Backport zhaofengli/attic#246 to work around a hyper connection pool
race condition that causes spurious "connection closed before message
completed" errors during cache uploads in CI.
UniFi's Java process crashes during shutdown (Spring context race
condition) leaving mongod orphaned in the cgroup. The upstream module
sets KillSignal=SIGCONT so systemd won't interrupt the graceful
shutdown, but with the default KillMode=control-group this means
mongod also only gets SIGCONT (a no-op) and sits there until the
5-minute timeout triggers SIGKILL.
Switch to KillMode=mixed so the main Java process still gets the
harmless SIGCONT while mongod gets a proper SIGTERM for a clean
database shutdown.
ProtectSystem=strict with ReadWritePaths fails silently on ZFS submounts
(/var/lib is a separate dataset), leaving the data dir read-only. Downgrade
to ProtectSystem=full which leaves /var writable while still protecting
/usr and /boot.
Gatus: Add Roundcube, Collabora, and all s0 services (Jellyfin,
servarr stack, Home Assistant, ESPHome, Zigbee2MQTT, Frigate,
Valetudo, Sandman, Vikunja, Actual Budget, Linkwarden, Memos,
Outline, LanguageTool, Unifi) in a new "s0" group.
Dashy: Add missing public services (ntfy, Librechat, Owncast,
Navidrome, Collabora, Gatus) to Services section. Add new Home
Automation and Productivity sections. Add Unifi to Network.
Remove disabled Jitsi Meet.
The server list endpoint returns JSON on line 1 with a base64-encoded
RSA-SHA256 signature on lines 3+. This was previously ignored. Add
verifyServerList() that checks the signature against PIA's public
signing key before trusting the data. On failure the service aborts
and systemd restarts it.
Also bump RestartSec to 5m to avoid hammering PIA servers on repeated
failures, and add openssl to container dependencies.
Replace the single VPN container (veth pair, host-side auth scripts) with a
multi-container setup on a shared bridge network:
- Dedicated VPN container handles all PIA auth, WireGuard config, NAT, and
optional port forwarding DNAT
- Service containers default-route through VPN container (leak-proof by topology)
- Host runs tinyproxy on bridge for PIA API bootstrap before WG is up
- WG interface is still created in host netns and moved into VPN container
namespace
- Monthly renewal to ensure that connection stays up (PIA allows connections to
last up to 2 months)
- Drop OpenVPN support entirely
Gatus is configured entirely via YAML (mapped from Nix attrsets),
making nix-config the single source of truth for all monitoring
config instead of Uptime Kuma's web UI/SQLite database.
Update the attic cache URL from s0.koi-bebop.ts.net to s0.neet.dev
and configure sandboxed workspaces to inherit the host's binary cache
settings (substituters, trusted keys, netrc auth via agenix).
Add a zfs-alerts module that runs a daily health check on ZFS machines,
sending detailed ntfy notifications for degraded pools, data errors, or
drive errors. Introduce an "ntfy" system role to decouple ntfy alerting
from the server/personal roles, and assign it to all machines.
Replace nix-serve-only setup with Attic for managed binary caching with
upstream filtering and GC. Move gitea actions runner from host into an
isolated NixOS container with private networking. nix-serve kept alongside
Attic during migration.
