diff --git a/common.nix b/common.nix index 1860e73..b3a2c9e 100644 --- a/common.nix +++ b/common.nix @@ -59,20 +59,42 @@ boot.initrd.verbose = false; ############################################################################# + nix.settings = { + experimental-features = [ "nix-command" "flakes" ]; + # Default max-jobs is the host's core count, which on the 56-core + # mediaserver was launching ~56 parallel gcc builds and blowing past + # 30 GiB RAM during gnupg/openldap. Cap parallel builds and per-build + # cores so a local rebuild storm can't OOM the box. + max-jobs = 4; + cores = 8; + }; + # Compressed in-memory swap as a safety net during local build storms. - # Cheap when idle; without it a transient OOM during an uncached build - # can stall AdGuard/Jellyfin to the point of freezing the box. + # Without it, OOM stalls AdGuard/Jellyfin to the point of freezing the box. zramSwap = { enable = true; memoryPercent = 50; }; + # Keep services responsive when nix-daemon is contending for CPU. + systemd.services.nix-daemon.serviceConfig.CPUWeight = 50; + # Use latest kernel boot.kernelPackages = pkgs.linuxPackages_latest; # Allow unfree packages nixpkgs.config.allowUnfree = true; + # openldap 2.6.13's test017-syncreplication-refresh is timing-flaky on + # unstable's freshly-bumped revisions before Hydra has cached them. The + # mediaserver runs on the stable channel where openldap is always cached, + # so don't change its hash there — that would force a local rebuild. + nixpkgs.overlays = lib.optionals (config.networking.hostName != "FredOS-Mediaserver") [ + (final: prev: { + openldap = prev.openldap.overrideAttrs (_: { doCheck = false; }); + }) + ]; + # Enable network-manager networking.networkmanager.enable = true; diff --git a/flake.lock b/flake.lock index 7746736..ddd8a02 100644 --- a/flake.lock +++ b/flake.lock 
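Review bot: The openldap overlay turns off the whole test suite (`doCheck = false`) on every non-mediaserver host and is not tied to the 2.6.13 version the comment blames, so it will keep silently skipping openldap's tests long after the flaky revision is gone and the flake is bumped. Scope it to the affected version so it expires on its own, e.g. `openldap = if prev.openldap.version == "2.6.13" then prev.openldap.overrideAttrs (_: { doCheck = false; }) else prev.openldap;`. Gating on `config.networking.hostName` also restates "which host is on stable" in a second place; the comment should point at the mkHost mapping in flake.nix as the source of truth so the two are updated together. The common.nix module body starts and ends outside the hunk.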
@@ -66,6 +66,26 @@ "type": "github" } }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1777518431, + "narHash": "sha256-SwgiG2T5pbyo33Vz7/vUCAhEMgwCK8Pa2nDSx5a6/WE=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "2e54a938cdd4c8e414b2518edc3d82308027c670", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, "home-manager-stable": { "inputs": { "nixpkgs": [ @@ -143,11 +163,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1777428379, - "narHash": "sha256-ypxFOeDz+CqADEQNL72haqGjvZQdBR5Vc7pyx2JDttI=", + "lastModified": 1777077449, + "narHash": "sha256-AIiMJiqvGrN4HyLEbKAoCSRRYn0rnlW5VbKNIMIYqm4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "755f5aa91337890c432639c60b6064bb7fe67769", + "rev": "a4bf06618f0b5ee50f14ed8f0da77d34ecc19160", "type": "github" }, "original": { @@ -157,10 +177,28 @@ "type": "github" } }, + "nixpkgs_2": { + "locked": { + "lastModified": 1777268161, + "narHash": "sha256-bxrdOn8SCOv8tN4JbTF/TXq7kjo9ag4M+C8yzzIRYbE=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "1c3fe55ad329cbcb28471bb30f05c9827f724c76", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "root": { "inputs": { + "home-manager": "home-manager", "home-manager-stable": "home-manager-stable", "nix-cachyos-kernel": "nix-cachyos-kernel", + "nixpkgs": "nixpkgs_2", "nixpkgs-stable": "nixpkgs-stable", "zen-browser": "zen-browser" } 
@@ -168,18 +206,18 @@ "zen-browser": { "inputs": { "home-manager": [ - "home-manager-stable" + "home-manager" ], "nixpkgs": [ - "nixpkgs-stable" + "nixpkgs" ] }, "locked": { - "lastModified": 1777564084, - "narHash": "sha256-O9VRkxg+2j+sh+c73wi4VeIBECoqW2PlnCR9Qe1nQKA=", + "lastModified": 1777484394, + "narHash": "sha256-03QK/lM/m4f1FjC4ldYtp8NobTGRdwGC24XBY6Vcdqo=", "owner": "0xc000022070", "repo": "zen-browser-flake", - "rev": "d93443c0f6fdb3b179bed68856f322dba4842612", + "rev": "274e039947393bc90f45b8fc6d1af23e45937af0", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 6cd08e6..214774c 100644 --- a/flake.nix +++ b/flake.nix @@ -1,7 +1,16 @@ { description = "FredOS NixOS configuration"; inputs = { + # Unstable: gaming desktop & laptop want bleeding-edge GPU/kernel updates. + nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; + # Stable: mediaserver values cache hit-rate over fresh packages so it + # doesn't have to compile gnupg/openldap/v8 locally on every flake bump. nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-25.11"; + + home-manager = { + url = "github:nix-community/home-manager"; + inputs.nixpkgs.follows = "nixpkgs"; + }; home-manager-stable = { url = "github:nix-community/home-manager/release-25.11"; inputs.nixpkgs.follows = "nixpkgs-stable"; @@ -10,8 +19,8 @@ zen-browser = { url = "github:0xc000022070/zen-browser-flake"; inputs = { - nixpkgs.follows = "nixpkgs-stable"; - home-manager.follows = "home-manager-stable"; + nixpkgs.follows = "nixpkgs"; + home-manager.follows = "home-manager"; }; }; @@ -19,7 +28,9 @@ }; outputs = { self + , nixpkgs , nixpkgs-stable + , home-manager , home-manager-stable , zen-browser , nix-cachyos-kernel 
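Review bot: The new `home-manager` input is declared without a branch (`url = "github:nix-community/home-manager"`), so `nix flake update` follows the repository's default branch while `home-manager-stable` is explicitly pinned to `release-25.11`; the lock pins a rev, so builds stay reproducible until the next update, but a comment such as `# master is the home-manager branch that pairs with nixos-unstable` would make the asymmetry deliberate. Separately, `zen-browser` now follows the unstable `nixpkgs`/`home-manager` for every host, including the mediaserver that stays on stable; whether that host imports zen-browser is outside this hunk, but if it does it will build against a second nixpkgs tree and lose the cache-hit rationale given in the `nixpkgs-stable` comment. The `inputs` set and the `outputs` function both continue past the hunk.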
@@ -40,9 +51,9 @@ in { nixosConfigurations = { - FredOS-Gaming = mkHost "FredOS-Gaming" nixpkgs-stable home-manager-stable; + FredOS-Gaming = mkHost "FredOS-Gaming" nixpkgs home-manager; FredOS-Mediaserver = mkHost "FredOS-Mediaserver" nixpkgs-stable home-manager-stable; - FredOS-Macbook = mkHost "FredOS-Macbook" nixpkgs-stable home-manager-stable; + FredOS-Macbook = mkHost "FredOS-Macbook" nixpkgs home-manager; }; }; } diff --git a/hosts/FredOS-Gaming.nix b/hosts/FredOS-Gaming.nix index 618b583..357ebd9 100644 --- a/hosts/FredOS-Gaming.nix +++ b/hosts/FredOS-Gaming.nix @@ -20,7 +20,7 @@ geary wowup-cf adwsteamgtk - protonvpn-gui + proton-vpn onlyoffice-desktopeditors vscodium ]; diff --git a/hosts/FredOS-Macbook.nix b/hosts/FredOS-Macbook.nix index 3187f9e..a7b730c 100644 --- a/hosts/FredOS-Macbook.nix +++ b/hosts/FredOS-Macbook.nix @@ -9,7 +9,7 @@ mission-center vlc geary - protonvpn-gui + proton-vpn onlyoffice-desktopeditors ]; diff --git a/services/profilarr.nix b/services/profilarr.nix index e47e755..07bdac4 100644 --- a/services/profilarr.nix +++ b/services/profilarr.nix @@ -14,9 +14,7 @@ ]; virtualisation.oci-containers.containers.profilarr = { - # Canonical image lives on Docker Hub (santiagosayshey is the maintainer); - # the Dictionarry-Hub GHCR path that some docs mention isn't publicly pullable. - image = "santiagosayshey/profilarr:latest"; + image = "ghcr.io/dictionarry-hub/profilarr:latest"; volumes = [ "/var/lib/profilarr:/config" ]; diff --git a/services/router.nix b/services/router.nix index abfa20e..08cdbab 100644 --- a/services/router.nix +++ b/services/router.nix 
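Review bot: In services/profilarr.nix the new `image = "ghcr.io/dictionarry-hub/profilarr:latest"` is a mutable tag on the registry path that the removed comment said was not publicly pullable, so the hunk drops the recorded reason for the Docker Hub image and leaves nothing verifying the new source. If the GHCR package has since been made public, say so in a comment, and pin by digest so the container cannot change under you on the next pull: `image = "ghcr.io/dictionarry-hub/profilarr:<TAG>@sha256:<DIGEST>";` (placeholders; take the values from the registry). With oci-containers the image is fetched when the unit starts, so an unpullable or rotated `latest` only surfaces at activation rather than at evaluation. The container definition continues past the hunk.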
@@ -111,11 +111,6 @@ in
 iifname "lo" accept
 # LAN is trusted
 iifname "eth0" accept
- # Docker containers reaching host services (e.g. Profilarr → Radarr
- # on 10.0.0.1:7878). The forward chain already trusts docker0 for
- # outbound; this is the matching INPUT rule for traffic landing on
- # the host's own LAN/bridge IPs from a container.
- iifname "docker0" accept
 # Phase 1: also trust the existing eero subnet on eno1 so SSH
 # and AdGuard DNS keep working during the transition.
 ${legacyTrustRules}
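Review bot: Removing `iifname "docker0" accept` with no replacement means container-to-host traffic now falls through to the input chain's default policy, which lies outside this hunk; if that policy is drop, the Profilarr → Radarr path the removed comment documents (10.0.0.1:7878) stops working, and the commit does not say whether that is intended. Dropping the blanket accept is the right direction for least privilege, but if the path is still needed replace it with a scoped rule rather than deleting it: `iifname "docker0" ip daddr 10.0.0.1 tcp dport 7878 accept`. A one-line comment stating why docker0 is no longer trusted on input would keep the next reader from re-adding the broad rule. The ruleset string, and the forward chain that the removed comment says still trusts docker0, start and end outside the hunk.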