From 724d30a092902b27988fc2a3cdc41b18b8023898 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Mon, 23 Mar 2026 02:53:15 +1100 Subject: [PATCH 01/10] containers/fluorite: change slskd env --- secrets/slskd_env.age | Bin 853 -> 847 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/secrets/slskd_env.age b/secrets/slskd_env.age index 7515e1fe0856de4165a345ca9d18941d86466845..eded5d0ff812e08ea3ca7644c655ca94e63b764b 100644 GIT binary patch delta 796 zcmcc0cAjm5PQ9^9zPWF)vr~j+RC<6}foE!VS$0rnv0J*Exk*-`QL=YMQC4WCkzY=R zFPCddnvZ8_wuwPzahjh~q=~b)qk&hJN3u~+qO-5Qk5_J4pjT;Ws&-;zF_*5LLUD11 zZfc5=si~o*LQ;@hVQQd4L~>S&PoZCgqX7{%$5*y1Kdw<$h%$C4m9{ zAr+}5{soCuSxyo8CTT&&A;`h|hzTxtQ@iv_+&ZW8;+-g>`_I)GK5?G)u;;^%dvSUncP_E7^4Z_#vEWINTtZ^D>;JZ(_4hSQCIu<7 z|I^Ajr1*QvaYxCv`*jXsa_)P7uRmk+_p4F&VqI?wkFNoxr;Vhtf|bKBOcC9}{P5P5 z?>Tl3o9hJu)f{%b=8Kd8#)<+ zh5ARLKC3nScdKMSX?k*Bhf`qr<-6bXZzw(6@`K&$bnu&&`WdFP(rSfOoupUo4LGvy z3WpA3QLkHq+!VjuWry>YJHI;IH*<24*W|lj64M?i9Lro|zn*FSbc64ERu)wKPYk;n z{kGwC<>9Q25hm~2zB$}&MQp(rvOv);x4(yF%H&S_r@`3(=>}4) delta 802 zcmX@lc9m^{PJND%L5jOig-c~px{0@;V|YY?V}5y5QbBl`n@ggzv9o!pQF?}VXljaa zK3BeLNo8(9Ns(Kmd1|nKgr9#|dAMVuM@ou^sdi#iieF(^ikYida+E`9R#m=5#KEX-pAudT~*{)uZ83rj%rC9+crtSt@y1KdwJ}DJ>ffgP~ z-emzksh){d5#iYtX(ap9V`X;r?>Wvg`-oiQ*JPCw`&4#&{akq2 zZ}#+WUG?kv?Rms`{`Q}_$#HDEXwi-^?`w9hPq)`F>91^lyIi_`>xFrH*S_X@kharj z%gc$A-ly&<=5kymp44jd`G~j%|G!@K`-UQC^Af}g;@C9#oZeV*KK|kN=%K)7?)P7w ze!R%o*B6j}Aa}yXqe16hT#o#%w(`4Dy>n9WnVOHRRtyGA^_RY{aM+UfhMQr>|edy|_G~?!? zUCrUm+a4{`e80Kr*_`k82OsYe-g4x`Z=v_zPsIbj#ZM4@R`$w7CsD9%Cu<#h=t+O4 zO;*gx8|**Kdmp=!`IqXvz@s Date: Thu, 26 Mar 2026 19:01:45 +1100 Subject: [PATCH 02/10] containers/beryllium: use ipv4 --- containers/beryllium/configuration.nix | 5 +++-- containers/beryllium/flake.nix | 12 +++++------- 2 files changed, 8 insertions(+), 9 deletions(-) diff --git a/containers/beryllium/configuration.nix b/containers/beryllium/configuration.nix index 07740d2..6629a31 100644 --- a/containers/beryllium/configuration.nix 
+++ b/containers/beryllium/configuration.nix @@ -9,14 +9,15 @@ networking.firewall.allowedUDPPorts = [ 6167 ]; # TODO: this should be generically set networking.useHostResolvConf = false; - networking.nameservers = [ "fd0d:1::2:1" ]; + networking.nameservers = [ "8.8.8.8" ]; services.matrix-continuwuity = { enable = true; settings.global = { # TODO: link this with outer container's address - address = [ "fd0d:1::2:2" ]; + address = [ "10.30.2.2" ]; server_name = "lava.moe"; + rocksdb_recovery_mode = 2; }; }; } diff --git a/containers/beryllium/flake.nix b/containers/beryllium/flake.nix index c6b6cae..5805401 100644 --- a/containers/beryllium/flake.nix +++ b/containers/beryllium/flake.nix @@ -22,9 +22,9 @@ useACMEHost = "lava.moe"; forceSSL = true; locations."/".extraConfig = "return 302 'https://lava.moe';"; - locations."/_matrix".proxyPass = "http://[fd0d:1::${subnet}:2]:6167"; - locations."/_conduwuit".proxyPass = "http://[fd0d:1::${subnet}:2]:6167"; - locations."/_continuwuity".proxyPass = "http://[fd0d:1::${subnet}:2]:6167"; + locations."/_matrix".proxyPass = "http://10.30.${subnet}.2:6167"; + locations."/_conduwuit".proxyPass = "http://10.30.${subnet}.2:6167"; + locations."/_continuwuity".proxyPass = "http://10.30.${subnet}.2:6167"; }; services.nginx.virtualHosts."lava.moe" = { @@ -52,9 +52,8 @@ containers.${name} = { autoStart = true; privateNetwork = true; - hostAddress6 = "fd0d:1::${subnet}:1"; - localAddress6 = "fd0d:1::${subnet}:2"; - # privateUsers = "pick"; + hostAddress = "10.30.${subnet}.1"; + localAddress = "10.30.${subnet}.2"; nixpkgs = nixpkgs; ephemeral = true; config = { imports = [ ./configuration.nix ]; }; @@ -64,7 +63,6 @@ mountPoint = "/persist"; isReadOnly = false; }; - # flake = "path:" + ./.; }; }; }; From 52e53ba5b3b877a829c1b445b33167cb7051c48e Mon Sep 17 00:00:00 2001 
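Review bot: The nameserver change in containers/beryllium/configuration.nix hands the container's DNS to Google's public resolver over plain port 53, whereas the removed `fd0d:1::2:1` pointed at the host side of the container link, i.e. the host's unbound, which this repo forwards over DoT (`@853` entries in modules/services/unbound.nix) and whose `access-control` already allows `10.0.0.0/8`. The IPv4 host address introduced by the same commit's flake.nix is `hostAddress = "10.30.${subnet}.1"`, so the like-for-like replacement appears to be `networking.nameservers = [ "10.30.2.1" ];` — assuming unbound listens on that address, which is not visible here. Separately, `rocksdb_recovery_mode = 2;` is unrelated to the "use ipv4" subject and has no comment; either move it to its own commit or add `# one-off recovery setting after unclean shutdown — revert once the DB opens cleanly` (or whatever the actual reason is) so it is not left in place indefinitely.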
From: Cilly Leang Date: Sun, 5 Apr 2026 09:32:33 +1000 Subject: [PATCH 03/10] containers/amethyst: use ipv4 proxy --- containers/amethyst/flake.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/containers/amethyst/flake.nix b/containers/amethyst/flake.nix index 5b9817e..739c3e5 100644 --- a/containers/amethyst/flake.nix +++ b/containers/amethyst/flake.nix @@ -21,7 +21,8 @@ services.nginx.virtualHosts."${fqdn}" = { useACMEHost = "lava.moe"; forceSSL = true; - locations."/".proxyPass = "http://[fd0d:1::${subnet}:2]:9091"; + #locations."/".proxyPass = "http://[fd0d:1::${subnet}:2]:9091"; + locations."/".proxyPass = "http://10.30.${subnet}.2:9091"; listenAddresses = [ "10.0.0.1" "[fd0d::1]" ]; }; From 4a91f8a1652eaabd7bc933428d76aeb86263c0b4 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Fri, 10 Apr 2026 01:02:28 +1000 Subject: [PATCH 04/10] system/wireguard: also forward udp --- modules/system/wireguard.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/modules/system/wireguard.nix b/modules/system/wireguard.nix index bdfe900..71f85ad 100644 --- a/modules/system/wireguard.nix +++ b/modules/system/wireguard.nix @@ -6,7 +6,7 @@ let serverIp = gcSecrets.wireguard.gateway; forwarding = { -# "22727" = [ "10.100.0.3" "7777" ]; + "22727" = [ "10.100.0.3" "7777" ]; }; mapForwards = type: @@ -18,6 +18,8 @@ let in '' ${pkgs.iptables}/bin/iptables -${type} PREROUTING -t nat -i ${serverInterface} -p tcp --dport ${sport} -j DNAT --to ${dest}:${dport} ${pkgs.iptables}/bin/iptables -${type} FORWARD -p tcp -d ${dest} --dport ${dport} -j ACCEPT + ${pkgs.iptables}/bin/iptables -${type} PREROUTING -t nat -i ${serverInterface} -p udp --dport ${sport} -j DNAT --to ${dest}:${dport} + ${pkgs.iptables}/bin/iptables -${type} FORWARD -p udp -d ${dest} --dport ${dport} -j ACCEPT '') forwarding ); From 5680e29cd2ba1572cfcb59d536455f959cecfec9 Mon Sep 17 00:00:00 2001 
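Review bot: The old IPv6 `proxyPass` in containers/amethyst/flake.nix is kept as a commented-out line instead of being deleted; the parallel change to containers/beryllium/flake.nix in patch 02 removed its IPv6 lines outright. For consistency drop `#locations."/".proxyPass = "http://[fd0d:1::${subnet}:2]:9091";` and rely on history. The vhost still listening on `[fd0d::1]` is unaffected since only the upstream address changed.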
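Review bot: In modules/system/wireguard.nix the new udp FORWARD accept rule (and the existing tcp one beside it) matches only on `-d ${dest} --dport ${dport}`, with no ingress interface, so forwarded traffic to that destination is accepted from any interface while the DNAT rules are limited to `-i ${serverInterface}`. Suggest `${pkgs.iptables}/bin/iptables -${type} FORWARD -i ${serverInterface} -p udp -d ${dest} --dport ${dport} -j ACCEPT` and the same `-i` on the tcp line, so the accept is no wider than the DNAT that justifies it. The first hunk also re-enables the `"22727" = [ "10.100.0.3" "7777" ]` mapping, which newly exposes that internal host on the server interface for both tcp and udp; the commit message only mentions udp, so it is worth stating that the forward itself is being switched on. The `mapForwards` definition begins before this hunk.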
From: Cilly Leang Date: Sat, 11 Apr 2026 22:47:29 +1000 Subject: [PATCH 05/10] services/unbound: add google to dns --- modules/services/unbound.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/services/unbound.nix b/modules/services/unbound.nix index 349f9e8..a1b4ac4 100644 --- a/modules/services/unbound.nix +++ b/modules/services/unbound.nix @@ -27,8 +27,12 @@ in { forward-addr = [ "2606:4700:4700::1111@853#cloudflare-dns.com" "2606:4700:4700::1001@853#cloudflare-dns.com" + "2001:4860:4860::8888@853#dns.google" + "2001:4860:4860::8844@853#dns.google" "1.1.1.1@853#cloudflare-dns.com" "1.0.0.1@853#cloudflare-dns.com" + "8.8.8.8@853#dns.google" + "8.8.4.4@853#dns.google" ]; }]; From de857dcfbfc60d39161b14257d7661841dc06d13 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Thu, 28 May 2026 21:20:27 +1000 Subject: [PATCH 06/10] services/nginx: credentialsFile -> environmentFile --- modules/services/nginx.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/services/nginx.nix b/modules/services/nginx.nix index 51641b4..a02b7e9 100644 --- a/modules/services/nginx.nix +++ b/modules/services/nginx.nix @@ -6,7 +6,7 @@ email = "me@lava.moe"; group = "nginx"; dnsProvider = "cloudflare"; - credentialsFile = config.age.secrets."acme_dns".path; + environmentFile = config.age.secrets."acme_dns".path; }; certs."lava.moe" = { extraDomainNames = [ From d13f18a1899628e8b9cc2875abe61e1c40be2c67 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Thu, 28 May 2026 21:21:49 +1000 Subject: [PATCH 07/10] user/neovim{,-minimal}: set defaults to suppress warning --- modules/user/neovim-minimal.nix | 2 ++ modules/user/neovim.nix | 2 ++ 2 files changed, 4 insertions(+) diff --git a/modules/user/neovim-minimal.nix b/modules/user/neovim-minimal.nix index a7d3f8c..392097d 100644 --- a/modules/user/neovim-minimal.nix +++ b/modules/user/neovim-minimal.nix 
@@ -9,6 +9,8 @@ vimAlias = true; vimdiffAlias = true; withNodeJs = false; + withPython3 = false; + withRuby = false; plugins = with pkgs.vimPlugins; [ fzf-vim diff --git a/modules/user/neovim.nix b/modules/user/neovim.nix index 30ffac9..d691c61 100644 --- a/modules/user/neovim.nix +++ b/modules/user/neovim.nix @@ -17,6 +17,8 @@ in { vimdiffAlias = true; #package = pkgs.neovim-nightly; withNodeJs = true; + withPython3 = true; + withRuby = false; extraPackages = with pkgs; [ rust-analyzer From 69717ef92ba8cb0763b17af502c5174d95de65a3 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Thu, 28 May 2026 21:33:57 +1000 Subject: [PATCH 08/10] hosts/dandelion: enable tailscale --- hosts/dandelion/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/dandelion/default.nix b/hosts/dandelion/default.nix index 92e53be..33b6eec 100644 --- a/hosts/dandelion/default.nix +++ b/hosts/dandelion/default.nix @@ -19,6 +19,7 @@ nix-stable packages security + tailscale wireguard modules.services.banksia From e5e608c580e9598d897485f66a14bce0e0740d1d Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Thu, 28 May 2026 21:56:34 +1000 Subject: [PATCH 09/10] services/unbound: allow access from tailscale --- modules/services/unbound.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/modules/services/unbound.nix b/modules/services/unbound.nix index a1b4ac4..8aae0fd 100644 --- a/modules/services/unbound.nix +++ b/modules/services/unbound.nix @@ -41,8 +41,10 @@ in { access-control = [ "127.0.0.1/8 allow" "10.0.0.0/8 allow" + "100.64.0.0/10 allow" "192.168.100.0/24 allow" - "fd0d::/16 allow" + "fd0d::/16 allow" + "fd7a:115c:a1e0::/48 allow" "${gcSecrets.wireguard.ipv6Subnet}:/80 allow" ]; domain-insecure = [ "\"local.lava.moe\"" ]; From d0e090bb6815110376b9bceb40880a9a5ee00ee3 Mon Sep 17 00:00:00 2001 
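Review bot: In modules/services/unbound.nix the new `"100.64.0.0/10 allow"` entry opens the resolver to the whole RFC 6598 shared address space, which Tailscale uses but which is not exclusive to it; if any other interface on the host can carry 100.64/10 source addresses (e.g. an upstream that uses CGNAT), those clients are allowed too. A comment such as `# Tailscale CGNAT range (RFC 6598); only as tight as the interfaces unbound listens on` would record that assumption, and binding unbound's listening interfaces to the tailscale address (or restricting port 53 to `tailscale0` in the firewall) would make the allow rule match only tailnet clients — neither is visible in this hunk, so hedged. The `"fd0d::/16 allow"` line is removed and re-added unchanged, which looks like a whitespace-only edit that could be dropped from the patch.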
From: Cilly Leang Date: Thu, 28 May 2026 22:10:44 +1000 Subject: [PATCH 10/10] hosts/alyssum: enable tailscale --- hosts/alyssum/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/alyssum/default.nix b/hosts/alyssum/default.nix index 4a6ef0c..087c77f 100644 --- a/hosts/alyssum/default.nix +++ b/hosts/alyssum/default.nix @@ -20,6 +20,7 @@ nix-stable packages security + tailscale ./filesystem.nix ./kernel.nix