Commit graph

282 commits

Author SHA1 Message Date
c0ed58bcc2 neko: own /var/lib/neko/home as uid 1000 so the container desktop can start
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-25 10:42:13 +01:00
b00dee9dc6 neko: drop winetricks (not in Debian trixie main; GW needs only bare wine)
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-25 10:39:20 +01:00
e5589907a3 neko: use real xfce image (software render), drop nonexistent nvidia-xfce + GPU
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-25 10:35:51 +01:00
e199933dce neko: build image from stdin Dockerfile (fix symlinked-context build failure)
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-25 10:31:31 +01:00
fe0cb4663e neko: add Authelia access rule for neko.nordhammer.it
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-25 10:27:49 +01:00
448e44753f neko: Guild Wars in a browser (Xfce+Wine+NVIDIA), Authelia-gated
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-25 10:07:36 +01:00
5e870d0e8b arr-interconnect: auto-add Jellyfin library-refresh notification to Sonarr/Radarr
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-24 21:35:41 +01:00
0f92b3fbf5 Disable frigate for now
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-18 21:11:06 +01:00
ddbc8929e4 alerting: silence per-ban crowdsec pushes; ntfy alert on service down/recovery
- crowdsec.nix: drop the ntfy notifications (one push per ban was constant
  noise on the WAN-exposed box); bans still happen silently
- service-health.nix: OnFailure=notify-failure@%n on 16 core units sends an
  ntfy 'down' push when a unit truly fails (after exhausting Restart=), then
  a 'recovered' push when it comes back. Shares /var/secrets/ntfy-url.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-13 17:54:37 +01:00
8dd70a2d9d mediaserver: drop no-op firewall rules, close unused DR forwards
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-11 10:00:49 +01:00
f65675bd80 authelia: drop docker migration, tighten secret perms
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-11 10:00:49 +01:00
93e79509c4 crowdsec: inject ntfy url at runtime, drop obsolete hub prune
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-11 10:00:49 +01:00
e3fb0de10c fix 26.05 evaluation warnings
wineWowPackages → wineWow64Packages,
environmentFile → environmentFiles (list),
gtk.gtk4.theme = null for all hosts.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-30 16:46:18 +01:00
458be246f0 try to fix code-server claude thing.
Firefox patches: CORS crossorigin on stylesheet link,
Shift+Enter line break via insertLineBreak + innerText,
nix-ld for Claude Code node binary.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-30 16:38:36 +01:00
d92c327cdf try to fix code-server claude thing.
2026-05-30 15:44:54 +01:00
72246fc440 pin to nixos 26.05, drop hyprland/anyrun flakes
Stable restore point before 26.05 — last known good unstable config.

Unify all hosts on nixos-26.05 + home-manager release-26.05.
Drop hyprland, anyrun, nixpkgs-stable, home-manager-stable,
stylix-stable inputs. Hyprland 0.55.2 and anyrun 25.12.0 from
nixpkgs. Anyrun config via xdg.configFile (no HM module in 26.05).
Stylix on master until release-26.05 branch exists.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-30 11:12:09 +01:00
1e7427ec0d nginx: add no-store cache header to code-server vhost
Prevents browser from restoring cached page with expired
Authelia session, which caused WebSocket 1006 on first load.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-27 09:21:55 +01:00
b0bf73f60e frigate: use 8 threads for CPU detection
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 23:19:01 +01:00
297fd631ff enable audio detection on kids_bedroom camera
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 23:13:06 +01:00
b957d88ff6 frigate: gate frontend with Authelia, not just API routes
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 23:09:00 +01:00
ad11fb3033 frigate: lower detect resolution to 720p for CPU performance
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 23:02:44 +01:00
ed71384885 frigate: double-proxy auth to inject Remote-Role header
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 22:29:20 +01:00
818caf88a2 frigate: map Remote-Role header for admin access via Authelia
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 22:03:34 +01:00
4a5a30f018 frigate: try top-level proxy auth with Remote-User header
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 21:57:38 +01:00
192db01be0 revert frigate auth to disabled mode
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 21:52:07 +01:00
e09cbb0cb5 frigate: use proxy auth mode with Authelia headers
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 21:49:33 +01:00
6b113b0a72 move homepage to port 8084, 8081 used by crowdsec
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 21:35:50 +01:00
5e73fe6f1a add frigate to Authelia access control
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 21:31:32 +01:00
5a3d74d800 move homepage to port 8081, 8082 needed by frigate jsmpeg
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 21:24:04 +01:00
83b3653331 disable frigate built-in auth, Authelia handles it
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 21:18:03 +01:00
1ada3769c3 fix frigate config: remove invalid events.retain
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 21:13:13 +01:00
426d86645f add Frigate NVR service behind Authelia
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 21:08:50 +01:00
8560c11afa fix NIC naming: use udev rules instead of .link files
systemd.network.links didn't generate files; use udev extraRules
to pin NIC names to MACs. Also disable networking.useDHCP catch-all
that silently misconfigured the LAN NIC when it got a wrong name.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 09:31:57 +01:00
94d5b6a2a1 pin NIC names to MAC + limit 7DTD restart loops
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 09:31:57 +01:00
13fac2ffdf arr: use External auth method to fix auth reset on restart
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-21 22:15:45 +01:00
a18db710c0 nftables: allow podman bridges in input and forward chains
Rootful Podman containers (used by the Forgejo runner) use podman0
and podman-* bridges, which were being dropped by the default-deny
firewall policy. This broke DNS resolution and internet access.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-21 15:02:09 +01:00
8b6029ca86 forgejo-runner: set explicit DNS to fix container resolution
Runner containers (via Podman compat) couldn't resolve external hosts
after AdGuard stopped binding to 0.0.0.0. Point them at 10.0.0.1.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-21 14:44:26 +01:00
fb2d3a1ff7 adguard: bind DNS to LAN + loopback only to avoid podman conflict
Binding to 0.0.0.0 claimed port 53 on podman bridge interfaces,
preventing aardvark-dns from starting and breaking Forgejo Actions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-21 14:34:11 +01:00
1aebc200b6 remove matugen remnants — theming is now handled by stylix
Delete 8 unused matugen template files, remove the matugen package,
homepage custom.css watcher infrastructure, and the wallpaper shell
function. Update remaining comments to reference stylix.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-20 17:45:11 +01:00
53c3fedf52 mediaserver: disable IPv6 to fix Jellyfin TMDb metadata fetches
No IPv6 upstream exists, but glibc still tried AAAA records first,
causing Jellyfin's TMDb client to get garbled responses.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-20 13:44:17 +01:00
6f3845aa1b mediaserver: enable podman for bazarr-sync container policy
Standalone podman run calls need virtualisation.podman.enable to get a
valid /etc/containers/policy.json. OCI container services got this
implicitly but our direct podman invocations did not.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-19 10:54:44 +01:00
39d5a95866 mediaserver: fix bazarr config path (YAML, not INI)
Bazarr stores its config at /var/lib/bazarr/config/config.yaml, not
the old /var/lib/bazarr/data/config/config.ini path. Use yq to extract
auth.apikey from the YAML. Fixes both bazarr-sync and arr-interconnect.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-19 10:51:53 +01:00
d83db8c555 mediaserver: add bazarr-sync for automatic subtitle synchronisation
Hourly timer syncs only recently added content (last 2h) by querying
Radarr/Sonarr APIs for new items. Weekly full-library sync runs Sunday
04:00 as a catch-all. Both run the bazarr-sync container via podman.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-19 10:46:36 +01:00
db413ad808 services: add Flatnotes note-sharing at notes.nordhammer.it
Replaces Vesktop for quick cross-device note-passing. Uses Flatnotes
with auth disabled so Authelia is the only login required.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-17 14:19:52 +01:00
12253c23dd arr: patch AuthenticationRequired to suppress auth enforcement
Newer *arr versions added AuthenticationRequired to config.xml and now
block access if it's not explicitly set. Patch it to
DisabledForLocalAddresses alongside the existing AuthenticationMethod
patch, since Authelia handles auth at the reverse proxy.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-16 21:01:11 +01:00
81b5fc84d1 authelia: extend session inactivity timeout to 2h
Inactivity was 5m which caused logouts while working in VS Code
(no new page loads). Bumped inactivity to 2h, expiration to 12h.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-16 12:42:17 +01:00
5eeab405c0 services: disable built-in auth on *arr stack; update readme
Radarr, Sonarr, Prowlarr, and Bazarr now patch their auth setting to
None on every service start — auth is handled by Authelia at the proxy.

Also updates readme with missing services, settings files, and flake
inputs added since the last readme refresh.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-16 12:27:19 +01:00
ad7a45d143 code-server: fix Nix string interpolation in Firefox CORS patch
Escape \${q} as ''${q} so Nix doesn't try to evaluate it as a
variable in the activation script string.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-16 12:25:30 +01:00
099ff8a093 code-server: patch Claude Code extension for Firefox CORS fix
Adds a NixOS activation script that patches the crossorigin attribute
onto the Claude Code extension's stylesheet link, fixing broken CSS in
Firefox due to stricter CORS handling than Chrome.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-16 12:10:11 +01:00
e59c239257 code-server: pin package to nixpkgs unstable for newer VS Code version
Adds nixpkgs unstable as a flake input and exposes pkgs-unstable via
specialArgs. code-server uses the unstable package so the Claude Code
extension version requirement is satisfied.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-16 11:17:25 +01:00