d8a218524a
kernel: disable more things
Build and Deploy / yarn (push) Has been cancelled
Build and Deploy / muffin (push) Has been cancelled
Build and Deploy / mreow (push) Has been cancelled
2026-04-22 15:32:16 -04:00
b21bb3b33b
deploy guard: expose binary
Build and Deploy / mreow (push) Successful in 1m21s
Build and Deploy / yarn (push) Successful in 45s
Build and Deploy / muffin (push) Successful in 1m26s
2026-04-22 07:28:56 -04:00
aef99e7365
deploy-guard: block activation while users are online
...
Build and Deploy / mreow (push) Successful in 51s
Build and Deploy / yarn (push) Successful in 47s
Build and Deploy / muffin (push) Failing after 1m9s
- modules/server-deploy-guard.nix: extendable aggregator registered via
services.deployGuard.checks.<name>.{description,command}. Installs
deploy-guard-check with per-check timeout, pass/block reporting, JSON
output, DEPLOY_GUARD_BYPASS / /run/deploy-guard-bypass (single-shot).
- services/jellyfin/jellyfin-deploy-guard.nix: curl+jq on /Sessions,
blocks when any session carries NowPlayingItem; soft-fails when unreachable.
- services/minecraft-deploy-guard.nix: mcstatus SLP query on 25565, blocks
when players.online > 0; soft-fails when unreachable.
- flake.nix: wrap deploy.nodes.muffin activation with activate.custom so
deploy-guard-check runs before switch-to-configuration. Auto-rollback
catches the failure. dryActivate/boot branches preserved.
- deploy.sh: SSH preflight for ./deploy.sh muffin with --force /
DEPLOY_GUARD_FORCE=1 (touches remote bypass marker). Connectivity
failure is soft; activation still enforces.
- tests/deploy-guard.nix: aggregator contract, bypass mechanics, timeout,
JSON output.
2026-04-22 00:36:21 -04:00
primary
25d6e7eead
phase 6: remove legacy git-crypt-key-{dotfiles,server-config} agenix entries
...
Build and Deploy / mreow (push) Successful in 1m42s
Build and Deploy / yarn (push) Successful in 45s
Build and Deploy / muffin (push) Successful in 1m10s
Unified CI on nixos repo is proven end-to-end (CI run on 836f80a
2026-04-18 01:37:14 -04:00
primary
c7712e57ff
phase 5: add git-crypt-key-nixos agenix entry (additive)
...
The two legacy entries git-crypt-key-{dotfiles,server-config} stay until
muffin has deployed this config at least once and the new CI pipeline is
green. Phase 6 removes them after cutover.
2026-04-18 01:14:09 -04:00
primary
97ab8bffc0
phase 3: generate flake.lock; fix desktop-networkmanager wifi path
...
Secret plaintext sits in working tree for Phase 3 eval only; Phase 5 re-encrypts
under the new unified git-crypt key.
2026-04-18 01:05:08 -04:00
primary
1719d54ee0
phase 3: new flake.nix + extract common-{nix,doas,shell-fish}; rewire imports
...
- New unified flake with two nixpkgs channels (unstable for desktops, 25.11 for muffin)
- modules/common-{doas,shell-fish,nix}.nix extracted from duplicated blocks
- modules/desktop-common.nix: renamed from system/common.nix; secret paths point to secrets/desktop/
- hosts/{mreow,yarn}/default.nix import desktop-common; yarn imports modules/no-rgb.nix
- hosts/muffin/default.nix imports common-* + server-prefixed modules + services/; duplicate doas/fish/nix blocks removed; gc retention preserved as mkForce override
- modules/age-secrets.nix: file paths → ../secrets/server/*.age
- services/{minecraft,matrix/livekit}: secret paths → ../secrets/server/
- home/profiles/*.nix: ./progs/ → ../progs/
- hosts/{mreow,yarn}/home.nix: imports rewired to ../../home/profiles/ and ../../home/progs/
- home/progs/pi.nix and hosts/yarn/home.nix: secret reads → ../../secrets/home/
- tests/*.nix: ../modules/security.nix → ../modules/server-security.nix; ../modules/overlays.nix → ../lib/overlays.nix
- lib/default.nix: takes explicit lib param (defaults to nixpkgs-stable.lib)
2026-04-18 00:58:55 -04:00
primary
30d8cf4c99
phase 2: move modules/ (server-*, desktop-*, shared); drop dotfiles no-rgb (superseded)
2026-04-18 00:47:56 -04:00
