diff --git a/.forgejo/workflows/auto-deploy-rs.yml b/.forgejo/workflows/auto-deploy-rs.yml
new file mode 100644
index 00000000..b317deac
--- /dev/null
+++ b/.forgejo/workflows/auto-deploy-rs.yml
@@ -0,0 +1,89 @@
+# yamllint disable rule:line-length rule:truthy
+---
+name: Cron - deploy-rs
+run-name: ${{ github.actor }} - deploy-rs
+on:
+ schedule:
+ - cron: '0 2 * * 0'
+ # “At 02:00 Sunday."
+ workflow_dispatch:
+
+jobs:
+ deploy-rs:
+ runs-on: headscale-runner
+ container:
+ image: git.sysctl.io/albert/actions-container-images/headscale-runner:latest
+ options: --mount type=bind,src=/dev/net/tun,dst=/dev/net/tun --privileged
+ steps:
+ - name: "Install SSH Keys"
+ run: |
+ echo "${{ secrets.SSH_PUBLIC_KEY }}" > /root/.ssh/id_ed25519.pub
+ echo "${{ secrets.SSH_PRIVATE_KEY }}" > /root/.ssh/id_ed25519
+ chmod 700 /root/.ssh
+ chmod 600 /root/.ssh/id_ed25519
+ chmod 644 /root/.ssh/id_ed25519.pub
+ cat /etc/hosts.template > /etc/hosts
+
+ - name: "Connect to Headscale"
+ run: |
+ set -x
+ sudo tailscaled --cleanup
+ sudo tailscaled --no-logs-no-support --state=mem: 2> ~/tailscaled.log &
+ sudo tailscale up \
+ --login-server=https://headscale.sysctl.io \
+ --accept-routes \
+ --accept-dns \
+ --authkey ${{ secrets.TAILSCALE_KEY }} \
+ --hostname forgejo-runner \
+ --advertise-tags "tag:forgejo,tag:container,tag:ephemeral"
+
+ - name: "nixos-version (Pre)"
+ run: |
+ ssh -q -A -o StrictHostKeyChecking=no albert@warsaw-ovh-01 \
+ "
+ nixos-version
+ "
+
+ - name: "SSH and Deploy"
+ run: |
+ ssh -q -A -o StrictHostKeyChecking=no albert@warsaw-ovh-01 \
+ "
+ set -x
+ eval (ssh-agent -c)
+ ssh-add
+ env | grep SSH
+ cd /etc/nixos/git
+ git pull
+ ssh -qA osaka-linode-01 'sudo systemctl restart podman-derp'
+ ssh -qA frankfurt-linode-01 'sudo systemctl restart podman-derp'
+ ssh -qA milan-linode-01 'sudo systemctl restart podman-derp'
+ ssh -qA warsaw-ovh-01 'sudo systemctl restart container@rdesktop'
+ sleep 30
+ deploy -sd
+ deploy -sd
+ "
+
+ - name: "nixos-version (Post)"
+ run: |
+ ssh -q -A -o StrictHostKeyChecking=no albert@warsaw-ovh-01 \
+ "
+ nixos-version
+ "
+ tailscale down
+
+ - if: success()
+ uses: https://git.sysctl.io/actions/gotify-action@master
+ with:
+ gotify_api_base: '${{ secrets.GOTIFY_URL }}'
+ gotify_app_token: '${{ secrets.GOTIFY_TOKEN }}'
+ notification_title: '[ ${{ github.repository }}: ${{ github.workflow }} ] NixOS Deployed'
+ notification_message: 'Deployment completed successfully.'
+ name: "Send Notification - Success"
+ - if: failure()
+ uses: https://git.sysctl.io/actions/gotify-action@master
+ with:
+ gotify_api_base: '${{ secrets.GOTIFY_URL }}'
+ gotify_app_token: '${{ secrets.GOTIFY_TOKEN }}'
+ notification_title: '[ ${{ github.repository }}: ${{ github.workflow }} ] Deployment Failed'
+ notification_message: 'Your deployment has failed. Check Forgejo.'
+ name: "Send Notification - Failure"
diff --git a/.forgejo/workflows/update-flake-lock.yml b/.forgejo/workflows/update-flake-lock.yml
new file mode 100644
index 00000000..76ea4806
--- /dev/null
+++ b/.forgejo/workflows/update-flake-lock.yml
@@ -0,0 +1,82 @@
+# yamllint disable rule:line-length rule:truthy
+---
+name: Cron - Flake Lock Update
+run-name: ${{ github.actor }} - update-flake-lock
+on:
+ schedule:
+ - cron: '0 0 * * 0'
+ # “At 00:00 Sunday."
+ workflow_dispatch:
+
+jobs:
+ update-flake-lock:
+ runs-on: headscale-runner
+ container:
+ image: git.sysctl.io/albert/actions-container-images/headscale-runner:latest
+ options: --mount type=bind,src=/dev/net/tun,dst=/dev/net/tun --privileged
+ steps:
+ - name: "Install SSH Keys"
+ run: |
+ echo "${{ secrets.SSH_PUBLIC_KEY }}" > /root/.ssh/id_ed25519.pub
+ echo "${{ secrets.SSH_PRIVATE_KEY }}" > /root/.ssh/id_ed25519
+ chmod 700 /root/.ssh
+ chmod 600 /root/.ssh/id_ed25519
+ chmod 644 /root/.ssh/id_ed25519.pub
+ cat /etc/hosts.template > /etc/hosts
+
+ - name: "Connect to Headscale"
+ run: |
+ set -x
+ sudo tailscaled --cleanup
+ sudo tailscaled --no-logs-no-support --state=mem: 2> ~/tailscaled.log &
+ sudo tailscale up \
+ --login-server=https://headscale.sysctl.io \
+ --accept-routes \
+ --accept-dns \
+ --authkey ${{ secrets.TAILSCALE_KEY }} \
+ --hostname forgejo-runner \
+ --advertise-tags "tag:forgejo,tag:container,tag:ephemeral"
+
+ - name: "SSH and Update / Check"
+ run: |
+ ssh -q -A -o StrictHostKeyChecking=no albert@warsaw-ovh-01 \
+ "
+ set -x
+ eval (ssh-agent -c)
+ ssh-add
+ env | grep SSH
+ cd /etc/nixos/git
+ git pull
+ nix flake update
+ nix flake check --show-trace
+ "
+
+ - if: success()
+ name: "Sucess: Git Commit & Push"
+ run: |
+ ssh -q -A -o StrictHostKeyChecking=no albert@warsaw-ovh-01 \
+ "
+ set -x
+ eval (ssh-agent -c)
+ ssh-add
+ env | grep SSH
+ cd /etc/nixos/git
+ git -c commit.gpgsign=false commit -am '[ACTIONS] Flake Update (`date +%Y-%m-%d`)' \
+ && git push
+ "
+
+ - if: success()
+ uses: https://git.sysctl.io/actions/gotify-action@master
+ with:
+ gotify_api_base: '${{ secrets.GOTIFY_URL }}'
+ gotify_app_token: '${{ secrets.GOTIFY_TOKEN }}'
+ notification_title: '[ ${{ github.repository }}: ${{ github.workflow }} ] NixOS Flake Updated'
+ notification_message: 'Build completed successfully.'
+ - if: failure()
+ uses: https://git.sysctl.io/actions/gotify-action@master
+ with:
+ gotify_api_base: '${{ secrets.GOTIFY_URL }}'
+ gotify_app_token: '${{ secrets.GOTIFY_TOKEN }}'
+ notification_title: '[ ${{ github.repository }}: ${{ github.workflow }} ] Build Failed'
+ notification_message: 'Your build has failed. Check Forgejo.'
+ name: "Send Notification"
diff --git a/.forgejo/workflows/update-steamdeck.yml b/.forgejo/workflows/update-steamdeck.yml
new file mode 100644
index 00000000..0791c6c2
--- /dev/null
+++ b/.forgejo/workflows/update-steamdeck.yml
@@ -0,0 +1,82 @@
+# yamllint disable rule:line-length rule:truthy
+---
+name: Cron - Update Steam Deck
+run-name: ${{ github.actor }} - update-steamdeck
+on:
+ schedule:
+ - cron: '0 2 * * 1'
+ # “At 02:00 Monday"
+ workflow_dispatch:
+
+jobs:
+ deploy-rs:
+ runs-on: headscale-runner
+ container:
+ image: git.sysctl.io/albert/actions-container-images/headscale-runner:latest
+ options: --mount type=bind,src=/dev/net/tun,dst=/dev/net/tun --privileged
+ steps:
+ - name: "Install SSH Keys"
+ run: |
+ echo "${{ secrets.SSH_PUBLIC_KEY }}" > /root/.ssh/id_ed25519.pub
+ echo "${{ secrets.SSH_PRIVATE_KEY }}" > /root/.ssh/id_ed25519
+ chmod 700 /root/.ssh
+ chmod 600 /root/.ssh/id_ed25519
+ chmod 644 /root/.ssh/id_ed25519.pub
+ cat /etc/hosts.template > /etc/hosts
+
+ - name: "Connect to Headscale"
+ run: |
+ set -x
+ sudo tailscaled --cleanup
+ sudo tailscaled --no-logs-no-support --state=mem: 2> ~/tailscaled.log &
+ sudo tailscale up \
+ --login-server=https://headscale.sysctl.io \
+ --accept-routes \
+ --accept-dns \
+ --authkey ${{ secrets.TAILSCALE_KEY }} \
+ --hostname forgejo-runner \
+ --advertise-tags "tag:forgejo,tag:container,tag:ephemeral"
+
+ - name: "nixos-version (Pre)"
+ run: |
+ ssh -q -A -o StrictHostKeyChecking=no albert@steamdeck \
+ "
+ nixos-version
+ "
+
+ - name: "SSH and Deploy"
+ run: |
+ ssh -o StrictHostKeyChecking=no albert@steamdeck \
+ "
+ set -x
+ source ~/.config/fish/config.fish
+ cd /etc/nixos/git
+ git pull
+ sudo nixos-rebuild switch --flake /etc/nixos/git
+ home-manager switch -b backup --flake /etc/nixos/git
+ "
+
+ - name: "nixos-version (Post)"
+ run: |
+ ssh -q -A -o StrictHostKeyChecking=no albert@steamdeck \
+ "
+ nixos-version
+ "
+ tailscale down
+
+ - if: success()
+ uses: https://git.sysctl.io/actions/gotify-action@master
+ with:
+ gotify_api_base: '${{ secrets.GOTIFY_URL }}'
+ gotify_app_token: '${{ secrets.GOTIFY_TOKEN }}'
+ notification_title: '[ ${{ github.repository }}: ${{ github.workflow }} ] Steam Deck Updated'
+ notification_message: 'Deployment completed successfully.'
+ name: "Send Notification - Success"
+ - if: failure()
+ uses: https://git.sysctl.io/actions/gotify-action@master
+ with:
+ gotify_api_base: '${{ secrets.GOTIFY_URL }}'
+ gotify_app_token: '${{ secrets.GOTIFY_TOKEN }}'
+ notification_title: '[ ${{ github.repository }}: ${{ github.workflow }} ] Deployment Failed'
+ notification_message: 'Your deployment has failed. Check Forgejo.'
+ name: "Send Notification - Failure"