- crowdsec.nix: drop the ntfy notifications (one push per ban was constant
noise on the WAN-exposed box); bans still happen silently
- service-health.nix: OnFailure=notify-failure@%n on 16 core units sends an
ntfy 'down' push when a unit truly fails (after exhausting Restart=), then
a 'recovered' push when it comes back. Shares /var/secrets/ntfy-url.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

wineWowPackages → wineWow64Packages,
environmentFile → environmentFiles (list),
gtk.gtk4.theme = null for all hosts.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Firefox patches: CORS crossorigin on stylesheet link,
Shift+Enter line break via insertLineBreak + innerText,
nix-ld for Claude Code node binary.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Stable restore point before 26.05 — last known good unstable config.
Unify all hosts on nixos-26.05 + home-manager release-26.05.
Drop hyprland, anyrun, nixpkgs-stable, home-manager-stable,
stylix-stable inputs. Hyprland 0.55.2 and anyrun 25.12.0 from
nixpkgs. Anyrun config via xdg.configFile (no HM module in 26.05).
Stylix on master until release-26.05 branch exists.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Prevents browser from restoring cached page with expired
Authelia session, which caused WebSocket 1006 on first load.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

systemd.network.links didn't generate files; use udev extraRules
to pin NIC names to MACs. Also disable networking.useDHCP catch-all
that silently misconfigured the LAN NIC when it got a wrong name.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Rootful Podman containers (used by the Forgejo runner) use podman0
and podman-* bridges, which were being dropped by the default-deny
firewall policy. This broke DNS resolution and internet access.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Runner containers (via Podman compat) couldn't resolve external hosts
after AdGuard stopped binding to 0.0.0.0. Point them at 10.0.0.1.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Binding to 0.0.0.0 claimed port 53 on podman bridge interfaces,
preventing aardvark-dns from starting and breaking Forgejo Actions.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Delete 8 unused matugen template files, remove the matugen package,
homepage custom.css watcher infrastructure, and the wallpaper shell
function. Update remaining comments to reference stylix.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

No IPv6 upstream exists, but glibc still tried AAAA records first,
causing Jellyfin's TMDb client to get garbled responses.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Standalone podman run calls need virtualisation.podman.enable to get a
valid /etc/containers/policy.json. OCI container services got this
implicitly but our direct podman invocations did not.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Bazarr stores its config at /var/lib/bazarr/config/config.yaml, not
the old /var/lib/bazarr/data/config/config.ini path. Use yq to extract
auth.apikey from the YAML. Fixes both bazarr-sync and arr-interconnect.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Hourly timer syncs only recently added content (last 2h) by querying
Radarr/Sonarr APIs for new items. Weekly full-library sync runs Sunday
04:00 as a catch-all. Both run the bazarr-sync container via podman.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Replaces Vesktop for quick cross-device note-passing. Uses Flatnotes
with auth disabled so Authelia is the only login required.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Newer *arr versions added AuthenticationRequired to config.xml and now
block access if it's not explicitly set. Patch it to
DisabledForLocalAddresses alongside the existing AuthenticationMethod
patch, since Authelia handles auth at the reverse proxy.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Inactivity was 5m which caused logouts while working in VS Code
(no new page loads). Bumped inactivity to 2h, expiration to 12h.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Radarr, Sonarr, Prowlarr, and Bazarr now patch their auth setting to
None on every service start — auth is handled by Authelia at the proxy.
Also updates readme with missing services, settings files, and flake
inputs added since the last readme refresh.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>