From 98ccee222108820b74b3ec2760135a520b615e8f Mon Sep 17 00:00:00 2001
From: ediblerope
Date: Thu, 30 Apr 2026 20:05:30 +0100
Subject: [PATCH 01/10] profilarr: use Docker Hub image (santiagosayshey), not GHCR
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The ghcr.io/dictionarry-hub/profilarr path mentioned in some docs isn't publicly pullable — anonymous token requests get 403. Canonical image is santiagosayshey/profilarr:latest on Docker Hub per the upstream README.
Co-Authored-By: Claude Opus 4.7
---
 services/profilarr.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/services/profilarr.nix b/services/profilarr.nix
index 07bdac4..e47e755 100644
--- a/services/profilarr.nix
+++ b/services/profilarr.nix
@@ -14,7 +14,9 @@
 ];
 virtualisation.oci-containers.containers.profilarr = {
- image = "ghcr.io/dictionarry-hub/profilarr:latest";
+ # Canonical image lives on Docker Hub (santiagosayshey is the maintainer);
+ # the Dictionarry-Hub GHCR path that some docs mention isn't publicly pullable.
+ image = "santiagosayshey/profilarr:latest";
 volumes = [ "/var/lib/profilarr:/config" ];
From c45811acf94d8a94c2544e5d6650af950a62ca1b Mon Sep 17 00:00:00 2001
From: ediblerope
Date: Thu, 30 Apr 2026 20:47:46 +0100
Subject: [PATCH 02/10] router: accept docker0 on input chain
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Containers connecting to host services on 10.0.0.1 (e.g. Profilarr → Radarr at 10.0.0.1:7878) hit the input chain, not forward, because the destination is a local IP. The forward chain already trusts docker0 for outbound; this adds the matching input rule so the return path stops getting dropped.
Co-Authored-By: Claude Opus 4.7
---
 services/router.nix | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/services/router.nix b/services/router.nix
index 08cdbab..abfa20e 100644
--- a/services/router.nix
+++ b/services/router.nix
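Review bot: The new `image = "santiagosayshey/profilarr:latest";` still selects the image by a mutable tag, so the exact bytes deployed are decided at pull time by whoever controls that Docker Hub account rather than by this repository. Pinning to a digest, e.g. `image = "santiagosayshey/profilarr:<tag>@sha256:<digest>";` (placeholders for the values recorded after a verified pull), makes the deployment reproducible and turns a silently re-tagged image into a visible pull failure instead of a silent swap. The move from an organization namespace on GHCR to a personal namespace changes the trust anchor and deserves a line in the comment so a future reader knows who can publish to it. The rest of the container definition, including any pull policy, lies outside the hunk.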
@@ -111,6 +111,11 @@ in
 iifname "lo" accept
 # LAN is trusted
 iifname "eth0" accept
+ # Docker containers reaching host services (e.g. Profilarr → Radarr
+ # on 10.0.0.1:7878). The forward chain already trusts docker0 for
+ # outbound; this is the matching INPUT rule for traffic landing on
+ # the host's own LAN/bridge IPs from a container.
+ iifname "docker0" accept
 # Phase 1: also trust the existing eero subnet on eno1 so SSH
 # and AdGuard DNS keep working during the transition.
 ${legacyTrustRules}
From ab8c3ac92a3bebb6a99baa24af2d8de48dbb808d Mon Sep 17 00:00:00 2001
From: ediblerope <172910558+ediblerope@users.noreply.github.com>
Date: Fri, 1 May 2026 06:30:49 +0000
Subject: [PATCH 03/10] flake: update inputs
---
 flake.lock | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/flake.lock b/flake.lock
index ddd8a02..5fe147b 100644
--- a/flake.lock
+++ b/flake.lock
@@ -73,11 +73,11 @@
 ]
 },
 "locked": {
- "lastModified": 1777518431,
- "narHash": "sha256-SwgiG2T5pbyo33Vz7/vUCAhEMgwCK8Pa2nDSx5a6/WE=",
+ "lastModified": 1777594677,
+ "narHash": "sha256-h90sHwoRJLRvaTpZroTvU2JRHDFj0czUafM8eqLe1RI=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "2e54a938cdd4c8e414b2518edc3d82308027c670",
+ "rev": "899c08a15beae5da51a5cecd6b2b994777a948da",
 "type": "github"
 },
 "original": {
@@ -163,11 +163,11 @@
 },
 "nixpkgs-stable": {
 "locked": {
- "lastModified": 1777077449,
- "narHash": "sha256-AIiMJiqvGrN4HyLEbKAoCSRRYn0rnlW5VbKNIMIYqm4=",
+ "lastModified": 1777428379,
+ "narHash": "sha256-ypxFOeDz+CqADEQNL72haqGjvZQdBR5Vc7pyx2JDttI=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "a4bf06618f0b5ee50f14ed8f0da77d34ecc19160",
+ "rev": "755f5aa91337890c432639c60b6064bb7fe67769",
 "type": "github"
 },
 "original": {
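Review bot: `iifname "docker0" accept` admits every new connection from any container to every service the host listens on, while the comment above it only justifies the Radarr case; a compromised or misconfigured container then reaches SSH, the AdGuard admin interface and anything else bound on the host. Narrow the rule to what the containers actually need, e.g. `iifname "docker0" tcp dport { 7878 } accept`, growing the set as services are added, so the INPUT chain stays as selective as its other rules imply. The comment should also say that the rule admits connections the container initiates; replies to those flows leave via the output chain, so the "return path" wording in the message does not describe what this rule does. The enclosing chain, its policy and any `ct state` rule that may precede it are outside the hunk.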
@@ -213,11 +213,11 @@
 ]
 },
 "locked": {
- "lastModified": 1777484394,
- "narHash": "sha256-03QK/lM/m4f1FjC4ldYtp8NobTGRdwGC24XBY6Vcdqo=",
+ "lastModified": 1777564084,
+ "narHash": "sha256-O9VRkxg+2j+sh+c73wi4VeIBECoqW2PlnCR9Qe1nQKA=",
 "owner": "0xc000022070",
 "repo": "zen-browser-flake",
- "rev": "274e039947393bc90f45b8fc6d1af23e45937af0",
+ "rev": "d93443c0f6fdb3b179bed68856f322dba4842612",
 "type": "github"
 },
 "original": {
From 695ac75daf277edbf02e08c53f58303c3625c357 Mon Sep 17 00:00:00 2001
From: ediblerope
Date: Fri, 1 May 2026 11:00:57 +0100
Subject: [PATCH 04/10] Update common.nix
removed some AI crap that's no longer needed on stable.
---
 common.nix | 30 ------------------------------
 1 file changed, 30 deletions(-)
diff --git a/common.nix b/common.nix
index b3a2c9e..dd47cb7 100644
--- a/common.nix
+++ b/common.nix
@@ -59,42 +59,12 @@ boot.initrd.verbose = false;
 #############################################################################
- nix.settings = {
- experimental-features = [ "nix-command" "flakes" ];
- # Default max-jobs is the host's core count, which on the 56-core
- # mediaserver was launching ~56 parallel gcc builds and blowing past
- # 30 GiB RAM during gnupg/openldap. Cap parallel builds and per-build
- # cores so a local rebuild storm can't OOM the box.
- max-jobs = 4;
- cores = 8;
- };
-
- # Compressed in-memory swap as a safety net during local build storms.
- # Without it, OOM stalls AdGuard/Jellyfin to the point of freezing the box.
- zramSwap = {
- enable = true;
- memoryPercent = 50;
- };
-
- # Keep services responsive when nix-daemon is contending for CPU.
- systemd.services.nix-daemon.serviceConfig.CPUWeight = 50;
-
 # Use latest kernel
 boot.kernelPackages = pkgs.linuxPackages_latest;
 # Allow unfree packages
 nixpkgs.config.allowUnfree = true;
- # openldap 2.6.13's test017-syncreplication-refresh is timing-flaky on
- # unstable's freshly-bumped revisions before Hydra has cached them. The
- # mediaserver runs on the stable channel where openldap is always cached,
- # so don't change its hash there — that would force a local rebuild.
- nixpkgs.overlays = lib.optionals (config.networking.hostName != "FredOS-Mediaserver") [
- (final: prev: {
- openldap = prev.openldap.overrideAttrs (_: { doCheck = false; });
- })
- ];
-
 # Enable network-manager
 networking.networkmanager.enable = true;
From 782054a0ea5ce3382c87f0f0d2b97583e35d7fc7 Mon Sep 17 00:00:00 2001
From: ediblerope
Date: Fri, 1 May 2026 11:05:48 +0100
Subject: [PATCH 05/10] Update flake.nix
---
 flake.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/flake.nix b/flake.nix
index 214774c..4b1ee54 100644
--- a/flake.nix
+++ b/flake.nix
@@ -53,7 +53,7 @@
 nixosConfigurations = {
 FredOS-Gaming = mkHost "FredOS-Gaming" nixpkgs home-manager;
 FredOS-Mediaserver = mkHost "FredOS-Mediaserver" nixpkgs-stable home-manager-stable;
- FredOS-Macbook = mkHost "FredOS-Macbook" nixpkgs home-manager;
+ FredOS-Macbook = mkHost "FredOS-Macbook" nixpkgs-stable home-manager-stable;
 };
 };
 }
From 7eb03c2245b3abb34ddfa54aa65fdedefca42752 Mon Sep 17 00:00:00 2001
From: ediblerope
Date: Fri, 1 May 2026 11:07:04 +0100
Subject: [PATCH 06/10] Update FredOS-Macbook.nix
---
 hosts/FredOS-Macbook.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hosts/FredOS-Macbook.nix b/hosts/FredOS-Macbook.nix
index a7b730c..3187f9e 100644
--- a/hosts/FredOS-Macbook.nix
+++ b/hosts/FredOS-Macbook.nix
@@ -9,7 +9,7 @@ mission-center
 vlc
 geary
- proton-vpn
+ protonvpn-gui
 onlyoffice-desktopeditors
 ];
From 07f44724a07e81a96dbfc7bcf8aea71b433bb078 Mon Sep 17 00:00:00 2001
From: ediblerope
Date: Fri, 1 May 2026 11:25:46 +0100
Subject: [PATCH 07/10] Update flake.nix
---
 flake.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/flake.nix b/flake.nix
index 4b1ee54..f6cce75 100644
--- a/flake.nix
+++ b/flake.nix
@@ -51,7 +51,7 @@ in {
 nixosConfigurations = {
- FredOS-Gaming = mkHost "FredOS-Gaming" nixpkgs home-manager;
+ FredOS-Gaming = mkHost "FredOS-Gaming" nixpkgs-stable home-manager-stable;
 FredOS-Mediaserver = mkHost "FredOS-Mediaserver" nixpkgs-stable home-manager-stable;
 FredOS-Macbook = mkHost "FredOS-Macbook" nixpkgs-stable home-manager-stable;
 };
From f6e711044cd09948295499eb555ac07398feba03 Mon Sep 17 00:00:00 2001
From: ediblerope
Date: Fri, 1 May 2026 11:27:32 +0100
Subject: [PATCH 08/10] Update flake.nix
---
 flake.nix | 15 ++-------------
 1 file changed, 2 insertions(+), 13 deletions(-)
diff --git a/flake.nix b/flake.nix
index f6cce75..6cd08e6 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,16 +1,7 @@
 {
 description = "FredOS NixOS configuration";
 inputs = {
- # Unstable: gaming desktop & laptop want bleeding-edge GPU/kernel updates.
- nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
- # Stable: mediaserver values cache hit-rate over fresh packages so it
- # doesn't have to compile gnupg/openldap/v8 locally on every flake bump.
 nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-25.11";
-
- home-manager = {
- url = "github:nix-community/home-manager";
- inputs.nixpkgs.follows = "nixpkgs";
- };
 home-manager-stable = {
 url = "github:nix-community/home-manager/release-25.11";
 inputs.nixpkgs.follows = "nixpkgs-stable";
@@ -19,8 +10,8 @@ zen-browser = {
 url = "github:0xc000022070/zen-browser-flake";
 inputs = {
- nixpkgs.follows = "nixpkgs";
- home-manager.follows = "home-manager";
+ nixpkgs.follows = "nixpkgs-stable";
+ home-manager.follows = "home-manager-stable";
 };
 };
@@ -28,9 +19,7 @@
 };
 outputs = { self
- , nixpkgs
 , nixpkgs-stable
- , home-manager
 , home-manager-stable
 , zen-browser
 , nix-cachyos-kernel
From e1c193cdc3907b6813afa7a0f820a58c0d19a7c2 Mon Sep 17 00:00:00 2001
From: ediblerope <172910558+ediblerope@users.noreply.github.com>
Date: Fri, 1 May 2026 10:29:09 +0000
Subject: [PATCH 09/10] flake: update inputs
---
 flake.lock | 42 ++----------------------------------------
 1 file changed, 2 insertions(+), 40 deletions(-)
diff --git a/flake.lock b/flake.lock
index 5fe147b..7746736 100644
--- a/flake.lock
+++ b/flake.lock
@@ -66,26 +66,6 @@
 "type": "github"
 }
 },
- "home-manager": {
- "inputs": {
- "nixpkgs": [
- "nixpkgs"
- ]
- },
- "locked": {
- "lastModified": 1777594677,
- "narHash": "sha256-h90sHwoRJLRvaTpZroTvU2JRHDFj0czUafM8eqLe1RI=",
- "owner": "nix-community",
- "repo": "home-manager",
- "rev": "899c08a15beae5da51a5cecd6b2b994777a948da",
- "type": "github"
- },
- "original": {
- "owner": "nix-community",
- "repo": "home-manager",
- "type": "github"
- }
- },
 "home-manager-stable": {
 "inputs": {
 "nixpkgs": [
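Review bot: With the unstable inputs removed, the surviving `nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-25.11";` line in the first hunk has lost the comment that explained the channel choice, and nothing in the file now records that every host was moved to 25.11 by the two preceding commits. A one-line comment above it such as `# All hosts track the 25.11 stable channel: cache hit-rate over freshness, so a flake bump should not trigger local compiles.` keeps the rationale that was deleted. In the third hunk `, nix-cachyos-kernel` remains in the outputs arguments while its input declaration is outside the hunk; if that block carries an `inputs.nixpkgs.follows = "nixpkgs"` it would now reference an input that no longer exists, so it is worth confirming.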
@@ -177,28 +157,10 @@
 "type": "github"
 }
 },
- "nixpkgs_2": {
- "locked": {
- "lastModified": 1777268161,
- "narHash": "sha256-bxrdOn8SCOv8tN4JbTF/TXq7kjo9ag4M+C8yzzIRYbE=",
- "owner": "NixOS",
- "repo": "nixpkgs",
- "rev": "1c3fe55ad329cbcb28471bb30f05c9827f724c76",
- "type": "github"
- },
- "original": {
- "owner": "NixOS",
- "ref": "nixos-unstable",
- "repo": "nixpkgs",
- "type": "github"
- }
- },
 "root": {
 "inputs": {
- "home-manager": "home-manager",
 "home-manager-stable": "home-manager-stable",
 "nix-cachyos-kernel": "nix-cachyos-kernel",
- "nixpkgs": "nixpkgs_2",
 "nixpkgs-stable": "nixpkgs-stable",
 "zen-browser": "zen-browser"
 }
@@ -206,10 +168,10 @@
 "zen-browser": {
 "inputs": {
 "home-manager": [
- "home-manager"
+ "home-manager-stable"
 ],
 "nixpkgs": [
- "nixpkgs"
+ "nixpkgs-stable"
 ]
 },
 "locked": {
From c1094e7352f6107867e5a24d318b6f8e895b18f2 Mon Sep 17 00:00:00 2001
From: ediblerope
Date: Fri, 1 May 2026 13:38:27 +0100
Subject: [PATCH 10/10] Fix proton-vpn rename on Gaming, restore zramSwap
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The 25.11 channel renamed proton-vpn to protonvpn-gui; Macbook was patched in an earlier commit but Gaming wasn't, breaking the build. zramSwap goes back into common.nix as the cheap OOM-during-uncached-build safety net — even on stable, --refresh against a freshly-bumped lock can trigger local builds the box has no swap to absorb.
Co-Authored-By: Claude Opus 4.7
---
 common.nix | 8 ++++++++
 hosts/FredOS-Gaming.nix | 2 +-
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/common.nix b/common.nix
index dd47cb7..1860e73 100644
--- a/common.nix
+++ b/common.nix
@@ -59,6 +59,14 @@ boot.initrd.verbose = false;
 #############################################################################
+ # Compressed in-memory swap as a safety net during local build storms.
+ # Cheap when idle; without it a transient OOM during an uncached build
+ # can stall AdGuard/Jellyfin to the point of freezing the box.
+ zramSwap = {
+ enable = true;
+ memoryPercent = 50;
+ };
+
 # Use latest kernel
 boot.kernelPackages = pkgs.linuxPackages_latest;
diff --git a/hosts/FredOS-Gaming.nix b/hosts/FredOS-Gaming.nix
index 357ebd9..618b583 100644
--- a/hosts/FredOS-Gaming.nix
+++ b/hosts/FredOS-Gaming.nix
@@ -20,7 +20,7 @@
 geary
 wowup-cf
 adwsteamgtk
- proton-vpn
+ protonvpn-gui
 onlyoffice-desktopeditors
 vscodium
 ];
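Review bot: The restored `zramSwap` block is now the only guard against a build storm, because the `nix.settings` block with `max-jobs = 4;` and `cores = 8;` that the earlier common.nix commit removed was the cap on build parallelism and is not brought back here, so zram at 50% of RAM must absorb the whole overflow rather than the residue of a capped build. Either restore that cap alongside the swap, or extend the comment to state that parallelism is uncapped and zram is the sole safety net, so the next reader does not assume both protections are in place. Whether the rest of common.nix sets these limits elsewhere cannot be seen from the hunk.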