From 4188a6c0d887691ccae0742ea1ad83663ba22a86 Mon Sep 17 00:00:00 2001
From: Kat Huang <kkathuang@gmail.com>
Date: Sat, 30 May 2026 07:10:36 -0700
Subject: [PATCH] Make jay-lenovo switch activation robust

---
 .../home-manager/codex-generated-skills.nix   | 54 ++++++++++++-------
 nixos/dotfiles-links.nix                      |  2 +
 nixos/machines/jay-lenovo.nix                 |  1 +
 nixos/tailscale.nix                           |  7 ++-
 4 files changed, 44 insertions(+), 20 deletions(-)

diff --git a/nix-shared/home-manager/codex-generated-skills.nix b/nix-shared/home-manager/codex-generated-skills.nix
index ccdfe756..f7e98b1f 100644
--- a/nix-shared/home-manager/codex-generated-skills.nix
+++ b/nix-shared/home-manager/codex-generated-skills.nix
@@ -22,6 +22,12 @@ in {
       description = "Codex dotfiles directory in the live worktree.";
     };
 
+    sourceCodexDir = lib.mkOption {
+      type = lib.types.str;
+      default = "${cfg.worktreeCodexDir}";
+      description = "Readable fallback Codex dotfiles directory from the flake source.";
+    };
+
     localConfig = lib.mkOption {
       type = lib.types.str;
       default = "${cfg.codexHome}/config.local.toml";
@@ -103,6 +109,7 @@ in {
     home.activation.generateCodexConfig = lib.hm.dag.entryAfter ["writeBoundary"] ''
       codex_home=${lib.escapeShellArg cfg.codexHome}
       base=${lib.escapeShellArg "${cfg.worktreeCodexDir}/config.toml"}
+      source_base=${lib.escapeShellArg "${cfg.sourceCodexDir}/config.toml"}
       local_config=${lib.escapeShellArg cfg.localConfig}
       local_state_config=${lib.escapeShellArg cfg.generatedStateConfig}
       target="$codex_home/config.toml"
@@ -115,8 +122,12 @@ in {
       )}
 
       if [ ! -r "$base" ]; then
-        echo "Missing shared Codex config at $base" >&2
-        exit 1
+        if [ -r "$source_base" ]; then
+          base="$source_base"
+        else
+          echo "Missing shared Codex config at $base and $source_base" >&2
+          exit 1
+        fi
       fi
 
       mkdir -p "$codex_home"
@@ -221,30 +232,37 @@ in {
     home.activation.linkCodexDotfileSkills = lib.hm.dag.entryAfter ["writeBoundary"] ''
       skills_dir=${lib.escapeShellArg cfg.skillsDir}
       worktree_skills=${lib.escapeShellArg "${cfg.worktreeCodexDir}/skills"}
+      source_skills=${lib.escapeShellArg "${cfg.sourceCodexDir}/skills"}
 
       if [ ! -d "$worktree_skills" ]; then
-        echo "Skipping Codex dotfile skills setup because $worktree_skills is not a directory" >&2
-        exit 1
+        if [ -d "$source_skills" ]; then
+          worktree_skills="$source_skills"
+        else
+          echo "Skipping Codex dotfile skills setup because neither $worktree_skills nor $source_skills is a directory" >&2
+          worktree_skills=
+        fi
       fi
 
       mkdir -p "$skills_dir"
 
-      for skill in "$worktree_skills"/*; do
-        [ -d "$skill" ] || continue
-        [ -r "$skill/SKILL.md" ] || continue
+      if [ -n "$worktree_skills" ]; then
+        for skill in "$worktree_skills"/*; do
+          [ -d "$skill" ] || continue
+          [ -r "$skill/SKILL.md" ] || continue
 
-        name="$(basename "$skill")"
-        case "$name" in
-          .system|codex-primary-runtime) continue ;;
-        esac
+          name="$(basename "$skill")"
+          case "$name" in
+            .system|codex-primary-runtime) continue ;;
+          esac
 
-        target="$skills_dir/$name"
-        if [ -L "$target" ] || [ ! -e "$target" ]; then
-          ln -sfn "$skill" "$target"
-        elif [ ! -d "$target" ]; then
-          echo "Skipping Codex skill $name because $target exists and is not a directory" >&2
-        fi
-      done
+          target="$skills_dir/$name"
+          if [ -L "$target" ] || [ ! -e "$target" ]; then
+            ln -sfn "$skill" "$target"
+          elif [ ! -d "$target" ]; then
+            echo "Skipping Codex skill $name because $target exists and is not a directory" >&2
+          fi
+        done
+      fi
     '';
 
     home.activation.setupCodexGeneratedSkills = lib.hm.dag.entryAfter ["linkCodexDotfileSkills"] ''
diff --git a/nixos/dotfiles-links.nix b/nixos/dotfiles-links.nix
index 784ff2a7..3f771646 100644
--- a/nixos/dotfiles-links.nix
+++ b/nixos/dotfiles-links.nix
@@ -18,6 +18,7 @@
   # Use the flake source for enumeration (pure), but point links at the worktree.
   srcDotfiles = ../dotfiles;
   srcConfig = srcDotfiles + "/config";
+  srcCodex = srcDotfiles + "/codex";
 
   excludedTop = [
     # Managed by nix-shared/home-manager/codex-generated-skills.nix so
@@ -86,6 +87,7 @@ in {
     builtins.listToAttrs (map mkConfigDir configDirNames);
 
   myModules.codexGeneratedSkills.enable = true;
+  myModules.codexGeneratedSkills.sourceCodexDir = "${srcCodex}";
 
   # Home Manager directory links for .emacs.d resolve through the store on this
   # machine, which breaks Elpaca's writable state under ~/.emacs.d/elpaca.
diff --git a/nixos/machines/jay-lenovo.nix b/nixos/machines/jay-lenovo.nix
index 0f7279f9..90ec79fc 100644
--- a/nixos/machines/jay-lenovo.nix
+++ b/nixos/machines/jay-lenovo.nix
@@ -34,6 +34,7 @@
   boot.extraModulePackages = [];
 
   boot.loader.systemd-boot.enable = true;
+  boot.loader.systemd-boot.configurationLimit = 1;
   boot.loader.efi.canTouchEfiVariables = true;
 
   myModules.postgres.enable = true;
diff --git a/nixos/tailscale.nix b/nixos/tailscale.nix
index 4e84516b..3141c12f 100644
--- a/nixos/tailscale.nix
+++ b/nixos/tailscale.nix
@@ -63,11 +63,14 @@ makeEnable config "myModules.tailscale" true {
       fi
 
       # First-time (or post-logout) login.
-      ${pkgs.tailscale}/bin/tailscale up \
+      if ! ${pkgs.tailscale}/bin/tailscale up \
         --auth-key "file:$key_file" \
         --accept-dns=true \
         --operator=imalison \
-        --timeout=60s
+        --timeout=60s; then
+        echo "tailscale-autoconnect: tailscale up failed; leaving manual login required" >&2
+        exit 0
+      fi
     '';
   };
 }