module(helix): Change helix theme to gruvbox_dark_soft

home/david/configurations/Akun/default.nix

@@ -35,9 +35,9 @@
       sops.enable = true;
       mpv.enable = true;
       atuin.enable = true;
-      obs.enable = true;
       chromium.enable = true;
       thunderbird.enable = true;
+      alacritty.enable = true;
       # espanso.enable = true;
     };
   };

home/david/configurations/Tytonidae/default.nix

@@ -39,10 +39,10 @@
       kvm.enable = true;
       atuin.enable = true;
       thunderbird.enable = true;
-      obs.enable = true;
       chromium.enable = true;
       espanso.enable = true;
       ion.enable = true;
+      alacritty.enable = true;
     };
   };
 

home/david/modules/programs/niri/config.nix

@@ -35,7 +35,7 @@
   polkit-kde-agent = getExe' pkgs.kdePackages.polkit-kde-agent-1 "polkit-kde-agent";
   wpctl = getExe' pkgs.wireplumber "wpctl";
   swaybg = getExe pkgs.swaybg;
-  ghostty = getExe config.programs.ghostty.package;
+  alacritty = getExe config.programs.alacritty.package;
   wl-paste = getExe' pkgs.wl-clipboard "wl-paste";
   cliphist = getExe' pkgs.cliphist "cliphist";
   cliphist-fuzzel-img = getExe' pkgs.cliphist "cliphist-fuzzel-img";
@@ -57,7 +57,7 @@ in
         ])
         (plain "Mod+T" [
           (spawn [
-            ghostty
+            alacritty
           ])
         ])
         (plain "Mod+Shift+T" [
@@ -471,6 +471,10 @@ in
             app-id = "^com\\.mitchellh\\.ghostty$";
             is-active = true;
           }
+          {
+            app-id = "^Alacritty$";
+            is-active = true;
+          }
         ])
         (leaf "draw-border-with-background" [false])
       ])
@@ -480,6 +484,10 @@ in
             app-id = "^com\\.mitchellh\\.ghostty$";
             is-active = false;
           }
+          {
+            app-id = "^Alacritty$";
+            is-active = false;
+          }
         ])
         (leaf "opacity" [0.8])
         (leaf "draw-border-with-background" [false])

home/modules/programs/alacritty/alacritty.toml

@@ -0,0 +1,28 @@
+[general]
+ipc_socket = true
+live_config_reload = true
+
+[window]
+dynamic_padding = true
+opacity = 0.8
+blur = true
+
+[scrolling]
+history = 100000
+multiplier = 5
+
+[font]
+size = 16
+
+[bell]
+duration = 1
+
+[selection]
+save_to_clipboard = true
+
+[terminal]
+osc52 = "CopyPaste"
+
+[mouse]
+hide_when_typing = true
+

home/modules/programs/alacritty/default.nix

@@ -0,0 +1,30 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}: let
+  cfg = config.youthlic.programs.alacritty;
+in {
+  options = {
+    youthlic.programs.alacritty = {
+      enable = lib.mkEnableOption "alacritty";
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    programs.alacritty = {
+      enable = true;
+      package = pkgs.alacritty_git;
+      settings =
+        (./alacritty.toml |> builtins.readFile |> builtins.fromTOML)
+        // {
+          colors = lib.mkForce {};
+          font.size = lib.mkForce 16;
+          window.opacity = lib.mkForce 0.8;
+          general.import = [
+            "${pkgs.alacritty-theme}/share/alacritty-theme/gruvbox_dark.toml"
+          ];
+        };
+    };
+  };
+}

home/modules/programs/default.nix

@@ -11,7 +11,6 @@
     ./wluma.nix
     ./niri.nix
     ./starship
-    ./obs.nix
     ./fuzzel.nix
     ./mpv.nix
     ./swaylock.nix
@@ -31,5 +30,6 @@
     ./fzf.nix
     ./eza.nix
     ./ion.nix
+    ./alacritty
   ];
 }

home/modules/programs/helix/config.toml

@@ -1,4 +1,4 @@
-theme = "ayu_dark"
+theme = "gruvbox_dark_hard"
 
 [editor]
 line-number = "relative"

nixos/configurations/Akun/default.nix

@@ -32,6 +32,7 @@
       kanata.enable = true;
       tailscale.enable = true;
       wshowkeys.enable = true;
+      obs.enable = true;
     };
   };
   programs.gnupg.agent = {
@@ -69,6 +70,15 @@
     kernelPackages = pkgs.linuxPackages_cachyos;
     loader.systemd-boot.enable = true;
     loader.efi.canTouchEfiVariables = true;
+    kernelParams = ["i915.enable_guc=2"];
+  };
+  nix = {settings = {system-features = ["gccarch-skylake"];};};
+  hardware = {
+    graphics.package = pkgs.mesa_git;
+    intelgpu = {
+      vaapiDriver = "intel-vaapi-driver";
+      enableHybridCodec = true;
+    };
   };
 
   system.stateVersion = "24.11";

nixos/configurations/Cape/default.nix

@@ -62,6 +62,11 @@
   boot.loader.grub = {
     enable = true;
   };
+  nix = {
+    settings = {
+      system-features = ["gccarch-ivybridge"];
+    };
+  };
 
   system.stateVersion = "24.11";
 }

nixos/configurations/Tytonidae/default.nix

@@ -1,5 +1,4 @@
 {
-  lib,
   pkgs,
   inputs,
   ...
@@ -52,6 +51,7 @@
       juicity.client.enable = true;
       owncast.enable = true;
       wshowkeys.enable = true;
+      obs.enable = true;
     };
   };
 
@@ -104,16 +104,6 @@
     loader.efi.canTouchEfiVariables = true;
     initrd.systemd.enable = true;
   };
-  hardware.nvidia = {
-    modesetting.enable = true;
-    open = true;
-    prime = {
-      reverseSync.enable = lib.mkDefault true;
-      intelBusId = "PCI:0:2:0";
-      nvidiaBusId = "PCI:1:0:0";
-    };
-  };
-  nix = {settings = {system-features = ["gccarch-x86-64-v3"];};};
 
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions

nixos/configurations/Tytonidae/hardware.nix

@@ -1,27 +1,28 @@
-{pkgs, ...}: {
+{
+  pkgs,
+  lib,
+  ...
+}: {
   nixpkgs.config.cudaSupport = true;
   services = {
     hardware.bolt.enable = true;
     fstrim.enable = true;
   };
+  nix = {settings = {system-features = ["gccarch-alderlake"];};};
   hardware = {
-    graphics = {
-      extraPackages = with pkgs; [
-        vaapiIntel
-        libva
-        libvdpau-va-gl
-        vaapiVdpau
-        ocl-icd
-        intel-ocl
-        intel-compute-runtime
-        nvidia-vaapi-driver
-        intel-media-driver
-      ];
-      extraPackages32 = with pkgs.pkgsi686Linux; [
-        vaapiVdpau
-        libvdpau-va-gl
-        intel-media-driver
-      ];
+    graphics.package = pkgs.mesa_git;
+    intelgpu = {
+      driver = "xe";
+      vaapiDriver = "intel-media-driver";
+    };
+    nvidia = {
+      modesetting.enable = true;
+      open = true;
+      prime = {
+        reverseSync.enable = lib.mkDefault true;
+        intelBusId = "PCI:0:2:0";
+        nvidiaBusId = "PCI:1:0:0";
+      };
     };
   };
 }

nixos/modules/gui/niri.nix

@@ -29,7 +29,7 @@ in {
       terminal-exec = {
         enable = true;
         settings = {
-          default = ["com.mitchellh.ghostty.desktop"];
+          default = ["Alacritty.desktop"];
         };
       };
       mime = {

nixos/modules/programs/default.nix

@@ -26,5 +26,6 @@
     ./radicle.nix
     ./wshowkeys.nix
     ./bash.nix
+    ./obs.nix
   ];
 }

nixos/modules/programs/kvm.nix

@@ -26,6 +26,7 @@ in {
     virtualisation = {
       libvirtd = {
         enable = true;
+        qemu.vhostUserPackages = with pkgs; [virtiofsd];
       };
       spiceUSBRedirection = {
         enable = true;

nixos/modules/programs/obs.nix

@@ -1,7 +1,7 @@
 {
   pkgs,
-  config,
   lib,
+  config,
   ...
 }: let
   cfg = config.youthlic.programs.obs;
@@ -16,11 +16,9 @@ in {
       enable = true;
       plugins = with pkgs.obs-studio-plugins; [
         obs-source-record
-        obs-vaapi
-        obs-vkcapture
-        obs-webkitgtk
         obs-pipewire-audio-capture
       ];
+      enableVirtualCamera = true;
     };
   };
 }

overlays/additions/default.nix

@@ -5,6 +5,7 @@ in
     ./TrackersListCollection.nix
     ./OuterWildsTextAdventure.nix
     ./editor-runtime.nix
+    ./radicle-ci-broker.nix
   ]
   |> map (file: import file args)
   |> (overlays: (lib.composeManyExtensions overlays) final prev)

overlays/additions/radicle-ci-broker.nix

@@ -0,0 +1,5 @@
+{outputs, ...}: _final: prev: let
+  inherit (prev.stdenv.hostPlatform) system;
+in {
+  inherit (outputs.packages.${system}) radicle-ci-broker;
+}

overlays/modifications/default.nix

@@ -11,6 +11,8 @@ in
     # ./QQ.nix
     ./helix.nix
     ./cliphist.nix
+
+    ./fix-lix
   ]
   |> map (file: import file args)
   |> (overlays: (lib.composeManyExtensions overlays) final prev)

overlays/modifications/fix-lix/default.nix

@@ -0,0 +1,5 @@
+{...}: _final: prev: {
+  lix = prev.lix.overrideAttrs {
+    patches = [./fix-cve-2025-52992.diff];
+  };
+}

overlays/modifications/fix-lix/fix-cve-2025-52992.diff

@@ -0,0 +1,267 @@
+diff --git a/doc/manual/rl-next/correct-cleanup-redirected-stores.md b/doc/manual/rl-next/correct-cleanup-redirected-stores.md
+new file mode 100644
+index 000000000..a5d4a55a8
+--- /dev/null
++++ b/doc/manual/rl-next/correct-cleanup-redirected-stores.md
+@@ -0,0 +1,18 @@
++---
++synopsis: "Correct cleanup in redirected stores"
++issues: []
++cls: [3493]
++category: "Fixes"
++credits: ["horrors"]
++---
++
++Following CVE-2025-52992, the Lix team implemented automatic cleanup of
++*scratch outputs*, store paths written but not yet registered (e.g.
++`/nix/store/...`).
++
++In setups using redirected stores, cleanup was mistakenly applied to the
++logical store path (always under `/nix/store`) rather than the actual physical
++location on disk.
++
++This could result in accidental deletion from the system
++store instead of the intended redirected store.
+diff --git a/doc/manual/rl-next/infallible-build-dirs.md b/doc/manual/rl-next/infallible-build-dirs.md
+new file mode 100644
+index 000000000..563d4fcde
+--- /dev/null
++++ b/doc/manual/rl-next/infallible-build-dirs.md
+@@ -0,0 +1,25 @@
++---
++synopsis: "Fallback to safe temp dir when build-dir is unwritable"
++issues: [fj#876]
++cls: [3501]
++category: "Fixes"
++credits: ["raito", "horrors"]
++---
++
++Non-daemon builds started failing with a permission error after introducing the `build-dir` option:
++
++```
++$ nix build --store ~/scratch nixpkgs#hello --rebuild
++error: creating directory '/nix/var/nix/builds/nix-build-hello-2.12.2.drv-0': Permission denied
++```
++
++This happens because:
++
++1. These builds are not run via the daemon, which owns `/nix/var/nix/builds`.
++2. The user lacks permissions for that path.
++
++We considered making `build-dir` a store-level option and defaulting it to `<chroot-root>/nix/var/nix/builds` for chroot stores, but opted instead for a fallback: if the default fails, Nix now creates a safe build directory under `/tmp`.
++
++To avoid CVE-2025-52991, the fallback uses an extra path component between `/tmp` and the build dir.
++
++**Note**: this fallback clutters `/tmp` with build directories that are not cleaned up. To prevent this, explicitly set `build-dir` to a path managed by Lix, even for local workloads.
+diff --git a/doc/manual/rl-next/valid-outputs-deletion.md b/doc/manual/rl-next/valid-outputs-deletion.md
+new file mode 100644
+index 000000000..f56112f41
+--- /dev/null
++++ b/doc/manual/rl-next/valid-outputs-deletion.md
+@@ -0,0 +1,22 @@
++---
++synopsis: "Do not delete valid outputs after build"
++issues: [fj#883]
++cls: [3494]
++category: "Fixes"
++credits: ["horrors"]
++---
++
++In response to CVE-2025-52992, the Lix team introduced automatic deletion of
++*scratch outputs*, store paths written but not yet registered (e.g. in
++`/nix/store`).
++
++However, the control flow distinguishing scratch outputs from valid ones is
++complex. A logic error caused valid outputs, especially those obtained via
++closure copies (e.g. remote builds), to be deleted post-build.
++
++This led to breakage in Lix and could potentially render entire systems
++unusable by removing critical libraries.
++
++We are sorry for the severity of this bug and are taking steps to prevent its
++recurrence. If your system is affected, please reach out on our support
++channels for recovery assistance.
+diff --git a/lix/libstore/build/local-derivation-goal.cc b/lix/libstore/build/local-derivation-goal.cc
+index c866a3b66..247943e5c 100644
+--- a/lix/libstore/build/local-derivation-goal.cc
++++ b/lix/libstore/build/local-derivation-goal.cc
+@@ -487,17 +487,47 @@ try {
+         });
+     }
+ 
+-    createDirs(settings.buildDir.get());
+-
+-    /* Create a temporary directory where the build will take
+-       place. */
+-    tmpDir = createTempDir(
+-        settings.buildDir.get(),
+-        "nix-build-" + std::string(drvPath.name()),
+-        false,
+-        false,
+-        0700
+-    );
++    try {
++        auto buildDir = worker.buildDirOverride.value_or(settings.buildDir.get());
++
++        createDirs(buildDir);
++
++        /* Create a temporary directory where the build will take
++           place. */
++        tmpDir =
++            createTempDir(buildDir, "nix-build-" + std::string(drvPath.name()), false, false, 0700);
++    } catch (SysError & e) {
++        /*
++         * Fallback to the global tmpdir and create a safe space there
++         * only if it's a permission error.
++         */
++        if (e.errNo != EACCES) {
++            throw;
++        }
++
++        auto globalTmp = defaultTempDir();
++        createDirs(globalTmp);
++#if __APPLE__
++        /* macOS filesystem namespacing does not exist, to avoid breaking builds, we need to weaken
++         * the mode bits on the top-level directory. This avoids issues like
++         * https://github.com/NixOS/nix/pull/11031. */
++        constexpr int toplevelDirMode = 0755;
++#else
++        constexpr int toplevelDirMode = 0700;
++#endif
++        auto nixBuildsTmp =
++            createTempDir(globalTmp, fmt("nix-builds-%s", geteuid()), false, false, toplevelDirMode);
++        warn(
++            "Failed to use the system-wide build directory '%s', falling back to a temporary "
++            "directory inside '%s'",
++            settings.buildDir.get(),
++            nixBuildsTmp
++        );
++        worker.buildDirOverride = nixBuildsTmp;
++        tmpDir = createTempDir(
++            nixBuildsTmp, "nix-build-" + std::string(drvPath.name()), false, false, 0700
++        );
++    }
+     /* The TOCTOU between the previous mkdir call and this open call is unavoidable due to
+      * POSIX semantics.*/
+     tmpDirFd = AutoCloseFD{open(tmpDir.c_str(), O_RDONLY | O_NOFOLLOW | O_DIRECTORY)};
+@@ -538,7 +568,9 @@ try {
+         /* Schedule this scratch output path for automatic deletion
+          * if we do not cancel it, e.g. when registering the outputs.
+          */
+-        scratchOutputsCleaner.insert_or_assign(outputName, worker.store.printStorePath(scratchPath));
++        scratchOutputsCleaner.emplace(
++            outputName, worker.store.toRealPath(worker.store.printStorePath(scratchPath))
++        );
+ 
+         /* Substitute output placeholders with the scratch output paths.
+            We'll use during the build. */
+@@ -1739,6 +1771,11 @@ try {
+                before this for loop. */
+             if (*scratchPath != finalStorePath)
+                 outputRewrites[std::string { scratchPath->hashPart() }] = std::string { finalStorePath.hashPart() };
++            /* Cancel automatic deletion of that output if it was a scratch output that we just
++             * registered. */
++            if (auto cleaner = scratchOutputsCleaner.extract(outputName)) {
++                cleaner.mapped().cancel();
++            }
+         };
+ 
+         auto orifu = get(outputReferencesIfUnregistered, outputName);
+@@ -2063,10 +2100,6 @@ try {
+            the next iteration */
+         if (newInfo.ca) {
+             TRY_AWAIT(localStore.registerValidPaths({{newInfo.path, newInfo}}));
+-            /* Cancel automatic deletion of that output if it was a scratch output. */
+-            if (auto cleaner = scratchOutputsCleaner.extract(outputName)) {
+-                cleaner.mapped().cancel();
+-            }
+         }
+ 
+         infos.emplace(outputName, std::move(newInfo));
+@@ -2107,13 +2140,6 @@ try {
+             infos2.insert_or_assign(newInfo.path, newInfo);
+         }
+         TRY_AWAIT(localStore.registerValidPaths(infos2));
+-
+-        /* Cancel automatic deletion of that output if it was a scratch output that we just registered. */
+-        for (auto & [outputName, _ ] : infos) {
+-            if (auto cleaner = scratchOutputsCleaner.extract(outputName)) {
+-                cleaner.mapped().cancel();
+-            }
+-        }
+     }
+ 
+     /* In case of a fixed-output derivation hash mismatch, throw an
+diff --git a/lix/libstore/build/worker.hh b/lix/libstore/build/worker.hh
+index 7fc3d1fe9..d9dc36e34 100644
+--- a/lix/libstore/build/worker.hh
++++ b/lix/libstore/build/worker.hh
+@@ -195,6 +195,7 @@ public:
+     Store & store;
+     Store & evalStore;
+     AsyncSemaphore substitutions, localBuilds;
++    std::optional<Path> buildDirOverride;
+ 
+ private:
+     kj::TaskSet children;
+diff --git a/tests/functional/build.sh b/tests/functional/build.sh
+index 58fba83aa..fc83f61f3 100644
+--- a/tests/functional/build.sh
++++ b/tests/functional/build.sh
+@@ -174,3 +174,8 @@ test "$(<<<"$out" grep -E '^error:' | wc -l)" = 3
+ <<<"$out" grepQuiet -E "error: 2 dependencies of derivation '.*-x4\\.drv' failed to build"
+ <<<"$out" grepQuiet -vE "hash mismatch in fixed-output derivation '.*-x3\\.drv'"
+ <<<"$out" grepQuiet -vE "hash mismatch in fixed-output derivation '.*-x2\\.drv'"
++
++# Ensure when if the system build dir is inaccessible, we can still build things
++BUILD_DIR=$(mktemp -d)
++chmod 0000 "$BUILD_DIR"
++nix --build-dir "$BUILD_DIR" build -E 'with import ./config.nix; mkDerivation { name = "test"; buildCommand = "echo rawr > $out"; }' --impure --no-link
+diff --git a/tests/functional/linux-sandbox.sh b/tests/functional/linux-sandbox.sh
+index 82f363a09..526605e5f 100644
+--- a/tests/functional/linux-sandbox.sh
++++ b/tests/functional/linux-sandbox.sh
+@@ -81,3 +81,10 @@ testCert present fixed-output "$certsymlink"
+ 
+ # Symlinks should be added in the sandbox directly and not followed
+ nix-sandbox-build symlink-derivation.nix
++
++# Regression fj#883: derivations outputs disappearing after rebuild
++# build the derivation for both its outputs and delete one of them.
++# simulates substitution or copying only one output from a builder.
++nix-store --delete $(nix-sandbox-build --no-out-link ./regression-fj883.nix -A base.lib)
++# build a derivation depending on previous one. this should succeed
++nix-sandbox-build --no-out-link ./regression-fj883.nix -A downstream
+diff --git a/tests/functional/regression-fj883.nix b/tests/functional/regression-fj883.nix
+new file mode 100644
+index 000000000..2317145b7
+--- /dev/null
++++ b/tests/functional/regression-fj883.nix
+@@ -0,0 +1,15 @@
++with import ./config.nix;
++
++rec {
++  base = mkDerivation {
++    name = "base";
++    outputs = [ "out" "lib" ];
++    buildCommand = "echo > $out; echo > $lib";
++  };
++
++  downstream = mkDerivation {
++    name = "downstream";
++    deps = [ base.out base.lib ];
++    buildCommand = "echo $deps > $out";
++  };
++}
+diff --git a/version.json b/version.json
+index 22b83defe..a39a6e7e2 100644
+--- a/version.json
++++ b/version.json
+@@ -1,5 +1,5 @@
+ {
+-    "version": "2.93.1",
+-    "official_release": true,
++    "version": "2.93.2",
++    "official_release": false,
+     "release_name": "Bici Bici"
+ }

pkgs/_sources/generated.json

@@ -22,7 +22,7 @@
     },
     "TrackersListCollection": {
         "cargoLocks": null,
-        "date": "2025-06-22",
+        "date": "2025-06-25",
         "extract": null,
         "name": "TrackersListCollection",
         "passthru": null,
@@ -34,14 +34,14 @@
             "name": null,
             "owner": "XIU2",
             "repo": "TrackersListCollection",
-            "rev": "5a0135a913cd27cea026bd558d0319da3630f327",
-            "sha256": "sha256-YllDv9VEmBCWV0YrdD2yO54foDy/m+9FR2NBwEpSiCY=",
+            "rev": "f3079ce280d1597cc2b3adfd0a04e0632736e5f7",
+            "sha256": "sha256-GSG49cgGexdhn87tr8c6bCk0ySzsLWC23cWo6UvHDqE=",
             "sparseCheckout": [
                 "all.txt"
             ],
             "type": "github"
         },
-        "version": "5a0135a913cd27cea026bd558d0319da3630f327"
+        "version": "f3079ce280d1597cc2b3adfd0a04e0632736e5f7"
     },
     "cliphist": {
         "cargoLocks": null,
@@ -130,6 +130,26 @@
         },
         "version": "Serif2.003"
     },
+    "radicle-ci-broker": {
+        "cargoLocks": null,
+        "date": "2025-06-18",
+        "extract": null,
+        "name": "radicle-ci-broker",
+        "passthru": null,
+        "pinned": false,
+        "src": {
+            "deepClone": false,
+            "fetchSubmodules": false,
+            "leaveDotGit": false,
+            "name": null,
+            "rev": "d824691e1aeccd557b2deeb2cdfb18d275e15f3e",
+            "sha256": "sha256-bj+JR26bqBE/WBcIbIUZU0r9JqgkEIGSb8nv3GdF72Q=",
+            "sparseCheckout": [],
+            "type": "git",
+            "url": "https://seed.radicle.garden/zwTxygwuz5LDGBq255RA2CbNGrz8.git"
+        },
+        "version": "d824691e1aeccd557b2deeb2cdfb18d275e15f3e"
+    },
     "spotx": {
         "cargoLocks": null,
         "date": "2025-06-18",

pkgs/_sources/generated.nix

@@ -15,18 +15,18 @@
   };
   TrackersListCollection = {
     pname = "TrackersListCollection";
-    version = "5a0135a913cd27cea026bd558d0319da3630f327";
+    version = "f3079ce280d1597cc2b3adfd0a04e0632736e5f7";
     src = fetchFromGitHub {
       owner = "XIU2";
       repo = "TrackersListCollection";
-      rev = "5a0135a913cd27cea026bd558d0319da3630f327";
+      rev = "f3079ce280d1597cc2b3adfd0a04e0632736e5f7";
       fetchSubmodules = false;
       deepClone = false;
       leaveDotGit = false;
       sparseCheckout = [ "all.txt" ];
-      sha256 = "sha256-YllDv9VEmBCWV0YrdD2yO54foDy/m+9FR2NBwEpSiCY=";
+      sha256 = "sha256-GSG49cgGexdhn87tr8c6bCk0ySzsLWC23cWo6UvHDqE=";
     };
-    date = "2025-06-22";
+    date = "2025-06-25";
   };
   cliphist = {
     pname = "cliphist";
@@ -82,6 +82,20 @@
       sha256 = "sha256-mfbBSdJrUCZiUUmsmndtEW6H3z6KfBn+dEftBySf2j4=";
     };
   };
+  radicle-ci-broker = {
+    pname = "radicle-ci-broker";
+    version = "d824691e1aeccd557b2deeb2cdfb18d275e15f3e";
+    src = fetchgit {
+      url = "https://seed.radicle.garden/zwTxygwuz5LDGBq255RA2CbNGrz8.git";
+      rev = "d824691e1aeccd557b2deeb2cdfb18d275e15f3e";
+      fetchSubmodules = false;
+      deepClone = false;
+      leaveDotGit = false;
+      sparseCheckout = [ ];
+      sha256 = "sha256-bj+JR26bqBE/WBcIbIUZU0r9JqgkEIGSb8nv3GdF72Q=";
+    };
+    date = "2025-06-18";
+  };
   spotx = {
     pname = "spotx";
     version = "181fd7fc8fe838237660a46ae096570d869bc30f";

pkgs/default.nix

@@ -21,6 +21,7 @@ in
     QQ = callPackage ./QQ.nix {};
     editor-runtime = callPackage ./editor-runtime.nix {};
     cliphist = callPackage ./cliphist.nix {};
+    radicle-ci-broker = callPackage ./radicle-ci-broker.nix {};
 
     noto-serif-cjk = callPackage ./noto-serif-cjk.nix {};
     noto-sans-cjk = callPackage ./noto-sans-cjk.nix {};

pkgs/nvfetcher.toml

@@ -37,3 +37,7 @@ fetch.github = "top-mind/OuterWildsTextAdventureWeb"
 [cliphist]
 src.git = "https://github.com/sentriz/cliphist.git"
 fetch.github = "sentriz/cliphist"
+
+[radicle-ci-broker]
+src.git = "https://seed.radicle.garden/zwTxygwuz5LDGBq255RA2CbNGrz8.git"
+fetch.git = "https://seed.radicle.garden/zwTxygwuz5LDGBq255RA2CbNGrz8.git"

pkgs/radicle-ci-broker.nix

@@ -0,0 +1,20 @@
+{
+  rustPlatform,
+  srcs,
+  git,
+}: let
+  inherit (srcs) radicle-ci-broker;
+in
+  rustPlatform.buildRustPackage (finalAttrs: {
+    pname = "radicle-ci-broker";
+    version = "0-unstable-${radicle-ci-broker.date}-git${radicle-ci-broker.version}";
+    inherit (radicle-ci-broker) src;
+    nativeBuildInputs = [git];
+
+    cargoLock = {
+      lockFile = "${finalAttrs.src}/Cargo.lock";
+      allowBuiltinFetchGit = true;
+    };
+
+    doCheck = false;
+  })

secrets/general.yaml

@@ -4,7 +4,7 @@ rustypaste:
     delete: ENC[AES256_GCM,data:fbhJiJhh4YSMZQ6/dfquesJE0sNSn2PUkbjtJmisj5qHtsM=,iv:M1R7giNyLhbj98iiCPENQy44Ixqnie1PHlNcsVs5TLs=,tag:zdBbZ4NR7D4HxsxCizTliw==,type:str]
 miniflux: ENC[AES256_GCM,data:8u9ElF2LAsIZmq7U8oZJM367y6EAy0si4ZXhpdisYa/PjV70SybUWhrahBft86QB71l8KtLUVuF3Ins=,iv:q7vJzxZICGNv/IaHKDpV50Pc9P4rIwcvfz2+uS1AnyI=,tag:ycwVU3RqfBoXRZQMv653xQ==,type:str]
 atuin-key: ENC[AES256_GCM,data:e3K7/7BaeXuR+vHJdtO79UQp3XRvROcD8ISkuCp3KGCSlBKUM3GuCwhIeFoIl0fOUqVYOzcCAcjsH2nBRqcXhtS8jhM=,iv:Mh3jsu6mdj0VOLSIoNz/0awyydVf7q3/E7iB7CJi+UA=,tag:xuHhUmK/J2stdjRrtbhQSw==,type:str]
-access-tokens: ENC[AES256_GCM,data:Y1qJQaOYHIednHAYpcMVWk+5j5E27QDXrlTAfu/jt7prCxucrQHV7GR2xp7TrXPENDD/lkx9IrRsEKCF7FKIwMDSsfXu5mHt5iRv1dI5itXSlxs4R+r11/rj8S7CHWG/ajOlOwxGyQKHf8O6Q2pHxnDsI7aP7qlC,iv:yrkY/Bb4+ZiLXaTNQ5VD+UO1jf8HfoqEloBCoSRR7l0=,tag:U53qyWVbrKI5tZVagyJSxQ==,type:str]
+access-tokens: ENC[AES256_GCM,data:/KBOmXN4LgRmO0axaeKqtmKy0W16OZQt6faNL/T7hxXYw1bDzImNNH4BAg6Lu6Tf15jaMgsqtr9eL3SRjVs7RelRhh7snaJVsrIs59bZ9awn5UvH4rHI0ktXvXwQnKMdwrHnrYURcCWOf+7s99I+50U1o1cDmJF0,iv:rhKP7qccP4DVxzgsaq3rEU39E9zn9EqNV9XzTJfs3O0=,tag:ezX0he1kidCkBGxeQHZNQw==,type:str]
 matrix-telegram-bot: ENC[AES256_GCM,data:4G9JSR4l3043SM63gvJr0xBFuS11eoesi9rrobTxN9HpEGNklYDWHH/+Bm7P/2Bxnye3CiO/Z8KffvbjH8slRHLtbSpo8lRsfi9uRAbeMl7aXe/nTjpN078QSN3WXXc9XqYq0sxwNKPrnW3bmPQsHUiykZ3Go5A9Qw1iIPvPpXITyNbeD0gA+2CBB7PIURI7X0PIgSfUtMFZvl2J9znqCnlfC41bj6aC3sywsEkpuFJiMEojrwl+XmVS/u4eNMq8KiofVn9QlGx5gdGZ9LfZZdc+8E6u5GovqP2JTwwfaeZPzdwdZ2YsdoAvmgAusMfjCNZvHF7msLsOyNJW4592ZC7+fHhRbkKnVKc3OwA4ILWd9Jl0p0BoS0Ckn3V5nUQFgxVJ2O0yd/FLFaEqbeBLHNqC6u9CTYk82Uy23ilXQYKIc9h2wQkM329E6j9Mk0f9uavoYVPkpz6ahLzcni2W26FUkeaZ7PkrHmHWfJvvvi32GB4+q1m0phPmcd3cKVhXhbhLXiBcx2Rj7Q==,iv:Br0w0SiYajFr8p5CZEg47x3KpJ+AOleHthsEc3ho4YI=,tag:k+wptcSnNzfefF66Ug824Q==,type:str]
 matrix-reg-token: ENC[AES256_GCM,data:Cr5560L9gQo/tKUz1sQOAg5dckI6SyDxeNyrjW4oI6qkV8bxUrMaAGnVkkeF9TF9FgAnRb+7Lm+axd2SmkPWnqrLll2NzLC01zXht9Mq9RroAPXFraEV1X1Ge1qAAtkr,iv:42r93HLVDKuDCOYlfem7oi3gcHfhDYiNbFKOCHxim+o=,tag:9hWGQrWHsv2eYNgFlHtfeA==,type:str]
 ssh-private-key:
@@ -54,7 +54,7 @@ sops:
             a1Y1NU9CK2h1SS83VW42bzBMa01yMXMKI1DBtgNlkNCrxUQvnD6a45mQKNfg5gM4
             Zb5buo9Jofj4dn/HFwng3T3gxKTrP2Dh74CAH4L0M5yrF9fzk5TCcQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-05-12T11:16:40Z"
-    mac: ENC[AES256_GCM,data:+c/i6oH4tOoBr8Uouej+v3lYGMbTjo3bti23Lh6IKA+o79pennRj9v7FEv21DcEwdlH+ebFvZgZwqS5c6cnbQFJkSKLPq15ecQXWEXAPklCV5C0tF3CHy5SgJxaQExYqcbq4/vdrWgKb1Bk53H32KfP1hzPdrr1aFe0jS8IZOSk=,iv:10G6Oc2Azeur1mt4pMj3kEI7g2CeDzhlUPfwz43C0QE=,tag:fN20RLv7pebWBV+trSSXsQ==,type:str]
+    lastmodified: "2025-06-27T15:03:19Z"
+    mac: ENC[AES256_GCM,data:G166RcgIytsJj7tVt40YNLPn3rmQu0KTIDmUECY3M7ft/+M1wz1JDlFKj7l8e1/xqa+FIE+Sny5yT/WLRUpbtv1fG4lJeqmJqbOoYiOOPgxR8Sse/aA+RU08ZvyYBV1Shm+NThjVjzJQWpwaDISYHkdUiwQ7bt+l5XXIJiveOoY=,iv:I4MkRMke8+quCnMhE6F1d/uhHXFV2blFk3pH+HRMs/k=,tag:r8LCUbaPsddtUghMUSYYww==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2