nixpkgs.stdenv.hostPlatform is not a valid NixOS option. The
deprecation warning comes from nixpkgs internals and is harmless.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Remove virtualisation.docker.enable (no longer used after native
migration of Authelia, go2rtc, and nginx)
- Add migration checklist documenting which state directories and
secrets to back up when moving to new hardware
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
DynamicUser can't write to /run directly. RuntimeDirectory lets systemd
create and manage the directory.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- go2rtc.nix: template config at runtime from /var/secrets/go2rtc-rtsp-url
instead of embedding credentials in the nix store
- readme.md: add Mediaserver secrets section documenting all secrets
needed for a fresh deploy (Cloudflare, go2rtc, Authelia)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Use /api/verify endpoint instead of /api/authz/forward-auth
- Add proxy_pass_request_body off to auth location
- Put redirect URL inline in error_page instead of using a variable
- Use X-Forwarded-Uri (matching old config) instead of X-Forwarded-URI
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
auth_request_set reads variables from the auth subrequest context where
$scheme/$http_host/$request_uri are empty, causing a 500 instead of a
302 redirect. Using set captures from the main request context.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The CNAME interference is resolved so the default lego propagation check
(querying Cloudflare authoritative NS) should work correctly now.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The previous dnsPropagationCheck=false caused lego to ask LE to validate
before the TXT record was globally visible. Adding --dns.propagation-wait
gives Cloudflare time to serve the record from all edge locations.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Cloudflare is the authoritative NS so API-created TXT records are
immediately visible — the propagation poll was timing out unnecessarily.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Native nginx with ACME wildcard cert (*.nordhammer.it) via Cloudflare DNS-01
- Native Authelia SSO with forward auth protecting homepage + camera
- Native go2rtc camera streaming (no more Docker)
- Auto-migration script for Authelia secrets and user database from Docker
- Homepage hrefs updated to use HTTPS domain names
- Fail2ban updated for native nginx log paths + new Authelia jail
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds a systemd oneshot that runs before homepage-dashboard and:
- Reads *arr API keys from their config.xml files
- Reads Bazarr key from config.ini
- Creates a Jellyfin API key in the DB if one named "Homepage" doesn't exist
- Uses localhost for qBittorrent (LocalHostAuth=false, no creds needed)
- Writes everything to /etc/homepage-secrets
Zero manual setup — all keys are extracted or generated automatically.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
40-char password from a manager is impractical for frequent sudo use.
SSH is already key-only, so local privilege escalation is the only
remaining threat — acceptable on a single-user home server.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Covers all running services: Jellyfin, Sonarr, Radarr, Bazarr, Prowlarr,
qBittorrent, Nginx Proxy Manager, Authelia, go2rtc. Live widgets for
*arr apps, Jellyfin now-playing, and qBittorrent speed use API keys
loaded from /etc/homepage-secrets (outside the Nix store).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds authorised keys for FredOS-Gaming and phone. Disables SSH password
authentication on FredOS-Mediaserver — key auth only going forward.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
ES 8.x enables security and enrollment by default. Adding
xpack.security.enrollment.enabled=false to Elasticsearch and
xpack.security.enabled=false to Kibana suppresses the enrollment
token screen and lets Kibana connect directly over HTTP.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Elasticsearch + Kibana + Filebeat in Docker, bridged via an elk network.
Filebeat uses the Suricata module to parse eve.json and auto-installs
Kibana dashboards on first run. ES heap capped at 1g; Kibana Node heap
at 512m — total stack ~2-2.5 GB RAM.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Individual SID exclusions weren't enough — there are many more rules for
these industrial SCADA protocols than initially identified. Switch to
regex-based disable patterns (re:modbus, re:dnp3) so suricata-update
strips all of them from the generated rules file.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Modbus protocol detection is disabled in the NixOS build; the 5 Modbus
SIDs (2250005-2250009) cause the config test to fail and crash-loop the
service. Disable them alongside the existing DNP3 exclusions.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Passive network monitoring via af-packet on eno1. Rulesets auto-updated
from ET/Open, abuse.ch, and other community sources via suricata-update.
Runs alongside fail2ban; IPS/blocking mode can be enabled later.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replaces bare enable flag with a dedicated service module covering:
- SSH brute force via journald
- Nginx Proxy Manager auth failures via Docker log files
- Jellyfin auth failures via journald
Includes incremental ban times (up to 1 week) and LAN ignore rules.
https://claude.ai/code/session_01PwAXuaoJx7qD5FhVLsn7Sn
Replaces the incomplete nixpkgs NixOS module with the official
CrowdSec Docker image for the LAPI, while keeping the firewall
bouncer as a native systemd service. API key is read from
/var/lib/secrets/crowdsec-bouncer-key at start time so it
never enters the Nix store.
https://claude.ai/code/session_01PwAXuaoJx7qD5FhVLsn7Sn
