titaniumtown/nixos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: titaniumtown:fdd5c5fba023866833bde45e476ae6e6b6a37a81
Branches Tags
titaniumtown:main
..
compare: titaniumtown:main
Branches Tags
titaniumtown:main

36 Commits
fdd5c5fba0 ... main

Author SHA1 Message Date
Simon Gardling
3201b5726e update
Some checks failed
Build and Deploy / mreow (push) Successful in 1m44s
Details
Build and Deploy / yarn (push) Successful in 1m3s
Details
Build and Deploy / muffin (push) Failing after 27s
Details
2026-04-26 00:12:30 -04:00
Simon Gardling
3c7bdc0c42 ghostty: colors
Some checks failed
Build and Deploy / mreow (push) Successful in 1m9s
Details
Build and Deploy / yarn (push) Successful in 1m4s
Details
Build and Deploy / muffin (push) Failing after 30s
Details
2026-04-25 22:36:29 -04:00
Simon Gardling
2ebb7fc90d ghostty: open in home 2026-04-25 22:34:42 -04:00
Simon Gardling
72320e2332 ghostty: speedup start 2026-04-25 22:31:21 -04:00
Simon Gardling
b5a94520fe README.md: i don't use KDE anymore 2026-04-25 22:24:36 -04:00
Simon Gardling
9ee3547d5d ghostty 2026-04-25 22:21:27 -04:00
Simon Gardling
ce288ccdb0 update
Some checks failed
Build and Deploy / mreow (push) Successful in 8m39s
Details
Build and Deploy / yarn (push) Successful in 1m6s
Details
Build and Deploy / muffin (push) Failing after 34s
Details
2026-04-25 20:22:48 -04:00
Simon Gardling
da87f82a66 noctalia: disable startup animation 2026-04-25 20:21:44 -04:00
Simon Gardling
90f2c27c2c DISABLE KMSCON
Some checks failed
Build and Deploy / mreow (push) Successful in 7m39s
Details
Build and Deploy / yarn (push) Successful in 1m5s
Details
Build and Deploy / muffin (push) Failing after 36s
Details 
THIS is what caused issues with greetd, nothing kernel related
 2026-04-25 19:20:24 -04:00
Simon Gardling
450b77140b pi: apply omp patches via prePatch (bun2nix.hook overrides patchPhase) 
`bun2nix.hook` (used by upstream omp's package.nix) sets

  patchPhase = bunPatchPhase

at the end of its setup-hook unless `dontUseBunPatch` is already set.
`bunPatchPhase` only runs `patchShebangs` plus a HOME mktemp; it never
iterates over `$patches`. The standard nixpkgs `patches` attribute
therefore went into the derivation env but was silently ignored at
build time, leaving the deployed omp binary unpatched.

Switch to applying the two patches via `prePatch` (which `bunPatchPhase`
does call). Verified with strings(1) over the rebuilt binary that both
patch hunks land:

  /wrong_api_format|...|invalid tool parameters/  (patch 0001)
  stubsReasoningContent ... thinkingFormat == "openrouter"  (patch 0002)
 2026-04-25 19:20:08 -04:00
Simon Gardling
318373c09c pi: patch omp to require reasoning_content for OpenRouter reasoning models 
DeepSeek V4 Pro (and similar reasoning models reached via OpenRouter) reject
multi-turn requests in thinking mode with:

  400 The `reasoning_content` in the thinking mode must be passed back
  to the API.

omp's existing kimi placeholder injection (`requiresReasoningContentForToolCalls`)
covered this requirement only for `thinkingFormat == "openai"`. OpenRouter
sets `thinkingFormat == "openrouter"`, so the gate never fired even though
the underlying providers behind OpenRouter (DeepSeek, Kimi, etc.) all enforce
the same invariant.

This patch:

1. Extends `requiresReasoningContentForToolCalls` detection: any
   reasoning-capable model fronted by OpenRouter now sets the flag.
2. Extends the placeholder gate in `convertMessages` to accept
   `thinkingFormat == "openrouter"` alongside `"openai"`.

Cross-provider continuations are the dominant trigger: a conversation
warmed up by Anthropic Claude (whose reasoning is redacted/encrypted on
the wire) followed by a switch to DeepSeek V4 Pro via OpenRouter. omp
cannot synthesize plaintext `reasoning_content` from Anthropic's
encrypted blocks, so the placeholder satisfies DeepSeek's validator
without fabricating a reasoning trace. Real captured reasoning, when
present, short-circuits the placeholder via `hasReasoningField` and
survives intact.

Side benefit: also closes a latent gap where Kimi-via-OpenRouter
(`thinkingFormat == "openrouter"`) had the compat flag set but the
placeholder gate silently rejected it.

Applies cleanly on top of patch 0001.
 2026-04-25 19:20:05 -04:00
Simon Gardling
d55743a9e7 revert: roll back flake.lock pre-update (niri 8ed0da4 black-screens on amdgpu) 2026-04-25 16:21:28 -04:00
Simon Gardling
8ab4924948 omp: add patch that fixes deepseek 2026-04-25 15:38:39 -04:00
Simon Gardling
8bd148dc96 update
All checks were successful
Build and Deploy / mreow (push) Successful in 12m7s
Details
Build and Deploy / yarn (push) Successful in 1m36s
Details
Build and Deploy / muffin (push) Successful in 1m11s
Details
2026-04-25 15:20:34 -04:00
Simon Gardling
2ab1c855ec Revert "muffin: test, move to 7.0"
All checks were successful
Build and Deploy / mreow (push) Successful in 1m45s
Details
Build and Deploy / yarn (push) Successful in 47s
Details
Build and Deploy / muffin (push) Successful in 1m31s
Details 
This reverts commit f67ec5bde6.
 2026-04-25 10:50:00 -04:00
Simon Gardling
f67ec5bde6 muffin: test, move to 7.0
Some checks failed
Build and Deploy / mreow (push) Successful in 1h43m17s
Details
Build and Deploy / yarn (push) Successful in 22m1s
Details
Build and Deploy / muffin (push) Failing after 33s
Details
2026-04-25 02:12:21 -04:00
Simon Gardling
112b85f3fb update
Some checks failed
Build and Deploy / yarn (push) Has been cancelled
Details
Build and Deploy / muffin (push) Has been cancelled
Details
Build and Deploy / mreow (push) Has been cancelled
Details
2026-04-25 01:45:47 -04:00
Simon Gardling
86cf624027 Revert "muffin: test, move to 6.18"
All checks were successful
Build and Deploy / mreow (push) Successful in 50s
Details
Build and Deploy / yarn (push) Successful in 44s
Details
Build and Deploy / muffin (push) Successful in 1m2s
Details 
This reverts commit 1df3a303f5.
 2026-04-24 14:21:40 -04:00
Simon Gardling
1df3a303f5 muffin: test, move to 6.18
All checks were successful
Build and Deploy / mreow (push) Successful in 1m15s
Details
Build and Deploy / yarn (push) Successful in 43s
Details
Build and Deploy / muffin (push) Successful in 1m29s
Details
2026-04-24 14:08:26 -04:00
Simon Gardling
07a5276e40 patiodeck: fix disko partition order (fixed-size before 100%) 2026-04-24 01:47:25 -04:00
Simon Gardling
f3d21f16fb desktop-jovian: unify steam/jovian config across yarn + patiodeck 
- modules/desktop-jovian.nix: shared Jovian deck-mode config (unfree
  predicate, jovian.steam, sddm, gamescope override, imports
  desktop-steam-update.nix)
- home/progs/steam-shortcuts.nix: declarative non-Steam shortcuts
  (Prism Launcher); add new entries here for all Jovian hosts
- hosts/yarn/default.nix: reduced to host-specific config only
- hosts/patiodeck/default.nix: same
 2026-04-23 22:42:25 -04:00
Simon Gardling
5b2a1a652a patiodeck: add prism launcher to steam shortcuts 2026-04-23 22:34:58 -04:00
Simon Gardling
665793668d patiodeck: add steam deck LCD host 2026-04-23 22:34:47 -04:00
Simon Gardling
5ccd84c77e yarn: fix steamos-update exit code — 7 means no update, not 0
Some checks failed
Build and Deploy / mreow (push) Successful in 1m48s
Details
Build and Deploy / yarn (push) Successful in 4m39s
Details
Build and Deploy / muffin (push) Failing after 31s
Details 
Steam interprets exit 0 from 'steamos-update check' as 'update applied
successfully' and shows a persistent 'update available' notification.
The SteamOS convention is exit 7 = no update available.
 2026-04-23 20:47:33 -04:00
Simon Gardling
7721c9d3a2 ssh: remove desktop key
Some checks failed
Build and Deploy / mreow (push) Successful in 1m58s
Details
Build and Deploy / yarn (push) Successful in 47s
Details
Build and Deploy / muffin (push) Failing after 30s
Details
2026-04-23 20:23:37 -04:00
Simon Gardling
b41a547589 yarn: persist root fish history
Some checks failed
Build and Deploy / mreow (push) Successful in 46s
Details
Build and Deploy / yarn (push) Successful in 51s
Details
Build and Deploy / muffin (push) Failing after 28s
Details
2026-04-23 20:17:02 -04:00
Simon Gardling
d122842995 secrets: update yarn TPM recipient after tmpfs wipe
Some checks failed
Build and Deploy / mreow (push) Successful in 2m8s
Details
Build and Deploy / yarn (push) Successful in 48s
Details
Build and Deploy / muffin (push) Failing after 29s
Details
2026-04-23 19:56:54 -04:00
Simon Gardling
d65d991118 secrets: add mreow + yarn TPM recipients, re-encrypt desktop secrets
Some checks failed
Build and Deploy / mreow (push) Successful in 2m56s
Details
Build and Deploy / yarn (push) Successful in 1m49s
Details
Build and Deploy / muffin (push) Failing after 31s
Details
2026-04-23 19:45:57 -04:00
Simon Gardling
06ccc337c1 secrets: proper agenix for desktop hosts via TPM identity 
- modules/desktop-age-secrets.nix: agenix + rage wrapped with age-plugin-tpm,
  TPM identity primary, admin SSH key fallback for recovery/pre-bootstrap
- modules/desktop-lanzaboote-agenix.nix: extract secureboot.tar at activation
- modules/desktop-networkmanager.nix: revert to simple import of git-crypt file
- modules/server-age-secrets.nix: renamed from age-secrets.nix
- modules/desktop-common.nix: wire netrc + password-hash to agenix paths
- hosts/yarn/impermanence.nix: persist /var/lib/agenix across tmpfs wipes
- secrets/secrets.nix: recipient declarations (admin + tpm + muffin USB)
- secrets/desktop/*.age: secureboot.tar, nix-cache-netrc, password-hash
- scripts/bootstrap-desktop-tpm.sh: generate TPM identity + print recipient
 2026-04-23 19:24:34 -04:00
Simon Gardling
a3f7a19cc2 update
All checks were successful
Build and Deploy / mreow (push) Successful in 3m39s
Details
Build and Deploy / yarn (push) Successful in 1m3s
Details
Build and Deploy / muffin (push) Successful in 2m26s
Details
2026-04-23 14:23:17 -04:00
Simon Gardling
e019f2d4fb secrets overhaul: use tpm for laptop (need to migrate desktop later) 2026-04-23 14:22:37 -04:00
Simon Gardling
22282691e7 grafana: add minecraft server stats 2026-04-23 01:17:10 -04:00
Simon Gardling
bc3652c782 kernel: cleanup + add back intel gpu (for future server unification)
All checks were successful
Build and Deploy / mreow (push) Successful in 1h25m37s
Details
Build and Deploy / yarn (push) Successful in 1m3s
Details
Build and Deploy / muffin (push) Successful in 1m6s
Details
2026-04-23 00:23:21 -04:00
Simon Gardling
0a8b863e4b gitea: fix actions visibility
All checks were successful
Build and Deploy / mreow (push) Successful in 2m39s
Details
Build and Deploy / yarn (push) Successful in 1m48s
Details
Build and Deploy / muffin (push) Successful in 1m14s
Details
2026-04-22 23:02:53 -04:00
Simon Gardling
0901f5edf0 deploy: potentially fix self-deploy issue? 2026-04-22 23:02:38 -04:00
Simon Gardling
a1924849d6 pi: edit AGENTS.md
Some checks failed
Build and Deploy / mreow (push) Successful in 51s
Details
Build and Deploy / yarn (push) Successful in 54s
Details
Build and Deploy / muffin (push) Failing after 27s
Details
2026-04-22 21:28:20 -04:00
50 changed files with 2289 additions and 427 deletions
Expand all files Collapse all files

36
AGENTS.md
View File

@@ -36,10 +36,11 @@ lib/
overlays.nix # jellyfin-exporter, igpu-exporter, reflac, ensureZfsMounts
patches/nixpkgs/ # applied to nixpkgs-stable for muffin builds
secrets/
desktop/ # git-crypt: mreow + yarn share these (wifi, nix-cache-netrc, secureboot.tar, password-hash, disk-password)
secrets.nix # agenix recipients (who can decrypt each .age)
desktop/ # agenix *.age (mreow + yarn) + disk-password (install-time only, git-crypt)
home/ # git-crypt: per-user HM secrets (api keys, steam id)
server/ # agenix *.age + git-crypt *.nix/*.tar/livekit_keys
usb-secrets/ # USB-resident agenix identity key (git-crypt inside the repo)
server/ # agenix *.age + git-crypt *.nix/*.tar/livekit_keys (muffin)
usb-secrets/ # USB-resident agenix identity for muffin (git-crypt inside the repo)
```
**Never read or write files under `secrets/`.** They are encrypted at rest (git-crypt for plaintext, agenix for `.age`). The git-crypt key is delivered to `muffin` at runtime as `/run/agenix/git-crypt-key-nixos.age`.
@@ -89,7 +90,7 @@ If Nix complains about a missing file, `git add` it first — flakes only see tr
| `common-` | imported by ALL hosts | `common-doas.nix`, `common-nix.nix`, `common-shell-fish.nix` |
| `desktop-` | imported by mreow + yarn only | `desktop-common.nix`, `desktop-steam.nix`, `desktop-networkmanager.nix` |
| `server-` | imported by muffin only | `server-security.nix`, `server-power.nix`, `server-impermanence.nix`, `server-lanzaboote-agenix.nix` |
| *(none)* | host-specific filename-scoped; see file contents | `age-secrets.nix`, `zfs.nix`, `no-rgb.nix` (yarn + muffin) |
| *(none)* | host-specific filename-scoped; see file contents | `zfs.nix`, `no-rgb.nix` (yarn + muffin) |
New modules: pick the narrowest prefix that's true, then add the import explicitly in the host's `default.nix` (there is no auto-discovery).
@@ -117,14 +118,18 @@ New modules: pick the narrowest prefix that's true, then add the import explicit
## Secrets
- **git-crypt** covers `secrets/**` per the root `.gitattributes`. Initialized with a single symmetric key checked into `secrets/server/git-crypt-key-nixos.age` (agenix-encrypted to the USB SSH identity).
- **agenix** decrypts `secrets/server/*.age` at activation into `/run/agenix/` on muffin.
- **USB identity**: `/mnt/usb-secrets/usb-secrets-key` on muffin; the age identity path is wired in `modules/usb-secrets.nix`.
- **Encrypting a new agenix secret** uses the SSH public key directly with `age -R`:
- **agenix** decrypts `*.age` into `/run/agenix/` at activation on every host:
- **muffin**: identity is `/mnt/usb-secrets/usb-secrets-key` (ssh-ed25519 on a physical USB). Wired in `modules/usb-secrets.nix`.
- **mreow + yarn**: identity is `/var/lib/agenix/tpm-identity` (an `age-plugin-tpm` handle sealed by the host's TPM 2.0). Wired in `modules/desktop-age-secrets.nix`; yarn persists `/var/lib/agenix` through impermanence.
- **Recipients** are declared in `secrets/secrets.nix`. Desktop secrets are encrypted to the admin SSH key + each host's TPM recipient; server secrets stay encrypted to the muffin USB key.
- **Bootstrap a new desktop**: run `doas scripts/bootstrap-desktop-tpm.sh` on the host. It generates a TPM-sealed identity at `/var/lib/agenix/tpm-identity` and prints an `age1tpm1…` recipient. Append it to the `tpm` list in `secrets/secrets.nix`, run `agenix -r` to re-encrypt, commit, `./deploy.sh switch`.
- **Encrypting a new server secret** uses the SSH public key directly with `age -R`:
```sh
age -R <(ssh-keygen -y -f secrets/usb-secrets/usb-secrets-key) \
-o secrets/server/<name>.age \
/path/to/plaintext
```
For desktop secrets, prefer `agenix -e secrets/desktop/<name>.age` from a shell with `age-plugin-tpm` on PATH — it reads `secrets/secrets.nix` and encrypts to every recipient listed there.
- **DO NOT use `ssh-to-age`**. It produces `X25519` recipient stanzas, which the SSH private key on muffin cannot decrypt (it only decrypts `ssh-ed25519` stanzas produced by `age -R` against the SSH pubkey). Mismatched stanzas show up as `age: error: no identity matched any of the recipients` at deploy time.
- Never read or commit plaintext secrets. Never log secret values.
@@ -191,11 +196,26 @@ lib.mkIf config.services.<service>.enable {
Existing registrations live in `services/jellyfin/jellyfin-deploy-guard.nix` (REST `/Sessions` via curl+jq) and `services/minecraft-deploy-guard.nix` (Server List Ping via `mcstatus`). Prefer soft-fail on unreachable — a service that's already down has no users to disrupt.
## Deploy finalize (muffin)
`modules/server-deploy-finalize.nix` solves the self-deploy problem: the gitea-actions runner driving CI deploys lives on muffin itself, so a direct `switch-to-configuration switch` restarts the runner mid-activation, killing the SSH session, the CI job, and deploy-rs's magic-rollback handshake. The failure mode is visible as "deploy appears to fail even though the new config landed" (or worse, a rollback storm).
The fix is a two-phase activation wired into `deploy.nodes.muffin.profiles.system.path` in `flake.nix`:
1. `switch-to-configuration boot` — bootloader-only, no service restarts. The runner, SSH session, and magic-rollback survive.
2. `deploy-finalize` — schedules a detached `systemd-run --on-active=N` transient unit (default 60s). The unit is owned by pid1, so it survives the eventual runner restart. If `/run/booted-system/{kernel,initrd,kernel-modules}` differs from the new profile's, the unit runs `systemctl reboot`; otherwise it runs `switch-to-configuration switch`.
That is, reboot is dynamically gated on kernel/initrd/kernel-modules change. The 60s delay is tuned so the CI job (or manual `./deploy.sh muffin`) has time to emit status/notification steps before the runner is recycled.
Back-to-back deploys supersede each other: each invocation cancels any still-pending `deploy-finalize-*.timer` before scheduling its own. `deploy-finalize --dry-run` prints the decision without scheduling anything — useful when debugging.
Prior art: the 3-path `{kernel,initrd,kernel-modules}` diff is lifted from nixpkgs's `system.autoUpgrade` module (the `allowReboot = true` branch) and was packaged the same way in [obsidiansystems/obelisk#957](https://github.com/obsidiansystems/obelisk/pull/957). nixpkgs#185030 tracks lifting it into `switch-to-configuration` proper but has been stale since 2025-07. The self-deploy `systemd-run` detachment is the proposed fix from [deploy-rs#153](https://github.com/serokell/deploy-rs/issues/153), also unmerged upstream.
## Technical details
- **Privilege escalation**: `doas` everywhere; `sudo` is disabled on every host.
- **Shell**: fish. `bash` login shells re-exec into fish via `programs.bash.interactiveShellInit` (see `modules/common-shell-fish.nix`).
- **Secure boot**: lanzaboote. Desktops extract keys from `secrets/desktop/secureboot.tar`; muffin extracts from an agenix-decrypted tar (see `modules/server-lanzaboote-agenix.nix`).
- **Secure boot**: lanzaboote. Every host extracts keys from an agenix-decrypted tar at activation — desktops via `modules/desktop-lanzaboote-agenix.nix`, muffin via `modules/server-lanzaboote-agenix.nix`.
- **Impermanence**: muffin is tmpfs-root with `/persistent` surviving reboots (`modules/server-impermanence.nix`); yarn binds `/home/primary` from `/persistent` (`hosts/yarn/impermanence.nix`).
- **Disks**: disko.
- **Binary cache**: muffin runs harmonia; desktops consume it at `https://nix-cache.sigkill.computer`.

4
README.md
View File

@@ -12,11 +12,11 @@ Browser: Firefox 🦊 (actually [Zen Browser](https://github.com/zen-browser/des
Text Editor: [Doom Emacs](https://github.com/doomemacs/doomemacs)
Terminal: [alacritty](https://github.com/alacritty/alacritty)
Terminal: [ghostty](https://ghostty.org/)
Shell: [fish](https://fishshell.com/) with the [pure](https://github.com/pure-fish/pure) prompt
WM: [niri](https://github.com/YaLTeR/niri) (KDE on my desktop)
WM: [niri](https://github.com/YaLTeR/niri)
### Background
- Got my background from [here](https://old.reddit.com/r/celestegame/comments/11dtgwg/all_most_of_the_backgrounds_in_celeste_edited/) and used the command `magick input.png -filter Point -resize 2880x1920! output.png` to upscale it bilinearly

132
flake.lock generated
View File

@@ -92,16 +92,16 @@
]
},
"locked": {
"lastModified": 1776182890,
"narHash": "sha256-+/VOe8XGq5klpU+I19D+3TcaR7o+Cwbq67KNF7mcFak=",
"owner": "Mic92",
"lastModified": 1776192490,
"narHash": "sha256-5gYQNEs0/vDkHhg63aHS5g0IwG/8HNvU1Vr00cElofk=",
"owner": "nix-community",
"repo": "bun2nix",
"rev": "648d293c51e981aec9cb07ba4268bc19e7a8c575",
"rev": "6ef9f144616eedea90b364bb408ef2e1de7b310a",
"type": "github"
},
"original": {
"owner": "Mic92",
"ref": "catalog-support",
"owner": "nix-community",
"ref": "staging-2.1.0",
"repo": "bun2nix",
"type": "github"
}
@@ -109,11 +109,11 @@
"cachyos-kernel": {
"flake": false,
"locked": {
"lastModified": 1776608760,
"narHash": "sha256-ehDv8bF7k/2Kf4b8CCoSm51U/MOoFuLsRXqe5wZ57sE=",
"lastModified": 1776881435,
"narHash": "sha256-j8AobLjMzeKJugseObrVC4O5k7/aZCWoft2sCS3jWYs=",
"owner": "CachyOS",
"repo": "linux-cachyos",
"rev": "7e06e29005853bbaaa3b1c1067f915d6e0db728a",
"rev": "1c61dfd1c3ad7762faa0db8b06c6af6c59cc4340",
"type": "github"
},
"original": {
@@ -125,11 +125,11 @@
"cachyos-kernel-patches": {
"flake": false,
"locked": {
"lastModified": 1776792814,
"narHash": "sha256-39dlIhz9KxUNQFxGpE9SvCviaOWAivdW0XJM8RnPNmg=",
"lastModified": 1777002108,
"narHash": "sha256-PIZCIf6xUTOUqLFbEGH0mSwu2O/YfeAmYlgdAbP4dhs=",
"owner": "CachyOS",
"repo": "kernel-patches",
"rev": "d7d558d0b2e239e27b40bcf1af6fe12e323aa391",
"rev": "46476ae2538db486462aef8a9de37d19030cdaf2",
"type": "github"
},
"original": {
@@ -222,11 +222,11 @@
]
},
"locked": {
"lastModified": 1776849698,
"narHash": "sha256-t2I9ZhBuAcaLV1Z65aVd/5BmDFGvyzLY5kpiSedx2uY=",
"lastModified": 1777171226,
"narHash": "sha256-nEH9cLA1CRj5JAIjNHBqIam3SCetPNNVCqs8pc1SRao=",
"owner": "nix-community",
"repo": "emacs-overlay",
"rev": "87dff52c245cba0c5103cf89b964e508ed9bb720",
"rev": "ef37c2288f4e1f709f0317757527f52c8563651b",
"type": "github"
},
"original": {
@@ -266,11 +266,11 @@
},
"locked": {
"dir": "pkgs/firefox-addons",
"lastModified": 1776830588,
"narHash": "sha256-1X4L6+F7DgYTUDah+PDs7IYJiQrb7MwYfateq2fBxGY=",
"lastModified": 1777176175,
"narHash": "sha256-l/0TJCLEarrsyHIKNhAjI4+7lkyGsFqojyx1X1h64Ks=",
"owner": "rycee",
"repo": "nur-expressions",
"rev": "f3db83bc13aee22474fab41fa838e50a691dfbc5",
"rev": "515c8c1296021efe49ba1b1318ff27a43e93442b",
"type": "gitlab"
},
"original": {
@@ -484,11 +484,11 @@
]
},
"locked": {
"lastModified": 1776891022,
"narHash": "sha256-vEe2f4NEhMvaNDpM1pla4hteaIIGQyAMKUfIBPLasr0=",
"lastModified": 1777151655,
"narHash": "sha256-Th3a5OZyEy4kCoyLfefnt+2dwRIrFQqYgMsayF9qzFw=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "508daf831ab8d1b143d908239c39a7d8d39561b2",
"rev": "6f59831b23d03bbf4fbd13ad167ae25da294cc14",
"type": "github"
},
"original": {
@@ -564,11 +564,11 @@
]
},
"locked": {
"lastModified": 1776874528,
"narHash": "sha256-X4Y2vMbVBuyUQzbZnl72BzpZMYUsWdE78JuDg2ySDxE=",
"lastModified": 1777132364,
"narHash": "sha256-qK6A0xRDAgLf8DUHpDWpVL6NcWi4IhoVClcov+GjLP0=",
"owner": "Jovian-Experiments",
"repo": "Jovian-NixOS",
"rev": "4c8ccc482a3665fb4a3b2cadbbe7772fb7cc2629",
"rev": "7ae8615cc307c282555b025f88e0c8d7c185bcbf",
"type": "github"
},
"original": {
@@ -631,11 +631,11 @@
]
},
"locked": {
"lastModified": 1776862155,
"narHash": "sha256-EDvbwsGNE/N5ul+9ul1dJP3Ouf72+Ub2C0UMbDWcxyQ=",
"lastModified": 1777066729,
"narHash": "sha256-f+a+ikbq0VS6RQFf+A6EuVnsWYn2RR3ggRJNkzZgMto=",
"owner": "TheTom",
"repo": "llama-cpp-turboquant",
"rev": "9e3fb40e8bc0f873ad4d3d8329b17dacff28e4ca",
"rev": "11a241d0db78a68e0a5b99fe6f36de6683100f6a",
"type": "github"
},
"original": {
@@ -657,11 +657,11 @@
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1776883427,
"narHash": "sha256-prHCm++hniRcoqzvWTEFyAiLKT6m+EUVCRaDLrsuEgM=",
"lastModified": 1777164684,
"narHash": "sha256-5msV3Vf8yHp22Sht1/pC/6WmkhWVwkQ53K3YkaBpao4=",
"owner": "numtide",
"repo": "llm-agents.nix",
"rev": "6fd26c9cb50d9549f3791b3d35e4f72f97677103",
"rev": "5cc373b344601f1a32621f443e506108a914536a",
"type": "github"
},
"original": {
@@ -704,11 +704,11 @@
"xwayland-satellite-unstable": "xwayland-satellite-unstable"
},
"locked": {
"lastModified": 1776879043,
"narHash": "sha256-M9RjuowtoqQbFRdQAm2P6GjFwgHjRcnWYcB7ChSjDms=",
"lastModified": 1777130270,
"narHash": "sha256-AgOIR3O+hLkTe/spgYjp0knc37iy/A5DqGRY+8DP3LE=",
"owner": "sodiboo",
"repo": "niri-flake",
"rev": "535ebbe038039215a5d1c6c0c67f833409a5be96",
"rev": "e43ef13f23c2c7ae5b10e842745cb345faff4f40",
"type": "github"
},
"original": {
@@ -737,11 +737,11 @@
"niri-unstable": {
"flake": false,
"locked": {
"lastModified": 1776853441,
"narHash": "sha256-mSxfoEs7DiDhMCBzprI/1K7UXzMISuGq0b7T06LVJXE=",
"lastModified": 1777115961,
"narHash": "sha256-ehSMsSpE+0k8r+2Vseu8kangsYxToZv3vinynsDp9zs=",
"owner": "YaLTeR",
"repo": "niri",
"rev": "74d2b18603366b98ec9045ecf4a632422f472365",
"rev": "8ed0da44d974c32c6877d2f4630c314da0717ecb",
"type": "github"
},
"original": {
@@ -761,11 +761,11 @@
]
},
"locked": {
"lastModified": 1776796985,
"narHash": "sha256-cNFg3H09sBZl1v9ds6PDHfLCUTDJbefGMSv+WxFs+9c=",
"lastModified": 1777140538,
"narHash": "sha256-2y5SwHxTOwEdr8WZv1IGBVoJM47YcomfoxFnZj9TgN0=",
"owner": "xddxdd",
"repo": "nix-cachyos-kernel",
"rev": "ac5956bbceb022998fc1dd0001322f10ef1e6dda",
"rev": "ce6083d35e50516dd6eb6156d0cbda67baed9117",
"type": "github"
},
"original": {
@@ -787,11 +787,11 @@
"systems": "systems_6"
},
"locked": {
"lastModified": 1776851701,
"narHash": "sha256-tdtOcU2Hz/eLqAhkzUcEocgX0WpjKSbl2SkVjOZGZw0=",
"lastModified": 1776938345,
"narHash": "sha256-3/BFiytDNoIXMUQHcJLoxa7JK0Q1/49M0ffOR9pbzvw=",
"owner": "marienz",
"repo": "nix-doom-emacs-unstraightened",
"rev": "7ac65a49eec5e3f87d27396e645eddbf9dc626de",
"rev": "eb25c754986165e509ad2ab8c6b6729f4a861f0c",
"type": "github"
},
"original": {
@@ -846,11 +846,11 @@
"systems": "systems_7"
},
"locked": {
"lastModified": 1776828595,
"narHash": "sha256-LkFpFnPTK6H0gwyfYezN3kEKHVxjSdPp/tBnrQRFP3E=",
"lastModified": 1777001712,
"narHash": "sha256-9JX9msZU1NvHzjKM24PRorP76Ge8GBy6LAkJKA21mlY=",
"owner": "Infinidoge",
"repo": "nix-minecraft",
"rev": "28f0f2369655a5910e810c35c698dfaa9ccec692",
"rev": "394d3bfd943458baf29e4798bc9b256d824a3bb9",
"type": "github"
},
"original": {
@@ -861,11 +861,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1776830795,
"narHash": "sha256-PAfvLwuHc1VOvsLcpk6+HDKgMEibvZjCNvbM1BJOA7o=",
"lastModified": 1776983936,
"narHash": "sha256-ZOQyNqSvJ8UdrrqU1p7vaFcdL53idK+LOM8oRWEWh6o=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "72674a6b5599e844c045ae7449ba91f803d44ebc",
"rev": "2096f3f411ce46e88a79ae4eafcfc9df8ed41c61",
"type": "github"
},
"original": {
@@ -877,11 +877,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1776548001,
"narHash": "sha256-ZSK0NL4a1BwVbbTBoSnWgbJy9HeZFXLYQizjb2DPF24=",
"lastModified": 1776877367,
"narHash": "sha256-EHq1/OX139R1RvBzOJ0aMRT3xnWyqtHBRUBuO1gFzjI=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "b12141ef619e0a9c1c84dc8c684040326f27cdcc",
"rev": "0726a0ecb6d4e08f6adced58726b95db924cef57",
"type": "github"
},
"original": {
@@ -991,11 +991,11 @@
"noctalia-qs": "noctalia-qs"
},
"locked": {
"lastModified": 1776888984,
"narHash": "sha256-Up2F/eoMuPUsZnPVYdH5TMHe1TBP2Ue1QuWd0vWZoxY=",
"lastModified": 1777079905,
"narHash": "sha256-TvYEXwkZnRFQRuFyyqTNSfPnU2tMdhtiBOXSk2AWLJA=",
"owner": "noctalia-dev",
"repo": "noctalia-shell",
"rev": "2c1808f9f8937fc0b82c54af513f7620fec56d71",
"rev": "a50c92167c8d438000270f7eca36f6eea74f388e",
"type": "github"
},
"original": {
@@ -1133,11 +1133,11 @@
]
},
"locked": {
"lastModified": 1776827647,
"narHash": "sha256-sYixYhp5V8jCajO8TRorE4fzs7IkL4MZdfLTKgkPQBk=",
"lastModified": 1777173302,
"narHash": "sha256-ERiu3cbxvnTDxiDcimRA7af7xp6x1y0sRyLGm28Qzz8=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "40e6ccc06e1245a4837cbbd6bdda64e21cc67379",
"rev": "aaec8c50baeaf2f2ba653e8aae71778a2bbbac94",
"type": "github"
},
"original": {
@@ -1190,11 +1190,11 @@
]
},
"locked": {
"lastModified": 1776653059,
"narHash": "sha256-K3tWnUj6FXaK95sBUajedutJrFVrOzYhvrQwQjJ0FbU=",
"lastModified": 1777000965,
"narHash": "sha256-xcrhVgfI13s1WH4hg5MLL83zAp6/htfF8Pjw4RPiKM8=",
"owner": "nix-community",
"repo": "srvos",
"rev": "4968d2a44c84edfc9a38a2494cc7f85ad2c7122b",
"rev": "7ae6f096b2ffbd25d17da8a4d0fe299a164c4eac",
"type": "github"
},
"original": {
@@ -1356,11 +1356,11 @@
"trackerlist": {
"flake": false,
"locked": {
"lastModified": 1776809383,
"narHash": "sha256-r4V5l+Yk3jxVfZNQk2Ddu8Vlyshd9FWcnGGFyaL4UCw=",
"lastModified": 1777154980,
"narHash": "sha256-zEJCVDBjo0SDlYOnkfi9o6lJWpMfmmR6Oh67RPybbqI=",
"owner": "ngosang",
"repo": "trackerslist",
"rev": "37d5c0552c25abf50f05cc6b377345e65a588dc2",
"rev": "9599dfb9be9d899bb5abd40a5dc53e5c5be90fd4",
"type": "github"
},
"original": {
@@ -1524,11 +1524,11 @@
]
},
"locked": {
"lastModified": 1776844129,
"narHash": "sha256-DaYSEBVzTvUhTuoVe70NHphoq5JKUHqUhlNlN5XnTuU=",
"lastModified": 1777138694,
"narHash": "sha256-yjAFuyqQyOtQ5entLYmSRf/1L0kuSDWQndS2QNBLQlc=",
"owner": "0xc000022070",
"repo": "zen-browser-flake",
"rev": "90706e6ab801e4fb7bc53343db67583631936192",
"rev": "5ceb2bfc5671bfca6b1b363669309d6871043d66",
"type": "github"
},
"original": {

23
flake.nix
View File

@@ -376,6 +376,7 @@
nixosConfigurations = {
mreow = mkDesktopHost "mreow";
yarn = mkDesktopHost "yarn";
patiodeck = mkDesktopHost "patiodeck";
muffin = muffinHost;
};
@@ -415,7 +416,27 @@
# want to avoid when the deploy is supposed to be a no-op blocked by
# the guard. Blocking before the deploy-rs invocation is the only
# clean way to leave the running system untouched.
path = deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.muffin;
#
# Activation uses `switch-to-configuration boot` + a detached finalize
# (modules/server-deploy-finalize.nix) rather than the default
# `switch`. The gitea-actions runner driving CI deploys lives on
# muffin itself; a direct `switch` restarts gitea-runner-muffin mid-
# activation, killing the SSH session, the CI job, and deploy-rs's
# magic-rollback handshake. `boot` only touches the bootloader — no
# service restarts — and deploy-finalize schedules a pid1-owned
# transient unit that runs the real `switch` (or `systemctl reboot`
# when kernel/initrd/kernel-modules changed) ~60s later, surviving
# runner restart because it's decoupled from the SSH session.
path =
deploy-rs.lib.${system}.activate.custom self.nixosConfigurations.muffin.config.system.build.toplevel
''
# matches activate.nixos's workaround for NixOS/nixpkgs#73404
cd /tmp
$PROFILE/bin/switch-to-configuration boot
${nixpkgs-stable.lib.getExe self.nixosConfigurations.muffin.config.system.build.deployFinalize}
'';
};
};

3
home/profiles/gui.nix
View File

@@ -8,8 +8,7 @@
{
imports = [
./no-gui.nix
# ../progs/ghostty.nix
../progs/alacritty.nix
../progs/ghostty.nix
../progs/emacs.nix
# ../progs/trezor.nix # - broken
../progs/flatpak.nix

131
home/progs/alacritty.nix
View File

@@ -1,131 +0,0 @@
{ pkgs, ... }:
{
home.sessionVariables = {
TERMINAL = "alacritty";
};
programs.alacritty = {
enable = true;
package = pkgs.alacritty;
settings = {
# some programs can't handle alacritty
env.TERM = "xterm-256color";
window = {
# using a window manager, no decorations needed
decorations = "none";
# semi-transparent
opacity = 0.90;
# padding between the content of the terminal and the edge
padding = {
x = 10;
y = 10;
};
dimensions = {
columns = 80;
lines = 40;
};
};
scrolling = {
history = 1000;
multiplier = 3;
};
font =
let
baseFont = {
family = "JetBrains Mono Nerd Font";
style = "Regular";
};
in
{
size = 12;
normal = baseFont;
bold = baseFont // {
style = "Bold";
};
italic = baseFont // {
style = "Italic";
};
offset.y = 0;
glyph_offset.y = 0;
};
# color scheme
colors =
let
normal = {
black = "0x1b1e28";
red = "0xd0679d";
green = "0x5de4c7";
yellow = "0xfffac2";
blue = "#435c89";
magenta = "0xfcc5e9";
cyan = "0xadd7ff";
white = "0xffffff";
};
bright = {
black = "0xa6accd";
red = normal.red;
green = normal.green;
yellow = normal.yellow;
blue = normal.cyan;
magenta = "0xfae4fc";
cyan = "0x89ddff";
white = normal.white;
};
in
{
inherit normal bright;
primary = {
background = "0x131621";
foreground = bright.black;
};
cursor = {
text = "CellBackground";
cursor = "CellForeground";
};
search =
let
foreground = normal.black;
background = normal.cyan;
in
{
matches = {
inherit foreground background;
};
focused_match = {
inherit foreground background;
};
};
selection = {
text = "CellForeground";
background = "0x303340";
};
vi_mode_cursor = {
text = "CellBackground";
cursor = "CellForeground";
};
};
cursor = {
style = "Underline";
vi_mode_style = "Underline";
};
};
};
}

58
home/progs/ghostty.nix
View File

@@ -1,12 +1,64 @@
{ pkgs, ... }:
{ ... }:
{
# https://mynixos.com/home-manager/option/programs.ghostty
programs.ghostty = {
enable = true;
enableFishIntegration = true;
# custom palette ported verbatim from the previous alacritty config
# (poimandres-ish). lives in ~/.config/ghostty/themes/poimandres and is
# selected by `theme = "poimandres"` below.
themes.poimandres = {
palette = [
"0=#1b1e28"
"1=#d0679d"
"2=#5de4c7"
"3=#fffac2"
"4=#435c89"
"5=#fcc5e9"
"6=#add7ff"
"7=#ffffff"
"8=#a6accd"
"9=#d0679d"
"10=#5de4c7"
"11=#fffac2"
"12=#add7ff"
"13=#fae4fc"
"14=#89ddff"
"15=#ffffff"
];
background = "131621";
foreground = "a6accd";
cursor-color = "a6accd";
cursor-text = "131621";
selection-background = "303340";
selection-foreground = "a6accd";
};
settings = {
theme = "Adventure";
background-opacity = 0.7;
theme = "poimandres";
# font
font-family = "JetBrainsMono Nerd Font";
font-size = 12;
# window
window-decoration = false;
window-padding-x = 10;
window-padding-y = 10;
window-width = 80;
window-height = 40;
# semi-transparent background
background-opacity = 0.90;
# cursor
cursor-style = "underline";
# keep one daemon alive so subsequent launches (e.g. niri Mod+T) are
# instant instead of paying GTK + wgpu init each time. relies on the
# dbus-activated systemd user service that the HM module wires up.
gtk-single-instance = true;
};
};

8
home/progs/niri.nix
View File

@@ -115,8 +115,12 @@ in
"Mod+O".action = toggle-overview;
# open a terminal
"Mod+T".action = spawn config.home.sessionVariables.TERMINAL;
# open a terminal — pass --working-directory=home so the gtk-single-instance
# daemon doesn't keep handing back whatever cwd the focused window has.
"Mod+T".action = spawn [
config.home.sessionVariables.TERMINAL
"--working-directory=home"
];
# lock the screen
"Mod+X".action = spawn (lib.getExe pkgs.swaylock);

1
home/progs/noctalia.nix
View File

@@ -32,6 +32,7 @@
};
wallpaper = {
enabled = true;
skipStartupTransition = true;
};
};
};

18
home/progs/pi.nix
View File

@@ -37,8 +37,21 @@ let
in
{
home.packages = [
# `bun2nix.hook` sets `patchPhase = bunPatchPhase`, which only runs `patchShebangs` and
# silently ignores the standard `patches` attribute. Apply patches via `prePatch` instead
# so they actually take effect. Tracking: nothing upstream yet.
(inputs.llm-agents.packages.${pkgs.stdenv.hostPlatform.system}.omp.overrideAttrs (old: {
patches = (old.patches or [ ]) ++ [ ];
prePatch =
(old.prePatch or "")
+ ''
# 0001 retry without strict tools when DeepSeek (via OpenRouter) rejects strict-mode
# `anyOf` nullable unions with `Invalid tool parameters schema : field \`anyOf\`:
# missing field \`type\``.
patch -p1 < ${../../patches/omp/0001-openai-completions-retry-without-strict-on-deepseek-openrouter.patch}
# 0002 require `reasoning_content` for OpenRouter reasoning models so DeepSeek V4 Pro
# et al. accept follow-up requests in thinking mode.
patch -p1 < ${../../patches/omp/0002-openai-completions-stub-reasoning-content-for-openrouter.patch}
'';
}))
];
@@ -69,6 +82,9 @@ in
## Nix
For using `nix build` append `-L` to get better visibility into the logs.
If you get an error that a file can't be found, always try to `git add` the file before trying other troubleshooting steps.
## Implementation
When sketching out an implementation of something, always look for tools that already exist in the space first before implementing something custom. This is also the case when it comes to submodules and sections of code, I don't want you to implement things in-house when it isn't needed.
'';
home.file.".omp/agent/skills/android-ui/SKILL.md".text = ''

29
home/progs/steam-shortcuts.nix Normal file
View File

@@ -0,0 +1,29 @@
# Declarative non-Steam game shortcuts for the Steam library.
# Add entries to the `shortcuts` list to have them appear in Steam's UI.
{
pkgs,
inputs,
lib,
...
}:
{
imports = [
inputs.json2steamshortcut.homeModules.default
];
services.steam-shortcuts = {
enable = true;
overwriteExisting = true;
steamUserId = lib.strings.toInt (
lib.strings.trim (builtins.readFile ../../secrets/home/steam-user-id)
);
shortcuts = [
{
AppName = "Prism Launcher";
Exe = "${pkgs.prismlauncher}/bin/prismlauncher";
Icon = "${pkgs.prismlauncher}/share/icons/hicolor/scalable/apps/org.prismlauncher.PrismLauncher.svg";
Tags = [ "Game" ];
}
];
};
}

10
hosts/muffin/default.nix
View File

@@ -19,13 +19,14 @@
../../modules/zfs.nix
../../modules/server-impermanence.nix
../../modules/usb-secrets.nix
../../modules/age-secrets.nix
../../modules/server-age-secrets.nix
../../modules/server-lanzaboote-agenix.nix
../../modules/no-rgb.nix
../../modules/server-security.nix
../../modules/ntfy-alerts.nix
../../modules/server-power.nix
../../modules/server-deploy-guard.nix
../../modules/server-deploy-finalize.nix
../../services/postgresql.nix
../../services/jellyfin
@@ -99,6 +100,13 @@
services.deployGuard.enable = true;
# Detached deploy finalize: see modules/server-deploy-finalize.nix. deploy-rs
# activates in `boot` mode and invokes deploy-finalize to schedule the real
# `switch` (or reboot, when kernel/initrd/kernel-modules changed) 60s later
# as a pid1-owned transient unit. Prevents the self-hosted gitea runner from
# being restarted mid-CI-deploy.
services.deployFinalize.enable = true;
# Disable serial getty on ttyS0 to prevent dmesg warnings
systemd.services."serial-getty@ttyS0".enable = false;

4
hosts/muffin/service-configs.nix
View File

@@ -196,6 +196,10 @@ rec {
port = 9563;
proto = "tcp";
};
minecraft_exporter = {
port = 9567;
proto = "tcp";
};
prometheus_zfs = {
port = 9134;
proto = "tcp";

38
hosts/patiodeck/default.nix Normal file
View File

@@ -0,0 +1,38 @@
{
username,
inputs,
site_config,
...
}:
{
imports = [
../../modules/desktop-common.nix
../../modules/desktop-jovian.nix
./disk.nix
./impermanence.nix
inputs.impermanence.nixosModules.impermanence
];
networking.hostId = "a1b2c3d4";
# SSH for remote management from laptop
services.openssh = {
enable = true;
ports = [ 22 ];
settings = {
PasswordAuthentication = false;
PermitRootLogin = "yes";
};
};
users.users.${username}.openssh.authorizedKeys.keys = [
site_config.ssh_keys.laptop
];
users.users.root.openssh.authorizedKeys.keys = [
site_config.ssh_keys.laptop
];
jovian.devices.steamdeck.enable = true;
}

52
hosts/patiodeck/disk.nix Normal file
View File

@@ -0,0 +1,52 @@
{
disko.devices = {
disk = {
main = {
type = "disk";
content = {
type = "gpt";
partitions = {
ESP = {
type = "EF00";
size = "500M";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
nix = {
size = "200G";
content = {
type = "filesystem";
format = "f2fs";
mountpoint = "/nix";
};
};
persistent = {
size = "100%";
content = {
type = "filesystem";
format = "f2fs";
mountpoint = "/persistent";
};
};
};
};
};
};
nodev = {
"/" = {
fsType = "tmpfs";
mountOptions = [
"defaults"
"size=2G"
"mode=755"
];
};
};
};
fileSystems."/persistent".neededForBoot = true;
fileSystems."/nix".neededForBoot = true;
}

8
hosts/patiodeck/home.nix Normal file
View File

@@ -0,0 +1,8 @@
{ ... }:
{
imports = [
../../home/profiles/gui.nix
../../home/profiles/desktop.nix
../../home/progs/steam-shortcuts.nix
];
}

48
hosts/patiodeck/impermanence.nix Normal file
View File

@@ -0,0 +1,48 @@
{
username,
...
}:
{
environment.persistence."/persistent" = {
hideMounts = true;
directories = [
"/var/log"
"/var/lib/systemd/coredump"
"/var/lib/nixos"
"/var/lib/systemd/timers"
# agenix identity sealed by the TPM
{
directory = "/var/lib/agenix";
mode = "0700";
user = "root";
group = "root";
}
];
files = [
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub"
"/etc/ssh/ssh_host_rsa_key"
"/etc/ssh/ssh_host_rsa_key.pub"
"/etc/machine-id"
];
users.root = {
files = [
".local/share/fish/fish_history"
];
};
};
# bind mount home directory from persistent storage
fileSystems."/home/${username}" = {
device = "/persistent/home/${username}";
fsType = "none";
options = [ "bind" ];
neededForBoot = true;
};
systemd.tmpfiles.rules = [
"d /etc 755 root"
];
}

146
hosts/yarn/default.nix
View File

@@ -1,5 +1,4 @@
{
config,
pkgs,
lib,
username,
@@ -10,13 +9,13 @@
{
imports = [
../../modules/desktop-common.nix
../../modules/desktop-jovian.nix
../../modules/no-rgb.nix
./disk.nix
./impermanence.nix
./vr.nix
inputs.impermanence.nixosModules.impermanence
inputs.jovian-nixos.nixosModules.default
];
fileSystems."/media/games" = {
@@ -83,145 +82,6 @@
systemd.services.lactd.serviceConfig.ExecStartPre = "${lib.getExe pkgs.bash} -c \"sleep 3s\"";
# root-level service that applies a pending update. Triggered by
# steamos-update (via systemctl start) when the user accepts an update.
# Runs as root so it can write the system profile and boot entry.
systemd.services.pull-update-apply = {
description = "Apply pending NixOS update pulled from binary cache";
serviceConfig = {
Type = "oneshot";
ExecStart = pkgs.writeShellScript "pull-update-apply" ''
set -uo pipefail
export PATH=${
pkgs.lib.makeBinPath [
pkgs.curl
pkgs.coreutils
pkgs.nix
]
}
STORE_PATH=$(curl -sf --max-time 30 "${site_config.binary_cache.url}/deploy/yarn" || true)
if [ -z "$STORE_PATH" ]; then
echo "server unreachable"
exit 1
fi
CURRENT=$(readlink -f /nix/var/nix/profiles/system)
if [ "$CURRENT" = "$STORE_PATH" ]; then
echo "already up to date: $STORE_PATH"
exit 0
fi
echo "applying $STORE_PATH (was $CURRENT)"
nix-store -r --add-root /nix/var/nix/gcroots/pull-update-apply-latest --indirect "$STORE_PATH" \
|| { echo "fetch failed"; exit 1; }
nix-env -p /nix/var/nix/profiles/system --set "$STORE_PATH" \
|| { echo "profile set failed"; exit 1; }
"$STORE_PATH/bin/switch-to-configuration" boot \
|| { echo "boot entry failed"; exit 1; }
echo "update applied; reboot required"
'';
};
};
# Allow primary user to start pull-update-apply.service without a password
security.polkit.extraConfig = ''
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.systemd1.manage-units" &&
action.lookup("unit") == "pull-update-apply.service" &&
subject.user == "${username}") {
return polkit.Result.YES;
}
});
'';
nixpkgs.config.allowUnfreePredicate =
pkg:
builtins.elem (lib.getName pkg) [
"steamdeck-hw-theme"
"steam-jupiter-unwrapped"
"steam"
"steam-original"
"steam-unwrapped"
"steam-run"
];
# Override jovian-stubs to disable steamos-update kernel check
# This prevents Steam from requesting reboots for "system updates"
# Steam client updates will still work normally
nixpkgs.overlays = [
(
final: prev:
let
deploy-url = "${site_config.binary_cache.url}/deploy/yarn";
steamos-update-script = final.writeShellScript "steamos-update" ''
export PATH=${
final.lib.makeBinPath [
final.curl
final.coreutils
final.systemd
]
}
STORE_PATH=$(curl -sf --max-time 30 "${deploy-url}" || true)
if [ -z "$STORE_PATH" ]; then
>&2 echo "[steamos-update] server unreachable"
exit 7
fi
CURRENT=$(readlink -f /nix/var/nix/profiles/system)
if [ "$CURRENT" = "$STORE_PATH" ]; then
>&2 echo "[steamos-update] no update available"
exit 0
fi
# check-only mode: just report that an update exists
if [ "''${1:-}" = "check" ] || [ "''${1:-}" = "--check-only" ]; then
>&2 echo "[steamos-update] update available"
exit 0
fi
# apply: trigger the root-running systemd service to install the update
>&2 echo "[steamos-update] applying update..."
if systemctl start --wait pull-update-apply.service; then
>&2 echo "[steamos-update] update installed, reboot to apply"
exit 0
else
>&2 echo "[steamos-update] apply failed; see 'journalctl -u pull-update-apply'"
exit 1
fi
'';
in
{
# Only replace holo-update (and its steamos-update alias) with our
# binary-cache pull script. All other stubs (pkexec, sudo,
# holo-reboot, holo-select-branch, …) come from upstream unchanged.
jovian-stubs = prev.jovian-stubs.overrideAttrs (old: {
buildCommand = (old.buildCommand or "") + ''
install -D -m 755 ${steamos-update-script} $out/bin/holo-update
install -D -m 755 ${steamos-update-script} $out/bin/steamos-update
'';
});
}
)
];
jovian = {
devices.steamdeck.enable = false;
steam = {
enable = true;
autoStart = true;
desktopSession = "niri";
user = username;
};
};
# Jovian-NixOS requires sddm
# https://github.com/Jovian-Experiments/Jovian-NixOS/commit/52f140c07493f8bb6cd0773c7e1afe3e1fd1d1fa
services.displayManager.sddm.wayland.enable = true;
# Disable gamescope from common.nix to avoid conflict with jovian-nixos
programs.gamescope.enable = lib.mkForce false;
# yarn is not a Steam Deck
jovian.devices.steamdeck.enable = false;
}

21
hosts/yarn/home.nix
View File

@@ -1,15 +1,12 @@
{
pkgs,
inputs,
lib,
config,
...
}:
{
imports = [
../../home/profiles/gui.nix
../../home/profiles/desktop.nix
inputs.json2steamshortcut.homeModules.default
../../home/progs/steam-shortcuts.nix
];
home.packages = with pkgs; [
@@ -27,20 +24,4 @@
obs-pipewire-audio-capture
];
};
services.steam-shortcuts = {
enable = true;
overwriteExisting = true;
steamUserId = lib.strings.toInt (
lib.strings.trim (builtins.readFile ../../secrets/home/steam-user-id)
);
shortcuts = [
{
AppName = "Prism Launcher";
Exe = "${pkgs.prismlauncher}/bin/prismlauncher";
Icon = "${pkgs.prismlauncher}/share/icons/hicolor/scalable/apps/org.prismlauncher.PrismLauncher.svg";
Tags = [ "Game" ];
}
];
};
}

14
hosts/yarn/impermanence.nix
View File

@@ -12,6 +12,14 @@
"/var/lib/systemd/coredump"
"/var/lib/nixos"
"/var/lib/systemd/timers"
# agenix identity sealed by the TPM. Must survive the tmpfs root
# wipe so decryption at activation finds the right handle.
{
directory = "/var/lib/agenix";
mode = "0700";
user = "root";
group = "root";
}
];
files = [
@@ -21,6 +29,12 @@
"/etc/ssh/ssh_host_rsa_key.pub"
"/etc/machine-id"
];
users.root = {
files = [
".local/share/fish/fish_history"
];
};
};
# Bind mount entire home directory from persistent storage

15
lib/overlays.nix
View File

@@ -75,4 +75,19 @@ final: prev: {
'';
meta.mainProgram = "igpu-exporter";
};
mc-monitor = prev.buildGoModule rec {
pname = "mc-monitor";
version = "0.16.1";
src = prev.fetchFromGitHub {
owner = "itzg";
repo = "mc-monitor";
rev = version;
hash = "sha256-/94+Z9FTFOzQHynHiJuaGFiidkOxmM0g/FIpHn+xvJM=";
};
vendorHash = "sha256-qq7rIpvGRi3AMnBbi8uAhiPcfSF4McIuqozdtxB5CeQ=";
# upstream tests probe live Minecraft servers
doCheck = false;
meta.mainProgram = "mc-monitor";
};
}

2
modules/common.nix
View File

@@ -58,8 +58,6 @@
];
};
services.kmscon.enable = true;
environment.systemPackages = with pkgs; [
doas-sudo-shim
];

70
modules/desktop-age-secrets.nix Normal file
View File

@@ -0,0 +1,70 @@
{
pkgs,
inputs,
...
}:
let
# Wrap rage so age-plugin-tpm is on PATH at activation time.
# Both mreow and yarn use age1tpm1… recipients (legacy P-256 encoding),
# which age-plugin-tpm handles under its own name.
rageWithTpm = pkgs.writeShellScriptBin "rage" ''
export PATH="${pkgs.age-plugin-tpm}/bin:$PATH"
exec ${pkgs.rage}/bin/rage "$@"
'';
in
{
imports = [
inputs.agenix.nixosModules.default
];
# Expose the plugin + agenix CLI for interactive edits (`agenix -e …`).
environment.systemPackages = [
inputs.agenix.packages.${pkgs.system}.default
pkgs.age-plugin-tpm
];
age.ageBin = "${rageWithTpm}/bin/rage";
# Primary identity: TPM-sealed key, generated by scripts/bootstrap-desktop-tpm.sh.
# Fallback identity: admin SSH key. age tries paths in order, so if the TPM
# is wiped or the board is replaced the SSH key keeps secrets accessible until
# the TPM is re-bootstrapped. Both are encrypted recipients on every .age file.
age.identityPaths = [
"/var/lib/agenix/tpm-identity"
"/home/primary/.ssh/id_ed25519"
];
# Ensure the identity directory exists before agenix activation so a fresh
# bootstrap doesn't race the directory creation.
systemd.tmpfiles.rules = [
"d /var/lib/agenix 0700 root root -"
];
age.secrets = {
# Secureboot PKI bundle (db/KEK/PK keys + certs) consumed by lanzaboote
# via desktop-lanzaboote-agenix.nix at activation time.
secureboot-tar = {
file = ../secrets/desktop/secureboot.tar.age;
mode = "0400";
owner = "root";
group = "root";
};
# netrc for the private nix binary cache.
nix-cache-netrc = {
file = ../secrets/desktop/nix-cache-netrc.age;
mode = "0400";
owner = "root";
group = "root";
};
# yescrypt hash for the primary user.
password-hash = {
file = ../secrets/desktop/password-hash.age;
mode = "0400";
owner = "root";
group = "root";
};
};
}

509
modules/desktop-common.nix
View File

@@ -17,9 +17,10 @@
./desktop-vm.nix
./desktop-steam.nix
./desktop-networkmanager.nix
./desktop-age-secrets.nix
./desktop-lanzaboote-agenix.nix
inputs.disko.nixosModules.disko
inputs.lanzaboote.nixosModules.lanzaboote
inputs.nixos-hardware.nixosModules.common-cpu-amd-pstate
inputs.nixos-hardware.nixosModules.common-cpu-amd-zenpower
@@ -50,16 +51,6 @@
mkdir -p /nix/var/nix/profiles/per-user/root/channels
'';
# extract all my secureboot keys
# TODO! proper secrets management
"secureboot-keys".text = ''
#!/usr/bin/env sh
rm -fr ${config.boot.lanzaboote.pkiBundle} || true
mkdir -p ${config.boot.lanzaboote.pkiBundle}
${lib.getExe pkgs.gnutar} xf ${../secrets/desktop/secureboot.tar} -C ${config.boot.lanzaboote.pkiBundle}
chown -R root:wheel ${config.boot.lanzaboote.pkiBundle}
chmod -R 500 ${config.boot.lanzaboote.pkiBundle}
'';
};
swapDevices = [ ];
@@ -71,7 +62,7 @@
trusted-public-keys = [
site_config.binary_cache.public_key
];
netrc-file = "${../secrets/desktop/nix-cache-netrc}";
netrc-file = config.age.secrets.nix-cache-netrc.path;
};
# cachyos kernel overlay
@@ -182,9 +173,14 @@
DRM_HISI_HIBMC = lib.mkForce no;
DRM_APPLETBDRM = lib.mkForce no;
# intel gpu
DRM_I915 = lib.mkForce no;
DRM_XE = lib.mkForce no;
# legacy AMD IP blocks. hosts are Navi 32 RDNA3 dGPU (7800 XT, yarn,
# 2023, gfx1101, DCN 3.2) and Krackan Point RDNA 3.5 iGPU (mreow,
# 2024, gfx1150, DCN 3.5). everything below pre-dates those by a
# decade. upstream only exposes per-generation toggles for SI and
# CIK — no switch for VI/Polaris/Vega/Navi1x, those stay in amdgpu.
DRM_AMDGPU_SI = lib.mkForce no; # Southern Islands / GCN 1 (2012): HD 7950/7970, R9 280/280X, R7 260X
DRM_AMDGPU_CIK = lib.mkForce no; # Sea Islands / GCN 2 (2013): R9 290/290X/390, Kaveri APUs (A10-7850K), Steam Machine Bonaire
DRM_AMD_SECURE_DISPLAY = lib.mkForce no; # HDCP region-CRC debugfs helper, needs custom DMCU firmware
# early-boot framebuffer chain: drop every alternative to amdgpu so
# the console never transitions simpledrm -> dummy -> amdgpu (visible
@@ -286,6 +282,486 @@
XZ_DEC_ARM64 = lib.mkForce no;
XZ_DEC_SPARC = lib.mkForce no;
XZ_DEC_RISCV = lib.mkForce no;
# ==== no hardware for any of these on either host ====
# laptop vendor platform drivers (only FRAMEWORK_LAPTOP is used)
ACER_WMI = lib.mkForce no;
ACER_WIRELESS = lib.mkForce no;
ACERHDF = lib.mkForce no;
APPLE_GMUX = lib.mkForce no;
ASUS_LAPTOP = lib.mkForce no;
ASUS_WMI = lib.mkForce no;
ASUS_NB_WMI = lib.mkForce no;
ASUS_ARMOURY = lib.mkForce no;
ASUS_TF103C_DOCK = lib.mkForce no;
ASUS_WIRELESS = lib.mkForce no;
COMPAL_LAPTOP = lib.mkForce no;
DELL_LAPTOP = lib.mkForce no;
DELL_RBTN = lib.mkForce no;
DELL_PC = lib.mkForce no;
DELL_SMBIOS = lib.mkForce no;
DELL_SMO8800 = lib.mkForce no;
DELL_UART_BACKLIGHT = lib.mkForce no;
DELL_WMI = lib.mkForce no;
DELL_WMI_AIO = lib.mkForce no;
DELL_WMI_DDV = lib.mkForce no;
DELL_WMI_DESCRIPTOR = lib.mkForce no;
DELL_WMI_LED = lib.mkForce no;
DELL_WMI_SYSMAN = lib.mkForce no;
EEEPC_LAPTOP = lib.mkForce no;
EEEPC_WMI = lib.mkForce no;
FUJITSU_LAPTOP = lib.mkForce no;
FUJITSU_ES = lib.mkForce no;
FUJITSU_TABLET = lib.mkForce no;
HUAWEI_WMI = lib.mkForce no;
IBM_ASM = lib.mkForce no;
IBM_RTL = lib.mkForce no;
IDEAPAD_LAPTOP = lib.mkForce no;
LG_LAPTOP = lib.mkForce no;
MSI_LAPTOP = lib.mkForce no;
MSI_WMI = lib.mkForce no;
MSI_EC = lib.mkForce no;
PANASONIC_LAPTOP = lib.mkForce no;
SONY_LAPTOP = lib.mkForce no;
SAMSUNG_LAPTOP = lib.mkForce no;
TOPSTAR_LAPTOP = lib.mkForce no;
THINKPAD_ACPI = lib.mkForce no;
THINKPAD_LMI = lib.mkForce no;
LENOVO_SE10_WDT = lib.mkForce no;
LENOVO_SE30_WDT = lib.mkForce no;
LENOVO_WMI_HOTKEY_UTILITIES = lib.mkForce no;
LENOVO_WMI_CAMERA = lib.mkForce no;
LENOVO_YMC = lib.mkForce no;
LENOVO_WMI_CAPDATA = lib.mkForce no;
LENOVO_WMI_EVENTS = lib.mkForce no;
LENOVO_WMI_HELPERS = lib.mkForce no;
LENOVO_WMI_GAMEZONE = lib.mkForce no;
LENOVO_WMI_TUNING = lib.mkForce no;
YOGABOOK = lib.mkForce no;
YT2_1380 = lib.mkForce no;
XIAOMI_WMI = lib.mkForce no;
BARCO_P50_GPIO = lib.mkForce no;
PC_ENGINES_APU = lib.mkForce no;
SILICOM_PLATFORM = lib.mkForce no;
SIEMENS_SIMATIC_IPC_WDT = lib.mkForce no;
SYSTEM76_ACPI = lib.mkForce no;
INSPUR_PLATFORM_PROFILE = lib.mkForce no;
NVIDIA_WMI_EC_BACKLIGHT = lib.mkForce no;
# legacy filesystems (hosts use vfat/f2fs/tmpfs/fuse; exfat/ntfs3 kept for externals)
JFS_FS = lib.mkForce no;
GFS2_FS = lib.mkForce no;
OCFS2_FS = lib.mkForce no;
NILFS2_FS = lib.mkForce no;
AFFS_FS = lib.mkForce no;
HFS_FS = lib.mkForce no;
HFSPLUS_FS = lib.mkForce no;
BEFS_FS = lib.mkForce no;
JFFS2_FS = lib.mkForce no;
UBIFS_FS = lib.mkForce no;
MINIX_FS = lib.mkForce no;
OMFS_FS = lib.mkForce no;
ROMFS_FS = lib.mkForce no;
UFS_FS = lib.mkForce no;
EROFS_FS = lib.mkForce no;
ORANGEFS_FS = lib.mkForce no;
CODA_FS = lib.mkForce no;
AFS_FS = lib.mkForce no;
CEPH_FS = lib.mkForce no;
ZONEFS_FS = lib.mkForce no;
BCACHE = lib.mkForce no;
BCACHEFS_FS = lib.mkForce no;
ECRYPT_FS = lib.mkForce no;
NFSD = lib.mkForce no;
# legacy partition tables (only GPT+MBR in use)
AIX_PARTITION = lib.mkForce no;
MAC_PARTITION = lib.mkForce no;
LDM_PARTITION = lib.mkForce no;
KARMA_PARTITION = lib.mkForce no;
MINIX_SUBPARTITION = lib.mkForce no;
SOLARIS_X86_PARTITION = lib.mkForce no;
BSD_DISKLABEL = lib.mkForce no;
UNIXWARE_DISKLABEL = lib.mkForce no;
SYSV68_PARTITION = lib.mkForce no;
ULTRIX_PARTITION = lib.mkForce no;
OSF_PARTITION = lib.mkForce no;
SGI_PARTITION = lib.mkForce no;
SUN_PARTITION = lib.mkForce no;
ATARI_PARTITION = lib.mkForce no;
AMIGA_PARTITION = lib.mkForce no;
ACORN_PARTITION = lib.mkForce no;
# legacy net protocols (nothing uses SCTP/RDS/TIPC/SMC or GRE tunnels)
IP_SCTP = lib.mkForce no;
RDS = lib.mkForce no;
TIPC = lib.mkForce no;
SMC = lib.mkForce no;
NET_IPIP = lib.mkForce no;
NET_IPGRE = lib.mkForce no;
NET_IPGRE_DEMUX = lib.mkForce no;
NET_IPVTI = lib.mkForce no;
# legacy PCI sound cards (kept: SND_HDA_* for AMD HDA, SND_SOC_SOF_AMD for ACP)
SND_ALI5451 = lib.mkForce no;
SND_ATIIXP = lib.mkForce no;
SND_ATIIXP_MODEM = lib.mkForce no;
SND_AU8810 = lib.mkForce no;
SND_AU8820 = lib.mkForce no;
SND_AU8830 = lib.mkForce no;
SND_AW2 = lib.mkForce no;
SND_AZT3328 = lib.mkForce no;
SND_BT87X = lib.mkForce no;
SND_CA0106 = lib.mkForce no;
SND_CMIPCI = lib.mkForce no;
SND_OXYGEN = lib.mkForce no;
SND_CS46XX = lib.mkForce no;
SND_CTXFI = lib.mkForce no;
SND_DARLA20 = lib.mkForce no;
SND_GINA20 = lib.mkForce no;
SND_LAYLA20 = lib.mkForce no;
SND_DARLA24 = lib.mkForce no;
SND_GINA24 = lib.mkForce no;
SND_LAYLA24 = lib.mkForce no;
SND_MONA = lib.mkForce no;
SND_MIA = lib.mkForce no;
SND_ECHO3G = lib.mkForce no;
SND_INDIGO = lib.mkForce no;
SND_INDIGOIO = lib.mkForce no;
SND_INDIGODJ = lib.mkForce no;
SND_INDIGOIOX = lib.mkForce no;
SND_INDIGODJX = lib.mkForce no;
SND_EMU10K1 = lib.mkForce no;
SND_EMU10K1X = lib.mkForce no;
SND_ENS1370 = lib.mkForce no;
SND_ENS1371 = lib.mkForce no;
SND_ES1938 = lib.mkForce no;
SND_ES1968 = lib.mkForce no;
SND_FM801 = lib.mkForce no;
SND_HDSP = lib.mkForce no;
SND_HDSPM = lib.mkForce no;
SND_ICE1712 = lib.mkForce no;
SND_ICE1724 = lib.mkForce no;
SND_INTEL8X0 = lib.mkForce no;
SND_INTEL8X0M = lib.mkForce no;
SND_KORG1212 = lib.mkForce no;
SND_LOLA = lib.mkForce no;
SND_LX6464ES = lib.mkForce no;
SND_MAESTRO3 = lib.mkForce no;
SND_MIXART = lib.mkForce no;
SND_MPU401 = lib.mkForce no;
SND_MTS64 = lib.mkForce no;
SND_NM256 = lib.mkForce no;
SND_PCXHR = lib.mkForce no;
SND_PORTMAN2X4 = lib.mkForce no;
SND_RIPTIDE = lib.mkForce no;
SND_RME32 = lib.mkForce no;
SND_RME96 = lib.mkForce no;
SND_RME9652 = lib.mkForce no;
SND_SE6X = lib.mkForce no;
SND_TRIDENT = lib.mkForce no;
SND_VIA82XX = lib.mkForce no;
SND_VIRTUOSO = lib.mkForce no;
SND_VX222 = lib.mkForce no;
SND_YMFPCI = lib.mkForce no;
# legacy HDA codecs (kept: REALTEK for ALC269 on Framework + HDMI for amdhdmi)
SND_HDA_CODEC_ANALOG = lib.mkForce no;
SND_HDA_CODEC_SIGMATEL = lib.mkForce no;
SND_HDA_CODEC_VIA = lib.mkForce no;
SND_HDA_CODEC_CONEXANT = lib.mkForce no;
SND_HDA_CODEC_CA0110 = lib.mkForce no;
SND_HDA_CODEC_CA0132 = lib.mkForce no;
SND_HDA_CODEC_SI3054 = lib.mkForce no;
SND_HDA_CODEC_CIRRUS = lib.mkForce no;
SND_HDA_CODEC_CS420X = lib.mkForce no;
SND_HDA_CODEC_CS421X = lib.mkForce no;
SND_HDA_CODEC_CS8409 = lib.mkForce no;
# OSS compat (deprecated)
SOUND_OSS_CORE = lib.mkForce no;
# legacy USB HCDs (Zen APUs only have xHCI)
USB_OHCI_HCD = lib.mkForce no;
USB_UHCI_HCD = lib.mkForce no;
USB_C67X00_HCD = lib.mkForce no;
USB_OXU210HP_HCD = lib.mkForce no;
USB_ISP116X_HCD = lib.mkForce no;
USB_ISP1760 = lib.mkForce no;
USB_MAX3421_HCD = lib.mkForce no;
USB_SL811_HCD = lib.mkForce no;
USB_R8A66597 = lib.mkForce no;
USB_XEN_HCD = lib.mkForce no;
# USB gadget + exotic device drivers
USB_GADGET = lib.mkForce no;
USB_MICROTEK = lib.mkForce no;
USB_USS720 = lib.mkForce no;
USB_EMI26 = lib.mkForce no;
USB_EMI62 = lib.mkForce no;
USB_ADUTUX = lib.mkForce no;
USB_SEVSEG = lib.mkForce no;
USB_LEGOTOWER = lib.mkForce no;
USB_CYPRESS_CY7C63 = lib.mkForce no;
USB_CYTHERM = lib.mkForce no;
USB_IDMOUSE = lib.mkForce no;
USB_APPLEDISPLAY = lib.mkForce no;
USB_TRANCEVIBRATOR = lib.mkForce no;
USB_CHAOSKEY = lib.mkForce no;
USB_TEST = lib.mkForce no;
# USB mass-storage sub-drivers for legacy flash/camera readers
USB_STORAGE_REALTEK = lib.mkForce no;
USB_STORAGE_DATAFAB = lib.mkForce no;
USB_STORAGE_FREECOM = lib.mkForce no;
USB_STORAGE_ISD200 = lib.mkForce no;
USB_STORAGE_USBAT = lib.mkForce no;
USB_STORAGE_SDDR09 = lib.mkForce no;
USB_STORAGE_SDDR55 = lib.mkForce no;
USB_STORAGE_JUMPSHOT = lib.mkForce no;
USB_STORAGE_ALAUDA = lib.mkForce no;
USB_STORAGE_ONETOUCH = lib.mkForce no;
USB_STORAGE_KARMA = lib.mkForce no;
USB_STORAGE_CYPRESS_ATACB = lib.mkForce no;
USB_STORAGE_ENE_UB6250 = lib.mkForce no;
# wlan vendors (kept: MEDIATEK/INTEL/REALTEK/BROADCOM for mreow+yarn)
WLAN_VENDOR_ADMTEK = lib.mkForce no;
WLAN_VENDOR_ATMEL = lib.mkForce no;
WLAN_VENDOR_CISCO = lib.mkForce no;
WLAN_VENDOR_INTERSIL = lib.mkForce no;
WLAN_VENDOR_MARVELL = lib.mkForce no;
WLAN_VENDOR_MICROCHIP = lib.mkForce no;
WLAN_VENDOR_PURELIFI = lib.mkForce no;
WLAN_VENDOR_QUANTENNA = lib.mkForce no;
WLAN_VENDOR_RALINK = lib.mkForce no;
WLAN_VENDOR_RSI = lib.mkForce no;
WLAN_VENDOR_SILABS = lib.mkForce no;
WLAN_VENDOR_ST = lib.mkForce no;
WLAN_VENDOR_TI = lib.mkForce no;
WLAN_VENDOR_ZYDAS = lib.mkForce no;
# ethernet vendors (kept: AMD/INTEL/REALTEK/AQUANTIA/ATHEROS)
NET_VENDOR_3COM = lib.mkForce no;
NET_VENDOR_ADAPTEC = lib.mkForce no;
NET_VENDOR_AGERE = lib.mkForce no;
NET_VENDOR_ALACRITECH = lib.mkForce no;
NET_VENDOR_ALTEON = lib.mkForce no;
NET_VENDOR_AMAZON = lib.mkForce no;
NET_VENDOR_ARC = lib.mkForce no;
NET_VENDOR_BROADCOM = lib.mkForce no;
NET_VENDOR_BROCADE = lib.mkForce no;
NET_VENDOR_CADENCE = lib.mkForce no;
NET_VENDOR_CAVIUM = lib.mkForce no;
NET_VENDOR_CHELSIO = lib.mkForce no;
NET_VENDOR_CISCO = lib.mkForce no;
NET_VENDOR_CORTINA = lib.mkForce no;
NET_VENDOR_DAVICOM = lib.mkForce no;
NET_VENDOR_DEC = lib.mkForce no;
NET_VENDOR_DLINK = lib.mkForce no;
NET_VENDOR_EMULEX = lib.mkForce no;
NET_VENDOR_ENGLEDER = lib.mkForce no;
NET_VENDOR_EZCHIP = lib.mkForce no;
NET_VENDOR_FUJITSU = lib.mkForce no;
NET_VENDOR_FUNGIBLE = lib.mkForce no;
NET_VENDOR_GOOGLE = lib.mkForce no;
NET_VENDOR_HISILICON = lib.mkForce no;
NET_VENDOR_HUAWEI = lib.mkForce no;
NET_VENDOR_I825XX = lib.mkForce no;
NET_VENDOR_ADI = lib.mkForce no;
NET_VENDOR_LITEX = lib.mkForce no;
NET_VENDOR_MARVELL = lib.mkForce no;
NET_VENDOR_META = lib.mkForce no;
NET_VENDOR_MICREL = lib.mkForce no;
NET_VENDOR_MICROCHIP = lib.mkForce no;
NET_VENDOR_MICROSEMI = lib.mkForce no;
NET_VENDOR_MICROSOFT = lib.mkForce no;
NET_VENDOR_MUCSE = lib.mkForce no;
NET_VENDOR_MYRI = lib.mkForce no;
NET_VENDOR_NI = lib.mkForce no;
NET_VENDOR_NATSEMI = lib.mkForce no;
NET_VENDOR_NETRONOME = lib.mkForce no;
NET_VENDOR_8390 = lib.mkForce no;
NET_VENDOR_NVIDIA = lib.mkForce no;
NET_VENDOR_OKI = lib.mkForce no;
NET_VENDOR_PACKET_ENGINES = lib.mkForce no;
NET_VENDOR_PENSANDO = lib.mkForce no;
NET_VENDOR_QLOGIC = lib.mkForce no;
NET_VENDOR_QUALCOMM = lib.mkForce no;
NET_VENDOR_RDC = lib.mkForce no;
NET_VENDOR_RENESAS = lib.mkForce no;
NET_VENDOR_ROCKER = lib.mkForce no;
NET_VENDOR_SAMSUNG = lib.mkForce no;
NET_VENDOR_SEEQ = lib.mkForce no;
NET_VENDOR_SILAN = lib.mkForce no;
NET_VENDOR_SIS = lib.mkForce no;
NET_VENDOR_SOLARFLARE = lib.mkForce no;
NET_VENDOR_SMSC = lib.mkForce no;
NET_VENDOR_SOCIONEXT = lib.mkForce no;
NET_VENDOR_STMICRO = lib.mkForce no;
NET_VENDOR_SUN = lib.mkForce no;
NET_VENDOR_SYNOPSYS = lib.mkForce no;
NET_VENDOR_TEHUTI = lib.mkForce no;
NET_VENDOR_TI = lib.mkForce no;
NET_VENDOR_VERTEXCOM = lib.mkForce no;
NET_VENDOR_VIA = lib.mkForce no;
NET_VENDOR_WANGXUN = lib.mkForce no;
NET_VENDOR_WIZNET = lib.mkForce no;
NET_VENDOR_XILINX = lib.mkForce no;
NET_VENDOR_XIRCOM = lib.mkForce no;
# watchdogs (kept: SP5100_TCO for AMD chipset, WDAT_WDT for ACPI)
ACQUIRE_WDT = lib.mkForce no;
ADVANTECH_WDT = lib.mkForce no;
ADVANTECH_EC_WDT = lib.mkForce no;
ALIM1535_WDT = lib.mkForce no;
ALIM7101_WDT = lib.mkForce no;
CGBC_WDT = lib.mkForce no;
EBC_C384_WDT = lib.mkForce no;
EXAR_WDT = lib.mkForce no;
F71808E_WDT = lib.mkForce no;
EUROTECH_WDT = lib.mkForce no;
IB700_WDT = lib.mkForce no;
WAFER_WDT = lib.mkForce no;
I6300ESB_WDT = lib.mkForce no;
IE6XX_WDT = lib.mkForce no;
ITCO_WDT = lib.mkForce no;
IT8712F_WDT = lib.mkForce no;
IT87_WDT = lib.mkForce no;
HP_WATCHDOG = lib.mkForce no;
HPWDT_NMI_DECODE = lib.mkForce no;
KEMPLD_WDT = lib.mkForce no;
MLX_WDT = lib.mkForce no;
NI903X_WDT = lib.mkForce no;
NIC7018_WDT = lib.mkForce no;
SMSC37B787_WDT = lib.mkForce no;
TQMX86_WDT = lib.mkForce no;
VIA_WDT = lib.mkForce no;
W83627HF_WDT = lib.mkForce no;
W83877F_WDT = lib.mkForce no;
W83977F_WDT = lib.mkForce no;
MACHZ_WDT = lib.mkForce no;
SBC_EPX_C3_WATCHDOG = lib.mkForce no;
MEN_A21_WDT = lib.mkForce no;
DW_WATCHDOG = lib.mkForce no;
SOFT_WATCHDOG = lib.mkForce no;
XILINX_WATCHDOG = lib.mkForce no;
# misc dead weight
BLK_DEV_DRBD = lib.mkForce no;
GREYBUS = lib.mkForce no;
SOUNDWIRE_QCOM = lib.mkForce no;
SOUNDWIRE_INTEL = lib.mkForce no;
MEDIA_RADIO_SUPPORT = lib.mkForce no;
# net queue disciplines not used on desktop (kept: htb/prio/fifo/fq/fq_codel/cake/bpf/ingress/netem/tbf/mqprio for basic shaping + testing)
NET_SCH_CBS = lib.mkForce no;
NET_SCH_CHOKE = lib.mkForce no;
NET_SCH_CODEL = lib.mkForce no;
NET_SCH_DRR = lib.mkForce no;
NET_SCH_DUALPI2 = lib.mkForce no;
NET_SCH_ETF = lib.mkForce no;
NET_SCH_ETS = lib.mkForce no;
NET_SCH_FQ_PIE = lib.mkForce no;
NET_SCH_GRED = lib.mkForce no;
NET_SCH_HFSC = lib.mkForce no;
NET_SCH_HHF = lib.mkForce no;
NET_SCH_MULTIQ = lib.mkForce no;
NET_SCH_PIE = lib.mkForce no;
NET_SCH_PLUG = lib.mkForce no;
NET_SCH_QFQ = lib.mkForce no;
NET_SCH_RED = lib.mkForce no;
NET_SCH_SFB = lib.mkForce no;
NET_SCH_SFQ = lib.mkForce no;
NET_SCH_SKBPRIO = lib.mkForce no;
NET_SCH_TAPRIO = lib.mkForce no;
NET_SCH_TEQL = lib.mkForce no;
# battery charger PMIC drivers — all mobile/embedded SoCs, none of these
# exist on x86 laptops/desktops (which use ACPI battery + USB-PD via ucsi).
# CROS_* are Chromebook-specific; Framework has CrOS EC but not CrOS charging.
CHARGER_88PM860X = lib.mkForce no;
CHARGER_ADP5061 = lib.mkForce no;
CHARGER_AXP20X = lib.mkForce no;
CHARGER_BD71828 = lib.mkForce no;
CHARGER_BD99954 = lib.mkForce no;
CHARGER_BQ2415X = lib.mkForce no;
CHARGER_BQ24190 = lib.mkForce no;
CHARGER_BQ24257 = lib.mkForce no;
CHARGER_BQ24735 = lib.mkForce no;
CHARGER_BQ2515X = lib.mkForce no;
CHARGER_BQ256XX = lib.mkForce no;
CHARGER_BQ257XX = lib.mkForce no;
CHARGER_BQ25890 = lib.mkForce no;
CHARGER_BQ25980 = lib.mkForce no;
CHARGER_CROS_CONTROL = lib.mkForce no;
CHARGER_CROS_PCHG = lib.mkForce no;
CHARGER_CROS_USBPD = lib.mkForce no;
CHARGER_DA9150 = lib.mkForce no;
CHARGER_DETECTOR_MAX14656 = lib.mkForce no;
CHARGER_GPIO = lib.mkForce no;
CHARGER_ISP1704 = lib.mkForce no;
CHARGER_LP8727 = lib.mkForce no;
CHARGER_LP8788 = lib.mkForce no;
CHARGER_LT3651 = lib.mkForce no;
CHARGER_LTC4162L = lib.mkForce no;
CHARGER_MANAGER = lib.mkForce no;
CHARGER_MAX14577 = lib.mkForce no;
CHARGER_MAX77650 = lib.mkForce no;
CHARGER_MAX77693 = lib.mkForce no;
CHARGER_MAX77705 = lib.mkForce no;
CHARGER_MAX77976 = lib.mkForce no;
CHARGER_MAX8903 = lib.mkForce no;
CHARGER_MAX8971 = lib.mkForce no;
CHARGER_MAX8997 = lib.mkForce no;
CHARGER_MAX8998 = lib.mkForce no;
CHARGER_MP2629 = lib.mkForce no;
CHARGER_MT6360 = lib.mkForce no;
CHARGER_MT6370 = lib.mkForce no;
CHARGER_PF1550 = lib.mkForce no;
CHARGER_RK817 = lib.mkForce no;
CHARGER_RT5033 = lib.mkForce no;
CHARGER_RT9455 = lib.mkForce no;
CHARGER_RT9467 = lib.mkForce no;
CHARGER_RT9471 = lib.mkForce no;
CHARGER_RT9756 = lib.mkForce no;
CHARGER_SBS = lib.mkForce no;
CHARGER_SMB347 = lib.mkForce no;
CHARGER_TPS65090 = lib.mkForce no;
CHARGER_TPS65217 = lib.mkForce no;
CHARGER_TWL4030 = lib.mkForce no;
CHARGER_TWL6030 = lib.mkForce no;
CHARGER_UCS1002 = lib.mkForce no;
CHARGER_WILCO = lib.mkForce no;
# enterprise storage stack (kept: DM_CRYPT for LUKS, DM_SNAPSHOT/INTEGRITY/VERITY, MD_RAID0/1/10/456 in case)
DM_MULTIPATH = lib.mkForce no;
DM_MULTIPATH_QL = lib.mkForce no;
DM_MULTIPATH_ST = lib.mkForce no;
DM_MULTIPATH_HST = lib.mkForce no;
DM_MULTIPATH_IOA = lib.mkForce no;
DM_VDO = lib.mkForce no;
DM_PCACHE = lib.mkForce no;
DM_ZONED = lib.mkForce no;
DM_LOG_USERSPACE = lib.mkForce no;
DM_EBS = lib.mkForce no;
DM_ERA = lib.mkForce no;
DM_DUST = lib.mkForce no;
DM_DELAY = lib.mkForce no;
DM_FLAKEY = lib.mkForce no;
DM_SWITCH = lib.mkForce no;
DM_LOG_WRITES = lib.mkForce no;
DM_CLONE = lib.mkForce no;
DM_UNSTRIPED = lib.mkForce no;
DM_CACHE = lib.mkForce no;
DM_WRITECACHE = lib.mkForce no;
DM_THIN_PROVISIONING = lib.mkForce no;
MD_CLUSTER = lib.mkForce no;
MD_LINEAR = lib.mkForce no;
SCSI_DH_RDAC = lib.mkForce no;
SCSI_DH_HP_SW = lib.mkForce no;
SCSI_ENCLOSURE = lib.mkForce no;
};
}
];
@@ -411,8 +887,7 @@
"camera"
"adbusers"
];
# TODO! this is really bad :( I should really figure out how to do proper secrets management
hashedPasswordFile = "${../secrets/desktop/password-hash}";
hashedPasswordFile = config.age.secrets.password-hash.path;
};
services.gvfs.enable = true;

40
modules/desktop-jovian.nix Normal file
View File

@@ -0,0 +1,40 @@
# Jovian-NixOS deck-mode configuration shared by all hosts running Steam
# in gamescope (yarn, patiodeck). Host-specific settings (like
# jovian.devices.steamdeck.enable) stay in the host's default.nix.
{
lib,
username,
inputs,
...
}:
{
imports = [
./desktop-steam-update.nix
inputs.jovian-nixos.nixosModules.default
];
nixpkgs.config.allowUnfreePredicate =
pkg:
builtins.elem (lib.getName pkg) [
"steamdeck-hw-theme"
"steam-jupiter-unwrapped"
"steam"
"steam-original"
"steam-unwrapped"
"steam-run"
];
jovian.steam = {
enable = true;
autoStart = true;
desktopSession = "niri";
user = username;
};
# jovian overrides the display manager; sddm is required
services.displayManager.sddm.wayland.enable = true;
# desktop-common.nix enables programs.gamescope which conflicts with
# jovian's own gamescope wrapper
programs.gamescope.enable = lib.mkForce false;
}

49
modules/desktop-lanzaboote-agenix.nix Normal file
View File

@@ -0,0 +1,49 @@
{
config,
lib,
pkgs,
inputs,
...
}:
{
imports = [
inputs.lanzaboote.nixosModules.lanzaboote
];
boot = {
loader.systemd-boot.enable = lib.mkForce false;
lanzaboote = {
enable = true;
# sbctl expects the bundle at /var/lib/sbctl; muffin uses /etc/secureboot
# because it is wiped on every activation there (impermanence) — desktops
# extract to the historical sbctl path so existing tooling keeps working.
pkiBundle = "/var/lib/sbctl";
};
};
system.activationScripts = {
# Extract the secureboot PKI bundle from the agenix-decrypted tar. Mirrors
# modules/server-lanzaboote-agenix.nix; skip when keys are already present
# (e.g., disko-install staged them via --extra-files).
"secureboot-keys" = {
deps = [ "agenix" ];
text = ''
#!/bin/sh
(
umask 077
if [[ -d ${config.boot.lanzaboote.pkiBundle} && -f ${config.boot.lanzaboote.pkiBundle}/db.key ]]; then
echo "secureboot keys already present, skipping extraction"
else
echo "extracting secureboot keys from agenix"
rm -fr ${config.boot.lanzaboote.pkiBundle} || true
install -d -o root -g wheel -m 0500 ${config.boot.lanzaboote.pkiBundle}
${pkgs.gnutar}/bin/tar xf ${config.age.secrets.secureboot-tar.path} -C ${config.boot.lanzaboote.pkiBundle}
fi
chown -R root:wheel ${config.boot.lanzaboote.pkiBundle}
chmod -R 500 ${config.boot.lanzaboote.pkiBundle}
)
'';
};
};
}

7
modules/desktop-networkmanager.nix
View File

@@ -1,4 +1,4 @@
{ hostname, site_config, ... }:
{ hostname, ... }:
{
# speed up boot times (by about three seconds)
systemd.services.NetworkManager-wait-online.enable = false;
@@ -9,7 +9,10 @@
networkmanager = {
enable = true;
appendNameservers = site_config.dns_servers;
appendNameservers = [
"1.1.1.1"
"9.9.9.9"
];
wifi = {
scanRandMacAddress = true;

122
modules/desktop-steam-update.nix Normal file
View File

@@ -0,0 +1,122 @@
# Binary-cache update mechanism for Jovian-NixOS desktops.
#
# Replaces the upstream holo-update/steamos-update stubs with a script that
# checks the private binary cache for a newer system closure, and provides a
# root-level systemd service to apply it. Steam's deck UI calls
# `steamos-update check` periodically; exit 7 = no update, exit 0 = update
# applied or available.
#
# The deploy endpoint is ${binary_cache_url}/deploy/${hostname} — a plain
# text file containing the /nix/store path of the latest closure, published
# by CI after a successful build.
{
pkgs,
lib,
hostname,
username,
site_config,
...
}:
let
deploy-url = "${site_config.binary_cache.url}/deploy/${hostname}";
steamos-update-script = pkgs.writeShellScript "steamos-update" ''
export PATH=${
lib.makeBinPath [
pkgs.curl
pkgs.coreutils
pkgs.systemd
]
}
STORE_PATH=$(curl -sf --max-time 30 "${deploy-url}" || true)
if [ -z "$STORE_PATH" ]; then
>&2 echo "[steamos-update] server unreachable"
exit 7
fi
CURRENT=$(readlink -f /nix/var/nix/profiles/system)
if [ "$CURRENT" = "$STORE_PATH" ]; then
>&2 echo "[steamos-update] no update available"
exit 7
fi
# check-only mode: just report that an update exists
if [ "''${1:-}" = "check" ] || [ "''${1:-}" = "--check-only" ]; then
>&2 echo "[steamos-update] update available"
exit 0
fi
# apply: trigger the root-running systemd service to install the update
>&2 echo "[steamos-update] applying update..."
if systemctl start --wait pull-update-apply.service; then
>&2 echo "[steamos-update] update installed, reboot to apply"
exit 0
else
>&2 echo "[steamos-update] apply failed; see 'journalctl -u pull-update-apply'"
exit 1
fi
'';
in
{
nixpkgs.overlays = [
(_final: prev: {
jovian-stubs = prev.jovian-stubs.overrideAttrs (old: {
buildCommand = (old.buildCommand or "") + ''
install -D -m 755 ${steamos-update-script} $out/bin/holo-update
install -D -m 755 ${steamos-update-script} $out/bin/steamos-update
'';
});
})
];
systemd.services.pull-update-apply = {
description = "Apply pending NixOS update pulled from binary cache";
serviceConfig = {
Type = "oneshot";
ExecStart = pkgs.writeShellScript "pull-update-apply" ''
set -uo pipefail
export PATH=${
lib.makeBinPath [
pkgs.curl
pkgs.coreutils
pkgs.nix
]
}
STORE_PATH=$(curl -sf --max-time 30 "${deploy-url}" || true)
if [ -z "$STORE_PATH" ]; then
echo "server unreachable"
exit 1
fi
CURRENT=$(readlink -f /nix/var/nix/profiles/system)
if [ "$CURRENT" = "$STORE_PATH" ]; then
echo "already up to date: $STORE_PATH"
exit 0
fi
echo "applying $STORE_PATH (was $CURRENT)"
nix-store -r --add-root /nix/var/nix/gcroots/pull-update-apply-latest --indirect "$STORE_PATH" \
|| { echo "fetch failed"; exit 1; }
nix-env -p /nix/var/nix/profiles/system --set "$STORE_PATH" \
|| { echo "profile set failed"; exit 1; }
"$STORE_PATH/bin/switch-to-configuration" boot \
|| { echo "boot entry failed"; exit 1; }
echo "update applied; reboot required"
'';
};
};
# allow the primary user to trigger pull-update-apply without a password
security.polkit.extraConfig = ''
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.systemd1.manage-units" &&
action.lookup("unit") == "pull-update-apply.service" &&
subject.user == "${username}") {
return polkit.Result.YES;
}
});
'';
}

0
modules/age-secrets.nix → modules/server-age-secrets.nix
View File

187
modules/server-deploy-finalize.nix Normal file
View File

@@ -0,0 +1,187 @@
# Deferred deploy finalize for deploy-rs-driven hosts.
#
# When deploy-rs activates via `switch-to-configuration switch` and the gitea-
# actions runner driving the deploy lives on the same host, the runner unit
# gets restarted mid-activation — its definition changes between builds. That
# restart kills the SSH session, the CI job, and deploy-rs's magic-rollback
# handshake, so CI reports failure even when the deploy itself completed.
# This is deploy-rs#153, open since 2022.
#
# This module breaks the dependency: activation does `switch-to-configuration
# boot` (bootloader only, no service restarts), then invokes deploy-finalize
# which schedules a detached systemd transient unit that fires `delay` seconds
# later with the real `switch` (or `systemctl reboot` when the kernel, initrd,
# or kernel-modules changed since boot). The transient unit is owned by pid1,
# so it survives the runner's eventual restart — by which time the CI job has
# finished reporting.
#
# Prior art (reboot-or-switch logic, not the self-deploy detachment):
# - nixpkgs `system.autoUpgrade` (allowReboot = true branch) is the canonical
# source of the 3-path {initrd,kernel,kernel-modules} comparison.
# - obsidiansystems/obelisk#957 merged the same snippet into `ob deploy` for
# push-based remote deploys — but doesn't need detachment since its deployer
# lives on a different machine from the target.
# - nixpkgs#185030 tracks lifting this into switch-to-configuration proper.
# Stale since 2025-07; until it lands, every downstream reimplements it.
#
# Bootstrap note: the activation snippet resolves deploy-finalize via
# lib.getExe (store path), not via `/run/current-system/sw/bin` — `boot` mode
# does not update `/run/current-system`, so the old binary would be resolved.
{
config,
lib,
pkgs,
...
}:
let
cfg = config.services.deployFinalize;
finalize = pkgs.writeShellApplication {
name = "deploy-finalize";
runtimeInputs = [
pkgs.coreutils
pkgs.systemd
];
text = ''
delay=${toString cfg.delay}
profile=/nix/var/nix/profiles/system
dry_run=0
usage() {
cat <<EOF
Usage: deploy-finalize [--dry-run] [--delay N] [--profile PATH]
Compares /run/booted-system against PATH (default /nix/var/nix/profiles/system)
and schedules either \`systemctl reboot\` (kernel or initrd changed) or
\`switch-to-configuration switch\` (services only) via a detached systemd-run
timer firing N seconds later.
Options:
--dry-run Print the decision and would-be command without scheduling.
--delay N Override the delay in seconds. Default: ${toString cfg.delay}.
--profile PATH Override the profile path used for comparison.
EOF
}
while [[ $# -gt 0 ]]; do
case "$1" in
--dry-run) dry_run=1; shift ;;
--delay) delay="$2"; shift 2 ;;
--profile) profile="$2"; shift 2 ;;
-h|--help) usage; exit 0 ;;
*)
echo "deploy-finalize: unknown option $1" >&2
usage >&2
exit 2
;;
esac
done
# Comparing {kernel,initrd,kernel-modules} matches nixpkgs's canonical
# `system.autoUpgrade` allowReboot logic. -e (not -f) so a dangling
# symlink counts as missing: on a real NixOS profile all three exist,
# but defensive: if a profile has bad symlinks we refuse to schedule
# rather than scheduling against ghost paths.
booted_kernel="$(readlink -e /run/booted-system/kernel 2>/dev/null || true)"
booted_initrd="$(readlink -e /run/booted-system/initrd 2>/dev/null || true)"
booted_modules="$(readlink -e /run/booted-system/kernel-modules 2>/dev/null || true)"
new_kernel="$(readlink -e "$profile/kernel" 2>/dev/null || true)"
new_initrd="$(readlink -e "$profile/initrd" 2>/dev/null || true)"
new_modules="$(readlink -e "$profile/kernel-modules" 2>/dev/null || true)"
if [[ -z "$new_kernel" || -z "$new_initrd" || -z "$new_modules" ]]; then
echo "deploy-finalize: refusing to schedule $profile is missing kernel, initrd, or kernel-modules" >&2
exit 1
fi
changed=()
if [[ -z "$booted_kernel" || -z "$booted_initrd" || -z "$booted_modules" ]]; then
# Unreachable on a booted NixOS, but fail closed on reboot.
changed+=("/run/booted-system incomplete")
fi
[[ "$booted_kernel" != "$new_kernel" ]] && changed+=("kernel")
[[ "$booted_initrd" != "$new_initrd" ]] && changed+=("initrd")
[[ "$booted_modules" != "$new_modules" ]] && changed+=("kernel-modules")
reboot_needed=0
reason=""
if [[ ''${#changed[@]} -gt 0 ]]; then
reboot_needed=1
# Join with commas so the reason reads as e.g. `kernel,initrd changed`.
reason="$(IFS=, ; echo "''${changed[*]}") changed"
fi
if [[ "$reboot_needed" == 1 ]]; then
action=reboot
cmd="systemctl reboot"
else
action=switch
reason="services only"
cmd="$profile/bin/switch-to-configuration switch"
fi
# Nanosecond suffix so back-to-back deploys don't collide on unit names.
unit="deploy-finalize-$(date +%s%N)"
printf 'deploy-finalize: booted_kernel=%s\n' "$booted_kernel"
printf 'deploy-finalize: new_kernel=%s\n' "$new_kernel"
printf 'deploy-finalize: booted_initrd=%s\n' "$booted_initrd"
printf 'deploy-finalize: new_initrd=%s\n' "$new_initrd"
printf 'deploy-finalize: booted_kernel-modules=%s\n' "$booted_modules"
printf 'deploy-finalize: new_kernel-modules=%s\n' "$new_modules"
printf 'deploy-finalize: action=%s reason=%s delay=%ss unit=%s\n' \
"$action" "$reason" "$delay" "$unit"
if [[ "$dry_run" == 1 ]]; then
printf 'deploy-finalize: dry-run not scheduling\n'
printf 'deploy-finalize: would run: %s\n' "$cmd"
printf 'deploy-finalize: would schedule: systemd-run --collect --unit=%s --on-active=%s\n' \
"$unit" "$delay"
exit 0
fi
# Cancel any still-pending finalize timers from an earlier deploy so this
# invocation is authoritative. Without this a stale timer could fire with
# the old profile's action (reboot/switch) against the new profile and
# briefly run new userspace under the old kernel.
systemctl stop 'deploy-finalize-*.timer' 2>/dev/null || true
# --on-active arms a transient timer owned by pid1. systemd-run returns
# once the timer is armed; the SSH session that called us can exit and
# the gitea-runner can be restarted (by the switch the timer fires)
# without affecting whether the finalize runs.
systemd-run \
--collect \
--unit="$unit" \
--description="Finalize NixOS deploy ($action after boot-mode activation)" \
--on-active="$delay" \
/bin/sh -c "$cmd"
'';
};
in
{
options.services.deployFinalize = {
enable = lib.mkEnableOption "deferred deploy finalize (switch or reboot) after boot-mode activation";
delay = lib.mkOption {
type = lib.types.ints.positive;
default = 60;
description = ''
Seconds between the deploy-rs activation completing and the scheduled
finalize firing. Tuned so the CI job (or manual SSH session) has time
to complete status reporting before the runner is restarted by the
eventual switch-to-configuration.
'';
};
};
config = lib.mkIf cfg.enable {
environment.systemPackages = [ finalize ];
# Exposed for the deploy-rs activation snippet to reference by /nix/store
# path via lib.getExe — `boot` mode does not update /run/current-system,
# so reading through /run/current-system/sw/bin would resolve to the OLD
# binary on a new-feature rollout or immediately after a rollback.
system.build.deployFinalize = finalize;
};
}

126
patches/omp/0001-openai-completions-retry-without-strict-on-deepseek-openrouter.patch Normal file
View File

@@ -0,0 +1,126 @@
Subject: [PATCH] fix(openai-completions): retry without strict tools for DeepSeek-via-OpenRouter anyOf rejections
The retry-on-strict-tool-error path in openai-completions failed to recover when
DeepSeek (and similar backends fronted by OpenRouter) reject strict-mode tool
schemas with errors of the form:
Invalid tool parameters schema : field `anyOf`: missing field `type`
Two reasons:
1. Retry only triggered in "all_strict" mode. OpenRouter defaults to "mixed"
(per-tool strict), so the early return prevented retry.
2. The error-message regex required "strict" near "tool". DeepSeek's message
never mentions "strict".
Fix:
- Allow retry whenever any tool was sent with strict (i.e. mode != "none").
- Recognize "Invalid tool parameters" in the regex.
Includes a regression test reproducing the exact DeepSeek error body via
OpenRouter mixed-strict mode.
Applies cleanly against v14.2.1.
---
diff --git a/packages/ai/src/providers/openai-completions.ts b/packages/ai/src/providers/openai-completions.ts
index e58189607..3c20631c1 100644
--- a/packages/ai/src/providers/openai-completions.ts
+++ b/packages/ai/src/providers/openai-completions.ts
@@ -1245,7 +1245,10 @@ function shouldRetryWithoutStrictTools(
toolStrictMode: AppliedToolStrictMode,
tools: Tool[] | undefined,
): boolean {
- if (!tools || tools.length === 0 || toolStrictMode !== "all_strict") {
+ // Retry whenever any tool was sent with `strict: true`. OpenRouter routes to underlying
+ // providers (e.g. DeepSeek) whose schema validators reject the strict-mode `anyOf` shape
+ // even when omp emitted strict per-tool ("mixed"), not just provider-wide ("all_strict").
+ if (!tools || tools.length === 0 || toolStrictMode === "none") {
return false;
}
const status = extractHttpStatusFromError(error) ?? capturedErrorResponse?.status;
@@ -1255,7 +1258,14 @@ function shouldRetryWithoutStrictTools(
const messageParts = [error instanceof Error ? error.message : undefined, capturedErrorResponse?.bodyText]
.filter((value): value is string => typeof value === "string" && value.trim().length > 0)
.join("\n");
- return /wrong_api_format|mixed values for 'strict'|tool[s]?\b.*strict|\bstrict\b.*tool/i.test(messageParts);
+ // Patterns:
+ // - `wrong_api_format`, `mixed values for 'strict'`: OpenAI rejecting mixed strict flags.
+ // - `tool ... strict` / `strict ... tool`: generic strict-tool complaints.
+ // - `Invalid tool parameters schema`: DeepSeek (via OpenRouter) rejecting strict-mode
+ // nullable unions because their validator demands `type` alongside `anyOf`.
+ return /wrong_api_format|mixed values for 'strict'|tool[s]?\b.*strict|\bstrict\b.*tool|invalid tool parameters/i.test(
+ messageParts,
+ );
}
function mapStopReason(reason: ChatCompletionChunk.Choice["finish_reason"] | string): {
diff --git a/packages/ai/test/openai-tool-strict-mode.test.ts b/packages/ai/test/openai-tool-strict-mode.test.ts
index 2bf17e6d8..24d5a09d5 100644
--- a/packages/ai/test/openai-tool-strict-mode.test.ts
+++ b/packages/ai/test/openai-tool-strict-mode.test.ts
@@ -231,6 +231,64 @@ describe("OpenAI tool strict mode", () => {
expect(result.content).toContainEqual({ type: "text", text: "Hello" });
expect(strictFlags).toEqual([[true], [false]]);
});
+ it("retries with non-strict tool schemas when OpenRouter backend rejects strict anyOf nullable unions", async () => {
+ // Reproduces deepseek/deepseek-v4-pro via OpenRouter rejecting the strict-mode schema with:
+ // 400 Provider returned error
+ // {"error":{"message":"Invalid tool parameters schema : field `anyOf`: missing field `type`",...}}
+ // OpenRouter is in mixed-strict mode by default (per-tool strict), so the original retry condition
+ // (only "all_strict") prevented recovery. The retry now triggers whenever any tool sent strict=true.
+ const model = getBundledModel("openrouter", "deepseek/deepseek-v3.2") as Model<"openai-completions">;
+ const strictFlags: boolean[][] = [];
+ global.fetch = Object.assign(
+ async (_input: string | URL | Request, init?: RequestInit): Promise<Response> => {
+ const bodyText = typeof init?.body === "string" ? init.body : "";
+ const payload = JSON.parse(bodyText) as {
+ tools?: Array<{ function?: { strict?: boolean } }>;
+ };
+ strictFlags.push((payload.tools ?? []).map(tool => tool.function?.strict === true));
+ if (strictFlags.length === 1) {
+ return new Response(
+ JSON.stringify({
+ error: {
+ message: "Invalid tool parameters schema : field `anyOf`: missing field `type`",
+ type: "invalid_request_error",
+ param: null,
+ code: "invalid_request_error",
+ },
+ }),
+ {
+ status: 400,
+ headers: { "content-type": "application/json" },
+ },
+ );
+ }
+ return createSseResponse([
+ {
+ id: "chatcmpl-or",
+ object: "chat.completion.chunk",
+ created: 0,
+ model: model.id,
+ choices: [{ index: 0, delta: { content: "Hello" } }],
+ },
+ {
+ id: "chatcmpl-or",
+ object: "chat.completion.chunk",
+ created: 0,
+ model: model.id,
+ choices: [{ index: 0, delta: {}, finish_reason: "stop" }],
+ },
+ "[DONE]",
+ ]);
+ },
+ { preconnect: originalFetch.preconnect },
+ );
+
+ const result = await streamOpenAICompletions(model, testContext, { apiKey: "test-key" }).result();
+ expect(result.stopReason).toBe("stop");
+ expect(result.content).toContainEqual({ type: "text", text: "Hello" });
+ expect(strictFlags).toEqual([[true], [false]]);
+ });
+
it("sends strict=true for openai-responses tool schemas on OpenAI", async () => {
const model = getBundledModel("openai", "gpt-5-mini") as Model<"openai-responses">;

233
patches/omp/0002-openai-completions-stub-reasoning-content-for-openrouter.patch Normal file
View File

@@ -0,0 +1,233 @@
Subject: [PATCH] fix(openai-completions): require `reasoning_content` for OpenRouter reasoning models
DeepSeek V4 Pro (and similar reasoning models reached via OpenRouter) reject
multi-turn requests in thinking mode with:
400 The `reasoning_content` in the thinking mode must be passed back to
the API.
omp's existing kimi placeholder injection (`requiresReasoningContentForToolCalls`)
covered this requirement only for `thinkingFormat === "openai"`. OpenRouter
sets `thinkingFormat === "openrouter"`, so the gate never fired even though
the underlying providers behind OpenRouter (DeepSeek, Kimi, etc.) all enforce
the same invariant.
This patch:
1. Extends `requiresReasoningContentForToolCalls` detection: any
reasoning-capable model fronted by OpenRouter now sets the flag.
2. Extends the placeholder gate in `convertMessages` to accept
`thinkingFormat === "openrouter"` alongside `"openai"`.
Cross-provider continuations are the dominant trigger: a conversation warmed
up by Anthropic Claude (whose reasoning is redacted/encrypted on the wire)
followed by a switch to DeepSeek V4 Pro via OpenRouter. omp cannot
synthesize plaintext `reasoning_content` from Anthropic's encrypted blocks,
so the placeholder satisfies DeepSeek's validator without fabricating a
reasoning trace. Real captured reasoning, when present, short-circuits the
placeholder via `hasReasoningField` and survives intact.
Side benefit: also closes a latent gap where Kimi-via-OpenRouter
(`thinkingFormat === "openrouter"`) had the compat flag set but the
placeholder gate silently rejected it.
Regression tests cover:
- compat flag detection on OpenRouter reasoning models
- opt-out for non-reasoning OpenRouter models
- cross-provider redacted-thinking placeholder
- Kimi-via-OpenRouter placeholder firing
- real reasoning preserved over the placeholder
Applies cleanly on top of patch 0001.
---
diff --git a/packages/ai/src/providers/openai-completions-compat.ts b/packages/ai/src/providers/openai-completions-compat.ts
--- a/packages/ai/src/providers/openai-completions-compat.ts
+++ b/packages/ai/src/providers/openai-completions-compat.ts
@@ -105,7 +105,14 @@
? "qwen"
: "openai",
reasoningContentField: "reasoning_content",
- requiresReasoningContentForToolCalls: isKimiModel,
+ // Backends that 400 follow-up requests when prior assistant tool-call turns lack `reasoning_content`:
+ // - Kimi: documented invariant on its native API and via OpenCode-Go.
+ // - Any reasoning-capable model reached through OpenRouter: DeepSeek V4 Pro and similar enforce
+ // this server-side whenever the request is in thinking mode. We can't translate Anthropic's
+ // redacted/encrypted reasoning into DeepSeek's plaintext form, so cross-provider continuations
+ // rely on a placeholder — see `convertMessages` for the placeholder injection.
+ requiresReasoningContentForToolCalls:
+ isKimiModel || ((provider === "openrouter" || baseUrl.includes("openrouter.ai")) && Boolean(model.reasoning)),
requiresAssistantContentForToolCalls: isKimiModel,
openRouterRouting: undefined,
vercelGatewayRouting: undefined,
diff --git a/packages/ai/src/providers/openai-completions.ts b/packages/ai/src/providers/openai-completions.ts
--- a/packages/ai/src/providers/openai-completions.ts
+++ b/packages/ai/src/providers/openai-completions.ts
@@ -1059,12 +1059,21 @@
(assistantMsg as any).reasoning_content !== undefined ||
(assistantMsg as any).reasoning !== undefined ||
(assistantMsg as any).reasoning_text !== undefined;
- if (
- toolCalls.length > 0 &&
+ // Inject a `reasoning_content` placeholder on assistant tool-call turns when the backend
+ // rejects history without it. The compat flag captures the rule:
+ // - Kimi (native or via OpenCode-Go): chat completion endpoint demands the field.
+ // - Reasoning models reached through OpenRouter (e.g. DeepSeek V4 Pro): the underlying
+ // provider's thinking-mode validator demands it on every prior assistant turn. omp
+ // cannot synthesize real reasoning when the conversation was warmed up by another
+ // provider whose reasoning is redacted/encrypted (Anthropic) or simply absent, so we
+ // emit a placeholder. Real captured reasoning, when present, is preserved earlier via
+ // the `thinkingSignature` echo path and short-circuits via `hasReasoningField`.
+ // `thinkingFormat` is gated to formats that consume the field (openai/openrouter chat
+ // completions); formats with their own conventions (zai, qwen) are excluded.
+ const stubsReasoningContent =
compat.requiresReasoningContentForToolCalls &&
- compat.thinkingFormat === "openai" &&
- !hasReasoningField
- ) {
+ (compat.thinkingFormat === "openai" || compat.thinkingFormat === "openrouter");
+ if (toolCalls.length > 0 && stubsReasoningContent && !hasReasoningField) {
const reasoningField = compat.reasoningContentField ?? "reasoning_content";
(assistantMsg as any)[reasoningField] = ".";
}
diff --git a/packages/ai/test/openai-completions-compat.test.ts b/packages/ai/test/openai-completions-compat.test.ts
--- a/packages/ai/test/openai-completions-compat.test.ts
+++ b/packages/ai/test/openai-completions-compat.test.ts
@@ -367,4 +367,137 @@
const compat = detectCompat(model);
expect(compat.requiresReasoningContentForToolCalls).toBe(true);
});
+
+ it("requires reasoning_content for tool calls on reasoning-capable models via OpenRouter", () => {
+ const model: Model<"openai-completions"> = {
+ ...(getBundledModel("openrouter", "deepseek/deepseek-v3.2") as Model<"openai-completions">),
+ reasoning: true,
+ };
+ const compat = detectCompat(model);
+ expect(compat.thinkingFormat).toBe("openrouter");
+ expect(compat.requiresReasoningContentForToolCalls).toBe(true);
+ });
+
+ it("does not require reasoning_content for non-reasoning OpenRouter models", () => {
+ const model: Model<"openai-completions"> = {
+ ...(getBundledModel("openrouter", "deepseek/deepseek-v3.2") as Model<"openai-completions">),
+ reasoning: false,
+ };
+ const compat = detectCompat(model);
+ expect(compat.requiresReasoningContentForToolCalls).toBe(false);
+ });
+
+ it("injects reasoning_content placeholder for OpenRouter reasoning models lacking captured reasoning", () => {
+ // Reproduces the failing path from real usage: a conversation generated under Anthropic Claude (whose
+ // reasoning is redacted/encrypted) is continued with deepseek/deepseek-v4-pro via OpenRouter. The
+ // prior assistant turns persist as ThinkingContent blocks with empty `thinking` text plus an opaque
+ // Anthropic signature cookie. omp cannot translate that into DeepSeek's plain-text `reasoning_content`,
+ // so the empty thinking block is filtered out and the placeholder fires — satisfying DeepSeek's
+ // thinking-mode validator without fabricating a reasoning trace.
+ const model: Model<"openai-completions"> = {
+ ...(getBundledModel("openrouter", "deepseek/deepseek-v3.2") as Model<"openai-completions">),
+ reasoning: true,
+ };
+ const compat = detectCompat(model);
+ const toolCallMessage: AssistantMessage = {
+ role: "assistant",
+ content: [
+ // Anthropic-style redacted thinking block: empty text plus opaque signature.
+ // `thinking.trim().length === 0` filters this out before the signature echo can fire.
+ { type: "thinking", thinking: "", thinkingSignature: "Ep4CClkIDRgCKkDOpaqueAnthropicCookie" },
+ { type: "toolCall", id: "call_anth_to_ds", name: "web_search", arguments: { query: "hi" } },
+ ],
+ api: model.api,
+ provider: model.provider,
+ model: model.id,
+ usage: {
+ input: 0,
+ output: 0,
+ cacheRead: 0,
+ cacheWrite: 0,
+ totalTokens: 0,
+ cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0, total: 0 },
+ },
+ stopReason: "toolUse",
+ timestamp: Date.now(),
+ };
+ const messages = convertMessages(model, { messages: [toolCallMessage] }, compat);
+ const assistant = messages.find(m => m.role === "assistant");
+ expect(assistant).toBeDefined();
+ expect(Reflect.get(assistant as object, "reasoning_content")).toBe(".");
+ });
+
+ it("injects reasoning_content placeholder for kimi-k2-5 via OpenRouter (closes the kimi-via-openrouter gap)", () => {
+ // Before this fix, `requiresReasoningContentForToolCalls` was true for Kimi via OpenRouter but the
+ // stub gate only fired when `thinkingFormat === "openai"`. OpenRouter sets thinkingFormat="openrouter",
+ // so the stub silently never fired and Kimi-via-OpenRouter conversations 400'd the same way.
+ const model: Model<"openai-completions"> = {
+ ...getBundledModel("openai", "gpt-4o-mini"),
+ api: "openai-completions",
+ provider: "openrouter",
+ baseUrl: "https://openrouter.ai/api/v1",
+ id: "moonshotai/kimi-k2-5",
+ reasoning: true,
+ };
+ const compat = detectCompat(model);
+ const toolCallMessage: AssistantMessage = {
+ role: "assistant",
+ content: [
+ { type: "toolCall", id: "call_kimi_or", name: "web_search", arguments: { query: "hi" } },
+ ],
+ api: model.api,
+ provider: model.provider,
+ model: model.id,
+ usage: {
+ input: 0,
+ output: 0,
+ cacheRead: 0,
+ cacheWrite: 0,
+ totalTokens: 0,
+ cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0, total: 0 },
+ },
+ stopReason: "toolUse",
+ timestamp: Date.now(),
+ };
+ const messages = convertMessages(model, { messages: [toolCallMessage] }, compat);
+ const assistant = messages.find(m => m.role === "assistant");
+ expect(assistant).toBeDefined();
+ expect(Reflect.get(assistant as object, "reasoning_content")).toBe(".");
+ });
+
+ it("preserves real captured reasoning over the placeholder when the assistant has non-empty thinking", () => {
+ // Sanity check: the placeholder must not overwrite real reasoning. When the prior assistant turn was
+ // generated by the same provider and surfaces plaintext reasoning, the existing thinkingSignature
+ // echo path sets `reasoning_content` first, and `hasReasoningField` short-circuits the stub.
+ const model: Model<"openai-completions"> = {
+ ...(getBundledModel("openrouter", "deepseek/deepseek-v3.2") as Model<"openai-completions">),
+ reasoning: true,
+ };
+ const compat = detectCompat(model);
+ const toolCallMessage: AssistantMessage = {
+ role: "assistant",
+ content: [
+ { type: "thinking", thinking: "Step 1: read the file. Step 2: search.", thinkingSignature: "reasoning_content" },
+ { type: "toolCall", id: "call_real", name: "web_search", arguments: { query: "hi" } },
+ ],
+ api: model.api,
+ provider: model.provider,
+ model: model.id,
+ usage: {
+ input: 0,
+ output: 0,
+ cacheRead: 0,
+ cacheWrite: 0,
+ totalTokens: 0,
+ cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0, total: 0 },
+ },
+ stopReason: "toolUse",
+ timestamp: Date.now(),
+ };
+ const messages = convertMessages(model, { messages: [toolCallMessage] }, compat);
+ const assistant = messages.find(m => m.role === "assistant");
+ expect(assistant).toBeDefined();
+ expect(Reflect.get(assistant as object, "reasoning_content")).toBe("Step 1: read the file. Step 2: search.");
+ });
+
});

54
scripts/bootstrap-desktop-tpm.sh Executable file
View File

@@ -0,0 +1,54 @@
#!/usr/bin/env bash
# Bootstrap the age-plugin-tpm identity for a desktop host (mreow / yarn).
#
# Produces a TPM-sealed age identity at /var/lib/agenix/tpm-identity and
# prints the recipient string to add to secrets/secrets.nix.
#
# Usage:
# doas scripts/bootstrap-desktop-tpm.sh
#
# After running:
# 1. Append the printed recipient to the `tpm` list in secrets/secrets.nix.
# 2. Re-encrypt: nix-shell -p age-plugin-tpm rage --run \
# 'agenix -r -i ~/.ssh/id_ed25519'
# 3. Commit + ./deploy.sh switch.
set -euo pipefail
if [[ $EUID -ne 0 ]]; then
echo "this script must run as root (access to /dev/tpmrm0 + /var/lib/agenix)" >&2
exit 1
fi
host=$(hostname -s)
id_file=/var/lib/agenix/tpm-identity
install -d -m 0700 -o root -g root /var/lib/agenix
if [[ -f "$id_file" ]]; then
echo "existing identity found at $id_file — preserving"
else
echo "generating TPM-sealed age identity..."
nix-shell -p age-plugin-tpm --run "age-plugin-tpm --generate -o $id_file"
chmod 0400 "$id_file"
chown root:root "$id_file"
fi
# Read the recipient directly from the identity file header — no TPM
# round-trip needed, no nix run, no set -e hazards.
recipient=$(grep '^# Recipient:' "$id_file" | awk '{print $3}')
if [[ -z "$recipient" ]]; then
echo "failed to read recipient from $id_file" >&2
exit 1
fi
cat <<EOF
recipient for $host:
"$recipient $host"
next steps (run on a workstation with git-crypt unlocked):
1. edit secrets/secrets.nix and add the line above to the \`tpm\` list.
2. re-encrypt: nix-shell -p age-plugin-tpm rage --run 'agenix -r -i ~/.ssh/id_ed25519'
3. git commit + ./deploy.sh switch
EOF

BIN
secrets/desktop/nix-cache-netrc
View File

Binary file not shown.

BIN
secrets/desktop/nix-cache-netrc.age Normal file
View File

Binary file not shown.

BIN
secrets/desktop/password-hash
View File

Binary file not shown.

BIN
secrets/desktop/password-hash.age Normal file
View File

Binary file not shown.

BIN
secrets/desktop/secureboot.tar
View File

Binary file not shown.

BIN
secrets/desktop/secureboot.tar.age Normal file
View File

Binary file not shown.

BIN
secrets/desktop/wifi-passwords.nix
View File

Binary file not shown.

BIN
secrets/secrets.nix Normal file
View File

Binary file not shown.

20
services/gitea/gitea.nix
View File

@@ -50,14 +50,14 @@
};
# Hide repo Actions/workflow details from anonymous visitors. Gitea's own
# REQUIRE_SIGNIN_VIEW=expensive mode does not cover /{user}/{repo}/actions,
# so we gate the path at Caddy: forward_auth probes Gitea's /api/v1/user
# with the incoming request's Cookie/Authorization headers. A logged-in
# session answers 200 and the original request falls through to the
# reverse_proxy from mkCaddyReverseProxy; a 401 is turned into a redirect
# to the login page so the browser shows the login form instead of the
# workflow list. Workflow status badges stay public so README links keep
# rendering.
# REQUIRE_SIGNIN_VIEW=expensive does not cover /{user}/{repo}/actions, and
# the API auth chain (routers/api/v1/api.go buildAuthGroup) deliberately
# omits `auth_service.Session`, so an /api/v1/user probe would 401 even
# for logged-in browser sessions. We gate at Caddy instead: forward_auth
# probes a lightweight *web-UI* endpoint that does accept session cookies,
# and Gitea's own reqSignIn middleware answers 303 to /user/login for
# anonymous callers which we rewrite to preserve the original URL.
# Workflow status badges stay public so README links keep rendering.
services.caddy.virtualHosts.${service_configs.gitea.domain}.extraConfig = ''
@repoActionsNotBadge {
path_regexp ^/[^/]+/[^/]+/actions(/.*)?$
@@ -65,9 +65,9 @@
}
handle @repoActionsNotBadge {
forward_auth :${toString service_configs.ports.private.gitea.port} {
uri /api/v1/user
uri /user/stopwatches
@unauthorized status 401
@unauthorized status 302 303
handle_response @unauthorized {
redir * /user/login?redirect_to={uri} 302
}

182
services/grafana/dashboard.nix
View File

@@ -687,6 +687,188 @@ let
overrides = [ ];
};
}
# -- Row 6: Minecraft --
{
id = 14;
type = "stat";
title = "Minecraft Players";
gridPos = {
h = 8;
w = 6;
x = 0;
y = 40;
};
datasource = promDs;
targets = [
{
datasource = promDs;
expr = "sum(minecraft_status_players_online_count) or vector(0)";
refId = "A";
}
];
fieldConfig = {
defaults = {
thresholds = {
mode = "absolute";
steps = [
{
color = "green";
value = null;
}
{
color = "yellow";
value = 3;
}
{
color = "red";
value = 6;
}
];
};
};
overrides = [ ];
};
options = {
reduceOptions = {
calcs = [ "lastNotNull" ];
fields = "";
values = false;
};
colorMode = "value";
graphMode = "area";
};
}
{
id = 15;
type = "stat";
title = "Minecraft Server";
gridPos = {
h = 8;
w = 6;
x = 6;
y = 40;
};
datasource = promDs;
targets = [
{
datasource = promDs;
expr = "max(minecraft_status_healthy) or vector(0)";
refId = "A";
}
];
fieldConfig = {
defaults = {
mappings = [
{
type = "value";
options = {
"0" = {
text = "Offline";
color = "red";
index = 0;
};
"1" = {
text = "Online";
color = "green";
index = 1;
};
};
}
];
thresholds = {
mode = "absolute";
steps = [
{
color = "red";
value = null;
}
{
color = "green";
value = 1;
}
];
};
};
overrides = [ ];
};
options = {
reduceOptions = {
calcs = [ "lastNotNull" ];
fields = "";
values = false;
};
colorMode = "value";
graphMode = "none";
};
}
{
id = 16;
type = "timeseries";
title = "Minecraft Player Activity";
gridPos = {
h = 8;
w = 12;
x = 12;
y = 40;
};
datasource = promDs;
targets = [
{
datasource = promDs;
expr = "sum(minecraft_status_players_online_count) or vector(0)";
legendFormat = "Online players";
refId = "A";
}
{
datasource = promDs;
expr = "max(minecraft_status_players_max_count) or vector(0)";
legendFormat = "Max players";
refId = "B";
}
];
fieldConfig = {
defaults = {
unit = "short";
min = 0;
decimals = 0;
color.mode = "palette-classic";
custom = {
lineWidth = 2;
fillOpacity = 15;
spanNulls = true;
};
};
overrides = [
{
matcher = {
id = "byFrameRefID";
options = "B";
};
properties = [
{
id = "custom.lineStyle";
value = {
fill = "dash";
dash = [
8
4
];
};
}
{
id = "custom.fillOpacity";
value = 0;
}
{
id = "custom.lineWidth";
value = 1;
}
];
}
];
};
}
];
};
in

44
services/grafana/exporters.nix
View File

@@ -10,6 +10,9 @@ let
jellyfinExporterPort = service_configs.ports.private.jellyfin_exporter.port;
qbitExporterPort = service_configs.ports.private.qbittorrent_exporter.port;
igpuExporterPort = service_configs.ports.private.igpu_exporter.port;
minecraftExporterPort = service_configs.ports.private.minecraft_exporter.port;
minecraftServerName = service_configs.minecraft.server_name;
minecraftServerPort = service_configs.ports.public.minecraft.port;
in
{
# -- Jellyfin Prometheus Exporter --
@@ -109,4 +112,45 @@ in
REFRESH_PERIOD_MS = "30000";
};
};
# -- Minecraft Prometheus Exporter --
# itzg/mc-monitor queries the local server via SLP on each scrape and exposes
# minecraft_status_{healthy,response_time_seconds,players_online_count,players_max_count}.
# mc-monitor binds to 0.0.0.0 (no listen-address flag); the firewall keeps
# 9567 internal and IPAddressAllow pins the socket to loopback as defense-in-depth.
systemd.services.minecraft-exporter =
lib.mkIf (config.services.grafana.enable && config.services.minecraft-servers.enable)
{
description = "Prometheus exporter for Minecraft (mc-monitor SLP)";
after = [
"network.target"
"minecraft-server-${minecraftServerName}.service"
];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = "${lib.getExe pkgs.mc-monitor} export-for-prometheus";
Restart = "on-failure";
RestartSec = "10s";
DynamicUser = true;
NoNewPrivileges = true;
ProtectSystem = "strict";
ProtectHome = true;
PrivateTmp = true;
MemoryDenyWriteExecute = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
];
IPAddressAllow = [
"127.0.0.0/8"
"::1/128"
];
IPAddressDeny = "any";
};
environment = {
EXPORT_SERVERS = "127.0.0.1:${toString minecraftServerPort}";
EXPORT_PORT = toString minecraftExporterPort;
TIMEOUT = "5s";
};
};
}

6
services/grafana/prometheus.nix
View File

@@ -95,6 +95,12 @@ in
{ targets = [ "127.0.0.1:${toString service_configs.ports.private.igpu_exporter.port}" ]; }
];
}
{
job_name = "minecraft";
static_configs = [
{ targets = [ "127.0.0.1:${toString service_configs.ports.private.minecraft_exporter.port}" ]; }
];
}
{
job_name = "zfs";
static_configs = [

1
services/ssh.nix
View File

@@ -27,7 +27,6 @@
users.users.${username}.openssh.authorizedKeys.keys = [
site_config.ssh_keys.laptop
site_config.ssh_keys.desktop
];
# used for deploying configs to server

1
site-config.nix
View File

@@ -57,7 +57,6 @@ rec {
# hosts/yarn/default.nix. Rotating a key means changing it here, nowhere else.
ssh_keys = {
laptop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4jL6gYOunUlUtPvGdML0cpbKSsPNqQ1jit4E7U1RyH";
desktop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJjT5QZ3zRDb+V6Em20EYpSEgPW5e/U+06uQGJdraxi";
ci_deploy = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC5ZYN6idL/w/mUIfPOH1i+Q/SQXuzAMQUEuWpipx1Pc ci-deploy@muffin";
};
}

196
tests/deploy-finalize.nix Normal file
View File

@@ -0,0 +1,196 @@
# Test for modules/server-deploy-finalize.nix.
#
# Covers the decision and scheduling logic with fabricated profile directories,
# since spawning a second booted NixOS toplevel to diff kernels is too heavy for
# a runNixOSTest. We rely on the shellcheck pass baked into writeShellApplication
# to catch syntax regressions in the script itself.
{
lib,
pkgs,
inputs,
...
}:
pkgs.testers.runNixOSTest {
name = "deploy-finalize";
node.specialArgs = {
inherit inputs lib;
username = "testuser";
};
nodes.machine =
{ ... }:
{
imports = [
../modules/server-deploy-finalize.nix
];
services.deployFinalize = {
enable = true;
# Shorter default in the test to make expected-substring assertions
# stable and reinforce that the option is wired through.
delay = 15;
};
};
testScript = ''
start_all()
machine.wait_for_unit("multi-user.target")
# Test fixtures: fabricated profile trees whose kernel/initrd/kernel-modules
# symlinks are under test control. `readlink -e` requires the targets to
# exist, so we point at real files in /tmp rather than non-existent paths.
machine.succeed(
"mkdir -p /tmp/profile-same /tmp/profile-changed-kernel "
"/tmp/profile-changed-initrd /tmp/profile-changed-modules "
"/tmp/profile-missing /tmp/fake-targets"
)
machine.succeed(
"touch /tmp/fake-targets/alt-kernel /tmp/fake-targets/alt-initrd "
"/tmp/fake-targets/alt-modules"
)
booted_kernel = machine.succeed("readlink -e /run/booted-system/kernel").strip()
booted_initrd = machine.succeed("readlink -e /run/booted-system/initrd").strip()
booted_modules = machine.succeed("readlink -e /run/booted-system/kernel-modules").strip()
def link_profile(path, kernel, initrd, modules):
machine.succeed(f"ln -sf {kernel} {path}/kernel")
machine.succeed(f"ln -sf {initrd} {path}/initrd")
machine.succeed(f"ln -sf {modules} {path}/kernel-modules")
# profile-same: matches booted exactly should choose `switch`.
link_profile("/tmp/profile-same", booted_kernel, booted_initrd, booted_modules)
machine.succeed("mkdir -p /tmp/profile-same/bin")
machine.succeed(
"ln -sf /run/current-system/bin/switch-to-configuration "
"/tmp/profile-same/bin/switch-to-configuration"
)
# profile-changed-kernel: kernel differs only should choose `reboot`.
link_profile(
"/tmp/profile-changed-kernel",
"/tmp/fake-targets/alt-kernel",
booted_initrd,
booted_modules,
)
# profile-changed-initrd: initrd differs only should choose `reboot`.
link_profile(
"/tmp/profile-changed-initrd",
booted_kernel,
"/tmp/fake-targets/alt-initrd",
booted_modules,
)
# profile-changed-modules: kernel-modules differs only should choose `reboot`.
# Catches the obelisk PR / nixpkgs auto-upgrade case where modules rebuild
# against the same kernel but ABI-incompatible.
link_profile(
"/tmp/profile-changed-modules",
booted_kernel,
booted_initrd,
"/tmp/fake-targets/alt-modules",
)
# profile-missing: no kernel/initrd/kernel-modules should fail closed.
with subtest("dry-run against identical profile selects switch"):
rc, out = machine.execute(
"deploy-finalize --dry-run --profile /tmp/profile-same 2>&1"
)
assert rc == 0, f"rc={rc}\n{out}"
assert "action=switch" in out, out
assert "services only" in out, out
assert "dry-run not scheduling" in out, out
assert "would run: /tmp/profile-same/bin/switch-to-configuration switch" in out, out
assert "would schedule: systemd-run" in out, out
with subtest("dry-run against changed-kernel profile selects reboot"):
rc, out = machine.execute(
"deploy-finalize --dry-run --profile /tmp/profile-changed-kernel 2>&1"
)
assert rc == 0, f"rc={rc}\n{out}"
assert "action=reboot" in out, out
assert "reason=kernel changed" in out, out
assert "systemctl reboot" in out, out
with subtest("dry-run against changed-initrd profile selects reboot"):
rc, out = machine.execute(
"deploy-finalize --dry-run --profile /tmp/profile-changed-initrd 2>&1"
)
assert rc == 0, f"rc={rc}\n{out}"
assert "action=reboot" in out, out
assert "reason=initrd changed" in out, out
with subtest("dry-run against changed-modules profile selects reboot"):
rc, out = machine.execute(
"deploy-finalize --dry-run --profile /tmp/profile-changed-modules 2>&1"
)
assert rc == 0, f"rc={rc}\n{out}"
assert "action=reboot" in out, out
assert "reason=kernel-modules changed" in out, out
with subtest("dry-run against empty profile fails closed with rc=1"):
rc, out = machine.execute(
"deploy-finalize --dry-run --profile /tmp/profile-missing 2>&1"
)
assert rc == 1, f"rc={rc}\n{out}"
assert "missing kernel, initrd, or kernel-modules" in out, out
with subtest("--delay override is reflected in output"):
rc, out = machine.execute(
"deploy-finalize --dry-run --delay 7 --profile /tmp/profile-same 2>&1"
)
assert rc == 0, f"rc={rc}\n{out}"
assert "delay=7s" in out, out
with subtest("configured default delay from module option is used"):
rc, out = machine.execute(
"deploy-finalize --dry-run --profile /tmp/profile-same 2>&1"
)
assert rc == 0, f"rc={rc}\n{out}"
# module option delay=15 in nodes.machine above.
assert "delay=15s" in out, out
with subtest("unknown option rejected with rc=2"):
rc, out = machine.execute("deploy-finalize --bogus 2>&1")
assert rc == 2, f"rc={rc}\n{out}"
assert "unknown option --bogus" in out, out
with subtest("non-dry run arms a transient systemd timer"):
# Long delay so the timer doesn't fire during the test. We stop it
# explicitly afterwards.
rc, out = machine.execute(
"deploy-finalize --delay 3600 --profile /tmp/profile-same 2>&1"
)
assert rc == 0, f"scheduling rc={rc}\n{out}"
# Confirm exactly one transient timer is active.
timers = machine.succeed(
"systemctl list-units --type=timer --no-legend 'deploy-finalize-*.timer' "
"--state=waiting | awk 'NF{print $1}'"
).strip().splitlines()
assert len(timers) == 1, f"expected exactly one pending timer, got {timers}"
assert timers[0].startswith("deploy-finalize-"), timers
with subtest("back-to-back scheduling cancels the previous timer"):
# The previous subtest left one timer armed. Schedule again; the old
# one should be stopped before the new unit name is created.
machine.succeed("sleep 1") # ensure a distinct unit-name timestamp
rc, out = machine.execute(
"deploy-finalize --delay 3600 --profile /tmp/profile-same 2>&1"
)
assert rc == 0, f"second-schedule rc={rc}\n{out}"
timers = machine.succeed(
"systemctl list-units --type=timer --no-legend 'deploy-finalize-*.timer' "
"--state=waiting | awk 'NF{print $1}'"
).strip().splitlines()
assert len(timers) == 1, f"expected only the new timer, got {timers}"
# Clean up so the test's shutdown path is quiet.
machine.succeed(
"systemctl stop 'deploy-finalize-*.timer' 'deploy-finalize-*.service' "
"2>/dev/null || true"
)
'';
}

67
tests/gitea-hide-actions.nix
View File

@@ -67,9 +67,14 @@ pkgs.testers.runNixOSTest {
# `service_configs.gitea.domain` string, which here is the full URL
# `http://server`. Override to valid bare values so Gitea doesn't
# get a malformed ROOT_URL like `https://http://server`.
services.gitea.settings.server = {
DOMAIN = lib.mkForce "server";
ROOT_URL = lib.mkForce "http://server/";
services.gitea.settings = {
server = {
DOMAIN = lib.mkForce "server";
ROOT_URL = lib.mkForce "http://server/";
};
# Tests talk HTTP, so drop the Secure flag — otherwise curl's cookie
# jar holds the session cookie but never sends it back.
session.COOKIE_SECURE = lib.mkForce false;
};
services.caddy = {
enable = true;
@@ -103,6 +108,8 @@ pkgs.testers.runNixOSTest {
};
testScript = ''
import re
start_all()
server.wait_for_unit("postgresql.service")
server.wait_for_unit("gitea.service")
@@ -110,7 +117,6 @@ pkgs.testers.runNixOSTest {
server.wait_for_open_port(3000)
server.wait_for_open_port(80)
# Admin user used to exercise the authenticated path via Basic Auth.
server.succeed(
"su -l gitea -s /bin/sh -c '${pkgs.gitea}/bin/gitea admin user create "
"--username testuser --password testpassword "
@@ -118,13 +124,44 @@ pkgs.testers.runNixOSTest {
"--work-path /var/lib/gitea'"
)
def curl(args):
def curl(args, cookies=None):
cookie_args = f"-b {cookies} " if cookies else ""
cmd = (
"curl -4 -s -o /dev/null "
"-w '%{http_code}|%{redirect_url}' " + args
f"-w '%{{http_code}}|%{{redirect_url}}' {cookie_args}{args}"
)
return client.succeed(cmd).strip()
def login():
# Gitea's POST /user/login requires a _csrf token and expects the
# matching session cookie already set. Fetch the login form first
# to harvest both, then submit credentials with the same cookie jar.
client.succeed("rm -f /tmp/cookies.txt")
html = client.succeed(
"curl -4 -s -c /tmp/cookies.txt http://server/user/login"
)
match = re.search(r'name="_csrf"\s+value="([^"]+)"', html)
assert match, f"CSRF token not found in login form: {html[:500]!r}"
csrf = match.group(1)
# -L so we follow the post-login redirect; the session cookie is
# rewritten by Gitea on successful login to carry uid.
client.succeed(
"curl -4 -s -L -o /dev/null "
"-b /tmp/cookies.txt -c /tmp/cookies.txt "
f"--data-urlencode '_csrf={csrf}' "
"--data-urlencode 'user_name=testuser' "
"--data-urlencode 'password=testpassword' "
"http://server/user/login"
)
# Sanity-check the session by hitting the gated probe directly
# the post-login cookie jar MUST drive /user/stopwatches to 200.
probe = client.succeed(
"curl -4 -s -o /dev/null -w '%{http_code}' "
"-b /tmp/cookies.txt http://server/user/stopwatches"
).strip()
assert probe == "200", f"session auth probe expected 200, got {probe!r}"
return "/tmp/cookies.txt"
with subtest("Anonymous /{user}/{repo}/actions redirects to login"):
result = curl("http://server/foo/bar/actions")
code, _, redir = result.partition("|")
@@ -132,6 +169,9 @@ pkgs.testers.runNixOSTest {
assert code == "302", f"expected 302, got {code!r} (full: {result!r})"
assert "/user/login" in redir, f"expected login redirect, got {redir!r}"
assert "redirect_to=" in redir, f"expected redirect_to param, got {redir!r}"
assert "/foo/bar/actions" in redir, (
f"expected original URL preserved in redirect_to, got {redir!r}"
)
with subtest("Anonymous deep /actions paths also redirect"):
for path in ["/foo/bar/actions/", "/foo/bar/actions/runs/1", "/foo/bar/actions/workflows/build.yaml"]:
@@ -142,8 +182,6 @@ pkgs.testers.runNixOSTest {
assert "/user/login" in redir, f"{path}: expected login redirect, got {redir!r}"
with subtest("Anonymous workflow badge stays public"):
# Repo doesn't exist Gitea answers 404, but Caddy does NOT intercept
# with a login redirect so README badges keep rendering.
result = curl("http://server/foo/bar/actions/workflows/ci.yaml/badge.svg")
code, _, redir = result.partition("|")
print(f"anon badge -> {result!r}")
@@ -151,17 +189,18 @@ pkgs.testers.runNixOSTest {
f"badge path should not redirect to login, got {result!r}"
)
with subtest("Authenticated /{user}/{repo}/actions does not redirect to login"):
cookies = login()
with subtest("Session-authenticated /{user}/{repo}/actions reaches Gitea"):
result = curl(
"-u testuser:testpassword "
"http://server/testuser/nonexistent/actions"
"http://server/testuser/nonexistent/actions", cookies=cookies
)
code, _, redir = result.partition("|")
print(f"auth /testuser/nonexistent/actions -> {result!r}")
# Gitea will 404 the missing repo the key assertion is that the
# Caddy gate let the request through instead of redirecting to login.
# Gitea returns 404 for the missing repo the key assertion is that
# Caddy's gate forwarded the request instead of redirecting to login.
assert not (code == "302" and "/user/login" in redir), (
f"authenticated actions request was intercepted by login gate: {result!r}"
f"session-authed actions request was intercepted by login gate: {result!r}"
)
with subtest("Anonymous /explore/repos is served without gating"):

1
tests/tests.nix
View File

@@ -13,6 +13,7 @@ in
minecraftTest = handleTest ./minecraft.nix;
jellyfinQbittorrentMonitorTest = handleTest ./jellyfin-qbittorrent-monitor.nix;
deployGuardTest = handleTest ./deploy-guard.nix;
deployFinalizeTest = handleTest ./deploy-finalize.nix;
filePermsTest = handleTest ./file-perms.nix;
# fail2ban tests