fix: shift renovate schedules to 5-7 PM Saturday to align with cron

CronJob runs at 0/6/12/18h. Old 2-4 PM window never had a run
inside it, so Renovate never created PRs. Shift to 5-7 PM so the
18:00 run lands in the window. nixpkgs-qt staggered to 7-9 PM.

.gitea/workflows/ci.yml

@@ -18,3 +18,91 @@ jobs:
         run: nix flake check
         env:
           NIX_CONFIG: "access-tokens = git.johnogle.info=${{ secrets.GITEA_ACCESS_TOKEN }}"
+
+  build-and-cache:
+    runs-on: ubuntu-latest
+    needs: check
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: https://git.johnogle.info/johno/gitea-actions/nix-setup@v1
+
+      - name: Setup SSH for cache
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.CACHE_SSH_KEY }}" > ~/.ssh/cache_key
+          chmod 600 ~/.ssh/cache_key
+          ssh-keyscan -H ${{ secrets.CACHE_HOST }} >> ~/.ssh/known_hosts 2>/dev/null || true
+
+      - name: Setup signing key
+        run: |
+          echo "${{ secrets.NIX_SIGNING_KEY }}" > /tmp/signing-key
+          chmod 600 /tmp/signing-key
+
+      - name: Build, sign, and cache all packages
+        run: |
+          PACKAGES=(
+            custom-claude-code
+            custom-app-launcher-server
+            custom-mcrcon-rbw
+            custom-tea-rbw
+            custom-rclone-torbox-setup
+            custom-beads
+            custom-gastown
+            custom-perles
+            qt-pinned-jellyfin-media-player
+            qt-pinned-stremio
+            nix-deck-kernel
+          )
+
+          FAILED=()
+          SKIPPED=()
+          for pkg in "${PACKAGES[@]}"; do
+            echo "::group::Building $pkg"
+
+            # Check if package is already cached by evaluating its store path and checking the remote
+            OUT_PATH=$(nix eval ".#$pkg.outPath" --raw 2>/dev/null)
+            if [ -n "$OUT_PATH" ] && ssh -i ~/.ssh/cache_key ${{ secrets.CACHE_USER }}@${{ secrets.CACHE_HOST }} \
+                "nix path-info '$OUT_PATH' >/dev/null 2>&1"; then
+              echo "⏭ $pkg already cached ($OUT_PATH), skipping"
+              SKIPPED+=("$pkg")
+              echo "::endgroup::"
+              continue
+            fi
+
+            # --cores 2 limits parallel jobs to reduce RAM pressure on john-endesktop
+            if BUILD_OUTPUT=$(nix build ".#$pkg" --no-link --print-out-paths --cores 2 2>&1); then
+              OUT_PATH=$(echo "$BUILD_OUTPUT" | grep '^/nix/store/' | tail -1)
+              echo "$BUILD_OUTPUT"
+              echo "Store path: $OUT_PATH"
+
+              # Sign the closure
+              nix store sign --key-file /tmp/signing-key -r "$OUT_PATH"
+
+              # Push to cache
+              nix copy --to "ssh-ng://${{ secrets.CACHE_USER }}@${{ secrets.CACHE_HOST }}?ssh-key=$HOME/.ssh/cache_key" "$OUT_PATH"
+
+              # Create GC root to prevent garbage collection
+              OUT_HASH=$(basename "$OUT_PATH" | cut -d'-' -f1)
+              ssh -i ~/.ssh/cache_key ${{ secrets.CACHE_USER }}@${{ secrets.CACHE_HOST }} \
+                "mkdir -p /nix/var/nix/gcroots/ci-cache && ln -sfn $OUT_PATH /nix/var/nix/gcroots/ci-cache/${OUT_HASH}"
+
+              echo "✓ $pkg cached successfully"
+            else
+              echo "✗ $pkg failed to build"
+              FAILED+=("$pkg")
+            fi
+            echo "::endgroup::"
+          done
+
+          if [ ${#SKIPPED[@]} -gt 0 ]; then
+            echo "Skipped (already cached): ${SKIPPED[*]}"
+          fi
+
+          if [ ${#FAILED[@]} -gt 0 ]; then
+            echo "::error::Failed packages: ${FAILED[*]}"
+            exit 1
+          fi
+        env:
+          NIX_CONFIG: "access-tokens = git.johnogle.info=${{ secrets.GITEA_ACCESS_TOKEN }}"

flake.lock

@@ -2,17 +2,16 @@
   "nodes": {
     "beads": {
       "inputs": {
-        "flake-utils": "flake-utils",
         "nixpkgs": [
           "nixpkgs-unstable"
         ]
       },
       "locked": {
-        "lastModified": 1769405733,
-        "narHash": "sha256-WpROnW0dRi5ub0SlpKrMBs3pYlSBY4xw22hnTNvBMgI=",
+        "lastModified": 1773070962,
+        "narHash": "sha256-kHZXx+kygpVholOBsuQocCtksHo5ZWYskP64qK2Kjh0=",
         "owner": "steveyegge",
         "repo": "beads",
-        "rev": "6e82d1e2eea121ce5dc0964d554879f8b0c08563",
+        "rev": "9604d30b7c746f9f04f6dea5f82996f71bb66073",
         "type": "github"
       },
       "original": {
@@ -24,11 +23,11 @@
     "doomemacs": {
       "flake": false,
       "locked": {
-        "lastModified": 1768984347,
-        "narHash": "sha256-VvC4rgAAaFnYLCdcUoz7dTE3kuBNuHIc+GlXOrPCxpg=",
+        "lastModified": 1772615218,
+        "narHash": "sha256-z+3c0AGkrMf1xZ+pq57aVp4Zo4KsqFMIjEVzSZinghc=",
         "owner": "doomemacs",
         "repo": "doomemacs",
-        "rev": "57818a6da90fbef39ff80d62fab2cd319496c3b9",
+        "rev": "d23bbe87721c61f4d5a605f2914b32780bb89949",
         "type": "github"
       },
       "original": {
@@ -47,11 +46,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1769329593,
-        "narHash": "sha256-u5PSA+8TUYF/13ziBcnoE67nkDwpjAdecKh3srcJJm0=",
+        "lastModified": 1772706147,
+        "narHash": "sha256-C0UMYQg3KBU6+L8TLfQ/s60O6/Tiu/JpN8C/WiIH9DU=",
         "owner": "nix-community",
         "repo": "emacs-overlay",
-        "rev": "776dc33d735af583a14cc56b406ea658398964a7",
+        "rev": "54af2ae96631311dc4d2686a07e4f472fb36f516",
         "type": "github"
       },
       "original": {
@@ -79,13 +78,21 @@
       }
     },
     "gastown": {
-      "flake": false,
+      "inputs": {
+        "beads": [
+          "beads"
+        ],
+        "flake-utils": "flake-utils",
+        "nixpkgs": [
+          "nixpkgs-unstable"
+        ]
+      },
       "locked": {
-        "lastModified": 1769538736,
-        "narHash": "sha256-A33gyS/ERUCFcaFG9PJdIHfIOafguqkRe+DuIZteH5s=",
+        "lastModified": 1773088127,
+        "narHash": "sha256-gJFayiBYrF0Q99AOQH29uq0Mli8KRfwReYeAh5H5evY=",
         "owner": "steveyegge",
         "repo": "gastown",
-        "rev": "177094a2335786d1d450fd9e14b935877291c004",
+        "rev": "8da798be0663af74be7960844b90038e51769203",
         "type": "github"
       },
       "original": {
@@ -121,11 +128,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1768949235,
-        "narHash": "sha256-TtjKgXyg1lMfh374w5uxutd6Vx2P/hU81aEhTxrO2cg=",
+        "lastModified": 1772633058,
+        "narHash": "sha256-SO7JapRy2HPhgmqiLbfnW1kMx5rakPMKZ9z3wtRLQjI=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "75ed713570ca17427119e7e204ab3590cc3bf2a5",
+        "rev": "080657a04188aca25f8a6c70a0fb2ea7e37f1865",
         "type": "github"
       },
       "original": {
@@ -142,11 +149,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1769397130,
-        "narHash": "sha256-TTM4KV9IHwa181X7afBRbhLJIrgynpDjAXJFMUOWfyU=",
+        "lastModified": 1772633327,
+        "narHash": "sha256-jl+DJB2DUx7EbWLRng+6HNWW/1/VQOnf0NsQB4PlA7I=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "c37679d37bdbecf11bbe3c5eb238d89ca4f60641",
+        "rev": "5a75730e6f21ee624cbf86f4915c6e7489c74acc",
         "type": "github"
       },
       "original": {
@@ -164,11 +171,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1769273817,
-        "narHash": "sha256-+iyLihi/ynJokMgJZMRXuMuI6DPGUQRajz5ztNCHgnI=",
+        "lastModified": 1772517207,
+        "narHash": "sha256-qxHfxqbigqBTn//U4leIS5he22Wp1GS0+zmwGV7Pozs=",
         "owner": "Jovian-Experiments",
         "repo": "Jovian-NixOS",
-        "rev": "98f988ad46e31f9956c5f6874dfb3580a7ff3969",
+        "rev": "7ca1501c2d80900b5967baea4d42581f84b388dd",
         "type": "github"
       },
       "original": {
@@ -184,11 +191,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1767634391,
-        "narHash": "sha256-owcSz2ICqTSvhBbhPP+1eWzi88e54rRZtfCNE5E/wwg=",
+        "lastModified": 1772129556,
+        "narHash": "sha256-Utk0zd8STPsUJPyjabhzPc5BpPodLTXrwkpXBHYnpeg=",
         "owner": "nix-darwin",
         "repo": "nix-darwin",
-        "rev": "08585aacc3d6d6c280a02da195fdbd4b9cf083c2",
+        "rev": "ebec37af18215214173c98cf6356d0aca24a2585",
         "type": "github"
       },
       "original": {
@@ -206,11 +213,11 @@
         "systems": "systems_2"
       },
       "locked": {
-        "lastModified": 1769330679,
-        "narHash": "sha256-X7rw5ouiAYKmbbKLtkEc/Kqcg6DxKgOtgaftzuchy/M=",
+        "lastModified": 1772716420,
+        "narHash": "sha256-T3UEKNTGqBl44AQ0+0OIpiWMXeQ8+4QW/akSc4yeL2A=",
         "owner": "marienz",
         "repo": "nix-doom-emacs-unstraightened",
-        "rev": "0c2d527055f448c8856129c6d063535e06aeff4d",
+        "rev": "be3ecb81a85be302e27d46ff32a1e251e444327d",
         "type": "github"
       },
       "original": {
@@ -243,11 +250,27 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1769089682,
-        "narHash": "sha256-9yA/LIuAVQq0lXelrZPjLuLVuZdm03p8tfmHhnDIkms=",
+        "lastModified": 1772598333,
+        "narHash": "sha256-YaHht/C35INEX3DeJQNWjNaTcPjYmBwwjFJ2jdtr+5U=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "078d69f03934859a181e81ba987c2bb033eebfc5",
+        "rev": "fabb8c9deee281e50b1065002c9828f2cf7b2239",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-25.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-qt": {
+      "locked": {
+        "lastModified": 1772598333,
+        "narHash": "sha256-YaHht/C35INEX3DeJQNWjNaTcPjYmBwwjFJ2jdtr+5U=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "fabb8c9deee281e50b1065002c9828f2cf7b2239",
         "type": "github"
       },
       "original": {
@@ -259,11 +282,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1769170682,
-        "narHash": "sha256-oMmN1lVQU0F0W2k6OI3bgdzp2YOHWYUAw79qzDSjenU=",
+        "lastModified": 1772624091,
+        "narHash": "sha256-QKyJ0QGWBn6r0invrMAK8dmJoBYWoOWy7lN+UHzW1jc=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "c5296fdd05cfa2c187990dd909864da9658df755",
+        "rev": "80bdc1e5ce51f56b19791b52b2901187931f5353",
         "type": "github"
       },
       "original": {
@@ -276,11 +299,11 @@
     "perles": {
       "flake": false,
       "locked": {
-        "lastModified": 1769460725,
-        "narHash": "sha256-zM2jw+emxe8+mNyR1ebMWkQiEx8uSmhoqqI0IxXLDgs=",
+        "lastModified": 1772661365,
+        "narHash": "sha256-kMlvIpfGMBkN5D1W0O1fcqUiH3dyobcH0GRRLCX7GGo=",
         "owner": "zjrosen",
         "repo": "perles",
-        "rev": "57b20413eea461452b59e13f5a4a367953b1f768",
+        "rev": "326ff1938dfe073daab7939762ce2f44c2ee74a1",
         "type": "github"
       },
       "original": {
@@ -299,11 +322,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1767662275,
-        "narHash": "sha256-d5Q1GmQ+sW1Bt8cgDE0vOihzLaswsm8cSdg8124EqXE=",
+        "lastModified": 1772361940,
+        "narHash": "sha256-B1Cz+ydL1iaOnGlwOFld/C8lBECPtzhiy/pP93/CuyY=",
         "owner": "nix-community",
         "repo": "plasma-manager",
-        "rev": "51816be33a1ff0d4b22427de83222d5bfa96d30e",
+        "rev": "a4b33606111c9c5dcd10009042bb710307174f51",
         "type": "github"
       },
       "original": {
@@ -322,11 +345,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1767662275,
-        "narHash": "sha256-d5Q1GmQ+sW1Bt8cgDE0vOihzLaswsm8cSdg8124EqXE=",
+        "lastModified": 1772361940,
+        "narHash": "sha256-B1Cz+ydL1iaOnGlwOFld/C8lBECPtzhiy/pP93/CuyY=",
         "owner": "nix-community",
         "repo": "plasma-manager",
-        "rev": "51816be33a1ff0d4b22427de83222d5bfa96d30e",
+        "rev": "a4b33606111c9c5dcd10009042bb710307174f51",
         "type": "github"
       },
       "original": {
@@ -346,6 +369,7 @@
         "nix-darwin": "nix-darwin",
         "nix-doom-emacs-unstraightened": "nix-doom-emacs-unstraightened",
         "nixpkgs": "nixpkgs",
+        "nixpkgs-qt": "nixpkgs-qt",
         "nixpkgs-unstable": "nixpkgs-unstable",
         "perles": "perles",
         "plasma-manager": "plasma-manager",

flake.nix

@@ -4,6 +4,9 @@
   inputs = {
     nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11";
     nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+    # Separate nixpkgs for qt5webengine-dependent packages (jellyfin-media-player, etc.)
+    # Updates on separate Renovate schedule to avoid massive qt rebuilds
+    nixpkgs-qt.url = "github:nixos/nixpkgs/nixos-25.11";
 
     nix-darwin = {
       url = "github:nix-darwin/nix-darwin/nix-darwin-25.11";
@@ -49,7 +52,8 @@
 
     gastown = {
       url = "github:steveyegge/gastown";
-      flake = false;  # No flake.nix upstream yet
+      inputs.nixpkgs.follows = "nixpkgs-unstable";
+      inputs.beads.follows = "beads";
     };
 
     perles = {
@@ -74,6 +78,14 @@
         config.allowUnfree = true;
         overlays = unstableOverlays;
       };
+      # Separate nixpkgs for qt5webengine-heavy packages to avoid rebuild churn
+      qt-pinned = import inputs.nixpkgs-qt {
+        system = prev.stdenv.hostPlatform.system;
+        config = {
+          allowUnfree = true;
+          permittedInsecurePackages = [ "qtwebengine-5.15.19" ];
+        };
+      };
       custom = prev.callPackage ./packages {};
       # Compatibility: bitwarden renamed to bitwarden-desktop in unstable
       bitwarden-desktop = prev.bitwarden-desktop or prev.bitwarden;
@@ -101,6 +113,19 @@
       (ufinal: uprev: {
         claude-code = uprev.callPackage ./packages/claude-code {};
       })
+      # Pin dolt to v1.82.4 (gastown requires >= 1.82.4)
+      (ufinal: uprev: {
+        dolt = uprev.dolt.overrideAttrs (old: rec {
+          version = "1.82.4";
+          src = uprev.fetchFromGitHub {
+            owner = "dolthub";
+            repo = "dolt";
+            tag = "v${version}";
+            hash = "sha256-mavL3y+Kv25hzFlDFXk7W/jeKVKlCBjlc67GkL3Jcwk=";
+          };
+          vendorHash = "sha256-K1KzsqptZxO5OraWKIXeqKuVSzb6E/Mjy3c5PQ7Rs9k=";
+        });
+      })
     ];
 
     nixosModules = [
@@ -171,7 +196,16 @@
       modules = nixosModules ++ [
         ./machines/zix790prors/configuration.nix
         {
-          home-manager.users.johno = import ./home/home-desktop.nix;
+          home-manager.users.johno = {
+            imports = [ ./home/home-desktop.nix ];
+            home.roles.i3_sway.extraSwayConfig = {
+              output = {
+                "DP-1" = {
+                  mode = "3440x1440@164.900Hz";
+                };
+              };
+            };
+          };
           home-manager.extraSpecialArgs = { inherit system; };
         }
       ];
@@ -226,6 +260,53 @@
       ];
     };
 
+    # Packages for CI caching (custom packages, flake inputs, and qt-pinned)
+    packages = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system:
+      let
+        pkgs = import nixpkgs {
+          inherit system;
+          config.allowUnfree = true;
+          overlays = [ (mkBaseOverlay {}) ];
+        };
+        pkgsQt = import inputs.nixpkgs-qt {
+          inherit system;
+          config = {
+            allowUnfree = true;
+            permittedInsecurePackages = [ "qtwebengine-5.15.19" ];
+          };
+        };
+        # Version strings for flake input packages
+        beadsRev = builtins.substring 0 8 (inputs.beads.rev or "unknown");
+        gastownRev = builtins.substring 0 8 (inputs.gastown.rev or "unknown");
+      in {
+        "custom-claude-code" = pkgs.custom.claude-code;
+        "custom-app-launcher-server" = pkgs.custom.app-launcher-server;
+        "custom-mcrcon-rbw" = pkgs.custom.mcrcon-rbw;
+        "custom-tea-rbw" = pkgs.custom.tea-rbw;
+        "custom-rclone-torbox-setup" = pkgs.custom.rclone-torbox-setup;
+        "qt-pinned-jellyfin-media-player" = pkgsQt.jellyfin-media-player;
+        "qt-pinned-stremio" = pkgsQt.stremio;
+        # Flake input packages (beads, gastown) - these get version from input rev
+        "custom-beads" = pkgs.callPackage ./packages/beads {
+          inherit (pkgs.unstable) buildGoModule;
+          src = inputs.beads;
+          version = "0.52.0-${beadsRev}";
+        };
+        "custom-gastown" = pkgs.callPackage ./packages/gastown {
+          src = inputs.gastown;
+          version = "unstable-${gastownRev}";
+        };
+        "custom-perles" = pkgs.callPackage ./packages/perles {
+          inherit (pkgs.unstable) buildGoModule;
+          src = inputs.perles;
+          version = "unstable-${builtins.substring 0 8 (inputs.perles.rev or "unknown")}";
+        };
+      } // (if system == "x86_64-linux" then {
+        # nix-deck kernel from Jovian-NixOS (Steam Deck) - expensive to build
+        "nix-deck-kernel" = self.nixosConfigurations.nix-deck.config.boot.kernelPackages.kernel;
+      } else {})
+    );
+
     # Flake apps
     apps = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" "aarch64-darwin" ] (system:
       let

home/home-kodi.nix

@@ -12,6 +12,7 @@
   home.roles = {
     base.enable = true;
     plasma-manager-kodi.enable = true;
+    kdeconnect.enable = true;
   };
 
   home.packages = with pkgs; [

home/roles/development/beads-search-query-optimization.patch

@@ -1,44 +0,0 @@
-diff --git a/internal/storage/dolt/queries.go b/internal/storage/dolt/queries.go
-index 7d8214ee..8acdaae2 100644
---- a/internal/storage/dolt/queries.go
-+++ b/internal/storage/dolt/queries.go
-@@ -212,8 +212,21 @@ func (s *DoltStore) SearchIssues(ctx context.Context, query string, filter types
- 	}
- 
- 	// nolint:gosec // G201: whereSQL contains column comparisons with ?, limitSQL is a safe integer
-+	// Performance fix: SELECT all columns directly instead of id-only + WHERE IN (all_ids)
-+	// See: hq-ihwsj - bd list uses inefficient WHERE IN (all_ids) query pattern
- 	querySQL := fmt.Sprintf(`
--		SELECT id FROM issues
-+		SELECT id, content_hash, title, description, design, acceptance_criteria, notes,
-+		       status, priority, issue_type, assignee, estimated_minutes,
-+		       created_at, created_by, owner, updated_at, closed_at, external_ref,
-+		       compaction_level, compacted_at, compacted_at_commit, original_size, source_repo, close_reason,
-+		       deleted_at, deleted_by, delete_reason, original_type,
-+		       sender, ephemeral, pinned, is_template, crystallizes,
-+		       await_type, await_id, timeout_ns, waiters,
-+		       hook_bead, role_bead, agent_state, last_activity, role_type, rig, mol_type,
-+		       event_kind, actor, target, payload,
-+		       due_at, defer_until,
-+		       quality_score, work_type, source_system
-+		FROM issues
- 		%s
- 		ORDER BY priority ASC, created_at DESC
- 		%s
-@@ -225,7 +238,15 @@ func (s *DoltStore) SearchIssues(ctx context.Context, query string, filter types
- 	}
- 	defer rows.Close()
- 
--	return s.scanIssueIDs(ctx, rows)
-+	var issues []*types.Issue
-+	for rows.Next() {
-+		issue, err := scanIssueRow(rows)
-+		if err != nil {
-+			return nil, err
-+		}
-+		issues = append(issues, issue)
-+	}
-+	return issues, rows.Err()
- }
- 
- // GetReadyWork returns issues that are ready to work on (not blocked)

home/roles/development/default.nix

@@ -5,89 +5,25 @@ with lib;
 let
   cfg = config.home.roles.development;
 
-  # FIXME: Temporary override for upstream beads vendorHash mismatch
-  # Remove after upstream fix: https://github.com/steveyegge/beads/issues/XXX
-  beadsPackage = globalInputs.beads.packages.${system}.default.overrideAttrs (old: {
-    vendorHash = "sha256-YU+bRLVlWtHzJ1QPzcKJ70f+ynp8lMoIeFlm+29BNPE=";
-
-    # Performance fix: avoid WHERE IN (8000+ IDs) query pattern that hammers Dolt CPU
-    # See: hq-ihwsj - bd list uses inefficient WHERE IN (all_ids) query pattern
-    # The fix changes SearchIssues to SELECT all columns directly instead of:
-    #   1. SELECT id FROM issues WHERE ... -> collect IDs
-    #   2. SELECT * FROM issues WHERE id IN (all_ids) -> 8000+ placeholder IN clause
-    patches = (old.patches or []) ++ [
-      ./beads-search-query-optimization.patch
-    ];
-  });
-
-  # Gastown - multi-agent workspace manager (no upstream flake.nix yet)
-  # Source is tracked via flake input for renovate updates
-  gastownRev = builtins.substring 0 8 (globalInputs.gastown.rev or "unknown");
-  gastownPackage = pkgs.buildGoModule {
-    pname = "gastown";
-    version = "unstable-${gastownRev}";
-    src = globalInputs.gastown;
-    vendorHash = "sha256-ripY9vrYgVW8bngAyMLh0LkU/Xx1UUaLgmAA7/EmWQU=";
-    subPackages = [ "cmd/gt" ];
-    doCheck = false;
-
-    # Must match ldflags from gastown Makefile - BuiltProperly=1 is required
-    # or gt will error with "This binary was built with 'go build' directly"
-    ldflags = [
-      "-X github.com/steveyegge/gastown/internal/cmd.Version=${gastownRev}"
-      "-X github.com/steveyegge/gastown/internal/cmd.Commit=${gastownRev}"
-      "-X github.com/steveyegge/gastown/internal/cmd.BuildTime=nix-build"
-      "-X github.com/steveyegge/gastown/internal/cmd.BuiltProperly=1"
-    ];
-
-    # Bug fixes not yet merged upstream
-    # Each patch is stored in a separate file for clarity and maintainability
-    patches = [
-      # Fix validateRecipient bug: normalize addresses before comparison
-      ./gastown-fix-validate-recipient.patch
-      # Fix agentBeadToAddress to use title field for hq- prefixed beads
-      ./gastown-fix-agent-bead-address-title.patch
-      # Fix agentBeadToAddress to handle rig-specific prefixes (j-, sc-, etc.)
-      ./gastown-fix-agent-bead-rig-prefix.patch
-      # Fix crew/polecat home paths: remove incorrect /rig suffix
-      ./gastown-fix-role-home-paths.patch
-      # Fix town root detection: don't map to Mayor (causes spurious mismatch warnings)
-      ./gastown-fix-town-root-detection.patch
-      # Fix copyDir to handle symlinks (broken symlinks cause "no such file" errors)
-      ./gastown-fix-copydir-symlinks.patch
-      # TODO: Statusline optimization patch needs regenerating against current gastown source
-      # Reduces Dolt CPU from ~70% to ~20% by avoiding beads queries for sessions nobody is watching
-      # ./gastown-statusline-optimization.patch
-    ];
-
-    meta = with lib; {
-      description = "Gas Town - multi-agent workspace manager by Steve Yegge";
-      homepage = "https://github.com/steveyegge/gastown";
-      license = licenses.mit;
-      mainProgram = "gt";
-    };
+  # Build beads and gastown from flake inputs using shared package definitions
+  beadsRev = builtins.substring 0 8 (globalInputs.beads.rev or "unknown");
+  beadsPackage = pkgs.callPackage ../../../packages/beads {
+    src = globalInputs.beads;
+    version = "0.52.0-${beadsRev}";
   };
 
-  # Perles - TUI for beads issue tracking (no upstream flake.nix yet)
-  # Source is tracked via flake input for renovate updates
+  gastownRev = builtins.substring 0 8 (globalInputs.gastown.rev or "unknown");
+  gastownPackage = pkgs.callPackage ../../../packages/gastown {
+    src = globalInputs.gastown;
+    version = "unstable-${gastownRev}";
+  };
+
+  # Build perles from flake input using shared package definition
   perlesRev = builtins.substring 0 8 (globalInputs.perles.rev or "unknown");
-  perlesPackage = pkgs.buildGoModule {
-    pname = "perles";
-    version = "unstable-${perlesRev}";
+  perlesPackage = pkgs.callPackage ../../../packages/perles {
+    inherit (pkgs.unstable) buildGoModule;
     src = globalInputs.perles;
-    vendorHash = "sha256-JHERJDzbiqgjWXwRhXVjgDEiDQ3AUXRIONotfPF21B0=";
-    doCheck = false;
-
-    ldflags = [
-      "-X main.version=${perlesRev}"
-    ];
-
-    meta = with lib; {
-      description = "Perles - Terminal UI for beads issue tracking";
-      homepage = "https://github.com/zjrosen/perles";
-      license = licenses.mit;
-      mainProgram = "perles";
-    };
+    version = "unstable-${perlesRev}";
   };
 
   # Fetch the claude-plugins repository (for humanlayer commands/agents)
@@ -100,6 +36,12 @@ let
     ref = "main";
   };
 
+  # Claude Code statusline: shows model, cwd, git branch, and context usage %
+  claudeCodeStatusLineConfig = pkgs.writeText "claude-statusline.json" (builtins.toJSON {
+    type = "command";
+    command = ''input=$(cat); model=$(echo "$input" | jq -r '.model.display_name'); cwd=$(echo "$input" | jq -r '.workspace.current_dir'); if git -C "$cwd" rev-parse --git-dir > /dev/null 2>&1; then branch=$(git -C "$cwd" --no-optional-locks rev-parse --abbrev-ref HEAD 2>/dev/null || echo ""); if [ -n "$branch" ]; then git_info=" on $branch"; else git_info=""; fi; else git_info=""; fi; usage=$(echo "$input" | jq '.context_window.current_usage'); if [ "$usage" != "null" ]; then current=$(echo "$usage" | jq '.input_tokens + .cache_creation_input_tokens + .cache_read_input_tokens'); size=$(echo "$input" | jq '.context_window.context_window_size'); pct=$((current * 100 / size)); context_info=" | ''${pct}% context"; else context_info=""; fi; printf "%s in %s%s%s" "$model" "$cwd" "$git_info" "$context_info"'';
+  });
+
 in
 {
   options.home.roles.development = {
@@ -128,11 +70,12 @@ in
       pkgs.unstable.claude-code
       pkgs.unstable.claude-code-router
       pkgs.unstable.codex
-      pkgs.dolt
+      pkgs.unstable.dolt
       pkgs.sqlite
 
       # Custom packages
       pkgs.custom.tea-rbw
+      pkgs.custom.pi-coding-agent
     ];
 
     # Install Claude Code humanlayer command and agent plugins
@@ -141,6 +84,9 @@ in
       rm -f ~/.claude/commands/humanlayer:* 2>/dev/null || true
       rm -f ~/.claude/agents/humanlayer:* 2>/dev/null || true
 
+      # Remove explicitly blocked commands that may have been installed previously
+      rm -f ~/.claude/commands/humanlayer:create_handoff.md 2>/dev/null || true
+
       # Create directories if they don't exist
       mkdir -p ~/.claude/commands
       mkdir -p ~/.claude/agents
@@ -149,6 +95,12 @@ in
       for file in ${claudePluginsRepo}/humanlayer/commands/*.md; do
         if [ -f "$file" ]; then
           filename=$(basename "$file" .md)
+
+          # Skip blocked commands
+          case "$filename" in
+            create_handoff) continue ;;
+          esac
+
           dest="$HOME/.claude/commands/humanlayer:''${filename}.md"
           rm -f "$dest" 2>/dev/null || true
 
@@ -241,6 +193,18 @@ in
       $DRY_RUN_CMD echo "Claude Code beads integration configured (hooks installed)"
     '';
 
+    # Configure Claude Code statusline (merge into existing settings.json)
+    home.activation.claudeCodeStatusLine = lib.hm.dag.entryAfter ["writeBoundary" "claudeCodeBeadsSetup"] ''
+      SETTINGS="$HOME/.claude/settings.json"
+      mkdir -p "$HOME/.claude"
+      if [ -f "$SETTINGS" ]; then
+        ${pkgs.jq}/bin/jq --slurpfile sl ${claudeCodeStatusLineConfig} '.statusLine = $sl[0]' "$SETTINGS" > "''${SETTINGS}.tmp" && mv "''${SETTINGS}.tmp" "$SETTINGS"
+      else
+        ${pkgs.jq}/bin/jq -n --slurpfile sl ${claudeCodeStatusLineConfig} '{statusLine: $sl[0]}' > "$SETTINGS"
+      fi
+      $DRY_RUN_CMD echo "Claude Code statusline configured"
+    '';
+
     # Beads timer gate checker (Linux only - uses systemd)
     # Runs every 5 minutes to auto-resolve expired timer gates across all beads projects
     # This enables self-scheduling molecules (watchers, patrols, etc.)

home/roles/development/gastown-fix-agent-bead-address-title.patch

@@ -1,15 +0,0 @@
-diff --git a/internal/mail/router.go b/internal/mail/router.go
---- a/internal/mail/router.go
-+++ b/internal/mail/router.go
-@@ -326,7 +326,10 @@ func agentBeadToAddress(bead *agentBead) string {
- 		}
- 
- 		// Fall back to parsing description for role_type and rig
--		return parseAgentAddressFromDescription(bead.Description)
-+		if bead.Title != "" && strings.Contains(bead.Title, "/") {
-+			return bead.Title
-+		}
-+		return parseAgentAddressFromDescription(bead.Description)
- 	}
- 
- 	// Handle gt- prefixed IDs (legacy format)

home/roles/development/gastown-fix-agent-bead-rig-prefix.patch

@@ -1,35 +0,0 @@
-diff --git a/internal/mail/router.go b/internal/mail/router.go
---- a/internal/mail/router.go
-+++ b/internal/mail/router.go
-@@ -330,8 +330,29 @@ func agentBeadToAddress(bead *agentBead) string {
- 	}
- 
- 	// Handle gt- prefixed IDs (legacy format)
--	if !strings.HasPrefix(id, "gt-") {
--		return "" // Not a valid agent bead ID
-+	// Handle rig-specific prefixes: <prefix>-<rig>-<role>-<name>
-+	// Examples: j-java-crew-americano -> java/crew/americano
-+	idParts := strings.Split(id, "-")
-+	if len(idParts) >= 3 {
-+		for i, part := range idParts {
-+			if part == "crew" || part == "polecat" || part == "polecats" {
-+				if i >= 1 && i < len(idParts)-1 {
-+					rig := idParts[i-1]
-+					name := strings.Join(idParts[i+1:], "-")
-+					return rig + "/" + part + "/" + name
-+				}
-+			}
-+			if part == "witness" || part == "refinery" {
-+				if i >= 1 {
-+					return idParts[i-1] + "/" + part
-+				}
-+			}
-+		}
-+	}
-+
-+	// Handle gt- prefixed IDs (legacy format)
-+	if !strings.HasPrefix(id, "gt-") {
-+		return "" // Not a valid agent bead ID
- 	}
- 
- 	// Strip prefix

home/roles/development/gastown-fix-copydir-symlinks.patch

@@ -1,25 +0,0 @@
-diff --git a/internal/git/git.go b/internal/git/git.go
---- a/internal/git/git.go
-+++ b/internal/git/git.go
-@@ -73,7 +73,19 @@ func copyDir(src, dest string) error {
- 		srcPath := filepath.Join(src, entry.Name())
- 		destPath := filepath.Join(dest, entry.Name())
- 
--		if entry.IsDir() {
-+		// Handle symlinks (recreate them, do not follow)
-+		if entry.Type()&os.ModeSymlink != 0 {
-+			linkTarget, err := os.Readlink(srcPath)
-+			if err != nil {
-+				return err
-+			}
-+			if err := os.Symlink(linkTarget, destPath); err != nil {
-+				return err
-+			}
-+			continue
-+		}
-+
-+		if entry.IsDir() {
- 			if err := copyDir(srcPath, destPath); err != nil {
- 				return err
- 			}
-

home/roles/development/gastown-fix-role-home-paths.patch

@@ -1,18 +0,0 @@
-diff --git a/internal/cmd/role.go b/internal/cmd/role.go
---- a/internal/cmd/role.go
-+++ b/internal/cmd/role.go
-@@ -326,11 +326,11 @@ func getRoleHome(role Role, rig, polecat, townRoot string) string {
- 		if rig == "" || polecat == "" {
- 			return ""
- 		}
--		return filepath.Join(townRoot, rig, "polecats", polecat, "rig")
-+		return filepath.Join(townRoot, rig, "polecats", polecat)
- 	case RoleCrew:
- 		if rig == "" || polecat == "" {
- 			return ""
- 		}
--		return filepath.Join(townRoot, rig, "crew", polecat, "rig")
-+		return filepath.Join(townRoot, rig, "crew", polecat)
- 	default:
- 		return ""
- 	}

home/roles/development/gastown-fix-town-root-detection.patch

@@ -1,18 +0,0 @@
-diff --git a/internal/cmd/prime.go b/internal/cmd/prime.go
---- a/internal/cmd/prime.go
-+++ b/internal/cmd/prime.go
-@@ -276,11 +276,12 @@ func detectRole(cwd, townRoot string) RoleInfo {
- 
- 	// Check for mayor role
- 	// At town root, or in mayor/ or mayor/rig/
- 	if relPath == "." || relPath == "" {
--		ctx.Role = RoleMayor
--		return ctx
-+		return ctx // RoleUnknown - town root is shared space
- 	}
-+
-+	// Check for mayor role: mayor/ or mayor/rig/
- 	if len(parts) >= 1 && parts[0] == "mayor" {
- 		ctx.Role = RoleMayor
- 		return ctx
- 	}

home/roles/development/gastown-fix-validate-recipient.patch

@@ -1,13 +0,0 @@
-diff --git a/internal/mail/router.go b/internal/mail/router.go
-index b864c069..4b6a045b 100644
---- a/internal/mail/router.go
-+++ b/internal/mail/router.go
-@@ -646,7 +646,7 @@ func (r *Router) validateRecipient(identity string) error {
- 	}
- 
- 	for _, agent := range agents {
--		if agentBeadToAddress(agent) == identity {
-+		if AddressToIdentity(agentBeadToAddress(agent)) == AddressToIdentity(identity) {
- 			return nil // Found matching agent
- 		}
- 	}

home/roles/development/gastown-statusline-optimization.patch

@@ -1,135 +0,0 @@
-diff --git a/internal/cmd/statusline.go b/internal/cmd/statusline.go
---- a/internal/cmd/statusline.go
-+++ b/internal/cmd/statusline.go
-@@ -6,6 +6,7 @@ import (
- 	"os"
- 	"path/filepath"
- 	"sort"
- 	"strings"
-+	"time"
- 
- 	"github.com/spf13/cobra"
- 	"github.com/steveyegge/gastown/internal/beads"
-@@ -15,6 +16,43 @@ import (
- 	"github.com/steveyegge/gastown/internal/workspace"
- )
- 
-+// statusLineCacheTTL is how long cached status output remains valid.
-+const statusLineCacheTTL = 10 * time.Second
-+
-+// statusLineCachePath returns the cache file path for a session.
-+func statusLineCachePath(session string) string {
-+	return filepath.Join(os.TempDir(), fmt.Sprintf("gt-status-%s", session))
-+}
-+
-+// getStatusLineCache returns cached status if fresh, empty string otherwise.
-+func getStatusLineCache(session string) string {
-+	path := statusLineCachePath(session)
-+	info, err := os.Stat(path)
-+	if err != nil {
-+		return ""
-+	}
-+	if time.Since(info.ModTime()) > statusLineCacheTTL {
-+		return ""
-+	}
-+	data, err := os.ReadFile(path)
-+	if err != nil {
-+		return ""
-+	}
-+	return string(data)
-+}
-+
-+// setStatusLineCache writes status to cache file.
-+func setStatusLineCache(session, status string) {
-+	path := statusLineCachePath(session)
-+	_ = os.WriteFile(path, []byte(status), 0644)
-+}
-+
- var (
- 	statusLineSession string
- )
-@@ -32,6 +70,20 @@ func init() {
- func runStatusLine(cmd *cobra.Command, args []string) error {
- 	t := tmux.NewTmux()
- 
-+	// Optimization: skip expensive beads queries for detached sessions
-+	if statusLineSession != "" {
-+		if !t.IsSessionAttached(statusLineSession) {
-+			fmt.Print("○ |")
-+			return nil
-+		}
-+		// Check cache for attached sessions too
-+		if cached := getStatusLineCache(statusLineSession); cached != "" {
-+			fmt.Print(cached)
-+			return nil
-+		}
-+	}
-+
- 	// Get session environment
- 	var rigName, polecat, crew, issue, role string
- 
-@@ -149,7 +201,12 @@ func runWorkerStatusLine(t *tmux.Tmux, session, rigName, polecat, crew, issue st
- 
- 	// Output
- 	if len(parts) > 0 {
--		fmt.Print(strings.Join(parts, " | ") + " |")
-+		output := strings.Join(parts, " | ") + " |"
-+		if statusLineSession != "" {
-+			setStatusLineCache(statusLineSession, output)
-+		}
-+		fmt.Print(output)
- 	}
- 
- 	return nil
-@@ -389,7 +446,12 @@ func runMayorStatusLine(t *tmux.Tmux) error {
- 		}
- 	}
- 
--	fmt.Print(strings.Join(parts, " | ") + " |")
-+	output := strings.Join(parts, " | ") + " |"
-+	if statusLineSession != "" {
-+		setStatusLineCache(statusLineSession, output)
-+	}
-+	fmt.Print(output)
- 	return nil
- }
- 
-@@ -458,7 +520,12 @@ func runDeaconStatusLine(t *tmux.Tmux) error {
- 		}
- 	}
- 
--	fmt.Print(strings.Join(parts, " | ") + " |")
-+	output := strings.Join(parts, " | ") + " |"
-+	if statusLineSession != "" {
-+		setStatusLineCache(statusLineSession, output)
-+	}
-+	fmt.Print(output)
- 	return nil
- }
- 
-@@ -526,7 +593,12 @@ func runWitnessStatusLine(t *tmux.Tmux, rigName string) error {
- 		}
- 	}
- 
--	fmt.Print(strings.Join(parts, " | ") + " |")
-+	output := strings.Join(parts, " | ") + " |"
-+	if statusLineSession != "" {
-+		setStatusLineCache(statusLineSession, output)
-+	}
-+	fmt.Print(output)
- 	return nil
- }
- 
-@@ -617,7 +689,12 @@ func runRefineryStatusLine(t *tmux.Tmux, rigName string) error {
- 		}
- 	}
- 
--	fmt.Print(strings.Join(parts, " | ") + " |")
-+	output := strings.Join(parts, " | ") + " |"
-+	if statusLineSession != "" {
-+		setStatusLineCache(statusLineSession, output)
-+	}
-+	fmt.Print(output)
- 	return nil
- }
- 

home/roles/emacs/default.nix

@@ -8,8 +8,8 @@ let
   doomEmacs = pkgs.fetchFromGitHub {
     owner = "doomemacs";
     repo = "doomemacs";
-    rev = "38d94da67dc84897a4318714dcc48494c016d8c4";
-    sha256 = "sha256-Uc6qONH3jjUVDgW+pPBCGC7mh88ZY05u1y37fQrsxq0=";
+    rev = "d23bbe87721c61f4d5a605f2914b32780bb89949";
+    sha256 = "sha256-z+3c0AGkrMf1xZ+pq57aVp4Zo4KsqFMIjEVzSZinghc=";
   };
 
   # Shared emacs packages

home/roles/emacs/doom/config.el

@@ -274,6 +274,18 @@ rbw is unavailable or the entry is not found."
                  (error (format "Error listing directory %s: %s" dirpath (error-message-string err)))))
    :args (list '(:name "dirpath" :type "string" :description "Directory path to list"))))
 
+(use-package! pi-coding-agent
+  :commands (pi-coding-agent pi-coding-agent-toggle)
+  :init
+  (defalias 'pi 'pi-coding-agent)
+  (map! :leader
+        (:prefix ("o" . "open")
+         :desc "Pi Coding Agent" "p" #'pi-coding-agent))
+  :config
+  ;; Tree-sitter grammars are managed by Nix (treesit-grammars.with-all-grammars),
+  ;; so suppress the auto-install prompt
+  (setq pi-coding-agent-essential-grammar-action 'warn))
+
 (use-package! claude-code-ide
   :commands (claude-code-ide-menu claude-code-ide-open-here)
   :init

home/roles/emacs/doom/packages.el

@@ -51,6 +51,9 @@
 
 (package! org-caldav)
 
+;; Pin org-msg - upstream doom pin references a force-pushed commit
+(package! org-msg :pin "aa608b399586fb771ad37045a837f8286a0b6124")
+
 ;; Note: Packages with custom recipes must be pinned for nix-doom-emacs-unstraightened
 ;; to build deterministically. Update pins when upgrading packages.
 
@@ -69,3 +72,8 @@
   :recipe (:type git :repo "https://codeberg.org/ctietze/beads.el.git"
            :files ("lisp/*.el"))
   :pin "f40a6461d3c0fa0969311bbb6a1e30d1bba86c88")
+
+(package! pi-coding-agent
+  :recipe (:host github :repo "dnouri/pi-coding-agent"
+           :files ("*.el"))
+  :pin "8d8158b0a6150ce13d91e561a1223790670acaa7")

home/wallpapers/default.nix

@@ -2,7 +2,7 @@
 # The currentIndex is incremented by `nix run .#rotate-wallpaper`
 # and gets committed as part of `nix run .#upgrade`
 {
-  currentIndex = 1;  # Index into wallpapers list
+  currentIndex = 2;  # Index into wallpapers list
 
   wallpapers = [
     {

machines/john-endesktop/configuration.nix

@@ -54,6 +54,7 @@ with lib;
       4000  # nfs callback
       4001  # nlockmgr
       4002  # mountd
+      5000  # harmonia binary cache
       20048 # mountd
     ];
     allowedUDPPorts = [
@@ -148,6 +149,16 @@ with lib;
     };
   };
 
+  # Harmonia binary cache server
+  # Replaces the broken k8s deployment with native NixOS service
+  services.harmonia = {
+    enable = true;
+    signKeyPaths = [ "/etc/harmonia/signing-key.private" ];
+    settings = {
+      bind = "[::]:5000";
+    };
+  };
+
   # Time zone
   time.timeZone = "America/Los_Angeles"; # Adjust as needed
 

machines/nix-book/configuration.nix

@@ -38,7 +38,24 @@
       enable = true;
       extraGroups = [ "video" ];
     };
-    virtualisation.enable = true;
+    virtualisation = {
+      enable = true;
+      waydroid = true;
+    };
+    wireguard = {
+      enable = true;
+      autostart = true;
+      interfaceName = "ogleNet";
+      address = [ "192.168.4.2/32" ];
+      privateKeyFile = "/etc/wireguard/oglehome-private-key";
+      dns = [ "192.168.4.1" ];
+      peers = [{
+        publicKey = "AWkmtaz0poyyKJGnRcabO5ecd6ESh1lKu+XRb3ObxBc=";
+        endpoint = "pi.johnogle.info:6666";
+        allowedIPs = [ "0.0.0.0/0" ];
+        persistentKeepalive = 25;
+      }];
+    };
   };
 
   # Bootloader.
@@ -58,13 +75,6 @@
   # Enable networking
   networking.networkmanager.enable = true;
 
-  # WireGuard setup
-  networking.wg-quick.interfaces = {
-    ogleNet = {
-      configFile = "/root/Oglehome-VPN-johno-nixbook.conf";
-    };
-  };
-
   hardware.graphics = {
     enable = true;
     extraPackages = with pkgs; [

packages/beads/default.nix

@@ -0,0 +1,26 @@
+# Beads package - issue tracker for AI-supervised coding workflows
+# Takes src as argument so it can be called from both overlay and flake packages
+{ lib
+, buildGoModule
+, git
+, pkg-config
+, icu
+, src
+, version ? "unknown"
+}:
+
+buildGoModule {
+  pname = "beads";
+  inherit version src;
+  subPackages = [ "cmd/bd" ];
+  doCheck = false;
+  vendorHash = "sha256-XAhe4yuLzP9vQ3IFhWAO5fN/3OOfokcRxfeGKaRYEws=";
+  nativeBuildInputs = [ git pkg-config ];
+  buildInputs = [ icu ];
+  meta = with lib; {
+    description = "beads (bd) - An issue tracker designed for AI-supervised coding workflows";
+    homepage = "https://github.com/steveyegge/beads";
+    license = licenses.mit;
+    mainProgram = "bd";
+  };
+}

packages/claude-code/default.nix

@@ -6,24 +6,24 @@
 }:
 
 let
-  version = "2.1.19";
+  version = "2.1.75";
 
   srcs = {
     aarch64-darwin = {
       url = "https://storage.googleapis.com/claude-code-dist-86c565f3-f756-42ad-8dfa-d59b1c096819/claude-code-releases/${version}/darwin-arm64/claude";
-      sha256 = "d386ac8f6d1479f85d31f369421c824135c10249c32087017d05a5f428852c41";
+      sha256 = "8c541a5e924eda2070eaf1702a48047af671c4dff6a11a5e762076614a082675";
     };
     x86_64-darwin = {
       url = "https://storage.googleapis.com/claude-code-dist-86c565f3-f756-42ad-8dfa-d59b1c096819/claude-code-releases/${version}/darwin-x64/claude";
-      sha256 = "be266b3a952f483d8358ad141e2afe661170386506f479ead992319e4fdc38ac";
+      sha256 = "82c90b91a0a18f60191f817b9b42304d8b17dbed75795b715c41f4fdfe4c782d";
     };
     x86_64-linux = {
       url = "https://storage.googleapis.com/claude-code-dist-86c565f3-f756-42ad-8dfa-d59b1c096819/claude-code-releases/${version}/linux-x64/claude";
-      sha256 = "4e2a1c73871ecf3b133376b57ded03333a7a6387f2d2a3a6279bb90a07f7a944";
+      sha256 = "328b0a429c05a04f911157d886be5123cf1824a19ba8ca1f9d594c004eac32c9";
     };
     aarch64-linux = {
       url = "https://storage.googleapis.com/claude-code-dist-86c565f3-f756-42ad-8dfa-d59b1c096819/claude-code-releases/${version}/linux-arm64/claude";
-      sha256 = "8c4b61b24ca760d6f7aa2f19727163d122e9fd0c3ce91f106a21b6918a7b1bbb";
+      sha256 = "ec8f4f7f7bb50611dae70c109a76ee1da6a3ab45511c65f117df215848ecc905";
     };
   };
 

packages/default.nix

@@ -5,4 +5,5 @@
   claude-code = pkgs.callPackage ./claude-code {};
   mcrcon-rbw = pkgs.callPackage ./mcrcon-rbw {};
   rclone-torbox-setup = pkgs.callPackage ./rclone-torbox-setup {};
+  pi-coding-agent = pkgs.callPackage ./pi-coding-agent {};
 }

packages/gastown/default.nix

@@ -0,0 +1,31 @@
+# Gastown package - multi-agent workspace manager
+# Takes src as argument so it can be called from both overlay and flake packages
+{ lib
+, buildGoModule
+, src
+, version ? "unknown"
+}:
+
+buildGoModule {
+  pname = "gastown";
+  inherit version src;
+  vendorHash = "sha256-8SdvSASP+bJjMooqEQvkCzG+J6CbsK+HCQulrPnJZ1Y=";
+  subPackages = [ "cmd/gt" ];
+  doCheck = false;
+
+  # Must match ldflags from gastown Makefile - BuiltProperly=1 is required
+  # or gt will error with "This binary was built with 'go build' directly"
+  ldflags = [
+    "-X github.com/steveyegge/gastown/internal/cmd.Version=${version}"
+    "-X github.com/steveyegge/gastown/internal/cmd.Commit=${version}"
+    "-X github.com/steveyegge/gastown/internal/cmd.BuildTime=nix-build"
+    "-X github.com/steveyegge/gastown/internal/cmd.BuiltProperly=1"
+  ];
+
+  meta = with lib; {
+    description = "Gas Town - multi-agent workspace manager by Steve Yegge";
+    homepage = "https://github.com/steveyegge/gastown";
+    license = licenses.mit;
+    mainProgram = "gt";
+  };
+}

packages/perles/default.nix

@@ -0,0 +1,25 @@
+# Perles - Terminal UI for beads issue tracking
+# Takes src as argument so it can be called from both overlay and flake packages
+{ lib
+, buildGoModule
+, src
+, version ? "unknown"
+}:
+
+buildGoModule {
+  pname = "perles";
+  inherit version src;
+  doCheck = false;
+  vendorHash = "sha256-A5LE9Cor/DRcJtVpiScSoqDYhJIKyaq0cbK+OGmr4XU=";
+
+  ldflags = [
+    "-X main.version=${version}"
+  ];
+
+  meta = with lib; {
+    description = "Perles - Terminal UI for beads issue tracking";
+    homepage = "https://github.com/zjrosen/perles";
+    license = licenses.mit;
+    mainProgram = "perles";
+  };
+}

packages/pi-coding-agent/default.nix

@@ -0,0 +1,79 @@
+{ lib
+, stdenv
+, fetchurl
+, patchelf
+, glibc
+, makeWrapper
+}:
+
+let
+  version = "0.55.4";
+
+  srcs = {
+    aarch64-darwin = {
+      url = "https://github.com/badlogic/pi-mono/releases/download/v${version}/pi-darwin-arm64.tar.gz";
+      sha256 = "0vsav9frvnzskk6p6j60i7klrs3m8lphhyi4c39mv2mvhpm8fkl5";
+    };
+    x86_64-darwin = {
+      url = "https://github.com/badlogic/pi-mono/releases/download/v${version}/pi-darwin-x64.tar.gz";
+      sha256 = "1377rvhsiiww1bbpgv2v46fjm7iz2smmh8g2yhm28kbsq3gwvvr0";
+    };
+    x86_64-linux = {
+      url = "https://github.com/badlogic/pi-mono/releases/download/v${version}/pi-linux-x64.tar.gz";
+      sha256 = "1wnfwnkfq5ffz6wyqyhciv4lz06bpxims0hv0dlhz0f9vliyc1md";
+    };
+    aarch64-linux = {
+      url = "https://github.com/badlogic/pi-mono/releases/download/v${version}/pi-linux-arm64.tar.gz";
+      sha256 = "00fp37hgjl40kc59jfpv189i7np53ymm037hvds6k9y2sz818wjy";
+    };
+  };
+
+  src = srcs.${stdenv.hostPlatform.system} or (throw "Unsupported system: ${stdenv.hostPlatform.system}");
+
+in stdenv.mkDerivation {
+  pname = "pi-coding-agent";
+  inherit version;
+
+  src = fetchurl {
+    inherit (src) url sha256;
+  };
+
+  sourceRoot = "pi";
+
+  # Bun standalone binaries have JS code appended after the ELF sections
+  dontStrip = true;
+  dontPatchELF = true;
+
+  nativeBuildInputs = [ makeWrapper ]
+    ++ lib.optionals stdenv.isLinux [ patchelf ];
+
+  installPhase = ''
+    runHook preInstall
+
+    # Install the full pi directory structure (binary + supporting files)
+    mkdir -p $out/lib/pi-coding-agent
+    cp -r . $out/lib/pi-coding-agent/
+
+    # Create bin wrapper that runs the binary from its lib directory
+    # (pi expects supporting files like themes and wasm relative to itself)
+    mkdir -p $out/bin
+    makeWrapper $out/lib/pi-coding-agent/pi $out/bin/pi
+
+    runHook postInstall
+  '';
+
+  # Manually patch the interpreter for bun standalone binaries on Linux
+  postFixup = lib.optionalString stdenv.isLinux ''
+    interpreter="${glibc}/lib/${if stdenv.hostPlatform.system == "aarch64-linux" then "ld-linux-aarch64.so.1" else "ld-linux-x86-64.so.2"}"
+    patchelf --set-interpreter "$interpreter" $out/lib/pi-coding-agent/pi
+  '';
+
+  meta = with lib; {
+    description = "Minimal terminal coding agent with extensible tools and session management";
+    homepage = "https://github.com/badlogic/pi-mono/tree/main/packages/coding-agent";
+    license = licenses.mit;
+    maintainers = [ ];
+    platforms = [ "aarch64-darwin" "x86_64-darwin" "x86_64-linux" "aarch64-linux" ];
+    mainProgram = "pi";
+  };
+}

renovate.json

@@ -13,7 +13,7 @@
   "lockFileMaintenance": {
     "enabled": true,
     "schedule": [
-      "before 5am on monday"
+      "after 5pm and before 7pm on Saturday"
     ]
   },
   "dependencyDashboard": true,
@@ -37,6 +37,9 @@
         "/^nixpkgs$/",
         "/^home-manager$/",
         "/^nix-darwin$/"
+      ],
+      "schedule": [
+        "after 5pm and before 7pm on Saturday"
       ]
     },
     {
@@ -48,6 +51,21 @@
       "matchPackageNames": [
         "/nixpkgs-unstable/",
         "/home-manager-unstable/"
+      ],
+      "schedule": [
+        "after 5pm and before 7pm on Saturday"
+      ]
+    },
+    {
+      "description": "nixpkgs-qt updates on Saturday (staggered from main ecosystem)",
+      "matchManagers": [
+        "nix"
+      ],
+      "matchPackageNames": [
+        "/nixpkgs-qt/"
+      ],
+      "schedule": [
+        "after 7pm and before 9pm on Saturday"
       ]
     },
     {
@@ -69,7 +87,7 @@
         "/gastown/"
       ],
       "schedule": [
-        "before 6am every day"
+        "before 6am"
       ],
       "automerge": false
     },
@@ -82,7 +100,7 @@
         "/beads/"
       ],
       "schedule": [
-        "before 6am every day"
+        "before 6am"
       ],
       "automerge": false
     }

roles/common.nix

@@ -23,7 +23,13 @@
         max-jobs = "auto";
         trusted-users = [ "johno" ];
         substituters = [
+          "http://john-endesktop.oglehome:5000"
         ];
+        trusted-public-keys = [
+          "harmonia.john-endesktop:1iGr4xZrsR7WtXOlPCgFF3LcODYBpu+B3TS54MyBn4M="
+        ];
+        fallback = true;
+        connect-timeout = 5;
       };
 
       gc = {

roles/default.nix

@@ -19,6 +19,7 @@ with lib;
     ./spotifyd
     ./users
     ./virtualisation
+    ./wireguard
   ];
 
   config = {

roles/desktop/wayland.nix

@@ -11,9 +11,8 @@ in
       enable = true;
       wrapperFeatures.gtk = true;
     };
-    programs.light.enable = true;
-
     environment.systemPackages = with pkgs; [
+      brightnessctl
       grim
       slurp
       wl-clipboard

roles/kodi/default.nix

@@ -47,23 +47,23 @@ in
       if cfg.jellyfinScaleFactor != null
       then pkgs.symlinkJoin {
         name = "jellyfin-media-player-scaled";
-        paths = [ pkgs.jellyfin-media-player ];
+        paths = [ pkgs.qt-pinned.jellyfin-media-player ];
         nativeBuildInputs = [ pkgs.makeWrapper ];
         postBuild = ''
           mkdir -p $out/bin
           rm -f $out/bin/jellyfin-desktop
-          makeWrapper ${pkgs.jellyfin-media-player}/bin/jellyfin-desktop $out/bin/jellyfin-desktop \
+          makeWrapper ${pkgs.qt-pinned.jellyfin-media-player}/bin/jellyfin-desktop $out/bin/jellyfin-desktop \
             --add-flags "--tv --scale-factor ${toString cfg.jellyfinScaleFactor}"
 
           # Update .desktop file to include scale factor and TV mode arguments
           mkdir -p $out/share/applications
           rm -f $out/share/applications/org.jellyfin.JellyfinDesktop.desktop
-          substitute ${pkgs.jellyfin-media-player}/share/applications/org.jellyfin.JellyfinDesktop.desktop \
+          substitute ${pkgs.qt-pinned.jellyfin-media-player}/share/applications/org.jellyfin.JellyfinDesktop.desktop \
             $out/share/applications/org.jellyfin.JellyfinDesktop.desktop \
             --replace-fail "Exec=jellyfin-desktop" "Exec=jellyfin-desktop --tv --scale-factor ${toString cfg.jellyfinScaleFactor}"
         '';
       }
-      else pkgs.jellyfin-media-player;
+      else pkgs.qt-pinned.jellyfin-media-player;
   in mkIf cfg.enable
     {
       users.extraUsers.kodi = {
@@ -77,14 +77,15 @@ in
       };
 
       environment.systemPackages = with pkgs; [
+        firefox
         jellyfinMediaPlayerPkg
         kodiPkg
+        qt-pinned.stremio
         wget
-        firefox
       ] ++ optional cfg.appLauncherServer.enable pkgs.custom.app-launcher-server;
 
       nixpkgs.config.permittedInsecurePackages = lib.warn
-        "Allowing insecure package qtwebengine-5.15.19 as a jellyfin-media-player dependency. Remove this once jellyfin is updated to use qt6"
+        "Allowing insecure package qtwebengine-5.15.19 as a jellyfin-media-player/stremio dependency. These are pinned to nixpkgs-qt to avoid rebuilds - update that input separately when you have time."
         [
           "qtwebengine-5.15.19"
         ];

roles/virtualisation/default.nix

@@ -13,6 +13,11 @@ in
       default = [ "johno" ];
       description = "List of users to add to the docker group";
     };
+    waydroid = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Enable waydroid support";
+    };
   };
 
   config = mkIf cfg.enable
@@ -21,5 +26,6 @@ in
       programs.virt-manager.enable = true;
       virtualisation.docker.enable = true;
       users.extraGroups.docker.members = cfg.dockerUsers;
+      virtualisation.waydroid.enable = cfg.waydroid;
     };
 }

roles/wireguard/default.nix

@@ -0,0 +1,71 @@
+{ config, lib, ... }:
+
+with lib;
+
+let
+  cfg = config.roles.wireguard;
+in
+{
+  options.roles.wireguard = {
+    enable = mkEnableOption "Enable WireGuard VPN";
+    interfaceName = mkOption {
+      type = types.str;
+      default = "wg0";
+      description = "Name of the WireGuard interface";
+    };
+    address = mkOption {
+      type = types.listOf types.str;
+      description = "Address(es) for the WireGuard interface";
+    };
+    privateKeyFile = mkOption {
+      type = types.path;
+      description = "Path to a root-owned file containing the WireGuard private key";
+    };
+    dns = mkOption {
+      type = types.listOf types.str;
+      default = [];
+      description = "DNS servers to use when the tunnel is active";
+    };
+    peers = mkOption {
+      type = types.listOf (types.submodule {
+        options = {
+          publicKey = mkOption {
+            type = types.str;
+            description = "Public key of the peer";
+          };
+          endpoint = mkOption {
+            type = types.str;
+            description = "Endpoint address of the peer (host:port)";
+          };
+          allowedIPs = mkOption {
+            type = types.listOf types.str;
+            description = "List of allowed IP ranges for this peer";
+          };
+          persistentKeepalive = mkOption {
+            type = types.int;
+            default = 25;
+            description = "Persistent keepalive interval in seconds";
+          };
+        };
+      });
+      description = "WireGuard peers";
+    };
+    autostart = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Whether to start the VPN automatically on boot";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    networking.wg-quick.interfaces.${cfg.interfaceName} = {
+      inherit (cfg) address dns autostart peers;
+      privateKeyFile = cfg.privateKeyFile;
+    };
+
+    systemd.services."wg-quick-${cfg.interfaceName}" = {
+      after = [ "network-online.target" ];
+      wants = [ "network-online.target" ];
+    };
+  };
+}