fix(flake): unpin nixpkgs-unstable to resolve broken claude-code package

Revert the nixpkgs-unstable pin to follow the branch again, as the
pinned revision shipped a broken package.

configuration.nix

@@ -174,6 +174,19 @@
   };
   
 
+  # WireGuard VPN
+  networking.wg-quick.interfaces.wg0 = {
+    address = [ "10.0.1.66/28" ];
+    privateKeyFile = "/etc/wireguard/private.key";
+
+    peers = [{
+      publicKey = "VEpzr/CeGdS6Wsy0NDDfmlB/bCYxS55A155HWGCIIzc=";
+      endpoint = "vpn.leeworks.dev:51820";
+      allowedIPs = [ "10.0.1.64/28" ];
+      persistentKeepalive = 25;
+    }];
+  };
+
   services.tailscale = {
     enable = true;
     useRoutingFeatures = "client";  # or "both" for subnet routing

flake.lock

@@ -25,11 +25,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1772633058,
-        "narHash": "sha256-SO7JapRy2HPhgmqiLbfnW1kMx5rakPMKZ9z3wtRLQjI=",
+        "lastModified": 1775077333,
+        "narHash": "sha256-OXcxobt7lBkh1B8AjwreU+24myhtKpqeLfAeIyNLFY8=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "080657a04188aca25f8a6c70a0fb2ea7e37f1865",
+        "rev": "49ca96b2714c5931e17401eff87f3edd42d2b0f2",
         "type": "github"
       },
       "original": {
@@ -76,11 +76,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1773597492,
-        "narHash": "sha256-hQ284SkIeNaeyud+LS0WVLX+WL2rxcVZLFEaK0e03zg=",
+        "lastModified": 1775126147,
+        "narHash": "sha256-J0dZU4atgcfo4QvM9D92uQ0Oe1eLTxBVXjJzdEMQpD0=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "a07d4ce6bee67d7c838a8a5796e75dff9caa21ef",
+        "rev": "8d8c1fa5b412c223ffa47410867813290cdedfef",
         "type": "github"
       },
       "original": {
@@ -92,11 +92,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1772822230,
-        "narHash": "sha256-yf3iYLGbGVlIthlQIk5/4/EQDZNNEmuqKZkQssMljuw=",
+        "lastModified": 1775002709,
+        "narHash": "sha256-d3Yx83vSrN+2z/loBh4mJpyRqr9aAJqlke4TkpFmRJA=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "71caefce12ba78d84fe618cf61644dce01cf3a96",
+        "rev": "bcd464ccd2a1a7cd09aa2f8d4ffba83b761b1d0e",
         "type": "github"
       },
       "original": {

home.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 
 {
   home.username = "l-wyatt";
@@ -27,6 +27,7 @@
     gnomeExtensions.blur-my-shell
     gnomeExtensions.just-perfection
     gnomeExtensions.arc-menu
+    freecad
   ];
 
   # --------------------------
@@ -121,6 +122,9 @@
     };
   };
 
+  # Disable GCR ssh-agent so gpg-agent handles SSH
+  systemd.user.sockets.gcr-ssh-agent.Install.WantedBy = lib.mkForce [];
+
   # GPG configuration
   programs.gpg = {
     enable = true;
@@ -141,7 +145,7 @@
   programs.git = {
     enable = true;
     signing = {
-      key = null; # Will be set after GPG key generation
+      key = "0xADCEAC560B498269";
       signByDefault = true;
     };
     settings = {

yubikey.md

@@ -1,27 +1,5 @@
 # Post-Rebuild YubiKey Setup Guide
 
-## Step 0: Rebuild & Reboot
-
-```bash
-nixos-rebuild switch
-# Then reboot to ensure gpg-agent replaces gnome-keyring as SSH agent
-reboot
-```
-
-After reboot, verify the new environment:
-
-```bash
-gpg --version           # Should show GnuPG 2.4+
-ykman info              # Should show your YubiKey model/serial
-gpg --card-status       # Should show the YubiKey smartcard
-echo $SSH_AUTH_SOCK     # Should point to gpg-agent socket, NOT gcr
-```
-
-> If `gpg --card-status` hangs or errors, restart pcscd:
-> `sudo systemctl restart pcscd`
-
----
-
 ## Step 1: Generate GPG Master Key
 
 ```bash