From dab6541947bd8a4157999c9ea726f640108f79ac Mon Sep 17 00:00:00 2001
From: Hunter Haugen
Date: Fri, 6 Mar 2026 13:19:03 -0800
Subject: [PATCH] Add user account for agents
---
 hosts/liminal/configuration.nix | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)
diff --git a/hosts/liminal/configuration.nix b/hosts/liminal/configuration.nix
index fa27985..7fe3d4a 100644
--- a/hosts/liminal/configuration.nix
+++ b/hosts/liminal/configuration.nix
@@ -255,11 +255,32 @@
 sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 sops.secrets.hashedPassword.neededForUsers = true;
- # Define a user account. Don't forget to set a password with 'passwd'.
+ # Define user accounts
+ users.groups.ai = {};
+ users.users.agents = {
+ isSystemUser = true;
+ description = "Account for AI agent sandboxing";
+ group = "ai";
+ home = "/home/agents";
+ createHome = true;
+ homeMode = "0770";
+ extraGroups = [ "docker" "audio" "video" "dialout" ];
+ shell = pkgs.zsh;
+ packages = with pkgs; [
+ nodejs
+ docker-credential-helpers
+ pass
+ pkgs.unstable.claude-code
+ codex
+ just
+ socat
+ pkgs.beads
+ ];
+ };
 users.users.hunner = {
 isNormalUser = true;
 description = "Hunter Haugen";
- extraGroups = [ "docker" "networkmanager" "wheel" "audio" "video" "dialout" ];
+ extraGroups = [ "docker" "networkmanager" "wheel" "audio" "video" "dialout" "ai" ];
 hashedPasswordFile = config.sops.secrets.hashedPassword.path;
 shell = pkgs.zsh;
 packages = with pkgs; [
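Review bot: The new `users.users.agents` block is described as a sandboxing account, but `extraGroups = [ "docker" "audio" "video" "dialout" ];` puts it in the `docker` group, and control of the root-run Docker daemon is effectively root on the host, so the account boundary does not contain the agents. I would start from `extraGroups = [ ];` and add back only the device groups an agent demonstrably needs, with a comment such as `# no "docker": daemon access is root-equivalent and defeats the sandbox`. If the agents must run containers, a rootless setup (for example NixOS's `virtualisation.docker.rootless.enable`) keeps that capability inside the unprivileged account. Separately, `homeMode = "0770"` plus adding `hunner` (a `wheel` member) to `ai` means files written by an agent land in a directory the admin user works in; a one-line comment stating that shared access is intentional would help the next reader. The `users.users.hunner` block continues outside the hunk.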