Without this rule the subdomain falls under default_policy=deny,
which returns 403 instead of the 401 that nginx needs to redirect
to the Authelia login page.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Proton-based clients (e.g. CachyOS native install hitting 7DTD via
the Proton runtime) fail EAC handshake against a Linux dedicated
server. Disabling server-side lets Proton clients join via the
"Play without EasyAntiCheat" splash option.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Lets 7DTD (and other native titles lacking built-in FSR) render
internally at a lower resolution and upscale to the 3440x1440
display via gamescope's FSR filter.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Publishes the container's web dashboard port only on host loopback
(127.0.0.1:8090) so nginx can reverse-proxy it with Authelia
forward-auth, matching the Homepage/camera vhost pattern. Also flips
WebDashboardEnabled to true in the XML patcher so the server actually
starts the web server.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Enables the previously-disabled game-servers module with a new 7DTD
container (vinanrra/7dtd-server) on ports 26900 TCP + 26900-26902 UDP.
A oneshot systemd service waits for LGSM's first install to drop
sdtdserver.xml, then patches in the server name, password, and
random-gen world before restarting the container. V-Rising is removed
— the module hadn't been imported, so this just drops dead code.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Sonarr was silently removing torrents from qBittorrent once imports
completed, killing seeding. Set removeCompletedDownloads to false for
both clients so torrents stick around and keep seeding post-import.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
record-update parses nvd diff after switch and writes latest.json;
Homepage polls a local-only nginx listener and renders date/changes/
closure/kernel via a customapi widget.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
The previous template targeted CSS variables that Homepage doesn't
actually expose at runtime, so only a handful of containers picked up
the theme. Targeting .bg-slate-*/text-slate-* directly replaces the
compiled Tailwind palette with matugen colors across the dashboard.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
btop is shared across all hosts, Homepage is mediaserver-only, and the
GNOME/Ghostty/VSCodium/Vesktop templates only apply to desktop hosts.
Emitting them everywhere made matugen error loudly on the server.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Mediaserver already had a btop.conf outside home-manager control, so
declarative adoption was refused. Setting force=true lets the managed
version take over.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
New nixpkgs defaults for the *arr services set UMask=0022, which
conflicts with the media-group-writable overrides. Wrap with
lib.mkForce alongside the existing Jellyfin fix.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
nixpkgs now sets UMask=0077 on the Jellyfin service, conflicting with
our override that ensures media-group writes. Wrapping with lib.mkForce
restores the intended permission bits.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Share the wallpaper symlink across all hosts by moving it from gnome.nix
into home-manager/fred.nix, and add matugen templates for btop and the
Homepage dashboard.
The Homepage NixOS module writes custom.css into /etc (read-only), so
bind-mount /var/lib/homepage-custom-css/custom.css over it. A systemd
path unit restarts homepage-dashboard whenever matugen rewrites the
file, so regeneration works without sudo.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Parse every Saved: entry in the log to compute cumulative original
size, new size, bytes saved, and percentage reduction so we have a
single command for the transcode impact.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Wayland/Mutter forces server-side decorations when the custom title bar
is collapsed, which looked worse than the slim custom bar. Reverting to
stock VSCodium with compact menu + no command center handled in user
settings.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Using display:none removed the drag region entirely, which caused
GNOME/Mutter to fall back to server-side decorations. Collapsing the
title bar to 0 height keeps VSCodium's frameless state intact.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Override vscodium with a postFixup step that appends a style tag to
workbench.html hiding the titlebar part, so the window sits flush
against GNOME's edge without native or custom decorations.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Override the base grid-template-rows to replace the 32px title bar
reservation with 12px padding that matches the bottom window edge.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Hide Midnight's window controls and trailing section since GNOME
handles decorations, and remove the 158px padding gap left behind.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The focus ring overrides didn't take effect and the accent color
change made some elements look worse.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace custom Discord CSS selectors with Midnight theme (loaded via
online URL) and simple color variable overrides from matugen. Also add
wallpaper-colored focus rings, edit button, and running dot to GNOME
shell app grid.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Sonarr, Radarr, qBittorrent, Jellyfin, and Bazarr all need to create
files that are writable by the media group. Without this, Jellyfin
can't write thumbnails/artwork to media directories and services
can't collaborate on shared files. Also fixes radarr movies directory
to use setgid (2775) consistently.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Removes any .transcode-* files left behind by interrupted runs
before starting the encoding loop.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Map only the first video stream, all audio, and all subtitles instead
of mapping everything. This avoids feeding cover art images through
the libx265 encoder which caused hangs.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Queries qBittorrent for individual file sizes of all active torrents.
Files whose size matches a seeded torrent file are skipped, catching
cross-filesystem copies where hardlink detection doesn't work.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Files with multiple hardlinks are likely linked from downloads/ where
they are still being seeded. Transcoding would break the hardlink and
cause both copies to take up disk space separately.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
MP4 containers don't support all subtitle/codec combinations with HEVC.
MKV handles everything, so always output .mkv and remove the original
if it was a different format.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Resumable batch script that finds H.264 files, re-encodes to HEVC
(libx265 CRF 24), verifies duration, and replaces originals.
Tracks completed files in /var/lib/transcode-hevc/completed.log.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Runs Tdarr server with internal node on the mediaserver for managing
library-wide re-encoding to save disk space. Web UI at tdarr.nordhammer.it.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The latest 595.x driver dropped Maxwell GPU support. The Quadro M2000
(GM206) requires the legacy_580 branch for CUDA/NVENC to function.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add sudo to reboot alias so it doesn't prompt for password.
Add blank line before networking.hostName in hardware config.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
On a headless system, services.xserver.videoDrivers doesn't guarantee
the NVIDIA modules load. Add nvidia, nvidia_modeset, nvidia_uvm, and
nvidia_drm to boot.kernelModules explicitly.
nvidia_uvm is particularly critical — without it, CUDA initialisation
fails with CUDA_ERROR_NO_DEVICE, which is exactly what broke Jellyfin
NVENC transcoding.
https://claude.ai/code/session_016jJU8ZtWLSnJQBdbMr5pxK
- Add NVIDIA proprietary driver config to FredOS-Mediaserver hardware
(Maxwell/GM206, open=false, modesetting enabled, headless)
- Enable hardware.graphics for DRM/KMS infrastructure
- Add jellyfin user to video and render groups for device access
After deploying, enable NVENC in Jellyfin: Dashboard → Playback →
Transcoding → Hardware acceleration: Nvidia NVENC.
https://claude.ai/code/session_016jJU8ZtWLSnJQBdbMr5pxK
Cloudflare's authoritative nameservers take longer than the
default 2-minute timeout to propagate TXT records created via
API. Set CLOUDFLARE_PROPAGATION_TIMEOUT=600 to give enough
time for DNS-01 challenge validation.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
