updated authorized keys

chore: update flake.lock

.gitea/workflows/check-nixos.yml

@@ -0,0 +1,27 @@
+name: Check NixOS configurations
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+jobs:
+  eval-hosts:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@v19
+
+      - name: Evaluate all NixOS hosts
+        run: |
+          set -euo pipefail
+          for host in nixos docker kuma server nix-cache nix-minimal; do
+            echo "Evaluating ${host}"
+            nix --extra-experimental-features 'nix-command flakes' eval \
+              ".#nixosConfigurations.${host}.config.system.build.toplevel.drvPath" --raw
+          done

.gitea/workflows/update-flake-lock.yml

@@ -0,0 +1,32 @@
+name: Update flake.lock
+
+on:
+  schedule:
+    - cron: "0 6 * * 1"
+  workflow_dispatch:
+
+jobs:
+  update-flake-lock:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@v19
+
+      - name: Update and commit flake.lock
+        run: |
+          set -euo pipefail
+          nix --extra-experimental-features 'nix-command flakes' flake update
+
+          if git diff --quiet -- flake.lock; then
+            echo "No flake.lock changes detected"
+            exit 0
+          fi
+
+          git config user.name "gitea-actions"
+          git config user.email "gitea-actions@nix-cache.local"
+          git add flake.lock
+          git commit -m "chore: update flake.lock"
+          git push

.github/workflows/check-nixos.yml

@@ -0,0 +1,27 @@
+name: Check NixOS configurations
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+jobs:
+  eval-hosts:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@v19
+
+      - name: Evaluate all NixOS hosts
+        run: |
+          set -euo pipefail
+          for host in nixos docker kuma server nix-cache nix-minimal; do
+            echo "Evaluating ${host}"
+            nix --extra-experimental-features 'nix-command flakes' eval \
+              ".#nixosConfigurations.${host}.config.system.build.toplevel.drvPath" --raw
+          done

.github/workflows/update-flake-lock.yml

@@ -0,0 +1,37 @@
+name: Update flake.lock
+
+on:
+  schedule:
+    - cron: "0 6 * * 1"
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  update-flake-lock:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@v19
+
+      - name: Update flake.lock
+        run: |
+          nix --extra-experimental-features 'nix-command flakes' flake update
+
+      - name: Create pull request
+        uses: peter-evans/create-pull-request@v6
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          add-paths: flake.lock
+          branch: chore/update-flake-lock
+          title: "chore: update flake.lock"
+          commit-message: "chore: update flake.lock"
+          body: |
+            This is an automated update of `flake.lock` generated by the scheduled workflow.
+            
+            It updates pinned flake inputs so dependency updates can be reviewed and merged via PR.

AGENTS.md

@@ -0,0 +1,33 @@
+# AGENTS.md
+
+## Repo purpose
+
+This repository contains flake-based NixOS configurations for Wayne’s LAN servers and workstation.
+
+The flake currently exposes these NixOS configurations:
+
+- `nixos`
+- `docker`
+- `kuma`
+- `server`
+- `nix-cache`
+- `nix-minimal`
+
+Do not deploy, switch, reboot, repartition, format disks, or run destructive install commands from this repository unless explicitly asked.
+
+## Safety rules
+
+- Never run `nixos-rebuild switch`, `boot`, `test`, `nixos-install`, `parted`, `mkfs`, `mkswap`, `swapon`, `mount`, or destructive disk commands in Codex.
+- Validation work should be limited to evaluation, linting, formatting checks, and `nix build --dry-run --no-link`.
+- Do not add secrets, tokens, private keys, password hashes, or live credentials to the repo.
+- Treat `flake.nix`, Home Manager config, and Nix config files as public.
+- If you find committed tokens or hashes, flag them immediately and recommend rotation/removal.
+
+## Expected commands
+
+Use these commands when validating changes:
+
+```bash
+bash scripts/codex-setup.sh
+bash scripts/codex-maintenance.sh
+bash scripts/codex-maintenance.sh dry-run

README.md

@@ -1,2 +1,25 @@
-# nixos
 
+## `README.md`
+
+```markdown
+# NixOS LAN Configurations
+
+Flake-based NixOS configuration repository for Wayne’s LAN machines.
+
+## Hosts
+
+This flake currently defines:
+
+| Host | Purpose |
+|---|---|
+| `nixos` | Main NixOS workstation / desktop |
+| `docker` | Docker host for the main container stack |
+| `kuma` | Docker-enabled Uptime Kuma style host |
+| `server` | Storage / NFS / backup style server |
+| `nix-cache` | Local Nix binary cache host |
+| `nix-minimal` | Minimal NixOS host profile |
+
+List hosts with:
+
+```bash
+nix eval --json .#nixosConfigurations --apply builtins.attrNames | jq -r '.[]'

common/configuration.nix

@@ -49,18 +49,10 @@ users.users.root = {
 
   #Enable flakes
 
-  nix.settings.experimental-features = "nix-command flakes";
+  nix.settings = {
-
+    experimental-features = [ "nix-command" "flakes" ];
-nix.settings = {
+    auto-optimise-store = true;
-  substituters = [
+  };
-    "http://nix-cache"
-#    "https://cache.nixos.org/"
-  ];
-  trusted-public-keys = [
-    "cache.local-1:usoWYanY3Kpq2+kDIS2nhWoLZiRxanmdysdzqCFBHW4="
-    "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
-  ];
-};
 
 
   programs.git = {

docs/flake-lock-automation.md

@@ -0,0 +1,71 @@
+# flake.lock automation
+
+This repository uses CI workflows to keep `flake.lock` up to date on a schedule and to verify that all declared NixOS hosts still evaluate after dependency updates.
+
+## What this automation does
+
+- A scheduled workflow runs `nix flake update` once per week.
+- On GitHub, any resulting `flake.lock` change is proposed through a pull request.
+- On Gitea, the workflow can commit and push `flake.lock` directly when PR automation is not configured.
+- A separate CI workflow evaluates every configured host before merge:
+  - `nixos`
+  - `docker`
+  - `kuma`
+  - `server`
+  - `nix-cache`
+  - `nix-minimal`
+
+## Why hosts should stop using `--upgrade-all`
+
+`flake.lock` is the source of truth for pinned dependency versions in a flake-based workflow. Normal host rebuilds should consume the committed lock file instead of upgrading dependencies ad-hoc on each machine.
+
+Recommended rebuild command:
+
+```bash
+sudo nixos-rebuild switch --flake git+https://gitea.lan.ddnsgeek.com/beatzaplenty/nixos.git#$(hostname)
+```
+
+Using the committed lock file keeps all hosts aligned and makes updates auditable through CI and code review.
+
+## Command differences
+
+- `nix flake update`
+  - Updates flake input pins in `flake.lock`.
+  - Should be run in CI or in a dedicated update PR workflow.
+- `nixos-rebuild --upgrade`
+  - Primarily for channel-based workflows; not the normal path for flake-pinned deployments.
+- `nixos-rebuild --upgrade-all`
+  - Aggressively updates package sources and bypasses coordinated lock-file updates.
+  - Avoid for routine flake-based host rebuilds.
+
+## nix-cache and remote builder fit
+
+With `nix-cache` acting as a binary cache and remote builder, lock-file updates become safer and more reproducible:
+
+- CI verifies host evaluations against the updated lock file.
+- Builds can be performed once on the remote builder.
+- Built artifacts can be served via `nix-cache` to other hosts, reducing rebuild time and drift.
+
+## Token and secret handling
+
+Do **not** commit access tokens into `flake.nix`, `flake.lock`, or any other tracked file.
+
+If private source access is needed:
+
+- configure tokens locally in `~/.config/nix/nix.conf` or equivalent machine-local config, or
+- provide tokens through CI secrets/environment variables.
+
+## GitHub Actions setup notes
+
+- Ensure `GITHUB_TOKEN` has permission to create branches and pull requests (workflow sets `contents: write` and `pull-requests: write`).
+- The update workflow uses `peter-evans/create-pull-request` with branch `chore/update-flake-lock`.
+- The evaluation workflow runs on pull requests, pushes to `main`, and manual dispatch.
+
+## Gitea Actions runner setup notes
+
+- Ensure the runner image includes Git and can execute the Nix installer action.
+- For direct push mode, grant workflow push permission to the repository.
+- The workflow sets commit identity to:
+  - `user.name = gitea-actions`
+  - `user.email = gitea-actions@nix-cache.local`
+- Commits are only created when `flake.lock` actually changes.

docs/nix-cache.md

@@ -0,0 +1,48 @@
+# nix-cache architecture
+
+This repository configures `nix-cache` as a **binary cache server** and a **remote builder** for other hosts.
+
+## Important design notes
+
+- This is **not** a shared `/nix/store` setup.
+- Every machine still keeps and uses its own local `/nix/store`.
+- Clients prefer `http://nix-cache` for substitutes and keep `https://cache.nixos.org/` as fallback.
+- Clients can offload builds to `nix-cache` through SSH (`nix.distributedBuilds`).
+
+## Binary cache signing keys (on nix-cache)
+
+```bash
+sudo install -d -m 0700 /etc/nix
+sudo nix-store --generate-binary-cache-key nix-cache-1   /etc/nix/cache-priv.pem   /etc/nix/cache-pub.pem
+sudo chmod 0600 /etc/nix/cache-priv.pem
+sudo chmod 0644 /etc/nix/cache-pub.pem
+cat /etc/nix/cache-pub.pem
+```
+
+Do not commit private keys.
+
+## Remote builder SSH keys
+
+On each client, install the private key used to authenticate as `nixremote`:
+
+```bash
+sudo install -d -m 0700 /root/.ssh
+sudo install -m 0600 ./nixremote /root/.ssh/nixremote
+sudo ssh -i /root/.ssh/nixremote nixremote@nix-cache nix-store --version
+```
+
+On `nix-cache`, install the matching public key used by `nixremote` authorized keys.
+
+## Manual verification
+
+After deployment:
+
+```bash
+curl http://nix-cache/nix-cache-info
+nix store ping --store http://nix-cache
+nix show-config | grep -E 'substituters|trusted-public-keys|builders-use-substitutes'
+sudo ssh -i /root/.ssh/nixremote nixremote@nix-cache nix-store --version
+nix build nixpkgs#hello --builders 'ssh://nixremote@nix-cache x86_64-linux /root/.ssh/nixremote 4 2 big-parallel,kvm,nixos-test,benchmark' -L
+nix path-info -r nixpkgs#hello
+curl -I "http://nix-cache/$(basename "$(nix path-info nixpkgs#hello)").narinfo"
+```

flake.lock

@@ -2,16 +2,17 @@
   "nodes": {
     "flake-compat": {
       "locked": {
-        "lastModified": 1696426674,
+        "lastModified": 1767039857,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "owner": "edolstra",
-        "revCount": 57,
+        "repo": "flake-compat",
-        "type": "tarball",
+        "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
-        "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.0.1/018afb31-abd1-7bff-a5e4-cff7e18efb7a/source.tar.gz"
+        "type": "github"
       },
       "original": {
-        "type": "tarball",
+        "owner": "edolstra",
-        "url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz"
+        "repo": "flake-compat",
+        "type": "github"
       }
     },
     "flake-compat_2": {
@@ -53,16 +54,17 @@
         "flake-utils": "flake-utils"
       },
       "locked": {
-        "lastModified": 1696331477,
+        "lastModified": 1715533576,
-        "narHash": "sha256-YkbRa/1wQWdWkVJ01JvV+75KIdM37UErqKgTf0L54Fk=",
+        "narHash": "sha256-fT4ppWeCJ0uR300EH3i7kmgRZnAVxrH+XtK09jQWihk=",
         "owner": "gytis-ivaskevicius",
         "repo": "flake-utils-plus",
-        "rev": "bfc53579db89de750b25b0c5e7af299e0c06d7d3",
+        "rev": "3542fe9126dc492e53ddd252bb0260fe035f2c0f",
         "type": "github"
       },
       "original": {
         "owner": "gytis-ivaskevicius",
         "repo": "flake-utils-plus",
+        "rev": "3542fe9126dc492e53ddd252bb0260fe035f2c0f",
         "type": "github"
       }
     },
@@ -73,15 +75,16 @@
         ]
       },
       "locked": {
-        "lastModified": 1765860045,
+        "lastModified": 1778401693,
-        "narHash": "sha256-7Lxp/PfOy4h3QIDtmWG/EgycaswqRSkDX4DGtet14NE=",
+        "narHash": "sha256-OVHdCqXXUF5UdGkH+FF2ZL06OLZjj2kvP2dIUmzVWoo=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "09de9577d47d8bffb11c449b6a3d24e32ac16c99",
+        "rev": "389b83002efc26f1145e89a6a8e6edc5a6435948",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
+        "ref": "release-25.11",
         "repo": "home-manager",
         "type": "github"
       }
@@ -93,11 +96,11 @@
         "snowfall-lib": "snowfall-lib"
       },
       "locked": {
-        "lastModified": 1707338010,
+        "lastModified": 1771149335,
-        "narHash": "sha256-UtLeZzDdk96sLTRcWsGrkWCslNUDytrGe0VmOTB/iig=",
+        "narHash": "sha256-YPUIwyumbQOE2DUY8NIsHIUTGUQnDVhnTVUZMZDRwi4=",
         "owner": "snowfallorg",
         "repo": "nixos-conf-editor",
-        "rev": "27b5e92f580f794c690093503869aab242f075ab",
+        "rev": "9f8b4519a2e0e8919b69b7572bc26dab54274a6f",
         "type": "github"
       },
       "original": {
@@ -108,11 +111,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1698318101,
+        "lastModified": 1771008912,
-        "narHash": "sha256-gUihHt3yPD7bVqg+k/UVHgngyaJ3DMEBchbymBMvK1E=",
+        "narHash": "sha256-gf2AmWVTs8lEq7z/3ZAsgnZDhWIckkb+ZnAo5RzSxJg=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "63678e9f3d3afecfeafa0acead6239cdb447574c",
+        "rev": "a82ccc39b39b621151d6732718e3e250109076fa",
         "type": "github"
       },
       "original": {
@@ -124,16 +127,16 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1765779637,
+        "lastModified": 1778430510,
-        "narHash": "sha256-KJ2wa/BLSrTqDjbfyNx70ov/HdgNBCBBSQP3BIzKnv4=",
+        "narHash": "sha256-Ti+ZBvW6yrWWAg2szExVTwCd4qOJ3KlVr1tFHfyfi8Q=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "1306659b587dc277866c7b69eb97e5f07864d8c4",
+        "rev": "8fd9daa3db09ced9700431c5b7ad0e8ba199b575",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-unstable",
+        "ref": "nixos-25.11",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -155,11 +158,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1696432959,
+        "lastModified": 1765361626,
-        "narHash": "sha256-oJQZv2MYyJaVyVJY5IeevzqpGvMGKu5pZcCCJvb+xjc=",
+        "narHash": "sha256-kX0Dp/kYSRbQ+yd9e3lmmUWdNbipufvKfL2IzbrSpnY=",
         "owner": "snowfallorg",
         "repo": "lib",
-        "rev": "92803a029b5314d4436a8d9311d8707b71d9f0b6",
+        "rev": "c566ad8b7352c30ec3763435de7c8f1c46ebb357",
         "type": "github"
       },
       "original": {

flake.nix

@@ -1,11 +1,7 @@
 {
   
   description = "LAN NixOS configs";
-      nixConfig = {
+  # GitHub tokens must be provided outside this repository (local nix.conf, env, or deployment secrets).
-        access-tokens = [
-          "github.com=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"
-        ];
-      };          
   inputs = {
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
     nixos-conf-editor.url = "github:snowfallorg/nixos-conf-editor";

hosts/docker/configuration.nix

@@ -15,6 +15,8 @@ in
   imports =
     [ # Include the results of the hardware scan.
       ../../common/configuration.nix
+      ../../modules/nix/cache-client.nix
+      ../../modules/nix/remote-builder-client.nix
     ];
 
   networking.hostName = "docker"; # Define your hostname.
@@ -147,7 +149,7 @@ systemd.timers.update-containers = {
       # Run as root so it can read /etc/secrets and access docker socket
      # User = "root";
       #EnvironmentFile = "-/etc/secrets/docker-health-alert.env";
-      ExecStart = "${pkgs.bash}/bin/bash /mnt/docker-persistent-data/docker/gotify/docker-health-to-gotify.sh";
+      ExecStart = "${pkgs.bash}/bin/bash /mnt/docker-persistent-data/docker/monitoring/gotify/docker-health-to-gotify.sh";
       StandardOutput = "journal";
       StandardError = "journal";
     };

hosts/kuma/configuration.nix

@@ -15,6 +15,8 @@ in
   imports =
     [ # Include the results of the hardware scan.
       ../../common/configuration.nix
+      ../../modules/nix/cache-client.nix
+      ../../modules/nix/remote-builder-client.nix
     ];
 
   networking.hostName = "kuma"; # Define your hostname.

hosts/nix-cache/configuration.nix

@@ -8,26 +8,16 @@
   imports =
     [ # Include the results of the hardware scan.
       ../../common/configuration.nix
+      ../../modules/nix/cache-server.nix
     ];
 
   networking.hostName = "nix-cache"; # Define your hostname.
 
-  services.nix-serve.enable = true;
-  services.nix-serve.secretKeyFile = "/etc/nix/cache-priv.pem";
-
-  services.nginx = {
-    enable = true;
-    recommendedProxySettings = true;
-    virtualHosts."cache.local" = {
-      locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
-    };
-  };
 services.prometheus.exporters.node = {
   enable = true;
   openFirewall = true;
 };
 
-  networking.firewall.allowedTCPPorts = [ config.services.nginx.defaultHTTPListenPort ];
   # Open ports in the firewall.
 #  networking.firewall.allowedTCPPorts = [ 80 8080 443 ];
   # networking.firewall.allowedUDPPorts = [ ... ];

hosts/nix-minimal/configuration.nix

@@ -8,6 +8,8 @@
   imports =
     [ # Include the results of the hardware scan.
       ../../common/configuration.nix
+      ../../modules/nix/cache-client.nix
+      ../../modules/nix/remote-builder-client.nix
     ];
 
   networking.hostName = "nix-minimal"; # Define your hostname.

hosts/nixos/configuration.nix

@@ -28,6 +28,8 @@ in {
   imports =
     [ # Include the results of the hardware scan.
       ../../common/configuration.nix
+      ../../modules/nix/cache-client.nix
+      ../../modules/nix/remote-builder-client.nix
     ];
 
   # Bootloader.
@@ -94,8 +96,6 @@ in {
 
   system.stateVersion = "25.05"; # Did you read the comment?
 
-
-  nix.settings.experimental-features = "nix-command flakes";
 services.xrdp.enable = true;
 services.xrdp.defaultWindowManager = "cinnamon-session";
 services.xrdp.openFirewall = true;

hosts/server/configuration.nix

@@ -8,6 +8,8 @@
   imports =
     [ # Include the results of the hardware scan.
       ../../common/configuration.nix
+      ../../modules/nix/cache-client.nix
+      ../../modules/nix/remote-builder-client.nix
     ];
 
   networking.hostName = "server"; # Define your hostname.

modules/nix/cache-client.nix

@@ -0,0 +1,15 @@
+{ ... }:
+
+{
+  nix.settings = {
+    substituters = [
+      "http://nix-cache"
+      "https://cache.nixos.org/"
+    ];
+    trusted-public-keys = [
+      "cache.local-1:usoWYanY3Kpq2+kDIS2nhWoLZiRxanmdysdzqCFBHW4="
+      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+    ];
+    auto-optimise-store = true;
+  };
+}

modules/nix/cache-server.nix

@@ -0,0 +1,60 @@
+{ config, pkgs, ... }:
+
+{
+  # Generate the binary cache key pair on the nix-cache host:
+  #   sudo install -d -m 0700 /etc/nix
+  #   sudo nix-store --generate-binary-cache-key nix-cache-1 \
+  #     /etc/nix/cache-priv.pem \
+  #     /etc/nix/cache-pub.pem
+  #   sudo chmod 0600 /etc/nix/cache-priv.pem
+  #   sudo chmod 0644 /etc/nix/cache-pub.pem
+  #   cat /etc/nix/cache-pub.pem
+  services.nix-serve = {
+    enable = true;
+    secretKeyFile = "/etc/nix/cache-priv.pem";
+  };
+
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true;
+    virtualHosts."nix-cache" = {
+      locations."/" = {
+        proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
+      };
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 ];
+
+  users.groups.nixremote = {};
+
+  users.users.nixremote = {
+    isSystemUser = true;
+    group = "nixremote";
+    createHome = true;
+    home = "/var/lib/nixremote";
+    shell = pkgs.bashInteractive;
+    # Provide remote builder public keys here (safe to commit public keys only):
+    # openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAA... client@host" ];
+    #
+    # Avoid absolute keyFiles paths here because they break pure flake evaluation.
+    openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFDEA1S2ikpObREgbP5uVBWMxIOGbY8B+Wx7VTZK1m6t root@server"
+					"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPAYIT9ormlmxZ0SziyDQaUntnKI8HK9/s3Qac1ZKjP2 root@docker" 
+					"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKKKzoEPl/ZW9KBRHBcp6/ThOngGpwMv5EhkTlgC4aDf root@nixos"];
+  };
+
+  services.openssh.enable = true;
+
+  nix.settings = {
+    trusted-users = [ "root" "nixremote" ];
+    experimental-features = [ "nix-command" "flakes" ];
+    auto-optimise-store = true;
+    builders-use-substitutes = true;
+  };
+
+  nix.gc = {
+    automatic = true;
+    dates = "weekly";
+    options = "--delete-older-than 30d";
+  };
+}

modules/nix/remote-builder-client.nix

@@ -0,0 +1,26 @@
+{ pkgs, ... }:
+
+{
+  # Install the remote builder key on each client host (do not commit private keys):
+  #   sudo install -d -m 0700 /root/.ssh
+  #   sudo install -m 0600 ./nixremote /root/.ssh/nixremote
+  #   sudo ssh -i /root/.ssh/nixremote nixremote@nix-cache nix-store --version
+  nix.distributedBuilds = true;
+
+  nix.buildMachines = [
+    {
+      hostName = "nix-cache";
+      sshUser = "nixremote";
+      sshKey = "/root/.ssh/nixremote";
+      system = pkgs.stdenv.hostPlatform.system;
+      maxJobs = 4;
+      speedFactor = 2;
+      supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
+    }
+  ];
+
+  nix.settings = {
+    builders-use-substitutes = true;
+    max-jobs = "auto";
+  };
+}

scripts/codex-maintenance.sh

@@ -0,0 +1,70 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+export NIX_CONFIG="${NIX_CONFIG:-}
+experimental-features = nix-command flakes
+accept-flake-config = false
+warn-dirty = false
+"
+
+MODE="${1:-validate}"
+
+ensure_nix_profile() {
+  if [ -f /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh ]; then
+    . /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
+  elif [ -f "$HOME/.nix-profile/etc/profile.d/nix.sh" ]; then
+    . "$HOME/.nix-profile/etc/profile.d/nix.sh"
+  fi
+}
+
+ensure_nix_profile
+
+if ! command -v nix >/dev/null 2>&1; then
+  echo "ERROR: nix is not available in PATH. Run bash scripts/codex-setup.sh first." >&2
+  exit 127
+fi
+
+hosts_json="$(nix eval --json --no-use-registries --no-accept-flake-config .#nixosConfigurations --apply builtins.attrNames)"
+hosts="$(echo "$hosts_json" | jq -r '.[]')"
+
+echo "Hosts:"
+echo "$hosts"
+
+echo
+echo "Checking for obvious committed secrets..."
+if grep -RInE 'github_pat_|ghp_|access-tokens|hashedPassword[[:space:]]*=' \
+  --exclude-dir=.git \
+  --exclude=flake.lock \
+  .; then
+  echo
+  echo "WARNING: Potential secrets or password hashes found. Review before committing."
+else
+  echo "No obvious token patterns found."
+fi
+
+echo
+echo "Checking Nix formatting with nixpkgs-fmt..."
+nix run --no-use-registries --no-accept-flake-config github:NixOS/nixpkgs/nixos-25.11#nixpkgs-fmt -- --check .
+
+echo
+echo "Running statix lint..."
+nix run --no-use-registries --no-accept-flake-config github:NixOS/nixpkgs/nixos-25.11#statix -- check .
+
+echo
+echo "Evaluating host toplevel derivations..."
+for host in $hosts; do
+  echo "==> $host"
+  nix eval --raw --no-use-registries --no-accept-flake-config ".#nixosConfigurations.${host}.config.system.build.toplevel.drvPath"
+done
+
+if [[ "$MODE" == "dry-run" ]]; then
+  echo
+  echo "Running dry-run builds for all hosts. This will not create result symlinks."
+  for host in $hosts; do
+    echo "==> Dry-run build: $host"
+    nix build --dry-run --no-link --no-use-registries --no-accept-flake-config ".#nixosConfigurations.${host}.config.system.build.toplevel"
+  done
+fi
+
+echo
+echo "Maintenance checks complete."

scripts/codex-setup.sh

@@ -0,0 +1,88 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+export NIX_CONFIG="${NIX_CONFIG:-}
+experimental-features = nix-command flakes
+accept-flake-config = false
+warn-dirty = false
+"
+
+ensure_nix_profile() {
+  if [ -f /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh ]; then
+    . /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
+  elif [ -f "$HOME/.nix-profile/etc/profile.d/nix.sh" ]; then
+    . "$HOME/.nix-profile/etc/profile.d/nix.sh"
+  fi
+}
+
+install_nix_if_missing() {
+  if command -v nix >/dev/null 2>&1; then
+    return
+  fi
+
+  echo "Nix not found. Installing Nix..."
+
+  if [ "$(id -u)" -eq 0 ]; then
+    echo "Running as root; preparing nixbld users for container/Codex environment..."
+
+    if ! getent group nixbld >/dev/null; then
+      groupadd -r nixbld
+    fi
+
+    for i in $(seq 1 10); do
+      if ! id "nixbld$i" >/dev/null 2>&1; then
+        useradd \
+          -r \
+          -g nixbld \
+          -G nixbld \
+          -d /var/empty \
+          -s /usr/sbin/nologin \
+          "nixbld$i" || true
+      fi
+    done
+
+    mkdir -p /etc/nix
+    cat > /etc/nix/nix.conf <<'EOF'
+experimental-features = nix-command flakes
+accept-flake-config = false
+warn-dirty = false
+build-users-group = nixbld
+EOF
+
+    sh <(curl -L https://nixos.org/nix/install) --no-daemon
+  else
+    sh <(curl -L https://nixos.org/nix/install) --no-daemon
+  fi
+
+  ensure_nix_profile
+}
+
+install_nix_if_missing
+ensure_nix_profile
+
+mkdir -p "$HOME/.config/nix"
+cat > "$HOME/.config/nix/nix.conf" <<'EOF'
+experimental-features = nix-command flakes
+accept-flake-config = false
+warn-dirty = false
+EOF
+
+echo "Nix version:"
+nix --version
+
+echo "Installing jq if unavailable..."
+if ! command -v jq >/dev/null 2>&1; then
+  nix profile install nixpkgs#jq
+fi
+
+echo "Available NixOS hosts:"
+hosts="$(nix eval --json --no-use-registries --no-accept-flake-config .#nixosConfigurations --apply builtins.attrNames | jq -r '.[]')"
+echo "$hosts"
+
+echo "Evaluating all host toplevel derivations..."
+for host in $hosts; do
+  echo "==> Evaluating $host"
+  nix eval --raw --no-use-registries --no-accept-flake-config ".#nixosConfigurations.${host}.config.system.build.toplevel.drvPath"
+done
+
+echo "Codex setup complete."