Rootful Podman containers (used by the Forgejo runner) use podman0
and podman-* bridges, which were being dropped by the default-deny
firewall policy. This broke DNS resolution and internet access.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Runner containers (via Podman compat) couldn't resolve external hosts
after AdGuard stopped binding to 0.0.0.0. Point them at 10.0.0.1.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Binding to 0.0.0.0 claimed port 53 on podman bridge interfaces,
preventing aardvark-dns from starting and breaking Forgejo Actions.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
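The two commits above are the same fault seen from both sides: a resolver bound to 0.0.0.0 owns :53 on every interface, including the podman bridges aardvark-dns needs, and the containers then have no working resolver unless they are pointed at the LAN address explicitly. The check below is an added example, not a script from this repo: it parses `ss -Hlntu` style output and fails when any port-53 listener sits on the wildcard address, so it can run as a health check after a rebuild. The `ss` lines are constructed, not captured from the mediaserver.

```shell
#!/bin/sh
# Added example (not the repo's code): fail when any DNS listener claims the
# wildcard address, which would shadow aardvark-dns on every podman bridge.
set -eu

# Print offending lines from `ss -Hlntu`-style input on stderr and return 1
# if a port-53 listener is bound to 0.0.0.0, * or [::]; return 0 otherwise.
check_port53_bindings() {
  offenders=$(printf '%s\n' "$1" | awk '
    {
      sock = ""
      for (i = 1; i <= NF; i++)          # first field ending in :53 is the local socket
        if ($i ~ /:53$/) { sock = $i; break }
      if (sock == "") next
      if (sock ~ /^(0\.0\.0\.0|\*|\[::\]):53$/) print
    }')
  if [ -n "$offenders" ]; then
    printf 'wildcard :53 listener(s):\n%s\n' "$offenders" >&2
    return 1
  fi
  return 0
}

# Constructed `ss -Hlntu` samples, not captured from a real host.
# BAD: AdGuard on 0.0.0.0:53, so aardvark-dns cannot bind 10.88.0.1:53.
SAMPLE_SS_BAD='udp UNCONN 0 0 0.0.0.0:53 0.0.0.0:* users:(("AdGuardHome",pid=812,fd=9))
udp UNCONN 0 0 10.88.0.1:53 0.0.0.0:* users:(("aardvark-dns",pid=1502,fd=6))
tcp LISTEN 0 4096 [::]:22 [::]:*'
# OK: AdGuard bound only to the LAN address, bridge resolver on its own address.
SAMPLE_SS_OK='udp UNCONN 0 0 10.0.0.1:53 0.0.0.0:* users:(("AdGuardHome",pid=812,fd=9))
udp UNCONN 0 0 10.88.0.1:53 0.0.0.0:* users:(("aardvark-dns",pid=1502,fd=6))
tcp LISTEN 0 128 127.0.0.1:3000 0.0.0.0:*'
```

Run it on a live host with `check_port53_bindings "$(ss -Hlntu)"`. The container side of the fix is orthogonal: passing `--dns 10.0.0.1` to `podman run` (or setting it in the runner's container config) pins the resolver to the LAN address the commit names, so the containers keep working even if the bridge resolver is unavailable.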
Delete 8 unused matugen template files, remove the matugen package,
homepage custom.css watcher infrastructure, and the wallpaper shell
function. Update remaining comments to reference stylix.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
No IPv6 upstream exists, but glibc still tried AAAA records first,
causing Jellyfin's TMDb client to get garbled responses.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Standalone podman run calls need virtualisation.podman.enable to get a
valid /etc/containers/policy.json. OCI container services got this
implicitly but our direct podman invocations did not.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Bazarr stores its config at /var/lib/bazarr/config/config.yaml, not
the old /var/lib/bazarr/data/config/config.ini path. Use yq to extract
auth.apikey from the YAML. Fixes both bazarr-sync and arr-interconnect.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Hourly timer syncs only recently added content (last 2h) by querying
Radarr/Sonarr APIs for new items. Weekly full-library sync runs Sunday
04:00 as a catch-all. Both run the bazarr-sync container via podman.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replaces Vesktop for quick cross-device note-passing. Uses Flatnotes
with auth disabled so Authelia is the only login required.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Newer *arr versions added AuthenticationRequired to config.xml and now
block access if it's not explicitly set. Patch it to
DisabledForLocalAddresses alongside the existing AuthenticationMethod
patch, since Authelia handles auth at the reverse proxy.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Inactivity was 5m which caused logouts while working in VS Code
(no new page loads). Bumped inactivity to 2h, expiration to 12h.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Radarr, Sonarr, Prowlarr, and Bazarr now patch their auth setting to
None on every service start — auth is handled by Authelia at the proxy.
Also updates readme with missing services, settings files, and flake
inputs added since the last readme refresh.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
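The two *arr commits above (patching AuthenticationMethod to None on every start, and later also AuthenticationRequired to DisabledForLocalAddresses) both come down to rewriting two elements of config.xml idempotently before the service starts. The script below is an added example, not the repo's preStart hook: it replaces each element in place or inserts it before `</Config>`, and a second run leaves the file byte-identical. The config.xml layout (one element per line under a single `<Config>` root) is assumed from the constructed sample.

```shell
#!/bin/sh
# Added example, not the repo's own preStart script: set the two *arr auth
# elements idempotently so the app defers to Authelia at the reverse proxy.
set -eu

# Replace <$2>...</$2> in file $1 with value $3, or insert the element before
# </Config> if it is absent. Writes back through cat so owner/mode survive.
set_xml_element() {
  file=$1 name=$2 value=$3
  tmp=$(mktemp)
  awk -v n="$name" -v v="$value" '
    index($0, "<" n ">") { sub("<" n ">[^<]*</" n ">", "<" n ">" v "</" n ">"); found = 1 }
    /<\/Config>/ && !found { print "  <" n ">" v "</" n ">" }
    { print }' "$file" > "$tmp"
  cat "$tmp" > "$file"
  rm -f "$tmp"
}

# Auth off inside the app (the proxy authenticates) and no lockout for local
# addresses, matching the values the two commits above describe.
patch_arr_auth() {
  set_xml_element "$1" AuthenticationMethod None
  set_xml_element "$1" AuthenticationRequired DisabledForLocalAddresses
}

# 0 if both elements carry the expected values, 1 otherwise.
arr_auth_is_delegated() {
  grep -q '<AuthenticationMethod>None</AuthenticationMethod>' "$1" &&
  grep -q '<AuthenticationRequired>DisabledForLocalAddresses</AuthenticationRequired>' "$1"
}

# Constructed config.xml in the shape *arr writes on first start: the auth
# method is present (Forms), AuthenticationRequired is not yet there.
DEMO_CONFIG=$(mktemp)
cat > "$DEMO_CONFIG" <<'EOF'
<Config>
  <LogLevel>info</LogLevel>
  <AuthenticationMethod>Forms</AuthenticationMethod>
  <UrlBase></UrlBase>
</Config>
EOF
patch_arr_auth "$DEMO_CONFIG"
```

The caveat a practitioner wants here: with in-app auth set to None, anything that can reach the *arr port directly bypasses Authelia entirely, so the app must listen only where the proxy can reach it (loopback, or a firewall that drops the port from everywhere else), and `arr_auth_is_delegated` is also a cheap way to confirm the UI setting has not drifted between rebuilds.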
Escape \${q} as ''${q} so Nix doesn't try to evaluate it as a
variable in the activation script string.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds a NixOS activation script that patches the crossorigin attribute
onto the Claude Code extension's stylesheet link, fixing broken CSS in
Firefox due to stricter CORS handling than Chrome.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds nixpkgs unstable as a flake input and exposes pkgs-unstable via
specialArgs. code-server uses the unstable package so the Claude Code
extension version requirement is satisfied.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Deploys code-server on FredOS-Mediaserver (port 4444, user fred) with
Authelia one_factor auth and nginx reverse proxy. Includes claude-code
in system packages for use in the integrated terminal.
Also fixes anyrun launcher width to absolute 350px (was a tiny fraction).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
CUDA ≤12.5 removed from nixpkgs as unmaintained; CUDA 12.6+ requires
driver ≥560 but legacy_535 (Maxwell's last supported branch) caps out
at 12.2. No compatible CUDA path exists for the Quadro M2000.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The M2000's legacy_535 driver caps CUDA support at 12.2; nixpkgs'
default ollama-cuda targets 12.8 (requires driver ≥570), causing
the runner to crash immediately. Override to CUDA 12.2 with sm_52
arch target to match Maxwell GM206 compute capability.
Also open port 11434 on the mediaserver firewall for remote ollama
access from other LAN hosts.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The crowdsec hub tracks upstream master, but nixpkgs stable's crowdsec
binary is a few versions behind and doesn't know newer expr functions
(LookupFile in particular). When crowdsec-setup re-pulls the hub on
each rebuild, it lands /etc/crowdsec/scenarios/http-technology-probing.yaml
which then crashes the agent at load time with "unknown name LookupFile".
Adds a tiny oneshot ordered between crowdsec-setup and crowdsec that
removes the offending file. RequiredBy crowdsec.service so the hook
always fires even if someone restarts the agent manually. Drop this
unit (and revert the bundled-package fix) once nixpkgs catches up.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This reverts db69615. Not pursuing the Windows-VM workaround for the DR
client mod after all. The server-side AdminCommandHandler exposes a
LevelSelf channel that bypasses the DLL flow entirely, which is a
better path than running a whole guest OS for one game.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Adds libvirtd + virt-manager + OVMFFull (UEFI w/ Secure Boot) + swtpm
(software TPM 2.0) so a Windows 11 VM can install. Brings in virtio-win
ISO for guest drivers and virt-viewer for SPICE console. Adds fred to
the libvirtd group.
Reason: the Dungeon Runners client-side mod (DSOUND.dll inline-hook
trampolines + memory scanner) crashes wine with a guard-page violation
on init regardless of Proton vintage; the only realistic path for
character progression is to run the client on real Windows.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Unity's Win64 build still creates a 1x1 hidden window via Win32 even
under -batchmode -nographics. Wine needs an X display to honor that;
without one, startup fails with "Failed to create batch mode window:
Success." after Mono initializes and PhysX comes up. xvfb-run -a gives
it a virtual display with no real X server cost.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
New service module on FredOS-Mediaserver that launches the friend's
Windows-only Unity server (DR_Server.exe -batchmode -nographics) in a
Win64 wine prefix. wineboot initializes the prefix on first start.
Opens auth/game/queue ports 2110, 2603-2606 (TCP+UDP).
Build files staged separately at ~/dr-server-build on the server;
sudo-move into /var/lib/dr-server/Build after the rebuild.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Adds a stage s02-enrich parser whitelist so events originating from
10.0.0.0/24 (and 127.0.0.1/::1) are dropped before scoring. Without it,
Authelia 401s from a stale browser tab on a LAN client can trip
http-bf / ssh-bf scenarios and the firewall bouncer cuts the LAN host
off from the server — happened today with the gaming desktop.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
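The two crowdsec commits above both add small pieces of glue around the hub: a oneshot that removes a scenario the older agent cannot load, and a parser whitelist so LAN and loopback sources never reach the scenarios. The script below is an added example, not the repo's units. It generalises the hardcoded file removal to "drop any hub scenario that calls an expr function this agent does not know", and writes the s02-enrich whitelist in crowdsec's parser whitelist format. Directories are passed in, and the scenario files are constructed stand-ins for a hub checkout.

```shell
#!/bin/sh
# Added example, not the repo's systemd units: post-hub-pull hooks for an
# agent that is behind the hub, plus a LAN/loopback whitelist parser.
set -eu

# Remove every *.yaml in $1 that calls expr function $2 (e.g. LookupFile).
# Prints each removed path; returns 0 even when nothing matched.
prune_scenarios_using() {
  dir=$1 fn=$2
  for f in "$dir"/*.yaml; do
    [ -e "$f" ] || continue
    if grep -qF "$fn(" "$f"; then
      printf '%s\n' "$f"
      rm -f -- "$f"
    fi
  done
}

# Write a whitelist parser into $1 (the parsers/s02-enrich directory) so
# events from the LAN and loopback are dropped before any scenario scores them.
write_lan_whitelist() {
  mkdir -p "$1"
  cat > "$1/lan-whitelist.yaml" <<'EOF'
name: local/lan-whitelist
description: "Drop events from the LAN and loopback before scoring"
whitelist:
  reason: "trusted LAN / loopback source"
  ip:
    - "127.0.0.1"
    - "::1"
  cidr:
    - "10.0.0.0/24"
EOF
}

# Constructed stand-ins for /etc/crowdsec/scenarios after a hub pull: one
# scenario uses LookupFile, one does not.
SCENARIOS=$(mktemp -d)
cat > "$SCENARIOS/http-technology-probing.yaml" <<'EOF'
type: trigger
name: constructed/uses-lookupfile
filter: "evt.Meta.service == 'http' && LookupFile(evt.Parsed.request, '/tmp/probes.txt')"
EOF
cat > "$SCENARIOS/ssh-bf.yaml" <<'EOF'
type: leaky
name: constructed/ssh-bf
filter: "evt.Meta.log_type == 'ssh_failed-auth'"
EOF
PARSERS=$(mktemp -d)

prune_scenarios_using "$SCENARIOS" LookupFile
write_lan_whitelist "$PARSERS"
```

Two things to keep in mind when reusing this. Pruning a scenario means that detection is simply gone until nixpkgs ships an agent that understands the function, which is why the commit says to drop the unit once it catches up. And a CIDR whitelist this broad means a compromised LAN host keeps unlimited brute-force attempts against Authelia and sshd; on a single-user home network that is a deliberate trade, but the same file on a shared LAN should be narrowed to the hosts that actually need it.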
Two small follow-ups to the SAB module:
- Extend host_whitelist to also include 127.0.0.1 + localhost. SAB's
local-IP bypass usually handles this, but Sonarr/Radarr's "Hostname
verification failed" error becomes a real footgun if it ever flips.
- Add extraGroups = [ "media" ] for parity with sonarr/radarr/qbittorrent.
No functional change since group = "media" already.
Also wires SABnzbd into arr-interconnect: extracts api_key from
sabnzbd.ini and POSTs a Sabnzbd download client into Sonarr (tv-sonarr
category) and Radarr (radarr category). Idempotent like the existing
qBittorrent block; silently skips on first boot before SAB has materialised
its config.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
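The arr-interconnect step described above (read SAB's api_key out of sabnzbd.ini, register a Sabnzbd download client in Sonarr and Radarr, skip when SAB has not written its config yet, stay idempotent) is shown below as an added example; it is not the repo's script. The INI reader is plain awk so it needs no extra package; the download-client JSON shape and the Sabnzbd field names (`apiKey`, `tvCategory` for Sonarr, `movieCategory` for Radarr) are assumed from the *arr v3 API, and the sabnzbd.ini path in the usage note is an assumption too. The ini content is constructed.

```shell
#!/bin/sh
# Added example, not the repo's arr-interconnect script: extract SAB's api_key
# from sabnzbd.ini and register SAB as a download client idempotently.
set -eu

# Print the value of key $3 in section [$2] of INI file $1 (empty if absent).
# Any bracketed header, including sabnzbd's nested [[...]] blocks, ends the
# current section, so a same-named key elsewhere is never picked up.
ini_get() {
  awk -v s="[$2]" -v k="$3" '
    $0 == s { in_s = 1; next }
    /^\[/   { in_s = 0 }
    in_s && $0 ~ "^" k "[ \t]*=" { sub(/^[^=]*=[ \t]*/, ""); print; exit }' "$1"
}

# 0 if a GET /api/v3/downloadclient listing (JSON text) already holds a
# Sabnzbd client, 1 otherwise. Whitespace is stripped so pretty-printed
# responses match too.
sab_already_registered() {
  printf '%s' "$1" | tr -d ' \n\t' | grep -q '"implementation":"Sabnzbd"'
}

# JSON body for POST /api/v3/downloadclient (assumed v3 shape).
# $1 host, $2 port, $3 SAB api key, $4 category field name, $5 category.
sab_client_json() {
  printf '{"enable":true,"protocol":"usenet","priority":1,"name":"SABnzbd",'
  printf '"implementation":"Sabnzbd","implementationName":"SABnzbd",'
  printf '"configContract":"SabnzbdSettings","fields":['
  printf '{"name":"host","value":"%s"},{"name":"port","value":%s},' "$1" "$2"
  printf '{"name":"useSsl","value":false},{"name":"apiKey","value":"%s"},' "$3"
  printf '{"name":"%s","value":"%s"}]}' "$4" "$5"
}

# Register SAB in one *arr instance. Silently skips when sabnzbd.ini has no
# api_key yet (first boot) or when a Sabnzbd client already exists.
# $1 arr base URL, $2 arr api key, $3 sabnzbd.ini, $4 category field, $5 category.
register_sab() {
  sab_key=$(ini_get "$3" misc api_key)
  [ -n "$sab_key" ] || return 0
  existing=$(curl -fsS -H "X-Api-Key: $2" "$1/api/v3/downloadclient")
  sab_already_registered "$existing" && return 0
  sab_client_json 127.0.0.1 8080 "$sab_key" "$4" "$5" |
    curl -fsS -H "X-Api-Key: $2" -H 'Content-Type: application/json' \
         -X POST --data-binary @- "$1/api/v3/downloadclient" > /dev/null
}

# Constructed sabnzbd.ini fragment (not a real key). The nested server block
# carries its own api_key to show the section scan must not bleed into it.
DEMO_INI=$(mktemp)
cat > "$DEMO_INI" <<'EOF'
[misc]
host_whitelist = sabnzbd.lan, 127.0.0.1, localhost
api_key = 0123456789abcdef0123456789abcdef
[servers]
[[news.example.invalid]]
api_key = not-the-one-we-want
EOF
```

Usage, with an assumed ini path: `register_sab http://127.0.0.1:8989 "$SONARR_KEY" /var/lib/sabnzbd/sabnzbd.ini tvCategory tv-sonarr` and the same with `movieCategory radarr` against Radarr. Both API keys end up in curl's argv, so on a shared host prefer reading them from a root-only file via `curl -K` or `-H @file`; on this single-user server the bigger risk is the one the commit already handles, which is that a missing or empty api_key must skip rather than register a client with a blank key.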