Set jj signing behavior to `drop`

Pin docker images
Deploy headplane
2026-04-23 16:40:22 +02:00 · 2026-03-31 13:48:30 +02:00 · 2026-03-31 13:01:54 +02:00 · 2026-03-31 12:51:57 +02:00
14 changed files with 169 additions and 42 deletions
--- a/README.md
+++ b/README.md
@ -24,7 +24,6 @@
    - `matterbridge`
    - `mc-e2e`
    - `mc-enigmatica-8`
-    - `mstdn-ebooks`
    - `nyandroid`
    - `prometheus2`
    - `prosody`
--- a/common/fragments/bittorrent.nix
+++ b/common/fragments/bittorrent.nix
@ -10,7 +10,7 @@
    in
    {
      "gluetun" = {
-        image = "qmcgaw/gluetun:latest";
+        image = "qmcgaw/gluetun:v3@sha256:1a5bf4b4820a879cdf8d93d7ef0d2d963af56670c9ebff8981860b6804ebc8ab";
        autoStart = true;
        volumes = [
          "/var/lib/gluetun:/gluetun"
@ -35,7 +35,7 @@
        ];
      };
      "qbittorrent" = {
-        image = "lscr.io/linuxserver/qbittorrent:latest";
+        image = "lscr.io/linuxserver/qbittorrent:5.1.4@sha256:474ef1f1c63fc060236e85cd6ec4a3232aea5a0d7a033c6bab9911039933f147";
        autoStart = true;
        dependsOn = [ "gluetun" ];
        volumes = [
@ -53,7 +53,7 @@
        ];
      };
      "qui" = {
-        image = "ghcr.io/autobrr/qui:latest";
+        image = "ghcr.io/autobrr/qui:v1.15.0@sha256:da33f8c850f7d6f1bfaee26b9553b21411e872639d54193906fa2cec51af1d0f ";
        autoStart = true;
        dependsOn = [ "qbittorrent" ];
        volumes = [
--- a/common/fragments/headscale.nix
+++ b/common/fragments/headscale.nix
@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, pkgs, ... }:
 {
  services.headscale = {
    enable = true;
@ -25,4 +25,64 @@
      proxyWebsockets = true;
    };
  };
+
+  sops.secrets."headplane/cookie-secret" = {
+    owner = config.services.headscale.user;
+  };
+  sops.secrets."headplane/integration-agent-authkey" = {
+    owner = config.services.headscale.user;
+  };
+  sops.secrets."headplane/oidc/client-secret" = {
+    owner = config.services.headscale.user;
+  };
+  sops.secrets."headplane/oidc/headscale-api-key" = {
+    owner = config.services.headscale.user;
+  };
+  services.headplane =
+    let
+      settings = pkgs.lib.recursiveUpdate config.services.headscale.settings {
+        tls_cert_path = "/dev/null";
+        tls_key_path = "/dev/null";
+        policy.path = "/dev/null";
+        oidc.client_secret_path = "/dev/null";
+      };
+      hs_config = (pkgs.formats.yaml { }).generate "headscale.yml" settings;
+    in
+    {
+      enable = true;
+      settings = {
+        server = {
+          port = 4000;
+          base_url = "https://mgmt.hs.technogothic.net";
+          cookie_secret_path = config.sops.secrets."headplane/cookie-secret".path;
+        };
+        headscale = {
+          url = "https://hs.technogothic.net";
+          config_path = hs_config;
+        };
+        integration.agent = {
+          enabled = true;
+          pre_authkey_path = config.sops.secrets."headplane/integration-agent-authkey".path;
+        };
+        oidc = {
+          issuer = "https://aphex.technogothic.net/oauth2/openid/headplane";
+          client_id = "headplane";
+          client_secret_path = config.sops.secrets."headplane/oidc/client-secret".path;
+          disable_api_key_login = true;
+          use_pkce = true;
+          headscale_api_key_path = config.sops.secrets."headplane/oidc/headscale-api-key".path;
+        };
+      };
+    };
+
+  security.acme.certs."technogothic.net".extraDomainNames = [ "*.hs.technogothic.net" ];
+  services.nginx.virtualHosts."mgmt.hs.technogothic.net" = {
+    useACMEHost = "technogothic.net";
+    forceSSL = true;
+
+    locations."/" = {
+      proxyPass = "http://localhost:4000";
+      proxyWebsockets = true;
+    };
+  };
 }
--- a/common/fragments/home-assistant.nix
+++ b/common/fragments/home-assistant.nix
@ -19,7 +19,7 @@

  virtualisation.oci-containers.containers = {
    "home-assistant" = {
-      image = "ghcr.io/home-assistant/home-assistant:stable";
+      image = "ghcr.io/home-assistant/home-assistant:stable@sha256:916682086154a7390114a9788782b8efb199852d4f7d47066722c2bc5d1829e6";
      autoStart = true;
      volumes = [
        "/var/lib/hass:/config"
--- a/common/fragments/mastodon-ebooks.nix
+++ b/common/fragments/mastodon-ebooks.nix
@ -1,22 +0,0 @@
-{ pkgs, ... }: {
-  virtualisation.oci-containers.containers = {
-    "ebooks-agatha" = {
-      image = "agathasorceress/mstdn-ebooks:v1.2";
-      environment = {
-        POST_TIMINGS = "0 */6 * * *";
-        FETCH_TIMINGS = "5 * */1 * *";
-      };
-      autoStart = true;
-      volumes = [ "/var/lib/mstdn-ebooks/agatha:/ebooks/data" ];
-    };
-    "ebooks-amelia" = {
-      image = "agathasorceress/mstdn-ebooks:v1.2";
-      environment = {
-        POST_TIMINGS = "0 */5 * * *";
-        FETCH_TIMINGS = "0 14 */1 * *";
-      };
-      autoStart = true;
-      volumes = [ "/var/lib/mstdn-ebooks/amelia:/ebooks/data" ];
-    };
-  };
-}
--- a/common/fragments/media.nix
+++ b/common/fragments/media.nix
@ -13,7 +13,7 @@
    format = "dotenv";
  };
  virtualisation.oci-containers.containers."jellyfin-prometheus-exporter" = {
-    image = "rebelcore/jellyfin-exporter:latest";
+    image = "rebelcore/jellyfin-exporter:v1.4.0@sha256:dd35d901df663141025670b4b44a62a178b331e9fa084b17016f6fba46343ce9";
    autoStart = true;
    ports = [
      "127.0.0.1:9007:9594"
--- a/common/fragments/nyandroid.nix
+++ b/common/fragments/nyandroid.nix
@ -1,7 +1,7 @@
 {
  virtualisation.oci-containers.containers = {
    "nyandroid" = {
-      image = "registry.gitlab.com/xenua/nyandroid:latest";
+      image = "registry.gitlab.com/xenua/nyandroid:latest@sha256:1aaf7a175edaf689940de4ca6d368467d922fb1d610de0f7787ae96eb960fed5";
      autoStart = true;
      volumes = [ "/var/lib/nyandroid:/nyandroid/code/data" ];
      environmentFiles = [ "/var/lib/secrets/nyandroid-token" ];
--- a/common/fragments/sponsorblock.nix
+++ b/common/fragments/sponsorblock.nix
@ -1,7 +1,7 @@
 {
  virtualisation.oci-containers.containers = {
    "isponsorblocktv" = {
-      image = "ghcr.io/dmunozv04/isponsorblocktv";
+      image = "ghcr.io/dmunozv04/isponsorblocktv:v2.6.1@sha256:545856523283753ebcf4b400a46895b9906844be5265a0f4cab98a6b0bdf84be";
      autoStart = true;
      volumes = [ "/var/lib/sponsorblock:/app/data" ];
      extraOptions = [ "--network=host" ];
--- a/common/home_manager/vcs.nix
+++ b/common/home_manager/vcs.nix
@ -34,7 +34,7 @@
        inherit (config.home-manager.users.agatha.programs.git.settings) user;
        signing = {
          backend = "ssh";
-          behavior = "own";
+          behavior = "drop";
          backends.ssh.allowed-signers = "~/.gitallowedsigners";
        };
        git.sign-on-push = true;
--- a/flake.lock
+++ b/flake.lock
@ -21,6 +21,27 @@
        "type": "github"
      }
    },
+    "devshell": {
+      "inputs": {
+        "nixpkgs": [
+          "headplane",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1768818222,
+        "narHash": "sha256-460jc0+CZfyaO8+w8JNtlClB2n4ui1RbHfPTLkpwhU8=",
+        "owner": "numtide",
+        "repo": "devshell",
+        "rev": "255a2b1725a20d060f566e4755dbf571bbbb5f76",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "devshell",
+        "type": "github"
+      }
+    },
    "flake-compat": {
      "flake": false,
      "locked": {
@ -38,6 +59,24 @@
      }
    },
    "flake-utils": {
+      "inputs": {
+        "systems": "systems_2"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_2": {
      "locked": {
        "lastModified": 1667395993,
        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
@ -52,6 +91,28 @@
        "type": "github"
      }
    },
+    "headplane": {
+      "inputs": {
+        "devshell": "devshell",
+        "flake-utils": "flake-utils",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1773769413,
+        "narHash": "sha256-g0FBrMTSFL8zjKhdAN+uh5luhENI3WY+uh6l7VttCaM=",
+        "owner": "tale",
+        "repo": "headplane",
+        "rev": "b6b773fa6d879548a5be8613980ad31884617fc9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "tale",
+        "repo": "headplane",
+        "type": "github"
+      }
+    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
@ -114,7 +175,7 @@
    "mms": {
      "inputs": {
        "flake-compat": "flake-compat",
-        "flake-utils": "flake-utils",
+        "flake-utils": "flake-utils_2",
        "nix": "nix",
        "nixpkgs": [
          "nixpkgs"
@ -329,6 +390,7 @@
    "root": {
      "inputs": {
        "ccase": "ccase",
+        "headplane": "headplane",
        "home-manager": "home-manager",
        "matrix-ril100": "matrix-ril100",
        "mms": "mms",
@ -421,6 +483,21 @@
        "type": "github"
      }
    },
+    "systems_5": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
    "url-eater": {
      "inputs": {
        "naersk": "naersk_2",
@ -463,7 +540,7 @@
    },
    "utils_2": {
      "inputs": {
-        "systems": "systems_2"
+        "systems": "systems_3"
      },
      "locked": {
        "lastModified": 1687709756,
@ -481,7 +558,7 @@
    },
    "utils_3": {
      "inputs": {
-        "systems": "systems_3"
+        "systems": "systems_4"
      },
      "locked": {
        "lastModified": 1731533236,
@ -499,7 +576,7 @@
    },
    "utils_4": {
      "inputs": {
-        "systems": "systems_4"
+        "systems": "systems_5"
      },
      "locked": {
        "lastModified": 1681202837,
--- a/flake.nix
+++ b/flake.nix
@ -40,6 +40,11 @@
      url = "github:rutrum/ccase";
      inputs.nixpkgs.follows = "nixpkgs-unstable";
    };
+
+    headplane = {
+      url = "github:tale/headplane";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
  };
  outputs =
    {
@ -53,6 +58,7 @@
      matrix-ril100,
      vampysite,
      ccase,
+      headplane,
      ...
    }:
    let
@ -128,6 +134,8 @@
          ./hosts/synchronicity/configuration.nix
          (import "${home-manager}/nixos")
          sops-nix.nixosModules.sops
+          headplane.nixosModules.headplane
+          { nixpkgs.overlays = [ headplane.overlays.default ]; }
        ];
      };
      nixosConfigurations."watchtower" = nixpkgs.lib.nixosSystem {
--- a/hosts/bloodletting/configuration.nix
+++ b/hosts/bloodletting/configuration.nix
@ -10,7 +10,6 @@
    ../../common
    ../../common/linux-specific.nix
    ../../common/fragments/fail2ban.nix
-    ../../common/fragments/mastodon-ebooks.nix
    ../../common/fragments/mastodon.nix
    ../../common/fragments/matrix-ril100.nix
    ../../common/fragments/matterbridge.nix
--- a/secrets/hurricane-tokens.env
+++ b/secrets/hurricane-tokens.env
@ -1,11 +1,11 @@
-HURRICANE_TOKENS=ENC[AES256_GCM,data:wUBal5xSVjfe81pY3nw6WXNah8sGEiWmLz6FLk5Elan4JgPw70Q3+SiKlyo6IsyIMQ1GTgIkRu5wP8ijZV4sEi1emZzE0qPxYx8=,iv:ZJLRj0zFBfg0va+MC4OMUESXBEYw7tGZjBLWw/buRek=,tag:A0507C0hZ10wiMK8S7eALw==,type:str]
+HURRICANE_TOKENS=ENC[AES256_GCM,data:F3/j+lWh2t04FlWmR8FUAF7qfh40QuOr4FLynZ0guukMCFQTwTTkn/TIgNXflHRPQ2xeTxX8cWehxEylEr+9q0X+cH2zz+xIWVAZgIZ1iHVPBqgByb4AbZjaHChuhufyDtda5KYkngyKPbNvKyO6,iv:LpxjpOIsPCsY7Hhj7LGm1j46awKaKvmTROTpBFOgTd0=,tag:tEMQ3XicnpNz7wyihT6x8w==,type:str]
 sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IFdhNW5ydyBBbGRTeXdh\nY2RLaXAvVTJwbGhMWFFCNjVUR0VCeDNHS28xVXFobjViWXJlSApoZzNnMmdHdENh\nOXRVeWt0RmoyL0lEY0h5a2N2cG84emFOdlNkdkoybEdNCi0tLSBFQWtROUF6eExl\neTFDZUErc3lScjJXRFZINE8rTjE5NXVJd0ZDUGNwS1hBCjGca3mxgf3e+V3dHLfu\n3+lLIPUVhrSqdyvS3blaW7pNosjjgJIOme6C0iV78vB5qvnF1U1W3DhKEfQaYRm0\n2PU=\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_0__map_recipient=age1se1q089cm462yku3md4xyk9lc4ck2x429awx9gh75lg6tpcaeyumcpnud7nht9
 sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVWkZpaUJXZXlOZ3UydUF0\nTUZCRFhxcG9ndXFrc3J5U2VGRkZDT2tLSlZvCmN6Z3pQS29iamZIS2ZpbkI3c1M0\nMmZwbEhsSDY0VjNKeXkrZ2U5b3l4NFEKLS0tIG9jbUprMDF6ekE2ZVFCWEJ4SDkz\nNkpKeThmS0RiNG42bko5N0ZDT0JmVTQKDmiaRvZzTEP+FV5Cu0wdAq72ZTLO70nA\nCgcxktWG3vOW1tjcc2brMICiCBC1wKPg6AAxQTU7txGjWm1MA7cjPg==\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_1__map_recipient=age1kjnrt7vnwhqzryxrgakd7tdga9sxvjrlgtj0j8xz0sah798atvxquvpqla
 sops_age__list_2__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVSFpwSEJheWo0RE5EZVVT\nNjAvd1l1WEwySkpNVzF0N2ZFVHhjZ0NoT2xZCjB6NWFWMytwNk4zZjFEZXE5OVpW\nVytweEdoVkZVYzBabm9IeHFPZC9DU28KLS0tIGx0eW1KUmJkVkc4a3owTmxpMmVL\nRTdCMTdWZXFLUWZtTUoxdG8xTzNVaUkKNbcqCB/7wNXfbNLvKTJ2XwHZmgAqVdbB\nLxSkLWp5ecdKfa1eK1I/NcWT2p6P9dWjRqYF1VzAxN51vv4FJ0ljUg==\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_2__map_recipient=age1nhs7nhvkqhw8qgdyxwmgts044ce3t7jsgesea5l5mfz4ex6jsgyq76cfsy
-sops_lastmodified=2026-01-21T15:46:31Z
-sops_mac=ENC[AES256_GCM,data:ZPwm9aNsY0m95Db2BiwFTsybthS2SZPdS37uesTZEX77gnBt79UE55z3kaP66a5F2PUiUuEBMDC+Rl44qSOL67fWbUqmFPKQMz4U463oerAvCB9K5W9ZZai+EC9cia073ScmrC+4xrJ2OrIYqxA+WoKz+oUXU7SkDUy9Zll2eJw=,iv:du+q9lOlAySVWf8BbFPBydYL9geuPjOvRVmpq8E7whM=,tag:V2A+V35LCmfMHRT7wXgGzA==,type:str]
+sops_lastmodified=2026-03-17T19:17:40Z
+sops_mac=ENC[AES256_GCM,data:c3IXLegwe6MA84cYDg4zmiNPLwTbQgNuR5+Jd6LfxHCq8/V605qQm3jvYSv3YrSXRyWgIDzSJX7UYmPXkVmYPeGirGR2y3q6uCb/If3HYVrhxDpYcfgis4byXCtZJUSuAe+bweLmN2PEyT+aozuXnhuhqoHXNucUTYThUrzEY1E=,iv:8GE34IhdGplXIByAoUIhc9pc3zfAoncMqtUT4OPw81Q=,tag:iKz+ocHuyGbxonin+fafPg==,type:str]
 sops_unencrypted_suffix=_unencrypted
 sops_version=3.11.0
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@ -4,6 +4,12 @@ create-ap-pass: ENC[AES256_GCM,data:iIq0ZUCWKYKZWNmvTjon0D8HkzxL9iqX5rJj6VBkkwI=
 qbittorrent-pass: ENC[AES256_GCM,data:J5m9y2pX5oI6ziIkhlMXXgszDum+rfQFfAQoImawW48=,iv:FqOYreDUX0CATPugra/dTlx2yMS4UMN0o8NesueRu3k=,tag:neKoHJhwdUdl/2mJKWkslg==,type:str]
 grafana-key: ENC[AES256_GCM,data:m/MJnidxdqnGk2GO6JXQ9Gw36a5gIWkVumggOx6NjZE=,iv:aCArsPNlDsp1b0+CAYRqAHV5n69wwUccSgvTXpKhEwQ=,tag:10rM/WytKNS3HqHMht4sMw==,type:str]
 grafana-oauth: ENC[AES256_GCM,data:en+OyzGDfNKYisyQxvlIRVrCXPNgyOgCIngtoEsJNTnO9RHqW4ny+rfKhZz0IZfl,iv:tI1q9UYI8ddi4KkSi/NiNJ50Eo21yi+vSHs9KZUsm58=,tag:SeGw6fJVshVAvuMfYcnDqg==,type:str]
+headplane:
+    cookie-secret: ENC[AES256_GCM,data:OS6Igw2D8o4KzHQDh6boGUAf4CA4/nrNnEMQfBoSpe4=,iv:AjV1bPUAUMX+Q97WNzlYo7pRxaj1gl/QsNBe7+1ld7k=,tag:dWV39QAqxnNpvUT0DsiBqA==,type:str]
+    integration-agent-authkey: ENC[AES256_GCM,data:AbjZ9xG+SQPjYtzCs8o8s/gMY9zRv02xupBpBn0Qn+GZKgCyxWw5nPEX+4ait68x,iv:1dgTUX1d6lkiJFnXPCGprlbrLycdqsDWa1LsZ8EDSaA=,tag:xqVjEqaoXnCDYCitRPDfjQ==,type:str]
+    oidc:
+        client-secret: ENC[AES256_GCM,data:F8LZWEqlG1NlfMKpQ4322wnD50xadolJN4Mp125hU0tqeiWAGwH+/utYKjx4EOhc,iv:8pTaDCZj4CAg+6BS9UUeZ8a3H6a5qXwsgU017XIhfTI=,tag:U8u4W+4dt1BeeFeAYhIvaw==,type:str]
+        headscale-api-key: ENC[AES256_GCM,data:J3aAOWuUfW8xRen5lUIuY5HedwnfDE7/7qaMFBOHDNS7E3m2s1KpzA==,iv:PbLFTibw4eFcuqCDFnRwN4EwvXk5ZglDycIdpR+4nuk=,tag:IJujjTsjL/ynCCYOXF1dBQ==,type:str]
 sops:
    age:
        - recipient: age1se1q089cm462yku3md4xyk9lc4ck2x429awx9gh75lg6tpcaeyumcpnud7nht9
@ -34,7 +40,7 @@ sops:
            RGtjY1V6U2tla3ZaS09haXYrYUNrVDgK0e3UVPshSTB7kwYzm4uVUDif2PwiIGg4
            Qb4P3L13Lg6tT0a1SBEs2gedbNVcWyA0YgGTWouWvZIhBmSCOvHYVQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-02-08T00:40:49Z"
-    mac: ENC[AES256_GCM,data:erZf2eNF422UBzmRDgviq+X+ghs+CfP6gKSCJQsYR/AMr2QYuewzAfPEQ9UKcw8LNRmdlRCcqp7CV0qpUk+38j4m54ETDMqUBS3bwRjaKD/RocJ/5VB3Paq8rt5eiNH0KK4deFmm6ZHp5bccJwH45ne/ys2tLGbp+EiDCjGkud0=,iv:AzzlewHvkTcAO9KLM1+lS4mvb8A75gPgquTNLzXEDvw=,tag:LY0+FTisigltO+pmrTzxgQ==,type:str]
+    lastmodified: "2026-03-18T11:02:40Z"
+    mac: ENC[AES256_GCM,data:+6kk7iEZrNwPvcSag/z5W86wSrVm0qzwVKM/l9FDWtcfinFITIioecgPP+UdJxD6DhDwGOem9NWIcMUNVC1vhAyChM6xNr9oXm1sRxkpR+LZe1hiUnj6mXiZf7kcpz9FgY+nigTtME8GQiePBwPfctkpYEAv4P6RgGYFFTTpGpE=,iv:6AuBekjDO0ibNLODN9tDxB8DqP+I0l/jmbCQO9n8g3Y=,tag:4yI58P3EjJlOapKsBDsC0A==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0
Author	SHA1	Message	Date
Agatha Lovelace	46270f87e9	Set jj signing behavior to `drop`	2026-04-23 16:40:22 +02:00
Agatha Lovelace	577a45827c	Pin docker images	2026-03-31 13:48:30 +02:00
Agatha Lovelace	ae65e9768b	Deploy headplane	2026-03-31 13:01:54 +02:00
Agatha Lovelace	053fb996e5	Remove mstdn-ebooks	2026-03-31 12:51:57 +02:00