Add daily auto-update workflow with shared build script

.gitea/scripts/build-and-cache.sh

@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Configure Attic cache
+attic login local "$ATTIC_ENDPOINT" "$ATTIC_TOKEN"
+attic use local:nixos
+
+# Check flake
+nix flake check --all-systems --print-build-logs --log-format raw --show-trace
+
+# Build all systems
+nix eval .#nixosConfigurations --apply 'cs: builtins.attrNames cs' --json \
+  | jq -r '.[]' \
+  | xargs -I{} nix build ".#nixosConfigurations.{}.config.system.build.toplevel" \
+      --no-link --print-build-logs --log-format raw
+
+# Push to cache (only locally-built paths >= 0.5MB)
+toplevels=$(nix eval .#nixosConfigurations \
+  --apply 'cs: map (n: "${cs.${n}.config.system.build.toplevel}") (builtins.attrNames cs)' \
+  --json | jq -r '.[]')
+echo "Found $(echo "$toplevels" | wc -l) system toplevels"
+paths=$(echo "$toplevels" \
+  | xargs nix path-info -r --json \
+  | jq -r '[to_entries[] | select(
+      (.value.signatures | all(startswith("cache.nixos.org") | not))
+      and .value.narSize >= 524288
+    ) | .key] | unique[]')
+echo "Pushing $(echo "$paths" | wc -l) unique paths to cache"
+echo "$paths" | xargs attic push local:nixos

.gitea/workflows/auto-update.yaml

@@ -0,0 +1,42 @@
+name: Auto Update Flake
+on:
+  schedule:
+    - cron: '0 6 * * *'
+  workflow_dispatch: {}
+
+env:
+  DEBIAN_FRONTEND: noninteractive
+  PATH: /run/current-system/sw/bin/
+  XDG_CONFIG_HOME: ${{ runner.temp }}/.config
+  ATTIC_ENDPOINT: ${{ vars.ATTIC_ENDPOINT }}
+  ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }}
+
+jobs:
+  auto-update:
+    runs-on: nixos
+    steps:
+      - name: Checkout the repository
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          ref: master
+
+      - name: Update flake inputs
+        run: nix flake update --commit-lock-file
+
+      - name: Build and cache
+        run: bash .gitea/scripts/build-and-cache.sh
+
+      - name: Push updated lockfile
+        run: git push
+
+      - name: Notify on failure
+        if: failure()
+        run: |
+          curl -s \
+            -H "Authorization: Bearer ${{ secrets.NTFY_TOKEN }}" \
+            -H "Title: Flake auto-update failed" \
+            -H "Priority: high" \
+            -H "Tags: warning" \
+            -d "Auto-update workflow failed. Check: ${{ gitea.server_url }}/${{ gitea.repository }}/actions/runs/${{ gitea.run_id }}" \
+            ntfy.neet.dev/nix-flake-updates

.gitea/workflows/check-flake.yaml

@@ -6,6 +6,8 @@ env:
   DEBIAN_FRONTEND: noninteractive
   PATH: /run/current-system/sw/bin/
   XDG_CONFIG_HOME: ${{ runner.temp }}/.config
+  ATTIC_ENDPOINT: ${{ vars.ATTIC_ENDPOINT }}
+  ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }}
 
 jobs:
   check-flake:
@@ -16,34 +18,5 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: Configure Attic cache
-        run: |
-          attic login local "${{ vars.ATTIC_ENDPOINT }}" "${{ secrets.ATTIC_TOKEN }}"
-          attic use local:nixos
-
-      - name: Check Flake
-        run: nix flake check --all-systems --print-build-logs --log-format raw --show-trace
-
-      - name: Build all systems
-        run: |
-          nix eval .#nixosConfigurations --apply 'cs: builtins.attrNames cs' --json \
-            | jq -r '.[]' \
-            | xargs -I{} nix build ".#nixosConfigurations.{}.config.system.build.toplevel" --no-link --print-build-logs --log-format raw
-
-      - name: Push to cache
-        run: |
-          set -euo pipefail
-          # Get all system toplevel store paths
-          toplevels=$(nix eval .#nixosConfigurations --apply 'cs: map (n: "${cs.${n}.config.system.build.toplevel}") (builtins.attrNames cs)' --json | jq -r '.[]')
-          echo "Found $(echo "$toplevels" | wc -l) system toplevels"
-          # Expand to full closures, deduplicate, and filter out paths that are:
-          # - already signed by cache.nixos.org (available upstream)
-          # - smaller than 0.5MB (insignificant build artifacts)
-          paths=$(echo "$toplevels" \
-            | xargs nix path-info -r --json \
-            | jq -r '[to_entries[] | select(
-                (.value.signatures | all(startswith("cache.nixos.org") | not))
-                and .value.narSize >= 524288
-              ) | .key] | unique[]')
-          echo "Pushing $(echo "$paths" | wc -l) unique paths to cache"
-          echo "$paths" | xargs attic push local:nixos
+      - name: Build and cache
+        run: bash .gitea/scripts/build-and-cache.sh

common/server/default.nix

@@ -16,5 +16,6 @@
     ./librechat.nix
     ./actualbudget.nix
     ./unifi.nix
+    ./ntfy.nix
   ];
 }

common/server/ntfy.nix

@@ -0,0 +1,40 @@
+{ lib, config, ... }:
+
+let
+  cfg = config.services.ntfy-sh;
+in
+{
+  options.services.ntfy-sh = {
+    hostname = lib.mkOption {
+      type = lib.types.str;
+      example = "ntfy.example.com";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.ntfy-sh.settings = {
+      base-url = "https://${cfg.hostname}";
+      listen-http = "127.0.0.1:2586";
+      auth-default-access = "deny-all";
+      auth-file = "/var/lib/ntfy-sh/user.db";
+      behind-proxy = true;
+      enable-login = true;
+      attachment-cache-dir = "/var/lib/ntfy-sh/attachments";
+    };
+
+    # backups
+    backup.group."ntfy".paths = [
+      "/var/lib/ntfy-sh"
+    ];
+
+    services.nginx.enable = true;
+    services.nginx.virtualHosts.${cfg.hostname} = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:2586";
+        proxyWebsockets = true;
+      };
+    };
+  };
+}

machines/ponyo/default.nix

@@ -108,4 +108,8 @@
   # librechat
   services.librechat-container.enable = true;
   services.librechat-container.host = "chat.neet.dev";
+
+  # push notifications
+  services.ntfy-sh.enable = true;
+  services.ntfy-sh.hostname = "ntfy.neet.dev";
 }