Rebase to flake parts #8

modules/hosts/14900k/_private/jellyfin-nfs-export.nix

@@ -0,0 +1,48 @@
+# Export large Jellyfin media trees to nix-server. Local path must already exist
+# (e.g. /mnt/test/jellyfin/{movies,tv}). On nix-server this is mounted at /mnt/nixdesk-jellyfin.
+#
+# After deploy: ensure Jellyfin can read files over NFS — typical fix:
+#   chmod -R a+rX /mnt/test/jellyfin
+{ ... }:
+{
+  # Avoid UID/GID mismatches across machines: map all NFS writes from nix-server to a single
+  # local system user/group on this server.
+  users.groups.nfsmedia = { gid = 990; };
+  users.users.nfsmedia = {
+    isSystemUser = true;
+    uid = 990;
+    group = "nfsmedia";
+  };
+
+  systemd.tmpfiles.settings."14900k-jellyfin-media-dirs" = {
+    "/mnt/test/jellyfin"."d" = { mode = "2775"; user = "nfsmedia"; group = "nfsmedia"; };
+    "/mnt/test/jellyfin/movies"."d" = { mode = "2775"; user = "nfsmedia"; group = "nfsmedia"; };
+    "/mnt/test/jellyfin/tv"."d" = { mode = "2775"; user = "nfsmedia"; group = "nfsmedia"; };
+  };
+
+  # Fixed ports so the firewall can allow NFS v3 helpers (see networking.firewall below).
+  services.nfs.server = {
+    enable = true;
+    mountdPort = 4000;
+    lockdPort = 4001;
+    statdPort = 4002;
+    exports = ''
+      /mnt/test/jellyfin 192.168.2.238(rw,sync,no_subtree_check,crossmnt,root_squash,all_squash,anonuid=990,anongid=990)
+    '';
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    111 # portmapper
+    2049
+    4000
+    4001
+    4002
+  ];
+  networking.firewall.allowedUDPPorts = [
+    111
+    2049
+    4000
+    4001
+    4002
+  ];
+}

modules/hosts/14900k/configuration.nix

@@ -17,6 +17,7 @@
         ./_private/peripherals.nix
         # ./_private/printing-epson.nix
         ./_private/displays.nix
+        ./_private/jellyfin-nfs-export.nix
       ];
 
       sops = {
@@ -37,7 +38,24 @@
         group = "users";
         mode = "0400";
       };
+services.cloudflare-warp.enable = true;
 
+      # Intel iGPU video acceleration (VA-API / QSV via oneVPL).
+      # This fixes common NixOS issues like `vaInitialize failed` and missing QSV encoders in apps.
+      hardware.graphics = {
+        enable = true;
+        extraPackages = with pkgs; [
+          intel-media-driver # iHD (Gen8+)
+          vpl-gpu-rt # oneVPL runtime (QSV)
+          libvdpau-va-gl
+        ];
+      };
+
+      environment.sessionVariables = {
+        LIBVA_DRIVER_NAME = "iHD";
+        # Force VA-API to use the Intel iGPU render node (otherwise libva may pick NVIDIA and iHD fails).
+        LIBVA_DRM_DEVICE = "/dev/dri/renderD128";
+      };
 
       chiasson.system.caching.attic = {
         enable = true;
@@ -86,7 +104,20 @@
         palera1n.enable = true;
         uconsoleKernelBuilder.enable = true;
 
-        extraPackages = [ pkgs.sops pkgs.nodejs_22 ];
+        extraPackages = with pkgs; [
+          sops
+          nodejs_22
+          ffmpeg
+          bento4
+          yt-dlp
+
+          # Native install (avoid flatpak sandbox issues for QSV/VAAPI).
+          handbrake
+
+          # Diagnostics
+          libva-utils # vainfo
+        ];
+   
 
         networking = {
           hostName = "nixdesk";
@@ -102,6 +133,7 @@
         self.homeManagerModules.wisdomTerminalsKitty
         self.homeManagerModules.wisdomBrowsersEdge
         self.homeManagerModules.wisdomBrowsersFlow
+        self.homeManagerModules.wisdomBrowsersOrion
         self.homeManagerModules.wisdomEditorsCursor
         self.homeManagerModules.wisdomEditorsObsidian
         self.homeManagerModules.wisdomShellYazi
@@ -135,6 +167,7 @@
 
             browsers.edge.enable = true;
             browsers.flow.enable = false;
+            browsers.orion.enable = true;
 
             editors.cursor.enable = true;
             editors.obsidian.enable = true;