Fix proton-vpn rename on Gaming, restore zramSwap

The 25.11 channel renamed proton-vpn to protonvpn-gui; Macbook was
patched in an earlier commit but Gaming wasn't, breaking the build.

zramSwap goes back into common.nix as the cheap OOM-during-uncached-build
safety net — even on stable, --refresh against a freshly-bumped lock can
trigger local builds the box has no swap to absorb.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

common.nix

@@ -59,42 +59,20 @@
   boot.initrd.verbose = false;
 #############################################################################
 
-  nix.settings = {
-    experimental-features = [ "nix-command" "flakes" ];
-    # Default max-jobs is the host's core count, which on the 56-core
-    # mediaserver was launching ~56 parallel gcc builds and blowing past
-    # 30 GiB RAM during gnupg/openldap. Cap parallel builds and per-build
-    # cores so a local rebuild storm can't OOM the box.
-    max-jobs = 4;
-    cores = 8;
-  };
-
   # Compressed in-memory swap as a safety net during local build storms.
-  # Without it, OOM stalls AdGuard/Jellyfin to the point of freezing the box.
+  # Cheap when idle; without it a transient OOM during an uncached build
+  # can stall AdGuard/Jellyfin to the point of freezing the box.
   zramSwap = {
     enable = true;
     memoryPercent = 50;
   };
 
-  # Keep services responsive when nix-daemon is contending for CPU.
-  systemd.services.nix-daemon.serviceConfig.CPUWeight = 50;
-
   # Use latest kernel
   boot.kernelPackages = pkgs.linuxPackages_latest;
 
   # Allow unfree packages
   nixpkgs.config.allowUnfree = true;
 
-  # openldap 2.6.13's test017-syncreplication-refresh is timing-flaky on
-  # unstable's freshly-bumped revisions before Hydra has cached them. The
-  # mediaserver runs on the stable channel where openldap is always cached,
-  # so don't change its hash there — that would force a local rebuild.
-  nixpkgs.overlays = lib.optionals (config.networking.hostName != "FredOS-Mediaserver") [
-    (final: prev: {
-      openldap = prev.openldap.overrideAttrs (_: { doCheck = false; });
-    })
-  ];
-
   # Enable network-manager
   networking.networkmanager.enable = true;
 

flake.lock

@@ -66,26 +66,6 @@
         "type": "github"
       }
     },
-    "home-manager": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1777518431,
-        "narHash": "sha256-SwgiG2T5pbyo33Vz7/vUCAhEMgwCK8Pa2nDSx5a6/WE=",
-        "owner": "nix-community",
-        "repo": "home-manager",
-        "rev": "2e54a938cdd4c8e414b2518edc3d82308027c670",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "home-manager",
-        "type": "github"
-      }
-    },
     "home-manager-stable": {
       "inputs": {
         "nixpkgs": [
@@ -163,11 +143,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1777077449,
+        "lastModified": 1777428379,
-        "narHash": "sha256-AIiMJiqvGrN4HyLEbKAoCSRRYn0rnlW5VbKNIMIYqm4=",
+        "narHash": "sha256-ypxFOeDz+CqADEQNL72haqGjvZQdBR5Vc7pyx2JDttI=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "a4bf06618f0b5ee50f14ed8f0da77d34ecc19160",
+        "rev": "755f5aa91337890c432639c60b6064bb7fe67769",
         "type": "github"
       },
       "original": {
@@ -177,28 +157,10 @@
         "type": "github"
       }
     },
-    "nixpkgs_2": {
-      "locked": {
-        "lastModified": 1777268161,
-        "narHash": "sha256-bxrdOn8SCOv8tN4JbTF/TXq7kjo9ag4M+C8yzzIRYbE=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "1c3fe55ad329cbcb28471bb30f05c9827f724c76",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
     "root": {
       "inputs": {
-        "home-manager": "home-manager",
         "home-manager-stable": "home-manager-stable",
         "nix-cachyos-kernel": "nix-cachyos-kernel",
-        "nixpkgs": "nixpkgs_2",
         "nixpkgs-stable": "nixpkgs-stable",
         "zen-browser": "zen-browser"
       }
@@ -206,18 +168,18 @@
     "zen-browser": {
       "inputs": {
         "home-manager": [
-          "home-manager"
+          "home-manager-stable"
         ],
         "nixpkgs": [
-          "nixpkgs"
+          "nixpkgs-stable"
         ]
       },
       "locked": {
-        "lastModified": 1777484394,
+        "lastModified": 1777564084,
-        "narHash": "sha256-03QK/lM/m4f1FjC4ldYtp8NobTGRdwGC24XBY6Vcdqo=",
+        "narHash": "sha256-O9VRkxg+2j+sh+c73wi4VeIBECoqW2PlnCR9Qe1nQKA=",
         "owner": "0xc000022070",
         "repo": "zen-browser-flake",
-        "rev": "274e039947393bc90f45b8fc6d1af23e45937af0",
+        "rev": "d93443c0f6fdb3b179bed68856f322dba4842612",
         "type": "github"
       },
       "original": {

flake.nix

@@ -1,16 +1,7 @@
 {
   description = "FredOS NixOS configuration";
   inputs = {
-    # Unstable: gaming desktop & laptop want bleeding-edge GPU/kernel updates.
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
-    # Stable: mediaserver values cache hit-rate over fresh packages so it
-    # doesn't have to compile gnupg/openldap/v8 locally on every flake bump.
     nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-25.11";
-
-    home-manager = {
-      url = "github:nix-community/home-manager";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
     home-manager-stable = {
       url = "github:nix-community/home-manager/release-25.11";
       inputs.nixpkgs.follows = "nixpkgs-stable";
@@ -19,8 +10,8 @@
     zen-browser = {
       url = "github:0xc000022070/zen-browser-flake";
       inputs = {
-        nixpkgs.follows = "nixpkgs";
+        nixpkgs.follows = "nixpkgs-stable";
-        home-manager.follows = "home-manager";
+        home-manager.follows = "home-manager-stable";
       };
     };
 
@@ -28,9 +19,7 @@
   };
   outputs =
     { self
-    , nixpkgs
     , nixpkgs-stable
-    , home-manager
     , home-manager-stable
     , zen-browser
     , nix-cachyos-kernel
@@ -51,9 +40,9 @@
     in
     {
       nixosConfigurations = {
-        FredOS-Gaming      = mkHost "FredOS-Gaming"      nixpkgs        home-manager;
+        FredOS-Gaming      = mkHost "FredOS-Gaming"      nixpkgs-stable home-manager-stable;
         FredOS-Mediaserver = mkHost "FredOS-Mediaserver" nixpkgs-stable home-manager-stable;
-        FredOS-Macbook     = mkHost "FredOS-Macbook"     nixpkgs        home-manager;
+        FredOS-Macbook     = mkHost "FredOS-Macbook"     nixpkgs-stable home-manager-stable;
       };
     };
 }

hosts/FredOS-Gaming.nix

@@ -20,7 +20,7 @@
       geary
       wowup-cf
       adwsteamgtk
-      proton-vpn
+      protonvpn-gui
       onlyoffice-desktopeditors
       vscodium
     ];

hosts/FredOS-Macbook.nix

@@ -9,7 +9,7 @@
       mission-center
       vlc
       geary
-      proton-vpn
+      protonvpn-gui
       onlyoffice-desktopeditors
     ];
 

services/profilarr.nix

@@ -14,7 +14,9 @@
     ];
 
     virtualisation.oci-containers.containers.profilarr = {
-      image = "ghcr.io/dictionarry-hub/profilarr:latest";
+      # Canonical image lives on Docker Hub (santiagosayshey is the maintainer);
+      # the Dictionarry-Hub GHCR path that some docs mention isn't publicly pullable.
+      image = "santiagosayshey/profilarr:latest";
       volumes = [
         "/var/lib/profilarr:/config"
       ];

services/router.nix

@@ -111,6 +111,11 @@ in
             iifname "lo" accept
             # LAN is trusted
             iifname "eth0" accept
+            # Docker containers reaching host services (e.g. Profilarr → Radarr
+            # on 10.0.0.1:7878). The forward chain already trusts docker0 for
+            # outbound; this is the matching INPUT rule for traffic landing on
+            # the host's own LAN/bridge IPs from a container.
+            iifname "docker0" accept
             # Phase 1: also trust the existing eero subnet on eno1 so SSH
             # and AdGuard DNS keep working during the transition.
             ${legacyTrustRules}