Merge home-manager GNOME settings (dconf, keybinds, GTK CSS, wallpaper)
from gnome-hm.nix into settings/gnome.nix so the entire DE config lives
in one file and can be toggled with a single import.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Set button-layout to empty string (removes close/min/max buttons)
- Add GTK 3/4 CSS to shrink headerbar height and hide title text
- Ghostty opacity adjusted to 0.98
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The nix-flatpak flake module was removed (no declarative packages) but
the flatpak service itself is still needed for Bazaar/manual installs.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Move shell/prompt/font config from apps/fastfetch.nix to settings/shell.nix
- Remove flatpaks.nix and nix-flatpak flake input (no flatpak packages in use)
- Update readme structure and flake inputs table
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Fish set_color takes bare hex (394b70) not CSS-style (#394b70).
All color references were silently failing, causing broken rendering.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Python generated '''''' (6 quotes) instead of '' (2 quotes) for Nix
multi-line string delimiters, causing a parse error.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Starship can't color individual path segments separately. Custom fish
prompt with proper Unicode powerline glyphs (U+E0B0 arrows, U+E0B6
left cap). Each folder gets its own colored segment cycling through
teal/green/blue, with chevron transitions between all segments.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The powerline arrow characters were not being saved to the file,
resulting in empty brackets and square segment edges.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Dark blue NixOS icon segment, amber hostname, teal path, purple git
- Better contrast between adjacent segments
- JetBrainsMono Nerd Font for reliable powerline glyph rendering
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Starship handles the powerline segments with proper rounded transitions
between colored backgrounds. Layout:
[ hostname ~/path branch]
❯
- Cyan NixOS icon, yellow hostname, green path, purple git branch
- Dark text on colored backgrounds with powerline arrow transitions
- Nix-shell indicator, red ❯ on error
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Background-colored pills were unreadable on dark themes. Use bold
foreground colors instead: cyan NixOS icon, yellow hostname, green path.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Prompt segments now have background colors (green/yellow/blue pills)
- NixOS icon visible in green pill segment
- Remove fastfetch from terminal startup and clear alias
- fastfetch still available via manual `fastfetch` command
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Theme names need spaces: "Catppuccin Mocha" not "catppuccin-mocha"
- Prompt now shows hostname instead of username: " FredOS-Gaming ~"
- Disable default fish greeting message
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
nixpkgs.stdenv.hostPlatform is not a valid NixOS option. The
deprecation warning comes from nixpkgs internals and is harmless.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Remove virtualisation.docker.enable (no longer used after native
migration of Authelia, go2rtc, and nginx)
- Add migration checklist documenting which state directories and
secrets to back up when moving to new hardware
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
DynamicUser can't write to /run directly. RuntimeDirectory lets systemd
create and manage the directory.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- go2rtc.nix: template config at runtime from /var/secrets/go2rtc-rtsp-url
instead of embedding credentials in the nix store
- readme.md: add Mediaserver secrets section documenting all secrets
needed for a fresh deploy (Cloudflare, go2rtc, Authelia)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Use /api/verify endpoint instead of /api/authz/forward-auth
- Add proxy_pass_request_body off to auth location
- Put redirect URL inline in error_page instead of using a variable
- Use X-Forwarded-Uri (matching old config) instead of X-Forwarded-URI
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
auth_request_set reads variables from the auth subrequest context where
$scheme/$http_host/$request_uri are empty, causing a 500 instead of a
302 redirect. Using set captures from the main request context.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The CNAME interference is resolved so the default lego propagation check
(querying Cloudflare authoritative NS) should work correctly now.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The previous dnsPropagationCheck=false caused lego to ask LE to validate
before the TXT record was globally visible. Adding --dns.propagation-wait
gives Cloudflare time to serve the record from all edge locations.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Cloudflare is the authoritative NS so API-created TXT records are
immediately visible — the propagation poll was timing out unnecessarily.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Native nginx with ACME wildcard cert (*.nordhammer.it) via Cloudflare DNS-01
- Native Authelia SSO with forward auth protecting homepage + camera
- Native go2rtc camera streaming (no more Docker)
- Auto-migration script for Authelia secrets and user database from Docker
- Homepage hrefs updated to use HTTPS domain names
- Fail2ban updated for native nginx log paths + new Authelia jail
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds a systemd oneshot that runs before homepage-dashboard and:
- Reads *arr API keys from their config.xml files
- Reads Bazarr key from config.ini
- Creates a Jellyfin API key in the DB if one named "Homepage" doesn't exist
- Uses localhost for qBittorrent (LocalHostAuth=false, no creds needed)
- Writes everything to /etc/homepage-secrets
Zero manual setup — all keys are extracted or generated automatically.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
40-char password from a manager is impractical for frequent sudo use.
SSH is already key-only, so local privilege escalation is the only
remaining threat — acceptable on a single-user home server.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
