pinned python 3.12

.gitignore

@@ -1,3 +1,5 @@
 # git.nix
 *.env
 .devenv
+
+*.log

.sops.yaml

@@ -1,7 +1,9 @@
 keys:
-  - &primary age197d424aa7jpj2s735fl2h2s4c687y8vm44usx8wag0r2kh2v7ces4efdyn
+  - &1password age197d424aa7jpj2s735fl2h2s4c687y8vm44usx8wag0r2kh2v7ces4efdyn
+  - &lola-ad age1qf4c4asf7wcqqyd9aju8fq9dvum4ptcqr8dd6xqengsf6jx7daqqtgup30
 creation_rules:
-  - path_regex: secrets/secrets.yaml$
+  - path_regex: yaml$
     key_groups:
     - age:
-      - *primary
+      - *1password
+      - *lola-ad

README.md

@@ -2,19 +2,20 @@
 
 ## Objectives
 
-- Use flakes
+- SSH remote with VSCode
+- Debugger must work
+- Multiple dev versions (different branches, forks)
+- Multiple config directories - deployment and test
 - `devenv`-based workflow
     - Shell
         - Makes `uv` available
         - Syncs `devenv` virtual environment
         - `appdaemon`
     - Build Docker
-- SSH remote with VSCode 
+- Use flakes
 - Jupyter through VSCode
     - `autoreload` must work with editable install of the dev version
-- Multiple dev versions
+    - could always work in a dev container
-- Multiple config directories
-- Debugger must work
 - Observation - telegraf/promtail
 - Utility - portainer, watchtower
 
@@ -30,7 +31,9 @@ Used to enter the development shell. Be careful, as this will create a `.devenv`
 
 ### venv
 
-Activated with `.devenv/state/venv/bin/activate`. Used in VSCode for type hints, running, and debugging
+`.devenv/state/venv/bin/python`
+
+Used in VSCode for type hints, running, and debugging
 
 ### Jupyter
 
@@ -49,11 +52,40 @@ SSH keys are pre-authorized from `secrets/authorized_keys` which contains the pu
 
 - `secrets/secrets.yaml` contains the encrypted keys.
 - There needs to be a `~/.config/sops/age/keys.txt` file with the age secret key. This file has to be manually placed.
-- `sops.yaml` indicates to SOPS that the yaml file is encrypted with that secret key.
+- `.sops.yaml` indicates to SOPS that the yaml file is encrypted with that secret key.
 - `sops-ad` is a convenience script for editing the secrets.yaml file.
 
 ## Setup
 
-`secrets/secrets.yaml` needs to have
+### Bootstrapping
+
+SSH in to the host as root and get into a shell with `git`.
+
+```shell
+nix-channel --update && nix-shell -p git
+```
+
+Then build the system from the flake
+
+```shell
+nixos-rebuild switch --flake git+https://gitea.john-stream.com/john/ad-nix#ad-nix --impure
+```
+
+### Secrets
+
+During build time `/etc/ssh/ssh_host_ed25519_key` automatically gets imported as an age key. If that fingerprint is included in the `.sops.yaml` file, then `secrets/secrets.yaml` can be decrypted during the build. Otherwise `~/.config/sops/age/keys.txt` needs to already be populated.
+
+`secrets/secrets.yaml` needs to be edited from the terminal. There's a `sops-ad` command for convenience. The following keys are required:
 
 - `telegraf_influx_token`
+
+`~/.config/sops/age/keys.txt` needs to be set for the `sops-ad` command to work.
+
+### Tailscale
+
+Needs this in the `/etc/pve/lxc/<vmid>.conf` file on the proxmox host.
+
+```
+lxc.cgroup2.devices.allow: c 10:200 rwm
+lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file
+```

ad-nix.code-workspace

@@ -1,25 +1,78 @@
 {
 	"folders": [
 		{
-			"path": "/usr/src/app"
+			"path": "/home/appdaemon/ad-lola"
 		},
 		{
-			"path": "/conf"
+			"path": "/conf/lola"
 		},
 		{
-			"path": "/srv/appdaemon/snippets"
+			"path": "/home/appdaemon/ad-nix"
 		},
 		{
-			"path": "/srv/appdaemon/ad-nix"
+			"path": "/home/appdaemon/ad-test"
 		},
 	],
 	"settings": {
-        "python.defaultInterpreterPath": "/usr/src/app/.devenv/state/venv/bin/python3",
+		// Python
+		"[python]": {
+			"editor.autoClosingDelete": "always",
+			"editor.autoClosingBrackets": "always",
+			"editor.defaultFormatter": "charliermarsh.ruff",
+			// "editor.formatOnSave": true,
+			"editor.codeActionsOnSave": {
+				"source.organizeImports.ruff": "explicit",
+				// "source.fixAll": "explicit"
+			}
+		},
+		"python.defaultInterpreterPath": "${workspaceFolder}/.devenv/state/venv/bin/python3",
+		"python.autoComplete.extraPaths": ["~/ad-lola", "${fileWorkspaceFolder}/apps/room_control/src"],
 		"python.analysis.extraPaths": [
-			"/usr/src/app"
+			"~/ad-lola",
+			"${workspaceFolder:conf}/lola/apps/room_control/src",
+			"${workspaceFolder:conf}/lola/apps/lola-parking/src"
 		],
-		"ruff.interpreter": [
+		"python.analysis.autoFormatStrings": true,
-			"/usr/src/app/.devenv/state/venv/bin/python3"
+		"python.analysis.completeFunctionParens": true,
+		"python.analysis.autoImportCompletions": true,
+		"python.analysis.importFormat": "relative",
+		"python.analysis.autoIndent": true,
+		"python.analysis.useLibraryCodeForTypes": true,
+		"python.analysis.languageServerMode": "full",
+		"python.analysis.typeEvaluation.enableReachabilityAnalysis": true,
+		"python.languageServer": "Pylance",
+		"python.terminal.shellIntegration.enabled": true,
+
+		// Ruff settings
+		"ruff.enable": true,
+		"ruff.organizeImports": true,
+		"ruff.importStrategy": "fromEnvironment",
+		"ruff.nativeServer": true,
+		"ruff.configurationPreference": "filesystemFirst",
+		"ruff.configuration": "${workspaceFolder}/pyproject.toml",
+		"ruff.fixAll": true,
+		"ruff.lint.enable": true,
+		// https://docs.astral.sh/ruff/rules/
+		"ruff.lint.extendSelect": [
+			"F", "W", "I",
+			"E1", "E2", "E3", "E4", "E5", "E7", "E9"
 		],
+
+	 
+		// Notebooks
+		// "jupyter.askForKernelRestart": false,
+		"notebook.defaultFormatter": "charliermarsh.ruff",
+		"notebook.formatOnSave.enabled": true,
+		"notebook.codeActionsOnSave": {
+			"notebook.source.fixAll": "explicit",
+			"notebook.source.organizeImports": "explicit"
+		},
+
+		"editor.rulers": [120],
+		"editor.wordWrap": "on",
+		"editor.wordWrapColumn": 120,
+		// https://docs.astral.sh/ruff/rules/#pycodestyle-e-w
+		// https://pycodestyle.pycqa.org/en/latest/intro.html#error-codes
+		
     }
 }

configuration.nix

@@ -1,7 +1,7 @@
 { pkgs, lib, userSettings, systemSettings, ... }:
 {
   imports = [
-    (import ./home-manager/home.nix {inherit systemSettings userSettings lib;})
+    # (import ./home-manager {inherit systemSettings userSettings lib pkgs;})
      ./nixos
      ./scripts
   ];
@@ -10,18 +10,21 @@
 
   nix.settings.trusted-users = [ "root" "@wheel" ];
   nix.settings.experimental-features = [ "nix-command" "flakes" ];
+  nix.settings.download-buffer-size = 524288000; # 500MB
   
   programs.nix-ld.enable = true;
 
-  sops.defaultSopsFile = ./secrets/secrets.yaml;
+  sops.defaultSopsFile = ./secrets/encrypted_secrets.yaml;
   sops.defaultSopsFormat = "yaml";
   
+  # This is needed for nix to access the secrets at build time.
+  # It doesn't affect for the `sops ...` command
+  # Optional if the system has the key age for /etc/ssh/ssh_host_ed25519_key in .sops.yaml
+  # sops.age.keyFile = "${userSettings.adHome}/.config/sops/age/keys.txt";
+
   environment.systemPackages = with pkgs; [
-    bash
-    git
-    eza
-    gh
     sops
+    gdbm
   ];
 
   virtualisation.docker.enable = true;
@@ -30,4 +33,43 @@
   services.vscode-server.enable = true;
   services.openssh.enable = true;
   services.tailscale.enable = true;
+
+  # services.cron = {
+  #   enable = true;
+  #   systemCronJobs = [
+  #     "30 2 * * * /run/current-system/sw/bin/nfsu > /etc/nixos/auto_update.log 2>&1"
+  #   ];
+  # };
+
+  # systemd.timers."auto-update" = {
+  #   wantedBy = [ "timers.target" ];
+  #     timerConfig = {
+  #       OnCalendar="*-*-* 4:00:00";
+  #       Unit = "auto-update.service";
+  #     };
+  # };
+
+  # systemd.services."auto-update" = {
+  #   script = ''
+  #     ${pkgs.coreutils}/bin/echo "Running auto-update"
+  #     FLAKE=$(${pkgs.coreutils}/bin/readlink -f /etc/nixos)
+  #     ${pkgs.coreutils}/bin/echo "FLAKE: $FLAKE"
+  #     ${pkgs.nix}/bin/nix flake update --flake $FLAKE --impure
+  #     ${pkgs.git}/bin/git -C $FLAKE add "$FLAKE/flake.lock" > /dev/null 2>&1
+  #     ${pkgs.sudo}/bin/sudo ${pkgs.nixos-rebuild}/bin/nixos-rebuild switch --flake $FLAKE#${systemSettings.hostName} --impure
+  #   '';
+  #   serviceConfig = {
+  #     Type = "oneshot";
+  #     User = "${userSettings.userName}";
+  #   };
+  # };
+
+  # https://nixos.wiki/wiki/Storage_optimization
+  nix.gc = {
+    automatic = true;
+    dates = "weekly";
+    options = "--delete-older-than 30d";
+  };
+  nix.optimise.automatic = true;
+  nix.optimise.dates = [ "Mon *-*-* 05:00:00" ];
 }

flake.lock

@@ -9,16 +9,20 @@
           "devenv"
         ],
         "git-hooks": [
-          "devenv"
+          "devenv",
+          "git-hooks"
         ],
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": [
+          "devenv",
+          "nixpkgs"
+        ]
       },
       "locked": {
-        "lastModified": 1728672398,
+        "lastModified": 1748883665,
-        "narHash": "sha256-KxuGSoVUFnQLB2ZcYODW7AVPAh9JqRlD5BrfsC/Q4qs=",
+        "narHash": "sha256-R0W7uAg+BLoHjMRMQ8+oiSbTq8nkGz5RDpQ+ZfxxP3A=",
         "owner": "cachix",
         "repo": "cachix",
-        "rev": "aac51f698309fd0f381149214b7eee213c66ef0a",
+        "rev": "f707778d902af4d62d8dd92c269f8e70de09acbe",
         "type": "github"
       },
       "original": {
@@ -39,11 +43,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1734441494,
+        "lastModified": 1756048064,
-        "narHash": "sha256-/SZXjdKlo6NgVR+/RT0eYCUUJLcQndy7lIl2Bc0qjlY=",
+        "narHash": "sha256-mVgB6qWhLrCW6AciLyFXosDKKZFtBgqvixcA8a07s+g=",
         "owner": "cachix",
         "repo": "devenv",
-        "rev": "bdc1a2cefdda8f89e31b1a0f3771786ba9e5d052",
+        "rev": "3fb20c149d329b01a2b519fbb2a9ca3e6e6e1b05",
         "type": "github"
       },
       "original": {
@@ -55,11 +59,11 @@
     "flake-compat": {
       "flake": false,
       "locked": {
-        "lastModified": 1696426674,
+        "lastModified": 1747046372,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
         "type": "github"
       },
       "original": {
@@ -71,11 +75,11 @@
     "flake-compat_2": {
       "flake": false,
       "locked": {
-        "lastModified": 1696426674,
+        "lastModified": 1747046372,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
         "type": "github"
       },
       "original": {
@@ -93,11 +97,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1712014858,
+        "lastModified": 1733312601,
-        "narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=",
+        "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "9126214d0a59633752a136528f5f3b9aa8565b7d",
+        "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
         "type": "github"
       },
       "original": {
@@ -127,23 +131,21 @@
     "git-hooks": {
       "inputs": {
         "flake-compat": [
-          "devenv"
+          "devenv",
+          "flake-compat"
         ],
         "gitignore": "gitignore",
         "nixpkgs": [
           "devenv",
           "nixpkgs"
-        ],
-        "nixpkgs-stable": [
-          "devenv"
         ]
       },
       "locked": {
-        "lastModified": 1730302582,
+        "lastModified": 1750779888,
-        "narHash": "sha256-W1MIJpADXQCgosJZT8qBYLRuZls2KSiKdpnTVdKBuvU=",
+        "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "af8a16fe5c264f5e9e18bcee2859b40a656876cf",
+        "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d",
         "type": "github"
       },
       "original": {
@@ -181,11 +183,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1734344598,
+        "lastModified": 1756022458,
-        "narHash": "sha256-wNX3hsScqDdqKWOO87wETUEi7a/QlPVgpC/Lh5rFOuA=",
+        "narHash": "sha256-J1i35r4HfNDdPpwL0vOBaZopQudAUVtartEerc1Jryc=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "83ecd50915a09dca928971139d3a102377a8d242",
+        "rev": "9e3a33c0bcbc25619e540b9dfea372282f8a9740",
         "type": "github"
       },
       "original": {
@@ -194,62 +196,92 @@
         "type": "github"
       }
     },
-    "libgit2": {
+    "home-manager_2": {
-      "flake": false,
+      "inputs": {
+        "nixpkgs": [
+          "nix-home",
+          "nixpkgs"
+        ]
+      },
       "locked": {
-        "lastModified": 1697646580,
+        "lastModified": 1750033262,
-        "narHash": "sha256-oX4Z3S9WtJlwvj0uH9HlYcWv+x1hqp8mhXl7HsLu2f0=",
+        "narHash": "sha256-TcFN78w6kPspxpbPsxW/8vQ1GAtY8Y3mjBaC+oB8jo4=",
-        "owner": "libgit2",
+        "owner": "nix-community",
-        "repo": "libgit2",
+        "repo": "home-manager",
-        "rev": "45fd9ed7ae1a9b74b957ef4f337bc3c8b3df01b5",
+        "rev": "66523b0efe93ce5b0ba96dcddcda15d36673c1f0",
         "type": "github"
       },
       "original": {
-        "owner": "libgit2",
+        "owner": "nix-community",
-        "repo": "libgit2",
+        "repo": "home-manager",
         "type": "github"
       }
     },
     "nix": {
       "inputs": {
         "flake-compat": [
-          "devenv"
+          "devenv",
+          "flake-compat"
         ],
         "flake-parts": "flake-parts",
-        "libgit2": "libgit2",
+        "git-hooks-nix": [
-        "nixpkgs": "nixpkgs_2",
+          "devenv",
+          "git-hooks"
+        ],
+        "nixpkgs": [
+          "devenv",
+          "nixpkgs"
+        ],
         "nixpkgs-23-11": [
           "devenv"
         ],
         "nixpkgs-regression": [
           "devenv"
-        ],
-        "pre-commit-hooks": [
-          "devenv"
         ]
       },
       "locked": {
-        "lastModified": 1727438425,
+        "lastModified": 1755029779,
-        "narHash": "sha256-X8ES7I1cfNhR9oKp06F6ir4Np70WGZU5sfCOuNBEwMg=",
+        "narHash": "sha256-3+GHIYGg4U9XKUN4rg473frIVNn8YD06bjwxKS1IPrU=",
-        "owner": "domenkozar",
+        "owner": "cachix",
         "repo": "nix",
-        "rev": "f6c5ae4c1b2e411e6b1e6a8181cc84363d6a7546",
+        "rev": "b0972b0eee6726081d10b1199f54de6d2917f861",
         "type": "github"
       },
       "original": {
-        "owner": "domenkozar",
+        "owner": "cachix",
-        "ref": "devenv-2.24",
+        "ref": "devenv-2.30",
         "repo": "nix",
         "type": "github"
       }
     },
+    "nix-home": {
+      "inputs": {
+        "home-manager": "home-manager_2",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1750825763,
+        "narHash": "sha256-gUtcO/8Bcw4YerJpSIRu+Q2MYKxWrtT+8Bp3Mh1Qfmw=",
+        "ref": "refs/heads/main",
+        "rev": "1ab1e4b9e610dcd40a3d728f377b6ac8a302d977",
+        "revCount": 26,
+        "type": "git",
+        "url": "https://gitea.john-stream.com/john/nix-home"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://gitea.john-stream.com/john/nix-home"
+      }
+    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1730531603,
+        "lastModified": 1755615617,
-        "narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=",
+        "narHash": "sha256-HMwfAJBdrr8wXAkbGhtcby1zGFvs+StOp19xNsbqdOg=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d",
+        "rev": "20075955deac2583bb12f07151c2df830ef346b4",
         "type": "github"
       },
       "original": {
@@ -267,11 +299,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1733319315,
+        "lastModified": 1755249745,
-        "narHash": "sha256-cFQBdRmtIZFVjr2P6NkaCOp7dddF93BC0CXBwFZFaN0=",
+        "narHash": "sha256-lDIbUfJ8xK62ekG+qojTlA1raHpKdScBTx8IFlQYx9U=",
         "owner": "cachix",
         "repo": "nixpkgs-python",
-        "rev": "01263eeb28c09f143d59cd6b0b7c4cc8478efd48",
+        "rev": "b6632af2db9f47c79dac8f4466388c7b1b6c3071",
         "type": "github"
       },
       "original": {
@@ -281,38 +313,6 @@
       }
     },
     "nixpkgs_2": {
-      "locked": {
-        "lastModified": 1717432640,
-        "narHash": "sha256-+f9c4/ZX5MWDOuB1rKoWj+lBNm0z0rs4CK47HBLxy1o=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "88269ab3044128b7c2f4c7d68448b2fb50456870",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "release-24.05",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_3": {
-      "locked": {
-        "lastModified": 1734119587,
-        "narHash": "sha256-AKU6qqskl0yf2+JdRdD0cfxX4b9x3KKV5RqA6wijmPM=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "3566ab7246670a43abd2ffa913cc62dad9cdf7d5",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_4": {
       "locked": {
         "lastModified": 1682134069,
         "narHash": "sha256-TnI/ZXSmRxQDt2sjRYK/8j8iha4B4zP2cnQCZZ3vp7k=",
@@ -330,7 +330,8 @@
       "inputs": {
         "devenv": "devenv",
         "home-manager": "home-manager",
-        "nixpkgs": "nixpkgs_3",
+        "nix-home": "nix-home",
+        "nixpkgs": "nixpkgs",
         "nixpkgs-python": "nixpkgs-python",
         "sops-nix": "sops-nix",
         "vscode-server": "vscode-server"
@@ -343,11 +344,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1733965552,
+        "lastModified": 1754988908,
-        "narHash": "sha256-GZ4YtqkfyTjJFVCub5yAFWsHknG1nS/zfk7MuHht4Fs=",
+        "narHash": "sha256-t+voe2961vCgrzPFtZxha0/kmFSHFobzF00sT8p9h0U=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "2d73fc6ac4eba4b9a83d3cb8275096fbb7ab4004",
+        "rev": "3223c7a92724b5d804e9988c6b447a0d09017d48",
         "type": "github"
       },
       "original": {
@@ -374,14 +375,14 @@
     "vscode-server": {
       "inputs": {
         "flake-utils": "flake-utils",
-        "nixpkgs": "nixpkgs_4"
+        "nixpkgs": "nixpkgs_2"
       },
       "locked": {
-        "lastModified": 1729422940,
+        "lastModified": 1753541826,
-        "narHash": "sha256-DlvJv33ml5UTKgu4b0HauOfFIoDx6QXtbqUF3vWeRCY=",
+        "narHash": "sha256-foGgZu8+bCNIGeuDqQ84jNbmKZpd+JvnrL2WlyU4tuU=",
         "owner": "nix-community",
         "repo": "nixos-vscode-server",
-        "rev": "8b6db451de46ecf9b4ab3d01ef76e59957ff549f",
+        "rev": "6d5f074e4811d143d44169ba4af09b20ddb6937d",
         "type": "github"
       },
       "original": {

flake.nix

@@ -18,6 +18,10 @@
       url = "github:cachix/devenv";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    nix-home = {
+      url = "git+https://gitea.john-stream.com/john/nix-home";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
   nixConfig = {
@@ -25,16 +29,12 @@
     extra-substituters = "https://devenv.cachix.org";
   };
 
-  outputs = { self, ... }@args:
+  outputs = { self, ... }@inputs:
   let
     inherit (self) outputs;
-    nixosSystem = args.nixpkgs.lib.nixosSystem;
+    nixosSystem = inputs.nixpkgs.lib.nixosSystem;
 
     userSettings = {
-      gitUserName = "John Lancaster";
-      gitUserEmail = "32917998+jsl12@users.noreply.github.com";
-      adRepo = "https://github.com/jsl12/appdaemon";
-      adBranch = "hass";
       userName = "appdaemon";
       adHome = "/home/appdaemon";
     };
@@ -45,29 +45,26 @@
       system = "x86_64-linux";
       timeZone = "America/Chicago";
       locale = "en_US.UTF-8";
-      pythonVersion = "3.12.7";
+      pythonVersion = "3.12"; # This is largely irrelevant because uv will handle it
     };
 
-    pkgs = args.nixpkgs.legacyPackages.${systemSettings.system};
+    pkgs = inputs.nixpkgs.legacyPackages.${systemSettings.system};
 
   in
   {
     nixosConfigurations.${systemSettings.hostName} = nixosSystem {
       system = systemSettings.system;
-      specialArgs =
+      specialArgs = {
-      let
-        inputs = args;
-      in
-      {
         inherit inputs;
         inherit systemSettings;
         inherit userSettings;
       };
       modules = [
-        (args.nixpkgs + "/nixos/modules/virtualisation/proxmox-lxc.nix")
+        (inputs.nixpkgs + "/nixos/modules/virtualisation/proxmox-lxc.nix")
-        args.home-manager.nixosModules.default
+        inputs.home-manager.nixosModules.default
-        args.vscode-server.nixosModules.default
+        inputs.nix-home.nixosModules.default { user = "${userSettings.userName}"; }
-        args.sops-nix.nixosModules.sops
+        inputs.vscode-server.nixosModules.default
+        inputs.sops-nix.nixosModules.sops
         ./configuration.nix
       ];
     };
@@ -78,18 +75,14 @@
       devenv-test = self.devShells.${systemSettings.system}.default.config.test;
     };
 
-    devShells.${systemSettings.system}.default =
+    devShells.${systemSettings.system}.default = inputs.devenv.lib.mkShell {
-      let
-        inputs = args;
-      in
-      args.devenv.lib.mkShell {
       inherit inputs pkgs;
       modules = [
         ({ pkgs, config, ... }: {
           # This is your devenv configuration
 
           # https://devenv.sh/reference/options/#pre-commithooks
-            pre-commit.hooks = {
+          git-hooks.hooks = {
             end-of-file-fixer.enable = true;
             trim-trailing-whitespace.enable = true;
           };
@@ -111,29 +104,33 @@
 
           packages = with pkgs; [
             git
-              (pkgs.python312.withPackages (python-pkgs: with python-pkgs; [
+            gdbm
-                pip
+            # (python312.withPackages (python-pkgs: with python-pkgs; [ gdbm ]))
-                setuptools
+            (python312.withPackages (python-pkgs: with python-pkgs; [
-                wheel
+              gdbm
-                notebook
+              notebook # kinda hacky, but needed so that jupyter notebook has some shared library it needs?
-                rich
             ]))
+            (writeShellScriptBin "docs" "${pkgs.uv}/bin/uv run sphinx-autobuild -E ./docs/ ./docs_build --port 9999")
+            (writeShellScriptBin "ab" "${pkgs.uv}/bin/uv build --wheel --refresh")
+            (writeShellScriptBin "adb" "ab && ${pkgs.docker}/bin/docker build -t acockburn/appdaemon:local-dev .")
+            # (writeShellScriptBin "ad-nb" "cd $(readlink -f /etc/nixos) && devenv up")
           ];
 
-            processes = {
+          # processes = {
-              my-jup.exec = "uv run jupyter notebook";
+          #   my-jup.exec = "uv run jupyter notebook";
-            };
+          # };
 
           enterShell = ''
-              alias appdaemon="${pkgs.uv}/bin/uv run --frozen python -m appdaemon"
+            alias fix="${pkgs.uv}/bin/uv run ruff check --fix"
-              alias ad="appdaemon"
+            alias appdaemon="${pkgs.uv}/bin/uv run --frozen appdaemon"
+            # alias ad="appdaemon"
 
-              export PS1="\[\e[0;34m\](AppDaemon)\[\e[0m\] ''${PS1-}"
+            export PS1="\[\e[0;34m\](AppDaemon)\[\e[0m\] \[\033[1;32m\][\[\e]0;\u@\h: \w\a\]\u@\h:\w]\$\[\033[0m\] "
 
             export VIRTUAL_ENV=$UV_PROJECT_ENVIRONMENT
 
             echo -e "URL:        \e[34m$(${pkgs.git}/bin/git config --get remote.origin.url)\e[0m"
-              echo -e "Branch: \e[32m$(${pkgs.git}/bin/git rev-parse --abbrev-ref HEAD)\e[0m"
+            echo -e "Branch/Tag: \e[32m$(${pkgs.git}/bin/git describe --tags --exact-match 2>/dev/null || ${pkgs.git}/bin/git rev-parse --abbrev-ref HEAD)\e[0m"
             echo -e "Hash:       \e[33m$(${pkgs.git}/bin/git rev-parse --short HEAD)\e[0m"
             echo "AppDaemon v$(${pkgs.uv}/bin/uv pip show appdaemon | awk '/^Version:/ {print $2}') development shell started"
           '';

home-manager/git.nix

@@ -1,9 +0,0 @@
-{ userSettings, ... }:
-{
-  programs.git = {
-    enable = true;
-    extraConfig.credential.helper = "store --file ~/.git-credentials";
-    userName = "${userSettings.gitUserName}";
-    userEmail = "${userSettings.gitUserEmail}";
-  };
-}

nixos/default.nix

@@ -1,6 +1,8 @@
 { ... }:
 {
   imports = [
+    ./home-manager.nix
     ./docker
+    ./services
   ];
 }

nixos/home-manager.nix

@@ -1,4 +1,4 @@
-{ lib, systemSettings, userSettings, ... }:
+{ lib, pkgs, systemSettings, userSettings, ... }:
 {
   security.sudo-rs = {
     enable = true;
@@ -9,20 +9,19 @@
   users.users.${userSettings.userName} = {
     isNormalUser = true;
     extraGroups = [ "wheel" "docker" ];
-    openssh.authorizedKeys.keyFiles = [ ../secrets/authorized_keys ];
   };
 
   home-manager = {
     useGlobalPkgs = true;
-    users.${userSettings.userName} = { ... }: {
+    users.${userSettings.userName} = {
       home.stateVersion = systemSettings.stateVersion;
       home.homeDirectory = lib.mkForce "${userSettings.adHome}";
       systemd.user.startServices = "sd-switch"; # helps with handling systemd services when switching
-      imports = [ (import ./git.nix {inherit userSettings;}) ];
+      programs.gh.enable = true;
-      programs = {
+      programs.git.extraConfig.safe.directory = "/home/appdaemon/ad-nix";
-        ssh.enable = true;
+      home.packages = with pkgs; [
-        bash.enable = true;
+        lazydocker
-      };
+      ];
     };
   };
 }

nixos/services/default.nix

@@ -3,5 +3,6 @@
   imports = [
     ./promtail.nix
     ./telegraf.nix
+    ./restic.nix
   ];
 }

nixos/services/promtail.nix

@@ -1,6 +1,6 @@
 { config, pkgs, ... }:
 let
-  lokiHost = "192.168.1.174:3100";
+  lokiHost = "https://loki.john-stream.com";
 in
 {
   systemd.services.promtail.serviceConfig = {
@@ -8,8 +8,8 @@ in
   };
 
   environment.systemPackages = with pkgs; [
-    (pkgs.writeShellScriptBin "pc" "systemctl status promtail.service")
+    (pkgs.writeShellScriptBin "promtail-check" "systemctl status promtail.service")
-    (pkgs.writeShellScriptBin "pw" "journalctl -u promtail.service -b -n 25 -f")
+    (pkgs.writeShellScriptBin "promtail-watch" "journalctl -u promtail.service -b -n 25 -f")
   ];
 
   services.promtail = {
@@ -22,7 +22,7 @@ in
       positions = {
         filename = "/tmp/positions.yaml";
       };
-      clients = [{url = "http://${lokiHost}/loki/api/v1/push";}];
+      clients = [{url = "${lokiHost}/loki/api/v1/push";}];
       scrape_configs = [
         {
           job_name = "journal";

nixos/services/restic.nix

@@ -0,0 +1,49 @@
+{ config, pkgs, userSettings, ... }:
+{
+
+  sops.secrets.restic_password = {
+    owner = config.users.users.${userSettings.userName}.name;
+    mode = "0440";
+  };
+
+  environment.systemPackages = with pkgs; [
+    restic
+    (pkgs.writeShellScriptBin "restic-backup" "sudo systemctl start restic-backups-localBackup.service")
+    (pkgs.writeShellScriptBin "restic-backup-check" "sudo journalctl -b -u restic-backups-localBackup.service")
+  ];
+
+  environment.variables = {
+    RESTIC_REPOSITORY = "/mnt/restic/appdaemon";
+    RESTIC_PASSWORD = "${builtins.readFile config.sops.secrets."restic_password".path}";
+  };
+
+  services.restic.backups = {
+    localBackup = {
+      repository = "/mnt/restic/appdaemon";
+      passwordFile = config.sops.secrets."restic_password".path;
+      initialize = true;
+      timerConfig = {
+        OnCalendar = "03:00";
+        RandomizedDelaySec = "2h";
+        Persistent = true;
+      };
+      paths = [
+        "/home"
+        "/conf"
+        "/etc/nixos"
+        "/etc/ssh"  # necessary for SOPS nix to have the same keys
+      ];
+      exclude = [
+        ".cache"
+        ".vscode*"
+        ".devenv"
+        ".venv"
+        "build"
+        "dist"
+        "__pycache__"
+        "*.egg-info"
+        "namespaces"
+      ];
+    };
+  };
+}

nixos/services/telegraf.nix

@@ -1,6 +1,6 @@
 { config, pkgs, ... }:
 let
-  influxURL = "http://panoptes.john-stream.com:8086";
+  influxURL = "https://influxdb.john-stream.com";
   organization = "homelab";
   bucket = "docker";
   token = "${builtins.readFile config.sops.secrets."telegraf_influx_token".path}";
@@ -9,14 +9,12 @@ in
   sops.secrets."telegraf_influx_token" = { };
 
   environment.systemPackages = with pkgs; [
-    (pkgs.writeShellScriptBin "tc" "systemctl status telegraf.service")
+    (pkgs.writeShellScriptBin "telegraf-check" "systemctl status telegraf.service")
-    (pkgs.writeShellScriptBin "tw" "journalctl -u telegraf.service -b -n 25 -f")
+    (pkgs.writeShellScriptBin "telegraf-watch" "journalctl -u telegraf.service -b -n 25 -f")
   ];
 
   systemd.services.telegraf = {
-    environment = {
+    environment.INFLUX_WRITE_TOKEN = token;
-      INFLUX_WRITE_TOKEN = token;
-    };
     serviceConfig.SupplementaryGroups = [ "docker" ];
   };
 
@@ -43,7 +41,6 @@ in
           container_name_include = [];
           timeout = "5s";
           perdevice_include = ["cpu" "blkio" "network"];
-          total = false;
           docker_label_include = [];
         };
       };

scripts/default.nix

@@ -1,13 +1,9 @@
 { pkgs, systemSettings, ... }:
 {
   environment.systemPackages = with pkgs; [
-    (pkgs.writeShellScriptBin "nrbs" "sudo nixos-rebuild switch")
-    (pkgs.writeShellScriptBin "nrbsu" "sudo nix-channel --update && sudo nixos-rebuild switch")
-    (pkgs.writeShellScriptBin "nfs" ''
-      sudo nixos-rebuild switch --flake $(readlink -f /etc/nixos)#${systemSettings.hostName}
-    '')
     (pkgs.writeShellScriptBin "ads" "nix develop --no-pure-eval $(readlink -f /etc/nixos)")
     (pkgs.writeShellScriptBin "link-nix" "${builtins.readFile ./link-nix.sh}")
-    (pkgs.writeShellScriptBin "sops-ad" "sops $(readlink -f /etc/nixos)/secrets/secrets.yaml")
+    (pkgs.writeShellScriptBin "sops-ad" "sops $(readlink -f /etc/nixos)/secrets/encrypted_secrets.yaml")
+    (pkgs.writeShellScriptBin "lola-up" "docker compose -f /conf/lola/docker-compose.yml up -d")
   ];
 }

scripts/link-nix.sh

@@ -9,7 +9,9 @@ exit 1
 fi
 
 CURRENT=$(readlink -f /etc/nixos)
-sudo rm /etc/nixos
+if [ -d "/etc/nixos" ]; then
+    sudo rm -r /etc/nixos
+fi
 echo "Unlinked $CURRENT"
 
 sudo ln -s $1 /etc/nixos

secrets/encrypted_secrets.yaml

@@ -0,0 +1,31 @@
+telegraf_influx_token: ENC[AES256_GCM,data:XHT7lvRrw9MeC0Jxe2EYTTa/iB5QLVTzp9TDJaljssRR+kGdK3va1u14NX5b6jFrHnAXLiMdMQ5UTdbsnYH43TnRkY29mcVHxwaQv+rbCgEIKOAYFeIw0g==,iv:uzBYXWYRDH6bHZ3pubWh5Qn/2dN2Rz+sjEmrqpKhA4o=,tag:wemgU05aTl9S1rwt+fVQug==,type:str]
+restic_password: ENC[AES256_GCM,data:8ArxlyulTejzZ2eA9LqLptAZdBfBZJpeNmaw7r9H2ZPQsPAuT4uMcGRgvYF3tD1d9msyUC5yFy5trQfUxUMhXUrnPnFgZEYUrq+BVG/VraYjH74N1YTSKHksz7kqEGmTpMh6DpNLSq3JWfUT/T2GWDhIjRfQf1O++nlAWHDLT0+aEPT633+o63k8+GZuC38Khsv22dYHki1U57QQusk8x5Rj/0ZwuftJe7ItKs28nXZyLejFq+c+OTvJxjQb70FvHY0QfrGFA8RPteJgoLuTDrnKtkw2CuTpfnfhQXQw9oxUnT6x3L34RMY6Tla1PZt/xp07VZC1vnmmLB1prwJtUgvtQfzp8hLVNipoNAfg9ujg7eTq0Dwm7yHVe5hSkOxp1qh47mwA7Og9yb0t7FZE3ZiVT0P5dH/+Qvp76KhCCQUDA4ttKKw8TNjsiqrcEMyDBj+c1mXRpcXfgoAhJpgtEgHT28GEwVl927Zz3zpGG23Gu9pn5ow09GRWJOzvInwnEI/3Thz+DKySzKB2xDK/Nu8hXsmF37iYafLBSnDRGw8RPp6DQBBFNT84WlncCz71yNt7diiAmdxFVESIv3P0sXMVEXEJ3yx/8ke/2quGiCvYUfvxFsU8xsPIkA3gQodHJY+8q16kjafuMUZkuhZxhFZuScKEThlSkJcvlX+C19dlJYbQM/NoLN8KEeJ+ULoTd+CgGtlK7gXEE9GC5i+rTW/9pZrsg8MaPJAxw/jnZO9ikxJtxRPiJGJ7r2zkEwM9DdlPNlbPWw3BQO/ikOS6UhtcuQI2dj0KJC1b4jzrHCALa7h4tRZmT40isEC1KuGcj02CR0QFAVYWWCz9S6TE2RR8y+OiEJosRfTWFg1CbWyGjBAsZ8WbyAhufB6EhF2F5CA3bMnGc1D6JAgrQw0rowce1Znzs2hYQP4ysaDMLoUhRfDjdfUlb9byOeRwKnLFxg67mAHO1ON8DUT+ZnLeNH3rEmams5g9irtLcH3nxV45ESZfFDqVLr645gmfPNs92a8K1ZUwU3XpO6mOR7+iLiKpFIhlVavtsJPKE1XAxnhilH6Hekd78PAdKc+aZLeDGHUZcTZYEN76mxRfBe20GpkUlx9ekHN4ZP1qvQl301vefNpmfflcJheJ/fgsLjDW5US5hyG6PZ/+GG1xAEhBEmSKH9GvN7sk+FwaxdVSzZwcL7Dj2fyX89kSWoZdKMbE6RwsUHNo1Pdfc1w1M8RxSnOLZL7ijG/nJFLn0T6I5cjnKQ+qscsRQz+62aUczTRp80jFHnNo1VOrsO9Oz0YX1/t9Pnq1mR/X/UzZFwiRKrdLacTwRSEWUFi5zf4PX5rcd6EeZbp5DuvP7RZt39npAmzNz+TBKZP06RymG5CdDVzO41xNJWt7bQ/sd3tw3MUXJaz87Glbg7xq+5EdoUE9J/PaJfO5i+9CAaKCOiFBUfr/NjWv3zpfMCZ50HzqlsQCLnOMWS8S65V5xh2a1h77sOYsrWESvUcdg1ryfGd98znyNE5P7BEBo83P8DIKdYrRoPaWPWHRC6ldOOvFDEeaHy6GedV6k0qKcueGHNYRHG4aMOV9lnlc3qMOpXkNFWk45Mv5pmFgGlgrmutjXzi3ljxa0cGe5UUdPbr4lDZ+U2yPvCOu7Lg7FpVyCR77QMerF0xENKrhB4G57QBUhtx8TUdYH/B6+vka1LiKz/i09VEDiQ2K1q5831hUfrS6GyXN8p7JdhCQ3C66V8cMpb9/llO06LLV5Cc4ooB0svSigMuQ4UFDO5bTkrt7wGJLG/mHrb8DjDPI5nuWhyoxs6OqCvg2t2/HJwK9,iv:wiW/f7wLO7kfd3CKDfoYZnXj697qIFRokAut7VXALVM=,tag:VzKJ/BrCL6zNbglsDqJx9w==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age197d424aa7jpj2s735fl2h2s4c687y8vm44usx8wag0r2kh2v7ces4efdyn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAralB5SnNwckUxMkRad0Jr
+            U2xMRVpnUU9GNHpZTEtLdnpwc2tmT08rQmpNCnFzdHpOdWFpZzBNR1lUSHR5U3lr
+            Vk1HTEQ3REFvdUg1T0hMM014N3BtcVEKLS0tIE5LUTF4Qk1XSXlNNkxNN2pnVi9P
+            TXd3eUJyYTZYaENSV3FEU2pGbFc1RDQKMj8dOska8lpMAFKV2w6bbO/r01K/9Dw5
+            Q/jp5XdYtyaGSZcxRnHHbJYldyKKYII9Rcm/uDNuMNA/gCFvbSLccA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1qf4c4asf7wcqqyd9aju8fq9dvum4ptcqr8dd6xqengsf6jx7daqqtgup30
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuWmtMR1Vuc0g2OCsxSjJ2
+            eCs1bWJyT3g3QktRRHlzVFB6bkZjVjIwRlRFCmVtam9HWWErdlVwYkFrSUprZHR4
+            bllDcWdCT2ZiRFpaQ1lVZVBSb05kb2MKLS0tIGgrRUx4TTljdDVGVCtxN0kyZGRL
+            Vm1ldGhPRmNyZHErekRlbFBZQy8wK0EKY2vsWzqtX5w4vM0aLGEN2ZO0Rm9slcKk
+            6Yx2KvJAT6dNg2lqjzXYYS/MvnpOrW6fA46bmWKaAl9IzKhyW+2avw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-02-17T06:15:17Z"
+    mac: ENC[AES256_GCM,data:zbnP62SqnI7UUb5lP4UlgzWPDkUegvVX2lAbRcDqWqZJsXTkRPefdUIFPO3aZn2EW0aKlFQGEwARTtOtQ9hLYhbqcvAvh5Ur5eFh3szp9ejgF59JBdYGH8PTR/6FkCaVnyuMA1t3940gVhs8eIRdfdjihTHsIe254/3xzBtVG4o=,iv:j7EImL80FgAt7bjlkgB5KIKduKniUaoyz8fnHr/v2rM=,tag:5vK0s6Qf6t2HRhDPaZkT6Q==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4

secrets/secrets.yaml

@@ -1,21 +0,0 @@
-telegraf_influx_token: ENC[AES256_GCM,data:XHT7lvRrw9MeC0Jxe2EYTTa/iB5QLVTzp9TDJaljssRR+kGdK3va1u14NX5b6jFrHnAXLiMdMQ5UTdbsnYH43TnRkY29mcVHxwaQv+rbCgEIKOAYFeIw0g==,iv:uzBYXWYRDH6bHZ3pubWh5Qn/2dN2Rz+sjEmrqpKhA4o=,tag:wemgU05aTl9S1rwt+fVQug==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age197d424aa7jpj2s735fl2h2s4c687y8vm44usx8wag0r2kh2v7ces4efdyn
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2Tkc4Yml1R28zdlppY1dN
-            dnJMS0tLZTZQSWtNVGZDbHBKaUJ5RjJhdkZRClQ4K08rbUVoRm5jTGV0M3RzdUZv
-            T0tWbnFrYnNOQ1dXV21ka0dZZ0QyNk0KLS0tIC9FLzBHSVhXT0FYalc4L3VSVXNa
-            dmR2a2QvZVRPc3ZFc1EvVWZqMTdQcncKTc4D3riTbEcv3eeREFMIZYQk7aDvDZEt
-            xBCoMNVjYaLIy9ljNfLGKh0J/wed0MC6wBIfABuH6eanEvV4ob+xnw==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-18T02:36:09Z"
-    mac: ENC[AES256_GCM,data:lXFJxFQJy9qNu2dVo+UBIfDNAeZ4U2n5c085qYmAShJrY2OiX0+Dv6n4kLg1ohgPni0VG6tAayPghHkStQPT7chFZwlAlvRol1kELWDukygWgPfZqvooDlPlH3ews16TtEM/B/cTOYFZA3X82nJgjcoEFjUHasWg2Ryic5mWe0I=,iv:ys1nRfNV6gawPjPfjfJfLGSSSsiauNEJVMMTAzcoGf4=,tag:UowQI9F59EzDEyTROACI0A==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.9.2