fixing update-flake-lock.yaml permissions

sunshine is a cool idea but has been causing annoying ui glitches and started preventing the display manning for starting
Its a cool idea in theory but not useful enough for me to want to debug

.github/workflows/build_systems.yml

@@ -23,6 +23,6 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Build default package
-        run: "nixos-rebuild build --flake ./#${{ matrix.system }}"
+        run: "nixos-rebuild build --accept-flake-config --flake ./#${{ matrix.system }}"
       - name: copy to nix-cache
         run: nix copy --accept-flake-config --to unix:///host-nix/var/nix/daemon-socket/socket .#nixosConfigurations.${{ matrix.system }}.config.system.build.toplevel

.github/workflows/pytest.yml

@@ -1,6 +1,7 @@
 name: pytest
 
 on:
+  workflow_dispatch:
   push:
     branches:
       - main

.github/workflows/update-flake-lock.yml

@@ -8,6 +8,7 @@ jobs:
   lockfile:
     runs-on: self-hosted
     permissions:
+      actions: write
       contents: write
       pull-requests: write
     steps:

common/global/default.nix

@@ -23,7 +23,10 @@
   boot = {
     tmp.useTmpfs = true;
     kernelPackages = lib.mkDefault pkgs.linuxPackages_6_12;
-    zfs.package = lib.mkDefault pkgs.zfs_2_4;
+    zfs = {
+      package = lib.mkDefault pkgs.zfs_2_4;
+      forceImportRoot = lib.mkDefault false;
+    };
   };
 
   hardware.enableRedistributableFirmware = true;

docs/zfs_failed_root_import_recovry.md

@@ -0,0 +1,76 @@
+# ZFS failed root import recovery
+
+## Fast path
+
+If the machine fails to boot because ZFS refuses to import `root_pool`:
+
+### GRUB
+
+1. At the bootloader menu, select the normal NixOS entry.
+2. Press `e`.
+3. Find the line that starts with `linux`.
+4. Append this to the end of that line:
+
+```text
+zfs_force=1
+```
+
+5. Boot once with `Ctrl+x` or `F10`.
+
+### systemd-boot
+
+1. At the bootloader menu, highlight the normal NixOS entry.
+2. Press `e`.
+3. Append this to the end of the options line:
+
+```text
+zfs_force=1
+```
+
+4. Press `Enter` to boot once.
+
+## After boot
+
+Run:
+
+```bash
+sudo zpool status
+sudo zpool import
+journalctl -b | rg "ZFS|zfs|import|root_pool"
+```
+
+## Expected result
+
+`sudo zpool status` should show `root_pool` as `ONLINE`.
+
+## Reboot test
+
+Run:
+
+```bash
+sudo reboot
+```
+
+Do not add `zfs_force=1` the second time.
+
+## If it still fails
+
+Boot once more with:
+
+```text
+zfs_force=1
+```
+
+Then run:
+
+```bash
+sudo zpool status -v
+sudo zpool history | tail -n 50
+journalctl -b | rg "ZFS|zfs|import|root_pool"
+```
+
+## Notes
+
+- Root pool name is `root_pool`.
+- This is a one-time recovery path after disk moves, controller changes, dirty exports, or interrupted imports.
+- Some hosts also need the LUKS unlock USB key inserted before boot.

flake.lock

@@ -8,11 +8,11 @@
       },
       "locked": {
         "dir": "pkgs/firefox-addons",
-        "lastModified": 1777521781,
-        "narHash": "sha256-bQ9oIcNyHsiagt7yptfe7OmfUDEyuXFUb7ajkrWNzSo=",
+        "lastModified": 1780733803,
+        "narHash": "sha256-QBJPq12P1DAXFGezoEJaSO/xPUrPlnaI3ddSaMG2JpM=",
         "owner": "rycee",
         "repo": "nur-expressions",
-        "rev": "8a444a5c02840666c9c2f92042bfbb7a10c68200",
+        "rev": "c80b0aa94392c5f3612ac797108f6d952752036d",
         "type": "gitlab"
       },
       "original": {
@@ -29,11 +29,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1777518431,
-        "narHash": "sha256-SwgiG2T5pbyo33Vz7/vUCAhEMgwCK8Pa2nDSx5a6/WE=",
+        "lastModified": 1780679734,
+        "narHash": "sha256-KmRNvpNOb7QEORa06bVgjW9kITcx0VhsI7w0vhmZyD8=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "2e54a938cdd4c8e414b2518edc3d82308027c670",
+        "rev": "b2b7db486e06e098711dc291bb25db82850e1d16",
         "type": "github"
       },
       "original": {
@@ -43,12 +43,15 @@
       }
     },
     "nixos-hardware": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      },
       "locked": {
-        "lastModified": 1776983936,
-        "narHash": "sha256-ZOQyNqSvJ8UdrrqU1p7vaFcdL53idK+LOM8oRWEWh6o=",
+        "lastModified": 1780310866,
+        "narHash": "sha256-fPBRVf6A5xlACYcOI59shGrjURuvwu0lRsDoSCEXt/I=",
         "owner": "nixos",
         "repo": "nixos-hardware",
-        "rev": "2096f3f411ce46e88a79ae4eafcfc9df8ed41c61",
+        "rev": "4ed851c979641e28597a05086332d75cdc9e395f",
         "type": "github"
       },
       "original": {
@@ -60,27 +63,24 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1777268161,
-        "narHash": "sha256-bxrdOn8SCOv8tN4JbTF/TXq7kjo9ag4M+C8yzzIRYbE=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "1c3fe55ad329cbcb28471bb30f05c9827f724c76",
-        "type": "github"
+        "lastModified": 1767892417,
+        "narHash": "sha256-8bW3q88CEg2u4hSP66Vf4lpbLonHz7hqDNBMcCY7E9U=",
+        "rev": "3497aa5c9457a9d88d71fa93a4a8368816fbeeba",
+        "type": "tarball",
+        "url": "https://releases.nixos.org/nixos/unstable/nixos-26.05pre924538.3497aa5c9457/nixexprs.tar.xz"
       },
       "original": {
-        "owner": "nixos",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
+        "type": "tarball",
+        "url": "https://channels.nixos.org/nixos-unstable/nixexprs.tar.xz"
       }
     },
     "nixpkgs-master": {
       "locked": {
-        "lastModified": 1777553282,
-        "narHash": "sha256-GCJkEogieqOYJ1BBhG0w9fqezul1cGdEcmBbJ+34F4U=",
+        "lastModified": 1780798858,
+        "narHash": "sha256-4KLc5ZMjfMQosXA2JasUgZTk3i+c/i1zMH4custtmI0=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "0d93cb69a4fd4449088c69859e1836fda6eb9f6a",
+        "rev": "92840095e65b9970125843175f4be974b71a92ad",
         "type": "github"
       },
       "original": {
@@ -106,12 +106,28 @@
         "type": "github"
       }
     },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1780243769,
+        "narHash": "sha256-x5UQuRsH3MqI0U9afaXSNqzTPSeZlRLvFAav2Ux1pNw=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "331800de5053fcebacf6813adb5db9c9dca22a0c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "root": {
       "inputs": {
         "firefox-addons": "firefox-addons",
         "home-manager": "home-manager",
         "nixos-hardware": "nixos-hardware",
-        "nixpkgs": "nixpkgs",
+        "nixpkgs": "nixpkgs_2",
         "nixpkgs-master": "nixpkgs-master",
         "nixpkgs-stable": "nixpkgs-stable",
         "sops-nix": "sops-nix",
@@ -125,11 +141,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1777338324,
-        "narHash": "sha256-bc+ZZCmOTNq86/svGnw0tVpH7vJaLYvGLLKFYP08Q8E=",
+        "lastModified": 1780547341,
+        "narHash": "sha256-Gq8KNx5A7hBB3uGJaj6eQfLDIz5YdLu92gqBcvHvoUo=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "8eaee5c45428b28b8c47a83e4c09dccec5f279b5",
+        "rev": "9ed65852b6257fbeae4355bc24ecfea307ca759a",
         "type": "github"
       },
       "original": {

overlays/default.nix

@@ -23,7 +23,6 @@
         apscheduler
         fastapi
         fastapi-cli
-        faster-whisper
         httpx
         mypy
         orjson

python/gitea.py

@@ -4,10 +4,12 @@ from __future__ import annotations
 
 from dataclasses import dataclass
 from typing import Self
+from urllib.parse import quote
 
 import httpx
 
 DEFAULT_PAGE_SIZE = 100
+EXPECTED_NO_CONTENT = 204
 EXPECTED_CREATED = 201
 EXPECTED_OK = 200
 
@@ -222,6 +224,16 @@ class GiteaClient:
             json=payload,
         )
 
+    def dispatch_workflow(self, *, owner: str, repo: str, workflow_id: str, ref: str) -> None:
+        """Trigger a workflow_dispatch run."""
+        workflow_path = quote(workflow_id, safe="")
+        self._request(
+            "POST",
+            f"/api/v1/repos/{owner}/{repo}/actions/workflows/{workflow_path}/dispatches",
+            expected_statuses={EXPECTED_OK, EXPECTED_NO_CONTENT},
+            json={"ref": ref},
+        )
+
     def list_run_jobs(self, *, owner: str, repo: str, run_id: str | int) -> list[WorkflowJob]:
         """List workflow jobs for a specific run."""
         jobs: list[WorkflowJob] = []

python/gitea_flake_lock.py

@@ -14,6 +14,7 @@ DEFAULT_BASE_BRANCH = "main"
 DEFAULT_BRANCH = "automation/update-flake-lock"
 DEFAULT_GITEA_URL = "https://gitea.tmmworkshop.com"
 PR_LABELS = ["dependencies", "automated", "flake_lock_update"]
+PR_CHECK_WORKFLOWS = ["build_systems.yml", "treefmt.yml", "pytest.yml"]
 PR_TITLE = "Update flake.lock"
 PR_BODY = "Automated flake.lock update."
 
@@ -57,6 +58,12 @@ def find_flake_lock_pull_request(client: GiteaClient, *, owner: str, repo: str)
     return pull_requests[0]
 
 
+def dispatch_pull_request_checks(client: GiteaClient, *, owner: str, repo: str, branch: str) -> None:
+    """Dispatch the workflows that normally run for pull requests."""
+    for workflow in PR_CHECK_WORKFLOWS:
+        client.dispatch_workflow(owner=owner, repo=repo, workflow_id=workflow, ref=branch)
+
+
 def has_worktree_changes() -> bool:
     """Return whether `flake.lock` has worktree changes."""
     result = run_cmd(["git", "diff", "--quiet", "--", "flake.lock"], check=False)
@@ -113,6 +120,9 @@ def update(
             branch=branch,
             base=base,
         )
+        # We can remove this if Gitea fixes the following issue:
+        # https://github.com/go-gitea/gitea/issues/33963
+        dispatch_pull_request_checks(client, owner=owner, repo=repo_name, branch=branch)
     typer.echo(pull_request.html_url or f"Pull request #{pull_request.number}")
 
 

systems/bob/hardware.nix

@@ -30,6 +30,11 @@
         keyFile = "/dev/disk/by-id/usb-Samsung_Flash_Drive_FIT_0374620080067131-0:0";
       };
     };
+
+    zfs.extraPools = [
+      "storage"
+    ];
+
     kernelModules = [ "kvm-amd" ];
     extraModulePackages = [ ];
   };

systems/bob/llms.nix

@@ -42,11 +42,12 @@
       "qwen3:8b"
       "qwen3.5:27b"
       "qwen3.5:35b"
+      "qwen3.6:27b"
       "qwen3.6:35b"
+      "rinex20/translategemma3:12b"
       "translategemma:12b"
       "translategemma:27b"
       "translategemma:4b"
-      "rinex20/translategemma3:12b"
     ];
     models = "/zfs/storage/models";
     openFirewall = true;

systems/jeeves/networking.nix

@@ -43,11 +43,18 @@
       };
     };
     networks = {
-      "10-1GB_Primary" = {
-        matchConfig.Name = "enp97s0f1";
+      "10-Primary" = {
+        matchConfig.Name = "enp97s0";
         address = [ "192.168.99.14/24" ];
+        dns = [
+          "192.168.99.1"
+          "2600:4040:abfb:d700::1"
+        ];
         routes = [ { Gateway = "192.168.99.1"; } ];
         vlan = [ "internet-vlan" ];
+        dhcpV4Config.UseDNS = false;
+        dhcpV6Config.UseDNS = false;
+        ipv6AcceptRAConfig.UseDNS = false;
         linkConfig.RequiredForOnline = "routable";
       };
       "50-internet-vlan" = {

systems/jeeves/programs.nix

@@ -3,5 +3,6 @@
   environment.systemPackages = with pkgs; [
     filebot
     docker-compose
+    ffmpeg
   ];
 }

systems/jeeves/services/audiobookshelf.nix

@@ -3,7 +3,10 @@ let
   vars = import ../vars.nix;
 in
 {
-  services.audiobookshelf.enable = true;
+  services.audiobookshelf = {
+    enable = true;
+    port = 8000;
+  };
   systemd.services.audiobookshelf.serviceConfig.WorkingDirectory =
     lib.mkForce "${vars.docker_configs}/audiobookshelf";
   users.users.audiobookshelf.home = lib.mkForce "${vars.docker_configs}/audiobookshelf";

systems/jeeves/services/camofox-browser.nix

@@ -0,0 +1,80 @@
+{
+  ...
+}:
+let
+  vars = import ../vars.nix;
+in
+{
+  systemd.tmpfiles.rules = [
+    "d ${vars.docker_configs}/camofox-browser 0750 root root - -"
+  ];
+
+  containers.camofox-browser = {
+    autoStart = true;
+    privateNetwork = false;
+    bindMounts = {
+      camofox-browser = {
+        hostPath = "${vars.docker_configs}/camofox-browser";
+        mountPoint = "/var/lib/camofox-browser";
+        isReadOnly = false;
+      };
+    };
+    config =
+      {
+        pkgs,
+        lib,
+        ...
+      }:
+      {
+        networking.hostName = "camofox-browser";
+
+        environment.systemPackages = with pkgs; [
+          ffmpeg
+          git
+          nodejs
+          python3Packages.yt-dlp
+        ];
+
+        systemd.services.camofox-browser = {
+          description = "Camofox browser server";
+          wantedBy = [ "multi-user.target" ];
+          after = [ "network.target" ];
+          environment = {
+            CAMOFOX_HOST = "127.0.0.1";
+            CAMOFOX_PORT = "9377";
+            HOME = "/var/lib/camofox-browser";
+          };
+          path = with pkgs; [
+            bash
+            coreutils
+            git
+            nodejs
+          ];
+          serviceConfig = {
+            Restart = "always";
+            RestartSec = "5s";
+            WorkingDirectory = "/var/lib/camofox-browser";
+          };
+          script = ''
+            set -eu
+
+            app_dir=/var/lib/camofox-browser/app
+
+            if [ ! -d "$app_dir/.git" ]; then
+              git clone --depth 1 https://github.com/jo-inc/camofox-browser "$app_dir"
+            fi
+
+            cd "$app_dir"
+
+            if [ ! -d node_modules ]; then
+              npm install
+            fi
+
+            exec npm start
+          '';
+        };
+
+        system.stateVersion = lib.mkDefault "24.05";
+      };
+  };
+}

systems/jeeves/services/nornsight.nix

@@ -0,0 +1,107 @@
+{ pkgs, ... }:
+let
+  vars = import ../vars.nix;
+  stateDir = "${vars.services}/nornsight";
+  appDir = "${stateDir}/app";
+  binPath = pkgs.lib.makeBinPath [
+    pkgs.binutils
+    pkgs.libpq
+    pkgs.postgresql
+    pkgs.stdenv.cc
+  ];
+  libraryPath = pkgs.lib.makeLibraryPath [
+    pkgs.libpq
+    pkgs.postgresql.lib
+  ];
+in
+{
+  systemd.tmpfiles.rules = [
+    "d ${stateDir} 0750 nornsight nornsight - -"
+  ];
+
+  users.users.nornsight = {
+    isSystemUser = true;
+    group = "nornsight";
+    home = stateDir;
+  };
+
+  systemd.services.nornsight = {
+    description = "Norn Sight";
+    after = [ "network-online.target" ];
+    wants = [ "network-online.target" ];
+    wantedBy = [ "multi-user.target" ];
+
+    environment = {
+      HOME = stateDir;
+      UV_CACHE_DIR = "${stateDir}/.cache/uv";
+      UV_PROJECT_ENVIRONMENT = "${appDir}/.venv";
+      UV_PYTHON = "${pkgs.python313}/bin/python3.13";
+      UV_PYTHON_DOWNLOADS = "never";
+      LD_LIBRARY_PATH = libraryPath;
+      LIBRARY_PATH = libraryPath;
+      PSYCOPG_IMPL = "python";
+    };
+
+    path = with pkgs; [
+      bash
+      coreutils
+      git
+      uv
+    ];
+
+    serviceConfig = {
+      Type = "simple";
+      User = "nornsight";
+      Group = "nornsight";
+      EnvironmentFile = "-${vars.secrets}/services/nornsight";
+      WorkingDirectory = stateDir;
+      Restart = "on-failure";
+      RestartSec = "5s";
+      StandardOutput = "journal";
+      StandardError = "journal";
+      NoNewPrivileges = true;
+      PrivateTmp = true;
+      ProtectHome = true;
+      ProtectSystem = "strict";
+      ReadWritePaths = [ stateDir ];
+    };
+
+    script = ''
+      set -eu
+      export PATH="${binPath}:$PATH"
+      export LD_LIBRARY_PATH="${libraryPath}:''${LD_LIBRARY_PATH:-}"
+      export LIBRARY_PATH="${libraryPath}:''${LIBRARY_PATH:-}"
+
+      : "''${NORN_SIGHT_REPO_URL:?NORN_SIGHT_REPO_URL is required}"
+      branch="''${NORN_SIGHT_BRANCH:-main}"
+
+      if [ -d "${appDir}/.git" ]; then
+        current_origin="$(git -C "${appDir}" remote get-url origin)"
+        if [ "$current_origin" != "$NORN_SIGHT_REPO_URL" ]; then
+          rm -rf "${appDir}"
+        fi
+      fi
+
+      if [ ! -d "${appDir}/.git" ]; then
+        git clone --branch "$branch" "$NORN_SIGHT_REPO_URL" "${appDir}"
+      else
+        cd "${appDir}"
+        git fetch origin "$branch"
+        git checkout "$branch"
+        git pull --ff-only origin "$branch"
+      fi
+
+      cd "${appDir}"
+      uv sync --upgrade
+      uv run python - <<'PY'
+      import ctypes.util
+      import os
+
+      print(f"LD_LIBRARY_PATH={os.environ.get('LD_LIBRARY_PATH')}")
+      print(f"LIBRARY_PATH={os.environ.get('LIBRARY_PATH')}")
+      print(f"libpq={ctypes.util.find_library('pq')}")
+      PY
+      exec uv run uvicorn pipelines.web.main:app --host 0.0.0.0 --port 8001
+    '';
+  };
+}

systems/jeeves/syncthing.nix

@@ -10,6 +10,14 @@ in
     settings = {
       devices.davids-server.id = "7GXTDGR-AOXFW2O-K6J7NM3-XYZNRRW-AKHAFWM-GBOWUPQ-OA6JIWD-ER7RDQL"; # cspell:disable-line
       folders = {
+        photos = {
+          path = "${vars.syncthing}/important";
+          devices = [
+            "rhapsody-in-green"
+            "phone"
+          ];
+          fsWatcherEnabled = true;
+        };
         "dotfiles" = {
           path = "/home/richie/dotfiles";
           devices = [

systems/jeeves/web_services/haproxy.cfg

@@ -81,4 +81,4 @@ backend gitea
 
 backend norn_sight
   mode http
-  server server 192.168.90.49:8000
+  server server 127.0.0.1:8001

systems/rhapsody-in-green/default.nix

@@ -11,10 +11,9 @@
     "${inputs.self}/common/optional/yubikey.nix"
     "${inputs.self}/common/optional/zerotier.nix"
     ./hardware.nix
-    ./llms.nix
     ./open_webui.nix
+    ./programs.nix
     ./qmk.nix
-    ./sunshine.nix
     ./syncthing.nix
     inputs.nixos-hardware.nixosModules.framework-13-7040-amd
   ];
@@ -27,6 +26,7 @@
       allowedTCPPorts = [
         8000
         8080
+        8081
       ];
     };
     networkmanager.enable = true;

systems/rhapsody-in-green/llms.nix

@@ -1,29 +0,0 @@
-{
-  services.ollama = {
-    user = "ollama";
-    enable = true;
-    host = "127.0.0.1";
-    syncModels = true;
-    loadModels = [
-      "deepscaler:1.5b"
-      "deepseek-r1:8b"
-      "gemma3:12b"
-      "lfm2:24b"
-      "nemotron-3-nano:4b"
-      "qwen3:14b"
-      "qwen3.5:27b"
-    ];
-  };
-  systemd.services = {
-    ollama.serviceConfig = {
-      Nice = 19;
-      IOSchedulingPriority = 7;
-    };
-    ollama-model-loader.serviceConfig = {
-      Nice = 19;
-      CPUWeight = 50;
-      IOSchedulingClass = "idle";
-      IOSchedulingPriority = 7;
-    };
-  };
-}

systems/rhapsody-in-green/programs.nix

@@ -0,0 +1,6 @@
+{ pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    ffmpeg
+  ];
+}

systems/rhapsody-in-green/sunshine.nix

@@ -1,28 +0,0 @@
-{ pkgs, ... }:
-{
-  services.sunshine = {
-    enable = true;
-    openFirewall = true;
-    capSysAdmin = true;
-  };
-  environment.systemPackages = [ pkgs.kdePackages.libkscreen ];
-
-  boot = {
-    kernelParams = [
-      "drm.edid_firmware=DP-4:edid/virtual-display.bin"
-      "video=DP-4:e"
-    ];
-  };
-
-  hardware.firmware = [
-    (pkgs.runCommandLocal "virtual-display-edid"
-      {
-        compressFirmware = false;
-      }
-      ''
-        mkdir -p $out/lib/firmware/edid
-        cp ${./edid/virtual-display.bin} $out/lib/firmware/edid/virtual-display.bin
-      ''
-    )
-  ];
-}

systems/rhapsody-in-green/syncthing.nix

@@ -39,6 +39,14 @@
       ];
       fsWatcherEnabled = true;
     };
+    photos = {
+      path = "/home/richie/photos";
+      devices = [
+        "jeeves"
+        "phone"
+      ];
+      fsWatcherEnabled = true;
+    };
     "projects" = {
       id = "vyma6-lqqrz"; # cspell:disable-line
       path = "/home/richie/projects";

tests/test_gitea_flake_lock.py

@@ -0,0 +1,113 @@
+"""Tests for Gitea flake.lock automation."""
+
+from __future__ import annotations
+
+from python.gitea import PullRequest
+from python.gitea_flake_lock import (
+    PR_CHECK_WORKFLOWS,
+    PR_LABELS,
+    dispatch_pull_request_checks,
+    ensure_flake_lock_pull_request,
+    find_flake_lock_pull_request,
+)
+
+
+def _pull_request(number=1, head_branch="automation/update-flake-lock"):
+    return PullRequest(
+        number=number,
+        title="Update flake.lock",
+        html_url=f"https://gitea.example.test/pulls/{number}",
+        labels=(),
+        head_branch=head_branch,
+        base_branch="main",
+    )
+
+
+class FakeGiteaClient:
+    def __init__(self, pull_requests=None):
+        self.pull_requests = pull_requests or []
+        self.dispatch_calls = []
+        self.list_calls = []
+        self.create_calls = []
+
+    def list_open_pull_requests(self, **kwargs):
+        self.list_calls.append(kwargs)
+        return self.pull_requests
+
+    def create_pull_request(self, **kwargs):
+        self.create_calls.append(kwargs)
+        return _pull_request()
+
+    def dispatch_workflow(self, **kwargs):
+        self.dispatch_calls.append(kwargs)
+
+
+def test_ensure_flake_lock_pull_request_finds_by_branch():
+    pull_request = _pull_request()
+    client = FakeGiteaClient([pull_request])
+
+    result = ensure_flake_lock_pull_request(
+        client,
+        owner="Richie",
+        repo="dotfiles",
+        branch="automation/update-flake-lock",
+        base="main",
+    )
+
+    assert result == pull_request
+    assert client.list_calls == [
+        {"owner": "Richie", "repo": "dotfiles", "head": "automation/update-flake-lock"},
+    ]
+    assert client.create_calls == []
+
+
+def test_ensure_flake_lock_pull_request_creates_with_labels():
+    client = FakeGiteaClient()
+
+    ensure_flake_lock_pull_request(
+        client,
+        owner="Richie",
+        repo="dotfiles",
+        branch="automation/update-flake-lock",
+        base="main",
+    )
+
+    assert client.create_calls == [
+        {
+            "owner": "Richie",
+            "repo": "dotfiles",
+            "title": "Update flake.lock",
+            "body": "Automated flake.lock update.",
+            "head": "automation/update-flake-lock",
+            "base": "main",
+            "labels": PR_LABELS,
+        },
+    ]
+
+
+def test_find_flake_lock_pull_request_finds_by_label():
+    pull_request = _pull_request()
+    client = FakeGiteaClient([pull_request])
+
+    result = find_flake_lock_pull_request(client, owner="Richie", repo="dotfiles")
+
+    assert result == pull_request
+    assert client.list_calls == [
+        {"owner": "Richie", "repo": "dotfiles", "labels": ["flake_lock_update"]},
+    ]
+
+
+def test_dispatch_pull_request_checks_runs_each_workflow():
+    client = FakeGiteaClient()
+
+    dispatch_pull_request_checks(client, owner="Richie", repo="dotfiles", branch="automation/update-flake-lock")
+
+    assert client.dispatch_calls == [
+        {
+            "owner": "Richie",
+            "repo": "dotfiles",
+            "workflow_id": workflow,
+            "ref": "automation/update-flake-lock",
+        }
+        for workflow in PR_CHECK_WORKFLOWS
+    ]

users/richie/home/gui/default.nix

@@ -6,6 +6,7 @@
     "${inputs.self}/users/shared/sweet.nix"
     ./firefox
     ./kitty.nix
+    ./llm_tools.nix
     ./vscode
   ];
 
@@ -19,13 +20,11 @@
     qalculate-gtk
     vlc
     # browser
+    brave
     chromium
     # dev tools
-    claude-code
-    codex
     gparted
     jetbrains.datagrip
-    opencode
     proxychains
   ];
 }

users/richie/home/gui/firefox/default.nix

@@ -1,8 +1,9 @@
-{ inputs, ... }:
+{ config, inputs, ... }:
 {
   imports = [ ./search_engines.nix ];
 
   programs.firefox = {
+    configPath = "${config.xdg.configHome}/mozilla/firefox";
     enable = true;
     profiles.richie = {
       extensions.packages = with inputs.firefox-addons.packages.x86_64-linux; [

users/richie/home/gui/kitty.nix

@@ -12,6 +12,7 @@
       tab_bar_edge = "top";
       tab_bar_style = "powerline";
       enabled_layouts = "splits";
+      enable_audio_bell = "no";
     };
     keybindings = {
       "ctrl+alt+1" = "launch --type=tab --tab-title jeeves kitten ssh jeeves";

users/richie/home/gui/llm_tools.nix

@@ -0,0 +1,9 @@
+{ pkgs, ... }:
+{
+  home.packages = [
+    pkgs.master.claude-code
+    pkgs.master.codex
+    pkgs.master.opencode
+    pkgs.master.pi-coding-agent
+  ];
+}

users/richie/home/ssh_config.nix

@@ -2,46 +2,46 @@
   programs.ssh = {
     enable = true;
     enableDefaultConfig = false;
-    matchBlocks = {
+    settings = {
       jeeves = {
-        hostname = "192.168.90.40";
-        user = "richie";
-        identityFile = "~/.ssh/id_ed25519";
-        port = 629;
-        dynamicForwards = [ { port = 9050; } ];
-        compression = true;
+        HostName = "192.168.90.40";
+        User = "richie";
+        IdentityFile = "~/.ssh/id_ed25519";
+        Port = 629;
+        DynamicForward = [ { port = 9050; } ];
+        Compression = true;
       };
       unlock-jeeves = {
-        hostname = "192.168.99.14";
-        user = "root";
-        identityFile = "~/.ssh/id_ed25519";
-        port = 2222;
+        HostName = "192.168.99.14";
+        User = "root";
+        IdentityFile = "~/.ssh/id_ed25519";
+        Port = 2222;
       };
       brain = {
-        hostname = "192.168.90.35";
-        user = "richie";
-        identityFile = "~/.ssh/id_ed25519";
-        port = 129;
-        dynamicForwards = [ { port = 9050; } ];
+        HostName = "192.168.90.35";
+        User = "richie";
+        IdentityFile = "~/.ssh/id_ed25519";
+        Port = 129;
+        DynamicForward = [ { port = 9050; } ];
       };
       unlock-brain = {
-        hostname = "192.168.95.35";
-        user = "root";
-        identityFile = "~/.ssh/id_ed25519";
-        port = 2222;
+        HostName = "192.168.95.35";
+        User = "root";
+        IdentityFile = "~/.ssh/id_ed25519";
+        Port = 2222;
       };
       bob = {
-        hostname = "192.168.90.25";
-        user = "richie";
-        identityFile = "~/.ssh/id_ed25519";
-        port = 262;
-        dynamicForwards = [ { port = 9050; } ];
+        HostName = "192.168.90.25";
+        User = "richie";
+        IdentityFile = "~/.ssh/id_ed25519";
+        Port = 262;
+        DynamicForward = [ { port = 9050; } ];
       };
       rhapsody-in-green = {
-        hostname = "192.168.90.221";
-        user = "richie";
-        identityFile = "~/.ssh/id_ed25519";
-        port = 922;
+        HostName = "192.168.90.221";
+        User = "richie";
+        IdentityFile = "~/.ssh/id_ed25519";
+        Port = 922;
       };
     };
   };