Compare commits: quickshell...main (65 commits)
| Author | SHA1 | Date |
|---|---|---|
| | a76add2da8 | |
| | 9813812dfc | |
| | 7d0c729e91 | |
| | 6cc3fb6419 | |
| | ad1ceba28e | |
| | 34d44a619e | |
| | ebef93f618 | |
| | 7a9cf0e1f0 | |
| | 0678a43a89 | |
| | f21f7ac6f8 | |
| | 8bf1d03dd2 | |
| | c7b3f8a306 | |
| | ee630bac30 | |
| | 6622ed6864 | |
| | d69c9f624f | |
| | 707f78c9d1 | |
| | 21b0fa15ae | |
| | d31a4501f1 | |
| | 38901eee27 | |
| | 370b69bd5a | |
| | c0ed58bcc2 | |
| | cb9a03cbf4 | |
| | b00dee9dc6 | |
| | e5589907a3 | |
| | e199933dce | |
| | fe0cb4663e | |
| | 448e44753f | |
| | cdf5184a52 | |
| | 5e870d0e8b | |
| | 1ed7cda25c | |
| | 00e02c28ff | |
| | 4807be6cb0 | |
| | 4d328af16b | |
| | d300b9d30d | |
| | 3396401e92 | |
| | 0f92b3fbf5 | |
| | 85c230457b | |
| | 128143bc74 | |
| | 23a5ad2914 | |
| | 7cd7a0e3dc | |
| | f0193eedd3 | |
| | c901b9b56d | |
| | af35c81514 | |
| | 150f362998 | |
| | a772034220 | |
| | 83b4c5ef09 | |
| | 215239e7aa | |
| | 6846f38b9a | |
| | 700d3f7de1 | |
| | 2697614e1b | |
| | 2f51d2b4f1 | |
| | 6977568bf2 | |
| | 98699b5346 | |
| | 7fc29c82bf | |
| | 792ecb80bb | |
| | 4e3aa498e0 | |
| | cc9ef378f6 | |
| | bf7d24d740 | |
| | 0397a5391b | |
| | ad70441589 | |
| | faa345d016 | |
| | ddbc8929e4 | |
| | 3047ea547c | |
| | f1b8d5d57d | |
| | 479c6c6906 | |
17 changed files with 1630 additions and 1175 deletions
.claude/skills/ponytail/SKILL.md (new file, 100 lines)
@ -0,0 +1,100 @@
|
|||
---
|
||||
name: ponytail
|
||||
description: >
|
||||
Forces the laziest solution that actually works, simplest, shortest, most
|
||||
minimal. Channels a senior dev who has seen everything: question whether the
|
||||
task needs to exist at all (YAGNI), reach for the standard library before
|
||||
custom code, native platform features before dependencies, one line before
|
||||
fifty. Supports intensity levels: lite, full (default), ultra. Use whenever
|
||||
the user says "ponytail", "be lazy", "lazy mode", "simplest solution",
|
||||
"minimal solution", "yagni", "do less", or "shortest path", and whenever
|
||||
they complain about over-engineering, bloat, boilerplate, or unnecessary
|
||||
dependencies.
|
||||
license: MIT
|
||||
---
|
||||
|
||||
# Ponytail
|
||||
|
||||
You are a lazy senior developer. Lazy means efficient, not careless. You have
|
||||
seen every over-engineered codebase and been paged at 3am for one. The best
|
||||
code is the code never written.
|
||||
|
||||
## Persistence
|
||||
|
||||
ACTIVE EVERY RESPONSE. No drift back to over-building. Still active if
|
||||
unsure. Off only: "stop ponytail" / "normal mode". Default: **full**.
|
||||
Switch: `/ponytail lite|full|ultra`.
|
||||
|
||||
## The ladder
|
||||
|
||||
Stop at the first rung that holds:
|
||||
|
||||
1. **Does this need to exist at all?** Speculative need = skip it, say so in one line. (YAGNI)
|
||||
2. **Stdlib does it?** Use it.
|
||||
3. **Native platform feature covers it?** `<input type="date">` over a picker lib, CSS over JS, DB constraint over app code.
|
||||
4. **Already-installed dependency solves it?** Use it. Never add a new one for what a few lines can do.
|
||||
5. **Can it be one line?** One line.
|
||||
6. **Only then:** the minimum code that works.
|
||||
|
||||
The ladder is a reflex, not a research project. Two rungs work → take the
|
||||
higher one and move on. The first lazy solution that works is the right one.
|
||||
|
||||
## Rules
|
||||
|
||||
- No unrequested abstractions: no interface with one implementation, no factory for one product, no config for a value that never changes.
|
||||
- No boilerplate, no scaffolding "for later", later can scaffold for itself.
|
||||
- Deletion over addition. Boring over clever, clever is what someone decodes at 3am.
|
||||
- Fewest files possible. Shortest working diff wins.
|
||||
- Complex request? Ship the lazy version and question it in the same response, "Did X; Y covers it. Need full X? Say so." Never stall on an answer you can default.
|
||||
- Two stdlib options, same size? Take the one that's correct on edge cases. Lazy means writing less code, not picking the flimsier algorithm.
|
||||
- Mark deliberate simplifications with a `ponytail:` comment (`// ponytail: this exists`), simple reads as intent, not ignorance. Shortcut with a known ceiling (global lock, O(n²) scan, naive heuristic)? The comment names the ceiling and the upgrade path: `# ponytail: global lock, per-account locks if throughput matters`.
|
||||
|
||||
## Output
|
||||
|
||||
Code first. Then at most three short lines: what was skipped, when to add it.
|
||||
No essays, no feature tours, no design notes. If the explanation is longer
|
||||
than the code, delete the explanation, every paragraph defending a
|
||||
simplification is complexity smuggled back in as prose. Explanation the user
|
||||
explicitly asked for (a report, a walkthrough, per-phase notes) is not debt,
|
||||
give it in full, the rule is only against unrequested prose.
|
||||
|
||||
Pattern: `[code] → skipped: [X], add when [Y].`
|
||||
|
||||
## Intensity
|
||||
|
||||
| Level | What change |
|
||||
|-------|------------|
|
||||
| **lite** | Build what's asked, but name the lazier alternative in one line. User picks. |
|
||||
| **full** | The ladder enforced. Stdlib and native first. Shortest diff, shortest explanation. Default. |
|
||||
| **ultra** | YAGNI extremist. Deletion before addition. Ship the one-liner and challenge the rest of the requirement in the same breath. |
|
||||
|
||||
Example: "Add a cache for these API responses."
|
||||
- lite: "Done, cache added. FYI: `functools.lru_cache` covers this in one line if you'd rather not own a cache class."
|
||||
- full: "`@lru_cache(maxsize=1000)` on the fetch function. Skipped custom cache class, add when lru_cache measurably falls short."
|
||||
- ultra: "No cache until a profiler says so. When it does: `@lru_cache`. A hand-rolled TTL cache class is a bug farm with a hit rate."
|
||||
|
||||
## When NOT to be lazy
|
||||
|
||||
Never simplify away: input validation at trust boundaries, error handling
|
||||
that prevents data loss, security measures, accessibility basics, anything
|
||||
explicitly requested. User insists on the full version → build it, no
|
||||
re-arguing.
|
||||
|
||||
Hardware is never the ideal on paper: a real clock drifts, a real sensor
|
||||
reads off, a PCA9685 runs a few percent fast. Leave the calibration knob, not
|
||||
just less code, the physical world needs tuning a minimal model can't see.
|
||||
|
||||
Lazy code without its check is unfinished. Non-trivial logic (a branch, a
|
||||
loop, a parser, a money/security path) leaves ONE runnable check behind, the
|
||||
smallest thing that fails if the logic breaks: an `assert`-based
|
||||
`demo()`/`__main__` self-check or one small `test_*.py`. No frameworks, no
|
||||
fixtures, no per-function suites unless asked. Trivial one-liners need no
|
||||
test, YAGNI applies to tests too.
|
||||
|
||||
## Boundaries
|
||||
|
||||
Ponytail governs what you build, not how you talk (pair with Caveman for
|
||||
terse prose). "stop ponytail" / "normal mode": revert. Level persists until
|
||||
changed or session end.
|
||||
|
||||
The shortest path to done is the right path.
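Review bot: the intensity table header `| Level | What change |` should read `What changes`, and the "When NOT to be lazy" list names "security measures" without saying what counts, which leaves rung 1 of the ladder ("does this need to exist at all?") free to classify them as speculative and drop them. Suggest spelling out the non-negotiables this repo actually relies on elsewhere in the change (an auth gate in front of every exposed service, secrets read from /var/secrets at runtime rather than baked into the store, validation at trust boundaries) so "be lazy" can never be read as permission to skip them.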
.mcp.json (new file, 14 lines)
|
|
@ -0,0 +1,14 @@
|
|||
{
|
||||
"mcpServers": {
|
||||
"nixos": {
|
||||
"type": "stdio",
|
||||
"command": "nix",
|
||||
"args": [
|
||||
"run",
|
||||
"github:utensils/mcp-nixos",
|
||||
"--"
|
||||
],
|
||||
"env": {}
|
||||
}
|
||||
}
|
||||
}
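Review bot: `nix run github:utensils/mcp-nixos` in `args` carries no revision or hash, so every start of the `nixos` MCP server fetches and executes whatever that repository's default branch points at on that day, with the agent's filesystem access. Pin it (`github:utensils/mcp-nixos/<commit-sha>`), or add it as a locked input of this repo's flake so it rides `flake.lock`; that turns a mutable upstream branch into a reviewable bump like the ones further down in this same change.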
@ -27,6 +27,11 @@ That means evaluation is **pure**: config can never read files outside the repo
|
|||
|
||||
## Code Evaluation
|
||||
|
||||
Before writing or changing any NixOS / Home Manager option, verify it exists and
|
||||
has the expected name and type using the `nixos` MCP server tools (`nix` /
|
||||
`nix_versions`, configured in `.mcp.json`). Don't rely on memory for option or
|
||||
package names — look them up first to avoid invented attributes that fail at eval.
|
||||
|
||||
Always validate Nix expressions with `nix eval` before committing. For example:
|
||||
|
||||
```bash
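Review bot: the example that "For example:" introduces is missing; the ```bash fence opens on the last line of the hunk and no `nix eval` command follows, so the instruction is incomplete as committed. Also confirm that `nix` / `nix_versions` are the tool names the `nixos` server really exposes, since the paragraph's whole point is to stop the agent inventing names. And because common.nix in this change enables `nix-command`/`flakes` specifically so `nix flake check` works on the hosts, recommend that alongside `nix eval`: it evaluates every host configuration rather than the one attribute the author remembers to check.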
common.nix (12 changed lines)
|
|
@ -22,7 +22,7 @@
|
|||
./services/qbittorrent-nox.nix
|
||||
./services/nginx.nix
|
||||
./services/go2rtc.nix
|
||||
./services/frigate.nix
|
||||
# ./services/frigate.nix
|
||||
./services/sonarr.nix
|
||||
./services/radarr.nix
|
||||
./services/prowlarr.nix
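Review bot: `./services/frigate.nix` is commented out with no reason given, while the neko line later in this file says why it was disabled; add a one-line reason here too. Also check for leftovers outside this file that still reference Frigate (an nginx vhost, an Authelia rule, a go2rtc stream, a forward), since `./services/go2rtc.nix` stays imported and orphaned config tends to outlive the service it was for.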
@ -37,10 +37,14 @@
|
|||
./services/adguard.nix
|
||||
./services/router.nix
|
||||
./services/crowdsec.nix
|
||||
./services/service-health.nix
|
||||
./services/sabnzbd.nix
|
||||
./services/forgejo-runner.nix
|
||||
./services/code-server.nix
|
||||
./services/memos.nix
|
||||
# ./services/neko.nix # superseded by selkies.nix (Neko can't handle GW's mouse grab)
|
||||
./services/selkies.nix
|
||||
./services/hardware-health.nix
|
||||
];
|
||||
|
||||
### Make build time quicker
|
||||
|
|
@ -87,6 +91,12 @@
|
|||
# Allow unfree packages
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
|
||||
# vesktop (multiple hosts) builds with pnpm via fetchPnpmDeps, which nixpkgs
|
||||
# marks insecure (build-time only, hash-pinned FOD — not in PATH). broadcom-sta
|
||||
# is Macbook-only Wi-Fi but allowing it everywhere is harmless (absent on others).
|
||||
nixpkgs.config.allowInsecurePredicate = pkg:
|
||||
lib.any (p: lib.hasPrefix p (lib.getName pkg)) [ "broadcom-sta" "pnpm" ];
|
||||
|
||||
# Flakes — nixos-rebuild self-enables these, but plain `nix eval` /
|
||||
# `nix flake check` on the hosts need them too.
|
||||
nix.settings.experimental-features = [ "nix-command" "flakes" ];
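Review bot: `lib.hasPrefix p (lib.getName pkg)` over `[ "broadcom-sta" "pnpm" ]` is a prefix match, so it also waives the insecure check for any package whose pname merely starts with those strings, and it now does so on every host instead of only the Macbook. `lib.getName` already strips the version, so an exact match is enough: `lib.elem (lib.getName pkg) [ "broadcom-sta" "pnpm" ]`. Separately, the comment's "build-time only, hash-pinned FOD — not in PATH" describes how vesktop happens to use pnpm today, not anything the predicate enforces; if pnpm ever lands in a runtime closure the waiver still applies, so a periodic `nix why-depends` against the system closure is worth noting next to it.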
flake.lock (generated, 60 changed lines)
|
|
@ -71,11 +71,11 @@
|
|||
"cachyos-kernel": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1780413908,
|
||||
"narHash": "sha256-T15bnskj20rdc4vJ55bFF2lVCVR8edilWn0hiYR7vVs=",
|
||||
"lastModified": 1781883168,
|
||||
"narHash": "sha256-raAojJGk0aWdscfFn/9ikZ6V5oUuAZcAz5kjAZ2QN3E=",
|
||||
"owner": "CachyOS",
|
||||
"repo": "linux-cachyos",
|
||||
"rev": "a61f943f5e94b75c5600a2968cb699d0e37945b3",
|
||||
"rev": "daed450e9b1a4fadfef68fb4fa5e2f3391fedb34",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
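Review bot: `cachyos-kernel` is a `"flake": false` source from a third-party GitHub repository, bumped here by `rev` and `narHash`. The narHash pins the content, but nothing in the lock or the commit list records which upstream Linux release the new `linux-cachyos` rev tracks; since this is the kernel on the router box that hardware-health.nix in this same change describes as hanging, put the kernel version in the bump commit so a regression can be bisected against the lock rather than against a 40-character rev.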
@ -87,11 +87,11 @@
|
|||
"cachyos-kernel-patches": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1780462466,
|
||||
"narHash": "sha256-t6c7FTqMB0skEz+4tei5v8GEyL4fRDgx24oW3LrnYiE=",
|
||||
"lastModified": 1782242233,
|
||||
"narHash": "sha256-AUwTZq++PBq0qjDVFKqD0AZNNwa0b1RK41bM9XMbkW8=",
|
||||
"owner": "CachyOS",
|
||||
"repo": "kernel-patches",
|
||||
"rev": "bb41330bd4372672f552beda66712fb70b17f0fa",
|
||||
"rev": "19250dcc39862169961756c733b8a6ba77754c22",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
@ -211,11 +211,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1781184346,
|
||||
"narHash": "sha256-cZRlW47U6A2nWvAmnZeeO6Xvq23gxYbVLel4KxqOrcQ=",
|
||||
"lastModified": 1782704057,
|
||||
"narHash": "sha256-G1I1gd32F7mp9LAe1DaZ4ZL7NX5gyiKwdCMwro1Vrck=",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "ea6d221d7aa85652d014b6f719dddf036037515b",
|
||||
"rev": "868d0a692de703c2de98fab61968e4e310b7c28e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
@ -234,11 +234,11 @@
|
|||
"nixpkgs": "nixpkgs"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1780771919,
|
||||
"narHash": "sha256-cbace1ZTWYFG0luPL7OFlUxDh/t9lmPj+Isvg9hLN0k=",
|
||||
"lastModified": 1782415778,
|
||||
"narHash": "sha256-Qts73QQA+lADfxWjonL3Q1JcZssVZPsQI38L3qZyS0o=",
|
||||
"owner": "xddxdd",
|
||||
"repo": "nix-cachyos-kernel",
|
||||
"rev": "3d940a534da0ba6bce60e345ff2c9c7b062087fb",
|
||||
"rev": "1740ec90e7b07730c212a3a1ff5e71af08a5270b",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
@ -250,11 +250,11 @@
|
|||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1780751787,
|
||||
"narHash": "sha256-nWR7F46SyrLvN8Ot39XJDpVCswekGakXlOD4KsTYKW0=",
|
||||
"lastModified": 1782378976,
|
||||
"narHash": "sha256-UqQgBlQATXM3aBvzTRE/1wxHrCdKg5/ePlXfG/7Eqd8=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "00fa9a692bafc08a86061886f888b843bf7fbdb0",
|
||||
"rev": "5df71f3d167f0aad71658608361c1301147b9eb6",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
@ -281,11 +281,11 @@
|
|||
},
|
||||
"nixpkgs_2": {
|
||||
"locked": {
|
||||
"lastModified": 1780902259,
|
||||
"narHash": "sha256-q8yYEC5f1mFlQO9RGna4LTc9QrcvWunX6FYp83munkQ=",
|
||||
"lastModified": 1782691344,
|
||||
"narHash": "sha256-i5nw9BYYsMDAaOC4J+JmTof6b2GhlyH076awYRNrTV8=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "bd0ff2d3eac24699c3664d5966b9ef36f388e2ca",
|
||||
"rev": "1f01958ffb5b3545c96d9ef2f4e24c5e5e1eb846",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
@ -297,11 +297,11 @@
|
|||
},
|
||||
"nixpkgs_3": {
|
||||
"locked": {
|
||||
"lastModified": 1780749050,
|
||||
"narHash": "sha256-3av0pIjlOWQ6rDbNOmpUSvbNnJkGORQKKjb4LtCZsIY=",
|
||||
"lastModified": 1782723713,
|
||||
"narHash": "sha256-oPXCU/SSUokcGaJREHibG1CBX3+s/W7orDWQOZDsEeQ=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "a799d3e3886da994fa307f817a6bc705ae538eeb",
|
||||
"rev": "b5aa0fbd538984f6e3d201be0005b4463d8b09f8",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
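Review bot: the lock now carries three independent nixpkgs pins (`nixpkgs`, `nixpkgs_2`, `nixpkgs_3`, all at different revs), so some inputs evaluate against a different nixpkgs than the hosts do (the next hunk shows proton-cachyos-nix bound to `nixpkgs_3`). That triples the patch surface to track and can build the same package at several versions. Where the input supports it, add `inputs.<name>.inputs.nixpkgs.follows = "nixpkgs";` in flake.nix so one bump updates everything.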
@ -357,11 +357,11 @@
|
|||
"nixpkgs": "nixpkgs_3"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1781218261,
|
||||
"narHash": "sha256-09ZzpMMfszYPp+SV+P48smeTG2cqttf9oO5BrgTRrzk=",
|
||||
"lastModified": 1782797297,
|
||||
"narHash": "sha256-mscJSstGLRHQ4shBSQOtsElODg+mnRPBDlsA3Mi2A50=",
|
||||
"owner": "powerofthe69",
|
||||
"repo": "proton-cachyos-nix",
|
||||
"rev": "8c0236830281dffa4ae4236e2ea8b6361d63407f",
|
||||
"rev": "5cf94db45bd823e8a432ba8aae9745a43f32d24d",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
@ -398,11 +398,11 @@
|
|||
"tinted-zed": "tinted-zed"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1780702455,
|
||||
"narHash": "sha256-+srjPGNy67nKytYwdlepycL51IG6S34sS4MKRZXK8G0=",
|
||||
"lastModified": 1782770679,
|
||||
"narHash": "sha256-+8RpmHKn5n2tYmoRCwiKJ6PeU85q15qnXzGQ2WGMn9Q=",
|
||||
"owner": "nix-community",
|
||||
"repo": "stylix",
|
||||
"rev": "54fa19702f4f2c7f6a981a92850678933588af9a",
|
||||
"rev": "3ed763829fc06d32cab3c1f31672379a1f53450e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
@ -501,11 +501,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1781173532,
|
||||
"narHash": "sha256-MwnZpL82aQO1I15JH525vz6REI/OULEAmXDp6cIcgNg=",
|
||||
"lastModified": 1782812215,
|
||||
"narHash": "sha256-OPVK9WW9QsO2aj1R+Ln3p7fniFj5h441vb3LyrzpeE4=",
|
||||
"owner": "0xc000022070",
|
||||
"repo": "zen-browser-flake",
|
||||
"rev": "f13e82162fae68af7716147207fa5f868f5ca381",
|
||||
"rev": "a7c2a9a5e492e0e62072547f7e4c2abf138425c5",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
@ -34,10 +34,17 @@
|
|||
hardware.enableRedistributableFirmware = true;
|
||||
hardware.facetimehd.enable = true;
|
||||
|
||||
# Pin to the 6.12 LTS kernel: the out-of-tree broadcom_sta (Wi-Fi) and
|
||||
# facetimehd (iSight) modules don't build against linuxPackages_latest
|
||||
# (7.x) — broadcom-sta's wl_cfg80211 ops no longer match the cfg80211 API.
|
||||
# 6.12 LTS is the newest kernel both modules compile against. Overrides
|
||||
# common.nix's linuxPackages_latest.
|
||||
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_6_12;
|
||||
|
||||
# wait_prepare/wait_finish were removed from struct vb2_ops in Linux 6.8
|
||||
nixpkgs.overlays = [
|
||||
(final: prev: {
|
||||
linuxPackages_latest = prev.linuxPackages_latest.extend (lpFinal: lpPrev: {
|
||||
linuxPackages_6_12 = prev.linuxPackages_6_12.extend (lpFinal: lpPrev: {
|
||||
facetimehd = lpPrev.facetimehd.overrideAttrs (old: {
|
||||
postPatch = (old.postPatch or "") + ''
|
||||
sed -i '/\.wait_prepare[[:space:]]*=.*vb2_ops_wait_prepare/d' fthd_v4l2.c
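Review bot: the `sed -i '/\.wait_prepare.../d' fthd_v4l2.c` in `postPatch` is a silent no-op if upstream renames or removes that line, and the failure then surfaces later as a less obvious compile error, or not at all. Guard it with `grep -q wait_prepare fthd_v4l2.c` before the `sed` so the patch step fails loudly the day it stops applying. The `lib.mkForce` pin to `linuxPackages_6_12` is sound for the two out-of-tree modules, but 6.12 is an LTS series with a finite support window; the comment should say when to revisit, since this is also the host that needs the broadcom-sta insecure waiver.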
@ -48,8 +55,7 @@
|
|||
})
|
||||
];
|
||||
|
||||
nixpkgs.config.allowInsecurePredicate = pkg:
|
||||
(lib.hasPrefix "broadcom-sta" (lib.getName pkg));
|
||||
# allowInsecurePredicate (broadcom-sta + pnpm) lives in common.nix now.
|
||||
|
||||
services.xserver.deviceSection = lib.mkDefault ''
|
||||
Option "TearFree" "true"
@ -45,5 +45,10 @@ name = "7DTD-coop voice/dynamic"
|
|||
ports = "26911-26912"
|
||||
protocol = "udp"
|
||||
|
||||
[[forward]]
|
||||
name = "Neko WebRTC"
|
||||
port = 59000
|
||||
protocol = "udp"
|
||||
|
||||
# DR (Dungeon Runners) forwards removed — services/dr-server.nix is disabled.
|
||||
# Re-add 2110 tcp, 2603 both, 2604-2605 udp, 2606 tcp if it comes back.
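Review bot: the new `[[forward]]` for "Neko WebRTC" on `59000/udp` lands in the same change that un-imports services/neko.nix in common.nix, so it opens a WAN port forward to a service that no longer runs. Drop the block (or replace it with a Selkies forward if Selkies needs one; its UDP port is not visible here), and give it the same "remove when X goes away" note the DR comment below has so the next reader does not have to rediscover this.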
@ -2,7 +2,7 @@
|
|||
let
|
||||
interconnectScript = pkgs.writeShellScript "arr-interconnect" ''
|
||||
set -euo pipefail
|
||||
PATH="${lib.makeBinPath [ pkgs.curl pkgs.jq pkgs.gnused pkgs.gnugrep pkgs.coreutils pkgs.systemd ]}:$PATH"
|
||||
PATH="${lib.makeBinPath [ pkgs.curl pkgs.jq pkgs.gnused pkgs.gnugrep pkgs.coreutils pkgs.systemd pkgs.sqlite ]}:$PATH"
|
||||
|
||||
BASE="http://127.0.0.1"
|
||||
|
@ -30,6 +30,14 @@ let
|
|||
SABNZBD_KEY=$(grep -oP '^api_key\s*=\s*\K\S+' /var/lib/sabnzbd/sabnzbd.ini | head -n1 || true)
|
||||
fi
|
||||
|
||||
# Jellyfin has no config.xml api key; any AccessToken in its db works as
|
||||
# an API key. Reuse the first one (create one in the Jellyfin UI once if
|
||||
# the table is empty — same first-run caveat as SAB above).
|
||||
JELLYFIN_KEY=""
|
||||
if [ -f "/var/lib/jellyfin/data/jellyfin.db" ]; then
|
||||
JELLYFIN_KEY=$(sqlite3 /var/lib/jellyfin/data/jellyfin.db "SELECT AccessToken FROM ApiKeys LIMIT 1;" 2>/dev/null || true)
|
||||
fi
|
||||
|
||||
# --- Helpers ---
|
||||
wait_for() {
|
||||
local name="$1" url="$2" key="$3"
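Review bot: `SELECT AccessToken FROM ApiKeys LIMIT 1` takes whichever key happens to come first, so the *arr integrations silently reuse a key that may have been issued to some other client, and revoking that client's key breaks the integration. Select the key by name instead (create one dedicated to this script in the Jellyfin dashboard and filter on it) so it can be rotated on its own. Note too that `sqlite3` against a database Jellyfin has open can fail with a busy/locked error, and `2>/dev/null || true` turns that into an empty `JELLYFIN_KEY` and a silently skipped section; log that case rather than swallowing it.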
@ -341,6 +349,79 @@ let
|
|||
fi
|
||||
fi
|
||||
|
||||
##########################################################################
|
||||
# Sonarr → Jellyfin (refresh library on import so new shows appear
|
||||
# without waiting for Jellyfin's flaky filesystem watcher / full scan)
|
||||
##########################################################################
|
||||
if [ -n "$SONARR_KEY" ] && [ -n "$JELLYFIN_KEY" ]; then
|
||||
if ! exists_by_name "$BASE:8989/api/v3/notification" "$SONARR_KEY" "Jellyfin"; then
|
||||
echo "Adding Jellyfin notification to Sonarr..."
|
||||
curl -sf -X POST \
|
||||
-H "Content-Type: application/json" \
|
||||
-H "X-Api-Key: $SONARR_KEY" \
|
||||
"$BASE:8989/api/v3/notification" \
|
||||
-d "$(jq -n --arg key "$JELLYFIN_KEY" '{
|
||||
name: "Jellyfin",
|
||||
implementation: "MediaBrowser",
|
||||
configContract: "MediaBrowserSettings",
|
||||
implementationName: "Emby / Jellyfin",
|
||||
onDownload: true,
|
||||
onUpgrade: true,
|
||||
onRename: true,
|
||||
onSeriesDelete: true,
|
||||
onEpisodeFileDelete: true,
|
||||
onEpisodeFileDeleteForUpgrade: true,
|
||||
fields: [
|
||||
{name: "host", value: "localhost"},
|
||||
{name: "port", value: 8096},
|
||||
{name: "useSsl", value: false},
|
||||
{name: "apiKey", value: $key},
|
||||
{name: "notify", value: false},
|
||||
{name: "updateLibrary", value: true}
|
||||
],
|
||||
tags: []
|
||||
}')" > /dev/null && echo " done" || echo " failed"
|
||||
else
|
||||
echo "Sonarr → Jellyfin already configured"
|
||||
fi
|
||||
fi
|
||||
|
||||
##########################################################################
|
||||
# Radarr → Jellyfin (refresh library on import)
|
||||
##########################################################################
|
||||
if [ -n "$RADARR_KEY" ] && [ -n "$JELLYFIN_KEY" ]; then
|
||||
if ! exists_by_name "$BASE:7878/api/v3/notification" "$RADARR_KEY" "Jellyfin"; then
|
||||
echo "Adding Jellyfin notification to Radarr..."
|
||||
curl -sf -X POST \
|
||||
-H "Content-Type: application/json" \
|
||||
-H "X-Api-Key: $RADARR_KEY" \
|
||||
"$BASE:7878/api/v3/notification" \
|
||||
-d "$(jq -n --arg key "$JELLYFIN_KEY" '{
|
||||
name: "Jellyfin",
|
||||
implementation: "MediaBrowser",
|
||||
configContract: "MediaBrowserSettings",
|
||||
implementationName: "Emby / Jellyfin",
|
||||
onDownload: true,
|
||||
onUpgrade: true,
|
||||
onRename: true,
|
||||
onMovieDelete: true,
|
||||
onMovieFileDelete: true,
|
||||
onMovieFileDeleteForUpgrade: true,
|
||||
fields: [
|
||||
{name: "host", value: "localhost"},
|
||||
{name: "port", value: 8096},
|
||||
{name: "useSsl", value: false},
|
||||
{name: "apiKey", value: $key},
|
||||
{name: "notify", value: false},
|
||||
{name: "updateLibrary", value: true}
|
||||
],
|
||||
tags: []
|
||||
}')" > /dev/null && echo " done" || echo " failed"
|
||||
else
|
||||
echo "Radarr → Jellyfin already configured"
|
||||
fi
|
||||
fi
|
||||
|
||||
##########################################################################
|
||||
# Prowlarr auth — trust localhost so Authelia is the only gate. Other
|
||||
# *arr apps default to this; Prowlarr does not.
|
@ -41,6 +41,7 @@
|
|||
{ domain = "sabnzbd.nordhammer.it"; policy = "one_factor"; }
|
||||
{ domain = "code.nordhammer.it"; policy = "one_factor"; }
|
||||
{ domain = "notes.nordhammer.it"; policy = "one_factor"; }
|
||||
{ domain = "selkies.nordhammer.it"; policy = "one_factor"; }
|
||||
];
|
||||
};
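Review bot: `selkies.nordhammer.it` gets `one_factor`, the same policy as the media apps, but what sits behind it is an interactive desktop session with a Wine environment and GPU access, not a read-only dashboard. That is closer to remote-shell access than to sabnzbd, so it should be `two_factor`, or at least its own tighter rule, especially since the nginx hunk in this change exposes it as `protectedProxy 8093` alongside the rest.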
@ -9,37 +9,10 @@
|
|||
# 2. Delete ../modules/crowdsec/ and the disabledModules + imports lines below
|
||||
# 3. The settings/option API is the same as the PR's, so config below is forward-compatible
|
||||
#
|
||||
# Before first deploy, create /var/secrets/ntfy-url with your topic URL:
|
||||
# echo 'https://ntfy.sh/nordhammer-<random>' | sudo tee /var/secrets/ntfy-url
|
||||
# sudo chmod 600 /var/secrets/ntfy-url
|
||||
# CrowdSec bans silently — no ntfy pushes (they were constant noise).
|
||||
# The /var/secrets/ntfy-url topic is used by services/service-health.nix instead.
|
||||
{ config, lib, pkgs, ... }:
|
||||
let
|
||||
# The real URL is injected at service start (see ExecStartPre below) —
|
||||
# eval-time builtins.readFile can't see /var/secrets under pure flake
|
||||
# evaluation, which is how the `update` alias builds.
|
||||
ntfyUrlPlaceholder = "@NTFY_URL@";
|
||||
|
||||
# The module renders settings.notifications into /etc/crowdsec/notifications/
|
||||
# as a symlink into /etc/static (the store). Re-render it from the static
|
||||
# source with the secret substituted on every service start; nixos-rebuild
|
||||
# restores the symlink on activation, so this never goes stale.
|
||||
injectNtfyUrl = pkgs.writeShellScript "crowdsec-inject-ntfy-url" ''
|
||||
set -euo pipefail
|
||||
src=/etc/static/crowdsec/notifications/0-nixos-generated.yaml
|
||||
dst=/etc/crowdsec/notifications/0-nixos-generated.yaml
|
||||
secret=/var/secrets/ntfy-url
|
||||
if [ ! -f "$secret" ]; then
|
||||
echo "WARNING: $secret not found; ntfy notifications will not work" >&2
|
||||
exit 0
|
||||
fi
|
||||
url=$(${pkgs.coreutils}/bin/tr -d '\n' < "$secret")
|
||||
tmp=$(${pkgs.coreutils}/bin/mktemp "$dst.XXXXXX")
|
||||
${pkgs.gnused}/bin/sed "s|${ntfyUrlPlaceholder}|$url|g" "$src" > "$tmp"
|
||||
${pkgs.coreutils}/bin/chmod 600 "$tmp"
|
||||
${pkgs.coreutils}/bin/chown crowdsec:crowdsec "$tmp"
|
||||
${pkgs.coreutils}/bin/mv "$tmp" "$dst"
|
||||
'';
|
||||
|
||||
# nixpkgs only builds the agent + cscli; the new module also expects
|
||||
# notification plugins at $out/libexec/crowdsec/plugins/. Compile them
|
||||
# from the same source tree (cmd/notification-*) and move them there.
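Review bot: dropping `injectNtfyUrl` also drops the only privileged (`+`) `ExecStartPre` step from the crowdsec unit, which is a net win, but the deleted header lines were also the only place that documented how to create `/var/secrets/ntfy-url` (`tee` plus `chmod 600`). The new comment says services/service-health.nix uses the topic instead; make sure those setup lines moved there rather than just disappearing, since the secret still has to exist with mode 600 for that unit to work.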
@ -142,52 +115,27 @@ in
|
|||
}
|
||||
];
|
||||
|
||||
# Push notifications via ntfy.sh
|
||||
notifications = [
|
||||
{
|
||||
name = "ntfy_http";
|
||||
type = "http";
|
||||
log_level = "info";
|
||||
url = ntfyUrlPlaceholder;
|
||||
method = "POST";
|
||||
headers = {
|
||||
Title = "CrowdSec alert";
|
||||
Priority = "high";
|
||||
Tags = "rotating_light";
|
||||
};
|
||||
format = ''
|
||||
{{range . -}}
|
||||
{{.Scenario}} from {{.Source.IP}} ({{.Source.Cn}}) — {{len .Decisions}} decision(s) taken
|
||||
{{end -}}
|
||||
'';
|
||||
}
|
||||
];
|
||||
|
||||
# Override default profiles to attach the ntfy notifier
|
||||
# Profiles set ban duration to 4h. No ntfy notifications: a push per
|
||||
# ban was constant noise on a WAN-exposed box. ntfy is now reserved
|
||||
# for service-down alerts (see services/service-health.nix); CrowdSec
|
||||
# still bans silently.
|
||||
profiles = [
|
||||
{
|
||||
name = "default_ip_remediation";
|
||||
filters = [ "Alert.Remediation == true && Alert.GetScope() == 'Ip'" ];
|
||||
decisions = [{ type = "ban"; duration = "4h"; }];
|
||||
notifications = [ "ntfy_http" ];
|
||||
on_success = "break";
|
||||
}
|
||||
{
|
||||
name = "default_range_remediation";
|
||||
filters = [ "Alert.Remediation == true && Alert.GetScope() == 'Range'" ];
|
||||
decisions = [{ type = "ban"; duration = "4h"; }];
|
||||
notifications = [ "ntfy_http" ];
|
||||
on_success = "break";
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
# Inject the ntfy topic URL into the rendered notification config before
|
||||
# every start. "+" runs the script with full privileges (it reads the
|
||||
# root-owned secret and replaces a root-owned /etc symlink).
|
||||
systemd.services.crowdsec.serviceConfig.ExecStartPre = [ "+${injectNtfyUrl}" ];
|
||||
|
||||
# Firewall bouncer enforces decisions via nftables; auto-registers with LAPI
|
||||
services.crowdsec-firewall-bouncer = {
|
||||
enable = true;
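Review bot: with `notifications` removed, bans are invisible unless someone runs `cscli decisions list`, and both profiles ban for `4h` with `Alert.Remediation == true` as the only filter, so a false positive against the LAN or the home WAN address goes unnoticed for that long on a box that is also the router. Add a whitelist for the LAN ranges, and if per-ban pushes were the noise problem, send a daily digest through the same service-health.nix channel rather than nothing; the bouncer below enforces these decisions in nftables, so the cost of a wrong one is real.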
services/hardware-health.nix (new file, 35 lines)
|
|
@ -0,0 +1,35 @@
|
|||
# services/hardware-health.nix — RAS error attribution + watchdog auto-recovery
|
||||
#
|
||||
# Context: Jun 2026 the dual Xeon E5-2697 v3 began throwing a storm of
|
||||
# *corrected* Machine Check Exceptions on both sockets (Bank 5 / Bank 20),
|
||||
# ~18k events in 36h, eventually hanging the box. Since this host is the
|
||||
# router, a hang takes the whole LAN offline until a manual power-cycle.
|
||||
#
|
||||
# This module:
|
||||
# - rasdaemon: decodes every MCE to a specific DIMM/channel/socket and
|
||||
# persists a per-component error DB, so a failing part can be named
|
||||
# (needed for the seller's warranty claim). Query with `ras-mc-ctl
|
||||
# --error-count` and `ras-mc-ctl --summary`.
|
||||
# - hardware watchdog: if userspace hangs again, systemd stops petting
|
||||
# /dev/watchdog0 and the chipset watchdog reboots the box (~30s),
|
||||
# restoring the LAN without physical access.
|
||||
|
||||
{ config, lib, pkgs, ... }:
|
||||
{
|
||||
config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {
|
||||
|
||||
# Decode + log + persist machine-check / memory errors per component.
|
||||
hardware.rasdaemon.enable = true;
|
||||
|
||||
# ras-mc-ctl on PATH for manual inspection.
|
||||
environment.systemPackages = [ pkgs.rasdaemon ];
|
||||
|
||||
# Hardware watchdog: auto-reboot a hung box instead of a dead LAN.
|
||||
# systemd pets /dev/watchdog0 at half the runtime interval; if it stops
|
||||
# (hang), the chipset resets after RuntimeWatchdogSec.
|
||||
systemd.settings.Manager = {
|
||||
RuntimeWatchdogSec = "30s";
|
||||
RebootWatchdogSec = "10min";
|
||||
};
|
||||
};
|
||||
}
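Review bot: `RuntimeWatchdogSec = "30s"` relies on systemd's default device `/dev/watchdog0`; a dual-socket server board often has more than one watchdog (chipset iTCO plus a BMC/IPMI one), and which becomes `watchdog0` depends on module load order. Set `WatchdogDevice` explicitly in the same `systemd.settings.Manager` block so a kernel bump cannot silently pick a different, or inert, device. Also, the watchdog fires only when PID 1 stops pinging; a lockup confined to one CPU during the corrected-MCE storm the header describes can leave PID 1 running while the box is unusable, so pair it with `boot.kernel.sysctl` settings for `kernel.hardlockup_panic` and `kernel.panic` so a lockup becomes a panic and a panic becomes a reboot.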
services/neko.nix (new file, 92 lines)
|
|
@ -0,0 +1,92 @@
|
|||
# services/neko.nix — Guild Wars (2005) in a browser via Neko
|
||||
#
|
||||
# Streams an Xfce desktop running the Windows Guild Wars client (under Wine)
|
||||
# to a browser tab over WebRTC. Reach it at neko.nordhammer.it (Authelia-gated).
|
||||
#
|
||||
# Neko's stock images don't ship Wine, and apt installs land in /usr — which is
|
||||
# wiped whenever the container is recreated. So we bake Wine into a locally-built
|
||||
# image (FROM the upstream nvidia-xfce base) instead of relying on a volume.
|
||||
# Guild Wars' own data installs into the persistent /home/neko volume on first run.
|
||||
#
|
||||
# Rendering is software-only (no GPU): neko doesn't ship a prebuilt NVIDIA Xfce
|
||||
# desktop image, and building one from nvidia-base is a big detour for a 2005
|
||||
# game. Wine renders via llvmpipe (software OpenGL) and neko encodes via x264 —
|
||||
# both are heavily multithreaded and this box has 56 Xeon threads to spare, so
|
||||
# Guild Wars is comfortably playable this way.
|
||||
{ config, pkgs, lib, ... }:
|
||||
let
|
||||
# Wine-enabled image definition. Fed to `docker build` over stdin (see below)
|
||||
# so there's no build context — we have no COPY/ADD, and a Nix-store symlinked
|
||||
# context dir breaks BuildKit's Dockerfile resolution. Pinned to the v3.1
|
||||
# series so the NEKO_MEMBER_*/NEKO_WEBRTC_* env schema below stays valid.
|
||||
dockerfile = pkgs.writeText "neko-gw.Dockerfile" ''
|
||||
FROM ghcr.io/m1k1o/neko/xfce:3.1
|
||||
USER root
|
||||
RUN dpkg --add-architecture i386 \
|
||||
&& apt-get update \
|
||||
&& DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
|
||||
wine wine64 wine32 winbind ca-certificates wget \
|
||||
libgl1 libgl1:i386 libglx-mesa0 libglx-mesa0:i386 \
|
||||
libgl1-mesa-dri libgl1-mesa-dri:i386 \
|
||||
&& rm -rf /var/lib/apt/lists/*
|
||||
'';
|
||||
in
|
||||
{
|
||||
config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {
|
||||
|
||||
virtualisation.docker.enable = true;
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"d /var/lib/neko 0755 root root -"
|
||||
# The container's neko user is uid/gid 1000 and must own its home, or the
|
||||
# X server / Xfce can't create ~/.config, ~/.cache, etc. and the desktop
|
||||
# never starts.
|
||||
"d /var/lib/neko/home 0755 1000 1000 -"
|
||||
];
|
||||
|
||||
systemd.services.neko = {
|
||||
description = "Neko — Guild Wars in a browser (Xfce + Wine + NVIDIA)";
|
||||
after = [ "docker.service" "network-online.target" ];
|
||||
requires = [ "docker.service" ];
|
||||
wants = [ "network-online.target" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
# First start pulls a multi-GB base image and runs apt — give it room.
|
||||
# If it fails, back off but don't crash-loop (see 7dtd veth-flood note).
|
||||
startLimitIntervalSec = 600;
|
||||
startLimitBurst = 3;
|
||||
|
||||
serviceConfig = {
|
||||
Restart = "on-failure";
|
||||
RestartSec = "30s";
|
||||
TimeoutStartSec = "3600";
|
||||
ExecStartPre = [
|
||||
"-${pkgs.docker}/bin/docker rm -f neko"
|
||||
"${pkgs.writeShellScript "neko-build" ''
|
||||
exec ${pkgs.docker}/bin/docker build -t neko-gw:local - < ${dockerfile}
|
||||
''}"
|
||||
];
|
||||
# Wrapped in a shell script so the ICE-server JSON survives quoting
|
||||
# (systemd's own ExecStart parser would strip the inner double quotes).
|
||||
ExecStart = pkgs.writeShellScript "neko-run" ''
|
||||
exec ${pkgs.docker}/bin/docker run --rm --name neko \
|
||||
--shm-size=1g \
|
||||
-e LIBGL_ALWAYS_SOFTWARE=1 \
|
||||
-p 127.0.0.1:8092:8080 \
|
||||
-p 59000:59000/udp \
|
||||
-e NEKO_DESKTOP_SCREEN=1280x720@30 \
|
||||
-e NEKO_MEMBER_PROVIDER=multiuser \
|
||||
-e NEKO_MEMBER_MULTIUSER_USER_PASSWORD=neko \
|
||||
-e NEKO_MEMBER_MULTIUSER_ADMIN_PASSWORD=neko-admin \
|
||||
-e NEKO_WEBRTC_UDPMUX=59000 \
|
||||
-e NEKO_WEBRTC_NAT1TO1=10.0.0.1 \
|
||||
-e 'NEKO_WEBRTC_ICESERVERS_FRONTEND=[{"urls":["stun:stun.l.google.com:19302"]}]' \
|
||||
-e 'NEKO_WEBRTC_ICESERVERS_BACKEND=[{"urls":["stun:stun.l.google.com:19302"]}]' \
|
||||
-v /var/lib/neko/home:/home/neko \
|
||||
neko-gw:local
|
||||
'';
|
||||
ExecStop = "${pkgs.docker}/bin/docker stop neko";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
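Review bot: this file is added but left unimported (common.nix comments it out as superseded), yet it carries live credentials and network exposure: `NEKO_MEMBER_MULTIUSER_USER_PASSWORD=neko` and `NEKO_MEMBER_MULTIUSER_ADMIN_PASSWORD=neko-admin` are hard-coded inside a `writeShellScript`, so they sit world-readable in the Nix store and in git history, and `-p 59000:59000/udp` publishes on all interfaces while the router hunk forwards the same port from the WAN. If Selkies replaced it, delete the file rather than carry dead code with default passwords. If it must stay: pass the passwords via `--env-file` from outside the store, bind the UDP port to a specific interface or drop the forward, and pin `FROM ghcr.io/m1k1o/neko/xfce:3.1` by digest, since the image is rebuilt on every unit start and a mutable tag can change under you. The unit description also says "NVIDIA" while the header says rendering is software-only.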
@ -123,6 +123,7 @@ in
|
|||
'';
|
||||
};
|
||||
"notes.nordhammer.it" = protectedProxy 5230;
|
||||
"selkies.nordhammer.it" = protectedProxy 8093;
|
||||
|
||||
# --- Local-only: serves update history JSON to Homepage's customapi widget ---
|
||||
"homepage-updates.local" = {
|
||||
|
|
|
|||
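Review bot: worth a comment on the new "selkies.nordhammer.it" = protectedProxy 8093; line that the proxy only fronts the HTTP/WebSocket side. The Selkies container added in this change also publishes 3478 (tcp and udp) and 65532-65535/udp directly on the host, so the TURN/media path is not behind Authelia and the gating should not be assumed to cover it.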
99
services/selkies.nix
Normal file
|
|
@ -0,0 +1,99 @@
|
|||
# services/selkies.nix — Guild Wars in a browser via Selkies
|
||||
#
|
||||
# Replaces the Neko attempt (services/neko.nix, now unimported): Neko's
|
||||
# absolute-pointer input model can't handle Guild Wars' exclusive mouse grab.
|
||||
# Selkies captures the mouse client-side with the browser Pointer Lock API and
|
||||
# sends *relative* movement, so the grab is a non-issue — and it uses the GPU
|
||||
# (NVENC + EGL) instead of software rendering.
|
||||
#
|
||||
# Reach it at selkies.nordhammer.it (Authelia-gated). The Wine prefix with
|
||||
# Guild Wars already installed is reused from the old Neko home, seeded into
|
||||
# /var/lib/selkies/home/.wine (see the deploy note in the repo).
|
||||
{ config, pkgs, lib, ... }:
|
||||
let
|
||||
# Selkies' NVIDIA EGL desktop (Ubuntu 24.04) plus Wine for the 32-bit GW
|
||||
# client. Built from stdin (no build context); see neko.nix for the why.
|
||||
dockerfile = pkgs.writeText "selkies-gw.Dockerfile" ''
|
||||
FROM ghcr.io/selkies-project/nvidia-egl-desktop:24.04
|
||||
USER root
|
||||
RUN add-apt-repository -y multiverse \
|
||||
&& dpkg --add-architecture i386 \
|
||||
&& apt-get update \
|
||||
&& DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
|
||||
wine wine32 wine64 winbind cabextract ca-certificates wget \
|
||||
&& rm -rf /var/lib/apt/lists/*
|
||||
# `gw` launcher: GW is 32-bit, so it needs the 32-bit NVIDIA GL libs (mounted
|
||||
# at /usr/lib/i386-linux-gnu/nvidia by the service) on the loader path, and
|
||||
# VirtualGL (EGL backend) to render on the M2000. Without this GW falls back
|
||||
# to llvmpipe (software) and pegs ~18 CPU cores at <20 fps.
|
||||
RUN printf '#!/bin/bash\nexport LD_LIBRARY_PATH=/usr/lib/i386-linux-gnu/nvidia\nexport VGL_DISPLAY=egl VGL_FPS=60\ncd "$HOME/.wine/drive_c/Program Files (x86)/Guild Wars/"\nexec vglrun wine Gw.exe "$@"\n' > /usr/local/bin/gw \
|
||||
&& chmod +x /usr/local/bin/gw
|
||||
USER 1000
|
||||
'';
|
||||
in
|
||||
{
|
||||
config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {
|
||||
|
||||
virtualisation.docker.enable = true;
|
||||
# GPU into the container via CDI (nvidia.com/gpu=all). The CDI spec only
|
||||
# carries the 64-bit driver libs, so the 32-bit set (for 32-bit Wine/GW) is
|
||||
# bind-mounted separately below; enable32Bit makes them exist on the host.
|
||||
hardware.nvidia-container-toolkit.enable = true;
|
||||
hardware.graphics.enable32Bit = true;
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"d /var/lib/selkies 0755 root root -"
|
||||
# Container user is uid/gid 1000 and must own its home.
|
||||
"d /var/lib/selkies/home 0755 1000 1000 -"
|
||||
];
|
||||
|
||||
systemd.services.selkies = {
|
||||
description = "Selkies — Guild Wars in a browser (EGL desktop + Wine + NVENC)";
|
||||
after = [ "docker.service" "network-online.target" ];
|
||||
requires = [ "docker.service" ];
|
||||
wants = [ "network-online.target" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
startLimitIntervalSec = 600;
|
||||
startLimitBurst = 3;
|
||||
|
||||
serviceConfig = {
|
||||
Restart = "on-failure";
|
||||
RestartSec = "30s";
|
||||
TimeoutStartSec = "3600";
|
||||
ExecStartPre = [
|
||||
"-${pkgs.docker}/bin/docker rm -f selkies"
|
||||
"${pkgs.writeShellScript "selkies-build" ''
|
||||
exec ${pkgs.docker}/bin/docker build -t selkies-gw:local - < ${dockerfile}
|
||||
''}"
|
||||
];
|
||||
ExecStart = pkgs.writeShellScript "selkies-run" ''
|
||||
exec ${pkgs.docker}/bin/docker run --rm --name selkies \
|
||||
--device=nvidia.com/gpu=all \
|
||||
-e NVIDIA_VISIBLE_DEVICES=all \
|
||||
-e NVIDIA_DRIVER_CAPABILITIES=all \
|
||||
--shm-size=2g \
|
||||
-p 127.0.0.1:8093:8080 \
|
||||
-p 3478:3478 -p 3478:3478/udp \
|
||||
-p 65532-65535:65532-65535/udp \
|
||||
-e TZ=Europe/Stockholm \
|
||||
-e DISPLAY_SIZEW=1280 -e DISPLAY_SIZEH=720 \
|
||||
-e DISPLAY_REFRESH=60 -e DISPLAY_DPI=96 -e DISPLAY_CDEPTH=24 \
|
||||
-e PASSWD=selkies \
|
||||
-e SELKIES_ENCODER=nvh264enc \
|
||||
-e SELKIES_VIDEO_BITRATE=8000 \
|
||||
-e SELKIES_FRAMERATE=60 \
|
||||
-e SELKIES_ENABLE_BASIC_AUTH=false \
|
||||
-e SELKIES_TURN_HOST=10.0.0.1 \
|
||||
-e SELKIES_TURN_PROTOCOL=udp \
|
||||
-e SELKIES_TURN_PORT=3478 \
|
||||
-e TURN_MIN_PORT=65532 -e TURN_MAX_PORT=65535 \
|
||||
-v ${config.hardware.nvidia.package.lib32}/lib:/usr/lib/i386-linux-gnu/nvidia:ro \
|
||||
-v /var/lib/selkies/home:/home/ubuntu \
|
||||
selkies-gw:local
|
||||
'';
|
||||
ExecStop = "${pkgs.docker}/bin/docker stop selkies";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
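Review bot: -e PASSWD=selkies is a hardcoded credential in the selkies-run script (the same Nix-store exposure as the Neko unit), and SELKIES_ENABLE_BASIC_AUTH=false means the Authelia proxy is the only gate in front of the desktop; both should be stated in the header comment so nobody later widens -p 127.0.0.1:8093:8080 beyond loopback. Separately, ExecStartPre rebuilds selkies-gw:local from FROM ghcr.io/selkies-project/nvidia-egl-desktop:24.04 on every start, so a restart after a failure can pull a different base image than the one that was working; pinning the tag to a digest would make restarts reproducible. Also, the comment "see neko.nix for the why" points at a file the header says is now unimported.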
77
services/service-health.nix
Normal file
|
|
@ -0,0 +1,77 @@
|
|||
# services/service-health.nix — ntfy alert when a watched systemd unit fails,
|
||||
# and again when it recovers. Replaces the noisy per-ban CrowdSec pushes
|
||||
# (silenced in services/crowdsec.nix); both share the /var/secrets/ntfy-url topic.
|
||||
#
|
||||
# Detection is event-driven: each watched unit gets OnFailure=notify-failure@%n.
|
||||
# OnFailure fires only once a unit truly enters "failed" state — i.e. after it
|
||||
# has exhausted its Restart= attempts — so transient restarts stay silent and
|
||||
# you're only paged when a service has genuinely given up. The handler sends a
|
||||
# "down" push, then waits for the unit to come back and sends "recovered".
|
||||
#
|
||||
# Requires /var/secrets/ntfy-url (the same topic file CrowdSec used):
|
||||
# echo 'https://ntfy.sh/your-topic' | sudo tee /var/secrets/ntfy-url
|
||||
# sudo chmod 600 /var/secrets/ntfy-url
|
||||
{ config, lib, pkgs, ... }:
|
||||
let
|
||||
# Core media + infra units to page on. All verified to exist on the box;
|
||||
# adding a name that isn't a real unit would create a stray stub service.
|
||||
watched = [
|
||||
"jellyfin" "sonarr" "radarr" "prowlarr" "bazarr"
|
||||
"qbittorrent-nox" "sabnzbd" "authelia-main" "nginx"
|
||||
"adguardhome" "crowdsec" "go2rtc"
|
||||
"homepage-dashboard" "cloudflare-dyndns" "gitea-runner-default"
|
||||
];
|
||||
|
||||
# Reads the topic at runtime (pure flake eval can't see /var/secrets).
|
||||
# $1 = the failed unit's full name, e.g. "jellyfin.service".
|
||||
notify = pkgs.writeShellScript "service-health-notify" ''
|
||||
set -uo pipefail
|
||||
unit="$1"
|
||||
name="''${unit%.service}"
|
||||
host="${config.networking.hostName}"
|
||||
secret=/var/secrets/ntfy-url
|
||||
if [ ! -f "$secret" ]; then
|
||||
echo "service-health: $secret missing; cannot notify" >&2
|
||||
exit 0
|
||||
fi
|
||||
url=$(${pkgs.coreutils}/bin/tr -d '\n' < "$secret")
|
||||
|
||||
post() { # title priority tags body
|
||||
${pkgs.curl}/bin/curl -fsS --max-time 10 \
|
||||
-H "Title: $1" -H "Priority: $2" -H "Tags: $3" \
|
||||
-d "$4" "$url" >/dev/null 2>&1 || true
|
||||
}
|
||||
|
||||
post "Service down" high rotating_light "$name failed on $host"
|
||||
|
||||
# Wait for recovery: up to 2h, polling every 20s.
|
||||
for _ in $(${pkgs.coreutils}/bin/seq 1 360); do
|
||||
${pkgs.coreutils}/bin/sleep 20
|
||||
if ${pkgs.systemd}/bin/systemctl is-active --quiet "$unit"; then
|
||||
post "Service recovered" default white_check_mark "$name is running again on $host"
|
||||
exit 0
|
||||
fi
|
||||
done
|
||||
'';
|
||||
in
|
||||
{
|
||||
config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {
|
||||
|
||||
systemd.services = lib.mkMerge [
|
||||
# Templated handler: %i is the failed unit's full name (jellyfin.service).
|
||||
{
|
||||
"notify-failure@" = {
|
||||
description = "ntfy alert: %i failed";
|
||||
serviceConfig = {
|
||||
Type = "simple";
|
||||
ExecStart = "${notify} %i";
|
||||
};
|
||||
};
|
||||
}
|
||||
# Wire OnFailure onto each watched unit (merges with its existing config).
|
||||
(lib.genAttrs watched (_: {
|
||||
unitConfig.OnFailure = [ "notify-failure@%n.service" ];
|
||||
}))
|
||||
];
|
||||
};
|
||||
}
|
||||
|
|
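Review bot: the recovery loop in notify exits silently after 360 x 20 s (2 h), so a unit that stays failed longer than that produces exactly one "down" push and never a follow-up; either post a final "still down" before the script ends or document the window in the header comment. Because the handler instance notify-failure@<unit>.service stays active while polling, a second OnFailure for the same unit inside that window is a no-op start and sends nothing, which is fine but worth a line in the comment above the template.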
@ -227,12 +227,32 @@ in
|
|||
hl.animation({ leaf = "workspaces", enabled = true, speed = 1, bezier = "snap" })
|
||||
|
||||
-- Window rules
|
||||
-- Don't lock/idle while any window is fullscreen (video, games).
|
||||
hl.window_rule({
|
||||
match = { class = ".*" },
|
||||
idle_inhibit = "fullscreen",
|
||||
})
|
||||
|
||||
-- Battle.net tray icon leaks as a tiny floating XWayland window.
|
||||
hl.window_rule({
|
||||
match = { class = "steam_app_0", title = "^$", float = true },
|
||||
workspace = "special silent",
|
||||
})
|
||||
|
||||
-- Tiny Terraces opens floating by default; force it to tile.
|
||||
hl.window_rule({
|
||||
match = { class = "steam_app_3136330" },
|
||||
tile = true,
|
||||
})
|
||||
|
||||
-- Battle.net (a non-Steam shortcut, so class steam_app_0) spams
|
||||
-- window-activation events that clear quickshell's focus grab and
|
||||
-- instantly close the launcher / power menu. Drop those events.
|
||||
hl.window_rule({
|
||||
match = { class = "steam_app_0" },
|
||||
suppress_event = "activate activatefocus",
|
||||
})
|
||||
|
||||
-- Binds
|
||||
local mod = "SUPER"
|
||||
|
||||
|
|
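Review bot: class steam_app_0 is what every non-Steam shortcut gets, not only Battle.net, so suppress_event = "activate activatefocus" and the "special silent" rule above it apply to any non-Steam game launched through Steam; the comments should say so, or the match should be narrowed with a title pattern as the tray-icon rule already does.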
@ -275,8 +295,10 @@ in
|
|||
end
|
||||
|
||||
-- Screenshots — Shift+Super+S matches GNOME binding
|
||||
hl.bind(mod .. " + SHIFT + S", hl.dsp.exec_cmd("hyprshot -m region --clipboard-only"))
|
||||
hl.bind("Print", hl.dsp.exec_cmd("hyprshot -m output --clipboard-only"))
|
||||
-- Pin/unpin quickshell's focus grab around the region select so an
|
||||
-- open menu survives slurp's input grab (no-ops if qs isn't up).
|
||||
hl.bind(mod .. " + SHIFT + S", hl.dsp.exec_cmd("sh -c 'qs ipc call screenshot pin; hyprshot -m region; qs ipc call screenshot unpin'"))
|
||||
hl.bind("Print", hl.dsp.exec_cmd("hyprshot -m output"))
|
||||
|
||||
-- Settings shortcut — Super+I matches GNOME binding
|
||||
hl.bind(mod .. " + I", hl.dsp.exec_cmd("pavucontrol"))
|
||||
|
|
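Review bot: besides adding the pin/unpin wrapper, the replacement lines drop --clipboard-only from both hyprshot invocations, so region and output captures are now also written to disk; if that is intended the comment should mention it, otherwise restore the flag inside the sh -c string. The ";" separators are right here, since unpin still runs when hyprshot is cancelled.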
@ -356,7 +378,13 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
services.hypridle = lib.mkIf isMacbook {
|
||||
services.hypridle = lib.mkIf isMacbook (
|
||||
let
|
||||
# Skip the action if any MPRIS player is playing — covers windowed
|
||||
# video (Jellyfin in a browser, mpv, …) that the fullscreen
|
||||
# idle_inhibit rule misses. Browsers expose MPRIS via playerctl.
|
||||
unlessPlaying = cmd: "playerctl -a status 2>/dev/null | grep -q Playing || ${cmd}";
|
||||
in {
|
||||
enable = true;
|
||||
settings = {
|
||||
general = {
|
||||
|
|
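Review bot: unlessPlaying fails safe, and that deserves a comment: if playerctl is missing or errors, 2>/dev/null hides it, grep -q finds no "Playing", and the wrapped command runs anyway, so a broken player check can never keep the machine unlocked. Note also that -a means any player in Playing state, including a background browser tab with audio, inhibits the action.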
@ -367,20 +395,21 @@ in
|
|||
listener = [
|
||||
{
|
||||
timeout = 300; # 5 min — lock
|
||||
on-timeout = "loginctl lock-session";
|
||||
on-timeout = unlessPlaying "loginctl lock-session";
|
||||
}
|
||||
{
|
||||
timeout = 420; # 7 min — display off
|
||||
on-timeout = "hyprctl dispatch dpms off";
|
||||
on-timeout = unlessPlaying "hyprctl dispatch dpms off";
|
||||
on-resume = "hyprctl dispatch dpms on";
|
||||
}
|
||||
{
|
||||
timeout = 600; # 10 min — suspend
|
||||
on-timeout = "systemctl suspend";
|
||||
on-timeout = unlessPlaying "systemctl suspend";
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
}
|
||||
);
|
||||
|
||||
# Scope all HM Wayland services (hyprpaper, etc.) to the
|
||||
# Hyprland session so they don't crash-loop in a GNOME session.
|
||||
|
|
|
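Review bot: wrapping loginctl lock-session in unlessPlaying turns the screen lock into something any MPRIS player in Playing state can hold off indefinitely, a weaker guarantee than for the dpms-off and suspend listeners; if the lock is meant as a security boundary on the laptop, consider leaving on-timeout = "loginctl lock-session" unconditional and gating only the dpms and suspend actions.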