From 402c847f3cd7f457e7946b4b3431a71a47963828 Mon Sep 17 00:00:00 2001
From: Cilly Leang <mini@cilly.moe>
Date: Sun, 14 Jun 2026 20:32:32 +1000
Subject: [PATCH 01/20] dandelion/filesystem: reduce rootfs from 12G to 6G

---
 hosts/dandelion/filesystem.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hosts/dandelion/filesystem.nix b/hosts/dandelion/filesystem.nix
index 4dd6a55..861bc15 100644
--- a/hosts/dandelion/filesystem.nix
+++ b/hosts/dandelion/filesystem.nix
@@ -22,7 +22,7 @@ in {
     "/" = {
       device = "rootfs";
       fsType = "tmpfs";
-      options = [ "defaults" "size=12G" "mode=755" ];
+      options = [ "defaults" "size=6G" "mode=755" ];
     };
     "/boot" = mkLabelMount "UEFI" "vfat";
 

From d1a8e7222f0dd930f945a4f101cd885ce6001357 Mon Sep 17 00:00:00 2001
From: Cilly Leang <mini@cilly.moe>
Date: Wed, 17 Jun 2026 18:11:09 +1000
Subject: [PATCH 02/20] alyssum/samba: init

---
 hosts/alyssum/default.nix |  1 +
 hosts/alyssum/samba.nix   | 81 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 82 insertions(+)
 create mode 100644 hosts/alyssum/samba.nix

diff --git a/hosts/alyssum/default.nix b/hosts/alyssum/default.nix
index 3eb7289..d471011 100644
--- a/hosts/alyssum/default.nix
+++ b/hosts/alyssum/default.nix
@@ -31,6 +31,7 @@
     ./filesystem.nix
     ./kernel.nix
     ./networking.nix
+    ./samba.nix
 
     ../../users/hana
   ];
diff --git a/hosts/alyssum/samba.nix b/hosts/alyssum/samba.nix
new file mode 100644
index 0000000..9e957e9
--- /dev/null
+++ b/hosts/alyssum/samba.nix
@@ -0,0 +1,81 @@
+{ config, ... }: {
+  networking.firewall.allowPing = true;
+
+  users.users.cilly = {
+    hashedPasswordFile = config.age.secrets.passwd.path;
+    isNormalUser = true;
+  };
+  users.users.kujira = {
+    hashedPasswordFile = config.age.secrets.passwd.path;
+    isNormalUser = true;
+  };
+  system.activationScripts = {
+    init_smbpasswd.text = ''
+      /run/current-system/sw/bin/printf "$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd.path})\n$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd.path})\n" | /run/current-system/sw/bin/smbpasswd -sa cilly
+
+      /run/current-system/sw/bin/printf "$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd_kujira.path})\n$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd_kujira.path})\n" | /run/current-system/sw/bin/smbpasswd -sa kujira
+    '';
+  };
+
+  services.samba = {
+    enable = true;
+    openFirewall = true;
+    settings = {
+      global = {
+        "workgroup" = "WORKGROUP";
+        "server string" = "smbnix";
+        "netbios name" = "smbnix";
+        "security" = "user";
+        "hosts allow" = "100.67.2.1 127.0.0.1 localhost";
+        "hosts deny" = "0.0.0.0/0";
+        "guest account" = "nobody";
+        "map to guest" = "bad user";
+      };
+      "public" = {
+        "path" = "/flower/smb/public";
+        "browseable" = "yes";
+        "read only" = "no";
+        "guest ok" = "yes";
+        "create mask" = "0644";
+        "directory mask" = "0755";
+        "force user" = "hana";
+        "force group" = "users";
+      };
+      "cilly" = {
+        "path" = "/flower/smb/cilly";
+        "browseable" = "yes";
+        "read only" = "no";
+        "guest ok" = "no";
+        "create mask" = "0644";
+        "directory mask" = "0755";
+        "force user" = "cilly";
+        "force group" = "users";
+        "valid users" = "cilly";
+      };
+      "kujira" = {
+        "path" = "/flower/smb/kujira";
+        "browseable" = "yes";
+        "read only" = "no";
+        "guest ok" = "no";
+        "create mask" = "0644";
+        "directory mask" = "0755";
+        "force user" = "kujira";
+        "force group" = "users";
+        "valid users" = "kujira";
+      };
+    };
+  };
+
+  services.samba-wsdd = {
+    enable = true;
+    openFirewall = true;
+  };
+
+  services.avahi = {
+    enable = true;
+    openFirewall = true;
+    nssmdns4 = true;
+    publish.enable = true;
+    publish.userServices = true;
+  };
+}

From 4f8249b780b00add8a8a8d22543a54229faa696d Mon Sep 17 00:00:00 2001
From: Cilly Leang <mini@cilly.moe>
Date: Wed, 17 Jun 2026 18:16:21 +1000
Subject: [PATCH 03/20] alyssum/samba: use proper credentials

---
 hosts/alyssum/samba.nix      | 7 +++++--
 secrets.nix                  | 2 ++
 secrets/passwd_smbcilly.age  | 7 +++++++
 secrets/passwd_smbkujira.age | 7 +++++++
 4 files changed, 21 insertions(+), 2 deletions(-)
 create mode 100644 secrets/passwd_smbcilly.age
 create mode 100644 secrets/passwd_smbkujira.age

diff --git a/hosts/alyssum/samba.nix b/hosts/alyssum/samba.nix
index 9e957e9..6be8e09 100644
--- a/hosts/alyssum/samba.nix
+++ b/hosts/alyssum/samba.nix
@@ -1,6 +1,9 @@
 { config, ... }: {
   networking.firewall.allowPing = true;
 
+  age.secrets.passwd_smbcilly.file = ../../secrets/passwd_smbcilly.age;
+  age.secrets.passwd_smbkujira.file = ../../secrets/passwd_smbkujira.age;
+
   users.users.cilly = {
     hashedPasswordFile = config.age.secrets.passwd.path;
     isNormalUser = true;
@@ -11,9 +14,9 @@
   };
   system.activationScripts = {
     init_smbpasswd.text = ''
-      /run/current-system/sw/bin/printf "$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd.path})\n$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd.path})\n" | /run/current-system/sw/bin/smbpasswd -sa cilly
+      /run/current-system/sw/bin/printf "$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd_smbcilly.path})\n$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd_smbcilly.path})\n" | /run/current-system/sw/bin/smbpasswd -sa cilly
 
-      /run/current-system/sw/bin/printf "$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd_kujira.path})\n$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd_kujira.path})\n" | /run/current-system/sw/bin/smbpasswd -sa kujira
+      /run/current-system/sw/bin/printf "$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd_smbkujira.path})\n$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd_smbkujira.path})\n" | /run/current-system/sw/bin/smbpasswd -sa kujira
     '';
   };
 
diff --git a/secrets.nix b/secrets.nix
index d2dbc82..ec20648 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -8,6 +8,8 @@ let
   rin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPru5eTBvHJ4ZmrrzPRHCGM09wQP/ZHSaKYalDuBVO15";
 in {
   "secrets/passwd.age".publicKeys = [ anemone blossom rin ];
+  "secrets/passwd_smbcilly.age".publicKeys = [ alyssum rin ];
+  "secrets/passwd_smbkujira.age".publicKeys = [ alyssum rin ];
   "secrets/wpa_conf.age".publicKeys = [ alyssum blossom rin ];
 
   "secrets/acme_dns.age".publicKeys = [ alyssum dandelion hazel rin ];
diff --git a/secrets/passwd_smbcilly.age b/secrets/passwd_smbcilly.age
new file mode 100644
index 0000000..41ad172
--- /dev/null
+++ b/secrets/passwd_smbcilly.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 kOMSPw CQaXT9/nw3NGD2/H/ctSQGXIoacgjfKQ24wkpEieLSQ
+i4xEXgWGQ7xgQyaDQQIeDuiCLjA6Le23qSnv8C1cbcI
+-> ssh-ed25519 U9FXlg GL4dCSCku/FA6ipb9XI1AxO4lhm2r/1lRAeqaGrB32o
++pPgqwnoPi3wJLobTimVMj0rng+XRapRG6jTYFXSsDM
+--- eVgn3ON19pqq+L832bqlbkHUQXdaTI+LfSL4bYfEdew
+Æ*Œl\ÈWç!J7E/´»îò"f@%\ìüÏ[¨òj8fÓ¶›ž
\ No newline at end of file
diff --git a/secrets/passwd_smbkujira.age b/secrets/passwd_smbkujira.age
new file mode 100644
index 0000000..71b6bb8
--- /dev/null
+++ b/secrets/passwd_smbkujira.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 kOMSPw Kn+LPMoyOrVwI/nrGgnxgVA3D+tVY9Tccg/Yx/jL+E8
+IfWiSBh7KgNvgcHlcDzfdcB9nxm1zy12Ae7AGm39fdE
+-> ssh-ed25519 U9FXlg 6eIIGEIYDo02FBsgBnwbuOeR8t4xB6jSmLfIL73UCDg
+QOc0ddunQQcVEVD20DKKpn3wZWUSveFJSUTBnv+xnNk
+--- MjN2i0FNzbUpBGUDNgWGXrRsYl2gtsQX+JlzZV/fYdw
+TÎ <ç‘R#d�ĆÌŽlLkáN¦½º8´cÃ_N¬)±ŠT
\ No newline at end of file

From c782bd5e5398534f81214e3bced2aa73e08e10b6 Mon Sep 17 00:00:00 2001
From: Cilly Leang <mini@cilly.moe>
Date: Wed, 17 Jun 2026 18:23:10 +1000
Subject: [PATCH 04/20] hosts/alyssum: add passwd age

---
 hosts/alyssum/default.nix |   1 +
 secrets.nix               |   2 +-
 secrets/passwd.age        | Bin 531 -> 641 bytes
 3 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/hosts/alyssum/default.nix b/hosts/alyssum/default.nix
index d471011..a2eb166 100644
--- a/hosts/alyssum/default.nix
+++ b/hosts/alyssum/default.nix
@@ -5,6 +5,7 @@
 
   age.secrets = {
     acme_dns.file = ../../secrets/acme_dns.age;
+    passwd.file = ../../secrets/passwd.age;
     wpa_conf = {
       file = ../../secrets/wpa_conf.age;
       path = "/etc/wpa_supplicant/imperative.conf";
diff --git a/secrets.nix b/secrets.nix
index ec20648..bec70ef 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -7,7 +7,7 @@ let
 
   rin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPru5eTBvHJ4ZmrrzPRHCGM09wQP/ZHSaKYalDuBVO15";
 in {
-  "secrets/passwd.age".publicKeys = [ anemone blossom rin ];
+  "secrets/passwd.age".publicKeys = [ alyssum anemone blossom rin ];
   "secrets/passwd_smbcilly.age".publicKeys = [ alyssum rin ];
   "secrets/passwd_smbkujira.age".publicKeys = [ alyssum rin ];
   "secrets/wpa_conf.age".publicKeys = [ alyssum blossom rin ];
diff --git a/secrets/passwd.age b/secrets/passwd.age
index 64ec8611ddf1a1d3f837caf32b53d5843f7b6e07..05ad90670240bfe01391eb8392cd02ad35d1c5bd 100644
GIT binary patch
delta 596
zcmbQt(#SeNwLaV5H#neNp(s2%!q_7?$j7C~J=oCKE5oy-BsrwWr64rBz`L|8y{an9
zBFsIqJm0{8D>c(3I5)q<JfzCQ-N?+mB+5U;Bg#EMzsTIcBCIl^xFo~OE4#EL-^IX}
zOV>`JxHv;MHO0u()X-8PKch0Z#8DyB*uU7sB+Dr%qdv>Az{ywJ$H~awsl?ATEYZ}-
zBq+}^uh=leG%DSrIIEm1IU~@_EZfLm-?Yp-P~XEi)LTEepwcm{(l;|J)vYQZF*m9x
zwA9fk-OUx<I_FU5tcXB`q~v@z%h1Bg5FgL%GK;eOP-EXhKZ_{i)ba?MB+qP@@{|x4
z17F7^zszz+uH>93pU|@G%n*z02+xqv4C6e*?2M97@1TsTVAr(597AoN#E=5_%7_xz
zi66!5J)J#+EP_p{d>vCFGLt>bjXbKnQd0xd($cd0LNdyNU9#PiEz`1tyaNNda*B*A
zTr<s#Q-ZXME6d9~i<109!m}eQQ!KMWBFqdeeLTvdLM=TkwVlejbaizV0?e~AbJAQg
zy}iu*&B`LOO^c1)GIO1MJc0uA!xBrv%JW_8v#RnV^O952xjr<gv?g9Hej9ydVM5dD
zn%}d`Tk<Bqii`|3Q@&{7ma}N`u5fAfrf0i6the^~Yx?^xbDG0qcql1;gFxnm;Fqrp
z(%bHq>b|^HnZYzWY=cufpN-;@7gMf=O#Hn1hI;KPb=lf^lIPl6HZS=2L%5*v`cv->
YJkH)xEW9(@zeyiIH`!pOX{Em>0JK!tjsO4v

delta 466
zcmZo<oy;;pH7-A+GPuN1p`xfTD8nKpEYUDGG&kL{*tf#Xu}nWADJ<JLJlV_Gptv-t
zEGf#eQrjb&tEezvKg-lD)zc!pGR2}K->k^FqSVba!Z<fL#n9U{Go{oluhKZsH_{+^
z;z#lDaF?{g;y^Q3LreW~mptz@<I+g&(26YIfLy}>-*7L(g6wo-1M{@Z+(1XJlyqb7
zC~r^0#MI365OWKE9}mkM^YU<y(x9}!l8CHaFVm15{q)jACl`~+@r>g2CC+YMPLZVn
zmM&3=UdH9x#W}ui8Low<-e!R*kxo&L1}Q$;fx(uhk<J!e0e%IgrT(5qZU){J=5Cfo
zxlu-bd3i~tCF#al>3$ZDUR4EYCYcqMr3R5)y1Kdweg%1!i558-K1JHW+FmBw<%#8y
zegP(CCdr9;CN6%V`N`(>N#@}Jt|g%+To*((7~f_+q00A8b`fLhp}Xt*if!Dl#T{c2
zE_hU5lHW2pfMsudL!P8U<-)y>#9xJKr5oAp;QEw$;d8I0!J~UpO?>m(ioP9UQxcqb
zdDVFa?#j+-DXlZDYLD)8&D4Iu%zD>h!HX%(zs|p!7N2uW{HitM>x2#5(|Mgg3b4ye
MK7Ppl$Cj<;0P3%*4gdfE


From 509684d0bd094bd96fcef03ceacba6be33446a63 Mon Sep 17 00:00:00 2001
From: Cilly Leang <mini@cilly.moe>
Date: Wed, 17 Jun 2026 18:28:39 +1000
Subject: [PATCH 05/20] alyssum/samba: use proper smbpasswd path

---
 hosts/alyssum/samba.nix | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/hosts/alyssum/samba.nix b/hosts/alyssum/samba.nix
index 6be8e09..ba89a00 100644
--- a/hosts/alyssum/samba.nix
+++ b/hosts/alyssum/samba.nix
@@ -13,10 +13,12 @@
     isNormalUser = true;
   };
   system.activationScripts = {
-    init_smbpasswd.text = ''
-      /run/current-system/sw/bin/printf "$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd_smbcilly.path})\n$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd_smbcilly.path})\n" | /run/current-system/sw/bin/smbpasswd -sa cilly
+    init_smbpasswd.text = let
+      smbpasswd = "${config.services.samba.package}/bin/smbpasswd";
+    in ''
+      printf "$(cat ${config.age.secrets.passwd_smbcilly.path})\n$(cat ${config.age.secrets.passwd_smbcilly.path})\n" | ${smbpasswd} -sa cilly
 
-      /run/current-system/sw/bin/printf "$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd_smbkujira.path})\n$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd_smbkujira.path})\n" | /run/current-system/sw/bin/smbpasswd -sa kujira
+      printf "$(cat ${config.age.secrets.passwd_smbkujira.path})\n$(cat ${config.age.secrets.passwd_smbkujira.path})\n" | ${smbpasswd} -sa kujira
     '';
   };
 

From 4bb20124a791bdce70acdd4bdcfe1a2eb4acacb6 Mon Sep 17 00:00:00 2001
From: Cilly Leang <mini@cilly.moe>
Date: Wed, 17 Jun 2026 18:34:34 +1000
Subject: [PATCH 06/20] alyssum/samba: use full package for discovery

---
 hosts/alyssum/samba.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/hosts/alyssum/samba.nix b/hosts/alyssum/samba.nix
index ba89a00..708286a 100644
--- a/hosts/alyssum/samba.nix
+++ b/hosts/alyssum/samba.nix
@@ -1,4 +1,4 @@
-{ config, ... }: {
+{ config, pkgs, ... }: {
   networking.firewall.allowPing = true;
 
   age.secrets.passwd_smbcilly.file = ../../secrets/passwd_smbcilly.age;
@@ -24,9 +24,11 @@
 
   services.samba = {
     enable = true;
+    package = pkgs.samba4Full;
     openFirewall = true;
     settings = {
       global = {
+        "server smb encrypt" = "required";
         "workgroup" = "WORKGROUP";
         "server string" = "smbnix";
         "netbios name" = "smbnix";

From 024a6bdbe2f56232d63c2f62b20bf509b65f7fb0 Mon Sep 17 00:00:00 2001
From: Cilly Leang <mini@cilly.moe>
Date: Wed, 17 Jun 2026 18:47:15 +1000
Subject: [PATCH 07/20] alyssum/samba: relax hosts

---
 hosts/alyssum/samba.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hosts/alyssum/samba.nix b/hosts/alyssum/samba.nix
index 708286a..1a32e38 100644
--- a/hosts/alyssum/samba.nix
+++ b/hosts/alyssum/samba.nix
@@ -33,7 +33,7 @@
         "server string" = "smbnix";
         "netbios name" = "smbnix";
         "security" = "user";
-        "hosts allow" = "100.67.2.1 127.0.0.1 localhost";
+        "hosts allow" = "100.64.0.0/10 127.0.0.1 alyssum localhost";
         "hosts deny" = "0.0.0.0/0";
         "guest account" = "nobody";
         "map to guest" = "bad user";

From 8157d0d5617bb0780f46c3e0aa1c97e8c9447488 Mon Sep 17 00:00:00 2001
From: Cilly Leang <mini@cilly.moe>
Date: Wed, 17 Jun 2026 19:49:10 +1000
Subject: [PATCH 08/20] alyssum/home.syncthing: init

---
 hosts/alyssum/default.nix        |  1 +
 hosts/alyssum/home.syncthing.nix | 16 ++++++++++++++++
 2 files changed, 17 insertions(+)
 create mode 100644 hosts/alyssum/home.syncthing.nix

diff --git a/hosts/alyssum/default.nix b/hosts/alyssum/default.nix
index a2eb166..661e3d5 100644
--- a/hosts/alyssum/default.nix
+++ b/hosts/alyssum/default.nix
@@ -32,6 +32,7 @@
     ./filesystem.nix
     ./kernel.nix
     ./networking.nix
+    ./home.syncthing.nix
     ./samba.nix
 
     ../../users/hana
diff --git a/hosts/alyssum/home.syncthing.nix b/hosts/alyssum/home.syncthing.nix
new file mode 100644
index 0000000..3335625
--- /dev/null
+++ b/hosts/alyssum/home.syncthing.nix
@@ -0,0 +1,16 @@
+{ config, ... }: {
+  me.binds."/home/kujira/.config/syncthing" = "kujira/syncthing/config";
+  me.binds."/home/kujira/.local/state/syncthing" = "kujira/syncthing/state";
+
+  users.users.kujira = {
+    hashedPasswordFile = config.age.secrets.passwd.path;
+    isNormalUser = true;
+    linger = true;
+  };
+  home-manager.users.kujira = { ... }: {
+    services.syncthing = {
+      enable = true;
+      guiAddress = ":8385";
+    };
+  };
+}

From 9a821fda94f380a741a25e77760571a6aa77761f Mon Sep 17 00:00:00 2001
From: Cilly Leang <mini@cilly.moe>
Date: Wed, 17 Jun 2026 19:50:02 +1000
Subject: [PATCH 09/20] alyssum/home.syncthing: fixup hm config

---
 hosts/alyssum/home.syncthing.nix | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/hosts/alyssum/home.syncthing.nix b/hosts/alyssum/home.syncthing.nix
index 3335625..5895716 100644
--- a/hosts/alyssum/home.syncthing.nix
+++ b/hosts/alyssum/home.syncthing.nix
@@ -8,6 +8,11 @@
     linger = true;
   };
   home-manager.users.kujira = { ... }: {
+    home = {
+      username = "kujira";
+      homeDirectory = "/home/kujira";
+      stateVersion = "26.05";
+    };
     services.syncthing = {
       enable = true;
       guiAddress = ":8385";

From 63d9d6b0044edd9a520aedbe1ab25dc9e9ec0b2e Mon Sep 17 00:00:00 2001
From: Cilly Leang <mini@cilly.moe>
Date: Wed, 17 Jun 2026 19:58:03 +1000
Subject: [PATCH 10/20] alyssum/home.syncthing: add host to gui address

---
 hosts/alyssum/home.syncthing.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hosts/alyssum/home.syncthing.nix b/hosts/alyssum/home.syncthing.nix
index 5895716..929436b 100644
--- a/hosts/alyssum/home.syncthing.nix
+++ b/hosts/alyssum/home.syncthing.nix
@@ -15,7 +15,7 @@
     };
     services.syncthing = {
       enable = true;
-      guiAddress = ":8385";
+      guiAddress = "[::]:8385";
     };
   };
 }

From bc3269a814934ccd8dfa95462735125cdc5d5762 Mon Sep 17 00:00:00 2001
From: Cilly Leang <mini@cilly.moe>
Date: Wed, 17 Jun 2026 20:29:22 +1000
Subject: [PATCH 11/20] alyssum/home.syncthing: create another instance

---
 hosts/alyssum/home.syncthing.nix | 40 ++++++++++++++++++--------------
 1 file changed, 23 insertions(+), 17 deletions(-)

diff --git a/hosts/alyssum/home.syncthing.nix b/hosts/alyssum/home.syncthing.nix
index 929436b..1e20f97 100644
--- a/hosts/alyssum/home.syncthing.nix
+++ b/hosts/alyssum/home.syncthing.nix
@@ -1,21 +1,27 @@
-{ config, ... }: {
-  me.binds."/home/kujira/.config/syncthing" = "kujira/syncthing/config";
-  me.binds."/home/kujira/.local/state/syncthing" = "kujira/syncthing/state";
+{ config, lib, ... }:
+let
+  configOn = user: port: {
+    me.binds."/home/${user}/.config/syncthing" = "${user}/syncthing/config";
+    me.binds."/home/${user}/.local/state/syncthing" = "${user}/syncthing/state";
 
-  users.users.kujira = {
-    hashedPasswordFile = config.age.secrets.passwd.path;
-    isNormalUser = true;
-    linger = true;
-  };
-  home-manager.users.kujira = { ... }: {
-    home = {
-      username = "kujira";
-      homeDirectory = "/home/kujira";
-      stateVersion = "26.05";
+    users.users.${user} = {
+      hashedPasswordFile = config.age.secrets.passwd.path;
+      isNormalUser = true;
+      linger = true;
     };
-    services.syncthing = {
-      enable = true;
-      guiAddress = "[::]:8385";
+    home-manager.users.${user} = { ... }: {
+      home = {
+        username = "${user}";
+        homeDirectory = "/home/${user}";
+        stateVersion = "26.05";
+      };
+      services.syncthing = {
+        enable = true;
+        guiAddress = "[::]:${toString port}";
+      };
     };
   };
-}
+in lib.mkMerge [
+  (configOn "kujira" 8385)
+  (configOn "cilly" 8386)
+]

From 5c13051b4b291967d070e3d41dae2801bab17819 Mon Sep 17 00:00:00 2001
From: Cilly Leang <mini@cilly.moe>
Date: Wed, 17 Jun 2026 21:05:38 +1000
Subject: [PATCH 12/20] alyssum/samba: bind some directories

---
 hosts/alyssum/samba.nix | 159 +++++++++++++++++++---------------------
 modules/binds.nix       |   8 +-
 2 files changed, 83 insertions(+), 84 deletions(-)

diff --git a/hosts/alyssum/samba.nix b/hosts/alyssum/samba.nix
index 1a32e38..f14365b 100644
--- a/hosts/alyssum/samba.nix
+++ b/hosts/alyssum/samba.nix
@@ -1,88 +1,83 @@
-{ config, pkgs, ... }: {
-  networking.firewall.allowPing = true;
+{ config, lib, pkgs, ... }:
+let
+  configOn = user: let
+    passwd_fname = "passwd_smb${user}";
+  in {
+    age.secrets.${passwd_fname}.file = ../../secrets/${passwd_fname}.age;
+    me.binds."/flower/smb/${user}/syncthing" = "/flower/syncthing/${user}";
 
-  age.secrets.passwd_smbcilly.file = ../../secrets/passwd_smbcilly.age;
-  age.secrets.passwd_smbkujira.file = ../../secrets/passwd_smbkujira.age;
+    users.users.${user} = {
+      hashedPasswordFile = config.age.secrets.passwd.path;
+      isNormalUser = true;
+    };
 
-  users.users.cilly = {
-    hashedPasswordFile = config.age.secrets.passwd.path;
-    isNormalUser = true;
-  };
-  users.users.kujira = {
-    hashedPasswordFile = config.age.secrets.passwd.path;
-    isNormalUser = true;
-  };
-  system.activationScripts = {
-    init_smbpasswd.text = let
-      smbpasswd = "${config.services.samba.package}/bin/smbpasswd";
-    in ''
-      printf "$(cat ${config.age.secrets.passwd_smbcilly.path})\n$(cat ${config.age.secrets.passwd_smbcilly.path})\n" | ${smbpasswd} -sa cilly
-
-      printf "$(cat ${config.age.secrets.passwd_smbkujira.path})\n$(cat ${config.age.secrets.passwd_smbkujira.path})\n" | ${smbpasswd} -sa kujira
-    '';
-  };
-
-  services.samba = {
-    enable = true;
-    package = pkgs.samba4Full;
-    openFirewall = true;
-    settings = {
-      global = {
-        "server smb encrypt" = "required";
-        "workgroup" = "WORKGROUP";
-        "server string" = "smbnix";
-        "netbios name" = "smbnix";
-        "security" = "user";
-        "hosts allow" = "100.64.0.0/10 127.0.0.1 alyssum localhost";
-        "hosts deny" = "0.0.0.0/0";
-        "guest account" = "nobody";
-        "map to guest" = "bad user";
-      };
-      "public" = {
-        "path" = "/flower/smb/public";
-        "browseable" = "yes";
-        "read only" = "no";
-        "guest ok" = "yes";
-        "create mask" = "0644";
-        "directory mask" = "0755";
-        "force user" = "hana";
-        "force group" = "users";
-      };
-      "cilly" = {
-        "path" = "/flower/smb/cilly";
-        "browseable" = "yes";
-        "read only" = "no";
-        "guest ok" = "no";
-        "create mask" = "0644";
-        "directory mask" = "0755";
-        "force user" = "cilly";
-        "force group" = "users";
-        "valid users" = "cilly";
-      };
-      "kujira" = {
-        "path" = "/flower/smb/kujira";
-        "browseable" = "yes";
-        "read only" = "no";
-        "guest ok" = "no";
-        "create mask" = "0644";
-        "directory mask" = "0755";
-        "force user" = "kujira";
-        "force group" = "users";
-        "valid users" = "kujira";
-      };
+    system.activationScripts = {
+      init_smbpasswd.text = let
+        smbpasswd = "${config.services.samba.package}/bin/smbpasswd";
+      in ''
+        printf "$(cat ${config.age.secrets.${passwd_fname}.path})\n$(cat ${config.age.secrets.${passwd_fname}.path})\n" | ${smbpasswd} -sa ${user}
+      '';
+    };
+    services.samba.settings."${user}" = {
+      "path" = "/flower/smb/${user}";
+      "browseable" = "yes";
+      "read only" = "no";
+      "guest ok" = "no";
+      "create mask" = "0644";
+      "directory mask" = "0755";
+      "force user" = user;
+      "force group" = "users";
+      "valid users" = user;
     };
   };
+in lib.mkMerge [
+  (configOn "cilly")
+  (configOn "kujira")
+  {
+    me.binds."/flower/smb/kujira/opencloud" = "/flower/opencloud/data/storage/users/users/a8e29fc0-673c-4c67-be00-2442904acb43";
 
-  services.samba-wsdd = {
-    enable = true;
-    openFirewall = true;
-  };
+    networking.firewall.allowPing = true;
 
-  services.avahi = {
-    enable = true;
-    openFirewall = true;
-    nssmdns4 = true;
-    publish.enable = true;
-    publish.userServices = true;
-  };
-}
+    services.samba = {
+      enable = true;
+      package = pkgs.samba4Full;
+      openFirewall = true;
+      settings = {
+        global = {
+          "server smb encrypt" = "required";
+          "workgroup" = "WORKGROUP";
+          "server string" = "smbnix";
+          "netbios name" = "smbnix";
+          "security" = "user";
+          "hosts allow" = "100.64.0.0/10 127.0.0.1 alyssum localhost";
+          "hosts deny" = "0.0.0.0/0";
+          "guest account" = "nobody";
+          "map to guest" = "bad user";
+        };
+        "public" = {
+          "path" = "/flower/smb/public";
+          "browseable" = "yes";
+          "read only" = "no";
+          "guest ok" = "yes";
+          "create mask" = "0644";
+          "directory mask" = "0755";
+          "force user" = "hana";
+          "force group" = "users";
+        };
+      };
+    };
+
+    services.samba-wsdd = {
+      enable = true;
+      openFirewall = true;
+    };
+
+    services.avahi = {
+      enable = true;
+      openFirewall = true;
+      nssmdns4 = true;
+      publish.enable = true;
+      publish.userServices = true;
+    };
+  }
+]
diff --git a/modules/binds.nix b/modules/binds.nix
index 9c7d4ad..c9ffe18 100644
--- a/modules/binds.nix
+++ b/modules/binds.nix
@@ -1,8 +1,12 @@
 { config, lib, ...}: {
   imports = [ ./options.nix ];
-  fileSystems = lib.mapAttrs (dest: key: {
+  fileSystems = lib.mapAttrs (dest: key: let
+    target = if (lib.strings.hasPrefix "/" key)
+      then key
+      else "/persist/binds/${key}";
+  in {
     depends = [ "/persist" ];
-    device = "/persist/binds/${key}";
+    device = target;
     fsType = "none";
     options = [ "bind" ];
   }) config.me.binds;

From 907f2cabcadb6223c28fc6960b542f60bbadc860 Mon Sep 17 00:00:00 2001
From: Cilly Leang <mini@cilly.moe>
Date: Wed, 17 Jun 2026 21:14:47 +1000
Subject: [PATCH 13/20] alyssum/home.syncthing: set proper defaults

---
 hosts/alyssum/home.syncthing.nix | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/hosts/alyssum/home.syncthing.nix b/hosts/alyssum/home.syncthing.nix
index 1e20f97..33545fe 100644
--- a/hosts/alyssum/home.syncthing.nix
+++ b/hosts/alyssum/home.syncthing.nix
@@ -4,6 +4,8 @@ let
     me.binds."/home/${user}/.config/syncthing" = "${user}/syncthing/config";
     me.binds."/home/${user}/.local/state/syncthing" = "${user}/syncthing/state";
 
+    systemd.tmpfiles.rules = [ "d /flower/syncthing/${user} 700 ${user} users" ];
+
     users.users.${user} = {
       hashedPasswordFile = config.age.secrets.passwd.path;
       isNormalUser = true;
@@ -18,6 +20,12 @@ let
       services.syncthing = {
         enable = true;
         guiAddress = "[::]:${toString port}";
+        options.listenAddresses = [
+          "tcp://0.0.0.0:2${toString port}"
+          "quic://0.0.0.0:2${toString port}"
+          "dynamic+https://relays.syncthing.net/endpoint"
+        ];
+        settings.defaults.folder.path = "/flower/syncthing/${user}";
       };
     };
   };

From 6c80606b7ea743fca6ec146ab30cfb378d395d09 Mon Sep 17 00:00:00 2001
From: Cilly Leang <mini@cilly.moe>
Date: Wed, 17 Jun 2026 21:15:22 +1000
Subject: [PATCH 14/20] alyssum/home.syncthing: fixup conf

---
 hosts/alyssum/home.syncthing.nix | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/hosts/alyssum/home.syncthing.nix b/hosts/alyssum/home.syncthing.nix
index 33545fe..4408fb7 100644
--- a/hosts/alyssum/home.syncthing.nix
+++ b/hosts/alyssum/home.syncthing.nix
@@ -20,12 +20,14 @@ let
       services.syncthing = {
         enable = true;
         guiAddress = "[::]:${toString port}";
-        options.listenAddresses = [
-          "tcp://0.0.0.0:2${toString port}"
-          "quic://0.0.0.0:2${toString port}"
-          "dynamic+https://relays.syncthing.net/endpoint"
-        ];
-        settings.defaults.folder.path = "/flower/syncthing/${user}";
+        settings = {
+          options.listenAddresses = [
+            "tcp://0.0.0.0:2${toString port}"
+            "quic://0.0.0.0:2${toString port}"
+            "dynamic+https://relays.syncthing.net/endpoint"
+          ];
+          defaults.folder.path = "/flower/syncthing/${user}";
+        };
       };
     };
   };

From 21dc584199e72285d0ec07083f604b439aa41b34 Mon Sep 17 00:00:00 2001
From: Cilly Leang <mini@cilly.moe>
Date: Wed, 17 Jun 2026 21:22:03 +1000
Subject: [PATCH 15/20] alyssum/home.syncthing: don't override devices and
 folders

---
 hosts/alyssum/home.syncthing.nix | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/hosts/alyssum/home.syncthing.nix b/hosts/alyssum/home.syncthing.nix
index 4408fb7..8d5a1cc 100644
--- a/hosts/alyssum/home.syncthing.nix
+++ b/hosts/alyssum/home.syncthing.nix
@@ -20,6 +20,8 @@ let
       services.syncthing = {
         enable = true;
         guiAddress = "[::]:${toString port}";
+        overrideDevices = false;
+        overrideFolders = false;
         settings = {
           options.listenAddresses = [
             "tcp://0.0.0.0:2${toString port}"

From 4dfc89814003566d4fb55dbd84b29c4427b254b0 Mon Sep 17 00:00:00 2001
From: Cilly Leang <mini@cilly.moe>
Date: Fri, 19 Jun 2026 07:36:13 +1000
Subject: [PATCH 16/20] user/neovim: switch to nixd

---
 modules/system/nix.nix  |  3 ++-
 modules/user/neovim.nix |  7 ++++---
 res/config.lua          | 28 +++++++++++++++++++++++++++-
 users/rin/packages.nix  |  1 -
 4 files changed, 33 insertions(+), 6 deletions(-)

diff --git a/modules/system/nix.nix b/modules/system/nix.nix
index 6a6fd04..eb14f73 100644
--- a/modules/system/nix.nix
+++ b/modules/system/nix.nix
@@ -1,5 +1,6 @@
-{ config, lib, pkgs, ... }: {
+{ config, inputs, pkgs, ... }: {
   nix = {
+    nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
     package = pkgs.nixVersions.latest;
 
     settings = rec {
diff --git a/modules/user/neovim.nix b/modules/user/neovim.nix
index d691c61..2b8d4c1 100644
--- a/modules/user/neovim.nix
+++ b/modules/user/neovim.nix
@@ -1,9 +1,9 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, sysConfig, ... }:
 let
   luaconf = pkgs.writeText "config.lua"
     (lib.replaceStrings
-      ["{{OMNISHARP_PATH}}" "{{DART_PATH}}" "{{CATPPUCCIN_FLAVOUR}}"]
-      ["${pkgs.omnisharp-roslyn}/bin/OmniSharp" "${pkgs.dart}/bin/dart" config.catppuccin.nvim.flavor]
+      ["{{OMNISHARP_PATH}}" "{{DART_PATH}}" "{{CATPPUCCIN_FLAVOUR}}" "{{USERNAME}}" "{{HOSTNAME}}"]
+      ["${pkgs.omnisharp-roslyn}/bin/OmniSharp" "${pkgs.dart}/bin/dart" config.catppuccin.nvim.flavor config.home.username sysConfig.networking.hostName]
       (builtins.readFile ../../res/config.lua));
 in {
   systemd.user.tmpfiles.rules = [
@@ -21,6 +21,7 @@ in {
     withRuby = false;
 
     extraPackages = with pkgs; [
+      nixd
       rust-analyzer
       texlab
       astro-language-server
diff --git a/res/config.lua b/res/config.lua
index 3e91e28..c0b5dad 100644
--- a/res/config.lua
+++ b/res/config.lua
@@ -167,7 +167,7 @@ vim.diagnostic.config({
 
 capabilities = require('cmp_nvim_lsp').default_capabilities(capabilities)
 
-local servers = { 'astro', 'clangd', 'cssls', 'html', 'nil_ls', 'tailwindcss', 'texlab', 'ts_ls', 'yamlls' }
+local servers = { 'astro', 'clangd', 'cssls', 'html', 'tailwindcss', 'texlab', 'ts_ls', 'yamlls' }
 for _, lsp in ipairs(servers) do
     vim.lsp.config(lsp, {
         capabilities = capabilities,
@@ -292,6 +292,32 @@ vim.lsp.config("diagnosticls", {
 })
 vim.lsp.enable("diagnosticls")
 
+-- LSP/nixd
+vim.lsp.config("nixd", {
+  cmd = { "nixd" },
+  filetypes = { "nix" },
+  root_markers = { "flake.nix", ".git" },
+  settings = {
+    nixd = {
+      nixpkgs = {
+        expr = "import <nixpkgs> { }",
+      },
+      formatting = {
+        command = { "nixfmt" },
+      },
+      options = {
+        nixos = {
+          expr = '(builtins.getFlake (toString ./.)).nixosConfigurations.{{HOSTNAME}}.options',
+        },
+        home_manager = {
+          expr = '(builtins.getFlake (builtins.toString ./.)).nixosConfigurations."{{USERNAME}}@{{HOSTNAME}}".options.home-manager.users.type.getSubOptions []',
+        },
+      },
+    },
+  },
+})
+vim.lsp.enable("nixd")
+
 -- LSP/Signatures
 require("lsp_signature").setup {
     hint_enable = false,
diff --git a/users/rin/packages.nix b/users/rin/packages.nix
index afc711b..3fe0129 100644
--- a/users/rin/packages.nix
+++ b/users/rin/packages.nix
@@ -15,7 +15,6 @@ in {
     ffmpeg
     gnupg
     kitty
-    nil
     nodejs_latest
     pamixer
     pnpm

From e1c02d7a91eb1b6c4c25c243fcc861de6611ce39 Mon Sep 17 00:00:00 2001
From: Cilly Leang <mini@cilly.moe>
Date: Fri, 19 Jun 2026 08:01:17 +1000
Subject: [PATCH 17/20] containers/emerald: move to alyssum

---
 containers/emerald/flake.nix |  12 +++---------
 hosts/alyssum/default.nix    |   2 ++
 hosts/dandelion/default.nix  |   3 +--
 hosts/dandelion/nginx.nix    |   8 ++++++++
 secrets.nix                  |   2 +-
 secrets/navidrome_env.age    | Bin 630 -> 630 bytes
 6 files changed, 15 insertions(+), 12 deletions(-)
 create mode 100644 hosts/dandelion/nginx.nix

diff --git a/containers/emerald/flake.nix b/containers/emerald/flake.nix
index 9c9acdc..7e79b23 100644
--- a/containers/emerald/flake.nix
+++ b/containers/emerald/flake.nix
@@ -9,11 +9,11 @@
     shareFqdn = "muse.lava.moe";
     subnetId = "5";
 
-    subnet = x: "fd0d:1::${subnetId}:${toString x}";
+    subnet = x: "fd0d:2::${subnetId}:${toString x}";
     host = subnet 1;
     client = subnet 2;
 
-    subnet4 = x: "10.30.${subnetId}.${toString x}";
+    subnet4 = x: "10.32.${subnetId}.${toString x}";
     host4 = subnet4 1;
     client4 = subnet4 2;
 
@@ -39,13 +39,7 @@
         useACMEHost = "lava.moe";
         forceSSL = true;
         locations."/".proxyPass = "http://[${client}]:4533";
-        listenAddresses = [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ];
-      };
-      services.nginx.virtualHosts."${shareFqdn}" = {
-        useACMEHost = "lava.moe";
-        forceSSL = true;
-        locations."/".return = "404";
-        locations."/share/".proxyPass = "http://[${client}]:4533";
+        listenAddresses = [ "100.67.2.1" ];
       };
 
       systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
diff --git a/hosts/alyssum/default.nix b/hosts/alyssum/default.nix
index 661e3d5..06c415f 100644
--- a/hosts/alyssum/default.nix
+++ b/hosts/alyssum/default.nix
@@ -6,6 +6,7 @@
   age.secrets = {
     acme_dns.file = ../../secrets/acme_dns.age;
     passwd.file = ../../secrets/passwd.age;
+    navidrome_env.file = ../../secrets/navidrome_env.age;
     wpa_conf = {
       file = ../../secrets/wpa_conf.age;
       path = "/etc/wpa_supplicant/imperative.conf";
@@ -27,6 +28,7 @@
     modules.services.nginx
     modules.services.syncthing
 
+    inputs.c-emerald.nixosModule
     inputs.c-garnet.nixosModule
 
     ./filesystem.nix
diff --git a/hosts/dandelion/default.nix b/hosts/dandelion/default.nix
index 33b6eec..f65dfd1 100644
--- a/hosts/dandelion/default.nix
+++ b/hosts/dandelion/default.nix
@@ -5,7 +5,6 @@
 
   age.secrets = {
     acme_dns.file = ../../secrets/acme_dns.age;
-    navidrome_env.file = ../../secrets/navidrome_env.age;
     slskd_env.file = ../../secrets/slskd_env.age;
     wg_dandelion.file = ../../secrets/wg_dandelion.age;
   };
@@ -31,12 +30,12 @@
     inputs.c-beryllium.nixosModule
     inputs.c-citrine.nixosModule
     inputs.c-diamond.nixosModule
-    inputs.c-emerald.nixosModule
     inputs.c-fluorite.nixosModule
 
     ./filesystem.nix
     ./kernel.nix
     ./networking.nix
+    ./nginx.nix
 
     ../../users/hana
   ];
diff --git a/hosts/dandelion/nginx.nix b/hosts/dandelion/nginx.nix
new file mode 100644
index 0000000..c29de38
--- /dev/null
+++ b/hosts/dandelion/nginx.nix
@@ -0,0 +1,8 @@
+{ ... }: {
+  services.nginx.virtualHosts."muse.lava.moe" = {
+    useACMEHost = "lava.moe";
+    forceSSL = true;
+    locations."/".return = "404";
+    locations."/share/".proxyPass = "http://[fd0d:2::5:2]:4533";
+  };
+}
diff --git a/secrets.nix b/secrets.nix
index bec70ef..b1f55e5 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -13,7 +13,7 @@ in {
   "secrets/wpa_conf.age".publicKeys = [ alyssum blossom rin ];
 
   "secrets/acme_dns.age".publicKeys = [ alyssum dandelion hazel rin ];
-  "secrets/navidrome_env.age".publicKeys = [ anemone dandelion rin ];
+  "secrets/navidrome_env.age".publicKeys = [ alyssum dandelion rin ];
   "secrets/slskd_env.age".publicKeys = [ anemone dandelion rin ];
   "secrets/tailscale_auth.age".publicKeys = [ alyssum anemone blossom dandelion rin ];
   "secrets/warden_admin.age".publicKeys = [ rin ];
diff --git a/secrets/navidrome_env.age b/secrets/navidrome_env.age
index 6cb705c5d12523d7e403ecd2736ad062cc9756fe..7df364f2e273e47d57332c4379af715fc8a5212e 100644
GIT binary patch
delta 584
zcmeyy@{MJJYJIl9Z*V}lLa~0SOIE(8PgRsjZmNfANJe2wPNjZ9K&nwvh`)KUw?}|y
zah|!8zGG!ES3tUPYCwulX0BsVR8p0bmsfUvPO5&2S!h;hVwzuKWp+uHcVUTTdSRIf
zm#&>cadC!jYKoDmsiCDpQjl9=YM_FCWl?sip<%gqwy#lonvqFjKvu9*l%cm%RD_Rz
zPH>2SdRe%kae7vjv#~E%MTm2_M@pe-SdoEInPr7bzH3yWbF#aSXG&I7h-I;nrF%|F
zewC4Ve!0QKkK*+n8Nr2a7A`?m`eorJM!{*uCTWH4zMkn>mQe-CroO3>ei?;@#Z~5M
zPT5>0o>h*aL4~FUMUjSP2Kt4LRrw~C$+;O}=K96i8Rh}*z7`plg`Sq-?yg+Ay1EL9
z!TyHDId0x**{;q$X6{A#7A9%FnJ!TVfj&NdN&ZD?nSS-D>3-hk*~Q6ROqpWpMWV|d
z&c4vI?M;r-tE{--Z%Xm=Lj$CDFLGWutD?BcP;&a@f0uoCZ!2GWs`sk3vUqjk;%iK`
z+P^Q@zJ8i|WunSt<>I|nf4nn)t!g;n)&0q3m!$nYJ2|(F-<d74-$iL`IQpjB`p8Y8
zi<%dsm%mEVzL?+QP_RweXq^wc&Xl#{Zx>vj?sG`WCg#Y;CB32Co4)>MRlf4+k<eN@
z!+PV_1xztb&piV*@9mv2OU_~Kn}XRo&fm9~9%3)E@D=1xUGC?|S!B-g{A5FSUXR@W
f5^2U)>K9tCZCbg>R9kL#Qr5a2&Gw+g7Uxv}q{-wD

delta 584
zcmeyy@{MJJYJGl2WpIh3LZG*ASzdXWbADmIYe+zTa7bu&lwWarXh?RTdtpFIpi5Ga
zyPJ7%nzx51S5k3cm}RK1et2$DNMw0dR$)$*x3h7Un^R$UQdDSAUSv^ZScPSXPf21r
zm#&>cadC!jYKoDmsiCDpQjl9=YM_E;sAqUkqNAfxg>QjNvU_A|X@<7Gt5c+>c4bM4
zVP%kMn1@q%X--9UnMWv>VWC@Qk!gx=Rk&+va#@acqN7(zu7QD1QK@@id8uh~a%ymf
zk%fDBQl-VjkK*;YsoG@~9(kUn6<$f6F8(e~-j<F<VM)m$0lpC_c^-ZthGnT)RhBMg
znZ8`1&fcDG+DSp-`av#{N#-ejfgYiSrCy1lWmRF8L6N07hLPz`$xhiWsgYc|y1EKJ
zrK#ariB;wX`T8zi;Ta*>krv?<`6gazg)WY{CGJK+mA>^Rd6~u*mEnP0+oFBUOCsE*
z3bwpzlgKR$u9$3^^ZVfWqPNN?4)f&tr`cQQ=D&Xa?73?U-wn%@sp~tnL(+v$>}C*F
zxA`xn%JX>ouLo-iPxHCPx(V+O*cJKu@s3=59#dX}h>yFj?Z5ZfGA|<ZL}>o$zklp6
zX|@|&xOuuKjLFleVCnh`Z_lSp+>)?)gVX#Q4P6t?pZWIe&UJ&<dyn!y)~5gXU%YUZ
z+!<ZR$tBYNo{6+wn4vvk@du49$>$5F8pXE@ck*9i%4<GzHBCI~k1&hhf4}GP`?VRq
gK9{~_dp`C33hDY^U$0rrsN_u7`I?ffGpDHv0E8s%8UO$Q


From 83371117d47c11f9e11dab792c414506fda1b3a0 Mon Sep 17 00:00:00 2001
From: Cilly Leang <mini@cilly.moe>
Date: Fri, 19 Jun 2026 08:57:22 +1000
Subject: [PATCH 18/20] containers/emerald: change mounts

---
 containers/emerald/configuration.nix | 2 +-
 containers/emerald/flake.nix         | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/containers/emerald/configuration.nix b/containers/emerald/configuration.nix
index f69a4c6..7f1f1fc 100644
--- a/containers/emerald/configuration.nix
+++ b/containers/emerald/configuration.nix
@@ -16,7 +16,7 @@
       ShareURL = "https://${shareFqdn}";
       EnableSharing = true;
       DataFolder = "/persist/navidrome";
-      MusicFolder = "/binds/music";
+      MusicFolder = "/binds/music/main";
     };
   };
 }
diff --git a/containers/emerald/flake.nix b/containers/emerald/flake.nix
index 7e79b23..5ee69e4 100644
--- a/containers/emerald/flake.nix
+++ b/containers/emerald/flake.nix
@@ -62,7 +62,7 @@
           isReadOnly = false;
         };
         bindMounts."music" = {
-          hostPath = "/persist/media/music";
+          hostPath = "/flower/media/music";
           mountPoint = "/binds/music";
           isReadOnly = true;
         };

From 004832fc066bc76a95cbb46d22e9833b5446dbff Mon Sep 17 00:00:00 2001
From: Cilly Leang <mini@cilly.moe>
Date: Fri, 19 Jun 2026 09:03:39 +1000
Subject: [PATCH 19/20] containers/emerald: bind music directory

---
 containers/emerald/configuration.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/containers/emerald/configuration.nix b/containers/emerald/configuration.nix
index 7f1f1fc..421ddb0 100644
--- a/containers/emerald/configuration.nix
+++ b/containers/emerald/configuration.nix
@@ -19,4 +19,5 @@
       MusicFolder = "/binds/music/main";
     };
   };
+  systemd.services.navidrome.serviceConfig.BindReadOnlyPaths = ["/binds/music"];
 }

From c0004409d7aa14c8aacf166c7bf21b9cd5431135 Mon Sep 17 00:00:00 2001
From: Cilly Leang <mini@cilly.moe>
Date: Fri, 19 Jun 2026 09:12:52 +1000
Subject: [PATCH 20/20] alyssum/samba: bind music

---
 hosts/alyssum/samba.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hosts/alyssum/samba.nix b/hosts/alyssum/samba.nix
index f14365b..d876981 100644
--- a/hosts/alyssum/samba.nix
+++ b/hosts/alyssum/samba.nix
@@ -4,6 +4,7 @@ let
     passwd_fname = "passwd_smb${user}";
   in {
     age.secrets.${passwd_fname}.file = ../../secrets/${passwd_fname}.age;
+    me.binds."/flower/smb/${user}/music" = "/flower/media/music/${user}";
     me.binds."/flower/smb/${user}/syncthing" = "/flower/syncthing/${user}";
 
     users.users.${user} = {