chore(deps): update beads digest to 83d3e4f

Merge branch 'polecat/dust/x-fqaob@mlfbyrhb': add harmonia binary cache service
feat(john-endesktop): add harmonia binary cache service
2026-02-09 20:02:42 +00:00 · 2026-02-09 08:14:09 -08:00 · 2026-02-09 08:10:17 -08:00 · 2026-02-08 20:26:48 -08:00 · 2026-02-08 20:17:44 -08:00 · 2026-02-08 20:17:40 -08:00
7 changed files with 92 additions and 10 deletions
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -18,3 +18,50 @@ jobs:
        run: nix flake check
        env:
          NIX_CONFIG: "access-tokens = git.johnogle.info=${{ secrets.GITEA_ACCESS_TOKEN }}"
+
+  build-and-cache:
+    runs-on: ubuntu-latest
+    needs: check
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    strategy:
+      fail-fast: false
+      matrix:
+        machine:
+          - nix-book
+          - boxy
+          - zix790prors
+          - nix-deck
+          - john-endesktop
+          - live-usb
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: https://git.johnogle.info/johno/gitea-actions/nix-setup@v1
+
+      - name: Build ${{ matrix.machine }}
+        id: build
+        run: |
+          OUT_PATH=$(nix build .#nixosConfigurations.${{ matrix.machine }}.config.system.build.toplevel --no-link --print-out-paths)
+          echo "out_path=$OUT_PATH" >> "$GITHUB_OUTPUT"
+        env:
+          NIX_CONFIG: "access-tokens = git.johnogle.info=${{ secrets.GITEA_ACCESS_TOKEN }}"
+
+      - name: Sign and push to cache
+        run: |
+          # Write signing key
+          echo "${{ secrets.NIX_SIGNING_KEY }}" > /tmp/signing-key
+          chmod 600 /tmp/signing-key
+
+          # Sign the closure
+          nix store sign --key-file /tmp/signing-key -r "${{ steps.build.outputs.out_path }}"
+
+          # Setup SSH key for cache push
+          mkdir -p ~/.ssh
+          echo "${{ secrets.CACHE_SSH_KEY }}" > ~/.ssh/cache_key
+          chmod 600 ~/.ssh/cache_key
+          ssh-keyscan -H ${{ secrets.CACHE_HOST }} >> ~/.ssh/known_hosts 2>/dev/null || true
+
+          # Push to cache
+          nix copy --to "ssh-ng://${{ secrets.CACHE_USER }}@${{ secrets.CACHE_HOST }}?ssh-key=$HOME/.ssh/cache_key" "${{ steps.build.outputs.out_path }}"
+        env:
+          NIX_CONFIG: "access-tokens = git.johnogle.info=${{ secrets.GITEA_ACCESS_TOKEN }}"
--- a/flake.lock
+++ b/flake.lock
@@ -8,17 +8,17 @@
        ]
      },
      "locked": {
-        "lastModified": 1769840331,
-        "narHash": "sha256-Yp0K4JoXX8EcHp1juH4OZ7dcCmkopDu4VvAgZEOxgL8=",
+        "lastModified": 1770666901,
+        "narHash": "sha256-IsZlmSnEZUA1o0T3wcN+KKOft7D8+Qt/uoN+wQ/YLAA=",
        "owner": "steveyegge",
        "repo": "beads",
-        "rev": "93965b4abeed920a4701e03571d1b6bb75810722",
+        "rev": "83d3e4fe20b2efcac7689f06ad1969d9e20a815a",
        "type": "github"
      },
      "original": {
        "owner": "steveyegge",
        "repo": "beads",
-        "rev": "93965b4abeed920a4701e03571d1b6bb75810722",
+        "rev": "83d3e4fe20b2efcac7689f06ad1969d9e20a815a",
        "type": "github"
      }
    },
--- a/flake.nix
+++ b/flake.nix
@@ -48,7 +48,7 @@
    beads = {
      # v0.49.1 has dolt server mode support (gt-1mf.3)
      # Pinned to 259ddd92 - uses Go 1.24 compatible with nixpkgs
-      url = "github:steveyegge/beads/93965b4abeed920a4701e03571d1b6bb75810722";
+      url = "github:steveyegge/beads/83d3e4fe20b2efcac7689f06ad1969d9e20a815a";
      inputs.nixpkgs.follows = "nixpkgs-unstable";
    };

--- a/machines/john-endesktop/configuration.nix
+++ b/machines/john-endesktop/configuration.nix
@@ -54,6 +54,7 @@ with lib;
      4000  # nfs callback
      4001  # nlockmgr
      4002  # mountd
+      5000  # harmonia binary cache
      20048 # mountd
    ];
    allowedUDPPorts = [
@@ -148,6 +149,16 @@ with lib;
    };
  };

+  # Harmonia binary cache server
+  # Replaces the broken k8s deployment with native NixOS service
+  services.harmonia = {
+    enable = true;
+    signKeyPath = "/etc/harmonia/signing-key.private";
+    settings = {
+      bind = "[::]:5000";
+    };
+  };
+
  # Time zone
  time.timeZone = "America/Los_Angeles"; # Adjust as needed

--- a/renovate.json
+++ b/renovate.json
@@ -13,7 +13,7 @@
  "lockFileMaintenance": {
    "enabled": true,
    "schedule": [
-      "before 5am on monday"
+      "after 2pm and before 4pm on Saturday"
    ]
  },
  "dependencyDashboard": true,
@@ -37,6 +37,9 @@
        "/^nixpkgs$/",
        "/^home-manager$/",
        "/^nix-darwin$/"
+      ],
+      "schedule": [
+        "after 2pm and before 4pm on Saturday"
      ]
    },
    {
@@ -48,6 +51,21 @@
      "matchPackageNames": [
        "/nixpkgs-unstable/",
        "/home-manager-unstable/"
+      ],
+      "schedule": [
+        "after 2pm and before 4pm on Saturday"
+      ]
+    },
+    {
+      "description": "nixpkgs-qt updates on Saturday (staggered from main ecosystem)",
+      "matchManagers": [
+        "nix"
+      ],
+      "matchPackageNames": [
+        "/nixpkgs-qt/"
+      ],
+      "schedule": [
+        "after 4pm and before 6pm on Saturday"
      ]
    },
    {
--- a/roles/common.nix
+++ b/roles/common.nix
@@ -23,7 +23,13 @@
        max-jobs = "auto";
        trusted-users = [ "johno" ];
        substituters = [
+          "https://nix-cache.johnogle.info"
        ];
+        trusted-public-keys = [
+          "nix-cache.johnogle.info-1:G0ZGQwcSC4+4SDDFHZI/ZX3a6uFrs/5cjA5Jvaypj0I="
+        ];
+        fallback = true;
+        connect-timeout = 5;
      };

      gc = {
--- a/roles/kodi/default.nix
+++ b/roles/kodi/default.nix
@@ -47,23 +47,23 @@ in
      if cfg.jellyfinScaleFactor != null
      then pkgs.symlinkJoin {
        name = "jellyfin-media-player-scaled";
-        paths = [ pkgs.jellyfin-media-player ];
+        paths = [ pkgs.qt-pinned.jellyfin-media-player ];
        nativeBuildInputs = [ pkgs.makeWrapper ];
        postBuild = ''
          mkdir -p $out/bin
          rm -f $out/bin/jellyfin-desktop
-          makeWrapper ${pkgs.jellyfin-media-player}/bin/jellyfin-desktop $out/bin/jellyfin-desktop \
+          makeWrapper ${pkgs.qt-pinned.jellyfin-media-player}/bin/jellyfin-desktop $out/bin/jellyfin-desktop \
            --add-flags "--tv --scale-factor ${toString cfg.jellyfinScaleFactor}"

          # Update .desktop file to include scale factor and TV mode arguments
          mkdir -p $out/share/applications
          rm -f $out/share/applications/org.jellyfin.JellyfinDesktop.desktop
-          substitute ${pkgs.jellyfin-media-player}/share/applications/org.jellyfin.JellyfinDesktop.desktop \
+          substitute ${pkgs.qt-pinned.jellyfin-media-player}/share/applications/org.jellyfin.JellyfinDesktop.desktop \
            $out/share/applications/org.jellyfin.JellyfinDesktop.desktop \
            --replace-fail "Exec=jellyfin-desktop" "Exec=jellyfin-desktop --tv --scale-factor ${toString cfg.jellyfinScaleFactor}"
        '';
      }
-      else pkgs.jellyfin-media-player;
+      else pkgs.qt-pinned.jellyfin-media-player;
  in mkIf cfg.enable
    {
      users.extraUsers.kodi = {
Author	SHA1	Message	Date
Renovate Bot	aa0475161f	chore(deps): update beads digest to 83d3e4f All checks were successful CI / check (pull_request) Successful in 6m32s Details CI / build-and-cache (boxy) (pull_request) Has been skipped Details CI / build-and-cache (john-endesktop) (pull_request) Has been skipped Details CI / build-and-cache (live-usb) (pull_request) Has been skipped Details CI / build-and-cache (nix-book) (pull_request) Has been skipped Details CI / build-and-cache (nix-deck) (pull_request) Has been skipped Details CI / build-and-cache (zix790prors) (pull_request) Has been skipped Details	2026-02-09 20:02:42 +00:00
nixos_configs/refinery	e2a81e7290	Merge branch 'polecat/dust/x-fqaob@mlfbyrhb': add harmonia binary cache service Some checks failed CI / check (push) Successful in 5m34s Details CI / build-and-cache (boxy) (push) Failing after 10m3s Details CI / build-and-cache (john-endesktop) (push) Failing after 8m49s Details CI / build-and-cache (live-usb) (push) Failing after 1m54s Details CI / build-and-cache (nix-book) (push) Failing after 1m52s Details CI / build-and-cache (nix-deck) (push) Failing after 2m20s Details CI / build-and-cache (zix790prors) (push) Failing after 1m48s Details	2026-02-09 08:14:09 -08:00
dust	7610a9c0e1	feat(john-endesktop): add harmonia binary cache service Replace broken k8s harmonia deployment with native NixOS service. Configuration: - services.harmonia.enable = true - Bind to [::]:5000 (IPv4 and IPv6) - Sign key at /etc/harmonia/signing-key.private - Open firewall port 5000 The signing key must be placed manually on john-endesktop at /etc/harmonia/signing-key.private using the key generated earlier. Closes: x-fqaob	2026-02-09 08:10:17 -08:00
mayor	ff57d3c043	fix: update harmonia signing public key Some checks failed CI / check (push) Successful in 6m48s Details CI / build-and-cache (boxy) (push) Failing after 27m9s Details CI / build-and-cache (john-endesktop) (push) Failing after 9m35s Details CI / build-and-cache (live-usb) (push) Failing after 18m27s Details CI / build-and-cache (nix-book) (push) Failing after 29m17s Details CI / build-and-cache (nix-deck) (push) Failing after 1h12m5s Details CI / build-and-cache (zix790prors) (push) Failing after 20m0s Details	2026-02-08 20:26:48 -08:00
nixos_configs/refinery	3a36594dc9	Merge branch 'polecat/fury/x-iyz0w@mlecbczk': add build-and-cache job for all nixosConfigurations Some checks failed CI / build-and-cache (boxy) (push) Has been cancelled Details CI / build-and-cache (john-endesktop) (push) Has been cancelled Details CI / check (push) Has been cancelled Details CI / build-and-cache (live-usb) (push) Has been cancelled Details CI / build-and-cache (nix-book) (push) Has been cancelled Details CI / build-and-cache (nix-deck) (push) Has been cancelled Details CI / build-and-cache (zix790prors) (push) Has been cancelled Details	2026-02-08 20:17:44 -08:00
fury	5a7064d07b	feat(ci): add build-and-cache job for all nixosConfigurations - Build all 6 machines (nix-book, boxy, zix790prors, nix-deck, john-endesktop, live-usb) in parallel matrix - Only runs on push to main after check passes - Signs closures with NIX_SIGNING_KEY secret - Pushes to cache via SSH using CACHE_SSH_KEY, CACHE_HOST, CACHE_USER secrets - Skips Darwin as no builder available Required Gitea secrets: - NIX_SIGNING_KEY: Cache signing private key - CACHE_SSH_KEY: SSH key for cache server access - CACHE_HOST: Cache server hostname - CACHE_USER: SSH user for cache server Closes: x-iyz0w Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-08 20:17:40 -08:00
nixos_configs/refinery	8afdf287ee	Merge branch 'polecat/shiny/x-qdkuu@mlec8nfv': add harmonia cache to nix.settings Some checks failed CI / check (push) Has been cancelled Details	2026-02-08 20:17:15 -08:00
shiny	bb3cdd8046	feat(nix): add harmonia cache to nix.settings Configure all NixOS machines to use the internal harmonia binary cache: - Add nix-cache.johnogle.info as substituter - Add harmonia signing public key to trusted-public-keys - Enable fallback for local builds when cache unreachable - Set 5s connect-timeout for faster fallback Refs: x-qdkuu Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-08 20:17:08 -08:00
nixos_configs/refinery	1380fb307a	Merge branch 'polecat/nitro/x-xiiep@mlebx809': source jellyfin-media-player from qt-pinned namespace Some checks failed CI / check (push) Has been cancelled Details	2026-02-08 20:16:42 -08:00
nitro	6ccfb5097c	feat(roles/kodi): source jellyfin-media-player from qt-pinned namespace Update kodi role to use pkgs.qt-pinned.jellyfin-media-player instead of pkgs.jellyfin-media-player. This decouples jellyfin from the main nixpkgs update cycle, avoiding massive qt5webengine rebuilds when updating other packages. The qt-pinned namespace was added in commit `03f1692`. Closes: x-xiiep Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-08 16:49:12 -08:00
nixos_configs/refinery	1b585847ab	Merge branch 'polecat/chrome/x-ymkgu@mlebby8e': update renovate schedules to Saturday afternoon All checks were successful CI / check (push) Successful in 16m9s Details	2026-02-08 14:58:17 -08:00
chrome	e7906331dc	feat(renovate): update schedules to Saturday afternoon - lockFileMaintenance: Saturday 2-4pm (was Monday 5am) - nix-stable-ecosystem: Saturday 2-4pm - nix-unstable-ecosystem: Saturday 2-4pm - Add nixpkgs-qt rule: Saturday 4-6pm (staggered) This allows CI builds to run overnight Saturday→Sunday, with human review Saturday evening and builds complete by Sunday morning. Closes: x-ymkgu	2026-02-08 14:58:05 -08:00
nixos_configs/refinery	dc722843a9	Merge branch 'polecat/rust/x-lnr8g@mlebamik': add nixpkgs-qt input for qt5webengine Some checks failed CI / check (push) Has been cancelled Details	2026-02-08 14:57:19 -08:00