set update.nix to gitea

common/global/default.nix

@@ -37,12 +37,7 @@
 
   nixpkgs = {
     overlays = builtins.attrValues outputs.overlays;
-    config = {
+    config.allowUnfree = true;
-      allowUnfree = true;
-      permittedInsecurePackages = [
-        "openssl-1.1.1w" # This is for discord-canary
-      ];
-    };
   };
 
   services = {

flake.lock

@@ -8,11 +8,11 @@
       },
       "locked": {
         "dir": "pkgs/firefox-addons",
-        "lastModified": 1777521781,
+        "lastModified": 1776398575,
-        "narHash": "sha256-bQ9oIcNyHsiagt7yptfe7OmfUDEyuXFUb7ajkrWNzSo=",
+        "narHash": "sha256-WArU6WOdWxzbzGqYk4w1Mucg+bw/SCl6MoSp+/cZMio=",
         "owner": "rycee",
         "repo": "nur-expressions",
-        "rev": "8a444a5c02840666c9c2f92042bfbb7a10c68200",
+        "rev": "05815686caf4e3678f5aeb5fd36e567886ab0d30",
         "type": "gitlab"
       },
       "original": {
@@ -29,11 +29,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1777518431,
+        "lastModified": 1776454077,
-        "narHash": "sha256-SwgiG2T5pbyo33Vz7/vUCAhEMgwCK8Pa2nDSx5a6/WE=",
+        "narHash": "sha256-7zSUFWsU0+jlD7WB3YAxQ84Z/iJurA5hKPm8EfEyGJk=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "2e54a938cdd4c8e414b2518edc3d82308027c670",
+        "rev": "565e5349208fe7d0831ef959103c9bafbeac0681",
         "type": "github"
       },
       "original": {
@@ -44,11 +44,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1776983936,
+        "lastModified": 1775490113,
-        "narHash": "sha256-ZOQyNqSvJ8UdrrqU1p7vaFcdL53idK+LOM8oRWEWh6o=",
+        "narHash": "sha256-2ZBhDNZZwYkRmefK5XLOusCJHnoeKkoN95hoSGgMxWM=",
         "owner": "nixos",
         "repo": "nixos-hardware",
-        "rev": "2096f3f411ce46e88a79ae4eafcfc9df8ed41c61",
+        "rev": "c775c2772ba56e906cbeb4e0b2db19079ef11ff7",
         "type": "github"
       },
       "original": {
@@ -60,11 +60,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1777268161,
+        "lastModified": 1776169885,
-        "narHash": "sha256-bxrdOn8SCOv8tN4JbTF/TXq7kjo9ag4M+C8yzzIRYbE=",
+        "narHash": "sha256-l/iNYDZ4bGOAFQY2q8y5OAfBBtrDAaPuRQqWaFHVRXM=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "1c3fe55ad329cbcb28471bb30f05c9827f724c76",
+        "rev": "4bd9165a9165d7b5e33ae57f3eecbcb28fb231c9",
         "type": "github"
       },
       "original": {
@@ -76,11 +76,11 @@
     },
     "nixpkgs-master": {
       "locked": {
-        "lastModified": 1777553282,
+        "lastModified": 1776469842,
-        "narHash": "sha256-GCJkEogieqOYJ1BBhG0w9fqezul1cGdEcmBbJ+34F4U=",
+        "narHash": "sha256-sqzM6PKMQoGk8Sl+uv2sbP1qiS2SPQhA2yn5zgZINMc=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "0d93cb69a4fd4449088c69859e1836fda6eb9f6a",
+        "rev": "025c852a89be820b3117f604c8ace42e9b4caa08",
         "type": "github"
       },
       "original": {
@@ -125,11 +125,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1777338324,
+        "lastModified": 1776119890,
-        "narHash": "sha256-bc+ZZCmOTNq86/svGnw0tVpH7vJaLYvGLLKFYP08Q8E=",
+        "narHash": "sha256-Zm6bxLNnEOYuS/SzrAGsYuXSwk3cbkRQZY0fJnk8a5M=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "8eaee5c45428b28b8c47a83e4c09dccec5f279b5",
+        "rev": "d4971dd58c6627bfee52a1ad4237637c0a2fb0cd",
         "type": "github"
       },
       "original": {

systems/bob/llms.nix

@@ -42,12 +42,11 @@
       "qwen3:8b"
       "qwen3.5:27b"
       "qwen3.5:35b"
-      "qwen3.6:27b"
       "qwen3.6:35b"
-      "rinex20/translategemma3:12b"
       "translategemma:12b"
       "translategemma:27b"
       "translategemma:4b"
+      "rinex20/translategemma3:12b"
     ];
     models = "/zfs/storage/models";
     openFirewall = true;

systems/jeeves/networking.nix

@@ -1,13 +1,4 @@
 {
-  # Docker loads br_netfilter on jeeves. Disable bridge netfilter so
-  # br-nix-builder behaves like a pure L2 bridge and bridged traffic
-  # does not hit the host firewall/rpfilter path.
-  boot.kernel.sysctl = {
-    "net.bridge.bridge-nf-call-arptables" = 0;
-    "net.bridge.bridge-nf-call-ip6tables" = 0;
-    "net.bridge.bridge-nf-call-iptables" = 0;
-  };
-
   networking = {
     hostName = "jeeves";
     hostId = "0e15ce35";
@@ -58,10 +49,23 @@
       "60-br-nix-builder" = {
         matchConfig.Name = "br-nix-builder";
         bridgeConfig = { };
-        networkConfig = {
+        address = [ "192.168.3.10/24" ];
-          IPv6AcceptRA = false;
+        routingPolicyRules = [
-          LinkLocalAddressing = "no";
+          {
-        };
+            From = "192.168.3.0/24";
+            Table = 100;
+            Priority = 100;
+          }
+        ];
+        routes = [
+          {
+            Gateway = "192.168.3.1";
+            Table = 100;
+            GatewayOnLink = false;
+            Metric = 2048;
+            PreferredSource = "192.168.3.10";
+          }
+        ];
         linkConfig.RequiredForOnline = "no";
       };
     };

systems/jeeves/runners/nix_builder.nix

@@ -2,7 +2,6 @@
   config,
   lib,
   outputs,
-  utils,
   ...
 }:
 
@@ -10,8 +9,6 @@ with lib;
 let
   vars = import ../vars.nix;
   cfg = config.services.nix_builder;
-  runnerUsername = "gitea-runner";
-  runnerUserid = 601;
 in
 {
   options.services.nix_builder = {
@@ -36,30 +33,27 @@ in
   };
 
   config = {
-    users = {
-      users.${runnerUsername} = {
-        isSystemUser = true;
-        group = runnerUsername;
-        uid = runnerUserid;
-      };
-      groups.${runnerUsername}.gid = runnerUserid;
-    };
-
     containers = mapAttrs (
       name: containerCfg:
       mkIf containerCfg.enable {
         autoStart = true;
         privateNetwork = true;
         hostBridge = cfg.bridgeName;
+        ephemeral = true;
         bindMounts = {
+          storage = {
+            hostPath = "/zfs/media/github-runners/${name}";
+            mountPoint = "/var/lib/gitea-runner/${name}";
+            isReadOnly = false;
+          };
           host-nix = {
             mountPoint = "/host-nix/var/nix/daemon-socket";
             hostPath = "/nix/var/nix/daemon-socket";
             isReadOnly = false;
           };
           token = {
-            hostPath = "${vars.secrets}/services/gitea-runners";
+            hostPath = "${vars.secrets}/services/gitea-runners/registration-token";
-            mountPoint = "/run/secrets/gitea-runners";
+            mountPoint = "${vars.secrets}/services/gitea-runners/registration-token";
             isReadOnly = true;
           };
         };
@@ -108,59 +102,24 @@ in
               overlays = builtins.attrValues outputs.overlays;
               config.allowUnfree = true;
             };
-            users = {
-              users.${runnerUsername} = {
-                isSystemUser = true;
-                group = runnerUsername;
-                uid = runnerUserid;
-              };
-              groups.${runnerUsername}.gid = runnerUserid;
-            };
             services.gitea-actions-runner.instances.${name} = {
               enable = true;
               name = "jeeves-${name}";
-              url = "http://192.168.99.14:6443/";
+              url = "https://gitea.tmmworkshop.com";
               labels = [
                 "self-hosted:host"
                 "nixos:host"
               ];
-              tokenFile = "/run/secrets/gitea-runners/registration-token";
+              tokenFile = "${vars.secrets}/services/gitea-runners/registration-token";
               hostPackages = with pkgs; [
-                bash
-                coreutils
-                curl
-                gawk
-                gitMinimal
-                gnused
-                my_python
-                nix
-                nixfmt
                 nixos-rebuild
-                nodejs
                 treefmt
-                wget
+                my_python
               ];
             };
-            systemd.services."gitea-runner-${utils.escapeSystemdPath name}" = {
-              serviceConfig = {
-                DynamicUser = mkForce false;
-                User = mkForce runnerUsername;
-                Group = mkForce runnerUsername;
-              };
-            };
             system.stateVersion = "24.05";
           };
       }
     ) cfg.containers;
-
-    systemd.services = builtins.listToAttrs (
-      map (name: {
-        name = "container@${name}";
-        value = {
-          requires = [ "gitea.service" ];
-          after = [ "gitea.service" ];
-        };
-      }) (builtins.attrNames (filterAttrs (_: c: c.enable) cfg.containers))
-    );
   };
 }

systems/jeeves/services/camofox-browser.nix

@@ -1,80 +0,0 @@
-{
-  ...
-}:
-let
-  vars = import ../vars.nix;
-in
-{
-  systemd.tmpfiles.rules = [
-    "d ${vars.docker_configs}/camofox-browser 0750 root root - -"
-  ];
-
-  containers.camofox-browser = {
-    autoStart = true;
-    privateNetwork = false;
-    bindMounts = {
-      camofox-browser = {
-        hostPath = "${vars.docker_configs}/camofox-browser";
-        mountPoint = "/var/lib/camofox-browser";
-        isReadOnly = false;
-      };
-    };
-    config =
-      {
-        pkgs,
-        lib,
-        ...
-      }:
-      {
-        networking.hostName = "camofox-browser";
-
-        environment.systemPackages = with pkgs; [
-          ffmpeg
-          git
-          nodejs
-          python3Packages.yt-dlp
-        ];
-
-        systemd.services.camofox-browser = {
-          description = "Camofox browser server";
-          wantedBy = [ "multi-user.target" ];
-          after = [ "network.target" ];
-          environment = {
-            CAMOFOX_HOST = "127.0.0.1";
-            CAMOFOX_PORT = "9377";
-            HOME = "/var/lib/camofox-browser";
-          };
-          path = with pkgs; [
-            bash
-            coreutils
-            git
-            nodejs
-          ];
-          serviceConfig = {
-            Restart = "always";
-            RestartSec = "5s";
-            WorkingDirectory = "/var/lib/camofox-browser";
-          };
-          script = ''
-            set -eu
-
-            app_dir=/var/lib/camofox-browser/app
-
-            if [ ! -d "$app_dir/.git" ]; then
-              git clone --depth 1 https://github.com/jo-inc/camofox-browser "$app_dir"
-            fi
-
-            cd "$app_dir"
-
-            if [ ! -d node_modules ]; then
-              npm install
-            fi
-
-            exec npm start
-          '';
-        };
-
-        system.stateVersion = lib.mkDefault "24.05";
-      };
-  };
-}

systems/jeeves/services/signal_bot.nix

@@ -0,0 +1,57 @@
+{
+  pkgs,
+  inputs,
+  ...
+}:
+let
+  vars = import ../vars.nix;
+in
+{
+  users = {
+    users.signalbot = {
+      isSystemUser = true;
+      group = "signalbot";
+    };
+    groups.signalbot = { };
+  };
+
+  systemd.services.signal-bot = {
+    description = "Signal command and control bot";
+    after = [
+      "network.target"
+      "podman-signal_cli_rest_api.service"
+    ];
+    wants = [ "podman-signal_cli_rest_api.service" ];
+    wantedBy = [ "multi-user.target" ];
+
+    environment = {
+      PYTHONPATH = "${inputs.self}";
+      SIGNALBOT_DB = "signalbot";
+      SIGNALBOT_USER = "signalbot";
+      SIGNALBOT_HOST = "/run/postgresql";
+      SIGNALBOT_PORT = "5432";
+    };
+
+    serviceConfig = {
+      Type = "simple";
+      WorkingDirectory = "${inputs.self}";
+      User = "signalbot";
+      Group = "signalbot";
+      EnvironmentFile = "${vars.secrets}/services/signal-bot";
+      ExecStart = "${pkgs.my_python}/bin/python -m python.signal_bot.main";
+      StateDirectory = "signal-bot";
+      Restart = "on-failure";
+      RestartSec = "10s";
+      StandardOutput = "journal";
+      StandardError = "journal";
+      NoNewPrivileges = true;
+      ProtectSystem = "strict";
+      ProtectHome = "read-only";
+      PrivateTmp = true;
+      ReadWritePaths = [ "/var/lib/signal-bot" ];
+      ReadOnlyPaths = [
+        "${inputs.self}"
+      ];
+    };
+  };
+}

systems/jeeves/web_services/haproxy.cfg

@@ -28,6 +28,7 @@ frontend ContentSwitching
 
   # ACME challenge routing (must be first)
   acl is_acme path_beg /.well-known/acme-challenge/
+  use_backend acme_challenge if is_acme
 
   # tmmworkshop.com
   acl host_audiobookshelf  hdr(host) -i audiobookshelf.tmmworkshop.com
@@ -44,7 +45,6 @@ frontend ContentSwitching
   # Redirect all HTTP to HTTPS unless on the allow list or ACME challenge
   http-request redirect scheme https code 301 if !{ ssl_fc } !allow_http !is_acme
 
-  use_backend acme_challenge if is_acme
   use_backend audiobookshelf_nodes if host_audiobookshelf
   use_backend cache_nodes  if host_cache
   use_backend jellyfin if host_jellyfin

systems/rhapsody-in-green/default.nix

@@ -11,6 +11,7 @@
     "${inputs.self}/common/optional/yubikey.nix"
     "${inputs.self}/common/optional/zerotier.nix"
     ./hardware.nix
+    ./llms.nix
     ./open_webui.nix
     ./qmk.nix
     ./sunshine.nix

systems/rhapsody-in-green/llms.nix

@@ -0,0 +1,29 @@
+{
+  services.ollama = {
+    user = "ollama";
+    enable = true;
+    host = "127.0.0.1";
+    syncModels = true;
+    loadModels = [
+      "deepscaler:1.5b"
+      "deepseek-r1:8b"
+      "gemma3:12b"
+      "lfm2:24b"
+      "nemotron-3-nano:4b"
+      "qwen3:14b"
+      "qwen3.5:27b"
+    ];
+  };
+  systemd.services = {
+    ollama.serviceConfig = {
+      Nice = 19;
+      IOSchedulingPriority = 7;
+    };
+    ollama-model-loader.serviceConfig = {
+      Nice = 19;
+      CPUWeight = 50;
+      IOSchedulingClass = "idle";
+      IOSchedulingPriority = 7;
+    };
+  };
+}

users/richie/home/gui/vscode/settings.json

@@ -78,8 +78,6 @@
     "Corvidae",
     "drivername",
     "fastapi",
-    "Michal",
-    "Nornsight",
     "sandboxing",
     "syncthing",
   ],