feat(docker): rewrite dev environment with multi-stage Ubuntu + Determinate Nix

Replace broken Arch Linux-based Dockerfile with a proper multi-stage build:
- Stage 1 (builder): Ubuntu 24.04 + Determinate Nix installer, runs home-manager switch
- Stage 2 (runtime): Debian bookworm-slim with only /nix/store and user home
- Flake dep caching layer (flake.lock), nix-collect-garbage for smaller images
- Pinned apt versions, hadolint-clean, SSL cert env vars for git HTTPS
- Add justfile (build/dev), docker-compose.yml, hadolint pre-commit hook

Also: guard ghostty config with mkIf (!isLinux) since it's a GUI terminal,
remove scripts/ module, add dev packages (fd, gcc, tree-sitter, unzip, gnused),
add claude-skills-generator integration, simplify dock config, add just to devShell.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: svnlto

.pre-commit-config.yaml

@@ -39,6 +39,12 @@ repos:
         pass_filenames: false
         description: Validate Nix flake structure
 
+  - repo: https://github.com/hadolint/hadolint
+    rev: v2.12.0
+    hooks:
+      - id: hadolint-docker
+        name: Lint Dockerfile
+
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v6.0.0
     hooks:

CLAUDE.md

@@ -66,7 +66,6 @@ This is a **cross-platform Nix configuration** managing both macOS hosts and Lin
 │   │   └── default.omp.json     # Oh My Posh theme
 │   ├── lazygit/                 # Lazygit configuration (cross-platform via xdg)
 │   ├── ghostty/                 # Ghostty terminal configuration
-│   └── scripts/                 # Custom shell scripts
 └── systems/
     ├── aarch64-darwin/          # macOS-specific (nix-darwin)
     │   ├── home.nix             # Home Manager config - imports common modules
@@ -420,30 +419,24 @@ If a configuration breaks your system:
 
 ## Testing with Docker
 
-Test the Nix configuration in a clean Ubuntu environment:
+Test the Nix configuration in a clean environment:
 
 ```bash
-# Build the Docker image
-docker build -t nix-config-test .
+# Build the image
+just build
 
-# Run interactively
-docker run -it --rm \
-  -v $(pwd):/home/ubuntu/workspace \
-  -w /home/ubuntu \
-  nix-config-test
-
-# Or use docker-compose (simpler)
-docker-compose run --rm nix-dev
+# Run interactively (drops into zsh as svenlito)
+just dev
 ```
 
 **Docker Setup Details:**
 
-- Ubuntu 24.04 base with pinned SHA256
-- Pinned package versions (curl, git, sudo, xz-utils, ca-certificates, zsh)
-- Pinned Nix version: 2.24.10
-- Pinned home-manager: release-24.05
-- Applies `homeConfigurations.minimal-arm` automatically during build
-- All tools (tmux, neovim, zsh) pre-configured and ready to test
+- Multi-stage build: Ubuntu 24.04 + Determinate Nix installer
+- Stage 1 (builder): installs Nix, runs `home-manager switch`, discarded after build
+- Stage 2 (runtime): slim Ubuntu with only `/nix/store` and user home copied over
+- Auto-detects architecture (`minimal-arm` or `minimal-x86`)
+- All tools (tmux, neovim, zsh, oh-my-posh) pre-configured and ready to test
+- No `nix-daemon` needed at runtime — packages are pre-built in the store
 
 ## Configuration Development Commands
 
@@ -580,7 +573,7 @@ The configuration uses a layered import system that eliminates duplication:
 
 1. **flake.nix**: Orchestrates everything using `mkDarwinSystem` and `mkHomeManagerConfig` functions
 2. **common/home-manager-base.nix**:
-   - Imports shared modules: `home-packages.nix`, `claude-code/`, `programs/`, `scripts/`
+   - Imports shared modules: `home-packages.nix`, `claude-code/`, `programs/`
    - Sets base home configuration (username, stateVersion)
    - Exports session variables and paths from `zsh/shared.nix`
    - Configures Oh My Posh theme
@@ -591,7 +584,7 @@ The configuration uses a layered import system that eliminates duplication:
 4. **common/default.nix**: Nix settings shared across platforms (performance tuning, experimental features)
 5. **systems/{arch}/home.nix**: Platform-specific ONLY
    - **macOS**: homeDirectory + platform-specific aliases (nixswitch, darwin-rebuild)
-   - **Linux**: homeDirectory + nix settings + platform aliases (hmswitch, hm-user) + worktree manager
+   - **Linux**: homeDirectory + nix settings + platform aliases (hmswitch, hm-user)
 
 ### Cross-Platform Module Strategy
 

Dockerfile

@@ -1,38 +1,101 @@
-FROM lopsided/archlinux-arm64v8:devel
-
-# Install additional dependencies
-RUN pacman -Syu --noconfirm && \
-  pacman -S --noconfirm \
-  curl \
-  git \
-  sudo \
-  zsh && \
-  pacman -Scc --noconfirm
-
-# Create user
+# Stage 1: Builder — install Nix, run home-manager switch
+FROM ubuntu:24.04 AS builder
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 ARG USERNAME
-RUN useradd -m -s /bin/zsh ${USERNAME} && \
-  echo "${USERNAME} ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
+ARG UID=1000
+ARG GID=1000
 
-USER ${USERNAME}
-WORKDIR /home/${USERNAME}
+RUN apt-get update && apt-get install -y --no-install-recommends \
+  curl=8.5.0-2ubuntu10.7 \
+  ca-certificates=20240203 \
+  xz-utils=5.6.1+really5.4.5-1ubuntu0.2 \
+  git=1:2.43.0-1ubuntu7.3 \
+  && rm -rf /var/lib/apt/lists/*
+
+RUN userdel -r ubuntu 2>/dev/null; groupdel ubuntu 2>/dev/null; \
+  groupadd -g ${GID} ${USERNAME} \
+  && useradd -l -m -u ${UID} -g ${GID} -s /bin/bash ${USERNAME}
+
+RUN curl --proto '=https' --tlsv1.2 -sSf -L \
+  https://install.determinate.systems/nix | sh -s -- install linux \
+  --extra-conf "trusted-users = root ${USERNAME}" \
+  --init none --no-confirm
 
-# Install Nix
-RUN curl -L https://nixos.org/nix/install | sh -s -- --no-daemon
+ENV PATH="/nix/var/nix/profiles/default/bin:${PATH}"
+RUN mkdir -p /etc/nix \
+  && echo "experimental-features = nix-command flakes" >> /etc/nix/nix.conf
 
-# Source Nix in shell
-RUN echo ". $HOME/.nix-profile/etc/profile.d/nix.sh" >> "$HOME/.zshrc"
+# Prepare home directory structure for home-manager activation
+RUN mkdir -p /home/${USERNAME}/.config/nix \
+  /home/${USERNAME}/.local/state/nix/profiles \
+  /home/${USERNAME}/.local/state/home-manager \
+  /nix/var/nix/profiles/per-user/${USERNAME} \
+  && chown -R ${UID}:${GID} /home/${USERNAME}
 
-# Copy Nix configuration
-COPY --chown=${USERNAME}:${USERNAME} . /home/${USERNAME}/.config/nix/
+# Layer cache: flake lock changes rarely, so fetch deps first
+COPY flake.nix flake.lock /home/${USERNAME}/.config/nix/
+RUN chown -R ${UID}:${GID} /home/${USERNAME}/.config/nix
+
+ENV USER=${USERNAME} HOME=/home/${USERNAME}
+
+# Pre-fetch flake deps (cached until flake.lock changes)
+RUN nix-daemon & sleep 1 \
+  && su -s /bin/sh ${USERNAME} -c " \
+  export PATH=/nix/var/nix/profiles/default/bin:\$PATH USER=${USERNAME} HOME=/home/${USERNAME} \
+  && cd /home/${USERNAME}/.config/nix \
+  && nix flake archive"
+
+# Now copy full config and build
+COPY . /home/${USERNAME}/.config/nix/
+RUN chown -R ${UID}:${GID} /home/${USERNAME}/.config/nix
 
-# Apply home-manager configuration
 WORKDIR /home/${USERNAME}/.config/nix
-ENV PATH="/home/${USERNAME}/.nix-profile/bin:${PATH}"
+RUN set -e; \
+  export PROFILE; \
+  PROFILE=$(if [ "$(uname -m)" = "aarch64" ]; then echo minimal-arm; else echo minimal-x86; fi); \
+  nix-daemon & sleep 1; \
+  su -s /bin/sh ${USERNAME} -c " \
+  export PATH=/nix/var/nix/profiles/default/bin:\$PATH USER=${USERNAME} HOME=/home/${USERNAME} \
+  && cd /home/${USERNAME}/.config/nix \
+  && nix run home-manager -- switch --flake .#\$PROFILE -b backup"
+
+# Prune build-only deps from the store
+RUN nix-daemon & sleep 1 \
+  && nix-collect-garbage -d \
+  && rm -rf /nix/var/nix/temproots/* /nix/var/log/nix/*
+
+# -----------------------------------------------------------
+# Stage 2: Runtime — slim glibc base, everything useful comes from Nix
+FROM debian:bookworm-slim
 ARG USERNAME
-ENV USER=${USERNAME}
-RUN nix run home-manager -- switch --flake .#minimal-arm -b backup
+ARG UID=1000
+ARG GID=1000
 
-WORKDIR /home/${USERNAME}
+RUN apt-get update && apt-get install -y --no-install-recommends \
+  ca-certificates=20230311+deb12u1 \
+  locales=2.36-9+deb12u13 \
+  && sed -i 's/^# *\(en_US.UTF-8\)/\1/' /etc/locale.gen \
+  && locale-gen \
+  && rm -rf /var/lib/apt/lists/* \
+  && groupadd -g ${GID} ${USERNAME} \
+  && useradd -l -m -u ${UID} -g ${GID} -s /bin/bash ${USERNAME}
+
+ENV LANG=en_US.UTF-8 \
+  LC_ALL=en_US.UTF-8
+
+# Copy pruned Nix store and user profile (ownership preserved from builder)
+COPY --from=builder /nix /nix
+COPY --from=builder /home/${USERNAME} /home/${USERNAME}
 
-CMD ["/bin/zsh"]
+ENV USER=${USERNAME} \
+  HOME=/home/${USERNAME} \
+  PATH="/home/${USERNAME}/.nix-profile/bin:/nix/var/nix/profiles/default/bin:${PATH}" \
+  NIX_PROFILES="/nix/var/nix/profiles/default /home/${USERNAME}/.nix-profile" \
+  NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt \
+  SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt \
+  CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt \
+  GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt
+
+USER ${USERNAME}
+WORKDIR /home/${USERNAME}
+CMD ["zsh", "-l"]

common/claude-code/default.nix

@@ -1,4 +1,20 @@
-{ config, ... }: {
+{ config, pkgs, ... }:
+let
+  skills-repo = pkgs.fetchFromGitHub {
+    owner = "martinholovsky";
+    repo = "claude-skills-generator";
+    rev = "1086ef25672acba2916220c6ce032a612cd9dc98";
+    sha256 = "1shvigcnm63a62w0nynqcnly292dz4zchybzjg90nwv0vz38c1a3";
+  };
+  selectedSkills = pkgs.runCommand "claude-skills" { } ''
+    mkdir -p $out
+    for skill in ci-cd devsecops-expert rest-api-design security-auditing \
+                 argo-expert cilium-expert cloud-api-integration \
+                 database-design talos-os-expert; do
+      cp -r ${skills-repo}/skills/$skill $out/
+    done
+  '';
+in {
   home.file = {
     # Create writable settings.json using out-of-store symlink
     ".claude/settings.json".source = config.lib.file.mkOutOfStoreSymlink
@@ -18,6 +34,9 @@
     # Status line script (read-only, no need for out-of-store symlink)
     ".claude/statusline-command.sh".source = ./statusline-command.sh;
 
+    # External skills from claude-skills-generator (auto-invoked by description match)
+    ".claude/skills".source = selectedSkills;
+
     # Create necessary directories
     ".claude/.keep".text = "";
   };

common/ghostty/default.nix

@@ -2,51 +2,53 @@
 
 let constants = import ../constants.nix;
 in {
-  # Ghostty terminal configuration
-  home.file.".config/ghostty/config".text = ''
-    theme = Catppuccin Mocha
-
-    font-family = "Hack Nerd Font"
-    font-size = 12
-    font-thicken = true
-    adjust-cell-height = 7
-    adjust-cell-width = -1
-
-    window-theme = dark
-    window-padding-x = 2
-    window-padding-y = 0
-    window-decoration = true
-    macos-window-buttons = hidden
-    macos-titlebar-style = transparent
-    macos-titlebar-proxy-icon = hidden
-    background-opacity = 0.85
-
-    cursor-style = block
-    cursor-style-blink = true
-    cursor-color = "#ff00ff"
-
-    shell-integration = zsh
-    shell-integration-features = cursor,sudo,title
-
-    scrollback-limit = ${toString constants.history.scrollbackLines}
-
-    mouse-hide-while-typing = true
-    click-repeat-interval = 300
-
-    link-url = true
-
-    ${lib.optionalString pkgs.stdenv.isLinux ''
-      # Linux-specific: disable problematic GTK settings
-      gtk-single-instance = false
-
-      # Linux: use Ctrl+V for paste (macOS-style, not Ctrl+Shift+V)
-      keybind = ctrl+v=paste_from_clipboard
-      keybind = ctrl+c=copy_to_clipboard
-    ''}
-
-    ${lib.optionalString pkgs.stdenv.isDarwin ''
-      macos-option-as-alt = true
-    ''}
-    confirm-close-surface = false
-  '';
+  # Ghostty terminal configuration (GUI terminal — skip in containers/servers)
+  home.file.".config/ghostty/config" = lib.mkIf (!pkgs.stdenv.isLinux) {
+    text = ''
+      theme = Catppuccin Mocha
+
+      font-family = "Hack Nerd Font"
+      font-size = 12
+      font-thicken = true
+      adjust-cell-height = 7
+      adjust-cell-width = -1
+
+      window-theme = dark
+      window-padding-x = 2
+      window-padding-y = 0
+      window-decoration = true
+      macos-window-buttons = hidden
+      macos-titlebar-style = transparent
+      macos-titlebar-proxy-icon = hidden
+      background-opacity = 0.85
+
+      cursor-style = block
+      cursor-style-blink = true
+      cursor-color = "#ff00ff"
+
+      shell-integration = zsh
+      shell-integration-features = cursor,sudo,title
+
+      scrollback-limit = ${toString constants.history.scrollbackLines}
+
+      mouse-hide-while-typing = true
+      click-repeat-interval = 300
+
+      link-url = true
+
+      ${lib.optionalString pkgs.stdenv.isLinux ''
+        # Linux-specific: disable problematic GTK settings
+        gtk-single-instance = false
+
+        # Linux: use Ctrl+V for paste (macOS-style, not Ctrl+Shift+V)
+        keybind = ctrl+v=paste_from_clipboard
+        keybind = ctrl+c=copy_to_clipboard
+      ''}
+
+      ${lib.optionalString pkgs.stdenv.isDarwin ''
+        macos-option-as-alt = true
+      ''}
+      confirm-close-surface = false
+    '';
+  };
 }

common/home-manager-base.nix

@@ -7,12 +7,8 @@ let
   versions = import ./versions.nix;
 in {
   # Common imports for all Home Manager configurations
-  imports = [
-    ./home-packages.nix
-    ./claude-code/default.nix
-    ./programs/default.nix
-    ./scripts/default.nix
-  ];
+  imports =
+    [ ./home-packages.nix ./claude-code/default.nix ./programs/default.nix ];
 
   # Base home configuration (homeDirectory set per platform)
   home = {

common/packages.nix

@@ -33,6 +33,11 @@
     neofetch
     docker-compose
     shellcheck
+    fd
+    unzip
+    gcc
+    tree-sitter
+    gnused
   ];
 
   # macOS-specific packages