removed --reload

moved nornsight off my_python
adding nornsight.nix
2026-05-29 20:26:32 -04:00 · 2026-05-29 20:15:51 -04:00 · 2026-05-29 18:39:27 -04:00 · 2026-05-29 13:52:46 -04:00 · 2026-05-28 22:14:59 -04:00 · 2026-05-28 22:08:46 -04:00
55 changed files with 2745 additions and 299 deletions
@@ -23,6 +23,6 @@ jobs:
    steps:
      - uses: actions/checkout@v4
      - name: Build default package
-        run: "nixos-rebuild build --flake ./#${{ matrix.system }}"
+        run: "nixos-rebuild build --accept-flake-config --flake ./#${{ matrix.system }}"
      - name: copy to nix-cache
        run: nix copy --accept-flake-config --to unix:///host-nix/var/nix/daemon-socket/socket .#nixosConfigurations.${{ matrix.system }}.config.system.build.toplevel
@@ -1,30 +0,0 @@
-name: fix_eval_warnings
-on:
-  workflow_run:
-    workflows: ["build_systems"]
-    types: [completed]
-
-jobs:
-  check-warnings:
-    if: >-
-      github.event.workflow_run.conclusion != 'cancelled' &&
-      github.event.workflow_run.head_branch == 'main' &&
-      (github.event.workflow_run.event == 'push' || github.event.workflow_run.event == 'schedule')
-    runs-on: self-hosted
-    permissions:
-      contents: write
-      pull-requests: write
-
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Fix eval warnings
-        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
-        run: >-
-          nix develop .#devShells.x86_64-linux.default -c
-          python -m python.eval_warnings.main
-          --run-id "${{ github.event.workflow_run.id }}"
-          --repo "${{ github.repository }}"
-          --ollama-url "${{ secrets.OLLAMA_URL }}"
-          --run-url "${{ github.event.workflow_run.html_url }}"
@@ -6,24 +6,18 @@ on:

 jobs:
  merge:
-    runs-on: ubuntu-latest
+    runs-on: self-hosted

    permissions:
      contents: write
      pull-requests: write

    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-
      - name: merge_flake_lock_update
-        run: |
-          pr_number=$(gh pr list --state open --author RichieCahill --label flake_lock_update --json number --jq '.[0].number')
-          echo "pr_number=$pr_number" >> $GITHUB_ENV
-          if [ -n "$pr_number" ]; then
-            gh pr merge "$pr_number" --rebase
-          else
-            echo "No open PR found with label flake_lock_update"
-          fi
+        run: >-
+          nix develop .#devShells.x86_64-linux.default -c
+          python -m python.gitea_flake_lock merge
+          --repo "${{ github.repository }}"
        env:
-          GITHUB_TOKEN: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
+          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
+          GITEA_URL: https://gitea.tmmworkshop.com
@@ -7,7 +7,6 @@ on:
  pull_request:
    branches:
      - main
-  merge_group:

 jobs:
  pytest:
@@ -6,18 +6,20 @@ on:

 jobs:
  lockfile:
-    runs-on: ubuntu-latest
+    runs-on: self-hosted
+    permissions:
+      contents: write
+      pull-requests: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
-      - name: Install Nix
-        uses: DeterminateSystems/nix-installer-action@main
      - name: Update flake.lock
-        uses: DeterminateSystems/update-flake-lock@main
-        with:
-          token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
-          pr-title: "Update flake.lock"
-          pr-labels: |
-            dependencies
-            automated
-            flake_lock_update
+        run: nix flake update
+      - name: Create or update flake.lock PR
+        env:
+          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
+          GITEA_URL: https://gitea.tmmworkshop.com
+        run: >-
+          nix develop .#devShells.x86_64-linux.default -c
+          python -m python.gitea_flake_lock update
+          --repo "${{ github.repository }}"
@@ -169,3 +169,6 @@ test.*
 # Frontend build output
 frontend/dist/
 frontend/node_modules/
+
+# data from testing llms
+data/*
@@ -203,6 +203,7 @@
    "peerconnection",
    "PESKYFOX",
    "PGID",
+    "pgvector",
    "pipewire",
    "pkgs",
    "plugdev",
@@ -23,7 +23,10 @@
  boot = {
    tmp.useTmpfs = true;
    kernelPackages = lib.mkDefault pkgs.linuxPackages_6_12;
-    zfs.package = lib.mkDefault pkgs.zfs_2_4;
+    zfs = {
+      package = lib.mkDefault pkgs.zfs_2_4;
+      forceImportRoot = lib.mkDefault false;
+    };
  };

  hardware.enableRedistributableFirmware = true;
@@ -37,10 +40,17 @@

  nixpkgs = {
    overlays = builtins.attrValues outputs.overlays;
-    config.allowUnfree = true;
+    config = {
+      allowUnfree = true;
+      permittedInsecurePackages = [
+        "openssl-1.1.1w" # This is for discord-canary
+      ];
+    };
  };

  services = {
+    dbus.implementation = "dbus";
+
    # firmware update
    fwupd.enable = true;

@@ -0,0 +1,256 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  monitoringInterface = "ztwfunumly";
+  nodeTextfileDir = "/var/lib/prometheus-node-exporter-textfile";
+
+  mkProcessNameTemplate =
+    perPid: template: if perPid then "${template}:{{.PID}}:{{.StartTime}}" else template;
+
+  mkProcessMatchers = perPid: [
+    {
+      name = mkProcessNameTemplate perPid "{{.Username}}:{{.Matches.Module}}";
+      cmdline = [ "^/nix/store[^ ]*/bin/python[^ ]* -m (?P<Module>[^ ]+)" ];
+    }
+    {
+      name = mkProcessNameTemplate perPid "{{.Username}}:{{.Matches.Wrapped}}";
+      cmdline = [
+        "^/nix/store[^ ]*/bin/python[^ ]* /nix/store[^ ]*/bin/\\.?(?P<Wrapped>[^ /]+?)(?:-wrapped)?(?:\\s|$)"
+      ];
+    }
+    {
+      name = mkProcessNameTemplate perPid "{{.Username}}:{{.Matches.Wrapped}}";
+      cmdline = [
+        "^/nix/store[^ ]*/bin/node /nix/store[^ ]*-(?P<Wrapped>[A-Za-z0-9._+-]+)-[0-9][^ /]*/"
+      ];
+    }
+    {
+      name = mkProcessNameTemplate perPid "{{.Username}}:{{.Matches.Wrapped}}";
+      cmdline = [ "^/nix/store[^ ]*/(?:bin/|lib/[^ ]*/)?\\.?(?P<Wrapped>[^ /]+?)(?:-wrapped)?(?:\\s|$)" ];
+    }
+    {
+      name = mkProcessNameTemplate perPid "{{.Username}}:{{.ExeBase}}";
+      cmdline = [ ".+" ];
+    }
+  ];
+
+  perPidConfig = pkgs.writeText "process-exporter-per-pid.yaml" (
+    builtins.toJSON {
+      process_names = mkProcessMatchers true;
+    }
+  );
+
+  zpoolLatencyScript = pkgs.writeShellScript "zpool-latency-exporter" ''
+        set -euo pipefail
+
+        out_dir=${lib.escapeShellArg nodeTextfileDir}
+        host=${lib.escapeShellArg config.networking.hostName}
+        tmp_file="$(mktemp "$out_dir/zpool.prom.XXXXXX")"
+        trap 'rm -f "$tmp_file"' EXIT
+
+        pools="$(zpool list -H -o name | paste -sd, -)"
+
+        cat >"$tmp_file" <<'EOF'
+    # HELP zpool_iostat_total_wait_read_ns Average total read wait time reported by zpool iostat.
+    # TYPE zpool_iostat_total_wait_read_ns gauge
+    # HELP zpool_iostat_total_wait_write_ns Average total write wait time reported by zpool iostat.
+    # TYPE zpool_iostat_total_wait_write_ns gauge
+    # HELP zpool_iostat_disk_wait_read_ns Average disk read wait time reported by zpool iostat.
+    # TYPE zpool_iostat_disk_wait_read_ns gauge
+    # HELP zpool_iostat_disk_wait_write_ns Average disk write wait time reported by zpool iostat.
+    # TYPE zpool_iostat_disk_wait_write_ns gauge
+    # HELP zpool_iostat_syncq_wait_read_ns Average synchronous queue read wait time reported by zpool iostat.
+    # TYPE zpool_iostat_syncq_wait_read_ns gauge
+    # HELP zpool_iostat_syncq_wait_write_ns Average synchronous queue write wait time reported by zpool iostat.
+    # TYPE zpool_iostat_syncq_wait_write_ns gauge
+    # HELP zpool_iostat_asyncq_wait_read_ns Average asynchronous queue read wait time reported by zpool iostat.
+    # TYPE zpool_iostat_asyncq_wait_read_ns gauge
+    # HELP zpool_iostat_asyncq_wait_write_ns Average asynchronous queue write wait time reported by zpool iostat.
+    # TYPE zpool_iostat_asyncq_wait_write_ns gauge
+    EOF
+
+        zpool iostat -Hplvy -y 1 1 | awk -F '\t' -v host="$host" -v pools="$pools" '
+          function esc(str, out) {
+            out = str
+            gsub(/\\/, "\\\\", out)
+            gsub(/"/, "\\\"", out)
+            return out
+          }
+
+          function emit(metric, pool, vdev, value) {
+            if (value == "" || value == "-") {
+              return
+            }
+
+            printf "%s{host=\"%s\",pool=\"%s\",vdev=\"%s\"} %s\n",
+              metric,
+              esc(host),
+              esc(pool),
+              esc(vdev),
+              value
+          }
+
+          BEGIN {
+            split(pools, pool_names, ",")
+            for (idx in pool_names) {
+              if (pool_names[idx] != "") {
+                known_pools[pool_names[idx]] = 1
+              }
+            }
+          }
+
+          NF == 0 {
+            next
+          }
+
+          {
+            row_name = $1
+
+            if (row_name in known_pools) {
+              current_pool = row_name
+              current_vdev = "_pool"
+            } else if (current_pool == "") {
+              next
+            } else {
+              current_vdev = row_name
+            }
+
+            emit("zpool_iostat_total_wait_read_ns", current_pool, current_vdev, $8)
+            emit("zpool_iostat_total_wait_write_ns", current_pool, current_vdev, $9)
+            emit("zpool_iostat_disk_wait_read_ns", current_pool, current_vdev, $10)
+            emit("zpool_iostat_disk_wait_write_ns", current_pool, current_vdev, $11)
+            emit("zpool_iostat_syncq_wait_read_ns", current_pool, current_vdev, $12)
+            emit("zpool_iostat_syncq_wait_write_ns", current_pool, current_vdev, $13)
+            emit("zpool_iostat_asyncq_wait_read_ns", current_pool, current_vdev, $14)
+            emit("zpool_iostat_asyncq_wait_write_ns", current_pool, current_vdev, $15)
+          }
+        ' >>"$tmp_file"
+
+        mv "$tmp_file" "$out_dir/zpool.prom"
+        trap - EXIT
+  '';
+in
+{
+  networking.firewall.interfaces.${monitoringInterface}.allowedTCPPorts = [
+    9100
+    9134
+    9256
+    9257
+    9633
+  ];
+
+  services.prometheus.exporters = {
+    node = {
+      enable = true;
+      enabledCollectors = [
+        "pressure"
+        "processes"
+        "systemd"
+      ];
+      extraFlags = [ "--collector.textfile.directory=${nodeTextfileDir}" ];
+    };
+
+    process = {
+      enable = true;
+      user = "root";
+      group = "root";
+      settings.process_names = mkProcessMatchers false;
+      extraFlags = [
+        "-gather-smaps=false"
+        "-remove-empty-groups=true"
+        "-threads=false"
+      ];
+    };
+
+    smartctl.enable = true;
+    zfs.enable = true;
+  };
+
+  programs.atop = {
+    enable = true;
+    atopService.enable = true;
+    atopRotateTimer.enable = true;
+    atopacctService.enable = true;
+    settings.interval = 30;
+  };
+
+  systemd = {
+    services = {
+      prometheus-process-pid-exporter = {
+        description = "Prometheus process exporter with per-PID naming";
+        wantedBy = [ "multi-user.target" ];
+        after = [ "network.target" ];
+        serviceConfig = {
+          ExecStart = ''
+            ${pkgs.prometheus-process-exporter}/bin/process-exporter \
+              --web.listen-address 0.0.0.0:9257 \
+              --config.path ${perPidConfig} \
+              -children=false \
+              -gather-smaps=false \
+              -remove-empty-groups=true \
+              -threads=false
+          '';
+          User = "root";
+          Group = "root";
+          Restart = "always";
+          WorkingDirectory = "/tmp";
+          CapabilityBoundingSet = [ "" ];
+          DeviceAllow = [ "" ];
+          LockPersonality = true;
+          MemoryDenyWriteExecute = true;
+          NoNewPrivileges = true;
+          PrivateDevices = true;
+          PrivateTmp = true;
+          ProtectClock = true;
+          ProtectControlGroups = true;
+          ProtectHome = true;
+          ProtectHostname = true;
+          ProtectKernelLogs = true;
+          ProtectKernelModules = true;
+          ProtectKernelTunables = true;
+          ProtectSystem = "strict";
+          RemoveIPC = true;
+          RestrictAddressFamilies = [
+            "AF_INET"
+            "AF_INET6"
+          ];
+          RestrictNamespaces = true;
+          RestrictRealtime = true;
+          RestrictSUIDSGID = true;
+          SystemCallArchitectures = "native";
+          UMask = "0077";
+        };
+      };
+
+      zpool-latency-exporter = {
+        description = "Exports ZFS latency metrics for node_exporter textfile collection";
+        after = [ "zfs-import.target" ];
+        requires = [ "zfs-import.target" ];
+        path = [
+          config.boot.zfs.package
+          pkgs.coreutils
+          pkgs.gawk
+        ];
+        serviceConfig = {
+          Type = "oneshot";
+          ExecStart = zpoolLatencyScript;
+        };
+      };
+    };
+
+    timers.zpool-latency-exporter = {
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        OnBootSec = "2m";
+        OnUnitActiveSec = "60s";
+        Unit = "zpool-latency-exporter.service";
+      };
+    };
+
+    tmpfiles.rules = [ "d ${nodeTextfileDir} 0755 root root - -" ];
+  };
+}
@@ -4,7 +4,7 @@
    flags = [ "--accept-flake-config" ];
    randomizedDelaySec = "1h";
    persistent = true;
-    flake = "github:RichieCahill/dotfiles";
+    flake = "git+https://gitea.tmmworkshop.com/richie/dotfiles?ref=main";
    allowReboot = true;
    dates = "Sat *-*-* 06:00:00";
  };
@@ -0,0 +1,76 @@
+# ZFS failed root import recovery
+
+## Fast path
+
+If the machine fails to boot because ZFS refuses to import `root_pool`:
+
+### GRUB
+
+1. At the bootloader menu, select the normal NixOS entry.
+2. Press `e`.
+3. Find the line that starts with `linux`.
+4. Append this to the end of that line:
+
+```text
+zfs_force=1
+```
+
+5. Boot once with `Ctrl+x` or `F10`.
+
+### systemd-boot
+
+1. At the bootloader menu, highlight the normal NixOS entry.
+2. Press `e`.
+3. Append this to the end of the options line:
+
+```text
+zfs_force=1
+```
+
+4. Press `Enter` to boot once.
+
+## After boot
+
+Run:
+
+```bash
+sudo zpool status
+sudo zpool import
+journalctl -b | rg "ZFS|zfs|import|root_pool"
+```
+
+## Expected result
+
+`sudo zpool status` should show `root_pool` as `ONLINE`.
+
+## Reboot test
+
+Run:
+
+```bash
+sudo reboot
+```
+
+Do not add `zfs_force=1` the second time.
+
+## If it still fails
+
+Boot once more with:
+
+```text
+zfs_force=1
+```
+
+Then run:
+
+```bash
+sudo zpool status -v
+sudo zpool history | tail -n 50
+journalctl -b | rg "ZFS|zfs|import|root_pool"
+```
+
+## Notes
+
+- Root pool name is `root_pool`.
+- This is a one-time recovery path after disk moves, controller changes, dirty exports, or interrupted imports.
+- Some hosts also need the LUKS unlock USB key inserted before boot.
@@ -8,11 +8,11 @@
      },
      "locked": {
        "dir": "pkgs/firefox-addons",
-        "lastModified": 1776398575,
-        "narHash": "sha256-WArU6WOdWxzbzGqYk4w1Mucg+bw/SCl6MoSp+/cZMio=",
+        "lastModified": 1778385775,
+        "narHash": "sha256-n0MUvWA2SML/qBB4hpShQ7i+i961MX4oPtaQfYo0+uU=",
        "owner": "rycee",
        "repo": "nur-expressions",
-        "rev": "05815686caf4e3678f5aeb5fd36e567886ab0d30",
+        "rev": "268324916742a48cd03b94fd63f2822d6b66d519",
        "type": "gitlab"
      },
      "original": {
@@ -29,11 +29,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1776454077,
-        "narHash": "sha256-7zSUFWsU0+jlD7WB3YAxQ84Z/iJurA5hKPm8EfEyGJk=",
+        "lastModified": 1778365864,
+        "narHash": "sha256-ImoT/wqmgMImf2dAC+E0MverAdA4QXsedOeES9B7Ezw=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "565e5349208fe7d0831ef959103c9bafbeac0681",
+        "rev": "2f419037039a152448c5f4ae9494154753d1b399",
        "type": "github"
      },
      "original": {
@@ -44,11 +44,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1775490113,
-        "narHash": "sha256-2ZBhDNZZwYkRmefK5XLOusCJHnoeKkoN95hoSGgMxWM=",
+        "lastModified": 1778143761,
+        "narHash": "sha256-lkesY6x2X2qxlqLM7CT2iM/0rP2JB7fruPN3h8POXmI=",
        "owner": "nixos",
        "repo": "nixos-hardware",
-        "rev": "c775c2772ba56e906cbeb4e0b2db19079ef11ff7",
+        "rev": "3bcaa367d4c550d687a17ac792fd5cda214ee871",
        "type": "github"
      },
      "original": {
@@ -60,11 +60,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1776169885,
-        "narHash": "sha256-l/iNYDZ4bGOAFQY2q8y5OAfBBtrDAaPuRQqWaFHVRXM=",
+        "lastModified": 1777954456,
+        "narHash": "sha256-hGdgeU2Nk87RAuZyYjyDjFL6LK7dAZN5RE9+hrDTkDU=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "4bd9165a9165d7b5e33ae57f3eecbcb28fb231c9",
+        "rev": "549bd84d6279f9852cae6225e372cc67fb91a4c1",
        "type": "github"
      },
      "original": {
@@ -76,11 +76,11 @@
    },
    "nixpkgs-master": {
      "locked": {
-        "lastModified": 1776469842,
-        "narHash": "sha256-sqzM6PKMQoGk8Sl+uv2sbP1qiS2SPQhA2yn5zgZINMc=",
+        "lastModified": 1778434251,
+        "narHash": "sha256-TznExR00uHvyeJsQW9cy8aBCW8W8sIvhzoVjAQTEyiw=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "025c852a89be820b3117f604c8ace42e9b4caa08",
+        "rev": "4f90e32d9c535072f0a6a9ac4599f1e78b829eab",
        "type": "github"
      },
      "original": {
@@ -125,11 +125,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1776119890,
-        "narHash": "sha256-Zm6bxLNnEOYuS/SzrAGsYuXSwk3cbkRQZY0fJnk8a5M=",
+        "lastModified": 1777944972,
+        "narHash": "sha256-VfGRo1qTBKOe3s2gOv8LSoA6Fk19PvBlwQ1ECN0Evn8=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "d4971dd58c6627bfee52a1ad4237637c0a2fb0cd",
+        "rev": "c591bf665727040c6cc5cb409079acb22dcce33c",
        "type": "github"
      },
      "original": {
@@ -23,7 +23,6 @@
        apscheduler
        fastapi
        fastapi-cli
-        faster-whisper
        httpx
        mypy
        orjson
@@ -42,6 +41,7 @@
        sqlalchemy
        tenacity
        textual
+        tiktoken
        tinytuya
        typer
        websockets
@@ -0,0 +1,335 @@
+"""Small Gitea API client for repository automation."""
+
+from __future__ import annotations
+
+from dataclasses import dataclass
+from typing import Self
+
+import httpx
+
+DEFAULT_PAGE_SIZE = 100
+EXPECTED_CREATED = 201
+EXPECTED_OK = 200
+
+
+@dataclass(frozen=True)
+class CreatedIssue:
+    """Issue data returned by Gitea."""
+
+    number: int | None
+    html_url: str | None
+    title: str
+
+
+@dataclass(frozen=True)
+class PullRequest:
+    """Pull request data returned by Gitea."""
+
+    number: int
+    title: str
+    html_url: str | None
+    labels: tuple[str, ...]
+    head_branch: str | None
+    base_branch: str | None
+
+
+@dataclass(frozen=True)
+class WorkflowJob:
+    """Workflow job data returned by Gitea Actions."""
+
+    id: int
+    name: str
+    run_id: int | None
+    status: str | None
+    conclusion: str | None
+
+
+class GiteaError(RuntimeError):
+    """Raised when Gitea rejects an API request."""
+
+
+def split_repo_name(repo: str) -> tuple[str, str]:
+    """Split an owner/repo string into its parts."""
+    owner, separator, repo_name = repo.partition("/")
+    if not separator or not owner or not repo_name:
+        msg = f"Invalid repository name: {repo}"
+        raise ValueError(msg)
+    return owner, repo_name
+
+
+class GiteaClient:
+    """HTTP client for the subset of Gitea APIs used in this repository."""
+
+    def __init__(
+        self,
+        *,
+        base_url: str,
+        token: str,
+        timeout: int = 30,
+        transport: httpx.BaseTransport | None = None,
+    ) -> None:
+        """Initialize the Gitea client."""
+        self._client = httpx.Client(
+            base_url=base_url.rstrip("/"),
+            timeout=timeout,
+            headers={"Authorization": f"token {token}"},
+            transport=transport,
+        )
+
+    def create_issue(
+        self,
+        *,
+        owner: str,
+        repo: str,
+        title: str,
+        body: str,
+        labels: list[int] | None = None,
+    ) -> CreatedIssue:
+        """Create a Gitea issue."""
+        payload: dict[str, object] = {"title": title, "body": body, "labels": labels or []}
+        response = self._request(
+            "POST",
+            f"/api/v1/repos/{owner}/{repo}/issues",
+            expected_statuses={EXPECTED_CREATED},
+            json=payload,
+        )
+        data = response.json()
+        return CreatedIssue(
+            number=_optional_int(data.get("number")),
+            html_url=_optional_str(data.get("html_url")),
+            title=str(data.get("title", title)),
+        )
+
+    def resolve_label_ids(self, *, owner: str, repo: str, labels: list[str]) -> list[int]:
+        """Resolve label names to Gitea label IDs."""
+        if not labels:
+            return []
+
+        available_labels: dict[str, int] = {}
+        page = 1
+        while True:
+            response = self._request(
+                "GET",
+                f"/api/v1/repos/{owner}/{repo}/labels",
+                params={"page": page, "limit": DEFAULT_PAGE_SIZE},
+            )
+            batch = response.json()
+            if not batch:
+                break
+            for label in batch:
+                label_name = str(label.get("name", ""))
+                label_id = _optional_int(label.get("id"))
+                if label_name and label_id is not None:
+                    available_labels[label_name] = label_id
+            if len(batch) < DEFAULT_PAGE_SIZE:
+                break
+            page += 1
+
+        missing = [label for label in labels if label not in available_labels]
+        if missing:
+            missing_names = ", ".join(sorted(missing))
+            msg = f"Missing Gitea labels: {missing_names}"
+            raise GiteaError(msg)
+
+        return [available_labels[label] for label in labels]
+
+    def list_open_pull_requests(
+        self,
+        *,
+        owner: str,
+        repo: str,
+        labels: list[str] | None = None,
+        head: str | None = None,
+    ) -> list[PullRequest]:
+        """List open pull requests for a repository."""
+        expected_labels = set(labels or [])
+        pull_requests: list[PullRequest] = []
+        page = 1
+        while True:
+            response = self._request(
+                "GET",
+                f"/api/v1/repos/{owner}/{repo}/pulls",
+                params={"state": "open", "page": page, "limit": DEFAULT_PAGE_SIZE},
+            )
+            batch = response.json()
+            if not batch:
+                break
+
+            for item in batch:
+                pull_request = _pull_request_from_api(item)
+                if head and pull_request.head_branch != head:
+                    continue
+                if expected_labels and not expected_labels.issubset(set(pull_request.labels)):
+                    continue
+                pull_requests.append(pull_request)
+
+            if len(batch) < DEFAULT_PAGE_SIZE:
+                break
+            page += 1
+
+        return pull_requests
+
+    def create_pull_request(
+        self,
+        *,
+        owner: str,
+        repo: str,
+        title: str,
+        body: str,
+        head: str,
+        base: str,
+        labels: list[str] | None = None,
+    ) -> PullRequest:
+        """Create a pull request."""
+        payload: dict[str, object] = {
+            "title": title,
+            "body": body,
+            "head": head,
+            "base": base,
+        }
+        if labels:
+            payload["labels"] = self.resolve_label_ids(owner=owner, repo=repo, labels=labels)
+
+        response = self._request(
+            "POST",
+            f"/api/v1/repos/{owner}/{repo}/pulls",
+            expected_statuses={EXPECTED_CREATED},
+            json=payload,
+        )
+        return _pull_request_from_api(response.json())
+
+    def merge_pull_request(
+        self,
+        *,
+        owner: str,
+        repo: str,
+        number: int,
+        merge_method: str = "rebase",
+        head_commit_id: str | None = None,
+        delete_branch_after_merge: bool = False,
+    ) -> None:
+        """Merge a pull request."""
+        payload: dict[str, object] = {
+            "Do": merge_method,
+            "delete_branch_after_merge": delete_branch_after_merge,
+        }
+        if head_commit_id:
+            payload["head_commit_id"] = head_commit_id
+
+        self._request(
+            "POST",
+            f"/api/v1/repos/{owner}/{repo}/pulls/{number}/merge",
+            json=payload,
+        )
+
+    def list_run_jobs(self, *, owner: str, repo: str, run_id: str | int) -> list[WorkflowJob]:
+        """List workflow jobs for a specific run."""
+        jobs: list[WorkflowJob] = []
+        page = 1
+        while True:
+            response = self._request(
+                "GET",
+                f"/api/v1/repos/{owner}/{repo}/actions/jobs",
+                params={"page": page, "limit": DEFAULT_PAGE_SIZE},
+            )
+            payload = response.json()
+            batch = payload.get("jobs", [])
+            if not batch:
+                break
+
+            for item in batch:
+                if str(item.get("run_id")) != str(run_id):
+                    continue
+                jobs.append(_workflow_job_from_api(item))
+
+            if len(batch) < DEFAULT_PAGE_SIZE:
+                break
+            page += 1
+
+        return jobs
+
+    def download_job_logs(self, *, owner: str, repo: str, job_id: int) -> str:
+        """Download logs for a workflow job."""
+        response = self._request(
+            "GET",
+            f"/api/v1/repos/{owner}/{repo}/actions/jobs/{job_id}/logs",
+        )
+        return response.text
+
+    def close(self) -> None:
+        """Close the underlying HTTP client."""
+        self._client.close()
+
+    def __enter__(self) -> Self:
+        """Enter the context manager."""
+        return self
+
+    def __exit__(self, *args: object) -> None:
+        """Close the HTTP client."""
+        self.close()
+
+    def _request(
+        self,
+        method: str,
+        path: str,
+        *,
+        expected_statuses: set[int] | None = None,
+        **kwargs: object,
+    ) -> httpx.Response:
+        """Send an HTTP request and validate the response status."""
+        response = self._client.request(method, path, **kwargs)
+        statuses = expected_statuses or {EXPECTED_OK}
+        if response.status_code not in statuses:
+            msg = f"Gitea request failed ({response.status_code}): {response.text}"
+            raise GiteaError(msg)
+        return response
+
+
+def _pull_request_from_api(data: dict[str, object]) -> PullRequest:
+    """Convert Gitea API pull-request data into a dataclass."""
+    number = _optional_int(data.get("number")) or _optional_int(data.get("index"))
+    if number is None:
+        msg = "Gitea pull request payload is missing a number"
+        raise GiteaError(msg)
+
+    labels = tuple(str(label.get("name", "")) for label in data.get("labels", []))
+    head = data.get("head", {})
+    base = data.get("base", {})
+    return PullRequest(
+        number=number,
+        title=str(data.get("title", "")),
+        html_url=_optional_str(data.get("html_url")),
+        labels=tuple(label for label in labels if label),
+        head_branch=_optional_str(head.get("ref")) or _optional_str(data.get("head_branch")),
+        base_branch=_optional_str(base.get("ref")) or _optional_str(data.get("base_branch")),
+    )
+
+
+def _workflow_job_from_api(data: dict[str, object]) -> WorkflowJob:
+    """Convert Gitea API workflow-job data into a dataclass."""
+    job_id = _optional_int(data.get("id"))
+    if job_id is None:
+        msg = "Gitea workflow job payload is missing an ID"
+        raise GiteaError(msg)
+
+    return WorkflowJob(
+        id=job_id,
+        name=str(data.get("name", "")),
+        run_id=_optional_int(data.get("run_id")),
+        status=_optional_str(data.get("status")),
+        conclusion=_optional_str(data.get("conclusion")),
+    )
+
+
+def _optional_int(value: object) -> int | None:
+    """Convert an API value to an integer when present."""
+    if value is None:
+        return None
+    return int(value)
+
+
+def _optional_str(value: object) -> str | None:
+    """Convert an API value to a string when present."""
+    if value is None:
+        return None
+    return str(value)
@@ -0,0 +1,138 @@
+"""Automation helpers for flake.lock pull requests on Gitea."""
+
+from __future__ import annotations
+
+import subprocess
+from os import getenv
+from typing import Annotated
+
+import typer
+
+from python.gitea import GiteaClient, PullRequest, split_repo_name
+
+DEFAULT_BASE_BRANCH = "main"
+DEFAULT_BRANCH = "automation/update-flake-lock"
+DEFAULT_GITEA_URL = "https://gitea.tmmworkshop.com"
+PR_LABELS = ["dependencies", "automated", "flake_lock_update"]
+PR_TITLE = "Update flake.lock"
+PR_BODY = "Automated flake.lock update."
+
+app = typer.Typer(add_completion=False)
+
+
+def run_cmd(cmd: list[str], *, check: bool = True) -> subprocess.CompletedProcess[str]:
+    """Run a subprocess command."""
+    return subprocess.run(cmd, capture_output=True, text=True, check=check)
+
+
+def ensure_flake_lock_pull_request(
+    client: GiteaClient,
+    *,
+    owner: str,
+    repo: str,
+    branch: str,
+    base: str,
+) -> PullRequest:
+    """Return an existing flake.lock PR for the branch or create one."""
+    pull_requests = client.list_open_pull_requests(owner=owner, repo=repo, head=branch)
+    if pull_requests:
+        return pull_requests[0]
+
+    return client.create_pull_request(
+        owner=owner,
+        repo=repo,
+        title=PR_TITLE,
+        body=PR_BODY,
+        head=branch,
+        base=base,
+        labels=PR_LABELS,
+    )
+
+
+def find_flake_lock_pull_request(client: GiteaClient, *, owner: str, repo: str) -> PullRequest | None:
+    """Find the first open flake.lock pull request."""
+    pull_requests = client.list_open_pull_requests(owner=owner, repo=repo, labels=["flake_lock_update"])
+    if not pull_requests:
+        return None
+    return pull_requests[0]
+
+
+def has_worktree_changes() -> bool:
+    """Return whether `flake.lock` has worktree changes."""
+    result = run_cmd(["git", "diff", "--quiet", "--", "flake.lock"], check=False)
+    return result.returncode != 0
+
+
+def commit_flake_lock_update(*, branch: str) -> None:
+    """Commit the updated lock file to the automation branch."""
+    run_cmd(["git", "config", "user.name", "gitea-actions[bot]"])
+    run_cmd(["git", "config", "user.email", "gitea-actions@tmmworkshop.com"])
+    run_cmd(["git", "checkout", "-B", branch])
+    run_cmd(["git", "add", "flake.lock"])
+    run_cmd(["git", "commit", "-m", "chore: update flake.lock"])
+
+
+def push_branch(*, branch: str) -> None:
+    """Push the automation branch to origin."""
+    run_cmd(["git", "push", "origin", f"HEAD:{branch}", "--force"])
+
+
+def _required_gitea_token() -> str:
+    """Read the required Gitea token from the environment."""
+    token = getenv("GITEA_TOKEN")
+    if token:
+        return token
+
+    msg = "GITEA_TOKEN environment variable is required"
+    raise RuntimeError(msg)
+
+
+@app.command()
+def update(
+    repo: Annotated[str, typer.Option("--repo", help="Gitea repository in owner/repo form")],
+    base: Annotated[str, typer.Option("--base", help="Base branch")] = DEFAULT_BASE_BRANCH,
+    branch: Annotated[str, typer.Option("--branch", help="Automation branch")] = DEFAULT_BRANCH,
+) -> None:
+    """Commit flake.lock changes and ensure a pull request exists."""
+    if not has_worktree_changes():
+        typer.echo("No flake.lock changes detected")
+        return
+
+    commit_flake_lock_update(branch=branch)
+    push_branch(branch=branch)
+
+    owner, repo_name = split_repo_name(repo)
+    with GiteaClient(
+        base_url=getenv("GITEA_URL", DEFAULT_GITEA_URL),
+        token=_required_gitea_token(),
+    ) as client:
+        pull_request = ensure_flake_lock_pull_request(
+            client,
+            owner=owner,
+            repo=repo_name,
+            branch=branch,
+            base=base,
+        )
+    typer.echo(pull_request.html_url or f"Pull request #{pull_request.number}")
+
+
+@app.command()
+def merge(
+    repo: Annotated[str, typer.Option("--repo", help="Gitea repository in owner/repo form")],
+) -> None:
+    """Merge the first open flake.lock pull request."""
+    owner, repo_name = split_repo_name(repo)
+    with GiteaClient(
+        base_url=getenv("GITEA_URL", DEFAULT_GITEA_URL),
+        token=_required_gitea_token(),
+    ) as client:
+        pull_request = find_flake_lock_pull_request(client, owner=owner, repo=repo_name)
+        if not pull_request:
+            typer.echo("No open PR found with label flake_lock_update")
+            return
+        client.merge_pull_request(owner=owner, repo=repo_name, number=pull_request.number, merge_method="rebase")
+    typer.echo(f"Merged PR #{pull_request.number}")
+
+
+if __name__ == "__main__":
+    app()
@@ -7,6 +7,7 @@
    "${inputs.self}/common/global"
    "${inputs.self}/common/optional/docker.nix"
    "${inputs.self}/common/optional/scanner.nix"
+    "${inputs.self}/common/optional/monitoring-agent.nix"
    "${inputs.self}/common/optional/steam.nix"
    "${inputs.self}/common/optional/syncthing_base.nix"
    "${inputs.self}/common/optional/systemd-boot.nix"
@@ -42,12 +42,14 @@
      "qwen3:8b"
      "qwen3.5:27b"
      "qwen3.5:35b"
+      "qwen3.6:27b"
+      "qwen3.6:35b"
+      "rinex20/translategemma3:12b"
      "translategemma:12b"
      "translategemma:27b"
      "translategemma:4b"
-      "rinex20/translategemma3:12b"
    ];
-    models = "/zfs/models";
+    models = "/zfs/storage/models";
    openFirewall = true;
  };
 }
@@ -10,10 +10,12 @@ in
    "${inputs.self}/users/steve"
    "${inputs.self}/common/global"
    "${inputs.self}/common/optional/docker.nix"
+    "${inputs.self}/common/optional/monitoring-agent.nix"
    "${inputs.self}/common/optional/ssh_decrypt.nix"
    "${inputs.self}/common/optional/syncthing_base.nix"
    "${inputs.self}/common/optional/update.nix"
    "${inputs.self}/common/optional/zerotier.nix"
+    ./monitoring
    ./docker
    ./services
    ./web_services
@@ -37,5 +39,10 @@ in
    zerotierone.joinNetworks = [ "a09acf02330d37b9" ];
  };

+  users.groups = {
+    nornsight = { };
+    nornsight-admin = { };
+  };
+
  system.stateVersion = "24.05";
 }
@@ -0,0 +1,426 @@
+{
+  "annotations": {
+    "list": [
+      {
+        "builtIn": 1,
+        "datasource": {
+          "type": "grafana",
+          "uid": "-- Grafana --"
+        },
+        "enable": true,
+        "hide": true,
+        "iconColor": "rgba(0, 211, 255, 1)",
+        "name": "Annotations & Alerts",
+        "type": "dashboard"
+      }
+    ]
+  },
+  "editable": true,
+  "fiscalYearStartMonth": 0,
+  "graphTooltip": 0,
+  "links": [],
+  "panels": [
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prom-main"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "percent"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 6,
+        "x": 0,
+        "y": 0
+      },
+      "id": 1,
+      "options": {
+        "legend": {
+          "displayMode": "list",
+          "placement": "bottom"
+        },
+        "tooltip": {
+          "mode": "multi"
+        }
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-main"
+          },
+          "editorMode": "code",
+          "expr": "100 * (1 - avg by (instance) (rate(node_cpu_seconds_total{mode=\"idle\"}[5m])))",
+          "legendFormat": "{{instance}}",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "CPU Used",
+      "type": "timeseries"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prom-main"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "percent"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 6,
+        "x": 6,
+        "y": 0
+      },
+      "id": 2,
+      "options": {
+        "legend": {
+          "displayMode": "list",
+          "placement": "bottom"
+        },
+        "tooltip": {
+          "mode": "multi"
+        }
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-main"
+          },
+          "editorMode": "code",
+          "expr": "100 * (1 - (node_memory_MemAvailable_bytes / node_memory_MemTotal_bytes))",
+          "legendFormat": "{{instance}}",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "RAM Used",
+      "type": "timeseries"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prom-main"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "percent"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 6,
+        "x": 12,
+        "y": 0
+      },
+      "id": 3,
+      "options": {
+        "legend": {
+          "displayMode": "list",
+          "placement": "bottom"
+        },
+        "tooltip": {
+          "mode": "multi"
+        }
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-main"
+          },
+          "editorMode": "code",
+          "expr": "100 * (1 - (node_memory_SwapFree_bytes / node_memory_SwapTotal_bytes))",
+          "legendFormat": "{{instance}}",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "Swap Used",
+      "type": "timeseries"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prom-main"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "short"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 6,
+        "x": 18,
+        "y": 0
+      },
+      "id": 4,
+      "options": {
+        "legend": {
+          "displayMode": "list",
+          "placement": "bottom"
+        },
+        "tooltip": {
+          "mode": "multi"
+        }
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-main"
+          },
+          "editorMode": "code",
+          "expr": "node_load1",
+          "legendFormat": "{{instance}} load1",
+          "range": true,
+          "refId": "A"
+        },
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-main"
+          },
+          "editorMode": "code",
+          "expr": "node_load5",
+          "legendFormat": "{{instance}} load5",
+          "range": true,
+          "refId": "B"
+        },
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-main"
+          },
+          "editorMode": "code",
+          "expr": "node_load15",
+          "legendFormat": "{{instance}} load15",
+          "range": true,
+          "refId": "C"
+        }
+      ],
+      "title": "Load",
+      "type": "timeseries"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prom-main"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "Bps"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 9,
+        "w": 12,
+        "x": 0,
+        "y": 8
+      },
+      "id": 5,
+      "options": {
+        "legend": {
+          "displayMode": "list",
+          "placement": "bottom"
+        },
+        "tooltip": {
+          "mode": "multi"
+        }
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-main"
+          },
+          "editorMode": "code",
+          "expr": "sum by (instance) (rate(node_disk_read_bytes_total[5m]))",
+          "legendFormat": "{{instance}} read",
+          "range": true,
+          "refId": "A"
+        },
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-main"
+          },
+          "editorMode": "code",
+          "expr": "sum by (instance) (rate(node_disk_written_bytes_total[5m]))",
+          "legendFormat": "{{instance}} write",
+          "range": true,
+          "refId": "B"
+        }
+      ],
+      "title": "Disk Throughput",
+      "type": "timeseries"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prom-main"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "percent"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 9,
+        "w": 12,
+        "x": 12,
+        "y": 8
+      },
+      "id": 6,
+      "options": {
+        "cellHeight": "sm",
+        "showHeader": true,
+        "sortBy": [
+          {
+            "desc": true,
+            "displayName": "Value"
+          }
+        ]
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-main"
+          },
+          "editorMode": "code",
+          "expr": "100 * (1 - (node_filesystem_avail_bytes{mountpoint=~\"(/|/home|/var|/zfs.*)\",fstype!=\"\"} / node_filesystem_size_bytes{mountpoint=~\"(/|/home|/var|/zfs.*)\",fstype!=\"\"}))",
+          "format": "table",
+          "instant": true,
+          "legendFormat": "{{instance}} {{mountpoint}}",
+          "refId": "A"
+        }
+      ],
+      "title": "Filesystem Usage",
+      "type": "table"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prom-main"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "percentunit"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 12,
+        "x": 0,
+        "y": 17
+      },
+      "id": 7,
+      "options": {
+        "cellHeight": "sm",
+        "showHeader": true,
+        "sortBy": [
+          {
+            "desc": true,
+            "displayName": "Value"
+          }
+        ]
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-main"
+          },
+          "editorMode": "code",
+          "expr": "topk(10, rate(namedprocess_namegroup_cpu_seconds_total[5m]))",
+          "format": "table",
+          "instant": true,
+          "legendFormat": "{{instance}} {{groupname}}",
+          "refId": "A"
+        }
+      ],
+      "title": "Top Grouped CPU",
+      "type": "table"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prom-main"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "bytes"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 12,
+        "x": 12,
+        "y": 17
+      },
+      "id": 8,
+      "options": {
+        "cellHeight": "sm",
+        "showHeader": true,
+        "sortBy": [
+          {
+            "desc": true,
+            "displayName": "Value"
+          }
+        ]
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-main"
+          },
+          "editorMode": "code",
+          "expr": "topk(10, namedprocess_namegroup_memory_bytes{memtype=\"resident\"})",
+          "format": "table",
+          "instant": true,
+          "legendFormat": "{{instance}} {{groupname}}",
+          "refId": "A"
+        }
+      ],
+      "title": "Top Grouped Memory",
+      "type": "table"
+    }
+  ],
+  "refresh": "30s",
+  "schemaVersion": 39,
+  "style": "dark",
+  "tags": [
+    "monitoring"
+  ],
+  "templating": {
+    "list": []
+  },
+  "time": {
+    "from": "now-24h",
+    "to": "now"
+  },
+  "timepicker": {},
+  "timezone": "",
+  "title": "Overview",
+  "uid": "monitor-overview",
+  "version": 1,
+  "weekStart": ""
+}
@@ -0,0 +1,216 @@
+{
+  "annotations": {
+    "list": [
+      {
+        "builtIn": 1,
+        "datasource": {
+          "type": "grafana",
+          "uid": "-- Grafana --"
+        },
+        "enable": true,
+        "hide": true,
+        "iconColor": "rgba(0, 211, 255, 1)",
+        "name": "Annotations & Alerts",
+        "type": "dashboard"
+      }
+    ]
+  },
+  "editable": true,
+  "fiscalYearStartMonth": 0,
+  "graphTooltip": 0,
+  "links": [],
+  "panels": [
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prom-main"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "percentunit"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 12,
+        "x": 0,
+        "y": 0
+      },
+      "id": 1,
+      "options": {
+        "legend": {
+          "displayMode": "list",
+          "placement": "bottom"
+        },
+        "tooltip": {
+          "mode": "multi"
+        }
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-main"
+          },
+          "editorMode": "code",
+          "expr": "topk(10, rate(namedprocess_namegroup_cpu_seconds_total[5m]))",
+          "legendFormat": "{{instance}} {{groupname}}",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "Grouped CPU",
+      "type": "timeseries"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prom-main"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "bytes"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 12,
+        "x": 12,
+        "y": 0
+      },
+      "id": 2,
+      "options": {
+        "legend": {
+          "displayMode": "list",
+          "placement": "bottom"
+        },
+        "tooltip": {
+          "mode": "multi"
+        }
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-main"
+          },
+          "editorMode": "code",
+          "expr": "topk(10, namedprocess_namegroup_memory_bytes{memtype=\"resident\"})",
+          "legendFormat": "{{instance}} {{groupname}}",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "Grouped Resident Memory",
+      "type": "timeseries"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prom-main"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "Bps"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 12,
+        "x": 0,
+        "y": 10
+      },
+      "id": 3,
+      "options": {
+        "legend": {
+          "displayMode": "list",
+          "placement": "bottom"
+        },
+        "tooltip": {
+          "mode": "multi"
+        }
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-main"
+          },
+          "editorMode": "code",
+          "expr": "topk(10, rate(namedprocess_namegroup_read_bytes_total[5m]))",
+          "legendFormat": "{{instance}} {{groupname}}",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "Grouped Read I/O",
+      "type": "timeseries"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prom-main"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "Bps"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 12,
+        "x": 12,
+        "y": 10
+      },
+      "id": 4,
+      "options": {
+        "legend": {
+          "displayMode": "list",
+          "placement": "bottom"
+        },
+        "tooltip": {
+          "mode": "multi"
+        }
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-main"
+          },
+          "editorMode": "code",
+          "expr": "topk(10, rate(namedprocess_namegroup_write_bytes_total[5m]))",
+          "legendFormat": "{{instance}} {{groupname}}",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "Grouped Write I/O",
+      "type": "timeseries"
+    }
+  ],
+  "refresh": "30s",
+  "schemaVersion": 39,
+  "style": "dark",
+  "tags": [
+    "monitoring",
+    "process"
+  ],
+  "templating": {
+    "list": []
+  },
+  "time": {
+    "from": "now-7d",
+    "to": "now"
+  },
+  "timepicker": {},
+  "timezone": "",
+  "title": "Process History Grouped",
+  "uid": "monitor-process-history",
+  "version": 1,
+  "weekStart": ""
+}
@@ -0,0 +1,224 @@
+{
+  "annotations": {
+    "list": [
+      {
+        "builtIn": 1,
+        "datasource": {
+          "type": "grafana",
+          "uid": "-- Grafana --"
+        },
+        "enable": true,
+        "hide": true,
+        "iconColor": "rgba(0, 211, 255, 1)",
+        "name": "Annotations & Alerts",
+        "type": "dashboard"
+      }
+    ]
+  },
+  "editable": true,
+  "fiscalYearStartMonth": 0,
+  "graphTooltip": 0,
+  "links": [],
+  "panels": [
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prom-pid-short"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "percentunit"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 12,
+        "x": 0,
+        "y": 0
+      },
+      "id": 1,
+      "options": {
+        "cellHeight": "sm",
+        "showHeader": true,
+        "sortBy": [
+          {
+            "desc": true,
+            "displayName": "Value"
+          }
+        ]
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-pid-short"
+          },
+          "editorMode": "code",
+          "expr": "topk(20, rate(namedprocess_namegroup_cpu_seconds_total[2m]))",
+          "format": "table",
+          "instant": true,
+          "legendFormat": "{{instance}} {{groupname}}",
+          "refId": "A"
+        }
+      ],
+      "title": "Top PID CPU",
+      "type": "table"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prom-pid-short"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "bytes"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 12,
+        "x": 12,
+        "y": 0
+      },
+      "id": 2,
+      "options": {
+        "cellHeight": "sm",
+        "showHeader": true,
+        "sortBy": [
+          {
+            "desc": true,
+            "displayName": "Value"
+          }
+        ]
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-pid-short"
+          },
+          "editorMode": "code",
+          "expr": "topk(20, namedprocess_namegroup_memory_bytes{memtype=\"resident\"})",
+          "format": "table",
+          "instant": true,
+          "legendFormat": "{{instance}} {{groupname}}",
+          "refId": "A"
+        }
+      ],
+      "title": "Top PID RSS",
+      "type": "table"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prom-pid-short"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "Bps"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 12,
+        "x": 0,
+        "y": 10
+      },
+      "id": 3,
+      "options": {
+        "cellHeight": "sm",
+        "showHeader": true,
+        "sortBy": [
+          {
+            "desc": true,
+            "displayName": "Value"
+          }
+        ]
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-pid-short"
+          },
+          "editorMode": "code",
+          "expr": "topk(20, rate(namedprocess_namegroup_read_bytes_total[2m]))",
+          "format": "table",
+          "instant": true,
+          "legendFormat": "{{instance}} {{groupname}}",
+          "refId": "A"
+        }
+      ],
+      "title": "Top PID Read I/O",
+      "type": "table"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prom-pid-short"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "Bps"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 12,
+        "x": 12,
+        "y": 10
+      },
+      "id": 4,
+      "options": {
+        "cellHeight": "sm",
+        "showHeader": true,
+        "sortBy": [
+          {
+            "desc": true,
+            "displayName": "Value"
+          }
+        ]
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-pid-short"
+          },
+          "editorMode": "code",
+          "expr": "topk(20, rate(namedprocess_namegroup_write_bytes_total[2m]))",
+          "format": "table",
+          "instant": true,
+          "legendFormat": "{{instance}} {{groupname}}",
+          "refId": "A"
+        }
+      ],
+      "title": "Top PID Write I/O",
+      "type": "table"
+    }
+  ],
+  "refresh": "15s",
+  "schemaVersion": 39,
+  "style": "dark",
+  "tags": [
+    "monitoring",
+    "process"
+  ],
+  "templating": {
+    "list": []
+  },
+  "time": {
+    "from": "now-10m",
+    "to": "now"
+  },
+  "timepicker": {},
+  "timezone": "",
+  "title": "Process Live PID",
+  "uid": "monitor-process-pid",
+  "version": 1,
+  "weekStart": ""
+}
@@ -0,0 +1,351 @@
+{
+  "annotations": {
+    "list": [
+      {
+        "builtIn": 1,
+        "datasource": {
+          "type": "grafana",
+          "uid": "-- Grafana --"
+        },
+        "enable": true,
+        "hide": true,
+        "iconColor": "rgba(0, 211, 255, 1)",
+        "name": "Annotations & Alerts",
+        "type": "dashboard"
+      }
+    ]
+  },
+  "editable": true,
+  "fiscalYearStartMonth": 0,
+  "graphTooltip": 0,
+  "links": [],
+  "panels": [
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prom-main"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "percent"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 8,
+        "x": 0,
+        "y": 0
+      },
+      "id": 1,
+      "options": {
+        "legend": {
+          "displayMode": "list",
+          "placement": "bottom"
+        },
+        "tooltip": {
+          "mode": "multi"
+        }
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-main"
+          },
+          "editorMode": "code",
+          "expr": "100 * (zfs_pool_allocated_bytes / zfs_pool_size_bytes)",
+          "legendFormat": "{{instance}} {{pool}}",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "Pool Usage",
+      "type": "timeseries"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prom-main"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "bytes"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 8,
+        "x": 8,
+        "y": 0
+      },
+      "id": 2,
+      "options": {
+        "legend": {
+          "displayMode": "list",
+          "placement": "bottom"
+        },
+        "tooltip": {
+          "mode": "multi"
+        }
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-main"
+          },
+          "editorMode": "code",
+          "expr": "zfs_pool_free_bytes",
+          "legendFormat": "{{instance}} {{pool}}",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "Pool Free Bytes",
+      "type": "timeseries"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prom-main"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "bytes"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 8,
+        "x": 16,
+        "y": 0
+      },
+      "id": 3,
+      "options": {
+        "cellHeight": "sm",
+        "showHeader": true,
+        "sortBy": [
+          {
+            "desc": true,
+            "displayName": "Value"
+          }
+        ]
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-main"
+          },
+          "editorMode": "code",
+          "expr": "topk(20, zfs_dataset_used_bytes{type=\"filesystem\"})",
+          "format": "table",
+          "instant": true,
+          "legendFormat": "{{instance}} {{name}}",
+          "refId": "A"
+        }
+      ],
+      "title": "Top Filesystems by Used Bytes",
+      "type": "table"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prom-main"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "ns"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 9,
+        "w": 12,
+        "x": 0,
+        "y": 8
+      },
+      "id": 4,
+      "options": {
+        "legend": {
+          "displayMode": "list",
+          "placement": "bottom"
+        },
+        "tooltip": {
+          "mode": "multi"
+        }
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-main"
+          },
+          "editorMode": "code",
+          "expr": "topk(20, zpool_iostat_total_wait_read_ns{vdev!=\"_pool\"})",
+          "legendFormat": "{{host}} {{pool}} {{vdev}}",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "ZFS Read Wait",
+      "type": "timeseries"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prom-main"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "ns"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 9,
+        "w": 12,
+        "x": 12,
+        "y": 8
+      },
+      "id": 5,
+      "options": {
+        "legend": {
+          "displayMode": "list",
+          "placement": "bottom"
+        },
+        "tooltip": {
+          "mode": "multi"
+        }
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-main"
+          },
+          "editorMode": "code",
+          "expr": "topk(20, zpool_iostat_total_wait_write_ns{vdev!=\"_pool\"})",
+          "legendFormat": "{{host}} {{pool}} {{vdev}}",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "ZFS Write Wait",
+      "type": "timeseries"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prom-main"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "celsius"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 9,
+        "w": 12,
+        "x": 0,
+        "y": 17
+      },
+      "id": 6,
+      "options": {
+        "cellHeight": "sm",
+        "showHeader": true,
+        "sortBy": [
+          {
+            "desc": true,
+            "displayName": "Value"
+          }
+        ]
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-main"
+          },
+          "editorMode": "code",
+          "expr": "smartctl_device_temperature{temperature_type=\"current\"}",
+          "format": "table",
+          "instant": true,
+          "legendFormat": "{{instance}} {{device}}",
+          "refId": "A"
+        }
+      ],
+      "title": "Disk Temperature",
+      "type": "table"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prom-main"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "short"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 9,
+        "w": 12,
+        "x": 12,
+        "y": 17
+      },
+      "id": 7,
+      "options": {
+        "cellHeight": "sm",
+        "showHeader": true,
+        "sortBy": [
+          {
+            "desc": false,
+            "displayName": "Value"
+          }
+        ]
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-main"
+          },
+          "editorMode": "code",
+          "expr": "smartctl_device_smart_status",
+          "format": "table",
+          "instant": true,
+          "legendFormat": "{{instance}} {{device}}",
+          "refId": "A"
+        }
+      ],
+      "title": "SMART Health",
+      "type": "table"
+    }
+  ],
+  "refresh": "30s",
+  "schemaVersion": 39,
+  "style": "dark",
+  "tags": [
+    "monitoring",
+    "zfs"
+  ],
+  "templating": {
+    "list": []
+  },
+  "time": {
+    "from": "now-24h",
+    "to": "now"
+  },
+  "timepicker": {},
+  "timezone": "",
+  "title": "Storage and ZFS",
+  "uid": "monitor-storage",
+  "version": 1,
+  "weekStart": ""
+}
@@ -0,0 +1,186 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+let
+  vars = import ../vars.nix;
+
+  prometheusDataRoot = "${vars.database}/prometheus";
+  mainPrometheusDataDir = "${prometheusDataRoot}/main";
+  pidPrometheusDataDir = "${prometheusDataRoot}/pid-short";
+
+  prometheusYaml = pkgs.formats.yaml { };
+
+  mkPrometheusConfig =
+    name: cfg:
+    let
+      configFile = prometheusYaml.generate "${name}.yaml" cfg;
+    in
+    pkgs.runCommand "${name}-checked.yaml"
+      {
+        nativeBuildInputs = [ pkgs.prometheus.cli ];
+      }
+      ''
+        promtool check config ${configFile}
+        cp ${configFile} $out
+      '';
+
+  mkTarget = host: address: {
+    targets = [ address ];
+    labels.instance = host;
+  };
+
+  mainPrometheusConfig = mkPrometheusConfig "prometheus-main" {
+    global = {
+      scrape_interval = "30s";
+      scrape_timeout = "10s";
+      evaluation_interval = "30s";
+    };
+    scrape_configs = [
+      {
+        job_name = "node";
+        static_configs = [
+          (mkTarget "jeeves" "192.168.90.40:9100")
+          (mkTarget "bob" "192.168.90.25:9100")
+        ];
+      }
+      {
+        job_name = "process_grouped";
+        static_configs = [
+          (mkTarget "jeeves" "192.168.90.40:9256")
+          (mkTarget "bob" "192.168.90.25:9256")
+        ];
+      }
+      {
+        job_name = "smartctl";
+        static_configs = [
+          (mkTarget "jeeves" "192.168.90.40:9633")
+          (mkTarget "bob" "192.168.90.25:9633")
+        ];
+      }
+      {
+        job_name = "zfs";
+        static_configs = [
+          (mkTarget "jeeves" "192.168.90.40:9134")
+          (mkTarget "bob" "192.168.90.25:9134")
+        ];
+      }
+    ];
+  };
+
+  pidPrometheusConfig = mkPrometheusConfig "prometheus-pid-short" {
+    global = {
+      scrape_interval = "15s";
+      scrape_timeout = "10s";
+      evaluation_interval = "15s";
+    };
+    scrape_configs = [
+      {
+        job_name = "process_pid";
+        static_configs = [
+          (mkTarget "jeeves" "192.168.90.40:9257")
+          (mkTarget "bob" "192.168.90.25:9257")
+        ];
+      }
+    ];
+  };
+
+  mkPrometheusService =
+    {
+      dataDir,
+      configFile,
+      port,
+      retention,
+    }:
+    {
+      after = [
+        "zfs-media-database-prometheus.mount"
+        "network.target"
+      ];
+      requires = [ "zfs-media-database-prometheus.mount" ];
+      wantedBy = [ "multi-user.target" ];
+      unitConfig.RequiresMountsFor = [ dataDir ];
+      serviceConfig = {
+        ExecStart = "${lib.getExe pkgs.prometheus} ${
+          lib.escapeShellArgs [
+            "--config.file=${configFile}"
+            "--storage.tsdb.path=${dataDir}"
+            "--storage.tsdb.retention.time=${retention}"
+            "--web.listen-address=127.0.0.1:${toString port}"
+          ]
+        }";
+        User = "prometheus";
+        Group = "prometheus";
+        Restart = "always";
+        RestartSec = "5s";
+        WorkingDirectory = dataDir;
+        ReadWritePaths = [ dataDir ];
+        CapabilityBoundingSet = [ "" ];
+        DeviceAllow = [ "/dev/null rw" ];
+        DevicePolicy = "strict";
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProtectSystem = "strict";
+        RemoveIPC = true;
+        RestrictAddressFamilies = [
+          "AF_INET"
+          "AF_INET6"
+          "AF_UNIX"
+        ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service"
+          "~@privileged"
+        ];
+      };
+    };
+in
+{
+  users = {
+    groups.prometheus = { };
+    users.prometheus = {
+      isSystemUser = true;
+      group = "prometheus";
+      description = "Prometheus daemon user";
+    };
+  };
+
+  systemd = {
+    services = {
+      prometheus-main = mkPrometheusService {
+        configFile = mainPrometheusConfig;
+        dataDir = mainPrometheusDataDir;
+        port = 9090;
+        retention = "90d";
+      };
+
+      prometheus-pid-short = mkPrometheusService {
+        configFile = pidPrometheusConfig;
+        dataDir = pidPrometheusDataDir;
+        port = 9092;
+        retention = "10m";
+      };
+    };
+
+    tmpfiles.rules = [
+      "d ${prometheusDataRoot} 0755 root root - -"
+      "d ${mainPrometheusDataDir} 0750 prometheus prometheus - -"
+      "d ${pidPrometheusDataDir} 0750 prometheus prometheus - -"
+    ];
+  };
+}
@@ -1,4 +1,13 @@
 {
+  # Docker loads br_netfilter on jeeves. Disable bridge netfilter so
+  # br-nix-builder behaves like a pure L2 bridge and bridged traffic
+  # does not hit the host firewall/rpfilter path.
+  boot.kernel.sysctl = {
+    "net.bridge.bridge-nf-call-arptables" = 0;
+    "net.bridge.bridge-nf-call-ip6tables" = 0;
+    "net.bridge.bridge-nf-call-iptables" = 0;
+  };
+
  networking = {
    hostName = "jeeves";
    hostId = "0e15ce35";
@@ -49,23 +58,10 @@
      "60-br-nix-builder" = {
        matchConfig.Name = "br-nix-builder";
        bridgeConfig = { };
-        address = [ "192.168.3.10/24" ];
-        routingPolicyRules = [
-          {
-            From = "192.168.3.0/24";
-            Table = 100;
-            Priority = 100;
-          }
-        ];
-        routes = [
-          {
-            Gateway = "192.168.3.1";
-            Table = 100;
-            GatewayOnLink = false;
-            Metric = 2048;
-            PreferredSource = "192.168.3.10";
-          }
-        ];
+        networkConfig = {
+          IPv6AcceptRA = false;
+          LinkLocalAddressing = "no";
+        };
        linkConfig.RequiredForOnline = "no";
      };
    };
@@ -3,5 +3,6 @@
  environment.systemPackages = with pkgs; [
    filebot
    docker-compose
+    ffmpeg
  ];
 }
@@ -1,20 +1,7 @@
-{ pkgs, ... }:
+{ ... }:
 {
  imports = [ ./nix_builder.nix ];

-  users = {
-    users.github-runners = {
-      shell = pkgs.bash;
-      isSystemUser = true;
-      group = "github-runners";
-      uid = 601;
-      openssh.authorizedKeys.keys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA/S8i+BNX/12JNKg+5EKGX7Aqimt5KM+ve3wt/SyWuO github-runners" # cspell:disable-line
-      ];
-    };
-    groups.github-runners.gid = 601;
-  };
-
  services.nix_builder.containers = {
    nix-builder-00.enable = true;
    nix-builder-01.enable = true;
@@ -2,6 +2,7 @@
  config,
  lib,
  outputs,
+  utils,
  ...
 }:

@@ -9,6 +10,8 @@ with lib;
 let
  vars = import ../vars.nix;
  cfg = config.services.nix_builder;
+  runnerUsername = "gitea-runner";
+  runnerUserid = 601;
 in
 {
  options.services.nix_builder = {
@@ -23,37 +26,40 @@ in
        types.submodule (
          { name, ... }:
          {
-            options.enable = mkEnableOption "GitHub runner container";
+            options.enable = mkEnableOption "Gitea runner container";
          }
        )
      );
      default = { };
-      description = "GitHub runner container configurations";
+      description = "Gitea runner container configurations";
    };
  };

  config = {
+    users = {
+      users.${runnerUsername} = {
+        isSystemUser = true;
+        group = runnerUsername;
+        uid = runnerUserid;
+      };
+      groups.${runnerUsername}.gid = runnerUserid;
+    };
+
    containers = mapAttrs (
      name: containerCfg:
      mkIf containerCfg.enable {
        autoStart = true;
        privateNetwork = true;
        hostBridge = cfg.bridgeName;
-        ephemeral = true;
        bindMounts = {
-          storage = {
-            hostPath = "/zfs/media/github-runners/${name}";
-            mountPoint = "/zfs/media/github-runners/${name}";
-            isReadOnly = false;
-          };
          host-nix = {
            mountPoint = "/host-nix/var/nix/daemon-socket";
            hostPath = "/nix/var/nix/daemon-socket";
            isReadOnly = false;
          };
-          pat = {
-            hostPath = "${vars.secrets}/services/github-runners/runner_pat";
-            mountPoint = "${vars.secrets}/services/github-runners/runner_pat";
+          token = {
+            hostPath = "${vars.secrets}/services/gitea-runners";
+            mountPoint = "/run/secrets/gitea-runners";
            isReadOnly = true;
          };
        };
@@ -92,46 +98,69 @@ in
                "nix-command"
              ];
              sandbox = true;
-              allowed-users = [ "github-runners" ];
+              allowed-users = [ "gitea-runner" ];
              trusted-users = [
                "root"
-                "github-runners"
+                "gitea-runner"
              ];
            };
            nixpkgs = {
              overlays = builtins.attrValues outputs.overlays;
              config.allowUnfree = true;
            };
-            services.github-runners.${name} = {
+            users = {
+              users.${runnerUsername} = {
+                isSystemUser = true;
+                group = runnerUsername;
+                uid = runnerUserid;
+              };
+              groups.${runnerUsername}.gid = runnerUserid;
+            };
+            services.gitea-actions-runner.instances.${name} = {
              enable = true;
-              replace = true;
-              workDir = "/zfs/media/github-runners/${name}";
-              url = "https://github.com/RichieCahill/dotfiles";
-              extraLabels = [ "nixos" ];
-              tokenFile = "${vars.secrets}/services/github-runners/runner_pat";
-              user = "github-runners";
-              group = "github-runners";
-              extraPackages = with pkgs; [
+              name = "jeeves-${name}";
+              url = "http://192.168.99.14:6443/";
+              labels = [
+                "self-hosted:host"
+                "nixos:host"
+              ];
+              tokenFile = "/run/secrets/gitea-runners/registration-token";
+              hostPackages = with pkgs; [
+                bash
+                coreutils
+                curl
+                gawk
                gitMinimal
-                gh
+                gnused
+                my_python
+                nix
                nixfmt
                nixos-rebuild
+                nodejs
                treefmt
-                my_python
+                wget
              ];
            };
-            users = {
-              users.github-runners = {
-                shell = pkgs.bash;
-                isSystemUser = true;
-                group = "github-runners";
-                uid = 601;
+            systemd.services."gitea-runner-${utils.escapeSystemdPath name}" = {
+              serviceConfig = {
+                DynamicUser = mkForce false;
+                User = mkForce runnerUsername;
+                Group = mkForce runnerUsername;
              };
-              groups.github-runners.gid = 601;
            };
            system.stateVersion = "24.05";
          };
      }
    ) cfg.containers;
+
+    systemd.services = builtins.listToAttrs (
+      map (name: {
+        name = "container@${name}";
+        value = {
+          requires = [ "gitea.service" ];
+          after = [ "gitea.service" ];
+        };
+      }) (builtins.attrNames (filterAttrs (_: c: c.enable) cfg.containers))
+    );
  };
 }
@@ -23,6 +23,7 @@ sudo zfs create media/secure/home_assistant -o compression=zstd-19
 sudo zfs create media/secure/notes -o copies=2
 sudo zfs create media/secure/postgres -o mountpoint=/zfs/media/database/postgres -o recordsize=16k -o primarycache=metadata
 sudo zfs create media/secure/postgres-wal -o mountpoint=/zfs/media/database/postgres-wal -o recordsize=32k -o primarycache=metadata -o special_small_blocks=32K -o compression=lz4 -o secondarycache=none -o logbias=latency
+sudo zfs create media/secure/prometheus -o mountpoint=/zfs/media/database/prometheus -o compression=lz4
 sudo zfs create media/secure/services -o compression=zstd-9
 sudo zfs create media/secure/share -o mountpoint=/zfs/media/share -o exec=off

@@ -41,3 +42,4 @@ sudo zfs create storage/secure/plex -o recordsize=1M -o compression=zstd-19
 sudo zfs create storage/secure/secrets -o compression=zstd-19 -o copies=3
 sudo zfs create storage/secure/syncthing -o compression=zstd-19
 sudo zfs create storage/secure/transmission -o recordsize=1M -o compression=zstd-9 -o exec=off -o sync=disabled
+sudo zfs create storage/secure/important -o compression=zstd-19 -o copies=2 -o mountpoint=/zfs/storage/important
@@ -3,7 +3,10 @@ let
  vars = import ../vars.nix;
 in
 {
-  services.audiobookshelf.enable = true;
+  services.audiobookshelf = {
+    enable = true;
+    port = 8000;
+  };
  systemd.services.audiobookshelf.serviceConfig.WorkingDirectory =
    lib.mkForce "${vars.docker_configs}/audiobookshelf";
  users.users.audiobookshelf.home = lib.mkForce "${vars.docker_configs}/audiobookshelf";
@@ -0,0 +1,80 @@
+{
+  ...
+}:
+let
+  vars = import ../vars.nix;
+in
+{
+  systemd.tmpfiles.rules = [
+    "d ${vars.docker_configs}/camofox-browser 0750 root root - -"
+  ];
+
+  containers.camofox-browser = {
+    autoStart = true;
+    privateNetwork = false;
+    bindMounts = {
+      camofox-browser = {
+        hostPath = "${vars.docker_configs}/camofox-browser";
+        mountPoint = "/var/lib/camofox-browser";
+        isReadOnly = false;
+      };
+    };
+    config =
+      {
+        pkgs,
+        lib,
+        ...
+      }:
+      {
+        networking.hostName = "camofox-browser";
+
+        environment.systemPackages = with pkgs; [
+          ffmpeg
+          git
+          nodejs
+          python3Packages.yt-dlp
+        ];
+
+        systemd.services.camofox-browser = {
+          description = "Camofox browser server";
+          wantedBy = [ "multi-user.target" ];
+          after = [ "network.target" ];
+          environment = {
+            CAMOFOX_HOST = "127.0.0.1";
+            CAMOFOX_PORT = "9377";
+            HOME = "/var/lib/camofox-browser";
+          };
+          path = with pkgs; [
+            bash
+            coreutils
+            git
+            nodejs
+          ];
+          serviceConfig = {
+            Restart = "always";
+            RestartSec = "5s";
+            WorkingDirectory = "/var/lib/camofox-browser";
+          };
+          script = ''
+            set -eu
+
+            app_dir=/var/lib/camofox-browser/app
+
+            if [ ! -d "$app_dir/.git" ]; then
+              git clone --depth 1 https://github.com/jo-inc/camofox-browser "$app_dir"
+            fi
+
+            cd "$app_dir"
+
+            if [ ! -d node_modules ]; then
+              npm install
+            fi
+
+            exec npm start
+          '';
+        };
+
+        system.stateVersion = lib.mkDefault "24.05";
+      };
+  };
+}
@@ -21,6 +21,10 @@ in
      createDatabase = false;
    };
    settings = {
+      actions = {
+        ENABLED = true;
+        DEFAULT_ACTIONS_URL = "github";
+      };
      service.DISABLE_REGISTRATION = true;
      server = {
        DOMAIN = "tmmworkshop.com";
@@ -0,0 +1,80 @@
+{
+  ...
+}:
+let
+  vars = import ../vars.nix;
+  grafanaDataDir = "${vars.services}/grafana";
+in
+{
+  networking.firewall.allowedTCPPorts = [ 3000 ];
+
+  services.grafana = {
+    enable = true;
+    dataDir = grafanaDataDir;
+    settings = {
+      database.type = "sqlite3";
+      security = {
+        admin_password = "$__file{${vars.secrets}/services/grafana/admin_password}";
+        admin_user = "admin";
+        secret_key = "$__file{${vars.secrets}/services/grafana/secret_key}";
+      };
+      server = {
+        http_addr = "192.168.90.40";
+        http_port = 3000;
+        root_url = "http://192.168.90.40:3000/";
+      };
+    };
+    provision = {
+      enable = true;
+      dashboards.settings = {
+        apiVersion = 1;
+        providers = [
+          {
+            name = "monitoring";
+            folder = "Monitoring";
+            type = "file";
+            disableDeletion = false;
+            editable = false;
+            allowUiUpdates = false;
+            updateIntervalSeconds = 30;
+            options.path = ../monitoring/dashboards;
+          }
+        ];
+      };
+      datasources.settings = {
+        apiVersion = 1;
+        prune = true;
+        datasources = [
+          {
+            access = "proxy";
+            editable = false;
+            isDefault = true;
+            name = "prom-main";
+            type = "prometheus";
+            uid = "prom-main";
+            url = "http://127.0.0.1:9090";
+          }
+          {
+            access = "proxy";
+            editable = false;
+            name = "prom-pid-short";
+            type = "prometheus";
+            uid = "prom-pid-short";
+            url = "http://127.0.0.1:9092";
+          }
+        ];
+      };
+    };
+  };
+
+  systemd = {
+    services.grafana.after = [
+      "prometheus-main.service"
+      "prometheus-pid-short.service"
+    ];
+
+    tmpfiles.rules = [
+      "d ${grafanaDataDir} 0750 grafana grafana - -"
+    ];
+  };
+}
@@ -1,24 +0,0 @@
-{
-  services.hedgedoc = {
-    enable = true;
-    settings = {
-      host = "0.0.0.0";
-      port = 3000;
-      domain = "192.168.90.40";
-      urlAddPort = true;
-      protocolUseSSL = false;
-      db = {
-        dialect = "postgres";
-        database = "hedgedoc";
-        username = "hedgedoc";
-        host = "/run/postgresql";
-      };
-    };
-  };
-  networking.firewall.allowedTCPPorts = [ 3000 ];
-
-  systemd.services.hedgedoc = {
-    after = [ "postgresql.service" ];
-    requires = [ "postgresql.service" ];
-  };
-}
@@ -0,0 +1,107 @@
+{ pkgs, ... }:
+let
+  vars = import ../vars.nix;
+  stateDir = "${vars.services}/nornsight";
+  appDir = "${stateDir}/app";
+  binPath = pkgs.lib.makeBinPath [
+    pkgs.binutils
+    pkgs.libpq
+    pkgs.postgresql
+    pkgs.stdenv.cc
+  ];
+  libraryPath = pkgs.lib.makeLibraryPath [
+    pkgs.libpq
+    pkgs.postgresql.lib
+  ];
+in
+{
+  systemd.tmpfiles.rules = [
+    "d ${stateDir} 0750 nornsight nornsight - -"
+  ];
+
+  users.users.nornsight = {
+    isSystemUser = true;
+    group = "nornsight";
+    home = stateDir;
+  };
+
+  systemd.services.nornsight = {
+    description = "Norn Sight";
+    after = [ "network-online.target" ];
+    wants = [ "network-online.target" ];
+    wantedBy = [ "multi-user.target" ];
+
+    environment = {
+      HOME = stateDir;
+      UV_CACHE_DIR = "${stateDir}/.cache/uv";
+      UV_PROJECT_ENVIRONMENT = "${appDir}/.venv";
+      UV_PYTHON = "${pkgs.python313}/bin/python3.13";
+      UV_PYTHON_DOWNLOADS = "never";
+      LD_LIBRARY_PATH = libraryPath;
+      LIBRARY_PATH = libraryPath;
+      PSYCOPG_IMPL = "python";
+    };
+
+    path = with pkgs; [
+      bash
+      coreutils
+      git
+      uv
+    ];
+
+    serviceConfig = {
+      Type = "simple";
+      User = "nornsight";
+      Group = "nornsight";
+      EnvironmentFile = "-${vars.secrets}/services/nornsight";
+      WorkingDirectory = stateDir;
+      Restart = "on-failure";
+      RestartSec = "5s";
+      StandardOutput = "journal";
+      StandardError = "journal";
+      NoNewPrivileges = true;
+      PrivateTmp = true;
+      ProtectHome = true;
+      ProtectSystem = "strict";
+      ReadWritePaths = [ stateDir ];
+    };
+
+    script = ''
+      set -eu
+      export PATH="${binPath}:$PATH"
+      export LD_LIBRARY_PATH="${libraryPath}:''${LD_LIBRARY_PATH:-}"
+      export LIBRARY_PATH="${libraryPath}:''${LIBRARY_PATH:-}"
+
+      : "''${NORN_SIGHT_REPO_URL:?NORN_SIGHT_REPO_URL is required}"
+      branch="''${NORN_SIGHT_BRANCH:-main}"
+
+      if [ -d "${appDir}/.git" ]; then
+        current_origin="$(git -C "${appDir}" remote get-url origin)"
+        if [ "$current_origin" != "$NORN_SIGHT_REPO_URL" ]; then
+          rm -rf "${appDir}"
+        fi
+      fi
+
+      if [ ! -d "${appDir}/.git" ]; then
+        git clone --branch "$branch" "$NORN_SIGHT_REPO_URL" "${appDir}"
+      else
+        cd "${appDir}"
+        git fetch origin "$branch"
+        git checkout "$branch"
+        git pull --ff-only origin "$branch"
+      fi
+
+      cd "${appDir}"
+      uv sync --upgrade
+      uv run python - <<'PY'
+      import ctypes.util
+      import os
+
+      print(f"LD_LIBRARY_PATH={os.environ.get('LD_LIBRARY_PATH')}")
+      print(f"LIBRARY_PATH={os.environ.get('LIBRARY_PATH')}")
+      print(f"libpq={ctypes.util.find_library('pq')}")
+      PY
+      exec uv run uvicorn pipelines.web.main:app --host 0.0.0.0 --port 8001
+    '';
+  };
+}
@@ -12,6 +12,7 @@ in
  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_17_jit;
+    extensions = ps: with ps; [ pgvector ];
    enableTCPIP = true;
    enableJIT = true;
    dataDir = "${vars.database}/postgres";
@@ -1,57 +0,0 @@
-{
-  pkgs,
-  inputs,
-  ...
-}:
-let
-  vars = import ../vars.nix;
-in
-{
-  users = {
-    users.signalbot = {
-      isSystemUser = true;
-      group = "signalbot";
-    };
-    groups.signalbot = { };
-  };
-
-  systemd.services.signal-bot = {
-    description = "Signal command and control bot";
-    after = [
-      "network.target"
-      "podman-signal_cli_rest_api.service"
-    ];
-    wants = [ "podman-signal_cli_rest_api.service" ];
-    wantedBy = [ "multi-user.target" ];
-
-    environment = {
-      PYTHONPATH = "${inputs.self}";
-      SIGNALBOT_DB = "signalbot";
-      SIGNALBOT_USER = "signalbot";
-      SIGNALBOT_HOST = "/run/postgresql";
-      SIGNALBOT_PORT = "5432";
-    };
-
-    serviceConfig = {
-      Type = "simple";
-      WorkingDirectory = "${inputs.self}";
-      User = "signalbot";
-      Group = "signalbot";
-      EnvironmentFile = "${vars.secrets}/services/signal-bot";
-      ExecStart = "${pkgs.my_python}/bin/python -m python.signal_bot.main";
-      StateDirectory = "signal-bot";
-      Restart = "on-failure";
-      RestartSec = "10s";
-      StandardOutput = "journal";
-      StandardError = "journal";
-      NoNewPrivileges = true;
-      ProtectSystem = "strict";
-      ProtectHome = "read-only";
-      PrivateTmp = true;
-      ReadWritePaths = [ "/var/lib/signal-bot" ];
-      ReadOnlyPaths = [
-        "${inputs.self}"
-      ];
-    };
-  };
-}
@@ -10,6 +10,14 @@ in
    settings = {
      devices.davids-server.id = "7GXTDGR-AOXFW2O-K6J7NM3-XYZNRRW-AKHAFWM-GBOWUPQ-OA6JIWD-ER7RDQL"; # cspell:disable-line
      folders = {
+        photos = {
+          path = "${vars.syncthing}/important";
+          devices = [
+            "rhapsody-in-green"
+            "phone"
+          ];
+          fsWatcherEnabled = true;
+        };
        "dotfiles" = {
          path = "/home/richie/dotfiles";
          devices = [
@@ -6,6 +6,7 @@ let
    "jellyfin"
    "share"
  ];
+  extraDomains = [ "www.norn-sight.com" ];

  makeCert = name: {
    name = "${name}.tmmworkshop.com";
@@ -16,7 +17,18 @@ let
    };
  };

-  acmeServices = map (domain: "acme-${domain}.tmmworkshop.com.service") domains;
+  makeExtraCert = name: {
+    inherit name;
+    value = {
+      webroot = "/var/lib/acme/.challenges";
+      group = "acme";
+      reloadServices = [ "haproxy.service" ];
+    };
+  };
+
+  acmeServices =
+    map (domain: "acme-${domain}.tmmworkshop.com.service") domains
+    ++ map (domain: "acme-${domain}.service") extraDomains;
 in
 {
  users.users.haproxy.extraGroups = [ "acme" ];
@@ -24,7 +36,7 @@ in
  security.acme = {
    acceptTerms = true;
    defaults.email = "Richie@tmmworkshop.com";
-    certs = builtins.listToAttrs (map makeCert domains);
+    certs = builtins.listToAttrs ((map makeCert domains) ++ (map makeExtraCert extraDomains));
  };

  # Minimal nginx to serve ACME HTTP-01 challenge files for HAProxy
@@ -23,12 +23,11 @@ defaults
 #Application Setup
 frontend ContentSwitching
  bind *:80 v4v6
-  bind *:443 v4v6 ssl crt /var/lib/acme/audiobookshelf.tmmworkshop.com/full.pem crt /var/lib/acme/cache.tmmworkshop.com/full.pem crt /var/lib/acme/jellyfin.tmmworkshop.com/full.pem crt /var/lib/acme/share.tmmworkshop.com/full.pem crt /var/lib/acme/gitea.tmmworkshop.com/full.pem
+  bind *:443 v4v6 ssl crt /var/lib/acme/audiobookshelf.tmmworkshop.com/full.pem crt /var/lib/acme/cache.tmmworkshop.com/full.pem crt /var/lib/acme/jellyfin.tmmworkshop.com/full.pem crt /var/lib/acme/share.tmmworkshop.com/full.pem crt /var/lib/acme/gitea.tmmworkshop.com/full.pem crt /var/lib/acme/www.norn-sight.com/full.pem
  mode  http

  # ACME challenge routing (must be first)
  acl is_acme path_beg /.well-known/acme-challenge/
-  use_backend acme_challenge if is_acme

  # tmmworkshop.com
  acl host_audiobookshelf  hdr(host) -i audiobookshelf.tmmworkshop.com
@@ -36,6 +35,7 @@ frontend ContentSwitching
  acl host_jellyfin  hdr(host) -i jellyfin.tmmworkshop.com
  acl host_share  hdr(host) -i share.tmmworkshop.com
  acl host_gitea  hdr(host) -i gitea.tmmworkshop.com
+  acl host_norn_sight  hdr(host) -i www.norn-sight.com

  # Hosts allowed to serve plain HTTP (add entries to skip the HTTPS redirect)
  acl allow_http hdr(host) -i __none__
@@ -44,11 +44,13 @@ frontend ContentSwitching
  # Redirect all HTTP to HTTPS unless on the allow list or ACME challenge
  http-request redirect scheme https code 301 if !{ ssl_fc } !allow_http !is_acme

+  use_backend acme_challenge if is_acme
  use_backend audiobookshelf_nodes if host_audiobookshelf
  use_backend cache_nodes  if host_cache
  use_backend jellyfin if host_jellyfin
  use_backend share_nodes  if host_share
  use_backend gitea  if host_gitea
+  use_backend norn_sight  if host_norn_sight

 backend acme_challenge
  mode http
@@ -76,3 +78,7 @@ backend share_nodes
 backend gitea
  mode http
  server server 127.0.0.1:6443
+
+backend norn_sight
+  mode http
+  server server 127.0.0.1:8001
@@ -0,0 +1,35 @@
+{
+  pkgs,
+  inputs,
+  ...
+}:
+{
+  systemd.services.agent-logger = {
+    description = "Unified agent logger";
+    after = [ "local-fs.target" ];
+    wantedBy = [ "multi-user.target" ];
+
+    environment = {
+      AGENT_LOG_DB = "/var/lib/agent-logger/agent_log.sqlite";
+      HOME = "/home/richie";
+      PYTHONPATH = "${inputs.self}";
+    };
+
+    serviceConfig = {
+      Type = "simple";
+      User = "richie";
+      WorkingDirectory = "/home/richie";
+      ExecStart = "${pkgs.my_python}/bin/python -m python.agent_logger.main";
+      StateDirectory = "agent-logger";
+      Restart = "on-failure";
+      RestartSec = "5s";
+      StandardOutput = "journal";
+      StandardError = "journal";
+      NoNewPrivileges = true;
+      ProtectSystem = "strict";
+      ProtectHome = "read-only";
+      PrivateTmp = true;
+      ReadOnlyPaths = [ "${inputs.self}" ];
+    };
+  };
+}
@@ -11,10 +11,9 @@
    "${inputs.self}/common/optional/yubikey.nix"
    "${inputs.self}/common/optional/zerotier.nix"
    ./hardware.nix
-    ./llms.nix
    ./open_webui.nix
+    ./programs.nix
    ./qmk.nix
-    ./sunshine.nix
    ./syncthing.nix
    inputs.nixos-hardware.nixosModules.framework-13-7040-amd
  ];
@@ -27,6 +26,7 @@
      allowedTCPPorts = [
        8000
        8080
+        8081
      ];
    };
    networkmanager.enable = true;
@@ -1,29 +0,0 @@
-{
-  services.ollama = {
-    user = "ollama";
-    enable = true;
-    host = "127.0.0.1";
-    syncModels = true;
-    loadModels = [
-      "deepscaler:1.5b"
-      "deepseek-r1:8b"
-      "gemma3:12b"
-      "lfm2:24b"
-      "nemotron-3-nano:4b"
-      "qwen3:14b"
-      "qwen3.5:27b"
-    ];
-  };
-  systemd.services = {
-    ollama.serviceConfig = {
-      Nice = 19;
-      IOSchedulingPriority = 7;
-    };
-    ollama-model-loader.serviceConfig = {
-      Nice = 19;
-      CPUWeight = 50;
-      IOSchedulingClass = "idle";
-      IOSchedulingPriority = 7;
-    };
-  };
-}
@@ -1,6 +1,7 @@
 {
  services.open-webui = {
    enable = true;
+    host = "0.0.0.0";
    environment = {
      ANONYMIZED_TELEMETRY = "False";
      DO_NOT_TRACK = "True";
@@ -0,0 +1,6 @@
+{ pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    ffmpeg
+  ];
+}
@@ -1,28 +0,0 @@
-{ pkgs, ... }:
-{
-  services.sunshine = {
-    enable = true;
-    openFirewall = true;
-    capSysAdmin = true;
-  };
-  environment.systemPackages = [ pkgs.kdePackages.libkscreen ];
-
-  boot = {
-    kernelParams = [
-      "drm.edid_firmware=DP-4:edid/virtual-display.bin"
-      "video=DP-4:e"
-    ];
-  };
-
-  hardware.firmware = [
-    (pkgs.runCommandLocal "virtual-display-edid"
-      {
-        compressFirmware = false;
-      }
-      ''
-        mkdir -p $out/lib/firmware/edid
-        cp ${./edid/virtual-display.bin} $out/lib/firmware/edid/virtual-display.bin
-      ''
-    )
-  ];
-}
@@ -39,6 +39,14 @@
      ];
      fsWatcherEnabled = true;
    };
+    photos = {
+      path = "/home/richie/photos";
+      devices = [
+        "jeeves"
+        "phone"
+      ];
+      fsWatcherEnabled = true;
+    };
    "projects" = {
      id = "vyma6-lqqrz"; # cspell:disable-line
      path = "/home/richie/projects";
@@ -36,6 +36,8 @@ in
        "hass"
        "libvirtd"
        "networkmanager"
+        "nornsight"
+        "nornsight-admin"
        "plugdev"
        "scanner"
        "transmission"
@@ -36,6 +36,8 @@ in
        "hass"
        "libvirtd"
        "networkmanager"
+        "nornsight"
+        "nornsight-admin"
        "ollama"
        "plugdev"
        "scanner"
@@ -6,6 +6,7 @@
    "${inputs.self}/users/shared/sweet.nix"
    ./firefox
    ./kitty.nix
+    ./llm_tools.nix
    ./vscode
  ];

@@ -21,11 +22,8 @@
    # browser
    chromium
    # dev tools
-    claude-code
-    codex
    gparted
    jetbrains.datagrip
-    opencode
    proxychains
  ];
 }
@@ -1,8 +1,9 @@
-{ inputs, ... }:
+{ config, inputs, ... }:
 {
  imports = [ ./search_engines.nix ];

  programs.firefox = {
+    configPath = "${config.xdg.configHome}/mozilla/firefox";
    enable = true;
    profiles.richie = {
      extensions.packages = with inputs.firefox-addons.packages.x86_64-linux; [
@@ -6,11 +6,13 @@
    settings = {
      allow_remote_control = "yes";
      shell = "${pkgs.zsh}/bin/zsh";
+      scrollback_lines = 50000;
      wayland_titlebar_color = "background";
      background_opacity = "0.75";
      tab_bar_edge = "top";
      tab_bar_style = "powerline";
      enabled_layouts = "splits";
+      enable_audio_bell = "no";
    };
    keybindings = {
      "ctrl+alt+1" = "launch --type=tab --tab-title jeeves kitten ssh jeeves";
@@ -0,0 +1,9 @@
+{ pkgs, ... }:
+{
+  home.packages = [
+    pkgs.claude-code
+    pkgs.master.codex
+    pkgs.master.opencode
+    pkgs.master.pi-coding-agent
+  ];
+}
@@ -2,28 +2,32 @@
  {
    "key": "shift+alt+f",
    "command": "editor.action.formatDocument",
-    "when": "editorHasDocumentFormattingProvider && editorTextFocus && !editorReadonly && !inCompositeEditor"
+    "when": "editorHasDocumentFormattingProvider && editorTextFocus && !editorReadonly && !inCompositeEditor",
  },
  {
    "key": "alt+a d",
-    "command": "cSpell.addWordToWorkspaceSettings"
+    "command": "cSpell.addWordToWorkspaceSettings",
  },
  {
    "key": "ctrl+shift+`",
-    "command": "workbench.action.createTerminalEditor"
+    "command": "workbench.action.createTerminalEditor",
  },
  {
    "key": "ctrl+shift+`",
    "command": "-workbench.action.terminal.new",
-    "when": "terminalProcessSupported || terminalWebExtensionContributedProfile"
+    "when": "terminalProcessSupported || terminalWebExtensionContributedProfile",
  },
  {
    "key": "ctrl+shift+g r",
-    "command": "gitlens.git.rebase"
+    "command": "gitlens.git.rebase",
  },
  {
    "key": "ctrl+shift+g c",
    "command": "-gitlens.showQuickCommitFileDetails",
-    "when": "editorTextFocus && !gitlens:disabled && config.gitlens.keymap == 'chorded'"
-  }
+    "when": "editorTextFocus && !gitlens:disabled && config.gitlens.keymap == 'chorded'",
+  },
+  {
+    "key": "ctrl+shift+g p",
+    "command": "gitlens.pushRepositories",
+  },
 ]
@@ -14,7 +14,7 @@
  "git.pruneOnFetch": true,
  "terminal.integrated.scrollback": 10000,
  "update.mode": "none",
-  "workbench.colorTheme": "Default Dark+",
+  "workbench.colorTheme": "Dark+",
  "workbench.secondarySideBar.showLabels": false,

  // turns off all sounds and announcements
@@ -78,6 +78,8 @@
    "Corvidae",
    "drivername",
    "fastapi",
+    "Michal",
+    "Nornsight",
    "sandboxing",
    "syncthing",
  ],
@@ -98,4 +100,5 @@
  "hediet.vscode-drawio.resizeImages": null,
  "hediet.vscode-drawio.appearance": "automatic",
  "claudeCode.preferredLocation": "panel",
+  "docker.extension.enableComposeLanguageServer": false,
 }
Author	SHA1	Message	Date
Richie	38fb14520e	removed --reload treefmt / nix fmt (pull_request) Successful in 6s Details pytest / pytest (pull_request) Successful in 27s Details build_systems / build-brain (pull_request) Successful in 52s Details build_systems / build-bob (pull_request) Successful in 54s Details build_systems / build-leviathan (pull_request) Successful in 1m4s Details build_systems / build-rhapsody-in-green (pull_request) Successful in 1m5s Details build_systems / build-jeeves (pull_request) Successful in 2m45s Details build_systems / build-bob (push) Successful in 34s Details build_systems / build-brain (push) Successful in 32s Details treefmt / nix fmt (push) Successful in 6s Details pytest / pytest (push) Successful in 26s Details build_systems / build-leviathan (push) Successful in 43s Details build_systems / build-rhapsody-in-green (push) Successful in 47s Details build_systems / build-jeeves (push) Successful in 2m26s Details	2026-05-29 20:26:32 -04:00
Richie	006ae6079a	moved nornsight off my_python	2026-05-29 20:15:51 -04:00
Richie	7d507fb7e1	adding nornsight.nix treefmt / nix fmt (pull_request) Successful in 6s Details build_systems / build-brain (pull_request) Successful in 51s Details build_systems / build-bob (pull_request) Successful in 56s Details pytest / pytest (pull_request) Successful in 28s Details build_systems / build-leviathan (pull_request) Successful in 1m24s Details build_systems / build-rhapsody-in-green (pull_request) Successful in 1m30s Details build_systems / build-jeeves (pull_request) Successful in 2m45s Details	2026-05-29 18:39:27 -04:00
Richie	0f69022e51	disabled terminal bell treefmt / nix fmt (pull_request) Successful in 7s Details pytest / pytest (pull_request) Successful in 29s Details build_systems / build-brain (pull_request) Successful in 48s Details build_systems / build-bob (pull_request) Successful in 48s Details build_systems / build-jeeves (pull_request) Successful in 2m42s Details build_systems / build-brain (push) Successful in 30s Details build_systems / build-leviathan (pull_request) Successful in 1m0s Details build_systems / build-rhapsody-in-green (pull_request) Successful in 1m4s Details treefmt / nix fmt (push) Successful in 6s Details build_systems / build-bob (push) Successful in 33s Details pytest / pytest (push) Successful in 25s Details build_systems / build-leviathan (push) Successful in 41s Details build_systems / build-rhapsody-in-green (push) Successful in 46s Details build_systems / build-jeeves (push) Successful in 2m23s Details	2026-05-29 13:52:46 -04:00
Richie	a260ae2470	adding ffmpeg to jeeves and rhapsody-in-green treefmt / nix fmt (pull_request) Successful in 7s Details build_systems / build-bob (pull_request) Successful in 32s Details pytest / pytest (pull_request) Successful in 26s Details build_systems / build-brain (pull_request) Successful in 44s Details build_systems / build-leviathan (pull_request) Successful in 55s Details build_systems / build-rhapsody-in-green (pull_request) Successful in 1m30s Details build_systems / build-jeeves (pull_request) Successful in 2m40s Details treefmt / nix fmt (push) Successful in 6s Details build_systems / build-bob (push) Successful in 33s Details build_systems / build-brain (push) Successful in 34s Details pytest / pytest (push) Successful in 26s Details build_systems / build-leviathan (push) Successful in 44s Details build_systems / build-rhapsody-in-green (push) Successful in 45s Details build_systems / build-jeeves (push) Successful in 2m21s Details	2026-05-28 22:14:59 -04:00
Richie	820b4a53d2	adding photos to syncthing treefmt / nix fmt (pull_request) Successful in 6s Details pytest / pytest (pull_request) Successful in 1m16s Details build_systems / build-jeeves (pull_request) Successful in 5m29s Details build_systems / build-brain (pull_request) Successful in 6m4s Details build_systems / build-rhapsody-in-green (pull_request) Successful in 16m47s Details build_systems / build-leviathan (pull_request) Successful in 16m49s Details build_systems / build-bob (pull_request) Successful in 31s Details treefmt / nix fmt (push) Successful in 6s Details build_systems / build-bob (push) Successful in 31s Details build_systems / build-brain (push) Successful in 32s Details pytest / pytest (push) Successful in 26s Details build_systems / build-leviathan (push) Successful in 40s Details build_systems / build-rhapsody-in-green (push) Successful in 14s Details build_systems / build-jeeves (push) Successful in 2m33s Details	2026-05-28 22:08:46 -04:00
Richie	ea77e83f06	setting forceImportRoot to false pytest / pytest (pull_request) Successful in 53s Details treefmt / nix fmt (pull_request) Successful in 9s Details build_systems / build-brain (pull_request) Successful in 2m33s Details build_systems / build-bob (pull_request) Successful in 2m41s Details build_systems / build-leviathan (pull_request) Successful in 3m22s Details build_systems / build-rhapsody-in-green (pull_request) Successful in 3m32s Details build_systems / build-jeeves (pull_request) Successful in 8m52s Details build_systems / build-bob (push) Successful in 33s Details treefmt / nix fmt (push) Successful in 6s Details build_systems / build-brain (push) Successful in 31s Details pytest / pytest (push) Successful in 26s Details build_systems / build-leviathan (push) Successful in 41s Details build_systems / build-rhapsody-in-green (push) Successful in 47s Details build_systems / build-jeeves (push) Successful in 2m28s Details	2026-05-14 15:12:53 -04:00
Richie	a9da208bc3	added --accept-flake-config to nixos-rebuild step treefmt / nix fmt (pull_request) Successful in 9s Details pytest / pytest (pull_request) Successful in 1m17s Details build_systems / build-brain (pull_request) Successful in 2m14s Details build_systems / build-bob (pull_request) Successful in 2m25s Details build_systems / build-leviathan (pull_request) Successful in 4m32s Details build_systems / build-rhapsody-in-green (pull_request) Successful in 4m35s Details build_systems / build-jeeves (pull_request) Successful in 8m45s Details pytest / pytest (push) Successful in 1m1s Details treefmt / nix fmt (push) Successful in 8s Details build_systems / build-bob (push) Successful in 44s Details build_systems / build-leviathan (push) Successful in 38s Details build_systems / build-brain (push) Successful in 1m39s Details build_systems / build-rhapsody-in-green (push) Successful in 3m0s Details build_systems / build-jeeves (push) Successful in 7m3s Details	2026-05-14 13:39:13 -04:00
Richie	739d7dd28c	droped whisper from my_python	2026-05-14 13:38:41 -04:00
Richie	651599796e	moved ./llm_tools.nix to gui only treefmt / nix fmt (pull_request) Successful in 9s Details pytest / pytest (pull_request) Successful in 1m24s Details build_systems / build-brain (pull_request) Successful in 4m7s Details build_systems / build-leviathan (pull_request) Successful in 4m11s Details build_systems / build-rhapsody-in-green (pull_request) Successful in 4m41s Details build_systems / build-jeeves (pull_request) Successful in 8m38s Details build_systems / build-bob (pull_request) Failing after 14m11s Details	2026-05-14 12:58:15 -04:00
Richie	b9d440597c	removed llm tools from gui treefmt / nix fmt (pull_request) Successful in 9s Details pytest / pytest (pull_request) Successful in 1m4s Details build_systems / build-brain (pull_request) Successful in 2m31s Details build_systems / build-leviathan (pull_request) Successful in 3m21s Details build_systems / build-rhapsody-in-green (pull_request) Successful in 3m21s Details build_systems / build-jeeves (pull_request) Successful in 6m55s Details build_systems / build-bob (pull_request) Failing after 16m4s Details	2026-05-13 10:03:15 -04:00
Richie	311cc5d7a7	adding pi-coding-agenta treefmt / nix fmt (pull_request) Successful in 6s Details pytest / pytest (pull_request) Successful in 1m24s Details build_systems / build-brain (pull_request) Successful in 6m28s Details build_systems / build-leviathan (pull_request) Failing after 7m21s Details build_systems / build-rhapsody-in-green (pull_request) Failing after 7m22s Details build_systems / build-jeeves (pull_request) Successful in 11m47s Details build_systems / build-bob (pull_request) Failing after 19m3s Details	2026-05-13 08:57:45 -04:00
Richie	fb2519046d	moved codex and opencode to master pkgs	2026-05-13 08:56:18 -04:00
Richie	bc6b1585ec	flake update	2026-05-10 13:49:53 -04:00
Richie	d71330a85a	updated firefox configPath treefmt / nix fmt (pull_request) Successful in 6s Details pytest / pytest (pull_request) Successful in 29s Details build_systems / build-brain (pull_request) Successful in 5m41s Details build_systems / build-leviathan (pull_request) Successful in 5m43s Details build_systems / build-jeeves (pull_request) Successful in 6m58s Details build_systems / build-rhapsody-in-green (pull_request) Successful in 27m16s Details build_systems / build-bob (pull_request) Failing after 12m14s Details	2026-05-10 12:36:54 -04:00
Richie	df51aa5200	removing sunshine sunshine is a cool idea but has been causing annoying ui glitches and started preventing the display manning for starting Its a cool idea in theory but not useful enough for me to want to debug	2026-05-10 12:31:06 -04:00
Richie	e93cc816db	flake update	2026-05-09 17:38:13 -04:00
Richie	19050b4cf4	removing llms from rhapsody-in-green	2026-05-07 18:06:21 -04:00
Richie	6676c15f75	adding qwen3.6:27b	2026-05-07 18:05:00 -04:00
Richie	27e487e322	removing signal_bot treefmt / nix fmt (pull_request) Successful in 5s Details pytest / pytest (pull_request) Successful in 27s Details build_systems / build-bob (pull_request) Successful in 48s Details build_systems / build-brain (pull_request) Successful in 46s Details build_systems / build-leviathan (pull_request) Successful in 54s Details build_systems / build-rhapsody-in-green (pull_request) Successful in 1m0s Details build_systems / build-jeeves (pull_request) Successful in 2m34s Details treefmt / nix fmt (push) Successful in 5s Details build_systems / build-bob (push) Successful in 34s Details build_systems / build-brain (push) Successful in 31s Details pytest / pytest (push) Successful in 27s Details build_systems / build-leviathan (push) Successful in 40s Details build_systems / build-rhapsody-in-green (push) Successful in 43s Details build_systems / build-jeeves (push) Successful in 2m31s Details	2026-05-03 21:23:20 -04:00
Richie	4f28050eff	added nixfmt and nix build_systems / build-bob (pull_request) Failing after 52s Details build_systems / build-brain (pull_request) Failing after 50s Details pytest / pytest (pull_request) Failing after 4s Details treefmt / nix fmt (pull_request) Failing after 4s Details build_systems / build-leviathan (pull_request) Failing after 57s Details build_systems / build-rhapsody-in-green (pull_request) Failing after 52s Details build_systems / build-jeeves (pull_request) Failing after 3m17s Details	2026-05-03 20:47:03 -04:00
Richie	b58ea60557	adding hostPackages pytest / pytest (pull_request) Failing after 10s Details treefmt / nix fmt (pull_request) Failing after 13s Details build_systems / build-brain (pull_request) Failing after 29s Details build_systems / build-bob (pull_request) Failing after 29s Details build_systems / build-rhapsody-in-green (pull_request) Failing after 46s Details build_systems / build-jeeves (pull_request) Failing after 2m29s Details build_systems / build-leviathan (pull_request) Failing after 35s Details	2026-05-03 19:16:37 -04:00
Richie	e95eedffe4	updated br-nix-builder build_systems / build-bob (pull_request) Failing after 2s Details build_systems / build-brain (pull_request) Failing after 1s Details build_systems / build-jeeves (pull_request) Failing after 1s Details build_systems / build-leviathan (pull_request) Failing after 1s Details build_systems / build-rhapsody-in-green (pull_request) Failing after 1s Details treefmt / nix fmt (pull_request) Failing after 2s Details pytest / pytest (pull_request) Failing after 9s Details	2026-05-03 16:30:51 -04:00
Richie	1abd53987c	made nix_builders not ephemeral and depended on gitea	2026-05-03 16:29:56 -04:00
Richie	d1a3e7338a	added permittedInsecurePackages for discord-canary	2026-05-03 00:39:23 -04:00
Richie	687ef0c167	moved acme_challenge backend	2026-05-03 00:39:19 -04:00
Richie	3a86148352	working nix builder	2026-05-02 17:10:02 -04:00
Richie	fe9a2912e1	added words to spell check	2026-04-30 12:46:55 -04:00
Richie	29a99fc210	flake lock update	2026-04-30 12:46:55 -04:00
Richie	d7651bf588	set update.nix to gitea	2026-04-30 12:46:55 -04:00
Richie	2865dcbe9c	set dbus.implementation = "dbus";	2026-04-30 12:46:55 -04:00
Richie	d920b77bab	removed verilux	2026-04-30 12:46:55 -04:00
Richie	1b53167b53	updated nix builders	2026-04-30 12:46:55 -04:00
Richie	9dabb9dc07	updated actions	2026-04-30 12:46:55 -04:00
Richie	95630fe151	made Prometheus require zfs-media-database-prometheus.mount	2026-04-30 10:16:37 -04:00
Richie	d3a889f100	fixed typo	2026-04-30 10:16:37 -04:00
Richie	6ce0671f51	ran treefmt	2026-04-30 10:16:37 -04:00
Richie	25ab6b2ab6	added gitlens.pushRepositories key shourtcut	2026-04-30 10:16:37 -04:00
Richie	374d7e8d38	setting up resource monitoring for bob and jeeves	2026-04-30 10:16:37 -04:00
Richie	957110b7e9	increasing kitty scrollback_lines	2026-04-28 12:07:03 -04:00
Richie	e7dc60f2c3	adding tiktoken	2026-04-28 12:07:03 -04:00
Richie	353a9d6787	adding pgvector	2026-04-27 13:02:04 -04:00
Richie	9f2d3a3c89	updated .gitignore	2026-04-25 16:33:45 -04:00
Richie	73e221716f	adding nornsight	2026-04-25 16:33:45 -04:00
Richie	0d0ed5445a	moved models	2026-04-19 21:05:56 -04:00
Richie	9e4c6f6f56	adding qwen3.6	2026-04-19 21:05:56 -04:00