07a5276e40
patiodeck: fix disko partition order (fixed-size before 100%)
2026-04-24 01:47:25 -04:00
f3d21f16fb
desktop-jovian: unify steam/jovian config across yarn + patiodeck
- modules/desktop-jovian.nix: shared Jovian deck-mode config (unfree
  predicate, jovian.steam, sddm, gamescope override, imports
  desktop-steam-update.nix)
- home/progs/steam-shortcuts.nix: declarative non-Steam shortcuts
  (Prism Launcher); add new entries here for all Jovian hosts
- hosts/yarn/default.nix: reduced to host-specific config only
- hosts/patiodeck/default.nix: same
2026-04-23 22:42:25 -04:00
5b2a1a652a
patiodeck: add prism launcher to steam shortcuts
2026-04-23 22:34:58 -04:00
665793668d
patiodeck: add steam deck LCD host
2026-04-23 22:34:47 -04:00
5ccd84c77e
yarn: fix steamos-update exit code — 7 means no update, not 0
Build and Deploy / mreow (push) Successful in 1m48s
Build and Deploy / yarn (push) Successful in 4m39s
Build and Deploy / muffin (push) Failing after 31s
Steam interprets exit 0 from 'steamos-update check' as 'update applied
successfully' and shows a persistent 'update available' notification.
The SteamOS convention is exit 7 = no update available.
2026-04-23 20:47:33 -04:00
7721c9d3a2
ssh: remove desktop key
Build and Deploy / mreow (push) Successful in 1m58s
Build and Deploy / yarn (push) Successful in 47s
Build and Deploy / muffin (push) Failing after 30s
2026-04-23 20:23:37 -04:00
b41a547589
yarn: persist root fish history
Build and Deploy / mreow (push) Successful in 46s
Build and Deploy / yarn (push) Successful in 51s
Build and Deploy / muffin (push) Failing after 28s
2026-04-23 20:17:02 -04:00
d122842995
secrets: update yarn TPM recipient after tmpfs wipe
Build and Deploy / mreow (push) Successful in 2m8s
Build and Deploy / yarn (push) Successful in 48s
Build and Deploy / muffin (push) Failing after 29s
2026-04-23 19:56:54 -04:00
d65d991118
secrets: add mreow + yarn TPM recipients, re-encrypt desktop secrets
Build and Deploy / mreow (push) Successful in 2m56s
Build and Deploy / yarn (push) Successful in 1m49s
Build and Deploy / muffin (push) Failing after 31s
2026-04-23 19:45:57 -04:00
06ccc337c1
secrets: proper agenix for desktop hosts via TPM identity
- modules/desktop-age-secrets.nix: agenix + rage wrapped with age-plugin-tpm,
  TPM identity primary, admin SSH key fallback for recovery/pre-bootstrap
- modules/desktop-lanzaboote-agenix.nix: extract secureboot.tar at activation
- modules/desktop-networkmanager.nix: revert to simple import of git-crypt file
- modules/server-age-secrets.nix: renamed from age-secrets.nix
- modules/desktop-common.nix: wire netrc + password-hash to agenix paths
- hosts/yarn/impermanence.nix: persist /var/lib/agenix across tmpfs wipes
- secrets/secrets.nix: recipient declarations (admin + tpm + muffin USB)
- secrets/desktop/*.age: secureboot.tar, nix-cache-netrc, password-hash
- scripts/bootstrap-desktop-tpm.sh: generate TPM identity + print recipient
2026-04-23 19:24:34 -04:00
a3f7a19cc2
update
Build and Deploy / mreow (push) Successful in 3m39s
Build and Deploy / yarn (push) Successful in 1m3s
Build and Deploy / muffin (push) Successful in 2m26s
2026-04-23 14:23:17 -04:00
e019f2d4fb
secrets overhaul: use tpm for laptop (need to migrate desktop later)
2026-04-23 14:22:37 -04:00
22282691e7
grafana: add minecraft server stats
2026-04-23 01:17:10 -04:00
bc3652c782
kernel: cleanup + add back intel gpu (for future server unification)
Build and Deploy / mreow (push) Successful in 1h25m37s
Build and Deploy / yarn (push) Successful in 1m3s
Build and Deploy / muffin (push) Successful in 1m6s
2026-04-23 00:23:21 -04:00
0a8b863e4b
gitea: fix actions visibility
Build and Deploy / mreow (push) Successful in 2m39s
Build and Deploy / yarn (push) Successful in 1m48s
Build and Deploy / muffin (push) Successful in 1m14s
2026-04-22 23:02:53 -04:00
0901f5edf0
deploy: potentially fix self-deploy issue?
2026-04-22 23:02:38 -04:00
a1924849d6
pi: edit AGENTS.md
Build and Deploy / mreow (push) Successful in 51s
Build and Deploy / yarn (push) Successful in 54s
Build and Deploy / muffin (push) Failing after 27s
2026-04-22 21:28:20 -04:00
fdd5c5fba0
gitea: hide actions when not logged in
Build and Deploy / mreow (push) Successful in 56s
Build and Deploy / yarn (push) Successful in 52s
Build and Deploy / muffin (push) Successful in 1m1s
2026-04-22 21:23:47 -04:00
d00ff42e8e
site-config: dedupe cross-host values, fix stale dark-reader urls, drop desktop 1g hugepages
new site-config.nix holds values previously duplicated across hosts:
domain, old_domain, contact_email, timezone, binary_cache (url + pubkey),
dns_servers, lan (cidr + gateway), hosts.{muffin,yarn} (ip/alias/ssh_host_key),
ssh_keys.{laptop,desktop,ci_deploy}.

threaded through specialArgs on all three hosts + home-manager extraSpecialArgs +
homeConfigurations.primary + serverLib. service-configs.nix now takes
{ site_config } as a function arg and drops its https namespace; per-service
domains (gitea/matrix/ntfy/mollysocket/livekit/firefox-sync/grafana) are
derived from site_config.domain. ~15 service files and 6 vm tests migrated.

breakage fixes rolled in:
- home/progs/zen/dark-reader.nix: 5 stale *.gardling.com entries in
  disabledFor rewritten to *.sigkill.computer (caddy 301s the old names so
  these never fired and the new sigkill urls were getting dark-reader applied)
- modules/desktop-common.nix: drop unused hugepagesz=1G/hugepages=3
  kernelParams (no consumer on mreow or yarn; xmrig on muffin still reserves
  its own via services/monero/xmrig.nix)

verification: muffin toplevel is bit-identical to pre-refactor baseline.
mreow/yarn toplevels differ only in boot.json kernelParams + darkreader
storage.js (nix-diff verified). deployGuardTest and fail2banVaultwardenTest
(latter exercises site_config.domain via bitwarden.nix) pass.
2026-04-22 20:48:29 -04:00
8cdb9c4381
yarn: improve pull-update-apply script
Build and Deploy / mreow (push) Successful in 2m3s
Build and Deploy / yarn (push) Successful in 1m3s
Build and Deploy / muffin (push) Failing after 28s
2026-04-22 20:11:22 -04:00
3902ad5de3
yarn: fix jovian-stubs
Build and Deploy / mreow (push) Successful in 1m9s
Build and Deploy / yarn (push) Successful in 4m36s
Build and Deploy / muffin (push) Failing after 33s
2026-04-22 19:54:00 -04:00
0538907674
yarn: simplify stubs
Build and Deploy / mreow (push) Successful in 41s
Build and Deploy / yarn (push) Failing after 1m8s
Build and Deploy / muffin (push) Failing after 1m39s
2026-04-22 19:44:53 -04:00
90ce41cd9e
gitea: move gitea-runner user declaration to actions-runner.nix
Build and Deploy / mreow (push) Successful in 55s
Build and Deploy / yarn (push) Failing after 58s
Build and Deploy / muffin (push) Has started running
2026-04-22 19:24:18 -04:00
1be21b6c52
split off terminal utilities
2026-04-22 18:45:00 -04:00
c3cc94a305
merge common-*.nix files
Build and Deploy / mreow (push) Successful in 1h37m19s
Build and Deploy / muffin (push) Has been cancelled
Build and Deploy / yarn (push) Has been cancelled
2026-04-22 18:02:05 -04:00
3317ac7997
update
2026-04-22 17:43:05 -04:00
6ad25c0e49
Revert "kernel: add the penguins" (didn't work)
This reverts commit 9ed48ce841.
2026-04-22 17:41:21 -04:00
d5e6908899
kernel: force amdgpu init on boot
Build and Deploy / mreow (push) Successful in 1h38m1s
Build and Deploy / yarn (push) Successful in 1m2s
Build and Deploy / muffin (push) Failing after 28s
2026-04-22 15:43:37 -04:00
9ed48ce841
kernel: add the penguins
2026-04-22 15:36:00 -04:00
d8a218524a
kernel: disable more things
Build and Deploy / yarn (push) Has been cancelled
Build and Deploy / muffin (push) Has been cancelled
Build and Deploy / mreow (push) Has been cancelled
2026-04-22 15:32:16 -04:00
f03cc87fc9
update senior project website
Build and Deploy / mreow (push) Successful in 28s
Build and Deploy / yarn (push) Successful in 9s
Build and Deploy / muffin (push) Successful in 1m19s
2026-04-22 13:10:26 -04:00
0c8b8232c2
yarn: disable steamos-mandatory-update
Build and Deploy / mreow (push) Successful in 52s
Build and Deploy / yarn (push) Successful in 4m33s
Build and Deploy / muffin (push) Successful in 1m10s
2026-04-22 11:46:37 -04:00
a780c5505a
update
Build and Deploy / mreow (push) Successful in 1h39m40s
Build and Deploy / yarn (push) Successful in 4m26s
Build and Deploy / muffin (push) Failing after 5m12s
2026-04-22 09:16:09 -04:00
b21bb3b33b
deploy guard: expose binary
Build and Deploy / mreow (push) Successful in 1m21s
Build and Deploy / yarn (push) Successful in 45s
Build and Deploy / muffin (push) Successful in 1m26s
2026-04-22 07:28:56 -04:00
b0b4bcb0b3
deploy guard: fix actions
Build and Deploy / mreow (push) Successful in 2m8s
Build and Deploy / yarn (push) Successful in 1m2s
Build and Deploy / muffin (push) Failing after 27s
2026-04-22 01:18:09 -04:00
aef99e7365
deploy-guard: block activation while users are online
Build and Deploy / mreow (push) Successful in 51s
Build and Deploy / yarn (push) Successful in 47s
Build and Deploy / muffin (push) Failing after 1m9s
- modules/server-deploy-guard.nix: extendable aggregator registered via
  services.deployGuard.checks.<name>.{description,command}. Installs
  deploy-guard-check with per-check timeout, pass/block reporting, JSON
  output, DEPLOY_GUARD_BYPASS / /run/deploy-guard-bypass (single-shot).
- services/jellyfin/jellyfin-deploy-guard.nix: curl+jq on /Sessions,
  blocks when any session carries NowPlayingItem; soft-fails when unreachable.
- services/minecraft-deploy-guard.nix: mcstatus SLP query on 25565, blocks
  when players.online > 0; soft-fails when unreachable.
- flake.nix: wrap deploy.nodes.muffin activation with activate.custom so
  deploy-guard-check runs before switch-to-configuration. Auto-rollback
  catches the failure. dryActivate/boot branches preserved.
- deploy.sh: SSH preflight for ./deploy.sh muffin with --force /
  DEPLOY_GUARD_FORCE=1 (touches remote bypass marker). Connectivity
  failure is soft; activation still enforces.
- tests/deploy-guard.nix: aggregator contract, bypass mechanics, timeout,
  JSON output.
2026-04-22 00:36:21 -04:00
ddac5e3f04
jellyfin-annotations: preserve state on grafana failure, add grace period
Three edge cases broke annotations on reboot or interrupted sessions:
- state.pop() ran before grafana_close(), so a failed PATCH (Grafana
  still restarting after reboot) permanently lost the grafana_id and
  left the annotation open forever in Grafana.
- a single poll with no sessions closed every active annotation, so
  Jellyfin restarts or client reconnects produced spurious close +
  duplicate-open pairs.
- timeEnd was always now_ms, so a reboot during playback wrote an
  annotation reading as if the user watched through the outage.

Fix: track last_seen_ms and missing_count in state; retain entries
until grafana_close succeeds (retry indefinitely); require
MISSING_THRESHOLD absent polls before close; clamp close_time to
last_seen_ms + (MISSING_THRESHOLD + 1) * POLL_INTERVAL.

Adds three subtests in tests/jellyfin-annotations.nix that each fail
on the old code and pass on the new.
2026-04-22 00:35:26 -04:00
a228f61d34
systemd: patch freezer stuck-state on kill-while-frozen
Reset u->freezer_state to FREEZER_RUNNING when a unit transitions to
inactive/failed. Without this, any SIGKILL path to a frozen unit
(systemctl kill, OOM, watchdog SIGABRT-then-KILL, segfault) leaves
the unit stranded at FreezerState=frozen with no recovery short of
a reboot. Complements upstream PR #38528 which covers only the
watchdog path.

xmrig-auto-pause never calls `systemctl freeze` itself (direct
cgroup.freeze writes bypass the bug class entirely), so the patch
is defensive: benefits systemd-homed on lock, user-session freezing
on suspend, or anything else that may freeze units on muffin.

Patching systemd cascades udev-check-hook hash changes into fuse3 -->
e2fsprogs and into fish. Two test-suite workarounds ride along:
drop e2fsprogs m_hugefile (4 GiB sparse file, fails on some build
sandboxes) and fish doCheck=false (cargo pexpect TTY tests). Both
are environmental, unrelated to the patch.
2026-04-21 23:52:36 -04:00
018b590e0d
xmrig-auto-pause: use cgroup.freeze and thaws
2026-04-21 14:30:03 -04:00
a8cf95c7dd
soulseek: only retain cache for 1 day
Build and Deploy / mreow (push) Successful in 1m53s
Build and Deploy / yarn (push) Successful in 42s
Build and Deploy / muffin (push) Successful in 1m18s
2026-04-21 12:56:46 -04:00
e8e3174420
remove timeout stop sec for qbt
Build and Deploy / mreow (push) Successful in 2m22s
Build and Deploy / yarn (push) Successful in 2m19s
Build and Deploy / muffin (push) Successful in 1m59s
2026-04-20 22:19:24 -04:00
c3d934867c
qbt: enbiggen aggregation of reads
Build and Deploy / mreow (push) Successful in 1m14s
Build and Deploy / yarn (push) Successful in 40s
Build and Deploy / muffin (push) Failing after 3m29s
2026-04-20 22:01:25 -04:00
41efc1f061
update
Build and Deploy / mreow (push) Successful in 2h15m30s
Build and Deploy / yarn (push) Successful in 2m33s
Build and Deploy / muffin (push) Failing after 3m20s
2026-04-20 17:26:53 -04:00
b99a039ab0
tests: move fail2ban tests into subdirectory
2026-04-20 17:25:45 -04:00
9ddef4bd54
llama.cpp: fail2ban for invalid api keys
2026-04-20 17:20:52 -04:00
b1c3914b8f
tests: fix service-configs.nix reference
2026-04-20 15:24:21 -04:00
adbb019977
gitea: move runner and main module to services/gitea
2026-04-20 15:18:37 -04:00
5232211c0a
update
Build and Deploy / mreow (push) Successful in 11m39s
Build and Deploy / yarn (push) Successful in 58s
Build and Deploy / muffin (push) Successful in 1m58s
2026-04-19 20:35:52 -04:00
0a873e8eaa
AGENTS.md: nit, wording
2026-04-18 02:03:05 -04:00
primary
3953fd92df
readme: bring back the fun
2026-04-18 01:56:35 -04:00