set update.nix to gitea

set dbus.implementation = "dbus";
removed verilux
2026-04-30 12:36:04 -04:00 · 2026-04-30 12:35:47 -04:00 · 2026-04-30 12:27:03 -04:00 · 2026-04-30 11:47:46 -04:00 · 2026-04-30 11:46:18 -04:00 · 2026-04-28 17:40:13 -04:00
11 changed files with 136 additions and 174 deletions
@@ -37,12 +37,7 @@

  nixpkgs = {
    overlays = builtins.attrValues outputs.overlays;
-    config = {
-      allowUnfree = true;
-      permittedInsecurePackages = [
-        "openssl-1.1.1w" # This is for discord-canary
-      ];
-    };
+    config.allowUnfree = true;
  };

  services = {
@@ -8,11 +8,11 @@
      },
      "locked": {
        "dir": "pkgs/firefox-addons",
-        "lastModified": 1777521781,
-        "narHash": "sha256-bQ9oIcNyHsiagt7yptfe7OmfUDEyuXFUb7ajkrWNzSo=",
+        "lastModified": 1776398575,
+        "narHash": "sha256-WArU6WOdWxzbzGqYk4w1Mucg+bw/SCl6MoSp+/cZMio=",
        "owner": "rycee",
        "repo": "nur-expressions",
-        "rev": "8a444a5c02840666c9c2f92042bfbb7a10c68200",
+        "rev": "05815686caf4e3678f5aeb5fd36e567886ab0d30",
        "type": "gitlab"
      },
      "original": {
@@ -29,11 +29,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1777518431,
-        "narHash": "sha256-SwgiG2T5pbyo33Vz7/vUCAhEMgwCK8Pa2nDSx5a6/WE=",
+        "lastModified": 1776454077,
+        "narHash": "sha256-7zSUFWsU0+jlD7WB3YAxQ84Z/iJurA5hKPm8EfEyGJk=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "2e54a938cdd4c8e414b2518edc3d82308027c670",
+        "rev": "565e5349208fe7d0831ef959103c9bafbeac0681",
        "type": "github"
      },
      "original": {
@@ -44,11 +44,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1776983936,
-        "narHash": "sha256-ZOQyNqSvJ8UdrrqU1p7vaFcdL53idK+LOM8oRWEWh6o=",
+        "lastModified": 1775490113,
+        "narHash": "sha256-2ZBhDNZZwYkRmefK5XLOusCJHnoeKkoN95hoSGgMxWM=",
        "owner": "nixos",
        "repo": "nixos-hardware",
-        "rev": "2096f3f411ce46e88a79ae4eafcfc9df8ed41c61",
+        "rev": "c775c2772ba56e906cbeb4e0b2db19079ef11ff7",
        "type": "github"
      },
      "original": {
@@ -60,11 +60,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1777268161,
-        "narHash": "sha256-bxrdOn8SCOv8tN4JbTF/TXq7kjo9ag4M+C8yzzIRYbE=",
+        "lastModified": 1776169885,
+        "narHash": "sha256-l/iNYDZ4bGOAFQY2q8y5OAfBBtrDAaPuRQqWaFHVRXM=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "1c3fe55ad329cbcb28471bb30f05c9827f724c76",
+        "rev": "4bd9165a9165d7b5e33ae57f3eecbcb28fb231c9",
        "type": "github"
      },
      "original": {
@@ -76,11 +76,11 @@
    },
    "nixpkgs-master": {
      "locked": {
-        "lastModified": 1777553282,
-        "narHash": "sha256-GCJkEogieqOYJ1BBhG0w9fqezul1cGdEcmBbJ+34F4U=",
+        "lastModified": 1776469842,
+        "narHash": "sha256-sqzM6PKMQoGk8Sl+uv2sbP1qiS2SPQhA2yn5zgZINMc=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "0d93cb69a4fd4449088c69859e1836fda6eb9f6a",
+        "rev": "025c852a89be820b3117f604c8ace42e9b4caa08",
        "type": "github"
      },
      "original": {
@@ -125,11 +125,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1777338324,
-        "narHash": "sha256-bc+ZZCmOTNq86/svGnw0tVpH7vJaLYvGLLKFYP08Q8E=",
+        "lastModified": 1776119890,
+        "narHash": "sha256-Zm6bxLNnEOYuS/SzrAGsYuXSwk3cbkRQZY0fJnk8a5M=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "8eaee5c45428b28b8c47a83e4c09dccec5f279b5",
+        "rev": "d4971dd58c6627bfee52a1ad4237637c0a2fb0cd",
        "type": "github"
      },
      "original": {
@@ -42,12 +42,11 @@
      "qwen3:8b"
      "qwen3.5:27b"
      "qwen3.5:35b"
-      "qwen3.6:27b"
      "qwen3.6:35b"
-      "rinex20/translategemma3:12b"
      "translategemma:12b"
      "translategemma:27b"
      "translategemma:4b"
+      "rinex20/translategemma3:12b"
    ];
    models = "/zfs/storage/models";
    openFirewall = true;
@@ -1,13 +1,4 @@
 {
-  # Docker loads br_netfilter on jeeves. Disable bridge netfilter so
-  # br-nix-builder behaves like a pure L2 bridge and bridged traffic
-  # does not hit the host firewall/rpfilter path.
-  boot.kernel.sysctl = {
-    "net.bridge.bridge-nf-call-arptables" = 0;
-    "net.bridge.bridge-nf-call-ip6tables" = 0;
-    "net.bridge.bridge-nf-call-iptables" = 0;
-  };
-
  networking = {
    hostName = "jeeves";
    hostId = "0e15ce35";
@@ -58,10 +49,23 @@
      "60-br-nix-builder" = {
        matchConfig.Name = "br-nix-builder";
        bridgeConfig = { };
-        networkConfig = {
-          IPv6AcceptRA = false;
-          LinkLocalAddressing = "no";
-        };
+        address = [ "192.168.3.10/24" ];
+        routingPolicyRules = [
+          {
+            From = "192.168.3.0/24";
+            Table = 100;
+            Priority = 100;
+          }
+        ];
+        routes = [
+          {
+            Gateway = "192.168.3.1";
+            Table = 100;
+            GatewayOnLink = false;
+            Metric = 2048;
+            PreferredSource = "192.168.3.10";
+          }
+        ];
        linkConfig.RequiredForOnline = "no";
      };
    };
@@ -2,7 +2,6 @@
  config,
  lib,
  outputs,
-  utils,
  ...
 }:

@@ -10,8 +9,6 @@ with lib;
 let
  vars = import ../vars.nix;
  cfg = config.services.nix_builder;
-  runnerUsername = "gitea-runner";
-  runnerUserid = 601;
 in
 {
  options.services.nix_builder = {
@@ -36,30 +33,27 @@ in
  };

  config = {
-    users = {
-      users.${runnerUsername} = {
-        isSystemUser = true;
-        group = runnerUsername;
-        uid = runnerUserid;
-      };
-      groups.${runnerUsername}.gid = runnerUserid;
-    };
-
    containers = mapAttrs (
      name: containerCfg:
      mkIf containerCfg.enable {
        autoStart = true;
        privateNetwork = true;
        hostBridge = cfg.bridgeName;
+        ephemeral = true;
        bindMounts = {
+          storage = {
+            hostPath = "/zfs/media/github-runners/${name}";
+            mountPoint = "/var/lib/gitea-runner/${name}";
+            isReadOnly = false;
+          };
          host-nix = {
            mountPoint = "/host-nix/var/nix/daemon-socket";
            hostPath = "/nix/var/nix/daemon-socket";
            isReadOnly = false;
          };
          token = {
-            hostPath = "${vars.secrets}/services/gitea-runners";
-            mountPoint = "/run/secrets/gitea-runners";
+            hostPath = "${vars.secrets}/services/gitea-runners/registration-token";
+            mountPoint = "${vars.secrets}/services/gitea-runners/registration-token";
            isReadOnly = true;
          };
        };
@@ -108,59 +102,24 @@ in
              overlays = builtins.attrValues outputs.overlays;
              config.allowUnfree = true;
            };
-            users = {
-              users.${runnerUsername} = {
-                isSystemUser = true;
-                group = runnerUsername;
-                uid = runnerUserid;
-              };
-              groups.${runnerUsername}.gid = runnerUserid;
-            };
            services.gitea-actions-runner.instances.${name} = {
              enable = true;
              name = "jeeves-${name}";
-              url = "http://192.168.99.14:6443/";
+              url = "https://gitea.tmmworkshop.com";
              labels = [
                "self-hosted:host"
                "nixos:host"
              ];
-              tokenFile = "/run/secrets/gitea-runners/registration-token";
+              tokenFile = "${vars.secrets}/services/gitea-runners/registration-token";
              hostPackages = with pkgs; [
-                bash
-                coreutils
-                curl
-                gawk
-                gitMinimal
-                gnused
-                my_python
-                nix
-                nixfmt
                nixos-rebuild
-                nodejs
                treefmt
-                wget
+                my_python
              ];
            };
-            systemd.services."gitea-runner-${utils.escapeSystemdPath name}" = {
-              serviceConfig = {
-                DynamicUser = mkForce false;
-                User = mkForce runnerUsername;
-                Group = mkForce runnerUsername;
-              };
-            };
            system.stateVersion = "24.05";
          };
      }
    ) cfg.containers;
-
-    systemd.services = builtins.listToAttrs (
-      map (name: {
-        name = "container@${name}";
-        value = {
-          requires = [ "gitea.service" ];
-          after = [ "gitea.service" ];
-        };
-      }) (builtins.attrNames (filterAttrs (_: c: c.enable) cfg.containers))
-    );
  };
 }
@@ -1,80 +0,0 @@
-{
-  ...
-}:
-let
-  vars = import ../vars.nix;
-in
-{
-  systemd.tmpfiles.rules = [
-    "d ${vars.docker_configs}/camofox-browser 0750 root root - -"
-  ];
-
-  containers.camofox-browser = {
-    autoStart = true;
-    privateNetwork = false;
-    bindMounts = {
-      camofox-browser = {
-        hostPath = "${vars.docker_configs}/camofox-browser";
-        mountPoint = "/var/lib/camofox-browser";
-        isReadOnly = false;
-      };
-    };
-    config =
-      {
-        pkgs,
-        lib,
-        ...
-      }:
-      {
-        networking.hostName = "camofox-browser";
-
-        environment.systemPackages = with pkgs; [
-          ffmpeg
-          git
-          nodejs
-          python3Packages.yt-dlp
-        ];
-
-        systemd.services.camofox-browser = {
-          description = "Camofox browser server";
-          wantedBy = [ "multi-user.target" ];
-          after = [ "network.target" ];
-          environment = {
-            CAMOFOX_HOST = "127.0.0.1";
-            CAMOFOX_PORT = "9377";
-            HOME = "/var/lib/camofox-browser";
-          };
-          path = with pkgs; [
-            bash
-            coreutils
-            git
-            nodejs
-          ];
-          serviceConfig = {
-            Restart = "always";
-            RestartSec = "5s";
-            WorkingDirectory = "/var/lib/camofox-browser";
-          };
-          script = ''
-            set -eu
-
-            app_dir=/var/lib/camofox-browser/app
-
-            if [ ! -d "$app_dir/.git" ]; then
-              git clone --depth 1 https://github.com/jo-inc/camofox-browser "$app_dir"
-            fi
-
-            cd "$app_dir"
-
-            if [ ! -d node_modules ]; then
-              npm install
-            fi
-
-            exec npm start
-          '';
-        };
-
-        system.stateVersion = lib.mkDefault "24.05";
-      };
-  };
-}
@@ -0,0 +1,57 @@
+{
+  pkgs,
+  inputs,
+  ...
+}:
+let
+  vars = import ../vars.nix;
+in
+{
+  users = {
+    users.signalbot = {
+      isSystemUser = true;
+      group = "signalbot";
+    };
+    groups.signalbot = { };
+  };
+
+  systemd.services.signal-bot = {
+    description = "Signal command and control bot";
+    after = [
+      "network.target"
+      "podman-signal_cli_rest_api.service"
+    ];
+    wants = [ "podman-signal_cli_rest_api.service" ];
+    wantedBy = [ "multi-user.target" ];
+
+    environment = {
+      PYTHONPATH = "${inputs.self}";
+      SIGNALBOT_DB = "signalbot";
+      SIGNALBOT_USER = "signalbot";
+      SIGNALBOT_HOST = "/run/postgresql";
+      SIGNALBOT_PORT = "5432";
+    };
+
+    serviceConfig = {
+      Type = "simple";
+      WorkingDirectory = "${inputs.self}";
+      User = "signalbot";
+      Group = "signalbot";
+      EnvironmentFile = "${vars.secrets}/services/signal-bot";
+      ExecStart = "${pkgs.my_python}/bin/python -m python.signal_bot.main";
+      StateDirectory = "signal-bot";
+      Restart = "on-failure";
+      RestartSec = "10s";
+      StandardOutput = "journal";
+      StandardError = "journal";
+      NoNewPrivileges = true;
+      ProtectSystem = "strict";
+      ProtectHome = "read-only";
+      PrivateTmp = true;
+      ReadWritePaths = [ "/var/lib/signal-bot" ];
+      ReadOnlyPaths = [
+        "${inputs.self}"
+      ];
+    };
+  };
+}
@@ -28,6 +28,7 @@ frontend ContentSwitching

  # ACME challenge routing (must be first)
  acl is_acme path_beg /.well-known/acme-challenge/
+  use_backend acme_challenge if is_acme

  # tmmworkshop.com
  acl host_audiobookshelf  hdr(host) -i audiobookshelf.tmmworkshop.com
@@ -44,7 +45,6 @@ frontend ContentSwitching
  # Redirect all HTTP to HTTPS unless on the allow list or ACME challenge
  http-request redirect scheme https code 301 if !{ ssl_fc } !allow_http !is_acme

-  use_backend acme_challenge if is_acme
  use_backend audiobookshelf_nodes if host_audiobookshelf
  use_backend cache_nodes  if host_cache
  use_backend jellyfin if host_jellyfin
@@ -11,6 +11,7 @@
    "${inputs.self}/common/optional/yubikey.nix"
    "${inputs.self}/common/optional/zerotier.nix"
    ./hardware.nix
+    ./llms.nix
    ./open_webui.nix
    ./qmk.nix
    ./sunshine.nix
@@ -0,0 +1,29 @@
+{
+  services.ollama = {
+    user = "ollama";
+    enable = true;
+    host = "127.0.0.1";
+    syncModels = true;
+    loadModels = [
+      "deepscaler:1.5b"
+      "deepseek-r1:8b"
+      "gemma3:12b"
+      "lfm2:24b"
+      "nemotron-3-nano:4b"
+      "qwen3:14b"
+      "qwen3.5:27b"
+    ];
+  };
+  systemd.services = {
+    ollama.serviceConfig = {
+      Nice = 19;
+      IOSchedulingPriority = 7;
+    };
+    ollama-model-loader.serviceConfig = {
+      Nice = 19;
+      CPUWeight = 50;
+      IOSchedulingClass = "idle";
+      IOSchedulingPriority = 7;
+    };
+  };
+}
@@ -78,8 +78,6 @@
    "Corvidae",
    "drivername",
    "fastapi",
-    "Michal",
-    "Nornsight",
    "sandboxing",
    "syncthing",
  ],
Author	SHA1	Message	Date
Richie	c77371daae	set update.nix to gitea	2026-04-30 12:36:04 -04:00
Richie	56bd0439f6	set dbus.implementation = "dbus";	2026-04-30 12:35:47 -04:00
Richie	18258344df	removed verilux	2026-04-30 12:27:03 -04:00
Richie	eaee1b0d58	updated nix builders	2026-04-30 11:47:46 -04:00
Richie	a906e59a8c	updated actions	2026-04-30 11:46:18 -04:00
Richie	21a7578a6a	made Prometheus require zfs-media-database-prometheus.mount	2026-04-28 17:40:13 -04:00
Richie	690edd9f3d	fixed typo	2026-04-28 16:56:53 -04:00
Richie	639e18cfab	ran treefmt	2026-04-28 14:49:23 -04:00
Richie	0e2ada067d	added gitlens.pushRepositories key shourtcut	2026-04-28 14:46:12 -04:00
Richie	e148eeb8cc	setting up resource monitoring for bob and jeeves	2026-04-28 14:44:37 -04:00