Merge branch 'main' into bot/handy-0.7.10

update handy to 0.7.10
2026-03-11 16:36:22 +00:00 · 2026-03-11 06:40:25 +00:00
19 changed files with 377 additions and 537 deletions
@@ -1,20 +0,0 @@
 #!/usr/bin/env bash
 set -euo pipefail
 : "${BRANCH:?BRANCH is required}"
 : "${FILE:?FILE is required}"
 : "${COMMIT_MESSAGE:?COMMIT_MESSAGE is required}"
 git config user.name "gitea actions"
 git config user.email "actions@localhost"
 git checkout -B "$BRANCH"
 git add "$FILE"
 if git diff --cached --quiet; then
  echo "No staged changes for ${FILE}; skipping commit"
  exit 0
 fi
 git commit -m "$COMMIT_MESSAGE"
 git push --force origin "$BRANCH"
@@ -1,48 +0,0 @@
 #!/usr/bin/env bash
 set -euo pipefail
 : "${GITEA_API:?GITEA_API is required}"
 : "${GITEA_TOKEN:?GITEA_TOKEN is required}"
 : "${BRANCH:?BRANCH is required}"
 : "${TITLE:?TITLE is required}"
 : "${BODY:?BODY is required}"
 owner_prefix="${HEAD_OWNER_PREFIX:-thomas}"
 existing=$(curl -fsS \
  -H "Authorization: token ${GITEA_TOKEN}" \
  "${GITEA_API}/pulls?state=open" \
  | python -c 'import json,sys,os; d=json.load(sys.stdin); b=os.environ["BRANCH"]; print(next((str(pr["number"]) for pr in d if isinstance(pr,dict) and pr.get("head",{}).get("ref")==b), ""))')
 if [ -n "$existing" ]; then
  echo "PR already exists: #$existing"
  exit 0
 fi
 echo "Creating PR..."
 created="false"
 for head in "${BRANCH}" "${owner_prefix}:${BRANCH}"; do
  echo "Trying head=${head}"
  payload=$(HEAD_REF="$head" TITLE="$TITLE" BODY="$BODY" python -c 'import json,os; print(json.dumps({"title": os.environ["TITLE"], "head": os.environ["HEAD_REF"], "base": "main", "body": os.environ["BODY"]}))')
  response=$(curl -sS -w '\n%{http_code}' -X POST \
    -H "Authorization: token ${GITEA_TOKEN}" \
    -H "Content-Type: application/json" \
    "${GITEA_API}/pulls" \
    -d "$payload")
  body=$(printf '%s\n' "$response" | sed '$d')
  code=$(printf '%s\n' "$response" | tail -n1)
  echo "Create PR status: $code"
  echo "$body"
  if [ "$code" -ge 200 ] && [ "$code" -lt 300 ]; then
    created="true"
    break
  fi
 done
 if [ "$created" != "true" ]; then
  echo "PR creation failed"
  exit 1
 fi
@@ -1,72 +0,0 @@
 #!/usr/bin/env bash
 set -euo pipefail
 : "${FILE:?FILE is required}"
 : "${LATEST_RELEASE_URL:?LATEST_RELEASE_URL is required}"
 : "${DOWNLOAD_URL_TEMPLATE:?DOWNLOAD_URL_TEMPLATE is required}"
 if command -v python >/dev/null 2>&1; then
  PYTHON_BIN=python
 elif command -v python3 >/dev/null 2>&1; then
  PYTHON_BIN=python3
 else
  echo "python is required but was not found"
  exit 1
 fi
 version_strip_prefix="${LATEST_VERSION_STRIP_PREFIX:-v}"
 release_tag_template="${RELEASE_TAG_TEMPLATE:-{version}}"
 release_tag_template="${release_tag_template//$'\r'/}"
 current_version=$($PYTHON_BIN - <<'PY'
 import re
 import os
 p=os.environ["FILE"]
 s=open(p).read()
 m=re.search(r'version\s*=\s*"([^"]+)";', s)
 print(m.group(1) if m else "")
 PY
 )
 latest_version=$(curl -fsSLI -o /dev/null -w '%{url_effective}' "$LATEST_RELEASE_URL" \
  | sed -E 's#.*/##')
 if [ -n "$version_strip_prefix" ]; then
  latest_version="${latest_version#${version_strip_prefix}}"
 fi
 echo "current=$current_version"
 echo "latest=$latest_version"
 if [ -z "$latest_version" ] || [ "$latest_version" = "$current_version" ]; then
  echo "updated=false" >> "$GITHUB_OUTPUT"
  exit 0
 fi
 download_url="${DOWNLOAD_URL_TEMPLATE//\{version\}/$latest_version}"
 new_hash=$(nix store prefetch-file --json "$download_url" | "$PYTHON_BIN" -c 'import json,sys; print(json.load(sys.stdin)["hash"])')
 export LATEST_VERSION="$latest_version"
 export NEW_HASH="$new_hash"
 "$PYTHON_BIN" - <<'PY'
 import os
 import re
 p=os.environ["FILE"]
 s=open(p).read()
 s=re.sub(r'version\s*=\s*"[^"]+"', f'version = "{os.environ["LATEST_VERSION"]}"', s, count=1)
 s=re.sub(r'hash\s*=\s*"[^"]+"', f'hash = "{os.environ["NEW_HASH"]}"', s, count=1)
 open(p,"w").write(s)
 PY
 release_tag="${release_tag_template//\{version\}/$latest_version}"
 release_tag="${release_tag#\{}"
 release_tag="${release_tag%\}}"
 release_tag="${release_tag#\'}"
 release_tag="${release_tag%\'}"
 release_url="${LATEST_RELEASE_URL%/latest}/tag/${release_tag}"
 echo "updated=true" >> "$GITHUB_OUTPUT"
 echo "version=$latest_version" >> "$GITHUB_OUTPUT"
 echo "previous_version=$current_version" >> "$GITHUB_OUTPUT"
 echo "release_url=$release_url" >> "$GITHUB_OUTPUT"
@@ -21,25 +21,66 @@ jobs:
      - name: check latest handy release and update file
        id: update
        env:
          FILE: modules/pkgs/handy.nix
          LATEST_RELEASE_URL: https://github.com/cjpais/Handy/releases/latest
          DOWNLOAD_URL_TEMPLATE: https://github.com/cjpais/Handy/releases/download/v{version}/Handy_{version}_amd64.AppImage
          RELEASE_TAG_TEMPLATE: v{version}
        shell: bash
-        run: bash .gitea/scripts/update-appimage-nix.sh
+        run: |
          set -euo pipefail
          FILE="modules/pkgs/handy.nix"
          current_version=$(python - <<'PY'
          import re
          s=open('modules/pkgs/handy.nix').read()
          m=re.search(r'version\s*=\s*"([^"]+)";', s)
          print(m.group(1) if m else "")
          PY
          )
          latest_version=$(curl -fsSLI -o /dev/null -w '%{url_effective}' \
            'https://github.com/cjpais/Handy/releases/latest' \
            | sed -E 's#.*/##' \
            | sed 's/^v//')
          echo "current=$current_version"
          echo "latest=$latest_version"
          if [ -z "$latest_version" ] || [ "$latest_version" = "$current_version" ]; then
            echo "updated=false" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          url="https://github.com/cjpais/Handy/releases/download/v${latest_version}/Handy_${latest_version}_amd64.AppImage"
          new_hash=$(nix store prefetch-file --json "$url" | python -c 'import json,sys; print(json.load(sys.stdin)["hash"])')
          export LATEST_VERSION="$latest_version"
          export NEW_HASH="$new_hash"
          python - <<PY
          import re
          import os
          p='modules/pkgs/handy.nix'
          s=open(p).read()
          s=re.sub(r'version\s*=\s*"[^"]+"', f'version = "{os.environ["LATEST_VERSION"]}"', s, count=1)
          s=re.sub(r'hash\s*=\s*"[^"]+"', f'hash = "{os.environ["NEW_HASH"]}"', s, count=1)
          open(p,'w').write(s)
          PY
          echo "updated=true" >> "$GITHUB_OUTPUT"
          echo "version=$latest_version" >> "$GITHUB_OUTPUT"
      - name: create branch and commit
        if: steps.update.outputs.updated == 'true'
        shell: bash
        run: |
          set -euo pipefail
-          version="${{ steps.update.outputs.version }}"
+          branch="bot/handy-${{ steps.update.outputs.version }}"
-          BRANCH="bot/handy-${version}" \
+          git config user.name "gitea actions"
-          FILE="modules/pkgs/handy.nix" \
+          git config user.email "actions@localhost"
-          COMMIT_MESSAGE="update handy to ${version}" \
+
-          bash .gitea/scripts/commit-update.sh
+          git checkout -B "$branch"
          git add modules/pkgs/handy.nix
          git commit -m "update handy to ${{ steps.update.outputs.version }}"
          git push --force origin "$branch"
      - name: open pull request
        if: steps.update.outputs.updated == 'true'
@@ -49,22 +90,50 @@ jobs:
        run: |
          set -euo pipefail
-          version="${{ steps.update.outputs.version }}"
+          api="https://gitea.unrail.xyz/api/v1/repos/thomas/nixos-config"
-          previous_version="${{ steps.update.outputs.previous_version }}"
+          branch="bot/handy-${{ steps.update.outputs.version }}"
          release_url="${{ steps.update.outputs.release_url }}"
-          pr_body=$(cat <<EOF
+          if [ -z "${GITEA_TOKEN:-}" ]; then
-          automated update of handy appimage version and hash
+            echo "GITEA_TOKEN is empty (check repo secret tea_token/TEA_TOKEN)"
            exit 1
          fi
-          ## changelog
+          echo "Checking for existing PRs..."
-          from \`${previous_version}\` to \`${version}\`
+          existing=$(curl -fsS \
            -H "Authorization: token ${GITEA_TOKEN}" \
            "${api}/pulls?state=open" \
            | python -c 'import json,sys; d=json.load(sys.stdin); b="'"$branch"'"; print(next((str(pr["number"]) for pr in d if isinstance(pr,dict) and pr.get("head",{}).get("ref")==b), ""))')
-          upstream release: ${release_url}
+          if [ -n "$existing" ]; then
-          EOF
+            echo "PR already exists: #$existing"
-          )
+            exit 0
          fi
-          GITEA_API="https://gitea.unrail.xyz/api/v1/repos/thomas/nixos-config" \
+          echo "Creating PR..."
-          BRANCH="bot/handy-${version}" \
+          created="false"
-          TITLE="update handy to ${version}" \
+          for head in "${branch}" "thomas:${branch}"; do
-          BODY="$pr_body" \
+            echo "Trying head=${head}"
-          bash .gitea/scripts/create-gitea-pr.sh
+            payload=$(printf '{"title":"update handy to %s","head":"%s","base":"main","body":"automated update of handy appimage version and hash"}' \
              "${{ steps.update.outputs.version }}" "$head")
            response=$(curl -sS -w '\n%{http_code}' -X POST \
              -H "Authorization: token ${GITEA_TOKEN}" \
              -H "Content-Type: application/json" \
              "${api}/pulls" \
              -d "$payload")
            body=$(printf '%s\n' "$response" | sed '$d')
            code=$(printf '%s\n' "$response" | tail -n1)
            echo "Create PR status: $code"
            echo "$body"
            if [ "$code" -ge 200 ] && [ "$code" -lt 300 ]; then
              created="true"
              break
            fi
          done
          if [ "$created" != "true" ]; then
            echo "PR creation failed"
            exit 1
          fi
@@ -21,25 +21,67 @@ jobs:
      - name: check latest helium release and update file
        id: update
        env:
          FILE: modules/pkgs/helium.nix
          LATEST_RELEASE_URL: https://github.com/imputnet/helium-linux/releases/latest
          DOWNLOAD_URL_TEMPLATE: https://github.com/imputnet/helium-linux/releases/download/{version}/helium-{version}-x86_64.AppImage
          RELEASE_TAG_TEMPLATE: '{version}'
        shell: bash
-        run: bash .gitea/scripts/update-appimage-nix.sh
+        run: |
          set -euo pipefail
          FILE="modules/pkgs/helium.nix"
          current_version=$(python - <<'PY'
          import re
          p='modules/pkgs/helium.nix'
          s=open(p).read()
          m=re.search(r'version\s*=\s*"([^"]+)";', s)
          print(m.group(1) if m else "")
          PY
          )
          latest_version=$(curl -fsSLI -o /dev/null -w '%{url_effective}' \
            'https://github.com/imputnet/helium-linux/releases/latest' \
            | sed -E 's#.*/##' \
            | sed 's/^v//')
          echo "current=$current_version"
          echo "latest=$latest_version"
          if [ -z "$latest_version" ] || [ "$latest_version" = "$current_version" ]; then
            echo "updated=false" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          url="https://github.com/imputnet/helium-linux/releases/download/${latest_version}/helium-${latest_version}-x86_64.AppImage"
          new_hash=$(nix store prefetch-file --json "$url" | python -c 'import json,sys; print(json.load(sys.stdin)["hash"])')
          export LATEST_VERSION="$latest_version"
          export NEW_HASH="$new_hash"
          python - <<PY
          import re
          import os
          p='modules/pkgs/helium.nix'
          s=open(p).read()
          s=re.sub(r'version\s*=\s*"[^"]+"', f'version = "{os.environ["LATEST_VERSION"]}"', s, count=1)
          s=re.sub(r'hash\s*=\s*"[^"]+"', f'hash = "{os.environ["NEW_HASH"]}"', s, count=1)
          open(p,'w').write(s)
          PY
          echo "updated=true" >> "$GITHUB_OUTPUT"
          echo "version=$latest_version" >> "$GITHUB_OUTPUT"
      - name: create branch and commit
        if: steps.update.outputs.updated == 'true'
        shell: bash
        run: |
          set -euo pipefail
-          version="${{ steps.update.outputs.version }}"
+          branch="bot/helium-${{ steps.update.outputs.version }}"
-          BRANCH="bot/helium-${version}" \
+          git config user.name "gitea actions"
-          FILE="modules/pkgs/helium.nix" \
+          git config user.email "actions@localhost"
-          COMMIT_MESSAGE="update helium to ${version}" \
+
-          bash .gitea/scripts/commit-update.sh
+          git checkout -B "$branch"
          git add modules/pkgs/helium.nix
          git commit -m "update helium to ${{ steps.update.outputs.version }}"
          git push --force origin "$branch"
      - name: open pull request
        if: steps.update.outputs.updated == 'true'
@@ -49,22 +91,50 @@ jobs:
        run: |
          set -euo pipefail
-          version="${{ steps.update.outputs.version }}"
+          api="https://gitea.unrail.xyz/api/v1/repos/thomas/nixos-config"
-          previous_version="${{ steps.update.outputs.previous_version }}"
+          branch="bot/helium-${{ steps.update.outputs.version }}"
          release_url="${{ steps.update.outputs.release_url }}"
-          pr_body=$(cat <<EOF
+          if [ -z "${GITEA_TOKEN:-}" ]; then
-          automated update of helium appimage version and hash
+            echo "GITEA_TOKEN is empty (check repo secret tea_token/TEA_TOKEN)"
            exit 1
          fi
-          ## changelog
+          # Skip if PR for this branch already exists
-          from \`${previous_version}\` to \`${version}\`
+          existing=$(curl -fsS \
            -H "Authorization: token ${GITEA_TOKEN}" \
            "${api}/pulls?state=open" \
            | python -c 'import json,sys; d=json.load(sys.stdin); b="'"$branch"'"; print(next((str(pr["number"]) for pr in d if pr.get("head",{}).get("ref")==b), ""))')
-          upstream release: ${release_url}
+          if [ -n "$existing" ]; then
-          EOF
+            echo "PR already exists: #$existing"
-          )
+            exit 0
          fi
-          GITEA_API="https://gitea.unrail.xyz/api/v1/repos/thomas/nixos-config" \
+          echo "Creating PR..."
-          BRANCH="bot/helium-${version}" \
+          created="false"
-          TITLE="update helium to ${version}" \
+          for head in "${branch}" "thomas:${branch}"; do
-          BODY="$pr_body" \
+            echo "Trying head=${head}"
-          bash .gitea/scripts/create-gitea-pr.sh
+            payload=$(printf '{"title":"update helium to %s","head":"%s","base":"main","body":"automated update of helium appimage version and hash"}' \
              "${{ steps.update.outputs.version }}" "$head")
            response=$(curl -sS -w '\n%{http_code}' -X POST \
              -H "Authorization: token ${GITEA_TOKEN}" \
              -H "Content-Type: application/json" \
              "${api}/pulls" \
              -d "$payload")
            body=$(printf '%s\n' "$response" | sed '$d')
            code=$(printf '%s\n' "$response" | tail -n1)
            echo "Create PR status: $code"
            echo "$body"
            if [ "$code" -ge 200 ] && [ "$code" -lt 300 ]; then
              created="true"
              break
            fi
          done
          if [ "$created" != "true" ]; then
            echo "PR creation failed"
            exit 1
          fi
@@ -21,25 +21,66 @@ jobs:
      - name: check latest zen browser release and update file
        id: update
        env:
          FILE: modules/pkgs/zen-browser.nix
          LATEST_RELEASE_URL: https://github.com/zen-browser/desktop/releases/latest
          DOWNLOAD_URL_TEMPLATE: https://github.com/zen-browser/desktop/releases/download/{version}/zen-x86_64.AppImage
          RELEASE_TAG_TEMPLATE: '{version}'
        shell: bash
-        run: bash .gitea/scripts/update-appimage-nix.sh
+        run: |
          set -euo pipefail
          FILE="modules/pkgs/zen-browser.nix"
          current_version=$(python - <<'PY'
          import re
          s=open('modules/pkgs/zen-browser.nix').read()
          m=re.search(r'version\s*=\s*"([^"]+)";', s)
          print(m.group(1) if m else "")
          PY
          )
          latest_version=$(curl -fsSLI -o /dev/null -w '%{url_effective}' \
            'https://github.com/zen-browser/desktop/releases/latest' \
            | sed -E 's#.*/##' \
            | sed 's/^v//')
          echo "current=$current_version"
          echo "latest=$latest_version"
          if [ -z "$latest_version" ] || [ "$latest_version" = "$current_version" ]; then
            echo "updated=false" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          url="https://github.com/zen-browser/desktop/releases/download/${latest_version}/zen-x86_64.AppImage"
          new_hash=$(nix store prefetch-file --json "$url" | python -c 'import json,sys; print(json.load(sys.stdin)["hash"])')
          export LATEST_VERSION="$latest_version"
          export NEW_HASH="$new_hash"
          python - <<PY
          import re
          import os
          p='modules/pkgs/zen-browser.nix'
          s=open(p).read()
          s=re.sub(r'version\s*=\s*"[^"]+"', f'version = "{os.environ["LATEST_VERSION"]}"', s, count=1)
          s=re.sub(r'hash\s*=\s*"[^"]+"', f'hash = "{os.environ["NEW_HASH"]}"', s, count=1)
          open(p,'w').write(s)
          PY
          echo "updated=true" >> "$GITHUB_OUTPUT"
          echo "version=$latest_version" >> "$GITHUB_OUTPUT"
      - name: create branch and commit
        if: steps.update.outputs.updated == 'true'
        shell: bash
        run: |
          set -euo pipefail
-          version="${{ steps.update.outputs.version }}"
+          branch="bot/zen-browser-${{ steps.update.outputs.version }}"
-          BRANCH="bot/zen-browser-${version}" \
+          git config user.name "gitea actions"
-          FILE="modules/pkgs/zen-browser.nix" \
+          git config user.email "actions@localhost"
-          COMMIT_MESSAGE="update zen browser to ${version}" \
+
-          bash .gitea/scripts/commit-update.sh
+          git checkout -B "$branch"
          git add modules/pkgs/zen-browser.nix
          git commit -m "update zen browser to ${{ steps.update.outputs.version }}"
          git push --force origin "$branch"
      - name: open pull request
        if: steps.update.outputs.updated == 'true'
@@ -49,22 +90,49 @@ jobs:
        run: |
          set -euo pipefail
-          version="${{ steps.update.outputs.version }}"
+          api="https://gitea.unrail.xyz/api/v1/repos/thomas/nixos-config"
-          previous_version="${{ steps.update.outputs.previous_version }}"
+          branch="bot/zen-browser-${{ steps.update.outputs.version }}"
          release_url="${{ steps.update.outputs.release_url }}"
-          pr_body=$(cat <<EOF
+          if [ -z "${GITEA_TOKEN:-}" ]; then
-          automated update of zen browser appimage version and hash
+            echo "GITEA_TOKEN is empty (check repo secret tea_token/TEA_TOKEN)"
            exit 1
          fi
-          ## changelog
+          existing=$(curl -fsS \
-          from \`${previous_version}\` to \`${version}\`
+            -H "Authorization: token ${GITEA_TOKEN}" \
            "${api}/pulls?state=open" \
            | python -c 'import json,sys; d=json.load(sys.stdin); b="'"$branch"'"; print(next((str(pr["number"]) for pr in d if isinstance(pr,dict) and pr.get("head",{}).get("ref")==b), ""))')
-          upstream release: ${release_url}
+          if [ -n "$existing" ]; then
-          EOF
+            echo "PR already exists: #$existing"
-          )
+            exit 0
          fi
-          GITEA_API="https://gitea.unrail.xyz/api/v1/repos/thomas/nixos-config" \
+          echo "Creating PR..."
-          BRANCH="bot/zen-browser-${version}" \
+          created="false"
-          TITLE="update zen browser to ${version}" \
+          for head in "${branch}" "thomas:${branch}"; do
-          BODY="$pr_body" \
+            echo "Trying head=${head}"
-          bash .gitea/scripts/create-gitea-pr.sh
+            payload=$(printf '{"title":"update zen browser to %s","head":"%s","base":"main","body":"automated update of zen browser appimage version and hash"}' \
              "${{ steps.update.outputs.version }}" "$head")
            response=$(curl -sS -w '\n%{http_code}' -X POST \
              -H "Authorization: token ${GITEA_TOKEN}" \
              -H "Content-Type: application/json" \
              "${api}/pulls" \
              -d "$payload")
            body=$(printf '%s\n' "$response" | sed '$d')
            code=$(printf '%s\n' "$response" | tail -n1)
            echo "Create PR status: $code"
            echo "$body"
            if [ "$code" -ge 200 ] && [ "$code" -lt 300 ]; then
              created="true"
              break
            fi
          done
          if [ "$created" != "true" ]; then
            echo "PR creation failed"
            exit 1
          fi
@@ -20,36 +20,3 @@ NixOS configuration using a dendritic structure — `flake.nix` at the root, wit
 ```bash
 sudo nixos-rebuild switch --flake .#nixos
 ```
 ## SMB share secrets (agenix)
 SMB automount is configured in `modules/hosts/nixos.nix` and activates once
 `secrets/smb-credentials.age` exists.
 1. Edit recipients in `secrets/secrets.nix` if needed.
 2. Create the encrypted secret (using the host SSH private key via sudo):
 ```bash
 sudo env RULES=secrets/secrets.nix nix run github:ryantm/agenix -- -e secrets/smb-credentials.age -i /etc/ssh/ssh_host_ed25519_key
 ```
 Use this content:
 ```text
 username=YOUR_SMB_USER
 password=YOUR_SMB_PASSWORD
 # optional
 # domain=WORKGROUP
 ```
 Configured shares mirror your Endeavour setup:
 - `//192.168.1.102/data` → `/mnt/unraid-data`
 - `//192.168.1.102/appdata` → `/mnt/unraid-appdata`
 Then apply:
 ```bash
 sudo nixos-rebuild switch --flake .#nixos
 ```
@@ -1,48 +1,5 @@
 {
  "nodes": {
    "agenix": {
      "inputs": {
        "darwin": "darwin",
        "home-manager": "home-manager",
        "nixpkgs": "nixpkgs",
        "systems": "systems"
      },
      "locked": {
        "lastModified": 1770165109,
        "narHash": "sha256-9VnK6Oqai65puVJ4WYtCTvlJeXxMzAp/69HhQuTdl/I=",
        "owner": "ryantm",
        "repo": "agenix",
        "rev": "b027ee29d959fda4b60b57566d64c98a202e0feb",
        "type": "github"
      },
      "original": {
        "owner": "ryantm",
        "repo": "agenix",
        "type": "github"
      }
    },
    "darwin": {
      "inputs": {
        "nixpkgs": [
          "agenix",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1744478979,
        "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
        "owner": "lnl7",
        "repo": "nix-darwin",
        "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
        "type": "github"
      },
      "original": {
        "owner": "lnl7",
        "ref": "master",
        "repo": "nix-darwin",
        "type": "github"
      }
    },
    "flake-parts": {
      "inputs": {
        "nixpkgs-lib": [
@@ -63,27 +20,6 @@
        "type": "github"
      }
    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
          "agenix",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1745494811,
        "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
        "owner": "nix-community",
        "repo": "home-manager",
        "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "import-tree": {
      "locked": {
        "lastModified": 1772999353,
@@ -100,22 +36,6 @@
      }
    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1754028485,
        "narHash": "sha256-IiiXB3BDTi6UqzAZcf2S797hWEPCRZOwyNThJIYhUfk=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "59e69648d345d6e8fef86158c555730fa12af9de",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-25.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1772773019,
        "narHash": "sha256-E1bxHxNKfDoQUuvriG71+f+s/NT0qWkImXsYZNFFfCs=",
@@ -133,25 +53,9 @@
    },
    "root": {
      "inputs": {
        "agenix": "agenix",
        "flake-parts": "flake-parts",
        "import-tree": "import-tree",
-        "nixpkgs": "nixpkgs_2"
+        "nixpkgs": "nixpkgs"
      }
    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    }
  },
@@ -9,7 +9,6 @@
    };
    import-tree.url = "github:vic/import-tree";
    agenix.url = "github:ryantm/agenix";
  };
  outputs =
@@ -8,11 +8,8 @@
      zellij
      nixd
      git
      jujutsu
      lazygit
      pnpm
      ni
      code-cursor-fhs
      # LSPs and formatters (previously via Mason)
      stylua
@@ -20,7 +17,6 @@
      pyright
      vscode-langservers-extracted # includes css-lsp, eslint-lsp, html-lsp, json-lsp
      tailwindcss-language-server
      svelte-language-server
      biome
      typescript-go
@@ -1,164 +1,88 @@
-{
+{ inputs, self, config, ... }: {
  inputs,
  self,
  config,
  ...
 }: let
  flakeConfig = config;
 in {
  flake.nixosModules.nixos-host = {
    pkgs,
    lib,
    config,
    ...
  }: let
    smbSecretFile = ../../secrets/smb-credentials.age;
    hasSmbSecret = builtins.pathExists smbSecretFile;
  in {
    imports = [
      inputs.agenix.nixosModules.default
      ../../hardware-configuration.nix
    ];
-    # Bootloader
+flake.nixosModules.nixos-host = {pkgs, ...}: {
-    boot.loader.systemd-boot.enable = true;
+  imports = [
-    boot.loader.efi.canTouchEfiVariables = true;
+    ../../hardware-configuration.nix
  ];
-    # Use latest kernel
+  # Bootloader
-    boot.kernelPackages = pkgs.linuxPackages_latest;
+  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
-    # Custom EDID override for Samsung 240Hz on DP-1
+  # Use latest kernel
-    boot.kernelParams = ["drm.edid_firmware=DP-1:edid/g80.bin"];
+  boot.kernelPackages = pkgs.linuxPackages_latest;
    hardware.firmware = [
      (pkgs.runCommand "g80-edid-firmware" {} ''
        install -Dm444 ${../assets/edid/g80.bin} $out/lib/firmware/edid/g80.bin
      '')
    ];
-    # Hostname
+  # Hostname
-    networking.hostName = "nixos";
+  networking.hostName = "nixos";
-    # Networking
+  # Networking
-    networking.networkmanager.enable = true;
+  networking.networkmanager.enable = true;
-    # Time zone
+  # Time zone
-    time.timeZone = "Europe/Lisbon";
+  time.timeZone = "Europe/Lisbon";
-    # Locale
+  # Locale
-    i18n.defaultLocale = "en_GB.UTF-8";
+  i18n.defaultLocale = "en_GB.UTF-8";
-    i18n.extraLocaleSettings = {
+  i18n.extraLocaleSettings = {
-      LC_ADDRESS = "pt_PT.UTF-8";
+    LC_ADDRESS = "pt_PT.UTF-8";
-      LC_IDENTIFICATION = "pt_PT.UTF-8";
+    LC_IDENTIFICATION = "pt_PT.UTF-8";
-      LC_MEASUREMENT = "pt_PT.UTF-8";
+    LC_MEASUREMENT = "pt_PT.UTF-8";
-      LC_MONETARY = "pt_PT.UTF-8";
+    LC_MONETARY = "pt_PT.UTF-8";
-      LC_NAME = "pt_PT.UTF-8";
+    LC_NAME = "pt_PT.UTF-8";
-      LC_NUMERIC = "pt_PT.UTF-8";
+    LC_NUMERIC = "pt_PT.UTF-8";
-      LC_PAPER = "pt_PT.UTF-8";
+    LC_PAPER = "pt_PT.UTF-8";
-      LC_TELEPHONE = "pt_PT.UTF-8";
+    LC_TELEPHONE = "pt_PT.UTF-8";
-      LC_TIME = "pt_PT.UTF-8";
+    LC_TIME = "pt_PT.UTF-8";
-    };
+  };
-    # Printing
+  # Printing
-    services.printing.enable = true;
+  services.printing.enable = true;
-    # Audio
+  # Audio
-    services.pulseaudio.enable = false;
+  services.pulseaudio.enable = false;
-    security.rtkit.enable = true;
+  security.rtkit.enable = true;
-    services.pipewire = {
+  services.pipewire = {
-      enable = true;
+    enable = true;
-      alsa.enable = true;
+    alsa.enable = true;
-      alsa.support32Bit = true;
+    alsa.support32Bit = true;
-      pulse.enable = true;
+    pulse.enable = true;
-    };
+  };
-    # SSH
+  # SSH
-    services.openssh = {
+  services.openssh = {
-      enable = true;
+    enable = true;
-      settings = {
+    settings = {
-        PermitRootLogin = "no";
+      PermitRootLogin = "no";
      };
    };
    # User account
    users.users.${flakeConfig.username} = {
      isNormalUser = true;
      description = "Thomas Gouveia Lopes";
      extraGroups = ["networkmanager" "wheel"];
    };
    # Programs
    # Allow unfree
    nixpkgs.config.allowUnfree = true;
    # Enable flakes
    nix.settings.experimental-features = ["nix-command" "flakes"];
    # Auto-unlock gnome-keyring on login
    security.pam.services.login.enableGnomeKeyring = true;
    security.pam.services.gdm.enableGnomeKeyring = true;
    security.pam.services.gdm-password.enableGnomeKeyring = true;
    # State version
    system.stateVersion = "25.11";
    boot.supportedFilesystems = ["cifs"];
    warnings = lib.optional (!hasSmbSecret) ''
      SMB automount is disabled: missing ${toString smbSecretFile}.
      Create it with agenix:
      sudo env RULES=secrets/secrets.nix nix run github:ryantm/agenix -- -e secrets/smb-credentials.age -i /etc/ssh/ssh_host_ed25519_key
      and set:
      username=...
      password=...
      # optional
      # domain=WORKGROUP
    '';
    age.identityPaths = ["/etc/ssh/ssh_host_ed25519_key"];
    age.secrets."smb-credentials" = lib.mkIf hasSmbSecret {
      file = smbSecretFile;
      mode = "0400";
      owner = "root";
      group = "root";
    };
    fileSystems."/mnt/unraid-data" = lib.mkIf hasSmbSecret {
      device = "//192.168.1.102/data";
      fsType = "cifs";
      options = [
        "credentials=${config.age.secrets."smb-credentials".path}"
        "uid=1000"
        "gid=1000"
        "iocharset=utf8"
        "nofail"
        "x-systemd.automount"
        "_netdev"
        "noserverino"
        "vers=3.0"
      ];
    };
    fileSystems."/mnt/unraid-appdata" = lib.mkIf hasSmbSecret {
      device = "//192.168.1.102/appdata";
      fsType = "cifs";
      options = [
        "credentials=${config.age.secrets."smb-credentials".path}"
        "uid=1000"
        "gid=1000"
        "iocharset=utf8"
        "nofail"
        "x-systemd.automount"
        "_netdev"
        "noserverino"
        "vers=3.0"
      ];
    };
    fileSystems."/mnt/endeavour" = {
      device = "/dev/disk/by-uuid/a32ca052-12a5-4355-bd3b-b4515d9ea4a5";
      fsType = "ext4";
      options = ["defaults" "noatime"];
    };
  };
  # User account
  users.users.${config.username} = {
    isNormalUser = true;
    description = "Thomas Gouveia Lopes";
    extraGroups = [ "networkmanager" "wheel" ];
  };
  # Programs
  # Allow unfree
  nixpkgs.config.allowUnfree = true;
  # Enable flakes
  nix.settings.experimental-features = [ "nix-command" "flakes" ];
  # Auto-unlock gnome-keyring on login
  security.pam.services.login.enableGnomeKeyring = true;
  security.pam.services.gdm.enableGnomeKeyring = true;
  security.pam.services.gdm-password.enableGnomeKeyring = true;
  # State version
  system.stateVersion = "25.11";
 	fileSystems."/mnt/endeavour" = {
 	 device = "/dev/disk/by-uuid/a32ca052-12a5-4355-bd3b-b4515d9ea4a5";
 	 fsType = "ext4";
 	 options = [ "defaults" "noatime" ];
 	};
 };
 }
@@ -1,4 +1,8 @@
-{self, ...}: {
+{
  inputs,
  self,
  ...
 }: {
  flake.nixosModules.packages = {pkgs, ...}: {
    environment.systemPackages = with pkgs; [
      fd
@@ -8,10 +12,6 @@
      alacritty
      fzf
      autojump
      yazi
      ueberzugpp
      chafa
      wl-clipboard
      pulseaudio
      legcord
      quickshell
@@ -22,10 +22,6 @@
      self.packages.${pkgs.stdenv.hostPlatform.system}.handy
      mpv
      ffmpeg
      tmux
      obs-studio
      jjui
      bat
    ];
  };
 }
@@ -2,11 +2,11 @@
  perSystem = {pkgs, ...}: {
    packages.handy = pkgs.appimageTools.wrapType2 rec {
      pname = "handy";
-      version = "0.8.0";
+      version = "0.7.10";
      src = pkgs.fetchurl {
        url = "https://github.com/cjpais/Handy/releases/download/v${version}/Handy_${version}_amd64.AppImage";
-        hash = "sha256-PLcssfd6iMx51mglAJ7D4+67HFazwfhJMImgU9WiNDk=";
+        hash = "sha256-vBOcXCCJr9D0u0h27nN4XLPPngx4m+toAfi6O6Fuojk=";
      };
      extraInstallCommands = let
@@ -2,11 +2,11 @@
  perSystem = { pkgs, ... }: {
    packages.helium = pkgs.appimageTools.wrapType2 rec {
      pname = "helium";
-      version = "0.10.6.1";
+      version = "0.9.4.1";
      src = pkgs.fetchurl {
        url = "https://github.com/imputnet/helium-linux/releases/download/${version}/${pname}-${version}-x86_64.AppImage";
-        hash = "sha256-6xqNRaP3aqitEseexRVEEjKkJClC0j1HHZoRGQanhSk=";
+        hash = "sha256-N5gdWuxOrIudJx/4nYo4/SKSxakpTFvL4zzByv6Cnug=";
      };
      extraInstallCommands = let
@@ -1,19 +1,19 @@
-{lib, ...}: {
+{ lib, ... }: {
-  perSystem = {pkgs, ...}: let
+  perSystem = { pkgs, ... }: let
    pname = "zen-browser";
-    version = "1.19.3b";
+    version = "1.19.1b";
    src = pkgs.fetchurl {
      url = "https://github.com/zen-browser/desktop/releases/download/${version}/zen-x86_64.AppImage";
-      hash = "sha256-p00Irv2z6brDXMx3cr0234lOZZ2a7FmJMDzN494nzMw=";
+      hash = "sha256-h3lza2C+SxptpcX897Uf/nM8dNILUBXScSNQZlvSIQg=";
    };
-    appimageContents = pkgs.appimageTools.extract {inherit pname version src;};
+    appimageContents = pkgs.appimageTools.extract { inherit pname version src; };
  in {
    packages.zen-browser = pkgs.appimageTools.wrapType2 {
      inherit pname version src;
-      extraPkgs = pkgs: [pkgs.ffmpeg-full];
+      extraPkgs = pkgs: [ pkgs.ffmpeg-full ];
      extraInstallCommands = ''
        desktop_file=$(find ${appimageContents} -name "*.desktop" | head -n1)
@@ -34,7 +34,7 @@
        description = "Experience tranquillity while browsing the web without people tracking you!";
        homepage = "https://zen-browser.app";
        license = lib.licenses.mpl20;
-        platforms = ["x86_64-linux"];
+        platforms = [ "x86_64-linux" ];
      };
    };
  };
@@ -2,7 +2,6 @@
 	flake.nixosModules.ui = { pkgs, lib, ... }: {
 		# Desktop environment
 		services.xserver.enable = true;
 		services.xserver.xkb.options = "compose:ralt,cedilla:cacute";
 		services.displayManager.gdm.enable = true;
 		services.displayManager.gdm.wayland = true;
 		services.desktopManager.gnome.enable = true;
@@ -1,7 +0,0 @@
 let
  nixos = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIg62Co6P+CYcvINrW9IYM1D8W7A3LNlEphAqP6vCzrv root@nixos";
 in {
  "secrets/smb-credentials.age".publicKeys = [
    nixos
  ];
 }
@@ -1,5 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 eoxNoQ +//j26EmOrSLqTMUaKWy4X/GZZ3XoJmKlT+ArQejODU
 olSV7FU5URhIcB4JczmPhGZsaQjQCs7kTm/IISCePsk
 --- r7Gpe55fXHr9lghoFvwAZZVvDVckENBxTDXW3sXEjUI
 ã{„Â&ffÇj?ÛSŠÈy´|Ô™tÀÜ¾_3äûOÇÒåjp»	‹tS!Î,†!5iÿó©¡�ÙGoê‹_?tFKË†%üÊ´ØÔh%up„ÁX;'•.ÿXÙðóœo=
Author	SHA1	Message	Date
thomas	d7a82d8801	Merge branch 'main' into bot/handy-0.7.10	2026-03-11 16:36:22 +00:00
gitea actions	56f2da8d22	update handy to 0.7.10	2026-03-11 06:40:25 +00:00