alyssum/samba: bind music

containers/emerald: bind music directory
containers/emerald: change mounts
2026-06-19 09:12:52 +10:00 · 2026-06-19 09:03:39 +10:00 · 2026-06-19 08:57:22 +10:00 · 2026-06-19 08:01:17 +10:00 · 2026-06-19 07:36:13 +10:00 · 2026-06-17 21:22:03 +10:00
204 changed files with 3732 additions and 2937 deletions
--- a/.git-crypt/.gitattributes
+++ b/.git-crypt/.gitattributes
@ -0,0 +1,4 @@
 # Do not edit this file.  To specify the files to encrypt, create your own
 # .gitattributes file in the directory where your files are.
 * !filter !diff
 *.gpg binary
--- a/.git-crypt/keys/default/0/059F098EBF0E9A13E10A46BF6500251E087653C9.gpg
+++ b/.git-crypt/keys/default/0/059F098EBF0E9A13E10A46BF6500251E087653C9.gpg
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1 @@
 secrets.gcrypt/** filter=git-crypt diff=git-crypt
--- a/.github/workflows/autoupdate.yml
+++ b/.github/workflows/autoupdate.yml
@ -0,0 +1,50 @@
 name: Auto update
 on:
  workflow_dispatch:
  schedule:
    - cron: "0 0 * * *"
 jobs:
  update:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          token: ${{ secrets.PAT_TOKEN }}
      - name: Check for updates
        id: check
        run: |
          local=$(cat flake.lock | jq ".nodes.nixpkgs.locked.rev")
          remote=$(curl "https://api.github.com/repos/NixOS/nixpkgs/branches/nixos-unstable/commits?per_page=1" | jq ".commit.sha")
          if [[ $local == $remote ]]; then
            echo "skip=1" >> "$GITHUB_OUTPUT"
          else
            echo "skip=0" >> "$GITHUB_OUTPUT"
            branch=$(TZ='Australia/Melbourne' date '+staging_auto/%Y%m%d')
            echo "branch_name=${branch}" >> "$GITHUB_OUTPUT"
          fi
      - name: Install nix
        if: steps.check.outputs.skip == 0
        uses: cachix/install-nix-action@v31
      - name: Configure git
        if: steps.check.outputs.skip == 0
        run: |
          git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git config --local user.name "github-actions[bot]"
      - name: Update
        if: steps.check.outputs.skip == 0
        run: ./update.sh
      - name: Push
        if: steps.check.outputs.skip == 0
        uses: ad-m/github-push-action@master
        with:
          github_token: ${{ secrets.PAT_TOKEN }}
          branch: ${{ steps.check.outputs.branch_name }}
--- a/.github/workflows/cachix.yml
+++ b/.github/workflows/cachix.yml
@ -1,38 +1,27 @@
 name: CI
 on:
  push:
  workflow_dispatch:
 jobs:
  check:
    name: Check flake
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - uses: cachix/install-nix-action@v17
        with:
          install_url: https://github.com/numtide/nix-unstable-installer/releases/download/nix-2.12.0pre20220930_89ca75c/install
          extra_nix_config: experimental-features = nix-command flakes
      - uses: cachix/cachix-action@v10
        with:
          name: lava
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
      - run: nix flake check --keep-going --verbose
  build:
    name: Build linux-lava for x86_64-linux
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      # credits to https://github.com/easimon/maximize-build-space/issues/45
      - name: Remove unneeded packages to maximise build space
        shell: bash
        run: |
            df -h
            sudo rm -rf /usr/share/dotnet
            sudo rm -rf /usr/local/lib/android
            df -h
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
-      - uses: cachix/install-nix-action@v17
+      - uses: cachix/install-nix-action@v31
-        with:
+      - uses: cachix/cachix-action@v16
          install_url: https://github.com/numtide/nix-unstable-installer/releases/download/nix-2.12.0pre20220930_89ca75c/install
          extra_nix_config: experimental-features = nix-command flakes
      - uses: cachix/cachix-action@v10
        with:
          name: lava
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
 result
--- a/README.md
+++ b/README.md
@ -14,17 +14,18 @@ to your liking. Open up `flake.nix`, add your new host config at the bottom, and
 ## Hosts
 | Name      | Description |
 | -------   | ----------- |
-| blossom   | Laptop and main PC |
+| hyacinth  | Main Desktop PC |
 | anemone   | Main Laptop |
 | caramel   | Raspberry Pi 400, stateless |
-| sugarcane | OVHCloud VPS, stateless |
+| dandelion | ARM OCI VPS, stateless |
 ## Users
 | Name | Description |
 | ---- | ----------- |
-| rin  | Main user for usage |
+| rin  | Main user for general usage |
 | hana | Lightweight user intended for inspecting stateless hosts |
 ## License
-Licensed under CC0; basically you can fork, modify, redistribute, or do whatever you want I don't really care.
+Licensed under CC0
 Credit is appreciated but not necessary
--- a/containers/amethyst/configuration.nix
+++ b/containers/amethyst/configuration.nix
@ -0,0 +1,47 @@
 { lib, pkgs, ... }: {
  system.stateVersion = "23.11";
  systemd.tmpfiles.rules = [
    "d /persist/transmission 755 transmission transmission"
    "d /persist/transmission/.config/transmission-daemon 750 transmission transmission"
    "d /persist/transmission/.incomplete 750 transmission transmission"
    "d /persist/transmission/Downloads 755 transmission transmission"
    "d /persist/transmission/watchdir 755 transmission transmission"
  ];
  networking.wg-quick.interfaces.wg0 = {
    configFile = "/persist/vpn.conf";
    preUp = ''
          # Try to access the DNS for up to 300s
          for i in {1..60}; do
            ${pkgs.iputils}/bin/ping -c1 'google.com' && break
            echo "Attempt $i: DNS still not available"
            sleep 5s
          done
    '';
  };
  # https://github.com/NixOS/nixpkgs/issues/258793
  systemd.services.transmission.serviceConfig = {
    BindReadOnlyPaths = lib.mkForce [ builtins.storeDir "/etc" ];
    RootDirectoryStartOnly = lib.mkForce false;
    RootDirectory = lib.mkForce "";
    PrivateMounts = lib.mkForce false;
    PrivateUsers = lib.mkForce false;
  };
  networking.firewall.allowedTCPPorts = [ 9091 ];
  services.transmission = {
    enable = true;
    package = pkgs.transmission_4;
    downloadDirPermissions = "775";
    openFirewall = true;
    home = "/persist/transmission";
    settings = {
      ratio-limit-enabled = true;
      rpc-bind-address = "0.0.0.0";
      rpc-enabled = true;
      rpc-port = 9091;
      rpc-host-whitelist-enabled = false;
      rpc-whitelist-enabled = false;
    };
  };
 }
--- a/containers/amethyst/flake.lock
+++ b/containers/amethyst/flake.lock
@ -0,0 +1,27 @@
 {
  "nodes": {
    "nixpkgs": {
      "locked": {
        "lastModified": 1773282481,
        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "nixpkgs": "nixpkgs"
      }
    }
  },
  "root": "root",
  "version": 7
 }
--- a/containers/amethyst/flake.nix
+++ b/containers/amethyst/flake.nix
@ -0,0 +1,51 @@
 {
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
  };
  outputs = { nixpkgs, ... }: {
    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
      modules = [ ./configuration.nix ];
    };
    nixosModule = { ... }:
    let
      name = "amethyst";
      fqdn = "amethyst.lava.moe";
      subnet = "1";
    in {
      networking.nat = {
        enable = true;
        enableIPv6 = true;
        internalInterfaces = [ "ve-${name}" ];
      };
      services.nginx.virtualHosts."${fqdn}" = {
        useACMEHost = "lava.moe";
        forceSSL = true;
        #locations."/".proxyPass = "http://[fd0d:1::${subnet}:2]:9091";
        locations."/".proxyPass = "http://10.30.${subnet}.2:9091";
        listenAddresses = [ "10.0.0.1" "[fd0d::1]" ];
      };
      systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
      containers.${name} = {
        autoStart = true;
        privateNetwork = true;
        hostAddress = "10.30.${subnet}.1";
        localAddress = "10.30.${subnet}.2";
        hostAddress6 = "fd0d:1::${subnet}:1";
        localAddress6 = "fd0d:1::${subnet}:2";
        # privateUsers = "pick";
        nixpkgs = nixpkgs;
        ephemeral = true;
        config = { imports = [ ./configuration.nix ]; };
        bindMounts."persist" = {
          hostPath = "/persist/containers/${name}";
          mountPoint = "/persist";
          isReadOnly = false;
        };
        # flake = "path:" + ./.;
      };
    };
  };
 }
--- a/containers/beryllium/configuration.nix
+++ b/containers/beryllium/configuration.nix
@ -0,0 +1,23 @@
 { ... }: {
  system.stateVersion = "25.11";
  fileSystems."/var/lib/private" = {
    device = "/persist";
    fsType = "none";
    options = [ "bind" ];
  };
  networking.firewall.allowedTCPPorts = [ 6167 ];
  networking.firewall.allowedUDPPorts = [ 6167 ];
  # TODO: this should be generically set
  networking.useHostResolvConf = false;
  networking.nameservers = [ "8.8.8.8" ];
  services.matrix-continuwuity = {
    enable = true;
    settings.global = {
      # TODO: link this with outer container's address
      address = [ "10.30.2.2" ];
      server_name = "lava.moe";
      rocksdb_recovery_mode = 2;
    };
  };
 }
--- a/containers/beryllium/flake.lock
+++ b/containers/beryllium/flake.lock
@ -0,0 +1,27 @@
 {
  "nodes": {
    "nixpkgs": {
      "locked": {
        "lastModified": 1773282481,
        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "nixpkgs": "nixpkgs"
      }
    }
  },
  "root": "root",
  "version": 7
 }
--- a/containers/beryllium/flake.nix
+++ b/containers/beryllium/flake.nix
@ -0,0 +1,69 @@
 {
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
  };
  outputs = { nixpkgs, ... }: {
    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
      modules = [ ./configuration.nix ];
    };
    nixosModule = { ... }:
    let
      name = "beryllium";
      fqdn = "beryllium.lava.moe";
      subnet = "2";
    in {
      networking.nat = {
        enable = true;
        enableIPv6 = true;
        internalInterfaces = [ "ve-${name}" ];
      };
      services.nginx.virtualHosts."${fqdn}" = {
        useACMEHost = "lava.moe";
        forceSSL = true;
        locations."/".extraConfig = "return 302 'https://lava.moe';";
        locations."/_matrix".proxyPass = "http://10.30.${subnet}.2:6167";
        locations."/_conduwuit".proxyPass = "http://10.30.${subnet}.2:6167";
        locations."/_continuwuity".proxyPass = "http://10.30.${subnet}.2:6167";
      };
      services.nginx.virtualHosts."lava.moe" = {
        locations."= /.well-known/matrix/server".extraConfig =
          let
            server = { "m.server" = "${fqdn}:443"; };
          in ''
            add_header Content-Type application/json;
            return 200 '${builtins.toJSON server}';
          '';
        locations."= /.well-known/matrix/client".extraConfig =
          let
            client = {
              "m.homeserver" = { "base_url" = "https://${fqdn}"; };
              # "m.identity_server" = { "base_url" = "https://vector.im"; };
            };
          in ''
            add_header Content-Type application/json;
            add_header Access-Control-Allow-Origin *;
            return 200 '${builtins.toJSON client}';
          '';
      };
      systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
      containers.${name} = {
        autoStart = true;
        privateNetwork = true;
        hostAddress = "10.30.${subnet}.1";
        localAddress = "10.30.${subnet}.2";
        nixpkgs = nixpkgs;
        ephemeral = true;
        config = { imports = [ ./configuration.nix ]; };
        bindMounts."persist" = {
          hostPath = "/persist/containers/${name}";
          mountPoint = "/persist";
          isReadOnly = false;
        };
      };
    };
  };
 }
--- a/containers/citrine/configuration.nix
+++ b/containers/citrine/configuration.nix
@ -0,0 +1,53 @@
 { config, fqdn, lib, ... }: {
  system.stateVersion = "25.11";
  networking.firewall.allowedTCPPorts = [ 22 3000 ];
  networking.firewall.allowedUDPPorts = [ 22 3000 ];
  systemd.tmpfiles.rules = [
    "L+ /persist/forgejo/custom/templates - - - - ${./templates}"
  ];
  services.forgejo = {
    enable = true;
    lfs.enable = true;
    settings = {
      DEFAULT.APP_NAME = "cilly's botanical laboratory";
      server = {
        DOMAIN = fqdn;
        ROOT_URL = "https://${fqdn}/";
        HTTP_PORT = 3000;
        START_SSH_SERVER = true;
        BUILTIN_SSH_SERVER_USER = "git";
        SSH_DOMAIN = "git.lava.moe";
        SSH_SERVER_KEY_EXCHANGES = "mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256";
      };
      ui = lib.mkForce {
        DEFAULT_THEME = "catppuccin-maroon-auto";
        THEMES = lib.strings.concatMapStringsSep "," (x: "${x}-auto") [
          "catppuccin-pink"
          "catppuccin-maroon"
          "catppuccin-flamingo"
          "catppuccin-rosewater"
          "forgejo"
          "gitea"
        ];
      };
      api.ENABLE_SWAGGER = false;
      other.SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
      repository.ENABLE_PUSH_CREATE_USER = true;
      repository.ENABLE_PUSH_CREATE_ORG = true;
      service.DISABLE_REGISTRATION = true;
    };
    stateDir = "/persist/forgejo";
  };
  systemd.services.forgejo.serviceConfig = {
    AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
    CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
    PrivateUsers = lib.mkForce false;
  };
  catppuccin.forgejo.enable = true;
  environment.systemPackages = [ config.services.forgejo.package ];
 }
--- a/containers/citrine/flake.lock
+++ b/containers/citrine/flake.lock
@ -0,0 +1,62 @@
 {
  "nodes": {
    "catppuccin": {
      "inputs": {
        "nixpkgs": "nixpkgs"
      },
      "locked": {
        "lastModified": 1773403535,
        "narHash": "sha256-47MZaFrHxNO8tVUAmtVnerXUw2WWVluBOiU9MulN/yM=",
        "owner": "catppuccin",
        "repo": "nix",
        "rev": "d45b5665cc638bad1b794350de02f4dd41b0bb47",
        "type": "github"
      },
      "original": {
        "owner": "catppuccin",
        "repo": "nix",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1773122722,
        "narHash": "sha256-FIqHByVqxCprNjor1NqF80F2QQoiiyqanNNefdlvOg4=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "62dc67aa6a52b4364dd75994ec00b51fbf474e50",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1773282481,
        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "catppuccin": "catppuccin",
        "nixpkgs": "nixpkgs_2"
      }
    }
  },
  "root": "root",
  "version": 7
 }
--- a/containers/citrine/flake.nix
+++ b/containers/citrine/flake.nix
@ -0,0 +1,68 @@
 {
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    catppuccin.url = "github:catppuccin/nix";
  };
  outputs = { nixpkgs, catppuccin, ... }:
  let
    name = "citrine";
    fqdn = "lab.lava.moe";
    subnetId = "3";
    subnet = x: "fd0d:1::${subnetId}:${toString x}";
    host = subnet 1;
    client = subnet 2;
    subnet4 = x: "10.30.${subnetId}.${toString x}";
    host4 = subnet4 1;
    client4 = subnet4 2;
    modules = [
      ./configuration.nix
      catppuccin.nixosModules.catppuccin
      {
        networking.useHostResolvConf = false;
        networking.nameservers = [ host ];
      }
    ];
  in {
    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
      inherit modules;
    };
    nixosModule = { ... }: {
      networking.nat = {
        enable = true;
        enableIPv6 = true;
        internalInterfaces = [ "ve-${name}" ];
      };
      services.nginx.virtualHosts."${fqdn}" = {
        useACMEHost = "lava.moe";
        forceSSL = true;
        locations."/".proxyPass = "http://[${client}]:3000";
      };
      systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
      containers.${name} = {
        autoStart = true;
        privateNetwork = true;
        hostAddress = host4;
        localAddress = client4;
        hostAddress6 = host;
        localAddress6 = client;
        # privateUsers = "pick";
        nixpkgs = nixpkgs;
        ephemeral = true;
        config = { imports = modules; };
        specialArgs = { inherit fqdn; };
        bindMounts."persist" = {
          hostPath = "/persist/containers/${name}";
          mountPoint = "/persist";
          isReadOnly = false;
        };
        # flake = "path:" + ./.;
      };
    };
  };
 }
--- a/containers/citrine/templates/base/footer_content.tmpl
+++ b/containers/citrine/templates/base/footer_content.tmpl
@ -0,0 +1,31 @@
 <footer class="page-footer" role="group" aria-label="{{ctx.Locale.Tr "aria.footer"}}">
    <div class="left-links" role="contentinfo" aria-label="{{ctx.Locale.Tr "aria.footer.software"}}">
        {{if ShowFooterPoweredBy}}
            <a target="_blank" rel="noopener noreferrer" href="https://forgejo.org">Forgejo</a>
        {{end}}
        {{if (or .ShowFooterVersion .PageIsAdmin)}}
            {{if .IsAdmin}}
                <a href="{{AppSubUrl}}/admin/config">{{AppVerNoMetadata}}</a>
            {{else}}
                {{AppVerNoMetadata}}
            {{end}}
        {{end}}
        {{if and .TemplateLoadTimes ShowFooterTemplateLoadTime}}
            {{ctx.Locale.Tr "page"}}: <strong>{{LoadTimes .PageStartTime}}</strong>
            {{ctx.Locale.Tr "template"}}{{if .TemplateName}} {{.TemplateName}}{{end}}: <strong>{{call .TemplateLoadTimes}}</strong>
        {{end}}
    </div>
    <div class="right-links" role="group" aria-label="{{ctx.Locale.Tr "aria.footer.links"}}">
        <div class="ui dropdown upward language">
            <span class="flex-text-inline">{{svg "octicon-globe" 14}} {{ctx.Locale.LangName}}</span>
            <div class="menu language-menu">
                {{range .AllLangs}}
                    <a lang="{{.Lang}}" data-url="{{AppSubUrl}}/?lang={{.Lang}}" class="item {{if eq ctx.Locale.Lang .Lang}}active selected{{end}}">{{.Name}}</a>
                {{end}}
            </div>
        </div>
        <a href="{{AssetUrlPrefix}}/licenses.txt">{{ctx.Locale.Tr "licenses"}}</a>
        {{if .EnableSwagger}}<a href="{{AppSubUrl}}/api/swagger">API</a>{{end}}
        {{template "custom/extra_links_footer" .}}
    </div>
 </footer>
--- a/containers/citrine/templates/home.tmpl
+++ b/containers/citrine/templates/home.tmpl
@ -0,0 +1,19 @@
 {{template "base/head" .}}
 {{if not .IsSigned}}
    <script>window.location.href = "/explore/repos";</script>
 {{end}}
 <div role="main" aria-label="{{if .IsSigned}}{{ctx.Locale.Tr "dashboard"}}{{else}}{{ctx.Locale.Tr "home"}}{{end}}" class="page-content home">
    <div class="tw-mb-8 tw-px-8">
        <div class="center">
            <img class="logo" width="220" height="220" src="{{AssetUrlPrefix}}/img/logo.svg" alt="{{ctx.Locale.Tr "logo"}}">
            <div class="hero">
                <h1 class="ui icon header title">
                    {{AppDisplayName}}
                </h1>
                <h2>{{ctx.Locale.Tr "startpage.app_desc"}}</h2>
            </div>
        </div>
    </div>
    {{template "home_forgejo" .}}
 </div>
 {{template "base/footer" .}}
--- a/containers/diamond/configuration.nix
+++ b/containers/diamond/configuration.nix
@ -0,0 +1,22 @@
 { fqdn, ... }: {
  system.stateVersion = "25.11";
  systemd.tmpfiles.rules = [
    "d /persist/vaultwarden 755 vaultwarden vaultwarden"
  ];
  fileSystems."/var/lib/vaultwarden" = {
    device = "/persist/vaultwarden";
    fsType = "none";
    options = [ "bind" ];
  };
  networking.firewall.allowedTCPPorts = [ 8000 ];
  networking.firewall.allowedUDPPorts = [ 8000 ];
  services.vaultwarden = {
    enable = true;
    domain = fqdn;
    config = {
      DOMAIN = "https://${fqdn}";
      ROCKET_ADDRESS = "::";
    };
  };
 }
--- a/containers/diamond/flake.lock
+++ b/containers/diamond/flake.lock
@ -0,0 +1,27 @@
 {
  "nodes": {
    "nixpkgs": {
      "locked": {
        "lastModified": 1773282481,
        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "nixpkgs": "nixpkgs"
      }
    }
  },
  "root": "root",
  "version": 7
 }
--- a/containers/diamond/flake.nix
+++ b/containers/diamond/flake.nix
@ -0,0 +1,51 @@
 {
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
  };
  outputs = { nixpkgs, ... }:
  let
    name = "diamond";
    fqdn = "astransia.lava.moe";
    subnetId = "4";
    subnet = x: "fd0d:1::${subnetId}:${toString x}";
    host = subnet 1;
    client = subnet 2;
    modules = [
      ./configuration.nix
    ];
  in {
    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
      inherit modules;
    };
    nixosModule = { ... }: {
      services.nginx.virtualHosts."${fqdn}" = {
        useACMEHost = "lava.moe";
        forceSSL = true;
        locations."/".proxyPass = "http://[${client}]:8000";
        listenAddresses = [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ];
      };
      systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
      containers.${name} = {
        autoStart = true;
        privateNetwork = true;
        hostAddress6 = host;
        localAddress6 = client;
        # privateUsers = "pick";
        nixpkgs = nixpkgs;
        ephemeral = true;
        config = { imports = modules; };
        specialArgs = { inherit fqdn; };
        bindMounts."persist" = {
          hostPath = "/persist/containers/${name}";
          mountPoint = "/persist";
          isReadOnly = false;
        };
        # flake = "path:" + ./.;
      };
    };
  };
 }
--- a/containers/emerald/configuration.nix
+++ b/containers/emerald/configuration.nix
@ -0,0 +1,23 @@
 { fqdn, shareFqdn, ... }: {
  system.stateVersion = "25.11";
  systemd.tmpfiles.rules = [
    "d /persist/navidrome 755 navidrome navidrome"
  ];
  networking.firewall.allowedTCPPorts = [ 4533 ];
  networking.firewall.allowedUDPPorts = [ 4533 ];
  services.navidrome = {
    enable = true;
    environmentFile = "/binds/navidrome_env";
    settings = {
      Port = 4533;
      Address = "[::]";
      BaseUrl = "https://${fqdn}/";
      ShareURL = "https://${shareFqdn}";
      EnableSharing = true;
      DataFolder = "/persist/navidrome";
      MusicFolder = "/binds/music/main";
    };
  };
  systemd.services.navidrome.serviceConfig.BindReadOnlyPaths = ["/binds/music"];
 }
--- a/containers/emerald/flake.lock
+++ b/containers/emerald/flake.lock
@ -0,0 +1,27 @@
 {
  "nodes": {
    "nixpkgs": {
      "locked": {
        "lastModified": 1773282481,
        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "nixpkgs": "nixpkgs"
      }
    }
  },
  "root": "root",
  "version": 7
 }
--- a/containers/emerald/flake.nix
+++ b/containers/emerald/flake.nix
@ -0,0 +1,78 @@
 {
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
  };
  outputs = { nixpkgs, ... }:
  let
    name = "emerald";
    fqdn = "navia.lava.moe";
    shareFqdn = "muse.lava.moe";
    subnetId = "5";
    subnet = x: "fd0d:2::${subnetId}:${toString x}";
    host = subnet 1;
    client = subnet 2;
    subnet4 = x: "10.32.${subnetId}.${toString x}";
    host4 = subnet4 1;
    client4 = subnet4 2;
    modules = [
      ./configuration.nix
      {
        networking.useHostResolvConf = false;
        networking.nameservers = [ host ];
      }
    ];
  in {
    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
      inherit modules;
    };
    nixosModule = { config, ... }: {
      networking.nat = {
        enable = true;
        enableIPv6 = true;
        internalInterfaces = [ "ve-${name}" ];
      };
      services.nginx.virtualHosts."${fqdn}" = {
        useACMEHost = "lava.moe";
        forceSSL = true;
        locations."/".proxyPass = "http://[${client}]:4533";
        listenAddresses = [ "100.67.2.1" ];
      };
      systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
      containers.${name} = {
        autoStart = true;
        privateNetwork = true;
        hostAddress = host4;
        localAddress = client4;
        hostAddress6 = host;
        localAddress6 = client;
        # privateUsers = "pick";
        nixpkgs = nixpkgs;
        ephemeral = true;
        config = { imports = modules; };
        specialArgs = { inherit fqdn shareFqdn; };
        bindMounts."persist" = {
          hostPath = "/persist/containers/${name}";
          mountPoint = "/persist";
          isReadOnly = false;
        };
        bindMounts."music" = {
          hostPath = "/flower/media/music";
          mountPoint = "/binds/music";
          isReadOnly = true;
        };
        bindMounts."navidrome_env" = {
          hostPath = config.age.secrets.navidrome_env.path;
          mountPoint = "/binds/navidrome_env";
          isReadOnly = true;
        };
        # flake = "path:" + ./.;
      };
    };
  };
 }
--- a/containers/fluorite/configuration.nix
+++ b/containers/fluorite/configuration.nix
@ -0,0 +1,22 @@
 { ... }: {
  system.stateVersion = "25.11";
  systemd.tmpfiles.rules = [
    "d /persist/slskd/Downloads 755 slskd slskd"
  ];
  fileSystems."/var/lib/slskd" = {
    device = "/persist/slskd";
    fsType = "none";
    options = [ "bind" ];
  };
  networking.firewall.allowedTCPPorts = [ 5030 50300 ];
  networking.firewall.allowedUDPPorts = [ 5030 50300 ];
  services.slskd = {
    enable = true;
    domain = null;
    environmentFile = "/binds/slskd_env";
    settings = {
      shares.directories = [ "/binds/music/" ];
    };
  };
 }
--- a/containers/fluorite/flake.lock
+++ b/containers/fluorite/flake.lock
@ -0,0 +1,27 @@
 {
  "nodes": {
    "nixpkgs": {
      "locked": {
        "lastModified": 1773282481,
        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "nixpkgs": "nixpkgs"
      }
    }
  },
  "root": "root",
  "version": 7
 }
--- a/containers/fluorite/flake.nix
+++ b/containers/fluorite/flake.nix
@ -0,0 +1,89 @@
 {
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
  };
  outputs = { nixpkgs, ... }:
  let
    name = "fluorite";
    fqdn = "fluorite.lava.moe";
    subnetId = "6";
    subnet = x: "fd0d:1::${subnetId}:${toString x}";
    host = subnet 1;
    client = subnet 2;
    subnet4 = x: "10.30.${subnetId}.${toString x}";
    host4 = subnet4 1;
    client4 = subnet4 2;
    modules = [
      ./configuration.nix
      {
        networking.useHostResolvConf = false;
        networking.nameservers = [ host ];
      }
    ];
  in {
    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
      inherit modules;
    };
    nixosModule = { config, ... }: {
      networking.nat = {
        enable = true;
        enableIPv6 = true;
        internalInterfaces = [ "ve-${name}" ];
      };
      networking.firewall.allowedTCPPorts = [ 50300 ];
      services.nginx.virtualHosts."${fqdn}" = {
        useACMEHost = "lava.moe";
        forceSSL = true;
        locations."/".proxyPass = "http://[${client}]:5030";
        listenAddresses = [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ];
      };
      systemd.tmpfiles.rules = [
        "d /persist/containers/${name} 755 root users"
        "d /persist/media/music 075 nobody users"
      ];
      containers.${name} = {
        autoStart = true;
        privateNetwork = true;
        hostAddress = host4;
        localAddress = client4;
        hostAddress6 = host;
        localAddress6 = client;
        # privateUsers = "pick";
        nixpkgs = nixpkgs;
        ephemeral = true;
        config = { imports = modules; };
        specialArgs = { inherit fqdn; };
        forwardPorts = [
          {
            containerPort = 50300;
            hostPort = 50300;
            protocol = "tcp";
          }
        ];
        bindMounts."persist" = {
          hostPath = "/persist/containers/${name}";
          mountPoint = "/persist";
          isReadOnly = false;
        };
        bindMounts."music" = {
          hostPath = "/persist/media/music";
          mountPoint = "/binds/music";
          isReadOnly = true;
        };
        bindMounts."slskd_env" = {
          hostPath = config.age.secrets.slskd_env.path;
          mountPoint = "/binds/slskd_env";
          isReadOnly = true;
        };
        # flake = "path:" + ./.;
      };
    };
  };
 }
--- a/containers/garnet/configuration.nix
+++ b/containers/garnet/configuration.nix
@ -0,0 +1,36 @@
 { ... }: {
  system.stateVersion = "25.11";
  fileSystems."/var/lib/opencloud" = {
    device = "/flower/data";
    fsType = "none";
    options = [ "bind" ];
  };
  fileSystems."/etc/opencloud" = {
    device = "/persist/cfg";
    fsType = "none";
    options = [ "bind" ];
  };
  # TODO: hardcoded address
  networking.extraHosts = ''
    100.67.2.1 cloud.lava.moe
  '';
  networking.firewall.allowedTCPPorts = [ 9200 ];
  networking.firewall.allowedUDPPorts = [ 9200 ];
  environment.etc."opencloud-admin-pass".text = ''
    IDM_ADMIN_PASSWORD=supersillysecure
  '';
  services.opencloud = {
    enable = true;
    url = "https://cloud.lava.moe";
    address = "10.30.7.2";
    port = 9200;
    environment = {
      PROXY_TLS = "false";
      IDP_ACCESS_TOKEN_EXPIRATION = "2592000";
      IDP_ID_TOKEN_EXPIRATION = "2592000";
    };
    environmentFile = "/etc/opencloud-admin-pass";
  };
 }
--- a/containers/garnet/flake.lock
+++ b/containers/garnet/flake.lock
@ -0,0 +1,27 @@
 {
  "nodes": {
    "nixpkgs": {
      "locked": {
        "lastModified": 1779560665,
        "narHash": "sha256-tpyBcxPpcQb8ukyNF7DoCwfSY3VPsxHoYwj00Cayv5o=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "64c08a7ca051951c8eae34e3e3cb1e202fe36786",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "nixpkgs": "nixpkgs"
      }
    }
  },
  "root": "root",
  "version": 7
 }
--- a/containers/garnet/flake.nix
+++ b/containers/garnet/flake.nix
@ -0,0 +1,84 @@
 {
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
  };
  outputs = { nixpkgs, ... }:
  let
    name = "garnet";
    fqdn = "cloud.lava.moe";
    subnetId = "7";
    subnet = x: "fd0d:1::${subnetId}:${toString x}";
    host = subnet 1;
    client = subnet 2;
    subnet4 = x: "10.30.${subnetId}.${toString x}";
    host4 = subnet4 1;
    client4 = subnet4 2;
    modules = [
      ./configuration.nix
      {
        networking.useHostResolvConf = false;
        networking.nameservers = [ host ];
      }
    ];
  in {
    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
      inherit modules;
    };
    nixosModule = { config, ... }: {
      networking.nat = {
        enable = true;
        enableIPv6 = true;
        internalInterfaces = [ "ve-${name}" ];
      };
      services.nginx.virtualHosts."${fqdn}" = {
        useACMEHost = "lava.moe";
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://${client4}:9200";
          proxyWebsockets = true;
        };
        extraConfig = ''
          proxy_read_timeout 3600s;
          proxy_send_timeout 3600s;
          keepalive_requests 100000;
          keepalive_timeout 5m;
          http2_max_concurrent_streams 512;
        '';
        # TODO: hardcoded address
        listenAddresses = [ "100.67.2.1" ];
      };
      systemd.tmpfiles.rules = [
        "d /persist/containers/${name} 755 root users"
      ];
      containers.${name} = {
        autoStart = true;
        privateNetwork = true;
        hostAddress = host4;
        localAddress = client4;
        hostAddress6 = host;
        localAddress6 = client;
        # privateUsers = "pick";
        nixpkgs = nixpkgs;
        ephemeral = true;
        config = { imports = modules; };
        specialArgs = { inherit fqdn; };
        bindMounts."persist" = {
          hostPath = "/persist/containers/${name}";
          mountPoint = "/persist";
          isReadOnly = false;
        };
        bindMounts."content" = {
          hostPath = "/flower/opencloud";
          mountPoint = "/flower";
          isReadOnly = false;
        };
      };
    };
  };
 }
--- a/flake.lock
+++ b/flake.lock
--- a/flake.nix
+++ b/flake.nix
@ -1,114 +1,101 @@
 {
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    nixpkgs-raccoon.url = "github:NixOS/nixpkgs/nixos-22.11";
    nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-23.11";
    home-manager.url = "github:nix-community/home-manager";
    home-manager-raccoon.url = "github:nix-community/home-manager/release-22.11";
    home-manager-stable.url = "github:nix-community/home-manager/release-23.11";
    neovim-nightly.url = "github:nix-community/neovim-nightly-overlay";
    nixos-hardware.url = "github:NixOS/nixos-hardware";
    agenix.url = "github:ryantm/agenix";
    nixos-generators.url = "github:nix-community/nixos-generators";
    spicetify-nix.url = "github:the-argus/spicetify-nix";
    agenix.inputs.nixpkgs.follows = "nixpkgs";
    home-manager.inputs.nixpkgs.follows = "nixpkgs";
-    home-manager-raccoon.inputs.nixpkgs.follows = "nixpkgs-raccoon";
+
-    home-manager-stable.inputs.nixpkgs.follows = "nixpkgs-stable";
+    agenix.url = "github:ryantm/agenix";
    agenix.inputs.nixpkgs.follows = "nixpkgs";
    aagl.url = "github:ezKEa/aagl-gtk-on-nix";
    catppuccin.url = "github:catppuccin/nix/8eada392fd6571a747e1c5fc358dd61c14c8704e";
    catppuccin.inputs.nixpkgs.follows = "nixpkgs";
    catppuccin-palette = { url = "github:catppuccin/palette"; flake = false; };
    neovim-nightly.url = "github:nix-community/neovim-nightly-overlay";
    neovim-nightly.inputs.nixpkgs.follows = "nixpkgs";
    nixos-generators.inputs.nixpkgs.follows = "nixpkgs";
    spicetify-nix.inputs.nixpkgs.follows = "nixpkgs";
    nix-gaming.url = "github:fufexan/nix-gaming";
    nix-index-database.url = "github:nix-community/nix-index-database";
    nix-index-database.inputs.nixpkgs.follows = "nixpkgs";
    spicetify-nix.url = "github:Gerg-L/spicetify-nix";
    spicetify-nix.inputs.nixpkgs.follows = "nixpkgs";
    # services
-    hosts-blocklists = { url = "github:notracking/hosts-blocklists"; flake = false; };
+    pastel.url = "github:cillynder/pastel";
-    website = { url = "github:LavaDesu/lavadesu.github.io/master"; flake = false; };
+    stevenblack-hosts = { url = "github:StevenBlack/hosts"; flake = false; };
-    spicetify-themes = { url = "github:spicetify/spicetify-themes"; flake = false; };
+    website = { url = "github:cillynder/lavadesu.github.io/master"; flake = false; };
    # zsh plugins
-    zsh-abbr = { url = "github:olets/zsh-abbr"; flake = false; };
+    zsh-abbr = { url = "git+https://github.com/olets/zsh-abbr?submodules=1"; flake = false; };
    zsh-history-substring-search = { url = "github:zsh-users/zsh-history-substring-search"; flake = false; };
    fast-syntax-highlighting = { url = "github:zdharma-continuum/fast-syntax-highlighting"; flake = false; };
    pure = { url = "github:sindresorhus/pure"; flake = false; };
    # overlays
    discord-tokyonight = { url = "github:DanisDGK/zelk-customizations"; flake = false; };
    discover = { url = "github:trigg/Discover"; flake = false; };
    linux-tkg = { url = "github:Frogging-Family/linux-tkg"; flake = false; };
    nvim-treesitter = { url = "github:nvim-treesitter/nvim-treesitter"; flake = false; };
    packwiz = { url = "github:comp500/packwiz"; flake = false; };
    spotify-adblock = { url = "github:abba23/spotify-adblock"; flake = false; };
    tree-sitter-glimmer = { url = "github:alexlafroscia/tree-sitter-glimmer"; flake = false; };
    tree-sitter-jsonc = { url = "gitlab:WhyNotHugo/tree-sitter-jsonc"; flake = false; };
    wine-discord-ipc-bridge = { url = "github:0e4ef622/wine-discord-ipc-bridge"; flake = false; };
-    # shells
+    # containers
-    rust-overlay.url = "github:oxalica/rust-overlay";
+    c-amethyst.url = "path:./containers/amethyst";
-    rust-overlay.inputs.nixpkgs.follows = "nixpkgs";
+    c-beryllium.url = "path:./containers/beryllium";
    c-citrine.url = "path:./containers/citrine";
    c-diamond.url = "path:./containers/diamond";
    c-emerald.url = "path:./containers/emerald";
    c-fluorite.url = "path:./containers/fluorite";
    c-garnet.url = "path:./containers/garnet";
  };
-  outputs = { self, agenix, nixos-generators, nixpkgs, nixpkgs-raccoon, nixpkgs-stable, ... } @ inputs:
+  outputs = { self, agenix, catppuccin, nixpkgs, ... } @ inputs:
    let
      overlays = (import ./overlays)
        ++ [(final: prev: {
          me = prev.callPackage ./packages { inherit inputs; } // { inherit inputs; };
        })];
        patchOverlaysWithLinuxLava = nixpkgs: arch: ([(self: super: {
          linuxLavaNixpkgs = import nixpkgs {
            overlays = [ (import ./overlays/linux-lava.nix) ] ++ overlays;
            system = arch;
          };
        })] ++ overlays);
      mkSystem =
        if !(self ? rev) then throw "Dirty git tree detected." else
-        nixpkgs: name: arch: enableGUI: extraModules: nixpkgs.lib.nixosSystem {
+        nixpkgs: name: arch: extraModules: nixpkgs.lib.nixosSystem {
          system = arch;
          modules = [
-            { nixpkgs.overlays = overlays; }
+            ({
              nixpkgs.overlays = patchOverlaysWithLinuxLava nixpkgs arch;
            })
            agenix.nixosModules.age
            catppuccin.nixosModules.catppuccin
            (./hosts + "/${name}")
          ] ++ extraModules;
          specialArgs = {
-            inherit inputs enableGUI;
+            inherit inputs;
            modules = import ./modules { lib = nixpkgs.lib; };
            gcSecrets = builtins.fromJSON (builtins.readFile "${self}/secrets.gcrypt/shared.json");
          };
        };
    in
    {
-      nixosConfigurations."anemone" = mkSystem nixpkgs "anemone" "x86_64-linux" true [];
+      nixosConfigurations."alyssum" = mkSystem nixpkgs "alyssum" "x86_64-linux" [];
-      nixosConfigurations."blossom" = mkSystem nixpkgs "blossom" "x86_64-linux" true [];
+      nixosConfigurations."anemone" = mkSystem nixpkgs "anemone" "x86_64-linux" [];
-      nixosConfigurations."hyacinth" = mkSystem nixpkgs "hyacinth" "x86_64-linux" true [];
+      nixosConfigurations."dandelion" = mkSystem nixpkgs "dandelion" "aarch64-linux" [];
-
+      nixosConfigurations."hyacinth" = mkSystem nixpkgs "hyacinth" "x86_64-linux" [];
      nixosConfigurations."caramel" = mkSystem nixpkgs-raccoon "caramel" "aarch64-linux" false [{
        nixpkgs.overlays = [
          (self: super: {
            makeModulesClosure = x: super.makeModulesClosure (x // { allowMissing = true; });
          })
        ];
      }];
      nixosConfigurations."sugarcane" = mkSystem nixpkgs-raccoon "sugarcane" "x86_64-linux" false [];
      nixosConfigurations."dandelion" = mkSystem nixpkgs-stable "dandelion" "aarch64-linux" false [];
      packages."x86_64-linux" =
        let
-          pkgs = import nixpkgs {
+          pkgs = import nixpkgs rec {
-            inherit overlays;
+            overlays = patchOverlaysWithLinuxLava nixpkgs system;
            system = "x86_64-linux";
          };
        in
        {
-          inherit (pkgs.me) linux-lava;
+          inherit (pkgs.me) linux-lava spotify-adblock;
          linux-lava-ccache = pkgs.me.linux-lava.override { useCcache = true; };
        };
      packages."aarch64-linux" =
        let
          pkgs = import nixpkgs-raccoon {
            inherit overlays;
            system = "aarch64-linux";
          };
        in
        {
          caramel-img = self.nixosConfigurations."caramel".config.system.build.sdImage;
        };
      # TODO: currently broken
      # devShells.x86_64-linux = pkgs.callPackage ./shells { inherit inputs; };
    };
 }
--- a/hosts/alyssum/default.nix
+++ b/hosts/alyssum/default.nix
@ -0,0 +1,45 @@
 { inputs, lib, modules, modulesPath, ... }: {
  networking.hostName = "alyssum";
  system.stateVersion = "25.11";
  time.timeZone = "Australia/Melbourne";
  age.secrets = {
    acme_dns.file = ../../secrets/acme_dns.age;
    passwd.file = ../../secrets/passwd.age;
    navidrome_env.file = ../../secrets/navidrome_env.age;
    wpa_conf = {
      file = ../../secrets/wpa_conf.age;
      path = "/etc/wpa_supplicant/imperative.conf";
      symlink = false;
    };
  };
  imports = with modules.system; [
    (modulesPath + "/profiles/qemu-guest.nix")
    home-manager
    base
    kernel
    nix-stable
    packages
    security
    tailscale
    modules.services.nginx
    modules.services.syncthing
    inputs.c-emerald.nixosModule
    inputs.c-garnet.nixosModule
    ./filesystem.nix
    ./kernel.nix
    ./networking.nix
    ./home.syncthing.nix
    ./samba.nix
    ../../users/hana
  ];
  me.environment = "headless";
  services.syncthing.user = lib.mkForce "hana";
 }
--- a/hosts/alyssum/filesystem.nix
+++ b/hosts/alyssum/filesystem.nix
@ -0,0 +1,35 @@
 { ... }:
 let
  bind = src: {
    depends = [ "/nix" ];
    device = src;
    fsType = "none";
    neededForBoot = true;
    options = [ "bind" ];
  };
  mkLabelMount = label: type: {
    device = "/dev/disk/by-label/${label}";
    fsType = type;
    options = [ "defaults" "relatime" ];
  };
  mkBtrfsMount = name: subvol: atime: mkLabelMount name "btrfs" // {
    options = [ "autodefrag" "compress=zstd:3" "defaults" "discard=async" "space_cache=v2" "ssd" "subvol=${subvol}" (if atime then "relatime" else "noatime") ];
  };
  submount = mkBtrfsMount "alyssum";
 in {
  fileSystems = {
    "/" = {
      device = "rootfs";
      fsType = "tmpfs";
      options = [ "defaults" "size=8G" "mode=755" ];
    };
    "/boot" = mkLabelMount "stem" "vfat";
    "/flower" = mkBtrfsMount "myosotis" "/@" true;
    "/nix" = submount "/@/nix" false;
    "/persist" = (submount "/@/persist" true) // { neededForBoot = true; };
    "/persist/.snapshots" = submount "/snap/persist" false;
    "/var/log/journal" = bind "/persist/journal";
  };
 }
--- a/hosts/alyssum/home.syncthing.nix
+++ b/hosts/alyssum/home.syncthing.nix
@ -0,0 +1,39 @@
 { config, lib, ... }:
 let
  configOn = user: port: {
    me.binds."/home/${user}/.config/syncthing" = "${user}/syncthing/config";
    me.binds."/home/${user}/.local/state/syncthing" = "${user}/syncthing/state";
    systemd.tmpfiles.rules = [ "d /flower/syncthing/${user} 700 ${user} users" ];
    users.users.${user} = {
      hashedPasswordFile = config.age.secrets.passwd.path;
      isNormalUser = true;
      linger = true;
    };
    home-manager.users.${user} = { ... }: {
      home = {
        username = "${user}";
        homeDirectory = "/home/${user}";
        stateVersion = "26.05";
      };
      services.syncthing = {
        enable = true;
        guiAddress = "[::]:${toString port}";
        overrideDevices = false;
        overrideFolders = false;
        settings = {
          options.listenAddresses = [
            "tcp://0.0.0.0:2${toString port}"
            "quic://0.0.0.0:2${toString port}"
            "dynamic+https://relays.syncthing.net/endpoint"
          ];
          defaults.folder.path = "/flower/syncthing/${user}";
        };
      };
    };
  };
 in lib.mkMerge [
  (configOn "kujira" 8385)
  (configOn "cilly" 8386)
 ]
--- a/hosts/alyssum/kernel.nix
+++ b/hosts/alyssum/kernel.nix
@ -0,0 +1,12 @@
 { config, lib, ... }: {
  boot = {
    loader = {
      efi.canTouchEfiVariables = true;
      systemd-boot.enable = true;
    };
    initrd.availableKernelModules = [ "nvme" "xhci_pci" "usb_storage" "sd_mod" "rtsx_usb_sdmmc" ];
    initrd.kernelModules = [ ];
    kernelModules = [ "kvm-amd" ];
  };
  hardware.cpu.amd.updateMicrocode = true;
 }
--- a/hosts/alyssum/networking.nix
+++ b/hosts/alyssum/networking.nix
@ -0,0 +1,15 @@
 { config, ... }: {
  networking = {
    useDHCP = true;
    wireless.enable = true;
    interfaces.wlp1s0.useDHCP = false;
    interfaces.wlp1s0.ipv4.addresses = [{
      address = "192.168.1.167";
      prefixLength = 24;
    }];
    defaultGateway = "192.168.1.1";
    nameservers = [ "8.8.8.8" "8.8.4.4" ];
  };
 }
--- a/hosts/alyssum/packages.nix
+++ b/hosts/alyssum/packages.nix
@ -1,4 +1,4 @@
-{ lib, pkgs, ... }: {
+{ pkgs, ... }: {
  environment.systemPackages = with pkgs; [
    git
    htop
--- a/hosts/alyssum/samba.nix
+++ b/hosts/alyssum/samba.nix
@ -0,0 +1,84 @@
 { config, lib, pkgs, ... }:
 let
  configOn = user: let
    passwd_fname = "passwd_smb${user}";
  in {
    age.secrets.${passwd_fname}.file = ../../secrets/${passwd_fname}.age;
    me.binds."/flower/smb/${user}/music" = "/flower/media/music/${user}";
    me.binds."/flower/smb/${user}/syncthing" = "/flower/syncthing/${user}";
    users.users.${user} = {
      hashedPasswordFile = config.age.secrets.passwd.path;
      isNormalUser = true;
    };
    system.activationScripts = {
      init_smbpasswd.text = let
        smbpasswd = "${config.services.samba.package}/bin/smbpasswd";
      in ''
        printf "$(cat ${config.age.secrets.${passwd_fname}.path})\n$(cat ${config.age.secrets.${passwd_fname}.path})\n" | ${smbpasswd} -sa ${user}
      '';
    };
    services.samba.settings."${user}" = {
      "path" = "/flower/smb/${user}";
      "browseable" = "yes";
      "read only" = "no";
      "guest ok" = "no";
      "create mask" = "0644";
      "directory mask" = "0755";
      "force user" = user;
      "force group" = "users";
      "valid users" = user;
    };
  };
 in lib.mkMerge [
  (configOn "cilly")
  (configOn "kujira")
  {
    me.binds."/flower/smb/kujira/opencloud" = "/flower/opencloud/data/storage/users/users/a8e29fc0-673c-4c67-be00-2442904acb43";
    networking.firewall.allowPing = true;
    services.samba = {
      enable = true;
      package = pkgs.samba4Full;
      openFirewall = true;
      settings = {
        global = {
          "server smb encrypt" = "required";
          "workgroup" = "WORKGROUP";
          "server string" = "smbnix";
          "netbios name" = "smbnix";
          "security" = "user";
          "hosts allow" = "100.64.0.0/10 127.0.0.1 alyssum localhost";
          "hosts deny" = "0.0.0.0/0";
          "guest account" = "nobody";
          "map to guest" = "bad user";
        };
        "public" = {
          "path" = "/flower/smb/public";
          "browseable" = "yes";
          "read only" = "no";
          "guest ok" = "yes";
          "create mask" = "0644";
          "directory mask" = "0755";
          "force user" = "hana";
          "force group" = "users";
        };
      };
    };
    services.samba-wsdd = {
      enable = true;
      openFirewall = true;
    };
    services.avahi = {
      enable = true;
      openFirewall = true;
      nssmdns4 = true;
      publish.enable = true;
      publish.userServices = true;
    };
  }
 ]
--- a/hosts/anemone/default.nix
+++ b/hosts/anemone/default.nix
@ -3,13 +3,13 @@
  system.stateVersion = "23.11";
  time.timeZone = "Australia/Melbourne";
-  nixpkgs.overlays = [ inputs.neovim-nightly.overlay ];
+  nixpkgs.overlays = [ inputs.neovim-nightly.overlays.default ];
  age.secrets = {
    wg_anemone.file = ../../secrets/wg_anemone.age;
    passwd.file = ../../secrets/passwd.age;
  };
  imports = with modules.system; [
    inputs.home-manager.nixosModule
    home-manager
    audio
@ -17,6 +17,7 @@
    bluetooth
    ccache
    corectrl
    docker
    flatpak
    greetd
    gui
@ -27,18 +28,33 @@
    printing
    security
    snapper
    tailscale
    wireguard
    ./filesystem.nix
    ./kernel.nix
    ./networking.nix
    ../../users/rin
    modules.services.syncthing
  ];
-  programs.hyprland.enable = true;
+  me = {
    environment = "laptop";
    batteryDevice = "BATT";
    kbBacklightDevice = "asus::kbd_backlight";
    hasFingerprint = true;
    hidpi = true;
  };
-  # For steam fhs-env
+  programs.wireshark = {
-  nixpkgs.config.permittedInsecurePackages = [
+    enable = true;
-    "openssl-1.1.1w"
+    package = pkgs.wireshark;
-  ];
+  };
  services.fprintd.enable = true;
  services.tlp.enable = true;
  programs.kdeconnect.enable = true;
 }
--- a/hosts/anemone/kernel.nix
+++ b/hosts/anemone/kernel.nix
@ -7,6 +7,7 @@
    };
    initrd = {
      availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
      systemd.enable = true;
      verbose = false;
    };
    kernelModules = [ "kvm-amd" ];
@ -22,6 +23,25 @@
    ];
  };
  # swapDevices = [{
  #   device = "/persist/swapfile";
  #   size = 16 * 1024;
  # }];
  #
  # systemd.sleep.extraConfig = ''
  #   HibernateMode=shutdown
  # '';
  /*
  services.logind.lidSwitch = "suspend-then-hibernate";
  systemd.sleep.extraConfig = ''
    HibernateDelaySec=14400
    SuspendEstimationSec=3600
    HibernateOnACPower=true
  '';
  */
  powerManagement.cpufreq.min = 400000;
  hardware.cpu.amd.updateMicrocode = true;
  hardware.firmware = let
@ -30,17 +50,12 @@
    pkgs.runCommandNoCC "cs35l41-10431683" { } ''
      mkdir -p $out/lib/firmware/cirrus
      cd $out/lib/firmware/cirrus
      cp ${fw}/cs35l41-dsp1-spk-cali-10431e12-spkid0-l0.bin cs35l41-dsp1-spk-cali-10431683-spkid0-l0.bin
      cp ${fw}/cs35l41-dsp1-spk-cali-10431e12-spkid0-l0.bin cs35l41-dsp1-spk-cali-10431683-spkid0-r0.bin
      cp ${fw}/cs35l41-dsp1-spk-cali-10431e12-spkid0-l0.bin cs35l41-dsp1-spk-cali-10431683-spkid1-l0.bin
      cp ${fw}/cs35l41-dsp1-spk-cali-10431e12-spkid0-l0.bin cs35l41-dsp1-spk-cali-10431683-spkid1-r0.bin
      cp ${fw}/cs35l41-dsp1-spk-prot-10431e12-spkid0-l0.bin cs35l41-dsp1-spk-prot-10431683-spkid0-l0.bin
      cp ${fw}/cs35l41-dsp1-spk-prot-10431e12-spkid0-l0.bin cs35l41-dsp1-spk-prot-10431683-spkid0-r0.bin
      cp ${fw}/cs35l41-dsp1-spk-prot-10431e12-spkid0-l0.bin cs35l41-dsp1-spk-prot-10431683-spkid1-l0.bin
      cp ${fw}/cs35l41-dsp1-spk-prot-10431e12-spkid0-l0.bin cs35l41-dsp1-spk-prot-10431683-spkid1-r0.bin
      cp ${fw}/cs35l41-dsp1-spk-cali-10431e12.wmfw cs35l41-dsp1-spk-cali-10431683.wmfw
      cp ${fw}/cs35l41-dsp1-spk-prot-10431e12.wmfw cs35l41-dsp1-spk-prot-10431683.wmfw
    ''
  )];
--- a/hosts/anemone/networking.nix
+++ b/hosts/anemone/networking.nix
@ -1,15 +1,4 @@
 { config, ... }: {
-  networking = {
+  networking.wireless.iwd.enable = true;
-    nameservers = [ "8.8.8.8" "8.8.4.4" ];
+  environment.etc."NetworkManager/system-connections".source = "/persist/nm_system-connections";
    wireless.enable = true;
    networkmanager = {
      enable = true;
      dns = "none";
    };
    extraHosts = ''
      192.168.100.16 hyacinth
    '';
  };
 }
--- a/hosts/blossom/default.nix
+++ b/hosts/blossom/default.nix
@ -1,36 +0,0 @@
 { config, inputs, modules, overlays, pkgs, ... }: {
  networking.hostName = "blossom";
  system.stateVersion = "21.11";
  time.timeZone = "Asia/Phnom_Penh";
  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
  nixpkgs.overlays = [ inputs.neovim-nightly.overlay ];
  age.secrets = {
    passwd.file = ../../secrets/passwd.age;
    wg_blossom.file = ../../secrets/wg_blossom.age;
    wpa_conf.file = ../../secrets/wpa_conf.age;
  };
  imports = with modules.system; [
    inputs.home-manager.nixosModule
    home-manager
    audio
    base
    greetd
    gui
    input
    kernel
    nix
    packages
    security
    snapper
    wireguard
    ./filesystem.nix
    ./kernel.nix
    ./networking.nix
    ../../users/rin
  ];
 }
--- a/hosts/blossom/filesystem.nix
+++ b/hosts/blossom/filesystem.nix
@ -1,41 +0,0 @@
 { config, ... }:
 let
  mkMount = uuid: type: {
    device = "/dev/disk/by-uuid/${uuid}";
    fsType = type;
    options = [ "defaults" "relatime" ];
  };
  mkBtrfsMount = subvolid: atime: mkMount "cf0f4302-f006-46a5-afc7-ada04d17f6f2" "btrfs" // {
    options = [ "autodefrag" "compress=zstd:3" "defaults" "discard=async" "space_cache=v2" "ssd" "subvolid=${builtins.toString subvolid}" (if atime then "relatime" else "noatime") ];
  };
 in
 {
  fileSystems = {
    "/" = {
      device = "rootfs";
      fsType = "tmpfs";
      options = [ "defaults" "size=4G" "mode=755" ];
    };
    "/boot" = mkMount "186A-A42E" "vfat";
    "/mnt/butter" = mkBtrfsMount 5 true;
    "/nix" = mkBtrfsMount 257 false;
    "/home" = mkBtrfsMount 259 true;
    "/home/.snapshots" = mkBtrfsMount 262 false;
    "/root" = mkBtrfsMount 260 false;
    "/var" = mkBtrfsMount 258 false;
    "/persist" = {
      depends = [ "/var" ];
      device = "/var/persist";
      fsType = "none";
      options = [ "bind" ];
      neededForBoot = true;
    };
    # "/mnt/nfs" = {
    #   device = "192.168.100.11:/srv/nfs";
    #   fsType = "nfs";
    #   options = [ "defaults" ];
    # };
  };
 }
--- a/hosts/blossom/kernel.nix
+++ b/hosts/blossom/kernel.nix
@ -1,25 +0,0 @@
 { config, lib, pkgs, ... }: {
  boot = {
    loader = {
      efi.canTouchEfiVariables = true;
      grub = {
        enable = true;
        efiSupport = true;
        device = "nodev";
        useOSProber = lib.mkForce false;
      };
    };
    initrd.kernelModules = [ "i915" ];
    kernelParams = [
      "amdgpu.gpu_recovery=1"
      "amdgpu.si_support=1"
      "radeon.si_support=0"
      "intel_pstate=passive"
      "msr.allow_writes=on"
    ];
    kernelPackages = lib.mkForce (pkgs.linuxPackagesFor pkgs.me.linux-lava);
    extraModulePackages = [ config.boot.kernelPackages.v4l2loopback.out ];
    kernelModules = [ "v4l2loopback" ];
  };
 }
--- a/hosts/blossom/networking.nix
+++ b/hosts/blossom/networking.nix
@ -1,31 +0,0 @@
 { config, ... }: {
  environment.etc."wpa_supplicant.conf".source = config.age.secrets.wpa_conf.path;
  networking = {
    wireless = {
      enable = true;
      interfaces = [ "wlp3s0" ];
    };
    useDHCP = false;
    interfaces.eno1.useDHCP = false;
    interfaces.wlp3s0.useDHCP = false;
    interfaces.eno1.ipv4.addresses = [{
      address = "10.0.0.2";
      prefixLength = 24;
    }];
    interfaces.wlp3s0.ipv4.addresses = [{
      address = "192.168.100.13";
      prefixLength = 24;
    }];
    defaultGateway = "192.168.100.1";
    nameservers = [ "192.168.100.15" ];
    extraHosts = ''
      192.168.100.12 strawberry
      192.168.100.15 caramel
      10.100.0.1     sugarcane
    '';
  };
 }
--- a/hosts/caramel/default.nix
+++ b/hosts/caramel/default.nix
@ -1,43 +0,0 @@
 { config, inputs, modules, modulesPath, overlays, pkgs, ... }: {
  networking.hostName = "caramel";
  system.stateVersion = "22.11";
  time.timeZone = "Asia/Phnom_Penh";
  age.secrets = {
    acme_dns.file = ../../secrets/acme_dns.age;
    passwd.file = ../../secrets/passwd.age;
    warden_admin.file = ../../secrets/warden_admin.age;
    wpa_conf.file = ../../secrets/wpa_conf.age;
    wg_caramel.file = ../../secrets/wg_caramel.age;
  };
  imports =
    (with modules.system; [
      "${builtins.toString modulesPath}/installer/sd-card/sd-image-aarch64.nix"
      inputs.home-manager-raccoon.nixosModule
      base
      home-manager
      input
      nix-stable
      security
      transmission
      wireguard
      ./filesystem.nix
      ./kernel.nix
      ./image.nix
      ./networking.nix
      ./packages.nix
      ../../users/hana
    ]) ++
    (with modules.services; [
 #       nginx
 #       postgres
 #       synapse
      jellyfin
      sonarr
      tmptsync
      unbound
    ]);
 }
--- a/hosts/caramel/filesystem.nix
+++ b/hosts/caramel/filesystem.nix
@ -1,50 +0,0 @@
 { config, lib, ... }:
 let
  bind = src: {
    depends = [ "/persist" ];
    device = src;
    fsType = "none";
    neededForBoot = true;
    options = [ "bind" ];
  };
 in {
  fileSystems = {
    "/" = lib.mkForce {
      device = "rootfs";
      fsType = "tmpfs";
      options = [ "defaults" "size=1G" "mode=755" ];
    };
    # "/nix" = {
    #   device = "overlayfs";
    #   fsType = "overlay";
    #   options = [
    #     "lowerdir=/mnt/image/nix"
    #     "upperdir=/persist/nix-overlay"
    #     "workdir=/persist/.overlaytmp"
    #   ];
    #   noCheck = true;
    #   depends = [ "/mnt/image" "/persist" ];
    # };
    "/nix" = (bind "/mnt/image/nix") // { depends = [ "/mnt/image" ]; };
    "/mnt/image" = {
      device = "/dev/disk/by-label/NIXOS_SD";
      fsType = "ext4";
      options = [ "defaults" "noatime" ];
      neededForBoot = true;
    };
    "/persist" = {
      device = "/dev/disk/by-label/PI_HDD";
      fsType = "ext4";
      options = [ "defaults" "relatime" ];
      neededForBoot = true;
    };
    "/var/lib/acme" = bind "/persist/acme";
    "/var/log/journal" = bind "/persist/journal";
    "/boot" = (bind "/mnt/image/boot") // { depends = [ "/mnt/image" ]; };
  };
 }
--- a/hosts/caramel/image.nix
+++ b/hosts/caramel/image.nix
@ -1,29 +0,0 @@
 { config, lib, pkgs, ... }: {
  sdImage.expandOnBoot = false;
  boot.postBootCommands = ''
    # On the first boot do some maintenance tasks
    if [ -f /mnt/image/nix-path-registration ]; then
      set -euo pipefail
      set -x
      # Figure out device names for the boot device and root filesystem.
      rootPart=$(${pkgs.util-linux}/bin/findmnt -n -o SOURCE /mnt/image)
      bootDevice=$(lsblk -npo PKNAME $rootPart)
      partNum=$(lsblk -npo MAJ:MIN $rootPart | ${pkgs.gawk}/bin/awk -F: '{print $2}')
      # Resize the root partition and the filesystem to fit the disk
      echo ",+," | sfdisk -N$partNum --no-reread $bootDevice
      ${pkgs.parted}/bin/partprobe
      ${pkgs.e2fsprogs}/bin/resize2fs $rootPart
      # Register the contents of the initial Nix store
      ${config.nix.package.out}/bin/nix-store --load-db < /mnt/image/nix-path-registration
      # nixos-rebuild also requires a "system" profile and an /etc/NIXOS tag.
      touch /etc/NIXOS
      ${config.nix.package.out}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
      # Prevents this from running on later boots.
      rm -f /mnt/image/nix-path-registration
    fi
  '';
 }
--- a/hosts/caramel/kernel.nix
+++ b/hosts/caramel/kernel.nix
@ -1,15 +0,0 @@
 { config, inputs, lib, pkgs, ... }: {
  imports = [
    inputs.nixos-hardware.nixosModules.raspberry-pi-4
  ];
  hardware.raspberry-pi."4".fkms-3d.enable = true;
  boot = {
    initrd.kernelModules = [ "overlay" ];
    supportedFilesystems = lib.mkForce [ "btrfs" "vfat" ];
    kernel.sysctl = {
      "kernel.core_pattern" = "|/bin/false";
      "kernel.sysrq" = 1;
    };
  };
 }
--- a/hosts/caramel/networking.nix
+++ b/hosts/caramel/networking.nix
@ -1,35 +0,0 @@
 { config, ... }: {
  environment.etc."wpa_supplicant.conf".source = config.age.secrets.wpa_conf.path;
  networking = {
    firewall.allowedTCPPorts = [ 80 443 ];
    wireless = {
      enable = true;
      interfaces = [ "wlan0" ];
    };
    useDHCP = false;
    interfaces.wlan0.useDHCP = false;
    interfaces.wlan0.ipv4.addresses = [{
      address = "192.168.100.15";
      prefixLength = 24;
    }];
    defaultGateway = "192.168.100.1";
    nameservers = [ "8.8.8.8" ];
    extraHosts = ''
      192.168.100.12 strawberry
      192.168.100.13 blossom
    '';
  };
  # wait for ntp before connecting to wireguard
  systemd = {
    additionalUpstreamSystemUnits = [ "systemd-time-wait-sync.service" ];
    services = {
      "systemd-time-wait-sync".wantedBy = [ "multi-user.target" ];
      "wireguard-wg0".after = [ "time-sync.target" ];
    };
  };
 }
--- a/hosts/dandelion/default.nix
+++ b/hosts/dandelion/default.nix
@ -1,26 +1,44 @@
-{ config, inputs, modules, modulesPath, overlays, pkgs, ... }: {
+{ inputs, modules, modulesPath, ... }: {
  networking.hostName = "dandelion";
  system.stateVersion = "23.11";
  time.timeZone = "Australia/Melbourne";
  age.secrets = {
    acme_dns.file = ../../secrets/acme_dns.age;
    slskd_env.file = ../../secrets/slskd_env.age;
    wg_dandelion.file = ../../secrets/wg_dandelion.age;
  };
  imports = with modules.system; [
    (modulesPath + "/profiles/qemu-guest.nix")
-    inputs.home-manager-stable.nixosModule
+    home-manager
    base
-    home-manager
+    kernel
    input
    nix-stable
    packages
    security
-    #wireguard
+    tailscale
    wireguard
-    modules.services.postgres
+    modules.services.banksia
    modules.services.nginx
    modules.services.unbound
    modules.services.website
    inputs.c-amethyst.nixosModule
    inputs.c-beryllium.nixosModule
    inputs.c-citrine.nixosModule
    inputs.c-diamond.nixosModule
    inputs.c-fluorite.nixosModule
    ./filesystem.nix
    ./kernel.nix
    ./networking.nix
-    ./packages.nix
+    ./nginx.nix
    ../../users/hana
  ];
  me.environment = "headless";
 }
--- a/hosts/dandelion/filesystem.nix
+++ b/hosts/dandelion/filesystem.nix
@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ ... }:
 let
  bind = src: {
    depends = [ "/nix" ];
@ -8,12 +8,12 @@ let
    options = [ "bind" ];
  };
-  mkLabelMount = label: type: lazy: {
+  mkLabelMount = label: type: {
    device = "/dev/disk/by-label/${label}";
    fsType = type;
-    options = [ "defaults" "relatime" ] ++ lib.optionals lazy [ "nofail" ];
+    options = [ "defaults" "relatime" ];
  };
-  mkBtrfsMount = name: subvol: atime: mkLabelMount name "btrfs" false // {
+  mkBtrfsMount = name: subvol: atime: mkLabelMount name "btrfs" // {
    options = [ "autodefrag" "compress=zstd:3" "defaults" "discard=async" "space_cache=v2" "ssd" "subvol=${subvol}" (if atime then "relatime" else "noatime") ];
  };
  submount = mkBtrfsMount "DANDELION";
@ -22,10 +22,10 @@ in {
    "/" = {
      device = "rootfs";
      fsType = "tmpfs";
-      options = [ "defaults" "size=12G" "mode=755" ];
+      options = [ "defaults" "size=6G" "mode=755" ];
    };
    "/boot" = mkLabelMount "UEFI" "vfat";
    "/boot" = mkLabelMount "UEFI" "vfat" true;
    "/nix" = submount "/@/nix" false;
    "/persist" = (submount "/@/persist" true) // { neededForBoot = true; };
    "/persist/.snapshots" = submount "/snap/persist" false;
--- a/hosts/dandelion/kernel.nix
+++ b/hosts/dandelion/kernel.nix
@ -1,18 +1,10 @@
-{ config, inputs, pkgs, ... }: {
+{ ... }: {
  boot = {
    loader = {
      systemd-boot.enable = false;
      efi.canTouchEfiVariables = true;
-      grub = {
+      systemd-boot.enable = true;
        enable = true;
        device = "/dev/sda";
      };
    };
    initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ];
    initrd.kernelModules = [ "nvme" ];
    kernel.sysctl = {
      "kernel.core_pattern" = "|/bin/false";
      "kernel.sysrq" = 1;
    };
  };
 }
--- a/hosts/dandelion/networking.nix
+++ b/hosts/dandelion/networking.nix
@ -1,10 +1,4 @@
-{ config, ... }: {
+{ ... }: {
-  networking = {
+  networking.useDHCP = true;
-    useDHCP = true;
+  networking.interfaces.enp2s0.useDHCP = false;
    # extraHosts = ''
    #   10.100.0.3 blossom
    #   10.100.0.4 strawberry
    # '';
  };
 }
--- a/hosts/dandelion/nginx.nix
+++ b/hosts/dandelion/nginx.nix
@ -0,0 +1,8 @@
 { ... }: {
  services.nginx.virtualHosts."muse.lava.moe" = {
    useACMEHost = "lava.moe";
    forceSSL = true;
    locations."/".return = "404";
    locations."/share/".proxyPass = "http://[fd0d:2::5:2]:4533";
  };
 }
--- a/hosts/dandelion/packages.nix
+++ b/hosts/dandelion/packages.nix
@ -1,4 +1,4 @@
-{ lib, pkgs, ... }: {
+{ pkgs, ... }: {
  environment.systemPackages = with pkgs; [
    git
    htop
--- a/hosts/hyacinth/default.nix
+++ b/hosts/hyacinth/default.nix
@ -1,23 +1,24 @@
 { config, inputs, modules, overlays, pkgs, ... }: {
  networking.hostName = "hyacinth";
  system.stateVersion = "21.11";
-  time.timeZone = "Asia/Phnom_Penh";
+  time.timeZone = "Australia/Melbourne";
-  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+  nixpkgs.overlays = [ inputs.neovim-nightly.overlays.default ];
  nixpkgs.overlays = [ inputs.neovim-nightly.overlay ];
  age.secrets = {
    passwd.file = ../../secrets/passwd.age;
-    wg_hyacinth.file = ../../secrets/wg_blossom.age;
+    wg_hyacinth.file = ../../secrets/wg_hyacinth.age;
    wpa_conf.file = ../../secrets/wpa_conf.age;
  };
  imports = with modules.system; [
    inputs.home-manager.nixosModule
    home-manager
    aagl
    audio
    base
    bluetooth
    ccache
    corectrl
    docker
    flatpak
    greetd
    gui
@ -28,21 +29,19 @@
    printing
    security
    snapper
-    virtualisation
+    tailscale
    wireguard
-    modules.services.postgres
+    modules.services.syncthing
    ./filesystem.nix
    ./kernel.nix
    ./networking.nix
    ./packages.nix
    ../../users/rin
  ];
-  services.postgresql.ensureDatabases = [ "barista" "barista-dev" ];
+  systemd.services.nix-daemon.environment.TMPDIR = "/nix/tmp";
-  # For steam fhs-env
+  me.hasBluetooth = true;
  nixpkgs.config.permittedInsecurePackages = [
    "openssl-1.1.1w"
  ];
 }
--- a/hosts/hyacinth/filesystem.nix
+++ b/hosts/hyacinth/filesystem.nix
@ -15,7 +15,7 @@ in
    "/" = {
      device = "rootfs";
      fsType = "tmpfs";
-      options = [ "defaults" "size=8G" "mode=755" ];
+      options = [ "defaults" "size=24G" "mode=755" ];
    };
    "/boot" = mkLabelMount "CUP" "vfat";
--- a/hosts/hyacinth/kernel.nix
+++ b/hosts/hyacinth/kernel.nix
@ -13,12 +13,8 @@
    ];
    kernelPackages = lib.mkForce (pkgs.linuxPackagesFor pkgs.me.linux-lava);
  };
-  services.xserver.xrandrHeads = [{
+  hardware.amdgpu.overdrive = {
-    output = "DP-1";
+    enable = true;
-    primary = true;
+    ppfeaturemask = "0xffffffff";
-    monitorConfig = ''
+  };
      Modeline "1920x1080_165.00"  525.00  1920 2088 2296 2672  1080 1083 1088 1192 -hsync +vsync
      Option "PreferredMode" "1920x1080_165.00"
    '';
  }];
 }
--- a/hosts/hyacinth/networking.nix
+++ b/hosts/hyacinth/networking.nix
@ -1,20 +1,18 @@
 { config, ... }: {
  environment.etc."wpa_supplicant.conf".source = config.age.secrets.wpa_conf.path;
  networking = {
-    useDHCP = false;
+    useDHCP = true;
    interfaces.enp5s0.useDHCP = false;
    interfaces.enp5s0.wakeOnLan.enable = true;
    interfaces.enp5s0.ipv4.addresses = [{
-      address = "192.168.100.16";
+      address = "192.168.1.201";
      prefixLength = 24;
    }];
-    defaultGateway = "192.168.100.1";
+    defaultGateway = "192.168.1.1";
-    nameservers = [ "1.1.1.1" ];
+    nameservers = [ "8.8.8.8" "8.8.4.4" ];
    extraHosts = ''
      192.168.100.12 strawberry
      192.168.100.15 caramel
      10.100.0.1     sugarcane
    '';
  };
--- a/hosts/hyacinth/packages.nix
+++ b/hosts/hyacinth/packages.nix
@ -0,0 +1,7 @@
 { pkgs, ... }: {
  environment.systemPackages = with pkgs; [
    discord
    jetbrains.idea
    texliveFull
  ];
 }
--- a/hosts/sugarcane/default.nix
+++ b/hosts/sugarcane/default.nix
@ -1,28 +0,0 @@
 { config, inputs, modules, modulesPath, overlays, pkgs, ... }: {
  networking.hostName = "sugarcane";
  system.stateVersion = "21.11";
  time.timeZone = "Asia/Singapore";
  age.secrets = {
    passwd.file = ../../secrets/passwd.age;
    wg_sugarcane.file = ../../secrets/wg_sugarcane.age;
  };
  imports = with modules.system; [
    (modulesPath + "/profiles/qemu-guest.nix")
    inputs.home-manager-raccoon.nixosModule
    base
    home-manager
    input
    nix-stable
    security
    wireguard
    ./filesystem.nix
    ./kernel.nix
    ./networking.nix
    ./packages.nix
    ../../users/hana
  ];
 }
--- a/hosts/sugarcane/filesystem.nix
+++ b/hosts/sugarcane/filesystem.nix
@ -1,29 +0,0 @@
 { config, ... }:
 let
  bind = src: {
    depends = [ "/nix" ];
    device = src;
    fsType = "none";
    neededForBoot = true;
    options = [ "bind" ];
  };
 in {
  fileSystems = {
    "/" = {
      device = "rootfs";
      fsType = "tmpfs";
      options = [ "defaults" "size=1G" "mode=755" ];
    };
    "/nix" = {
      device = "/dev/disk/by-uuid/19d572a8-1cf6-4b9c-94c6-3ce6be54f719";
      fsType = "ext4";
      options = [ "defaults" "noatime" ];
      neededForBoot = true;
    };
    "/persist" = bind "/nix/persist";
    "/var/log/journal" = bind "/nix/persist/journal";
    "/boot" = bind "/nix/persist/boot";
  };
 }
--- a/hosts/sugarcane/kernel.nix
+++ b/hosts/sugarcane/kernel.nix
@ -1,17 +0,0 @@
 { config, inputs, pkgs, ... }: {
  boot = {
    loader = {
      systemd-boot.enable = false;
      efi.canTouchEfiVariables = true;
      grub = {
        enable = true;
        device = "/dev/sda";
      };
    };
    initrd.kernelModules = [ "nvme" ];
    kernel.sysctl = {
      "kernel.core_pattern" = "|/bin/false";
      "kernel.sysrq" = 1;
    };
  };
 }
--- a/hosts/sugarcane/networking.nix
+++ b/hosts/sugarcane/networking.nix
@ -1,11 +0,0 @@
 { config, ... }: {
  networking = {
    useDHCP = false;
    interfaces.ens3.useDHCP = true;
    extraHosts = ''
      10.100.0.3 blossom
      10.100.0.4 strawberry
    '';
  };
 }
--- a/hosts/sugarcane/packages.nix
+++ b/hosts/sugarcane/packages.nix
@ -1,14 +0,0 @@
 { lib, pkgs, ... }: {
  environment.systemPackages = with pkgs; [
    git
    htop
    jq
    neovim
    rsync
    sshfs
    wget
    kitty.terminfo
  ];
  environment.variables.EDITOR = "nvim";
 }
--- a/modules/binds.nix
+++ b/modules/binds.nix
@ -0,0 +1,13 @@
 { config, lib, ...}: {
  imports = [ ./options.nix ];
  fileSystems = lib.mapAttrs (dest: key: let
    target = if (lib.strings.hasPrefix "/" key)
      then key
      else "/persist/binds/${key}";
  in {
    depends = [ "/persist" ];
    device = target;
    fsType = "none";
    options = [ "bind" ];
  }) config.me.binds;
 }
--- a/modules/default.nix
+++ b/modules/default.nix
@ -14,22 +14,30 @@ let
    }) paths
  );
 in {
  binds = ./binds.nix;
  options = ./options.nix;
  services = mkAttrsFromPaths [
    ./services/banksia.nix
    ./services/jellyfin.nix
    ./services/nginx.nix
    ./services/postgres.nix
    ./services/sonarr.nix
    ./services/synapse.nix
    ./services/syncthing.nix
    ./services/tmptsync.nix
    ./services/transmission.nix
    ./services/unbound.nix
    ./services/vaultwarden.nix
    ./services/website.nix
  ];
  system = mkAttrsFromPaths [
    ./system/aagl.nix
    ./system/audio.nix
    ./system/base.nix
    ./system/bluetooth.nix
    ./system/ccache.nix
    ./system/corectrl.nix
    ./system/docker.nix
    ./system/flatpak.nix
    ./system/greetd.nix
    ./system/gui.nix
@ -42,36 +50,31 @@ in {
    ./system/printing.nix
    ./system/security.nix
    ./system/snapper.nix
-    ./system/transmission.nix
+    ./system/tailscale.nix
    ./system/virtualisation.nix
    ./system/wireguard.nix
  ];
  user = mkAttrsFromPaths [
-    ./user/bspwm.nix
+    ./user/catppuccin.nix
    ./user/comma.nix
    ./user/direnv.nix
    ./user/dunst.nix
    ./user/eww.nix
    ./user/eww-wayland.nix
    ./user/git.nix
    ./user/gpg.nix
    ./user/hypridle.nix
    ./user/hyprlock.nix
    ./user/kitty.nix
    ./user/mpv.nix
    ./user/neovim.nix
    ./user/neovim-minimal.nix
    ./user/npm.nix
    ./user/obs.nix
    ./user/packages-rin.nix
    ./user/pass.nix
    ./user/picom.nix
    ./user/polybar.nix
    ./user/rofi.nix
    ./user/rofi-wayland.nix
    ./user/sessionVariables.nix
    ./user/spicetify.nix
    ./user/sxhkd.nix
    ./user/theming.nix
    ./user/xdg.nix
    ./user/xorg.nix
    ./user/zsh.nix
  ];
 }
--- a/modules/options.nix
+++ b/modules/options.nix
@ -0,0 +1,53 @@
 { config, lib, ... }:
 let
  inherit (lib)
    mkOption
    types;
 in {
  options.me = {
    environment = mkOption {
      type = types.enum [ "desktop" "laptop" "headless" ];
      default = "desktop";
    };
    hasFingerprint = mkOption {
      type = types.bool;
      default = false;
    };
    gui = mkOption {
      type = types.bool;
      default = config.me.environment != "headless";
    };
    batteryDevice = mkOption {
      type = with types; nullOr (uniq str);
      default = null;
    };
    kbBacklightDevice = mkOption {
      type = with types; nullOr (uniq str);
      default = null;
    };
    hasBluetooth = mkOption {
      type = types.bool;
      default = config.me.environment == "laptop";
    };
    hasWifi = mkOption {
      type = types.bool;
      default = config.me.environment == "laptop";
    };
    hidpi = mkOption {
      type = types.bool;
      default = false;
    };
    binds = lib.mkOption {
      type = with lib.types; attrsOf str;
      default = {};
    };
  };
 }
--- a/modules/services/banksia.nix
+++ b/modules/services/banksia.nix
@ -0,0 +1,11 @@
 # TODO ^^
 { ... }: {
  services.nginx.virtualHosts = {
    "banksia.lava.moe" = {
      useACMEHost = "lava.moe";
      forceSSL = true;
      locations."/".return = "302 https://lab.lava.moe/cilly/Banksia";
      locations."/api".proxyPass = "http://localhost:8080/";
    };
  };
 }
--- a/modules/services/nginx.nix
+++ b/modules/services/nginx.nix
@ -1,17 +1,21 @@
-{ config, inputs, ... }: {
+{ config, ... }: {
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  security.acme = {
    acceptTerms = true;
    defaults = {
      email = "me@lava.moe";
    certs."lava.moe" = {
      group = "nginx";
-      domain = "lava.moe";
+      dnsProvider = "cloudflare";
      environmentFile = config.age.secrets."acme_dns".path;
    };
    certs."lava.moe" = {
      extraDomainNames = [
        "*.lava.moe"
        "*.local.lava.moe"
      ];
      dnsProvider = "cloudflare";
      credentialsFile = config.age.secrets."acme_dns".path;
    };
    certs."cilly.moe" = {};
    certs."cilly.dev" = {};
  };
  services.nginx = {
@ -20,23 +24,5 @@
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
    virtualHosts = {
      "lava.moe" = {
        useACMEHost = "lava.moe";
        forceSSL = true;
        root = inputs.website.outPath;
      };
      "_" = {
        default = true;
        addSSL = true;
        # TODO generate this somewhere
        sslCertificate = "/persist/fakeCerts/fake.crt";
        sslCertificateKey = "/persist/fakeCerts/fake.key";
        extraConfig = ''
          return 444;
        '';
      };
    };
  };
 }
--- a/modules/services/postgres.nix
+++ b/modules/services/postgres.nix
@ -8,6 +8,7 @@ in {
  services.postgresql = {
    enable = true;
    dataDir = dir;
    # TODO: broken :3
    package = pkgs.postgresql_13;
    authentication = lib.mkOverride 10 ''
      #type  database  DBuser  origin-address      auth-method
--- a/modules/services/syncthing.nix
+++ b/modules/services/syncthing.nix
@ -0,0 +1,23 @@
 { config, ... }:
 let
  dir = "/persist/shared/.syncthing";
  user = if config.me.gui then "rin" else "hana";
  uid = toString config.users.users."${user}".uid;
  gid = toString config.users.groups.users.gid;
 in
 {
  systemd.tmpfiles.rules = [
    "d ${dir}/config 700 ${uid} ${gid}"
    "d ${dir}/data 700 ${uid} ${gid}"
  ];
  systemd.services.syncthing.environment.STNODEFAULTFOLDER = "true";
  services.syncthing = {
    enable = true;
    openDefaultPorts = true;
    user = user;
    group = "users";
    dataDir = "/persist/shared/.syncthing/data";
    configDir = "/persist/shared/.syncthing/config";
    guiAddress = if config.me.gui then "127.0.0.1:8384" else ":8384";
  };
 }
--- a/modules/services/transmission.nix
+++ b/modules/services/transmission.nix
@ -5,13 +5,6 @@
    downloadDirPermissions = "775";
    openFirewall = true;
    settings = {
      alt-speed-down = 512;
      alt-speed-enabled = true;
      alt-speed-time-begin = 360;
      alt-speed-time-day = 127;
      alt-speed-time-enabled = true;
      alt-speed-time-end = 1380;
      alt-speed-up = 256;
      download-dir = "/persist/transmission/Downloads";
      incomplete-dir = "/persist/transmission/.incomplete";
      ratio-limit-enabled = true;
--- a/modules/services/unbound.nix
+++ b/modules/services/unbound.nix
@ -1,8 +1,17 @@
-{ inputs, ... }:
+{ inputs, pkgs, gcSecrets, ... }:
 let
  dir = "/persist/unbound";
  converted = pkgs.runCommand "stevenblack-hosts-unbound" {} ''
    echo "server:" > "$out"
    grep '^0\.0\.0\.0' "${inputs.stevenblack-hosts}/hosts" | awk '{print "local-zone: \""$2"\" always_refuse"}' | tail -n +2 >> "$out"
  '';
 in {
-  networking.firewall.interfaces.wlan0 = {
+  networking.firewall.interfaces."ve-+" = {
    allowedUDPPorts = [ 53 853 ];
    allowedTCPPorts = [ 53 853 ];
  };
  networking.firewall.interfaces.wg0 = {
    allowedUDPPorts = [ 53 853 ];
    allowedTCPPorts = [ 53 853 ];
  };
@ -16,17 +25,27 @@ in {
        name = ".";
        forward-tls-upstream = true;
        forward-addr = [
          "2606:4700:4700::1111@853#cloudflare-dns.com"
          "2606:4700:4700::1001@853#cloudflare-dns.com"
          "2001:4860:4860::8888@853#dns.google"
          "2001:4860:4860::8844@853#dns.google"
          "1.1.1.1@853#cloudflare-dns.com"
          "1.0.0.1@853#cloudflare-dns.com"
          "8.8.8.8@853#dns.google"
          "8.8.4.4@853#dns.google"
        ];
      }];
      server = {
-        interface = [ "0.0.0.0" ];
+        interface = [ "0.0.0.0" "::0" ];
        access-control = [
          "127.0.0.1/8      allow"
          "10.0.0.0/8       allow"
          "100.64.0.0/10    allow"
          "192.168.100.0/24 allow"
          "fd0d::/16        allow"
          "fd7a:115c:a1e0::/48 allow"
          "${gcSecrets.wireguard.ipv6Subnet}:/80 allow"
        ];
        domain-insecure = [ "\"local.lava.moe\"" ];
        local-zone = [ "\"warden.local.lava.moe.\" redirect" ];
@ -35,7 +54,7 @@ in {
        ];
      };
-      include = "${inputs.hosts-blocklists}/unbound/unbound.blacklist.conf";
+      include = "${converted}";
    };
  };
--- a/modules/services/website.nix
+++ b/modules/services/website.nix
@ -0,0 +1,43 @@
 { inputs, pkgs, ... }: let
  pastel = inputs.pastel.packages.${pkgs.system}.default;
 in {
  services.nginx.virtualHosts = {
    "cilly.moe" = {
      useACMEHost = "cilly.moe";
      forceSSL = true;
      root = pastel.outPath;
    };
    "cilly.dev" = {
      useACMEHost = "cilly.dev";
      forceSSL = true;
      root = pastel.outPath;
    };
    "lava.moe" = {
      useACMEHost = "lava.moe";
      forceSSL = true;
      root = inputs.website.outPath;
    };
    "cdn.lava.moe" = {
      useACMEHost = "lava.moe";
      forceSSL = true;
      extraConfig = ''
        return 301 https://sh.lava.moe$request_uri;
      '';
    };
    "sh.lava.moe" = {
      useACMEHost = "lava.moe";
      forceSSL = true;
      root = "/persist/cdn";
    };
    "_" = {
      default = true;
      addSSL = true;
      # TODO generate this somewhere
      sslCertificate = "/persist/fakeCerts/fake.crt";
      sslCertificateKey = "/persist/fakeCerts/fake.key";
      extraConfig = ''
        return 444;
      '';
    };
  };
 }
--- a/modules/system/aagl.nix
+++ b/modules/system/aagl.nix
@ -0,0 +1,6 @@
 { inputs, ... }: {
  imports = [ inputs.aagl.nixosModules.default ];
  nix.settings = inputs.aagl.nixConfig;
  programs.anime-game-launcher.enable = true;
  programs.sleepy-launcher.enable = true;
 }
--- a/modules/system/audio.nix
+++ b/modules/system/audio.nix
@ -17,7 +17,6 @@ let
    rate = toString int.rate;
  };
 in {
  sound.enable = false;
  security.rtkit.enable = true;
  services.pipewire = {
    enable = true;
@ -26,7 +25,7 @@ in {
    pulse.enable = true;
    jack.enable = true;
  };
-  environment.etc."pipewire/pipewire.conf.d/99-config.conf".text = builtins.toJSON {
+  services.pipewire.extraConfig.pipewire = {
    "context.properties" = {
      "default.clock.rate" = int.rate;
      "default.clock.quantum" = int.quantum.def;
@ -50,7 +49,7 @@ in {
      "resample.quality" = 1;
    };
  };
-  environment.etc."pipewire/pipewire-pulse.conf.d/99-config.conf".text = builtins.toJSON {
+  services.pipewire.extraConfig.pipewire-pulse = {
      "context.modules" = [
        {
          name = "libpipewire-module-rtkit";
--- a/modules/system/base.nix
+++ b/modules/system/base.nix
@ -1,4 +1,6 @@
-{ config, enableGUI, inputs, modules, overlays, ... }: {
+{ config, inputs, modules, ... }: {
  imports = [ modules.binds modules.options ];
  environment.etc = {
    "machine-id".source = "/persist/machine-id";
    "ssh/ssh_host_rsa_key".source = "/persist/ssh_host_rsa_key";
@ -8,7 +10,9 @@
  };
  environment.pathsToLink = [ "/share/zsh" ];
-  i18n.defaultLocale = "en_GB.UTF-8";
+  i18n.defaultLocale = "en_AU.UTF-8";
  i18n.extraLocales = [ "en_GB.UTF-8/UTF-8" ];
  users.mutableUsers = false;
  system = {
@ -19,6 +23,5 @@
    };
  };
  nix.registry.config.flake = inputs.self;
  nix.registry.nixpkgs.flake = inputs.nixpkgs;
  nix.registry.shells.flake = inputs.self;
 }
--- a/modules/system/corectrl.nix
+++ b/modules/system/corectrl.nix
@ -1,9 +1,5 @@
 { ... }: {
  programs.corectrl = {
    enable = true;
    gpuOverclock = {
      enable = true;
      ppfeaturemask = "0xffffffff";
    };
  };
 }
--- a/modules/system/docker.nix
+++ b/modules/system/docker.nix
@ -0,0 +1,13 @@
 { pkgs, ... }: {
  virtualisation.docker = {
    enable = true;
    storageDriver = "btrfs";
    # rootless = {
    #   enable = true;
    #   setSocketVariable = true;
    # };
  };
  environment.systemPackages = [
    pkgs.docker-compose
  ];
 }
--- a/modules/system/greetd.nix
+++ b/modules/system/greetd.nix
@ -1,16 +1,18 @@
-{ pkgs, lib, ... }: {
+{ pkgs, ... }: {
  services.greetd = {
    enable = true;
    settings = {
      default_session = {
-        command = "${pkgs.greetd.tuigreet}/bin/tuigreet --remember --asterisks --time --cmd 'zsh -c \"source $HOME/.config/zsh/.zshrc && Hyprland > $XDG_RUNTIME_DIR/Hyprland.out\"'";
+        command = "${pkgs.tuigreet}/bin/tuigreet --remember --asterisks --time --cmd 'zsh -c \"source $HOME/.config/zsh/.zshrc && Hyprland > $XDG_RUNTIME_DIR/Hyprland.out\"'";
        user = "greeter";
      };
    };
  };
-  services.xserver = {
+      initial_session = {
-    autorun = false;
+        command = "${pkgs.writeShellScript "launch.sh" ''
-    displayManager.startx.enable = true;
+          zsh -c "source $HOME/.config/zsh/.zshrc && Hyprland > \"$XDG_RUNTIME_DIR/Hyprland.out\""
        ''}";
        user = "rin";
      };
    };
  };
 }
--- a/modules/system/gui.nix
+++ b/modules/system/gui.nix
@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }: {
  fonts = {
-    enableDefaultFonts = true;
+    enableDefaultPackages = true;
    fontconfig = {
      defaultFonts = {
        serif = [ "NotoSerif" ];
@ -8,15 +8,13 @@
        monospace = [ "CascadiaCode" ];
      };
    };
-    fonts = with pkgs; [
+    packages = with pkgs; [
-      cascadia-code
+      material-symbols
      font-awesome
      font-awesome_4
      hanazono
      material-icons
      cascadia-code
      hanazono
      noto-fonts
-      noto-fonts-cjk
+      noto-fonts-cjk-sans
      noto-fonts-extra
      open-sans
      twemoji-color-font
      unifont
@ -27,4 +25,7 @@
    displayManager.lightdm.enable = lib.mkForce false;
    desktopManager.xterm.enable = false;
  };
  programs.hyprland.enable = true;
  security.pam.services.hyprlock = {};
 }
--- a/modules/system/home-manager.nix
+++ b/modules/system/home-manager.nix
@ -1,10 +1,19 @@
-{ config, enableGUI, inputs, modules, ... }: {
+{ config, inputs, modules, ... }: {
  imports = [
    inputs.home-manager.nixosModules.home-manager
  ];
  home-manager = {
    useGlobalPkgs = true;
    useUserPackages = true;
    extraSpecialArgs = {
-      inherit enableGUI inputs modules;
+      inherit inputs modules;
      sysConfig = config;
    };
    sharedModules = [
      {
        imports = [ modules.options ];
        config.me = config.me;
      }
    ];
  };
 }
--- a/modules/system/input.nix
+++ b/modules/system/input.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }: {
+{ ... }: {
  services.xserver = {
    displayManager = {
      xserverArgs = [
@ -6,14 +6,19 @@
        "-arinterval 15"
      ];
    };
-    libinput = {
+  };
  services.keyd = {
    enable = true;
-      mouse = {
+    keyboards = {
-        accelSpeed = "0";
+      default = {
-        accelProfile = "flat";
+        ids = [ "*" ];
        settings = {
          main = {
            capslock = "esc";
            esc = "capslock";
          };
        };
      };
    };
    xkbOptions = "caps:escape";
  };
  console.useXkbConfig = true;
 }
--- a/modules/system/kernel.nix
+++ b/modules/system/kernel.nix
@ -11,5 +11,8 @@
    };
  };
  hardware.enableRedistributableFirmware = true;
-  zramSwap.enable = true;
+  zramSwap = {
    enable = true;
    priority = 100;
  };
 }
--- a/modules/system/nix-stable.nix
+++ b/modules/system/nix-stable.nix
@ -1,5 +1,7 @@
 { config, lib, pkgs, ... }: {
  nix = {
    package = pkgs.nixVersions.latest;
    settings = rec {
      substituters = [
        "https://cache.nixos.org?priority=10"
@ -17,4 +19,5 @@
    '';
  };
  nixpkgs.config.allowUnfree = true;
  programs.nh.enable = true;
 }
--- a/modules/system/nix.nix
+++ b/modules/system/nix.nix
@ -1,6 +1,7 @@
-{ config, lib, pkgs, ... }: {
+{ config, inputs, pkgs, ... }: {
  nix = {
-    package = pkgs.nixUnstable;
+    nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
    package = pkgs.nixVersions.latest;
    settings = rec {
      extra-sandbox-paths = [ config.programs.ccache.cacheDir ];
@ -23,4 +24,5 @@
    '';
  };
  nixpkgs.config.allowUnfree = true;
  programs.nh.enable = true;
 }
--- a/modules/system/packages-gui.nix
+++ b/modules/system/packages-gui.nix
@ -0,0 +1,26 @@
 { config, lib, pkgs, ... }: {
  config = lib.mkIf config.me.gui {
    environment.systemPackages = with pkgs; [
      android-tools
      gparted
      nautilus
    ];
    hardware.graphics.extraPackages = with pkgs; [
      intel-vaapi-driver
      libva-vdpau-driver
      libvdpau-va-gl
    ];
    hardware.opentabletdriver.enable = true;
    hardware.keyboard.qmk.enable = true;
    programs.steam = {
      enable = true;
      package = pkgs.steam.override {
        extraPkgs = pkgs: with pkgs; [
          gsettings-desktop-schemas
        ];
      };
    };
    services.dbus.packages = [ pkgs.dconf pkgs.gcr ];
    services.gnome.sushi.enable = true;
  };
 }
--- a/modules/system/packages.nix
+++ b/modules/system/packages.nix
@ -1,9 +1,14 @@
-{ config, enableGUI, lib, pkgs, ... }: {
+{ pkgs, ... }: {
  imports = [ ./packages-gui.nix ];
  environment.systemPackages = with pkgs; [
    # ecryptfs
    efibootmgr
    fd
    git
    git-crypt
    htop
    jq
    kitty.terminfo
    libarchive
    lf
    msr-tools
@ -11,35 +16,10 @@
    neovim
    nfs-utils
    ntfs3g
-    sshfs
+    ripgrep
    rsync
    sshfs
    wget
  ] ++ lib.optionals enableGUI [
    gparted
    gnome.nautilus
  ];
  environment.variables.EDITOR = "nvim";
 }
 // (if !enableGUI then {} else {
  programs.adb.enable = true;
  hardware.opengl.extraPackages = with pkgs; [
    vaapiIntel
    vaapiVdpau
    libvdpau-va-gl
    rocm-opencl-icd
    rocm-opencl-runtime
  ];
  programs.light.enable = true;
  hardware.opentabletdriver.enable = true;
  hardware.keyboard.qmk.enable = true;
  programs.steam = {
    enable = true;
    package = pkgs.steam.override {
      extraPkgs = pkgs: with pkgs; [
        gsettings-desktop-schemas
      ];
    };
  };
  services.dbus.packages = [ pkgs.dconf pkgs.gcr ];
  services.gnome.sushi.enable = true;
 })
--- a/modules/system/printing.nix
+++ b/modules/system/printing.nix
@ -3,7 +3,7 @@
    enable = true;
    drivers = with pkgs; [
      epson-escpr
-      me.epson-201112j
+      #me.epson-201112j
    ];
  };
 }
--- a/modules/system/security.nix
+++ b/modules/system/security.nix
@ -1,4 +1,4 @@
-{ config, pkgs, ... }: {
+{ config, lib, pkgs, ... }: {
  networking.firewall =
  let
    iptables = "${pkgs.iptables}/bin/iptables";
@ -53,5 +53,33 @@
        }
      ];
    };
    pam = lib.mkIf (config.me.environment != "headless") {
      u2f = {
        enable = true;
        settings = {
          cue = true;
          pinverification = 1;
        };
      };
      services.doas.rules.auth = {
        u2f.settings.pinverification = lib.mkForce 0;
        u2f_int = lib.mkMerge [
          {
            enable = true;
            order = config.security.pam.services.doas.rules.auth.u2f.order + 1;
            control = "sufficient";
            modulePath = "${pkgs.pam_u2f}/lib/security/pam_u2f.so";
            inherit (config.security.pam.u2f) settings;
          }
          {
            settings = lib.mkForce {
              interactive = true;
              pinverification = 0;
              userpresence = 0;
            };
          }
        ];
      };
    };
  };
 }
--- a/modules/system/tailscale.nix
+++ b/modules/system/tailscale.nix
@ -0,0 +1,13 @@
 { config, lib, ... }: {
  age.secrets.tailscale_auth.file = ../../secrets/tailscale_auth.age;
  me.binds."/var/lib/tailscale" = "tailscale";
  networking.firewall.trustedInterfaces = [ "tailscale0" ];
  networking.firewall.allowedUDPPorts = lib.mkIf (config.me.environment == "headless") [ 123 ];
  services.tailscale = {
    enable = true;
    authKeyFile = config.age.secrets.tailscale_auth.path;
    openFirewall = true;
    useRoutingFeatures = if config.me.environment == "headless" then "both" else "client";
  };
 }
--- a/modules/system/wireguard.nix
+++ b/modules/system/wireguard.nix
@ -1,13 +1,11 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, gcSecrets, ... }:
 let
-  port = 51820;
+  port = 51801;
-  serverName = "sugarcane";
+  serverName = "dandelion";
-  serverInterface = "ens3";
+  serverInterface = "enp0s6";
-  serverIp = "51.79.240.130";
+  serverIp = gcSecrets.wireguard.gateway;
  forwarding = {
    "80" = [ "10.100.0.2" "80" ];
    "443" = [ "10.100.0.2" "443" ];
    "22727" = [ "10.100.0.3" "7777" ];
  };
@ -20,52 +18,61 @@ let
      in ''
        ${pkgs.iptables}/bin/iptables -${type} PREROUTING -t nat -i ${serverInterface} -p tcp --dport ${sport} -j DNAT --to ${dest}:${dport}
        ${pkgs.iptables}/bin/iptables -${type} FORWARD -p tcp -d ${dest} --dport ${dport} -j ACCEPT
        ${pkgs.iptables}/bin/iptables -${type} PREROUTING -t nat -i ${serverInterface} -p udp --dport ${sport} -j DNAT --to ${dest}:${dport}
        ${pkgs.iptables}/bin/iptables -${type} FORWARD -p udp -d ${dest} --dport ${dport} -j ACCEPT
      '') forwarding
    );
  routeBypass = {
    caramel = {
      gateway = "192.168.100.1";
      interface = "wlan0";
      routes = [
        serverIp
      ];
    };
    hyacinth = {
      gateway = "192.168.100.1";
      interface = "enp5s0";
      routes = [
        serverIp
      ];
    };
  };
  clients = {
    caramel = {
      publicKey = "VDqcpS0lJzFgwikj61MJ1xc9P8Cuq0NXa+Hc+etn2iA=";
      allowedIPs = [ "10.100.0.2/32" ];
    };
    hyacinth = {
      publicKey = "6nVhazYdmC15A/nke9VrqIg3sOBVOmqj4GEsyBq7MVo=";
-      allowedIPs = [ "10.100.0.3/32" ];
+      allowedIPs = [ "10.100.0.3/32" "${gcSecrets.wireguard.ipv6Subnet}:3" "fd0d::3" ];
      interfaces = {
        wg0 = { peers = [ server6OnlyPeer ]; };
        wg1 = { peers = [ serverPeer ]; autostart = false; };
        wg2 = { peers = [ serverLocalOnlyPeer ]; autostart = false; };
      };
    };
    anemone = {
      publicKey = "px5+JNdAmqBvUC++DhiJrUBRAr+BYP6iYVt4sbhPTWY=";
      allowedIPs = [ "10.100.0.4/32" "${gcSecrets.wireguard.ipv6Subnet}:4" "fd0d::4" ];
      interfaces = {
        wg0 = { peers = [ server6OnlyPeer ]; };
        wg1 = { peers = [ serverPeer ]; autostart = false; };
        wg2 = { peers = [ serverLocalOnlyPeer ]; autostart = false; };
      };
    };
    hibiscus = {
      publicKey = "vQ5a2KMrwi7RCRsD0yvog+n35vQYFuvwiPn+W4lbRBw=";
      allowedIPs = [ "10.100.0.5/32" "${gcSecrets.wireguard.ipv6Subnet}:5" "fd0d::5" ];
      interfaces = {
        wg0 = { peers = [ server6OnlyPeer ]; };
        wg1 = { peers = [ serverPeer ]; autostart = false; };
        wg2 = { peers = [ serverLocalOnlyPeer ]; autostart = false; };
      };
    };
    hazel = {
      publicKey = "0zruTndObzHo+b1rbOuTsxCU97epygZycxXS/lgUHUc=";
      allowedIPs = [ "10.100.0.21/32" "${gcSecrets.wireguard.ipv6Subnet}:21" "fd0d::21" ];
      interfaces = {
        wg0 = {
          dns = [ "::1" "127.0.0.1" ];
          peers = [ serverLocalOnlyPeer ];
        };
    strawberry = {
      publicKey = "Fkcp/VSN4Dkhly8V4hskF4lnDviA7VZHCnWf7OliFCg=";
      allowedIPs = [ "10.100.0.4/32" ];
      };
    maple = {
      publicKey = "kPw8hpANygfz83Oi/l+iCVYalV2zfs7fhkccjoGG2Do=";
      allowedIPs = [ "10.100.0.5/32" ];
    };
  };
-  clientPeers = builtins.attrValues clients;
+  clientPeers = builtins.map (client: builtins.removeAttrs client [ "interfaces" ]) (builtins.attrValues clients);
-  serverPeer = {
+  serverPeerWith = ips: {
    publicKey = "3ugIk2tQZXjAH9/95s63ld2WNUHQrd4Mz5jzbln6oj0=";
-    allowedIPs = [ "0.0.0.0/0" ];
+    allowedIPs = ips;
    endpoint = "${serverIp}:${toString port}";
    persistentKeepalive = 25;
  };
  serverPeer = serverPeerWith [ "0.0.0.0/0" "::/0" ];
  server6OnlyPeer = serverPeerWith [ "10.100.0.0/24" "::/0" ];
  serverLocalOnlyPeer = serverPeerWith [ "10.100.0.0/24" "fd0d::/16" ];
  serverConfig = {
    nat = {
@ -79,7 +86,7 @@ let
    };
    wireguard.interfaces.wg0 = {
-      ips = [ "10.100.0.1/24" ];
+      ips = [ "10.100.0.1/24" "${gcSecrets.wireguard.ipv6Subnet}:1" "fd0d::1" ];
      listenPort = port;
      postSetup = ''
@ -97,33 +104,24 @@ let
  };
  clientConfig = {
-    wireguard.interfaces.wg0 =
+    wg-quick.interfaces =
    let
      client = clients."${config.networking.hostName}";
-      routes = routeBypass."${config.networking.hostName}";
+    in
-      mapRoutes = type: lib.concatMapStringsSep "\n" (r: "${pkgs.iproute2}/bin/ip route ${type} ${r} via ${routes.gateway} dev ${routes.interface}") routes.routes;
+      builtins.mapAttrs (interface: conf: {
-    in {
+        address = client.allowedIPs;
-      ips = client.allowedIPs;
+        dns = [ "fd0d::1" "10.100.0.1" ];
      listenPort = port;
      postSetup = ''
        ${mapRoutes "add"}
        ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ${serverInterface} -j MASQUERADE
      '';
      postShutdown = ''
        ${mapRoutes "del"}
        ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ${serverInterface} -j MASQUERADE
      '';
        privateKeyFile = config.age.secrets."wg_${config.networking.hostName}".path;
-      peers = [ serverPeer ];
+      } // conf) client.interfaces;
    };
  };
 in {
  boot.kernel.sysctl = lib.mkIf (config.networking.hostName == serverName) ({
    "net.ipv6.conf.all.forwarding" = true;
    "net.ipv6.conf.default.forwarding" = true;
  });
  networking =
    lib.mkMerge [
      (lib.mkIf (config.networking.hostName == serverName) serverConfig)
-      (lib.mkIf (builtins.hasAttr config.networking.hostName clients) clientConfig)
+      (lib.mkIf (config.networking.hostName != serverName) clientConfig)
    ];
 }
--- a/modules/user/bspwm.nix
+++ b/modules/user/bspwm.nix
@ -1,19 +0,0 @@
 # Depends on eww
 { config, pkgs, ... }: {
  xsession.windowManager.bspwm = {
    enable = true;
    monitors = { "DP-1" = [ "1" "2" "3" "4" "5" "6" "7" "8" "9" "0"]; };
    settings = {
      window_gap = 10;
      border_width = 0;
      split_ratio = 0.5;
      top_padding = 0;
    };
    extraConfig = ''
      ${pkgs.feh}/bin/feh --no-fehbg --bg-fill ~/Pictures/Wallpapers/current
      ${pkgs.procps}/bin/pkill -SIGINT eww
      ${pkgs.eww}/bin/eww open linebar
    '';
  };
 }
--- a/modules/user/catppuccin.nix
+++ b/modules/user/catppuccin.nix
@ -0,0 +1,75 @@
 { config, inputs, lib, pkgs, ... }: {
  imports = [
    inputs.catppuccin.homeManagerModules.catppuccin
  ];
  options.catppuccin.colors = lib.mkOption {
    type = lib.types.attrs;
    default = (builtins.fromJSON (builtins.readFile "${inputs.catppuccin-palette}/palette.json"))."${config.catppuccin.flavor}".colors;
  };
  options.catppuccin.hexcolors = lib.mkOption {
    type = lib.types.attrs;
    default = builtins.mapAttrs (name: value: value.hex) config.catppuccin.colors;
  };
  config = {
    catppuccin = {
      accent = lib.mkDefault "pink";
      flavor = lib.mkDefault "mocha";
      kitty.enable = true;
      gtk.enable = true;
      hyprlock.enable = true;
      nvim.enable = true;
    };
    specialisation = {
      light.configuration.catppuccin.flavor = "latte";
      dark.configuration.catppuccin.flavor = "mocha";
    };
    home.packages = [(pkgs.writeShellScriptBin "theme" ''
      last_path="$HOME/.local/state/last-theme"
      target="$1"
      if [ "$target" == "get_last" ]; then
        if [ ! -e "$last_path" ]; then
          echo "no last theme found; assuming dark" >&2
          target="dark"
        else
          target=$(cat "$last_path" | tr -d "\n")
        fi
        echo "$target"
        exit 0
      fi
      if [ "$target" == "restore" ]; then
        echo "restoring theme"
        if [ ! -e "$last_path" ]; then
          echo "no last theme found; assuming dark" >&2
          target="dark"
        else
          target=$(cat "$last_path" | tr -d "\n")
        fi
      fi
      if [ "$target" != "dark" ] && [ "$target" != "light" ]; then
        echo "invalid theme, valid values: [dark, light, restore]"
        exit 1
      fi
      current="$HOME/.local/state/home-manager/gcroots/current-home/"
      cached="$HOME/.local/state/last-parent-specialisation"
      if [ -d "$current/specialisation" ]; then
        if [ -d "$cached" ]; then
          rm -f "$cached"
        fi
        ln -sf "$(readlink -f $current)" "$cached"
      fi
      if [ ! -d "$cached/specialisation" ]; then
        echo "no specialisations found"
        exit 1
      fi
      "$cached/specialisation/$target/activate"
      echo "$target" > "$last_path"
    '')];
  };
 }
--- a/modules/user/comma.nix
+++ b/modules/user/comma.nix
@ -0,0 +1,7 @@
 { inputs, ... }: {
  imports = [
    inputs.nix-index-database.homeModules.default
  ];
  programs.nix-index.enable = true;
  programs.nix-index-database.comma.enable = true;
 }
--- a/modules/user/direnv.nix
+++ b/modules/user/direnv.nix
@ -5,7 +5,7 @@
      enable = true;
    };
  };
-  programs.git.extraConfig.core.excludesFile = ".envrc";
+  programs.git.settings.core.excludesFile = ".envrc";
  # We can't use .source since hm manages this file too
  xdg.configFile."direnv/direnvrc".text = builtins.readFile ../../res/direnvrc;
  home.activation = {
--- a/modules/user/dunst.nix
+++ b/modules/user/dunst.nix
@ -12,9 +12,9 @@ in {
      global = {
        monitor = 0;
        follow = "mouse";
-        width = 460;
+        width = "(100, 450)";
        origin = "top-right";
-        offset = "24x35";
+        offset = "24x50";
        notification_limit = 0;
        indicate_hidden = true;
        shrink = true;
@ -36,7 +36,7 @@ in {
        hide_duplicate_count = true;
        show_indicators = false;
        icon_position = "left";
-        max_icon_size = 32;
+        max_icon_size = 40;
        sticky_history = true;
        history_length = 100;
        browser = "${pkgs.firefox}/bin/firefox -new-tab";
@ -49,21 +49,21 @@ in {
      };
      urgency_low = {
-        background = "#12131b";
+        background = config.catppuccin.hexcolors.crust;
-        foreground = "#d8dee8";
+        foreground = config.catppuccin.hexcolors.text;
        timeout = 3;
      };
      urgency_normal = {
-        background = "#12131b";
+        background = config.catppuccin.hexcolors.crust;
-        foreground = "#d8dee8";
+        foreground = config.catppuccin.hexcolors.text;
        timeout = 5;
      };
      urgency_critical = {
-        background = "#12131b";
+        background = config.catppuccin.hexcolors.crust;
-        foreground = "#d8dee8";
+        foreground = config.catppuccin.hexcolors.text;
-        # frame_color = "#bf616a";
+        frame_color = config.catppuccin.hexcolors.red;
        timeout = 0;
      };
    };
--- a/Show more
+++ b/Show more
		`@ -0,0 +1 @@`
							`secrets.gcrypt/** filter=git-crypt diff=git-crypt`