- adguard.nordhammer.it now routes through Authelia forward auth
  (AdGuard Home itself has no login, so this becomes the single gate)
- Added Authelia ACL rule for the subdomain so default_policy=deny
  returns 401 for redirect instead of 403
- Added AdGuard Home widget to Homepage under Infrastructure
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

DoH-only sequential upstreams made first-time lookups slow. Add plain
UDP 1.1.1.1/9.9.9.9 alongside DoH and set upstream_mode=parallel so
AdGuard queries all four simultaneously and uses the fastest response.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

New services/adguard.nix runs AdGuard Home on the mediaserver with DoH
upstreams (Cloudflare + Quad9) and three default blocklists. DNS listens
on :53; web UI on 127.0.0.1:3000, reverse-proxied at adguard.nordhammer.it.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Thread cap didn't move the thermals, so the real culprit is likely
dried-out thermal paste rather than concurrency. Reverting to the
unbounded default while the compound gets redone; running one stream
at a time is enough of a workaround in the meantime.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Concurrent transcodes on the 56-core mediaserver were running hot.
Limits each ffmpeg invocation to 8 threads via -threads and x265's
pools= param (libx265 ignores -threads alone). Overridable with
TRANSCODE_THREADS env var.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Overriding linuxPackagesFor doesn't affect the already-evaluated
linuxPackages_latest attribute. Extend it directly so the patched
facetimehd is picked up by boot.kernelPackages = pkgs.linuxPackages_latest.
https://claude.ai/code/session_01XEMg2HskwRaQW3nrCd1q2z

Without this rule the subdomain falls under default_policy=deny,
which returns 403 instead of the 401 that nginx needs to redirect
to the Authelia login page.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Proton-based clients (e.g. CachyOS native install hitting 7DTD via
the Proton runtime) fail EAC handshake against a Linux dedicated
server. Disabling server-side lets Proton clients join via the
"Play without EasyAntiCheat" splash option.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Lets 7DTD (and other native titles lacking built-in FSR) render
internally at a lower resolution and upscale to the 3440x1440
display via gamescope's FSR filter.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Publishes the container's web dashboard port only on host loopback
(127.0.0.1:8090) so nginx can reverse-proxy it with Authelia
forward-auth, matching the Homepage/camera vhost pattern. Also flips
WebDashboardEnabled to true in the XML patcher so the server actually
starts the web server.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Enables the previously-disabled game-servers module with a new 7DTD
container (vinanrra/7dtd-server) on ports 26900 TCP + 26900-26902 UDP.
A oneshot systemd service waits for LGSM's first install to drop
sdtdserver.xml, then patches in the server name, password, and
random-gen world before restarting the container. V-Rising is removed
— the module hadn't been imported, so this just drops dead code.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Sonarr was silently removing torrents from qBittorrent once imports
completed, killing seeding. Set removeCompletedDownloads to false for
both clients so torrents stick around and keep seeding post-import.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

record-update parses nvd diff after switch and writes latest.json;
Homepage polls a local-only nginx listener and renders date/changes/
closure/kernel via a customapi widget.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

The previous template targeted CSS variables that Homepage doesn't
actually expose at runtime, so only a handful of containers picked up
the theme. Targeting .bg-slate-*/text-slate-* directly replaces the
compiled Tailwind palette with matugen colors across the dashboard.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

btop is shared across all hosts, Homepage is mediaserver-only, and the
GNOME/Ghostty/VSCodium/Vesktop templates only apply to desktop hosts.
Emitting them everywhere made matugen error loudly on the server.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Mediaserver already had a btop.conf outside home-manager control, so
declarative adoption was refused. Setting force=true lets the managed
version take over.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

New nixpkgs defaults for the *arr services set UMask=0022, which
conflicts with the media-group-writable overrides. Wrap with
lib.mkForce alongside the existing Jellyfin fix.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

nixpkgs now sets UMask=0077 on the Jellyfin service, conflicting with
our override that ensures media-group writes. Wrapping with lib.mkForce
restores the intended permission bits.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Share the wallpaper symlink across all hosts by moving it from gnome.nix
into home-manager/fred.nix, and add matugen templates for btop and the
Homepage dashboard.
The Homepage NixOS module writes custom.css into /etc (read-only), so
bind-mount /var/lib/homepage-custom-css/custom.css over it. A systemd
path unit restarts homepage-dashboard whenever matugen rewrites the
file, so regeneration works without sudo.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Parse every Saved: entry in the log to compute cumulative original
size, new size, bytes saved, and percentage reduction so we have a
single command for the transcode impact.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Wayland/Mutter forces server-side decorations when the custom title bar
is collapsed, which looked worse than the slim custom bar. Reverting to
stock VSCodium with compact menu + no command center handled in user
settings.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Using display:none removed the drag region entirely, which caused
GNOME/Mutter to fall back to server-side decorations. Collapsing the
title bar to 0 height keeps VSCodium's frameless state intact.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Override vscodium with a postFixup step that appends a style tag to
workbench.html hiding the titlebar part, so the window sits flush
against GNOME's edge without native or custom decorations.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Override the base grid-template-rows to replace the 32px title bar
reservation with 12px padding that matches the bottom window edge.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Hide Midnight's window controls and trailing section since GNOME
handles decorations, and remove the 158px padding gap left behind.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

The focus ring overrides didn't take effect and the accent color
change made some elements look worse.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Replace custom Discord CSS selectors with Midnight theme (loaded via
online URL) and simple color variable overrides from matugen. Also add
wallpaper-colored focus rings, edit button, and running dot to GNOME
shell app grid.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Sonarr, Radarr, qBittorrent, Jellyfin, and Bazarr all need to create
files that are writable by the media group. Without this, Jellyfin
can't write thumbnails/artwork to media directories and services
can't collaborate on shared files. Also fixes radarr movies directory
to use setgid (2775) consistently.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Removes any .transcode-* files left behind by interrupted runs
before starting the encoding loop.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Map only the first video stream, all audio, and all subtitles instead
of mapping everything. This avoids feeding cover art images through
the libx265 encoder which caused hangs.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Queries qBittorrent for individual file sizes of all active torrents.
Files whose size matches a seeded torrent file are skipped, catching
cross-filesystem copies where hardlink detection doesn't work.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>