This commit is contained in:
Sridhar Ratnakumar 2026-06-19 13:51:51 -04:00
parent 62d6272b14
commit 915f0fbac8
4 changed files with 19 additions and 2 deletions

View file

@ -37,6 +37,7 @@ in
"localhost" "localhost"
"sincereintent" "sincereintent"
"pureintent" "pureintent"
"naiveintent"
"vanjaram.tail12b27.ts.net" "vanjaram.tail12b27.ts.net"
"nix-infra@rasam.tail12b27.ts.net" "nix-infra@rasam.tail12b27.ts.net"
]; ];

View file

@ -6,7 +6,7 @@ let
homeMod = self + /modules/home; homeMod = self + /modules/home;
in in
{ {
nixos-unified.sshTarget = "srid@192.168.2.219"; nixos-unified.sshTarget = "srid@naiveintent";
nixos-unified.localPrivilegeMode = "sudo-nixos-rebuild"; nixos-unified.localPrivilegeMode = "sudo-nixos-rebuild";
security.sudo.extraRules = [ security.sudo.extraRules = [
@ -24,13 +24,17 @@ in
imports = [ imports = [
self.nixosModules.default self.nixosModules.default
./configuration.nix ./configuration.nix
(self + /modules/nixos/linux/llm-debugging.nix)
]; ];
users.users.${flake.config.me.username}.linger = true; users.users.${flake.config.me.username}.linger = true;
home-manager.sharedModules = [ home-manager.sharedModules = [
"${homeMod}/services/kolu.nix" "${homeMod}/services/kolu.nix"
{ {
services.kolu.host = "192.168.2.219"; # Tailscale IP of pureintent services.kolu.host = "100.78.88.70"; # Tailscale IP of naiveintent
# Browser origin differs from the Host kolu sees (served via Tailscale
# MagicDNS reverse proxy), so allow it for the CSWSH origin gate.
services.kolu.allowedOrigins = [ "https://naiveintent.rooster-blues.ts.net" ];
} }
"${homeMod}/nix/gc.nix" "${homeMod}/nix/gc.nix"

View file

@ -32,6 +32,7 @@ in
./devbox.nix ./devbox.nix
(self + /modules/nixos/linux/beszel.nix) (self + /modules/nixos/linux/beszel.nix)
(self + /modules/nixos/linux/incus) (self + /modules/nixos/linux/incus)
(self + /modules/nixos/linux/llm-debugging.nix)
]; ];
# anywhen runs as an incus-pet container (see modules/nixos/linux/incus/incus-pet). # anywhen runs as an incus-pet container (see modules/nixos/linux/incus/incus-pet).

View file

@ -0,0 +1,11 @@
# Loosen kernel hardening so LLM agents can debug without sudo.
#
# NixOS defaults `kernel.dmesg_restrict` to 1, so reading the kernel ring
# buffer (`dmesg`) requires CAP_SYSLOG — i.e. sudo. The kernel log is
# read-only, and handing an agent sudo just to tail it is a far bigger
# hammer than the problem. Setting this to 0 lets unprivileged users (and
# the agents running as them) run `dmesg` directly.
{ ... }:
{
boot.kernel.sysctl."kernel.dmesg_restrict" = 0;
}