From 4e49291a403244cb99d928d1b8279d18615457c5 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Mon, 16 Feb 2026 15:43:23 +1100 Subject: [PATCH 001/178] rin/packages: add jetbrains gateway --- users/rin/packages.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/users/rin/packages.nix b/users/rin/packages.nix index 3b07cab..e3db022 100644 --- a/users/rin/packages.nix +++ b/users/rin/packages.nix @@ -37,6 +37,7 @@ in { gamescope gimp3 grim + jetbrains.gateway #kotatogram-desktop krita lm_sensors From 3b73bd8f14b051790e2b0bd5592ebca82476df98 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Mon, 16 Feb 2026 16:00:25 +1100 Subject: [PATCH 002/178] overlays/jetbrains: init --- overlays/default.nix | 1 + overlays/jetbrains.nix | 22 ++++++++++++++++++++++ 2 files changed, 23 insertions(+) create mode 100644 overlays/jetbrains.nix diff --git a/overlays/default.nix b/overlays/default.nix index 31648cc..a84cba5 100644 --- a/overlays/default.nix +++ b/overlays/default.nix @@ -3,6 +3,7 @@ builtins.map (path: import path) [ ./cascadia-code.nix ./ccache.nix ./eww.nix + ./jetbrains.nix ./material-icons.nix ./steam.nix ./utillinux.nix diff --git a/overlays/jetbrains.nix b/overlays/jetbrains.nix new file mode 100644 index 0000000..dd1d1ad --- /dev/null +++ b/overlays/jetbrains.nix @@ -0,0 +1,22 @@ +# https://github.com/NixOS/nixpkgs/issues/375254 +self: super: { + jetbrains = super.jetbrains // { + gateway = let + unwrapped = super.jetbrains.gateway; + in super.buildFHSEnv { + name = "gateway"; + inherit (unwrapped) version; + + runScript = super.writeScript "gateway-wrapper" '' + unset JETBRAINS_CLIENT_JDK + exec ${unwrapped}/bin/gateway "$@" + ''; + + meta = unwrapped.meta; + + passthru = { + inherit unwrapped; + }; + }; + }; +} From cf47ffc5267e8104ce121b75eed9eccf92465b95 Mon Sep 17 00:00:00 2001 
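Review bot: The wrapper's reason for `unset JETBRAINS_CLIENT_JDK` before the exec is not recorded anywhere in the new file; the only context is the issue URL on its first line, so a one-line comment above the unset naming the failure that variable causes (whatever the linked issue describes) would save the next reader a trip to GitHub. As a style point, `meta = unwrapped.meta;` can become `inherit (unwrapped) meta;` to match the `inherit (unwrapped) version;` line a few lines above it.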
From: Cilly Leang Date: Tue, 24 Feb 2026 17:26:26 +1100 Subject: [PATCH 003/178] workflow: remove check job SHUTUPSHUTUPSHUTUPSHOUSHTOSHTOUSTHSROUTSHJSBUJFSBHIDh --- .github/workflows/cachix.yml | 21 --------------------- 1 file changed, 21 deletions(-) diff --git a/.github/workflows/cachix.yml b/.github/workflows/cachix.yml index 2a4d902..06bed3e 100644 --- a/.github/workflows/cachix.yml +++ b/.github/workflows/cachix.yml @@ -5,27 +5,6 @@ on: workflow_dispatch: jobs: - check: - name: Check flake - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - name: Unlock secrets - uses: sliteteam/github-action-git-crypt-unlock@1.2.0 - env: - GIT_CRYPT_KEY: ${{ secrets.GIT_CRYPT_KEY }} - - uses: cachix/install-nix-action@v31 - - uses: cachix/cachix-action@v16 - with: - name: lava - authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' - - run: | - cd / - cd - - - run: nix flake check --keep-going --verbose - build: name: Build linux-lava for x86_64-linux runs-on: ubuntu-latest From 1fd2ebedb0dfa4742a77024b017576d7691a0ef4 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Mon, 2 Mar 2026 13:17:36 +1100 Subject: [PATCH 004/178] anemone/networking: disable wpa_supplicant hardening --- hosts/anemone/networking.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/anemone/networking.nix b/hosts/anemone/networking.nix index 8b6bdf9..18c0d87 100644 --- a/hosts/anemone/networking.nix +++ b/hosts/anemone/networking.nix @@ -3,6 +3,7 @@ #nameservers = [ "8.8.8.8" "8.8.4.4" ]; #wg-quick.interfaces.wg0.configFile = "/persist/vpn.conf"; + wireless.enableHardening = false; networkmanager = { enable = true; From e73f9d612ce7010b5a4d5e37d82064eadcb22fcd Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Tue, 3 Mar 2026 13:37:03 +1100 Subject: [PATCH 005/178] rin/packages: use dotnet10 --- users/rin/packages.nix | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/users/rin/packages.nix b/users/rin/packages.nix index e3db022..77e8a2e 100644 
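Review bot: `wireless.enableHardening = false;` turns off the systemd sandboxing NixOS applies to wpa_supplicant, a daemon that parses frames from untrusted access points, and neither the line nor the commit message says what broke with it on. Record the reason next to it, e.g. `# hardening breaks <what>; see <issue/PR>`, and if it is a single missing path or capability, override that one `systemd.services.wpa_supplicant.serviceConfig` entry instead of dropping the whole profile. Since this host runs wpa_supplicant through NetworkManager (enabled just below), it is also worth checking whether the option even applies to that unit before keeping the override.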
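Review bot: The new `bluetooth_device_count` poll pipes `bluetoothctl devices Connected` straight into `wc -l`, while the sibling `bluetooth_device` poll above it first filters with `grep Device`, so any non-device output line would make the count disagree with the list it summarises. `grep -c Device` in place of `| wc -l` keeps both polls on the same filter and still yields a bare number for the `== "1"` comparison in the label below.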
--- a/users/rin/packages.nix +++ b/users/rin/packages.nix @@ -1,10 +1,8 @@ { config, inputs, pkgs, ... }: let dotnet-combined = (with pkgs.dotnetCorePackages; combinePackages [ - dotnet_8.sdk - dotnet_9.sdk - aspnetcore_8_0-bin - aspnetcore_9_0-bin + dotnet_10.sdk + aspnetcore_10_0-bin ]); in { programs.firefox = { From 09aceb18f4da7714e515ca302f08d880e202b64c Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Fri, 6 Mar 2026 21:07:12 +1100 Subject: [PATCH 006/178] user/eww: display multiple bluetooth devices in one line --- res/eww/eww.yuck | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/res/eww/eww.yuck b/res/eww/eww.yuck index c153154..2598788 100644 --- a/res/eww/eww.yuck +++ b/res/eww/eww.yuck @@ -43,6 +43,8 @@ `nmcli -f IN-USE,SIGNAL device wifi | grep '*' | tr -d -c 0-9`) (defpoll bluetooth_device :interval "1s" :run-while bt-enabled `bluetoothctl devices Connected | grep Device | cut -d" " -f3-`) +(defpoll bluetooth_device_count :interval "1s" :run-while bt-enabled + `bluetoothctl devices Connected | wc -l`) (deflisten lnetwork :initial "" :run-while wifi-enabled "./scripts/network.sh") (deflisten ltitle :initial "" "./scripts/title.sh") @@ -99,7 +101,7 @@ (revealer :transition "slideleft" :reveal {bluetooth-extended && bluetooth_device != ""} :duration 150 - (label :text bluetooth_device + (label :text { bluetooth_device_count == "1" ? bluetooth_device : (bluetooth_device_count + " devices") } :class "base"))))) (defwidget network [] From 12a18435873419e4257ad7124daa177e01afbebb Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Sun, 8 Mar 2026 18:12:28 +1100 Subject: [PATCH 007/178] system/docker: init --- hosts/anemone/default.nix | 1 + modules/default.nix | 1 + modules/system/docker.nix | 13 +++++++++++++ 3 files changed, 15 insertions(+) create mode 100644 modules/system/docker.nix diff --git a/hosts/anemone/default.nix b/hosts/anemone/default.nix index dda36f5..a630d81 100644 --- a/hosts/anemone/default.nix 
+++ b/hosts/anemone/default.nix @@ -17,6 +17,7 @@ bluetooth ccache corectrl + docker flatpak greetd gui diff --git a/modules/default.nix b/modules/default.nix index 9a1898a..8237922 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -35,6 +35,7 @@ in { ./system/bluetooth.nix ./system/ccache.nix ./system/corectrl.nix + ./system/docker.nix ./system/flatpak.nix ./system/greetd.nix ./system/gui.nix diff --git a/modules/system/docker.nix b/modules/system/docker.nix new file mode 100644 index 0000000..08dfe23 --- /dev/null +++ b/modules/system/docker.nix @@ -0,0 +1,13 @@ +{ pkgs, ... }: { + virtualisation.docker = { + enable = true; + storageDriver = "btrfs"; + rootless = { + enable = true; + setSocketVariable = true; + }; + }; + environment.systemPackages = [ + pkgs.docker-compose + ]; +} From 2f1ca6402571369273a04a561df6f28cec899237 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Sun, 8 Mar 2026 18:12:59 +1100 Subject: [PATCH 008/178] user/zsh: update nix abbrs --- modules/user/zsh.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/user/zsh.nix b/modules/user/zsh.nix index 3fefce6..6e8db74 100644 --- a/modules/user/zsh.nix +++ b/modules/user/zsh.nix @@ -38,7 +38,8 @@ let jf = "doas journalctl -f"; fl = "cd ~/Projects/flakes"; - nr = "doas nixos-rebuild switch --flake .#${sysConfig.networking.hostName} -v -L"; + nr = "nh os switch"; + nb = "nh os boot"; gs = "git status"; ga = "git add"; From 2baffcb7a5506338d6fdc80f0676a421118ab9f3 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Sun, 8 Mar 2026 23:58:32 +1100 Subject: [PATCH 009/178] hosts/anemone: enable kde connect --- hosts/anemone/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hosts/anemone/default.nix b/hosts/anemone/default.nix index a630d81..aa4c81b 100644 --- a/hosts/anemone/default.nix +++ b/hosts/anemone/default.nix @@ -54,4 +54,6 @@ services.fprintd.enable = true; services.tlp.enable = true; + + programs.kdeconnect.enable = true; } 
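Review bot: The module enables both the system daemon (`enable = true`) and the rootless one (`rootless.enable = true`), so the root-owned `/var/run/docker.sock` still exists and `setSocketVariable = true` only points `DOCKER_HOST` at the per-user socket; nothing stops a process from targeting the root socket directly. If rootless is the intent on this machine the root daemon can stay off, otherwise a comment saying why both are wanted would help. As far as I can tell `storageDriver = "btrfs"` only configures the system daemon, so the rootless daemon may end up on a different driver unless configured separately.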
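Review bot: `programs.kdeconnect.enable = true;` does more than install the package: as far as I recall the NixOS module also opens TCP and UDP 1714–1764 in the host firewall, and this laptop joins arbitrary Wi-Fi networks through NetworkManager, so the discovery/pairing service becomes reachable from any LAN it sits on. If that is acceptable, say so next to the line, e.g. `# NB: opens 1714-1764/tcp+udp in the firewall`; otherwise override the module's global port ranges with `lib.mkForce [ ]` and re-add them under `networking.firewall.interfaces.<trusted-if>` only.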
From 12681f2087b9e3ea22772c2fd09d2be0f72783b7 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Mon, 9 Mar 2026 00:39:07 +1100 Subject: [PATCH 010/178] system/docker: disable rootless --- modules/system/docker.nix | 8 ++++---- users/rin/default.nix | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/system/docker.nix b/modules/system/docker.nix index 08dfe23..1ebd190 100644 --- a/modules/system/docker.nix +++ b/modules/system/docker.nix @@ -2,10 +2,10 @@ virtualisation.docker = { enable = true; storageDriver = "btrfs"; - rootless = { - enable = true; - setSocketVariable = true; - }; + # rootless = { + # enable = true; + # setSocketVariable = true; + # }; }; environment.systemPackages = [ pkgs.docker-compose diff --git a/users/rin/default.nix b/users/rin/default.nix index e8d6f5c..91166ed 100644 --- a/users/rin/default.nix +++ b/users/rin/default.nix @@ -3,7 +3,7 @@ programs.zsh.enable = true; users.users.rin = { isNormalUser = true; - extraGroups = [ "adbusers" "audio" "corectrl" "dialout" "libvirtd" "networkmanager" "video" "wheel" "wireshark" ]; + extraGroups = [ "adbusers" "audio" "corectrl" "dialout" "docker" "libvirtd" "networkmanager" "video" "wheel" "wireshark" ]; shell = pkgs.zsh; uid = 1001; hashedPasswordFile = config.age.secrets.passwd.path; From e2832de9684d7f3fbd8e6f44f73a5e40bab9f2dd Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Sun, 15 Mar 2026 15:53:14 +1100 Subject: [PATCH 011/178] containers/amethyst: init --- containers/amethyst/configuration.nix | 47 +++++++++++++++++++++++++++ containers/amethyst/flake.lock | 27 +++++++++++++++ containers/amethyst/flake.nix | 38 ++++++++++++++++++++++ flake.lock | 37 +++++++++++++++++++-- flake.nix | 3 ++ hosts/anemone/default.nix | 2 ++ 6 files changed, 151 insertions(+), 3 deletions(-) create mode 100644 containers/amethyst/configuration.nix create mode 100644 containers/amethyst/flake.lock create mode 100644 containers/amethyst/flake.nix 
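Review bot: The rootless block is commented out rather than removed, and neither the hunk nor the commit message records why rootless mode did not work out, so the next reader cannot tell whether this is temporary or permanent. Replace the four commented lines with a one-line reason, e.g. `# rootless mode disabled: <what failed>`, or drop them; git history keeps the old form.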
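Review bot: Adding `"docker"` to `extraGroups` gives this account control of the root daemon's socket, which is root-equivalent on the host (a `-v /:/host` bind mount is all it takes), so the move away from rootless in the same commit widens what a compromised desktop session can do. The account is already in `wheel`, so the practical change is that no doas prompt stands between a process running as rin and root; a comment such as `# docker = root-equivalent; see modules/system/docker.nix` next to the group would at least record that this is understood.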
diff --git a/containers/amethyst/configuration.nix b/containers/amethyst/configuration.nix new file mode 100644 index 0000000..b9d496d --- /dev/null +++ b/containers/amethyst/configuration.nix @@ -0,0 +1,47 @@ +{ lib, pkgs, ... }: { + system.stateVersion = "23.11"; + systemd.tmpfiles.rules = [ + "d /persist/transmission 755 transmission transmission" + "d /persist/transmission/.config/transmission-daemon 750 transmission transmission" + "d /persist/transmission/.incomplete 750 transmission transmission" + "d /persist/transmission/Downloads 755 transmission transmission" + "d /persist/transmission/watchdir 755 transmission transmission" + ]; + networking.wg-quick.interfaces.wg0 = { + configFile = "/persist/vpn.conf"; + preUp = '' + # Try to access the DNS for up to 300s + for i in {1..60}; do + ${pkgs.iputils}/bin/ping -c1 'google.com' && break + echo "Attempt $i: DNS still not available" + sleep 5s + done + ''; + }; + + # https://github.com/NixOS/nixpkgs/issues/258793 + systemd.services.transmission.serviceConfig = { + BindReadOnlyPaths = lib.mkForce [ builtins.storeDir "/etc" ]; + RootDirectoryStartOnly = lib.mkForce false; + RootDirectory = lib.mkForce ""; + PrivateMounts = lib.mkForce false; + PrivateUsers = lib.mkForce false; + }; + + networking.firewall.allowedTCPPorts = [ 9091 ]; + services.transmission = { + enable = true; + package = pkgs.transmission_4; + downloadDirPermissions = "775"; + openFirewall = true; + home = "/persist/transmission"; + settings = { + ratio-limit-enabled = true; + rpc-bind-address = "0.0.0.0"; + rpc-enabled = true; + rpc-port = 9091; + rpc-host-whitelist-enabled = false; + rpc-whitelist-enabled = false; + }; + }; +} diff --git a/containers/amethyst/flake.lock b/containers/amethyst/flake.lock new file mode 100644 index 0000000..88ab73f --- /dev/null +++ b/containers/amethyst/flake.lock 
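Review bot: The transmission RPC settings at the bottom of the hunk bind to `0.0.0.0` with both whitelists disabled and no `rpc-authentication-required`, so anything that can reach 10.30.1.2:9091 (the host, plus whatever the host forwards) gets full control of the daemon, and `networking.firewall.allowedTCPPorts = [ 9091 ]` opens it inside the container as well. Prefer `rpc-whitelist = "10.30.1.1"` with `rpc-whitelist-enabled = true`, or `rpc-authentication-required = true` together with `services.transmission.credentialsFile`. Separately, nothing ties transmission to `wg0`, so if the tunnel is down peer traffic leaves through the host NAT; setting `bind-address-ipv4` to the tunnel address gives a cheap kill switch. The `mkForce` block that strips the unit's sandbox has its issue link, but a comment stating which of the five overrides is actually needed would let the rest be re-enabled later.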
@@ -0,0 +1,27 @@ +{ + "nodes": { + "nixpkgs": { + "locked": { + "lastModified": 1773282481, + "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "nixpkgs": "nixpkgs" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/containers/amethyst/flake.nix b/containers/amethyst/flake.nix new file mode 100644 index 0000000..e025a5b --- /dev/null +++ b/containers/amethyst/flake.nix @@ -0,0 +1,38 @@ +{ + inputs = { + nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; + }; + outputs = { nixpkgs, ... }: { + nixosConfigurations.container = nixpkgs.lib.nixosSystem { + modules = [ ./configuration.nix ]; + }; + nixosModule = { ... }: { + networking.nat = { + enable = true; + enableIPv6 = true; + internalInterfaces = [ "ve-+" ]; + }; + + systemd.tmpfiles.rules = [ "d /persist/containers/amethyst 755 root users" ]; + containers.amethyst = { + autoStart = true; + privateNetwork = true; + hostAddress = "10.30.1.1"; + localAddress = "10.30.1.2"; + hostAddress6 = "fd0d:1::1:1"; + localAddress6 = "fd0d:1::1:2"; + # privateUsers = "pick"; + nixpkgs = nixpkgs; + ephemeral = true; + config = { imports = [ ./configuration.nix ]; }; + + bindMounts."persist" = { + hostPath = "/persist/containers/amethyst"; + mountPoint = "/persist"; + isReadOnly = false; + }; + # flake = "path:" + ./.; + }; + }; + }; +} diff --git a/flake.lock b/flake.lock index 4eeaaa3..4d2cc7a 100644 --- a/flake.lock +++ b/flake.lock 
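Review bot: `# privateUsers = "pick";` is left commented out, so the container runs without a user namespace and its root is the host's root as far as the kernel is concerned; combined with the writable `bindMounts."persist"` and the sandbox overrides in the container config, the boundary is mostly a network one. If it was disabled because of ownership of the bind-mounted `/persist`, record that in a comment, otherwise turn it on. Minor: `nixpkgs = nixpkgs;` is `inherit nixpkgs;`.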
@@ -43,6 +43,20 @@ "type": "github" } }, + "c-amethyst": { + "inputs": { + "nixpkgs": "nixpkgs_3" + }, + "locked": { + "path": "./containers/amethyst", + "type": "path" + }, + "original": { + "path": "./containers/amethyst", + "type": "path" + }, + "parent": [] + }, "catppuccin": { "inputs": { "catppuccin-v1_1": "catppuccin-v1_1", @@ -415,7 +429,7 @@ "nix-gaming": { "inputs": { "flake-parts": "flake-parts_2", - "nixpkgs": "nixpkgs_3" + "nixpkgs": "nixpkgs_4" }, "locked": { "lastModified": 1770778188, @@ -511,6 +525,22 @@ } }, "nixpkgs_3": { + "locked": { + "lastModified": 1773282481, + "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_4": { "locked": { "lastModified": 1770537093, "narHash": "sha256-pF1quXG5wsgtyuPOHcLfYg/ft/QMr8NnX0i6tW2187s=", @@ -526,7 +556,7 @@ "type": "github" } }, - "nixpkgs_4": { + "nixpkgs_5": { "locked": { "lastModified": 1770562336, "narHash": "sha256-ub1gpAONMFsT/GU2hV6ZWJjur8rJ6kKxdm9IlCT0j84=", @@ -601,6 +631,7 @@ "inputs": { "aagl": "aagl", "agenix": "agenix", + "c-amethyst": "c-amethyst", "catppuccin": "catppuccin", "catppuccin-palette": "catppuccin-palette", "fast-syntax-highlighting": "fast-syntax-highlighting", @@ -609,7 +640,7 @@ "linux-tkg": "linux-tkg", "neovim-nightly": "neovim-nightly", "nix-gaming": "nix-gaming", - "nixpkgs": "nixpkgs_4", + "nixpkgs": "nixpkgs_5", "nixpkgs-stable": "nixpkgs-stable_2", "nvim-treesitter": "nvim-treesitter", "pure": "pure", diff --git a/flake.nix b/flake.nix index 98a4505..3ee112e 100644 --- a/flake.nix +++ b/flake.nix 
@@ -37,6 +37,9 @@ spotify-adblock = { url = "github:abba23/spotify-adblock"; flake = false; }; tree-sitter-jsonc = { url = "gitlab:WhyNotHugo/tree-sitter-jsonc"; flake = false; }; wine-discord-ipc-bridge = { url = "github:0e4ef622/wine-discord-ipc-bridge"; flake = false; }; + + # containers + c-amethyst.url = "path:./containers/amethyst"; }; outputs = { self, agenix, catppuccin, nixpkgs, nixpkgs-stable, ... } @ inputs: diff --git a/hosts/anemone/default.nix b/hosts/anemone/default.nix index aa4c81b..ee08a68 100644 --- a/hosts/anemone/default.nix +++ b/hosts/anemone/default.nix @@ -37,6 +37,8 @@ ../../users/rin modules.services.syncthing + + inputs.c-amethyst.nixosModule ]; me = { From acc4d31f467d4403aa87f499270156a366c20ef5 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Sun, 15 Mar 2026 19:27:29 +1100 Subject: [PATCH 012/178] containers/beryllium: init --- containers/beryllium/configuration.nix | 15 +++++++++ containers/beryllium/flake.lock | 27 +++++++++++++++++ containers/beryllium/flake.nix | 42 ++++++++++++++++++++++++++ flake.lock | 37 +++++++++++++++++++++-- flake.nix | 1 + hosts/anemone/default.nix | 1 + 6 files changed, 120 insertions(+), 3 deletions(-) create mode 100644 containers/beryllium/configuration.nix create mode 100644 containers/beryllium/flake.lock create mode 100644 containers/beryllium/flake.nix diff --git a/containers/beryllium/configuration.nix b/containers/beryllium/configuration.nix new file mode 100644 index 0000000..d877f3b --- /dev/null +++ b/containers/beryllium/configuration.nix @@ -0,0 +1,15 @@ +{ ... }: { + system.stateVersion = "25.11"; + fileSystems."/var/lib/private" = { + device = "/persist"; + fsType = "none"; + options = [ "bind" ]; + }; + + services.matrix-continuwuity = { + enable = true; + settings.global = { + server_name = "lava.moe"; + }; + }; +} diff --git a/containers/beryllium/flake.lock b/containers/beryllium/flake.lock new file mode 100644 index 0000000..88ab73f --- /dev/null +++ b/containers/beryllium/flake.lock 
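Review bot: `c-amethyst` is added without `inputs.nixpkgs.follows = "nixpkgs"`, unlike the other inputs in this file (home-manager, agenix, spicetify-nix all follow), and the lock in the same commit shows the container pinning its own nixpkgs (`nixpkgs_3`, rev fe416aa…) separate from the host's (`nixpkgs_5`). That is a second nixpkgs tree to keep current for security fixes, and the container module's `nixpkgs = nixpkgs;` means transmission is built from it. Add `c-amethyst.inputs.nixpkgs.follows = "nixpkgs";` next to the url line unless the divergence is deliberate, in which case say why in a comment.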
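Review bot: The bind mount puts `/persist` on `/var/lib/private`, the root systemd uses for `DynamicUser=` state, but the host module creates the backing directory as `755 root users`; as far as I recall systemd expects `/var/lib/private` to be `0700` root-owned and warns or refuses to set up the state directory otherwise, and even if it proceeds the continuwuity database (signing keys, access tokens) sits under a world-listable parent. Create a `0700 root root` directory for this container's state (e.g. a `/persist/state` subdirectory via a tmpfiles rule inside the container) and mount that instead, and note the requirement next to the `fileSystems` entry.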
@@ -0,0 +1,27 @@ +{ + "nodes": { + "nixpkgs": { + "locked": { + "lastModified": 1773282481, + "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "nixpkgs": "nixpkgs" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/containers/beryllium/flake.nix b/containers/beryllium/flake.nix new file mode 100644 index 0000000..af3d7aa --- /dev/null +++ b/containers/beryllium/flake.nix @@ -0,0 +1,42 @@ +{ + inputs = { + nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; + }; + outputs = { nixpkgs, ... }: { + nixosConfigurations.container = nixpkgs.lib.nixosSystem { + modules = [ ./configuration.nix ]; + }; + nixosModule = { ... }: + let + name = "beryllium"; + subnet = "2"; + in { + networking.nat = { + enable = true; + enableIPv6 = true; + internalInterfaces = [ "ve-+" ]; + }; + + systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ]; + containers.${name} = { + autoStart = true; + privateNetwork = true; + hostAddress = "10.30.${subnet}.1"; + localAddress = "10.30.${subnet}.2"; + hostAddress6 = "fd0d:1::${subnet}:1"; + localAddress6 = "fd0d:1::${subnet}:2"; + # privateUsers = "pick"; + nixpkgs = nixpkgs; + ephemeral = true; + config = { imports = [ ./configuration.nix ]; }; + + bindMounts."persist" = { + hostPath = "/persist/containers/${name}"; + mountPoint = "/persist"; + isReadOnly = false; + }; + # flake = "path:" + ./.; + }; + }; + }; +} diff --git a/flake.lock b/flake.lock index 4d2cc7a..c3e63fc 100644 --- a/flake.lock +++ b/flake.lock 
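Review bot: The `networking.nat` block is repeated verbatim from the amethyst module, and every further container will copy it again; since all of it keys on the host-wide `ve-+` pattern it belongs once in the host config (hosts/anemone/networking.nix) rather than in each container's exported module. Keeping only `containers.${name}` and the tmpfiles rule here also makes the module honest about what it owns. Style aside, `nixpkgs = nixpkgs;` is `inherit nixpkgs;`.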
@@ -57,6 +57,20 @@ }, "parent": [] }, + "c-beryllium": { + "inputs": { + "nixpkgs": "nixpkgs_4" + }, + "locked": { + "path": "./containers/beryllium", + "type": "path" + }, + "original": { + "path": "./containers/beryllium", + "type": "path" + }, + "parent": [] + }, "catppuccin": { "inputs": { "catppuccin-v1_1": "catppuccin-v1_1", @@ -429,7 +443,7 @@ "nix-gaming": { "inputs": { "flake-parts": "flake-parts_2", - "nixpkgs": "nixpkgs_4" + "nixpkgs": "nixpkgs_5" }, "locked": { "lastModified": 1770778188, @@ -541,6 +555,22 @@ } }, "nixpkgs_4": { + "locked": { + "lastModified": 1773282481, + "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_5": { "locked": { "lastModified": 1770537093, "narHash": "sha256-pF1quXG5wsgtyuPOHcLfYg/ft/QMr8NnX0i6tW2187s=", @@ -556,7 +586,7 @@ "type": "github" } }, - "nixpkgs_5": { + "nixpkgs_6": { "locked": { "lastModified": 1770562336, "narHash": "sha256-ub1gpAONMFsT/GU2hV6ZWJjur8rJ6kKxdm9IlCT0j84=", @@ -632,6 +662,7 @@ "aagl": "aagl", "agenix": "agenix", "c-amethyst": "c-amethyst", + "c-beryllium": "c-beryllium", "catppuccin": "catppuccin", "catppuccin-palette": "catppuccin-palette", "fast-syntax-highlighting": "fast-syntax-highlighting", @@ -640,7 +671,7 @@ "linux-tkg": "linux-tkg", "neovim-nightly": "neovim-nightly", "nix-gaming": "nix-gaming", - "nixpkgs": "nixpkgs_5", + "nixpkgs": "nixpkgs_6", "nixpkgs-stable": "nixpkgs-stable_2", "nvim-treesitter": "nvim-treesitter", "pure": "pure", diff --git a/flake.nix b/flake.nix index 3ee112e..03840e1 100644 --- a/flake.nix +++ b/flake.nix @@ -40,6 +40,7 @@ # containers c-amethyst.url = "path:./containers/amethyst"; + c-beryllium.url = "path:./containers/beryllium"; }; outputs = { self, agenix, catppuccin, nixpkgs, nixpkgs-stable, ... } @ inputs: 
diff --git a/hosts/anemone/default.nix b/hosts/anemone/default.nix index ee08a68..65e9d43 100644 --- a/hosts/anemone/default.nix +++ b/hosts/anemone/default.nix @@ -39,6 +39,7 @@ modules.services.syncthing inputs.c-amethyst.nixosModule + inputs.c-beryllium.nixosModule ]; me = { From 5a24bf690f85e9d306bc78ec1c7a3b5cdf68ac21 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Sun, 15 Mar 2026 19:32:34 +1100 Subject: [PATCH 013/178] containers/amethyst: refactor --- containers/amethyst/flake.nix | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/containers/amethyst/flake.nix b/containers/amethyst/flake.nix index e025a5b..a8bbeee 100644 --- a/containers/amethyst/flake.nix +++ b/containers/amethyst/flake.nix @@ -6,28 +6,32 @@ nixosConfigurations.container = nixpkgs.lib.nixosSystem { modules = [ ./configuration.nix ]; }; - nixosModule = { ... }: { + nixosModule = { ... }: + let + name = "amethyst"; + subnet = "1"; + in { networking.nat = { enable = true; enableIPv6 = true; internalInterfaces = [ "ve-+" ]; }; - systemd.tmpfiles.rules = [ "d /persist/containers/amethyst 755 root users" ]; - containers.amethyst = { + systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ]; + containers.${name} = { autoStart = true; privateNetwork = true; - hostAddress = "10.30.1.1"; - localAddress = "10.30.1.2"; - hostAddress6 = "fd0d:1::1:1"; - localAddress6 = "fd0d:1::1:2"; + hostAddress = "10.30.${subnet}.1"; + localAddress = "10.30.${subnet}.2"; + hostAddress6 = "fd0d:1::${subnet}:1"; + localAddress6 = "fd0d:1::${subnet}:2"; # privateUsers = "pick"; nixpkgs = nixpkgs; ephemeral = true; config = { imports = [ ./configuration.nix ]; }; bindMounts."persist" = { - hostPath = "/persist/containers/amethyst"; + hostPath = "/persist/containers/${name}"; mountPoint = "/persist"; isReadOnly = false; }; From 6bea3918586612998bce927478f1827718aa5ab9 Mon Sep 17 00:00:00 2001 
From: Cilly Leang Date: Sun, 15 Mar 2026 19:41:44 +1100 Subject: [PATCH 014/178] hosts/dandelion: pull changes --- flake.lock | 132 ++++++++++++++++++++++++++++++++++- flake.nix | 3 +- hosts/dandelion/default.nix | 1 + modules/default.nix | 1 + modules/services/banksia.nix | 11 +++ modules/services/nginx.nix | 13 ++-- modules/services/website.nix | 14 +++- 7 files changed, 165 insertions(+), 10 deletions(-) create mode 100644 modules/services/banksia.nix diff --git a/flake.lock b/flake.lock index c3e63fc..2afebb7 100644 --- a/flake.lock +++ b/flake.lock @@ -253,6 +253,42 @@ "type": "github" } }, + "flake-utils_2": { + "inputs": { + "systems": "systems_3" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_3": { + "inputs": { + "systems": "systems_4" + }, + "locked": { + "lastModified": 1701680307, + "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ @@ -602,6 +638,22 @@ "type": "github" } }, + "nixpkgs_7": { + "locked": { + "lastModified": 1770019141, + "narHash": "sha256-VKS4ZLNx4PNrABoB0L8KUpc1fE7CLpQXQs985tGfaCU=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "cb369ef2efd432b3cdf8622b0ffc0a97a02f3137", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "nuscht-search": { "inputs": { "flake-utils": "flake-utils", 
@@ -641,6 +693,49 @@ "type": "github" } }, + "pastel": { + "inputs": { + "flake-utils": "flake-utils_2", + "nixpkgs": "nixpkgs_7", + "pnpm2nix": "pnpm2nix" + }, + "locked": { + "lastModified": 1772103435, + "narHash": "sha256-dtsWJl+DBigaZlszH4UVI8JZltJl9O6MESDyH4RepNI=", + "owner": "cillynder", + "repo": "pastel", + "rev": "8e2b1b80d711eaf41c010949bef0a512db9e4452", + "type": "github" + }, + "original": { + "owner": "cillynder", + "repo": "pastel", + "type": "github" + } + }, + "pnpm2nix": { + "inputs": { + "flake-utils": "flake-utils_3", + "nixpkgs": [ + "pastel", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1717937937, + "narHash": "sha256-bKoHjG5P15vCVpDndIXFfoJC65XhrBPQ9GWcXtXNuDA=", + "owner": "wrvsrx", + "repo": "pnpm2nix-nzbr", + "rev": "a2d285ad5718cb202f45e98a4f839a5b2608c4b1", + "type": "github" + }, + "original": { + "owner": "wrvsrx", + "ref": "adapt-to-v9", + "repo": "pnpm2nix-nzbr", + "type": "github" + } + }, "pure": { "flake": false, "locked": { @@ -674,6 +769,7 @@ "nixpkgs": "nixpkgs_6", "nixpkgs-stable": "nixpkgs-stable_2", "nvim-treesitter": "nvim-treesitter", + "pastel": "pastel", "pure": "pure", "spicetify-nix": "spicetify-nix", "spotify-adblock": "spotify-adblock", @@ -708,7 +804,7 @@ "nixpkgs": [ "nixpkgs" ], - "systems": "systems_3" + "systems": "systems_5" }, "locked": { "lastModified": 1770846656, 
@@ -801,6 +897,36 @@ "type": "github" } }, + "systems_4": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_5": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "tree-sitter-jsonc": { "flake": false, "locked": { @@ -822,13 +948,13 @@ "locked": { "lastModified": 1668017714, "narHash": "sha256-ywy/7xeT6FHkF7lcs+stW1WPV+piE8ztSwcQ161iico=", - "owner": "LavaDesu", + "owner": "cillynder", "repo": "lavadesu.github.io", "rev": "4e30c50be520a0a1bbecf408f056e6aaf135df67", "type": "github" }, "original": { - "owner": "LavaDesu", + "owner": "cillynder", "ref": "master", "repo": "lavadesu.github.io", "type": "github" diff --git a/flake.nix b/flake.nix index 03840e1..9719bd8 100644 --- a/flake.nix +++ b/flake.nix @@ -22,8 +22,9 @@ spicetify-nix.inputs.nixpkgs.follows = "nixpkgs"; # services + pastel.url = "github:cillynder/pastel"; stevenblack-hosts = { url = "github:StevenBlack/hosts"; flake = false; }; - website = { url = "github:LavaDesu/lavadesu.github.io/master"; flake = false; }; + website = { url = "github:cillynder/lavadesu.github.io/master"; flake = false; }; # zsh plugins zsh-abbr = { url = "git+https://github.com/olets/zsh-abbr?submodules=1"; flake = false; }; diff --git a/hosts/dandelion/default.nix b/hosts/dandelion/default.nix index b9f5e42..ee386bf 100644 --- a/hosts/dandelion/default.nix +++ b/hosts/dandelion/default.nix 
@@ -19,6 +19,7 @@ security wireguard + modules.services.banksia modules.services.nginx modules.services.postgres modules.services.unbound diff --git a/modules/default.nix b/modules/default.nix index 8237922..014a61a 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -16,6 +16,7 @@ let in { options = ./options.nix; services = mkAttrsFromPaths [ + ./services/banksia.nix ./services/jellyfin.nix ./services/nginx.nix ./services/postgres.nix diff --git a/modules/services/banksia.nix b/modules/services/banksia.nix new file mode 100644 index 0000000..d6532f6 --- /dev/null +++ b/modules/services/banksia.nix @@ -0,0 +1,11 @@ +# TODO ^^ +{ ... }: { + services.nginx.virtualHosts = { + "banksia.lava.moe" = { + useACMEHost = "lava.moe"; + forceSSL = true; + locations."/".return = "302 https://github.com/cillynder/Banksia"; + locations."/api".proxyPass = "http://localhost:8080/"; + }; + }; +} diff --git a/modules/services/nginx.nix b/modules/services/nginx.nix index 10a2d84..51641b4 100644 --- a/modules/services/nginx.nix +++ b/modules/services/nginx.nix @@ -2,17 +2,20 @@ networking.firewall.allowedTCPPorts = [ 80 443 ]; security.acme = { acceptTerms = true; - defaults.email = "me@lava.moe"; - certs."lava.moe" = { + defaults = { + email = "me@lava.moe"; group = "nginx"; - domain = "lava.moe"; + dnsProvider = "cloudflare"; + credentialsFile = config.age.secrets."acme_dns".path; + }; + certs."lava.moe" = { extraDomainNames = [ "*.lava.moe" "*.local.lava.moe" ]; - dnsProvider = "cloudflare"; - credentialsFile = config.age.secrets."acme_dns".path; }; + certs."cilly.moe" = {}; + certs."cilly.dev" = {}; }; services.nginx = { diff --git a/modules/services/website.nix b/modules/services/website.nix index 5e7a223..2ef679b 100644 --- a/modules/services/website.nix +++ b/modules/services/website.nix 
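Review bot: `locations."/api"` is an nginx prefix match, so `/apix` or `/api-docs` also reach the backend on 8080, and the trailing slash on `proxyPass` strips the matched `/api` before forwarding; use `locations."/api/"` (and drop the trailing slash if the backend expects the prefix). The `# TODO ^^` at the top of the file does not say what the TODO is or what listens on 8080 — state the service and that it is meant to be reachable only through this vhost, e.g. `# TODO: turn this into a proper module; backend is <service> on localhost:8080`.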
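Review bot: Moving `dnsProvider` and `credentialsFile` into `security.acme.defaults` means the Cloudflare token in `acme_dns` is now used for DNS-01 on `cilly.moe` and `cilly.dev` as well as `lava.moe`; that only works, and is only least-privilege, if the token is scoped to exactly those zones, which the hunk cannot show — worth a comment such as `# token must cover lava.moe, cilly.moe, cilly.dev (Zone:DNS:Edit only)`. The two new certs have no `extraDomainNames`, so if any `www.` or other subdomain vhosts are planned they will need their own entries or a wildcard.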
@@ -1,5 +1,17 @@ -{ inputs, ... }: { +{ inputs, pkgs, ... }: let + pastel = inputs.pastel.packages.${pkgs.system}.default; +in { services.nginx.virtualHosts = { + "cilly.moe" = { + useACMEHost = "cilly.moe"; + forceSSL = true; + root = pastel.outPath; + }; + "cilly.dev" = { + useACMEHost = "cilly.dev"; + forceSSL = true; + root = pastel.outPath; + }; "lava.moe" = { useACMEHost = "lava.moe"; forceSSL = true; From 5c5579313444a2a7ea93c4f470b06cc9ca594fa8 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Sun, 15 Mar 2026 19:47:08 +1100 Subject: [PATCH 015/178] hosts/dandelion: follow unstable nixpkgs --- flake.nix | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/flake.nix b/flake.nix index 9719bd8..57befbc 100644 --- a/flake.nix +++ b/flake.nix @@ -4,10 +4,6 @@ home-manager.url = "github:nix-community/home-manager"; home-manager.inputs.nixpkgs.follows = "nixpkgs"; - nixpkgs-stable.url = "github:NixOS/nixpkgs/release-25.05"; - home-manager-stable.url = "github:nix-community/home-manager/release-25.05"; - home-manager-stable.inputs.nixpkgs.follows = "nixpkgs-stable"; - agenix.url = "github:ryantm/agenix"; agenix.inputs.nixpkgs.follows = "nixpkgs"; aagl.url = "github:ezKEa/aagl-gtk-on-nix"; @@ -44,7 +40,7 @@ c-beryllium.url = "path:./containers/beryllium"; }; - outputs = { self, agenix, catppuccin, nixpkgs, nixpkgs-stable, ... } @ inputs: + outputs = { self, agenix, catppuccin, nixpkgs, ... } @ inputs: let overlays = (import ./overlays) ++ [(final: prev: { 
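Review bot: `inputs.pastel.packages.${pkgs.system}.default` uses `pkgs.system`, which newer nixpkgs has been moving away from in favour of `pkgs.stdenv.hostPlatform.system`; the drop-in form is `pastel = inputs.pastel.packages.${pkgs.stdenv.hostPlatform.system}.default;`. Both vhosts pointing `root` at the same store path is fine; a short comment that `pastel` is a static site built from the flake input (so content changes need a lock bump) would explain why there is no writable root here.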
@@ -79,8 +75,8 @@ in { nixosConfigurations."anemone" = mkSystem nixpkgs "anemone" "x86_64-linux" []; - nixosConfigurations."dandelion" = mkSystem nixpkgs-stable "dandelion" "aarch64-linux" []; - nixosConfigurations."hazel" = mkSystem nixpkgs-stable "hazel" "x86_64-linux" []; + nixosConfigurations."dandelion" = mkSystem nixpkgs "dandelion" "aarch64-linux" []; + nixosConfigurations."hazel" = mkSystem nixpkgs "hazel" "x86_64-linux" []; nixosConfigurations."hyacinth" = mkSystem nixpkgs "hyacinth" "x86_64-linux" []; packages."x86_64-linux" = From f84e8c1013bdbbc4592da2f774aef71cd9b7e47b Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Sun, 15 Mar 2026 19:48:08 +1100 Subject: [PATCH 016/178] hosts/hazel: decommission --- flake.nix | 1 - hosts/hazel/default.nix | 95 -------------------------------------- hosts/hazel/filesystem.nix | 53 --------------------- hosts/hazel/fs-decrypt.nix | 0 hosts/hazel/kernel.nix | 10 ---- hosts/hazel/networking.nix | 15 ------ 6 files changed, 174 deletions(-) delete mode 100644 hosts/hazel/default.nix delete mode 100644 hosts/hazel/filesystem.nix delete mode 100644 hosts/hazel/fs-decrypt.nix delete mode 100644 hosts/hazel/kernel.nix delete mode 100644 hosts/hazel/networking.nix diff --git a/flake.nix b/flake.nix index 57befbc..c359c93 100644 --- a/flake.nix +++ b/flake.nix @@ -76,7 +76,6 @@ { nixosConfigurations."anemone" = mkSystem nixpkgs "anemone" "x86_64-linux" []; nixosConfigurations."dandelion" = mkSystem nixpkgs "dandelion" "aarch64-linux" []; - nixosConfigurations."hazel" = mkSystem nixpkgs "hazel" "x86_64-linux" []; nixosConfigurations."hyacinth" = mkSystem nixpkgs "hyacinth" "x86_64-linux" []; packages."x86_64-linux" = diff --git a/hosts/hazel/default.nix b/hosts/hazel/default.nix deleted file mode 100644 index cd568c3..0000000 --- a/hosts/hazel/default.nix +++ /dev/null 
@@ -1,95 +0,0 @@ -{ config, modules, pkgs, ... }: -let - dirs = [ - ["immich" "immich"] - ["nextcloud" "nextcloud"] - ["postgresql" "postgres"] - ["redis-immich" "redis-immich"] - ]; - - rules = builtins.map (d: "d /flower/${builtins.elemAt d 0} 750 ${builtins.elemAt d 1} ${builtins.elemAt d 1}") dirs; - mounts = builtins.listToAttrs (builtins.map (d: { - name = "/var/lib/${builtins.elemAt d 0}"; - value = { - depends = [ "/flower" ]; - device = "/flower/${builtins.elemAt d 0}"; - fsType = "none"; - options = [ "bind" ]; - }; - }) dirs); -in -{ - networking.hostName = "hazel"; - system.stateVersion = "24.11"; - time.timeZone = "Australia/Melbourne"; - - age.secrets = { - acme_dns.file = ../../secrets/acme_dns.age; - wg_hazel.file = ../../secrets/wg_hazel.age; - }; - - imports = with modules.system; with modules.services; [ - home-manager-stable - - base - kernel - nix-stable - packages - security - - nginx - unbound - wireguard - - ./filesystem.nix - ./kernel.nix - ./networking.nix - - ../../users/hana - ]; - - me.environment = "headless"; - - services.nextcloud = { - enable = true; - package = pkgs.nextcloud31; - hostName = "cloud.lava.moe"; - database.createLocally = true; - config = { - dbtype = "pgsql"; - adminpassFile = "/persist/nextcloud-admin-pass"; - }; - https = true; - }; - - services.nginx.virtualHosts.${config.services.nextcloud.hostName} = { - forceSSL = true; - enableACME = true; - }; - - services.immich = { - enable = true; - port = 2283; - }; - - users.users.immich.extraGroups = [ "video" "render" ]; - hardware.graphics.enable = true; - services.nginx.virtualHosts."photos.lava.moe" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://[::1]:${toString config.services.immich.port}"; - proxyWebsockets = true; - recommendedProxySettings = true; - extraConfig = '' - client_max_body_size 50000M; - proxy_read_timeout 600s; - proxy_send_timeout 600s; - send_timeout 600s; - ''; - }; - }; - - systemd.tmpfiles.rules = rules; - 
fileSystems = mounts; -} diff --git a/hosts/hazel/filesystem.nix b/hosts/hazel/filesystem.nix deleted file mode 100644 index 2a60898..0000000 --- a/hosts/hazel/filesystem.nix +++ /dev/null @@ -1,53 +0,0 @@ -{ ... }: -let - mkLabelMount = label: type: options: { - device = "/dev/disk/by-label/${label}"; - fsType = type; - options = [ "defaults" ] ++ options; - }; - mkBtrfsMount = name: ext: subvol: atime: mkLabelMount name "btrfs" - ([ - "autodefrag" - "compress=zstd:4" - "compress-force=zstd:4" - "defaults" - "nossd" - "space_cache=v2" - "subvol=${subvol}" - (if atime then "relatime" else "noatime") - ] ++ ext); - - mkHazelMount = mkBtrfsMount "HAZEL" []; -in -{ - boot.supportedFilesystems = [ "btrfs" ]; - fileSystems = { - "/" = { - device = "rootfs"; - fsType = "tmpfs"; - options = [ "defaults" "mode=755" ]; - }; - "/boot" = mkLabelMount "ROOT" "vfat" []; - - "/flower" = mkHazelMount "/current/flower" true; - "/persist" = mkHazelMount "/current/persist" true; - "/var" = mkHazelMount "/current/var" true; - "/nix" = mkHazelMount "/current/nix" false; - - "/mnt" = mkHazelMount "/" true; - }; - - services.snapper.cleanupInterval = "1h"; - services.snapper.configs.flower = { - FSTYPE = "btrfs"; - SUBVOLUME = "/mnt/current/flower"; - TIMELINE_CLEANUP = true; - TIMELINE_CREATE = true; - TIMELINE_MIN_AGE = "1800"; - TIMELINE_LIMIT_HOURLY = "5"; - TIMELINE_LIMIT_DAILY = "7"; - TIMELINE_LIMIT_WEEKLY = "0"; - TIMELINE_LIMIT_MONTHLY = "0"; - TIMELINE_LIMIT_YEARLY = "0"; - }; -} diff --git a/hosts/hazel/fs-decrypt.nix b/hosts/hazel/fs-decrypt.nix deleted file mode 100644 index e69de29..0000000 diff --git a/hosts/hazel/kernel.nix b/hosts/hazel/kernel.nix deleted file mode 100644 index 20be1ed..0000000 --- a/hosts/hazel/kernel.nix +++ /dev/null 
@@ -1,10 +0,0 @@ -{ ... }: { - boot = { - loader = { - efi.canTouchEfiVariables = true; - systemd-boot.enable = true; - }; - initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; - kernelModules = [ "kvm-amd" ]; - }; -} diff --git a/hosts/hazel/networking.nix b/hosts/hazel/networking.nix deleted file mode 100644 index 42656e4..0000000 --- a/hosts/hazel/networking.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ gcSecrets, ... }: { - networking = { - useDHCP = true; - interfaces.enp8s0.ipv6.addresses = [ - { - address = gcSecrets.hazel.ipv6Addr; - prefixLength = 64; - } - ]; - defaultGateway6 = { - address = "fe80::1"; - interface = "enp8s0"; - }; - }; -} From 1a8e042be5aa94edf28606cae589cd86c9b75b1d Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Sun, 15 Mar 2026 19:48:37 +1100 Subject: [PATCH 017/178] flake: lock --- flake.lock | 39 --------------------------------------- 1 file changed, 39 deletions(-) diff --git a/flake.lock b/flake.lock index 2afebb7..a5f3b81 100644 --- a/flake.lock +++ b/flake.lock @@ -332,27 +332,6 @@ "type": "github" } }, - "home-manager-stable_2": { - "inputs": { - "nixpkgs": [ - "nixpkgs-stable" - ] - }, - "locked": { - "lastModified": 1763992789, - "narHash": "sha256-WHkdBlw6oyxXIra/vQPYLtqY+3G8dUVZM8bEXk0t8x4=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "44831a7eaba4360fb81f2acc5ea6de5fde90aaa3", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "release-25.05", - "repo": "home-manager", - "type": "github" - } - }, "home-manager_2": { "inputs": { "nixpkgs": [ 
@@ -542,22 +521,6 @@ "type": "github" } }, - "nixpkgs-stable_2": { - "locked": { - "lastModified": 1768649915, - "narHash": "sha256-jc21hKogFnxU7KXSVTRmxC7u5D4RHwm9BAvDf5/Z1Uo=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "3e3f3c7f9977dc123c23ee21e8085ed63daf8c37", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "release-25.05", - "repo": "nixpkgs", - "type": "github" - } - }, "nixpkgs_2": { "locked": { "lastModified": 1744536153, @@ -762,12 +725,10 @@ "catppuccin-palette": "catppuccin-palette", "fast-syntax-highlighting": "fast-syntax-highlighting", "home-manager": "home-manager_3", - "home-manager-stable": "home-manager-stable_2", "linux-tkg": "linux-tkg", "neovim-nightly": "neovim-nightly", "nix-gaming": "nix-gaming", "nixpkgs": "nixpkgs_6", - "nixpkgs-stable": "nixpkgs-stable_2", "nvim-treesitter": "nvim-treesitter", "pastel": "pastel", "pure": "pure", From e78c666635e0abbff39f3964da5fd5308abf80a1 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Sun, 15 Mar 2026 19:50:47 +1100 Subject: [PATCH 018/178] system/home-manager-stable: remove --- hosts/dandelion/default.nix | 2 +- modules/default.nix | 1 - modules/system/home-manager-stable.nix | 19 ------------------- 3 files changed, 1 insertion(+), 21 deletions(-) delete mode 100644 modules/system/home-manager-stable.nix diff --git a/hosts/dandelion/default.nix b/hosts/dandelion/default.nix index ee386bf..eefe5db 100644 --- a/hosts/dandelion/default.nix +++ b/hosts/dandelion/default.nix @@ -10,7 +10,7 @@ imports = with modules.system; [ (modulesPath + "/profiles/qemu-guest.nix") - home-manager-stable + home-manager base kernel diff --git a/modules/default.nix b/modules/default.nix index 014a61a..93b3c88 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -41,7 +41,6 @@ in { ./system/greetd.nix ./system/gui.nix ./system/home-manager.nix - ./system/home-manager-stable.nix ./system/input.nix ./system/kernel.nix ./system/nix.nix 
diff --git a/modules/system/home-manager-stable.nix b/modules/system/home-manager-stable.nix deleted file mode 100644 index 43842d7..0000000 --- a/modules/system/home-manager-stable.nix +++ /dev/null @@ -1,19 +0,0 @@ -{ config, inputs, modules, ... }: { - imports = [ - inputs.home-manager-stable.nixosModules.home-manager - ]; - home-manager = { - useGlobalPkgs = true; - useUserPackages = true; - extraSpecialArgs = { - inherit inputs modules; - sysConfig = config; - }; - sharedModules = [ - { - imports = [ modules.options ]; - config.me = config.me; - } - ]; - }; -} From c0679f7e7969fcc76c45e8adbb91802da0d26289 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Sun, 15 Mar 2026 19:53:38 +1100 Subject: [PATCH 019/178] hosts/dandelion: remove postgres not sure why it's still there, hopefully nothing breaks :) --- hosts/dandelion/default.nix | 1 - modules/services/postgres.nix | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/dandelion/default.nix b/hosts/dandelion/default.nix index eefe5db..a3b2e88 100644 --- a/hosts/dandelion/default.nix +++ b/hosts/dandelion/default.nix @@ -21,7 +21,6 @@ modules.services.banksia modules.services.nginx - modules.services.postgres modules.services.unbound modules.services.website diff --git a/modules/services/postgres.nix b/modules/services/postgres.nix index bffdcee..bbbeaa1 100644 --- a/modules/services/postgres.nix +++ b/modules/services/postgres.nix @@ -8,6 +8,7 @@ in { services.postgresql = { enable = true; dataDir = dir; + # TODO: broken :3 package = pkgs.postgresql_13; authentication = lib.mkOverride 10 '' #type database DBuser origin-address auth-method From dfd00aad38db6415981b876715e86558d372f7f4 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Sun, 15 Mar 2026 20:03:07 +1100 Subject: [PATCH 020/178] hosts/dandelion: use new containers --- hosts/anemone/default.nix | 3 --- hosts/dandelion/default.nix | 6 ++++-- 2 files changed, 4 insertions(+), 5 deletions(-) 
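Review bot: The added `# TODO: broken :3` above `package = pkgs.postgresql_13;` records that something is wrong without saying what, so the next reader cannot act on it. PostgreSQL 13 reached end of life in November 2025, which means this pin no longer receives security fixes on top of whatever breakage the comment refers to; if the pending work is the major-version migration, state it: `# TODO: postgresql_13 is EOL (Nov 2025); dump/upgrade the data dir before moving this to a supported major`. The `services.postgresql` attrset continues past the hunk.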
diff --git a/hosts/anemone/default.nix b/hosts/anemone/default.nix index 65e9d43..aa4c81b 100644 --- a/hosts/anemone/default.nix +++ b/hosts/anemone/default.nix @@ -37,9 +37,6 @@ ../../users/rin modules.services.syncthing - - inputs.c-amethyst.nixosModule - inputs.c-beryllium.nixosModule ]; me = { diff --git a/hosts/dandelion/default.nix b/hosts/dandelion/default.nix index a3b2e88..7500d21 100644 --- a/hosts/dandelion/default.nix +++ b/hosts/dandelion/default.nix @@ -1,4 +1,4 @@ -{ modules, modulesPath, ... }: { +{ inputs, modules, modulesPath, ... }: { networking.hostName = "dandelion"; system.stateVersion = "23.11"; time.timeZone = "Australia/Melbourne"; @@ -24,10 +24,12 @@ modules.services.unbound modules.services.website + inputs.c-amethyst.nixosModule + inputs.c-beryllium.nixosModule + ./filesystem.nix ./kernel.nix ./networking.nix - ./transmission-container.nix ../../users/hana ]; From a9e9ae41acfcddfe20930620234e68e63fe9de05 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Sun, 15 Mar 2026 20:52:24 +1100 Subject: [PATCH 021/178] containers/amethyst: expose under local nginx --- containers/amethyst/flake.nix | 5 ++ hosts/dandelion/transmission-container.nix | 68 ---------------------- 2 files changed, 5 insertions(+), 68 deletions(-) delete mode 100644 hosts/dandelion/transmission-container.nix diff --git a/containers/amethyst/flake.nix b/containers/amethyst/flake.nix index a8bbeee..7ee705a 100644 --- a/containers/amethyst/flake.nix +++ b/containers/amethyst/flake.nix @@ -17,6 +17,11 @@ internalInterfaces = [ "ve-+" ]; }; + services.nginx.virtualHosts."amethyst.local.lava.moe" = { + locations."/".proxyPass = "http://10.30.${subnet}.2:9091"; + listenAddresses = [ "10.0.0.0/24" "fd0d::/16" ]; + }; + systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ]; containers.${name} = { autoStart = true; diff --git a/hosts/dandelion/transmission-container.nix b/hosts/dandelion/transmission-container.nix deleted file mode 100644 index e3ee5ae..0000000 
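Review bot: `listenAddresses = [ "10.0.0.0/24" "fd0d::/16" ];` in the new `amethyst.local.lava.moe` vhost passes CIDR prefixes where the nginx `listen` directive expects a concrete address, so this generates a config nginx will reject; the host's own addresses on those networks are what belongs there, e.g. `listenAddresses = [ "10.0.0.1" "[fd0d::1]" ];`. The vhost also fronts Transmission's RPC port 9091 over plain HTTP, and the `hosts/dandelion/transmission-container.nix` removed by this same commit is where `rpc-username`/`rpc-password` and the `rpc-whitelist` lived; the container's own configuration is not in this patch, so confirm that RPC authentication is still enforced behind the proxy. The `nixosModule` attrset this hunk edits starts and ends outside the hunk.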
--- a/hosts/dandelion/transmission-container.nix +++ /dev/null 
@@ -1,68 +0,0 @@ -{ lib, modules, pkgs, gcSecrets, ... }: { - networking.nat = { - enable = true; - internalInterfaces = [ "ve-+" ]; - externalInterface = "enp0s6"; - }; - - networking.firewall = { - extraCommands = '' - ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -d 10.25.0.11 -p tcp -m tcp --dport 9091 -j MASQUERADE - ''; - extraStopCommands = '' - ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -d 10.25.0.11 -p tcp -m tcp --dport 9091 -j MASQUERADE || true - ''; - }; - - services.nginx.virtualHosts."tr.dandelion.gw.lava.moe" = { - locations."/".proxyPass = "http://10.25.0.11:9091"; - }; - - containers.transmission = { - autoStart = true; - privateNetwork = true; - hostAddress = "10.25.0.10"; - localAddress = "10.25.0.11"; - bindMounts."vpn" = { - hostPath = "/persist/aus.conf"; - mountPoint = "/vpn.conf"; - isReadOnly = true; - }; - bindMounts."transmission" = { - hostPath = "/persist/transmission"; - mountPoint = "/persist/transmission"; - isReadOnly = false; - }; - config = { - system.stateVersion = "23.11"; - networking.wg-quick.interfaces.wg0 = { - configFile = "/vpn.conf"; - preUp = '' - # Try to access the DNS for up to 300s - for i in {1..60}; do - ${pkgs.iputils}/bin/ping -c1 'google.com' && break - echo "Attempt $i: DNS still not available" - sleep 5s - done - ''; - }; - - networking.firewall.enable = false; - # https://github.com/NixOS/nixpkgs/issues/258793 - systemd.services.transmission.serviceConfig = { - BindReadOnlyPaths = lib.mkForce [ builtins.storeDir "/etc" ]; - RootDirectoryStartOnly = lib.mkForce false; - RootDirectory = lib.mkForce ""; - PrivateMounts = lib.mkForce false; - PrivateUsers = lib.mkForce false; - }; - imports = [ modules.services.transmission ]; - services.transmission.settings = { - rpc-host-whitelist-enabled = false; - rpc-whitelist = lib.mkForce "10.100.0.*,10.0.0.*,10.25.0.*,192.168.100.*"; - rpc-username = gcSecrets.transmission.username; - rpc-password = gcSecrets.transmission.password; - }; - }; - }; -} 
From 54fd3373d02adec4834dd0f9776d78bb36d2ca34 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Sun, 15 Mar 2026 20:53:08 +1100 Subject: [PATCH 022/178] system/nix-stable: enable nh --- modules/system/nix-stable.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/system/nix-stable.nix b/modules/system/nix-stable.nix index a88612a..fcd1662 100644 --- a/modules/system/nix-stable.nix +++ b/modules/system/nix-stable.nix @@ -17,4 +17,5 @@ ''; }; nixpkgs.config.allowUnfree = true; + programs.nh.enable = true; } From 2f4cbd382c4436ffe06afbad8f671fdbc226fdab Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Sun, 15 Mar 2026 21:06:20 +1100 Subject: [PATCH 023/178] user/comma: init --- flake.lock | 21 +++++++++++++++++++++ flake.nix | 2 ++ modules/default.nix | 1 + modules/system/packages.nix | 1 - modules/user/comma.nix | 7 +++++++ modules/user/zsh.nix | 1 - users/hana/default.nix | 1 + users/rin/default.nix | 1 + 8 files changed, 33 insertions(+), 2 deletions(-) create mode 100644 modules/user/comma.nix diff --git a/flake.lock b/flake.lock index a5f3b81..3099d30 100644 --- a/flake.lock +++ b/flake.lock @@ -474,6 +474,26 @@ "type": "github" } }, + "nix-index-database": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1773552174, + "narHash": "sha256-mHSRNrT1rjeYBgkAlj07dW3+1nFEgAd8Gu6lgyfT9DU=", + "owner": "nix-community", + "repo": "nix-index-database", + "rev": "8faeb68130df077450451b6734a221ba0d6cde42", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nix-index-database", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1764242076, @@ -728,6 +748,7 @@ "linux-tkg": "linux-tkg", "neovim-nightly": "neovim-nightly", "nix-gaming": "nix-gaming", + "nix-index-database": "nix-index-database", "nixpkgs": "nixpkgs_6", "nvim-treesitter": "nvim-treesitter", "pastel": "pastel", diff --git a/flake.nix b/flake.nix index c359c93..407c4fa 100644 --- a/flake.nix +++ b/flake.nix 
@@ -14,6 +14,8 @@ neovim-nightly.inputs.nixpkgs.follows = "nixpkgs"; nix-gaming.url = "github:fufexan/nix-gaming"; + nix-index-database.url = "github:nix-community/nix-index-database"; + nix-index-database.inputs.nixpkgs.follows = "nixpkgs"; spicetify-nix.url = "github:Gerg-L/spicetify-nix"; spicetify-nix.inputs.nixpkgs.follows = "nixpkgs"; diff --git a/modules/default.nix b/modules/default.nix index 93b3c88..f47d4ee 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -54,6 +54,7 @@ in { ]; user = mkAttrsFromPaths [ ./user/catppuccin.nix + ./user/comma.nix ./user/direnv.nix ./user/dunst.nix ./user/eww.nix diff --git a/modules/system/packages.nix b/modules/system/packages.nix index 8670e6e..afeef4e 100644 --- a/modules/system/packages.nix +++ b/modules/system/packages.nix @@ -1,7 +1,6 @@ { pkgs, ... }: { imports = [ ./packages-gui.nix ]; environment.systemPackages = with pkgs; [ - comma # ecryptfs efibootmgr fd diff --git a/modules/user/comma.nix b/modules/user/comma.nix new file mode 100644 index 0000000..5ae7f03 --- /dev/null +++ b/modules/user/comma.nix @@ -0,0 +1,7 @@ +{ inputs, ... }: { + imports = [ + inputs.nix-index-database.homeModules.default + ]; + programs.nix-index.enable = true; + programs.nix-index-database.comma.enable = true; +} diff --git a/modules/user/zsh.nix b/modules/user/zsh.nix index 6e8db74..1eb736c 100644 --- a/modules/user/zsh.nix +++ b/modules/user/zsh.nix @@ -102,7 +102,6 @@ let bindkey -a -r ':' ''; in { - programs.command-not-found.enable = true; programs.zsh = { enable = true; dotDir = "${config.xdg.configHome}/zsh"; diff --git a/users/hana/default.nix b/users/hana/default.nix index ed7a464..da2022a 100644 --- a/users/hana/default.nix +++ b/users/hana/default.nix @@ -21,6 +21,7 @@ }; imports = with modules.user; [ + comma direnv git neovim-minimal diff --git a/users/rin/default.nix b/users/rin/default.nix index 91166ed..a70d716 100644 --- a/users/rin/default.nix +++ b/users/rin/default.nix 
@@ -21,6 +21,7 @@ sessionVariables catppuccin + comma direnv git gpg From e0f148251199d8168f15e52f0fa28c3e29f0391c Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Sun, 15 Mar 2026 21:17:35 +1100 Subject: [PATCH 024/178] containers/amethyst: fix nginx listen address --- containers/amethyst/flake.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/containers/amethyst/flake.nix b/containers/amethyst/flake.nix index 7ee705a..b332f23 100644 --- a/containers/amethyst/flake.nix +++ b/containers/amethyst/flake.nix @@ -19,7 +19,7 @@ services.nginx.virtualHosts."amethyst.local.lava.moe" = { locations."/".proxyPass = "http://10.30.${subnet}.2:9091"; - listenAddresses = [ "10.0.0.0/24" "fd0d::/16" ]; + listenAddresses = [ "10.0.0.1" "fd0d::1" ]; }; systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ]; From 42eeba3a9fb8a2dc0cb25aaa2e00694c1b9461c9 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Sun, 15 Mar 2026 21:18:24 +1100 Subject: [PATCH 025/178] system/nix-stable: use latest nix --- modules/system/nix-stable.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/modules/system/nix-stable.nix b/modules/system/nix-stable.nix index fcd1662..1884c04 100644 --- a/modules/system/nix-stable.nix +++ b/modules/system/nix-stable.nix @@ -1,5 +1,7 @@ { config, lib, pkgs, ... }: { nix = { + package = pkgs.nixVersions.latest; + settings = rec { substituters = [ "https://cache.nixos.org?priority=10" From f8d4e05080b510ada8685427c82df603ff4f9227 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Sun, 15 Mar 2026 21:31:54 +1100 Subject: [PATCH 026/178] containers/amethyst: fix nginx ipv6 listenaddr --- containers/amethyst/flake.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/containers/amethyst/flake.nix b/containers/amethyst/flake.nix index b332f23..8bea1ff 100644 --- a/containers/amethyst/flake.nix +++ b/containers/amethyst/flake.nix 
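Review bot: `package = pkgs.nixVersions.latest;` in a module named nix-stable makes the Nix binary track whichever release nixpkgs currently labels latest, which moves on every nixpkgs bump and is presumably not what "stable" was meant to convey. If a specific newer feature is needed, say so next to the line, e.g. `package = pkgs.nixVersions.latest; # needed for <feature — TODO fill in>; drop once nixVersions.stable has it`, otherwise `pkgs.nixVersions.stable` is the safer default. The `nix` attrset continues outside the hunk.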
@@ -19,7 +19,7 @@ services.nginx.virtualHosts."amethyst.local.lava.moe" = { locations."/".proxyPass = "http://10.30.${subnet}.2:9091"; - listenAddresses = [ "10.0.0.1" "fd0d::1" ]; + listenAddresses = [ "10.0.0.1" "[fd0d::1]" ]; }; systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ]; From d4768ea7bfc4bc7d40e4d11a7b51b935aa9e0547 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Sun, 15 Mar 2026 21:34:04 +1100 Subject: [PATCH 027/178] users/hana: add nh flake path --- users/hana/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/users/hana/default.nix b/users/hana/default.nix index da2022a..69558ea 100644 --- a/users/hana/default.nix +++ b/users/hana/default.nix @@ -1,4 +1,5 @@ { config, lib, modules, pkgs, ... }: { + programs.nh.flake = "/persist/hana/flakes"; programs.zsh.enable = true; users.users.hana = { isNormalUser = true; From 2a4a4c5d47d787fa79990ccf9b3b23deb7743f9a Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Sun, 15 Mar 2026 21:38:10 +1100 Subject: [PATCH 028/178] containers/amethyst: enable ssl --- containers/amethyst/flake.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/containers/amethyst/flake.nix b/containers/amethyst/flake.nix index 8bea1ff..23d3ab6 100644 --- a/containers/amethyst/flake.nix +++ b/containers/amethyst/flake.nix @@ -18,6 +18,8 @@ }; services.nginx.virtualHosts."amethyst.local.lava.moe" = { + useACMEHost = "lava.moe"; + forceSSL = true; locations."/".proxyPass = "http://10.30.${subnet}.2:9091"; listenAddresses = [ "10.0.0.1" "[fd0d::1]" ]; }; From 52a3e8557e70d4cbc27550bfff15409be69f3753 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Sun, 15 Mar 2026 22:27:47 +1100 Subject: [PATCH 029/178] containers/amethyst: use ipv6 for proxy --- containers/amethyst/flake.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/containers/amethyst/flake.nix b/containers/amethyst/flake.nix index 23d3ab6..ff70120 100644 --- a/containers/amethyst/flake.nix +++ b/containers/amethyst/flake.nix 
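Review bot: `useACMEHost = "lava.moe";` on `amethyst.local.lava.moe` only produces a matching certificate if the lava.moe ACME entry lists `*.local.lava.moe` (or this exact name) among its extra domain names; a wildcard covers a single label, so a plain `*.lava.moe` certificate would give clients a name mismatch on this two-label subdomain. The ACME configuration is not part of this patch, so confirm it, or pick a single-label name under lava.moe as the beryllium vhost later does. The enclosing `nixosModule` attrset starts and ends outside the hunk.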
@@ -20,7 +20,7 @@ services.nginx.virtualHosts."amethyst.local.lava.moe" = { useACMEHost = "lava.moe"; forceSSL = true; - locations."/".proxyPass = "http://10.30.${subnet}.2:9091"; + locations."/".proxyPass = "http://[fd0d:1::${subnet}:2]:9091"; listenAddresses = [ "10.0.0.1" "[fd0d::1]" ]; }; From c42fdb7940de4a319c09a1651ab179b2a237a77c Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Sun, 15 Mar 2026 22:33:23 +1100 Subject: [PATCH 030/178] containers/beryllium: add nginx configuration --- containers/beryllium/configuration.nix | 2 ++ containers/beryllium/flake.nix | 7 +++++++ 2 files changed, 9 insertions(+) diff --git a/containers/beryllium/configuration.nix b/containers/beryllium/configuration.nix index d877f3b..057ae8f 100644 --- a/containers/beryllium/configuration.nix +++ b/containers/beryllium/configuration.nix @@ -9,6 +9,8 @@ services.matrix-continuwuity = { enable = true; settings.global = { + # TODO: link this with outer container's address + address = [ "fd0d:1::2:2" ]; server_name = "lava.moe"; }; }; diff --git a/containers/beryllium/flake.nix b/containers/beryllium/flake.nix index af3d7aa..4e7cb5b 100644 --- a/containers/beryllium/flake.nix +++ b/containers/beryllium/flake.nix @@ -17,6 +17,13 @@ internalInterfaces = [ "ve-+" ]; }; + services.nginx.virtualHosts."beryllium.lava.moe" = { + useACMEHost = "lava.moe"; + forceSSL = true; + locations."/".proxyPass = "http://[fd0d:1::${subnet}:2]:6167"; + listenAddresses = [ "10.0.0.1" "[fd0d::1]" ]; + }; + systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ]; containers.${name} = { autoStart = true; From 16703bade1f45d09b21e96c3e4e608eea81555a6 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Sun, 15 Mar 2026 22:38:53 +1100 Subject: [PATCH 031/178] containers/beryllium: open firewall --- containers/beryllium/configuration.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/containers/beryllium/configuration.nix b/containers/beryllium/configuration.nix index 057ae8f..752b5a3 100644 
--- a/containers/beryllium/configuration.nix +++ b/containers/beryllium/configuration.nix @@ -5,6 +5,8 @@ fsType = "none"; options = [ "bind" ]; }; + networking.firewall.allowedTCPPorts = [ 6167 ]; + networking.firewall.allowedUDPPorts = [ 6167 ]; services.matrix-continuwuity = { enable = true; From 1486058b905f0967dd13783177f538a11ee5387a Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Sun, 15 Mar 2026 22:48:04 +1100 Subject: [PATCH 032/178] containers/beryllium: configure proper delegation --- containers/beryllium/flake.nix | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/containers/beryllium/flake.nix b/containers/beryllium/flake.nix index 4e7cb5b..e1799ac 100644 --- a/containers/beryllium/flake.nix +++ b/containers/beryllium/flake.nix 
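Review bot: `networking.firewall.allowedUDPPorts = [ 6167 ];` opens a port nothing in this file listens on: the homeserver on 6167 is reverse-proxied over HTTP, which is TCP only, and no UDP listener is configured here. Keep `networking.firewall.allowedTCPPorts = [ 6167 ];` and drop the UDP line so the container's exposure matches what it actually serves. The surrounding module attrset continues beyond the hunk.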
@@ -20,10 +20,36 @@ services.nginx.virtualHosts."beryllium.lava.moe" = { useACMEHost = "lava.moe"; forceSSL = true; + # locations."/".extraConfig = "return 302 'https://lava.moe'"; locations."/".proxyPass = "http://[fd0d:1::${subnet}:2]:6167"; + # locations."/_matrix".proxyPass = "http://[::1]:8008"; + locations."/_matrix".proxyPass = "http://[fd0d:1::${subnet}:2]:6167"; + locations."/_conduwuit".proxyPass = "http://[fd0d:1::${subnet}:2]:6167"; + locations."/_continuwuity".proxyPass = "http://[fd0d:1::${subnet}:2]:6167"; listenAddresses = [ "10.0.0.1" "[fd0d::1]" ]; }; + services.nginx.virtualHosts."lava.moe" = { + locations."= /.well-known/matrix/server".extraConfig = + let + server = { "m.server" = "beryllium.lava.moe:443"; }; + in '' + add_header Content-Type application/json; + return 200 '${builtins.toJSON server}'; + ''; + locations."= /.well-known/matrix/client".extraConfig = + let + client = { + "m.homeserver" = { "base_url" = "https://beryllium.lava.moe"; }; + # "m.identity_server" = { "base_url" = "https://vector.im"; }; + }; + in '' + add_header Content-Type application/json; + add_header Access-Control-Allow-Origin *; + return 200 '${builtins.toJSON client}'; + ''; + }; + systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ]; containers.${name} = { autoStart = true; From d02d1dbb337da59d182f444ec33593b7ff490864 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Sun, 15 Mar 2026 22:54:24 +1100 Subject: [PATCH 033/178] containers/beryllium: listen on all addresses --- containers/beryllium/flake.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/containers/beryllium/flake.nix b/containers/beryllium/flake.nix index e1799ac..8dfa150 100644 --- a/containers/beryllium/flake.nix +++ b/containers/beryllium/flake.nix 
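Review bot: `add_header Content-Type application/json;` inside a `return 200` location does not replace the type nginx assigns to a `return` body from `default_type`, so both well-known responses may go out with two Content-Type headers and a client that reads the first sees text/plain; use `default_type application/json;` in those two locations instead of the add_header line. Media uploads through the new `/_matrix` location are also capped by nginx's `client_max_body_size` (the NixOS module defaults it to 10m) unless that location raises it to match the homeserver's limit. The commented-out `locations."/".extraConfig` and `[::1]:8008` lines are dead config and should go rather than live on as comments, and the three identical `proxyPass` values could be generated from one list with `lib.genAttrs`. The `nixosModule` attrset starts and ends outside the hunk.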
@@ -26,7 +26,6 @@ locations."/_matrix".proxyPass = "http://[fd0d:1::${subnet}:2]:6167"; locations."/_conduwuit".proxyPass = "http://[fd0d:1::${subnet}:2]:6167"; locations."/_continuwuity".proxyPass = "http://[fd0d:1::${subnet}:2]:6167"; - listenAddresses = [ "10.0.0.1" "[fd0d::1]" ]; }; services.nginx.virtualHosts."lava.moe" = { From a2337566da87cbc78d84fa3625f49203528a9e3d Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Sun, 15 Mar 2026 22:57:49 +1100 Subject: [PATCH 034/178] containers/beryllium: redirect root to website --- containers/beryllium/flake.nix | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/containers/beryllium/flake.nix b/containers/beryllium/flake.nix index 8dfa150..f857406 100644 --- a/containers/beryllium/flake.nix +++ b/containers/beryllium/flake.nix @@ -20,9 +20,7 @@ services.nginx.virtualHosts."beryllium.lava.moe" = { useACMEHost = "lava.moe"; forceSSL = true; - # locations."/".extraConfig = "return 302 'https://lava.moe'"; - locations."/".proxyPass = "http://[fd0d:1::${subnet}:2]:6167"; - # locations."/_matrix".proxyPass = "http://[::1]:8008"; + locations."/".extraConfig = "return 302 'https://lava.moe'"; locations."/_matrix".proxyPass = "http://[fd0d:1::${subnet}:2]:6167"; locations."/_conduwuit".proxyPass = "http://[fd0d:1::${subnet}:2]:6167"; locations."/_continuwuity".proxyPass = "http://[fd0d:1::${subnet}:2]:6167"; From 3bbaf8785c2477fe697936290c0a7a526918bf45 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Sun, 15 Mar 2026 23:01:21 +1100 Subject: [PATCH 035/178] containers/beryllium: add missing semicolon --- containers/beryllium/flake.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/containers/beryllium/flake.nix b/containers/beryllium/flake.nix index f857406..46d3428 100644 --- a/containers/beryllium/flake.nix +++ b/containers/beryllium/flake.nix 
@@ -20,7 +20,7 @@ services.nginx.virtualHosts."beryllium.lava.moe" = { useACMEHost = "lava.moe"; forceSSL = true; - locations."/".extraConfig = "return 302 'https://lava.moe'"; + locations."/".extraConfig = "return 302 'https://lava.moe';"; locations."/_matrix".proxyPass = "http://[fd0d:1::${subnet}:2]:6167"; locations."/_conduwuit".proxyPass = "http://[fd0d:1::${subnet}:2]:6167"; locations."/_continuwuity".proxyPass = "http://[fd0d:1::${subnet}:2]:6167"; From a06d0d86fc61bafbac8f99a8425a8b705b1cd5ab Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Sun, 15 Mar 2026 23:23:16 +1100 Subject: [PATCH 036/178] containers/beryllium: properly set dns resolver --- containers/beryllium/configuration.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/containers/beryllium/configuration.nix b/containers/beryllium/configuration.nix index 752b5a3..8c01248 100644 --- a/containers/beryllium/configuration.nix +++ b/containers/beryllium/configuration.nix @@ -7,6 +7,8 @@ }; networking.firewall.allowedTCPPorts = [ 6167 ]; networking.firewall.allowedUDPPorts = [ 6167 ]; + # TODO: this should be generically set + networking.nameservers = [ "fd0d:1::2:1" ]; services.matrix-continuwuity = { enable = true; From a2f82bc7d5b521ab8a5719ea1dc2fc0349909401 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Sun, 15 Mar 2026 23:31:20 +1100 Subject: [PATCH 037/178] containers/beryllium: don't use host resolvconf --- containers/beryllium/configuration.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/containers/beryllium/configuration.nix b/containers/beryllium/configuration.nix index 8c01248..07740d2 100644 --- a/containers/beryllium/configuration.nix +++ b/containers/beryllium/configuration.nix @@ -8,6 +8,7 @@ networking.firewall.allowedTCPPorts = [ 6167 ]; networking.firewall.allowedUDPPorts = [ 6167 ]; # TODO: this should be generically set + networking.useHostResolvConf = false; networking.nameservers = [ "fd0d:1::2:1" ]; services.matrix-continuwuity = { 
From 5722249dd2046398bd0657748016d09f46fb92ab Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Sun, 15 Mar 2026 23:34:58 +1100 Subject: [PATCH 038/178] services/unbound: open firewall for dns from containers --- modules/services/unbound.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/services/unbound.nix b/modules/services/unbound.nix index e6ec4ad..349f9e8 100644 --- a/modules/services/unbound.nix +++ b/modules/services/unbound.nix @@ -7,6 +7,10 @@ let grep '^0\.0\.0\.0' "${inputs.stevenblack-hosts}/hosts" | awk '{print "local-zone: \""$2"\" always_refuse"}' | tail -n +2 >> "$out" ''; in { + networking.firewall.interfaces."ve-+" = { + allowedUDPPorts = [ 53 853 ]; + allowedTCPPorts = [ 53 853 ]; + }; networking.firewall.interfaces.wg0 = { allowedUDPPorts = [ 53 853 ]; allowedTCPPorts = [ 53 853 ]; From 249942280d9ac010633eb110a42f21412487c9f0 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Mon, 16 Mar 2026 00:45:05 +1100 Subject: [PATCH 039/178] containers: don't use wildcard nat interfaces --- containers/amethyst/flake.nix | 4 ++-- containers/beryllium/flake.nix | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/containers/amethyst/flake.nix b/containers/amethyst/flake.nix index ff70120..4865e29 100644 --- a/containers/amethyst/flake.nix +++ b/containers/amethyst/flake.nix @@ -14,10 +14,10 @@ networking.nat = { enable = true; enableIPv6 = true; - internalInterfaces = [ "ve-+" ]; + internalInterfaces = [ "ve-${name}" ]; }; - services.nginx.virtualHosts."amethyst.local.lava.moe" = { + services.nginx.virtualHosts."${name}.local.lava.moe" = { useACMEHost = "lava.moe"; forceSSL = true; locations."/".proxyPass = "http://[fd0d:1::${subnet}:2]:9091"; diff --git a/containers/beryllium/flake.nix b/containers/beryllium/flake.nix index 46d3428..adab4f0 100644 --- a/containers/beryllium/flake.nix +++ b/containers/beryllium/flake.nix 
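Review bot: Opening 53/853 on `ve-+` lets container queries reach the host, but unbound only answers them if its `access-control` also permits the container address ranges the container flakes use (`10.30.<subnet>.0/24` and `fd0d:1::<subnet>:0/112` style) and it binds an address on those interfaces; neither setting is in this hunk, so confirm them in the unbound config, otherwise the firewall accepts the packets and unbound refuses them. If unbound is not serving DNS-over-TLS to the containers, 853 can stay closed on this interface. The module attrset continues outside the hunk.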
@@ -14,10 +14,10 @@ networking.nat = { enable = true; enableIPv6 = true; - internalInterfaces = [ "ve-+" ]; + internalInterfaces = [ "ve-${name}" ]; }; - services.nginx.virtualHosts."beryllium.lava.moe" = { + services.nginx.virtualHosts."${name}.lava.moe" = { useACMEHost = "lava.moe"; forceSSL = true; locations."/".extraConfig = "return 302 'https://lava.moe';"; From 36f214f2a464ec16395893a06cae66cb6e57128d Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Mon, 16 Mar 2026 00:48:51 +1100 Subject: [PATCH 040/178] containers/citrine: init --- containers/citrine/configuration.nix | 19 +++++++++++ containers/citrine/flake.lock | 27 ++++++++++++++++ containers/citrine/flake.nix | 48 ++++++++++++++++++++++++++++ flake.lock | 41 +++++++++++++++++++++--- flake.nix | 1 + hosts/anemone/default.nix | 2 ++ 6 files changed, 133 insertions(+), 5 deletions(-) create mode 100644 containers/citrine/configuration.nix create mode 100644 containers/citrine/flake.lock create mode 100644 containers/citrine/flake.nix diff --git a/containers/citrine/configuration.nix b/containers/citrine/configuration.nix new file mode 100644 index 0000000..90cdb0d --- /dev/null +++ b/containers/citrine/configuration.nix @@ -0,0 +1,19 @@ +{ ... }: { + system.stateVersion = "25.11"; + networking.firewall.allowedTCPPorts = [ 3000 ]; + networking.firewall.allowedUDPPorts = [ 3000 ]; + + services.forgejo = { + enable = true; + lfs.enable = true; + settings = { + server = { + DOMAIN = "garden.lava.moe"; + ROOT_URL = "https://garden.lava.moe/"; + HTTP_PORT = 3000; + }; + service.DISABLE_REGISTRATION = false; + }; + stateDir = "/persist/forgejo"; + }; +} diff --git a/containers/citrine/flake.lock b/containers/citrine/flake.lock new file mode 100644 index 0000000..88ab73f --- /dev/null +++ b/containers/citrine/flake.lock 
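Review bot: Templating the vhost as `"${name}.lava.moe"` while the `.well-known/matrix/server` and client `base_url` values further down this file (outside the hunk) still hard-code `beryllium.lava.moe` means a change of `name` would silently break Matrix delegation. Bind the name once in the `let`, `fqdn = "${name}.lava.moe";`, and use it for the vhost, `"m.server" = "${fqdn}:443";` and `base_url = "https://${fqdn}";`. The `nixosModule` attrset starts and ends outside the hunk.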
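Review bot: `service.DISABLE_REGISTRATION = false;` leaves self-service sign-up open on a Forgejo instance that `garden.lava.moe` exposes publicly over TLS, which on a personal forge mostly collects spam accounts and gives strangers a place to push repositories and open issues. Create the admin account first, then flip it to `service.DISABLE_REGISTRATION = true;`, or leave a comment stating that open registration is intended. `networking.firewall.allowedUDPPorts = [ 3000 ];` has the same problem raised on the beryllium firewall hunk: `HTTP_PORT = 3000` is TCP only, so the UDP rule opens nothing useful.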
@@ -0,0 +1,27 @@ +{ + "nodes": { + "nixpkgs": { + "locked": { + "lastModified": 1773282481, + "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "nixpkgs": "nixpkgs" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/containers/citrine/flake.nix b/containers/citrine/flake.nix new file mode 100644 index 0000000..bd6ccdf --- /dev/null +++ b/containers/citrine/flake.nix @@ -0,0 +1,48 @@ +{ + inputs = { + nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; + }; + outputs = { nixpkgs, ... }: { + nixosConfigurations.container = nixpkgs.lib.nixosSystem { + modules = [ ./configuration.nix ]; + }; + nixosModule = { ... }: + let + name = "citrine"; + subnet = "3"; + in { + # networking.nat = { + # enable = true; + # enableIPv6 = true; + # internalInterfaces = [ "ve-${name}" ]; + # }; + + services.nginx.virtualHosts."garden.lava.moe" = { + useACMEHost = "lava.moe"; + forceSSL = true; + locations."/".proxyPass = "http://[fd0d:1::${subnet}:2]:3000"; + }; + + systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ]; + containers.${name} = { + autoStart = true; + privateNetwork = true; + hostAddress = "10.30.${subnet}.1"; + localAddress = "10.30.${subnet}.2"; + hostAddress6 = "fd0d:1::${subnet}:1"; + localAddress6 = "fd0d:1::${subnet}:2"; + # privateUsers = "pick"; + nixpkgs = nixpkgs; + ephemeral = true; + config = { imports = [ ./configuration.nix ]; }; + + bindMounts."persist" = { + hostPath = "/persist/containers/${name}"; + mountPoint = "/persist"; + isReadOnly = false; + }; + # flake = "path:" + ./.; + }; + }; + }; +} diff --git a/flake.lock b/flake.lock index 3099d30..cd62ccb 100644 --- a/flake.lock +++ b/flake.lock 
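Review bot: With `# privateUsers = "pick";` left commented out, the container runs in the host's user namespace, so root inside citrine is host root over the read-write bind mount of `/persist/containers/citrine`; if Forgejo's state directory works under the id-mapped mount this should be `privateUsers = "pick";`, and if it cannot be enabled a comment saying why would stop the next reader from assuming it was forgotten. The tmpfiles rule `d /persist/containers/${name} 755 root users` makes the container's persistent state traversable by every host account; `d /persist/containers/${name} 0750 root root` is sufficient since the container itself is what reads it. Presumably LFS pushes larger than nginx's body-size limit will also fail through `locations."/".proxyPass` unless `clientMaxBodySize` is raised elsewhere — worth confirming.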
@@ -71,6 +71,20 @@ }, "parent": [] }, + "c-citrine": { + "inputs": { + "nixpkgs": "nixpkgs_5" + }, + "locked": { + "path": "./containers/citrine", + "type": "path" + }, + "original": { + "path": "./containers/citrine", + "type": "path" + }, + "parent": [] + }, "catppuccin": { "inputs": { "catppuccin-v1_1": "catppuccin-v1_1", @@ -458,7 +472,7 @@ "nix-gaming": { "inputs": { "flake-parts": "flake-parts_2", - "nixpkgs": "nixpkgs_5" + "nixpkgs": "nixpkgs_6" }, "locked": { "lastModified": 1770778188, @@ -590,6 +604,22 @@ } }, "nixpkgs_5": { + "locked": { + "lastModified": 1773282481, + "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_6": { "locked": { "lastModified": 1770537093, "narHash": "sha256-pF1quXG5wsgtyuPOHcLfYg/ft/QMr8NnX0i6tW2187s=", @@ -605,7 +635,7 @@ "type": "github" } }, - "nixpkgs_6": { + "nixpkgs_7": { "locked": { "lastModified": 1770562336, "narHash": "sha256-ub1gpAONMFsT/GU2hV6ZWJjur8rJ6kKxdm9IlCT0j84=", @@ -621,7 +651,7 @@ "type": "github" } }, - "nixpkgs_7": { + "nixpkgs_8": { "locked": { "lastModified": 1770019141, "narHash": "sha256-VKS4ZLNx4PNrABoB0L8KUpc1fE7CLpQXQs985tGfaCU=", @@ -679,7 +709,7 @@ "pastel": { "inputs": { "flake-utils": "flake-utils_2", - "nixpkgs": "nixpkgs_7", + "nixpkgs": "nixpkgs_8", "pnpm2nix": "pnpm2nix" }, "locked": { @@ -741,6 +771,7 @@ "agenix": "agenix", "c-amethyst": "c-amethyst", "c-beryllium": "c-beryllium", + "c-citrine": "c-citrine", "catppuccin": "catppuccin", "catppuccin-palette": "catppuccin-palette", "fast-syntax-highlighting": "fast-syntax-highlighting", 
@@ -749,7 +780,7 @@ "neovim-nightly": "neovim-nightly", "nix-gaming": "nix-gaming", "nix-index-database": "nix-index-database", - "nixpkgs": "nixpkgs_6", + "nixpkgs": "nixpkgs_7", "nvim-treesitter": "nvim-treesitter", "pastel": "pastel", "pure": "pure", diff --git a/flake.nix b/flake.nix index 407c4fa..f8866db 100644 --- a/flake.nix +++ b/flake.nix @@ -40,6 +40,7 @@ # containers c-amethyst.url = "path:./containers/amethyst"; c-beryllium.url = "path:./containers/beryllium"; + c-citrine.url = "path:./containers/citrine"; }; outputs = { self, agenix, catppuccin, nixpkgs, ... } @ inputs: diff --git a/hosts/anemone/default.nix b/hosts/anemone/default.nix index aa4c81b..367e975 100644 --- a/hosts/anemone/default.nix +++ b/hosts/anemone/default.nix @@ -37,6 +37,8 @@ ../../users/rin modules.services.syncthing + + inputs.c-citrine.nixosModule ]; me = { From 18c6cb6773947ef80f23d2dbb42fe282bb8d0823 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Mon, 16 Mar 2026 01:02:28 +1100 Subject: [PATCH 041/178] containers/citrine: add cli to packages --- containers/citrine/configuration.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/containers/citrine/configuration.nix b/containers/citrine/configuration.nix index 90cdb0d..35d4e8b 100644 --- a/containers/citrine/configuration.nix +++ b/containers/citrine/configuration.nix @@ -1,4 +1,4 @@ -{ ... }: { +{ config, ... }: { system.stateVersion = "25.11"; networking.firewall.allowedTCPPorts = [ 3000 ]; networking.firewall.allowedUDPPorts = [ 3000 ]; @@ -16,4 +16,6 @@ }; stateDir = "/persist/forgejo"; }; + + environment.systemPackages = [ config.services.forgejo.package ]; } From fd3e877d3d5093bac8244c195c15ff246553d830 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Mon, 16 Mar 2026 01:12:40 +1100 Subject: [PATCH 042/178] containers/citrine: simplify networking --- containers/citrine/flake.nix | 8 -------- 1 file changed, 8 deletions(-) 
diff --git a/containers/citrine/flake.nix b/containers/citrine/flake.nix index bd6ccdf..bb4c1f4 100644 --- a/containers/citrine/flake.nix +++ b/containers/citrine/flake.nix @@ -11,12 +11,6 @@ name = "citrine"; subnet = "3"; in { - # networking.nat = { - # enable = true; - # enableIPv6 = true; - # internalInterfaces = [ "ve-${name}" ]; - # }; - services.nginx.virtualHosts."garden.lava.moe" = { useACMEHost = "lava.moe"; forceSSL = true; @@ -27,8 +21,6 @@ containers.${name} = { autoStart = true; privateNetwork = true; - hostAddress = "10.30.${subnet}.1"; - localAddress = "10.30.${subnet}.2"; hostAddress6 = "fd0d:1::${subnet}:1"; localAddress6 = "fd0d:1::${subnet}:2"; # privateUsers = "pick"; From 2a27838974be5a23f399a37d0d9a529da9e88237 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Mon, 16 Mar 2026 01:13:36 +1100 Subject: [PATCH 043/178] hosts/dandelion: move citrine from anemone --- hosts/anemone/default.nix | 2 -- hosts/dandelion/default.nix | 1 + 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/hosts/anemone/default.nix b/hosts/anemone/default.nix index 367e975..aa4c81b 100644 --- a/hosts/anemone/default.nix +++ b/hosts/anemone/default.nix @@ -37,8 +37,6 @@ ../../users/rin modules.services.syncthing - - inputs.c-citrine.nixosModule ]; me = { diff --git a/hosts/dandelion/default.nix b/hosts/dandelion/default.nix index 7500d21..3f87d87 100644 --- a/hosts/dandelion/default.nix +++ b/hosts/dandelion/default.nix @@ -26,6 +26,7 @@ inputs.c-amethyst.nixosModule inputs.c-beryllium.nixosModule + inputs.c-citrine.nixosModule ./filesystem.nix ./kernel.nix From d57703089247253842032ddfd7ce383e14587619 Mon Sep 17 00:00:00 2001 
From: Cilly Leang Date: Mon, 16 Mar 2026 02:04:31 +1100 Subject: [PATCH 044/178] containers/citrine: customise homepage and disable registrations --- containers/citrine/configuration.nix | 7 ++++++- containers/citrine/templates/home.tmpl | 19 +++++++++++++++++++ 2 files changed, 25 insertions(+), 1 deletion(-) create mode 100644 containers/citrine/templates/home.tmpl diff --git a/containers/citrine/configuration.nix b/containers/citrine/configuration.nix index 35d4e8b..b7106a1 100644 --- a/containers/citrine/configuration.nix +++ b/containers/citrine/configuration.nix @@ -3,16 +3,21 @@ networking.firewall.allowedTCPPorts = [ 3000 ]; networking.firewall.allowedUDPPorts = [ 3000 ]; + systemd.tmpfiles.rules = [ + "L+ /persist/forgejo/custom/templates - - - - ${./templates}" + ]; + services.forgejo = { enable = true; lfs.enable = true; settings = { + DEFAULT.APP_NAME = "Garden"; server = { DOMAIN = "garden.lava.moe"; ROOT_URL = "https://garden.lava.moe/"; HTTP_PORT = 3000; }; - service.DISABLE_REGISTRATION = false; + service.DISABLE_REGISTRATION = true; }; stateDir = "/persist/forgejo"; }; diff --git a/containers/citrine/templates/home.tmpl b/containers/citrine/templates/home.tmpl new file mode 100644 index 0000000..853077a --- /dev/null +++ b/containers/citrine/templates/home.tmpl @@ -0,0 +1,19 @@ +{{template "base/head" .}} +{{if not .IsSigned}} + +{{end}} +
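Review bot: The `L+ /persist/forgejo/custom/templates - - - - ${./templates}` rule links the custom-template directory to a store path, which is good for immutability, but the overridden templates reference internal names (`base/head`, `home_forgejo`, `base/footer`) that are only stable for the Forgejo version they were copied from, and nothing ties them to `services.forgejo.package`. A short comment above the rule, e.g. `# templates copied from Forgejo <version>; re-check after every services.forgejo.package bump`, would make that maintenance coupling explicit. The `DISABLE_REGISTRATION = true` change in the same hunk is the right default for a public `ROOT_URL`.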
+
+
+ +
+

+ {{AppDisplayName}} +

+

{{ctx.Locale.Tr "startpage.app_desc"}}

+
+
+
+ {{template "home_forgejo" .}} +
+{{template "base/footer" .}} From 15c4e4fc51553e6cec7b36a5ba9d925b8b49c3bb Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Mon, 16 Mar 2026 02:32:09 +1100 Subject: [PATCH 045/178] containers/citrine: catppuccin theming --- containers/citrine/configuration.nix | 17 +++- containers/citrine/flake.lock | 37 ++++++++- containers/citrine/flake.nix | 13 +++- .../templates/base/footer_content.tmpl | 31 ++++++++ containers/citrine/templates/home.tmpl | 24 +++--- flake.lock | 77 ++++++++++++++----- hosts/anemone/default.nix | 2 + 7 files changed, 163 insertions(+), 38 deletions(-) create mode 100644 containers/citrine/templates/base/footer_content.tmpl diff --git a/containers/citrine/configuration.nix b/containers/citrine/configuration.nix index b7106a1..fccb236 100644 --- a/containers/citrine/configuration.nix +++ b/containers/citrine/configuration.nix @@ -1,4 +1,4 @@ -{ config, ... }: { +{ config, lib, ... }: { system.stateVersion = "25.11"; networking.firewall.allowedTCPPorts = [ 3000 ]; networking.firewall.allowedUDPPorts = [ 3000 ]; @@ -17,10 +17,25 @@ ROOT_URL = "https://garden.lava.moe/"; HTTP_PORT = 3000; }; + ui = lib.mkForce { + DEFAULT_THEME = "catppuccin-maroon-auto"; + THEMES = lib.strings.concatMapStringsSep "," (x: "${x}-auto") [ + "catppuccin-pink" + "catppuccin-maroon" + "catppuccin-flamingo" + "catppuccin-rosewater" + "forgejo" + "gitea" + ]; + }; + api.ENABLE_SWAGGER = false; + other.SHOW_FOOTER_TEMPLATE_LOAD_TIME = false; service.DISABLE_REGISTRATION = true; }; stateDir = "/persist/forgejo"; }; + catppuccin.forgejo.enable = true; + environment.systemPackages = [ config.services.forgejo.package ]; } diff --git a/containers/citrine/flake.lock b/containers/citrine/flake.lock index 88ab73f..d627614 100644 --- a/containers/citrine/flake.lock +++ b/containers/citrine/flake.lock 
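Review bot: `ui = lib.mkForce { ... }` forces the whole `settings.ui` attribute set, so any other key another module places under `ui` (the catppuccin module enabled in the same hunk, or the NixOS Forgejo module) is discarded, not only `THEMES`. If the intent is just to win the theme list, narrow the override to the keys in conflict: `ui.DEFAULT_THEME = "catppuccin-maroon-auto";` and `ui.THEMES = lib.mkForce (lib.strings.concatMapStringsSep "," (x: "${x}-auto") [ ... ]);`. `api.ENABLE_SWAGGER = false` and `SHOW_FOOTER_TEMPLATE_LOAD_TIME = false` are reasonable reductions of what the instance discloses.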
@@ -1,6 +1,40 @@ { "nodes": { + "catppuccin": { + "inputs": { + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1773403535, + "narHash": "sha256-47MZaFrHxNO8tVUAmtVnerXUw2WWVluBOiU9MulN/yM=", + "owner": "catppuccin", + "repo": "nix", + "rev": "d45b5665cc638bad1b794350de02f4dd41b0bb47", + "type": "github" + }, + "original": { + "owner": "catppuccin", + "repo": "nix", + "type": "github" + } + }, "nixpkgs": { + "locked": { + "lastModified": 1773122722, + "narHash": "sha256-FIqHByVqxCprNjor1NqF80F2QQoiiyqanNNefdlvOg4=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "62dc67aa6a52b4364dd75994ec00b51fbf474e50", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { "locked": { "lastModified": 1773282481, "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=", @@ -18,7 +52,8 @@ }, "root": { "inputs": { - "nixpkgs": "nixpkgs" + "catppuccin": "catppuccin", + "nixpkgs": "nixpkgs_2" } } }, diff --git a/containers/citrine/flake.nix b/containers/citrine/flake.nix index bb4c1f4..72ff573 100644 --- a/containers/citrine/flake.nix +++ b/containers/citrine/flake.nix @@ -1,10 +1,17 @@ { inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; + catppuccin.url = "github:catppuccin/nix"; }; - outputs = { nixpkgs, ... }: { + outputs = { nixpkgs, catppuccin, ... }: + let + modules = [ + ./configuration.nix + catppuccin.nixosModules.catppuccin + ]; + in { nixosConfigurations.container = nixpkgs.lib.nixosSystem { - modules = [ ./configuration.nix ]; + inherit modules; }; nixosModule = { ... }: let @@ -26,7 +33,7 @@ # privateUsers = "pick"; nixpkgs = nixpkgs; ephemeral = true; - config = { imports = [ ./configuration.nix ]; }; + config = { imports = modules; }; bindMounts."persist" = { hostPath = "/persist/containers/${name}"; 
diff --git a/containers/citrine/templates/base/footer_content.tmpl b/containers/citrine/templates/base/footer_content.tmpl new file mode 100644 index 0000000..a9238c3 --- /dev/null +++ b/containers/citrine/templates/base/footer_content.tmpl @@ -0,0 +1,31 @@ +
+ + +
diff --git a/containers/citrine/templates/home.tmpl b/containers/citrine/templates/home.tmpl index 853077a..d460caf 100644 --- a/containers/citrine/templates/home.tmpl +++ b/containers/citrine/templates/home.tmpl @@ -3,17 +3,17 @@ {{end}}
-
-
- -
-

- {{AppDisplayName}} -

-

{{ctx.Locale.Tr "startpage.app_desc"}}

-
-
-
- {{template "home_forgejo" .}} +
+
+ +
+

+ {{AppDisplayName}} +

+

{{ctx.Locale.Tr "startpage.app_desc"}}

+
+
+
+ {{template "home_forgejo" .}}
{{template "base/footer" .}} diff --git a/flake.lock b/flake.lock index cd62ccb..1484f08 100644 --- a/flake.lock +++ b/flake.lock @@ -73,7 +73,8 @@ }, "c-citrine": { "inputs": { - "nixpkgs": "nixpkgs_5" + "catppuccin": "catppuccin", + "nixpkgs": "nixpkgs_6" }, "locked": { "path": "./containers/citrine", @@ -87,28 +88,19 @@ }, "catppuccin": { "inputs": { - "catppuccin-v1_1": "catppuccin-v1_1", - "catppuccin-v1_2": "catppuccin-v1_2", - "home-manager": "home-manager_2", - "home-manager-stable": "home-manager-stable", - "nixpkgs": [ - "nixpkgs" - ], - "nixpkgs-stable": "nixpkgs-stable", - "nuscht-search": "nuscht-search" + "nixpkgs": "nixpkgs_5" }, "locked": { - "lastModified": 1736069220, - "narHash": "sha256-76MaB3COao55nlhWmSmq9PKgu2iGIs54C1cAE0E5J6Y=", + "lastModified": 1773403535, + "narHash": "sha256-47MZaFrHxNO8tVUAmtVnerXUw2WWVluBOiU9MulN/yM=", "owner": "catppuccin", "repo": "nix", - "rev": "8eada392fd6571a747e1c5fc358dd61c14c8704e", + "rev": "d45b5665cc638bad1b794350de02f4dd41b0bb47", "type": "github" }, "original": { "owner": "catppuccin", "repo": "nix", - "rev": "8eada392fd6571a747e1c5fc358dd61c14c8704e", "type": "github" } }, @@ -156,6 +148,33 @@ "url": "https://flakehub.com/f/catppuccin/nix/1.2.%2A.tar.gz" } }, + "catppuccin_2": { + "inputs": { + "catppuccin-v1_1": "catppuccin-v1_1", + "catppuccin-v1_2": "catppuccin-v1_2", + "home-manager": "home-manager_2", + "home-manager-stable": "home-manager-stable", + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable", + "nuscht-search": "nuscht-search" + }, + "locked": { + "lastModified": 1736069220, + "narHash": "sha256-76MaB3COao55nlhWmSmq9PKgu2iGIs54C1cAE0E5J6Y=", + "owner": "catppuccin", + "repo": "nix", + "rev": "8eada392fd6571a747e1c5fc358dd61c14c8704e", + "type": "github" + }, + "original": { + "owner": "catppuccin", + "repo": "nix", + "rev": "8eada392fd6571a747e1c5fc358dd61c14c8704e", + "type": "github" + } + }, "darwin": { "inputs": { "nixpkgs": [ 
@@ -472,7 +491,7 @@ "nix-gaming": { "inputs": { "flake-parts": "flake-parts_2", - "nixpkgs": "nixpkgs_6" + "nixpkgs": "nixpkgs_7" }, "locked": { "lastModified": 1770778188, @@ -604,6 +623,22 @@ } }, "nixpkgs_5": { + "locked": { + "lastModified": 1773122722, + "narHash": "sha256-FIqHByVqxCprNjor1NqF80F2QQoiiyqanNNefdlvOg4=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "62dc67aa6a52b4364dd75994ec00b51fbf474e50", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_6": { "locked": { "lastModified": 1773282481, "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=", @@ -619,7 +654,7 @@ "type": "github" } }, - "nixpkgs_6": { + "nixpkgs_7": { "locked": { "lastModified": 1770537093, "narHash": "sha256-pF1quXG5wsgtyuPOHcLfYg/ft/QMr8NnX0i6tW2187s=", @@ -635,7 +670,7 @@ "type": "github" } }, - "nixpkgs_7": { + "nixpkgs_8": { "locked": { "lastModified": 1770562336, "narHash": "sha256-ub1gpAONMFsT/GU2hV6ZWJjur8rJ6kKxdm9IlCT0j84=", @@ -651,7 +686,7 @@ "type": "github" } }, - "nixpkgs_8": { + "nixpkgs_9": { "locked": { "lastModified": 1770019141, "narHash": "sha256-VKS4ZLNx4PNrABoB0L8KUpc1fE7CLpQXQs985tGfaCU=", @@ -709,7 +744,7 @@ "pastel": { "inputs": { "flake-utils": "flake-utils_2", - "nixpkgs": "nixpkgs_8", + "nixpkgs": "nixpkgs_9", "pnpm2nix": "pnpm2nix" }, "locked": { @@ -772,7 +807,7 @@ "c-amethyst": "c-amethyst", "c-beryllium": "c-beryllium", "c-citrine": "c-citrine", - "catppuccin": "catppuccin", + "catppuccin": "catppuccin_2", "catppuccin-palette": "catppuccin-palette", "fast-syntax-highlighting": "fast-syntax-highlighting", "home-manager": "home-manager_3", @@ -780,7 +815,7 @@ "neovim-nightly": "neovim-nightly", "nix-gaming": "nix-gaming", "nix-index-database": "nix-index-database", - "nixpkgs": "nixpkgs_7", + "nixpkgs": "nixpkgs_8", "nvim-treesitter": "nvim-treesitter", "pastel": "pastel", "pure": "pure", 
diff --git a/hosts/anemone/default.nix b/hosts/anemone/default.nix index aa4c81b..1d0bdab 100644 --- a/hosts/anemone/default.nix +++ b/hosts/anemone/default.nix @@ -30,6 +30,8 @@ snapper wireguard + inputs.c-citrine.nixosModule + ./filesystem.nix ./kernel.nix ./networking.nix From fa3872647d0f514942f449ffd0cb4cb4aa888423 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Mon, 16 Mar 2026 03:40:35 +1100 Subject: [PATCH 046/178] containers/citrine: forward ssh --- containers/citrine/flake.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/containers/citrine/flake.nix b/containers/citrine/flake.nix index 72ff573..4326ff7 100644 --- a/containers/citrine/flake.nix +++ b/containers/citrine/flake.nix @@ -18,6 +18,16 @@ name = "citrine"; subnet = "3"; in { + # TODO: this is likely dandelion specific + networking.firewall.extraCommands = '' + ip6tables -t nat -A PREROUTING -d fd0d::1:1003 -p tcp --dport 22 -j DNAT --to-destination fd0d:1::${subnet}:2 + ip6tables -t nat -A POSTROUTING -d fd0d:1::${subnet}:2 -p tcp --dport 22 -j SNAT --to-source fd0d::1:1003 + ''; + networking.firewall.extraStopCommands = '' + ip6tables -t nat -D PREROUTING -d fd0d::1:1003 -p tcp --dport 22 -j DNAT --to-destination fd0d:1::${subnet}:2 || true + ip6tables -t nat -D POSTROUTING -d fd0d:1::${subnet}:2 -p tcp --dport 22 -j SNAT --to-source fd0d::1:1003 || true + ''; + services.nginx.virtualHosts."garden.lava.moe" = { useACMEHost = "lava.moe"; forceSSL = true; From 49c161e8abb84cb267650173f00513247bcd769d Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Mon, 16 Mar 2026 03:43:07 +1100 Subject: [PATCH 047/178] hosts/anemone: remove citrine --- hosts/anemone/default.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/hosts/anemone/default.nix b/hosts/anemone/default.nix index 1d0bdab..aa4c81b 100644 --- a/hosts/anemone/default.nix +++ b/hosts/anemone/default.nix @@ -30,8 +30,6 @@ snapper wireguard - inputs.c-citrine.nixosModule - ./filesystem.nix ./kernel.nix ./networking.nix 
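Review bot: The `POSTROUTING ... -j SNAT --to-source fd0d::1:1003` rule rewrites the source of every forwarded SSH connection to the host address, so Forgejo's SSH log and any per-source rate limiting inside the container only ever see `fd0d::1:1003`, which defeats brute-force attribution for the one service most exposed to it. If the container's default route goes back through the host (as the `ve-` NAT setup suggests), the `PREROUTING` DNAT plus a FORWARD accept should be enough and the SNAT line can be dropped; if SNAT is genuinely needed, a comment explaining the asymmetric-routing reason would help. The hard-coded `fd0d::1:1003` is already flagged by the `TODO`; the whole block is removed again two commits later.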
From 27cf526c4760667e07ce6618194150294e3fee78 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Mon, 16 Mar 2026 16:07:08 +1100 Subject: [PATCH 048/178] containers/citrine: fix forwarding --- containers/citrine/configuration.nix | 13 +++++++++++-- containers/citrine/flake.nix | 10 ---------- 2 files changed, 11 insertions(+), 12 deletions(-) diff --git a/containers/citrine/configuration.nix b/containers/citrine/configuration.nix index fccb236..f84f8b6 100644 --- a/containers/citrine/configuration.nix +++ b/containers/citrine/configuration.nix @@ -1,7 +1,7 @@ { config, lib, ... }: { system.stateVersion = "25.11"; - networking.firewall.allowedTCPPorts = [ 3000 ]; - networking.firewall.allowedUDPPorts = [ 3000 ]; + networking.firewall.allowedTCPPorts = [ 22 3000 ]; + networking.firewall.allowedUDPPorts = [ 22 3000 ]; systemd.tmpfiles.rules = [ "L+ /persist/forgejo/custom/templates - - - - ${./templates}" @@ -16,6 +16,9 @@ DOMAIN = "garden.lava.moe"; ROOT_URL = "https://garden.lava.moe/"; HTTP_PORT = 3000; + START_SSH_SERVER = true; + BUILTIN_SSH_SERVER_USER = "git"; + SSH_DOMAIN = "git.lava.moe"; }; ui = lib.mkForce { DEFAULT_THEME = "catppuccin-maroon-auto"; @@ -35,6 +38,12 @@ stateDir = "/persist/forgejo"; }; + systemd.services.forgejo.serviceConfig = { + AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; + CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ]; + PrivateUsers = lib.mkForce false; + }; + catppuccin.forgejo.enable = true; environment.systemPackages = [ config.services.forgejo.package ]; diff --git a/containers/citrine/flake.nix b/containers/citrine/flake.nix index 4326ff7..72ff573 100644 --- a/containers/citrine/flake.nix +++ b/containers/citrine/flake.nix 
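Review bot: `networking.firewall.allowedUDPPorts = [ 22 3000 ]` opens UDP ports that neither the built-in SSH server nor the HTTP listener uses; only the TCP rule is needed, `networking.firewall.allowedUDPPorts = [ ];` (or drop the line). Opening 22 in the container firewall also only helps if the host side forwards or routes to it, which this commit leaves to the NAT change that follows.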
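Review bot: `PrivateUsers = lib.mkForce false` removes the unit's user-namespace sandbox just so `CAP_NET_BIND_SERVICE` can bind port 22, which widens the blast radius of the one service that accepts untrusted SSH connections. An alternative that keeps the sandbox is to let Forgejo listen on an unprivileged port and map it: `server.SSH_PORT = 2222;` in the container with a host-side `containers.citrine.forwardPorts`/DNAT from 22, or alternatively `boot.kernel.sysctl."net.ipv4.ip_unprivileged_port_start" = 22;` inside the container so no capability is needed at all. Presumably `CapabilityBoundingSet` here merges with whatever the upstream unit already sets rather than replacing it — worth confirming with `systemctl show forgejo -p CapabilityBoundingSet` after deploy.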
@@ -18,16 +18,6 @@ name = "citrine"; subnet = "3"; in { - # TODO: this is likely dandelion specific - networking.firewall.extraCommands = '' - ip6tables -t nat -A PREROUTING -d fd0d::1:1003 -p tcp --dport 22 -j DNAT --to-destination fd0d:1::${subnet}:2 - ip6tables -t nat -A POSTROUTING -d fd0d:1::${subnet}:2 -p tcp --dport 22 -j SNAT --to-source fd0d::1:1003 - ''; - networking.firewall.extraStopCommands = '' - ip6tables -t nat -D PREROUTING -d fd0d::1:1003 -p tcp --dport 22 -j DNAT --to-destination fd0d:1::${subnet}:2 || true - ip6tables -t nat -D POSTROUTING -d fd0d:1::${subnet}:2 -p tcp --dport 22 -j SNAT --to-source fd0d::1:1003 || true - ''; - services.nginx.virtualHosts."garden.lava.moe" = { useACMEHost = "lava.moe"; forceSSL = true; From ffcd5c93d2258e6d719bbd9077332b36267ca6b9 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Mon, 16 Mar 2026 16:18:41 +1100 Subject: [PATCH 049/178] containers/citrine: enable nat --- containers/citrine/flake.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/containers/citrine/flake.nix b/containers/citrine/flake.nix index 72ff573..5f6c381 100644 --- a/containers/citrine/flake.nix +++ b/containers/citrine/flake.nix @@ -18,6 +18,12 @@ name = "citrine"; subnet = "3"; in { + networking.nat = { + enable = true; + enableIPv6 = true; + internalInterfaces = [ "ve-${name}" ]; + }; + services.nginx.virtualHosts."garden.lava.moe" = { useACMEHost = "lava.moe"; forceSSL = true; From a7afbda1091c85eb012aa6495f13b91bf632db9f Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Mon, 16 Mar 2026 16:24:12 +1100 Subject: [PATCH 050/178] containers/citrine: refactor networking and use proper nameservers --- containers/citrine/flake.nix | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/containers/citrine/flake.nix b/containers/citrine/flake.nix index 5f6c381..1a2573e 100644 --- a/containers/citrine/flake.nix +++ b/containers/citrine/flake.nix 
@@ -5,19 +5,25 @@ }; outputs = { nixpkgs, catppuccin, ... }: let + name = "citrine"; + subnetId = "3"; + subnet = x: "fd0d:1::${subnetId}:${x}"; + host = subnet 1; + client = subnet 2; + modules = [ ./configuration.nix catppuccin.nixosModules.catppuccin + { + networking.useHostResolvConf = false; + networking.nameservers = [ host ]; + } ]; in { nixosConfigurations.container = nixpkgs.lib.nixosSystem { inherit modules; }; - nixosModule = { ... }: - let - name = "citrine"; - subnet = "3"; - in { + nixosModule = { ... }: { networking.nat = { enable = true; enableIPv6 = true; @@ -27,15 +33,15 @@ services.nginx.virtualHosts."garden.lava.moe" = { useACMEHost = "lava.moe"; forceSSL = true; - locations."/".proxyPass = "http://[fd0d:1::${subnet}:2]:3000"; + locations."/".proxyPass = "http://[${client}]:3000"; }; systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ]; containers.${name} = { autoStart = true; privateNetwork = true; - hostAddress6 = "fd0d:1::${subnet}:1"; - localAddress6 = "fd0d:1::${subnet}:2"; + hostAddress6 = host; + localAddress6 = client; # privateUsers = "pick"; nixpkgs = nixpkgs; ephemeral = true; From 1936294ea4a67602aada8f3369c26bb95af4ff95 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Mon, 16 Mar 2026 16:25:25 +1100 Subject: [PATCH 051/178] containers/citrine: oops --- containers/citrine/flake.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/containers/citrine/flake.nix b/containers/citrine/flake.nix index 1a2573e..5ac3fe3 100644 --- a/containers/citrine/flake.nix +++ b/containers/citrine/flake.nix @@ -7,7 +7,7 @@ let name = "citrine"; subnetId = "3"; - subnet = x: "fd0d:1::${subnetId}:${x}"; + subnet = x: "fd0d:1::${subnetId}:${toString x}"; host = subnet 1; client = subnet 2; From 7226266c30a4a57051a049767787187e7f425f70 Mon Sep 17 00:00:00 2001 
From: Cilly Leang Date: Mon, 16 Mar 2026 16:31:58 +1100 Subject: [PATCH 052/178] containers/citrine: enable ipv4 bc ipv6 is broken and i cba :sob: --- containers/citrine/flake.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/containers/citrine/flake.nix b/containers/citrine/flake.nix index 5ac3fe3..17eef3e 100644 --- a/containers/citrine/flake.nix +++ b/containers/citrine/flake.nix @@ -7,10 +7,15 @@ let name = "citrine"; subnetId = "3"; + subnet = x: "fd0d:1::${subnetId}:${toString x}"; host = subnet 1; client = subnet 2; + subnet4 = x: "10.30.${subnetId}.${toString x}"; + host4 = subnet4 1; + client4 = subnet4 2; + modules = [ ./configuration.nix catppuccin.nixosModules.catppuccin @@ -40,6 +45,8 @@ containers.${name} = { autoStart = true; privateNetwork = true; + hostAddress = host4; + localAddress = client4; hostAddress6 = host; localAddress6 = client; # privateUsers = "pick"; From c4bd8d3fa15d7af8a47e287db0526536e36b973f Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Mon, 16 Mar 2026 16:36:46 +1100 Subject: [PATCH 053/178] containers/citrine: use pq kex algorithms for ssh --- containers/citrine/configuration.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/containers/citrine/configuration.nix b/containers/citrine/configuration.nix index f84f8b6..05a099a 100644 --- a/containers/citrine/configuration.nix +++ b/containers/citrine/configuration.nix @@ -19,6 +19,7 @@ START_SSH_SERVER = true; BUILTIN_SSH_SERVER_USER = "git"; SSH_DOMAIN = "git.lava.moe"; + SSH_SERVER_KEY_EXCHANGES = "mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256"; }; ui = lib.mkForce { DEFAULT_THEME = "catppuccin-maroon-auto"; From 3a45f85c37507ef234782f2c2606e28f69ebb161 Mon Sep 17 00:00:00 2001 
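Review bot: Forgejo's built-in SSH server takes its key-exchange list from the Go `x/crypto/ssh` version bundled in `services.forgejo.package`, and `mlkem768x25519-sha256` is only recognised by recent releases of that library; an unrecognised name in `SSH_SERVER_KEY_EXCHANGES` may be rejected at startup or silently ignored depending on the version, so this should be verified against the server (e.g. `ssh -vv git@git.lava.moe` and the forgejo journal) rather than assumed. If post-quantum/x25519 is the goal, `diffie-hellman-group-exchange-sha256` at the end of the list is the weakest entry and only serves very old clients; dropping it would leave only curve25519 and hybrid PQ exchanges. A one-line comment recording which `x/crypto` version the list was validated against would save the next reader the same check.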
From: Cilly Leang Date: Tue, 17 Mar 2026 02:10:11 +1100 Subject: [PATCH 054/178] dandelion/networking: disable dhcp on enp2s0 --- hosts/dandelion/networking.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/dandelion/networking.nix b/hosts/dandelion/networking.nix index ee27faf..322719e 100644 --- a/hosts/dandelion/networking.nix +++ b/hosts/dandelion/networking.nix @@ -1,3 +1,4 @@ { ... }: { networking.useDHCP = true; + networking.interfaces.enp2s0.useDHCP = false; } From 66332a980a14ac976ac5c88db79b8eaaf7a10bce Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Tue, 17 Mar 2026 14:37:36 +1100 Subject: [PATCH 055/178] containers/diamond: init --- containers/diamond/configuration.nix | 18 +++++ containers/diamond/flake.lock | 27 +++++++ containers/diamond/flake.nix | 48 +++++++++++++ .../templates/base/footer_content.tmpl | 31 ++++++++ containers/diamond/templates/home.tmpl | 19 +++++ flake.lock | 71 +++++++++++++------ flake.nix | 1 + hosts/dandelion/default.nix | 1 + 8 files changed, 196 insertions(+), 20 deletions(-) create mode 100644 containers/diamond/configuration.nix create mode 100644 containers/diamond/flake.lock create mode 100644 containers/diamond/flake.nix create mode 100644 containers/diamond/templates/base/footer_content.tmpl create mode 100644 containers/diamond/templates/home.tmpl diff --git a/containers/diamond/configuration.nix b/containers/diamond/configuration.nix new file mode 100644 index 0000000..60a98d0 --- /dev/null +++ b/containers/diamond/configuration.nix @@ -0,0 +1,18 @@ +{ config, lib, ... }: { + system.stateVersion = "25.11"; + systemd.tmpfiles.rules = [ + "d /persist/vaultwarden 755 vaultwarden vaultwarden" + ]; + fileSystems."/var/lib/vaultwarden" = { + device = "/persist/vaultwarden"; + fsType = "none"; + options = [ "bind" ]; + }; + networking.firewall.allowedTCPPorts = [ 8000 ]; + networking.firewall.allowedUDPPorts = [ 8000 ]; + + services.vaultwarden = { + enable = true; + domain = "diamond.local.lava.moe"; + }; +} 
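Review bot: `services.vaultwarden` is enabled without any `config`, and Vaultwarden's own default is to allow open signups unless `SIGNUPS_ALLOWED` is set, so as written anyone who can reach `diamond.local.lava.moe` can create a vault — I do not believe the NixOS module changes that default, but confirm. Set it explicitly, e.g. `config = { SIGNUPS_ALLOWED = false; ROCKET_PORT = 8000; };`, and consider `INVITATIONS_ALLOWED` as well. The tmpfiles rule `d /persist/vaultwarden 755 vaultwarden vaultwarden` makes the directory holding `db.sqlite3`, attachments and the RSA signing key traversable by every account in the container; `d /persist/vaultwarden 0700 vaultwarden vaultwarden` is the appropriate mode, and `networking.firewall.allowedUDPPorts = [ 8000 ]` can go since the HTTP listener is TCP-only.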
diff --git a/containers/diamond/flake.lock b/containers/diamond/flake.lock new file mode 100644 index 0000000..88ab73f --- /dev/null +++ b/containers/diamond/flake.lock @@ -0,0 +1,27 @@ +{ + "nodes": { + "nixpkgs": { + "locked": { + "lastModified": 1773282481, + "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "nixpkgs": "nixpkgs" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/containers/diamond/flake.nix b/containers/diamond/flake.nix new file mode 100644 index 0000000..d22af24 --- /dev/null +++ b/containers/diamond/flake.nix @@ -0,0 +1,48 @@ +{ + inputs = { + nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; + }; + outputs = { nixpkgs, ... }: + let + name = "diamond"; + subnetId = "4"; + + subnet = x: "fd0d:1::${subnetId}:${toString x}"; + host = subnet 1; + client = subnet 2; + + modules = [ + ./configuration.nix + ]; + in { + nixosConfigurations.container = nixpkgs.lib.nixosSystem { + inherit modules; + }; + nixosModule = { ... }: { + services.nginx.virtualHosts."diamond.local.lava.moe" = { + useACMEHost = "lava.moe"; + forceSSL = true; + locations."/".proxyPass = "http://[${client}]:8000"; + }; + + systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ]; + containers.${name} = { + autoStart = true; + privateNetwork = true; + hostAddress6 = host; + localAddress6 = client; + # privateUsers = "pick"; + nixpkgs = nixpkgs; + ephemeral = true; + config = { imports = modules; }; + + bindMounts."persist" = { + hostPath = "/persist/containers/${name}"; + mountPoint = "/persist"; + isReadOnly = false; + }; + # flake = "path:" + ./.; + }; + }; + }; +} 
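Review bot: Unlike citrine this container has no `networking.nat` block and no `networking.nameservers`, so outbound traffic from diamond (icon fetching, SMTP for 2FA/invite mail if configured) presumably fails; if that is deliberate isolation for a secrets service, a comment saying so would prevent it being "fixed" later, otherwise add the same NAT stanza. The `locations."/".proxyPass` has no `proxyWebsockets = true`, which the Vaultwarden web vault needs for live-sync notifications on recent versions — worth confirming against the deployed version. As in citrine, `# privateUsers = "pick";` is left disabled and `d /persist/containers/${name} 755 root users` exposes the container's persistent state tree to every host account; `0750 root root` and enabling `privateUsers` would be more appropriate for a container that stores a password vault.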
diff --git a/containers/diamond/templates/base/footer_content.tmpl b/containers/diamond/templates/base/footer_content.tmpl new file mode 100644 index 0000000..a9238c3 --- /dev/null +++ b/containers/diamond/templates/base/footer_content.tmpl @@ -0,0 +1,31 @@ +
+ + +
diff --git a/containers/diamond/templates/home.tmpl b/containers/diamond/templates/home.tmpl new file mode 100644 index 0000000..d460caf --- /dev/null +++ b/containers/diamond/templates/home.tmpl @@ -0,0 +1,19 @@ +{{template "base/head" .}} +{{if not .IsSigned}} + +{{end}} +
+
+
+ +
+

+ {{AppDisplayName}} +

+

{{ctx.Locale.Tr "startpage.app_desc"}}

+
+
+
+ {{template "home_forgejo" .}} +
+{{template "base/footer" .}} diff --git a/flake.lock b/flake.lock index 1484f08..5215cc5 100644 --- a/flake.lock +++ b/flake.lock @@ -86,6 +86,20 @@ }, "parent": [] }, + "c-diamond": { + "inputs": { + "nixpkgs": "nixpkgs_7" + }, + "locked": { + "path": "./containers/diamond", + "type": "path" + }, + "original": { + "path": "./containers/diamond", + "type": "path" + }, + "parent": [] + }, "catppuccin": { "inputs": { "nixpkgs": "nixpkgs_5" @@ -491,7 +505,7 @@ "nix-gaming": { "inputs": { "flake-parts": "flake-parts_2", - "nixpkgs": "nixpkgs_7" + "nixpkgs": "nixpkgs_8" }, "locked": { "lastModified": 1770778188, @@ -574,6 +588,22 @@ "type": "github" } }, + "nixpkgs_10": { + "locked": { + "lastModified": 1770019141, + "narHash": "sha256-VKS4ZLNx4PNrABoB0L8KUpc1fE7CLpQXQs985tGfaCU=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "cb369ef2efd432b3cdf8622b0ffc0a97a02f3137", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs_2": { "locked": { "lastModified": 1744536153, @@ -655,6 +685,22 @@ } }, "nixpkgs_7": { + "locked": { + "lastModified": 1773282481, + "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_8": { "locked": { "lastModified": 1770537093, "narHash": "sha256-pF1quXG5wsgtyuPOHcLfYg/ft/QMr8NnX0i6tW2187s=", @@ -670,7 +716,7 @@ "type": "github" } }, - "nixpkgs_8": { + "nixpkgs_9": { "locked": { "lastModified": 1770562336, "narHash": "sha256-ub1gpAONMFsT/GU2hV6ZWJjur8rJ6kKxdm9IlCT0j84=", 
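Review bot: This file (and `templates/base/footer_content.tmpl` in the same commit) is a Forgejo page template — it calls `{{template "home_forgejo" .}}` and `{{AppDisplayName}}` — but the diamond container runs Vaultwarden and nothing in its `configuration.nix` links a templates directory, so these appear to be copied over from citrine and are dead. Dropping them avoids stale Forgejo markup accumulating in a container that holds a password vault, or if they are intended for a future use, a comment at the top of the file should say so.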
@@ -686,22 +732,6 @@ "type": "github" } }, - "nixpkgs_9": { - "locked": { - "lastModified": 1770019141, - "narHash": "sha256-VKS4ZLNx4PNrABoB0L8KUpc1fE7CLpQXQs985tGfaCU=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "cb369ef2efd432b3cdf8622b0ffc0a97a02f3137", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, "nuscht-search": { "inputs": { "flake-utils": "flake-utils", @@ -744,7 +774,7 @@ "pastel": { "inputs": { "flake-utils": "flake-utils_2", - "nixpkgs": "nixpkgs_9", + "nixpkgs": "nixpkgs_10", "pnpm2nix": "pnpm2nix" }, "locked": { @@ -807,6 +837,7 @@ "c-amethyst": "c-amethyst", "c-beryllium": "c-beryllium", "c-citrine": "c-citrine", + "c-diamond": "c-diamond", "catppuccin": "catppuccin_2", "catppuccin-palette": "catppuccin-palette", "fast-syntax-highlighting": "fast-syntax-highlighting", @@ -815,7 +846,7 @@ "neovim-nightly": "neovim-nightly", "nix-gaming": "nix-gaming", "nix-index-database": "nix-index-database", - "nixpkgs": "nixpkgs_8", + "nixpkgs": "nixpkgs_9", "nvim-treesitter": "nvim-treesitter", "pastel": "pastel", "pure": "pure", diff --git a/flake.nix b/flake.nix index f8866db..db68cbd 100644 --- a/flake.nix +++ b/flake.nix @@ -41,6 +41,7 @@ c-amethyst.url = "path:./containers/amethyst"; c-beryllium.url = "path:./containers/beryllium"; c-citrine.url = "path:./containers/citrine"; + c-diamond.url = "path:./containers/diamond"; }; outputs = { self, agenix, catppuccin, nixpkgs, ... } @ inputs: diff --git a/hosts/dandelion/default.nix b/hosts/dandelion/default.nix index 3f87d87..e7c332a 100644 --- a/hosts/dandelion/default.nix +++ b/hosts/dandelion/default.nix @@ -27,6 +27,7 @@ inputs.c-amethyst.nixosModule inputs.c-beryllium.nixosModule inputs.c-citrine.nixosModule + inputs.c-diamond.nixosModule ./filesystem.nix ./kernel.nix From 518c718a5da01fcf912b218e4bd94c0c37aef043 Mon Sep 17 00:00:00 2001 
From: Cilly Leang Date: Tue, 17 Mar 2026 17:01:15 +1100 Subject: [PATCH 056/178] containers: clean up domain names --- containers/amethyst/flake.nix | 3 ++- containers/beryllium/flake.nix | 9 ++++----- containers/citrine/configuration.nix | 6 +++--- containers/citrine/flake.nix | 4 +++- containers/diamond/configuration.nix | 4 ++-- containers/diamond/flake.nix | 4 +++- 6 files changed, 17 insertions(+), 13 deletions(-) diff --git a/containers/amethyst/flake.nix b/containers/amethyst/flake.nix index 4865e29..5b9817e 100644 --- a/containers/amethyst/flake.nix +++ b/containers/amethyst/flake.nix @@ -9,6 +9,7 @@ nixosModule = { ... }: let name = "amethyst"; + fqdn = "amethyst.lava.moe"; subnet = "1"; in { networking.nat = { @@ -17,7 +18,7 @@ internalInterfaces = [ "ve-${name}" ]; }; - services.nginx.virtualHosts."${name}.local.lava.moe" = { + services.nginx.virtualHosts."${fqdn}" = { useACMEHost = "lava.moe"; forceSSL = true; locations."/".proxyPass = "http://[fd0d:1::${subnet}:2]:9091"; diff --git a/containers/beryllium/flake.nix b/containers/beryllium/flake.nix index adab4f0..c6b6cae 100644 --- a/containers/beryllium/flake.nix +++ b/containers/beryllium/flake.nix @@ -9,6 +9,7 @@ nixosModule = { ... }: let name = "beryllium"; + fqdn = "beryllium.lava.moe"; subnet = "2"; in { networking.nat = { @@ -17,7 +18,7 @@ internalInterfaces = [ "ve-${name}" ]; }; - services.nginx.virtualHosts."${name}.lava.moe" = { + services.nginx.virtualHosts."${fqdn}" = { useACMEHost = "lava.moe"; forceSSL = true; locations."/".extraConfig = "return 302 'https://lava.moe';"; @@ -29,7 +30,7 @@ services.nginx.virtualHosts."lava.moe" = { locations."= /.well-known/matrix/server".extraConfig = let - server = { "m.server" = "beryllium.lava.moe:443"; }; + server = { "m.server" = "${fqdn}:443"; }; in '' add_header Content-Type application/json; return 200 '${builtins.toJSON server}'; 
@@ -37,7 +38,7 @@ locations."= /.well-known/matrix/client".extraConfig = let client = { - "m.homeserver" = { "base_url" = "https://beryllium.lava.moe"; }; + "m.homeserver" = { "base_url" = "https://${fqdn}"; }; # "m.identity_server" = { "base_url" = "https://vector.im"; }; }; in '' @@ -51,8 +52,6 @@ containers.${name} = { autoStart = true; privateNetwork = true; - hostAddress = "10.30.${subnet}.1"; - localAddress = "10.30.${subnet}.2"; hostAddress6 = "fd0d:1::${subnet}:1"; localAddress6 = "fd0d:1::${subnet}:2"; # privateUsers = "pick"; diff --git a/containers/citrine/configuration.nix b/containers/citrine/configuration.nix index 05a099a..996ffb2 100644 --- a/containers/citrine/configuration.nix +++ b/containers/citrine/configuration.nix @@ -1,4 +1,4 @@ -{ config, lib, ... }: { +{ config, fqdn, lib, ... }: { system.stateVersion = "25.11"; networking.firewall.allowedTCPPorts = [ 22 3000 ]; networking.firewall.allowedUDPPorts = [ 22 3000 ]; @@ -13,8 +13,8 @@ settings = { DEFAULT.APP_NAME = "Garden"; server = { - DOMAIN = "garden.lava.moe"; - ROOT_URL = "https://garden.lava.moe/"; + DOMAIN = fqdn; + ROOT_URL = "https://${fqdn}/"; HTTP_PORT = 3000; START_SSH_SERVER = true; BUILTIN_SSH_SERVER_USER = "git"; diff --git a/containers/citrine/flake.nix b/containers/citrine/flake.nix index 17eef3e..5673c9e 100644 --- a/containers/citrine/flake.nix +++ b/containers/citrine/flake.nix @@ -6,6 +6,7 @@ outputs = { nixpkgs, catppuccin, ... }: let name = "citrine"; + fqdn = "garden.lava.moe"; subnetId = "3"; subnet = x: "fd0d:1::${subnetId}:${toString x}"; @@ -35,7 +36,7 @@ internalInterfaces = [ "ve-${name}" ]; }; - services.nginx.virtualHosts."garden.lava.moe" = { + services.nginx.virtualHosts."${fqdn}" = { useACMEHost = "lava.moe"; forceSSL = true; locations."/".proxyPass = "http://[${client}]:3000"; 
@@ -53,6 +54,7 @@ nixpkgs = nixpkgs; ephemeral = true; config = { imports = modules; }; + specialArgs = { inherit fqdn; }; bindMounts."persist" = { hostPath = "/persist/containers/${name}"; diff --git a/containers/diamond/configuration.nix b/containers/diamond/configuration.nix index 60a98d0..c002e08 100644 --- a/containers/diamond/configuration.nix +++ b/containers/diamond/configuration.nix @@ -1,4 +1,4 @@ -{ config, lib, ... }: { +{ fqdn, ... }: { system.stateVersion = "25.11"; systemd.tmpfiles.rules = [ "d /persist/vaultwarden 755 vaultwarden vaultwarden" @@ -13,6 +13,6 @@ services.vaultwarden = { enable = true; - domain = "diamond.local.lava.moe"; + domain = fqdn; }; } diff --git a/containers/diamond/flake.nix b/containers/diamond/flake.nix index d22af24..f64f4f9 100644 --- a/containers/diamond/flake.nix +++ b/containers/diamond/flake.nix @@ -5,6 +5,7 @@ outputs = { nixpkgs, ... }: let name = "diamond"; + fqdn = "astransia.lava.moe"; subnetId = "4"; subnet = x: "fd0d:1::${subnetId}:${toString x}"; @@ -19,7 +20,7 @@ inherit modules; }; nixosModule = { ... }: { - services.nginx.virtualHosts."diamond.local.lava.moe" = { + services.nginx.virtualHosts."${fqdn}" = { useACMEHost = "lava.moe"; forceSSL = true; locations."/".proxyPass = "http://[${client}]:8000"; @@ -35,6 +36,7 @@ nixpkgs = nixpkgs; ephemeral = true; config = { imports = modules; }; + specialArgs = { inherit fqdn; }; bindMounts."persist" = { hostPath = "/persist/containers/${name}"; From 55e0d2525169d4e6332e36400a0aaadf7db66731 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Tue, 17 Mar 2026 17:06:49 +1100 Subject: [PATCH 057/178] containers/diamond: listen on ipv6 --- containers/diamond/configuration.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/containers/diamond/configuration.nix b/containers/diamond/configuration.nix index c002e08..01b4311 100644 --- a/containers/diamond/configuration.nix +++ b/containers/diamond/configuration.nix 
@@ -14,5 +14,9 @@
 services.vaultwarden = {
 enable = true;
 domain = fqdn;
+ config = {
+ DOMAIN = "https://${fqdn}";
+ ROCKET_ADDRESS = "::";
+ };
 };
 }
From b7665d9bd52226eca5a5ca25bf79b92d213e5143 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Tue, 17 Mar 2026 17:25:35 +1100 Subject: [PATCH 058/178] containers/diamond: only listen on local addresses TIL nginx will only route via amethyst if it's on local address, even if hostname doesn't match --- containers/diamond/flake.nix | 1 + 1 file changed, 1 insertion(+)
diff --git a/containers/diamond/flake.nix b/containers/diamond/flake.nix
index f64f4f9..13b6b1e 100644
--- a/containers/diamond/flake.nix
+++ b/containers/diamond/flake.nix
@@ -24,6 +24,7 @@
 useACMEHost = "lava.moe";
 forceSSL = true;
 locations."/".proxyPass = "http://[${client}]:8000";
+ listenAddresses = [ "10.0.0.1" "[fd0d::1]" ];
 };
 systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
From 0567313fa25c98519c2cc75ea72c0f9f2eacc928 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Tue, 17 Mar 2026 18:13:53 +1100 Subject: [PATCH 059/178] containers/emerald: init --- containers/emerald/configuration.nix | 21 +++++++++ containers/emerald/flake.lock | 27 +++++++++++ containers/emerald/flake.nix | 57 +++++++++++++++++++++++ flake.lock | 69 ++++++++++++++++++++-------- flake.nix | 1 + 5 files changed, 156 insertions(+), 19 deletions(-) create mode 100644 containers/emerald/configuration.nix create mode 100644 containers/emerald/flake.lock create mode 100644 containers/emerald/flake.nix
diff --git a/containers/emerald/configuration.nix b/containers/emerald/configuration.nix
new file mode 100644
index 0000000..ca7a920
--- /dev/null
+++ b/containers/emerald/configuration.nix
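Review bot: The new `config` block leaves account registration at Vaultwarden's default, which is open, while `ROCKET_ADDRESS = "::"` together with the public `astransia.lava.moe` vhost now makes the instance reachable from the internet; add `SIGNUPS_ALLOWED = false;` (and `INVITATIONS_ALLOWED = false;` if invites are not wanted) beside `DOMAIN` so only intended accounts can be created. `DOMAIN = "https://${fqdn}"` here and `domain = fqdn;` on the context line above describe the same thing; unless the module needs both, keeping a single source avoids them drifting apart. Binding `::` is presumably fine because the container's only interface is the veth pair, but a one-line comment saying so would spare the next reader the question.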
@@ -0,0 +1,21 @@
+{ fqdn, shareFqdn, ... }: {
+ system.stateVersion = "25.11";
+ systemd.tmpfiles.rules = [
+ "d /persist/music 755 navidrome navidrome"
+ "d /persist/navidrome 755 navidrome navidrome"
+ ];
+ networking.firewall.allowedTCPPorts = [ 4533 ];
+ networking.firewall.allowedUDPPorts = [ 4533 ];
+
+ services.navidrome = {
+ enable = true;
+ settings = {
+ Port = 4533;
+ Address = "[::]";
+ BaseUrl = "https://${fqdn}/";
+ ShareURL = shareFqdn;
+ DataFolder = "/persist/navidrome";
+ MusicFolder = "/persist/music";
+ };
+ };
+}
diff --git a/containers/emerald/flake.lock b/containers/emerald/flake.lock
new file mode 100644
index 0000000..88ab73f
--- /dev/null
+++ b/containers/emerald/flake.lock
@@ -0,0 +1,27 @@
+{
+ "nodes": {
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1773282481,
+ "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "nixpkgs": "nixpkgs"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/containers/emerald/flake.nix b/containers/emerald/flake.nix
new file mode 100644
index 0000000..d9fe5d0
--- /dev/null
+++ b/containers/emerald/flake.nix
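Review bot: `networking.firewall.allowedUDPPorts = [ 4533 ];` opens UDP for a port that Navidrome only serves over HTTP (TCP); dropping that line keeps the container firewall at what the host-side nginx proxy actually needs. The fluorite configuration.nix hunk later in this series does the same for slskd's web port 5030. `Address = "[::]"` binds every address in the container, presumably so the proxy can reach it over the veth, but a short comment on that line would explain why it is not the loopback.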
@@ -0,0 +1,57 @@
+{
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+ };
+ outputs = { nixpkgs, ... }:
+ let
+ name = "emerald";
+ fqdn = "navia.lava.moe";
+ shareFqdn = "share.navia.lava.moe";
+ subnetId = "5";
+
+ subnet = x: "fd0d:1::${subnetId}:${toString x}";
+ host = subnet 1;
+ client = subnet 2;
+
+ modules = [
+ ./configuration.nix
+ ];
+ in {
+ nixosConfigurations.container = nixpkgs.lib.nixosSystem {
+ inherit modules;
+ };
+ nixosModule = { ... }: {
+ services.nginx.virtualHosts."${fqdn}" = {
+ useACMEHost = "lava.moe";
+ forceSSL = true;
+ locations."/".proxyPass = "http://[${client}]:4533";
+ listenAddresses = [ "10.0.0.1" "[fd0d::1]" ];
+ };
+ services.nginx.virtualHosts."${shareFqdn}" = {
+ useACMEHost = "lava.moe";
+ forceSSL = true;
+ locations."/".proxyPass = "http://[${client}]:4533/share";
+ };
+
+ systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
+ containers.${name} = {
+ autoStart = true;
+ privateNetwork = true;
+ hostAddress6 = host;
+ localAddress6 = client;
+ # privateUsers = "pick";
+ nixpkgs = nixpkgs;
+ ephemeral = true;
+ config = { imports = modules; };
+ specialArgs = { inherit fqdn shareFqdn; };
+
+ bindMounts."persist" = {
+ hostPath = "/persist/containers/${name}";
+ mountPoint = "/persist";
+ isReadOnly = false;
+ };
+ # flake = "path:" + ./.;
+ };
+ };
+ };
+}
diff --git a/flake.lock b/flake.lock
index 5215cc5..305fddb 100644
--- a/flake.lock
+++ b/flake.lock
@@ -100,6 +100,20 @@
 },
 "parent": []
 },
+ "c-emerald": {
+ "inputs": {
+ "nixpkgs": "nixpkgs_8"
+ },
+ "locked": {
+ "path": "./containers/emerald",
+ "type": "path"
+ },
+ "original": {
+ "path": "./containers/emerald",
+ "type": "path"
+ },
+ "parent": []
+ },
 "catppuccin": {
 "inputs": {
 "nixpkgs": "nixpkgs_5"
@@ -505,7 +519,7 @@
 "nix-gaming": {
 "inputs": {
 "flake-parts": "flake-parts_2",
- "nixpkgs": "nixpkgs_8"
+ "nixpkgs": "nixpkgs_9"
 },
 "locked": {
 "lastModified": 1770778188,
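Review bot: `# privateUsers = "pick";` is left commented out, so root inside emerald is presumably root on the host; for a container that fronts a web UI, and for the fluorite flake later in this series that carries the same commented line while accepting connections from arbitrary Soulseek peers, user-namespace isolation is the cheapest extra boundary. If it was disabled because of ownership on the bind-mounted `/persist/containers/${name}`, a comment next to the line would keep that decision visible. The `shareFqdn` vhost also lacks the `listenAddresses` restriction of the `fqdn` one; if that asymmetry is deliberate, a one-line comment would stop it being "fixed" later.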
@@ -589,6 +603,22 @@ } }, "nixpkgs_10": { + "locked": { + "lastModified": 1770562336, + "narHash": "sha256-ub1gpAONMFsT/GU2hV6ZWJjur8rJ6kKxdm9IlCT0j84=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "d6c71932130818840fc8fe9509cf50be8c64634f", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_11": { "locked": { "lastModified": 1770019141, "narHash": "sha256-VKS4ZLNx4PNrABoB0L8KUpc1fE7CLpQXQs985tGfaCU=", @@ -701,6 +731,22 @@ } }, "nixpkgs_8": { + "locked": { + "lastModified": 1773282481, + "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_9": { "locked": { "lastModified": 1770537093, "narHash": "sha256-pF1quXG5wsgtyuPOHcLfYg/ft/QMr8NnX0i6tW2187s=", @@ -716,22 +762,6 @@ "type": "github" } }, - "nixpkgs_9": { - "locked": { - "lastModified": 1770562336, - "narHash": "sha256-ub1gpAONMFsT/GU2hV6ZWJjur8rJ6kKxdm9IlCT0j84=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "d6c71932130818840fc8fe9509cf50be8c64634f", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, "nuscht-search": { "inputs": { "flake-utils": "flake-utils", @@ -774,7 +804,7 @@ "pastel": { "inputs": { "flake-utils": "flake-utils_2", - "nixpkgs": "nixpkgs_10", + "nixpkgs": "nixpkgs_11", "pnpm2nix": "pnpm2nix" }, "locked": { @@ -838,6 +868,7 @@ "c-beryllium": "c-beryllium", "c-citrine": "c-citrine", "c-diamond": "c-diamond", + "c-emerald": "c-emerald", "catppuccin": "catppuccin_2", "catppuccin-palette": "catppuccin-palette", "fast-syntax-highlighting": "fast-syntax-highlighting", 
@@ -846,7 +877,7 @@ "neovim-nightly": "neovim-nightly", "nix-gaming": "nix-gaming", "nix-index-database": "nix-index-database", - "nixpkgs": "nixpkgs_9", + "nixpkgs": "nixpkgs_10", "nvim-treesitter": "nvim-treesitter", "pastel": "pastel", "pure": "pure", diff --git a/flake.nix b/flake.nix index db68cbd..3746d08 100644 --- a/flake.nix +++ b/flake.nix @@ -42,6 +42,7 @@ c-beryllium.url = "path:./containers/beryllium"; c-citrine.url = "path:./containers/citrine"; c-diamond.url = "path:./containers/diamond"; + c-emerald.url = "path:./containers/emerald"; }; outputs = { self, agenix, catppuccin, nixpkgs, ... } @ inputs: From 8cf7c1815e104dd0acc94936c750dc62a84540fb Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Tue, 17 Mar 2026 18:57:18 +1100 Subject: [PATCH 060/178] containers/emerald: enable sharing --- containers/emerald/configuration.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/containers/emerald/configuration.nix b/containers/emerald/configuration.nix index ca7a920..b2500a4 100644 --- a/containers/emerald/configuration.nix +++ b/containers/emerald/configuration.nix @@ -14,6 +14,7 @@ Address = "[::]"; BaseUrl = "https://${fqdn}/"; ShareURL = shareFqdn; + EnableSharing = true; DataFolder = "/persist/navidrome"; MusicFolder = "/persist/music"; }; From 75c7e7b193e154adb7528e7ac7efa4ce5be81479 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Tue, 17 Mar 2026 18:58:49 +1100 Subject: [PATCH 061/178] hosts/dandelion: add emerald --- hosts/dandelion/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/dandelion/default.nix b/hosts/dandelion/default.nix index e7c332a..5174cc7 100644 --- a/hosts/dandelion/default.nix +++ b/hosts/dandelion/default.nix @@ -28,6 +28,7 @@ inputs.c-beryllium.nixosModule inputs.c-citrine.nixosModule inputs.c-diamond.nixosModule + inputs.c-emerald.nixosModule ./filesystem.nix ./kernel.nix From 4aaeefa97a219c1c886027d478c4bdb82fc5467a Mon Sep 17 00:00:00 2001 
From: Cilly Leang Date: Tue, 17 Mar 2026 23:43:23 +1100 Subject: [PATCH 062/178] containers/emerald: use alternative share fqdn insane, ssl cert extra domains' wildcard only goes one level deep --- containers/emerald/flake.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/containers/emerald/flake.nix b/containers/emerald/flake.nix index d9fe5d0..69a66f0 100644 --- a/containers/emerald/flake.nix +++ b/containers/emerald/flake.nix @@ -6,7 +6,7 @@ let name = "emerald"; fqdn = "navia.lava.moe"; - shareFqdn = "share.navia.lava.moe"; + shareFqdn = "muse.lava.moe"; subnetId = "5"; subnet = x: "fd0d:1::${subnetId}:${toString x}"; From ccafbd8ae06146885c4163e0049a7091e0a415b7 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 18 Mar 2026 00:07:52 +1100 Subject: [PATCH 063/178] containers/emerald: use correct shareurl format navidrome always add /share at the end :( --- containers/emerald/configuration.nix | 2 +- containers/emerald/flake.nix | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/containers/emerald/configuration.nix b/containers/emerald/configuration.nix index b2500a4..68b06fa 100644 --- a/containers/emerald/configuration.nix +++ b/containers/emerald/configuration.nix @@ -13,7 +13,7 @@ Port = 4533; Address = "[::]"; BaseUrl = "https://${fqdn}/"; - ShareURL = shareFqdn; + ShareURL = "https://${shareFqdn}"; EnableSharing = true; DataFolder = "/persist/navidrome"; MusicFolder = "/persist/music"; diff --git a/containers/emerald/flake.nix b/containers/emerald/flake.nix index 69a66f0..315194d 100644 --- a/containers/emerald/flake.nix +++ b/containers/emerald/flake.nix @@ -30,7 +30,7 @@ services.nginx.virtualHosts."${shareFqdn}" = { useACMEHost = "lava.moe"; forceSSL = true; - locations."/".proxyPass = "http://[${client}]:4533/share"; + locations."/".proxyPass = "http://[${client}]:4533"; }; systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ]; 
From 52fbdfe8cfcba27d033d0b459b8682799ccddff8 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 18 Mar 2026 01:11:20 +1100 Subject: [PATCH 064/178] containers/emerald: only allow urls under /share --- containers/emerald/flake.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/containers/emerald/flake.nix b/containers/emerald/flake.nix index 315194d..6447bf2 100644 --- a/containers/emerald/flake.nix +++ b/containers/emerald/flake.nix @@ -30,7 +30,7 @@ services.nginx.virtualHosts."${shareFqdn}" = { useACMEHost = "lava.moe"; forceSSL = true; - locations."/".proxyPass = "http://[${client}]:4533"; + locations."/share/".proxyPass = "http://[${client}]:4533"; }; systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ]; From 68ae736c2cc2c582007e0cf14009a98475e135f1 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 18 Mar 2026 01:22:07 +1100 Subject: [PATCH 065/178] containers/emerald: return 404 on / --- containers/emerald/flake.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/containers/emerald/flake.nix b/containers/emerald/flake.nix index 6447bf2..276dba4 100644 --- a/containers/emerald/flake.nix +++ b/containers/emerald/flake.nix @@ -30,6 +30,7 @@ services.nginx.virtualHosts."${shareFqdn}" = { useACMEHost = "lava.moe"; forceSSL = true; + locations."/".return = "404"; locations."/share/".proxyPass = "http://[${client}]:4533"; }; From d3ab0012225fc21f2ee877c76a0d125283c7ee14 Mon Sep 17 00:00:00 2001 
From: Cilly Leang Date: Wed, 18 Mar 2026 01:52:34 +1100 Subject: [PATCH 066/178] containers/fluorite: init --- containers/fluorite/configuration.nix | 16 +++++++ containers/fluorite/flake.lock | 27 ++++++++++++ containers/fluorite/flake.nix | 62 +++++++++++++++++++++++++++ flake.lock | 47 ++++++++++++++++---- flake.nix | 1 + 5 files changed, 145 insertions(+), 8 deletions(-) create mode 100644 containers/fluorite/configuration.nix create mode 100644 containers/fluorite/flake.lock create mode 100644 containers/fluorite/flake.nix
diff --git a/containers/fluorite/configuration.nix b/containers/fluorite/configuration.nix
new file mode 100644
index 0000000..09dd485
--- /dev/null
+++ b/containers/fluorite/configuration.nix
@@ -0,0 +1,16 @@
+{ ... }: {
+ system.stateVersion = "25.11";
+ systemd.tmpfiles.rules = [
+ "d /persist/slskd/Downloads 755 slskd slskd"
+ ];
+ networking.firewall.allowedTCPPorts = [ 5030 50300 ];
+ networking.firewall.allowedUDPPorts = [ 5030 50300 ];
+
+ services.slskd = {
+ enable = true;
+ settings = {
+ directories.downloads = "/persist/slskd/Downloads";
+ shares.downloads = "/binds/shared/";
+ };
+ };
+}
diff --git a/containers/fluorite/flake.lock b/containers/fluorite/flake.lock
new file mode 100644
index 0000000..88ab73f
--- /dev/null
+++ b/containers/fluorite/flake.lock
@@ -0,0 +1,27 @@
+{
+ "nodes": {
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1773282481,
+ "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "nixpkgs": "nixpkgs"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/containers/fluorite/flake.nix b/containers/fluorite/flake.nix
new file mode 100644
index 0000000..a589f7c
--- /dev/null
+++ b/containers/fluorite/flake.nix
@@ -0,0 +1,62 @@
+{
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+ };
+ outputs = { nixpkgs, ... }:
+ let
+ name = "fluorite";
+ fqdn = "fluorite.lava.moe";
+ subnetId = "6";
+
+ subnet = x: "fd0d:1::${subnetId}:${toString x}";
+ host = subnet 1;
+ client = subnet 2;
+
+ subnet4 = x: "10.30.${subnetId}.${toString x}";
+ host4 = subnet4 1;
+ client4 = subnet4 2;
+
+ modules = [
+ ./configuration.nix
+ ];
+ in {
+ nixosConfigurations.container = nixpkgs.lib.nixosSystem {
+ inherit modules;
+ };
+ nixosModule = { ... }: {
+ services.nginx.virtualHosts."${fqdn}" = {
+ useACMEHost = "lava.moe";
+ forceSSL = true;
+ locations."/".proxyPass = "http://[${client}]:5030";
+ listenAddresses = [ "10.0.0.1" "[fd0d::1]" ];
+ };
+
+ systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
+ containers.${name} = {
+ autoStart = true;
+ privateNetwork = true;
+ hostAddress = host4;
+ localAddress = client4;
+ hostAddress6 = host;
+ localAddress6 = client;
+ # privateUsers = "pick";
+ nixpkgs = nixpkgs;
+ ephemeral = true;
+ config = { imports = modules; };
+ specialArgs = { inherit fqdn; };
+
+ bindMounts."persist" = {
+ hostPath = "/persist/containers/${name}";
+ mountPoint = "/persist";
+ isReadOnly = false;
+ };
+ bindMounts."shared" = {
+ hostPath = "/persist/media/music";
+ mountPoint = "/binds/shared";
+ isReadOnly = true;
+ };
+ # flake = "path:" + ./.;
+ };
+ };
+ };
+}
diff --git a/flake.lock b/flake.lock
index 305fddb..2bd4720 100644
--- a/flake.lock
+++ b/flake.lock
@@ -114,6 +114,20 @@
 },
 "parent": []
 },
+ "c-fluorite": {
+ "inputs": {
+ "nixpkgs": "nixpkgs_9"
+ },
+ "locked": {
+ "path": "./containers/fluorite",
+ "type": "path"
+ },
+ "original": {
+ "path": "./containers/fluorite",
+ "type": "path"
+ },
+ "parent": []
+ },
 "catppuccin": {
 "inputs": {
 "nixpkgs": "nixpkgs_5"
@@ -519,7 +533,7 @@ "nix-gaming": { "inputs": { "flake-parts": "flake-parts_2", - "nixpkgs": "nixpkgs_9" + "nixpkgs": "nixpkgs_10" }, "locked": { "lastModified": 1770778188, @@ -603,6 +617,22 @@ } }, "nixpkgs_10": { + "locked": { + "lastModified": 1770537093, + "narHash": "sha256-pF1quXG5wsgtyuPOHcLfYg/ft/QMr8NnX0i6tW2187s=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "fef9403a3e4d31b0a23f0bacebbec52c248fbb51", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_11": { "locked": { "lastModified": 1770562336, "narHash": "sha256-ub1gpAONMFsT/GU2hV6ZWJjur8rJ6kKxdm9IlCT0j84=", @@ -618,7 +648,7 @@ "type": "github" } }, - "nixpkgs_11": { + "nixpkgs_12": { "locked": { "lastModified": 1770019141, "narHash": "sha256-VKS4ZLNx4PNrABoB0L8KUpc1fE7CLpQXQs985tGfaCU=", @@ -748,16 +778,16 @@ }, "nixpkgs_9": { "locked": { - "lastModified": 1770537093, - "narHash": "sha256-pF1quXG5wsgtyuPOHcLfYg/ft/QMr8NnX0i6tW2187s=", + "lastModified": 1773282481, + "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "fef9403a3e4d31b0a23f0bacebbec52c248fbb51", + "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixpkgs-unstable", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } @@ -804,7 +834,7 @@ "pastel": { "inputs": { "flake-utils": "flake-utils_2", - "nixpkgs": "nixpkgs_11", + "nixpkgs": "nixpkgs_12", "pnpm2nix": "pnpm2nix" }, "locked": { @@ -869,6 +899,7 @@ "c-citrine": "c-citrine", "c-diamond": "c-diamond", "c-emerald": "c-emerald", + "c-fluorite": "c-fluorite", "catppuccin": "catppuccin_2", "catppuccin-palette": "catppuccin-palette", "fast-syntax-highlighting": "fast-syntax-highlighting", 
@@ -877,7 +908,7 @@ "neovim-nightly": "neovim-nightly", "nix-gaming": "nix-gaming", "nix-index-database": "nix-index-database", - "nixpkgs": "nixpkgs_10", + "nixpkgs": "nixpkgs_11", "nvim-treesitter": "nvim-treesitter", "pastel": "pastel", "pure": "pure", diff --git a/flake.nix b/flake.nix index 3746d08..8b91291 100644 --- a/flake.nix +++ b/flake.nix @@ -43,6 +43,7 @@ c-citrine.url = "path:./containers/citrine"; c-diamond.url = "path:./containers/diamond"; c-emerald.url = "path:./containers/emerald"; + c-fluorite.url = "path:./containers/fluorite"; }; outputs = { self, agenix, catppuccin, nixpkgs, ... } @ inputs: From 3419ab4b775ddedfc5e7c3255ab930a0e28bf8b0 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 18 Mar 2026 01:55:53 +1100 Subject: [PATCH 067/178] containers/fluorite: set domain to null --- containers/fluorite/configuration.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/containers/fluorite/configuration.nix b/containers/fluorite/configuration.nix index 09dd485..3bfa0a6 100644 --- a/containers/fluorite/configuration.nix +++ b/containers/fluorite/configuration.nix @@ -8,6 +8,7 @@ services.slskd = { enable = true; + domain = null; settings = { directories.downloads = "/persist/slskd/Downloads"; shares.downloads = "/binds/shared/"; From dd076fab3c7f6ced8ec508f42e01541ff22c317b Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 18 Mar 2026 02:09:54 +1100 Subject: [PATCH 068/178] containers/fluorite: setup env file --- containers/fluorite/configuration.nix | 1 + containers/fluorite/flake.nix | 7 ++++++- hosts/anemone/default.nix | 1 + secrets.nix | 1 + secrets/slskd_env.age | Bin 0 -> 538 bytes 5 files changed, 9 insertions(+), 1 deletion(-) create mode 100644 secrets/slskd_env.age diff --git a/containers/fluorite/configuration.nix b/containers/fluorite/configuration.nix index 3bfa0a6..1163397 100644 --- a/containers/fluorite/configuration.nix +++ b/containers/fluorite/configuration.nix 
@@ -9,6 +9,7 @@
 services.slskd = {
 enable = true;
 domain = null;
+ environmentFile = "/binds/slskd_env";
 settings = {
 directories.downloads = "/persist/slskd/Downloads";
 shares.downloads = "/binds/shared/";
diff --git a/containers/fluorite/flake.nix b/containers/fluorite/flake.nix
index a589f7c..b6cdd49 100644
--- a/containers/fluorite/flake.nix
+++ b/containers/fluorite/flake.nix
@@ -23,7 +23,7 @@
 nixosConfigurations.container = nixpkgs.lib.nixosSystem {
 inherit modules;
 };
- nixosModule = { ... }: {
+ nixosModule = { config, ... }: {
 services.nginx.virtualHosts."${fqdn}" = {
 useACMEHost = "lava.moe";
 forceSSL = true;
@@ -55,6 +55,11 @@
 mountPoint = "/binds/shared";
 isReadOnly = true;
 };
+ bindMounts."slskd_env" = {
+ hostPath = config.age.secrets.slskd_env.path;
+ mountPoint = "/binds/slskd_env";
+ isReadOnly = true;
+ };
 # flake = "path:" + ./.;
 };
 };
diff --git a/hosts/anemone/default.nix b/hosts/anemone/default.nix
index aa4c81b..858a33b 100644
--- a/hosts/anemone/default.nix
+++ b/hosts/anemone/default.nix
@@ -5,6 +5,7 @@
 nixpkgs.overlays = [ inputs.neovim-nightly.overlays.default ];
 age.secrets = {
+ slskd_env.file = ../../secrets/slskd_env.age;
 wg_anemone.file = ../../secrets/wg_anemone.age;
 passwd.file = ../../secrets/passwd.age;
 };
diff --git a/secrets.nix b/secrets.nix
index 4fc6c4a..bab8c08 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -10,6 +10,7 @@ in {
 "secrets/wpa_conf.age".publicKeys = [ blossom rin ];
 "secrets/acme_dns.age".publicKeys = [ dandelion hazel rin ];
+ "secrets/slskd_env.age".publicKeys = [ anemone dandelion rin ];
 "secrets/warden_admin.age".publicKeys = [ rin ];
 "secrets/wg_anemone.age".publicKeys = [ anemone rin ];
 "secrets/wg_dandelion.age".publicKeys = [ dandelion rin ];
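Review bot: `"secrets/slskd_env.age".publicKeys = [ anemone dandelion rin ];` lets two hosts decrypt a secret that only anemone declares in this patch (the hosts/anemone/default.nix hunk above); keeping the recipient list to the host that actually runs the container is the least-privilege default for agenix, and if the container later moves hosts the list should move with it rather than grow. The navidrome_env entry added to secrets.nix later in this series has the same shape. Separately, `mountPoint = "/binds/slskd_env"` in the flake and `environmentFile = "/binds/slskd_env"` in configuration.nix are one literal written twice; the flake already hands `fqdn` to the container via `specialArgs`, so passing the path the same way keeps the mount and its consumer from drifting apart, and the emerald navidrome_env pair later in the series would benefit from the same treatment.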
diff --git a/secrets/slskd_env.age b/secrets/slskd_env.age new file mode 100644 index 0000000000000000000000000000000000000000..f0cb208351ddb960afc68d46a8c5485f4f9fb93e GIT binary patch literal 538 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCU7&!`M8aa8cCEYJ4v zEy~GtHp&Z2cdV*1k1{PyE;sNhPD;#AF)k>|EO0I}PE9S#%je2=^9v0LsdUTB3Meru ziOMOe(hm(wHqXi{C^RrEh|CnDafrbHBiCVt)SR2&o|1_Cnu?_ zsLU)--yT^*gM3y z$|caUs5CLxC@9b`%fd8A-@+icBpcnfP)oOnoOFe#U<*r&2!kXygOqZYpipD82&d9i z14m=$%p~n{Z{P3`zluYzp!=Q};2x-V2$`Z;UxCR=MT81`M|xK*;lq<+rF@+n6@9y|WL`I?W*v$De0 z1^qlv>J!yZFMhN}Y^zS(ty5NKkH?9MPnogb_~fNmw<7;c+55$zXUg}xWubi&U$=)9 F0|2Y6#d-h$ literal 0 HcmV?d00001 From 4932dad23f3f627f127796630d33354b00745b75 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 18 Mar 2026 02:12:41 +1100 Subject: [PATCH 069/178] containers/fluorite: ensure music folder exists --- containers/fluorite/flake.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/containers/fluorite/flake.nix b/containers/fluorite/flake.nix index b6cdd49..6a0116b 100644 --- a/containers/fluorite/flake.nix +++ b/containers/fluorite/flake.nix @@ -31,7 +31,10 @@ listenAddresses = [ "10.0.0.1" "[fd0d::1]" ]; }; - systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ]; + systemd.tmpfiles.rules = [ + "d /persist/containers/${name} 755 root users" + "d /persist/media/music 075 nobody users" + ]; containers.${name} = { autoStart = true; privateNetwork = true; From 215e017cd3d8da92887cb467cc98d62aacf87037 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 18 Mar 2026 02:20:08 +1100 Subject: [PATCH 070/178] containers/fluorite: use correct share directory config name oops tehee --- containers/fluorite/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/containers/fluorite/configuration.nix b/containers/fluorite/configuration.nix index 1163397..14e39ff 100644 --- a/containers/fluorite/configuration.nix +++ b/containers/fluorite/configuration.nix 
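Review bot: `"d /persist/media/music 075 nobody users"` gives the owner no permission bits at all and leaves the directory world-readable (octal 075 is `---rwxr-x`); next to the `755` rule on the line above it reads like a typo for `775`. If the intent really is that only the `users` group can populate the library, a comment saying so would help, since this path is what the fluorite flake bind-mounts read-only as its Soulseek share.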
@@ -12,7 +12,7 @@
 environmentFile = "/binds/slskd_env";
 settings = {
 directories.downloads = "/persist/slskd/Downloads";
- shares.downloads = "/binds/shared/";
+ shares.directories = [ "/binds/shared/" ];
 };
 };
 }
From b3ffc41b76a0dc7faf6915666c2815b296e7dc97 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 18 Mar 2026 02:25:27 +1100 Subject: [PATCH 071/178] containers/fluorite: provide internet access --- containers/fluorite/flake.nix | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/containers/fluorite/flake.nix b/containers/fluorite/flake.nix
index 6a0116b..2fac909 100644
--- a/containers/fluorite/flake.nix
+++ b/containers/fluorite/flake.nix
@@ -24,6 +24,12 @@
 inherit modules;
 };
 nixosModule = { config, ... }: {
+ networking.nat = {
+ enable = true;
+ enableIPv6 = true;
+ internalInterfaces = [ "ve-${name}" ];
+ };
+
 services.nginx.virtualHosts."${fqdn}" = {
 useACMEHost = "lava.moe";
 forceSSL = true;
From 48db46051dcf37dc49012dfb977d8ed7b468ac79 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 18 Mar 2026 02:59:12 +1100 Subject: [PATCH 072/178] containers/emerald: enable ipv4 and provide internet access --- containers/emerald/flake.nix | 12 ++++++++++++ 1 file changed, 12 insertions(+)
diff --git a/containers/emerald/flake.nix b/containers/emerald/flake.nix
index 276dba4..d8578fc 100644
--- a/containers/emerald/flake.nix
+++ b/containers/emerald/flake.nix
@@ -13,6 +13,10 @@
 host = subnet 1;
 client = subnet 2;
+ subnet4 = x: "10.30.${subnetId}.${toString x}";
+ host4 = subnet4 1;
+ client4 = subnet4 2;
+
 modules = [
 ./configuration.nix
 ];
@@ -21,6 +25,12 @@
 inherit modules;
 };
 nixosModule = { ... }: {
+ networking.nat = {
+ enable = true;
+ enableIPv6 = true;
+ internalInterfaces = [ "ve-${name}" ];
+ };
+
 services.nginx.virtualHosts."${fqdn}" = {
 useACMEHost = "lava.moe";
 forceSSL = true;
@@ -38,6 +48,8 @@ containers.${name} = { autoStart = true; privateNetwork = true; + hostAddress = host4; + localAddress = client4; hostAddress6 = host; localAddress6 = client; # privateUsers = "pick"; From 7d479007d99fb7b790e52158d1d07f7bb43c7e0f Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 18 Mar 2026 03:08:18 +1100 Subject: [PATCH 073/178] containers/emerald: add navidrome env for lastfm and spotify --- containers/emerald/configuration.nix | 1 + containers/emerald/flake.nix | 7 ++++++- hosts/dandelion/default.nix | 1 + secrets.nix | 1 + secrets/navidrome_env.age | Bin 0 -> 630 bytes 5 files changed, 9 insertions(+), 1 deletion(-) create mode 100644 secrets/navidrome_env.age diff --git a/containers/emerald/configuration.nix b/containers/emerald/configuration.nix index 68b06fa..e3f8c57 100644 --- a/containers/emerald/configuration.nix +++ b/containers/emerald/configuration.nix @@ -9,6 +9,7 @@ services.navidrome = { enable = true; + environmentFile = "/binds/navidrome_env"; settings = { Port = 4533; Address = "[::]"; diff --git a/containers/emerald/flake.nix b/containers/emerald/flake.nix index d8578fc..80f6dac 100644 --- a/containers/emerald/flake.nix +++ b/containers/emerald/flake.nix @@ -24,7 +24,7 @@ nixosConfigurations.container = nixpkgs.lib.nixosSystem { inherit modules; }; - nixosModule = { ... }: { + nixosModule = { config, ... }: { networking.nat = { enable = true; enableIPv6 = true; @@ -63,6 +63,11 @@ mountPoint = "/persist"; isReadOnly = false; }; + bindMounts."navidrome_env" = { + hostPath = config.age.secrets.navidrome_env.path; + mountPoint = "/binds/navidrome_env"; + isReadOnly = true; + }; # flake = "path:" + ./.; }; }; diff --git a/hosts/dandelion/default.nix b/hosts/dandelion/default.nix index 5174cc7..58a0b80 100644 --- a/hosts/dandelion/default.nix +++ b/hosts/dandelion/default.nix 
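Review bot: `bindMounts."navidrome_env"` hands `config.age.secrets.navidrome_env.path` into the container read-only, which is the right direction, but it silently relies on container root being host root: agenix decrypts to a root-owned `0400` file by default, and the container's navidrome unit reads it as its `environmentFile`, which only works while `privateUsers` stays commented out (the `# privateUsers = "pick";` context is visible in the earlier emerald hunk on this line). A comment such as `# root-owned agenix secret; readable inside the container only because privateUsers is off` would keep a future `privateUsers` change from breaking the service without an obvious cause. The `containers.${name}` attribute set continues outside the hunk.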
@@ -5,6 +5,7 @@ age.secrets = { acme_dns.file = ../../secrets/acme_dns.age; + navidrome_env.file = ../../secrets/navidrome_env.age; wg_dandelion.file = ../../secrets/wg_dandelion.age; }; diff --git a/secrets.nix b/secrets.nix index bab8c08..b2d0d0e 100644 --- a/secrets.nix +++ b/secrets.nix @@ -10,6 +10,7 @@ in { "secrets/wpa_conf.age".publicKeys = [ blossom rin ]; "secrets/acme_dns.age".publicKeys = [ dandelion hazel rin ]; + "secrets/navidrome_env.age".publicKeys = [ anemone dandelion rin ]; "secrets/slskd_env.age".publicKeys = [ anemone dandelion rin ]; "secrets/warden_admin.age".publicKeys = [ rin ]; "secrets/wg_anemone.age".publicKeys = [ anemone rin ]; diff --git a/secrets/navidrome_env.age b/secrets/navidrome_env.age new file mode 100644 index 0000000000000000000000000000000000000000..6cb705c5d12523d7e403ecd2736ad062cc9756fe GIT binary patch literal 630 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCU7&!`M8aa0KO_ASdR zFLTZ>%y$h5$PW$)&5rUbP7e*q4smZDafrbHBiAa)H6IN(b3VUqQE8D zJu+M@Qje`NQ>}_d=syJ?5%V2Uq65L z+%<;phGojs^_|)w>B1*=GYG5O{FhSYc|85sgEfVx`CMb&g!c#RihTWeN3K4PDX&4q z$6eR<-+OGC7ZG|QH2?J9KlYb2+YK(Ioc^_-jfBY|AI7{w~uH)nq>3`2e+Ahq{p0N0X#+Kysg;R~<+l4#%FEQmc ypShYQ9`#3<#qYo0^Z5PR3}2s1-?BZQ`hJCU{jaarEM`=4rt5r7N!FRuR0RN&X85cC literal 0 HcmV?d00001 From 465ec6f2fc6fa970247ca0877e448299c51a7a99 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 18 Mar 2026 03:10:34 +1100 Subject: [PATCH 074/178] hosts/dandelion: add fluorite --- hosts/anemone/default.nix | 1 - hosts/dandelion/default.nix | 2 ++ 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/hosts/anemone/default.nix b/hosts/anemone/default.nix index 858a33b..aa4c81b 100644 --- a/hosts/anemone/default.nix +++ b/hosts/anemone/default.nix @@ -5,7 +5,6 @@ nixpkgs.overlays = [ inputs.neovim-nightly.overlays.default ]; age.secrets = { - slskd_env.file = ../../secrets/slskd_env.age; wg_anemone.file = ../../secrets/wg_anemone.age; passwd.file = ../../secrets/passwd.age; }; 
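Review bot: In the secrets.nix hunk `"secrets/navidrome_env.age".publicKeys = [ anemone dandelion rin ]` encrypts the new secret to `anemone`, yet the only consumer this series declares is `hosts/dandelion/default.nix`; encrypting to a host that never reads the secret extends that host key's blast radius for no benefit, so `[ dandelion rin ]` is the least-privilege set. The same applies to `slskd_env.age` once the `hosts/anemone/default.nix` hunk on this line drops `age.secrets.slskd_env`: its `publicKeys` line (visible as context) still lists `anemone`. Both entries want trimming and the files re-keyed (`agenix --rekey`) so the old recipient key no longer opens them.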
diff --git a/hosts/dandelion/default.nix b/hosts/dandelion/default.nix index 58a0b80..92e53be 100644 --- a/hosts/dandelion/default.nix +++ b/hosts/dandelion/default.nix @@ -6,6 +6,7 @@ age.secrets = { acme_dns.file = ../../secrets/acme_dns.age; navidrome_env.file = ../../secrets/navidrome_env.age; + slskd_env.file = ../../secrets/slskd_env.age; wg_dandelion.file = ../../secrets/wg_dandelion.age; }; @@ -30,6 +31,7 @@ inputs.c-citrine.nixosModule inputs.c-diamond.nixosModule inputs.c-emerald.nixosModule + inputs.c-fluorite.nixosModule ./filesystem.nix ./kernel.nix From ecdd594a1bd30357c79f4402429be70d618c8d0f Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 18 Mar 2026 03:14:59 +1100 Subject: [PATCH 075/178] containers/{emerald,fluorite}: fix dns --- containers/emerald/flake.nix | 4 ++++ containers/fluorite/flake.nix | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/containers/emerald/flake.nix b/containers/emerald/flake.nix index 80f6dac..2b3b483 100644 --- a/containers/emerald/flake.nix +++ b/containers/emerald/flake.nix @@ -19,6 +19,10 @@ modules = [ ./configuration.nix + { + networking.useHostResolvConf = false; + networking.nameservers = [ host ]; + } ]; in { nixosConfigurations.container = nixpkgs.lib.nixosSystem { diff --git a/containers/fluorite/flake.nix b/containers/fluorite/flake.nix index 2fac909..3205815 100644 --- a/containers/fluorite/flake.nix +++ b/containers/fluorite/flake.nix @@ -18,6 +18,10 @@ modules = [ ./configuration.nix + { + networking.useHostResolvConf = false; + networking.nameservers = [ host ]; + } ]; in { nixosConfigurations.container = nixpkgs.lib.nixosSystem { From de7402576dd10317d34fd54c84b54d566b543de9 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 18 Mar 2026 03:25:06 +1100 Subject: [PATCH 076/178] secrets/slskd_env: update --- secrets/slskd_env.age | Bin 538 -> 534 bytes 1 file changed, 0 insertions(+), 0 deletions(-) 
diff --git a/secrets/slskd_env.age b/secrets/slskd_env.age index f0cb208351ddb960afc68d46a8c5485f4f9fb93e..6c4a42e51010cb8559104ccba60a246deaa160cf 100644 GIT binary patch delta 481 zcmbQmGL2<|PJL*ZXJS}!NP)Shd6i$FMTNh!Q2N`muW;fmxZ~ffq7Y~xu?5{d#ImtzP3STL1?O}bC79TzGb+1xvy!8cDb)tQIL=8 z#E;_jAyNKe;Ra!OC8=&H$=<2ng%y?Ajy_ds+C~;-S;e8H&d%W>1!Z}uej&bGo(4{Z zB?j&WZn*)T$vN77>1HWzd1i)A;X&!Xp~2?4emUNesqXGZX2JPfy1KdwCFzNVuC77l zRmPFYhHjQ#C7CV;`jLr|X4(10ZXTf_mD%p~j+L3^W|5BhT!jy{gtjw3_dY+x>FfKp zSKGtF&t6=3E3Rkb6NMSm+7IkoI9nvbbMrN~>C+n4ZatT&E0kjD;pf@6RbDr&E=DDD zw#o|e=g#voD{s6os`Y5q*Wdl_hqT+5os4^xZ~t0i&>VMSTH^1nN&M>4u0}`nZ!Qtt cSJlHcD^cM7s#D6nkLU6}*cR-0Q|8uV0Q0r8j{pDw delta 485 zcmbQnGK*z`PQ6!UdA5gdQBJP2QC?WOV^x)Tlxb;lxq(-4Qeu9JaY0dLfpeL0YHC?t zK3BGzUuZ~3rCVNBK#5UFR8CQqerQ;-c~)LQp@CsRlzwhdrHP+oj(M4sg9;bez}&~Nq+t&k$EP8X3iE|y1Kdwg^7M9E}7nG zfjRj>1^zCsm7bw#mKKi1Ste;t#-?R~8K%bdky+lBZpFEtT>9bOIdf+Rr?5`*+I=hi z&QxVqn=`Ye^)G68rG0aqmoC%vu4!&!*g4_ko95L)jV{i2dO~$ysIK&L*5FOH)?hH~ zyUKB^WQR%poR8&Gj($9L{CV>=AD3rkg{=$vd7jiKs-Ir`XpPubow!@4tj->f6BVB_ gW54mqOCqmsMgEzx_lrZ%l<#-TLi;AZZVxL40FvLfSO5S3 From 5eef477e0b6230e0a2b7977ab245ac78fb1d7bef Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 18 Mar 2026 03:43:35 +1100 Subject: [PATCH 077/178] containers/fluorite: forward ports --- containers/fluorite/flake.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/containers/fluorite/flake.nix b/containers/fluorite/flake.nix index 3205815..7acbc55 100644 --- a/containers/fluorite/flake.nix +++ b/containers/fluorite/flake.nix @@ -33,6 +33,7 @@ enableIPv6 = true; internalInterfaces = [ "ve-${name}" ]; }; + networking.firewall.allowedTCPPorts = [ 50300 ]; services.nginx.virtualHosts."${fqdn}" = { useACMEHost = "lava.moe"; @@ -58,6 +59,14 @@ config = { imports = modules; }; specialArgs = { inherit fqdn; }; + forwardPorts = [ + { + containerPort = 50300; + hostPort = 50300; + protocol = "tcp"; + } + ]; + bindMounts."persist" = { hostPath = "/persist/containers/${name}"; mountPoint = "/persist"; 
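Review bot: The new `forwardPorts` entry and the host-side `networking.firewall.allowedTCPPorts = [ 50300 ]` agree on TCP, but nothing records why 50300 is opened on every host interface; a line like `# Soulseek listen port, forwarded into the container via forwardPorts below` would help the next reader. As far as I know the nspawn port mapping behind `forwardPorts` rewrites IPv4 only, so despite `enableIPv6 = true` in the same hunk, peers arriving over v6 will not reach the container's v6 address without a separate IPv6 DNAT rule; worth confirming against how the host is actually reachable. Both the `nixosModule` function and the `containers.${name}` set extend past the hunk.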
From 3381630a7ad9098f700e75a9805c96d945275886 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 18 Mar 2026 03:45:26 +1100 Subject: [PATCH 078/178] containers/emerald: bind music media dir --- containers/emerald/configuration.nix | 3 +-- containers/emerald/flake.nix | 5 +++++ 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/containers/emerald/configuration.nix b/containers/emerald/configuration.nix index e3f8c57..f69a4c6 100644 --- a/containers/emerald/configuration.nix +++ b/containers/emerald/configuration.nix @@ -1,7 +1,6 @@ { fqdn, shareFqdn, ... }: { system.stateVersion = "25.11"; systemd.tmpfiles.rules = [ - "d /persist/music 755 navidrome navidrome" "d /persist/navidrome 755 navidrome navidrome" ]; networking.firewall.allowedTCPPorts = [ 4533 ]; @@ -17,7 +16,7 @@ ShareURL = "https://${shareFqdn}"; EnableSharing = true; DataFolder = "/persist/navidrome"; - MusicFolder = "/persist/music"; + MusicFolder = "/binds/music"; }; }; } diff --git a/containers/emerald/flake.nix b/containers/emerald/flake.nix index 2b3b483..5ecf768 100644 --- a/containers/emerald/flake.nix +++ b/containers/emerald/flake.nix @@ -67,6 +67,11 @@ mountPoint = "/persist"; isReadOnly = false; }; + bindMounts."music" = { + hostPath = "/persist/media/music"; + mountPoint = "/binds/music"; + isReadOnly = true; + }; bindMounts."navidrome_env" = { hostPath = config.age.secrets.navidrome_env.path; mountPoint = "/binds/navidrome_env"; From 3a612d3e90279c75e214806febc56897c88e6b27 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 18 Mar 2026 20:11:21 +1100 Subject: [PATCH 079/178] containers/diamond: remove stray templates --- .../templates/base/footer_content.tmpl | 31 ------------------- containers/diamond/templates/home.tmpl | 19 ------------ 2 files changed, 50 deletions(-) delete mode 100644 containers/diamond/templates/base/footer_content.tmpl delete mode 100644 containers/diamond/templates/home.tmpl 
diff --git a/containers/diamond/templates/base/footer_content.tmpl b/containers/diamond/templates/base/footer_content.tmpl deleted file mode 100644 index a9238c3..0000000 --- a/containers/diamond/templates/base/footer_content.tmpl +++ /dev/null @@ -1,31 +0,0 @@ -
- - -
diff --git a/containers/diamond/templates/home.tmpl b/containers/diamond/templates/home.tmpl deleted file mode 100644 index d460caf..0000000 --- a/containers/diamond/templates/home.tmpl +++ /dev/null @@ -1,19 +0,0 @@ -{{template "base/head" .}} -{{if not .IsSigned}} - -{{end}} -
-
-
- -
-

- {{AppDisplayName}} -

-

{{ctx.Locale.Tr "startpage.app_desc"}}

-
-
-
- {{template "home_forgejo" .}} -
-{{template "base/footer" .}} From c9c6ef4a167af9c120a0f185c2e22412aeb35c09 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 18 Mar 2026 20:21:33 +1100 Subject: [PATCH 080/178] rin/packages: add feishin --- users/rin/packages.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/users/rin/packages.nix b/users/rin/packages.nix index 77e8a2e..93608e1 100644 --- a/users/rin/packages.nix +++ b/users/rin/packages.nix @@ -31,6 +31,7 @@ in { evince eww feh + feishin file-roller gamescope gimp3 From 3e56c780dd7b1524790aaee961012b6161caf71a Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 18 Mar 2026 20:43:04 +1100 Subject: [PATCH 081/178] services/website: redirect cdn.lava.moe to sh.lava.moe --- modules/services/website.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/modules/services/website.nix b/modules/services/website.nix index 2ef679b..3fba609 100644 --- a/modules/services/website.nix +++ b/modules/services/website.nix @@ -18,6 +18,13 @@ in { root = inputs.website.outPath; }; "cdn.lava.moe" = { + useACMEHost = "lava.moe"; + forceSSL = true; + extraConfig = '' + return 301 https://sh.lava.moe$request_uri; + ''; + }; + "sh.lava.moe" = { useACMEHost = "lava.moe"; forceSSL = true; root = "/persist/cdn"; From 36a161d1df1f5ea914a338f4cc3375272e10f59a Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 18 Mar 2026 21:39:02 +1100 Subject: [PATCH 082/178] containers/fluorite: store all data --- containers/fluorite/configuration.nix | 8 ++++++-- containers/fluorite/flake.nix | 4 ++-- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/containers/fluorite/configuration.nix b/containers/fluorite/configuration.nix index 14e39ff..9fcb5f5 100644 --- a/containers/fluorite/configuration.nix +++ b/containers/fluorite/configuration.nix 
@@ -3,6 +3,11 @@
systemd.tmpfiles.rules = [
"d /persist/slskd/Downloads 755 slskd slskd"
];
+ fileSystems."/var/lib/slskd" = {
+ device = "/persist/slskd";
+ fsType = "none";
+ options = [ "bind" ];
+ };
networking.firewall.allowedTCPPorts = [ 5030 50300 ];
networking.firewall.allowedUDPPorts = [ 5030 50300 ];
@@ -11,8 +16,7 @@
domain = null;
environmentFile = "/binds/slskd_env";
settings = {
- directories.downloads = "/persist/slskd/Downloads";
- shares.directories = [ "/binds/shared/" ];
+ shares.directories = [ "/binds/music/" ];
};
};
}
diff --git a/containers/fluorite/flake.nix b/containers/fluorite/flake.nix
index 7acbc55..c49e63b 100644
--- a/containers/fluorite/flake.nix
+++ b/containers/fluorite/flake.nix
@@ -72,9 +72,9 @@
mountPoint = "/persist";
isReadOnly = false;
};
- bindMounts."shared" = {
+ bindMounts."music" = {
hostPath = "/persist/media/music";
- mountPoint = "/binds/shared";
+ mountPoint = "/binds/music";
isReadOnly = true;
};
bindMounts."slskd_env" = {
From 6c7393228e842cd24d7df8e1ab5695e305a5a24c Mon Sep 17 00:00:00 2001
From: Cilly Leang
Date: Wed, 18 Mar 2026 21:54:43 +1100
Subject: [PATCH 083/178] containers/fluorite: add description and picture
---
containers/fluorite/configuration.nix | 2 ++
1 file changed, 2 insertions(+)
diff --git a/containers/fluorite/configuration.nix b/containers/fluorite/configuration.nix
index 9fcb5f5..f1acc93 100644
--- a/containers/fluorite/configuration.nix
+++ b/containers/fluorite/configuration.nix
@@ -17,6 +17,8 @@
environmentFile = "/binds/slskd_env";
settings = {
shares.directories = [ "/binds/music/" ];
+ soulseek.description = "🌸 | sv.sl@lava.moe | slskd";
+ soulseek.picture = "/var/lib/slskd/picture.gif";
};
};
}
From b06c78285004660477f17f18f3f9e8ade41939f3 Mon Sep 17 00:00:00 2001
From: Cilly Leang
Date: Wed, 18 Mar 2026 22:08:23 +1100
Subject: [PATCH 084/178] containers/fluorite: use png picture
---
containers/fluorite/configuration.nix | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
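Review bot: The tmpfiles rule `"d /persist/slskd/Downloads 755 slskd slskd"` is left orphaned by this change: `directories.downloads = "/persist/slskd/Downloads"` is removed, so slskd presumably falls back to its default download location under its app directory (now `/var/lib/slskd`, i.e. the new bind onto `/persist/slskd`), and the capital-D directory is created but never used. Either keep `directories.downloads` pointing at it or drop the rule. Separately, the `fileSystems."/var/lib/slskd"` bind relies on `/persist/slskd` already existing with slskd ownership; the only thing visible that creates it is tmpfiles making it as a parent of `Downloads`, which I believe yields a root-owned directory, so a `"d /persist/slskd 750 slskd slskd"` rule ahead of the `Downloads` one would make the ownership explicit, unless the service's state-directory handling is known to fix it up.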
diff --git a/containers/fluorite/configuration.nix b/containers/fluorite/configuration.nix index f1acc93..2dce952 100644 --- a/containers/fluorite/configuration.nix +++ b/containers/fluorite/configuration.nix @@ -18,7 +18,7 @@ settings = { shares.directories = [ "/binds/music/" ]; soulseek.description = "🌸 | sv.sl@lava.moe | slskd"; - soulseek.picture = "/var/lib/slskd/picture.gif"; + soulseek.picture = "/var/lib/slskd/picture.png"; }; }; } From 2d15fb3a5e216e8787ce5252591de959ee938ff4 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 18 Mar 2026 22:09:04 +1100 Subject: [PATCH 085/178] containers/fluorite: use jpg picture --- containers/fluorite/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/containers/fluorite/configuration.nix b/containers/fluorite/configuration.nix index 2dce952..c83eb25 100644 --- a/containers/fluorite/configuration.nix +++ b/containers/fluorite/configuration.nix @@ -18,7 +18,7 @@ settings = { shares.directories = [ "/binds/music/" ]; soulseek.description = "🌸 | sv.sl@lava.moe | slskd"; - soulseek.picture = "/var/lib/slskd/picture.png"; + soulseek.picture = "/var/lib/slskd/picture.jpg"; }; }; } From f8312bc6f26c5f17094c202d7782c730b8fb74bf Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Thu, 19 Mar 2026 20:42:32 +1100 Subject: [PATCH 086/178] user/neovim-minimal: fix treesitter errors --- res/config-minimal.lua | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/res/config-minimal.lua b/res/config-minimal.lua index f941c9e..c2d3f06 100644 --- a/res/config-minimal.lua +++ b/res/config-minimal.lua @@ -1,5 +1,5 @@ -- Keybindings -local map = vim.api.nvim_set_keymap +local map = vim.keymap.set map('n', '', 'h', { noremap = true }) map('n', '', 'j', { noremap = true }) map('n', '', 'k', { noremap = true }) 
@@ -18,6 +18,7 @@ vim.opt.number = true vim.opt.cursorline = true vim.opt.signcolumn = "yes:3" vim.opt.title = true +vim.opt.termguicolors = true vim.opt.updatetime = 0 vim.opt.clipboard:prepend('unnamedplus') @@ -47,7 +48,7 @@ vim.g.signify_sign_change = vim.g.signify_sign_add vim.g.signify_sign_change_delete = vim.g.signify_sign_delete -- Plugins -require('nvim-treesitter.configs').setup { +require('nvim-treesitter').setup { highlight = { enable = true }, indent = { enable = false } } From d8c016e933fd885bac2295c69200c5caf3b41231 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Mon, 23 Mar 2026 02:38:48 +1100 Subject: [PATCH 087/178] containers/fluorite: move desc and pic to secrets --- containers/fluorite/configuration.nix | 2 -- secrets/slskd_env.age | Bin 534 -> 853 bytes 2 files changed, 2 deletions(-) diff --git a/containers/fluorite/configuration.nix b/containers/fluorite/configuration.nix index c83eb25..9fcb5f5 100644 --- a/containers/fluorite/configuration.nix +++ b/containers/fluorite/configuration.nix @@ -17,8 +17,6 @@ environmentFile = "/binds/slskd_env"; settings = { shares.directories = [ "/binds/music/" ]; - soulseek.description = "🌸 | sv.sl@lava.moe | slskd"; - soulseek.picture = "/var/lib/slskd/picture.jpg"; }; }; } 
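Review bot: `require('nvim-treesitter').setup { highlight = ..., indent = ... }` most likely silences the error without restoring highlighting: the `nvim-treesitter.configs` module goes missing exactly when the installed plugin is the rewritten main branch, and that version's `setup()` only takes install options and ignores `highlight`/`indent`. If that is the version in use, highlighting has to be started per buffer instead, e.g. `vim.api.nvim_create_autocmd('FileType', { callback = function(ev) pcall(vim.treesitter.start, ev.buf) end })`, and the `indent` entry goes away with it. Worth confirming against the locked nvim-treesitter revision before relying on this config.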
diff --git a/secrets/slskd_env.age b/secrets/slskd_env.age index 6c4a42e51010cb8559104ccba60a246deaa160cf..7515e1fe0856de4165a345ca9d18941d86466845 100644 GIT binary patch delta 802 zcmbQna+Pg@PJND%L5jOig-c~px{0@;V|YY?V}5y5QbBl`n@ggzv9o!pQF?}VXljaa zK3BeLNo8(9Ns(Kmd1|nKgr9#|dAMVuM@ou^sdi#iieF(^ikYida+E`9R#m=5#KEX-pAudT~*{)uZ83rj%rC9+crtSt@y1KdwJ}DJ>ffgP~ z-emzksh){d5#iYtX(ap9V`X;r?>Wvg`-oiQ*JPCw`&4#&{akq2 zZ}#+WUG?kv?Rms`{`Q}_$#HDEXwi-^?`w9hPq)`F>91^lyIi_`>xFrH*S_X@kharj z%gc$A-ly&<=5kymp44jd`G~j%|G!@K`-UQC^Af}g;@C9#oZeV*KK|kN=%K)7?)P7w ze!R%o*B6j}Aa}yXqe16hT#o#%w(`4Dy>n9WnVOHRRtyGA^_RY{aM+UfhMQr>|edy|_G~?!? zUCrUm+a4{`e80Kr*_`k82OsYe-g4x`Z=v_zPsIbj#ZM4@R`$w7CsD9%Cu<#h=t+O4 zO;*gx8|**Kdmp=!`IqXvz@s2N`muW;fmxZ~ffq7Y~xu?5{d#ImtzP3STL1?O}bC79TzGb+1xvy!8cDb)tQIL=8 z#E;_jAyNKe;Ra!OC8=&H$=<2ng%y?Ajy_ds+C~;-S;e8H&d%W>1!Z}uej&bGo(4{Z zB?j&WZn*)T$vN77>1HWzd1i)A;X&!Xp~2?4emUNesqXGZX2JPfy1KdwCFzNVuC77l zRmPFYhHjQ#C7CV;`jLr|X4(10ZXTf_mD%p~j+L3^W|5BhT!jy{gtjw3_dY+x>FfKp zSKGtF&t6=3E3Rkb6NMSm+7IkoI9nvbbMrN~>C+n4ZatT&E0kjD;pf@6RbDr&E=DDD zw#o|e=g#voD{s6os`Y5q*Wdl_hqT+5os4^xZ~t0i&>VMSTH^1nN&M>4u0}`nZ!Qtt cSJlHcD^cM7s#D6nkLU6}*cR-0Q|8uV0A^pa%m4rY From 9fd117c50ca903589d88595be790b9171b10dfa6 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Fri, 20 Mar 2026 22:08:19 +1100 Subject: [PATCH 088/178] rin/packages: add temurin-25 to prismlauncher --- users/rin/packages.nix | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/users/rin/packages.nix b/users/rin/packages.nix index 93608e1..d29d22b 100644 --- a/users/rin/packages.nix +++ b/users/rin/packages.nix @@ -49,7 +49,12 @@ in { # inputs.nix-gaming.packages.x86_64-linux.wine-osu obsidian pavucontrol - prismlauncher + (prismlauncher.override { + jdks = [ + jdk21 + temurin-bin-25 + ]; + }) qbittorrent rivalcfg screenkey From 576fd7604f5b08c152d0d5960045913a31075400 Mon Sep 17 00:00:00 2001 
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 20 Mar 2026 02:31:02 +0000 Subject: [PATCH 089/178] flake: bump inputs --- flake.lock | 176 ++++++++++++++++++++++++++++++++++++----------------- 1 file changed, 119 insertions(+), 57 deletions(-) diff --git a/flake.lock b/flake.lock index 2bd4720..13fbf66 100644 --- a/flake.lock +++ b/flake.lock @@ -7,11 +7,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1770327417, - "narHash": "sha256-WNS+wDUeqfegOXf5emDRnNs2bPiJ7rhdARo4jyd3+Yw=", + "lastModified": 1772290697, + "narHash": "sha256-MyLNx13P+pv1RszO1rMd3144NEeU/oU4iL+xOTpRoaU=", "owner": "ezKEa", "repo": "aagl-gtk-on-nix", - "rev": "26670347cca9feddb31e075d23b474149d8902e1", + "rev": "dcb53a4cb4cb09ef7f08328428ba559be5b9f01b", "type": "github" }, "original": { @@ -258,11 +258,11 @@ "flake-compat": { "flake": false, "locked": { - "lastModified": 1761588595, - "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=", + "lastModified": 1767039857, + "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=", "owner": "edolstra", "repo": "flake-compat", - "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5", + "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab", "type": "github" }, "original": { @@ -271,6 +271,22 @@ "type": "github" } }, + "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1767039857, + "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=", + "owner": "NixOS", + "repo": "flake-compat", + "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "flake-compat", + "type": "github" + } + }, "flake-parts": { "inputs": { "nixpkgs-lib": [ 
@@ -279,11 +295,11 @@ ] }, "locked": { - "lastModified": 1769996383, - "narHash": "sha256-AnYjnFWgS49RlqX7LrC4uA+sCCDBj0Ry/WOJ5XWAsa0=", + "lastModified": 1772408722, + "narHash": "sha256-rHuJtdcOjK7rAHpHphUb1iCvgkU3GpfvicLMwwnfMT0=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "57928607ea566b5db3ad13af0e57e921e6b12381", + "rev": "f20dc5d9b8027381c474144ecabc9034d6a839a3", "type": "github" }, "original": { @@ -297,11 +313,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1769996383, - "narHash": "sha256-AnYjnFWgS49RlqX7LrC4uA+sCCDBj0Ry/WOJ5XWAsa0=", + "lastModified": 1772408722, + "narHash": "sha256-rHuJtdcOjK7rAHpHphUb1iCvgkU3GpfvicLMwwnfMT0=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "57928607ea566b5db3ad13af0e57e921e6b12381", + "rev": "f20dc5d9b8027381c474144ecabc9034d6a839a3", "type": "github" }, "original": { @@ -364,6 +380,51 @@ "type": "github" } }, + "git-hooks": { + "inputs": { + "flake-compat": "flake-compat_2", + "gitignore": "gitignore", + "nixpkgs": [ + "nix-gaming", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1772893680, + "narHash": "sha256-JDqZMgxUTCq85ObSaFw0HhE+lvdOre1lx9iI6vYyOEs=", + "owner": "cachix", + "repo": "git-hooks.nix", + "rev": "8baab586afc9c9b57645a734c820e4ac0a604af9", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "git-hooks.nix", + "type": "github" + } + }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "nix-gaming", + "git-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ 
@@ -435,11 +496,11 @@ ] }, "locked": { - "lastModified": 1770818644, - "narHash": "sha256-DYS4jIRpRoKOzJjnR/QqEd/MlT4OZZpt8CrBLv+cjsE=", + "lastModified": 1773962693, + "narHash": "sha256-nf9pgktDE4E2TCavUT1vh3Nd/tfKixL1BK6P32Zp3hI=", "owner": "nix-community", "repo": "home-manager", - "rev": "0acbd1180697de56724821184ad2c3e6e7202cd7", + "rev": "9d3c1d636e7b8ab10f357cd9bee653cd400437de", "type": "github" }, "original": { @@ -479,11 +540,11 @@ "linux-tkg": { "flake": false, "locked": { - "lastModified": 1770607339, - "narHash": "sha256-/j7IEdwbaaN4SGKAl5gE3vRdKIdIw8f7RNMrM9Lc28M=", + "lastModified": 1773696903, + "narHash": "sha256-OkKN/5waWcPNqq/9tWsR9q4oxSJeMCyeBl1RQGctq9Q=", "owner": "Frogging-Family", "repo": "linux-tkg", - "rev": "9498fb9bc0c3323d1c291667d8cb16cb2a37bcee", + "rev": "e4eabe3978f0e6ed967e5d969487f9335af8062f", "type": "github" }, "original": { @@ -501,11 +562,11 @@ ] }, "locked": { - "lastModified": 1770857573, - "narHash": "sha256-pSeFA1qRAdivDrrKoybJ1DOcbkXx2v/ExIc6n0DbT4U=", + "lastModified": 1773965157, + "narHash": "sha256-u6Ceko/AQ30asd/P68Y7gD0x3LtsjiPwC31TlwVnsac=", "owner": "nix-community", "repo": "neovim-nightly-overlay", - "rev": "31e79c73c444b2e51eb34f2305792809839c58e8", + "rev": "7e711c5abd3b0ca9c0038606edeee6bcf09b055c", "type": "github" }, "original": { @@ -517,11 +578,11 @@ "neovim-src": { "flake": false, "locked": { - "lastModified": 1770810897, - "narHash": "sha256-6F/Z/UQxalaSoqewSQ4fL8zSws3Vy4wgA5DgyTaeqTo=", + "lastModified": 1773942472, + "narHash": "sha256-VRtGTA4WWgrVrjZg+XrnRgMcbAa0EkYkWV5Wcn76/0g=", "owner": "neovim", "repo": "neovim", - "rev": "6b4ec2264e1d8ba027b85f3883d532c5068be92a", + "rev": "06befe1e348bf540bb04a8c0cafe116616e71715", "type": "github" }, "original": { 
@@ -533,14 +594,15 @@ "nix-gaming": { "inputs": { "flake-parts": "flake-parts_2", + "git-hooks": "git-hooks", "nixpkgs": "nixpkgs_10" }, "locked": { - "lastModified": 1770778188, - "narHash": "sha256-KZHPn3L6veRgRwOyfhaeM5ZTJfpkoY9EICIzUcQn4w8=", + "lastModified": 1773888274, + "narHash": "sha256-PujDYvxi8Hbm/EB706mi+UWRRzoBaAVhpJREH13Gepg=", "owner": "fufexan", "repo": "nix-gaming", - "rev": "59e3b8189047bc591635645d2c682020c13eeac5", + "rev": "6e734655941171e75e64511c7c643f854753f52e", "type": "github" }, "original": { @@ -571,11 +633,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1764242076, - "narHash": "sha256-sKoIWfnijJ0+9e4wRvIgm/HgE27bzwQxcEmo2J/gNpI=", + "lastModified": 1770841267, + "narHash": "sha256-9xejG0KoqsoKEGp2kVbXRlEYtFFcDTHjidiuX8hGO44=", "owner": "nixos", "repo": "nixpkgs", - "rev": "2fad6eac6077f03fe109c4d4eb171cf96791faa4", + "rev": "ec7c70d12ce2fc37cb92aff673dcdca89d187bae", "type": "github" }, "original": { @@ -587,11 +649,11 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1769909678, - "narHash": "sha256-cBEymOf4/o3FD5AZnzC3J9hLbiZ+QDT/KDuyHXVJOpM=", + "lastModified": 1772328832, + "narHash": "sha256-e+/T/pmEkLP6BHhYjx6GmwP5ivonQQn0bJdH9YrRB+Q=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "72716169fe93074c333e8d0173151350670b824c", + "rev": "c185c7a5e5dd8f9add5b2f8ebeff00888b070742", "type": "github" }, "original": { @@ -618,11 +680,11 @@ }, "nixpkgs_10": { "locked": { - "lastModified": 1770537093, - "narHash": "sha256-pF1quXG5wsgtyuPOHcLfYg/ft/QMr8NnX0i6tW2187s=", + "lastModified": 1773507054, + "narHash": "sha256-Q8U5VXgrcxmCxPtCCJCIZkcAX3FCZwGh1GNVIXxMND0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "fef9403a3e4d31b0a23f0bacebbec52c248fbb51", + "rev": "e80236013dc8b77aa49ca90e7a12d86f5d8d64c9", "type": "github" }, "original": { 
@@ -634,11 +696,11 @@ }, "nixpkgs_11": { "locked": { - "lastModified": 1770562336, - "narHash": "sha256-ub1gpAONMFsT/GU2hV6ZWJjur8rJ6kKxdm9IlCT0j84=", + "lastModified": 1773821835, + "narHash": "sha256-TJ3lSQtW0E2JrznGVm8hOQGVpXjJyXY2guAxku2O9A4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d6c71932130818840fc8fe9509cf50be8c64634f", + "rev": "b40629efe5d6ec48dd1efba650c797ddbd39ace0", "type": "github" }, "original": { @@ -818,11 +880,11 @@ "nvim-treesitter": { "flake": false, "locked": { - "lastModified": 1770808440, - "narHash": "sha256-paM9v2DKiHEwN0fTXuX9eY0KwVsB+9Bv6mOX9u/eyAI=", + "lastModified": 1773768003, + "narHash": "sha256-lQMRGqObOxoESWDD8+RSZAKmevVXzHS3IipBthvi3To=", "owner": "nvim-treesitter", "repo": "nvim-treesitter", - "rev": "9f2dad22ef8bb14fd1e0a3aa8859cdc88170668b", + "rev": "2b50ab5ccbcd9e5708deb351308edd738adbf84c", "type": "github" }, "original": { @@ -927,11 +989,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1764470739, - "narHash": "sha256-sa9f81B1dWO16QtgDTWHX8DQbiHKzHndpaunY5EQtwE=", + "lastModified": 1770952264, + "narHash": "sha256-CjymNrJZWBtpavyuTkfPVPaZkwzIzGaf0E/3WgcwM14=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "3bfa664055e1a09c6aedab5533c5fc8d6ca5741a", + "rev": "ec6a3d5cdf14bb5a1dd03652bd3f6351004d2188", "type": "github" }, "original": { @@ -948,11 +1010,11 @@ "systems": "systems_5" }, "locked": { - "lastModified": 1770846656, - "narHash": "sha256-wdYpo8++TqKp3GdRgLFykjuIVW1m9GlUnxID2FG74cE=", + "lastModified": 1773619901, + "narHash": "sha256-Br8CQy4ht+a2OxyzaRwuP5+oIFfoRvCxYgsmdrgid40=", "owner": "Gerg-L", "repo": "spicetify-nix", - "rev": "40e65cfc4608402674e1efaac3fccce20d2a72d3", + "rev": "6f06ff05cd536b790b7662550a10b61a1ac4619e", "type": "github" }, "original": { 
@@ -964,11 +1026,11 @@ "spotify-adblock": { "flake": false, "locked": { - "lastModified": 1739206126, + "lastModified": 1773417310, "narHash": "sha256-nwiX2wCZBKRTNPhmrurWQWISQdxgomdNwcIKG2kSQsE=", "owner": "abba23", "repo": "spotify-adblock", - "rev": "8e0312d6085a6e4f9afeb7c2457517a75e8b8f9d", + "rev": "813d3451c53126bf1941baaf8dd37f1152c3f412", "type": "github" }, "original": { @@ -980,11 +1042,11 @@ "stevenblack-hosts": { "flake": false, "locked": { - "lastModified": 1770244988, - "narHash": "sha256-DT9HK9iYTmXUfjKcTxLRMZOeCLb9CAoFEpBiDpEku3g=", + "lastModified": 1773769816, + "narHash": "sha256-OSN3K2lSag5aA58UmfI1JMvmksuEVwlT7TOeBOsEmX8=", "owner": "StevenBlack", "repo": "hosts", - "rev": "7ea67ed353b27e1dbe36363074d1b6c3ca6be46b", + "rev": "5090055e2d36e9fc5539551656e1d8107a84ad7e", "type": "github" }, "original": { @@ -1120,11 +1182,11 @@ "zsh-abbr": { "flake": false, "locked": { - "lastModified": 1770748719, - "narHash": "sha256-RvdMEk1bQ/mCbcTneg8mMJJh6j60km0/wchBBQQ+Ugo=", + "lastModified": 1773890443, + "narHash": "sha256-SVuwDeHIBg8yArKGzDEfsG3fz0UwABQoJkyKTQAPUiw=", "ref": "refs/heads/main", - "rev": "2de4a08c5e0d9dbe8447e11e0a177b59b5b6d6ea", - "revCount": 1137, + "rev": "889f4772c12b9dbe4965bbd56f2572af0a28fa3b", + "revCount": 1139, "submodules": true, "type": "git", "url": "https://github.com/olets/zsh-abbr" From 2239c1cc6496843c079fdfeeb3624d0b362735ce Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 20 Mar 2026 02:31:05 +0000 Subject: [PATCH 090/178] packages/linux-lava: bump to 6.19.9 --- packages/linux-lava/sources.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/linux-lava/sources.nix b/packages/linux-lava/sources.nix index dc198a6..dd2f171 100644 --- a/packages/linux-lava/sources.nix +++ b/packages/linux-lava/sources.nix 
@@ -1,8 +1,8 @@ { fetchFromGitHub, inputs, lib }: let - version = "6.19"; + version = "6.19.9"; kernelHash = "0mqka8ii7bvmx9hvfjdiyva9ib0j7m390gxhh8gki3qb4nl7jc1h"; - kernelPatchHash = "0w36sxwwhfqpc1if9d52rg0g1k20xjl2cairlyiyk10ns17mjxlb"; + kernelPatchHash = "19pwgvifkadsgfsx3w29mi0ks2vwwk88gw4jsya1gjy0jfk1h6qr"; mm = lib.versions.majorMinor version; hasPatch = (builtins.length (builtins.splitVersion version)) == 3; From d11d080c946853d24f36d9ca832c293d32a5f921 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Fri, 20 Mar 2026 22:43:04 +1100 Subject: [PATCH 091/178] system/packages-gui: move light to brightnessctl in home --- modules/system/packages-gui.nix | 1 - modules/user/hypridle.nix | 12 ++++++------ users/rin/packages.nix | 1 + 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/modules/system/packages-gui.nix b/modules/system/packages-gui.nix index 77eb510..d853c40 100644 --- a/modules/system/packages-gui.nix +++ b/modules/system/packages-gui.nix @@ -10,7 +10,6 @@ libva-vdpau-driver libvdpau-va-gl ]; - programs.light.enable = true; hardware.opentabletdriver.enable = true; hardware.keyboard.qmk.enable = true; programs.steam = { diff --git a/modules/user/hypridle.nix b/modules/user/hypridle.nix index 68203b1..af7af86 100644 --- a/modules/user/hypridle.nix +++ b/modules/user/hypridle.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, ... }: let - kblight = "light -s sysfs/leds/${config.me.kbBacklightDevice}"; + kblight = "brightnessctl -d ${config.me.kbBacklightDevice}"; in { home.packages = [ config.services.hypridle.package ]; 
@@ -16,18 +16,18 @@ in listener = lib.optionals (config.me.kbBacklightDevice != null) [ { timeout = 120; - on-timeout = "${kblight} -O && ${kblight} -S 0"; - on-resume = "${kblight} -I"; + on-timeout = "${kblight} -s && ${kblight} 0"; + on-resume = "${kblight} -r"; } ] ++ [ { timeout = 150; - on-timeout = "light -O && light -T 0.5"; - on-resume = "light -I"; + on-timeout = "brightnessctl -s && brightnessctl 50%-"; + on-resume = "brightnessctl -r"; } { timeout = 180; - on-timeout = "light -I && loginctl lock-session"; + on-timeout = "brightnessctl -r && loginctl lock-session"; } { timeout = 195; diff --git a/users/rin/packages.nix b/users/rin/packages.nix index d29d22b..c2569c7 100644 --- a/users/rin/packages.nix +++ b/users/rin/packages.nix @@ -26,6 +26,7 @@ in { nodePackages_latest.pnpm ] ++ lib.optionals config.me.gui [ android-studio + brightnessctl drawio element-desktop evince From e303fee58d98dcf0056153068d011b42ece25f02 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Mon, 6 Apr 2026 23:16:57 +1000 Subject: [PATCH 092/178] system/wireguard: change port to 51801 --- modules/system/wireguard.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/system/wireguard.nix b/modules/system/wireguard.nix index dbc8938..bdfe900 100644 --- a/modules/system/wireguard.nix +++ b/modules/system/wireguard.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, gcSecrets, ... }: let - port = 123; + port = 51801; serverName = "dandelion"; serverInterface = "enp0s6"; serverIp = gcSecrets.wireguard.gateway; From 087ed1c323b1f26824858e29df96363d0a69e87a Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Sat, 18 Apr 2026 15:10:44 +1000 Subject: [PATCH 093/178] user/neovim: fix logs opening on tex save --- res/config.lua | 1 + 1 file changed, 1 insertion(+) diff --git a/res/config.lua b/res/config.lua index ef10504..5d205d7 100644 --- a/res/config.lua +++ b/res/config.lua 
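Review bot: `on-timeout = "${kblight} -s && ${kblight} 0"` invokes brightnessctl twice, the first time with no operation; unlike `light -O`, which was a standalone save command, brightnessctl's `-s` is a flag that saves state alongside an operation, so `brightnessctl -d ${config.me.kbBacklightDevice} -s set 0` (and `brightnessctl -s set 50%-` in the second listener) states the intent in one call and does not depend on whether a bare `-s` persists anything — worth checking against the installed version. Also, `config.me.kbBacklightDevice` is spliced into a shell string unquoted in the `kblight` binding of the first hunk; wrapping it with `lib.escapeShellArg` keeps an unexpected device name from being parsed as extra arguments. The `listener` list continues past the hunk.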
@@ -51,6 +51,7 @@ vim.g.signify_sign_change_delete = vim.g.signify_sign_delete -- VimTeX vim.g.vimtex_view_method = "zathura" +vim.g.vimtex_quickfix_open_on_warning = 0 -- Theming vim.api.nvim_command("syntax enable") From 27ba1aaede433225bfc9ad429e76c53c6f865860 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Sun, 26 Apr 2026 15:47:39 +1000 Subject: [PATCH 094/178] anemone/networking: switch to iwd --- hosts/anemone/networking.nix | 17 +---------------- 1 file changed, 1 insertion(+), 16 deletions(-) diff --git a/hosts/anemone/networking.nix b/hosts/anemone/networking.nix index 18c0d87..f5a4dc5 100644 --- a/hosts/anemone/networking.nix +++ b/hosts/anemone/networking.nix @@ -1,19 +1,4 @@ { config, ... }: { - networking = { - #nameservers = [ "8.8.8.8" "8.8.4.4" ]; - - #wg-quick.interfaces.wg0.configFile = "/persist/vpn.conf"; - wireless.enableHardening = false; - - networkmanager = { - enable = true; - #dns = "none"; - }; - - extraHosts = '' - 192.168.100.16 hyacinth - ''; - }; - + networking.wireless.iwd.enable = true; environment.etc."NetworkManager/system-connections".source = "/persist/nm_system-connections"; } From 75e0c8f6acefa8d98d5581a3e2d2de9813aee82f Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Sun, 10 May 2026 03:42:00 +0000 Subject: [PATCH 095/178] flake: bump inputs --- flake.lock | 173 +++++++++++++++++++++++++---------------------------- 1 file changed, 80 insertions(+), 93 deletions(-) diff --git a/flake.lock b/flake.lock index 13fbf66..d6070b9 100644 --- a/flake.lock +++ b/flake.lock 
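Review bot: `environment.etc."NetworkManager/system-connections".source = "/persist/nm_system-connections";` survives this change while the `networkmanager.enable = true` block is deleted, so NetworkManager profiles — which normally hold Wi-Fi PSKs in plaintext — keep being installed under /etc on a host where NetworkManager is presumably no longer running. Either drop that line, or keep NetworkManager enabled and switch only its backend (`networkmanager.wifi.backend = "iwd";`) so the existing profiles stay the single credential store. With iwd alone, credentials go to /var/lib/iwd, which on an impermanent tmpfs root like the one used elsewhere in this repo would be lost on reboot unless persisted — confirm anemone's root layout. The `extraHosts` entry for hyacinth is also dropped without being mentioned in the commit message.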
@@ -7,11 +7,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1772290697, - "narHash": "sha256-MyLNx13P+pv1RszO1rMd3144NEeU/oU4iL+xOTpRoaU=", + "lastModified": 1777475243, + "narHash": "sha256-EiCeDGJewyWq2Mtdt5m8qyo/W5PXVUCacLuZJ/diBQ8=", "owner": "ezKEa", "repo": "aagl-gtk-on-nix", - "rev": "dcb53a4cb4cb09ef7f08328428ba559be5b9f01b", + "rev": "12e7b06163456e4c3685ee83b8fdc277fe03bdc8", "type": "github" }, "original": { @@ -45,7 +45,7 @@ }, "c-amethyst": { "inputs": { - "nixpkgs": "nixpkgs_3" + "nixpkgs": "nixpkgs_2" }, "locked": { "path": "./containers/amethyst", @@ -59,7 +59,7 @@ }, "c-beryllium": { "inputs": { - "nixpkgs": "nixpkgs_4" + "nixpkgs": "nixpkgs_3" }, "locked": { "path": "./containers/beryllium", @@ -74,7 +74,7 @@ "c-citrine": { "inputs": { "catppuccin": "catppuccin", - "nixpkgs": "nixpkgs_6" + "nixpkgs": "nixpkgs_5" }, "locked": { "path": "./containers/citrine", @@ -88,7 +88,7 @@ }, "c-diamond": { "inputs": { - "nixpkgs": "nixpkgs_7" + "nixpkgs": "nixpkgs_6" }, "locked": { "path": "./containers/diamond", @@ -102,7 +102,7 @@ }, "c-emerald": { "inputs": { - "nixpkgs": "nixpkgs_8" + "nixpkgs": "nixpkgs_7" }, "locked": { "path": "./containers/emerald", @@ -116,7 +116,7 @@ }, "c-fluorite": { "inputs": { - "nixpkgs": "nixpkgs_9" + "nixpkgs": "nixpkgs_8" }, "locked": { "path": "./containers/fluorite", @@ -130,7 +130,7 @@ }, "catppuccin": { "inputs": { - "nixpkgs": "nixpkgs_5" + "nixpkgs": "nixpkgs_4" }, "locked": { "lastModified": 1773403535, @@ -149,11 +149,11 @@ "catppuccin-palette": { "flake": false, "locked": { - "lastModified": 1742245182, - "narHash": "sha256-R52Q1FVAclvBk7xNgj/Jl+GPCIbORNf6YbJ1nxH3Gzs=", + "lastModified": 1774131488, + "narHash": "sha256-hsy+GhuM4MSjnwGq1YJSLBFIbVm67SSdPRgObP00mxw=", "owner": "catppuccin", "repo": "palette", - "rev": "0df7db6fe201b437d91e7288fa22807bb0e44701", + "rev": "07d02aa110ef9eb7e7427afca5c73ba9cf7f8ebd", "type": "github" }, "original": { 
@@ -295,11 +295,11 @@ ] }, "locked": { - "lastModified": 1772408722, - "narHash": "sha256-rHuJtdcOjK7rAHpHphUb1iCvgkU3GpfvicLMwwnfMT0=", + "lastModified": 1777988971, + "narHash": "sha256-qIoWPDs+0/8JecyYgE3gpKQxW/4bLW/gp45vow9ioCQ=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "f20dc5d9b8027381c474144ecabc9034d6a839a3", + "rev": "0678d8986be1661af6bb555f3489f2fdfc31f6ff", "type": "github" }, "original": { @@ -313,11 +313,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1772408722, - "narHash": "sha256-rHuJtdcOjK7rAHpHphUb1iCvgkU3GpfvicLMwwnfMT0=", + "lastModified": 1777988971, + "narHash": "sha256-qIoWPDs+0/8JecyYgE3gpKQxW/4bLW/gp45vow9ioCQ=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "f20dc5d9b8027381c474144ecabc9034d6a839a3", + "rev": "0678d8986be1661af6bb555f3489f2fdfc31f6ff", "type": "github" }, "original": { @@ -390,11 +390,11 @@ ] }, "locked": { - "lastModified": 1772893680, - "narHash": "sha256-JDqZMgxUTCq85ObSaFw0HhE+lvdOre1lx9iI6vYyOEs=", + "lastModified": 1776796298, + "narHash": "sha256-PcRvlWayisPSjd0UcRQbhG8Oqw78AcPE6x872cPRHN8=", "owner": "cachix", "repo": "git-hooks.nix", - "rev": "8baab586afc9c9b57645a734c820e4ac0a604af9", + "rev": "3cfd774b0a530725a077e17354fbdb87ea1c4aad", "type": "github" }, "original": { @@ -496,11 +496,11 @@ ] }, "locked": { - "lastModified": 1773962693, - "narHash": "sha256-nf9pgktDE4E2TCavUT1vh3Nd/tfKixL1BK6P32Zp3hI=", + "lastModified": 1778365864, + "narHash": "sha256-ImoT/wqmgMImf2dAC+E0MverAdA4QXsedOeES9B7Ezw=", "owner": "nix-community", "repo": "home-manager", - "rev": "9d3c1d636e7b8ab10f357cd9bee653cd400437de", + "rev": "2f419037039a152448c5f4ae9494154753d1b399", "type": "github" }, "original": { 
@@ -540,11 +540,11 @@ "linux-tkg": { "flake": false, "locked": { - "lastModified": 1773696903, - "narHash": "sha256-OkKN/5waWcPNqq/9tWsR9q4oxSJeMCyeBl1RQGctq9Q=", + "lastModified": 1778301982, + "narHash": "sha256-M8a1VqhhI3Ii0KFY4n1UdzUIFwZbET+G464cCb5ye5U=", "owner": "Frogging-Family", "repo": "linux-tkg", - "rev": "e4eabe3978f0e6ed967e5d969487f9335af8062f", + "rev": "d20b99557a90663a016f741398098d4d7b3ad119", "type": "github" }, "original": { @@ -562,11 +562,11 @@ ] }, "locked": { - "lastModified": 1773965157, - "narHash": "sha256-u6Ceko/AQ30asd/P68Y7gD0x3LtsjiPwC31TlwVnsac=", + "lastModified": 1778371477, + "narHash": "sha256-sVlZeFIds47ABfBbAmBLexCFnkE1GIBTNGjAMRh+BfA=", "owner": "nix-community", "repo": "neovim-nightly-overlay", - "rev": "7e711c5abd3b0ca9c0038606edeee6bcf09b055c", + "rev": "b9ee678fadf59b3c998e180d62f4cee0641d21d9", "type": "github" }, "original": { @@ -578,11 +578,11 @@ "neovim-src": { "flake": false, "locked": { - "lastModified": 1773942472, - "narHash": "sha256-VRtGTA4WWgrVrjZg+XrnRgMcbAa0EkYkWV5Wcn76/0g=", + "lastModified": 1778321961, + "narHash": "sha256-lrPZ0C+uixk+6jx+maWM998GZaj4lAuicAz/dZHFNBk=", "owner": "neovim", "repo": "neovim", - "rev": "06befe1e348bf540bb04a8c0cafe116616e71715", + "rev": "b44c2bdd16226f6caa5324d91f1ae9781ffdc12b", "type": "github" }, "original": { @@ -595,14 +595,14 @@ "inputs": { "flake-parts": "flake-parts_2", "git-hooks": "git-hooks", - "nixpkgs": "nixpkgs_10" + "nixpkgs": "nixpkgs_9" }, "locked": { - "lastModified": 1773888274, - "narHash": "sha256-PujDYvxi8Hbm/EB706mi+UWRRzoBaAVhpJREH13Gepg=", + "lastModified": 1778384395, + "narHash": "sha256-ymn6ivl8RbUK8oevC+aRQ3IY3cB3Jg0dCv7LR5XSBVo=", "owner": "fufexan", "repo": "nix-gaming", - "rev": "6e734655941171e75e64511c7c643f854753f52e", + "rev": "8368f981774ee25774d016e810d426891174a993", "type": "github" }, "original": { 
@@ -618,11 +618,11 @@ ] }, "locked": { - "lastModified": 1773552174, - "narHash": "sha256-mHSRNrT1rjeYBgkAlj07dW3+1nFEgAd8Gu6lgyfT9DU=", + "lastModified": 1778240325, + "narHash": "sha256-d2HIS7LpfI0lgxiXCXLjxrHl3eIdNvAVexOu0xiM488=", "owner": "nix-community", "repo": "nix-index-database", - "rev": "8faeb68130df077450451b6734a221ba0d6cde42", + "rev": "dd2d0e3f6ba00af01b9498f5697173bdc2524bee", "type": "github" }, "original": { @@ -649,11 +649,11 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1772328832, - "narHash": "sha256-e+/T/pmEkLP6BHhYjx6GmwP5ivonQQn0bJdH9YrRB+Q=", + "lastModified": 1777168982, + "narHash": "sha256-GOkGPcboWE9BmGCRMLX3worL4EMnsnG8MyKmXNeYuhQ=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "c185c7a5e5dd8f9add5b2f8ebeff00888b070742", + "rev": "f5901329dade4a6ea039af1433fb087bd9c1fe14", "type": "github" }, "original": { @@ -680,27 +680,11 @@ }, "nixpkgs_10": { "locked": { - "lastModified": 1773507054, - "narHash": "sha256-Q8U5VXgrcxmCxPtCCJCIZkcAX3FCZwGh1GNVIXxMND0=", + "lastModified": 1777954456, + "narHash": "sha256-hGdgeU2Nk87RAuZyYjyDjFL6LK7dAZN5RE9+hrDTkDU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e80236013dc8b77aa49ca90e7a12d86f5d8d64c9", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_11": { - "locked": { - "lastModified": 1773821835, - "narHash": "sha256-TJ3lSQtW0E2JrznGVm8hOQGVpXjJyXY2guAxku2O9A4=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "b40629efe5d6ec48dd1efba650c797ddbd39ace0", + "rev": "549bd84d6279f9852cae6225e372cc67fb91a4c1", "type": "github" }, "original": { @@ -710,7 +694,7 @@ "type": "github" } }, - "nixpkgs_12": { + "nixpkgs_11": { "locked": { "lastModified": 1770019141, "narHash": "sha256-VKS4ZLNx4PNrABoB0L8KUpc1fE7CLpQXQs985tGfaCU=", 
@@ -728,16 +712,16 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1744536153, - "narHash": "sha256-awS2zRgF4uTwrOKwwiJcByDzDOdo3Q1rPZbiHQg/N38=", + "lastModified": 1773282481, + "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "18dd725c29603f582cf1900e0d25f9f1063dbf11", + "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixpkgs-unstable", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } @@ -760,11 +744,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1773282481, - "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=", + "lastModified": 1773122722, + "narHash": "sha256-FIqHByVqxCprNjor1NqF80F2QQoiiyqanNNefdlvOg4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127", + "rev": "62dc67aa6a52b4364dd75994ec00b51fbf474e50", "type": "github" }, "original": { @@ -776,11 +760,11 @@ }, "nixpkgs_5": { "locked": { - "lastModified": 1773122722, - "narHash": "sha256-FIqHByVqxCprNjor1NqF80F2QQoiiyqanNNefdlvOg4=", + "lastModified": 1773282481, + "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "62dc67aa6a52b4364dd75994ec00b51fbf474e50", + "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127", "type": "github" }, "original": { @@ -840,16 +824,16 @@ }, "nixpkgs_9": { "locked": { - "lastModified": 1773282481, - "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=", + "lastModified": 1778274207, + "narHash": "sha256-I4puXmX1iovcCHZlRmztO3vW0mAbbRvq4F8wgIMQ1MM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127", + "rev": "b3da656039dc7a6240f27b2ef8cc6a3ef3bccae7", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-unstable", + "ref": "nixpkgs-unstable", "repo": "nixpkgs", "type": "github" } 
@@ -880,11 +864,11 @@ "nvim-treesitter": { "flake": false, "locked": { - "lastModified": 1773768003, - "narHash": "sha256-lQMRGqObOxoESWDD8+RSZAKmevVXzHS3IipBthvi3To=", + "lastModified": 1775221900, + "narHash": "sha256-PQR6tFt4lCrAZNQG7BLMD1IiCKja9wDS1S4laGJf/HE=", "owner": "nvim-treesitter", "repo": "nvim-treesitter", - "rev": "2b50ab5ccbcd9e5708deb351308edd738adbf84c", + "rev": "4916d6592ede8c07973490d9322f187e07dfefac", "type": "github" }, "original": { @@ -896,15 +880,15 @@ "pastel": { "inputs": { "flake-utils": "flake-utils_2", - "nixpkgs": "nixpkgs_12", + "nixpkgs": "nixpkgs_11", "pnpm2nix": "pnpm2nix" }, "locked": { - "lastModified": 1772103435, - "narHash": "sha256-dtsWJl+DBigaZlszH4UVI8JZltJl9O6MESDyH4RepNI=", + "lastModified": 1775622883, + "narHash": "sha256-2+7uCRXn+tn4LVaO7hLKPaezdKPW6HGvTr00aO4Tcxs=", "owner": "cillynder", "repo": "pastel", - "rev": "8e2b1b80d711eaf41c010949bef0a512db9e4452", + "rev": "46f6569d5ad41ec1256dbf999d21701f73d6077b", "type": "github" }, "original": { @@ -970,7 +954,7 @@ "neovim-nightly": "neovim-nightly", "nix-gaming": "nix-gaming", "nix-index-database": "nix-index-database", - "nixpkgs": "nixpkgs_11", + "nixpkgs": "nixpkgs_10", "nvim-treesitter": "nvim-treesitter", "pastel": "pastel", "pure": "pure", @@ -986,7 +970,10 @@ }, "rust-overlay": { "inputs": { - "nixpkgs": "nixpkgs_2" + "nixpkgs": [ + "aagl", + "nixpkgs" + ] }, "locked": { "lastModified": 1770952264, @@ -1010,11 +997,11 @@ "systems": "systems_5" }, "locked": { - "lastModified": 1773619901, - "narHash": "sha256-Br8CQy4ht+a2OxyzaRwuP5+oIFfoRvCxYgsmdrgid40=", + "lastModified": 1777789800, + "narHash": "sha256-XHCvLGu/bEEZRzXVKFu1i+2YB102Nr00n8e7xrzsfVs=", "owner": "Gerg-L", "repo": "spicetify-nix", - "rev": "6f06ff05cd536b790b7662550a10b61a1ac4619e", + "rev": "d0e921cc48aab6137d203a3eab19601dc2bdc0c3", "type": "github" }, "original": { 
@@ -1042,11 +1029,11 @@ "stevenblack-hosts": { "flake": false, "locked": { - "lastModified": 1773769816, - "narHash": "sha256-OSN3K2lSag5aA58UmfI1JMvmksuEVwlT7TOeBOsEmX8=", + "lastModified": 1778258800, + "narHash": "sha256-wTiDXFiBKV4M4jv1JrVLL/kkIyE1FK4qino07BYU5fc=", "owner": "StevenBlack", "repo": "hosts", - "rev": "5090055e2d36e9fc5539551656e1d8107a84ad7e", + "rev": "8ce06e1ed6f063d3d58cf9c980793415085f5d89", "type": "github" }, "original": { From 58d4b60f5b20662b49b28a16e4997268eb6897eb Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Sun, 10 May 2026 03:42:02 +0000 Subject: [PATCH 096/178] packages/linux-lava: bump to 7.0.5 --- packages/linux-lava/sources.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/packages/linux-lava/sources.nix b/packages/linux-lava/sources.nix index dd2f171..c24fa57 100644 --- a/packages/linux-lava/sources.nix +++ b/packages/linux-lava/sources.nix @@ -1,8 +1,8 @@ { fetchFromGitHub, inputs, lib }: let - version = "6.19.9"; - kernelHash = "0mqka8ii7bvmx9hvfjdiyva9ib0j7m390gxhh8gki3qb4nl7jc1h"; - kernelPatchHash = "19pwgvifkadsgfsx3w29mi0ks2vwwk88gw4jsya1gjy0jfk1h6qr"; + version = "7.0.5"; + kernelHash = "1w4i705i0nl1xqv7fdhdbhy7j3xrzhl31fabs6vmgiw7nf06szxv"; + kernelPatchHash = "15a173sx7nw4qkp45f5ksnqd3a1flhpiq3zzsa6gzzcww433hm8d"; mm = lib.versions.majorMinor version; hasPatch = (builtins.length (builtins.splitVersion version)) == 3; From 575a0e96105da68be0c52e5bf20e71cc0c78d94b Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Sun, 10 May 2026 22:44:46 +1000 Subject: [PATCH 097/178] treewide: remove nodePackages --- modules/user/neovim.nix | 14 +++++++------- users/rin/packages.nix | 3 +-- 2 files changed, 8 insertions(+), 9 deletions(-) diff --git a/modules/user/neovim.nix b/modules/user/neovim.nix index 4dc4830..30ffac9 100644 --- a/modules/user/neovim.nix +++ b/modules/user/neovim.nix 
@@ -21,13 +21,13 @@ in { extraPackages = with pkgs; [ rust-analyzer texlab - nodePackages."@astrojs/language-server" - nodePackages."@tailwindcss/language-server" - nodePackages.diagnostic-languageserver - nodePackages.eslint_d - nodePackages.typescript-language-server - nodePackages.vscode-langservers-extracted - nodePackages.yaml-language-server + astro-language-server + tailwindcss-language-server + diagnostic-languageserver + eslint_d + typescript-language-server + vscode-langservers-extracted + yaml-language-server ]; plugins = with pkgs.vimPlugins; [ diff --git a/users/rin/packages.nix b/users/rin/packages.nix index c2569c7..8b15c60 100644 --- a/users/rin/packages.nix +++ b/users/rin/packages.nix @@ -18,12 +18,11 @@ in { nil nodejs_latest pamixer + pnpm qmk unrar weechat yt-dlp - - nodePackages_latest.pnpm ] ++ lib.optionals config.me.gui [ android-studio brightnessctl From 4c28a3eecbe91ca12be8559c68c17c9c11d7abf0 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Mon, 11 May 2026 01:05:27 +1000 Subject: [PATCH 098/178] overlays/openldap: skip failing checks for 32-bit --- overlays/default.nix | 1 + overlays/openldap.nix | 9 +++++++++ 2 files changed, 10 insertions(+) create mode 100644 overlays/openldap.nix diff --git a/overlays/default.nix b/overlays/default.nix index a84cba5..cbe3e7e 100644 --- a/overlays/default.nix +++ b/overlays/default.nix @@ -5,6 +5,7 @@ builtins.map (path: import path) [ ./eww.nix ./jetbrains.nix ./material-icons.nix + ./openldap.nix ./steam.nix ./utillinux.nix ./wpa-supplicant.nix diff --git a/overlays/openldap.nix b/overlays/openldap.nix new file mode 100644 index 0000000..f9b2b46 --- /dev/null +++ b/overlays/openldap.nix 
@@ -0,0 +1,9 @@ +self: super: { + # openldap i686 fails checks + # issue: https://github.com/NixOS/nixpkgs/issues/514113 + # workaround: https://github.com/NixOS/nixpkgs/issues/513245#issuecomment-4320293674 + # fix: https://github.com/NixOS/nixpkgs/pull/515956 + openldap = super.openldap.overrideAttrs { + doCheck = !self.stdenv.hostPlatform.isi686; + }; +} From cc43450dd1d9c57d236ccfaf3a5cbe9e72629ec4 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Thu, 28 May 2026 17:43:08 +1000 Subject: [PATCH 099/178] system/security: enable pam_u2f --- modules/system/security.nix | 32 ++++++++++++++++++++++++++++++-- 1 file changed, 30 insertions(+), 2 deletions(-) diff --git a/modules/system/security.nix b/modules/system/security.nix index 602f108..3b4e8a7 100644 --- a/modules/system/security.nix +++ b/modules/system/security.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: { +{ config, lib, pkgs, ... }: { networking.firewall = let iptables = "${pkgs.iptables}/bin/iptables"; @@ -49,9 +49,37 @@ { groups = [ "wheel" ]; keepEnv = true; - persist = true; + persist = config.me.environment != "laptop"; } ]; }; + pam = lib.mkIf (config.me.environment != "headless") { + u2f = { + enable = true; + settings = { + cue = true; + pinverification = 1; + }; + }; + services.doas.rules.auth = { + u2f.settings.pinverification = lib.mkForce 0; + u2f_int = lib.mkMerge [ + { + enable = true; + order = config.security.pam.services.doas.rules.auth.u2f.order + 1; + control = "sufficient"; + modulePath = "${pkgs.pam_u2f}/lib/security/pam_u2f.so"; + inherit (config.security.pam.u2f) settings; + } + { + settings = lib.mkForce { + interactive = true; + pinverification = 0; + userpresence = 0; + }; + } + ]; + }; + }; }; } From 0f7393714f61cad82d1c99133416b300eb080331 Mon Sep 17 00:00:00 2001 
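Review bot: `doCheck = !self.stdenv.hostPlatform.isi686;` switches off openldap's entire test suite on i686 rather than the one failing test, so the 32-bit build (presumably only pulled in via pkgsi686Linux for Steam) silently loses all regression coverage until someone remembers to delete this overlay. If the failing test can be named from the linked issue, prefer skipping just that one (via `checkFlags` or the package's test list, if the build supports it) so the rest keep running. Otherwise tie the workaround to its removal condition with a marker such as `# TODO: drop once NixOS/nixpkgs#515956 is in the pinned nixpkgs`, since the existing links say where the fix is but not when this file should go.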
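Review bot: The `u2f_int` rule makes a merely plugged-in FIDO key `sufficient` for doas: `pinverification = 0` and `userpresence = 0` are forced, so neither a PIN nor a touch is required and any code already running as the user can escalate to root whenever the key is inserted — the only gate left is the `interactive = true` Enter prompt, which presumably is answered through the doas tty. At minimum keep `userpresence = 1;` in that rule so a physical touch is still needed for the privileged path. Separately, no rule sets `authfile`, so pam_u2f falls back to the user's own `~/.config/Yubico/u2f_keys`, which the user (or malware running as them) can append an attacker-controlled key to; for privilege escalation use a root-owned mapping, e.g. `authfile = "/etc/u2f-mappings";` in `security.pam.u2f.settings`. Note also that `lib.mkForce` on `u2f_int.settings` replaces the inherited attrset wholesale, so `cue = true` is dropped for that rule.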
From: Cilly Leang Date: Thu, 28 May 2026 18:08:15 +1000 Subject: [PATCH 100/178] hosts/alyssum: init --- flake.nix | 1 + hosts/alyssum/default.nix | 28 ++++++++++++++++++++++++++++ hosts/alyssum/filesystem.nix | 34 ++++++++++++++++++++++++++++++++++ hosts/alyssum/kernel.nix | 10 ++++++++++ hosts/alyssum/networking.nix | 3 +++ hosts/alyssum/packages.nix | 14 ++++++++++++++ 6 files changed, 90 insertions(+) create mode 100644 hosts/alyssum/default.nix create mode 100644 hosts/alyssum/filesystem.nix create mode 100644 hosts/alyssum/kernel.nix create mode 100644 hosts/alyssum/networking.nix create mode 100644 hosts/alyssum/packages.nix diff --git a/flake.nix b/flake.nix index 8b91291..377e601 100644 --- a/flake.nix +++ b/flake.nix @@ -80,6 +80,7 @@ }; in { + nixosConfigurations."alyssum" = mkSystem nixpkgs "alyssum" "x86_64-linux" []; nixosConfigurations."anemone" = mkSystem nixpkgs "anemone" "x86_64-linux" []; nixosConfigurations."dandelion" = mkSystem nixpkgs "dandelion" "aarch64-linux" []; nixosConfigurations."hyacinth" = mkSystem nixpkgs "hyacinth" "x86_64-linux" []; diff --git a/hosts/alyssum/default.nix b/hosts/alyssum/default.nix new file mode 100644 index 0000000..5506e55 --- /dev/null +++ b/hosts/alyssum/default.nix @@ -0,0 +1,28 @@ +{ inputs, modules, modulesPath, ... }: { + networking.hostName = "alyssum"; + system.stateVersion = "25.11"; + time.timeZone = "Australia/Melbourne"; + + age.secrets = { + # acme_dns.file = ../../secrets/acme_dns.age; + }; + + imports = with modules.system; [ + (modulesPath + "/profiles/qemu-guest.nix") + home-manager + + base + kernel + nix-stable + packages + security + + ./filesystem.nix + ./kernel.nix + ./networking.nix + + ../../users/hana + ]; + + me.environment = "headless"; +} diff --git a/hosts/alyssum/filesystem.nix b/hosts/alyssum/filesystem.nix new file mode 100644 index 0000000..205106a --- /dev/null +++ b/hosts/alyssum/filesystem.nix 
@@ -0,0 +1,34 @@ +{ ... }: +let + bind = src: { + depends = [ "/nix" ]; + device = src; + fsType = "none"; + neededForBoot = true; + options = [ "bind" ]; + }; + + mkLabelMount = label: type: { + device = "/dev/disk/by-label/${label}"; + fsType = type; + options = [ "defaults" "relatime" ]; + }; + mkBtrfsMount = name: subvol: atime: mkLabelMount name "btrfs" // { + options = [ "autodefrag" "compress=zstd:3" "defaults" "discard=async" "space_cache=v2" "ssd" "subvol=${subvol}" (if atime then "relatime" else "noatime") ]; + }; + submount = mkBtrfsMount "alyssum"; +in { + fileSystems = { + "/" = { + device = "rootfs"; + fsType = "tmpfs"; + options = [ "defaults" "size=8G" "mode=755" ]; + }; + "/boot" = mkLabelMount "stem" "vfat"; + + "/nix" = submount "/@/nix" false; + "/persist" = (submount "/@/persist" true) // { neededForBoot = true; }; + "/persist/.snapshots" = submount "/snap/persist" false; + "/var/log/journal" = bind "/persist/journal"; + }; +} diff --git a/hosts/alyssum/kernel.nix b/hosts/alyssum/kernel.nix new file mode 100644 index 0000000..7ea7d43 --- /dev/null +++ b/hosts/alyssum/kernel.nix @@ -0,0 +1,10 @@ +{ ... }: { + boot = { + loader = { + efi.canTouchEfiVariables = true; + systemd-boot.enable = true; + }; + initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ]; + initrd.kernelModules = [ "nvme" ]; + }; +} diff --git a/hosts/alyssum/networking.nix b/hosts/alyssum/networking.nix new file mode 100644 index 0000000..ee27faf --- /dev/null +++ b/hosts/alyssum/networking.nix @@ -0,0 +1,3 @@ +{ ... }: { + networking.useDHCP = true; +} diff --git a/hosts/alyssum/packages.nix b/hosts/alyssum/packages.nix new file mode 100644 index 0000000..2d4bd30 --- /dev/null +++ b/hosts/alyssum/packages.nix @@ -0,0 +1,14 @@ +{ pkgs, ... }: { + environment.systemPackages = with pkgs; [ + git + htop + jq + neovim + rsync + sshfs + wget + + kitty.terminfo + ]; + environment.variables.EDITOR = "nvim"; +} 
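Review bot: `"/boot" = mkLabelMount "stem" "vfat";` mounts the ESP with only `defaults,relatime`, so under vfat's default umask every file there — kernels, initrds and the systemd-boot random-seed file — is world-readable, which recent NixOS systemd-boot modules warn about (confirm against the pinned nixpkgs). Override the options on this entry, e.g. `"/boot" = mkLabelMount "stem" "vfat" // { options = [ "defaults" "relatime" "umask=0077" ]; };`, rather than loosening the shared helper. The tmpfs root with `mode=755` and the journal bind into /persist look fine, but `bind` declares `depends = [ "/nix" ]` even though its only use here is a source under /persist, so the dependency probably should be `/persist` — check what the other hosts in this repo do.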
From 0638cf6f5ff5e3c45d951bc514bcd3a941c9efb1 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Thu, 28 May 2026 18:19:13 +1000 Subject: [PATCH 101/178] alyssum/kernel: update --- hosts/alyssum/kernel.nix | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/hosts/alyssum/kernel.nix b/hosts/alyssum/kernel.nix index 7ea7d43..5e9b300 100644 --- a/hosts/alyssum/kernel.nix +++ b/hosts/alyssum/kernel.nix @@ -1,10 +1,12 @@ -{ ... }: { +{ config, lib, ... }: { boot = { loader = { efi.canTouchEfiVariables = true; systemd-boot.enable = true; }; - initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ]; - initrd.kernelModules = [ "nvme" ]; + initrd.availableKernelModules = [ "nvme" "xhci_pci" "usb_storage" "sd_mod" "rtsx_usb_sdmmc" ]; + initrd.kernelModules = [ ]; + kernelModules = [ "kvm-amd" ]; }; + hardware.cpu.amd.updateMicrocode = true; } From 880316173f1941ae6192420be5c6bf0e41f2fb42 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Thu, 28 May 2026 18:43:52 +1000 Subject: [PATCH 102/178] hosts/alyssum: (temporarily) allow password login --- hosts/alyssum/default.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/hosts/alyssum/default.nix b/hosts/alyssum/default.nix index 5506e55..e5165d8 100644 --- a/hosts/alyssum/default.nix +++ b/hosts/alyssum/default.nix @@ -1,4 +1,4 @@ -{ inputs, modules, modulesPath, ... }: { +{ lib, modules, modulesPath, ... }: { networking.hostName = "alyssum"; system.stateVersion = "25.11"; time.timeZone = "Australia/Melbourne"; @@ -25,4 +25,7 @@ ]; me.environment = "headless"; + + services.openssh.settings.PermitRootLogin = lib.mkForce "yes"; + services.openssh.settings.PasswordAuthentication = lib.mkForce true; } From ae707d33ea89d9ff84e99c770bf9e03c452b723b Mon Sep 17 00:00:00 2001 
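Review bot: The new module list (`nvme`, `xhci_pci`, `rtsx_usb_sdmmc`, `kvm-amd`) and `hardware.cpu.amd.updateMicrocode = true` describe a bare-metal AMD laptop, yet hosts/alyssum/default.nix from the previous commit still imports `(modulesPath + "/profiles/qemu-guest.nix")`; drop that import so guest-only modules and settings do not end up in the initrd of a machine that will hold secrets. Enabling microcode updates is the right call here, since it is what delivers the CPU-side mitigations. As a style point, `{ config, lib, ... }:` binds two names this file never uses; `{ ... }:` was already correct.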
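Review bot: `PermitRootLogin = lib.mkForce "yes"` combined with `PasswordAuthentication = lib.mkForce true` opens password-based root login on every interface, not just the bootstrap LAN, and "temporarily" is enforced only by remembering to revert (PATCH 108 later in this series does, roughly ninety minutes on). If a bootstrap window like this is needed again, scope it instead: leave root at `prohibit-password`, log in as the unprivileged user, and limit the password exception with `services.openssh.extraConfig = "Match Address 192.168.1.0/24\n  PasswordAuthentication yes";`. Since the root password was usable over the network during that window, rotate it and check the journal for authentication attempts from outside the LAN.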
From: Cilly Leang Date: Thu, 28 May 2026 18:55:41 +1000 Subject: [PATCH 103/178] alyssum/networking: use wpa_conf --- hosts/alyssum/default.nix | 2 +- hosts/alyssum/networking.nix | 15 +++++++++++++-- secrets.nix | 3 ++- secrets/wpa_conf.age | Bin 420 -> 538 bytes 4 files changed, 16 insertions(+), 4 deletions(-) diff --git a/hosts/alyssum/default.nix b/hosts/alyssum/default.nix index e5165d8..e6a7e58 100644 --- a/hosts/alyssum/default.nix +++ b/hosts/alyssum/default.nix @@ -4,7 +4,7 @@ time.timeZone = "Australia/Melbourne"; age.secrets = { - # acme_dns.file = ../../secrets/acme_dns.age; + wpa_conf.file = ../../secrets/wpa_conf.age; }; imports = with modules.system; [ diff --git a/hosts/alyssum/networking.nix b/hosts/alyssum/networking.nix index ee27faf..9d1fdf9 100644 --- a/hosts/alyssum/networking.nix +++ b/hosts/alyssum/networking.nix @@ -1,3 +1,14 @@ -{ ... }: { - networking.useDHCP = true; +{ config, ... }: { + environment.etc."wpa_supplicant.conf".source = config.age.secrets.wpa_conf.path; + networking = { + useDHCP = true; + interfaces.wlp1s0.useDHCP = false; + interfaces.wlp1s0.ipv4.addresses = [{ + address = "192.168.1.167"; + prefixLength = 24; + }]; + + defaultGateway = "192.168.1.1"; + nameservers = [ "8.8.8.8" "8.8.4.4" ]; + }; } diff --git a/secrets.nix b/secrets.nix index b2d0d0e..b4d5b2c 100644 --- a/secrets.nix +++ b/secrets.nix @@ -1,4 +1,5 @@ let + alyssum = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAp00i2DTwMk9i2WBEwpNTDA51TQJEqzpyCka6znmRzR"; anemone = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEPFifSAybe97xDP/cq6AAjy7Fm0go0dtQ9ICK6JRUgc"; blossom = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA5wfPCcpkNR3ubr7cBV0UwVCDo/sMmV0aI/JOJTIxQj"; dandelion = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFUk99ku7+eiIO7Q9sIPlPx3GiUljLv7W404W/zwrtzI"; 
@@ -7,7 +8,7 @@ let rin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPru5eTBvHJ4ZmrrzPRHCGM09wQP/ZHSaKYalDuBVO15"; in { "secrets/passwd.age".publicKeys = [ anemone blossom rin ]; - "secrets/wpa_conf.age".publicKeys = [ blossom rin ]; + "secrets/wpa_conf.age".publicKeys = [ alyssum blossom rin ]; "secrets/acme_dns.age".publicKeys = [ dandelion hazel rin ]; "secrets/navidrome_env.age".publicKeys = [ anemone dandelion rin ]; diff --git a/secrets/wpa_conf.age b/secrets/wpa_conf.age index 2b6862e53af790780d4fcfd88e1ef7ed6cc3f47c..555b5946deead8ef44060e3b0217f4b9c009db03 100644 GIT binary patch delta 511 zcmZ3&Jd0(5YJIl9Z*V}lLU>kqWLQdoqiLSArJ=WZXh^1MPH|FhPFA{MUYNJDdv=9k zMM-#gZjiAfS5#qnQD~xBsIRwgv3XcPK#q@jpm}a;Sy-?|fOnFcadC!jYKoDmsiCEUbEtDxM4*D1UwA>GiAQ*Gc72JnzlB+dzeQkKfTN*tdZ}q( zSiYIBONK>(pL?WdNuCLpk5gfKjzOVmn47+liJ6mMvZ1zbfk~csdVyO?agwi@lfH+3 zijPsMaSn!cp_XnDIq3?O;a(XYfdNHDuKNCEVZk9@l>zx>sh0YwmCp4p{`pm|PN5mW z0R^ruWx>T=8f)qn~#$p87h3xd9;4T zrnNzf|IH582;94@ckd31{D*rc>}FlY*0ss2()?AL_cFU#&y-iXG0H#w8hSt>c-vQ< r#Rt}$ay)eO7W2ddY>%%5GB4jyThSI~5IDjA-Mz;4Xw~%s_N8(Fb4s7MZYAkvWtmYSIc3@Dsd-L`j+w=-K9MaAQ9((0zLlZ*`auy(p|KKD_DpibKDcGPtOnl|3s2Z From 220af6cf157e12bfe447658abfe5d90edf36d2dc Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Thu, 28 May 2026 18:59:38 +1000 Subject: [PATCH 104/178] alyssum/networking: enable wpa_supplicant --- hosts/alyssum/networking.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hosts/alyssum/networking.nix b/hosts/alyssum/networking.nix index 9d1fdf9..64c1bff 100644 --- a/hosts/alyssum/networking.nix +++ b/hosts/alyssum/networking.nix @@ -2,6 +2,8 @@ environment.etc."wpa_supplicant.conf".source = config.age.secrets.wpa_conf.path; networking = { useDHCP = true; + wireless.enable = true; + interfaces.wlp1s0.useDHCP = false; interfaces.wlp1s0.ipv4.addresses = [{ address = "192.168.1.167"; From c323f004f19cf5b1e043a8b6c06f2d1f072b2533 Mon Sep 17 00:00:00 2001 
From: Cilly Leang Date: Thu, 28 May 2026 20:06:36 +1000 Subject: [PATCH 105/178] alyssum/networking: point to wpa_conf correctly --- hosts/alyssum/networking.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/alyssum/networking.nix b/hosts/alyssum/networking.nix index 64c1bff..901c3c4 100644 --- a/hosts/alyssum/networking.nix +++ b/hosts/alyssum/networking.nix @@ -1,8 +1,8 @@ { config, ... }: { - environment.etc."wpa_supplicant.conf".source = config.age.secrets.wpa_conf.path; networking = { useDHCP = true; wireless.enable = true; + wireless.extraConfigFiles = [ config.age.secrets.wpa_conf.path ]; interfaces.wlp1s0.useDHCP = false; interfaces.wlp1s0.ipv4.addresses = [{ From 865b473df7a2135f0e3dd7988723fede4a9cdf02 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Thu, 28 May 2026 20:13:54 +1000 Subject: [PATCH 106/178] alyssum/networking: point to wpa_conf correctly, attempt 2 why was this changed????? --- hosts/alyssum/networking.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/alyssum/networking.nix b/hosts/alyssum/networking.nix index 901c3c4..760e8a5 100644 --- a/hosts/alyssum/networking.nix +++ b/hosts/alyssum/networking.nix @@ -1,8 +1,8 @@ { config, ... }: { + environment.etc."wpa_supplicant/imperative.conf".source = config.age.secrets.wpa_conf.path; networking = { useDHCP = true; wireless.enable = true; - wireless.extraConfigFiles = [ config.age.secrets.wpa_conf.path ]; interfaces.wlp1s0.useDHCP = false; interfaces.wlp1s0.ipv4.addresses = [{ From 0d99bd6015d1dcce8d7ee02bdca434df358bf524 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Thu, 28 May 2026 20:16:59 +1000 Subject: [PATCH 107/178] alyssum/networking: point to wpa_conf correctly, attempt 3 --- hosts/alyssum/default.nix | 6 +++++- hosts/alyssum/networking.nix | 1 - 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/hosts/alyssum/default.nix b/hosts/alyssum/default.nix index e6a7e58..fecf4b3 100644 --- a/hosts/alyssum/default.nix 
+++ b/hosts/alyssum/default.nix @@ -4,7 +4,11 @@ time.timeZone = "Australia/Melbourne"; age.secrets = { - wpa_conf.file = ../../secrets/wpa_conf.age; + wpa_conf = { + file = ../../secrets/wpa_conf.age; + path = "/etc/wpa_supplicant/imperative.conf"; + symlink = false; + }; }; imports = with modules.system; [ diff --git a/hosts/alyssum/networking.nix b/hosts/alyssum/networking.nix index 760e8a5..281cbb6 100644 --- a/hosts/alyssum/networking.nix +++ b/hosts/alyssum/networking.nix @@ -1,5 +1,4 @@ { config, ... }: { - environment.etc."wpa_supplicant/imperative.conf".source = config.age.secrets.wpa_conf.path; networking = { useDHCP = true; wireless.enable = true; From 59f5913b680665d1e895bc5347c29ad2132687ea Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Thu, 28 May 2026 20:19:04 +1000 Subject: [PATCH 108/178] hosts/alyssum: disable insecure ssh --- hosts/alyssum/default.nix | 3 --- 1 file changed, 3 deletions(-) diff --git a/hosts/alyssum/default.nix b/hosts/alyssum/default.nix index fecf4b3..4a6ef0c 100644 --- a/hosts/alyssum/default.nix +++ b/hosts/alyssum/default.nix @@ -29,7 +29,4 @@ ]; me.environment = "headless"; - - services.openssh.settings.PermitRootLogin = lib.mkForce "yes"; - services.openssh.settings.PasswordAuthentication = lib.mkForce true; } From c8c6fb1b5e94b61e5880a8eff8e63417b64309b6 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Thu, 28 May 2026 20:55:11 +1000 Subject: [PATCH 109/178] system/tailscale: init --- hosts/anemone/default.nix | 1 + modules/default.nix | 1 + modules/system/tailscale.nix | 8 ++++++++ secrets.nix | 1 + secrets/tailscale_auth.age | 13 +++++++++++++ 5 files changed, 24 insertions(+) create mode 100644 modules/system/tailscale.nix create mode 100644 secrets/tailscale_auth.age diff --git a/hosts/anemone/default.nix b/hosts/anemone/default.nix index aa4c81b..841e909 100644 --- a/hosts/anemone/default.nix +++ b/hosts/anemone/default.nix @@ -28,6 +28,7 @@ printing security snapper + tailscale wireguard ./filesystem.nix 
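Review bot: `path = "/etc/wpa_supplicant/imperative.conf"; symlink = false;` is the third attempt at this wiring, and nothing in the file records why the two `environment.etc` variants (PATCH 105 and 106) failed, so the next refactor is likely to undo it; add a short comment above the entry, e.g. `# must be a real file at the fixed path the NixOS wpa_supplicant module reads for imperative networks; a symlink into /run/agenix was not picked up`. If `networking.wireless.allowAuxiliaryImperativeNetworks` is what makes the module read that file, confirm it is set in the shared base/networking module, because this hunk does not set it. With `symlink = false` the plaintext PSK is copied into /etc; on this host `/` is tmpfs so the copy is RAM-only, and agenix's default root-owned `0400` mode keeps it readable only by the daemon — worth stating in the same comment so nobody relaxes it.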
diff --git a/modules/default.nix b/modules/default.nix
index f47d4ee..d55b54a 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -49,6 +49,7 @@ in {
 ./system/printing.nix
 ./system/security.nix
 ./system/snapper.nix
+ ./system/tailscale.nix
 ./system/virtualisation.nix
 ./system/wireguard.nix
 ];
diff --git a/modules/system/tailscale.nix b/modules/system/tailscale.nix
new file mode 100644
index 0000000..9de220d
--- /dev/null
+++ b/modules/system/tailscale.nix
@@ -0,0 +1,8 @@
+{ config, ... }: {
+ age.secrets.tailscale_auth.file = ../../secrets/tailscale_auth.age;
+ services.tailscale = {
+ enable = true;
+ authKeyFile = config.age.secrets.tailscale_auth.path;
+ openFirewall = true;
+ };
+}
diff --git a/secrets.nix b/secrets.nix
index b4d5b2c..5a8bf1b 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -13,6 +13,7 @@ in {
 "secrets/acme_dns.age".publicKeys = [ dandelion hazel rin ];
 "secrets/navidrome_env.age".publicKeys = [ anemone dandelion rin ];
 "secrets/slskd_env.age".publicKeys = [ anemone dandelion rin ];
+ "secrets/tailscale_auth.age".publicKeys = [ alyssum anemone blossom dandelion rin ];
 "secrets/warden_admin.age".publicKeys = [ rin ];
 "secrets/wg_anemone.age".publicKeys = [ anemone rin ];
 "secrets/wg_dandelion.age".publicKeys = [ dandelion rin ];
diff --git a/secrets/tailscale_auth.age b/secrets/tailscale_auth.age
new file mode 100644
index 0000000..be7af43
--- /dev/null
+++ b/secrets/tailscale_auth.age
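Review bot: `secrets/tailscale_auth.age` is encrypted to alyssum, anemone, blossom and dandelion, so a single auth key is being shared across four hosts; if it is a reusable (non-ephemeral) key, compromise of any one of them lets the attacker enrol arbitrary new nodes into the tailnet, and the key cannot be revoked for one host without re-provisioning all of them. Prefer one key per host, which is the pattern secrets.nix already uses for `wg_<host>.age`, issued as tagged and pre-authorized so a leaked key can only produce a node with the intended ACL identity. Tailscale auth keys also expire (ninety days at most by default — confirm in the admin console), so note next to `authKeyFile` that a new host added after that date needs a fresh key rather than this file. `openFirewall = true` presumably only opens tailscaled's UDP port for direct connections, which is fine.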
@@ -0,0 +1,13 @@ +age-encryption.org/v1 +-> ssh-ed25519 kOMSPw judP6VmZDGErkHfUpCp3xTgJtWVmGv3/tZw3WGyhfhM +10jxPIR6Qaf/iWLzbWOrFq9XBsm8OC3mcMrxEt+BYQ8 +-> ssh-ed25519 ohyStA Xc6TjSJYtJkK1VEauNJKn+RcTdwdkyJ0Sr+tbAJ8rGc +vzQt4zMdktY5tNvfu9HsKBgJb52uM7x8bhF+WXwpWZ8 +-> ssh-ed25519 CUCjXQ r8WxaXpWtaBdMJ2ubaAwJ4ipSz/UtnMs0x3+eI8p0VU +CdicUH7AE4E4XVHDAeYzQdsYMYA0sCLlt2P4eR24vvs +-> ssh-ed25519 bRFqeQ E9sknPioO9leKqs8bFJDLrAMuRAJf0ZRyGMvy7O5wVA +KX93oSqGHimM/PaeaoHq1aYVXGG1YsVMO2ihZaM8xVE +-> ssh-ed25519 U9FXlg u7yG7cLylPUgu/Is4xx0BXVhX31vUtgStV5CYa8Cowg +xAuGYZpMPVQpZYASXrMuqNE9wqqEG3kMLUNjLzPmL4g +--- EoeqIMnX5tR3J51Cz2QEyjsgD/7h468bqjRmt3mOEjY +xHQ)k)ĉB~ە֖Zv?%lQx OwZIsۄf4D ǔ*Otݳ 0.m[q_[v \ No newline at end of file From 724d30a092902b27988fc2a3cdc41b18b8023898 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Mon, 23 Mar 2026 02:53:15 +1100 Subject: [PATCH 110/178] containers/fluorite: change slskd env --- secrets/slskd_env.age | Bin 853 -> 847 bytes 1 file changed, 0 insertions(+), 0 deletions(-) 
diff --git a/secrets/slskd_env.age b/secrets/slskd_env.age index 7515e1fe0856de4165a345ca9d18941d86466845..eded5d0ff812e08ea3ca7644c655ca94e63b764b 100644 GIT binary patch delta 796 zcmcc0cAjm5PQ9^9zPWF)vr~j+RC<6}foE!VS$0rnv0J*Exk*-`QL=YMQC4WCkzY=R zFPCddnvZ8_wuwPzahjh~q=~b)qk&hJN3u~+qO-5Qk5_J4pjT;Ws&-;zF_*5LLUD11 zZfc5=si~o*LQ;@hVQQd4L~>S&PoZCgqX7{%$5*y1Kdw<$h%$C4m9{ zAr+}5{soCuSxyo8CTT&&A;`h|hzTxtQ@iv_+&ZW8;+-g>`_I)GK5?G)u;;^%dvSUncP_E7^4Z_#vEWINTtZ^D>;JZ(_4hSQCIu<7 z|I^Ajr1*QvaYxCv`*jXsa_)P7uRmk+_p4F&VqI?wkFNoxr;Vhtf|bKBOcC9}{P5P5 z?>Tl3o9hJu)f{%b=8Kd8#)<+ zh5ARLKC3nScdKMSX?k*Bhf`qr<-6bXZzw(6@`K&$bnu&&`WdFP(rSfOoupUo4LGvy z3WpA3QLkHq+!VjuWry>YJHI;IH*<24*W|lj64M?i9Lro|zn*FSbc64ERu)wKPYk;n z{kGwC<>9Q25hm~2zB$}&MQp(rvOv);x4(yF%H&S_r@`3(=>}4) delta 802 zcmX@lc9m^{PJND%L5jOig-c~px{0@;V|YY?V}5y5QbBl`n@ggzv9o!pQF?}VXljaa zK3BeLNo8(9Ns(Kmd1|nKgr9#|dAMVuM@ou^sdi#iieF(^ikYida+E`9R#m=5#KEX-pAudT~*{)uZ83rj%rC9+crtSt@y1KdwJ}DJ>ffgP~ z-emzksh){d5#iYtX(ap9V`X;r?>Wvg`-oiQ*JPCw`&4#&{akq2 zZ}#+WUG?kv?Rms`{`Q}_$#HDEXwi-^?`w9hPq)`F>91^lyIi_`>xFrH*S_X@kharj z%gc$A-ly&<=5kymp44jd`G~j%|G!@K`-UQC^Af}g;@C9#oZeV*KK|kN=%K)7?)P7w ze!R%o*B6j}Aa}yXqe16hT#o#%w(`4Dy>n9WnVOHRRtyGA^_RY{aM+UfhMQr>|edy|_G~?!? zUCrUm+a4{`e80Kr*_`k82OsYe-g4x`Z=v_zPsIbj#ZM4@R`$w7CsD9%Cu<#h=t+O4 zO;*gx8|**Kdmp=!`IqXvz@s Date: Thu, 26 Mar 2026 19:01:45 +1100 Subject: [PATCH 111/178] containers/beryllium: use ipv4 --- containers/beryllium/configuration.nix | 5 +++-- containers/beryllium/flake.nix | 12 +++++------- 2 files changed, 8 insertions(+), 9 deletions(-) diff --git a/containers/beryllium/configuration.nix b/containers/beryllium/configuration.nix index 07740d2..6629a31 100644 --- a/containers/beryllium/configuration.nix +++ b/containers/beryllium/configuration.nix 
@@ -9,14 +9,15 @@
 networking.firewall.allowedUDPPorts = [ 6167 ];
 # TODO: this should be generically set
 networking.useHostResolvConf = false;
- networking.nameservers = [ "fd0d:1::2:1" ];
+ networking.nameservers = [ "8.8.8.8" ];
 services.matrix-continuwuity = {
 enable = true;
 settings.global = {
 # TODO: link this with outer container's address
- address = [ "fd0d:1::2:2" ];
+ address = [ "10.30.2.2" ];
 server_name = "lava.moe";
+ rocksdb_recovery_mode = 2;
 };
 };
 }
diff --git a/containers/beryllium/flake.nix b/containers/beryllium/flake.nix
index c6b6cae..5805401 100644
--- a/containers/beryllium/flake.nix
+++ b/containers/beryllium/flake.nix
@@ -22,9 +22,9 @@
 useACMEHost = "lava.moe";
 forceSSL = true;
 locations."/".extraConfig = "return 302 'https://lava.moe';";
- locations."/_matrix".proxyPass = "http://[fd0d:1::${subnet}:2]:6167";
- locations."/_conduwuit".proxyPass = "http://[fd0d:1::${subnet}:2]:6167";
- locations."/_continuwuity".proxyPass = "http://[fd0d:1::${subnet}:2]:6167";
+ locations."/_matrix".proxyPass = "http://10.30.${subnet}.2:6167";
+ locations."/_conduwuit".proxyPass = "http://10.30.${subnet}.2:6167";
+ locations."/_continuwuity".proxyPass = "http://10.30.${subnet}.2:6167";
 };
 services.nginx.virtualHosts."lava.moe" = {
@@ -52,9 +52,8 @@
 containers.${name} = {
 autoStart = true;
 privateNetwork = true;
- hostAddress6 = "fd0d:1::${subnet}:1";
- localAddress6 = "fd0d:1::${subnet}:2";
- # privateUsers = "pick";
+ hostAddress = "10.30.${subnet}.1";
+ localAddress = "10.30.${subnet}.2";
 nixpkgs = nixpkgs;
 ephemeral = true;
 config = { imports = [ ./configuration.nix ]; };
@@ -64,7 +63,6 @@
 mountPoint = "/persist";
 isReadOnly = false;
 };
- # flake = "path:" + ./.;
 };
 };
 };
From 52e53ba5b3b877a829c1b445b33167cb7051c48e Mon Sep 17 00:00:00 2001
From: Cilly Leang
Date: Sun, 5 Apr 2026 09:32:33 +1000
Subject: [PATCH 112/178] containers/amethyst: use ipv4 proxy
---
 containers/amethyst/flake.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
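Review bot: `networking.nameservers = [ "8.8.8.8" ]` sends the container's DNS to an external resolver over plain port 53, replacing the host-side resolver it used before; elsewhere in this series the host's unbound forwards upstream over port 853, so this container now does its lookups in the clear and outside that path. Pointing it at the host side of the new IPv4 link instead, `networking.nameservers = [ "10.30.2.1" ];` (the `hostAddress` pattern the flake.nix hunk introduces), keeps the previous behaviour. `rocksdb_recovery_mode = 2;` carries no comment: if it was set to get past a corrupted database once, mark it `# TODO: remove after recovery` so it does not stay on permanently.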
diff --git a/containers/amethyst/flake.nix b/containers/amethyst/flake.nix
index 5b9817e..739c3e5 100644
--- a/containers/amethyst/flake.nix
+++ b/containers/amethyst/flake.nix
@@ -21,7 +21,8 @@
 services.nginx.virtualHosts."${fqdn}" = {
 useACMEHost = "lava.moe";
 forceSSL = true;
- locations."/".proxyPass = "http://[fd0d:1::${subnet}:2]:9091";
+ #locations."/".proxyPass = "http://[fd0d:1::${subnet}:2]:9091";
+ locations."/".proxyPass = "http://10.30.${subnet}.2:9091";
 listenAddresses = [ "10.0.0.1" "[fd0d::1]" ];
 };
From 4a91f8a1652eaabd7bc933428d76aeb86263c0b4 Mon Sep 17 00:00:00 2001
From: Cilly Leang
Date: Fri, 10 Apr 2026 01:02:28 +1000
Subject: [PATCH 113/178] system/wireguard: also forward udp
---
 modules/system/wireguard.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/modules/system/wireguard.nix b/modules/system/wireguard.nix
index bdfe900..71f85ad 100644
--- a/modules/system/wireguard.nix
+++ b/modules/system/wireguard.nix
@@ -6,7 +6,7 @@ let
 serverIp = gcSecrets.wireguard.gateway;
 forwarding = {
-# "22727" = [ "10.100.0.3" "7777" ];
+ "22727" = [ "10.100.0.3" "7777" ];
 };
 mapForwards = type:
@@ -18,6 +18,8 @@ let
 in ''
 ${pkgs.iptables}/bin/iptables -${type} PREROUTING -t nat -i ${serverInterface} -p tcp --dport ${sport} -j DNAT --to ${dest}:${dport}
 ${pkgs.iptables}/bin/iptables -${type} FORWARD -p tcp -d ${dest} --dport ${dport} -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -${type} PREROUTING -t nat -i ${serverInterface} -p udp --dport ${sport} -j DNAT --to ${dest}:${dport}
+ ${pkgs.iptables}/bin/iptables -${type} FORWARD -p udp -d ${dest} --dport ${dport} -j ACCEPT
 '')
 forwarding
 );
From 5680e29cd2ba1572cfcb59d536455f959cecfec9 Mon Sep 17 00:00:00 2001
From: Cilly Leang
Date: Sat, 11 Apr 2026 22:47:29 +1000
Subject: [PATCH 114/178] services/unbound: add google to dns
---
 modules/services/unbound.nix | 4 ++++
 1 file changed, 4 insertions(+)
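Review bot: The new UDP `FORWARD` rule, like the TCP one above it, accepts forwarded traffic to `${dest}:${dport}` arriving on any interface, whereas the DNAT is limited to `-i ${serverInterface}`; adding `-i ${serverInterface}` to both FORWARD rules keeps the accept exactly as narrow as the redirect. The four iptables lines are now two near-identical protocol blocks, and if `lib` is in scope in this file, generating them with `lib.concatMapStrings (proto: ''…'') [ "tcp" "udp" ]` stops them drifting apart. `mapForwards` begins before this hunk and the surrounding `let` continues past it.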
diff --git a/modules/services/unbound.nix b/modules/services/unbound.nix
index 349f9e8..a1b4ac4 100644
--- a/modules/services/unbound.nix
+++ b/modules/services/unbound.nix
@@ -27,8 +27,12 @@ in {
 forward-addr = [
 "2606:4700:4700::1111@853#cloudflare-dns.com"
 "2606:4700:4700::1001@853#cloudflare-dns.com"
+ "2001:4860:4860::8888@853#dns.google"
+ "2001:4860:4860::8844@853#dns.google"
 "1.1.1.1@853#cloudflare-dns.com"
 "1.0.0.1@853#cloudflare-dns.com"
+ "8.8.8.8@853#dns.google"
+ "8.8.4.4@853#dns.google"
 ];
 }];
From de857dcfbfc60d39161b14257d7661841dc06d13 Mon Sep 17 00:00:00 2001
From: Cilly Leang
Date: Thu, 28 May 2026 21:20:27 +1000
Subject: [PATCH 115/178] services/nginx: credentialsFile -> environmentFile
---
 modules/services/nginx.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/services/nginx.nix b/modules/services/nginx.nix
index 51641b4..a02b7e9 100644
--- a/modules/services/nginx.nix
+++ b/modules/services/nginx.nix
@@ -6,7 +6,7 @@
 email = "me@lava.moe";
 group = "nginx";
 dnsProvider = "cloudflare";
- credentialsFile = config.age.secrets."acme_dns".path;
+ environmentFile = config.age.secrets."acme_dns".path;
 };
 certs."lava.moe" = {
 extraDomainNames = [
From d13f18a1899628e8b9cc2875abe61e1c40be2c67 Mon Sep 17 00:00:00 2001
From: Cilly Leang
Date: Thu, 28 May 2026 21:21:49 +1000
Subject: [PATCH 116/178] user/neovim{,-minimal}: set defaults to suppress warning
---
 modules/user/neovim-minimal.nix | 2 ++
 modules/user/neovim.nix | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/modules/user/neovim-minimal.nix b/modules/user/neovim-minimal.nix
index a7d3f8c..392097d 100644
--- a/modules/user/neovim-minimal.nix
+++ b/modules/user/neovim-minimal.nix
@@ -9,6 +9,8 @@
 vimAlias = true;
 vimdiffAlias = true;
 withNodeJs = false;
+ withPython3 = false;
+ withRuby = false;
 plugins = with pkgs.vimPlugins; [
 fzf-vim
diff --git a/modules/user/neovim.nix b/modules/user/neovim.nix
index 30ffac9..d691c61 100644
--- a/modules/user/neovim.nix
+++ b/modules/user/neovim.nix
@@ -17,6 +17,8 @@ in {
 vimdiffAlias = true;
 #package = pkgs.neovim-nightly;
 withNodeJs = true;
+ withPython3 = true;
+ withRuby = false;
 extraPackages = with pkgs; [
 rust-analyzer
From 69717ef92ba8cb0763b17af502c5174d95de65a3 Mon Sep 17 00:00:00 2001
From: Cilly Leang
Date: Thu, 28 May 2026 21:33:57 +1000
Subject: [PATCH 117/178] hosts/dandelion: enable tailscale
---
 hosts/dandelion/default.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/hosts/dandelion/default.nix b/hosts/dandelion/default.nix
index 92e53be..33b6eec 100644
--- a/hosts/dandelion/default.nix
+++ b/hosts/dandelion/default.nix
@@ -19,6 +19,7 @@
 nix-stable
 packages
 security
+ tailscale
 wireguard
 modules.services.banksia
From e5e608c580e9598d897485f66a14bce0e0740d1d Mon Sep 17 00:00:00 2001
From: Cilly Leang
Date: Thu, 28 May 2026 21:56:34 +1000
Subject: [PATCH 118/178] services/unbound: allow access from tailscale
---
 modules/services/unbound.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/modules/services/unbound.nix b/modules/services/unbound.nix
index a1b4ac4..8aae0fd 100644
--- a/modules/services/unbound.nix
+++ b/modules/services/unbound.nix
@@ -41,8 +41,10 @@ in {
 access-control = [
 "127.0.0.1/8 allow"
 "10.0.0.0/8 allow"
+ "100.64.0.0/10 allow"
 "192.168.100.0/24 allow"
- "fd0d::/16 allow"
+ "fd0d::/16 allow"
+ "fd7a:115c:a1e0::/48 allow"
 "${gcSecrets.wireguard.ipv6Subnet}:/80 allow"
 ];
 domain-insecure = [ "\"local.lava.moe\"" ];
From d0e090bb6815110376b9bceb40880a9a5ee00ee3 Mon Sep 17 00:00:00 2001
From: Cilly Leang
Date: Thu, 28 May 2026 22:10:44 +1000
Subject: [PATCH 119/178] hosts/alyssum: enable tailscale
---
 hosts/alyssum/default.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/hosts/alyssum/default.nix b/hosts/alyssum/default.nix
index 4a6ef0c..087c77f 100644
--- a/hosts/alyssum/default.nix
+++ b/hosts/alyssum/default.nix
@@ -20,6 +20,7 @@
 nix-stable
 packages
 security
+ tailscale
 ./filesystem.nix
 ./kernel.nix
From b8a7dfa8a87ea914c99861dfbfcdbfab200de5f3 Mon Sep 17 00:00:00 2001
From: Cilly Leang
Date: Thu, 28 May 2026 22:19:54 +1000
Subject: [PATCH 120/178] system/tailscale: enable routing features
---
 modules/system/tailscale.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/modules/system/tailscale.nix b/modules/system/tailscale.nix
index 9de220d..4bded31 100644
--- a/modules/system/tailscale.nix
+++ b/modules/system/tailscale.nix
@@ -4,5 +4,6 @@
 enable = true;
 authKeyFile = config.age.secrets.tailscale_auth.path;
 openFirewall = true;
+ useRoutingFeatures = if config.me.environment == "headless" then "both" else "client";
 };
 }
From 81c17720eb4858d2c69ba7e79e1e96494f7b40de Mon Sep 17 00:00:00 2001
From: Cilly Leang
Date: Thu, 28 May 2026 22:40:19 +1000
Subject: [PATCH 121/178] containers/{d,e,f}: listen on tailscale
---
 containers/diamond/flake.nix | 2 +-
 containers/emerald/flake.nix | 2 +-
 containers/fluorite/flake.nix | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/containers/diamond/flake.nix b/containers/diamond/flake.nix
index 13b6b1e..71ab4fd 100644
--- a/containers/diamond/flake.nix
+++ b/containers/diamond/flake.nix
@@ -24,7 +24,7 @@
 useACMEHost = "lava.moe";
 forceSSL = true;
 locations."/".proxyPass = "http://[${client}]:8000";
- listenAddresses = [ "10.0.0.1" "[fd0d::1]" ];
+ listenAddresses = [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ];
 };
 systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
diff --git a/containers/emerald/flake.nix b/containers/emerald/flake.nix
index 5ecf768..9c9acdc 100644
--- a/containers/emerald/flake.nix
+++ b/containers/emerald/flake.nix
@@ -39,7 +39,7 @@
 useACMEHost = "lava.moe";
 forceSSL = true;
 locations."/".proxyPass = "http://[${client}]:4533";
- listenAddresses = [ "10.0.0.1" "[fd0d::1]" ];
+ listenAddresses = [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ];
 };
 services.nginx.virtualHosts."${shareFqdn}" = {
 useACMEHost = "lava.moe";
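Review bot: `useRoutingFeatures = "both"` on every headless host switches on kernel IP forwarding (the `server`/`both` values do that in the NixOS module, on top of the loose reverse-path filtering `client` sets), so all headless machines become able to route for the tailnet whether or not they are meant to advertise anything. If only some of them should act as subnet routers or exit nodes, a per-host override is safer than keying it off `me.environment`; either way the intent belongs in a comment, e.g. `# headless: forwarding on so the host can serve as subnet router / exit node (still needs --advertise-* at 'tailscale up')`.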
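Review bot: `100.67.1.1` is a hard-coded Tailscale address repeated verbatim in the diamond and emerald hunks here and in the fluorite hunk that follows, so a change of tailnet address means editing three flakes in step. nginx also has to bind that address at start-up, and Tailscale assigns it asynchronously after boot, so unless ordering or non-local bind is handled somewhere not visible here the service can fail with an address-not-available error on a cold start — worth confirming. Defining it once in each flake's `let` (or passing it in from the host) with a note, `tailscaleAddr = "100.67.1.1"; # this host's tailnet IP; nginx binds it for tailnet-only access`, removes the duplication.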
diff --git a/containers/fluorite/flake.nix b/containers/fluorite/flake.nix
index c49e63b..33fcdb1 100644
--- a/containers/fluorite/flake.nix
+++ b/containers/fluorite/flake.nix
@@ -39,7 +39,7 @@
 useACMEHost = "lava.moe";
 forceSSL = true;
 locations."/".proxyPass = "http://[${client}]:5030";
- listenAddresses = [ "10.0.0.1" "[fd0d::1]" ];
+ listenAddresses = [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ];
 };
 systemd.tmpfiles.rules = [
From 604983800f2b0f072160f4afa65823872bceae07 Mon Sep 17 00:00:00 2001
From: Cilly Leang
Date: Sat, 30 May 2026 01:27:12 +1000
Subject: [PATCH 122/178] hyacinth/packages: add discord
---
 hosts/hyacinth/packages.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/hosts/hyacinth/packages.nix b/hosts/hyacinth/packages.nix
index f4e4fe4..69f9ba1 100644
--- a/hosts/hyacinth/packages.nix
+++ b/hosts/hyacinth/packages.nix
@@ -1,5 +1,6 @@
 { pkgs, ... }: {
 environment.systemPackages = with pkgs; [
+ discord
 jetbrains.idea
 texliveFull
 ];
From 4a82035d825230d6ef4f304a61c90f235dd528af Mon Sep 17 00:00:00 2001
From: Cilly Leang
Date: Sat, 30 May 2026 01:45:45 +1000
Subject: [PATCH 123/178] hosts/hyacinth: enable tailscale
---
 hosts/hyacinth/default.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/hosts/hyacinth/default.nix b/hosts/hyacinth/default.nix
index 620798b..c307ce8 100644
--- a/hosts/hyacinth/default.nix
+++ b/hosts/hyacinth/default.nix
@@ -28,6 +28,7 @@
 printing
 security
 snapper
+ tailscale
 wireguard
 modules.services.syncthing
From 1941deb004910565e1f08ad7736dfa49a22dc452 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Fri, 29 May 2026 04:02:18 +0000
Subject: [PATCH 124/178] flake: bump inputs
---
 flake.lock | 102 ++++++++++++++++++++++++++---------------------------
 1 file changed, 51 insertions(+), 51 deletions(-)
diff --git a/flake.lock b/flake.lock
index d6070b9..db4bae9 100644
--- a/flake.lock
+++ b/flake.lock
@@ -7,11 +7,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1777475243, - "narHash": "sha256-EiCeDGJewyWq2Mtdt5m8qyo/W5PXVUCacLuZJ/diBQ8=", + "lastModified": 1779903856, + "narHash": "sha256-uRShMtD6xW3ZKZbCQ6sDzKWEnbBXUg3IGfOARYogKhg=", "owner": "ezKEa", "repo": "aagl-gtk-on-nix", - "rev": "12e7b06163456e4c3685ee83b8fdc277fe03bdc8", + "rev": "50671fc7f29d686f63ef34b603320d44ad7f2d29", "type": "github" }, "original": { @@ -295,11 +295,11 @@ ] }, "locked": { - "lastModified": 1777988971, - "narHash": "sha256-qIoWPDs+0/8JecyYgE3gpKQxW/4bLW/gp45vow9ioCQ=", + "lastModified": 1778716662, + "narHash": "sha256-m1Yf0wZ8j1OHjTc2UwHwyQRSnNeSgLJOd7q5Y45hzi4=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "0678d8986be1661af6bb555f3489f2fdfc31f6ff", + "rev": "f7c1a2d347e4c52d5fb8d10cb4d94b5884e546fb", "type": "github" }, "original": { @@ -313,11 +313,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1777988971, - "narHash": "sha256-qIoWPDs+0/8JecyYgE3gpKQxW/4bLW/gp45vow9ioCQ=", + "lastModified": 1778716662, + "narHash": "sha256-m1Yf0wZ8j1OHjTc2UwHwyQRSnNeSgLJOd7q5Y45hzi4=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "0678d8986be1661af6bb555f3489f2fdfc31f6ff", + "rev": "f7c1a2d347e4c52d5fb8d10cb4d94b5884e546fb", "type": "github" }, "original": { @@ -390,11 +390,11 @@ ] }, "locked": { - "lastModified": 1776796298, - "narHash": "sha256-PcRvlWayisPSjd0UcRQbhG8Oqw78AcPE6x872cPRHN8=", + "lastModified": 1778507602, + "narHash": "sha256-kTwur1wV+01SdqskVMSo6JMEpg71ps3HpbFY2GsflKs=", "owner": "cachix", "repo": "git-hooks.nix", - "rev": "3cfd774b0a530725a077e17354fbdb87ea1c4aad", + "rev": "61ab0e80d9c7ab14c256b5b453d8b3fb0189ba0a", "type": "github" }, "original": { 
@@ -496,11 +496,11 @@ ] }, "locked": { - "lastModified": 1778365864, - "narHash": "sha256-ImoT/wqmgMImf2dAC+E0MverAdA4QXsedOeES9B7Ezw=", + "lastModified": 1779969295, + "narHash": "sha256-HwIJ3tOcwSMiV75L7KqJXciXR9UfT+d7rwOZMX7cTnA=", "owner": "nix-community", "repo": "home-manager", - "rev": "2f419037039a152448c5f4ae9494154753d1b399", + "rev": "61e2c9659324181e0f0ed911958c536333b1d4f6", "type": "github" }, "original": { @@ -540,11 +540,11 @@ "linux-tkg": { "flake": false, "locked": { - "lastModified": 1778301982, - "narHash": "sha256-M8a1VqhhI3Ii0KFY4n1UdzUIFwZbET+G464cCb5ye5U=", + "lastModified": 1779857514, + "narHash": "sha256-dCrVB3cFvv1d/9wuEejYN131b1phyf6SDy1bcEvtWGo=", "owner": "Frogging-Family", "repo": "linux-tkg", - "rev": "d20b99557a90663a016f741398098d4d7b3ad119", + "rev": "c9196dea7ee464f7792f94cd39c32431ad9e25ab", "type": "github" }, "original": { @@ -562,11 +562,11 @@ ] }, "locked": { - "lastModified": 1778371477, - "narHash": "sha256-sVlZeFIds47ABfBbAmBLexCFnkE1GIBTNGjAMRh+BfA=", + "lastModified": 1780013080, + "narHash": "sha256-m984DKbcIeNNuLYFjN3780rPEd55Xe9/cB4BNKkIDvg=", "owner": "nix-community", "repo": "neovim-nightly-overlay", - "rev": "b9ee678fadf59b3c998e180d62f4cee0641d21d9", + "rev": "c6cc238427db8f61b786a66d7e02cf7724b30226", "type": "github" }, "original": { @@ -578,11 +578,11 @@ "neovim-src": { "flake": false, "locked": { - "lastModified": 1778321961, - "narHash": "sha256-lrPZ0C+uixk+6jx+maWM998GZaj4lAuicAz/dZHFNBk=", + "lastModified": 1779979065, + "narHash": "sha256-3uF/oP2D4Jka3DU2G8qqml75UOzPRrK+FIp+jghOq0s=", "owner": "neovim", "repo": "neovim", - "rev": "b44c2bdd16226f6caa5324d91f1ae9781ffdc12b", + "rev": "5d85669a33e10f1f156b086562458cbbc8054438", "type": "github" }, "original": { 
@@ -598,11 +598,11 @@ "nixpkgs": "nixpkgs_9" }, "locked": { - "lastModified": 1778384395, - "narHash": "sha256-ymn6ivl8RbUK8oevC+aRQ3IY3cB3Jg0dCv7LR5XSBVo=", + "lastModified": 1779768228, + "narHash": "sha256-/dRavNAx/Mp67xcQQ3JBIMyf0cLoXqKedafB1+wksAE=", "owner": "fufexan", "repo": "nix-gaming", - "rev": "8368f981774ee25774d016e810d426891174a993", + "rev": "6e7a8414c0f547a86646eb0b56ebf89e7cc217a2", "type": "github" }, "original": { @@ -618,11 +618,11 @@ ] }, "locked": { - "lastModified": 1778240325, - "narHash": "sha256-d2HIS7LpfI0lgxiXCXLjxrHl3eIdNvAVexOu0xiM488=", + "lastModified": 1779604987, + "narHash": "sha256-ZQ5z+fVhxYKtIFwtqGp5O0PD84BM1riASvqDaN5Xs+s=", "owner": "nix-community", "repo": "nix-index-database", - "rev": "dd2d0e3f6ba00af01b9498f5697173bdc2524bee", + "rev": "8fba98c80b48fa013820e0163c5096922fea4ddd", "type": "github" }, "original": { @@ -633,11 +633,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1770841267, - "narHash": "sha256-9xejG0KoqsoKEGp2kVbXRlEYtFFcDTHjidiuX8hGO44=", + "lastModified": 1777268161, + "narHash": "sha256-bxrdOn8SCOv8tN4JbTF/TXq7kjo9ag4M+C8yzzIRYbE=", "owner": "nixos", "repo": "nixpkgs", - "rev": "ec7c70d12ce2fc37cb92aff673dcdca89d187bae", + "rev": "1c3fe55ad329cbcb28471bb30f05c9827f724c76", "type": "github" }, "original": { @@ -680,11 +680,11 @@ }, "nixpkgs_10": { "locked": { - "lastModified": 1777954456, - "narHash": "sha256-hGdgeU2Nk87RAuZyYjyDjFL6LK7dAZN5RE9+hrDTkDU=", + "lastModified": 1779560665, + "narHash": "sha256-tpyBcxPpcQb8ukyNF7DoCwfSY3VPsxHoYwj00Cayv5o=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "549bd84d6279f9852cae6225e372cc67fb91a4c1", + "rev": "64c08a7ca051951c8eae34e3e3cb1e202fe36786", "type": "github" }, "original": { 
@@ -824,11 +824,11 @@ }, "nixpkgs_9": { "locked": { - "lastModified": 1778274207, - "narHash": "sha256-I4puXmX1iovcCHZlRmztO3vW0mAbbRvq4F8wgIMQ1MM=", + "lastModified": 1779536132, + "narHash": "sha256-q+fF42iv/geEbHfgSzy3tS0FF/EyD6XTZ98E6yxiBO8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b3da656039dc7a6240f27b2ef8cc6a3ef3bccae7", + "rev": "3d8f0f3f72a6cd4d93d0ad13203f2ea1cb7e1456", "type": "github" }, "original": { @@ -923,11 +923,11 @@ "pure": { "flake": false, "locked": { - "lastModified": 1770811375, - "narHash": "sha256-Fhk4nlVPS09oh0coLsBnjrKncQGE6cUEynzDO2Skiq8=", + "lastModified": 1779255807, + "narHash": "sha256-UQ0hP3qJd4Qxiw1LXPdb9d0Dc4OSD3HJpgYzaCfujno=", "owner": "sindresorhus", "repo": "pure", - "rev": "dbefd0dcafaa3ac7d7222ca50890d9d0c97f7ca2", + "rev": "cc0759a0de620f191510e2e2f9748194a605b54d", "type": "github" }, "original": { @@ -976,11 +976,11 @@ ] }, "locked": { - "lastModified": 1770952264, - "narHash": "sha256-CjymNrJZWBtpavyuTkfPVPaZkwzIzGaf0E/3WgcwM14=", + "lastModified": 1777605393, + "narHash": "sha256-Hjp0VOOHgHcTrX23iVvnfAudPcuCmfkfpQNFwv2v/ks=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "ec6a3d5cdf14bb5a1dd03652bd3f6351004d2188", + "rev": "ff88db34cfa486fc4964a6991cab1678d82eee8c", "type": "github" }, "original": { @@ -997,11 +997,11 @@ "systems": "systems_5" }, "locked": { - "lastModified": 1777789800, - "narHash": "sha256-XHCvLGu/bEEZRzXVKFu1i+2YB102Nr00n8e7xrzsfVs=", + "lastModified": 1779824049, + "narHash": "sha256-dWHVUjP03KSVG1PaLKA6j9EdxWSxSQvipMUIcSyuA/U=", "owner": "Gerg-L", "repo": "spicetify-nix", - "rev": "d0e921cc48aab6137d203a3eab19601dc2bdc0c3", + "rev": "1362178e5f5f7a848c49fe9dee004ef8824f100a", "type": "github" }, "original": { 
@@ -1029,11 +1029,11 @@ "stevenblack-hosts": { "flake": false, "locked": { - "lastModified": 1778258800, - "narHash": "sha256-wTiDXFiBKV4M4jv1JrVLL/kkIyE1FK4qino07BYU5fc=", + "lastModified": 1779976382, + "narHash": "sha256-wt5NGa4K8/vda669UYUmTUt+BR9X5fPnuTZFfQdpLYo=", "owner": "StevenBlack", "repo": "hosts", - "rev": "8ce06e1ed6f063d3d58cf9c980793415085f5d89", + "rev": "d3e838712512490260f051150e3573eeebecfadb", "type": "github" }, "original": { From 1d9f9f4927fcedfdc810ce98a3f2666f0d7b8ae4 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 29 May 2026 04:02:19 +0000 Subject: [PATCH 125/178] packages/linux-lava: bump to 7.0.10 --- packages/linux-lava/sources.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/linux-lava/sources.nix b/packages/linux-lava/sources.nix index c24fa57..1ea7dcb 100644 --- a/packages/linux-lava/sources.nix +++ b/packages/linux-lava/sources.nix @@ -1,8 +1,8 @@ { fetchFromGitHub, inputs, lib }: let - version = "7.0.5"; + version = "7.0.10"; kernelHash = "1w4i705i0nl1xqv7fdhdbhy7j3xrzhl31fabs6vmgiw7nf06szxv"; - kernelPatchHash = "15a173sx7nw4qkp45f5ksnqd3a1flhpiq3zzsa6gzzcww433hm8d"; + kernelPatchHash = "0h7gxqcnww7sj5cdyblzj04775zhavwdylkm2pm91v6xkjbnz1zj"; mm = lib.versions.majorMinor version; hasPatch = (builtins.length (builtins.splitVersion version)) == 3; From 10fbeac1404f2719437b1d229e128d078ac54694 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Sat, 30 May 2026 01:57:08 +1000 Subject: [PATCH 126/178] user/eww: manually set configDir why was this changed??? --- modules/user/eww.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/user/eww.nix b/modules/user/eww.nix index 9d839e0..fa5fd4e 100644 --- a/modules/user/eww.nix +++ b/modules/user/eww.nix @@ -24,6 +24,6 @@ in { home.packages = with pkgs; [ socat ]; programs.eww = { enable = true; - configDir = res; }; + xdg.configFile."eww".source = res; } 
From 0edeac9f4c06b2dcf20a2338d81dc8ec55643946 Mon Sep 17 00:00:00 2001
From: Cilly Leang
Date: Sat, 30 May 2026 19:38:31 +1000
Subject: [PATCH 127/178] user/neovim: remove lsp.with
---
 res/config.lua | 39 +++++++++++++++++----------------------
 1 file changed, 17 insertions(+), 22 deletions(-)
diff --git a/res/config.lua b/res/config.lua
index 5d205d7..3e91e28 100644
--- a/res/config.lua
+++ b/res/config.lua
@@ -108,18 +108,18 @@ require('lualine').setup {
 -- many thanks to @kristijanhusak
 -- https://github.com/nvim-treesitter/nvim-treesitter/issues/1167#issuecomment-920824125
 function _G.javascript_indent()
- local line = vim.fn.getline(vim.v.lnum)
- local prev_line = vim.fn.getline(vim.v.lnum - 1)
- if line:match('^%s*[%*/]%s*') then
- if prev_line:match('^%s*%*%s*') then
- return vim.fn.indent(vim.v.lnum - 1)
+ local line = vim.fn.getline(vim.v.lnum)
+ local prev_line = vim.fn.getline(vim.v.lnum - 1)
+ if line:match('^%s*[%*/]%s*') then
+ if prev_line:match('^%s*%*%s*') then
+ return vim.fn.indent(vim.v.lnum - 1)
+ end
+ if prev_line:match('^%s*/%*%*%s*$') then
+ return vim.fn.indent(vim.v.lnum - 1) + 1
+ end
 end
- if prev_line:match('^%s*/%*%*%s*$') then
- return vim.fn.indent(vim.v.lnum - 1) + 1
- end
- end
- return vim.fn['GetJavascriptIndent']()
+ return vim.fn['GetJavascriptIndent']()
 end
 vim.cmd('au FileType javascript setlocal indentexpr=v:lua.javascript_indent()')
@@ -157,18 +157,13 @@ vim.api.nvim_create_autocmd("LspAttach", {
 end
 })
-vim.lsp.handlers["textDocument/publishDiagnostics"] = vim.lsp.with(
- vim.lsp.diagnostic.on_publish_diagnostics, {
- focusable = false,
- virtual_text = false,
- underline = true,
- signs = true,
- update_in_insert = true
- }
-)
-vim.lsp.handlers["textDocument/signatureHelp"] = vim.lsp.with(
- vim.lsp.handlers.signature_help, { focusable = false }
-)
+vim.diagnostic.config({
+ focusable = false,
+ virtual_text = false,
+ underline = true,
+ signs = true,
+ update_in_insert = true
+})
 capabilities = require('cmp_nvim_lsp').default_capabilities(capabilities)
From 939d0cc861132ef4f1c6577fcfe4c0ebbf3c7c52 Mon Sep 17 00:00:00 2001
From: Cilly Leang
Date: Sat, 30 May 2026 20:37:42 +1000
Subject: [PATCH 128/178] system/tailscale: persist tailscale state
---
 modules/binds.nix | 9 +++++++++
 modules/default.nix | 1 +
 modules/options.nix | 5 +++++
 modules/system/base.nix | 2 +-
 modules/system/tailscale.nix | 1 +
 5 files changed, 17 insertions(+), 1 deletion(-)
 create mode 100644 modules/binds.nix
diff --git a/modules/binds.nix b/modules/binds.nix
new file mode 100644
index 0000000..9c7d4ad
--- /dev/null
+++ b/modules/binds.nix
@@ -0,0 +1,9 @@
+{ config, lib, ...}: {
+ imports = [ ./options.nix ];
+ fileSystems = lib.mapAttrs (dest: key: {
+ depends = [ "/persist" ];
+ device = "/persist/binds/${key}";
+ fsType = "none";
+ options = [ "bind" ];
+ }) config.me.binds;
+}
diff --git a/modules/default.nix b/modules/default.nix
index d55b54a..6775c55 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -14,6 +14,7 @@ let
 }) paths
 );
 in {
+ binds = ./binds.nix;
 options = ./options.nix;
 services = mkAttrsFromPaths [
 ./services/banksia.nix
diff --git a/modules/options.nix b/modules/options.nix
index b522127..e861c12 100644
--- a/modules/options.nix
+++ b/modules/options.nix
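Review bot: `focusable = false` is not a top-level key of `vim.diagnostic.config()`; the floating-window setting lives under `float`, so as written it is silently ignored and diagnostic floats become focusable again. The replacement also drops the `textDocument/signatureHelp` override that set `focusable = false` for signature help, with nothing equivalent added. Move the option to `float = { focusable = false },` and, if the signature-help behaviour is still wanted, pass the float options at the call site (`vim.lsp.buf.signature_help({ focusable = false })` on recent Neovim — confirm against the installed version).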
@@ -44,5 +44,10 @@ in {
 type = types.bool;
 default = false;
 };
+
+ binds = lib.mkOption {
+ type = with lib.types; attrsOf str;
+ default = {};
+ };
 };
 }
diff --git a/modules/system/base.nix b/modules/system/base.nix
index 36c9993..c45eb99 100644
--- a/modules/system/base.nix
+++ b/modules/system/base.nix
@@ -1,5 +1,5 @@
 { config, inputs, modules, ... }: {
- imports = [ modules.options ];
+ imports = [ modules.binds modules.options ];
 environment.etc = {
 "machine-id".source = "/persist/machine-id";
diff --git a/modules/system/tailscale.nix b/modules/system/tailscale.nix
index 4bded31..732a9bb 100644
--- a/modules/system/tailscale.nix
+++ b/modules/system/tailscale.nix
@@ -1,5 +1,6 @@
 { config, ... }: {
 age.secrets.tailscale_auth.file = ../../secrets/tailscale_auth.age;
+ me.binds."/var/lib/tailscale" = "tailscale";
 services.tailscale = {
 enable = true;
 authKeyFile = config.age.secrets.tailscale_auth.path;
From babc27c8be3385495c04d8841ec8f94346fa5cc9 Mon Sep 17 00:00:00 2001
From: Cilly Leang
Date: Thu, 28 May 2026 23:01:43 +1000
Subject: [PATCH 129/178] containers/garnet: init
---
 containers/garnet/configuration.nix | 32 ++++++++++++
 containers/garnet/flake.lock | 27 ++++++++++
 containers/garnet/flake.nix | 80 +++++++++++++++++++++++++++++
 flake.lock | 47 ++++++++++++++---
 flake.nix | 1 +
 5 files changed, 179 insertions(+), 8 deletions(-)
 create mode 100644 containers/garnet/configuration.nix
 create mode 100644 containers/garnet/flake.lock
 create mode 100644 containers/garnet/flake.nix
diff --git a/containers/garnet/configuration.nix b/containers/garnet/configuration.nix
new file mode 100644
index 0000000..930ae67
--- /dev/null
+++ b/containers/garnet/configuration.nix
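Review bot: The new `binds` option has no `description`, so `me.binds."/var/lib/tailscale" = "tailscale"` in the tailscale hunk reads as magic — which side is the mount point and which the `/persist/binds/` subdirectory can only be found by reading `binds.nix`. Add `description = "Bind mounts onto <name> from /persist/binds/<value>; the directory under /persist/binds must already exist.";` next to `default = {};`. The enclosing `options` set starts outside the hunk.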
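Review bot: `me.binds."/var/lib/tailscale" = "tailscale"` bind-mounts `/persist/binds/tailscale` over the state directory, but nothing in this series creates that directory (the container flakes create their `/persist` paths through `systemd.tmpfiles.rules`), so on a host where it is missing the generated `fileSystems` entry fails to mount — unless it is provisioned by hand, which should then be documented here. tailscaled's state directory holds the node's private key, so the persisted copy should be root-only; a rule in this module such as `systemd.tmpfiles.rules = [ "d /persist/binds/tailscale 0700 root root" ];` covers both creation and permissions. The `services.tailscale` set continues past the hunk.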
@@ -0,0 +1,32 @@
+{ ... }: {
+ system.stateVersion = "25.11";
+ fileSystems."/var/lib/opencloud" = {
+ device = "/persist/opencloud";
+ fsType = "none";
+ options = [ "bind" ];
+ };
+ networking.firewall.allowedTCPPorts = [ 9200 ];
+ networking.firewall.allowedUDPPorts = [ 9200 ];
+
+ services.slskd = {
+ enable = true;
+ domain = null;
+ environmentFile = "/binds/slskd_env";
+ settings = {
+ shares.directories = [ "/binds/music/" ];
+ };
+ };
+ environment.etc."opencloud-admin-pass".text = ''
+ IDM_ADMIN_PASSWORD=supersillysecure
+ '';
+ services.opencloud = {
+ enable = true;
+ url = "https://cloud.lava.moe";
+ address = "127.0.0.1";
+ port = 9200;
+ environment = {
+ PROXY_TLS = "false";
+ };
+ environmentFile = "/etc/opencloud-admin-pass";
+ };
+}
diff --git a/containers/garnet/flake.lock b/containers/garnet/flake.lock
new file mode 100644
index 0000000..4070242
--- /dev/null
+++ b/containers/garnet/flake.lock
@@ -0,0 +1,27 @@
+{
+ "nodes": {
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1779560665,
+ "narHash": "sha256-tpyBcxPpcQb8ukyNF7DoCwfSY3VPsxHoYwj00Cayv5o=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "64c08a7ca051951c8eae34e3e3cb1e202fe36786",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "nixpkgs": "nixpkgs"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/containers/garnet/flake.nix b/containers/garnet/flake.nix
new file mode 100644
index 0000000..7cb7559
--- /dev/null
+++ b/containers/garnet/flake.nix
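Review bot: `environment.etc."opencloud-admin-pass".text` puts the literal OpenCloud admin password in the repository and in the Nix store, which is world-readable on the host and inside the container, so `environmentFile = "/etc/opencloud-admin-pass"` protects nothing. Provision it the way `services.slskd.environmentFile` already does — an agenix secret bind-mounted into the container — and point OpenCloud at it, `environmentFile = "/binds/opencloud_env";`, dropping the `environment.etc` block. Separately, `address = "127.0.0.1"` is unreachable from the host's `proxyPass = "http://[${client}]:9200"` in this patch's flake.nix hunk, so the service needs to bind the container's address (the firewall already confines it to port 9200). The `services.slskd` block with its `/binds/...` paths looks carried over from another container — the garnet flake mounts only `/persist` and `/flower` — so verify slskd is meant to run here at all.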
@@ -0,0 +1,80 @@
+{
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+ };
+ outputs = { nixpkgs, ... }:
+ let
+ name = "garnet";
+ fqdn = "cloud.lava.moe";
+ subnetId = "7";
+
+ subnet = x: "fd0d:1::${subnetId}:${toString x}";
+ host = subnet 1;
+ client = subnet 2;
+
+ subnet4 = x: "10.30.${subnetId}.${toString x}";
+ host4 = subnet4 1;
+ client4 = subnet4 2;
+
+ modules = [
+ ./configuration.nix
+ {
+ networking.useHostResolvConf = false;
+ networking.nameservers = [ host ];
+ }
+ ];
+ in {
+ nixosConfigurations.container = nixpkgs.lib.nixosSystem {
+ inherit modules;
+ };
+ nixosModule = { config, ... }: {
+ networking.nat = {
+ enable = true;
+ enableIPv6 = true;
+ internalInterfaces = [ "ve-${name}" ];
+ };
+
+ services.nginx.virtualHosts."${fqdn}" = {
+ useACMEHost = "lava.moe";
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://[${client}]:9200";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_set_header Host $host;
+ '';
+ };
+ listenAddresses = [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ];
+ };
+
+ systemd.tmpfiles.rules = [
+ "d /persist/containers/${name} 755 root users"
+ "d /persist/flower 755 root users"
+ ];
+ containers.${name} = {
+ autoStart = true;
+ privateNetwork = true;
+ hostAddress = host4;
+ localAddress = client4;
+ hostAddress6 = host;
+ localAddress6 = client;
+ # privateUsers = "pick";
+ nixpkgs = nixpkgs;
+ ephemeral = true;
+ config = { imports = modules; };
+ specialArgs = { inherit fqdn; };
+
+ bindMounts."persist" = {
+ hostPath = "/persist/containers/${name}";
+ mountPoint = "/persist";
+ isReadOnly = false;
+ };
+ bindMounts."content" = {
+ hostPath = "/persist/flower";
+ mountPoint = "/flower";
+ isReadOnly = false;
+ };
+ };
+ };
+ };
+}
diff --git a/flake.lock b/flake.lock
index db4bae9..2578a7e 100644
--- a/flake.lock
+++ b/flake.lock
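Review bot: `# privateUsers = "pick";` is carried over commented-out, so as far as I can tell the container runs without a user namespace and uid 0 inside it is uid 0 on the host, which matters for a service that stores user-uploaded files on a writable bind mount (`/flower`). If `pick` was disabled because of ownership on the bind-mounted directories, the comment should say so, e.g. `# privateUsers = "pick"; # off: /persist and /flower are owned by host uids — TODO revisit`; otherwise enable it. The hard-coded `100.67.1.1` in `listenAddresses` repeats the pattern already noted for the other container flakes.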
@@ -128,6 +128,20 @@ }, "parent": [] }, + "c-garnet": { + "inputs": { + "nixpkgs": "nixpkgs_9" + }, + "locked": { + "path": "./containers/garnet", + "type": "path" + }, + "original": { + "path": "./containers/garnet", + "type": "path" + }, + "parent": [] + }, "catppuccin": { "inputs": { "nixpkgs": "nixpkgs_4" @@ -595,7 +609,7 @@ "inputs": { "flake-parts": "flake-parts_2", "git-hooks": "git-hooks", - "nixpkgs": "nixpkgs_9" + "nixpkgs": "nixpkgs_10" }, "locked": { "lastModified": 1779768228, @@ -679,6 +693,22 @@ } }, "nixpkgs_10": { + "locked": { + "lastModified": 1779536132, + "narHash": "sha256-q+fF42iv/geEbHfgSzy3tS0FF/EyD6XTZ98E6yxiBO8=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "3d8f0f3f72a6cd4d93d0ad13203f2ea1cb7e1456", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_11": { "locked": { "lastModified": 1779560665, "narHash": "sha256-tpyBcxPpcQb8ukyNF7DoCwfSY3VPsxHoYwj00Cayv5o=", @@ -694,7 +724,7 @@ "type": "github" } }, - "nixpkgs_11": { + "nixpkgs_12": { "locked": { "lastModified": 1770019141, "narHash": "sha256-VKS4ZLNx4PNrABoB0L8KUpc1fE7CLpQXQs985tGfaCU=", @@ -824,16 +854,16 @@ }, "nixpkgs_9": { "locked": { - "lastModified": 1779536132, - "narHash": "sha256-q+fF42iv/geEbHfgSzy3tS0FF/EyD6XTZ98E6yxiBO8=", + "lastModified": 1779560665, + "narHash": "sha256-tpyBcxPpcQb8ukyNF7DoCwfSY3VPsxHoYwj00Cayv5o=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3d8f0f3f72a6cd4d93d0ad13203f2ea1cb7e1456", + "rev": "64c08a7ca051951c8eae34e3e3cb1e202fe36786", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixpkgs-unstable", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } @@ -880,7 +910,7 @@ "pastel": { "inputs": { "flake-utils": "flake-utils_2", - "nixpkgs": "nixpkgs_11", + "nixpkgs": "nixpkgs_12", "pnpm2nix": "pnpm2nix" }, "locked": { 
@@ -946,6 +976,7 @@ "c-diamond": "c-diamond", "c-emerald": "c-emerald", "c-fluorite": "c-fluorite", + "c-garnet": "c-garnet", "catppuccin": "catppuccin_2", "catppuccin-palette": "catppuccin-palette", "fast-syntax-highlighting": "fast-syntax-highlighting", @@ -954,7 +985,7 @@ "neovim-nightly": "neovim-nightly", "nix-gaming": "nix-gaming", "nix-index-database": "nix-index-database", - "nixpkgs": "nixpkgs_10", + "nixpkgs": "nixpkgs_11", "nvim-treesitter": "nvim-treesitter", "pastel": "pastel", "pure": "pure", diff --git a/flake.nix b/flake.nix index 377e601..5cf3457 100644 --- a/flake.nix +++ b/flake.nix @@ -44,6 +44,7 @@ c-diamond.url = "path:./containers/diamond"; c-emerald.url = "path:./containers/emerald"; c-fluorite.url = "path:./containers/fluorite"; + c-garnet.url = "path:./containers/garnet"; }; outputs = { self, agenix, catppuccin, nixpkgs, ... } @ inputs: From 140b12fa5d95ee0a77c6233ba537dc9fab64c0b7 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Thu, 28 May 2026 23:02:40 +1000 Subject: [PATCH 130/178] hosts/alyssum: enable garnet --- hosts/alyssum/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/hosts/alyssum/default.nix b/hosts/alyssum/default.nix index 087c77f..1c1db61 100644 --- a/hosts/alyssum/default.nix +++ b/hosts/alyssum/default.nix @@ -1,4 +1,4 @@ -{ lib, modules, modulesPath, ... }: { +{ inputs, modules, modulesPath, ... }: { networking.hostName = "alyssum"; system.stateVersion = "25.11"; time.timeZone = "Australia/Melbourne"; @@ -22,6 +22,8 @@ security tailscale + inputs.c-garnet.nixosModule + ./filesystem.nix ./kernel.nix ./networking.nix From 27e9546327e2d9f2a756f3f65b657ea61e34bfca Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Thu, 28 May 2026 23:04:35 +1000 Subject: [PATCH 131/178] containers/garnet: better ip filtering --- containers/garnet/flake.nix | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) 
diff --git a/containers/garnet/flake.nix b/containers/garnet/flake.nix index 7cb7559..b5e4ba5 100644 --- a/containers/garnet/flake.nix +++ b/containers/garnet/flake.nix @@ -44,7 +44,13 @@ proxy_set_header Host $host; ''; }; - listenAddresses = [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ]; + extraConfig = '' + allow 10.0.0.0/8; + allow 100.0.0.0/8; + allow 192.168.1.0/24; + allow fd0d::/8; + deny all; + ''; }; systemd.tmpfiles.rules = [ From a25d214b82c4459e1e71599bf8917cc12090b337 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Thu, 28 May 2026 23:10:40 +1000 Subject: [PATCH 132/178] hosts/alyssum: enable nginx --- hosts/alyssum/default.nix | 3 +++ secrets.nix | 2 +- secrets/acme_dns.age | 19 ++++++++++--------- 3 files changed, 14 insertions(+), 10 deletions(-) diff --git a/hosts/alyssum/default.nix b/hosts/alyssum/default.nix index 1c1db61..9a53926 100644 --- a/hosts/alyssum/default.nix +++ b/hosts/alyssum/default.nix @@ -4,6 +4,7 @@ time.timeZone = "Australia/Melbourne"; age.secrets = { + acme_dns.file = ../../secrets/acme_dns.age; wpa_conf = { file = ../../secrets/wpa_conf.age; path = "/etc/wpa_supplicant/imperative.conf"; @@ -22,6 +23,8 @@ security tailscale + modules.services.nginx + inputs.c-garnet.nixosModule ./filesystem.nix diff --git a/secrets.nix b/secrets.nix index 5a8bf1b..d2dbc82 100644 --- a/secrets.nix +++ b/secrets.nix @@ -10,7 +10,7 @@ in { "secrets/passwd.age".publicKeys = [ anemone blossom rin ]; "secrets/wpa_conf.age".publicKeys = [ alyssum blossom rin ]; - "secrets/acme_dns.age".publicKeys = [ dandelion hazel rin ]; + "secrets/acme_dns.age".publicKeys = [ alyssum dandelion hazel rin ]; "secrets/navidrome_env.age".publicKeys = [ anemone dandelion rin ]; "secrets/slskd_env.age".publicKeys = [ anemone dandelion rin ]; "secrets/tailscale_auth.age".publicKeys = [ alyssum anemone blossom dandelion rin ]; diff --git a/secrets/acme_dns.age b/secrets/acme_dns.age index a573417..c440de6 100644 --- a/secrets/acme_dns.age +++ b/secrets/acme_dns.age 
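Review bot: The new `allow` list in `extraConfig` is much wider than it looks: `allow 100.0.0.0/8;` admits the whole 100/8 block, of which only `100.64.0.0/10` is the CGNAT range Tailscale uses, and `allow fd0d::/8;` is `fd00::/8`, i.e. every locally-assigned ULA prefix, not this site's `fd0d::/16` or `fd0d:1::/64`. Because this commit also drops `listenAddresses`, the vhost now binds every interface and these `allow`/`deny` rules are the only thing between it and the public side, so they should be tightened to `allow 100.64.0.0/10;` and `allow fd0d::/32;` (or whatever the real ULA allocation is). nginx's `allow`/`deny` keys off `$remote_addr`, so this also must not sit behind another proxy unless `real_ip` is configured.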
@@ -1,10 +1,11 @@ age-encryption.org/v1 --> ssh-ed25519 bRFqeQ trK7wfJ1fObF70yD3a6axuXaZv/EzzFI7he1dvUajH8 -1C5IrwITtma/um0zUo6by0llVTnla7TBdyRD07azTT8 --> ssh-ed25519 ZAcXHw f+n0WJKTViwizwTIgRpbLGqk458SnuAFVVj5FQS0nwA -MRinOTxWGwfeg16VWJYD+1Uta+7xF6G9oyqtYSfEq80 --> ssh-ed25519 U9FXlg 24QGfemIAHZYMwroayNJp91fUkbwUF7ACuXIk+7qdBg -RNGpjxUgfzV/e1Ab/NcA8A0zzxsXU06xmVbLpG3x+iI ---- mekieJNQOl4vcg+hsSOQsFC7mVUZf/oRl/dT7AeTRKg -H즏)k#%3cQں1?ad| 쳄ٗo2 -B)=Zi9pR Klg ՞h \ No newline at end of file +-> ssh-ed25519 kOMSPw vqjZO82kILUQaoD9EwOgnmXKD9IyscgtzP65BVKkGhs +07f0vL5fSq+EVdJ4n3L/q0tGsh0SVLCueTzbrMQC2ok +-> ssh-ed25519 bRFqeQ qZAsyhdIY/fg7weEBYfB/WwFBrr/fDRrjt0J/m+57W4 +FOWjbk7efoVdL9WxjWvaZ/0mJrQ4yj0fN/Fa3zztz84 +-> ssh-ed25519 ZAcXHw UHpAQ4nKoGGaZWXVj4UM6uBanOgDpBvG6XdoBvhz6y8 +xF1orqajQxp2QzU/e1sq8lMxz4AQ2Vr5a3wEU55QqyE +-> ssh-ed25519 U9FXlg n/LPuRDZ7N0VbZYLNr86hH/yRuqd2zFC7Nnpooz8d0o +aZig/wjd5vitGaJwQ89w2M7fj8fAiqTpdDOmLae74sM +--- mXuALIh6k4n0cErsTFnwKemo/r2jFG7mGSTz2M8zXF8 +Zr2. ~MPXŹ1)p9R9S cLzhQO0H7Lj5 \l97ܫn> From 0735ffdb69516426106e51d1a6f7a96b6c50b1fa Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Thu, 28 May 2026 23:22:19 +1000 Subject: [PATCH 133/178] containers/garnet: remove stray sv and set address to local ip --- containers/garnet/configuration.nix | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/containers/garnet/configuration.nix b/containers/garnet/configuration.nix index 930ae67..4f09e34 100644 --- a/containers/garnet/configuration.nix +++ b/containers/garnet/configuration.nix 
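Review bot: `address = "10.30.7.2"` moves OpenCloud off loopback onto the container's veth address while `networking.firewall.allowedTCPPorts = [ 9200 ]` (and the UDP rule, which an HTTP service does not need) stays, so anything that can route to 10.30.7.2 now reaches the plain-HTTP backend directly, bypassing the nginx TLS vhost; binding to `client4` is what the host-side proxy needs, but the firewall rule should be scoped to the host address, e.g. via `networking.firewall.extraCommands` or by dropping the UDP entry and documenting that only `hostAddress` is expected to connect. The context line `environment.etc."opencloud-admin-pass".text = ''IDM_ADMIN_PASSWORD=supersillysecure''` is not touched by this commit, but it puts the admin password into the world-readable Nix store and `/etc`, and into this repository in plaintext; the other services here use `*_env.age` secrets in `secrets.nix`, so this should become `environmentFile = config.age.secrets.opencloud_env.path;` with a matching age file. The enclosing `services.opencloud` block continues past the end of the hunk.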
@@ -8,21 +8,13 @@ networking.firewall.allowedTCPPorts = [ 9200 ]; networking.firewall.allowedUDPPorts = [ 9200 ]; - services.slskd = { - enable = true; - domain = null; - environmentFile = "/binds/slskd_env"; - settings = { - shares.directories = [ "/binds/music/" ]; - }; - }; environment.etc."opencloud-admin-pass".text = '' IDM_ADMIN_PASSWORD=supersillysecure ''; services.opencloud = { enable = true; url = "https://cloud.lava.moe"; - address = "127.0.0.1"; + address = "10.30.7.2"; port = 9200; environment = { PROXY_TLS = "false"; From 011ceee498a0c1361b662c4ffc7e01859086cdea Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Thu, 28 May 2026 23:27:19 +1000 Subject: [PATCH 134/178] containers/garnet: use ipv4 for proxy --- containers/garnet/flake.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/containers/garnet/flake.nix b/containers/garnet/flake.nix index b5e4ba5..e5bdcbc 100644 --- a/containers/garnet/flake.nix +++ b/containers/garnet/flake.nix @@ -38,7 +38,7 @@ useACMEHost = "lava.moe"; forceSSL = true; locations."/" = { - proxyPass = "http://[${client}]:9200"; + proxyPass = "http://${client4}:9200"; proxyWebsockets = true; extraConfig = '' proxy_set_header Host $host; From c4bedfd86e8bdcf9e2a58be5d96d43b4a50677a7 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Thu, 28 May 2026 23:34:25 +1000 Subject: [PATCH 135/178] containers/garnet: move back to listen addrs --- containers/garnet/flake.nix | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/containers/garnet/flake.nix b/containers/garnet/flake.nix index e5bdcbc..c1694a0 100644 --- a/containers/garnet/flake.nix +++ b/containers/garnet/flake.nix @@ -44,13 +44,7 @@ proxy_set_header Host $host; ''; }; - extraConfig = '' - allow 10.0.0.0/8; - allow 100.0.0.0/8; - allow 192.168.1.0/24; - allow fd0d::/8; - deny all; - ''; + listenAddresses = [ "100.67.2.1" ]; }; systemd.tmpfiles.rules = [ From f622d5f5771d6866b7ee3b3c88ed97d4641a5c49 Mon Sep 17 00:00:00 2001 
From: Cilly Leang Date: Thu, 28 May 2026 23:43:07 +1000 Subject: [PATCH 136/178] containers/garnet: try removing host header --- containers/garnet/flake.nix | 3 --- 1 file changed, 3 deletions(-) diff --git a/containers/garnet/flake.nix b/containers/garnet/flake.nix index c1694a0..29540db 100644 --- a/containers/garnet/flake.nix +++ b/containers/garnet/flake.nix @@ -40,9 +40,6 @@ locations."/" = { proxyPass = "http://${client4}:9200"; proxyWebsockets = true; - extraConfig = '' - proxy_set_header Host $host; - ''; }; listenAddresses = [ "100.67.2.1" ]; }; From 34e649e6210ced9f692e2cc300e40236c058a994 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Fri, 29 May 2026 00:43:32 +1000 Subject: [PATCH 137/178] alyssum/filesystem: add myosotis --- hosts/alyssum/filesystem.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/alyssum/filesystem.nix b/hosts/alyssum/filesystem.nix index 205106a..bdea423 100644 --- a/hosts/alyssum/filesystem.nix +++ b/hosts/alyssum/filesystem.nix @@ -26,6 +26,7 @@ in { }; "/boot" = mkLabelMount "stem" "vfat"; + "/flower" = mkBtrfsMount "myosotis" "/@" true; "/nix" = submount "/@/nix" false; "/persist" = (submount "/@/persist" true) // { neededForBoot = true; }; "/persist/.snapshots" = submount "/snap/persist" false; From 48513690982288b4e84daf7e05db8681a1fbab4c Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Fri, 29 May 2026 00:44:13 +1000 Subject: [PATCH 138/178] containers/garnet: add hosts and correct bind mounts --- containers/garnet/configuration.nix | 12 +++++++++++- containers/garnet/flake.nix | 4 ++-- 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/containers/garnet/configuration.nix b/containers/garnet/configuration.nix index 4f09e34..ff514e8 100644 --- a/containers/garnet/configuration.nix +++ b/containers/garnet/configuration.nix 
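Review bot: Removing `proxy_set_header Host $host;` makes nginx fall back to its default of `Host: $proxy_host`, i.e. `10.30.7.2:9200`, for every request to the `/` location, unless the shared nginx module (`modules.services.nginx`, not visible here) turns on `recommendedProxySettings`. OpenCloud is configured with `url = "https://cloud.lava.moe"` and `PROXY_TLS = "false"`, so it depends on the proxy to forward the original host and scheme; without `Host` and `X-Forwarded-Proto` it is likely to build redirects and OIDC issuer URLs on the backend address. If the header was dropped to work around a specific error, a comment naming that error would stop someone re-adding it; otherwise I would restore it together with `proxy_set_header X-Forwarded-Proto $scheme;`.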
@@ -1,10 +1,20 @@ { ... }: { system.stateVersion = "25.11"; fileSystems."/var/lib/opencloud" = { - device = "/persist/opencloud"; + device = "/flower/data"; fsType = "none"; options = [ "bind" ]; }; + fileSystems."/etc/opencloud" = { + device = "/persist/cfg"; + fsType = "none"; + options = [ "bind" ]; + }; + # TODO: hardcoded address + networking.extraHosts = '' + 100.67.2.1 cloud.lava.moe + ''; + networking.firewall.allowedTCPPorts = [ 9200 ]; networking.firewall.allowedUDPPorts = [ 9200 ]; diff --git a/containers/garnet/flake.nix b/containers/garnet/flake.nix index 29540db..93c3304 100644 --- a/containers/garnet/flake.nix +++ b/containers/garnet/flake.nix @@ -41,12 +41,12 @@ proxyPass = "http://${client4}:9200"; proxyWebsockets = true; }; + # TODO: hardcoded address listenAddresses = [ "100.67.2.1" ]; }; systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" - "d /persist/flower 755 root users" ]; containers.${name} = { autoStart = true; @@ -67,7 +67,7 @@ isReadOnly = false; }; bindMounts."content" = { - hostPath = "/persist/flower"; + hostPath = "/flower/opencloud"; mountPoint = "/flower"; isReadOnly = false; }; From e7588e0be0ec335a262f37f3c96f2af4031b132d Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Sat, 30 May 2026 21:24:30 +1000 Subject: [PATCH 139/178] {system,rin}/packages: cleanup --- modules/system/packages.nix | 1 - users/rin/packages.nix | 37 ++++++++++++++++--------------------- 2 files changed, 16 insertions(+), 22 deletions(-) diff --git a/modules/system/packages.nix b/modules/system/packages.nix index afeef4e..d4e2e3c 100644 --- a/modules/system/packages.nix +++ b/modules/system/packages.nix @@ -16,7 +16,6 @@ neovim nfs-utils ntfs3g - oci-cli ripgrep rsync sshfs diff --git a/users/rin/packages.nix b/users/rin/packages.nix index 8b15c60..0916865 100644 --- a/users/rin/packages.nix +++ b/users/rin/packages.nix 
@@ -19,15 +19,28 @@ in { nodejs_latest pamixer pnpm - qmk unrar - weechat yt-dlp + ] ++ lib.optionals (config.me.environment == "desktop") [ + krita + lutris + mangohud + (prismlauncher.override { + jdks = [ + jdk21 + temurin-bin-25 + ]; + }) + inputs.nix-gaming.packages.x86_64-linux.osu-lazer-bin + qmk + tetrio-desktop + tor-browser + virt-manager + winetricks ] ++ lib.optionals config.me.gui [ android-studio brightnessctl drawio - element-desktop evince eww feh @@ -36,37 +49,19 @@ in { gamescope gimp3 grim - jetbrains.gateway - #kotatogram-desktop - krita lm_sensors - lutris - insomnia maim - mangohud me.psensor - inputs.nix-gaming.packages.x86_64-linux.osu-lazer-bin - # inputs.nix-gaming.packages.x86_64-linux.wine-osu obsidian pavucontrol - (prismlauncher.override { - jdks = [ - jdk21 - temurin-bin-25 - ]; - }) qbittorrent rivalcfg screenkey slurp swaybg - tetrio-desktop texliveFull - tor-browser transmission-remote-gtk vesktop - virt-manager - winetricks zathura zenity From cc2e9d1a90da5b9e16da55a864cd07deec24b727 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Sun, 31 May 2026 02:15:37 +1000 Subject: [PATCH 140/178] user/eww: use iwd tools instead of nmcli --- modules/user/eww.nix | 2 +- res/eww/eww.yuck | 28 +++++++++++++++------------- res/eww/scripts/network.sh | 19 ------------------- 3 files changed, 16 insertions(+), 33 deletions(-) delete mode 100755 res/eww/scripts/network.sh diff --git a/modules/user/eww.nix b/modules/user/eww.nix index fa5fd4e..13db70e 100644 --- a/modules/user/eww.nix +++ b/modules/user/eww.nix @@ -21,7 +21,7 @@ let ''; }; in { - home.packages = with pkgs; [ socat ]; + home.packages = with pkgs; [ iw socat ]; programs.eww = { enable = true; }; diff --git a/res/eww/eww.yuck b/res/eww/eww.yuck index 2598788..d72a2cc 100644 --- a/res/eww/eww.yuck +++ b/res/eww/eww.yuck @@ -1,4 +1,5 @@ (defwindow mainbar :monitor 0 + :geometry (geometry :x "0%" :y "0%" :width "100%" 
@@ -39,14 +40,15 @@ `cat /sys/class/power_supply/_BAT_PATH_/capacity`) (defpoll pbat_status :interval "1s" :run-while bat-enabled `cat /sys/class/power_supply/_BAT_PATH_/status`) -(defpoll network_strength :interval "1s" :run-while wifi-enabled - `nmcli -f IN-USE,SIGNAL device wifi | grep '*' | tr -d -c 0-9`) +(defpoll wifi_ssid :interval "1s" :run-while wifi-enabled + `iwctl station wlan0 show | grep "Connected network" | awk '{print $3}'`) +(defpoll wifi_strength :interval "1s" :run-while wifi-enabled + `iw dev wlan0 link | awk '/signal/ {gsub("-",""); print $2}'`) (defpoll bluetooth_device :interval "1s" :run-while bt-enabled `bluetoothctl devices Connected | grep Device | cut -d" " -f3-`) (defpoll bluetooth_device_count :interval "1s" :run-while bt-enabled `bluetoothctl devices Connected | wc -l`) -(deflisten lnetwork :initial "" :run-while wifi-enabled "./scripts/network.sh") (deflisten ltitle :initial "" "./scripts/title.sh") (deflisten lworkspaces :initial "[]" "./scripts/workspaces.sh") (deflisten lcurrent_workspace :initial "1" "./scripts/active-workspace.sh") 
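Review bot: `awk '{print $3}'` on the `Connected network` line prints only the first word of the SSID, so any network name containing spaces is truncated in the bar even though `wifi_ssid != ""` still treats it as connected; printing everything after the second field avoids that, e.g. `awk '{$1=$2=""; sub(/^ +/, ""); print}'`. The interface is also hard-coded as `wlan0` in both new polls while the battery polls next to them use the `_BAT_PATH_` substitution; a `_WLAN_IF_` placeholder filled in from `modules/user/eww.nix` would keep that consistent, and the deleted script used `wlp1s0`, so the name has already changed once.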
@@ -107,22 +109,22 @@ (defwidget network [] (button :onclick `eww update network-extended=${network-extended ? "false" : "true"}` (box :orientation "horizontal" - :class {"widget pill" + ((network-extended && lnetwork != "Disconnected") ? " extended" : "")} - :spacing {(network-extended && lnetwork != "Disconnected") ? 5 : 0} + :class {"widget pill" + ((network-extended && wifi_ssid != "") ? " extended" : "")} + :spacing {(network-extended && wifi_ssid != "") ? 5 : 0} :space-evenly false (label :text { - (lnetwork == "Disconnected") ? "" - : (network_strength == "") ? "" - : (network_strength < 20) ? "" - : (network_strength < 30) ? "" - : (network_strength < 55) ? "" - : (network_strength < 80) ? "" + (wifi_ssid == "") ? "" + : (wifi_strength == "") ? "" + : (wifi_strength < 75) ? "" + : (wifi_strength < 65) ? "" + : (wifi_strength < 60) ? "" + : (wifi_strength < 50) ? "" : ""} :class "base pill-icon") (revealer :transition "slideleft" - :reveal {network-extended && lnetwork != "Disconnected"} + :reveal {network-extended && wifi_ssid != ""} :duration 150 - (label :text lnetwork + (label :text wifi_ssid :class "base"))))) (defwidget battery [] diff --git a/res/eww/scripts/network.sh b/res/eww/scripts/network.sh deleted file mode 100755 index 7d0c2c8..0000000 --- a/res/eww/scripts/network.sh +++ /dev/null @@ -1,19 +0,0 @@ -#!/usr/bin/env bash - -init=$(nmcli -t -f name,device connection show --active | grep wlp1s0 | cut -d\: -f1) - -if [[ -z $init ]]; then - echo Disconnected -else - echo $init -fi - -nmcli monitor | while read -r line ; do - if [[ $line == *"is now the primary connection" ]]; then - conn=$(echo $line | cut -d\' -f2) - echo $conn - fi - if [[ $line == "There's no primary connection" ]]; then - echo Disconnected - fi -done From 93354e641927c07672e32cd453be5b4c1394a762 Mon Sep 17 00:00:00 2001 
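Review bot: The rewritten icon chain is unreachable past its first arm: after `gsub("-","")` the poll yields the signal magnitude in dBm (smaller means stronger), and `(wifi_strength < 75) ? … : (wifi_strength < 65) ? …` can never reach the `< 65`, `< 60` or `< 50` arms because every value below 75 was already matched, so only the weakest and strongest icons can ever show. The arm order (weakest icon first, as in the nmcli percentage version) is fine if the comparisons are flipped: `(wifi_strength > 75) ? … : (wifi_strength > 65) ? … : (wifi_strength > 60) ? … : (wifi_strength > 50) ? … : <strongest>`. The empty-string case from `iw` when disconnected is already handled by the `wifi_strength == ""` test above it.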
From: Cilly Leang Date: Tue, 2 Jun 2026 19:50:01 +1000 Subject: [PATCH 141/178] containers/citrine: garden -> lab --- containers/citrine/configuration.nix | 2 +- containers/citrine/flake.nix | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/containers/citrine/configuration.nix b/containers/citrine/configuration.nix index 996ffb2..392062c 100644 --- a/containers/citrine/configuration.nix +++ b/containers/citrine/configuration.nix @@ -11,7 +11,7 @@ enable = true; lfs.enable = true; settings = { - DEFAULT.APP_NAME = "Garden"; + DEFAULT.APP_NAME = "cilly's botanical laboratory"; server = { DOMAIN = fqdn; ROOT_URL = "https://${fqdn}/"; diff --git a/containers/citrine/flake.nix b/containers/citrine/flake.nix index 5673c9e..c2a81b7 100644 --- a/containers/citrine/flake.nix +++ b/containers/citrine/flake.nix @@ -6,7 +6,7 @@ outputs = { nixpkgs, catppuccin, ... }: let name = "citrine"; - fqdn = "garden.lava.moe"; + fqdn = "lab.lava.moe"; subnetId = "3"; subnet = x: "fd0d:1::${subnetId}:${toString x}"; From 91abcbed1984e86981e95b395202e240ed13fbf7 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Tue, 2 Jun 2026 19:54:09 +1000 Subject: [PATCH 142/178] services/banksia: redirect to lab --- modules/services/banksia.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/services/banksia.nix b/modules/services/banksia.nix index d6532f6..2ace618 100644 --- a/modules/services/banksia.nix +++ b/modules/services/banksia.nix @@ -4,7 +4,7 @@ "banksia.lava.moe" = { useACMEHost = "lava.moe"; forceSSL = true; - locations."/".return = "302 https://github.com/cillynder/Banksia"; + locations."/".return = "302 https://lab.lava.moe/cilly/Banksia"; locations."/api".proxyPass = "http://localhost:8080/"; }; }; From ee3e0868a8338ab92d34a434e9c3add7dca3db5d Mon Sep 17 00:00:00 2001 
From: Cilly Leang Date: Sat, 6 Jun 2026 20:14:37 +1000 Subject: [PATCH 143/178] system/tailscale: loosen firewall for tailnet --- modules/system/tailscale.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/system/tailscale.nix b/modules/system/tailscale.nix index 732a9bb..02bce52 100644 --- a/modules/system/tailscale.nix +++ b/modules/system/tailscale.nix @@ -1,6 +1,7 @@ { config, ... }: { age.secrets.tailscale_auth.file = ../../secrets/tailscale_auth.age; me.binds."/var/lib/tailscale" = "tailscale"; + networking.firewall.trustedInterfaces = [ "tailscale0" ]; services.tailscale = { enable = true; authKeyFile = config.age.secrets.tailscale_auth.path; From abe0027e5dc405174f7d8993db14e57cadda7b29 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Sat, 6 Jun 2026 20:23:56 +1000 Subject: [PATCH 144/178] hosts/alyssum: add syncthing --- hosts/alyssum/default.nix | 4 +++- modules/services/syncthing.nix | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/hosts/alyssum/default.nix b/hosts/alyssum/default.nix index 9a53926..3eb7289 100644 --- a/hosts/alyssum/default.nix +++ b/hosts/alyssum/default.nix @@ -1,4 +1,4 @@ -{ inputs, modules, modulesPath, ... }: { +{ inputs, lib, modules, modulesPath, ... }: { networking.hostName = "alyssum"; system.stateVersion = "25.11"; time.timeZone = "Australia/Melbourne"; @@ -24,6 +24,7 @@ tailscale modules.services.nginx + modules.services.syncthing inputs.c-garnet.nixosModule @@ -35,4 +36,5 @@ ]; me.environment = "headless"; + services.syncthing.user = lib.mkForce "hana"; } diff --git a/modules/services/syncthing.nix b/modules/services/syncthing.nix index 2316f9f..d27f911 100644 --- a/modules/services/syncthing.nix +++ b/modules/services/syncthing.nix @@ -1,7 +1,7 @@ { config, ... }: let dir = "/persist/shared/.syncthing"; - uid = toString config.users.users.rin.uid; + uid = toString config.services.syncthing.user; gid = toString config.users.groups.users.gid; in { 
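Review bot: `networking.firewall.trustedInterfaces = [ "tailscale0" ]` disables the firewall entirely for traffic arriving over the tailnet, on every host that imports this shared module, so any service that only relied on NixOS's default-deny, including anything bound to all interfaces, becomes reachable from every tailnet peer. Unless Tailscale ACLs are already restrictive (not visible here), the per-interface form loosens only what is needed: `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ … ];` with the ports actually wanted. A one-line comment naming the services this is meant to expose would also make later per-port additions easier to judge.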
From 72078aad6c6142b84c873ceafbad4a6ea464ede7 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Sat, 6 Jun 2026 20:33:19 +1000 Subject: [PATCH 145/178] services/syncthing: listen on all ports for headless --- modules/services/syncthing.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/modules/services/syncthing.nix b/modules/services/syncthing.nix index d27f911..8ec331b 100644 --- a/modules/services/syncthing.nix +++ b/modules/services/syncthing.nix @@ -1,7 +1,8 @@ { config, ... }: let dir = "/persist/shared/.syncthing"; - uid = toString config.services.syncthing.user; + user = if config.me.gui then "rin" else "hana"; + uid = toString config.users.users."${user}".uid; gid = toString config.users.groups.users.gid; in { @@ -13,9 +14,10 @@ in services.syncthing = { enable = true; openDefaultPorts = true; - user = "rin"; + user = user; group = "users"; dataDir = "/persist/shared/.syncthing/data"; configDir = "/persist/shared/.syncthing/config"; + guiAddress = if config.me.gui then "127.0.0.1:8384" else ""; }; } From 1ad05857b7566f15575dd03d09f31da80669744d Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Sat, 6 Jun 2026 20:35:10 +1000 Subject: [PATCH 146/178] services/syncthing: setup correct guiAddress --- modules/services/syncthing.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/services/syncthing.nix b/modules/services/syncthing.nix index 8ec331b..db32371 100644 --- a/modules/services/syncthing.nix +++ b/modules/services/syncthing.nix @@ -18,6 +18,6 @@ in group = "users"; dataDir = "/persist/shared/.syncthing/data"; configDir = "/persist/shared/.syncthing/config"; - guiAddress = if config.me.gui then "127.0.0.1:8384" else ""; + guiAddress = if config.me.gui then "127.0.0.1:8384" else ":8384"; }; } From 9a87dc63c3f2cdd80c5918ff61864471e6186cc3 Mon Sep 17 00:00:00 2001 
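Review bot: `guiAddress = … else ":8384"` binds the Syncthing web UI, which also carries the REST API, to every interface on headless hosts. `openDefaultPorts = true` only opens the sync and discovery ports, so from the public side 8384 is still blocked, but `modules/system/tailscale.nix` lists `tailscale0` in `trustedInterfaces`, so the GUI is reachable from every tailnet node; unless a GUI user and password are set in the Syncthing config (not visible here) that is unauthenticated control of the shares. I would bind it to the host's tailnet or LAN address via a per-host option instead of the wildcard, or keep `127.0.0.1:8384` and expose it through the existing nginx module with auth.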
From: Cilly Leang Date: Fri, 5 Jun 2026 00:12:18 +1000 Subject: [PATCH 147/178] rin/packages: move prism back to shared gui --- users/rin/packages.nix | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/users/rin/packages.nix b/users/rin/packages.nix index 0916865..afc711b 100644 --- a/users/rin/packages.nix +++ b/users/rin/packages.nix @@ -25,12 +25,6 @@ in { krita lutris mangohud - (prismlauncher.override { - jdks = [ - jdk21 - temurin-bin-25 - ]; - }) inputs.nix-gaming.packages.x86_64-linux.osu-lazer-bin qmk tetrio-desktop @@ -54,6 +48,12 @@ in { me.psensor obsidian pavucontrol + (prismlauncher.override { + jdks = [ + jdk21 + temurin-bin-25 + ]; + }) qbittorrent rivalcfg screenkey From 8ca9e393ea1b9d89d49d44d8c2af4bfd4b5aaac0 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Fri, 5 Jun 2026 00:16:15 +1000 Subject: [PATCH 148/178] system/input: swap esc using keyd --- modules/system/input.nix | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/modules/system/input.nix b/modules/system/input.nix index 2ef1eab..44da34b 100644 --- a/modules/system/input.nix +++ b/modules/system/input.nix @@ -6,7 +6,18 @@ "-arinterval 15" ]; }; - xkb.options = "caps:escape"; }; - console.useXkbConfig = true; + services.keyd = { + enable = true; + keyboards = { + default = { + ids = [ "*" ]; + settings = { + main = { + capslock = "overload(control, esc)"; + }; + }; + }; + }; + }; } From 9a6a29831b751dd2a6bb15bf26e6174ebc5ffe8b Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Fri, 5 Jun 2026 00:18:29 +1000 Subject: [PATCH 149/178] system/security: reenable doas persist --- modules/system/security.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/system/security.nix b/modules/system/security.nix index 3b4e8a7..f1f087b 100644 --- a/modules/system/security.nix +++ b/modules/system/security.nix 
@@ -49,7 +49,7 @@ { groups = [ "wheel" ]; keepEnv = true; - persist = config.me.environment != "laptop"; + persist = true; } ]; }; From 8a85e25d720376b4e8dc4bcdfcbc39d549ce008e Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Fri, 5 Jun 2026 00:20:29 +1000 Subject: [PATCH 150/178] system/input: don't overload capslock input delay :p --- modules/system/input.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/system/input.nix b/modules/system/input.nix index 44da34b..67b1a96 100644 --- a/modules/system/input.nix +++ b/modules/system/input.nix @@ -14,7 +14,7 @@ ids = [ "*" ]; settings = { main = { - capslock = "overload(control, esc)"; + capslock = "esc"; }; }; }; From ea17ef30c609d67155a61579a27fac460112feaa Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Fri, 5 Jun 2026 00:22:49 +1000 Subject: [PATCH 151/178] system/input: map esc to capslock --- modules/system/input.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/system/input.nix b/modules/system/input.nix index 67b1a96..a0bf2ff 100644 --- a/modules/system/input.nix +++ b/modules/system/input.nix @@ -15,6 +15,7 @@ settings = { main = { capslock = "esc"; + esc = "capslock"; }; }; }; From 75f9cc9d2bdd32fbcb1e28b7a300d61fc04da2b3 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 10 Jun 2026 15:05:05 +1000 Subject: [PATCH 152/178] system/tailscale: open port 123 on headless --- modules/system/tailscale.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/modules/system/tailscale.nix b/modules/system/tailscale.nix index 02bce52..e7e6e0c 100644 --- a/modules/system/tailscale.nix +++ b/modules/system/tailscale.nix 
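Review bot: `persist = true` re-enables doas password caching unconditionally, where the previous expression deliberately excluded `laptop` hosts; together with `keepEnv = true` on the same wheel rule, a laptop shell left unlocked hands out password-less root for the persist window and passes the caller's environment to it. If dropping the laptop exclusion was intentional, the commit message or a comment should say why; otherwise keep `persist = config.me.environment != "laptop";` and consider `keepEnv = false` (or a `setEnv` allowlist) for this rule. The enclosing `extraRules` list starts before this hunk.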
@@ -1,7 +1,9 @@ -{ config, ... }: { +{ config, lib, ... }: { age.secrets.tailscale_auth.file = ../../secrets/tailscale_auth.age; me.binds."/var/lib/tailscale" = "tailscale"; networking.firewall.trustedInterfaces = [ "tailscale0" ]; + networking.firewall.allowedUdpPorts = lib.mkIf config.me.environment == "headless" [ 123 ]; + services.tailscale = { enable = true; authKeyFile = config.age.secrets.tailscale_auth.path; From b705a21478d057b5bcbebd24ac5ffd3652e747c7 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 10 Jun 2026 15:06:38 +1000 Subject: [PATCH 153/178] system/tailscale: fix syntax --- modules/system/tailscale.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/system/tailscale.nix b/modules/system/tailscale.nix index e7e6e0c..5e3e044 100644 --- a/modules/system/tailscale.nix +++ b/modules/system/tailscale.nix @@ -2,7 +2,7 @@ age.secrets.tailscale_auth.file = ../../secrets/tailscale_auth.age; me.binds."/var/lib/tailscale" = "tailscale"; networking.firewall.trustedInterfaces = [ "tailscale0" ]; - networking.firewall.allowedUdpPorts = lib.mkIf config.me.environment == "headless" [ 123 ]; + networking.firewall.allowedUDPPorts = lib.mkIf (config.me.environment == "headless") [ 123 ]; services.tailscale = { enable = true; From 29909729897e4085370656f6ab19f8d280fafbbf Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 10 Jun 2026 16:01:23 +1000 Subject: [PATCH 154/178] user/git: set default branch name --- modules/user/git.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/user/git.nix b/modules/user/git.nix index 6c21f20..ca2762e 100644 --- a/modules/user/git.nix +++ b/modules/user/git.nix @@ -10,6 +10,7 @@ user.email = "mini@cilly.moe"; core.abbrev = 11; safe.directory = "/home/rin/Projects/flakes"; + init.defaultBranch = "master"; }; }; } From 37f271bed8d08dc44b47620d47f5142e4f81202e Mon Sep 17 00:00:00 2001 
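Review bot: `allowedUDPPorts = lib.mkIf (…) [ 123 ]` opens NTP on every interface of headless hosts, while `trustedInterfaces = [ "tailscale0" ]` two lines above already admits it from the tailnet; if the intent was serving time to tailnet peers the rule is redundant, and if not it exposes whatever answers on 123 to the public side (nothing in this module starts an NTP server, so it may also be dead configuration). Scoping it is a one-liner, `networking.firewall.interfaces.tailscale0.allowedUDPPorts = lib.mkIf (config.me.environment == "headless") [ 123 ];`, and a comment naming the service that listens (chrony, ntpd, timesyncd) would record the reason.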
From: Cilly Leang Date: Wed, 10 Jun 2026 16:05:24 +1000 Subject: [PATCH 155/178] containers/citrine: enable push to create --- containers/citrine/configuration.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/containers/citrine/configuration.nix b/containers/citrine/configuration.nix index 392062c..0f4242a 100644 --- a/containers/citrine/configuration.nix +++ b/containers/citrine/configuration.nix @@ -34,6 +34,8 @@ }; api.ENABLE_SWAGGER = false; other.SHOW_FOOTER_TEMPLATE_LOAD_TIME = false; + repository.ENABLE_PUSH_CREATE_USER = true; + repository.ENABLE_PUSH_CREATE_ORG = true; service.DISABLE_REGISTRATION = true; }; stateDir = "/persist/forgejo"; From 6fc74bd778317c578b8c7532056dfcd469514475 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Tue, 9 Jun 2026 18:15:04 +1000 Subject: [PATCH 156/178] hosts/hyacinth: add docker --- hosts/hyacinth/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/hyacinth/default.nix b/hosts/hyacinth/default.nix index c307ce8..a32d4bd 100644 --- a/hosts/hyacinth/default.nix +++ b/hosts/hyacinth/default.nix @@ -18,6 +18,7 @@ bluetooth ccache corectrl + docker flatpak greetd gui From e98a71cd1ed09eb93a39e5cb1be797b620a4f9aa Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Sat, 13 Jun 2026 22:12:32 +1000 Subject: [PATCH 157/178] containers/garnet: config nginx to avoid errors --- containers/garnet/flake.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/containers/garnet/flake.nix b/containers/garnet/flake.nix index 93c3304..df835a4 100644 --- a/containers/garnet/flake.nix +++ b/containers/garnet/flake.nix @@ -41,6 +41,13 @@ proxyPass = "http://${client4}:9200"; proxyWebsockets = true; }; + extraConfig = '' + proxy_read_timeout 3600s; + proxy_send_timeout 3600s; + keepalive_requests 100000; + keepalive_timeout 5m; + http2_max_concurrent_streams 512; + ''; # TODO: hardcoded address listenAddresses = [ "100.67.2.1" ]; }; From 2a9e8e6c0372c1eacb9fd91a062acd9c657be694 Mon Sep 17 00:00:00 2001 
From: Cilly Leang Date: Sat, 13 Jun 2026 23:44:29 +1000 Subject: [PATCH 158/178] containers/garnet: extend token expiration --- containers/garnet/configuration.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/containers/garnet/configuration.nix b/containers/garnet/configuration.nix index ff514e8..21400c5 100644 --- a/containers/garnet/configuration.nix +++ b/containers/garnet/configuration.nix @@ -28,6 +28,8 @@ port = 9200; environment = { PROXY_TLS = "false"; + IDP_ACCESS_TOKEN_EXPIRATION = "2592000"; + IDP_ID_TOKEN_EXPIRATION = "2592000"; }; environmentFile = "/etc/opencloud-admin-pass"; }; From 402c847f3cd7f457e7946b4b3431a71a47963828 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Sun, 14 Jun 2026 20:32:32 +1000 Subject: [PATCH 159/178] dandelion/filesystem: reduce rootfs from 12G to 6G --- hosts/dandelion/filesystem.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/dandelion/filesystem.nix b/hosts/dandelion/filesystem.nix index 4dd6a55..861bc15 100644 --- a/hosts/dandelion/filesystem.nix +++ b/hosts/dandelion/filesystem.nix @@ -22,7 +22,7 @@ in { "/" = { device = "rootfs"; fsType = "tmpfs"; - options = [ "defaults" "size=12G" "mode=755" ]; + options = [ "defaults" "size=6G" "mode=755" ]; }; "/boot" = mkLabelMount "UEFI" "vfat"; From d1a8e7222f0dd930f945a4f101cd885ce6001357 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 17 Jun 2026 18:11:09 +1000 Subject: [PATCH 160/178] alyssum/samba: init --- hosts/alyssum/default.nix | 1 + hosts/alyssum/samba.nix | 81 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 82 insertions(+) create mode 100644 hosts/alyssum/samba.nix diff --git a/hosts/alyssum/default.nix b/hosts/alyssum/default.nix index 3eb7289..d471011 100644 --- a/hosts/alyssum/default.nix +++ b/hosts/alyssum/default.nix @@ -31,6 +31,7 @@ ./filesystem.nix ./kernel.nix ./networking.nix + ./samba.nix ../../users/hana ]; 
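Review bot: `IDP_ACCESS_TOKEN_EXPIRATION = "2592000"` and `IDP_ID_TOKEN_EXPIRATION = "2592000"` make access and ID tokens valid for 30 days, so a token leaked from a browser, a client log or the proxy stays usable for a month with no refresh step at which it could be refused. If the goal is to keep desktop and mobile clients signed in, the refresh-token lifetime is the knob for that, and access tokens are normally kept to minutes or a few hours. A comment naming the client behaviour that motivated the change would help, as would moving `environmentFile = "/etc/opencloud-admin-pass"` (context here, populated from a plaintext `environment.etc` entry) to an agenix secret in the same step.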
diff --git a/hosts/alyssum/samba.nix b/hosts/alyssum/samba.nix new file mode 100644 index 0000000..9e957e9 --- /dev/null +++ b/hosts/alyssum/samba.nix 
@@ -0,0 +1,81 @@ +{ config, ... }: { + networking.firewall.allowPing = true; + + users.users.cilly = { + hashedPasswordFile = config.age.secrets.passwd.path; + isNormalUser = true; + }; + users.users.kujira = { + hashedPasswordFile = config.age.secrets.passwd.path; + isNormalUser = true; + }; + system.activationScripts = { + init_smbpasswd.text = '' + /run/current-system/sw/bin/printf "$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd.path})\n$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd.path})\n" | /run/current-system/sw/bin/smbpasswd -sa cilly + + /run/current-system/sw/bin/printf "$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd_kujira.path})\n$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd_kujira.path})\n" | /run/current-system/sw/bin/smbpasswd -sa kujira + ''; + }; + + services.samba = { + enable = true; + openFirewall = true; + settings = { + global = { + "workgroup" = "WORKGROUP"; + "server string" = "smbnix"; + "netbios name" = "smbnix"; + "security" = "user"; + "hosts allow" = "100.67.2.1 127.0.0.1 localhost"; + "hosts deny" = "0.0.0.0/0"; + "guest account" = "nobody"; + "map to guest" = "bad user"; + }; + "public" = { + "path" = "/flower/smb/public"; + "browseable" = "yes"; + "read only" = "no"; + "guest ok" = "yes"; + "create mask" = "0644"; + "directory mask" = "0755"; + "force user" = "hana"; + "force group" = "users"; + }; + "cilly" = { + "path" = "/flower/smb/cilly"; + "browseable" = "yes"; + "read only" = "no"; + "guest ok" = "no"; + "create mask" = "0644"; + "directory mask" = "0755"; + "force user" = "cilly"; + "force group" = "users"; + "valid users" = "cilly"; + }; + "kujira" = { + "path" = "/flower/smb/kujira"; + "browseable" = "yes"; + "read only" = "no"; + "guest ok" = "no"; + "create mask" = "0644"; + "directory mask" = "0755"; + "force user" = "kujira"; + "force group" = "users"; + "valid users" = "kujira"; + }; + }; + }; + + services.samba-wsdd = { + enable = true; + openFirewall = true; + 
};
+
+ services.avahi = {
+ enable = true;
+ openFirewall = true;
+ nssmdns4 = true;
+ publish.enable = true;
+ publish.userServices = true;
+}
From 4f8249b780b00add8a8a8d22543a54229faa696d Mon Sep 17 00:00:00 2001
From: Cilly Leang
Date: Wed, 17 Jun 2026 18:16:21 +1000
Subject: [PATCH 161/178] alyssum/samba: use proper credentials
---
 hosts/alyssum/samba.nix | 7 +++++--
 secrets.nix | 2 ++
 secrets/passwd_smbcilly.age | 7 +++++++
 secrets/passwd_smbkujira.age | 7 +++++++
 4 files changed, 21 insertions(+), 2 deletions(-)
 create mode 100644 secrets/passwd_smbcilly.age
 create mode 100644 secrets/passwd_smbkujira.age
diff --git a/hosts/alyssum/samba.nix b/hosts/alyssum/samba.nix
index 9e957e9..6be8e09 100644
--- a/hosts/alyssum/samba.nix
+++ b/hosts/alyssum/samba.nix
@@ -1,6 +1,9 @@
 { config, ... }: {
 networking.firewall.allowPing = true;
+ age.secrets.passwd_smbcilly.file = ../../secrets/passwd_smbcilly.age;
+ age.secrets.passwd_smbkujira.file = ../../secrets/passwd_smbkujira.age;
+
 users.users.cilly = {
 hashedPasswordFile = config.age.secrets.passwd.path;
 isNormalUser = true;
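Review bot: `system.activationScripts.init_smbpasswd` declares no `deps`, so nothing orders it after the `users` activation script or after agenix has placed the secret files it reads; on a first activation `smbpasswd -sa cilly` can run before the unix account exists or before the secret path is populated, and the failure is only visible on stderr. Declaring the ordering, e.g. `init_smbpasswd = { deps = [ "users" "agenix" ]; text = ...; };` (check the name the pinned agenix version registers for its final activation script), makes the first boot deterministic; the same script shape is carried into the later samba.nix patches. Separately, both `cilly` and `kujira` point `hashedPasswordFile` at the single `passwd` secret, so the two login accounts share one password hash — worth a `# shared login hash on purpose` comment if intentional, or separate secrets otherwise.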
@@ -11,9 +14,9 @@
 };
 system.activationScripts = {
 init_smbpasswd.text = ''
- /run/current-system/sw/bin/printf "$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd.path})\n$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd.path})\n" | /run/current-system/sw/bin/smbpasswd -sa cilly
+ /run/current-system/sw/bin/printf "$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd_smbcilly.path})\n$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd_smbcilly.path})\n" | /run/current-system/sw/bin/smbpasswd -sa cilly
- /run/current-system/sw/bin/printf "$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd_kujira.path})\n$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd_kujira.path})\n" | /run/current-system/sw/bin/smbpasswd -sa kujira
+ /run/current-system/sw/bin/printf "$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd_smbkujira.path})\n$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd_smbkujira.path})\n" | /run/current-system/sw/bin/smbpasswd -sa kujira
 '';
 };
diff --git a/secrets.nix b/secrets.nix
index d2dbc82..ec20648 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -8,6 +8,8 @@ let
 rin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPru5eTBvHJ4ZmrrzPRHCGM09wQP/ZHSaKYalDuBVO15";
 in {
 "secrets/passwd.age".publicKeys = [ anemone blossom rin ];
+ "secrets/passwd_smbcilly.age".publicKeys = [ alyssum rin ];
+ "secrets/passwd_smbkujira.age".publicKeys = [ alyssum rin ];
 "secrets/wpa_conf.age".publicKeys = [ alyssum blossom rin ];
 "secrets/acme_dns.age".publicKeys = [ alyssum dandelion hazel rin ];
diff --git a/secrets/passwd_smbcilly.age b/secrets/passwd_smbcilly.age
new file mode 100644
index 0000000..41ad172
--- /dev/null
+++ b/secrets/passwd_smbcilly.age
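Review bot: Both copies of each SMB password are still handed to `/run/current-system/sw/bin/printf`, an external process, as a command-line argument, so the plaintext is briefly readable from that process's argv via /proc (unless hidepid is configured); this patch fixes which secret is used but not how it reaches `smbpasswd`. Using the shell builtin (a bare `printf`) keeps the value inside the activation shell — the later 'use proper smbpasswd path' patch happens to do exactly that — and a `# builtin printf on purpose: keeps the password out of a child process argv` comment would stop someone re-qualifying the path. The secrets.nix hunk correctly scopes the two new `.age` files to `alyssum` and `rin` only.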
@@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 kOMSPw CQaXT9/nw3NGD2/H/ctSQGXIoacgjfKQ24wkpEieLSQ +i4xEXgWGQ7xgQyaDQQIeDuiCLjA6Le23qSnv8C1cbcI +-> ssh-ed25519 U9FXlg GL4dCSCku/FA6ipb9XI1AxO4lhm2r/1lRAeqaGrB32o ++pPgqwnoPi3wJLobTimVMj0rng+XRapRG6jTYFXSsDM +--- eVgn3ON19pqq+L832bqlbkHUQXdaTI+LfSL4bYfEdew +*l\W!J7E/"f@%\[j8fӶ \ No newline at end of file diff --git a/secrets/passwd_smbkujira.age b/secrets/passwd_smbkujira.age new file mode 100644 index 0000000..71b6bb8 --- /dev/null +++ b/secrets/passwd_smbkujira.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 kOMSPw Kn+LPMoyOrVwI/nrGgnxgVA3D+tVY9Tccg/Yx/jL+E8 +IfWiSBh7KgNvgcHlcDzfdcB9nxm1zy12Ae7AGm39fdE +-> ssh-ed25519 U9FXlg 6eIIGEIYDo02FBsgBnwbuOeR8t4xB6jSmLfIL73UCDg +QOc0ddunQQcVEVD20DKKpn3wZWUSveFJSUTBnv+xnNk +--- MjN2i0FNzbUpBGUDNgWGXrRsYl2gtsQX+JlzZV/fYdw +T <R#d Ć̎lLkN8c_N)T \ No newline at end of file From c782bd5e5398534f81214e3bced2aa73e08e10b6 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 17 Jun 2026 18:23:10 +1000 Subject: [PATCH 162/178] hosts/alyssum: add passwd age --- hosts/alyssum/default.nix | 1 + secrets.nix | 2 +- secrets/passwd.age | Bin 531 -> 641 bytes 3 files changed, 2 insertions(+), 1 deletion(-) diff --git a/hosts/alyssum/default.nix b/hosts/alyssum/default.nix index d471011..a2eb166 100644 --- a/hosts/alyssum/default.nix +++ b/hosts/alyssum/default.nix @@ -5,6 +5,7 @@ age.secrets = { acme_dns.file = ../../secrets/acme_dns.age; + passwd.file = ../../secrets/passwd.age; wpa_conf = { file = ../../secrets/wpa_conf.age; path = "/etc/wpa_supplicant/imperative.conf"; diff --git a/secrets.nix b/secrets.nix index ec20648..bec70ef 100644 --- a/secrets.nix +++ b/secrets.nix 
@@ -7,7 +7,7 @@ let rin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPru5eTBvHJ4ZmrrzPRHCGM09wQP/ZHSaKYalDuBVO15"; in { - "secrets/passwd.age".publicKeys = [ anemone blossom rin ]; + "secrets/passwd.age".publicKeys = [ alyssum anemone blossom rin ]; "secrets/passwd_smbcilly.age".publicKeys = [ alyssum rin ]; "secrets/passwd_smbkujira.age".publicKeys = [ alyssum rin ]; "secrets/wpa_conf.age".publicKeys = [ alyssum blossom rin ]; diff --git a/secrets/passwd.age b/secrets/passwd.age index 64ec8611ddf1a1d3f837caf32b53d5843f7b6e07..05ad90670240bfe01391eb8392cd02ad35d1c5bd 100644 GIT binary patch delta 596 zcmbQt(#SeNwLaV5H#neNp(s2%!q_7?$j7C~J=oCKE5oy-BsrwWr64rBz`L|8y{an9 zBFsIqJm0{8D>c(3I5)q`JxHv;MHO0u()X-8PKch0Z#8DyB*uU7sB+Dr%qdv>Az{ywJ$H~awsl?ATEYZ}- zBq+}^uh=leG%DSrIIEm1IU~@_EZfLm-?Yp-P~XEi)LTEepwcm{(l;|J)vYQZF*m9x zwA9fk-OUx93pU|@G%n*z02+xqv4C6e*?2M97@1TsTVAr(597AoN#E=5_%7_xz zi66!5J)J#+EP_p{d>vCFGLt>bjXbKnQd0xd($cd0LNdyNU9#PiEz`1tyaNNda*B*A zTrb|^HnZYzWY=cufpN-;@7gMf=O#Hn1hI;KPb=lf^lIPl6HZS=2L%5*v`cv-> YJkH)xEW9(@zeyiIH`!pOX{Em>0JK!tjsO4v delta 466 zcmZok^FqSVba!Z-*7L(g6wo-1M{@Z+(1XJlyqb7 zC~r^0#MI365OWKE9}mkM^YUg2CC+YMPLZVn zmM&3=UdH9x#W}ui8Low<-e!R*kxo&L1}Q$;fx(uhk3$ZDUR4EYCYcqMr3R5)y1Kdweg%1!i558-K1JHW+FmBw<%#8y zegP(CCdr9;CN6%V`N`(>N#@}Jt|g%+To*((7~f_+q00A8b`fLhp}Xt*if!Dl#T{c2 zE_hU5lHW2pfMsudL!P8U<-)y>#9xJKr5oAp;QEw$;d8I0!J~UpO?>m(ioP9UQxcqb zdDVFa?#j+-DXlZDYLD)8&D4Iu%zD>h!HX%(zs|p!7N2uW{HitM>x2#5(|Mgg3b4ye MK7Ppl$Cj<;0P3%*4gdfE From 509684d0bd094bd96fcef03ceacba6be33446a63 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 17 Jun 2026 18:28:39 +1000 Subject: [PATCH 163/178] alyssum/samba: use proper smbpasswd path --- hosts/alyssum/samba.nix | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/hosts/alyssum/samba.nix b/hosts/alyssum/samba.nix index 6be8e09..ba89a00 100644 --- a/hosts/alyssum/samba.nix +++ b/hosts/alyssum/samba.nix 
@@ -13,10 +13,12 @@
 isNormalUser = true;
 };
 system.activationScripts = {
- init_smbpasswd.text = ''
- /run/current-system/sw/bin/printf "$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd_smbcilly.path})\n$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd_smbcilly.path})\n" | /run/current-system/sw/bin/smbpasswd -sa cilly
+ init_smbpasswd.text = let
+ smbpasswd = "${config.services.samba.package}/bin/smbpasswd";
+ in ''
+ printf "$(cat ${config.age.secrets.passwd_smbcilly.path})\n$(cat ${config.age.secrets.passwd_smbcilly.path})\n" | ${smbpasswd} -sa cilly
- /run/current-system/sw/bin/printf "$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd_smbkujira.path})\n$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd_smbkujira.path})\n" | /run/current-system/sw/bin/smbpasswd -sa kujira
+ printf "$(cat ${config.age.secrets.passwd_smbkujira.path})\n$(cat ${config.age.secrets.passwd_smbkujira.path})\n" | ${smbpasswd} -sa kujira
 '';
 };
From 4bb20124a791bdce70acdd4bdcfe1a2eb4acacb6 Mon Sep 17 00:00:00 2001
From: Cilly Leang
Date: Wed, 17 Jun 2026 18:34:34 +1000
Subject: [PATCH 164/178] alyssum/samba: use full package for discovery
---
 hosts/alyssum/samba.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/hosts/alyssum/samba.nix b/hosts/alyssum/samba.nix
index ba89a00..708286a 100644
--- a/hosts/alyssum/samba.nix
+++ b/hosts/alyssum/samba.nix
@@ -1,4 +1,4 @@
-{ config, ... }: {
+{ config, pkgs, ... }: {
 networking.firewall.allowPing = true;
 age.secrets.passwd_smbcilly.file = ../../secrets/passwd_smbcilly.age;
@@ -24,9 +24,11 @@
 services.samba = {
 enable = true;
+ package = pkgs.samba4Full;
 openFirewall = true;
 settings = {
 global = {
+ "server smb encrypt" = "required";
 "workgroup" = "WORKGROUP";
 "server string" = "smbnix";
 "netbios name" = "smbnix";
From 024a6bdbe2f56232d63c2f62b20bf509b65f7fb0 Mon Sep 17 00:00:00 2001
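Review bot: `"server smb encrypt" = "required"` is the right setting, but as Samba documents it, it also refuses every client that cannot negotiate SMB3 encryption (SMB1 and SMB 2.x), which is behaviour worth stating where it is configured: `# required: SMB3 encryption enforced, older clients are refused` next to the line, ideally paired with an explicit `"server min protocol" = "SMB3_00";` so the protocol floor is visible rather than a side effect. In the 'use proper smbpasswd path' hunk above, taking `smbpasswd` from `config.services.samba.package` and using the builtin `printf` are both improvements, though a failed `smbpasswd -sa` still goes unnoticed; appending `|| echo "init_smbpasswd: failed for cilly" >&2` (and the kujira twin) to each pipeline surfaces it in the activation log.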
From: Cilly Leang
Date: Wed, 17 Jun 2026 18:47:15 +1000
Subject: [PATCH 165/178] alyssum/samba: relax hosts
---
 hosts/alyssum/samba.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hosts/alyssum/samba.nix b/hosts/alyssum/samba.nix
index 708286a..1a32e38 100644
--- a/hosts/alyssum/samba.nix
+++ b/hosts/alyssum/samba.nix
@@ -33,7 +33,7 @@
 "server string" = "smbnix";
 "netbios name" = "smbnix";
 "security" = "user";
- "hosts allow" = "100.67.2.1 127.0.0.1 localhost";
+ "hosts allow" = "100.64.0.0/10 127.0.0.1 alyssum localhost";
 "hosts deny" = "0.0.0.0/0";
 "guest account" = "nobody";
 "map to guest" = "bad user";
From 8157d0d5617bb0780f46c3e0aa1c97e8c9447488 Mon Sep 17 00:00:00 2001
From: Cilly Leang
Date: Wed, 17 Jun 2026 19:49:10 +1000
Subject: [PATCH 166/178] alyssum/home.syncthing: init
---
 hosts/alyssum/default.nix | 1 +
 hosts/alyssum/home.syncthing.nix | 16 ++++++++++++++++
 2 files changed, 17 insertions(+)
 create mode 100644 hosts/alyssum/home.syncthing.nix
diff --git a/hosts/alyssum/default.nix b/hosts/alyssum/default.nix
index a2eb166..661e3d5 100644
--- a/hosts/alyssum/default.nix
+++ b/hosts/alyssum/default.nix
@@ -32,6 +32,7 @@
 ./filesystem.nix
 ./kernel.nix
 ./networking.nix
+ ./home.syncthing.nix
 ./samba.nix
 ../../users/hana
diff --git a/hosts/alyssum/home.syncthing.nix b/hosts/alyssum/home.syncthing.nix
new file mode 100644
index 0000000..3335625
--- /dev/null
+++ b/hosts/alyssum/home.syncthing.nix
@@ -0,0 +1,16 @@
+{ config, ... }: {
+ me.binds."/home/kujira/.config/syncthing" = "kujira/syncthing/config";
+ me.binds."/home/kujira/.local/state/syncthing" = "kujira/syncthing/state";
+
+ users.users.kujira = {
+ hashedPasswordFile = config.age.secrets.passwd.path;
+ isNormalUser = true;
+ linger = true;
+ };
+ home-manager.users.kujira = { ... }: {
+ services.syncthing = {
+ enable = true;
+ guiAddress = ":8385";
+ };
+ };
+}
From 9a821fda94f380a741a25e77760571a6aa77761f Mon Sep 17 00:00:00 2001
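Review bot: `"hosts allow"` now admits the whole 100.64.0.0/10 block — every node in the tailnet, not the single 100.67.2.1 peer it replaced — while the unchanged `"hosts deny" = "0.0.0.0/0"` is an IPv4-only mask; if smbd also accepts connections over IPv6 (Tailscale hands out fd7a:115c:a1e0::/48 addresses and the host advertises itself over mDNS), a v6 client matches neither list, and whether Samba then allows or denies it is not obvious from the config. `"hosts deny" = "ALL";` closes that gap explicitly, and binding smbd to the tailscale interface (`interfaces` plus `bind interfaces only = yes`) would make the intended exposure visible in the config instead of resting on the allow list alone. The hostnames `alyssum` and `localhost` in the list are only matched after a reverse lookup, so they add little over the literal addresses and deserve a comment if they are kept.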
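Review bot: `guiAddress = ":8385"` binds the Syncthing web UI on every address and nothing in the hunk sets a GUI user or password, so whoever can reach TCP 8385 (the hunk does not open the NixOS firewall for it, but tailnet peers or firewall settings elsewhere may) gets full administrative control of kujira's instance, including adding folders under that home directory. Either bind to the loopback or the tailscale address, or set Syncthing's `gui.user`/`gui.password` (via `settings.gui`, if the home-manager module exposes it as the NixOS one does) and say so in a comment next to `guiAddress`. The same applies to the `[::]:8385` form in the later 'add host to gui address' patch and to both instances created by the `configOn` refactor.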
From: Cilly Leang
Date: Wed, 17 Jun 2026 19:50:02 +1000
Subject: [PATCH 167/178] alyssum/home.syncthing: fixup hm config
---
 hosts/alyssum/home.syncthing.nix | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/hosts/alyssum/home.syncthing.nix b/hosts/alyssum/home.syncthing.nix
index 3335625..5895716 100644
--- a/hosts/alyssum/home.syncthing.nix
+++ b/hosts/alyssum/home.syncthing.nix
@@ -8,6 +8,11 @@
 linger = true;
 };
 home-manager.users.kujira = { ... }: {
+ home = {
+ username = "kujira";
+ homeDirectory = "/home/kujira";
+ stateVersion = "26.05";
+ };
 services.syncthing = {
 enable = true;
 guiAddress = ":8385";
From 63d9d6b0044edd9a520aedbe1ab25dc9e9ec0b2e Mon Sep 17 00:00:00 2001
From: Cilly Leang
Date: Wed, 17 Jun 2026 19:58:03 +1000
Subject: [PATCH 168/178] alyssum/home.syncthing: add host to gui address
---
 hosts/alyssum/home.syncthing.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hosts/alyssum/home.syncthing.nix b/hosts/alyssum/home.syncthing.nix
index 5895716..929436b 100644
--- a/hosts/alyssum/home.syncthing.nix
+++ b/hosts/alyssum/home.syncthing.nix
@@ -15,7 +15,7 @@
 };
 services.syncthing = {
 enable = true;
- guiAddress = ":8385";
+ guiAddress = "[::]:8385";
 };
 };
 }
From bc3269a814934ccd8dfa95462735125cdc5d5762 Mon Sep 17 00:00:00 2001
From: Cilly Leang
Date: Wed, 17 Jun 2026 20:29:22 +1000
Subject: [PATCH 169/178] alyssum/home.syncthing: create another instance
---
 hosts/alyssum/home.syncthing.nix | 40 ++++++++++++++++++--------------
 1 file changed, 23 insertions(+), 17 deletions(-)
diff --git a/hosts/alyssum/home.syncthing.nix b/hosts/alyssum/home.syncthing.nix
index 929436b..1e20f97 100644
--- a/hosts/alyssum/home.syncthing.nix
+++ b/hosts/alyssum/home.syncthing.nix
@@ -1,21 +1,27 @@
-{ config, ... }: {
- me.binds."/home/kujira/.config/syncthing" = "kujira/syncthing/config";
- me.binds."/home/kujira/.local/state/syncthing" = "kujira/syncthing/state";
+{ config, lib, ... }:
+let
+ configOn = user: port: {
+ me.binds."/home/${user}/.config/syncthing" = "${user}/syncthing/config";
+ me.binds."/home/${user}/.local/state/syncthing" = "${user}/syncthing/state";
- users.users.kujira = {
- hashedPasswordFile = config.age.secrets.passwd.path;
- isNormalUser = true;
- linger = true;
- };
- home-manager.users.kujira = { ... }: {
- home = {
- username = "kujira";
- homeDirectory = "/home/kujira";
- stateVersion = "26.05";
+ users.users.${user} = {
+ hashedPasswordFile = config.age.secrets.passwd.path;
+ isNormalUser = true;
+ linger = true;
 };
- services.syncthing = {
- enable = true;
- guiAddress = "[::]:8385";
+ home-manager.users.${user} = { ... }: {
+ home = {
+ username = "${user}";
+ homeDirectory = "/home/${user}";
+ stateVersion = "26.05";
+ };
+ services.syncthing = {
+ enable = true;
+ guiAddress = "[::]:${toString port}";
+ };
 };
 };
-}
+in lib.mkMerge [
+ (configOn "kujira" 8385)
+ (configOn "cilly" 8386)
+]
From 5c13051b4b291967d070e3d41dae2801bab17819 Mon Sep 17 00:00:00 2001
From: Cilly Leang
Date: Wed, 17 Jun 2026 21:05:38 +1000
Subject: [PATCH 170/178] alyssum/samba: bind some directories
---
 hosts/alyssum/samba.nix | 159 +++++++++++++++++++---------------------
 modules/binds.nix | 8 +-
 2 files changed, 83 insertions(+), 84 deletions(-)
diff --git a/hosts/alyssum/samba.nix b/hosts/alyssum/samba.nix
index 1a32e38..f14365b 100644
--- a/hosts/alyssum/samba.nix
+++ b/hosts/alyssum/samba.nix
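Review bot: `username = "${user}";` wraps a value that is already a string; `username = user;` says the same thing and matches the `"force user" = user;` style the later samba refactor uses. The refactor also means `users.users.${user}` is now declared in two files (here and in samba.nix) with identical attributes, which as far as I can tell only merges because the values are equal — a `# also declared in samba.nix; keep in sync` comment on the block would save the next editor a surprise when one side changes.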
@@ -1,88 +1,83 @@ -{ config, pkgs, ... }: { - networking.firewall.allowPing = true; +{ config, lib, pkgs, ... }: +let + configOn = user: let + passwd_fname = "passwd_smb${user}"; + in { + age.secrets.${passwd_fname}.file = ../../secrets/${passwd_fname}.age; + me.binds."/flower/smb/${user}/syncthing" = "/flower/syncthing/${user}"; - age.secrets.passwd_smbcilly.file = ../../secrets/passwd_smbcilly.age; - age.secrets.passwd_smbkujira.file = ../../secrets/passwd_smbkujira.age; + users.users.${user} = { + hashedPasswordFile = config.age.secrets.passwd.path; + isNormalUser = true; + }; - users.users.cilly = { - hashedPasswordFile = config.age.secrets.passwd.path; - isNormalUser = true; - }; - users.users.kujira = { - hashedPasswordFile = config.age.secrets.passwd.path; - isNormalUser = true; - }; - system.activationScripts = { - init_smbpasswd.text = let - smbpasswd = "${config.services.samba.package}/bin/smbpasswd"; - in '' - printf "$(cat ${config.age.secrets.passwd_smbcilly.path})\n$(cat ${config.age.secrets.passwd_smbcilly.path})\n" | ${smbpasswd} -sa cilly - - printf "$(cat ${config.age.secrets.passwd_smbkujira.path})\n$(cat ${config.age.secrets.passwd_smbkujira.path})\n" | ${smbpasswd} -sa kujira - ''; - }; - - services.samba = { - enable = true; - package = pkgs.samba4Full; - openFirewall = true; - settings = { - global = { - "server smb encrypt" = "required"; - "workgroup" = "WORKGROUP"; - "server string" = "smbnix"; - "netbios name" = "smbnix"; - "security" = "user"; - "hosts allow" = "100.64.0.0/10 127.0.0.1 alyssum localhost"; - "hosts deny" = "0.0.0.0/0"; - "guest account" = "nobody"; - "map to guest" = "bad user"; - }; - "public" = { - "path" = "/flower/smb/public"; - "browseable" = "yes"; - "read only" = "no"; - "guest ok" = "yes"; - "create mask" = "0644"; - "directory mask" = "0755"; - "force user" = "hana"; - "force group" = "users"; - }; - "cilly" = { - "path" = "/flower/smb/cilly"; - "browseable" = "yes"; - "read only" = "no"; - "guest ok" = "no"; - 
"create mask" = "0644"; - "directory mask" = "0755"; - "force user" = "cilly"; - "force group" = "users"; - "valid users" = "cilly"; - }; - "kujira" = { - "path" = "/flower/smb/kujira"; - "browseable" = "yes"; - "read only" = "no"; - "guest ok" = "no"; - "create mask" = "0644"; - "directory mask" = "0755"; - "force user" = "kujira"; - "force group" = "users"; - "valid users" = "kujira"; - }; + system.activationScripts = { + init_smbpasswd.text = let + smbpasswd = "${config.services.samba.package}/bin/smbpasswd"; + in '' + printf "$(cat ${config.age.secrets.${passwd_fname}.path})\n$(cat ${config.age.secrets.${passwd_fname}.path})\n" | ${smbpasswd} -sa ${user} + ''; + }; + services.samba.settings."${user}" = { + "path" = "/flower/smb/${user}"; + "browseable" = "yes"; + "read only" = "no"; + "guest ok" = "no"; + "create mask" = "0644"; + "directory mask" = "0755"; + "force user" = user; + "force group" = "users"; + "valid users" = user; }; }; +in lib.mkMerge [ + (configOn "cilly") + (configOn "kujira") + { + me.binds."/flower/smb/kujira/opencloud" = "/flower/opencloud/data/storage/users/users/a8e29fc0-673c-4c67-be00-2442904acb43"; - services.samba-wsdd = { - enable = true; - openFirewall = true; - }; + networking.firewall.allowPing = true; - services.avahi = { - enable = true; - openFirewall = true; - nssmdns4 = true; - publish.enable = true; - publish.userServices = true; - }; -} + services.samba = { + enable = true; + package = pkgs.samba4Full; + openFirewall = true; + settings = { + global = { + "server smb encrypt" = "required"; + "workgroup" = "WORKGROUP"; + "server string" = "smbnix"; + "netbios name" = "smbnix"; + "security" = "user"; + "hosts allow" = "100.64.0.0/10 127.0.0.1 alyssum localhost"; + "hosts deny" = "0.0.0.0/0"; + "guest account" = "nobody"; + "map to guest" = "bad user"; + }; + "public" = { + "path" = "/flower/smb/public"; + "browseable" = "yes"; + "read only" = "no"; + "guest ok" = "yes"; + "create mask" = "0644"; + "directory mask" = "0755"; + 
"force user" = "hana"; + "force group" = "users"; + }; + }; + }; + + services.samba-wsdd = { + enable = true; + openFirewall = true; + }; + + services.avahi = { + enable = true; + openFirewall = true; + nssmdns4 = true; + publish.enable = true; + publish.userServices = true; + }; + } +] diff --git a/modules/binds.nix b/modules/binds.nix index 9c7d4ad..c9ffe18 100644 --- a/modules/binds.nix +++ b/modules/binds.nix @@ -1,8 +1,12 @@ { config, lib, ...}: { imports = [ ./options.nix ]; - fileSystems = lib.mapAttrs (dest: key: { + fileSystems = lib.mapAttrs (dest: key: let + target = if (lib.strings.hasPrefix "/" key) + then key + else "/persist/binds/${key}"; + in { depends = [ "/persist" ]; - device = "/persist/binds/${key}"; + device = target; fsType = "none"; options = [ "bind" ]; }) config.me.binds; From 907f2cabcadb6223c28fc6960b542f60bbadc860 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 17 Jun 2026 21:14:47 +1000 Subject: [PATCH 171/178] alyssum/home.syncthing: set proper defaults --- hosts/alyssum/home.syncthing.nix | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/hosts/alyssum/home.syncthing.nix b/hosts/alyssum/home.syncthing.nix index 1e20f97..33545fe 100644 --- a/hosts/alyssum/home.syncthing.nix +++ b/hosts/alyssum/home.syncthing.nix @@ -4,6 +4,8 @@ let me.binds."/home/${user}/.config/syncthing" = "${user}/syncthing/config"; me.binds."/home/${user}/.local/state/syncthing" = "${user}/syncthing/state"; + systemd.tmpfiles.rules = [ "d /flower/syncthing/${user} 700 ${user} users" ]; + users.users.${user} = { hashedPasswordFile = config.age.secrets.passwd.path; isNormalUser = true; @@ -18,6 +20,12 @@ let services.syncthing = { enable = true; guiAddress = "[::]:${toString port}"; + options.listenAddresses = [ + "tcp://0.0.0.0:2${toString port}" + "quic://0.0.0.0:2${toString port}" + "dynamic+https://relays.syncthing.net/endpoint" + ]; + settings.defaults.folder.path = "/flower/syncthing/${user}"; }; }; }; 
From 6c80606b7ea743fca6ec146ab30cfb378d395d09 Mon Sep 17 00:00:00 2001
From: Cilly Leang
Date: Wed, 17 Jun 2026 21:15:22 +1000
Subject: [PATCH 172/178] alyssum/home.syncthing: fixup conf
---
 hosts/alyssum/home.syncthing.nix | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/hosts/alyssum/home.syncthing.nix b/hosts/alyssum/home.syncthing.nix
index 33545fe..4408fb7 100644
--- a/hosts/alyssum/home.syncthing.nix
+++ b/hosts/alyssum/home.syncthing.nix
@@ -20,12 +20,14 @@ let
 services.syncthing = {
 enable = true;
 guiAddress = "[::]:${toString port}";
- options.listenAddresses = [
- "tcp://0.0.0.0:2${toString port}"
- "quic://0.0.0.0:2${toString port}"
- "dynamic+https://relays.syncthing.net/endpoint"
- ];
- settings.defaults.folder.path = "/flower/syncthing/${user}";
+ settings = {
+ options.listenAddresses = [
+ "tcp://0.0.0.0:2${toString port}"
+ "quic://0.0.0.0:2${toString port}"
+ "dynamic+https://relays.syncthing.net/endpoint"
+ ];
+ defaults.folder.path = "/flower/syncthing/${user}";
+ };
 };
 };
 };
From 21dc584199e72285d0ec07083f604b439aa41b34 Mon Sep 17 00:00:00 2001
From: Cilly Leang
Date: Wed, 17 Jun 2026 21:22:03 +1000
Subject: [PATCH 173/178] alyssum/home.syncthing: don't override devices and folders
---
 hosts/alyssum/home.syncthing.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/hosts/alyssum/home.syncthing.nix b/hosts/alyssum/home.syncthing.nix
index 4408fb7..8d5a1cc 100644
--- a/hosts/alyssum/home.syncthing.nix
+++ b/hosts/alyssum/home.syncthing.nix
@@ -20,6 +20,8 @@ let
 services.syncthing = {
 enable = true;
 guiAddress = "[::]:${toString port}";
+ overrideDevices = false;
+ overrideFolders = false;
 settings = {
 options.listenAddresses = [
 "tcp://0.0.0.0:2${toString port}"
From 4dfc89814003566d4fb55dbd84b29c4427b254b0 Mon Sep 17 00:00:00 2001
From: Cilly Leang Date: Fri, 19 Jun 2026 07:36:13 +1000 Subject: [PATCH 174/178] user/neovim: switch to nixd --- modules/system/nix.nix | 3 ++- modules/user/neovim.nix | 7 ++++--- res/config.lua | 28 +++++++++++++++++++++++++++- users/rin/packages.nix | 1 - 4 files changed, 33 insertions(+), 6 deletions(-) diff --git a/modules/system/nix.nix b/modules/system/nix.nix index 6a6fd04..eb14f73 100644 --- a/modules/system/nix.nix +++ b/modules/system/nix.nix @@ -1,5 +1,6 @@ -{ config, lib, pkgs, ... }: { +{ config, inputs, pkgs, ... }: { nix = { + nixPath = [ "nixpkgs=${inputs.nixpkgs}" ]; package = pkgs.nixVersions.latest; settings = rec { diff --git a/modules/user/neovim.nix b/modules/user/neovim.nix index d691c61..2b8d4c1 100644 --- a/modules/user/neovim.nix +++ b/modules/user/neovim.nix @@ -1,9 +1,9 @@ -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, sysConfig, ... }: let luaconf = pkgs.writeText "config.lua" (lib.replaceStrings - ["{{OMNISHARP_PATH}}" "{{DART_PATH}}" "{{CATPPUCCIN_FLAVOUR}}"] - ["${pkgs.omnisharp-roslyn}/bin/OmniSharp" "${pkgs.dart}/bin/dart" config.catppuccin.nvim.flavor] + ["{{OMNISHARP_PATH}}" "{{DART_PATH}}" "{{CATPPUCCIN_FLAVOUR}}" "{{USERNAME}}" "{{HOSTNAME}}"] + ["${pkgs.omnisharp-roslyn}/bin/OmniSharp" "${pkgs.dart}/bin/dart" config.catppuccin.nvim.flavor config.home.username sysConfig.networking.hostName] (builtins.readFile ../../res/config.lua)); in { systemd.user.tmpfiles.rules = [ @@ -21,6 +21,7 @@ in { withRuby = false; extraPackages = with pkgs; [ + nixd rust-analyzer texlab astro-language-server diff --git a/res/config.lua b/res/config.lua index 3e91e28..c0b5dad 100644 --- a/res/config.lua +++ b/res/config.lua 
@@ -167,7 +167,7 @@ vim.diagnostic.config({
 capabilities = require('cmp_nvim_lsp').default_capabilities(capabilities)
-local servers = { 'astro', 'clangd', 'cssls', 'html', 'nil_ls', 'tailwindcss', 'texlab', 'ts_ls', 'yamlls' }
+local servers = { 'astro', 'clangd', 'cssls', 'html', 'tailwindcss', 'texlab', 'ts_ls', 'yamlls' }
 for _, lsp in ipairs(servers) do
 vim.lsp.config(lsp, {
 capabilities = capabilities,
@@ -292,6 +292,32 @@ vim.lsp.config("diagnosticls", {
 })
 vim.lsp.enable("diagnosticls")
+-- LSP/nixd
+vim.lsp.config("nixd", {
+ cmd = { "nixd" },
+ filetypes = { "nix" },
+ root_markers = { "flake.nix", ".git" },
+ settings = {
+ nixd = {
+ nixpkgs = {
+ expr = "import { }",
+ },
+ formatting = {
+ command = { "nixfmt" },
+ },
+ options = {
+ nixos = {
+ expr = '(builtins.getFlake (toString ./.)).nixosConfigurations.{{HOSTNAME}}.options',
+ },
+ home_manager = {
+ expr = '(builtins.getFlake (builtins.toString ./.)).nixosConfigurations."{{USERNAME}}@{{HOSTNAME}}".options.home-manager.users.type.getSubOptions []',
+ },
+ },
+ },
+ },
+})
+vim.lsp.enable("nixd")
+
 -- LSP/Signatures
 require("lsp_signature").setup {
 hint_enable = false,
diff --git a/users/rin/packages.nix b/users/rin/packages.nix
index afc711b..3fe0129 100644
--- a/users/rin/packages.nix
+++ b/users/rin/packages.nix
@@ -15,7 +15,6 @@ in {
 ffmpeg
 gnupg
 kitty
- nil
 nodejs_latest
 pamixer
 pnpm
From e1c02d7a91eb1b6c4c25c243fcc861de6611ce39 Mon Sep 17 00:00:00 2001
From: Cilly Leang
Date: Fri, 19 Jun 2026 08:01:17 +1000
Subject: [PATCH 175/178] containers/emerald: move to alyssum
---
 containers/emerald/flake.nix | 12 +++--------
 hosts/alyssum/default.nix | 2 ++
 hosts/dandelion/default.nix | 3 +--
 hosts/dandelion/nginx.nix | 8 ++++++++
 secrets.nix | 2 +-
 secrets/navidrome_env.age | Bin 630 -> 630 bytes
 6 files changed, 15 insertions(+), 12 deletions(-)
 create mode 100644 hosts/dandelion/nginx.nix
diff --git a/containers/emerald/flake.nix b/containers/emerald/flake.nix
index 9c9acdc..7e79b23 100644
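Review bot: The `home_manager` options expression reads `nixosConfigurations."{{USERNAME}}@{{HOSTNAME}}"`, while the `nixos` expression a few lines above addresses the same flake as `nixosConfigurations.{{HOSTNAME}}`; `user@host` is the naming convention of standalone `homeConfigurations`, so unless this flake really exports a NixOS configuration under that key, nixd will fail to evaluate home-manager options. The likely intent is either `homeConfigurations."{{USERNAME}}@{{HOSTNAME}}".options` or `nixosConfigurations.{{HOSTNAME}}.options.home-manager.users.type.getSubOptions []` — which one depends on how the flake defines its outputs, not visible here. A one-line comment above each `expr` naming the flake output it targets, and using `toString` consistently in both (one says `toString`, the other `builtins.toString`), would make the pair self-explaining.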
--- a/containers/emerald/flake.nix +++ b/containers/emerald/flake.nix @@ -9,11 +9,11 @@ shareFqdn = "muse.lava.moe"; subnetId = "5"; - subnet = x: "fd0d:1::${subnetId}:${toString x}"; + subnet = x: "fd0d:2::${subnetId}:${toString x}"; host = subnet 1; client = subnet 2; - subnet4 = x: "10.30.${subnetId}.${toString x}"; + subnet4 = x: "10.32.${subnetId}.${toString x}"; host4 = subnet4 1; client4 = subnet4 2; @@ -39,13 +39,7 @@ useACMEHost = "lava.moe"; forceSSL = true; locations."/".proxyPass = "http://[${client}]:4533"; - listenAddresses = [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ]; - }; - services.nginx.virtualHosts."${shareFqdn}" = { - useACMEHost = "lava.moe"; - forceSSL = true; - locations."/".return = "404"; - locations."/share/".proxyPass = "http://[${client}]:4533"; + listenAddresses = [ "100.67.2.1" ]; }; systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ]; diff --git a/hosts/alyssum/default.nix b/hosts/alyssum/default.nix index 661e3d5..06c415f 100644 --- a/hosts/alyssum/default.nix +++ b/hosts/alyssum/default.nix @@ -6,6 +6,7 @@ age.secrets = { acme_dns.file = ../../secrets/acme_dns.age; passwd.file = ../../secrets/passwd.age; + navidrome_env.file = ../../secrets/navidrome_env.age; wpa_conf = { file = ../../secrets/wpa_conf.age; path = "/etc/wpa_supplicant/imperative.conf"; @@ -27,6 +28,7 @@ modules.services.nginx modules.services.syncthing + inputs.c-emerald.nixosModule inputs.c-garnet.nixosModule ./filesystem.nix diff --git a/hosts/dandelion/default.nix b/hosts/dandelion/default.nix index 33b6eec..f65dfd1 100644 --- a/hosts/dandelion/default.nix +++ b/hosts/dandelion/default.nix @@ -5,7 +5,6 @@ age.secrets = { acme_dns.file = ../../secrets/acme_dns.age; - navidrome_env.file = ../../secrets/navidrome_env.age; slskd_env.file = ../../secrets/slskd_env.age; wg_dandelion.file = ../../secrets/wg_dandelion.age; }; 
@@ -31,12 +30,12 @@
 inputs.c-beryllium.nixosModule
 inputs.c-citrine.nixosModule
 inputs.c-diamond.nixosModule
- inputs.c-emerald.nixosModule
 inputs.c-fluorite.nixosModule
 ./filesystem.nix
 ./kernel.nix
 ./networking.nix
+ ./nginx.nix
 ../../users/hana
 ];
diff --git a/hosts/dandelion/nginx.nix b/hosts/dandelion/nginx.nix
new file mode 100644
index 0000000..c29de38
--- /dev/null
+++ b/hosts/dandelion/nginx.nix
@@ -0,0 +1,8 @@
+{ ... }: {
+ services.nginx.virtualHosts."muse.lava.moe" = {
+ useACMEHost = "lava.moe";
+ forceSSL = true;
+ locations."/".return = "404";
+ locations."/share/".proxyPass = "http://[fd0d:2::5:2]:4533";
+ };
+}
diff --git a/secrets.nix b/secrets.nix
index bec70ef..b1f55e5 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -13,7 +13,7 @@ in {
 "secrets/wpa_conf.age".publicKeys = [ alyssum blossom rin ];
 "secrets/acme_dns.age".publicKeys = [ alyssum dandelion hazel rin ];
- "secrets/navidrome_env.age".publicKeys = [ anemone dandelion rin ];
+ "secrets/navidrome_env.age".publicKeys = [ alyssum dandelion rin ];
 "secrets/slskd_env.age".publicKeys = [ anemone dandelion rin ];
 "secrets/tailscale_auth.age".publicKeys = [ alyssum anemone blossom dandelion rin ];
 "secrets/warden_admin.age".publicKeys = [ rin ];
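Review bot: `hosts/dandelion/nginx.nix` hard-codes the emerald container address `fd0d:2::5:2`, which `containers/emerald/flake.nix` derives from `subnet` and `subnetId = "5"` — the two copies will drift the next time the prefix changes, exactly as this patch just moved it from `fd0d:1::` to `fd0d:2::`. A comment at the `proxyPass` line, `# emerald (navidrome) now hosted on alyssum; address = subnet 2 in containers/emerald/flake.nix`, records the coupling. The upstream is reached over plain HTTP from dandelion, so the public `/share/` path now depends on the fd0d:2:: route between the two hosts being a private, encrypted link (presumably a tunnel — not visible here); that assumption belongs in the same comment.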
diff --git a/secrets/navidrome_env.age b/secrets/navidrome_env.age index 6cb705c5d12523d7e403ecd2736ad062cc9756fe..7df364f2e273e47d57332c4379af715fc8a5212e 100644 GIT binary patch delta 584 zcmeyy@{MJJYJIl9Z*V}lLa~0SOIE(8PgRsjZmNfANJe2wPNjZ9K&nwvh`)KUw?}|y zah|!8zGG!ES3tUPYCwulX0BsVR8p0bmsfUvPO5&2S!h;hVwzuKWp+uHcVUTTdSRIf zm#&>cadC!jYKoDmsiCDpQjl9=YM_FCWl?sip<%gqwy#lonvqFjKvu9*l%cm%RD_Rz zPH>2SdRe%kae7vjv#~E%MTm2_M@pe-SdoEInPr7bzH3yWbF#aSXG&I7h-I;nrF%|F zewC4Ve!0QKkK*+n8Nr2a7A`?m`eorJM!{*uCTWH4zMkn>mQe-CroO3>ei?;@#Z~5M zPT5>0o>h*aL4~FUMUjSP2Kt4LRrw~C$+;O}=K96i8Rh}*z7`plg`Sq-?yg+Ay1EL9 z!TyHDId0x**{;q$X6{A#7A9%FnJ!TVfj&NdN&ZD?nSS-D>3-hk*~Q6ROqpWpMWV|d z&c4vI?M;r-tE{--Z%Xm=Lj$CDFLGWutD?BcP;&a@f0uoCZ!2GWs`sk3vUqjk;%iK` z+P^Q@zJ8i|WunSt<>I|nf4nn)t!g;n)&0q3m!$nYJ2|(F-vj?sG`WCg#Y;CB32Co4)>MRlf4+kK9tCZCbg>R9kL#Qr5a2&Gw+g7Uxv}q{-wD delta 584 zcmeyy@{MJJYJGl2WpIh3LZG*ASzdXWbADmIYe+zTa7bu&lwWarXh?RTdtpFIpi5Ga zyPJ7%nzx51S5k3cm}RK1et2$DNMw0dR$)$*x3h7Un^R$UQdDSAUSv^ZScPSXPf21r zm#&>cadC!jYKoDmsiCDpQjl9=YM_E;sAqUkqNAfxg>QjNvU_A|X@<7Gt5c+>c4bM4 zVP%kMn1@q%X--9UnMWv>VWC@Qk!gx=Rk&+va#@acqN7(zu7QD1QK@@id8uh~a%ymf zk%fDBQl-VjkK*;YsoG@~9(kUn6<$f6F8(e~-jkrv?<`6gazg)WY{CGJK+mA>^Rd6~u*mEnP0+oFBUOCsE* z3bwpzlgKR$u9$3^^ZVfWqPNN?4)f&tr`cQQ=D&Xa?73?U-wn%@sp~tnL(+v$>}C*F zxA`xn%JX>ouLo-iPxHCPx(V+O*cJKu@s3=59#dX}h>yFj?Z5ZfGA|o$zklp6 zX|@|&xOuuKjLFleVCnh`Z_lSp+>)?)gVX#Q4P6t?pZWIe&UJ&$5F8pXE@ck*9i%4 Date: Fri, 19 Jun 2026 08:57:22 +1000 Subject: [PATCH 176/178] containers/emerald: change mounts --- containers/emerald/configuration.nix | 2 +- containers/emerald/flake.nix | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/containers/emerald/configuration.nix b/containers/emerald/configuration.nix index f69a4c6..7f1f1fc 100644 --- a/containers/emerald/configuration.nix +++ b/containers/emerald/configuration.nix 
@@ -16,7 +16,7 @@
 ShareURL = "https://${shareFqdn}";
 EnableSharing = true;
 DataFolder = "/persist/navidrome";
- MusicFolder = "/binds/music";
+ MusicFolder = "/binds/music/main";
 };
 };
 }
diff --git a/containers/emerald/flake.nix b/containers/emerald/flake.nix
index 7e79b23..5ee69e4 100644
--- a/containers/emerald/flake.nix
+++ b/containers/emerald/flake.nix
@@ -62,7 +62,7 @@
 isReadOnly = false;
 };
 bindMounts."music" = {
- hostPath = "/persist/media/music";
+ hostPath = "/flower/media/music";
 mountPoint = "/binds/music";
 isReadOnly = true;
 };
From 004832fc066bc76a95cbb46d22e9833b5446dbff Mon Sep 17 00:00:00 2001
From: Cilly Leang
Date: Fri, 19 Jun 2026 09:03:39 +1000
Subject: [PATCH 177/178] containers/emerald: bind music directory
---
 containers/emerald/configuration.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/containers/emerald/configuration.nix b/containers/emerald/configuration.nix
index 7f1f1fc..421ddb0 100644
--- a/containers/emerald/configuration.nix
+++ b/containers/emerald/configuration.nix
@@ -19,4 +19,5 @@
 MusicFolder = "/binds/music/main";
 };
 };
+ systemd.services.navidrome.serviceConfig.BindReadOnlyPaths = ["/binds/music"];
 }
From c0004409d7aa14c8aacf166c7bf21b9cd5431135 Mon Sep 17 00:00:00 2001
From: Cilly Leang
Date: Fri, 19 Jun 2026 09:12:52 +1000
Subject: [PATCH 178/178] alyssum/samba: bind music
---
 hosts/alyssum/samba.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/hosts/alyssum/samba.nix b/hosts/alyssum/samba.nix
index f14365b..d876981 100644
--- a/hosts/alyssum/samba.nix
+++ b/hosts/alyssum/samba.nix
@@ -4,6 +4,7 @@ let
 passwd_fname = "passwd_smb${user}";
 in {
 age.secrets.${passwd_fname}.file = ../../secrets/${passwd_fname}.age;
+ me.binds."/flower/smb/${user}/music" = "/flower/media/music/${user}";
 me.binds."/flower/smb/${user}/syncthing" = "/flower/syncthing/${user}";
 users.users.${user} = {