overthinkos/cachyos
vm/skills/cachyos/SKILL.md
CachyOS bootstrap VM (kind:vm cachyos-vm) — source.kind: bootstrap via cachyos-pacstrap-builder + pacstrap, btrfs rootfs, uefi-insecure. Plus the disposable eval-cachyos-vm kind:eval bed. Lives in the overthinkos/cachyos submodule. MUST be invoked before editing cachyos-vm or its eval bed.
development
Updated Jun 12, 2026
$ install --global
skillsauthnpx skillsauth add overthinkos/overthink-plugins cachyosInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 12, 2026, 6:55 AM129.9s1 file scanned
SKILL.md
- name:
- cachyos
- description:
- |
- CachyOS bootstrap VM (kind:
- vm cachyos-vm) — source.kind: bootstrap via
- disposable eval-cachyos-vm kind:
- eval bed. Lives in the overthinkos/cachyos submodule.
cachyos (VM)
source.kind: bootstrap VM that builds a CachyOS rootfs from scratch via
pacstrap (using /charly-distros:cachyos-pacstrap-builder), then boots it under
libvirt/QEMU.
The cachyos-vm entity and its eval-cachyos-vm disposable test bed live in
the overthinkos/cachyos repo (git submodule at box/cachyos),
in that repo's config (its charly.yml + per-kind sibling files). The bed is a kind: eval entity
(the 2026-05 deploy→eval unification moved repo-shipped disposable beds out of
charly.yml), driven by charly eval run eval-cachyos-vm. Drive the VM lifecycle
from the submodule: charly -C box/cachyos vm build cachyos-vm +
charly -C box/cachyos vm create cachyos-vm (or charly --repo overthinkos/cachyos …).
VM Configuration (from box/cachyos/vm.yml)
| Setting | Value |
|---|---|
| Source | kind: bootstrap, builder: pacstrap, builder_image: cachyos-pacstrap-builder |
| Distro | cachyos |
| rootfs | btrfs |
| Disk / RAM / CPU | 25G / 4G / 2 |
| Machine / firmware | q35 / uefi-insecure |
| Network | user mode |
| SSH | user cachy, port 12226, key_source generate |
The cachyos distro config (base packages, keyring, mirrors, repos) comes from
the main repo's build.yml, flat-imported by the submodule (a bare-string
import: item).
Eval bed
eval-cachyos-vm is a kind: eval bed (target: vm, vm: cachyos-vm) that
carries disposable: true, so charly -C box/cachyos eval run eval-cachyos-vm
runs the full R10 sequence unattended (the equivalent charly update eval-cachyos-vm rebuild also works, since the eval bed is folded into the
Deploy map).
eval-cachyos-gpu-vm is the full KDE GPU workstation bed — it mirrors the
operator cachyos-gpu workstation's dual-desktop config and is the acceptance gate
for migrating it. A cachyos-gpu-vm guest (bootstrap VM, UEFI, backend: libvirt,
podman) receives a physical NVIDIA GPU via a VFIO <hostdev> and runs BOTH (a) a
bare-metal KDE Plasma SDDM seat as in-guest layers, AND (b) a nested
selkies-kde-nvidia streaming pod (real NVENC). It applies the nvidia toolkit +
the locally-vendored nvidia-driver kernel layer (whose reboot: true reboots the
guest mid-deploy so the open module loads on a clean boot and the boot-time
nvidia-ctk cdi generate writes /etc/cdi/nvidia.yaml), then VmUnifiedTarget.Add
(deployNestedPodsInGuest) host-builds selkies-kde-nvidia, charly vm cp-box --rootlesss it into the guest user's podman as localhost/charly-selkies-kde:latest,
and runs the guest's own project-free charly deploy from-box localhost/charly-selkies-kde:latest selkies-kde — a PERSISTENT in-guest --user
quadlet (GPU device auto-detected; loginctl enable-linger so it survives the
guest reboot the fresh-rebuild leg recreates). Deploy-scope checks run in-guest over
SSH: the quadlet is active + lingering, the stream answers on
https://localhost:3000 (an in-guest curl, since the pod publishes :3000 only
on the guest), and the nvidia encoder is queryable. The committed cachyos-gpu-vm
is portable — it carries NO hostdev block (a PCI address is host-specific);
generate one with charly vm gpu list and add it locally before a live GPU run. The
GPU-gated checks pass with an N/A note when no card is passed through, so the bed
runs anywhere. This is the R10 gate for the nested-pod-in-VM capability
(/charly-internals:vm-deploy-target). See /charly-vm:vm "GPU passthrough",
/charly-distros:cuda.
pacstrap path
charly vm build cachyos-vm builds a bootable disk end-to-end. The
vm_bootstrap.go path uses the same renderPacstrapExtraConf helper as the
image path, which emits the per-repo SigLevel (required for GPGME) and an
[options] Architecture = x86_64 x86_64_v3 directive (so linux-cachyos
passes the architecture check).
pacstrap installs linux-cachyos (x86_64_v3), mkinitcpio generates the
initramfs (its autodetect hook warns in the chroot and falls back to
all-modules — non-fatal), and a bootable disk.qcow2 (~3.5 GB) + cloud-init
seed.iso are written. The Docker-Hub /charly-distros:cachyos container base
remains the faster path when you don't need a VM disk.
Cross-References
/charly-distros:cachyos-pacstrap-builder— the builder image this VM uses/charly-distros:cachyos-pacstrap— the container equivalent of this bootstrap path/charly-vm:arch— the canonical cloud_image VM (BIOS/virtio-gpu/sizing rationale)/charly-vm:vm— VM lifecycle commands + BIOS/UEFI matrix/charly-vm:vms-catalog— VmSpec authoring reference
When to Use This Skill
MUST be invoked when editing cachyos-vm or its eval bed, or authoring a
CachyOS VM. Invoke BEFORE reading source code or launching Explore agents.
Related Skills
overthinkos/charly
tools
VerifiedTrustedCommunity
OpenCharly CLI (charly) binary installed into container/VM images for in-container use. Use when working with charly binary deployment inside containers, native D-Bus support, or the full charly toolchain (charly binary + virtualization + gocryptfs + socat).
SKILL.mdUpdated Jun 10, 2026
overthinkos/charly-cachyos
development
VerifiedTrustedCommunity
Operator CachyOS workstation profile — a kind:local template + target:local deploy that installs the full dev stack (30 candies) onto a CachyOS host via ShellExecutor. Lives in the overthinkos/cachyos submodule. MUST be invoked before editing or applying the charly-cachyos workstation profile.
SKILL.mdUpdated Jun 10, 2026
overthinkos/charly-fedora
tools
VerifiedTrustedCommunity
Fedora box with the full charly toolchain using shared candies. Rootless-first — runs as uid=1000 with passwordless sudo (no root, no cap_add: ALL). Same candy list as charly-arch. Includes NVIDIA GPU runtime. MUST be invoked before building, deploying, configuring, or troubleshooting the charly-fedora box.
SKILL.mdUpdated Jun 10, 2026
overthinkos/charly-arch
tools
VerifiedTrustedCommunity
Arch Linux box with the full charly toolchain. Rootless-first — runs as uid=1000 with passwordless sudo (no root, no cap_add: ALL). Composes /charly-coder:charly-mcp so the box is reachable as an MCP gateway on port 18765. NVIDIA GPU runtime composed in. MUST be invoked before building, deploying, configuring, or troubleshooting the charly-arch box.
SKILL.mdUpdated Jun 10, 2026