Enable sysrq for debugging.

Otherwise, sshd will try and fail to bind on the tailscale IP before
tailscale is up.

CLAUDE.md

@@ -20,7 +20,8 @@ NixOS cluster configuration using flakes. Homelab infrastructure with Nomad/Cons
 ├── docs/
 │   ├── CLUSTER_REVAMP.md    # Master plan for architecture changes
 │   ├── MIGRATION_TODO.md    # Tracking checklist for migration
-│   └── NFS_FAILOVER.md      # NFS failover procedures
+│   ├── NFS_FAILOVER.md      # NFS failover procedures
+│   └── AUTH_SETUP.md        # Authentication (Pocket ID + Traefik OIDC)
 └── services/            # Nomad job specs (.hcl files)
 ```
 
@@ -76,6 +77,12 @@ NixOS cluster configuration using flakes. Homelab infrastructure with Nomad/Cons
 - SOPS for secrets, files in `secrets/`
 - Keys managed per-host
 
+**Authentication**:
+- Pocket ID (OIDC provider) at `pocket-id.v.paler.net`
+- Traefik uses `traefik-oidc-auth` plugin for SSO
+- Services add `middlewares=oidc-auth@file` tag to protect
+- See `docs/AUTH_SETUP.md` for details
+
 ## Migration Status
 
 **Phase 3 & 4**: COMPLETE! GlusterFS removed, all services on NFS

common/cifs-client.nix

@@ -1,7 +1,7 @@
 { pkgs, ... }:
 let
   # this line prevents hanging on network split
-  automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.mount-timeout=5s";
+  automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.mount-timeout=5s,nobrl";
 in
 {
   environment.systemPackages = [ pkgs.cifs-utils ];

docs/AUTH_SETUP.md

@@ -0,0 +1,55 @@
+# Authentication Setup
+
+SSO for homelab services using OIDC.
+
+## Architecture
+
+**Pocket ID** (`pocket-id.v.paler.net`) - Lightweight OIDC provider, data in `/data/services/pocket-id`
+
+**Traefik** - Uses `traefik-oidc-auth` plugin (v0.16.0) to protect services
+- Plugin downloaded from GitHub at startup, cached in `/data/services/traefik/plugins-storage`
+- Middleware config in `/data/services/traefik/rules/middlewares.yml`
+- Protected services add tag: `traefik.http.routers.<name>.middlewares=oidc-auth@file`
+
+## Flow
+
+1. User hits protected service → Traefik intercepts
+2. Redirects to Pocket ID for login
+3. Pocket ID returns OIDC token
+4. Traefik validates and forwards with `X-Oidc-Username` header
+
+## Protected Services
+
+Use `oidc-auth@file` middleware (grep codebase for full list):
+- Wikis (TiddlyWiki instances)
+- Media stack (Radarr, Sonarr, Plex, etc.)
+- Infrastructure (Traefik dashboard, Loki, Jupyter, Unifi)
+
+## Key Files
+
+- `services/pocket-id.hcl` - OIDC provider
+- `services/traefik.hcl` - Plugin declaration
+- `/data/services/traefik/rules/middlewares.yml` - Middleware definitions (oidc-auth, simple-auth fallback)
+
+## Cold Start Notes
+
+- Traefik needs internet to download plugin on first start
+- Pocket ID needs `/data/services` NFS mounted
+- Pocket ID down = all protected services inaccessible
+
+## Troubleshooting
+
+**Infinite redirects**: Check `TRUST_PROXY=true` on Pocket ID
+
+**Plugin not loading**: Clear cache in `/data/services/traefik/plugins-storage/`, restart Traefik
+
+**401 after login**: Verify client ID/secret in middlewares.yml matches Pocket ID client config
+
+## Migration History
+
+- Previous: Authentik with forwardAuth (removed Nov 2024)
+- Current: Pocket ID + traefik-oidc-auth (simpler, lighter)
+
+---
+
+*Manage users/clients via Pocket ID UI. Basic auth fallback available via `simple-auth` middleware.*

flake.lock

@@ -62,11 +62,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1762889327,
+        "lastModified": 1763766218,
-        "narHash": "sha256-BaWFCPKMsL8eh2aokQjDOnjnm/T0E9P8/bzeOXLvijo=",
+        "narHash": "sha256-CM694zS6IeO/tFvUW7zhlb8t67+6L9QfvCDgQy0nVyQ=",
         "owner": "nix-community",
         "repo": "browser-previews",
-        "rev": "cafc3bbbb81eb4c2b78b11bab434eca2b0d3cb39",
+        "rev": "04f8550aa62ccda42a6eb839a4ccf6cdcf3d953d",
         "type": "github"
       },
       "original": {
@@ -105,11 +105,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1741473158,
+        "lastModified": 1762521437,
-        "narHash": "sha256-kWNaq6wQUbUMlPgw8Y+9/9wP0F8SHkjy24/mN3UAppg=",
+        "narHash": "sha256-RXN+lcx4DEn3ZS+LqEJSUu/HH+dwGvy0syN7hTo/Chg=",
         "owner": "numtide",
         "repo": "devshell",
-        "rev": "7c9e793ebe66bcba8292989a68c0419b737a22a0",
+        "rev": "07bacc9531f5f4df6657c0a02a806443685f384a",
         "type": "github"
       },
       "original": {
@@ -125,11 +125,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1762276996,
+        "lastModified": 1764110879,
-        "narHash": "sha256-TtcPgPmp2f0FAnc+DMEw4ardEgv1SGNR3/WFGH0N19M=",
+        "narHash": "sha256-xanUzIb0tf3kJ+PoOFmXEXV1jM3PjkDT/TQ5DYeNYRc=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "af087d076d3860760b3323f6b583f4d828c1ac17",
+        "rev": "aecba248f9a7d68c5d1ed15de2d1c8a4c994a3c5",
         "type": "github"
       },
       "original": {
@@ -152,11 +152,11 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1762930906,
+        "lastModified": 1764174664,
-        "narHash": "sha256-jRmmOm0lsj4fslaPtZP0RIDIG/X/Mu1v1Rw1vBPkYe4=",
+        "narHash": "sha256-CYAjcXbI6RzQ3cWKiW/u3ZiJCeVX9PQd2J0+V8zX7c8=",
         "owner": "nix-community",
         "repo": "ethereum.nix",
-        "rev": "3454a125aab212f4a243feb623d6f495f6ad38d7",
+        "rev": "e3a1e2d86a6bc1ef25bdb395d9c770b471d53e7f",
         "type": "github"
       },
       "original": {
@@ -202,11 +202,11 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1762040540,
+        "lastModified": 1762980239,
-        "narHash": "sha256-z5PlZ47j50VNF3R+IMS9LmzI5fYRGY/Z5O5tol1c9I4=",
+        "narHash": "sha256-8oNVE8TrD19ulHinjaqONf9QWCKK+w4url56cdStMpM=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "0010412d62a25d959151790968765a70c436598b",
+        "rev": "52a2caecc898d0b46b2b905f058ccc5081f842da",
         "type": "github"
       },
       "original": {
@@ -223,11 +223,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1762810396,
+        "lastModified": 1763759067,
-        "narHash": "sha256-dxFVgQPG+R72dkhXTtqUm7KpxElw3u6E+YlQ2WaDgt8=",
+        "narHash": "sha256-LlLt2Jo/gMNYAwOgdRQBrsRoOz7BPRkzvNaI/fzXi2Q=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "0bdadb1b265fb4143a75bd1ec7d8c915898a9923",
+        "rev": "2cccadc7357c0ba201788ae99c4dfa90728ef5e0",
         "type": "github"
       },
       "original": {
@@ -308,11 +308,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1759569036,
+        "lastModified": 1762247499,
-        "narHash": "sha256-FuxbXLDArxD1NeRR8zNnsb8Xww5/+qdMwzN1m8Kow/M=",
+        "narHash": "sha256-dPBqjoBcP3yczY7EUQP6BXf58wauRl+lZVZ/fabgq3E=",
         "owner": "shazow",
         "repo": "foundry.nix",
-        "rev": "47ba6d3b02bf3faaa857d3572df82ff186d5279a",
+        "rev": "ae6473c7190edea0e505f433293688014b556b29",
         "type": "github"
       },
       "original": {
@@ -352,11 +352,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1758463745,
+        "lastModified": 1763992789,
-        "narHash": "sha256-uhzsV0Q0I9j2y/rfweWeGif5AWe0MGrgZ/3TjpDYdGA=",
+        "narHash": "sha256-WHkdBlw6oyxXIra/vQPYLtqY+3G8dUVZM8bEXk0t8x4=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "3b955f5f0a942f9f60cdc9cacb7844335d0f21c3",
+        "rev": "44831a7eaba4360fb81f2acc5ea6de5fde90aaa3",
         "type": "github"
       },
       "original": {
@@ -716,11 +716,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1762660502,
+        "lastModified": 1763870992,
-        "narHash": "sha256-C9F1C31ys0V7mnp4EcDy7L1cLZw/sCTEXqqTtGnvu08=",
+        "narHash": "sha256-NPyc76Wxmv/vAsXJ8F+/8fXECHYcv2YGSqdiSHp/F/A=",
         "owner": "nix-community",
         "repo": "nix-index-database",
-        "rev": "15c5451c63f4c612874a43846bfe3fa828b03eee",
+        "rev": "d7423982c7a26586aa237d130b14c8b302c7a367",
         "type": "github"
       },
       "original": {
@@ -731,11 +731,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1762847253,
+        "lastModified": 1764328224,
-        "narHash": "sha256-BWWnUUT01lPwCWUvS0p6Px5UOBFeXJ8jR+ZdLX8IbrU=",
+        "narHash": "sha256-hFyF1XQd+XrRx7WZCrGJp544dykexD8Q5SrJJZpEQYg=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "899dc449bc6428b9ee6b3b8f771ca2b0ef945ab9",
+        "rev": "d62603a997438e19182af69d3ce7be07565ecad4",
         "type": "github"
       },
       "original": {
@@ -747,11 +747,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1762756533,
+        "lastModified": 1763948260,
-        "narHash": "sha256-HiRDeUOD1VLklHeOmaKDzf+8Hb7vSWPVFcWwaTrpm+U=",
+        "narHash": "sha256-dY9qLD0H0zOUgU3vWacPY6Qc421BeQAfm8kBuBtPVE0=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "c2448301fb856e351aab33e64c33a3fc8bcf637d",
+        "rev": "1c8ba8d3f7634acac4a2094eef7c32ad9106532c",
         "type": "github"
       },
       "original": {
@@ -793,11 +793,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1761880412,
+        "lastModified": 1763191728,
-        "narHash": "sha256-QoJjGd4NstnyOG4mm4KXF+weBzA2AH/7gn1Pmpfcb0A=",
+        "narHash": "sha256-esRhOS0APE6k40Hs/jjReXg+rx+J5LkWw7cuWFKlwYA=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "a7fc11be66bdfb5cdde611ee5ce381c183da8386",
+        "rev": "1d4c88323ac36805d09657d13a5273aea1b34f0c",
         "type": "github"
       },
       "original": {
@@ -809,11 +809,11 @@
     },
     "nixpkgs-unstable_2": {
       "locked": {
-        "lastModified": 1762844143,
+        "lastModified": 1764242076,
-        "narHash": "sha256-SlybxLZ1/e4T2lb1czEtWVzDCVSTvk9WLwGhmxFmBxI=",
+        "narHash": "sha256-sKoIWfnijJ0+9e4wRvIgm/HgE27bzwQxcEmo2J/gNpI=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "9da7f1cf7f8a6e2a7cb3001b048546c92a8258b4",
+        "rev": "2fad6eac6077f03fe109c4d4eb171cf96791faa4",
         "type": "github"
       },
       "original": {
@@ -849,11 +849,11 @@
         "systems": "systems_5"
       },
       "locked": {
-        "lastModified": 1762904125,
+        "lastModified": 1764238240,
-        "narHash": "sha256-+T9oUulnXOQmy37GGOivHSvEyViA4gQ41mFZEPEDuOA=",
+        "narHash": "sha256-7Znm3koZ4sF+O41Y7rJqf651BPEbjIUYF3r9H23GRGw=",
         "owner": "nix-community",
         "repo": "nixvim",
-        "rev": "84902b354fd0f122c40880b90dc8ac89d4d0daea",
+        "rev": "f1e07ba53abd0fb4872a365cba45562144ad6130",
         "type": "github"
       },
       "original": {
@@ -897,11 +897,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1762734885,
+        "lastModified": 1762999930,
-        "narHash": "sha256-HvM+nF1iuD1AolgbJZe/hJp4WwXtezwhKQaD815lskQ=",
+        "narHash": "sha256-uKyxLwiN6sD6EmRSno66y1a8oqISr1XiWxbWHoMJT7I=",
         "owner": "henrysipp",
         "repo": "omarchy-nix",
-        "rev": "128a95235f39443cf77fbb4786626a5401291c65",
+        "rev": "308e0f85a0deb820c01cfbe1b4faee1daab4da12",
         "type": "github"
       },
       "original": {
@@ -958,11 +958,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1762812535,
+        "lastModified": 1764021963,
-        "narHash": "sha256-A91a+K0Q9wfdPLwL06e/kbHeAWSzPYy2EGdTDsyfb+s=",
+        "narHash": "sha256-1m84V2ROwNEbqeS9t37/mkry23GBhfMt8qb6aHHmjuc=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "d75e4f89e58fdda39e4809f8c52013caa22483b7",
+        "rev": "c482a1c1bbe030be6688ed7dc84f7213f304f1ec",
         "type": "github"
       },
       "original": {
@@ -1069,11 +1069,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1762305549,
+        "lastModified": 1762938485,
-        "narHash": "sha256-iHxl8YwQsCX9QyB0ImEvmr+C3FuZP0BR/9vMmjbaITA=",
+        "narHash": "sha256-AlEObg0syDl+Spi4LsZIBrjw+snSVU4T8MOeuZJUJjM=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "144d1e80d642c50c71846c0cb674e86c956e9a24",
+        "rev": "5b4ee75aeefd1e2d5a1cc43cf6ba65eba75e83e4",
         "type": "github"
       },
       "original": {

hosts/alo-cloud-1/default.nix

@@ -24,4 +24,15 @@
     externalInterface = "enp1s0";
     internalInterfaces = [ "tailscale0" ];
   };
+
+  networking.firewall = {
+    enable = lib.mkForce true;
+    allowedTCPPorts = [ 80 443 ];  # Public web traffic only
+    allowedUDPPorts = [ 41641 ];   # Tailscale
+    trustedInterfaces = [ "tailscale0" ];  # Full access via VPN
+  };
+
+  services.openssh = {
+    settings.PasswordAuthentication = false;  # Keys only
+  };
 }

hosts/beefy/default.nix

@@ -18,4 +18,7 @@
   networking.hostName = "beefy";
   networking.cluster.primaryInterface = "enp1s0";
   services.tailscaleAutoconnect.authkey = "tskey-auth-k79UsDTw2v11CNTRL-oYqji35BE9c7CqM89Dzs9cBF14PmqYsi";
+
+  # Enable all SysRq functions for debugging hangs
+  boot.kernel.sysctl."kernel.sysrq" = 1;
 }

services/homepage.hcl

@@ -0,0 +1,50 @@
+job "homepage" {
+  datacenters = ["alo"]
+
+  group "app" {
+    network {
+      port "http" { to = 3000 }
+    }
+
+    task "homepage" {
+      driver = "docker"
+
+      config {
+        image = "ghcr.io/gethomepage/homepage:latest"
+        ports = [ "http" ]
+        volumes = [
+          "/data/services/homepage:/app/config",
+        ]
+      }
+
+      env {
+        PUID = 1000
+        PGID = 1000
+        HOMEPAGE_ALLOWED_HOSTS = "homepage.v.paler.net"
+      }
+
+      resources {
+        cpu = 200
+        memory = 256
+      }
+
+      service {
+        name = "homepage"
+        port = "http"
+
+        tags = [
+          "traefik.enable=true",
+          "traefik.http.routers.homepage.entryPoints=websecure",
+          "traefik.http.routers.homepage.middlewares=oidc-auth@file",
+        ]
+
+        check {
+          type     = "http"
+          path     = "/"
+          interval = "10s"
+          timeout  = "5s"
+        }
+      }
+    }
+  }
+}

services/media.hcl

@@ -7,9 +7,12 @@ job "media" {
 
   group "servers" {
     network {
-      port "radarr" { to = 7878 }
+      port "radarr" { static = 7878 }
-      port "sonarr" { to = 8989 }
+      port "sonarr" { static = 8989 }
       port "bazarr" { to = 6767 }
+      port "prowlarr" { static = 9696 }
+      port "jellyseerr" { static = 5055 }
+      port "flaresolverr" { static = 8191 }
       port "pms" { static = 32400 }
       port "qbt_ui" { static = 8080 }
       port "qbt_torrent" { static = 51413 }
@@ -34,7 +37,7 @@ job "media" {
       }
 
       resources {
-        cpu = 200
+        cpu = 1000
       }
 
       service {
@@ -68,7 +71,8 @@ job "media" {
       }
 
       resources {
-        cpu = 200
+        cpu = 1000
+        memory = 500
       }
 
       service {
@@ -83,15 +87,49 @@ job "media" {
       }
     }
 
-    task "bazarr" {
+#    task "bazarr" {
+#      driver = "docker"
+#
+#      config {
+#        image = "ghcr.io/hotio/bazarr:latest"
+#        ports = [ "bazarr" ]
+#        volumes = [
+#          "/data/services/media/bazarr:/config",
+#          "/data/media/media:/data/media",
+#        ]
+#      }
+#
+#      env {
+#        PUID = 1000
+#        PGID = 1000
+#        TZ = "Europe/Lisbon"
+#      }
+#
+#      resources {
+#        cpu = 200
+#        memory = 500
+#      }
+#
+#      service {
+#        name = "bazarr"
+#        port = "bazarr"
+#
+#        tags = [
+#          "traefik.enable=true",
+#          "traefik.http.routers.bazarr.entryPoints=websecure",
+#          "traefik.http.routers.bazarr.middlewares=oidc-auth@file",
+#        ]
+#      }
+#    }
+
+    task "prowlarr" {
       driver = "docker"
 
       config {
-        image = "ghcr.io/hotio/bazarr:latest"
+        image = "ghcr.io/hotio/prowlarr:latest"
-        ports = [ "bazarr" ]
+        ports = [ "prowlarr" ]
         volumes = [
-          "/data/services/media/bazarr:/config",
+          "/data/services/media/prowlarr:/config",
-          "/data/media/media:/data/media",
         ]
       }
 
@@ -106,17 +144,93 @@ job "media" {
       }
 
       service {
-        name = "bazarr"
+        name = "prowlarr"
-        port = "bazarr"
+        port = "prowlarr"
 
         tags = [
           "traefik.enable=true",
-          "traefik.http.routers.bazarr.entryPoints=websecure",
+          "traefik.http.routers.prowlarr.entryPoints=websecure",
-          "traefik.http.routers.bazarr.middlewares=oidc-auth@file",
+          "traefik.http.routers.prowlarr.middlewares=oidc-auth@file",
         ]
       }
     }
 
+    task "jellyseerr" {
+      driver = "docker"
+
+      config {
+        image = "fallenbagel/jellyseerr:latest"
+        ports = [ "jellyseerr" ]
+        volumes = [
+          "/data/services/media/jellyseerr:/app/config",
+        ]
+      }
+
+      env {
+        TZ = "Europe/Lisbon"
+      }
+
+      resources {
+        cpu = 200
+      }
+
+      service {
+        name = "jellyseerr"
+        port = "jellyseerr"
+
+        tags = [
+          "traefik.enable=true",
+          "traefik.http.routers.jellyseerr.entryPoints=websecure",
+          "traefik.http.routers.jellyseerr.middlewares=oidc-auth@file",
+        ]
+      }
+    }
+
+    task "flaresolverr" {
+      driver = "docker"
+
+      config {
+        image = "ghcr.io/flaresolverr/flaresolverr:latest"
+        ports = [ "flaresolverr" ]
+      }
+
+      env {
+        LOG_LEVEL = "info"
+        TZ = "Europe/Lisbon"
+      }
+
+      resources {
+        cpu = 500
+        memory = 1024
+      }
+
+      service {
+        name = "flaresolverr"
+        port = "flaresolverr"
+      }
+    }
+
+    task "recyclarr" {
+      driver = "docker"
+
+      config {
+        image = "ghcr.io/recyclarr/recyclarr:latest"
+        volumes = [
+          "/data/services/media/recyclarr:/config",
+        ]
+      }
+
+      env {
+        TZ = "Europe/Lisbon"
+        CRON_SCHEDULE = "0 0 * * *"  # Daily at midnight
+      }
+
+      resources {
+        cpu = 100
+        memory = 256
+      }
+    }
+
     task "plex" {
       driver = "docker"
 
@@ -138,7 +252,7 @@ job "media" {
 
       resources {
         cpu = 2000
-        memory = 1000
+        memory = 2000
       }
 
       service {
@@ -177,7 +291,7 @@ job "media" {
 
       resources {
         cpu = 2000
-        memory = 1000
+        memory = 1500
       }
 
       service {