feat(home): 添加 Vercel skills CLI 工具

- op inject 结果缓存到 ~/.cache/op-env/env.fish，shell 启动不再联网
- 新增 op-env-refresh（手动刷新）和 op-env-clear（清除缓存）
- mktemp + mv 原子写入，刷新失败保留旧缓存
- 更新 README 文档匹配新行为

AGENTS.md

@@ -2,7 +2,7 @@
 
 ## Overview
 
-Nix flake managing 3 devices: Mac Mini, MacBook Air (both aarch64-darwin via nix-darwin), and a Windows PC via NixOS-WSL (x86_64-linux). Single user `imbytecat` everywhere. Uses **Lix** (not stock Nix).
+Nix flake — 3 devices (Mac Mini, MacBook Air: aarch64-darwin; WSL: x86_64-linux). Single user `imbytecat`. Uses **Lix**.
 
 ## Architecture
 
@@ -13,88 +13,75 @@ flake.nix
 └── nixosConfigurations.wsl          (x86_64-linux)
 ```
 
-- `lib/default.nix` — builders: `mkDarwin`, `mkNixos`. All hosts get shared modules + home-manager + lazyvim-nix (as HM sharedModule). NixOS also gets `catppuccin.nixosModules.catppuccin`; home-manager imports `catppuccin.homeModules.catppuccin` directly in `home/default.nix`.
+- `lib/default.nix` — `mkDarwin`/`mkNixos` builders, `sshKeys` (via `specialArgs`), `homeManagerConfig`
-- `modules/shared/` — both platforms: nixpkgs config, overlays, nix settings, Lix
+- `modules/shared/` — cross-platform: Lix, overlays, fonts, fish, openssh, 1password
-- `modules/darwin/` — macOS: system preferences, homebrew (casks/brews/masApps), fonts, fish shell, user
+- `modules/darwin/` — system preferences, homebrew, user
-- `modules/nixos/` — NixOS: base packages, docker, locale, user
+- `modules/nixos/` — system packages, locale, docker, user
-- `home/` — home-manager (shared across all hosts via `useGlobalPkgs`)
+- `home/` — home-manager (shared, `useGlobalPkgs`), catppuccin
-- `hosts/*/` — per-host overrides (mac-mini: 24/7 server with sleep disabled; macbook-air: portable)
+- `hosts/*/` — per-host overrides
-- `overlays/` + `pkgs/` — custom packages (comment-checker)
+- `overlays/` + `pkgs/` — custom packages (`comment-checker`)
 
-Config flows: `hosts/*` (host-specific) -> `modules/*` (platform) -> `home/*` (user-level, cross-platform)
+Flow: `hosts/*` → `modules/*` → `home/*`
-
-## Nix implementation
-
-All platforms use **Lix** (`nix.package = pkgs.lix` in `modules/shared/nix.nix`). Channels are disabled (`nix.channel.enable = false`) — flakes only.
 
 ## Commands
 
 ```bash
-# Justfile shortcuts (preferred)
+just rebuild mac-mini       # macOS host (darwin-rebuild)
-just rebuild mac-mini       # rebuild macOS host (on macOS)
 just rebuild macbook-air
-just rebuild                # rebuild WSL (linux only, default: "wsl")
+just rebuild wsl            # NixOS host (nixos-rebuild)
-just check                  # eval configs without building (platform-aware)
+just check                  # eval without building (platform-aware)
 just update                 # nix flake update
-just up nixpkgs             # update a single flake input
+just up nixpkgs             # update single input
-just show                   # nix flake show
+just clean                  # nix-collect-garbage -d (user-level only)
-just secrets                # sops secrets/secrets.yaml
+just rollback               # NixOS only — rollback to previous generation
-just clean                  # nix-collect-garbage -d
 just history                # list system profile generations
-just lsp mac-mini           # generate .vscode/settings.json for nixd option completion
+just show                   # nix flake show
-
+just lsp mac-mini           # nixd option completion for VSCode
-# Direct (when just isn't available)
-sudo darwin-rebuild switch --flake .#mac-mini
-sudo nixos-rebuild switch --flake .#wsl
-nix build .#darwinConfigurations.mac-mini.system --dry-run   # validate (eval only)
-nix build .#darwinConfigurations.mac-mini.system             # validate (full build)
-
-# First-time bootstrap (nix-darwin not yet installed)
-sudo nix run nix-darwin -- switch --flake .#mac-mini
 ```
 
-## Critical gotchas
+Note: `just check` and `just rebuild` have `[macos]`/`[linux]` variants — the justfile auto-selects by platform.
 
-- **Neovim uses lazyvim-nix**: `programs.lazyvim` in `home/dev/neovim.nix` manages neovim via the `lazyvim-nix` flake input. Catppuccin nvim integration is explicitly disabled (`catppuccin.nvim.enable = false`) because LazyVim manages its own colorscheme. Don't try to use `catppuccin.enable` for nvim or the old `programs.neovim.plugins` approach.
+## Gotchas
-- **catppuccin module name**: Home-manager uses `catppuccin.homeModules.catppuccin` (imported in `home/default.nix`). NixOS uses `catppuccin.nixosModules.catppuccin` (in `lib/default.nix`). Don't use the old `homeManagerModules` name.
-- **Homebrew tap casks**: Casks from taps need full path (e.g. `"goooler/repo/fl-clash"`), not just the short name.
-- **`onActivation.cleanup = "zap"`**: Any brew formula/cask NOT declared in `modules/darwin/default.nix` WILL be removed on rebuild. Be comprehensive.
-- **First-time bootstrap requires sudo**: `sudo nix run nix-darwin -- switch --flake .#mac-mini` (not `darwin-rebuild` which doesn't exist yet).
-- **mise for version management**: Activated in `home/shell/fish.nix` via `mise activate fish | source`. Config in `home/dev/languages.nix` trusts all config paths.
 
-## Secrets (1Password CLI)
+- **Shared settings in `modules/shared/`** — don't re-declare fish/openssh/1password/fonts in platform modules.
+- **`sshKeys` centralized** in `lib/default.nix` via `specialArgs`. Don't hardcode.
+- **WSL aliases force-cleared** — `hosts/wsl/default.nix` uses `lib.mkForce {}`. All aliases via Home Manager only.
+- **Neovim = lazyvim-nix** — `programs.lazyvim` in `home/dev/neovim.nix`. `catppuccin.nvim.enable = false` (LazyVim manages colorscheme). The `lazyvim.homeManagerModules.default` is loaded as a sharedModule in `lib/default.nix`.
+- **catppuccin modules** — `catppuccin.homeModules.catppuccin` (home), `catppuccin.nixosModules.catppuccin` (NixOS). Not the old `homeManagerModules`.
+- **Homebrew `cleanup = "zap"`** — undeclared casks/brews get removed. `greedyCasks = true` upgrades even auto-updating casks. Shared → `modules/darwin/`, host-specific → `hosts/*/`. Tap casks need full path (e.g. `"goooler/repo/fl-clash"`).
+- **Ghostty macOS-only** — `enable = pkgs.stdenv.isDarwin`, `package = null` (Homebrew cask). Terminfo propagated via `ghostty.terminfo` in `modules/nixos/`.
+- **nix-ld on WSL** — `programs.nix-ld.enable = true` for VSCode Remote.
+- **home-manager `backupFileExtension = "bak"`** — set in `lib/default.nix`. Existing dotfiles get `.bak` suffix on conflict.
+- **mise** — runtime version management (`home/dev/languages.nix`). `trusted_config_paths = [ "/" ]` trusts all config files.
 
-- **Not sops-nix** — secrets are injected at shell startup via `op inject` (1Password CLI).
+## Environment
-- Template: `home/shell/fish.nix` generates `~/.config/op-env/env.tpl` with `op://` references (safe to commit — contains no real secrets).
-- Fish function `op-env` runs on interactive shell init, calling `op inject --in-file` to set env vars: `AI_GATEWAY_BASE_URL`, `AI_GATEWAY_API_KEY`, `EXA_API_KEY`, `CONTEXT7_API_KEY`.
-- macOS: `programs._1password.enable = true` in `modules/darwin/default.nix`.
-- WSL: aliases `op` to `op.exe` (Windows interop) in `home/shell/fish.nix`.
-- Never commit `*.dec.yaml`, `*.dec.json`, `*.plaintext` (in `.gitignore`).
 
-## Shell
+1Password CLI secrets are **cached locally** — shell startup reads `~/.cache/op-env/env.fish` (no network).
 
-Fish (not zsh). All tool integrations use `enableFishIntegration`. Key files:
+- Template: `home/shell/fish.nix` → `~/.config/op-env/env.tpl` (`op://` refs, safe to commit)
-- `home/shell/fish.nix` — abbreviations, interactiveShellInit, mise activation
+- Cache: `~/.cache/op-env/env.fish` (plaintext, `chmod 600`, outside git/nix store)
-- `home/shell/tools.nix` — fzf, atuin, zoxide (`--cmd cd`), direnv, bat, eza, yazi, btop, zellij
+- Auth: `OP_SERVICE_ACCOUNT_TOKEN` in `~/.config/fish/local.fish` (gitignored)
-- `home/shell/starship.nix` — prompt
+- Refresh: user runs `op-env-refresh` manually (needs network). Atomic write (mktemp + mv), failure keeps old cache.
+- Clear: `op-env-clear` removes cache file.
+- `local.fish` is sourced **after** the cache, so it can override env vars per-machine.
 
 ## Home Manager option API
 
-These options were renamed in recent home-manager; use the new names:
+Use the new names:
 - `programs.git.settings.user.{name,email}` (not `userName`/`userEmail`)
 - `programs.git.settings.*` (not `extraConfig`)
 - `programs.delta.{enable,options}` (not `programs.git.delta.*`)
 - `programs.delta.enableGitIntegration = true` (must be explicit)
-- `programs.ssh.matchBlocks."*".addKeysToAgent` (not top-level `addKeysToAgent`)
+- `programs.ssh.matchBlocks."*".addKeysToAgent` (not top-level)
-- `programs.ssh.enableDefaultConfig = false` (set explicitly)
+- `programs.ssh.enableDefaultConfig = false`
 
-## Nix LSP & formatter
+## Nix tooling
 
-- LSP: `nixd` (not `nil`). Provides nixpkgs/option completion.
+- LSP: `nixd`. Formatter: `nixfmt`. Linter: `statix`.
-- Formatter: `nixfmt`. Run: `nixfmt <file.nix>`
+- All in `home/dev/languages.nix`.
-- Both installed via `home/dev/languages.nix`.
+- `just lsp <host>` generates `.vscode/settings.json` from `.vscode/settings.base.json` (gitignored output).
-- VSCode settings for nixd option completion: `just lsp <host>` (generates `.vscode/settings.json` from `.vscode/settings.base.json`)
 
 ## Tool usage
 
-- **Always use the `nixos_nix` MCP tool** when searching for nix-darwin / NixOS / home-manager options. Query with `source=darwin/nixos/home-manager` and `type=options/packages` to find available options before writing config. Do not guess option names or value types — verify first.
+- `opencode.jsonc` configures `just-lsp` (LSP) and `mcp-nixos` (MCP).
+- **Always use `nixos_nix` MCP** to look up nix-darwin/NixOS/home-manager options before writing config. Don't guess option names.

README.md

@@ -1,6 +1,6 @@
 # Nix Config
 
-使用 [nix-darwin](https://github.com/nix-darwin/nix-darwin) + [NixOS-WSL](https://github.com/nix-community/NixOS-WSL) + [Home Manager](https://github.com/nix-community/home-manager) + [Flakes](https://nix.dev/concepts/flakes) 声明式管理三台设备的系统配置。
+nix-darwin + NixOS-WSL + Home Manager + Flakes 声明式管理三台设备的系统配置。
 
 ## 设备
 
@@ -12,108 +12,114 @@
 
 ## 快速开始
 
-### macOS (Mac Mini / MacBook Air)
+### macOS
 
-1. 安装 [Lix](https://lix.systems/)（Nix 的社区分支，nix-darwin 官方推荐）：
+1. 安装 [Lix](https://lix.systems/)：
 
 ```bash
 curl -sSf -L https://install.lix.systems/lix | sh -s -- install
 ```
 
-2. 克隆仓库并首次构建：
+2. 安装 [Homebrew](https://brew.sh/)（nix-darwin 不会自动安装）：
+
+```bash
+/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
+```
+
+3. 克隆仓库并首次构建：
 
 ```bash
 git clone <repo-url> ~/nix-config
 cd ~/nix-config
-# 首次（nix-darwin 尚未安装）：
+sudo nix run nix-darwin -- switch --flake .#macbook-air
-sudo nix run nix-darwin -- switch --flake .#mac-mini
-# 之后日常重建：
-sudo darwin-rebuild switch --flake .#mac-mini
 ```
 
-### WSL (Windows PC)
+之后日常重建：`just rebuild macbook-air`
 
-1. 安装 [NixOS-WSL](https://github.com/nix-community/NixOS-WSL/releases)：
+### WSL
+
+1. 启用 WSL 并更新内核：
+
+```powershell
+wsl --install --no-distribution
+wsl --update
+```
+
+2. 安装 [NixOS-WSL](https://github.com/nix-community/NixOS-WSL/releases)：
 
 ```powershell
 wsl --import NixOS C:\wsl\nixos nixos-wsl.tar.gz
 wsl -d NixOS
 ```
 
-2. 克隆仓库并构建：
+3. 首次构建：
 
 ```bash
+nix shell nixpkgs#git
 git clone <repo-url> ~/nix-config
 cd ~/nix-config
 sudo nixos-rebuild switch --flake .#wsl
 ```
 
+之后日常重建：`just rebuild wsl`
+
 ## 仓库结构
 
 ```
-├── flake.nix                  # 入口：输入源 + 输出配置
+flake.nix                      # 入口
-├── flake.lock                 # 依赖锁定文件
+hosts/                         # 主机特定配置
-├── hosts/
+modules/
-│   ├── mac-mini/default.nix   # Mac Mini 特定配置
+  ├── darwin/                  # macOS 模块
-│   ├── macbook-air/default.nix# MacBook Air 特定配置
+  ├── nixos/                   # NixOS 模块
-│   └── wsl/default.nix        # WSL 特定配置
+  └── shared/                  # 共享模块
-├── modules/
+home/                          # Home Manager 配置
-│   ├── darwin/default.nix     # macOS 模块（Homebrew、系统偏好等）
+  ├── dev/                     # 开发工具
-│   ├── nixos/                 # NixOS 模块
+  └── shell/                   # Shell 配置
-│   │   ├── base.nix           # 基础包
+lib/default.nix                # 构建辅助函数
-│   │   ├── docker.nix         # Docker 配置
+overlays/ + pkgs/              # 自定义包
-│   │   ├── locale.nix         # 区域 / 语言
-│   │   └── default.nix        # 入口（用户、shell）
-│   └── shared/                # 共享模块（Nix 设置）
-├── home/                      # Home Manager 配置
-│   ├── default.nix            # 入口 + 用户级包
-│   ├── theme.nix              # Catppuccin 主题
-│   ├── dev/                   # 开发工具
-│   │   ├── neovim.nix
-│   │   ├── languages.nix      # 语言运行时、LSP
-│   │   └── git.nix
-│   └── shell/                 # Shell 配置
-│       ├── fish.nix           # Fish shell
-│       ├── starship.nix       # Prompt
-│       └── tools.nix          # fzf, atuin, zoxide 等
-├── lib/default.nix            # 构建辅助函数
-├── overlays/                  # 自定义包覆盖
-└── pkgs/                      # 自定义包
 ```
 
-**配置层级**：`hosts/*`（主机特定） → `modules/*`（平台模块） → `home/*`（用户级，跨平台共享）
+配置层级：`hosts/*` → `modules/*` → `home/*`
 
 ## 日常使用
 
 ```bash
-# 重建（abbreviation 自动选择 darwin-rebuild 或 nixos-rebuild）
+just rebuild <host>   # 重建系统
-rebuild
+just update           # 更新所有 flake 输入
-
+just up <input>       # 更新单个输入
-# 更新所有依赖
+just check            # 检查配置
-update
+just clean            # 清理旧 generation
-
+just rollback         # 回滚（仅 NixOS）
-# 回滚（NixOS）
+just history          # 查看 profile 历史
-sudo nixos-rebuild switch --rollback
+just show             # 显示 flake 输出
-
-# 清理旧 generation
-sudo nix-collect-garbage -d   # NixOS
-nix-collect-garbage -d        # macOS
 ```
 
 ## Shell
 
-使用 **Fish** 作为默认 shell，搭配：
+Fish + Starship + Atuin + Zoxide + FZF + Direnv，Catppuccin Mocha 主题。
 
-- **Starship** — 跨平台 prompt
+常用自定义：
-- **Atuin** — shell 历史搜索
+- fish abbreviation → `home/shell/fish.nix`
-- **Zoxide** — 智能 cd（`cd` = zoxide, `cdi` = 交互选择）
+- 添加包 → `home/default.nix` 或 `home/dev/languages.nix`
-- **FZF** — 模糊搜索（Ctrl-R 历史, Ctrl-T 文件, Alt-C 目录）
+- Homebrew cask → `modules/darwin/default.nix`
-- **Direnv** — 自动加载项目环境
-- **Catppuccin Mocha** — 统一主题
 
-### 自定义
+## Environment
 
-- 添加 fish abbreviation: 编辑 `home/shell/fish.nix` 中的 `shellAbbrs`
+1Password CLI `op inject` 获取环境变量，本地缓存后离线可用。
-- 添加包: 编辑 `home/default.nix` 或 `home/dev/languages.nix`
+
-- 添加 Homebrew cask: 编辑 `modules/darwin/default.nix` 中的 `homebrew.casks`
+模板文件 `~/.config/op-env/env.tpl` 由 `home/shell/fish.nix` 生成，仅包含 `op://` 引用，可安全提交。
-- 查包名: `nix search nixpkgs <关键词>` 或 [search.nixos.org](https://search.nixos.org/packages)
+
+Shell 启动时只读取本地缓存（`~/.cache/op-env/env.fish`），不联网。首次使用或密钥变更后需手动刷新：
+
+```bash
+op-env-refresh   # 从 1Password 获取并缓存（需联网）
+op-env-clear     # 清除本地缓存
+```
+
+认证需要在 `~/.config/fish/local.fish`（gitignored）中设置：
+
+```bash
+set -gx OP_SERVICE_ACCOUNT_TOKEN "your-service-account-token"
+```
+
+未设置 token 时 `op-env-refresh` 会提示错误，不影响已有缓存的正常使用。

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1775994227,
+        "lastModified": 1776190523,
-        "narHash": "sha256-4VKeWtl9dEubrgpy9fSXkXbjBZlNXPNlQQM5l1ppHv4=",
+        "narHash": "sha256-qfZWzaWuXfbF487cXj43uT7HWtqF45A+g7g59fOPYsk=",
         "owner": "catppuccin",
         "repo": "nix",
-        "rev": "d0a9a21ed8e235956a768fc624242ec9a3e15575",
+        "rev": "2eefec08414e2f90824bf2b508ea38ef6f295dfa",
         "type": "github"
       },
       "original": {
@@ -61,11 +61,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1776046499,
+        "lastModified": 1776184304,
-        "narHash": "sha256-Wzc4nn07/0RL21ypPHRzNDQZcjhIC8LaYo7QJQjM5T4=",
+        "narHash": "sha256-No6QGBmIv5ChiwKCcbkxjdEQ/RO2ZS1gD7SFy6EZ7rc=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "287f84846c1eb3b72c986f5f6bebcff0bd67440d",
+        "rev": "3c7524c68348ef79ce48308e0978611a050089b2",
         "type": "github"
       },
       "original": {

flake.nix

@@ -37,7 +37,7 @@
       mylib = import ./lib { inherit inputs; };
     in
     {
-      # ── macOS hosts ─────────────────────────────────────
+      # ── macOS 主机 ──────────────────────────────────────
       darwinConfigurations = {
         mac-mini = mylib.mkDarwin {
           hostname = "awesome-mac-mini";
@@ -54,7 +54,7 @@
         };
       };
 
-      # ── NixOS hosts (WSL on Windows PC) ─────────────────
+      # ── NixOS 主机（Windows PC 上的 WSL）──────────────
       nixosConfigurations = {
         wsl = mylib.mkNixos {
           hostname = "awesome-wsl";
@@ -67,14 +67,19 @@
         };
       };
 
-      # ── Packages ────────────────────────────────────────
+      # ── 自定义包 ─────────────────────────────────────────
-      packages = nixpkgs.lib.genAttrs [ "aarch64-darwin" "x86_64-linux" ] (system: {
+      packages = nixpkgs.lib.genAttrs [ "aarch64-darwin" "x86_64-linux" ] (
-        comment-checker =
+        system:
-          (import nixpkgs {
+        let
+          pkgs = import nixpkgs {
             inherit system;
             overlays = [ self.overlays.default ];
-          }).comment-checker;
+          };
-      });
+        in
+        {
+          inherit (pkgs) comment-checker;
+        }
+      );
 
       # ── Overlays ───────────────────────────────────────
       overlays.default = import ./overlays;

home/default.nix

@@ -10,53 +10,52 @@
     inputs.catppuccin.homeModules.catppuccin
     ./shell
     ./dev
-    ./theme.nix
   ];
 
+  catppuccin = {
+    enable = true;
+    flavor = "mocha";
+  };
+
   home = {
     username = username;
     homeDirectory = if pkgs.stdenv.isDarwin then "/Users/${username}" else "/home/${username}";
-    stateVersion = "24.11";
+    stateVersion = "25.11";
   };
 
-  # ── User-level packages ────────────────────────────
+  home.packages = with pkgs; [
-  home.packages =
+    # 现代 CLI 替代工具
-    with pkgs;
+    dust # du
-    [
+    duf # df
-      # Modern CLI replacements
+    procs # ps
-      dust # du
+    sd # sed
-      duf # df
+    jq # JSON
-      procs # ps
+    yq # YAML
-      sd # sed
+    wget
-      jq # JSON
-      yq # YAML
-      wget
 
-      # System info
+    # 系统信息
-      fastfetch
+    fastfetch
-      tealdeer # tldr
+    tealdeer # tldr
 
-      # File management
+    # 文件管理
-      gomi
+    gomi
+    ouch # 压缩/解压
 
-      # Nix tools
+    # Nix 工具
-      nix-output-monitor # nom
+    nix-output-monitor # nom
-      nvd # nix version diff
+    nvd # Nix 版本对比
-      nh # nix helper
+    nh # Nix 辅助工具
-      just
+    just
 
-      # Secrets management (WSL uses Windows op.exe via interop)
+    # AI 编程代理
-    ]
+    opencode
-    ++ (with pkgs; [
+    comment-checker
-      # AI coding agent
+    skills
-      opencode
-      comment-checker
 
-      # Misc
+    # 其他
-      ffmpeg
+    ffmpeg
-      pandoc
+    pandoc
-    ]);
+  ];
 
-  # XDG directories
   xdg.enable = true;
 }

home/dev/git.nix

@@ -1,14 +1,12 @@
-{ ... }:
+_:
 
 {
   programs.git = {
     enable = true;
     signing.format = null;
     settings = {
-      user = {
+      user.name = "imbytecat";
-        name = "imbytecat";
+      user.email = "imbytecat@gmail.com";
-        email = "imbytecat@gmail.com";
-      };
       merge.conflictstyle = "zdiff3";
       pull.rebase = true;
       push.autoSetupRemote = true;
@@ -36,9 +34,7 @@
         nerdFontsVersion = "3";
         showBottomLine = false;
       };
-      git.pagers = [
+      git.pagers = [ { pager = "delta --paging=never"; } ];
-        { pager = "delta --paging=never"; }
-      ];
       update.method = "never";
       disableStartupPopups = true;
     };

home/dev/languages.nix

@@ -2,18 +2,16 @@
 
 {
   home.packages = with pkgs; [
-    # ── Language runtimes ──
+    # ── 语言运行时 ──
-    # Node.js: 默认跟随 nixpkgs，当前 unstable 为 v24.14.0
-    # 如需固定 LTS 版本，改为: nodejs_22 或 nodejs_20
     nodejs
     go
     bun
+    python3
 
-    # ── Package management / version management ──
+    # ── 包管理 / 版本管理 ──
-    mise
     uv
 
-    # ── LSP servers ──
+    # ── LSP 服务器 ──
     bash-language-server
     gopls
     typescript-language-server
@@ -21,25 +19,31 @@
     vue-language-server
     dockerfile-language-server
     lua-language-server
-    nixd # Nix LSP
+    nixd
-    just-lsp # Justfile LSP
+    just-lsp
 
-    # ── Linter / Formatter ──
+    # ── 代码检查 / 格式化 ──
     biome
     ruff
     shellcheck
     shfmt
-    nixfmt # nix formatter
+    nixfmt
-    statix # nix linter
+    statix
     stylua
 
-    # ── Code intelligence ──
+    # ── 代码智能 ──
     ast-grep
   ];
 
-  # ── mise config ──────────────────────────────────────
+  # ── mise ─────────────────────────────────────────────
-  xdg.configFile."mise/config.toml".text = ''
+  programs.mise = {
-    [settings]
+    enable = true;
-    trusted_config_paths = ["/"]
+    enableFishIntegration = true;
-  '';
+    globalConfig = {
+      settings = {
+        trusted_config_paths = [ "/" ];
+        all_compile = false;
+      };
+    };
+  };
 }

home/dev/neovim.nix

@@ -1,7 +1,7 @@
-{ ... }:
+_:
 
 {
-  # Disable catppuccin/nix neovim integration — LazyVim manages its own colorscheme
+  # 禁用 catppuccin/nix 的 Neovim 集成 — LazyVim 自行管理配色方案
   catppuccin.nvim.enable = false;
 
   programs.neovim = {
@@ -22,7 +22,7 @@
       lang.docker.enable = true;
     };
 
-    # Catppuccin Mocha colorscheme (managed by LazyVim, not catppuccin/nix)
+    # Catppuccin Mocha 配色方案（由 LazyVim 管理，非 catppuccin/nix）
     plugins = {
       colorscheme = ''
         return {

home/shell/default.nix

@@ -1,6 +1,7 @@
 {
   imports = [
     ./fish.nix
+    ./ghostty.nix
     ./starship.nix
     ./tools.nix
   ];

home/shell/fish.nix

@@ -1,81 +1,135 @@
-{ config, ... }:
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
 
 let
   envTpl = "${config.xdg.configHome}/op-env/env.tpl";
+  envCache = "${config.xdg.cacheHome}/op-env/env.fish";
 in
 {
-  # ── 1Password env template ──────────────────────────
+  # ── 1Password 环境变量模板 ─────────────────────────────
-  # op:// references only — no real secrets, safe to commit
+  # 仅包含 op:// 引用 — 无真实密钥，可安全提交
-  # Kept outside ~/.config/op — that dir must be 700 and owned by op CLI
+  # 放在 ~/.config/op 之外 — 该目录必须是 700 权限且属于 op CLI
   xdg.configFile."op-env/env.tpl".text = ''
-    AI_GATEWAY_BASE_URL={{ op://Private/AI Gateway API/URL }}
+    set -gx AI_GATEWAY_BASE_URL "{{ op://Developer/AI Gateway API/URL }}"
-    AI_GATEWAY_API_KEY={{ op://Private/AI Gateway API/credential }}
+    set -gx AI_GATEWAY_API_KEY "{{ op://Developer/AI Gateway API/credential }}"
-    EXA_API_KEY={{ op://Private/Exa API/credential }}
+    set -gx EXA_API_KEY "{{ op://Developer/Exa API/credential }}"
-    CONTEXT7_API_KEY={{ op://Private/Context7 API/credential }}
+    set -gx CONTEXT7_API_KEY "{{ op://Developer/Context7 API/credential }}"
   '';
 
   programs.fish = {
     enable = true;
 
     shellAbbrs = {
-      # Navigation (one-shot, no need to recall in history)
+      # 导航（一次性命令，无需记录历史）
       ".." = "cd ..";
       "..." = "cd ../..";
     };
 
     shellAliases = {
-      # File listing (eza) — base aliases (ls/la/lt) from programs.eza
+      # 文件列表（eza）— 基础别名（ls/la/lt）来自 programs.eza
       ll = "eza -lh";
       lla = "eza -lah --time-style=long-iso";
 
-      # Tools
       cat = "bat --paging=never";
       rm = "gomi";
       lg = "lazygit";
-      vi = "nvim";
     };
 
     interactiveShellInit = ''
-      # No greeting
       set -g fish_greeting
-
-      # PATH
       fish_add_path $HOME/go/bin $HOME/.bun/bin
+      ${lib.optionalString pkgs.stdenv.isDarwin ''fish_add_path "/Applications/Visual Studio Code.app/Contents/Resources/app/bin"''}
 
-      # mise
+      # 双击 Escape 在命令前插入 sudo
-      mise activate fish | source
-
-      # Sudo: double Escape to prepend sudo
       bind \e\e 'fish_commandline_prepend sudo'
 
-      # WSL clipboard
+      # WSL 剪贴板
       if set -q WSL_DISTRO_NAME
         alias pbcopy clip.exe
         alias pbpaste "powershell.exe -noprofile -c Get-Clipboard"
-        alias op op.exe
       end
 
-      # User-local overrides
+      # Windows Terminal：发送 OSC 9;9 使新标签页/窗格在同一目录打开
+      function __wt_osc9_9 --on-variable PWD
+        if test -n "$WT_SESSION"
+          printf "\e]9;9;%s\e\\" (wslpath -w "$PWD")
+        end
+      end
+
+      # 1Password → 环境变量（本地缓存，启动时不联网）
+      # 启动时仅加载缓存；手动执行 op-env-refresh 拉取/更新
+      # 通过 OP_SERVICE_ACCOUNT_TOKEN 认证（在 ~/.config/fish/local.fish 中设置）
+      function op-env-refresh --description "Fetch secrets from 1Password and cache locally"
+        if not type -q op
+          echo "op-env: op CLI not found in PATH" >&2
+          return 1
+        end
+        if not set -q OP_SERVICE_ACCOUNT_TOKEN; or test -z "$OP_SERVICE_ACCOUNT_TOKEN"
+          echo "op-env: OP_SERVICE_ACCOUNT_TOKEN is not set" >&2
+          return 1
+        end
+        if not test -f "${envTpl}"
+          echo "op-env: template not found: ${envTpl}" >&2
+          return 1
+        end
+        set -l cache_dir (path dirname "${envCache}")
+        if not mkdir -p "$cache_dir"; or not chmod 700 "$cache_dir"
+          echo "op-env: cannot prepare cache dir: $cache_dir" >&2
+          return 1
+        end
+        set -l tmp (mktemp "$cache_dir/.tmp.XXXXXX")
+        or begin
+          echo "op-env: mktemp failed" >&2
+          return 1
+        end
+        if not op inject --in-file "${envTpl}" > "$tmp"
+          command rm -f "$tmp"
+          echo "op-env: inject failed; old cache kept" >&2
+          return 1
+        end
+        # 替换缓存前记录旧变量名
+        set -l old_vars
+        if test -f "${envCache}"
+          set old_vars (string match -rg 'set -gx (\S+)' < "${envCache}")
+        end
+        if not mv "$tmp" "${envCache}"
+          command rm -f "$tmp"
+          echo "op-env: cannot replace cache file" >&2
+          return 1
+        end
+        for var in $old_vars
+          set -e $var
+        end
+        if not source "${envCache}"
+          echo "op-env: cache written but could not be sourced" >&2
+          return 1
+        end
+        echo "op-env: refreshed"
+      end
+
+      function op-env-clear --description "Clear cached secrets"
+        if test -f "${envCache}"
+          for var in (string match -rg 'set -gx (\S+)' < "${envCache}")
+            set -e $var
+          end
+          command rm -f "${envCache}"
+        end
+        echo "op-env: cleared"
+      end
+
+      # 加载缓存的密钥（即时，不联网）
+      if test -f "${envCache}"
+        source "${envCache}"
+      end
+
+      # 用户本地配置（OP_SERVICE_ACCOUNT_TOKEN、机器特定覆盖）
       if test -f ~/.config/fish/local.fish
         source ~/.config/fish/local.fish
       end
-
-      # 1Password → env vars (single op call, silent on failure)
-      function op-env --description "Load secrets from 1Password"
-        if not type -q op; or not test -f ${envTpl}
-          return 1
-        end
-        set -l output (op inject --in-file ${envTpl} 2>/dev/null)
-        or return 1
-        for line in $output
-          string match -qr '^\s*(#|$)' -- $line; and continue
-          set -l kv (string split -m 1 '=' $line)
-          if test (count $kv) -ge 2
-            set -gx $kv[1] $kv[2]
-          end
-        end
-      end
-      op-env
     '';
   };
 }

home/shell/ghostty.nix

@@ -0,0 +1,13 @@
+{ pkgs, ... }:
+
+{
+  programs.ghostty = {
+    enable = pkgs.stdenv.isDarwin;
+    package = null; # 通过 Homebrew cask 安装
+    settings = {
+      font-family = "Maple Mono NF CN";
+      font-size = 14;
+      shell-integration-features = "cursor,sudo,title,ssh-env,ssh-terminfo";
+    };
+  };
+}

home/shell/starship.nix

@@ -18,10 +18,11 @@
         "$git_branch"
         "$git_status"
         "[](fg:yellow bg:green)"
-        "$nodejs"
+        "$bun"
-        "$python"
         "$golang"
         "$nix_shell"
+        "$nodejs"
+        "$python"
         "[](fg:green bg:sapphire)"
         "$docker_context"
         "[](fg:sapphire bg:lavender)"
@@ -38,6 +39,7 @@
         symbols = {
           Linux = "󰌽";
           Macos = "󰀵";
+          NixOS = "";
           Windows = "";
         };
       };
@@ -55,11 +57,11 @@
         truncation_length = 3;
         truncation_symbol = "…/";
         substitutions = {
-          Developer = "󰲋 ";
+          Developer = "󰲋";
-          Documents = "󰈙 ";
+          Documents = "󰈙";
-          Downloads = " ";
+          Downloads = "";
-          Music = "󰝚 ";
+          Music = "󰝚";
-          Pictures = " ";
+          Pictures = "";
         };
       };
 
@@ -74,17 +76,10 @@
         format = "[[($all_status$ahead_behind )](fg:crust bg:yellow)]($style)";
       };
 
-      nodejs = {
+      bun = {
-        symbol = "";
+        symbol = "";
         style = "bg:green";
         format = "[[ $symbol( $version) ](fg:crust bg:green)]($style)";
-        detect_extensions = [ ];
-      };
-
-      python = {
-        symbol = "";
-        style = "bg:green";
-        format = "[[ $symbol( $version)(\\($virtualenv\\)) ](fg:crust bg:green)]($style)";
       };
 
       golang = {
@@ -99,6 +94,19 @@
         format = "[[ $symbol$state( \\($name\\)) ](fg:crust bg:green)]($style)";
       };
 
+      nodejs = {
+        symbol = "";
+        style = "bg:green";
+        format = "[[ $symbol( $version) ](fg:crust bg:green)]($style)";
+        detect_extensions = [ ];
+      };
+
+      python = {
+        symbol = "";
+        style = "bg:green";
+        format = "[[ $symbol( $version)(\\($virtualenv\\)) ](fg:crust bg:green)]($style)";
+      };
+
       docker_context = {
         symbol = "";
         style = "bg:sapphire";

home/shell/tools.nix

@@ -19,7 +19,7 @@
     ];
   };
 
-  # ── Atuin (shell history) ────────────────────────────
+  # ── Atuin（Shell 历史记录）─────────────────────────────
   programs.atuin = {
     enable = true;
     enableFishIntegration = true;
@@ -33,11 +33,11 @@
     };
   };
 
-  # ── Zoxide (smart cd) ───────────────────────────────
+  # ── Zoxide（智能 cd）──────────────────────────────────
   programs.zoxide = {
     enable = true;
     enableFishIntegration = true;
-    options = [ "--cmd cd" ]; # cd/cdi instead of z/zi
+    options = [ "--cmd cd" ]; # 用 cd/cdi 替代 z/zi
   };
 
   # ── Direnv + nix-direnv ─────────────────────────────
@@ -50,7 +50,7 @@
     };
   };
 
-  # ── Bat (cat replacement) ───────────────────────────
+  # ── Bat（cat 替代）────────────────────────────────────
   programs.bat = {
     enable = true;
     extraPackages = with pkgs.bat-extras; [
@@ -59,7 +59,7 @@
     ];
   };
 
-  # ── Eza (ls replacement) ────────────────────────────
+  # ── Eza（ls 替代）─────────────────────────────────────
   programs.eza = {
     enable = true;
     enableFishIntegration = true;
@@ -70,14 +70,14 @@
     ];
   };
 
-  # ── Yazi (file manager) ─────────────────────────────
+  # ── Yazi（文件管理器）────────────────────────────────
   programs.yazi = {
     enable = true;
     enableFishIntegration = true;
     shellWrapperName = "y";
   };
 
-  # ── Btop (system monitor) ───────────────────────────
+  # ── Btop（系统监控）──────────────────────────────────
   programs.btop = {
     enable = true;
     settings = {
@@ -85,7 +85,7 @@
     };
   };
 
-  # ── Zellij (terminal multiplexer) ────────────────────
+  # ── Zellij（终端复用器）──────────────────────────────
   programs.zellij = {
     enable = true;
     enableFishIntegration = false;

home/theme.nix

@@ -1,8 +0,0 @@
-{ ... }:
-
-{
-  catppuccin = {
-    enable = true;
-    flavor = "mocha";
-  };
-}

hosts/mac-mini/default.nix

@@ -1,13 +1,13 @@
 { ... }:
 
 {
-  # ── Mac Mini specific ─────────────────────────────────
+  # ── Mac Mini 专属配置 ────────────────────────────────
-  # Always plugged in — 24/7 server role
+  # 常驻供电 — 全天候服务器角色
 
-  # Touch ID for sudo
+  # Touch ID 验证 sudo
   security.pam.services.sudo_local.touchIdAuth = true;
 
-  # ── Never sleep ─────────────────────────────────────
+  # ── 禁止睡眠 ────────────────────────────────────────
   power.sleep.computer = "never";
   power.sleep.display = "never";
   power.sleep.harddisk = "never";
@@ -15,17 +15,17 @@
   power.restartAfterPowerFailure = true;
   power.restartAfterFreeze = true;
 
-  # ── Wake on LAN ──────────────────────────────────
+  # ── 网络唤醒（WoL）─────────────────────────────────
   networking.wakeOnLan.enable = true;
 
-  # ── Screen Sharing (VNC) & pmset ─────────────────
+  # ── 屏幕共享（VNC）& pmset ──────────────────────────
   system.activationScripts.postActivation.text = ''
     # VNC
     launchctl enable system/com.apple.screensharing
     launchctl load -w /System/Library/LaunchDaemons/com.apple.screensharing.plist 2>/dev/null || true
-    # Disable Power Nap
+    # 禁用 Power Nap
     pmset -a powernap 0
   '';
 
-  system.stateVersion = 5;
+  system.stateVersion = 6;
 }

hosts/macbook-air/default.nix

@@ -1,11 +1,16 @@
 { ... }:
 
 {
-  # ── MacBook Air specific ──────────────────────────────
+  # ── MacBook Air 专属配置 ─────────────────────────────
-  # Portable — battery-conscious settings
+  # 便携设备 — 注意电池续航
 
-  # Touch ID for sudo
+  # Touch ID 验证 sudo
   security.pam.services.sudo_local.touchIdAuth = true;
 
-  system.stateVersion = 5;
+  # ── 刘海屏适配 ──────────────────────────────────────
+  homebrew.casks = [
+    "thaw" # 刘海屏菜单栏管理工具
+  ];
+
+  system.stateVersion = 6;
 }

hosts/wsl/default.nix

@@ -1,6 +1,10 @@
-{ username, ... }:
+{ lib, username, ... }:
 
 {
+  # ── Shell ─────────────────────────────────────────────
+  # 移除 NixOS 默认别名（ls/ll/l）— 由 Home Manager eza 管理
+  environment.shellAliases = lib.mkForce { };
+
   # ── WSL ──────────────────────────────────────────────
   wsl = {
     enable = true;
@@ -11,5 +15,5 @@
   # ── nix-ld (VSCode Remote, etc.) ────────────────────
   programs.nix-ld.enable = true;
 
-  system.stateVersion = "24.11";
+  system.stateVersion = "25.11";
 }

justfile

@@ -17,7 +17,7 @@ rebuild host:
 # Rebuild and switch to new system configuration
 [linux]
 [group('build')]
-rebuild host="wsl":
+rebuild host:
     sudo nixos-rebuild switch --flake .#{{host}}
 
 # Check configs evaluate without errors
@@ -27,6 +27,12 @@ check:
     @nix eval .#darwinConfigurations.mac-mini.system > /dev/null && echo "mac-mini: ok"
     @nix eval .#darwinConfigurations.macbook-air.system > /dev/null && echo "macbook-air: ok"
 
+# Rollback to previous system generation
+[linux]
+[group('build')]
+rollback:
+    sudo nixos-rebuild switch --rollback
+
 # Check configs evaluate without errors
 [linux]
 [group('build')]
@@ -66,15 +72,10 @@ clean:
 
 ############################################################################
 #
-#  Secrets & tooling
+#  Tooling
 #
 ############################################################################
 
-# Edit encrypted secrets
-[group('tools')]
-secrets:
-    sops secrets/secrets.yaml
-
 # Generate .vscode/settings.json with LSP option completion
 [macos]
 [group('tools')]
@@ -85,6 +86,6 @@ lsp host:
 # Generate .vscode/settings.json with LSP option completion
 [linux]
 [group('tools')]
-lsp host="wsl":
+lsp host:
     @jq --arg h "{{host}}" '."nix.serverSettings".nixd.options = {"nixos":{"expr":"(builtins.getFlake (toString ./.)).nixosConfigurations.\($h).options"},"home-manager":{"expr":"(builtins.getFlake (toString ./.)).nixosConfigurations.\($h).options.home-manager.users.type.getSubOptions []"}}' .vscode/settings.base.json > .vscode/settings.json
     @echo "Generated .vscode/settings.json for {{host}}"

lib/default.nix

@@ -3,30 +3,28 @@
 let
   inherit (inputs.nixpkgs) lib;
 
-  # Shared home-manager configuration block
+  sshKeys = [
-  homeManagerConfig =
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDRTOo48gzzRGT+bF9dzJCFJu61YgsQVONFtxU9kTPIg"
-    {
+  ];
-      username,
+
-      sharedModules ? [ ],
+  # 共享的 Home Manager 配置块
-    }:
+  homeManagerConfig = username: {
-    {
+    home-manager = {
-      home-manager = {
+      useGlobalPkgs = true;
-        useGlobalPkgs = true;
+      useUserPackages = true;
-        useUserPackages = true;
+      backupFileExtension = "bak";
-        backupFileExtension = "bak";
+      sharedModules = [
-        sharedModules = [
+        inputs.lazyvim.homeManagerModules.default
-          inputs.lazyvim.homeManagerModules.default
+      ];
-        ]
+      extraSpecialArgs = {
-        ++ sharedModules;
+        inherit inputs username;
-        extraSpecialArgs = {
-          inherit inputs username;
-        };
-        users.${username} = import ../home;
       };
+      users.${username} = import ../home;
     };
+  };
 in
 {
-  # ── NixOS host builder ──────────────────────────────
+  # ── NixOS 主机构建器 ─────────────────────────────────
   mkNixos =
     {
       hostname,
@@ -37,20 +35,25 @@ in
     lib.nixosSystem {
       inherit system;
       specialArgs = {
-        inherit inputs hostname username;
+        inherit
+          inputs
+          hostname
+          username
+          sshKeys
+          ;
       };
       modules = [
         ../modules/shared
         ../modules/nixos
         inputs.home-manager.nixosModules.home-manager
         inputs.catppuccin.nixosModules.catppuccin
-        (homeManagerConfig { inherit username; })
+        (homeManagerConfig username)
         { networking.hostName = hostname; }
       ]
       ++ extraModules;
     };
 
-  # ── nix-darwin host builder ─────────────────────────
+  # ── nix-darwin 主机构建器 ────────────────────────────
   mkDarwin =
     {
       hostname,
@@ -61,13 +64,18 @@ in
     inputs.nix-darwin.lib.darwinSystem {
       inherit system;
       specialArgs = {
-        inherit inputs hostname username;
+        inherit
+          inputs
+          hostname
+          username
+          sshKeys
+          ;
       };
       modules = [
         ../modules/shared
         ../modules/darwin
         inputs.home-manager.darwinModules.home-manager
-        (homeManagerConfig { inherit username; })
+        (homeManagerConfig username)
         { networking.hostName = hostname; }
       ]
       ++ extraModules;

modules/darwin/default.nix

@@ -1,36 +1,27 @@
-{ pkgs, username, ... }:
+{
+  pkgs,
+  username,
+  sshKeys,
+  ...
+}:
 
 {
-  # ── Primary user (required by nix-darwin) ──────────
   system.primaryUser = username;
 
-  # ── Shell ──────────────────────────────────────────
+  # ── 免密 sudo ────────────────────────────────────────
-  programs.fish.enable = true;
+  security.sudo.extraConfig = ''
+    ${username} ALL=(ALL) NOPASSWD:ALL
+  '';
 
-  # ── 1Password CLI ───────────────────────────────────
-  programs._1password.enable = true;
-
-  # ── SSH ───────────────────────────────────────────
-  services.openssh.enable = true;
-
-  # ── User ───────────────────────────────────────────
   users.knownUsers = [ username ];
   users.users.${username} = {
     home = "/Users/${username}";
     shell = pkgs.fish;
     uid = 501;
-    openssh.authorizedKeys.keys = [
+    openssh.authorizedKeys.keys = sshKeys;
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDRTOo48gzzRGT+bF9dzJCFJu61YgsQVONFtxU9kTPIg"
-    ];
   };
 
-  # ── Fonts ──────────────────────────────────────────
+  # ── macOS 系统偏好设置 ────────────────────────────────
-  fonts.packages = with pkgs; [
-    maple-mono.NF-CN-unhinted
-    nerd-fonts.symbols-only
-  ];
-
-  # ── macOS system preferences ───────────────────────
   system.defaults = {
     LaunchServices.LSQuarantine = false;
     dock = {
@@ -44,35 +35,40 @@
       wvous-bl-corner = 1;
       wvous-br-corner = 1;
     };
-    finder = {
+    finder.FXPreferredViewStyle = "clmv";
-      AppleShowAllExtensions = true;
-      FXPreferredViewStyle = "clmv";
-    };
     NSGlobalDomain = {
       AppleShowAllExtensions = true;
       InitialKeyRepeat = 15;
       KeyRepeat = 2;
     };
+    CustomUserPreferences."ch.sudo.cyberduck" = {
+      # 永久禁用捐赠提示（日期设为遥远的未来）
+      "donate.reminder.date" = 253402300799000;
+    };
   };
 
   # ── Homebrew ───────────────────────────────────────
   homebrew = {
     enable = true;
-    greedyCasks = true; # always upgrade casks even if they auto-update
+    greedyCasks = true; # 即使 cask 自动更新也始终升级
+    # 已废弃：Homebrew 将于 2026-09 后移除 --no-quarantine
+    # 待所有 cask 通过 Gatekeeper（签名且公证）后移除此项
+    caskArgs.no_quarantine = true;
 
     taps = [
       "goooler/repo"
     ];
 
     brews = [
-      "mole" # broken in nixpkgs
+      "mole"
     ];
 
-    # GUI apps
+    # GUI 应用
     casks = [
       "1password"
       "brave-browser"
       "cherry-studio"
+      "cyberduck"
       "dbeaver-community"
       "discord"
       "feishu"
@@ -97,6 +93,7 @@
 
     # Mac App Store
     masApps = {
+      "iPreview" = 1519213509;
       "Microsoft Word" = 462054704;
       "Microsoft Excel" = 462058435;
       "Microsoft PowerPoint" = 462062816;
@@ -107,7 +104,7 @@
     onActivation = {
       autoUpdate = true;
       upgrade = true;
-      cleanup = "zap"; # remove anything not declared above
+      cleanup = "zap"; # 移除所有未声明的内容
     };
   };
 }

modules/nixos/base.nix

@@ -1,18 +0,0 @@
-{ pkgs, ... }:
-
-{
-  # ── System-essential packages ──────────────────────
-  # User-level tools live in home-manager (home/)
-  environment.systemPackages = with pkgs; [
-    curl
-    git
-    vim
-    wget
-  ];
-
-  # ── Fonts ──────────────────────────────────────────
-  fonts.packages = with pkgs; [
-    maple-mono.NF-CN-unhinted
-    nerd-fonts.symbols-only
-  ];
-}

modules/nixos/default.nix

@@ -1,28 +1,33 @@
-{ pkgs, username, ... }:
+{
+  pkgs,
+  username,
+  sshKeys,
+  ...
+}:
 
 {
   imports = [
-    ./base.nix
     ./docker.nix
-    ./locale.nix
   ];
 
-  # ── Default shell ──────────────────────────────────
+  environment.systemPackages = with pkgs; [
-  programs.fish.enable = true;
+    curl
+    git
+    ghostty.terminfo
+  ];
 
-  # ── SSH ──────────────────────────────────────────
+  i18n = {
-  services.openssh.enable = true;
+    defaultLocale = "en_US.UTF-8";
+    supportedLocales = [ "en_US.UTF-8/UTF-8" ];
+  };
+  time.timeZone = "Asia/Shanghai";
 
-  # ── Default user ───────────────────────────────────
   users.users.${username} = {
     isNormalUser = true;
     shell = pkgs.fish;
     extraGroups = [ "wheel" ];
-    openssh.authorizedKeys.keys = [
+    openssh.authorizedKeys.keys = sshKeys;
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDRTOo48gzzRGT+bF9dzJCFJu61YgsQVONFtxU9kTPIg"
-    ];
   };
 
-  # ── sudo ───────────────────────────────────────────
   security.sudo.wheelNeedsPassword = false;
 }

modules/nixos/docker.nix

@@ -8,8 +8,4 @@
   environment.systemPackages = with pkgs; [
     docker-compose
   ];
-
-  # WSL 环境下如使用 Docker Desktop，可改为：
-  #   wsl.docker-desktop.enable = true;
-  # 并将上面的 virtualisation.docker.enable 设为 false
 }

modules/nixos/locale.nix

@@ -1,10 +0,0 @@
-{ ... }:
-
-{
-  i18n = {
-    defaultLocale = "en_US.UTF-8";
-    supportedLocales = [ "en_US.UTF-8/UTF-8" ];
-  };
-
-  time.timeZone = "Asia/Shanghai";
-}

modules/shared/default.nix

@@ -1,3 +1,10 @@
 {
-  imports = [ ./nix.nix ];
+  imports = [
+    ./fonts.nix
+    ./nix.nix
+  ];
+
+  programs.fish.enable = true;
+  programs._1password.enable = true;
+  services.openssh.enable = true;
 }

modules/shared/fonts.nix

@@ -0,0 +1,8 @@
+{ pkgs, ... }:
+
+{
+  fonts.packages = with pkgs; [
+    maple-mono.NF-CN-unhinted
+    nerd-fonts.symbols-only
+  ];
+}

modules/shared/nix.nix

@@ -11,7 +11,7 @@
     warn-dirty = false;
   };
 
-  # Disable channels — we use flakes exclusively
+  # 禁用 channels — 仅使用 flakes
   nix.channel.enable = false;
 
   nixpkgs = {