9 changed files with 19 additions and 196 deletions
--- a/containers/garnet/configuration.nix
+++ b/containers/garnet/configuration.nix
@ -1,34 +0,0 @@
 { ... }: {
  system.stateVersion = "25.11";
  fileSystems."/var/lib/opencloud" = {
    device = "/flower/data";
    fsType = "none";
    options = [ "bind" ];
  };
  fileSystems."/etc/opencloud" = {
    device = "/persist/cfg";
    fsType = "none";
    options = [ "bind" ];
  };
  # TODO: hardcoded address
  networking.extraHosts = ''
    100.67.2.1 cloud.lava.moe
  '';
  networking.firewall.allowedTCPPorts = [ 9200 ];
  networking.firewall.allowedUDPPorts = [ 9200 ];
  environment.etc."opencloud-admin-pass".text = ''
    IDM_ADMIN_PASSWORD=supersillysecure
  '';
  services.opencloud = {
    enable = true;
    url = "https://cloud.lava.moe";
    address = "10.30.7.2";
    port = 9200;
    environment = {
      PROXY_TLS = "false";
    };
    environmentFile = "/etc/opencloud-admin-pass";
  };
 }
--- a/containers/garnet/flake.lock
+++ b/containers/garnet/flake.lock
@ -1,27 +0,0 @@
 {
  "nodes": {
    "nixpkgs": {
      "locked": {
        "lastModified": 1779560665,
        "narHash": "sha256-tpyBcxPpcQb8ukyNF7DoCwfSY3VPsxHoYwj00Cayv5o=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "64c08a7ca051951c8eae34e3e3cb1e202fe36786",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "nixpkgs": "nixpkgs"
      }
    }
  },
  "root": "root",
  "version": 7
 }
--- a/containers/garnet/flake.nix
+++ b/containers/garnet/flake.nix
@ -1,77 +0,0 @@
 {
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
  };
  outputs = { nixpkgs, ... }:
  let
    name = "garnet";
    fqdn = "cloud.lava.moe";
    subnetId = "7";
    subnet = x: "fd0d:1::${subnetId}:${toString x}";
    host = subnet 1;
    client = subnet 2;
    subnet4 = x: "10.30.${subnetId}.${toString x}";
    host4 = subnet4 1;
    client4 = subnet4 2;
    modules = [
      ./configuration.nix
      {
        networking.useHostResolvConf = false;
        networking.nameservers = [ host ];
      }
    ];
  in {
    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
      inherit modules;
    };
    nixosModule = { config, ... }: {
      networking.nat = {
        enable = true;
        enableIPv6 = true;
        internalInterfaces = [ "ve-${name}" ];
      };
      services.nginx.virtualHosts."${fqdn}" = {
        useACMEHost = "lava.moe";
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://${client4}:9200";
          proxyWebsockets = true;
        };
        # TODO: hardcoded address
        listenAddresses = [ "100.67.2.1" ];
      };
      systemd.tmpfiles.rules = [
        "d /persist/containers/${name} 755 root users"
      ];
      containers.${name} = {
        autoStart = true;
        privateNetwork = true;
        hostAddress = host4;
        localAddress = client4;
        hostAddress6 = host;
        localAddress6 = client;
        # privateUsers = "pick";
        nixpkgs = nixpkgs;
        ephemeral = true;
        config = { imports = modules; };
        specialArgs = { inherit fqdn; };
        bindMounts."persist" = {
          hostPath = "/persist/containers/${name}";
          mountPoint = "/persist";
          isReadOnly = false;
        };
        bindMounts."content" = {
          hostPath = "/flower/opencloud";
          mountPoint = "/flower";
          isReadOnly = false;
        };
      };
    };
  };
 }
--- a/flake.lock
+++ b/flake.lock
@ -128,20 +128,6 @@
      },
      "parent": []
    },
    "c-garnet": {
      "inputs": {
        "nixpkgs": "nixpkgs_9"
      },
      "locked": {
        "path": "./containers/garnet",
        "type": "path"
      },
      "original": {
        "path": "./containers/garnet",
        "type": "path"
      },
      "parent": []
    },
    "catppuccin": {
      "inputs": {
        "nixpkgs": "nixpkgs_4"
@ -609,7 +595,7 @@
      "inputs": {
        "flake-parts": "flake-parts_2",
        "git-hooks": "git-hooks",
-        "nixpkgs": "nixpkgs_10"
+        "nixpkgs": "nixpkgs_9"
      },
      "locked": {
        "lastModified": 1779768228,
@ -693,22 +679,6 @@
      }
    },
    "nixpkgs_10": {
      "locked": {
        "lastModified": 1779536132,
        "narHash": "sha256-q+fF42iv/geEbHfgSzy3tS0FF/EyD6XTZ98E6yxiBO8=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "3d8f0f3f72a6cd4d93d0ad13203f2ea1cb7e1456",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixpkgs-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_11": {
      "locked": {
        "lastModified": 1779560665,
        "narHash": "sha256-tpyBcxPpcQb8ukyNF7DoCwfSY3VPsxHoYwj00Cayv5o=",
@ -724,7 +694,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_12": {
+    "nixpkgs_11": {
      "locked": {
        "lastModified": 1770019141,
        "narHash": "sha256-VKS4ZLNx4PNrABoB0L8KUpc1fE7CLpQXQs985tGfaCU=",
@ -854,16 +824,16 @@
    },
    "nixpkgs_9": {
      "locked": {
-        "lastModified": 1779560665,
+        "lastModified": 1779536132,
-        "narHash": "sha256-tpyBcxPpcQb8ukyNF7DoCwfSY3VPsxHoYwj00Cayv5o=",
+        "narHash": "sha256-q+fF42iv/geEbHfgSzy3tS0FF/EyD6XTZ98E6yxiBO8=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "64c08a7ca051951c8eae34e3e3cb1e202fe36786",
+        "rev": "3d8f0f3f72a6cd4d93d0ad13203f2ea1cb7e1456",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-unstable",
+        "ref": "nixpkgs-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
@ -910,7 +880,7 @@
    "pastel": {
      "inputs": {
        "flake-utils": "flake-utils_2",
-        "nixpkgs": "nixpkgs_12",
+        "nixpkgs": "nixpkgs_11",
        "pnpm2nix": "pnpm2nix"
      },
      "locked": {
@ -976,7 +946,6 @@
        "c-diamond": "c-diamond",
        "c-emerald": "c-emerald",
        "c-fluorite": "c-fluorite",
        "c-garnet": "c-garnet",
        "catppuccin": "catppuccin_2",
        "catppuccin-palette": "catppuccin-palette",
        "fast-syntax-highlighting": "fast-syntax-highlighting",
@ -985,7 +954,7 @@
        "neovim-nightly": "neovim-nightly",
        "nix-gaming": "nix-gaming",
        "nix-index-database": "nix-index-database",
-        "nixpkgs": "nixpkgs_11",
+        "nixpkgs": "nixpkgs_10",
        "nvim-treesitter": "nvim-treesitter",
        "pastel": "pastel",
        "pure": "pure",
--- a/flake.nix
+++ b/flake.nix
@ -44,7 +44,6 @@
    c-diamond.url = "path:./containers/diamond";
    c-emerald.url = "path:./containers/emerald";
    c-fluorite.url = "path:./containers/fluorite";
    c-garnet.url = "path:./containers/garnet";
  };
  outputs = { self, agenix, catppuccin, nixpkgs, ... } @ inputs:
--- a/hosts/alyssum/default.nix
+++ b/hosts/alyssum/default.nix
@ -1,10 +1,9 @@
-{ inputs, modules, modulesPath, ... }: {
+{ lib, modules, modulesPath, ... }: {
  networking.hostName = "alyssum";
  system.stateVersion = "25.11";
  time.timeZone = "Australia/Melbourne";
  age.secrets = {
    acme_dns.file = ../../secrets/acme_dns.age;
    wpa_conf = {
      file = ../../secrets/wpa_conf.age;
      path = "/etc/wpa_supplicant/imperative.conf";
@ -23,10 +22,6 @@
    security
    tailscale
    modules.services.nginx
    inputs.c-garnet.nixosModule
    ./filesystem.nix
    ./kernel.nix
    ./networking.nix
--- a/hosts/alyssum/filesystem.nix
+++ b/hosts/alyssum/filesystem.nix
@ -26,7 +26,6 @@ in {
    };
    "/boot" = mkLabelMount "stem" "vfat";
    "/flower" = mkBtrfsMount "myosotis" "/@" true;
    "/nix" = submount "/@/nix" false;
    "/persist" = (submount "/@/persist" true) // { neededForBoot = true; };
    "/persist/.snapshots" = submount "/snap/persist" false;
--- a/secrets.nix
+++ b/secrets.nix
@ -10,7 +10,7 @@ in {
  "secrets/passwd.age".publicKeys = [ anemone blossom rin ];
  "secrets/wpa_conf.age".publicKeys = [ alyssum blossom rin ];
-  "secrets/acme_dns.age".publicKeys = [ alyssum dandelion hazel rin ];
+  "secrets/acme_dns.age".publicKeys = [ dandelion hazel rin ];
  "secrets/navidrome_env.age".publicKeys = [ anemone dandelion rin ];
  "secrets/slskd_env.age".publicKeys = [ anemone dandelion rin ];
  "secrets/tailscale_auth.age".publicKeys = [ alyssum anemone blossom dandelion rin ];
--- a/secrets/acme_dns.age
+++ b/secrets/acme_dns.age
@ -1,11 +1,10 @@
 age-encryption.org/v1
-> ssh-ed25519 kOMSPw vqjZO82kILUQaoD9EwOgnmXKD9IyscgtzP65BVKkGhs
+-> ssh-ed25519 bRFqeQ trK7wfJ1fObF70yD3a6axuXaZv/EzzFI7he1dvUajH8
-07f0vL5fSq+EVdJ4n3L/q0tGsh0SVLCueTzbrMQC2ok
+1C5IrwITtma/um0zUo6by0llVTnla7TBdyRD07azTT8
-> ssh-ed25519 bRFqeQ qZAsyhdIY/fg7weEBYfB/WwFBrr/fDRrjt0J/m+57W4
+-> ssh-ed25519 ZAcXHw f+n0WJKTViwizwTIgRpbLGqk458SnuAFVVj5FQS0nwA
-FOWjbk7efoVdL9WxjWvaZ/0mJrQ4yj0fN/Fa3zztz84
+MRinOTxWGwfeg16VWJYD+1Uta+7xF6G9oyqtYSfEq80
-> ssh-ed25519 ZAcXHw UHpAQ4nKoGGaZWXVj4UM6uBanOgDpBvG6XdoBvhz6y8
+-> ssh-ed25519 U9FXlg 24QGfemIAHZYMwroayNJp91fUkbwUF7ACuXIk+7qdBg
-xF1orqajQxp2QzU/e1sq8lMxz4AQ2Vr5a3wEU55QqyE
+RNGpjxUgfzV/e1Ab/NcA8A0zzxsXU06xmVbLpG3x+iI
-> ssh-ed25519 U9FXlg n/LPuRDZ7N0VbZYLNr86hH/yRuqd2zFC7Nnpooz8d0o
+--- mekieJNQOl4vcg+hsSOQsFC7mVUZf/oRl/dT7AeTRKg
-aZig/wjd5vitGaJwQ89w2M7fj8fAiqTpdDOmLae74sM
+ºöHì¦<C3AC>)kñÞ#%3cªQÎÚº¿Ï•žè1?žad|‚ì³„Ù—²õo2Š¡
--- mXuALIh6k4n0cErsTFnwKemo/r2jFG7mGSTz2M8zXF8
+Bð)¾ä=ÿZió˜9çpR<70>¦î	ÉKl<>žgû Õž’éhŒ
 Zr2îŽ.	Òõ~Mú’P€þXÅ¹1¼)pÌ9Rî–9ªScLzhQü™ßO†Ä0íH7£•ŽLÌj¦5½
üâÏöÒ\©›l9˜7ÓôçÜ«nœ©¡>¹æ¢