7 changed files with 88 additions and 24 deletions
--- a/common.nix
+++ b/common.nix
@ -59,20 +59,42 @@
  boot.initrd.verbose = false;
 #############################################################################

+  nix.settings = {
+    experimental-features = [ "nix-command" "flakes" ];
+    # Default max-jobs is the host's core count, which on the 56-core
+    # mediaserver was launching ~56 parallel gcc builds and blowing past
+    # 30 GiB RAM during gnupg/openldap. Cap parallel builds and per-build
+    # cores so a local rebuild storm can't OOM the box.
+    max-jobs = 4;
+    cores = 8;
+  };
+
  # Compressed in-memory swap as a safety net during local build storms.
-  # Cheap when idle; without it a transient OOM during an uncached build
-  # can stall AdGuard/Jellyfin to the point of freezing the box.
+  # Without it, OOM stalls AdGuard/Jellyfin to the point of freezing the box.
  zramSwap = {
    enable = true;
    memoryPercent = 50;
  };

+  # Keep services responsive when nix-daemon is contending for CPU.
+  systemd.services.nix-daemon.serviceConfig.CPUWeight = 50;
+
  # Use latest kernel
  boot.kernelPackages = pkgs.linuxPackages_latest;

  # Allow unfree packages
  nixpkgs.config.allowUnfree = true;

+  # openldap 2.6.13's test017-syncreplication-refresh is timing-flaky on
+  # unstable's freshly-bumped revisions before Hydra has cached them. The
+  # mediaserver runs on the stable channel where openldap is always cached,
+  # so don't change its hash there — that would force a local rebuild.
+  nixpkgs.overlays = lib.optionals (config.networking.hostName != "FredOS-Mediaserver") [
+    (final: prev: {
+      openldap = prev.openldap.overrideAttrs (_: { doCheck = false; });
+    })
+  ];
+
  # Enable network-manager
  networking.networkmanager.enable = true;

--- a/flake.lock
+++ b/flake.lock
@ -66,6 +66,26 @@
        "type": "github"
      }
    },
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1777518431,
+        "narHash": "sha256-SwgiG2T5pbyo33Vz7/vUCAhEMgwCK8Pa2nDSx5a6/WE=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "2e54a938cdd4c8e414b2518edc3d82308027c670",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
    "home-manager-stable": {
      "inputs": {
        "nixpkgs": [
@ -143,11 +163,11 @@
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1777428379,
-        "narHash": "sha256-ypxFOeDz+CqADEQNL72haqGjvZQdBR5Vc7pyx2JDttI=",
+        "lastModified": 1777077449,
+        "narHash": "sha256-AIiMJiqvGrN4HyLEbKAoCSRRYn0rnlW5VbKNIMIYqm4=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "755f5aa91337890c432639c60b6064bb7fe67769",
+        "rev": "a4bf06618f0b5ee50f14ed8f0da77d34ecc19160",
        "type": "github"
      },
      "original": {
@ -157,10 +177,28 @@
        "type": "github"
      }
    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1777268161,
+        "narHash": "sha256-bxrdOn8SCOv8tN4JbTF/TXq7kjo9ag4M+C8yzzIRYbE=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "1c3fe55ad329cbcb28471bb30f05c9827f724c76",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "root": {
      "inputs": {
+        "home-manager": "home-manager",
        "home-manager-stable": "home-manager-stable",
        "nix-cachyos-kernel": "nix-cachyos-kernel",
+        "nixpkgs": "nixpkgs_2",
        "nixpkgs-stable": "nixpkgs-stable",
        "zen-browser": "zen-browser"
      }
@ -168,18 +206,18 @@
    "zen-browser": {
      "inputs": {
        "home-manager": [
-          "home-manager-stable"
+          "home-manager"
        ],
        "nixpkgs": [
-          "nixpkgs-stable"
+          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1777564084,
-        "narHash": "sha256-O9VRkxg+2j+sh+c73wi4VeIBECoqW2PlnCR9Qe1nQKA=",
+        "lastModified": 1777484394,
+        "narHash": "sha256-03QK/lM/m4f1FjC4ldYtp8NobTGRdwGC24XBY6Vcdqo=",
        "owner": "0xc000022070",
        "repo": "zen-browser-flake",
-        "rev": "d93443c0f6fdb3b179bed68856f322dba4842612",
+        "rev": "274e039947393bc90f45b8fc6d1af23e45937af0",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -1,7 +1,16 @@
 {
  description = "FredOS NixOS configuration";
  inputs = {
+    # Unstable: gaming desktop & laptop want bleeding-edge GPU/kernel updates.
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    # Stable: mediaserver values cache hit-rate over fresh packages so it
+    # doesn't have to compile gnupg/openldap/v8 locally on every flake bump.
    nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-25.11";
+
+    home-manager = {
+      url = "github:nix-community/home-manager";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
    home-manager-stable = {
      url = "github:nix-community/home-manager/release-25.11";
      inputs.nixpkgs.follows = "nixpkgs-stable";
@ -10,8 +19,8 @@
    zen-browser = {
      url = "github:0xc000022070/zen-browser-flake";
      inputs = {
-        nixpkgs.follows = "nixpkgs-stable";
-        home-manager.follows = "home-manager-stable";
+        nixpkgs.follows = "nixpkgs";
+        home-manager.follows = "home-manager";
      };
    };

@ -19,7 +28,9 @@
  };
  outputs =
    { self
+    , nixpkgs
    , nixpkgs-stable
+    , home-manager
    , home-manager-stable
    , zen-browser
    , nix-cachyos-kernel
@ -40,9 +51,9 @@
    in
    {
      nixosConfigurations = {
-        FredOS-Gaming      = mkHost "FredOS-Gaming"      nixpkgs-stable home-manager-stable;
+        FredOS-Gaming      = mkHost "FredOS-Gaming"      nixpkgs        home-manager;
        FredOS-Mediaserver = mkHost "FredOS-Mediaserver" nixpkgs-stable home-manager-stable;
-        FredOS-Macbook     = mkHost "FredOS-Macbook"     nixpkgs-stable home-manager-stable;
+        FredOS-Macbook     = mkHost "FredOS-Macbook"     nixpkgs        home-manager;
      };
    };
 }
--- a/hosts/FredOS-Gaming.nix
+++ b/hosts/FredOS-Gaming.nix
@ -20,7 +20,7 @@
      geary
      wowup-cf
      adwsteamgtk
-      protonvpn-gui
+      proton-vpn
      onlyoffice-desktopeditors
      vscodium
    ];
--- a/hosts/FredOS-Macbook.nix
+++ b/hosts/FredOS-Macbook.nix
@ -9,7 +9,7 @@
      mission-center
      vlc
      geary
-      protonvpn-gui
+      proton-vpn
      onlyoffice-desktopeditors
    ];

--- a/services/profilarr.nix
+++ b/services/profilarr.nix
@ -14,9 +14,7 @@
    ];

    virtualisation.oci-containers.containers.profilarr = {
-      # Canonical image lives on Docker Hub (santiagosayshey is the maintainer);
-      # the Dictionarry-Hub GHCR path that some docs mention isn't publicly pullable.
-      image = "santiagosayshey/profilarr:latest";
+      image = "ghcr.io/dictionarry-hub/profilarr:latest";
      volumes = [
        "/var/lib/profilarr:/config"
      ];
--- a/services/router.nix
+++ b/services/router.nix
@ -111,11 +111,6 @@ in
            iifname "lo" accept
            # LAN is trusted
            iifname "eth0" accept
-            # Docker containers reaching host services (e.g. Profilarr → Radarr
-            # on 10.0.0.1:7878). The forward chain already trusts docker0 for
-            # outbound; this is the matching INPUT rule for traffic landing on
-            # the host's own LAN/bridge IPs from a container.
-            iifname "docker0" accept
            # Phase 1: also trust the existing eero subnet on eno1 so SSH
            # and AdGuard DNS keep working during the transition.
            ${legacyTrustRules}