diff --git a/.beads/.sync.lock b/.beads/.sync.lock new file mode 100644 index 0000000..e69de29 diff --git a/.beads/sync_base.jsonl b/.beads/sync_base.jsonl new file mode 100644 index 0000000..48529f6 --- /dev/null +++ b/.beads/sync_base.jsonl 
@@ -0,0 +1,2 @@ +{"id":"nixos-config-gx2","title":"form","status":"tombstone","priority":2,"issue_type":"task","created_at":"2026-01-11T11:49:21.688289476+01:00","created_by":"m3tam3re","updated_at":"2026-01-11T11:51:36.426124223+01:00","deleted_at":"2026-01-11T11:51:36.426124223+01:00","deleted_by":"daemon","delete_reason":"delete","original_type":"task"} +{"id":"nixos-config-n4l","title":"Create Gitea action for nix-update package updates","description":"Create a Gitea action to automatically update packages in this nixos-config repository using nix-update.\n\n**Context:**\n- Gitea instance is already running on m3-atlas at code.m3ta.dev (configured in hosts/m3-atlas/services/gitea.nix)\n- The repository is self-hosted on this Gitea instance\n- nix-update is already referenced in home/features/cli/default.nix\n- Currently no Gitea workflows exist (.gitea/ directory does not exist)\n\n**Goal:**\nAutomate package updates by creating a Gitea Actions workflow that:\n1. Runs nix-update periodically (e.g., weekly or on schedule)\n2. Updates package definitions in pkgs/ directory\n3. Creates pull requests with the updates\n4. 
Uses appropriate secrets/credentials for the Gitea instance\n\n**Requirements:**\n- Create .gitea/workflows/ directory structure\n- Define workflow file with nix-update command\n- Configure triggers (schedule, manual, or on repository events)\n- Set up proper permissions and secrets\n- Test the workflow execution\n\n**Current Repository State:**\n- pkgs/default.nix exists but is minimal (currently just a comment)\n- Multiple nixpkgs inputs are used (unstable, 25.11, locked, master)\n- Custom m3ta-nixpkgs overlay at code.m3ta.dev/m3tam3re/nixpkgs\n- Uses agenix for secrets management\n\n**Related Files:**\n- hosts/m3-atlas/services/gitea.nix (existing Gitea configuration)\n- hosts/common/ports.nix (port management)\n- home/features/cli/default.nix (nix-update reference)\n\n**Acceptance Criteria:**\n- [ ] Create .gitea/workflows directory\n- [ ] Implement nix-update workflow YAML\n- [ ] Configure appropriate triggers\n- [ ] Test workflow on the repository\n- [ ] Document setup and configuration","status":"closed","priority":2,"issue_type":"feature","owner":"p@m3ta.dev","created_at":"2026-01-13T20:39:49.838916335+01:00","created_by":"m3tm3re","updated_at":"2026-01-13T20:51:43.833041989+01:00","closed_at":"2026-01-13T20:51:43.833041989+01:00","close_reason":"Closed"} diff --git a/flake.lock b/flake.lock index 531561c..74205ff 100644 --- a/flake.lock +++ b/flake.lock @@ -24,11 +24,11 @@ "agents": { "flake": false, "locked": { - "lastModified": 1767965833, - "narHash": "sha256-8tKEfJU4bxlgPJwUTUDQkVJMbwWQMiYt+moLjMIFeVY=", + "lastModified": 1768312204, + "narHash": "sha256-wB1pEROaXzJzxCaJwOyXmD0gq8/hv7OeEw3jNXrPwAc=", "ref": "refs/heads/master", - "rev": "3e20c82603a4ddedf04ff001adf943723a49dc37", - "revCount": 7, + "rev": "cfa0f8f942545434a825fedf0a49061d26fff73d", + "revCount": 9, "type": "git", "url": "https://code.m3ta.dev/m3tam3re/AGENTS" }, 
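Review bot: `.beads/.sync.lock` is an empty runtime lock file committed next to the sync base; lock files are per-checkout state and will cause stale-lock behaviour or noise in other clones, so it belongs in `.gitignore` rather than in the tree. `sync_base.jsonl` additionally records an owner e-mail and author handles for what looks like a tool-maintained issue cache; if this repository is mirrored anywhere public, decide deliberately whether that metadata should be versioned. Both files appear generated, so the fix is an ignore rule (`.beads/.sync.lock`) rather than hand edits.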
@@ -243,8 +243,8 @@ "nixpkgs": "nixpkgs_3" }, "locked": { - "lastModified": 1768245745, - "narHash": "sha256-CHspl0D+ougqFToY6d0ZQk5KtNfCyB8AWnmeVWkuuRk=", + "lastModified": 1768419432, + "narHash": "sha256-EwJZcXCEF1ExSfZP4asi1ATOhj1xcvH3tIe5nDSk9Oc=", "path": "/home/m3tam3re/p/NIX/nixpkgs", "type": "path" }, @@ -435,11 +435,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1766309749, - "narHash": "sha256-3xY8CZ4rSnQ0NqGhMKAy5vgC+2IVK0NoVEzDoOh4DA4=", + "lastModified": 1768127708, + "narHash": "sha256-1Sm77VfZh3mU0F5OqKABNLWxOuDeHIlcFjsXeeiPazs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a6531044f6d0bef691ea18d4d4ce44d0daa6e816", + "rev": "ffbc9f8cbaacfb331b6017d5a5abb21a492c9a38", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index e710e4d..8934457 100644 --- a/flake.nix +++ b/flake.nix @@ -22,12 +22,12 @@ nixpkgs-9e58ed7.url = "github:nixos/nixpkgs/9e58ed7ba759d81c98f033b7f5eba21ca68f53b0"; nixpkgs-master.url = "github:nixos/nixpkgs/master"; - m3ta-nixpkgs.url = "git+https://code.m3ta.dev/m3tam3re/nixpkgs"; - # m3ta-nixpkgs.url = "path:/home/m3tam3re/p/NIX/nixpkgs"; + # m3ta-nixpkgs.url = "git+https://code.m3ta.dev/m3tam3re/nixpkgs"; + m3ta-nixpkgs.url = "path:/home/m3tam3re/p/NIX/nixpkgs"; # nur = { url = "github:nix-community/NUR"; - ist456nputs.nixpkgs.follows = "nixpkgs"; + inputs.nixpkgs.follows = "nixpkgs"; }; agenix.url = "github:ryantm/agenix"; diff --git a/home/features/coding/opencode.nix b/home/features/coding/opencode.nix index 0965512..824791e 100644 --- a/home/features/coding/opencode.nix +++ b/home/features/coding/opencode.nix 
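Review bot: Activating `m3ta-nixpkgs.url = "path:/home/m3tam3re/p/NIX/nixpkgs";` makes the flake evaluable only on the one machine where that checkout exists; the Gitea runner introduced in this same commit, and any other host rebuilding from this repo, will fail at input fetch, and the lock now records only a `narHash` plus a local path instead of a revision on `code.m3ta.dev` that anyone else can fetch. This reads like a local development toggle committed by accident; keep the git URL active (`m3ta-nixpkgs.url = "git+https://code.m3ta.dev/m3tam3re/nixpkgs";`) and use `nix flake lock --override-input m3ta-nixpkgs path:/home/m3tam3re/p/NIX/nixpkgs` locally instead of swapping the commented lines. The `ist456nputs` → `inputs` correction in the same hunk is a genuine fix and should stay.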
@@ -22,8 +22,10 @@ enable = true; settings = { theme = "opencode"; - plugin = ["oh-my-opencode" "opencode-beads"]; - agent = builtins.fromJSON (builtins.readFile "${inputs.agents}/agent/agents.json"); + plugin = ["oh-my-opencode" "opencode-beads" "opencode-antigravity-auth@beta"]; + agent = + builtins.fromJSON + (builtins.readFile "${inputs.agents}/agent/agents.json"); formatter = { alejandra = { command = ["alejandra" "-q" "-"]; 
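Review bot: `"opencode-antigravity-auth@beta"` adds a third-party plugin by a floating dist-tag rather than an exact version; if opencode resolves plugins from a package registry at startup (I cannot confirm the mechanism from this diff), every start can pull whatever `beta` currently points to, which is an unpinned supply-chain dependency for a plugin whose name suggests it handles authentication tokens. Prefer an exact version, `"opencode-antigravity-auth@<x.y.z>"`, and add a short comment on why the beta channel is needed so the pin gets revisited when a stable release exists.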
@@ -72,6 +74,129 @@ enabled = true; }; }; + provider = { + google = { + models = { + antigravity-gemini-3-pro = { + name = "Gemini 3 Pro (Antigravity)"; + limit = { + context = 1048576; + output = 65535; + }; + modalities = { + input = ["text" "image" "pdf"]; + output = ["text"]; + }; + variants = { + low = {thinkingLevel = "low";}; + high = {thinkingLevel = "high";}; + }; + }; + antigravity-gemini-3-flash = { + name = "Gemini 3 Flash (Antigravity)"; + limit = { + context = 1048576; + output = 65536; + }; + modalities = { + input = ["text" "image" "pdf"]; + output = ["text"]; + }; + variants = { + minimal = {thinkingLevel = "minimal";}; + low = {thinkingLevel = "low";}; + medium = {thinkingLevel = "medium";}; + high = {thinkingLevel = "high";}; + }; + }; + antigravity-claude-sonnet-4-5 = { + name = "Claude Sonnet 4.5 (Antigravity)"; + limit = { + context = 200000; + output = 64000; + }; + modalities = { + input = ["text" "image" "pdf"]; + output = ["text"]; + }; + }; + antigravity-claude-sonnet-4-5-thinking = { + name = "Claude Sonnet 4.5 Thinking (Antigravity)"; + limit = { + context = 200000; + output = 64000; + }; + modalities = { + input = ["text" "image" "pdf"]; + output = ["text"]; + }; + variants = { + low = {thinkingConfig = {thinkingBudget = 8192;};}; + max = {thinkingConfig = {thinkingBudget = 32768;};}; + }; + }; + antigravity-claude-opus-4-5-thinking = { + name = "Claude Opus 4.5 Thinking (Antigravity)"; + limit = { + context = 200000; + output = 64000; + }; + modalities = { + input = ["text" "image" "pdf"]; + output = ["text"]; + }; + variants = { + low = {thinkingConfig = {thinkingBudget = 8192;};}; + max = {thinkingConfig = {thinkingBudget = 32768;};}; + }; + }; + "gemini-2.5-flash" = { + name = "Gemini 2.5 Flash (Gemini CLI)"; + limit = { + context = 1048576; + output = 65536; + }; + modalities = { + input = ["text" "image" "pdf"]; + output = ["text"]; + }; + }; + "gemini-2.5-pro" = { + name = "Gemini 2.5 Pro (Gemini CLI)"; + limit = { + context = 
1048576; + output = 65536; + }; + modalities = { + input = ["text" "image" "pdf"]; + output = ["text"]; + }; + }; + "gemini-3-flash-preview" = { + name = "Gemini 3 Flash Preview (Gemini CLI)"; + limit = { + context = 1048576; + output = 65536; + }; + modalities = { + input = ["text" "image" "pdf"]; + output = ["text"]; + }; + }; + "gemini-3-pro-preview" = { + name = "Gemini 3 Pro Preview (Gemini CLI)"; + limit = { + context = 1048576; + output = 65535; + }; + modalities = { + input = ["text" "image" "pdf"]; + output = ["text"]; + }; + }; + }; + }; + }; }; }; diff --git a/hosts/m3-atlas/secrets.nix b/hosts/m3-atlas/secrets.nix index 379d61e..7ea288a 100644 --- a/hosts/m3-atlas/secrets.nix +++ b/hosts/m3-atlas/secrets.nix 
@@ -1,51 +1,35 @@ { age = { secrets = { - baserow-env = { - file = ../../secrets/baserow-env.age; - }; - ghost-env = { - file = ../../secrets/ghost-env.age; - }; + baserow-env = { file = ../../secrets/baserow-env.age; }; + ghost-env = { file = ../../secrets/ghost-env.age; }; kestra-config = { file = ../../secrets/kestra-config.age; mode = "644"; }; - kestra-env = { - file = ../../secrets/kestra-env.age; - }; - littlelink-m3tam3re = { - file = ../../secrets/littlelink-m3tam3re.age; - }; - minio-root-cred = { - file = ../../secrets/minio-root-cred.age; - }; - n8n-env = { - file = ../../secrets/n8n-env.age; - }; - paperless-key = { - file = ../../secrets/paperless-key.age; - }; - restreamer-env = { - file = ../../secrets/restreamer-env.age; - }; - searx = { - file = ../../secrets/searx.age; - }; - tailscale-key = { - file = ../../secrets/tailscale-key.age; - }; + kestra-env = { file = ../../secrets/kestra-env.age; }; + littlelink-m3tam3re = { file = ../../secrets/littlelink-m3tam3re.age; }; + minio-root-cred = { file = ../../secrets/minio-root-cred.age; }; + n8n-env = { file = ../../secrets/n8n-env.age; }; + paperless-key = { file = ../../secrets/paperless-key.age; }; + restreamer-env = { file = ../../secrets/restreamer-env.age; }; + searx = { file = ../../secrets/searx.age; }; + tailscale-key = { file = ../../secrets/tailscale-key.age; }; traefik = { file = ../../secrets/traefik.age; owner = "traefik"; }; - vaultwarden-env = { - file = ../../secrets/vaultwarden-env.age; - }; + vaultwarden-env = { file = ../../secrets/vaultwarden-env.age; }; m3tam3re-secrets = { file = ../../secrets/m3tam3re-secrets.age; owner = "m3tam3re"; }; + gitea-runner-token = { + file = ../../secrets/gitea-runner-token.age; + mode = "600"; + owner = "gitea-runner"; + group = "gitea-runner"; + }; }; }; } diff --git a/hosts/m3-atlas/services/default.nix b/hosts/m3-atlas/services/default.nix index 0e6d78a..a449aa8 100644 --- a/hosts/m3-atlas/services/default.nix 
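Review bot: `gitea-runner-token` is declared with `mode = "600"`, but the runner only reads this file, so agenix's own default `"0400"` is the tighter choice (`mode = "0400";`). As far as I recall the NixOS `gitea-actions-runner` module passes `tokenFile` to systemd as an `EnvironmentFile`, so the decrypted content must be `TOKEN=<registration token>` rather than the bare token — worth confirming before the first deploy, since a bare value only fails when the service starts. Note also that this is a one-time registration token; once the runner has registered, its persistent credential lives in the runner's state directory, so the token in Gitea can be revoked after a successful first start.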
+++ b/hosts/m3-atlas/services/default.nix
@@ -2,6 +2,7 @@
 imports = [
 ./containers
 ./gitea.nix
+ ./gitea-actions-runner.nix
 ./headscale.nix
 ./minio.nix
 ./mysql.nix
diff --git a/hosts/m3-atlas/services/gitea-actions-runner.nix b/hosts/m3-atlas/services/gitea-actions-runner.nix
new file mode 100644
index 0000000..b369fe8
--- /dev/null
+++ b/hosts/m3-atlas/services/gitea-actions-runner.nix
@@ -0,0 +1,58 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ services.gitea-actions-runner = {
+ instances.default = {
+ enable = true;
+ name = "${config.networking.hostName}-runner";
+ url = "https://code.m3ta.dev";
+ tokenFile = config.age.secrets.gitea-runner-token.path;
+
+ # nixos:host is primary, ubuntu is fallback
+ labels = [
+ # Primary: Run directly on host (fastest, has Nix installed)
+ "nixos:host"
+
+ # Fallback: Docker-based execution for compatibility
+ "ubuntu-latest:docker://node:18-bullseye"
+ "ubuntu-22.04:docker://node:20-bullseye"
+ ];
+
+ # Host execution packages
+ hostPackages = with pkgs; [
+ git
+ bash
+ coreutils
+ nix
+ # Add any other tools you need for nix-update workflows
+ ];
+
+ # Advanced settings
+ settings = {
+ runner = {
+ capacity = 1; # One job at a time (increase if you have resources)
+ timeout = "4h"; # Nix builds can take a while
+ };
+ cache = {enabled = true;};
+ container = {
+ enable_ipv6 = true;
+ privileged = false;
+ };
+ };
+ };
+ };
+
+ # User management (auto-created by module, but ensuring proper setup)
+ users.users.gitea-runner = {
+ home = "/var/lib/gitea-runner";
+ group = "gitea-runner";
+ isSystemUser = true;
+ createHome = true;
+ };
+ users.groups.gitea-runner = {};
+
+ # Firewall: Allow Podman bridge networks for cache actions
+ networking.firewall.trustedInterfaces = ["br-+"];
+}
diff --git a/secrets.nix b/secrets.nix
index 5cb3f2d..380562a 100644
--- a/secrets.nix
+++ b/secrets.nix
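Review bot: `networking.firewall.trustedInterfaces = ["br-+"];` turns the firewall off for every interface named `br-*`, so any container attached to any bridge on this host — which also runs Gitea, MinIO, MySQL, Vaultwarden and Traefik per the secrets list — can reach every listening host service, not just the runner's cache server the comment mentions; pin the cache to a fixed `settings.cache.port` and open only that port on the bridge (`networking.firewall.interfaces."br-+".allowedTCPPorts = [ <cache port> ];`) instead of trusting the interface wholesale. The `nixos:host` label runs workflow steps directly on the host as `gitea-runner` with `nix` on PATH, so whoever can trigger Actions on any repository this runner serves gets a shell on the same box; if the token is instance-wide, consider registering at repository or organization scope and reserving host jobs for trusted workflows, and note in a comment that `privileged = false` only constrains the `docker://` labels. The explicit `users.users.gitea-runner` block admits the module already creates the user; if it only exists for `home`/`createHome`, say so in the comment, otherwise drop it to avoid diverging from the module's definition.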
@@ -1,22 +1,20 @@ let # SYSTEMS - m3-ares = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG+M4CygEQ29eTmLqgyIAFCxy0rgfO23klNiARBEA+3s"; - m3-kratos = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDl+LtFGsk/A7BvxwiUCyq5wjRzGtQSrBJzzLGxINF4O"; - m3-helios = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIyHuLITpI+M45ZZem33wDusY2X988mBoWpD1HDeZNRJ"; - m3-atlas = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBYK1wsFkUPIb/lX1BH7+VyXmmGSbdEFHnvhAOcaC7H"; + m3-ares = + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG+M4CygEQ29eTmLqgyIAFCxy0rgfO23klNiARBEA+3s"; + m3-kratos = + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDl+LtFGsk/A7BvxwiUCyq5wjRzGtQSrBJzzLGxINF4O"; + m3-helios = + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIyHuLITpI+M45ZZem33wDusY2X988mBoWpD1HDeZNRJ"; + m3-atlas = + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBYK1wsFkUPIb/lX1BH7+VyXmmGSbdEFHnvhAOcaC7H"; # USERS - m3tam3re = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC3YEmpYbM+cpmyD10tzNRHEn526Z3LJOzYpWEKdJg8DaYyPbDn9iyVX30Nja2SrW4Wadws0Y8DW+Urs25/wVB6mKl7jgPJVkMi5hfobu3XAz8gwSdjDzRSWJrhjynuaXiTtRYED2INbvjLuxx3X8coNwMw58OuUuw5kNJp5aS2qFmHEYQErQsGT4MNqESe3jvTP27Z5pSneBj45LmGK+RcaSnJe7hG+KRtjuhjI7RdzMeDCX73SfUsal+rHeuEw/mmjYmiIItXhFTDn8ZvVwpBKv7xsJG90DkaX2vaTk0wgJdMnpVIuIRBa4EkmMWOQ3bMLGkLQeK/4FUkNcvQ/4+zcZsg4cY9Q7Fj55DD41hAUdF6SYODtn5qMPsTCnJz44glHt/oseKXMSd556NIw2HOvihbJW7Rwl4OEjGaO/dF4nUw4c9tHWmMn9dLslAVpUuZOb7ykgP0jk79ldT3Dv+2Hj0CdAWT2cJAdFX58KQ9jUPT3tBnObSF1lGMI7t77VU="; - users = [ - m3tam3re - ]; + m3tam3re = + "ssh-rsa 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"; + users = [ m3tam3re ]; - systems = [ - m3-atlas - m3-ares - m3-helios - m3-kratos - ]; + systems = [ m3-atlas m3-ares m3-helios m3-kratos ]; in { "secrets/anytype-key.age".publicKeys = systems ++ users; "secrets/anytype-key-ares.age".publicKeys = systems ++ users; 
@@ -31,6 +29,7 @@ in { "secrets/paperless-key.age".publicKeys = systems ++ users; "secrets/ref-key.age".publicKeys = systems ++ users; "secrets/exa-key.age".publicKeys = systems ++ users; + "secrets/gitea-runner-token.age".publicKeys = systems ++ users; "secrets/restreamer-env.age".publicKeys = systems ++ users; "secrets/searx.age".publicKeys = systems ++ users; "secrets/tailscale-key.age".publicKeys = systems ++ users; diff --git a/secrets/gitea-runner-token.age b/secrets/gitea-runner-token.age new file mode 100644 index 0000000..3216ba1 --- /dev/null +++ b/secrets/gitea-runner-token.age @@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 4NLKrw yQsk1NS2ujPzm4WJLl/CYi0EZRCIFvgJP2aLG09KJQE +H2QT+huNTEpE2ndSeyL38e1JW1Z+UEHObqhZQ66E28M +--- 1lhPBj02CB6BsouveThOL4pyTKXQhrUro59YXz0+fRk +q=Vwܮ1A߲u!I(?CC"ދ3.s :"Ժ|ÆY2\ͨ \ No newline at end of file
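Review bot: `"secrets/gitea-runner-token.age".publicKeys = systems ++ users;` lets all four hosts decrypt a registration token that only m3-atlas, the host declaring the runner, needs. The file's convention is `systems ++ users` for every entry, but for a credential tied to one service on one host `"secrets/gitea-runner-token.age".publicKeys = [ m3-atlas ] ++ users;` limits what a compromise of ares, helios or kratos yields. The same least-privilege argument applies to several existing entries, but those are outside this change.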
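Review bot: The committed `gitea-runner-token.age` carries exactly one `-> ssh-ed25519` recipient stanza — the hunk is five lines: header, a two-line stanza, the `---` MAC line and the payload — while `secrets.nix` declares five recipients for it (four host keys plus the `ssh-rsa` user key). At minimum the user key cannot decrypt this file, and if that single stanza is not m3-atlas's host key the runner service will fail at activation; re-encrypt from the repo root with `agenix -r` (or `agenix -e secrets/gitea-runner-token.age`) so the recipient set matches the declaration.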