From c36a3f09dee81bded5256c546c64cc270c09f485 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Tue, 16 Jun 2026 23:02:43 +1000 Subject: [PATCH 01/39] services/soulbeet: init and add to alyssum --- containers/fluorite/flake.nix | 8 ++++++++ hosts/alyssum/default.nix | 2 ++ modules/default.nix | 1 + modules/services/soulbeet.nix | 32 ++++++++++++++++++++++++++++++++ 4 files changed, 43 insertions(+) create mode 100644 modules/services/soulbeet.nix diff --git a/containers/fluorite/flake.nix b/containers/fluorite/flake.nix index 33fcdb1..8c87fac 100644 --- a/containers/fluorite/flake.nix +++ b/containers/fluorite/flake.nix @@ -6,6 +6,7 @@ let name = "fluorite"; fqdn = "fluorite.lava.moe"; + altfqdn = hostname: "fluorite.${hostname}.lava.moe"; subnetId = "6"; subnet = x: "fd0d:1::${subnetId}:${toString x}"; @@ -42,6 +43,13 @@ listenAddresses = [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ]; }; + services.nginx.virtualHosts."${altfqdn config.networking.hostname}" = { + useACMEHost = "lava.moe"; + forceSSL = true; + locations."/".proxyPass = "http://[${client}]:5030"; + listenAddresses = [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ]; + }; + systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" "d /persist/media/music 075 nobody users" diff --git a/hosts/alyssum/default.nix b/hosts/alyssum/default.nix index 3eb7289..2deecfb 100644 --- a/hosts/alyssum/default.nix +++ b/hosts/alyssum/default.nix @@ -24,8 +24,10 @@ tailscale modules.services.nginx + modules.services.soulbeet modules.services.syncthing + inputs.c-fluorite.nixosModule inputs.c-garnet.nixosModule ./filesystem.nix diff --git a/modules/default.nix b/modules/default.nix index 6775c55..c52cde3 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -22,6 +22,7 @@ in { ./services/nginx.nix ./services/postgres.nix ./services/sonarr.nix + ./services/soulbeet.nix ./services/synapse.nix ./services/syncthing.nix ./services/tmptsync.nix 
diff --git a/modules/services/soulbeet.nix b/modules/services/soulbeet.nix new file mode 100644 index 0000000..57b7cc0 --- /dev/null +++ b/modules/services/soulbeet.nix @@ -0,0 +1,32 @@ +{ ... }: +let + dir_data = "/persist/services/soulbeet/data"; + dir_downloads = "/persist/containers/fluorite/slskd/downloads"; + dir_music = "/persist/media/music"; +in { + systemd.tmpfiles.rules = [ + "d ${dir_data} 700 root root" + "d ${dir_downloads} 755 root users" + "d ${dir_music} 075 nobody users" + ]; + virtualisation.oci-containers.backend = "docker"; + virtualisation.oci-containers.containers = { + container-name = { + image = "docker.io/docccccc/soulbeet:latest"; + autoStart = true; + ports = [ "9765:9765" ]; + environment = { + DATABASE_URL = "sqlite:/data/soulbeet.db"; + DOWNLOAD_PATH = "/downloads"; + SECRET_KEY = "change-me-in-production"; + NAVIDROME_URL = "http://navidrome:4533"; + BEETS_CONFIG = "/config/config.yaml"; + }; + volumes = [ + "${dir_data}:/data" + "${dir_downloads}:/downloads" + "${dir_music}:/music" + ]; + }; + }; +} From 4e19a6378b807c25a0335e46ab982c92aededdae Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Tue, 16 Jun 2026 23:04:02 +1000 Subject: [PATCH 02/39] containers/fluorite: hostname -> hostName --- containers/fluorite/flake.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/containers/fluorite/flake.nix b/containers/fluorite/flake.nix index 8c87fac..c5a1391 100644 --- a/containers/fluorite/flake.nix +++ b/containers/fluorite/flake.nix @@ -43,7 +43,7 @@ listenAddresses = [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ]; }; - services.nginx.virtualHosts."${altfqdn config.networking.hostname}" = { + services.nginx.virtualHosts."${altfqdn config.networking.hostName}" = { useACMEHost = "lava.moe"; forceSSL = true; locations."/".proxyPass = "http://[${client}]:5030"; From 0d89b2a64f09c679618a070a7e83000860d3c480 Mon Sep 17 00:00:00 2001 
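Review bot: `SECRET_KEY = "change-me-in-production";` in the new `environment` set is a placeholder that gets copied verbatim into the world-readable Nix store and the generated container unit, so the key is neither secret nor ever changed. The series already keeps such values in age secrets (the slskd container uses `environmentFile = "/binds/slskd_env"`), so the same should apply here: drop `SECRET_KEY` from `environment` and load it with `environmentFiles = [ config.age.secrets.<secret-name>.path ];`, adding `config` to the module's argument set. `image = "docker.io/docccccc/soulbeet:latest"` is a floating tag, which makes the deployment non-reproducible and silently pulls whatever is published next; pin a version tag or digest. `ports = [ "9765:9765" ]` publishes the port on every host interface, whereas the nginx vhosts in this series restrict `listenAddresses`; if only the reverse proxy needs it, `"127.0.0.1:9765:9765"` is the safer form. The attribute name `container-name` also reads like a leftover template placeholder.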
From: Cilly Leang Date: Tue, 16 Jun 2026 23:07:25 +1000 Subject: [PATCH 03/39] hosts/alyssum: add slskd_env --- hosts/alyssum/default.nix | 1 + secrets.nix | 2 +- secrets/slskd_env.age | 18 ++++++++++-------- 3 files changed, 12 insertions(+), 9 deletions(-) diff --git a/hosts/alyssum/default.nix b/hosts/alyssum/default.nix index 2deecfb..9db08f5 100644 --- a/hosts/alyssum/default.nix +++ b/hosts/alyssum/default.nix @@ -5,6 +5,7 @@ age.secrets = { acme_dns.file = ../../secrets/acme_dns.age; + slskd_env.file = ../../secrets/slskd_env.age; wpa_conf = { file = ../../secrets/wpa_conf.age; path = "/etc/wpa_supplicant/imperative.conf"; diff --git a/secrets.nix b/secrets.nix index d2dbc82..0c9c9b2 100644 --- a/secrets.nix +++ b/secrets.nix @@ -12,7 +12,7 @@ in { "secrets/acme_dns.age".publicKeys = [ alyssum dandelion hazel rin ]; "secrets/navidrome_env.age".publicKeys = [ anemone dandelion rin ]; - "secrets/slskd_env.age".publicKeys = [ anemone dandelion rin ]; + "secrets/slskd_env.age".publicKeys = [ alyssum anemone dandelion rin ]; "secrets/tailscale_auth.age".publicKeys = [ alyssum anemone blossom dandelion rin ]; "secrets/warden_admin.age".publicKeys = [ rin ]; "secrets/wg_anemone.age".publicKeys = [ anemone rin ]; diff --git a/secrets/slskd_env.age b/secrets/slskd_env.age index eded5d0..287ef9b 100644 --- a/secrets/slskd_env.age +++ b/secrets/slskd_env.age 
@@ -1,9 +1,11 @@ age-encryption.org/v1 --> ssh-ed25519 ohyStA 3Do7MsCBX9ZgP6pIekvkRisFgF74jq2cKxrjUi2NlhM -EdfLIUk40isfNBY4CKA0JjHc2RaCM/LJmvQJuue+aYs --> ssh-ed25519 bRFqeQ XcjdLy6CEELgdN133BkgTG0cUffU6N9nsapB3c9Swyc -+ILEkir7XMK/xLNrTs2R+pBoucIN7fVEBRZSZwBo7Fs --> ssh-ed25519 U9FXlg bqpdUcMN/bk7WlIruWmhj0hpFL/CliDHto/P/KaMdxk -z6wKPbT1OAW7sDjeziwdqs6mf9Rk37xsU9pw4wYMOF4 ---- wNvTtQPOTxetOpazjBXo4fR3wPL7CVQq4R30gOj/qQw -&P+Sy=}~1C^.?zLHR`akER(4R!*l!A~@VG<2-K8HPu2jS#WДl>@a . MƞHg[$Wˌ["%N, rGNmf9Fk&~OWZ70t?eOfAz,hq/Z&Fy5ɾBQw/"JS섘5f}%BPĮ,rF`NmnCÎrJaf i?0pzaV[yjX4B>R,tyOIW!(n#ܒj>589d0 mi% t CR˄^IrM")֙S&.)lzӨq:rbrE@JǺsMd?Sk \ No newline at end of file +-> ssh-ed25519 kOMSPw 4dkSpYLuqrGWDAO3YAjmbQyAunL0yDH+rgbIxp4KOFM ++48t/iYYa22ytIMXlH9/SgKHHVSmMaO0KlDealyvYs4 +-> ssh-ed25519 ohyStA tUx1MDlXIU/fV0lS8NGiGUCM5f8iupew0IEUSP8Ys0g +Fp8bxpyUGO2QipmsLHVj0Jm7Iwue7ZVxD/RQ5BZ2yL0 +-> ssh-ed25519 bRFqeQ 4xLmKSjaPn7scYn9pLet9Boy0Tlbns8qHzKsIrVZzGA +XFYQZ9kETCPG4S0fwy+I7ZBjCWFgmyjh0YkI4jdEWio +-> ssh-ed25519 U9FXlg zYqj8zjq2TRi/sfYSGxpVt2nSo4G81SMJatE0j5KaEE +JSK/TUcGg8xRaYT42o6tHjQjwxi9GmV8/eO3hdFFvqI +--- 6SJBfqAWFNHQ4IXx6359aUP1mTturgjuSteQgrOGzdg +̄w/>kU*Rd@oX*Y=Eg?̤\Ƭij#pYrU|| j CU(;φT/W;GlOK+-t~'w?8Wde2$>-aЧ?u`&_OBQ-T?^2ib$5nE~I]v]$,h[v}08@?OCw"JCvs**Z \ No newline at end of file From 042a04cbfc33a20569cff7dbdfd808eb7d28d642 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Tue, 16 Jun 2026 23:15:49 +1000 Subject: [PATCH 04/39] containers/fluorite: fixup multiple hosts --- containers/fluorite/flake.nix | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/containers/fluorite/flake.nix b/containers/fluorite/flake.nix index c5a1391..4a447f9 100644 --- a/containers/fluorite/flake.nix +++ b/containers/fluorite/flake.nix @@ -6,7 +6,6 @@ let name = "fluorite"; fqdn = "fluorite.lava.moe"; - altfqdn = hostname: "fluorite.${hostname}.lava.moe"; subnetId = "6"; subnet = x: "fd0d:1::${subnetId}:${toString x}"; 
@@ -28,7 +27,13 @@ nixosConfigurations.container = nixpkgs.lib.nixosSystem { inherit modules; }; - nixosModule = { config, ... }: { + nixosModule = { config, ... }: let + altfqdn = "fluorite.${config.networking.hostName}.lava.moe"; + # TODO: HACK + listenAddr = if (config.networking.hostName == "alyssum") + then [ "100.67.2.1" ] + else [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ]; + in { networking.nat = { enable = true; enableIPv6 = true; @@ -40,14 +45,14 @@ useACMEHost = "lava.moe"; forceSSL = true; locations."/".proxyPass = "http://[${client}]:5030"; - listenAddresses = [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ]; + listenAddresses = listenAddr; }; - services.nginx.virtualHosts."${altfqdn config.networking.hostName}" = { + services.nginx.virtualHosts."${altfqdn}" = { useACMEHost = "lava.moe"; forceSSL = true; locations."/".proxyPass = "http://[${client}]:5030"; - listenAddresses = [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ]; + listenAddresses = listenAddr; }; systemd.tmpfiles.rules = [ From f1defd435aa85e77a985348c9e50afe36038df63 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Tue, 16 Jun 2026 23:22:18 +1000 Subject: [PATCH 05/39] containers/fluorite: configure ssl cert correctly --- containers/fluorite/flake.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/containers/fluorite/flake.nix b/containers/fluorite/flake.nix index 4a447f9..746c702 100644 --- a/containers/fluorite/flake.nix +++ b/containers/fluorite/flake.nix @@ -28,7 +28,8 @@ inherit modules; }; nixosModule = { config, ... }: let - altfqdn = "fluorite.${config.networking.hostName}.lava.moe"; + hostfqdn = "${config.networking.hostName}.lava.moe"; + altfqdn = "fluorite.${hostfqdn}"; # TODO: HACK listenAddr = if (config.networking.hostName == "alyssum") then [ "100.67.2.1" ] 
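Review bot: The `listenAddr` branch on `config.networking.hostName == "alyssum"` (marked `# TODO: HACK`) bakes one host's address list into a module that several hosts import, so any further host silently gets the dandelion addresses and the two vhosts below duplicate `listenAddresses = listenAddr;`. A cleaner shape is to let the consuming host supply the list, e.g. declare an option in this module (something like `options.containers.fluorite.listenAddresses = lib.mkOption { type = lib.types.listOf lib.types.str; };`, adding `lib` to the argument set) and reference it from both vhosts. The enclosing `nixosModule` body continues outside the hunk.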
@@ -48,8 +49,9 @@ listenAddresses = listenAddr; }; + security.acme.certs.${hostfqdn} = { extraDomainNames = [ "*.${hostfqdn}" ]; }; services.nginx.virtualHosts."${altfqdn}" = { - useACMEHost = "lava.moe"; + useACMEHost = hostfqdn; forceSSL = true; locations."/".proxyPass = "http://[${client}]:5030"; listenAddresses = listenAddr; From 4b19491ec7612dbdb28dc19366e998d46adbf4b4 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Tue, 16 Jun 2026 23:41:32 +1000 Subject: [PATCH 06/39] hosts/alyssum: remove fluorite --- hosts/alyssum/default.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/hosts/alyssum/default.nix b/hosts/alyssum/default.nix index 9db08f5..8af107d 100644 --- a/hosts/alyssum/default.nix +++ b/hosts/alyssum/default.nix @@ -28,7 +28,6 @@ modules.services.soulbeet modules.services.syncthing - inputs.c-fluorite.nixosModule inputs.c-garnet.nixosModule ./filesystem.nix From 20b5d96686a2c29a40b8890b1c38b64894c4f8d3 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 17 Jun 2026 00:07:01 +1000 Subject: [PATCH 07/39] containers/fluorite: socks5 via tailscale --- containers/fluorite/configuration.nix | 16 +++++++++++++++- containers/fluorite/flake.nix | 7 ++++++- hosts/alyssum/default.nix | 1 + hosts/dandelion/default.nix | 1 - modules/system/tailscale.nix | 11 +++++++++++ secrets/slskd_env.age | Bin 765 -> 849 bytes 6 files changed, 33 insertions(+), 3 deletions(-) diff --git a/containers/fluorite/configuration.nix b/containers/fluorite/configuration.nix index 9fcb5f5..002c2f0 100644 --- a/containers/fluorite/configuration.nix +++ b/containers/fluorite/configuration.nix 
@@ -1,16 +1,30 @@ { ... }: { system.stateVersion = "25.11"; systemd.tmpfiles.rules = [ - "d /persist/slskd/Downloads 755 slskd slskd" + "d /persist/slskd/downloads 755 slskd slskd" ]; fileSystems."/var/lib/slskd" = { device = "/persist/slskd"; fsType = "none"; options = [ "bind" ]; }; + fileSystems."/var/lib/tailscale" = { + device = "/persist/tailscale"; + fsType = "none"; + options = [ "bind" ]; + }; networking.firewall.allowedTCPPorts = [ 5030 50300 ]; networking.firewall.allowedUDPPorts = [ 5030 50300 ]; + services.tailscale = { + enable = true; + authKeyFile = "/binds/tailscale_auth"; + openFirewall = true; + interfaceName = "userspace-networking"; + extraDaemonFlags = [ "--socks5-server=localhost:1055" ]; + extraUpFlags = [ "--exit-node=dandelion" ]; + }; + services.slskd = { enable = true; domain = null; diff --git a/containers/fluorite/flake.nix b/containers/fluorite/flake.nix index 746c702..25e43f6 100644 --- a/containers/fluorite/flake.nix +++ b/containers/fluorite/flake.nix @@ -20,7 +20,7 @@ ./configuration.nix { networking.useHostResolvConf = false; - networking.nameservers = [ host ]; + networking.nameservers = [ 8.8.8.8 ]; } ]; in { @@ -97,6 +97,11 @@ mountPoint = "/binds/slskd_env"; isReadOnly = true; }; + bindMounts."tailscale_auth" = { + hostPath = config.age.secrets.tailscale_auth.path; + mountPoint = "/binds/tailscale_auth"; + isReadOnly = true; + }; # flake = "path:" + ./.; }; }; diff --git a/hosts/alyssum/default.nix b/hosts/alyssum/default.nix index 8af107d..9db08f5 100644 --- a/hosts/alyssum/default.nix +++ b/hosts/alyssum/default.nix @@ -28,6 +28,7 @@ modules.services.soulbeet modules.services.syncthing + inputs.c-fluorite.nixosModule inputs.c-garnet.nixosModule ./filesystem.nix diff --git a/hosts/dandelion/default.nix b/hosts/dandelion/default.nix index 33b6eec..540008d 100644 --- a/hosts/dandelion/default.nix +++ b/hosts/dandelion/default.nix 
@@ -32,7 +32,6 @@ inputs.c-citrine.nixosModule inputs.c-diamond.nixosModule inputs.c-emerald.nixosModule - inputs.c-fluorite.nixosModule ./filesystem.nix ./kernel.nix diff --git a/modules/system/tailscale.nix b/modules/system/tailscale.nix index 5e3e044..4e16aac 100644 --- a/modules/system/tailscale.nix +++ b/modules/system/tailscale.nix @@ -4,6 +4,17 @@ networking.firewall.trustedInterfaces = [ "tailscale0" ]; networking.firewall.allowedUDPPorts = lib.mkIf (config.me.environment == "headless") [ 123 ]; + networking.nat = { + enable = true; + internalInterfaces = [ "tailscaled0" ]; + forwardPorts = [ + { + sourcePort = 50300; + proto = "tcp"; + destination = "100.67.2.101:50300"; + } + ]; + }; services.tailscale = { enable = true; authKeyFile = config.age.secrets.tailscale_auth.path; 
diff --git a/secrets/slskd_env.age b/secrets/slskd_env.age index 287ef9b7bf3926a3064436a41d6f2174aa7c3d17..f5bc05ea67ec338add401fa62d642f5dbfe090cd 100644 GIT binary patch delta 779 zcmey%dXa5{PQ7VqqQ9w^pTE07c%{2#QchW_QBp}&NqI(*S#X%MYm#}eagj+>kz+=l zFPBGhQdydRlBr3hL2kZRdTDq@fKf$7fw#URORXHxD+0KQgp#^E-m5!!?1(9Ky=D}_zCW&4i`eo+9xxucJ;~B;4U9x;Ua;i+C zic)e)k_wzdOPwPEeR9$YytB>H{lk;etCEwP1HFUIOdKt^LW526d<>GST$9qxwF_Jl zJ)A9yLws|cqs-mH-ApWV!?FVmBhyO4^<6BubaizVQVorb9JPZ@1G7_&5{(m`&0RBG zlPwJj{M=mA+|%6M^$jiSEz6@yvO=p&xKz*H_4M5q6XaUlA?dne(W;5NtrzUil@%Ah zuG^%G zGJWpxXya1tLf z$GFVx;rc~e-%76LX8*FeByn-E-?1s)v*RL!BTr1Lc&Humf3CBq;g^e-COq51lb;g1 zzgs}lyvteZT&}(sXX;fx7Yn_jdogDxe5+cYJ=G^XA!%cUsIrbh*$IQ+yZ*B%*Tp<| Z_&dAxwdkW#o__)vRyn0h1X!sJp*WU}iyXv5!YsmVsBUxo3H4s(Dmcg^PYrps7=oQKgT; z#E;_PCKW!p-oaUk0eR-d$&q=M1wN@ImQMMV1|c~~dBqlm9#!7Oo<(6%Rql>l5pI!z zQI^@RAr&f#w9xs_QN29epGCRr)2;hFi9;~B;4t0D`tEUK~! zjY5Jl^^4OYgWW3%!b*(tg7Zz>EewNwy%I}Y4YEwV6J1@oyn?;;Lqe0?(=9535+g%Q zjPlJ&JhB3_$}2K0-E+e%^i%zfGg92#$_hQXbaizV%!0j~(h42J-TXWPO*|ti%#2Mf z6GHi_)`7gG*BD1JjHA-K$d4x$d56*(q19Z?`-W&+#)^>vkNR z%k3OGb?Rv;xg%m4*5}&}gyu_r@79 zPHg$zpV@UR>AQ-QY1^zku`jN5Ejyb%AADTZ8at_MwPfs9m3dEfGNQ|xdsa8pJ~yy% o5S?xR{eqakob$DEC9fwh#V6go>b$> Date: Wed, 17 Jun 2026 00:10:23 +1000 Subject: [PATCH 08/39] system/tailscale: only nat for dandelion --- modules/system/tailscale.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/system/tailscale.nix b/modules/system/tailscale.nix index 4e16aac..79cbba9 100644 --- a/modules/system/tailscale.nix +++ b/modules/system/tailscale.nix @@ -4,8 +4,9 @@ networking.firewall.trustedInterfaces = [ "tailscale0" ]; networking.firewall.allowedUDPPorts = lib.mkIf (config.me.environment == "headless") [ 123 ]; - networking.nat = { + networking.nat = lib.mkIf (config.networking.hostName == "dandelion") { enable = true; + externalInterface = "enp0s6"; internalInterfaces = [ "tailscaled0" ]; forwardPorts = [ { 
From 59bbe127d64d88870138e9d97876d869041a9f5f Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 17 Jun 2026 00:12:01 +1000 Subject: [PATCH 09/39] containers/fluorite: wrap dns as str --- containers/fluorite/flake.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/containers/fluorite/flake.nix b/containers/fluorite/flake.nix index 25e43f6..af3e111 100644 --- a/containers/fluorite/flake.nix +++ b/containers/fluorite/flake.nix @@ -20,7 +20,7 @@ ./configuration.nix { networking.useHostResolvConf = false; - networking.nameservers = [ 8.8.8.8 ]; + networking.nameservers = [ "8.8.8.8" ]; } ]; in { From 30d3063c9bbb45b42f013d5107203525a2d00a8a Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 17 Jun 2026 00:17:02 +1000 Subject: [PATCH 10/39] containers/fluorite: use set flag for exit node --- containers/fluorite/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/containers/fluorite/configuration.nix b/containers/fluorite/configuration.nix index 002c2f0..fafbd68 100644 --- a/containers/fluorite/configuration.nix +++ b/containers/fluorite/configuration.nix @@ -22,7 +22,7 @@ openFirewall = true; interfaceName = "userspace-networking"; extraDaemonFlags = [ "--socks5-server=localhost:1055" ]; - extraUpFlags = [ "--exit-node=dandelion" ]; + extraSetFlags = [ "--exit-node=100.67.1.1" ]; }; services.slskd = { From 8778adf3bc03b85f1befb3d9396e5c9bfea94aa3 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 17 Jun 2026 00:22:47 +1000 Subject: [PATCH 11/39] containers/fluorite: use routing features --- containers/fluorite/configuration.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/containers/fluorite/configuration.nix b/containers/fluorite/configuration.nix index fafbd68..e18bdeb 100644 --- a/containers/fluorite/configuration.nix +++ b/containers/fluorite/configuration.nix 
@@ -23,6 +23,7 @@ interfaceName = "userspace-networking"; extraDaemonFlags = [ "--socks5-server=localhost:1055" ]; extraSetFlags = [ "--exit-node=100.67.1.1" ]; + useRoutingFeatures = "client"; }; services.slskd = { From 02a3207d089699b3abb1f2a07eddd27722c88e93 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 17 Jun 2026 00:26:09 +1000 Subject: [PATCH 12/39] system/tailscale: open tcp port 50300 --- modules/system/tailscale.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/system/tailscale.nix b/modules/system/tailscale.nix index 79cbba9..5da4652 100644 --- a/modules/system/tailscale.nix +++ b/modules/system/tailscale.nix @@ -16,6 +16,7 @@ } ]; }; + networking.firewall.allowedTCPPorts = [ 50300 ]; services.tailscale = { enable = true; authKeyFile = config.age.secrets.tailscale_auth.path; From cb34055830f76cfc95cf8bc7051a7c8de683c016 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 17 Jun 2026 00:30:58 +1000 Subject: [PATCH 13/39] containers/fluorite: fixup env --- secrets/slskd_env.age | Bin 849 -> 846 bytes 1 file changed, 0 insertions(+), 0 deletions(-) 
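Review bot: `networking.firewall.allowedTCPPorts = [ 50300 ];` is unconditional, so it opens TCP 50300 on every host that imports modules/system/tailscale.nix, on all interfaces, while the `networking.nat` block directly above it was just restricted to dandelion. Only the NAT host needs the port for the forward, so scope it the same way: `networking.firewall.allowedTCPPorts = lib.mkIf (config.networking.hostName == "dandelion") [ 50300 ];`. A one-line comment naming the slskd listen port it serves would also make the rule auditable later.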
diff --git a/secrets/slskd_env.age b/secrets/slskd_env.age index f5bc05ea67ec338add401fa62d642f5dbfe090cd..3f1bc1997ee8925037b1bca751df3d4d634ca614 100644 GIT binary patch delta 776 zcmcb}c8+a=PQ9a>Q$$u~xqF#eXoO=Q-MNvUOnR9YVwtHZSi$zkTqgP~bu(`RbOJSm6Mz(QgF_*5LLUD11 zZfc5=si~o*LViYNaEYTrc3DMAskxD{VR24qmbZIKft!m#m2Xm-k56tzRC+~DWu;k~ zrGBuvM|!0Rmt~lbdv2nBo^zzWMOwIduCYawad3`dc9@}lNtS<Jt4i}zJVPSVll)Cgok}8-@4igPrRJ|R_>?eWBU!w;N9}j{~D_9Fh?IL@pa<3&ZfjYeVgvuiw=KkHGS>Y{8ifb zXkN8eptM$D!PNfSxv|;j4EYYH?_S9`*RZ0^OtHY>+!~D;mG(v%K1N^Uo-Ar#v{zx# Wj<-uZG+36u@;qa?Sm1^F96JExCpLQk delta 779 zcmX@dc9Cs@PQ7VqqQ9w^pTE07c%{2#QchW_QBp}&NqI(*S#X%MYm#}eagj+>kz+=l zFPBGhQdydRlBr3hL2kZRdTDq@fKf$7fw#URORXHxD+0KQgp#^E-m5!!?1(9Ky=D}_zCW&4i`eo+9xxucJ;~B;4U9x;Ua;i+C zic)e)k_wzdOPwPEeR9$YytB>H{lk;etCEwP1HFUIOdKt^LW526d<>GST$9qxwF_Jl zJ)A9yLws|cqs-mH-ApWV!?FVmBhyO4^<6BubaizVQVorb9JPZ@1G7_&5{(m`&0RBG zlPwJj{M=mA+|%6M^$jiSEz6@yvO=p&xKz*H_4M5q6XaUlA?dne(W;5NtrzUil@%Ah zuG^%G zGJWpxXya1tLf z$GFVx;rc~e-%76LX8*FeByn-E-?1s)v*RL!BTr1Lc&Humf3CBq;g^e-COq51lb;g1 zzgs}lyvteZT&}(sXX;fx7Yn_jdogDxe5+cYJ=G^XA!%cUsIrbh*$IQ+yZ*B%*Tp<| Z_&dAxwdkW#o__)vRyn0h1X Date: Wed, 17 Jun 2026 00:39:11 +1000 Subject: [PATCH 14/39] containers/fluorite: config proxy --- containers/fluorite/configuration.nix | 5 +++++ secrets/slskd_env.age | Bin 846 -> 765 bytes 2 files changed, 5 insertions(+) diff --git a/containers/fluorite/configuration.nix b/containers/fluorite/configuration.nix index e18bdeb..f834a22 100644 --- a/containers/fluorite/configuration.nix +++ b/containers/fluorite/configuration.nix @@ -32,6 +32,11 @@ environmentFile = "/binds/slskd_env"; settings = { shares.directories = [ "/binds/music/" ]; + connection.proxy = { + enabled = true; + address = "localhost"; + port = "1055"; + }; }; }; } 
diff --git a/secrets/slskd_env.age b/secrets/slskd_env.age index 3f1bc1997ee8925037b1bca751df3d4d634ca614..4e7e23f884fcb50909d1b54c7a85084dbfad4ecb 100644 GIT binary patch delta 695 zcmX@d_Lp^nPJLF2dx5@Zrk7zwSh9US7>B$WJP$0f1ZU;sJFjIUZ}a3MX+uwhuRi;H(oxIvLyMMX$K zSgx5_rg5ePS6HN9fU}#UyJuu(q?e~laB@URRA!K8X{143fknAll3{vTKuM&9QAR=F z#E;_P1qSYx+QzwME?y?Nksje0o}~em1|>h#(8-WE?L=J9+8=0 z=8<0BuEsfj5$RQCX~`i0;d#Er$p)@fx%!D&;dvIGCb?Om-T|(Y;~B;4O%470T%5E^ zD{_6R99=RZqx7>2oKp%sebWq5^0OjyGm7*bwLMeKGTcJBDnoos4D!6gDvFCz!h#|S zf=XOmjm;Ak;SZyQ0qt(CFW8?Y1XT?O^r~gX7xoK(i!mgWvH?LfOpKNTm z+(|8i?Unx%&5MrrrK8py75eJ`(V}6kQJ(Xuy?LD%)EE|U7yZ?$*m=74N@{)jayPC0 zjn%*He>@LUJ3KG?j!Nm|yK#DZq&;86&hx+7@aDrD0|yrqyQZABh1Zw!vgtf|85p*J zo0D~FM6chje delta 776 zcmey%dX8;^PQ9a>Q$$u~xqF#eXoO=Q-MNvUOnR9YVwtHZSi$zkTqgP~bu(`RbOJSm6Mz(QgF_*5LLUD11 zZfc5=si~o*LViYNaEYTrc3DMAskxD{VR24qmbZIKft!m#m2Xm-k56tzRC+~DWu;k~ zrGBuvM|!0Rmt~lbdv2nBo^zzWMOwIduCYawad3`dc9@}lNtS<Jt4i}zJVPSVll)Cgok}8-@4igPrRJ|R_>?eWBU!w;N9}j{~D_9Fh?IL@pa<3&ZfjYeVgvuiw=KkHGS>Y{8ifb zXkN8eptM$D!PNfSxv|;j4EYYH?_S9`*RZ0^OtHY>+!~D;mG(v%K1N^Uo-Ar#v{zx# Wj<-uZG+36u@;qa?Sm1^F96JDIk2a Date: Wed, 17 Jun 2026 00:43:20 +1000 Subject: [PATCH 15/39] containers/fluorite: config proxy againn --- containers/fluorite/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/containers/fluorite/configuration.nix b/containers/fluorite/configuration.nix index f834a22..77dc629 100644 --- a/containers/fluorite/configuration.nix +++ b/containers/fluorite/configuration.nix @@ -32,7 +32,7 @@ environmentFile = "/binds/slskd_env"; settings = { shares.directories = [ "/binds/music/" ]; - connection.proxy = { + soulseek.connection.proxy = { enabled = true; address = "localhost"; port = "1055"; From 0462478d7eba3fa3934e6a0b5d521e4440c62c5b Mon Sep 17 00:00:00 2001 
From: Cilly Leang Date: Wed, 17 Jun 2026 00:52:50 +1000 Subject: [PATCH 16/39] containers/fluorite: try without socks5 --- containers/fluorite/configuration.nix | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/containers/fluorite/configuration.nix b/containers/fluorite/configuration.nix index 77dc629..67dc279 100644 --- a/containers/fluorite/configuration.nix +++ b/containers/fluorite/configuration.nix @@ -20,8 +20,8 @@ enable = true; authKeyFile = "/binds/tailscale_auth"; openFirewall = true; - interfaceName = "userspace-networking"; - extraDaemonFlags = [ "--socks5-server=localhost:1055" ]; + # interfaceName = "userspace-networking"; + # extraDaemonFlags = [ "--socks5-server=localhost:1055" ]; extraSetFlags = [ "--exit-node=100.67.1.1" ]; useRoutingFeatures = "client"; }; @@ -32,11 +32,11 @@ environmentFile = "/binds/slskd_env"; settings = { shares.directories = [ "/binds/music/" ]; - soulseek.connection.proxy = { - enabled = true; - address = "localhost"; - port = "1055"; - }; + # soulseek.connection.proxy = { + # enabled = true; + # address = "localhost"; + # port = "1055"; + # }; }; }; } From 003b6c277b42a6e88ea2f478de1328f7a80aa24d Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 17 Jun 2026 00:56:02 +1000 Subject: [PATCH 17/39] containers/fluorite: enable tun --- containers/fluorite/flake.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/containers/fluorite/flake.nix b/containers/fluorite/flake.nix index af3e111..eee70b1 100644 --- a/containers/fluorite/flake.nix +++ b/containers/fluorite/flake.nix @@ -64,6 +64,7 @@ containers.${name} = { autoStart = true; privateNetwork = true; + enableTun = true; hostAddress = host4; localAddress = client4; hostAddress6 = host; From d6fc70612a017a2927c863cc1f150fff97934d9a Mon Sep 17 00:00:00 2001 
From: Cilly Leang Date: Wed, 17 Jun 2026 01:02:59 +1000 Subject: [PATCH 18/39] containers/fluorite: use tun address for proxy --- containers/fluorite/flake.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/containers/fluorite/flake.nix b/containers/fluorite/flake.nix index eee70b1..4fadd89 100644 --- a/containers/fluorite/flake.nix +++ b/containers/fluorite/flake.nix @@ -16,6 +16,8 @@ host4 = subnet4 1; client4 = subnet4 2; + clientTun = "100.67.2.101"; + modules = [ ./configuration.nix { @@ -45,7 +47,7 @@ services.nginx.virtualHosts."${fqdn}" = { useACMEHost = "lava.moe"; forceSSL = true; - locations."/".proxyPass = "http://[${client}]:5030"; + locations."/".proxyPass = "http://[${clientTun}]:5030"; listenAddresses = listenAddr; }; @@ -53,7 +55,7 @@ services.nginx.virtualHosts."${altfqdn}" = { useACMEHost = hostfqdn; forceSSL = true; - locations."/".proxyPass = "http://[${client}]:5030"; + locations."/".proxyPass = "http://[${clientTun}]:5030"; listenAddresses = listenAddr; }; From d99ec5e25b01568c0202605a5d511c8847616d43 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 17 Jun 2026 01:05:23 +1000 Subject: [PATCH 19/39] containers/fluorite: uuuuuuuuuuuuuuuuuuuuuuu --- containers/fluorite/flake.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/containers/fluorite/flake.nix b/containers/fluorite/flake.nix index 4fadd89..5b9d4d1 100644 --- a/containers/fluorite/flake.nix +++ b/containers/fluorite/flake.nix @@ -47,7 +47,7 @@ services.nginx.virtualHosts."${fqdn}" = { useACMEHost = "lava.moe"; forceSSL = true; - locations."/".proxyPass = "http://[${clientTun}]:5030"; + locations."/".proxyPass = "http://${clientTun}:5030"; listenAddresses = listenAddr; }; @@ -55,7 +55,7 @@ services.nginx.virtualHosts."${altfqdn}" = { useACMEHost = hostfqdn; forceSSL = true; - locations."/".proxyPass = "http://[${clientTun}]:5030"; + locations."/".proxyPass = "http://${clientTun}:5030"; listenAddresses = listenAddr; }; 
From b782d746473fa554d969435e24d082472c3f2222 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 17 Jun 2026 01:08:27 +1000 Subject: [PATCH 20/39] system/tailscale: correct wrong nat interface --- modules/system/tailscale.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/system/tailscale.nix b/modules/system/tailscale.nix index 5da4652..fe0e8bb 100644 --- a/modules/system/tailscale.nix +++ b/modules/system/tailscale.nix @@ -7,7 +7,7 @@ networking.nat = lib.mkIf (config.networking.hostName == "dandelion") { enable = true; externalInterface = "enp0s6"; - internalInterfaces = [ "tailscaled0" ]; + internalInterfaces = [ "tailscale0" ]; forwardPorts = [ { sourcePort = 50300; From d1a8e7222f0dd930f945a4f101cd885ce6001357 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 17 Jun 2026 18:11:09 +1000 Subject: [PATCH 21/39] alyssum/samba: init --- hosts/alyssum/default.nix | 1 + hosts/alyssum/samba.nix | 81 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 82 insertions(+) create mode 100644 hosts/alyssum/samba.nix diff --git a/hosts/alyssum/default.nix b/hosts/alyssum/default.nix index 3eb7289..d471011 100644 --- a/hosts/alyssum/default.nix +++ b/hosts/alyssum/default.nix @@ -31,6 +31,7 @@ ./filesystem.nix ./kernel.nix ./networking.nix + ./samba.nix ../../users/hana ]; diff --git a/hosts/alyssum/samba.nix b/hosts/alyssum/samba.nix new file mode 100644 index 0000000..9e957e9 --- /dev/null +++ b/hosts/alyssum/samba.nix 
@@ -0,0 +1,81 @@ +{ config, ... }: { + networking.firewall.allowPing = true; + + users.users.cilly = { + hashedPasswordFile = config.age.secrets.passwd.path; + isNormalUser = true; + }; + users.users.kujira = { + hashedPasswordFile = config.age.secrets.passwd.path; + isNormalUser = true; + }; + system.activationScripts = { + init_smbpasswd.text = '' + /run/current-system/sw/bin/printf "$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd.path})\n$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd.path})\n" | /run/current-system/sw/bin/smbpasswd -sa cilly + + /run/current-system/sw/bin/printf "$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd_kujira.path})\n$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd_kujira.path})\n" | /run/current-system/sw/bin/smbpasswd -sa kujira + ''; + }; + + services.samba = { + enable = true; + openFirewall = true; + settings = { + global = { + "workgroup" = "WORKGROUP"; + "server string" = "smbnix"; + "netbios name" = "smbnix"; + "security" = "user"; + "hosts allow" = "100.67.2.1 127.0.0.1 localhost"; + "hosts deny" = "0.0.0.0/0"; + "guest account" = "nobody"; + "map to guest" = "bad user"; + }; + "public" = { + "path" = "/flower/smb/public"; + "browseable" = "yes"; + "read only" = "no"; + "guest ok" = "yes"; + "create mask" = "0644"; + "directory mask" = "0755"; + "force user" = "hana"; + "force group" = "users"; + }; + "cilly" = { + "path" = "/flower/smb/cilly"; + "browseable" = "yes"; + "read only" = "no"; + "guest ok" = "no"; + "create mask" = "0644"; + "directory mask" = "0755"; + "force user" = "cilly"; + "force group" = "users"; + "valid users" = "cilly"; + }; + "kujira" = { + "path" = "/flower/smb/kujira"; + "browseable" = "yes"; + "read only" = "no"; + "guest ok" = "no"; + "create mask" = "0644"; + "directory mask" = "0755"; + "force user" = "kujira"; + "force group" = "users"; + "valid users" = "kujira"; + }; + }; + }; + + services.samba-wsdd = { + enable = true; + openFirewall = true; + 
}; + + services.avahi = { + enable = true; + openFirewall = true; + nssmdns4 = true; + publish.enable = true; + publish.userServices = true; + }; +} From 4f8249b780b00add8a8a8d22543a54229faa696d Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 17 Jun 2026 18:16:21 +1000 Subject: [PATCH 22/39] alyssum/samba: use proper credentials --- hosts/alyssum/samba.nix | 7 +++++-- secrets.nix | 2 ++ secrets/passwd_smbcilly.age | 7 +++++++ secrets/passwd_smbkujira.age | 7 +++++++ 4 files changed, 21 insertions(+), 2 deletions(-) create mode 100644 secrets/passwd_smbcilly.age create mode 100644 secrets/passwd_smbkujira.age diff --git a/hosts/alyssum/samba.nix b/hosts/alyssum/samba.nix index 9e957e9..6be8e09 100644 --- a/hosts/alyssum/samba.nix +++ b/hosts/alyssum/samba.nix @@ -1,6 +1,9 @@ { config, ... }: { networking.firewall.allowPing = true; + age.secrets.passwd_smbcilly.file = ../../secrets/passwd_smbcilly.age; + age.secrets.passwd_smbkujira.file = ../../secrets/passwd_smbkujira.age; + users.users.cilly = { hashedPasswordFile = config.age.secrets.passwd.path; isNormalUser = true; 
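Review bot: In `init_smbpasswd` the password read from the secret is used as the *format string* of `printf` (`printf "$(cat …)\n$(cat …)\n"`), so any `%` or `\` sequence in it is interpreted rather than passed through and smbpasswd silently stores a different password; the same shape survives in the PATCH 22 and PATCH 24 rewrites of this script. Use a fixed format with the secret as arguments, `printf '%s\n%s\n' "$(cat ${config.age.secrets.passwd.path})" "$(cat ${config.age.secrets.passwd.path})" | smbpasswd -sa cilly`, or better feed the file through stdin (`{ cat …; echo; cat …; echo; } | smbpasswd -sa cilly`) so the password never appears in a process argument list that is briefly visible to other local users. Separately, the `public` share combines `"guest ok" = "yes"`, `"read only" = "no"` and `"force user" = "hana"`, which lets unauthenticated clients from the allowed hosts write as the real `hana` account; if that is intended it deserves a comment, otherwise `force user` should point at the `guest account` (`nobody`).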
@@ -11,9 +14,9 @@ }; system.activationScripts = { init_smbpasswd.text = '' - /run/current-system/sw/bin/printf "$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd.path})\n$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd.path})\n" | /run/current-system/sw/bin/smbpasswd -sa cilly + /run/current-system/sw/bin/printf "$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd_smbcilly.path})\n$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd_smbcilly.path})\n" | /run/current-system/sw/bin/smbpasswd -sa cilly - /run/current-system/sw/bin/printf "$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd_kujira.path})\n$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd_kujira.path})\n" | /run/current-system/sw/bin/smbpasswd -sa kujira + /run/current-system/sw/bin/printf "$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd_smbkujira.path})\n$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd_smbkujira.path})\n" | /run/current-system/sw/bin/smbpasswd -sa kujira ''; }; diff --git a/secrets.nix b/secrets.nix index d2dbc82..ec20648 100644 --- a/secrets.nix +++ b/secrets.nix @@ -8,6 +8,8 @@ let rin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPru5eTBvHJ4ZmrrzPRHCGM09wQP/ZHSaKYalDuBVO15"; in { "secrets/passwd.age".publicKeys = [ anemone blossom rin ]; + "secrets/passwd_smbcilly.age".publicKeys = [ alyssum rin ]; + "secrets/passwd_smbkujira.age".publicKeys = [ alyssum rin ]; "secrets/wpa_conf.age".publicKeys = [ alyssum blossom rin ]; "secrets/acme_dns.age".publicKeys = [ alyssum dandelion hazel rin ]; diff --git a/secrets/passwd_smbcilly.age b/secrets/passwd_smbcilly.age new file mode 100644 index 0000000..41ad172 --- /dev/null +++ b/secrets/passwd_smbcilly.age 
@@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 kOMSPw CQaXT9/nw3NGD2/H/ctSQGXIoacgjfKQ24wkpEieLSQ +i4xEXgWGQ7xgQyaDQQIeDuiCLjA6Le23qSnv8C1cbcI +-> ssh-ed25519 U9FXlg GL4dCSCku/FA6ipb9XI1AxO4lhm2r/1lRAeqaGrB32o ++pPgqwnoPi3wJLobTimVMj0rng+XRapRG6jTYFXSsDM +--- eVgn3ON19pqq+L832bqlbkHUQXdaTI+LfSL4bYfEdew +*l\W!J7E/"f@%\[j8fӶ \ No newline at end of file diff --git a/secrets/passwd_smbkujira.age b/secrets/passwd_smbkujira.age new file mode 100644 index 0000000..71b6bb8 --- /dev/null +++ b/secrets/passwd_smbkujira.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 kOMSPw Kn+LPMoyOrVwI/nrGgnxgVA3D+tVY9Tccg/Yx/jL+E8 +IfWiSBh7KgNvgcHlcDzfdcB9nxm1zy12Ae7AGm39fdE +-> ssh-ed25519 U9FXlg 6eIIGEIYDo02FBsgBnwbuOeR8t4xB6jSmLfIL73UCDg +QOc0ddunQQcVEVD20DKKpn3wZWUSveFJSUTBnv+xnNk +--- MjN2i0FNzbUpBGUDNgWGXrRsYl2gtsQX+JlzZV/fYdw +T <R#d Ć̎lLkN8c_N)T \ No newline at end of file From c782bd5e5398534f81214e3bced2aa73e08e10b6 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 17 Jun 2026 18:23:10 +1000 Subject: [PATCH 23/39] hosts/alyssum: add passwd age --- hosts/alyssum/default.nix | 1 + secrets.nix | 2 +- secrets/passwd.age | Bin 531 -> 641 bytes 3 files changed, 2 insertions(+), 1 deletion(-) diff --git a/hosts/alyssum/default.nix b/hosts/alyssum/default.nix index d471011..a2eb166 100644 --- a/hosts/alyssum/default.nix +++ b/hosts/alyssum/default.nix @@ -5,6 +5,7 @@ age.secrets = { acme_dns.file = ../../secrets/acme_dns.age; + passwd.file = ../../secrets/passwd.age; wpa_conf = { file = ../../secrets/wpa_conf.age; path = "/etc/wpa_supplicant/imperative.conf"; diff --git a/secrets.nix b/secrets.nix index ec20648..bec70ef 100644 --- a/secrets.nix +++ b/secrets.nix 
@@ -7,7 +7,7 @@ let rin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPru5eTBvHJ4ZmrrzPRHCGM09wQP/ZHSaKYalDuBVO15"; in { - "secrets/passwd.age".publicKeys = [ anemone blossom rin ]; + "secrets/passwd.age".publicKeys = [ alyssum anemone blossom rin ]; "secrets/passwd_smbcilly.age".publicKeys = [ alyssum rin ]; "secrets/passwd_smbkujira.age".publicKeys = [ alyssum rin ]; "secrets/wpa_conf.age".publicKeys = [ alyssum blossom rin ]; diff --git a/secrets/passwd.age b/secrets/passwd.age index 64ec8611ddf1a1d3f837caf32b53d5843f7b6e07..05ad90670240bfe01391eb8392cd02ad35d1c5bd 100644 GIT binary patch delta 596 zcmbQt(#SeNwLaV5H#neNp(s2%!q_7?$j7C~J=oCKE5oy-BsrwWr64rBz`L|8y{an9 zBFsIqJm0{8D>c(3I5)q`JxHv;MHO0u()X-8PKch0Z#8DyB*uU7sB+Dr%qdv>Az{ywJ$H~awsl?ATEYZ}- zBq+}^uh=leG%DSrIIEm1IU~@_EZfLm-?Yp-P~XEi)LTEepwcm{(l;|J)vYQZF*m9x zwA9fk-OUx93pU|@G%n*z02+xqv4C6e*?2M97@1TsTVAr(597AoN#E=5_%7_xz zi66!5J)J#+EP_p{d>vCFGLt>bjXbKnQd0xd($cd0LNdyNU9#PiEz`1tyaNNda*B*A zTrb|^HnZYzWY=cufpN-;@7gMf=O#Hn1hI;KPb=lf^lIPl6HZS=2L%5*v`cv-> YJkH)xEW9(@zeyiIH`!pOX{Em>0JK!tjsO4v delta 466 zcmZok^FqSVba!Z-*7L(g6wo-1M{@Z+(1XJlyqb7 zC~r^0#MI365OWKE9}mkM^YUg2CC+YMPLZVn zmM&3=UdH9x#W}ui8Low<-e!R*kxo&L1}Q$;fx(uhk3$ZDUR4EYCYcqMr3R5)y1Kdweg%1!i558-K1JHW+FmBw<%#8y zegP(CCdr9;CN6%V`N`(>N#@}Jt|g%+To*((7~f_+q00A8b`fLhp}Xt*if!Dl#T{c2 zE_hU5lHW2pfMsudL!P8U<-)y>#9xJKr5oAp;QEw$;d8I0!J~UpO?>m(ioP9UQxcqb zdDVFa?#j+-DXlZDYLD)8&D4Iu%zD>h!HX%(zs|p!7N2uW{HitM>x2#5(|Mgg3b4ye MK7Ppl$Cj<;0P3%*4gdfE From 509684d0bd094bd96fcef03ceacba6be33446a63 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 17 Jun 2026 18:28:39 +1000 Subject: [PATCH 24/39] alyssum/samba: use proper smbpasswd path --- hosts/alyssum/samba.nix | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/hosts/alyssum/samba.nix b/hosts/alyssum/samba.nix index 6be8e09..ba89a00 100644 --- a/hosts/alyssum/samba.nix +++ b/hosts/alyssum/samba.nix 
@@ -13,10 +13,12 @@ isNormalUser = true; }; system.activationScripts = { - init_smbpasswd.text = '' - /run/current-system/sw/bin/printf "$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd_smbcilly.path})\n$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd_smbcilly.path})\n" | /run/current-system/sw/bin/smbpasswd -sa cilly + init_smbpasswd.text = let + smbpasswd = "${config.services.samba.package}/bin/smbpasswd"; + in '' + printf "$(cat ${config.age.secrets.passwd_smbcilly.path})\n$(cat ${config.age.secrets.passwd_smbcilly.path})\n" | ${smbpasswd} -sa cilly - /run/current-system/sw/bin/printf "$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd_smbkujira.path})\n$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd_smbkujira.path})\n" | /run/current-system/sw/bin/smbpasswd -sa kujira + printf "$(cat ${config.age.secrets.passwd_smbkujira.path})\n$(cat ${config.age.secrets.passwd_smbkujira.path})\n" | ${smbpasswd} -sa kujira ''; }; From 4bb20124a791bdce70acdd4bdcfe1a2eb4acacb6 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 17 Jun 2026 18:34:34 +1000 Subject: [PATCH 25/39] alyssum/samba: use full package for discovery --- hosts/alyssum/samba.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/hosts/alyssum/samba.nix b/hosts/alyssum/samba.nix index ba89a00..708286a 100644 --- a/hosts/alyssum/samba.nix +++ b/hosts/alyssum/samba.nix @@ -1,4 +1,4 @@ -{ config, ... }: { +{ config, pkgs, ... }: { networking.firewall.allowPing = true; age.secrets.passwd_smbcilly.file = ../../secrets/passwd_smbcilly.age; @@ -24,9 +24,11 @@ services.samba = { enable = true; + package = pkgs.samba4Full; openFirewall = true; settings = { global = { + "server smb encrypt" = "required"; "workgroup" = "WORKGROUP"; "server string" = "smbnix"; "netbios name" = "smbnix"; From 024a6bdbe2f56232d63c2f62b20bf509b65f7fb0 Mon Sep 17 00:00:00 2001 
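Review bot: The secret read by `$(cat …)` is spliced into printf's format string, so a `%` or `\` in either SMB password is interpreted as a directive or escape and smbpasswd is handed a different password than the one in the file. Passing the value as an argument avoids that: `printf '%s\n%s\n' "$(cat ${config.age.secrets.passwd_smbcilly.path})" "$(cat ${config.age.secrets.passwd_smbcilly.path})" | ${smbpasswd} -sa cilly` (and the same for kujira). Dropping the `/run/current-system/sw/bin/` prefix should also make `printf` the bash builtin, which keeps the secret out of a separate process's argv; a one-line comment saying so would stop someone restoring the absolute path later. The `system.activationScripts` set closes after the hunk.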
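Review bot: `"server smb encrypt" = "required"` is enforced after dialect negotiation, so an explicit `"server min protocol" = "SMB3_00";` next to it rejects SMB1/SMB2 clients (which cannot encrypt) before authentication and documents the intent. Switching to `pkgs.samba4Full` pulls in the full build with its extra backends; if it is only needed for discovery alongside `services.samba-wsdd`, as the commit title suggests, a comment naming the missing feature would justify the larger surface. The `global` section continues past the hunk.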
From: Cilly Leang Date: Wed, 17 Jun 2026 18:47:15 +1000 Subject: [PATCH 26/39] alyssum/samba: relax hosts --- hosts/alyssum/samba.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/alyssum/samba.nix b/hosts/alyssum/samba.nix index 708286a..1a32e38 100644 --- a/hosts/alyssum/samba.nix +++ b/hosts/alyssum/samba.nix @@ -33,7 +33,7 @@ "server string" = "smbnix"; "netbios name" = "smbnix"; "security" = "user"; - "hosts allow" = "100.67.2.1 127.0.0.1 localhost"; + "hosts allow" = "100.64.0.0/10 127.0.0.1 alyssum localhost"; "hosts deny" = "0.0.0.0/0"; "guest account" = "nobody"; "map to guest" = "bad user"; From 8157d0d5617bb0780f46c3e0aa1c97e8c9447488 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 17 Jun 2026 19:49:10 +1000 Subject: [PATCH 27/39] alyssum/home.syncthing: init --- hosts/alyssum/default.nix | 1 + hosts/alyssum/home.syncthing.nix | 16 ++++++++++++++++ 2 files changed, 17 insertions(+) create mode 100644 hosts/alyssum/home.syncthing.nix diff --git a/hosts/alyssum/default.nix b/hosts/alyssum/default.nix index a2eb166..661e3d5 100644 --- a/hosts/alyssum/default.nix +++ b/hosts/alyssum/default.nix @@ -32,6 +32,7 @@ ./filesystem.nix ./kernel.nix ./networking.nix + ./home.syncthing.nix ./samba.nix ../../users/hana diff --git a/hosts/alyssum/home.syncthing.nix b/hosts/alyssum/home.syncthing.nix new file mode 100644 index 0000000..3335625 --- /dev/null +++ b/hosts/alyssum/home.syncthing.nix @@ -0,0 +1,16 @@ +{ config, ... }: { + me.binds."/home/kujira/.config/syncthing" = "kujira/syncthing/config"; + me.binds."/home/kujira/.local/state/syncthing" = "kujira/syncthing/state"; + + users.users.kujira = { + hashedPasswordFile = config.age.secrets.passwd.path; + isNormalUser = true; + linger = true; + }; + home-manager.users.kujira = { ... }: { + services.syncthing = { + enable = true; + guiAddress = ":8385"; + }; + }; +} From 9a821fda94f380a741a25e77760571a6aa77761f Mon Sep 17 00:00:00 2001 
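Review bot: `"hosts deny" = "0.0.0.0/0"` only matches IPv4, and as far as I recall Samba admits a client that matches neither list when both are set, so an IPv6 LAN client (this repo uses fd0d:: ULAs elsewhere) is not filtered by the new allow list; `"hosts deny" = "ALL";` closes that. `100.64.0.0/10` is the whole CGNAT block rather than this tailnet, and `openFirewall = true` in the surrounding config opens 139/445 on every interface, so smb.conf is the only gate; `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 445 ];` in place of `openFirewall` would keep the LAN out of the picture at the network layer, assuming tailscale0 is the interface the 100.x addresses live on. The `global` section continues past the hunk.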
From: Cilly Leang Date: Wed, 17 Jun 2026 19:50:02 +1000 Subject: [PATCH 28/39] alyssum/home.syncthing: fixup hm config --- hosts/alyssum/home.syncthing.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/hosts/alyssum/home.syncthing.nix b/hosts/alyssum/home.syncthing.nix index 3335625..5895716 100644 --- a/hosts/alyssum/home.syncthing.nix +++ b/hosts/alyssum/home.syncthing.nix @@ -8,6 +8,11 @@ linger = true; }; home-manager.users.kujira = { ... }: { + home = { + username = "kujira"; + homeDirectory = "/home/kujira"; + stateVersion = "26.05"; + }; services.syncthing = { enable = true; guiAddress = ":8385"; From 63d9d6b0044edd9a520aedbe1ab25dc9e9ec0b2e Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 17 Jun 2026 19:58:03 +1000 Subject: [PATCH 29/39] alyssum/home.syncthing: add host to gui address --- hosts/alyssum/home.syncthing.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/alyssum/home.syncthing.nix b/hosts/alyssum/home.syncthing.nix index 5895716..929436b 100644 --- a/hosts/alyssum/home.syncthing.nix +++ b/hosts/alyssum/home.syncthing.nix @@ -15,7 +15,7 @@ }; services.syncthing = { enable = true; - guiAddress = ":8385"; + guiAddress = "[::]:8385"; }; }; } From bc3269a814934ccd8dfa95462735125cdc5d5762 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 17 Jun 2026 20:29:22 +1000 Subject: [PATCH 30/39] alyssum/home.syncthing: create another instance --- hosts/alyssum/home.syncthing.nix | 40 ++++++++++++++++++-------------- 1 file changed, 23 insertions(+), 17 deletions(-) diff --git a/hosts/alyssum/home.syncthing.nix b/hosts/alyssum/home.syncthing.nix index 929436b..1e20f97 100644 --- a/hosts/alyssum/home.syncthing.nix +++ b/hosts/alyssum/home.syncthing.nix 
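Review bot: `guiAddress = "[::]:8385"` exposes the Syncthing web UI on every interface, and nothing in this file sets GUI credentials, so whoever can reach the port can add devices and folders under kujira's account. Either bind it to loopback, `guiAddress = "127.0.0.1:8385";`, and reach it over SSH, or keep the wide bind and set a GUI user/password (if the home-manager module exposes `settings.gui`); either way the NixOS firewall still needs an explicit rule for 8385, which is worth a comment so the reachability is deliberate rather than accidental.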
@@ -1,21 +1,27 @@ -{ config, ... }: { - me.binds."/home/kujira/.config/syncthing" = "kujira/syncthing/config"; - me.binds."/home/kujira/.local/state/syncthing" = "kujira/syncthing/state"; +{ config, lib, ... }: +let + configOn = user: port: { + me.binds."/home/${user}/.config/syncthing" = "${user}/syncthing/config"; + me.binds."/home/${user}/.local/state/syncthing" = "${user}/syncthing/state"; - users.users.kujira = { - hashedPasswordFile = config.age.secrets.passwd.path; - isNormalUser = true; - linger = true; - }; - home-manager.users.kujira = { ... }: { - home = { - username = "kujira"; - homeDirectory = "/home/kujira"; - stateVersion = "26.05"; + users.users.${user} = { + hashedPasswordFile = config.age.secrets.passwd.path; + isNormalUser = true; + linger = true; }; - services.syncthing = { - enable = true; - guiAddress = "[::]:8385"; + home-manager.users.${user} = { ... }: { + home = { + username = "${user}"; + homeDirectory = "/home/${user}"; + stateVersion = "26.05"; + }; + services.syncthing = { + enable = true; + guiAddress = "[::]:${toString port}"; + }; }; }; -} +in lib.mkMerge [ + (configOn "kujira" 8385) + (configOn "cilly" 8386) +] From 5c13051b4b291967d070e3d41dae2801bab17819 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 17 Jun 2026 21:05:38 +1000 Subject: [PATCH 31/39] alyssum/samba: bind some directories --- hosts/alyssum/samba.nix | 159 +++++++++++++++++++--------------------- modules/binds.nix | 8 +- 2 files changed, 83 insertions(+), 84 deletions(-) diff --git a/hosts/alyssum/samba.nix b/hosts/alyssum/samba.nix index 1a32e38..f14365b 100644 --- a/hosts/alyssum/samba.nix +++ b/hosts/alyssum/samba.nix 
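Review bot: `configOn` gives every account it creates `hashedPasswordFile = config.age.secrets.passwd.path`, so kujira and cilly (and the accounts hosts/alyssum/samba.nix creates from the same file) share one password hash and therefore one password, while the SMB side already has per-user secrets (`passwd_smb<user>`). Following that pattern, `hashedPasswordFile = config.age.secrets."passwd_${user}".path;` with a matching `age.secrets."passwd_${user}".file = ../../secrets/passwd_${user}.age;` keeps one user from logging in as the other. If passwd.age is meant to hold a shared hash, a comment saying so would stop the next reader from treating it as a bug.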
@@ -1,88 +1,83 @@ -{ config, pkgs, ... }: { - networking.firewall.allowPing = true; +{ config, lib, pkgs, ... }: +let + configOn = user: let + passwd_fname = "passwd_smb${user}"; + in { + age.secrets.${passwd_fname}.file = ../../secrets/${passwd_fname}.age; + me.binds."/flower/smb/${user}/syncthing" = "/flower/syncthing/${user}"; - age.secrets.passwd_smbcilly.file = ../../secrets/passwd_smbcilly.age; - age.secrets.passwd_smbkujira.file = ../../secrets/passwd_smbkujira.age; + users.users.${user} = { + hashedPasswordFile = config.age.secrets.passwd.path; + isNormalUser = true; + }; - users.users.cilly = { - hashedPasswordFile = config.age.secrets.passwd.path; - isNormalUser = true; - }; - users.users.kujira = { - hashedPasswordFile = config.age.secrets.passwd.path; - isNormalUser = true; - }; - system.activationScripts = { - init_smbpasswd.text = let - smbpasswd = "${config.services.samba.package}/bin/smbpasswd"; - in '' - printf "$(cat ${config.age.secrets.passwd_smbcilly.path})\n$(cat ${config.age.secrets.passwd_smbcilly.path})\n" | ${smbpasswd} -sa cilly - - printf "$(cat ${config.age.secrets.passwd_smbkujira.path})\n$(cat ${config.age.secrets.passwd_smbkujira.path})\n" | ${smbpasswd} -sa kujira - ''; - }; - - services.samba = { - enable = true; - package = pkgs.samba4Full; - openFirewall = true; - settings = { - global = { - "server smb encrypt" = "required"; - "workgroup" = "WORKGROUP"; - "server string" = "smbnix"; - "netbios name" = "smbnix"; - "security" = "user"; - "hosts allow" = "100.64.0.0/10 127.0.0.1 alyssum localhost"; - "hosts deny" = "0.0.0.0/0"; - "guest account" = "nobody"; - "map to guest" = "bad user"; - }; - "public" = { - "path" = "/flower/smb/public"; - "browseable" = "yes"; - "read only" = "no"; - "guest ok" = "yes"; - "create mask" = "0644"; - "directory mask" = "0755"; - "force user" = "hana"; - "force group" = "users"; - }; - "cilly" = { - "path" = "/flower/smb/cilly"; - "browseable" = "yes"; - "read only" = "no"; - "guest ok" = "no"; - 
"create mask" = "0644"; - "directory mask" = "0755"; - "force user" = "cilly"; - "force group" = "users"; - "valid users" = "cilly"; - }; - "kujira" = { - "path" = "/flower/smb/kujira"; - "browseable" = "yes"; - "read only" = "no"; - "guest ok" = "no"; - "create mask" = "0644"; - "directory mask" = "0755"; - "force user" = "kujira"; - "force group" = "users"; - "valid users" = "kujira"; - }; + system.activationScripts = { + init_smbpasswd.text = let + smbpasswd = "${config.services.samba.package}/bin/smbpasswd"; + in '' + printf "$(cat ${config.age.secrets.${passwd_fname}.path})\n$(cat ${config.age.secrets.${passwd_fname}.path})\n" | ${smbpasswd} -sa ${user} + ''; + }; + services.samba.settings."${user}" = { + "path" = "/flower/smb/${user}"; + "browseable" = "yes"; + "read only" = "no"; + "guest ok" = "no"; + "create mask" = "0644"; + "directory mask" = "0755"; + "force user" = user; + "force group" = "users"; + "valid users" = user; }; }; +in lib.mkMerge [ + (configOn "cilly") + (configOn "kujira") + { + me.binds."/flower/smb/kujira/opencloud" = "/flower/opencloud/data/storage/users/users/a8e29fc0-673c-4c67-be00-2442904acb43"; - services.samba-wsdd = { - enable = true; - openFirewall = true; - }; + networking.firewall.allowPing = true; - services.avahi = { - enable = true; - openFirewall = true; - nssmdns4 = true; - publish.enable = true; - publish.userServices = true; - }; -} + services.samba = { + enable = true; + package = pkgs.samba4Full; + openFirewall = true; + settings = { + global = { + "server smb encrypt" = "required"; + "workgroup" = "WORKGROUP"; + "server string" = "smbnix"; + "netbios name" = "smbnix"; + "security" = "user"; + "hosts allow" = "100.64.0.0/10 127.0.0.1 alyssum localhost"; + "hosts deny" = "0.0.0.0/0"; + "guest account" = "nobody"; + "map to guest" = "bad user"; + }; + "public" = { + "path" = "/flower/smb/public"; + "browseable" = "yes"; + "read only" = "no"; + "guest ok" = "yes"; + "create mask" = "0644"; + "directory mask" = "0755"; + 
"force user" = "hana"; + "force group" = "users"; + }; + }; + }; + + services.samba-wsdd = { + enable = true; + openFirewall = true; + }; + + services.avahi = { + enable = true; + openFirewall = true; + nssmdns4 = true; + publish.enable = true; + publish.userServices = true; + }; + } +] diff --git a/modules/binds.nix b/modules/binds.nix index 9c7d4ad..c9ffe18 100644 --- a/modules/binds.nix +++ b/modules/binds.nix @@ -1,8 +1,12 @@ { config, lib, ...}: { imports = [ ./options.nix ]; - fileSystems = lib.mapAttrs (dest: key: { + fileSystems = lib.mapAttrs (dest: key: let + target = if (lib.strings.hasPrefix "/" key) + then key + else "/persist/binds/${key}"; + in { depends = [ "/persist" ]; - device = "/persist/binds/${key}"; + device = target; fsType = "none"; options = [ "bind" ]; }) config.me.binds; From 907f2cabcadb6223c28fc6960b542f60bbadc860 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 17 Jun 2026 21:14:47 +1000 Subject: [PATCH 32/39] alyssum/home.syncthing: set proper defaults --- hosts/alyssum/home.syncthing.nix | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/hosts/alyssum/home.syncthing.nix b/hosts/alyssum/home.syncthing.nix index 1e20f97..33545fe 100644 --- a/hosts/alyssum/home.syncthing.nix +++ b/hosts/alyssum/home.syncthing.nix @@ -4,6 +4,8 @@ let me.binds."/home/${user}/.config/syncthing" = "${user}/syncthing/config"; me.binds."/home/${user}/.local/state/syncthing" = "${user}/syncthing/state"; + systemd.tmpfiles.rules = [ "d /flower/syncthing/${user} 700 ${user} users" ]; + users.users.${user} = { hashedPasswordFile = config.age.secrets.passwd.path; isNormalUser = true; @@ -18,6 +20,12 @@ let services.syncthing = { enable = true; guiAddress = "[::]:${toString port}"; + options.listenAddresses = [ + "tcp://0.0.0.0:2${toString port}" + "quic://0.0.0.0:2${toString port}" + "dynamic+https://relays.syncthing.net/endpoint" + ]; + settings.defaults.folder.path = "/flower/syncthing/${user}"; }; }; }; 
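Review bot: `me.binds."/flower/smb/kujira/opencloud"` mounts OpenCloud's internal per-user storage (`.../storage/users/users/<uuid>`) inside an SMB share that is writable with `force user = kujira` and `create mask = 0644`; if OpenCloud keeps its own ownership or metadata for that tree (not visible here), files written over SMB bypass it, and the bare UUID does not say which OpenCloud account it is. A comment naming that account and stating that direct writes are acceptable, or splitting it into a read-only share, would make the exposure deliberate. Note also that `init_smbpasswd.text` is now defined once per `configOn` call and relies on the option concatenating the two definitions; if `text` were a plain string the two would conflict, so a short comment on the merge is worth adding.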
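Review bot: For an absolute key the bind now targets a path outside `/persist`, but `depends = [ "/persist" ]` is unchanged, so a target under `/flower` (the paths hosts/alyssum uses) can be bound before that filesystem is mounted if it is a separate mount, silently exposing an empty directory. Something like `depends = [ "/persist" ] ++ lib.optional (lib.strings.hasPrefix "/flower/" key) "/flower";`, or deriving the dependency from the target's first path component, keeps the ordering correct; whether `/flower` is its own filesystem is not visible here, so a comment stating the assumption is the minimum.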
From 6c80606b7ea743fca6ec146ab30cfb378d395d09 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 17 Jun 2026 21:15:22 +1000 Subject: [PATCH 33/39] alyssum/home.syncthing: fixup conf --- hosts/alyssum/home.syncthing.nix | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/hosts/alyssum/home.syncthing.nix b/hosts/alyssum/home.syncthing.nix index 33545fe..4408fb7 100644 --- a/hosts/alyssum/home.syncthing.nix +++ b/hosts/alyssum/home.syncthing.nix @@ -20,12 +20,14 @@ let services.syncthing = { enable = true; guiAddress = "[::]:${toString port}"; - options.listenAddresses = [ - "tcp://0.0.0.0:2${toString port}" - "quic://0.0.0.0:2${toString port}" - "dynamic+https://relays.syncthing.net/endpoint" - ]; - settings.defaults.folder.path = "/flower/syncthing/${user}"; + settings = { + options.listenAddresses = [ + "tcp://0.0.0.0:2${toString port}" + "quic://0.0.0.0:2${toString port}" + "dynamic+https://relays.syncthing.net/endpoint" + ]; + defaults.folder.path = "/flower/syncthing/${user}"; + }; }; }; }; From 21dc584199e72285d0ec07083f604b439aa41b34 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Wed, 17 Jun 2026 21:22:03 +1000 Subject: [PATCH 34/39] alyssum/home.syncthing: don't override devices and folders --- hosts/alyssum/home.syncthing.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hosts/alyssum/home.syncthing.nix b/hosts/alyssum/home.syncthing.nix index 4408fb7..8d5a1cc 100644 --- a/hosts/alyssum/home.syncthing.nix +++ b/hosts/alyssum/home.syncthing.nix @@ -20,6 +20,8 @@ let services.syncthing = { enable = true; guiAddress = "[::]:${toString port}"; + overrideDevices = false; + overrideFolders = false; settings = { options.listenAddresses = [ "tcp://0.0.0.0:2${toString port}" From 4dfc89814003566d4fb55dbd84b29c4427b254b0 Mon Sep 17 00:00:00 2001 
From: Cilly Leang Date: Fri, 19 Jun 2026 07:36:13 +1000 Subject: [PATCH 35/39] user/neovim: switch to nixd --- modules/system/nix.nix | 3 ++- modules/user/neovim.nix | 7 ++++--- res/config.lua | 28 +++++++++++++++++++++++++++- users/rin/packages.nix | 1 - 4 files changed, 33 insertions(+), 6 deletions(-) diff --git a/modules/system/nix.nix b/modules/system/nix.nix index 6a6fd04..eb14f73 100644 --- a/modules/system/nix.nix +++ b/modules/system/nix.nix @@ -1,5 +1,6 @@ -{ config, lib, pkgs, ... }: { +{ config, inputs, pkgs, ... }: { nix = { + nixPath = [ "nixpkgs=${inputs.nixpkgs}" ]; package = pkgs.nixVersions.latest; settings = rec { diff --git a/modules/user/neovim.nix b/modules/user/neovim.nix index d691c61..2b8d4c1 100644 --- a/modules/user/neovim.nix +++ b/modules/user/neovim.nix @@ -1,9 +1,9 @@ -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, sysConfig, ... }: let luaconf = pkgs.writeText "config.lua" (lib.replaceStrings - ["{{OMNISHARP_PATH}}" "{{DART_PATH}}" "{{CATPPUCCIN_FLAVOUR}}"] - ["${pkgs.omnisharp-roslyn}/bin/OmniSharp" "${pkgs.dart}/bin/dart" config.catppuccin.nvim.flavor] + ["{{OMNISHARP_PATH}}" "{{DART_PATH}}" "{{CATPPUCCIN_FLAVOUR}}" "{{USERNAME}}" "{{HOSTNAME}}"] + ["${pkgs.omnisharp-roslyn}/bin/OmniSharp" "${pkgs.dart}/bin/dart" config.catppuccin.nvim.flavor config.home.username sysConfig.networking.hostName] (builtins.readFile ../../res/config.lua)); in { systemd.user.tmpfiles.rules = [ @@ -21,6 +21,7 @@ in { withRuby = false; extraPackages = with pkgs; [ + nixd rust-analyzer texlab astro-language-server diff --git a/res/config.lua b/res/config.lua index 3e91e28..c0b5dad 100644 --- a/res/config.lua +++ b/res/config.lua 
@@ -167,7 +167,7 @@ vim.diagnostic.config({ capabilities = require('cmp_nvim_lsp').default_capabilities(capabilities) -local servers = { 'astro', 'clangd', 'cssls', 'html', 'nil_ls', 'tailwindcss', 'texlab', 'ts_ls', 'yamlls' } +local servers = { 'astro', 'clangd', 'cssls', 'html', 'tailwindcss', 'texlab', 'ts_ls', 'yamlls' } for _, lsp in ipairs(servers) do vim.lsp.config(lsp, { capabilities = capabilities, @@ -292,6 +292,32 @@ vim.lsp.config("diagnosticls", { }) vim.lsp.enable("diagnosticls") +-- LSP/nixd +vim.lsp.config("nixd", { + cmd = { "nixd" }, + filetypes = { "nix" }, + root_markers = { "flake.nix", ".git" }, + settings = { + nixd = { + nixpkgs = { + expr = "import { }", + }, + formatting = { + command = { "nixfmt" }, + }, + options = { + nixos = { + expr = '(builtins.getFlake (toString ./.)).nixosConfigurations.{{HOSTNAME}}.options', + }, + home_manager = { + expr = '(builtins.getFlake (builtins.toString ./.)).nixosConfigurations."{{USERNAME}}@{{HOSTNAME}}".options.home-manager.users.type.getSubOptions []', + }, + }, + }, + }, +}) +vim.lsp.enable("nixd") + -- LSP/Signatures require("lsp_signature").setup { hint_enable = false, diff --git a/users/rin/packages.nix b/users/rin/packages.nix index afc711b..3fe0129 100644 --- a/users/rin/packages.nix +++ b/users/rin/packages.nix @@ -15,7 +15,6 @@ in { ffmpeg gnupg kitty - nil nodejs_latest pamixer pnpm From e1c02d7a91eb1b6c4c25c243fcc861de6611ce39 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Fri, 19 Jun 2026 08:01:17 +1000 Subject: [PATCH 36/39] containers/emerald: move to alyssum --- containers/emerald/flake.nix | 12 +++--------- hosts/alyssum/default.nix | 2 ++ hosts/dandelion/default.nix | 3 +-- hosts/dandelion/nginx.nix | 8 ++++++++ secrets.nix | 2 +- secrets/navidrome_env.age | Bin 630 -> 630 bytes 6 files changed, 15 insertions(+), 12 deletions(-) create mode 100644 hosts/dandelion/nginx.nix diff --git a/containers/emerald/flake.nix b/containers/emerald/flake.nix index 9c9acdc..7e79b23 100644 
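Review bot: The `home_manager` expression looks up `nixosConfigurations."{{USERNAME}}@{{HOSTNAME}}"` while the `nixos` expression right above uses `nixosConfigurations.{{HOSTNAME}}`; unless this flake really exports a `user@host` NixOS configuration, that attribute does not exist and nixd silently loses home-manager option completion. `expr = '(builtins.getFlake (toString ./.)).nixosConfigurations.{{HOSTNAME}}.options.home-manager.users.type.getSubOptions []'` matches the sibling. Also `nixpkgs.expr = "import { }"` as rendered has no nixpkgs reference — it reads like `import <nixpkgs> { }` with the angle brackets lost in extraction; if that is the real content, it depends on the `nix.nixPath` entry added in modules/system/nix.nix and deserves a one-line comment saying so.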
--- a/containers/emerald/flake.nix +++ b/containers/emerald/flake.nix @@ -9,11 +9,11 @@ shareFqdn = "muse.lava.moe"; subnetId = "5"; - subnet = x: "fd0d:1::${subnetId}:${toString x}"; + subnet = x: "fd0d:2::${subnetId}:${toString x}"; host = subnet 1; client = subnet 2; - subnet4 = x: "10.30.${subnetId}.${toString x}"; + subnet4 = x: "10.32.${subnetId}.${toString x}"; host4 = subnet4 1; client4 = subnet4 2; @@ -39,13 +39,7 @@ useACMEHost = "lava.moe"; forceSSL = true; locations."/".proxyPass = "http://[${client}]:4533"; - listenAddresses = [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ]; - }; - services.nginx.virtualHosts."${shareFqdn}" = { - useACMEHost = "lava.moe"; - forceSSL = true; - locations."/".return = "404"; - locations."/share/".proxyPass = "http://[${client}]:4533"; + listenAddresses = [ "100.67.2.1" ]; }; systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ]; diff --git a/hosts/alyssum/default.nix b/hosts/alyssum/default.nix index 661e3d5..06c415f 100644 --- a/hosts/alyssum/default.nix +++ b/hosts/alyssum/default.nix @@ -6,6 +6,7 @@ age.secrets = { acme_dns.file = ../../secrets/acme_dns.age; passwd.file = ../../secrets/passwd.age; + navidrome_env.file = ../../secrets/navidrome_env.age; wpa_conf = { file = ../../secrets/wpa_conf.age; path = "/etc/wpa_supplicant/imperative.conf"; @@ -27,6 +28,7 @@ modules.services.nginx modules.services.syncthing + inputs.c-emerald.nixosModule inputs.c-garnet.nixosModule ./filesystem.nix diff --git a/hosts/dandelion/default.nix b/hosts/dandelion/default.nix index 33b6eec..f65dfd1 100644 --- a/hosts/dandelion/default.nix +++ b/hosts/dandelion/default.nix @@ -5,7 +5,6 @@ age.secrets = { acme_dns.file = ../../secrets/acme_dns.age; - navidrome_env.file = ../../secrets/navidrome_env.age; slskd_env.file = ../../secrets/slskd_env.age; wg_dandelion.file = ../../secrets/wg_dandelion.age; }; 
@@ -31,12 +30,12 @@ inputs.c-beryllium.nixosModule inputs.c-citrine.nixosModule inputs.c-diamond.nixosModule - inputs.c-emerald.nixosModule inputs.c-fluorite.nixosModule ./filesystem.nix ./kernel.nix ./networking.nix + ./nginx.nix ../../users/hana ]; diff --git a/hosts/dandelion/nginx.nix b/hosts/dandelion/nginx.nix new file mode 100644 index 0000000..c29de38 --- /dev/null +++ b/hosts/dandelion/nginx.nix @@ -0,0 +1,8 @@ +{ ... }: { + services.nginx.virtualHosts."muse.lava.moe" = { + useACMEHost = "lava.moe"; + forceSSL = true; + locations."/".return = "404"; + locations."/share/".proxyPass = "http://[fd0d:2::5:2]:4533"; + }; +} diff --git a/secrets.nix b/secrets.nix index bec70ef..b1f55e5 100644 --- a/secrets.nix +++ b/secrets.nix @@ -13,7 +13,7 @@ in { "secrets/wpa_conf.age".publicKeys = [ alyssum blossom rin ]; "secrets/acme_dns.age".publicKeys = [ alyssum dandelion hazel rin ]; - "secrets/navidrome_env.age".publicKeys = [ anemone dandelion rin ]; + "secrets/navidrome_env.age".publicKeys = [ alyssum dandelion rin ]; "secrets/slskd_env.age".publicKeys = [ anemone dandelion rin ]; "secrets/tailscale_auth.age".publicKeys = [ alyssum anemone blossom dandelion rin ]; "secrets/warden_admin.age".publicKeys = [ rin ]; 
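Review bot: `proxyPass = "http://[fd0d:2::5:2]:4533"` hard-codes the emerald container address that containers/emerald/flake.nix derives as `subnet 2`, and after this commit that container runs on alyssum, so dandelion proxies the public share traffic to another host over plain HTTP on a ULA; whether that path rides an encrypted link (the existing WireGuard/Tailscale setup) is not visible here. A comment recording which host and link the address belongs to, or pointing at the flake's `client` value, would keep the two definitions from drifting. The `/` → 404 default is a good choice.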
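Review bot: `navidrome_env.age` keeps `dandelion` as a recipient even though hosts/dandelion/default.nix drops `age.secrets.navidrome_env` in this same commit, so a host that no longer uses the secret can still decrypt it. `"secrets/navidrome_env.age".publicKeys = [ alyssum rin ];` followed by an agenix rekey matches the actual consumers; `slskd_env.age` on the next line still lists `anemone`, which may be the same situation and is worth checking while here.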
diff --git a/secrets/navidrome_env.age b/secrets/navidrome_env.age index 6cb705c5d12523d7e403ecd2736ad062cc9756fe..7df364f2e273e47d57332c4379af715fc8a5212e 100644 GIT binary patch delta 584 zcmeyy@{MJJYJIl9Z*V}lLa~0SOIE(8PgRsjZmNfANJe2wPNjZ9K&nwvh`)KUw?}|y zah|!8zGG!ES3tUPYCwulX0BsVR8p0bmsfUvPO5&2S!h;hVwzuKWp+uHcVUTTdSRIf zm#&>cadC!jYKoDmsiCDpQjl9=YM_FCWl?sip<%gqwy#lonvqFjKvu9*l%cm%RD_Rz zPH>2SdRe%kae7vjv#~E%MTm2_M@pe-SdoEInPr7bzH3yWbF#aSXG&I7h-I;nrF%|F zewC4Ve!0QKkK*+n8Nr2a7A`?m`eorJM!{*uCTWH4zMkn>mQe-CroO3>ei?;@#Z~5M zPT5>0o>h*aL4~FUMUjSP2Kt4LRrw~C$+;O}=K96i8Rh}*z7`plg`Sq-?yg+Ay1EL9 z!TyHDId0x**{;q$X6{A#7A9%FnJ!TVfj&NdN&ZD?nSS-D>3-hk*~Q6ROqpWpMWV|d z&c4vI?M;r-tE{--Z%Xm=Lj$CDFLGWutD?BcP;&a@f0uoCZ!2GWs`sk3vUqjk;%iK` z+P^Q@zJ8i|WunSt<>I|nf4nn)t!g;n)&0q3m!$nYJ2|(F-vj?sG`WCg#Y;CB32Co4)>MRlf4+kK9tCZCbg>R9kL#Qr5a2&Gw+g7Uxv}q{-wD delta 584 zcmeyy@{MJJYJGl2WpIh3LZG*ASzdXWbADmIYe+zTa7bu&lwWarXh?RTdtpFIpi5Ga zyPJ7%nzx51S5k3cm}RK1et2$DNMw0dR$)$*x3h7Un^R$UQdDSAUSv^ZScPSXPf21r zm#&>cadC!jYKoDmsiCDpQjl9=YM_E;sAqUkqNAfxg>QjNvU_A|X@<7Gt5c+>c4bM4 zVP%kMn1@q%X--9UnMWv>VWC@Qk!gx=Rk&+va#@acqN7(zu7QD1QK@@id8uh~a%ymf zk%fDBQl-VjkK*;YsoG@~9(kUn6<$f6F8(e~-jkrv?<`6gazg)WY{CGJK+mA>^Rd6~u*mEnP0+oFBUOCsE* z3bwpzlgKR$u9$3^^ZVfWqPNN?4)f&tr`cQQ=D&Xa?73?U-wn%@sp~tnL(+v$>}C*F zxA`xn%JX>ouLo-iPxHCPx(V+O*cJKu@s3=59#dX}h>yFj?Z5ZfGA|o$zklp6 zX|@|&xOuuKjLFleVCnh`Z_lSp+>)?)gVX#Q4P6t?pZWIe&UJ&$5F8pXE@ck*9i%4 Date: Fri, 19 Jun 2026 08:57:22 +1000 Subject: [PATCH 37/39] containers/emerald: change mounts --- containers/emerald/configuration.nix | 2 +- containers/emerald/flake.nix | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/containers/emerald/configuration.nix b/containers/emerald/configuration.nix index f69a4c6..7f1f1fc 100644 --- a/containers/emerald/configuration.nix +++ b/containers/emerald/configuration.nix 
@@ -16,7 +16,7 @@ ShareURL = "https://${shareFqdn}"; EnableSharing = true; DataFolder = "/persist/navidrome"; - MusicFolder = "/binds/music"; + MusicFolder = "/binds/music/main"; }; }; } diff --git a/containers/emerald/flake.nix b/containers/emerald/flake.nix index 7e79b23..5ee69e4 100644 --- a/containers/emerald/flake.nix +++ b/containers/emerald/flake.nix @@ -62,7 +62,7 @@ isReadOnly = false; }; bindMounts."music" = { - hostPath = "/persist/media/music"; + hostPath = "/flower/media/music"; mountPoint = "/binds/music"; isReadOnly = true; }; From 004832fc066bc76a95cbb46d22e9833b5446dbff Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Fri, 19 Jun 2026 09:03:39 +1000 Subject: [PATCH 38/39] containers/emerald: bind music directory --- containers/emerald/configuration.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/containers/emerald/configuration.nix b/containers/emerald/configuration.nix index 7f1f1fc..421ddb0 100644 --- a/containers/emerald/configuration.nix +++ b/containers/emerald/configuration.nix @@ -19,4 +19,5 @@ MusicFolder = "/binds/music/main"; }; }; + systemd.services.navidrome.serviceConfig.BindReadOnlyPaths = ["/binds/music"]; } From c0004409d7aa14c8aacf166c7bf21b9cd5431135 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Fri, 19 Jun 2026 09:12:52 +1000 Subject: [PATCH 39/39] alyssum/samba: bind music --- hosts/alyssum/samba.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/alyssum/samba.nix b/hosts/alyssum/samba.nix index f14365b..d876981 100644 --- a/hosts/alyssum/samba.nix +++ b/hosts/alyssum/samba.nix @@ -4,6 +4,7 @@ let passwd_fname = "passwd_smb${user}"; in { age.secrets.${passwd_fname}.file = ../../secrets/${passwd_fname}.age; + me.binds."/flower/smb/${user}/music" = "/flower/media/music/${user}"; me.binds."/flower/smb/${user}/syncthing" = "/flower/syncthing/${user}"; users.users.${user} = {