Update docs: add new services to readme, remove obsolete go2rtc-readme

- readme.md: add authelia, fail2ban, homepage, arr-interconnect, nginx description updated to mention ACME. Remove omnisearch, add cachyos kernel to flake inputs table. - cloudflare-ddns.md: document shared token usage with ACME, note Zone:Zone:Read permission requirement. - Delete go2rtc-readme.md (documented Docker setup, now native NixOS). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-07 20:42:19 +01:00 · 2026-04-07 20:42:19 +01:00 · 08669d7eb5
commit 08669d7eb5
parent 372275da5e
3 changed files with 23 additions and 79 deletions
--- a/readme.md
+++ b/readme.md
@ -32,13 +32,16 @@ Flake-based NixOS configuration for three machines, built and deployed directly
 │       ├── FredOS-Macbook.nix       # Broadcom WiFi, Intel GPU, Bluetooth, filesystems, bootloader, hostname
 │       └── FredOS-Mediaserver.nix   # Intel CPU, data disks, mergerfs pool, GRUB, hostname
 ├── services
+│   ├── arr-interconnect.nix         # Cross-service API key wiring for *arr apps
+│   ├── authelia.nix                 # SSO/2FA gateway (protects homepage & camera)
 │   ├── bazarr.nix                   # Subtitle management
 │   ├── cloudflare-ddns.nix          # Cloudflare dynamic DNS
+│   ├── fail2ban.nix                 # Intrusion prevention (SSH, nginx, Authelia, *arr, etc.)
 │   ├── game-servers.nix             # Game server definitions
 │   ├── go2rtc.nix                   # Camera/RTSP streaming
+│   ├── homepage.nix                 # Homepage dashboard with auto-extracted API keys
 │   ├── jellyfin.nix                 # Media server
-│   ├── nginx.nix                    # Reverse proxy
-│   ├── omnisearch.nix               # OmniSearch service
+│   ├── nginx.nix                    # Reverse proxy + ACME wildcard cert via Cloudflare DNS-01
 │   ├── prowlarr.nix                 # Indexer manager
 │   ├── qbittorrent-nox.nix          # Torrent client
 │   ├── radarr.nix                   # Movie management
@ -158,9 +161,9 @@ After this succeeds, the plain `update` alias works from then on.
 |---|---|
 | nixpkgs | `github:NixOS/nixpkgs/nixos-unstable` |
 | home-manager | `github:nix-community/home-manager` |
-| omnisearch | `git+https://git.bwaaa.monster/omnisearch` |
 | zen-browser | `github:0xc000022070/zen-browser-flake` |
 | nix-flatpak | `github:gmodena/nix-flatpak` |
+| nix-cachyos-kernel | `github:xddxdd/nix-cachyos-kernel/release` |

 ## Notes

--- a/services/cloudflare-ddns.md
+++ b/services/cloudflare-ddns.md
@ -1,15 +1,23 @@
-1. Store your API key securely
+## Store your API key securely
+
 Create a file outside your /etc/nixos directory to store your Cloudflare API token:
-bashsudo mkdir -p /var/secrets
+
+```bash
+sudo mkdir -p /var/secrets
 sudo nano /var/secrets/cloudflare-token
-Put your Cloudflare API token in this file, then set appropriate permissions:
-bashsudo chmod 600 /var/secrets/cloudflare-token
+sudo chmod 600 /var/secrets/cloudflare-token
 sudo chown root:root /var/secrets/cloudflare-token
+```

+This token is shared by both `cloudflare-ddns.nix` (DDNS updates) and `nginx.nix` (ACME wildcard cert via DNS-01 challenge).

-3. Get your Cloudflare API Token
-If you haven't created one yet:
+## Get your Cloudflare API Token

-Go to Cloudflare Dashboard → My Profile → API Tokens
-Create a token with Zone:DNS:Edit permissions for your specific zone
-Copy the token to /var/secrets/cloudflare-token
+Go to Cloudflare Dashboard → My Profile → API Tokens and create a token with:
+
+- **Zone : Zone : Read**
+- **Zone : DNS : Edit**
+
+Both permissions are required — Zone:Read for ACME to locate the zone, DNS:Edit for DDNS updates and ACME challenge TXT records.
+
+Copy the token to `/var/secrets/cloudflare-token`.
--- a/services/go2rtc-readme.md
+++ b/services/go2rtc-readme.md
@ -1,67 +0,0 @@
-cat authelia configuration.yml
---
-theme: dark
-server:
-  address: 'tcp://0.0.0.0:9091/'
-
-log:
-  level: info
-
-authentication_backend:
-  file:
-    path: /config/users_database.yml
-
-access_control:
-  default_policy: deny
-  rules:
-    - domain: camera.domain.topdomain
-      policy: one_factor
-
-identity_validation:
-  reset_password:
-    jwt_secret: ""
-
-session:
-  secret: ""
-  cookies:
-    - domain: domain.topdomain
-      authelia_url: https://auth.domain.topdomain
-  expiration: 1h
-  inactivity: 5m
-
-storage:
-  encryption_key: ""
-  local:
-    path: /config/db.sqlite3
-
-notifier:
-  filesystem:
-    filename: /config/notification.txt
-fred ~/docker/authelia ❯ 
-
-
-cat users_database.yml 
---
-users:
-  username:
-    password: "secret"
-    displayname: Name
-    email: email
-
-  username:
-    password: "secret"
-    displayname: Name
-    email: email
-##########################################
-
-cat config.yml 
---
-streams:
-  kids_bedroom:
-    - rtsp://username:password@IP-address:554/stream1
-
-api:
-  listen: ":1984"
-
-webrtc:
-  listen: ":8555"