Commit 5987a736324e
Changed files (3)
home/common/shell/openssh.nix
@@ -168,7 +168,30 @@ in
identitiesOnly = true;
identityFile = lib.mkIf hasFido2Keys "~/.ssh/id_homelab_sk";
};
+ # MicroVMs on aomi (192.168.83.x subnet, reachable via jump host)
+ "${globals.microvms.subnet}.*" = {
+ user = "vincent";
+ proxyJump = globals.microvms.host;
+ identitiesOnly = true;
+ identityFile = lib.mkIf hasFido2Keys "~/.ssh/id_homelab_sk";
+ extraOptions = {
+ StrictHostKeyChecking = "no";
+ UserKnownHostsFile = "/dev/null";
+ };
+ };
}
+ # Generated microvm SSH aliases
+ // (lib.mapAttrs (_name: vm: {
+ hostname = vm.ip;
+ user = "vincent";
+ proxyJump = globals.microvms.host;
+ identitiesOnly = true;
+ identityFile = lib.mkIf hasFido2Keys "~/.ssh/id_homelab_sk";
+ extraOptions = {
+ StrictHostKeyChecking = "no";
+ UserKnownHostsFile = "/dev/null";
+ };
+ }) globals.microvms.vms)
) (lib.recursiveUpdate criticalInfraOverrides aomiOverrides);
extraConfig = ''
# IdentityAgent /run/user/1000/yubikey-agent/yubikey-agent.sock
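Review bot: Both new match blocks switch host key verification off (`StrictHostKeyChecking = "no"` together with `UserKnownHostsFile = "/dev/null"`), so anything answering on the 192.168.83.x bridge — including a VM whose agent was compromised while running with permission checks disabled — can impersonate another VM with no warning, and the ProxyJump through aomi.sbr.pm does nothing to authenticate the endpoint. The microvms.nix hunk in this commit notes that VM SSH keys persist under `stateDir`, so the host keys are presumably stable and can be pinned on first contact instead: `StrictHostKeyChecking = "accept-new";` and `UserKnownHostsFile = "~/.ssh/known_hosts.microvms";` in both `extraOptions` blocks, with the stale entry removed from that file whenever a VM's state is wiped. The user/proxyJump/identity/extraOptions settings are also duplicated verbatim between the wildcard block and the generated aliases; a single `let`-bound attrset merged with `//` into each would keep them from drifting apart. The enclosing match-block expression starts before and continues after this hunk.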
systems/aomi/microvms.nix
@@ -3,86 +3,92 @@
# Ephemeral VMs for running Claude Code agents in isolation.
# VMs share host's /nix/store and mount specific workspaces.
#
+# VM definitions come from globals.microvms, with host-specific overrides here.
+#
# Usage:
# sudo systemctl start microvm@claude-home
-# ssh vincent@192.168.83.2
-# cd /workspace && claude --dangerously-skip-permissions
+# ssh claude-home # (uses ProxyJump via aomi.sbr.pm)
+# cd /workspace && cc # alias for claude --dangerously-skip-permissions
#
-{ pkgs, ... }:
+{
+ pkgs,
+ lib,
+ globals,
+ ...
+}:
+let
+ # Base VM config from globals, with aomi-specific overrides
+ vmOverrides = {
+ claude-home = {
+ vcpu = 8;
+ mem = 4096;
+ extraPackages = with pkgs; [
+ # Nix development
+ deadnix
+ statix
+ nixfmt
+ nix-prefetch-scripts
+ # Go (for tools in this repo)
+ go
+ ];
+ };
+ claude-tekton = {
+ vcpu = 8;
+ mem = 8192; # Tekton tests need more memory
+ extraPackages = with pkgs; [
+ # Go development
+ go
+ gopls
+ golangci-lint
+ ko
+ # Kubernetes
+ kubectl
+ kind
+ kubernetes-helm
+ ];
+ };
+ claude-nixpkgs = {
+ vcpu = 8;
+ mem = 8192; # nixpkgs builds need memory
+ extraPackages = with pkgs; [
+ # Nix tools
+ nixpkgs-review
+ nix-update
+ nurl
+ nix-init
+ nixfmt
+ deadnix
+ statix
+ ];
+ };
+ };
+
+ # Merge globals.microvms.vms with local overrides
+ # Filter out 'description' as it's only for documentation, not a VM option
+ mergedVms = lib.mapAttrs (
+ name: globalVm:
+ (lib.filterAttrs (k: _: k != "description") globalVm)
+ // (vmOverrides.${name} or { })
+ // {
+ autostart = false;
+ }
+ ) globals.microvms.vms;
+in
{
imports = [ ../../modules/microvm ];
services.microvm-host = {
enable = true;
- # Network configuration
+ # Network configuration from globals
bridge = "microbr";
- subnet = "192.168.83";
+ subnet = globals.microvms.subnet;
externalInterface = "enp0s31f6"; # ThinkPad P1 Gen3 ethernet
# State directory for persistent VM data (SSH keys, etc.)
stateDir = "/home/vincent/microvm";
- # VM definitions
- vms = {
- # VM for home repository work (NixOS configs, homelab)
- claude-home = {
- ip = "192.168.83.2";
- workspace = "/home/vincent/src/home";
- vcpu = 8;
- mem = 4096;
- autostart = false;
- extraPackages = with pkgs; [
- # Nix development
- deadnix
- statix
- nixfmt
- nix-prefetch-scripts
-
- # Go (for tools in this repo)
- go
- ];
- };
-
- # VM for Tekton pipeline development
- claude-tekton = {
- ip = "192.168.83.3";
- workspace = "/home/vincent/src/tekton-pipelines";
- vcpu = 8;
- mem = 8192; # Tekton tests need more memory
- autostart = false;
- extraPackages = with pkgs; [
- # Go development
- go
- gopls
- golangci-lint
- ko
-
- # Kubernetes
- kubectl
- kind
- kubernetes-helm
- ];
- };
-
- # VM for nixpkgs contributions
- claude-nixpkgs = {
- ip = "192.168.83.4";
- workspace = "/home/vincent/src/nixpkgs";
- vcpu = 8;
- mem = 8192; # nixpkgs builds need memory
- autostart = false;
- extraPackages = with pkgs; [
- # Nix tools
- nixpkgs-review
- nix-update
- nurl
- nix-init
- nixfmt
- deadnix
- statix
- ];
- };
- };
+ # VM definitions (merged from globals + local overrides)
+ vms = mergedVms;
};
}
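Review bot: `mergedVms` iterates only over `globals.microvms.vms`, so an entry in `vmOverrides` whose name has no matching global VM is dropped silently — a typo in an override key would produce a VM with default vcpu/mem and none of the listed packages instead of an evaluation error. Guard the binding: `mergedVms = assert lib.all (n: builtins.hasAttr n globals.microvms.vms) (lib.attrNames vmOverrides); lib.mapAttrs (` (or `lib.assertMsg` naming the offending keys). The trailing `// { autostart = false; }` also overrides any `autostart` an override might set, which contradicts the "host-specific overrides here" comment; if forcing it off is intended, say so: `# autostart is always forced off: these VMs are started on demand`. The header still says the VMs share the host's /nix/store but not in which mode; since they run `claude --dangerously-skip-permissions`, state explicitly whether that share is read-only (the mount itself is configured in ../../modules/microvm, outside this hunk).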
globals.nix
@@ -57,6 +57,29 @@ _: {
endpoint = "167.99.17.238";
};
};
+ # MicroVMs for isolated Claude Code agents (hosted on aomi)
+ # Used by: modules/microvm, home/common/shell/openssh.nix
+ microvms = {
+ host = "aomi.sbr.pm"; # SSH jump host
+ subnet = "192.168.83";
+ vms = {
+ claude-home = {
+ ip = "192.168.83.2";
+ workspace = "/home/vincent/src/home";
+ description = "Homelab/NixOS work";
+ };
+ claude-tekton = {
+ ip = "192.168.83.3";
+ workspace = "/home/vincent/src/tekton-pipelines";
+ description = "Tekton development";
+ };
+ claude-nixpkgs = {
+ ip = "192.168.83.4";
+ workspace = "/home/vincent/src/nixpkgs";
+ description = "nixpkgs contributions";
+ };
+ };
+ };
machines = {
athena = {
net = {
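Review bot: The `subnet` value is repeated by hand as the prefix of every `ip` below it, while openssh.nix matches VMs with `"${globals.microvms.subnet}.*"` and the microvm host module configures its bridge from the same `subnet`; an address that drifts from the prefix would silently fall outside the wildcard match block and possibly the bridge. Derive the addresses from one source instead: `microvms = rec {` and `ip = "${subnet}.2";` (and `.3`, `.4`), so the three consumers listed in the comment cannot disagree. It would also help to note in the comment that `description` is documentation-only and is stripped before the attrset reaches the microvm module, since a new field added here would otherwise be passed through as a VM option.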