Commit graph

249 commits

Author SHA1 Message Date
94d5b6a2a1 pin NIC names to MAC + limit 7DTD restart loops
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 09:31:57 +01:00
13fac2ffdf arr: use External auth method to fix auth reset on restart
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-21 22:15:45 +01:00
a18db710c0 nftables: allow podman bridges in input and forward chains
Rootful Podman containers (used by the Forgejo runner) use podman0
and podman-* bridges, which were being dropped by the default-deny
firewall policy. This broke DNS resolution and internet access.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-21 15:02:09 +01:00
8b6029ca86 forgejo-runner: set explicit DNS to fix container resolution
Runner containers (via Podman compat) couldn't resolve external hosts
after AdGuard stopped binding to 0.0.0.0. Point them at 10.0.0.1.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-21 14:44:26 +01:00
fb2d3a1ff7 adguard: bind DNS to LAN + loopback only to avoid podman conflict
Binding to 0.0.0.0 claimed port 53 on podman bridge interfaces,
preventing aardvark-dns from starting and breaking Forgejo Actions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-21 14:34:11 +01:00
1aebc200b6 remove matugen remnants — theming is now handled by stylix
Delete 8 unused matugen template files, remove the matugen package,
homepage custom.css watcher infrastructure, and the wallpaper shell
function. Update remaining comments to reference stylix.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-20 17:45:11 +01:00
53c3fedf52 mediaserver: disable IPv6 to fix Jellyfin TMDb metadata fetches
No IPv6 upstream exists, but glibc still tried AAAA records first,
causing Jellyfin's TMDb client to get garbled responses.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-20 13:44:17 +01:00
6f3845aa1b mediaserver: enable podman for bazarr-sync container policy
Standalone podman run calls need virtualisation.podman.enable to get a
valid /etc/containers/policy.json. OCI container services got this
implicitly but our direct podman invocations did not.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-19 10:54:44 +01:00
39d5a95866 mediaserver: fix bazarr config path (YAML, not INI)
Bazarr stores its config at /var/lib/bazarr/config/config.yaml, not
the old /var/lib/bazarr/data/config/config.ini path. Use yq to extract
auth.apikey from the YAML. Fixes both bazarr-sync and arr-interconnect.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-19 10:51:53 +01:00
d83db8c555 mediaserver: add bazarr-sync for automatic subtitle synchronisation
Hourly timer syncs only recently added content (last 2h) by querying
Radarr/Sonarr APIs for new items. Weekly full-library sync runs Sunday
04:00 as a catch-all. Both run the bazarr-sync container via podman.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-19 10:46:36 +01:00
db413ad808 services: add Flatnotes note-sharing at notes.nordhammer.it
Replaces Vesktop for quick cross-device note-passing. Uses Flatnotes
with auth disabled so Authelia is the only login required.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-17 14:19:52 +01:00
12253c23dd arr: patch AuthenticationRequired to suppress auth enforcement
Newer *arr versions added AuthenticationRequired to config.xml and now
block access if it's not explicitly set. Patch it to
DisabledForLocalAddresses alongside the existing AuthenticationMethod
patch, since Authelia handles auth at the reverse proxy.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-16 21:01:11 +01:00
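The per-start config.xml patch described in this commit and in the related 13fac2ffdf and 5eeab405c0 entries, as an added POSIX sh example. It is not the repository's own preStart script: it assumes the *arr config.xml is a flat `<Config>...</Config>` document with one element per line (true of the constructed sample here; the real files are not on this page), uses only awk so it can run inside a systemd preStart without extra packages, and writes the two values the commit messages name, `AuthenticationMethod=External` and `AuthenticationRequired=DisabledForLocalAddresses`. The `demo_config` content and the path in the usage comment are constructed.

```sh
#!/bin/sh
# Idempotently set (or insert) one child element of <Config> in an *arr
# config.xml. Assumes one element per line and a closing </Config> line.
set_xml_element() {
  file=$1 name=$2 value=$3
  tmp="$file.tmp"
  awk -v n="$name" -v v="$value" '
    BEGIN { done = 0 }
    # element already present: rewrite its text in place
    index($0, "<" n ">") {
      sub("<" n ">[^<]*</" n ">", "<" n ">" v "</" n ">")
      done = 1
    }
    # element absent: insert it just before </Config>
    /<\/Config>/ && !done { print "  <" n ">" v "</" n ">"; done = 1 }
    { print }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Auth is enforced by Authelia at the reverse proxy, so the app itself is
# told not to enforce it. Newer *arr versions re-add AuthenticationRequired
# on upgrade, which is why this must run on every service start.
patch_arr_auth() {
  set_xml_element "$1" AuthenticationMethod External
  set_xml_element "$1" AuthenticationRequired DisabledForLocalAddresses
}

# Constructed sample (not a real Sonarr/Radarr file): an older config that
# has AuthenticationMethod but no AuthenticationRequired element yet.
demo_config() {
  printf '%s\n' \
    '<Config>' \
    '  <Port>8989</Port>' \
    '  <AuthenticationMethod>Forms</AuthenticationMethod>' \
    '</Config>'
}

# Usage (path is an assumption, adjust to the service's data directory):
#   patch_arr_auth /var/lib/sonarr/.config/NzbDrone/config.xml
```

Run it as the service user so the rewritten file keeps the right owner. The caveat a practitioner wants with `DisabledForLocalAddresses`: any client the app considers local reaches the UI with no login at all, so the app's own listen port must only be reachable through the nginx/Authelia proxy (bind to loopback or block it in nftables); otherwise a LAN host simply bypasses Authelia.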
81b5fc84d1 authelia: extend session inactivity timeout to 2h
Inactivity was 5m which caused logouts while working in VS Code
(no new page loads). Bumped inactivity to 2h, expiration to 12h.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-16 12:42:17 +01:00
5eeab405c0 services: disable built-in auth on *arr stack; update readme
Radarr, Sonarr, Prowlarr, and Bazarr now patch their auth setting to
None on every service start — auth is handled by Authelia at the proxy.

Also updates readme with missing services, settings files, and flake
inputs added since the last readme refresh.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-16 12:27:19 +01:00
ad7a45d143 code-server: fix Nix string interpolation in Firefox CORS patch
Escape \${q} as ''${q} so Nix doesn't try to evaluate it as a
variable in the activation script string.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-16 12:25:30 +01:00
099ff8a093 code-server: patch Claude Code extension for Firefox CORS fix
Adds a NixOS activation script that patches the crossorigin attribute
onto the Claude Code extension's stylesheet link, fixing broken CSS in
Firefox due to stricter CORS handling than Chrome.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-16 12:10:11 +01:00
e59c239257 code-server: pin package to nixpkgs unstable for newer VS Code version
Adds nixpkgs unstable as a flake input and exposes pkgs-unstable via
specialArgs. code-server uses the unstable package so the Claude Code
extension version requirement is satisfied.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-16 11:17:25 +01:00
b6eb5c055d services: add code-server web IDE at code.nordhammer.it
Deploys code-server on FredOS-Mediaserver (port 4444, user fred) with
Authelia one_factor auth and nginx reverse proxy. Includes claude-code
in system packages for use in the integrated terminal.

Also fixes anyrun launcher width to absolute 350px (was a tiny fraction).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-16 10:59:35 +01:00
34e32e7ce4 Remove shitty ollama. 2026-05-13 10:24:14 +01:00
7c1f1501db fixed missing semicolon lol 2026-05-13 10:03:29 +01:00
e3ec0ea1a5 Allow ollama connections from local network on port 11434. 2026-05-13 10:02:52 +01:00
dc3eebb742 ollama: revert to CPU inference — M2000 CUDA incompatible with nixpkgs
CUDA ≤12.5 removed from nixpkgs as unmaintained; CUDA 12.6+ requires
driver ≥560 but legacy_535 (Maxwell's last supported branch) caps out
at 12.2. No compatible CUDA path exists for the Quadro M2000.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-13 09:25:39 +01:00
b86a92293c ollama: build against CUDA 12.2 for Quadro M2000 compatibility
The M2000's legacy_535 driver caps CUDA support at 12.2; nixpkgs'
default ollama-cuda targets 12.8 (requires driver ≥570), causing
the runner to crash immediately. Override to CUDA 12.2 with sm_52
arch target to match Maxwell GM206 compute capability.

Also open port 11434 on the mediaserver firewall for remote ollama
access from other LAN hosts.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-13 09:23:23 +01:00
02cbd656e2 revert c8d0651bab
revert Fix cuda and openwebui
2026-05-13 00:39:53 -07:00
6dc6d327a0 Remove auth from ollama. 2026-05-12 21:27:12 +01:00
c8d0651bab Fix cuda and openwebui 2026-05-12 20:21:56 +01:00
219b20a32f Maybe fix ollama. 2026-05-12 19:26:49 +01:00
27be8e3452 Maybe fix failing dependency? 2026-05-12 15:31:26 +01:00
f202e7001e Formatting changes. 2026-05-12 15:28:38 +01:00
d23db30b7e Testing ollama fix 2026-05-12 15:17:01 +01:00
528189e87e Setting up open-webui for ollama. 2026-05-12 13:54:08 +01:00
a3d4cb0d1d Adding cuda acceleration to ollama. 2026-05-12 13:44:55 +01:00
227c2c8678 adding ; 2026-05-12 13:34:38 +01:00
505a50bf74 Adding ollama to server. 2026-05-12 13:34:07 +01:00
32f2a4df2b crowdsec: prune hub items the bundled binary can't parse
The crowdsec hub tracks upstream master, but nixpkgs stable's crowdsec
binary is a few versions behind and doesn't know newer expr functions
(LookupFile in particular). When crowdsec-setup re-pulls the hub on
each rebuild, it lands /etc/crowdsec/scenarios/http-technology-probing.yaml
which then crashes the agent at load time with "unknown name LookupFile".

Adds a tiny oneshot ordered between crowdsec-setup and crowdsec that
removes the offending file. RequiredBy crowdsec.service so the hook
always fires even if someone restarts the agent manually. Drop this
unit (and revert the bundled-package fix) once nixpkgs catches up.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-07 14:54:11 +01:00
0c1b23337f Revert "libvirtd: KVM stack on FredOS-Gaming for Win11 guest"
This reverts db69615. Not pursuing the Windows-VM workaround for the DR
client mod after all. The server-side AdminCommandHandler exposes a
LevelSelf channel that bypasses the DLL flow entirely, which is a
better path than running a whole guest OS for one game.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-07 14:27:35 +01:00
db69615506 libvirtd: KVM stack on FredOS-Gaming for Win11 guest
Adds libvirtd + virt-manager + OVMFFull (UEFI w/ Secure Boot) + swtpm
(software TPM 2.0) so a Windows 11 VM can install. Brings in virtio-win
ISO for guest drivers and virt-viewer for SPICE console. Adds fred to
the libvirtd group.

Reason: the Dungeon Runners client-side mod (DSOUND.dll inline-hook
trampolines + memory scanner) crashes wine with a guard-page violation
on init regardless of Proton vintage; the only realistic path for
character progression is to run the client on real Windows.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-07 12:00:22 +01:00
91670f0d28 dr-server: wrap wine64 in xvfb-run for headless Unity
Unity's Win64 build still creates a 1x1 hidden window via Win32 even
under -batchmode -nographics. Wine needs an X display to honor that;
without one, startup fails with "Failed to create batch mode window:
Success." after Mono initializes and PhysX comes up. xvfb-run -a gives
it a virtual display with no real X server cost.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-07 09:47:55 +01:00
8b83cf9bfb dr-server: run Dungeon Runners Reborn headless under Wine
New service module on FredOS-Mediaserver that launches the friend's
Windows-only Unity server (DR_Server.exe -batchmode -nographics) in a
Win64 wine prefix. wineboot initializes the prefix on first start.
Opens auth/game/queue ports 2110, 2603-2606 (TCP+UDP).

Build files staged separately at ~/dr-server-build on the server;
sudo-move into /var/lib/dr-server/Build after the rebuild.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-07 09:40:42 +01:00
7e36f95056 7dtd: disable storms (StormFreq=0) on both servers 2026-05-06 21:09:38 +01:00
7a96927221 crowdsec: whitelist LAN + loopback to prevent self-bans
Adds a stage s02-enrich parser whitelist so events originating from
10.0.0.0/24 (and 127.0.0.1/::1) are dropped before scoring. Without it,
Authelia 401s from a stale browser tab on a LAN client can trip
http-bf / ssh-bf scenarios and the firewall bouncer cuts the LAN host
off from the server — happened today with the gaming desktop.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-06 13:05:14 +01:00
1f07b05c12 sabnzbd: tighten host_whitelist for *arr local calls + group consistency
Two small follow-ups to the SAB module:

- Extend host_whitelist to also include 127.0.0.1 + localhost. SAB's
  local-IP bypass usually handles this, but Sonarr/Radarr's "Hostname
  verification failed" error becomes a real footgun if it ever flips.
- Add extraGroups = [ "media" ] for parity with sonarr/radarr/qbittorrent.
  No functional change since group = "media" already.

Also wires SABnzbd into arr-interconnect: extracts api_key from
sabnzbd.ini and POSTs a Sabnzbd download client into Sonarr (tv-sonarr
category) and Radarr (radarr category). Idempotent like the existing
qBittorrent block; silently skips on first boot before SAB has materialised
its config.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-04 19:25:07 +01:00
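The arr-interconnect step described in this commit (read `api_key` out of sabnzbd.ini, register SABnzbd as a download client in Sonarr and Radarr, stay idempotent, and skip silently on a first boot before SAB has written its config), as an added POSIX sh example that is not the repository's own arr-interconnect script. Assumptions: the INI layout (`[misc]` section, `api_key = ...`), the SAB host and port 127.0.0.1:8080, the sabnzbd.ini path in the usage comment, and the field names of the *arr v3 `downloadclient` payload (`implementation: Sabnzbd`, `configContract: SabnzbdSettings`, `tvCategory` for Sonarr and `movieCategory` for Radarr), which should be checked against the instance's own `/api/v3/downloadclient/schema`. The sample INI in the test is constructed.

```sh
#!/bin/sh
# Read one key from one section of an INI file (handles "k = v" and "k=v").
ini_get() {
  file=$1 section=$2 key=$3
  awk -v s="[$section]" -v k="$key" '
    $0 == s { in_sec = 1; next }
    /^\[/   { in_sec = 0 }
    in_sec && index($0, "=") {
      name = $0; sub(/[ \t]*=.*/, "", name)
      if (name == k) { val = $0; sub(/^[^=]*=[ \t]*/, "", val); print val; exit }
    }
  ' "$file"
}

# Print SAB's api_key, or return 1 (printing nothing) when sabnzbd.ini does
# not exist yet or has no key, so a first-boot run can skip instead of fail.
sab_api_key() {
  [ -r "$1" ] || return 1
  key=$(ini_get "$1" misc api_key)
  [ -n "$key" ] || return 1
  printf '%s\n' "$key"
}

# JSON body for POST /api/v3/downloadclient. Field names are an assumption
# about the *arr SabnzbdSettings contract; verify against the schema endpoint.
# $1 SAB host, $2 SAB port, $3 SAB api key,
# $4 category field ("tvCategory" Sonarr / "movieCategory" Radarr), $5 category
sab_client_json() {
  printf '{"enable":true,"protocol":"usenet","priority":1,"name":"Sabnzbd",'
  printf '"implementation":"Sabnzbd","configContract":"SabnzbdSettings","fields":['
  printf '{"name":"host","value":"%s"},{"name":"port","value":%s},' "$1" "$2"
  printf '{"name":"apiKey","value":"%s"},{"name":"%s","value":"%s"},' "$3" "$4" "$5"
  printf '{"name":"useSsl","value":false}]}\n'
}

# Idempotency check on the body of GET /api/v3/downloadclient. Crude but
# dependency-free: true if any client uses the Sabnzbd implementation.
has_sab_client() {
  printf '%s' "$1" | grep -Eq '"implementation" *: *"Sabnzbd"'
}

# $1 *arr base URL, $2 *arr API key, $3 sabnzbd.ini path,
# $4 category field name, $5 category
register_sab_client() {
  sab_key=$(sab_api_key "$3") || return 0   # SAB not materialised yet: skip
  existing=$(curl -fsS -H "X-Api-Key: $2" "$1/api/v3/downloadclient") || return 1
  has_sab_client "$existing" && return 0     # already registered
  # SAB host/port are assumptions; the body (and SAB key) goes via stdin.
  sab_client_json 127.0.0.1 8080 "$sab_key" "$4" "$5" |
    curl -fsS -o /dev/null -H "X-Api-Key: $2" \
      -H 'Content-Type: application/json' -d @- "$1/api/v3/downloadclient"
}

# Usage (URLs, key variables and INI path are assumptions):
#   register_sab_client http://127.0.0.1:8989 "$SONARR_KEY" \
#     /var/lib/sabnzbd/sabnzbd.ini tvCategory tv-sonarr
#   register_sab_client http://127.0.0.1:7878 "$RADARR_KEY" \
#     /var/lib/sabnzbd/sabnzbd.ini movieCategory radarr
```

Note that the *arr API key passed with `-H` is visible in the process argv (for example via `ps`) while curl runs; on a single-user box that is usually acceptable, but if other unprivileged users exist, pass the header through `curl -K -` from a here-document instead. Also keep `127.0.0.1`/`localhost` in SAB's `host_whitelist`, as the commit does, or the registered client fails SAB's hostname check even though the call is local.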
955524f489 Update services/sabnzbd.nix 2026-05-04 02:40:44 -07:00
30d9d836e4 Update services/sabnzbd.nix 2026-05-04 02:35:58 -07:00
58440af384 Update services/nginx.nix 2026-05-04 02:30:28 -07:00
dda93320d8 Update services/sabnzbd.nix 2026-05-04 02:29:10 -07:00
e77ca8fceb Update services/sabnzbd.nix 2026-05-04 02:27:50 -07:00
c7f7e75a38 Update services/nginx.nix 2026-05-04 01:53:01 -07:00
34b54e1aad Update services/nginx.nix 2026-05-04 01:52:04 -07:00
cce1e9ccea Update services/authelia.nix 2026-05-04 01:46:41 -07:00