commit 7415a980742a8fe62a2d9fa1adf6965563e41f36
Author: Luis Eduardo Bueso de Barrio
Date: Sat Jan 31 01:07:22 2026 +0100
flake.nix
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..05be1ef
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,134 @@
+{
+ description = "Reusable jailed LLM agents (opencode)";
+
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+ jail-nix.url = "sourcehut:~alexdavid/jail.nix";
+ llm-agents.url = "github:numtide/llm-agents.nix";
+ flake-utils.url = "github:numtide/flake-utils";
+ };
+
+ outputs =
+ {
+ self,
+ nixpkgs,
+ flake-utils,
+ jail-nix,
+ llm-agents,
+ ...
+ }:
+ flake-utils.lib.eachDefaultSystem (
+ system:
+ let
+ pkgs = nixpkgs.legacyPackages.${system};
+ jail = jail-nix.lib.init pkgs;
+
+ makeJailedAgent =
+ {
+ name,
+ pkg,
+ extraPkgs ? [ ],
+ extraCombinators ? [ ],
+ }:
+ jail name pkg (
+ with jail.combinators;
+ (
+ [
+ network
+ time-zone
+ no-new-session
+ mount-cwd
+ (readwrite (noescape "~/.config/${name}"))
+ (readwrite (noescape "~/.local/share/${name}"))
+ (readwrite (noescape "~/.local/state/${name}"))
+ (add-pkg-deps (
+ with pkgs;
+ [
+ bashInteractive
+ curl
+ wget
+ jq
+ git
+ which
+ ripgrep
+ gnugrep
+ gawkInteractive
+ ps
+ findutils
+ gzip
+ unzip
+ gnutar
+ diffutils
+ ]
+ ))
+ (add-pkg-deps extraPkgs)
+ ]
+ ++ extraCombinators
+ )
+ );
+
+ opencodePkg = llm-agents.packages.${system}.opencode;
+
+ opencode-jailed = makeJailedAgent {
+ name = "opencode";
+ pkg = opencodePkg;
+ };
+ in
+ {
+ packages = {
+ inherit opencode-jailed;
+ };
+
+ lib = {
+ # Call as: inputs.jailed-agents.lib.makeJailedOpencode system { extraPkgs = [...]; }
+ makeJailedOpencode =
+ system':
+ {
+ extraPkgs ? [ ],
+ extraCombinators ? [ ],
+ }:
+ let
+ pkgs' = nixpkgs.legacyPackages.${system'};
+ jail' = jail-nix.lib.init pkgs';
+ pkg' = llm-agents.packages.${system'}.opencode;
+ in
+ jail' "opencode" pkg' (
+ with jail'.combinators;
+ (
+ [
+ network
+ time-zone
+ no-new-session
+ mount-cwd
+ (readwrite (noescape "~/.config/opencode"))
+ (readwrite (noescape "~/.local/share/opencode"))
+ (readwrite (noescape "~/.local/state/opencode"))
+ (add-pkg-deps (
+ with pkgs';
+ [
+ bashInteractive
+ curl
+ wget
+ jq
+ git
+ which
+ ripgrep
+ gnugrep
+ gawkInteractive
+ ps
+ findutils
+ gzip
+ unzip
+ gnutar
+ diffutils
+ ]
+ ))
+ (add-pkg-deps extraPkgs)
+ ]
+ ++ extraCombinators
+ )
+ );
+ };
+ }
+ );
+}
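Review bot: The `lib` attribute near the bottom of the hunk is returned from inside `flake-utils.lib.eachDefaultSystem`, which as far as I know prefixes every output attribute with the system, so the helper ends up at `lib.<system>.makeJailedOpencode` rather than at the `inputs.jailed-agents.lib.makeJailedOpencode system { … }` path the comment promises, and its `system'` parameter then repeats a system the caller has already selected. The jail policy itself — the combinator list from `network` through `(add-pkg-deps extraPkgs)` — is also pasted twice, once in `makeJailedAgent` and once in `makeJailedOpencode`; since that list is the sandbox boundary, a hardening change applied to one copy and not mirrored in the other would silently leave the other entry point weaker. I would hoist a single `makeJailedAgentFor pkgs` builder above `eachDefaultSystem`, derive `packages.opencode-jailed` from it, and merge a system-independent `lib` onto the result so the documented call path actually exists. A one-line comment on why `network` and `mount-cwd` are granted unconditionally would also help a reader judge the policy, and if no `flake.lock` is committed alongside this file the `nixos-unstable`, `github:` and `sourcehut:` inputs float until one is.
```nix
outputs =
  { self, nixpkgs, flake-utils, jail-nix, llm-agents, ... }:
  let
    # Single home for the jail policy; both the package and the lib helper use it.
    makeJailedAgentFor =
      pkgs:
      { name, pkg, extraPkgs ? [ ], extraCombinators ? [ ] }:
      let
        jail = jail-nix.lib.init pkgs;
      in
      jail name pkg (
        with jail.combinators;
        [
          network
          time-zone
          no-new-session
          mount-cwd
          (readwrite (noescape "~/.config/${name}"))
          (readwrite (noescape "~/.local/share/${name}"))
          (readwrite (noescape "~/.local/state/${name}"))
          # … unchanged: (add-pkg-deps (with pkgs; [ bashInteractive … diffutils ])) …
          (add-pkg-deps extraPkgs)
        ]
        ++ extraCombinators
      );
    opencodeFor = system: {
      name = "opencode";
      pkg = llm-agents.packages.${system}.opencode;
    };
  in
  flake-utils.lib.eachDefaultSystem (system: {
    packages.opencode-jailed =
      makeJailedAgentFor nixpkgs.legacyPackages.${system} (opencodeFor system);
  })
  // {
    # Call as: inputs.jailed-agents.lib.makeJailedOpencode system { extraPkgs = [ ... ]; }
    lib.makeJailedOpencode =
      system: args:
      makeJailedAgentFor nixpkgs.legacyPackages.${system} (opencodeFor system // args);
  };
```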