diff --git a/common.nix b/common.nix index b3a2c9e..1860e73 100644 --- a/common.nix +++ b/common.nix @@ -59,42 +59,20 @@ boot.initrd.verbose = false; ############################################################################# - nix.settings = { - experimental-features = [ "nix-command" "flakes" ]; - # Default max-jobs is the host's core count, which on the 56-core - # mediaserver was launching ~56 parallel gcc builds and blowing past - # 30 GiB RAM during gnupg/openldap. Cap parallel builds and per-build - # cores so a local rebuild storm can't OOM the box. - max-jobs = 4; - cores = 8; - }; - # Compressed in-memory swap as a safety net during local build storms. - # Without it, OOM stalls AdGuard/Jellyfin to the point of freezing the box. + # Cheap when idle; without it a transient OOM during an uncached build + # can stall AdGuard/Jellyfin to the point of freezing the box. zramSwap = { enable = true; memoryPercent = 50; }; - # Keep services responsive when nix-daemon is contending for CPU. - systemd.services.nix-daemon.serviceConfig.CPUWeight = 50; - # Use latest kernel boot.kernelPackages = pkgs.linuxPackages_latest; # Allow unfree packages nixpkgs.config.allowUnfree = true; - # openldap 2.6.13's test017-syncreplication-refresh is timing-flaky on - # unstable's freshly-bumped revisions before Hydra has cached them. The - # mediaserver runs on the stable channel where openldap is always cached, - # so don't change its hash there — that would force a local rebuild. - nixpkgs.overlays = lib.optionals (config.networking.hostName != "FredOS-Mediaserver") [ - (final: prev: { - openldap = prev.openldap.overrideAttrs (_: { doCheck = false; }); - }) - ]; - # Enable network-manager networking.networkmanager.enable = true; diff --git a/flake.lock b/flake.lock index ddd8a02..7746736 100644 --- a/flake.lock +++ b/flake.lock 
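Review bot: Dropping `experimental-features = [ "nix-command" "flakes" ]` together with the rest of `nix.settings` means the hosts no longer enable flakes themselves, so a `nixos-rebuild --flake` run on the box fails unless the feature is enabled somewhere outside this hunk; if only the job cap was meant to go, keep `nix.settings.experimental-features = [ "nix-command" "flakes" ];`. The retained zramSwap comment still anticipates uncached builds, and without `max-jobs`/`cores` those fall back to the host core count that the removed comment blamed for the OOM, so the cap may be worth keeping as well. The enclosing module attribute set starts before and ends after this hunk.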
@@ -66,26 +66,6 @@ "type": "github" } }, - "home-manager": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1777518431, - "narHash": "sha256-SwgiG2T5pbyo33Vz7/vUCAhEMgwCK8Pa2nDSx5a6/WE=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "2e54a938cdd4c8e414b2518edc3d82308027c670", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "home-manager", - "type": "github" - } - }, "home-manager-stable": { "inputs": { "nixpkgs": [ @@ -163,11 +143,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1777077449, - "narHash": "sha256-AIiMJiqvGrN4HyLEbKAoCSRRYn0rnlW5VbKNIMIYqm4=", + "lastModified": 1777428379, + "narHash": "sha256-ypxFOeDz+CqADEQNL72haqGjvZQdBR5Vc7pyx2JDttI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a4bf06618f0b5ee50f14ed8f0da77d34ecc19160", + "rev": "755f5aa91337890c432639c60b6064bb7fe67769", "type": "github" }, "original": { @@ -177,28 +157,10 @@ "type": "github" } }, - "nixpkgs_2": { - "locked": { - "lastModified": 1777268161, - "narHash": "sha256-bxrdOn8SCOv8tN4JbTF/TXq7kjo9ag4M+C8yzzIRYbE=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "1c3fe55ad329cbcb28471bb30f05c9827f724c76", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, "root": { "inputs": { - "home-manager": "home-manager", "home-manager-stable": "home-manager-stable", "nix-cachyos-kernel": "nix-cachyos-kernel", - "nixpkgs": "nixpkgs_2", "nixpkgs-stable": "nixpkgs-stable", "zen-browser": "zen-browser" } 
@@ -206,18 +168,18 @@ "zen-browser": { "inputs": { "home-manager": [ - "home-manager" + "home-manager-stable" ], "nixpkgs": [ - "nixpkgs" + "nixpkgs-stable" ] }, "locked": { - "lastModified": 1777484394, - "narHash": "sha256-03QK/lM/m4f1FjC4ldYtp8NobTGRdwGC24XBY6Vcdqo=", + "lastModified": 1777564084, + "narHash": "sha256-O9VRkxg+2j+sh+c73wi4VeIBECoqW2PlnCR9Qe1nQKA=", "owner": "0xc000022070", "repo": "zen-browser-flake", - "rev": "274e039947393bc90f45b8fc6d1af23e45937af0", + "rev": "d93443c0f6fdb3b179bed68856f322dba4842612", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 214774c..6cd08e6 100644 --- a/flake.nix +++ b/flake.nix @@ -1,16 +1,7 @@ { description = "FredOS NixOS configuration"; inputs = { - # Unstable: gaming desktop & laptop want bleeding-edge GPU/kernel updates. - nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; - # Stable: mediaserver values cache hit-rate over fresh packages so it - # doesn't have to compile gnupg/openldap/v8 locally on every flake bump. nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-25.11"; - - home-manager = { - url = "github:nix-community/home-manager"; - inputs.nixpkgs.follows = "nixpkgs"; - }; home-manager-stable = { url = "github:nix-community/home-manager/release-25.11"; inputs.nixpkgs.follows = "nixpkgs-stable"; @@ -19,8 +10,8 @@ zen-browser = { url = "github:0xc000022070/zen-browser-flake"; inputs = { - nixpkgs.follows = "nixpkgs"; - home-manager.follows = "home-manager"; + nixpkgs.follows = "nixpkgs-stable"; + home-manager.follows = "home-manager-stable"; }; }; @@ -28,9 +19,7 @@ }; outputs = { self - , nixpkgs , nixpkgs-stable - , home-manager , home-manager-stable , zen-browser , nix-cachyos-kernel 
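Review bot: The removed header comment was the only place explaining the channel choice, and after this hunk `nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-25.11";` carries no note on why every host now tracks it or that it is a release pin that has to be bumped; add above it `# All hosts follow the stable release for cache hit-rate; bump this and home-manager-stable at each NixOS release.`. The zen-browser `follows` lines in the next hunk now depend on the same pin, so one comment at the input definition covers both.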
@@ -51,9 +40,9 @@ in { nixosConfigurations = { - FredOS-Gaming = mkHost "FredOS-Gaming" nixpkgs home-manager; + FredOS-Gaming = mkHost "FredOS-Gaming" nixpkgs-stable home-manager-stable; FredOS-Mediaserver = mkHost "FredOS-Mediaserver" nixpkgs-stable home-manager-stable; - FredOS-Macbook = mkHost "FredOS-Macbook" nixpkgs home-manager; + FredOS-Macbook = mkHost "FredOS-Macbook" nixpkgs-stable home-manager-stable; }; }; } diff --git a/hosts/FredOS-Gaming.nix b/hosts/FredOS-Gaming.nix index 357ebd9..618b583 100644 --- a/hosts/FredOS-Gaming.nix +++ b/hosts/FredOS-Gaming.nix @@ -20,7 +20,7 @@ geary wowup-cf adwsteamgtk - proton-vpn + protonvpn-gui onlyoffice-desktopeditors vscodium ]; diff --git a/hosts/FredOS-Macbook.nix b/hosts/FredOS-Macbook.nix index a7b730c..3187f9e 100644 --- a/hosts/FredOS-Macbook.nix +++ b/hosts/FredOS-Macbook.nix @@ -9,7 +9,7 @@ mission-center vlc geary - proton-vpn + protonvpn-gui onlyoffice-desktopeditors ]; diff --git a/services/profilarr.nix b/services/profilarr.nix index 07bdac4..e47e755 100644 --- a/services/profilarr.nix +++ b/services/profilarr.nix @@ -14,7 +14,9 @@ ]; virtualisation.oci-containers.containers.profilarr = { - image = "ghcr.io/dictionarry-hub/profilarr:latest"; + # Canonical image lives on Docker Hub (santiagosayshey is the maintainer); + # the Dictionarry-Hub GHCR path that some docs mention isn't publicly pullable. + image = "santiagosayshey/profilarr:latest"; volumes = [ "/var/lib/profilarr:/config" ]; diff --git a/services/router.nix b/services/router.nix index 08cdbab..abfa20e 100644 --- a/services/router.nix +++ b/services/router.nix 
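Review bot: With the Gaming and Macbook entries now passing `nixpkgs-stable home-manager-stable`, all three `mkHost` calls supply the same two arguments, so the per-host channel parameters no longer vary; if nothing else selects a channel, binding them inside `mkHost` (or a `let`) and calling `mkHost "FredOS-Gaming"` would make the shared channel explicit rather than repeated three times. `mkHost` is defined outside this hunk, so this is inferred from the call sites alone.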
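Review bot: The new `image = "santiagosayshey/profilarr:latest"` moves the container from an organisation GHCR namespace to an individual Docker Hub account while keeping a mutable `latest` tag, so what gets deployed is whatever that account pushes next and the config cannot tell you which build is running. Pinning a tag plus digest, `image = "santiagosayshey/profilarr:<TAG>@sha256:<DIGEST>";` (placeholders), keeps the change reproducible and makes an unexpected image swap fail loudly instead of silently. The added comment's claim that the Dictionarry-Hub GHCR path isn't publicly pullable is worth dating, since it is the kind of fact that changes.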
@@ -111,6 +111,11 @@ in
 iifname "lo" accept
 # LAN is trusted
 iifname "eth0" accept
+ # Docker containers reaching host services (e.g. Profilarr → Radarr
+ # on 10.0.0.1:7878). The forward chain already trusts docker0 for
+ # outbound; this is the matching INPUT rule for traffic landing on
+ # the host's own LAN/bridge IPs from a container.
+ iifname "docker0" accept
 # Phase 1: also trust the existing eero subnet on eno1 so SSH
 # and AdGuard DNS keep working during the transition.
 ${legacyTrustRules}
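Review bot: `iifname "docker0" accept` admits every container on the bridge to every listener on the host, which is far wider than the Profilarr → Radarr case the new comment describes; a compromised or misbehaving container would then reach SSH, AdGuard and anything else bound on the host's addresses. If only specific services need to be reachable, narrow the rule to those ports, e.g. `iifname "docker0" tcp dport 7878 accept`, and extend the set as containers are added; the comment should then list which containers and ports the rule is for. The ruleset string this sits in starts before the hunk.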