Rebase to flake parts #11

modules/hosts/14900k/_private/jellyfin-nfs-export.nix

@@ -1,8 +1,7 @@
 # NFS exports from nixdesk (14900k) to nix-server (192.168.2.238):
-# - /mnt/test/jellyfin → nix-server /mnt/nixdesk-jellyfin (Jellyfin bulk libraries)
-# - /mnt/media → nix-server /mnt/media (Btrfs MediaLibrary disk; see media-disk.nix)
+# - /mnt/deep/jellyfin → nix-server /mnt/nixdesk-jellyfin (Jellyfin bulk libraries)
 #
-# NTFS on nixdesk uses uid=olivier + gid=nfsmedia (990); dirs here are olivier:nfsmedia 2775 so
+# Jellyfin root on nixdesk uses owner olivier + group nfsmedia (990); dirs here are 2775 so
 # local writes and NFS all_squash (anonuid=olivier, anongid=990) get rwx via owner or group.
 #
 # Legacy trees may still need a one-time `chgrp -R nfsmedia` / `chmod -R g+rwX` on deep folders.
@@ -20,16 +19,9 @@ in
     group = "nfsmedia";
   };
 
-  # olivier: owner for local use; nfsmedia: group matches NTFS gid=990 and NFS all_squash (990).
+  # olivier: owner for local use; nfsmedia: group used by NFS all_squash (990).
   systemd.tmpfiles.settings."14900k-nfs-export-paths" = {
-    "/mnt/test"."d" = { mode = "2775"; user = "olivier"; group = "nfsmedia"; };
-    "/mnt/test/jellyfin"."d" = { mode = "2775"; user = "olivier"; group = "nfsmedia"; };
-    "/mnt/test/jellyfin/movies"."d" = { mode = "2775"; user = "olivier"; group = "nfsmedia"; };
-    "/mnt/test/jellyfin/tv"."d" = { mode = "2775"; user = "olivier"; group = "nfsmedia"; };
-    "/mnt/media"."d" = { mode = "2775"; user = "olivier"; group = "nfsmedia"; };
-    "/mnt/media/Movies"."d" = { mode = "2775"; user = "olivier"; group = "nfsmedia"; };
-    "/mnt/media/TV"."d" = { mode = "2775"; user = "olivier"; group = "nfsmedia"; };
-    "/mnt/media/Videos"."d" = { mode = "2775"; user = "olivier"; group = "nfsmedia"; };
+    "/mnt/deep/jellyfin"."d" = { mode = "2775"; user = "olivier"; group = "nfsmedia"; };
   };
 
   # After exports are up, ensure group nfsmedia can write throughout library roots (idempotent;
@@ -37,9 +29,7 @@ in
   system.activationScripts.nfs-export-group-write = {
     deps = [ "specialfs" ];
     text = ''
-      for d in \
-        /mnt/media/TV /mnt/media/Movies /mnt/media/Videos \
-        /mnt/test/jellyfin/tv /mnt/test/jellyfin/movies
+      for d in /mnt/deep/jellyfin
       do
         [ -d "$d" ] || continue
         ${pkgs.acl}/bin/setfacl -R -m g:nfsmedia:rwx "$d" 2>/dev/null || true
@@ -58,8 +48,7 @@ in
     # Squash nix-server clients to olivier:nfsmedia so Jellyfin can write .nfo/posters into
     # existing olivier-owned library folders (990-only squash was "other" r-x on typical 755 trees).
     exports = ''
-      /mnt/test/jellyfin 192.168.2.238(rw,sync,no_subtree_check,crossmnt,root_squash,all_squash,anonuid=${toString olivierUid},anongid=990,fsid=1)
-      /mnt/media 192.168.2.238(rw,sync,no_subtree_check,crossmnt,root_squash,all_squash,anonuid=${toString olivierUid},anongid=990,fsid=2)
+      /mnt/deep/jellyfin 192.168.2.238(rw,sync,no_subtree_check,crossmnt,root_squash,all_squash,anonuid=${toString olivierUid},anongid=990,fsid=1)
     '';
   };
 

modules/hosts/14900k/_private/media-disk.nix

@@ -6,29 +6,42 @@ let
 in
 {
   users.users.olivier.uid = lib.mkDefault 1000;
-
-  fileSystems."/mnt/media" = {
+  # LABEL="MediaLibrary" (btrfs on sda1 by UUID). No subvol=@ — this disk has no @ subvolume.
+  fileSystems."/mnt/2nd" = {
     device = "/dev/disk/by-uuid/17d8a981-db3b-415e-a0f7-7dbc519e04ab";
     fsType = "btrfs";
     options = [
-      "subvol=@"
       "compress=zstd"
       "noatime"
+      "nofail"
+      "x-systemd.device-timeout=30"
+    ];
+  };
+
+#new deep storage unit
+  fileSystems."/mnt/deep" = {
+    device = "/dev/disk/by-uuid/64fb08fe-da5d-4405-afa3-1603a411e9e5";
+    fsType = "btrfs";
+    options = [
+      "compress=zstd"
+      "noatime"
+      "nofail"
+      "x-systemd.device-timeout=30"
     ];
   };
 
   # LABEL="Deep Storage Unit". Owner olivier, group nfsmedia (990) so:
   # - local logins write as user 1000 (owner rwx);
   # - NFS (all_squash → uid/gid 990) matches group 990 → rwx (see jellyfin-nfs-export).
-  fileSystems."/mnt/test" = {
-    device = "/dev/disk/by-uuid/BC12E55E12E51DE0";
-    fsType = "ntfs-3g";
-    options = [
-      "rw"
-      "force"
-      "uid=${toString olivierUid}"
-      "gid=990"
-      "umask=0002"
-    ];
-  };
+  #fileSystems."/mnt/test" = {
+  #  device = "/dev/disk/by-uuid/BC12E55E12E51DE0";
+  #  fsType = "ntfs-3g";
+  #  options = [
+  #    "rw"
+  #    "force"
+  #    "uid=${toString olivierUid}"
+  #    "gid=990"
+  #    "umask=0002"
+  #  ];
+  #};
 }

modules/hosts/14900k/_private/nvidia.nix

@@ -12,7 +12,7 @@
     powerManagement.finegrained = false;
     open = true;
     nvidiaSettings = true;
-    package = config.boot.kernelPackages.nvidiaPackages.stable;
+    package = config.boot.kernelPackages.nvidiaPackages.latest;
   };
 
   hardware.nvidia-container-toolkit.enable = true;

modules/hosts/14900k/_private/platform.nix

@@ -7,6 +7,7 @@
 
   hardware.enableRedistributableFirmware = true;
   hardware.enableAllFirmware = true;
+  hardware.cpu.intel.updateMicrocode = true;
 
   nix.settings.experimental-features = [ "nix-command" "flakes" ];
 

modules/hosts/14900k/configuration.nix

@@ -45,6 +45,7 @@ services.cloudflare-warp.enable = true;
       # This fixes common NixOS issues like `vaInitialize failed` and missing QSV encoders in apps.
       hardware.graphics = {
         enable = true;
+        enable32Bit = true; # Required by Wine/DXVK for 32-bit Vulkan userspace.
         extraPackages = with pkgs; [
           intel-media-driver # iHD (Gen8+)
           vpl-gpu-rt # oneVPL runtime (QSV)
@@ -84,17 +85,22 @@ services.cloudflare-warp.enable = true;
         };
       };
 
+      chiasson.system.chromiumHevc.enable = true;
+
       chiasson.system = {
         ytDlpTelequebecPatch.enable = true;
 
         audio.enable = true;
         docker.enable = true;
         gaming.enable = true;
+        gaming.launchers.enableBottles = false;
+        gaming.gamescope.enable = true;
         gaming.steam.steamTinkerLaunch.enable = true;
 
         monitorInput.enable = true;
 
         flatpak.enable = true;
+        flatpak.flathub.appIds = [ "com.usebottles.bottles" ];
 
         palera1n.enable = true;
         uconsoleKernelBuilder.enable = true;
@@ -116,6 +122,8 @@ services.cloudflare-warp.enable = true;
           vlc
           element-desktop
           thunderbird
+
+          prismlauncher
         ];
    
 
@@ -134,6 +142,8 @@ services.cloudflare-warp.enable = true;
         self.homeManagerModules.wisdomBrowsersEdge
         self.homeManagerModules.wisdomBrowsersFlow
         self.homeManagerModules.wisdomBrowsersOrion
+        self.homeManagerModules.wisdomBrowsersZen
+        self.homeManagerModules.wisdomBrowsersChromiumHevc
         self.homeManagerModules.wisdomEditorsCursor
         self.homeManagerModules.wisdomEditorsObsidian
         self.homeManagerModules.wisdomShellYazi
@@ -142,7 +152,6 @@ services.cloudflare-warp.enable = true;
         self.homeManagerModules.wisdomAppsDiscord
         self.homeManagerModules.wisdomAppsSpotify
         self.homeManagerModules.wisdomAppsLocalsend
-        self.homeManagerModules.wisdomAppsSpacedrive
         self.homeManagerModules.wisdomAppsPokeclicker
         self.homeManagerModules.wisdomDesktopScreenshot
         self.homeManagerModules.wisdomDesktopGtkQtTheming
@@ -169,6 +178,12 @@ services.cloudflare-warp.enable = true;
             browsers.edge.enable = true;
             browsers.flow.enable = false;
             browsers.orion.enable = true;
+            browsers.zen.enable = true;
+            browsers.chromiumHevc = {
+              enable = true;
+              packages = [ "google-chrome" ];
+              vaapi.gpu = "intel"; # Chromium + NVIDIA VA-API → frame pool errors in Jellyfin cuz chrome is proprietary rats nests, gecko engine might support NVIDIA VA-API
+            };
 
             editors.cursor.enable = true;
             editors.obsidian.enable = true;
@@ -178,7 +193,6 @@ services.cloudflare-warp.enable = true;
               spotify.enable = true;
               spotify.openDiscoveryFirewall = true;
               localsend.enable = true;
-              spacedrive.enable = true;
               pokeclicker.enable = true;
             };
 

modules/hosts/ideapad/configuration.nix

@@ -141,7 +141,6 @@
         self.homeManagerModules.wisdomShellOhMyPosh
         self.homeManagerModules.wisdomAppsSpotify
         self.homeManagerModules.wisdomAppsLocalsend
-        self.homeManagerModules.wisdomAppsSpacedrive
         self.homeManagerModules.wisdomDesktopScreenshot
         {
           chiasson.home = {
@@ -156,7 +155,6 @@
             editors.cursor.enable = true;
             apps.spotify.enable = true;
             apps.localsend.enable = true;
-            apps.spacedrive.enable = true;
             desktop = {
               screenshot = {
                 enable = true;

modules/hosts/nix-server/_services/attic-cache-server.nix

@@ -1,4 +1,5 @@
-{ config, ... }: {
+{ config, lib, ... }:
+{
   sops = {
     templates."atticd.env" = {
       owner = "root";
@@ -17,14 +18,48 @@
     mode = "0400";
   };
 
+  # SQLite on disk was the main source of random multi-minute stalls (see attic#113).
+  # NAR blobs stay in /var/lib/atticd/storage; only metadata moves to Postgres.
+  services.postgresql = {
+    enable = true;
+    ensureDatabases = [ "atticd" ];
+    ensureUsers = [
+      {
+        name = "atticd";
+        ensureDBOwnership = true;
+      }
+    ];
+  };
+
   services.atticd = {
     enable = true;
     environmentFile = config.sops.templates."atticd.env".path;
     settings = {
-      listen = "[::]:8080";
+      listen = "0.0.0.0:8080";
       jwt = { };
+      # Use a libpq socket URI format accepted by Attic's parser.
+      database.url = "postgresql:///atticd?host=/run/postgresql&user=atticd";
+      chunking = {
+        nar-size-threshold = 65536;
+        min-size = 16384;
+        avg-size = 65536;
+        max-size = 262144;
+      };
+      storage = {
+        type = "local";
+        path = "/var/lib/atticd/storage";
+      };
+    };
+  };
+
+  systemd.services.atticd = {
+    serviceConfig = {
+      Restart = lib.mkForce "always";
+      RestartSec = lib.mkForce 5;
+      # Large closures; default limits can wedge uploads under load.
+      LimitNOFILE = 1048576;
     };
   };
 
   chiasson.system.networking.firewall.allowedTCPPorts = [ 8080 ];
-}
+}

modules/hosts/nix-server/_services/jellyfin.nix

@@ -53,7 +53,7 @@
   # not writable by uid jellyfin (it only had group `jellyfin`), so deletes fail.
   systemd.services.jellyfin.serviceConfig = {
     SupplementaryGroups = [ "media" ];
-    # Jellyfin libraries on NFS (e.g. /mnt/media, /mnt/nixdesk-jellyfin). PrivateUsers breaks
+    # Jellyfin libraries on NFS (e.g. /mnt/nixdesk-jellyfin). PrivateUsers breaks
     # uid mapping for NFS auth in practice; disable so metadata writes use the real jellyfin uid
     # (squashed to olivier:nfsmedia on nixdesk exports).
     PrivateUsers = lib.mkForce false;

modules/hosts/nix-server/_services/nixdesk-nfs-client.nix

@@ -28,13 +28,7 @@ let
 in
 {
   fileSystems."/mnt/nixdesk-jellyfin" = {
-    device = "${nfsExportHost}:/mnt/test/jellyfin";
-    fsType = "nfs";
-    options = nfsClientOpts;
-  };
-
-  fileSystems."/mnt/media" = {
-    device = "${nfsExportHost}:/mnt/media";
+    device = "${nfsExportHost}:/mnt/deep/jellyfin";
     fsType = "nfs";
     options = nfsClientOpts;
   };

modules/hosts/uConsole/_private/cockpit.nix

@@ -10,7 +10,7 @@ in
     openFirewall = true;
     allowed-origins = [
       "https://${config.networking.hostName}:${toString config.services.cockpit.port}"
-      "https://192.168.2.60:${toString config.services.cockpit.port}"
+      "https://192.168.2.99:${toString config.services.cockpit.port}"
     ];
     plugins = with pkgs; [
       cockpit-files