diff --git a/readme.md b/readme.md
index 6ceed3a..8d004a3 100644
--- a/readme.md
+++ b/readme.md
@@ -30,26 +30,35 @@ Flake-based NixOS configuration for three machines, built and deployed directly
 │ ├── FredOS-Macbook.nix # Broadcom WiFi, Intel GPU, Bluetooth, filesystems, bootloader, hostname
 │ └── FredOS-Mediaserver.nix # Intel CPU, data disks, mergerfs pool, GRUB, hostname
 ├── services
+│ ├── adguard.nix # Network-wide DNS ad blocking
 │ ├── arr-interconnect.nix # Cross-service API key wiring for *arr apps
 │ ├── authelia.nix # SSO/2FA gateway (protects homepage & camera)
 │ ├── bazarr.nix # Subtitle management
 │ ├── cloudflare-ddns.nix # Cloudflare dynamic DNS
-│ ├── fail2ban.nix # Intrusion prevention (SSH, nginx, Authelia, *arr, etc.)
-│ ├── game-servers.nix # Game server definitions
+│ ├── code-server.nix # Browser-based VS Code IDE
+│ ├── crowdsec.nix # Intrusion prevention / bouncer
+│ ├── dr-server.nix # Disaster recovery / backup service
+│ ├── forgejo-runner.nix # CI/CD runner for Forgejo
+│ ├── game-servers.nix # Dockerised game servers (7 Days to Die)
 │ ├── go2rtc.nix # Camera/RTSP streaming
 │ ├── homepage.nix # Homepage dashboard with auto-extracted API keys
 │ ├── jellyfin.nix # Media server
 │ ├── nginx.nix # Reverse proxy + ACME wildcard cert via Cloudflare DNS-01
+│ ├── profilarr.nix # Quality profile manager for *arr apps
 │ ├── prowlarr.nix # Indexer manager
 │ ├── qbittorrent-nox.nix # Torrent client
 │ ├── radarr.nix # Movie management
+│ ├── router.nix # Mediaserver as home router (NAT, DHCP, nftables)
+│ ├── sabnzbd.nix # Usenet downloader
 │ ├── server-permissions.nix # File/dir permission setup
 │ └── sonarr.nix # TV management
 ├── settings
 │ ├── audio.nix # PipeWire / audio config
 │ ├── gnome.nix # GNOME desktop settings
+│ ├── hyprland.nix # Hyprland Wayland compositor config
 │ ├── locale.nix # Locale, timezone, keyboard
 │ ├── shell.nix # Fish shell, powerline prompt, fastfetch, nerd fonts
+│ ├── stylix.nix # Unified colour theming (wallpaper-derived palette)
 │ └── users.nix # User accounts
 ├── walls # Wallpapers
 ├── common.nix # Shared config imported by all hosts
@@ -159,9 +168,13 @@ After this succeeds, the plain `update` alias works from then on.
 | Input | Source |
 |---|---|
 | nixpkgs | `github:NixOS/nixpkgs/nixos-unstable` |
-| home-manager | `github:nix-community/home-manager` |
+| nixpkgs-stable | `github:NixOS/nixpkgs/nixos-25.11` |
+| home-manager-stable | `github:nix-community/home-manager/release-25.11` |
 | zen-browser | `github:0xc000022070/zen-browser-flake` |
 | nix-cachyos-kernel | `github:xddxdd/nix-cachyos-kernel/release` |
+| proton-cachyos-nix | `github:powerofthe69/proton-cachyos-nix` |
+| hyprland | `github:hyprwm/Hyprland` |
+| stylix | `github:nix-community/stylix/release-25.11` |
 ## Mediaserver secrets
diff --git a/services/bazarr.nix b/services/bazarr.nix
index 57b5a64..2594a01 100644
--- a/services/bazarr.nix
+++ b/services/bazarr.nix
@@ -12,6 +12,14 @@
 group = "media";
 };
+ # Disable built-in auth — Authelia handles it at the reverse proxy
+ systemd.services.bazarr.preStart = lib.mkAfter ''
+ config_file="/var/lib/bazarr/config/config.ini"
+ if [ -f "$config_file" ]; then
+ sed -i 's/^type = .*/type = none/' "$config_file"
+ fi
+ '';
+ # Ensure subtitles written by bazarr are group-writable
 systemd.services.bazarr.serviceConfig.UMask = lib.mkForce "0002";
diff --git a/services/prowlarr.nix b/services/prowlarr.nix
index bddb803..b38965b 100644
--- a/services/prowlarr.nix
+++ b/services/prowlarr.nix
@@ -3,7 +3,15 @@
 {
 config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {
- # Sonarr
+ # Disable built-in auth — Authelia handles it at the reverse proxy
+ systemd.services.prowlarr.preStart = lib.mkAfter ''
+ config_file="/var/lib/prowlarr/config.xml"
+ if [ -f "$config_file" ]; then
+ sed -i 's|.*|None|' "$config_file"
+ fi
+ '';
+
+ # Prowlarr
 services.prowlarr = {
 enable = true;
 openFirewall = true;
diff --git a/services/radarr.nix b/services/radarr.nix
index 66470d4..1edf26f 100644
--- a/services/radarr.nix
+++ b/services/radarr.nix
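Review bot: The sed expression `s/^type = .*/type = none/` in the new preStart is anchored to the start of the line but not to the `[auth]` section, so it rewrites every `type =` key in config.ini whatever section it sits in; a range address limits it to the one setting intended: `sed -i '/^\[auth\]/,/^\[/ s/^type = .*/type = none/' "$config_file"`. The spelling Bazarr accepts for that value (`none` versus `None`) is not visible from this hunk and should be checked against a real config.ini before relying on the rewrite. With built-in auth off, anything that reaches Bazarr's own port directly rather than through nginx and Authelia is unauthenticated, so the listener should be bound to localhost or kept closed in the firewall; the hunk does not show those settings. The enclosing `config = lib.mkIf … {` attribute set starts and ends outside the hunk.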
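Review bot: As the hunk reads, `sed -i 's|.*|None|' "$config_file"` matches every whole line of config.xml and replaces it with `None`, so the first restart after deploy would wipe the file; the identical line is added in services/radarr.nix and services/sonarr.nix in this commit. If the element name was dropped when this page was rendered the real expression should be checked, but it needs to be anchored to the single element it edits, e.g. `sed -i 's|<AuthenticationMethod>.*</AuthenticationMethod>|<AuthenticationMethod>None</AuthenticationMethod>|' "$config_file"`, and as far as I know recent *arr releases no longer honour `None` and use `External` for authentication delegated to a reverse proxy, so the value itself should be confirmed. Separately, `openFirewall = true` in the context just below opens Prowlarr's own port, so with built-in auth turned off anything that reaches that port directly bypasses the Authelia gate, which only sees requests that arrive through nginx; if auth is delegated, the port should stay closed and the proxy should reach the app on localhost. The enclosing `config = lib.mkIf … {` attribute set continues past the hunk.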
@@ -12,6 +12,14 @@
 group = "media";
 };
+ # Disable built-in auth — Authelia handles it at the reverse proxy
+ systemd.services.radarr.preStart = lib.mkAfter ''
+ config_file="/var/lib/radarr/config.xml"
+ if [ -f "$config_file" ]; then
+ sed -i 's|.*|None|' "$config_file"
+ fi
+ '';
+ # Ensure files created by radarr are group-writable
 systemd.services.radarr.serviceConfig.UMask = lib.mkForce "0002";
diff --git a/services/sonarr.nix b/services/sonarr.nix
index 375cf71..5404c35 100644
--- a/services/sonarr.nix
+++ b/services/sonarr.nix
@@ -12,6 +12,14 @@
 group = "media";
 };
+ # Disable built-in auth — Authelia handles it at the reverse proxy
+ systemd.services.sonarr.preStart = lib.mkAfter ''
+ config_file="/var/lib/sonarr/config.xml"
+ if [ -f "$config_file" ]; then
+ sed -i 's|.*|None|' "$config_file"
+ fi
+ '';
+ # Ensure files created by sonarr are group-writable
 systemd.services.sonarr.serviceConfig.UMask = lib.mkForce "0002";