
Full CUDA ML JupyterLab image with real-time collaboration and CRDT MCP server. Base: nvidia. Port 8888. GPU-accelerated ML training + collaborative notebooks. MUST be invoked before building, deploying, or troubleshooting the jupyter-ml image.
Screenshot via selkies WebSocket capture bridge for selkies-desktop. Use when working with the wl-screenshot-pixelflux layer.
Himalaya email CLI (IMAP/SMTP). Use when working with the himalaya layer.
Start a container as a background service. MUST be invoked before any work involving: ov start command, launching containers, quadlet vs direct mode startup, or encrypted volume auto-mounting.
Scaffold new layers, images, and whole projects with template files. MUST be invoked before any work involving: ov image new {project, image, layer} commands, creating new projects/images/layers, or scaffolding directories.
Remove service container, quadlet file, and deploy.yml entry. MUST be invoked before any work involving: ov remove command, cleaning up containers, removing quadlets, or purging volumes.
Audio spectrogram and visualization CLI. Use when working with the songsee layer.
AMD ROCm runtime, OpenCL, and GPU compute support via system packages. Use when working with AMD GPU computing, ROCm, HIP, OpenCL, or AMD GPU passthrough in containers.
FileBrowser Quantum web file manager on port 8080 with config-file-driven setup. Use when working with FileBrowser, web file management, or file browsing in containers.
JetBrains Mono and Nerd Fonts for desktop containers. Use when working with font configuration or desktop text rendering.
OpenClaw full + ML tools + Ollama + Sway desktop + VNC. GPU-accelerated. Currently disabled. Enable in image.yml to build. MUST be invoked before building, deploying, or troubleshooting the openclaw-full-ml image.
Post-build layer optimization via merging consecutive small layers. MUST be invoked before any work involving: ov image merge command, image layer reduction, merge configuration, or post-build optimization.
Google Chrome running on Sway compositor via exec autostart with DevTools protocol. Use when working with Chrome in Sway, browser automation, or CDP in desktop containers.
Heroic Games Launcher for Epic, GOG, and Amazon Prime Gaming with mangohud and gamemode. Use when working with Heroic, Epic Games, GOG, or non-Steam game launchers in containers.
# a11y-tools - AT-SPI2 Accessibility Introspection

## Overview

Provides Python AT-SPI2 bindings for querying the accessibility tree of GTK, Qt, and Chrome applications. Enables element-based automation — find buttons, menus, and text fields by name/role instead of pixel coordinates. Used by `ov eval wl atspi tree/find/click`.

## Layer Definition

```yaml
requires:
  - dbus
rpm:
  packages:
    - python3-pyatspi
    - python3-gobject
```

## Key Properties

| Property | Value |
|----------|-
OpenRouter API integration notebook collection provisioned into the workspace volume at deploy time. 3 Jupyter notebooks demonstrating OpenRouter API basics, model discovery, and practical inference. Data-only layer with env_requires — first layer to use the env_requires feature. Use when working with notebook-openrouter, OpenRouter API tutorials, or Jupyter+OpenRouter integration.
Steam gaming client with gamescope. Use when working with Steam, gaming, or gamescope in containers.
Starter notebook templates provisioned into the workspace volume at deploy time. First data-only layer in the project — no packages, no services, no dependencies. Use when working with notebook-templates, data layers, or jupyter initial content.
Ollama integration notebook collection provisioned into the workspace volume at deploy time. 6 Jupyter notebooks demonstrating Ollama via requests, OpenAI, ollama lib, Anthropic, HuggingFace, and GPU. Data-only layer — no packages, no services, no dependencies. Use when working with notebook-ollama, Ollama API tutorials, or Jupyter+Ollama integration.
Minimal Sway desktop with VNC remote access and Chrome browser. Use when working with VNC desktop containers or testing the sway-desktop-vnc composition.
Desktop video recorder via selkies WebSocket capture bridge for selkies-desktop. Use when working with the wl-record-pixelflux layer.
marimo's built-in MCP server (10 read-only inspection tools — get_active_notebooks, get_cell_outputs, get_notebook_errors, etc.) at port 2718 path /mcp/server. Use when working with the marimo MCP tool catalog, programmatic notebook diagnostics, or the cells-don't-execute-via-MCP gap (marimo MCP is read-only; cells run via WebSocket from a browser OR `marimo export ipynb --include-outputs` for headless execution).
Metalayer composing a full Selkies Wayland streaming desktop with Chrome, Waybar, desktop automation tools, and accessibility introspection. Use when working with the selkies-desktop metalayer composition, labwc desktop, or browser-accessible remote desktops.
Fully rootless Selkies streaming desktop + the full ov toolchain inside one image. Runs as uid 1000 with zero --privileged / zero cap_add; nested rootless podman and rootless libvirt session VMs work via config-level namespace sharing and the surgical unmask=/proc/* security_opt. Use when working with the selkies-desktop-ov image — especially for any "browser-accessible desktop that can itself build images, start pods, or launch VMs" workflow.
Sway Wayland compositor running headless inside containers with Mesa GPU drivers. Use when working with Sway, Wayland desktop, or headless compositor setup.
Sway desktop with VNC remote access via wayvnc on port 5900. Composes sway-desktop base with wayvnc.
# Layer: waybar-labwc

Waybar status bar adapted for labwc compositor (not sway). Uses the same unified config as the `waybar` layer — sway-specific modules (workspaces, mode) auto-hide on labwc since `SWAYSOCK` is not set.

## Architecture

Waybar connects to `wayland-0` (labwc's socket), NOT `wayland-1` (pixelflux). This is critical for:

- **Layer-shell exclusive zones** — Waybar reserves space at the top, windows don't overlap it
- **wlr-foreign-toplevel-management** — Waybar's taskbar can se
WayVNC server on port tcp:5900 for remote access to Wayland desktops. Use when working with VNC access, remote desktop, or wayvnc configuration.
Waybar status bar and sway-autotile for the Sway desktop compositor. Use when working with Waybar configuration, status bar, or automatic tiling.
Google Workspace CLI (Gmail, Calendar, Drive, Contacts, Sheets, Docs). Use when working with the gogcli layer.
# xdg-portal - XDG Desktop Portal Infrastructure

## Overview

Provides XDG Desktop Portal support for Sway containers. Installs the portal daemon, the wlroots-specific backend (`xdg-desktop-portal-wlr`), and the GTK fallback backend. Enables screen sharing, screenshots via portal API, and file dialogs for applications running inside the container.

## Layer Definition

```yaml
requires:
  - dbus
  - sway
  - pipewire
env:
  XDG_CURRENT_DESKTOP: "sway"
rpm:
  packages:
    - xdg-desktop-portal
```
Thunar file manager for Sway desktop environments with sway config integration. Use when working with file management in Sway desktop containers.
# xterm - X11 Terminal (XWayland)

## Overview

Lightweight X11 terminal emulator. On labwc (selkies-desktop), launching xterm triggers XWayland to start on-demand, enabling X11-based automation tools (xdotool, xprop, xwininfo) to find windows.

## Layer Definition

```yaml
rpm:
  packages:
    - xterm
```

## Key Properties

| Property | Value |
|----------|-------|
| Depends | None |
| Packages | `xterm` |
| WM_CLASS | `xterm` / `XTerm` |
| XWayland | Triggers on-demand start on labwc |

## Us
Overthink CLI (ov) binary installed into container/VM images for in-container use. Use when working with ov binary deployment inside containers, native D-Bus support, or the ov-full composition.
Xfce4 terminal emulator for Sway desktop environments with sway config integration. Use when working with terminal emulators in Sway desktop containers.
OpenSSH client tools for SSH agent forwarding. Use when working with SSH client, SSH agent forwarding, or the ssh-client layer.
OpenAI Whisper local speech-to-text. Use when working with the whisper layer.
marimo reactive notebook server (also runs as MCP server via --mcp), GPU-accelerated OSM/GTFS analytics deps (cudf-polars-cu13, polars, geopandas, quackosm, gtfs-parquet), Apache Airflow Python deps (the airflow layer ships no pixi env), and the marimo-team/learn curriculum + marimo-team/skills bundle for AI agents. Use when working with the marimo layer, its pixi environment, the supervisord service spec, or the cell-display + mo.iframe rendering patterns.
Maputnik — visual editor for MapLibre GL vector-tile styles. Pure-JS SPA built from upstream source via npm at image build time, served as static dist by python -m http.server. Pairs with osm-tools's martin tile server. Use when working with the maputnik layer, the Vite --base=/ build override (critical fix; default --base=/maputnik/ produces 404 asset paths), or the asset-base lock-in eval test.
Socket relay tool for VM console access and port relays (eth0 to loopback). Use when working with port relays, socat, or loopback service exposure.
KDE XDG Desktop Portal backend with ScreenCast and RemoteDesktop support. Use when working with KDE portals, screen sharing, or libei input in KWin containers.
GNOME XDG Desktop Portal backend with ScreenCast, RemoteDesktop, and AT-SPI2 support. Use when working with GNOME portals, screen sharing, or libei input in Mutter containers.
Food delivery order status CLI (Foodora). Use when working with the ordercli layer.
GnuPG encryption and signing tools for GPG agent forwarding. Use when working with GPG, encryption, signing, or the gnupg layer.
Grafana observability CLI tools: mcp-grafana, logcli, promtool, mimirtool, tempo-cli, tanka, grafanactl. Use when working with Grafana, Prometheus, Loki, Mimir, Tempo, or observability tooling.
Immich photo management server on port 2283 with PostgreSQL and Redis. Use when working with Immich, photo management, or media library services.
OpenAI Codex CLI coding agent. Use when working with the codex layer.
KDE desktop composition with KWin, PipeWire, XDG Portal, Chrome, Konsole, and Dolphin. Use when working with KWin desktop containers.
GNOME-native desktop applications (gnome-terminal, Nautilus) for Mutter compositor. Use when working with the mutter-apps layer.
Desktop notification client library providing notify-send CLI. Use when working with notify-send, libnotify, or shell-based notifications.
Desktop applications (terminal, file manager) for Niri compositor. Use when working with the niri-apps layer.
Node.js and npm via system packages (RPM/DEB) with global npm prefix. Use when working with Node.js, npm, or JavaScript/TypeScript tooling.
OpenClaw AI gateway service on port 18789 via npm with persistent data. Use when working with OpenClaw, AI gateway configuration, or model routing.
RPM Fusion free and nonfree repository configuration for Fedora. Use when working with RPM Fusion repos, multimedia codecs, or nonfree packages.
PostgreSQL database server on port 5432 with pgvector extension and persistent data. Entrypoint supports POSTGRES_SHARED_PRELOAD_LIBRARIES for extension loading. Use when working with PostgreSQL, database configuration, or pgvector.
FastAPI test service on port 9090 routed via testapi.localhost for development testing. Use when working with the test API, Traefik routing validation, or service health checks.
SwayNotificationCenter notification daemon for wlroots compositors (sway, labwc). Use when working with desktop notifications, notification center, or swaync configuration.
Arch Linux image with the full ov toolchain. Rootless-first since 2026-04 — runs as uid=1000 with passwordless sudo (no root, no cap_add: ALL). Composes /ov-layers:ov-mcp so the image is reachable as an MCP gateway on port 18765. NVIDIA GPU runtime composed in. MUST be invoked before building, deploying, configuring, or troubleshooting the arch-ov image.
Full-stack AI image: OpenClaw gateway + all tools + Ollama LLM + Whisper STT + sherpa-onnx TTS + Sway desktop with Chrome. GPU-accelerated with CUDA. MUST be invoked before building, deploying, configuring, or troubleshooting the openclaw-ollama-sway-browser image.
# Image: selkies-desktop

Browser-accessible Wayland desktop streamed via Selkies/pixelflux WebSocket at `https://localhost:3000` (HTTPS with self-signed Traefik certificate).

## Definition

```yaml
selkies-desktop:
  base: fedora-nonfree
  layers:
    - agent-forwarding
    - selkies-desktop
    - dbus
    - ov
  ports:
    - "3000:3000"
    - "9222:9222"
    - "9224:9224"
  platforms:
    - linux/amd64
```

Tunnel config is in `deploy.yml` (not image.yml): `tunnel: {provider: tailscale, priva
Aurora DX bootc image with NVIDIA, SSH, ov toolchain, and Go. Currently disabled. Enable in image.yml to build. MUST be invoked before building, deploying, or troubleshooting the aurora image.
Test image for Arch Linux pacman and AUR package installation. MUST be invoked before building or troubleshooting the arch-test image.
Agent forwarding support -- GPG, SSH, and direnv for .secrets workflow. Use when working with agent forwarding, SSH/GPG socket forwarding, or the agent-forwarding layer.
Full CUDA ML JupyterLab image with finetuning, Ollama, and LLM course notebooks, CRDT MCP server, and real-time collaboration. Base: nvidia. Port 8888. Combines jupyter-ml with 37 Unsloth fine-tuning notebooks, 6 Ollama integration notebooks, and 15 LLM course notebooks. MUST be invoked before building, deploying, or troubleshooting the jupyter-ml-notebook image.
Test layer for AUR package installation on Arch Linux. Use when working with the arch-aur-test layer.
llama.cpp prebuilt binaries and GGUF conversion tools. Use when working with llama.cpp, GGUF model conversion, or llama-quantize/llama-cli.
MUST be invoked before any work involving: ov config commands, image deployment setup, quadlet generation, secrets provisioning, encrypted volumes, data seeding, or volume backing configuration.
Runtime configuration management for the ov CLI. MUST be invoked before any work involving: ov settings commands, runtime configuration, engine selection, bind address, storage paths, or secret backend configuration.
MUST be invoked before any work involving: virtual machines, ov vm commands, kind:vm entities in vms.yml, cloud_image vs bootc source types, libvirt/QEMU backends, BIOS vs UEFI firmware, virtio-gpu video, or VM lifecycle.
MUST be invoked before any work involving: Wayland / wlroots desktop automation — `ov test wl` commands (screenshots, click/type/scroll/drag, window management via wlrctl, clipboard, resolution control, AT-SPI2 introspection, window geometry), nested `wl sway` / `wl overlay` subcommands, or `wl:` declarative verbs inside `tests:` blocks. Covers sway-desktop and selkies-desktop image automation on both sway and labwc compositors.
MUST be invoked before any work involving: ov shell command, interactive shells, command execution in containers, workspace mounts, TTY allocation, or port relay.
Hermes agent with AI CLIs (Claude Code, Codex, Gemini), developer tools, DevOps tools, and ov. Use when working with the hermes-full metalayer or full-featured standalone hermes deployments.
KWin Wayland compositor running headless inside containers with virtual backend. Use when working with KWin, KDE desktop, or headless compositor setup.
System files overlay and justfile imports for bootc images. Copies system_files to root filesystem. Use when working with system file overlays, justfile imports, or bazzite-ai configuration.
MUST be invoked before any work involving: `ov eval` (image / live / run), the `eval:` / `deploy_eval:` fields in layer.yml / image.yml / deploy.yml, the `org.overthinkos.eval` OCI label, the AI iteration harness loop, `kind: ai` / `kind: recipe` / `kind: score` in eval.yml, or any declarative check authoring. Covers the unified post-2026-04 `ov eval` surface (which replaced the legacy `ov test` + `ov harness` commands): three primary modes (image / live / run), 9 live-container probe verbs (cdp/wl/dbus/vnc/mcp/record/spice/libvirt/k8s), verb catalog (file/port/command/http/package/service/process/dns/user/ group/interface/kernel-param/mount/addr/matching), runtime variable resolution (`${HOST_PORT:N}`, `${VOLUME_PATH:name}`, `${CONTAINER_IP}`, `${ENV_*}`), deploy.yml overlay rules, authoring gotchas learned the hard way (package renames, absent binaries, host vs container network routing), AI-iteration loop semantics (plateau-bounded, progressive recipe disclosure, watchdog), and the `from:` block for composing recipes from existing layer/image/pod/vm tests.
LLMs on Supercomputers course notebook collection (TU Wien AI Factory Austria). 15 Jupyter notebooks covering prompt engineering, RAG, and fine-tuning. Data-only layer — no packages, no services, no dependencies. Use when working with the LLM course notebooks, LangChain tutorials, or RAG examples.
Full CUDA ML stack + JupyterLab with real-time collaboration and CRDT MCP server on port 8888. Use when working with GPU-accelerated Jupyter notebooks, ML training with collaboration, or the jupyter-ml layer.
Unsloth LLM fine-tuning library with vLLM integration. Tier 1 post-install layer — no pixi.toml, requires pixi env from a parent layer (python-ml, jupyter-ml, unsloth-studio). Use when working with Unsloth, LLM fine-tuning, or vLLM wheel installation.
Maximal OpenClaw deployment (gateway + browser + all feasible tools/skills). Use when working with the openclaw-full layer.
ClawHub CLI for searching and installing OpenClaw skills. Use when working with the clawhub layer.
ComfyUI image generation service on port 8188 with CUDA GPU support. Use when working with ComfyUI, image generation, Stable Diffusion, or AI art pipelines.
Skill maintenance guidelines: when and how to update skills, CLAUDE.md, and README.md. Use when updating documentation, feeding back operational insights, or auditing skill coverage.
Open WebUI with auto-configured LLM providers, MCP servers, and Jupyter code execution. MUST be invoked before any work involving: the openwebui layer, Open WebUI configuration, LLM provider auto-detection, or MCP server discovery for Open WebUI.
NVIDIA GPU runtime support: driver libs, nvidia-container-toolkit (CDI), and VA-API. Fedora (negativo17) and Arch Linux (pac). Base layer for all GPU-accelerated images. Use when working with NVIDIA GPU support, CDI device injection, or the nvidia layer.
Google Places API CLI for location search. Use when working with the goplaces layer.
Visual Studio Code editor installed from Microsoft's RPM repository. Use when working with VS Code installation or configuration in container images.
Playwright browser automation (OpenClaw AI snapshots). Use when working with the playwright layer.
Desktop applications including Chromium, VLC, KeePassXC, btop, cockpit, and zsh. Use when working with GUI applications or desktop environment setup.
Authoring reference for kind:vm entities in vms.yml. Parallel to /ov-build:layer and /ov-build:image. Covers the VmSpec schema, source.kind discriminator (cloud_image vs bootc), base_user adopt pattern, and step-by-step recipes for both source kinds. MUST be invoked before authoring or editing vms.yml entries.
Ollama LLM server on port 11434 with CUDA GPU support and model persistence. Use when working with Ollama, LLM serving, or local AI model inference.
RTSP/ONVIF camera snapshot and clip CLI. Use when working with the camsnap layer.
Fast system information tool (neofetch successor). Use when working with the fastfetch layer.
Record terminal sessions (asciinema) or desktop video (pixelflux/wf-recorder). MUST be invoked before any work involving: ov test record commands, terminal recording, desktop video recording, or session capture.
MUST be invoked before any work involving: ov start/stop/status/logs/update/remove commands, ov config (deployment), init system service management, or container lifecycle.
Stop a running service container. MUST be invoked before any work involving: ov stop command, stopping containers, or halting services.
Kubernetes cluster probe verb — `ov test k8s <method>` for nodes, pods, ingress, storage class, addon health, apply/delete, and arbitrary resource GETs. Hermetic via vendored client-go; no external kubectl required.
Update image and restart service with data sync. MUST be invoked before any work involving: ov update command, pulling new image versions, data seeding, force-seed, or updating deployed services.
Record terminal sessions (asciinema) or desktop video (pixelflux/wf-recorder). MUST be invoked before any work involving: ov eval record commands, terminal recording, desktop video recording, or session capture.
Fullscreen Wayland overlays for screen recordings via gtk4-layer-shell. MUST be invoked before any work involving: ov eval wl overlay commands, recording overlays, title cards, lower-thirds, countdowns, or fade transitions.
MUST be invoked before any work involving: OCI label contract, Capabilities / ImageMetadata struct, CapabilityLabelMap completeness check, LabelServices structured round-trip, source-less deploy via `ov deploy from-image`, or adding a new OCI label. Developer-facing; users author via `/ov-build:layer` and `/ov-build:image`.
FileBrowser Quantum web file manager with Tailscale tunnel. MUST be invoked before building, deploying, configuring, or troubleshooting the filebrowser image.
Operationalization of CLAUDE.md R1-R5 — the engineering-discipline rules that come BEFORE runtime verification. Covers: (R1) RCA on every failure via /ov-dev:root-cause-analyzer; (R2) no "pre-existing" / "out of scope" / "follow-up PR" classifications; (R3) no code duplication, generic over ad-hoc; (R4) no ad-hoc workarounds; (R5) hard cutover deletes the deprecated path AND every stale reference in the same commit. MUST be invoked when a failure / warning / anomaly surfaces, when the same pattern is about to land in a second surface, when a sleep / retry / magic-number is tempting, or when a cutover commit is about to ship.
Base composition for bootc OS images including SSH, QEMU guest agent, and bootc config. Use when working with bootable container images, VMs, or OS-level configuration.
Kubernetes cluster probe verb — `ov eval k8s <method>` for nodes, pods, ingress, storage class, addon health, apply/delete, and arbitrary resource GETs. Hermetic via vendored client-go; no external kubectl required.
Containerfile generation: understanding ov image generate output, multi-stage builds, intermediate images, and the .build/ directory. Use when debugging or understanding generated Containerfiles. MUST be invoked before reading or modifying any Go source file in ov/.
MUST be invoked before any work involving: `ov deploy add`/`ov deploy del` commands, quadlet generation, volume backing, tunnels (Tailscale/Cloudflare), `add_layers:` overlay, or per-machine deploy overlays.
MUST be invoked before any work involving: `ov deploy add --target kubernetes`, `ov deploy from-image`, Kustomize manifest generation, cluster profiles, K8s deployments, `kubernetes:` block in deploy spec, or OCI-label capabilities.
Pixi package manager binary with environment and PATH setup. Use when working with pixi, conda-forge packages, or Python environment management.
List components from image.yml and filesystem. MUST be invoked before any work involving: ov image list commands, enumerating images, layers, build targets, services, routes, volumes, or aliases.
Go programming language compiler via RPM package. Use when working with Go development or Go builds.
Terminal session recorder (asciinema). Use when working with the asciinema layer.
GitHub CLI, git, and git-lfs — the single-responsibility home for all git/GitHub tooling as of 2026-04. Ships the noscripts + post-install dance for git-lfs so the RPM's systemd trigger doesn't fail at build time. Use when composing git + gh + git-lfs into an image, or when deciding which layer should own a git-related binary.
GitHub Actions local runner (act-cli) and guestfs-tools via COPR. Use when working with GitHub Actions, local CI testing, or act.
Immich photo management with CUDA ML backend for face recognition and smart search. Includes PostgreSQL, Redis, and the immich-ml service. MUST be invoked before building, deploying, configuring, or troubleshooting the immich-ml image.
OpenClaw full + ML tools (whisper, sherpa-onnx-tts, CUDA). Use when working with the openclaw-full-ml layer.
Open WebUI image with auto-configured LLM providers, MCP servers, and Jupyter on port 8080. MUST be invoked before building, deploying, configuring, or troubleshooting the openwebui image.
Go CLI development: building the ov binary, running tests, understanding the source code structure. MUST be invoked before reading or modifying any Go source file in ov/.
Python 3.13 runtime installed via pixi (conda-forge). Use when working with Python, pixi environments, or Python dependencies.
ElevenLabs text-to-speech CLI. Use when working with the sag layer.
X (Twitter) API CLI for posts, search, DMs, and media. Use when working with the xurl layer.
Hermes self-improving AI agent by Nous Research with voice, messaging, and tool-calling. MUST be invoked before any work involving: the hermes layer, Hermes Agent configuration, hermes service setup, or hermes Python/npm dependencies.
Google Chrome with DevTools on port 9222, Chrome DevTools MCP on port 9224, and browser-open helper. Use when working with Chrome, CDP, browser automation, or DevTools Protocol.
FFmpeg multimedia framework (negativo17 nonfree build with H.264/AAC support). Use when working with the ffmpeg layer.
Unsloth Studio fine-tuning web UI on ports 8888/8000 with vLLM inference. Tier 2 environment-owner meta-layer composing llama-cpp + unsloth, owns pixi.toml. Use when working with Unsloth Studio, the fine-tuning web UI, or the unsloth-studio image.
PulseAudio volume control GUI for desktop containers with PipeWire audio. Use when working with audio configuration or volume control.
MUST be invoked before any work involving: Chrome DevTools Protocol, ov eval cdp commands, browser automation, clicking elements, taking screenshots, or OAuth flows inside containers.
D-Bus interaction inside containers via native Go godbus/dbus/v5. MUST be invoked before any work involving: ov eval dbus commands, desktop notifications, D-Bus method calls, service introspection, or session bus interaction.
MUST be invoked before any work involving: `target: local` deployments (was `target: host`), the Ansible-style `host:` destination field (literal `local` for direct shell, anything else routes through ssh(1) reading `~/.ssh/config` + ssh-agent), the `local:` template reference, the `user:` and `ssh_args:` Ansible-shaped overrides, the managed `~/.config/ov/ssh_config` fragment, the install ledger at `~/.config/overthink/installed/`, ReverseOp teardown, or the `--with-services`/`--allow-repo-changes`/`--allow-root-tasks` gates.
MUST be invoked before any work involving: Wayland / wlroots desktop automation — `ov eval wl` commands (screenshots, click/type/scroll/drag, window management via wlrctl, clipboard, resolution control, AT-SPI2 introspection, window geometry), nested `wl sway` / `wl overlay` subcommands, or `wl:` declarative verbs inside `eval:` blocks. Covers sway-desktop and selkies-desktop image automation on both sway and labwc compositors.
MUST be invoked before any work involving: Model Context Protocol — both directions. (1) `ov eval mcp` client: probing MCP servers declared via mcp_provides, testing MCP tool catalogs, debugging the URL-rewriter (including host-networked containers via `HostConfig.NetworkMode` detection — new 2026-04) or port-publishing behavior. (2) `ov mcp serve` server: running the ov CLI itself as an MCP server over Streamable HTTP or stdio, auto-generated from Kong reflection (~192 tools including the MCP-first authoring surface — image/layer scaffolding, comment-preserving YAML edits, free-form file writes), destructive-hint annotations, the `--read-only` filter, auto-fallback to `overthinkos/overthink` when cwd has no `image.yml` (always fires now, regardless of OV_PROJECT_DIR being set — 2026-04 change), and the `ov-mcp` deployment layer with its `/workspace` bind mount.
MUST be invoked before any work involving: the `ov image` command family, image definitions in image.yml, image inheritance, defaults, platforms, builder configuration, the image dependency graph, or the build/deploy scope boundary.
Containerfile generation from image.yml and layers. MUST be invoked before any work involving: ov image generate command, Containerfile generation, .build/ directory contents, the task-verb emission pipeline, or understanding generated output.
MUST be invoked before any work involving: authoring `kind: local` templates (the post-cutover replacement for `kind: host`), `local.yml` files, the inline `local:` map in `overthink.yml`, or the merge semantics between a `kind: local` template and a `target: local` deployment.
MUST be invoked before any work involving: virtual machines, ov vm commands, kind:vm entities in vms.yml, cloud_image vs bootc source types, libvirt/QEMU backends, BIOS vs UEFI firmware, virtio-gpu video, or VM lifecycle.
MUST be invoked before any work involving: VNC automation, ov eval vnc commands, RFB protocol desktop interaction, VNC screenshots, clicking coordinates, or VNC authentication.
MUST be invoked before any work involving: `ov migrate unified` command (converting legacy image.yml/layer.yml/build.yml into unified overthink.yml, rewriting flat-form layer.yml, migrating legacy service:|...| raw-INI and system_services: entries), or `ov migrate vm-spec` (harvesting legacy image.bootc/image.vm/image.libvirt fields into kind:vm entities in vms.yml).
Kitchen-sink development image on Arch Linux: coding + AI-coding CLIs + DevOps tooling in one container. Arch base, 30+ direct layers mirroring fedora-coder's stack but with pac:-section packages (plus AUR for a few unique cases). Runs as uid 1000 (`user`) with passwordless sudo. Use when working with the arch-coder image — or when comparing cross-distro parity across the four coder-family images (fedora, debian, ubuntu, arch).
MUST be invoked before any work involving: ov secrets commands, KeePass .kdbx credential management, credential import/export, or secret database administration.
MUST be invoked before any work involving: layer authoring, layer.yml, tasks, pixi.toml, package.json, Cargo.toml, or any file under layers/. This skill is the authoritative reference for the `tasks:` verb catalog, `vars:` substitution, execution order, and per-verb validation. Every other skill defers here for install-schema questions.
# Layer: waybar-labwc

Waybar status bar adapted for labwc compositor (not sway). Uses the same unified config as the `waybar` layer — sway-specific modules (workspaces, mode) auto-hide on labwc since `SWAYSOCK` is not set.

## Architecture

Waybar connects to `wayland-0` (labwc's socket), NOT `wayland-1` (pixelflux). This is critical for:

- **Layer-shell exclusive zones** — Waybar reserves space at the top, windows don't overlap it
- **wlr-foreign-toplevel-management** — Waybar's taskbar can se
C/C++ build toolchain with gcc, cmake, autoconf, ninja, git, and pkg-config. Use when working with native compilation, build tools, or C/C++ development.
Kitchen-sink development image on Debian 13 trixie: coding + AI-coding CLIs + DevOps tooling in one container. Debian base, 30+ direct layers mirroring fedora-coder's stack but with deb: sections. Runs as uid 1000 (`user`) with passwordless sudo. 143/0 tests pass as of 2026-04-20. Use when working with the debian-coder image — or when comparing cross-distro parity across the four coder-family images.
direnv -- automatic environment variable loading from .envrc files. Use when working with direnv, .envrc, .secrets, or environment management.
DevOps CLI tools: AWS CLI, Scaleway, kubectx/kubens, OpenTofu, wrangler, bind-utils, jq, rsync. Use when working with cloud infrastructure, DNS lookups, infrastructure-as-code, or DevOps tooling.
Docker CE engine with buildx and compose plugins from the official Docker repository. Use when working with Docker, container builds, or Docker Compose.
Wayland screen recorder for wlroots compositors. Use when working with the wf-recorder layer.
Google Cloud npm packages: firebase-tools and Gemini CLI. Use when working with Firebase, Gemini CLI, or GCP Node.js tooling.
Google Cloud SDK providing gcloud, gsutil, and bq CLI tools. Use when working with Google Cloud Platform, GCP services, or cloud SDK configuration.
Go programming language compiler via RPM package. Use when working with Go development or Go builds.
Kitchen-sink development image: coding + AI-coding CLIs + DevOps tooling in one container. Fedora-nonfree base, 32 direct layers spanning language runtimes, build tooling, five AI coding CLIs, and the full cloud/devops stack. Runs as uid 1000 with passwordless sudo — rootless-first, matches the /ov-selkies:selkies-desktop-ov security posture. Use when working with the fedora-coder image — specifically any task that involves SSH-ing into a single container and having every tool a polyglot engineer reaches for during a working day already installed.
Multi-language runtime meta-layer — Go, PHP, .NET 9 SDK, nodejs-devel, python3-devel, ramalama. System Python via RPM (not pixi-python). Uses nodejs and rust layers as explicit deps. Use when working with polyglot development or composing multiple language runtimes into a single image.
OpenAI Whisper local speech-to-text. Use when working with the whisper layer.
Valkey 9.x key-value store (Redis-compatible) on port 6379 via Remi modular repo. Use when working with Valkey, Redis-compatible caching, or the valkey layer.
MCP server exposing the full ov CLI as tools (Streamable HTTP on port 18765). Meta-layer composition — layers: [ov, supervisord] — ships only service wiring + `/workspace` bind-mount + OV_PROJECT_DIR env plumbing. Auto-falls back to the upstream overthinkos/overthink repo when /workspace has no image.yml. Use when composing an MCP gateway into any image so LLM agents can drive ov remotely.
Lightweight Wayland compositor (wlroots-based) for nested desktop inside pixelflux. MUST be invoked when working with: the labwc layer, Wayland compositor config in selkies images, or labwc-wrapper.
Sway Wayland compositor running headless inside containers with Mesa GPU drivers. Use when working with Sway, Wayland desktop, or headless compositor setup.
SwayNotificationCenter notification daemon for wlroots compositors (sway, labwc). Use when working with desktop notifications, notification center, or swaync configuration.
Base Sway desktop composition with audio, portals, Wayland tools, Chrome, terminal, file manager, and status bar. Use sway-desktop-vnc for VNC remote access.
Rust compiler and Cargo package manager via system packages (RPM/DEB). Use when working with Rust development or Cargo builds.
Pre-commit git hooks framework via pixi, plus markdownlint-cli via npm. Use when working with git hooks, linting, or code quality tooling.
Typst document processor binary for typesetting and document generation. Use when working with Typst, document compilation, or typesetting tools.
# xdg-portal - XDG Desktop Portal Infrastructure ## Overview Provides XDG Desktop Portal support for Sway containers. Installs the portal daemon, the wlroots-specific backend (`xdg-desktop-portal-wlr`), and the GTK fallback backend. Enables screen sharing, screenshots via portal API, and file dialogs for applications running inside the container. ## Layer Definition ```yaml depends: - dbus - sway - pipewire env: XDG_CURRENT_DESKTOP: "sway" rpm: packages: - xdg-desktop-portal
MUST be invoked before any work involving: ov config commands, image deployment setup, quadlet generation, secrets provisioning, encrypted volumes, data seeding, or volume backing configuration.
Full ov toolchain composition with CLI, virtualization, encrypted storage, and console access. Works identically on container/pod targets AND on host/local/bootc targets via the unified virtualization layer's mixed-`service:` schema. The previous ov-full-host sibling was deleted in the 2026-05 init-system-polymorphism cutover.
uv + uvx — Astral's fast Python package/project manager. Rewritten 2026-04 to install as a direct-download binary (no pixi env, no Python dep). Pulled via the `download:` verb with `strip_components: 1` to handle the upstream tarball's arch-prefixed top-level directory. Use when working with the uv layer or when deciding whether to install a CLI tool via pixi vs. direct binary download.
MUST be invoked before any work involving: `ov deploy add`/`ov deploy del` commands, quadlet generation, volume backing, tunnels (Tailscale/Cloudflare), `add_layers:` overlay, or per-machine deploy overlays.
Oracle CLI for prompt bundling and multi-engine AI queries. Use when working with the oracle layer.
WhatsApp CLI for message sending and history sync. Use when working with the wacli layer.
Node.js 24 and npm via Fedora RPM packages with global npm prefix. Use when working with Node.js 24 or applications requiring a newer Node.js version.
MUST be invoked before any work involving: ov start/stop/status/logs/update/remove commands, ov config (deployment), init system service management, or container lifecycle.
Authoritative reference for the "Hard Cutover by Default" policy governing schema changes, API renames, and deprecations. Forbidden patterns, required deliverables, rationale, examples from this repo, and the no-exception enforcement: plans are authored as full-scope single-phase cutovers and executed end-to-end regardless of estimated time, context, or scope. MUST be invoked when planning or reviewing any breaking change to Go types, YAML field names, CLI flags, or OCI labels.
Visual Studio Code editor installed from Microsoft's RPM repository. Use when working with VS Code installation or configuration in container images.
`disposable: true` is the ONE and ONLY authorization for autonomous destroy + rebuild via `ov update`. MUST be invoked before any task involving `ov update`, live verification on rebuildable targets, or marking a VM / container deploy as safe-to-nuke. Explains why disposability is a DEPLOY property (not an image property), the separation between load-bearing `disposable:` and informational `lifecycle:`, why derivation is deliberately absent, and how the flag makes live verification fearless on shared hosts.
Service status display with tool probes and device detection. MUST be invoked before any work involving: ov status command, checking container state, tool availability, port mapping, or JSON status output.
# wl-tools - Compositor-Agnostic Desktop Automation Tools ## Overview Provides CLI tools for desktop automation — Wayland-native, X11, and clipboard. Used by the `ov eval wl` command. Works on all wlroots compositors (sway, labwc). No daemon or special device access needed. **Note:** Screenshots are NOT included in this layer. Use `wl-screenshot-grim` (sway) or `wl-screenshot-pixelflux` (selkies) depending on your compositor. ## Layer Definition ```yaml rpm: packages: - wtype - wl
Wayland overlay windows via gtk4-layer-shell (for screen recordings). Use when working with the wl-overlay layer, gtk4-layer-shell, or overlay dependencies.
VmDeployTarget is the 4th DeployTarget implementer (after OCITarget, PodDeployTarget, HostDeployTarget; K8sDeployTarget is 5th). Applies an InstallPlan inside a running VM over SSH. Covers DeployExecutor interface, SSHExecutor, LocalExecutor, VmDeployState persistence, and the guest-side ledger. Source: ov/deploy_target_vm.go, ov/deploy_executor*.go, ov/deploy_add_cmd_vm.go. MUST be invoked before editing VM-target deploy code.
The InstallPlan IR — the shared intermediate representation consumed by build-mode Containerfile emission (OCITarget), container deploys (ContainerDeployTarget), host deploys (HostDeployTarget), VM deploys (VmDeployTarget over SSH), and Kubernetes deploys (KubernetesDeployTarget). MUST be invoked before reading or modifying any of: ov/install_plan.go, ov/install_build.go, ov/build_target_oci.go, ov/deploy_target_host.go, ov/deploy_target_container.go, ov/deploy_target_vm.go, ov/deploy_target_k8s.go, or when adding a new step kind / deploy target / reverse-op kind.
Desktop video recorder via selkies WebSocket capture bridge for selkies-desktop. Use when working with the wl-record-pixelflux layer.
MUST be invoked before any work involving: building container images, ov image build command, pushing to registries, merging layers, build caches, or Containerfile generation.
Go file map for the target:local execution surface. Files: local_spec.go, deploy_target_local.go, unified_targets_local.go, ssh_managed_config.go, hostdistro.go, install_ledger.go, builder_run.go, shell_profile.go, reverse_ops.go, service_render.go, deploy_ref.go. MUST be invoked before reading or modifying any of those files, or when debugging target:local deploy behaviour (ledger state, sudo batching, managed-block insertion, glibc preflight, ssh-config fragment, ref resolution).
Test layer for AUR package installation on Arch Linux. Use when working with the arch-aur-test layer.
COPR and external desktop packages: CoolerControl, Ghostty terminal, Nerd Fonts, WinBoat. Use when working with COPR repositories or these desktop applications in bootc images.
Cloud-init for instance initialization in cloud/VM environments with NoCloud datasource. Use when working with cloud-init, VM provisioning, or cloud instance bootstrapping.
CUDA toolkit, cuDNN, ONNX Runtime, and NVIDIA GPU development libraries from negativo17 repos. Depends on the nvidia layer for runtime support. Use when working with GPU computing, CUDA, cuDNN, machine learning infrastructure, or NVIDIA development tools.
Blog/RSS feed monitor CLI. Use when working with the blogwatcher layer.
Rootless nested podman/buildah/skopeo recipe. Ships zero cap_add — works via surgical `unmask=/proc/*` security_opt plus dual-location containers.conf/storage.conf/policy.json plus two canonical env vars plus subuid layout that fits inside the outer user namespace. Authoritative source for the `mount_too_revealing()` kernel RCA. Use when working with nested containers, the container-nesting layer, or any "rootless-in-rootless podman" question.
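The subuid constraint named above is the one that fails first when a host-style `/etc/subuid` layout is copied into the inner container. The check below is an added example, not code from the container-nesting layer or the ov project: it reads the inner user's subordinate range and confirms it lies entirely inside the uid ranges the outer user namespace mapped in (`/proc/self/uid_map`, lines of the form `inner-start outer-start count`, which the kernel allows to be coalesced when adjacent). The sample map and subuid lines are constructed, and the function names are mine.

```sh
#!/bin/sh
# Added example (not part of the container-nesting layer or the ov project).
# Verifies that the subordinate uid range the *inner* rootless podman will
# use lies inside the uid ranges the *outer* user namespace actually mapped.
#
# /proc/self/uid_map inside a rootless container has lines of the form
#   <inner-start> <outer-start> <count>
# and /etc/subuid has lines of the form
#   <user>:<start>:<count>
# Nested podman needs [start, start+count) to be fully mapped; the usual
# mistake is copying the host layout (100000:65536) into a container whose
# namespace only covers uids 0..65536.

# Constructed sample data: a rootless container whose outer namespace mapped
# uid 0 (to host uid 1000) plus a 65536-wide subordinate block.
SAMPLE_UID_MAP="         0       1000          1
         1     100000      65536"
GOOD_SUBUID="user:1:65535"          # fits inside the mapped block
BAD_SUBUID="user:100000:65536"      # host-style layout, outside the namespace

# subuid_range USER SUBUID_TEXT -> prints "start count" for USER, nothing if absent
subuid_range() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $2, $3; exit }'
}

# subuid_fits START COUNT UID_MAP_TEXT -> 0 if [START, START+COUNT) is covered
# by the mapped ranges (adjacent ranges are coalesced, as the kernel does)
subuid_fits() {
    start=$1; count=$2; map=$3
    end=$((start + count))
    printf '%s\n' "$map" | sort -n | awk -v s="$start" -v e="$end" '
        BEGIN { cur = s }
        NF == 3 && $1 <= cur && cur < $1 + $3 { cur = $1 + $3 }
        END { exit (cur >= e) ? 0 : 1 }'
}

# check_nested_subuid USER SUBUID_TEXT UID_MAP_TEXT
#   0 = range is mappable, 1 = range escapes the namespace, 2 = USER has no entry
check_nested_subuid() {
    range=$(subuid_range "$1" "$2")
    [ -n "$range" ] || return 2
    subuid_fits "${range% *}" "${range#* }" "$3"
}

# Demo on the constructed samples; on a real nested setup run
#   check_nested_subuid "$(id -un)" "$(cat /etc/subuid)" "$(cat /proc/self/uid_map)"
for s in "$GOOD_SUBUID" "$BAD_SUBUID"; do
    if check_nested_subuid user "$s" "$SAMPLE_UID_MAP"; then
        echo "$s: mappable inside the outer namespace"
    else
        echo "$s: escapes the outer namespace"
    fi
done
```

A non-zero result means the inner storage will ask newuidmap for ids the outer namespace never owned, which is the failure the layer's subuid layout is built to avoid. This checks only the uid side; `subgid` and `/proc/self/gid_map` need the same treatment.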
GnuPG encryption and signing tools for GPG agent forwarding. Use when working with GPG, encryption, signing, or the gnupg layer.
GitHub Actions self-hosted runner as a supervised container service. Use when working with GitHub Actions runners, CI/CD infrastructure, or runner registration.
Host dependency checker and hardware detector. Use when diagnosing host setup, checking dependencies, or verifying GPU detection.
Single command execution in a running container with D-Bus notification. MUST be invoked before any work involving: ov cmd command, running commands in containers, or container exec with notifications.
Fetch an image from its registry into local container storage so deploy-mode commands can read its OCI labels. MUST be invoked before any work involving: ov image pull command, the ErrImageNotLocal error, fetching images by short name / fully-qualified ref / @github.com/... remote ref, or recovering deploy-mode commands that fail with "image X is not available locally".
GIF search and download CLI. Use when working with the gifgrep layer.
Agent forwarding support -- GPG, SSH, and direnv for .secrets workflow. Use when working with agent forwarding, SSH/GPG socket forwarding, or the agent-forwarding layer.
Encrypted filesystem (gocryptfs) for ov config encrypted volume operations. Use when working with encrypted volumes, ov config mount/unmount, or filesystem encryption.
Xfce4 terminal emulator for Sway desktop environments with sway config integration. Use when working with terminal emulators in Sway desktop containers.
Configure KeePassXC as the freedesktop.org Secret Service provider on a target:local host: enable FdoSecrets, autostart KeePassXC, disable competing daemons (gnome-keyring + kwallet) at the per-user XDG-autostart and systemd-user-unit layers, install pinentry/libsecret/keyutils, and install generic direnv shell hooks for bash/zsh/fish. Use when adding KeePassXC as the Secret Service backend on a host (NOT for adding the binary to a container image — use /ov-foundation:keepassxc for that).
D-Bus session bus for inter-process communication inside containers. Use when working with D-Bus, desktop services, Wayland compositor dependencies, or ov eval dbus commands.
MCP server CLI for listing, configuring, and calling MCP tools. Use when working with the mcporter layer.
nano-pdf CLI for PDF editing with natural language. Use when working with the nano-pdf layer.
OS system configuration for bootc images: SDDM/KDE cleanup, systemd preset, /opt permissions, initramfs rebuild. Use when working with bootc OS configuration, systemd presets, or initramfs in bootable containers.
Food delivery order status CLI (Foodora). Use when working with the ordercli layer.
Overthink CLI (ov) binary installed into container/VM images for in-container use. Use when working with ov binary deployment inside containers, native D-Bus support, or the ov-full composition.
System files overlay and justfile imports for bootc images. Copies system_files to root filesystem. Use when working with system file overlays, justfile imports, or bazzite-ai configuration.
Google Workspace CLI (Gmail, Calendar, Drive, Contacts, Sheets, Docs). Use when working with the gogcli layer.
Core ML/AI Python environment with PyTorch, vLLM runtime deps, and CUDA support. Tier 2 environment-owner meta-layer that composes llama-cpp. Use when working with machine learning, PyTorch, HuggingFace, or GPU computing.
Fast recursive text search (rg). Use when working with the ripgrep layer.
PostgreSQL database server on port 5432 with pgvector extension and persistent data. Entrypoint supports POSTGRES_SHARED_PRELOAD_LIBRARIES for extension loading. Use when working with PostgreSQL, database configuration, or pgvector.
sherpa-onnx offline text-to-speech. Use when working with the sherpa-onnx layer.
Socket relay tool for VM console access and port relays (eth0 to loopback). Use when working with port relays, socat, or loopback service exposure.
Summarize CLI for extracting text/transcripts from URLs and files. Use when working with the summarize layer.
SQLite database CLI. Use when working with the sqlite layer.
Supervisord process manager for running multiple services inside containers. Use when working with supervisord, container service management, multi-process containers, event listeners for crash-loop circuit breaking, or service priority ordering.
Tailscale runtime wiring for target:local hosts. Sets `--operator=$account` + `--hostname=$(hostname -s)` so user-systemd ExecStartPost can run `tailscale serve` without sudo, and the tailnet device name stays in sync with the system hostname. Depends on /ov-foundation:tailscale (which installs the daemon). Self-gates on `systemctl is-active tailscaled` so it's a no-op in image-build / pre-auth contexts. Use when adding deploy-runtime tailscale wiring to a target:local host (canonical consumer: local.ov-cachyos) — distinct from the tailscale layer which only installs + enables the daemon.
Chrome DevTools MCP server via mcp-proxy (Streamable HTTP on port 9224). Use when working with the chrome-devtools-mcp layer, MCP-based browser automation, or the mcp-proxy stdio-to-HTTP bridge pattern.
QEMU guest agent for host-guest communication in virtual machines. Use when working with QEMU/KVM VMs, guest agent setup, or libvirt channel configuration.
Just task runner with ujust wrapper for Universal Blue justfile conventions. Use when working with just/ujust task runners or ublue-os justfile integration.
Traefik reverse proxy on ports 8000/8080/443 with automatic TLS and dynamic routing. Use when working with Traefik, reverse proxy, TLS certificates, or service routing.
QEMU/KVM/libvirt stack — works identically under supervisord (containers/ pods, custom `exec:` form) AND under systemd (host installs / bootc / VMs, use_packaged: virtqemud.socket / virtnetworkd.socket). Uses the mixed-entry `service:` schema (CLAUDE.md "Init-system polymorphism") — same name appears twice in the service: list, init system at deploy time picks the matching form. Canonical worked example of the polymorphism pattern.
Tailscale mesh VPN (tailscaled service). Installs the tailscale package from upstream, enables tailscaled.service via systemd. Use when adding Tailscale as a standalone systemd service to an image — distinct from the deploy-time Tailscale tunnel/sidecar model.
Hermes agent with AI CLIs (Claude Code, Codex, Gemini), developer tools, DevOps tools, and ov. Use when working with the hermes-full metalayer or full-featured standalone hermes deployments.
Immich photo management server on port 2283 with PostgreSQL and Redis. Use when working with Immich, photo management, or media library services.
Playwright Chromium browser for Hermes Agent with Fedora-compatible system deps. MUST be invoked before any work involving: Playwright in hermes containers, Chromium browser automation for hermes, or hermes-playwright layer configuration.
Sway desktop with VNC remote access via wayvnc on port 5900. Composes sway-desktop base with wayvnc.
Desktop notification client library providing notify-send CLI. Use when working with notify-send, libnotify, or shell-based notifications.
JupyterLab CRDT MCP server extension with 11 tools (notebook_*/cell_* + room_list + notebook_list_users) for programmatic notebook access. MUST be invoked when working with: the MCP server implementation, CRDT collaboration, the auto-attach single-room invariant, or the Tier 1 pip-only installation pattern for jupyter extensions.
Unsloth fine-tuning notebook collection provisioned into the workspace volume at deploy time. Data-only layer — no packages, no services, no dependencies. Use when working with notebook-finetuning, Unsloth training notebooks, or unsloth-studio data provisioning.
First kind:vm entity with source.kind: cloud_image — fetches the Arch Linux cloud qcow2 from pkgbuild.com, applies cloud-init, boots under libvirt/QEMU via BIOS firmware + virtio-gpu. Documents the stale-BOOTX64.EFI RCA, the simpledrm→qxldrmfb takeover race, the adopt-user pattern, and resource sizing. MUST be invoked before editing arch in vms.yml or authoring another cloud_image VM from a template.
Ollama integration notebook collection provisioned into the workspace volume at deploy time. 6 Jupyter notebooks demonstrating Ollama via requests, OpenAI, ollama lib, Anthropic, HuggingFace, and GPU. Data-only layer — no packages, no services, no dependencies. Use when working with notebook-ollama, Ollama API tutorials, or Jupyter+Ollama integration.
Immich machine learning backend on port 3003 for photo classification and search. Use when working with Immich ML features, face detection, or CLIP search.
# xdg-portal - XDG Desktop Portal Infrastructure ## Overview Provides XDG Desktop Portal support for Sway containers. Installs the portal daemon, the wlroots-specific backend (`xdg-desktop-portal-wlr`), and the GTK fallback backend. Enables screen sharing, screenshots via portal API, and file dialogs for applications running inside the container. ## Layer Definition ```yaml requires: - dbus - sway - pipewire env: XDG_CURRENT_DESKTOP: "sway" rpm: packages: - xdg-desktop-portal
# wl-screenshot-grim - Screenshot via grim (wlr-screencopy)

## Overview

Provides `grim` for Wayland screenshot capture using the `wlr-screencopy` protocol. Works on sway and standalone wlroots compositors. **Does NOT work on selkies-desktop** (labwc nested in pixelflux can't deliver screencopy frames). For selkies-desktop, use `wl-screenshot-pixelflux` instead.

## Layer Definition

```yaml
rpm:
  packages:
    - grim
```

## Key Properties

| Property | Value |
|----------|-------|
| Depends
Bootable (bootc) VM image combining the selkies-desktop streaming desktop with Tailscale (mesh VPN) and KeePassXC (password manager). Fedora 43 base. Boots under libvirt/QEMU as a full OS. Canonical worked example of the external-base-bootc + explicit-distro pattern. MUST be invoked before building, deploying, or troubleshooting selkies-desktop-bootc.
Minimal Ubuntu 24.04 builder image (pixi + Node.js + build-toolchain) used as the multi-stage builder for Ubuntu-based images — currently ubuntu-coder. Runs as uid 1000 `ubuntu` (adopted from the upstream ubuntu:24.04 base image via build.yml's base_user declaration). MUST be invoked before building, deploying, configuring, or troubleshooting the ubuntu-builder image.
KeePassXC password manager desktop app. Single-responsibility layer (rpm+pac, one test). Use when adding KeePassXC to an image as a standalone layer rather than pulling in the broader desktop-apps grab-bag.
MUST be invoked before any work involving: ov image validate command, validation rules, common validation errors, or checking image.yml and layer definitions.
MUST be invoked before any work involving: VNC automation, ov test vnc commands, RFB protocol desktop interaction, VNC screenshots, clicking coordinates, or VNC authentication.
FileBrowser Quantum web file manager with Tailscale tunnel. MUST be invoked before building, deploying, configuring, or troubleshooting the filebrowser image.
Kubernetes client tools: kubectl and Helm package manager. Use when working with Kubernetes, kubectl, or Helm charts.
Builder image with pixi, Node.js, and C/C++ build toolchain. Used as the default builder for multi-stage image builds. MUST be invoked before building, deploying, configuring, or troubleshooting the fedora-builder image.
Starter notebook templates provisioned into the workspace volume at deploy time. First data-only layer in the project — no packages, no services, no dependencies. Use when working with notebook-templates, data layers, or jupyter initial content.
Update image and restart service with data sync. MUST be invoked before any work involving: ov update command, pulling new image versions, data seeding, force-seed, or updating deployed services.
MUST be invoked before any work involving: `ov deploy add --target kubernetes`, `ov deploy from-image`, Kustomize manifest generation, cluster profiles, K8s deployments, `kubernetes:` block in deploy spec, or OCI-label capabilities.
Topic skill (no dedicated `ov openclaw` command — the surface is layer composition + image deployment). MUST be invoked before any work involving: OpenClaw gateway configuration, model auth, browser integration, channel setup, or any image composing `openclaw-*` layers (`openclaw`, `openclaw-ollama`, `openclaw-sway-browser`, `openclaw-full`, `openclaw-full-ml`, `openclaw-full-sway`, `openclaw-ollama-sway-browser`, `openclaw-browser-bootc`).
List components from image.yml and filesystem. MUST be invoked before any work involving: ov image list commands, enumerating images, layers, build targets, services, routes, volumes, or aliases.
Runtime configuration management for the ov CLI. MUST be invoked before any work involving: ov settings commands, runtime configuration, engine selection, bind address, storage paths, or secret backend configuration.
AUR helper for Arch Linux, enabling aur: package sections in layer.yml. Use when working with the yay layer or Arch AUR builds.
# xterm - X11 Terminal (XWayland)

## Overview

Lightweight X11 terminal emulator. On labwc (selkies-desktop), launching xterm triggers XWayland to start on-demand, enabling X11-based automation tools (xdotool, xprop, xwininfo) to find windows.

## Layer Definition

```yaml
rpm:
  packages:
    - xterm
```

## Key Properties

| Property | Value |
|----------|-------|
| Depends | None |
| Packages | `xterm` |
| WM_CLASS | `xterm` / `XTerm` |
| XWayland | Triggers on-demand start on labwc |

## Us
Node.js and npm via system packages (RPM/DEB) with global npm prefix. Use when working with Node.js, npm, or JavaScript/TypeScript tooling.
MUST be invoked before any work involving: ov image validate command, validation rules, common validation errors, or checking image.yml and layer definitions.
Generic SSH support for ov — `--host <alias>` re-execs any command on a remote machine; `ov ssh tunnel` exposes remote SPICE/VNC endpoints on the local host for external GUI apps.
Test layer for AUR package installation on Arch Linux. Use when working with the arch-aur-test layer.
Arch Linux builder image with pixi, Node.js, build toolchain, and yay AUR helper. Default builder for pixi, npm, cargo, and aur multi-stage builds on Arch. MUST be invoked before building, deploying, configuring, or troubleshooting the arch-builder image.
k3s control-plane (server) node with ServiceLB, Traefik v2, and local-path-provisioner enabled by default. Publishes kubeconfig back to the operator via layer artifacts and registers a ClusterProfile on first boot.
maplibre-versatiles-styler — interactive MapLibre GL JS control widget. Renders a collapsible sidebar on the map enabling users to switch between VersaTiles style presets (colorful/eclipse/graybeard/neutrino/shadow/satellite), edit color palettes, apply global recoloring, adjust fonts/language, modify satellite imagery settings, and export the resulting style JSON. Bundled locally from the npm package so the notebook's MapLibre cell can `<script src>` it without a CDN dependency. Re-exported by the versatiles-frontend layer's http.server at /styler/. MUST be invoked before building, deploying, or troubleshooting the maplibre-versatiles-styler layer.
PMTiles Viewer — visual inspector for PMTiles archives. TypeScript SPA from protomaps/PMTiles/app built via npm at image build time, served as a static dist by python -m http.server on port 8001 (host 28001). Pairs with the osm-tools layer's martin tile server to inspect all four sibling PMTiles archives the versa image produces. MUST be invoked before building, deploying, or troubleshooting the pmtiles-viewer layer.
VersaTiles SDF font glyphs for MapLibre GL JS. 10 font families (Fira Sans, Lato, Libre Baskerville, Merriweather Sans, Noto Sans, Nunito, Open Sans, PT Sans, Roboto, Source Sans 3) bundled locally from versatiles-org/versatiles-fonts GitHub releases. Installed so the notebook's shortbread MapLibre cell renders labels without hitting tiles.versatiles.org as a runtime font CDN. Re-exported by the versatiles-frontend layer's http.server at /fonts/. MUST be invoked before building, deploying, or troubleshooting the versatiles-fonts layer.
VersaTiles Frontend — pre-built TypeScript SPA from versatiles-org/versatiles-frontend GitHub releases. Third static-SPA-via-python-http.server in the versa image (after maputnik + pmtiles-viewer). Served on port 8002 (host-mapped 28002). Also re-exports the versatiles-style layer's bundle at /style/ so the notebook's mo.iframe can reach it via an absolute URL. MUST be invoked before building, deploying, or troubleshooting the versatiles-frontend layer.
Shortbread vector-tile schema generation via Tilemaker. The Shortbread schema (https://shortbread-tiles.org) is the de-facto general-purpose OSM vector-tile schema; the layer builds systemed/tilemaker (C++/Lua) from source and bundles the official shortbread-tiles/shortbread-tilemaker Lua + JSON configuration. The notebook's `notebook_osm_shortbread_pipeline` DAG invokes tilemaker on the Monaco PBF to produce `/workspace/tiles/shortbread/monaco-shortbread.pmtiles`, which the versatiles serve service auto-discovers. MUST be invoked before building, deploying, or troubleshooting the shortbread layer.
Debug toolkit for inspecting deployed services from inside the container — network probes (ip/ss/lsof/ping/dig/nc/socat/tcpdump/traceroute/mtr/wget), process inspection (ps/top/htop/pgrep/free/vmstat/strace/ltrace), file inspection (file/tree/xxd/vim/nano), system stats (iotop/iftop/sysstat), session helpers (tmux/rsync/yq). Distro-agnostic. Use when working with the debug-tools layer, the per-distro package-name divergence (nmap-ncat vs ncat vs gnu-netcat), or the 16 build-scope eval probes that lock in headline binary presence.
kind:vm entity pairing with the /ov-openclaw:openclaw-browser-bootc container image. source.kind: bootc. Thin pointer skill — composition + layer stack authority lives in /ov-openclaw:openclaw-browser-bootc. This skill documents only VM overrides. MUST be invoked before editing openclaw-browser-bootc-bootc in vms.yml.
kind:vm entity pairing with the /ov-distros:bazzite-ai bootc container image. source.kind: bootc. Thin pointer skill — composition + layer stack authority lives in /ov-distros:bazzite-ai. This skill documents only the VM-specific fields. MUST be invoked before editing bazzite-ai-bootc in vms.yml.
@versatiles/style — TypeScript npm package that generates MapLibre style JSON for the Shortbread vector-tile schema. Installed locally (npm install + copy browser bundle to /opt/versatiles-style/) so the notebook's MapLibre HTML can `<script src>` the locally-served JS without a CDN dependency. Re-exported by the versatiles-frontend layer's http.server at /style/ so the notebook's mo.iframe (which can only fetch absolute URLs) can reach the bundle. MUST be invoked before building, deploying, or troubleshooting the versatiles-style layer.
libvirt-RPC test commands — `ov eval libvirt <vm> …` for VM info, framebuffer screenshots, send-key, passwd, QMP, qemu-guest-agent client, snapshots, events.
VersaTiles CLI (versatiles-rs) — a single Rust binary that handles `convert` / `serve` / `probe` / `dev` for the `.versatiles`, `.pmtiles`, `.mbtiles`, and `.tar` tile-container formats. Installed from the pre-built linux-x86_64-gnu tarball on GitHub releases. Ships a supervisord service running `versatiles serve` on port 8090 (host 28090) that watches `/workspace/tiles/shortbread/`, parallel to martin on 3000/23000. The `convert` subcommand is symmetric — PMTiles ↔ .versatiles ↔ MBTiles round-trip — and is exercised end-to-end by both the layer's deploy-scope eval probe and a dedicated notebook cell. MUST be invoked before building, deploying, or troubleshooting the versatiles layer.
k3s worker (agent) node — joins an existing k3s-server via pre-shared token. Fully declarative: same ov secrets set once + env K3S_SERVER_URL per agent deploy.
Lightweight JupyterLab with real-time collaboration on port 8888. No GPU required. Based on fedora (not nvidia), supports both amd64 and arm64. MUST be invoked before building, deploying, configuring, or troubleshooting the jupyter image.
Full-featured standalone Hermes AI agent with AI CLIs, dev tools, DevOps tools, and ov. MUST be invoked before building, deploying, configuring, or troubleshooting the hermes image.
Lightweight JupyterLab with real-time collaboration (jupyter-collaboration) on port 8888. No GPU required. Use when working with collaborative notebooks, jupyter-collaboration, or lightweight Jupyter environments without ML/CUDA dependencies.
Persistent tmux sessions inside containers: shell reconnection, background commands, output capture, and key sending. Use when running long-lived or TTY-dependent commands. MUST be invoked before any work involving: ov tmux commands, persistent shells, background container commands, or TTY-dependent TUI programs.
Topic skill (no dedicated `ov sidecar` command — the surface is the `--sidecar <name>` / `--list-sidecars` flags on `ov config` and the `sidecars:` field in `deploy.yml`). MUST be invoked before any work involving: sidecar containers, pod networking, Tailscale exit nodes, `ov config --sidecar`, the `deploy.yml` `sidecars:` field, or sidecar-env filtering (`env_accepts` / `env_requires` routing to the sidecar vs the app container).
MUST be invoked before any work involving: GPU device access rules, ov udev commands, udev rule management, or container GPU troubleshooting.
Developer tools including bat, ripgrep, neovim, gh, direnv, fd-find, htop, podman-compose, and many more CLI utilities. Use when working with developer tooling, CLI utilities, or container dev environments.
Google Gemini CLI for AI coding assistance and search. Use when working with the gemini layer.
OpenSSH server and client on port 22 for remote access. Use when working with SSH access, remote login, or sshd configuration in containers/VMs.
ComfyUI image generation server with CUDA GPU support. Runs as a supervisord service on port 8188 with persistent storage. MUST be invoked before building, deploying, configuring, or troubleshooting the comfyui image.
Service log viewing for running containers. MUST be invoked before any work involving: ov logs command, viewing container output, or debugging service issues.
Show ov CLI version information. MUST be invoked before any work involving: ov version command or checking installed ov version.
Arch Linux builder image with pixi, Node.js, build toolchain, and yay AUR helper. Default builder for pixi, npm, cargo, and aur multi-stage builds on Arch. MUST be invoked before building, deploying, configuring, or troubleshooting the archlinux-builder image.
Base Arch Linux image. Root of the image hierarchy for all pac-based images. MUST be invoked before building, deploying, configuring, or troubleshooting the archlinux image.
Unsloth Studio fine-tuning web UI with CUDA GPU support, vLLM inference, and llama.cpp. Runs as a supervisord service on ports 8888 (Studio) and 8000 (vLLM API). MUST be invoked before building, deploying, configuring, or troubleshooting the unsloth-studio image.
Bootc system configuration: tty1 autologin, graphical target, pipewire/wireplumber enablement, and the systemd-user supervisord autostart unit that brings up supervisord-managed desktop services on bootc. Canonical home for any bootc-side boot wiring. Use when working with bootc images, autologin, systemd graphical target, or the supervisord-under-systemd autostart pattern.
Base Debian 13 trixie image. Root of the image hierarchy for deb-based builds that run as uid 1000 `user` (create mode — Debian 13 ships no pre-existing uid-1000 account). Enabled 2026-04 as part of Phase A–F. MUST be invoked before building, deploying, configuring, or troubleshooting any Debian-based image.
Fedora image using remote layer references from GitHub. Demonstrates the @github.com/org/repo/layers/name:version remote layer syntax. MUST be invoked before building, deploying, configuring, or troubleshooting the fedora-remote image.
Test image with Traefik reverse proxy and testapi service. Currently disabled. Used for development testing. MUST be invoked before building or troubleshooting the fedora-test image.
Self-hosted GitHub Actions runner with the full Overthink toolchain. Rootless-first since 2026-04 — runs as uid=1000 with passwordless sudo (no root, no cap_add: ALL). Host networking retained for reachability. MUST be invoked before building, deploying, configuring, or troubleshooting the githubrunner image.
KeePassXC password manager desktop app. Single-responsibility layer (rpm+pac, one test). Use when adding KeePassXC to an image as a standalone layer rather than pulling in the broader desktop-apps grab-bag.
NVIDIA GPU base image with runtime support and CUDA toolkit on Fedora. Base for all GPU-accelerated images (python-ml, jupyter, ollama, comfyui). MUST be invoked before building, deploying, configuring, or troubleshooting the nvidia image.
Redis in-memory data store on port 6379 with periodic persistence. Use when working with Redis, caching, or session storage in containers.
VectorChord PostgreSQL extension for optimized vector similarity search. Use when working with VectorChord, vector indices, or smart search performance.
Base Fedora 43 image. Root of the image hierarchy for all RPM-based images. MUST be invoked before building, deploying, configuring, or troubleshooting the fedora image.
Hermes AI agent image with Playwright Chromium browser for web automation. Builds on top of the headless hermes image, adding Chromium and system deps. MUST be invoked before building, deploying, configuring, or troubleshooting the hermes-playwright image.
Immich photo management server on port 2283. Includes PostgreSQL, Redis, and non-free codec support via RPM Fusion. CPU-only (no ML). MUST be invoked before building, deploying, configuring, or troubleshooting the immich image.
NVIDIA GPU runtime support: driver libs, nvidia-container-toolkit (CDI), and VA-API. Fedora (negativo17) and Arch Linux (pac). Base layer for all GPU-accelerated images. Use when working with NVIDIA GPU support, CDI device injection, or the nvidia layer.
Fedora with RPM Fusion non-free repositories enabled. Base for images needing codec or proprietary package support like immich. MUST be invoked before building, deploying, configuring, or troubleshooting the fedora-nonfree image.
MUST be invoked before any work involving: layer authoring, layer.yml, tasks, pixi.toml, package.json, Cargo.toml, or any file under layers/. This skill is the authoritative reference for the `task:` verb catalog, `vars:` substitution, execution order, and per-verb validation. Every other skill defers here for install-schema questions.
Containerfile generation from image.yml and layers. MUST be invoked before any work involving: ov image generate command, Containerfile generation, .build/ directory contents, the task-verb emission pipeline, or understanding generated output.
MUST be invoked before any work involving: Model Context Protocol — both directions. (1) `ov eval mcp` client: probing MCP servers declared via mcp_provides, testing MCP tool catalogs, debugging the URL-rewriter (including host-networked containers via `HostConfig.NetworkMode` detection) or port-publishing behavior. (2) `ov mcp serve` server: running the ov CLI itself as an MCP server over Streamable HTTP or stdio, auto-generated from Kong reflection (~192 tools including the MCP-first authoring surface — image/layer scaffolding, comment-preserving YAML edits, free-form file writes), destructive-hint annotations, the `--read-only` filter, auto-fallback to `overthinkos/overthink` when cwd has no `image.yml` (always fires regardless of OV_PROJECT_DIR being set), and the `ov-mcp` deployment layer with its `/workspace` bind mount. Named `ov-mcp-cmd` (not `mcp`) to disambiguate from Claude Code's built-in `/mcp` slash command (the `-cmd` suffix avoids collision with the existing `/ov-coder:ov-mcp` image skill).
Agent forwarding support -- GPG, SSH, and direnv for .secrets workflow. Use when working with agent forwarding, SSH/GPG socket forwarding, or the agent-forwarding layer.
Service status display with tool probes and device detection. MUST be invoked before any work involving: ov status command, checking container state, tool availability, port mapping, or JSON status output. Named `ov-status` (not `status`) to disambiguate from Claude Code's built-in `/status` slash command.
Privileged pacstrap builder image for bootstrapping a CachyOS rootfs from scratch. base: ov.arch (via the `ov` import namespace) + the pacstrap-builder layer. Lives in the overthinkos/cachyos submodule (image/cachyos). MUST be invoked before building or troubleshooting cachyos-pacstrap / cachyos-vm.
MUST be invoked before any work involving: ov config commands, image deployment setup, quadlet generation, secrets provisioning, encrypted volumes, data seeding, or volume backing configuration. Named `ov-config` (not `config`) to disambiguate from Claude Code's built-in `/config` slash command.
Update image and restart service with data sync. MUST be invoked before any work involving: ov update command, pulling new image versions, data seeding, force-seed, or updating deployed services. Named `ov-update` (not `update`) to disambiguate from Claude Code's built-in `/update`/`/upgrade` slash commands.
MUST be invoked before any work involving: ov eval adb commands, Android Debug Bridge interaction, APK install/uninstall, device shell command execution, system property reads, screencap, logcat tailing — anywhere the goal is to drive a running Android emulator from outside the container via the host-published ADB server port.
MUST be invoked before any work involving: Wayland / wlroots desktop automation — `ov eval wl` commands (screenshots, click/type/scroll/drag, window management via wlrctl, clipboard, resolution control, AT-SPI2 introspection, window geometry), nested `wl sway` / `wl overlay` subcommands, or `wl:` declarative verbs inside `eval:` blocks. Covers sway-desktop and selkies-desktop image automation on both sway and labwc compositors.
MUST be invoked before any work involving: the `kind: android` schema kind, a `target: android` deploy, the `apk:` layer package format (installing Android apps declaratively), AndroidDeployTarget, an in-pod emulator OR a remote/physical adb-endpoint device, or nested `pod → android` deployment. The first-class Android device + app surface that sits above `ov eval adb`/`appium`.
Fullscreen Wayland overlays for screen recordings via gtk4-layer-shell. MUST be invoked before any work involving: ov eval wl overlay commands, recording overlays, title cards, lower-thirds, countdowns, or fade transitions.
Record terminal sessions (asciinema) or desktop video (pixelflux/wf-recorder). MUST be invoked before any work involving: ov eval record commands, terminal recording, desktop video recording, or session capture.
Hermes self-improving AI agent by Nous Research with voice, messaging, and tool-calling. MUST be invoked before any work involving: the hermes layer, Hermes Agent configuration, hermes service setup, or hermes Python/npm dependencies.
MUST be invoked before any work involving: the `ov image` command family, image definitions in image.yml, image inheritance, defaults, platforms, builder configuration, the image dependency graph, or the build/deploy scope boundary.
Authoritative reference for the "Hard Cutover by Default" policy governing schema changes, API renames, and deprecations. Forbidden patterns, required deliverables, rationale, examples from this repo, and the no-exception enforcement: plans are authored as full-scope single-phase cutovers and executed end-to-end regardless of estimated time, context, or scope. MUST be invoked when planning or reviewing any breaking change to Go types, YAML field names, CLI flags, or OCI labels.
Tailscale runtime wiring for target:local hosts. Sets `--operator=$account` + `--hostname=$(hostname -s)` so user-systemd ExecStartPost can run `tailscale serve` without sudo, and the tailnet device name stays in sync with the system hostname. Depends on /ov-infrastructure:tailscale (which installs the daemon). Self-gates on `systemctl is-active tailscaled` so it's a no-op in image-build / pre-auth contexts. Use when adding deploy-runtime tailscale wiring to a target:local host (canonical consumer: local.ov-cachyos) — distinct from the tailscale layer which only installs + enables the daemon.
Claude Code multi-agent support in Overthink — sub-agents, dynamic workflows, and agent teams, and how each drives the existing `ov eval` disposable beds to test and verify. MUST be invoked before authoring or invoking an ov sub-agent / dynamic workflow / agent team, wiring agent-lifecycle hooks, or asking "which primitive should drive the R10 beds?".
Tailscale mesh VPN (tailscaled service). Installs the tailscale package from upstream, enables tailscaled.service via systemd. Use when adding Tailscale as a standalone systemd service to an image — distinct from the deploy-time Tailscale tunnel/sidecar model.
`disposable: true` is the ONE and ONLY authorization for autonomous destroy + rebuild via `ov update`. MUST be invoked before any task involving `ov update`, live verification on rebuildable targets, or marking a VM / container deploy as safe-to-nuke. Explains why disposability is a DEPLOY property (not an image property), the separation between load-bearing `disposable:` and informational `lifecycle:`, why derivation is deliberately absent, and how the flag makes live verification fearless on shared hosts.
Use when committing, branching, pushing, merging, tagging, creating PRs, or approving/merging PRs with gh — the feat/-branch, R10-gated, never-force-push landing workflow across the main repo + the plugins submodule + image/<distro> submodules. Covers sync-to-upstream, branch/worktree pruning, the fork+PR path for contributors without write access, and cross-repo @github landing order.
The InstallPlan IR — the shared intermediate representation consumed by build-mode Containerfile emission (OCITarget), pod deploys (PodDeployTarget), local deploys (LocalDeployTarget), VM deploys (VmDeployTarget over SSH), and Kubernetes deploys (K8sDeployTarget). MUST be invoked before reading or modifying any of: ov/install_plan.go, ov/install_build.go, ov/build_target_oci.go, ov/deploy_target_local.go, ov/deploy_target_pod.go, ov/deploy_target_vm.go, ov/k8s_target.go, or when adding a new step kind / deploy target / reverse-op kind.
Go CLI development: building the ov binary, running tests, understanding the source code structure. MUST be invoked before reading or modifying any Go source file in ov/.
Pure renderer from VmSpec + LibvirtConfig to libvirt domain XML and QEMU argv. Covers RenderDomain, device emission (passt backend, portForward attribute order, virtio-gpu defaults), firmware plumbing, and LibvirtConfig schema shape. Source: ov/libvirt_schema.go, ov/libvirt_render.go, ov/libvirt_render_devices.go, ov/qemu_render.go. MUST be invoked before editing libvirt XML emission.
UEFI firmware (OVMF_CODE + OVMF_VARS) path resolution for VMs. Covers the per-distro path table (Fedora vs Arch vs Debian/Ubuntu), per-VM NVRAM copies pattern, secure-boot variants, and the "empty strings = skip loader/nvram" contract for firmware: bios. Source: ov/ovmf_paths.go. MUST be invoked before editing UEFI firmware resolution.
Supervisord process manager for running multiple services inside containers. Use when working with supervisord, container service management, multi-process containers, event listeners for crash-loop circuit breaking, or service priority ordering.
Kitchen-sink development image on Debian 13 trixie: coding + AI-coding CLIs + DevOps tooling in one container. Debian base, 30+ direct layers mirroring fedora-coder's stack but with deb: sections. Runs as uid 1000 (`user`) with passwordless sudo. 143/0 tests pass. Use when working with the debian-coder image — or when comparing cross-distro parity across the four coder-family images.
Operationalization of CLAUDE.md R1-R5 — the engineering-discipline rules that come BEFORE runtime verification. Covers: (R1) RCA on every failure via /ov-internals:root-cause-analyzer; (R2) no "pre-existing" / "out of scope" / "follow-up PR" classifications; (R3) no code duplication, generic over ad-hoc; (R4) no ad-hoc workarounds; (R5) hard cutover deletes the deprecated path AND every stale reference in the same commit. MUST be invoked when a failure / warning / anomaly surfaces, when the same pattern is about to land in a second surface, when a sleep / retry / magic-number is tempting, or when a cutover commit is about to ship.
SPICE wire-level client for VMs — `ov eval spice <vm>` handshake, inputs, native display screenshots via the Shells-com/spice library.
Fetch an image from its registry into local container storage so deploy-mode commands can read its OCI labels. MUST be invoked before any work involving: ov image pull command, the ErrImageNotLocal error, fetching images by short name / fully-qualified ref / @github.com/... remote ref, or recovering deploy-mode commands that fail with "image X is not available locally".
Arch Linux image with the full ov toolchain. Rootless-first since 2026-04 — runs as uid=1000 with passwordless sudo (no root, no cap_add: ALL). Composes /ov-coder:ov-mcp so the image is reachable as an MCP gateway on port 18765. NVIDIA GPU runtime composed in. MUST be invoked before building, deploying, configuring, or troubleshooting the arch-ov image.
OpenAI Codex CLI coding agent. Use when working with the codex layer.
Forge AI coding agent CLI (forgecode.dev) installed globally via npm from the `forgecode` package. Installs the `forge` binary. Use when working with Forge, forgecode.dev, or alternative AI coding agents.
Host dependency checker and hardware detector. Use when diagnosing host setup, checking dependencies, or verifying GPU detection.
Claude Code CLI installed globally via npm from @anthropic-ai/claude-code. Use when working with Claude Code, AI coding assistants, or Anthropic tooling.
Kitchen-sink development image on Ubuntu 24.04 noble: coding + AI-coding CLIs + DevOps tooling in one container. Ubuntu base, 30+ direct layers mirroring fedora-coder's stack. Runs as uid 1000 `ubuntu` — the upstream ubuntu:24.04 account, adopted verbatim via build.yml's base_user declaration. 142/0/1-skip tests pass as of 2026-04-20. Use when working with the ubuntu-coder image — especially when the `${USER}` / `${HOME}` / sudoers differ from the other three coder images.
MUST be invoked before any work involving: ov shell command, interactive shells, command execution in containers, workspace mounts, TTY allocation, or port relay.
Base Ubuntu 24.04 noble image. Root of the image hierarchy for Ubuntu-based builds. Runs as uid 1000 `ubuntu` via ADOPT mode — the upstream ubuntu:24.04 base image ships a pre-existing ubuntu:ubuntu account, and build.yml distro.ubuntu declares base_user to adopt it verbatim. Enabled 2026-04 as part of Phase A–F. MUST be invoked before building, deploying, configuring, or troubleshooting any Ubuntu-based image.
Pure renderer from VmSpec + VmCloudInit to NoCloud seed ISO (user-data + meta-data + network-config). Covers composeUsers adopt-merge, SMBIOS vs cloud_init additive channels, xorriso ISO emission, and ov_install.strategy state machine. Source: ov/cloud_init_render.go, ov/cloud_init_iso.go, ov/ov_install.go. MUST be invoked before editing cloud-init emission paths.
Go type reference for VmSpec and the discriminated-union source types (VmSource cloud_image | bootc). Documents every field, validation rules, and the adopt-user decision. Source files: ov/vm_spec.go, ov/cloud_init_types.go, ov/libvirt_validate.go. MUST be invoked before editing VmSpec Go code or authoring vms.yml entries.
Test image for Arch Linux pacman and AUR package installation. MUST be invoked before building or troubleshooting the arch-test image.
Bazzite NVIDIA bootc image with dev tools, CUDA, Kubernetes, Docker, and desktop apps. Currently disabled. Enable in image.yml to build. MUST be invoked before building, deploying, or troubleshooting the bazzite-ai image.
Aurora DX bootc image with NVIDIA, SSH, ov toolchain, and Go. Currently disabled. Enable in image.yml to build. MUST be invoked before building, deploying, or troubleshooting the aurora image.
RPM Fusion free and nonfree repository configuration for Fedora. Use when working with RPM Fusion repos, multimedia codecs, or nonfree packages.
Minimal Debian 13 builder image (pixi + Node.js + build-toolchain) used as the multi-stage builder for every image based on Debian — currently debian-coder. Produces the pre-compiled pixi envs, npm globals, and cargo crates that land in the final runtime image via COPY --from. MUST be invoked before building, deploying, configuring, or troubleshooting the debian-builder image.
Fedora image with the full ov toolchain using shared layers. Rootless-first since 2026-04 — runs as uid=1000 with passwordless sudo (no root, no cap_add: ALL). Same layer list as arch-ov. Includes NVIDIA GPU runtime. MUST be invoked before building, deploying, configuring, or troubleshooting the fedora-ov image.
Base Fedora 43 image. Root of the image hierarchy for all RPM-based images. MUST be invoked before building, deploying, configuring, or troubleshooting the fedora image.
Test layer for pacman package installation on Arch Linux. Use when working with the arch-pac-test layer.
GPU-accelerated Python ML environment with CUDA, PyTorch, and llama.cpp. No Jupyter server — use as a base for ML workloads or interactive shell. MUST be invoked before building, deploying, configuring, or troubleshooting the python-ml image.
k3s binary installer (common base for k3s-server and k3s-agent). Use when building images that need the k3s binary but do NOT want a server/agent service started automatically.
Test image with Valkey (Redis-compatible) key-value store. Currently disabled. Used for development testing. MUST be invoked before building or troubleshooting the valkey-test image.
Terminal multiplexer. Use when working with the tmux layer.
Minimal Ubuntu 24.04 builder image (pixi + Node.js + build-toolchain) used as the multi-stage builder for Ubuntu-based images — currently ubuntu-coder. Runs as uid 1000 `ubuntu` (adopted from the upstream ubuntu:24.04 base image via build.yml's base_user declaration). MUST be invoked before building, deploying, configuring, or troubleshooting the ubuntu-builder image.
Full CUDA ML JupyterLab image with fine-tuning, Ollama, and LLM course notebooks, a CRDT MCP server, and real-time collaboration. Base: nvidia. Port 8888. Combines jupyter-ml with 37 Unsloth fine-tuning notebooks, 6 Ollama integration notebooks, and 15 LLM course notebooks. MUST be invoked before building, deploying, or troubleshooting the jupyter-ml-notebook image.
AUR helper for Arch Linux, enabling aur: package sections in layer.yml. Use when working with the yay layer or Arch AUR builds.
Single command execution in a running container with D-Bus notification. MUST be invoked before any work involving: ov cmd command, running commands in containers, or container exec with notifications.
Image inspection showing resolved configuration as JSON. MUST be invoked before any work involving: ov image inspect command, viewing image configuration, or querying image metadata.
List components from image.yml and filesystem. MUST be invoked before any work involving: ov image list commands, enumerating images, layers, build targets, services, routes, volumes, or aliases.
Host dependency checker and hardware detector. Use when diagnosing host setup, checking dependencies, or verifying GPU detection.
Node.js 24 and npm via Fedora RPM packages with global npm prefix. Use when working with Node.js 24 or applications requiring a newer Node.js version.
MUST be invoked before any work involving: ov config commands, image deployment setup, quadlet generation, secrets provisioning, encrypted volumes, data seeding, or volume backing configuration.
Stop a running service container. MUST be invoked before any work involving: ov stop command, stopping containers, or halting services.
Show ov CLI version information. MUST be invoked before any work involving: ov version command or checking installed ov version.
Base Arch Linux image. Root of the image hierarchy for all pac-based images. MUST be invoked before building, deploying, configuring, or troubleshooting the archlinux image.
Fedora image using remote layer references from GitHub. Demonstrates the @github.com/org/repo/layers/name:version remote layer syntax. MUST be invoked before building, deploying, configuring, or troubleshooting the fedora-remote image.
GitHub Actions self-hosted runner as a supervised container service. Use when working with GitHub Actions runners, CI/CD infrastructure, or runner registration.
Immich photo management server on port 2283 with PostgreSQL and Redis. Use when working with Immich, photo management, or media library services.
Encrypted filesystem (gocryptfs) for ov config encrypted volume operations. Use when working with encrypted volumes, ov config mount/unmount, or filesystem encryption.
k3s worker (agent) node — joins an existing k3s-server via pre-shared token. Fully declarative: same ov secrets set once + env K3S_SERVER_URL per agent deploy.
Socket relay tool for VM console access and port relays (eth0 to loopback). Use when working with port relays, socat, or loopback service exposure.
MUST be invoked before any work involving: `ov deploy add --target kubernetes`, `ov deploy from-image`, Kustomize manifest generation, cluster profiles, K8s deployments, `kubernetes:` block in deploy spec, or OCI-label capabilities.
Kubernetes cluster probe verb — `ov eval k8s <method>` for nodes, pods, ingress, storage class, addon health, apply/delete, and arbitrary resource GETs. Hermetic via vendored client-go; no external kubectl required.
Python 3.13 runtime installed via pixi (conda-forge). Use when working with Python, pixi environments, or Python dependencies.
mcp-server-apache-airflow 0.2.10 wraps Apache Airflow's REST API as ~70 MCP tools (fetch_dags, post_dag_run, get_dag_run, list_connections, …). Use when working with the airflow MCP server's tool catalog, the JWT auth flow it shares with direct REST clients, or the wrapper script's airflow-readiness wait loop.
marimo reactive notebook server (also runs as MCP server via --mcp), GPU-accelerated OSM/GTFS analytics deps (cudf-polars-cu13, polars, geopandas, quackosm, gtfs-parquet), Apache Airflow Python deps (the airflow layer ships no pixi env), and the marimo-team/learn curriculum + marimo-team/skills bundle for AI agents. Use when working with the marimo layer, its pixi environment, the supervisord service spec, or the cell-display + mo.iframe rendering patterns.
marimo reactive notebook environment with Apache Airflow + GPU-accelerated OSM/GTFS analytics + martin vector tiles + 3D terrain via MapLibre. Composes 9 layers (agent-forwarding, marimo, airflow, osm-data, maputnik, notebook-osm, debug-tools, dbus, ov) into a single pod that exposes 5 host ports and 2 MCP servers. MUST be invoked before building, deploying, configuring, or troubleshooting the marimo-ml image.
marimo's built-in MCP server (10 read-only inspection tools — get_active_notebooks, get_cell_outputs, get_notebook_errors, etc.) at port 2718 path /mcp/server. Use when working with the marimo MCP tool catalog, programmatic notebook diagnostics, or the cells-don't-execute-via-MCP gap (marimo MCP is read-only; cells run via WebSocket from a browser OR `marimo export ipynb --include-outputs` for headless execution).
Bootc VM image with OpenClaw gateway, Chrome, VNC, and PipeWire. Currently disabled. Enable in image.yml to build. MUST be invoked before building, deploying, or troubleshooting the openclaw-browser-bootc image.
MUST be invoked before any work involving: host command aliases, ov alias add/remove/install/uninstall, or wrapper scripts that run inside containers.
MUST be invoked before any work involving: Model Context Protocol — both directions. (1) `ov eval mcp` client: probing MCP servers declared via mcp_provides, testing MCP tool catalogs, debugging the URL-rewriter (including host-networked containers via `HostConfig.NetworkMode` detection — new 2026-04) or port-publishing behavior. (2) `ov mcp serve` server: running the ov CLI itself as an MCP server over Streamable HTTP or stdio, auto-generated from Kong reflection (~192 tools including the MCP-first authoring surface — image/layer scaffolding, comment-preserving YAML edits, free-form file writes), destructive-hint annotations, the `--read-only` filter, auto-fallback to `overthinkos/overthink` when cwd has no `image.yml` (always fires now, regardless of OV_PROJECT_DIR being set — 2026-04 change), and the `ov-mcp` deployment layer with its `/workspace` bind mount.
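The `--read-only` filter and destructive-hint annotations described above, worked as an added Go example that is not the ov mcp serve implementation: the MCP tool annotations default to readOnlyHint=false and destructiveHint=true when absent, so an unannotated tool has to be treated as mutating and destructive (fail closed), and the tools/call gate must use the same predicate as the filtered tools/list catalog or a client can still invoke what the catalog hid. The tool names in the sample catalog are constructed for the example, not ov's real tool list.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ToolAnnotations carries the MCP behavioural hints. Pointers keep "absent"
// distinct from "false" so the spec defaults can be applied explicitly.
type ToolAnnotations struct {
	ReadOnlyHint    *bool `json:"readOnlyHint,omitempty"`
	DestructiveHint *bool `json:"destructiveHint,omitempty"`
	IdempotentHint  *bool `json:"idempotentHint,omitempty"`
}

// Tool is the subset of a tools/list entry the filter needs.
type Tool struct {
	Name        string           `json:"name"`
	Annotations *ToolAnnotations `json:"annotations,omitempty"`
}

// IsReadOnly is true only when the server explicitly marked the tool
// read-only; an unannotated tool is assumed to mutate.
func (t Tool) IsReadOnly() bool {
	return t.Annotations != nil && t.Annotations.ReadOnlyHint != nil && *t.Annotations.ReadOnlyHint
}

// IsDestructive applies the spec default: a mutating tool without a
// destructiveHint counts as destructive.
func (t Tool) IsDestructive() bool {
	if t.IsReadOnly() {
		return false
	}
	if t.Annotations == nil || t.Annotations.DestructiveHint == nil {
		return true
	}
	return *t.Annotations.DestructiveHint
}

// FilterReadOnly is the catalog a --read-only style server advertises.
func FilterReadOnly(tools []Tool) []Tool {
	var out []Tool
	for _, t := range tools {
		if t.IsReadOnly() {
			out = append(out, t)
		}
	}
	return out
}

// AllowCall gates tools/call: unknown names are always rejected, and in
// read-only mode only tools the filtered catalog would list may run.
func AllowCall(tools []Tool, name string, readOnly bool) bool {
	for _, t := range tools {
		if t.Name == name {
			return !readOnly || t.IsReadOnly()
		}
	}
	return false
}

// ParseCatalog decodes a tools/list result body.
func ParseCatalog(raw string) ([]Tool, error) {
	var env struct {
		Tools []Tool `json:"tools"`
	}
	if err := json.Unmarshal([]byte(raw), &env); err != nil {
		return nil, err
	}
	return env.Tools, nil
}

// SampleCatalog is a constructed tools/list result, not captured from ov.
const SampleCatalog = `{"tools":[
 {"name":"image_inspect","annotations":{"readOnlyHint":true}},
 {"name":"status","annotations":{"readOnlyHint":true,"idempotentHint":true}},
 {"name":"remove","annotations":{"readOnlyHint":false,"destructiveHint":true}},
 {"name":"config_write","annotations":{"readOnlyHint":false,"destructiveHint":false}},
 {"name":"legacy_exec"}
]}`

func main() {
	tools, err := ParseCatalog(SampleCatalog)
	if err != nil {
		panic(err)
	}
	for _, t := range FilterReadOnly(tools) {
		fmt.Println("read-only:", t.Name)
	}
	for _, t := range tools {
		fmt.Printf("%-13s destructive=%v call-allowed-in-read-only=%v\n",
			t.Name, t.IsDestructive(), AllowCall(tools, t.Name, true))
	}
}
```

The hints are supplied by the server and are not a security boundary on their own; the filter is only as trustworthy as the annotations the server emits, which is why a fail-closed default matters for tools that were never annotated.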
Claude Code CLI installed globally via npm from @anthropic-ai/claude-code. Use when working with Claude Code, AI coding assistants, or Anthropic tooling.
Forge AI coding agent CLI (forgecode.dev) installed globally via npm from the `forgecode` package. Installs the `forge` binary. Use when working with Forge, forgecode.dev, or alternative AI coding agents.
Google Cloud npm packages: firebase-tools and Gemini CLI. Use when working with Firebase, Gemini CLI, or GCP Node.js tooling.
Pre-commit git hooks framework via pixi, plus markdownlint-cli via npm. Use when working with git hooks, linting, or code quality tooling.
Service status display with tool probes and device detection. MUST be invoked before any work involving: ov status command, checking container state, tool availability, port mapping, or JSON status output.
Update image and restart service with data sync. MUST be invoked before any work involving: ov update command, pulling new image versions, data seeding, force-seed, or updating deployed services.
Arch Linux builder image with pixi, Node.js, build toolchain, and yay AUR helper. Default builder for pixi, npm, cargo, and aur multi-stage builds on Arch. MUST be invoked before building, deploying, configuring, or troubleshooting the archlinux-builder image.
Base composition for bootc OS images including SSH, QEMU guest agent, and bootc config. Use when working with bootable container images, VMs, or OS-level configuration.
D-Bus interaction inside containers via native Go godbus/dbus/v5. MUST be invoked before any work involving: ov eval dbus commands, desktop notifications, D-Bus method calls, service introspection, or session bus interaction.
Playwright Chromium browser for Hermes Agent with Fedora-compatible system deps. MUST be invoked before any work involving: Playwright in hermes containers, Chromium browser automation for hermes, or hermes-playwright layer configuration.
Immich machine learning backend on port 3003 for photo classification and search. Use when working with Immich ML features, face detection, or CLIP search.
Playwright browser automation (OpenClaw AI snapshots). Use when working with the playwright layer.
GnuPG encryption and signing tools for GPG agent forwarding. Use when working with GPG, encryption, signing, or the gnupg layer.
SQLite database CLI. Use when working with the sqlite layer.
OpenSSH client tools for SSH agent forwarding. Use when working with SSH client, SSH agent forwarding, or the ssh-client layer.
D-Bus session bus for inter-process communication inside containers. Use when working with D-Bus, desktop services, Wayland compositor dependencies, or ov eval dbus commands.
Valkey 9.x key-value store (Redis-compatible) on port 6379 via Remi modular repo. Use when working with Valkey, Redis-compatible caching, or the valkey layer.
FastAPI test service on port 9090 routed via testapi.localhost for development testing. Use when working with the test API, Traefik routing validation, or service health checks.
llama.cpp prebuilt binaries and GGUF conversion tools. Use when working with llama.cpp, GGUF model conversion, or llama-quantize/llama-cli.
Core ML/AI Python environment with PyTorch, vLLM runtime deps, and CUDA support. Tier 2 environment-owner meta-layer that composes llama-cpp. Use when working with machine learning, PyTorch, HuggingFace, or GPU computing.
Apache Airflow 3.x with LocalExecutor + SQLite (single-node, dev-friendly), 4 supervisord services (init, scheduler, dag-processor, webserver) plus the airflow-mcp wrapper. Layer is service-only — its Python deps live in /ov-marimo:marimo-layer's pixi env. Use when working with the airflow layer, Airflow 3.x compatibility findings, the SimpleAuthManager auth-fix pattern, the dag-processor split-from-scheduler architecture change, or the JWT-issuance + REST API trigger flow used by self-authoring notebooks.
Debug toolkit for inspecting deployed services from inside the container — network probes (ip/ss/lsof/ping/dig/nc/socat/tcpdump/traceroute/mtr/wget), process inspection (ps/top/htop/pgrep/free/vmstat/strace/ltrace), file inspection (file/tree/xxd/vim/nano), system stats (iotop/iftop/sysstat), session helpers (tmux/rsync/yq). Distro-agnostic. Use when working with the debug-tools layer, the per-distro package-name divergence (nmap-ncat vs ncat vs gnu-netcat), or the 16 build-scope eval probes that lock in headline binary presence.
OpenStreetMap data pipeline tooling: tippecanoe (GeoJSON → MBTiles/PMTiles, built from source), osmium-tool, gdal/ogr2ogr, jq, martin (Rust musl static binary on port 3000), pmtiles CLI. Martin reads tiles from ${HOME}/workspace/tiles/pmtiles/. Use when working with the osm-data layer, tippecanoe build steps, the martin tile server config, the martin "Underlying data source was modified" cache issue + DAG-completion supervisord-restart pattern, or the vector-tiles-only output that requires MapLibre GL JS clients (NOT folium TileLayer).
Unsloth LLM fine-tuning library with vLLM integration. Tier 1 post-install layer — no pixi.toml, requires pixi env from a parent layer (python-ml, jupyter-ml, unsloth-studio). Use when working with Unsloth, LLM fine-tuning, or vLLM wheel installation.
Standalone marimo notebook (osm-monaco-viz.py) that self-authors TWO Airflow DAGs (osm + gtfs), triggers them via REST, runs polars + pyarrow analytics on both datasets, and renders TWO maps: streets via MapLibre GL JS + martin vector tiles + 3D terrain, transit via folium with 98 bus-stop CircleMarkers. Use when working with the notebook content itself, the dual-DAG self-authoring pattern, the two URL spaces (server-side AIRFLOW_API_INTERNAL_URL vs browser-bound MARTIN_PUBLIC_URL), the MapLibre/folium rendering split, or the surfaced-and-fixed bug catalog.
ClawHub CLI for searching and installing OpenClaw skills. Use when working with the clawhub layer.
Maputnik — visual editor for MapLibre GL vector-tile styles. Pure-JS SPA built from upstream source via npm at image build time, served as static dist by python -m http.server. Pairs with osm-data's martin tile server. Use when working with the maputnik layer, the Vite --base=/ build override (critical fix; default --base=/maputnik/ produces 404 asset paths), or the asset-base lock-in eval test.
MUST be invoked before any work involving: ov eval appium commands, Android UI automation, WebDriver session management, APK install via Appium, element find/click/send-keys, mobile-specific WebDriver caps — anywhere the goal is to drive a running Appium 3.x server inside a container via W3C WebDriver from outside.
Arch Linux image with the full ov toolchain. Rootless-first — runs as uid=1000 with passwordless sudo (no root, no cap_add: ALL). Composes /ov-coder:ov-mcp so the image is reachable as an MCP gateway on port 18765. NVIDIA GPU runtime composed in. MUST be invoked before building, deploying, configuring, or troubleshooting the arch-ov image.
direnv -- automatic environment variable loading from .envrc files. Use when working with direnv, .envrc, .secrets, or environment management.
JupyterLab CRDT MCP server extension with 13 tools for programmatic notebook access. MUST be invoked when working with: the MCP server implementation, CRDT collaboration, or the Tier 1 pip-only installation pattern for jupyter extensions.
Steam gaming client with gamescope. Use when working with Steam, gaming, or gamescope in containers.
Standalone Ollama LLM inference server with CUDA GPU support. Runs as a supervisord service on port 11434 with persistent model storage. MUST be invoked before building, deploying, configuring, or troubleshooting the ollama image.
Headless OpenClaw with all tool layers. No desktop environment. Currently disabled. Enable in image.yml to build. MUST be invoked before building, deploying, or troubleshooting the openclaw-full image.
OpenClaw AI gateway service on port 18789 via npm with persistent data. Use when working with OpenClaw, AI gateway configuration, or model routing.
Headless OpenClaw gateway with local Ollama LLM inference. GPU-accelerated, no desktop. Use when working with the headless openclaw+ollama deployment. MUST be invoked before building, deploying, configuring, or troubleshooting the openclaw-ollama image.
Maximal OpenClaw deployment with Sway desktop, Chrome, VNC, and all tool layers. Includes all feasible OpenClaw skill dependencies. MUST be invoked before building, deploying, configuring, or troubleshooting the openclaw-sway-browser image.
Google Chrome running on KWin compositor with DevTools protocol. Use when working with Chrome in KWin desktop containers.
Google Chrome running on Sway compositor via exec autostart with DevTools protocol. Use when working with Chrome in Sway, browser automation, or CDP in desktop containers.
Niri Wayland compositor (Smithay-based) built from source with virtual output support. Use when working with niri compositor, headless Wayland, or Smithay-based desktop containers.
Base Niri desktop composition layer with audio, portals, Chrome, terminal, and file manager; no display server included. Use when composing a Niri desktop on top of a compositor layer.
Desktop applications (terminal, file manager) for Niri compositor. Use when working with the niri-apps layer.
GNOME XDG Desktop Portal backend with ScreenCast, RemoteDesktop, and AT-SPI2 support. Use when working with GNOME portals, screen sharing, or libei input in Mutter containers.
QEMU guest agent for host-guest communication in virtual machines. Use when working with QEMU/KVM VMs, guest agent setup, or libvirt channel configuration.
Sway desktop with VNC remote access via wayvnc on port 5900. Composes sway-desktop base with wayvnc.
RTSP/ONVIF camera snapshot and clip CLI. Use when working with the camsnap layer.
Kitchen-sink development image on Arch Linux: coding + AI-coding CLIs + DevOps tooling in one container. Arch base, 30+ direct layers mirroring fedora-coder's stack but with pac:-section packages (plus AUR for a few unique cases). Runs as uid 1000 (`user`) with passwordless sudo. Use when working with the arch-coder image — or when comparing cross-distro parity across the four coder-family images (fedora, debian, ubuntu, arch).
# a11y-tools - AT-SPI2 Accessibility Introspection

## Overview

Provides Python AT-SPI2 bindings for querying the accessibility tree of GTK, Qt, and Chrome applications. Enables element-based automation — find buttons, menus, and text fields by name/role instead of pixel coordinates. Used by `ov test wl atspi tree/find/click`.

## Layer Definition

```yaml
depends:
  - dbus
rpm:
  packages:
    - python3-pyatspi
    - python3-gobject
```

## Key Properties

| Property | Value |
|----------|--
Kitchen-sink development image: coding + AI-coding CLIs + DevOps tooling in one container. Fedora-nonfree base, 32 direct layers spanning language runtimes, build tooling, five AI coding CLIs, and the full cloud/devops stack. Runs as uid 1000 with passwordless sudo — rootless-first, matches the /ov-images:selkies-desktop-ov security posture. Use when working with the fedora-coder image — specifically any task that involves SSH-ing into a single container and having every tool a polyglot engineer reaches for during a working day already installed.
Terminal session recorder (asciinema). Use when working with the asciinema layer.
Blog/RSS feed monitor CLI. Use when working with the blogwatcher layer.
Bootc system configuration: tty1 autologin, graphical target, pipewire/wireplumber enablement, and the systemd-user supervisord autostart unit that brings up supervisord-managed desktop services on bootc. Canonical home for any bootc-side boot wiring. Use when working with bootc images, autologin, systemd graphical target, or the supervisord-under-systemd autostart pattern.
C/C++ build toolchain with gcc, cmake, autoconf, ninja, git, and pkg-config. Use when working with native compilation, build tools, or C/C++ development.
CUDA toolkit, cuDNN, ONNX Runtime, and NVIDIA GPU development libraries from negativo17 repos. Depends on the nvidia layer for runtime support. Use when working with GPU computing, CUDA, cuDNN, machine learning infrastructure, or NVIDIA development tools.
D-Bus session bus for inter-process communication inside containers. Use when working with D-Bus, desktop services, Wayland compositor dependencies, or ov test dbus commands.
MUST be invoked before any work involving: Chrome DevTools Protocol, ov test cdp commands, browser automation, clicking elements, taking screenshots, or OAuth flows inside containers.
Google Chrome with DevTools on port 9222, Chrome DevTools MCP on port 9224, and browser-open helper. Use when working with Chrome, CDP, browser automation, or DevTools Protocol.
Chrome DevTools MCP server via mcp-proxy (Streamable HTTP on port 9224). Use when working with the chrome-devtools-mcp layer, MCP-based browser automation, or the mcp-proxy stdio-to-HTTP bridge pattern.
Google Chrome running on Mutter compositor with DevTools protocol. Use when working with Chrome in Mutter/GNOME desktop containers.
Google Chrome running on Niri compositor with DevTools protocol. Use when working with Chrome in Niri desktop containers.
Google Chrome on X11 with DevTools protocol. Launched via Openbox autostart. Use when working with Chrome in X11 desktop containers.
Cloud-init for instance initialization in cloud/VM environments with NoCloud datasource. Use when working with cloud-init, VM provisioning, or cloud instance bootstrapping.
ComfyUI image generation server with CUDA GPU support. Runs as a supervisord service on port 8188 with persistent storage. MUST be invoked before building, deploying, configuring, or troubleshooting the comfyui image.
ComfyUI image generation service on port 8188 with CUDA GPU support. Use when working with ComfyUI, image generation, Stable Diffusion, or AI art pipelines.
Rootless nested podman/buildah/skopeo recipe. Ships zero cap_add — works via surgical `unmask=/proc/*` security_opt plus dual-location containers.conf/storage.conf/policy.json plus two canonical env vars plus subuid layout that fits inside the outer user namespace. Authoritative source for the `mount_too_revealing()` kernel RCA. Use when working with nested containers, the container-nesting layer, or any "rootless-in-rootless podman" question.
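The "subuid layout that fits inside the outer user namespace" requirement above, worked as an added Go example that is not the container-nesting layer's own tooling: the kernel only lets newuidmap give a child namespace ids that are mapped in the parent namespace, and it rejects overlapping mappings, so the inner /etc/subuid range must lie entirely within the ids /proc/self/uid_map shows as mapped and must not include the running uid, which podman maps on its own to the inner container's root. The uid_map text is constructed; the largest-span heuristic is this example's choice, not necessarily the layout the layer ships.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// IDMapEntry is one line of /proc/self/uid_map: ids [Inner, Inner+Count) in
// this namespace map to [Outer, Outer+Count) in the parent namespace.
type IDMapEntry struct{ Inner, Outer, Count int }

// ParseIDMap parses uid_map/gid_map text ("inner outer count" per line).
func ParseIDMap(text string) ([]IDMapEntry, error) {
	var out []IDMapEntry
	for _, line := range strings.Split(text, "\n") {
		if len(strings.Fields(line)) == 0 {
			continue
		}
		var e IDMapEntry
		_, err := fmt.Sscanf(line, "%d %d %d", &e.Inner, &e.Outer, &e.Count)
		if err != nil || len(strings.Fields(line)) != 3 || e.Count <= 0 {
			return nil, fmt.Errorf("uid_map: malformed line %q", line)
		}
		out = append(out, e)
	}
	return out, nil
}

type span struct{ lo, hi int } // inclusive range of inner ids

// mappedSpans merges entries into sorted, non-overlapping spans of ids that
// exist in this namespace; newuidmap cannot hand an unmapped id to a child.
func mappedSpans(entries []IDMapEntry) []span {
	spans := make([]span, 0, len(entries))
	for _, e := range entries {
		spans = append(spans, span{e.Inner, e.Inner + e.Count - 1})
	}
	sort.Slice(spans, func(i, j int) bool { return spans[i].lo < spans[j].lo })
	var merged []span
	for _, s := range spans {
		if n := len(merged); n > 0 && s.lo <= merged[n-1].hi+1 {
			if s.hi > merged[n-1].hi {
				merged[n-1].hi = s.hi
			}
			continue
		}
		merged = append(merged, s)
	}
	return merged
}

// RangeFits reports whether [start, start+count) can back nested rootless
// podman run by uid: every id must be mapped here, and the range must not
// contain uid, which podman maps separately to the inner root.
func RangeFits(entries []IDMapEntry, uid, start, count int) bool {
	if count <= 0 || (uid >= start && uid < start+count) {
		return false
	}
	for _, s := range mappedSpans(entries) {
		if start >= s.lo && start+count-1 <= s.hi {
			return true
		}
	}
	return false
}

// ProposeSubuid picks the largest mapped span that excludes uid: the biggest
// /etc/subuid allotment the outer namespace can actually honour.
func ProposeSubuid(entries []IDMapEntry, uid int) (start, count int, ok bool) {
	consider := func(lo, hi int) {
		if n := hi - lo + 1; n > count {
			start, count, ok = lo, n, true
		}
	}
	for _, s := range mappedSpans(entries) {
		if uid < s.lo || uid > s.hi {
			consider(s.lo, s.hi) // uid outside this span: all of it is usable
		} else {
			consider(s.lo, uid-1) // uid inside: keep the larger piece around it
			consider(uid+1, s.hi)
		}
	}
	return
}

// SubuidLine formats the /etc/subuid entry; the same value serves /etc/subgid.
func SubuidLine(user string, start, count int) string {
	return fmt.Sprintf("%s:%d:%d", user, start, count)
}

// SampleUIDMap is a constructed uid_map as seen inside a rootless container
// whose host user owns 65536 subordinate ids: container uid 0 is host uid
// 1000, container uids 1-65536 are host uids 100000-165535.
const SampleUIDMap = "         0       1000          1\n         1     100000      65536\n"

func main() {
	entries, err := ParseIDMap(SampleUIDMap)
	if err != nil {
		panic(err)
	}
	start, count, _ := ProposeSubuid(entries, 1000)
	fmt.Println(SubuidLine("user", start, count))
	fmt.Println("host-style 100000:65536 fits:", RangeFits(entries, 1000, 100000, 65536))
}
```

The host-style `user:100000:65536` entry that distro tooling writes by default never fits here, because inside the container only ids 0 through 65536 exist; that mismatch is what surfaces as newuidmap failing when the inner podman starts.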
COPR and external desktop packages: CoolerControl, Ghostty terminal, Nerd Fonts, WinBoat. Use when working with COPR repositories or these desktop applications in bootc images.
Base Debian 13 trixie image. Root of the image hierarchy for deb-based builds that run as uid 1000 `user` (create mode — Debian 13 ships no pre-existing uid-1000 account). Enabled 2026-04 as part of Phase A–F. MUST be invoked before building, deploying, configuring, or troubleshooting any Debian-based image.
Topic skill (no dedicated `ov enc` command — the surface is flags + subcommands on `ov config`). MUST be invoked before any work involving: encrypted storage, gocryptfs, or the `--encrypt` / `-v <name>:encrypted` backing flags on `ov config`, the `ov config mount` / `unmount` / `status` / `passwd` subcommands, or `ov-enc-<image>-<volume>.scope` systemd units.
D-Bus interaction inside containers via native Go godbus/dbus/v5. MUST be invoked before any work involving: ov test dbus commands, desktop notifications, D-Bus method calls, service introspection, or session bus interaction.
Kitchen-sink development image on Debian 13 trixie: coding + AI-coding CLIs + DevOps tooling in one container. Debian base, 30+ direct layers mirroring fedora-coder's stack but with deb: sections. Runs as uid 1000 (`user`) with passwordless sudo. 143 tests pass, 0 fail, as of 2026-04-20. Use when working with the debian-coder image — or when comparing cross-distro parity across the four coder-family images.
Desktop applications including Chromium, VLC, KeePassXC, btop, cockpit, and zsh. Use when working with GUI applications or desktop environment setup.
DevOps CLI tools: AWS CLI, Scaleway, kubectx/kubens, OpenTofu, wrangler, bind-utils, jq, rsync. Use when working with cloud infrastructure, DNS lookups, infrastructure-as-code, or DevOps tooling.
Developer tools including bat, ripgrep, neovim, gh, direnv, fd-find, htop, podman-compose, and many more CLI utilities. Use when working with developer tooling, CLI utilities, or container dev environments.
Docker CE engine with buildx and compose plugins from the official Docker repository. Use when working with Docker, container builds, or Docker Compose.
Fast system information tool (neofetch successor). Use when working with the fastfetch layer.
Multi-language runtime meta-layer — Go, PHP, .NET 9 SDK, nodejs-devel, python3-devel, ramalama. System Python via RPM (not pixi-python). Uses nodejs and rust layers as explicit deps. Use when working with polyglot development or composing multiple language runtimes into a single image.
MUST be invoked before any work involving: layer authoring, layer.yml, tasks, pixi.toml, package.json, Cargo.toml, or any file under layers/. This skill is the authoritative reference for the `tasks:` verb catalog, `vars:` substitution, execution order, and per-verb validation. Every other skill defers here for install-schema questions.
libvirt-RPC test commands — `ov test libvirt <vm> …` for VM info, framebuffer screenshots, send-key, passwd, QMP, qemu-guest-agent client, snapshots, events.
Test image with Traefik reverse proxy and testapi service. Currently disabled. Used for development testing. MUST be invoked before building or troubleshooting the fedora-test image.
FFmpeg multimedia framework (negativo17 nonfree build with H.264/AAC support). Use when working with the ffmpeg layer.
Google Gemini CLI for AI coding assistance and search. Use when working with the gemini layer.
GitHub CLI, git, and git-lfs — the single-responsibility home for all git/GitHub tooling as of 2026-04. Ships the noscripts + post-install dance for git-lfs so the RPM's systemd trigger doesn't fail at build time. Use when composing git + gh + git-lfs into an image, or when deciding which layer should own a git-related binary.
GIF search and download CLI. Use when working with the gifgrep layer.
GitHub Actions local runner (act-cli) and guestfs-tools via COPR. Use when working with GitHub Actions, local CI testing, or act.
GitHub Actions self-hosted runner as a supervised container service. Use when working with GitHub Actions runners, CI/CD infrastructure, or runner registration.
Self-hosted GitHub Actions runner with the full Overthink toolchain. Rootless-first since 2026-04 — runs as uid=1000 with passwordless sudo (no root, no cap_add: ALL). Host networking retained for reachability. MUST be invoked before building, deploying, configuring, or troubleshooting the githubrunner image.
KDE-native desktop applications (Konsole, Dolphin) for KWin compositor. Use when working with the kwin-apps layer.
Encrypted filesystem (gocryptfs) for ov config encrypted volume operations. Use when working with encrypted volumes, ov config mount/unmount, or filesystem encryption.
Google Cloud SDK providing gcloud, gsutil, and bq CLI tools. Use when working with Google Cloud Platform, GCP services, or cloud SDK configuration.
Google Cloud npm packages: firebase-tools and Gemini CLI. Use when working with Firebase, Gemini CLI, or GCP Node.js tooling.
Google Places API CLI for location search. Use when working with the goplaces layer.
# harness — Drive AI agents through BDD-scenario iteration cycles

## Overview

`ov harness` is the project's iterative AI driver. Same loop, two modes:

- **Benchmarking** — score an AI against pending BDD scenarios; iterate until plateau.
- **BDD development** — write failing scenarios first, let the AI drive code that makes them pass.

Both modes share the machinery: per-iteration git clone + AI-CLI invocation + nested `ov image build` + `ov image test --format yaml` scoring + plateau-bou
Full-featured standalone Hermes AI agent with AI CLIs, dev tools, DevOps tools, and ov. MUST be invoked before building, deploying, configuring, or troubleshooting the hermes image.
Hermes self-improving AI agent by Nous Research with voice, messaging, and tool-calling. MUST be invoked before any work involving: the hermes layer, Hermes Agent configuration, hermes service setup, or hermes Python/npm dependencies.
Hermes AI agent image with Playwright Chromium browser for web automation. Builds on top of the headless hermes image, adding Chromium and system deps. MUST be invoked before building, deploying, configuring, or troubleshooting the hermes-playwright image.
Playwright Chromium browser for Hermes Agent with Fedora-compatible system deps. MUST be invoked before any work involving: Playwright in hermes containers, Chromium browser automation for hermes, or hermes-playwright layer configuration.
MUST be invoked before any work involving: `ov deploy add host` / `ov deploy del host`, applying layer recipes to the local filesystem, the host-target install ledger, ReverseOp teardown, the host-specific `--with-services`/`--allow-repo-changes`/`--allow-root-tasks` gates, sudo batching, or the `~/.config/overthink/installed/` directory.
Host-deploy supporting Go files: hostdistro.go, install_ledger.go, builder_run.go, shell_profile.go, reverse_ops.go, service_render.go, deploy_ref.go, migrate_services_tool.go. MUST be invoked before reading or modifying any of those files, or when debugging host-target deploy behaviour (ledger state, sudo batching, managed-block insertion, glibc preflight, ref resolution).
Bootc VM image with OpenClaw gateway, Chrome, VNC, and PipeWire. Currently disabled. Enable in image.yml to build. MUST be invoked before building, deploying, or troubleshooting the openclaw-browser-bootc image.
Immich photo management server on port 2283. Includes PostgreSQL, Redis, and non-free codec support via RPM Fusion. CPU-only (no ML). MUST be invoked before building, deploying, configuring, or troubleshooting the immich image.
Immich photo management with CUDA ML backend for face recognition and smart search. Includes PostgreSQL, Redis, and the immich-ml service. MUST be invoked before building, deploying, configuring, or troubleshooting the immich-ml image.
Lightweight JupyterLab with real-time collaboration on port 8888. No GPU required. Based on fedora (not nvidia), supports both amd64 and arm64. MUST be invoked before building, deploying, configuring, or troubleshooting the jupyter image.
Full CUDA ML stack + JupyterLab with real-time collaboration and CRDT MCP server on port 8888. Use when working with GPU-accelerated Jupyter notebooks, ML training with collaboration, or the jupyter-ml layer.
Lightweight JupyterLab with real-time collaboration (jupyter-collaboration) on port 8888. No GPU required. Use when working with collaborative notebooks, jupyter-collaboration, or lightweight Jupyter environments without ML/CUDA dependencies.
k3s binary installer (common base for k3s-server and k3s-agent). Use when building images that need the k3s binary but do NOT want a server/agent service started automatically.
k3s worker (agent) node — joins an existing k3s-server via pre-shared token. Fully declarative: same ov secrets set once + env K3S_SERVER_URL per agent deploy.
k3s control-plane (server) node with ServiceLB, Traefik v2, and local-path-provisioner enabled by default. Publishes kubeconfig back to the operator via layer artifacts and registers a ClusterProfile on first boot.
Lightweight Wayland compositor (wlroots-based) for nested desktop inside pixelflux. MUST be invoked when working with: the labwc layer, Wayland compositor config in selkies images, or labwc-wrapper.
Rust compiler and Cargo package manager via system packages (RPM/DEB). Use when working with Rust development or Cargo builds.
ElevenLabs text-to-speech CLI. Use when working with the sag layer.
Browser-accessible desktop streaming via WebSocket using pixelflux and pcmflux. Use when working with Selkies streaming engine, pixelflux, pcmflux, or browser-based remote desktop.
Service log viewing for running containers. MUST be invoked before any work involving: ov logs command, viewing container output, or debugging service issues.
MUST be invoked before any work involving: Model Context Protocol — both directions. (1) `ov test mcp` client: probing MCP servers declared via mcp_provides, testing MCP tool catalogs, debugging the URL-rewriter (including host-networked containers via `HostConfig.NetworkMode` detection — new 2026-04) or port-publishing behavior. (2) `ov mcp serve` server: running the ov CLI itself as an MCP server over Streamable HTTP or stdio, auto-generated from Kong reflection (~192 tools including the MCP-first authoring surface — image/layer scaffolding, comment-preserving YAML edits, free-form file writes), destructive-hint annotations, the `--read-only` filter, auto-fallback to `overthinkos/overthink` when cwd has no `image.yml` (always fires now, regardless of OV_PROJECT_DIR being set — 2026-04 change), and the `ov-mcp` deployment layer with its `/workspace` bind mount.
MCP server CLI for listing, configuring, and calling MCP tools. Use when working with the mcporter layer.
MUST be invoked before any work involving: `ov migrate unified` command (converting legacy image.yml/layer.yml/build.yml into unified overthink.yml, rewriting flat-form layer.yml, migrating legacy service:|...| raw-INI and system_services: entries), or `ov migrate vm-spec` (harvesting legacy image.bootc/image.vm/image.libvirt fields into kind:vm entities in vms.yml).
GNOME Mutter Wayland compositor running headless inside containers with virtual monitor. Use when working with Mutter, GNOME desktop, or headless compositor setup.
GNOME desktop composition with Mutter, PipeWire, XDG Portal, Chrome, gnome-terminal, and Nautilus. Use when working with Mutter/GNOME desktop containers.
nano-pdf CLI for PDF editing with natural language. Use when working with the nano-pdf layer.
Niri Wayland compositor (Smithay-based) built from source with virtual output support. Use when working with niri compositor, headless Wayland, or Smithay-based desktop containers.
Pre-commit git hooks framework via pixi, plus markdownlint-cli via npm. Use when working with git hooks, linting, or code quality tooling.
Python 3.13 runtime installed via pixi (conda-forge). Use when working with Python, pixi environments, or Python dependencies.
GPU-accelerated Python ML environment with CUDA, PyTorch, and llama.cpp. No Jupyter server — use as a base for ML workloads or interactive shell. MUST be invoked before building, deploying, configuring, or troubleshooting the python-ml image.
Base Niri desktop composition with audio, portals, Chrome, terminal, and file manager. Base desktop composition layer — no display server included.
Node.js 24 and npm via Fedora RPM packages with global npm prefix. Use when working with Node.js 24 or applications requiring a newer Node.js version.
Unsloth fine-tuning notebook collection provisioned into the workspace volume at deploy time. Data-only layer — no packages, no services, no dependencies. Use when working with notebook-finetuning, Unsloth training notebooks, or unsloth-studio data provisioning.
LLMs on Supercomputers course notebook collection (TU Wien AI Factory Austria). 15 Jupyter notebooks covering prompt engineering, RAG, and fine-tuning. Data-only layer — no packages, no services, no dependencies. Use when working with the LLM course notebooks, LangChain tutorials, or RAG examples.
Ollama integration notebook collection provisioned into the workspace volume at deploy time. 6 Jupyter notebooks demonstrating Ollama via requests, OpenAI, ollama lib, Anthropic, HuggingFace, and GPU. Data-only layer — no packages, no services, no dependencies. Use when working with notebook-ollama, Ollama API tutorials, or Jupyter+Ollama integration.
OpenRouter API integration notebook collection provisioned into the workspace volume at deploy time. 3 Jupyter notebooks demonstrating OpenRouter API basics, model discovery, and practical inference. Data-only layer with env_requires — first layer to use the env_requires feature. Use when working with notebook-openrouter, OpenRouter API tutorials, or Jupyter+OpenRouter integration.
Starter notebook templates provisioned into the workspace volume at deploy time. First data-only layer in the project — no packages, no services, no dependencies. Use when working with notebook-templates, data layers, or jupyter initial content.
NVIDIA GPU base image with runtime support and CUDA toolkit on Fedora. Base for all GPU-accelerated images (python-ml, jupyter, ollama, comfyui). MUST be invoked before building, deploying, configuring, or troubleshooting the nvidia image.
NVIDIA GPU runtime support: driver libs, nvidia-container-toolkit (CDI), and VA-API. Fedora (negativo17) and Arch Linux (pac). Base layer for all GPU-accelerated images. Use when working with NVIDIA GPU support, CDI device injection, or the nvidia layer.
Standalone Ollama LLM inference server with CUDA GPU support. Runs as a supervisord service on port 11434 with persistent model storage. MUST be invoked before building, deploying, configuring, or troubleshooting the ollama image.
Ollama LLM server on port 11434 with CUDA GPU support and model persistence. Use when working with Ollama, LLM serving, or local AI model inference.
Openbox lightweight X11 window manager with keybindings and desktop support. Use when working with Openbox WM in X11 desktop containers.
Headless OpenClaw AI gateway image. Runs the gateway on port 18789 without a desktop environment. Use when working with the headless openclaw image. MUST be invoked before building, deploying, configuring, or troubleshooting the openclaw image.
Desktop applications (terminal, file manager) for X11 containers. Use when working with the x11-apps layer.
Base X11 desktop composition with Xorg headless, Openbox, Chrome, terminal, and file manager. Use when working with X11 desktop containers or comparing X11 vs Wayland stacks.
XDG desktop portal integration for Niri compositor (GTK + GNOME backends). Use when working with portals, screen sharing, or file dialogs in Niri containers.
Headless OpenClaw with all tool layers. No desktop environment. Currently disabled. Enable in image.yml to build. MUST be invoked before building, deploying, or troubleshooting the openclaw-full image.
OpenClaw full + ML tools (whisper, sherpa-onnx-tts, CUDA). Use when working with the openclaw-full-ml layer.
Maximal OpenClaw deployment (gateway + browser + all feasible tools/skills). Use when working with the openclaw-full layer.
OpenClaw with all tools + Sway desktop + VNC. No GPU/ML. Currently disabled. Enable in image.yml to build. MUST be invoked before building, deploying, or troubleshooting the openclaw-full-sway image.
Headless OpenClaw gateway with local Ollama LLM inference. GPU-accelerated, no desktop. Use when working with the headless openclaw+ollama deployment. MUST be invoked before building, deploying, configuring, or troubleshooting the openclaw-ollama image.
Topic skill (no dedicated `ov openclaw` command — the surface is layer composition + image deployment). MUST be invoked before any work involving: OpenClaw gateway configuration, model auth, browser integration, channel setup, or any image composing `openclaw-*` layers (`openclaw`, `openclaw-ollama`, `openclaw-sway-browser`, `openclaw-full`, `openclaw-full-ml`, `openclaw-full-sway`, `openclaw-ollama-sway-browser`, `openclaw-browser-bootc`).
Open WebUI image with auto-configured LLM providers, MCP servers, and Jupyter on port 8080. MUST be invoked before building, deploying, configuring, or troubleshooting the openwebui image.
Open WebUI with auto-configured LLM providers, MCP servers, and Jupyter code execution. MUST be invoked before any work involving: the openwebui layer, Open WebUI configuration, LLM provider auto-detection, or MCP server discovery for Open WebUI.
Oracle CLI for prompt bundling and multi-engine AI queries. Use when working with the oracle layer.
OS system configuration for bootc images: SDDM/KDE cleanup, systemd preset, /opt permissions, initramfs rebuild. Use when working with bootc OS configuration, systemd presets, or initramfs in bootable containers.
Overthink CLI (ov) binary installed into container/VM images for in-container use. Use when working with ov binary deployment inside containers, native D-Bus support, or the ov-full composition.
Full ov toolchain composition with CLI, virtualization, encrypted storage, and console access. Use when working with ov inside containers/VMs, VM management, or encrypted volumes.
PulseAudio volume control GUI for desktop containers with PipeWire audio. Use when working with audio configuration or volume control.
PipeWire audio and media server with WirePlumber session manager. Use when working with audio in containers, PipeWire, or PulseAudio compatibility.
Pixi package manager binary with environment and PATH setup. Use when working with pixi, conda-forge packages, or Python environment management.
Playwright browser automation (OpenClaw AI snapshots). Use when working with the playwright layer.
Wayland overlay windows via gtk4-layer-shell (for screen recordings). Use when working with the wl-overlay layer, gtk4-layer-shell, or overlay dependencies.
Fullscreen Wayland overlays for screen recordings via gtk4-layer-shell. MUST be invoked before any work involving: ov test wl overlay commands, recording overlays, title cards, lower-thirds, countdowns, or fade transitions.
Core ML/AI Python environment with PyTorch, vLLM runtime deps, and CUDA support. Tier 2 environment-owner meta-layer that composes llama-cpp. Use when working with machine learning, PyTorch, HuggingFace, or GPU computing.
Redis in-memory data store on port 6379 with periodic persistence. Use when working with Redis, caching, or session storage in containers.
Fast recursive text search (rg). Use when working with the ripgrep layer.
Base Sway desktop composition with audio, portals, Wayland tools, Chrome, terminal, file manager, and status bar. Use sway-desktop-vnc for VNC remote access.
Thunar file manager for Sway desktop environments with sway config integration. Use when working with file management in Sway desktop containers.
MUST be invoked before any work involving: ov shell command, interactive shells, command execution in containers, workspace mounts, TTY allocation, or port relay.
sherpa-onnx offline text-to-speech. Use when working with the sherpa-onnx layer.
Topic skill (no dedicated `ov sidecar` command — the surface is the `--sidecar <name>` / `--list-sidecars` flags on `ov config` and the `sidecars:` field in `deploy.yml`). MUST be invoked before any work involving: sidecar containers, pod networking, Tailscale exit nodes, `ov config --sidecar`, the `deploy.yml` `sidecars:` field, or sidecar-env filtering (`env_accepts` / `env_requires` routing to the sidecar vs the app container).
SPICE wire-level client for VMs — `ov test spice <vm>` handshake, inputs, native display screenshots via the Shells-com/spice library.
Generic SSH support for ov — `--host <alias>` re-execs any command on a remote machine; `ov ssh tunnel` exposes remote SPICE/VNC endpoints on the local host for external GUI apps.
OpenSSH server and client on port 22 for remote access. Use when working with SSH access, remote login, or sshd configuration in containers/VMs.
Service status display with tool probes and device detection. MUST be invoked before any work involving: ov status command, checking container state, tool availability, port mapping, or JSON status output.
Steam gaming client with gamescope. Use when working with Steam, gaming, or gamescope in containers.
Summarize CLI for extracting text/transcripts from URLs and files. Use when working with the summarize layer.
Base Ubuntu 24.04 noble image. Root of the image hierarchy for Ubuntu-based builds. Runs as uid 1000 `ubuntu` via ADOPT mode — the upstream ubuntu:24.04 base image ships a pre-existing ubuntu:ubuntu account, and build.yml distro.ubuntu declares base_user to adopt it verbatim. Enabled 2026-04 as part of Phase A–F. MUST be invoked before building, deploying, configuring, or troubleshooting any Ubuntu-based image.
Supervisord process manager for running multiple services inside containers. Use when working with supervisord, container service management, multi-process containers, event listeners for crash-loop circuit breaking, or service priority ordering.
MUST be invoked before any work involving: `ov test`, `ov image test`, the `tests:` / `deploy_tests:` fields in layer.yml / image.yml / deploy.yml, the `org.overthinkos.tests` OCI label, or any declarative check authoring. Covers verb catalog (file/port/command/http/package/service/process/dns/user/group/interface/kernel-param/mount/addr/matching), runtime variable resolution (`${HOST_PORT:N}`, `${VOLUME_PATH:name}`, `${CONTAINER_IP}`, `${ENV_*}`), deploy.yml overlay rules, authoring gotchas learned the hard way (package renames, absent binaries, host vs container network routing), and both build-time / deploy-time CLI wrappers.
Persistent tmux sessions inside containers: shell reconnection, background commands, output capture, and key sending. Use when running long-lived or TTY-dependent commands. MUST be invoked before any work involving: ov tmux commands, persistent shells, background container commands, or TTY-dependent TUI programs.
Traefik reverse proxy on ports 8000/8080/443 with automatic TLS and dynamic routing. Use when working with Traefik, reverse proxy, TLS certificates, or service routing.
Terminal multiplexer. Use when working with the tmux layer.
Kitchen-sink development image on Ubuntu 24.04 noble: coding + AI-coding CLIs + DevOps tooling in one container. Ubuntu base, 30+ direct layers mirroring fedora-coder's stack. Runs as uid 1000 `ubuntu` — the upstream ubuntu:24.04 account, adopted verbatim via build.yml's base_user declaration. 142/0/1-skip tests pass as of 2026-04-20. Use when working with the ubuntu-coder image — especially when the `${USER}` / `${HOME}` / sudoers differ from the other three coder images.
MUST be invoked before any work involving: GPU device access rules, ov udev commands, udev rule management, or container GPU troubleshooting.
Just task runner with ujust wrapper for Universal Blue justfile conventions. Use when working with just/ujust task runners or ublue-os justfile integration.
Unsloth Studio fine-tuning web UI with CUDA GPU support, vLLM inference, and llama.cpp. Runs as a supervisord service on ports 8888 (Studio) and 8000 (vLLM API). MUST be invoked before building, deploying, configuring, or troubleshooting the unsloth-studio image.
Unsloth Studio fine-tuning web UI on ports 8888/8000 with vLLM inference. Tier 2 environment-owner meta-layer composing llama-cpp + unsloth, owns pixi.toml. Use when working with Unsloth Studio, the fine-tuning web UI, or the unsloth-studio image.
uv + uvx — Astral's fast Python package/project manager. Rewritten 2026-04 to install as a direct-download binary (no pixi env, no Python dep). Pulled via the `download:` verb with `strip_components: 1` to handle the upstream tarball's arch-prefixed top-level directory. Use when working with the uv layer or when deciding whether to install a CLI tool via pixi vs. direct binary download.
VectorChord PostgreSQL extension for optimized vector similarity search. Use when working with VectorChord, vector indices, or smart search performance.
Test image with Valkey (Redis-compatible) key-value store. Currently disabled. Used for development testing. MUST be invoked before building or troubleshooting the valkey-test image.
Show ov CLI version information. MUST be invoked before any work involving: ov version command or checking installed ov version.
QEMU/KVM/libvirt stack plus supervisord-managed virtqemud and virtnetworkd daemons. Works rootless: `qemu:///session` mode serves uid 1000 with only /dev/kvm passthrough — no SYS_ADMIN, no root. Canonical source for the rootless nested VM recipe. Use when working with virtual machines, QEMU, KVM, libvirt, or the virtualization layer.
OpenXR, OpenVR, and GStreamer libraries for VR streaming and development. Use when working with VR, AR, streaming, or spatial computing.
Waybar status bar and sway-autotile for the Sway desktop compositor. Use when working with Waybar configuration, status bar, or automatic tiling.
Desktop video recorder via selkies WebSocket capture bridge for selkies-desktop. Use when working with the wl-record-pixelflux layer.
# wl-tools - Compositor-Agnostic Desktop Automation Tools

## Overview

Provides CLI tools for desktop automation — Wayland-native, X11, and clipboard. Used by the `ov test wl` command. Works on all wlroots compositors (sway, labwc, niri). No daemon or special device access needed.

**Note:** Screenshots are NOT included in this layer. Use `wl-screenshot-grim` (sway) or `wl-screenshot-pixelflux` (selkies) depending on your compositor.

## Layer Definition

```yaml
rpm:
  packages:
    - wtype
```
Xfce4 terminal emulator for Sway desktop environments with sway config integration. Use when working with terminal emulators in Sway desktop containers.
Xorg X server with dummy video driver and libinput for headless containers. Provides virtual framebuffer + input device auto-detection from /dev/input.
X (Twitter) API CLI for posts, search, DMs, and media. Use when working with the xurl layer.
AUR helper for Arch Linux, enabling aur: package sections in layer.yml. Use when working with the yay layer or Arch AUR builds.
Full-stack AI image: OpenClaw gateway + all tools + Ollama LLM + Whisper STT + sherpa-onnx TTS + Sway desktop with Chrome. GPU-accelerated with CUDA. MUST be invoked before building, deploying, configuring, or troubleshooting the openclaw-ollama-sway-browser image.
Google Chrome running on Niri compositor with DevTools protocol. Use when working with Chrome in Niri desktop containers.
Google Chrome running on Mutter compositor with DevTools protocol. Use when working with Chrome in Mutter/GNOME desktop containers.
GNOME-native desktop applications (gnome-terminal, Nautilus) for Mutter compositor. Use when working with the mutter-apps layer.
KDE desktop composition with KWin, PipeWire, XDG Portal, Chrome, Konsole, and Dolphin. Use when working with KWin desktop containers.
GPU-accelerated Selkies streaming desktop with NVIDIA CUDA. Use when working with the selkies-desktop-nvidia image.
Bootable (bootc) VM image combining the selkies-desktop streaming desktop with Tailscale (mesh VPN) and KeePassXC (password manager). Fedora 43 base. Boots under libvirt/QEMU as a full OS. Canonical worked example of the external-base-bootc + explicit-distro pattern. MUST be invoked before building, deploying, or troubleshooting selkies-desktop-bootc.
WhatsApp CLI for message sending and history sync. Use when working with the wacli layer.
KWin Wayland compositor running headless inside containers with virtual backend. Use when working with KWin, KDE desktop, or headless compositor setup.
kind:vm entity pairing with the /ov-foundation:aurora bootc container image. source.kind: bootc. Thin pointer skill — composition + layer stack authority lives in /ov-foundation:aurora. This skill documents only the VM resource sizing. MUST be invoked before editing aurora-bootc in vms.yml.
KDE XDG Desktop Portal backend with ScreenCast and RemoteDesktop support. Use when working with KDE portals, screen sharing, or libei input in KWin containers.
kind:vm entity pairing with the /ov-openclaw:openclaw-browser-bootc container image. source.kind: bootc. Thin pointer skill — composition + layer stack authority lives in /ov-openclaw:openclaw-browser-bootc. This skill documents only VM overrides. MUST be invoked before editing openclaw-browser-bootc-bootc in vms.yml.
kind:vm entity pairing with the /ov-foundation:bazzite-ai bootc container image. source.kind: bootc. Thin pointer skill — composition + layer stack authority lives in /ov-foundation:bazzite-ai. This skill documents only the VM-specific fields. MUST be invoked before editing bazzite-ai-bootc in vms.yml.
kind:vm entity pairing with the /ov-selkies:selkies-desktop-bootc container image. source.kind: bootc. Thin pointer skill — composition + layer stack authority lives in /ov-selkies:selkies-desktop-bootc (the canonical bootc-VM worked example). MUST be invoked before editing selkies-desktop-bootc-bootc in vms.yml.
Stop a running service container. MUST be invoked before any work involving: ov stop command, stopping containers, or halting services.
MUST be invoked before any work involving: virtual machines, ov vm commands, kind:vm entities in vm.yml, cloud_image vs bootc source types, libvirt/QEMU backends, BIOS vs UEFI firmware, virtio-gpu video, or VM lifecycle.
Image inspection showing resolved configuration as JSON. MUST be invoked before any work involving: ov image inspect command, viewing image configuration, or querying image metadata.
Topic skill (no dedicated `ov enc` command — the surface is flags + subcommands on `ov config`). MUST be invoked before any work involving: encrypted storage, gocryptfs, or the `--encrypt` / `-v <name>:encrypted` backing flags on `ov config`, the `ov config mount` / `unmount` / `status` / `passwd` subcommands, or `ov-enc-<image>-<volume>.scope` systemd units.
Mounts a virtiofs share tagged `workspace` at /workspace inside a VM guest via a systemd .mount unit. Use when a kind:vm entity shares a host directory into the guest and you need it auto-mounted (and re-mounted at every boot).
QEMU guest agent for host-guest communication in virtual machines. Use when working with QEMU/KVM VMs, guest agent setup, or libvirt channel configuration.
Go type reference for VmSpec and the discriminated-union source types (VmSource cloud_image | bootc). Documents every field, validation rules, and the adopt-user decision. Source files: ov/vm_spec.go, ov/cloud_init_types.go, ov/libvirt_validate.go. MUST be invoked before editing VmSpec Go code or authoring vm.yml entries.
Authoring reference for kind:vm entities in vm.yml. Parallel to /ov-image:layer and /ov-image:image. Covers the VmSpec schema, source.kind discriminator (cloud_image vs bootc), base_user adopt pattern, and step-by-step recipes for both source kinds. MUST be invoked before authoring or editing vm.yml entries.
Desktop notification client library providing notify-send CLI. Use when working with notify-send, libnotify, or shell-based notifications.
Maximal OpenClaw deployment with Sway desktop, Chrome, VNC, and all tool layers. Includes all feasible OpenClaw skill dependencies. Use when working with MUST be invoked before building, deploying, configuring, or troubleshooting the openclaw-sway-browser image.
Headless OpenClaw AI gateway image. Runs the gateway on port 18789 without a desktop environment. Use when working with the headless MUST be invoked before building, deploying, configuring, or troubleshooting the openclaw image.
RTSP/ONVIF camera snapshot and clip CLI. Use when working with the camsnap layer.
versa — image bundling marimo reactive notebook environment with Apache Airflow + GPU-accelerated OSM/GTFS analytics + martin vector tiles + 3D terrain via MapLibre + Polars geospatial extensions (polars-st, geopolars) + GeoArrow + deck.gl rendering via lonboard. Composes a marimo + airflow + OSM/GTFS analytics stack (agent-forwarding, nvidia, cuda, marimo, airflow, osm-tools, maputnik, notebook-osm, notebook-graph, debug-tools, dbus, ov, plus the versatiles tile-serving layers) on a CachyOS / Arch base into a single pod that exposes 7 host ports and 1 MCP server. MUST be invoked before building, deploying, configuring, or troubleshooting the versa image.
Bootstrap-from-scratch Ubuntu 24.04 rootfs via debootstrap inside a privileged builder (from: builder:debootstrap, bootstrap_builder_image: ubuntu-debootstrap-builder). Retained for offline/air-gapped builds. Lives in the overthinkos/ubuntu submodule (image/ubuntu). MUST be invoked before building or troubleshooting ubuntu-debootstrap.
Rootless nested podman/buildah/skopeo recipe. Ships zero cap_add — works via surgical `unmask=/proc/*` security_opt plus dual-location containers.conf/storage.conf/policy.json plus two canonical env vars plus subuid layout that fits inside the outer user namespace. Authoritative source for the `mount_too_revealing()` kernel RCA. Use when working with nested containers, the container-nesting layer, or any "rootless-in-rootless podman" question.
Terminal session recorder (asciinema). Use when working with the asciinema layer.
Topic skill (no dedicated `ov sidecar` command — the surface is the `--sidecar <name>` / `--list-sidecars` flags on `ov config` and the `sidecar:` field in `deploy.yml`). MUST be invoked before any work involving: sidecar containers, pod networking, Tailscale exit nodes, `ov config --sidecar`, the `deploy.yml` `sidecar:` field, or sidecar-env filtering (`env_accept` / `env_require` routing to the sidecar vs the app container).
Persistent tmux sessions inside containers: shell reconnection, background commands, output capture, and key sending. Use when running long-lived or TTY-dependent commands. MUST be invoked before any work involving: ov tmux commands, persistent shells, background container commands, or TTY-dependent TUI programs.
OpenAI Codex CLI coding agent. Use when working with the codex layer.
COPR and external desktop packages: CoolerControl, Ghostty terminal, Nerd Fonts, WinBoat. Use when working with COPR repositories or these desktop applications in bootc images.
DevOps CLI tools: AWS CLI, Scaleway, kubectx/kubens, OpenTofu, wrangler, bind-utils, jq, rsync. Use when working with cloud infrastructure, DNS lookups, infrastructure-as-code, or DevOps tooling.
GitHub CLI, git, and git-lfs — the single-responsibility home for all git/GitHub tooling. Ships the noscripts + post-install dance for git-lfs so the RPM's systemd trigger doesn't fail at build time. Use when composing git + gh + git-lfs into an image, or when deciding which layer should own a git-related binary.
Google Cloud SDK providing gcloud, gsutil, and bq CLI tools. Use when working with Google Cloud Platform, GCP services, or cloud SDK configuration.
Oracle CLI for prompt bundling and multi-engine AI queries. Use when working with the oracle layer.
MCP server exposing the full ov CLI as tools (Streamable HTTP on port 18765). Meta-layer composition — layers: [ov, supervisord] — ships only service wiring + `/workspace` bind-mount + OV_PROJECT_DIR env plumbing. Auto-falls back to the upstream overthinkos/overthink repo when /workspace has no image.yml. Use when composing an MCP gateway into any image so LLM agents can drive ov remotely.
Typst document processor binary for typesetting and document generation. Use when working with Typst, document compilation, or typesetting tools.
Base Arch Linux image. Root of the image hierarchy for all pac-based images. MUST be invoked before building, deploying, configuring, or troubleshooting the arch image.
Cloud-init for instance initialization in cloud/VM environments with NoCloud datasource. Use when working with cloud-init, VM provisioning, or cloud instance bootstrapping.
OS system configuration for bootc images: SDDM/KDE cleanup, systemd preset, /opt permissions, initramfs rebuild. Use when working with bootc OS configuration, systemd presets, or initramfs in bootable containers.
System files overlay and justfile imports for bootc images. Copies system_files to root filesystem. Use when working with system file overlays, justfile imports, or bazzite configuration.
MUST be invoked before any work involving: Chrome DevTools Protocol, ov eval cdp commands, browser automation, clicking elements, taking screenshots, or OAuth flows inside containers.
The DISPOSABLE pod bed (eval-sway-browser-vnc-pod) for R10 testing of the Sway desktop verb surface (cdp / wl / vnc / dbus / mcp / record). Deploys the shipping sway-browser-vnc image. Use when running or maintaining the live-container eval bed for the sway stack.
SPICE wire-level client for VMs — `ov eval spice <vm>` handshake, inputs, native display screenshots via the Shells-com/spice library.
Configure KeePassXC as the freedesktop.org Secret Service provider on a target:local host: enable FdoSecrets, autostart KeePassXC, disable competing daemons (gnome-keyring + kwallet) at the per-user XDG-autostart and systemd-user-unit layers, install pinentry/libsecret, and install generic direnv shell hooks for bash/zsh/fish. Use when adding KeePassXC as the Secret Service backend on a host (NOT for adding the binary to a container image — use /ov-infrastructure:keepassxc for that).
Terminal multiplexer. Use when working with the tmux layer.
QEMU/KVM/libvirt stack — works identically under supervisord (containers / pods, custom `exec:` form) AND under systemd (host installs / bootc / VMs, use_packaged: virtqemud.socket / virtnetworkd.socket). Uses the mixed-entry `service:` schema (CLAUDE.md "Init-system polymorphism") — the same name appears twice in the service: list, and the init system at deploy time picks the matching form. Canonical worked example of the polymorphism pattern.
VmDeployTarget is the 4th DeployTarget implementer (after OCITarget, PodDeployTarget, LocalDeployTarget; K8sDeployTarget is 5th). Applies an InstallPlan inside a running VM over SSH. Covers DeployExecutor interface, SSHExecutor, ShellExecutor, VmDeployState persistence, and the guest-side ledger. Source: ov/deploy_target_vm.go, ov/deploy_executor*.go, ov/deploy_add_cmd_vm.go. MUST be invoked before editing VM-target deploy code.
MUST be invoked before any work involving: `target: local` deployments, the Ansible-style `host:` destination field (literal `local` for direct shell, anything else routes through ssh(1) reading `~/.ssh/config` + ssh-agent), the `local:` template reference, the `user:` and `ssh_args:` Ansible-shaped overrides, the managed `~/.config/ov/ssh_config` fragment, the install ledger at `~/.config/overthink/installed/`, ReverseOp teardown, or the `--with-services`/`--allow-repo-changes`/`--allow-root-tasks` gates.
Lightweight JupyterLab with real-time collaboration on port 8888. No GPU required. Based on fedora (not nvidia), supports both amd64 and arm64. MUST be invoked before building, deploying, configuring, or troubleshooting the jupyter image.
Full CUDA ML JupyterLab image with finetuning, Ollama, and LLM course notebooks, CRDT MCP server, and real-time collaboration. Base: nvidia. Port 8888. Combines jupyter-ml with 37 Unsloth fine-tuning notebooks, 6 Ollama integration notebooks, and 15 LLM course notebooks. MUST be invoked before building, deploying, or troubleshooting the jupyter-ml-notebook image.
LLMs on Supercomputers course notebook collection (TU Wien AI Factory Austria). 15 Jupyter notebooks covering prompt engineering, RAG, and fine-tuning. Data-only layer — no packages, no services, no dependencies. Use when working with the LLM course notebooks, LangChain tutorials, or RAG examples.
OpenClaw full + ML tools (whisper, sherpa-onnx-tts, CUDA). Use when working with the openclaw-full-ml layer.
Headless OpenClaw with all tool layers. No desktop environment. MUST be invoked before building, deploying, or troubleshooting the openclaw-full image.
Desktop applications including Chromium, VLC, KeePassXC, btop, cockpit, and zsh. Use when working with GUI applications or desktop environment setup.
FFmpeg multimedia framework (negativo17 nonfree build with H.264/AAC support). Use when working with the ffmpeg layer.
GPU-accelerated Selkies streaming desktop with NVIDIA CUDA. Use when working with the selkies-desktop-nvidia image.
# wl-tools - Compositor-Agnostic Desktop Automation Tools ## Overview Provides CLI tools for desktop automation — Wayland-native, X11, and clipboard. Used by the `ov eval wl` command. Works on all wlroots compositors (sway, labwc). No daemon or special device access needed. **Note:** Screenshots are NOT included in this layer. Use `wl-screenshot-grim` (sway) or `wl-screenshot-pixelflux` (selkies) depending on your compositor. ## Layer Definition ```yaml rpm: packages: - wtype - wl
SwayNotificationCenter notification daemon for wlroots compositors (sway, labwc). Use when working with desktop notifications, notification center, or swaync configuration.
Wayland overlay windows via gtk4-layer-shell (for screen recordings). Use when working with the wl-overlay layer, gtk4-layer-shell, or overlay dependencies.
Wayland screen recorder for wlroots compositors. Use when working with the wf-recorder layer.
Blog/RSS feed monitor CLI. Use when working with the blogwatcher layer.
Fast recursive text search (rg). Use when working with the ripgrep layer.
Google Places API CLI for location search. Use when working with the goplaces layer.
MCP server CLI for listing, configuring, and calling MCP tools. Use when working with the mcporter layer.
nano-pdf CLI for PDF editing with natural language. Use when working with the nano-pdf layer.
Food delivery order status CLI (Foodora). Use when working with the ordercli layer.
ElevenLabs text-to-speech CLI. Use when working with the sag layer.
Just task runner with ujust wrapper for Universal Blue justfile conventions. Use when working with just/ujust task runners or ublue-os justfile integration.
Visual Studio Code editor installed from Microsoft's RPM repository. Use when working with VS Code installation or configuration in container images.
Topic skill (no dedicated `ov enc` command — the surface is flags + subcommands on `ov config`). MUST be invoked before any work involving: encrypted storage, gocryptfs, or the `--encrypt` / `-v <name>:encrypted` backing flags on `ov config`, the `ov config mount` / `unmount` / `status` / `passwd` subcommands, or `ov-enc-<image>-<volume>.scope` systemd units.
Topic skill (no dedicated `ov openclaw` command — the surface is layer composition + image deployment). MUST be invoked before any work involving: OpenClaw gateway configuration, model auth, browser integration, channel setup, or any image composing `openclaw-*` layers (`openclaw`, `openclaw-full`, or a custom image composing `openclaw`/`openclaw-full` + `sway-desktop`).
MUST be invoked before any work involving: ov secrets commands, Secret Service / config-file credential management, GPG-encrypted .secrets files, credential import/export, or secret administration.
Kitchen-sink development image on Ubuntu 24.04 noble: coding + AI-coding CLIs + DevOps tooling in one container. Ubuntu base, 30+ direct layers mirroring fedora-coder's stack. Runs as uid 1000 `ubuntu` — the upstream ubuntu:24.04 account, adopted verbatim via build.yml's base_user declaration. 142/0/1-skip tests pass. Use when working with the ubuntu-coder image — especially when the `${USER}` / `${HOME}` / sudoers differ from the other three coder images.
direnv: automatic environment variable loading from .envrc files. Use when working with direnv, .envrc, .secrets, or environment management.
uv + uvx — Astral's fast Python package/project manager. Installs as a direct-download binary (no pixi env, no Python dep). Pulled via the `download:` verb with `strip_components: 1` to handle the upstream tarball's arch-prefixed top-level directory. Use when working with the uv layer or when deciding whether to install a CLI tool via pixi vs. direct binary download.
GitHub Actions local runner (act-cli) and guestfs-tools via COPR. Use when working with GitHub Actions, local CI testing, or act.
Google Gemini CLI for AI coding assistance and search. Use when working with the gemini layer.
MUST be invoked before any work involving: ov start/stop/status/logs/update/remove commands, ov config (deployment), init system service management, or container lifecycle.
Show ov CLI version information. MUST be invoked before any work involving: ov version command or checking installed ov version. Named `ov-version` (not `version`) to disambiguate from Claude Code's built-in `/version` slash command.
Self-hosted GitHub Actions runner with the full Overthink toolchain. Rootless-first — runs as uid=1000 with passwordless sudo (no root, no cap_add: ALL). Host networking retained for reachability. MUST be invoked before building, deploying, configuring, or troubleshooting the githubrunner image.
libvirt-RPC test commands — `ov eval libvirt <vm> …` for VM info, framebuffer screenshots, send-key, passwd, QMP, qemu-guest-agent client, snapshots, events.
Hermes AI agent image with Playwright Chromium browser for web automation. Builds on top of the headless hermes image, adding Chromium and system deps. MUST be invoked before building, deploying, configuring, or troubleshooting the hermes-playwright image.
Hermes agent with AI CLIs (Claude Code, Codex, Gemini), developer tools, DevOps tools, and ov. Use when working with the hermes-full metalayer or full-featured standalone hermes deployments.
JupyterLab CRDT MCP server extension with 11 tools (notebook_*/cell_* + room_list + notebook_list_users) for programmatic notebook access. MUST be invoked when working with: the MCP server implementation, CRDT collaboration, the auto-attach single-room invariant, or the Tier 1 pip-only installation pattern for jupyter extensions.
# wl-screenshot-grim - Screenshot via grim (wlr-screencopy) ## Overview Provides `grim` for Wayland screenshot capture using the `wlr-screencopy` protocol. Works on sway and standalone wlroots compositors. **Does NOT work on selkies-desktop** (labwc nested in pixelflux can't deliver screencopy frames). For selkies-desktop, use `wl-screenshot-pixelflux` instead. ## Layer Definition ```yaml rpm: packages: - grim ``` ## Key Properties | Property | Value | |----------|-------| | Depends
Ollama LLM server on port 11434 with CUDA GPU support and model persistence. Use when working with Ollama, LLM serving, or local AI model inference.
Maximal OpenClaw deployment (gateway + browser + all feasible tools/skills). Use when working with the openclaw-full layer.
--- name: pod description: Schema reference for `kind: pod` and `kind: deploy` entities — deploy.yml entry shape, nested deploys, sidecars, pod networking. For verb-level operations see /ov-core:deploy. --- # `kind: pod` and `kind: deploy` — Schema Reference This skill is a thin schema pointer. For runtime verbs (`ov deploy add`, `ov deploy del`, `ov update`), see `/ov-core:deploy`. ## What lives in `kind: pod` / `kind: deploy` A `pod` entity declares a co-scheduled set of containers and the
Open WebUI with auto-configured LLM providers, MCP servers, and Jupyter code execution. MUST be invoked before any work involving: the openwebui layer, Open WebUI configuration, LLM provider auto-detection, or MCP server discovery for Open WebUI.
Base Sway desktop composition with audio, portals, Wayland tools, Chrome, terminal, file manager, and status bar. Use sway-desktop-vnc for VNC remote access.
Google Chrome with DevTools on port 9222, Chrome DevTools MCP on port 9224, and browser-open helper. Use when working with Chrome, CDP, browser automation, or DevTools Protocol.
PulseAudio volume control GUI for desktop containers with PipeWire audio. Use when working with audio configuration or volume control.
OpenClaw AI gateway service on port 18789 via npm with persistent data. Use when working with OpenClaw, AI gateway configuration, or model routing.
JetBrains Mono and Nerd Fonts for desktop containers. Use when working with font configuration or desktop text rendering.
MUST be invoked before any work involving: GPU device access rules, ov udev commands, udev rule management, or container GPU troubleshooting.
Fetch an image from its registry into local container storage so deploy-mode commands can read its OCI labels. MUST be invoked before any work involving: ov image pull command, the ErrImageNotLocal error, fetching images by short name / fully-qualified ref / @github.com/... remote ref, or recovering deploy-mode commands that fail with "image X is not available locally".
Kitchen-sink development image: coding + AI-coding CLIs + DevOps tooling in one container. Fedora-nonfree base, 32 direct layers spanning language runtimes, build tooling, five AI coding CLIs, and the full cloud/devops stack. Runs as uid 1000 with passwordless sudo — rootless-first, matches the /ov-openclaw:openclaw-desktop security posture. Use when working with the fedora-coder image — specifically any task that involves SSH-ing into a single container and having every tool a polyglot engineer reaches for during a working day already installed.
Service log viewing for running containers. MUST be invoked before any work involving: ov logs command, viewing container output, or debugging service issues.
GIF search and download CLI. Use when working with the gifgrep layer.
MUST be invoked before any work involving: VNC automation, ov eval vnc commands, RFB protocol desktop interaction, VNC screenshots, clicking coordinates, or VNC authentication.
sherpa-onnx offline text-to-speech. Use when working with the sherpa-onnx layer.
FileBrowser Quantum web file manager with Tailscale tunnel. MUST be invoked before building, deploying, configuring, or troubleshooting the filebrowser image.
X (Twitter) API CLI for posts, search, DMs, and media. Use when working with the xurl layer.
Fast system information tool (neofetch successor). Use when working with the fastfetch layer.
WhatsApp CLI for message sending and history sync. Use when working with the wacli layer.
Sway-browser-vnc instance wired to versa/ecovoyage tailnet URLs — chrome-devtools-mcp + CDP for debugging the generated MapLibre + folium maps.
OpenStreetMap data pipeline tooling: tippecanoe (GeoJSON → MBTiles/PMTiles, built from source), gdal/ogr2ogr, jq, martin (Rust musl static binary on port 3000), pmtiles CLI. Martin reads tiles from /workspace/tiles/pmtiles/. Use when working with the osm-tools layer, tippecanoe build steps, the martin tile server config, the martin "Underlying data source was modified" cache issue + DAG-completion supervisord-restart pattern, or the vector-tiles-only output that requires MapLibre GL JS clients (NOT folium TileLayer).
Standalone marimo notebook (osm-monaco-viz.py) that self-authors TWO Airflow DAGs (osm + gtfs), triggers them via REST, runs polars + pyarrow analytics on both datasets, and renders TWO maps: streets via MapLibre GL JS + martin vector tiles + 3D terrain, transit via folium with 98 bus-stop CircleMarkers. Use when working with the notebook content itself, the dual-DAG self-authoring pattern, the two URL spaces (server-side AIRFLOW_API_INTERNAL_URL vs browser-bound MARTIN_PUBLIC_URL), the MapLibre/folium rendering split, or the surfaced-and-fixed bug catalog.
Full ov toolchain composition with CLI, virtualization, encrypted storage, and console access. Works identically on container/pod targets AND on host/local/bootc targets via the unified virtualization layer's mixed-`service:` schema — one layer for every target, no `-host` sibling.
Rust compiler and Cargo package manager via system packages (RPM/DEB). Use when working with Rust development or Cargo builds.
Grafana observability CLI tools: mcp-grafana, logcli, promtool, mimirtool, tempo-cli, tanka, grafanactl. Use when working with Grafana, Prometheus, Loki, Mimir, Tempo, or observability tooling.
Bazzite NVIDIA bootc image with dev tools, CUDA, Kubernetes, Docker, and desktop apps. Currently disabled. Enable in image.yml to build. MUST be invoked before building, deploying, or troubleshooting the bazzite image.
Lightweight JupyterLab with real-time collaboration (jupyter-collaboration) on port 8888. No GPU required. Use when working with collaborative notebooks, jupyter-collaboration, or lightweight Jupyter environments without ML/CUDA dependencies.
Chrome DevTools MCP server via mcp-proxy (Streamable HTTP on port 9224). Use when working with the chrome-devtools-mcp layer, MCP-based browser automation, or the mcp-proxy stdio-to-HTTP bridge pattern.
Host dependency checker and hardware detector for the `ov doctor` CLI verb. Use when diagnosing host setup, checking dependencies, or verifying GPU detection. Named `ov-doctor` (not `doctor`) to disambiguate from Claude Code's built-in `/doctor` slash command.
Skill maintenance guidelines: when and how to update skills, CLAUDE.md, and README.md. Use when updating documentation, feeding back operational insights, or auditing skill coverage.
Test image for Arch Linux pacman and AUR package installation. MUST be invoked before building or troubleshooting the arch-test image.
Apache Airflow 3.x with LocalExecutor + SQLite (single-node, dev-friendly), 4 supervisord services (init, scheduler, dag-processor, webserver). Layer is service-only — its Python deps live in /ov-versa:versa-layer's pixi env. No MCP wrapper (no upstream v2 release exists; consumers drive Airflow via direct REST /api/v2 calls). Use when working with the airflow layer, Airflow 3.x compatibility findings, the SimpleAuthManager auth-fix pattern, the dag-processor split-from-scheduler architecture change, or the JWT-issuance + REST API trigger flow used by self-authoring notebooks.
Use when working with the openclaw-desktop image — the all-in-one CachyOS power image that fuses the selkies streaming desktop, the openclaw-full gateway + AI CLIs (claude-code/codex/gemini), a CPU ollama, and the full nested ov toolchain (build images / run nested rootless pods / launch rootless libvirt VMs from a terminal inside the browser-accessible desktop).
Test image with Valkey (Redis-compatible) key-value store. Currently disabled. Used for development testing. MUST be invoked before building or troubleshooting the valkey-test image.
Privileged debootstrap builder image (base: debian:13 — debootstrap is a Debian tool that bootstraps Ubuntu suites too) — ships the debootstrap toolchain for ubuntu-debootstrap and the ubuntu-debootstrap VM. Lives in the overthinkos/ubuntu submodule (image/ubuntu). MUST be invoked before building or troubleshooting ubuntu-debootstrap-builder.
OpenXR, OpenVR, and GStreamer libraries for VR streaming and development. Use when working with VR, AR, streaming, or spatial computing.
Developer tools including bat, ripgrep, neovim, direnv, fd-find, htop, podman-compose, and many more CLI utilities. Use when working with developer tooling, CLI utilities, or container dev environments.
Docker CE engine with buildx and compose plugins from the official Docker repository. Use when working with Docker, container builds, or Docker Compose.
Prune reusable build artifacts to defaults: retention (images, eval runs) and sweep one-time makepkg leftovers. MUST be invoked before any work involving: ov clean, build-artifact retention, keep_images / keep_eval_runs, image-tag pruning, or .eval run cleanup.
C/C++ build toolchain with gcc, cmake, autoconf, ninja, git, and pkg-config. Use when working with native compilation, build tools, or C/C++ development.
Privileged debootstrap builder image (base: debian:13) — ships the debootstrap toolchain used to bootstrap a Debian rootfs from scratch for debian-debootstrap and the debian-debootstrap VM. Lives in the overthinkos/debian submodule (image/debian). MUST be invoked before building or troubleshooting debian-debootstrap-builder.
Pixi package manager binary with environment and PATH setup. Use when working with pixi, conda-forge packages, or Python environment management.
Bootstrap-from-scratch Debian rootfs via debootstrap inside a privileged builder (from: builder:debootstrap, bootstrap_builder_image: debian-debootstrap-builder). Retained for offline/air-gapped builds and as a worked example of the from: builder:debootstrap pattern. Lives in the overthinkos/debian submodule (image/debian). MUST be invoked before building or troubleshooting debian-debootstrap.
Test image with Traefik reverse proxy and testapi service. Currently disabled. Used for development testing. MUST be invoked before building or troubleshooting the fedora-test image.
Bootable (bootc) VM image combining the selkies-desktop streaming desktop with Tailscale (mesh VPN) and KeePassXC (password manager). Fedora 43 base. Boots under libvirt/QEMU as a full OS. Canonical worked example of the external-base-bootc + explicit-distro pattern. MUST be invoked before building, deploying, or troubleshooting selkies-desktop-bootc.
# Image: selkies-desktop Browser-accessible Wayland desktop streamed via Selkies/pixelflux WebSocket at `https://localhost:3000` (HTTPS with self-signed Traefik certificate). ## Definition ```yaml selkies-desktop: base: cachyos.cachyos # via the `cachyos` import namespace build: [pac, aur] # aur required: chrome (google-chrome) + wl-tools (wlrctl) layers: - agent-forwarding - selkies-desktop - dbus - ov ports: - "3000:3000" - "9222:9222" - "9
Bootstrap-from-scratch CachyOS rootfs via pacstrap inside a privileged builder. Builds end-to-end as of ov 2026.141.1850 (shared pacstrap renderer emits Architecture + SigLevel); retained for offline/air-gapped builds. Lives in the overthinkos/cachyos submodule (image/cachyos). MUST be invoked before building or troubleshooting cachyos-pacstrap.
kind:vm entity pairing with the /ov-selkies:selkies-desktop-bootc container image. source.kind: bootc. Thin pointer skill — composition + layer stack authority lives in /ov-selkies:selkies-desktop-bootc (the canonical bootc-VM worked example). MUST be invoked before editing selkies-desktop-bootc-bootc in image/bootc/overthink.yml.
Fedora image with the full ov toolchain using shared layers. Rootless-first — runs as uid=1000 with passwordless sudo (no root, no cap_add: ALL). Same layer list as arch-ov. Includes NVIDIA GPU runtime. MUST be invoked before building, deploying, configuring, or troubleshooting the fedora-ov image.
Aurora DX bootc image with NVIDIA, SSH, ov toolchain, and Go. Currently disabled. Enable in image.yml to build. MUST be invoked before building, deploying, or troubleshooting the aurora image.
kind:vm entity pairing with the /ov-distros:bazzite bootc container image. source.kind: bootc. Thin pointer skill — composition + layer stack authority lives in /ov-distros:bazzite. This skill documents only the VM-specific fields. MUST be invoked before editing bazzite-bootc in image/bootc/overthink.yml.
kind:vm entity pairing with the /ov-distros:aurora bootc container image. source.kind: bootc. Thin pointer skill — composition + layer stack authority lives in /ov-distros:aurora. This skill documents only the VM resource sizing. MUST be invoked before editing aurora-bootc in image/bootc/overthink.yml.
Traefik reverse proxy on ports 8000/8080/443 with automatic TLS and dynamic routing. Use when working with Traefik, reverse proxy, TLS certificates, or service routing.
VectorChord PostgreSQL extension for optimized vector similarity search. Use when working with VectorChord, vector indices, or smart search performance.
ComfyUI image generation server with CUDA GPU support. Runs as a supervisord service on port 8188 with persistent storage. MUST be invoked before building, deploying, configuring, or troubleshooting the comfyui image.
Minimal Debian 13 builder image (pixi + Node.js + build-toolchain) used as the multi-stage builder for every image based on Debian — currently debian-coder. Produces the pre-compiled pixi envs, npm globals, and cargo crates that land in the final runtime image via COPY --from. MUST be invoked before building, deploying, configuring, or troubleshooting the debian-builder image.
MUST be invoked before any work involving: `ov deploy add`/`ov deploy del` commands, quadlet generation, volume backing, tunnels (Tailscale/Cloudflare), `add_layer:` overlay, or per-machine deploy overlays.
Use when @github layer/namespace pins drift across repos and the resolver emits "referenced at multiple versions" warnings — `ov image reconcile` aligns every pin of a repo to one version (clearing the warnings). Invoked as `ov image reconcile`.
CUDA toolkit, cuDNN, ONNX Runtime, and NVIDIA GPU development libraries from negativo17 repos. Depends on the nvidia layer for runtime support. Use when working with GPU computing, CUDA, cuDNN, machine learning infrastructure, or NVIDIA development tools.
NVIDIA GPU base image with runtime support and CUDA toolkit on Fedora. Base for all GPU-accelerated images (python-ml, jupyter, ollama, comfyui). MUST be invoked before building, deploying, configuring, or troubleshooting the nvidia image.
Immich photo management with CUDA ML backend for face recognition and smart search. Includes PostgreSQL, Redis, and the immich-ml service. MUST be invoked before building, deploying, configuring, or troubleshooting the immich-ml image.
MUST be invoked before any work involving: the `ov migrate` command (the single idempotent migration that brings any overthink config up to the latest schema CalVer), the CalVer schema-version stamp (`version: YYYY.DDD.HHMM`), the ordered migration chain / registry (ov/migrate_registry.go), the `LatestSchemaVersion()` load-time gate, adding a new schema cutover as a migration step, or the calver-schema int→CalVer transition.
Full CUDA ML stack + JupyterLab with real-time collaboration and CRDT MCP server on port 8888. Use when working with GPU-accelerated Jupyter notebooks, ML training with collaboration, or the jupyter-ml layer.
Unsloth Studio fine-tuning web UI with CUDA GPU support, vLLM inference, and llama.cpp. Runs as a supervisord service on ports 8888 (Studio) and 8000 (vLLM API). MUST be invoked before building, deploying, configuring, or troubleshooting the unsloth-studio image.
Kitchen-sink development image on Arch Linux: coding + AI-coding CLIs + DevOps tooling in one container. Arch base, 30+ direct layers mirroring fedora-coder's stack but with pac:-section packages (plus AUR for a few unique cases). Runs as uid 1000 (`user`) with passwordless sudo. Use when working with the arch-coder image — or when comparing cross-distro parity across the four coder-family images (fedora, debian, ubuntu, arch).
Multi-language runtime meta-layer — Go, PHP, .NET 9 SDK, nodejs-devel, python3-devel, ramalama. System Python via RPM (not pixi-python). Uses nodejs and rust layers as explicit deps. Use when working with polyglot development or composing multiple language runtimes into a single image.
ComfyUI image generation service on port 8188 with CUDA GPU support. Use when working with ComfyUI, image generation, Stable Diffusion, or AI art pipelines.
MUST be invoked before any work involving: OCI label contract, Capabilities / ImageMetadata struct, CapabilityLabelMap completeness check, LabelServices structured round-trip, source-less deploy via `ov deploy from-image`, or adding a new OCI label. Developer-facing; users author via `/ov-image:layer` and `/ov-image:image`.
Immich photo management server on port 2283. Includes PostgreSQL, Redis, and non-free codec support via RPM Fusion. CPU-only (no ML). MUST be invoked before building, deploying, configuring, or troubleshooting the immich image.
PostgreSQL database server on port 5432 with pgvector extension and persistent data. Entrypoint supports POSTGRES_SHARED_PRELOAD_LIBRARIES for extension loading. Use when working with PostgreSQL, database configuration, or pgvector.
Containerfile generation: understanding ov image generate output, multi-stage builds, intermediate images, and the .build/ directory. Use when debugging or understanding generated Containerfiles. MUST be invoked before reading or modifying any Go source file in ov/.
MUST be invoked before any work involving: authoring `kind: local` templates, `local.yml` files, the inline `local:` map in `overthink.yml`, or the merge semantics between a `kind: local` template and a `target: local` deployment.
Standalone Ollama LLM inference server with CUDA GPU support. Runs as a supervisord service on port 11434 with persistent model storage. MUST be invoked before building, deploying, configuring, or troubleshooting the ollama image.
Redis in-memory data store on port 6379 with periodic persistence. Use when working with Redis, caching, or session storage in containers.
Minimal Ubuntu 24.04 builder image (pixi + Node.js + build-toolchain) used as the multi-stage builder for Ubuntu-based images — currently ubuntu-coder. Runs as uid 1000 `ubuntu` (adopted from the upstream ubuntu:24.04 base image via build.yml's base_user declaration). MUST be invoked before building, deploying, configuring, or troubleshooting the ubuntu-builder image.
Maximal OpenClaw deployment with Sway desktop, Chrome, VNC, and all tool layers. Includes all feasible OpenClaw skill dependencies. MUST be invoked before building, deploying, configuring, or troubleshooting the openclaw-sway-browser image.
Base Ubuntu 24.04 noble image. Root of the image hierarchy for Ubuntu-based builds. Runs as uid 1000 `ubuntu` via ADOPT mode — the upstream ubuntu:24.04 base image ships a pre-existing ubuntu:ubuntu account, and build.yml distro.ubuntu declares base_user to adopt it verbatim. MUST be invoked before building, deploying, configuring, or troubleshooting any Ubuntu-based image.
CachyOS base image (docker.io/cachyos/cachyos-v3) — x86_64_v3-optimized Arch derivative. Owned by the overthinkos/cachyos submodule (image/cachyos); consumed by main's versa image via the `cachyos` import namespace. MUST be invoked before building, deploying, or troubleshooting cachyos images.
Base Debian 13 trixie image. Root of the image hierarchy for Debian builds that run as uid 1000 `user` (create mode — Debian 13 ships no pre-existing uid-1000 account). Owned by the overthinkos/debian submodule (image/debian); consumed by no main-repo image. MUST be invoked before building, deploying, configuring, or troubleshooting any Debian-based image.
CachyOS bootstrap VM (kind:vm cachyos-vm) — source.kind: bootstrap via cachyos-pacstrap-builder + pacstrap, btrfs rootfs, uefi-insecure. Plus the disposable eval-cachyos-vm kind:eval bed. Lives in the overthinkos/cachyos submodule. MUST be invoked before editing cachyos-vm or its eval bed.
Ubuntu bootstrap VM (kind:vm ubuntu-debootstrap) — source.kind: bootstrap via ubuntu-debootstrap-builder + debootstrap, ext4 rootfs, uefi-insecure. Plus the disposable eval-ubuntu-debootstrap-vm kind:eval bed. Lives in the overthinkos/ubuntu submodule. MUST be invoked before editing ubuntu-debootstrap or its eval bed.
MUST be invoked before any work involving: `ov eval` (image / live / run), the `eval:` / `deploy_eval:` fields in layer.yml / image.yml / deploy.yml, the `org.overthinkos.eval` OCI label, the AI iteration harness loop, `kind: ai` / `kind: recipe` / `kind: score` / `kind: eval` (disposable R10 beds run via `ov eval run <bed>`) in eval.yml, or any declarative check authoring. Covers the unified `ov eval` surface: three primary modes (image / live / run), 9 live-container probe verbs (cdp/wl/dbus/vnc/mcp/record/spice/libvirt/k8s), verb catalog (file/port/command/http/package/service/process/dns/user/group/interface/kernel-param/mount/addr/matching), runtime variable resolution (`${HOST_PORT:N}`, `${VOLUME_PATH:name}`, `${CONTAINER_IP}`, `${ENV_*}`), deploy.yml overlay rules, authoring gotchas learned the hard way (package renames, absent binaries, host vs container network routing), AI-iteration loop semantics (plateau-bounded, progressive recipe disclosure, watchdog), and the `from:` block for composing recipes from existing layer/image/pod/vm tests.
Operator CachyOS workstation profile — a kind:local template + target:local deploy that installs the full dev stack (30 layers) onto a CachyOS host via ShellExecutor. Lives in the overthinkos/cachyos submodule. MUST be invoked before editing or applying the ov-cachyos workstation profile.
First kind:vm entity with source.kind: cloud_image — fetches the Arch Linux cloud qcow2 from pkgbuild.com, applies cloud-init, boots under libvirt/QEMU via BIOS firmware + virtio-gpu. Documents the stale-BOOTX64.EFI RCA, the simpledrm→qxldrmfb takeover race, the adopt-user pattern, and resource sizing. MUST be invoked before editing arch in image/arch/overthink.yml or authoring another cloud_image VM from a template.
Debian bootstrap VM (kind:vm debian-debootstrap) — source.kind: bootstrap via debian-debootstrap-builder + debootstrap, ext4 rootfs, uefi-insecure. Plus the disposable eval-debian-debootstrap-vm kind:eval bed. Lives in the overthinkos/debian submodule. MUST be invoked before editing debian-debootstrap or its eval bed.
Go file map for the target:local execution surface. Files: local_spec.go, deploy_target_local.go, unified_targets_local.go, ssh_managed_config.go, hostdistro.go, install_ledger.go, builder_run.go, shell_profile.go, reverse_ops.go, service_render.go, deploy_ref.go. MUST be invoked before reading or modifying any of those files, or when debugging target:local deploy behaviour (ledger state, sudo batching, managed-block insertion, glibc preflight, ssh-config fragment, ref resolution).
Fully rootless Selkies streaming desktop + the full ov toolchain inside one image. Runs as uid 1000 with zero --privileged / zero cap_add; nested rootless podman and rootless libvirt session VMs work via config-level namespace sharing and the surgical unmask=/proc/* security_opt. Use when working with the selkies-desktop-ov image — especially for any "browser-accessible desktop that can itself build images, start pods, or launch VMs" workflow.
Image inspection showing resolved configuration as JSON. MUST be invoked before any work involving: ov image inspect command, viewing image configuration, or querying image metadata.
SQLite database CLI. Use when working with the sqlite layer.
# wl-screenshot-grim - Screenshot via grim (wlr-screencopy)

## Overview

Provides `grim` for Wayland screenshot capture using the `wlr-screencopy` protocol. Works on sway and standalone wlroots compositors. **Does NOT work on selkies-desktop** (labwc nested in pixelflux can't deliver screencopy frames). For selkies-desktop, use `wl-screenshot-pixelflux` instead.

## Layer Definition

```yaml
rpm:
  packages:
    - grim
```

## Key Properties

| Property | Value |
|----------|-------|
| Depends
GPU-accelerated Selkies streaming desktop with NVIDIA CUDA. Use when working with the selkies-desktop-nvidia image.
Kubernetes client tools: kubectl and Helm package manager. Use when working with Kubernetes, kubectl, or Helm charts.
Immich machine learning backend on port 3003 for photo classification and search. Use when working with Immich ML features, face detection, or CLIP search.
Fedora image using remote layer references from GitHub. Demonstrates the @github.com/org/repo/layers/name:version remote layer syntax. MUST be invoked before building, deploying, configuring, or troubleshooting the fedora-remote image.
Typst document processor binary for typesetting and document generation. Use when working with Typst, document compilation, or typesetting tools.