Add MCP integrations, move to unstable inputs

Justfile

@@ -48,15 +48,19 @@ move-rc-files:
     sudo mv /etc/zshrc /etc/zshrc.before-nix-darwin
     sudo mv /etc/zprofile /etc/zprofile.before-nix-darwin
 
+[doc("Edit a secret file")]
 edit-secret file:
     EDITOR="zeditor --wait" sops {{ file }}
 
+[doc("Update all secret files with new keys")]
 update-secret-files:
     find . -regextype egrep -regex '^.*secrets\.(json|yml)' -execdir sops updatekeys {} -y ';'
 
+[doc("Generate an age key for the current user")]
 generate-user-age-key:
     mkdir -p ~/.config/sops/age
     nix shell nixpkgs#age --command sh -c "age-keygen -o ~/.config/sops/age/keys.txt"
 
+[doc("Get the age key for the current host")]
 host-age-key:
     nix shell nixpkgs#ssh-to-age --command sh -c "sudo cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age"

flake.nix

@@ -20,16 +20,16 @@
   };
 
   inputs = {
-    nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-25.11-darwin";
+    nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-unstable";
 
     nixpkgs-master.url = "github:nixos/nixpkgs";
 
     flake-parts.url = "github:hercules-ci/flake-parts";
 
-    nix-darwin.url = "github:nix-darwin/nix-darwin/nix-darwin-25.11";
+    nix-darwin.url = "github:nix-darwin/nix-darwin";
     nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
 
-    home-manager.url = "github:nix-community/home-manager/release-25.11";
+    home-manager.url = "github:nix-community/home-manager";
     home-manager.inputs.nixpkgs.follows = "nixpkgs";
 
     flake-root.url = "github:srid/flake-root";
@@ -48,6 +48,9 @@
     emacs-overlay.url = "github:nix-community/emacs-overlay";
     emacs-overlay.inputs.nixpkgs.follows = "nixpkgs";
 
+    mcp-servers.url = "github:natsukium/mcp-servers-nix";
+    mcp-servers.inputs.nixpkgs.follows = "nixpkgs";
+
     pragmatapro.url = "git+ssh://git@github.com/ethnt/pragmatapro";
     pragmatapro.inputs.nixpkgs.follows = "nixpkgs";
     pragmatapro.inputs.flake-parts.follows = "flake-parts";

lib/src/hm.nix

@@ -5,8 +5,10 @@ let
 
   l = inputs.nixpkgs.lib // builtins;
 
-  sharedModules = l.attrValues flake.homeModules
-    ++ [ inputs.sops-nix.homeManagerModules.sops ];
+  sharedModules = l.attrValues flake.homeModules ++ (with inputs; [
+    sops-nix.homeManagerModules.sops
+    mcp-servers.homeManagerModules.default
+  ]);
 
   extraSpecialArgs = {
     inherit flake inputs secrets;

modules/profiles/home/claude-code.nix

@@ -0,0 +1,6 @@
+{
+  programs.claude-code = {
+    enable = true;
+    enableMcpIntegration = true;
+  };
+}

modules/profiles/home/man.nix

@@ -0,0 +1 @@
+{ pkgs, ... }: { programs.man.package = pkgs.man; }

modules/profiles/home/mcp/default.nix

@@ -0,0 +1 @@
+{ programs.mcp.enable = true; }

modules/profiles/home/mcp/github/default.nix

@@ -0,0 +1,20 @@
+{ config, ... }: {
+  sops = {
+    secrets.github_mcp_pat = {
+      sopsFile = ./secrets.json;
+      path = "${config.xdg.dataHome}/secrets/mcp/github-mcp-pat.txt";
+    };
+
+    templates.github_mcp_env_file = {
+      content = ''
+        GITHUB_PERSONAL_ACCESS_TOKEN=${config.sops.placeholder.github_mcp_pat}
+      '';
+      mode = "0777";
+    };
+  };
+
+  mcp-servers.programs.github = {
+    enable = true;
+    envFile = config.sops.templates.github_mcp_env_file.path;
+  };
+}

modules/profiles/home/mcp/github/secrets.json

@@ -0,0 +1,27 @@
+{
+	"github_mcp_pat": "ENC[AES256_GCM,data:L8TNbqtvvbl8Un/VXTeqqPYA9pJcS6TgyMZNI5mZyMuB+HQrfoR5Ew==,iv:FkL5gq/va/CEPYvvk0CMSMOmoIv3H3/u+RY9HdQe7Xc=,tag:VI8mlpcrSSHjJUpLZNgIsg==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age10539mc6shf02hpa8huyjktdw3nfyavxdg8pt247wwvq4xrv8h5zs8nc0k0",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkb0h6cjlFYWNzc25ZdXl4\nTnppQXo1SVhDQVUyNkhIdFA0K2JKY1BYbkJrCjhHZmIyclV3TWpDMjEyUS9Rb2lW\ncXpQOFhoVXBUNEtoQmx4WEo1OGpnQTgKLS0tIGxaN0xvQ3ZYdnEwWmoxZGR1R1My\nZlFmNVFYN0JDbWFFSk4vcDFoL1o1SGcKLZbwXjvCGfA9/e0/bdDTTf9NIg4XWBYQ\nm+kCwS2KSxlgFZux81UO5Jgo9irkwJ5giyvy3EksXHaGItGEsgWN2Q==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1s2dhv789xf9jjfr9pdjsww7rf4dutl3qmavgpurlwj6l5khdkfasd4v7xn",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxYlV5Z3ZkRExxL1A2aFlC\nV2hNVHFZU05RVWJtOG82YXVjWE9rb044S0ZrCnIvV3F3MHltMHNaUFprKzRubURM\nL1FmMVdKdFZLbEcxT0xVMlZObjlHWmsKLS0tIFVrSTIzdlByaExqNzBtK2xwWGZN\nbWxneERMS05icE5Wb2gwSXROdjdTOEkKsXQ2uGllbWEALG943bIHsF05Ic93rfdX\n3nwiqsTpXorkfuv/38RRi61OvGPJFwx+SGHEnX22nfIka4ltFC2Yrg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1hqq6znfaedyrmqkqqnaafa243cus77nts3e5vunxdl5xkfm6ffgqmf70r8",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrWm9JQU0yK1h0eHRkY2tN\nczFhSHJiNG9ReXhjMkpLYXlrRTZsU1dNZ0RNCklpaHpNSHhPSXVpdFdyWStTaVFs\naGk2N1l2VUYzSnNlWDR5eXNmMGVNdEEKLS0tIDhVLzhXbm1LbGRpVTZlVTFqL0hz\nMVBmS05venVkRnV5NndnMUJWbVhwM3cKizmrV8U0BJj4Mu2g0nHLA9j+SvDbBC10\n9auqt6WjqbsyiCbpdKTmu6krzHK3Ivg8YKekLIAnPKaexa8CBe2CBA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1zkx88lththygcwj07xtz54tcvy6ltavnedrpskfpzcdh9tt2ngyq9gvqv5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwWDltbGlKVlRhRkxCMW5V\ncm14bmpXam5zR2VkbGhUSHpFemc5VTVueVY0CklYNllSMHprSVlTMlJ1ZGJJc0pK\nbDZzNU5MOWtGclM1TFFseHNKclM1UGMKLS0tIHVtV2dGRmgxMXdjYkZJZDRjNXZZ\nZ01uaHo4Q0ZVNzlJSEo5L1ZGUXlwRUUKsMz0K7x57fbPka6BAlINK8P0AK+UdiQh\nTtnS0wYIIz/SAGDqcBKtZNH902v2zpJXkrWu5e2+f4z6Thu84Gk6mg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2026-04-11T18:18:16Z",
+		"mac": "ENC[AES256_GCM,data:mr9tFkYfP5l9a0hpRtLJK4GosCyZJ+aIXpol6IyzfQh4hPQORuxFVLMW5FgkNNFf6Cw9+Vvjn/iIAdQcDt/rvLJ4493RX/nfN/uU7yq1RL+d3amIfHUTabzh64erdt2INgVkhocLQb8crXH/JWE2unQHEGW1hS8BrVnFrQKZdqY=,iv:FwlnaMdzkKnSYtO2WGtRZ5x8qK/d38p7sxM5Gvf7Iqs=,tag:mc+wo0LIATIHvlLm6Z0yQg==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.12.1"
+	}
+}

modules/profiles/home/mcp/nixos.nix

@@ -0,0 +1 @@
+{ mcp-servers.programs.nixos.enable = true; }

modules/profiles/home/mise.nix

@@ -3,7 +3,7 @@
     enable = true;
     enableFishIntegration = true;
     package = pkgs.mise;
-    settings = {
+    globalConfig.settings = {
       asdf_compat = true;
       legacy_version_file = true;
       idiomatic_version_file_enable_tools = [ "node" ];

modules/profiles/home/nodejs.nix

@@ -1 +1 @@
-{ pkgs, ... }: { home.packages = with pkgs; [ corepack nodejs_24 ]; }
+{ pkgs, ... }: { home.packages = with pkgs; [ nodejs_25 ]; }

modules/profiles/system/core/nix-config/secrets.json

@@ -4,11 +4,19 @@
 		"age": [
 			{
 				"recipient": "age10539mc6shf02hpa8huyjktdw3nfyavxdg8pt247wwvq4xrv8h5zs8nc0k0",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBV1BzVHpRYWMzN2lrTmR1\nTG1CdDc5a2lMbXZxNnc5RnlhMEg0aklyUFNzCkovbElTOGhIZjNuMHFsU3ZNQWhN\nc0VNeFhST3EybGR6eDZqbnhNNUFsTmsKLS0tIGZlK0JDRG5QWWFXdnByQjdZTkti\neVNrQWFCUll2d2VFbFVEdkF1YnhEa2MK0EhU2rJSFMHJ9SUCBWxdgXXOh1gyGKDr\nY0A7DVjbhqZqPUz0DMmnrTn7um7uvxJqy+QEwd/nDUtbHgh1Ws/urQ==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGcFJCMkxmVE50MGMxUU9B\nU0hWZU80aGNGV2JWcW15RTYxRTVUL2QwUW1RCnBwbUpCYTdzYW13WW1pMnY2aUhy\nTmsySHFIWlFudk1ZamVWb0huMVNRZUUKLS0tIEFHYTBFSGhJNTY3eFpYRVI3bEFk\nYkx6QjFLbVFoTWVyNzVaQ05FVW1yQTgK1lbBhhCvCGX96oNt9UAx0p3d+aJubew2\nZuX7UXjXOd6uRpO08zaBwPVC7rCivmPsm+54hhZmFvWm1m4WhD5boA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1s2dhv789xf9jjfr9pdjsww7rf4dutl3qmavgpurlwj6l5khdkfasd4v7xn",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLQnNFaEduaWVrWGNrUW5K\nZEdka2JxSmRMSjhuM3RGYU9FOWJiRTQyd0FJCkhFZG9NT0p2MS9hSmhHbGFweGlZ\nM2ZieE11YWpmcHhhQXg5V09WbmYzUWsKLS0tIHNUdHRYYWloV2oxcURkekNhdDRG\nRkJxOHh5MlorTnNxbXhsUkJtcUlPRkUKS7ustSTK/mh/In1bclZGHJ+4yrtI/wTl\n8xHN2hI9tiuXk3PJT73PTc0V/6BBYXsHC3HYSPVcgRbEPLf0KU8uqQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1hqq6znfaedyrmqkqqnaafa243cus77nts3e5vunxdl5xkfm6ffgqmf70r8",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnUkN1VFJoOGJBVUszMmJL\najVnZkZ5bTRHZkJVcXlSS0toNDl2N0dIU2tJCnN5Q0MxdmVxc2s3cTY3bjgxUDBV\nY3YxNFE2YnhNSG1ZR0xDa09MbitLM2sKLS0tIHp4QmhMaEJkWFV1Y1NxSUp5WnVv\nY2tlSjBING01Yi9PeXcvQjZLSWpCUzgKwb98LBNBawqlAEGIuZzBWSh7S/4fLJV5\nVsewLWRGyePe/IbekpnYpENvVVP7oap9QSsdIdlYGyg4zycnQN1w1w==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsb1FtYXdUbTczVVBUbGJK\nSThSZlBJbG5ybitQd1VFNVNXTTFralpadUVJCmh6TE94dWJVdUVIZDJVcWlCdGM4\nUDIvbS9OV29CMHlORkxGWnFCQ0V2cFEKLS0tIGhoNGoza1BVWmtKRU1VRzB5UlQ1\nWk9wYzB1VDNnRW5EbUJNYXVuZFc4TmMKbo2wmIqT0owmmEhFHnoj40fMiOitoRo6\nI89QzzC9nEsKvqjRHysgRJx5r6DnEryz1lidEw8MZso29xJj44kBDQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1zkx88lththygcwj07xtz54tcvy6ltavnedrpskfpzcdh9tt2ngyq9gvqv5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsL0hMVWgyYU15SUFsQ25w\nQXRTYUNZeE02SHBGMFFteHlEQTN0cmg2NjBVCjJTWER2SVRURndhU2NIWmNZOGN3\neEh2dm14d0pmTlVVV3FMZW1aNWxGclkKLS0tIDd3ci9SY3h4TnpHQy9yU24wT3c1\nTHNpRTVwZUJOa1NkS28vS3dsREc3eDgK5y+i56ywqzk4vXg3Vwrn8m2BRu9jiTpB\nMMCjOv4fMPg+N3xJR/7cS+QnM5zDH8lk9mDtj8yEVcFpTTjRyucotQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2026-04-11T03:31:33Z",

modules/suites/home.nix

@@ -16,6 +16,7 @@ with profiles;
     helix
     lazygit
     jujutsu
+    man
     navi
     paths
     rippkgs
@@ -29,12 +30,16 @@ with profiles;
   ];
 
   development = [
+    claude-code
     git.common
     git.difftastic
     git.mergiraf
     git.worktrunk
     gh
     gh-dash
+    mcp.default
+    mcp.github.default
+    mcp.nixos
     mise
     vscode
   ];

users/et/home.nix

@@ -13,6 +13,6 @@
     username = "et";
     homeDirectory = "/Users/et";
 
-    stateVersion = "24.05";
+    stateVersion = "26.05";
   };
 }

users/et/profiles/mcp.nix

@@ -0,0 +1 @@
+{ mcp-servers.programs.notion.enable = true; }

users/ethan/home.nix

@@ -12,6 +12,6 @@
   home = {
     username = "ethan";
     homeDirectory = "/Users/ethan";
-    stateVersion = "24.05";
+    stateVersion = "26.05";
   };
 }