bd daemon sync: 2026-01-08 18:09:41

Dan 2026-01-08 18:09:41 -08:00
parent 45119741c6
commit cbadce5870


@ -121,6 +121,7 @@
{"id":"ops-jrz1-nwv","title":"Package graphite CLI (gt) for NixOS","description":"Graphite CLI (gt) is not in nixpkgs. Need to package it.\n\n## Research needed\n- How is gt distributed? (npm, binary, go?)\n- Is there an existing nix package or flake?\n- If not, create minimal derivation\n\n## Options\n1. Find existing flake/overlay\n2. Use buildNpmPackage if it's npm-based\n3. Fetch pre-built binary\n\n## Once packaged\nAdd to system packages via flake input pattern (same as beads).","status":"closed","priority":3,"issue_type":"task","created_at":"2026-01-02T16:36:04.374192123-08:00","created_by":"dan","updated_at":"2026-01-02T16:37:46.981193033-08:00","closed_at":"2026-01-02T16:37:46.981193033-08:00","close_reason":"Wrong tool - gt is gastown, not graphite"}
{"id":"ops-jrz1-o2h","title":"Consider making --archive default in dev-remove.sh","description":"scripts/dev-remove.sh defaults to permanent delete; archive is opt-in. Easy to accidentally lose data. Consider making --archive default with --force for delete.","status":"open","priority":4,"issue_type":"task","created_at":"2026-01-05T15:44:41.504268553-08:00","created_by":"dan","updated_at":"2026-01-05T15:44:41.504268553-08:00"}
{"id":"ops-jrz1-o9c","title":"Create admin-scripts package for systemPackages","description":"Package learner-add.sh, learner-remove.sh using writeShellApplication. Add to environment.systemPackages so they're available in PATH for interactive admin use.","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-03T08:45:35.623169977-08:00","created_by":"dan","updated_at":"2026-01-03T09:20:08.655105165-08:00","closed_at":"2026-01-03T09:20:08.655105165-08:00","close_reason":"Implemented admin-scripts (learner-add, learner-remove) using writeShellApplication, added to systemPackages"}
{"id":"ops-jrz1-ofw","title":"Implement password delivery for Forgejo provisioning","description":"Choose and implement password delivery mechanism for auto-provisioned Forgejo users.\n\n## Options\n1. Print to terminal (simple, visible in scrollback)\n2. Write to ~/.forgejo-credentials (secure file, mode 600)\n3. Hybrid: file + pointer in onboarding message\n\n## Decision needed\n- Which approach fits our security/usability tradeoff?\n- Should file auto-delete after first use?\n\n## Depends on\n- s6p research findings","status":"open","priority":3,"issue_type":"task","created_at":"2026-01-08T18:09:41.352537918-08:00","created_by":"dan","updated_at":"2026-01-08T18:09:41.352537918-08:00","dependencies":[{"issue_id":"ops-jrz1-ofw","depends_on_id":"ops-jrz1-s6p","type":"blocks","created_at":"2026-01-08T18:09:41.405676758-08:00","created_by":"dan"}]}
{"id":"ops-jrz1-oxx","title":"Add disk quota or watchdog for /home","description":"No disk limits for users. Could fill /home. Options: ext4 quotas, btrfs subvolume limits, or simple watchdog.","status":"open","priority":3,"issue_type":"task","created_at":"2026-01-03T08:40:26.188569342-08:00","created_by":"dan","updated_at":"2026-01-03T08:40:26.188569342-08:00"}
{"id":"ops-jrz1-p2d","title":"Add egress connection logging","description":"Log all new outbound connections for forensics.\n\n## Config\n```nix\nnetworking.firewall.extraCommands = ''\n # Log all new outbound from regular users\n iptables -A OUTPUT -m state --state NEW -m owner --uid-owner 1000:65534 \\\n -j LOG --log-prefix \"EGRESS: \" --log-level info\n'';\n```\n\n## Usage\n```bash\n# View egress logs\njournalctl -k | grep EGRESS\n\n# Watch live\njournalctl -kf | grep EGRESS\n```\n\n## Notes\n- Logs before rate limit rules (if both implemented)\n- Includes source UID, dest IP, dest port","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-02T20:17:39.566590459-08:00","created_by":"dan","updated_at":"2026-01-02T21:12:35.575052381-08:00","closed_at":"2026-01-02T21:12:35.575052381-08:00","close_reason":"Closed"}
{"id":"ops-jrz1-qgm","title":"Create musiclink NixOS service with buildGoModule","description":"Add systemd service for musiclink bot:\n\n1. Build Go binary with pkgs.buildGoModule from /home/dan/proj/musiclink\n2. Create systemd.services.musiclink with:\n - DynamicUser for isolation\n - StateDirectory for config\n - Hardening (ProtectSystem, ProtectHome, NoNewPrivileges)\n - After/Requires matterbridge.service\n3. Restart policy on failure\n\nAlternative: fetchFromGitHub if we push to git.clarun.xyz","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-08T12:59:08.021057917-08:00","created_by":"dan","updated_at":"2026-01-08T16:18:17.943916003-08:00","closed_at":"2026-01-08T16:18:17.943916003-08:00","close_reason":"Handed off to musiclink team. They can use Odesli API (free, no creds) or get Spotify creds themselves.","dependencies":[{"issue_id":"ops-jrz1-qgm","depends_on_id":"ops-jrz1-kpw","type":"blocks","created_at":"2026-01-08T15:56:08.088021978-08:00","created_by":"dan"}]}