set update.nix to gitea

.github/workflows/build_systems.yml

@@ -23,6 +23,6 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Build default package
-        run: "nixos-rebuild build --accept-flake-config --flake ./#${{ matrix.system }}"
+        run: "nixos-rebuild build --flake ./#${{ matrix.system }}"
       - name: copy to nix-cache
         run: nix copy --accept-flake-config --to unix:///host-nix/var/nix/daemon-socket/socket .#nixosConfigurations.${{ matrix.system }}.config.system.build.toplevel

.github/workflows/pytest.yml

@@ -1,7 +1,6 @@
 name: pytest
 
 on:
-  workflow_dispatch:
   push:
     branches:
       - main

.github/workflows/update-flake-lock.yml

@@ -8,7 +8,6 @@ jobs:
   lockfile:
     runs-on: self-hosted
     permissions:
-      actions: write
       contents: write
       pull-requests: write
     steps:

common/global/default.nix

@@ -23,10 +23,7 @@
   boot = {
     tmp.useTmpfs = true;
     kernelPackages = lib.mkDefault pkgs.linuxPackages_6_12;
-    zfs = {
+    zfs.package = lib.mkDefault pkgs.zfs_2_4;
-      package = lib.mkDefault pkgs.zfs_2_4;
-      forceImportRoot = lib.mkDefault false;
-    };
   };
 
   hardware.enableRedistributableFirmware = true;
@@ -40,12 +37,7 @@
 
   nixpkgs = {
     overlays = builtins.attrValues outputs.overlays;
-    config = {
+    config.allowUnfree = true;
-      allowUnfree = true;
-      permittedInsecurePackages = [
-        "openssl-1.1.1w" # This is for discord-canary
-      ];
-    };
   };
 
   services = {

docs/zfs_failed_root_import_recovry.md

@@ -1,76 +0,0 @@
-# ZFS failed root import recovery
-
-## Fast path
-
-If the machine fails to boot because ZFS refuses to import `root_pool`:
-
-### GRUB
-
-1. At the bootloader menu, select the normal NixOS entry.
-2. Press `e`.
-3. Find the line that starts with `linux`.
-4. Append this to the end of that line:
-
-```text
-zfs_force=1
-```
-
-5. Boot once with `Ctrl+x` or `F10`.
-
-### systemd-boot
-
-1. At the bootloader menu, highlight the normal NixOS entry.
-2. Press `e`.
-3. Append this to the end of the options line:
-
-```text
-zfs_force=1
-```
-
-4. Press `Enter` to boot once.
-
-## After boot
-
-Run:
-
-```bash
-sudo zpool status
-sudo zpool import
-journalctl -b | rg "ZFS|zfs|import|root_pool"
-```
-
-## Expected result
-
-`sudo zpool status` should show `root_pool` as `ONLINE`.
-
-## Reboot test
-
-Run:
-
-```bash
-sudo reboot
-```
-
-Do not add `zfs_force=1` the second time.
-
-## If it still fails
-
-Boot once more with:
-
-```text
-zfs_force=1
-```
-
-Then run:
-
-```bash
-sudo zpool status -v
-sudo zpool history | tail -n 50
-journalctl -b | rg "ZFS|zfs|import|root_pool"
-```
-
-## Notes
-
-- Root pool name is `root_pool`.
-- This is a one-time recovery path after disk moves, controller changes, dirty exports, or interrupted imports.
-- Some hosts also need the LUKS unlock USB key inserted before boot.

flake.lock

@@ -8,11 +8,11 @@
       },
       "locked": {
         "dir": "pkgs/firefox-addons",
-        "lastModified": 1781270820,
+        "lastModified": 1776398575,
-        "narHash": "sha256-KuDdN/p4UtqUb1wnjo8a/YougmRXEaKvUoGHkYnuAq0=",
+        "narHash": "sha256-WArU6WOdWxzbzGqYk4w1Mucg+bw/SCl6MoSp+/cZMio=",
         "owner": "rycee",
         "repo": "nur-expressions",
-        "rev": "5f4259c0c832a93e13c5ec481d3318ce1394a8f9",
+        "rev": "05815686caf4e3678f5aeb5fd36e567886ab0d30",
         "type": "gitlab"
       },
       "original": {
@@ -29,11 +29,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1781305496,
+        "lastModified": 1776454077,
-        "narHash": "sha256-g8Vv4Qfc7n+lgov97REu3X6BeJtvYY0hlSUZR1GrGQQ=",
+        "narHash": "sha256-7zSUFWsU0+jlD7WB3YAxQ84Z/iJurA5hKPm8EfEyGJk=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "c87a39aa979acc4848016d2220c6238390d84779",
+        "rev": "565e5349208fe7d0831ef959103c9bafbeac0681",
         "type": "github"
       },
       "original": {
@@ -43,15 +43,12 @@
       }
     },
     "nixos-hardware": {
-      "inputs": {
-        "nixpkgs": "nixpkgs"
-      },
       "locked": {
-        "lastModified": 1781168557,
+        "lastModified": 1775490113,
-        "narHash": "sha256-LOnLQ2tpYF9gqIDDr3+j3DbpJJr/QCH6zPRT2GzEUOE=",
+        "narHash": "sha256-2ZBhDNZZwYkRmefK5XLOusCJHnoeKkoN95hoSGgMxWM=",
         "owner": "nixos",
         "repo": "nixos-hardware",
-        "rev": "6358ff76821101c178e3ab4919a62799bfe3652e",
+        "rev": "c775c2772ba56e906cbeb4e0b2db19079ef11ff7",
         "type": "github"
       },
       "original": {
@@ -63,24 +60,27 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1767892417,
+        "lastModified": 1776169885,
-        "narHash": "sha256-8bW3q88CEg2u4hSP66Vf4lpbLonHz7hqDNBMcCY7E9U=",
+        "narHash": "sha256-l/iNYDZ4bGOAFQY2q8y5OAfBBtrDAaPuRQqWaFHVRXM=",
-        "rev": "3497aa5c9457a9d88d71fa93a4a8368816fbeeba",
+        "owner": "nixos",
-        "type": "tarball",
+        "repo": "nixpkgs",
-        "url": "https://releases.nixos.org/nixos/unstable/nixos-26.05pre924538.3497aa5c9457/nixexprs.tar.xz"
+        "rev": "4bd9165a9165d7b5e33ae57f3eecbcb28fb231c9",
+        "type": "github"
       },
       "original": {
-        "type": "tarball",
+        "owner": "nixos",
-        "url": "https://channels.nixos.org/nixos-unstable/nixexprs.tar.xz"
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
       }
     },
     "nixpkgs-master": {
       "locked": {
-        "lastModified": 1781306963,
+        "lastModified": 1776469842,
-        "narHash": "sha256-qWZ+XEwsf8pN4DnYyyLbmAyj1a74gOO/VNCff44MuB4=",
+        "narHash": "sha256-sqzM6PKMQoGk8Sl+uv2sbP1qiS2SPQhA2yn5zgZINMc=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "1eee1a273e2e3fdc3db5b1a4a66f06cd5749db69",
+        "rev": "025c852a89be820b3117f604c8ace42e9b4caa08",
         "type": "github"
       },
       "original": {
@@ -106,28 +106,12 @@
         "type": "github"
       }
     },
-    "nixpkgs_2": {
-      "locked": {
-        "lastModified": 1781074563,
-        "narHash": "sha256-md8WlXOlfnIeHeOScMTTHFyf2d6iaTwPl2apR5EQ3P4=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "9ae611a455b90cf061d8f332b977e387bda8e1ca",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
     "root": {
       "inputs": {
         "firefox-addons": "firefox-addons",
         "home-manager": "home-manager",
         "nixos-hardware": "nixos-hardware",
-        "nixpkgs": "nixpkgs_2",
+        "nixpkgs": "nixpkgs",
         "nixpkgs-master": "nixpkgs-master",
         "nixpkgs-stable": "nixpkgs-stable",
         "sops-nix": "sops-nix",
@@ -141,11 +125,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1780547341,
+        "lastModified": 1776119890,
-        "narHash": "sha256-Gq8KNx5A7hBB3uGJaj6eQfLDIz5YdLu92gqBcvHvoUo=",
+        "narHash": "sha256-Zm6bxLNnEOYuS/SzrAGsYuXSwk3cbkRQZY0fJnk8a5M=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "9ed65852b6257fbeae4355bc24ecfea307ca759a",
+        "rev": "d4971dd58c6627bfee52a1ad4237637c0a2fb0cd",
         "type": "github"
       },
       "original": {

overlays/default.nix

@@ -23,6 +23,7 @@
         apscheduler
         fastapi
         fastapi-cli
+        faster-whisper
         httpx
         mypy
         orjson

python/gitea.py

@@ -4,12 +4,10 @@ from __future__ import annotations
 
 from dataclasses import dataclass
 from typing import Self
-from urllib.parse import quote
 
 import httpx
 
 DEFAULT_PAGE_SIZE = 100
-EXPECTED_NO_CONTENT = 204
 EXPECTED_CREATED = 201
 EXPECTED_OK = 200
 
@@ -224,16 +222,6 @@ class GiteaClient:
             json=payload,
         )
 
-    def dispatch_workflow(self, *, owner: str, repo: str, workflow_id: str, ref: str) -> None:
-        """Trigger a workflow_dispatch run."""
-        workflow_path = quote(workflow_id, safe="")
-        self._request(
-            "POST",
-            f"/api/v1/repos/{owner}/{repo}/actions/workflows/{workflow_path}/dispatches",
-            expected_statuses={EXPECTED_OK, EXPECTED_NO_CONTENT},
-            json={"ref": ref},
-        )
-
     def list_run_jobs(self, *, owner: str, repo: str, run_id: str | int) -> list[WorkflowJob]:
         """List workflow jobs for a specific run."""
         jobs: list[WorkflowJob] = []

python/gitea_flake_lock.py

@@ -14,7 +14,6 @@ DEFAULT_BASE_BRANCH = "main"
 DEFAULT_BRANCH = "automation/update-flake-lock"
 DEFAULT_GITEA_URL = "https://gitea.tmmworkshop.com"
 PR_LABELS = ["dependencies", "automated", "flake_lock_update"]
-PR_CHECK_WORKFLOWS = ["build_systems.yml", "treefmt.yml", "pytest.yml"]
 PR_TITLE = "Update flake.lock"
 PR_BODY = "Automated flake.lock update."
 
@@ -58,12 +57,6 @@ def find_flake_lock_pull_request(client: GiteaClient, *, owner: str, repo: str)
     return pull_requests[0]
 
 
-def dispatch_pull_request_checks(client: GiteaClient, *, owner: str, repo: str, branch: str) -> None:
-    """Dispatch the workflows that normally run for pull requests."""
-    for workflow in PR_CHECK_WORKFLOWS:
-        client.dispatch_workflow(owner=owner, repo=repo, workflow_id=workflow, ref=branch)
-
-
 def has_worktree_changes() -> bool:
     """Return whether `flake.lock` has worktree changes."""
     result = run_cmd(["git", "diff", "--quiet", "--", "flake.lock"], check=False)
@@ -120,9 +113,6 @@ def update(
             branch=branch,
             base=base,
         )
-        # We can remove this if Gitea fixes the following issue:
-        # https://github.com/go-gitea/gitea/issues/33963
-        dispatch_pull_request_checks(client, owner=owner, repo=repo_name, branch=branch)
     typer.echo(pull_request.html_url or f"Pull request #{pull_request.number}")
 
 

systems/bob/default.nix

@@ -28,12 +28,7 @@
   networking = {
     hostName = "bob";
     hostId = "7c678a41";
-    firewall = {
+    firewall.enable = true;
-      enable = true;
-      allowedTCPPorts = [
-        8000
-      ];
-    };
     networkmanager.enable = true;
   };
 

systems/bob/hardware.nix

@@ -30,11 +30,6 @@
         keyFile = "/dev/disk/by-id/usb-Samsung_Flash_Drive_FIT_0374620080067131-0:0";
       };
     };
-
-    zfs.extraPools = [
-      "storage"
-    ];
-
     kernelModules = [ "kvm-amd" ];
     extraModulePackages = [ ];
   };

systems/bob/llms.nix

@@ -42,12 +42,11 @@
       "qwen3:8b"
       "qwen3.5:27b"
       "qwen3.5:35b"
-      "qwen3.6:27b"
       "qwen3.6:35b"
-      "rinex20/translategemma3:12b"
       "translategemma:12b"
       "translategemma:27b"
       "translategemma:4b"
+      "rinex20/translategemma3:12b"
     ];
     models = "/zfs/storage/models";
     openFirewall = true;

systems/jeeves/networking.nix

@@ -1,13 +1,4 @@
 {
-  # Docker loads br_netfilter on jeeves. Disable bridge netfilter so
-  # br-nix-builder behaves like a pure L2 bridge and bridged traffic
-  # does not hit the host firewall/rpfilter path.
-  boot.kernel.sysctl = {
-    "net.bridge.bridge-nf-call-arptables" = 0;
-    "net.bridge.bridge-nf-call-ip6tables" = 0;
-    "net.bridge.bridge-nf-call-iptables" = 0;
-  };
-
   networking = {
     hostName = "jeeves";
     hostId = "0e15ce35";
@@ -43,18 +34,11 @@
       };
     };
     networks = {
-      "10-Primary" = {
+      "10-1GB_Primary" = {
-        matchConfig.Name = "enp97s0";
+        matchConfig.Name = "enp97s0f1";
         address = [ "192.168.99.14/24" ];
-        dns = [
-          "192.168.99.1"
-          "2600:4040:abfb:d700::1"
-        ];
         routes = [ { Gateway = "192.168.99.1"; } ];
         vlan = [ "internet-vlan" ];
-        dhcpV4Config.UseDNS = false;
-        dhcpV6Config.UseDNS = false;
-        ipv6AcceptRAConfig.UseDNS = false;
         linkConfig.RequiredForOnline = "routable";
       };
       "50-internet-vlan" = {
@@ -65,10 +49,23 @@
       "60-br-nix-builder" = {
         matchConfig.Name = "br-nix-builder";
         bridgeConfig = { };
-        networkConfig = {
+        address = [ "192.168.3.10/24" ];
-          IPv6AcceptRA = false;
+        routingPolicyRules = [
-          LinkLocalAddressing = "no";
+          {
-        };
+            From = "192.168.3.0/24";
+            Table = 100;
+            Priority = 100;
+          }
+        ];
+        routes = [
+          {
+            Gateway = "192.168.3.1";
+            Table = 100;
+            GatewayOnLink = false;
+            Metric = 2048;
+            PreferredSource = "192.168.3.10";
+          }
+        ];
         linkConfig.RequiredForOnline = "no";
       };
     };

systems/jeeves/programs.nix

@@ -3,6 +3,5 @@
   environment.systemPackages = with pkgs; [
     filebot
     docker-compose
-    ffmpeg
   ];
 }

systems/jeeves/runners/nix_builder.nix

@@ -2,7 +2,6 @@
   config,
   lib,
   outputs,
-  utils,
   ...
 }:
 
@@ -10,8 +9,6 @@ with lib;
 let
   vars = import ../vars.nix;
   cfg = config.services.nix_builder;
-  runnerUsername = "gitea-runner";
-  runnerUserid = 601;
 in
 {
   options.services.nix_builder = {
@@ -36,30 +33,27 @@ in
   };
 
   config = {
-    users = {
-      users.${runnerUsername} = {
-        isSystemUser = true;
-        group = runnerUsername;
-        uid = runnerUserid;
-      };
-      groups.${runnerUsername}.gid = runnerUserid;
-    };
-
     containers = mapAttrs (
       name: containerCfg:
       mkIf containerCfg.enable {
         autoStart = true;
         privateNetwork = true;
         hostBridge = cfg.bridgeName;
+        ephemeral = true;
         bindMounts = {
+          storage = {
+            hostPath = "/zfs/media/github-runners/${name}";
+            mountPoint = "/var/lib/gitea-runner/${name}";
+            isReadOnly = false;
+          };
           host-nix = {
             mountPoint = "/host-nix/var/nix/daemon-socket";
             hostPath = "/nix/var/nix/daemon-socket";
             isReadOnly = false;
           };
           token = {
-            hostPath = "${vars.secrets}/services/gitea-runners";
+            hostPath = "${vars.secrets}/services/gitea-runners/registration-token";
-            mountPoint = "/run/secrets/gitea-runners";
+            mountPoint = "${vars.secrets}/services/gitea-runners/registration-token";
             isReadOnly = true;
           };
         };
@@ -108,59 +102,24 @@ in
               overlays = builtins.attrValues outputs.overlays;
               config.allowUnfree = true;
             };
-            users = {
-              users.${runnerUsername} = {
-                isSystemUser = true;
-                group = runnerUsername;
-                uid = runnerUserid;
-              };
-              groups.${runnerUsername}.gid = runnerUserid;
-            };
             services.gitea-actions-runner.instances.${name} = {
               enable = true;
               name = "jeeves-${name}";
-              url = "http://192.168.99.14:6443/";
+              url = "https://gitea.tmmworkshop.com";
               labels = [
                 "self-hosted:host"
                 "nixos:host"
               ];
-              tokenFile = "/run/secrets/gitea-runners/registration-token";
+              tokenFile = "${vars.secrets}/services/gitea-runners/registration-token";
               hostPackages = with pkgs; [
-                bash
-                coreutils
-                curl
-                gawk
-                gitMinimal
-                gnused
-                my_python
-                nix
-                nixfmt
                 nixos-rebuild
-                nodejs
                 treefmt
-                wget
+                my_python
               ];
             };
-            systemd.services."gitea-runner-${utils.escapeSystemdPath name}" = {
-              serviceConfig = {
-                DynamicUser = mkForce false;
-                User = mkForce runnerUsername;
-                Group = mkForce runnerUsername;
-              };
-            };
             system.stateVersion = "24.05";
           };
       }
     ) cfg.containers;
-
-    systemd.services = builtins.listToAttrs (
-      map (name: {
-        name = "container@${name}";
-        value = {
-          requires = [ "gitea.service" ];
-          after = [ "gitea.service" ];
-        };
-      }) (builtins.attrNames (filterAttrs (_: c: c.enable) cfg.containers))
-    );
   };
 }

systems/jeeves/services/audiobookshelf.nix

@@ -3,10 +3,7 @@ let
   vars = import ../vars.nix;
 in
 {
-  services.audiobookshelf = {
+  services.audiobookshelf.enable = true;
-    enable = true;
-    port = 8000;
-  };
   systemd.services.audiobookshelf.serviceConfig.WorkingDirectory =
     lib.mkForce "${vars.docker_configs}/audiobookshelf";
   users.users.audiobookshelf.home = lib.mkForce "${vars.docker_configs}/audiobookshelf";

systems/jeeves/services/camofox-browser.nix

@@ -1,80 +0,0 @@
-{
-  ...
-}:
-let
-  vars = import ../vars.nix;
-in
-{
-  systemd.tmpfiles.rules = [
-    "d ${vars.docker_configs}/camofox-browser 0750 root root - -"
-  ];
-
-  containers.camofox-browser = {
-    autoStart = true;
-    privateNetwork = false;
-    bindMounts = {
-      camofox-browser = {
-        hostPath = "${vars.docker_configs}/camofox-browser";
-        mountPoint = "/var/lib/camofox-browser";
-        isReadOnly = false;
-      };
-    };
-    config =
-      {
-        pkgs,
-        lib,
-        ...
-      }:
-      {
-        networking.hostName = "camofox-browser";
-
-        environment.systemPackages = with pkgs; [
-          ffmpeg
-          git
-          nodejs
-          python3Packages.yt-dlp
-        ];
-
-        systemd.services.camofox-browser = {
-          description = "Camofox browser server";
-          wantedBy = [ "multi-user.target" ];
-          after = [ "network.target" ];
-          environment = {
-            CAMOFOX_HOST = "127.0.0.1";
-            CAMOFOX_PORT = "9377";
-            HOME = "/var/lib/camofox-browser";
-          };
-          path = with pkgs; [
-            bash
-            coreutils
-            git
-            nodejs
-          ];
-          serviceConfig = {
-            Restart = "always";
-            RestartSec = "5s";
-            WorkingDirectory = "/var/lib/camofox-browser";
-          };
-          script = ''
-            set -eu
-
-            app_dir=/var/lib/camofox-browser/app
-
-            if [ ! -d "$app_dir/.git" ]; then
-              git clone --depth 1 https://github.com/jo-inc/camofox-browser "$app_dir"
-            fi
-
-            cd "$app_dir"
-
-            if [ ! -d node_modules ]; then
-              npm install
-            fi
-
-            exec npm start
-          '';
-        };
-
-        system.stateVersion = lib.mkDefault "24.05";
-      };
-  };
-}

systems/jeeves/services/nornsight.nix

@@ -1,107 +0,0 @@
-{ pkgs, ... }:
-let
-  vars = import ../vars.nix;
-  stateDir = "${vars.services}/nornsight";
-  appDir = "${stateDir}/app";
-  binPath = pkgs.lib.makeBinPath [
-    pkgs.binutils
-    pkgs.libpq
-    pkgs.postgresql
-    pkgs.stdenv.cc
-  ];
-  libraryPath = pkgs.lib.makeLibraryPath [
-    pkgs.libpq
-    pkgs.postgresql.lib
-  ];
-in
-{
-  systemd.tmpfiles.rules = [
-    "d ${stateDir} 0750 nornsight nornsight - -"
-  ];
-
-  users.users.nornsight = {
-    isSystemUser = true;
-    group = "nornsight";
-    home = stateDir;
-  };
-
-  systemd.services.nornsight = {
-    description = "Norn Sight";
-    after = [ "network-online.target" ];
-    wants = [ "network-online.target" ];
-    wantedBy = [ "multi-user.target" ];
-
-    environment = {
-      HOME = stateDir;
-      UV_CACHE_DIR = "${stateDir}/.cache/uv";
-      UV_PROJECT_ENVIRONMENT = "${appDir}/.venv";
-      UV_PYTHON = "${pkgs.python313}/bin/python3.13";
-      UV_PYTHON_DOWNLOADS = "never";
-      LD_LIBRARY_PATH = libraryPath;
-      LIBRARY_PATH = libraryPath;
-      PSYCOPG_IMPL = "python";
-    };
-
-    path = with pkgs; [
-      bash
-      coreutils
-      git
-      uv
-    ];
-
-    serviceConfig = {
-      Type = "simple";
-      User = "nornsight";
-      Group = "nornsight";
-      EnvironmentFile = "-${vars.secrets}/services/nornsight";
-      WorkingDirectory = stateDir;
-      Restart = "on-failure";
-      RestartSec = "5s";
-      StandardOutput = "journal";
-      StandardError = "journal";
-      NoNewPrivileges = true;
-      PrivateTmp = true;
-      ProtectHome = true;
-      ProtectSystem = "strict";
-      ReadWritePaths = [ stateDir ];
-    };
-
-    script = ''
-      set -eu
-      export PATH="${binPath}:$PATH"
-      export LD_LIBRARY_PATH="${libraryPath}:''${LD_LIBRARY_PATH:-}"
-      export LIBRARY_PATH="${libraryPath}:''${LIBRARY_PATH:-}"
-
-      : "''${NORN_SIGHT_REPO_URL:?NORN_SIGHT_REPO_URL is required}"
-      branch="''${NORN_SIGHT_BRANCH:-main}"
-
-      if [ -d "${appDir}/.git" ]; then
-        current_origin="$(git -C "${appDir}" remote get-url origin)"
-        if [ "$current_origin" != "$NORN_SIGHT_REPO_URL" ]; then
-          rm -rf "${appDir}"
-        fi
-      fi
-
-      if [ ! -d "${appDir}/.git" ]; then
-        git clone --branch "$branch" "$NORN_SIGHT_REPO_URL" "${appDir}"
-      else
-        cd "${appDir}"
-        git fetch origin "$branch"
-        git checkout "$branch"
-        git pull --ff-only origin "$branch"
-      fi
-
-      cd "${appDir}"
-      uv sync --upgrade
-      uv run python - <<'PY'
-      import ctypes.util
-      import os
-
-      print(f"LD_LIBRARY_PATH={os.environ.get('LD_LIBRARY_PATH')}")
-      print(f"LIBRARY_PATH={os.environ.get('LIBRARY_PATH')}")
-      print(f"libpq={ctypes.util.find_library('pq')}")
-      PY
-      exec uv run uvicorn pipelines.web.main:app --host 0.0.0.0 --port 8001
-    '';
-  };
-}

systems/jeeves/services/signal_bot.nix

@@ -0,0 +1,57 @@
+{
+  pkgs,
+  inputs,
+  ...
+}:
+let
+  vars = import ../vars.nix;
+in
+{
+  users = {
+    users.signalbot = {
+      isSystemUser = true;
+      group = "signalbot";
+    };
+    groups.signalbot = { };
+  };
+
+  systemd.services.signal-bot = {
+    description = "Signal command and control bot";
+    after = [
+      "network.target"
+      "podman-signal_cli_rest_api.service"
+    ];
+    wants = [ "podman-signal_cli_rest_api.service" ];
+    wantedBy = [ "multi-user.target" ];
+
+    environment = {
+      PYTHONPATH = "${inputs.self}";
+      SIGNALBOT_DB = "signalbot";
+      SIGNALBOT_USER = "signalbot";
+      SIGNALBOT_HOST = "/run/postgresql";
+      SIGNALBOT_PORT = "5432";
+    };
+
+    serviceConfig = {
+      Type = "simple";
+      WorkingDirectory = "${inputs.self}";
+      User = "signalbot";
+      Group = "signalbot";
+      EnvironmentFile = "${vars.secrets}/services/signal-bot";
+      ExecStart = "${pkgs.my_python}/bin/python -m python.signal_bot.main";
+      StateDirectory = "signal-bot";
+      Restart = "on-failure";
+      RestartSec = "10s";
+      StandardOutput = "journal";
+      StandardError = "journal";
+      NoNewPrivileges = true;
+      ProtectSystem = "strict";
+      ProtectHome = "read-only";
+      PrivateTmp = true;
+      ReadWritePaths = [ "/var/lib/signal-bot" ];
+      ReadOnlyPaths = [
+        "${inputs.self}"
+      ];
+    };
+  };
+}

systems/jeeves/syncthing.nix

@@ -10,14 +10,6 @@ in
     settings = {
       devices.davids-server.id = "7GXTDGR-AOXFW2O-K6J7NM3-XYZNRRW-AKHAFWM-GBOWUPQ-OA6JIWD-ER7RDQL"; # cspell:disable-line
       folders = {
-        photos = {
-          path = "${vars.syncthing}/important";
-          devices = [
-            "rhapsody-in-green"
-            "phone"
-          ];
-          fsWatcherEnabled = true;
-        };
         "dotfiles" = {
           path = "/home/richie/dotfiles";
           devices = [

systems/jeeves/web_services/haproxy.cfg

@@ -28,6 +28,7 @@ frontend ContentSwitching
 
   # ACME challenge routing (must be first)
   acl is_acme path_beg /.well-known/acme-challenge/
+  use_backend acme_challenge if is_acme
 
   # tmmworkshop.com
   acl host_audiobookshelf  hdr(host) -i audiobookshelf.tmmworkshop.com
@@ -44,7 +45,6 @@ frontend ContentSwitching
   # Redirect all HTTP to HTTPS unless on the allow list or ACME challenge
   http-request redirect scheme https code 301 if !{ ssl_fc } !allow_http !is_acme
 
-  use_backend acme_challenge if is_acme
   use_backend audiobookshelf_nodes if host_audiobookshelf
   use_backend cache_nodes  if host_cache
   use_backend jellyfin if host_jellyfin
@@ -81,4 +81,4 @@ backend gitea
 
 backend norn_sight
   mode http
-  server server 127.0.0.1:8001
+  server server 192.168.90.49:8000

systems/rhapsody-in-green/default.nix

@@ -11,9 +11,10 @@
     "${inputs.self}/common/optional/yubikey.nix"
     "${inputs.self}/common/optional/zerotier.nix"
     ./hardware.nix
+    ./llms.nix
     ./open_webui.nix
-    ./programs.nix
     ./qmk.nix
+    ./sunshine.nix
     ./syncthing.nix
     inputs.nixos-hardware.nixosModules.framework-13-7040-amd
   ];
@@ -26,7 +27,6 @@
       allowedTCPPorts = [
         8000
         8080
-        8081
       ];
     };
     networkmanager.enable = true;

systems/rhapsody-in-green/llms.nix

@@ -0,0 +1,29 @@
+{
+  services.ollama = {
+    user = "ollama";
+    enable = true;
+    host = "127.0.0.1";
+    syncModels = true;
+    loadModels = [
+      "deepscaler:1.5b"
+      "deepseek-r1:8b"
+      "gemma3:12b"
+      "lfm2:24b"
+      "nemotron-3-nano:4b"
+      "qwen3:14b"
+      "qwen3.5:27b"
+    ];
+  };
+  systemd.services = {
+    ollama.serviceConfig = {
+      Nice = 19;
+      IOSchedulingPriority = 7;
+    };
+    ollama-model-loader.serviceConfig = {
+      Nice = 19;
+      CPUWeight = 50;
+      IOSchedulingClass = "idle";
+      IOSchedulingPriority = 7;
+    };
+  };
+}

systems/rhapsody-in-green/programs.nix

@@ -1,6 +0,0 @@
-{ pkgs, ... }:
-{
-  environment.systemPackages = with pkgs; [
-    ffmpeg
-  ];
-}

systems/rhapsody-in-green/sunshine.nix

@@ -0,0 +1,28 @@
+{ pkgs, ... }:
+{
+  services.sunshine = {
+    enable = true;
+    openFirewall = true;
+    capSysAdmin = true;
+  };
+  environment.systemPackages = [ pkgs.kdePackages.libkscreen ];
+
+  boot = {
+    kernelParams = [
+      "drm.edid_firmware=DP-4:edid/virtual-display.bin"
+      "video=DP-4:e"
+    ];
+  };
+
+  hardware.firmware = [
+    (pkgs.runCommandLocal "virtual-display-edid"
+      {
+        compressFirmware = false;
+      }
+      ''
+        mkdir -p $out/lib/firmware/edid
+        cp ${./edid/virtual-display.bin} $out/lib/firmware/edid/virtual-display.bin
+      ''
+    )
+  ];
+}

systems/rhapsody-in-green/syncthing.nix

@@ -39,14 +39,6 @@
       ];
       fsWatcherEnabled = true;
     };
-    photos = {
-      path = "/home/richie/photos";
-      devices = [
-        "jeeves"
-        "phone"
-      ];
-      fsWatcherEnabled = true;
-    };
     "projects" = {
       id = "vyma6-lqqrz"; # cspell:disable-line
       path = "/home/richie/projects";

tests/test_gitea_flake_lock.py

@@ -1,113 +0,0 @@
-"""Tests for Gitea flake.lock automation."""
-
-from __future__ import annotations
-
-from python.gitea import PullRequest
-from python.gitea_flake_lock import (
-    PR_CHECK_WORKFLOWS,
-    PR_LABELS,
-    dispatch_pull_request_checks,
-    ensure_flake_lock_pull_request,
-    find_flake_lock_pull_request,
-)
-
-
-def _pull_request(number=1, head_branch="automation/update-flake-lock"):
-    return PullRequest(
-        number=number,
-        title="Update flake.lock",
-        html_url=f"https://gitea.example.test/pulls/{number}",
-        labels=(),
-        head_branch=head_branch,
-        base_branch="main",
-    )
-
-
-class FakeGiteaClient:
-    def __init__(self, pull_requests=None):
-        self.pull_requests = pull_requests or []
-        self.dispatch_calls = []
-        self.list_calls = []
-        self.create_calls = []
-
-    def list_open_pull_requests(self, **kwargs):
-        self.list_calls.append(kwargs)
-        return self.pull_requests
-
-    def create_pull_request(self, **kwargs):
-        self.create_calls.append(kwargs)
-        return _pull_request()
-
-    def dispatch_workflow(self, **kwargs):
-        self.dispatch_calls.append(kwargs)
-
-
-def test_ensure_flake_lock_pull_request_finds_by_branch():
-    pull_request = _pull_request()
-    client = FakeGiteaClient([pull_request])
-
-    result = ensure_flake_lock_pull_request(
-        client,
-        owner="Richie",
-        repo="dotfiles",
-        branch="automation/update-flake-lock",
-        base="main",
-    )
-
-    assert result == pull_request
-    assert client.list_calls == [
-        {"owner": "Richie", "repo": "dotfiles", "head": "automation/update-flake-lock"},
-    ]
-    assert client.create_calls == []
-
-
-def test_ensure_flake_lock_pull_request_creates_with_labels():
-    client = FakeGiteaClient()
-
-    ensure_flake_lock_pull_request(
-        client,
-        owner="Richie",
-        repo="dotfiles",
-        branch="automation/update-flake-lock",
-        base="main",
-    )
-
-    assert client.create_calls == [
-        {
-            "owner": "Richie",
-            "repo": "dotfiles",
-            "title": "Update flake.lock",
-            "body": "Automated flake.lock update.",
-            "head": "automation/update-flake-lock",
-            "base": "main",
-            "labels": PR_LABELS,
-        },
-    ]
-
-
-def test_find_flake_lock_pull_request_finds_by_label():
-    pull_request = _pull_request()
-    client = FakeGiteaClient([pull_request])
-
-    result = find_flake_lock_pull_request(client, owner="Richie", repo="dotfiles")
-
-    assert result == pull_request
-    assert client.list_calls == [
-        {"owner": "Richie", "repo": "dotfiles", "labels": ["flake_lock_update"]},
-    ]
-
-
-def test_dispatch_pull_request_checks_runs_each_workflow():
-    client = FakeGiteaClient()
-
-    dispatch_pull_request_checks(client, owner="Richie", repo="dotfiles", branch="automation/update-flake-lock")
-
-    assert client.dispatch_calls == [
-        {
-            "owner": "Richie",
-            "repo": "dotfiles",
-            "workflow_id": workflow,
-            "ref": "automation/update-flake-lock",
-        }
-        for workflow in PR_CHECK_WORKFLOWS
-    ]

users/richie/home/gui/default.nix

@@ -6,7 +6,6 @@
     "${inputs.self}/users/shared/sweet.nix"
     ./firefox
     ./kitty.nix
-    ./llm_tools.nix
     ./vscode
   ];
 
@@ -20,11 +19,13 @@
     qalculate-gtk
     vlc
     # browser
-    brave
     chromium
     # dev tools
+    claude-code
+    codex
     gparted
     jetbrains.datagrip
+    opencode
     proxychains
   ];
 }

users/richie/home/gui/firefox/default.nix

@@ -1,9 +1,8 @@
-{ config, inputs, ... }:
+{ inputs, ... }:
 {
   imports = [ ./search_engines.nix ];
 
   programs.firefox = {
-    configPath = "${config.xdg.configHome}/mozilla/firefox";
     enable = true;
     profiles.richie = {
       extensions.packages = with inputs.firefox-addons.packages.x86_64-linux; [

users/richie/home/gui/kitty.nix

@@ -12,7 +12,6 @@
       tab_bar_edge = "top";
       tab_bar_style = "powerline";
       enabled_layouts = "splits";
-      enable_audio_bell = "no";
     };
     keybindings = {
       "ctrl+alt+1" = "launch --type=tab --tab-title jeeves kitten ssh jeeves";

users/richie/home/gui/llm_tools.nix

@@ -1,9 +0,0 @@
-{ pkgs, ... }:
-{
-  home.packages = [
-    pkgs.master.claude-code
-    pkgs.master.codex
-    pkgs.master.opencode
-    pkgs.master.pi-coding-agent
-  ];
-}

users/richie/home/gui/vscode/settings.json

@@ -78,8 +78,6 @@
     "Corvidae",
     "drivername",
     "fastapi",
-    "Michal",
-    "Nornsight",
     "sandboxing",
     "syncthing",
   ],

users/richie/home/ssh_config.nix

@@ -2,46 +2,46 @@
   programs.ssh = {
     enable = true;
     enableDefaultConfig = false;
-    settings = {
+    matchBlocks = {
       jeeves = {
-        HostName = "192.168.90.40";
+        hostname = "192.168.90.40";
-        User = "richie";
+        user = "richie";
-        IdentityFile = "~/.ssh/id_ed25519";
+        identityFile = "~/.ssh/id_ed25519";
-        Port = 629;
+        port = 629;
-        DynamicForward = [ { port = 9050; } ];
+        dynamicForwards = [ { port = 9050; } ];
-        Compression = true;
+        compression = true;
       };
       unlock-jeeves = {
-        HostName = "192.168.99.14";
+        hostname = "192.168.99.14";
-        User = "root";
+        user = "root";
-        IdentityFile = "~/.ssh/id_ed25519";
+        identityFile = "~/.ssh/id_ed25519";
-        Port = 2222;
+        port = 2222;
       };
       brain = {
-        HostName = "192.168.90.35";
+        hostname = "192.168.90.35";
-        User = "richie";
+        user = "richie";
-        IdentityFile = "~/.ssh/id_ed25519";
+        identityFile = "~/.ssh/id_ed25519";
-        Port = 129;
+        port = 129;
-        DynamicForward = [ { port = 9050; } ];
+        dynamicForwards = [ { port = 9050; } ];
       };
       unlock-brain = {
-        HostName = "192.168.95.35";
+        hostname = "192.168.95.35";
-        User = "root";
+        user = "root";
-        IdentityFile = "~/.ssh/id_ed25519";
+        identityFile = "~/.ssh/id_ed25519";
-        Port = 2222;
+        port = 2222;
       };
       bob = {
-        HostName = "192.168.90.25";
+        hostname = "192.168.90.25";
-        User = "richie";
+        user = "richie";
-        IdentityFile = "~/.ssh/id_ed25519";
+        identityFile = "~/.ssh/id_ed25519";
-        Port = 262;
+        port = 262;
-        DynamicForward = [ { port = 9050; } ];
+        dynamicForwards = [ { port = 9050; } ];
       };
       rhapsody-in-green = {
-        HostName = "192.168.90.221";
+        hostname = "192.168.90.221";
-        User = "richie";
+        user = "richie";
-        IdentityFile = "~/.ssh/id_ed25519";
+        identityFile = "~/.ssh/id_ed25519";
-        Port = 922;
+        port = 922;
       };
     };
   };