alyssum/samba: bind music

input delay :p

.git-crypt/.gitattributes

@@ -0,0 +1,4 @@
+# Do not edit this file.  To specify the files to encrypt, create your own
+# .gitattributes file in the directory where your files are.
+* !filter !diff
+*.gpg binary

.gitattributes

@@ -0,0 +1 @@
+secrets.gcrypt/** filter=git-crypt diff=git-crypt

.github/workflows/cachix.yml

@@ -5,20 +5,6 @@ on:
   workflow_dispatch:
 
 jobs:
-  check:
-    name: Check flake
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-      - uses: cachix/install-nix-action@v31
-      - uses: cachix/cachix-action@v14
-        with:
-          name: lava
-          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
-      - run: nix flake check --keep-going --verbose
-
   build:
     name: Build linux-lava for x86_64-linux
     runs-on: ubuntu-latest
@@ -35,7 +21,7 @@ jobs:
         with:
           fetch-depth: 0
       - uses: cachix/install-nix-action@v31
-      - uses: cachix/cachix-action@v14
+      - uses: cachix/cachix-action@v16
         with:
           name: lava
           authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'

containers/amethyst/configuration.nix

@@ -0,0 +1,47 @@
+{ lib, pkgs, ... }: {
+  system.stateVersion = "23.11";
+  systemd.tmpfiles.rules = [
+    "d /persist/transmission 755 transmission transmission"
+    "d /persist/transmission/.config/transmission-daemon 750 transmission transmission"
+    "d /persist/transmission/.incomplete 750 transmission transmission"
+    "d /persist/transmission/Downloads 755 transmission transmission"
+    "d /persist/transmission/watchdir 755 transmission transmission"
+  ];
+  networking.wg-quick.interfaces.wg0 = {
+    configFile = "/persist/vpn.conf";
+    preUp = ''
+          # Try to access the DNS for up to 300s
+          for i in {1..60}; do
+            ${pkgs.iputils}/bin/ping -c1 'google.com' && break
+            echo "Attempt $i: DNS still not available"
+            sleep 5s
+          done
+    '';
+  };
+
+  # https://github.com/NixOS/nixpkgs/issues/258793
+  systemd.services.transmission.serviceConfig = {
+    BindReadOnlyPaths = lib.mkForce [ builtins.storeDir "/etc" ];
+    RootDirectoryStartOnly = lib.mkForce false;
+    RootDirectory = lib.mkForce "";
+    PrivateMounts = lib.mkForce false;
+    PrivateUsers = lib.mkForce false;
+  };
+
+  networking.firewall.allowedTCPPorts = [ 9091 ];
+  services.transmission = {
+    enable = true;
+    package = pkgs.transmission_4;
+    downloadDirPermissions = "775";
+    openFirewall = true;
+    home = "/persist/transmission";
+    settings = {
+      ratio-limit-enabled = true;
+      rpc-bind-address = "0.0.0.0";
+      rpc-enabled = true;
+      rpc-port = 9091;
+      rpc-host-whitelist-enabled = false;
+      rpc-whitelist-enabled = false;
+    };
+  };
+}

containers/amethyst/flake.lock

@@ -0,0 +1,27 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1773282481,
+        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

containers/amethyst/flake.nix

@@ -0,0 +1,51 @@
+{
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+  };
+  outputs = { nixpkgs, ... }: {
+    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
+      modules = [ ./configuration.nix ];
+    };
+    nixosModule = { ... }:
+    let
+      name = "amethyst";
+      fqdn = "amethyst.lava.moe";
+      subnet = "1";
+    in {
+      networking.nat = {
+        enable = true;
+        enableIPv6 = true;
+        internalInterfaces = [ "ve-${name}" ];
+      };
+
+      services.nginx.virtualHosts."${fqdn}" = {
+        useACMEHost = "lava.moe";
+        forceSSL = true;
+        #locations."/".proxyPass = "http://[fd0d:1::${subnet}:2]:9091";
+        locations."/".proxyPass = "http://10.30.${subnet}.2:9091";
+        listenAddresses = [ "10.0.0.1" "[fd0d::1]" ];
+      };
+
+      systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
+      containers.${name} = {
+        autoStart = true;
+        privateNetwork = true;
+        hostAddress = "10.30.${subnet}.1";
+        localAddress = "10.30.${subnet}.2";
+        hostAddress6 = "fd0d:1::${subnet}:1";
+        localAddress6 = "fd0d:1::${subnet}:2";
+        # privateUsers = "pick";
+        nixpkgs = nixpkgs;
+        ephemeral = true;
+        config = { imports = [ ./configuration.nix ]; };
+
+        bindMounts."persist" = {
+          hostPath = "/persist/containers/${name}";
+          mountPoint = "/persist";
+          isReadOnly = false;
+        };
+        # flake = "path:" + ./.;
+      };
+    };
+  };
+}

containers/beryllium/configuration.nix

@@ -0,0 +1,23 @@
+{ ... }: {
+  system.stateVersion = "25.11";
+  fileSystems."/var/lib/private" = {
+    device = "/persist";
+    fsType = "none";
+    options = [ "bind" ];
+  };
+  networking.firewall.allowedTCPPorts = [ 6167 ];
+  networking.firewall.allowedUDPPorts = [ 6167 ];
+  # TODO: this should be generically set
+  networking.useHostResolvConf = false;
+  networking.nameservers = [ "8.8.8.8" ];
+
+  services.matrix-continuwuity = {
+    enable = true;
+    settings.global = {
+      # TODO: link this with outer container's address
+      address = [ "10.30.2.2" ];
+      server_name = "lava.moe";
+      rocksdb_recovery_mode = 2;
+    };
+  };
+}

containers/beryllium/flake.lock

@@ -0,0 +1,27 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1773282481,
+        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

containers/beryllium/flake.nix

@@ -0,0 +1,69 @@
+{
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+  };
+  outputs = { nixpkgs, ... }: {
+    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
+      modules = [ ./configuration.nix ];
+    };
+    nixosModule = { ... }:
+    let
+      name = "beryllium";
+      fqdn = "beryllium.lava.moe";
+      subnet = "2";
+    in {
+      networking.nat = {
+        enable = true;
+        enableIPv6 = true;
+        internalInterfaces = [ "ve-${name}" ];
+      };
+
+      services.nginx.virtualHosts."${fqdn}" = {
+        useACMEHost = "lava.moe";
+        forceSSL = true;
+        locations."/".extraConfig = "return 302 'https://lava.moe';";
+        locations."/_matrix".proxyPass = "http://10.30.${subnet}.2:6167";
+        locations."/_conduwuit".proxyPass = "http://10.30.${subnet}.2:6167";
+        locations."/_continuwuity".proxyPass = "http://10.30.${subnet}.2:6167";
+      };
+
+      services.nginx.virtualHosts."lava.moe" = {
+        locations."= /.well-known/matrix/server".extraConfig =
+          let
+            server = { "m.server" = "${fqdn}:443"; };
+          in ''
+            add_header Content-Type application/json;
+            return 200 '${builtins.toJSON server}';
+          '';
+        locations."= /.well-known/matrix/client".extraConfig =
+          let
+            client = {
+              "m.homeserver" = { "base_url" = "https://${fqdn}"; };
+              # "m.identity_server" = { "base_url" = "https://vector.im"; };
+            };
+          in ''
+            add_header Content-Type application/json;
+            add_header Access-Control-Allow-Origin *;
+            return 200 '${builtins.toJSON client}';
+          '';
+      };
+
+      systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
+      containers.${name} = {
+        autoStart = true;
+        privateNetwork = true;
+        hostAddress = "10.30.${subnet}.1";
+        localAddress = "10.30.${subnet}.2";
+        nixpkgs = nixpkgs;
+        ephemeral = true;
+        config = { imports = [ ./configuration.nix ]; };
+
+        bindMounts."persist" = {
+          hostPath = "/persist/containers/${name}";
+          mountPoint = "/persist";
+          isReadOnly = false;
+        };
+      };
+    };
+  };
+}

containers/citrine/configuration.nix

@@ -0,0 +1,53 @@
+{ config, fqdn, lib, ... }: {
+  system.stateVersion = "25.11";
+  networking.firewall.allowedTCPPorts = [ 22 3000 ];
+  networking.firewall.allowedUDPPorts = [ 22 3000 ];
+
+  systemd.tmpfiles.rules = [
+    "L+ /persist/forgejo/custom/templates - - - - ${./templates}"
+  ];
+
+  services.forgejo = {
+    enable = true;
+    lfs.enable = true;
+    settings = {
+      DEFAULT.APP_NAME = "cilly's botanical laboratory";
+      server = {
+        DOMAIN = fqdn;
+        ROOT_URL = "https://${fqdn}/";
+        HTTP_PORT = 3000;
+        START_SSH_SERVER = true;
+        BUILTIN_SSH_SERVER_USER = "git";
+        SSH_DOMAIN = "git.lava.moe";
+        SSH_SERVER_KEY_EXCHANGES = "mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256";
+      };
+      ui = lib.mkForce {
+        DEFAULT_THEME = "catppuccin-maroon-auto";
+        THEMES = lib.strings.concatMapStringsSep "," (x: "${x}-auto") [
+          "catppuccin-pink"
+          "catppuccin-maroon"
+          "catppuccin-flamingo"
+          "catppuccin-rosewater"
+          "forgejo"
+          "gitea"
+        ];
+      };
+      api.ENABLE_SWAGGER = false;
+      other.SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
+      repository.ENABLE_PUSH_CREATE_USER = true;
+      repository.ENABLE_PUSH_CREATE_ORG = true;
+      service.DISABLE_REGISTRATION = true;
+    };
+    stateDir = "/persist/forgejo";
+  };
+
+  systemd.services.forgejo.serviceConfig = {
+    AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+    CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+    PrivateUsers = lib.mkForce false;
+  };
+
+  catppuccin.forgejo.enable = true;
+
+  environment.systemPackages = [ config.services.forgejo.package ];
+}

containers/citrine/flake.lock

@@ -0,0 +1,62 @@
+{
+  "nodes": {
+    "catppuccin": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1773403535,
+        "narHash": "sha256-47MZaFrHxNO8tVUAmtVnerXUw2WWVluBOiU9MulN/yM=",
+        "owner": "catppuccin",
+        "repo": "nix",
+        "rev": "d45b5665cc638bad1b794350de02f4dd41b0bb47",
+        "type": "github"
+      },
+      "original": {
+        "owner": "catppuccin",
+        "repo": "nix",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1773122722,
+        "narHash": "sha256-FIqHByVqxCprNjor1NqF80F2QQoiiyqanNNefdlvOg4=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "62dc67aa6a52b4364dd75994ec00b51fbf474e50",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1773282481,
+        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "catppuccin": "catppuccin",
+        "nixpkgs": "nixpkgs_2"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

containers/citrine/flake.nix

@@ -0,0 +1,68 @@
+{
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    catppuccin.url = "github:catppuccin/nix";
+  };
+  outputs = { nixpkgs, catppuccin, ... }:
+  let
+    name = "citrine";
+    fqdn = "lab.lava.moe";
+    subnetId = "3";
+
+    subnet = x: "fd0d:1::${subnetId}:${toString x}";
+    host = subnet 1;
+    client = subnet 2;
+
+    subnet4 = x: "10.30.${subnetId}.${toString x}";
+    host4 = subnet4 1;
+    client4 = subnet4 2;
+
+    modules = [
+      ./configuration.nix
+      catppuccin.nixosModules.catppuccin
+      {
+        networking.useHostResolvConf = false;
+        networking.nameservers = [ host ];
+      }
+    ];
+  in {
+    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
+      inherit modules;
+    };
+    nixosModule = { ... }: {
+      networking.nat = {
+        enable = true;
+        enableIPv6 = true;
+        internalInterfaces = [ "ve-${name}" ];
+      };
+
+      services.nginx.virtualHosts."${fqdn}" = {
+        useACMEHost = "lava.moe";
+        forceSSL = true;
+        locations."/".proxyPass = "http://[${client}]:3000";
+      };
+
+      systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
+      containers.${name} = {
+        autoStart = true;
+        privateNetwork = true;
+        hostAddress = host4;
+        localAddress = client4;
+        hostAddress6 = host;
+        localAddress6 = client;
+        # privateUsers = "pick";
+        nixpkgs = nixpkgs;
+        ephemeral = true;
+        config = { imports = modules; };
+        specialArgs = { inherit fqdn; };
+
+        bindMounts."persist" = {
+          hostPath = "/persist/containers/${name}";
+          mountPoint = "/persist";
+          isReadOnly = false;
+        };
+        # flake = "path:" + ./.;
+      };
+    };
+  };
+}

containers/citrine/templates/base/footer_content.tmpl

@@ -0,0 +1,31 @@
+<footer class="page-footer" role="group" aria-label="{{ctx.Locale.Tr "aria.footer"}}">
+    <div class="left-links" role="contentinfo" aria-label="{{ctx.Locale.Tr "aria.footer.software"}}">
+        {{if ShowFooterPoweredBy}}
+            <a target="_blank" rel="noopener noreferrer" href="https://forgejo.org">Forgejo</a>
+        {{end}}
+        {{if (or .ShowFooterVersion .PageIsAdmin)}}
+            {{if .IsAdmin}}
+                <a href="{{AppSubUrl}}/admin/config">{{AppVerNoMetadata}}</a>
+            {{else}}
+                {{AppVerNoMetadata}}
+            {{end}}
+        {{end}}
+        {{if and .TemplateLoadTimes ShowFooterTemplateLoadTime}}
+            {{ctx.Locale.Tr "page"}}: <strong>{{LoadTimes .PageStartTime}}</strong>
+            {{ctx.Locale.Tr "template"}}{{if .TemplateName}} {{.TemplateName}}{{end}}: <strong>{{call .TemplateLoadTimes}}</strong>
+        {{end}}
+    </div>
+    <div class="right-links" role="group" aria-label="{{ctx.Locale.Tr "aria.footer.links"}}">
+        <div class="ui dropdown upward language">
+            <span class="flex-text-inline">{{svg "octicon-globe" 14}} {{ctx.Locale.LangName}}</span>
+            <div class="menu language-menu">
+                {{range .AllLangs}}
+                    <a lang="{{.Lang}}" data-url="{{AppSubUrl}}/?lang={{.Lang}}" class="item {{if eq ctx.Locale.Lang .Lang}}active selected{{end}}">{{.Name}}</a>
+                {{end}}
+            </div>
+        </div>
+        <a href="{{AssetUrlPrefix}}/licenses.txt">{{ctx.Locale.Tr "licenses"}}</a>
+        {{if .EnableSwagger}}<a href="{{AppSubUrl}}/api/swagger">API</a>{{end}}
+        {{template "custom/extra_links_footer" .}}
+    </div>
+</footer>

containers/citrine/templates/home.tmpl

@@ -0,0 +1,19 @@
+{{template "base/head" .}}
+{{if not .IsSigned}}
+    <script>window.location.href = "/explore/repos";</script>
+{{end}}
+<div role="main" aria-label="{{if .IsSigned}}{{ctx.Locale.Tr "dashboard"}}{{else}}{{ctx.Locale.Tr "home"}}{{end}}" class="page-content home">
+    <div class="tw-mb-8 tw-px-8">
+        <div class="center">
+            <img class="logo" width="220" height="220" src="{{AssetUrlPrefix}}/img/logo.svg" alt="{{ctx.Locale.Tr "logo"}}">
+            <div class="hero">
+                <h1 class="ui icon header title">
+                    {{AppDisplayName}}
+                </h1>
+                <h2>{{ctx.Locale.Tr "startpage.app_desc"}}</h2>
+            </div>
+        </div>
+    </div>
+    {{template "home_forgejo" .}}
+</div>
+{{template "base/footer" .}}

containers/diamond/configuration.nix

@@ -0,0 +1,22 @@
+{ fqdn, ... }: {
+  system.stateVersion = "25.11";
+  systemd.tmpfiles.rules = [
+    "d /persist/vaultwarden 755 vaultwarden vaultwarden"
+  ];
+  fileSystems."/var/lib/vaultwarden" = {
+    device = "/persist/vaultwarden";
+    fsType = "none";
+    options = [ "bind" ];
+  };
+  networking.firewall.allowedTCPPorts = [ 8000 ];
+  networking.firewall.allowedUDPPorts = [ 8000 ];
+
+  services.vaultwarden = {
+    enable = true;
+    domain = fqdn;
+    config = {
+      DOMAIN = "https://${fqdn}";
+      ROCKET_ADDRESS = "::";
+    };
+  };
+}

containers/diamond/flake.lock

@@ -0,0 +1,27 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1773282481,
+        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

containers/diamond/flake.nix

@@ -0,0 +1,51 @@
+{
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+  };
+  outputs = { nixpkgs, ... }:
+  let
+    name = "diamond";
+    fqdn = "astransia.lava.moe";
+    subnetId = "4";
+
+    subnet = x: "fd0d:1::${subnetId}:${toString x}";
+    host = subnet 1;
+    client = subnet 2;
+
+    modules = [
+      ./configuration.nix
+    ];
+  in {
+    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
+      inherit modules;
+    };
+    nixosModule = { ... }: {
+      services.nginx.virtualHosts."${fqdn}" = {
+        useACMEHost = "lava.moe";
+        forceSSL = true;
+        locations."/".proxyPass = "http://[${client}]:8000";
+        listenAddresses = [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ];
+      };
+
+      systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
+      containers.${name} = {
+        autoStart = true;
+        privateNetwork = true;
+        hostAddress6 = host;
+        localAddress6 = client;
+        # privateUsers = "pick";
+        nixpkgs = nixpkgs;
+        ephemeral = true;
+        config = { imports = modules; };
+        specialArgs = { inherit fqdn; };
+
+        bindMounts."persist" = {
+          hostPath = "/persist/containers/${name}";
+          mountPoint = "/persist";
+          isReadOnly = false;
+        };
+        # flake = "path:" + ./.;
+      };
+    };
+  };
+}

containers/emerald/configuration.nix

@@ -0,0 +1,23 @@
+{ fqdn, shareFqdn, ... }: {
+  system.stateVersion = "25.11";
+  systemd.tmpfiles.rules = [
+    "d /persist/navidrome 755 navidrome navidrome"
+  ];
+  networking.firewall.allowedTCPPorts = [ 4533 ];
+  networking.firewall.allowedUDPPorts = [ 4533 ];
+
+  services.navidrome = {
+    enable = true;
+    environmentFile = "/binds/navidrome_env";
+    settings = {
+      Port = 4533;
+      Address = "[::]";
+      BaseUrl = "https://${fqdn}/";
+      ShareURL = "https://${shareFqdn}";
+      EnableSharing = true;
+      DataFolder = "/persist/navidrome";
+      MusicFolder = "/binds/music/main";
+    };
+  };
+  systemd.services.navidrome.serviceConfig.BindReadOnlyPaths = ["/binds/music"];
+}

containers/emerald/flake.lock

@@ -0,0 +1,27 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1773282481,
+        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

containers/emerald/flake.nix

@@ -0,0 +1,78 @@
+{
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+  };
+  outputs = { nixpkgs, ... }:
+  let
+    name = "emerald";
+    fqdn = "navia.lava.moe";
+    shareFqdn = "muse.lava.moe";
+    subnetId = "5";
+
+    subnet = x: "fd0d:2::${subnetId}:${toString x}";
+    host = subnet 1;
+    client = subnet 2;
+
+    subnet4 = x: "10.32.${subnetId}.${toString x}";
+    host4 = subnet4 1;
+    client4 = subnet4 2;
+
+    modules = [
+      ./configuration.nix
+      {
+        networking.useHostResolvConf = false;
+        networking.nameservers = [ host ];
+      }
+    ];
+  in {
+    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
+      inherit modules;
+    };
+    nixosModule = { config, ... }: {
+      networking.nat = {
+        enable = true;
+        enableIPv6 = true;
+        internalInterfaces = [ "ve-${name}" ];
+      };
+
+      services.nginx.virtualHosts."${fqdn}" = {
+        useACMEHost = "lava.moe";
+        forceSSL = true;
+        locations."/".proxyPass = "http://[${client}]:4533";
+        listenAddresses = [ "100.67.2.1" ];
+      };
+
+      systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
+      containers.${name} = {
+        autoStart = true;
+        privateNetwork = true;
+        hostAddress = host4;
+        localAddress = client4;
+        hostAddress6 = host;
+        localAddress6 = client;
+        # privateUsers = "pick";
+        nixpkgs = nixpkgs;
+        ephemeral = true;
+        config = { imports = modules; };
+        specialArgs = { inherit fqdn shareFqdn; };
+
+        bindMounts."persist" = {
+          hostPath = "/persist/containers/${name}";
+          mountPoint = "/persist";
+          isReadOnly = false;
+        };
+        bindMounts."music" = {
+          hostPath = "/flower/media/music";
+          mountPoint = "/binds/music";
+          isReadOnly = true;
+        };
+        bindMounts."navidrome_env" = {
+          hostPath = config.age.secrets.navidrome_env.path;
+          mountPoint = "/binds/navidrome_env";
+          isReadOnly = true;
+        };
+        # flake = "path:" + ./.;
+      };
+    };
+  };
+}

containers/fluorite/configuration.nix

@@ -0,0 +1,22 @@
+{ ... }: {
+  system.stateVersion = "25.11";
+  systemd.tmpfiles.rules = [
+    "d /persist/slskd/Downloads 755 slskd slskd"
+  ];
+  fileSystems."/var/lib/slskd" = {
+    device = "/persist/slskd";
+    fsType = "none";
+    options = [ "bind" ];
+  };
+  networking.firewall.allowedTCPPorts = [ 5030 50300 ];
+  networking.firewall.allowedUDPPorts = [ 5030 50300 ];
+
+  services.slskd = {
+    enable = true;
+    domain = null;
+    environmentFile = "/binds/slskd_env";
+    settings = {
+      shares.directories = [ "/binds/music/" ];
+    };
+  };
+}

containers/fluorite/flake.lock

@@ -0,0 +1,27 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1773282481,
+        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

containers/fluorite/flake.nix

@@ -0,0 +1,89 @@
+{
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+  };
+  outputs = { nixpkgs, ... }:
+  let
+    name = "fluorite";
+    fqdn = "fluorite.lava.moe";
+    subnetId = "6";
+
+    subnet = x: "fd0d:1::${subnetId}:${toString x}";
+    host = subnet 1;
+    client = subnet 2;
+
+    subnet4 = x: "10.30.${subnetId}.${toString x}";
+    host4 = subnet4 1;
+    client4 = subnet4 2;
+
+    modules = [
+      ./configuration.nix
+      {
+        networking.useHostResolvConf = false;
+        networking.nameservers = [ host ];
+      }
+    ];
+  in {
+    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
+      inherit modules;
+    };
+    nixosModule = { config, ... }: {
+      networking.nat = {
+        enable = true;
+        enableIPv6 = true;
+        internalInterfaces = [ "ve-${name}" ];
+      };
+      networking.firewall.allowedTCPPorts = [ 50300 ];
+
+      services.nginx.virtualHosts."${fqdn}" = {
+        useACMEHost = "lava.moe";
+        forceSSL = true;
+        locations."/".proxyPass = "http://[${client}]:5030";
+        listenAddresses = [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ];
+      };
+
+      systemd.tmpfiles.rules = [
+        "d /persist/containers/${name} 755 root users"
+        "d /persist/media/music 075 nobody users"
+      ];
+      containers.${name} = {
+        autoStart = true;
+        privateNetwork = true;
+        hostAddress = host4;
+        localAddress = client4;
+        hostAddress6 = host;
+        localAddress6 = client;
+        # privateUsers = "pick";
+        nixpkgs = nixpkgs;
+        ephemeral = true;
+        config = { imports = modules; };
+        specialArgs = { inherit fqdn; };
+
+        forwardPorts = [
+          {
+            containerPort = 50300;
+            hostPort = 50300;
+            protocol = "tcp";
+          }
+        ];
+
+        bindMounts."persist" = {
+          hostPath = "/persist/containers/${name}";
+          mountPoint = "/persist";
+          isReadOnly = false;
+        };
+        bindMounts."music" = {
+          hostPath = "/persist/media/music";
+          mountPoint = "/binds/music";
+          isReadOnly = true;
+        };
+        bindMounts."slskd_env" = {
+          hostPath = config.age.secrets.slskd_env.path;
+          mountPoint = "/binds/slskd_env";
+          isReadOnly = true;
+        };
+        # flake = "path:" + ./.;
+      };
+    };
+  };
+}

containers/garnet/configuration.nix

@@ -0,0 +1,36 @@
+{ ... }: {
+  system.stateVersion = "25.11";
+  fileSystems."/var/lib/opencloud" = {
+    device = "/flower/data";
+    fsType = "none";
+    options = [ "bind" ];
+  };
+  fileSystems."/etc/opencloud" = {
+    device = "/persist/cfg";
+    fsType = "none";
+    options = [ "bind" ];
+  };
+  # TODO: hardcoded address
+  networking.extraHosts = ''
+    100.67.2.1 cloud.lava.moe
+  '';
+
+  networking.firewall.allowedTCPPorts = [ 9200 ];
+  networking.firewall.allowedUDPPorts = [ 9200 ];
+
+  environment.etc."opencloud-admin-pass".text = ''
+    IDM_ADMIN_PASSWORD=supersillysecure
+  '';
+  services.opencloud = {
+    enable = true;
+    url = "https://cloud.lava.moe";
+    address = "10.30.7.2";
+    port = 9200;
+    environment = {
+      PROXY_TLS = "false";
+      IDP_ACCESS_TOKEN_EXPIRATION = "2592000";
+      IDP_ID_TOKEN_EXPIRATION = "2592000";
+    };
+    environmentFile = "/etc/opencloud-admin-pass";
+  };
+}

containers/garnet/flake.lock

@@ -0,0 +1,27 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1779560665,
+        "narHash": "sha256-tpyBcxPpcQb8ukyNF7DoCwfSY3VPsxHoYwj00Cayv5o=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "64c08a7ca051951c8eae34e3e3cb1e202fe36786",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

containers/garnet/flake.nix

@@ -0,0 +1,84 @@
+{
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+  };
+  outputs = { nixpkgs, ... }:
+  let
+    name = "garnet";
+    fqdn = "cloud.lava.moe";
+    subnetId = "7";
+
+    subnet = x: "fd0d:1::${subnetId}:${toString x}";
+    host = subnet 1;
+    client = subnet 2;
+
+    subnet4 = x: "10.30.${subnetId}.${toString x}";
+    host4 = subnet4 1;
+    client4 = subnet4 2;
+
+    modules = [
+      ./configuration.nix
+      {
+        networking.useHostResolvConf = false;
+        networking.nameservers = [ host ];
+      }
+    ];
+  in {
+    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
+      inherit modules;
+    };
+    nixosModule = { config, ... }: {
+      networking.nat = {
+        enable = true;
+        enableIPv6 = true;
+        internalInterfaces = [ "ve-${name}" ];
+      };
+
+      services.nginx.virtualHosts."${fqdn}" = {
+        useACMEHost = "lava.moe";
+        forceSSL = true;
+        locations."/" = {
+          proxyPass = "http://${client4}:9200";
+          proxyWebsockets = true;
+        };
+        extraConfig = ''
+          proxy_read_timeout 3600s;
+          proxy_send_timeout 3600s;
+          keepalive_requests 100000;
+          keepalive_timeout 5m;
+          http2_max_concurrent_streams 512;
+        '';
+        # TODO: hardcoded address
+        listenAddresses = [ "100.67.2.1" ];
+      };
+
+      systemd.tmpfiles.rules = [
+        "d /persist/containers/${name} 755 root users"
+      ];
+      containers.${name} = {
+        autoStart = true;
+        privateNetwork = true;
+        hostAddress = host4;
+        localAddress = client4;
+        hostAddress6 = host;
+        localAddress6 = client;
+        # privateUsers = "pick";
+        nixpkgs = nixpkgs;
+        ephemeral = true;
+        config = { imports = modules; };
+        specialArgs = { inherit fqdn; };
+
+        bindMounts."persist" = {
+          hostPath = "/persist/containers/${name}";
+          mountPoint = "/persist";
+          isReadOnly = false;
+        };
+        bindMounts."content" = {
+          hostPath = "/flower/opencloud";
+          mountPoint = "/flower";
+          isReadOnly = false;
+        };
+      };
+    };
+  };
+}

flake.nix

@@ -2,24 +2,27 @@
   inputs = {
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
     home-manager.url = "github:nix-community/home-manager";
-    neovim-nightly.url = "github:nix-community/neovim-nightly-overlay";
+    home-manager.inputs.nixpkgs.follows = "nixpkgs";
-    agenix.url = "github:ryantm/agenix";
 
-    aagl.url = "github:ezKEa/aagl-gtk-on-nix";
+    agenix.url = "github:ryantm/agenix";
     agenix.inputs.nixpkgs.follows = "nixpkgs";
+    aagl.url = "github:ezKEa/aagl-gtk-on-nix";
     catppuccin.url = "github:catppuccin/nix/8eada392fd6571a747e1c5fc358dd61c14c8704e";
     catppuccin.inputs.nixpkgs.follows = "nixpkgs";
     catppuccin-palette = { url = "github:catppuccin/palette"; flake = false; };
-    home-manager.inputs.nixpkgs.follows = "nixpkgs";
+    neovim-nightly.url = "github:nix-community/neovim-nightly-overlay";
     neovim-nightly.inputs.nixpkgs.follows = "nixpkgs";
 
     nix-gaming.url = "github:fufexan/nix-gaming";
+    nix-index-database.url = "github:nix-community/nix-index-database";
+    nix-index-database.inputs.nixpkgs.follows = "nixpkgs";
     spicetify-nix.url = "github:Gerg-L/spicetify-nix";
     spicetify-nix.inputs.nixpkgs.follows = "nixpkgs";
 
     # services
-    # hosts-blocklists = { url = "github:notracking/hosts-blocklists"; flake = false; };
+    pastel.url = "github:cillynder/pastel";
-    # website = { url = "github:LavaDesu/lavadesu.github.io/master"; flake = false; };
+    stevenblack-hosts = { url = "github:StevenBlack/hosts"; flake = false; };
+    website = { url = "github:cillynder/lavadesu.github.io/master"; flake = false; };
 
     # zsh plugins
     zsh-abbr = { url = "git+https://github.com/olets/zsh-abbr?submodules=1"; flake = false; };
@@ -33,6 +36,15 @@
     spotify-adblock = { url = "github:abba23/spotify-adblock"; flake = false; };
     tree-sitter-jsonc = { url = "gitlab:WhyNotHugo/tree-sitter-jsonc"; flake = false; };
     wine-discord-ipc-bridge = { url = "github:0e4ef622/wine-discord-ipc-bridge"; flake = false; };
+
+    # containers
+    c-amethyst.url = "path:./containers/amethyst";
+    c-beryllium.url = "path:./containers/beryllium";
+    c-citrine.url = "path:./containers/citrine";
+    c-diamond.url = "path:./containers/diamond";
+    c-emerald.url = "path:./containers/emerald";
+    c-fluorite.url = "path:./containers/fluorite";
+    c-garnet.url = "path:./containers/garnet";
   };
 
   outputs = { self, agenix, catppuccin, nixpkgs, ... } @ inputs:
@@ -64,11 +76,14 @@
           specialArgs = {
             inherit inputs;
             modules = import ./modules { lib = nixpkgs.lib; };
+            gcSecrets = builtins.fromJSON (builtins.readFile "${self}/secrets.gcrypt/shared.json");
           };
         };
     in
     {
+      nixosConfigurations."alyssum" = mkSystem nixpkgs "alyssum" "x86_64-linux" [];
       nixosConfigurations."anemone" = mkSystem nixpkgs "anemone" "x86_64-linux" [];
+      nixosConfigurations."dandelion" = mkSystem nixpkgs "dandelion" "aarch64-linux" [];
       nixosConfigurations."hyacinth" = mkSystem nixpkgs "hyacinth" "x86_64-linux" [];
 
       packages."x86_64-linux" =

hosts/alyssum/default.nix

@@ -0,0 +1,45 @@
+{ inputs, lib, modules, modulesPath, ... }: {
+  networking.hostName = "alyssum";
+  system.stateVersion = "25.11";
+  time.timeZone = "Australia/Melbourne";
+
+  age.secrets = {
+    acme_dns.file = ../../secrets/acme_dns.age;
+    passwd.file = ../../secrets/passwd.age;
+    navidrome_env.file = ../../secrets/navidrome_env.age;
+    wpa_conf = {
+      file = ../../secrets/wpa_conf.age;
+      path = "/etc/wpa_supplicant/imperative.conf";
+      symlink = false;
+    };
+  };
+
+  imports = with modules.system; [
+    (modulesPath + "/profiles/qemu-guest.nix")
+    home-manager
+
+    base
+    kernel
+    nix-stable
+    packages
+    security
+    tailscale
+
+    modules.services.nginx
+    modules.services.syncthing
+
+    inputs.c-emerald.nixosModule
+    inputs.c-garnet.nixosModule
+
+    ./filesystem.nix
+    ./kernel.nix
+    ./networking.nix
+    ./home.syncthing.nix
+    ./samba.nix
+
+    ../../users/hana
+  ];
+
+  me.environment = "headless";
+  services.syncthing.user = lib.mkForce "hana";
+}

hosts/alyssum/filesystem.nix

@@ -0,0 +1,35 @@
+{ ... }:
+let
+  bind = src: {
+    depends = [ "/nix" ];
+    device = src;
+    fsType = "none";
+    neededForBoot = true;
+    options = [ "bind" ];
+  };
+
+  mkLabelMount = label: type: {
+    device = "/dev/disk/by-label/${label}";
+    fsType = type;
+    options = [ "defaults" "relatime" ];
+  };
+  mkBtrfsMount = name: subvol: atime: mkLabelMount name "btrfs" // {
+    options = [ "autodefrag" "compress=zstd:3" "defaults" "discard=async" "space_cache=v2" "ssd" "subvol=${subvol}" (if atime then "relatime" else "noatime") ];
+  };
+  submount = mkBtrfsMount "alyssum";
+in {
+  fileSystems = {
+    "/" = {
+      device = "rootfs";
+      fsType = "tmpfs";
+      options = [ "defaults" "size=8G" "mode=755" ];
+    };
+    "/boot" = mkLabelMount "stem" "vfat";
+
+    "/flower" = mkBtrfsMount "myosotis" "/@" true;
+    "/nix" = submount "/@/nix" false;
+    "/persist" = (submount "/@/persist" true) // { neededForBoot = true; };
+    "/persist/.snapshots" = submount "/snap/persist" false;
+    "/var/log/journal" = bind "/persist/journal";
+  };
+}

hosts/alyssum/home.syncthing.nix

@@ -0,0 +1,39 @@
+{ config, lib, ... }:
+let
+  configOn = user: port: {
+    me.binds."/home/${user}/.config/syncthing" = "${user}/syncthing/config";
+    me.binds."/home/${user}/.local/state/syncthing" = "${user}/syncthing/state";
+
+    systemd.tmpfiles.rules = [ "d /flower/syncthing/${user} 700 ${user} users" ];
+
+    users.users.${user} = {
+      hashedPasswordFile = config.age.secrets.passwd.path;
+      isNormalUser = true;
+      linger = true;
+    };
+    home-manager.users.${user} = { ... }: {
+      home = {
+        username = "${user}";
+        homeDirectory = "/home/${user}";
+        stateVersion = "26.05";
+      };
+      services.syncthing = {
+        enable = true;
+        guiAddress = "[::]:${toString port}";
+        overrideDevices = false;
+        overrideFolders = false;
+        settings = {
+          options.listenAddresses = [
+            "tcp://0.0.0.0:2${toString port}"
+            "quic://0.0.0.0:2${toString port}"
+            "dynamic+https://relays.syncthing.net/endpoint"
+          ];
+          defaults.folder.path = "/flower/syncthing/${user}";
+        };
+      };
+    };
+  };
+in lib.mkMerge [
+  (configOn "kujira" 8385)
+  (configOn "cilly" 8386)
+]

hosts/alyssum/kernel.nix

@@ -0,0 +1,12 @@
+{ config, lib, ... }: {
+  boot = {
+    loader = {
+      efi.canTouchEfiVariables = true;
+      systemd-boot.enable = true;
+    };
+    initrd.availableKernelModules = [ "nvme" "xhci_pci" "usb_storage" "sd_mod" "rtsx_usb_sdmmc" ];
+    initrd.kernelModules = [ ];
+    kernelModules = [ "kvm-amd" ];
+  };
+  hardware.cpu.amd.updateMicrocode = true;
+}

hosts/alyssum/networking.nix

@@ -0,0 +1,15 @@
+{ config, ... }: {
+  networking = {
+    useDHCP = true;
+    wireless.enable = true;
+
+    interfaces.wlp1s0.useDHCP = false;
+    interfaces.wlp1s0.ipv4.addresses = [{
+      address = "192.168.1.167";
+      prefixLength = 24;
+    }];
+
+    defaultGateway = "192.168.1.1";
+    nameservers = [ "8.8.8.8" "8.8.4.4" ];
+  };
+}

hosts/alyssum/packages.nix

@@ -0,0 +1,14 @@
+{ pkgs, ... }: {
+  environment.systemPackages = with pkgs; [
+    git
+    htop
+    jq
+    neovim
+    rsync
+    sshfs
+    wget
+
+    kitty.terminfo
+  ];
+  environment.variables.EDITOR = "nvim";
+}

hosts/alyssum/samba.nix

@@ -0,0 +1,84 @@
+{ config, lib, pkgs, ... }:
+let
+  configOn = user: let
+    passwd_fname = "passwd_smb${user}";
+  in {
+    age.secrets.${passwd_fname}.file = ../../secrets/${passwd_fname}.age;
+    me.binds."/flower/smb/${user}/music" = "/flower/media/music/${user}";
+    me.binds."/flower/smb/${user}/syncthing" = "/flower/syncthing/${user}";
+
+    users.users.${user} = {
+      hashedPasswordFile = config.age.secrets.passwd.path;
+      isNormalUser = true;
+    };
+
+    system.activationScripts = {
+      init_smbpasswd.text = let
+        smbpasswd = "${config.services.samba.package}/bin/smbpasswd";
+      in ''
+        printf "$(cat ${config.age.secrets.${passwd_fname}.path})\n$(cat ${config.age.secrets.${passwd_fname}.path})\n" | ${smbpasswd} -sa ${user}
+      '';
+    };
+    services.samba.settings."${user}" = {
+      "path" = "/flower/smb/${user}";
+      "browseable" = "yes";
+      "read only" = "no";
+      "guest ok" = "no";
+      "create mask" = "0644";
+      "directory mask" = "0755";
+      "force user" = user;
+      "force group" = "users";
+      "valid users" = user;
+    };
+  };
+in lib.mkMerge [
+  (configOn "cilly")
+  (configOn "kujira")
+  {
+    me.binds."/flower/smb/kujira/opencloud" = "/flower/opencloud/data/storage/users/users/a8e29fc0-673c-4c67-be00-2442904acb43";
+
+    networking.firewall.allowPing = true;
+
+    services.samba = {
+      enable = true;
+      package = pkgs.samba4Full;
+      openFirewall = true;
+      settings = {
+        global = {
+          "server smb encrypt" = "required";
+          "workgroup" = "WORKGROUP";
+          "server string" = "smbnix";
+          "netbios name" = "smbnix";
+          "security" = "user";
+          "hosts allow" = "100.64.0.0/10 127.0.0.1 alyssum localhost";
+          "hosts deny" = "0.0.0.0/0";
+          "guest account" = "nobody";
+          "map to guest" = "bad user";
+        };
+        "public" = {
+          "path" = "/flower/smb/public";
+          "browseable" = "yes";
+          "read only" = "no";
+          "guest ok" = "yes";
+          "create mask" = "0644";
+          "directory mask" = "0755";
+          "force user" = "hana";
+          "force group" = "users";
+        };
+      };
+    };
+
+    services.samba-wsdd = {
+      enable = true;
+      openFirewall = true;
+    };
+
+    services.avahi = {
+      enable = true;
+      openFirewall = true;
+      nssmdns4 = true;
+      publish.enable = true;
+      publish.userServices = true;
+    };
+  }
+]

hosts/anemone/default.nix

@@ -5,6 +5,7 @@
 
   nixpkgs.overlays = [ inputs.neovim-nightly.overlays.default ];
   age.secrets = {
+    wg_anemone.file = ../../secrets/wg_anemone.age;
     passwd.file = ../../secrets/passwd.age;
   };
 
@@ -16,6 +17,7 @@
     bluetooth
     ccache
     corectrl
+    docker
     flatpak
     greetd
     gui
@@ -26,12 +28,16 @@
     printing
     security
     snapper
+    tailscale
+    wireguard
 
     ./filesystem.nix
     ./kernel.nix
     ./networking.nix
 
     ../../users/rin
+
+    modules.services.syncthing
   ];
 
   me = {
@@ -39,13 +45,9 @@
     batteryDevice = "BATT";
     kbBacklightDevice = "asus::kbd_backlight";
     hasFingerprint = true;
+    hidpi = true;
   };
 
-  # For steam fhs-env
-  nixpkgs.config.permittedInsecurePackages = [
-    "openssl-1.1.1w"
-  ];
-
   programs.wireshark = {
     enable = true;
     package = pkgs.wireshark;
@@ -53,4 +55,6 @@
 
   services.fprintd.enable = true;
   services.tlp.enable = true;
+
+  programs.kdeconnect.enable = true;
 }

hosts/anemone/kernel.nix

@@ -23,17 +23,22 @@
     ];
   };
 
-  swapDevices = [{
+  # swapDevices = [{
-    device = "/persist/swapfile";
+  #   device = "/persist/swapfile";
-    size = 16 * 1024;
+  #   size = 16 * 1024;
-  }];
+  # }];
-
+  #
+  # systemd.sleep.extraConfig = ''
+  #   HibernateMode=shutdown
+  # '';
+  /*
   services.logind.lidSwitch = "suspend-then-hibernate";
   systemd.sleep.extraConfig = ''
     HibernateDelaySec=14400
     SuspendEstimationSec=3600
     HibernateOnACPower=true
   '';
+  */
 
   powerManagement.cpufreq.min = 400000;
 

hosts/anemone/networking.nix

@@ -1,18 +1,4 @@
 { config, ... }: {
-  networking = {
+  networking.wireless.iwd.enable = true;
-    #nameservers = [ "8.8.8.8" "8.8.4.4" ];
-
-    #wg-quick.interfaces.wg0.configFile = "/persist/vpn.conf";
-
-    networkmanager = {
-      enable = true;
-      #dns = "none";
-    };
-
-    extraHosts = ''
-      192.168.100.16 hyacinth
-    '';
-  };
-
   environment.etc."NetworkManager/system-connections".source = "/persist/nm_system-connections";
 }

hosts/dandelion/default.nix

@@ -0,0 +1,44 @@
+{ inputs, modules, modulesPath, ... }: {
+  networking.hostName = "dandelion";
+  system.stateVersion = "23.11";
+  time.timeZone = "Australia/Melbourne";
+
+  age.secrets = {
+    acme_dns.file = ../../secrets/acme_dns.age;
+    slskd_env.file = ../../secrets/slskd_env.age;
+    wg_dandelion.file = ../../secrets/wg_dandelion.age;
+  };
+
+  imports = with modules.system; [
+    (modulesPath + "/profiles/qemu-guest.nix")
+    home-manager
+
+    base
+    kernel
+    nix-stable
+    packages
+    security
+    tailscale
+    wireguard
+
+    modules.services.banksia
+    modules.services.nginx
+    modules.services.unbound
+    modules.services.website
+
+    inputs.c-amethyst.nixosModule
+    inputs.c-beryllium.nixosModule
+    inputs.c-citrine.nixosModule
+    inputs.c-diamond.nixosModule
+    inputs.c-fluorite.nixosModule
+
+    ./filesystem.nix
+    ./kernel.nix
+    ./networking.nix
+    ./nginx.nix
+
+    ../../users/hana
+  ];
+
+  me.environment = "headless";
+}

hosts/dandelion/filesystem.nix

@@ -0,0 +1,34 @@
+{ ... }:
+let
+  bind = src: {
+    depends = [ "/nix" ];
+    device = src;
+    fsType = "none";
+    neededForBoot = true;
+    options = [ "bind" ];
+  };
+
+  mkLabelMount = label: type: {
+    device = "/dev/disk/by-label/${label}";
+    fsType = type;
+    options = [ "defaults" "relatime" ];
+  };
+  mkBtrfsMount = name: subvol: atime: mkLabelMount name "btrfs" // {
+    options = [ "autodefrag" "compress=zstd:3" "defaults" "discard=async" "space_cache=v2" "ssd" "subvol=${subvol}" (if atime then "relatime" else "noatime") ];
+  };
+  submount = mkBtrfsMount "DANDELION";
+in {
+  fileSystems = {
+    "/" = {
+      device = "rootfs";
+      fsType = "tmpfs";
+      options = [ "defaults" "size=6G" "mode=755" ];
+    };
+    "/boot" = mkLabelMount "UEFI" "vfat";
+
+    "/nix" = submount "/@/nix" false;
+    "/persist" = (submount "/@/persist" true) // { neededForBoot = true; };
+    "/persist/.snapshots" = submount "/snap/persist" false;
+    "/var/log/journal" = bind "/persist/journal";
+  };
+}

hosts/dandelion/kernel.nix

@@ -0,0 +1,10 @@
+{ ... }: {
+  boot = {
+    loader = {
+      efi.canTouchEfiVariables = true;
+      systemd-boot.enable = true;
+    };
+    initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ];
+    initrd.kernelModules = [ "nvme" ];
+  };
+}

hosts/dandelion/networking.nix

@@ -0,0 +1,4 @@
+{ ... }: {
+  networking.useDHCP = true;
+  networking.interfaces.enp2s0.useDHCP = false;
+}

hosts/dandelion/nginx.nix

@@ -0,0 +1,8 @@
+{ ... }: {
+  services.nginx.virtualHosts."muse.lava.moe" = {
+    useACMEHost = "lava.moe";
+    forceSSL = true;
+    locations."/".return = "404";
+    locations."/share/".proxyPass = "http://[fd0d:2::5:2]:4533";
+  };
+}

hosts/dandelion/packages.nix

@@ -0,0 +1,14 @@
+{ pkgs, ... }: {
+  environment.systemPackages = with pkgs; [
+    git
+    htop
+    jq
+    neovim
+    rsync
+    sshfs
+    wget
+
+    kitty.terminfo
+  ];
+  environment.variables.EDITOR = "nvim";
+}

hosts/hyacinth/default.nix

@@ -3,11 +3,10 @@
   system.stateVersion = "21.11";
   time.timeZone = "Australia/Melbourne";
 
-  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
   nixpkgs.overlays = [ inputs.neovim-nightly.overlays.default ];
   age.secrets = {
     passwd.file = ../../secrets/passwd.age;
-    wg_hyacinth.file = ../../secrets/wg_blossom.age;
+    wg_hyacinth.file = ../../secrets/wg_hyacinth.age;
     wpa_conf.file = ../../secrets/wpa_conf.age;
   };
   imports = with modules.system; [
@@ -19,6 +18,7 @@
     bluetooth
     ccache
     corectrl
+    docker
     flatpak
     greetd
     gui
@@ -29,9 +29,10 @@
     printing
     security
     snapper
-    virtualisation
+    tailscale
+    wireguard
 
-    modules.services.postgres
+    modules.services.syncthing
 
     ./filesystem.nix
     ./kernel.nix
@@ -40,11 +41,7 @@
 
     ../../users/rin
   ];
-  services.postgresql.ensureDatabases = [ "barista" "barista-dev" ];
   systemd.services.nix-daemon.environment.TMPDIR = "/nix/tmp";
 
-  # For steam fhs-env
+  me.hasBluetooth = true;
-  nixpkgs.config.permittedInsecurePackages = [
-    "openssl-1.1.1w"
-  ];
 }

hosts/hyacinth/filesystem.nix

@@ -15,7 +15,7 @@ in
     "/" = {
       device = "rootfs";
       fsType = "tmpfs";
-      options = [ "defaults" "size=8G" "mode=755" ];
+      options = [ "defaults" "size=24G" "mode=755" ];
     };
     "/boot" = mkLabelMount "CUP" "vfat";
 

hosts/hyacinth/kernel.nix

@@ -13,4 +13,8 @@
     ];
     kernelPackages = lib.mkForce (pkgs.linuxPackagesFor pkgs.me.linux-lava);
   };
+  hardware.amdgpu.overdrive = {
+    enable = true;
+    ppfeaturemask = "0xffffffff";
+  };
 }

hosts/hyacinth/networking.nix

@@ -3,12 +3,13 @@
   networking = {
     useDHCP = true;
     interfaces.enp5s0.useDHCP = false;
+    interfaces.enp5s0.wakeOnLan.enable = true;
 
     interfaces.enp5s0.ipv4.addresses = [{
-      address = "192.168.0.151";
+      address = "192.168.1.201";
       prefixLength = 24;
     }];
-    defaultGateway = "192.168.0.1";
+    defaultGateway = "192.168.1.1";
     nameservers = [ "8.8.8.8" "8.8.4.4" ];
 
     extraHosts = ''

hosts/hyacinth/packages.nix

@@ -1,7 +1,7 @@
 { pkgs, ... }: {
   environment.systemPackages = with pkgs; [
-    android-studio
+    discord
-    jetbrains.idea-community-bin
+    jetbrains.idea
     texliveFull
   ];
 }

modules/binds.nix

@@ -0,0 +1,13 @@
+{ config, lib, ...}: {
+  imports = [ ./options.nix ];
+  fileSystems = lib.mapAttrs (dest: key: let
+    target = if (lib.strings.hasPrefix "/" key)
+      then key
+      else "/persist/binds/${key}";
+  in {
+    depends = [ "/persist" ];
+    device = target;
+    fsType = "none";
+    options = [ "bind" ];
+  }) config.me.binds;
+}

modules/default.nix

@@ -14,16 +14,21 @@ let
     }) paths
   );
 in {
+  binds = ./binds.nix;
   options = ./options.nix;
   services = mkAttrsFromPaths [
+    ./services/banksia.nix
     ./services/jellyfin.nix
     ./services/nginx.nix
     ./services/postgres.nix
     ./services/sonarr.nix
     ./services/synapse.nix
+    ./services/syncthing.nix
     ./services/tmptsync.nix
+    ./services/transmission.nix
     ./services/unbound.nix
     ./services/vaultwarden.nix
+    ./services/website.nix
   ];
   system = mkAttrsFromPaths [
     ./system/aagl.nix
@@ -32,6 +37,7 @@ in {
     ./system/bluetooth.nix
     ./system/ccache.nix
     ./system/corectrl.nix
+    ./system/docker.nix
     ./system/flatpak.nix
     ./system/greetd.nix
     ./system/gui.nix
@@ -44,12 +50,13 @@ in {
     ./system/printing.nix
     ./system/security.nix
     ./system/snapper.nix
-    ./system/transmission.nix
+    ./system/tailscale.nix
     ./system/virtualisation.nix
     ./system/wireguard.nix
   ];
   user = mkAttrsFromPaths [
     ./user/catppuccin.nix
+    ./user/comma.nix
     ./user/direnv.nix
     ./user/dunst.nix
     ./user/eww.nix

modules/options.nix

@@ -39,5 +39,15 @@ in {
       type = types.bool;
       default = config.me.environment == "laptop";
     };
+
+    hidpi = mkOption {
+      type = types.bool;
+      default = false;
+    };
+
+    binds = lib.mkOption {
+      type = with lib.types; attrsOf str;
+      default = {};
+    };
   };
 }

modules/services/banksia.nix

@@ -0,0 +1,11 @@
+# TODO ^^
+{ ... }: {
+  services.nginx.virtualHosts = {
+    "banksia.lava.moe" = {
+      useACMEHost = "lava.moe";
+      forceSSL = true;
+      locations."/".return = "302 https://lab.lava.moe/cilly/Banksia";
+      locations."/api".proxyPass = "http://localhost:8080/";
+    };
+  };
+}

modules/services/nginx.nix

@@ -1,18 +1,21 @@
-{ config, inputs, ... }: {
+{ config, ... }: {
   networking.firewall.allowedTCPPorts = [ 80 443 ];
   security.acme = {
     acceptTerms = true;
-    email = "me@lava.moe";
+    defaults = {
-    certs."lava.moe" = {
+      email = "me@lava.moe";
       group = "nginx";
-      domain = "lava.moe";
+      dnsProvider = "cloudflare";
+      environmentFile = config.age.secrets."acme_dns".path;
+    };
+    certs."lava.moe" = {
       extraDomainNames = [
         "*.lava.moe"
         "*.local.lava.moe"
       ];
-      dnsProvider = "cloudflare";
-      credentialsFile = config.age.secrets."acme_dns".path;
     };
+    certs."cilly.moe" = {};
+    certs."cilly.dev" = {};
   };
 
   services.nginx = {
@@ -21,28 +24,5 @@
     recommendedOptimisation = true;
     recommendedGzipSettings = true;
     recommendedProxySettings = true;
-
-    virtualHosts = {
-      "lava.moe" = {
-        useACMEHost = "lava.moe";
-        forceSSL = true;
-        root = inputs.website.outPath;
-      };
-      "cdn.lava.moe" = {
-        useACMEHost = "lava.moe";
-        forceSSL = true;
-        root = "/persist/cdn";
-      };
-      "_" = {
-        default = true;
-        addSSL = true;
-        # TODO generate this somewhere
-        sslCertificate = "/persist/fakeCerts/fake.crt";
-        sslCertificateKey = "/persist/fakeCerts/fake.key";
-        extraConfig = ''
-          return 444;
-        '';
-      };
-    };
   };
 }

modules/services/postgres.nix

@@ -8,6 +8,7 @@ in {
   services.postgresql = {
     enable = true;
     dataDir = dir;
+    # TODO: broken :3
     package = pkgs.postgresql_13;
     authentication = lib.mkOverride 10 ''
       #type  database  DBuser  origin-address      auth-method

modules/services/syncthing.nix

@@ -0,0 +1,23 @@
+{ config, ... }:
+let
+  dir = "/persist/shared/.syncthing";
+  user = if config.me.gui then "rin" else "hana";
+  uid = toString config.users.users."${user}".uid;
+  gid = toString config.users.groups.users.gid;
+in
+{
+  systemd.tmpfiles.rules = [
+    "d ${dir}/config 700 ${uid} ${gid}"
+    "d ${dir}/data 700 ${uid} ${gid}"
+  ];
+  systemd.services.syncthing.environment.STNODEFAULTFOLDER = "true";
+  services.syncthing = {
+    enable = true;
+    openDefaultPorts = true;
+    user = user;
+    group = "users";
+    dataDir = "/persist/shared/.syncthing/data";
+    configDir = "/persist/shared/.syncthing/config";
+    guiAddress = if config.me.gui then "127.0.0.1:8384" else ":8384";
+  };
+}

modules/services/transmission.nix

@@ -5,13 +5,6 @@
     downloadDirPermissions = "775";
     openFirewall = true;
     settings = {
-      alt-speed-down = 512;
-      alt-speed-enabled = true;
-      alt-speed-time-begin = 360;
-      alt-speed-time-day = 127;
-      alt-speed-time-enabled = true;
-      alt-speed-time-end = 1380;
-      alt-speed-up = 256;
       download-dir = "/persist/transmission/Downloads";
       incomplete-dir = "/persist/transmission/.incomplete";
       ratio-limit-enabled = true;

modules/services/unbound.nix

@@ -1,8 +1,17 @@
-{ inputs, ... }:
+{ inputs, pkgs, gcSecrets, ... }:
 let
   dir = "/persist/unbound";
+
+  converted = pkgs.runCommand "stevenblack-hosts-unbound" {} ''
+    echo "server:" > "$out"
+    grep '^0\.0\.0\.0' "${inputs.stevenblack-hosts}/hosts" | awk '{print "local-zone: \""$2"\" always_refuse"}' | tail -n +2 >> "$out"
+  '';
 in {
-  networking.firewall.interfaces.wlan0 = {
+  networking.firewall.interfaces."ve-+" = {
+    allowedUDPPorts = [ 53 853 ];
+    allowedTCPPorts = [ 53 853 ];
+  };
+  networking.firewall.interfaces.wg0 = {
     allowedUDPPorts = [ 53 853 ];
     allowedTCPPorts = [ 53 853 ];
   };
@@ -16,17 +25,27 @@ in {
         name = ".";
         forward-tls-upstream = true;
         forward-addr = [
+          "2606:4700:4700::1111@853#cloudflare-dns.com"
+          "2606:4700:4700::1001@853#cloudflare-dns.com"
+          "2001:4860:4860::8888@853#dns.google"
+          "2001:4860:4860::8844@853#dns.google"
           "1.1.1.1@853#cloudflare-dns.com"
           "1.0.0.1@853#cloudflare-dns.com"
+          "8.8.8.8@853#dns.google"
+          "8.8.4.4@853#dns.google"
         ];
       }];
 
       server = {
-        interface = [ "0.0.0.0" ];
+        interface = [ "0.0.0.0" "::0" ];
         access-control = [
           "127.0.0.1/8      allow"
           "10.0.0.0/8       allow"
+          "100.64.0.0/10    allow"
           "192.168.100.0/24 allow"
+          "fd0d::/16        allow"
+          "fd7a:115c:a1e0::/48 allow"
+          "${gcSecrets.wireguard.ipv6Subnet}:/80 allow"
         ];
         domain-insecure = [ "\"local.lava.moe\"" ];
         local-zone = [ "\"warden.local.lava.moe.\" redirect" ];
@@ -35,7 +54,7 @@ in {
         ];
       };
 
-      include = "${inputs.hosts-blocklists}/unbound/unbound.blacklist.conf";
+      include = "${converted}";
     };
   };
 

modules/services/website.nix

@@ -0,0 +1,43 @@
+{ inputs, pkgs, ... }: let
+  pastel = inputs.pastel.packages.${pkgs.system}.default;
+in {
+  services.nginx.virtualHosts = {
+    "cilly.moe" = {
+      useACMEHost = "cilly.moe";
+      forceSSL = true;
+      root = pastel.outPath;
+    };
+    "cilly.dev" = {
+      useACMEHost = "cilly.dev";
+      forceSSL = true;
+      root = pastel.outPath;
+    };
+    "lava.moe" = {
+      useACMEHost = "lava.moe";
+      forceSSL = true;
+      root = inputs.website.outPath;
+    };
+    "cdn.lava.moe" = {
+      useACMEHost = "lava.moe";
+      forceSSL = true;
+      extraConfig = ''
+        return 301 https://sh.lava.moe$request_uri;
+      '';
+    };
+    "sh.lava.moe" = {
+      useACMEHost = "lava.moe";
+      forceSSL = true;
+      root = "/persist/cdn";
+    };
+    "_" = {
+      default = true;
+      addSSL = true;
+      # TODO generate this somewhere
+      sslCertificate = "/persist/fakeCerts/fake.crt";
+      sslCertificateKey = "/persist/fakeCerts/fake.key";
+      extraConfig = ''
+        return 444;
+      '';
+    };
+  };
+}

modules/system/base.nix

@@ -1,5 +1,5 @@
 { config, inputs, modules, ... }: {
-  imports = [ modules.options ];
+  imports = [ modules.binds modules.options ];
 
   environment.etc = {
     "machine-id".source = "/persist/machine-id";
@@ -11,6 +11,8 @@
   environment.pathsToLink = [ "/share/zsh" ];
 
   i18n.defaultLocale = "en_AU.UTF-8";
+  i18n.extraLocales = [ "en_GB.UTF-8/UTF-8" ];
+
   users.mutableUsers = false;
 
   system = {
@@ -21,6 +23,5 @@
     };
   };
   nix.registry.config.flake = inputs.self;
-  nix.registry.nixpkgs.flake = inputs.nixpkgs;
   nix.registry.shells.flake = inputs.self;
 }

modules/system/corectrl.nix

@@ -1,9 +1,5 @@
 { ... }: {
   programs.corectrl = {
     enable = true;
-    gpuOverclock = {
-      enable = true;
-      ppfeaturemask = "0xffffffff";
-    };
   };
 }

modules/system/docker.nix

@@ -0,0 +1,13 @@
+{ pkgs, ... }: {
+  virtualisation.docker = {
+    enable = true;
+    storageDriver = "btrfs";
+    # rootless = {
+    #   enable = true;
+    #   setSocketVariable = true;
+    # };
+  };
+  environment.systemPackages = [
+    pkgs.docker-compose
+  ];
+}

modules/system/greetd.nix

@@ -3,7 +3,7 @@
     enable = true;
     settings = {
       default_session = {
-        command = "${pkgs.greetd.tuigreet}/bin/tuigreet --remember --asterisks --time --cmd 'zsh -c \"source $HOME/.config/zsh/.zshrc && Hyprland > $XDG_RUNTIME_DIR/Hyprland.out\"'";
+        command = "${pkgs.tuigreet}/bin/tuigreet --remember --asterisks --time --cmd 'zsh -c \"source $HOME/.config/zsh/.zshrc && Hyprland > $XDG_RUNTIME_DIR/Hyprland.out\"'";
         user = "greeter";
       };
 

modules/system/gui.nix

@@ -15,7 +15,6 @@
       hanazono
       noto-fonts
       noto-fonts-cjk-sans
-      noto-fonts-extra
       open-sans
       twemoji-color-font
       unifont

modules/system/input.nix

@@ -6,7 +6,19 @@
         "-arinterval 15"
       ];
     };
-    xkb.options = "caps:escape";
   };
-  console.useXkbConfig = true;
+  services.keyd = {
+    enable = true;
+    keyboards = {
+      default = {
+        ids = [ "*" ];
+        settings = {
+          main = {
+            capslock = "esc";
+            esc = "capslock";
+          };
+        };
+      };
+    };
+  };
 }

modules/system/nix-stable.nix

@@ -1,5 +1,7 @@
 { config, lib, pkgs, ... }: {
   nix = {
+    package = pkgs.nixVersions.latest;
+
     settings = rec {
       substituters = [
         "https://cache.nixos.org?priority=10"
@@ -17,4 +19,5 @@
     '';
   };
   nixpkgs.config.allowUnfree = true;
+  programs.nh.enable = true;
 }

modules/system/nix.nix

@@ -1,6 +1,7 @@
-{ config, lib, pkgs, ... }: {
+{ config, inputs, pkgs, ... }: {
   nix = {
-    package = pkgs.nixVersions.git;
+    nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
+    package = pkgs.nixVersions.latest;
 
     settings = rec {
       extra-sandbox-paths = [ config.programs.ccache.cacheDir ];
@@ -23,4 +24,5 @@
     '';
   };
   nixpkgs.config.allowUnfree = true;
+  programs.nh.enable = true;
 }

modules/system/packages-gui.nix

@@ -1,16 +1,15 @@
 { config, lib, pkgs, ... }: {
   config = lib.mkIf config.me.gui {
     environment.systemPackages = with pkgs; [
+      android-tools
       gparted
       nautilus
     ];
-    programs.adb.enable = true;
     hardware.graphics.extraPackages = with pkgs; [
-      vaapiIntel
+      intel-vaapi-driver
-      vaapiVdpau
+      libva-vdpau-driver
       libvdpau-va-gl
     ];
-    programs.light.enable = true;
     hardware.opentabletdriver.enable = true;
     hardware.keyboard.qmk.enable = true;
     programs.steam = {

modules/system/packages.nix

@@ -1,12 +1,14 @@
 { pkgs, ... }: {
   imports = [ ./packages-gui.nix ];
   environment.systemPackages = with pkgs; [
-    comma
+    # ecryptfs
-    ecryptfs
     efibootmgr
+    fd
     git
+    git-crypt
     htop
     jq
+    kitty.terminfo
     libarchive
     lf
     msr-tools
@@ -14,8 +16,9 @@
     neovim
     nfs-utils
     ntfs3g
-    sshfs
+    ripgrep
     rsync
+    sshfs
     wget
   ];
   environment.variables.EDITOR = "nvim";

modules/system/security.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, ... }: {
+{ config, lib, pkgs, ... }: {
   networking.firewall =
   let
     iptables = "${pkgs.iptables}/bin/iptables";
@@ -53,5 +53,33 @@
         }
       ];
     };
+    pam = lib.mkIf (config.me.environment != "headless") {
+      u2f = {
+        enable = true;
+        settings = {
+          cue = true;
+          pinverification = 1;
+        };
+      };
+      services.doas.rules.auth = {
+        u2f.settings.pinverification = lib.mkForce 0;
+        u2f_int = lib.mkMerge [
+          {
+            enable = true;
+            order = config.security.pam.services.doas.rules.auth.u2f.order + 1;
+            control = "sufficient";
+            modulePath = "${pkgs.pam_u2f}/lib/security/pam_u2f.so";
+            inherit (config.security.pam.u2f) settings;
+          }
+          {
+            settings = lib.mkForce {
+              interactive = true;
+              pinverification = 0;
+              userpresence = 0;
+            };
+          }
+        ];
+      };
+    };
   };
 }

modules/system/tailscale.nix

@@ -0,0 +1,13 @@
+{ config, lib, ... }: {
+  age.secrets.tailscale_auth.file = ../../secrets/tailscale_auth.age;
+  me.binds."/var/lib/tailscale" = "tailscale";
+  networking.firewall.trustedInterfaces = [ "tailscale0" ];
+  networking.firewall.allowedUDPPorts = lib.mkIf (config.me.environment == "headless") [ 123 ];
+
+  services.tailscale = {
+    enable = true;
+    authKeyFile = config.age.secrets.tailscale_auth.path;
+    openFirewall = true;
+    useRoutingFeatures = if config.me.environment == "headless" then "both" else "client";
+  };
+}

modules/system/wireguard.nix

@@ -1,13 +1,11 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, gcSecrets, ... }:
 let
-  port = 51820;
+  port = 51801;
-  serverName = "sugarcane";
+  serverName = "dandelion";
-  serverInterface = "ens3";
+  serverInterface = "enp0s6";
-  serverIp = "51.79.240.130";
+  serverIp = gcSecrets.wireguard.gateway;
 
   forwarding = {
-    "80" = [ "10.100.0.2" "80" ];
-    "443" = [ "10.100.0.2" "443" ];
     "22727" = [ "10.100.0.3" "7777" ];
   };
 
@@ -20,52 +18,61 @@ let
       in ''
         ${pkgs.iptables}/bin/iptables -${type} PREROUTING -t nat -i ${serverInterface} -p tcp --dport ${sport} -j DNAT --to ${dest}:${dport}
         ${pkgs.iptables}/bin/iptables -${type} FORWARD -p tcp -d ${dest} --dport ${dport} -j ACCEPT
+        ${pkgs.iptables}/bin/iptables -${type} PREROUTING -t nat -i ${serverInterface} -p udp --dport ${sport} -j DNAT --to ${dest}:${dport}
+        ${pkgs.iptables}/bin/iptables -${type} FORWARD -p udp -d ${dest} --dport ${dport} -j ACCEPT
       '') forwarding
     );
 
-  routeBypass = {
-    caramel = {
-      gateway = "192.168.100.1";
-      interface = "wlan0";
-      routes = [
-        serverIp
-      ];
-    };
-    hyacinth = {
-      gateway = "192.168.100.1";
-      interface = "enp5s0";
-      routes = [
-        serverIp
-      ];
-    };
-  };
-
   clients = {
-    caramel = {
-      publicKey = "VDqcpS0lJzFgwikj61MJ1xc9P8Cuq0NXa+Hc+etn2iA=";
-      allowedIPs = [ "10.100.0.2/32" ];
-    };
     hyacinth = {
       publicKey = "6nVhazYdmC15A/nke9VrqIg3sOBVOmqj4GEsyBq7MVo=";
-      allowedIPs = [ "10.100.0.3/32" ];
+      allowedIPs = [ "10.100.0.3/32" "${gcSecrets.wireguard.ipv6Subnet}:3" "fd0d::3" ];
+      interfaces = {
+        wg0 = { peers = [ server6OnlyPeer ]; };
+        wg1 = { peers = [ serverPeer ]; autostart = false; };
+        wg2 = { peers = [ serverLocalOnlyPeer ]; autostart = false; };
+      };
     };
-    strawberry = {
+    anemone = {
-      publicKey = "Fkcp/VSN4Dkhly8V4hskF4lnDviA7VZHCnWf7OliFCg=";
+      publicKey = "px5+JNdAmqBvUC++DhiJrUBRAr+BYP6iYVt4sbhPTWY=";
-      allowedIPs = [ "10.100.0.4/32" ];
+      allowedIPs = [ "10.100.0.4/32" "${gcSecrets.wireguard.ipv6Subnet}:4" "fd0d::4" ];
+      interfaces = {
+        wg0 = { peers = [ server6OnlyPeer ]; };
+        wg1 = { peers = [ serverPeer ]; autostart = false; };
+        wg2 = { peers = [ serverLocalOnlyPeer ]; autostart = false; };
+      };
     };
-    maple = {
+    hibiscus = {
-      publicKey = "kPw8hpANygfz83Oi/l+iCVYalV2zfs7fhkccjoGG2Do=";
+      publicKey = "vQ5a2KMrwi7RCRsD0yvog+n35vQYFuvwiPn+W4lbRBw=";
-      allowedIPs = [ "10.100.0.5/32" ];
+      allowedIPs = [ "10.100.0.5/32" "${gcSecrets.wireguard.ipv6Subnet}:5" "fd0d::5" ];
+      interfaces = {
+        wg0 = { peers = [ server6OnlyPeer ]; };
+        wg1 = { peers = [ serverPeer ]; autostart = false; };
+        wg2 = { peers = [ serverLocalOnlyPeer ]; autostart = false; };
+      };
+    };
+    hazel = {
+      publicKey = "0zruTndObzHo+b1rbOuTsxCU97epygZycxXS/lgUHUc=";
+      allowedIPs = [ "10.100.0.21/32" "${gcSecrets.wireguard.ipv6Subnet}:21" "fd0d::21" ];
+      interfaces = {
+        wg0 = {
+          dns = [ "::1" "127.0.0.1" ];
+          peers = [ serverLocalOnlyPeer ];
+        };
+      };
     };
   };
 
-  clientPeers = builtins.attrValues clients;
+  clientPeers = builtins.map (client: builtins.removeAttrs client [ "interfaces" ]) (builtins.attrValues clients);
-  serverPeer = {
+  serverPeerWith = ips: {
     publicKey = "3ugIk2tQZXjAH9/95s63ld2WNUHQrd4Mz5jzbln6oj0=";
-    allowedIPs = [ "0.0.0.0/0" ];
+    allowedIPs = ips;
     endpoint = "${serverIp}:${toString port}";
     persistentKeepalive = 25;
   };
+  serverPeer = serverPeerWith [ "0.0.0.0/0" "::/0" ];
+  server6OnlyPeer = serverPeerWith [ "10.100.0.0/24" "::/0" ];
+  serverLocalOnlyPeer = serverPeerWith [ "10.100.0.0/24" "fd0d::/16" ];
 
   serverConfig = {
     nat = {
@@ -79,7 +86,7 @@ let
     };
 
     wireguard.interfaces.wg0 = {
-      ips = [ "10.100.0.1/24" ];
+      ips = [ "10.100.0.1/24" "${gcSecrets.wireguard.ipv6Subnet}:1" "fd0d::1" ];
       listenPort = port;
 
       postSetup = ''
@@ -97,33 +104,24 @@ let
   };
 
   clientConfig = {
-    wireguard.interfaces.wg0 =
+    wg-quick.interfaces =
     let
       client = clients."${config.networking.hostName}";
-      routes = routeBypass."${config.networking.hostName}";
+    in
-      mapRoutes = type: lib.concatMapStringsSep "\n" (r: "${pkgs.iproute2}/bin/ip route ${type} ${r} via ${routes.gateway} dev ${routes.interface}") routes.routes;
+      builtins.mapAttrs (interface: conf: {
-    in {
+        address = client.allowedIPs;
-      ips = client.allowedIPs;
+        dns = [ "fd0d::1" "10.100.0.1" ];
-      listenPort = port;
+        privateKeyFile = config.age.secrets."wg_${config.networking.hostName}".path;
-
+      } // conf) client.interfaces;
-      postSetup = ''
-        ${mapRoutes "add"}
-        ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ${serverInterface} -j MASQUERADE
-      '';
-
-      postShutdown = ''
-        ${mapRoutes "del"}
-        ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ${serverInterface} -j MASQUERADE
-      '';
-
-      privateKeyFile = config.age.secrets."wg_${config.networking.hostName}".path;
-      peers = [ serverPeer ];
-    };
   };
 in {
+  boot.kernel.sysctl = lib.mkIf (config.networking.hostName == serverName) ({
+    "net.ipv6.conf.all.forwarding" = true;
+    "net.ipv6.conf.default.forwarding" = true;
+  });
   networking =
     lib.mkMerge [
       (lib.mkIf (config.networking.hostName == serverName) serverConfig)
-      (lib.mkIf (builtins.hasAttr config.networking.hostName clients) clientConfig)
+      (lib.mkIf (config.networking.hostName != serverName) clientConfig)
     ];
 }

modules/user/catppuccin.nix

@@ -14,7 +14,7 @@
 
   config = {
     catppuccin = {
-      accent = "maroon";
+      accent = lib.mkDefault "pink";
       flavor = lib.mkDefault "mocha";
       kitty.enable = true;
       gtk.enable = true;
@@ -53,7 +53,7 @@
         echo "invalid theme, valid values: [dark, light, restore]"
         exit 1
       fi
-      current="$HOME/.local/state/nix/profiles/home-manager"
+      current="$HOME/.local/state/home-manager/gcroots/current-home/"
       cached="$HOME/.local/state/last-parent-specialisation"
       if [ -d "$current/specialisation" ]; then
         if [ -d "$cached" ]; then

modules/user/comma.nix

@@ -0,0 +1,7 @@
+{ inputs, ... }: {
+  imports = [
+    inputs.nix-index-database.homeModules.default
+  ];
+  programs.nix-index.enable = true;
+  programs.nix-index-database.comma.enable = true;
+}

modules/user/direnv.nix

@@ -5,7 +5,7 @@
       enable = true;
     };
   };
-  programs.git.extraConfig.core.excludesFile = ".envrc";
+  programs.git.settings.core.excludesFile = ".envrc";
   # We can't use .source since hm manages this file too
   xdg.configFile."direnv/direnvrc".text = builtins.readFile ../../res/direnvrc;
   home.activation = {

modules/user/eww.nix

@@ -21,9 +21,9 @@ let
     '';
   };
 in {
-  home.packages = with pkgs; [ socat ];
+  home.packages = with pkgs; [ iw socat ];
   programs.eww = {
     enable = true;
-    configDir = res;
   };
+  xdg.configFile."eww".source = res;
 }

modules/user/git.nix

@@ -1,15 +1,16 @@
 { ... }: {
   programs.git = {
     enable = true;
-    userName = "LavaDesu";
-    userEmail = "me@lava.moe";
     signing = {
       key = "059F098EBF0E9A13E10A46BF6500251E087653C9";
       signByDefault = true;
     };
-    extraConfig = {
+    settings = {
+      user.name = "Cilly Leang";
+      user.email = "mini@cilly.moe";
       core.abbrev = 11;
       safe.directory = "/home/rin/Projects/flakes";
+      init.defaultBranch = "master";
     };
   };
 }

modules/user/gpg.nix

@@ -5,6 +5,6 @@
   };
   services.gpg-agent = {
     enable = true;
-    pinentryPackage = pkgs.pinentry-gnome3;
+    pinentry.package = pkgs.pinentry-gnome3;
   };
 }

modules/user/hypridle.nix

@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
 let
-  kblight = "light -s sysfs/leds/${config.me.kbBacklightDevice}";
+  kblight = "brightnessctl -d ${config.me.kbBacklightDevice}";
 in
 {
   home.packages = [ config.services.hypridle.package ];
@@ -16,18 +16,18 @@ in
       listener = lib.optionals (config.me.kbBacklightDevice != null) [
         {
           timeout = 120;
-          on-timeout = "${kblight} -O && ${kblight} -S 0";
+          on-timeout = "${kblight} -s && ${kblight} 0";
-          on-resume = "${kblight} -I";
+          on-resume = "${kblight} -r";
         }
       ] ++ [
         {
           timeout = 150;
-          on-timeout = "light -O && light -T 0.5";
+          on-timeout = "brightnessctl -s && brightnessctl 50%-";
-          on-resume = "light -I";
+          on-resume = "brightnessctl -r";
         }
         {
           timeout = 180;
-          on-timeout = "light -I && loginctl lock-session";
+          on-timeout = "brightnessctl -r && loginctl lock-session";
         }
         {
           timeout = 195;

modules/user/hyprlock.nix

@@ -1,4 +1,17 @@
-{ config, lib, ... }: {
+{ config, lib, ... }:
+let
+  scaling = if config.me.hidpi then 1 else 0.5;
+  s = value: if builtins.isInt value || builtins.isFloat value
+  then
+    builtins.floor (value * scaling)
+  else if builtins.isList value
+  then
+    lib.strings.concatMapStringsSep "," (v: builtins.toString (scaling * v)) value
+  else
+    builtins.throw "invalid scaled value type ${builtins.typeOf value} for ${value}";
+  sn = value: s (builtins.map (v: (-v)) value);
+in
+{
   programs.hyprlock = {
     enable = true;
     settings = {
@@ -16,26 +29,27 @@
         monitor = "";
         color = "$base";
       };
-      shape = [
+      shape = lib.optionals (config.me.batteryDevice != null) [
         # Battery pill
         {
           monitor = "";
-          size = "165, 65";
+          size = s [165 65];
           color = "$crust";
           rounding = -1;
           halign = "right";
           valign = "top";
-          position = "-595,-10";
+          position = sn [595 10];
         }
+      ] ++ [
         # Time pill
         {
           monitor = "";
-          size = "545, 65";
+          size = s [545 65];
           color = "$crust";
           rounding = -1;
           halign = "right";
           valign = "top";
-          position = "-40,-10";
+          position = sn [40 10];
         }
       ];
       label = lib.optionals config.me.hasFingerprint [
@@ -44,10 +58,10 @@
             monitor = "";
             color = "$text";
             font_family = "Material Symbols Outlined";
-            font_size = 64;
+            font_size = s 64;
             halign = "center";
             valign = "top";
-            position = "0, -100";
+            position = sn [0 100];
             text = "";
         }
         # Fingerprint text
@@ -55,9 +69,9 @@
           monitor = "";
           color = "$text";
           text = "$FPRINTPROMPT";
-          font_size = 25;
+          font_size = s 25;
           font_family = "Open Sans";
-          position = "0, -235";
+          position = sn [0 235];
           halign = "center";
           valign = "top";
         }
@@ -68,8 +82,8 @@
           text = "";
           color = "$accent";
           font_family = "Material Symbols Outlined";
-          font_size = 27;
+          font_size = s 27;
-          position = "-695, -20";
+          position = sn [695 20];
           halign = "right";
           valign = "top";
         }
@@ -78,9 +92,9 @@
           monitor = "";
           text = ''cmd[update:60000] echo "<span weight='700'>$(cat /sys/class/power_supply/${config.me.batteryDevice}/capacity)%</span>"'';
           color = "$text";
-          font_size = 23;
+          font_size = s 23;
           font_family = "Open Sans";
-          position = "-625, -20";
+          position = sn [625 20];
           halign = "right";
           valign = "top";
         }
@@ -90,10 +104,10 @@
           monitor = "";
           color = "$text";
           font_family = "Open Sans";
-          font_size = 23;
+          font_size = s 23;
           halign = "right";
           valign = "top";
-          position = "-70, -20";
+          position = sn [70 20];
           text = ''cmd[update:1000] echo "<span alpha='70%' weight='550'>$(date '+%A, %d %B %Y')</span>  <span weight='700'>$(date +%H:%M)</span><span alpha='70%' weight='550'>$(date +:%S)</span>"'';
         }
 
@@ -102,17 +116,17 @@
           monitor = "";
           color = "$red";
           font_family = "Open Sans";
-          font_size = 25;
+          font_size = s 25;
           text = "$FAIL $ATTEMPTS[]";
-          position = "0, -200";
+          position = sn [0 200];
           halign = "center";
           valign = "center";
         }
       ];
       input-field = {
         monitor = "";
-        size = "600, 120";
+        size = s [600 120];
-        outline_thickness = 4;
+        outline_thickness = s 4;
         check_color = "$peach";
         dots_size = 0.2;
         dots_spacing = 0.2;
@@ -125,7 +139,7 @@
         fade_on_empty = false;
         hide_input = false;
         capslock_color = "$yellow";
-        position = "0, -47";
+        position = sn [0 47];
         halign = "center";
         valign = "center";
       };

modules/user/mpv.nix

@@ -1,8 +1,7 @@
-{ config, pkgs, ... }: {
+{ pkgs, ... }: {
   programs.mpv = {
     enable = true;
-    package = pkgs.mpv-unwrapped.wrapper {
+    package = pkgs.mpv.override {
-      mpv = pkgs.mpv-unwrapped;
       youtubeSupport = true;
       scripts = [ pkgs.mpvScripts.mpris ];
     };

modules/user/neovim-minimal.nix

@@ -9,11 +9,12 @@
     vimAlias = true;
     vimdiffAlias = true;
     withNodeJs = false;
+    withPython3 = false;
+    withRuby = false;
 
     plugins = with pkgs.vimPlugins; [
-      ctrlp-vim
+      fzf-vim
       lualine-nvim
-      nerdtree
       tokyonight-nvim
       vim-fugitive
       vim-nix
@@ -21,14 +22,7 @@
       vim-signify
       vim-surround
 
-      nvim-cmp
-      nvim-lspconfig
-      cmp-nvim-lsp
-      cmp_luasnip
-      luasnip
-
       (nvim-treesitter.withPlugins (p: with p; [
-        tree-sitter-comment
         tree-sitter-json
         tree-sitter-lua
         tree-sitter-nix

modules/user/neovim.nix

@@ -1,9 +1,9 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, sysConfig, ... }:
 let
   luaconf = pkgs.writeText "config.lua"
     (lib.replaceStrings
-      ["{{OMNISHARP_PATH}}" "{{DART_PATH}}" "{{CATPPUCCIN_FLAVOUR}}"]
+      ["{{OMNISHARP_PATH}}" "{{DART_PATH}}" "{{CATPPUCCIN_FLAVOUR}}" "{{USERNAME}}" "{{HOSTNAME}}"]
-      ["${pkgs.omnisharp-roslyn}/bin/OmniSharp" "${pkgs.dart}/bin/dart" config.catppuccin.nvim.flavor]
+      ["${pkgs.omnisharp-roslyn}/bin/OmniSharp" "${pkgs.dart}/bin/dart" config.catppuccin.nvim.flavor config.home.username sysConfig.networking.hostName]
       (builtins.readFile ../../res/config.lua));
 in {
   systemd.user.tmpfiles.rules = [
@@ -17,25 +17,35 @@ in {
     vimdiffAlias = true;
     #package = pkgs.neovim-nightly;
     withNodeJs = true;
+    withPython3 = true;
+    withRuby = false;
 
     extraPackages = with pkgs; [
+      nixd
       rust-analyzer
-      nodePackages."@prisma/language-server"
+      texlab
-      nodePackages.diagnostic-languageserver
+      astro-language-server
-      nodePackages.eslint_d
+      tailwindcss-language-server
-      nodePackages.typescript-language-server
+      diagnostic-languageserver
-      nodePackages.vscode-langservers-extracted
+      eslint_d
-      nodePackages.yaml-language-server
+      typescript-language-server
+      vscode-langservers-extracted
+      yaml-language-server
     ];
 
     plugins = with pkgs.vimPlugins; [
+      autoclose-nvim
+      auto-save-nvim
       flutter-tools-nvim
       fzf-vim
       fzf-lsp-nvim
       lualine-nvim
+      nvim-ts-autotag
+      nvim-web-devicons
       plenary-nvim
       tokyonight-nvim
       vim-fugitive
+      vim-latex-live-preview
       vim-nix
       vim-repeat
       vim-signify
@@ -45,6 +55,7 @@ in {
 
       nvim-cmp
       nvim-dap
+      nvim-highlight-colors
       nvim-lspconfig
       cmp-nvim-lsp
       cmp_luasnip
@@ -52,27 +63,33 @@ in {
 
       #(pkgs.me.nvim-treesitter-nightly.withPlugins (p: with p; [
       (nvim-treesitter.withPlugins (p: with p; [
+        tree-sitter-astro
         tree-sitter-bash
         tree-sitter-c
         tree-sitter-c-sharp
         tree-sitter-cpp
+        tree-sitter-groovy
         tree-sitter-html
+        tree-sitter-java
         tree-sitter-javascript
         tree-sitter-json
+        tree-sitter-kotlin
+        tree-sitter-latex
         tree-sitter-lua
         tree-sitter-markdown
         tree-sitter-nix
         tree-sitter-php
-        tree-sitter-prisma
         tree-sitter-python
         tree-sitter-query
         tree-sitter-regex
         tree-sitter-rust
+        tree-sitter-swift
         tree-sitter-toml
         tree-sitter-tsx
         tree-sitter-typescript
         tree-sitter-vim
         tree-sitter-vimdoc
+        tree-sitter-xml
         tree-sitter-yaml
       ]))
     ];

modules/user/rofi.nix

@@ -16,7 +16,6 @@ let
 in {
   programs.rofi = {
     enable = true;
-    package = pkgs.rofi-wayland;
     theme = "theme";
   };
   xdg.configFile."rofi/theme.rasi".source = theme;

modules/user/spicetify.nix

@@ -40,7 +40,6 @@ in
       shuffle
       hidePodcasts
 
-      skipStats
       songStats
       history
       volumePercentage

modules/user/zsh.nix

@@ -38,7 +38,8 @@ let
     jf = "doas journalctl -f";
 
     fl = "cd ~/Projects/flakes";
-    nr = "doas nixos-rebuild switch --flake .#${sysConfig.networking.hostName} -v -L";
+    nr = "nh os switch";
+    nb = "nh os boot";
 
     gs = "git status";
     ga = "git add";
@@ -101,10 +102,9 @@ let
     bindkey -a -r ':'
   '';
 in {
-  programs.command-not-found.enable = true;
   programs.zsh = {
     enable = true;
-    dotDir = ".config/zsh";
+    dotDir = "${config.xdg.configHome}/zsh";
 
     autocd = true;
     defaultKeymap = "viins";
@@ -117,14 +117,6 @@ in {
     };
 
     enableCompletion = true;
-    initExtraBeforeCompInit = ''
-      fpath+=(/run/current-system/sw/share/zsh/site-functions)
-      zstyle ':completion:*' completer _complete
-      zstyle ':completion:*' matcher-list "" 'm:{[:lower:][:upper:]-_}={[:upper:][:lower:]_-}' '+l:|=* r:|=*'
-      zstyle ':completion:*' menu select
-      _comp_options+=(globdots)
-      zmodload zsh/complist
-    '';
 
     localVariables = {
       KEYTIMEOUT = "1";
@@ -138,16 +130,26 @@ in {
       ls = "ls --color=auto --group-directories-first -v";
       diff = "diff -Naur --color=auto";
     };
-    initExtraFirst = ''
+    initContent = lib.mkMerge [
-      autoload -U colors && colors
+      (lib.mkBefore ''
-    '';
+        autoload -U colors && colors
-    initExtra = lib.concatStringsSep "\n" [
+      '')
-      pure
+      (lib.mkOrder 550 ''
-      cursorShape
+        fpath+=(/run/current-system/sw/share/zsh/site-functions)
-      direnv
+        zstyle ':completion:*' completer _complete
-      genAbbrs
+        zstyle ':completion:*' matcher-list "" 'm:{[:lower:][:upper:]-_}={[:upper:][:lower:]_-}' '+l:|=* r:|=*'
-      viExtraNav
+        zstyle ':completion:*' menu select
-      disableExecute
+        _comp_options+=(globdots)
+        zmodload zsh/complist
+      '')
+      (lib.concatStringsSep "\n" [
+        pure
+        cursorShape
+        direnv
+        genAbbrs
+        viExtraNav
+        disableExecute
+      ])
     ];
 
     plugins = builtins.map (e: pluginFromInput e) [

overlays/android-studio.nix

@@ -1,27 +0,0 @@
-self: { bash, buildFHSEnv, cacert, ncurses5, runCommand, ... } @ super:
-let
-  drvName = super.android-studio.name;
-  fhsEnv = buildFHSEnv {
-    name = "${drvName}-fhs-env";
-    # google's analytics calls jdk's getOperatingSystemMXBean which tries to parse cgroups and ultimately fails for whatever reason with an npe
-    unshareCgroup = false;
-    multiPkgs = pkgs: [
-      ncurses5
-
-      (runCommand "fedoracert" {}
-        ''
-        mkdir -p $out/etc/pki/tls/
-        ln -s ${cacert}/etc/ssl/certs $out/etc/pki/tls/certs
-        '')
-    ];
-  };
-
-  startScript = ''
-    #!${bash}/bin/bash
-    ${fhsEnv}/bin/${drvName}-fhs-env ${super.android-studio.passthru.unwrapped}/bin/studio.sh "$@"
-  '';
-in {
-  android-studio = super.android-studio.overrideAttrs(_: {
-    inherit startScript;
-  });
-}

overlays/bitwarden-desktop.nix

@@ -0,0 +1,19 @@
+# https://github.com/NixOS/nixpkgs/pull/374068
+self: super: {
+  bitwarden-desktop = super.bitwarden-desktop.overrideAttrs (o: {
+    preBuild = o.preBuild + ''
+      pushd apps/desktop/desktop_native/proxy
+      cargo build --offline --bin desktop_proxy --release
+      popd
+    '';
+    installPhase = builtins.replaceStrings ["runHook preInstall"] [''
+      runHook preInstall
+
+      install -Dm755 -t $out/bin apps/desktop/desktop_native/target/release/desktop_proxy
+
+      mkdir -p $out/lib/mozilla/native-messaging-hosts
+      substituteAll ${./patches/firefox-native-messaging-host.json} $out/lib/mozilla/native-messaging-hosts/com.8bit.bitwarden.json
+
+    ''] o.installPhase;
+  });
+}

overlays/default.nix

@@ -1,10 +1,12 @@
 builtins.map (path: import path) [
-  ./android-studio.nix
+  ./bitwarden-desktop.nix
   ./cascadia-code.nix
   ./ccache.nix
   ./eww.nix
+  ./jetbrains.nix
   ./material-icons.nix
-  ./rofi.nix
+  ./openldap.nix
   ./steam.nix
   ./utillinux.nix
+  ./wpa-supplicant.nix
 ]

overlays/jetbrains.nix

@@ -0,0 +1,22 @@
+# https://github.com/NixOS/nixpkgs/issues/375254
+self: super: {
+  jetbrains = super.jetbrains // {
+    gateway = let
+      unwrapped = super.jetbrains.gateway;
+    in super.buildFHSEnv {
+      name = "gateway";
+      inherit (unwrapped) version;
+
+      runScript = super.writeScript "gateway-wrapper" ''
+        unset JETBRAINS_CLIENT_JDK
+        exec ${unwrapped}/bin/gateway "$@"
+      '';
+
+      meta = unwrapped.meta;
+
+      passthru = {
+        inherit unwrapped;
+      };
+    };
+  };
+}

overlays/linux-lava.nix

@@ -1,12 +1,16 @@
 self: super: let
   llvmPackages = super.llvmPackages_19;
   clangVersion = super.lib.versions.major llvmPackages.libclang.version;
+  addFlagsScript = "$out/nix-support/add-local-cc-cflags-before.sh";
   cc = llvmPackages.stdenv.cc.override {
     # :sob: see https://github.com/NixOS/nixpkgs/issues/142901
     bintools = llvmPackages.bintools;
+
+    # https://github.com/NixOS/nixpkgs/issues/368850
     extraBuildCommands = ''
+      cat <(echo "NIX_CC_WRAPPER_SUPPRESS_TARGET_WARNING=1") "${addFlagsScript}" > "${addFlagsScript}.new"
+      mv "${addFlagsScript}.new" "${addFlagsScript}"
       substituteInPlace "$out/nix-support/cc-cflags" --replace " -nostdlibinc" ""
-      substituteInPlace "$out/nix-support/add-local-cc-cflags-before.sh" --replace 'echo "Warning: supplying the --target argument to a nix-wrapped compiler may not work correctly - cc-wrapper is currently not designed with multi-target compilers in mind. You may want to use an un-wrapped compiler instead." >&2' ""
       echo " -resource-dir=${llvmPackages.libclang.lib}/lib/clang/${clangVersion}" >> $out/nix-support/cc-cflags
     '';
   };

overlays/openldap.nix

@@ -0,0 +1,9 @@
+self: super: {
+  # openldap i686 fails checks
+  # issue: https://github.com/NixOS/nixpkgs/issues/514113
+  # workaround: https://github.com/NixOS/nixpkgs/issues/513245#issuecomment-4320293674
+  # fix: https://github.com/NixOS/nixpkgs/pull/515956
+  openldap = super.openldap.overrideAttrs {
+    doCheck = !self.stdenv.hostPlatform.isi686;
+  };
+}

overlays/patches/firefox-native-messaging-host.json

@@ -0,0 +1,7 @@
+{
+  "name": "com.8bit.bitwarden",
+  "description": "Bitwarden desktop <-> browser bridge",
+  "path": "@out@/bin/desktop_proxy",
+  "type": "stdio",
+  "allowed_extensions": ["{446900e4-71c2-419f-a6a7-df9c091e268b}"]
+}

overlays/patches/wpa-supplicant.patch

@@ -0,0 +1,13 @@
+diff --git a/wpa_supplicant/systemd/wpa_supplicant.service.in b/wpa_supplicant/systemd/wpa_supplicant.service.in
+index 58a6228..fbe7de3 100644
+--- a/wpa_supplicant/systemd/wpa_supplicant.service.in
++++ b/wpa_supplicant/systemd/wpa_supplicant.service.in
+@@ -7,7 +7,7 @@ Wants=network.target
+ [Service]
+ Type=dbus
+ BusName=fi.w1.wpa_supplicant1
+-ExecStart=@BINDIR@/wpa_supplicant -u
++ExecStart=@BINDIR@/wpa_supplicant -u -q
+ 
+ [Install]
+ WantedBy=multi-user.target

overlays/rofi.nix

@@ -1,13 +0,0 @@
-self: super: {
-  rofi-unwrapped = super.rofi-unwrapped.overrideAttrs (_: rec {
-    version = "1.7.2";
-
-    src = super.fetchFromGitHub {
-      owner = "davatorium";
-      repo = "rofi";
-      rev = version;
-      fetchSubmodules = true;
-      sha256 = "0yarkzhn7vxqxafmz196kvklzwdxygbhd0d29gxm7lrfba8brdxy";
-    };
-  });
-}

overlays/steam.nix

@@ -5,9 +5,5 @@ self: super: {
       keyutils
       gamescope
     ];
-
-    extraLibraries = pkgs: with pkgs; [
-      openssl_1_1
-    ];
   };
 }

overlays/wpa-supplicant.nix

@@ -0,0 +1,6 @@
+self: super: {
+  # Thanks https://discourse.nixos.org/t/journal-logs-spammed-with-ctrl-event-scan-failed/56316/5
+  wpa_supplicant = super.wpa_supplicant.overrideAttrs(o: {
+    patches = o.patches ++ [ ./patches/wpa-supplicant.patch ];
+  });
+}

packages/linux-lava/bluetooth.patch

@@ -0,0 +1,13 @@
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index ef9689f8776..aabbc031b5f 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -759,6 +759,8 @@ static const struct usb_device_id quirks_table[] = {
+ 						     BTUSB_WIDEBAND_SPEECH },
+ 	{ USB_DEVICE(0x2b89, 0x8761), .driver_info = BTUSB_REALTEK |
+ 						     BTUSB_WIDEBAND_SPEECH },
++	{ USB_DEVICE(0x2c4e, 0x0115), .driver_info = BTUSB_REALTEK |
++ 						     BTUSB_WIDEBAND_SPEECH },
+ 
+ 	/* Additional Realtek 8821AE Bluetooth devices */
+ 	{ USB_DEVICE(0x0b05, 0x17dc), .driver_info = BTUSB_REALTEK },

packages/linux-lava/default.nix

@@ -56,6 +56,10 @@ let
       INIT_STACK_ALL_ZERO = yes;
       INIT_STACK_NONE = no;
 
+      # bore
+      SCHED_BORE = yes;
+      MIN_BASE_SLICE_NS = freeform "2000000";
+
       # tickless timers
       HZ_PERIODIC = no;
       NO_HZ = yes;