Fix proton-vpn rename on Gaming, restore zramSwap

The 25.11 channel renamed proton-vpn to protonvpn-gui; Macbook was patched in an earlier commit but Gaming wasn't, breaking the build. zramSwap goes back into common.nix as the cheap OOM-during-uncached-build safety net — even on stable, --refresh against a freshly-bumped lock can trigger local builds the box has no swap to absorb. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
flake: update inputs
2026-05-01 13:38:27 +01:00 · 2026-05-01 10:29:09 +00:00 · 2026-05-01 11:27:32 +01:00 · 2026-05-01 11:25:46 +01:00 · 2026-05-01 11:07:04 +01:00 · 2026-05-01 11:05:48 +01:00
7 changed files with 24 additions and 88 deletions
--- a/common.nix
+++ b/common.nix
@ -59,42 +59,20 @@
  boot.initrd.verbose = false;
 #############################################################################

-  nix.settings = {
-    experimental-features = [ "nix-command" "flakes" ];
-    # Default max-jobs is the host's core count, which on the 56-core
-    # mediaserver was launching ~56 parallel gcc builds and blowing past
-    # 30 GiB RAM during gnupg/openldap. Cap parallel builds and per-build
-    # cores so a local rebuild storm can't OOM the box.
-    max-jobs = 4;
-    cores = 8;
-  };
-
  # Compressed in-memory swap as a safety net during local build storms.
-  # Without it, OOM stalls AdGuard/Jellyfin to the point of freezing the box.
+  # Cheap when idle; without it a transient OOM during an uncached build
+  # can stall AdGuard/Jellyfin to the point of freezing the box.
  zramSwap = {
    enable = true;
    memoryPercent = 50;
  };

-  # Keep services responsive when nix-daemon is contending for CPU.
-  systemd.services.nix-daemon.serviceConfig.CPUWeight = 50;
-
  # Use latest kernel
  boot.kernelPackages = pkgs.linuxPackages_latest;

  # Allow unfree packages
  nixpkgs.config.allowUnfree = true;

-  # openldap 2.6.13's test017-syncreplication-refresh is timing-flaky on
-  # unstable's freshly-bumped revisions before Hydra has cached them. The
-  # mediaserver runs on the stable channel where openldap is always cached,
-  # so don't change its hash there — that would force a local rebuild.
-  nixpkgs.overlays = lib.optionals (config.networking.hostName != "FredOS-Mediaserver") [
-    (final: prev: {
-      openldap = prev.openldap.overrideAttrs (_: { doCheck = false; });
-    })
-  ];
-
  # Enable network-manager
  networking.networkmanager.enable = true;

--- a/flake.lock
+++ b/flake.lock
@ -66,26 +66,6 @@
        "type": "github"
      }
    },
-    "home-manager": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1777518431,
-        "narHash": "sha256-SwgiG2T5pbyo33Vz7/vUCAhEMgwCK8Pa2nDSx5a6/WE=",
-        "owner": "nix-community",
-        "repo": "home-manager",
-        "rev": "2e54a938cdd4c8e414b2518edc3d82308027c670",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "home-manager",
-        "type": "github"
-      }
-    },
    "home-manager-stable": {
      "inputs": {
        "nixpkgs": [
@ -163,11 +143,11 @@
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1777077449,
-        "narHash": "sha256-AIiMJiqvGrN4HyLEbKAoCSRRYn0rnlW5VbKNIMIYqm4=",
+        "lastModified": 1777428379,
+        "narHash": "sha256-ypxFOeDz+CqADEQNL72haqGjvZQdBR5Vc7pyx2JDttI=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "a4bf06618f0b5ee50f14ed8f0da77d34ecc19160",
+        "rev": "755f5aa91337890c432639c60b6064bb7fe67769",
        "type": "github"
      },
      "original": {
@ -177,28 +157,10 @@
        "type": "github"
      }
    },
-    "nixpkgs_2": {
-      "locked": {
-        "lastModified": 1777268161,
-        "narHash": "sha256-bxrdOn8SCOv8tN4JbTF/TXq7kjo9ag4M+C8yzzIRYbE=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "1c3fe55ad329cbcb28471bb30f05c9827f724c76",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
    "root": {
      "inputs": {
-        "home-manager": "home-manager",
        "home-manager-stable": "home-manager-stable",
        "nix-cachyos-kernel": "nix-cachyos-kernel",
-        "nixpkgs": "nixpkgs_2",
        "nixpkgs-stable": "nixpkgs-stable",
        "zen-browser": "zen-browser"
      }
@ -206,18 +168,18 @@
    "zen-browser": {
      "inputs": {
        "home-manager": [
-          "home-manager"
+          "home-manager-stable"
        ],
        "nixpkgs": [
-          "nixpkgs"
+          "nixpkgs-stable"
        ]
      },
      "locked": {
-        "lastModified": 1777484394,
-        "narHash": "sha256-03QK/lM/m4f1FjC4ldYtp8NobTGRdwGC24XBY6Vcdqo=",
+        "lastModified": 1777564084,
+        "narHash": "sha256-O9VRkxg+2j+sh+c73wi4VeIBECoqW2PlnCR9Qe1nQKA=",
        "owner": "0xc000022070",
        "repo": "zen-browser-flake",
-        "rev": "274e039947393bc90f45b8fc6d1af23e45937af0",
+        "rev": "d93443c0f6fdb3b179bed68856f322dba4842612",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -1,16 +1,7 @@
 {
  description = "FredOS NixOS configuration";
  inputs = {
-    # Unstable: gaming desktop & laptop want bleeding-edge GPU/kernel updates.
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
-    # Stable: mediaserver values cache hit-rate over fresh packages so it
-    # doesn't have to compile gnupg/openldap/v8 locally on every flake bump.
    nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-25.11";
-
-    home-manager = {
-      url = "github:nix-community/home-manager";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
    home-manager-stable = {
      url = "github:nix-community/home-manager/release-25.11";
      inputs.nixpkgs.follows = "nixpkgs-stable";
@ -19,8 +10,8 @@
    zen-browser = {
      url = "github:0xc000022070/zen-browser-flake";
      inputs = {
-        nixpkgs.follows = "nixpkgs";
-        home-manager.follows = "home-manager";
+        nixpkgs.follows = "nixpkgs-stable";
+        home-manager.follows = "home-manager-stable";
      };
    };

@ -28,9 +19,7 @@
  };
  outputs =
    { self
-    , nixpkgs
    , nixpkgs-stable
-    , home-manager
    , home-manager-stable
    , zen-browser
    , nix-cachyos-kernel
@ -51,9 +40,9 @@
    in
    {
      nixosConfigurations = {
-        FredOS-Gaming      = mkHost "FredOS-Gaming"      nixpkgs        home-manager;
+        FredOS-Gaming      = mkHost "FredOS-Gaming"      nixpkgs-stable home-manager-stable;
        FredOS-Mediaserver = mkHost "FredOS-Mediaserver" nixpkgs-stable home-manager-stable;
-        FredOS-Macbook     = mkHost "FredOS-Macbook"     nixpkgs        home-manager;
+        FredOS-Macbook     = mkHost "FredOS-Macbook"     nixpkgs-stable home-manager-stable;
      };
    };
 }
--- a/hosts/FredOS-Gaming.nix
+++ b/hosts/FredOS-Gaming.nix
@ -20,7 +20,7 @@
      geary
      wowup-cf
      adwsteamgtk
-      proton-vpn
+      protonvpn-gui
      onlyoffice-desktopeditors
      vscodium
    ];
--- a/hosts/FredOS-Macbook.nix
+++ b/hosts/FredOS-Macbook.nix
@ -9,7 +9,7 @@
      mission-center
      vlc
      geary
-      proton-vpn
+      protonvpn-gui
      onlyoffice-desktopeditors
    ];

--- a/services/profilarr.nix
+++ b/services/profilarr.nix
@ -14,7 +14,9 @@
    ];

    virtualisation.oci-containers.containers.profilarr = {
-      image = "ghcr.io/dictionarry-hub/profilarr:latest";
+      # Canonical image lives on Docker Hub (santiagosayshey is the maintainer);
+      # the Dictionarry-Hub GHCR path that some docs mention isn't publicly pullable.
+      image = "santiagosayshey/profilarr:latest";
      volumes = [
        "/var/lib/profilarr:/config"
      ];
--- a/services/router.nix
+++ b/services/router.nix
@ -111,6 +111,11 @@ in
            iifname "lo" accept
            # LAN is trusted
            iifname "eth0" accept
+            # Docker containers reaching host services (e.g. Profilarr → Radarr
+            # on 10.0.0.1:7878). The forward chain already trusts docker0 for
+            # outbound; this is the matching INPUT rule for traffic landing on
+            # the host's own LAN/bridge IPs from a container.
+            iifname "docker0" accept
            # Phase 1: also trust the existing eero subnet on eno1 so SSH
            # and AdGuard DNS keep working during the transition.
            ${legacyTrustRules}
Author	SHA1	Message	Date
ediblerope	c1094e7352	Fix proton-vpn rename on Gaming, restore zramSwap The 25.11 channel renamed proton-vpn to protonvpn-gui; Macbook was patched in an earlier commit but Gaming wasn't, breaking the build. zramSwap goes back into common.nix as the cheap OOM-during-uncached-build safety net — even on stable, --refresh against a freshly-bumped lock can trigger local builds the box has no swap to absorb. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-01 13:38:27 +01:00
ediblerope	e1c193cdc3	flake: update inputs	2026-05-01 10:29:09 +00:00
ediblerope	f6e711044c	Update flake.nix	2026-05-01 11:27:32 +01:00
ediblerope	07f44724a0	Update flake.nix	2026-05-01 11:25:46 +01:00
ediblerope	7eb03c2245	Update FredOS-Macbook.nix	2026-05-01 11:07:04 +01:00
ediblerope	782054a0ea	Update flake.nix	2026-05-01 11:05:48 +01:00
ediblerope	695ac75daf	Update common.nix removed some AI crap that's no longer needed on stable.	2026-05-01 11:00:57 +01:00
ediblerope	ab8c3ac92a	flake: update inputs	2026-05-01 06:30:49 +00:00
ediblerope	c45811acf9	router: accept docker0 on input chain Containers connecting to host services on 10.0.0.1 (e.g. Profilarr → Radarr at 10.0.0.1:7878) hit the input chain, not forward, because the destination is a local IP. The forward chain already trusts docker0 for outbound; this adds the matching input rule so the return path stops getting dropped. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-04-30 20:47:46 +01:00
ediblerope	98ccee2221	profilarr: use Docker Hub image (santiagosayshey), not GHCR The ghcr.io/dictionarry-hub/profilarr path mentioned in some docs isn't publicly pullable — anonymous token requests get 403. Canonical image is santiagosayshey/profilarr:latest on Docker Hub per the upstream README. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-04-30 20:05:30 +01:00