updated authorized keys

chore: update flake.lock

.gitea/workflows/check-nixos.yml

@@ -0,0 +1,27 @@
+name: Check NixOS configurations
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+jobs:
+  eval-hosts:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@v19
+
+      - name: Evaluate all NixOS hosts
+        run: |
+          set -euo pipefail
+          for host in nixos docker kuma server nix-cache nix-minimal; do
+            echo "Evaluating ${host}"
+            nix --extra-experimental-features 'nix-command flakes' eval \
+              ".#nixosConfigurations.${host}.config.system.build.toplevel.drvPath" --raw
+          done

.gitea/workflows/update-flake-lock.yml

@@ -0,0 +1,32 @@
+name: Update flake.lock
+
+on:
+  schedule:
+    - cron: "0 6 * * 1"
+  workflow_dispatch:
+
+jobs:
+  update-flake-lock:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@v19
+
+      - name: Update and commit flake.lock
+        run: |
+          set -euo pipefail
+          nix --extra-experimental-features 'nix-command flakes' flake update
+
+          if git diff --quiet -- flake.lock; then
+            echo "No flake.lock changes detected"
+            exit 0
+          fi
+
+          git config user.name "gitea-actions"
+          git config user.email "gitea-actions@nix-cache.local"
+          git add flake.lock
+          git commit -m "chore: update flake.lock"
+          git push

.github/workflows/check-nixos.yml

@@ -0,0 +1,27 @@
+name: Check NixOS configurations
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+jobs:
+  eval-hosts:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@v19
+
+      - name: Evaluate all NixOS hosts
+        run: |
+          set -euo pipefail
+          for host in nixos docker kuma server nix-cache nix-minimal; do
+            echo "Evaluating ${host}"
+            nix --extra-experimental-features 'nix-command flakes' eval \
+              ".#nixosConfigurations.${host}.config.system.build.toplevel.drvPath" --raw
+          done

.github/workflows/update-flake-lock.yml

@@ -0,0 +1,37 @@
+name: Update flake.lock
+
+on:
+  schedule:
+    - cron: "0 6 * * 1"
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  update-flake-lock:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@v19
+
+      - name: Update flake.lock
+        run: |
+          nix --extra-experimental-features 'nix-command flakes' flake update
+
+      - name: Create pull request
+        uses: peter-evans/create-pull-request@v6
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          add-paths: flake.lock
+          branch: chore/update-flake-lock
+          title: "chore: update flake.lock"
+          commit-message: "chore: update flake.lock"
+          body: |
+            This is an automated update of `flake.lock` generated by the scheduled workflow.
+            
+            It updates pinned flake inputs so dependency updates can be reviewed and merged via PR.

docs/flake-lock-automation.md

@@ -0,0 +1,71 @@
+# flake.lock automation
+
+This repository uses CI workflows to keep `flake.lock` up to date on a schedule and to verify that all declared NixOS hosts still evaluate after dependency updates.
+
+## What this automation does
+
+- A scheduled workflow runs `nix flake update` once per week.
+- On GitHub, any resulting `flake.lock` change is proposed through a pull request.
+- On Gitea, the workflow can commit and push `flake.lock` directly when PR automation is not configured.
+- A separate CI workflow evaluates every configured host before merge:
+  - `nixos`
+  - `docker`
+  - `kuma`
+  - `server`
+  - `nix-cache`
+  - `nix-minimal`
+
+## Why hosts should stop using `--upgrade-all`
+
+`flake.lock` is the source of truth for pinned dependency versions in a flake-based workflow. Normal host rebuilds should consume the committed lock file instead of upgrading dependencies ad-hoc on each machine.
+
+Recommended rebuild command:
+
+```bash
+sudo nixos-rebuild switch --flake git+https://gitea.lan.ddnsgeek.com/beatzaplenty/nixos.git#$(hostname)
+```
+
+Using the committed lock file keeps all hosts aligned and makes updates auditable through CI and code review.
+
+## Command differences
+
+- `nix flake update`
+  - Updates flake input pins in `flake.lock`.
+  - Should be run in CI or in a dedicated update PR workflow.
+- `nixos-rebuild --upgrade`
+  - Primarily for channel-based workflows; not the normal path for flake-pinned deployments.
+- `nixos-rebuild --upgrade-all`
+  - Aggressively updates package sources and bypasses coordinated lock-file updates.
+  - Avoid for routine flake-based host rebuilds.
+
+## nix-cache and remote builder fit
+
+With `nix-cache` acting as a binary cache and remote builder, lock-file updates become safer and more reproducible:
+
+- CI verifies host evaluations against the updated lock file.
+- Builds can be performed once on the remote builder.
+- Built artifacts can be served via `nix-cache` to other hosts, reducing rebuild time and drift.
+
+## Token and secret handling
+
+Do **not** commit access tokens into `flake.nix`, `flake.lock`, or any other tracked file.
+
+If private source access is needed:
+
+- configure tokens locally in `~/.config/nix/nix.conf` or equivalent machine-local config, or
+- provide tokens through CI secrets/environment variables.
+
+## GitHub Actions setup notes
+
+- Ensure `GITHUB_TOKEN` has permission to create branches and pull requests (workflow sets `contents: write` and `pull-requests: write`).
+- The update workflow uses `peter-evans/create-pull-request` with branch `chore/update-flake-lock`.
+- The evaluation workflow runs on pull requests, pushes to `main`, and manual dispatch.
+
+## Gitea Actions runner setup notes
+
+- Ensure the runner image includes Git and can execute the Nix installer action.
+- For direct push mode, grant workflow push permission to the repository.
+- The workflow sets commit identity to:
+  - `user.name = gitea-actions`
+  - `user.email = gitea-actions@nix-cache.local`
+- Commits are only created when `flake.lock` actually changes.

flake.lock

@@ -2,16 +2,17 @@
   "nodes": {
     "flake-compat": {
       "locked": {
-        "lastModified": 1696426674,
+        "lastModified": 1767039857,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "owner": "edolstra",
-        "revCount": 57,
+        "repo": "flake-compat",
-        "type": "tarball",
+        "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
-        "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.0.1/018afb31-abd1-7bff-a5e4-cff7e18efb7a/source.tar.gz"
+        "type": "github"
       },
       "original": {
-        "type": "tarball",
+        "owner": "edolstra",
-        "url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz"
+        "repo": "flake-compat",
+        "type": "github"
       }
     },
     "flake-compat_2": {
@@ -53,16 +54,17 @@
         "flake-utils": "flake-utils"
       },
       "locked": {
-        "lastModified": 1696331477,
+        "lastModified": 1715533576,
-        "narHash": "sha256-YkbRa/1wQWdWkVJ01JvV+75KIdM37UErqKgTf0L54Fk=",
+        "narHash": "sha256-fT4ppWeCJ0uR300EH3i7kmgRZnAVxrH+XtK09jQWihk=",
         "owner": "gytis-ivaskevicius",
         "repo": "flake-utils-plus",
-        "rev": "bfc53579db89de750b25b0c5e7af299e0c06d7d3",
+        "rev": "3542fe9126dc492e53ddd252bb0260fe035f2c0f",
         "type": "github"
       },
       "original": {
         "owner": "gytis-ivaskevicius",
         "repo": "flake-utils-plus",
+        "rev": "3542fe9126dc492e53ddd252bb0260fe035f2c0f",
         "type": "github"
       }
     },
@@ -73,15 +75,16 @@
         ]
       },
       "locked": {
-        "lastModified": 1765860045,
+        "lastModified": 1778401693,
-        "narHash": "sha256-7Lxp/PfOy4h3QIDtmWG/EgycaswqRSkDX4DGtet14NE=",
+        "narHash": "sha256-OVHdCqXXUF5UdGkH+FF2ZL06OLZjj2kvP2dIUmzVWoo=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "09de9577d47d8bffb11c449b6a3d24e32ac16c99",
+        "rev": "389b83002efc26f1145e89a6a8e6edc5a6435948",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
+        "ref": "release-25.11",
         "repo": "home-manager",
         "type": "github"
       }
@@ -93,11 +96,11 @@
         "snowfall-lib": "snowfall-lib"
       },
       "locked": {
-        "lastModified": 1707338010,
+        "lastModified": 1771149335,
-        "narHash": "sha256-UtLeZzDdk96sLTRcWsGrkWCslNUDytrGe0VmOTB/iig=",
+        "narHash": "sha256-YPUIwyumbQOE2DUY8NIsHIUTGUQnDVhnTVUZMZDRwi4=",
         "owner": "snowfallorg",
         "repo": "nixos-conf-editor",
-        "rev": "27b5e92f580f794c690093503869aab242f075ab",
+        "rev": "9f8b4519a2e0e8919b69b7572bc26dab54274a6f",
         "type": "github"
       },
       "original": {
@@ -108,11 +111,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1698318101,
+        "lastModified": 1771008912,
-        "narHash": "sha256-gUihHt3yPD7bVqg+k/UVHgngyaJ3DMEBchbymBMvK1E=",
+        "narHash": "sha256-gf2AmWVTs8lEq7z/3ZAsgnZDhWIckkb+ZnAo5RzSxJg=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "63678e9f3d3afecfeafa0acead6239cdb447574c",
+        "rev": "a82ccc39b39b621151d6732718e3e250109076fa",
         "type": "github"
       },
       "original": {
@@ -124,16 +127,16 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1765779637,
+        "lastModified": 1778430510,
-        "narHash": "sha256-KJ2wa/BLSrTqDjbfyNx70ov/HdgNBCBBSQP3BIzKnv4=",
+        "narHash": "sha256-Ti+ZBvW6yrWWAg2szExVTwCd4qOJ3KlVr1tFHfyfi8Q=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "1306659b587dc277866c7b69eb97e5f07864d8c4",
+        "rev": "8fd9daa3db09ced9700431c5b7ad0e8ba199b575",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-unstable",
+        "ref": "nixos-25.11",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -155,11 +158,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1696432959,
+        "lastModified": 1765361626,
-        "narHash": "sha256-oJQZv2MYyJaVyVJY5IeevzqpGvMGKu5pZcCCJvb+xjc=",
+        "narHash": "sha256-kX0Dp/kYSRbQ+yd9e3lmmUWdNbipufvKfL2IzbrSpnY=",
         "owner": "snowfallorg",
         "repo": "lib",
-        "rev": "92803a029b5314d4436a8d9311d8707b71d9f0b6",
+        "rev": "c566ad8b7352c30ec3763435de7c8f1c46ebb357",
         "type": "github"
       },
       "original": {
@@ -186,4 +189,4 @@
   },
   "root": "root",
   "version": 7
-}
+}

modules/nix/cache-server.nix

@@ -39,7 +39,8 @@
     #
     # Avoid absolute keyFiles paths here because they break pure flake evaluation.
     openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFDEA1S2ikpObREgbP5uVBWMxIOGbY8B+Wx7VTZK1m6t root@server"
-					"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPAYIT9ormlmxZ0SziyDQaUntnKI8HK9/s3Qac1ZKjP2 root@docker" ];
+					"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPAYIT9ormlmxZ0SziyDQaUntnKI8HK9/s3Qac1ZKjP2 root@docker" 
+					"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKKKzoEPl/ZW9KBRHBcp6/ThOngGpwMv5EhkTlgC4aDf root@nixos"];
   };
 
   services.openssh.enable = true;