zuckerberg
712b52a48d
Capture full systemd unit name for ntfy error alerts
2026-03-03 21:46:45 -08:00
zuckerberg
c6eeea982e
Add ignoredUnits option; skip logrotate failures on s0 because they are spurious
2026-03-03 21:46:19 -08:00
zuckerberg
6bd1b4466e
Update claude.md
2026-03-03 21:43:36 -08:00
zuckerberg
d806d4df0a
Increase tinyproxy wait-online timeout to 180s
Check Flake / check-flake (push) Failing after 5m29s
The bridge takes ~62s to come up on s0, exceeding the 60s timeout
and causing tinyproxy to fail on first start.
2026-03-03 21:04:40 -08:00
zuckerberg
8997e996ba
See if limiting upload jobs helps with push reliability
Check Flake / check-flake (push) Successful in 14m14s
Auto Update Flake / auto-update (push) Failing after 19s
2026-03-01 21:36:31 -08:00
zuckerberg
9914d03ba2
Embed flake git revision in NixOS configuration
Check Flake / check-flake (push) Has been cancelled
2026-03-01 19:03:47 -08:00
zuckerberg
55204b5074
Upgrade to nextcloud 33
Check Flake / check-flake (push) Has been cancelled
2026-03-01 18:23:55 -08:00
zuckerberg
43ec75741d
Fix memos failing to open SQLite database on ZFS
Check Flake / check-flake (push) Failing after 18s
ProtectSystem=strict with ReadWritePaths fails silently on ZFS submounts
(/var/lib is a separate dataset), leaving the data dir read-only. Downgrade
to ProtectSystem=full which leaves /var writable while still protecting
/usr and /boot.
2026-03-01 17:54:11 -08:00
zuckerberg
000bbd7f4d
Update interface names because usePredictableInterfaceNames is now off
2026-03-01 17:52:42 -08:00
zuckerberg
e4f0d065f9
Fix tinyproxy starting before VPN bridge is configured
tinyproxy binds to the bridge IP but had no ordering dependency on
systemd-networkd, so it could start before the bridge existed.
2026-03-01 17:52:35 -08:00
zuckerberg
7ec85cb406
Move s0 to using systemd networkd
2026-03-01 12:36:10 -08:00
zuckerberg
e9e925eb46
Fix annoying 'refused connection' logs spamming dmesg due to spotify connect
2026-03-01 12:36:10 -08:00
zuckerberg
2ed58e1ec5
Update flake inputs; drop navidrome; fix noto-fonts subset glob
- Update nixpkgs (Feb 27), home-manager, microvm, nix-index-database,
  claude-code-nix, dailybot
- Remove navidrome service, nginx proxy, dashy entry, and gatus monitor
- Add noto-fonts-subset patch for libreoffice/collabora (noto-fonts
  2026.02.01 switched from variable to static font filenames)
- Add incus-lts writableTmpDirAsHomeHook overlay for sandbox HOME fix
- Add samba4Full overlay to disable CephFS (ceph pinned to python3.11)
2026-03-01 12:36:10 -08:00
zuckerberg
facaa261bc
Add missing services to Gatus monitoring and Dashy dashboard
Check Flake / check-flake (push) Successful in 3m50s
Gatus: Add Roundcube, Collabora, and all s0 services (Jellyfin,
servarr stack, Home Assistant, ESPHome, Zigbee2MQTT, Frigate,
Valetudo, Sandman, Vikunja, Actual Budget, Linkwarden, Memos,
Outline, LanguageTool, Unifi) in a new "s0" group.
Dashy: Add missing public services (ntfy, Librechat, Owncast,
Navidrome, Collabora, Gatus) to Services section. Add new Home
Automation and Productivity sections. Add Unifi to Network.
Remove disabled Jitsi Meet.
2026-02-26 23:41:06 -08:00
zuckerberg
1d915f9524
Add update flake and skill creator skills
Check Flake / check-flake (push) Successful in 3m14s
2026-02-26 23:09:32 -08:00
zuckerberg
73633eaddc
non-nix managed nextcloud apps isn't worth the headache
Check Flake / check-flake (push) Successful in 3m25s
2026-02-26 22:51:42 -08:00
zuckerberg
6a0540dddd
Update attic-netrc
Check Flake / check-flake (push) Has been cancelled
2026-02-26 22:47:28 -08:00
zuckerberg
ce9bda8a0b
Verify RSA-SHA256 signature on PIA server list response
Check Flake / check-flake (push) Successful in 3m20s
The server list endpoint returns JSON on line 1 with a base64-encoded
RSA-SHA256 signature on lines 3+. This was previously ignored. Add
verifyServerList() that checks the signature against PIA's public
signing key before trusting the data. On failure the service aborts
and systemd restarts it.
Also bump RestartSec to 5m to avoid hammering PIA servers on repeated
failures, and add openssl to container dependencies.
2026-02-26 22:32:23 -08:00
zuckerberg
1dd1b420d5
Add ntfy ssh login alerts. Include systemd service logs with service errors
Check Flake / check-flake (push) Successful in 3m34s
2026-02-26 21:40:51 -08:00
zuckerberg
59623c8a3b
fix nextcloud auto-update crashing on nix-managed apps
Check Flake / check-flake (push) Has been cancelled
2026-02-26 21:39:11 -08:00
zuckerberg
f2f5761c83
Rewrite PIA VPN as multi-container bridge architecture
Check Flake / check-flake (push) Successful in 3m15s
Replace the single VPN container (veth pair, host-side auth scripts) with a
multi-container setup on a shared bridge network:
- Dedicated VPN container handles all PIA auth, WireGuard config, NAT, and
  optional port forwarding DNAT
- Service containers default-route through VPN container (leak-proof by topology)
- Host runs tinyproxy on bridge for PIA API bootstrap before WG is up
- WG interface is still created in host netns and moved into VPN container
  namespace
- Monthly renewal to ensure that connection stays up (PIA allows connections to
  last up to 2 months)
- Drop OpenVPN support entirely
2026-02-26 19:51:35 -08:00
gitea-runner
412dd12b5a
flake.lock: update inputs
Check Flake / check-flake (push) Successful in 2m22s
Auto Update Flake / auto-update (push) Failing after 50s
2026-02-22 22:01:06 -08:00
zuckerberg
684851d641
Prevent containers from running non-container services
Check Flake / check-flake (push) Successful in 2m21s
Auto Update Flake / auto-update (push) Successful in 3m29s
2026-02-22 18:18:05 -08:00
zuckerberg
4cf50b5fb1
Restart atticd whenever PostgreSQL restarts
Check Flake / check-flake (push) Successful in 3m7s
2026-02-22 17:53:46 -08:00
zuckerberg
288a2841aa
Replace Uptime Kuma with Gatus for declarative uptime monitoring
Check Flake / check-flake (push) Successful in 2m4s
Gatus is configured entirely via YAML (mapped from Nix attrsets),
making nix-config the single source of truth for all monitoring
config instead of Uptime Kuma's web UI/SQLite database.
2026-02-22 17:30:03 -08:00
zuckerberg
0589ca5748
Add attic binary cache to sandboxed workspaces
Update the attic cache URL from s0.koi-bebop.ts.net to s0.neet.dev
and configure sandboxed workspaces to inherit the host's binary cache
settings (substituters, trusted keys, netrc auth via agenix).
2026-02-22 17:22:44 -08:00
zuckerberg
a4c5cb589a
Claude workspaces
2026-02-22 17:19:48 -08:00
zuckerberg
a697ea10ad
Add daily ZFS health check with ntfy alerts and introduce ntfy role
Add a zfs-alerts module that runs a daily health check on ZFS machines,
sending detailed ntfy notifications for degraded pools, data errors, or
drive errors. Introduce an "ntfy" system role to decouple ntfy alerting
from the server/personal roles, and assign it to all machines.
2026-02-22 17:17:40 -08:00
zuckerberg
200d5a5d22
Add ntfy failure alerts for all systemd services
Check Flake / check-flake (push) Successful in 3m18s
2026-02-22 16:19:43 -08:00
zuckerberg
339eac52c6
Add uptime kuma
Check Flake / check-flake (push) Successful in 9m15s
2026-02-22 15:49:26 -08:00
zuckerberg
bab4b3ff8e
Skip build and push when flake.lock has no changes
Check Flake / check-flake (push) Successful in 2m0s
2026-02-22 15:12:45 -08:00
zuckerberg
54ab576914
Fix push auth with PAT, correct run link, and add ntfy to check-flake
2026-02-22 15:12:45 -08:00
zuckerberg
c84c0716ce
Fix push auth with PAT and use correct run_number in ntfy link
2026-02-22 15:12:45 -08:00
zuckerberg
a921f40644
Fix git identity and ntfy URL in auto-update workflow
2026-02-22 15:12:45 -08:00
gitea-runner
a6c17164fa
flake.lock: Update
Check Flake / check-flake (push) Successful in 2m1s
Flake lock file updates:
• Updated input 'home-manager':
'github:nix-community/home-manager/c6ed3eab64d23520bcbb858aa53fe2b533725d4a?narHash=sha256-WxAEkAbo8dP7qiyPM6VN4ZGAxfuBVlNBNPkrqkrXVEc%3D' (2026-02-21)
→ 'github:nix-community/home-manager/5bd3589390b431a63072868a90c0f24771ff4cbb?narHash=sha256-Tl2I0YXdhSTufGqAaD1ySh8x%2BcvVsEI1mJyJg12lxhI%3D' (2026-02-22)
• Updated input 'microvm':
'github:astro/microvm.nix/789c90b164b55b4379e7a94af8b9c01489024c18?narHash=sha256-1XJOslVyF7yzf6yd/yl1VjGLywsbtwmQh3X1LuJcLI4%3D' (2026-02-17)
→ 'github:astro/microvm.nix/a3abc020a3d8e624e145f4144ed40702f788ea32?narHash=sha256-Pf4CaRoOLQV02m2POPA%2B0EWvb3gVdpaiS0hNNVZhO3c%3D' (2026-02-21)
• Updated input 'nix-index-database':
'github:Mic92/nix-index-database/efec7aaad8d43f8e5194df46a007456093c40f88?narHash=sha256-UIKOwG0D9XVIJfNWg6%2BgENAvQP%2B7LO46eO0Jpe%2BItJ0%3D' (2026-02-15)
→ 'github:Mic92/nix-index-database/8f590b832326ab9699444f3a48240595954a4b10?narHash=sha256-/phvMgr1yutyAMjKnZlxkVplzxHiz60i4rc%2BgKzpwhg%3D' (2026-02-22)
2026-02-22 15:04:48 -08:00
zuckerberg
9df8390f1f
Add daily auto-update workflow with shared build script
Check Flake / check-flake (push) Successful in 2m7s
2026-02-21 23:29:41 -08:00
zuckerberg
156f0183bd
Add ntfy push notification server on ponyo
2026-02-21 23:29:36 -08:00
zuckerberg
8b92e51ef7
Remove phil machine and aarch64 ISO/kexec
2026-02-21 21:43:12 -08:00
zuckerberg
7798872bbf
Disable SMB3 directory leases to fix stale listings from local file changes
2026-02-21 21:43:12 -08:00
zuckerberg
cf41285cb8
Update inputs + move to nixos-unstable
2026-02-21 21:43:12 -08:00
zuckerberg
5a0a525f64
Add Attic binary cache and containerize gitea runner
Replace nix-serve-only setup with Attic for managed binary caching with
upstream filtering and GC. Move gitea actions runner from host into an
isolated NixOS container with private networking. nix-serve kept alongside
Attic during migration.
2026-02-21 21:43:08 -08:00
zuckerberg
9154595910
Add Incus sandbox on fry I've already been using for a while now
Check Flake / check-flake (push) Successful in 3m35s
2026-02-17 21:35:23 -08:00
zuckerberg
1b92363b08
Fix rust analyzer in vscode
2026-02-17 21:28:50 -08:00
zuckerberg
136f024cf0
Fix tailscale networking when incus is on
2026-02-17 21:28:28 -08:00
zuckerberg
3d08a3e9bc
Improve nix settings for sandboxed workspaces
Check Flake / check-flake (push) Successful in 1m15s
2026-02-14 11:29:02 -08:00
zuckerberg
99ef62d31a
Fix unused vars
Check Flake / check-flake (push) Successful in 1m21s
2026-02-11 23:12:00 -08:00
zuckerberg
298f473ceb
Remove unused vscode-server module
2026-02-11 23:00:48 -08:00
zuckerberg
546bd08f83
Fix CI build. Ephemeral targets should not be in nixosConfigurations
Check Flake / check-flake (push) Successful in 17m45s
2026-02-11 22:49:11 -08:00
zuckerberg
10f3e3a7bf
Remove old stale/unused configuration
2026-02-11 22:47:38 -08:00
zuckerberg
d44bd12e17
Update README.md
2026-02-11 21:58:38 -08:00