feat(home): 添加 Vercel skills CLI 工具

fix(mise): 使用 all_compile 禁用 NixOS 默认源码编译
fix(mise): 禁用 Node.js 源码编译，使用预编译二进制
2026-04-15 20:17:14 +08:00 · 2026-04-15 19:35:14 +08:00 · 2026-04-15 19:32:13 +08:00 · 2026-04-15 19:19:48 +08:00 · 2026-04-15 19:14:58 +08:00 · 2026-04-15 17:01:56 +08:00
21 changed files with 301 additions and 255 deletions
@@ -2,7 +2,7 @@

 ## Overview

-Nix flake managing 3 devices: Mac Mini, MacBook Air (both aarch64-darwin via nix-darwin), and a Windows PC via NixOS-WSL (x86_64-linux). Single user `imbytecat` everywhere. Uses **Lix** (not stock Nix).
+Nix flake — 3 devices (Mac Mini, MacBook Air: aarch64-darwin; WSL: x86_64-linux). Single user `imbytecat`. Uses **Lix**.

 ## Architecture

@@ -13,95 +13,75 @@ flake.nix
 └── nixosConfigurations.wsl          (x86_64-linux)
 ```

- `lib/default.nix` — builders `mkDarwin`/`mkNixos`, shared `sshKeys` constant (passed via `specialArgs`), `homeManagerConfig` helper. NixOS also gets `catppuccin.nixosModules.catppuccin`.
- `modules/shared/` — both platforms: nix/nixpkgs settings (Lix, overlays), fonts, `programs.fish.enable`, `services.openssh.enable`
- `modules/darwin/` — macOS: system preferences, homebrew (casks/brews/masApps), 1Password CLI, user
- `modules/nixos/` — NixOS: system packages, locale/timezone, docker, user
- `home/` — home-manager (shared across all hosts via `useGlobalPkgs`), catppuccin theme
- `hosts/*/` — per-host overrides (mac-mini: 24/7 server with sleep disabled; macbook-air: portable)
- `overlays/` + `pkgs/` — custom packages (comment-checker)
+- `lib/default.nix` — `mkDarwin`/`mkNixos` builders, `sshKeys` (via `specialArgs`), `homeManagerConfig`
+- `modules/shared/` — cross-platform: Lix, overlays, fonts, fish, openssh, 1password
+- `modules/darwin/` — system preferences, homebrew, user
+- `modules/nixos/` — system packages, locale, docker, user
+- `home/` — home-manager (shared, `useGlobalPkgs`), catppuccin
+- `hosts/*/` — per-host overrides
+- `overlays/` + `pkgs/` — custom packages (`comment-checker`)

-Config flows: `hosts/*` (host-specific) -> `modules/*` (platform) -> `home/*` (user-level, cross-platform)
-
-## Nix implementation
-
-All platforms use **Lix** (`nix.package = pkgs.lix` in `modules/shared/nix.nix`). Channels are disabled (`nix.channel.enable = false`) — flakes only.
+Flow: `hosts/*` → `modules/*` → `home/*`

 ## Commands

 ```bash
-# Justfile shortcuts (preferred)
-just rebuild mac-mini       # rebuild macOS host (on macOS)
+just rebuild mac-mini       # macOS host (darwin-rebuild)
 just rebuild macbook-air
-just rebuild                # rebuild WSL (linux only, default: "wsl")
-just rollback               # rollback to previous generation (linux only)
-just check                  # eval configs without building (platform-aware)
+just rebuild wsl            # NixOS host (nixos-rebuild)
+just check                  # eval without building (platform-aware)
 just update                 # nix flake update
-just up nixpkgs             # update a single flake input
-just show                   # nix flake show
-just clean                  # nix-collect-garbage -d (user-level only; NixOS system-level needs sudo)
+just up nixpkgs             # update single input
+just clean                  # nix-collect-garbage -d (user-level only)
+just rollback               # NixOS only — rollback to previous generation
 just history                # list system profile generations
-just lsp mac-mini           # generate .vscode/settings.json for nixd option completion
-
-# Direct (when just isn't available)
-sudo darwin-rebuild switch --flake .#mac-mini
-sudo nixos-rebuild switch --flake .#wsl
-nix build .#darwinConfigurations.mac-mini.system --dry-run   # validate (eval only)
-nix build .#darwinConfigurations.mac-mini.system             # validate (full build)
-
-# First-time bootstrap (nix-darwin not yet installed)
-sudo nix run nix-darwin -- switch --flake .#mac-mini
-
-# First-time bootstrap WSL (fresh NixOS-WSL has no git)
-nix-shell -p git --run "git clone <repo-url> ~/nix-config"
-cd ~/nix-config && sudo nixos-rebuild switch --flake .#wsl
+just show                   # nix flake show
+just lsp mac-mini           # nixd option completion for VSCode
 ```

-## Critical gotchas
+Note: `just check` and `just rebuild` have `[macos]`/`[linux]` variants — the justfile auto-selects by platform.

- **Shared settings live in `modules/shared/`**: Fish, openssh, fonts, nix settings are enabled once in shared — don't re-declare in platform modules.
- **SSH keys are centralized**: Defined as `sshKeys` in `lib/default.nix`, passed via `specialArgs`. Don't hardcode keys in platform modules.
- **Neovim uses lazyvim-nix**: `programs.lazyvim` in `home/dev/neovim.nix` manages neovim via the `lazyvim-nix` flake input. Catppuccin nvim integration is explicitly disabled (`catppuccin.nvim.enable = false`) because LazyVim manages its own colorscheme. Don't use `catppuccin.enable` for nvim or the old `programs.neovim.plugins` approach.
- **catppuccin module name**: Home-manager uses `catppuccin.homeModules.catppuccin` (imported in `home/default.nix`). NixOS uses `catppuccin.nixosModules.catppuccin` (in `lib/default.nix`). Don't use the old `homeManagerModules` name.
- **Homebrew tap casks**: Casks from taps need full path (e.g. `"goooler/repo/fl-clash"`), not just the short name.
- **`onActivation.cleanup = "zap"`**: Any brew formula/cask NOT declared in `modules/darwin/default.nix` WILL be removed on rebuild. Be comprehensive.
- **First-time macOS bootstrap requires sudo**: `sudo nix run nix-darwin -- switch --flake .#mac-mini` (not `darwin-rebuild` which doesn't exist yet).
- **First-time WSL bootstrap needs `nix-shell -p git`**: Fresh NixOS-WSL has no `git`. Use `nix-shell -p git --run "git clone ..."` to clone, then `sudo nixos-rebuild switch`.
- **mise for version management**: Activated in `home/shell/fish.nix` via `mise activate fish | source`. Config in `home/dev/languages.nix` trusts all config paths.
+## Gotchas

-## Secrets (1Password CLI)
+- **Shared settings in `modules/shared/`** — don't re-declare fish/openssh/1password/fonts in platform modules.
+- **`sshKeys` centralized** in `lib/default.nix` via `specialArgs`. Don't hardcode.
+- **WSL aliases force-cleared** — `hosts/wsl/default.nix` uses `lib.mkForce {}`. All aliases via Home Manager only.
+- **Neovim = lazyvim-nix** — `programs.lazyvim` in `home/dev/neovim.nix`. `catppuccin.nvim.enable = false` (LazyVim manages colorscheme). The `lazyvim.homeManagerModules.default` is loaded as a sharedModule in `lib/default.nix`.
+- **catppuccin modules** — `catppuccin.homeModules.catppuccin` (home), `catppuccin.nixosModules.catppuccin` (NixOS). Not the old `homeManagerModules`.
+- **Homebrew `cleanup = "zap"`** — undeclared casks/brews get removed. `greedyCasks = true` upgrades even auto-updating casks. Shared → `modules/darwin/`, host-specific → `hosts/*/`. Tap casks need full path (e.g. `"goooler/repo/fl-clash"`).
+- **Ghostty macOS-only** — `enable = pkgs.stdenv.isDarwin`, `package = null` (Homebrew cask). Terminfo propagated via `ghostty.terminfo` in `modules/nixos/`.
+- **nix-ld on WSL** — `programs.nix-ld.enable = true` for VSCode Remote.
+- **home-manager `backupFileExtension = "bak"`** — set in `lib/default.nix`. Existing dotfiles get `.bak` suffix on conflict.
+- **mise** — runtime version management (`home/dev/languages.nix`). `trusted_config_paths = [ "/" ]` trusts all config files.

- **Not sops-nix** — secrets are injected at shell startup via `op inject` (1Password CLI).
- Template: `home/shell/fish.nix` generates `~/.config/op-env/env.tpl` with `op://` references (safe to commit — contains no real secrets).
- Fish function `op-env` runs on interactive shell init, calling `op inject --in-file` to set env vars: `AI_GATEWAY_BASE_URL`, `AI_GATEWAY_API_KEY`, `EXA_API_KEY`, `CONTEXT7_API_KEY`.
- macOS: `programs._1password.enable = true` in `modules/darwin/default.nix`.
- WSL: aliases `op` to `op.exe` (Windows interop) in `home/shell/fish.nix`.
- Never commit `*.dec.yaml`, `*.dec.json`, `*.plaintext` (in `.gitignore`).
+## Environment

-## Shell
+1Password CLI secrets are **cached locally** — shell startup reads `~/.cache/op-env/env.fish` (no network).

-Fish (not zsh). All tool integrations use `enableFishIntegration`. Key files:
- `home/shell/fish.nix` — abbreviations, interactiveShellInit, mise activation
- `home/shell/tools.nix` — fzf, atuin, zoxide (`--cmd cd`), direnv, bat, eza, yazi, btop, zellij
- `home/shell/starship.nix` — prompt
+- Template: `home/shell/fish.nix` → `~/.config/op-env/env.tpl` (`op://` refs, safe to commit)
+- Cache: `~/.cache/op-env/env.fish` (plaintext, `chmod 600`, outside git/nix store)
+- Auth: `OP_SERVICE_ACCOUNT_TOKEN` in `~/.config/fish/local.fish` (gitignored)
+- Refresh: user runs `op-env-refresh` manually (needs network). Atomic write (mktemp + mv), failure keeps old cache.
+- Clear: `op-env-clear` removes cache file.
+- `local.fish` is sourced **after** the cache, so it can override env vars per-machine.

 ## Home Manager option API

-These options were renamed in recent home-manager; use the new names:
+Use the new names:
 - `programs.git.settings.user.{name,email}` (not `userName`/`userEmail`)
 - `programs.git.settings.*` (not `extraConfig`)
 - `programs.delta.{enable,options}` (not `programs.git.delta.*`)
 - `programs.delta.enableGitIntegration = true` (must be explicit)
- `programs.ssh.matchBlocks."*".addKeysToAgent` (not top-level `addKeysToAgent`)
- `programs.ssh.enableDefaultConfig = false` (set explicitly)
+- `programs.ssh.matchBlocks."*".addKeysToAgent` (not top-level)
+- `programs.ssh.enableDefaultConfig = false`

-## Nix LSP & formatter
+## Nix tooling

- LSP: `nixd` (not `nil`). Provides nixpkgs/option completion.
- Formatter: `nixfmt`. Run: `nixfmt <file.nix>`
- Both installed via `home/dev/languages.nix`.
- VSCode settings for nixd option completion: `just lsp <host>` (generates `.vscode/settings.json` from `.vscode/settings.base.json`)
+- LSP: `nixd`. Formatter: `nixfmt`. Linter: `statix`.
+- All in `home/dev/languages.nix`.
+- `just lsp <host>` generates `.vscode/settings.json` from `.vscode/settings.base.json` (gitignored output).

 ## Tool usage

- **Always use the `nixos_nix` MCP tool** when searching for nix-darwin / NixOS / home-manager options. Query with `source=darwin/nixos/home-manager` and `type=options/packages` to find available options before writing config. Do not guess option names or value types — verify first.
+- `opencode.jsonc` configures `just-lsp` (LSP) and `mcp-nixos` (MCP).
+- **Always use `nixos_nix` MCP** to look up nix-darwin/NixOS/home-manager options before writing config. Don't guess option names.
@@ -1,6 +1,6 @@
 # Nix Config

-使用 [nix-darwin](https://github.com/nix-darwin/nix-darwin) + [NixOS-WSL](https://github.com/nix-community/NixOS-WSL) + [Home Manager](https://github.com/nix-community/home-manager) + [Flakes](https://nix.dev/concepts/flakes) 声明式管理三台设备的系统配置。
+nix-darwin + NixOS-WSL + Home Manager + Flakes 声明式管理三台设备的系统配置。

 ## 设备

@@ -12,117 +12,114 @@

 ## 快速开始

-### macOS (Mac Mini / MacBook Air)
+### macOS

-1. 安装 [Lix](https://lix.systems/)（Nix 的社区分支，nix-darwin 官方推荐）：
+1. 安装 [Lix](https://lix.systems/)：

 ```bash
 curl -sSf -L https://install.lix.systems/lix | sh -s -- install
 ```

-2. 克隆仓库并首次构建：
+2. 安装 [Homebrew](https://brew.sh/)（nix-darwin 不会自动安装）：
+
+```bash
+/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
+```
+
+3. 克隆仓库并首次构建：

 ```bash
 git clone <repo-url> ~/nix-config
 cd ~/nix-config
-# 首次（nix-darwin 尚未安装）：
-sudo nix run nix-darwin -- switch --flake .#mac-mini
-# 之后日常重建：
-sudo darwin-rebuild switch --flake .#mac-mini
+sudo nix run nix-darwin -- switch --flake .#macbook-air
 ```

-### WSL (Windows PC)
+之后日常重建：`just rebuild macbook-air`

-1. 安装 [NixOS-WSL](https://github.com/nix-community/NixOS-WSL/releases)：
+### WSL
+
+1. 启用 WSL 并更新内核：
+
+```powershell
+wsl --install --no-distribution
+wsl --update
+```
+
+2. 安装 [NixOS-WSL](https://github.com/nix-community/NixOS-WSL/releases)：

 ```powershell
 wsl --import NixOS C:\wsl\nixos nixos-wsl.tar.gz
 wsl -d NixOS
 ```

-2. 首次初始化（全新的 NixOS-WSL 没有 `git`，需要借助 `nix-shell` 临时引入）：
+3. 首次构建：

 ```bash
-nix-shell -p git --run "git clone <repo-url> ~/nix-config"
+nix shell nixpkgs#git
+git clone <repo-url> ~/nix-config
 cd ~/nix-config
 sudo nixos-rebuild switch --flake .#wsl
 ```

-> 首次 rebuild 完成后 `git`、`just` 等工具会由配置声明安装，此后可直接使用 `just rebuild` 重建。
+之后日常重建：`just rebuild wsl`

 ## 仓库结构

 ```
-├── flake.nix                  # 入口：输入源 + 输出配置
-├── flake.lock                 # 依赖锁定文件
-├── hosts/
-│   ├── mac-mini/default.nix   # Mac Mini 特定配置
-│   ├── macbook-air/default.nix# MacBook Air 特定配置
-│   └── wsl/default.nix        # WSL 特定配置
-├── modules/
-│   ├── darwin/default.nix     # macOS 模块（Homebrew、系统偏好等）
-│   ├── nixos/                 # NixOS 模块
-│   │   ├── base.nix           # 基础包
-│   │   ├── docker.nix         # Docker 配置
-│   │   ├── locale.nix         # 区域 / 语言
-│   │   └── default.nix        # 入口（用户、shell）
-│   └── shared/                # 共享模块（Nix 设置）
-├── home/                      # Home Manager 配置
-│   ├── default.nix            # 入口 + 用户级包
-│   ├── theme.nix              # Catppuccin 主题
-│   ├── dev/                   # 开发工具
-│   │   ├── neovim.nix
-│   │   ├── languages.nix      # 语言运行时、LSP
-│   │   └── git.nix
-│   └── shell/                 # Shell 配置
-│       ├── fish.nix           # Fish shell
-│       ├── starship.nix       # Prompt
-│       └── tools.nix          # fzf, atuin, zoxide 等
-├── lib/default.nix            # 构建辅助函数
-├── overlays/                  # 自定义包覆盖
-└── pkgs/                      # 自定义包
+flake.nix                      # 入口
+hosts/                         # 主机特定配置
+modules/
+  ├── darwin/                  # macOS 模块
+  ├── nixos/                   # NixOS 模块
+  └── shared/                  # 共享模块
+home/                          # Home Manager 配置
+  ├── dev/                     # 开发工具
+  └── shell/                   # Shell 配置
+lib/default.nix                # 构建辅助函数
+overlays/ + pkgs/              # 自定义包
 ```

-**配置层级**：`hosts/*`（主机特定） → `modules/*`（平台模块） → `home/*`（用户级，跨平台共享）
+配置层级：`hosts/*` → `modules/*` → `home/*`

 ## 日常使用

-项目提供 [`justfile`](justfile)，首次 rebuild 后即可使用：
-
 ```bash
-just rebuild <host>   # 重建系统（自动选择 darwin-rebuild / nixos-rebuild）
+just rebuild <host>   # 重建系统
 just update           # 更新所有 flake 输入
-just up <input>       # 更新单个输入，如 just up nixpkgs
-just check            # 检查配置是否能正常 evaluate
-just clean            # 清理旧 generation 并回收空间
-just rollback         # 回滚到上一个 generation（仅 NixOS）
-just history          # 查看系统 profile 历史
+just up <input>       # 更新单个输入
+just check            # 检查配置
+just clean            # 清理旧 generation
+just rollback         # 回滚（仅 NixOS）
+just history          # 查看 profile 历史
 just show             # 显示 flake 输出
 ```

-Fish shell 中也定义了 abbreviation 可直接使用：
-
-```bash
-rebuild               # 自动选择 darwin-rebuild 或 nixos-rebuild
-update                # nix flake update
-```
-
-> **注意**：`just clean` 仅清理用户级 generation。NixOS 上如需清理系统级旧 generation，需要 `sudo nix-collect-garbage -d`。
-
 ## Shell

-使用 **Fish** 作为默认 shell，搭配：
+Fish + Starship + Atuin + Zoxide + FZF + Direnv，Catppuccin Mocha 主题。

- **Starship** — 跨平台 prompt
- **Atuin** — shell 历史搜索
- **Zoxide** — 智能 cd（`cd` = zoxide, `cdi` = 交互选择）
- **FZF** — 模糊搜索（Ctrl-R 历史, Ctrl-T 文件, Alt-C 目录）
- **Direnv** — 自动加载项目环境
- **Catppuccin Mocha** — 统一主题
+常用自定义：
+- fish abbreviation → `home/shell/fish.nix`
+- 添加包 → `home/default.nix` 或 `home/dev/languages.nix`
+- Homebrew cask → `modules/darwin/default.nix`

-### 自定义
+## Environment

- 添加 fish abbreviation: 编辑 `home/shell/fish.nix` 中的 `shellAbbrs`
- 添加包: 编辑 `home/default.nix` 或 `home/dev/languages.nix`
- 添加 Homebrew cask: 编辑 `modules/darwin/default.nix` 中的 `homebrew.casks`
- 查包名: `nix search nixpkgs <关键词>` 或 [search.nixos.org](https://search.nixos.org/packages)
+1Password CLI `op inject` 获取环境变量，本地缓存后离线可用。
+
+模板文件 `~/.config/op-env/env.tpl` 由 `home/shell/fish.nix` 生成，仅包含 `op://` 引用，可安全提交。
+
+Shell 启动时只读取本地缓存（`~/.cache/op-env/env.fish`），不联网。首次使用或密钥变更后需手动刷新：
+
+```bash
+op-env-refresh   # 从 1Password 获取并缓存（需联网）
+op-env-clear     # 清除本地缓存
+```
+
+认证需要在 `~/.config/fish/local.fish`（gitignored）中设置：
+
+```bash
+set -gx OP_SERVICE_ACCOUNT_TOKEN "your-service-account-token"
+```
+
+未设置 token 时 `op-env-refresh` 会提示错误，不影响已有缓存的正常使用。
@@ -7,11 +7,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1775994227,
-        "narHash": "sha256-4VKeWtl9dEubrgpy9fSXkXbjBZlNXPNlQQM5l1ppHv4=",
+        "lastModified": 1776190523,
+        "narHash": "sha256-qfZWzaWuXfbF487cXj43uT7HWtqF45A+g7g59fOPYsk=",
        "owner": "catppuccin",
        "repo": "nix",
-        "rev": "d0a9a21ed8e235956a768fc624242ec9a3e15575",
+        "rev": "2eefec08414e2f90824bf2b508ea38ef6f295dfa",
        "type": "github"
      },
      "original": {
@@ -61,11 +61,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1776046499,
-        "narHash": "sha256-Wzc4nn07/0RL21ypPHRzNDQZcjhIC8LaYo7QJQjM5T4=",
+        "lastModified": 1776184304,
+        "narHash": "sha256-No6QGBmIv5ChiwKCcbkxjdEQ/RO2ZS1gD7SFy6EZ7rc=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "287f84846c1eb3b72c986f5f6bebcff0bd67440d",
+        "rev": "3c7524c68348ef79ce48308e0978611a050089b2",
        "type": "github"
      },
      "original": {
@@ -37,7 +37,7 @@
      mylib = import ./lib { inherit inputs; };
    in
    {
-      # ── macOS hosts ─────────────────────────────────────
+      # ── macOS 主机 ──────────────────────────────────────
      darwinConfigurations = {
        mac-mini = mylib.mkDarwin {
          hostname = "awesome-mac-mini";
@@ -54,7 +54,7 @@
        };
      };

-      # ── NixOS hosts (WSL on Windows PC) ─────────────────
+      # ── NixOS 主机（Windows PC 上的 WSL）──────────────
      nixosConfigurations = {
        wsl = mylib.mkNixos {
          hostname = "awesome-wsl";
@@ -67,7 +67,7 @@
        };
      };

-      # ── Packages ────────────────────────────────────────
+      # ── 自定义包 ─────────────────────────────────────────
      packages = nixpkgs.lib.genAttrs [ "aarch64-darwin" "x86_64-linux" ] (
        system:
        let
@@ -20,12 +20,11 @@
  home = {
    username = username;
    homeDirectory = if pkgs.stdenv.isDarwin then "/Users/${username}" else "/home/${username}";
-    stateVersion = "24.11";
+    stateVersion = "25.11";
  };

-  # ── User-level packages ────────────────────────────
  home.packages = with pkgs; [
-    # Modern CLI replacements
+    # 现代 CLI 替代工具
    dust # du
    duf # df
    procs # ps
@@ -34,28 +33,29 @@
    yq # YAML
    wget

-    # System info
+    # 系统信息
    fastfetch
    tealdeer # tldr

-    # File management
+    # 文件管理
    gomi
+    ouch # 压缩/解压

-    # Nix tools
+    # Nix 工具
    nix-output-monitor # nom
-    nvd # nix version diff
-    nh # nix helper
+    nvd # Nix 版本对比
+    nh # Nix 辅助工具
    just

-    # AI coding agent
+    # AI 编程代理
    opencode
    comment-checker
+    skills

-    # Misc
+    # 其他
    ffmpeg
    pandoc
  ];

-  # XDG directories
  xdg.enable = true;
 }
@@ -1,4 +1,4 @@
-{ ... }:
+_:

 {
  programs.git = {
@@ -34,9 +34,7 @@
        nerdFontsVersion = "3";
        showBottomLine = false;
      };
-      git.pagers = [
-        { pager = "delta --paging=never"; }
-      ];
+      git.pagers = [ { pager = "delta --paging=never"; } ];
      update.method = "never";
      disableStartupPopups = true;
    };
@@ -2,15 +2,16 @@

 {
  home.packages = with pkgs; [
-    # ── Language runtimes ──
+    # ── 语言运行时 ──
    nodejs
    go
    bun
+    python3

-    # ── Package management / version management ──
+    # ── 包管理 / 版本管理 ──
    uv

-    # ── LSP servers ──
+    # ── LSP 服务器 ──
    bash-language-server
    gopls
    typescript-language-server
@@ -21,7 +22,7 @@
    nixd
    just-lsp

-    # ── Linter / Formatter ──
+    # ── 代码检查 / 格式化 ──
    biome
    ruff
    shellcheck
@@ -30,7 +31,7 @@
    statix
    stylua

-    # ── Code intelligence ──
+    # ── 代码智能 ──
    ast-grep
  ];

@@ -41,6 +42,7 @@
    globalConfig = {
      settings = {
        trusted_config_paths = [ "/" ];
+        all_compile = false;
      };
    };
  };
@@ -1,7 +1,7 @@
-{ ... }:
+_:

 {
-  # Disable catppuccin/nix neovim integration — LazyVim manages its own colorscheme
+  # 禁用 catppuccin/nix 的 Neovim 集成 — LazyVim 自行管理配色方案
  catppuccin.nvim.enable = false;

  programs.neovim = {
@@ -22,7 +22,7 @@
      lang.docker.enable = true;
    };

-    # Catppuccin Mocha colorscheme (managed by LazyVim, not catppuccin/nix)
+    # Catppuccin Mocha 配色方案（由 LazyVim 管理，非 catppuccin/nix）
    plugins = {
      colorscheme = ''
        return {
@@ -1,78 +1,135 @@
-{ config, ... }:
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:

 let
  envTpl = "${config.xdg.configHome}/op-env/env.tpl";
+  envCache = "${config.xdg.cacheHome}/op-env/env.fish";
 in
 {
-  # ── 1Password env template ──────────────────────────
-  # op:// references only — no real secrets, safe to commit
-  # Kept outside ~/.config/op — that dir must be 700 and owned by op CLI
+  # ── 1Password 环境变量模板 ─────────────────────────────
+  # 仅包含 op:// 引用 — 无真实密钥，可安全提交
+  # 放在 ~/.config/op 之外 — 该目录必须是 700 权限且属于 op CLI
  xdg.configFile."op-env/env.tpl".text = ''
-    AI_GATEWAY_BASE_URL={{ op://Private/AI Gateway API/URL }}
-    AI_GATEWAY_API_KEY={{ op://Private/AI Gateway API/credential }}
-    EXA_API_KEY={{ op://Private/Exa API/credential }}
-    CONTEXT7_API_KEY={{ op://Private/Context7 API/credential }}
+    set -gx AI_GATEWAY_BASE_URL "{{ op://Developer/AI Gateway API/URL }}"
+    set -gx AI_GATEWAY_API_KEY "{{ op://Developer/AI Gateway API/credential }}"
+    set -gx EXA_API_KEY "{{ op://Developer/Exa API/credential }}"
+    set -gx CONTEXT7_API_KEY "{{ op://Developer/Context7 API/credential }}"
  '';

  programs.fish = {
    enable = true;

    shellAbbrs = {
-      # Navigation (one-shot, no need to recall in history)
+      # 导航（一次性命令，无需记录历史）
      ".." = "cd ..";
      "..." = "cd ../..";
    };

    shellAliases = {
-      # File listing (eza) — base aliases (ls/la/lt) from programs.eza
+      # 文件列表（eza）— 基础别名（ls/la/lt）来自 programs.eza
      ll = "eza -lh";
      lla = "eza -lah --time-style=long-iso";

-      # Tools
      cat = "bat --paging=never";
      rm = "gomi";
      lg = "lazygit";
-      vi = "nvim";
    };

    interactiveShellInit = ''
-      # No greeting
      set -g fish_greeting
-
-      # PATH
      fish_add_path $HOME/go/bin $HOME/.bun/bin
+      ${lib.optionalString pkgs.stdenv.isDarwin ''fish_add_path "/Applications/Visual Studio Code.app/Contents/Resources/app/bin"''}

-      # Sudo: double Escape to prepend sudo
+      # 双击 Escape 在命令前插入 sudo
      bind \e\e 'fish_commandline_prepend sudo'

-      # WSL clipboard
+      # WSL 剪贴板
      if set -q WSL_DISTRO_NAME
        alias pbcopy clip.exe
        alias pbpaste "powershell.exe -noprofile -c Get-Clipboard"
-        alias op op.exe
      end

-      # User-local overrides
+      # Windows Terminal：发送 OSC 9;9 使新标签页/窗格在同一目录打开
+      function __wt_osc9_9 --on-variable PWD
+        if test -n "$WT_SESSION"
+          printf "\e]9;9;%s\e\\" (wslpath -w "$PWD")
+        end
+      end
+
+      # 1Password → 环境变量（本地缓存，启动时不联网）
+      # 启动时仅加载缓存；手动执行 op-env-refresh 拉取/更新
+      # 通过 OP_SERVICE_ACCOUNT_TOKEN 认证（在 ~/.config/fish/local.fish 中设置）
+      function op-env-refresh --description "Fetch secrets from 1Password and cache locally"
+        if not type -q op
+          echo "op-env: op CLI not found in PATH" >&2
+          return 1
+        end
+        if not set -q OP_SERVICE_ACCOUNT_TOKEN; or test -z "$OP_SERVICE_ACCOUNT_TOKEN"
+          echo "op-env: OP_SERVICE_ACCOUNT_TOKEN is not set" >&2
+          return 1
+        end
+        if not test -f "${envTpl}"
+          echo "op-env: template not found: ${envTpl}" >&2
+          return 1
+        end
+        set -l cache_dir (path dirname "${envCache}")
+        if not mkdir -p "$cache_dir"; or not chmod 700 "$cache_dir"
+          echo "op-env: cannot prepare cache dir: $cache_dir" >&2
+          return 1
+        end
+        set -l tmp (mktemp "$cache_dir/.tmp.XXXXXX")
+        or begin
+          echo "op-env: mktemp failed" >&2
+          return 1
+        end
+        if not op inject --in-file "${envTpl}" > "$tmp"
+          command rm -f "$tmp"
+          echo "op-env: inject failed; old cache kept" >&2
+          return 1
+        end
+        # 替换缓存前记录旧变量名
+        set -l old_vars
+        if test -f "${envCache}"
+          set old_vars (string match -rg 'set -gx (\S+)' < "${envCache}")
+        end
+        if not mv "$tmp" "${envCache}"
+          command rm -f "$tmp"
+          echo "op-env: cannot replace cache file" >&2
+          return 1
+        end
+        for var in $old_vars
+          set -e $var
+        end
+        if not source "${envCache}"
+          echo "op-env: cache written but could not be sourced" >&2
+          return 1
+        end
+        echo "op-env: refreshed"
+      end
+
+      function op-env-clear --description "Clear cached secrets"
+        if test -f "${envCache}"
+          for var in (string match -rg 'set -gx (\S+)' < "${envCache}")
+            set -e $var
+          end
+          command rm -f "${envCache}"
+        end
+        echo "op-env: cleared"
+      end
+
+      # 加载缓存的密钥（即时，不联网）
+      if test -f "${envCache}"
+        source "${envCache}"
+      end
+
+      # 用户本地配置（OP_SERVICE_ACCOUNT_TOKEN、机器特定覆盖）
      if test -f ~/.config/fish/local.fish
        source ~/.config/fish/local.fish
      end
-
-      # 1Password → env vars (single op call, silent on failure)
-      function op-env --description "Load secrets from 1Password"
-        if not type -q op; or not test -f ${envTpl}
-          return 1
-        end
-        set -l output (op inject --in-file ${envTpl} 2>/dev/null)
-        or return 1
-        for line in $output
-          string match -qr '^\s*(#|$)' -- $line; and continue
-          set -l kv (string split -m 1 '=' $line)
-          if test (count $kv) -ge 2
-            set -gx $kv[1] $kv[2]
-          end
-        end
-      end
-      op-env
    '';
  };
 }
@@ -3,7 +3,7 @@
 {
  programs.ghostty = {
    enable = pkgs.stdenv.isDarwin;
-    package = null; # installed via Homebrew cask
+    package = null; # 通过 Homebrew cask 安装
    settings = {
      font-family = "Maple Mono NF CN";
      font-size = 14;
@@ -57,11 +57,11 @@
        truncation_length = 3;
        truncation_symbol = "…/";
        substitutions = {
-          Developer = "󰲋 ";
-          Documents = "󰈙 ";
-          Downloads = " ";
-          Music = "󰝚 ";
-          Pictures = " ";
+          Developer = "󰲋";
+          Documents = "󰈙";
+          Downloads = "";
+          Music = "󰝚";
+          Pictures = "";
        };
      };

@@ -19,7 +19,7 @@
    ];
  };

-  # ── Atuin (shell history) ────────────────────────────
+  # ── Atuin（Shell 历史记录）─────────────────────────────
  programs.atuin = {
    enable = true;
    enableFishIntegration = true;
@@ -33,11 +33,11 @@
    };
  };

-  # ── Zoxide (smart cd) ───────────────────────────────
+  # ── Zoxide（智能 cd）──────────────────────────────────
  programs.zoxide = {
    enable = true;
    enableFishIntegration = true;
-    options = [ "--cmd cd" ]; # cd/cdi instead of z/zi
+    options = [ "--cmd cd" ]; # 用 cd/cdi 替代 z/zi
  };

  # ── Direnv + nix-direnv ─────────────────────────────
@@ -50,7 +50,7 @@
    };
  };

-  # ── Bat (cat replacement) ───────────────────────────
+  # ── Bat（cat 替代）────────────────────────────────────
  programs.bat = {
    enable = true;
    extraPackages = with pkgs.bat-extras; [
@@ -59,7 +59,7 @@
    ];
  };

-  # ── Eza (ls replacement) ────────────────────────────
+  # ── Eza（ls 替代）─────────────────────────────────────
  programs.eza = {
    enable = true;
    enableFishIntegration = true;
@@ -70,14 +70,14 @@
    ];
  };

-  # ── Yazi (file manager) ─────────────────────────────
+  # ── Yazi（文件管理器）────────────────────────────────
  programs.yazi = {
    enable = true;
    enableFishIntegration = true;
    shellWrapperName = "y";
  };

-  # ── Btop (system monitor) ───────────────────────────
+  # ── Btop（系统监控）──────────────────────────────────
  programs.btop = {
    enable = true;
    settings = {
@@ -85,7 +85,7 @@
    };
  };

-  # ── Zellij (terminal multiplexer) ────────────────────
+  # ── Zellij（终端复用器）──────────────────────────────
  programs.zellij = {
    enable = true;
    enableFishIntegration = false;
@@ -1,13 +1,13 @@
 { ... }:

 {
-  # ── Mac Mini specific ─────────────────────────────────
-  # Always plugged in — 24/7 server role
+  # ── Mac Mini 专属配置 ────────────────────────────────
+  # 常驻供电 — 全天候服务器角色

-  # Touch ID for sudo
+  # Touch ID 验证 sudo
  security.pam.services.sudo_local.touchIdAuth = true;

-  # ── Never sleep ─────────────────────────────────────
+  # ── 禁止睡眠 ────────────────────────────────────────
  power.sleep.computer = "never";
  power.sleep.display = "never";
  power.sleep.harddisk = "never";
@@ -15,17 +15,17 @@
  power.restartAfterPowerFailure = true;
  power.restartAfterFreeze = true;

-  # ── Wake on LAN ──────────────────────────────────
+  # ── 网络唤醒（WoL）─────────────────────────────────
  networking.wakeOnLan.enable = true;

-  # ── Screen Sharing (VNC) & pmset ─────────────────
+  # ── 屏幕共享（VNC）& pmset ──────────────────────────
  system.activationScripts.postActivation.text = ''
    # VNC
    launchctl enable system/com.apple.screensharing
    launchctl load -w /System/Library/LaunchDaemons/com.apple.screensharing.plist 2>/dev/null || true
-    # Disable Power Nap
+    # 禁用 Power Nap
    pmset -a powernap 0
  '';

-  system.stateVersion = 5;
+  system.stateVersion = 6;
 }
@@ -1,11 +1,16 @@
 { ... }:

 {
-  # ── MacBook Air specific ──────────────────────────────
-  # Portable — battery-conscious settings
+  # ── MacBook Air 专属配置 ─────────────────────────────
+  # 便携设备 — 注意电池续航

-  # Touch ID for sudo
+  # Touch ID 验证 sudo
  security.pam.services.sudo_local.touchIdAuth = true;

-  system.stateVersion = 5;
+  # ── 刘海屏适配 ──────────────────────────────────────
+  homebrew.casks = [
+    "thaw" # 刘海屏菜单栏管理工具
+  ];
+
+  system.stateVersion = 6;
 }
@@ -1,6 +1,10 @@
-{ username, ... }:
+{ lib, username, ... }:

 {
+  # ── Shell ─────────────────────────────────────────────
+  # 移除 NixOS 默认别名（ls/ll/l）— 由 Home Manager eza 管理
+  environment.shellAliases = lib.mkForce { };
+
  # ── WSL ──────────────────────────────────────────────
  wsl = {
    enable = true;
@@ -11,5 +15,5 @@
  # ── nix-ld (VSCode Remote, etc.) ────────────────────
  programs.nix-ld.enable = true;

-  system.stateVersion = "24.11";
+  system.stateVersion = "25.11";
 }
@@ -17,7 +17,7 @@ rebuild host:
 # Rebuild and switch to new system configuration
 [linux]
 [group('build')]
-rebuild host="wsl":
+rebuild host:
    sudo nixos-rebuild switch --flake .#{{host}}

 # Check configs evaluate without errors
@@ -86,6 +86,6 @@ lsp host:
 # Generate .vscode/settings.json with LSP option completion
 [linux]
 [group('tools')]
-lsp host="wsl":
+lsp host:
    @jq --arg h "{{host}}" '."nix.serverSettings".nixd.options = {"nixos":{"expr":"(builtins.getFlake (toString ./.)).nixosConfigurations.\($h).options"},"home-manager":{"expr":"(builtins.getFlake (toString ./.)).nixosConfigurations.\($h).options.home-manager.users.type.getSubOptions []"}}' .vscode/settings.base.json > .vscode/settings.json
    @echo "Generated .vscode/settings.json for {{host}}"
@@ -7,7 +7,7 @@ let
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDRTOo48gzzRGT+bF9dzJCFJu61YgsQVONFtxU9kTPIg"
  ];

-  # Shared home-manager configuration block
+  # 共享的 Home Manager 配置块
  homeManagerConfig = username: {
    home-manager = {
      useGlobalPkgs = true;
@@ -24,7 +24,7 @@ let
  };
 in
 {
-  # ── NixOS host builder ──────────────────────────────
+  # ── NixOS 主机构建器 ─────────────────────────────────
  mkNixos =
    {
      hostname,
@@ -53,7 +53,7 @@ in
      ++ extraModules;
    };

-  # ── nix-darwin host builder ─────────────────────────
+  # ── nix-darwin 主机构建器 ────────────────────────────
  mkDarwin =
    {
      hostname,
@@ -6,13 +6,13 @@
 }:

 {
-  # ── Primary user (required by nix-darwin) ──────────
  system.primaryUser = username;

-  # ── 1Password CLI ───────────────────────────────────
-  programs._1password.enable = true;
+  # ── 免密 sudo ────────────────────────────────────────
+  security.sudo.extraConfig = ''
+    ${username} ALL=(ALL) NOPASSWD:ALL
+  '';

-  # ── User ───────────────────────────────────────────
  users.knownUsers = [ username ];
  users.users.${username} = {
    home = "/Users/${username}";
@@ -21,7 +21,7 @@
    openssh.authorizedKeys.keys = sshKeys;
  };

-  # ── macOS system preferences ───────────────────────
+  # ── macOS 系统偏好设置 ────────────────────────────────
  system.defaults = {
    LaunchServices.LSQuarantine = false;
    dock = {
@@ -35,21 +35,25 @@
      wvous-bl-corner = 1;
      wvous-br-corner = 1;
    };
-    finder = {
-      AppleShowAllExtensions = true;
-      FXPreferredViewStyle = "clmv";
-    };
+    finder.FXPreferredViewStyle = "clmv";
    NSGlobalDomain = {
      AppleShowAllExtensions = true;
      InitialKeyRepeat = 15;
      KeyRepeat = 2;
    };
+    CustomUserPreferences."ch.sudo.cyberduck" = {
+      # 永久禁用捐赠提示（日期设为遥远的未来）
+      "donate.reminder.date" = 253402300799000;
+    };
  };

  # ── Homebrew ───────────────────────────────────────
  homebrew = {
    enable = true;
-    greedyCasks = true; # always upgrade casks even if they auto-update
+    greedyCasks = true; # 即使 cask 自动更新也始终升级
+    # 已废弃：Homebrew 将于 2026-09 后移除 --no-quarantine
+    # 待所有 cask 通过 Gatekeeper（签名且公证）后移除此项
+    caskArgs.no_quarantine = true;

    taps = [
      "goooler/repo"
@@ -59,11 +63,12 @@
      "mole"
    ];

-    # GUI apps
+    # GUI 应用
    casks = [
      "1password"
      "brave-browser"
      "cherry-studio"
+      "cyberduck"
      "dbeaver-community"
      "discord"
      "feishu"
@@ -88,6 +93,7 @@

    # Mac App Store
    masApps = {
+      "iPreview" = 1519213509;
      "Microsoft Word" = 462054704;
      "Microsoft Excel" = 462058435;
      "Microsoft PowerPoint" = 462062816;
@@ -98,7 +104,7 @@
    onActivation = {
      autoUpdate = true;
      upgrade = true;
-      cleanup = "zap"; # remove anything not declared above
+      cleanup = "zap"; # 移除所有未声明的内容
    };
  };
 }
@@ -10,21 +10,18 @@
    ./docker.nix
  ];

-  # ── System-essential packages ──────────────────────
  environment.systemPackages = with pkgs; [
    curl
    git
    ghostty.terminfo
  ];

-  # ── Locale / Timezone ──────────────────────────────
  i18n = {
    defaultLocale = "en_US.UTF-8";
    supportedLocales = [ "en_US.UTF-8/UTF-8" ];
  };
  time.timeZone = "Asia/Shanghai";

-  # ── Default user ───────────────────────────────────
  users.users.${username} = {
    isNormalUser = true;
    shell = pkgs.fish;
@@ -32,6 +29,5 @@
    openssh.authorizedKeys.keys = sshKeys;
  };

-  # ── sudo ───────────────────────────────────────────
  security.sudo.wheelNeedsPassword = false;
 }
@@ -5,5 +5,6 @@
  ];

  programs.fish.enable = true;
+  programs._1password.enable = true;
  services.openssh.enable = true;
 }
@@ -11,7 +11,7 @@
    warn-dirty = false;
  };

-  # Disable channels — we use flakes exclusively
+  # 禁用 channels — 仅使用 flakes
  nix.channel.enable = false;

  nixpkgs = {
Author	SHA1	Message	Date
imbytecat	a4c7f28849	feat(home): 添加 Vercel skills CLI 工具	2026-04-15 20:17:14 +08:00
imbytecat	8d68dfafd2	fix(mise): 使用 all_compile 禁用 NixOS 默认源码编译	2026-04-15 19:35:14 +08:00
imbytecat	f9d7d40e4e	fix(mise): 禁用 Node.js 源码编译，使用预编译二进制	2026-04-15 19:32:13 +08:00
imbytecat	d072bb491c	style(starship): 移除目录替换图标后的多余空格	2026-04-15 19:19:48 +08:00
imbytecat	f011b5027d	chore: 升级所有 stateVersion 至最新版本	2026-04-15 19:14:58 +08:00
imbytecat	007a104ef3	feat(fish): 添加 VS Code code 命令到 PATH（仅 macOS）	2026-04-15 17:01:56 +08:00
imbytecat	41913d9a24	style: 将项目中所有英文注释统一改为中文	2026-04-15 16:40:20 +08:00
imbytecat	2cd41bcd16	docs(agents): 补充缺失命令和注意事项，完善架构描述	2026-04-15 04:08:16 +08:00
imbytecat	7fccb75e4f	docs(readme): 将快速开始示例从 mac-mini 改为 macbook-air	2026-04-15 04:01:04 +08:00
imbytecat	8c0ada01b9	chore(flake): 更新 catppuccin/nix 和 home-manager 锁定版本	2026-04-15 03:56:33 +08:00
imbytecat	4e7ddff3eb	docs(readme): 修正 WSL 首次构建步骤，使用 nix shell 替代过时的 nix-shell	2026-04-15 03:48:22 +08:00
imbytecat	ba7e0bb7af	feat(fish): 支持 Windows Terminal 新标签页保持当前目录	2026-04-15 03:43:26 +08:00
imbytecat	af82b03b3e	fix(git): 更新 lazygit pager 配置为新版 git.pagers 格式	2026-04-15 03:38:32 +08:00
imbytecat	b84b747b76	fix(shell): 修复 op-env 缓存逻辑——旧变量清理、rm 绕过 gomi、错误信息细化	2026-04-15 03:26:14 +08:00
imbytecat	aec2625eaa	feat(shell): 1Password 环境变量改为本地缓存，支持离网使用 - op inject 结果缓存到 ~/.cache/op-env/env.fish，shell 启动不再联网 - 新增 op-env-refresh（手动刷新）和 op-env-clear（清除缓存） - mktemp + mv 原子写入，刷新失败保留旧缓存 - 更新 README 文档匹配新行为	2026-04-15 03:10:06 +08:00
imbytecat	40731eda73	refactor: 移除 justfile 中 linux 命令的默认主机参数	2026-04-14 22:35:12 +08:00
imbytecat	bd5b0d9772	docs: 精简 README 和 AGENTS.md，补充 Homebrew 前置步骤	2026-04-14 22:27:47 +08:00
imbytecat	0cc6294e44	feat(darwin): 配置 sudo 免密码认证	2026-04-14 22:04:06 +08:00
imbytecat	883d551f8e	feat: add ouch for modern compression/decompression	2026-04-14 20:16:14 +08:00
imbytecat	27b265803c	feat(darwin): 添加 iPreview Quick Look 扩展	2026-04-14 19:33:35 +08:00
imbytecat	635ea270aa	fix(darwin): 永久关闭 Cyberduck 捐赠弹窗	2026-04-14 19:17:59 +08:00
imbytecat	54c56501e4	feat(darwin): add cyberduck for NAS file transfers	2026-04-14 19:02:13 +08:00
imbytecat	1df2e87a6e	feat(macbook-air): add thaw menu bar manager for notched display	2026-04-14 18:53:14 +08:00
imbytecat	2147d2917e	feat: add python3 runtime	2026-04-14 17:01:39 +08:00
imbytecat	82a148a894	Revert "feat: add python3 runtime and extend nix-ld libraries" This reverts commit `7e5e05470a`.	2026-04-14 17:01:11 +08:00
imbytecat	7e5e05470a	feat: add python3 runtime and extend nix-ld libraries	2026-04-14 16:59:37 +08:00
imbytecat	f6e2f92da3	refactor: remove redundant aliases, comments, and fix lazygit pager config	2026-04-14 13:53:04 +08:00
imbytecat	5583970878	docs: update AGENTS.md with shell alias gotcha and tighten guidance	2026-04-14 13:41:50 +08:00
imbytecat	beeb9948f4	fix(wsl): remove NixOS default shell aliases for cross-platform consistency	2026-04-14 13:37:16 +08:00
imbytecat	804e96a979	docs: sync README and AGENTS.md with current codebase, rename Justfile to justfile	2026-04-14 13:26:40 +08:00
imbytecat	fbb83ff013	refactor(op): switch to service account auth and simplify env injection	2026-04-14 13:11:16 +08:00