cleaned up old_installer.py

moved installer.py to old_installer.py
deleting data_science code
2026-06-13 22:27:11 -04:00 · 2026-06-13 22:20:58 -04:00 · 2026-06-13 21:14:42 -04:00 · 2026-06-13 21:09:34 -04:00 · 2026-06-13 20:47:55 -04:00 · 2026-06-12 13:06:18 -04:00
134 changed files with 4063 additions and 9301 deletions
@@ -23,6 +23,6 @@ jobs:
    steps:
      - uses: actions/checkout@v4
      - name: Build default package
-        run: "nixos-rebuild build --flake ./#${{ matrix.system }}"
+        run: "nixos-rebuild build --accept-flake-config --flake ./#${{ matrix.system }}"
      - name: copy to nix-cache
        run: nix copy --accept-flake-config --to unix:///host-nix/var/nix/daemon-socket/socket .#nixosConfigurations.${{ matrix.system }}.config.system.build.toplevel
@@ -1,30 +0,0 @@
 name: fix_eval_warnings
 on:
  workflow_run:
    workflows: ["build_systems"]
    types: [completed]
 jobs:
  check-warnings:
    if: >-
      github.event.workflow_run.conclusion != 'cancelled' &&
      github.event.workflow_run.head_branch == 'main' &&
      (github.event.workflow_run.event == 'push' || github.event.workflow_run.event == 'schedule')
    runs-on: self-hosted
    permissions:
      contents: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - name: Fix eval warnings
        env:
          GH_TOKEN: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
        run: >-
          nix develop .#devShells.x86_64-linux.default -c
          python -m python.eval_warnings.main
          --run-id "${{ github.event.workflow_run.id }}"
          --repo "${{ github.repository }}"
          --ollama-url "${{ secrets.OLLAMA_URL }}"
          --run-url "${{ github.event.workflow_run.html_url }}"
@@ -6,24 +6,18 @@ on:
 jobs:
  merge:
-    runs-on: ubuntu-latest
+    runs-on: self-hosted
    permissions:
      contents: write
      pull-requests: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: merge_flake_lock_update
-        run: |
+        run: >-
-          pr_number=$(gh pr list --state open --author RichieCahill --label flake_lock_update --json number --jq '.[0].number')
+          nix develop .#devShells.x86_64-linux.default -c
-          echo "pr_number=$pr_number" >> $GITHUB_ENV
+          python -m python.gitea_flake_lock merge
-          if [ -n "$pr_number" ]; then
+          --repo "${{ github.repository }}"
            gh pr merge "$pr_number" --rebase
          else
            echo "No open PR found with label flake_lock_update"
          fi
        env:
-          GITHUB_TOKEN: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
+          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
          GITEA_URL: https://gitea.tmmworkshop.com
@@ -1,13 +1,13 @@
 name: pytest
 on:
  workflow_dispatch:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
  merge_group:
 jobs:
  pytest:
@@ -6,18 +6,21 @@ on:
 jobs:
  lockfile:
-    runs-on: ubuntu-latest
+    runs-on: self-hosted
    permissions:
      actions: write
      contents: write
      pull-requests: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@main
      - name: Update flake.lock
-        uses: DeterminateSystems/update-flake-lock@main
+        run: nix flake update
-        with:
+      - name: Create or update flake.lock PR
-          token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
+        env:
-          pr-title: "Update flake.lock"
+          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
-          pr-labels: |
+          GITEA_URL: https://gitea.tmmworkshop.com
-            dependencies
+        run: >-
-            automated
+          nix develop .#devShells.x86_64-linux.default -c
-            flake_lock_update
+          python -m python.gitea_flake_lock update
          --repo "${{ github.repository }}"
@@ -169,3 +169,6 @@ test.*
 # Frontend build output
 frontend/dist/
 frontend/node_modules/
 # data from testing llms
 data/*
@@ -40,7 +40,6 @@
    "cgroupdriver",
    "charliermarsh",
    "Checkpointing",
    "cloudflared",
    "codellama",
    "codezombiech",
    "compactmode",
@@ -204,6 +203,7 @@
    "peerconnection",
    "PESKYFOX",
    "PGID",
    "pgvector",
    "pipewire",
    "pkgs",
    "plugdev",
@@ -308,6 +308,7 @@
    "usernamehw",
    "userprefs",
    "vaninventory",
    "vdev",
    "vfat",
    "victron",
    "virt",
@@ -1,12 +0,0 @@
 ## Dev environment tips
 - use treefmt to format all files
 - make python code ruff compliant
 - use pytest to test python code
 - always use the minimum amount of complexity
 - if judgment calls are easy to reverse make them. if not ask me first
 - Match existing code style.
 - Use builtin helpers getenv() over os.environ.get.
 - Prefer single-purpose functions over “do everything” helpers.
 - Avoid compatibility branches like PG_USER and POSTGRESQL_URL unless requested.
 - Keep helpers only if reused or they simplify the code otherwise inline.
@@ -23,7 +23,10 @@
  boot = {
    tmp.useTmpfs = true;
    kernelPackages = lib.mkDefault pkgs.linuxPackages_6_12;
-    zfs.package = lib.mkDefault pkgs.zfs_2_4;
+    zfs = {
      package = lib.mkDefault pkgs.zfs_2_4;
      forceImportRoot = lib.mkDefault false;
    };
  };
  hardware.enableRedistributableFirmware = true;
@@ -37,10 +40,17 @@
  nixpkgs = {
    overlays = builtins.attrValues outputs.overlays;
-    config.allowUnfree = true;
+    config = {
      allowUnfree = true;
      permittedInsecurePackages = [
        "openssl-1.1.1w" # This is for discord-canary
      ];
    };
  };
  services = {
    dbus.implementation = "dbus";
    # firmware update
    fwupd.enable = true;
@@ -34,6 +34,7 @@ in
      warn-dirty = false;
      flake-registry = ""; # disable global flake registries
      connect-timeout = 10;
      download-buffer-size = 536870912;
      fallback = true;
    };
@@ -0,0 +1,256 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 let
  monitoringInterface = "ztwfunumly";
  nodeTextfileDir = "/var/lib/prometheus-node-exporter-textfile";
  mkProcessNameTemplate =
    perPid: template: if perPid then "${template}:{{.PID}}:{{.StartTime}}" else template;
  mkProcessMatchers = perPid: [
    {
      name = mkProcessNameTemplate perPid "{{.Username}}:{{.Matches.Module}}";
      cmdline = [ "^/nix/store[^ ]*/bin/python[^ ]* -m (?P<Module>[^ ]+)" ];
    }
    {
      name = mkProcessNameTemplate perPid "{{.Username}}:{{.Matches.Wrapped}}";
      cmdline = [
        "^/nix/store[^ ]*/bin/python[^ ]* /nix/store[^ ]*/bin/\\.?(?P<Wrapped>[^ /]+?)(?:-wrapped)?(?:\\s|$)"
      ];
    }
    {
      name = mkProcessNameTemplate perPid "{{.Username}}:{{.Matches.Wrapped}}";
      cmdline = [
        "^/nix/store[^ ]*/bin/node /nix/store[^ ]*-(?P<Wrapped>[A-Za-z0-9._+-]+)-[0-9][^ /]*/"
      ];
    }
    {
      name = mkProcessNameTemplate perPid "{{.Username}}:{{.Matches.Wrapped}}";
      cmdline = [ "^/nix/store[^ ]*/(?:bin/|lib/[^ ]*/)?\\.?(?P<Wrapped>[^ /]+?)(?:-wrapped)?(?:\\s|$)" ];
    }
    {
      name = mkProcessNameTemplate perPid "{{.Username}}:{{.ExeBase}}";
      cmdline = [ ".+" ];
    }
  ];
  perPidConfig = pkgs.writeText "process-exporter-per-pid.yaml" (
    builtins.toJSON {
      process_names = mkProcessMatchers true;
    }
  );
  zpoolLatencyScript = pkgs.writeShellScript "zpool-latency-exporter" ''
        set -euo pipefail
        out_dir=${lib.escapeShellArg nodeTextfileDir}
        host=${lib.escapeShellArg config.networking.hostName}
        tmp_file="$(mktemp "$out_dir/zpool.prom.XXXXXX")"
        trap 'rm -f "$tmp_file"' EXIT
        pools="$(zpool list -H -o name | paste -sd, -)"
        cat >"$tmp_file" <<'EOF'
    # HELP zpool_iostat_total_wait_read_ns Average total read wait time reported by zpool iostat.
    # TYPE zpool_iostat_total_wait_read_ns gauge
    # HELP zpool_iostat_total_wait_write_ns Average total write wait time reported by zpool iostat.
    # TYPE zpool_iostat_total_wait_write_ns gauge
    # HELP zpool_iostat_disk_wait_read_ns Average disk read wait time reported by zpool iostat.
    # TYPE zpool_iostat_disk_wait_read_ns gauge
    # HELP zpool_iostat_disk_wait_write_ns Average disk write wait time reported by zpool iostat.
    # TYPE zpool_iostat_disk_wait_write_ns gauge
    # HELP zpool_iostat_syncq_wait_read_ns Average synchronous queue read wait time reported by zpool iostat.
    # TYPE zpool_iostat_syncq_wait_read_ns gauge
    # HELP zpool_iostat_syncq_wait_write_ns Average synchronous queue write wait time reported by zpool iostat.
    # TYPE zpool_iostat_syncq_wait_write_ns gauge
    # HELP zpool_iostat_asyncq_wait_read_ns Average asynchronous queue read wait time reported by zpool iostat.
    # TYPE zpool_iostat_asyncq_wait_read_ns gauge
    # HELP zpool_iostat_asyncq_wait_write_ns Average asynchronous queue write wait time reported by zpool iostat.
    # TYPE zpool_iostat_asyncq_wait_write_ns gauge
    EOF
        zpool iostat -Hplvy -y 1 1 | awk -F '\t' -v host="$host" -v pools="$pools" '
          function esc(str, out) {
            out = str
            gsub(/\\/, "\\\\", out)
            gsub(/"/, "\\\"", out)
            return out
          }
          function emit(metric, pool, vdev, value) {
            if (value == "" || value == "-") {
              return
            }
            printf "%s{host=\"%s\",pool=\"%s\",vdev=\"%s\"} %s\n",
              metric,
              esc(host),
              esc(pool),
              esc(vdev),
              value
          }
          BEGIN {
            split(pools, pool_names, ",")
            for (idx in pool_names) {
              if (pool_names[idx] != "") {
                known_pools[pool_names[idx]] = 1
              }
            }
          }
          NF == 0 {
            next
          }
          {
            row_name = $1
            if (row_name in known_pools) {
              current_pool = row_name
              current_vdev = "_pool"
            } else if (current_pool == "") {
              next
            } else {
              current_vdev = row_name
            }
            emit("zpool_iostat_total_wait_read_ns", current_pool, current_vdev, $8)
            emit("zpool_iostat_total_wait_write_ns", current_pool, current_vdev, $9)
            emit("zpool_iostat_disk_wait_read_ns", current_pool, current_vdev, $10)
            emit("zpool_iostat_disk_wait_write_ns", current_pool, current_vdev, $11)
            emit("zpool_iostat_syncq_wait_read_ns", current_pool, current_vdev, $12)
            emit("zpool_iostat_syncq_wait_write_ns", current_pool, current_vdev, $13)
            emit("zpool_iostat_asyncq_wait_read_ns", current_pool, current_vdev, $14)
            emit("zpool_iostat_asyncq_wait_write_ns", current_pool, current_vdev, $15)
          }
        ' >>"$tmp_file"
        mv "$tmp_file" "$out_dir/zpool.prom"
        trap - EXIT
  '';
 in
 {
  networking.firewall.interfaces.${monitoringInterface}.allowedTCPPorts = [
    9100
    9134
    9256
    9257
    9633
  ];
  services.prometheus.exporters = {
    node = {
      enable = true;
      enabledCollectors = [
        "pressure"
        "processes"
        "systemd"
      ];
      extraFlags = [ "--collector.textfile.directory=${nodeTextfileDir}" ];
    };
    process = {
      enable = true;
      user = "root";
      group = "root";
      settings.process_names = mkProcessMatchers false;
      extraFlags = [
        "-gather-smaps=false"
        "-remove-empty-groups=true"
        "-threads=false"
      ];
    };
    smartctl.enable = true;
    zfs.enable = true;
  };
  programs.atop = {
    enable = true;
    atopService.enable = true;
    atopRotateTimer.enable = true;
    atopacctService.enable = true;
    settings.interval = 30;
  };
  systemd = {
    services = {
      prometheus-process-pid-exporter = {
        description = "Prometheus process exporter with per-PID naming";
        wantedBy = [ "multi-user.target" ];
        after = [ "network.target" ];
        serviceConfig = {
          ExecStart = ''
            ${pkgs.prometheus-process-exporter}/bin/process-exporter \
              --web.listen-address 0.0.0.0:9257 \
              --config.path ${perPidConfig} \
              -children=false \
              -gather-smaps=false \
              -remove-empty-groups=true \
              -threads=false
          '';
          User = "root";
          Group = "root";
          Restart = "always";
          WorkingDirectory = "/tmp";
          CapabilityBoundingSet = [ "" ];
          DeviceAllow = [ "" ];
          LockPersonality = true;
          MemoryDenyWriteExecute = true;
          NoNewPrivileges = true;
          PrivateDevices = true;
          PrivateTmp = true;
          ProtectClock = true;
          ProtectControlGroups = true;
          ProtectHome = true;
          ProtectHostname = true;
          ProtectKernelLogs = true;
          ProtectKernelModules = true;
          ProtectKernelTunables = true;
          ProtectSystem = "strict";
          RemoveIPC = true;
          RestrictAddressFamilies = [
            "AF_INET"
            "AF_INET6"
          ];
          RestrictNamespaces = true;
          RestrictRealtime = true;
          RestrictSUIDSGID = true;
          SystemCallArchitectures = "native";
          UMask = "0077";
        };
      };
      zpool-latency-exporter = {
        description = "Exports ZFS latency metrics for node_exporter textfile collection";
        after = [ "zfs-import.target" ];
        requires = [ "zfs-import.target" ];
        path = [
          config.boot.zfs.package
          pkgs.coreutils
          pkgs.gawk
        ];
        serviceConfig = {
          Type = "oneshot";
          ExecStart = zpoolLatencyScript;
        };
      };
    };
    timers.zpool-latency-exporter = {
      wantedBy = [ "timers.target" ];
      timerConfig = {
        OnBootSec = "2m";
        OnUnitActiveSec = "60s";
        Unit = "zpool-latency-exporter.service";
      };
    };
    tmpfiles.rules = [ "d ${nodeTextfileDir} 0755 root root - -" ];
  };
 }
@@ -12,7 +12,7 @@
      brain.id = "SSCGIPI-IV3VYKB-TRNIJE3-COV4T2H-CDBER7F-I2CGHYA-NWOEUDU-3T5QAAN"; # cspell:disable-line
      ipad.id = "KI76T3X-SFUGV2L-VSNYTKR-TSIUV5L-SHWD3HE-GQRGRCN-GY4UFMD-CW6Z6AX"; # cspell:disable-line
      jeeves.id = "ICRHXZW-ECYJCUZ-I4CZ64R-3XRK7CG-LL2HAAK-FGOHD22-BQA4AI6-5OAL6AG"; # cspell:disable-line
-      phone.id = "TBRULKD-7DZPGGZ-F6LLB7J-MSO54AY-7KLPBIN-QOFK6PX-W2HBEWI-PHM2CQI"; # cspell:disable-line
+      phone.id = "JPVQKQW-CFXOJXT-Q5G5F3H-QIDHDRE-GKHPTQB-GXZUQSP-U7FR7F7-INP3AAH"; # cspell:disable-line
      rhapsody-in-green.id = "ASL3KC4-3XEN6PA-7BQBRKE-A7JXLI6-DJT43BY-Q4WPOER-7UALUAZ-VTPQ6Q4"; # cspell:disable-line
    };
  };
@@ -4,7 +4,7 @@
    flags = [ "--accept-flake-config" ];
    randomizedDelaySec = "1h";
    persistent = true;
-    flake = "github:RichieCahill/dotfiles";
+    flake = "git+https://gitea.tmmworkshop.com/richie/dotfiles?ref=main";
    allowReboot = true;
    dates = "Sat *-*-* 06:00:00";
  };
@@ -0,0 +1,76 @@
 # ZFS failed root import recovery
 ## Fast path
 If the machine fails to boot because ZFS refuses to import `root_pool`:
 ### GRUB
 1. At the bootloader menu, select the normal NixOS entry.
 2. Press `e`.
 3. Find the line that starts with `linux`.
 4. Append this to the end of that line:
 ```text
 zfs_force=1
 ```
 5. Boot once with `Ctrl+x` or `F10`.
 ### systemd-boot
 1. At the bootloader menu, highlight the normal NixOS entry.
 2. Press `e`.
 3. Append this to the end of the options line:
 ```text
 zfs_force=1
 ```
 4. Press `Enter` to boot once.
 ## After boot
 Run:
 ```bash
 sudo zpool status
 sudo zpool import
 journalctl -b | rg "ZFS|zfs|import|root_pool"
 ```
 ## Expected result
 `sudo zpool status` should show `root_pool` as `ONLINE`.
 ## Reboot test
 Run:
 ```bash
 sudo reboot
 ```
 Do not add `zfs_force=1` the second time.
 ## If it still fails
 Boot once more with:
 ```text
 zfs_force=1
 ```
 Then run:
 ```bash
 sudo zpool status -v
 sudo zpool history | tail -n 50
 journalctl -b | rg "ZFS|zfs|import|root_pool"
 ```
 ## Notes
 - Root pool name is `root_pool`.
 - This is a one-time recovery path after disk moves, controller changes, dirty exports, or interrupted imports.
 - Some hosts also need the LUKS unlock USB key inserted before boot.
@@ -8,11 +8,11 @@
      },
      "locked": {
        "dir": "pkgs/firefox-addons",
-        "lastModified": 1773979456,
+        "lastModified": 1781150628,
-        "narHash": "sha256-9kBMJ5IvxqNlkkj/swmE8uK1Sc7TL/LIRUI958m7uBM=",
+        "narHash": "sha256-b4mp8l3qWuSCyYYo9HSngDtcB3PpecYiOXjULrjwwlw=",
        "owner": "rycee",
        "repo": "nur-expressions",
-        "rev": "81e28f47ac18d9e89513929c77e711e657b64851",
+        "rev": "753319310f4673a2dabbfab87482187b40bf9bac",
        "type": "gitlab"
      },
      "original": {
@@ -29,11 +29,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1774007980,
+        "lastModified": 1781189114,
-        "narHash": "sha256-FOnZjElEI8pqqCvB6K/1JRHTE8o4rer8driivTpq2uo=",
+        "narHash": "sha256-5inaamLgUMWy+MOBE9ChF9QAF1o/74LFuHkI0W/9rqc=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "9670de2921812bc4e0452f6e3efd8c859696c183",
+        "rev": "486595d2cf49cfcd649b58a284fa11ac0e34da22",
        "type": "github"
      },
      "original": {
@@ -43,12 +43,15 @@
      }
    },
    "nixos-hardware": {
      "inputs": {
        "nixpkgs": "nixpkgs"
      },
      "locked": {
-        "lastModified": 1774018263,
+        "lastModified": 1781168557,
-        "narHash": "sha256-HHYEwK1A22aSaxv2ibhMMkKvrDGKGlA/qObG4smrSqc=",
+        "narHash": "sha256-LOnLQ2tpYF9gqIDDr3+j3DbpJJr/QCH6zPRT2GzEUOE=",
        "owner": "nixos",
        "repo": "nixos-hardware",
-        "rev": "2d4b4717b2534fad5c715968c1cece04a172b365",
+        "rev": "6358ff76821101c178e3ab4919a62799bfe3652e",
        "type": "github"
      },
      "original": {
@@ -60,27 +63,24 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1773821835,
+        "lastModified": 1767892417,
-        "narHash": "sha256-TJ3lSQtW0E2JrznGVm8hOQGVpXjJyXY2guAxku2O9A4=",
+        "narHash": "sha256-8bW3q88CEg2u4hSP66Vf4lpbLonHz7hqDNBMcCY7E9U=",
-        "owner": "nixos",
+        "rev": "3497aa5c9457a9d88d71fa93a4a8368816fbeeba",
-        "repo": "nixpkgs",
+        "type": "tarball",
-        "rev": "b40629efe5d6ec48dd1efba650c797ddbd39ace0",
+        "url": "https://releases.nixos.org/nixos/unstable/nixos-26.05pre924538.3497aa5c9457/nixexprs.tar.xz"
        "type": "github"
      },
      "original": {
-        "owner": "nixos",
+        "type": "tarball",
-        "ref": "nixos-unstable",
+        "url": "https://channels.nixos.org/nixos-unstable/nixexprs.tar.xz"
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-master": {
      "locked": {
-        "lastModified": 1774051532,
+        "lastModified": 1781229721,
-        "narHash": "sha256-d3CGMweyYIcPuTj5BKq+1Lx4zwlgL31nVtN647tOZKo=",
+        "narHash": "sha256-ORvqDbb/LYxiJljGIejapjkc/kJbVote2N1WSb9W45I=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "8620c0b5cc8fbe76502442181be1d0514bc3a1b7",
+        "rev": "173d0ad7a974f8543a9ab01d2271b2e290341b33",
        "type": "github"
      },
      "original": {
@@ -106,12 +106,28 @@
        "type": "github"
      }
    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1781074563,
        "narHash": "sha256-md8WlXOlfnIeHeOScMTTHFyf2d6iaTwPl2apR5EQ3P4=",
        "owner": "nixos",
        "repo": "nixpkgs",
        "rev": "9ae611a455b90cf061d8f332b977e387bda8e1ca",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "firefox-addons": "firefox-addons",
        "home-manager": "home-manager",
        "nixos-hardware": "nixos-hardware",
-        "nixpkgs": "nixpkgs",
+        "nixpkgs": "nixpkgs_2",
        "nixpkgs-master": "nixpkgs-master",
        "nixpkgs-stable": "nixpkgs-stable",
        "sops-nix": "sops-nix",
@@ -125,11 +141,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1773889674,
+        "lastModified": 1780547341,
-        "narHash": "sha256-+ycaiVAk3MEshJTg35cBTUa0MizGiS+bgpYw/f8ohkg=",
+        "narHash": "sha256-Gq8KNx5A7hBB3uGJaj6eQfLDIz5YdLu92gqBcvHvoUo=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "29b6519f3e0780452bca0ac0be4584f04ac16cc5",
+        "rev": "9ed65852b6257fbeae4355bc24ecfea307ca759a",
        "type": "github"
      },
      "original": {
@@ -21,7 +21,6 @@
        alembic
        apprise
        apscheduler
        confluent-kafka
        fastapi
        fastapi-cli
        httpx
@@ -42,6 +41,7 @@
        sqlalchemy
        tenacity
        textual
        tiktoken
        tinytuya
        typer
        websockets
@@ -26,6 +26,7 @@ dependencies = [
 [project.scripts]
 database = "python.database_cli:app"
 van-inventory = "python.van_inventory.main:serve"
 whisper-transcribe = "python.tools.whisper.transcribe:main"
 [dependency-groups]
 dev = [
@@ -50,6 +51,7 @@ lint.ignore = [
    "COM812", # (TEMP) conflicts when used with the formatter
    "ISC001", # (TEMP) conflicts when used with the formatter
    "S603",   # (PERM) This is known to cause a false positive
    "S607",   # (PERM) This is becoming a consistent annoyance
 ]
 [tool.ruff.lint.per-file-ignores]
@@ -78,15 +80,10 @@ lint.ignore = [
 "python/congress_tracker/**" = [
    "TC003", # (perm) this creates issues because sqlalchemy uses these at runtime
 ]
-"python/eval_warnings/**" = [
+
    "S607", # (perm) gh and git are expected on PATH in the runner environment
 ]
 "python/alembic/**" = [
    "INP001", # (perm) this creates LSP issues for alembic
 ]
 "python/signal_bot/**" = [
    "D107", # (perm) class docstrings cover __init__
 ]
 [tool.ruff.lint.pydocstyle]
 convention = "google"
@@ -1,50 +0,0 @@
 """adding FailedIngestion.
 Revision ID: 2f43120e3ffc
 Revises: f99be864fe69
 Create Date: 2026-03-24 23:46:17.277897
 """
 from __future__ import annotations
 from typing import TYPE_CHECKING
 import sqlalchemy as sa
 from alembic import op
 from python.orm import DataScienceDevBase
 if TYPE_CHECKING:
    from collections.abc import Sequence
 # revision identifiers, used by Alembic.
 revision: str = "2f43120e3ffc"
 down_revision: str | None = "f99be864fe69"
 branch_labels: str | Sequence[str] | None = None
 depends_on: str | Sequence[str] | None = None
 schema = DataScienceDevBase.schema_name
 def upgrade() -> None:
    """Upgrade."""
    # ### commands auto generated by Alembic - please adjust! ###
    op.create_table(
        "failed_ingestion",
        sa.Column("raw_line", sa.Text(), nullable=False),
        sa.Column("error", sa.Text(), nullable=False),
        sa.Column("id", sa.Integer(), nullable=False),
        sa.Column("created", sa.DateTime(timezone=True), server_default=sa.text("now()"), nullable=False),
        sa.Column("updated", sa.DateTime(timezone=True), server_default=sa.text("now()"), nullable=False),
        sa.PrimaryKeyConstraint("id", name=op.f("pk_failed_ingestion")),
        schema=schema,
    )
    # ### end Alembic commands ###
 def downgrade() -> None:
    """Downgrade."""
    # ### commands auto generated by Alembic - please adjust! ###
    op.drop_table("failed_ingestion", schema=schema)
    # ### end Alembic commands ###
@@ -1,80 +0,0 @@
 """Attach all partition tables to the posts parent table.
 Alembic autogenerate creates partition tables as standalone tables but does not
 emit the ALTER TABLE ... ATTACH PARTITION statements needed for PostgreSQL to
 route inserts to the correct partition.
 Revision ID: a1b2c3d4e5f6
 Revises: 605b1794838f
 Create Date: 2026-03-25 10:00:00.000000
 """
 from __future__ import annotations
 from typing import TYPE_CHECKING
 from alembic import op
 from sqlalchemy import text
 from python.orm import DataScienceDevBase
 from python.orm.data_science_dev.posts.partitions import (
    PARTITION_END_YEAR,
    PARTITION_START_YEAR,
    iso_weeks_in_year,
    week_bounds,
 )
 if TYPE_CHECKING:
    from collections.abc import Sequence
 # revision identifiers, used by Alembic.
 revision: str = "a1b2c3d4e5f6"
 down_revision: str | None = "605b1794838f"
 branch_labels: str | Sequence[str] | None = None
 depends_on: str | Sequence[str] | None = None
 schema = DataScienceDevBase.schema_name
 ALREADY_ATTACHED_QUERY = text("""
    SELECT inhrelid::regclass::text
    FROM pg_inherits
    WHERE inhparent = :parent::regclass
 """)
 def upgrade() -> None:
    """Attach all weekly partition tables to the posts parent table."""
    connection = op.get_bind()
    already_attached = {
        row[0]
        for row in connection.execute(
            ALREADY_ATTACHED_QUERY, {"parent": f"{schema}.posts"}
        )
    }
    for year in range(PARTITION_START_YEAR, PARTITION_END_YEAR + 1):
        for week in range(1, iso_weeks_in_year(year) + 1):
            table_name = f"posts_{year}_{week:02d}"
            qualified_name = f"{schema}.{table_name}"
            if qualified_name in already_attached:
                continue
            start, end = week_bounds(year, week)
            start_str = start.strftime("%Y-%m-%d %H:%M:%S")
            end_str = end.strftime("%Y-%m-%d %H:%M:%S")
            op.execute(
                f"ALTER TABLE {schema}.posts "
                f"ATTACH PARTITION {qualified_name} "
                f"FOR VALUES FROM ('{start_str}') TO ('{end_str}')"
            )
 def downgrade() -> None:
    """Detach all weekly partition tables from the posts parent table."""
    for year in range(PARTITION_START_YEAR, PARTITION_END_YEAR + 1):
        for week in range(1, iso_weeks_in_year(year) + 1):
            table_name = f"posts_{year}_{week:02d}"
            op.execute(
                f"ALTER TABLE {schema}.posts "
                f"DETACH PARTITION {schema}.{table_name}"
            )
@@ -3,7 +3,6 @@
 from __future__ import annotations
 import logging
 import re
 import sys
 from pathlib import Path
 from typing import TYPE_CHECKING, Any, Literal
@@ -0,0 +1,187 @@
 """removed ds table from richie DB.
 Revision ID: c8a794340928
 Revises: 6b275323f435
 Create Date: 2026-03-29 15:29:23.643146
 """
 from __future__ import annotations
 from typing import TYPE_CHECKING
 import sqlalchemy as sa
 from alembic import op
 from sqlalchemy.dialects import postgresql
 from python.orm import RichieBase
 if TYPE_CHECKING:
    from collections.abc import Sequence
 # revision identifiers, used by Alembic.
 revision: str = "c8a794340928"
 down_revision: str | None = "6b275323f435"
 branch_labels: str | Sequence[str] | None = None
 depends_on: str | Sequence[str] | None = None
 schema = RichieBase.schema_name
 def upgrade() -> None:
    """Upgrade."""
    # ### commands auto generated by Alembic - please adjust! ###
    op.drop_table("vote_record", schema=schema)
    op.drop_index(op.f("ix_vote_congress_chamber"), table_name="vote", schema=schema)
    op.drop_index(op.f("ix_vote_date"), table_name="vote", schema=schema)
    op.drop_index(op.f("ix_legislator_bioguide_id"), table_name="legislator", schema=schema)
    op.drop_table("legislator", schema=schema)
    op.drop_table("vote", schema=schema)
    op.drop_index(op.f("ix_bill_congress"), table_name="bill", schema=schema)
    op.drop_table("bill", schema=schema)
    # ### end Alembic commands ###
 def downgrade() -> None:
    """Downgrade."""
    # ### commands auto generated by Alembic - please adjust! ###
    op.create_table(
        "vote",
        sa.Column("congress", sa.INTEGER(), autoincrement=False, nullable=False),
        sa.Column("chamber", sa.VARCHAR(), autoincrement=False, nullable=False),
        sa.Column("session", sa.INTEGER(), autoincrement=False, nullable=False),
        sa.Column("number", sa.INTEGER(), autoincrement=False, nullable=False),
        sa.Column("vote_type", sa.VARCHAR(), autoincrement=False, nullable=True),
        sa.Column("question", sa.VARCHAR(), autoincrement=False, nullable=True),
        sa.Column("result", sa.VARCHAR(), autoincrement=False, nullable=True),
        sa.Column("result_text", sa.VARCHAR(), autoincrement=False, nullable=True),
        sa.Column("vote_date", sa.DATE(), autoincrement=False, nullable=False),
        sa.Column("yea_count", sa.INTEGER(), autoincrement=False, nullable=True),
        sa.Column("nay_count", sa.INTEGER(), autoincrement=False, nullable=True),
        sa.Column("not_voting_count", sa.INTEGER(), autoincrement=False, nullable=True),
        sa.Column("present_count", sa.INTEGER(), autoincrement=False, nullable=True),
        sa.Column("bill_id", sa.INTEGER(), autoincrement=False, nullable=True),
        sa.Column("id", sa.INTEGER(), autoincrement=True, nullable=False),
        sa.Column(
            "created",
            postgresql.TIMESTAMP(timezone=True),
            server_default=sa.text("now()"),
            autoincrement=False,
            nullable=False,
        ),
        sa.Column(
            "updated",
            postgresql.TIMESTAMP(timezone=True),
            server_default=sa.text("now()"),
            autoincrement=False,
            nullable=False,
        ),
        sa.ForeignKeyConstraint(["bill_id"], [f"{schema}.bill.id"], name=op.f("fk_vote_bill_id_bill")),
        sa.PrimaryKeyConstraint("id", name=op.f("pk_vote")),
        sa.UniqueConstraint(
            "congress",
            "chamber",
            "session",
            "number",
            name=op.f("uq_vote_congress_chamber_session_number"),
            postgresql_include=[],
            postgresql_nulls_not_distinct=False,
        ),
        schema=schema,
    )
    op.create_index(op.f("ix_vote_date"), "vote", ["vote_date"], unique=False, schema=schema)
    op.create_index(op.f("ix_vote_congress_chamber"), "vote", ["congress", "chamber"], unique=False, schema=schema)
    op.create_table(
        "vote_record",
        sa.Column("vote_id", sa.INTEGER(), autoincrement=False, nullable=False),
        sa.Column("legislator_id", sa.INTEGER(), autoincrement=False, nullable=False),
        sa.Column("position", sa.VARCHAR(), autoincrement=False, nullable=False),
        sa.ForeignKeyConstraint(
            ["legislator_id"],
            [f"{schema}.legislator.id"],
            name=op.f("fk_vote_record_legislator_id_legislator"),
            ondelete="CASCADE",
        ),
        sa.ForeignKeyConstraint(
            ["vote_id"], [f"{schema}.vote.id"], name=op.f("fk_vote_record_vote_id_vote"), ondelete="CASCADE"
        ),
        sa.PrimaryKeyConstraint("vote_id", "legislator_id", name=op.f("pk_vote_record")),
        schema=schema,
    )
    op.create_table(
        "legislator",
        sa.Column("bioguide_id", sa.TEXT(), autoincrement=False, nullable=False),
        sa.Column("thomas_id", sa.VARCHAR(), autoincrement=False, nullable=True),
        sa.Column("lis_id", sa.VARCHAR(), autoincrement=False, nullable=True),
        sa.Column("govtrack_id", sa.INTEGER(), autoincrement=False, nullable=True),
        sa.Column("opensecrets_id", sa.VARCHAR(), autoincrement=False, nullable=True),
        sa.Column("fec_ids", sa.VARCHAR(), autoincrement=False, nullable=True),
        sa.Column("first_name", sa.VARCHAR(), autoincrement=False, nullable=False),
        sa.Column("last_name", sa.VARCHAR(), autoincrement=False, nullable=False),
        sa.Column("official_full_name", sa.VARCHAR(), autoincrement=False, nullable=True),
        sa.Column("nickname", sa.VARCHAR(), autoincrement=False, nullable=True),
        sa.Column("birthday", sa.DATE(), autoincrement=False, nullable=True),
        sa.Column("gender", sa.VARCHAR(), autoincrement=False, nullable=True),
        sa.Column("current_party", sa.VARCHAR(), autoincrement=False, nullable=True),
        sa.Column("current_state", sa.VARCHAR(), autoincrement=False, nullable=True),
        sa.Column("current_district", sa.INTEGER(), autoincrement=False, nullable=True),
        sa.Column("current_chamber", sa.VARCHAR(), autoincrement=False, nullable=True),
        sa.Column("id", sa.INTEGER(), autoincrement=True, nullable=False),
        sa.Column(
            "created",
            postgresql.TIMESTAMP(timezone=True),
            server_default=sa.text("now()"),
            autoincrement=False,
            nullable=False,
        ),
        sa.Column(
            "updated",
            postgresql.TIMESTAMP(timezone=True),
            server_default=sa.text("now()"),
            autoincrement=False,
            nullable=False,
        ),
        sa.PrimaryKeyConstraint("id", name=op.f("pk_legislator")),
        schema=schema,
    )
    op.create_index(op.f("ix_legislator_bioguide_id"), "legislator", ["bioguide_id"], unique=True, schema=schema)
    op.create_table(
        "bill",
        sa.Column("congress", sa.INTEGER(), autoincrement=False, nullable=False),
        sa.Column("bill_type", sa.VARCHAR(), autoincrement=False, nullable=False),
        sa.Column("number", sa.INTEGER(), autoincrement=False, nullable=False),
        sa.Column("title", sa.VARCHAR(), autoincrement=False, nullable=True),
        sa.Column("title_short", sa.VARCHAR(), autoincrement=False, nullable=True),
        sa.Column("official_title", sa.VARCHAR(), autoincrement=False, nullable=True),
        sa.Column("status", sa.VARCHAR(), autoincrement=False, nullable=True),
        sa.Column("status_at", sa.DATE(), autoincrement=False, nullable=True),
        sa.Column("sponsor_bioguide_id", sa.VARCHAR(), autoincrement=False, nullable=True),
        sa.Column("subjects_top_term", sa.VARCHAR(), autoincrement=False, nullable=True),
        sa.Column("id", sa.INTEGER(), autoincrement=True, nullable=False),
        sa.Column(
            "created",
            postgresql.TIMESTAMP(timezone=True),
            server_default=sa.text("now()"),
            autoincrement=False,
            nullable=False,
        ),
        sa.Column(
            "updated",
            postgresql.TIMESTAMP(timezone=True),
            server_default=sa.text("now()"),
            autoincrement=False,
            nullable=False,
        ),
        sa.PrimaryKeyConstraint("id", name=op.f("pk_bill")),
        sa.UniqueConstraint(
            "congress",
            "bill_type",
            "number",
            name=op.f("uq_bill_congress_type_number"),
            postgresql_include=[],
            postgresql_nulls_not_distinct=False,
        ),
        schema=schema,
    )
    op.create_index(op.f("ix_bill_congress"), "bill", ["congress"], unique=False, schema=schema)
    # ### end Alembic commands ###
@@ -1,100 +0,0 @@
 """seprating signal_bot database.
 Revision ID: 6eaf696e07a5
 Revises:
 Create Date: 2026-03-17 21:35:37.612672
 """
 from __future__ import annotations
 from typing import TYPE_CHECKING
 import sqlalchemy as sa
 from alembic import op
 from sqlalchemy.dialects import postgresql
 from python.orm import SignalBotBase
 if TYPE_CHECKING:
    from collections.abc import Sequence
 # revision identifiers, used by Alembic.
 revision: str = "6eaf696e07a5"
 down_revision: str | None = None
 branch_labels: str | Sequence[str] | None = None
 depends_on: str | Sequence[str] | None = None
 schema = SignalBotBase.schema_name
 def upgrade() -> None:
    """Upgrade."""
    # ### commands auto generated by Alembic - please adjust! ###
    op.create_table(
        "dead_letter_message",
        sa.Column("source", sa.String(), nullable=False),
        sa.Column("message", sa.Text(), nullable=False),
        sa.Column("received_at", sa.DateTime(timezone=True), nullable=False),
        sa.Column(
            "status", postgresql.ENUM("UNPROCESSED", "PROCESSED", name="message_status", schema=schema), nullable=False
        ),
        sa.Column("id", sa.Integer(), nullable=False),
        sa.Column("created", sa.DateTime(timezone=True), server_default=sa.text("now()"), nullable=False),
        sa.Column("updated", sa.DateTime(timezone=True), server_default=sa.text("now()"), nullable=False),
        sa.PrimaryKeyConstraint("id", name=op.f("pk_dead_letter_message")),
        schema=schema,
    )
    op.create_table(
        "role",
        sa.Column("name", sa.String(length=50), nullable=False),
        sa.Column("id", sa.SmallInteger(), nullable=False),
        sa.Column("created", sa.DateTime(timezone=True), server_default=sa.text("now()"), nullable=False),
        sa.Column("updated", sa.DateTime(timezone=True), server_default=sa.text("now()"), nullable=False),
        sa.PrimaryKeyConstraint("id", name=op.f("pk_role")),
        sa.UniqueConstraint("name", name=op.f("uq_role_name")),
        schema=schema,
    )
    op.create_table(
        "signal_device",
        sa.Column("phone_number", sa.String(length=50), nullable=False),
        sa.Column("safety_number", sa.String(), nullable=True),
        sa.Column(
            "trust_level",
            postgresql.ENUM("VERIFIED", "UNVERIFIED", "BLOCKED", name="trust_level", schema=schema),
            nullable=False,
        ),
        sa.Column("last_seen", sa.DateTime(timezone=True), nullable=False),
        sa.Column("id", sa.Integer(), nullable=False),
        sa.Column("created", sa.DateTime(timezone=True), server_default=sa.text("now()"), nullable=False),
        sa.Column("updated", sa.DateTime(timezone=True), server_default=sa.text("now()"), nullable=False),
        sa.PrimaryKeyConstraint("id", name=op.f("pk_signal_device")),
        sa.UniqueConstraint("phone_number", name=op.f("uq_signal_device_phone_number")),
        schema=schema,
    )
    op.create_table(
        "device_role",
        sa.Column("device_id", sa.Integer(), nullable=False),
        sa.Column("role_id", sa.SmallInteger(), nullable=False),
        sa.Column("id", sa.Integer(), nullable=False),
        sa.Column("created", sa.DateTime(timezone=True), server_default=sa.text("now()"), nullable=False),
        sa.Column("updated", sa.DateTime(timezone=True), server_default=sa.text("now()"), nullable=False),
        sa.ForeignKeyConstraint(
            ["device_id"], [f"{schema}.signal_device.id"], name=op.f("fk_device_role_device_id_signal_device")
        ),
        sa.ForeignKeyConstraint(["role_id"], [f"{schema}.role.id"], name=op.f("fk_device_role_role_id_role")),
        sa.PrimaryKeyConstraint("id", name=op.f("pk_device_role")),
        sa.UniqueConstraint("device_id", "role_id", name="uq_device_role_device_role"),
        schema=schema,
    )
    # ### end Alembic commands ###
 def downgrade() -> None:
    """Downgrade."""
    # ### commands auto generated by Alembic - please adjust! ###
    op.drop_table("device_role", schema=schema)
    op.drop_table("signal_device", schema=schema)
    op.drop_table("role", schema=schema)
    op.drop_table("dead_letter_message", schema=schema)
    # ### end Alembic commands ###
@@ -1,72 +0,0 @@
 """test.
 Revision ID: 66bdd532bcab
 Revises: 6eaf696e07a5
 Create Date: 2026-03-18 19:21:14.561568
 """
 from __future__ import annotations
 from typing import TYPE_CHECKING
 import sqlalchemy as sa
 from alembic import op
 from sqlalchemy.dialects import postgresql
 from python.orm import SignalBotBase
 if TYPE_CHECKING:
    from collections.abc import Sequence
 # revision identifiers, used by Alembic.
 revision: str = "66bdd532bcab"
 down_revision: str | None = "6eaf696e07a5"
 branch_labels: str | Sequence[str] | None = None
 depends_on: str | Sequence[str] | None = None
 schema = SignalBotBase.schema_name
 def upgrade() -> None:
    """Upgrade."""
    # ### commands auto generated by Alembic - please adjust! ###
    op.alter_column(
        "dead_letter_message",
        "status",
        existing_type=postgresql.ENUM("UNPROCESSED", "PROCESSED", name="message_status", schema=schema),
        type_=sa.Enum("UNPROCESSED", "PROCESSED", name="message_status", native_enum=False),
        existing_nullable=False,
        schema=schema,
    )
    op.alter_column(
        "signal_device",
        "trust_level",
        existing_type=postgresql.ENUM("VERIFIED", "UNVERIFIED", "BLOCKED", name="trust_level", schema=schema),
        type_=sa.Enum("VERIFIED", "UNVERIFIED", "BLOCKED", name="trust_level", native_enum=False),
        existing_nullable=False,
        schema=schema,
    )
    # ### end Alembic commands ###
 def downgrade() -> None:
    """Downgrade."""
    # ### commands auto generated by Alembic - please adjust! ###
    op.alter_column(
        "signal_device",
        "trust_level",
        existing_type=sa.Enum("VERIFIED", "UNVERIFIED", "BLOCKED", name="trust_level", native_enum=False),
        type_=postgresql.ENUM("VERIFIED", "UNVERIFIED", "BLOCKED", name="trust_level", schema=schema),
        existing_nullable=False,
        schema=schema,
    )
    op.alter_column(
        "dead_letter_message",
        "status",
        existing_type=sa.Enum("UNPROCESSED", "PROCESSED", name="message_status", native_enum=False),
        type_=postgresql.ENUM("UNPROCESSED", "PROCESSED", name="message_status", schema=schema),
        existing_nullable=False,
        schema=schema,
    )
    # ### end Alembic commands ###
@@ -1,3 +0,0 @@
 """Data science CLI tools."""
 from __future__ import annotations
@@ -1,104 +0,0 @@
 """Utilities for converting Bluesky identifiers to numeric database IDs.
 Handles DID-to-user_id hashing, TID-to-post_id decoding, and AT-URI parsing.
 """
 from __future__ import annotations
 import hashlib
 TID_CHARSET = "234567abcdefghijklmnopqrstuvwxyz"
 _TID_LENGTH = 13
 _BIGINT_MASK = 0x7FFFFFFFFFFFFFFF
 _AT_URI_SEGMENT_COUNT = 3
 def did_to_user_id(did: str) -> int:
    """Convert a DID string to a deterministic 63-bit integer for user_id.
    Uses SHA-256, truncated to 63 bits (positive signed BigInteger range).
    Collision probability is negligible at Bluesky's scale (~tens of millions of users).
    Args:
        did: A Bluesky DID string, e.g. "did:plc:abc123".
    Returns:
        A positive 63-bit integer suitable for BigInteger storage.
    """
    digest = hashlib.sha256(did.encode()).digest()
    return int.from_bytes(digest[:8], "big") & _BIGINT_MASK
 def tid_to_integer(tid: str) -> int:
    """Decode a Bluesky TID (base32-sortbase) into a 64-bit integer for post_id.
    TIDs are 13-character, base32-sortbase encoded identifiers that encode a
    microsecond timestamp plus a clock ID. They are globally unique by construction.
    Args:
        tid: A 13-character TID string, e.g. "3abc2defghijk".
    Returns:
        A positive integer suitable for BigInteger storage.
    Raises:
        ValueError: If the TID is malformed (wrong length or invalid characters).
    """
    if len(tid) != _TID_LENGTH:
        message = f"TID must be {_TID_LENGTH} characters, got {len(tid)}: {tid!r}"
        raise ValueError(message)
    result = 0
    for char in tid:
        index = TID_CHARSET.find(char)
        if index == -1:
            message = f"Invalid character {char!r} in TID {tid!r}"
            raise ValueError(message)
        result = result * 32 + index
    return result
 def parse_at_uri(uri: str) -> tuple[str, str, str]:
    """Parse an AT-URI into its components.
    Args:
        uri: An AT-URI string, e.g. "at://did:plc:abc123/app.bsky.feed.post/3abc2defghijk".
    Returns:
        A tuple of (did, collection, rkey).
    Raises:
        ValueError: If the URI doesn't have the expected format.
    """
    stripped = uri.removeprefix("at://")
    parts = stripped.split("/", maxsplit=2)
    if len(parts) != _AT_URI_SEGMENT_COUNT:
        message = f"Expected {_AT_URI_SEGMENT_COUNT} path segments in AT-URI, got {len(parts)}: {uri!r}"
        raise ValueError(message)
    return parts[0], parts[1], parts[2]
 def post_id_from_uri(uri: str) -> int:
    """Extract and decode the post_id (TID) from an AT-URI.
    Args:
        uri: An AT-URI pointing to a post.
    Returns:
        The post_id as an integer.
    """
    _did, _collection, rkey = parse_at_uri(uri)
    return tid_to_integer(rkey)
 def user_id_from_uri(uri: str) -> int:
    """Extract and hash the user_id (DID) from an AT-URI.
    Args:
        uri: An AT-URI pointing to a post.
    Returns:
        The user_id as an integer.
    """
    did, _collection, _rkey = parse_at_uri(uri)
    return did_to_user_id(did)
@@ -1,143 +0,0 @@
 """Transform Bluesky Jetstream messages into rows matching the Posts table schema."""
 from __future__ import annotations
 import json
 import logging
 from datetime import datetime
 from python.data_science.bluesky_ids import (
    did_to_user_id,
    post_id_from_uri,
    tid_to_integer,
    user_id_from_uri,
 )
 logger = logging.getLogger(__name__)
 INSTANCE = "bsky"
 POST_COLLECTION = "app.bsky.feed.post"
 EMBED_RECORD_TYPE = "app.bsky.embed.record"
 EMBED_RECORD_WITH_MEDIA_TYPE = "app.bsky.embed.recordWithMedia"
 def transform_jetstream_post(message: dict) -> dict:
    """Transform a Jetstream commit message into a dict matching Posts table columns.
    Expects a Jetstream message with kind=commit, operation=create,
    collection=app.bsky.feed.post.
    Args:
        message: The full Jetstream JSON message.
    Returns:
        A dict with keys matching the Posts table columns.
    """
    did = message["did"]
    commit = message["commit"]
    record = commit["record"]
    row: dict = {
        "post_id": tid_to_integer(commit["rkey"]),
        "user_id": did_to_user_id(did),
        "instance": INSTANCE,
        "date": datetime.fromisoformat(record["createdAt"]),
        "text": record.get("text", ""),
        "langs": _extract_langs(record),
        "like_count": 0,
        "reply_count": 0,
        "repost_count": 0,
        "reply_to": None,
        "replied_author": None,
        "thread_root": None,
        "thread_root_author": None,
        "repost_from": None,
        "reposted_author": None,
        "quotes": None,
        "quoted_author": None,
        "labels": _extract_labels(record),
        "sent_label": None,
        "sent_score": None,
    }
    _extract_reply_refs(record, row)
    _extract_quote_refs(record, row)
    return row
 def is_post_create(message: dict) -> bool:
    """Check if a Jetstream message is a post creation event.
    Args:
        message: The full Jetstream JSON message.
    Returns:
        True if this is a create commit for app.bsky.feed.post.
    """
    if message.get("kind") != "commit":
        return False
    commit = message.get("commit", {})
    return commit.get("operation") == "create" and commit.get("collection") == POST_COLLECTION
 def _extract_langs(record: dict) -> str | None:
    """Extract langs array as a JSON string, or None if absent."""
    langs = record.get("langs")
    if langs is None:
        return None
    return json.dumps(langs)
 def _extract_labels(record: dict) -> str | None:
    """Extract self-labels as a JSON string, or None if absent."""
    labels_obj = record.get("labels")
    if labels_obj is None:
        return None
    values = labels_obj.get("values", [])
    if not values:
        return None
    label_strings = [label.get("val", "") for label in values]
    return json.dumps(label_strings)
 def _extract_reply_refs(record: dict, row: dict) -> None:
    """Populate reply_to, replied_author, thread_root, thread_root_author from record.reply."""
    reply = record.get("reply")
    if reply is None:
        return
    parent = reply.get("parent", {})
    parent_uri = parent.get("uri")
    if parent_uri:
        row["reply_to"] = post_id_from_uri(parent_uri)
        row["replied_author"] = user_id_from_uri(parent_uri)
    root = reply.get("root", {})
    root_uri = root.get("uri")
    if root_uri:
        row["thread_root"] = post_id_from_uri(root_uri)
        row["thread_root_author"] = user_id_from_uri(root_uri)
 def _extract_quote_refs(record: dict, row: dict) -> None:
    """Populate quotes and quoted_author from embed record references."""
    embed = record.get("embed")
    if embed is None:
        return
    embed_type = embed.get("$type", "")
    if embed_type == EMBED_RECORD_TYPE:
        _set_quote_from_record(embed.get("record", {}), row)
    elif embed_type == EMBED_RECORD_WITH_MEDIA_TYPE:
        inner_record = embed.get("record", {}).get("record", {})
        _set_quote_from_record(inner_record, row)
 def _set_quote_from_record(record_ref: dict, row: dict) -> None:
    """Set quotes and quoted_author from a record reference object."""
    uri = record_ref.get("uri")
    if uri and POST_COLLECTION in uri:
        row["quotes"] = post_id_from_uri(uri)
        row["quoted_author"] = user_id_from_uri(uri)
@@ -1,203 +0,0 @@
 """Kafka consumer that ingests Bluesky posts into the partitioned Posts table.
 Consumes Jetstream messages from Kafka, transforms them into Posts rows,
 and batch-inserts them into PostgreSQL with manual offset commits.
 Usage:
    firehose-consumer
    firehose-consumer --kafka-servers kafka:9092 --batch-size 500
 """
 from __future__ import annotations
 import json
 import logging
 import signal
 from os import getenv
 from threading import Event
 from typing import Annotated
 import typer
 from confluent_kafka import Consumer, KafkaError, KafkaException
 from sqlalchemy.orm import Session
 from python.data_science.bluesky_transform import is_post_create, transform_jetstream_post
 from python.data_science.ingest_posts import ingest_batch
 from python.orm.common import get_postgres_engine
 from python.orm.data_science_dev.posts.failed_ingestion import FailedIngestion
 logger = logging.getLogger(__name__)
 DEFAULT_TOPIC = "bluesky.firehose.posts"
 DEFAULT_KAFKA_SERVERS = "localhost:9092"
 DEFAULT_GROUP_ID = "bluesky-posts-ingestor"
 DEFAULT_BATCH_SIZE = 500
 POLL_TIMEOUT_SECONDS = 5.0
 shutdown_event = Event()
 app = typer.Typer(help="Consume Bluesky posts from Kafka and ingest into PostgreSQL.")
@app.command()
 def main(
    kafka_servers: Annotated[str, typer.Option(help="Kafka bootstrap servers")] = "",
    topic: Annotated[str, typer.Option(help="Kafka topic to consume from")] = "",
    group_id: Annotated[str, typer.Option(help="Kafka consumer group ID")] = "",
    batch_size: Annotated[int, typer.Option(help="Messages per DB insert batch")] = DEFAULT_BATCH_SIZE,
 ) -> None:
    """Consume Bluesky posts from Kafka and ingest into the partitioned posts table."""
    logging.basicConfig(
        level=logging.INFO,
        format="%(asctime)s %(levelname)s %(message)s",
        datefmt="%H:%M:%S",
    )
    servers = kafka_servers or getenv("KAFKA_BOOTSTRAP_SERVERS", DEFAULT_KAFKA_SERVERS)
    topic_name = topic or getenv("BLUESKY_FIREHOSE_TOPIC", DEFAULT_TOPIC)
    group = group_id or getenv("KAFKA_GROUP_ID", DEFAULT_GROUP_ID)
    signal.signal(signal.SIGTERM, _handle_shutdown)
    signal.signal(signal.SIGINT, _handle_shutdown)
    consumer = _create_consumer(servers, group)
    consumer.subscribe([topic_name])
    engine = get_postgres_engine(name="DATA_SCIENCE_DEV")
    total_inserted = 0
    logger.info("Starting firehose consumer: topic=%s group=%s batch_size=%d", topic_name, group, batch_size)
    try:
        with Session(engine) as session:
            while not shutdown_event.is_set():
                inserted = _consume_batch(consumer, session, batch_size)
                total_inserted += inserted
                if inserted > 0:
                    logger.info("Batch inserted %d rows (total: %d)", inserted, total_inserted)
    except KafkaException:
        logger.exception("Fatal Kafka error")
    finally:
        logger.info("Closing consumer (total inserted: %d)", total_inserted)
        consumer.close()
 def _consume_batch(consumer: Consumer, session: Session, batch_size: int) -> int:
    """Poll a batch of messages, transform, and insert into the database.
    Args:
        consumer: The Kafka consumer instance.
        session: SQLAlchemy database session.
        batch_size: Maximum number of messages to consume per batch.
    Returns:
        Number of rows successfully inserted.
    """
    messages = consumer.consume(num_messages=batch_size, timeout=POLL_TIMEOUT_SECONDS)
    if not messages:
        return 0
    rows: list[dict] = []
    for message in messages:
        error = message.error()
        if error is not None:
            if error.code() == KafkaError._PARTITION_EOF:  # noqa: SLF001 — confluent-kafka exposes this as a pseudo-private constant; no public alternative exists
                continue
            logger.error("Consumer error: %s", error)
            continue
        row = _safe_transform(message.value(), session)
        if row is not None:
            rows.append(row)
    if not rows:
        consumer.commit(asynchronous=False)
        return 0
    inserted = ingest_batch(session, rows)
    consumer.commit(asynchronous=False)
    return inserted
 def _safe_transform(raw_value: bytes | None, session: Session) -> dict | None:
    """Transform a Kafka message value into a Posts row, logging failures.
    Args:
        raw_value: Raw message bytes from Kafka.
        session: SQLAlchemy session for logging failures.
    Returns:
        A transformed row dict, or None if transformation failed.
    """
    if raw_value is None:
        return None
    try:
        message = json.loads(raw_value)
    except (json.JSONDecodeError, UnicodeDecodeError):
        logger.exception("Failed to decode Kafka message")
        _log_failed_ingestion(session, raw_value, "JSON decode error")
        return None
    if not is_post_create(message):
        return None
    try:
        return transform_jetstream_post(message)
    except (KeyError, ValueError, TypeError):
        logger.exception("Failed to transform Jetstream message")
        _log_failed_ingestion(session, raw_value, "Transform error")
        return None
 def _log_failed_ingestion(session: Session, raw_value: bytes, error: str) -> None:
    """Log a failed ingestion to the FailedIngestion table.
    Args:
        session: SQLAlchemy session.
        raw_value: The raw message bytes.
        error: Description of the error.
    """
    try:
        session.add(
            FailedIngestion(
                raw_line=raw_value.decode(errors="replace")[:10000],
                error=error,
            )
        )
        session.commit()
    except Exception:
        session.rollback()
        logger.exception("Failed to log ingestion failure")
 def _create_consumer(servers: str, group: str) -> Consumer:
    """Create a configured Kafka consumer.
    Args:
        servers: Kafka bootstrap servers string.
        group: Consumer group ID.
    Returns:
        A configured confluent_kafka.Consumer.
    """
    config = {
        "bootstrap.servers": servers,
        "group.id": group,
        "auto.offset.reset": "earliest",
        "enable.auto.commit": False,
        "max.poll.interval.ms": 300000,
        "fetch.min.bytes": 1024,
        "session.timeout.ms": 30000,
    }
    return Consumer(config)
 def _handle_shutdown(_signum: int, _frame: object) -> None:
    """Signal handler to trigger graceful shutdown."""
    logger.info("Shutdown signal received")
    shutdown_event.set()
 if __name__ == "__main__":
    app()
@@ -1,230 +0,0 @@
 """Bluesky Jetstream firehose to Kafka producer.
 Connects to the Bluesky Jetstream WebSocket API with zstd compression,
 filters for post creation events, and produces them to a Kafka topic.
 Usage:
    firehose-producer
    firehose-producer --kafka-servers kafka:9092 --topic bluesky.firehose.posts
 """
 from __future__ import annotations
 import json
 import logging
 import signal
 from os import getenv
 from threading import Event
 from typing import Annotated
 import typer
 from compression import zstd
 from confluent_kafka import KafkaError, KafkaException, Producer
 from websockets.exceptions import ConnectionClosed
 from websockets.sync.client import connect
 logger = logging.getLogger(__name__)
 JETSTREAM_URL = "wss://jetstream2.us-east.bsky.network/subscribe"
 DEFAULT_TOPIC = "bluesky.firehose.posts"
 DEFAULT_KAFKA_SERVERS = "localhost:9092"
 POLL_INTERVAL = 100
 POST_COLLECTION = "app.bsky.feed.post"
 shutdown_event = Event()
 app = typer.Typer(help="Stream Bluesky firehose posts into Kafka.")
@app.command()
 def main(
    kafka_servers: Annotated[str, typer.Option(help="Kafka bootstrap servers")] = "",
    topic: Annotated[str, typer.Option(help="Kafka topic to produce to")] = "",
    collections: Annotated[str, typer.Option(help="Comma-separated collections to subscribe to")] = POST_COLLECTION,
 ) -> None:
    """Connect to Bluesky Jetstream and produce post events to Kafka."""
    logging.basicConfig(
        level=logging.INFO,
        format="%(asctime)s %(levelname)s %(message)s",
        datefmt="%H:%M:%S",
    )
    servers = kafka_servers or getenv("KAFKA_BOOTSTRAP_SERVERS", DEFAULT_KAFKA_SERVERS)
    topic_name = topic or getenv("BLUESKY_FIREHOSE_TOPIC", DEFAULT_TOPIC)
    signal.signal(signal.SIGTERM, _handle_shutdown)
    signal.signal(signal.SIGINT, _handle_shutdown)
    producer = _create_producer(servers)
    cursor: int | None = None
    logger.info("Starting firehose producer → %s on %s", topic_name, servers)
    while not shutdown_event.is_set():
        try:
            cursor = _stream_loop(producer, topic_name, collections, cursor)
        except (ConnectionClosed, OSError):
            logger.exception("WebSocket disconnected, reconnecting")
        except KafkaException:
            logger.exception("Kafka error, reconnecting")
        if not shutdown_event.is_set():
            logger.info("Reconnecting in 5 seconds (cursor=%s)", cursor)
            shutdown_event.wait(timeout=5)
    logger.info("Shutting down, flushing producer")
    producer.flush(timeout=30)
    logger.info("Producer shutdown complete")
 def _stream_loop(
    producer: Producer,
    topic: str,
    collections: str,
    cursor: int | None,
 ) -> int | None:
    """Connect to Jetstream and stream messages to Kafka until disconnected.
    Args:
        producer: The Kafka producer instance.
        topic: Kafka topic name.
        collections: Comma-separated AT Protocol collections to subscribe to.
        cursor: Optional microsecond timestamp to resume from.
    Returns:
        The last processed time_us cursor value.
    """
    url = _build_jetstream_url(collections, cursor)
    logger.info("Connecting to %s", url)
    message_count = 0
    last_cursor = cursor
    with connect(url, additional_headers={"Accept-Encoding": "zstd"}) as websocket:
        logger.info("Connected to Jetstream")
        while not shutdown_event.is_set():
            try:
                raw_frame = websocket.recv(timeout=10)
            except TimeoutError:
                producer.poll(0)
                continue
            text = _decode_frame(raw_frame)
            message = json.loads(text)
            time_us = message.get("time_us")
            if time_us is not None:
                last_cursor = time_us
            if not _is_post_create(message):
                continue
            did = message.get("did", "")
            try:
                producer.produce(
                    topic,
                    key=did.encode(),
                    value=text.encode() if isinstance(text, str) else text,
                    callback=_delivery_callback,
                )
            except BufferError:
                logger.warning("Producer buffer full, flushing")
                producer.flush(timeout=10)
                producer.produce(
                    topic,
                    key=did.encode(),
                    value=text.encode() if isinstance(text, str) else text,
                    callback=_delivery_callback,
                )
            message_count += 1
            if message_count % POLL_INTERVAL == 0:
                producer.poll(0)
            if message_count % 10000 == 0:
                logger.info("Produced %d messages (cursor=%s)", message_count, last_cursor)
    return last_cursor
 def _build_jetstream_url(collections: str, cursor: int | None) -> str:
    """Build the Jetstream WebSocket URL with query parameters.
    Args:
        collections: Comma-separated collection names.
        cursor: Optional microsecond timestamp for resumption.
    Returns:
        The full WebSocket URL.
    """
    params = ["compress=true"]
    for raw_collection in collections.split(","):
        cleaned = raw_collection.strip()
        if cleaned:
            params.append(f"wantedCollections={cleaned}")
    if cursor is not None:
        params.append(f"cursor={cursor}")
    return f"{JETSTREAM_URL}?{'&'.join(params)}"
 def _decode_frame(frame: str | bytes) -> str:
    """Decode a WebSocket frame, decompressing zstd if binary.
    Jetstream with compress=true sends zstd-compressed binary frames.
    Args:
        frame: Raw WebSocket frame data.
    Returns:
        The decoded JSON string.
    """
    if isinstance(frame, bytes):
        return zstd.decompress(frame).decode()
    return frame
 def _is_post_create(message: dict) -> bool:
    """Check if a Jetstream message is a post creation commit."""
    if message.get("kind") != "commit":
        return False
    commit = message.get("commit", {})
    return commit.get("operation") == "create" and commit.get("collection") == POST_COLLECTION
 def _create_producer(servers: str) -> Producer:
    """Create a configured Kafka producer.
    Args:
        servers: Kafka bootstrap servers string.
    Returns:
        A configured confluent_kafka.Producer.
    """
    config = {
        "bootstrap.servers": servers,
        "linger.ms": 50,
        "batch.size": 65536,
        "compression.type": "zstd",
        "acks": "all",
        "retries": 5,
        "retry.backoff.ms": 500,
    }
    return Producer(config)
 def _delivery_callback(error: KafkaError | None, _message: object) -> None:
    """Log delivery failures from the Kafka producer."""
    if error is not None:
        logger.error("Kafka delivery failed: %s", error)
 def _handle_shutdown(_signum: int, _frame: object) -> None:
    """Signal handler to trigger graceful shutdown."""
    logger.info("Shutdown signal received")
    shutdown_event.set()
 if __name__ == "__main__":
    app()
@@ -1,247 +0,0 @@
 """Ingestion pipeline for loading JSONL post files into the weekly-partitioned posts table.
 Usage:
    ingest-posts /path/to/files/
    ingest-posts /path/to/single_file.jsonl
    ingest-posts /data/dir/ --workers 4 --batch-size 5000
 """
 from __future__ import annotations
 import logging
 from datetime import UTC, datetime
 from pathlib import Path  # noqa: TC003 this is needed for typer
 from typing import TYPE_CHECKING, Annotated
 import orjson
 import psycopg
 import typer
 from python.common import configure_logger
 from python.orm.common import get_connection_info
 from python.parallelize import parallelize_process
 if TYPE_CHECKING:
    from collections.abc import Iterator
 logger = logging.getLogger(__name__)
 app = typer.Typer(help="Ingest JSONL post files into the partitioned posts table.")
@app.command()
 def main(
    path: Annotated[Path, typer.Argument(help="Directory containing JSONL files, or a single JSONL file")],
    batch_size: Annotated[int, typer.Option(help="Rows per INSERT batch")] = 10000,
    workers: Annotated[int, typer.Option(help="Parallel workers for multi-file ingestion")] = 4,
    pattern: Annotated[str, typer.Option(help="Glob pattern for JSONL files")] = "*.jsonl",
 ) -> None:
    """Ingest JSONL post files into the weekly-partitioned posts table."""
    configure_logger(level="INFO")
    logger.info("starting ingest-posts")
    logger.info("path=%s batch_size=%d workers=%d pattern=%s", path, batch_size, workers, pattern)
    if path.is_file():
        ingest_file(path, batch_size=batch_size)
    elif path.is_dir():
        ingest_directory(path, batch_size=batch_size, max_workers=workers, pattern=pattern)
    else:
        typer.echo(f"Path does not exist: {path}", err=True)
        raise typer.Exit(code=1)
    logger.info("ingest-posts done")
 def ingest_directory(
    directory: Path,
    *,
    batch_size: int,
    max_workers: int,
    pattern: str = "*.jsonl",
 ) -> None:
    """Ingest all JSONL files in a directory using parallel workers."""
    files = sorted(directory.glob(pattern))
    if not files:
        logger.warning("No JSONL files found in %s", directory)
        return
    logger.info("Found %d JSONL files to ingest", len(files))
    kwargs_list = [{"path": fp, "batch_size": batch_size} for fp in files]
    parallelize_process(ingest_file, kwargs_list, max_workers=max_workers)
 SCHEMA = "main"
 COLUMNS = (
    "post_id",
    "user_id",
    "instance",
    "date",
    "text",
    "langs",
    "like_count",
    "reply_count",
    "repost_count",
    "reply_to",
    "replied_author",
    "thread_root",
    "thread_root_author",
    "repost_from",
    "reposted_author",
    "quotes",
    "quoted_author",
    "labels",
    "sent_label",
    "sent_score",
 )
 INSERT_FROM_STAGING = f"""
    INSERT INTO {SCHEMA}.posts ({", ".join(COLUMNS)})
    SELECT {", ".join(COLUMNS)} FROM pg_temp.staging
    ON CONFLICT (post_id, date) DO NOTHING
 """  # noqa: S608
 FAILED_INSERT = f"""
    INSERT INTO {SCHEMA}.failed_ingestion (raw_line, error)
    VALUES (%(raw_line)s, %(error)s)
 """  # noqa: S608
 def get_psycopg_connection() -> psycopg.Connection:
    """Create a raw psycopg3 connection from environment variables."""
    database, host, port, username, password = get_connection_info("DATA_SCIENCE_DEV")
    return psycopg.connect(
        dbname=database,
        host=host,
        port=int(port),
        user=username,
        password=password,
        autocommit=False,
    )
 def ingest_file(path: Path, *, batch_size: int) -> None:
    """Ingest a single JSONL file into the posts table."""
    log_trigger = max(100_000 // batch_size, 1)
    failed_lines: list[dict] = []
    try:
        with get_psycopg_connection() as connection:
            for index, batch in enumerate(read_jsonl_batches(path, batch_size, failed_lines), 1):
                ingest_batch(connection, batch)
                if index % log_trigger == 0:
                    logger.info("Ingested %d batches (%d rows) from %s", index, index * batch_size, path)
            if failed_lines:
                logger.warning("Recording %d malformed lines from %s", len(failed_lines), path.name)
                with connection.cursor() as cursor:
                    cursor.executemany(FAILED_INSERT, failed_lines)
                connection.commit()
    except Exception:
        logger.exception("Failed to ingest file: %s", path)
        raise
 def ingest_batch(connection: psycopg.Connection, batch: list[dict]) -> None:
    """COPY batch into a temp staging table, then INSERT ... ON CONFLICT into posts."""
    if not batch:
        return
    try:
        with connection.cursor() as cursor:
            cursor.execute(f"""
                CREATE TEMP TABLE IF NOT EXISTS staging
                (LIKE {SCHEMA}.posts INCLUDING DEFAULTS)
                ON COMMIT DELETE ROWS
            """)
            cursor.execute("TRUNCATE pg_temp.staging")
            with cursor.copy(f"COPY pg_temp.staging ({', '.join(COLUMNS)}) FROM STDIN") as copy:
                for row in batch:
                    copy.write_row(tuple(row.get(column) for column in COLUMNS))
            cursor.execute(INSERT_FROM_STAGING)
        connection.commit()
    except Exception as error:
        connection.rollback()
        if len(batch) == 1:
            logger.exception("Skipping bad row post_id=%s", batch[0].get("post_id"))
            with connection.cursor() as cursor:
                cursor.execute(
                    FAILED_INSERT,
                    {
                        "raw_line": orjson.dumps(batch[0], default=str).decode(),
                        "error": str(error),
                    },
                )
            connection.commit()
            return
        midpoint = len(batch) // 2
        ingest_batch(connection, batch[:midpoint])
        ingest_batch(connection, batch[midpoint:])
 def read_jsonl_batches(file_path: Path, batch_size: int, failed_lines: list[dict]) -> Iterator[list[dict]]:
    """Stream a JSONL file and yield batches of transformed rows."""
    batch: list[dict] = []
    with file_path.open("r", encoding="utf-8") as handle:
        for raw_line in handle:
            line = raw_line.strip()
            if not line:
                continue
            batch.extend(parse_line(line, file_path, failed_lines))
            if len(batch) >= batch_size:
                yield batch
                batch = []
    if batch:
        yield batch
 def parse_line(line: str, file_path: Path, failed_lines: list[dict]) -> Iterator[dict]:
    """Parse a JSONL line, handling concatenated JSON objects."""
    try:
        yield transform_row(orjson.loads(line))
    except orjson.JSONDecodeError:
        if "}{" not in line:
            logger.warning("Skipping malformed line in %s: %s", file_path.name, line[:120])
            failed_lines.append({"raw_line": line, "error": "malformed JSON"})
            return
        fragments = line.replace("}{", "}\n{").split("\n")
        for fragment in fragments:
            try:
                yield transform_row(orjson.loads(fragment))
            except (orjson.JSONDecodeError, KeyError, ValueError) as error:
                logger.warning("Skipping malformed fragment in %s: %s", file_path.name, fragment[:120])
                failed_lines.append({"raw_line": fragment, "error": str(error)})
    except Exception as error:
        logger.exception("Skipping bad row in %s: %s", file_path.name, line[:120])
        failed_lines.append({"raw_line": line, "error": str(error)})
 def transform_row(raw: dict) -> dict:
    """Transform a raw JSONL row into a dict matching the Posts table columns."""
    raw["date"] = parse_date(raw["date"])
    if raw.get("langs") is not None:
        raw["langs"] = orjson.dumps(raw["langs"])
    if raw.get("text") is not None:
        raw["text"] = raw["text"].replace("\x00", "")
    return raw
 def parse_date(raw_date: int) -> datetime:
    """Parse compact YYYYMMDDHHmm integer into a naive datetime (input is UTC by spec)."""
    return datetime(
        raw_date // 100000000,
        (raw_date // 1000000) % 100,
        (raw_date // 10000) % 100,
        (raw_date // 100) % 100,
        raw_date % 100,
        tzinfo=UTC,
    )
 if __name__ == "__main__":
    app()
@@ -83,20 +83,6 @@ DATABASES: dict[str, DatabaseConfig] = {
        base_class_name="VanInventoryBase",
        models_module="python.orm.van_inventory.models",
    ),
    "signal_bot": DatabaseConfig(
        env_prefix="SIGNALBOT",
        version_location="python/alembic/signal_bot/versions",
        base_module="python.orm.signal_bot.base",
        base_class_name="SignalBotBase",
        models_module="python.orm.signal_bot.models",
    ),
    "data_science_dev": DatabaseConfig(
        env_prefix="DATA_SCIENCE_DEV",
        version_location="python/alembic/data_science_dev/versions",
        base_module="python.orm.data_science_dev.base",
        base_class_name="DataScienceDevBase",
        models_module="python.orm.data_science_dev.models",
    ),
 }
@@ -0,0 +1,347 @@
 """Small Gitea API client for repository automation."""
 from __future__ import annotations
 from dataclasses import dataclass
 from typing import Self
 from urllib.parse import quote
 import httpx
 DEFAULT_PAGE_SIZE = 100
 EXPECTED_NO_CONTENT = 204
 EXPECTED_CREATED = 201
 EXPECTED_OK = 200
@dataclass(frozen=True)
 class CreatedIssue:
    """Issue data returned by Gitea."""
    number: int | None
    html_url: str | None
    title: str
@dataclass(frozen=True)
 class PullRequest:
    """Pull request data returned by Gitea."""
    number: int
    title: str
    html_url: str | None
    labels: tuple[str, ...]
    head_branch: str | None
    base_branch: str | None
@dataclass(frozen=True)
 class WorkflowJob:
    """Workflow job data returned by Gitea Actions."""
    id: int
    name: str
    run_id: int | None
    status: str | None
    conclusion: str | None
 class GiteaError(RuntimeError):
    """Raised when Gitea rejects an API request."""
 def split_repo_name(repo: str) -> tuple[str, str]:
    """Split an owner/repo string into its parts."""
    owner, separator, repo_name = repo.partition("/")
    if not separator or not owner or not repo_name:
        msg = f"Invalid repository name: {repo}"
        raise ValueError(msg)
    return owner, repo_name
 class GiteaClient:
    """HTTP client for the subset of Gitea APIs used in this repository."""
    def __init__(
        self,
        *,
        base_url: str,
        token: str,
        timeout: int = 30,
        transport: httpx.BaseTransport | None = None,
    ) -> None:
        """Initialize the Gitea client."""
        self._client = httpx.Client(
            base_url=base_url.rstrip("/"),
            timeout=timeout,
            headers={"Authorization": f"token {token}"},
            transport=transport,
        )
    def create_issue(
        self,
        *,
        owner: str,
        repo: str,
        title: str,
        body: str,
        labels: list[int] | None = None,
    ) -> CreatedIssue:
        """Create a Gitea issue."""
        payload: dict[str, object] = {"title": title, "body": body, "labels": labels or []}
        response = self._request(
            "POST",
            f"/api/v1/repos/{owner}/{repo}/issues",
            expected_statuses={EXPECTED_CREATED},
            json=payload,
        )
        data = response.json()
        return CreatedIssue(
            number=_optional_int(data.get("number")),
            html_url=_optional_str(data.get("html_url")),
            title=str(data.get("title", title)),
        )
    def resolve_label_ids(self, *, owner: str, repo: str, labels: list[str]) -> list[int]:
        """Resolve label names to Gitea label IDs."""
        if not labels:
            return []
        available_labels: dict[str, int] = {}
        page = 1
        while True:
            response = self._request(
                "GET",
                f"/api/v1/repos/{owner}/{repo}/labels",
                params={"page": page, "limit": DEFAULT_PAGE_SIZE},
            )
            batch = response.json()
            if not batch:
                break
            for label in batch:
                label_name = str(label.get("name", ""))
                label_id = _optional_int(label.get("id"))
                if label_name and label_id is not None:
                    available_labels[label_name] = label_id
            if len(batch) < DEFAULT_PAGE_SIZE:
                break
            page += 1
        missing = [label for label in labels if label not in available_labels]
        if missing:
            missing_names = ", ".join(sorted(missing))
            msg = f"Missing Gitea labels: {missing_names}"
            raise GiteaError(msg)
        return [available_labels[label] for label in labels]
    def list_open_pull_requests(
        self,
        *,
        owner: str,
        repo: str,
        labels: list[str] | None = None,
        head: str | None = None,
    ) -> list[PullRequest]:
        """List open pull requests for a repository."""
        expected_labels = set(labels or [])
        pull_requests: list[PullRequest] = []
        page = 1
        while True:
            response = self._request(
                "GET",
                f"/api/v1/repos/{owner}/{repo}/pulls",
                params={"state": "open", "page": page, "limit": DEFAULT_PAGE_SIZE},
            )
            batch = response.json()
            if not batch:
                break
            for item in batch:
                pull_request = _pull_request_from_api(item)
                if head and pull_request.head_branch != head:
                    continue
                if expected_labels and not expected_labels.issubset(set(pull_request.labels)):
                    continue
                pull_requests.append(pull_request)
            if len(batch) < DEFAULT_PAGE_SIZE:
                break
            page += 1
        return pull_requests
    def create_pull_request(
        self,
        *,
        owner: str,
        repo: str,
        title: str,
        body: str,
        head: str,
        base: str,
        labels: list[str] | None = None,
    ) -> PullRequest:
        """Create a pull request."""
        payload: dict[str, object] = {
            "title": title,
            "body": body,
            "head": head,
            "base": base,
        }
        if labels:
            payload["labels"] = self.resolve_label_ids(owner=owner, repo=repo, labels=labels)
        response = self._request(
            "POST",
            f"/api/v1/repos/{owner}/{repo}/pulls",
            expected_statuses={EXPECTED_CREATED},
            json=payload,
        )
        return _pull_request_from_api(response.json())
    def merge_pull_request(
        self,
        *,
        owner: str,
        repo: str,
        number: int,
        merge_method: str = "rebase",
        head_commit_id: str | None = None,
        delete_branch_after_merge: bool = False,
    ) -> None:
        """Merge a pull request."""
        payload: dict[str, object] = {
            "Do": merge_method,
            "delete_branch_after_merge": delete_branch_after_merge,
        }
        if head_commit_id:
            payload["head_commit_id"] = head_commit_id
        self._request(
            "POST",
            f"/api/v1/repos/{owner}/{repo}/pulls/{number}/merge",
            json=payload,
        )
    def dispatch_workflow(self, *, owner: str, repo: str, workflow_id: str, ref: str) -> None:
        """Trigger a workflow_dispatch run."""
        workflow_path = quote(workflow_id, safe="")
        self._request(
            "POST",
            f"/api/v1/repos/{owner}/{repo}/actions/workflows/{workflow_path}/dispatches",
            expected_statuses={EXPECTED_OK, EXPECTED_NO_CONTENT},
            json={"ref": ref},
        )
    def list_run_jobs(self, *, owner: str, repo: str, run_id: str | int) -> list[WorkflowJob]:
        """List workflow jobs for a specific run."""
        jobs: list[WorkflowJob] = []
        page = 1
        while True:
            response = self._request(
                "GET",
                f"/api/v1/repos/{owner}/{repo}/actions/jobs",
                params={"page": page, "limit": DEFAULT_PAGE_SIZE},
            )
            payload = response.json()
            batch = payload.get("jobs", [])
            if not batch:
                break
            for item in batch:
                if str(item.get("run_id")) != str(run_id):
                    continue
                jobs.append(_workflow_job_from_api(item))
            if len(batch) < DEFAULT_PAGE_SIZE:
                break
            page += 1
        return jobs
    def download_job_logs(self, *, owner: str, repo: str, job_id: int) -> str:
        """Download logs for a workflow job."""
        response = self._request(
            "GET",
            f"/api/v1/repos/{owner}/{repo}/actions/jobs/{job_id}/logs",
        )
        return response.text
    def close(self) -> None:
        """Close the underlying HTTP client."""
        self._client.close()
    def __enter__(self) -> Self:
        """Enter the context manager."""
        return self
    def __exit__(self, *args: object) -> None:
        """Close the HTTP client."""
        self.close()
    def _request(
        self,
        method: str,
        path: str,
        *,
        expected_statuses: set[int] | None = None,
        **kwargs: object,
    ) -> httpx.Response:
        """Send an HTTP request and validate the response status."""
        response = self._client.request(method, path, **kwargs)
        statuses = expected_statuses or {EXPECTED_OK}
        if response.status_code not in statuses:
            msg = f"Gitea request failed ({response.status_code}): {response.text}"
            raise GiteaError(msg)
        return response
 def _pull_request_from_api(data: dict[str, object]) -> PullRequest:
    """Convert Gitea API pull-request data into a dataclass."""
    number = _optional_int(data.get("number")) or _optional_int(data.get("index"))
    if number is None:
        msg = "Gitea pull request payload is missing a number"
        raise GiteaError(msg)
    labels = tuple(str(label.get("name", "")) for label in data.get("labels", []))
    head = data.get("head", {})
    base = data.get("base", {})
    return PullRequest(
        number=number,
        title=str(data.get("title", "")),
        html_url=_optional_str(data.get("html_url")),
        labels=tuple(label for label in labels if label),
        head_branch=_optional_str(head.get("ref")) or _optional_str(data.get("head_branch")),
        base_branch=_optional_str(base.get("ref")) or _optional_str(data.get("base_branch")),
    )
 def _workflow_job_from_api(data: dict[str, object]) -> WorkflowJob:
    """Convert Gitea API workflow-job data into a dataclass."""
    job_id = _optional_int(data.get("id"))
    if job_id is None:
        msg = "Gitea workflow job payload is missing an ID"
        raise GiteaError(msg)
    return WorkflowJob(
        id=job_id,
        name=str(data.get("name", "")),
        run_id=_optional_int(data.get("run_id")),
        status=_optional_str(data.get("status")),
        conclusion=_optional_str(data.get("conclusion")),
    )
 def _optional_int(value: object) -> int | None:
    """Convert an API value to an integer when present."""
    if value is None:
        return None
    return int(value)
 def _optional_str(value: object) -> str | None:
    """Convert an API value to a string when present."""
    if value is None:
        return None
    return str(value)
@@ -0,0 +1,148 @@
 """Automation helpers for flake.lock pull requests on Gitea."""
 from __future__ import annotations
 import subprocess
 from os import getenv
 from typing import Annotated
 import typer
 from python.gitea import GiteaClient, PullRequest, split_repo_name
 DEFAULT_BASE_BRANCH = "main"
 DEFAULT_BRANCH = "automation/update-flake-lock"
 DEFAULT_GITEA_URL = "https://gitea.tmmworkshop.com"
 PR_LABELS = ["dependencies", "automated", "flake_lock_update"]
 PR_CHECK_WORKFLOWS = ["build_systems.yml", "treefmt.yml", "pytest.yml"]
 PR_TITLE = "Update flake.lock"
 PR_BODY = "Automated flake.lock update."
 app = typer.Typer(add_completion=False)
 def run_cmd(cmd: list[str], *, check: bool = True) -> subprocess.CompletedProcess[str]:
    """Run a subprocess command."""
    return subprocess.run(cmd, capture_output=True, text=True, check=check)
 def ensure_flake_lock_pull_request(
    client: GiteaClient,
    *,
    owner: str,
    repo: str,
    branch: str,
    base: str,
 ) -> PullRequest:
    """Return an existing flake.lock PR for the branch or create one."""
    pull_requests = client.list_open_pull_requests(owner=owner, repo=repo, head=branch)
    if pull_requests:
        return pull_requests[0]
    return client.create_pull_request(
        owner=owner,
        repo=repo,
        title=PR_TITLE,
        body=PR_BODY,
        head=branch,
        base=base,
        labels=PR_LABELS,
    )
 def find_flake_lock_pull_request(client: GiteaClient, *, owner: str, repo: str) -> PullRequest | None:
    """Find the first open flake.lock pull request."""
    pull_requests = client.list_open_pull_requests(owner=owner, repo=repo, labels=["flake_lock_update"])
    if not pull_requests:
        return None
    return pull_requests[0]
 def dispatch_pull_request_checks(client: GiteaClient, *, owner: str, repo: str, branch: str) -> None:
    """Dispatch the workflows that normally run for pull requests."""
    for workflow in PR_CHECK_WORKFLOWS:
        client.dispatch_workflow(owner=owner, repo=repo, workflow_id=workflow, ref=branch)
 def has_worktree_changes() -> bool:
    """Return whether `flake.lock` has worktree changes."""
    result = run_cmd(["git", "diff", "--quiet", "--", "flake.lock"], check=False)
    return result.returncode != 0
 def commit_flake_lock_update(*, branch: str) -> None:
    """Commit the updated lock file to the automation branch."""
    run_cmd(["git", "config", "user.name", "gitea-actions[bot]"])
    run_cmd(["git", "config", "user.email", "gitea-actions@tmmworkshop.com"])
    run_cmd(["git", "checkout", "-B", branch])
    run_cmd(["git", "add", "flake.lock"])
    run_cmd(["git", "commit", "-m", "chore: update flake.lock"])
 def push_branch(*, branch: str) -> None:
    """Push the automation branch to origin."""
    run_cmd(["git", "push", "origin", f"HEAD:{branch}", "--force"])
 def _required_gitea_token() -> str:
    """Read the required Gitea token from the environment."""
    token = getenv("GITEA_TOKEN")
    if token:
        return token
    msg = "GITEA_TOKEN environment variable is required"
    raise RuntimeError(msg)
@app.command()
 def update(
    repo: Annotated[str, typer.Option("--repo", help="Gitea repository in owner/repo form")],
    base: Annotated[str, typer.Option("--base", help="Base branch")] = DEFAULT_BASE_BRANCH,
    branch: Annotated[str, typer.Option("--branch", help="Automation branch")] = DEFAULT_BRANCH,
 ) -> None:
    """Commit flake.lock changes and ensure a pull request exists."""
    if not has_worktree_changes():
        typer.echo("No flake.lock changes detected")
        return
    commit_flake_lock_update(branch=branch)
    push_branch(branch=branch)
    owner, repo_name = split_repo_name(repo)
    with GiteaClient(
        base_url=getenv("GITEA_URL", DEFAULT_GITEA_URL),
        token=_required_gitea_token(),
    ) as client:
        pull_request = ensure_flake_lock_pull_request(
            client,
            owner=owner,
            repo=repo_name,
            branch=branch,
            base=base,
        )
        # We can remove this if Gitea fixes the following issue:
        # https://github.com/go-gitea/gitea/issues/33963
        dispatch_pull_request_checks(client, owner=owner, repo=repo_name, branch=branch)
    typer.echo(pull_request.html_url or f"Pull request #{pull_request.number}")
@app.command()
 def merge(
    repo: Annotated[str, typer.Option("--repo", help="Gitea repository in owner/repo form")],
 ) -> None:
    """Merge the first open flake.lock pull request."""
    owner, repo_name = split_repo_name(repo)
    with GiteaClient(
        base_url=getenv("GITEA_URL", DEFAULT_GITEA_URL),
        token=_required_gitea_token(),
    ) as client:
        pull_request = find_flake_lock_pull_request(client, owner=owner, repo=repo_name)
        if not pull_request:
            typer.echo("No open PR found with label flake_lock_update")
            return
        client.merge_pull_request(owner=owner, repo=repo_name, number=pull_request.number, merge_method="rebase")
    typer.echo(f"Merged PR #{pull_request.number}")
 if __name__ == "__main__":
    app()
@@ -16,9 +16,13 @@ from typing import TYPE_CHECKING
 if TYPE_CHECKING:
    from collections.abc import Sequence
 logger = logging.getLogger(__name__)
 ESCAPE_KEY = 27
 def configure_logger(level: str = "INFO") -> None:
    """Configure the logger.
    Args:
        level (str, optional): The logging level. Defaults to "INFO".
    """
@@ -32,15 +36,17 @@ def configure_logger(level: str = "INFO") -> None:
 def bash_wrapper(command: str) -> str:
    """Execute a bash command and capture the output.
    Args:
        command (str): The bash command to be executed.
    Returns:
        Tuple[str, int]: A tuple containing the output of the command (stdout) as a string,
        the error output (stderr) as a string (optional), and the return code as an integer.
    """
-    logging.debug(f"running {command=}")
+    logger.debug(f"running {command=}")
    # This is a acceptable risk
-    process = Popen(command.split(), stdout=PIPE, stderr=PIPE)  # noqa: S603
+    process = Popen(command.split(), stdout=PIPE, stderr=PIPE)
    output, _ = process.communicate()
    if process.returncode != 0:
        error = f"Failed to run command {command=} return code {process.returncode=}"
@@ -51,6 +57,7 @@ def bash_wrapper(command: str) -> str:
 def partition_disk(disk: str, swap_size: int, reserve: int = 0) -> None:
    """Partition a disk.
    Args:
        disk (str): The disk to partition.
        swap_size (int): The size of the swap partition in GB.
@@ -58,7 +65,7 @@ def partition_disk(disk: str, swap_size: int, reserve: int = 0) -> None:
        reserve (int, optional): The size of the reserve partition in GB. Defaults to 0.
            minimum value is 0.
    """
-    logging.info(f"partitioning {disk=}")
+    logger.info(f"partitioning {disk=}")
    swap_size = max(swap_size, 1)
    reserve = max(reserve, 0)
@@ -66,16 +73,16 @@ def partition_disk(disk: str, swap_size: int, reserve: int = 0) -> None:
    if reserve > 0:
        msg = f"Creating swap partition on {disk=} with size {swap_size=}GiB and reserve {reserve=}GiB"
-        logging.info(msg)
+        logger.info(msg)
        swap_start = swap_size + reserve
        swap_partition = f"mkpart swap -{swap_start}GiB -{reserve}GiB "
    else:
-        logging.info(f"Creating swap partition on {disk=} with size {swap_size=}GiB")
+        logger.info(f"Creating swap partition on {disk=} with size {swap_size=}GiB")
        swap_start = swap_size
        swap_partition = f"mkpart swap -{swap_start}GiB 100% "
-    logging.debug(f"{swap_partition=}")
+    logger.debug(f"{swap_partition=}")
    create_partitions = (
        f"parted --script --align=optimal {disk} -- "
@@ -87,13 +94,14 @@ def partition_disk(disk: str, swap_size: int, reserve: int = 0) -> None:
    )
    bash_wrapper(create_partitions)
-    logging.info(f"{disk=} successfully partitioned")
+    logger.info(f"{disk=} successfully partitioned")
 def create_zfs_pool(pool_disks: Sequence[str], mnt_dir: str) -> None:
    """Create a ZFS pool.
    Args:
-        disks (Sequence[str]): A tuple of disks to use for the pool.
+        pool_disks (Sequence[str]): A tuple of disks to use for the pool.
        mnt_dir (str): The mount directory.
    """
    if len(pool_disks) <= 0:
@@ -125,13 +133,12 @@ def create_zfs_pool(pool_disks: Sequence[str], mnt_dir: str) -> None:
    bash_wrapper(zpool_create)
    zpools = bash_wrapper("zpool list -o name")
    if "root_pool" not in zpools.splitlines():
-        logging.critical("Failed to create root_pool")
+        logger.critical("Failed to create root_pool")
        sys.exit(1)
 def create_zfs_datasets() -> None:
    """Create ZFS datasets."""
    bash_wrapper("zfs create -o canmount=noauto -o reservation=10G root_pool/root")
    bash_wrapper("zfs create root_pool/home")
    bash_wrapper("zfs create root_pool/var -o reservation=1G")
@@ -146,7 +153,7 @@ def create_zfs_datasets() -> None:
    }
    missing_datasets = expected_datasets.difference(datasets.splitlines())
    if missing_datasets:
-        logging.critical(f"Failed to create pools {missing_datasets}")
+        logger.critical(f"Failed to create pools {missing_datasets}")
        sys.exit(1)
@@ -159,6 +166,8 @@ def get_cpu_manufacturer() -> str:
    for line in output.splitlines():
        if "vendor_id" in line:
            return id_vendor[line.split(": ")[1].strip()]
    error = "Failed to get CPU manufacturer"
    raise RuntimeError(error)
 def get_boot_drive_id(disk: str) -> str:
@@ -167,9 +176,8 @@ def get_boot_drive_id(disk: str) -> str:
    return output.splitlines()[1]
-def create_nix_hardware_file(mnt_dir: str, disks: Sequence[str], encrypt: bool) -> None:
+def create_nix_hardware_file(mnt_dir: str, disks: Sequence[str], *, encrypt: bool) -> None:
    """Create a NixOS hardware file."""
    cpu_manufacturer = get_cpu_manufacturer()
    devices = ""
@@ -193,7 +201,15 @@ def create_nix_hardware_file(mnt_dir: str, disks: Sequence[str], encrypt: bool)
        '  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];\n\n'
        "  boot = {\n"
        "    initrd = {\n"
-        '      availableKernelModules = [ \n        "ahci"\n        "ehci_pci"\n        "nvme"\n        "sd_mod"\n        "usb_storage"\n        "usbhid"\n        "xhci_pci"\n      ];\n'
+        "      availableKernelModules = [ \n"
        '        "ahci"\n'
        '        "ehci_pci"\n'
        '        "nvme"\n'
        '        "sd_mod"\n'
        '        "usb_storage"\n'
        '        "usbhid"\n'
        '        "xhci_pci"\n'
        "      ];\n"
        "      kernelModules = [ ];\n"
        f" {devices}"
        "    };\n"
@@ -207,11 +223,18 @@ def create_nix_hardware_file(mnt_dir: str, disks: Sequence[str], encrypt: bool)
        '    "/nix" = {\n      device = "root_pool/nix";\n      fsType = "zfs";\n    };\n\n'
        '    "/boot" = {\n'
        f'      device = "/dev/disk/by-uuid/{get_boot_drive_id(disks[0])}";\n'
-        '      fsType = "vfat";\n      options = [\n        "fmask=0077"\n        "dmask=0077"\n      ];\n    };\n  };\n\n'
+        '      fsType = "vfat";\n'
        "      options = [\n"
        '        "fmask=0077"\n'
        '        "dmask=0077"\n'
        "      ];\n"
        "    };\n"
        "  };\n\n"
        "  swapDevices = [ ];\n\n"
        "  networking.useDHCP = lib.mkDefault true;\n\n"
        '  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";\n'
-        f"  hardware.cpu.{cpu_manufacturer}.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;\n"
+        f"  hardware.cpu.{cpu_manufacturer}.updateMicrocode = lib.mkDefault "
        "config.hardware.enableRedistributableFirmware;\n"
        f'  networking.hostId = "{host_id}";\n'
        "}\n"
    )
@@ -219,7 +242,7 @@ def create_nix_hardware_file(mnt_dir: str, disks: Sequence[str], encrypt: bool)
    Path(f"{mnt_dir}/etc/nixos/hardware-configuration.nix").write_text(nix_hardware)
-def install_nixos(mnt_dir: str, disks: Sequence[str], encrypt: bool) -> None:
+def install_nixos(mnt_dir: str, disks: Sequence[str], *, encrypt: bool) -> None:
    """Install NixOS."""
    bash_wrapper(f"mount -o X-mount.mkdir -t zfs root_pool/root {mnt_dir}")
    bash_wrapper(f"mount -o X-mount.mkdir -t zfs root_pool/home {mnt_dir}/home")
@@ -230,14 +253,16 @@ def install_nixos(mnt_dir: str, disks: Sequence[str], encrypt: bool) -> None:
        bash_wrapper(f"mkfs.vfat -n EFI {disk}-part1")
    # set up mirroring afterwards if more than one disk
-    boot_partition = f"mount -t vfat -o fmask=0077,dmask=0077,iocharset=iso8859-1,X-mount.mkdir {disks[0]}-part1 {mnt_dir}/boot"
+    boot_partition = (
        f"mount -t vfat -o fmask=0077,dmask=0077,iocharset=iso8859-1,X-mount.mkdir {disks[0]}-part1 {mnt_dir}/boot"
    )
    bash_wrapper(boot_partition)
    bash_wrapper(f"nixos-generate-config --root {mnt_dir}")
-    create_nix_hardware_file(mnt_dir, disks, encrypt)
+    create_nix_hardware_file(mnt_dir, disks, encrypt=encrypt)
-    run(("nixos-install", "--root", mnt_dir), check=True)  # noqa: S603
+    run(("nixos-install", "--root", mnt_dir), check=True)
 def installer(
@@ -247,27 +272,37 @@ def installer(
    encrypt_key: str | None,
 ) -> None:
    """Main."""
-    logging.info("Starting installation")
+    logger.info("Starting installation")
    for disk in disks:
        partition_disk(disk, swap_size, reserve)
        if encrypt_key:
            sleep(1)
-            for command in (
+            key_input = encrypt_key.encode()
-                f'printf "{encrypt_key}" | cryptsetup luksFormat --type luks2 {disk}-part2 -',
+            run(
-                f'printf "{encrypt_key}" | cryptsetup luksOpen {disk}-part2 luks-root-pool-{disk.split("/")[-1]}-part2 -',
+                ("cryptsetup", "luksFormat", "--type", "luks2", f"{disk}-part2", "-"),
-            ):
+                input=key_input,
-                run(command, shell=True, check=True)
+                check=True,
            )
            run(
                (
                    "cryptsetup",
                    "luksOpen",
                    f"{disk}-part2",
                    f"luks-root-pool-{disk.split('/')[-1]}-part2",
                    "-",
                ),
                input=key_input,
                check=True,
            )
    mnt_dir = "/tmp/nix_install"  # noqa: S108
    Path(mnt_dir).mkdir(parents=True, exist_ok=True)
    if encrypt_key:
-        pool_disks = [
+        pool_disks = [f"/dev/mapper/luks-root-pool-{disk.split('/')[-1]}-part2" for disk in disks]
            f"/dev/mapper/luks-root-pool-{disk.split('/')[-1]}-part2" for disk in disks
        ]
    else:
        pool_disks = [f"{disk}-part2" for disk in disks]
@@ -275,57 +310,73 @@ def installer(
    create_zfs_datasets()
-    install_nixos(mnt_dir, disks, encrypt_key)
+    install_nixos(mnt_dir, disks, encrypt=bool(encrypt_key))
-    logging.info("Installation complete")
+    logger.info("Installation complete")
 class Cursor:
-    def __init__(self):
+    """Track cursor position and constrain movement to screen bounds."""
    def __init__(self) -> None:
        """Initialize cursor position and screen dimensions."""
        self.x_position = 0
        self.y_position = 0
        self.height = 0
        self.width = 0
-    def set_height(self, height: int):
+    def set_height(self, height: int) -> None:
        """Set the maximum screen height."""
        self.height = height
-    def set_width(self, width: int):
+    def set_width(self, width: int) -> None:
        """Set the maximum screen width."""
        self.width = width
    def x_bounce_check(self, cursor: int) -> int:
        """Clamp an x position to the screen width."""
        cursor = max(0, cursor)
        return min(self.width - 1, cursor)
    def y_bounce_check(self, cursor: int) -> int:
        """Clamp a y position to the screen height."""
        cursor = max(0, cursor)
        return min(self.height - 1, cursor)
-    def set_x(self, x: int):
+    def set_x(self, x: int) -> None:
        """Set the cursor x position."""
        self.x_position = self.x_bounce_check(x)
-    def set_y(self, y: int):
+    def set_y(self, y: int) -> None:
        """Set the cursor y position."""
        self.y_position = self.y_bounce_check(y)
    def get_x(self) -> int:
        """Get the cursor x position."""
        return self.x_position
    def get_y(self) -> int:
        """Get the cursor y position."""
        return self.y_position
-    def move_up(self):
+    def move_up(self) -> None:
        """Move the cursor up one row."""
        self.set_y(self.y_position - 1)
-    def move_down(self):
+    def move_down(self) -> None:
        """Move the cursor down one row."""
        self.set_y(self.y_position + 1)
-    def move_left(self):
+    def move_left(self) -> None:
        """Move the cursor left one column."""
        self.set_x(self.x_position - 1)
-    def move_right(self):
+    def move_right(self) -> None:
        """Move the cursor right one column."""
        self.set_x(self.x_position + 1)
    def navigation(self, key: int) -> None:
        """Move the cursor for a curses navigation key."""
        action = {
            curses.KEY_DOWN: self.move_down,
            curses.KEY_UP: self.move_up,
@@ -339,7 +390,8 @@ class Cursor:
 class State:
    """State class to store the state of the program."""
-    def __init__(self):
+    def __init__(self) -> None:
        """Initialize installer menu state."""
        self.key = 0
        self.cursor = Cursor()
@@ -357,11 +409,9 @@ class State:
 def get_device(raw_device: str) -> dict[str, str]:
    """Parse an lsblk key-value device row."""
    raw_device_components = raw_device.split(" ")
-    return {
+    return {thing.split("=")[0].lower(): thing.split("=")[1].strip('"') for thing in raw_device_components}
        thing.split("=")[0].lower(): thing.split("=")[1].strip('"')
        for thing in raw_device_components
    }
 def get_devices() -> list[dict[str, str]]:
@@ -373,6 +423,7 @@ def get_devices() -> list[dict[str, str]]:
 def get_device_id_mapping() -> dict[str, set[str]]:
    """Get a list of device ids.
    Returns:
        list[str]: the list of device ids
    """
@@ -387,9 +438,8 @@ def get_device_id_mapping() -> dict[str, set[str]]:
    return device_id_mapping
-def calculate_device_menu_padding(
+def calculate_device_menu_padding(devices: list[dict[str, str]], column: str, padding: int = 0) -> int:
-    devices: list[dict[str, str]], column: str, padding: int = 0
+    """Calculate the width needed for a device menu column."""
 ) -> int:
    return max(len(device[column]) for device in devices) + padding
@@ -401,6 +451,7 @@ def draw_device_ids(
    menu_width: list[int],
    device_ids: set[str],
 ) -> tuple[State, int]:
    """Draw selectable device IDs for a device row."""
    for device_id in sorted(device_ids):
        row_number = row_number + 1
        if row_number == state.cursor.get_y() and state.cursor.get_x() in menu_width:
@@ -429,8 +480,9 @@ def draw_device_menu(
    state: State,
    menu_start_y: int = 0,
    menu_start_x: int = 0,
-) -> State:
+) -> tuple[State, int]:
-    """draw the device menu and handle user input
+    """Draw the device menu and handle user input.
    Args:
        std_screen (curses.window): the curses window to draw on
        devices (list[dict[str, str]]): the list of devices to draw
@@ -438,6 +490,7 @@ def draw_device_menu(
        state (State): the state object to update
        menu_start_y (int, optional): the y position to start drawing the menu. Defaults to 0.
        menu_start_x (int, optional): the x position to start drawing the menu. Defaults to 0.
    Returns:
        State: the updated state object
    """
@@ -448,7 +501,9 @@ def draw_device_menu(
    type_padding = calculate_device_menu_padding(devices, "type", padding)
    mountpoints_padding = calculate_device_menu_padding(devices, "mountpoints", padding)
-    device_header = f"{'Name':{name_padding}}{'Size':{size_padding}}{'Type':{type_padding}}{'Mountpoints':{mountpoints_padding}}"
+    device_header = (
        f"{'Name':{name_padding}}{'Size':{size_padding}}{'Type':{type_padding}}{'Mountpoints':{mountpoints_padding}}"
    )
    menu_width = range(menu_start_x, len(device_header) + menu_start_x)
@@ -481,8 +536,9 @@ def draw_device_menu(
 def debug_menu(std_screen: curses.window, key: int) -> None:
    """Draw debug information for the current curses screen."""
    height, width = std_screen.getmaxyx()
-    width_height = "Width: {}, Height: {}".format(width, height)
+    width_height = f"Width: {width}, Height: {height}"
    std_screen.addstr(height - 4, 0, width_height, curses.color_pair(5))
    key_pressed = f"Last key pressed: {key}"[: width - 1]
@@ -490,7 +546,7 @@ def debug_menu(std_screen: curses.window, key: int) -> None:
        key_pressed = "No key press detected..."[: width - 1]
    std_screen.addstr(height - 3, 0, key_pressed)
-    for i in range(0, 8):
+    for i in range(8):
        std_screen.addstr(height - 2, i * 3, f"{i}██", curses.color_pair(i))
@@ -500,12 +556,11 @@ def status_bar(
    width: int,
    height: int,
 ) -> None:
    """Draw the footer status bar."""
    std_screen.attron(curses.A_REVERSE)
    std_screen.attron(curses.color_pair(3))
-    status_bar = (
+    status_bar = f"Press 'q' to exit | STATUS BAR | Pos: {cursor.get_x()}, {cursor.get_y()}"
        f"Press 'q' to exit | STATUS BAR | Pos: {cursor.get_x()}, {cursor.get_y()}"
    )
    std_screen.addstr(height - 1, 0, status_bar)
    std_screen.addstr(height - 1, len(status_bar), " " * (width - len(status_bar) - 1))
@@ -514,13 +569,15 @@ def status_bar(
 def set_color() -> None:
    """Initialize curses color pairs."""
    curses.start_color()
    curses.use_default_colors()
-    for i in range(0, curses.COLORS):
+    for i in range(curses.COLORS):
        curses.init_pair(i + 1, i, -1)
 def get_text_input(std_screen: curses.window, prompt: str, y: int, x: int) -> str:
    """Read text input from a curses screen."""
    curses.echo()
    std_screen.addstr(y, x, prompt)
    input_str = ""
@@ -528,10 +585,10 @@ def get_text_input(std_screen: curses.window, prompt: str, y: int, x: int) -> st
        key = std_screen.getch()
        if key == ord("\n"):
            break
-        elif key == 27:  # ESC key
+        if key == ESCAPE_KEY:
            input_str = ""
            break
-        elif key in (curses.KEY_BACKSPACE, ord("\b"), 127):
+        if key in (curses.KEY_BACKSPACE, ord("\b"), 127):
            input_str = input_str[:-1]
            std_screen.addstr(y, x + len(prompt), input_str + " ")
        else:
@@ -546,6 +603,7 @@ def swap_size_input(
    state: State,
    swap_offset: int,
 ) -> State:
    """Handle swap size input."""
    swap_size_text = "Swap size (GB): "
    std_screen.addstr(swap_offset, 0, f"{swap_size_text}{state.swap_size}")
    if state.key == ord("\n") and state.cursor.get_y() == swap_offset:
@@ -557,9 +615,7 @@ def swap_size_input(
            state.swap_size = int(swap_size_str)
            state.show_swap_input = False
        except ValueError:
-            std_screen.addstr(
+            std_screen.addstr(swap_offset, 0, "Invalid input. Press any key to continue.")
                swap_offset, 0, "Invalid input. Press any key to continue."
            )
            std_screen.getch()
            state.show_swap_input = False
@@ -571,22 +627,19 @@ def reserve_size_input(
    state: State,
    reserve_offset: int,
 ) -> State:
    """Handle reserve size input."""
    reserve_size_text = "reserve size (GB): "
    std_screen.addstr(reserve_offset, 0, f"{reserve_size_text}{state.reserve_size}")
    if state.key == ord("\n") and state.cursor.get_y() == reserve_offset:
        state.show_reserve_input = True
    if state.show_reserve_input:
-        reserve_size_str = get_text_input(
+        reserve_size_str = get_text_input(std_screen, reserve_size_text, reserve_offset, 0)
            std_screen, reserve_size_text, reserve_offset, 0
        )
        try:
            state.reserve_size = int(reserve_size_str)
            state.show_reserve_input = False
        except ValueError:
-            std_screen.addstr(
+            std_screen.addstr(reserve_offset, 0, "Invalid input. Press any key to continue.")
                reserve_offset, 0, "Invalid input. Press any key to continue."
            )
            std_screen.getch()
            state.show_reserve_input = False
@@ -594,9 +647,11 @@ def reserve_size_input(
 def draw_menu(std_screen: curses.window) -> State:
-    """draw the menu and handle user input
+    """Draw the menu and handle user input.
    Args:
        std_screen (curses.window): the curses window to draw on
    Returns:
        State: the state object
    """
@@ -656,17 +711,18 @@ def draw_menu(std_screen: curses.window) -> State:
 def main() -> None:
    """Run the installer menu and start installation."""
    configure_logger("DEBUG")
    state = curses.wrapper(draw_menu)
    encrypt_key = getenv("ENCRYPT_KEY")
-    logging.info("installing_nixos")
+    logger.info("installing_nixos")
-    logging.info(f"disks: {state.selected_device_ids}")
+    logger.info(f"disks: {state.selected_device_ids}")
-    logging.info(f"swap_size: {state.swap_size}")
+    logger.info(f"swap_size: {state.swap_size}")
-    logging.info(f"reserve: {state.reserve_size}")
+    logger.info(f"reserve: {state.reserve_size}")
-    logging.info(f"encrypted: {bool(encrypt_key)}")
+    logger.info(f"encrypted: {bool(encrypt_key)}")
    sleep(3)
@@ -1,13 +1,9 @@
 """ORM package exports."""
 from python.orm.data_science_dev.base import DataScienceDevBase
 from python.orm.richie.base import RichieBase
 from python.orm.signal_bot.base import SignalBotBase
 from python.orm.van_inventory.base import VanInventoryBase
 __all__ = [
    "DataScienceDevBase",
    "RichieBase",
    "SignalBotBase",
    "VanInventoryBase",
 ]
@@ -1,11 +0,0 @@
 """Data science dev database ORM exports."""
 from __future__ import annotations
 from python.orm.data_science_dev.base import DataScienceDevBase, DataScienceDevTableBase, DataScienceDevTableBaseBig
 __all__ = [
    "DataScienceDevBase",
    "DataScienceDevTableBase",
    "DataScienceDevTableBaseBig",
 ]
@@ -1,52 +0,0 @@
 """Data science dev database ORM base."""
 from __future__ import annotations
 from datetime import datetime
 from sqlalchemy import BigInteger, DateTime, MetaData, func
 from sqlalchemy.ext.declarative import AbstractConcreteBase
 from sqlalchemy.orm import DeclarativeBase, Mapped, mapped_column
 from python.orm.common import NAMING_CONVENTION
 class DataScienceDevBase(DeclarativeBase):
    """Base class for data_science_dev database ORM models."""
    schema_name = "main"
    metadata = MetaData(
        schema=schema_name,
        naming_convention=NAMING_CONVENTION,
    )
 class _TableMixin:
    """Shared timestamp columns for all table bases."""
    created: Mapped[datetime] = mapped_column(
        DateTime(timezone=True),
        server_default=func.now(),
    )
    updated: Mapped[datetime] = mapped_column(
        DateTime(timezone=True),
        server_default=func.now(),
        onupdate=func.now(),
    )
 class DataScienceDevTableBase(_TableMixin, AbstractConcreteBase, DataScienceDevBase):
    """Table with Integer primary key."""
    __abstract__ = True
    id: Mapped[int] = mapped_column(primary_key=True)
 class DataScienceDevTableBaseBig(_TableMixin, AbstractConcreteBase, DataScienceDevBase):
    """Table with BigInteger primary key."""
    __abstract__ = True
    id: Mapped[int] = mapped_column(BigInteger, primary_key=True)
@@ -1,10 +0,0 @@
 """Data science dev database ORM models."""
 from __future__ import annotations
 from python.orm.data_science_dev.posts import partitions  # noqa: F401 — registers partition classes in metadata
 from python.orm.data_science_dev.posts.tables import Posts
 __all__ = [
    "Posts",
 ]
@@ -1,11 +0,0 @@
 """Posts module — weekly-partitioned posts table and partition ORM models."""
 from __future__ import annotations
 from python.orm.data_science_dev.posts.failed_ingestion import FailedIngestion
 from python.orm.data_science_dev.posts.tables import Posts
 __all__ = [
    "FailedIngestion",
    "Posts",
 ]
@@ -1,33 +0,0 @@
 """Shared column definitions for the posts partitioned table family."""
 from __future__ import annotations
 from datetime import datetime
 from sqlalchemy import BigInteger, SmallInteger, Text
 from sqlalchemy.orm import Mapped, mapped_column
 class PostsColumns:
    """Mixin providing all posts columns. Used by both the parent table and partitions."""
    post_id: Mapped[int] = mapped_column(BigInteger, primary_key=True)
    user_id: Mapped[int] = mapped_column(BigInteger)
    instance: Mapped[str]
    date: Mapped[datetime] = mapped_column(primary_key=True)
    text: Mapped[str] = mapped_column(Text)
    langs: Mapped[str | None]
    like_count: Mapped[int]
    reply_count: Mapped[int]
    repost_count: Mapped[int]
    reply_to: Mapped[int | None] = mapped_column(BigInteger)
    replied_author: Mapped[int | None] = mapped_column(BigInteger)
    thread_root: Mapped[int | None] = mapped_column(BigInteger)
    thread_root_author: Mapped[int | None] = mapped_column(BigInteger)
    repost_from: Mapped[int | None] = mapped_column(BigInteger)
    reposted_author: Mapped[int | None] = mapped_column(BigInteger)
    quotes: Mapped[int | None] = mapped_column(BigInteger)
    quoted_author: Mapped[int | None] = mapped_column(BigInteger)
    labels: Mapped[str | None]
    sent_label: Mapped[int | None] = mapped_column(SmallInteger)
    sent_score: Mapped[float | None]
@@ -1,17 +0,0 @@
 """Table for storing JSONL lines that failed during post ingestion."""
 from __future__ import annotations
 from sqlalchemy import Text
 from sqlalchemy.orm import Mapped, mapped_column
 from python.orm.data_science_dev.base import DataScienceDevTableBase
 class FailedIngestion(DataScienceDevTableBase):
    """Stores raw JSONL lines and their error messages when ingestion fails."""
    __tablename__ = "failed_ingestion"
    raw_line: Mapped[str] = mapped_column(Text)
    error: Mapped[str] = mapped_column(Text)
@@ -1,71 +0,0 @@
 """Dynamically generated ORM classes for each weekly partition of the posts table.
 Each class maps to a PostgreSQL partition table (e.g. posts_2024_01).
 These are real ORM models tracked by Alembic autogenerate.
 Uses ISO week numbering (datetime.isocalendar().week). ISO years can have
 52 or 53 weeks, and week boundaries are always Monday to Monday.
 """
 from __future__ import annotations
 import sys
 from datetime import UTC, datetime
 from python.orm.data_science_dev.base import DataScienceDevBase
 from python.orm.data_science_dev.posts.columns import PostsColumns
 PARTITION_START_YEAR = 2023
 PARTITION_END_YEAR = 2026
 _current_module = sys.modules[__name__]
 def iso_weeks_in_year(year: int) -> int:
    """Return the number of ISO weeks in a given year (52 or 53)."""
    dec_28 = datetime(year, 12, 28, tzinfo=UTC)
    return dec_28.isocalendar().week
 def week_bounds(year: int, week: int) -> tuple[datetime, datetime]:
    """Return (start, end) datetimes for an ISO week.
    Start = Monday 00:00:00 UTC of the given ISO week.
    End   = Monday 00:00:00 UTC of the following ISO week.
    """
    start = datetime.fromisocalendar(year, week, 1).replace(tzinfo=UTC)
    if week < iso_weeks_in_year(year):
        end = datetime.fromisocalendar(year, week + 1, 1).replace(tzinfo=UTC)
    else:
        end = datetime.fromisocalendar(year + 1, 1, 1).replace(tzinfo=UTC)
    return start, end
 def _build_partition_classes() -> dict[str, type]:
    """Generate one ORM class per ISO week partition."""
    classes: dict[str, type] = {}
    for year in range(PARTITION_START_YEAR, PARTITION_END_YEAR + 1):
        for week in range(1, iso_weeks_in_year(year) + 1):
            class_name = f"PostsWeek{year}W{week:02d}"
            table_name = f"posts_{year}_{week:02d}"
            partition_class = type(
                class_name,
                (PostsColumns, DataScienceDevBase),
                {
                    "__tablename__": table_name,
                    "__table_args__": ({"implicit_returning": False},),
                },
            )
            classes[class_name] = partition_class
    return classes
 # Generate all partition classes and register them on this module
 _partition_classes = _build_partition_classes()
 for _name, _cls in _partition_classes.items():
    setattr(_current_module, _name, _cls)
 __all__ = list(_partition_classes.keys())
@@ -1,13 +0,0 @@
 """Posts parent table with PostgreSQL weekly range partitioning on date column."""
 from __future__ import annotations
 from python.orm.data_science_dev.base import DataScienceDevBase
 from python.orm.data_science_dev.posts.columns import PostsColumns
 class Posts(PostsColumns, DataScienceDevBase):
    """Parent partitioned table for posts, partitioned by week on `date`."""
    __tablename__ = "posts"
    __table_args__ = ({"postgresql_partition_by": "RANGE (date)"},)
@@ -3,7 +3,6 @@
 from __future__ import annotations
 from python.orm.richie.base import RichieBase, TableBase, TableBaseBig, TableBaseSmall
 from python.orm.richie.congress import Bill, Legislator, Vote, VoteRecord
 from python.orm.richie.contact import (
    Contact,
    ContactNeed,
@@ -13,17 +12,13 @@ from python.orm.richie.contact import (
 )
 __all__ = [
    "Bill",
    "Contact",
    "ContactNeed",
    "ContactRelationship",
    "Legislator",
    "Need",
    "RelationshipType",
    "RichieBase",
    "TableBase",
    "TableBaseBig",
    "TableBaseSmall",
    "Vote",
    "VoteRecord",
 ]
@@ -1,150 +0,0 @@
 """Congress Tracker database models."""
 from __future__ import annotations
 from datetime import date
 from sqlalchemy import ForeignKey, Index, Text, UniqueConstraint
 from sqlalchemy.orm import Mapped, mapped_column, relationship
 from python.orm.richie.base import RichieBase, TableBase
 class Legislator(TableBase):
    """Legislator model - members of Congress."""
    __tablename__ = "legislator"
    # Natural key - bioguide ID is the authoritative identifier
    bioguide_id: Mapped[str] = mapped_column(Text, unique=True, index=True)
    # Other IDs for cross-referencing
    thomas_id: Mapped[str | None]
    lis_id: Mapped[str | None]
    govtrack_id: Mapped[int | None]
    opensecrets_id: Mapped[str | None]
    fec_ids: Mapped[str | None]  # JSON array stored as string
    # Name info
    first_name: Mapped[str]
    last_name: Mapped[str]
    official_full_name: Mapped[str | None]
    nickname: Mapped[str | None]
    # Bio
    birthday: Mapped[date | None]
    gender: Mapped[str | None]  # M/F
    # Current term info (denormalized for query efficiency)
    current_party: Mapped[str | None]
    current_state: Mapped[str | None]
    current_district: Mapped[int | None]  # House only
    current_chamber: Mapped[str | None]  # rep/sen
    # Relationships
    vote_records: Mapped[list[VoteRecord]] = relationship(
        "VoteRecord",
        back_populates="legislator",
        cascade="all, delete-orphan",
    )
 class Bill(TableBase):
    """Bill model - legislation introduced in Congress."""
    __tablename__ = "bill"
    # Composite natural key: congress + bill_type + number
    congress: Mapped[int]
    bill_type: Mapped[str]  # hr, s, hres, sres, hjres, sjres
    number: Mapped[int]
    # Bill info
    title: Mapped[str | None]
    title_short: Mapped[str | None]
    official_title: Mapped[str | None]
    # Status
    status: Mapped[str | None]
    status_at: Mapped[date | None]
    # Sponsor
    sponsor_bioguide_id: Mapped[str | None]
    # Subjects
    subjects_top_term: Mapped[str | None]
    # Relationships
    votes: Mapped[list[Vote]] = relationship(
        "Vote",
        back_populates="bill",
    )
    __table_args__ = (
        UniqueConstraint("congress", "bill_type", "number", name="uq_bill_congress_type_number"),
        Index("ix_bill_congress", "congress"),
    )
 class Vote(TableBase):
    """Vote model - roll call votes in Congress."""
    __tablename__ = "vote"
    # Composite natural key: congress + chamber + session + number
    congress: Mapped[int]
    chamber: Mapped[str]  # house/senate
    session: Mapped[int]
    number: Mapped[int]
    # Vote details
    vote_type: Mapped[str | None]
    question: Mapped[str | None]
    result: Mapped[str | None]
    result_text: Mapped[str | None]
    # Timing
    vote_date: Mapped[date]
    # Vote counts (denormalized for efficiency)
    yea_count: Mapped[int | None]
    nay_count: Mapped[int | None]
    not_voting_count: Mapped[int | None]
    present_count: Mapped[int | None]
    # Related bill (optional - not all votes are on bills)
    bill_id: Mapped[int | None] = mapped_column(ForeignKey("main.bill.id"))
    # Relationships
    bill: Mapped[Bill | None] = relationship("Bill", back_populates="votes")
    vote_records: Mapped[list[VoteRecord]] = relationship(
        "VoteRecord",
        back_populates="vote",
        cascade="all, delete-orphan",
    )
    __table_args__ = (
        UniqueConstraint("congress", "chamber", "session", "number", name="uq_vote_congress_chamber_session_number"),
        Index("ix_vote_date", "vote_date"),
        Index("ix_vote_congress_chamber", "congress", "chamber"),
    )
 class VoteRecord(RichieBase):
    """Association table: Vote <-> Legislator with position."""
    __tablename__ = "vote_record"
    vote_id: Mapped[int] = mapped_column(
        ForeignKey("main.vote.id", ondelete="CASCADE"),
        primary_key=True,
    )
    legislator_id: Mapped[int] = mapped_column(
        ForeignKey("main.legislator.id", ondelete="CASCADE"),
        primary_key=True,
    )
    position: Mapped[str]  # Yea, Nay, Not Voting, Present
    # Relationships
    vote: Mapped[Vote] = relationship("Vote", back_populates="vote_records")
    legislator: Mapped[Legislator] = relationship("Legislator", back_populates="vote_records")
@@ -1,16 +0,0 @@
 """Signal bot database ORM exports."""
 from __future__ import annotations
 from python.orm.signal_bot.base import SignalBotBase, SignalBotTableBase, SignalBotTableBaseSmall
 from python.orm.signal_bot.models import DeadLetterMessage, DeviceRole, RoleRecord, SignalDevice
 __all__ = [
    "DeadLetterMessage",
    "DeviceRole",
    "RoleRecord",
    "SignalBotBase",
    "SignalBotTableBase",
    "SignalBotTableBaseSmall",
    "SignalDevice",
 ]
@@ -1,52 +0,0 @@
 """Signal bot database ORM base."""
 from __future__ import annotations
 from datetime import datetime
 from sqlalchemy import DateTime, MetaData, SmallInteger, func
 from sqlalchemy.ext.declarative import AbstractConcreteBase
 from sqlalchemy.orm import DeclarativeBase, Mapped, mapped_column
 from python.orm.common import NAMING_CONVENTION
 class SignalBotBase(DeclarativeBase):
    """Base class for signal_bot database ORM models."""
    schema_name = "main"
    metadata = MetaData(
        schema=schema_name,
        naming_convention=NAMING_CONVENTION,
    )
 class _TableMixin:
    """Shared timestamp columns for all table bases."""
    created: Mapped[datetime] = mapped_column(
        DateTime(timezone=True),
        server_default=func.now(),
    )
    updated: Mapped[datetime] = mapped_column(
        DateTime(timezone=True),
        server_default=func.now(),
        onupdate=func.now(),
    )
 class SignalBotTableBaseSmall(_TableMixin, AbstractConcreteBase, SignalBotBase):
    """Table with SmallInteger primary key."""
    __abstract__ = True
    id: Mapped[int] = mapped_column(SmallInteger, primary_key=True)
 class SignalBotTableBase(_TableMixin, AbstractConcreteBase, SignalBotBase):
    """Table with Integer primary key."""
    __abstract__ = True
    id: Mapped[int] = mapped_column(primary_key=True)
@@ -1,62 +0,0 @@
 """Signal bot device, role, and dead letter ORM models."""
 from __future__ import annotations
 from datetime import datetime
 from sqlalchemy import DateTime, Enum, ForeignKey, SmallInteger, String, Text, UniqueConstraint
 from sqlalchemy.orm import Mapped, mapped_column, relationship
 from python.orm.signal_bot.base import SignalBotTableBase, SignalBotTableBaseSmall
 from python.signal_bot.models import MessageStatus, TrustLevel
 class RoleRecord(SignalBotTableBaseSmall):
    """Lookup table for RBAC roles, keyed by smallint."""
    __tablename__ = "role"
    name: Mapped[str] = mapped_column(String(50), unique=True)
 class DeviceRole(SignalBotTableBase):
    """Association between a device and a role."""
    __tablename__ = "device_role"
    __table_args__ = (
        UniqueConstraint("device_id", "role_id", name="uq_device_role_device_role"),
        {"schema": "main"},
    )
    device_id: Mapped[int] = mapped_column(ForeignKey("main.signal_device.id"))
    role_id: Mapped[int] = mapped_column(SmallInteger, ForeignKey("main.role.id"))
 class SignalDevice(SignalBotTableBase):
    """A Signal device tracked by phone number and safety number."""
    __tablename__ = "signal_device"
    phone_number: Mapped[str] = mapped_column(String(50), unique=True)
    safety_number: Mapped[str | None]
    trust_level: Mapped[TrustLevel] = mapped_column(
        Enum(TrustLevel, name="trust_level", create_constraint=False, native_enum=False),
        default=TrustLevel.UNVERIFIED,
    )
    last_seen: Mapped[datetime] = mapped_column(DateTime(timezone=True))
    roles: Mapped[list[RoleRecord]] = relationship(secondary=DeviceRole.__table__)
 class DeadLetterMessage(SignalBotTableBase):
    """A Signal message that failed processing and was sent to the dead letter queue."""
    __tablename__ = "dead_letter_message"
    source: Mapped[str]
    message: Mapped[str] = mapped_column(Text)
    received_at: Mapped[datetime] = mapped_column(DateTime(timezone=True))
    status: Mapped[MessageStatus] = mapped_column(
        Enum(MessageStatus, name="message_status", create_constraint=False, native_enum=False),
        default=MessageStatus.UNPROCESSED,
    )
@@ -1 +0,0 @@
 """Signal command and control bot."""
@@ -1 +0,0 @@
 """Signal bot commands."""
@@ -1,137 +0,0 @@
 """Van inventory command — parse receipts and item lists via LLM, push to API."""
 from __future__ import annotations
 import json
 import logging
 from typing import TYPE_CHECKING, Any
 import httpx
 from python.signal_bot.models import InventoryItem, InventoryUpdate
 if TYPE_CHECKING:
    from python.signal_bot.llm_client import LLMClient
    from python.signal_bot.models import SignalMessage
    from python.signal_bot.signal_client import SignalClient
 logger = logging.getLogger(__name__)
 SYSTEM_PROMPT = """\
 You are an inventory assistant. Extract items from the input and return ONLY
 a JSON array. Each element must have these fields:
  - "name": item name (string)
  - "quantity": numeric count or amount (default 1)
  - "unit": unit of measure (e.g. "each", "lb", "oz", "gallon", "bag", "box")
  - "category": category like "food", "tools", "supplies", etc.
  - "notes": any extra detail (empty string if none)
 Example output:
 [{"name": "water bottles", "quantity": 6, "unit": "gallon", "category": "supplies", "notes": "1 gallon each"}]
 Return ONLY the JSON array, no other text.\
 """
 IMAGE_PROMPT = "Extract all items from this receipt or inventory photo."
 TEXT_PROMPT = "Extract all items from this inventory list."
 def parse_llm_response(raw: str) -> list[InventoryItem]:
    """Parse the LLM JSON response into InventoryItem list."""
    text = raw.strip()
    # Strip markdown code fences if present
    if text.startswith("```"):
        lines = text.split("\n")
        lines = [line for line in lines if not line.startswith("```")]
        text = "\n".join(lines)
    items_data: list[dict[str, Any]] = json.loads(text)
    return [InventoryItem.model_validate(item) for item in items_data]
 def _upsert_item(api_url: str, item: InventoryItem) -> None:
    """Create or update an item via the van_inventory API.
    Fetches existing items, and if one with the same name exists,
    patches its quantity (summing). Otherwise creates a new item.
    """
    base = api_url.rstrip("/")
    response = httpx.get(f"{base}/api/items", timeout=10)
    response.raise_for_status()
    existing: list[dict[str, Any]] = response.json()
    match = next((e for e in existing if e["name"].lower() == item.name.lower()), None)
    if match:
        new_qty = match["quantity"] + item.quantity
        patch = {"quantity": new_qty}
        if item.category:
            patch["category"] = item.category
        response = httpx.patch(f"{base}/api/items/{match['id']}", json=patch, timeout=10)
        response.raise_for_status()
        return
    payload = {
        "name": item.name,
        "quantity": item.quantity,
        "unit": item.unit,
        "category": item.category or None,
    }
    response = httpx.post(f"{base}/api/items", json=payload, timeout=10)
    response.raise_for_status()
 def handle_inventory_update(
    message: SignalMessage,
    signal: SignalClient,
    llm: LLMClient,
    api_url: str,
 ) -> InventoryUpdate:
    """Process an inventory update from a Signal message.
    Accepts either an image (receipt photo) or text list.
    Uses the LLM to extract structured items, then pushes to the van_inventory API.
    """
    try:
        logger.info(f"Processing inventory update from {message.source}")
        if message.attachments:
            image_data = signal.get_attachment(message.attachments[0])
            raw_response = llm.chat(
                IMAGE_PROMPT,
                image_data=image_data,
                system=SYSTEM_PROMPT,
            )
            source_type = "receipt_photo"
        elif message.message.strip():
            raw_response = llm.chat(
                f"{TEXT_PROMPT}\n\n{message.message}",
                system=SYSTEM_PROMPT,
            )
            source_type = "text_list"
        else:
            signal.reply(message, "Send a photo of a receipt or a text list of items to update inventory.")
            return InventoryUpdate()
        logger.info(f"{raw_response=}")
        new_items = parse_llm_response(raw_response)
        logger.info(f"{new_items=}")
        for item in new_items:
            _upsert_item(api_url, item)
        summary = _format_summary(new_items)
        signal.reply(message, f"Inventory updated with {len(new_items)} item(s):\n{summary}")
        return InventoryUpdate(items=new_items, raw_response=raw_response, source_type=source_type)
    except Exception:
        logger.exception("Failed to process inventory update")
        signal.reply(message, "Failed to process inventory update. Check logs for details.")
        return InventoryUpdate()
 def _format_summary(items: list[InventoryItem]) -> str:
    """Format items into a readable summary."""
    lines = [f"  - {item.name} x{item.quantity} {item.unit} [{item.category}]" for item in items]
    return "\n".join(lines)
@@ -1,64 +0,0 @@
 """Location command for the Signal bot."""
 from __future__ import annotations
 import logging
 from typing import TYPE_CHECKING, Any
 import httpx
 if TYPE_CHECKING:
    from python.signal_bot.models import SignalMessage
    from python.signal_bot.signal_client import SignalClient
 logger = logging.getLogger(__name__)
 def _get_entity_state(ha_url: str, ha_token: str, entity_id: str) -> dict[str, Any]:
    """Fetch an entity's state from Home Assistant."""
    entity_url = f"{ha_url}/api/states/{entity_id}"
    logger.debug(f"Fetching {entity_url=}")
    response = httpx.get(
        entity_url,
        headers={"Authorization": f"Bearer {ha_token}"},
        timeout=30,
    )
    response.raise_for_status()
    return response.json()
 def _format_location(latitude: str, longitude: str) -> str:
    """Render a friendly location response."""
    return f"Van location: {latitude}, {longitude}\nhttps://maps.google.com/?q={latitude},{longitude}"
 def handle_location_request(
    message: SignalMessage,
    signal: SignalClient,
    ha_url: str | None,
    ha_token: str | None,
 ) -> None:
    """Reply with van location from Home Assistant."""
    if ha_url is None or ha_token is None:
        signal.reply(message, "Location command is not configured (missing HA_URL or HA_TOKEN).")
        return
    lat_payload = None
    lon_payload = None
    try:
        lat_payload = _get_entity_state(ha_url, ha_token, "sensor.van_last_known_latitude")
        lon_payload = _get_entity_state(ha_url, ha_token, "sensor.van_last_known_longitude")
    except httpx.HTTPError:
        logger.exception("Couldn't fetch van location from Home Assistant right now.")
        logger.debug(f"{ha_url=} {lat_payload=} {lon_payload=}")
        signal.reply(message, "Couldn't fetch van location from Home Assistant right now.")
        return
    latitude = lat_payload.get("state", "")
    longitude = lon_payload.get("state", "")
    if not latitude or not longitude or latitude == "unavailable" or longitude == "unavailable":
        signal.reply(message, "Van location is unavailable in Home Assistant right now.")
        return
    signal.reply(message, _format_location(latitude, longitude))
@@ -1,286 +0,0 @@
 """Device registry — tracks verified/unverified devices by safety number."""
 from __future__ import annotations
 import logging
 from datetime import datetime, timedelta
 from typing import TYPE_CHECKING, NamedTuple
 from sqlalchemy import delete, select
 from sqlalchemy.orm import Session
 from python.common import utcnow
 from python.orm.signal_bot.models import RoleRecord, SignalDevice
 from python.signal_bot.models import Role, TrustLevel
 if TYPE_CHECKING:
    from sqlalchemy.engine import Engine
    from python.signal_bot.signal_client import SignalClient
 logger = logging.getLogger(__name__)
 _BLOCKED_TTL = timedelta(minutes=60)
 _DEFAULT_TTL = timedelta(minutes=5)
 class _CacheEntry(NamedTuple):
    expires: datetime
    trust_level: TrustLevel
    has_safety_number: bool
    safety_number: str | None
    roles: list[Role]
 class DeviceRegistry:
    """Manage device trust based on Signal safety numbers.
    Devices start as UNVERIFIED. An admin verifies them over SSH by calling
    ``verify(phone_number)`` which marks the device VERIFIED and also tells
    signal-cli to trust the identity.
    Only VERIFIED devices may execute commands.
    """
    def __init__(self, signal_client: SignalClient, engine: Engine) -> None:
        self.signal_client = signal_client
        self.engine = engine
        self._contact_cache: dict[str, _CacheEntry] = {}
    def is_verified(self, phone_number: str) -> bool:
        """Check if a phone number is verified."""
        if entry := self._cached(phone_number):
            return entry.trust_level == TrustLevel.VERIFIED
        device = self._load_device(phone_number)
        return device is not None and device.trust_level == TrustLevel.VERIFIED
    def record_contact(self, phone_number: str, safety_number: str | None = None) -> None:
        """Record seeing a device. Creates entry if new, updates last_seen."""
        now = utcnow()
        entry = self._cached(phone_number)
        if entry and entry.safety_number == safety_number:
            return
        with Session(self.engine) as session:
            device = session.execute(
                select(SignalDevice).where(SignalDevice.phone_number == phone_number)
            ).scalar_one_or_none()
            if device:
                if device.safety_number != safety_number and device.trust_level != TrustLevel.BLOCKED:
                    logger.warning(f"Safety number changed for {phone_number}, resetting to UNVERIFIED")
                    device.safety_number = safety_number
                    device.trust_level = TrustLevel.UNVERIFIED
                device.last_seen = now
            else:
                device = SignalDevice(
                    phone_number=phone_number,
                    safety_number=safety_number,
                    trust_level=TrustLevel.UNVERIFIED,
                    last_seen=now,
                )
                session.add(device)
                logger.info(f"New device registered: {phone_number}")
            session.commit()
            self._update_cache(phone_number, device)
    def has_safety_number(self, phone_number: str) -> bool:
        """Check if a device has a safety number on file."""
        if entry := self._cached(phone_number):
            return entry.has_safety_number
        device = self._load_device(phone_number)
        return device is not None and device.safety_number is not None
    def verify(self, phone_number: str) -> bool:
        """Mark a device as verified. Called by admin over SSH.
        Returns True if the device was found and verified.
        """
        with Session(self.engine) as session:
            device = session.execute(
                select(SignalDevice).where(SignalDevice.phone_number == phone_number)
            ).scalar_one_or_none()
            if not device:
                logger.warning(f"Cannot verify unknown device: {phone_number}")
                return False
            device.trust_level = TrustLevel.VERIFIED
            self.signal_client.trust_identity(phone_number, trust_all_known_keys=True)
            session.commit()
            self._update_cache(phone_number, device)
            logger.info(f"Device verified: {phone_number}")
            return True
    def block(self, phone_number: str) -> bool:
        """Block a device."""
        return self._set_trust(phone_number, TrustLevel.BLOCKED, "Device blocked")
    def unverify(self, phone_number: str) -> bool:
        """Reset a device to unverified."""
        return self._set_trust(phone_number, TrustLevel.UNVERIFIED)
    # -- role management ------------------------------------------------------
    def get_roles(self, phone_number: str) -> list[Role]:
        """Return the roles for a device, defaulting to empty."""
        if entry := self._cached(phone_number):
            return entry.roles
        device = self._load_device(phone_number)
        return _extract_roles(device) if device else []
    def has_role(self, phone_number: str, role: Role) -> bool:
        """Check if a device has a specific role or is admin."""
        roles = self.get_roles(phone_number)
        return Role.ADMIN in roles or role in roles
    def grant_role(self, phone_number: str, role: Role) -> bool:
        """Add a role to a device. Called by admin over SSH."""
        with Session(self.engine) as session:
            device = session.execute(
                select(SignalDevice).where(SignalDevice.phone_number == phone_number)
            ).scalar_one_or_none()
            if not device:
                logger.warning(f"Cannot grant role for unknown device: {phone_number}")
                return False
            if any(record.name == role for record in device.roles):
                return True
            role_record = session.execute(select(RoleRecord).where(RoleRecord.name == role)).scalar_one_or_none()
            if not role_record:
                logger.warning(f"Unknown role: {role}")
                return False
            device.roles.append(role_record)
            session.commit()
            self._update_cache(phone_number, device)
            logger.info(f"Device {phone_number} granted role {role}")
            return True
    def revoke_role(self, phone_number: str, role: Role) -> bool:
        """Remove a role from a device. Called by admin over SSH."""
        with Session(self.engine) as session:
            device = session.execute(
                select(SignalDevice).where(SignalDevice.phone_number == phone_number)
            ).scalar_one_or_none()
            if not device:
                logger.warning(f"Cannot revoke role for unknown device: {phone_number}")
                return False
            device.roles = [record for record in device.roles if record.name != role]
            session.commit()
            self._update_cache(phone_number, device)
            logger.info(f"Device {phone_number} revoked role {role}")
            return True
    def set_roles(self, phone_number: str, roles: list[Role]) -> bool:
        """Replace all roles for a device. Called by admin over SSH."""
        with Session(self.engine) as session:
            device = session.execute(
                select(SignalDevice).where(SignalDevice.phone_number == phone_number)
            ).scalar_one_or_none()
            if not device:
                logger.warning(f"Cannot set roles for unknown device: {phone_number}")
                return False
            role_names = [str(role) for role in roles]
            records = list(session.execute(select(RoleRecord).where(RoleRecord.name.in_(role_names))).scalars().all())
            device.roles = records
            session.commit()
            self._update_cache(phone_number, device)
            logger.info(f"Device {phone_number} roles set to {role_names}")
            return True
    # -- queries --------------------------------------------------------------
    def list_devices(self) -> list[SignalDevice]:
        """Return all known devices."""
        with Session(self.engine) as session:
            return list(session.execute(select(SignalDevice)).scalars().all())
    def sync_identities(self) -> None:
        """Pull identity list from signal-cli and record any new ones."""
        identities = self.signal_client.get_identities()
        for identity in identities:
            number = identity.get("number", "")
            safety = identity.get("safety_number", identity.get("fingerprint", ""))
            if number:
                self.record_contact(number, safety)
    # -- internals ------------------------------------------------------------
    def _cached(self, phone_number: str) -> _CacheEntry | None:
        """Return the cache entry if it exists and hasn't expired."""
        entry = self._contact_cache.get(phone_number)
        if entry and utcnow() < entry.expires:
            return entry
        return None
    def _load_device(self, phone_number: str) -> SignalDevice | None:
        """Fetch a device by phone number (with joined roles)."""
        with Session(self.engine) as session:
            return session.execute(
                select(SignalDevice).where(SignalDevice.phone_number == phone_number)
            ).scalar_one_or_none()
    def _update_cache(self, phone_number: str, device: SignalDevice) -> None:
        """Refresh the cache entry for a device."""
        ttl = _BLOCKED_TTL if device.trust_level == TrustLevel.BLOCKED else _DEFAULT_TTL
        self._contact_cache[phone_number] = _CacheEntry(
            expires=utcnow() + ttl,
            trust_level=device.trust_level,
            has_safety_number=device.safety_number is not None,
            safety_number=device.safety_number,
            roles=_extract_roles(device),
        )
    def _set_trust(self, phone_number: str, level: str, log_msg: str | None = None) -> bool:
        """Update the trust level for a device."""
        with Session(self.engine) as session:
            device = session.execute(
                select(SignalDevice).where(SignalDevice.phone_number == phone_number)
            ).scalar_one_or_none()
            if not device:
                return False
            device.trust_level = level
            session.commit()
            self._update_cache(phone_number, device)
            if log_msg:
                logger.info(f"{log_msg}: {phone_number}")
            return True
 def _extract_roles(device: SignalDevice) -> list[Role]:
    """Convert a device's RoleRecord objects to a list of Role enums."""
    return [Role(record.name) for record in device.roles]
 def sync_roles(engine: Engine) -> None:
    """Sync the Role enum to the role table, adding new and removing stale entries."""
    expected = {role.value for role in Role}
    with Session(engine) as session:
        existing = {record.name for record in session.execute(select(RoleRecord)).scalars().all()}
        to_add = expected - existing
        to_remove = existing - expected
        for name in to_add:
            session.add(RoleRecord(name=name))
            logger.info(f"Role added: {name}")
        if to_remove:
            session.execute(delete(RoleRecord).where(RoleRecord.name.in_(to_remove)))
            for name in to_remove:
                logger.info(f"Role removed: {name}")
        session.commit()
@@ -1,80 +0,0 @@
 """Flexible LLM client for ollama backends."""
 from __future__ import annotations
 import base64
 import logging
 from typing import Any, Self
 import httpx
 logger = logging.getLogger(__name__)
 class LLMClient:
    """Talk to an ollama instance.
    Args:
        model: Ollama model name.
        host: Ollama host.
        port: Ollama port.
        temperature: Sampling temperature.
    """
    def __init__(
        self,
        *,
        model: str,
        host: str,
        port: int = 11434,
        temperature: float = 0.1,
        timeout: int = 300,
    ) -> None:
        self.model = model
        self.temperature = temperature
        self._client = httpx.Client(base_url=f"http://{host}:{port}", timeout=timeout)
    def chat(self, prompt: str, image_data: bytes | None = None, system: str | None = None) -> str:
        """Send a text prompt and return the response."""
        messages: list[dict[str, Any]] = []
        if system:
            messages.append({"role": "system", "content": system})
        user_msg = {"role": "user", "content": prompt}
        if image_data:
            user_msg["images"] = [base64.b64encode(image_data).decode()]
        messages.append(user_msg)
        return self._generate(messages)
    def _generate(self, messages: list[dict[str, Any]]) -> str:
        """Call the ollama chat API."""
        payload = {
            "model": self.model,
            "messages": messages,
            "stream": False,
            "options": {"temperature": self.temperature},
        }
        logger.info(f"LLM request to {self.model}")
        response = self._client.post("/api/chat", json=payload)
        response.raise_for_status()
        data = response.json()
        return data["message"]["content"]
    def list_models(self) -> list[str]:
        """List available models on the ollama instance."""
        response = self._client.get("/api/tags")
        response.raise_for_status()
        return [m["name"] for m in response.json().get("models", [])]
    def __enter__(self) -> Self:
        """Enter the context manager."""
        return self
    def __exit__(self, *args: object) -> None:
        """Close the HTTP client on exit."""
        self.close()
    def close(self) -> None:
        """Close the HTTP client."""
        self._client.close()
@@ -1,239 +0,0 @@
 """Signal command and control bot — main entry point."""
 from __future__ import annotations
 import logging
 from dataclasses import dataclass
 from os import getenv
 from typing import TYPE_CHECKING, Annotated
 if TYPE_CHECKING:
    from collections.abc import Callable
 import typer
 from alembic.command import upgrade
 from sqlalchemy.orm import Session
 from tenacity import before_sleep_log, retry, stop_after_attempt, wait_exponential
 from python.common import configure_logger, utcnow
 from python.database_cli import DATABASES
 from python.orm.common import get_postgres_engine
 from python.orm.signal_bot.models import DeadLetterMessage
 from python.signal_bot.commands.inventory import handle_inventory_update
 from python.signal_bot.commands.location import handle_location_request
 from python.signal_bot.device_registry import DeviceRegistry, sync_roles
 from python.signal_bot.llm_client import LLMClient
 from python.signal_bot.models import BotConfig, MessageStatus, Role, SignalMessage
 from python.signal_bot.signal_client import SignalClient
 logger = logging.getLogger(__name__)
@dataclass(frozen=True, slots=True)
 class Command:
    """A registered bot command."""
    action: Callable[[SignalMessage, str], None]
    help_text: str
    role: Role | None  # None = no role required (always allowed)
 class Bot:
    """Holds shared resources and dispatches incoming messages to command handlers."""
    def __init__(
        self,
        signal: SignalClient,
        llm: LLMClient,
        registry: DeviceRegistry,
        config: BotConfig,
    ) -> None:
        self.signal = signal
        self.llm = llm
        self.registry = registry
        self.config = config
        self.commands: dict[str, Command] = {
            "help": Command(action=self._help, help_text="show this help message", role=None),
            "status": Command(action=self._status, help_text="show bot status", role=Role.STATUS),
            "inventory": Command(
                action=self._inventory,
                help_text="update van inventory from a text list or receipt photo",
                role=Role.INVENTORY,
            ),
            "location": Command(
                action=self._location,
                help_text="get current van location",
                role=Role.LOCATION,
            ),
        }
    # -- actions --------------------------------------------------------------
    def _help(self, message: SignalMessage, _cmd: str) -> None:
        """Return help text filtered to the sender's roles."""
        self.signal.reply(message, self._build_help(self.registry.get_roles(message.source)))
    def _status(self, message: SignalMessage, _cmd: str) -> None:
        """Return the status of the bot."""
        models = self.llm.list_models()
        model_list = ", ".join(models[:10])
        device_count = len(self.registry.list_devices())
        self.signal.reply(
            message,
            f"Bot online.\nLLM: {self.llm.model}\nAvailable models: {model_list}\nKnown devices: {device_count}",
        )
    def _inventory(self, message: SignalMessage, _cmd: str) -> None:
        """Process an inventory update."""
        handle_inventory_update(message, self.signal, self.llm, self.config.inventory_api_url)
    def _location(self, message: SignalMessage, _cmd: str) -> None:
        """Reply with current van location."""
        handle_location_request(message, self.signal, self.config.ha_url, self.config.ha_token)
    # -- dispatch -------------------------------------------------------------
    def _build_help(self, roles: list[Role]) -> str:
        """Build help text showing only the commands the user can access."""
        is_admin = Role.ADMIN in roles
        lines = ["Available commands:"]
        for name, cmd in self.commands.items():
            if cmd.role is None or is_admin or cmd.role in roles:
                lines.append(f"  {name:20s} — {cmd.help_text}")
        return "\n".join(lines)
    def dispatch(self, message: SignalMessage) -> None:
        """Route an incoming message to the right command handler."""
        source = message.source
        if not self.registry.is_verified(source):
            logger.info(f"Device {source} not verified, ignoring message")
            return
        if not self.registry.has_safety_number(source) and self.registry.has_role(source, Role.ADMIN):
            logger.warning(f"Admin device {source} missing safety number, ignoring message")
            return
        text = message.message.strip()
        parts = text.split()
        if not parts and not message.attachments:
            return
        cmd = parts[0].lower() if parts else ""
        logger.info(f"f{source=} running {cmd=} with {message=}")
        command = self.commands.get(cmd)
        if command is None:
            if message.attachments:
                command = self.commands["inventory"]
                cmd = "inventory"
            else:
                return
        if command.role is not None and not self.registry.has_role(source, command.role):
            logger.warning(f"Device {source} denied access to {cmd!r}")
            self.signal.reply(message, f"Permission denied: you do not have the '{command.role}' role.")
            return
        command.action(message, cmd)
    def process_message(self, message: SignalMessage) -> None:
        """Process a single message, sending it to the dead letter queue after repeated failures."""
        max_attempts = self.config.max_message_attempts
        for attempt in range(1, max_attempts + 1):
            try:
                safety_number = self.signal.get_safety_number(message.source)
                self.registry.record_contact(message.source, safety_number)
                self.dispatch(message)
            except Exception:
                logger.exception(f"Failed to process message (attempt {attempt}/{max_attempts})")
            else:
                return
        logger.error(f"Message from {message.source} failed {max_attempts} times, sending to dead letter queue")
        with Session(self.config.engine) as session:
            session.add(
                DeadLetterMessage(
                    source=message.source,
                    message=message.message,
                    received_at=utcnow(),
                    status=MessageStatus.UNPROCESSED,
                )
            )
            session.commit()
    def run(self) -> None:
        """Listen for messages via WebSocket, reconnecting on failure."""
        logger.info("Bot started — listening via WebSocket")
        @retry(
            stop=stop_after_attempt(self.config.max_retries),
            wait=wait_exponential(multiplier=self.config.reconnect_delay, max=self.config.max_reconnect_delay),
            before_sleep=before_sleep_log(logger, logging.WARNING),
            reraise=True,
        )
        def _listen() -> None:
            for message in self.signal.listen():
                logger.info(f"Message from {message.source}: {message.message[:80]}")
                self.process_message(message)
        try:
            _listen()
        except Exception:
            logger.critical("Max retries exceeded, shutting down")
            raise
 def main(
    log_level: Annotated[str, typer.Option()] = "DEBUG",
    llm_timeout: Annotated[int, typer.Option()] = 600,
 ) -> None:
    """Run the Signal command and control bot."""
    configure_logger(log_level)
    signal_api_url = getenv("SIGNAL_API_URL")
    phone_number = getenv("SIGNAL_PHONE_NUMBER")
    inventory_api_url = getenv("INVENTORY_API_URL")
    if signal_api_url is None:
        error = "SIGNAL_API_URL environment variable not set"
        raise ValueError(error)
    if phone_number is None:
        error = "SIGNAL_PHONE_NUMBER environment variable not set"
        raise ValueError(error)
    if inventory_api_url is None:
        error = "INVENTORY_API_URL environment variable not set"
        raise ValueError(error)
    signal_bot_config = DATABASES["signal_bot"].alembic_config()
    upgrade(signal_bot_config, "head")
    engine = get_postgres_engine(name="SIGNALBOT")
    sync_roles(engine)
    config = BotConfig(
        signal_api_url=signal_api_url,
        phone_number=phone_number,
        inventory_api_url=inventory_api_url,
        ha_url=getenv("HA_URL"),
        ha_token=getenv("HA_TOKEN"),
        engine=engine,
    )
    llm_host = getenv("LLM_HOST")
    llm_model = getenv("LLM_MODEL", "qwen3-vl:32b")
    llm_port = int(getenv("LLM_PORT", "11434"))
    if llm_host is None:
        error = "LLM_HOST environment variable not set"
        raise ValueError(error)
    with (
        SignalClient(config.signal_api_url, config.phone_number) as signal,
        LLMClient(model=llm_model, host=llm_host, port=llm_port, timeout=llm_timeout) as llm,
    ):
        registry = DeviceRegistry(signal, engine)
        bot = Bot(signal, llm, registry, config)
        bot.run()
 if __name__ == "__main__":
    typer.run(main)
@@ -1,97 +0,0 @@
 """Models for the Signal command and control bot."""
 from __future__ import annotations
 from datetime import datetime  # noqa: TC003 - pydantic needs this at runtime
 from enum import StrEnum
 from typing import Any
 from pydantic import BaseModel, ConfigDict
 from sqlalchemy.engine import Engine  # noqa: TC002 - pydantic needs this at runtime
 class TrustLevel(StrEnum):
    """Device trust level."""
    VERIFIED = "verified"
    UNVERIFIED = "unverified"
    BLOCKED = "blocked"
 class Role(StrEnum):
    """RBAC roles — one per command, plus admin which grants all."""
    ADMIN = "admin"
    STATUS = "status"
    INVENTORY = "inventory"
    LOCATION = "location"
 class MessageStatus(StrEnum):
    """Dead letter queue message status."""
    UNPROCESSED = "unprocessed"
    PROCESSED = "processed"
 class Device(BaseModel):
    """A registered device tracked by safety number."""
    phone_number: str
    safety_number: str
    trust_level: TrustLevel = TrustLevel.UNVERIFIED
    first_seen: datetime
    last_seen: datetime
 class SignalMessage(BaseModel):
    """An incoming Signal message."""
    source: str
    timestamp: int
    message: str = ""
    attachments: list[str] = []
    group_id: str | None = None
    is_receipt: bool = False
 class SignalEnvelope(BaseModel):
    """Raw envelope from signal-cli-rest-api."""
    envelope: dict[str, Any]
    account: str | None = None
 class InventoryItem(BaseModel):
    """An item in the van inventory."""
    name: str
    quantity: float = 1
    unit: str = "each"
    category: str = ""
    notes: str = ""
 class InventoryUpdate(BaseModel):
    """Result of processing an inventory update."""
    items: list[InventoryItem] = []
    raw_response: str = ""
    source_type: str = ""  # "receipt_photo" or "text_list"
 class BotConfig(BaseModel):
    """Top-level bot configuration."""
    model_config = ConfigDict(arbitrary_types_allowed=True)
    signal_api_url: str
    phone_number: str
    inventory_api_url: str
    ha_url: str | None = None
    ha_token: str | None = None
    engine: Engine
    reconnect_delay: int = 5
    max_reconnect_delay: int = 300
    max_retries: int = 10
    max_message_attempts: int = 3
@@ -1,141 +0,0 @@
 """Client for the signal-cli-rest-api."""
 from __future__ import annotations
 import json
 import logging
 from typing import TYPE_CHECKING, Any, Self
 import httpx
 import websockets.sync.client
 if TYPE_CHECKING:
    from collections.abc import Generator
 from python.signal_bot.models import SignalMessage
 logger = logging.getLogger(__name__)
 def _parse_envelope(envelope: dict[str, Any]) -> SignalMessage | None:
    """Parse a signal-cli envelope into a SignalMessage, or None if not a data message."""
    data_message = envelope.get("dataMessage")
    if not data_message:
        return None
    attachment_ids = [att["id"] for att in data_message.get("attachments", []) if "id" in att]
    group_info = data_message.get("groupInfo")
    group_id = group_info.get("groupId") if group_info else None
    return SignalMessage(
        source=envelope.get("source", ""),
        timestamp=envelope.get("timestamp", 0),
        message=data_message.get("message", "") or "",
        attachments=attachment_ids,
        group_id=group_id,
    )
 class SignalClient:
    """Communicate with signal-cli-rest-api.
    Args:
        base_url: URL of the signal-cli-rest-api (e.g. http://localhost:8989).
        phone_number: The registered phone number to send/receive as.
    """
    def __init__(self, base_url: str, phone_number: str) -> None:
        self.base_url = base_url.rstrip("/")
        self.phone_number = phone_number
        self._client = httpx.Client(base_url=self.base_url, timeout=30)
    def _ws_url(self) -> str:
        """Build the WebSocket URL from the base HTTP URL."""
        url = self.base_url.replace("http://", "ws://").replace("https://", "wss://")
        return f"{url}/v1/receive/{self.phone_number}"
    def listen(self) -> Generator[SignalMessage]:
        """Connect via WebSocket and yield messages as they arrive."""
        ws_url = self._ws_url()
        logger.info(f"Connecting to WebSocket: {ws_url}")
        with websockets.sync.client.connect(ws_url) as ws:
            for raw in ws:
                try:
                    data = json.loads(raw)
                    envelope = data.get("envelope", {})
                    message = _parse_envelope(envelope)
                    if message:
                        yield message
                except json.JSONDecodeError:
                    logger.warning(f"Non-JSON WebSocket frame: {raw[:200]}")
    def send(self, recipient: str, message: str) -> None:
        """Send a text message."""
        payload = {
            "message": message,
            "number": self.phone_number,
            "recipients": [recipient],
        }
        response = self._client.post("/v2/send", json=payload)
        response.raise_for_status()
    def send_to_group(self, group_id: str, message: str) -> None:
        """Send a message to a group."""
        payload = {
            "message": message,
            "number": self.phone_number,
            "recipients": [group_id],
        }
        response = self._client.post("/v2/send", json=payload)
        response.raise_for_status()
    def get_attachment(self, attachment_id: str) -> bytes:
        """Download an attachment by ID."""
        response = self._client.get(f"/v1/attachments/{attachment_id}")
        response.raise_for_status()
        return response.content
    def get_identities(self) -> list[dict[str, Any]]:
        """List known identities and their trust levels."""
        response = self._client.get(f"/v1/identities/{self.phone_number}")
        response.raise_for_status()
        return response.json()
    def get_safety_number(self, phone_number: str) -> str | None:
        """Look up the safety number for a contact from signal-cli's local store."""
        for identity in self.get_identities():
            if identity.get("number") == phone_number:
                return identity.get("safety_number", identity.get("fingerprint", ""))
        return None
    def trust_identity(self, number_to_trust: str, *, trust_all_known_keys: bool = False) -> None:
        """Trust an identity (verify safety number)."""
        payload: dict[str, Any] = {}
        if trust_all_known_keys:
            payload["trust_all_known_keys"] = True
        response = self._client.put(
            f"/v1/identities/{self.phone_number}/trust/{number_to_trust}",
            json=payload,
        )
        response.raise_for_status()
    def reply(self, message: SignalMessage, text: str) -> None:
        """Reply to a message, routing to group or individual."""
        if message.group_id:
            self.send_to_group(message.group_id, text)
        else:
            self.send(message.source, text)
    def __enter__(self) -> Self:
        """Enter the context manager."""
        return self
    def __exit__(self, *args: object) -> None:
        """Close the HTTP client on exit."""
        self.close()
    def close(self) -> None:
        """Close the HTTP client."""
        self._client.close()
@@ -34,8 +34,9 @@ def main(config_file: Path) -> None:
                logger.error(msg)
                signal_alert(msg)
                continue
-
+            count_lookup = get_count_lookup(config_file, dataset.name)
-            get_snapshots_to_delete(dataset, get_count_lookup(config_file, dataset.name))
+            logger.info(f"using {count_lookup} for {dataset.name}")
            get_snapshots_to_delete(dataset, count_lookup)
    except Exception:
        logger.exception("snapshot_manager failed")
        signal_alert("snapshot_manager failed")
@@ -99,6 +100,7 @@ def get_snapshots_to_delete(
    """
    snapshots = dataset.get_snapshots()
    logger.info(f"calculating snapshots for {dataset.name} to be deleted")
    if not snapshots:
        logger.info(f"{dataset.name} has no snapshots")
        return
@@ -0,0 +1,17 @@
 FROM nvidia/cuda:12.4.1-cudnn-runtime-ubuntu22.04
 ENV DEBIAN_FRONTEND=noninteractive \
    PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1
 RUN apt-get update \
    && apt-get install -y --no-install-recommends python3 python3-pip ffmpeg \
    && rm -rf /var/lib/apt/lists/*
 RUN pip3 install --no-cache-dir --upgrade pip \
    && pip3 install --no-cache-dir faster-whisper requests
 WORKDIR /app
 COPY python/tools/whisper/inference.py /app/inference.py
 ENTRYPOINT ["python3", "/app/inference.py"]
@@ -0,0 +1,2 @@
 *
 !python/tools/whisper/inference.py
@@ -0,0 +1 @@
 """Whisper transcription tools (host orchestrator and container entrypoint)."""
@@ -0,0 +1,136 @@
 """Container entrypoint that transcribes a directory of audio files with faster-whisper.
 Run inside the whisper-transcribe docker image; segment timestamps are grouped
 into one-minute buckets so the output reads as ``[HH:MM:00] text``.
 """
 from __future__ import annotations
 import argparse
 import logging
 from pathlib import Path
 from faster_whisper import WhisperModel
 logger = logging.getLogger(__name__)
 AUDIO_EXTENSIONS = {".mp3", ".wav", ".m4a", ".flac", ".ogg", ".opus", ".mp4", ".mkv", ".webm", ".aac"}
 BUCKET_SECONDS = 60
 BEAM_SIZE = 5
 SECONDS_PER_HOUR = 3600
 SECONDS_PER_MINUTE = 60
 def format_timestamp(total_seconds: float) -> str:
    """Render a whole-minute timestamp as ``HH:MM:00``.
    Args:
        total_seconds: Offset in seconds from the start of the audio.
    Returns:
        A zero-padded ``HH:MM:00`` string.
    """
    hours = int(total_seconds // SECONDS_PER_HOUR)
    minutes = int((total_seconds % SECONDS_PER_HOUR) // SECONDS_PER_MINUTE)
    return f"{hours:02d}:{minutes:02d}:00"
 def transcribe_file(model: WhisperModel, audio_path: Path, output_path: Path) -> None:
    """Transcribe one audio file and write the bucketed transcript to disk.
    Args:
        model: Loaded faster-whisper model.
        audio_path: Source audio file.
        output_path: Destination ``.txt`` path.
    """
    logger.info("Transcribing %s", audio_path)
    segments, info = model.transcribe(
        str(audio_path),
        language="en",
        beam_size=BEAM_SIZE,
        vad_filter=True,
    )
    logger.info("Duration %.1fs", info.duration)
    buckets: dict[int, list[str]] = {}
    for segment in segments:
        bucket = int(segment.start // BUCKET_SECONDS)
        buckets.setdefault(bucket, []).append(segment.text.strip())
    lines = [f"[{format_timestamp(bucket * BUCKET_SECONDS)}] {' '.join(buckets[bucket])}" for bucket in sorted(buckets)]
    output_path.write_text("\n\n".join(lines) + "\n", encoding="utf-8")
    logger.info("Wrote %s", output_path)
 def find_audio_files(input_directory: Path) -> list[Path]:
    """Collect every audio file under ``input_directory``.
    Args:
        input_directory: Directory to walk recursively.
    Returns:
        Sorted list of audio file paths.
    """
    return sorted(
        path for path in input_directory.rglob("*") if path.is_file() and path.suffix.lower() in AUDIO_EXTENSIONS
    )
 def configure_container_logger() -> None:
    """Configure logging for the container (stdout, INFO)."""
    logging.basicConfig(
        level=logging.INFO,
        format="%(asctime)s %(levelname)s %(message)s",
    )
 def parse_arguments() -> argparse.Namespace:
    """Parse CLI arguments for the container entrypoint.
    Returns:
        Parsed argparse namespace.
    """
    parser = argparse.ArgumentParser(description=__doc__)
    parser.add_argument("--input", type=Path, default=Path("/audio"))
    parser.add_argument("--output", type=Path, default=Path("/output"))
    parser.add_argument("--model", default="large-v3")
    parser.add_argument(
        "--download-only",
        action="store_true",
        help="Download the model into the cache volume and exit without transcribing.",
    )
    return parser.parse_args()
 def main() -> None:
    """Load the model, then either exit (download-only) or transcribe the directory."""
    configure_container_logger()
    arguments = parse_arguments()
    logger.info("Loading model %s on CUDA", arguments.model)
    model = WhisperModel(arguments.model, device="cuda", compute_type="float16")
    if arguments.download_only:
        logger.info("Model ready; exiting (download-only mode)")
        return
    arguments.output.mkdir(parents=True, exist_ok=True)
    audio_files = find_audio_files(arguments.input)
    if not audio_files:
        logger.warning("No audio files found in %s", arguments.input)
        return
    logger.info("Found %d audio file(s)", len(audio_files))
    for audio_path in audio_files:
        relative = audio_path.relative_to(arguments.input)
        output_path = arguments.output / relative.with_suffix(".txt")
        output_path.parent.mkdir(parents=True, exist_ok=True)
        if output_path.exists():
            logger.info("Skip %s (already transcribed)", relative)
            continue
        transcribe_file(model, audio_path, output_path)
 if __name__ == "__main__":
    main()
@@ -0,0 +1,167 @@
 """Build and run the whisper transcription docker container on demand.
 The container is started fresh for each invocation and removed on exit
 (``docker run --rm``). The model is cached in a named docker volume so
 only the first run pays the download cost.
 """
 from __future__ import annotations
 import logging
 import subprocess
 from pathlib import Path
 from typing import Annotated
 import typer
 from python.common import configure_logger
 logger = logging.getLogger(__name__)
 class Config:
    """Paths and names for the whisper-transcribe Docker workflow."""
    image_tag = "whisper-transcribe:latest"
    model_volume = "whisper-models"
    repo_root = Path(__file__).resolve().parents[3]
    dockerfile = Path(__file__).resolve().parent / "Dockerfile"
    huggingface_cache = "/root/.cache/huggingface"
 def run_docker(arguments: list[str]) -> None:
    """Run a docker subcommand, streaming output and raising on failure.
    Args:
        arguments: Arguments to pass to the ``docker`` binary.
    Raises:
        subprocess.CalledProcessError: If docker exits non-zero.
    """
    logger.info("docker %s", " ".join(arguments))
    subprocess.run(["docker", *arguments], check=True)
 def build_image() -> None:
    """Build the whisper-transcribe image using the repo root as build context."""
    logger.info("Building image %s", Config.image_tag)
    run_docker(
        [
            "build",
            "--tag",
            Config.image_tag,
            "--file",
            str(Config.dockerfile),
            str(Config.repo_root),
        ],
    )
 def model_cache_present(model: str) -> bool:
    """Check whether the given model is already downloaded in the cache volume.
    Args:
        model: faster-whisper model name (e.g. ``large-v3``).
    Returns:
        True if the HuggingFace cache directory for the model exists in the volume.
    """
    cache_directory = f"hub/models--Systran--faster-whisper-{model}"
    completed = subprocess.run(
        [
            "docker",
            "run",
            "--rm",
            "--volume",
            f"{Config.model_volume}:/cache",
            "alpine",
            "test",
            "-d",
            f"/cache/{cache_directory}",
        ],
        check=False,
    )
    return completed.returncode == 0
 def download_model(model: str) -> None:
    """Download the model into the cache volume and exit.
    Args:
        model: faster-whisper model name.
    """
    logger.info("Downloading model %s into volume %s", model, Config.model_volume)
    run_docker(
        [
            "run",
            "--rm",
            "--device=nvidia.com/gpu=all",
            "--ipc=host",
            "--volume",
            f"{Config.model_volume}:{Config.huggingface_cache}",
            Config.image_tag,
            "--model",
            model,
            "--download-only",
        ],
    )
 def transcribe(input_directory: Path, output_directory: Path, model: str) -> None:
    """Run transcription on every audio file under ``input_directory``.
    Args:
        input_directory: Host path containing audio files (mounted read-only).
        output_directory: Host path for ``.txt`` transcripts.
        model: faster-whisper model name.
    """
    logger.info("Transcribing %s -> %s (model=%s)", input_directory, output_directory, model)
    run_docker(
        [
            "run",
            "--rm",
            "--device=nvidia.com/gpu=all",
            "--ipc=host",
            "--volume",
            f"{input_directory}:/audio:ro",
            "--volume",
            f"{output_directory}:/output",
            "--volume",
            f"{Config.model_volume}:{Config.huggingface_cache}",
            Config.image_tag,
            "--model",
            model,
        ],
    )
 def main(
    input_directory: Annotated[Path, typer.Argument(help="Directory of audio files to transcribe.")],
    output_directory: Annotated[Path, typer.Argument(help="Directory to write .txt transcripts to.")],
    model: Annotated[str, typer.Option(help="faster-whisper model name.")] = "large-v3",
    *,
    force_download: Annotated[
        bool,
        typer.Option("--force-download", help="Re-download the model even if already cached."),
    ] = False,
 ) -> None:
    """Build the image, ensure the model is cached, then transcribe and stop."""
    configure_logger()
    resolved_input = input_directory.resolve(strict=True)
    output_directory.mkdir(parents=True, exist_ok=True)
    resolved_output = output_directory.resolve()
    build_image()
    if force_download or not model_cache_present(model):
        download_model(model)
    else:
        logger.info("Model %s already cached in volume %s", model, Config.model_volume)
    transcribe(resolved_input, resolved_output, model)
    logger.info("Done. Container stopped.")
 if __name__ == "__main__":
    typer.run(main)
@@ -1,28 +1,39 @@
-{ inputs, ... }:
+{ inputs, pkgs, ... }:
 {
  imports = [
    "${inputs.self}/users/math"
    "${inputs.self}/users/richie"
    "${inputs.self}/users/steve"
    "${inputs.self}/common/global"
    "${inputs.self}/common/optional/desktop.nix"
    "${inputs.self}/common/optional/docker.nix"
    "${inputs.self}/common/optional/scanner.nix"
    "${inputs.self}/common/optional/monitoring-agent.nix"
    "${inputs.self}/common/optional/steam.nix"
    "${inputs.self}/common/optional/syncthing_base.nix"
    "${inputs.self}/common/optional/systemd-boot.nix"
    "${inputs.self}/common/optional/update.nix"
    "${inputs.self}/common/optional/yubikey.nix"
    "${inputs.self}/common/optional/zerotier.nix"
    "${inputs.self}/common/optional/brain_substituter.nix"
    "${inputs.self}/common/optional/nvidia.nix"
    ./hardware.nix
    ./syncthing.nix
    ./llms.nix
  ];
  boot = {
    kernelPackages = pkgs.linuxPackages_6_18;
    zfs.package = pkgs.zfs_2_4;
  };
  networking = {
    hostName = "bob";
    hostId = "7c678a41";
-    firewall.enable = true;
+    firewall = {
      enable = true;
      allowedTCPPorts = [
        8000
      ];
    };
    networkmanager.enable = true;
  };
@@ -28,9 +28,13 @@
        allowDiscards = true;
        keyFileSize = 4096;
        keyFile = "/dev/disk/by-id/usb-Samsung_Flash_Drive_FIT_0374620080067131-0:0";
        fallbackToPassword = true;
      };
    };
    zfs.extraPools = [
      "storage"
    ];
    kernelModules = [ "kvm-amd" ];
    extraModulePackages = [ ];
  };
@@ -23,6 +23,7 @@
      "magistral:24b"
      "ministral-3:14b"
      "nemotron-3-nano:30b"
      "nemotron-3-nano:4b"
      "nemotron-cascade-2:30b"
      "qwen3-coder:30b"
      "qwen3-embedding:0.6b"
@@ -41,11 +42,14 @@
      "qwen3:8b"
      "qwen3.5:27b"
      "qwen3.5:35b"
      "qwen3.6:27b"
      "qwen3.6:35b"
      "rinex20/translategemma3:12b"
      "translategemma:12b"
      "translategemma:27b"
      "translategemma:4b"
    ];
-    models = "/zfs/models";
+    models = "/zfs/storage/models";
    openFirewall = true;
  };
 }
@@ -31,5 +31,15 @@
      ];
      fsWatcherEnabled = true;
    };
    "recordings" = {
      path = "/home/richie/recordings";
      devices = [
        "jeeves"
        "phone"
        "rhapsody-in-green"
      ];
      fsWatcherEnabled = true;
    };
  };
 }
@@ -26,7 +26,6 @@
        allowDiscards = true;
        keyFileSize = 4096;
        keyFile = "/dev/disk/by-id/usb-USB_SanDisk_3.2Gen1_03021630090925173333-0:0";
        fallbackToPassword = true;
      };
    };
    kernelModules = [ "kvm-intel" ];
@@ -4,17 +4,21 @@ let
 in
 {
  imports = [
    "${inputs.self}/users/richie"
    "${inputs.self}/users/math"
    "${inputs.self}/users/dov"
    "${inputs.self}/users/math"
    "${inputs.self}/users/richie"
    "${inputs.self}/users/steve"
    "${inputs.self}/common/global"
    "${inputs.self}/common/optional/docker.nix"
    "${inputs.self}/common/optional/monitoring-agent.nix"
    "${inputs.self}/common/optional/ssh_decrypt.nix"
    "${inputs.self}/common/optional/syncthing_base.nix"
    "${inputs.self}/common/optional/update.nix"
    "${inputs.self}/common/optional/zerotier.nix"
    ./monitoring
    ./docker
    ./services
    ./web_services
    ./hardware.nix
    ./networking.nix
    ./programs.nix
@@ -35,5 +39,10 @@ in
    zerotierone.joinNetworks = [ "a09acf02330d37b9" ];
  };
  users.groups = {
    nornsight = { };
    nornsight-admin = { };
  };
  system.stateVersion = "24.05";
 }
@@ -9,7 +9,6 @@ let
    inherit device;
    keyFileSize = 4096;
    keyFile = "/dev/disk/by-id/usb-XIAO_USB_Drive_24587CE29074-0:0";
    fallbackToPassword = true;
  };
  makeLuksSSD =
    device:
@@ -0,0 +1,426 @@
 {
  "annotations": {
    "list": [
      {
        "builtIn": 1,
        "datasource": {
          "type": "grafana",
          "uid": "-- Grafana --"
        },
        "enable": true,
        "hide": true,
        "iconColor": "rgba(0, 211, 255, 1)",
        "name": "Annotations & Alerts",
        "type": "dashboard"
      }
    ]
  },
  "editable": true,
  "fiscalYearStartMonth": 0,
  "graphTooltip": 0,
  "links": [],
  "panels": [
    {
      "datasource": {
        "type": "prometheus",
        "uid": "prom-main"
      },
      "fieldConfig": {
        "defaults": {
          "unit": "percent"
        },
        "overrides": []
      },
      "gridPos": {
        "h": 8,
        "w": 6,
        "x": 0,
        "y": 0
      },
      "id": 1,
      "options": {
        "legend": {
          "displayMode": "list",
          "placement": "bottom"
        },
        "tooltip": {
          "mode": "multi"
        }
      },
      "targets": [
        {
          "datasource": {
            "type": "prometheus",
            "uid": "prom-main"
          },
          "editorMode": "code",
          "expr": "100 * (1 - avg by (instance) (rate(node_cpu_seconds_total{mode=\"idle\"}[5m])))",
          "legendFormat": "{{instance}}",
          "range": true,
          "refId": "A"
        }
      ],
      "title": "CPU Used",
      "type": "timeseries"
    },
    {
      "datasource": {
        "type": "prometheus",
        "uid": "prom-main"
      },
      "fieldConfig": {
        "defaults": {
          "unit": "percent"
        },
        "overrides": []
      },
      "gridPos": {
        "h": 8,
        "w": 6,
        "x": 6,
        "y": 0
      },
      "id": 2,
      "options": {
        "legend": {
          "displayMode": "list",
          "placement": "bottom"
        },
        "tooltip": {
          "mode": "multi"
        }
      },
      "targets": [
        {
          "datasource": {
            "type": "prometheus",
            "uid": "prom-main"
          },
          "editorMode": "code",
          "expr": "100 * (1 - (node_memory_MemAvailable_bytes / node_memory_MemTotal_bytes))",
          "legendFormat": "{{instance}}",
          "range": true,
          "refId": "A"
        }
      ],
      "title": "RAM Used",
      "type": "timeseries"
    },
    {
      "datasource": {
        "type": "prometheus",
        "uid": "prom-main"
      },
      "fieldConfig": {
        "defaults": {
          "unit": "percent"
        },
        "overrides": []
      },
      "gridPos": {
        "h": 8,
        "w": 6,
        "x": 12,
        "y": 0
      },
      "id": 3,
      "options": {
        "legend": {
          "displayMode": "list",
          "placement": "bottom"
        },
        "tooltip": {
          "mode": "multi"
        }
      },
      "targets": [
        {
          "datasource": {
            "type": "prometheus",
            "uid": "prom-main"
          },
          "editorMode": "code",
          "expr": "100 * (1 - (node_memory_SwapFree_bytes / node_memory_SwapTotal_bytes))",
          "legendFormat": "{{instance}}",
          "range": true,
          "refId": "A"
        }
      ],
      "title": "Swap Used",
      "type": "timeseries"
    },
    {
      "datasource": {
        "type": "prometheus",
        "uid": "prom-main"
      },
      "fieldConfig": {
        "defaults": {
          "unit": "short"
        },
        "overrides": []
      },
      "gridPos": {
        "h": 8,
        "w": 6,
        "x": 18,
        "y": 0
      },
      "id": 4,
      "options": {
        "legend": {
          "displayMode": "list",
          "placement": "bottom"
        },
        "tooltip": {
          "mode": "multi"
        }
      },
      "targets": [
        {
          "datasource": {
            "type": "prometheus",
            "uid": "prom-main"
          },
          "editorMode": "code",
          "expr": "node_load1",
          "legendFormat": "{{instance}} load1",
          "range": true,
          "refId": "A"
        },
        {
          "datasource": {
            "type": "prometheus",
            "uid": "prom-main"
          },
          "editorMode": "code",
          "expr": "node_load5",
          "legendFormat": "{{instance}} load5",
          "range": true,
          "refId": "B"
        },
        {
          "datasource": {
            "type": "prometheus",
            "uid": "prom-main"
          },
          "editorMode": "code",
          "expr": "node_load15",
          "legendFormat": "{{instance}} load15",
          "range": true,
          "refId": "C"
        }
      ],
      "title": "Load",
      "type": "timeseries"
    },
    {
      "datasource": {
        "type": "prometheus",
        "uid": "prom-main"
      },
      "fieldConfig": {
        "defaults": {
          "unit": "Bps"
        },
        "overrides": []
      },
      "gridPos": {
        "h": 9,
        "w": 12,
        "x": 0,
        "y": 8
      },
      "id": 5,
      "options": {
        "legend": {
          "displayMode": "list",
          "placement": "bottom"
        },
        "tooltip": {
          "mode": "multi"
        }
      },
      "targets": [
        {
          "datasource": {
            "type": "prometheus",
            "uid": "prom-main"
          },
          "editorMode": "code",
          "expr": "sum by (instance) (rate(node_disk_read_bytes_total[5m]))",
          "legendFormat": "{{instance}} read",
          "range": true,
          "refId": "A"
        },
        {
          "datasource": {
            "type": "prometheus",
            "uid": "prom-main"
          },
          "editorMode": "code",
          "expr": "sum by (instance) (rate(node_disk_written_bytes_total[5m]))",
          "legendFormat": "{{instance}} write",
          "range": true,
          "refId": "B"
        }
      ],
      "title": "Disk Throughput",
      "type": "timeseries"
    },
    {
      "datasource": {
        "type": "prometheus",
        "uid": "prom-main"
      },
      "fieldConfig": {
        "defaults": {
          "unit": "percent"
        },
        "overrides": []
      },
      "gridPos": {
        "h": 9,
        "w": 12,
        "x": 12,
        "y": 8
      },
      "id": 6,
      "options": {
        "cellHeight": "sm",
        "showHeader": true,
        "sortBy": [
          {
            "desc": true,
            "displayName": "Value"
          }
        ]
      },
      "targets": [
        {
          "datasource": {
            "type": "prometheus",
            "uid": "prom-main"
          },
          "editorMode": "code",
          "expr": "100 * (1 - (node_filesystem_avail_bytes{mountpoint=~\"(/|/home|/var|/zfs.*)\",fstype!=\"\"} / node_filesystem_size_bytes{mountpoint=~\"(/|/home|/var|/zfs.*)\",fstype!=\"\"}))",
          "format": "table",
          "instant": true,
          "legendFormat": "{{instance}} {{mountpoint}}",
          "refId": "A"
        }
      ],
      "title": "Filesystem Usage",
      "type": "table"
    },
    {
      "datasource": {
        "type": "prometheus",
        "uid": "prom-main"
      },
      "fieldConfig": {
        "defaults": {
          "unit": "percentunit"
        },
        "overrides": []
      },
      "gridPos": {
        "h": 10,
        "w": 12,
        "x": 0,
        "y": 17
      },
      "id": 7,
      "options": {
        "cellHeight": "sm",
        "showHeader": true,
        "sortBy": [
          {
            "desc": true,
            "displayName": "Value"
          }
        ]
      },
      "targets": [
        {
          "datasource": {
            "type": "prometheus",
            "uid": "prom-main"
          },
          "editorMode": "code",
          "expr": "topk(10, rate(namedprocess_namegroup_cpu_seconds_total[5m]))",
          "format": "table",
          "instant": true,
          "legendFormat": "{{instance}} {{groupname}}",
          "refId": "A"
        }
      ],
      "title": "Top Grouped CPU",
      "type": "table"
    },
    {
      "datasource": {
        "type": "prometheus",
        "uid": "prom-main"
      },
      "fieldConfig": {
        "defaults": {
          "unit": "bytes"
        },
        "overrides": []
      },
      "gridPos": {
        "h": 10,
        "w": 12,
        "x": 12,
        "y": 17
      },
      "id": 8,
      "options": {
        "cellHeight": "sm",
        "showHeader": true,
        "sortBy": [
          {
            "desc": true,
            "displayName": "Value"
          }
        ]
      },
      "targets": [
        {
          "datasource": {
            "type": "prometheus",
            "uid": "prom-main"
          },
          "editorMode": "code",
          "expr": "topk(10, namedprocess_namegroup_memory_bytes{memtype=\"resident\"})",
          "format": "table",
          "instant": true,
          "legendFormat": "{{instance}} {{groupname}}",
          "refId": "A"
        }
      ],
      "title": "Top Grouped Memory",
      "type": "table"
    }
  ],
  "refresh": "30s",
  "schemaVersion": 39,
  "style": "dark",
  "tags": [
    "monitoring"
  ],
  "templating": {
    "list": []
  },
  "time": {
    "from": "now-24h",
    "to": "now"
  },
  "timepicker": {},
  "timezone": "",
  "title": "Overview",
  "uid": "monitor-overview",
  "version": 1,
  "weekStart": ""
 }
@@ -0,0 +1,216 @@
 {
  "annotations": {
    "list": [
      {
        "builtIn": 1,
        "datasource": {
          "type": "grafana",
          "uid": "-- Grafana --"
        },
        "enable": true,
        "hide": true,
        "iconColor": "rgba(0, 211, 255, 1)",
        "name": "Annotations & Alerts",
        "type": "dashboard"
      }
    ]
  },
  "editable": true,
  "fiscalYearStartMonth": 0,
  "graphTooltip": 0,
  "links": [],
  "panels": [
    {
      "datasource": {
        "type": "prometheus",
        "uid": "prom-main"
      },
      "fieldConfig": {
        "defaults": {
          "unit": "percentunit"
        },
        "overrides": []
      },
      "gridPos": {
        "h": 10,
        "w": 12,
        "x": 0,
        "y": 0
      },
      "id": 1,
      "options": {
        "legend": {
          "displayMode": "list",
          "placement": "bottom"
        },
        "tooltip": {
          "mode": "multi"
        }
      },
      "targets": [
        {
          "datasource": {
            "type": "prometheus",
            "uid": "prom-main"
          },
          "editorMode": "code",
          "expr": "topk(10, rate(namedprocess_namegroup_cpu_seconds_total[5m]))",
          "legendFormat": "{{instance}} {{groupname}}",
          "range": true,
          "refId": "A"
        }
      ],
      "title": "Grouped CPU",
      "type": "timeseries"
    },
    {
      "datasource": {
        "type": "prometheus",
        "uid": "prom-main"
      },
      "fieldConfig": {
        "defaults": {
          "unit": "bytes"
        },
        "overrides": []
      },
      "gridPos": {
        "h": 10,
        "w": 12,
        "x": 12,
        "y": 0
      },
      "id": 2,
      "options": {
        "legend": {
          "displayMode": "list",
          "placement": "bottom"
        },
        "tooltip": {
          "mode": "multi"
        }
      },
      "targets": [
        {
          "datasource": {
            "type": "prometheus",
            "uid": "prom-main"
          },
          "editorMode": "code",
          "expr": "topk(10, namedprocess_namegroup_memory_bytes{memtype=\"resident\"})",
          "legendFormat": "{{instance}} {{groupname}}",
          "range": true,
          "refId": "A"
        }
      ],
      "title": "Grouped Resident Memory",
      "type": "timeseries"
    },
    {
      "datasource": {
        "type": "prometheus",
        "uid": "prom-main"
      },
      "fieldConfig": {
        "defaults": {
          "unit": "Bps"
        },
        "overrides": []
      },
      "gridPos": {
        "h": 10,
        "w": 12,
        "x": 0,
        "y": 10
      },
      "id": 3,
      "options": {
        "legend": {
          "displayMode": "list",
          "placement": "bottom"
        },
        "tooltip": {
          "mode": "multi"
        }
      },
      "targets": [
        {
          "datasource": {
            "type": "prometheus",
            "uid": "prom-main"
          },
          "editorMode": "code",
          "expr": "topk(10, rate(namedprocess_namegroup_read_bytes_total[5m]))",
          "legendFormat": "{{instance}} {{groupname}}",
          "range": true,
          "refId": "A"
        }
      ],
      "title": "Grouped Read I/O",
      "type": "timeseries"
    },
    {
      "datasource": {
        "type": "prometheus",
        "uid": "prom-main"
      },
      "fieldConfig": {
        "defaults": {
          "unit": "Bps"
        },
        "overrides": []
      },
      "gridPos": {
        "h": 10,
        "w": 12,
        "x": 12,
        "y": 10
      },
      "id": 4,
      "options": {
        "legend": {
          "displayMode": "list",
          "placement": "bottom"
        },
        "tooltip": {
          "mode": "multi"
        }
      },
      "targets": [
        {
          "datasource": {
            "type": "prometheus",
            "uid": "prom-main"
          },
          "editorMode": "code",
          "expr": "topk(10, rate(namedprocess_namegroup_write_bytes_total[5m]))",
          "legendFormat": "{{instance}} {{groupname}}",
          "range": true,
          "refId": "A"
        }
      ],
      "title": "Grouped Write I/O",
      "type": "timeseries"
    }
  ],
  "refresh": "30s",
  "schemaVersion": 39,
  "style": "dark",
  "tags": [
    "monitoring",
    "process"
  ],
  "templating": {
    "list": []
  },
  "time": {
    "from": "now-7d",
    "to": "now"
  },
  "timepicker": {},
  "timezone": "",
  "title": "Process History Grouped",
  "uid": "monitor-process-history",
  "version": 1,
  "weekStart": ""
 }
@@ -0,0 +1,224 @@
 {
  "annotations": {
    "list": [
      {
        "builtIn": 1,
        "datasource": {
          "type": "grafana",
          "uid": "-- Grafana --"
        },
        "enable": true,
        "hide": true,
        "iconColor": "rgba(0, 211, 255, 1)",
        "name": "Annotations & Alerts",
        "type": "dashboard"
      }
    ]
  },
  "editable": true,
  "fiscalYearStartMonth": 0,
  "graphTooltip": 0,
  "links": [],
  "panels": [
    {
      "datasource": {
        "type": "prometheus",
        "uid": "prom-pid-short"
      },
      "fieldConfig": {
        "defaults": {
          "unit": "percentunit"
        },
        "overrides": []
      },
      "gridPos": {
        "h": 10,
        "w": 12,
        "x": 0,
        "y": 0
      },
      "id": 1,
      "options": {
        "cellHeight": "sm",
        "showHeader": true,
        "sortBy": [
          {
            "desc": true,
            "displayName": "Value"
          }
        ]
      },
      "targets": [
        {
          "datasource": {
            "type": "prometheus",
            "uid": "prom-pid-short"
          },
          "editorMode": "code",
          "expr": "topk(20, rate(namedprocess_namegroup_cpu_seconds_total[2m]))",
          "format": "table",
          "instant": true,
          "legendFormat": "{{instance}} {{groupname}}",
          "refId": "A"
        }
      ],
      "title": "Top PID CPU",
      "type": "table"
    },
    {
      "datasource": {
        "type": "prometheus",
        "uid": "prom-pid-short"
      },
      "fieldConfig": {
        "defaults": {
          "unit": "bytes"
        },
        "overrides": []
      },
      "gridPos": {
        "h": 10,
        "w": 12,
        "x": 12,
        "y": 0
      },
      "id": 2,
      "options": {
        "cellHeight": "sm",
        "showHeader": true,
        "sortBy": [
          {
            "desc": true,
            "displayName": "Value"
          }
        ]
      },
      "targets": [
        {
          "datasource": {
            "type": "prometheus",
            "uid": "prom-pid-short"
          },
          "editorMode": "code",
          "expr": "topk(20, namedprocess_namegroup_memory_bytes{memtype=\"resident\"})",
          "format": "table",
          "instant": true,
          "legendFormat": "{{instance}} {{groupname}}",
          "refId": "A"
        }
      ],
      "title": "Top PID RSS",
      "type": "table"
    },
    {
      "datasource": {
        "type": "prometheus",
        "uid": "prom-pid-short"
      },
      "fieldConfig": {
        "defaults": {
          "unit": "Bps"
        },
        "overrides": []
      },
      "gridPos": {
        "h": 10,
        "w": 12,
        "x": 0,
        "y": 10
      },
      "id": 3,
      "options": {
        "cellHeight": "sm",
        "showHeader": true,
        "sortBy": [
          {
            "desc": true,
            "displayName": "Value"
          }
        ]
      },
      "targets": [
        {
          "datasource": {
            "type": "prometheus",
            "uid": "prom-pid-short"
          },
          "editorMode": "code",
          "expr": "topk(20, rate(namedprocess_namegroup_read_bytes_total[2m]))",
          "format": "table",
          "instant": true,
          "legendFormat": "{{instance}} {{groupname}}",
          "refId": "A"
        }
      ],
      "title": "Top PID Read I/O",
      "type": "table"
    },
    {
      "datasource": {
        "type": "prometheus",
        "uid": "prom-pid-short"
      },
      "fieldConfig": {
        "defaults": {
          "unit": "Bps"
        },
        "overrides": []
      },
      "gridPos": {
        "h": 10,
        "w": 12,
        "x": 12,
        "y": 10
      },
      "id": 4,
      "options": {
        "cellHeight": "sm",
        "showHeader": true,
        "sortBy": [
          {
            "desc": true,
            "displayName": "Value"
          }
        ]
      },
      "targets": [
        {
          "datasource": {
            "type": "prometheus",
            "uid": "prom-pid-short"
          },
          "editorMode": "code",
          "expr": "topk(20, rate(namedprocess_namegroup_write_bytes_total[2m]))",
          "format": "table",
          "instant": true,
          "legendFormat": "{{instance}} {{groupname}}",
          "refId": "A"
        }
      ],
      "title": "Top PID Write I/O",
      "type": "table"
    }
  ],
  "refresh": "15s",
  "schemaVersion": 39,
  "style": "dark",
  "tags": [
    "monitoring",
    "process"
  ],
  "templating": {
    "list": []
  },
  "time": {
    "from": "now-10m",
    "to": "now"
  },
  "timepicker": {},
  "timezone": "",
  "title": "Process Live PID",
  "uid": "monitor-process-pid",
  "version": 1,
  "weekStart": ""
 }
@@ -0,0 +1,351 @@
 {
  "annotations": {
    "list": [
      {
        "builtIn": 1,
        "datasource": {
          "type": "grafana",
          "uid": "-- Grafana --"
        },
        "enable": true,
        "hide": true,
        "iconColor": "rgba(0, 211, 255, 1)",
        "name": "Annotations & Alerts",
        "type": "dashboard"
      }
    ]
  },
  "editable": true,
  "fiscalYearStartMonth": 0,
  "graphTooltip": 0,
  "links": [],
  "panels": [
    {
      "datasource": {
        "type": "prometheus",
        "uid": "prom-main"
      },
      "fieldConfig": {
        "defaults": {
          "unit": "percent"
        },
        "overrides": []
      },
      "gridPos": {
        "h": 8,
        "w": 8,
        "x": 0,
        "y": 0
      },
      "id": 1,
      "options": {
        "legend": {
          "displayMode": "list",
          "placement": "bottom"
        },
        "tooltip": {
          "mode": "multi"
        }
      },
      "targets": [
        {
          "datasource": {
            "type": "prometheus",
            "uid": "prom-main"
          },
          "editorMode": "code",
          "expr": "100 * (zfs_pool_allocated_bytes / zfs_pool_size_bytes)",
          "legendFormat": "{{instance}} {{pool}}",
          "range": true,
          "refId": "A"
        }
      ],
      "title": "Pool Usage",
      "type": "timeseries"
    },
    {
      "datasource": {
        "type": "prometheus",
        "uid": "prom-main"
      },
      "fieldConfig": {
        "defaults": {
          "unit": "bytes"
        },
        "overrides": []
      },
      "gridPos": {
        "h": 8,
        "w": 8,
        "x": 8,
        "y": 0
      },
      "id": 2,
      "options": {
        "legend": {
          "displayMode": "list",
          "placement": "bottom"
        },
        "tooltip": {
          "mode": "multi"
        }
      },
      "targets": [
        {
          "datasource": {
            "type": "prometheus",
            "uid": "prom-main"
          },
          "editorMode": "code",
          "expr": "zfs_pool_free_bytes",
          "legendFormat": "{{instance}} {{pool}}",
          "range": true,
          "refId": "A"
        }
      ],
      "title": "Pool Free Bytes",
      "type": "timeseries"
    },
    {
      "datasource": {
        "type": "prometheus",
        "uid": "prom-main"
      },
      "fieldConfig": {
        "defaults": {
          "unit": "bytes"
        },
        "overrides": []
      },
      "gridPos": {
        "h": 8,
        "w": 8,
        "x": 16,
        "y": 0
      },
      "id": 3,
      "options": {
        "cellHeight": "sm",
        "showHeader": true,
        "sortBy": [
          {
            "desc": true,
            "displayName": "Value"
          }
        ]
      },
      "targets": [
        {
          "datasource": {
            "type": "prometheus",
            "uid": "prom-main"
          },
          "editorMode": "code",
          "expr": "topk(20, zfs_dataset_used_bytes{type=\"filesystem\"})",
          "format": "table",
          "instant": true,
          "legendFormat": "{{instance}} {{name}}",
          "refId": "A"
        }
      ],
      "title": "Top Filesystems by Used Bytes",
      "type": "table"
    },
    {
      "datasource": {
        "type": "prometheus",
        "uid": "prom-main"
      },
      "fieldConfig": {
        "defaults": {
          "unit": "ns"
        },
        "overrides": []
      },
      "gridPos": {
        "h": 9,
        "w": 12,
        "x": 0,
        "y": 8
      },
      "id": 4,
      "options": {
        "legend": {
          "displayMode": "list",
          "placement": "bottom"
        },
        "tooltip": {
          "mode": "multi"
        }
      },
      "targets": [
        {
          "datasource": {
            "type": "prometheus",
            "uid": "prom-main"
          },
          "editorMode": "code",
          "expr": "topk(20, zpool_iostat_total_wait_read_ns{vdev!=\"_pool\"})",
          "legendFormat": "{{host}} {{pool}} {{vdev}}",
          "range": true,
          "refId": "A"
        }
      ],
      "title": "ZFS Read Wait",
      "type": "timeseries"
    },
    {
      "datasource": {
        "type": "prometheus",
        "uid": "prom-main"
      },
      "fieldConfig": {
        "defaults": {
          "unit": "ns"
        },
        "overrides": []
      },
      "gridPos": {
        "h": 9,
        "w": 12,
        "x": 12,
        "y": 8
      },
      "id": 5,
      "options": {
        "legend": {
          "displayMode": "list",
          "placement": "bottom"
        },
        "tooltip": {
          "mode": "multi"
        }
      },
      "targets": [
        {
          "datasource": {
            "type": "prometheus",
            "uid": "prom-main"
          },
          "editorMode": "code",
          "expr": "topk(20, zpool_iostat_total_wait_write_ns{vdev!=\"_pool\"})",
          "legendFormat": "{{host}} {{pool}} {{vdev}}",
          "range": true,
          "refId": "A"
        }
      ],
      "title": "ZFS Write Wait",
      "type": "timeseries"
    },
    {
      "datasource": {
        "type": "prometheus",
        "uid": "prom-main"
      },
      "fieldConfig": {
        "defaults": {
          "unit": "celsius"
        },
        "overrides": []
      },
      "gridPos": {
        "h": 9,
        "w": 12,
        "x": 0,
        "y": 17
      },
      "id": 6,
      "options": {
        "cellHeight": "sm",
        "showHeader": true,
        "sortBy": [
          {
            "desc": true,
            "displayName": "Value"
          }
        ]
      },
      "targets": [
        {
          "datasource": {
            "type": "prometheus",
            "uid": "prom-main"
          },
          "editorMode": "code",
          "expr": "smartctl_device_temperature{temperature_type=\"current\"}",
          "format": "table",
          "instant": true,
          "legendFormat": "{{instance}} {{device}}",
          "refId": "A"
        }
      ],
      "title": "Disk Temperature",
      "type": "table"
    },
    {
      "datasource": {
        "type": "prometheus",
        "uid": "prom-main"
      },
      "fieldConfig": {
        "defaults": {
          "unit": "short"
        },
        "overrides": []
      },
      "gridPos": {
        "h": 9,
        "w": 12,
        "x": 12,
        "y": 17
      },
      "id": 7,
      "options": {
        "cellHeight": "sm",
        "showHeader": true,
        "sortBy": [
          {
            "desc": false,
            "displayName": "Value"
          }
        ]
      },
      "targets": [
        {
          "datasource": {
            "type": "prometheus",
            "uid": "prom-main"
          },
          "editorMode": "code",
          "expr": "smartctl_device_smart_status",
          "format": "table",
          "instant": true,
          "legendFormat": "{{instance}} {{device}}",
          "refId": "A"
        }
      ],
      "title": "SMART Health",
      "type": "table"
    }
  ],
  "refresh": "30s",
  "schemaVersion": 39,
  "style": "dark",
  "tags": [
    "monitoring",
    "zfs"
  ],
  "templating": {
    "list": []
  },
  "time": {
    "from": "now-24h",
    "to": "now"
  },
  "timepicker": {},
  "timezone": "",
  "title": "Storage and ZFS",
  "uid": "monitor-storage",
  "version": 1,
  "weekStart": ""
 }
@@ -0,0 +1,186 @@
 {
  lib,
  pkgs,
  ...
 }:
 let
  vars = import ../vars.nix;
  prometheusDataRoot = "${vars.database}/prometheus";
  mainPrometheusDataDir = "${prometheusDataRoot}/main";
  pidPrometheusDataDir = "${prometheusDataRoot}/pid-short";
  prometheusYaml = pkgs.formats.yaml { };
  mkPrometheusConfig =
    name: cfg:
    let
      configFile = prometheusYaml.generate "${name}.yaml" cfg;
    in
    pkgs.runCommand "${name}-checked.yaml"
      {
        nativeBuildInputs = [ pkgs.prometheus.cli ];
      }
      ''
        promtool check config ${configFile}
        cp ${configFile} $out
      '';
  mkTarget = host: address: {
    targets = [ address ];
    labels.instance = host;
  };
  mainPrometheusConfig = mkPrometheusConfig "prometheus-main" {
    global = {
      scrape_interval = "30s";
      scrape_timeout = "10s";
      evaluation_interval = "30s";
    };
    scrape_configs = [
      {
        job_name = "node";
        static_configs = [
          (mkTarget "jeeves" "192.168.90.40:9100")
          (mkTarget "bob" "192.168.90.25:9100")
        ];
      }
      {
        job_name = "process_grouped";
        static_configs = [
          (mkTarget "jeeves" "192.168.90.40:9256")
          (mkTarget "bob" "192.168.90.25:9256")
        ];
      }
      {
        job_name = "smartctl";
        static_configs = [
          (mkTarget "jeeves" "192.168.90.40:9633")
          (mkTarget "bob" "192.168.90.25:9633")
        ];
      }
      {
        job_name = "zfs";
        static_configs = [
          (mkTarget "jeeves" "192.168.90.40:9134")
          (mkTarget "bob" "192.168.90.25:9134")
        ];
      }
    ];
  };
  pidPrometheusConfig = mkPrometheusConfig "prometheus-pid-short" {
    global = {
      scrape_interval = "15s";
      scrape_timeout = "10s";
      evaluation_interval = "15s";
    };
    scrape_configs = [
      {
        job_name = "process_pid";
        static_configs = [
          (mkTarget "jeeves" "192.168.90.40:9257")
          (mkTarget "bob" "192.168.90.25:9257")
        ];
      }
    ];
  };
  mkPrometheusService =
    {
      dataDir,
      configFile,
      port,
      retention,
    }:
    {
      after = [
        "zfs-media-database-prometheus.mount"
        "network.target"
      ];
      requires = [ "zfs-media-database-prometheus.mount" ];
      wantedBy = [ "multi-user.target" ];
      unitConfig.RequiresMountsFor = [ dataDir ];
      serviceConfig = {
        ExecStart = "${lib.getExe pkgs.prometheus} ${
          lib.escapeShellArgs [
            "--config.file=${configFile}"
            "--storage.tsdb.path=${dataDir}"
            "--storage.tsdb.retention.time=${retention}"
            "--web.listen-address=127.0.0.1:${toString port}"
          ]
        }";
        User = "prometheus";
        Group = "prometheus";
        Restart = "always";
        RestartSec = "5s";
        WorkingDirectory = dataDir;
        ReadWritePaths = [ dataDir ];
        CapabilityBoundingSet = [ "" ];
        DeviceAllow = [ "/dev/null rw" ];
        DevicePolicy = "strict";
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        NoNewPrivileges = true;
        PrivateDevices = true;
        PrivateTmp = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        ProtectSystem = "strict";
        RemoveIPC = true;
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
          "AF_UNIX"
        ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [
          "@system-service"
          "~@privileged"
        ];
      };
    };
 in
 {
  users = {
    groups.prometheus = { };
    users.prometheus = {
      isSystemUser = true;
      group = "prometheus";
      description = "Prometheus daemon user";
    };
  };
  systemd = {
    services = {
      prometheus-main = mkPrometheusService {
        configFile = mainPrometheusConfig;
        dataDir = mainPrometheusDataDir;
        port = 9090;
        retention = "90d";
      };
      prometheus-pid-short = mkPrometheusService {
        configFile = pidPrometheusConfig;
        dataDir = pidPrometheusDataDir;
        port = 9092;
        retention = "10m";
      };
    };
    tmpfiles.rules = [
      "d ${prometheusDataRoot} 0755 root root - -"
      "d ${mainPrometheusDataDir} 0750 prometheus prometheus - -"
      "d ${pidPrometheusDataDir} 0750 prometheus prometheus - -"
    ];
  };
 }
@@ -1,4 +1,13 @@
 {
  # Docker loads br_netfilter on jeeves. Disable bridge netfilter so
  # br-nix-builder behaves like a pure L2 bridge and bridged traffic
  # does not hit the host firewall/rpfilter path.
  boot.kernel.sysctl = {
    "net.bridge.bridge-nf-call-arptables" = 0;
    "net.bridge.bridge-nf-call-ip6tables" = 0;
    "net.bridge.bridge-nf-call-iptables" = 0;
  };
  networking = {
    hostName = "jeeves";
    hostId = "0e15ce35";
@@ -34,11 +43,18 @@
      };
    };
    networks = {
-      "10-1GB_Primary" = {
+      "10-Primary" = {
-        matchConfig.Name = "enp97s0f1";
+        matchConfig.Name = "enp97s0";
        address = [ "192.168.99.14/24" ];
        dns = [
          "192.168.99.1"
          "2600:4040:abfb:d700::1"
        ];
        routes = [ { Gateway = "192.168.99.1"; } ];
        vlan = [ "internet-vlan" ];
        dhcpV4Config.UseDNS = false;
        dhcpV6Config.UseDNS = false;
        ipv6AcceptRAConfig.UseDNS = false;
        linkConfig.RequiredForOnline = "routable";
      };
      "50-internet-vlan" = {
@@ -49,23 +65,10 @@
      "60-br-nix-builder" = {
        matchConfig.Name = "br-nix-builder";
        bridgeConfig = { };
-        address = [ "192.168.3.10/24" ];
+        networkConfig = {
-        routingPolicyRules = [
+          IPv6AcceptRA = false;
-          {
+          LinkLocalAddressing = "no";
-            From = "192.168.3.0/24";
+        };
            Table = 100;
            Priority = 100;
          }
        ];
        routes = [
          {
            Gateway = "192.168.3.1";
            Table = 100;
            GatewayOnLink = false;
            Metric = 2048;
            PreferredSource = "192.168.3.10";
          }
        ];
        linkConfig.RequiredForOnline = "no";
      };
    };
@@ -3,5 +3,6 @@
  environment.systemPackages = with pkgs; [
    filebot
    docker-compose
    ffmpeg
  ];
 }
@@ -1,20 +1,7 @@
-{ pkgs, ... }:
+{ ... }:
 {
  imports = [ ./nix_builder.nix ];
  users = {
    users.github-runners = {
      shell = pkgs.bash;
      isSystemUser = true;
      group = "github-runners";
      uid = 601;
      openssh.authorizedKeys.keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA/S8i+BNX/12JNKg+5EKGX7Aqimt5KM+ve3wt/SyWuO github-runners" # cspell:disable-line
      ];
    };
    groups.github-runners.gid = 601;
  };
  services.nix_builder.containers = {
    nix-builder-00.enable = true;
    nix-builder-01.enable = true;
@@ -2,6 +2,7 @@
  config,
  lib,
  outputs,
  utils,
  ...
 }:
@@ -9,6 +10,8 @@ with lib;
 let
  vars = import ../vars.nix;
  cfg = config.services.nix_builder;
  runnerUsername = "gitea-runner";
  runnerUserid = 601;
 in
 {
  options.services.nix_builder = {
@@ -23,37 +26,40 @@ in
        types.submodule (
          { name, ... }:
          {
-            options.enable = mkEnableOption "GitHub runner container";
+            options.enable = mkEnableOption "Gitea runner container";
          }
        )
      );
      default = { };
-      description = "GitHub runner container configurations";
+      description = "Gitea runner container configurations";
    };
  };
  config = {
    users = {
      users.${runnerUsername} = {
        isSystemUser = true;
        group = runnerUsername;
        uid = runnerUserid;
      };
      groups.${runnerUsername}.gid = runnerUserid;
    };
    containers = mapAttrs (
      name: containerCfg:
      mkIf containerCfg.enable {
        autoStart = true;
        privateNetwork = true;
        hostBridge = cfg.bridgeName;
        ephemeral = true;
        bindMounts = {
          storage = {
            hostPath = "/zfs/media/github-runners/${name}";
            mountPoint = "/zfs/media/github-runners/${name}";
            isReadOnly = false;
          };
          host-nix = {
            mountPoint = "/host-nix/var/nix/daemon-socket";
            hostPath = "/nix/var/nix/daemon-socket";
            isReadOnly = false;
          };
-          pat = {
+          token = {
-            hostPath = "${vars.secrets}/services/github-runners/runner_pat";
+            hostPath = "${vars.secrets}/services/gitea-runners";
-            mountPoint = "${vars.secrets}/services/github-runners/runner_pat";
+            mountPoint = "/run/secrets/gitea-runners";
            isReadOnly = true;
          };
        };
@@ -92,46 +98,69 @@ in
                "nix-command"
              ];
              sandbox = true;
-              allowed-users = [ "github-runners" ];
+              allowed-users = [ "gitea-runner" ];
              trusted-users = [
                "root"
-                "github-runners"
+                "gitea-runner"
              ];
            };
            nixpkgs = {
              overlays = builtins.attrValues outputs.overlays;
              config.allowUnfree = true;
            };
-            services.github-runners.${name} = {
+            users = {
              users.${runnerUsername} = {
                isSystemUser = true;
                group = runnerUsername;
                uid = runnerUserid;
              };
              groups.${runnerUsername}.gid = runnerUserid;
            };
            services.gitea-actions-runner.instances.${name} = {
              enable = true;
-              replace = true;
+              name = "jeeves-${name}";
-              workDir = "/zfs/media/github-runners/${name}";
+              url = "http://192.168.99.14:6443/";
-              url = "https://github.com/RichieCahill/dotfiles";
+              labels = [
-              extraLabels = [ "nixos" ];
+                "self-hosted:host"
-              tokenFile = "${vars.secrets}/services/github-runners/runner_pat";
+                "nixos:host"
-              user = "github-runners";
+              ];
-              group = "github-runners";
+              tokenFile = "/run/secrets/gitea-runners/registration-token";
-              extraPackages = with pkgs; [
+              hostPackages = with pkgs; [
                bash
                coreutils
                curl
                gawk
                gitMinimal
-                gh
+                gnused
                my_python
                nix
                nixfmt
                nixos-rebuild
                nodejs
                treefmt
-                my_python
+                wget
              ];
            };
-            users = {
+            systemd.services."gitea-runner-${utils.escapeSystemdPath name}" = {
-              users.github-runners = {
+              serviceConfig = {
-                shell = pkgs.bash;
+                DynamicUser = mkForce false;
-                isSystemUser = true;
+                User = mkForce runnerUsername;
-                group = "github-runners";
+                Group = mkForce runnerUsername;
                uid = 601;
              };
              groups.github-runners.gid = 601;
            };
            system.stateVersion = "24.05";
          };
      }
    ) cfg.containers;
    systemd.services = builtins.listToAttrs (
      map (name: {
        name = "container@${name}";
        value = {
          requires = [ "gitea.service" ];
          after = [ "gitea.service" ];
        };
      }) (builtins.attrNames (filterAttrs (_: c: c.enable) cfg.containers))
    );
  };
 }
@@ -21,7 +21,9 @@ sudo zfs create media/secure/docker -o compression=zstd-9
 sudo zfs create media/secure/github-runners -o compression=zstd-9 -o sync=disabled
 sudo zfs create media/secure/home_assistant -o compression=zstd-19
 sudo zfs create media/secure/notes -o copies=2
-sudo zfs create media/secure/postgres -o recordsize=16k -o primarycache=metadata
+sudo zfs create media/secure/postgres -o mountpoint=/zfs/media/database/postgres -o recordsize=16k -o primarycache=metadata
 sudo zfs create media/secure/postgres-wal -o mountpoint=/zfs/media/database/postgres-wal -o recordsize=32k -o primarycache=metadata -o special_small_blocks=32K -o compression=lz4 -o secondarycache=none -o logbias=latency
 sudo zfs create media/secure/prometheus -o mountpoint=/zfs/media/database/prometheus -o compression=lz4
 sudo zfs create media/secure/services -o compression=zstd-9
 sudo zfs create media/secure/share -o mountpoint=/zfs/media/share -o exec=off
@@ -40,3 +42,4 @@ sudo zfs create storage/secure/plex -o recordsize=1M -o compression=zstd-19
 sudo zfs create storage/secure/secrets -o compression=zstd-19 -o copies=3
 sudo zfs create storage/secure/syncthing -o compression=zstd-19
 sudo zfs create storage/secure/transmission -o recordsize=1M -o compression=zstd-9 -o exec=off -o sync=disabled
 sudo zfs create storage/secure/important -o compression=zstd-19 -o copies=2 -o mountpoint=/zfs/storage/important
@@ -3,7 +3,10 @@ let
  vars = import ../vars.nix;
 in
 {
-  services.audiobookshelf.enable = true;
+  services.audiobookshelf = {
    enable = true;
    port = 8000;
  };
  systemd.services.audiobookshelf.serviceConfig.WorkingDirectory =
    lib.mkForce "${vars.docker_configs}/audiobookshelf";
  users.users.audiobookshelf.home = lib.mkForce "${vars.docker_configs}/audiobookshelf";
@@ -1,96 +0,0 @@
 {
  pkgs,
  inputs,
  ...
 }:
 let
  commonEnv = {
    PYTHONPATH = "${inputs.self}";
    KAFKA_BOOTSTRAP_SERVERS = "localhost:9092";
    BLUESKY_FIREHOSE_TOPIC = "bluesky.firehose.posts";
  };
  commonServiceConfig = {
    Type = "simple";
    WorkingDirectory = "${inputs.self}";
    User = "richie";
    Group = "users";
    Restart = "on-failure";
    RestartSec = "10s";
    StandardOutput = "journal";
    StandardError = "journal";
    NoNewPrivileges = true;
    ProtectSystem = "strict";
    ProtectHome = "read-only";
    PrivateTmp = true;
    ReadOnlyPaths = [ "${inputs.self}" ];
  };
 in
 {
  systemd.services.bluesky-firehose-topic-init = {
    description = "Create Kafka topic for Bluesky firehose";
    after = [ "apache-kafka.service" ];
    requires = [ "apache-kafka.service" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
      ExecStart = pkgs.writeShellScript "create-bluesky-topic" ''
        ${pkgs.apacheKafka}/bin/kafka-topics.sh \
          --bootstrap-server localhost:9092 \
          --create \
          --if-not-exists \
          --topic bluesky.firehose.posts \
          --partitions 6 \
          --replication-factor 1
      '';
    };
  };
  systemd.services.bluesky-firehose-producer = {
    description = "Bluesky Jetstream to Kafka producer";
    after = [
      "network.target"
      "apache-kafka.service"
      "bluesky-firehose-topic-init.service"
    ];
    requires = [
      "apache-kafka.service"
      "bluesky-firehose-topic-init.service"
    ];
    wantedBy = [ "multi-user.target" ];
    environment = commonEnv;
    serviceConfig = commonServiceConfig // {
      ExecStart = "${pkgs.my_python}/bin/python -m python.data_science.firehose_producer";
    };
  };
  systemd.services.bluesky-firehose-consumer = {
    description = "Bluesky Kafka to PostgreSQL consumer";
    after = [
      "network.target"
      "apache-kafka.service"
      "bluesky-firehose-topic-init.service"
      "postgresql.service"
    ];
    requires = [
      "apache-kafka.service"
      "bluesky-firehose-topic-init.service"
      "postgresql.service"
    ];
    wantedBy = [ "multi-user.target" ];
    environment = commonEnv // {
      DATA_SCIENCE_DEV_DB = "data_science_dev";
      DATA_SCIENCE_DEV_USER = "richie";
      DATA_SCIENCE_DEV_HOST = "/run/postgresql";
      DATA_SCIENCE_DEV_PORT = "5432";
    };
    serviceConfig = commonServiceConfig // {
      ExecStart = "${pkgs.my_python}/bin/python -m python.data_science.firehose_consumer";
    };
  };
 }
@@ -0,0 +1,80 @@
 {
  ...
 }:
 let
  vars = import ../vars.nix;
 in
 {
  systemd.tmpfiles.rules = [
    "d ${vars.docker_configs}/camofox-browser 0750 root root - -"
  ];
  containers.camofox-browser = {
    autoStart = true;
    privateNetwork = false;
    bindMounts = {
      camofox-browser = {
        hostPath = "${vars.docker_configs}/camofox-browser";
        mountPoint = "/var/lib/camofox-browser";
        isReadOnly = false;
      };
    };
    config =
      {
        pkgs,
        lib,
        ...
      }:
      {
        networking.hostName = "camofox-browser";
        environment.systemPackages = with pkgs; [
          ffmpeg
          git
          nodejs
          python3Packages.yt-dlp
        ];
        systemd.services.camofox-browser = {
          description = "Camofox browser server";
          wantedBy = [ "multi-user.target" ];
          after = [ "network.target" ];
          environment = {
            CAMOFOX_HOST = "127.0.0.1";
            CAMOFOX_PORT = "9377";
            HOME = "/var/lib/camofox-browser";
          };
          path = with pkgs; [
            bash
            coreutils
            git
            nodejs
          ];
          serviceConfig = {
            Restart = "always";
            RestartSec = "5s";
            WorkingDirectory = "/var/lib/camofox-browser";
          };
          script = ''
            set -eu
            app_dir=/var/lib/camofox-browser/app
            if [ ! -d "$app_dir/.git" ]; then
              git clone --depth 1 https://github.com/jo-inc/camofox-browser "$app_dir"
            fi
            cd "$app_dir"
            if [ ! -d node_modules ]; then
              npm install
            fi
            exec npm start
          '';
        };
        system.stateVersion = lib.mkDefault "24.05";
      };
  };
 }
@@ -1,17 +0,0 @@
 { pkgs, ... }:
 let
  vars = import ../vars.nix;
 in
 {
  systemd.services.cloud_flare_tunnel = {
    description = "cloud_flare_tunnel proxy's traffic through cloudflare";
    after = [ "network.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "simple";
      EnvironmentFile = "${vars.secrets}/docker/cloud_flare_tunnel";
      ExecStart = "${pkgs.cloudflared}/bin/cloudflared --no-autoupdate tunnel run";
      Restart = "on-failure";
    };
  };
 }
@@ -2,7 +2,10 @@ let
  vars = import ../vars.nix;
 in
 {
-  networking.firewall.allowedTCPPorts = [ 6443 ];
+  networking.firewall.allowedTCPPorts = [
    6443
    2223
  ];
  services.gitea = {
    enable = true;
@@ -18,13 +21,17 @@ in
      createDatabase = false;
    };
    settings = {
      actions = {
        ENABLED = true;
        DEFAULT_ACTIONS_URL = "github";
      };
      service.DISABLE_REGISTRATION = true;
      server = {
        DOMAIN = "tmmworkshop.com";
        ROOT_URL = "https://gitea.tmmworkshop.com/";
        HTTP_PORT = 6443;
        SSH_PORT = 2223;
-        SSH_LISTEN_PORT = 2224;
+        SSH_LISTEN_PORT = 2223;
        START_SSH_SERVER = true;
        PUBLIC_URL_DETECTION = "auto";
      };
@@ -0,0 +1,80 @@
 {
  ...
 }:
 let
  vars = import ../vars.nix;
  grafanaDataDir = "${vars.services}/grafana";
 in
 {
  networking.firewall.allowedTCPPorts = [ 3000 ];
  services.grafana = {
    enable = true;
    dataDir = grafanaDataDir;
    settings = {
      database.type = "sqlite3";
      security = {
        admin_password = "$__file{${vars.secrets}/services/grafana/admin_password}";
        admin_user = "admin";
        secret_key = "$__file{${vars.secrets}/services/grafana/secret_key}";
      };
      server = {
        http_addr = "192.168.90.40";
        http_port = 3000;
        root_url = "http://192.168.90.40:3000/";
      };
    };
    provision = {
      enable = true;
      dashboards.settings = {
        apiVersion = 1;
        providers = [
          {
            name = "monitoring";
            folder = "Monitoring";
            type = "file";
            disableDeletion = false;
            editable = false;
            allowUiUpdates = false;
            updateIntervalSeconds = 30;
            options.path = ../monitoring/dashboards;
          }
        ];
      };
      datasources.settings = {
        apiVersion = 1;
        prune = true;
        datasources = [
          {
            access = "proxy";
            editable = false;
            isDefault = true;
            name = "prom-main";
            type = "prometheus";
            uid = "prom-main";
            url = "http://127.0.0.1:9090";
          }
          {
            access = "proxy";
            editable = false;
            name = "prom-pid-short";
            type = "prometheus";
            uid = "prom-pid-short";
            url = "http://127.0.0.1:9092";
          }
        ];
      };
    };
  };
  systemd = {
    services.grafana.after = [
      "prometheus-main.service"
      "prometheus-pid-short.service"
    ];
    tmpfiles.rules = [
      "d ${grafanaDataDir} 0750 grafana grafana - -"
    ];
  };
 }
@@ -7,6 +7,13 @@ in
    settings = {
      listeners = [ "PLAINTEXT://localhost:9092" ];
      "log.dirs" = [ vars.kafka ];
      "num.partitions" = 6;
      "default.replication.factor" = 1;
      "log.retention.hours" = 168;
      "log.retention.bytes" = 10737418240;
      "log.segment.bytes" = 1073741824;
      "log.cleanup.policy" = "delete";
      "auto.create.topics.enable" = false;
    };
  };
 }
@@ -0,0 +1,107 @@
 { pkgs, ... }:
 let
  vars = import ../vars.nix;
  stateDir = "${vars.services}/nornsight";
  appDir = "${stateDir}/app";
  binPath = pkgs.lib.makeBinPath [
    pkgs.binutils
    pkgs.libpq
    pkgs.postgresql
    pkgs.stdenv.cc
  ];
  libraryPath = pkgs.lib.makeLibraryPath [
    pkgs.libpq
    pkgs.postgresql.lib
  ];
 in
 {
  systemd.tmpfiles.rules = [
    "d ${stateDir} 0750 nornsight nornsight - -"
  ];
  users.users.nornsight = {
    isSystemUser = true;
    group = "nornsight";
    home = stateDir;
  };
  systemd.services.nornsight = {
    description = "Norn Sight";
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];
    wantedBy = [ "multi-user.target" ];
    environment = {
      HOME = stateDir;
      UV_CACHE_DIR = "${stateDir}/.cache/uv";
      UV_PROJECT_ENVIRONMENT = "${appDir}/.venv";
      UV_PYTHON = "${pkgs.python313}/bin/python3.13";
      UV_PYTHON_DOWNLOADS = "never";
      LD_LIBRARY_PATH = libraryPath;
      LIBRARY_PATH = libraryPath;
      PSYCOPG_IMPL = "python";
    };
    path = with pkgs; [
      bash
      coreutils
      git
      uv
    ];
    serviceConfig = {
      Type = "simple";
      User = "nornsight";
      Group = "nornsight";
      EnvironmentFile = "-${vars.secrets}/services/nornsight";
      WorkingDirectory = stateDir;
      Restart = "on-failure";
      RestartSec = "5s";
      StandardOutput = "journal";
      StandardError = "journal";
      NoNewPrivileges = true;
      PrivateTmp = true;
      ProtectHome = true;
      ProtectSystem = "strict";
      ReadWritePaths = [ stateDir ];
    };
    script = ''
      set -eu
      export PATH="${binPath}:$PATH"
      export LD_LIBRARY_PATH="${libraryPath}:''${LD_LIBRARY_PATH:-}"
      export LIBRARY_PATH="${libraryPath}:''${LIBRARY_PATH:-}"
      : "''${NORN_SIGHT_REPO_URL:?NORN_SIGHT_REPO_URL is required}"
      branch="''${NORN_SIGHT_BRANCH:-main}"
      if [ -d "${appDir}/.git" ]; then
        current_origin="$(git -C "${appDir}" remote get-url origin)"
        if [ "$current_origin" != "$NORN_SIGHT_REPO_URL" ]; then
          rm -rf "${appDir}"
        fi
      fi
      if [ ! -d "${appDir}/.git" ]; then
        git clone --branch "$branch" "$NORN_SIGHT_REPO_URL" "${appDir}"
      else
        cd "${appDir}"
        git fetch origin "$branch"
        git checkout "$branch"
        git pull --ff-only origin "$branch"
      fi
      cd "${appDir}"
      uv sync --upgrade
      uv run python - <<'PY'
      import ctypes.util
      import os
      print(f"LD_LIBRARY_PATH={os.environ.get('LD_LIBRARY_PATH')}")
      print(f"LIBRARY_PATH={os.environ.get('LIBRARY_PATH')}")
      print(f"libpq={ctypes.util.find_library('pq')}")
      PY
      exec uv run uvicorn pipelines.web.main:app --host 0.0.0.0 --port 8001
    '';
  };
 }
@@ -5,9 +5,14 @@ in
 {
  networking.firewall.allowedTCPPorts = [ 5432 ];
  # Symlink pg_wal to a ZFS dataset on the special (metadata) vdev for fast WAL writes
  # this is required for systemd sandboxing
  systemd.services.postgresql.serviceConfig.ReadWritePaths = [ "/zfs/media/database/postgres-wal" ];
  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_17_jit;
    extensions = ps: with ps; [ pgvector ];
    enableTCPIP = true;
    enableJIT = true;
    dataDir = "${vars.database}/postgres";
@@ -33,6 +38,9 @@ in
      # signalbot
      local signalbot  signalbot   trust
      # hedgedoc
      local hedgedoc   hedgedoc    trust
      # math
      local postgres  math   trust
      host  postgres  math   127.0.0.1/32    trust
@@ -112,11 +120,19 @@ in
          login = true;
        };
      }
      {
        name = "hedgedoc";
        ensureDBOwnership = true;
        ensureClauses = {
          login = true;
        };
      }
    ];
    ensureDatabases = [
      "data_science_dev"
      "hass"
      "gitea"
      "hedgedoc"
      "math"
      "n8n"
      "richie"
@@ -1,57 +0,0 @@
 {
  pkgs,
  inputs,
  ...
 }:
 let
  vars = import ../vars.nix;
 in
 {
  users = {
    users.signalbot = {
      isSystemUser = true;
      group = "signalbot";
    };
    groups.signalbot = { };
  };
  systemd.services.signal-bot = {
    description = "Signal command and control bot";
    after = [
      "network.target"
      "podman-signal_cli_rest_api.service"
    ];
    wants = [ "podman-signal_cli_rest_api.service" ];
    wantedBy = [ "multi-user.target" ];
    environment = {
      PYTHONPATH = "${inputs.self}";
      SIGNALBOT_DB = "signalbot";
      SIGNALBOT_USER = "signalbot";
      SIGNALBOT_HOST = "/run/postgresql";
      SIGNALBOT_PORT = "5432";
    };
    serviceConfig = {
      Type = "simple";
      WorkingDirectory = "${inputs.self}";
      User = "signalbot";
      Group = "signalbot";
      EnvironmentFile = "${vars.secrets}/services/signal-bot";
      ExecStart = "${pkgs.my_python}/bin/python -m python.signal_bot.main";
      StateDirectory = "signal-bot";
      Restart = "on-failure";
      RestartSec = "10s";
      StandardOutput = "journal";
      StandardError = "journal";
      NoNewPrivileges = true;
      ProtectSystem = "strict";
      ProtectHome = "read-only";
      PrivateTmp = true;
      ReadWritePaths = [ "/var/lib/signal-bot" ];
      ReadOnlyPaths = [
        "${inputs.self}"
      ];
    };
  };
 }
@@ -1,7 +1,6 @@
 zpool = ["root_pool", "storage", "media"]
 services = [
    "audiobookshelf",
    "cloud_flare_tunnel",
    "haproxy",
    "docker",
    "home-assistant",
@@ -4,6 +4,7 @@ hourly = 24
 daily = 0
 monthly = 0
 # root_pool
 ["root_pool/home"]
 15_min = 8
 hourly = 24
@@ -27,57 +28,96 @@ monthly = 0
 hourly = 24
 daily = 30
 monthly = 6
 # storage
 ["storage/ollama"]
 15_min = 2
 hourly = 0
 daily = 0
 monthly = 0
-["storage/plex"]
+["storage/secure"]
 15_min = 0
 hourly = 0
 daily = 0
 monthly = 0
 ["storage/secure/plex"]
 15_min = 6
 hourly = 2
 daily = 1
 monthly = 0
-["media/plex"]
+["storage/secure/transmission"]
-15_min = 6
+15_min = 4
-hourly = 2
+hourly = 0
-daily = 1
+daily = 0
 monthly = 0
-["media/notes"]
+["storage/secure/secrets"]
 15_min = 8
 hourly = 24
 daily = 30
 monthly = 12
-["media/docker"]
+# media
-15_min = 3
+["media/temp"]
-hourly = 12
+15_min = 2
-daily = 14
+hourly = 0
-monthly = 2
+daily = 0
-
+monthly = 0
-["media/services"]
+
-15_min = 3
+["media/secure"]
-hourly = 12
+15_min = 0
-daily = 14
+hourly = 0
-monthly = 2
+daily = 0
-
+monthly = 0
-["media/home_assistant"]
+
 ["media/secure/plex"]
 15_min = 6
 hourly = 2
 daily = 1
 monthly = 0
 ["media/secure/postgres-wal"]
 15_min = 4
 hourly = 2
 daily = 0
 monthly = 0
 ["media/secure/postgres"]
 15_min = 8
 hourly = 24
 daily = 7
 monthly = 0
 ["media/secure/share"]
 15_min = 4
 hourly = 0
 daily = 0
 monthly = 0
 ["media/secure/github-runners"]
 15_min = 6
 hourly = 2
 daily = 1
 monthly = 0
 ["media/secure/notes"]
 15_min = 8
 hourly = 24
 daily = 30
 monthly = 12
 ["media/secure/docker"]
 15_min = 3
 hourly = 12
 daily = 14
 monthly = 2
 # scratch
 ["scratch/transmission"]
-15_min = 0
+15_min = 2
 hourly = 0
 daily = 0
 monthly = 0
 ["storage/transmission"]
 15_min = 0
 hourly = 0
 daily = 0
 monthly = 0
 ["storage/ollama"]
 15_min = 0
 hourly = 0
 daily = 0
 monthly = 0
@@ -10,6 +10,14 @@ in
    settings = {
      devices.davids-server.id = "7GXTDGR-AOXFW2O-K6J7NM3-XYZNRRW-AKHAFWM-GBOWUPQ-OA6JIWD-ER7RDQL"; # cspell:disable-line
      folders = {
        photos = {
          path = "${vars.syncthing}/important";
          devices = [
            "rhapsody-in-green"
            "phone"
          ];
          fsWatcherEnabled = true;
        };
        "dotfiles" = {
          path = "/home/richie/dotfiles";
          devices = [
@@ -89,7 +97,16 @@ in
          ];
          fsWatcherEnabled = true;
        };
-        #
+        "recordings" = {
          path = "/home/richie/recordings";
          devices = [
            "bob"
            "phone"
            "rhapsody-in-green"
          ];
          fsWatcherEnabled = true;
        };
        # davids-server
        "davids-backup1" = {
          id = "8229p-8z3tm"; # cspell:disable-line
          path = "${vars.syncthing}/davids_backups/1";
@@ -0,0 +1,74 @@
 let
  domains = [
    "audiobookshelf"
    "cache"
    "gitea"
    "jellyfin"
    "share"
  ];
  extraDomains = [ "www.norn-sight.com" ];
  makeCert = name: {
    name = "${name}.tmmworkshop.com";
    value = {
      webroot = "/var/lib/acme/.challenges";
      group = "acme";
      reloadServices = [ "haproxy.service" ];
    };
  };
  makeExtraCert = name: {
    inherit name;
    value = {
      webroot = "/var/lib/acme/.challenges";
      group = "acme";
      reloadServices = [ "haproxy.service" ];
    };
  };
  acmeServices =
    map (domain: "acme-${domain}.tmmworkshop.com.service") domains
    ++ map (domain: "acme-${domain}.service") extraDomains;
 in
 {
  users.users.haproxy.extraGroups = [ "acme" ];
  security.acme = {
    acceptTerms = true;
    defaults.email = "Richie@tmmworkshop.com";
    certs = builtins.listToAttrs ((map makeCert domains) ++ (map makeExtraCert extraDomains));
  };
  # Minimal nginx to serve ACME HTTP-01 challenge files for HAProxy
  services.nginx = {
    enable = true;
    virtualHosts."acme-challenge" = {
      listen = [
        {
          addr = "127.0.0.1";
          port = 8402;
        }
      ];
      locations."/.well-known/acme-challenge/" = {
        root = "/var/lib/acme/.challenges";
      };
    };
  };
  # Ensure the challenge directory exists with correct permissions
  systemd.tmpfiles.rules = [
    "d /var/lib/acme/.challenges 0750 acme acme - -"
    "d /var/lib/acme/.challenges/.well-known 0750 acme acme - -"
    "d /var/lib/acme/.challenges/.well-known/acme-challenge 0750 acme acme - -"
  ];
  users.users.nginx.extraGroups = [ "acme" ];
  # HAProxy needs certs to exist before it can bind :443.
  # NixOS's acme module generates self-signed placeholders on first boot
  # via acme-<domain>.service — just make HAProxy wait for them.
  systemd.services.haproxy = {
    after = acmeServices;
    wants = acmeServices;
  };
 }
@@ -0,0 +1,9 @@
 { lib, ... }:
 {
  imports =
    let
      files = builtins.attrNames (builtins.readDir ./.);
      nixFiles = builtins.filter (name: lib.hasSuffix ".nix" name && name != "default.nix") files;
    in
    map (file: ./. + "/${file}") nixFiles;
 }
@@ -6,6 +6,7 @@ global
 defaults
  log global
  mode http
  option httplog
  retries 3
  maxconn 2000
  timeout connect 5s
@@ -22,24 +23,38 @@ defaults
 #Application Setup
 frontend ContentSwitching
  bind *:80 v4v6
-  bind *:443 v4v6 ssl crt /zfs/storage/secrets/docker/cloudflare.pem
+  bind *:443 v4v6 ssl crt /var/lib/acme/audiobookshelf.tmmworkshop.com/full.pem crt /var/lib/acme/cache.tmmworkshop.com/full.pem crt /var/lib/acme/jellyfin.tmmworkshop.com/full.pem crt /var/lib/acme/share.tmmworkshop.com/full.pem crt /var/lib/acme/gitea.tmmworkshop.com/full.pem crt /var/lib/acme/www.norn-sight.com/full.pem
  mode  http
  # ACME challenge routing (must be first)
  acl is_acme path_beg /.well-known/acme-challenge/
  # tmmworkshop.com
  acl host_audiobookshelf  hdr(host) -i audiobookshelf.tmmworkshop.com
  acl host_cache  hdr(host) -i cache.tmmworkshop.com
  acl host_jellyfin  hdr(host) -i jellyfin.tmmworkshop.com
  acl host_share  hdr(host) -i share.tmmworkshop.com
  acl host_gcw  hdr(host) -i gcw.tmmworkshop.com
  acl host_n8n  hdr(host) -i n8n.tmmworkshop.com
  acl host_gitea  hdr(host) -i gitea.tmmworkshop.com
  acl host_norn_sight  hdr(host) -i www.norn-sight.com
  # Hosts allowed to serve plain HTTP (add entries to skip the HTTPS redirect)
  acl allow_http hdr(host) -i __none__
  # acl allow_http hdr(host) -i example.tmmworkshop.com
  # Redirect all HTTP to HTTPS unless on the allow list or ACME challenge
  http-request redirect scheme https code 301 if !{ ssl_fc } !allow_http !is_acme
  use_backend acme_challenge if is_acme
  use_backend audiobookshelf_nodes if host_audiobookshelf
  use_backend cache_nodes  if host_cache
  use_backend jellyfin if host_jellyfin
  use_backend share_nodes  if host_share
  use_backend gcw_nodes  if host_gcw
  use_backend n8n  if host_n8n
  use_backend gitea  if host_gitea
  use_backend norn_sight  if host_norn_sight
 backend acme_challenge
  mode http
  server acme 127.0.0.1:8402
 backend audiobookshelf_nodes
  mode http
@@ -60,14 +75,10 @@ backend share_nodes
  mode http
  server server 127.0.0.1:8091
 backend gcw_nodes
  mode http
  server server 127.0.0.1:8092
 backend n8n
  mode http
  server server 127.0.0.1:5678
 backend gitea
  mode http
-  server server 127.0.0.1:6443
+  server server 127.0.0.1:6443
 backend norn_sight
  mode http
  server server 127.0.0.1:8001
--- a/Show More
+++ b/Show More
		`@@ -1,3 +0,0 @@`
			`"""Data science CLI tools."""`

			`from __future__ import annotations`
		`@@ -0,0 +1 @@`
							`"""Whisper transcription tools (host orchestrator and container entrypoint)."""`