Commit graph

1215 commits

Author SHA1 Message Date
58440af384 Update services/nginx.nix 2026-05-04 02:30:28 -07:00
dda93320d8 Update services/sabnzbd.nix 2026-05-04 02:29:10 -07:00
e77ca8fceb Update services/sabnzbd.nix 2026-05-04 02:27:50 -07:00
c7f7e75a38 Update services/nginx.nix 2026-05-04 01:53:01 -07:00
34b54e1aad Update services/nginx.nix 2026-05-04 01:52:04 -07:00
cce1e9ccea Update services/authelia.nix 2026-05-04 01:46:41 -07:00
66e9873678 Add services/sabnzbd.nix 2026-05-04 01:40:03 -07:00
40dfc403a3 Update services/nginx.nix 2026-05-04 01:39:08 -07:00
d4ab29699a Update common.nix 2026-05-04 01:38:14 -07:00
forgejo-actions[bot] beae8c71f4 flake: update inputs 2026-05-04 04:01:16 +00:00
forgejo-actions[bot] aec0456489 flake: update inputs 2026-05-03 04:01:18 +00:00
1aa6f26cab gaming: actually disable IPv6 on NetworkManager connections
networking.enableIPv6 = false only sets the system sysctl; NetworkManager
keeps re-enabling disable_ipv6=0 per-interface because connection
defaults to ipv6.method = auto. The "?" icon comes back because NM's
v6 connectivity probe races over a SLAAC ULA with no real upstream.

Forces ipv6.method = disabled in NetworkManager's connection defaults
and stops the kernel from accepting router advertisements, so v6 never
gets brought up on any new or existing connection.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-02 23:06:36 +01:00
2e527f0eb0 Update hosts/FredOS-Gaming.nix 2026-05-02 05:53:15 -07:00
91a0d296ba Update hosts/FredOS-Macbook.nix 2026-05-02 00:38:42 -07:00
b2b68603f7 workflow: pre-create nixbld group so the Nix install can run as root
The catthehacker runner image runs jobs as root and Nix's install script
refuses to do a clean root install without the nixbld group + build users
already in place — even with --no-daemon. Adding them inline keeps the
workflow self-contained without swapping to a Nix-prebuilt container image.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-01 19:14:20 +01:00
670ff0a9f9 router: also accept docker user-defined bridges (br-*)
Forgejo's runner spins up a per-workflow Docker network for every job,
which lives on a br-XXXXXX bridge — not docker0. Without this rule, the
in-container git clone (and anything else outbound) hits the forward
chain's default-deny and times out. Match docker0 plus the br-* glob in
both input and forward so any Docker network model works.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-01 19:10:29 +01:00
bcefe9aa26 workflow: drop GitHub-only actions for the update job
Replaces cachix/install-nix-action and stefanzweifel/git-auto-commit-action
with inline shell so the workflow no longer touches github.com. Still pulls
the runner image from Docker Hub and the install script from nixos.org —
those are deliberately left for now and can be cut in a follow-up.

actions/checkout stays because it's mirrored on data.forgejo.org and the
runner already resolves it there.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-01 18:52:37 +01:00
046b4bff90 runner: resolve action refs against github.com by default
Forgejo's runner defaults to fetching `uses: org/repo@vN` from its
instance's mirror (data.forgejo.org), which doesn't host most
GitHub-marketplace actions like cachix/install-nix-action. Pointing
default_actions_url at github.com makes the existing workflow Just Work
without fully-qualified URLs in `uses:` lines.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-01 18:45:35 +01:00
dad207d19b runner: document tokenFile EnvironmentFile format
The gitea-actions-runner module loads tokenFile as a systemd
EnvironmentFile, so it needs KEY=value lines, not a raw token. Comment
updated to match — the runner failed to start the first time around
because the file just contained the bare registration token.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-01 16:04:32 +01:00
27a4e85693 runner: use forgejo-runner package (renamed in 25.11)
The forgejo-actions-runner attr was renamed to forgejo-runner upstream.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-01 16:00:00 +01:00
29e1185694 runner: add Forgejo Actions runner on the mediaserver
Adds services/forgejo-runner.nix as a host-gated module on the mediaserver
and switches the flake-update workflow from runs-on: ubuntu-latest to the
self-hosted fred-nix label, mapped to catthehacker/ubuntu:act-latest for
GitHub-action compatibility. Token lives at /var/secrets/forgejo-runner-token
so it stays out of the Nix store.

Also drops the stray result/ build symlink from the worktree.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-01 15:58:28 +01:00
af1f5c9a04 Update .forgejo/workflows/update.yml 2026-05-01 07:44:16 -07:00
4683d6953f common: point update alias at Forgejo
Migrating origin from GitHub to a private Forgejo repo at
forg.gregersen.it/rope/nixos. Each host needs the PAT in /root/.git-credentials
(host-local state, set up manually since the repo isn't publicly readable).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-01 15:35:07 +01:00
c1094e7352 Fix proton-vpn rename on Gaming, restore zramSwap
The 25.11 channel renamed proton-vpn to protonvpn-gui; Macbook was
patched in an earlier commit but Gaming wasn't, breaking the build.

zramSwap goes back into common.nix as the cheap OOM-during-uncached-build
safety net — even on stable, --refresh against a freshly-bumped lock can
trigger local builds the box has no swap to absorb.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-01 13:38:27 +01:00
ediblerope e1c193cdc3 flake: update inputs 2026-05-01 10:29:09 +00:00
f6e711044c Update flake.nix 2026-05-01 11:27:32 +01:00
07f44724a0 Update flake.nix 2026-05-01 11:25:46 +01:00
7eb03c2245 Update FredOS-Macbook.nix 2026-05-01 11:07:04 +01:00
782054a0ea Update flake.nix 2026-05-01 11:05:48 +01:00
695ac75daf Update common.nix
Removed some AI crap that's no longer needed on stable.
2026-05-01 11:00:57 +01:00
ediblerope ab8c3ac92a flake: update inputs 2026-05-01 06:30:49 +00:00
c45811acf9 router: accept docker0 on input chain
Containers connecting to host services on 10.0.0.1 (e.g. Profilarr → Radarr
at 10.0.0.1:7878) hit the input chain, not forward, because the destination
is a local IP. The forward chain already trusts docker0 for outbound; this
adds the matching input rule so the return path stops getting dropped.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-30 20:47:46 +01:00
98ccee2221 profilarr: use Docker Hub image (santiagosayshey), not GHCR
The ghcr.io/dictionarry-hub/profilarr path mentioned in some docs isn't
publicly pullable — anonymous token requests get 403. Canonical image is
santiagosayshey/profilarr:latest on Docker Hub per the upstream README.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-30 20:05:30 +01:00
a9649be705 profilarr: swap recyclarr for Dictionarry's Profilarr
Profilarr replaces the recyclarr/TRaSH-Guides flow with a stateful web
service that owns *arr profiles end-to-end via its own UI. Runs as an
oci-container on 127.0.0.1:6868, fronted by nginx at
profilarr.nordhammer.it behind Authelia (one_factor).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-30 20:00:33 +01:00
ediblerope 91a94adc26 flake: update inputs 2026-04-30 06:21:10 +00:00
728779daab 2026-04-29 20:40:54 +01:00
8fa1e4c112 recyclarr: prefer x265 on 1080p profiles for disk space
Override TRaSH's -10000 ban on x265 (HD) to +500 on Sonarr WEB-1080p
and Radarr HD Bluray + WEB. The Scene/No-RlsGroup/Retags/Obfuscated
custom formats (each at -10000) still filter the truly low-bitrate
x265 trash, so we get smaller files without inviting slop.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-29 20:30:42 +01:00
17ea72e2ed common: drop --source-color-index from matugen update alias
The flag was removed in matugen 3.x; the call now exits with an arg
parse error on every update (caught by '|| true' but noisy). matugen
picks a sensible source color by default, so we just drop the flag.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-29 20:17:01 +01:00
79d7d3f88e adguard: explicitly enable LAN rewrites (schema change on stable)
AdGuard's recent config schema added an enabled flag on each rewrite
that defaults to false. Without it, the *.nordhammer.it -> 10.0.0.1
rules were silently disabled, so LAN clients resolved their own
domains to the public DDNS IP and tripped over NAT loopback.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-29 18:56:11 +01:00
4c80e26431 recyclarr: fix Sonarr UHD template name (web-2160p, not uhd-bluray-web)
The Sonarr 4K profile is sonarr-v4-quality-profile-web-2160p in TRaSH's
recyclarr templates — uhd-bluray-web exists for German content only.
The English UHD profile is WEB-only and named "WEB-2160p", so update
the include list and the AV1-ban score assignment to match.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-29 18:48:19 +01:00
3819cb6820 locale + crowdsec: pin timezone, declare static crowdsec user
Two failing services after the channel switch.

automatic-timezoned has been polkit-blocked since well before the
switch — replace with a static Europe/London timezone. Hosts that
travel can override locally if needed.

The vendored crowdsec module's setup unit chowns its config dir to
the (DynamicUser-allocated) crowdsec user via an ExecStartPre+ hack.
On stable's systemd the dynamic user isn't visible to chown via NSS
at that point, so it fails with 'invalid user'. Declaring crowdsec
as a static system user makes systemd use it (DynamicUser becomes a
no-op) and the chown resolves cleanly.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-29 14:00:41 +01:00
5e1780b4fe mediaserver: pin kernel to 6.12 LTS for NVIDIA 535 compatibility
NVIDIA 535's kernel module won't compile against kernel 7.x — the
DMA mapping API changed in a way the 535 source doesn't handle.
6.12 LTS is the highest kernel branch that's a well-tested combo
with the 535 driver, which we need on stable's nixpkgs to retain
Maxwell support for Jellyfin NVENC.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-29 13:37:48 +01:00
877796173f mediaserver: use nvidia legacy_535 (available on stable channel)
legacy_580 only exists on unstable nixpkgs and isn't backported to
25.11. The Maxwell GM206 (Quadro M2000) is supported through the
535.x branch — last production driver to ship Maxwell support — so
this is a clean swap with no expected impact on Jellyfin's NVENC.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-29 13:31:13 +01:00
34a45af357 flake: split mediaserver onto nixos-25.11, keep desktops on unstable
The mediaserver kept hard-freezing on local builds (gnupg, openldap,
deno/rusty-v8) whenever a fresh unstable revision outran Hydra's
binary cache. It doesn't need bleeding-edge packages — every service
it runs is mature enough that 6-month-old versions are fine — so move
it onto the stable channel where the cache is essentially always
warm. Gaming and Macbook stay on unstable for fresh GPU/kernel work.

Implementation: add nixpkgs-stable + home-manager-stable inputs,
parameterise mkHost to accept a (nixpkgs, home-manager) pair.

Drive-by:
- Switch homepage.nix from environmentFiles (plural, unstable-only)
  to environmentFile (singular, present on both channels).
- Gate the openldap-skip-tests overlay to non-mediaserver hosts so
  it doesn't force a local rebuild on stable, where openldap is
  always cached.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-29 13:26:07 +01:00
47a72a0a81 users: gate bazaar to GUI hosts only
bazaar is a Flathub GUI app store — it has no business on the headless
mediaserver, where it was also pulling flatpak in transitively and
inflating local builds.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-29 11:57:42 +01:00
057d24517f common: cap parallel builds + zramSwap to survive local rebuild storms
The mediaserver (56 cores, 31 GiB RAM, no swap) was hard-freezing on
local builds of gnupg/openldap because Nix defaulted max-jobs=auto and
launched ~56 parallel gcc compilations, blowing past available memory
and OOM-stalling AdGuard.

Cap parallelism (max-jobs=4, cores=8 per build) and add zramSwap as a
compressed in-memory safety net so a build storm can't take services
with it.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-29 11:57:40 +01:00
70ee0fc811 common: cap nix-daemon CPUWeight at 50 to keep services responsive
Heavy local builds (gnupg/openldap checkPhase under a freshly-bumped
nixpkgs lock) were saturating CPU and starving AdGuard on the
mediaserver, making DNS effectively unresponsive until the build
finished or got cancelled.

Halving the daemon's CPU share leaves headroom for latency-sensitive
services without meaningfully slowing builds on an otherwise idle box.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-29 11:17:51 +01:00
3f2c88da94 arr-interconnect: drop manual 1080p quality floors
Recyclarr now manages quality definitions via TRaSH templates, so the
hand-rolled minSize=10 floor is redundant — every sync would overwrite
it anyway.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-29 10:31:17 +01:00
e99bc7cc9b recyclarr: add weekly TRaSH-Guide profile sync for Sonarr & Radarr
Score-based release filtering replaces the brittle "minimum size" approach
— good HEVC encodes from reputable groups now win regardless of file
size, while obfuscated/no-group/lazy-x265 garbage gets banned.

Profiles installed:
  Sonarr: WEB-1080p (default), UHD Bluray + WEB (per-show opt-in)
  Radarr: HD Bluray + WEB (default), UHD Bluray + WEB (per-movie opt-in)

AV1 is banned across all four profiles since the GPU lacks hardware
decode. API keys are extracted at runtime from each *arr's config.xml,
matching the arr-interconnect pattern.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-29 10:31:09 +01:00
ediblerope 9405e4ffb5 flake: update inputs 2026-04-29 06:16:10 +00:00