feat(yubikey): add GPG agent, pcscd, and YubiKey support

Enable gpg-agent with SSH support and pinentry-gnome3, add
yubikey-manager and pcscd service, configure GPG with hardened
preferences and scdaemon, disable gnome-keyring SSH agent, and
prepare git signing configuration.

README.md

@@ -0,0 +1,251 @@
+# NixOS Configuration
+
+Personal NixOS system configuration using Flakes and Home Manager for declarative system management.
+
+## System Overview
+
+- **OS**: NixOS 25.11
+- **Desktop Environment**: GNOME (Wayland/X11)
+- **Terminal**: Ghostty + tmux
+- **Shell**: Zsh with Oh-My-Zsh (agnoster theme)
+- **Editor**: Neovim with [kickstart.nvim](https://github.com/0xWheatyz/kickstart.nvim)
+- **Hostname**: nixos
+
+## Features
+
+### Core System
+- **Bootloader**: GRUB with EFI support and OS Prober (dual-boot ready)
+- **Timezone**: America/New_York
+- **Locale**: en_US.UTF-8
+- **Networking**: NetworkManager enabled
+
+### Hardware Support
+- **Bluetooth**: Enabled with Blueman
+- **Fingerprint Sensor**: fprintd enabled
+- **Audio**: PipeWire with ALSA and PulseAudio compatibility
+- **Printing**: CUPS enabled
+
+### Security & Authentication
+- **YubiKey Support**: Configured for login and sudo authentication
+- **Auto-lock on YubiKey removal**: Sessions lock when YubiKey is disconnected
+- **Fingerprint Authentication**: Available for compatible hardware
+
+### Development Environment
+- **Docker**: Rootless mode enabled with proper namespace configuration
+- **VMware Workstation**: Host support enabled
+- **Nix Flakes**: Experimental features enabled
+
+### Networking
+- **Tailscale VPN**: Enabled with client routing features
+- **Firewall**: Configured with Tailscale trusted interface
+- **Editable /etc/hosts**: Permissions set to 0644 for easy modification
+
+### Desktop Customization
+- **GNOME Extensions**:
+  - Blur My Shell
+  - Just Perfection
+  - Arc Menu
+- **Fonts**: 0xProto Nerd Font, Adwaita icons
+- **Scaling**: Experimental fractional scaling and xwayland-native-scaling enabled
+- **QT Integration**: QT apps use GNOME theme (Adwaita Dark)
+
+### Alternative Window Manager
+- **Hyprland**: Configured but not currently active (see `home.nix` for configuration)
+
+## Installed Software
+
+### System Packages
+- Firefox
+- VMware Workstation
+- Lunar Client (Minecraft)
+- JetBrains Rust Rover
+- Cursor (VS Code fork)
+- Obsidian
+- Claude Code
+
+### User Packages
+- Kate (KDE text editor)
+- Bitwarden (desktop + CLI)
+- LunarVim
+- KiCad
+- Ghostty terminal
+- Python 3
+- nmap
+- minicom
+- freerdp
+
+## Configuration Files
+
+```
+.
+├── configuration.nix          # System-level configuration
+├── home.nix                   # User-level configuration (Home Manager)
+├── hardware-configuration.nix # Auto-generated hardware config
+└── flake.nix                  # Flake inputs and outputs
+```
+
+## Getting Started
+
+### First Time Setup
+
+1. Clone this repository:
+```bash
+git clone <your-repo-url> ~/Documents/nixos-configuration
+cd ~/Documents/nixos-configuration
+```
+
+2. Review and customize configurations:
+   - Edit `configuration.nix` for system-wide changes
+   - Edit `home.nix` for user-specific settings
+
+3. Apply the configuration:
+```bash
+sudo nixos-rebuild switch --flake .#nixos
+```
+
+### Making Changes
+
+#### System-Level Changes
+Edit `configuration.nix` and rebuild:
+```bash
+sudo nixos-rebuild switch --flake .#nixos
+```
+
+#### User-Level Changes
+Edit `home.nix` and rebuild:
+```bash
+sudo nixos-rebuild switch --flake .#nixos
+# or use home-manager directly:
+home-manager switch
+```
+
+### Adding Packages
+
+**System-wide** (available to all users):
+Add to `environment.systemPackages` in `configuration.nix`:
+```nix
+environment.systemPackages = with pkgs; [
+  # your-package-here
+];
+```
+
+**User-specific**:
+Add to `home.packages` in `home.nix`:
+```nix
+home.packages = with pkgs; [
+  # your-package-here
+];
+```
+
+### Updating the System
+
+Update flake inputs and rebuild:
+```bash
+nix flake update
+sudo nixos-rebuild switch --flake .#nixos
+```
+
+## Key Configurations
+
+### Git Configuration
+Managed declaratively in `home.nix`:
+- **User**: 0xWheatyz
+- **Email**: wyatt@leeworks.dev
+- **Default Branch**: master
+- **Auto push remote setup**: Enabled
+- **Custom alias**: `git lg` for pretty log visualization
+
+### SSH Configuration
+Custom SSH hosts configured in `home.nix`:
+- **vps**: Direct connection to 45.79.198.105
+- **home**: Via jump host proxy
+- **git**: Local git server at 10.0.1.10
+- Connection multiplexing enabled for faster subsequent connections
+
+### Tmux
+- Mouse support enabled
+- Window numbering starts at 1
+- 256-color terminal support
+- Auto-starts on terminal launch
+
+### Zsh
+- Oh-My-Zsh with agnoster theme
+- Custom `nix develop` wrapper that launches in zsh
+- Tmux auto-start on interactive terminals
+- Project shell indicator in prompt
+
+## Neovim Configuration
+
+Using [kickstart.nvim](https://github.com/0xWheatyz/kickstart.nvim) as the base configuration, managed through Flakes.
+
+Required dependencies are automatically installed:
+- Neovim
+- ripgrep
+- fd
+- gcc
+- gnumake
+- git
+
+Configuration is synchronized from the GitHub repository and placed in `~/.config/nvim`.
+
+## Docker Configuration
+
+Docker is configured in rootless mode:
+- Unprivileged user namespaces enabled
+- Socket variable automatically set
+- User `l-wyatt` is in the `docker` group
+
+Usage:
+```bash
+docker ps  # No sudo required
+```
+
+## Troubleshooting
+
+### Slow Shutdown
+The configuration includes optimizations for shutdown handling:
+- User manager timeout reduced to 30s (from default 90s)
+- Prevents hangs when user linger is enabled
+
+### Building from Flake
+If you encounter issues, try:
+```bash
+# Rebuild with verbose output
+sudo nixos-rebuild switch --flake .#nixos --show-trace
+
+# Check flake validity
+nix flake check
+
+# Update flake lock file
+nix flake update
+```
+
+### YubiKey Issues
+If YubiKey authentication isn't working:
+```bash
+# Check PAM configuration
+cat /etc/pam.d/login
+cat /etc/pam.d/sudo
+
+# Verify udev rules
+udevadm control --reload-rules
+```
+
+## Important Notes
+
+- **stateVersion**: Set to 25.11 - do not change after initial installation
+- **Home Manager stateVersion**: Also 25.11 - keep in sync with system version
+- **Unfree packages**: Enabled system-wide via `nixpkgs.config.allowUnfree`
+- **User groups**: l-wyatt is member of: networkmanager, wheel, docker, dialout
+- **User linger**: Enabled for background services
+
+## Additional Resources
+
+- [NixOS Manual](https://nixos.org/manual/nixos/stable/)
+- [Home Manager Manual](https://nix-community.github.io/home-manager/)
+- [Nix Flakes](https://nixos.wiki/wiki/Flakes)
+- [kickstart.nvim Documentation](https://github.com/nvim-lua/kickstart.nvim)
+
+## License
+
+This configuration is personal and provided as-is for reference.

configuration.nix

@@ -1,14 +1,14 @@
 # Edit this configuration file to define what should be installed on
 # your system.  Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
+# and in the NixOS manual (accessible by running 'nixos-help').
 
-{ config, pkgs, ... }:
+{ config, pkgs, pkgs-unstable, ... }:
 
 {
-  imports =
+  imports = [
-    [ # Include the results of the hardware scan.
+    ./hardware-configuration.nix
-      /etc/nixos/hardware-configuration.nix
+    # home-manager is imported via flake.nix
-    ];
+  ];
 
  ## Commented out as defined at the end of the page
 
@@ -100,22 +100,21 @@
   environment.systemPackages = with pkgs; [
     home-manager
     firefox
-    vmware-workstation
     cacert
-    lunar-client
-    jetbrains.rust-rover
     code-cursor
     adwaita-icon-theme
-    obsidian
+    pkgs-unstable.claude-code  # Use unstable for latest version
+    yubikey-manager
   ];
 
   # Some programs need SUID wrappers, can be configured further or are
   # started in user sessions.
   # programs.mtr.enable = true;
-  # programs.gnupg.agent = {
+  programs.gnupg.agent = {
-  #   enable = true;
+    enable = true;
-  #   enableSSHSupport = true;
+    enableSSHSupport = true;
-  # };
+    pinentryPackage = pkgs.pinentry-gnome3;
+  };
 
   # List services that you want to enable:
 
@@ -136,6 +135,8 @@
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
   system.stateVersion = "25.11"; # Did you read the comment?
 
+  # Home Manager Configuration is handled in flake.nix
+
   ### Start of self configuration
   # Configure grub to provide ubuntu option
   boot.loader.grub.enable = true;
@@ -153,7 +154,7 @@
   services.blueman.enable = true;
 
   # Allow /etc/hosts to be modified without system rebuild
-  environment.etc.hosts.mode = "0700";
+  environment.etc.hosts.mode = "0644";
 
   # Enable flakes and extras
   nix.settings.experimental-features = [ "nix-command" "flakes" ];
@@ -172,7 +173,6 @@
     };
   };
   
-  virtualisation.vmware.host.enable = true; 
 
   services.tailscale = {
     enable = true;
@@ -213,20 +213,13 @@
 
 #  security.pki.certificateFiles = [ /etc/nixos/certs/ipa-ca.crt ];
 
-  programs.hyprland = {
-    enable = true;
-    withUWSM = true; # Recommended for NixOS 24.11+
-    xwayland.enable = true;
-  };
-
   # Enable necessary services
   xdg.portal = {
     enable = true;
-    extraPortals = with pkgs; [ 
-      xdg-desktop-portal-hyprland 
-    ];
   };
 
+  services.pcscd.enable = true;
+
   security.pam.services = {
     login.u2fAuth = true;
     sudo.u2fAuth = true;
@@ -241,17 +234,36 @@
        RUN+="${pkgs.systemd}/bin/loginctl lock-sessions"
   '';
 
+  # Optimize shutdown handling to prevent user manager hangs
+  # Reduce timeout for user manager service during shutdown (default is 90s, reducing to 30s)
+  # This prevents the 2-minute hang when shutting down with linger enabled
+  systemd.services."user@".serviceConfig = {
+    TimeoutStopSec = "30s";
+  };
+  # Reduce default timeout for all user services
+  systemd.user.extraConfig = ''
+    DefaultTimeoutStopSec=30s
+  '';
+
   # Gnome Configuration
   fonts.packages = [ 
     pkgs.adwaita-icon-theme
     pkgs.nerd-fonts._0xproto
   ];
   fonts.fontconfig.enable = true;
-  services.gnome.core-apps.enable = false;
+  services.gnome = {
-  services.gnome.core-developer-tools.enable = false;
+    core-apps.enable = true;
-  services.gnome.games.enable = false;
+    core-developer-tools.enable = true;
+    games.enable = false;
+  };
+  
+  services.desktopManager.gnome.extraGSettingsOverrides = ''
+    [org.gnome.mutter]
+    experimental-features=['scale-monitor-framebuffer']
+  '';
+  
   environment.gnome.excludePackages = with pkgs; [
-    gnome-tour gnome-user-docs
+    gnome-tour gnome-user-docs gnome-console
   ];
   
   qt = {
@@ -261,4 +273,14 @@
   };
 
   
+  security.wrappers = {
+    # Low-level unprivileged sandboxing tool, see <https://github.com/containers/bubblewrap>.
+    bwrap = {
+      owner = "root";
+      group = "root";
+      source = "${pkgs.bubblewrap}/bin/bwrap";
+      setuid = true;
+    };
+  };
+
 }

err.log

@@ -0,0 +1,32 @@
+building the system configuration...
+error:
+       … while calling the 'head' builtin
+         at /nix/store/j4hbw1ws742nmsfhbd9r22k1qgivk7hc-nixos-25.11/nixos/lib/attrsets.nix:1696:13:
+         1695|           if length values == 1 || pred here (elemAt values 1) (head values) then
+         1696|             head values
+             |             ^
+         1697|           else
+
+       … while evaluating the attribute 'value'
+         at /nix/store/j4hbw1ws742nmsfhbd9r22k1qgivk7hc-nixos-25.11/nixos/lib/modules.nix:1118:7:
+         1117|     // {
+         1118|       value = addErrorContext "while evaluating the option `${showOption loc}':" value;
+             |       ^
+         1119|       inherit (res.defsFinal') highestPrio;
+
+       … while evaluating the option `system.build.toplevel':
+
+       … while evaluating definitions from `/nix/store/j4hbw1ws742nmsfhbd9r22k1qgivk7hc-nixos-25.11/nixos/nixos/modules/system/activation/top-level.nix':
+
+       … while evaluating the option `assertions':
+
+       … while evaluating definitions from `/nix/store/qlchl88ml287pcv5xqyrpcq7jjyl3qgm-home-manager-25.11.tar.gz/home-manager/nixos/common.nix':
+
+       (stack trace truncated; use '--show-trace' to show the full, detailed trace)
+
+       error: The option `home-manager.users.l-wyatt.programs.neovim-kickstart' does not exist. Definition values:
+       - In `/home/l-wyatt/Documents/nixos-configuration/configuration.nix':
+           {
+             enable = true;
+           }
+Command 'nix-build '<nixpkgs/nixos>' --attr config.system.build.toplevel --no-out-link' returned non-zero exit status 1.

flake.lock

@@ -0,0 +1,135 @@
+{
+  "nodes": {
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1772633058,
+        "narHash": "sha256-SO7JapRy2HPhgmqiLbfnW1kMx5rakPMKZ9z3wtRLQjI=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "080657a04188aca25f8a6c70a0fb2ea7e37f1865",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "release-25.11",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "kickstart-nvim": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1771545825,
+        "narHash": "sha256-xGrTr8aXGzKBpF+RRwnLR8y8yDweojaoqttfA6RH1ws=",
+        "owner": "0xWheatyz",
+        "repo": "kickstart.nvim",
+        "rev": "cef178c27d1b3840d943f5a28b3a45f9eae049d7",
+        "type": "github"
+      },
+      "original": {
+        "owner": "0xWheatyz",
+        "repo": "kickstart.nvim",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1771369470,
+        "narHash": "sha256-0NBlEBKkN3lufyvFegY4TYv5mCNHbi5OmBDrzihbBMQ=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "0182a361324364ae3f436a63005877674cf45efb",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-unstable": {
+      "locked": {
+        "lastModified": 1773597492,
+        "narHash": "sha256-hQ284SkIeNaeyud+LS0WVLX+WL2rxcVZLFEaK0e03zg=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "a07d4ce6bee67d7c838a8a5796e75dff9caa21ef",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1772822230,
+        "narHash": "sha256-yf3iYLGbGVlIthlQIk5/4/EQDZNNEmuqKZkQssMljuw=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "71caefce12ba78d84fe618cf61644dce01cf3a96",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-25.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "home-manager": "home-manager",
+        "kickstart-nvim": "kickstart-nvim",
+        "nixpkgs": "nixpkgs_2",
+        "nixpkgs-unstable": "nixpkgs-unstable"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

flake.nix

@@ -1,37 +1,28 @@
 {
-  description = "FrostPhoenix's nixos configuration";
+  description = "NixOS configuration with home-manager and kickstart.nvim";
 
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11";
-    nur.url = "github:nix-community/NUR";
+    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixpkgs-unstable";
-
     home-manager = {
-      url = "github:nix-community/home-manager";
+      url = "github:nix-community/home-manager/release-25.11";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-
+    kickstart-nvim.url = "github:0xWheatyz/kickstart.nvim";
-    nix-gaming.url = "github:fufexan/nix-gaming";
-    nix-flatpak.url = "github:gmodena/nix-flatpak";
-
-    nix-index-database = {
-      url = "github:nix-community/nix-index-database";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-
-    maple-mono = {
-      url = "github:subframe7536/maple-font/variable";
-      flake = false;
-    };
-
-    superfile.url = "github:yorukot/superfile";
-    vicinae.url = "github:vicinaehq/vicinae";
-    zen-browser.url = "github:0xc000022070/zen-browser-flake/beta";
   };
 
-  outputs = { self, nixpkgs, home-manager, ... }: {
+  outputs = { self, nixpkgs, nixpkgs-unstable, home-manager, kickstart-nvim, ... }:
+    let
+      system = "x86_64-linux";
+      pkgs-unstable = import nixpkgs-unstable {
+        inherit system;
+        config.allowUnfree = true;
+      };
+    in {
     nixosConfigurations = {
       nixos = nixpkgs.lib.nixosSystem {
-        system = "x86_64-linux";
+        inherit system;
+        specialArgs = { inherit pkgs-unstable; };
         modules = [
           ./configuration.nix
           home-manager.nixosModules.home-manager
@@ -39,9 +30,15 @@
             home-manager.useGlobalPkgs = true;
             home-manager.useUserPackages = true;
             home-manager.users.l-wyatt = import ./home.nix;
+            home-manager.extraSpecialArgs = {
+              inherit kickstart-nvim;
+            };
+            home-manager.sharedModules = [
+              kickstart-nvim.homeManagerModules.default
+            ];
           }
         ];
       };
     };
   };
-}`
+}

hardware-configuration.nix

@@ -0,0 +1,39 @@
+# Do not modify this file!  It was generated by 'nixos-generate-config'
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/2e63927a-129d-400a-b532-5e98dd1f53d0";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/6FAB-C1E3";
+      fsType = "vfat";
+      options = [ "fmask=0077" "dmask=0077" ];
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp193s0f3u2.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp1s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

home.nix

@@ -21,6 +21,9 @@
     lunarvim
     minicom
     kicad
+    ghostty
+    gnupg
+    pinentry-gnome3
     gnomeExtensions.blur-my-shell
     gnomeExtensions.just-perfection
     gnomeExtensions.arc-menu
@@ -69,6 +72,16 @@
     initContent = ''
       export SHELL=$(which zsh)
       alias nix-shell='nix-shell --run $SHELL'
+
+      # Auto-update nixpkgs-unstable (for claude-code) on rebuild
+      nixos-rebuild() {
+        if [[ "$1" == "switch" || "$1" == "boot" || "$1" == "test" ]]; then
+          echo "Updating nixpkgs-unstable for latest Claude Code..."
+          nix flake update nixpkgs-unstable --flake /home/l-wyatt/Documents/nixos-configuration
+        fi
+        command sudo nixos-rebuild "$@" --flake /home/l-wyatt/Documents/nixos-configuration
+      }
+
       nix() {
         if [[ $1 == "develop" ]]; then
           shift
@@ -88,14 +101,55 @@
     '';
 
   };
+  # Configure cursor theme
+  home.pointerCursor = {
+    gtk.enable = true;
+    x11.enable = true;
+    name = "Adwaita";
+    package = pkgs.adwaita-icon-theme;
+    size = 24;
+  };
+
+  # Set Ghostty as default terminal
+  dconf.settings = {
+    "org/gnome/desktop/default-applications/terminal" = {
+      exec = "ghostty";
+      exec-arg = "";
+    };
+    "org/gnome/crypto/cache" = {
+      enable-ssh-agent = false;
+    };
+  };
+
+  # GPG configuration
+  programs.gpg = {
+    enable = true;
+    settings = {
+      keyserver = "hkps://keys.openpgp.org";
+      keyid-format = "0xlong";
+      with-fingerprint = true;
+      personal-cipher-preferences = "AES256 AES192 AES";
+      personal-digest-preferences = "SHA512 SHA384 SHA256";
+      personal-compress-preferences = "ZLIB BZIP2 ZIP Uncompressed";
+    };
+    scdaemonSettings = {
+      disable-ccid = true;
+    };
+  };
+
   # Manage your git configuration declaratively
   programs.git = {
     enable = true;
+    signing = {
+      key = null; # Will be set after GPG key generation
+      signByDefault = true;
+    };
     settings = {
       user = {
         name = "0xWheatyz";
         email = "wyatt@leeworks.dev";
       };
+      pull.rebase = "false";
       init.defaultBranch = "master";
       push.autoSetupRemote = "true";
       alias.lg = "log --graph --pretty=format:'%C(yellow)%h%Creset -%C(red)%d%Creset %s %Cgreen(%cr)%Creset %C(bold blue)<%an>%Creset' --abbrev-commit";
@@ -106,52 +160,105 @@
   programs.tmux = {
     enable = true;
 
-    # Basic tmux configuration
+    # Optional: customize tmux settings
-    terminal = "screen-256color";
-    historyLimit = 10000;
-    keyMode = "vi";
-    mouse = true;
-
     extraConfig = ''
-      # Set prefix to Ctrl-a instead of Ctrl-b
+      # Enable mouse support
-      unbind C-b
+      set -g mouse on
-      set-option -g prefix C-a
-      bind-key C-a send-prefix
 
-      # Split panes using | and -
+      # Start window numbering at 1
-      bind | split-window -h
+      set -g base-index 1
-      bind - split-window -v
-      unbind '"'
-      unbind %
 
-      # Reload config file
+      # Set terminal colors
-      bind r source-file ~/.config/tmux/tmux.conf
+      set -g default-terminal "screen-256color"
     '';
   };
 
-  # Neovim management
+  # Neovim management - using kickstart.nvim via flake
-  programs.neovim = {
+  # Basic fallback config (uncomment if not using the flake)
-    enable = true;
+  #programs.neovim = {
-    defaultEditor = true;
+  #  enable = true;
+  #  defaultEditor = true;
+  #
+  #  # Load Lua config inline
+  #  extraLuaConfig = ''
+  #    vim.opt.number = true
+  #    vim.opt.tabstop = 2
+  #    vim.opt.shiftwidth = 2
+  #    vim.opt.expandtab = true
+  #    vim.opt.relativenumber = true
+  #
+  #    require("telescope").setup {}
+  #    require("nvim-treesitter.configs").setup { highlight = { enable = true } }
+  #  '';
+  #
+  #  plugins = with pkgs.vimPlugins; [
+  #    telescope-nvim
+  #    nvim-treesitter
+  #    nvim-lspconfig
+  #    gruvbox
+  #  ];
+  #};
 
-    # Load Lua config inline
+  # Use kickstart.nvim configuration from flake
-    extraLuaConfig = ''
+  programs.neovim-kickstart.enable = true;
-      vim.opt.number = true
-      vim.opt.tabstop = 2
-      vim.opt.shiftwidth = 2
-      vim.opt.expandtab = true
-      vim.opt.relativenumber = true
 
-      require("telescope").setup {}
+  # Claude Code configuration
-      require("nvim-treesitter.configs").setup { highlight = { enable = true } }
+  home.file.".claude/CLAUDE.md" = {
+    text = ''
+      ## Commit Behavior
+
+      After completing each logical unit of work, use the /commit skill to stage
+      and commit changes before proceeding to the next task. Do not batch unrelated
+      changes into a single commit. Do not wait to be asked.
     '';
+    force = true;
+  };
 
-    plugins = with pkgs.vimPlugins; [
+  home.file.".claude/commands/commit.md" = {
-      telescope-nvim
+    text = ''
-      nvim-treesitter
+      ---
-      nvim-lspconfig
+      description: Stage and commit changes as a conventional commit with one logical unit per commit
-      gruvbox
+      ---
-    ];
+
+      Review the current working tree with `git status` and `git diff --staged` and `git diff`.
+
+      Then do the following:
+
+      1. Identify the smallest logical unit of change present. If multiple unrelated changes exist, only stage and commit one unit at a time — leave the rest unstaged.
+
+      2. Stage only the files (or hunks via `git add -p`) relevant to that logical unit.
+
+      3. Write a commit message following the Conventional Commits format:
+         <type>(<scope>): <description>
+
+         Types: feat, fix, docs, style, refactor, perf, test, chore, ci
+         - scope is optional but use it when the change is clearly scoped to a module, package, or domain
+         - description: lowercase, imperative mood, no trailing period, max ~72 chars
+         - if the change warrants a body, add it after a blank line
+
+      4. Run `git commit` with that message. Never use `--no-verify`.
+
+      5. Report what was committed and what (if anything) remains uncommitted.
+    '';
+    force = true;
+  };
+
+  home.file.".claude/settings.json" = {
+    text = builtins.toJSON {
+      permissions = {
+        allow = [
+          "Edit"
+          "Write"
+          "Bash(git:*)"
+          "Bash(nix-shell:*)"
+          "Bash(nix eval:*)"
+          "Bash(nix flake check:*)"
+         ];
+      };
+      alwaysThinkingEnabled = true;
+      includeCoAuthoredBy = false;
+    };
+    force = true;
   };
 
   programs.ssh = {
@@ -183,8 +290,8 @@
         proxyJump = "_JumpHost";
       };
       "git" = {
-        hostname = "10.0.0.9";
+        hostname = "10.0.1.10";
-        port = 122;
+        port = 22;
         user = "git";
       };
     };

yubikey.md

@@ -0,0 +1,269 @@
+# Post-Rebuild YubiKey Setup Guide
+
+## Step 0: Rebuild & Reboot
+
+```bash
+nixos-rebuild switch
+# Then reboot to ensure gpg-agent replaces gnome-keyring as SSH agent
+reboot
+```
+
+After reboot, verify the new environment:
+
+```bash
+gpg --version           # Should show GnuPG 2.4+
+ykman info              # Should show your YubiKey model/serial
+gpg --card-status       # Should show the YubiKey smartcard
+echo $SSH_AUTH_SOCK     # Should point to gpg-agent socket, NOT gcr
+```
+
+> If `gpg --card-status` hangs or errors, restart pcscd:
+> `sudo systemctl restart pcscd`
+
+---
+
+## Step 1: Generate GPG Master Key
+
+```bash
+gpg --expert --full-generate-key
+```
+
+At the prompts:
+
+1. Select **(9) ECC and ECC**
+2. Curve: **Curve 25519**
+3. Expiration: **1y**
+4. Real name: **0xWheatyz**
+5. Email: **wyatt@leeworks.dev**
+6. Set a strong passphrase
+
+Note the key ID printed (e.g. `0x1234ABCD5678EFGH`).
+
+---
+
+## Step 2: Add Subkeys
+
+```bash
+gpg --expert --edit-key <KEY-ID>
+```
+
+Add 3 subkeys at the `gpg>` prompt:
+
+**Signing subkey:**
+
+```
+gpg> addkey
+→ (10) ECC (sign only)
+→ Curve 25519
+→ 1y expiry
+```
+
+**Encryption subkey** (may already exist — check with `list`):
+
+```
+gpg> addkey
+→ (12) ECC (encrypt only)
+→ Curve 25519
+→ 1y expiry
+```
+
+**Authentication subkey:**
+
+```
+gpg> addkey
+→ (11) ECC (set your own capabilities)
+→ Toggle: disable Sign, enable Authenticate
+→ Curve 25519
+→ 1y expiry
+```
+
+```
+gpg> save
+```
+
+---
+
+## Step 3: Back Up Master Key (CRITICAL)
+
+> Once keys are moved to the YubiKey, they cannot be extracted. Back up now.
+
+```bash
+mkdir -p /tmp/gpg-backup
+gpg --armor --export-secret-keys <KEY-ID> > /tmp/gpg-backup/master-secret.asc
+gpg --armor --export-secret-subkeys <KEY-ID> > /tmp/gpg-backup/subkeys-secret.asc
+gpg --armor --export <KEY-ID> > /tmp/gpg-backup/public.asc
+gpg --export-ownertrust > /tmp/gpg-backup/ownertrust.txt
+```
+
+Copy `/tmp/gpg-backup/` to an encrypted USB drive or other secure offline storage. Then remove the temp copy:
+
+```bash
+rm -rf /tmp/gpg-backup
+```
+
+---
+
+## Step 4: Move Subkeys to YubiKey
+
+```bash
+gpg --edit-key <KEY-ID>
+```
+
+Move each subkey to its corresponding card slot:
+
+```
+gpg> key 1
+gpg> keytocard
+→ (1) Signature key
+gpg> key 1
+
+gpg> key 2
+gpg> keytocard
+→ (2) Encryption key
+gpg> key 2
+
+gpg> key 3
+gpg> keytocard
+→ (3) Authentication key
+
+gpg> save
+```
+
+---
+
+## Step 5: Set Trust & Verify
+
+```bash
+gpg --edit-key <KEY-ID>
+```
+
+```
+gpg> trust
+→ (5) I trust ultimately
+gpg> quit
+```
+
+Verify the card:
+
+```bash
+gpg --card-status        # Should show all 3 subkeys
+gpg --list-secret-keys   # Subkeys should show "ssb>" (stub pointing to card)
+```
+
+---
+
+## Step 6: Back Up & Remove Old SSH Keys
+
+```bash
+mkdir -p ~/.ssh/old
+mv ~/.ssh/id_ed25519 ~/.ssh/old/
+mv ~/.ssh/id_ed25519.pub ~/.ssh/old/
+```
+
+---
+
+## Step 7: Get Your New SSH Public Key
+
+```bash
+gpg --export-ssh-key <KEY-ID>
+```
+
+This outputs the SSH public key derived from your GPG auth subkey. Save it:
+
+```bash
+gpg --export-ssh-key <KEY-ID> > ~/.ssh/yubikey.pub
+```
+
+Verify gpg-agent serves it:
+
+```bash
+ssh-add -L   # Should show the same key
+```
+
+Deploy this key to your remote servers:
+
+- **vps** (45.79.198.105) — add to `~/.ssh/authorized_keys` for user `wyatt`
+- **home** (10.0.0.20) — add to `~/.ssh/authorized_keys` for user `l-wyatt`
+- **git** (10.0.1.10) — add via your Gitea/Forgejo web UI
+- **GitHub** — Settings → SSH and GPG Keys → New SSH Key
+
+> **Tip:** Use the old key (still in `~/.ssh/old/`) to SSH in and deploy the new one:
+> ```bash
+> ssh -i ~/.ssh/old/id_ed25519 vps "echo '$(gpg --export-ssh-key <KEY-ID>)' >> ~/.ssh/authorized_keys"
+> ```
+
+---
+
+## Step 8: Update home.nix with Your Signing Key
+
+Get your key ID:
+
+```bash
+gpg --list-secret-keys --keyid-format 0xlong
+```
+
+Then edit `home.nix` and replace the `key = null;` line:
+
+```nix
+signing = {
+  key = "<YOUR-0xLONG-KEY-ID>";  # e.g. "0x1234ABCD5678EFGH"
+  signByDefault = true;
+};
+```
+
+Rebuild again:
+
+```bash
+nixos-rebuild switch
+```
+
+---
+
+## Step 9: Verify Everything
+
+```bash
+# Smartcard
+gpg --card-status
+
+# SSH via YubiKey
+ssh-add -L
+ssh vps echo "YubiKey SSH works!"
+
+# Git signing
+cd /tmp && git init test-sign && cd test-sign
+git commit --allow-empty -m "test signing"
+git log --show-signature -1
+# Should show "Good signature from 0xWheatyz <wyatt@leeworks.dev>"
+rm -rf /tmp/test-sign
+```
+
+---
+
+## Step 10 (Optional): Change YubiKey PINs
+
+The default PINs are `123456` (user) and `12345678` (admin). Change them:
+
+```
+gpg --card-edit
+gpg/card> admin
+gpg/card> passwd
+→ (1) Change PIN
+→ (3) Change Admin PIN
+gpg/card> quit
+```
+
+---
+
+## Step 11 (Optional): Upload GPG Public Key to GitHub
+
+```bash
+gpg --armor --export <KEY-ID>
+```
+
+Paste the output into **GitHub → Settings → SSH and GPG Keys → New GPG Key**. This makes your signed commits show "Verified" on GitHub.
+
+---
+
+## Note
+
+The config changes to `configuration.nix` and `home.nix` are already saved. After you rebuild, reboot, and follow the steps above, you'll need to come back to update `home.nix` one more time with your actual GPG key ID (Step 8) and do a final rebuild.