Runs Tdarr server with internal node on the mediaserver for managing
library-wide re-encoding to save disk space. Web UI at tdarr.nordhammer.it.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Add sudo to reboot alias so it doesn't prompt for password.
Add blank line before networking.hostName in hardware config.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Commented out nginx, go2rtc, cloudflare-ddns, fail2ban, and authelia
until secrets are migrated to the new server hardware.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Guard matugen call with command -v check so the update alias
works on hosts without GNOME/matugen (e.g. mediaserver).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Matugen templates for Ghostty theme and GTK4 colors
- Ghostty uses generated wallpaper theme instead of Catppuccin
- GTK4 CSS imports generated color overrides
- Update alias runs matugen after switch to regenerate colors
- Add wallpaper fish function to change wallpaper + regen colors
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Saves the old system path before switching so nvd can compare
old vs new after everything else finishes.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

The update alias now builds first, shows a readable diff of
added/removed/upgraded packages via nvd, then switches.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Consolidates V-Rising into the existing game-servers module instead of
a separate file. Also uncomments the game-servers import in common.nix
and adds UDP 9876/9877 to the shared firewall rules.
https://claude.ai/code/session_01Ays1x4CUUJE1jPLkeNMojV

Uses NixOS virtualisation.oci-containers (Docker backend) with the
trueosiris/vrising image. Persists server files and save data under
/var/lib/v-rising/. Opens UDP 9876/9877 in the firewall.
https://claude.ai/code/session_01Ays1x4CUUJE1jPLkeNMojV

- Move shell/prompt/font config from apps/fastfetch.nix to settings/shell.nix
- Remove flatpaks.nix and nix-flatpak flake input (no flatpak packages in use)
- Update readme structure and flake inputs table
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Prompt segments now have background colors (green/yellow/blue pills)
- NixOS icon visible in green pill segment
- Remove fastfetch from terminal startup and clear alias
- fastfetch still available via manual `fastfetch` command
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Native nginx with ACME wildcard cert (*.nordhammer.it) via Cloudflare DNS-01
- Native Authelia SSO with forward auth protecting homepage + camera
- Native go2rtc camera streaming (no more Docker)
- Auto-migration script for Authelia secrets and user database from Docker
- Homepage hrefs updated to use HTTPS domain names
- Fail2ban updated for native nginx log paths + new Authelia jail
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Covers all running services: Jellyfin, Sonarr, Radarr, Bazarr, Prowlarr,
qBittorrent, Nginx Proxy Manager, Authelia, go2rtc. Live widgets for
*arr apps, Jellyfin now-playing, and qBittorrent speed use API keys
loaded from /etc/homepage-secrets (outside the Nix store).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Adds authorised keys for FredOS-Gaming and phone. Disables SSH password
authentication on FredOS-Mediaserver — key auth only going forward.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Elasticsearch + Kibana + Filebeat in Docker, bridged via an elk network.
Filebeat uses the Suricata module to parse eve.json and auto-installs
Kibana dashboards on first run. ES heap capped at 1g; Kibana Node heap
at 512m — total stack ~2-2.5 GB RAM.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Passive network monitoring via af-packet on eno1. Rulesets auto-updated
from ET/Open, abuse.ch, and other community sources via suricata-update.
Runs alongside fail2ban; IPS/blocking mode can be enabled later.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Replaces bare enable flag with a dedicated service module covering:
- SSH brute force via journald
- Nginx Proxy Manager auth failures via Docker log files
- Jellyfin auth failures via journald
Includes incremental ban times (up to 1 week) and LAN ignore rules.
https://claude.ai/code/session_01PwAXuaoJx7qD5FhVLsn7Sn