feat!: adopt Lix as default Nix daemon

Introduce Lix and make the shared configuration default to the upstream source-build path while still allowing consumers to opt out via `repo.lix.enable = false`.

Add flake input wiring for `lix` and `lix-module`, export the upstream default nixos and darwin modules, and apply the upstream source-build overlay during nixpkgs imports when Lix is enabled. Update the standalone Home Manager `nix.package` fallback so enabling Lix does not get overridden back to `pkgs.nix`, and regenerate `flake.nix` and `flake.lock` to capture the new inputs.

Refresh the README to document a Lix-first bootstrap flow for darwin and standalone Home Manager hosts, fix the concrete installer invocation, and tighten the domain-joined machine guidance around the known `sssd`/`nscd` workaround.

Strengthen repo and agent guidance to require staging new Nix files before validation, since untracked files are ignored by flake evaluation and can lead to misleading test results.

Add a temporary `just rebuild` workaround that appends `extra-deprecated-features = broken-string-indentation` to `NIX_CONFIG` so upstream zen-browser-flake warnings stay out of local rebuild output until 0xc000022070/zen-browser-flake#268 lands.

BREAKING CHANGE: Lix is now the default daemon and package-manager wiring for this repo's shared configuration surface. Consumers that need the previous behavior must opt out explicitly with `repo.lix.enable = false`.

Author: aw1cks

.github/workflows/ci.yml

@@ -21,7 +21,7 @@ jobs:
             runner: macos-latest
     steps:
       - uses: actions/checkout@v6
-      - uses: cachix/install-nix-action@v31
+      - uses: samueldr/lix-gha-installer-action@v2026-02-22
         with:
           github_access_token: ${{ secrets.GITHUB_TOKEN }}
       - uses: nix-community/cache-nix-action@v7

AGENTS.md

@@ -89,7 +89,7 @@ Use the Nix MCP first for Nix package, option, flake-input, and cache lookups be
 - Make the smallest correct change.
 - Prefer editing files under `modules/` and future `profiles/` trees over generated outputs.
 - If a change affects generated flake output, regenerate `flake.nix` rather than hand-editing it.
-- For any new file that must be evaluated by Nix, ensure it is tracked by git before relying on `nix` commands for validation; untracked files are ignored by flake evaluation.
+- For any new file that must be evaluated by Nix, stage it with git before relying on `nix` commands for validation; untracked files are ignored by flake evaluation, and staged files are the safest default for accurate testing.
 - Prefer exposing maintained operational commands via `nix run .#<name>` or `nix build .#<name>` instead of telling users to run repository-local shell scripts directly.
 - Prefer introducing or consuming profiles instead of expanding repeated host import lists.
 - Prefer mapping `hostFacts.roles` to existing profiles in `modules/roles/defaults.nix` rather than making hosts import repeated role bundles directly.
@@ -99,6 +99,7 @@ Use the Nix MCP first for Nix package, option, flake-input, and cache lookups be
 ## Verification
 
 - For configuration changes, prefer the narrowest useful validation first.
+- Before running validation for changes that add new Nix files or change generated flake inputs, stage the relevant new files first so evaluation sees the intended source tree.
 - Use `nix flake check` when it meaningfully covers the change.
 - Use `just rebuild` for local apply flows across nix-darwin, NixOS, and standalone Home Manager.
 - On macOS bootstrap flows, preserving `NIX_CONFIG` may be required until managed Nix settings are active.

README.md

@@ -24,47 +24,61 @@ Reusable Nix library plus public live host configurations for NixOS, standalone
 
 ### Prerequisites
 
-Install a standard multi-user Nix daemon. For nix-darwin hosts, prefer the standard Nix installer over Determinate if you want nix-darwin to manage the Nix installation.
+For darwin and standalone Home Manager hosts, install a multi-user Nix daemon
+manually to bootstrap the configuration. The recommended happy path is
+[Lix](https://lix.systems/), which enables the required defaults out of the box.
 
-On Arch Linux: `sudo pacman -S nix`
+Our configuration relies on `flakes` and `nix-command`.
 
-For other distros:
+`trusted-users` should also cover your user directly or via an admin group,
+especially for standalone Home Manager hosts where daemon settings are not
+managed declaratively post-bootstrap.
 
 ```sh
-sudo install -d -m755 -o $(id -u) -g $(id -g) /nix
-curl -L https://nixos.org/nix/install | sh
-sudo systemctl enable --now nix-daemon
+$ LIX_INSTALLER="$(mktemp)"
+$ curl --proto 'https' --tlsv1.2 -fsSLo "$LIX_INSTALLER" https://install.lix.systems/lix
+$ less "$LIX_INSTALLER" # inspect the installer to make sure it looks correct
+$ sh "$LIX_INSTALLER" install \
+    --extra-conf 'trusted-users = root @wheel @sudo'
+$ rm -vf "$LIX_INSTALLER"
 ```
 
-If running on a domain-joined machine, you may need to install `nscd`.
+#### Domain-joined machines
 
-Ensure the user is in the `trusted-users` list to prevent annoying warnings:
+If running on a domain-joined Linux machine, apps may have issues with UID,
+group, or host lookups. This is usually because `sssd` provides that
+functionality through NSS plugins configured in `/etc/nsswitch.conf`, and
+Nix-built glibc binaries on non-NixOS systems often cannot use the host NSS
+plugins directly.
 
-```sh
-echo "trusted-users = $(whoami)" | sudo tee -a /etc/nix/nix.conf
-sudo systemctl restart nix-daemon
-```
-
-### Bootstrap note
-
-If you are bootstrapping on a machine where `nix` does not yet have flakes enabled, run commands with:
+Installing `nscd` via the host package manager is a known workaround here and
+has worked reliably on a few machines. Nix's libc will check for
+`/var/run/nscd/socket`, so an `nscd`-compatible daemon can bridge those
+lookups without requiring Nix-built binaries to load the host NSS plugins
+themselves.
 
-```sh
-NIX_CONFIG='experimental-features = nix-command flakes'
-```
+This is still suboptimal: upstream SSSD documentation advises against running
+`nscd` alongside `sssd` because of caching and behavior conflicts.
 
-This is mainly needed for first-run bootstrapping before this repo's own Nix settings are active.
+Possible alternatives that are not yet validated:
+- Use [nsncd](https://github.com/twosigma/nsncd), an `nscd`-compatible daemon that forwards lookups without glibc `nscd`'s caching behavior
+- Make the required NSS modules discoverable to Nix-built binaries directly instead of routing lookups through an `nscd`-compatible socket
+  - In practice this likely means a glibc/NSS setup that can expose `libnss_sss` compatibly to those binaries
+  - The exact implementation is environment-specific and still untested here
 
 ### Rebuilding the current machine
 
 The pinned `nh` CLI is exposed as a flake app on all supported platforms.
 
 Bootstrap rebuilds can be run directly with:
 
+If you are not using Lix, ensure `nix-command` and `flakes` are enabled before
+running these commands.
+
 ```sh
-NIX_CONFIG='experimental-features = nix-command flakes' nix run .#nh -- darwin switch .
-NIX_CONFIG='experimental-features = nix-command flakes' nix run .#nh -- os switch .
-NIX_CONFIG='experimental-features = nix-command flakes' nix run .#nh -- home switch .
+nix run .#nh -- darwin switch .
+nix run .#nh -- os switch .
+nix run .#nh -- home switch .
 ```
 
 Once `just` is available, `just rebuild` wraps the same pinned `nh` entrypoint:

flake.lock

@@ -23,6 +23,17 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
     import-tree.url = "github:vic/import-tree";
+    lix = {
+      url = "https://git.lix.systems/lix-project/lix/archive/main.tar.gz";
+      flake = false;
+    };
+    lix-module = {
+      url = "https://git.lix.systems/lix-project/nixos-module/archive/main.tar.gz";
+      inputs = {
+        lix.follows = "lix";
+        nixpkgs.follows = "nixpkgs";
+      };
+    };
     llm-agents = {
       url = "github:numtide/llm-agents.nix";
       inputs.nixpkgs.follows = "nixpkgs-unstable";

flake.nix

@@ -1,3 +1,11 @@
+# WORKAROUND: suppress upstream broken-string-indentation warnings from
+# zen-browser-flake until https://github.com/0xc000022070/zen-browser-flake/pull/268 lands.
+nix_config_prefix := if env_var_or_default("NIX_CONFIG", "") == "" {
+  "extra-deprecated-features = broken-string-indentation"
+} else {
+  trim_end(env_var("NIX_CONFIG")) + "\nextra-deprecated-features = broken-string-indentation"
+}
+
 is_wsl := path_exists("/proc/sys/fs/binfmt_misc/WSLInterop")
 is_nixos := path_exists("/run/current-system/nixos-version")
 
@@ -19,7 +27,7 @@ default:
   @just --list --unsorted
 
 rebuild target=".":
-  {{rebuild_command}} {{target}}
+  NIX_CONFIG='{{nix_config_prefix}}' {{rebuild_command}} {{target}}
 
 fix-nix-daemon:
   @set -e; \

justfile

@@ -0,0 +1,18 @@
+{ lib, inputs, ... }:
+{
+  flake-file.inputs.lix = {
+    url = lib.mkDefault "https://git.lix.systems/lix-project/lix/archive/main.tar.gz";
+    flake = false;
+  };
+
+  flake-file.inputs.lix-module = {
+    url = lib.mkDefault "https://git.lix.systems/lix-project/nixos-module/archive/main.tar.gz";
+    inputs.lix.follows = lib.mkDefault "lix";
+    inputs.nixpkgs.follows = lib.mkDefault "nixpkgs";
+  };
+
+  flake.modules = {
+    nixos.lix = inputs.lix-module.nixosModules.default;
+    darwin.lix = inputs.lix-module.darwinModules.default;
+  };
+}

modules/inputs/lix.nix

@@ -13,6 +13,12 @@ let
       system = pkgs.stdenv.hostPlatform.system;
     in
     {
+      options.repo.lix.enable = lib.mkOption {
+        type = lib.types.bool;
+        default = true;
+        description = "Whether this module should enable the shared Lix overlay and module wiring.";
+      };
+
       options.repo.nixpkgs.enable = lib.mkOption {
         type = lib.types.bool;
         default = true;
@@ -26,7 +32,7 @@ let
             allowUnfreePredicate = _: true;
             nvidia.acceptLicense = true;
           };
-          overlays = [
+          overlays = lib.optional config.repo.lix.enable inputs.lix-module.overlays.default ++ [
             (_final: _prev: {
               unstable = import inputs.nixpkgs-unstable {
                 inherit system;

modules/nix/nixpkgs.nix

@@ -54,11 +54,19 @@ in
         {
           lib,
           pkgs,
+          config,
           osConfig ? null,
           ...
         }:
         mkSettingsAdapter {
-          nix.package = lib.mkDefault (if osConfig != null then osConfig.nix.package else pkgs.nix);
+          nix.package = lib.mkDefault (
+            if osConfig != null then
+              osConfig.nix.package
+            else if lib.attrByPath [ "repo" "lix" "enable" ] false config then
+              pkgs.lix
+            else
+              pkgs.nix
+          );
         };
     };
   };

modules/nix/settings.nix

@@ -15,3 +15,4 @@ The `agent-health` skill must be active for any task longer than a few exchanges
 - Prefer small verifiable steps over large monolithic outputs
 - If a task is underspecified, ask one focused clarifying question before proceeding
 - Escalate to the user rather than silently retrying when blocked
+- Stage any new files that must participate in Nix evaluation before testing; untracked files are ignored by flake evaluation, so staging is required for reliable validation