7 Commits

Author SHA1 Message Date
0xWheatyz 5c14b05c16 feat(claude): broaden allowed tool permissions in settings
Replace restrictive bash-only permissions with full tool access
including Read, Glob, Grep, WebFetch, WebSearch, Agent, and
NotebookEdit for a more capable Claude Code experience.
2026-04-21 18:59:14 -04:00
0xWheatyz f613917d4c chore: add gitignore for omc state and wireguard config
Ignore .omc/ directory (OMC internal state) and wg1.conf
(WireGuard config containing secrets).
2026-04-21 18:58:22 -04:00
0xWheatyz a765ea2844 fix(wireguard): resolve routing loop and update VPN endpoint
- Disable firewall to allow VPN traffic
- Switch DNS from VPN server (10.0.1.65) to Cloudflare (1.1.1.1)
- Use direct IP endpoint (69.48.243.22) instead of DNS hostname to
  prevent resolution failures when DNS routes through the tunnel
- Add pre/post routing rules to avoid routing loop by sending VPN
  endpoint traffic via the local gateway

Constraint: endpoint must be an IP, not hostname, to avoid DNS chicken-and-egg
Rejected: keep DNS hostname endpoint | fails when DNS resolves through tunnel
Confidence: high
Scope-risk: moderate
2026-04-21 18:52:53 -04:00
0xWheatyz 36dd8b8c34 feat(claude): add nodejs and OMC_PLUGIN_ROOT for oh-my-claudecode support
Adds nodejs to home packages (required by claude-code and OMC HUD/npm
plugins) and sets OMC_PLUGIN_ROOT env var pointing to the flake input.
2026-04-21 18:52:40 -04:00
0xWheatyz 977c15a57f feat(claude): deploy OMC agents and CLAUDE.md config via nix
Add agents directory from oh-my-claudecode flake input, include the
upstream OMC CLAUDE.md configuration block via builtins.readFile, and
add statusLine/env/teammateMode to the declarative settings.json.
2026-04-21 16:28:47 -04:00
0xWheatyz c348c97ea0 fix(claude): correct oh-my-claudecode skill path to avoid extra nesting
Skills were installed at ~/.claude/skills/oh-my-claudecode/<name>/SKILL.md
but Claude Code expects ~/.claude/skills/<name>/SKILL.md. Link the source
directly into the skills directory.
2026-04-20 23:53:04 -04:00
0xWheatyz 9d6017432d fix(kicad): use correct nixpkgs attribute path for footprint libraries
pkgs.kicad-libraries doesn't exist; the correct path is
pkgs.kicad-small.libraries.footprints.
2026-04-20 23:44:57 -04:00
3 changed files with 44 additions and 11 deletions
+2
@@ -0,0 +1,2 @@
.omc/
wg1.conf
+14 -4
@@ -125,7 +125,7 @@
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
networking.firewall.enable = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
@@ -158,7 +158,7 @@
# KiCad footprint libraries
environment.sessionVariables = {
KICAD9_FOOTPRINT_DIR = "${pkgs.kicad-libraries.footprints}/share/kicad/footprints";
KICAD9_FOOTPRINT_DIR = "${pkgs.kicad-small.libraries.footprints}/share/kicad/footprints";
};
# Enable flakes and extras
@@ -182,12 +182,22 @@
# WireGuard VPN
networking.wg-quick.interfaces.wg0 = {
address = [ "10.0.1.67/32" ];
dns = [ "10.0.1.65" ];
dns = [ "1.1.1.1" ];
privateKeyFile = "/etc/wireguard/private.key";
# Route endpoint via local gateway to avoid routing loop
preUp = ''
GW=$(ip route show default | awk '{print $3; exit}')
DEV=$(ip route show default | awk '{print $5; exit}')
ip route add 69.48.243.22/32 via "$GW" dev "$DEV" || true
'';
postDown = ''
ip route del 69.48.243.22/32 || true
'';
peers = [{
publicKey = "VEpzr/CeGdS6Wsy0NDDfmlB/bCYxS55A155HWGCIIzc=";
endpoint = "vpn.leeworks.dev:51820";
endpoint = "69.48.243.22:51820";
# Route all traffic through VPN EXCEPT the local 10.0.0.0/24 network
allowedIPs = [
"0.0.0.0/5"
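Review bot: `networking.firewall.enable = false;` in the first hunk removes packet filtering on every interface, not only for the tunnel, so with the full-tunnel `allowedIPs` any service listening on this host becomes reachable from the LAN and from VPN peers. A wg-quick client only sends outbound UDP to the endpoint, which the stateful NixOS firewall already permits. If the original breakage came from reverse-path filtering dropping tunnel replies (not shown here, so worth confirming), the narrower fix is to keep the firewall on and set `networking.firewall.checkReversePath = "loose";`. Separately, the `|| true` on the `ip route add` line in `preUp` hides the case where `$GW` or `$DEV` is empty because no default route exists yet, and the routing loop this commit fixes would then come back silently. The surrounding module and the `allowedIPs` list continue outside the visible hunks.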
+27 -6
@@ -29,6 +29,7 @@
gnomeExtensions.arc-menu
freecad
gtk3 # Provides org.gtk.Settings.FileChooser schema for FreeCAD
nodejs # Required by claude-code and oh-my-claudecode (HUD, npm plugins)
];
# --------------------------
@@ -216,14 +217,21 @@
source = "${caveman}/skills/caveman-help";
recursive = true;
};
home.file.".claude/skills/oh-my-claudecode" = {
home.file.".claude/skills" = {
source = "${oh-my-claudecode}/skills";
recursive = true;
};
# Claude Code agents (managed declaratively via flake inputs)
home.file.".claude/agents" = {
source = "${oh-my-claudecode}/agents";
recursive = true;
};
# Claude Code configuration
home.file.".claude/CLAUDE.md" = {
text = ''
text = builtins.readFile "${oh-my-claudecode}/CLAUDE.md" + ''
## Commit Behavior
After completing each logical unit of work, use the /commit skill to stage
@@ -268,14 +276,27 @@
allow = [
"Edit"
"Write"
"Bash(git:*)"
"Bash(nix-shell:*)"
"Bash(nix eval:*)"
"Bash(nix flake check:*)"
"Read"
"Glob"
"Grep"
"Bash"
"WebFetch"
"WebSearch"
"Agent"
"NotebookEdit"
];
};
alwaysThinkingEnabled = true;
includeCoAuthoredBy = false;
statusLine = {
type = "command";
command = "node \${CLAUDE_CONFIG_DIR:-$HOME/.claude}/hud/omc-hud.mjs";
};
env = {
CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS = "1";
OMC_PLUGIN_ROOT = "${oh-my-claudecode}";
};
teammateMode = "tmux";
};
force = true;
};
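Review bot: The bare `"Bash"` entry in the last hunk's `allow` list pre-approves every shell command, replacing the four scoped rules (`Bash(git:*)`, `Bash(nix-shell:*)`, `Bash(nix eval:*)`, `Bash(nix flake check:*)`). It is granted alongside `"WebFetch"` and `"WebSearch"`, so untrusted page content can reach an agent that runs commands without a confirmation prompt. Adding the read-only tools (`"Read"`, `"Glob"`, `"Grep"`) is low risk, but I would keep the scoped `Bash(...)` patterns and extend them only as needed. I would also add a `deny` list next to `allow` covering secret-bearing files such as the `wg1.conf` this series ignores. In the same section, `builtins.readFile "${oh-my-claudecode}/CLAUDE.md"` and the `.claude/agents` link make upstream flake content part of the agent's standing instructions, so a comment noting that this input must stay pinned and be reviewed on each lock update would help. The settings attribute set begins outside the hunk.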