The Nix build sandbox can't access ~/.config/sway/wallpaper.jpg,
so the config check fails. The config is valid at runtime.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Enable bluetooth with blueman for speaker pairing
- Pulseaudio: headphone icon, mute indicator
- Network: show bandwidth up/down instead of interface name
- Bluetooth waybar module with catppuccin styling
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Wallpaper from ~/.config/sway/wallpaper.jpg
- Waybar modules styled as rounded pills with gaps
- Semi-transparent waybar background
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
python-build compiles from source and needs headers/library paths.
nix-ld only handles runtime linking for prebuilt binaries. Set
CFLAGS, LDFLAGS, and PKG_CONFIG_PATH via sessionVariables so
configure scripts find zlib, openssl, readline, etc.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Dynamically linked binaries (dotnet, python) need libraries in
NIX_LD_LIBRARY_PATH, not just on PATH via systemPackages.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
gnupg fixes GPG verification warnings. nix-ld provides a dynamic
linker shim so generic Linux binaries (dotnet, rustup, etc.)
downloaded by mise can run on NixOS.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Configured via home-manager with workspaces, window title,
audio, network, clock, and tray modules.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Raw _1password-cli and _1password-gui packages don't set up the
onepassword-cli group, setgid bit, or polkit policy needed for
CLI-to-desktop-app communication. The NixOS modules handle this.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Crosshair VI Hero has no TPM module. systemd waits 90s for
/dev/tpm0 and /dev/tpmrm0 before timing out on every boot.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Drives mounted by disko default to root ownership. Use tmpfiles
rules to set eblume:users ownership at boot.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The nixos/nix container doesn't have flakes enabled by default.
Pass --extra-experimental-features flag. Also commit the updated
flake.lock with home-manager input resolved via Dagger.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- New `flake-lock` Dagger function: runs `nix flake lock` in a
nixos/nix container, returns the updated flake.lock file.
- provision-ringtail now: updates flake.lock via Dagger before
deploy, verifies current commit is pushed to forge, and passes
the exact commit SHA to the ansible playbook.
- Playbook accepts `ringtail_commit` var to deploy a specific ref.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The NixOS programs.sway module doesn't have extraConfig. Use
home-manager's wayland.windowManager.sway instead to set the
terminal to wezterm (which gives us $mod+Return automatically).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Queried ringtail directly for CPU, RAM, GPU, storage, monitor,
and peripheral details via dmidecode, edid-decode, and lsusb.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Sway keybinding for wezterm, fish as default shell, remove
initialPassword, add 1Password/chezmoi/dev tool packages.
Add ringtail reference card and update host inventory.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
nixos-rebuild can dirty the tree (e.g. flake.lock updates), which
blocks the Ansible git module. Force ensures we always reset to the
upstream state.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
NixOS doesn't include Python by default. Ansible needs it on the
managed host for module execution.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Sway/wlroots refuses to start on proprietary NVIDIA by default.
Add --unsupported-gpu flag and disable hardware cursors.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
## Summary
- Bump Frigate image from `0.16.4-standard-arm64` to `0.17.0-rc2-standard-arm64`
- Adapt `record` config to 0.17 schema: `retain.days`/`mode: all` → `continuous.days`
- Update service docs and version tracker
This is the first step toward the Apple Silicon ZMQ detector. The existing ONNX detector is kept so we can validate the upgrade independently.
## What is NOT changing
- Detector config (still `type: onnx` with YOLO-NAS-s)
- go2rtc streams, MQTT, cameras, zones, review rules
- frigate-notify, storage PVs, Grafana dashboard
## Deployment and Testing
- [ ] `argocd app set frigate --revision upgrade-frigate-0.17 && argocd app sync frigate`
- [ ] Pod starts, `/api/version` returns `0.17.0-rc2`
- [ ] No config errors in pod logs
- [ ] Frigate web UI loads at `https://nvr.ops.eblu.me`
- [ ] Live view works, detection running (`/api/stats` shows `detection_fps > 0`)
- [ ] Recordings being created (`/api/recordings/summary`)
- [ ] MQTT events flowing (check frigate-notify logs)
- [ ] After merge: `argocd app set frigate --revision main && argocd app sync frigate`
Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/205
## Summary
- Cap detect FPS to 2 to prevent recording segment backlog from ONNX inference bottleneck (~750ms/frame on ARM64 CPU)
- Sync motion masks from live config (added second mask area)
- Update driveway_entrance zone coordinates from live config
- Add explicit alert labels `[person, car]` while keeping `required_zones: [driveway_entrance]`
## Context
The "No frames have been received" error on the gablecam live view was caused by the detect stream falling behind — ONNX YOLO-NAS-s takes ~750ms per inference on ARM64 CPU, but the sub-stream sends 5 FPS. This caused recording segments to pile up and the ffmpeg watchdog to repeatedly kill/restart the process, creating gaps in the live view.
## Test plan
- [ ] Sync ArgoCD `frigate` app to branch and verify pod restarts cleanly
- [ ] Check `/api/stats` — `skipped_fps` should drop significantly, `process_fps` should be close to 2
- [ ] Verify live view at https://nvr.ops.eblu.me/#gablecam no longer shows "No frames" error
- [ ] Verify detections and alerts still work in the driveway_entrance zone
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/204
## Summary
- Bump External Secrets Operator Helm chart from `helm-chart-1.3.1` to `helm-chart-2.0.0` (operator v1.3.2)
- Updates both the operator app and CRDs app `targetRevision`
- No Helm values changes needed — `installCRDs`, `resources`, `webhook`, `certController` keys are unchanged
## Breaking changes in chart 2.0.0
- **Removed providers:** Alibaba and Device42 (unmaintained) — does not affect our 1Password setup
- **Templating engine v1 deprecated** — our ExternalSecrets don't set `engineVersion`, so they use the default (v2)
- **Webhook `failurePolicy`** for SecretStore is now dynamic
## Deployment
1. Sync CRDs first: `argocd app set external-secrets-crds --revision update/external-secrets-helm-2.0.0 && argocd app sync external-secrets-crds`
2. Sync operator: `argocd app set external-secrets --revision update/external-secrets-helm-2.0.0 && argocd app sync external-secrets`
3. Verify: `kubectl --context=minikube-indri -n external-secrets get pods`
4. After merge, set both apps back to `--revision main`
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/203
## Summary
- Add `containers/ntfy/Dockerfile` — three-stage build (Node web UI, Go+CGO server, Alpine runtime) pinned to commit SHA `a03a37fe` (v2.17.0), sourced from forge mirror
- Update ntfy deployment image from `binwiederhier/ntfy:v2.17.0` to `registry.ops.eblu.me/blumeops/ntfy:v1.0.0`
- Note fish shell in CLAUDE.md
## Deployment
After merge, release the container image:
```fish
mise run container-tag-and-release ntfy v1.0.0
```
Then sync:
```fish
argocd app sync ntfy
```
## Test plan
- [x] `docker build` succeeds
- [x] `dagger call build --src=. --container-name=ntfy` succeeds (exit 0, container ID printed)
- [x] `ntfy --help` works in built container
- [ ] Tag and release `ntfy-v1.0.0` after merge
- [ ] Verify ntfy pod starts with new image
- [ ] Verify health endpoint responds at `ntfy.ops.eblu.me/v1/health`
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/202
## Summary
- Upgrade ntfy from v2.11.0 to v2.17.0 (6 minor releases, no breaking changes)
- Add reference doc for ntfy service
- Add reference doc for frigate service (ntfy's sole producer via frigate-notify)
- Update reference index and service-versions.yaml tracking
## Notable upstream changes (v2.12.0–v2.17.0)
- **v2.14.0:** Declarative users/ACL config in files
- **v2.15.0:** `require-login` flag for topic-level auth
- **v2.16.0:** Dead man's switch (heartbeat) notifications, notification update/delete
- **v2.17.0:** Priority templating, crash fixes (nil pointer panics)
## Deployment and Testing
- [ ] ArgoCD sync ntfy after merge
- [ ] Verify ntfy pod healthy with new image
- [ ] Send a test notification via `curl -d "test" https://ntfy.ops.eblu.me/test`
- [ ] Verify frigate-notify still delivers alerts to ntfy
Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/201
## Summary
- **Doc review:** Reviewed `gandi-operations.md` — added `last-reviewed` frontmatter, verified all wiki-links, confirmed Pulumi state has no drift
- **Gandi reference fix:** Added missing `cv.eblu.me` CNAME row to `gandi.md` DNS records table (was present in Pulumi but undocumented)
- **Pulumi comment fix:** Updated stale `README.md` reference in `__main__.py` to point to `docs/how-to/gandi-operations.md`
- **How-to reorg:** Moved 14 how-to guides into 3 subdirectories (`deployment/`, `configuration/`, `operations/`), collapsed the Documentation and Database index sections into Configuration and Operations respectively
## Verification
- `docs-check-links` — all 180 wiki-links valid
- `docs-check-filenames` — all 90 filenames unique
- `dns-preview` — 5 resources unchanged, no drift
- All pre-commit hooks pass
## Test plan
- [ ] Verify docs site builds correctly with new paths
- [ ] Spot-check a few wiki-links from other pages to moved how-to guides
Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/200
## Summary
- Added a new `build_quartz` Dagger function that builds the Quartz site from a pre-processed source tree (no towncrier)
- Reordered the release workflow so towncrier runs **once** on the runner, then passes the updated working tree to `build-quartz`
- `build_docs` and `build_changelog` are preserved for standalone use — `build_docs` now delegates to `build_quartz` internally
## Motivation
Previously towncrier ran twice per release: once inside a Dagger container (via `build_docs` → `build_changelog`) and once on the runner to capture CHANGELOG.md changes for the git commit. This was wasteful and fragile — if towncrier behavior changed, the two runs could produce different results.
## Test plan
- [ ] Review diff to confirm workflow step ordering is correct
- [ ] Trigger a release and confirm towncrier runs only once
- [ ] Verify the docs tarball contains the updated CHANGELOG.md
- [ ] `dagger call build-quartz --src=. --version=vX.Y.Z` should work standalone
Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/199
