Commit 5b3323164705
systems/okinawa/extra.nix
@@ -20,6 +20,10 @@
../common/services/prometheus-exporters-node.nix
../common/services/oomd.nix
../../modules/laptop-keyboard-inhibit
+ # Build and cache infrastructure
+ ../../modules/harmonia
+ ../../modules/job-notify
+ ../../modules/nix-flake-updater
];
# Disable built-in MediaTek MT7922 WiFi (using USB TP-Link AC600 instead)
@@ -125,6 +129,124 @@
group = "users";
};
+ # Binary cache server (x86_64-linux)
+ services.harmonia-cache = {
+ enable = true;
+ signKeyPath = config.age.secrets."harmonia-okinawa-signing-key".path;
+ port = 5000;
+ workers = 4;
+ priority = 30;
+
+ # Nightly cache pre-population
+ builder = {
+ enable = true;
+ systems = [
+ "okinawa" # Self
+ "kyushu" # Work laptop
+ "sakhalin" # Server
+ ];
+ schedule = "02:00"; # 2 AM daily
+ notification = {
+ enable = true;
+ tokenFile = config.age.secrets."ntfy-token".path;
+ };
+ };
+ };
+
+ # Remote build system
+ services.job-notify = {
+ enable = true;
+ ntfyServer = "https://ntfy.sbr.pm";
+ ntfyTokenFile = config.age.secrets."ntfy-token".path;
+ defaultTopic = "builds";
+ };
+
+ # Automated flake.lock updates with build verification
+ services.nix-flake-updater = {
+ # Weekly updates for all inputs
+ weekly = {
+ enable = true;
+ repoPath = "/home/vincent/src/home";
+
+ # Build systems across both architectures for verification
+ buildSystems = [
+ # x86_64-linux systems
+ "okinawa" # Self (desktop/build server)
+ "kyushu" # Work laptop
+ "sakhalin" # Server
+ "kerkouane" # VPS server
+
+ # aarch64-linux systems
+ "rhea" # Main media server
+ "aion" # XMPP/podcast server
+ "athena" # Raspberry Pi 4
+ "demeter" # Raspberry Pi 4
+ "aix" # Raspberry Pi 4
+ ];
+
+ # Run weekly on Sunday at 2 AM
+ schedule = "Sun *-*-* 02:00:00";
+
+ # Notifications via ntfy
+ ntfyServer = "https://ntfy.sbr.pm";
+ ntfyTopic = "nix-updates";
+ ntfyTokenFile = config.age.secrets."ntfy-token".path;
+
+ # Git settings
+ gitRemote = "origin";
+ branchPrefix = "flake-update-";
+
+ # Run as vincent (has git push access)
+ user = "vincent";
+
+ # Add randomized delay to avoid conflicts
+ randomizedDelaySec = 1800; # 0-30 min delay
+ };
+
+ # Daily automated updates for chick-group and chapeau-rouge with auto-merge
+ daily = {
+ enable = true;
+ repoPath = "/home/vincent/src/home";
+
+ # Update only personal repos
+ flakeInputs = [
+ "chick-group"
+ "chapeau-rouge"
+ ];
+
+ # Auto-merge to main on successful build
+ autoMerge = true;
+
+ # Build fewer systems for faster daily updates
+ buildSystems = [
+ "okinawa" # Self (x86_64-linux)
+ "kyushu" # Work laptop (x86_64-linux)
+ ];
+
+ # Run daily at 4 AM
+ schedule = "*-*-* 04:00:00";
+
+ # Notifications via ntfy (same topic as weekly)
+ ntfyServer = "https://ntfy.sbr.pm";
+ ntfyTopic = "nix-updates";
+ ntfyTokenFile = config.age.secrets."ntfy-token".path;
+
+ # Git settings
+ gitRemote = "origin";
+ mainBranch = "main";
+ branchPrefix = "auto-update-daily-";
+
+ # Org inbox for failure TODOs
+ inboxOrg = "/home/vincent/desktop/org/inbox.org";
+
+ # Run as vincent (has git push access)
+ user = "vincent";
+
+ # Smaller delay for daily updates
+ randomizedDelaySec = 600; # 0-10 min delay
+ };
+ };
+
# OpenCode web interface for remote AI coding
# Accessible via opencode.sbr.pm through rhea's Traefik reverse proxy
systemd.services.opencode-web =
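Review bot: Both `services.nix-flake-updater` profiles run as `user = "vincent"` yet read `config.age.secrets."ntfy-token".path`, the same secret the root-run harmonia builder and `services.job-notify` consume; unless that secret is declared with `owner = "vincent"` (or a mode and group that let vincent read it), the user-run timers will fail when they try to post a notification, and the declaration is not in this hunk, so a comment such as `# ntfy-token must be readable by vincent (see the age.secrets declaration)` next to `user = "vincent";` would make the dependency explicit. Separately, `services.harmonia-cache` is set to `port = 5000;` with no listen-address restriction visible here, and the later firewall hunk adds 5000 to `networking.firewall.allowedTCPPorts`, which opens it on every interface; a binary cache hands out any store path on this host, so if the intent is VPN-only reach like the llama-server comment suggests, `networking.firewall.interfaces.<vpn-iface>.allowedTCPPorts = [ 5000 ];` scoped to the VPN interface is the safer shape. Finally, `autoMerge = true;` in the `daily` block lands input bumps on `main` after a green build with no human review, which is a reasonable trade for inputs the author controls but deserves a comment saying so, since a compromised or mistaken upstream tag would be merged automatically.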
@@ -225,8 +347,9 @@
"d /run/opencode/config 0755 vincent users -"
];
- # Firewall: OpenCode web + llama-server (VPN access) + monitoring
+ # Firewall: OpenCode web + llama-server (VPN access) + monitoring + Harmonia
networking.firewall.allowedTCPPorts = [
+ 5000 # Harmonia binary cache
5555 # OpenCode web
8090 # llama-server
9000 # Prometheus node exporter