Update inputs + move to nixos-unstable

Add Attic binary cache and containerize gitea runner
Replace nix-serve-only setup with Attic for managed binary caching with upstream filtering and GC. Move gitea actions runner from host into an isolated NixOS container with private networking. nix-serve kept alongside Attic during migration.
2026-02-21 13:00:28 -08:00 · 2026-02-21 12:32:45 -08:00
13 changed files with 113 additions and 137 deletions
--- a/.gitea/scripts/build-and-cache.sh
+++ b/.gitea/scripts/build-and-cache.sh
@@ -1,29 +0,0 @@
 #!/usr/bin/env bash
 set -euo pipefail
 # Configure Attic cache
 attic login local "$ATTIC_ENDPOINT" "$ATTIC_TOKEN"
 attic use local:nixos
 # Check flake
 nix flake check --all-systems --print-build-logs --log-format raw --show-trace
 # Build all systems
 nix eval .#nixosConfigurations --apply 'cs: builtins.attrNames cs' --json \
  | jq -r '.[]' \
  | xargs -I{} nix build ".#nixosConfigurations.{}.config.system.build.toplevel" \
      --no-link --print-build-logs --log-format raw
 # Push to cache (only locally-built paths >= 0.5MB)
 toplevels=$(nix eval .#nixosConfigurations \
  --apply 'cs: map (n: "${cs.${n}.config.system.build.toplevel}") (builtins.attrNames cs)' \
  --json | jq -r '.[]')
 echo "Found $(echo "$toplevels" | wc -l) system toplevels"
 paths=$(echo "$toplevels" \
  | xargs nix path-info -r --json \
  | jq -r '[to_entries[] | select(
      (.value.signatures | all(startswith("cache.nixos.org") | not))
      and .value.narSize >= 524288
    ) | .key] | unique[]')
 echo "Pushing $(echo "$paths" | wc -l) unique paths to cache"
 echo "$paths" | xargs attic push local:nixos
--- a/.gitea/workflows/auto-update.yaml
+++ b/.gitea/workflows/auto-update.yaml
@@ -1,42 +0,0 @@
 name: Auto Update Flake
 on:
  schedule:
    - cron: '0 6 * * *'
  workflow_dispatch: {}
 env:
  DEBIAN_FRONTEND: noninteractive
  PATH: /run/current-system/sw/bin/
  XDG_CONFIG_HOME: ${{ runner.temp }}/.config
  ATTIC_ENDPOINT: ${{ vars.ATTIC_ENDPOINT }}
  ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }}
 jobs:
  auto-update:
    runs-on: nixos
    steps:
      - name: Checkout the repository
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
          ref: master
      - name: Update flake inputs
        run: nix flake update --commit-lock-file
      - name: Build and cache
        run: bash .gitea/scripts/build-and-cache.sh
      - name: Push updated lockfile
        run: git push
      - name: Notify on failure
        if: failure()
        run: |
          curl -s \
            -H "Authorization: Bearer ${{ secrets.NTFY_TOKEN }}" \
            -H "Title: Flake auto-update failed" \
            -H "Priority: high" \
            -H "Tags: warning" \
            -d "Auto-update workflow failed. Check: ${{ gitea.server_url }}/${{ gitea.repository }}/actions/runs/${{ gitea.run_id }}" \
            ntfy.neet.dev/nix-flake-updates
--- a/.gitea/workflows/check-flake.yaml
+++ b/.gitea/workflows/check-flake.yaml
@@ -6,8 +6,6 @@ env:
  DEBIAN_FRONTEND: noninteractive
  PATH: /run/current-system/sw/bin/
  XDG_CONFIG_HOME: ${{ runner.temp }}/.config
  ATTIC_ENDPOINT: ${{ vars.ATTIC_ENDPOINT }}
  ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }}
 jobs:
  check-flake:
@@ -18,5 +16,34 @@ jobs:
        with:
          fetch-depth: 0
-      - name: Build and cache
+      - name: Configure Attic cache
-        run: bash .gitea/scripts/build-and-cache.sh
+        run: |
          attic login local "${{ vars.ATTIC_ENDPOINT }}" "${{ secrets.ATTIC_TOKEN }}"
          attic use local:nixos
      - name: Check Flake
        run: nix flake check --all-systems --print-build-logs --log-format raw --show-trace
      - name: Build all systems
        run: |
          nix eval .#nixosConfigurations --apply 'cs: builtins.attrNames cs' --json \
            | jq -r '.[]' \
            | xargs -I{} nix build ".#nixosConfigurations.{}.config.system.build.toplevel" --no-link --print-build-logs --log-format raw
      - name: Push to cache
        run: |
          set -euo pipefail
          # Get all system toplevel store paths
          toplevels=$(nix eval .#nixosConfigurations --apply 'cs: map (n: "${cs.${n}.config.system.build.toplevel}") (builtins.attrNames cs)' --json | jq -r '.[]')
          echo "Found $(echo "$toplevels" | wc -l) system toplevels"
          # Expand to full closures, deduplicate, and filter out paths that are:
          # - already signed by cache.nixos.org (available upstream)
          # - smaller than 0.5MB (insignificant build artifacts)
          paths=$(echo "$toplevels" \
            | xargs nix path-info -r --json \
            | jq -r '[to_entries[] | select(
                (.value.signatures | all(startswith("cache.nixos.org") | not))
                and .value.narSize >= 524288
              ) | .key] | unique[]')
          echo "Pushing $(echo "$paths" | wc -l) unique paths to cache"
          echo "$paths" | xargs attic push local:nixos
--- a/common/binary-cache.nix
+++ b/common/binary-cache.nix
@@ -10,7 +10,7 @@
      ];
      trusted-public-keys = [
        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-        "nixos:e5AMCUWWEX9MESWAAMjBkZdGUpl588NhgsUO3HsdhFw="
+        "nixos:SnTTQutdOJbAmxo6AQ3cbRt5w9f4byMXQODCieBH3PQ="
      ];
      # Allow substituters to be offline
--- a/common/nix-builder.nix
+++ b/common/nix-builder.nix
@@ -4,8 +4,8 @@ let
  builderUserName = "nix-builder";
  builderRole = "nix-builder";
-  builders = config.machines.withRole.${builderRole} or [];
+  builders = config.machines.withRole.${builderRole};
-  thisMachineIsABuilder = config.thisMachine.hasRole.${builderRole} or false;
+  thisMachineIsABuilder = config.thisMachine.hasRole.${builderRole};
  # builders don't include themselves as a remote builder
  otherBuilders = lib.filter (hostname: hostname != config.networking.hostName) builders;
--- a/common/server/default.nix
+++ b/common/server/default.nix
@@ -16,6 +16,5 @@
    ./librechat.nix
    ./actualbudget.nix
    ./unifi.nix
    ./ntfy.nix
  ];
 }
--- a/common/server/ntfy.nix
+++ b/common/server/ntfy.nix
@@ -1,40 +0,0 @@
 { lib, config, ... }:
 let
  cfg = config.services.ntfy-sh;
 in
 {
  options.services.ntfy-sh = {
    hostname = lib.mkOption {
      type = lib.types.str;
      example = "ntfy.example.com";
    };
  };
  config = lib.mkIf cfg.enable {
    services.ntfy-sh.settings = {
      base-url = "https://${cfg.hostname}";
      listen-http = "127.0.0.1:2586";
      auth-default-access = "deny-all";
      auth-file = "/var/lib/ntfy-sh/user.db";
      behind-proxy = true;
      enable-login = true;
      attachment-cache-dir = "/var/lib/ntfy-sh/attachments";
    };
    # backups
    backup.group."ntfy".paths = [
      "/var/lib/ntfy-sh"
    ];
    services.nginx.enable = true;
    services.nginx.virtualHosts.${cfg.hostname} = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://127.0.0.1:2586";
        proxyWebsockets = true;
      };
    };
  };
 }
--- a/common/server/samba.nix
+++ b/common/server/samba.nix
@@ -26,16 +26,6 @@
          "printcap name" = "cups";
          "hide files" = "/.nobackup/.DS_Store/._.DS_Store/";
          # Samba 4.22+ enables SMB3 directory leases by default, allowing clients
          # to cache directory listings locally. When files are created locally on
          # the server (bypassing Samba), these cached listings go stale because
          # kernel oplocks — the mechanism that would break leases on local
          # changes — is incompatible with smb2 leases. Enabling kernel oplocks
          # would fix this but forces Samba to disable smb2 leases, durable
          # handles, and level2 oplocks, losing handle caching performance.
          # https://wiki.samba.org/index.php/Editing_files_locally_on_server:_interoperability
          "smb3 directory leases" = "no";
        };
        public = {
          path = "/data/samba/Public";
--- a/flake.nix
+++ b/flake.nix
@@ -175,10 +175,10 @@
            kexec = (mkEphemeral "x86_64-linux").config.system.build.images.kexec;
            iso = (mkEphemeral "x86_64-linux").config.system.build.images.iso;
          };
-          # "aarch64-linux" = {
+          "aarch64-linux" = {
-          #   kexec = (mkEphemeral "aarch64-linux").config.system.build.images.kexec;
+            kexec = (mkEphemeral "aarch64-linux").config.system.build.images.kexec;
-          #   iso = (mkEphemeral "aarch64-linux").config.system.build.images.iso;
+            iso = (mkEphemeral "aarch64-linux").config.system.build.images.iso;
-          # };
+          };
        };
      overlays.default = import ./overlays { inherit inputs; };
--- a/machines/phil/default.nix
+++ b/machines/phil/default.nix
@@ -0,0 +1,9 @@
 { lib, ... }:
 {
  imports = [
    ./hardware-configuration.nix
  ];
  networking.hostName = "phil";
 }
--- a/machines/phil/hardware-configuration.nix
+++ b/machines/phil/hardware-configuration.nix
@@ -0,0 +1,46 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { lib, modulesPath, ... }:
 {
  imports =
    [
      (modulesPath + "/profiles/qemu-guest.nix")
    ];
  # because grub just doesn't work for some reason
  boot.loader.systemd-boot.enable = true;
  remoteLuksUnlock.enable = true;
  remoteLuksUnlock.enableTorUnlock = false;
  boot.initrd.availableKernelModules = [ "xhci_pci" ];
  boot.initrd.kernelModules = [ "dm-snapshot" ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  boot.initrd.luks.devices."enc-pv" = {
    device = "/dev/disk/by-uuid/d26c1820-4c39-4615-98c2-51442504e194";
    allowDiscards = true;
  };
  fileSystems."/" =
    {
      device = "/dev/disk/by-uuid/851bfde6-93cd-439e-9380-de28aa87eda9";
      fsType = "btrfs";
    };
  fileSystems."/boot" =
    {
      device = "/dev/disk/by-uuid/F185-C4E5";
      fsType = "vfat";
    };
  swapDevices =
    [{ device = "/dev/disk/by-uuid/d809e3a1-3915-405a-a200-4429c5efdf87"; }];
  networking.interfaces.enp0s6.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
 }
--- a/machines/phil/properties.nix
+++ b/machines/phil/properties.nix
@@ -0,0 +1,20 @@
 {
  hostNames = [
    "phil"
    "phil.neet.dev"
  ];
  arch = "aarch64-linux";
  systemRoles = [
    "server"
    "nix-builder"
  ];
  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlgRPpuUkZqe8/lHugRPm/m2vcN9psYhh5tENHZt9I2";
  remoteUnlock = {
    hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0RodotOXLMy/w70aa096gaNqPBnfgiXR5ZAH4+wGzd";
    clearnetHost = "unlock.phil.neet.dev";
  };
 }
--- a/machines/ponyo/default.nix
+++ b/machines/ponyo/default.nix
@@ -108,8 +108,4 @@
  # librechat
  services.librechat-container.enable = true;
  services.librechat-container.host = "chat.neet.dev";
  # push notifications
  services.ntfy-sh.enable = true;
  services.ntfy-sh.hostname = "ntfy.neet.dev";
 }
Author	SHA1	Message	Date
Zuckerberg	e15402b8bc	Update inputs + move to nixos-unstable All checks were successful Check Flake / check-flake (push) Successful in 2m25s Details	2026-02-21 13:00:28 -08:00
Zuckerberg	911e081680	Add Attic binary cache and containerize gitea runner All checks were successful Check Flake / check-flake (push) Successful in 2m15s Details Replace nix-serve-only setup with Attic for managed binary caching with upstream filtering and GC. Move gitea actions runner from host into an isolated NixOS container with private networking. nix-serve kept alongside Attic during migration.	2026-02-21 12:32:45 -08:00