Commit graph

289 commits

Author SHA1 Message Date
6cc3fb6419 hardware-health: drop fwupd; no P700 BIOS published on LVFS
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-30 10:42:08 +01:00
34d44a619e hardware-health: enable fwupd to check LVFS for P700 BIOS update
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-30 10:37:07 +01:00
d69c9f624f hardware-health: rasdaemon MCE attribution + watchdog auto-reboot on mediaserver
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-25 19:37:35 +01:00
707f78c9d1 selkies: GPU-accelerate 32-bit GW via mounted 32-bit nvidia GL + vglrun launcher
Mount config.hardware.nvidia.package.lib32 into the container (CDI only carries
64-bit driver libs) and add a `gw` launcher that runs Guild Wars through
VirtualGL on the M2000. Drops GW from ~18 software-rendered CPU cores to <1.
Also bump stream to 60fps.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-25 13:37:17 +01:00
21b0fa15ae selkies: enable internal TURN relay (LAN) so WebRTC media works behind nginx
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-25 11:52:28 +01:00
d31a4501f1 selkies: browser game streaming for GW (pointer-lock relative mouse), retire neko
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-25 11:42:45 +01:00
38901eee27 neko: add Mesa GL (i386) so Wine/Guild Wars gets an OpenGL context (llvmpipe)
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-25 10:56:33 +01:00
c0ed58bcc2 neko: own /var/lib/neko/home as uid 1000 so the container desktop can start
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-25 10:42:13 +01:00
b00dee9dc6 neko: drop winetricks (not in Debian trixie main; GW needs only bare wine)
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-25 10:39:20 +01:00
e5589907a3 neko: use real xfce image (software render), drop nonexistent nvidia-xfce + GPU
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-25 10:35:51 +01:00
e199933dce neko: build image from stdin Dockerfile (fix symlinked-context build failure)
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-25 10:31:31 +01:00
fe0cb4663e neko: add Authelia access rule for neko.nordhammer.it
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-25 10:27:49 +01:00
448e44753f neko: Guild Wars in a browser (Xfce+Wine+NVIDIA), Authelia-gated
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-25 10:07:36 +01:00
5e870d0e8b arr-interconnect: auto-add Jellyfin library-refresh notification to Sonarr/Radarr
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-24 21:35:41 +01:00
0f92b3fbf5 Disable frigate for now
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-18 21:11:06 +01:00
ddbc8929e4 alerting: silence per-ban crowdsec pushes; ntfy alert on service down/recovery
- crowdsec.nix: drop the ntfy notifications (one push per ban was constant
  noise on the WAN-exposed box); bans still happen silently
- service-health.nix: OnFailure=notify-failure@%n on 16 core units sends an
  ntfy 'down' push when a unit truly fails (after exhausting Restart=), then
  a 'recovered' push when it comes back. Shares /var/secrets/ntfy-url.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-13 17:54:37 +01:00
8dd70a2d9d mediaserver: drop no-op firewall rules, close unused DR forwards
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-11 10:00:49 +01:00
f65675bd80 authelia: drop docker migration, tighten secret perms
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-11 10:00:49 +01:00
93e79509c4 crowdsec: inject ntfy url at runtime, drop obsolete hub prune
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-11 10:00:49 +01:00
e3fb0de10c fix 26.05 evaluation warnings
wineWowPackages → wineWow64Packages,
environmentFile → environmentFiles (list),
gtk.gtk4.theme = null for all hosts.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-30 16:46:18 +01:00
458be246f0 try to fix code-server claude thing.
Firefox patches: CORS crossorigin on stylesheet link,
Shift+Enter line break via insertLineBreak + innerText,
nix-ld for Claude Code node binary.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-30 16:38:36 +01:00
d92c327cdf try to fix code-server claude thing.
2026-05-30 15:44:54 +01:00
72246fc440 pin to nixos 26.05, drop hyprland/anyrun flakes
Stable restore point before 26.05 — last known good unstable config.

Unify all hosts on nixos-26.05 + home-manager release-26.05.
Drop hyprland, anyrun, nixpkgs-stable, home-manager-stable,
stylix-stable inputs. Hyprland 0.55.2 and anyrun 25.12.0 from
nixpkgs. Anyrun config via xdg.configFile (no HM module in 26.05).
Stylix on master until release-26.05 branch exists.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-30 11:12:09 +01:00
1e7427ec0d nginx: add no-store cache header to code-server vhost
Prevents browser from restoring cached page with expired
Authelia session, which caused WebSocket 1006 on first load.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-27 09:21:55 +01:00
b0bf73f60e frigate: use 8 threads for CPU detection
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 23:19:01 +01:00
297fd631ff enable audio detection on kids_bedroom camera
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 23:13:06 +01:00
b957d88ff6 frigate: gate frontend with Authelia, not just API routes
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 23:09:00 +01:00
ad11fb3033 frigate: lower detect resolution to 720p for CPU performance
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 23:02:44 +01:00
ed71384885 frigate: double-proxy auth to inject Remote-Role header
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 22:29:20 +01:00
818caf88a2 frigate: map Remote-Role header for admin access via Authelia
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 22:03:34 +01:00
4a5a30f018 frigate: try top-level proxy auth with Remote-User header
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 21:57:38 +01:00
192db01be0 revert frigate auth to disabled mode
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 21:52:07 +01:00
e09cbb0cb5 frigate: use proxy auth mode with Authelia headers
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 21:49:33 +01:00
6b113b0a72 move homepage to port 8084, 8081 used by crowdsec
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 21:35:50 +01:00
5e73fe6f1a add frigate to Authelia access control
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 21:31:32 +01:00
5a3d74d800 move homepage to port 8081, 8082 needed by frigate jsmpeg
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 21:24:04 +01:00
83b3653331 disable frigate built-in auth, Authelia handles it
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 21:18:03 +01:00
1ada3769c3 fix frigate config: remove invalid events.retain
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 21:13:13 +01:00
426d86645f add Frigate NVR service behind Authelia
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 21:08:50 +01:00
8560c11afa fix NIC naming: use udev rules instead of .link files
systemd.network.links didn't generate files; use udev extraRules
to pin NIC names to MACs. Also disable networking.useDHCP catch-all
that silently misconfigured the LAN NIC when it got a wrong name.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 09:31:57 +01:00
94d5b6a2a1 pin NIC names to MAC + limit 7DTD restart loops
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 09:31:57 +01:00
13fac2ffdf arr: use External auth method to fix auth reset on restart
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-21 22:15:45 +01:00
a18db710c0 nftables: allow podman bridges in input and forward chains
Rootful Podman containers (used by the Forgejo runner) use podman0
and podman-* bridges, which were being dropped by the default-deny
firewall policy. This broke DNS resolution and internet access.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-21 15:02:09 +01:00
8b6029ca86 forgejo-runner: set explicit DNS to fix container resolution
Runner containers (via Podman compat) couldn't resolve external hosts
after AdGuard stopped binding to 0.0.0.0. Point them at 10.0.0.1.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-21 14:44:26 +01:00
fb2d3a1ff7 adguard: bind DNS to LAN + loopback only to avoid podman conflict
Binding to 0.0.0.0 claimed port 53 on podman bridge interfaces,
preventing aardvark-dns from starting and breaking Forgejo Actions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-21 14:34:11 +01:00
1aebc200b6 remove matugen remnants — theming is now handled by stylix
Delete 8 unused matugen template files, remove the matugen package,
homepage custom.css watcher infrastructure, and the wallpaper shell
function. Update remaining comments to reference stylix.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-20 17:45:11 +01:00
53c3fedf52 mediaserver: disable IPv6 to fix Jellyfin TMDb metadata fetches
No IPv6 upstream exists, but glibc still tried AAAA records first,
causing Jellyfin's TMDb client to get garbled responses.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-20 13:44:17 +01:00
6f3845aa1b mediaserver: enable podman for bazarr-sync container policy
Standalone podman run calls need virtualisation.podman.enable to get a
valid /etc/containers/policy.json. OCI container services got this
implicitly but our direct podman invocations did not.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-19 10:54:44 +01:00
39d5a95866 mediaserver: fix bazarr config path (YAML, not INI)
Bazarr stores its config at /var/lib/bazarr/config/config.yaml, not
the old /var/lib/bazarr/data/config/config.ini path. Use yq to extract
auth.apikey from the YAML. Fixes both bazarr-sync and arr-interconnect.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-19 10:51:53 +01:00
d83db8c555 mediaserver: add bazarr-sync for automatic subtitle synchronisation
Hourly timer syncs only recently added content (last 2h) by querying
Radarr/Sonarr APIs for new items. Weekly full-library sync runs Sunday
04:00 as a catch-all. Both run the bazarr-sync container via podman.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-19 10:46:36 +01:00