update secrets

hosts/nb/modules/development/default.nix

@@ -10,8 +10,9 @@ in {
   imports = [
     # ./mcp.nix
     ./coding.nix
-    ./android.nix
+    # ./android.nix
     ./nvim/default.nix
+    ./mcp-chromium.nix
   ];
   environment.systemPackages = with pkgs; [
     bento

hosts/nb/modules/development/mcp-chromium.nix

@@ -0,0 +1,57 @@
+{ config, pkgs, lib, ... }:
+
+let
+  # Wrapper to launch Chromium on Wayland, scale=1, DevTools debugging on 127.0.0.1:9222
+  chromiumWaylandWrapper = pkgs.writeShellScriptBin "chromium-mcp" ''
+    exec ${pkgs.chromium}/bin/chromium \
+      --ozone-platform=wayland \
+      --enable-features=UseOzonePlatform \
+      --force-device-scale-factor=1 \
+      --remote-debugging-address=127.0.0.1 \
+      --remote-debugging-port=9222 \
+      "$@"
+  '';
+
+  # Desktop entry that uses our wrapper. The filename will be chromium.desktop
+  chromiumDesktopOverride = pkgs.makeDesktopItem {
+    name = "chromium";  # ← important: must match stock filename to override
+    desktopName = "Chromium";
+    genericName  = "Web Browser";
+    comment      = "Chromium on Wayland (scale=1) with DevTools remote debugging for MCP";
+    icon         = "chromium";
+    exec         = "${chromiumWaylandWrapper}/bin/chromium-mcp %U";
+    terminal     = false;
+    categories   = [ "Network" "WebBrowser" ];
+    mimeTypes = [
+      "text/html" "text/xml" "application/xhtml+xml"
+      "x-scheme-handler/http" "x-scheme-handler/https"
+      "x-scheme-handler/ftp"  "x-scheme-handler/chrome"
+    ];
+    # If you want extra desktop keys, you can add them as a raw block:
+  };
+in
+{
+  # Tools: Chromium, Node (for MCP server), our wrapper, and the desktop override
+  environment.systemPackages = [
+    pkgs.chromium
+    pkgs.nodejs_22   # 25.05 ships Node 22 LTS; works great for MCP servers
+    chromiumWaylandWrapper
+    chromiumDesktopOverride  # ← keep AFTER pkgs.chromium so our .desktop wins
+  ];
+
+  # Where Codex CLI reads config; we make it system-wide
+  environment.variables.CODEX_HOME = "/etc/codex";
+
+  # Codex CLI MCP config: wires Chrome DevTools MCP to the local DevTools port
+  environment.etc."codex/config.toml".text = ''
+    [mcp_servers.chrome-devtools]
+    command = "npx"
+    args = ["-y", "chrome-devtools-mcp@latest", "--browserUrl=http://127.0.0.1:9222"]
+    startup_timeout_sec = 30
+    tool_timeout_sec = 120
+  '';
+
+  # No firewall opening: binding to 127.0.0.1 only
+  # networking.firewall.allowedTCPPorts = [ 9222 ];
+}
+

hosts/nb/secrets.yaml

@@ -16,29 +16,38 @@ sops:
         - recipient: age14grjcxaq4h55yfnjxvnqhtswxhj9sfdcvyas4lwvpa8py27pjy2sv3g6v7
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGUG5oZ1BPL1hiRm5zQ3FO
-            Zks2RWg1ODZGYm4rY05wT2dWTHFCN1FhcEY4ClB5N29SclVxWUpGaHF1V0o1cHVK
-            TWtoTGFsRHVERWgxczlqdysrRmVDM3cKLS0tIFNISWhUbmV5dERHSXV3ZW5Gd0l3
-            bHZHdy9jUHhLSTFUWHBxUTcrT3FoaHcKpKjzC3KDD6TXpbPm/ObztJQzkNnnTnvH
-            uWzRhQg7lHAKiiz4szzT64WCuisxFAOJP1KrSK9qP5DLBm8aKIDcPA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpMnBLcDdsczB5TnczVFdQ
+            V2NEZFR1bkNvK09HZWV1MDg3RmRHbXNYeGpBCmpmemFjYzZQMXAzTmh1NWhOMkFK
+            UGNBRDZZa3dhUFVpa29JdWVrdU0vd00KLS0tIGpQeDdFNTFIRjg0SEhrQURVdW1Q
+            VmdHNkI3eDd2aHo1VTJhZHN4bGxNNzAKcIrRBasCcoNCdYM3lcjzMIME8jn48x39
+            0DJGKX6/hoVaUlpRcCfnEx5Ihu4dSBxd2PMz7DgDZizftFWOJ2TZaQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4VU1JZ3FkQ2lPVE9KeGMw
-            c1lRWGlPU1BKbXlJc0lnVURNNjN4bDRNWFZ3CnQyRUE0MXllajgySHRkSTNRZ2U4
-            K2w3bWEzNmxrZHRybXdFdnZCTmYySW8KLS0tIFduVUdYdDdVOS83QUxveG5lMDRi
-            M3E3bDhrM1FvMERESmI2RTdBTVNUMlkKoKhTGUYULeQvqMjwMCanDxD4yflGURgE
-            ROZe6d8R5Sya+RsS4uzNMs5KkjGeC/xjbNO22uSRennIwCqBaHNmgg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTV2hRelFkTVdSOEQxaExp
+            VGNnb202UVdpK2wwWTl2YUp2VU5WRTViaGpnCllxKzNCWExZZnllQ0lvM1ZPbjlz
+            TndkRHBvRHBaVVY5M0xZTmFXRTFlZzAKLS0tIHQ3QWcrYklaZ2ExUnRObTg0YnNG
+            Nk5JOFQ3M1pBdmg5dUpkSFZoQXY3QVUKNL3HpYBWsGdHPG/eUlU5+G4Dcnk6efX1
+            e7B2ye+mzMjt0Kpz5QxltOZIiTyvNLKNUijNgmoK5RGJibJCwbl1ng==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBMW1zeU5ubDloazBKNFR5
-            M0xnbXQySWptOHFEQmQ0VHdvTWVieitYK1drCmI0VW5PVUFaTFo3STF2MUxSOXhC
-            T1YxY2lFMitKM29rS1FKQWRweStxUlUKLS0tIEFnQTlHcFJEcTAxem5QK2xrTm8r
-            L21ncjlQdGVDUjI2eXFIb3U2dW13bWsKuEwATNEUWtjuLsH7DQAt6J2l4blTId1W
-            A1kQ+0dfUKrZ0dsbvUA5L9+haUiK8f5RvapaKW+L2JEn7gW5wJSJEw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiZ3RBeUM5NE91K0RnQnhU
+            cE53akR2bnU4MmljY3BWcjlNOXZueWpJNEV3CkFOdWdGaXVrM0hvNTdubFkxdERZ
+            TjQvMDc1cEM2TnVabVJNTnhkK2hyMmMKLS0tIGhLQ1liSUhnVmw4N0lWR2Y0clV6
+            OXhTc2YwWXhZRzlPbDdkZE1QUUVNMFUKHSE1LckK00qdCBl4iK6lzOzlIJ0WnSrk
+            c9kuwHrZoQIv6JuscjkJ1n9/SeDZoFRnaEHC31txMot/tkpG5iyrbw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1exny8unxynaw03yu8ppahu5z28uermghr8ag34e7kdqnaduq9stsyettzz
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrSEFSaHIyVnZsOG82UDJX
+            VDhjOGxTakVQZWttTFVxTEUyUnpaRjZmelFjCk52RGYwRUhkMVpSWXV1UFFhelhl
+            Nk9QazR0V2JaanpHMGVOSWF1aTRRZ00KLS0tIFk4QS9uVGJVYlh2aXRlQi9WWkpn
+            WmpuN3RGK2pCdzB6TVkrcy9YV0lPRW8KWbTtmqbkHibf6SfueCE+s03Efkr5Oat9
+            sBi4uDTmaaqBEcoO1mQ4MQD/On9tZzThjfD8v+m0wUU5xGvE5naA6g==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2025-06-05T16:28:03Z"
     mac: ENC[AES256_GCM,data:NNYwveO78Q4cWOPPt3Pyqh6AtbfRj/ax6D4t2KlVXWSLzKTUZKKaULXGY5PBp/jI2pyhPp5yEMhEyjRPWC8Xhvxjv+NLb6KltgaMfzIBS/jfSNk3dcYx6i8Y2oSG1efLJrRMc2Q/uACeztyivtjV9A7JCrEtb84Wb9HzkI4nZVs=,iv:Q8cTw+/RMJ3WHrkB9lyaAyI2K3O1ZhDnAMUYMJ4JMRk=,tag:JvrLiaKKYXiOmud4oZZZ1w==,type:str]

hosts/nb/users/codex-cli.nix

@@ -5,7 +5,7 @@ let
   npmPrefix = "${home}/.npm-global";
   node = pkgs.nodejs; # or pkgs.nodejs_20
 in {
-  home-manager.users.dominik = { lib, pkgs, ... }: {
+  home-manager.users.dominik = { config, lib, pkgs, ... }: {
     home.packages = with pkgs; [
       node
       gnutar     # provides `tar`
@@ -13,6 +13,12 @@ in {
       unzip  
       python314  # useful for codex model use
       jq         # useful for JSON processing
+      (pkgs.writeShellScriptBin "codex" ''
+        #!/usr/bin/env bash
+        export TMPDIR="''${TMPDIR:-$HOME/.cache/codex-tmp}"
+        export XDG_RUNTIME_DIR="''${XDG_RUNTIME_DIR:-$HOME/.cache/xdg-runtime}"
+        exec ${npmPrefix}/bin/codex "$@"
+      '')
     ];
 
     # Ensure ~/.npmrc with a user prefix (no sudo needed)
@@ -34,12 +40,17 @@ in {
       NPM_CONFIG_PREFIX = npmPrefix;
     };
 
+    home.activation.ensureCodexDirs = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
+      install -d -m 700 "${config.home.homeDirectory}/.cache/codex-tmp"
+      install -d -m 700 "${config.home.homeDirectory}/.cache/xdg-runtime"
+    '';
+
     # Auto-install @openai/codex if it's not already there
     # (idempotent on each `home-manager switch`)
     home.activation.installCodexCli = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
       export PATH=${node}/bin:${pkgs.gnutar}/bin:${pkgs.gzip}/bin:${pkgs.unzip}/bin:${pkgs.curl}/bin:$PATH
       mkdir -p ${npmPrefix}
-      if ! command -v codex >/dev/null 2>&1; then
+      if [ ! -x "${npmPrefix}/bin/codex" ]; then
         echo "Installing @openai/codex globally..."
         # --global uses prefix from ~/.npmrc; PATH has node for postinstall
         ${node}/bin/npm install -g @openai/codex

hosts/nb/users/dominik.nix

@@ -646,10 +646,10 @@ in
 
       ssh-keygen -R gitlab.epicenter.works
       ssh-keyscan gitlab.epicenter.works >> ~/.ssh/known_hosts
+      git clone git@github.com:AKVorrat/nixos.git ${persistHome}/projects/epicenter.works/epicenter-nixos 2>/dev/null
       git clone git@github.com:AKVorrat/ewcampaign.git ${persistHome}/projects/epicenter.works/ewcampaign 2>/dev/null
       git clone git@gitlab.epicenter.works:epicenter.works/website.git ${persistHome}/projects/epicenter.works/epicenter.works 2>/dev/null
       git clone git@github.com:AKVorrat/epicenter.works-website.git ${persistHome}/projects/epicenter.works/epicenter.works-website 2>/dev/null
-      git clone git@gitlab.epicenter.works:epicenter.works/nixos.git ${persistHome}/projects/epicenter.works/epicenter-nixos 2>/dev/null
       git clone git@github.com:AKVorrat/spenden.akvorrat.at.git ${persistHome}/projects/epicenter.works/spenden.akvorrat.at 2>/dev/null
       git clone git@github.com:AKVorrat/dearmep-website.git ${persistHome}/projects/epicenter.works/dearmep-website 2>/dev/null
       git clone gitea@git.cloonar.com:Cloonar/eidas.monitor.git ${persistHome}/projects/epicenter.works/eidas.monitor 2>/dev/null
@@ -658,7 +658,10 @@ in
 
     home.file.".wallpaper.jpg".source = ./configs/wallpaper.jpg;
     home.file.".wallpaper.png".source = ./configs/wallpaper.png;
-    home.file.".local/share/nvim/project_nvim/project_history".source = ./configs/project_history;
+    home.file.".local/share/nvim/project_nvim/project_history" = {
+      source = ./configs/project_history;
+      force = true;
+    };
     home.file.".config/Cryptomator/settings.json" = {
       source = ./configs/cryptomator.json;
       force  = true;