aef99e7365
deploy-guard: block activation while users are online
Build and Deploy / mreow (push) Successful in 51s
Build and Deploy / yarn (push) Successful in 47s
Build and Deploy / muffin (push) Failing after 1m9s
- modules/server-deploy-guard.nix: extendable aggregator registered via
  services.deployGuard.checks.<name>.{description,command}. Installs
  deploy-guard-check with per-check timeout, pass/block reporting, JSON
  output, DEPLOY_GUARD_BYPASS / /run/deploy-guard-bypass (single-shot).
- services/jellyfin/jellyfin-deploy-guard.nix: curl+jq on /Sessions,
  blocks when any session carries NowPlayingItem; soft-fails when unreachable.
- services/minecraft-deploy-guard.nix: mcstatus SLP query on 25565, blocks
  when players.online > 0; soft-fails when unreachable.
- flake.nix: wrap deploy.nodes.muffin activation with activate.custom so
  deploy-guard-check runs before switch-to-configuration. Auto-rollback
  catches the failure. dryActivate/boot branches preserved.
- deploy.sh: SSH preflight for ./deploy.sh muffin with --force /
  DEPLOY_GUARD_FORCE=1 (touches remote bypass marker). Connectivity
  failure is soft; activation still enforces.
- tests/deploy-guard.nix: aggregator contract, bypass mechanics, timeout,
  JSON output.
2026-04-22 00:36:21 -04:00
ddac5e3f04
jellyfin-annotations: preserve state on grafana failure, add grace period
Three edge cases broke annotations on reboot or interrupted sessions:
- state.pop() ran before grafana_close(), so a failed PATCH (Grafana
  still restarting after reboot) permanently lost the grafana_id and
  left the annotation open forever in Grafana.
- a single poll with no sessions closed every active annotation, so
  Jellyfin restarts or client reconnects produced spurious close +
  duplicate-open pairs.
- timeEnd was always now_ms, so a reboot during playback wrote an
  annotation reading as if the user watched through the outage.
Fix: track last_seen_ms and missing_count in state; retain entries
until grafana_close succeeds (retry indefinitely); require
MISSING_THRESHOLD absent polls before close; clamp close_time to
last_seen_ms + (MISSING_THRESHOLD + 1) * POLL_INTERVAL.
Adds three subtests in tests/jellyfin-annotations.nix that each fail
on the old code and pass on the new.
2026-04-22 00:35:26 -04:00
018b590e0d
xmrig-auto-pause: use cgroup.freeze and thaws
2026-04-21 14:30:03 -04:00
b99a039ab0
tests: move fail2ban tests into subdirectory
2026-04-20 17:25:45 -04:00
9ddef4bd54
llama.cpp: fail2ban for invalid api keys
2026-04-20 17:20:52 -04:00
b1c3914b8f
tests: fix service-configs.nix reference
2026-04-20 15:24:21 -04:00
adbb019977
gitea: move runner and main module to services/gitea
2026-04-20 15:18:37 -04:00
primary
1719d54ee0
phase 3: new flake.nix + extract common-{nix,doas,shell-fish}; rewire imports
- New unified flake with two nixpkgs channels (unstable for desktops, 25.11 for muffin)
- modules/common-{doas,shell-fish,nix}.nix extracted from duplicated blocks
- modules/desktop-common.nix: renamed from system/common.nix; secret paths point to secrets/desktop/
- hosts/{mreow,yarn}/default.nix import desktop-common; yarn imports modules/no-rgb.nix
- hosts/muffin/default.nix imports common-* + server-prefixed modules + services/; duplicate doas/fish/nix blocks removed; gc retention preserved as mkForce override
- modules/age-secrets.nix: file paths → ../secrets/server/*.age
- services/{minecraft,matrix/livekit}: secret paths → ../secrets/server/
- home/profiles/*.nix: ./progs/ → ../progs/
- hosts/{mreow,yarn}/home.nix: imports rewired to ../../home/profiles/ and ../../home/progs/
- home/progs/pi.nix and hosts/yarn/home.nix: secret reads → ../../secrets/home/
- tests/*.nix: ../modules/security.nix → ../modules/server-security.nix; ../modules/overlays.nix → ../lib/overlays.nix
- lib/default.nix: takes explicit lib param (defaults to nixpkgs-stable.lib)
2026-04-18 00:58:55 -04:00
primary
999ed05d9f
phase 2: promote services/, tests/, patches/, lib/, scripts/
2026-04-18 00:47:39 -04:00