Merge pull request 'scale down act runners' (#56) from feature/scale-act into main

Reviewed-on: #56

.github/settings.yml

@@ -1,204 +1,173 @@
 # Have borrowed this config from nix-community/infra
 repository:
-  # See https://developer.github.com/v3/repos/#edit for all available settings.
+    # See https://developer.github.com/v3/repos/#edit for all available settings.
 
-  # The name of the repository. Changing this will rename the repository
+    # The name of the repository. Changing this will rename the repository
-  name: nix-dotfiles
+    name: nix-dotfiles
-
+    # A short description of the repository that will show up on GitHub
-  # A short description of the repository that will show up on GitHub
+    description: RAD-Dev Infra
-  description: RAD-Dev Infra
+    # A URL with more information about the repository
-
+    # homepage: "https://nix-community.org"
-  # A URL with more information about the repository
-  # homepage: "https://nix-community.org"
-
-  # A comma-separated list of topics to set on the repository
-  topics: "nixos"
-
-  # Either `true` to make the repository private, or `false` to make it public.
-  private: false
-
-  # Either `true` to enable issues for this repository, `false` to disable them.
-  has_issues: true
-
-  # Either `true` to enable projects for this repository, or `false` to disable them.
-  # If projects are disabled for the organization, passing `true` will cause an API error.
-  has_projects: true
-
-  # Either `true` to enable the wiki for this repository, `false` to disable it.
-  has_wiki: false
-
-  # Either `true` to enable downloads for this repository, `false` to disable them.
-  has_downloads: false
-
-  # Updates the default branch for this repository.
-  default_branch: main
-
-  # Either `true` to allow squash-merging pull requests, or `false` to prevent
-  # squash-merging.
-  allow_squash_merge: true
-
-  # Either `true` to allow merging pull requests with a merge commit, or `false`
-  # to prevent merging pull requests with merge commits.
-  allow_merge_commit: false
-
-  # Either `true` to allow rebase-merging pull requests, or `false` to prevent
-  # rebase-merging.
-  allow_rebase_merge: true
-
-  # Either `true` to enable automatic deletion of branches on merge, or `false` to disable
-  delete_branch_on_merge: true
-
-  # Either `true` to enable automated security fixes, or `false` to disable
-  # automated security fixes.
-  enable_automated_security_fixes: true
-
-  # Either `true` to enable vulnerability alerts, or `false` to disable
-  # vulnerability alerts.
-  enable_vulnerability_alerts: true
-
-  allow_auto_merge: true
 
+    # A comma-separated list of topics to set on the repository
+    topics: "nixos"
+    # Either `true` to make the repository private, or `false` to make it public.
+    private: false
+    # Either `true` to enable issues for this repository, `false` to disable them.
+    has_issues: true
+    # Either `true` to enable projects for this repository, or `false` to disable them.
+    # If projects are disabled for the organization, passing `true` will cause an API error.
+    has_projects: true
+    # Either `true` to enable the wiki for this repository, `false` to disable it.
+    has_wiki: false
+    # Either `true` to enable downloads for this repository, `false` to disable them.
+    has_downloads: false
+    # Updates the default branch for this repository.
+    default_branch: main
+    # Either `true` to allow squash-merging pull requests, or `false` to prevent
+    # squash-merging.
+    allow_squash_merge: true
+    # Either `true` to allow merging pull requests with a merge commit, or `false`
+    # to prevent merging pull requests with merge commits.
+    allow_merge_commit: false
+    # Either `true` to allow rebase-merging pull requests, or `false` to prevent
+    # rebase-merging.
+    allow_rebase_merge: true
+    # Either `true` to enable automatic deletion of branches on merge, or `false` to disable
+    delete_branch_on_merge: true
+    # Either `true` to enable automated security fixes, or `false` to disable
+    # automated security fixes.
+    enable_automated_security_fixes: true
+    # Either `true` to enable vulnerability alerts, or `false` to disable
+    # vulnerability alerts.
+    enable_vulnerability_alerts: true
+    allow_auto_merge: true
 # Labels: define labels for Issues and Pull Requests
 #
 labels:
-  - name: bug
+    - name: bug
-    color: '#d73a4a'
+      color: '#d73a4a'
-    description: Something isn't working
+      description: Something isn't working
-  - name: CI/CD
+    - name: CI/CD
-    # If including a `#`, make sure to wrap it with quotes!
+      # If including a `#`, make sure to wrap it with quotes!
-    color: '#0e8a16'
+      color: '#0e8a16'
-    description: Related to GH Actions or Hydra
+      description: Related to GH Actions or Hydra
-  - name: documentation
+    - name: documentation
-    color: '#0075ca'
+      color: '#0075ca'
-    description: Improvements or additions to documentation
+      description: Improvements or additions to documentation
-  - name: duplicate
+    - name: duplicate
-    color: '#cfd3d7'
+      color: '#cfd3d7'
-    description: This issue or pull request already exists
+      description: This issue or pull request already exists
-  - name: enhancement
+    - name: enhancement
-    color: '#a2eeef'
+      color: '#a2eeef'
-    description: New feature or request
+      description: New feature or request
-  - name: good first issue
+    - name: good first issue
-    color: '#7057ff'
+      color: '#7057ff'
-    description: Good for newcomers
+      description: Good for newcomers
-  - name: help wanted
+    - name: help wanted
-    color: '#008672'
+      color: '#008672'
-    description: Extra attention is needed
+      description: Extra attention is needed
-  - name: high priority
+    - name: high priority
-    color: '#BF480A'
+      color: '#BF480A'
-    description: A major vurnability was detected
+      description: A major vurnability was detected
-  - name: invalid
+    - name: invalid
-    color: '#e4e669'
+      color: '#e4e669'
-    description: This doesn't seem right
+      description: This doesn't seem right
-  - name: new user
+    - name: new user
-    color: '#C302A1'
+      color: '#C302A1'
-    description: A new user was added to the Flake
+      description: A new user was added to the Flake
-  - name: question
+    - name: question
-    color: '#d876e3'
+      color: '#d876e3'
-    description: Further information is requested
+      description: Further information is requested
-  - name: wontfix
+    - name: wontfix
-    color: '#ffffff'
+      color: '#ffffff'
-    description: This will not be worked on
+      description: This will not be worked on
-  - name: dependencies
+    - name: dependencies
-    color: '#cb4ed5'
+      color: '#cb4ed5'
-    description: Used for PR's related to flake.lock updates
+      description: Used for PR's related to flake.lock updates
-  - name: automated
+    - name: automated
-    color: '#42b528'
+      color: '#42b528'
-    description: PR was automatically generated (through a bot or CI/CD)
+      description: PR was automatically generated (through a bot or CI/CD)
-
 # Milestones: define milestones for Issues and Pull Requests
 milestones:
-  - title: Go-Live
+    - title: Go-Live
-    description: >-
+      description: >-
-      All requirements for official go-live:
+        All requirements for official go-live: - Automated testing via Hydra/Actions - Automated deployments via Hydra/Actions - 90+% testing coverage - Functional formatter with custom rules - palatine-hill is fully stable, enough so that jeeves can be migrated
-      - Automated testing via Hydra/Actions
+      # The state of the milestone. Either `open` or `closed`
-      - Automated deployments via Hydra/Actions
+      state: open
-      - 90+% testing coverage
+    - title: Jeeves Migration
-      - Functional formatter with custom rules
+      description: >-
-      - palatine-hill is fully stable, enough so that jeeves can be migrated
+        Test common use-cases for Jeeves - Quadro GPU support - Multi-GPU support - Plex support - Docker support - ZFS support
-    # The state of the milestone. Either `open` or `closed`
-    state: open
-  - title: Jeeves Migration
-    description: >-
-      Test common use-cases for Jeeves
-      - Quadro GPU support
-      - Multi-GPU support
-      - Plex support
-      - Docker support
-      - ZFS support
-
-
 # Collaborators: give specific users access to this repository.
 # See https://docs.github.com/en/rest/reference/repos#add-a-repository-collaborator for available options
 collaborators:
-  # - username: numtide-bot
+# - username: numtide-bot
-  # Note: `permission` is only valid on organization-owned repositories.
+# Note: `permission` is only valid on organization-owned repositories.
-  # The permission to grant the collaborator. Can be one of:
+# The permission to grant the collaborator. Can be one of:
-  # * `pull` - can pull, but not push to or administer this repository.
+# * `pull` - can pull, but not push to or administer this repository.
-  # * `push` - can pull and push, but not administer this repository.
+# * `push` - can pull and push, but not administer this repository.
-  # * `admin` - can pull, push and administer this repository.
+# * `admin` - can pull, push and administer this repository.
-  # * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
+# * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
-  # * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
+# * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
-  # permission: push
+# permission: push
 
 # See https://docs.github.com/en/rest/reference/teams#add-or-update-team-repository-permissions for available options
 teams:
-  # - name: admin
+# - name: admin
-    # The permission to grant the team. Can be one of:
+# The permission to grant the team. Can be one of:
-    # * `pull` - can pull, but not push to or administer this repository.
+# * `pull` - can pull, but not push to or administer this repository.
-    # * `push` - can pull and push, but not administer this repository.
+# * `push` - can pull and push, but not administer this repository.
-    # * `admin` - can pull, push and administer this repository.
+# * `admin` - can pull, push and administer this repository.
-    # * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
+# * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
-    # * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
+# * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
-    # permission: admin
+# permission: admin
-
 branches:
-  # gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/nix-community/infra/branches/master/protection
+    # gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/nix-community/infra/branches/master/protection
 
-  # not available in the api yet
+    # not available in the api yet
-  # `Require merge queue`: true
+    # `Require merge queue`: true
-  # `Merge method`: Rebase and merge
+    # `Merge method`: Rebase and merge
-  # `Maximum pull requests to build`: 1
+    # `Maximum pull requests to build`: 1
-  # `Maximum pull requests to merge`: 1
+    # `Maximum pull requests to merge`: 1
-  # defaults:
+    # defaults:
-  # `Maximum pull requests to build`: 5
+    # `Maximum pull requests to build`: 5
-  # `Minimum pull requests to merge`: 1 or 5 minutes
+    # `Minimum pull requests to merge`: 1 or 5 minutes
-  # `Maximum pull requests to merge`: 5
+    # `Maximum pull requests to merge`: 5
-  # `Only merge non-failing pull requests`: true
+    # `Only merge non-failing pull requests`: true
-  # `Consider check failed after`: 60 minutes
+    # `Consider check failed after`: 60 minutes
+    - name: main
+      # https://docs.github.com/en/rest/reference/repos#update-branch-protection
+      # Branch Protection settings. Set to null to disable
+      protection:
+        # Required. Require at least one approving review on a pull request, before merging. Set to null to disable.
 
-  - name: main
+        # these settings are the same as manually enabling "Require a pull request before merging" but not setting any other restrictions
-    # https://docs.github.com/en/rest/reference/repos#update-branch-protection
+        required_pull_request_reviews:
-    # Branch Protection settings. Set to null to disable
+            # # The number of approvals required. (1-6)
-    protection:
+            required_approving_review_count: 1
-      # Required. Require at least one approving review on a pull request, before merging. Set to null to disable.
+            # # Dismiss approved reviews automatically when a new commit is pushed.
-
+            dismiss_stale_reviews: true
-      # these settings are the same as manually enabling "Require a pull request before merging" but not setting any other restrictions
+            # # Blocks merge until code owners have reviewed.
-      required_pull_request_reviews:
+            require_code_owner_reviews: false
-        # # The number of approvals required. (1-6)
+            # # Specify which users and teams can dismiss pull request reviews. Pass an empty dismissal_restrictions object to disable. User and team dismissal_restrictions are only available for organization-owned repositories. Omit this parameter for personal repositories.
-        required_approving_review_count: 1
+            # dismissal_restrictions:
-        # # Dismiss approved reviews automatically when a new commit is pushed.
+            #   users: []
-        dismiss_stale_reviews: true
+            #   teams: []
-        # # Blocks merge until code owners have reviewed.
+            require_last_push_approval: false
-        require_code_owner_reviews: false
+        # Required. Require status checks to pass before merging. Set to null to disable
-        # # Specify which users and teams can dismiss pull request reviews. Pass an empty dismissal_restrictions object to disable. User and team dismissal_restrictions are only available for organization-owned repositories. Omit this parameter for personal repositories.
+        # required_status_checks:
-        # dismissal_restrictions:
-        #   users: []
-        #   teams: []
-        require_last_push_approval: false
-      # Required. Require status checks to pass before merging. Set to null to disable
-      # required_status_checks:
         # Required. Require branches to be up to date before merging.
         # strict: false
         # Required. The list of status checks to require in order to merge into this branch
         # contexts:
         #   - buildbot/nix-eval
-      # Required. Enforce all configured restrictions for administrators. Set to true to enforce required status checks for repository administrators. Set to null to disable.
+        # Required. Enforce all configured restrictions for administrators. Set to true to enforce required status checks for repository administrators. Set to null to disable.
-      enforce_admins: true
+        enforce_admins: true
-      # Disabled for bors to work
+        # Disabled for bors to work
-      required_linear_history: true
+        required_linear_history: true
-      # Required. Restrict who can push to this branch. Team and user restrictions are only available for organization-owned repositories. Set to null to disable.
+        # Required. Restrict who can push to this branch. Team and user restrictions are only available for organization-owned repositories. Set to null to disable.
-      restrictions:
+        restrictions:
-        apps: []
+            apps: []
-        # TODO: make a buildbot instance
+            # TODO: make a buildbot instance
-        # users: ["nix-infra-bot"]
+            # users: ["nix-infra-bot"]
-        teams: []
+            teams: []

.github/workflows/cache-merge.yml

@@ -1,90 +0,0 @@
-name: Nix CI
-on:
-  push:
-    # don't run on tags, run on commits
-    # https://github.com/orgs/community/discussions/25615
-    tags-ignore:
-      - "**"
-    branches:
-      - main
-  merge_group:
-  schedule:
-    - cron: 0 0 * * *
-  workflow_dispatch:
-
-jobs:
-  # Merge similar `individual` caches
-  # Purge `individual` caches and old `common` caches
-  # Save new `common` caches
-  merge-similar-caches:
-    name: Merge similar caches
-    strategy:
-      matrix:
-        os: [ubuntu-latest]
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Checkout this repo
-        uses: actions/checkout@v4
-
-      - name: Install nix
-        uses: https://github.com/DeterminateSystems/nix-installer-action@main
-
-      - run: nix profile install nixpkgs#sqlite
-
-      - uses: nix-community/cache-nix-action@v6
-        name: create and purge common cache
-        with:
-          primary-key: similar-cache-${{ matrix.os }}-common-${{ hashFiles('flake.lock') }}
-          # if no hit on the primary key, restore individual caches that match `ci.yaml`
-          restore-prefixes-all-matches: |
-            similar-cache-${{ matrix.os }}-individual-${{ hashFiles('flake.lock', '*.nix') }}
-          # do purge caches
-          purge: true
-          # purge old versions of the `common` cache and any versions of individual caches
-          purge-prefixes: |
-            similar-cache-${{ matrix.os }}-common-
-          # created more than 0 seconds ago relative to the start of the `Post Restore` phase
-          purge-created: 0
-          # except the version with the `primary-key`, if it exists
-          purge-primary-key: never
-          token: ${{ secrets.GH_TOKEN_FOR_UPDATES  }}
-
-      - uses: nix-community/cache-nix-action@v6
-        name: purge some individual caches
-        with:
-          primary-key: similar-cache-${{ matrix.os }}-common-${{ hashFiles('flake.lock') }}
-          # if no hit on the primary key, restore individual caches that match `ci.yaml`
-          restore-prefixes-all-matches: |
-            similar-cache-${{ matrix.os }}-individual-${{ hashFiles('flake.lock', '*.nix') }}
-          # do purge caches
-          purge: true
-          # purge old versions of the `common` cache and any versions of individual caches
-          purge-prefixes: |
-            similar-cache-${{ matrix.os }}-individual-
-          # created more than 0 seconds ago relative to the start of the `Post Restore` phase
-          purge-created: 259200
-          # except the version with the `primary-key`, if it exists
-          purge-primary-key: never
-          token: ${{ secrets.GH_TOKEN_FOR_UPDATES  }}
-
-  # Check that the `common` cache is restored correctly
-  merge-similar-caches-check:
-    name: Check a `common` cache is restored correctly
-    needs: merge-similar-caches
-    strategy:
-      matrix:
-        os: [ubuntu-latest]
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Checkout this repo
-        uses: actions/checkout@v4
-
-      - name: Install nix
-        uses: https://github.com/DeterminateSystems/nix-installer-action@main
-
-      - run: nix profile install nixpkgs#sqlite
-
-      - name: Restore Nix store
-        uses: nix-community/cache-nix-action@v6
-        with:
-          primary-key: similar-cache-${{ matrix.os }}-common-${{ hashFiles('flake.lock') }}

.github/workflows/flake-health-checks.yml

@@ -1,94 +1,47 @@
 name: "Check Nix flake"
 on:
-  push:
+    push:
-    branches: ["main"]
+        branches: ["main"]
-  pull_request:
+    pull_request:
-    branches: ["main"]
+        branches: ["main"]
-  merge_group:
+    merge_group:
-
 jobs:
-  health-check:
+    health-check:
-    name: "Perform Nix flake checks"
+        name: "Perform Nix flake checks"
-    runs-on: ${{ matrix.os }}
+        runs-on: ${{ matrix.os }}
-    strategy:
+        strategy:
-      matrix:
+            matrix:
-        os: [ubuntu-latest]
+                os: [ubuntu-latest]
-    steps:
+        steps:
-      - uses: DeterminateSystems/nix-installer-action@main
+            - uses: DeterminateSystems/nix-installer-action@main
-
+            - name: Setup Attic cache
-      - uses: actions/checkout@v4
+              uses: ryanccn/attic-action@v0
-
+              with:
-      - run: nix profile install nixpkgs#sqlite
+                endpoint: ${{ secrets.ATTIC_ENDPOINT }}
-
+                cache: ${{ secrets.ATTIC_CACHE }}
-      - name: Restore Nix store
+                token: ${{ secrets.ATTIC_TOKEN }}
-        id: restore
+                skip-push: "true"
-        uses: nix-community/cache-nix-action@v6
+            - uses: actions/checkout@v4
-        with:
+            - run: nix flake check --accept-flake-config
-          # save a new cache every time `ci.yaml` changes
+            - run: nix ./utils/attic-push.bash
-          primary-key: similar-cache-${{ matrix.os }}-individual-${{ hashFiles('flake.lock', '*.nix') }}
+    build-checks:
-          # otherwise, restore a common cache if and only if it matches the current `ci.yaml`
+        name: "Build nix outputs"
-          restore-prefixes-first-match: similar-cache-${{ matrix.os }}-common-
+        runs-on: ${{ matrix.os }}
-
+        strategy:
-      - name: Setup Attic cache
+            matrix:
-        uses: ryanccn/attic-action@v0
+                os: [ubuntu-latest]
-        with:
+        steps:
-          endpoint: ${{ secrets.ATTIC_ENDPOINT }}
+            - uses: DeterminateSystems/nix-installer-action@main
-          cache: ${{ secrets.ATTIC_CACHE }}
+            - name: Setup Attic cache
-          token: ${{ secrets.ATTIC_TOKEN }}
+              uses: ryanccn/attic-action@v0
-          skip-push: "true"
+              with:
-
+                endpoint: ${{ secrets.ATTIC_ENDPOINT }}
-      - run: nix flake check --accept-flake-config
+                cache: ${{ secrets.ATTIC_CACHE }}
-
+                token: ${{ secrets.ATTIC_TOKEN }}
-      - run: nix ./utils/attic-push.bash
+                skip-push: "true"
-
+            - uses: actions/checkout@v4
-  build-checks:
+            - name: Build all outputs
-    name: "Build nix outputs"
+              run: nix run git+https://nayeonie.com/ahuston-0/flake-update-diff -- --build .
-    runs-on: ${{ matrix.os }}
+            - name: Push to Attic
-    strategy:
+              run: nix ./utils/attic-push.bash
-      matrix:
+              continue-on-error: true
-        os: [ubuntu-latest]
-    steps:
-      - uses: DeterminateSystems/nix-installer-action@main
-
-      - uses: actions/checkout@v4
-
-      - run: nix profile install nixpkgs#sqlite
-
-      - name: Restore Nix store
-        id: restore
-        uses: nix-community/cache-nix-action@v6
-        with:
-          # save a new cache every time `ci.yaml` changes
-          primary-key: similar-cache-${{ matrix.os }}-individual-${{ hashFiles('flake.lock', '*.nix') }}
-          # otherwise, restore a common cache if and only if it matches the current `ci.yaml`
-          restore-prefixes-first-match: similar-cache-${{ matrix.os }}-common-
-
-      - name: Setup Attic cache
-        uses: ryanccn/attic-action@v0
-        with:
-          endpoint: ${{ secrets.ATTIC_ENDPOINT }}
-          cache: ${{ secrets.ATTIC_CACHE }}
-          token: ${{ secrets.ATTIC_TOKEN }}
-          skip-push: "true"
-
-      - name: Build all outputs
-        run: nix run git+https://nayeonie.com/ahuston-0/flake-update-diff -- --build .
-
-      - name: Push to Attic
-        run: nix ./utils/attic-push.bash
-        continue-on-error: true
-
-      - name: Save Nix store
-        if: steps.restore.outputs.hit == 'false'
-        uses: nix-community/cache-nix-action@v6
-        with:
-          # save a new cache every time `ci.yaml` changes
-          primary-key: similar-cache-${{ matrix.os }}-individual-${{ hashFiles('flake.lock', '*.nix') }}
-          # do purge caches
-          purge: true
-          # purge all versions of the individual cache
-          purge-prefixes: similar-cache-${{ matrix.os }}-individual-
-          # created more than 0 seconds ago relative to the start of the `Post Restore` phase
-          purge-created: 0
-          # except the version with the `primary-key`, if it exists
-          purge-primary-key: never

.github/workflows/flake-update.yml

@@ -1,155 +1,112 @@
 name: "Update flakes"
 on:
-  repository_dispatch:
+    repository_dispatch:
-  workflow_dispatch:
+    workflow_dispatch:
-  schedule:
+    schedule:
-    - cron: "00 12 * * *"
+        - cron: "00 12 * * *"
 jobs:
-  update_lockfile:
+    update_lockfile:
-    runs-on: ubuntu-latest
+        runs-on: ubuntu-latest
-    if: github.ref == 'refs/heads/main' # ensure workflow_dispatch only runs on main
+        #if: github.ref == 'refs/heads/main' # ensure workflow_dispatch only runs on main
-    steps:
+        steps:
-      - name: Checkout repository
+            - name: Checkout repository
-        uses: actions/checkout@v4
+              uses: actions/checkout@v4
+            - name: Install nix
+              uses: https://github.com/DeterminateSystems/nix-installer-action@main
+            - name: Setup Attic cache
+              uses: ryanccn/attic-action@v0
+              with:
+                endpoint: ${{ secrets.ATTIC_ENDPOINT }}
+                cache: ${{ secrets.ATTIC_CACHE }}
+                token: ${{ secrets.ATTIC_TOKEN }}
+                skip-push: "true"
+            - name: Get pre-snapshot of evaluations
+              run: nix ./utils/eval-to-drv.sh pre
+            - name: Update flake.lock
+              id: update
+              run: |
+                nix flake update 2> >(tee /dev/stderr) | awk '
+                  /^• Updated input/ {in_update = 1; print; next}
+                  in_update && !/^warning:/ {print}
+                  /^$/ {in_update = 0}
+                ' > update.log
 
-      - name: Install nix
+                echo "UPDATE_LOG<<EOF" >> $GITHUB_ENV
-        uses: https://github.com/DeterminateSystems/nix-installer-action@main
+                cat update.log >> $GITHUB_ENV
+                echo "EOF" >> $GITHUB_ENV
 
-      - run: nix profile install nixpkgs#sqlite
+                rm update.log
+            - name: Get post-snapshot of evaluations
+              run: nix ./utils/eval-to-drv.sh post
+            - name: Calculate diff
+              run: nix ./utils/diff-evals.sh
+            - name: Read file contents
+              id: read_file
+              uses: guibranco/github-file-reader-action-v2@latest
+              with:
+                path: "post-diff"
+            - name: Write PR body template
+              uses: https://github.com/DamianReeves/write-file-action@v1.3
+              with:
+                path: pr_body.template
+                contents: |
+                    - The following Nix Flake inputs were updated:
 
-      - name: Restore Nix store
+                    ```
-        id: restore
+                    ${{ env.UPDATE_LOG }}
-        uses: nix-community/cache-nix-action@v6
+                    ```
-        with:
-          # save a new cache every time `ci.yaml` changes
-          primary-key: similar-cache-${{ matrix.os }}-individual-${{ hashFiles('flake.lock', '*.nix') }}
-          # otherwise, restore a common cache if and only if it matches the current `ci.yaml`
-          restore-prefixes-first-match: similar-cache-${{ matrix.os }}-common-
 
-      - name: Setup Attic cache
+                    ```
-        uses: ryanccn/attic-action@v0
+                    ${{ steps.read_file.outputs.contents }}
-        with:
+                    ```
-          endpoint: ${{ secrets.ATTIC_ENDPOINT }}
-          cache: ${{ secrets.ATTIC_CACHE }}
-          token: ${{ secrets.ATTIC_TOKEN }}
-          skip-push: "true"
 
-      - name: Get pre-snapshot of evaluations
+                    Auto-generated by [update.yml][1] with the help of
-        run: nix ./utils/eval-to-drv.sh pre
+                    [create-pull-request][2].
 
-      - name: Update flake.lock
+                    [1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/flake-update.yml
-        id: update
+                    [2]: https://forgejo.stefka.eu/jiriks74/create-pull-request
-        run: |
+            - name: Generate PR body
-          nix flake update 2> >(tee /dev/stderr) | awk '
+              uses: pedrolamas/handlebars-action@v2.4.0 # v2.4.0
-            /^• Updated input/ {in_update = 1; print; next}
+              with:
-            in_update && !/^warning:/ {print}
+                files: "pr_body.template"
-            /^$/ {in_update = 0}
+                output-filename: "pr_body.md"
-          ' > update.log
+            - name: Save PR body
+              id: pr_body
+              uses: juliangruber/read-file-action@v1
+              with:
+                path: "pr_body.md"
+            - name: Remove temporary files
+              run: |
+                rm pr_body.template
+                rm pr_body.md
+                rm pre.json
+                rm post.json
+                rm post-diff
+            - name: Create Pull Request
+              id: create-pull-request
+              # uses: https://forgejo.stefka.eu/jiriks74/create-pull-request@7174d368c2e4450dea17b297819eb28ae93ee645
+              uses: https://nayeonie.com/ahuston-0/create-pull-request@main
+              with:
+                token: ${{ secrets.GH_TOKEN_FOR_UPDATES  }}
+                body: ${{ steps.pr_body.outputs.content }}
+                author: '"github-actions[bot]" <github-actions[bot]@users.noreply.github.com>'
+                title: 'automated: Update `flake.lock`'
+                commit-message: |
+                    automated: Update `flake.lock`
 
-          echo "UPDATE_LOG<<EOF" >> $GITHUB_ENV
+                    ${{ steps.pr_body.outputs.content }}
-          cat update.log >> $GITHUB_ENV
+                branch: update-flake-lock
-          echo "EOF" >> $GITHUB_ENV
+                delete-branch: true
-
+                pr-labels: | # Labels to be set on the PR
-          rm update.log
+                    dependencies
-
+                    automated
-      - name: Get post-snapshot of evaluations
+            - name: Push to Attic
-        run: nix ./utils/eval-to-drv.sh post
+              run: nix ./utils/attic-push.bash
-
+              continue-on-error: true
-      - name: Calculate diff
+            - name: Print PR number
-        run: nix ./utils/diff-evals.sh
+              run: |
-
+                echo "Pull request number is ${{ steps.create-pull-request.outputs.pull-request-number }}."
-      - name: Read diff into environment
+                echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"
-        run: |
-          delimiter="$(openssl rand -hex 8)"
-          {
-          echo "POSTDIFF<<${delimiter}"
-          cat post-diff
-          echo "${delimiter}"
-          } >> $GITHUB_ENV
-
-      - name: Write PR body template
-        uses: https://github.com/DamianReeves/write-file-action@v1.3
-        with:
-          path: pr_body.template
-          contents: |
-            - The following Nix Flake inputs were updated:
-
-            ```
-            ${{ env.UPDATE_LOG }}
-            ```
-
-            ```
-            {{ env.POSTDIFF }}
-            ```
-
-            Auto-generated by [update.yml][1] with the help of
-            [create-pull-request][2].
-
-            [1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/flake-update.yml
-            [2]: https://forgejo.stefka.eu/jiriks74/create-pull-request
-
-      - name: Generate PR body
-        uses: pedrolamas/handlebars-action@v2.4.0 # v2.4.0
-        with:
-          files: "pr_body.template"
-          output-filename: "pr_body.md"
-
-      - name: Save PR body
-        id: pr_body
-        uses: juliangruber/read-file-action@v1
-        with:
-          path: "pr_body.md"
-
-      - name: Remove temporary files
-        run: |
-          rm pr_body.template
-          rm pr_body.md
-          rm pre.json
-          rm post.json
-          rm post-diff
-
-      - name: Create Pull Request
-        id: create-pull-request
-        # uses: https://forgejo.stefka.eu/jiriks74/create-pull-request@7174d368c2e4450dea17b297819eb28ae93ee645
-        uses: https://nayeonie.com/ahuston-0/create-pull-request@main
-        with:
-          token: ${{ secrets.GH_TOKEN_FOR_UPDATES  }}
-          body: ${{ steps.pr_body.outputs.content }}
-          author: '"github-actions[bot]" <github-actions[bot]@users.noreply.github.com>'
-          title: 'automated: Update `flake.lock`'
-          commit-message: |
-            automated: Update `flake.lock`
-
-            ${{ steps.pr_body.outputs.content }}
-
-          branch: update-flake-lock
-          delete-branch: true
-          pr-labels: |                  # Labels to be set on the PR
-            dependencies
-            automated
-
-      - name: Push to Attic
-        run: nix ./utils/attic-push.bash
-        continue-on-error: true
-
-      - name: Save Nix store
-        uses: nix-community/cache-nix-action@v6
-        with:
-          # save a new cache every time `ci.yaml` changes
-          primary-key: similar-cache-${{ matrix.os }}-individual-${{ hashFiles('flake.lock', '*.nix') }}
-          # do purge caches
-          purge: true
-          # purge all versions of the individual cache
-          purge-prefixes: similar-cache-${{ matrix.os }}-individual-
-          # created more than 0 seconds ago relative to the start of the `Post Restore` phase
-          purge-created: 0
-          # except the version with the `primary-key`, if it exists
-          purge-primary-key: never
-
-      - name: Print PR number
-        run: |
-          echo "Pull request number is ${{ steps.create-pull-request.outputs.pull-request-number }}."
-          echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"
 permissions:
-  pull-requests: write
+    pull-requests: write
-  contents: write
+    contents: write

.github/workflows/lock-health-checks.yml

@@ -1,17 +1,16 @@
 name: "Check flake.lock"
 on:
-  push:
+    push:
-    branches: ["main"]
+        branches: ["main"]
-  pull_request:
+    pull_request:
-    branches: ["main"]
+        branches: ["main"]
-  merge_group:
+    merge_group:
-
 jobs:
-  health-check:
+    health-check:
-    name: "Check health of `flake.lock`"
+        name: "Check health of `flake.lock`"
-    runs-on: ubuntu-latest
+        runs-on: ubuntu-latest
-    steps:
+        steps:
-      - uses: actions/checkout@v4
+            - uses: actions/checkout@v4
-      - uses: DeterminateSystems/flake-checker-action@main
+            - uses: DeterminateSystems/flake-checker-action@main
-        with:
+              with:
-          fail-mode: true
+                fail-mode: true

.github/workflows/nix-fmt.yml

@@ -1,26 +1,25 @@
 name: "Check Nix formatting"
 on:
-  push:
+    push:
-    branches: ["main"]
+        branches: ["main"]
-  pull_request:
+    pull_request:
-    branches: ["main"]
+        branches: ["main"]
-  merge_group:
+    merge_group:
-
 jobs:
-  health-check:
+    health-check:
-    name: "Perform Nix format checks"
+        name: "Perform Nix format checks"
-    runs-on: ubuntu-latest
+        runs-on: ubuntu-latest
-    steps:
+        steps:
-      - uses: DeterminateSystems/nix-installer-action@main
+            - uses: DeterminateSystems/nix-installer-action@main
-      - name: Setup Attic cache
+            - name: Setup Attic cache
-        uses: ryanccn/attic-action@v0
+              uses: ryanccn/attic-action@v0
-        with:
+              with:
-          endpoint: ${{ secrets.ATTIC_ENDPOINT }}
+                endpoint: ${{ secrets.ATTIC_ENDPOINT }}
-          cache: ${{ secrets.ATTIC_CACHE }}
+                cache: ${{ secrets.ATTIC_CACHE }}
-          token: ${{ secrets.ATTIC_TOKEN }}
+                token: ${{ secrets.ATTIC_TOKEN }}
-          skip-push: "true"
+                skip-push: "true"
-      - uses: actions/checkout@v4
+            - uses: actions/checkout@v4
-      - run: nix fmt -- --check .
+            - run: nix fmt -- --check .
-      - name: Push to Attic
+            - name: Push to Attic
-        run: nix ./utils/attic-push.bash
+              run: nix ./utils/attic-push.bash
-        continue-on-error: true
+              continue-on-error: true

.sops.yaml

@@ -1,51 +1,46 @@
 keys:
-  # The PGP keys in keys/
+    # The PGP keys in keys/
-  - &admin_alice 5EFFB75F7C9B74EAA5C4637547940175096C1330
+    - &admin_alice 5EFFB75F7C9B74EAA5C4637547940175096C1330
-
+    # Generate AGE keys from SSH keys with:
-  # Generate AGE keys from SSH keys with:
+    #   ssh-keygen -A
-  #   ssh-keygen -A
+    #   nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
-  #   nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
+    # cspell:disable
-  # cspell:disable
+    - &artemision age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
-  - &artemision age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
+    - &artemision-home age1t29a6z6cfy8m3cnc8uva0ey833vhcppue8psyumts7mtyf0zufcqvfshuc
-  - &artemision-home age1t29a6z6cfy8m3cnc8uva0ey833vhcppue8psyumts7mtyf0zufcqvfshuc
     #- &palatine-hill age1z8q02wdp0a2ep5uuffgfeqlfam4ztl95frhw5qhnn6knn0rrmcnqk5evej
-  - &palatine-hill age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
+    - &palatine-hill age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
-  # cspell:enable
+    # cspell:enable
-
 servers: &servers
-  - *palatine-hill
+    - *palatine-hill
-
 # add new users by executing: sops users/<user>/secrets.yaml
 # then have someone already in the repo run the below
 #
 # update keys by executing: sops updatekeys secrets.yaml
 # note: add .* before \.yaml if you'd like to use the mergetool config
 creation_rules:
-  - path_regex: users/alice/secrets.*\.yaml$
+    - path_regex: users/alice/secrets.*\.yaml$
-    key_groups:
+      key_groups:
-      - pgp:
+        - pgp:
-          - *admin_alice
+            - *admin_alice
-        age:
+          age:
-          - *palatine-hill
+            - *palatine-hill
-          - *artemision
+            - *artemision
-          - *artemision-home
+            - *artemision-home
-
+    - path_regex: systems/palatine-hill/secrets.*\.yaml$
-  - path_regex: systems/palatine-hill/secrets.*\.yaml$
+      key_groups:
-    key_groups:
+        - pgp:
-      - pgp: 
+            - *admin_alice
-          - *admin_alice
+          age:
-        age:
+            - *palatine-hill
-          - *palatine-hill
+    - path_regex: systems/artemision/secrets.*\.yaml$
-
+      key_groups:
-  - path_regex: systems/artemision/secrets.*\.yaml$
+        - pgp:
-    key_groups:
+            - *admin_alice
-      - pgp:
+          age:
-          - *admin_alice
+            - *artemision
-        age:
+    - path_regex: systems/palatine-hill/docker/wg/.*\.conf$
-          - *artemision
+      key_groups:
-  - path_regex: systems/palatine-hill/docker/wg/.*\.conf$
+        - pgp:
-    key_groups:
+            - *admin_alice
-      - pgp:
+          age:
-          - *admin_alice
+            - *palatine-hill
-        age:
-          - *palatine-hill

.vscode/settings.json

@@ -1,5 +1,7 @@
 {
-  "cSpell.enableFiletypes": ["nix"],
+  "cSpell.enableFiletypes": [
+    "nix"
+  ],
   "cSpell.words": [
     "aarch",
     "abmlevel",

docs/CONTRIBUTING.md

@@ -40,12 +40,12 @@ and will eventually trip a check when merging to main.
 | Branch Name      | Use Case                                                                                                                                                                                                                      |
 |------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | main             | protected branch which all machines pull from, do not try to push directly                                                                                                                                                    |
-| feature/\<item\> | \<item\> is a new feature added to the repo, for personal or common use                                                                                                                                                       |
+| feature/\<item> | \<item> is a new feature added to the repo, for personal or common use                                                                                                                                                       |
-| fixup/\<item\>   | \<item\> is a non-urgent bug, PRs merging from these branches should be merged when possible, but are not considered mission-critical                                                                                         |
+| fixup/\<item>   | \<item> is a non-urgent bug, PRs merging from these branches should be merged when possible, but are not considered mission-critical                                                                                         |
-| hotfix/\<item\>  | \<item\> is a mission-critical bug, either affecting all users or a breaking change on a user's machines. These PRs should be reviewed ASAP. This is automatically subject to the [Critical Issues](#critical-issues) process |
+| hotfix/\<item>  | \<item> is a mission-critical bug, either affecting all users or a breaking change on a user's machines. These PRs should be reviewed ASAP. This is automatically subject to the [Critical Issues](#critical-issues) process |
-| urgent/\<item\>  | Accepted as an alias for the above, due to dev's coming from multiple standards and the criticality of these issues                                                                                                           |
+| urgent/\<item>  | Accepted as an alias for the above, due to dev's coming from multiple standards and the criticality of these issues                                                                                                           |
-| exp/\<item\>     | \<item\> is a non-critical experiment. This is used for shipping around potential new features or fixes to multiple branches                                                                                                  |
+| exp/\<item>     | \<item> is a non-critical experiment. This is used for shipping around potential new features or fixes to multiple branches                                                                                                  |
-| merge/\<item\>   | \<item\> is a temporary branch and should never be merged directly to main. This is solely used for addressing merge conflicts which are too complex to be merged directly on branch                                          |
+| merge/\<item>   | \<item> is a temporary branch and should never be merged directly to main. This is solely used for addressing merge conflicts which are too complex to be merged directly on branch                                          |
 
 ### Review Process
 
@@ -94,11 +94,11 @@ rules.
   PR has been tested on at least one machine
    - Issues which bypass the quorum process must have a second reviewer tagged
    - All critical issues which bypass the approval process must have an RCA issue
-    opened and the RCA logged into the `inc/` folder
+     opened and the RCA logged into the `inc/` folder
    - The second reviewer has 2 weeks to retroactively review and approve the PR
    - If the retro does not happen in the given window, an issue shall be opened
-    to either re-review the PR or to revert and replace the fix with a
+     to either re-review the PR or to revert and replace the fix with a
-    permanent solution
+     permanent solution
 - Critical issues must be tagged to `Nix Flake Features` project, and must have
   a priority of `High` and an estimate tagged. Start and end date are not needed
 

docs/sample-setup.sh

@@ -1,9 +1,9 @@
 #!/usr/bin/env nix
 #! nix shell nixpkgs#bash nixpkgs#git --command bash
 
-set -o errexit   # abort on nonzero exitstatus
+set -o errexit  # abort on nonzero exitstatus
-set -o nounset   # abort on unbound variable
+set -o nounset  # abort on unbound variable
-set -o pipefail  # don't hide errors within pipes
+set -o pipefail # don't hide errors within pipes
 
 PROCEED="N"
 
@@ -50,60 +50,58 @@ GITBASE="systems"
 FEATUREBRANCH="feature/adding-$MACHINENAME"
 
 if [ $PROCEED != "Y" ]; then
-    echo "PROCEED is not set correctly, please validate the below partitions and update the script accordingly"
+  echo "PROCEED is not set correctly, please validate the below partitions and update the script accordingly"
-    lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
+  lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
 fi
 
-
-
 if [ $CREATEPARTS = "Y" ]; then
-    # Create partition table
+  # Create partition table
-    sudo parted "/dev/$DRIVE" -- mklabel gpt
+  sudo parted "/dev/$DRIVE" -- mklabel gpt
 
-    # Create boot part
+  # Create boot part
-    sudo parted "/dev/$DRIVE" -- mkpart ESP fat32 1MB 1024MB
+  sudo parted "/dev/$DRIVE" -- mkpart ESP fat32 1MB 1024MB
-    sudo parted "/dev/$DRIVE" -- set 1 esp on
+  sudo parted "/dev/$DRIVE" -- set 1 esp on
-    sudo mkfs.fat -F 32 -n NIXBOOT "/dev/${DRIVE}1"
+  sudo mkfs.fat -F 32 -n NIXBOOT "/dev/${DRIVE}1"
 
-    # Create luks part
+  # Create luks part
-    sudo parted "/dev/$DRIVE" -- mkpart primary ext4 1024MB 100%
+  sudo parted "/dev/$DRIVE" -- mkpart primary ext4 1024MB 100%
-    sudo parted "/dev/$DRIVE" -- set 2 lvm on
+  sudo parted "/dev/$DRIVE" -- set 2 lvm on
-    
-    LUKSPART="nixos-pv"
-    sudo cryptsetup luksFormat "/dev/${DRIVE}p2"
-    sudo cryptsetup luksOpen "/dev/${DRIVE}p2" "$LUKSPART"
 
-    # Create lvm part
+  LUKSPART="nixos-pv"
-    sudo pvcreate "/dev/mapper/$LUKSPART"
+  sudo cryptsetup luksFormat "/dev/${DRIVE}p2"
-    sudo pvresize "/dev/mapper/$LUKSPART"
+  sudo cryptsetup luksOpen "/dev/${DRIVE}p2" "$LUKSPART"
-    sudo pvdisplay
 
-    # Create volume group
+  # Create lvm part
-    sudo vgcreate "$VOLGROUP" "/dev/mapper/$LUKSPART"
+  sudo pvcreate "/dev/mapper/$LUKSPART"
-    sudo vgchange -a y "$VOLGROUP"
+  sudo pvresize "/dev/mapper/$LUKSPART"
-    sudo vgdisplay
+  sudo pvdisplay
 
-    # Create swap part on LVM
+  # Create volume group
-    if [ $SWAPSIZE != 0 ]; then
+  sudo vgcreate "$VOLGROUP" "/dev/mapper/$LUKSPART"
-        sudo lvcreate -L "$SWAPSIZE" "$VOLGROUP" -n swap
+  sudo vgchange -a y "$VOLGROUP"
-        sudo mkswap -L NIXSWAP -c "$SWAPPATH"
+  sudo vgdisplay
-    fi
 
-    # Create home part on LVM, leaving plenty of room for snapshots
+  # Create swap part on LVM
-    sudo lvcreate -l 50%FREE "$VOLGROUP" -n home
+  if [ $SWAPSIZE != 0 ]; then
-    sudo mkfs.ext4 -L NIXHOME -c "$HOMEPATH"
+    sudo lvcreate -L "$SWAPSIZE" "$VOLGROUP" -n swap
+    sudo mkswap -L NIXSWAP -c "$SWAPPATH"
+  fi
 
-    # Create root part on LVM, keeping in mind most data will be on /home or /nix
+  # Create home part on LVM, leaving plenty of room for snapshots
-    sudo lvcreate -L 5G "$VOLGROUP" -n root
+  sudo lvcreate -l 50%FREE "$VOLGROUP" -n home
-    sudo mkfs.ext4 -L NIXROOT -c "$ROOTPATH"
+  sudo mkfs.ext4 -L NIXHOME -c "$HOMEPATH"
 
-    # Create nix part on LVM
+  # Create root part on LVM, keeping in mind most data will be on /home or /nix
-    sudo lvcreate -L 100G "$VOLGROUP" -n nix-store
+  sudo lvcreate -L 5G "$VOLGROUP" -n root
-    sudo mkfs.ext4 -L NIXSTORE -c "$NIXSTOREPATH"
+  sudo mkfs.ext4 -L NIXROOT -c "$ROOTPATH"
 
-    sudo lvdisplay
+  # Create nix part on LVM
+  sudo lvcreate -L 100G "$VOLGROUP" -n nix-store
+  sudo mkfs.ext4 -L NIXSTORE -c "$NIXSTOREPATH"
 
-    lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
+  sudo lvdisplay
+
+  lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
 fi
 
 # Mount partitions
@@ -116,7 +114,7 @@ sudo mount $BOOTPART /mnt/boot
 
 # Enable swap if SWAPSIZE is non-zero
 if [ $SWAPSIZE != 0 ]; then
-    sudo swapon "/dev/$VOLGROUP/swap"
+  sudo swapon "/dev/$VOLGROUP/swap"
 fi
 
 # Clone the repo
@@ -135,31 +133,31 @@ read -r -p "get this into github so you can check everything in, then hit enter
 cat "$DOTS/id_ed25519_ghdeploy.pub"
 
 if [ $SOPS == "Y" ]; then
-    # Create ssh host-keys
+  # Create ssh host-keys
-    sudo ssh-keygen -A
+  sudo ssh-keygen -A
-    sudo mkdir -p /mnt/etc/ssh
+  sudo mkdir -p /mnt/etc/ssh
-    sudo cp "/etc/ssh/ssh_host_*" /mnt/etc/ssh
+  sudo cp "/etc/ssh/ssh_host_*" /mnt/etc/ssh
 
-    # Get line where AGE comment is and insert new AGE key two lines down
+  # Get line where AGE comment is and insert new AGE key two lines down
-    AGELINE=$(grep "Generate AGE keys from SSH keys with" "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+2)}')
+  AGELINE=$(grep "Generate AGE keys from SSH keys with" "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+2)}')
-    AGEKEY=$(nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age')
+  AGEKEY=$(nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age')
-    sudo sed -i "${AGELINE}i\\  - &${MACHINENAME} $AGEKEY\\" "$DOTS/.sops.yaml"
+  sudo sed -i "${AGELINE}i\\  - &${MACHINENAME} $AGEKEY\\" "$DOTS/.sops.yaml"
 
-    # Add server name
+  # Add server name
-    SERVERLINE=$(grep 'servers: &servers' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}')
+  SERVERLINE=$(grep 'servers: &servers' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}')
-    sudo sed -i "${SERVERLINE}i\\  - *${MACHINENAME}\\" "$DOTS/.sops.yaml"
+  sudo sed -i "${SERVERLINE}i\\  - *${MACHINENAME}\\" "$DOTS/.sops.yaml"
 
-    # Add creation rules
+  # Add creation rules
-    CREATIONLINE=$(grep 'creation_rules' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}')
+  CREATIONLINE=$(grep 'creation_rules' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}')
-    # TODO: below was not working when last attempted
+  # TODO: below was not working when last attempted
-    read -r -d '' PATHRULE <<-EOF
+  read -r -d '' PATHRULE <<-EOF
   - path_regex: $GITBASE/$MACHINENAME/secrets\.yaml$
     key_groups:
       - pgp: *$OWNERORADMINS
         age:
           - *$MACHINENAME
 EOF
-    sudo sed -i "${CREATIONLINE}i\\${PATHRULE}\\" "$DOTS/.sops.yaml"
+  sudo sed -i "${CREATIONLINE}i\\${PATHRULE}\\" "$DOTS/.sops.yaml"
 fi
 
 read -r -p "press enter to continue"

flake.lock

@@ -78,11 +78,11 @@
       },
       "locked": {
         "dir": "pkgs/firefox-addons",
-        "lastModified": 1740974607,
+        "lastModified": 1742773104,
-        "narHash": "sha256-YbAnhXYYOjG8OHX7v4BGj/tDQiFgkwe4JsqCjbFYjB0=",
+        "narHash": "sha256-dAhrL+gEjNN5U/Sosy7IrX0Y0qPA0U7Gp9TBhqEliNU=",
         "owner": "rycee",
         "repo": "nur-expressions",
-        "rev": "093c063a23aa38f31082a554f03899127750aee3",
+        "rev": "d74460da63a8c08a69a1f143b04f2ab1a6b2f5c2",
         "type": "gitlab"
       },
       "original": {
@@ -95,11 +95,11 @@
     "firefox-gnome-theme": {
       "flake": false,
       "locked": {
-        "lastModified": 1739223196,
+        "lastModified": 1741628778,
-        "narHash": "sha256-vAxN2f3rvl5q62gQQjZGVSvF93nAsOxntuFz+e/655w=",
+        "narHash": "sha256-RsvHGNTmO2e/eVfgYK7g+eYEdwwh7SbZa+gZkT24MEA=",
         "owner": "rafaelmardojai",
         "repo": "firefox-gnome-theme",
-        "rev": "a89108e6272426f4eddd93ba17d0ea101c34fb21",
+        "rev": "5a81d390bb64afd4e81221749ec4bffcbeb5fa80",
         "type": "github"
       },
       "original": {
@@ -127,11 +127,11 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1740872218,
+        "lastModified": 1741352980,
-        "narHash": "sha256-ZaMw0pdoUKigLpv9HiNDH2Pjnosg7NBYMJlHTIsHEUo=",
+        "narHash": "sha256-+u2UunDA4Cl5Fci3m7S643HzKmIDAe+fiXrLqYsR2fs=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "3876f6b87db82f33775b1ef5ea343986105db764",
+        "rev": "f4330d22f1c5d2ba72d3d22df5597d123fdb60a9",
         "type": "github"
       },
       "original": {
@@ -232,11 +232,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1737465171,
+        "lastModified": 1741379162,
-        "narHash": "sha256-R10v2hoJRLq8jcL4syVFag7nIGE7m13qO48wRIukWNg=",
+        "narHash": "sha256-srpAbmJapkaqGRE3ytf3bj4XshspVR5964OX5LfjDWc=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "9364dc02281ce2d37a1f55b6e51f7c0f65a75f17",
+        "rev": "b5a62751225b2f62ff3147d0a334055ebadcd5cc",
         "type": "github"
       },
       "original": {
@@ -312,11 +312,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1740845322,
+        "lastModified": 1742771635,
-        "narHash": "sha256-AXEgFj3C0YJhu9k1OhbRhiA6FnDr81dQZ65U3DhaWpw=",
+        "narHash": "sha256-HQHzQPrg+g22tb3/K/4tgJjPzM+/5jbaujCZd8s2Mls=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "fcac3d6d88302a5e64f6cb8014ac785e08874c8d",
+        "rev": "ad0614a1ec9cce3b13169e20ceb7e55dfaf2a818",
         "type": "github"
       },
       "original": {
@@ -332,11 +332,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1740923452,
+        "lastModified": 1742213523,
-        "narHash": "sha256-iQNkVG0368H3kiwSYSs1N6sU7GhHSmx0b9y+Z+eO1+c=",
+        "narHash": "sha256-I8JVdQRu8eWvY5W8XWYZkdd5pojDHkxeqQV7mMIsbhs=",
         "owner": "hyprwm",
         "repo": "contrib",
-        "rev": "6f0d5e16c534aeda47d99b4d20bb2a22bfc60c23",
+        "rev": "bd81329944be53b0ffb99e05864804b95f1d7c65",
         "type": "github"
       },
       "original": {
@@ -352,11 +352,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1740886574,
+        "lastModified": 1742701275,
-        "narHash": "sha256-jN6kJ41B6jUVDTebIWeebTvrKP6YiLd1/wMej4uq4Sk=",
+        "narHash": "sha256-AulwPVrS9859t+eJ61v24wH/nfBEIDSXYxlRo3fL/SA=",
         "owner": "Mic92",
         "repo": "nix-index-database",
-        "rev": "26a0f969549cf4d56f6e9046b9e0418b3f3b94a5",
+        "rev": "36dc43cb50d5d20f90a28d53abb33a32b0a2aae6",
         "type": "github"
       },
       "original": {
@@ -388,11 +388,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1740947705,
+        "lastModified": 1742568034,
-        "narHash": "sha256-Co2kAD2SZalOm+5zoxmzEVZNvZ17TyafuFsD46BwSdY=",
+        "narHash": "sha256-QaMEhcnscfF2MqB7flZr+sLJMMYZPnvqO4NYf9B4G38=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "507911df8c35939050ae324caccc7cf4ffb76565",
+        "rev": "42ee229088490e3777ed7d1162cb9e9d8c3dbb11",
         "type": "github"
       },
       "original": {
@@ -403,11 +403,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1740646007,
+        "lastModified": 1742806253,
-        "narHash": "sha256-dMReDQobS3kqoiUCQIYI9c0imPXRZnBubX20yX/G5LE=",
+        "narHash": "sha256-zvQ4GsCJT6MTOzPKLmlFyM+lxo0JGQ0cSFaZSACmWfY=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "009b764ac98a3602d41fc68072eeec5d24fc0e49",
+        "rev": "ecaa2d911e77c265c2a5bac8b583c40b0f151726",
         "type": "github"
       },
       "original": {
@@ -426,11 +426,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1741017582,
+        "lastModified": 1742419596,
-        "narHash": "sha256-2tscHztx6UxqeQTK0U1kLM74+6mSzROMNYJpKRDLMPM=",
+        "narHash": "sha256-+Bw1HR4oX6vUbCMhwWbW+Nr20F+UesNdUd7b17s3ESE=",
         "owner": "SuperSandro2000",
         "repo": "nixos-modules",
-        "rev": "c7c9219eb6ff26c203d22ba733e9e988499290f0",
+        "rev": "82491ff311152b87fe7cfbdaf545f727e0750aa9",
         "type": "github"
       },
       "original": {
@@ -441,11 +441,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1740981371,
+        "lastModified": 1742800061,
-        "narHash": "sha256-Up7YlXIupmT7fEtC4Oj676M91INg0HAoamiswAsA3rc=",
+        "narHash": "sha256-oDJGK1UMArK52vcW9S5S2apeec4rbfNELgc50LqiPNs=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "1d2fe0135f360c970aee1d57a53f816f3c9bddae",
+        "rev": "1750f3c1c89488e2ffdd47cab9d05454dddfb734",
         "type": "github"
       },
       "original": {
@@ -457,28 +457,31 @@
     },
     "nixpkgs-lib": {
       "locked": {
-        "lastModified": 1740872140,
+        "lastModified": 1740877520,
-        "narHash": "sha256-3wHafybyRfpUCLoE8M+uPVZinImg3xX+Nm6gEfN3G8I=",
+        "narHash": "sha256-oiwv/ZK/2FhGxrCkQkB83i7GnWXPPLzoqFHpDD3uYpk=",
-        "type": "tarball",
+        "owner": "nix-community",
-        "url": "https://github.com/NixOS/nixpkgs/archive/6d3702243441165a03f699f64416f635220f4f15.tar.gz"
+        "repo": "nixpkgs.lib",
+        "rev": "147dee35aab2193b174e4c0868bd80ead5ce755c",
+        "type": "github"
       },
       "original": {
-        "type": "tarball",
+        "owner": "nix-community",
-        "url": "https://github.com/NixOS/nixpkgs/archive/6d3702243441165a03f699f64416f635220f4f15.tar.gz"
+        "repo": "nixpkgs.lib",
+        "type": "github"
       }
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1735563628,
+        "lastModified": 1742751704,
-        "narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=",
+        "narHash": "sha256-rBfc+H1dDBUQ2mgVITMGBPI1PGuCznf9rcWX/XIULyE=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798",
+        "rev": "f0946fa5f1fb876a9dc2e1850d9d3a4e3f914092",
         "type": "github"
       },
       "original": {
         "owner": "nixos",
-        "ref": "nixos-24.05",
+        "ref": "nixos-24.11",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -493,11 +496,11 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1740408283,
+        "lastModified": 1741693509,
-        "narHash": "sha256-2xECnhgF3MU9YjmvOkrRp8wRFo2OjjewgCtlfckhL5s=",
+        "narHash": "sha256-emkxnsZstiJWmGACimyAYqIKz2Qz5We5h1oBVDyQjLw=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "496a4a11162bdffb9a7b258942de138873f019f7",
+        "rev": "5479646b2574837f1899da78bdf9a48b75a9fb27",
         "type": "github"
       },
       "original": {
@@ -517,11 +520,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1740915799,
+        "lastModified": 1742649964,
-        "narHash": "sha256-JvQvtaphZNmeeV+IpHgNdiNePsIpHD5U/7QN5AeY44A=",
+        "narHash": "sha256-DwOTp7nvfi8mRfuL1escHDXabVXFGT1VlPD1JHrtrco=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "42b1ba089d2034d910566bf6b40830af6b8ec732",
+        "rev": "dcf5072734cb576d2b0c59b2ac44f5050b5eac82",
         "type": "github"
       },
       "original": {
@@ -559,11 +562,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1740969088,
+        "lastModified": 1742783666,
-        "narHash": "sha256-BajboqzFnDhxVT0SXTDKVJCKtFP96lZXccBlT/43mao=",
+        "narHash": "sha256-IwdSl51NL6V0f+mYXZR0UTKaGleOsk9zV3l6kt5SUWw=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "20fdb02098fdda9a25a2939b975abdd7bc03f62d",
+        "rev": "60766d63c227d576510ecfb5edd3a687d56f6bc7",
         "type": "github"
       },
       "original": {
@@ -579,11 +582,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1739262228,
+        "lastModified": 1742700801,
-        "narHash": "sha256-7JAGezJ0Dn5qIyA2+T4Dt/xQgAbhCglh6lzCekTVMeU=",
+        "narHash": "sha256-ZGlpUDsuBdeZeTNgoMv+aw0ByXT2J3wkYw9kJwkAS4M=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "07af005bb7d60c7f118d9d9f5530485da5d1e975",
+        "rev": "67566fe68a8bed2a7b1175fdfb0697ed22ae8852",
         "type": "github"
       },
       "original": {
@@ -620,11 +623,11 @@
         "tinted-zed": "tinted-zed"
       },
       "locked": {
-        "lastModified": 1740959323,
+        "lastModified": 1742753562,
-        "narHash": "sha256-UtSKsLCWwA4wPFm7mgl33qeu8sj0on9Hyt3YhDWWkAM=",
+        "narHash": "sha256-EBXgl3sPi5AQUM58XGuuC8HQl/Df+Dbt6pOLInInJ/k=",
         "owner": "danth",
         "repo": "stylix",
-        "rev": "489833b201a84488c6b4371a261fdbcafa6abcb6",
+        "rev": "d9df91c55643a8b5229a3ae3a496a30f14965457",
         "type": "github"
       },
       "original": {
@@ -700,11 +703,11 @@
     "tinted-schemes": {
       "flake": false,
       "locked": {
-        "lastModified": 1740351358,
+        "lastModified": 1741468895,
-        "narHash": "sha256-Hdk850xgAd3DL8KX0AbyU7tC834d3Lej1jOo3duWiOA=",
+        "narHash": "sha256-YKM1RJbL68Yp2vESBqeZQBjTETXo8mCTTzLZyckCfZk=",
         "owner": "tinted-theming",
         "repo": "schemes",
-        "rev": "a1bc2bd89e693e7e3f5764cfe8114e2ae150e184",
+        "rev": "47c8c7726e98069cade5827e5fb2bfee02ce6991",
         "type": "github"
       },
       "original": {
@@ -716,11 +719,11 @@
     "tinted-tmux": {
       "flake": false,
       "locked": {
-        "lastModified": 1740272597,
+        "lastModified": 1740877430,
-        "narHash": "sha256-/etfUV3HzAaLW3RSJVwUaW8ULbMn3v6wbTlXSKbcoWQ=",
+        "narHash": "sha256-zWcCXgdC4/owfH/eEXx26y5BLzTrefjtSLFHWVD5KxU=",
         "owner": "tinted-theming",
         "repo": "tinted-tmux",
-        "rev": "b6c7f46c8718cc484f2db8b485b06e2a98304cd0",
+        "rev": "d48ee86394cbe45b112ba23ab63e33656090edb4",
         "type": "github"
       },
       "original": {

flake.nix

@@ -26,7 +26,8 @@
     nixos-hardware.url = "github:NixOS/nixos-hardware";
     #nixpkgs.url = "github:nuschtos/nuschtpkgs/nixos-unstable";
     nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable-small";
-    nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.05";
+    #nixpkgs.url = "github:nixos/nixpkgs/1d2fe0135f360c970aee1d57a53f816f3c9bddae?narHash=sha256-Up7YlXIupmT7fEtC4Oj676M91INg0HAoamiswAsA3rc%3D";
+    nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.11";
     systems.url = "github:nix-systems/default";
 
     # attic = {

modules/update.nix

@@ -10,10 +10,10 @@
   };
 
   system.autoUpgrade = {
-    enable = lib.mkDefault false;
+    enable = lib.mkDefault true;
     flags = [ "--accept-flake-config" ];
     randomizedDelaySec = "1h";
     persistent = true;
-    flake = "github:RAD-Development/nix-dotfiles";
+    flake = "git+ssh://nayeonie.com/ahuston-0/nix-dotfiles.git";
   };
 }

shell.nix

@@ -45,6 +45,10 @@ forEachSystem (
         treefmt
         statix
         nixfmt-rfc-style
+        jsonfmt
+        mdformat
+        shfmt
+        yamlfmt
       ];
     };
   in

systems/artemision/configuration.nix

@@ -32,7 +32,7 @@
   };
 
   boot = {
-    kernelPackages = lib.mkForce pkgs.linuxPackages_6_6;
+    #kernelPackages = lib.mkForce pkgs.linuxPackages_6_6;
     useSystemdBoot = true;
     default = true;
   };
@@ -83,11 +83,14 @@
 
   users.users.alice.extraGroups = [ "calibre-web" ];
 
-  system.autoUpgrade.enable = false;
   system.stateVersion = "24.05";
 
   programs.adb.enable = true;
 
+  environment.variables = {
+    "KWIN_DRM_NO_DIRECT_SCANOUT" = "1";
+  };
+
   sops = {
     defaultSopsFile = ./secrets.yaml;
     #secrets = {

systems/artemision/desktop.nix

@@ -7,6 +7,7 @@
     hyprland = {
       enable = true;
       xwayland.enable = true;
+      withUWSM = true;
     };
     hyprlock.enable = true;
     gnupg.agent = {

systems/artemision/programs.nix

@@ -18,8 +18,6 @@
     croc
     deadnix
     direnv
-    discord
-    discord-canary
     easyeffects
     eza
     fanficfare
@@ -44,6 +42,7 @@
     kitty
     kubectl
     kubernetes-helm
+    libreoffice-fresh
     libtool
     lsof
     lynis

systems/palatine-hill/attic/sync-attic.bash

@@ -2,9 +2,9 @@
 #! nix shell nixpkgs#bash nixpkgs#findutils nixpkgs#attic-client --command bash
 
 sync_directories=(
-    /ZFS/ZFS-primary/hydra
+  /ZFS/ZFS-primary/hydra
 )
 
 for dir in "${sync_directories[@]}"; do
-    find "$dir"  -regex ".*\.drv$" -exec attic push cache-nix-dot '{}' \;
+  find "$dir" -regex ".*\.drv$" -exec attic push cache-nix-dot '{}' \;
 done

systems/palatine-hill/docker/act-runner.nix

@@ -23,6 +23,7 @@ in
         "${act_path}/stable-latest-main/config.yaml:/config.yaml"
         "${act_path}/stable-latest-main/data:/data"
         "/var/run/docker.sock:/var/run/docker.sock"
+        "/nix:/nix"
       ];
       environment = {
         CONFIG_FILE = "/config.yaml";
@@ -45,6 +46,7 @@ in
         "${act_path}/stable-latest-1/config.yaml:/config.yaml"
         "${act_path}/stable-latest-1/data:/data"
         "/var/run/docker.sock:/var/run/docker.sock"
+        "/nix:/nix"
       ];
       environment = {
         CONFIG_FILE = "/config.yaml";
@@ -67,6 +69,7 @@ in
         "${act_path}/stable-latest-2/config.yaml:/config.yaml"
         "${act_path}/stable-latest-2/data:/data"
         "/var/run/docker.sock:/var/run/docker.sock"
+        "/nix:/nix"
       ];
       environment = {
         CONFIG_FILE = "/config.yaml";
@@ -75,72 +78,6 @@ in
       environmentFiles = [ config.sops.secrets."docker/act-runner".path ];
       log-driver = "local";
     };
-
-    act-stable-latest-3 = {
-      image = "gitea/act_runner:latest";
-      extraOptions = [
-        "--stop-signal=SIGINT"
-      ];
-      labels = {
-        "com.centurylinklabs.watchtower.enable" = "true";
-        "com.centurylinklabs.watchtower.scope" = "act-runner";
-      };
-      volumes = [
-        "${act_path}/stable-latest-3/config.yaml:/config.yaml"
-        "${act_path}/stable-latest-3/data:/data"
-        "/var/run/docker.sock:/var/run/docker.sock"
-      ];
-      environment = {
-        CONFIG_FILE = "/config.yaml";
-        GITEA_RUNNER_NAME = "stable-latest-3";
-      };
-      environmentFiles = [ config.sops.secrets."docker/act-runner".path ];
-      log-driver = "local";
-    };
-
-    act-stable-latest-4 = {
-      image = "gitea/act_runner:latest";
-      extraOptions = [
-        "--stop-signal=SIGINT"
-      ];
-      labels = {
-        "com.centurylinklabs.watchtower.enable" = "true";
-        "com.centurylinklabs.watchtower.scope" = "act-runner";
-      };
-      volumes = [
-        "${act_path}/stable-latest-4/config.yaml:/config.yaml"
-        "${act_path}/stable-latest-4/data:/data"
-        "/var/run/docker.sock:/var/run/docker.sock"
-      ];
-      environment = {
-        CONFIG_FILE = "/config.yaml";
-        GITEA_RUNNER_NAME = "stable-latest-4";
-      };
-      environmentFiles = [ config.sops.secrets."docker/act-runner".path ];
-      log-driver = "local";
-    };
-
-    act-stable-latest-5 = {
-      image = "gitea/act_runner:latest";
-      extraOptions = [
-        "--stop-signal=SIGINT"
-      ];
-      labels = {
-        "com.centurylinklabs.watchtower.enable" = "true";
-        "com.centurylinklabs.watchtower.scope" = "act-runner";
-      };
-      volumes = [
-        "${act_path}/stable-latest-5/config.yaml:/config.yaml"
-        "${act_path}/stable-latest-5/data:/data"
-        "/var/run/docker.sock:/var/run/docker.sock"
-      ];
-      environment = {
-        CONFIG_FILE = "/config.yaml";
-        GITEA_RUNNER_NAME = "stable-latest-5";
-      };
-      environmentFiles = [ config.sops.secrets."docker/act-runner".path ];
-      log-driver = "local";
-    };
   };
 
   systemd = {
@@ -168,7 +105,9 @@ in
     "docker/act-runner" = {
       owner = "root";
       restartUnits = [
+        "docker-act-stable-latest-main.service"
         "docker-act-stable-latest-1.service"
+        "docker-act-stable-latest-2.service"
       ];
     };
   };

systems/palatine-hill/docker/default.nix

@@ -31,47 +31,47 @@
     default-address-pools = [
       {
         base = "169.254.2.0/23";
-        size = "28";
+        size = 28;
       }
       {
         base = "169.254.4.0/22";
-        size = "28";
+        size = 28;
       }
       {
         base = "169.254.8.0/21";
-        size = "28";
+        size = 28;
       }
       {
         base = "169.254.16.0/20";
-        size = "28";
+        size = 28;
       }
       {
         base = "169.254.32.0/19";
-        size = "28";
+        size = 28;
       }
       {
         base = "169.254.64.0/18";
-        size = "28";
+        size = 28;
       }
       {
         base = "169.254.128.0/18";
-        size = "28";
+        size = 28;
       }
       {
         base = "169.254.192.0/19";
-        size = "28";
+        size = 28;
       }
       {
         base = "169.254.224.0/20";
-        size = "28";
+        size = 28;
       }
       {
         base = "169.254.240.0/21";
-        size = "28";
+        size = 28;
       }
       {
         base = "169.254.248.0/22";
-        size = "28";
+        size = 28;
       }
     ];
     mtu = 9000;

systems/palatine-hill/docker/nextcloud.nix

@@ -100,7 +100,7 @@ in
       };
       "docker/collabora" = {
         owner = "www-data";
-        restartUnits = [ "docker-collabora.service" ];
+        restartUnits = [ "docker-collabora-code.service" ];
       };
     };
   };

systems/palatine-hill/docker/watchtower.bash

@@ -6,8 +6,8 @@ outdated_msg="Project code is out of date and needs to be upgraded. To remedy th
 label="$1"
 label_val="$2"
 
-if (( $# != 2 )); then
+if (($# != 2)); then
-    echo "usage: $0 label label_value"
+  echo "usage: $0 label label_value"
 fi
 
 containers=$(docker ps --format '{{.Names}}' -f "label=${label}=${label_val}")

treefmt.toml

@@ -12,3 +12,21 @@ command = "nixfmt"
 #options = []
 # Glob pattern of files to include
 includes = [ "*.nix" ]
+
+[formatter.jsonfmt]
+command = "jsonfmt"
+excludes = []
+includes = ["*.json"]
+options = ["-w"]
+
+[formatter.shfmt]
+command = "shfmt"
+excludes = []
+includes = ["*.sh", "*.bash", "*.envrc", "*.envrc.*"]
+options = ["-i", "2", "-s", "-w"]
+
+[formatter.yamlfmt]
+command = "yamlfmt"
+excludes = []
+includes = ["*.yaml", "*.yml"]
+options = ["-formatter","indent=4"]

users/alice/home.nix

@@ -16,6 +16,7 @@
       ./home/gammastep.nix
       ./home/doom
       ./home/hypr
+      ./home/waybar.nix
       ./non-server.nix
     ];
 

users/alice/home/hypr/default.nix

@@ -8,6 +8,7 @@
 {
   xdg.configFile = {
     "hypr/hyprland.conf".source = ./hyprland.conf;
+    "hypr/show-hide.sh".source = ./show-hide.sh;
   };
 
   imports = [

users/alice/home/hypr/hypridle.nix

@@ -18,14 +18,14 @@
       listener = [
         {
           timeout = 150; # 2.5min.
-          on-timeout = "brightnessctl -s set 1"; # set monitor backlight to minimum, avoid 0 on OLED monitor.
+          on-timeout = "${pkgs.brightnessctl}/bin/brightnessctl -s set 1"; # set monitor backlight to minimum, avoid 0 on OLED monitor.
-          on-resume = "brightnessctl -r"; # monitor backlight restore.
+          on-resume = "${pkgs.brightnessctl}/bin/brightnessctl -r"; # monitor backlight restore.
         }
         # turn off keyboard backlight, comment out this section if you dont have a keyboard backlight.
         {
           timeout = 150; # 2.5min.
-          on-timeout = "brightnessctl -sd rgb:kbd_backlight set 0"; # turn off keyboard backlight.
+          on-timeout = "${pkgs.brightnessctl}/bin/brightnessctl -sd rgb:kbd_backlight set 0"; # turn off keyboard backlight.
-          on-resume = "brightnessctl -rd rgb:kbd_backlight"; # turn on keyboard backlight.
+          on-resume = "${pkgs.brightnessctl}/bin/brightnessctl -rd rgb:kbd_backlight"; # turn on keyboard backlight.
         }
         {
           timeout = 300; # 5min

users/alice/home/hypr/hyprland.conf

@@ -22,6 +22,9 @@ monitor=,preferred,auto,auto
 # exec-once = waybar & hyprpaper & firefox
 exec-once = wired &
 
+exec-once = wired
+exec-once = systemctl --user start polkit-gnome-authentication-agent-1.service
+
 # Source a file (multi-file configs)
 # source = ~/.config/hypr/myColors.conf
 
@@ -207,3 +210,7 @@ bind = $mainMod, P, exec, bwm
 
 # lock screen
 bind = $mainMod, L, exec, loginctl lock-session
+# hide active window
+bind = $mainMod,H,exec,/home/alice/config/hypr/hide_unhide_window.sh h
+# show hide window
+bind = $mainMod,I,exec,/home/alice/config/hypr/hide_unhide_window.sh s

users/alice/home/hypr/hyprlock.nix

@@ -11,7 +11,8 @@
     settings = {
       general = {
         immediate_render = true;
-        no_fade_in = true;
+        # disabling as config doesn't exist
+        #no_fade_in = true;
       };
       background = {
         monitor = "";
@@ -54,7 +55,8 @@
         dots_spacing = 0.15; # Scale of dots' absolute size, -1.0 - 1.0
         dots_center = false;
         dots_rounding = -1; # -1 default circle, -2 follow input-field rounding
-        dots_fade_time = 200; # Milliseconds until a dot fully fades in
+        # disabling as config doesn't exist
+        # dots_fade_time = 200; # Milliseconds until a dot fully fades in
         dots_text_format = ""; # Text character used for the input indicator. Leave empty for a rectangle that will be rounded via dots_rounding (default).
         # disabling due to stylix
         # outer_color = "rgb(151515)";
@@ -70,7 +72,8 @@
         #fail_color = "rgb(204, 34, 34)"; # if authentication failed, changes outer_color and fail message color
         fail_text = "<i>$FAIL <b>($ATTEMPTS)</b></i>"; # can be set to empty
         fail_timeout = 2000; # milliseconds before fail_text and fail_color disappears
-        fail_transition = 300; # transition time in ms between normal outer_color and fail_color
+        # disabling as config doesn't exist
+        #fail_transition = 300; # transition time in ms between normal outer_color and fail_color
         capslock_color = -1;
         numlock_color = -1;
         bothlock_color = -1; # when both locks are active. -1 means don't change outer color (same for above)

users/alice/home/hypr/show-hide.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+stack_file="/tmp/hide_window_pid_stack.txt"
+
+function hide_window() {
+  pid=$(hyprctl activewindow -j | jq '.pid')
+  hyprctl dispatch movetoworkspacesilent "88,pid:$pid"
+  echo "$pid" >>$stack_file
+}
+
+function show_window() {
+  pid=$(tail -1 $stack_file && sed -i '$d' $stack_file)
+  [ -z "$pid" ] && exit
+
+  current_workspace=$(hyprctl activeworkspace -j | jq '.id')
+  hyprctl dispatch movetoworkspacesilent "$current_workspace,pid:$pid"
+}
+
+if [ -n "$1" ]; then
+  if [ "$1" == "h" ]; then
+    hide_window >>/dev/null
+  else
+    show_window >>/dev/null
+  fi
+fi

users/alice/home/waybar.json

@@ -0,0 +1,40 @@
+[
+  {
+    "height": 20,
+    "layer": "top",
+    "position": "top",
+    "output": [
+      "eDP-2",
+      "eDP-1",
+      "HDMI-0",
+      "DP-0"
+    ],
+    "hyprland/workspaces": {
+      "active-only": true,
+      "all-outputs": false,
+      "show-special": true,
+      "move-to-monitor": true,
+      "format": "{icon} {windows}",
+      "format-window-separator": " ",
+      "format-icons": {
+        "1": "󰎤",
+        "2": "󰎧",
+        "3": "󰎪",
+        "default": "",
+        "empty": "󱓼",
+        "urgent": "󱨇"
+      },
+      "persistent-workspaces": {
+        "1": "HDMI-0"
+      },
+      "on-scroll-down": "hyprctl dispatch workspace e-1",
+      "on-scroll-up": "hyprctl dispatch workspace e+1",
+      "window-rewrite": {
+        "title<Steam>": ""
+      },
+      "window-rewrite-default": "",
+      "window-rewrite-separator": " ",
+      "sort-by": "number"
+    }
+  }
+]

users/alice/home/waybar.nix

@@ -2,6 +2,6 @@
 lib.mkIf (!machineConfig.server) {
   programs.waybar = {
     enable = true;
-    #settings = builtins.fromJSON (import ./waybar.json);
+    settings = builtins.fromJSON (builtins.readFile ./waybar.json);
   };
 }

users/alice/non-server.nix

@@ -64,5 +64,6 @@
     zathura
     obsidian
     libreoffice-qt-fresh
+    wlr-randr
   ];
 }

users/alice/secrets.yaml

@@ -8,6 +8,7 @@ alice:
     attic-nix-cache-reader: ENC[AES256_GCM,data:DWIkRri3lHJOVXIAbHWJL7cCV4FHjB91bbpPAib/5ZDKap3xjnxUjwswc7wjO1hCoV3+gmep1a64kma6MJts4bcAug5bPyrrPy//rVpCYvSbSmbPz5k4sW5GLU/Sf4NyBevsQo9KRrphpoSUQEFQB27vabYDjjkB051/qJo1B9B7nqmrSyd3np4YdyHAgUiMyJt0oqx8nXySz3XZU+DIM8/OhMZILpnEWIgyP2K7j8JNNpZZJ5sD/icUy6Vba/4LcKjtmYtfQ+HO1soyF6aMiQSjhp7fzJHktwa9kgB3oDzIg3KyCJYS2RNW7mW9Dd1T,iv:fvhGFU22KgknMpJbOkA3v29bKzRVX6hi7V7xJgSUjPg=,tag:TjGSUl0XXS7jlhP/NG4cvQ==,type:str]
     attic-nix-cache-writer: ENC[AES256_GCM,data:vxSeys7EJDyatZFpeyxeDzaKGqDtm3atpVly6+BPHUFTrlLaVl86roGZjpBB9wwOMuP007qJNva0HQcTONbSyNw/snUU5JpaFWLT87Eu81V8gdulzHwm61caQ4A/e1ylKkdtwalNymBSyWi9b+SOWXTgralrg9L3OHw+nVuZaAi8QXF2ImLoZ2vXl7MGNXParflV2KK2uqfRatDZMbSSFipT0tQpkNTBTA6l8woILK3BKrHdYq+D8n4EmRowSuMWuN1uknyctb4+Ap3AeBITvyJjKejocQ9qK9plP6CChiC4Z1mmt/HOrfXYXiJO+Va64rOYRywMga8=,iv:bAx7iR24dpIOudkiFOc/xmIG73rcaMDdhWjiBO4BsBM=,tag:gtTyldhdRV97YJREG5lPjA==,type:str]
     attic-nix-cache-admin: ENC[AES256_GCM,data:OP02nJTo0cx8M9cR+P7cpI1gEXCKqXWehlaL+dYGwGSUnQ6iSC25vpdZ5SSnjyhiBZe+VnYld+b5PO+OOt7NMGxVvQ0zcuvrG7qfhEpIfGrbx9S9cEV2eAMchG/Hua609MUTbFYKvpwWw6tFZD2dYYQv2gXI7mYSeN0Tw4i2x1f/+cKDtV+ak+UHRgEe/f5OdE8v5I6dRXUQGVOBSRAQkfYDFuI2JUz4oNJsz66YkdMtgudhqWi4mekODD3v2Gcg/zAv1PogaHaIH1BHNvLQ/DsNVcvLsnTb6inM3cTCyPpHcx+VwPO7g9kYNV8xcCRkAIvX6aFzRVT0tJcEXFWStMnKS8nr8HoKFQ==,iv:ftmN3jK5qa6SwrSyhhL3PZls2hTG6xGa0LW7ycdkYxQ=,tag:TQCELzJQjsMfAJseZ7tB4w==,type:str]
+    gitea-actions-token: ENC[AES256_GCM,data:QTEPMAh1RWWJ/O3yhkQkEBTdVL8XhIRGCDbiM0lLjfILKF4SpSJ2sA==,iv:mBaaB1JHb2KVc9n2pdeX4pSMvb7q5z3joMT7rR5Whgs=,tag:ef+58SI4AUeqUsk3RVDsRQ==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -41,8 +42,8 @@ sops:
             ZERFTlFyNjhOb3VCaW43ZXFHT1Vxc0UK7YV+BU7dCEOZxpqkQA394eDsnthvorj6
             7bqrCdeU+6DU7DmFs6++BrNO2tx8vvOa1im+ZGrM/gZAJdv/7R2d6Q==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-01-26T04:17:36Z"
+    lastmodified: "2025-03-18T22:08:52Z"
-    mac: ENC[AES256_GCM,data:BJ5d3iqdIBwqtnYOYfmsFqnJDXz67uzJ4UKWrjVUEgr4Nc95tE8mEyV40poZk/wAJGJMSDdRhsPmZI4H1xztkjkTsUCUJ2rR+SZ6gP1VhSEXu7bSvv63+bnajZQi9kZrfN0EZN8TLzzVHVvSVHcNEfbq9STWkZq6zCk9E2cUfhk=,iv:MQ/lQkNi/S3bfz1PegcVfwy06RsxdQwZIU6sdOjkhgU=,tag:l5tK1SUwjTolliPkbfNDHg==,type:str]
+    mac: ENC[AES256_GCM,data:3Hr8FyzfZvvtyusqdDOjggDGFlBwyOq2VND+/jtNbY5i5JPK+qTkamn98IKkcHSPooaIVzEAek91fZDo90mYRhCzEwfbLATmFXPHsZHUg+5nD8VzcNUWQDb2/ey4RPhzTMtXfY9v9wdIcTdBKYKSZ61puptSX8nJ2S74ag6B5AY=,iv:J+VxUvwWE496DqTsVXdlpxgkf8zGT9uDvt6RLrmc0n0=,tag:X2Qg3DDzOTBDqo+6eQPHvw==,type:str]
     pgp:
         - created_at: "2024-09-05T06:10:22Z"
           enc: |-
@@ -57,4 +58,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: 5EFFB75F7C9B74EAA5C4637547940175096C1330
     unencrypted_suffix: _unencrypted
-    version: 3.9.3
+    version: 3.9.4

utils/attic-push.bash

@@ -11,18 +11,16 @@ set -e
 #   | jq 'map(.key) | join("\n")' | sed -E -e 's/\\n/\n/g;s/^"//g;s/"$//g')
 
 # retrieve all paths
-nix_paths=$(nix path-info --json --all --closure-size \
+nix_paths=$(nix path-info --json --all --closure-size |
-  | jq 'map_values(.closureSize | select(true)) | to_entries | sort_by(.value)' \
+  jq 'map_values(.closureSize | select(true)) | to_entries | sort_by(.value)' |
-  | jq 'map(.key) | join("\n")' | sed -E -e 's/\\n/\n/g;s/^"//g;s/"$//g')
+  jq 'map(.key) | join("\n")' | sed -E -e 's/\\n/\n/g;s/^"//g;s/"$//g')
-
 
 readarray -t nix_path_array < <(echo "$nix_paths")
 
 batchsize=1000
 
-for((i=0; i < ${#nix_path_array[@]}; i+=batchsize))
+for ((i = 0; i < ${#nix_path_array[@]}; i += batchsize)); do
-do
+  part=("${nix_path_array[@]:i:batchsize}")
-    part=( "${nix_path_array[@]:i:batchsize}" )
 
-    attic push nix-cache "${part[@]}"
+  attic push nix-cache "${part[@]}"
 done

utils/attic-token.bash

@@ -1,8 +1,8 @@
 #!/usr/bin/env bash
 
-if (( $# != 3 )); then
+if (($# != 3)); then
-   echo "usage: $0 <cache/cache group> <cache pattern> <token type>"
+  echo "usage: $0 <cache/cache group> <cache pattern> <token type>"
-   exit 1
+  exit 1
 fi
 
 cache="$1"
@@ -10,27 +10,27 @@ cache_pattern="$2"
 token_type="$3"
 
 case $token_type in
-    "cache-creator")
+"cache-creator")
-        atticd-atticadm make-token --sub "$cache-cache-creator" --validity "1y" \
+  atticd-atticadm make-token --sub "$cache-cache-creator" --validity "1y" \
-            --pull "$cache_pattern" --push "$cache_pattern" --delete "$cache_pattern" \
+    --pull "$cache_pattern" --push "$cache_pattern" --delete "$cache_pattern" \
-            --create-cache "$cache_pattern" --configure-cache "$cache_pattern" \
+    --create-cache "$cache_pattern" --configure-cache "$cache_pattern" \
-            --configure-cache-retention "$cache_pattern" --destroy-cache "$cache_pattern"
+    --configure-cache-retention "$cache_pattern" --destroy-cache "$cache_pattern"
-        ;;
+  ;;
-    "admin")
+"admin")
-        atticd-atticadm make-token --sub "$cache-admin" --validity "1y" --pull "$cache_pattern" \
+  atticd-atticadm make-token --sub "$cache-admin" --validity "1y" --pull "$cache_pattern" \
-            --push "$cache_pattern" --configure-cache "$cache_pattern" \
+    --push "$cache_pattern" --configure-cache "$cache_pattern" \
-            --configure-cache-retention "$cache_pattern"
+    --configure-cache-retention "$cache_pattern"
-        ;;
+  ;;
-    "writer")
+"writer")
-        atticd-atticadm make-token --sub "$cache-writer" --validity "1y" --pull "$cache_pattern" \
+  atticd-atticadm make-token --sub "$cache-writer" --validity "1y" --pull "$cache_pattern" \
-            --push "$cache_pattern"
+    --push "$cache_pattern"
-        ;;
+  ;;
-    "reader")
+"reader")
-        atticd-atticadm make-token --sub "$cache-reader" --validity "1y" --pull "$cache_pattern"
+  atticd-atticadm make-token --sub "$cache-reader" --validity "1y" --pull "$cache_pattern"
-        ;;
+  ;;
-    *)
+*)
-        echo "invalid token type: $token_type"
+  echo "invalid token type: $token_type"
-        echo "available options: cache-creator, admin, writer, reader"
+  echo "available options: cache-creator, admin, writer, reader"
-        exit 1
+  exit 1
-        ;;
+  ;;
 esac

utils/eval-to-drv.sh

@@ -8,8 +8,8 @@ set -v
 set -e
 
 if [ "$#" -ne 1 ]; then
-    echo "$0 (pre|post)"
+  echo "$0 (pre|post)"
-    exit 1
+  exit 1
 fi
 
 script_path=$(dirname "$(readlink -f $0)")

utils/fetch-docker.sh

@@ -14,10 +14,10 @@ parent_path=$(dirname "$script_path")
 # relpath is the relative path to the parent_path where you want the file written
 # format: <image name>,<image tag>,<image architecture>,<os>,<relpath>
 images=(
-    "nextcloud,apache,amd64,linux,/systems/palatine-hill/docker/nextcloud-image/nextcloud-apache.nix"
+  "nextcloud,apache,amd64,linux,/systems/palatine-hill/docker/nextcloud-image/nextcloud-apache.nix"
 )
 IFS=","
 while read -r name tag arch os relpath; do
-    nix-prefetch-docker --image-name "$name" --image-tag "$tag" --arch "$arch" --os "$os" --quiet > "$parent_path/$relpath"
+  nix-prefetch-docker --image-name "$name" --image-tag "$tag" --arch "$arch" --os "$os" --quiet >"$parent_path/$relpath"
-    git --no-pager diff "$parent_path/$relpath"
+  git --no-pager diff "$parent_path/$relpath"
-done<<< "${images[@]}"
+done <<<"${images[@]}"

utils/manual-update.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-set -e 
+set -e
 set -v
 set -x
 

utils/sops-mergetool-new.sh

@@ -2,7 +2,10 @@
 
 # Rename CLI parameters to friendlier names
 # https://git-scm.com/docs/gitattributes#_defining_a_custom_merge_driver
-base="$1"; local_="$2"; remote="$3"; merged="$4"
+base="$1"
+local_="$2"
+remote="$3"
+merged="$4"
 
 # Load the mergetool scripts
 TOOL_MODE=merge
@@ -20,7 +23,7 @@ merged_decrypted="${base_decrypted/_BASE_/_MERGED_}"
 backup_decrypted="${base_decrypted/_BASE_/_BACKUP_}"
 
 # If anything goes wrong, then delete our decrypted files
-handle_trap_exit () {
+handle_trap_exit() {
   rm $base_decrypted || true
   rm $local_decrypted || true
   rm $remote_decrypted || true
@@ -30,12 +33,12 @@ handle_trap_exit () {
 trap handle_trap_exit EXIT
 
 # Decrypt our file contents
-sops --decrypt --show-master-keys "$base" > "$base_decrypted"
+sops --decrypt --show-master-keys "$base" >"$base_decrypted"
-sops --decrypt --show-master-keys "$local_" > "$local_decrypted"
+sops --decrypt --show-master-keys "$local_" >"$local_decrypted"
-sops --decrypt --show-master-keys "$remote" > "$remote_decrypted"
+sops --decrypt --show-master-keys "$remote" >"$remote_decrypted"
 
 # Create a merge-diff to compare against
-git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" > "$merged_decrypted"
+git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" >"$merged_decrypted"
 cp "$merged_decrypted" "$backup_decrypted"
 
 # Set up variables for the mergetool
@@ -48,7 +51,7 @@ MERGED="$merged_decrypted"
 BACKUP="$backup_decrypted"
 
 # Override `check_unchanged` with a custom script
-check_unchanged () {
+check_unchanged() {
   # If the contents haven't changed, then fail
   if test "$MERGED" -nt "$BACKUP"; then
     return 0
@@ -61,5 +64,4 @@ check_unchanged () {
 run_merge_tool "${mergetool}" true
 
 # Re-encrypt content
-sops --encrypt "$merged_decrypted" > "$merged"
+sops --encrypt "$merged_decrypted" >"$merged"
-

utils/sops-mergetool.sh

@@ -6,7 +6,10 @@ set -x
 
 # Rename our variables to friendlier equivalents
 # https://git-scm.com/docs/gitattributes#_defining_a_custom_merge_driver
-base="$1"; local_="$2"; remote="$3"; merged="$4"
+base="$1"
+local_="$2"
+remote="$3"
+merged="$4"
 
 echo "$base"
 echo "$local_"
@@ -18,7 +21,7 @@ echo "$merged"
 mergetool="$(git config --get merge.tool)"
 GIT_DIR="$(git --exec-path)"
 if test "$mergetool" = ""; then
-  echo "No default \`merge.tool\` was set for \`git\`. Please set one via \`git config --set merge.tool <tool>\`" 1>&2
+  echo 'No default `merge.tool` was set for `git`. Please set one via `git config --set merge.tool <tool>`' 1>&2
   exit 1
 fi
 
@@ -32,7 +35,7 @@ merged_decrypted="${base_decrypted/_BASE_/_MERGED_}"
 backup_decrypted="${base_decrypted/_BASE_/_BACKUP_}"
 
 # If anything goes wrong, then delete our decrypted files
-handle_trap_exit () {
+handle_trap_exit() {
   rm $base_decrypted || true
   rm $local_decrypted || true
   rm $remote_decrypted || true
@@ -42,13 +45,13 @@ handle_trap_exit () {
 trap handle_trap_exit EXIT
 
 # Decrypt our file contents
-sops --decrypt --show-master-keys "$base" > "$base_decrypted"
+sops --decrypt --show-master-keys "$base" >"$base_decrypted"
-sops --decrypt --show-master-keys "$local_" > "$local_decrypted"
+sops --decrypt --show-master-keys "$local_" >"$local_decrypted"
-sops --decrypt --show-master-keys "$remote" > "$remote_decrypted"
+sops --decrypt --show-master-keys "$remote" >"$remote_decrypted"
 
 # Create a merge-diff to compare against
 set +e
-git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" > "$merged_decrypted"
+git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" >"$merged_decrypted"
 set -e
 cp "$merged_decrypted" "$backup_decrypted"
 
@@ -66,7 +69,7 @@ source "$GIT_DIR/git-mergetool--lib"
 source "$GIT_DIR/mergetools/$mergetool"
 
 # Override `check_unchanged` with a custom script
-check_unchanged () {
+check_unchanged() {
   # If the contents haven't changed, then fail
   if test "$MERGED" -nt "$BACKUP"; then
     return 0
@@ -82,5 +85,4 @@ merge_cmd
 set -eu
 
 # Re-encrypt content
-sops --encrypt "$merged_decrypted" > "$merged"
+sops --encrypt "$merged_decrypted" >"$merged"
-