networking.enableIPv6 = false only sets the system sysctl; NetworkManager
keeps re-enabling disable_ipv6=0 per-interface because connection
defaults to ipv6.method = auto. The "?" icon comes back because NM's
v6 connectivity probe races over a SLAAC ULA with no real upstream.
Forces ipv6.method = disabled in NetworkManager's connection defaults
and stops the kernel from accepting router advertisements, so v6 never
gets brought up on any new or existing connection.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
The catthehacker runner image runs jobs as root and Nix's install script
refuses to do a clean root install without the nixbld group + build users
already in place — even with --no-daemon. Adding them inline keeps the
workflow self-contained without swapping to a Nix-prebuilt container image.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Forgejo's runner spins up a per-workflow Docker network for every job,
which lives on a br-XXXXXX bridge — not docker0. Without this rule, the
in-container git clone (and anything else outbound) hits the forward
chain's default-deny and times out. Match docker0 plus the br-* glob in
both input and forward so any Docker network model works.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Replaces cachix/install-nix-action and stefanzweifel/git-auto-commit-action
with inline shell so the workflow no longer touches github.com. Still pulls
the runner image from Docker Hub and the install script from nixos.org —
those are deliberately left for now and can be cut in a follow-up.
actions/checkout stays because it's mirrored on data.forgejo.org and the
runner already resolves it there.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Forgejo's runner defaults to fetching `uses: org/repo@vN` from its
instance's mirror (data.forgejo.org), which doesn't host most
GitHub-marketplace actions like cachix/install-nix-action. Pointing
default_actions_url at github.com makes the existing workflow Just Work
without fully-qualified URLs in `uses:` lines.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
The gitea-actions-runner module loads tokenFile as a systemd
EnvironmentFile, so it needs KEY=value lines, not a raw token. Comment
updated to match — the runner failed to start the first time around
because the file just contained the bare registration token.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Adds services/forgejo-runner.nix as a host-gated module on the mediaserver
and switches the flake-update workflow from runs-on: ubuntu-latest to the
self-hosted fred-nix label, mapped to catthehacker/ubuntu:act-latest for
GitHub-action compatibility. Token lives at /var/secrets/forgejo-runner-token
so it stays out of the Nix store.
Also drops the stray result/ build symlink from the worktree.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Migrating origin from GitHub to a private Forgejo repo at
forg.gregersen.it/rope/nixos. Each host needs the PAT in /root/.git-credentials
(host-local state, set up manually since the repo isn't publicly readable).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
The 25.11 channel renamed proton-vpn to protonvpn-gui; Macbook was
patched in an earlier commit but Gaming wasn't, breaking the build.
zramSwap goes back into common.nix as the cheap OOM-during-uncached-build
safety net — even on stable, --refresh against a freshly-bumped lock can
trigger local builds the box has no swap to absorb.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Containers connecting to host services on 10.0.0.1 (e.g. Profilarr → Radarr
at 10.0.0.1:7878) hit the input chain, not forward, because the destination
is a local IP. The forward chain already trusts docker0 for outbound; this
adds the matching input rule so the return path stops getting dropped.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
The ghcr.io/dictionarry-hub/profilarr path mentioned in some docs isn't
publicly pullable — anonymous token requests get 403. Canonical image is
santiagosayshey/profilarr:latest on Docker Hub per the upstream README.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Profilarr replaces the recyclarr/TRaSH-Guides flow with a stateful web
service that owns *arr profiles end-to-end via its own UI. Runs as an
oci-container on 127.0.0.1:6868, fronted by nginx at
profilarr.nordhammer.it behind Authelia (one_factor).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Override TRaSH's -10000 ban on x265 (HD) to +500 on Sonarr WEB-1080p
and Radarr HD Bluray + WEB. The Scene/No-RlsGroup/Retags/Obfuscated
custom formats (each at -10000) still filter the truly low-bitrate
x265 trash, so we get smaller files without inviting slop.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
The flag was removed in matugen 3.x; the call now exits with an arg
parse error on every update (caught by '|| true' but noisy). matugen
picks a sensible source color by default, so we just drop the flag.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
AdGuard's recent config schema added an enabled flag on each rewrite
that defaults to false. Without it, the *.nordhammer.it -> 10.0.0.1
rules were silently disabled, so LAN clients resolved their own
domains to the public DDNS IP and tripped over NAT loopback.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
The Sonarr 4K profile is sonarr-v4-quality-profile-web-2160p in TRaSH's
recyclarr templates — uhd-bluray-web exists for German content only.
The English UHD profile is WEB-only and named "WEB-2160p", so update
the include list and the AV1-ban score assignment to match.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Two failing services after the channel switch.
automatic-timezoned has been polkit-blocked since well before the
switch — replace with a static Europe/London timezone. Hosts that
travel can override locally if needed.
The vendored crowdsec module's setup unit chowns its config dir to
the (DynamicUser-allocated) crowdsec user via an ExecStartPre+ hack.
On stable's systemd the dynamic user isn't visible to chown via NSS
at that point, so it fails with 'invalid user'. Declaring crowdsec
as a static system user makes systemd use it (DynamicUser becomes a
no-op) and the chown resolves cleanly.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
NVIDIA 535's kernel module won't compile against kernel 7.x — the
DMA mapping API changed in a way the 535 source doesn't handle.
6.12 LTS is the highest kernel branch that's a well-tested combo
with the 535 driver, which we need on stable's nixpkgs to retain
Maxwell support for Jellyfin NVENC.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
legacy_580 only exists on unstable nixpkgs and isn't backported to
25.11. The Maxwell GM206 (Quadro M2000) is supported through the
535.x branch — last production driver to ship Maxwell support — so
this is a clean swap with no expected impact on Jellyfin's NVENC.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
The mediaserver kept hard-freezing on local builds (gnupg, openldap,
deno/rusty-v8) whenever a fresh unstable revision outran Hydra's
binary cache. It doesn't need bleeding-edge packages — every service
it runs is mature enough that 6-month-old versions are fine — so move
it onto the stable channel where the cache is essentially always
warm. Gaming and Macbook stay on unstable for fresh GPU/kernel work.
Implementation: add nixpkgs-stable + home-manager-stable inputs,
parameterise mkHost to accept a (nixpkgs, home-manager) pair.
Drive-by:
- Switch homepage.nix from environmentFiles (plural, unstable-only)
to environmentFile (singular, present on both channels).
- Gate the openldap-skip-tests overlay to non-mediaserver hosts so
it doesn't force a local rebuild on stable, where openldap is
always cached.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
bazaar is a Flathub GUI app store — it has no business on the headless
mediaserver, where it was also pulling flatpak in transitively and
inflating local builds.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
The mediaserver (56 cores, 31 GiB RAM, no swap) was hard-freezing on
local builds of gnupg/openldap because Nix defaulted max-jobs=auto and
launched ~56 parallel gcc compilations, blowing past available memory
and OOM-stalling AdGuard.
Cap parallelism (max-jobs=4, cores=8 per build) and add zramSwap as a
compressed in-memory safety net so a build storm can't take services
with it.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Heavy local builds (gnupg/openldap checkPhase under a freshly-bumped
nixpkgs lock) were saturating CPU and starving AdGuard on the
mediaserver, making DNS effectively unresponsive until the build
finished or got cancelled.
Halving the daemon's CPU share leaves headroom for latency-sensitive
services without meaningfully slowing builds on an otherwise idle box.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Recyclarr now manages quality definitions via TRaSH templates, so the
hand-rolled minSize=10 floor is redundant — every sync would overwrite
it anyway.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Score-based release filtering replaces the brittle "minimum size" approach
— good HEVC encodes from reputable groups now win regardless of file
size, while obfuscated/no-group/lazy-x265 garbage gets banned.
Profiles installed:
Sonarr: WEB-1080p (default), UHD Bluray + WEB (per-show opt-in)
Radarr: HD Bluray + WEB (default), UHD Bluray + WEB (per-movie opt-in)
AV1 is banned across all four profiles since the GPU lacks hardware
decode. API keys are extracted at runtime from each *arr's config.xml,
matching the arr-interconnect pattern.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
test017-syncreplication-refresh is timing-flaky and fails reliably on
local builds when Hydra's binary cache hasn't yet served the upstream
artifact. Overlay sets doCheck=false so the build can proceed. Remove
once the substituter catches up to the pinned nixpkgs revision.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
LAN has no v6 route, so AAAA lookups succeed but connect fails. NM's
connectivity probe was reporting "limited" at boot (GNOME's "?" icon)
until the next 5-min repoll cleared it.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
NixOS's nftables module rebuilds the tables it owns on every activation,
which previously wiped Docker's DOCKER/PREROUTING chains in ip nat
(both Docker and the router were defining 'ip nat'). Renaming our
table sidesteps the collision — kernel hooks across separate tables
at the same priority all run, so functionality is unchanged.
Eliminates the need to run 'systemctl restart docker' after every
nixos-rebuild to restore container port-forwards.
The forward rule only accepted iifname=eno1 oifname=eth0 ct status=dnat,
which worked when port-forwards always landed on a LAN host. Docker
DNAT routes to docker0, so external traffic to 26900 was being DNAT'd
correctly but then dropped at the forward filter. Drop the oifname
constraint — the prerouting DNAT rule already controls what gets
forwarded; the filter doesn't need to second-guess it.
CrowdSec reads the ntfy topic URL from /var/secrets/ntfy-url at eval
time via builtins.readFile. Pure flake mode forbids reading paths
outside the source tree, so without --impure the read silently falls
through to the placeholder URL on every rebuild. Adding --impure to
both build and switch keeps the secret-file pattern working.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
CrowdSec covers the same surface (sshd, authelia, nginx, *arr apps,
qBit) with the addition of community-sourced threat intel and ntfy
push alerts. Keeping both was redundant. State at /var/lib/fail2ban
will sit unused until cleaned up by hand.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
