diff --git a/flake-modules/clan.nix b/flake-modules/clan.nix
index d8fe760..2207db4 100644
--- a/flake-modules/clan.nix
+++ b/flake-modules/clan.nix
@@ -125,7 +125,6 @@ in {
 }
 clanHostsModule
 ../nixos/hosts/sunken-ship.nix
- config.flake.nixosModules.dotfiles-rebuild
 config.flake.nixosModules.server-debug-tools
 config.flake.nixosModules.monitoring-node-exporter
 config.flake.nixosModules.monitoring-prometheus-server
@@ -169,7 +168,6 @@ in {
 inputs.nix-openclaw.nixosModules.openclaw-gateway
 inputs.catppuccin.nixosModules.catppuccin
 ../nixos/hosts/phantom-ship.nix
- config.flake.nixosModules.dotfiles-rebuild
 config.flake.nixosModules.server-debug-tools
 config.flake.nixosModules.monitoring-node-exporter
 inputs.home-manager.nixosModules.home-manager
diff --git a/flake-modules/nixos-modules.nix b/flake-modules/nixos-modules.nix
index 3f6bf96..3dd7929 100644
--- a/flake-modules/nixos-modules.nix
+++ b/flake-modules/nixos-modules.nix
@@ -1,9 +1,8 @@
 # Expose reusable NixOS modules via `flake.nixosModules`.
 #
 # Consume from a host's flake-module via:
-# modules = [ config.flake.nixosModules.dotfiles-rebuild ];
+# modules = [ config.flake.nixosModules.server-debug-tools ];
 { ... }: {
- flake.nixosModules.dotfiles-rebuild = ../modules/dotfiles-rebuild.nix;
 flake.nixosModules.server-debug-tools = ../modules/server-debug-tools.nix;
 flake.nixosModules.monitoring-node-exporter = ../modules/monitoring-node-exporter.nix;
 flake.nixosModules.monitoring-prometheus-server = ../modules/monitoring-prometheus-server.nix;
diff --git a/modules/dotfiles-rebuild.nix b/modules/dotfiles-rebuild.nix
deleted file mode 100644
index de6ac87..0000000
--- a/modules/dotfiles-rebuild.nix
+++ /dev/null
@@ -1,44 +0,0 @@
-# Shared auto-rebuild-from-git service for homelab hosts.
-#
-# Every 15 min: git fetch origin, fast-forward main, and if there were any
-# new commits run nixos-rebuild switch against `#`.
-#
-# Assumes /etc/dotfiles is an already-cloned checkout of the dotfiles repo.
-{ config, lib, pkgs, ... }:
-let
- dotfilesDir = "/etc/dotfiles";
- flakeRef = "${dotfilesDir}#${config.networking.hostName}";
-in {
- environment.systemPackages = [ pkgs.git ];
-
- # Trust /etc/dotfiles as root even though it's owned by `danny`.
- # nix/libgit2 reads safe.directory from /etc/gitconfig; the GIT_CONFIG_*
- # env vars on the service only affect the git CLI, not nix.
- programs.git.enable = true;
- programs.git.config.safe.directory = [ dotfilesDir ];
-
- systemd.services.dotfiles-rebuild = {
- description = "Pull dotfiles and run nixos-rebuild if repo changed";
- path = with pkgs; [ git nix nixos-rebuild ];
- environment.GIT_CONFIG_COUNT = "1";
- environment.GIT_CONFIG_KEY_0 = "safe.directory";
- environment.GIT_CONFIG_VALUE_0 = dotfilesDir;
- script = ''
- set -euo pipefail
- cd ${dotfilesDir}
- git fetch origin
- if [ "$(git rev-parse HEAD)" = "$(git rev-parse origin/main)" ]; then
- exit 0
- fi
- git pull origin main
- exec nixos-rebuild switch --flake ${flakeRef}
- '';
- serviceConfig.Type = "oneshot";
- };
-
- systemd.timers.dotfiles-rebuild = {
- wantedBy = [ "timers.target" ];
- timerConfig.OnCalendar = "*-*-* *:00/15:00"; # every 15 minutes
- timerConfig.RandomizedDelaySec = "2min";
- };
-}
diff --git a/nixos/home/danny/home.nix b/nixos/home/danny/home.nix
index 739abc2..c110a83 100644
--- a/nixos/home/danny/home.nix
+++ b/nixos/home/danny/home.nix
@@ -231,6 +231,7 @@
 zed-editor
 code-cursor
 cursor-cli
+ cinny-desktop # Matrix client (Tauri wrapper around the Cinny web app)
 dfu-util # USB DFU firmware flasher (Flipper Zero etc.)
 discord
 mapscii
diff --git a/nixos/hosts/sunken-ship.nix b/nixos/hosts/sunken-ship.nix
index 095b986..fd14e1b 100644
--- a/nixos/hosts/sunken-ship.nix
+++ b/nixos/hosts/sunken-ship.nix
@@ -72,7 +72,7 @@
 # x86_64-linux builds here via ssh-ng://danny@sunken-ship-zt).
 nix.settings.trusted-users = [ "root" "danny" ];
 environment.systemPackages = with pkgs; [
- git # clone/bootstrap and dotfiles-rebuild timer
+ git # clone/bootstrap, repo-pull timers, dm-pull-deploy push
 brightnessctl # manual backlight; replaces removed `light` from nixpkgs
 uxplay # AirPlay mirroring receiver
 alsa-utils # aplay, amixer, arecord for audio debugging
@@ -347,7 +347,10 @@
 # not in the repo, so they survive pulls.
 systemd.services.mulbo-pull = {
 description = "Pull mulbo repo and restart mulbo-server if changed";
- path = with pkgs; [ git systemd ];
+ # openssh: `git fetch origin` over an SSH remote forks `ssh`; without
+ # it git dies with "cannot run ssh: No such file or directory" and the
+ # unit fails (shows up as system `degraded`).
+ path = with pkgs; [ git openssh systemd ];
 environment = {
 GIT_CONFIG_COUNT = "1";
 GIT_CONFIG_KEY_0 = "safe.directory";
@@ -372,6 +375,33 @@
 timerConfig.RandomizedDelaySec = "2min";
 };
+ # dm-pull-deploy push automation. sunken-ship is the push node for the
+ # clan dm-pull-deploy instance (wired in flake-modules/clan.nix), but
+ # the upstream module only ships a manual `dm-send-deploy` binary — no
+ # scheduler. This timer announces the latest origin/main rev over
+ # data-mesher gossip; the watchers (dm-pull-deploy.path on sunken
+ # phantom) compare and only rebuild when the rev actually changes, so
+ # re-announcing the same rev is a cheap no-op. This is the replacement
+ # for the legacy dotfiles-rebuild pull timer (being retired).
+ #
+ # dm-send-deploy self-discovers the rev via `git ls-remote` and signs
+ # with /run/secrets/vars/dm-pull-deploy-signing-key — needs root.
+ systemd.services.dm-pull-deploy-push = {
+ description = "Announce latest origin/main rev via data-mesher (dm-pull-deploy push)";
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = "/run/current-system/sw/bin/dm-send-deploy";
+ User = "root";
+ };
+ };
+
+ systemd.timers.dm-pull-deploy-push = {
+ wantedBy = [ "timers.target" ];
+ timerConfig.OnCalendar = "*-*-* *:04/15:00"; # every 15 min, offset from the other pull timers
+ timerConfig.RandomizedDelaySec = "2min";
+ timerConfig.Persistent = true;
+ };
+
 # One-shot backfill: walks Navidrome's media_file, computes
 # (sha256, chromaprint) per file, populates mulbo-server's tracks_index
 # with the corresponding navidrome_track_id. Idempotent — existing rows
@@ -443,6 +473,8 @@
 };
 };
- # Auto-rebuild service/timer + safe.directory provided by the
- # shared dotfiles-rebuild NixOS module (see nixos/modules/dotfiles-rebuild.nix).
+ # Deploys now flow through clan dm-pull-deploy: the dm-pull-deploy-push
+ # timer above announces origin/main, and the dm-pull-deploy.path watcher
+ # rebuilds on change. The legacy pull-based dotfiles-rebuild module was
+ # retired 2026-05-19.
 }
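Review bot: `ExecStart = "/run/current-system/sw/bin/dm-send-deploy"` resolves the binary through the system profile at run time rather than through the module that ships it, so the unit depends on dm-send-deploy being in `environment.systemPackages` and on `/run/current-system` being stable at the moment the timer fires (including mid-switch); if the upstream module exposes its package, `ExecStart = lib.getExe <dm-pull-deploy-package>` (placeholder for whatever attribute it exports) pins the store path instead. The comment says dm-send-deploy runs `git ls-remote`, which is the same code path the `@@ -347` hunk above just repaired for mulbo-pull — unless dm-send-deploy bundles its own git/openssh, this unit will fail the same way once the remote is SSH, so `path = with pkgs; [ git openssh ];` on `systemd.services.dm-pull-deploy-push` is worth adding now rather than after the first degraded boot. `User = "root"` is already the default for a system unit, so the line is redundant with the comment that explains why root is needed. The enclosing host attribute set starts and ends outside this hunk.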
diff --git a/nixos/hosts/vps-relay.nix b/nixos/hosts/vps-relay.nix
index bd93b25..85ed329 100644
--- a/nixos/hosts/vps-relay.nix
+++ b/nixos/hosts/vps-relay.nix
@@ -46,8 +46,13 @@
 isNormalUser = true;
 extraGroups = [ "wheel" ];
 openssh.authorizedKeys.keys = [
- # Same pubkey used to reach sunken-ship; set at install via clan.
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKW/akfIiVU5o63YrTAJVZhMj7kXfYHOnXDtlpVFW7pf danny@sunken-ship"
+ # Mac admin key (~/.ssh/id_ed25519_sunken_ship on the laptop — the
+ # key the Mac uses to reach the fleet). Used for `clan machines
+ # update vps-relay` from the Mac and at install via clan.
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKW/akfIiVU5o63YrTAJVZhMj7kXfYHOnXDtlpVFW7pf danny@mac-admin"
+ # sunken-ship's own key, so the push node can SSH into vps-relay
+ # over ZeroTier for mesh introspection / debugging.
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB9t4YAaoHvVouqp+qyFOq8o3SAtXMiAmjF6J0ldyx4g danny@sunken-ship"
 ];
 };
 users.users.root.openssh.authorizedKeys.keys =
diff --git a/nixos/neovim.nix b/nixos/neovim.nix
index 59a6f85..75b2335 100644
--- a/nixos/neovim.nix
+++ b/nixos/neovim.nix
@@ -41,6 +41,7 @@
 end
 -- General options
+ vim.opt.cursorline = true
 vim.opt.mouse = "a"
 vim.opt.listchars = { tab = "→ ", space = "·", nbsp = "␣", trail = "•", eol = "¶", precedes = "«", extends = "»" }
 vim.opt.clipboard:append("unnamedplus")
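Review bot: The added `danny@sunken-ship` entry gives sunken-ship's own key a login on an account that the context line `extraGroups = [ "wheel" ];` makes a sudoer, while the comment scopes its purpose to `mesh introspection / debugging`; since sunken-ship is also the push node that runs an unattended root timer, a compromise of that host now reaches vps-relay with wheel rights. If introspection is really all it needs, restrict the entry with authorized_keys options, e.g. `"restrict,command=\"<introspection-command>\" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB9t4YAaoHvVouqp+qyFOq8o3SAtXMiAmjF6J0ldyx4g danny@sunken-ship"` (command is a placeholder), or land it on a non-wheel user. The first entry keeps the same key material as the removed line and only changes its comment from `danny@sunken-ship` to `danny@mac-admin`, and that old label is now reused for a different key; the commit message should say this is a relabel with no rotation so an audit of the fleet's keys is not misled. The enclosing user definition starts outside this hunk.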