Commit graph

235 commits

Author SHA1 Message Date
ad7a45d143 code-server: fix Nix string interpolation in Firefox CORS patch
Escape \${q} as ''${q} so Nix doesn't try to evaluate it as a
variable in the activation script string.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-16 12:25:30 +01:00
099ff8a093 code-server: patch Claude Code extension for Firefox CORS fix
Adds a NixOS activation script that patches the crossorigin attribute
onto the Claude Code extension's stylesheet link, fixing broken CSS in
Firefox due to stricter CORS handling than Chrome.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-16 12:10:11 +01:00
e59c239257 code-server: pin package to nixpkgs unstable for newer VS Code version
Adds nixpkgs unstable as a flake input and exposes pkgs-unstable via
specialArgs. code-server uses the unstable package so the Claude Code
extension version requirement is satisfied.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-16 11:17:25 +01:00
b6eb5c055d services: add code-server web IDE at code.nordhammer.it
Deploys code-server on FredOS-Mediaserver (port 4444, user fred) with
Authelia one_factor auth and nginx reverse proxy. Includes claude-code
in system packages for use in the integrated terminal.

Also fixes anyrun launcher width to absolute 350px (was a tiny fraction).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-16 10:59:35 +01:00
34e32e7ce4 Remove shitty ollama. 2026-05-13 10:24:14 +01:00
7c1f1501db fixed missing semicolon lol 2026-05-13 10:03:29 +01:00
e3ec0ea1a5 Allow ollama connections from local network on port 11434. 2026-05-13 10:02:52 +01:00
dc3eebb742 ollama: revert to CPU inference — M2000 CUDA incompatible with nixpkgs
CUDA ≤12.5 removed from nixpkgs as unmaintained; CUDA 12.6+ requires
driver ≥560 but legacy_535 (Maxwell's last supported branch) caps out
at 12.2. No compatible CUDA path exists for the Quadro M2000.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-13 09:25:39 +01:00
b86a92293c ollama: build against CUDA 12.2 for Quadro M2000 compatibility
The M2000's legacy_535 driver caps CUDA support at 12.2; nixpkgs'
default ollama-cuda targets 12.8 (requires driver ≥570), causing
the runner to crash immediately. Override to CUDA 12.2 with sm_52
arch target to match Maxwell GM206 compute capability.

Also open port 11434 on the mediaserver firewall for remote ollama
access from other LAN hosts.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-13 09:23:23 +01:00
02cbd656e2 revert c8d0651bab
revert Fix cuda and openwebui
2026-05-13 00:39:53 -07:00
6dc6d327a0 Remove auth from ollama. 2026-05-12 21:27:12 +01:00
c8d0651bab Fix cuda and openwebui 2026-05-12 20:21:56 +01:00
219b20a32f Maybe fix ollama. 2026-05-12 19:26:49 +01:00
27be8e3452 Maybe fix failing dependency? 2026-05-12 15:31:26 +01:00
f202e7001e Formatting changes. 2026-05-12 15:28:38 +01:00
d23db30b7e Testing ollama fix 2026-05-12 15:17:01 +01:00
528189e87e Setting up open-webui for ollama. 2026-05-12 13:54:08 +01:00
a3d4cb0d1d Adding cuda acceleration to ollama. 2026-05-12 13:44:55 +01:00
227c2c8678 adding ; 2026-05-12 13:34:38 +01:00
505a50bf74 Adding ollama to server. 2026-05-12 13:34:07 +01:00
32f2a4df2b crowdsec: prune hub items the bundled binary can't parse
The crowdsec hub tracks upstream master, but nixpkgs stable's crowdsec
binary is a few versions behind and doesn't know newer expr functions
(LookupFile in particular). When crowdsec-setup re-pulls the hub on
each rebuild, it lands /etc/crowdsec/scenarios/http-technology-probing.yaml
which then crashes the agent at load time with "unknown name LookupFile".

Adds a tiny oneshot ordered between crowdsec-setup and crowdsec that
removes the offending file. RequiredBy crowdsec.service so the hook
always fires even if someone restarts the agent manually. Drop this
unit (and revert the bundled-package fix) once nixpkgs catches up.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-07 14:54:11 +01:00
0c1b23337f Revert "libvirtd: KVM stack on FredOS-Gaming for Win11 guest"
This reverts db69615. Not pursuing the Windows-VM workaround for the DR
client mod after all. The server-side AdminCommandHandler exposes a
LevelSelf channel that bypasses the DLL flow entirely, which is a
better path than running a whole guest OS for one game.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-07 14:27:35 +01:00
db69615506 libvirtd: KVM stack on FredOS-Gaming for Win11 guest
Adds libvirtd + virt-manager + OVMFFull (UEFI w/ Secure Boot) + swtpm
(software TPM 2.0) so a Windows 11 VM can install. Brings in virtio-win
ISO for guest drivers and virt-viewer for SPICE console. Adds fred to
the libvirtd group.

Reason: the Dungeon Runners client-side mod (DSOUND.dll inline-hook
trampolines + memory scanner) crashes wine with a guard-page violation
on init regardless of Proton vintage; the only realistic path for
character progression is to run the client on real Windows.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-07 12:00:22 +01:00
91670f0d28 dr-server: wrap wine64 in xvfb-run for headless Unity
Unity's Win64 build still creates a 1x1 hidden window via Win32 even
under -batchmode -nographics. Wine needs an X display to honor that;
without one, startup fails with "Failed to create batch mode window:
Success." after Mono initializes and PhysX comes up. xvfb-run -a gives
it a virtual display with no real X server cost.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-07 09:47:55 +01:00
8b83cf9bfb dr-server: run Dungeon Runners Reborn headless under Wine
New service module on FredOS-Mediaserver that launches the friend's
Windows-only Unity server (DR_Server.exe -batchmode -nographics) in a
Win64 wine prefix. wineboot initializes the prefix on first start.
Opens auth/game/queue ports 2110, 2603-2606 (TCP+UDP).

Build files staged separately at ~/dr-server-build on the server;
sudo-move into /var/lib/dr-server/Build after the rebuild.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-07 09:40:42 +01:00
7e36f95056 7dtd: disable storms (StormFreq=0) on both servers 2026-05-06 21:09:38 +01:00
7a96927221 crowdsec: whitelist LAN + loopback to prevent self-bans
Adds a stage s02-enrich parser whitelist so events originating from
10.0.0.0/24 (and 127.0.0.1/::1) are dropped before scoring. Without it,
Authelia 401s from a stale browser tab on a LAN client can trip
http-bf / ssh-bf scenarios and the firewall bouncer cuts the LAN host
off from the server — happened today with the gaming desktop.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-06 13:05:14 +01:00
1f07b05c12 sabnzbd: tighten host_whitelist for *arr local calls + group consistency
Two small follow-ups to the SAB module:

- Extend host_whitelist to also include 127.0.0.1 + localhost. SAB's
  local-IP bypass usually handles this, but Sonarr/Radarr's "Hostname
  verification failed" error becomes a real footgun if it ever flips.
- Add extraGroups = [ "media" ] for parity with sonarr/radarr/qbittorrent.
  No functional change since group = "media" already.

Also wires SABnzbd into arr-interconnect: extracts api_key from
sabnzbd.ini and POSTs a Sabnzbd download client into Sonarr (tv-sonarr
category) and Radarr (radarr category). Idempotent like the existing
qBittorrent block; silently skips on first boot before SAB has materialised
its config.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-04 19:25:07 +01:00
955524f489 Update services/sabnzbd.nix 2026-05-04 02:40:44 -07:00
30d9d836e4 Update services/sabnzbd.nix 2026-05-04 02:35:58 -07:00
58440af384 Update services/nginx.nix 2026-05-04 02:30:28 -07:00
dda93320d8 Update services/sabnzbd.nix 2026-05-04 02:29:10 -07:00
e77ca8fceb Update services/sabnzbd.nix 2026-05-04 02:27:50 -07:00
c7f7e75a38 Update services/nginx.nix 2026-05-04 01:53:01 -07:00
34b54e1aad Update services/nginx.nix 2026-05-04 01:52:04 -07:00
cce1e9ccea Update services/authelia.nix 2026-05-04 01:46:41 -07:00
66e9873678 Add services/sabnzbd.nix 2026-05-04 01:40:03 -07:00
40dfc403a3 Update services/nginx.nix 2026-05-04 01:39:08 -07:00
670ff0a9f9 router: also accept docker user-defined bridges (br-*)
Forgejo's runner spins up a per-workflow Docker network for every job,
which lives on a br-XXXXXX bridge — not docker0. Without this rule, the
in-container git clone (and anything else outbound) hits the forward
chain's default-deny and times out. Match docker0 plus the br-* glob in
both input and forward so any Docker network model works.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-01 19:10:29 +01:00
046b4bff90 runner: resolve action refs against github.com by default
Forgejo's runner defaults to fetching `uses: org/repo@vN` from its
instance's mirror (data.forgejo.org), which doesn't host most
GitHub-marketplace actions like cachix/install-nix-action. Pointing
default_actions_url at github.com makes the existing workflow Just Work
without fully-qualified URLs in `uses:` lines.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-01 18:45:35 +01:00
dad207d19b runner: document tokenFile EnvironmentFile format
The gitea-actions-runner module loads tokenFile as a systemd
EnvironmentFile, so it needs KEY=value lines, not a raw token. Comment
updated to match — the runner failed to start the first time around
because the file just contained the bare registration token.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-01 16:04:32 +01:00
27a4e85693 runner: use forgejo-runner package (renamed in 25.11)
The forgejo-actions-runner attr was renamed to forgejo-runner upstream.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-01 16:00:00 +01:00
29e1185694 runner: add Forgejo Actions runner on the mediaserver
Adds services/forgejo-runner.nix as a host-gated module on the mediaserver
and switches the flake-update workflow from runs-on: ubuntu-latest to the
self-hosted fred-nix label, mapped to catthehacker/ubuntu:act-latest for
GitHub-action compatibility. Token lives at /var/secrets/forgejo-runner-token
so it stays out of the Nix store.

Also drops the stray result/ build symlink from the worktree.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-01 15:58:28 +01:00
c45811acf9 router: accept docker0 on input chain
Containers connecting to host services on 10.0.0.1 (e.g. Profilarr → Radarr
at 10.0.0.1:7878) hit the input chain, not forward, because the destination
is a local IP. The forward chain already trusts docker0 for outbound; this
adds the matching input rule so the return path stops getting dropped.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-30 20:47:46 +01:00
98ccee2221 profilarr: use Docker Hub image (santiagosayshey), not GHCR
The ghcr.io/dictionarry-hub/profilarr path mentioned in some docs isn't
publicly pullable — anonymous token requests get 403. Canonical image is
santiagosayshey/profilarr:latest on Docker Hub per the upstream README.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-30 20:05:30 +01:00
a9649be705 profilarr: swap recyclarr for Dictionarry's Profilarr
Profilarr replaces the recyclarr/TRaSH-Guides flow with a stateful web
service that owns *arr profiles end-to-end via its own UI. Runs as an
oci-container on 127.0.0.1:6868, fronted by nginx at
profilarr.nordhammer.it behind Authelia (one_factor).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-30 20:00:33 +01:00
728779daab 2026-04-29 20:40:54 +01:00
8fa1e4c112 recyclarr: prefer x265 on 1080p profiles for disk space
Override TRaSH's -10000 ban on x265 (HD) to +500 on Sonarr WEB-1080p
and Radarr HD Bluray + WEB. The Scene/No-RlsGroup/Retags/Obfuscated
custom formats (each at -10000) still filter the truly low-bitrate
x265 trash, so we get smaller files without inviting slop.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-29 20:30:42 +01:00
79d7d3f88e adguard: explicitly enable LAN rewrites (schema change on stable)
AdGuard's recent config schema added an enabled flag on each rewrite
that defaults to false. Without it, the *.nordhammer.it -> 10.0.0.1
rules were silently disabled, so LAN clients resolved their own
domains to the public DDNS IP and tripped over NAT loopback.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-29 18:56:11 +01:00
4c80e26431 recyclarr: fix Sonarr UHD template name (web-2160p, not uhd-bluray-web)
The Sonarr 4K profile is sonarr-v4-quality-profile-web-2160p in TRaSH's
recyclarr templates — uhd-bluray-web exists for German content only.
The English UHD profile is WEB-only and named "WEB-2160p", so update
the include list and the AV1-ban score assignment to match.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-29 18:48:19 +01:00