From e1c02d7a91eb1b6c4c25c243fcc861de6611ce39 Mon Sep 17 00:00:00 2001
From: Cilly Leang <mini@cilly.moe>
Date: Fri, 19 Jun 2026 08:01:17 +1000
Subject: [PATCH] containers/emerald: move to alyssum

---
 containers/emerald/flake.nix |  12 +++---------
 hosts/alyssum/default.nix    |   2 ++
 hosts/dandelion/default.nix  |   3 +--
 hosts/dandelion/nginx.nix    |   8 ++++++++
 secrets.nix                  |   2 +-
 secrets/navidrome_env.age    | Bin 630 -> 630 bytes
 6 files changed, 15 insertions(+), 12 deletions(-)
 create mode 100644 hosts/dandelion/nginx.nix

diff --git a/containers/emerald/flake.nix b/containers/emerald/flake.nix
index 9c9acdc..7e79b23 100644
--- a/containers/emerald/flake.nix
+++ b/containers/emerald/flake.nix
@@ -9,11 +9,11 @@
     shareFqdn = "muse.lava.moe";
     subnetId = "5";
 
-    subnet = x: "fd0d:1::${subnetId}:${toString x}";
+    subnet = x: "fd0d:2::${subnetId}:${toString x}";
     host = subnet 1;
     client = subnet 2;
 
-    subnet4 = x: "10.30.${subnetId}.${toString x}";
+    subnet4 = x: "10.32.${subnetId}.${toString x}";
     host4 = subnet4 1;
     client4 = subnet4 2;
 
@@ -39,13 +39,7 @@
         useACMEHost = "lava.moe";
         forceSSL = true;
         locations."/".proxyPass = "http://[${client}]:4533";
-        listenAddresses = [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ];
-      };
-      services.nginx.virtualHosts."${shareFqdn}" = {
-        useACMEHost = "lava.moe";
-        forceSSL = true;
-        locations."/".return = "404";
-        locations."/share/".proxyPass = "http://[${client}]:4533";
+        listenAddresses = [ "100.67.2.1" ];
       };
 
       systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
diff --git a/hosts/alyssum/default.nix b/hosts/alyssum/default.nix
index 661e3d5..06c415f 100644
--- a/hosts/alyssum/default.nix
+++ b/hosts/alyssum/default.nix
@@ -6,6 +6,7 @@
   age.secrets = {
     acme_dns.file = ../../secrets/acme_dns.age;
     passwd.file = ../../secrets/passwd.age;
+    navidrome_env.file = ../../secrets/navidrome_env.age;
     wpa_conf = {
       file = ../../secrets/wpa_conf.age;
       path = "/etc/wpa_supplicant/imperative.conf";
@@ -27,6 +28,7 @@
     modules.services.nginx
     modules.services.syncthing
 
+    inputs.c-emerald.nixosModule
     inputs.c-garnet.nixosModule
 
     ./filesystem.nix
diff --git a/hosts/dandelion/default.nix b/hosts/dandelion/default.nix
index 33b6eec..f65dfd1 100644
--- a/hosts/dandelion/default.nix
+++ b/hosts/dandelion/default.nix
@@ -5,7 +5,6 @@
 
   age.secrets = {
     acme_dns.file = ../../secrets/acme_dns.age;
-    navidrome_env.file = ../../secrets/navidrome_env.age;
     slskd_env.file = ../../secrets/slskd_env.age;
     wg_dandelion.file = ../../secrets/wg_dandelion.age;
   };
@@ -31,12 +30,12 @@
     inputs.c-beryllium.nixosModule
     inputs.c-citrine.nixosModule
     inputs.c-diamond.nixosModule
-    inputs.c-emerald.nixosModule
     inputs.c-fluorite.nixosModule
 
     ./filesystem.nix
     ./kernel.nix
     ./networking.nix
+    ./nginx.nix
 
     ../../users/hana
   ];
diff --git a/hosts/dandelion/nginx.nix b/hosts/dandelion/nginx.nix
new file mode 100644
index 0000000..c29de38
--- /dev/null
+++ b/hosts/dandelion/nginx.nix
@@ -0,0 +1,8 @@
+{ ... }: {
+  services.nginx.virtualHosts."muse.lava.moe" = {
+    useACMEHost = "lava.moe";
+    forceSSL = true;
+    locations."/".return = "404";
+    locations."/share/".proxyPass = "http://[fd0d:2::5:2]:4533";
+  };
+}
diff --git a/secrets.nix b/secrets.nix
index bec70ef..b1f55e5 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -13,7 +13,7 @@ in {
   "secrets/wpa_conf.age".publicKeys = [ alyssum blossom rin ];
 
   "secrets/acme_dns.age".publicKeys = [ alyssum dandelion hazel rin ];
-  "secrets/navidrome_env.age".publicKeys = [ anemone dandelion rin ];
+  "secrets/navidrome_env.age".publicKeys = [ alyssum dandelion rin ];
   "secrets/slskd_env.age".publicKeys = [ anemone dandelion rin ];
   "secrets/tailscale_auth.age".publicKeys = [ alyssum anemone blossom dandelion rin ];
   "secrets/warden_admin.age".publicKeys = [ rin ];
diff --git a/secrets/navidrome_env.age b/secrets/navidrome_env.age
index 6cb705c5d12523d7e403ecd2736ad062cc9756fe..7df364f2e273e47d57332c4379af715fc8a5212e 100644
GIT binary patch
delta 584
zcmeyy@{MJJYJIl9Z*V}lLa~0SOIE(8PgRsjZmNfANJe2wPNjZ9K&nwvh`)KUw?}|y
zah|!8zGG!ES3tUPYCwulX0BsVR8p0bmsfUvPO5&2S!h;hVwzuKWp+uHcVUTTdSRIf
zm#&>cadC!jYKoDmsiCDpQjl9=YM_FCWl?sip<%gqwy#lonvqFjKvu9*l%cm%RD_Rz
zPH>2SdRe%kae7vjv#~E%MTm2_M@pe-SdoEInPr7bzH3yWbF#aSXG&I7h-I;nrF%|F
zewC4Ve!0QKkK*+n8Nr2a7A`?m`eorJM!{*uCTWH4zMkn>mQe-CroO3>ei?;@#Z~5M
zPT5>0o>h*aL4~FUMUjSP2Kt4LRrw~C$+;O}=K96i8Rh}*z7`plg`Sq-?yg+Ay1EL9
z!TyHDId0x**{;q$X6{A#7A9%FnJ!TVfj&NdN&ZD?nSS-D>3-hk*~Q6ROqpWpMWV|d
z&c4vI?M;r-tE{--Z%Xm=Lj$CDFLGWutD?BcP;&a@f0uoCZ!2GWs`sk3vUqjk;%iK`
z+P^Q@zJ8i|WunSt<>I|nf4nn)t!g;n)&0q3m!$nYJ2|(F-<d74-$iL`IQpjB`p8Y8
zi<%dsm%mEVzL?+QP_RweXq^wc&Xl#{Zx>vj?sG`WCg#Y;CB32Co4)>MRlf4+k<eN@
z!+PV_1xztb&piV*@9mv2OU_~Kn}XRo&fm9~9%3)E@D=1xUGC?|S!B-g{A5FSUXR@W
f5^2U)>K9tCZCbg>R9kL#Qr5a2&Gw+g7Uxv}q{-wD

delta 584
zcmeyy@{MJJYJGl2WpIh3LZG*ASzdXWbADmIYe+zTa7bu&lwWarXh?RTdtpFIpi5Ga
zyPJ7%nzx51S5k3cm}RK1et2$DNMw0dR$)$*x3h7Un^R$UQdDSAUSv^ZScPSXPf21r
zm#&>cadC!jYKoDmsiCDpQjl9=YM_E;sAqUkqNAfxg>QjNvU_A|X@<7Gt5c+>c4bM4
zVP%kMn1@q%X--9UnMWv>VWC@Qk!gx=Rk&+va#@acqN7(zu7QD1QK@@id8uh~a%ymf
zk%fDBQl-VjkK*;YsoG@~9(kUn6<$f6F8(e~-j<F<VM)m$0lpC_c^-ZthGnT)RhBMg
znZ8`1&fcDG+DSp-`av#{N#-ejfgYiSrCy1lWmRF8L6N07hLPz`$xhiWsgYc|y1EKJ
zrK#ariB;wX`T8zi;Ta*>krv?<`6gazg)WY{CGJK+mA>^Rd6~u*mEnP0+oFBUOCsE*
z3bwpzlgKR$u9$3^^ZVfWqPNN?4)f&tr`cQQ=D&Xa?73?U-wn%@sp~tnL(+v$>}C*F
zxA`xn%JX>ouLo-iPxHCPx(V+O*cJKu@s3=59#dX}h>yFj?Z5ZfGA|<ZL}>o$zklp6
zX|@|&xOuuKjLFleVCnh`Z_lSp+>)?)gVX#Q4P6t?pZWIe&UJ&<dyn!y)~5gXU%YUZ
z+!<ZR$tBYNo{6+wn4vvk@du49$>$5F8pXE@ck*9i%4<GzHBCI~k1&hhf4}GP`?VRq
gK9{~_dp`C33hDY^U$0rrsN_u7`I?ffGpDHv0E8s%8UO$Q