Commit graph

1424 commits

Author SHA1 Message Date
7a96927221 crowdsec: whitelist LAN + loopback to prevent self-bans
Adds a stage s02-enrich parser whitelist so events originating from
10.0.0.0/24 (and 127.0.0.1/::1) are dropped before scoring. Without it,
Authelia 401s from a stale browser tab on a LAN client can trip
http-bf / ssh-bf scenarios and the firewall bouncer cuts the LAN host
off from the server — happened today with the gaming desktop.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-06 13:05:14 +01:00
forgejo-actions[bot]
e7896f02d3 flake: update inputs 2026-05-06 04:01:20 +00:00
f1eb467fd4 common: drop redundant build step from update alias
`nixos-rebuild switch` already builds — the prior `build && switch`
chain made nix evaluate the flake twice and pushed a second
empty-tree nom render to the terminal. With one switch, the nom
output stays clean: single dependency graph, then activation, then nvd.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-05 16:20:06 +01:00
forgejo-actions[bot]
2d4f723b8e flake: update inputs 2026-05-05 04:01:20 +00:00
2ea40eb22c common: install jq globally
Useful for ad-hoc shell scripts (e.g. downloads-cleanup.sh) — already a
build-time dep of arr-interconnect, just wasn't on the user PATH.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-04 20:08:15 +01:00
287053b909 common: wire nix-output-monitor into the update alias
Adds nix-output-monitor to systemPackages and pipes nixos-rebuild's
internal-json log stream through `nom --json` for both the build and
switch steps. set -o pipefail at the top so a failed rebuild aborts the
chain (otherwise && only sees nom's exit code, which is always 0).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-04 19:58:49 +01:00
1f07b05c12 sabnzbd: tighten host_whitelist for *arr local calls + group consistency
Two small follow-ups to the SAB module:

- Extend host_whitelist to also include 127.0.0.1 + localhost. SAB's
  local-IP bypass usually handles this, but Sonarr/Radarr's "Hostname
  verification failed" error becomes a real footgun if it ever flips.
- Add extraGroups = [ "media" ] for parity with sonarr/radarr/qbittorrent.
  No functional change since group = "media" already.

Also wires SABnzbd into arr-interconnect: extracts api_key from
sabnzbd.ini and POSTs a Sabnzbd download client into Sonarr (tv-sonarr
category) and Radarr (radarr category). Idempotent like the existing
qBittorrent block; silently skips on first boot before SAB has materialised
its config.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-04 19:25:07 +01:00
955524f489 Update services/sabnzbd.nix 2026-05-04 02:40:44 -07:00
30d9d836e4 Update services/sabnzbd.nix 2026-05-04 02:35:58 -07:00
58440af384 Update services/nginx.nix 2026-05-04 02:30:28 -07:00
dda93320d8 Update services/sabnzbd.nix 2026-05-04 02:29:10 -07:00
e77ca8fceb Update services/sabnzbd.nix 2026-05-04 02:27:50 -07:00
c7f7e75a38 Update services/nginx.nix 2026-05-04 01:53:01 -07:00
34b54e1aad Update services/nginx.nix 2026-05-04 01:52:04 -07:00
cce1e9ccea Update services/authelia.nix 2026-05-04 01:46:41 -07:00
66e9873678 Add services/sabnzbd.nix 2026-05-04 01:40:03 -07:00
40dfc403a3 Update services/nginx.nix 2026-05-04 01:39:08 -07:00
d4ab29699a Update common.nix 2026-05-04 01:38:14 -07:00
forgejo-actions[bot]
beae8c71f4 flake: update inputs 2026-05-04 04:01:16 +00:00
forgejo-actions[bot]
aec0456489 flake: update inputs 2026-05-03 04:01:18 +00:00
1aa6f26cab gaming: actually disable IPv6 on NetworkManager connections
networking.enableIPv6 = false only sets the system sysctl; NetworkManager
keeps re-enabling disable_ipv6=0 per-interface because connection
defaults to ipv6.method = auto. The "?" icon comes back because NM's
v6 connectivity probe races over a SLAAC ULA with no real upstream.

Forces ipv6.method = disabled in NetworkManager's connection defaults
and stops the kernel from accepting router advertisements, so v6 never
gets brought up on any new or existing connection.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-02 23:06:36 +01:00
2e527f0eb0 Update hosts/FredOS-Gaming.nix 2026-05-02 05:53:15 -07:00
91a0d296ba Update hosts/FredOS-Macbook.nix 2026-05-02 00:38:42 -07:00
b2b68603f7 workflow: pre-create nixbld group so the Nix install can run as root
The catthehacker runner image runs jobs as root and Nix's install script
refuses to do a clean root install without the nixbld group + build users
already in place — even with --no-daemon. Adding them inline keeps the
workflow self-contained without swapping to a Nix-prebuilt container image.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-01 19:14:20 +01:00
670ff0a9f9 router: also accept docker user-defined bridges (br-*)
Forgejo's runner spins up a per-workflow Docker network for every job,
which lives on a br-XXXXXX bridge — not docker0. Without this rule, the
in-container git clone (and anything else outbound) hits the forward
chain's default-deny and times out. Match docker0 plus the br-* glob in
both input and forward so any Docker network model works.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-01 19:10:29 +01:00
bcefe9aa26 workflow: drop GitHub-only actions for the update job
Replaces cachix/install-nix-action and stefanzweifel/git-auto-commit-action
with inline shell so the workflow no longer touches github.com. Still pulls
the runner image from Docker Hub and the install script from nixos.org —
those are deliberately left for now and can be cut in a follow-up.

actions/checkout stays because it's mirrored on data.forgejo.org and the
runner already resolves it there.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-01 18:52:37 +01:00
046b4bff90 runner: resolve action refs against github.com by default
Forgejo's runner defaults to fetching `uses: org/repo@vN` from its
instance's mirror (data.forgejo.org), which doesn't host most
GitHub-marketplace actions like cachix/install-nix-action. Pointing
default_actions_url at github.com makes the existing workflow Just Work
without fully-qualified URLs in `uses:` lines.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-01 18:45:35 +01:00
dad207d19b runner: document tokenFile EnvironmentFile format
The gitea-actions-runner module loads tokenFile as a systemd
EnvironmentFile, so it needs KEY=value lines, not a raw token. Comment
updated to match — the runner failed to start the first time around
because the file just contained the bare registration token.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-01 16:04:32 +01:00
27a4e85693 runner: use forgejo-runner package (renamed in 25.11)
The forgejo-actions-runner attr was renamed to forgejo-runner upstream.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-01 16:00:00 +01:00
29e1185694 runner: add Forgejo Actions runner on the mediaserver
Adds services/forgejo-runner.nix as a host-gated module on the mediaserver
and switches the flake-update workflow from runs-on: ubuntu-latest to the
self-hosted fred-nix label, mapped to catthehacker/ubuntu:act-latest for
GitHub-action compatibility. Token lives at /var/secrets/forgejo-runner-token
so it stays out of the Nix store.

Also drops the stray result/ build symlink from the worktree.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-01 15:58:28 +01:00
af1f5c9a04 Update .forgejo/workflows/update.yml 2026-05-01 07:44:16 -07:00
4683d6953f common: point update alias at Forgejo
Migrating origin from GitHub to a private Forgejo repo at
forg.gregersen.it/rope/nixos. Each host needs the PAT in /root/.git-credentials
(host-local state, set up manually since the repo isn't publicly readable).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-01 15:35:07 +01:00
c1094e7352 Fix proton-vpn rename on Gaming, restore zramSwap
The 25.11 channel renamed proton-vpn to protonvpn-gui; Macbook was
patched in an earlier commit but Gaming wasn't, breaking the build.

zramSwap goes back into common.nix as the cheap OOM-during-uncached-build
safety net — even on stable, --refresh against a freshly-bumped lock can
trigger local builds the box has no swap to absorb.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-01 13:38:27 +01:00
ediblerope
e1c193cdc3 flake: update inputs 2026-05-01 10:29:09 +00:00
f6e711044c Update flake.nix 2026-05-01 11:27:32 +01:00
07f44724a0 Update flake.nix 2026-05-01 11:25:46 +01:00
7eb03c2245 Update FredOS-Macbook.nix 2026-05-01 11:07:04 +01:00
782054a0ea Update flake.nix 2026-05-01 11:05:48 +01:00
695ac75daf Update common.nix
removed some AI crap that's no longer needed on stable.
2026-05-01 11:00:57 +01:00
ediblerope
ab8c3ac92a flake: update inputs 2026-05-01 06:30:49 +00:00
c45811acf9 router: accept docker0 on input chain
Containers connecting to host services on 10.0.0.1 (e.g. Profilarr → Radarr
at 10.0.0.1:7878) hit the input chain, not forward, because the destination
is a local IP. The forward chain already trusts docker0 for outbound; this
adds the matching input rule so the return path stops getting dropped.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-30 20:47:46 +01:00
98ccee2221 profilarr: use Docker Hub image (santiagosayshey), not GHCR
The ghcr.io/dictionarry-hub/profilarr path mentioned in some docs isn't
publicly pullable — anonymous token requests get 403. Canonical image is
santiagosayshey/profilarr:latest on Docker Hub per the upstream README.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-30 20:05:30 +01:00
a9649be705 profilarr: swap recyclarr for Dictionarry's Profilarr
Profilarr replaces the recyclarr/TRaSH-Guides flow with a stateful web
service that owns *arr profiles end-to-end via its own UI. Runs as an
oci-container on 127.0.0.1:6868, fronted by nginx at
profilarr.nordhammer.it behind Authelia (one_factor).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-30 20:00:33 +01:00
ediblerope
91a94adc26 flake: update inputs 2026-04-30 06:21:10 +00:00
728779daab 2026-04-29 20:40:54 +01:00
8fa1e4c112 recyclarr: prefer x265 on 1080p profiles for disk space
Override TRaSH's -10000 ban on x265 (HD) to +500 on Sonarr WEB-1080p
and Radarr HD Bluray + WEB. The Scene/No-RlsGroup/Retags/Obfuscated
custom formats (each at -10000) still filter the truly low-bitrate
x265 trash, so we get smaller files without inviting slop.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-29 20:30:42 +01:00
17ea72e2ed common: drop --source-color-index from matugen update alias
The flag was removed in matugen 3.x; the call now exits with an arg
parse error on every update (caught by '|| true' but noisy). matugen
picks a sensible source color by default, so we just drop the flag.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-29 20:17:01 +01:00
79d7d3f88e adguard: explicitly enable LAN rewrites (schema change on stable)
AdGuard's recent config schema added an enabled flag on each rewrite
that defaults to false. Without it, the *.nordhammer.it -> 10.0.0.1
rules were silently disabled, so LAN clients resolved their own
domains to the public DDNS IP and tripped over NAT loopback.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-29 18:56:11 +01:00
4c80e26431 recyclarr: fix Sonarr UHD template name (web-2160p, not uhd-bluray-web)
The Sonarr 4K profile is sonarr-v4-quality-profile-web-2160p in TRaSH's
recyclarr templates — uhd-bluray-web exists for German content only.
The English UHD profile is WEB-only and named "WEB-2160p", so update
the include list and the AV1-ban score assignment to match.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-29 18:48:19 +01:00
3819cb6820 locale + crowdsec: pin timezone, declare static crowdsec user
Two failing services after the channel switch.

automatic-timezoned has been polkit-blocked since well before the
switch — replace with a static Europe/London timezone. Hosts that
travel can override locally if needed.

The vendored crowdsec module's setup unit chowns its config dir to
the (DynamicUser-allocated) crowdsec user via an ExecStartPre+ hack.
On stable's systemd the dynamic user isn't visible to chown via NSS
at that point, so it fails with 'invalid user'. Declaring crowdsec
as a static system user makes systemd use it (DynamicUser becomes a
no-op) and the chown resolves cleanly.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-29 14:00:41 +01:00