From 08669d7eb5c6278633571acaa136976cd782c8f0 Mon Sep 17 00:00:00 2001
From: ediblerope
Date: Tue, 7 Apr 2026 20:42:19 +0100
Subject: [PATCH] Update docs: add new services to readme, remove obsolete go2rtc-readme

- readme.md: add authelia, fail2ban, homepage, arr-interconnect, nginx description updated to mention ACME. Remove omnisearch, add cachyos kernel to flake inputs table.
- cloudflare-ddns.md: document shared token usage with ACME, note Zone:Zone:Read permission requirement.
- Delete go2rtc-readme.md (documented Docker setup, now native NixOS).

Co-Authored-By: Claude Opus 4.6
---
 readme.md | 9 +++--
 services/cloudflare-ddns.md | 26 +++++++++-----
 services/go2rtc-readme.md | 67 -------------------------------------
 3 files changed, 23 insertions(+), 79 deletions(-)
 delete mode 100644 services/go2rtc-readme.md

diff --git a/readme.md b/readme.md
index fc63bb0..19e3d1e 100644
--- a/readme.md
+++ b/readme.md
@@ -32,13 +32,16 @@ Flake-based NixOS configuration for three machines, built and deployed directly
 │ ├── FredOS-Macbook.nix # Broadcom WiFi, Intel GPU, Bluetooth, filesystems, bootloader, hostname
 │ └── FredOS-Mediaserver.nix # Intel CPU, data disks, mergerfs pool, GRUB, hostname
 ├── services
+│ ├── arr-interconnect.nix # Cross-service API key wiring for *arr apps
+│ ├── authelia.nix # SSO/2FA gateway (protects homepage & camera)
 │ ├── bazarr.nix # Subtitle management
 │ ├── cloudflare-ddns.nix # Cloudflare dynamic DNS
+│ ├── fail2ban.nix # Intrusion prevention (SSH, nginx, Authelia, *arr, etc.)
 │ ├── game-servers.nix # Game server definitions
 │ ├── go2rtc.nix # Camera/RTSP streaming
+│ ├── homepage.nix # Homepage dashboard with auto-extracted API keys
 │ ├── jellyfin.nix # Media server
-│ ├── nginx.nix # Reverse proxy
-│ ├── omnisearch.nix # OmniSearch service
+│ ├── nginx.nix # Reverse proxy + ACME wildcard cert via Cloudflare DNS-01
 │ ├── prowlarr.nix # Indexer manager
 │ ├── qbittorrent-nox.nix # Torrent client
 │ ├── radarr.nix # Movie management
@@ -158,9 +161,9 @@ After this succeeds, the plain `update` alias works from then on. |---|---| | nixpkgs | `github:NixOS/nixpkgs/nixos-unstable` | | home-manager | `github:nix-community/home-manager` | -| omnisearch | `git+https://git.bwaaa.monster/omnisearch` | | zen-browser | `github:0xc000022070/zen-browser-flake` | | nix-flatpak | `github:gmodena/nix-flatpak` | +| nix-cachyos-kernel | `github:xddxdd/nix-cachyos-kernel/release` | ## Notes diff --git a/services/cloudflare-ddns.md b/services/cloudflare-ddns.md index bca101b..7ed3ebf 100644 --- a/services/cloudflare-ddns.md +++ b/services/cloudflare-ddns.md @@ -1,15 +1,23 @@ -1. Store your API key securely +## Store your API key securely + Create a file outside your /etc/nixos directory to store your Cloudflare API token: -bashsudo mkdir -p /var/secrets + +```bash +sudo mkdir -p /var/secrets sudo nano /var/secrets/cloudflare-token -Put your Cloudflare API token in this file, then set appropriate permissions: -bashsudo chmod 600 /var/secrets/cloudflare-token +sudo chmod 600 /var/secrets/cloudflare-token sudo chown root:root /var/secrets/cloudflare-token +``` +This token is shared by both `cloudflare-ddns.nix` (DDNS updates) and `nginx.nix` (ACME wildcard cert via DNS-01 challenge). -3. Get your Cloudflare API Token -If you haven't created one yet: +## Get your Cloudflare API Token -Go to Cloudflare Dashboard → My Profile → API Tokens -Create a token with Zone:DNS:Edit permissions for your specific zone -Copy the token to /var/secrets/cloudflare-token +Go to Cloudflare Dashboard → My Profile → API Tokens and create a token with: + +- **Zone : Zone : Read** +- **Zone : DNS : Edit** + +Both permissions are required — Zone:Read for ACME to locate the zone, DNS:Edit for DDNS updates and ACME challenge TXT records. + +Copy the token to `/var/secrets/cloudflare-token`. diff --git a/services/go2rtc-readme.md b/services/go2rtc-readme.md deleted file mode 100644 index 06d602b..0000000 
--- a/services/go2rtc-readme.md +++ /dev/null @@ -1,67 +0,0 @@ -cat authelia configuration.yml ---- -theme: dark -server: - address: 'tcp://0.0.0.0:9091/' - -log: - level: info - -authentication_backend: - file: - path: /config/users_database.yml - -access_control: - default_policy: deny - rules: - - domain: camera.domain.topdomain - policy: one_factor - -identity_validation: - reset_password: - jwt_secret: "" - -session: - secret: "" - cookies: - - domain: domain.topdomain - authelia_url: https://auth.domain.topdomain - expiration: 1h - inactivity: 5m - -storage: - encryption_key: "" - local: - path: /config/db.sqlite3 - -notifier: - filesystem: - filename: /config/notification.txt -fred ~/docker/authelia ❯ - - -cat users_database.yml ---- -users: - username: - password: "secret" - displayname: Name - email: email - - username: - password: "secret" - displayname: Name - email: email -########################################## - -cat config.yml ---- -streams: - kids_bedroom: - - rtsp://username:password@IP-address:554/stream1 - -api: - listen: ":1984" - -webrtc: - listen: ":8555"