hmm

2026-04-07 18:39:42 -05:00
parent a418d03b19
commit 70002a19e2
365 changed files with 51 additions and 18 deletions
--- a/systems/aarch64-darwin/macbook-pro/homebrew.nix
+++ b/systems/aarch64-darwin/macbook-pro/homebrew.nix
--- a/systems/aarch64-darwin/macbook-pro/programs.nix
+++ b/systems/aarch64-darwin/macbook-pro/programs.nix
--- a/systems/aarch64-darwin/macbook-pro/settings.nix
+++ b/systems/aarch64-darwin/macbook-pro/settings.nix
--- a/systems/aarch64-darwin/macbook-pro/system.nix
+++ b/systems/aarch64-darwin/macbook-pro/system.nix
--- a/systems/aarch64-linux/macbook-pro-nixos/NixOS.png
+++ b/systems/aarch64-linux/macbook-pro-nixos/NixOS.png
--- a/systems/aarch64-linux/macbook-pro-nixos/apple.png
+++ b/systems/aarch64-linux/macbook-pro-nixos/apple.png
--- a/systems/aarch64-linux/macbook-pro-nixos/boot.nix
+++ b/systems/aarch64-linux/macbook-pro-nixos/boot.nix
--- a/systems/aarch64-linux/macbook-pro-nixos/filesystems.nix
+++ b/systems/aarch64-linux/macbook-pro-nixos/filesystems.nix
--- a/systems/aarch64-linux/macbook-pro-nixos/hardware-configuration.nix
+++ b/systems/aarch64-linux/macbook-pro-nixos/hardware-configuration.nix
--- a/systems/aarch64-linux/macbook-pro-nixos/services.nix
+++ b/systems/aarch64-linux/macbook-pro-nixos/services.nix
--- a/systems/aarch64-linux/macbook-pro-nixos/specialisations/asahi-fairydust.nix
+++ b/systems/aarch64-linux/macbook-pro-nixos/specialisations/asahi-fairydust.nix
--- a/systems/aarch64-linux/pi5/adguard.nix
+++ b/systems/aarch64-linux/pi5/adguard.nix
--- a/systems/aarch64-linux/pi5/default.nix
+++ b/systems/aarch64-linux/pi5/default.nix
--- a/systems/x86_64-install-iso/graphical/default.nix
+++ b/systems/x86_64-install-iso/graphical/default.nix
--- a/systems/x86_64-linux/allyx/boot.nix
+++ b/systems/x86_64-linux/allyx/boot.nix
--- a/systems/x86_64-linux/allyx/default.nix
+++ b/systems/x86_64-linux/allyx/default.nix
--- a/systems/x86_64-linux/jallen-nas/default.nix
+++ b/systems/x86_64-linux/jallen-nas/default.nix
@@ -287,6 +287,9 @@ in
      options = [
        "version_upgrade=incompatible"
        "nofail"
+        # Allow bcachefs to self-heal journal errors (e.g. duplicate entries from unclean shutdown)
+        # instead of refusing to mount with fsck_errors_not_fixed.
+        "errors=fix_safe"
      ];
    };
  };
--- a/systems/x86_64-linux/jallen-nas/disabled.nix
+++ b/systems/x86_64-linux/jallen-nas/disabled.nix
@@ -23,22 +23,29 @@ in
            ai = mkForce disabled;
            arrs = mkForce disabled;
            attic = mkForce disabled;
+            bookshelf = mkForce disabled;
            authentik = mkForce disabled;
            authentikRac = mkForce disabled;
+            caddy = mkForce disabled;
            calibre = mkForce disabled;
            calibre-web = mkForce disabled;
            code-server = mkForce disabled;
            collabora = mkForce disabled;
+            coturn = mkForce disabled;
            crowdsec = mkForce disabled;
+            databasus = mkForce disabled;
            dispatcharr = mkForce disabled;
            tunarr = mkForce disabled;
            free-games-claimer = mkForce disabled;
            gitea = mkForce disabled;
            glance = mkForce disabled;
            glances = mkForce disabled;
+            grafana = mkForce disabled;
+            guacd = mkForce disabled;
            headscale = mkForce disabled;
            immich = mkForce disabled;
            jellyfin = mkForce disabled;
+            kavita = mkForce disabled;
            seerr = mkForce disabled;
            lubelogger = mkForce disabled;
            manyfold = mkForce disabled;
@@ -56,8 +63,12 @@ in
            paperless-ai = mkForce disabled;
            protonmail-bridge = mkForce disabled;
            restic-server = mkForce disabled;
+            sparky-fitness-server = mkForce disabled;
+            sparky-fitness = mkForce disabled;
+            suggestarr = mkForce disabled;
            sunshine = mkForce disabled;
            tdarr = mkForce disabled;
+            termix = mkForce disabled;
            unmanic = mkForce disabled;
            uptime-kuma = mkForce disabled;
            wyoming = mkForce disabled;
@@ -65,6 +76,7 @@ in
        };

        services = {
+          mysql = mkForce disabled;
          postgresql = mkForce disabled;
        };
      };
--- a/systems/x86_64-linux/jallen-nas/nas-defaults.nix
+++ b/systems/x86_64-linux/jallen-nas/nas-defaults.nix
--- a/systems/x86_64-linux/jallen-nas/nas-pool.nix
+++ b/systems/x86_64-linux/jallen-nas/nas-pool.nix
--- a/systems/x86_64-linux/jallen-nas/sops.nix
+++ b/systems/x86_64-linux/jallen-nas/sops.nix
@@ -351,19 +351,6 @@ in
        ];
      };

-      # Grafana reads ntfy credentials via systemd EnvironmentFile so the
-      # $__env{} provider works in alerting provisioning YAML.  The file
-      # provider ($__file{}) only works in grafana.ini, not in provisioning.
-      "grafana.env" = {
-        content = ''
-          GRAFANA_NTFY_USER=${config.sops.placeholder."jallen-nas/ntfy/user"}
-          GRAFANA_NTFY_PASSWORD=${config.sops.placeholder."jallen-nas/ntfy/password"}
-        '';
-        mode = "0400";
-        owner = "grafana";
-        restartUnits = [ "grafana.service" ];
-      };
-
      # CrowdSec HTTP notification plugin config with credentials baked in.
      # The plugin process spawned by crowdsec/cscli reads this file directly.
      # Credentials are embedded in the URL using HTTP basic auth so no
--- a/systems/x86_64-linux/jallen-nas/users.nix
+++ b/systems/x86_64-linux/jallen-nas/users.nix
@@ -53,6 +53,14 @@ in

      # Prometheus reads bearer_token_file for the Gitea scrape job at runtime.
      prometheus = {
+        isSystemUser = true;
+        group = "prometheus";
+        extraGroups = [ "keys" ];
+      };
+
+      grafana = {
+        isSystemUser = true;
+        group = "grafana";
        extraGroups = [ "keys" ];
      };

@@ -67,6 +75,8 @@ in
    groups = {
      nextcloud-exporter = { };
      crowdsec = { };
+      prometheus = { };
+      grafana = { };
      nut.name = "nut";
      "jallen-nas".name = "jallen-nas";
    };
--- a/systems/x86_64-linux/jallen-nas/vpn.nix
+++ b/systems/x86_64-linux/jallen-nas/vpn.nix
--- a/systems/x86_64-linux/matt-nixos/default.nix
+++ b/systems/x86_64-linux/matt-nixos/default.nix
--- a/systems/x86_64-linux/matt-nixos/disk.jwe
+++ b/systems/x86_64-linux/matt-nixos/disk.jwe
--- a/systems/x86_64-linux/matt-nixos/services/lsfg-vk/default.nix
+++ b/systems/x86_64-linux/matt-nixos/services/lsfg-vk/default.nix
--- a/systems/x86_64-linux/matt-nixos/services/ratbagd/default.nix
+++ b/systems/x86_64-linux/matt-nixos/services/ratbagd/default.nix
--- a/systems/x86_64-linux/matt-nixos/services/restic/default.nix
+++ b/systems/x86_64-linux/matt-nixos/services/restic/default.nix
--- a/systems/x86_64-linux/matt-nixos/wifi-fixer.nix
+++ b/systems/x86_64-linux/matt-nixos/wifi-fixer.nix
--- a/systems/x86_64-linux/nuc-nixos/boot.nix
+++ b/systems/x86_64-linux/nuc-nixos/boot.nix
--- a/systems/x86_64-linux/nuc-nixos/dashboard.nix
+++ b/systems/x86_64-linux/nuc-nixos/dashboard.nix
--- a/systems/x86_64-linux/nuc-nixos/default.nix
+++ b/systems/x86_64-linux/nuc-nixos/default.nix