Same rationale as jq — useful when poking at the AdGuard / DNS path
during incidents, no package on the system currently provides dig/host.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Adds a stage s02-enrich parser whitelist so events originating from
10.0.0.0/24 (and 127.0.0.1/::1) are dropped before scoring. Without it,
Authelia 401s from a stale browser tab on a LAN client can trip
http-bf / ssh-bf scenarios and the firewall bouncer cuts the LAN host
off from the server — happened today with the gaming desktop.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
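As an added example (not a file from this repo), the shape of a CrowdSec s02-enrich whitelist for the LAN and loopback sources described above, installed from Nix. It assumes CrowdSec loads parsers from /etc/crowdsec/parsers, which depends on how your CrowdSec module lays out its hub.

```nix
# Added example: CrowdSec parser whitelist for LAN + loopback sources.
# Assumes CrowdSec reads parsers from /etc/crowdsec/parsers (adjust the
# path if your module points the hub elsewhere). An event whose source
# matches is flagged whitelisted at stage s02-enrich, so no scenario
# (http-bf, ssh-bf, ...) scores it and the firewall bouncer never bans
# the LAN host behind a stale Authelia session.
{
  environment.etc."crowdsec/parsers/s02-enrich/lan-whitelist.yaml".text = ''
    name: local/lan-whitelist
    description: "Never score events from the LAN or loopback"
    whitelist:
      reason: "LAN or loopback source"
      ip:
        - "127.0.0.1"
        - "::1"
      cidr:
        - "10.0.0.0/24"
  '';
}
```

The trade-off is that a genuinely misbehaving LAN host also gets a free pass, so keep the CIDR to the trusted subnet rather than all of RFC 1918, and confirm with `cscli parsers list` that the local file is loaded after the rebuild.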
`nixos-rebuild switch` already builds — the prior `build && switch`
chain made nix evaluate the flake twice and pushed a second
empty-tree nom render to the terminal. With one switch, the nom
output stays clean: single dependency graph, then activation, then nvd.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Useful for ad-hoc shell scripts (e.g. downloads-cleanup.sh) — already a
build-time dep of arr-interconnect, just wasn't on the user PATH.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Adds nix-output-monitor to systemPackages and pipes nixos-rebuild's
internal-json log stream through `nom --json` for both the build and
switch steps. set -o pipefail at the top so a failed rebuild aborts the
chain (otherwise && only sees nom's exit code, which is always 0).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Two small follow-ups to the SAB module:
- Extend host_whitelist to also include 127.0.0.1 + localhost. SAB's
local-IP bypass usually handles this, but Sonarr/Radarr's "Hostname
verification failed" error becomes a real footgun if it ever flips.
- Add extraGroups = [ "media" ] for parity with sonarr/radarr/qbittorrent.
No functional change since group = "media" already.
Also wires SABnzbd into arr-interconnect: extracts api_key from
sabnzbd.ini and POSTs a Sabnzbd download client into Sonarr (tv-sonarr
category) and Radarr (radarr category). Idempotent like the existing
qBittorrent block; silently skips on first boot before SAB has materialised
its config.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
networking.enableIPv6 = false only sets the system sysctl; NetworkManager
keeps re-enabling disable_ipv6=0 per-interface because connection
defaults to ipv6.method = auto. The "?" icon comes back because NM's
v6 connectivity probe races over a SLAAC ULA with no real upstream.
Forces ipv6.method = disabled in NetworkManager's connection defaults
and stops the kernel from accepting router advertisements, so v6 never
gets brought up on any new or existing connection.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
The catthehacker runner image runs jobs as root and Nix's install script
refuses to do a clean root install without the nixbld group + build users
already in place — even with --no-daemon. Adding them inline keeps the
workflow self-contained without swapping to a Nix-prebuilt container image.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Forgejo's runner spins up a per-workflow Docker network for every job,
which lives on a br-XXXXXX bridge — not docker0. Without this rule, the
in-container git clone (and anything else outbound) hits the forward
chain's default-deny and times out. Match docker0 plus the br-* glob in
both input and forward so any Docker network model works.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Replaces cachix/install-nix-action and stefanzweifel/git-auto-commit-action
with inline shell so the workflow no longer touches github.com. Still pulls
the runner image from Docker Hub and the install script from nixos.org —
those are deliberately left for now and can be cut in a follow-up.
actions/checkout stays because it's mirrored on data.forgejo.org and the
runner already resolves it there.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Forgejo's runner defaults to fetching `uses: org/repo@vN` from its
instance's mirror (data.forgejo.org), which doesn't host most
GitHub-marketplace actions like cachix/install-nix-action. Pointing
default_actions_url at github.com makes the existing workflow Just Work
without fully-qualified URLs in `uses:` lines.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
The gitea-actions-runner module loads tokenFile as a systemd
EnvironmentFile, so it needs KEY=value lines, not a raw token. Comment
updated to match — the runner failed to start the first time around
because the file just contained the bare registration token.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Adds services/forgejo-runner.nix as a host-gated module on the mediaserver
and switches the flake-update workflow from runs-on: ubuntu-latest to the
self-hosted fred-nix label, mapped to catthehacker/ubuntu:act-latest for
GitHub-action compatibility. Token lives at /var/secrets/forgejo-runner-token
so it stays out of the Nix store.
Also drops the stray result/ build symlink from the worktree.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
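One way the host-gated runner module above and the tokenFile fix (KEY=value, not a bare token) fit together; this is an added example, not the repo's services/forgejo-runner.nix. The package attribute name and the hostname check are assumptions.

```nix
# Added example: self-hosted Forgejo runner, gated to the mediaserver host.
# Not the repo's own file. Assumes the runner package is exposed as
# pkgs.forgejo-runner (check your nixpkgs) and that the host is named
# "mediaserver".
{ config, lib, pkgs, ... }:
{
  config = lib.mkIf (config.networking.hostName == "mediaserver") {
    services.gitea-actions-runner = {
      package = pkgs.forgejo-runner;  # assumed attribute name
      instances.fred-nix = {
        enable = true;
        name = "mediaserver";
        url = "https://forg.gregersen.it";
        # The module hands this path to systemd as an EnvironmentFile, so
        # the file must contain a KEY=value line:
        #   TOKEN=<registration token>
        # A bare token makes the runner fail at registration. The path is
        # outside the Nix store, so the secret is never world-readable.
        tokenFile = "/var/secrets/forgejo-runner-token";
        # Map the workflow's runs-on label to the act-compatible image.
        labels = [ "fred-nix:docker://catthehacker/ubuntu:act-latest" ];
      };
    };
  };
}
```

Keep /var/secrets/forgejo-runner-token root-owned and mode 0600; the service reads it as root at start-up, so nothing else on the host needs access.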
Migrating origin from GitHub to a private Forgejo repo at
forg.gregersen.it/rope/nixos. Each host needs the PAT in /root/.git-credentials
(host-local state, set up manually since the repo isn't publicly readable).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
The 25.11 channel renamed proton-vpn to protonvpn-gui; Macbook was
patched in an earlier commit but Gaming wasn't, breaking the build.
zramSwap goes back into common.nix as the cheap OOM-during-uncached-build
safety net — even on stable, --refresh against a freshly-bumped lock can
trigger local builds the box has no swap to absorb.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Containers connecting to host services on 10.0.0.1 (e.g. Profilarr → Radarr
at 10.0.0.1:7878) hit the input chain, not forward, because the destination
is a local IP. The forward chain already trusts docker0 for outbound; this
adds the matching input rule so the return path stops getting dropped.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
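One way to express both firewall commits above (the docker0 input rule here and the br-* glob from the Forgejo-runner commit earlier) in the NixOS nftables firewall. This is an added example, not the repo's own module; it assumes the nftables backend with forward filtering enabled.

```nix
# Added example, not the repo's firewall module. Assumes the nftables
# backend of the NixOS firewall with filterForward on, so both the input
# and forward chains default-deny.
{ lib, ... }:
let
  # nftables matches a trailing "*" in interface names, so one rule covers
  # the per-workflow br-<id> bridges the Forgejo runner creates as well as
  # the default docker0 bridge.
  dockerIfaces = [ "docker0" "br-*" ];
  acceptFrom = lib.concatMapStringsSep "\n"
    (iface: ''iifname "${iface}" accept'') dockerIfaces;
in
{
  networking.nftables.enable = true;
  networking.firewall = {
    enable = true;
    filterForward = true;
    # Containers reaching host services on 10.0.0.1 (Profilarr -> Radarr
    # :7878) traverse the input chain because the destination is local.
    extraInputRules = acceptFrom;
    # Outbound container traffic (e.g. the runner's git clone) is forwarded
    # through the host and must pass the forward chain's default-deny.
    extraForwardRules = acceptFrom;
  };
}
```

Accepting everything from br-* on input exposes every host listener to every container; if the runner only needs a few host services, narrow the input rule with a `tcp dport { ... }` match.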
The ghcr.io/dictionarry-hub/profilarr path mentioned in some docs isn't
publicly pullable — anonymous token requests get 403. Canonical image is
santiagosayshey/profilarr:latest on Docker Hub per the upstream README.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Profilarr replaces the recyclarr/TRaSH-Guides flow with a stateful web
service that owns *arr profiles end-to-end via its own UI. Runs as an
oci-container on 127.0.0.1:6868, fronted by nginx at
profilarr.nordhammer.it behind Authelia (one_factor).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Override TRaSH's -10000 ban on x265 (HD) to +500 on Sonarr WEB-1080p
and Radarr HD Bluray + WEB. The Scene/No-RlsGroup/Retags/Obfuscated
custom formats (each at -10000) still filter the truly low-bitrate
x265 trash, so we get smaller files without inviting slop.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>