Commit graph

240 commits

Author SHA1 Message Date
d83db8c555 mediaserver: add bazarr-sync for automatic subtitle synchronisation
Hourly timer syncs only recently added content (last 2h) by querying
Radarr/Sonarr APIs for new items. Weekly full-library sync runs Sunday
04:00 as a catch-all. Both run the bazarr-sync container via podman.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-19 10:46:36 +01:00
db413ad808 services: add Flatnotes note-sharing at notes.nordhammer.it
Replaces Vesktop for quick cross-device note-passing. Uses Flatnotes
with auth disabled so Authelia is the only login required.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-17 14:19:52 +01:00
12253c23dd arr: patch AuthenticationRequired to suppress auth enforcement
Newer *arr versions added AuthenticationRequired to config.xml and now
block access if it's not explicitly set. Patch it to
DisabledForLocalAddresses alongside the existing AuthenticationMethod
patch, since Authelia handles auth at the reverse proxy.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-16 21:01:11 +01:00
81b5fc84d1 authelia: extend session inactivity timeout to 2h
Inactivity was 5m which caused logouts while working in VS Code
(no new page loads). Bumped inactivity to 2h, expiration to 12h.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-16 12:42:17 +01:00
5eeab405c0 services: disable built-in auth on *arr stack; update readme
Radarr, Sonarr, Prowlarr, and Bazarr now patch their auth setting to
None on every service start — auth is handled by Authelia at the proxy.

Also updates readme with missing services, settings files, and flake
inputs added since the last readme refresh.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-16 12:27:19 +01:00
ad7a45d143 code-server: fix Nix string interpolation in Firefox CORS patch
Escape \${q} as ''${q} so Nix doesn't try to evaluate it as a
variable in the activation script string.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-16 12:25:30 +01:00
099ff8a093 code-server: patch Claude Code extension for Firefox CORS fix
Adds a NixOS activation script that patches the crossorigin attribute
onto the Claude Code extension's stylesheet link, fixing broken CSS in
Firefox due to stricter CORS handling than Chrome.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-16 12:10:11 +01:00
e59c239257 code-server: pin package to nixpkgs unstable for newer VS Code version
Adds nixpkgs unstable as a flake input and exposes pkgs-unstable via
specialArgs. code-server uses the unstable package so the Claude Code
extension version requirement is satisfied.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-16 11:17:25 +01:00
b6eb5c055d services: add code-server web IDE at code.nordhammer.it
Deploys code-server on FredOS-Mediaserver (port 4444, user fred) with
Authelia one_factor auth and nginx reverse proxy. Includes claude-code
in system packages for use in the integrated terminal.

Also fixes anyrun launcher width to absolute 350px (was a tiny fraction).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-16 10:59:35 +01:00
34e32e7ce4 Remove shitty ollama. 2026-05-13 10:24:14 +01:00
7c1f1501db fixed missing semicolon lol 2026-05-13 10:03:29 +01:00
e3ec0ea1a5 Allow ollama connections from local network on port 11434. 2026-05-13 10:02:52 +01:00
dc3eebb742 ollama: revert to CPU inference — M2000 CUDA incompatible with nixpkgs
CUDA ≤12.5 removed from nixpkgs as unmaintained; CUDA 12.6+ requires
driver ≥560 but legacy_535 (Maxwell's last supported branch) caps out
at 12.2. No compatible CUDA path exists for the Quadro M2000.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-13 09:25:39 +01:00
b86a92293c ollama: build against CUDA 12.2 for Quadro M2000 compatibility
The M2000's legacy_535 driver caps CUDA support at 12.2; nixpkgs'
default ollama-cuda targets 12.8 (requires driver ≥570), causing
the runner to crash immediately. Override to CUDA 12.2 with sm_52
arch target to match Maxwell GM206 compute capability.

Also open port 11434 on the mediaserver firewall for remote ollama
access from other LAN hosts.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-13 09:23:23 +01:00
02cbd656e2 revert c8d0651bab
revert Fix cuda and openwebui
2026-05-13 00:39:53 -07:00
6dc6d327a0 Remove auth from ollama. 2026-05-12 21:27:12 +01:00
c8d0651bab Fix cuda and openwebui 2026-05-12 20:21:56 +01:00
219b20a32f Maybe fix ollama. 2026-05-12 19:26:49 +01:00
27be8e3452 Maybe fix failing dependency? 2026-05-12 15:31:26 +01:00
f202e7001e Formatting changes. 2026-05-12 15:28:38 +01:00
d23db30b7e Testing ollama fix 2026-05-12 15:17:01 +01:00
528189e87e Setting up open-webui for ollama. 2026-05-12 13:54:08 +01:00
a3d4cb0d1d Adding cuda acceleration to ollama. 2026-05-12 13:44:55 +01:00
227c2c8678 adding ; 2026-05-12 13:34:38 +01:00
505a50bf74 Adding ollama to server. 2026-05-12 13:34:07 +01:00
32f2a4df2b crowdsec: prune hub items the bundled binary can't parse
The crowdsec hub tracks upstream master, but nixpkgs stable's crowdsec
binary is a few versions behind and doesn't know newer expr functions
(LookupFile in particular). When crowdsec-setup re-pulls the hub on
each rebuild, it lands /etc/crowdsec/scenarios/http-technology-probing.yaml
which then crashes the agent at load time with "unknown name LookupFile".

Adds a tiny oneshot ordered between crowdsec-setup and crowdsec that
removes the offending file. RequiredBy crowdsec.service so the hook
always fires even if someone restarts the agent manually. Drop this
unit (and revert the bundled-package fix) once nixpkgs catches up.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-07 14:54:11 +01:00
0c1b23337f Revert "libvirtd: KVM stack on FredOS-Gaming for Win11 guest"
This reverts db69615. Not pursuing the Windows-VM workaround for the DR
client mod after all. The server-side AdminCommandHandler exposes a
LevelSelf channel that bypasses the DLL flow entirely, which is a
better path than running a whole guest OS for one game.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-07 14:27:35 +01:00
db69615506 libvirtd: KVM stack on FredOS-Gaming for Win11 guest
Adds libvirtd + virt-manager + OVMFFull (UEFI w/ Secure Boot) + swtpm
(software TPM 2.0) so a Windows 11 VM can install. Brings in virtio-win
ISO for guest drivers and virt-viewer for SPICE console. Adds fred to
the libvirtd group.

Reason: the Dungeon Runners client-side mod (DSOUND.dll inline-hook
trampolines + memory scanner) crashes wine with a guard-page violation
on init regardless of Proton vintage; the only realistic path for
character progression is to run the client on real Windows.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-07 12:00:22 +01:00
91670f0d28 dr-server: wrap wine64 in xvfb-run for headless Unity
Unity's Win64 build still creates a 1x1 hidden window via Win32 even
under -batchmode -nographics. Wine needs an X display to honor that;
without one, startup fails with "Failed to create batch mode window:
Success." after Mono initializes and PhysX comes up. xvfb-run -a gives
it a virtual display with no real X server cost.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-07 09:47:55 +01:00
8b83cf9bfb dr-server: run Dungeon Runners Reborn headless under Wine
New service module on FredOS-Mediaserver that launches the friend's
Windows-only Unity server (DR_Server.exe -batchmode -nographics) in a
Win64 wine prefix. wineboot initializes the prefix on first start.
Opens auth/game/queue ports 2110, 2603-2606 (TCP+UDP).

Build files staged separately at ~/dr-server-build on the server;
sudo-move into /var/lib/dr-server/Build after the rebuild.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-07 09:40:42 +01:00
7e36f95056 7dtd: disable storms (StormFreq=0) on both servers 2026-05-06 21:09:38 +01:00
7a96927221 crowdsec: whitelist LAN + loopback to prevent self-bans
Adds a stage s02-enrich parser whitelist so events originating from
10.0.0.0/24 (and 127.0.0.1/::1) are dropped before scoring. Without it,
Authelia 401s from a stale browser tab on a LAN client can trip
http-bf / ssh-bf scenarios and the firewall bouncer cuts the LAN host
off from the server — happened today with the gaming desktop.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-06 13:05:14 +01:00
1f07b05c12 sabnzbd: tighten host_whitelist for *arr local calls + group consistency
Two small follow-ups to the SAB module:

- Extend host_whitelist to also include 127.0.0.1 + localhost. SAB's
  local-IP bypass usually handles this, but Sonarr/Radarr's "Hostname
  verification failed" error becomes a real footgun if it ever flips.
- Add extraGroups = [ "media" ] for parity with sonarr/radarr/qbittorrent.
  No functional change since group = "media" already.

Also wires SABnzbd into arr-interconnect: extracts api_key from
sabnzbd.ini and POSTs a Sabnzbd download client into Sonarr (tv-sonarr
category) and Radarr (radarr category). Idempotent like the existing
qBittorrent block; silently skips on first boot before SAB has materialised
its config.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-04 19:25:07 +01:00
955524f489 Update services/sabnzbd.nix 2026-05-04 02:40:44 -07:00
30d9d836e4 Update services/sabnzbd.nix 2026-05-04 02:35:58 -07:00
58440af384 Update services/nginx.nix 2026-05-04 02:30:28 -07:00
dda93320d8 Update services/sabnzbd.nix 2026-05-04 02:29:10 -07:00
e77ca8fceb Update services/sabnzbd.nix 2026-05-04 02:27:50 -07:00
c7f7e75a38 Update services/nginx.nix 2026-05-04 01:53:01 -07:00
34b54e1aad Update services/nginx.nix 2026-05-04 01:52:04 -07:00
cce1e9ccea Update services/authelia.nix 2026-05-04 01:46:41 -07:00
66e9873678 Add services/sabnzbd.nix 2026-05-04 01:40:03 -07:00
40dfc403a3 Update services/nginx.nix 2026-05-04 01:39:08 -07:00
670ff0a9f9 router: also accept docker user-defined bridges (br-*)
Forgejo's runner spins up a per-workflow Docker network for every job,
which lives on a br-XXXXXX bridge — not docker0. Without this rule, the
in-container git clone (and anything else outbound) hits the forward
chain's default-deny and times out. Match docker0 plus the br-* glob in
both input and forward so any Docker network model works.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-01 19:10:29 +01:00
046b4bff90 runner: resolve action refs against github.com by default
Forgejo's runner defaults to fetching `uses: org/repo@vN` from its
instance's mirror (data.forgejo.org), which doesn't host most
GitHub-marketplace actions like cachix/install-nix-action. Pointing
default_actions_url at github.com makes the existing workflow Just Work
without fully-qualified URLs in `uses:` lines.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-01 18:45:35 +01:00
dad207d19b runner: document tokenFile EnvironmentFile format
The gitea-actions-runner module loads tokenFile as a systemd
EnvironmentFile, so it needs KEY=value lines, not a raw token. Comment
updated to match — the runner failed to start the first time around
because the file just contained the bare registration token.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-01 16:04:32 +01:00
27a4e85693 runner: use forgejo-runner package (renamed in 25.11)
The forgejo-actions-runner attr was renamed to forgejo-runner upstream.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-01 16:00:00 +01:00
29e1185694 runner: add Forgejo Actions runner on the mediaserver
Adds services/forgejo-runner.nix as a host-gated module on the mediaserver
and switches the flake-update workflow from runs-on: ubuntu-latest to the
self-hosted fred-nix label, mapped to catthehacker/ubuntu:act-latest for
GitHub-action compatibility. Token lives at /var/secrets/forgejo-runner-token
so it stays out of the Nix store.

Also drops the stray result/ build symlink from the worktree.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-01 15:58:28 +01:00
c45811acf9 router: accept docker0 on input chain
Containers connecting to host services on 10.0.0.1 (e.g. Profilarr → Radarr
at 10.0.0.1:7878) hit the input chain, not forward, because the destination
is a local IP. The forward chain already trusts docker0 for outbound; this
adds the matching input rule so the return path stops getting dropped.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-30 20:47:46 +01:00
98ccee2221 profilarr: use Docker Hub image (santiagosayshey), not GHCR
The ghcr.io/dictionarry-hub/profilarr path mentioned in some docs isn't
publicly pullable — anonymous token requests get 403. Canonical image is
santiagosayshey/profilarr:latest on Docker Hub per the upstream README.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-30 20:05:30 +01:00