Add daily auto-update workflow with shared build script

Replace nix-serve-only setup with Attic for managed binary caching with
upstream filtering and GC. Move gitea actions runner from host into an
isolated NixOS container with private networking. nix-serve kept alongside
Attic during migration.

.gitea/scripts/build-and-cache.sh

@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Configure Attic cache
+attic login local "$ATTIC_ENDPOINT" "$ATTIC_TOKEN"
+attic use local:nixos
+
+# Check flake
+nix flake check --all-systems --print-build-logs --log-format raw --show-trace
+
+# Build all systems
+nix eval .#nixosConfigurations --apply 'cs: builtins.attrNames cs' --json \
+  | jq -r '.[]' \
+  | xargs -I{} nix build ".#nixosConfigurations.{}.config.system.build.toplevel" \
+      --no-link --print-build-logs --log-format raw
+
+# Push to cache (only locally-built paths >= 0.5MB)
+toplevels=$(nix eval .#nixosConfigurations \
+  --apply 'cs: map (n: "${cs.${n}.config.system.build.toplevel}") (builtins.attrNames cs)' \
+  --json | jq -r '.[]')
+echo "Found $(echo "$toplevels" | wc -l) system toplevels"
+paths=$(echo "$toplevels" \
+  | xargs nix path-info -r --json \
+  | jq -r '[to_entries[] | select(
+      (.value.signatures | all(startswith("cache.nixos.org") | not))
+      and .value.narSize >= 524288
+    ) | .key] | unique[]')
+echo "Pushing $(echo "$paths" | wc -l) unique paths to cache"
+echo "$paths" | xargs attic push local:nixos

.gitea/workflows/auto-update.yaml

@@ -0,0 +1,42 @@
+name: Auto Update Flake
+on:
+  schedule:
+    - cron: '0 6 * * *'
+  workflow_dispatch: {}
+
+env:
+  DEBIAN_FRONTEND: noninteractive
+  PATH: /run/current-system/sw/bin/
+  XDG_CONFIG_HOME: ${{ runner.temp }}/.config
+  ATTIC_ENDPOINT: ${{ vars.ATTIC_ENDPOINT }}
+  ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }}
+
+jobs:
+  auto-update:
+    runs-on: nixos
+    steps:
+      - name: Checkout the repository
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          ref: master
+
+      - name: Update flake inputs
+        run: nix flake update --commit-lock-file
+
+      - name: Build and cache
+        run: bash .gitea/scripts/build-and-cache.sh
+
+      - name: Push updated lockfile
+        run: git push
+
+      - name: Notify on failure
+        if: failure()
+        run: |
+          curl -s \
+            -H "Authorization: Bearer ${{ secrets.NTFY_TOKEN }}" \
+            -H "Title: Flake auto-update failed" \
+            -H "Priority: high" \
+            -H "Tags: warning" \
+            -d "Auto-update workflow failed. Check: ${{ gitea.server_url }}/${{ gitea.repository }}/actions/runs/${{ gitea.run_id }}" \
+            ntfy.neet.dev/nix-flake-updates

.gitea/workflows/check-flake.yaml

@@ -5,6 +5,9 @@ on: [push]
 env:
   DEBIAN_FRONTEND: noninteractive
   PATH: /run/current-system/sw/bin/
+  XDG_CONFIG_HOME: ${{ runner.temp }}/.config
+  ATTIC_ENDPOINT: ${{ vars.ATTIC_ENDPOINT }}
+  ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }}
 
 jobs:
   check-flake:
@@ -15,5 +18,5 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: Check Flake
-        run: nix flake check --all-systems --print-build-logs --log-format raw --show-trace
+      - name: Build and cache
+        run: bash .gitea/scripts/build-and-cache.sh

common/binary-cache.nix

@@ -1,4 +1,4 @@
-{ ... }:
+{ config, ... }:
 
 {
   nix = {
@@ -6,11 +6,11 @@
       substituters = [
         "https://cache.nixos.org/"
         "https://nix-community.cachix.org"
-        "http://s0.koi-bebop.ts.net:5000"
+        "http://s0.koi-bebop.ts.net:28338/nixos"
       ];
       trusted-public-keys = [
         "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-        "s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU="
+        "nixos:e5AMCUWWEX9MESWAAMjBkZdGUpl588NhgsUO3HsdhFw="
       ];
 
       # Allow substituters to be offline
@@ -19,6 +19,11 @@
       # and use this flag as intended for deciding if it should build missing
       # derivations locally. See https://github.com/NixOS/nix/issues/6901
       fallback = true;
+
+      # Authenticate to private nixos cache
+      netrc-file = config.age.secrets.attic-netrc.path;
     };
   };
+
+  age.secrets.attic-netrc.file = ../secrets/attic-netrc.age;
 }

common/nix-builder.nix

@@ -4,8 +4,8 @@ let
   builderUserName = "nix-builder";
 
   builderRole = "nix-builder";
-  builders = config.machines.withRole.${builderRole};
-  thisMachineIsABuilder = config.thisMachine.hasRole.${builderRole};
+  builders = config.machines.withRole.${builderRole} or [];
+  thisMachineIsABuilder = config.thisMachine.hasRole.${builderRole} or false;
 
   # builders don't include themselves as a remote builder
   otherBuilders = lib.filter (hostname: hostname != config.networking.hostName) builders;

common/server/atticd.nix

@@ -0,0 +1,61 @@
+{ config, lib, ... }:
+
+{
+  config = lib.mkIf (config.thisMachine.hasRole."binary-cache") {
+    services.atticd = {
+      enable = true;
+      environmentFile = config.age.secrets.atticd-credentials.path;
+      settings = {
+        listen = "[::]:28338";
+        database.url = "postgresql:///atticd?host=/run/postgresql";
+        require-proof-of-possession = false;
+
+        # Disable chunking — the dedup savings don't justify the CPU/IO
+        # overhead for local storage, especially on ZFS which already
+        # does block-level compression.
+        chunking = {
+          nar-size-threshold = 0;
+          min-size = 16 * 1024;
+          avg-size = 64 * 1024;
+          max-size = 256 * 1024;
+        };
+
+        # Let ZFS handle compression instead of double-compressing.
+        compression.type = "none";
+
+        garbage-collection.default-retention-period = "6 months";
+      };
+    };
+
+    # PostgreSQL for atticd
+    services.postgresql = {
+      enable = true;
+      ensureDatabases = [ "atticd" ];
+      ensureUsers = [{
+        name = "atticd";
+        ensureDBOwnership = true;
+      }];
+    };
+
+    # Use a static user so the ZFS mountpoint at /var/lib/atticd works
+    # (DynamicUser conflicts with ZFS mountpoints)
+    users.users.atticd = {
+      isSystemUser = true;
+      group = "atticd";
+      home = "/var/lib/atticd";
+    };
+    users.groups.atticd = { };
+
+    systemd.services.atticd = {
+      after = [ "postgresql.service" ];
+      requires = [ "postgresql.service" ];
+      serviceConfig = {
+        DynamicUser = lib.mkForce false;
+        User = "atticd";
+        Group = "atticd";
+      };
+    };
+
+    age.secrets.atticd-credentials.file = ../../secrets/atticd-credentials.age;
+  };
+}

common/server/default.nix

@@ -12,8 +12,10 @@
     ./mailserver.nix
     ./nextcloud.nix
     ./gitea-actions-runner.nix
+    ./atticd.nix
     ./librechat.nix
     ./actualbudget.nix
     ./unifi.nix
+    ./ntfy.nix
   ];
 }

common/server/gitea-actions-runner.nix

@@ -1,132 +1,85 @@
-{ config, pkgs, lib, ... }:
+{ config, lib, ... }:
 
-# Gitea Actions Runner. Starts 'host' runner that runs directly on the host inside of a nixos container
-# This is useful for providing a real Nix/OS builder to gitea.
-# Warning, NixOS containers are not secure. For example, the container shares the /nix/store
-# Therefore, this should not be used to run untrusted code.
-# To enable, assign a machine the 'gitea-actions-runner' system role
-
-# TODO: skipping running inside of nixos container for now because of issues getting docker/podman running
+# Gitea Actions Runner inside a NixOS container.
+# The container shares the host's /nix/store (read-only) and nix-daemon socket,
+# so builds go through the host daemon and outputs land in the host store.
+# Warning: NixOS containers are not fully secure — do not run untrusted code.
+# To enable, assign a machine the 'gitea-actions-runner' system role.
 
 let
   thisMachineIsARunner = config.thisMachine.hasRole."gitea-actions-runner";
   containerName = "gitea-runner";
+  giteaRunnerUid = 991;
+  giteaRunnerGid = 989;
 in
 {
   config = lib.mkIf (thisMachineIsARunner && !config.boot.isContainer) {
-    # containers.${containerName} = {
-    #   ephemeral = true;
-    #   autoStart = true;
 
-    #   # for podman
-    #   enableTun = true;
+    containers.${containerName} = {
+      autoStart = true;
+      ephemeral = true;
 
-    #   # privateNetwork = true;
-    #   # hostAddress = "172.16.101.1";
-    #   # localAddress = "172.16.101.2";
+      bindMounts = {
+        "/run/agenix/gitea-actions-runner-token" = {
+          hostPath = "/run/agenix/gitea-actions-runner-token";
+          isReadOnly = true;
+        };
+        "/var/lib/gitea-runner" = {
+          hostPath = "/var/lib/gitea-runner";
+          isReadOnly = false;
+        };
+      };
 
-    #   bindMounts =
-    #     {
-    #       "/run/agenix/gitea-actions-runner-token" = {
-    #         hostPath = "/run/agenix/gitea-actions-runner-token";
-    #         isReadOnly = true;
-    #       };
-    #       "/var/lib/gitea-runner" = {
-    #         hostPath = "/var/lib/gitea-runner";
-    #         isReadOnly = false;
-    #       };
-    #     };
-
-    #   extraFlags = [
-    #     # Allow podman
-    #     ''--system-call-filter=thisystemcalldoesnotexistforsure''
-    #   ];
-
-    #   additionalCapabilities = [
-    #     "CAP_SYS_ADMIN"
-    #   ];
-
-    #   config = {
-    #     imports = allModules;
-
-    #     # speeds up evaluation
-    #     nixpkgs.pkgs = pkgs;
-
-    #     networking.hostName = lib.mkForce containerName;
-
-    #     # don't use remote builders
-    #     nix.distributedBuilds = lib.mkForce false;
-
-    #     environment.systemPackages = with pkgs; [
-    #       git
-    #       # Gitea Actions rely heavily on node. Include it because it would be installed anyway.
-    #       nodejs
-    #     ];
-
-    #     services.gitea-actions-runner.instances.inst = {
-    #       enable = true;
-    #       name = config.networking.hostName;
-    #       url = "https://git.neet.dev/";
-    #       tokenFile = "/run/agenix/gitea-actions-runner-token";
-    #       labels = [
-    #         "ubuntu-latest:docker://node:18-bullseye"
-    #         "nixos:host"
-    #       ];
-    #     };
-
-    #     # To allow building on the host, must override the the service's config so it doesn't use a dynamic user
-    #     systemd.services.gitea-runner-inst.serviceConfig.DynamicUser = lib.mkForce false;
-    #     users.users.gitea-runner = {
-    #       home = "/var/lib/gitea-runner";
-    #       group = "gitea-runner";
-    #       isSystemUser = true;
-    #       createHome = true;
-    #     };
-    #     users.groups.gitea-runner = { };
-
-    #     virtualisation.podman.enable = true;
-    #     boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
-    #   };
-    # };
-
-    # networking.nat.enable = true;
-    # networking.nat.internalInterfaces = [
-    #   "ve-${containerName}"
-    # ];
-    # networking.ip_forward = true;
-
-    # don't use remote builders
-    nix.distributedBuilds = lib.mkForce false;
+      config = { config, lib, pkgs, ... }: {
+        system.stateVersion = "25.11";
 
         services.gitea-actions-runner.instances.inst = {
           enable = true;
-      name = config.networking.hostName;
+          name = containerName;
           url = "https://git.neet.dev/";
           tokenFile = "/run/agenix/gitea-actions-runner-token";
-      labels = [
-        "ubuntu-latest:docker://node:18-bullseye"
-        "nixos:host"
-      ];
+          labels = [ "nixos:host" ];
         };
 
-    environment.systemPackages = with pkgs; [
-      git
-      # Gitea Actions rely heavily on node. Include it because it would be installed anyway.
-      nodejs
-    ];
-
-    # To allow building on the host, must override the the service's config so it doesn't use a dynamic user
+        # Disable dynamic user so runner state persists via bind mount
+        assertions = [{
+          assertion = config.systemd.services.gitea-runner-inst.enable;
+          message = "Expected systemd service 'gitea-runner-inst' is not enabled — the gitea-actions-runner module may have changed its naming scheme.";
+        }];
         systemd.services.gitea-runner-inst.serviceConfig.DynamicUser = lib.mkForce false;
         users.users.gitea-runner = {
+          uid = giteaRunnerUid;
           home = "/var/lib/gitea-runner";
           group = "gitea-runner";
           isSystemUser = true;
           createHome = true;
         };
-    users.groups.gitea-runner = { };
+        users.groups.gitea-runner.gid = giteaRunnerGid;
 
-    virtualisation.podman.enable = true;
-    boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+        nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+        environment.systemPackages = with pkgs; [
+          git
+          nodejs
+          jq
+          attic-client
+        ];
+      };
+    };
+
+    # Needs to be outside of the container because container uses's the host's nix-daemon
+    nix.settings.trusted-users = [ "gitea-runner" ];
+
+    # Matching user on host — the container's gitea-runner UID must be
+    # recognized by the host's nix-daemon as trusted (shared UID namespace)
+    users.users.gitea-runner = {
+      uid = giteaRunnerUid;
+      home = "/var/lib/gitea-runner";
+      group = "gitea-runner";
+      isSystemUser = true;
+      createHome = true;
+    };
+    users.groups.gitea-runner.gid = giteaRunnerGid;
 
     age.secrets.gitea-actions-runner-token.file = ../../secrets/gitea-actions-runner-token.age;
   };

common/server/ntfy.nix

@@ -0,0 +1,40 @@
+{ lib, config, ... }:
+
+let
+  cfg = config.services.ntfy-sh;
+in
+{
+  options.services.ntfy-sh = {
+    hostname = lib.mkOption {
+      type = lib.types.str;
+      example = "ntfy.example.com";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.ntfy-sh.settings = {
+      base-url = "https://${cfg.hostname}";
+      listen-http = "127.0.0.1:2586";
+      auth-default-access = "deny-all";
+      auth-file = "/var/lib/ntfy-sh/user.db";
+      behind-proxy = true;
+      enable-login = true;
+      attachment-cache-dir = "/var/lib/ntfy-sh/attachments";
+    };
+
+    # backups
+    backup.group."ntfy".paths = [
+      "/var/lib/ntfy-sh"
+    ];
+
+    services.nginx.enable = true;
+    services.nginx.virtualHosts.${cfg.hostname} = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:2586";
+        proxyWebsockets = true;
+      };
+    };
+  };
+}

common/server/samba.nix

@@ -26,6 +26,16 @@
           "printcap name" = "cups";
 
           "hide files" = "/.nobackup/.DS_Store/._.DS_Store/";
+
+          # Samba 4.22+ enables SMB3 directory leases by default, allowing clients
+          # to cache directory listings locally. When files are created locally on
+          # the server (bypassing Samba), these cached listings go stale because
+          # kernel oplocks — the mechanism that would break leases on local
+          # changes — is incompatible with smb2 leases. Enabling kernel oplocks
+          # would fix this but forces Samba to disable smb2 leases, durable
+          # handles, and level2 oplocks, losing handle caching performance.
+          # https://wiki.samba.org/index.php/Editing_files_locally_on_server:_interoperability
+          "smb3 directory leases" = "no";
         };
         public = {
           path = "/data/samba/Public";

flake.lock

@@ -14,11 +14,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1762618334,
-        "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=",
+        "lastModified": 1770165109,
+        "narHash": "sha256-9VnK6Oqai65puVJ4WYtCTvlJeXxMzAp/69HhQuTdl/I=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "fcdea223397448d35d9b31f798479227e80183f6",
+        "rev": "b027ee29d959fda4b60b57566d64c98a202e0feb",
         "type": "github"
       },
       "original": {
@@ -53,11 +53,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1770491193,
-        "narHash": "sha256-zdnWeXmPZT8BpBo52s4oansT1Rq0SNzksXKpEcMc5lE=",
+        "lastModified": 1771632347,
+        "narHash": "sha256-kNm0YX9RUwf7GZaWQu2F71ccm4OUMz0xFkXn6mGPfps=",
         "owner": "sadjow",
         "repo": "claude-code-nix",
-        "rev": "f68a2683e812d1e4f9a022ff3e0206d46347d019",
+        "rev": "ec90f84b2ea21f6d2272e00d1becbc13030d1895",
         "type": "github"
       },
       "original": {
@@ -124,11 +124,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1766051518,
-        "narHash": "sha256-znKOwPXQnt3o7lDb3hdf19oDo0BLP4MfBOYiWkEHoik=",
+        "lastModified": 1770019181,
+        "narHash": "sha256-hwsYgDnby50JNVpTRYlF3UR/Rrpt01OrxVuryF40CFY=",
         "owner": "serokell",
         "repo": "deploy-rs",
-        "rev": "d5eff7f948535b9c723d60cd8239f8f11ddc90fa",
+        "rev": "77c906c0ba56aabdbc72041bf9111b565cdd6171",
         "type": "github"
       },
       "original": {
@@ -186,11 +186,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1763988335,
-        "narHash": "sha256-QlcnByMc8KBjpU37rbq5iP7Cp97HvjRP0ucfdh+M4Qc=",
+        "lastModified": 1769939035,
+        "narHash": "sha256-Fok2AmefgVA0+eprw2NDwqKkPGEI5wvR+twiZagBvrg=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "50b9238891e388c9fdc6a5c49e49c42533a1b5ce",
+        "rev": "a8ca480175326551d6c4121498316261cbb5b260",
         "type": "github"
       },
       "original": {
@@ -228,11 +228,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1768068402,
-        "narHash": "sha256-bAXnnJZKJiF7Xr6eNW6+PhBf1lg2P1aFUO9+xgWkXfA=",
+        "lastModified": 1771683283,
+        "narHash": "sha256-WxAEkAbo8dP7qiyPM6VN4ZGAxfuBVlNBNPkrqkrXVEc=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "8bc5473b6bc2b6e1529a9c4040411e1199c43b4c",
+        "rev": "c6ed3eab64d23520bcbb858aa53fe2b533725d4a",
         "type": "github"
       },
       "original": {
@@ -250,11 +250,11 @@
         "spectrum": "spectrum"
       },
       "locked": {
-        "lastModified": 1770310890,
-        "narHash": "sha256-lyWAs4XKg3kLYaf4gm5qc5WJrDkYy3/qeV5G733fJww=",
+        "lastModified": 1771365290,
+        "narHash": "sha256-1XJOslVyF7yzf6yd/yl1VjGLywsbtwmQh3X1LuJcLI4=",
         "owner": "astro",
         "repo": "microvm.nix",
-        "rev": "68c9f9c6ca91841f04f726a298c385411b7bfcd5",
+        "rev": "789c90b164b55b4379e7a94af8b9c01489024c18",
         "type": "github"
       },
       "original": {
@@ -270,11 +270,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1765267181,
-        "narHash": "sha256-d3NBA9zEtBu2JFMnTBqWj7Tmi7R5OikoU2ycrdhQEws=",
+        "lastModified": 1771130777,
+        "narHash": "sha256-UIKOwG0D9XVIJfNWg6+gENAvQP+7LO46eO0Jpe+ItJ0=",
         "owner": "Mic92",
         "repo": "nix-index-database",
-        "rev": "82befcf7dc77c909b0f2a09f5da910ec95c5b78f",
+        "rev": "efec7aaad8d43f8e5194df46a007456093c40f88",
         "type": "github"
       },
       "original": {
@@ -285,11 +285,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1767185284,
-        "narHash": "sha256-ljDBUDpD1Cg5n3mJI81Hz5qeZAwCGxon4kQW3Ho3+6Q=",
+        "lastModified": 1771423359,
+        "narHash": "sha256-yRKJ7gpVmXbX2ZcA8nFi6CMPkJXZGjie2unsiMzj3Ig=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "40b1a28dce561bea34858287fbb23052c3ee63fe",
+        "rev": "740a22363033e9f1bb6270fbfb5a9574067af15b",
         "type": "github"
       },
       "original": {
@@ -301,16 +301,16 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1768250893,
-        "narHash": "sha256-fWNJYFx0QvnlGlcw54EoOYs/wv2icINHUz0FVdh9RIo=",
+        "lastModified": 1771369470,
+        "narHash": "sha256-0NBlEBKkN3lufyvFegY4TYv5mCNHbi5OmBDrzihbBMQ=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "3971af1a8fc3646b1d554cb1269b26c84539c22e",
+        "rev": "0182a361324364ae3f436a63005877674cf45efb",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "master",
+        "ref": "nixos-unstable",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -344,11 +344,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1766321686,
-        "narHash": "sha256-icOWbnD977HXhveirqA10zoqvErczVs3NKx8Bj+ikHY=",
+        "lastModified": 1770659507,
+        "narHash": "sha256-RVZno9CypFN3eHxfULKN1K7mb/Cq0HkznnWqnshxpWY=",
         "owner": "simple-nixos-mailserver",
         "repo": "nixos-mailserver",
-        "rev": "7d433bf89882f61621f95082e90a4ab91eb0bdd3",
+        "rev": "781e833633ebc0873d251772a74e4400a73f5d78",
         "type": "gitlab"
       },
       "original": {

flake.nix

@@ -1,7 +1,7 @@
 {
   inputs = {
     # nixpkgs
-    nixpkgs.url = "github:NixOS/nixpkgs/master";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
 
     # Common Utils Among flake inputs
     systems.url = "github:nix-systems/default";
@@ -175,10 +175,10 @@
             kexec = (mkEphemeral "x86_64-linux").config.system.build.images.kexec;
             iso = (mkEphemeral "x86_64-linux").config.system.build.images.iso;
           };
-          "aarch64-linux" = {
-            kexec = (mkEphemeral "aarch64-linux").config.system.build.images.kexec;
-            iso = (mkEphemeral "aarch64-linux").config.system.build.images.iso;
-          };
+          # "aarch64-linux" = {
+          #   kexec = (mkEphemeral "aarch64-linux").config.system.build.images.kexec;
+          #   iso = (mkEphemeral "aarch64-linux").config.system.build.images.iso;
+          # };
         };
 
       overlays.default = import ./overlays { inherit inputs; };

machines/phil/default.nix

@@ -1,9 +0,0 @@
-{ lib, ... }:
-
-{
-  imports = [
-    ./hardware-configuration.nix
-  ];
-
-  networking.hostName = "phil";
-}

machines/phil/hardware-configuration.nix

@@ -1,46 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ lib, modulesPath, ... }:
-
-{
-  imports =
-    [
-      (modulesPath + "/profiles/qemu-guest.nix")
-    ];
-
-  # because grub just doesn't work for some reason
-  boot.loader.systemd-boot.enable = true;
-
-  remoteLuksUnlock.enable = true;
-  remoteLuksUnlock.enableTorUnlock = false;
-
-  boot.initrd.availableKernelModules = [ "xhci_pci" ];
-  boot.initrd.kernelModules = [ "dm-snapshot" ];
-  boot.kernelModules = [ ];
-  boot.extraModulePackages = [ ];
-
-  boot.initrd.luks.devices."enc-pv" = {
-    device = "/dev/disk/by-uuid/d26c1820-4c39-4615-98c2-51442504e194";
-    allowDiscards = true;
-  };
-
-  fileSystems."/" =
-    {
-      device = "/dev/disk/by-uuid/851bfde6-93cd-439e-9380-de28aa87eda9";
-      fsType = "btrfs";
-    };
-
-  fileSystems."/boot" =
-    {
-      device = "/dev/disk/by-uuid/F185-C4E5";
-      fsType = "vfat";
-    };
-
-  swapDevices =
-    [{ device = "/dev/disk/by-uuid/d809e3a1-3915-405a-a200-4429c5efdf87"; }];
-
-  networking.interfaces.enp0s6.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
-}

machines/phil/properties.nix

@@ -1,20 +0,0 @@
-{
-  hostNames = [
-    "phil"
-    "phil.neet.dev"
-  ];
-
-  arch = "aarch64-linux";
-
-  systemRoles = [
-    "server"
-    "nix-builder"
-  ];
-
-  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlgRPpuUkZqe8/lHugRPm/m2vcN9psYhh5tENHZt9I2";
-
-  remoteUnlock = {
-    hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0RodotOXLMy/w70aa096gaNqPBnfgiXR5ZAH4+wGzd";
-    clearnetHost = "unlock.phil.neet.dev";
-  };
-}

machines/ponyo/default.nix

@@ -108,4 +108,8 @@
   # librechat
   services.librechat-container.enable = true;
   services.librechat-container.host = "chat.neet.dev";
+
+  # push notifications
+  services.ntfy-sh.enable = true;
+  services.ntfy-sh.hostname = "ntfy.neet.dev";
 }

machines/storage/s0/hardware-configuration.nix

@@ -72,5 +72,5 @@
     };
   };
 
-  powerManagement.cpuFreqGovernor = "powersave";
+  powerManagement.cpuFreqGovernor = "schedutil";
 }

secrets/secrets.nix

@@ -7,6 +7,9 @@ let
 
   # nobody is using this secret but I still need to be able to r/w it
   nobody = sshKeys.userKeys;
+
+  # For secrets that all machines need to know
+  everyone = roles.personal ++ roles.server;
 in
 
 with roles;
@@ -22,8 +25,10 @@ with roles;
   # nix binary cache
   # public key: s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU=
   "binary-cache-private-key.age".publicKeys = binary-cache;
-  # public key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINpUZFFL9BpBVqeeU63sFPhR9ewuhEZerTCDIGW1NPSB
-  "binary-cache-push-sshkey.age".publicKeys = nobody; # this value is directly given to gitea
+
+  # attic binary cache
+  "atticd-credentials.age".publicKeys = binary-cache;
+  "attic-netrc.age".publicKeys = everyone;
 
   # vpn
   "pia-login.age".publicKeys = pia;