Commit graph

262 commits

Author SHA1 Message Date
ad11fb3033 frigate: lower detect resolution to 720p for CPU performance
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 23:02:44 +01:00
ed71384885 frigate: double-proxy auth to inject Remote-Role header
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 22:29:20 +01:00
818caf88a2 frigate: map Remote-Role header for admin access via Authelia
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 22:03:34 +01:00
4a5a30f018 frigate: try top-level proxy auth with Remote-User header
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 21:57:38 +01:00
192db01be0 revert frigate auth to disabled mode
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 21:52:07 +01:00
e09cbb0cb5 frigate: use proxy auth mode with Authelia headers
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 21:49:33 +01:00
6b113b0a72 move homepage to port 8084, 8081 used by crowdsec
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 21:35:50 +01:00
5e73fe6f1a add frigate to Authelia access control
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 21:31:32 +01:00
5a3d74d800 move homepage to port 8081, 8082 needed by frigate jsmpeg
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 21:24:04 +01:00
83b3653331 disable frigate built-in auth, Authelia handles it
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 21:18:03 +01:00
1ada3769c3 fix frigate config: remove invalid events.retain
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 21:13:13 +01:00
426d86645f add Frigate NVR service behind Authelia
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 21:08:50 +01:00
8560c11afa fix NIC naming: use udev rules instead of .link files
systemd.network.links didn't generate files; use udev extraRules
to pin NIC names to MACs. Also disable networking.useDHCP catch-all
that silently misconfigured the LAN NIC when it got a wrong name.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 09:31:57 +01:00
94d5b6a2a1 pin NIC names to MAC + limit 7DTD restart loops
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 09:31:57 +01:00
13fac2ffdf arr: use External auth method to fix auth reset on restart
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-21 22:15:45 +01:00
a18db710c0 nftables: allow podman bridges in input and forward chains
Rootful Podman containers (used by the Forgejo runner) use podman0
and podman-* bridges, which were being dropped by the default-deny
firewall policy. This broke DNS resolution and internet access.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-21 15:02:09 +01:00
8b6029ca86 forgejo-runner: set explicit DNS to fix container resolution
Runner containers (via Podman compat) couldn't resolve external hosts
after AdGuard stopped binding to 0.0.0.0. Point them at 10.0.0.1.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-21 14:44:26 +01:00
fb2d3a1ff7 adguard: bind DNS to LAN + loopback only to avoid podman conflict
Binding to 0.0.0.0 claimed port 53 on podman bridge interfaces,
preventing aardvark-dns from starting and breaking Forgejo Actions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-21 14:34:11 +01:00
1aebc200b6 remove matugen remnants — theming is now handled by stylix
Delete 8 unused matugen template files, remove the matugen package,
homepage custom.css watcher infrastructure, and the wallpaper shell
function. Update remaining comments to reference stylix.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-20 17:45:11 +01:00
53c3fedf52 mediaserver: disable IPv6 to fix Jellyfin TMDb metadata fetches
No IPv6 upstream exists, but glibc still tried AAAA records first,
causing Jellyfin's TMDb client to get garbled responses.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-20 13:44:17 +01:00
6f3845aa1b mediaserver: enable podman for bazarr-sync container policy
Standalone podman run calls need virtualisation.podman.enable to get a
valid /etc/containers/policy.json. OCI container services got this
implicitly but our direct podman invocations did not.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-19 10:54:44 +01:00
39d5a95866 mediaserver: fix bazarr config path (YAML, not INI)
Bazarr stores its config at /var/lib/bazarr/config/config.yaml, not
the old /var/lib/bazarr/data/config/config.ini path. Use yq to extract
auth.apikey from the YAML. Fixes both bazarr-sync and arr-interconnect.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-19 10:51:53 +01:00
d83db8c555 mediaserver: add bazarr-sync for automatic subtitle synchronisation
Hourly timer syncs only recently added content (last 2h) by querying
Radarr/Sonarr APIs for new items. Weekly full-library sync runs Sunday
04:00 as a catch-all. Both run the bazarr-sync container via podman.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-19 10:46:36 +01:00
db413ad808 services: add Flatnotes note-sharing at notes.nordhammer.it
Replaces Vesktop for quick cross-device note-passing. Uses Flatnotes
with auth disabled so Authelia is the only login required.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-17 14:19:52 +01:00
12253c23dd arr: patch AuthenticationRequired to suppress auth enforcement
Newer *arr versions added AuthenticationRequired to config.xml and now
block access if it's not explicitly set. Patch it to
DisabledForLocalAddresses alongside the existing AuthenticationMethod
patch, since Authelia handles auth at the reverse proxy.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-16 21:01:11 +01:00
81b5fc84d1 authelia: extend session inactivity timeout to 2h
Inactivity was 5m which caused logouts while working in VS Code
(no new page loads). Bumped inactivity to 2h, expiration to 12h.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-16 12:42:17 +01:00
5eeab405c0 services: disable built-in auth on *arr stack; update readme
Radarr, Sonarr, Prowlarr, and Bazarr now patch their auth setting to
None on every service start — auth is handled by Authelia at the proxy.

Also updates readme with missing services, settings files, and flake
inputs added since the last readme refresh.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-16 12:27:19 +01:00
ad7a45d143 code-server: fix Nix string interpolation in Firefox CORS patch
Escape \${q} as ''${q} so Nix doesn't try to evaluate it as a
variable in the activation script string.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-16 12:25:30 +01:00
099ff8a093 code-server: patch Claude Code extension for Firefox CORS fix
Adds a NixOS activation script that patches the crossorigin attribute
onto the Claude Code extension's stylesheet link, fixing broken CSS in
Firefox due to stricter CORS handling than Chrome.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-16 12:10:11 +01:00
e59c239257 code-server: pin package to nixpkgs unstable for newer VS Code version
Adds nixpkgs unstable as a flake input and exposes pkgs-unstable via
specialArgs. code-server uses the unstable package so the Claude Code
extension version requirement is satisfied.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-16 11:17:25 +01:00
b6eb5c055d services: add code-server web IDE at code.nordhammer.it
Deploys code-server on FredOS-Mediaserver (port 4444, user fred) with
Authelia one_factor auth and nginx reverse proxy. Includes claude-code
in system packages for use in the integrated terminal.

Also fixes anyrun launcher width to absolute 350px (was a tiny fraction).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-16 10:59:35 +01:00
34e32e7ce4 Remove shitty ollama.
2026-05-13 10:24:14 +01:00
7c1f1501db fixed missing semicolon lol
2026-05-13 10:03:29 +01:00
e3ec0ea1a5 Allow ollama connections from local network on port 11434.
2026-05-13 10:02:52 +01:00
dc3eebb742 ollama: revert to CPU inference — M2000 CUDA incompatible with nixpkgs
CUDA ≤12.5 removed from nixpkgs as unmaintained; CUDA 12.6+ requires
driver ≥560 but legacy_535 (Maxwell's last supported branch) caps out
at 12.2. No compatible CUDA path exists for the Quadro M2000.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-13 09:25:39 +01:00
b86a92293c ollama: build against CUDA 12.2 for Quadro M2000 compatibility
The M2000's legacy_535 driver caps CUDA support at 12.2; nixpkgs'
default ollama-cuda targets 12.8 (requires driver ≥570), causing
the runner to crash immediately. Override to CUDA 12.2 with sm_52
arch target to match Maxwell GM206 compute capability.

Also open port 11434 on the mediaserver firewall for remote ollama
access from other LAN hosts.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-13 09:23:23 +01:00
02cbd656e2 revert c8d0651bab
revert Fix cuda and openwebui
2026-05-13 00:39:53 -07:00
6dc6d327a0 Remove auth from ollama.
2026-05-12 21:27:12 +01:00
c8d0651bab Fix cuda and openwebui
2026-05-12 20:21:56 +01:00
219b20a32f Maybe fix ollama.
2026-05-12 19:26:49 +01:00
27be8e3452 Maybe fix failing dependency?
2026-05-12 15:31:26 +01:00
f202e7001e Formatting changes.
2026-05-12 15:28:38 +01:00
d23db30b7e Testing ollama fix
2026-05-12 15:17:01 +01:00
528189e87e Setting up open-webui for ollama.
2026-05-12 13:54:08 +01:00
a3d4cb0d1d Adding cuda acceleration to ollama.
2026-05-12 13:44:55 +01:00
227c2c8678 adding ;
2026-05-12 13:34:38 +01:00
505a50bf74 Adding ollama to server.
2026-05-12 13:34:07 +01:00
32f2a4df2b crowdsec: prune hub items the bundled binary can't parse
The crowdsec hub tracks upstream master, but nixpkgs stable's crowdsec
binary is a few versions behind and doesn't know newer expr functions
(LookupFile in particular). When crowdsec-setup re-pulls the hub on
each rebuild, it lands /etc/crowdsec/scenarios/http-technology-probing.yaml
which then crashes the agent at load time with "unknown name LookupFile".

Adds a tiny oneshot ordered between crowdsec-setup and crowdsec that
removes the offending file. RequiredBy crowdsec.service so the hook
always fires even if someone restarts the agent manually. Drop this
unit (and revert the bundled-package fix) once nixpkgs catches up.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-07 14:54:11 +01:00
0c1b23337f Revert "libvirtd: KVM stack on FredOS-Gaming for Win11 guest"
This reverts db69615. Not pursuing the Windows-VM workaround for the DR
client mod after all. The server-side AdminCommandHandler exposes a
LevelSelf channel that bypasses the DLL flow entirely, which is a
better path than running a whole guest OS for one game.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-07 14:27:35 +01:00
db69615506 libvirtd: KVM stack on FredOS-Gaming for Win11 guest
Adds libvirtd + virt-manager + OVMFFull (UEFI w/ Secure Boot) + swtpm
(software TPM 2.0) so a Windows 11 VM can install. Brings in virtio-win
ISO for guest drivers and virt-viewer for SPICE console. Adds fred to
the libvirtd group.

Reason: the Dungeon Runners client-side mod (DSOUND.dll inline-hook
trampolines + memory scanner) crashes wine with a guard-page violation
on init regardless of Proton vintage; the only realistic path for
character progression is to run the client on real Windows.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-07 12:00:22 +01:00