pinwheel/tadpole: Add ed25519 ssh key

The command was hijacking auth for all users, including `gitea`, which
broke `git push` over SSH — `gitea`'s `authorized_keys` (with the
`gitea serv` command restriction) was being bypassed, and sshd would
try to exec the raw `git-receive-pack` instead.

Pass `%u` to the command and short-circuit unless the requested user
is `alex`, so other users fall back to their own `~/.ssh/authorized_keys`.

flake.lock

@@ -944,11 +944,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1774202723,
-        "narHash": "sha256-z3kfGSm1EFzzUorewI5Jtgv79lPV128pZd8EEak4xZg=",
+        "lastModified": 1780482259,
+        "narHash": "sha256-buOczAkw78U+g7DYcB7nMabTGzQoN15HtVE3y0kIt3I=",
         "ref": "master",
-        "rev": "02ad04e1460d7ce84db24b3bb526339df1e76501",
-        "revCount": 372,
+        "rev": "b9ee418d14d6cb500506f9ef0cb9d54a8e78afa9",
+        "revCount": 373,
         "type": "git",
         "url": "ssh://gitea@git.ppp.pm:1122/alex/whib.git"
       },
@@ -965,11 +965,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1761508816,
-        "narHash": "sha256-adV/lyxcmuopyuzZ49v46Yt0gft+ioEL4yl1S+vUbus=",
+        "lastModified": 1780483645,
+        "narHash": "sha256-Nr0WTh72uBCSO5jCcvHPE+4dqAPn07HZ5U1lAE4/3II=",
         "ref": "master",
-        "rev": "ab10bf50cb6b023a1b99f91c7e8d550231135eef",
-        "revCount": 223,
+        "rev": "14f98eced1ccf1e62493ad65eb38502b38db5cba",
+        "revCount": 224,
         "type": "git",
         "url": "ssh://gitea@git.ppp.pm:1122/alex/whib-react.git"
       },

hosts/manatee/disk-config.nix

@@ -79,11 +79,16 @@
         { device = config.disko.devices.disk.root.device; }
         { device = config.disko.devices.disk.disk1.device; }
         { device = config.disko.devices.disk.disk2.device; }
+        { device = config.disko.devices.disk.disk3.device; }
+        { device = config.disko.devices.disk.disk4.device; }
       ];
     };
 
     services.zfs.autoScrub.enable = true;
 
+    # Don't force-import the pool if it appears in use elsewhere; safer default in 26.11+.
+    boot.zfs.forceImportRoot = false;
+
     networking.hostId = "0a9474e7"; # Required by ZFS
     disko.devices = {
       disk = {

hosts/manatee/modules/default.nix

@@ -23,6 +23,7 @@ in
       komga.enable = true;
       romm.enable = true;
       homepage.enable = true;
+      disk-smart.enable = true;
     };
   };
 }

hosts/manatee/modules/disk-smart/default.nix

@@ -0,0 +1,159 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+let
+  enabled = config.mod.disk-smart.enable;
+
+  disks = [
+    { path = "/dev/disk/by-id/ata-ST8000VN004-3CP101_WWZ8QCG4"; name = "seagate_8tb_1"; label = "Seagate 8TB #1"; }
+    { path = "/dev/disk/by-id/ata-ST8000VN004-3CP101_WWZ8QDJ5"; name = "seagate_8tb_2"; label = "Seagate 8TB #2"; }
+    { path = "/dev/disk/by-id/ata-TOSHIBA_MG10ACA20TE_85K2A0UCF4MJ"; name = "toshiba_20tb_1"; label = "Toshiba 20TB #1"; }
+    { path = "/dev/disk/by-id/ata-TOSHIBA_MG10ACA20TE_85K2A0V6F4MJ"; name = "toshiba_20tb_2"; label = "Toshiba 20TB #2"; }
+  ];
+
+  outputDir = "/var/lib/disk-smart";
+
+  collectScript = pkgs.writeShellScript "disk-smart-collect" ''
+    set -euo pipefail
+    export PATH="${lib.makeBinPath [ pkgs.smartmontools pkgs.jq pkgs.coreutils ]}"
+
+    mkdir -p ${outputDir}
+
+    result="{"
+
+    ${lib.concatMapStringsSep "\n" (disk: ''
+      raw=$(smartctl -j -A -H ${disk.path} 2>/dev/null || true)
+
+      temp=$(echo "$raw" | jq -r '.temperature.current // empty')
+      power_on=$(echo "$raw" | jq -r '.power_on_time.hours // empty')
+      smart_status=$(echo "$raw" | jq -r '.smart_status.passed // empty')
+      reallocated=$(echo "$raw" | jq -r '[.ata_smart_attributes.table[] | select(.name == "Reallocated_Sector_Ct")][0].raw.value // empty')
+      pending=$(echo "$raw" | jq -r '[.ata_smart_attributes.table[] | select(.name == "Current_Pending_Sector")][0].raw.value // empty')
+
+      result="$result\"${disk.name}\":{\"temperature\":$temp,\"power_on_hours\":$power_on,\"smart_passed\":$smart_status,\"reallocated_sectors\":$reallocated,\"pending_sectors\":$pending},"
+    '') disks}
+
+    # Remove trailing comma, close object
+    result="''${result%,}}"
+
+    echo "$result" | jq . > ${outputDir}/smart.json.tmp
+    mv ${outputDir}/smart.json.tmp ${outputDir}/smart.json
+  '';
+
+  indent = prefix: s:
+    lib.concatMapStringsSep "\n"
+      (line: if line == "" then line else prefix + line)
+      (lib.splitString "\n" s);
+
+  mkSensor = disk: ''
+- name: "${disk.label} Temperature"
+  value_template: "{{ value_json.${disk.name}.temperature }}"
+  unit_of_measurement: "°C"
+  device_class: temperature
+  state_class: measurement
+- name: "${disk.label} Power On Hours"
+  value_template: "{{ value_json.${disk.name}.power_on_hours }}"
+  unit_of_measurement: "h"
+  state_class: total_increasing
+- name: "${disk.label} SMART Passed"
+  value_template: "{{ value_json.${disk.name}.smart_passed }}"
+- name: "${disk.label} Reallocated Sectors"
+  value_template: "{{ value_json.${disk.name}.reallocated_sectors }}"
+  state_class: measurement
+- name: "${disk.label} Pending Sectors"
+  value_template: "{{ value_json.${disk.name}.pending_sectors }}"
+  state_class: measurement
+'';
+
+  sensorYaml = indent "      " (lib.concatMapStrings mkSensor disks);
+
+  sectorEntities = lib.concatMap (disk: [
+    "sensor.${disk.name}_reallocated_sectors"
+    "sensor.${disk.name}_pending_sectors"
+  ]) disks;
+
+  sectorEntitiesYaml = lib.concatMapStringsSep "\n"
+    (id: "          - ${id}") sectorEntities;
+
+  smartPassedEntities = map (disk: "sensor.${disk.name}_smart_passed") disks;
+
+  smartPassedEntitiesYaml = lib.concatMapStringsSep "\n"
+    (id: "          - ${id}") smartPassedEntities;
+in
+{
+  options = {
+    mod.disk-smart = {
+      enable = lib.mkEnableOption "Enable disk SMART monitoring module";
+    };
+  };
+
+  config = lib.mkIf enabled {
+    mod.home-assistant.extraConfig = ''
+rest:
+  - resource: http://127.0.0.1:9633/smart.json
+    scan_interval: 60
+    sensor:
+${sensorYaml}
+automation disk_smart:
+  - alias: "Disk sector count increased"
+    trigger:
+      - platform: state
+        entity_id:
+${sectorEntitiesYaml}
+    condition:
+      - condition: template
+        value_template: "{{ trigger.from_state.state | int(-1) >= 0 and trigger.to_state.state | int(0) > trigger.from_state.state | int(0) }}"
+    action:
+      - service: notify.mobile_app_pixel_9_pro
+        data:
+          title: "Disk SMART warning"
+          message: "{{ trigger.to_state.attributes.friendly_name }} increased from {{ trigger.from_state.state }} to {{ trigger.to_state.state }}"
+  - alias: "Disk SMART check failed"
+    trigger:
+      - platform: state
+        entity_id:
+${smartPassedEntitiesYaml}
+    condition:
+      - condition: template
+        value_template: "{{ trigger.to_state.state | lower == 'false' }}"
+    action:
+      - service: notify.mobile_app_pixel_9_pro
+        data:
+          title: "Disk SMART FAILURE"
+          message: "{{ trigger.to_state.attributes.friendly_name }} reports SMART failure — drive is likely failing"
+'';
+
+    systemd.services.disk-smart-collect = {
+      description = "Collect disk SMART data";
+      serviceConfig = {
+        Type = "oneshot";
+        ExecStart = collectScript;
+      };
+    };
+
+    systemd.timers.disk-smart-collect = {
+      description = "Periodically collect disk SMART data";
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        OnBootSec = "1min";
+        OnUnitActiveSec = "1min";
+      };
+    };
+
+    services.nginx.virtualHosts."127.0.0.1" = {
+      listen = [
+        { addr = "127.0.0.1"; port = 9633; }
+      ];
+
+      locations."= /smart.json" = {
+        alias = "${outputDir}/smart.json";
+        extraConfig = ''
+          default_type application/json;
+        '';
+      };
+    };
+  };
+}

hosts/manatee/modules/home-assistant/default.nix

@@ -6,8 +6,42 @@
 }:
 let
   nginxEnabled = config.mod.nginx.enable;
+  cfg = config.mod.home-assistant;
 
-  script = pkgs.writeShellScript "bt-reset" ''
+  configFile = pkgs.writeText "ha-configuration.yaml" ''
+# Loads default set of integrations. Do not remove.
+default_config:
+
+http:
+  use_x_forwarded_for: true
+  trusted_proxies:
+    - 127.0.0.1
+
+# Load frontend themes from the themes folder
+frontend:
+  themes: !include_dir_merge_named themes
+
+automation: !include automations.yaml
+script: !include scripts.yaml
+scene: !include scenes.yaml
+
+recorder:
+  purge_keep_days: 365
+
+alert:
+  fridge_door:
+    name: Fridge is open
+    done_message: Fride is closed
+    entity_id: binary_sensor.kyldorr
+    state: "on"
+    repeat: 2
+    skip_first: true
+    notifiers:
+      - mobile_app_pixel_9_pro
+
+${cfg.extraConfig}'';
+
+  btResetScript = pkgs.writeShellScript "bt-reset" ''
     set -euo pipefail
     export PATH="${
       lib.makeBinPath [
@@ -62,6 +96,17 @@ let
   '';
 in
 {
+  options = {
+    mod.home-assistant = {
+      extraConfig = lib.mkOption {
+        type = lib.types.lines;
+        default = "";
+        description = "Extra YAML to append to Home Assistant's configuration.yaml";
+      };
+    };
+  };
+
+  config = {
     mod.homepage.services = [
       {
         name = "Home Assistant";
@@ -80,6 +125,7 @@ in
 
         volumes = [
           "/home/alex/.config/home-assistant:/config"
+          "${configFile}:/config/configuration.yaml:ro"
           # Pass in bluetooth
           "/run/dbus:/run/dbus:ro"
         ];
@@ -140,7 +186,7 @@ in
 
           serviceConfig = {
             Type = "oneshot";
-          ExecStart = script;
+            ExecStart = btResetScript;
 
             Restart = "on-failure";
             RestartSec = "10s";
@@ -240,4 +286,5 @@ in
         };
       };
     };
+  };
 }

hosts/manatee/modules/romm/default.nix

@@ -69,8 +69,11 @@ in
       serviceConfig = {
         Type = "oneshot";
         RemainAfterExit = true;
-        ExecStart = "/run/current-system/sw/bin/podman network create romm-net";
-        ExecStop = "/run/current-system/sw/bin/podman network rm -f romm-net";
+        ExecStart = pkgs.writeShellScript "romm-net-create" ''
+          ${pkgs.podman}/bin/podman network exists romm-net \
+            || ${pkgs.podman}/bin/podman network create romm-net
+        '';
+        ExecStop = "${pkgs.podman}/bin/podman network rm -f romm-net";
       };
     };
 

hosts/manatee/modules/ssh/default.nix

@@ -21,8 +21,9 @@ in
     home-manager.users.alex = {
       programs.ssh = {
         enable = true;
+        enableDefaultConfig = false;
 
-        matchBlocks = {
+        settings = {
           "git.ppp.pm" = {
             hostname = "git.ppp.pm";
             identityFile = "/home/alex/.ssh/alex.manatee-git.ppp.pm";

hosts/pinwheel/modules/hyprlock/default.nix

@@ -45,7 +45,7 @@ in
               valign = "center";
               outline_thickness = 2;
               dots_center = true;
-              fade_on_empty = true;
+              fade_on_empty = false;
               placeholder_text = "";
             }
           ];

hosts/pinwheel/modules/javascript/default.nix

@@ -1,6 +1,6 @@
 { pkgs, ... }:
 {
   home-manager.users.alex = {
-    home.packages = [ pkgs.nodePackages.typescript-language-server ];
+    home.packages = [ pkgs.typescript-language-server ];
   };
 }

hosts/pinwheel/modules/ssh/default.nix

@@ -3,10 +3,14 @@
   # Enable gnome-keyring at system level for PAM integration
   services.gnome.gnome-keyring.enable = true;
 
+  # Use openssh's own ssh-agent — gcr's ssh-agent stalls signing RSA keys.
+  services.gnome.gcr-ssh-agent.enable = false;
+  programs.ssh.startAgent = true;
+
   home-manager.users.alex = {
     services.gnome-keyring = {
       enable = true;
-      components = [ "secrets" "ssh" ];
+      components = [ "secrets" ];
     };
 
     programs.ssh = {
@@ -131,6 +135,19 @@
       owner = "alex";
       group = "users";
     };
+
+    "alex.pinwheel-tadpole-ed25519" = {
+      file = ../../../../secrets/pinwheel/alex.pinwheel-tadpole-ed25519.age;
+      path = "/home/alex/.ssh/alex.pinwheel-tadpole-ed25519";
+      owner = "alex";
+      group = "users";
+    };
+    "alex.pinwheel-tadpole-ed25519.pub" = {
+      file = ../../../../secrets/pinwheel/alex.pinwheel-tadpole-ed25519.pub.age;
+      path = "/home/alex/.ssh/alex.pinwheel-tadpole-ed25519.pub";
+      owner = "alex";
+      group = "users";
+    };
   };
 
   services.openssh = {

hosts/pinwheel/modules/tailscale/default.nix

@@ -1,7 +1,23 @@
-{ ... }:
+{ pkgs, ... }:
 {
   services.tailscale.enable = true;
 
+  # Pinned to 1.96.5. 1.98.0 regressed split-DNS handling under work-vpn: the
+  # netmap's "resolve <tailnet>.ts.net locally via MagicDNS" hint is dropped
+  # when translated into systemd-resolved config, so *.ts.net queries get sent
+  # to a public resolver (199.247.155.53) that the corporate VPN's port-53
+  # egress filter blocks.
+  services.tailscale.package = pkgs.tailscale.overrideAttrs (_: rec {
+    version = "1.96.5";
+    src = pkgs.fetchFromGitHub {
+      owner = "tailscale";
+      repo = "tailscale";
+      tag = "v${version}";
+      hash = "sha256-vYYb+2OtuXftjGGG0zWJesHccrClB8YZpclv9KzNN/c=";
+    };
+    vendorHash = "sha256-rhuWEEN+CtumVxOw6Dy/IRxWIrZ2x6RJb6ULYwXCQc4=";
+  });
+
   networking.firewall = {
     checkReversePath = "loose";
     allowedUDPPorts = [ 41641 ];

hosts/pinwheel/modules/work/default.nix

@@ -22,6 +22,24 @@ in
         [[ "$PATH" == "${pkgs.bashInteractive}/bin:"* ]] || export PATH="${pkgs.bashInteractive}/bin:$PATH"
       }
       precmd_functions+=(_ensure_bash_interactive)
+
+      # Source the zsh-specific rc file that nix-direnv emits ($DIRENV_ZSH_RC)
+      # so devshell completions and zsh setup are picked up. direnv itself only
+      # exports env vars, so without this hook the zsh side of the devshell is
+      # never loaded. Guarded by LAST_LOADED_DIRENV_ZSH_RC so we don't re-source
+      # it on every precmd.
+      _nix_direnv_bridge_hook() {
+        if [[ -n "$DIRENV_ZSH_RC" && "$LAST_LOADED_DIRENV_ZSH_RC" != "$DIRENV_ZSH_RC" ]]; then
+          if [[ -f "$DIRENV_ZSH_RC" ]]; then
+            source "$DIRENV_ZSH_RC"
+            export LAST_LOADED_DIRENV_ZSH_RC="$DIRENV_ZSH_RC"
+            echo "❄️ direnv zsh loaded..."
+          fi
+        fi
+      }
+
+      autoload -Uz add-zsh-hook
+      add-zsh-hook precmd _nix_direnv_bridge_hook
     '';
 
     # Configure IntelliJ to exclude .direnv from indexing

hosts/tadpole/modules/ssh/default.nix

@@ -48,6 +48,7 @@ in
       mode = "0755";
       text = ''
         #!${pkgs.bash}/bin/bash
+        [ "$1" = "alex" ] || exit 0
         for file in ${authorizedKeysPath}/*; do
           ${pkgs.coreutils}/bin/cat "$file"
         done
@@ -71,7 +72,7 @@ in
           KbdInteractiveAuthentication = false;
         };
 
-        authorizedKeysCommand = "/etc/ssh/authorized_keys_command";
+        authorizedKeysCommand = "/etc/ssh/authorized_keys_command %u";
         authorizedKeysCommandUser = "root";
       };
     };
@@ -97,6 +98,11 @@ in
         path = "${authorizedKeysPath}/alex.pinwheel-tadpole.pub";
       };
 
+      "alex.pinwheel-tadpole-ed25519.pub" = {
+        file = ../../../../secrets/pinwheel/alex.pinwheel-tadpole-ed25519.pub.age;
+        path = "${authorizedKeysPath}/alex.pinwheel-tadpole-ed25519.pub";
+      };
+
       "alex.tadpole-git.ppp.pm" = {
         file = ../../../../secrets/tadpole/alex.tadpole-git.ppp.pm.age;
         path = "/home/alex/.ssh/alex.tadpole-git.ppp.pm";

secrets/secrets.nix

@@ -15,6 +15,8 @@ in {
   "pinwheel/alex.pinwheel-backwards.pub.age".publicKeys = [ pinwheel backwards alex ];
   "pinwheel/alex.pinwheel-tadpole.age".publicKeys = [ pinwheel alex ];
   "pinwheel/alex.pinwheel-tadpole.pub.age".publicKeys = [ pinwheel tadpole alex ];
+  "pinwheel/alex.pinwheel-tadpole-ed25519.age".publicKeys = [ pinwheel alex ];
+  "pinwheel/alex.pinwheel-tadpole-ed25519.pub.age".publicKeys = [ pinwheel tadpole alex ];
   "pinwheel/alex.pinwheel-github.com.age".publicKeys = [ pinwheel alex ];
   "pinwheel/alex.pinwheel-github.com.pub.age".publicKeys = [ pinwheel alex ];
   "pinwheel/alex.pinwheel-github.com-signing.age".publicKeys = [ pinwheel alex ];