diff --git a/readme.md b/readme.md
index 6ceed3a..8d004a3 100644
--- a/readme.md
+++ b/readme.md
@@ -30,26 +30,35 @@ Flake-based NixOS configuration for three machines, built and deployed directly
│ ├── FredOS-Macbook.nix # Broadcom WiFi, Intel GPU, Bluetooth, filesystems, bootloader, hostname
│ └── FredOS-Mediaserver.nix # Intel CPU, data disks, mergerfs pool, GRUB, hostname
├── services
+│ ├── adguard.nix # Network-wide DNS ad blocking
│ ├── arr-interconnect.nix # Cross-service API key wiring for *arr apps
│ ├── authelia.nix # SSO/2FA gateway (protects homepage & camera)
│ ├── bazarr.nix # Subtitle management
│ ├── cloudflare-ddns.nix # Cloudflare dynamic DNS
-│ ├── fail2ban.nix # Intrusion prevention (SSH, nginx, Authelia, *arr, etc.)
-│ ├── game-servers.nix # Game server definitions
+│ ├── code-server.nix # Browser-based VS Code IDE
+│ ├── crowdsec.nix # Intrusion prevention / bouncer
+│ ├── dr-server.nix # Disaster recovery / backup service
+│ ├── forgejo-runner.nix # CI/CD runner for Forgejo
+│ ├── game-servers.nix # Dockerised game servers (7 Days to Die)
│ ├── go2rtc.nix # Camera/RTSP streaming
│ ├── homepage.nix # Homepage dashboard with auto-extracted API keys
│ ├── jellyfin.nix # Media server
│ ├── nginx.nix # Reverse proxy + ACME wildcard cert via Cloudflare DNS-01
+│ ├── profilarr.nix # Quality profile manager for *arr apps
│ ├── prowlarr.nix # Indexer manager
│ ├── qbittorrent-nox.nix # Torrent client
│ ├── radarr.nix # Movie management
+│ ├── router.nix # Mediaserver as home router (NAT, DHCP, nftables)
+│ ├── sabnzbd.nix # Usenet downloader
│ ├── server-permissions.nix # File/dir permission setup
│ └── sonarr.nix # TV management
├── settings
│ ├── audio.nix # PipeWire / audio config
│ ├── gnome.nix # GNOME desktop settings
+│ ├── hyprland.nix # Hyprland Wayland compositor config
│ ├── locale.nix # Locale, timezone, keyboard
│ ├── shell.nix # Fish shell, powerline prompt, fastfetch, nerd fonts
+│ ├── stylix.nix # Unified colour theming (wallpaper-derived palette)
│ └── users.nix # User accounts
├── walls # Wallpapers
├── common.nix # Shared config imported by all hosts
@@ -159,9 +168,13 @@ After this succeeds, the plain `update` alias works from then on.
| Input | Source |
|---|---|
| nixpkgs | `github:NixOS/nixpkgs/nixos-unstable` |
-| home-manager | `github:nix-community/home-manager` |
+| nixpkgs-stable | `github:NixOS/nixpkgs/nixos-25.11` |
+| home-manager-stable | `github:nix-community/home-manager/release-25.11` |
| zen-browser | `github:0xc000022070/zen-browser-flake` |
| nix-cachyos-kernel | `github:xddxdd/nix-cachyos-kernel/release` |
+| proton-cachyos-nix | `github:powerofthe69/proton-cachyos-nix` |
+| hyprland | `github:hyprwm/Hyprland` |
+| stylix | `github:nix-community/stylix/release-25.11` |
## Mediaserver secrets
diff --git a/services/bazarr.nix b/services/bazarr.nix
index 57b5a64..2594a01 100644
--- a/services/bazarr.nix
+++ b/services/bazarr.nix
@@ -12,6 +12,14 @@
group = "media";
};
+ # Disable built-in auth — Authelia handles it at the reverse proxy
+ systemd.services.bazarr.preStart = lib.mkAfter ''
+ config_file="/var/lib/bazarr/config/config.ini"
+ if [ -f "$config_file" ]; then
+ sed -i 's/^type = .*/type = none/' "$config_file"
+ fi
+ '';
+
# Ensure subtitles written by bazarr are group-writable
systemd.services.bazarr.serviceConfig.UMask = lib.mkForce "0002";
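Review bot: The added `sed -i 's/^type = .*/type = none/'` is not scoped to the auth section, so every line in config.ini that starts with `type = ` is rewritten on each start, including any such key in other sections. Limiting it with a range address would avoid that, assuming the section is named `[auth]`: `sed -i '/^\[auth\]/,/^\[/ s/^type = .*/type = none/' "$config_file"`. With the built-in login off, Authelia at the proxy is the only access control, so the comment should also state that the Bazarr port must not be reachable except through nginx. The firewall setting for this service is not visible in the hunk.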
diff --git a/services/prowlarr.nix b/services/prowlarr.nix
index bddb803..b38965b 100644
--- a/services/prowlarr.nix
+++ b/services/prowlarr.nix
@@ -3,7 +3,15 @@
{
config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {
- # Sonarr
+ # Disable built-in auth — Authelia handles it at the reverse proxy
+ systemd.services.prowlarr.preStart = lib.mkAfter ''
+ config_file="/var/lib/prowlarr/config.xml"
+ if [ -f "$config_file" ]; then
+ sed -i 's|.*|None|' "$config_file"
+ fi
+ '';
+
+ # Prowlarr
services.prowlarr = {
enable = true;
openFirewall = true;
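Review bot: `openFirewall = true;` remains set in `services.prowlarr` while the new preStart switches off the application's own login, so any client that can reach the Prowlarr port directly never passes through Authelia. Prowlarr stores indexer credentials and API keys, so the port should only be reachable from the reverse proxy: `openFirewall = false;`, with nginx talking to it over loopback. If direct LAN access is intentional, keep the built-in authentication enabled instead. The `services.prowlarr` block continues past the end of the hunk, so other settings there may change this.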
diff --git a/services/radarr.nix b/services/radarr.nix
index 66470d4..1edf26f 100644
--- a/services/radarr.nix
+++ b/services/radarr.nix
@@ -12,6 +12,14 @@
group = "media";
};
+ # Disable built-in auth — Authelia handles it at the reverse proxy
+ systemd.services.radarr.preStart = lib.mkAfter ''
+ config_file="/var/lib/radarr/config.xml"
+ if [ -f "$config_file" ]; then
+ sed -i 's|.*|None|' "$config_file"
+ fi
+ '';
+
# Ensure files created by radarr are group-writable
systemd.services.radarr.serviceConfig.UMask = lib.mkForce "0002";
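Review bot: As shown here, the expression in `sed -i 's|.*|None|' "$config_file"` matches every line, which would replace the whole of config.xml with lines reading `None` on each start; the same expression appears in the prowlarr and sonarr hunks. The element tags may simply have been lost when this page was rendered, so please check the committed file. The substitution should name the element on both sides, e.g. `s|<AuthenticationMethod>.*</AuthenticationMethod>|<AuthenticationMethod>None</AuthenticationMethod>|`. The firewall setting for Radarr is outside the hunk; with the login disabled, the port should not be open to anything but nginx.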
diff --git a/services/sonarr.nix b/services/sonarr.nix
index 375cf71..5404c35 100644
--- a/services/sonarr.nix
+++ b/services/sonarr.nix
@@ -12,6 +12,14 @@
group = "media";
};
+ # Disable built-in auth — Authelia handles it at the reverse proxy
+ systemd.services.sonarr.preStart = lib.mkAfter ''
+ config_file="/var/lib/sonarr/config.xml"
+ if [ -f "$config_file" ]; then
+ sed -i 's|.*|None|' "$config_file"
+ fi
+ '';
+
# Ensure files created by sonarr are group-writable
systemd.services.sonarr.serviceConfig.UMask = lib.mkForce "0002";
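Review bot: Forcing the authentication method to `None` may not do what the comment says on current releases: as far as I know, recent Sonarr, Radarr and Prowlarr versions require authentication and provide `External` as the value for setups where a reverse proxy does the login. That applies to the prowlarr and radarr hunks as well. Please confirm against the packaged versions that the service starts without falling back to a setup prompt, and that the API is not left open on the service port. A comment next to the preStart such as `# relies on nginx + Authelia being the only path to this port` would record the assumption.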