updated authorized keys

Merge pull request #4 from beatz174-bit/chore/update-flake-lock
chore: update flake.lock
2026-05-12 13:28:33 +10:00 · 2026-05-12 13:02:58 +10:00 · 2026-05-12 02:58:23 +00:00 · 2026-05-12 12:40:56 +10:00 · 2026-05-12 12:40:49 +10:00 · 2026-05-12 12:38:28 +10:00
8 changed files with 229 additions and 30 deletions
@@ -0,0 +1,27 @@
+name: Check NixOS configurations
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+jobs:
+  eval-hosts:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@v19
+
+      - name: Evaluate all NixOS hosts
+        run: |
+          set -euo pipefail
+          for host in nixos docker kuma server nix-cache nix-minimal; do
+            echo "Evaluating ${host}"
+            nix --extra-experimental-features 'nix-command flakes' eval \
+              ".#nixosConfigurations.${host}.config.system.build.toplevel.drvPath" --raw
+          done
@@ -0,0 +1,32 @@
+name: Update flake.lock
+
+on:
+  schedule:
+    - cron: "0 6 * * 1"
+  workflow_dispatch:
+
+jobs:
+  update-flake-lock:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@v19
+
+      - name: Update and commit flake.lock
+        run: |
+          set -euo pipefail
+          nix --extra-experimental-features 'nix-command flakes' flake update
+
+          if git diff --quiet -- flake.lock; then
+            echo "No flake.lock changes detected"
+            exit 0
+          fi
+
+          git config user.name "gitea-actions"
+          git config user.email "gitea-actions@nix-cache.local"
+          git add flake.lock
+          git commit -m "chore: update flake.lock"
+          git push
@@ -0,0 +1,27 @@
+name: Check NixOS configurations
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+jobs:
+  eval-hosts:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@v19
+
+      - name: Evaluate all NixOS hosts
+        run: |
+          set -euo pipefail
+          for host in nixos docker kuma server nix-cache nix-minimal; do
+            echo "Evaluating ${host}"
+            nix --extra-experimental-features 'nix-command flakes' eval \
+              ".#nixosConfigurations.${host}.config.system.build.toplevel.drvPath" --raw
+          done
@@ -0,0 +1,37 @@
+name: Update flake.lock
+
+on:
+  schedule:
+    - cron: "0 6 * * 1"
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  update-flake-lock:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@v19
+
+      - name: Update flake.lock
+        run: |
+          nix --extra-experimental-features 'nix-command flakes' flake update
+
+      - name: Create pull request
+        uses: peter-evans/create-pull-request@v6
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          add-paths: flake.lock
+          branch: chore/update-flake-lock
+          title: "chore: update flake.lock"
+          commit-message: "chore: update flake.lock"
+          body: |
+            This is an automated update of `flake.lock` generated by the scheduled workflow.
+            
+            It updates pinned flake inputs so dependency updates can be reviewed and merged via PR.
@@ -0,0 +1,71 @@
+# flake.lock automation
+
+This repository uses CI workflows to keep `flake.lock` up to date on a schedule and to verify that all declared NixOS hosts still evaluate after dependency updates.
+
+## What this automation does
+
+- A scheduled workflow runs `nix flake update` once per week.
+- On GitHub, any resulting `flake.lock` change is proposed through a pull request.
+- On Gitea, the workflow can commit and push `flake.lock` directly when PR automation is not configured.
+- A separate CI workflow evaluates every configured host before merge:
+  - `nixos`
+  - `docker`
+  - `kuma`
+  - `server`
+  - `nix-cache`
+  - `nix-minimal`
+
+## Why hosts should stop using `--upgrade-all`
+
+`flake.lock` is the source of truth for pinned dependency versions in a flake-based workflow. Normal host rebuilds should consume the committed lock file instead of upgrading dependencies ad-hoc on each machine.
+
+Recommended rebuild command:
+
+```bash
+sudo nixos-rebuild switch --flake git+https://gitea.lan.ddnsgeek.com/beatzaplenty/nixos.git#$(hostname)
+```
+
+Using the committed lock file keeps all hosts aligned and makes updates auditable through CI and code review.
+
+## Command differences
+
+- `nix flake update`
+  - Updates flake input pins in `flake.lock`.
+  - Should be run in CI or in a dedicated update PR workflow.
+- `nixos-rebuild --upgrade`
+  - Primarily for channel-based workflows; not the normal path for flake-pinned deployments.
+- `nixos-rebuild --upgrade-all`
+  - Aggressively updates package sources and bypasses coordinated lock-file updates.
+  - Avoid for routine flake-based host rebuilds.
+
+## nix-cache and remote builder fit
+
+With `nix-cache` acting as a binary cache and remote builder, lock-file updates become safer and more reproducible:
+
+- CI verifies host evaluations against the updated lock file.
+- Builds can be performed once on the remote builder.
+- Built artifacts can be served via `nix-cache` to other hosts, reducing rebuild time and drift.
+
+## Token and secret handling
+
+Do **not** commit access tokens into `flake.nix`, `flake.lock`, or any other tracked file.
+
+If private source access is needed:
+
+- configure tokens locally in `~/.config/nix/nix.conf` or equivalent machine-local config, or
+- provide tokens through CI secrets/environment variables.
+
+## GitHub Actions setup notes
+
+- Ensure `GITHUB_TOKEN` has permission to create branches and pull requests (workflow sets `contents: write` and `pull-requests: write`).
+- The update workflow uses `peter-evans/create-pull-request` with branch `chore/update-flake-lock`.
+- The evaluation workflow runs on pull requests, pushes to `main`, and manual dispatch.
+
+## Gitea Actions runner setup notes
+
+- Ensure the runner image includes Git and can execute the Nix installer action.
+- For direct push mode, grant workflow push permission to the repository.
+- The workflow sets commit identity to:
+  - `user.name = gitea-actions`
+  - `user.email = gitea-actions@nix-cache.local`
+- Commits are only created when `flake.lock` actually changes.
@@ -2,16 +2,17 @@
  "nodes": {
    "flake-compat": {
      "locked": {
-        "lastModified": 1696426674,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
-        "revCount": 57,
-        "type": "tarball",
-        "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.0.1/018afb31-abd1-7bff-a5e4-cff7e18efb7a/source.tar.gz"
+        "lastModified": 1767039857,
+        "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
+        "type": "github"
      },
      "original": {
-        "type": "tarball",
-        "url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz"
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
      }
    },
    "flake-compat_2": {
@@ -53,16 +54,17 @@
        "flake-utils": "flake-utils"
      },
      "locked": {
-        "lastModified": 1696331477,
-        "narHash": "sha256-YkbRa/1wQWdWkVJ01JvV+75KIdM37UErqKgTf0L54Fk=",
+        "lastModified": 1715533576,
+        "narHash": "sha256-fT4ppWeCJ0uR300EH3i7kmgRZnAVxrH+XtK09jQWihk=",
        "owner": "gytis-ivaskevicius",
        "repo": "flake-utils-plus",
-        "rev": "bfc53579db89de750b25b0c5e7af299e0c06d7d3",
+        "rev": "3542fe9126dc492e53ddd252bb0260fe035f2c0f",
        "type": "github"
      },
      "original": {
        "owner": "gytis-ivaskevicius",
        "repo": "flake-utils-plus",
+        "rev": "3542fe9126dc492e53ddd252bb0260fe035f2c0f",
        "type": "github"
      }
    },
@@ -73,15 +75,16 @@
        ]
      },
      "locked": {
-        "lastModified": 1765860045,
-        "narHash": "sha256-7Lxp/PfOy4h3QIDtmWG/EgycaswqRSkDX4DGtet14NE=",
+        "lastModified": 1778401693,
+        "narHash": "sha256-OVHdCqXXUF5UdGkH+FF2ZL06OLZjj2kvP2dIUmzVWoo=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "09de9577d47d8bffb11c449b6a3d24e32ac16c99",
+        "rev": "389b83002efc26f1145e89a6a8e6edc5a6435948",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
+        "ref": "release-25.11",
        "repo": "home-manager",
        "type": "github"
      }
@@ -93,11 +96,11 @@
        "snowfall-lib": "snowfall-lib"
      },
      "locked": {
-        "lastModified": 1707338010,
-        "narHash": "sha256-UtLeZzDdk96sLTRcWsGrkWCslNUDytrGe0VmOTB/iig=",
+        "lastModified": 1771149335,
+        "narHash": "sha256-YPUIwyumbQOE2DUY8NIsHIUTGUQnDVhnTVUZMZDRwi4=",
        "owner": "snowfallorg",
        "repo": "nixos-conf-editor",
-        "rev": "27b5e92f580f794c690093503869aab242f075ab",
+        "rev": "9f8b4519a2e0e8919b69b7572bc26dab54274a6f",
        "type": "github"
      },
      "original": {
@@ -108,11 +111,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1698318101,
-        "narHash": "sha256-gUihHt3yPD7bVqg+k/UVHgngyaJ3DMEBchbymBMvK1E=",
+        "lastModified": 1771008912,
+        "narHash": "sha256-gf2AmWVTs8lEq7z/3ZAsgnZDhWIckkb+ZnAo5RzSxJg=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "63678e9f3d3afecfeafa0acead6239cdb447574c",
+        "rev": "a82ccc39b39b621151d6732718e3e250109076fa",
        "type": "github"
      },
      "original": {
@@ -124,16 +127,16 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1765779637,
-        "narHash": "sha256-KJ2wa/BLSrTqDjbfyNx70ov/HdgNBCBBSQP3BIzKnv4=",
+        "lastModified": 1778430510,
+        "narHash": "sha256-Ti+ZBvW6yrWWAg2szExVTwCd4qOJ3KlVr1tFHfyfi8Q=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "1306659b587dc277866c7b69eb97e5f07864d8c4",
+        "rev": "8fd9daa3db09ced9700431c5b7ad0e8ba199b575",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-unstable",
+        "ref": "nixos-25.11",
        "repo": "nixpkgs",
        "type": "github"
      }
@@ -155,11 +158,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1696432959,
-        "narHash": "sha256-oJQZv2MYyJaVyVJY5IeevzqpGvMGKu5pZcCCJvb+xjc=",
+        "lastModified": 1765361626,
+        "narHash": "sha256-kX0Dp/kYSRbQ+yd9e3lmmUWdNbipufvKfL2IzbrSpnY=",
        "owner": "snowfallorg",
        "repo": "lib",
-        "rev": "92803a029b5314d4436a8d9311d8707b71d9f0b6",
+        "rev": "c566ad8b7352c30ec3763435de7c8f1c46ebb357",
        "type": "github"
      },
      "original": {
@@ -149,7 +149,7 @@ systemd.timers.update-containers = {
      # Run as root so it can read /etc/secrets and access docker socket
     # User = "root";
      #EnvironmentFile = "-/etc/secrets/docker-health-alert.env";
-      ExecStart = "${pkgs.bash}/bin/bash /mnt/docker-persistent-data/docker/gotify/docker-health-to-gotify.sh";
+      ExecStart = "${pkgs.bash}/bin/bash /mnt/docker-persistent-data/docker/monitoring/gotify/docker-health-to-gotify.sh";
      StandardOutput = "journal";
      StandardError = "journal";
    };
@@ -38,7 +38,9 @@
    # openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAA... client@host" ];
    #
    # Avoid absolute keyFiles paths here because they break pure flake evaluation.
-    openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFDEA1S2ikpObREgbP5uVBWMxIOGbY8B+Wx7VTZK1m6t root@server" ];
+    openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFDEA1S2ikpObREgbP5uVBWMxIOGbY8B+Wx7VTZK1m6t root@server"
+					"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPAYIT9ormlmxZ0SziyDQaUntnKI8HK9/s3Qac1ZKjP2 root@docker" 
+					"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKKKzoEPl/ZW9KBRHBcp6/ThOngGpwMv5EhkTlgC4aDf root@nixos"];
  };

  services.openssh.enable = true;
Author	SHA1	Message	Date
beatzaplenty	51a50faf69	updated authorized keys Check NixOS configurations / eval-hosts (push) Has been cancelled Details	2026-05-12 13:28:33 +10:00
beatz174-bit	193c10d4b7	Merge pull request #4 from beatz174-bit/chore/update-flake-lock Check NixOS configurations / eval-hosts (push) Has been cancelled Details chore: update flake.lock	2026-05-12 13:02:58 +10:00
beatz174-bit	def6be08e7	chore: update flake.lock	2026-05-12 02:58:23 +00:00
beatz174-bit	0633c60b9d	Merge pull request #3 from beatz174-bit/codex/implement-flake.lock-automation-in-nixos-26sknf Check NixOS configurations / eval-hosts (push) Has been cancelled Details Add scheduled flake.lock updater and NixOS evaluation workflows (GitHub + Gitea) and docs	2026-05-12 12:40:56 +10:00
beatz174-bit	7cbdcdf29e	Merge branch 'main' into codex/implement-flake.lock-automation-in-nixos-26sknf	2026-05-12 12:40:49 +10:00
beatz174-bit	cf1a4eefda	fix(ci): quote PR title fields in update workflow	2026-05-12 12:38:28 +10:00
beatz174-bit	5256b661a3	Merge pull request #2 from beatz174-bit/codex/implement-flake.lock-automation-in-nixos ci: add scheduled flake.lock updates and NixOS evaluation checks	2026-05-12 12:31:10 +10:00
beatz174-bit	bcccf523bf	ci: automate flake lock updates and host evaluation	2026-05-12 12:28:37 +10:00
beatzaplenty	1a4a0c47ef	updated docker container monitoring script path	2026-05-12 12:07:59 +10:00
beatzaplenty	286d7347a1	updated authorized keys	2026-05-12 11:55:56 +10:00
beatzaplenty	5a93bdeb28	updated authorized keys	2026-05-12 11:53:43 +10:00