deleting data_science code

this code was moved to https://gitea.tmmworkshop.com/Nornsight/weave

.github/workflows/build_systems.yml

@@ -23,6 +23,6 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Build default package
-        run: "nixos-rebuild build --flake ./#${{ matrix.system }}"
+        run: "nixos-rebuild build --accept-flake-config --flake ./#${{ matrix.system }}"
       - name: copy to nix-cache
         run: nix copy --accept-flake-config --to unix:///host-nix/var/nix/daemon-socket/socket .#nixosConfigurations.${{ matrix.system }}.config.system.build.toplevel

.github/workflows/fix_eval_warnings.yml

@@ -1,30 +0,0 @@
-name: fix_eval_warnings
-on:
-  workflow_run:
-    workflows: ["build_systems"]
-    types: [completed]
-
-jobs:
-  check-warnings:
-    if: >-
-      github.event.workflow_run.conclusion != 'cancelled' &&
-      github.event.workflow_run.head_branch == 'main' &&
-      (github.event.workflow_run.event == 'push' || github.event.workflow_run.event == 'schedule')
-    runs-on: self-hosted
-    permissions:
-      contents: write
-      pull-requests: write
-
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Fix eval warnings
-        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
-        run: >-
-          nix develop .#devShells.x86_64-linux.default -c
-          python -m python.eval_warnings.main
-          --run-id "${{ github.event.workflow_run.id }}"
-          --repo "${{ github.repository }}"
-          --ollama-url "${{ secrets.OLLAMA_URL }}"
-          --run-url "${{ github.event.workflow_run.html_url }}"

.github/workflows/merge_flake_lock_update.yml

@@ -6,24 +6,18 @@ on:
 
 jobs:
   merge:
-    runs-on: ubuntu-latest
+    runs-on: self-hosted
 
     permissions:
       contents: write
       pull-requests: write
 
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-
       - name: merge_flake_lock_update
-        run: |
-          pr_number=$(gh pr list --state open --author RichieCahill --label flake_lock_update --json number --jq '.[0].number')
-          echo "pr_number=$pr_number" >> $GITHUB_ENV
-          if [ -n "$pr_number" ]; then
-            gh pr merge "$pr_number" --rebase
-          else
-            echo "No open PR found with label flake_lock_update"
-          fi
+        run: >-
+          nix develop .#devShells.x86_64-linux.default -c
+          python -m python.gitea_flake_lock merge
+          --repo "${{ github.repository }}"
         env:
-          GITHUB_TOKEN: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
+          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
+          GITEA_URL: https://gitea.tmmworkshop.com

.github/workflows/pytest.yml

@@ -1,13 +1,13 @@
 name: pytest
 
 on:
+  workflow_dispatch:
   push:
     branches:
       - main
   pull_request:
     branches:
       - main
-  merge_group:
 
 jobs:
   pytest:

.github/workflows/update-flake-lock.yml

@@ -6,18 +6,21 @@ on:
 
 jobs:
   lockfile:
-    runs-on: ubuntu-latest
+    runs-on: self-hosted
+    permissions:
+      actions: write
+      contents: write
+      pull-requests: write
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
-      - name: Install Nix
-        uses: DeterminateSystems/nix-installer-action@main
       - name: Update flake.lock
-        uses: DeterminateSystems/update-flake-lock@main
-        with:
-          token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
-          pr-title: "Update flake.lock"
-          pr-labels: |
-            dependencies
-            automated
-            flake_lock_update
+        run: nix flake update
+      - name: Create or update flake.lock PR
+        env:
+          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
+          GITEA_URL: https://gitea.tmmworkshop.com
+        run: >-
+          nix develop .#devShells.x86_64-linux.default -c
+          python -m python.gitea_flake_lock update
+          --repo "${{ github.repository }}"

.gitignore

@@ -169,3 +169,6 @@ test.*
 # Frontend build output
 frontend/dist/
 frontend/node_modules/
+
+# data from testing llms
+data/*

.vscode/settings.json

@@ -40,7 +40,6 @@
     "cgroupdriver",
     "charliermarsh",
     "Checkpointing",
-    "cloudflared",
     "codellama",
     "codezombiech",
     "compactmode",
@@ -204,6 +203,7 @@
     "peerconnection",
     "PESKYFOX",
     "PGID",
+    "pgvector",
     "pipewire",
     "pkgs",
     "plugdev",
@@ -308,6 +308,7 @@
     "usernamehw",
     "userprefs",
     "vaninventory",
+    "vdev",
     "vfat",
     "victron",
     "virt",

AGENTS.md

@@ -1,12 +0,0 @@
-## Dev environment tips
-
-- use treefmt to format all files
-- make python code ruff compliant
-- use pytest to test python code
-- always use the minimum amount of complexity
-- if judgment calls are easy to reverse make them. if not ask me first
-- Match existing code style.
-- Use builtin helpers getenv() over os.environ.get.
-- Prefer single-purpose functions over “do everything” helpers.
-- Avoid compatibility branches like PG_USER and POSTGRESQL_URL unless requested.
-- Keep helpers only if reused or they simplify the code otherwise inline.

common/global/default.nix

@@ -23,7 +23,10 @@
   boot = {
     tmp.useTmpfs = true;
     kernelPackages = lib.mkDefault pkgs.linuxPackages_6_12;
-    zfs.package = lib.mkDefault pkgs.zfs_2_4;
+    zfs = {
+      package = lib.mkDefault pkgs.zfs_2_4;
+      forceImportRoot = lib.mkDefault false;
+    };
   };
 
   hardware.enableRedistributableFirmware = true;
@@ -37,10 +40,17 @@
 
   nixpkgs = {
     overlays = builtins.attrValues outputs.overlays;
-    config.allowUnfree = true;
+    config = {
+      allowUnfree = true;
+      permittedInsecurePackages = [
+        "openssl-1.1.1w" # This is for discord-canary
+      ];
+    };
   };
 
   services = {
+    dbus.implementation = "dbus";
+
     # firmware update
     fwupd.enable = true;
 

common/global/nix.nix

@@ -34,6 +34,7 @@ in
       warn-dirty = false;
       flake-registry = ""; # disable global flake registries
       connect-timeout = 10;
+      download-buffer-size = 536870912;
       fallback = true;
     };
 

common/optional/monitoring-agent.nix

@@ -0,0 +1,256 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  monitoringInterface = "ztwfunumly";
+  nodeTextfileDir = "/var/lib/prometheus-node-exporter-textfile";
+
+  mkProcessNameTemplate =
+    perPid: template: if perPid then "${template}:{{.PID}}:{{.StartTime}}" else template;
+
+  mkProcessMatchers = perPid: [
+    {
+      name = mkProcessNameTemplate perPid "{{.Username}}:{{.Matches.Module}}";
+      cmdline = [ "^/nix/store[^ ]*/bin/python[^ ]* -m (?P<Module>[^ ]+)" ];
+    }
+    {
+      name = mkProcessNameTemplate perPid "{{.Username}}:{{.Matches.Wrapped}}";
+      cmdline = [
+        "^/nix/store[^ ]*/bin/python[^ ]* /nix/store[^ ]*/bin/\\.?(?P<Wrapped>[^ /]+?)(?:-wrapped)?(?:\\s|$)"
+      ];
+    }
+    {
+      name = mkProcessNameTemplate perPid "{{.Username}}:{{.Matches.Wrapped}}";
+      cmdline = [
+        "^/nix/store[^ ]*/bin/node /nix/store[^ ]*-(?P<Wrapped>[A-Za-z0-9._+-]+)-[0-9][^ /]*/"
+      ];
+    }
+    {
+      name = mkProcessNameTemplate perPid "{{.Username}}:{{.Matches.Wrapped}}";
+      cmdline = [ "^/nix/store[^ ]*/(?:bin/|lib/[^ ]*/)?\\.?(?P<Wrapped>[^ /]+?)(?:-wrapped)?(?:\\s|$)" ];
+    }
+    {
+      name = mkProcessNameTemplate perPid "{{.Username}}:{{.ExeBase}}";
+      cmdline = [ ".+" ];
+    }
+  ];
+
+  perPidConfig = pkgs.writeText "process-exporter-per-pid.yaml" (
+    builtins.toJSON {
+      process_names = mkProcessMatchers true;
+    }
+  );
+
+  zpoolLatencyScript = pkgs.writeShellScript "zpool-latency-exporter" ''
+        set -euo pipefail
+
+        out_dir=${lib.escapeShellArg nodeTextfileDir}
+        host=${lib.escapeShellArg config.networking.hostName}
+        tmp_file="$(mktemp "$out_dir/zpool.prom.XXXXXX")"
+        trap 'rm -f "$tmp_file"' EXIT
+
+        pools="$(zpool list -H -o name | paste -sd, -)"
+
+        cat >"$tmp_file" <<'EOF'
+    # HELP zpool_iostat_total_wait_read_ns Average total read wait time reported by zpool iostat.
+    # TYPE zpool_iostat_total_wait_read_ns gauge
+    # HELP zpool_iostat_total_wait_write_ns Average total write wait time reported by zpool iostat.
+    # TYPE zpool_iostat_total_wait_write_ns gauge
+    # HELP zpool_iostat_disk_wait_read_ns Average disk read wait time reported by zpool iostat.
+    # TYPE zpool_iostat_disk_wait_read_ns gauge
+    # HELP zpool_iostat_disk_wait_write_ns Average disk write wait time reported by zpool iostat.
+    # TYPE zpool_iostat_disk_wait_write_ns gauge
+    # HELP zpool_iostat_syncq_wait_read_ns Average synchronous queue read wait time reported by zpool iostat.
+    # TYPE zpool_iostat_syncq_wait_read_ns gauge
+    # HELP zpool_iostat_syncq_wait_write_ns Average synchronous queue write wait time reported by zpool iostat.
+    # TYPE zpool_iostat_syncq_wait_write_ns gauge
+    # HELP zpool_iostat_asyncq_wait_read_ns Average asynchronous queue read wait time reported by zpool iostat.
+    # TYPE zpool_iostat_asyncq_wait_read_ns gauge
+    # HELP zpool_iostat_asyncq_wait_write_ns Average asynchronous queue write wait time reported by zpool iostat.
+    # TYPE zpool_iostat_asyncq_wait_write_ns gauge
+    EOF
+
+        zpool iostat -Hplvy -y 1 1 | awk -F '\t' -v host="$host" -v pools="$pools" '
+          function esc(str, out) {
+            out = str
+            gsub(/\\/, "\\\\", out)
+            gsub(/"/, "\\\"", out)
+            return out
+          }
+
+          function emit(metric, pool, vdev, value) {
+            if (value == "" || value == "-") {
+              return
+            }
+
+            printf "%s{host=\"%s\",pool=\"%s\",vdev=\"%s\"} %s\n",
+              metric,
+              esc(host),
+              esc(pool),
+              esc(vdev),
+              value
+          }
+
+          BEGIN {
+            split(pools, pool_names, ",")
+            for (idx in pool_names) {
+              if (pool_names[idx] != "") {
+                known_pools[pool_names[idx]] = 1
+              }
+            }
+          }
+
+          NF == 0 {
+            next
+          }
+
+          {
+            row_name = $1
+
+            if (row_name in known_pools) {
+              current_pool = row_name
+              current_vdev = "_pool"
+            } else if (current_pool == "") {
+              next
+            } else {
+              current_vdev = row_name
+            }
+
+            emit("zpool_iostat_total_wait_read_ns", current_pool, current_vdev, $8)
+            emit("zpool_iostat_total_wait_write_ns", current_pool, current_vdev, $9)
+            emit("zpool_iostat_disk_wait_read_ns", current_pool, current_vdev, $10)
+            emit("zpool_iostat_disk_wait_write_ns", current_pool, current_vdev, $11)
+            emit("zpool_iostat_syncq_wait_read_ns", current_pool, current_vdev, $12)
+            emit("zpool_iostat_syncq_wait_write_ns", current_pool, current_vdev, $13)
+            emit("zpool_iostat_asyncq_wait_read_ns", current_pool, current_vdev, $14)
+            emit("zpool_iostat_asyncq_wait_write_ns", current_pool, current_vdev, $15)
+          }
+        ' >>"$tmp_file"
+
+        mv "$tmp_file" "$out_dir/zpool.prom"
+        trap - EXIT
+  '';
+in
+{
+  networking.firewall.interfaces.${monitoringInterface}.allowedTCPPorts = [
+    9100
+    9134
+    9256
+    9257
+    9633
+  ];
+
+  services.prometheus.exporters = {
+    node = {
+      enable = true;
+      enabledCollectors = [
+        "pressure"
+        "processes"
+        "systemd"
+      ];
+      extraFlags = [ "--collector.textfile.directory=${nodeTextfileDir}" ];
+    };
+
+    process = {
+      enable = true;
+      user = "root";
+      group = "root";
+      settings.process_names = mkProcessMatchers false;
+      extraFlags = [
+        "-gather-smaps=false"
+        "-remove-empty-groups=true"
+        "-threads=false"
+      ];
+    };
+
+    smartctl.enable = true;
+    zfs.enable = true;
+  };
+
+  programs.atop = {
+    enable = true;
+    atopService.enable = true;
+    atopRotateTimer.enable = true;
+    atopacctService.enable = true;
+    settings.interval = 30;
+  };
+
+  systemd = {
+    services = {
+      prometheus-process-pid-exporter = {
+        description = "Prometheus process exporter with per-PID naming";
+        wantedBy = [ "multi-user.target" ];
+        after = [ "network.target" ];
+        serviceConfig = {
+          ExecStart = ''
+            ${pkgs.prometheus-process-exporter}/bin/process-exporter \
+              --web.listen-address 0.0.0.0:9257 \
+              --config.path ${perPidConfig} \
+              -children=false \
+              -gather-smaps=false \
+              -remove-empty-groups=true \
+              -threads=false
+          '';
+          User = "root";
+          Group = "root";
+          Restart = "always";
+          WorkingDirectory = "/tmp";
+          CapabilityBoundingSet = [ "" ];
+          DeviceAllow = [ "" ];
+          LockPersonality = true;
+          MemoryDenyWriteExecute = true;
+          NoNewPrivileges = true;
+          PrivateDevices = true;
+          PrivateTmp = true;
+          ProtectClock = true;
+          ProtectControlGroups = true;
+          ProtectHome = true;
+          ProtectHostname = true;
+          ProtectKernelLogs = true;
+          ProtectKernelModules = true;
+          ProtectKernelTunables = true;
+          ProtectSystem = "strict";
+          RemoveIPC = true;
+          RestrictAddressFamilies = [
+            "AF_INET"
+            "AF_INET6"
+          ];
+          RestrictNamespaces = true;
+          RestrictRealtime = true;
+          RestrictSUIDSGID = true;
+          SystemCallArchitectures = "native";
+          UMask = "0077";
+        };
+      };
+
+      zpool-latency-exporter = {
+        description = "Exports ZFS latency metrics for node_exporter textfile collection";
+        after = [ "zfs-import.target" ];
+        requires = [ "zfs-import.target" ];
+        path = [
+          config.boot.zfs.package
+          pkgs.coreutils
+          pkgs.gawk
+        ];
+        serviceConfig = {
+          Type = "oneshot";
+          ExecStart = zpoolLatencyScript;
+        };
+      };
+    };
+
+    timers.zpool-latency-exporter = {
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        OnBootSec = "2m";
+        OnUnitActiveSec = "60s";
+        Unit = "zpool-latency-exporter.service";
+      };
+    };
+
+    tmpfiles.rules = [ "d ${nodeTextfileDir} 0755 root root - -" ];
+  };
+}

common/optional/syncthing_base.nix

@@ -12,7 +12,7 @@
       brain.id = "SSCGIPI-IV3VYKB-TRNIJE3-COV4T2H-CDBER7F-I2CGHYA-NWOEUDU-3T5QAAN"; # cspell:disable-line
       ipad.id = "KI76T3X-SFUGV2L-VSNYTKR-TSIUV5L-SHWD3HE-GQRGRCN-GY4UFMD-CW6Z6AX"; # cspell:disable-line
       jeeves.id = "ICRHXZW-ECYJCUZ-I4CZ64R-3XRK7CG-LL2HAAK-FGOHD22-BQA4AI6-5OAL6AG"; # cspell:disable-line
-      phone.id = "TBRULKD-7DZPGGZ-F6LLB7J-MSO54AY-7KLPBIN-QOFK6PX-W2HBEWI-PHM2CQI"; # cspell:disable-line
+      phone.id = "JPVQKQW-CFXOJXT-Q5G5F3H-QIDHDRE-GKHPTQB-GXZUQSP-U7FR7F7-INP3AAH"; # cspell:disable-line
       rhapsody-in-green.id = "ASL3KC4-3XEN6PA-7BQBRKE-A7JXLI6-DJT43BY-Q4WPOER-7UALUAZ-VTPQ6Q4"; # cspell:disable-line
     };
   };

common/optional/update.nix

@@ -4,7 +4,7 @@
     flags = [ "--accept-flake-config" ];
     randomizedDelaySec = "1h";
     persistent = true;
-    flake = "github:RichieCahill/dotfiles";
+    flake = "git+https://gitea.tmmworkshop.com/richie/dotfiles?ref=main";
     allowReboot = true;
     dates = "Sat *-*-* 06:00:00";
   };

docs/zfs_failed_root_import_recovry.md

@@ -0,0 +1,76 @@
+# ZFS failed root import recovery
+
+## Fast path
+
+If the machine fails to boot because ZFS refuses to import `root_pool`:
+
+### GRUB
+
+1. At the bootloader menu, select the normal NixOS entry.
+2. Press `e`.
+3. Find the line that starts with `linux`.
+4. Append this to the end of that line:
+
+```text
+zfs_force=1
+```
+
+5. Boot once with `Ctrl+x` or `F10`.
+
+### systemd-boot
+
+1. At the bootloader menu, highlight the normal NixOS entry.
+2. Press `e`.
+3. Append this to the end of the options line:
+
+```text
+zfs_force=1
+```
+
+4. Press `Enter` to boot once.
+
+## After boot
+
+Run:
+
+```bash
+sudo zpool status
+sudo zpool import
+journalctl -b | rg "ZFS|zfs|import|root_pool"
+```
+
+## Expected result
+
+`sudo zpool status` should show `root_pool` as `ONLINE`.
+
+## Reboot test
+
+Run:
+
+```bash
+sudo reboot
+```
+
+Do not add `zfs_force=1` the second time.
+
+## If it still fails
+
+Boot once more with:
+
+```text
+zfs_force=1
+```
+
+Then run:
+
+```bash
+sudo zpool status -v
+sudo zpool history | tail -n 50
+journalctl -b | rg "ZFS|zfs|import|root_pool"
+```
+
+## Notes
+
+- Root pool name is `root_pool`.
+- This is a one-time recovery path after disk moves, controller changes, dirty exports, or interrupted imports.
+- Some hosts also need the LUKS unlock USB key inserted before boot.

flake.lock

@@ -8,11 +8,11 @@
       },
       "locked": {
         "dir": "pkgs/firefox-addons",
-        "lastModified": 1773979456,
-        "narHash": "sha256-9kBMJ5IvxqNlkkj/swmE8uK1Sc7TL/LIRUI958m7uBM=",
+        "lastModified": 1781150628,
+        "narHash": "sha256-b4mp8l3qWuSCyYYo9HSngDtcB3PpecYiOXjULrjwwlw=",
         "owner": "rycee",
         "repo": "nur-expressions",
-        "rev": "81e28f47ac18d9e89513929c77e711e657b64851",
+        "rev": "753319310f4673a2dabbfab87482187b40bf9bac",
         "type": "gitlab"
       },
       "original": {
@@ -29,11 +29,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1774007980,
-        "narHash": "sha256-FOnZjElEI8pqqCvB6K/1JRHTE8o4rer8driivTpq2uo=",
+        "lastModified": 1781189114,
+        "narHash": "sha256-5inaamLgUMWy+MOBE9ChF9QAF1o/74LFuHkI0W/9rqc=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "9670de2921812bc4e0452f6e3efd8c859696c183",
+        "rev": "486595d2cf49cfcd649b58a284fa11ac0e34da22",
         "type": "github"
       },
       "original": {
@@ -43,12 +43,15 @@
       }
     },
     "nixos-hardware": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      },
       "locked": {
-        "lastModified": 1774018263,
-        "narHash": "sha256-HHYEwK1A22aSaxv2ibhMMkKvrDGKGlA/qObG4smrSqc=",
+        "lastModified": 1781168557,
+        "narHash": "sha256-LOnLQ2tpYF9gqIDDr3+j3DbpJJr/QCH6zPRT2GzEUOE=",
         "owner": "nixos",
         "repo": "nixos-hardware",
-        "rev": "2d4b4717b2534fad5c715968c1cece04a172b365",
+        "rev": "6358ff76821101c178e3ab4919a62799bfe3652e",
         "type": "github"
       },
       "original": {
@@ -60,27 +63,24 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1773821835,
-        "narHash": "sha256-TJ3lSQtW0E2JrznGVm8hOQGVpXjJyXY2guAxku2O9A4=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "b40629efe5d6ec48dd1efba650c797ddbd39ace0",
-        "type": "github"
+        "lastModified": 1767892417,
+        "narHash": "sha256-8bW3q88CEg2u4hSP66Vf4lpbLonHz7hqDNBMcCY7E9U=",
+        "rev": "3497aa5c9457a9d88d71fa93a4a8368816fbeeba",
+        "type": "tarball",
+        "url": "https://releases.nixos.org/nixos/unstable/nixos-26.05pre924538.3497aa5c9457/nixexprs.tar.xz"
       },
       "original": {
-        "owner": "nixos",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
+        "type": "tarball",
+        "url": "https://channels.nixos.org/nixos-unstable/nixexprs.tar.xz"
       }
     },
     "nixpkgs-master": {
       "locked": {
-        "lastModified": 1774051532,
-        "narHash": "sha256-d3CGMweyYIcPuTj5BKq+1Lx4zwlgL31nVtN647tOZKo=",
+        "lastModified": 1781229721,
+        "narHash": "sha256-ORvqDbb/LYxiJljGIejapjkc/kJbVote2N1WSb9W45I=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "8620c0b5cc8fbe76502442181be1d0514bc3a1b7",
+        "rev": "173d0ad7a974f8543a9ab01d2271b2e290341b33",
         "type": "github"
       },
       "original": {
@@ -106,12 +106,28 @@
         "type": "github"
       }
     },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1781074563,
+        "narHash": "sha256-md8WlXOlfnIeHeOScMTTHFyf2d6iaTwPl2apR5EQ3P4=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "9ae611a455b90cf061d8f332b977e387bda8e1ca",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "root": {
       "inputs": {
         "firefox-addons": "firefox-addons",
         "home-manager": "home-manager",
         "nixos-hardware": "nixos-hardware",
-        "nixpkgs": "nixpkgs",
+        "nixpkgs": "nixpkgs_2",
         "nixpkgs-master": "nixpkgs-master",
         "nixpkgs-stable": "nixpkgs-stable",
         "sops-nix": "sops-nix",
@@ -125,11 +141,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1773889674,
-        "narHash": "sha256-+ycaiVAk3MEshJTg35cBTUa0MizGiS+bgpYw/f8ohkg=",
+        "lastModified": 1780547341,
+        "narHash": "sha256-Gq8KNx5A7hBB3uGJaj6eQfLDIz5YdLu92gqBcvHvoUo=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "29b6519f3e0780452bca0ac0be4584f04ac16cc5",
+        "rev": "9ed65852b6257fbeae4355bc24ecfea307ca759a",
         "type": "github"
       },
       "original": {

overlays/default.nix

@@ -25,6 +25,7 @@
         fastapi-cli
         httpx
         mypy
+        orjson
         polars
         psycopg
         pydantic
@@ -40,6 +41,7 @@
         sqlalchemy
         tenacity
         textual
+        tiktoken
         tinytuya
         typer
         websockets

pyproject.toml

@@ -26,6 +26,7 @@ dependencies = [
 [project.scripts]
 database = "python.database_cli:app"
 van-inventory = "python.van_inventory.main:serve"
+whisper-transcribe = "python.tools.whisper.transcribe:main"
 
 [dependency-groups]
 dev = [
@@ -50,6 +51,7 @@ lint.ignore = [
     "COM812", # (TEMP) conflicts when used with the formatter
     "ISC001", # (TEMP) conflicts when used with the formatter
     "S603",   # (PERM) This is known to cause a false positive
+    "S607",   # (PERM) This is becoming a consistent annoyance
 ]
 
 [tool.ruff.lint.per-file-ignores]
@@ -78,15 +80,10 @@ lint.ignore = [
 "python/congress_tracker/**" = [
     "TC003", # (perm) this creates issues because sqlalchemy uses these at runtime
 ]
-"python/eval_warnings/**" = [
-    "S607", # (perm) gh and git are expected on PATH in the runner environment
-]
+
 "python/alembic/**" = [
     "INP001", # (perm) this creates LSP issues for alembic
 ]
-"python/signal_bot/**" = [
-    "D107", # (perm) class docstrings cover __init__
-]
 
 [tool.ruff.lint.pydocstyle]
 convention = "google"

python/alembic/env.py

@@ -81,6 +81,7 @@ def include_name(
 
     """
     if type_ == "schema":
+        # allows a database with multiple schemas to have separate alembic revisions
         return name == target_metadata.schema
     return True
 

python/alembic/richie/versions/2026_03_29-removed_ds_table_from_richie_db_c8a794340928.py

@@ -0,0 +1,187 @@
+"""removed ds table from richie DB.
+
+Revision ID: c8a794340928
+Revises: 6b275323f435
+Create Date: 2026-03-29 15:29:23.643146
+
+"""
+
+from __future__ import annotations
+
+from typing import TYPE_CHECKING
+
+import sqlalchemy as sa
+from alembic import op
+from sqlalchemy.dialects import postgresql
+
+from python.orm import RichieBase
+
+if TYPE_CHECKING:
+    from collections.abc import Sequence
+
+# revision identifiers, used by Alembic.
+revision: str = "c8a794340928"
+down_revision: str | None = "6b275323f435"
+branch_labels: str | Sequence[str] | None = None
+depends_on: str | Sequence[str] | None = None
+
+schema = RichieBase.schema_name
+
+
+def upgrade() -> None:
+    """Upgrade."""
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_table("vote_record", schema=schema)
+    op.drop_index(op.f("ix_vote_congress_chamber"), table_name="vote", schema=schema)
+    op.drop_index(op.f("ix_vote_date"), table_name="vote", schema=schema)
+    op.drop_index(op.f("ix_legislator_bioguide_id"), table_name="legislator", schema=schema)
+    op.drop_table("legislator", schema=schema)
+    op.drop_table("vote", schema=schema)
+    op.drop_index(op.f("ix_bill_congress"), table_name="bill", schema=schema)
+    op.drop_table("bill", schema=schema)
+    # ### end Alembic commands ###
+
+
+def downgrade() -> None:
+    """Downgrade."""
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.create_table(
+        "vote",
+        sa.Column("congress", sa.INTEGER(), autoincrement=False, nullable=False),
+        sa.Column("chamber", sa.VARCHAR(), autoincrement=False, nullable=False),
+        sa.Column("session", sa.INTEGER(), autoincrement=False, nullable=False),
+        sa.Column("number", sa.INTEGER(), autoincrement=False, nullable=False),
+        sa.Column("vote_type", sa.VARCHAR(), autoincrement=False, nullable=True),
+        sa.Column("question", sa.VARCHAR(), autoincrement=False, nullable=True),
+        sa.Column("result", sa.VARCHAR(), autoincrement=False, nullable=True),
+        sa.Column("result_text", sa.VARCHAR(), autoincrement=False, nullable=True),
+        sa.Column("vote_date", sa.DATE(), autoincrement=False, nullable=False),
+        sa.Column("yea_count", sa.INTEGER(), autoincrement=False, nullable=True),
+        sa.Column("nay_count", sa.INTEGER(), autoincrement=False, nullable=True),
+        sa.Column("not_voting_count", sa.INTEGER(), autoincrement=False, nullable=True),
+        sa.Column("present_count", sa.INTEGER(), autoincrement=False, nullable=True),
+        sa.Column("bill_id", sa.INTEGER(), autoincrement=False, nullable=True),
+        sa.Column("id", sa.INTEGER(), autoincrement=True, nullable=False),
+        sa.Column(
+            "created",
+            postgresql.TIMESTAMP(timezone=True),
+            server_default=sa.text("now()"),
+            autoincrement=False,
+            nullable=False,
+        ),
+        sa.Column(
+            "updated",
+            postgresql.TIMESTAMP(timezone=True),
+            server_default=sa.text("now()"),
+            autoincrement=False,
+            nullable=False,
+        ),
+        sa.ForeignKeyConstraint(["bill_id"], [f"{schema}.bill.id"], name=op.f("fk_vote_bill_id_bill")),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_vote")),
+        sa.UniqueConstraint(
+            "congress",
+            "chamber",
+            "session",
+            "number",
+            name=op.f("uq_vote_congress_chamber_session_number"),
+            postgresql_include=[],
+            postgresql_nulls_not_distinct=False,
+        ),
+        schema=schema,
+    )
+    op.create_index(op.f("ix_vote_date"), "vote", ["vote_date"], unique=False, schema=schema)
+    op.create_index(op.f("ix_vote_congress_chamber"), "vote", ["congress", "chamber"], unique=False, schema=schema)
+    op.create_table(
+        "vote_record",
+        sa.Column("vote_id", sa.INTEGER(), autoincrement=False, nullable=False),
+        sa.Column("legislator_id", sa.INTEGER(), autoincrement=False, nullable=False),
+        sa.Column("position", sa.VARCHAR(), autoincrement=False, nullable=False),
+        sa.ForeignKeyConstraint(
+            ["legislator_id"],
+            [f"{schema}.legislator.id"],
+            name=op.f("fk_vote_record_legislator_id_legislator"),
+            ondelete="CASCADE",
+        ),
+        sa.ForeignKeyConstraint(
+            ["vote_id"], [f"{schema}.vote.id"], name=op.f("fk_vote_record_vote_id_vote"), ondelete="CASCADE"
+        ),
+        sa.PrimaryKeyConstraint("vote_id", "legislator_id", name=op.f("pk_vote_record")),
+        schema=schema,
+    )
+    op.create_table(
+        "legislator",
+        sa.Column("bioguide_id", sa.TEXT(), autoincrement=False, nullable=False),
+        sa.Column("thomas_id", sa.VARCHAR(), autoincrement=False, nullable=True),
+        sa.Column("lis_id", sa.VARCHAR(), autoincrement=False, nullable=True),
+        sa.Column("govtrack_id", sa.INTEGER(), autoincrement=False, nullable=True),
+        sa.Column("opensecrets_id", sa.VARCHAR(), autoincrement=False, nullable=True),
+        sa.Column("fec_ids", sa.VARCHAR(), autoincrement=False, nullable=True),
+        sa.Column("first_name", sa.VARCHAR(), autoincrement=False, nullable=False),
+        sa.Column("last_name", sa.VARCHAR(), autoincrement=False, nullable=False),
+        sa.Column("official_full_name", sa.VARCHAR(), autoincrement=False, nullable=True),
+        sa.Column("nickname", sa.VARCHAR(), autoincrement=False, nullable=True),
+        sa.Column("birthday", sa.DATE(), autoincrement=False, nullable=True),
+        sa.Column("gender", sa.VARCHAR(), autoincrement=False, nullable=True),
+        sa.Column("current_party", sa.VARCHAR(), autoincrement=False, nullable=True),
+        sa.Column("current_state", sa.VARCHAR(), autoincrement=False, nullable=True),
+        sa.Column("current_district", sa.INTEGER(), autoincrement=False, nullable=True),
+        sa.Column("current_chamber", sa.VARCHAR(), autoincrement=False, nullable=True),
+        sa.Column("id", sa.INTEGER(), autoincrement=True, nullable=False),
+        sa.Column(
+            "created",
+            postgresql.TIMESTAMP(timezone=True),
+            server_default=sa.text("now()"),
+            autoincrement=False,
+            nullable=False,
+        ),
+        sa.Column(
+            "updated",
+            postgresql.TIMESTAMP(timezone=True),
+            server_default=sa.text("now()"),
+            autoincrement=False,
+            nullable=False,
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_legislator")),
+        schema=schema,
+    )
+    op.create_index(op.f("ix_legislator_bioguide_id"), "legislator", ["bioguide_id"], unique=True, schema=schema)
+    op.create_table(
+        "bill",
+        sa.Column("congress", sa.INTEGER(), autoincrement=False, nullable=False),
+        sa.Column("bill_type", sa.VARCHAR(), autoincrement=False, nullable=False),
+        sa.Column("number", sa.INTEGER(), autoincrement=False, nullable=False),
+        sa.Column("title", sa.VARCHAR(), autoincrement=False, nullable=True),
+        sa.Column("title_short", sa.VARCHAR(), autoincrement=False, nullable=True),
+        sa.Column("official_title", sa.VARCHAR(), autoincrement=False, nullable=True),
+        sa.Column("status", sa.VARCHAR(), autoincrement=False, nullable=True),
+        sa.Column("status_at", sa.DATE(), autoincrement=False, nullable=True),
+        sa.Column("sponsor_bioguide_id", sa.VARCHAR(), autoincrement=False, nullable=True),
+        sa.Column("subjects_top_term", sa.VARCHAR(), autoincrement=False, nullable=True),
+        sa.Column("id", sa.INTEGER(), autoincrement=True, nullable=False),
+        sa.Column(
+            "created",
+            postgresql.TIMESTAMP(timezone=True),
+            server_default=sa.text("now()"),
+            autoincrement=False,
+            nullable=False,
+        ),
+        sa.Column(
+            "updated",
+            postgresql.TIMESTAMP(timezone=True),
+            server_default=sa.text("now()"),
+            autoincrement=False,
+            nullable=False,
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_bill")),
+        sa.UniqueConstraint(
+            "congress",
+            "bill_type",
+            "number",
+            name=op.f("uq_bill_congress_type_number"),
+            postgresql_include=[],
+            postgresql_nulls_not_distinct=False,
+        ),
+        schema=schema,
+    )
+    op.create_index(op.f("ix_bill_congress"), "bill", ["congress"], unique=False, schema=schema)
+    # ### end Alembic commands ###

python/alembic/signal_bot/versions/2026_03_17-seprating_signal_bot_database_6eaf696e07a5.py

@@ -1,100 +0,0 @@
-"""seprating signal_bot database.
-
-Revision ID: 6eaf696e07a5
-Revises:
-Create Date: 2026-03-17 21:35:37.612672
-
-"""
-
-from __future__ import annotations
-
-from typing import TYPE_CHECKING
-
-import sqlalchemy as sa
-from alembic import op
-from sqlalchemy.dialects import postgresql
-
-from python.orm import SignalBotBase
-
-if TYPE_CHECKING:
-    from collections.abc import Sequence
-
-# revision identifiers, used by Alembic.
-revision: str = "6eaf696e07a5"
-down_revision: str | None = None
-branch_labels: str | Sequence[str] | None = None
-depends_on: str | Sequence[str] | None = None
-
-schema = SignalBotBase.schema_name
-
-
-def upgrade() -> None:
-    """Upgrade."""
-    # ### commands auto generated by Alembic - please adjust! ###
-    op.create_table(
-        "dead_letter_message",
-        sa.Column("source", sa.String(), nullable=False),
-        sa.Column("message", sa.Text(), nullable=False),
-        sa.Column("received_at", sa.DateTime(timezone=True), nullable=False),
-        sa.Column(
-            "status", postgresql.ENUM("UNPROCESSED", "PROCESSED", name="message_status", schema=schema), nullable=False
-        ),
-        sa.Column("id", sa.Integer(), nullable=False),
-        sa.Column("created", sa.DateTime(timezone=True), server_default=sa.text("now()"), nullable=False),
-        sa.Column("updated", sa.DateTime(timezone=True), server_default=sa.text("now()"), nullable=False),
-        sa.PrimaryKeyConstraint("id", name=op.f("pk_dead_letter_message")),
-        schema=schema,
-    )
-    op.create_table(
-        "role",
-        sa.Column("name", sa.String(length=50), nullable=False),
-        sa.Column("id", sa.SmallInteger(), nullable=False),
-        sa.Column("created", sa.DateTime(timezone=True), server_default=sa.text("now()"), nullable=False),
-        sa.Column("updated", sa.DateTime(timezone=True), server_default=sa.text("now()"), nullable=False),
-        sa.PrimaryKeyConstraint("id", name=op.f("pk_role")),
-        sa.UniqueConstraint("name", name=op.f("uq_role_name")),
-        schema=schema,
-    )
-    op.create_table(
-        "signal_device",
-        sa.Column("phone_number", sa.String(length=50), nullable=False),
-        sa.Column("safety_number", sa.String(), nullable=True),
-        sa.Column(
-            "trust_level",
-            postgresql.ENUM("VERIFIED", "UNVERIFIED", "BLOCKED", name="trust_level", schema=schema),
-            nullable=False,
-        ),
-        sa.Column("last_seen", sa.DateTime(timezone=True), nullable=False),
-        sa.Column("id", sa.Integer(), nullable=False),
-        sa.Column("created", sa.DateTime(timezone=True), server_default=sa.text("now()"), nullable=False),
-        sa.Column("updated", sa.DateTime(timezone=True), server_default=sa.text("now()"), nullable=False),
-        sa.PrimaryKeyConstraint("id", name=op.f("pk_signal_device")),
-        sa.UniqueConstraint("phone_number", name=op.f("uq_signal_device_phone_number")),
-        schema=schema,
-    )
-    op.create_table(
-        "device_role",
-        sa.Column("device_id", sa.Integer(), nullable=False),
-        sa.Column("role_id", sa.SmallInteger(), nullable=False),
-        sa.Column("id", sa.Integer(), nullable=False),
-        sa.Column("created", sa.DateTime(timezone=True), server_default=sa.text("now()"), nullable=False),
-        sa.Column("updated", sa.DateTime(timezone=True), server_default=sa.text("now()"), nullable=False),
-        sa.ForeignKeyConstraint(
-            ["device_id"], [f"{schema}.signal_device.id"], name=op.f("fk_device_role_device_id_signal_device")
-        ),
-        sa.ForeignKeyConstraint(["role_id"], [f"{schema}.role.id"], name=op.f("fk_device_role_role_id_role")),
-        sa.PrimaryKeyConstraint("id", name=op.f("pk_device_role")),
-        sa.UniqueConstraint("device_id", "role_id", name="uq_device_role_device_role"),
-        schema=schema,
-    )
-    # ### end Alembic commands ###
-
-
-def downgrade() -> None:
-    """Downgrade."""
-    # ### commands auto generated by Alembic - please adjust! ###
-    op.drop_table("device_role", schema=schema)
-    op.drop_table("signal_device", schema=schema)
-    op.drop_table("role", schema=schema)
-    op.drop_table("dead_letter_message", schema=schema)
-    # ### end Alembic commands ###

python/alembic/signal_bot/versions/2026_03_18-test_66bdd532bcab.py

@@ -1,72 +0,0 @@
-"""test.
-
-Revision ID: 66bdd532bcab
-Revises: 6eaf696e07a5
-Create Date: 2026-03-18 19:21:14.561568
-
-"""
-
-from __future__ import annotations
-
-from typing import TYPE_CHECKING
-
-import sqlalchemy as sa
-from alembic import op
-from sqlalchemy.dialects import postgresql
-
-from python.orm import SignalBotBase
-
-if TYPE_CHECKING:
-    from collections.abc import Sequence
-
-# revision identifiers, used by Alembic.
-revision: str = "66bdd532bcab"
-down_revision: str | None = "6eaf696e07a5"
-branch_labels: str | Sequence[str] | None = None
-depends_on: str | Sequence[str] | None = None
-
-schema = SignalBotBase.schema_name
-
-
-def upgrade() -> None:
-    """Upgrade."""
-    # ### commands auto generated by Alembic - please adjust! ###
-    op.alter_column(
-        "dead_letter_message",
-        "status",
-        existing_type=postgresql.ENUM("UNPROCESSED", "PROCESSED", name="message_status", schema=schema),
-        type_=sa.Enum("UNPROCESSED", "PROCESSED", name="message_status", native_enum=False),
-        existing_nullable=False,
-        schema=schema,
-    )
-    op.alter_column(
-        "signal_device",
-        "trust_level",
-        existing_type=postgresql.ENUM("VERIFIED", "UNVERIFIED", "BLOCKED", name="trust_level", schema=schema),
-        type_=sa.Enum("VERIFIED", "UNVERIFIED", "BLOCKED", name="trust_level", native_enum=False),
-        existing_nullable=False,
-        schema=schema,
-    )
-    # ### end Alembic commands ###
-
-
-def downgrade() -> None:
-    """Downgrade."""
-    # ### commands auto generated by Alembic - please adjust! ###
-    op.alter_column(
-        "signal_device",
-        "trust_level",
-        existing_type=sa.Enum("VERIFIED", "UNVERIFIED", "BLOCKED", name="trust_level", native_enum=False),
-        type_=postgresql.ENUM("VERIFIED", "UNVERIFIED", "BLOCKED", name="trust_level", schema=schema),
-        existing_nullable=False,
-        schema=schema,
-    )
-    op.alter_column(
-        "dead_letter_message",
-        "status",
-        existing_type=sa.Enum("UNPROCESSED", "PROCESSED", name="message_status", native_enum=False),
-        type_=postgresql.ENUM("UNPROCESSED", "PROCESSED", name="message_status", schema=schema),
-        existing_nullable=False,
-        schema=schema,
-    )
-    # ### end Alembic commands ###

python/database_cli.py

@@ -83,13 +83,6 @@ DATABASES: dict[str, DatabaseConfig] = {
         base_class_name="VanInventoryBase",
         models_module="python.orm.van_inventory.models",
     ),
-    "signal_bot": DatabaseConfig(
-        env_prefix="SIGNALBOT",
-        version_location="python/alembic/signal_bot/versions",
-        base_module="python.orm.signal_bot.base",
-        base_class_name="SignalBotBase",
-        models_module="python.orm.signal_bot.models",
-    ),
 }
 
 

python/gitea.py

@@ -0,0 +1,347 @@
+"""Small Gitea API client for repository automation."""
+
+from __future__ import annotations
+
+from dataclasses import dataclass
+from typing import Self
+from urllib.parse import quote
+
+import httpx
+
+DEFAULT_PAGE_SIZE = 100
+EXPECTED_NO_CONTENT = 204
+EXPECTED_CREATED = 201
+EXPECTED_OK = 200
+
+
+@dataclass(frozen=True)
+class CreatedIssue:
+    """Issue data returned by Gitea."""
+
+    number: int | None
+    html_url: str | None
+    title: str
+
+
+@dataclass(frozen=True)
+class PullRequest:
+    """Pull request data returned by Gitea."""
+
+    number: int
+    title: str
+    html_url: str | None
+    labels: tuple[str, ...]
+    head_branch: str | None
+    base_branch: str | None
+
+
+@dataclass(frozen=True)
+class WorkflowJob:
+    """Workflow job data returned by Gitea Actions."""
+
+    id: int
+    name: str
+    run_id: int | None
+    status: str | None
+    conclusion: str | None
+
+
+class GiteaError(RuntimeError):
+    """Raised when Gitea rejects an API request."""
+
+
+def split_repo_name(repo: str) -> tuple[str, str]:
+    """Split an owner/repo string into its parts."""
+    owner, separator, repo_name = repo.partition("/")
+    if not separator or not owner or not repo_name:
+        msg = f"Invalid repository name: {repo}"
+        raise ValueError(msg)
+    return owner, repo_name
+
+
+class GiteaClient:
+    """HTTP client for the subset of Gitea APIs used in this repository."""
+
+    def __init__(
+        self,
+        *,
+        base_url: str,
+        token: str,
+        timeout: int = 30,
+        transport: httpx.BaseTransport | None = None,
+    ) -> None:
+        """Initialize the Gitea client."""
+        self._client = httpx.Client(
+            base_url=base_url.rstrip("/"),
+            timeout=timeout,
+            headers={"Authorization": f"token {token}"},
+            transport=transport,
+        )
+
+    def create_issue(
+        self,
+        *,
+        owner: str,
+        repo: str,
+        title: str,
+        body: str,
+        labels: list[int] | None = None,
+    ) -> CreatedIssue:
+        """Create a Gitea issue."""
+        payload: dict[str, object] = {"title": title, "body": body, "labels": labels or []}
+        response = self._request(
+            "POST",
+            f"/api/v1/repos/{owner}/{repo}/issues",
+            expected_statuses={EXPECTED_CREATED},
+            json=payload,
+        )
+        data = response.json()
+        return CreatedIssue(
+            number=_optional_int(data.get("number")),
+            html_url=_optional_str(data.get("html_url")),
+            title=str(data.get("title", title)),
+        )
+
+    def resolve_label_ids(self, *, owner: str, repo: str, labels: list[str]) -> list[int]:
+        """Resolve label names to Gitea label IDs."""
+        if not labels:
+            return []
+
+        available_labels: dict[str, int] = {}
+        page = 1
+        while True:
+            response = self._request(
+                "GET",
+                f"/api/v1/repos/{owner}/{repo}/labels",
+                params={"page": page, "limit": DEFAULT_PAGE_SIZE},
+            )
+            batch = response.json()
+            if not batch:
+                break
+            for label in batch:
+                label_name = str(label.get("name", ""))
+                label_id = _optional_int(label.get("id"))
+                if label_name and label_id is not None:
+                    available_labels[label_name] = label_id
+            if len(batch) < DEFAULT_PAGE_SIZE:
+                break
+            page += 1
+
+        missing = [label for label in labels if label not in available_labels]
+        if missing:
+            missing_names = ", ".join(sorted(missing))
+            msg = f"Missing Gitea labels: {missing_names}"
+            raise GiteaError(msg)
+
+        return [available_labels[label] for label in labels]
+
+    def list_open_pull_requests(
+        self,
+        *,
+        owner: str,
+        repo: str,
+        labels: list[str] | None = None,
+        head: str | None = None,
+    ) -> list[PullRequest]:
+        """List open pull requests for a repository."""
+        expected_labels = set(labels or [])
+        pull_requests: list[PullRequest] = []
+        page = 1
+        while True:
+            response = self._request(
+                "GET",
+                f"/api/v1/repos/{owner}/{repo}/pulls",
+                params={"state": "open", "page": page, "limit": DEFAULT_PAGE_SIZE},
+            )
+            batch = response.json()
+            if not batch:
+                break
+
+            for item in batch:
+                pull_request = _pull_request_from_api(item)
+                if head and pull_request.head_branch != head:
+                    continue
+                if expected_labels and not expected_labels.issubset(set(pull_request.labels)):
+                    continue
+                pull_requests.append(pull_request)
+
+            if len(batch) < DEFAULT_PAGE_SIZE:
+                break
+            page += 1
+
+        return pull_requests
+
+    def create_pull_request(
+        self,
+        *,
+        owner: str,
+        repo: str,
+        title: str,
+        body: str,
+        head: str,
+        base: str,
+        labels: list[str] | None = None,
+    ) -> PullRequest:
+        """Create a pull request."""
+        payload: dict[str, object] = {
+            "title": title,
+            "body": body,
+            "head": head,
+            "base": base,
+        }
+        if labels:
+            payload["labels"] = self.resolve_label_ids(owner=owner, repo=repo, labels=labels)
+
+        response = self._request(
+            "POST",
+            f"/api/v1/repos/{owner}/{repo}/pulls",
+            expected_statuses={EXPECTED_CREATED},
+            json=payload,
+        )
+        return _pull_request_from_api(response.json())
+
+    def merge_pull_request(
+        self,
+        *,
+        owner: str,
+        repo: str,
+        number: int,
+        merge_method: str = "rebase",
+        head_commit_id: str | None = None,
+        delete_branch_after_merge: bool = False,
+    ) -> None:
+        """Merge a pull request."""
+        payload: dict[str, object] = {
+            "Do": merge_method,
+            "delete_branch_after_merge": delete_branch_after_merge,
+        }
+        if head_commit_id:
+            payload["head_commit_id"] = head_commit_id
+
+        self._request(
+            "POST",
+            f"/api/v1/repos/{owner}/{repo}/pulls/{number}/merge",
+            json=payload,
+        )
+
+    def dispatch_workflow(self, *, owner: str, repo: str, workflow_id: str, ref: str) -> None:
+        """Trigger a workflow_dispatch run."""
+        workflow_path = quote(workflow_id, safe="")
+        self._request(
+            "POST",
+            f"/api/v1/repos/{owner}/{repo}/actions/workflows/{workflow_path}/dispatches",
+            expected_statuses={EXPECTED_OK, EXPECTED_NO_CONTENT},
+            json={"ref": ref},
+        )
+
+    def list_run_jobs(self, *, owner: str, repo: str, run_id: str | int) -> list[WorkflowJob]:
+        """List workflow jobs for a specific run."""
+        jobs: list[WorkflowJob] = []
+        page = 1
+        while True:
+            response = self._request(
+                "GET",
+                f"/api/v1/repos/{owner}/{repo}/actions/jobs",
+                params={"page": page, "limit": DEFAULT_PAGE_SIZE},
+            )
+            payload = response.json()
+            batch = payload.get("jobs", [])
+            if not batch:
+                break
+
+            for item in batch:
+                if str(item.get("run_id")) != str(run_id):
+                    continue
+                jobs.append(_workflow_job_from_api(item))
+
+            if len(batch) < DEFAULT_PAGE_SIZE:
+                break
+            page += 1
+
+        return jobs
+
+    def download_job_logs(self, *, owner: str, repo: str, job_id: int) -> str:
+        """Download logs for a workflow job."""
+        response = self._request(
+            "GET",
+            f"/api/v1/repos/{owner}/{repo}/actions/jobs/{job_id}/logs",
+        )
+        return response.text
+
+    def close(self) -> None:
+        """Close the underlying HTTP client."""
+        self._client.close()
+
+    def __enter__(self) -> Self:
+        """Enter the context manager."""
+        return self
+
+    def __exit__(self, *args: object) -> None:
+        """Close the HTTP client."""
+        self.close()
+
+    def _request(
+        self,
+        method: str,
+        path: str,
+        *,
+        expected_statuses: set[int] | None = None,
+        **kwargs: object,
+    ) -> httpx.Response:
+        """Send an HTTP request and validate the response status."""
+        response = self._client.request(method, path, **kwargs)
+        statuses = expected_statuses or {EXPECTED_OK}
+        if response.status_code not in statuses:
+            msg = f"Gitea request failed ({response.status_code}): {response.text}"
+            raise GiteaError(msg)
+        return response
+
+
+def _pull_request_from_api(data: dict[str, object]) -> PullRequest:
+    """Convert Gitea API pull-request data into a dataclass."""
+    number = _optional_int(data.get("number")) or _optional_int(data.get("index"))
+    if number is None:
+        msg = "Gitea pull request payload is missing a number"
+        raise GiteaError(msg)
+
+    labels = tuple(str(label.get("name", "")) for label in data.get("labels", []))
+    head = data.get("head", {})
+    base = data.get("base", {})
+    return PullRequest(
+        number=number,
+        title=str(data.get("title", "")),
+        html_url=_optional_str(data.get("html_url")),
+        labels=tuple(label for label in labels if label),
+        head_branch=_optional_str(head.get("ref")) or _optional_str(data.get("head_branch")),
+        base_branch=_optional_str(base.get("ref")) or _optional_str(data.get("base_branch")),
+    )
+
+
+def _workflow_job_from_api(data: dict[str, object]) -> WorkflowJob:
+    """Convert Gitea API workflow-job data into a dataclass."""
+    job_id = _optional_int(data.get("id"))
+    if job_id is None:
+        msg = "Gitea workflow job payload is missing an ID"
+        raise GiteaError(msg)
+
+    return WorkflowJob(
+        id=job_id,
+        name=str(data.get("name", "")),
+        run_id=_optional_int(data.get("run_id")),
+        status=_optional_str(data.get("status")),
+        conclusion=_optional_str(data.get("conclusion")),
+    )
+
+
+def _optional_int(value: object) -> int | None:
+    """Convert an API value to an integer when present."""
+    if value is None:
+        return None
+    return int(value)
+
+
+def _optional_str(value: object) -> str | None:
+    """Convert an API value to a string when present."""
+    if value is None:
+        return None
+    return str(value)

python/gitea_flake_lock.py

@@ -0,0 +1,148 @@
+"""Automation helpers for flake.lock pull requests on Gitea."""
+
+from __future__ import annotations
+
+import subprocess
+from os import getenv
+from typing import Annotated
+
+import typer
+
+from python.gitea import GiteaClient, PullRequest, split_repo_name
+
+DEFAULT_BASE_BRANCH = "main"
+DEFAULT_BRANCH = "automation/update-flake-lock"
+DEFAULT_GITEA_URL = "https://gitea.tmmworkshop.com"
+PR_LABELS = ["dependencies", "automated", "flake_lock_update"]
+PR_CHECK_WORKFLOWS = ["build_systems.yml", "treefmt.yml", "pytest.yml"]
+PR_TITLE = "Update flake.lock"
+PR_BODY = "Automated flake.lock update."
+
+app = typer.Typer(add_completion=False)
+
+
+def run_cmd(cmd: list[str], *, check: bool = True) -> subprocess.CompletedProcess[str]:
+    """Run a subprocess command."""
+    return subprocess.run(cmd, capture_output=True, text=True, check=check)
+
+
+def ensure_flake_lock_pull_request(
+    client: GiteaClient,
+    *,
+    owner: str,
+    repo: str,
+    branch: str,
+    base: str,
+) -> PullRequest:
+    """Return an existing flake.lock PR for the branch or create one."""
+    pull_requests = client.list_open_pull_requests(owner=owner, repo=repo, head=branch)
+    if pull_requests:
+        return pull_requests[0]
+
+    return client.create_pull_request(
+        owner=owner,
+        repo=repo,
+        title=PR_TITLE,
+        body=PR_BODY,
+        head=branch,
+        base=base,
+        labels=PR_LABELS,
+    )
+
+
+def find_flake_lock_pull_request(client: GiteaClient, *, owner: str, repo: str) -> PullRequest | None:
+    """Find the first open flake.lock pull request."""
+    pull_requests = client.list_open_pull_requests(owner=owner, repo=repo, labels=["flake_lock_update"])
+    if not pull_requests:
+        return None
+    return pull_requests[0]
+
+
+def dispatch_pull_request_checks(client: GiteaClient, *, owner: str, repo: str, branch: str) -> None:
+    """Dispatch the workflows that normally run for pull requests."""
+    for workflow in PR_CHECK_WORKFLOWS:
+        client.dispatch_workflow(owner=owner, repo=repo, workflow_id=workflow, ref=branch)
+
+
+def has_worktree_changes() -> bool:
+    """Return whether `flake.lock` has worktree changes."""
+    result = run_cmd(["git", "diff", "--quiet", "--", "flake.lock"], check=False)
+    return result.returncode != 0
+
+
+def commit_flake_lock_update(*, branch: str) -> None:
+    """Commit the updated lock file to the automation branch."""
+    run_cmd(["git", "config", "user.name", "gitea-actions[bot]"])
+    run_cmd(["git", "config", "user.email", "gitea-actions@tmmworkshop.com"])
+    run_cmd(["git", "checkout", "-B", branch])
+    run_cmd(["git", "add", "flake.lock"])
+    run_cmd(["git", "commit", "-m", "chore: update flake.lock"])
+
+
+def push_branch(*, branch: str) -> None:
+    """Push the automation branch to origin."""
+    run_cmd(["git", "push", "origin", f"HEAD:{branch}", "--force"])
+
+
+def _required_gitea_token() -> str:
+    """Read the required Gitea token from the environment."""
+    token = getenv("GITEA_TOKEN")
+    if token:
+        return token
+
+    msg = "GITEA_TOKEN environment variable is required"
+    raise RuntimeError(msg)
+
+
+@app.command()
+def update(
+    repo: Annotated[str, typer.Option("--repo", help="Gitea repository in owner/repo form")],
+    base: Annotated[str, typer.Option("--base", help="Base branch")] = DEFAULT_BASE_BRANCH,
+    branch: Annotated[str, typer.Option("--branch", help="Automation branch")] = DEFAULT_BRANCH,
+) -> None:
+    """Commit flake.lock changes and ensure a pull request exists."""
+    if not has_worktree_changes():
+        typer.echo("No flake.lock changes detected")
+        return
+
+    commit_flake_lock_update(branch=branch)
+    push_branch(branch=branch)
+
+    owner, repo_name = split_repo_name(repo)
+    with GiteaClient(
+        base_url=getenv("GITEA_URL", DEFAULT_GITEA_URL),
+        token=_required_gitea_token(),
+    ) as client:
+        pull_request = ensure_flake_lock_pull_request(
+            client,
+            owner=owner,
+            repo=repo_name,
+            branch=branch,
+            base=base,
+        )
+        # We can remove this if Gitea fixes the following issue:
+        # https://github.com/go-gitea/gitea/issues/33963
+        dispatch_pull_request_checks(client, owner=owner, repo=repo_name, branch=branch)
+    typer.echo(pull_request.html_url or f"Pull request #{pull_request.number}")
+
+
+@app.command()
+def merge(
+    repo: Annotated[str, typer.Option("--repo", help="Gitea repository in owner/repo form")],
+) -> None:
+    """Merge the first open flake.lock pull request."""
+    owner, repo_name = split_repo_name(repo)
+    with GiteaClient(
+        base_url=getenv("GITEA_URL", DEFAULT_GITEA_URL),
+        token=_required_gitea_token(),
+    ) as client:
+        pull_request = find_flake_lock_pull_request(client, owner=owner, repo=repo_name)
+        if not pull_request:
+            typer.echo("No open PR found with label flake_lock_update")
+            return
+        client.merge_pull_request(owner=owner, repo=repo_name, number=pull_request.number, merge_method="rebase")
+    typer.echo(f"Merged PR #{pull_request.number}")
+
+
+if __name__ == "__main__":
+    app()

python/orm/__init__.py

@@ -1,11 +1,9 @@
 """ORM package exports."""
 
 from python.orm.richie.base import RichieBase
-from python.orm.signal_bot.base import SignalBotBase
 from python.orm.van_inventory.base import VanInventoryBase
 
 __all__ = [
     "RichieBase",
-    "SignalBotBase",
     "VanInventoryBase",
 ]

python/orm/richie/__init__.py

@@ -3,7 +3,6 @@
 from __future__ import annotations
 
 from python.orm.richie.base import RichieBase, TableBase, TableBaseBig, TableBaseSmall
-from python.orm.richie.congress import Bill, Legislator, Vote, VoteRecord
 from python.orm.richie.contact import (
     Contact,
     ContactNeed,
@@ -13,17 +12,13 @@ from python.orm.richie.contact import (
 )
 
 __all__ = [
-    "Bill",
     "Contact",
     "ContactNeed",
     "ContactRelationship",
-    "Legislator",
     "Need",
     "RelationshipType",
     "RichieBase",
     "TableBase",
     "TableBaseBig",
     "TableBaseSmall",
-    "Vote",
-    "VoteRecord",
 ]

python/orm/richie/congress.py

@@ -1,150 +0,0 @@
-"""Congress Tracker database models."""
-
-from __future__ import annotations
-
-from datetime import date
-
-from sqlalchemy import ForeignKey, Index, Text, UniqueConstraint
-from sqlalchemy.orm import Mapped, mapped_column, relationship
-
-from python.orm.richie.base import RichieBase, TableBase
-
-
-class Legislator(TableBase):
-    """Legislator model - members of Congress."""
-
-    __tablename__ = "legislator"
-
-    # Natural key - bioguide ID is the authoritative identifier
-    bioguide_id: Mapped[str] = mapped_column(Text, unique=True, index=True)
-
-    # Other IDs for cross-referencing
-    thomas_id: Mapped[str | None]
-    lis_id: Mapped[str | None]
-    govtrack_id: Mapped[int | None]
-    opensecrets_id: Mapped[str | None]
-    fec_ids: Mapped[str | None]  # JSON array stored as string
-
-    # Name info
-    first_name: Mapped[str]
-    last_name: Mapped[str]
-    official_full_name: Mapped[str | None]
-    nickname: Mapped[str | None]
-
-    # Bio
-    birthday: Mapped[date | None]
-    gender: Mapped[str | None]  # M/F
-
-    # Current term info (denormalized for query efficiency)
-    current_party: Mapped[str | None]
-    current_state: Mapped[str | None]
-    current_district: Mapped[int | None]  # House only
-    current_chamber: Mapped[str | None]  # rep/sen
-
-    # Relationships
-    vote_records: Mapped[list[VoteRecord]] = relationship(
-        "VoteRecord",
-        back_populates="legislator",
-        cascade="all, delete-orphan",
-    )
-
-
-class Bill(TableBase):
-    """Bill model - legislation introduced in Congress."""
-
-    __tablename__ = "bill"
-
-    # Composite natural key: congress + bill_type + number
-    congress: Mapped[int]
-    bill_type: Mapped[str]  # hr, s, hres, sres, hjres, sjres
-    number: Mapped[int]
-
-    # Bill info
-    title: Mapped[str | None]
-    title_short: Mapped[str | None]
-    official_title: Mapped[str | None]
-
-    # Status
-    status: Mapped[str | None]
-    status_at: Mapped[date | None]
-
-    # Sponsor
-    sponsor_bioguide_id: Mapped[str | None]
-
-    # Subjects
-    subjects_top_term: Mapped[str | None]
-
-    # Relationships
-    votes: Mapped[list[Vote]] = relationship(
-        "Vote",
-        back_populates="bill",
-    )
-
-    __table_args__ = (
-        UniqueConstraint("congress", "bill_type", "number", name="uq_bill_congress_type_number"),
-        Index("ix_bill_congress", "congress"),
-    )
-
-
-class Vote(TableBase):
-    """Vote model - roll call votes in Congress."""
-
-    __tablename__ = "vote"
-
-    # Composite natural key: congress + chamber + session + number
-    congress: Mapped[int]
-    chamber: Mapped[str]  # house/senate
-    session: Mapped[int]
-    number: Mapped[int]
-
-    # Vote details
-    vote_type: Mapped[str | None]
-    question: Mapped[str | None]
-    result: Mapped[str | None]
-    result_text: Mapped[str | None]
-
-    # Timing
-    vote_date: Mapped[date]
-
-    # Vote counts (denormalized for efficiency)
-    yea_count: Mapped[int | None]
-    nay_count: Mapped[int | None]
-    not_voting_count: Mapped[int | None]
-    present_count: Mapped[int | None]
-
-    # Related bill (optional - not all votes are on bills)
-    bill_id: Mapped[int | None] = mapped_column(ForeignKey("main.bill.id"))
-
-    # Relationships
-    bill: Mapped[Bill | None] = relationship("Bill", back_populates="votes")
-    vote_records: Mapped[list[VoteRecord]] = relationship(
-        "VoteRecord",
-        back_populates="vote",
-        cascade="all, delete-orphan",
-    )
-
-    __table_args__ = (
-        UniqueConstraint("congress", "chamber", "session", "number", name="uq_vote_congress_chamber_session_number"),
-        Index("ix_vote_date", "vote_date"),
-        Index("ix_vote_congress_chamber", "congress", "chamber"),
-    )
-
-
-class VoteRecord(RichieBase):
-    """Association table: Vote <-> Legislator with position."""
-
-    __tablename__ = "vote_record"
-
-    vote_id: Mapped[int] = mapped_column(
-        ForeignKey("main.vote.id", ondelete="CASCADE"),
-        primary_key=True,
-    )
-    legislator_id: Mapped[int] = mapped_column(
-        ForeignKey("main.legislator.id", ondelete="CASCADE"),
-        primary_key=True,
-    )
-    position: Mapped[str]  # Yea, Nay, Not Voting, Present
-
-    # Relationships
-    vote: Mapped[Vote] = relationship("Vote", back_populates="vote_records")
-    legislator: Mapped[Legislator] = relationship("Legislator", back_populates="vote_records")

python/orm/signal_bot/__init__.py

@@ -1,16 +0,0 @@
-"""Signal bot database ORM exports."""
-
-from __future__ import annotations
-
-from python.orm.signal_bot.base import SignalBotBase, SignalBotTableBase, SignalBotTableBaseSmall
-from python.orm.signal_bot.models import DeadLetterMessage, DeviceRole, RoleRecord, SignalDevice
-
-__all__ = [
-    "DeadLetterMessage",
-    "DeviceRole",
-    "RoleRecord",
-    "SignalBotBase",
-    "SignalBotTableBase",
-    "SignalBotTableBaseSmall",
-    "SignalDevice",
-]

python/orm/signal_bot/base.py

@@ -1,52 +0,0 @@
-"""Signal bot database ORM base."""
-
-from __future__ import annotations
-
-from datetime import datetime
-
-from sqlalchemy import DateTime, MetaData, SmallInteger, func
-from sqlalchemy.ext.declarative import AbstractConcreteBase
-from sqlalchemy.orm import DeclarativeBase, Mapped, mapped_column
-
-from python.orm.common import NAMING_CONVENTION
-
-
-class SignalBotBase(DeclarativeBase):
-    """Base class for signal_bot database ORM models."""
-
-    schema_name = "main"
-
-    metadata = MetaData(
-        schema=schema_name,
-        naming_convention=NAMING_CONVENTION,
-    )
-
-
-class _TableMixin:
-    """Shared timestamp columns for all table bases."""
-
-    created: Mapped[datetime] = mapped_column(
-        DateTime(timezone=True),
-        server_default=func.now(),
-    )
-    updated: Mapped[datetime] = mapped_column(
-        DateTime(timezone=True),
-        server_default=func.now(),
-        onupdate=func.now(),
-    )
-
-
-class SignalBotTableBaseSmall(_TableMixin, AbstractConcreteBase, SignalBotBase):
-    """Table with SmallInteger primary key."""
-
-    __abstract__ = True
-
-    id: Mapped[int] = mapped_column(SmallInteger, primary_key=True)
-
-
-class SignalBotTableBase(_TableMixin, AbstractConcreteBase, SignalBotBase):
-    """Table with Integer primary key."""
-
-    __abstract__ = True
-
-    id: Mapped[int] = mapped_column(primary_key=True)

python/orm/signal_bot/models.py

@@ -1,62 +0,0 @@
-"""Signal bot device, role, and dead letter ORM models."""
-
-from __future__ import annotations
-
-from datetime import datetime
-
-from sqlalchemy import DateTime, Enum, ForeignKey, SmallInteger, String, Text, UniqueConstraint
-from sqlalchemy.orm import Mapped, mapped_column, relationship
-
-from python.orm.signal_bot.base import SignalBotTableBase, SignalBotTableBaseSmall
-from python.signal_bot.models import MessageStatus, TrustLevel
-
-
-class RoleRecord(SignalBotTableBaseSmall):
-    """Lookup table for RBAC roles, keyed by smallint."""
-
-    __tablename__ = "role"
-
-    name: Mapped[str] = mapped_column(String(50), unique=True)
-
-
-class DeviceRole(SignalBotTableBase):
-    """Association between a device and a role."""
-
-    __tablename__ = "device_role"
-    __table_args__ = (
-        UniqueConstraint("device_id", "role_id", name="uq_device_role_device_role"),
-        {"schema": "main"},
-    )
-
-    device_id: Mapped[int] = mapped_column(ForeignKey("main.signal_device.id"))
-    role_id: Mapped[int] = mapped_column(SmallInteger, ForeignKey("main.role.id"))
-
-
-class SignalDevice(SignalBotTableBase):
-    """A Signal device tracked by phone number and safety number."""
-
-    __tablename__ = "signal_device"
-
-    phone_number: Mapped[str] = mapped_column(String(50), unique=True)
-    safety_number: Mapped[str | None]
-    trust_level: Mapped[TrustLevel] = mapped_column(
-        Enum(TrustLevel, name="trust_level", create_constraint=False, native_enum=False),
-        default=TrustLevel.UNVERIFIED,
-    )
-    last_seen: Mapped[datetime] = mapped_column(DateTime(timezone=True))
-
-    roles: Mapped[list[RoleRecord]] = relationship(secondary=DeviceRole.__table__)
-
-
-class DeadLetterMessage(SignalBotTableBase):
-    """A Signal message that failed processing and was sent to the dead letter queue."""
-
-    __tablename__ = "dead_letter_message"
-
-    source: Mapped[str]
-    message: Mapped[str] = mapped_column(Text)
-    received_at: Mapped[datetime] = mapped_column(DateTime(timezone=True))
-    status: Mapped[MessageStatus] = mapped_column(
-        Enum(MessageStatus, name="message_status", create_constraint=False, native_enum=False),
-        default=MessageStatus.UNPROCESSED,
-    )

python/signal_bot/__init__.py

@@ -1 +0,0 @@
-"""Signal command and control bot."""

python/signal_bot/commands/__init__.py

@@ -1 +0,0 @@
-"""Signal bot commands."""

python/signal_bot/commands/inventory.py

@@ -1,137 +0,0 @@
-"""Van inventory command — parse receipts and item lists via LLM, push to API."""
-
-from __future__ import annotations
-
-import json
-import logging
-from typing import TYPE_CHECKING, Any
-
-import httpx
-
-from python.signal_bot.models import InventoryItem, InventoryUpdate
-
-if TYPE_CHECKING:
-    from python.signal_bot.llm_client import LLMClient
-    from python.signal_bot.models import SignalMessage
-    from python.signal_bot.signal_client import SignalClient
-
-logger = logging.getLogger(__name__)
-
-SYSTEM_PROMPT = """\
-You are an inventory assistant. Extract items from the input and return ONLY
-a JSON array. Each element must have these fields:
-  - "name": item name (string)
-  - "quantity": numeric count or amount (default 1)
-  - "unit": unit of measure (e.g. "each", "lb", "oz", "gallon", "bag", "box")
-  - "category": category like "food", "tools", "supplies", etc.
-  - "notes": any extra detail (empty string if none)
-
-Example output:
-[{"name": "water bottles", "quantity": 6, "unit": "gallon", "category": "supplies", "notes": "1 gallon each"}]
-
-Return ONLY the JSON array, no other text.\
-"""
-
-IMAGE_PROMPT = "Extract all items from this receipt or inventory photo."
-TEXT_PROMPT = "Extract all items from this inventory list."
-
-
-def parse_llm_response(raw: str) -> list[InventoryItem]:
-    """Parse the LLM JSON response into InventoryItem list."""
-    text = raw.strip()
-    # Strip markdown code fences if present
-    if text.startswith("```"):
-        lines = text.split("\n")
-        lines = [line for line in lines if not line.startswith("```")]
-        text = "\n".join(lines)
-
-    items_data: list[dict[str, Any]] = json.loads(text)
-    return [InventoryItem.model_validate(item) for item in items_data]
-
-
-def _upsert_item(api_url: str, item: InventoryItem) -> None:
-    """Create or update an item via the van_inventory API.
-
-    Fetches existing items, and if one with the same name exists,
-    patches its quantity (summing). Otherwise creates a new item.
-    """
-    base = api_url.rstrip("/")
-    response = httpx.get(f"{base}/api/items", timeout=10)
-    response.raise_for_status()
-    existing: list[dict[str, Any]] = response.json()
-
-    match = next((e for e in existing if e["name"].lower() == item.name.lower()), None)
-
-    if match:
-        new_qty = match["quantity"] + item.quantity
-        patch = {"quantity": new_qty}
-        if item.category:
-            patch["category"] = item.category
-        response = httpx.patch(f"{base}/api/items/{match['id']}", json=patch, timeout=10)
-        response.raise_for_status()
-        return
-    payload = {
-        "name": item.name,
-        "quantity": item.quantity,
-        "unit": item.unit,
-        "category": item.category or None,
-    }
-    response = httpx.post(f"{base}/api/items", json=payload, timeout=10)
-    response.raise_for_status()
-
-
-def handle_inventory_update(
-    message: SignalMessage,
-    signal: SignalClient,
-    llm: LLMClient,
-    api_url: str,
-) -> InventoryUpdate:
-    """Process an inventory update from a Signal message.
-
-    Accepts either an image (receipt photo) or text list.
-    Uses the LLM to extract structured items, then pushes to the van_inventory API.
-    """
-    try:
-        logger.info(f"Processing inventory update from {message.source}")
-        if message.attachments:
-            image_data = signal.get_attachment(message.attachments[0])
-            raw_response = llm.chat(
-                IMAGE_PROMPT,
-                image_data=image_data,
-                system=SYSTEM_PROMPT,
-            )
-            source_type = "receipt_photo"
-        elif message.message.strip():
-            raw_response = llm.chat(
-                f"{TEXT_PROMPT}\n\n{message.message}",
-                system=SYSTEM_PROMPT,
-            )
-            source_type = "text_list"
-        else:
-            signal.reply(message, "Send a photo of a receipt or a text list of items to update inventory.")
-            return InventoryUpdate()
-
-        logger.info(f"{raw_response=}")
-
-        new_items = parse_llm_response(raw_response)
-
-        logger.info(f"{new_items=}")
-
-        for item in new_items:
-            _upsert_item(api_url, item)
-
-        summary = _format_summary(new_items)
-        signal.reply(message, f"Inventory updated with {len(new_items)} item(s):\n{summary}")
-
-        return InventoryUpdate(items=new_items, raw_response=raw_response, source_type=source_type)
-
-    except Exception:
-        logger.exception("Failed to process inventory update")
-        signal.reply(message, "Failed to process inventory update. Check logs for details.")
-        return InventoryUpdate()
-
-
-def _format_summary(items: list[InventoryItem]) -> str:
-    """Format items into a readable summary."""
-    lines = [f"  - {item.name} x{item.quantity} {item.unit} [{item.category}]" for item in items]
-    return "\n".join(lines)

python/signal_bot/commands/location.py

@@ -1,64 +0,0 @@
-"""Location command for the Signal bot."""
-
-from __future__ import annotations
-
-import logging
-from typing import TYPE_CHECKING, Any
-
-import httpx
-
-if TYPE_CHECKING:
-    from python.signal_bot.models import SignalMessage
-    from python.signal_bot.signal_client import SignalClient
-
-logger = logging.getLogger(__name__)
-
-
-def _get_entity_state(ha_url: str, ha_token: str, entity_id: str) -> dict[str, Any]:
-    """Fetch an entity's state from Home Assistant."""
-    entity_url = f"{ha_url}/api/states/{entity_id}"
-    logger.debug(f"Fetching {entity_url=}")
-    response = httpx.get(
-        entity_url,
-        headers={"Authorization": f"Bearer {ha_token}"},
-        timeout=30,
-    )
-    response.raise_for_status()
-    return response.json()
-
-
-def _format_location(latitude: str, longitude: str) -> str:
-    """Render a friendly location response."""
-    return f"Van location: {latitude}, {longitude}\nhttps://maps.google.com/?q={latitude},{longitude}"
-
-
-def handle_location_request(
-    message: SignalMessage,
-    signal: SignalClient,
-    ha_url: str | None,
-    ha_token: str | None,
-) -> None:
-    """Reply with van location from Home Assistant."""
-    if ha_url is None or ha_token is None:
-        signal.reply(message, "Location command is not configured (missing HA_URL or HA_TOKEN).")
-        return
-
-    lat_payload = None
-    lon_payload = None
-    try:
-        lat_payload = _get_entity_state(ha_url, ha_token, "sensor.van_last_known_latitude")
-        lon_payload = _get_entity_state(ha_url, ha_token, "sensor.van_last_known_longitude")
-    except httpx.HTTPError:
-        logger.exception("Couldn't fetch van location from Home Assistant right now.")
-        logger.debug(f"{ha_url=} {lat_payload=} {lon_payload=}")
-        signal.reply(message, "Couldn't fetch van location from Home Assistant right now.")
-        return
-
-    latitude = lat_payload.get("state", "")
-    longitude = lon_payload.get("state", "")
-
-    if not latitude or not longitude or latitude == "unavailable" or longitude == "unavailable":
-        signal.reply(message, "Van location is unavailable in Home Assistant right now.")
-        return
-
-    signal.reply(message, _format_location(latitude, longitude))

python/signal_bot/device_registry.py

@@ -1,286 +0,0 @@
-"""Device registry — tracks verified/unverified devices by safety number."""
-
-from __future__ import annotations
-
-import logging
-from datetime import datetime, timedelta
-from typing import TYPE_CHECKING, NamedTuple
-
-from sqlalchemy import delete, select
-from sqlalchemy.orm import Session
-
-from python.common import utcnow
-from python.orm.signal_bot.models import RoleRecord, SignalDevice
-from python.signal_bot.models import Role, TrustLevel
-
-if TYPE_CHECKING:
-    from sqlalchemy.engine import Engine
-
-    from python.signal_bot.signal_client import SignalClient
-
-logger = logging.getLogger(__name__)
-
-_BLOCKED_TTL = timedelta(minutes=60)
-_DEFAULT_TTL = timedelta(minutes=5)
-
-
-class _CacheEntry(NamedTuple):
-    expires: datetime
-    trust_level: TrustLevel
-    has_safety_number: bool
-    safety_number: str | None
-    roles: list[Role]
-
-
-class DeviceRegistry:
-    """Manage device trust based on Signal safety numbers.
-
-    Devices start as UNVERIFIED. An admin verifies them over SSH by calling
-    ``verify(phone_number)`` which marks the device VERIFIED and also tells
-    signal-cli to trust the identity.
-
-    Only VERIFIED devices may execute commands.
-    """
-
-    def __init__(self, signal_client: SignalClient, engine: Engine) -> None:
-        self.signal_client = signal_client
-        self.engine = engine
-        self._contact_cache: dict[str, _CacheEntry] = {}
-
-    def is_verified(self, phone_number: str) -> bool:
-        """Check if a phone number is verified."""
-        if entry := self._cached(phone_number):
-            return entry.trust_level == TrustLevel.VERIFIED
-        device = self._load_device(phone_number)
-        return device is not None and device.trust_level == TrustLevel.VERIFIED
-
-    def record_contact(self, phone_number: str, safety_number: str | None = None) -> None:
-        """Record seeing a device. Creates entry if new, updates last_seen."""
-        now = utcnow()
-
-        entry = self._cached(phone_number)
-        if entry and entry.safety_number == safety_number:
-            return
-
-        with Session(self.engine) as session:
-            device = session.execute(
-                select(SignalDevice).where(SignalDevice.phone_number == phone_number)
-            ).scalar_one_or_none()
-
-            if device:
-                if device.safety_number != safety_number and device.trust_level != TrustLevel.BLOCKED:
-                    logger.warning(f"Safety number changed for {phone_number}, resetting to UNVERIFIED")
-                    device.safety_number = safety_number
-                    device.trust_level = TrustLevel.UNVERIFIED
-                device.last_seen = now
-            else:
-                device = SignalDevice(
-                    phone_number=phone_number,
-                    safety_number=safety_number,
-                    trust_level=TrustLevel.UNVERIFIED,
-                    last_seen=now,
-                )
-                session.add(device)
-                logger.info(f"New device registered: {phone_number}")
-
-            session.commit()
-            self._update_cache(phone_number, device)
-
-    def has_safety_number(self, phone_number: str) -> bool:
-        """Check if a device has a safety number on file."""
-        if entry := self._cached(phone_number):
-            return entry.has_safety_number
-        device = self._load_device(phone_number)
-        return device is not None and device.safety_number is not None
-
-    def verify(self, phone_number: str) -> bool:
-        """Mark a device as verified. Called by admin over SSH.
-
-        Returns True if the device was found and verified.
-        """
-        with Session(self.engine) as session:
-            device = session.execute(
-                select(SignalDevice).where(SignalDevice.phone_number == phone_number)
-            ).scalar_one_or_none()
-
-            if not device:
-                logger.warning(f"Cannot verify unknown device: {phone_number}")
-                return False
-
-            device.trust_level = TrustLevel.VERIFIED
-            self.signal_client.trust_identity(phone_number, trust_all_known_keys=True)
-            session.commit()
-            self._update_cache(phone_number, device)
-            logger.info(f"Device verified: {phone_number}")
-            return True
-
-    def block(self, phone_number: str) -> bool:
-        """Block a device."""
-        return self._set_trust(phone_number, TrustLevel.BLOCKED, "Device blocked")
-
-    def unverify(self, phone_number: str) -> bool:
-        """Reset a device to unverified."""
-        return self._set_trust(phone_number, TrustLevel.UNVERIFIED)
-
-    # -- role management ------------------------------------------------------
-
-    def get_roles(self, phone_number: str) -> list[Role]:
-        """Return the roles for a device, defaulting to empty."""
-        if entry := self._cached(phone_number):
-            return entry.roles
-        device = self._load_device(phone_number)
-        return _extract_roles(device) if device else []
-
-    def has_role(self, phone_number: str, role: Role) -> bool:
-        """Check if a device has a specific role or is admin."""
-        roles = self.get_roles(phone_number)
-        return Role.ADMIN in roles or role in roles
-
-    def grant_role(self, phone_number: str, role: Role) -> bool:
-        """Add a role to a device. Called by admin over SSH."""
-        with Session(self.engine) as session:
-            device = session.execute(
-                select(SignalDevice).where(SignalDevice.phone_number == phone_number)
-            ).scalar_one_or_none()
-
-            if not device:
-                logger.warning(f"Cannot grant role for unknown device: {phone_number}")
-                return False
-
-            if any(record.name == role for record in device.roles):
-                return True
-
-            role_record = session.execute(select(RoleRecord).where(RoleRecord.name == role)).scalar_one_or_none()
-
-            if not role_record:
-                logger.warning(f"Unknown role: {role}")
-                return False
-
-            device.roles.append(role_record)
-            session.commit()
-            self._update_cache(phone_number, device)
-            logger.info(f"Device {phone_number} granted role {role}")
-            return True
-
-    def revoke_role(self, phone_number: str, role: Role) -> bool:
-        """Remove a role from a device. Called by admin over SSH."""
-        with Session(self.engine) as session:
-            device = session.execute(
-                select(SignalDevice).where(SignalDevice.phone_number == phone_number)
-            ).scalar_one_or_none()
-
-            if not device:
-                logger.warning(f"Cannot revoke role for unknown device: {phone_number}")
-                return False
-
-            device.roles = [record for record in device.roles if record.name != role]
-            session.commit()
-            self._update_cache(phone_number, device)
-            logger.info(f"Device {phone_number} revoked role {role}")
-            return True
-
-    def set_roles(self, phone_number: str, roles: list[Role]) -> bool:
-        """Replace all roles for a device. Called by admin over SSH."""
-        with Session(self.engine) as session:
-            device = session.execute(
-                select(SignalDevice).where(SignalDevice.phone_number == phone_number)
-            ).scalar_one_or_none()
-
-            if not device:
-                logger.warning(f"Cannot set roles for unknown device: {phone_number}")
-                return False
-
-            role_names = [str(role) for role in roles]
-            records = list(session.execute(select(RoleRecord).where(RoleRecord.name.in_(role_names))).scalars().all())
-            device.roles = records
-            session.commit()
-            self._update_cache(phone_number, device)
-            logger.info(f"Device {phone_number} roles set to {role_names}")
-            return True
-
-    # -- queries --------------------------------------------------------------
-
-    def list_devices(self) -> list[SignalDevice]:
-        """Return all known devices."""
-        with Session(self.engine) as session:
-            return list(session.execute(select(SignalDevice)).scalars().all())
-
-    def sync_identities(self) -> None:
-        """Pull identity list from signal-cli and record any new ones."""
-        identities = self.signal_client.get_identities()
-        for identity in identities:
-            number = identity.get("number", "")
-            safety = identity.get("safety_number", identity.get("fingerprint", ""))
-            if number:
-                self.record_contact(number, safety)
-
-    # -- internals ------------------------------------------------------------
-
-    def _cached(self, phone_number: str) -> _CacheEntry | None:
-        """Return the cache entry if it exists and hasn't expired."""
-        entry = self._contact_cache.get(phone_number)
-        if entry and utcnow() < entry.expires:
-            return entry
-        return None
-
-    def _load_device(self, phone_number: str) -> SignalDevice | None:
-        """Fetch a device by phone number (with joined roles)."""
-        with Session(self.engine) as session:
-            return session.execute(
-                select(SignalDevice).where(SignalDevice.phone_number == phone_number)
-            ).scalar_one_or_none()
-
-    def _update_cache(self, phone_number: str, device: SignalDevice) -> None:
-        """Refresh the cache entry for a device."""
-        ttl = _BLOCKED_TTL if device.trust_level == TrustLevel.BLOCKED else _DEFAULT_TTL
-        self._contact_cache[phone_number] = _CacheEntry(
-            expires=utcnow() + ttl,
-            trust_level=device.trust_level,
-            has_safety_number=device.safety_number is not None,
-            safety_number=device.safety_number,
-            roles=_extract_roles(device),
-        )
-
-    def _set_trust(self, phone_number: str, level: str, log_msg: str | None = None) -> bool:
-        """Update the trust level for a device."""
-        with Session(self.engine) as session:
-            device = session.execute(
-                select(SignalDevice).where(SignalDevice.phone_number == phone_number)
-            ).scalar_one_or_none()
-
-            if not device:
-                return False
-
-            device.trust_level = level
-            session.commit()
-            self._update_cache(phone_number, device)
-            if log_msg:
-                logger.info(f"{log_msg}: {phone_number}")
-            return True
-
-
-def _extract_roles(device: SignalDevice) -> list[Role]:
-    """Convert a device's RoleRecord objects to a list of Role enums."""
-    return [Role(record.name) for record in device.roles]
-
-
-def sync_roles(engine: Engine) -> None:
-    """Sync the Role enum to the role table, adding new and removing stale entries."""
-    expected = {role.value for role in Role}
-
-    with Session(engine) as session:
-        existing = {record.name for record in session.execute(select(RoleRecord)).scalars().all()}
-
-        to_add = expected - existing
-        to_remove = existing - expected
-
-        for name in to_add:
-            session.add(RoleRecord(name=name))
-            logger.info(f"Role added: {name}")
-
-        if to_remove:
-            session.execute(delete(RoleRecord).where(RoleRecord.name.in_(to_remove)))
-            for name in to_remove:
-                logger.info(f"Role removed: {name}")
-
-        session.commit()

python/signal_bot/llm_client.py

@@ -1,80 +0,0 @@
-"""Flexible LLM client for ollama backends."""
-
-from __future__ import annotations
-
-import base64
-import logging
-from typing import Any, Self
-
-import httpx
-
-logger = logging.getLogger(__name__)
-
-
-class LLMClient:
-    """Talk to an ollama instance.
-
-    Args:
-        model: Ollama model name.
-        host: Ollama host.
-        port: Ollama port.
-        temperature: Sampling temperature.
-    """
-
-    def __init__(
-        self,
-        *,
-        model: str,
-        host: str,
-        port: int = 11434,
-        temperature: float = 0.1,
-        timeout: int = 300,
-    ) -> None:
-        self.model = model
-        self.temperature = temperature
-        self._client = httpx.Client(base_url=f"http://{host}:{port}", timeout=timeout)
-
-    def chat(self, prompt: str, image_data: bytes | None = None, system: str | None = None) -> str:
-        """Send a text prompt and return the response."""
-        messages: list[dict[str, Any]] = []
-        if system:
-            messages.append({"role": "system", "content": system})
-
-        user_msg = {"role": "user", "content": prompt}
-        if image_data:
-            user_msg["images"] = [base64.b64encode(image_data).decode()]
-
-        messages.append(user_msg)
-        return self._generate(messages)
-
-    def _generate(self, messages: list[dict[str, Any]]) -> str:
-        """Call the ollama chat API."""
-        payload = {
-            "model": self.model,
-            "messages": messages,
-            "stream": False,
-            "options": {"temperature": self.temperature},
-        }
-        logger.info(f"LLM request to {self.model}")
-        response = self._client.post("/api/chat", json=payload)
-        response.raise_for_status()
-        data = response.json()
-        return data["message"]["content"]
-
-    def list_models(self) -> list[str]:
-        """List available models on the ollama instance."""
-        response = self._client.get("/api/tags")
-        response.raise_for_status()
-        return [m["name"] for m in response.json().get("models", [])]
-
-    def __enter__(self) -> Self:
-        """Enter the context manager."""
-        return self
-
-    def __exit__(self, *args: object) -> None:
-        """Close the HTTP client on exit."""
-        self.close()
-
-    def close(self) -> None:
-        """Close the HTTP client."""
-        self._client.close()

python/signal_bot/main.py

@@ -1,239 +0,0 @@
-"""Signal command and control bot — main entry point."""
-
-from __future__ import annotations
-
-import logging
-from dataclasses import dataclass
-from os import getenv
-from typing import TYPE_CHECKING, Annotated
-
-if TYPE_CHECKING:
-    from collections.abc import Callable
-
-import typer
-from alembic.command import upgrade
-from sqlalchemy.orm import Session
-from tenacity import before_sleep_log, retry, stop_after_attempt, wait_exponential
-
-from python.common import configure_logger, utcnow
-from python.database_cli import DATABASES
-from python.orm.common import get_postgres_engine
-from python.orm.signal_bot.models import DeadLetterMessage
-from python.signal_bot.commands.inventory import handle_inventory_update
-from python.signal_bot.commands.location import handle_location_request
-from python.signal_bot.device_registry import DeviceRegistry, sync_roles
-from python.signal_bot.llm_client import LLMClient
-from python.signal_bot.models import BotConfig, MessageStatus, Role, SignalMessage
-from python.signal_bot.signal_client import SignalClient
-
-logger = logging.getLogger(__name__)
-
-
-@dataclass(frozen=True, slots=True)
-class Command:
-    """A registered bot command."""
-
-    action: Callable[[SignalMessage, str], None]
-    help_text: str
-    role: Role | None  # None = no role required (always allowed)
-
-
-class Bot:
-    """Holds shared resources and dispatches incoming messages to command handlers."""
-
-    def __init__(
-        self,
-        signal: SignalClient,
-        llm: LLMClient,
-        registry: DeviceRegistry,
-        config: BotConfig,
-    ) -> None:
-        self.signal = signal
-        self.llm = llm
-        self.registry = registry
-        self.config = config
-        self.commands: dict[str, Command] = {
-            "help": Command(action=self._help, help_text="show this help message", role=None),
-            "status": Command(action=self._status, help_text="show bot status", role=Role.STATUS),
-            "inventory": Command(
-                action=self._inventory,
-                help_text="update van inventory from a text list or receipt photo",
-                role=Role.INVENTORY,
-            ),
-            "location": Command(
-                action=self._location,
-                help_text="get current van location",
-                role=Role.LOCATION,
-            ),
-        }
-
-    # -- actions --------------------------------------------------------------
-
-    def _help(self, message: SignalMessage, _cmd: str) -> None:
-        """Return help text filtered to the sender's roles."""
-        self.signal.reply(message, self._build_help(self.registry.get_roles(message.source)))
-
-    def _status(self, message: SignalMessage, _cmd: str) -> None:
-        """Return the status of the bot."""
-        models = self.llm.list_models()
-        model_list = ", ".join(models[:10])
-        device_count = len(self.registry.list_devices())
-        self.signal.reply(
-            message,
-            f"Bot online.\nLLM: {self.llm.model}\nAvailable models: {model_list}\nKnown devices: {device_count}",
-        )
-
-    def _inventory(self, message: SignalMessage, _cmd: str) -> None:
-        """Process an inventory update."""
-        handle_inventory_update(message, self.signal, self.llm, self.config.inventory_api_url)
-
-    def _location(self, message: SignalMessage, _cmd: str) -> None:
-        """Reply with current van location."""
-        handle_location_request(message, self.signal, self.config.ha_url, self.config.ha_token)
-
-    # -- dispatch -------------------------------------------------------------
-
-    def _build_help(self, roles: list[Role]) -> str:
-        """Build help text showing only the commands the user can access."""
-        is_admin = Role.ADMIN in roles
-        lines = ["Available commands:"]
-        for name, cmd in self.commands.items():
-            if cmd.role is None or is_admin or cmd.role in roles:
-                lines.append(f"  {name:20s} — {cmd.help_text}")
-        return "\n".join(lines)
-
-    def dispatch(self, message: SignalMessage) -> None:
-        """Route an incoming message to the right command handler."""
-        source = message.source
-
-        if not self.registry.is_verified(source):
-            logger.info(f"Device {source} not verified, ignoring message")
-            return
-
-        if not self.registry.has_safety_number(source) and self.registry.has_role(source, Role.ADMIN):
-            logger.warning(f"Admin device {source} missing safety number, ignoring message")
-            return
-
-        text = message.message.strip()
-        parts = text.split()
-
-        if not parts and not message.attachments:
-            return
-
-        cmd = parts[0].lower() if parts else ""
-
-        logger.info(f"f{source=} running {cmd=} with {message=}")
-
-        command = self.commands.get(cmd)
-        if command is None:
-            if message.attachments:
-                command = self.commands["inventory"]
-                cmd = "inventory"
-            else:
-                return
-
-        if command.role is not None and not self.registry.has_role(source, command.role):
-            logger.warning(f"Device {source} denied access to {cmd!r}")
-            self.signal.reply(message, f"Permission denied: you do not have the '{command.role}' role.")
-            return
-
-        command.action(message, cmd)
-
-    def process_message(self, message: SignalMessage) -> None:
-        """Process a single message, sending it to the dead letter queue after repeated failures."""
-        max_attempts = self.config.max_message_attempts
-        for attempt in range(1, max_attempts + 1):
-            try:
-                safety_number = self.signal.get_safety_number(message.source)
-                self.registry.record_contact(message.source, safety_number)
-                self.dispatch(message)
-            except Exception:
-                logger.exception(f"Failed to process message (attempt {attempt}/{max_attempts})")
-            else:
-                return
-
-        logger.error(f"Message from {message.source} failed {max_attempts} times, sending to dead letter queue")
-        with Session(self.config.engine) as session:
-            session.add(
-                DeadLetterMessage(
-                    source=message.source,
-                    message=message.message,
-                    received_at=utcnow(),
-                    status=MessageStatus.UNPROCESSED,
-                )
-            )
-            session.commit()
-
-    def run(self) -> None:
-        """Listen for messages via WebSocket, reconnecting on failure."""
-        logger.info("Bot started — listening via WebSocket")
-
-        @retry(
-            stop=stop_after_attempt(self.config.max_retries),
-            wait=wait_exponential(multiplier=self.config.reconnect_delay, max=self.config.max_reconnect_delay),
-            before_sleep=before_sleep_log(logger, logging.WARNING),
-            reraise=True,
-        )
-        def _listen() -> None:
-            for message in self.signal.listen():
-                logger.info(f"Message from {message.source}: {message.message[:80]}")
-                self.process_message(message)
-
-        try:
-            _listen()
-        except Exception:
-            logger.critical("Max retries exceeded, shutting down")
-            raise
-
-
-def main(
-    log_level: Annotated[str, typer.Option()] = "DEBUG",
-    llm_timeout: Annotated[int, typer.Option()] = 600,
-) -> None:
-    """Run the Signal command and control bot."""
-    configure_logger(log_level)
-    signal_api_url = getenv("SIGNAL_API_URL")
-    phone_number = getenv("SIGNAL_PHONE_NUMBER")
-    inventory_api_url = getenv("INVENTORY_API_URL")
-
-    if signal_api_url is None:
-        error = "SIGNAL_API_URL environment variable not set"
-        raise ValueError(error)
-    if phone_number is None:
-        error = "SIGNAL_PHONE_NUMBER environment variable not set"
-        raise ValueError(error)
-    if inventory_api_url is None:
-        error = "INVENTORY_API_URL environment variable not set"
-        raise ValueError(error)
-
-    signal_bot_config = DATABASES["signal_bot"].alembic_config()
-    upgrade(signal_bot_config, "head")
-    engine = get_postgres_engine(name="SIGNALBOT")
-    sync_roles(engine)
-    config = BotConfig(
-        signal_api_url=signal_api_url,
-        phone_number=phone_number,
-        inventory_api_url=inventory_api_url,
-        ha_url=getenv("HA_URL"),
-        ha_token=getenv("HA_TOKEN"),
-        engine=engine,
-    )
-
-    llm_host = getenv("LLM_HOST")
-    llm_model = getenv("LLM_MODEL", "qwen3-vl:32b")
-    llm_port = int(getenv("LLM_PORT", "11434"))
-    if llm_host is None:
-        error = "LLM_HOST environment variable not set"
-        raise ValueError(error)
-
-    with (
-        SignalClient(config.signal_api_url, config.phone_number) as signal,
-        LLMClient(model=llm_model, host=llm_host, port=llm_port, timeout=llm_timeout) as llm,
-    ):
-        registry = DeviceRegistry(signal, engine)
-        bot = Bot(signal, llm, registry, config)
-        bot.run()
-
-
-if __name__ == "__main__":
-    typer.run(main)

python/signal_bot/models.py

@@ -1,97 +0,0 @@
-"""Models for the Signal command and control bot."""
-
-from __future__ import annotations
-
-from datetime import datetime  # noqa: TC003 - pydantic needs this at runtime
-from enum import StrEnum
-from typing import Any
-
-from pydantic import BaseModel, ConfigDict
-from sqlalchemy.engine import Engine  # noqa: TC002 - pydantic needs this at runtime
-
-
-class TrustLevel(StrEnum):
-    """Device trust level."""
-
-    VERIFIED = "verified"
-    UNVERIFIED = "unverified"
-    BLOCKED = "blocked"
-
-
-class Role(StrEnum):
-    """RBAC roles — one per command, plus admin which grants all."""
-
-    ADMIN = "admin"
-    STATUS = "status"
-    INVENTORY = "inventory"
-    LOCATION = "location"
-
-
-class MessageStatus(StrEnum):
-    """Dead letter queue message status."""
-
-    UNPROCESSED = "unprocessed"
-    PROCESSED = "processed"
-
-
-class Device(BaseModel):
-    """A registered device tracked by safety number."""
-
-    phone_number: str
-    safety_number: str
-    trust_level: TrustLevel = TrustLevel.UNVERIFIED
-    first_seen: datetime
-    last_seen: datetime
-
-
-class SignalMessage(BaseModel):
-    """An incoming Signal message."""
-
-    source: str
-    timestamp: int
-    message: str = ""
-    attachments: list[str] = []
-    group_id: str | None = None
-    is_receipt: bool = False
-
-
-class SignalEnvelope(BaseModel):
-    """Raw envelope from signal-cli-rest-api."""
-
-    envelope: dict[str, Any]
-    account: str | None = None
-
-
-class InventoryItem(BaseModel):
-    """An item in the van inventory."""
-
-    name: str
-    quantity: float = 1
-    unit: str = "each"
-    category: str = ""
-    notes: str = ""
-
-
-class InventoryUpdate(BaseModel):
-    """Result of processing an inventory update."""
-
-    items: list[InventoryItem] = []
-    raw_response: str = ""
-    source_type: str = ""  # "receipt_photo" or "text_list"
-
-
-class BotConfig(BaseModel):
-    """Top-level bot configuration."""
-
-    model_config = ConfigDict(arbitrary_types_allowed=True)
-
-    signal_api_url: str
-    phone_number: str
-    inventory_api_url: str
-    ha_url: str | None = None
-    ha_token: str | None = None
-    engine: Engine
-    reconnect_delay: int = 5
-    max_reconnect_delay: int = 300
-    max_retries: int = 10
-    max_message_attempts: int = 3

python/signal_bot/signal_client.py

@@ -1,141 +0,0 @@
-"""Client for the signal-cli-rest-api."""
-
-from __future__ import annotations
-
-import json
-import logging
-from typing import TYPE_CHECKING, Any, Self
-
-import httpx
-import websockets.sync.client
-
-if TYPE_CHECKING:
-    from collections.abc import Generator
-
-from python.signal_bot.models import SignalMessage
-
-logger = logging.getLogger(__name__)
-
-
-def _parse_envelope(envelope: dict[str, Any]) -> SignalMessage | None:
-    """Parse a signal-cli envelope into a SignalMessage, or None if not a data message."""
-    data_message = envelope.get("dataMessage")
-    if not data_message:
-        return None
-
-    attachment_ids = [att["id"] for att in data_message.get("attachments", []) if "id" in att]
-
-    group_info = data_message.get("groupInfo")
-    group_id = group_info.get("groupId") if group_info else None
-
-    return SignalMessage(
-        source=envelope.get("source", ""),
-        timestamp=envelope.get("timestamp", 0),
-        message=data_message.get("message", "") or "",
-        attachments=attachment_ids,
-        group_id=group_id,
-    )
-
-
-class SignalClient:
-    """Communicate with signal-cli-rest-api.
-
-    Args:
-        base_url: URL of the signal-cli-rest-api (e.g. http://localhost:8989).
-        phone_number: The registered phone number to send/receive as.
-    """
-
-    def __init__(self, base_url: str, phone_number: str) -> None:
-        self.base_url = base_url.rstrip("/")
-        self.phone_number = phone_number
-        self._client = httpx.Client(base_url=self.base_url, timeout=30)
-
-    def _ws_url(self) -> str:
-        """Build the WebSocket URL from the base HTTP URL."""
-        url = self.base_url.replace("http://", "ws://").replace("https://", "wss://")
-        return f"{url}/v1/receive/{self.phone_number}"
-
-    def listen(self) -> Generator[SignalMessage]:
-        """Connect via WebSocket and yield messages as they arrive."""
-        ws_url = self._ws_url()
-        logger.info(f"Connecting to WebSocket: {ws_url}")
-
-        with websockets.sync.client.connect(ws_url) as ws:
-            for raw in ws:
-                try:
-                    data = json.loads(raw)
-                    envelope = data.get("envelope", {})
-                    message = _parse_envelope(envelope)
-                    if message:
-                        yield message
-                except json.JSONDecodeError:
-                    logger.warning(f"Non-JSON WebSocket frame: {raw[:200]}")
-
-    def send(self, recipient: str, message: str) -> None:
-        """Send a text message."""
-        payload = {
-            "message": message,
-            "number": self.phone_number,
-            "recipients": [recipient],
-        }
-        response = self._client.post("/v2/send", json=payload)
-        response.raise_for_status()
-
-    def send_to_group(self, group_id: str, message: str) -> None:
-        """Send a message to a group."""
-        payload = {
-            "message": message,
-            "number": self.phone_number,
-            "recipients": [group_id],
-        }
-        response = self._client.post("/v2/send", json=payload)
-        response.raise_for_status()
-
-    def get_attachment(self, attachment_id: str) -> bytes:
-        """Download an attachment by ID."""
-        response = self._client.get(f"/v1/attachments/{attachment_id}")
-        response.raise_for_status()
-        return response.content
-
-    def get_identities(self) -> list[dict[str, Any]]:
-        """List known identities and their trust levels."""
-        response = self._client.get(f"/v1/identities/{self.phone_number}")
-        response.raise_for_status()
-        return response.json()
-
-    def get_safety_number(self, phone_number: str) -> str | None:
-        """Look up the safety number for a contact from signal-cli's local store."""
-        for identity in self.get_identities():
-            if identity.get("number") == phone_number:
-                return identity.get("safety_number", identity.get("fingerprint", ""))
-        return None
-
-    def trust_identity(self, number_to_trust: str, *, trust_all_known_keys: bool = False) -> None:
-        """Trust an identity (verify safety number)."""
-        payload: dict[str, Any] = {}
-        if trust_all_known_keys:
-            payload["trust_all_known_keys"] = True
-        response = self._client.put(
-            f"/v1/identities/{self.phone_number}/trust/{number_to_trust}",
-            json=payload,
-        )
-        response.raise_for_status()
-
-    def reply(self, message: SignalMessage, text: str) -> None:
-        """Reply to a message, routing to group or individual."""
-        if message.group_id:
-            self.send_to_group(message.group_id, text)
-        else:
-            self.send(message.source, text)
-
-    def __enter__(self) -> Self:
-        """Enter the context manager."""
-        return self
-
-    def __exit__(self, *args: object) -> None:
-        """Close the HTTP client on exit."""
-        self.close()
-
-    def close(self) -> None:
-        """Close the HTTP client."""
-        self._client.close()

python/tools/snapshot_manager.py

@@ -34,8 +34,9 @@ def main(config_file: Path) -> None:
                 logger.error(msg)
                 signal_alert(msg)
                 continue
-
-            get_snapshots_to_delete(dataset, get_count_lookup(config_file, dataset.name))
+            count_lookup = get_count_lookup(config_file, dataset.name)
+            logger.info(f"using {count_lookup} for {dataset.name}")
+            get_snapshots_to_delete(dataset, count_lookup)
     except Exception:
         logger.exception("snapshot_manager failed")
         signal_alert("snapshot_manager failed")
@@ -99,6 +100,7 @@ def get_snapshots_to_delete(
     """
     snapshots = dataset.get_snapshots()
 
+    logger.info(f"calculating snapshots for {dataset.name} to be deleted")
     if not snapshots:
         logger.info(f"{dataset.name} has no snapshots")
         return

python/tools/whisper/Dockerfile

@@ -0,0 +1,17 @@
+FROM nvidia/cuda:12.4.1-cudnn-runtime-ubuntu22.04
+
+ENV DEBIAN_FRONTEND=noninteractive \
+    PYTHONDONTWRITEBYTECODE=1 \
+    PYTHONUNBUFFERED=1
+
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends python3 python3-pip ffmpeg \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN pip3 install --no-cache-dir --upgrade pip \
+    && pip3 install --no-cache-dir faster-whisper requests
+
+WORKDIR /app
+COPY python/tools/whisper/inference.py /app/inference.py
+
+ENTRYPOINT ["python3", "/app/inference.py"]

python/tools/whisper/Dockerfile.dockerignore

@@ -0,0 +1,2 @@
+*
+!python/tools/whisper/inference.py

python/tools/whisper/__init__.py

@@ -0,0 +1 @@
+"""Whisper transcription tools (host orchestrator and container entrypoint)."""

python/tools/whisper/inference.py

@@ -0,0 +1,136 @@
+"""Container entrypoint that transcribes a directory of audio files with faster-whisper.
+
+Run inside the whisper-transcribe docker image; segment timestamps are grouped
+into one-minute buckets so the output reads as ``[HH:MM:00] text``.
+"""
+
+from __future__ import annotations
+
+import argparse
+import logging
+from pathlib import Path
+
+from faster_whisper import WhisperModel
+
+logger = logging.getLogger(__name__)
+
+AUDIO_EXTENSIONS = {".mp3", ".wav", ".m4a", ".flac", ".ogg", ".opus", ".mp4", ".mkv", ".webm", ".aac"}
+BUCKET_SECONDS = 60
+BEAM_SIZE = 5
+SECONDS_PER_HOUR = 3600
+SECONDS_PER_MINUTE = 60
+
+
+def format_timestamp(total_seconds: float) -> str:
+    """Render a whole-minute timestamp as ``HH:MM:00``.
+
+    Args:
+        total_seconds: Offset in seconds from the start of the audio.
+
+    Returns:
+        A zero-padded ``HH:MM:00`` string.
+    """
+    hours = int(total_seconds // SECONDS_PER_HOUR)
+    minutes = int((total_seconds % SECONDS_PER_HOUR) // SECONDS_PER_MINUTE)
+    return f"{hours:02d}:{minutes:02d}:00"
+
+
+def transcribe_file(model: WhisperModel, audio_path: Path, output_path: Path) -> None:
+    """Transcribe one audio file and write the bucketed transcript to disk.
+
+    Args:
+        model: Loaded faster-whisper model.
+        audio_path: Source audio file.
+        output_path: Destination ``.txt`` path.
+    """
+    logger.info("Transcribing %s", audio_path)
+    segments, info = model.transcribe(
+        str(audio_path),
+        language="en",
+        beam_size=BEAM_SIZE,
+        vad_filter=True,
+    )
+    logger.info("Duration %.1fs", info.duration)
+
+    buckets: dict[int, list[str]] = {}
+    for segment in segments:
+        bucket = int(segment.start // BUCKET_SECONDS)
+        buckets.setdefault(bucket, []).append(segment.text.strip())
+
+    lines = [f"[{format_timestamp(bucket * BUCKET_SECONDS)}] {' '.join(buckets[bucket])}" for bucket in sorted(buckets)]
+    output_path.write_text("\n\n".join(lines) + "\n", encoding="utf-8")
+    logger.info("Wrote %s", output_path)
+
+
+def find_audio_files(input_directory: Path) -> list[Path]:
+    """Collect every audio file under ``input_directory``.
+
+    Args:
+        input_directory: Directory to walk recursively.
+
+    Returns:
+        Sorted list of audio file paths.
+    """
+    return sorted(
+        path for path in input_directory.rglob("*") if path.is_file() and path.suffix.lower() in AUDIO_EXTENSIONS
+    )
+
+
+def configure_container_logger() -> None:
+    """Configure logging for the container (stdout, INFO)."""
+    logging.basicConfig(
+        level=logging.INFO,
+        format="%(asctime)s %(levelname)s %(message)s",
+    )
+
+
+def parse_arguments() -> argparse.Namespace:
+    """Parse CLI arguments for the container entrypoint.
+
+    Returns:
+        Parsed argparse namespace.
+    """
+    parser = argparse.ArgumentParser(description=__doc__)
+    parser.add_argument("--input", type=Path, default=Path("/audio"))
+    parser.add_argument("--output", type=Path, default=Path("/output"))
+    parser.add_argument("--model", default="large-v3")
+    parser.add_argument(
+        "--download-only",
+        action="store_true",
+        help="Download the model into the cache volume and exit without transcribing.",
+    )
+    return parser.parse_args()
+
+
+def main() -> None:
+    """Load the model, then either exit (download-only) or transcribe the directory."""
+    configure_container_logger()
+    arguments = parse_arguments()
+
+    logger.info("Loading model %s on CUDA", arguments.model)
+    model = WhisperModel(arguments.model, device="cuda", compute_type="float16")
+
+    if arguments.download_only:
+        logger.info("Model ready; exiting (download-only mode)")
+        return
+
+    arguments.output.mkdir(parents=True, exist_ok=True)
+
+    audio_files = find_audio_files(arguments.input)
+    if not audio_files:
+        logger.warning("No audio files found in %s", arguments.input)
+        return
+
+    logger.info("Found %d audio file(s)", len(audio_files))
+    for audio_path in audio_files:
+        relative = audio_path.relative_to(arguments.input)
+        output_path = arguments.output / relative.with_suffix(".txt")
+        output_path.parent.mkdir(parents=True, exist_ok=True)
+        if output_path.exists():
+            logger.info("Skip %s (already transcribed)", relative)
+            continue
+        transcribe_file(model, audio_path, output_path)
+
+
+if __name__ == "__main__":
+    main()

python/tools/whisper/transcribe.py

@@ -0,0 +1,167 @@
+"""Build and run the whisper transcription docker container on demand.
+
+The container is started fresh for each invocation and removed on exit
+(``docker run --rm``). The model is cached in a named docker volume so
+only the first run pays the download cost.
+"""
+
+from __future__ import annotations
+
+import logging
+import subprocess
+from pathlib import Path
+from typing import Annotated
+
+import typer
+
+from python.common import configure_logger
+
+logger = logging.getLogger(__name__)
+
+
+class Config:
+    """Paths and names for the whisper-transcribe Docker workflow."""
+
+    image_tag = "whisper-transcribe:latest"
+    model_volume = "whisper-models"
+    repo_root = Path(__file__).resolve().parents[3]
+    dockerfile = Path(__file__).resolve().parent / "Dockerfile"
+    huggingface_cache = "/root/.cache/huggingface"
+
+
+def run_docker(arguments: list[str]) -> None:
+    """Run a docker subcommand, streaming output and raising on failure.
+
+    Args:
+        arguments: Arguments to pass to the ``docker`` binary.
+
+    Raises:
+        subprocess.CalledProcessError: If docker exits non-zero.
+    """
+    logger.info("docker %s", " ".join(arguments))
+    subprocess.run(["docker", *arguments], check=True)
+
+
+def build_image() -> None:
+    """Build the whisper-transcribe image using the repo root as build context."""
+    logger.info("Building image %s", Config.image_tag)
+    run_docker(
+        [
+            "build",
+            "--tag",
+            Config.image_tag,
+            "--file",
+            str(Config.dockerfile),
+            str(Config.repo_root),
+        ],
+    )
+
+
+def model_cache_present(model: str) -> bool:
+    """Check whether the given model is already downloaded in the cache volume.
+
+    Args:
+        model: faster-whisper model name (e.g. ``large-v3``).
+
+    Returns:
+        True if the HuggingFace cache directory for the model exists in the volume.
+    """
+    cache_directory = f"hub/models--Systran--faster-whisper-{model}"
+    completed = subprocess.run(
+        [
+            "docker",
+            "run",
+            "--rm",
+            "--volume",
+            f"{Config.model_volume}:/cache",
+            "alpine",
+            "test",
+            "-d",
+            f"/cache/{cache_directory}",
+        ],
+        check=False,
+    )
+    return completed.returncode == 0
+
+
+def download_model(model: str) -> None:
+    """Download the model into the cache volume and exit.
+
+    Args:
+        model: faster-whisper model name.
+    """
+    logger.info("Downloading model %s into volume %s", model, Config.model_volume)
+    run_docker(
+        [
+            "run",
+            "--rm",
+            "--device=nvidia.com/gpu=all",
+            "--ipc=host",
+            "--volume",
+            f"{Config.model_volume}:{Config.huggingface_cache}",
+            Config.image_tag,
+            "--model",
+            model,
+            "--download-only",
+        ],
+    )
+
+
+def transcribe(input_directory: Path, output_directory: Path, model: str) -> None:
+    """Run transcription on every audio file under ``input_directory``.
+
+    Args:
+        input_directory: Host path containing audio files (mounted read-only).
+        output_directory: Host path for ``.txt`` transcripts.
+        model: faster-whisper model name.
+    """
+    logger.info("Transcribing %s -> %s (model=%s)", input_directory, output_directory, model)
+    run_docker(
+        [
+            "run",
+            "--rm",
+            "--device=nvidia.com/gpu=all",
+            "--ipc=host",
+            "--volume",
+            f"{input_directory}:/audio:ro",
+            "--volume",
+            f"{output_directory}:/output",
+            "--volume",
+            f"{Config.model_volume}:{Config.huggingface_cache}",
+            Config.image_tag,
+            "--model",
+            model,
+        ],
+    )
+
+
+def main(
+    input_directory: Annotated[Path, typer.Argument(help="Directory of audio files to transcribe.")],
+    output_directory: Annotated[Path, typer.Argument(help="Directory to write .txt transcripts to.")],
+    model: Annotated[str, typer.Option(help="faster-whisper model name.")] = "large-v3",
+    *,
+    force_download: Annotated[
+        bool,
+        typer.Option("--force-download", help="Re-download the model even if already cached."),
+    ] = False,
+) -> None:
+    """Build the image, ensure the model is cached, then transcribe and stop."""
+    configure_logger()
+
+    resolved_input = input_directory.resolve(strict=True)
+    output_directory.mkdir(parents=True, exist_ok=True)
+    resolved_output = output_directory.resolve()
+
+    build_image()
+
+    if force_download or not model_cache_present(model):
+        download_model(model)
+    else:
+        logger.info("Model %s already cached in volume %s", model, Config.model_volume)
+
+    transcribe(resolved_input, resolved_output, model)
+    logger.info("Done. Container stopped.")
+
+
+if __name__ == "__main__":
+    typer.run(main)

systems/bob/default.nix

@@ -1,28 +1,39 @@
-{ inputs, ... }:
+{ inputs, pkgs, ... }:
 {
   imports = [
+    "${inputs.self}/users/math"
     "${inputs.self}/users/richie"
+    "${inputs.self}/users/steve"
     "${inputs.self}/common/global"
-    "${inputs.self}/common/optional/desktop.nix"
     "${inputs.self}/common/optional/docker.nix"
     "${inputs.self}/common/optional/scanner.nix"
+    "${inputs.self}/common/optional/monitoring-agent.nix"
     "${inputs.self}/common/optional/steam.nix"
     "${inputs.self}/common/optional/syncthing_base.nix"
     "${inputs.self}/common/optional/systemd-boot.nix"
     "${inputs.self}/common/optional/update.nix"
     "${inputs.self}/common/optional/yubikey.nix"
     "${inputs.self}/common/optional/zerotier.nix"
-    "${inputs.self}/common/optional/brain_substituter.nix"
     "${inputs.self}/common/optional/nvidia.nix"
     ./hardware.nix
     ./syncthing.nix
     ./llms.nix
   ];
 
+  boot = {
+    kernelPackages = pkgs.linuxPackages_6_18;
+    zfs.package = pkgs.zfs_2_4;
+  };
+
   networking = {
     hostName = "bob";
     hostId = "7c678a41";
-    firewall.enable = true;
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [
+        8000
+      ];
+    };
     networkmanager.enable = true;
   };
 

systems/bob/hardware.nix

@@ -28,9 +28,13 @@
         allowDiscards = true;
         keyFileSize = 4096;
         keyFile = "/dev/disk/by-id/usb-Samsung_Flash_Drive_FIT_0374620080067131-0:0";
-        fallbackToPassword = true;
       };
     };
+
+    zfs.extraPools = [
+      "storage"
+    ];
+
     kernelModules = [ "kvm-amd" ];
     extraModulePackages = [ ];
   };

systems/bob/llms.nix

@@ -23,6 +23,7 @@
       "magistral:24b"
       "ministral-3:14b"
       "nemotron-3-nano:30b"
+      "nemotron-3-nano:4b"
       "nemotron-cascade-2:30b"
       "qwen3-coder:30b"
       "qwen3-embedding:0.6b"
@@ -41,11 +42,14 @@
       "qwen3:8b"
       "qwen3.5:27b"
       "qwen3.5:35b"
+      "qwen3.6:27b"
+      "qwen3.6:35b"
+      "rinex20/translategemma3:12b"
       "translategemma:12b"
       "translategemma:27b"
       "translategemma:4b"
     ];
-    models = "/zfs/models";
+    models = "/zfs/storage/models";
     openFirewall = true;
   };
 }

systems/bob/syncthing.nix

@@ -31,5 +31,15 @@
       ];
       fsWatcherEnabled = true;
     };
+    "recordings" = {
+      path = "/home/richie/recordings";
+      devices = [
+        "jeeves"
+        "phone"
+        "rhapsody-in-green"
+      ];
+      fsWatcherEnabled = true;
+    };
+
   };
 }

systems/brain/hardware.nix

@@ -26,7 +26,6 @@
         allowDiscards = true;
         keyFileSize = 4096;
         keyFile = "/dev/disk/by-id/usb-USB_SanDisk_3.2Gen1_03021630090925173333-0:0";
-        fallbackToPassword = true;
       };
     };
     kernelModules = [ "kvm-intel" ];

systems/jeeves/default.nix

@@ -4,17 +4,21 @@ let
 in
 {
   imports = [
-    "${inputs.self}/users/richie"
-    "${inputs.self}/users/math"
     "${inputs.self}/users/dov"
+    "${inputs.self}/users/math"
+    "${inputs.self}/users/richie"
+    "${inputs.self}/users/steve"
     "${inputs.self}/common/global"
     "${inputs.self}/common/optional/docker.nix"
+    "${inputs.self}/common/optional/monitoring-agent.nix"
     "${inputs.self}/common/optional/ssh_decrypt.nix"
     "${inputs.self}/common/optional/syncthing_base.nix"
     "${inputs.self}/common/optional/update.nix"
     "${inputs.self}/common/optional/zerotier.nix"
+    ./monitoring
     ./docker
     ./services
+    ./web_services
     ./hardware.nix
     ./networking.nix
     ./programs.nix
@@ -35,5 +39,10 @@ in
     zerotierone.joinNetworks = [ "a09acf02330d37b9" ];
   };
 
+  users.groups = {
+    nornsight = { };
+    nornsight-admin = { };
+  };
+
   system.stateVersion = "24.05";
 }

systems/jeeves/hardware.nix

@@ -9,7 +9,6 @@ let
     inherit device;
     keyFileSize = 4096;
     keyFile = "/dev/disk/by-id/usb-XIAO_USB_Drive_24587CE29074-0:0";
-    fallbackToPassword = true;
   };
   makeLuksSSD =
     device:

systems/jeeves/monitoring/dashboards/overview.json

@@ -0,0 +1,426 @@
+{
+  "annotations": {
+    "list": [
+      {
+        "builtIn": 1,
+        "datasource": {
+          "type": "grafana",
+          "uid": "-- Grafana --"
+        },
+        "enable": true,
+        "hide": true,
+        "iconColor": "rgba(0, 211, 255, 1)",
+        "name": "Annotations & Alerts",
+        "type": "dashboard"
+      }
+    ]
+  },
+  "editable": true,
+  "fiscalYearStartMonth": 0,
+  "graphTooltip": 0,
+  "links": [],
+  "panels": [
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prom-main"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "percent"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 6,
+        "x": 0,
+        "y": 0
+      },
+      "id": 1,
+      "options": {
+        "legend": {
+          "displayMode": "list",
+          "placement": "bottom"
+        },
+        "tooltip": {
+          "mode": "multi"
+        }
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-main"
+          },
+          "editorMode": "code",
+          "expr": "100 * (1 - avg by (instance) (rate(node_cpu_seconds_total{mode=\"idle\"}[5m])))",
+          "legendFormat": "{{instance}}",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "CPU Used",
+      "type": "timeseries"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prom-main"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "percent"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 6,
+        "x": 6,
+        "y": 0
+      },
+      "id": 2,
+      "options": {
+        "legend": {
+          "displayMode": "list",
+          "placement": "bottom"
+        },
+        "tooltip": {
+          "mode": "multi"
+        }
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-main"
+          },
+          "editorMode": "code",
+          "expr": "100 * (1 - (node_memory_MemAvailable_bytes / node_memory_MemTotal_bytes))",
+          "legendFormat": "{{instance}}",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "RAM Used",
+      "type": "timeseries"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prom-main"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "percent"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 6,
+        "x": 12,
+        "y": 0
+      },
+      "id": 3,
+      "options": {
+        "legend": {
+          "displayMode": "list",
+          "placement": "bottom"
+        },
+        "tooltip": {
+          "mode": "multi"
+        }
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-main"
+          },
+          "editorMode": "code",
+          "expr": "100 * (1 - (node_memory_SwapFree_bytes / node_memory_SwapTotal_bytes))",
+          "legendFormat": "{{instance}}",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "Swap Used",
+      "type": "timeseries"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prom-main"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "short"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 6,
+        "x": 18,
+        "y": 0
+      },
+      "id": 4,
+      "options": {
+        "legend": {
+          "displayMode": "list",
+          "placement": "bottom"
+        },
+        "tooltip": {
+          "mode": "multi"
+        }
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-main"
+          },
+          "editorMode": "code",
+          "expr": "node_load1",
+          "legendFormat": "{{instance}} load1",
+          "range": true,
+          "refId": "A"
+        },
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-main"
+          },
+          "editorMode": "code",
+          "expr": "node_load5",
+          "legendFormat": "{{instance}} load5",
+          "range": true,
+          "refId": "B"
+        },
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-main"
+          },
+          "editorMode": "code",
+          "expr": "node_load15",
+          "legendFormat": "{{instance}} load15",
+          "range": true,
+          "refId": "C"
+        }
+      ],
+      "title": "Load",
+      "type": "timeseries"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prom-main"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "Bps"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 9,
+        "w": 12,
+        "x": 0,
+        "y": 8
+      },
+      "id": 5,
+      "options": {
+        "legend": {
+          "displayMode": "list",
+          "placement": "bottom"
+        },
+        "tooltip": {
+          "mode": "multi"
+        }
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-main"
+          },
+          "editorMode": "code",
+          "expr": "sum by (instance) (rate(node_disk_read_bytes_total[5m]))",
+          "legendFormat": "{{instance}} read",
+          "range": true,
+          "refId": "A"
+        },
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-main"
+          },
+          "editorMode": "code",
+          "expr": "sum by (instance) (rate(node_disk_written_bytes_total[5m]))",
+          "legendFormat": "{{instance}} write",
+          "range": true,
+          "refId": "B"
+        }
+      ],
+      "title": "Disk Throughput",
+      "type": "timeseries"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prom-main"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "percent"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 9,
+        "w": 12,
+        "x": 12,
+        "y": 8
+      },
+      "id": 6,
+      "options": {
+        "cellHeight": "sm",
+        "showHeader": true,
+        "sortBy": [
+          {
+            "desc": true,
+            "displayName": "Value"
+          }
+        ]
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-main"
+          },
+          "editorMode": "code",
+          "expr": "100 * (1 - (node_filesystem_avail_bytes{mountpoint=~\"(/|/home|/var|/zfs.*)\",fstype!=\"\"} / node_filesystem_size_bytes{mountpoint=~\"(/|/home|/var|/zfs.*)\",fstype!=\"\"}))",
+          "format": "table",
+          "instant": true,
+          "legendFormat": "{{instance}} {{mountpoint}}",
+          "refId": "A"
+        }
+      ],
+      "title": "Filesystem Usage",
+      "type": "table"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prom-main"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "percentunit"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 12,
+        "x": 0,
+        "y": 17
+      },
+      "id": 7,
+      "options": {
+        "cellHeight": "sm",
+        "showHeader": true,
+        "sortBy": [
+          {
+            "desc": true,
+            "displayName": "Value"
+          }
+        ]
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-main"
+          },
+          "editorMode": "code",
+          "expr": "topk(10, rate(namedprocess_namegroup_cpu_seconds_total[5m]))",
+          "format": "table",
+          "instant": true,
+          "legendFormat": "{{instance}} {{groupname}}",
+          "refId": "A"
+        }
+      ],
+      "title": "Top Grouped CPU",
+      "type": "table"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prom-main"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "bytes"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 12,
+        "x": 12,
+        "y": 17
+      },
+      "id": 8,
+      "options": {
+        "cellHeight": "sm",
+        "showHeader": true,
+        "sortBy": [
+          {
+            "desc": true,
+            "displayName": "Value"
+          }
+        ]
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-main"
+          },
+          "editorMode": "code",
+          "expr": "topk(10, namedprocess_namegroup_memory_bytes{memtype=\"resident\"})",
+          "format": "table",
+          "instant": true,
+          "legendFormat": "{{instance}} {{groupname}}",
+          "refId": "A"
+        }
+      ],
+      "title": "Top Grouped Memory",
+      "type": "table"
+    }
+  ],
+  "refresh": "30s",
+  "schemaVersion": 39,
+  "style": "dark",
+  "tags": [
+    "monitoring"
+  ],
+  "templating": {
+    "list": []
+  },
+  "time": {
+    "from": "now-24h",
+    "to": "now"
+  },
+  "timepicker": {},
+  "timezone": "",
+  "title": "Overview",
+  "uid": "monitor-overview",
+  "version": 1,
+  "weekStart": ""
+}

systems/jeeves/monitoring/dashboards/process-history-grouped.json

@@ -0,0 +1,216 @@
+{
+  "annotations": {
+    "list": [
+      {
+        "builtIn": 1,
+        "datasource": {
+          "type": "grafana",
+          "uid": "-- Grafana --"
+        },
+        "enable": true,
+        "hide": true,
+        "iconColor": "rgba(0, 211, 255, 1)",
+        "name": "Annotations & Alerts",
+        "type": "dashboard"
+      }
+    ]
+  },
+  "editable": true,
+  "fiscalYearStartMonth": 0,
+  "graphTooltip": 0,
+  "links": [],
+  "panels": [
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prom-main"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "percentunit"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 12,
+        "x": 0,
+        "y": 0
+      },
+      "id": 1,
+      "options": {
+        "legend": {
+          "displayMode": "list",
+          "placement": "bottom"
+        },
+        "tooltip": {
+          "mode": "multi"
+        }
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-main"
+          },
+          "editorMode": "code",
+          "expr": "topk(10, rate(namedprocess_namegroup_cpu_seconds_total[5m]))",
+          "legendFormat": "{{instance}} {{groupname}}",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "Grouped CPU",
+      "type": "timeseries"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prom-main"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "bytes"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 12,
+        "x": 12,
+        "y": 0
+      },
+      "id": 2,
+      "options": {
+        "legend": {
+          "displayMode": "list",
+          "placement": "bottom"
+        },
+        "tooltip": {
+          "mode": "multi"
+        }
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-main"
+          },
+          "editorMode": "code",
+          "expr": "topk(10, namedprocess_namegroup_memory_bytes{memtype=\"resident\"})",
+          "legendFormat": "{{instance}} {{groupname}}",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "Grouped Resident Memory",
+      "type": "timeseries"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prom-main"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "Bps"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 12,
+        "x": 0,
+        "y": 10
+      },
+      "id": 3,
+      "options": {
+        "legend": {
+          "displayMode": "list",
+          "placement": "bottom"
+        },
+        "tooltip": {
+          "mode": "multi"
+        }
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-main"
+          },
+          "editorMode": "code",
+          "expr": "topk(10, rate(namedprocess_namegroup_read_bytes_total[5m]))",
+          "legendFormat": "{{instance}} {{groupname}}",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "Grouped Read I/O",
+      "type": "timeseries"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prom-main"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "Bps"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 12,
+        "x": 12,
+        "y": 10
+      },
+      "id": 4,
+      "options": {
+        "legend": {
+          "displayMode": "list",
+          "placement": "bottom"
+        },
+        "tooltip": {
+          "mode": "multi"
+        }
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-main"
+          },
+          "editorMode": "code",
+          "expr": "topk(10, rate(namedprocess_namegroup_write_bytes_total[5m]))",
+          "legendFormat": "{{instance}} {{groupname}}",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "Grouped Write I/O",
+      "type": "timeseries"
+    }
+  ],
+  "refresh": "30s",
+  "schemaVersion": 39,
+  "style": "dark",
+  "tags": [
+    "monitoring",
+    "process"
+  ],
+  "templating": {
+    "list": []
+  },
+  "time": {
+    "from": "now-7d",
+    "to": "now"
+  },
+  "timepicker": {},
+  "timezone": "",
+  "title": "Process History Grouped",
+  "uid": "monitor-process-history",
+  "version": 1,
+  "weekStart": ""
+}

systems/jeeves/monitoring/dashboards/process-live-pid.json

@@ -0,0 +1,224 @@
+{
+  "annotations": {
+    "list": [
+      {
+        "builtIn": 1,
+        "datasource": {
+          "type": "grafana",
+          "uid": "-- Grafana --"
+        },
+        "enable": true,
+        "hide": true,
+        "iconColor": "rgba(0, 211, 255, 1)",
+        "name": "Annotations & Alerts",
+        "type": "dashboard"
+      }
+    ]
+  },
+  "editable": true,
+  "fiscalYearStartMonth": 0,
+  "graphTooltip": 0,
+  "links": [],
+  "panels": [
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prom-pid-short"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "percentunit"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 12,
+        "x": 0,
+        "y": 0
+      },
+      "id": 1,
+      "options": {
+        "cellHeight": "sm",
+        "showHeader": true,
+        "sortBy": [
+          {
+            "desc": true,
+            "displayName": "Value"
+          }
+        ]
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-pid-short"
+          },
+          "editorMode": "code",
+          "expr": "topk(20, rate(namedprocess_namegroup_cpu_seconds_total[2m]))",
+          "format": "table",
+          "instant": true,
+          "legendFormat": "{{instance}} {{groupname}}",
+          "refId": "A"
+        }
+      ],
+      "title": "Top PID CPU",
+      "type": "table"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prom-pid-short"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "bytes"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 12,
+        "x": 12,
+        "y": 0
+      },
+      "id": 2,
+      "options": {
+        "cellHeight": "sm",
+        "showHeader": true,
+        "sortBy": [
+          {
+            "desc": true,
+            "displayName": "Value"
+          }
+        ]
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-pid-short"
+          },
+          "editorMode": "code",
+          "expr": "topk(20, namedprocess_namegroup_memory_bytes{memtype=\"resident\"})",
+          "format": "table",
+          "instant": true,
+          "legendFormat": "{{instance}} {{groupname}}",
+          "refId": "A"
+        }
+      ],
+      "title": "Top PID RSS",
+      "type": "table"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prom-pid-short"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "Bps"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 12,
+        "x": 0,
+        "y": 10
+      },
+      "id": 3,
+      "options": {
+        "cellHeight": "sm",
+        "showHeader": true,
+        "sortBy": [
+          {
+            "desc": true,
+            "displayName": "Value"
+          }
+        ]
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-pid-short"
+          },
+          "editorMode": "code",
+          "expr": "topk(20, rate(namedprocess_namegroup_read_bytes_total[2m]))",
+          "format": "table",
+          "instant": true,
+          "legendFormat": "{{instance}} {{groupname}}",
+          "refId": "A"
+        }
+      ],
+      "title": "Top PID Read I/O",
+      "type": "table"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prom-pid-short"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "Bps"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 12,
+        "x": 12,
+        "y": 10
+      },
+      "id": 4,
+      "options": {
+        "cellHeight": "sm",
+        "showHeader": true,
+        "sortBy": [
+          {
+            "desc": true,
+            "displayName": "Value"
+          }
+        ]
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-pid-short"
+          },
+          "editorMode": "code",
+          "expr": "topk(20, rate(namedprocess_namegroup_write_bytes_total[2m]))",
+          "format": "table",
+          "instant": true,
+          "legendFormat": "{{instance}} {{groupname}}",
+          "refId": "A"
+        }
+      ],
+      "title": "Top PID Write I/O",
+      "type": "table"
+    }
+  ],
+  "refresh": "15s",
+  "schemaVersion": 39,
+  "style": "dark",
+  "tags": [
+    "monitoring",
+    "process"
+  ],
+  "templating": {
+    "list": []
+  },
+  "time": {
+    "from": "now-10m",
+    "to": "now"
+  },
+  "timepicker": {},
+  "timezone": "",
+  "title": "Process Live PID",
+  "uid": "monitor-process-pid",
+  "version": 1,
+  "weekStart": ""
+}

systems/jeeves/monitoring/dashboards/storage-zfs.json

@@ -0,0 +1,351 @@
+{
+  "annotations": {
+    "list": [
+      {
+        "builtIn": 1,
+        "datasource": {
+          "type": "grafana",
+          "uid": "-- Grafana --"
+        },
+        "enable": true,
+        "hide": true,
+        "iconColor": "rgba(0, 211, 255, 1)",
+        "name": "Annotations & Alerts",
+        "type": "dashboard"
+      }
+    ]
+  },
+  "editable": true,
+  "fiscalYearStartMonth": 0,
+  "graphTooltip": 0,
+  "links": [],
+  "panels": [
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prom-main"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "percent"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 8,
+        "x": 0,
+        "y": 0
+      },
+      "id": 1,
+      "options": {
+        "legend": {
+          "displayMode": "list",
+          "placement": "bottom"
+        },
+        "tooltip": {
+          "mode": "multi"
+        }
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-main"
+          },
+          "editorMode": "code",
+          "expr": "100 * (zfs_pool_allocated_bytes / zfs_pool_size_bytes)",
+          "legendFormat": "{{instance}} {{pool}}",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "Pool Usage",
+      "type": "timeseries"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prom-main"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "bytes"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 8,
+        "x": 8,
+        "y": 0
+      },
+      "id": 2,
+      "options": {
+        "legend": {
+          "displayMode": "list",
+          "placement": "bottom"
+        },
+        "tooltip": {
+          "mode": "multi"
+        }
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-main"
+          },
+          "editorMode": "code",
+          "expr": "zfs_pool_free_bytes",
+          "legendFormat": "{{instance}} {{pool}}",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "Pool Free Bytes",
+      "type": "timeseries"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prom-main"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "bytes"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 8,
+        "x": 16,
+        "y": 0
+      },
+      "id": 3,
+      "options": {
+        "cellHeight": "sm",
+        "showHeader": true,
+        "sortBy": [
+          {
+            "desc": true,
+            "displayName": "Value"
+          }
+        ]
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-main"
+          },
+          "editorMode": "code",
+          "expr": "topk(20, zfs_dataset_used_bytes{type=\"filesystem\"})",
+          "format": "table",
+          "instant": true,
+          "legendFormat": "{{instance}} {{name}}",
+          "refId": "A"
+        }
+      ],
+      "title": "Top Filesystems by Used Bytes",
+      "type": "table"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prom-main"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "ns"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 9,
+        "w": 12,
+        "x": 0,
+        "y": 8
+      },
+      "id": 4,
+      "options": {
+        "legend": {
+          "displayMode": "list",
+          "placement": "bottom"
+        },
+        "tooltip": {
+          "mode": "multi"
+        }
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-main"
+          },
+          "editorMode": "code",
+          "expr": "topk(20, zpool_iostat_total_wait_read_ns{vdev!=\"_pool\"})",
+          "legendFormat": "{{host}} {{pool}} {{vdev}}",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "ZFS Read Wait",
+      "type": "timeseries"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prom-main"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "ns"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 9,
+        "w": 12,
+        "x": 12,
+        "y": 8
+      },
+      "id": 5,
+      "options": {
+        "legend": {
+          "displayMode": "list",
+          "placement": "bottom"
+        },
+        "tooltip": {
+          "mode": "multi"
+        }
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-main"
+          },
+          "editorMode": "code",
+          "expr": "topk(20, zpool_iostat_total_wait_write_ns{vdev!=\"_pool\"})",
+          "legendFormat": "{{host}} {{pool}} {{vdev}}",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "ZFS Write Wait",
+      "type": "timeseries"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prom-main"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "celsius"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 9,
+        "w": 12,
+        "x": 0,
+        "y": 17
+      },
+      "id": 6,
+      "options": {
+        "cellHeight": "sm",
+        "showHeader": true,
+        "sortBy": [
+          {
+            "desc": true,
+            "displayName": "Value"
+          }
+        ]
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-main"
+          },
+          "editorMode": "code",
+          "expr": "smartctl_device_temperature{temperature_type=\"current\"}",
+          "format": "table",
+          "instant": true,
+          "legendFormat": "{{instance}} {{device}}",
+          "refId": "A"
+        }
+      ],
+      "title": "Disk Temperature",
+      "type": "table"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prom-main"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "unit": "short"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 9,
+        "w": 12,
+        "x": 12,
+        "y": 17
+      },
+      "id": 7,
+      "options": {
+        "cellHeight": "sm",
+        "showHeader": true,
+        "sortBy": [
+          {
+            "desc": false,
+            "displayName": "Value"
+          }
+        ]
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prom-main"
+          },
+          "editorMode": "code",
+          "expr": "smartctl_device_smart_status",
+          "format": "table",
+          "instant": true,
+          "legendFormat": "{{instance}} {{device}}",
+          "refId": "A"
+        }
+      ],
+      "title": "SMART Health",
+      "type": "table"
+    }
+  ],
+  "refresh": "30s",
+  "schemaVersion": 39,
+  "style": "dark",
+  "tags": [
+    "monitoring",
+    "zfs"
+  ],
+  "templating": {
+    "list": []
+  },
+  "time": {
+    "from": "now-24h",
+    "to": "now"
+  },
+  "timepicker": {},
+  "timezone": "",
+  "title": "Storage and ZFS",
+  "uid": "monitor-storage",
+  "version": 1,
+  "weekStart": ""
+}

systems/jeeves/monitoring/default.nix

@@ -0,0 +1,186 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+let
+  vars = import ../vars.nix;
+
+  prometheusDataRoot = "${vars.database}/prometheus";
+  mainPrometheusDataDir = "${prometheusDataRoot}/main";
+  pidPrometheusDataDir = "${prometheusDataRoot}/pid-short";
+
+  prometheusYaml = pkgs.formats.yaml { };
+
+  mkPrometheusConfig =
+    name: cfg:
+    let
+      configFile = prometheusYaml.generate "${name}.yaml" cfg;
+    in
+    pkgs.runCommand "${name}-checked.yaml"
+      {
+        nativeBuildInputs = [ pkgs.prometheus.cli ];
+      }
+      ''
+        promtool check config ${configFile}
+        cp ${configFile} $out
+      '';
+
+  mkTarget = host: address: {
+    targets = [ address ];
+    labels.instance = host;
+  };
+
+  mainPrometheusConfig = mkPrometheusConfig "prometheus-main" {
+    global = {
+      scrape_interval = "30s";
+      scrape_timeout = "10s";
+      evaluation_interval = "30s";
+    };
+    scrape_configs = [
+      {
+        job_name = "node";
+        static_configs = [
+          (mkTarget "jeeves" "192.168.90.40:9100")
+          (mkTarget "bob" "192.168.90.25:9100")
+        ];
+      }
+      {
+        job_name = "process_grouped";
+        static_configs = [
+          (mkTarget "jeeves" "192.168.90.40:9256")
+          (mkTarget "bob" "192.168.90.25:9256")
+        ];
+      }
+      {
+        job_name = "smartctl";
+        static_configs = [
+          (mkTarget "jeeves" "192.168.90.40:9633")
+          (mkTarget "bob" "192.168.90.25:9633")
+        ];
+      }
+      {
+        job_name = "zfs";
+        static_configs = [
+          (mkTarget "jeeves" "192.168.90.40:9134")
+          (mkTarget "bob" "192.168.90.25:9134")
+        ];
+      }
+    ];
+  };
+
+  pidPrometheusConfig = mkPrometheusConfig "prometheus-pid-short" {
+    global = {
+      scrape_interval = "15s";
+      scrape_timeout = "10s";
+      evaluation_interval = "15s";
+    };
+    scrape_configs = [
+      {
+        job_name = "process_pid";
+        static_configs = [
+          (mkTarget "jeeves" "192.168.90.40:9257")
+          (mkTarget "bob" "192.168.90.25:9257")
+        ];
+      }
+    ];
+  };
+
+  mkPrometheusService =
+    {
+      dataDir,
+      configFile,
+      port,
+      retention,
+    }:
+    {
+      after = [
+        "zfs-media-database-prometheus.mount"
+        "network.target"
+      ];
+      requires = [ "zfs-media-database-prometheus.mount" ];
+      wantedBy = [ "multi-user.target" ];
+      unitConfig.RequiresMountsFor = [ dataDir ];
+      serviceConfig = {
+        ExecStart = "${lib.getExe pkgs.prometheus} ${
+          lib.escapeShellArgs [
+            "--config.file=${configFile}"
+            "--storage.tsdb.path=${dataDir}"
+            "--storage.tsdb.retention.time=${retention}"
+            "--web.listen-address=127.0.0.1:${toString port}"
+          ]
+        }";
+        User = "prometheus";
+        Group = "prometheus";
+        Restart = "always";
+        RestartSec = "5s";
+        WorkingDirectory = dataDir;
+        ReadWritePaths = [ dataDir ];
+        CapabilityBoundingSet = [ "" ];
+        DeviceAllow = [ "/dev/null rw" ];
+        DevicePolicy = "strict";
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProtectSystem = "strict";
+        RemoveIPC = true;
+        RestrictAddressFamilies = [
+          "AF_INET"
+          "AF_INET6"
+          "AF_UNIX"
+        ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service"
+          "~@privileged"
+        ];
+      };
+    };
+in
+{
+  users = {
+    groups.prometheus = { };
+    users.prometheus = {
+      isSystemUser = true;
+      group = "prometheus";
+      description = "Prometheus daemon user";
+    };
+  };
+
+  systemd = {
+    services = {
+      prometheus-main = mkPrometheusService {
+        configFile = mainPrometheusConfig;
+        dataDir = mainPrometheusDataDir;
+        port = 9090;
+        retention = "90d";
+      };
+
+      prometheus-pid-short = mkPrometheusService {
+        configFile = pidPrometheusConfig;
+        dataDir = pidPrometheusDataDir;
+        port = 9092;
+        retention = "10m";
+      };
+    };
+
+    tmpfiles.rules = [
+      "d ${prometheusDataRoot} 0755 root root - -"
+      "d ${mainPrometheusDataDir} 0750 prometheus prometheus - -"
+      "d ${pidPrometheusDataDir} 0750 prometheus prometheus - -"
+    ];
+  };
+}

systems/jeeves/networking.nix

@@ -1,4 +1,13 @@
 {
+  # Docker loads br_netfilter on jeeves. Disable bridge netfilter so
+  # br-nix-builder behaves like a pure L2 bridge and bridged traffic
+  # does not hit the host firewall/rpfilter path.
+  boot.kernel.sysctl = {
+    "net.bridge.bridge-nf-call-arptables" = 0;
+    "net.bridge.bridge-nf-call-ip6tables" = 0;
+    "net.bridge.bridge-nf-call-iptables" = 0;
+  };
+
   networking = {
     hostName = "jeeves";
     hostId = "0e15ce35";
@@ -34,11 +43,18 @@
       };
     };
     networks = {
-      "10-1GB_Primary" = {
-        matchConfig.Name = "enp97s0f1";
+      "10-Primary" = {
+        matchConfig.Name = "enp97s0";
         address = [ "192.168.99.14/24" ];
+        dns = [
+          "192.168.99.1"
+          "2600:4040:abfb:d700::1"
+        ];
         routes = [ { Gateway = "192.168.99.1"; } ];
         vlan = [ "internet-vlan" ];
+        dhcpV4Config.UseDNS = false;
+        dhcpV6Config.UseDNS = false;
+        ipv6AcceptRAConfig.UseDNS = false;
         linkConfig.RequiredForOnline = "routable";
       };
       "50-internet-vlan" = {
@@ -49,23 +65,10 @@
       "60-br-nix-builder" = {
         matchConfig.Name = "br-nix-builder";
         bridgeConfig = { };
-        address = [ "192.168.3.10/24" ];
-        routingPolicyRules = [
-          {
-            From = "192.168.3.0/24";
-            Table = 100;
-            Priority = 100;
-          }
-        ];
-        routes = [
-          {
-            Gateway = "192.168.3.1";
-            Table = 100;
-            GatewayOnLink = false;
-            Metric = 2048;
-            PreferredSource = "192.168.3.10";
-          }
-        ];
+        networkConfig = {
+          IPv6AcceptRA = false;
+          LinkLocalAddressing = "no";
+        };
         linkConfig.RequiredForOnline = "no";
       };
     };

systems/jeeves/programs.nix

@@ -3,5 +3,6 @@
   environment.systemPackages = with pkgs; [
     filebot
     docker-compose
+    ffmpeg
   ];
 }

systems/jeeves/runners/default.nix

@@ -1,20 +1,7 @@
-{ pkgs, ... }:
+{ ... }:
 {
   imports = [ ./nix_builder.nix ];
 
-  users = {
-    users.github-runners = {
-      shell = pkgs.bash;
-      isSystemUser = true;
-      group = "github-runners";
-      uid = 601;
-      openssh.authorizedKeys.keys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA/S8i+BNX/12JNKg+5EKGX7Aqimt5KM+ve3wt/SyWuO github-runners" # cspell:disable-line
-      ];
-    };
-    groups.github-runners.gid = 601;
-  };
-
   services.nix_builder.containers = {
     nix-builder-00.enable = true;
     nix-builder-01.enable = true;

systems/jeeves/runners/nix_builder.nix

@@ -2,6 +2,7 @@
   config,
   lib,
   outputs,
+  utils,
   ...
 }:
 
@@ -9,6 +10,8 @@ with lib;
 let
   vars = import ../vars.nix;
   cfg = config.services.nix_builder;
+  runnerUsername = "gitea-runner";
+  runnerUserid = 601;
 in
 {
   options.services.nix_builder = {
@@ -23,37 +26,40 @@ in
         types.submodule (
           { name, ... }:
           {
-            options.enable = mkEnableOption "GitHub runner container";
+            options.enable = mkEnableOption "Gitea runner container";
           }
         )
       );
       default = { };
-      description = "GitHub runner container configurations";
+      description = "Gitea runner container configurations";
     };
   };
 
   config = {
+    users = {
+      users.${runnerUsername} = {
+        isSystemUser = true;
+        group = runnerUsername;
+        uid = runnerUserid;
+      };
+      groups.${runnerUsername}.gid = runnerUserid;
+    };
+
     containers = mapAttrs (
       name: containerCfg:
       mkIf containerCfg.enable {
         autoStart = true;
         privateNetwork = true;
         hostBridge = cfg.bridgeName;
-        ephemeral = true;
         bindMounts = {
-          storage = {
-            hostPath = "/zfs/media/github-runners/${name}";
-            mountPoint = "/zfs/media/github-runners/${name}";
-            isReadOnly = false;
-          };
           host-nix = {
             mountPoint = "/host-nix/var/nix/daemon-socket";
             hostPath = "/nix/var/nix/daemon-socket";
             isReadOnly = false;
           };
-          pat = {
-            hostPath = "${vars.secrets}/services/github-runners/runner_pat";
-            mountPoint = "${vars.secrets}/services/github-runners/runner_pat";
+          token = {
+            hostPath = "${vars.secrets}/services/gitea-runners";
+            mountPoint = "/run/secrets/gitea-runners";
             isReadOnly = true;
           };
         };
@@ -92,46 +98,69 @@ in
                 "nix-command"
               ];
               sandbox = true;
-              allowed-users = [ "github-runners" ];
+              allowed-users = [ "gitea-runner" ];
               trusted-users = [
                 "root"
-                "github-runners"
+                "gitea-runner"
               ];
             };
             nixpkgs = {
               overlays = builtins.attrValues outputs.overlays;
               config.allowUnfree = true;
             };
-            services.github-runners.${name} = {
+            users = {
+              users.${runnerUsername} = {
+                isSystemUser = true;
+                group = runnerUsername;
+                uid = runnerUserid;
+              };
+              groups.${runnerUsername}.gid = runnerUserid;
+            };
+            services.gitea-actions-runner.instances.${name} = {
               enable = true;
-              replace = true;
-              workDir = "/zfs/media/github-runners/${name}";
-              url = "https://github.com/RichieCahill/dotfiles";
-              extraLabels = [ "nixos" ];
-              tokenFile = "${vars.secrets}/services/github-runners/runner_pat";
-              user = "github-runners";
-              group = "github-runners";
-              extraPackages = with pkgs; [
+              name = "jeeves-${name}";
+              url = "http://192.168.99.14:6443/";
+              labels = [
+                "self-hosted:host"
+                "nixos:host"
+              ];
+              tokenFile = "/run/secrets/gitea-runners/registration-token";
+              hostPackages = with pkgs; [
+                bash
+                coreutils
+                curl
+                gawk
                 gitMinimal
-                gh
+                gnused
+                my_python
+                nix
                 nixfmt
                 nixos-rebuild
+                nodejs
                 treefmt
-                my_python
+                wget
               ];
             };
-            users = {
-              users.github-runners = {
-                shell = pkgs.bash;
-                isSystemUser = true;
-                group = "github-runners";
-                uid = 601;
+            systemd.services."gitea-runner-${utils.escapeSystemdPath name}" = {
+              serviceConfig = {
+                DynamicUser = mkForce false;
+                User = mkForce runnerUsername;
+                Group = mkForce runnerUsername;
               };
-              groups.github-runners.gid = 601;
             };
             system.stateVersion = "24.05";
           };
       }
     ) cfg.containers;
+
+    systemd.services = builtins.listToAttrs (
+      map (name: {
+        name = "container@${name}";
+        value = {
+          requires = [ "gitea.service" ];
+          after = [ "gitea.service" ];
+        };
+      }) (builtins.attrNames (filterAttrs (_: c: c.enable) cfg.containers))
+    );
   };
 }

systems/jeeves/scripts/zfs.sh

@@ -15,18 +15,21 @@ sudo zpool add storage -o ashift=12 logs mirror
 sudo zpool create scratch -o ashift=12 -O acltype=posixacl -O atime=off -O dnodesize=auto -O xattr=sa -O compression=zstd -O encryption=aes-256-gcm -O keyformat=hex -O keylocation=file:///key -m /zfs/scratch
 
 # media datasets
+sudo zfs create media/temp -o sync=disabled -o redundant_metadata=none
 sudo zfs create media/secure -o encryption=aes-256-gcm -o keyformat=hex -o keylocation=file:///root/zfs.key
 sudo zfs create media/secure/docker -o compression=zstd-9
 sudo zfs create media/secure/github-runners -o compression=zstd-9 -o sync=disabled
 sudo zfs create media/secure/home_assistant -o compression=zstd-19
 sudo zfs create media/secure/notes -o copies=2
-sudo zfs create media/secure/postgres -o recordsize=16k -o primarycache=metadata
+sudo zfs create media/secure/postgres -o mountpoint=/zfs/media/database/postgres -o recordsize=16k -o primarycache=metadata
+sudo zfs create media/secure/postgres-wal -o mountpoint=/zfs/media/database/postgres-wal -o recordsize=32k -o primarycache=metadata -o special_small_blocks=32K -o compression=lz4 -o secondarycache=none -o logbias=latency
+sudo zfs create media/secure/prometheus -o mountpoint=/zfs/media/database/prometheus -o compression=lz4
 sudo zfs create media/secure/services -o compression=zstd-9
 sudo zfs create media/secure/share -o mountpoint=/zfs/media/share -o exec=off
 
 # scratch datasets
 sudo zfs create scratch/kafka -o mountpoint=/zfs/scratch/kafka -o recordsize=1M
-sudo zfs create scratch/transmission -o mountpoint=/zfs/scratch/transmission -o recordsize=16k -o sync=disabled
+sudo zfs create scratch/transmission -o mountpoint=/zfs/scratch/transmission -o recordsize=16k -o sync=disabled -o redundant_metadata=none
 
 # storage datasets
 sudo zfs create storage/ollama -o recordsize=1M -o compression=zstd-19 -o sync=disabled
@@ -39,3 +42,4 @@ sudo zfs create storage/secure/plex -o recordsize=1M -o compression=zstd-19
 sudo zfs create storage/secure/secrets -o compression=zstd-19 -o copies=3
 sudo zfs create storage/secure/syncthing -o compression=zstd-19
 sudo zfs create storage/secure/transmission -o recordsize=1M -o compression=zstd-9 -o exec=off -o sync=disabled
+sudo zfs create storage/secure/important -o compression=zstd-19 -o copies=2 -o mountpoint=/zfs/storage/important

systems/jeeves/services/audiobookshelf.nix

@@ -3,7 +3,10 @@ let
   vars = import ../vars.nix;
 in
 {
-  services.audiobookshelf.enable = true;
+  services.audiobookshelf = {
+    enable = true;
+    port = 8000;
+  };
   systemd.services.audiobookshelf.serviceConfig.WorkingDirectory =
     lib.mkForce "${vars.docker_configs}/audiobookshelf";
   users.users.audiobookshelf.home = lib.mkForce "${vars.docker_configs}/audiobookshelf";

systems/jeeves/services/camofox-browser.nix

@@ -0,0 +1,80 @@
+{
+  ...
+}:
+let
+  vars = import ../vars.nix;
+in
+{
+  systemd.tmpfiles.rules = [
+    "d ${vars.docker_configs}/camofox-browser 0750 root root - -"
+  ];
+
+  containers.camofox-browser = {
+    autoStart = true;
+    privateNetwork = false;
+    bindMounts = {
+      camofox-browser = {
+        hostPath = "${vars.docker_configs}/camofox-browser";
+        mountPoint = "/var/lib/camofox-browser";
+        isReadOnly = false;
+      };
+    };
+    config =
+      {
+        pkgs,
+        lib,
+        ...
+      }:
+      {
+        networking.hostName = "camofox-browser";
+
+        environment.systemPackages = with pkgs; [
+          ffmpeg
+          git
+          nodejs
+          python3Packages.yt-dlp
+        ];
+
+        systemd.services.camofox-browser = {
+          description = "Camofox browser server";
+          wantedBy = [ "multi-user.target" ];
+          after = [ "network.target" ];
+          environment = {
+            CAMOFOX_HOST = "127.0.0.1";
+            CAMOFOX_PORT = "9377";
+            HOME = "/var/lib/camofox-browser";
+          };
+          path = with pkgs; [
+            bash
+            coreutils
+            git
+            nodejs
+          ];
+          serviceConfig = {
+            Restart = "always";
+            RestartSec = "5s";
+            WorkingDirectory = "/var/lib/camofox-browser";
+          };
+          script = ''
+            set -eu
+
+            app_dir=/var/lib/camofox-browser/app
+
+            if [ ! -d "$app_dir/.git" ]; then
+              git clone --depth 1 https://github.com/jo-inc/camofox-browser "$app_dir"
+            fi
+
+            cd "$app_dir"
+
+            if [ ! -d node_modules ]; then
+              npm install
+            fi
+
+            exec npm start
+          '';
+        };
+
+        system.stateVersion = lib.mkDefault "24.05";
+      };
+  };
+}

systems/jeeves/services/cloud_flare_tunnel.nix

@@ -1,17 +0,0 @@
-{ pkgs, ... }:
-let
-  vars = import ../vars.nix;
-in
-{
-  systemd.services.cloud_flare_tunnel = {
-    description = "cloud_flare_tunnel proxy's traffic through cloudflare";
-    after = [ "network.target" ];
-    wantedBy = [ "multi-user.target" ];
-    serviceConfig = {
-      Type = "simple";
-      EnvironmentFile = "${vars.secrets}/docker/cloud_flare_tunnel";
-      ExecStart = "${pkgs.cloudflared}/bin/cloudflared --no-autoupdate tunnel run";
-      Restart = "on-failure";
-    };
-  };
-}

systems/jeeves/services/gitea.nix

@@ -2,7 +2,10 @@ let
   vars = import ../vars.nix;
 in
 {
-  networking.firewall.allowedTCPPorts = [ 6443 ];
+  networking.firewall.allowedTCPPorts = [
+    6443
+    2223
+  ];
 
   services.gitea = {
     enable = true;
@@ -18,13 +21,17 @@ in
       createDatabase = false;
     };
     settings = {
+      actions = {
+        ENABLED = true;
+        DEFAULT_ACTIONS_URL = "github";
+      };
       service.DISABLE_REGISTRATION = true;
       server = {
         DOMAIN = "tmmworkshop.com";
         ROOT_URL = "https://gitea.tmmworkshop.com/";
         HTTP_PORT = 6443;
         SSH_PORT = 2223;
-        SSH_LISTEN_PORT = 2224;
+        SSH_LISTEN_PORT = 2223;
         START_SSH_SERVER = true;
         PUBLIC_URL_DETECTION = "auto";
       };

systems/jeeves/services/grafana.nix

@@ -0,0 +1,80 @@
+{
+  ...
+}:
+let
+  vars = import ../vars.nix;
+  grafanaDataDir = "${vars.services}/grafana";
+in
+{
+  networking.firewall.allowedTCPPorts = [ 3000 ];
+
+  services.grafana = {
+    enable = true;
+    dataDir = grafanaDataDir;
+    settings = {
+      database.type = "sqlite3";
+      security = {
+        admin_password = "$__file{${vars.secrets}/services/grafana/admin_password}";
+        admin_user = "admin";
+        secret_key = "$__file{${vars.secrets}/services/grafana/secret_key}";
+      };
+      server = {
+        http_addr = "192.168.90.40";
+        http_port = 3000;
+        root_url = "http://192.168.90.40:3000/";
+      };
+    };
+    provision = {
+      enable = true;
+      dashboards.settings = {
+        apiVersion = 1;
+        providers = [
+          {
+            name = "monitoring";
+            folder = "Monitoring";
+            type = "file";
+            disableDeletion = false;
+            editable = false;
+            allowUiUpdates = false;
+            updateIntervalSeconds = 30;
+            options.path = ../monitoring/dashboards;
+          }
+        ];
+      };
+      datasources.settings = {
+        apiVersion = 1;
+        prune = true;
+        datasources = [
+          {
+            access = "proxy";
+            editable = false;
+            isDefault = true;
+            name = "prom-main";
+            type = "prometheus";
+            uid = "prom-main";
+            url = "http://127.0.0.1:9090";
+          }
+          {
+            access = "proxy";
+            editable = false;
+            name = "prom-pid-short";
+            type = "prometheus";
+            uid = "prom-pid-short";
+            url = "http://127.0.0.1:9092";
+          }
+        ];
+      };
+    };
+  };
+
+  systemd = {
+    services.grafana.after = [
+      "prometheus-main.service"
+      "prometheus-pid-short.service"
+    ];
+
+    tmpfiles.rules = [
+      "d ${grafanaDataDir} 0750 grafana grafana - -"
+    ];
+  };
+}

systems/jeeves/services/kafka.nix

@@ -7,6 +7,13 @@ in
     settings = {
       listeners = [ "PLAINTEXT://localhost:9092" ];
       "log.dirs" = [ vars.kafka ];
+      "num.partitions" = 6;
+      "default.replication.factor" = 1;
+      "log.retention.hours" = 168;
+      "log.retention.bytes" = 10737418240;
+      "log.segment.bytes" = 1073741824;
+      "log.cleanup.policy" = "delete";
+      "auto.create.topics.enable" = false;
     };
   };
 }

systems/jeeves/services/nornsight.nix

@@ -0,0 +1,107 @@
+{ pkgs, ... }:
+let
+  vars = import ../vars.nix;
+  stateDir = "${vars.services}/nornsight";
+  appDir = "${stateDir}/app";
+  binPath = pkgs.lib.makeBinPath [
+    pkgs.binutils
+    pkgs.libpq
+    pkgs.postgresql
+    pkgs.stdenv.cc
+  ];
+  libraryPath = pkgs.lib.makeLibraryPath [
+    pkgs.libpq
+    pkgs.postgresql.lib
+  ];
+in
+{
+  systemd.tmpfiles.rules = [
+    "d ${stateDir} 0750 nornsight nornsight - -"
+  ];
+
+  users.users.nornsight = {
+    isSystemUser = true;
+    group = "nornsight";
+    home = stateDir;
+  };
+
+  systemd.services.nornsight = {
+    description = "Norn Sight";
+    after = [ "network-online.target" ];
+    wants = [ "network-online.target" ];
+    wantedBy = [ "multi-user.target" ];
+
+    environment = {
+      HOME = stateDir;
+      UV_CACHE_DIR = "${stateDir}/.cache/uv";
+      UV_PROJECT_ENVIRONMENT = "${appDir}/.venv";
+      UV_PYTHON = "${pkgs.python313}/bin/python3.13";
+      UV_PYTHON_DOWNLOADS = "never";
+      LD_LIBRARY_PATH = libraryPath;
+      LIBRARY_PATH = libraryPath;
+      PSYCOPG_IMPL = "python";
+    };
+
+    path = with pkgs; [
+      bash
+      coreutils
+      git
+      uv
+    ];
+
+    serviceConfig = {
+      Type = "simple";
+      User = "nornsight";
+      Group = "nornsight";
+      EnvironmentFile = "-${vars.secrets}/services/nornsight";
+      WorkingDirectory = stateDir;
+      Restart = "on-failure";
+      RestartSec = "5s";
+      StandardOutput = "journal";
+      StandardError = "journal";
+      NoNewPrivileges = true;
+      PrivateTmp = true;
+      ProtectHome = true;
+      ProtectSystem = "strict";
+      ReadWritePaths = [ stateDir ];
+    };
+
+    script = ''
+      set -eu
+      export PATH="${binPath}:$PATH"
+      export LD_LIBRARY_PATH="${libraryPath}:''${LD_LIBRARY_PATH:-}"
+      export LIBRARY_PATH="${libraryPath}:''${LIBRARY_PATH:-}"
+
+      : "''${NORN_SIGHT_REPO_URL:?NORN_SIGHT_REPO_URL is required}"
+      branch="''${NORN_SIGHT_BRANCH:-main}"
+
+      if [ -d "${appDir}/.git" ]; then
+        current_origin="$(git -C "${appDir}" remote get-url origin)"
+        if [ "$current_origin" != "$NORN_SIGHT_REPO_URL" ]; then
+          rm -rf "${appDir}"
+        fi
+      fi
+
+      if [ ! -d "${appDir}/.git" ]; then
+        git clone --branch "$branch" "$NORN_SIGHT_REPO_URL" "${appDir}"
+      else
+        cd "${appDir}"
+        git fetch origin "$branch"
+        git checkout "$branch"
+        git pull --ff-only origin "$branch"
+      fi
+
+      cd "${appDir}"
+      uv sync --upgrade
+      uv run python - <<'PY'
+      import ctypes.util
+      import os
+
+      print(f"LD_LIBRARY_PATH={os.environ.get('LD_LIBRARY_PATH')}")
+      print(f"LIBRARY_PATH={os.environ.get('LIBRARY_PATH')}")
+      print(f"libpq={ctypes.util.find_library('pq')}")
+      PY
+      exec uv run uvicorn pipelines.web.main:app --host 0.0.0.0 --port 8001
+    '';
+  };
+}

systems/jeeves/services/postgress.nix

@@ -5,9 +5,14 @@ in
 {
   networking.firewall.allowedTCPPorts = [ 5432 ];
 
+  # Symlink pg_wal to a ZFS dataset on the special (metadata) vdev for fast WAL writes
+  # this is required for systemd sandboxing
+  systemd.services.postgresql.serviceConfig.ReadWritePaths = [ "/zfs/media/database/postgres-wal" ];
+
   services.postgresql = {
     enable = true;
     package = pkgs.postgresql_17_jit;
+    extensions = ps: with ps; [ pgvector ];
     enableTCPIP = true;
     enableJIT = true;
     dataDir = "${vars.database}/postgres";
@@ -33,12 +38,19 @@ in
       # signalbot
       local signalbot  signalbot   trust
 
+      # hedgedoc
+      local hedgedoc   hedgedoc    trust
+
       # math
       local postgres  math   trust
       host  postgres  math   127.0.0.1/32    trust
       host  postgres  math   ::1/128         trust
       host  postgres  math   192.168.90.1/24 trust
 
+      local data_science_dev  math   trust
+      host  data_science_dev  math   127.0.0.1/32    trust
+      host  data_science_dev  math   ::1/128         trust
+      host  data_science_dev  math   192.168.90.1/24 trust
     '';
 
     identMap = ''
@@ -108,10 +120,19 @@ in
           login = true;
         };
       }
+      {
+        name = "hedgedoc";
+        ensureDBOwnership = true;
+        ensureClauses = {
+          login = true;
+        };
+      }
     ];
     ensureDatabases = [
+      "data_science_dev"
       "hass"
       "gitea"
+      "hedgedoc"
       "math"
       "n8n"
       "richie"

systems/jeeves/services/signal_bot.nix

@@ -1,57 +0,0 @@
-{
-  pkgs,
-  inputs,
-  ...
-}:
-let
-  vars = import ../vars.nix;
-in
-{
-  users = {
-    users.signalbot = {
-      isSystemUser = true;
-      group = "signalbot";
-    };
-    groups.signalbot = { };
-  };
-
-  systemd.services.signal-bot = {
-    description = "Signal command and control bot";
-    after = [
-      "network.target"
-      "podman-signal_cli_rest_api.service"
-    ];
-    wants = [ "podman-signal_cli_rest_api.service" ];
-    wantedBy = [ "multi-user.target" ];
-
-    environment = {
-      PYTHONPATH = "${inputs.self}";
-      SIGNALBOT_DB = "signalbot";
-      SIGNALBOT_USER = "signalbot";
-      SIGNALBOT_HOST = "/run/postgresql";
-      SIGNALBOT_PORT = "5432";
-    };
-
-    serviceConfig = {
-      Type = "simple";
-      WorkingDirectory = "${inputs.self}";
-      User = "signalbot";
-      Group = "signalbot";
-      EnvironmentFile = "${vars.secrets}/services/signal-bot";
-      ExecStart = "${pkgs.my_python}/bin/python -m python.signal_bot.main";
-      StateDirectory = "signal-bot";
-      Restart = "on-failure";
-      RestartSec = "10s";
-      StandardOutput = "journal";
-      StandardError = "journal";
-      NoNewPrivileges = true;
-      ProtectSystem = "strict";
-      ProtectHome = "read-only";
-      PrivateTmp = true;
-      ReadWritePaths = [ "/var/lib/signal-bot" ];
-      ReadOnlyPaths = [
-        "${inputs.self}"
-      ];
-    };
-  };
-}

systems/jeeves/services/validate_system.toml

@@ -1,7 +1,6 @@
 zpool = ["root_pool", "storage", "media"]
 services = [
     "audiobookshelf",
-    "cloud_flare_tunnel",
     "haproxy",
     "docker",
     "home-assistant",

systems/jeeves/snapshot_config.toml

@@ -4,6 +4,7 @@ hourly = 24
 daily = 0
 monthly = 0
 
+# root_pool
 ["root_pool/home"]
 15_min = 8
 hourly = 24
@@ -27,57 +28,96 @@ monthly = 0
 hourly = 24
 daily = 30
 monthly = 6
+# storage
+["storage/ollama"]
+15_min = 2
+hourly = 0
+daily = 0
+monthly = 0
 
-["storage/plex"]
+["storage/secure"]
+15_min = 0
+hourly = 0
+daily = 0
+monthly = 0
+
+["storage/secure/plex"]
 15_min = 6
 hourly = 2
 daily = 1
 monthly = 0
 
-["media/plex"]
-15_min = 6
-hourly = 2
-daily = 1
+["storage/secure/transmission"]
+15_min = 4
+hourly = 0
+daily = 0
 monthly = 0
 
-["media/notes"]
+["storage/secure/secrets"]
 15_min = 8
 hourly = 24
 daily = 30
 monthly = 12
 
-["media/docker"]
-15_min = 3
-hourly = 12
-daily = 14
-monthly = 2
-
-["media/services"]
-15_min = 3
-hourly = 12
-daily = 14
-monthly = 2
-
-["media/home_assistant"]
+# media
+["media/temp"]
+15_min = 2
+hourly = 0
+daily = 0
+monthly = 0
+
+["media/secure"]
+15_min = 0
+hourly = 0
+daily = 0
+monthly = 0
+
+["media/secure/plex"]
+15_min = 6
+hourly = 2
+daily = 1
+monthly = 0
+
+["media/secure/postgres-wal"]
+15_min = 4
+hourly = 2
+daily = 0
+monthly = 0
+
+
+["media/secure/postgres"]
+15_min = 8
+hourly = 24
+daily = 7
+monthly = 0
+
+["media/secure/share"]
+15_min = 4
+hourly = 0
+daily = 0
+monthly = 0
+
+["media/secure/github-runners"]
+15_min = 6
+hourly = 2
+daily = 1
+monthly = 0
+
+["media/secure/notes"]
+15_min = 8
+hourly = 24
+daily = 30
+monthly = 12
+
+["media/secure/docker"]
 15_min = 3
 hourly = 12
 daily = 14
 monthly = 2
 
+# scratch
 ["scratch/transmission"]
-15_min = 0
-hourly = 0
-daily = 0
-monthly = 0
-
-["storage/transmission"]
-15_min = 0
-hourly = 0
-daily = 0
-monthly = 0
-
-["storage/ollama"]
-15_min = 0
+15_min = 2
 hourly = 0
 daily = 0
 monthly = 0

systems/jeeves/syncthing.nix

@@ -10,6 +10,14 @@ in
     settings = {
       devices.davids-server.id = "7GXTDGR-AOXFW2O-K6J7NM3-XYZNRRW-AKHAFWM-GBOWUPQ-OA6JIWD-ER7RDQL"; # cspell:disable-line
       folders = {
+        photos = {
+          path = "${vars.syncthing}/important";
+          devices = [
+            "rhapsody-in-green"
+            "phone"
+          ];
+          fsWatcherEnabled = true;
+        };
         "dotfiles" = {
           path = "/home/richie/dotfiles";
           devices = [
@@ -89,7 +97,16 @@ in
           ];
           fsWatcherEnabled = true;
         };
-        #
+        "recordings" = {
+          path = "/home/richie/recordings";
+          devices = [
+            "bob"
+            "phone"
+            "rhapsody-in-green"
+          ];
+          fsWatcherEnabled = true;
+        };
+        # davids-server
         "davids-backup1" = {
           id = "8229p-8z3tm"; # cspell:disable-line
           path = "${vars.syncthing}/davids_backups/1";

systems/jeeves/web_services/acme.nix

@@ -0,0 +1,74 @@
+let
+  domains = [
+    "audiobookshelf"
+    "cache"
+    "gitea"
+    "jellyfin"
+    "share"
+  ];
+  extraDomains = [ "www.norn-sight.com" ];
+
+  makeCert = name: {
+    name = "${name}.tmmworkshop.com";
+    value = {
+      webroot = "/var/lib/acme/.challenges";
+      group = "acme";
+      reloadServices = [ "haproxy.service" ];
+    };
+  };
+
+  makeExtraCert = name: {
+    inherit name;
+    value = {
+      webroot = "/var/lib/acme/.challenges";
+      group = "acme";
+      reloadServices = [ "haproxy.service" ];
+    };
+  };
+
+  acmeServices =
+    map (domain: "acme-${domain}.tmmworkshop.com.service") domains
+    ++ map (domain: "acme-${domain}.service") extraDomains;
+in
+{
+  users.users.haproxy.extraGroups = [ "acme" ];
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "Richie@tmmworkshop.com";
+    certs = builtins.listToAttrs ((map makeCert domains) ++ (map makeExtraCert extraDomains));
+  };
+
+  # Minimal nginx to serve ACME HTTP-01 challenge files for HAProxy
+  services.nginx = {
+    enable = true;
+    virtualHosts."acme-challenge" = {
+      listen = [
+        {
+          addr = "127.0.0.1";
+          port = 8402;
+        }
+      ];
+      locations."/.well-known/acme-challenge/" = {
+        root = "/var/lib/acme/.challenges";
+      };
+    };
+  };
+
+  # Ensure the challenge directory exists with correct permissions
+  systemd.tmpfiles.rules = [
+    "d /var/lib/acme/.challenges 0750 acme acme - -"
+    "d /var/lib/acme/.challenges/.well-known 0750 acme acme - -"
+    "d /var/lib/acme/.challenges/.well-known/acme-challenge 0750 acme acme - -"
+  ];
+
+  users.users.nginx.extraGroups = [ "acme" ];
+
+  # HAProxy needs certs to exist before it can bind :443.
+  # NixOS's acme module generates self-signed placeholders on first boot
+  # via acme-<domain>.service — just make HAProxy wait for them.
+  systemd.services.haproxy = {
+    after = acmeServices;
+    wants = acmeServices;
+  };
+}

systems/jeeves/web_services/default.nix

@@ -0,0 +1,9 @@
+{ lib, ... }:
+{
+  imports =
+    let
+      files = builtins.attrNames (builtins.readDir ./.);
+      nixFiles = builtins.filter (name: lib.hasSuffix ".nix" name && name != "default.nix") files;
+    in
+    map (file: ./. + "/${file}") nixFiles;
+}

systems/jeeves/web_services/haproxy.cfg

@@ -6,6 +6,7 @@ global
 defaults
   log global
   mode http
+  option httplog
   retries 3
   maxconn 2000
   timeout connect 5s
@@ -22,24 +23,38 @@ defaults
 #Application Setup
 frontend ContentSwitching
   bind *:80 v4v6
-  bind *:443 v4v6 ssl crt /zfs/storage/secrets/docker/cloudflare.pem
+  bind *:443 v4v6 ssl crt /var/lib/acme/audiobookshelf.tmmworkshop.com/full.pem crt /var/lib/acme/cache.tmmworkshop.com/full.pem crt /var/lib/acme/jellyfin.tmmworkshop.com/full.pem crt /var/lib/acme/share.tmmworkshop.com/full.pem crt /var/lib/acme/gitea.tmmworkshop.com/full.pem crt /var/lib/acme/www.norn-sight.com/full.pem
   mode  http
+
+  # ACME challenge routing (must be first)
+  acl is_acme path_beg /.well-known/acme-challenge/
+
   # tmmworkshop.com
   acl host_audiobookshelf  hdr(host) -i audiobookshelf.tmmworkshop.com
   acl host_cache  hdr(host) -i cache.tmmworkshop.com
   acl host_jellyfin  hdr(host) -i jellyfin.tmmworkshop.com
   acl host_share  hdr(host) -i share.tmmworkshop.com
-  acl host_gcw  hdr(host) -i gcw.tmmworkshop.com
-  acl host_n8n  hdr(host) -i n8n.tmmworkshop.com
   acl host_gitea  hdr(host) -i gitea.tmmworkshop.com
+  acl host_norn_sight  hdr(host) -i www.norn-sight.com
 
+  # Hosts allowed to serve plain HTTP (add entries to skip the HTTPS redirect)
+  acl allow_http hdr(host) -i __none__
+  # acl allow_http hdr(host) -i example.tmmworkshop.com
+
+  # Redirect all HTTP to HTTPS unless on the allow list or ACME challenge
+  http-request redirect scheme https code 301 if !{ ssl_fc } !allow_http !is_acme
+
+  use_backend acme_challenge if is_acme
   use_backend audiobookshelf_nodes if host_audiobookshelf
   use_backend cache_nodes  if host_cache
   use_backend jellyfin if host_jellyfin
   use_backend share_nodes  if host_share
-  use_backend gcw_nodes  if host_gcw
-  use_backend n8n  if host_n8n
   use_backend gitea  if host_gitea
+  use_backend norn_sight  if host_norn_sight
+
+backend acme_challenge
+  mode http
+  server acme 127.0.0.1:8402
 
 backend audiobookshelf_nodes
   mode http
@@ -60,14 +75,10 @@ backend share_nodes
   mode http
   server server 127.0.0.1:8091
 
-backend gcw_nodes
-  mode http
-  server server 127.0.0.1:8092
-
-backend n8n
-  mode http
-  server server 127.0.0.1:5678
-
 backend gitea
   mode http
-  server server 127.0.0.1:6443
+  server server 127.0.0.1:6443
+
+backend norn_sight
+  mode http
+  server server 127.0.0.1:8001

systems/rhapsody-in-green/agent_logger.nix

@@ -0,0 +1,35 @@
+{
+  pkgs,
+  inputs,
+  ...
+}:
+{
+  systemd.services.agent-logger = {
+    description = "Unified agent logger";
+    after = [ "local-fs.target" ];
+    wantedBy = [ "multi-user.target" ];
+
+    environment = {
+      AGENT_LOG_DB = "/var/lib/agent-logger/agent_log.sqlite";
+      HOME = "/home/richie";
+      PYTHONPATH = "${inputs.self}";
+    };
+
+    serviceConfig = {
+      Type = "simple";
+      User = "richie";
+      WorkingDirectory = "/home/richie";
+      ExecStart = "${pkgs.my_python}/bin/python -m python.agent_logger.main";
+      StateDirectory = "agent-logger";
+      Restart = "on-failure";
+      RestartSec = "5s";
+      StandardOutput = "journal";
+      StandardError = "journal";
+      NoNewPrivileges = true;
+      ProtectSystem = "strict";
+      ProtectHome = "read-only";
+      PrivateTmp = true;
+      ReadOnlyPaths = [ "${inputs.self}" ];
+    };
+  };
+}

systems/rhapsody-in-green/default.nix

@@ -11,8 +11,8 @@
     "${inputs.self}/common/optional/yubikey.nix"
     "${inputs.self}/common/optional/zerotier.nix"
     ./hardware.nix
-    ./llms.nix
     ./open_webui.nix
+    ./programs.nix
     ./qmk.nix
     ./syncthing.nix
     inputs.nixos-hardware.nixosModules.framework-13-7040-amd
@@ -23,11 +23,20 @@
     hostId = "6404140d";
     firewall = {
       enable = true;
-      allowedTCPPorts = [ ];
+      allowedTCPPorts = [
+        8000
+        8080
+        8081
+      ];
     };
     networkmanager.enable = true;
   };
 
+  programs.appimage = {
+    enable = true;
+    binfmt = true; # allows *.AppImage to be run directly
+  };
+
   services = {
     openssh.ports = [ 922 ];
     flatpak.enable = true;

systems/rhapsody-in-green/llms.nix

@@ -1,30 +0,0 @@
-{
-  services.ollama = {
-    user = "ollama";
-    enable = true;
-    host = "127.0.0.1";
-    syncModels = true;
-    loadModels = [
-      "deepscaler:1.5b"
-      "deepseek-r1:8b"
-      "gemma3:12b"
-      "gemma3:27b"
-      "gpt-oss:20b"
-      "lfm2:24b"
-      "qwen3:14b"
-      "qwen3.5:27b"
-    ];
-  };
-  systemd.services = {
-    ollama.serviceConfig = {
-      Nice = 19;
-      IOSchedulingPriority = 7;
-    };
-    ollama-model-loader.serviceConfig = {
-      Nice = 19;
-      CPUWeight = 50;
-      IOSchedulingClass = "idle";
-      IOSchedulingPriority = 7;
-    };
-  };
-}

systems/rhapsody-in-green/open_webui.nix

@@ -1,6 +1,7 @@
 {
   services.open-webui = {
     enable = true;
+    host = "0.0.0.0";
     environment = {
       ANONYMIZED_TELEMETRY = "False";
       DO_NOT_TRACK = "True";

systems/rhapsody-in-green/programs.nix

@@ -0,0 +1,6 @@
+{ pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    ffmpeg
+  ];
+}

systems/rhapsody-in-green/syncthing.nix

@@ -39,6 +39,14 @@
       ];
       fsWatcherEnabled = true;
     };
+    photos = {
+      path = "/home/richie/photos";
+      devices = [
+        "jeeves"
+        "phone"
+      ];
+      fsWatcherEnabled = true;
+    };
     "projects" = {
       id = "vyma6-lqqrz"; # cspell:disable-line
       path = "/home/richie/projects";
@@ -55,6 +63,15 @@
       ];
       fsWatcherEnabled = true;
     };
+    "recordings" = {
+      path = "/home/richie/recordings";
+      devices = [
+        "bob"
+        "jeeves"
+        "phone"
+      ];
+      fsWatcherEnabled = true;
+    };
     "vault" = {
       path = "/home/richie/vault";
       devices = [

tests/conftest.py

@@ -1,40 +0,0 @@
-"""Shared test fixtures."""
-
-from __future__ import annotations
-
-from typing import TYPE_CHECKING
-
-import pytest
-from sqlalchemy import create_engine, event
-
-from python.orm.signal_bot.base import SignalBotBase
-
-if TYPE_CHECKING:
-    from collections.abc import Generator
-
-    from sqlalchemy.engine import Engine
-
-
-@pytest.fixture(scope="session")
-def sqlite_engine() -> Generator[Engine]:
-    """Create an in-memory SQLite engine for testing."""
-    engine = create_engine("sqlite:///:memory:")
-
-    @event.listens_for(engine, "connect")
-    def _set_sqlite_pragma(dbapi_connection, _connection_record):
-        cursor = dbapi_connection.cursor()
-        cursor.execute("PRAGMA foreign_keys=ON")
-        cursor.close()
-
-    SignalBotBase.metadata.create_all(engine)
-    yield engine
-    engine.dispose()
-
-
-@pytest.fixture
-def engine(sqlite_engine: Engine) -> Generator[Engine]:
-    """Yield the shared engine after cleaning all tables between tests."""
-    yield sqlite_engine
-    with sqlite_engine.begin() as connection:
-        for table in reversed(SignalBotBase.metadata.sorted_tables):
-            connection.execute(table.delete())

tests/test_gitea_flake_lock.py

@@ -0,0 +1,113 @@
+"""Tests for Gitea flake.lock automation."""
+
+from __future__ import annotations
+
+from python.gitea import PullRequest
+from python.gitea_flake_lock import (
+    PR_CHECK_WORKFLOWS,
+    PR_LABELS,
+    dispatch_pull_request_checks,
+    ensure_flake_lock_pull_request,
+    find_flake_lock_pull_request,
+)
+
+
+def _pull_request(number=1, head_branch="automation/update-flake-lock"):
+    return PullRequest(
+        number=number,
+        title="Update flake.lock",
+        html_url=f"https://gitea.example.test/pulls/{number}",
+        labels=(),
+        head_branch=head_branch,
+        base_branch="main",
+    )
+
+
+class FakeGiteaClient:
+    def __init__(self, pull_requests=None):
+        self.pull_requests = pull_requests or []
+        self.dispatch_calls = []
+        self.list_calls = []
+        self.create_calls = []
+
+    def list_open_pull_requests(self, **kwargs):
+        self.list_calls.append(kwargs)
+        return self.pull_requests
+
+    def create_pull_request(self, **kwargs):
+        self.create_calls.append(kwargs)
+        return _pull_request()
+
+    def dispatch_workflow(self, **kwargs):
+        self.dispatch_calls.append(kwargs)
+
+
+def test_ensure_flake_lock_pull_request_finds_by_branch():
+    pull_request = _pull_request()
+    client = FakeGiteaClient([pull_request])
+
+    result = ensure_flake_lock_pull_request(
+        client,
+        owner="Richie",
+        repo="dotfiles",
+        branch="automation/update-flake-lock",
+        base="main",
+    )
+
+    assert result == pull_request
+    assert client.list_calls == [
+        {"owner": "Richie", "repo": "dotfiles", "head": "automation/update-flake-lock"},
+    ]
+    assert client.create_calls == []
+
+
+def test_ensure_flake_lock_pull_request_creates_with_labels():
+    client = FakeGiteaClient()
+
+    ensure_flake_lock_pull_request(
+        client,
+        owner="Richie",
+        repo="dotfiles",
+        branch="automation/update-flake-lock",
+        base="main",
+    )
+
+    assert client.create_calls == [
+        {
+            "owner": "Richie",
+            "repo": "dotfiles",
+            "title": "Update flake.lock",
+            "body": "Automated flake.lock update.",
+            "head": "automation/update-flake-lock",
+            "base": "main",
+            "labels": PR_LABELS,
+        },
+    ]
+
+
+def test_find_flake_lock_pull_request_finds_by_label():
+    pull_request = _pull_request()
+    client = FakeGiteaClient([pull_request])
+
+    result = find_flake_lock_pull_request(client, owner="Richie", repo="dotfiles")
+
+    assert result == pull_request
+    assert client.list_calls == [
+        {"owner": "Richie", "repo": "dotfiles", "labels": ["flake_lock_update"]},
+    ]
+
+
+def test_dispatch_pull_request_checks_runs_each_workflow():
+    client = FakeGiteaClient()
+
+    dispatch_pull_request_checks(client, owner="Richie", repo="dotfiles", branch="automation/update-flake-lock")
+
+    assert client.dispatch_calls == [
+        {
+            "owner": "Richie",
+            "repo": "dotfiles",
+            "workflow_id": workflow,
+            "ref": "automation/update-flake-lock",
+        }
+        for workflow in PR_CHECK_WORKFLOWS
+    ]

tests/test_signal_bot.py

@@ -1,321 +0,0 @@
-"""Tests for the Signal command and control bot."""
-
-from __future__ import annotations
-
-import json
-from datetime import timedelta
-from unittest.mock import MagicMock, patch
-
-import pytest
-
-from python.signal_bot.commands.inventory import (
-    _format_summary,
-    parse_llm_response,
-)
-from python.signal_bot.commands.location import _format_location, handle_location_request
-from python.signal_bot.device_registry import _BLOCKED_TTL, _DEFAULT_TTL, DeviceRegistry, _CacheEntry
-from python.signal_bot.llm_client import LLMClient
-from python.signal_bot.main import Bot
-from python.signal_bot.models import (
-    BotConfig,
-    InventoryItem,
-    SignalMessage,
-    TrustLevel,
-)
-from python.signal_bot.signal_client import SignalClient
-
-
-class TestModels:
-    def test_trust_level_values(self):
-        assert TrustLevel.VERIFIED == "verified"
-        assert TrustLevel.UNVERIFIED == "unverified"
-        assert TrustLevel.BLOCKED == "blocked"
-
-    def test_signal_message_defaults(self):
-        msg = SignalMessage(source="+1234", timestamp=0)
-        assert msg.message == ""
-        assert msg.attachments == []
-        assert msg.group_id is None
-
-    def test_inventory_item_defaults(self):
-        item = InventoryItem(name="wrench")
-        assert item.quantity == 1
-        assert item.unit == "each"
-        assert item.category == ""
-
-
-class TestInventoryParsing:
-    def test_parse_llm_response_basic(self):
-        raw = '[{"name": "water", "quantity": 6, "unit": "gallon", "category": "supplies", "notes": ""}]'
-        items = parse_llm_response(raw)
-        assert len(items) == 1
-        assert items[0].name == "water"
-        assert items[0].quantity == 6
-        assert items[0].unit == "gallon"
-
-    def test_parse_llm_response_with_code_fence(self):
-        raw = '```json\n[{"name": "tape", "quantity": 1, "unit": "each", "category": "tools", "notes": ""}]\n```'
-        items = parse_llm_response(raw)
-        assert len(items) == 1
-        assert items[0].name == "tape"
-
-    def test_parse_llm_response_invalid_json(self):
-        with pytest.raises(json.JSONDecodeError):
-            parse_llm_response("not json at all")
-
-    def test_format_summary(self):
-        items = [InventoryItem(name="water", quantity=6, unit="gallon", category="supplies")]
-        summary = _format_summary(items)
-        assert "water" in summary
-        assert "x6" in summary
-        assert "gallon" in summary
-
-
-class TestDeviceRegistry:
-    @pytest.fixture
-    def signal_mock(self):
-        return MagicMock(spec=SignalClient)
-
-    @pytest.fixture
-    def registry(self, signal_mock, engine):
-        return DeviceRegistry(signal_mock, engine)
-
-    def test_new_device_is_unverified(self, registry):
-        registry.record_contact("+1234", "abc123")
-        assert not registry.is_verified("+1234")
-
-    def test_verify_device(self, registry):
-        registry.record_contact("+1234", "abc123")
-        assert registry.verify("+1234")
-        assert registry.is_verified("+1234")
-
-    def test_verify_unknown_device(self, registry):
-        assert not registry.verify("+9999")
-
-    def test_block_device(self, registry):
-        registry.record_contact("+1234", "abc123")
-        assert registry.block("+1234")
-        assert not registry.is_verified("+1234")
-
-    def test_safety_number_change_resets_trust(self, registry):
-        registry.record_contact("+1234", "abc123")
-        registry.verify("+1234")
-        assert registry.is_verified("+1234")
-        registry.record_contact("+1234", "different_safety_number")
-        assert not registry.is_verified("+1234")
-
-    def test_persistence(self, signal_mock, engine):
-        reg1 = DeviceRegistry(signal_mock, engine)
-        reg1.record_contact("+1234", "abc123")
-        reg1.verify("+1234")
-
-        reg2 = DeviceRegistry(signal_mock, engine)
-        assert reg2.is_verified("+1234")
-
-    def test_list_devices(self, registry):
-        registry.record_contact("+1234", "abc")
-        registry.record_contact("+5678", "def")
-        assert len(registry.list_devices()) == 2
-
-
-class TestContactCache:
-    @pytest.fixture
-    def signal_mock(self):
-        return MagicMock(spec=SignalClient)
-
-    @pytest.fixture
-    def registry(self, signal_mock, engine):
-        return DeviceRegistry(signal_mock, engine)
-
-    def test_second_call_uses_cache(self, registry):
-        registry.record_contact("+1234", "abc")
-        assert "+1234" in registry._contact_cache
-
-        with patch.object(registry, "engine") as mock_engine:
-            registry.record_contact("+1234", "abc")
-            mock_engine.assert_not_called()
-
-    def test_unverified_gets_default_ttl(self, registry):
-        registry.record_contact("+1234", "abc")
-        from python.common import utcnow
-
-        entry = registry._contact_cache["+1234"]
-        expected = utcnow() + _DEFAULT_TTL
-        assert abs((entry.expires - expected).total_seconds()) < 2
-        assert entry.trust_level == TrustLevel.UNVERIFIED
-        assert entry.has_safety_number is True
-
-    def test_blocked_gets_blocked_ttl(self, registry):
-        registry.record_contact("+1234", "abc")
-        registry.block("+1234")
-        from python.common import utcnow
-
-        entry = registry._contact_cache["+1234"]
-        expected = utcnow() + _BLOCKED_TTL
-        assert abs((entry.expires - expected).total_seconds()) < 2
-        assert entry.trust_level == TrustLevel.BLOCKED
-
-    def test_verify_updates_cache(self, registry):
-        registry.record_contact("+1234", "abc")
-        registry.verify("+1234")
-        entry = registry._contact_cache["+1234"]
-        assert entry.trust_level == TrustLevel.VERIFIED
-
-    def test_block_updates_cache(self, registry):
-        registry.record_contact("+1234", "abc")
-        registry.block("+1234")
-        entry = registry._contact_cache["+1234"]
-        assert entry.trust_level == TrustLevel.BLOCKED
-
-    def test_unverify_updates_cache(self, registry):
-        registry.record_contact("+1234", "abc")
-        registry.verify("+1234")
-        registry.unverify("+1234")
-        entry = registry._contact_cache["+1234"]
-        assert entry.trust_level == TrustLevel.UNVERIFIED
-
-    def test_is_verified_uses_cache(self, registry):
-        registry.record_contact("+1234", "abc")
-        registry.verify("+1234")
-        with patch.object(registry, "engine") as mock_engine:
-            assert registry.is_verified("+1234") is True
-            mock_engine.assert_not_called()
-
-    def test_has_safety_number_uses_cache(self, registry):
-        registry.record_contact("+1234", "abc")
-        with patch.object(registry, "engine") as mock_engine:
-            assert registry.has_safety_number("+1234") is True
-            mock_engine.assert_not_called()
-
-    def test_no_safety_number_cached(self, registry):
-        registry.record_contact("+1234", None)
-        with patch.object(registry, "engine") as mock_engine:
-            assert registry.has_safety_number("+1234") is False
-            mock_engine.assert_not_called()
-
-    def test_expired_cache_hits_db(self, registry):
-        registry.record_contact("+1234", "abc")
-        old = registry._contact_cache["+1234"]
-        registry._contact_cache["+1234"] = _CacheEntry(
-            expires=old.expires - timedelta(minutes=10),
-            trust_level=old.trust_level,
-            has_safety_number=old.has_safety_number,
-            safety_number=old.safety_number,
-            roles=old.roles,
-        )
-
-        with patch("python.signal_bot.device_registry.Session") as mock_session_cls:
-            mock_session = MagicMock()
-            mock_session_cls.return_value.__enter__ = MagicMock(return_value=mock_session)
-            mock_session_cls.return_value.__exit__ = MagicMock(return_value=False)
-            mock_device = MagicMock()
-            mock_device.trust_level = TrustLevel.UNVERIFIED
-            mock_session.execute.return_value.scalar_one_or_none.return_value = mock_device
-            registry.record_contact("+1234", "abc")
-            mock_session.execute.assert_called_once()
-
-
-class TestLocationCommand:
-    def test_format_location(self):
-        response = _format_location("12.34", "56.78")
-        assert "12.34, 56.78" in response
-        assert "maps.google.com" in response
-
-    def test_handle_location_request_without_config(self):
-        signal = MagicMock(spec=SignalClient)
-        message = SignalMessage(source="+1234", timestamp=0, message="location")
-        handle_location_request(message, signal, None, None)
-        signal.reply.assert_called_once()
-        assert "not configured" in signal.reply.call_args[0][1]
-
-
-class TestDispatch:
-    @pytest.fixture
-    def signal_mock(self):
-        return MagicMock(spec=SignalClient)
-
-    @pytest.fixture
-    def llm_mock(self):
-        return MagicMock(spec=LLMClient)
-
-    @pytest.fixture
-    def registry_mock(self):
-        mock = MagicMock(spec=DeviceRegistry)
-        mock.is_verified.return_value = True
-        mock.has_safety_number.return_value = True
-        mock.has_role.return_value = False
-        mock.get_roles.return_value = []
-        return mock
-
-    @pytest.fixture
-    def config(self, engine):
-        return BotConfig(
-            signal_api_url="http://localhost:8080",
-            phone_number="+1234567890",
-            inventory_api_url="http://localhost:9090",
-            engine=engine,
-        )
-
-    @pytest.fixture
-    def bot(self, signal_mock, llm_mock, registry_mock, config):
-        return Bot(signal_mock, llm_mock, registry_mock, config)
-
-    def test_unverified_device_ignored(self, bot, signal_mock, registry_mock):
-        registry_mock.is_verified.return_value = False
-        msg = SignalMessage(source="+1234", timestamp=0, message="help")
-        bot.dispatch(msg)
-        signal_mock.reply.assert_not_called()
-
-    def test_admin_without_safety_number_ignored(self, bot, signal_mock, registry_mock):
-        registry_mock.has_safety_number.return_value = False
-        registry_mock.has_role.return_value = True
-        msg = SignalMessage(source="+1234", timestamp=0, message="help")
-        bot.dispatch(msg)
-        signal_mock.reply.assert_not_called()
-
-    def test_non_admin_without_safety_number_allowed(self, bot, signal_mock, registry_mock):
-        registry_mock.has_safety_number.return_value = False
-        registry_mock.has_role.return_value = False
-        registry_mock.get_roles.return_value = []
-        msg = SignalMessage(source="+1234", timestamp=0, message="help")
-        bot.dispatch(msg)
-        signal_mock.reply.assert_called_once()
-
-    def test_help_command(self, bot, signal_mock, registry_mock):
-        msg = SignalMessage(source="+1234", timestamp=0, message="help")
-        bot.dispatch(msg)
-        signal_mock.reply.assert_called_once()
-        assert "Available commands" in signal_mock.reply.call_args[0][1]
-
-    def test_unknown_command_ignored(self, bot, signal_mock):
-        msg = SignalMessage(source="+1234", timestamp=0, message="foobar")
-        bot.dispatch(msg)
-        signal_mock.reply.assert_not_called()
-
-    def test_non_command_message_ignored(self, bot, signal_mock):
-        msg = SignalMessage(source="+1234", timestamp=0, message="hello there")
-        bot.dispatch(msg)
-        signal_mock.reply.assert_not_called()
-
-    def test_status_command(self, bot, signal_mock, llm_mock, registry_mock):
-        llm_mock.list_models.return_value = ["model1", "model2"]
-        llm_mock.model = "test:7b"
-        registry_mock.list_devices.return_value = []
-        registry_mock.has_role.return_value = True
-        msg = SignalMessage(source="+1234", timestamp=0, message="status")
-        bot.dispatch(msg)
-        signal_mock.reply.assert_called_once()
-        assert "Bot online" in signal_mock.reply.call_args[0][1]
-
-    def test_location_command(self, bot, signal_mock, registry_mock, config):
-        registry_mock.has_role.return_value = True
-        msg = SignalMessage(source="+1234", timestamp=0, message="location")
-        with patch("python.signal_bot.main.handle_location_request") as mock_location:
-            bot.dispatch(msg)
-
-        mock_location.assert_called_once_with(
-            msg,
-            signal_mock,
-            config.ha_url,
-            config.ha_token,
-        )

users/dov/home/cli/git.nix

@@ -1,6 +1,7 @@
 {
   programs.git = {
     enable = true;
+    signing.format = null;
     settings = {
       user = {
         email = "dov.kruger@gmail.com";

users/elise/home/cli/git.nix

@@ -1,6 +1,7 @@
 {
   programs.git = {
     enable = true;
+    signing.format = null;
     settings = {
       user = {
         email = "DumbPuppy208@gmail.com";

users/math/default.nix

@@ -36,6 +36,8 @@ in
         "hass"
         "libvirtd"
         "networkmanager"
+        "nornsight"
+        "nornsight-admin"
         "plugdev"
         "scanner"
         "transmission"

users/math/home/cli/git.nix

@@ -1,6 +1,7 @@
 {
   programs.git = {
     enable = true;
+    signing.format = null;
     settings = {
       user = {
         email = "matthew.michal11@gmail.com";

users/math/systems/bob.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ../home/global.nix
+  ];
+}

users/richie/default.nix

@@ -36,6 +36,8 @@ in
         "hass"
         "libvirtd"
         "networkmanager"
+        "nornsight"
+        "nornsight-admin"
         "ollama"
         "plugdev"
         "scanner"

users/richie/home/cli/git.nix

@@ -1,6 +1,7 @@
 {
   programs.git = {
     enable = true;
+    signing.format = null;
     settings = {
       user = {
         email = "Richie@tmmworkshop.com";

users/richie/home/gui/default.nix

@@ -6,6 +6,7 @@
     "${inputs.self}/users/shared/sweet.nix"
     ./firefox
     ./kitty.nix
+    ./llm_tools.nix
     ./vscode
   ];
 
@@ -19,12 +20,11 @@
     qalculate-gtk
     vlc
     # browser
+    brave
     chromium
     # dev tools
-    claude-code
     gparted
     jetbrains.datagrip
     proxychains
-    opencode
   ];
 }

users/richie/home/gui/firefox/default.nix

@@ -1,8 +1,9 @@
-{ inputs, ... }:
+{ config, inputs, ... }:
 {
   imports = [ ./search_engines.nix ];
 
   programs.firefox = {
+    configPath = "${config.xdg.configHome}/mozilla/firefox";
     enable = true;
     profiles.richie = {
       extensions.packages = with inputs.firefox-addons.packages.x86_64-linux; [

users/richie/home/gui/kitty.nix

@@ -6,11 +6,13 @@
     settings = {
       allow_remote_control = "yes";
       shell = "${pkgs.zsh}/bin/zsh";
+      scrollback_lines = 50000;
       wayland_titlebar_color = "background";
       background_opacity = "0.75";
       tab_bar_edge = "top";
       tab_bar_style = "powerline";
       enabled_layouts = "splits";
+      enable_audio_bell = "no";
     };
     keybindings = {
       "ctrl+alt+1" = "launch --type=tab --tab-title jeeves kitten ssh jeeves";

users/richie/home/gui/llm_tools.nix

@@ -0,0 +1,9 @@
+{ pkgs, ... }:
+{
+  home.packages = [
+    pkgs.master.claude-code
+    pkgs.master.codex
+    pkgs.master.opencode
+    pkgs.master.pi-coding-agent
+  ];
+}

users/richie/home/gui/vscode/keybindings.json

@@ -2,28 +2,32 @@
   {
     "key": "shift+alt+f",
     "command": "editor.action.formatDocument",
-    "when": "editorHasDocumentFormattingProvider && editorTextFocus && !editorReadonly && !inCompositeEditor"
+    "when": "editorHasDocumentFormattingProvider && editorTextFocus && !editorReadonly && !inCompositeEditor",
   },
   {
     "key": "alt+a d",
-    "command": "cSpell.addWordToWorkspaceSettings"
+    "command": "cSpell.addWordToWorkspaceSettings",
   },
   {
     "key": "ctrl+shift+`",
-    "command": "workbench.action.createTerminalEditor"
+    "command": "workbench.action.createTerminalEditor",
   },
   {
     "key": "ctrl+shift+`",
     "command": "-workbench.action.terminal.new",
-    "when": "terminalProcessSupported || terminalWebExtensionContributedProfile"
+    "when": "terminalProcessSupported || terminalWebExtensionContributedProfile",
   },
   {
     "key": "ctrl+shift+g r",
-    "command": "gitlens.git.rebase"
+    "command": "gitlens.git.rebase",
   },
   {
     "key": "ctrl+shift+g c",
     "command": "-gitlens.showQuickCommitFileDetails",
-    "when": "editorTextFocus && !gitlens:disabled && config.gitlens.keymap == 'chorded'"
-  }
+    "when": "editorTextFocus && !gitlens:disabled && config.gitlens.keymap == 'chorded'",
+  },
+  {
+    "key": "ctrl+shift+g p",
+    "command": "gitlens.pushRepositories",
+  },
 ]