allow_tearing was causing visible tearing during window drags, and
misc.vrr=2 was set but never actually engaging — the G34WQCP doesn't
advertise FreeSync on the 190 Hz OC mode. Both were feeding Hyprland's
pacing logic bad signals.
Drops allow_tearing + the matching immediate windowrules, sets vrr=0
explicitly, and pins cursor.no_hardware_cursors=0 to make sure the HW
cursor plane is in use.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Removes the Hyprspace plugin entirely — blank-window snapshots from the
0.52.0/0.52.1 ABI skew aren't worth the patch-pin work right now. With
the overview gone, also rebalances the desktop for input latency:
- decoration.blur disabled (two passes at 3440x1440 were the biggest
  per-frame GPU cost)
- render.direct_scanout = true so fullscreen apps bypass the compositor
- misc.vrr = 2 (always on) instead of fullscreen-only
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Native `plugin = ...` crashes Hyprland during config parse because the
nixpkgs hyprspace is built against 0.52.0 and the compositor is 0.52.1.
The runtime `hyprctl plugin load` path tolerates the skew, so route the
plugin back through HM's plugins option. Super+Space won't fire on every
boot until we land a more robust load mechanism, but the session is
usable again.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
home-manager's `plugins` option emits `exec-once = hyprctl plugin load`,
which races IPC socket readiness on startup and silently no-ops — `hyprctl
plugin list` showed nothing even though the .so existed and loaded fine
when invoked manually. Switch to Hyprland's native `plugin = /path`
directive in extraConfig so the load happens synchronously during config
parse, before any binds referencing its dispatchers.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Bare-Super tap detection didn't actually trigger Hyprspace, and the
SUPER_L release-bind was firing on every combo release anyway. A plain
combo bind sidesteps both problems; Super+Space is free since the
launcher moved to Super+R.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Home-manager loads plugins via exec-once, so dispatchers registered by
Hyprspace don't exist when the config is first parsed — the bindr was
silently dropped with "invalid dispatcher". Route it through `exec,
hyprctl dispatch` instead so the lookup happens at keypress, after the
plugin is up.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Enables VRR for fullscreen, disables compositor VFR, and gates tearing
behind allow_tearing + immediate windowrules for Steam and gamescope.
Animations drop to 0.2s via a snappier bezier.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
The default `,preferred,auto,1` line was selecting 60 Hz on the
G34WQCP. Pin the OC'd 190 Hz mode explicitly.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Loads hyprlandPlugins.hyprspace via the home-manager plugins list and
binds overview:toggle to release-of-Super. Frees Super+Space and moves
wofi to Super+R to match the new gesture.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Adds settings/hyprland.nix as a sibling to the GNOME module, gated to
the Gaming host. GDM picks up the new session entry automatically; GNOME
remains the default and can be reselected at login.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
DR_Server binds UDP/2603 in addition to TCP/2603 — that's where the
DSOUND.dll mod's NAT-punched XP-report socket sends client kill XP
back to the server (see ChatCommandHandler.cs / [DLL XP REPORT] path
in the source). The original forward was tcp-only, so every WAN
client's UDP XP packet was dropped at the router. Symptom: every
character stuck at lvl 1/xp 0 regardless of how the client launched.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
The crowdsec hub tracks upstream master, but nixpkgs stable's crowdsec
binary is a few versions behind and doesn't know newer expr functions
(LookupFile in particular). When crowdsec-setup re-pulls the hub on
each rebuild, it lands /etc/crowdsec/scenarios/http-technology-probing.yaml
which then crashes the agent at load time with "unknown name LookupFile".
Adds a tiny oneshot ordered between crowdsec-setup and crowdsec that
removes the offending file. RequiredBy crowdsec.service so the hook
always fires even if someone restarts the agent manually. Drop this
unit (and revert the bundled-package fix) once nixpkgs catches up.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This reverts db69615. Not pursuing the Windows-VM workaround for the DR
client mod after all. The server-side AdminCommandHandler exposes a
LevelSelf channel that bypasses the DLL flow entirely, which is a
better path than running a whole guest OS for one game.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Adds libvirtd + virt-manager + OVMFFull (UEFI w/ Secure Boot) + swtpm
(software TPM 2.0) so a Windows 11 VM can install. Brings in virtio-win
ISO for guest drivers and virt-viewer for SPICE console. Adds fred to
the libvirtd group.
Reason: the Dungeon Runners client-side mod (DSOUND.dll inline-hook
trampolines + memory scanner) crashes wine with a guard-page violation
on init regardless of Proton vintage; the only realistic path for
character progression is to run the client on real Windows.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Pairs the LAN-side firewall openings already done in services/dr-server.nix
so the public can actually reach the Mediaserver. TCP for the listening
sockets we observed (2110/2603/2606), UDP for the 2604-2605 pair the
client setup expects per Play_DungeonRunners.bat.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Unity's Win64 build still creates a 1x1 hidden window via Win32 even
under -batchmode -nographics. Wine needs an X display to honor that;
without one, startup fails with "Failed to create batch mode window:
Success." after Mono initializes and PhysX comes up. xvfb-run -a gives
it a virtual display with no real X server cost.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
New service module on FredOS-Mediaserver that launches the friend's
Windows-only Unity server (DR_Server.exe -batchmode -nographics) in a
Win64 wine prefix. wineboot initializes the prefix on first start.
Opens auth/game/queue ports 2110, 2603-2606 (TCP+UDP).
Build files staged separately at ~/dr-server-build on the server;
sudo-move into /var/lib/dr-server/Build after the rebuild.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Same rationale as jq — useful when poking at the AdGuard / DNS path
during incidents; no package on the system currently provides dig/host.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Adds a stage s02-enrich parser whitelist so events originating from
10.0.0.0/24 (and 127.0.0.1/::1) are dropped before scoring. Without it,
Authelia 401s from a stale browser tab on a LAN client can trip
http-bf / ssh-bf scenarios and the firewall bouncer cuts the LAN host
off from the server — happened today with the gaming desktop.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
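
The effect of the whitelist described in the commit above, as an added Python sketch (not CrowdSec's code and not this repository's config): events from whitelisted sources are discarded before anything is counted, so they can never reach a ban decision. The threshold, the event tuples and the function names are assumptions made for the illustration; real scenarios use leaky buckets rather than a flat count.

```python
import ipaddress
from collections import Counter

# Ranges named in the commit message: the LAN /24 plus both loopbacks.
WHITELIST = [ipaddress.ip_network(n)
             for n in ("10.0.0.0/24", "127.0.0.1/32", "::1/128")]

# Assumed ban threshold for this sketch only.
THRESHOLD = 5

# Constructed sample events: (source_ip, service, outcome).
EVENTS = (
    [("10.0.0.42", "authelia", "401")] * 8         # stale browser tab on a LAN client
    + [("203.0.113.7", "sshd", "auth_fail")] * 6   # external source, over threshold
    + [("198.51.100.9", "authelia", "401")] * 2    # external source, under threshold
    + [("::1", "authelia", "401")] * 7             # requests from the server itself
)


def is_whitelisted(ip):
    """True if ip falls inside any whitelisted network (v4 or v6)."""
    addr = ipaddress.ip_address(ip)
    # Membership is False when address and network versions differ.
    return any(addr in net for net in WHITELIST)


def decisions(events, use_whitelist):
    """Return the set of source IPs that would receive a ban decision."""
    counts = Counter()
    for src, _service, _outcome in events:
        if use_whitelist and is_whitelisted(src):
            continue  # dropped at the enrich stage, never scored
        counts[src] += 1
    return {ip for ip, n in counts.items() if n >= THRESHOLD}


if __name__ == "__main__":
    print("without whitelist:", sorted(decisions(EVENTS, False)))
    print("with whitelist:   ", sorted(decisions(EVENTS, True)))
    # The /24 is narrow on purpose: other 10.x hosts are still scored.
    print("10.0.1.5 whitelisted?", is_whitelisted("10.0.1.5"))
```

Note that the whitelist covers only 10.0.0.0/24, so a source elsewhere in 10.0.0.0/8 is still scored and can still be banned.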
`nixos-rebuild switch` already builds — the prior `build && switch`
chain made nix evaluate the flake twice and pushed a second
empty-tree nom render to the terminal. With one switch, the nom
output stays clean: single dependency graph, then activation, then nvd.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Useful for ad-hoc shell scripts (e.g. downloads-cleanup.sh) — already a
build-time dep of arr-interconnect, just wasn't on the user PATH.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Adds nix-output-monitor to systemPackages and pipes nixos-rebuild's
internal-json log stream through `nom --json` for both the build and
switch steps. set -o pipefail at the top so a failed rebuild aborts the
chain (otherwise && only sees nom's exit code, which is always 0).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Two small follow-ups to the SAB module:
- Extend host_whitelist to also include 127.0.0.1 + localhost. SAB's
  local-IP bypass usually handles this, but Sonarr/Radarr's "Hostname
  verification failed" error becomes a real footgun if it ever flips.
- Add extraGroups = [ "media" ] for parity with sonarr/radarr/qbittorrent.
  No functional change since group = "media" already.
Also wires SABnzbd into arr-interconnect: extracts api_key from
sabnzbd.ini and POSTs a Sabnzbd download client into Sonarr (tv-sonarr
category) and Radarr (radarr category). Idempotent like the existing
qBittorrent block; silently skips on first boot before SAB has materialised
its config.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
networking.enableIPv6 = false only sets the system sysctl; NetworkManager
keeps re-enabling disable_ipv6=0 per-interface because connections
default to ipv6.method = auto. The "?" icon comes back because NM's
v6 connectivity probe races over a SLAAC ULA with no real upstream.
Forces ipv6.method = disabled in NetworkManager's connection defaults
and stops the kernel from accepting router advertisements, so v6 never
gets brought up on any new or existing connection.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
The catthehacker runner image runs jobs as root and Nix's install script
refuses to do a clean root install without the nixbld group + build users
already in place — even with --no-daemon. Adding them inline keeps the
workflow self-contained without swapping to a Nix-prebuilt container image.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Forgejo's runner spins up a per-workflow Docker network for every job,
which lives on a br-XXXXXX bridge — not docker0. Without this rule, the
in-container git clone (and anything else outbound) hits the forward
chain's default-deny and times out. Match docker0 plus the br-* glob in
both input and forward so any Docker network model works.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>