- Remove incus-admin group from geir and sma users
- Fixes deployment issue where cowsql was being built despite incus being disabled
- Addresses congenital-optimist build failure
✅ Completed Tasks:
- Task 6: Successfully tested deploy-rs on all machines (grey-area, reverse-proxy, congenital-optimist)
- Task 7: Added deploy-rs status monitoring to lab tool
🔧 Infrastructure Improvements:
- Added sma user to local machine for consistent SSH access
- Created shared shell-aliases.nix module to eliminate conflicts
- Enhanced lab status command with deploy-rs deployment info
- Added generation tracking, build dates, and uptime monitoring
🚀 Deploy-rs Status:
- All 4 machines successfully tested with both dry-run and actual deployments
- Automatic rollback protection working correctly
- Health checks and magic rollback functioning properly
- Tailscale connectivity verified across all nodes
📊 New Status Features:
- lab status --deploy-rs: Shows deployment details
- lab status -v: Verbose SSH connection info
- lab status -vd: Combined verbose + deploy-rs info
- Real-time generation and system closure information
The hybrid deployment approach is now fully operational with modern safety features while maintaining legacy compatibility.
- Create shared media-group.nix module with fixed GID (993)
- Add both geir and sma users to media group for shared NFS access
- Update NFS server configuration to use root:media ownership with 0775 permissions
- Convert all media services to use media group instead of users group:
- Jellyfin, Calibre-web, Audiobookshelf, Transmission
- Enable group write access to all NFS shares (/mnt/storage/*)
- Maintain security with root ownership while allowing group collaboration
This resolves NFS permission issues by providing consistent group-based access
control across all media services and storage directories.
- Consolidated 25+ common CLI tools into modules/common/base.nix
- Added modern rust-based tools (eza, bat, ripgrep, etc.) system-wide
- Removed duplicated packages from user and machine configs
- Added consistent shell aliases for modern CLI tools
- Fixed gpa alias to properly push to all remotes
- Removed duplicate git-push-all alias from geir.nix
- Added comprehensive documentation in CLI_TOOLS_CONSOLIDATION.md
Benefits:
- Single source of truth for common CLI tools
- Reduced duplication across 7+ configuration files
- Improved git workflow with flexible multi-remote pushing
- Better maintainability and consistency
- Remove duplicate sma user definition from incus.nix module
- The sma user is properly defined in modules/users/sma.nix with incus-admin group
- This resolves the isNormalUser/isSystemUser assertion failure blocking congenital-optimist rebuild
- Clean up grey-area configuration and modularize services
- Update SSH keys with correct IP addresses for grey-area and reverse-proxy
- Fixed networking defaultGateway interface specification for sleeper-service
- Resolved shell alias conflict between geir and sma users
- Changed sma aliases from 'lab' to 'homelab' to avoid conflict
- Created modules/services/nfs.nix for network file sharing
- Updated sleeper-service configuration with NFS and Transmission
- Fixed SSH key management to use direct key configuration
- Updated hardware-configuration to use sleeper-service hostname
- Added firewall ports for Transmission RPC (9091)
- Add modules/security/ssh-keys.nix for centralized SSH key management
- Generate role-specific SSH keys with geir@geokkjer.eu email:
- Admin key (geir@geokkjer.eu-admin) for sma user server access
- Development key (geir@geokkjer.eu-dev) for geir user and git services
- Update SSH client config with role-based host patterns
- Configure users/geir.nix and users/sma.nix with appropriate key access
- Add SSH key setup to both machine configurations
- Create scripts/setup-ssh-keys.sh for key generation automation
- Update plan.md with completed SSH security implementation
Security benefits:
- Principle of least privilege (separate admin vs dev access)
- Limited blast radius if keys are compromised
- Clear usage patterns: ssh admin-sleeper vs ssh geir@sleeper-service.home
- Maintains compatibility with existing services during transition
