flake.lock: update inputs

Prevent containers from running non-container services
Restart atticd whenever PostgreSQL restarts
2026-02-22 22:01:06 -08:00 · 2026-02-22 18:18:05 -08:00 · 2026-02-22 17:53:46 -08:00 · 2026-02-22 17:30:03 -08:00 · 2026-02-22 17:22:44 -08:00 · 2026-02-22 17:19:48 -08:00
39 changed files with 713 additions and 231 deletions
--- a/.gitea/scripts/build-and-cache.sh
+++ b/.gitea/scripts/build-and-cache.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Configure Attic cache
+attic login local "$ATTIC_ENDPOINT" "$ATTIC_TOKEN"
+attic use local:nixos
+
+# Check flake
+nix flake check --all-systems --print-build-logs --log-format raw --show-trace
+
+# Build all systems
+nix eval .#nixosConfigurations --apply 'cs: builtins.attrNames cs' --json \
+  | jq -r '.[]' \
+  | xargs -I{} nix build ".#nixosConfigurations.{}.config.system.build.toplevel" \
+      --no-link --print-build-logs --log-format raw
+
+# Push to cache (only locally-built paths >= 0.5MB)
+toplevels=$(nix eval .#nixosConfigurations \
+  --apply 'cs: map (n: "${cs.${n}.config.system.build.toplevel}") (builtins.attrNames cs)' \
+  --json | jq -r '.[]')
+echo "Found $(echo "$toplevels" | wc -l) system toplevels"
+paths=$(echo "$toplevels" \
+  | xargs nix path-info -r --json \
+  | jq -r '[to_entries[] | select(
+      (.value.signatures | all(startswith("cache.nixos.org") | not))
+      and .value.narSize >= 524288
+    ) | .key] | unique[]')
+echo "Pushing $(echo "$paths" | wc -l) unique paths to cache"
+echo "$paths" | xargs attic push local:nixos
--- a/.gitea/workflows/auto-update.yaml
+++ b/.gitea/workflows/auto-update.yaml
@@ -0,0 +1,60 @@
+name: Auto Update Flake
+on:
+  schedule:
+    - cron: '0 6 * * *'
+  workflow_dispatch: {}
+
+env:
+  DEBIAN_FRONTEND: noninteractive
+  PATH: /run/current-system/sw/bin/
+  XDG_CONFIG_HOME: ${{ runner.temp }}/.config
+  ATTIC_ENDPOINT: ${{ vars.ATTIC_ENDPOINT }}
+  ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }}
+
+jobs:
+  auto-update:
+    runs-on: nixos
+    steps:
+      - name: Checkout the repository
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          ref: master
+          token: ${{ secrets.PUSH_TOKEN }}
+
+      - name: Configure git identity
+        run: |
+          git config user.name "gitea-runner"
+          git config user.email "gitea-runner@neet.dev"
+
+      - name: Update flake inputs
+        id: update
+        run: |
+          nix flake update
+          if git diff --quiet flake.lock; then
+            echo "No changes to flake.lock, nothing to do"
+            echo "changed=false" >> "$GITHUB_OUTPUT"
+          else
+            git add flake.lock
+            git commit -m "flake.lock: update inputs"
+            echo "changed=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Build and cache
+        if: steps.update.outputs.changed == 'true'
+        run: bash .gitea/scripts/build-and-cache.sh
+
+      - name: Push updated lockfile
+        if: steps.update.outputs.changed == 'true'
+        run: git push
+
+      - name: Notify on failure
+        if: failure() && steps.update.outputs.changed == 'true'
+        run: |
+          curl -s \
+            -H "Authorization: Bearer ${{ secrets.NTFY_TOKEN }}" \
+            -H "Title: Flake auto-update failed" \
+            -H "Priority: high" \
+            -H "Tags: warning" \
+            -d "Auto-update workflow failed. Check: ${{ gitea.server_url }}/${{ gitea.repository }}/actions/runs/${{ gitea.run_number }}" \
+            https://ntfy.neet.dev/nix-flake-updates
--- a/.gitea/workflows/check-flake.yaml
+++ b/.gitea/workflows/check-flake.yaml
@@ -5,6 +5,9 @@ on: [push]
 env:
  DEBIAN_FRONTEND: noninteractive
  PATH: /run/current-system/sw/bin/
+  XDG_CONFIG_HOME: ${{ runner.temp }}/.config
+  ATTIC_ENDPOINT: ${{ vars.ATTIC_ENDPOINT }}
+  ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }}

 jobs:
  check-flake:
@@ -15,5 +18,16 @@ jobs:
        with:
          fetch-depth: 0

-      - name: Check Flake
-        run: nix flake check --all-systems --print-build-logs --log-format raw --show-trace
+      - name: Build and cache
+        run: bash .gitea/scripts/build-and-cache.sh
+
+      - name: Notify on failure
+        if: failure()
+        run: |
+          curl -s \
+            -H "Authorization: Bearer ${{ secrets.NTFY_TOKEN }}" \
+            -H "Title: Flake check failed" \
+            -H "Priority: high" \
+            -H "Tags: warning" \
+            -d "Check failed for ${{ gitea.ref_name }}. Check: ${{ gitea.server_url }}/${{ gitea.repository }}/actions/runs/${{ gitea.run_number }}" \
+            https://ntfy.neet.dev/nix-flake-updates
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 result
+.claude/worktrees
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -67,6 +67,12 @@ IP allocation convention: VMs `.10-.49`, containers `.50-.89`, incus `.90-.129`

 `flake.nix` applies patches from `/patches/` to nixpkgs before building (workaround for nix#3920).

+### Service Dashboard & Monitoring
+
+When adding or removing a web-facing service, update both:
+- **Gatus** (`common/server/gatus.nix`) — add/remove the endpoint monitor
+- **Dashy** — add/remove the service entry from the dashboard config
+
 ### Key Conventions

 - Uses `doas` instead of `sudo` everywhere
@@ -79,3 +85,9 @@ IP allocation convention: VMs `.10-.49`, containers `.50-.89`, incus `.90-.129`
 - Always use `--no-link` when running `nix build`
 - Don't use `nix build --dry-run` unless you only need evaluation — it skips the actual build
 - Avoid `2>&1` on nix commands — it can cause error output to be missed
+
+## Git Worktree Requirement
+
+When instructed to work in a git worktree (e.g., via `isolation: "worktree"` or told to use a worktree), you **MUST** do so. If you are unable to create or use a git worktree, you **MUST** stop work immediately and report the failure to the user. Do not fall back to working in the main working tree.
+
+When applying work from a git worktree back to the main branch, commit in the worktree first, then use `git cherry-pick` from the main working tree to bring the commit over. Do not use `git checkout` or `git apply` to copy files directly. Do **not** automatically apply worktree work to the main branch — always ask the user for approval first.
--- a/common/binary-cache.nix
+++ b/common/binary-cache.nix
@@ -1,4 +1,4 @@
-{ ... }:
+{ config, ... }:

 {
  nix = {
@@ -6,11 +6,11 @@
      substituters = [
        "https://cache.nixos.org/"
        "https://nix-community.cachix.org"
-        "http://s0.koi-bebop.ts.net:5000"
+        "http://s0.neet.dev:28338/nixos"
      ];
      trusted-public-keys = [
        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-        "s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU="
+        "nixos:e5AMCUWWEX9MESWAAMjBkZdGUpl588NhgsUO3HsdhFw="
      ];

      # Allow substituters to be offline
@@ -19,6 +19,11 @@
      # and use this flag as intended for deciding if it should build missing
      # derivations locally. See https://github.com/NixOS/nix/issues/6901
      fallback = true;
+
+      # Authenticate to private nixos cache
+      netrc-file = config.age.secrets.attic-netrc.path;
    };
  };
+
+  age.secrets.attic-netrc.file = ../secrets/attic-netrc.age;
 }
--- a/common/default.nix
+++ b/common/default.nix
@@ -6,6 +6,8 @@
    ./binary-cache.nix
    ./flakes.nix
    ./auto-update.nix
+    ./ntfy-alerts.nix
+    ./zfs-alerts.nix
    ./shell.nix
    ./network
    ./boot
@@ -100,5 +102,5 @@
  security.acme.defaults.email = "zuckerberg@neet.dev";

  # Enable Desktop Environment if this is a PC (machine role is "personal")
-  de.enable = lib.mkDefault (config.thisMachine.hasRole."personal");
+  de.enable = lib.mkDefault (config.thisMachine.hasRole."personal" && !config.boot.isContainer);
 }
--- a/common/network/tailscale.nix
+++ b/common/network/tailscale.nix
@@ -10,6 +10,10 @@ in

  config.services.tailscale.enable = mkDefault (!config.boot.isContainer);

+  # Trust Tailscale interface - access control is handled by Tailscale ACLs.
+  # Required because nftables (used by Incus) breaks Tailscale's automatic iptables rules.
+  config.networking.firewall.trustedInterfaces = mkIf cfg.enable [ "tailscale0" ];
+
  # MagicDNS
  config.networking.nameservers = mkIf cfg.enable [ "1.1.1.1" "8.8.8.8" ];
  config.networking.search = mkIf cfg.enable [ "koi-bebop.ts.net" ];
--- a/common/nix-builder.nix
+++ b/common/nix-builder.nix
@@ -4,15 +4,15 @@ let
  builderUserName = "nix-builder";

  builderRole = "nix-builder";
-  builders = config.machines.withRole.${builderRole};
-  thisMachineIsABuilder = config.thisMachine.hasRole.${builderRole};
+  builders = config.machines.withRole.${builderRole} or [];
+  thisMachineIsABuilder = config.thisMachine.hasRole.${builderRole} or false;

  # builders don't include themselves as a remote builder
  otherBuilders = lib.filter (hostname: hostname != config.networking.hostName) builders;
 in
 lib.mkMerge [
  # configure builder
-  (lib.mkIf thisMachineIsABuilder {
+  (lib.mkIf (thisMachineIsABuilder && !config.boot.isContainer) {
    users.users.${builderUserName} = {
      description = "Distributed Nix Build User";
      group = builderUserName;
--- a/common/ntfy-alerts.nix
+++ b/common/ntfy-alerts.nix
@@ -0,0 +1,57 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.ntfy-alerts;
+in
+{
+  options.ntfy-alerts = {
+    serverUrl = lib.mkOption {
+      type = lib.types.str;
+      default = "https://ntfy.neet.dev";
+      description = "Base URL of the ntfy server.";
+    };
+
+    topic = lib.mkOption {
+      type = lib.types.str;
+      default = "service-failures";
+      description = "ntfy topic to publish alerts to.";
+    };
+  };
+
+  config = lib.mkIf config.thisMachine.hasRole."ntfy" {
+    age.secrets.ntfy-token.file = ../secrets/ntfy-token.age;
+
+    systemd.services."ntfy-failure@" = {
+      description = "Send ntfy alert for failed unit %i";
+      wants = [ "network-online.target" ];
+      after = [ "network-online.target" ];
+      serviceConfig = {
+        Type = "oneshot";
+        EnvironmentFile = "/run/agenix/ntfy-token";
+        ExecStart = "${pkgs.writeShellScript "ntfy-failure-notify" ''
+          unit="$1"
+          ${lib.getExe pkgs.curl} \
+            --fail --silent --show-error \
+            --max-time 30 --retry 3 \
+            -H "Authorization: Bearer $NTFY_TOKEN" \
+            -H "Title: Service failure on ${config.networking.hostName}" \
+            -H "Priority: high" \
+            -H "Tags: rotating_light" \
+            -d "Unit $unit failed at $(date +%c)" \
+            "${cfg.serverUrl}/${cfg.topic}"
+        ''} %i";
+      };
+    };
+
+    # Apply OnFailure to all services via a systemd drop-in
+    systemd.packages = [
+      (pkgs.runCommand "ntfy-on-failure-dropin" { } ''
+        mkdir -p $out/lib/systemd/system/service.d
+        cat > $out/lib/systemd/system/service.d/ntfy-on-failure.conf <<'EOF'
+        [Unit]
+        OnFailure=ntfy-failure@%p.service
+        EOF
+      '')
+    ];
+  };
+}
--- a/common/sandboxed-workspace/base.nix
+++ b/common/sandboxed-workspace/base.nix
@@ -27,6 +27,7 @@ in
    ../shell.nix
    hostConfig.inputs.home-manager.nixosModules.home-manager
    hostConfig.inputs.nix-index-database.nixosModules.default
+    hostConfig.inputs.agenix.nixosModules.default
  ];

  nixpkgs.overlays = [
@@ -114,6 +115,14 @@ in

  # Enable flakes
  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+  nix.settings.trusted-users = [ "googlebot" ];
+
+  # Binary cache configuration (inherited from host's common/binary-cache.nix)
+  nix.settings.substituters = hostConfig.nix.settings.substituters;
+  nix.settings.trusted-public-keys = hostConfig.nix.settings.trusted-public-keys;
+  nix.settings.fallback = true;
+  nix.settings.netrc-file = config.age.secrets.attic-netrc.path;
+  age.secrets.attic-netrc.file = ../../secrets/attic-netrc.age;

  # Make nixpkgs available in NIX_PATH and registry (like the NixOS ISO)
  # This allows `nix-shell -p`, `nix repl '<nixpkgs>'`, etc. to work
--- a/common/sandboxed-workspace/incus.nix
+++ b/common/sandboxed-workspace/incus.nix
@@ -32,6 +32,9 @@ let
            networking.useHostResolvConf = false;
            nixpkgs.config.allowUnfree = true;

+            # Incus containers don't support the kernel features nix sandbox requires
+            nix.settings.sandbox = false;
+
            environment.systemPackages = [
              (lib.hiPrio (pkgs.writeShellScriptBin "claude" ''
                exec ${pkgs.claude-code}/bin/claude --dangerously-skip-permissions "$@"
--- a/common/server/atticd.nix
+++ b/common/server/atticd.nix
@@ -0,0 +1,62 @@
+{ config, lib, ... }:
+
+{
+  config = lib.mkIf (config.thisMachine.hasRole."binary-cache" && !config.boot.isContainer) {
+    services.atticd = {
+      enable = true;
+      environmentFile = config.age.secrets.atticd-credentials.path;
+      settings = {
+        listen = "[::]:28338";
+        database.url = "postgresql:///atticd?host=/run/postgresql";
+        require-proof-of-possession = false;
+
+        # Disable chunking — the dedup savings don't justify the CPU/IO
+        # overhead for local storage, especially on ZFS which already
+        # does block-level compression.
+        chunking = {
+          nar-size-threshold = 0;
+          min-size = 16 * 1024;
+          avg-size = 64 * 1024;
+          max-size = 256 * 1024;
+        };
+
+        # Let ZFS handle compression instead of double-compressing.
+        compression.type = "none";
+
+        garbage-collection.default-retention-period = "6 months";
+      };
+    };
+
+    # PostgreSQL for atticd
+    services.postgresql = {
+      enable = true;
+      ensureDatabases = [ "atticd" ];
+      ensureUsers = [{
+        name = "atticd";
+        ensureDBOwnership = true;
+      }];
+    };
+
+    # Use a static user so the ZFS mountpoint at /var/lib/atticd works
+    # (DynamicUser conflicts with ZFS mountpoints)
+    users.users.atticd = {
+      isSystemUser = true;
+      group = "atticd";
+      home = "/var/lib/atticd";
+    };
+    users.groups.atticd = { };
+
+    systemd.services.atticd = {
+      after = [ "postgresql.service" ];
+      requires = [ "postgresql.service" ];
+      partOf = [ "postgresql.service" ];
+      serviceConfig = {
+        DynamicUser = lib.mkForce false;
+        User = "atticd";
+        Group = "atticd";
+      };
+    };
+
+    age.secrets.atticd-credentials.file = ../../secrets/atticd-credentials.age;
+  };
+}
--- a/common/server/default.nix
+++ b/common/server/default.nix
@@ -12,8 +12,11 @@
    ./mailserver.nix
    ./nextcloud.nix
    ./gitea-actions-runner.nix
+    ./atticd.nix
    ./librechat.nix
    ./actualbudget.nix
    ./unifi.nix
+    ./ntfy.nix
+    ./gatus.nix
  ];
 }
--- a/common/server/gatus.nix
+++ b/common/server/gatus.nix
@@ -0,0 +1,146 @@
+{ lib, config, ... }:
+
+let
+  cfg = config.services.gatus;
+  port = 31103;
+in
+{
+  options.services.gatus = {
+    hostname = lib.mkOption {
+      type = lib.types.str;
+      example = "status.example.com";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.gatus = {
+      environmentFile = "/run/agenix/ntfy-token";
+      settings = {
+        storage = {
+          type = "sqlite";
+          path = "/var/lib/gatus/data.db";
+        };
+
+        web = {
+          address = "127.0.0.1";
+          port = port;
+        };
+
+        alerting.ntfy = {
+          url = "https://ntfy.neet.dev";
+          topic = "service-failures";
+          priority = 4;
+          default-alert = {
+            enabled = true;
+            failure-threshold = 3;
+            success-threshold = 2;
+            send-on-resolved = true;
+          };
+          token = "$NTFY_TOKEN";
+        };
+
+        endpoints = [
+          {
+            name = "Gitea";
+            group = "services";
+            url = "https://git.neet.dev";
+            interval = "5m";
+            conditions = [
+              "[STATUS] == 200"
+            ];
+            alerts = [{ type = "ntfy"; }];
+          }
+          {
+            name = "The Lounge";
+            group = "services";
+            url = "https://irc.neet.dev";
+            interval = "5m";
+            conditions = [
+              "[STATUS] == 200"
+            ];
+            alerts = [{ type = "ntfy"; }];
+          }
+          {
+            name = "ntfy";
+            group = "services";
+            url = "https://ntfy.neet.dev/v1/health";
+            interval = "5m";
+            conditions = [
+              "[STATUS] == 200"
+            ];
+            alerts = [{ type = "ntfy"; }];
+          }
+          {
+            name = "Librechat";
+            group = "services";
+            url = "https://chat.neet.dev";
+            interval = "5m";
+            conditions = [
+              "[STATUS] == 200"
+            ];
+            alerts = [{ type = "ntfy"; }];
+          }
+          {
+            name = "Owncast";
+            group = "services";
+            url = "https://live.neet.dev";
+            interval = "5m";
+            conditions = [
+              "[STATUS] == 200"
+            ];
+            alerts = [{ type = "ntfy"; }];
+          }
+          {
+            name = "Nextcloud";
+            group = "services";
+            url = "https://neet.cloud";
+            interval = "5m";
+            conditions = [
+              "[STATUS] == any(200, 302)"
+            ];
+            alerts = [{ type = "ntfy"; }];
+          }
+          {
+            name = "Element Web";
+            group = "services";
+            url = "https://chat.neet.space";
+            interval = "5m";
+            conditions = [
+              "[STATUS] == 200"
+            ];
+            alerts = [{ type = "ntfy"; }];
+          }
+          {
+            name = "Mumble";
+            group = "services";
+            url = "tcp://voice.neet.space:23563";
+            interval = "5m";
+            conditions = [
+              "[CONNECTED] == true"
+            ];
+            alerts = [{ type = "ntfy"; }];
+          }
+          {
+            name = "Navidrome";
+            group = "services";
+            url = "https://navidrome.neet.cloud";
+            interval = "5m";
+            conditions = [
+              "[STATUS] == 200"
+            ];
+            alerts = [{ type = "ntfy"; }];
+          }
+        ];
+      };
+    };
+    services.nginx.enable = true;
+    services.nginx.virtualHosts.${cfg.hostname} = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString port}";
+        proxyWebsockets = true;
+      };
+    };
+  };
+}
--- a/common/server/gitea-actions-runner.nix
+++ b/common/server/gitea-actions-runner.nix
@@ -1,132 +1,85 @@
-{ config, pkgs, lib, ... }:
+{ config, lib, ... }:

-# Gitea Actions Runner. Starts 'host' runner that runs directly on the host inside of a nixos container
-# This is useful for providing a real Nix/OS builder to gitea.
-# Warning, NixOS containers are not secure. For example, the container shares the /nix/store
-# Therefore, this should not be used to run untrusted code.
-# To enable, assign a machine the 'gitea-actions-runner' system role
-
-# TODO: skipping running inside of nixos container for now because of issues getting docker/podman running
+# Gitea Actions Runner inside a NixOS container.
+# The container shares the host's /nix/store (read-only) and nix-daemon socket,
+# so builds go through the host daemon and outputs land in the host store.
+# Warning: NixOS containers are not fully secure — do not run untrusted code.
+# To enable, assign a machine the 'gitea-actions-runner' system role.

 let
  thisMachineIsARunner = config.thisMachine.hasRole."gitea-actions-runner";
  containerName = "gitea-runner";
+  giteaRunnerUid = 991;
+  giteaRunnerGid = 989;
 in
 {
  config = lib.mkIf (thisMachineIsARunner && !config.boot.isContainer) {
-    # containers.${containerName} = {
-    #   ephemeral = true;
-    #   autoStart = true;

-    #   # for podman
-    #   enableTun = true;
+    containers.${containerName} = {
+      autoStart = true;
+      ephemeral = true;

-    #   # privateNetwork = true;
-    #   # hostAddress = "172.16.101.1";
-    #   # localAddress = "172.16.101.2";
+      bindMounts = {
+        "/run/agenix/gitea-actions-runner-token" = {
+          hostPath = "/run/agenix/gitea-actions-runner-token";
+          isReadOnly = true;
+        };
+        "/var/lib/gitea-runner" = {
+          hostPath = "/var/lib/gitea-runner";
+          isReadOnly = false;
+        };
+      };

-    #   bindMounts =
-    #     {
-    #       "/run/agenix/gitea-actions-runner-token" = {
-    #         hostPath = "/run/agenix/gitea-actions-runner-token";
-    #         isReadOnly = true;
-    #       };
-    #       "/var/lib/gitea-runner" = {
-    #         hostPath = "/var/lib/gitea-runner";
-    #         isReadOnly = false;
-    #       };
-    #     };
-
-    #   extraFlags = [
-    #     # Allow podman
-    #     ''--system-call-filter=thisystemcalldoesnotexistforsure''
-    #   ];
-
-    #   additionalCapabilities = [
-    #     "CAP_SYS_ADMIN"
-    #   ];
-
-    #   config = {
-    #     imports = allModules;
-
-    #     # speeds up evaluation
-    #     nixpkgs.pkgs = pkgs;
-
-    #     networking.hostName = lib.mkForce containerName;
-
-    #     # don't use remote builders
-    #     nix.distributedBuilds = lib.mkForce false;
-
-    #     environment.systemPackages = with pkgs; [
-    #       git
-    #       # Gitea Actions rely heavily on node. Include it because it would be installed anyway.
-    #       nodejs
-    #     ];
-
-    #     services.gitea-actions-runner.instances.inst = {
-    #       enable = true;
-    #       name = config.networking.hostName;
-    #       url = "https://git.neet.dev/";
-    #       tokenFile = "/run/agenix/gitea-actions-runner-token";
-    #       labels = [
-    #         "ubuntu-latest:docker://node:18-bullseye"
-    #         "nixos:host"
-    #       ];
-    #     };
-
-    #     # To allow building on the host, must override the the service's config so it doesn't use a dynamic user
-    #     systemd.services.gitea-runner-inst.serviceConfig.DynamicUser = lib.mkForce false;
-    #     users.users.gitea-runner = {
-    #       home = "/var/lib/gitea-runner";
-    #       group = "gitea-runner";
-    #       isSystemUser = true;
-    #       createHome = true;
-    #     };
-    #     users.groups.gitea-runner = { };
-
-    #     virtualisation.podman.enable = true;
-    #     boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
-    #   };
-    # };
-
-    # networking.nat.enable = true;
-    # networking.nat.internalInterfaces = [
-    #   "ve-${containerName}"
-    # ];
-    # networking.ip_forward = true;
-
-    # don't use remote builders
-    nix.distributedBuilds = lib.mkForce false;
+      config = { config, lib, pkgs, ... }: {
+        system.stateVersion = "25.11";

        services.gitea-actions-runner.instances.inst = {
          enable = true;
-      name = config.networking.hostName;
+          name = containerName;
          url = "https://git.neet.dev/";
          tokenFile = "/run/agenix/gitea-actions-runner-token";
-      labels = [
-        "ubuntu-latest:docker://node:18-bullseye"
-        "nixos:host"
-      ];
+          labels = [ "nixos:host" ];
        };

-    environment.systemPackages = with pkgs; [
-      git
-      # Gitea Actions rely heavily on node. Include it because it would be installed anyway.
-      nodejs
-    ];
-
-    # To allow building on the host, must override the the service's config so it doesn't use a dynamic user
+        # Disable dynamic user so runner state persists via bind mount
+        assertions = [{
+          assertion = config.systemd.services.gitea-runner-inst.enable;
+          message = "Expected systemd service 'gitea-runner-inst' is not enabled — the gitea-actions-runner module may have changed its naming scheme.";
+        }];
        systemd.services.gitea-runner-inst.serviceConfig.DynamicUser = lib.mkForce false;
        users.users.gitea-runner = {
+          uid = giteaRunnerUid;
          home = "/var/lib/gitea-runner";
          group = "gitea-runner";
          isSystemUser = true;
          createHome = true;
        };
-    users.groups.gitea-runner = { };
+        users.groups.gitea-runner.gid = giteaRunnerGid;

-    virtualisation.podman.enable = true;
-    boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+        nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+        environment.systemPackages = with pkgs; [
+          git
+          nodejs
+          jq
+          attic-client
+        ];
+      };
+    };
+
+    # Needs to be outside of the container because container uses's the host's nix-daemon
+    nix.settings.trusted-users = [ "gitea-runner" ];
+
+    # Matching user on host — the container's gitea-runner UID must be
+    # recognized by the host's nix-daemon as trusted (shared UID namespace)
+    users.users.gitea-runner = {
+      uid = giteaRunnerUid;
+      home = "/var/lib/gitea-runner";
+      group = "gitea-runner";
+      isSystemUser = true;
+      createHome = true;
+    };
+    users.groups.gitea-runner.gid = giteaRunnerGid;

    age.secrets.gitea-actions-runner-token.file = ../../secrets/gitea-actions-runner-token.age;
  };
--- a/common/server/ntfy.nix
+++ b/common/server/ntfy.nix
@@ -0,0 +1,38 @@
+{ lib, config, ... }:
+
+let
+  cfg = config.services.ntfy-sh;
+in
+{
+  options.services.ntfy-sh = {
+    hostname = lib.mkOption {
+      type = lib.types.str;
+      example = "ntfy.example.com";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.ntfy-sh.settings = {
+      base-url = "https://${cfg.hostname}";
+      listen-http = "127.0.0.1:2586";
+      auth-default-access = "deny-all";
+      behind-proxy = true;
+      enable-login = true;
+    };
+
+    # backups
+    backup.group."ntfy".paths = [
+      "/var/lib/ntfy-sh"
+    ];
+
+    services.nginx.enable = true;
+    services.nginx.virtualHosts.${cfg.hostname} = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:2586";
+        proxyWebsockets = true;
+      };
+    };
+  };
+}
--- a/common/server/samba.nix
+++ b/common/server/samba.nix
@@ -26,6 +26,16 @@
          "printcap name" = "cups";

          "hide files" = "/.nobackup/.DS_Store/._.DS_Store/";
+
+          # Samba 4.22+ enables SMB3 directory leases by default, allowing clients
+          # to cache directory listings locally. When files are created locally on
+          # the server (bypassing Samba), these cached listings go stale because
+          # kernel oplocks — the mechanism that would break leases on local
+          # changes — is incompatible with smb2 leases. Enabling kernel oplocks
+          # would fix this but forces Samba to disable smb2 leases, durable
+          # handles, and level2 oplocks, losing handle caching performance.
+          # https://wiki.samba.org/index.php/Editing_files_locally_on_server:_interoperability
+          "smb3 directory leases" = "no";
        };
        public = {
          path = "/data/samba/Public";
--- a/common/zfs-alerts.nix
+++ b/common/zfs-alerts.nix
@@ -0,0 +1,87 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.ntfy-alerts;
+  hasZfs = config.boot.supportedFilesystems.zfs or false;
+  hasNtfy = config.thisMachine.hasRole."ntfy";
+
+  checkScript = pkgs.writeShellScript "zfs-health-check" ''
+    PATH="${lib.makeBinPath [ pkgs.zfs pkgs.coreutils pkgs.gawk pkgs.curl ]}"
+
+    unhealthy=""
+
+    # Check pool health status
+    while IFS=$'\t' read -r pool state; do
+      if [ "$state" != "ONLINE" ]; then
+        unhealthy="$unhealthy"$'\n'"Pool '$pool' is $state"
+      fi
+    done < <(zpool list -H -o name,health)
+
+    # Check for errors (read, write, checksum) on any vdev
+    while IFS=$'\t' read -r pool errors; do
+      if [ "$errors" != "No known data errors" ] && [ -n "$errors" ]; then
+        unhealthy="$unhealthy"$'\n'"Pool '$pool' has errors: $errors"
+      fi
+    done < <(zpool status -x 2>/dev/null | awk '
+      /pool:/ { pool=$2 }
+      /errors:/ { sub(/^[[:space:]]*errors: /, ""); print pool "\t" $0 }
+    ')
+
+    # Check for any drives with non-zero error counts
+    drive_errors=$(zpool status 2>/dev/null | awk '
+      /DEGRADED|FAULTED|OFFLINE|UNAVAIL|REMOVED/ && !/pool:/ && !/state:/ {
+        print "  " $0
+      }
+      /[0-9]+[[:space:]]+[0-9]+[[:space:]]+[0-9]+/ {
+        if ($3 > 0 || $4 > 0 || $5 > 0) {
+          print "  " $1 " (read:" $3 " write:" $4 " cksum:" $5 ")"
+        }
+      }
+    ')
+    if [ -n "$drive_errors" ]; then
+      unhealthy="$unhealthy"$'\n'"Device errors:"$'\n'"$drive_errors"
+    fi
+
+    if [ -n "$unhealthy" ]; then
+      message="ZFS health check failed on ${config.networking.hostName}:$unhealthy"
+
+      curl \
+        --fail --silent --show-error \
+        --max-time 30 --retry 3 \
+        -H "Authorization: Bearer $NTFY_TOKEN" \
+        -H "Title: ZFS issue on ${config.networking.hostName}" \
+        -H "Priority: urgent" \
+        -H "Tags: warning" \
+        -d "$message" \
+        "${cfg.serverUrl}/${cfg.topic}"
+
+      echo "$message" >&2
+    fi
+
+    echo "All ZFS pools healthy"
+  '';
+in
+{
+  config = lib.mkIf (hasZfs && hasNtfy) {
+    systemd.services.zfs-health-check = {
+      description = "Check ZFS pool health and alert on issues";
+      wants = [ "network-online.target" ];
+      after = [ "network-online.target" "zfs.target" ];
+      serviceConfig = {
+        Type = "oneshot";
+        EnvironmentFile = "/run/agenix/ntfy-token";
+        ExecStart = checkScript;
+      };
+    };
+
+    systemd.timers.zfs-health-check = {
+      description = "Periodic ZFS health check";
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        OnCalendar = "daily";
+        Persistent = true;
+        RandomizedDelaySec = "1h";
+      };
+    };
+  };
+}
--- a/flake.lock
+++ b/flake.lock
@@ -14,11 +14,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1762618334,
-        "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=",
+        "lastModified": 1770165109,
+        "narHash": "sha256-9VnK6Oqai65puVJ4WYtCTvlJeXxMzAp/69HhQuTdl/I=",
        "owner": "ryantm",
        "repo": "agenix",
-        "rev": "fcdea223397448d35d9b31f798479227e80183f6",
+        "rev": "b027ee29d959fda4b60b57566d64c98a202e0feb",
        "type": "github"
      },
      "original": {
@@ -53,11 +53,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1770491193,
-        "narHash": "sha256-zdnWeXmPZT8BpBo52s4oansT1Rq0SNzksXKpEcMc5lE=",
+        "lastModified": 1771632347,
+        "narHash": "sha256-kNm0YX9RUwf7GZaWQu2F71ccm4OUMz0xFkXn6mGPfps=",
        "owner": "sadjow",
        "repo": "claude-code-nix",
-        "rev": "f68a2683e812d1e4f9a022ff3e0206d46347d019",
+        "rev": "ec90f84b2ea21f6d2272e00d1becbc13030d1895",
        "type": "github"
      },
      "original": {
@@ -124,11 +124,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1766051518,
-        "narHash": "sha256-znKOwPXQnt3o7lDb3hdf19oDo0BLP4MfBOYiWkEHoik=",
+        "lastModified": 1770019181,
+        "narHash": "sha256-hwsYgDnby50JNVpTRYlF3UR/Rrpt01OrxVuryF40CFY=",
        "owner": "serokell",
        "repo": "deploy-rs",
-        "rev": "d5eff7f948535b9c723d60cd8239f8f11ddc90fa",
+        "rev": "77c906c0ba56aabdbc72041bf9111b565cdd6171",
        "type": "github"
      },
      "original": {
@@ -186,11 +186,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1763988335,
-        "narHash": "sha256-QlcnByMc8KBjpU37rbq5iP7Cp97HvjRP0ucfdh+M4Qc=",
+        "lastModified": 1769939035,
+        "narHash": "sha256-Fok2AmefgVA0+eprw2NDwqKkPGEI5wvR+twiZagBvrg=",
        "owner": "cachix",
        "repo": "git-hooks.nix",
-        "rev": "50b9238891e388c9fdc6a5c49e49c42533a1b5ce",
+        "rev": "a8ca480175326551d6c4121498316261cbb5b260",
        "type": "github"
      },
      "original": {
@@ -228,11 +228,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1768068402,
-        "narHash": "sha256-bAXnnJZKJiF7Xr6eNW6+PhBf1lg2P1aFUO9+xgWkXfA=",
+        "lastModified": 1771756436,
+        "narHash": "sha256-Tl2I0YXdhSTufGqAaD1ySh8x+cvVsEI1mJyJg12lxhI=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "8bc5473b6bc2b6e1529a9c4040411e1199c43b4c",
+        "rev": "5bd3589390b431a63072868a90c0f24771ff4cbb",
        "type": "github"
      },
      "original": {
@@ -250,11 +250,11 @@
        "spectrum": "spectrum"
      },
      "locked": {
-        "lastModified": 1770310890,
-        "narHash": "sha256-lyWAs4XKg3kLYaf4gm5qc5WJrDkYy3/qeV5G733fJww=",
+        "lastModified": 1771802632,
+        "narHash": "sha256-UAH8YfrHRvXAMeFxUzJ4h4B1loz1K1wiNUNI8KiPqOg=",
        "owner": "astro",
        "repo": "microvm.nix",
-        "rev": "68c9f9c6ca91841f04f726a298c385411b7bfcd5",
+        "rev": "b67e3d80df3ec35bdfd3a00ad64ee437ef4fcded",
        "type": "github"
      },
      "original": {
@@ -270,11 +270,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1765267181,
-        "narHash": "sha256-d3NBA9zEtBu2JFMnTBqWj7Tmi7R5OikoU2ycrdhQEws=",
+        "lastModified": 1771734689,
+        "narHash": "sha256-/phvMgr1yutyAMjKnZlxkVplzxHiz60i4rc+gKzpwhg=",
        "owner": "Mic92",
        "repo": "nix-index-database",
-        "rev": "82befcf7dc77c909b0f2a09f5da910ec95c5b78f",
+        "rev": "8f590b832326ab9699444f3a48240595954a4b10",
        "type": "github"
      },
      "original": {
@@ -285,11 +285,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1767185284,
-        "narHash": "sha256-ljDBUDpD1Cg5n3mJI81Hz5qeZAwCGxon4kQW3Ho3+6Q=",
+        "lastModified": 1771423359,
+        "narHash": "sha256-yRKJ7gpVmXbX2ZcA8nFi6CMPkJXZGjie2unsiMzj3Ig=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "40b1a28dce561bea34858287fbb23052c3ee63fe",
+        "rev": "740a22363033e9f1bb6270fbfb5a9574067af15b",
        "type": "github"
      },
      "original": {
@@ -301,16 +301,16 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1768250893,
-        "narHash": "sha256-fWNJYFx0QvnlGlcw54EoOYs/wv2icINHUz0FVdh9RIo=",
+        "lastModified": 1771369470,
+        "narHash": "sha256-0NBlEBKkN3lufyvFegY4TYv5mCNHbi5OmBDrzihbBMQ=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "3971af1a8fc3646b1d554cb1269b26c84539c22e",
+        "rev": "0182a361324364ae3f436a63005877674cf45efb",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "master",
+        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
@@ -344,11 +344,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1766321686,
-        "narHash": "sha256-icOWbnD977HXhveirqA10zoqvErczVs3NKx8Bj+ikHY=",
+        "lastModified": 1770659507,
+        "narHash": "sha256-RVZno9CypFN3eHxfULKN1K7mb/Cq0HkznnWqnshxpWY=",
        "owner": "simple-nixos-mailserver",
        "repo": "nixos-mailserver",
-        "rev": "7d433bf89882f61621f95082e90a4ab91eb0bdd3",
+        "rev": "781e833633ebc0873d251772a74e4400a73f5d78",
        "type": "gitlab"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -1,7 +1,7 @@
 {
  inputs = {
    # nixpkgs
-    nixpkgs.url = "github:NixOS/nixpkgs/master";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";

    # Common Utils Among flake inputs
    systems.url = "github:nix-systems/default";
@@ -175,10 +175,10 @@
            kexec = (mkEphemeral "x86_64-linux").config.system.build.images.kexec;
            iso = (mkEphemeral "x86_64-linux").config.system.build.images.iso;
          };
-          "aarch64-linux" = {
-            kexec = (mkEphemeral "aarch64-linux").config.system.build.images.kexec;
-            iso = (mkEphemeral "aarch64-linux").config.system.build.images.iso;
-          };
+          # "aarch64-linux" = {
+          #   kexec = (mkEphemeral "aarch64-linux").config.system.build.images.kexec;
+          #   iso = (mkEphemeral "aarch64-linux").config.system.build.images.iso;
+          # };
        };

      overlays.default = import ./overlays { inherit inputs; };
--- a/home/googlebot.nix
+++ b/home/googlebot.nix
@@ -61,7 +61,8 @@ in

  programs.vscode = {
    enable = thisMachineIsPersonal;
-    package = pkgs.vscodium;
+    # Must use fhs version for vscode-lldb
+    package = pkgs.vscodium-fhs;
    profiles.default = {
      userSettings = {
        editor.formatOnSave = true;
@@ -78,6 +79,15 @@ in
          lsp.serverPort = 6005; # port needs to match Godot configuration
          editorPath.godot4 = "godot-mono";
        };
+        rust-analyzer = {
+          restartServerOnConfigChange = true;
+          testExplorer = true;
+          server.path = "rust-analyzer"; # Use the rust-analyzer from PATH (which is set by nixEnvSelector from the project's flake)
+        };
+        nixEnvSelector = {
+          useFlakes = true; # This hasn't ever worked for me and I have to use shell.nix... but maybe someday
+          suggestion = false; # Stop really annoy nagging
+        };
      };
      extensions = with pkgs.vscode-extensions; [
        bbenoist.nix # nix syntax support
--- a/machines/fry/default.nix
+++ b/machines/fry/default.nix
@@ -13,6 +13,18 @@
  # Upstream interface for sandbox networking (NAT)
  networking.sandbox.upstreamInterface = lib.mkDefault "enp191s0";

+  # Enable sandboxed workspace
+  sandboxed-workspace = {
+    enable = true;
+    workspaces.test-incus = {
+      type = "incus";
+      autoStart = true;
+      config = ./workspaces/test-container.nix;
+      ip = "192.168.83.90";
+      hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0SNSy/MdW38NqKzLr1SG8WKrs8XkrqibacaJtJPzgW";
+    };
+  };
+
  environment.systemPackages = with pkgs; [
    system76-keyboard-configurator
  ];
--- a/machines/fry/properties.nix
+++ b/machines/fry/properties.nix
@@ -8,6 +8,7 @@
  systemRoles = [
    "personal"
    "dns-challenge"
+    "ntfy"
  ];

  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID/Df5lG07Il7fizEgZR/T9bMlR0joESRJ7cqM9BkOyP";
--- a/machines/howl/properties.nix
+++ b/machines/howl/properties.nix
@@ -7,6 +7,7 @@

  systemRoles = [
    "personal"
+    "ntfy"
  ];

  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEQi3q8jU6vRruExAL60J7GFO1gS8HsmXVJuKRT4ljrG";
--- a/machines/phil/default.nix
+++ b/machines/phil/default.nix
@@ -1,9 +0,0 @@
-{ lib, ... }:
-
-{
-  imports = [
-    ./hardware-configuration.nix
-  ];
-
-  networking.hostName = "phil";
-}
--- a/machines/phil/hardware-configuration.nix
+++ b/machines/phil/hardware-configuration.nix
@@ -1,46 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ lib, modulesPath, ... }:
-
-{
-  imports =
-    [
-      (modulesPath + "/profiles/qemu-guest.nix")
-    ];
-
-  # because grub just doesn't work for some reason
-  boot.loader.systemd-boot.enable = true;
-
-  remoteLuksUnlock.enable = true;
-  remoteLuksUnlock.enableTorUnlock = false;
-
-  boot.initrd.availableKernelModules = [ "xhci_pci" ];
-  boot.initrd.kernelModules = [ "dm-snapshot" ];
-  boot.kernelModules = [ ];
-  boot.extraModulePackages = [ ];
-
-  boot.initrd.luks.devices."enc-pv" = {
-    device = "/dev/disk/by-uuid/d26c1820-4c39-4615-98c2-51442504e194";
-    allowDiscards = true;
-  };
-
-  fileSystems."/" =
-    {
-      device = "/dev/disk/by-uuid/851bfde6-93cd-439e-9380-de28aa87eda9";
-      fsType = "btrfs";
-    };
-
-  fileSystems."/boot" =
-    {
-      device = "/dev/disk/by-uuid/F185-C4E5";
-      fsType = "vfat";
-    };
-
-  swapDevices =
-    [{ device = "/dev/disk/by-uuid/d809e3a1-3915-405a-a200-4429c5efdf87"; }];
-
-  networking.interfaces.enp0s6.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
-}
--- a/machines/phil/properties.nix
+++ b/machines/phil/properties.nix
@@ -1,20 +0,0 @@
-{
-  hostNames = [
-    "phil"
-    "phil.neet.dev"
-  ];
-
-  arch = "aarch64-linux";
-
-  systemRoles = [
-    "server"
-    "nix-builder"
-  ];
-
-  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlgRPpuUkZqe8/lHugRPm/m2vcN9psYhh5tENHZt9I2";
-
-  remoteUnlock = {
-    hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0RodotOXLMy/w70aa096gaNqPBnfgiXR5ZAH4+wGzd";
-    clearnetHost = "unlock.phil.neet.dev";
-  };
-}
--- a/machines/ponyo/default.nix
+++ b/machines/ponyo/default.nix
@@ -108,4 +108,12 @@
  # librechat
  services.librechat-container.enable = true;
  services.librechat-container.host = "chat.neet.dev";
+
+  # push notifications
+  services.ntfy-sh.enable = true;
+  services.ntfy-sh.hostname = "ntfy.neet.dev";
+
+  # uptime monitoring
+  services.gatus.enable = true;
+  services.gatus.hostname = "status.neet.dev";
 }
--- a/machines/ponyo/properties.nix
+++ b/machines/ponyo/properties.nix
@@ -15,6 +15,7 @@
    "dailybot"
    "gitea"
    "librechat"
+    "ntfy"
  ];

  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMBBlTAIp38RhErU1wNNV5MBeb+WGH0mhF/dxh5RsAXN";
--- a/machines/storage/s0/hardware-configuration.nix
+++ b/machines/storage/s0/hardware-configuration.nix
@@ -72,5 +72,5 @@
    };
  };

-  powerManagement.cpuFreqGovernor = "powersave";
+  powerManagement.cpuFreqGovernor = "schedutil";
 }
--- a/machines/storage/s0/properties.nix
+++ b/machines/storage/s0/properties.nix
@@ -18,6 +18,7 @@
    "linkwarden"
    "outline"
    "dns-challenge"
+    "ntfy"
  ];

  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q";
--- a/machines/zoidberg/properties.nix
+++ b/machines/zoidberg/properties.nix
@@ -8,6 +8,7 @@
  systemRoles = [
    "personal"
    "media-center"
+    "ntfy"
  ];

  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHvdC1EiLqSNVmk5L1p7cWRIrrlelbK+NMj6tEBrwqIq";
--- a/secrets/attic-netrc.age
+++ b/secrets/attic-netrc.age
--- a/secrets/atticd-credentials.age
+++ b/secrets/atticd-credentials.age
--- a/secrets/binary-cache-push-sshkey.age
+++ b/secrets/binary-cache-push-sshkey.age
--- a/secrets/gitea-actions-runner-token.age
+++ b/secrets/gitea-actions-runner-token.age
--- a/secrets/ntfy-token.age
+++ b/secrets/ntfy-token.age
@@ -0,0 +1,19 @@
+age-encryption.org/v1
+-> ssh-ed25519 qEbiMg 5JtpNApPNiFqAB/gQcAsE1gz0Fg/uHW92f6Kx1J2ggQ
+RzC1MQxyDYW1IuMo+OtSgcsND4v7XIRn0rCSkKCFA3A
+-> ssh-ed25519 N7drjg mn6LWo+2zWEtUavbFQar966+j+g5su+lcBfWYz1aZDQ
+EmKpdfkCSQao1+O/HJdOiam7UvBnDYcEEkgH6KrudQI
+-> ssh-ed25519 jQaHAA an3Ukqz3BVoz0FEAA6/Lw1XKOkQWHwmTut+XD4E4vS8
+9N2ePtXG2FPJSmOwcAO9p92MJKJJpTlEhKSmgMiinB0
+-> ssh-ed25519 ZDy34A v98HzmBgwgOpUk2WrRuFsCdNR+nF2veVLzyT2pU2ZXY
+o2pO5JbVEeaOFQ3beBvej6qgDdT9mgPCVHxmw2umhA0
+-> ssh-ed25519 w3nu8g Uba2LWQueJ50Ds1/RjvkXI+VH7calMiM7dbL02sRJ3U
+mFj5skmDXhJV9lK5iwUpebqxqVPAexdUntrbWJEix+Q
+-> ssh-ed25519 evqvfg wLEEdTdmDRiFGYDrYFQjvRzc3zmGXgvztIy3UuFXnWg
+CtCV/PpaxBmtDV+6InmcbKxNDmbPUTzyCm8tCf1Qw/4
+-> ssh-ed25519 6AT2/g NaA1AhOdb+FGOCoWFEX0QN4cXS1CxlpFwpsH1L6vBA0
+Z9aMYAofQ4Ath0zsg0YdZG3GTnCN2uQW7EG02bMZRsc
+-> ssh-ed25519 hPp1nw +shAZrydcbjXfYxm1UW1YosKg5ZwBBKO6cct4HdotBo
+GxnopKlmZQ/I6kMZPNurLgqwwkFHpUradaNYTPnlMFU
+--- W6DrhCmU08IEIyPpHDiRV21xVeALNk1bDHrLYc2YcC4
+'+Æ©<C386>CËl”i.Z£t;ýL²1Eãk#5ŸŠÑ£38‰?± šFWhö6?±_Ã=Âæ<C382>ãj/æÌRFÆáãåiÿóãÌZ{‘
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -7,6 +7,9 @@ let

  # nobody is using this secret but I still need to be able to r/w it
  nobody = sshKeys.userKeys;
+
+  # For secrets that all machines need to know
+  everyone = lib.unique (roles.personal ++ roles.server);
 in

 with roles;
@@ -22,8 +25,10 @@ with roles;
  # nix binary cache
  # public key: s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU=
  "binary-cache-private-key.age".publicKeys = binary-cache;
-  # public key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINpUZFFL9BpBVqeeU63sFPhR9ewuhEZerTCDIGW1NPSB
-  "binary-cache-push-sshkey.age".publicKeys = nobody; # this value is directly given to gitea
+
+  # attic binary cache
+  "atticd-credentials.age".publicKeys = binary-cache;
+  "attic-netrc.age".publicKeys = everyone;

  # vpn
  "pia-login.age".publicKeys = pia;
@@ -38,8 +43,11 @@ with roles;
  "linkwarden-environment.age".publicKeys = linkwarden;

  # backups
-  "backblaze-s3-backups.age".publicKeys = personal ++ server;
-  "restic-password.age".publicKeys = personal ++ server;
+  "backblaze-s3-backups.age".publicKeys = everyone;
+  "restic-password.age".publicKeys = everyone;
+
+  # ntfy alerts
+  "ntfy-token.age".publicKeys = everyone;

  # gitea actions runner
  "gitea-actions-runner-token.age".publicKeys = gitea-actions-runner;
Author	SHA1	Message	Date
gitea-runner	412dd12b5a	flake.lock: update inputs Some checks failed Check Flake / check-flake (push) Successful in 2m22s Details Auto Update Flake / auto-update (push) Failing after 2m40s Details	2026-02-22 22:01:06 -08:00
Zuckerberg	684851d641	Prevent containers from running non-container services All checks were successful Check Flake / check-flake (push) Successful in 2m21s Details Auto Update Flake / auto-update (push) Successful in 3m29s Details	2026-02-22 18:18:05 -08:00
Zuckerberg	4cf50b5fb1	Restart atticd whenever PostgreSQL restarts All checks were successful Check Flake / check-flake (push) Successful in 3m7s Details	2026-02-22 17:53:46 -08:00
googlebot	288a2841aa	Replace Uptime Kuma with Gatus for declarative uptime monitoring All checks were successful Check Flake / check-flake (push) Successful in 2m4s Details Gatus is configured entirely via YAML (mapped from Nix attrsets), making nix-config the single source of truth for all monitoring config instead of Uptime Kuma's web UI/SQLite database.	2026-02-22 17:30:03 -08:00
googlebot	0589ca5748	Add attic binary cache to sandboxed workspaces Update the attic cache URL from s0.koi-bebop.ts.net to s0.neet.dev and configure sandboxed workspaces to inherit the host's binary cache settings (substituters, trusted keys, netrc auth via agenix).	2026-02-22 17:22:44 -08:00
googlebot	a4c5cb589a	Claude workspaces	2026-02-22 17:19:48 -08:00
googlebot	a697ea10ad	Add daily ZFS health check with ntfy alerts and introduce ntfy role Add a zfs-alerts module that runs a daily health check on ZFS machines, sending detailed ntfy notifications for degraded pools, data errors, or drive errors. Introduce an "ntfy" system role to decouple ntfy alerting from the server/personal roles, and assign it to all machines.	2026-02-22 17:17:40 -08:00
Zuckerberg	200d5a5d22	Add ntfy failure alerts for all systemd services All checks were successful Check Flake / check-flake (push) Successful in 3m18s Details	2026-02-22 16:19:43 -08:00
Zuckerberg	339eac52c6	Add uptime kuma All checks were successful Check Flake / check-flake (push) Successful in 9m15s Details	2026-02-22 15:49:26 -08:00
Zuckerberg	bab4b3ff8e	Skip build and push when flake.lock has no changes All checks were successful Check Flake / check-flake (push) Successful in 2m0s Details	2026-02-22 15:12:45 -08:00
Zuckerberg	54ab576914	Fix push auth with PAT, correct run link, and add ntfy to check-flake	2026-02-22 15:12:45 -08:00
Zuckerberg	c84c0716ce	Fix push auth with PAT and use correct run_number in ntfy link	2026-02-22 15:12:45 -08:00
Zuckerberg	a921f40644	Fix git identity and ntfy URL in auto-update workflow	2026-02-22 15:12:45 -08:00
gitea-runner	a6c17164fa	flake.lock: Update All checks were successful Check Flake / check-flake (push) Successful in 2m1s Details Flake lock file updates: • Updated input 'home-manager': 'github:nix-community/home-manager/c6ed3eab64d23520bcbb858aa53fe2b533725d4a?narHash=sha256-WxAEkAbo8dP7qiyPM6VN4ZGAxfuBVlNBNPkrqkrXVEc%3D' (2026-02-21) → 'github:nix-community/home-manager/5bd3589390b431a63072868a90c0f24771ff4cbb?narHash=sha256-Tl2I0YXdhSTufGqAaD1ySh8x%2BcvVsEI1mJyJg12lxhI%3D' (2026-02-22) • Updated input 'microvm': 'github:astro/microvm.nix/789c90b164b55b4379e7a94af8b9c01489024c18?narHash=sha256-1XJOslVyF7yzf6yd/yl1VjGLywsbtwmQh3X1LuJcLI4%3D' (2026-02-17) → 'github:astro/microvm.nix/a3abc020a3d8e624e145f4144ed40702f788ea32?narHash=sha256-Pf4CaRoOLQV02m2POPA%2B0EWvb3gVdpaiS0hNNVZhO3c%3D' (2026-02-21) • Updated input 'nix-index-database': 'github:Mic92/nix-index-database/efec7aaad8d43f8e5194df46a007456093c40f88?narHash=sha256-UIKOwG0D9XVIJfNWg6%2BgENAvQP%2B7LO46eO0Jpe%2BItJ0%3D' (2026-02-15) → 'github:Mic92/nix-index-database/8f590b832326ab9699444f3a48240595954a4b10?narHash=sha256-/phvMgr1yutyAMjKnZlxkVplzxHiz60i4rc%2BgKzpwhg%3D' (2026-02-22)	2026-02-22 15:04:48 -08:00
Zuckerberg	9df8390f1f	Add daily auto-update workflow with shared build script All checks were successful Check Flake / check-flake (push) Successful in 2m7s Details	2026-02-21 23:29:41 -08:00
Zuckerberg	156f0183bd	Add ntfy push notification server on ponyo	2026-02-21 23:29:36 -08:00
Zuckerberg	8b92e51ef7	Remove phil machine and aarch64 ISO/kexec	2026-02-21 21:43:12 -08:00
Zuckerberg	7798872bbf	Disable SMB3 directory leases to fix stale listings from local file changes	2026-02-21 21:43:12 -08:00
Zuckerberg	cf41285cb8	Update inputs + move to nixos-unstable	2026-02-21 21:43:12 -08:00
Zuckerberg	5a0a525f64	Add Attic binary cache and containerize gitea runner Replace nix-serve-only setup with Attic for managed binary caching with upstream filtering and GC. Move gitea actions runner from host into an isolated NixOS container with private networking. nix-serve kept alongside Attic during migration.	2026-02-21 21:43:08 -08:00
Zuckerberg	9154595910	Ad Incus sandbox on fry I've already been using for a while now All checks were successful Check Flake / check-flake (push) Successful in 3m35s Details	2026-02-17 21:35:23 -08:00
Zuckerberg	1b92363b08	Fix rust analyzer in vscode	2026-02-17 21:28:50 -08:00
Zuckerberg	136f024cf0	Fix tailscale networking when incus is on	2026-02-17 21:28:28 -08:00
Zuckerberg	3d08a3e9bc	Improve nix settings for sandboxed workspaces All checks were successful Check Flake / check-flake (push) Successful in 1m15s Details	2026-02-14 11:29:02 -08:00