1645 Commits

Author SHA1 Message Date
b1c3914b8f tests: fix service-configs.nix reference 2026-04-20 15:24:21 -04:00
adbb019977 gitea: move runner and main module to services/gitea 2026-04-20 15:18:37 -04:00
5232211c0a update 2026-04-19 20:35:52 -04:00
All checks were successful: Build and Deploy / mreow (push) 11m39s, yarn (push) 58s, muffin (push) 1m58s
0a873e8eaa AGENTS.md: nit, wording 2026-04-18 02:03:05 -04:00
primary
3953fd92df readme: bring back the fun 2026-04-18 01:56:35 -04:00
primary
25d6e7eead phase 6: remove legacy git-crypt-key-{dotfiles,server-config} agenix entries
All checks were successful: Build and Deploy / mreow (push) 1m42s, yarn (push) 45s, muffin (push) 1m10s
Unified CI on nixos repo is proven end-to-end (CI run on 836f80a deployed to
muffin successfully and yarn's pull URL now serves from the new build). The
two per-repo git-crypt keys are no longer in use by any active pipeline.
Old dotfiles and server-config repos had Gitea Actions disabled before this
commit, so no CI race was possible.
2026-04-18 01:37:14 -04:00
primary
7ef4e5a68f trigger first ci run
All checks were successful: Build and Deploy / mreow (push) 41s, yarn (push) 52s, muffin (push) 1m14s
2026-04-18 01:32:02 -04:00
primary
836f80a011 scripts/cutover-muffin.sh: pre-seed nix-deploy + deploy + verify
Some checks failed: Build and Deploy / yarn (push), muffin (push), mreow (push) have been cancelled
Bundles Phases 5.5 + 6.2 + 6.3 into one invocation. Order-sensitive: pre-seed
must happen BEFORE the deploy-rs run so yarn's pull-update URL stays resolvable
across the harmonia /var/lib/dotfiles-deploy → /var/lib/nix-deploy rename.
2026-04-18 01:17:02 -04:00
primary
c7712e57ff phase 5: add git-crypt-key-nixos agenix entry (additive)
The two legacy entries git-crypt-key-{dotfiles,server-config} stay until
muffin has deployed this config at least once and the new CI pipeline is
green. Phase 6 removes them after cutover.
2026-04-18 01:14:09 -04:00
primary
efa1fb0c07 phase 5: git-crypt re-init + re-encrypt secrets/ under new unified key
- .gitattributes declares secrets/** covered by git-crypt filter
- New symmetric key at $HOME/.nixos-git-crypt.key (chmod 400, not committed)
- All 36 files under secrets/ re-encrypted via the clean filter on 'git add':
  - 5 files in secrets/desktop/ (wifi, secureboot, disk pw, cache netrc, hash)
  - 3 files in secrets/home/ (hm api keys + steam id)
  - 26 files in secrets/server/ (.age + .nix + .tar + livekit_keys)
  - 2 files in secrets/usb-secrets/ (agenix identity)

'git-crypt status' confirms 36 encrypted, 150 non-encrypted.

Old git-crypt keys from the two subtree-merged repos are in the historical subtree commits (pre-Phase 2). To decrypt pre-unify history one still needs the old GPG-encrypted keys, which survive at:
  ~/nixos-migration-aux-*.tar.gz
2026-04-18 01:12:38 -04:00
primary
ba48d223c2 harmonia: /var/lib/dotfiles-deploy → /var/lib/nix-deploy
URL contract (https://nix-cache.sigkill.computer/deploy/<host>) is preserved;
only the on-disk Caddy root and the tmpfiles directory change. Phase 6 seeds
/var/lib/nix-deploy/ from the old path before deploying the new config, so the
pull-update on yarn stays working across the cutover.
2026-04-18 01:09:15 -04:00
primary
01de310296 phase 4: unified CI workflow, deploy.sh wrapper, root AGENTS.md
- .gitea/workflows/deploy.yml: three jobs (mreow, yarn, muffin) sharing a single git-crypt unlock step. muffin job retains the healthcheck + ntfy success/failure notifications from the old server-config pipeline verbatim.
- CI writes to /var/lib/nix-deploy/ (renamed from /var/lib/dotfiles-deploy/). The URL path /deploy/<host> is preserved; only the on-disk directory name changes. Harmonia's Caddy root is updated in Phase 6.
- deploy.sh: inspects hostname, dispatches to nixos-rebuild for desktops or deploy-rs for muffin. Accepts boot/switch/test/build/muffin.
- AGENTS.md: intersected rules from both repos, split into host-agnostic conventions + muffin-specific service pattern. Rewritten layout section reflects the new tree.
2026-04-18 01:07:56 -04:00
primary
3150d29e1a phase 3: delete legacy/ subtree workspaces
Histories remain reachable via the subtree merge commits (dc481c2, 6448a04).
The old flake.nix, flake.lock, AGENTS.md, .gitea/, and .gitattributes are
superseded by the unified versions at the repo root.
2026-04-18 01:05:45 -04:00
primary
56bcaf0580 nix fmt: wrap long expression in yarn home 2026-04-18 01:05:29 -04:00
primary
97ab8bffc0 phase 3: generate flake.lock; fix desktop-networkmanager wifi path
Secret plaintext sits in working tree for Phase 3 eval only; Phase 5 re-encrypts
under the new unified git-crypt key.
2026-04-18 01:05:08 -04:00
primary
1719d54ee0 phase 3: new flake.nix + extract common-{nix,doas,shell-fish}; rewire imports
- New unified flake with two nixpkgs channels (unstable for desktops, 25.11 for muffin)
- modules/common-{doas,shell-fish,nix}.nix extracted from duplicated blocks
- modules/desktop-common.nix: renamed from system/common.nix; secret paths point to secrets/desktop/
- hosts/{mreow,yarn}/default.nix import desktop-common; yarn imports modules/no-rgb.nix
- hosts/muffin/default.nix imports common-* + server-prefixed modules + services/; duplicate doas/fish/nix blocks removed; gc retention preserved as mkForce override
- modules/age-secrets.nix: file paths → ../secrets/server/*.age
- services/{minecraft,matrix/livekit}: secret paths → ../secrets/server/
- home/profiles/*.nix: ./progs/ → ../progs/
- hosts/{mreow,yarn}/home.nix: imports rewired to ../../home/profiles/ and ../../home/progs/
- home/progs/pi.nix and hosts/yarn/home.nix: secret reads → ../../secrets/home/
- tests/*.nix: ../modules/security.nix → ../modules/server-security.nix; ../modules/overlays.nix → ../lib/overlays.nix
- lib/default.nix: takes explicit lib param (defaults to nixpkgs-stable.lib)
2026-04-18 00:58:55 -04:00
primary
05fd05deda phase 2: move secrets → secrets/{desktop,home,server,usb-secrets}/ 2026-04-18 00:48:18 -04:00
primary
d13cec76ba phase 2: move home-manager/ → home/{profiles,progs,util,wallpaper} 2026-04-18 00:48:08 -04:00
primary
30d8cf4c99 phase 2: move modules/ (server-*, desktop-*, shared); drop dotfiles no-rgb (superseded) 2026-04-18 00:47:56 -04:00
primary
999ed05d9f phase 2: promote services/, tests/, patches/, lib/, scripts/ 2026-04-18 00:47:39 -04:00
primary
99e98e39b7 phase 2: move host files to hosts/{mreow,yarn,muffin}/ 2026-04-18 00:47:25 -04:00
primary
6448a0427f Add 'legacy/server-config/' from commit '4bc5d57fa69a393877e7019d7673ceb33c3ab4b4'
git-subtree-dir: legacy/server-config
git-subtree-mainline: dc481c24b0
git-subtree-split: 4bc5d57fa6
2026-04-18 00:45:33 -04:00
primary
dc481c24b0 Add 'legacy/dotfiles/' from commit 'e9a44f677d2852fd5856cecc49ecb984efeba66c'
git-subtree-dir: legacy/dotfiles
git-subtree-mainline: 382887df65
git-subtree-split: e9a44f677d
2026-04-18 00:45:25 -04:00
primary
382887df65 init: empty repo for unified nixos flake 2026-04-18 00:45:20 -04:00
e9a44f677d update 2026-04-17 23:26:43 -04:00
0c881602e9 yarn: fix steamos update flow 2026-04-17 23:26:15 -04:00
4bc5d57fa6 jellyfin: restartTriggers on webhook plugin so install runs at activation
The jellyfin-webhook-install oneshot has 'wantedBy = jellyfin.service',
which only runs it when jellyfin (re)starts. On first rollout to a host
where jellyfin is already running, the unit gets added but never fires,
leaving the Webhook plugin files absent -- jellyfin-webhook-configure
then gets 404 from /Plugins/$GUID/Configuration and deploy-rs rolls back.

Pinning jellyfin.restartTriggers to the plugin package + install script
forces a restart whenever either derivation changes, which pulls install
in via the existing before/wantedBy chain.
2026-04-17 22:08:29 -04:00
1403c9d3bc jellyfin-qbittorrent-monitor: add webhook receiver for instant throttling 2026-04-17 19:47:29 -04:00
48ac68c297 jellyfin: add webhook plugin helper 2026-04-17 19:47:26 -04:00
fc548a137f patches/nixpkgs: add jellyfin declarative network.xml options 2026-04-17 19:47:23 -04:00
9ea45d4558 hardware: tighten mq-deadline read_expire for jellyfin coexistence 2026-04-17 19:47:20 -04:00
7f375e8574 kernel: re-enable SND_PCI 2026-04-17 18:26:21 -04:00
577b5eeb77 update 2026-04-17 12:33:33 -04:00
cebdd3ea96 arr: fix prowlarrUrl for cross-netns reachability
Prowlarr runs in the wg VPN namespace; Sonarr/Radarr run in the host
namespace. Configuring the Prowlarr sync with prowlarrUrl=localhost:9696
made Sonarr/Radarr try to connect to their own localhost, where
Prowlarr does not exist — the host netns. Every indexer sync emitted
'Prowlarr URL is invalid' with Connection refused (localhost:9696).

Use vpnNamespaces.wg.namespaceAddress (192.168.15.1) so host-netns
clients hit the wg-side veth where Prowlarr is listening.

Also re-enables healthChecks on prowlarr-init: the /applications/testall
endpoint now validates clean (manually verified via API).
2026-04-17 00:53:24 -04:00
df57d636f5 arr: declare critical config.xml elements via configXml
Pin <Port>, <BindAddress>, and <EnableSsl> in each arr service's
config.xml through arr-init's new configXml option. A preStart hook
ensures these elements exist before the service reads its config,
fixing the recurring Prowlarr bug where <Port> was absent from
config.xml and the service would run without binding any socket.

Updates arr-init lock to 6dde2a3.
2026-04-17 00:47:08 -04:00
2f09c800e0 update arr-init 2026-04-17 00:38:44 -04:00
91aba32afb pi: update to claude opus 4.7 2026-04-17 00:25:38 -04:00
29e71fb127 ??!?!?!??! 2026-04-16 23:46:13 -04:00
ff94c3b027 steamos-update: exit 0 not 7 2026-04-16 23:05:24 -04:00
0b457b83d3 fix build 2026-04-16 22:53:11 -04:00
c23240c529 yarn: move pull-update into steamos-update script 2026-04-16 22:28:49 -04:00
e40929018f eww: remove 2026-04-16 18:02:02 -04:00
2c67b9729b arr-init: fix prowlarr health check failure
Disable health checks on Prowlarr -- the synced-app testall endpoint
requires Sonarr/Radarr to reverse-connect to prowlarrUrl, which is
unreachable across the wg namespace boundary.

Also add networkNamespaceService = "wg" for the new configurable
namespace service dependency (replaces old hardcoded wg.service).
2026-04-16 17:45:19 -04:00
5997c886f6 pull-update: improvement 2026-04-16 17:43:35 -04:00
7d77926f8a update arr-init 2026-04-16 17:33:54 -04:00
2aa401a9ef update 2026-04-16 16:47:27 -04:00
72d37f57ac update 2026-04-16 16:31:49 -04:00
0718568bec pull-update: forgot lib.getExe 2026-04-16 15:03:06 -04:00
982cc4aebc pull-update: use writeShellApplication instead 2026-04-16 15:02:08 -04:00
d2d25bbdfe omp: remove patch that didn't work 2026-04-16 14:52:51 -04:00