alyssum/samba: bind music

containers/emerald: bind music directory
containers/emerald: change mounts
2026-06-19 09:12:52 +10:00 · 2026-06-19 09:03:39 +10:00 · 2026-06-19 08:57:22 +10:00 · 2026-06-19 08:01:17 +10:00 · 2026-06-19 07:36:13 +10:00 · 2026-06-17 21:22:03 +10:00
64 changed files with 857 additions and 256 deletions
--- a/containers/amethyst/flake.nix
+++ b/containers/amethyst/flake.nix
@ -21,7 +21,8 @@
      services.nginx.virtualHosts."${fqdn}" = {
        useACMEHost = "lava.moe";
        forceSSL = true;
-        locations."/".proxyPass = "http://[fd0d:1::${subnet}:2]:9091";
+        #locations."/".proxyPass = "http://[fd0d:1::${subnet}:2]:9091";
+        locations."/".proxyPass = "http://10.30.${subnet}.2:9091";
        listenAddresses = [ "10.0.0.1" "[fd0d::1]" ];
      };

--- a/containers/beryllium/configuration.nix
+++ b/containers/beryllium/configuration.nix
@ -9,14 +9,15 @@
  networking.firewall.allowedUDPPorts = [ 6167 ];
  # TODO: this should be generically set
  networking.useHostResolvConf = false;
-  networking.nameservers = [ "fd0d:1::2:1" ];
+  networking.nameservers = [ "8.8.8.8" ];

  services.matrix-continuwuity = {
    enable = true;
    settings.global = {
      # TODO: link this with outer container's address
-      address = [ "fd0d:1::2:2" ];
+      address = [ "10.30.2.2" ];
      server_name = "lava.moe";
+      rocksdb_recovery_mode = 2;
    };
  };
 }
--- a/containers/beryllium/flake.nix
+++ b/containers/beryllium/flake.nix
@ -22,9 +22,9 @@
        useACMEHost = "lava.moe";
        forceSSL = true;
        locations."/".extraConfig = "return 302 'https://lava.moe';";
-        locations."/_matrix".proxyPass = "http://[fd0d:1::${subnet}:2]:6167";
-        locations."/_conduwuit".proxyPass = "http://[fd0d:1::${subnet}:2]:6167";
-        locations."/_continuwuity".proxyPass = "http://[fd0d:1::${subnet}:2]:6167";
+        locations."/_matrix".proxyPass = "http://10.30.${subnet}.2:6167";
+        locations."/_conduwuit".proxyPass = "http://10.30.${subnet}.2:6167";
+        locations."/_continuwuity".proxyPass = "http://10.30.${subnet}.2:6167";
      };

      services.nginx.virtualHosts."lava.moe" = {
@ -52,9 +52,8 @@
      containers.${name} = {
        autoStart = true;
        privateNetwork = true;
-        hostAddress6 = "fd0d:1::${subnet}:1";
-        localAddress6 = "fd0d:1::${subnet}:2";
-        # privateUsers = "pick";
+        hostAddress = "10.30.${subnet}.1";
+        localAddress = "10.30.${subnet}.2";
        nixpkgs = nixpkgs;
        ephemeral = true;
        config = { imports = [ ./configuration.nix ]; };
@ -64,7 +63,6 @@
          mountPoint = "/persist";
          isReadOnly = false;
        };
-        # flake = "path:" + ./.;
      };
    };
  };
--- a/containers/citrine/configuration.nix
+++ b/containers/citrine/configuration.nix
@ -11,7 +11,7 @@
    enable = true;
    lfs.enable = true;
    settings = {
-      DEFAULT.APP_NAME = "Garden";
+      DEFAULT.APP_NAME = "cilly's botanical laboratory";
      server = {
        DOMAIN = fqdn;
        ROOT_URL = "https://${fqdn}/";
@ -34,6 +34,8 @@
      };
      api.ENABLE_SWAGGER = false;
      other.SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
+      repository.ENABLE_PUSH_CREATE_USER = true;
+      repository.ENABLE_PUSH_CREATE_ORG = true;
      service.DISABLE_REGISTRATION = true;
    };
    stateDir = "/persist/forgejo";
--- a/containers/citrine/flake.nix
+++ b/containers/citrine/flake.nix
@ -6,7 +6,7 @@
  outputs = { nixpkgs, catppuccin, ... }:
  let
    name = "citrine";
-    fqdn = "garden.lava.moe";
+    fqdn = "lab.lava.moe";
    subnetId = "3";

    subnet = x: "fd0d:1::${subnetId}:${toString x}";
--- a/containers/diamond/flake.nix
+++ b/containers/diamond/flake.nix
@ -24,7 +24,7 @@
        useACMEHost = "lava.moe";
        forceSSL = true;
        locations."/".proxyPass = "http://[${client}]:8000";
-        listenAddresses = [ "10.0.0.1" "[fd0d::1]" ];
+        listenAddresses = [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ];
      };

      systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
--- a/containers/emerald/configuration.nix
+++ b/containers/emerald/configuration.nix
@ -16,7 +16,8 @@
      ShareURL = "https://${shareFqdn}";
      EnableSharing = true;
      DataFolder = "/persist/navidrome";
-      MusicFolder = "/binds/music";
+      MusicFolder = "/binds/music/main";
    };
  };
+  systemd.services.navidrome.serviceConfig.BindReadOnlyPaths = ["/binds/music"];
 }
--- a/containers/emerald/flake.nix
+++ b/containers/emerald/flake.nix
@ -9,11 +9,11 @@
    shareFqdn = "muse.lava.moe";
    subnetId = "5";

-    subnet = x: "fd0d:1::${subnetId}:${toString x}";
+    subnet = x: "fd0d:2::${subnetId}:${toString x}";
    host = subnet 1;
    client = subnet 2;

-    subnet4 = x: "10.30.${subnetId}.${toString x}";
+    subnet4 = x: "10.32.${subnetId}.${toString x}";
    host4 = subnet4 1;
    client4 = subnet4 2;

@ -39,13 +39,7 @@
        useACMEHost = "lava.moe";
        forceSSL = true;
        locations."/".proxyPass = "http://[${client}]:4533";
-        listenAddresses = [ "10.0.0.1" "[fd0d::1]" ];
-      };
-      services.nginx.virtualHosts."${shareFqdn}" = {
-        useACMEHost = "lava.moe";
-        forceSSL = true;
-        locations."/".return = "404";
-        locations."/share/".proxyPass = "http://[${client}]:4533";
+        listenAddresses = [ "100.67.2.1" ];
      };

      systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
@ -68,7 +62,7 @@
          isReadOnly = false;
        };
        bindMounts."music" = {
-          hostPath = "/persist/media/music";
+          hostPath = "/flower/media/music";
          mountPoint = "/binds/music";
          isReadOnly = true;
        };
--- a/containers/fluorite/flake.nix
+++ b/containers/fluorite/flake.nix
@ -39,7 +39,7 @@
        useACMEHost = "lava.moe";
        forceSSL = true;
        locations."/".proxyPass = "http://[${client}]:5030";
-        listenAddresses = [ "10.0.0.1" "[fd0d::1]" ];
+        listenAddresses = [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ];
      };

      systemd.tmpfiles.rules = [
--- a/containers/garnet/configuration.nix
+++ b/containers/garnet/configuration.nix
@ -0,0 +1,36 @@
+{ ... }: {
+  system.stateVersion = "25.11";
+  fileSystems."/var/lib/opencloud" = {
+    device = "/flower/data";
+    fsType = "none";
+    options = [ "bind" ];
+  };
+  fileSystems."/etc/opencloud" = {
+    device = "/persist/cfg";
+    fsType = "none";
+    options = [ "bind" ];
+  };
+  # TODO: hardcoded address
+  networking.extraHosts = ''
+    100.67.2.1 cloud.lava.moe
+  '';
+
+  networking.firewall.allowedTCPPorts = [ 9200 ];
+  networking.firewall.allowedUDPPorts = [ 9200 ];
+
+  environment.etc."opencloud-admin-pass".text = ''
+    IDM_ADMIN_PASSWORD=supersillysecure
+  '';
+  services.opencloud = {
+    enable = true;
+    url = "https://cloud.lava.moe";
+    address = "10.30.7.2";
+    port = 9200;
+    environment = {
+      PROXY_TLS = "false";
+      IDP_ACCESS_TOKEN_EXPIRATION = "2592000";
+      IDP_ID_TOKEN_EXPIRATION = "2592000";
+    };
+    environmentFile = "/etc/opencloud-admin-pass";
+  };
+}
--- a/containers/garnet/flake.lock
+++ b/containers/garnet/flake.lock
@ -0,0 +1,27 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1779560665,
+        "narHash": "sha256-tpyBcxPpcQb8ukyNF7DoCwfSY3VPsxHoYwj00Cayv5o=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "64c08a7ca051951c8eae34e3e3cb1e202fe36786",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
--- a/containers/garnet/flake.nix
+++ b/containers/garnet/flake.nix
@ -0,0 +1,84 @@
+{
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+  };
+  outputs = { nixpkgs, ... }:
+  let
+    name = "garnet";
+    fqdn = "cloud.lava.moe";
+    subnetId = "7";
+
+    subnet = x: "fd0d:1::${subnetId}:${toString x}";
+    host = subnet 1;
+    client = subnet 2;
+
+    subnet4 = x: "10.30.${subnetId}.${toString x}";
+    host4 = subnet4 1;
+    client4 = subnet4 2;
+
+    modules = [
+      ./configuration.nix
+      {
+        networking.useHostResolvConf = false;
+        networking.nameservers = [ host ];
+      }
+    ];
+  in {
+    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
+      inherit modules;
+    };
+    nixosModule = { config, ... }: {
+      networking.nat = {
+        enable = true;
+        enableIPv6 = true;
+        internalInterfaces = [ "ve-${name}" ];
+      };
+
+      services.nginx.virtualHosts."${fqdn}" = {
+        useACMEHost = "lava.moe";
+        forceSSL = true;
+        locations."/" = {
+          proxyPass = "http://${client4}:9200";
+          proxyWebsockets = true;
+        };
+        extraConfig = ''
+          proxy_read_timeout 3600s;
+          proxy_send_timeout 3600s;
+          keepalive_requests 100000;
+          keepalive_timeout 5m;
+          http2_max_concurrent_streams 512;
+        '';
+        # TODO: hardcoded address
+        listenAddresses = [ "100.67.2.1" ];
+      };
+
+      systemd.tmpfiles.rules = [
+        "d /persist/containers/${name} 755 root users"
+      ];
+      containers.${name} = {
+        autoStart = true;
+        privateNetwork = true;
+        hostAddress = host4;
+        localAddress = client4;
+        hostAddress6 = host;
+        localAddress6 = client;
+        # privateUsers = "pick";
+        nixpkgs = nixpkgs;
+        ephemeral = true;
+        config = { imports = modules; };
+        specialArgs = { inherit fqdn; };
+
+        bindMounts."persist" = {
+          hostPath = "/persist/containers/${name}";
+          mountPoint = "/persist";
+          isReadOnly = false;
+        };
+        bindMounts."content" = {
+          hostPath = "/flower/opencloud";
+          mountPoint = "/flower";
+          isReadOnly = false;
+        };
+      };
+    };
+  };
+}
--- a/flake.lock
+++ b/flake.lock
@ -7,11 +7,11 @@
        "rust-overlay": "rust-overlay"
      },
      "locked": {
-        "lastModified": 1770327417,
-        "narHash": "sha256-WNS+wDUeqfegOXf5emDRnNs2bPiJ7rhdARo4jyd3+Yw=",
+        "lastModified": 1779903856,
+        "narHash": "sha256-uRShMtD6xW3ZKZbCQ6sDzKWEnbBXUg3IGfOARYogKhg=",
        "owner": "ezKEa",
        "repo": "aagl-gtk-on-nix",
-        "rev": "26670347cca9feddb31e075d23b474149d8902e1",
+        "rev": "50671fc7f29d686f63ef34b603320d44ad7f2d29",
        "type": "github"
      },
      "original": {
@ -45,7 +45,7 @@
    },
    "c-amethyst": {
      "inputs": {
-        "nixpkgs": "nixpkgs_3"
+        "nixpkgs": "nixpkgs_2"
      },
      "locked": {
        "path": "./containers/amethyst",
@ -59,7 +59,7 @@
    },
    "c-beryllium": {
      "inputs": {
-        "nixpkgs": "nixpkgs_4"
+        "nixpkgs": "nixpkgs_3"
      },
      "locked": {
        "path": "./containers/beryllium",
@ -74,7 +74,7 @@
    "c-citrine": {
      "inputs": {
        "catppuccin": "catppuccin",
-        "nixpkgs": "nixpkgs_6"
+        "nixpkgs": "nixpkgs_5"
      },
      "locked": {
        "path": "./containers/citrine",
@ -88,7 +88,7 @@
    },
    "c-diamond": {
      "inputs": {
-        "nixpkgs": "nixpkgs_7"
+        "nixpkgs": "nixpkgs_6"
      },
      "locked": {
        "path": "./containers/diamond",
@ -102,7 +102,7 @@
    },
    "c-emerald": {
      "inputs": {
-        "nixpkgs": "nixpkgs_8"
+        "nixpkgs": "nixpkgs_7"
      },
      "locked": {
        "path": "./containers/emerald",
@ -116,7 +116,7 @@
    },
    "c-fluorite": {
      "inputs": {
-        "nixpkgs": "nixpkgs_9"
+        "nixpkgs": "nixpkgs_8"
      },
      "locked": {
        "path": "./containers/fluorite",
@ -128,9 +128,23 @@
      },
      "parent": []
    },
+    "c-garnet": {
+      "inputs": {
+        "nixpkgs": "nixpkgs_9"
+      },
+      "locked": {
+        "path": "./containers/garnet",
+        "type": "path"
+      },
+      "original": {
+        "path": "./containers/garnet",
+        "type": "path"
+      },
+      "parent": []
+    },
    "catppuccin": {
      "inputs": {
-        "nixpkgs": "nixpkgs_5"
+        "nixpkgs": "nixpkgs_4"
      },
      "locked": {
        "lastModified": 1773403535,
@ -149,11 +163,11 @@
    "catppuccin-palette": {
      "flake": false,
      "locked": {
-        "lastModified": 1742245182,
-        "narHash": "sha256-R52Q1FVAclvBk7xNgj/Jl+GPCIbORNf6YbJ1nxH3Gzs=",
+        "lastModified": 1774131488,
+        "narHash": "sha256-hsy+GhuM4MSjnwGq1YJSLBFIbVm67SSdPRgObP00mxw=",
        "owner": "catppuccin",
        "repo": "palette",
-        "rev": "0df7db6fe201b437d91e7288fa22807bb0e44701",
+        "rev": "07d02aa110ef9eb7e7427afca5c73ba9cf7f8ebd",
        "type": "github"
      },
      "original": {
@ -258,11 +272,11 @@
    "flake-compat": {
      "flake": false,
      "locked": {
-        "lastModified": 1761588595,
-        "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=",
+        "lastModified": 1767039857,
+        "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=",
        "owner": "edolstra",
        "repo": "flake-compat",
-        "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5",
+        "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
        "type": "github"
      },
      "original": {
@ -271,6 +285,22 @@
        "type": "github"
      }
    },
+    "flake-compat_2": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1767039857,
+        "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=",
+        "owner": "NixOS",
+        "repo": "flake-compat",
+        "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
    "flake-parts": {
      "inputs": {
        "nixpkgs-lib": [
@ -279,11 +309,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1769996383,
-        "narHash": "sha256-AnYjnFWgS49RlqX7LrC4uA+sCCDBj0Ry/WOJ5XWAsa0=",
+        "lastModified": 1778716662,
+        "narHash": "sha256-m1Yf0wZ8j1OHjTc2UwHwyQRSnNeSgLJOd7q5Y45hzi4=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "57928607ea566b5db3ad13af0e57e921e6b12381",
+        "rev": "f7c1a2d347e4c52d5fb8d10cb4d94b5884e546fb",
        "type": "github"
      },
      "original": {
@ -297,11 +327,11 @@
        "nixpkgs-lib": "nixpkgs-lib"
      },
      "locked": {
-        "lastModified": 1769996383,
-        "narHash": "sha256-AnYjnFWgS49RlqX7LrC4uA+sCCDBj0Ry/WOJ5XWAsa0=",
+        "lastModified": 1778716662,
+        "narHash": "sha256-m1Yf0wZ8j1OHjTc2UwHwyQRSnNeSgLJOd7q5Y45hzi4=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "57928607ea566b5db3ad13af0e57e921e6b12381",
+        "rev": "f7c1a2d347e4c52d5fb8d10cb4d94b5884e546fb",
        "type": "github"
      },
      "original": {
@ -364,6 +394,51 @@
        "type": "github"
      }
    },
+    "git-hooks": {
+      "inputs": {
+        "flake-compat": "flake-compat_2",
+        "gitignore": "gitignore",
+        "nixpkgs": [
+          "nix-gaming",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1778507602,
+        "narHash": "sha256-kTwur1wV+01SdqskVMSo6JMEpg71ps3HpbFY2GsflKs=",
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "rev": "61ab0e80d9c7ab14c256b5b453d8b3fb0189ba0a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "type": "github"
+      }
+    },
+    "gitignore": {
+      "inputs": {
+        "nixpkgs": [
+          "nix-gaming",
+          "git-hooks",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
@ -435,11 +510,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1770818644,
-        "narHash": "sha256-DYS4jIRpRoKOzJjnR/QqEd/MlT4OZZpt8CrBLv+cjsE=",
+        "lastModified": 1779969295,
+        "narHash": "sha256-HwIJ3tOcwSMiV75L7KqJXciXR9UfT+d7rwOZMX7cTnA=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "0acbd1180697de56724821184ad2c3e6e7202cd7",
+        "rev": "61e2c9659324181e0f0ed911958c536333b1d4f6",
        "type": "github"
      },
      "original": {
@ -479,11 +554,11 @@
    "linux-tkg": {
      "flake": false,
      "locked": {
-        "lastModified": 1770607339,
-        "narHash": "sha256-/j7IEdwbaaN4SGKAl5gE3vRdKIdIw8f7RNMrM9Lc28M=",
+        "lastModified": 1779857514,
+        "narHash": "sha256-dCrVB3cFvv1d/9wuEejYN131b1phyf6SDy1bcEvtWGo=",
        "owner": "Frogging-Family",
        "repo": "linux-tkg",
-        "rev": "9498fb9bc0c3323d1c291667d8cb16cb2a37bcee",
+        "rev": "c9196dea7ee464f7792f94cd39c32431ad9e25ab",
        "type": "github"
      },
      "original": {
@ -501,11 +576,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1770857573,
-        "narHash": "sha256-pSeFA1qRAdivDrrKoybJ1DOcbkXx2v/ExIc6n0DbT4U=",
+        "lastModified": 1780013080,
+        "narHash": "sha256-m984DKbcIeNNuLYFjN3780rPEd55Xe9/cB4BNKkIDvg=",
        "owner": "nix-community",
        "repo": "neovim-nightly-overlay",
-        "rev": "31e79c73c444b2e51eb34f2305792809839c58e8",
+        "rev": "c6cc238427db8f61b786a66d7e02cf7724b30226",
        "type": "github"
      },
      "original": {
@ -517,11 +592,11 @@
    "neovim-src": {
      "flake": false,
      "locked": {
-        "lastModified": 1770810897,
-        "narHash": "sha256-6F/Z/UQxalaSoqewSQ4fL8zSws3Vy4wgA5DgyTaeqTo=",
+        "lastModified": 1779979065,
+        "narHash": "sha256-3uF/oP2D4Jka3DU2G8qqml75UOzPRrK+FIp+jghOq0s=",
        "owner": "neovim",
        "repo": "neovim",
-        "rev": "6b4ec2264e1d8ba027b85f3883d532c5068be92a",
+        "rev": "5d85669a33e10f1f156b086562458cbbc8054438",
        "type": "github"
      },
      "original": {
@ -533,14 +608,15 @@
    "nix-gaming": {
      "inputs": {
        "flake-parts": "flake-parts_2",
+        "git-hooks": "git-hooks",
        "nixpkgs": "nixpkgs_10"
      },
      "locked": {
-        "lastModified": 1770778188,
-        "narHash": "sha256-KZHPn3L6veRgRwOyfhaeM5ZTJfpkoY9EICIzUcQn4w8=",
+        "lastModified": 1779768228,
+        "narHash": "sha256-/dRavNAx/Mp67xcQQ3JBIMyf0cLoXqKedafB1+wksAE=",
        "owner": "fufexan",
        "repo": "nix-gaming",
-        "rev": "59e3b8189047bc591635645d2c682020c13eeac5",
+        "rev": "6e7a8414c0f547a86646eb0b56ebf89e7cc217a2",
        "type": "github"
      },
      "original": {
@ -556,11 +632,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1773552174,
-        "narHash": "sha256-mHSRNrT1rjeYBgkAlj07dW3+1nFEgAd8Gu6lgyfT9DU=",
+        "lastModified": 1779604987,
+        "narHash": "sha256-ZQ5z+fVhxYKtIFwtqGp5O0PD84BM1riASvqDaN5Xs+s=",
        "owner": "nix-community",
        "repo": "nix-index-database",
-        "rev": "8faeb68130df077450451b6734a221ba0d6cde42",
+        "rev": "8fba98c80b48fa013820e0163c5096922fea4ddd",
        "type": "github"
      },
      "original": {
@ -571,11 +647,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1764242076,
-        "narHash": "sha256-sKoIWfnijJ0+9e4wRvIgm/HgE27bzwQxcEmo2J/gNpI=",
+        "lastModified": 1777268161,
+        "narHash": "sha256-bxrdOn8SCOv8tN4JbTF/TXq7kjo9ag4M+C8yzzIRYbE=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "2fad6eac6077f03fe109c4d4eb171cf96791faa4",
+        "rev": "1c3fe55ad329cbcb28471bb30f05c9827f724c76",
        "type": "github"
      },
      "original": {
@ -587,11 +663,11 @@
    },
    "nixpkgs-lib": {
      "locked": {
-        "lastModified": 1769909678,
-        "narHash": "sha256-cBEymOf4/o3FD5AZnzC3J9hLbiZ+QDT/KDuyHXVJOpM=",
+        "lastModified": 1777168982,
+        "narHash": "sha256-GOkGPcboWE9BmGCRMLX3worL4EMnsnG8MyKmXNeYuhQ=",
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
-        "rev": "72716169fe93074c333e8d0173151350670b824c",
+        "rev": "f5901329dade4a6ea039af1433fb087bd9c1fe14",
        "type": "github"
      },
      "original": {
@ -618,11 +694,11 @@
    },
    "nixpkgs_10": {
      "locked": {
-        "lastModified": 1770537093,
-        "narHash": "sha256-pF1quXG5wsgtyuPOHcLfYg/ft/QMr8NnX0i6tW2187s=",
+        "lastModified": 1779536132,
+        "narHash": "sha256-q+fF42iv/geEbHfgSzy3tS0FF/EyD6XTZ98E6yxiBO8=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "fef9403a3e4d31b0a23f0bacebbec52c248fbb51",
+        "rev": "3d8f0f3f72a6cd4d93d0ad13203f2ea1cb7e1456",
        "type": "github"
      },
      "original": {
@ -634,11 +710,11 @@
    },
    "nixpkgs_11": {
      "locked": {
-        "lastModified": 1770562336,
-        "narHash": "sha256-ub1gpAONMFsT/GU2hV6ZWJjur8rJ6kKxdm9IlCT0j84=",
+        "lastModified": 1779560665,
+        "narHash": "sha256-tpyBcxPpcQb8ukyNF7DoCwfSY3VPsxHoYwj00Cayv5o=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "d6c71932130818840fc8fe9509cf50be8c64634f",
+        "rev": "64c08a7ca051951c8eae34e3e3cb1e202fe36786",
        "type": "github"
      },
      "original": {
@ -666,16 +742,16 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1744536153,
-        "narHash": "sha256-awS2zRgF4uTwrOKwwiJcByDzDOdo3Q1rPZbiHQg/N38=",
+        "lastModified": 1773282481,
+        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "18dd725c29603f582cf1900e0d25f9f1063dbf11",
+        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixpkgs-unstable",
+        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
@ -698,11 +774,11 @@
    },
    "nixpkgs_4": {
      "locked": {
-        "lastModified": 1773282481,
-        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
+        "lastModified": 1773122722,
+        "narHash": "sha256-FIqHByVqxCprNjor1NqF80F2QQoiiyqanNNefdlvOg4=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
+        "rev": "62dc67aa6a52b4364dd75994ec00b51fbf474e50",
        "type": "github"
      },
      "original": {
@ -714,11 +790,11 @@
    },
    "nixpkgs_5": {
      "locked": {
-        "lastModified": 1773122722,
-        "narHash": "sha256-FIqHByVqxCprNjor1NqF80F2QQoiiyqanNNefdlvOg4=",
+        "lastModified": 1773282481,
+        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "62dc67aa6a52b4364dd75994ec00b51fbf474e50",
+        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
        "type": "github"
      },
      "original": {
@ -778,11 +854,11 @@
    },
    "nixpkgs_9": {
      "locked": {
-        "lastModified": 1773282481,
-        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
+        "lastModified": 1779560665,
+        "narHash": "sha256-tpyBcxPpcQb8ukyNF7DoCwfSY3VPsxHoYwj00Cayv5o=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
+        "rev": "64c08a7ca051951c8eae34e3e3cb1e202fe36786",
        "type": "github"
      },
      "original": {
@ -818,11 +894,11 @@
    "nvim-treesitter": {
      "flake": false,
      "locked": {
-        "lastModified": 1770808440,
-        "narHash": "sha256-paM9v2DKiHEwN0fTXuX9eY0KwVsB+9Bv6mOX9u/eyAI=",
+        "lastModified": 1775221900,
+        "narHash": "sha256-PQR6tFt4lCrAZNQG7BLMD1IiCKja9wDS1S4laGJf/HE=",
        "owner": "nvim-treesitter",
        "repo": "nvim-treesitter",
-        "rev": "9f2dad22ef8bb14fd1e0a3aa8859cdc88170668b",
+        "rev": "4916d6592ede8c07973490d9322f187e07dfefac",
        "type": "github"
      },
      "original": {
@ -838,11 +914,11 @@
        "pnpm2nix": "pnpm2nix"
      },
      "locked": {
-        "lastModified": 1772103435,
-        "narHash": "sha256-dtsWJl+DBigaZlszH4UVI8JZltJl9O6MESDyH4RepNI=",
+        "lastModified": 1775622883,
+        "narHash": "sha256-2+7uCRXn+tn4LVaO7hLKPaezdKPW6HGvTr00aO4Tcxs=",
        "owner": "cillynder",
        "repo": "pastel",
-        "rev": "8e2b1b80d711eaf41c010949bef0a512db9e4452",
+        "rev": "46f6569d5ad41ec1256dbf999d21701f73d6077b",
        "type": "github"
      },
      "original": {
@ -877,11 +953,11 @@
    "pure": {
      "flake": false,
      "locked": {
-        "lastModified": 1770811375,
-        "narHash": "sha256-Fhk4nlVPS09oh0coLsBnjrKncQGE6cUEynzDO2Skiq8=",
+        "lastModified": 1779255807,
+        "narHash": "sha256-UQ0hP3qJd4Qxiw1LXPdb9d0Dc4OSD3HJpgYzaCfujno=",
        "owner": "sindresorhus",
        "repo": "pure",
-        "rev": "dbefd0dcafaa3ac7d7222ca50890d9d0c97f7ca2",
+        "rev": "cc0759a0de620f191510e2e2f9748194a605b54d",
        "type": "github"
      },
      "original": {
@ -900,6 +976,7 @@
        "c-diamond": "c-diamond",
        "c-emerald": "c-emerald",
        "c-fluorite": "c-fluorite",
+        "c-garnet": "c-garnet",
        "catppuccin": "catppuccin_2",
        "catppuccin-palette": "catppuccin-palette",
        "fast-syntax-highlighting": "fast-syntax-highlighting",
@ -924,14 +1001,17 @@
    },
    "rust-overlay": {
      "inputs": {
-        "nixpkgs": "nixpkgs_2"
+        "nixpkgs": [
+          "aagl",
+          "nixpkgs"
+        ]
      },
      "locked": {
-        "lastModified": 1764470739,
-        "narHash": "sha256-sa9f81B1dWO16QtgDTWHX8DQbiHKzHndpaunY5EQtwE=",
+        "lastModified": 1777605393,
+        "narHash": "sha256-Hjp0VOOHgHcTrX23iVvnfAudPcuCmfkfpQNFwv2v/ks=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "3bfa664055e1a09c6aedab5533c5fc8d6ca5741a",
+        "rev": "ff88db34cfa486fc4964a6991cab1678d82eee8c",
        "type": "github"
      },
      "original": {
@ -948,11 +1028,11 @@
        "systems": "systems_5"
      },
      "locked": {
-        "lastModified": 1770846656,
-        "narHash": "sha256-wdYpo8++TqKp3GdRgLFykjuIVW1m9GlUnxID2FG74cE=",
+        "lastModified": 1779824049,
+        "narHash": "sha256-dWHVUjP03KSVG1PaLKA6j9EdxWSxSQvipMUIcSyuA/U=",
        "owner": "Gerg-L",
        "repo": "spicetify-nix",
-        "rev": "40e65cfc4608402674e1efaac3fccce20d2a72d3",
+        "rev": "1362178e5f5f7a848c49fe9dee004ef8824f100a",
        "type": "github"
      },
      "original": {
@ -964,11 +1044,11 @@
    "spotify-adblock": {
      "flake": false,
      "locked": {
-        "lastModified": 1739206126,
+        "lastModified": 1773417310,
        "narHash": "sha256-nwiX2wCZBKRTNPhmrurWQWISQdxgomdNwcIKG2kSQsE=",
        "owner": "abba23",
        "repo": "spotify-adblock",
-        "rev": "8e0312d6085a6e4f9afeb7c2457517a75e8b8f9d",
+        "rev": "813d3451c53126bf1941baaf8dd37f1152c3f412",
        "type": "github"
      },
      "original": {
@ -980,11 +1060,11 @@
    "stevenblack-hosts": {
      "flake": false,
      "locked": {
-        "lastModified": 1770244988,
-        "narHash": "sha256-DT9HK9iYTmXUfjKcTxLRMZOeCLb9CAoFEpBiDpEku3g=",
+        "lastModified": 1779976382,
+        "narHash": "sha256-wt5NGa4K8/vda669UYUmTUt+BR9X5fPnuTZFfQdpLYo=",
        "owner": "StevenBlack",
        "repo": "hosts",
-        "rev": "7ea67ed353b27e1dbe36363074d1b6c3ca6be46b",
+        "rev": "d3e838712512490260f051150e3573eeebecfadb",
        "type": "github"
      },
      "original": {
@ -1120,11 +1200,11 @@
    "zsh-abbr": {
      "flake": false,
      "locked": {
-        "lastModified": 1770748719,
-        "narHash": "sha256-RvdMEk1bQ/mCbcTneg8mMJJh6j60km0/wchBBQQ+Ugo=",
+        "lastModified": 1773890443,
+        "narHash": "sha256-SVuwDeHIBg8yArKGzDEfsG3fz0UwABQoJkyKTQAPUiw=",
        "ref": "refs/heads/main",
-        "rev": "2de4a08c5e0d9dbe8447e11e0a177b59b5b6d6ea",
-        "revCount": 1137,
+        "rev": "889f4772c12b9dbe4965bbd56f2572af0a28fa3b",
+        "revCount": 1139,
        "submodules": true,
        "type": "git",
        "url": "https://github.com/olets/zsh-abbr"
--- a/flake.nix
+++ b/flake.nix
@ -44,6 +44,7 @@
    c-diamond.url = "path:./containers/diamond";
    c-emerald.url = "path:./containers/emerald";
    c-fluorite.url = "path:./containers/fluorite";
+    c-garnet.url = "path:./containers/garnet";
  };

  outputs = { self, agenix, catppuccin, nixpkgs, ... } @ inputs:
@ -80,6 +81,7 @@
        };
    in
    {
+      nixosConfigurations."alyssum" = mkSystem nixpkgs "alyssum" "x86_64-linux" [];
      nixosConfigurations."anemone" = mkSystem nixpkgs "anemone" "x86_64-linux" [];
      nixosConfigurations."dandelion" = mkSystem nixpkgs "dandelion" "aarch64-linux" [];
      nixosConfigurations."hyacinth" = mkSystem nixpkgs "hyacinth" "x86_64-linux" [];
--- a/hosts/alyssum/default.nix
+++ b/hosts/alyssum/default.nix
@ -0,0 +1,45 @@
+{ inputs, lib, modules, modulesPath, ... }: {
+  networking.hostName = "alyssum";
+  system.stateVersion = "25.11";
+  time.timeZone = "Australia/Melbourne";
+
+  age.secrets = {
+    acme_dns.file = ../../secrets/acme_dns.age;
+    passwd.file = ../../secrets/passwd.age;
+    navidrome_env.file = ../../secrets/navidrome_env.age;
+    wpa_conf = {
+      file = ../../secrets/wpa_conf.age;
+      path = "/etc/wpa_supplicant/imperative.conf";
+      symlink = false;
+    };
+  };
+
+  imports = with modules.system; [
+    (modulesPath + "/profiles/qemu-guest.nix")
+    home-manager
+
+    base
+    kernel
+    nix-stable
+    packages
+    security
+    tailscale
+
+    modules.services.nginx
+    modules.services.syncthing
+
+    inputs.c-emerald.nixosModule
+    inputs.c-garnet.nixosModule
+
+    ./filesystem.nix
+    ./kernel.nix
+    ./networking.nix
+    ./home.syncthing.nix
+    ./samba.nix
+
+    ../../users/hana
+  ];
+
+  me.environment = "headless";
+  services.syncthing.user = lib.mkForce "hana";
+}
--- a/hosts/alyssum/filesystem.nix
+++ b/hosts/alyssum/filesystem.nix
@ -0,0 +1,35 @@
+{ ... }:
+let
+  bind = src: {
+    depends = [ "/nix" ];
+    device = src;
+    fsType = "none";
+    neededForBoot = true;
+    options = [ "bind" ];
+  };
+
+  mkLabelMount = label: type: {
+    device = "/dev/disk/by-label/${label}";
+    fsType = type;
+    options = [ "defaults" "relatime" ];
+  };
+  mkBtrfsMount = name: subvol: atime: mkLabelMount name "btrfs" // {
+    options = [ "autodefrag" "compress=zstd:3" "defaults" "discard=async" "space_cache=v2" "ssd" "subvol=${subvol}" (if atime then "relatime" else "noatime") ];
+  };
+  submount = mkBtrfsMount "alyssum";
+in {
+  fileSystems = {
+    "/" = {
+      device = "rootfs";
+      fsType = "tmpfs";
+      options = [ "defaults" "size=8G" "mode=755" ];
+    };
+    "/boot" = mkLabelMount "stem" "vfat";
+
+    "/flower" = mkBtrfsMount "myosotis" "/@" true;
+    "/nix" = submount "/@/nix" false;
+    "/persist" = (submount "/@/persist" true) // { neededForBoot = true; };
+    "/persist/.snapshots" = submount "/snap/persist" false;
+    "/var/log/journal" = bind "/persist/journal";
+  };
+}
--- a/hosts/alyssum/home.syncthing.nix
+++ b/hosts/alyssum/home.syncthing.nix
@ -0,0 +1,39 @@
+{ config, lib, ... }:
+let
+  configOn = user: port: {
+    me.binds."/home/${user}/.config/syncthing" = "${user}/syncthing/config";
+    me.binds."/home/${user}/.local/state/syncthing" = "${user}/syncthing/state";
+
+    systemd.tmpfiles.rules = [ "d /flower/syncthing/${user} 700 ${user} users" ];
+
+    users.users.${user} = {
+      hashedPasswordFile = config.age.secrets.passwd.path;
+      isNormalUser = true;
+      linger = true;
+    };
+    home-manager.users.${user} = { ... }: {
+      home = {
+        username = "${user}";
+        homeDirectory = "/home/${user}";
+        stateVersion = "26.05";
+      };
+      services.syncthing = {
+        enable = true;
+        guiAddress = "[::]:${toString port}";
+        overrideDevices = false;
+        overrideFolders = false;
+        settings = {
+          options.listenAddresses = [
+            "tcp://0.0.0.0:2${toString port}"
+            "quic://0.0.0.0:2${toString port}"
+            "dynamic+https://relays.syncthing.net/endpoint"
+          ];
+          defaults.folder.path = "/flower/syncthing/${user}";
+        };
+      };
+    };
+  };
+in lib.mkMerge [
+  (configOn "kujira" 8385)
+  (configOn "cilly" 8386)
+]
--- a/hosts/alyssum/kernel.nix
+++ b/hosts/alyssum/kernel.nix
@ -0,0 +1,12 @@
+{ config, lib, ... }: {
+  boot = {
+    loader = {
+      efi.canTouchEfiVariables = true;
+      systemd-boot.enable = true;
+    };
+    initrd.availableKernelModules = [ "nvme" "xhci_pci" "usb_storage" "sd_mod" "rtsx_usb_sdmmc" ];
+    initrd.kernelModules = [ ];
+    kernelModules = [ "kvm-amd" ];
+  };
+  hardware.cpu.amd.updateMicrocode = true;
+}
--- a/hosts/alyssum/networking.nix
+++ b/hosts/alyssum/networking.nix
@ -0,0 +1,15 @@
+{ config, ... }: {
+  networking = {
+    useDHCP = true;
+    wireless.enable = true;
+
+    interfaces.wlp1s0.useDHCP = false;
+    interfaces.wlp1s0.ipv4.addresses = [{
+      address = "192.168.1.167";
+      prefixLength = 24;
+    }];
+
+    defaultGateway = "192.168.1.1";
+    nameservers = [ "8.8.8.8" "8.8.4.4" ];
+  };
+}
--- a/hosts/alyssum/packages.nix
+++ b/hosts/alyssum/packages.nix
@ -0,0 +1,14 @@
+{ pkgs, ... }: {
+  environment.systemPackages = with pkgs; [
+    git
+    htop
+    jq
+    neovim
+    rsync
+    sshfs
+    wget
+
+    kitty.terminfo
+  ];
+  environment.variables.EDITOR = "nvim";
+}
--- a/hosts/alyssum/samba.nix
+++ b/hosts/alyssum/samba.nix
@ -0,0 +1,84 @@
+{ config, lib, pkgs, ... }:
+let
+  configOn = user: let
+    passwd_fname = "passwd_smb${user}";
+  in {
+    age.secrets.${passwd_fname}.file = ../../secrets/${passwd_fname}.age;
+    me.binds."/flower/smb/${user}/music" = "/flower/media/music/${user}";
+    me.binds."/flower/smb/${user}/syncthing" = "/flower/syncthing/${user}";
+
+    users.users.${user} = {
+      hashedPasswordFile = config.age.secrets.passwd.path;
+      isNormalUser = true;
+    };
+
+    system.activationScripts = {
+      init_smbpasswd.text = let
+        smbpasswd = "${config.services.samba.package}/bin/smbpasswd";
+      in ''
+        printf "$(cat ${config.age.secrets.${passwd_fname}.path})\n$(cat ${config.age.secrets.${passwd_fname}.path})\n" | ${smbpasswd} -sa ${user}
+      '';
+    };
+    services.samba.settings."${user}" = {
+      "path" = "/flower/smb/${user}";
+      "browseable" = "yes";
+      "read only" = "no";
+      "guest ok" = "no";
+      "create mask" = "0644";
+      "directory mask" = "0755";
+      "force user" = user;
+      "force group" = "users";
+      "valid users" = user;
+    };
+  };
+in lib.mkMerge [
+  (configOn "cilly")
+  (configOn "kujira")
+  {
+    me.binds."/flower/smb/kujira/opencloud" = "/flower/opencloud/data/storage/users/users/a8e29fc0-673c-4c67-be00-2442904acb43";
+
+    networking.firewall.allowPing = true;
+
+    services.samba = {
+      enable = true;
+      package = pkgs.samba4Full;
+      openFirewall = true;
+      settings = {
+        global = {
+          "server smb encrypt" = "required";
+          "workgroup" = "WORKGROUP";
+          "server string" = "smbnix";
+          "netbios name" = "smbnix";
+          "security" = "user";
+          "hosts allow" = "100.64.0.0/10 127.0.0.1 alyssum localhost";
+          "hosts deny" = "0.0.0.0/0";
+          "guest account" = "nobody";
+          "map to guest" = "bad user";
+        };
+        "public" = {
+          "path" = "/flower/smb/public";
+          "browseable" = "yes";
+          "read only" = "no";
+          "guest ok" = "yes";
+          "create mask" = "0644";
+          "directory mask" = "0755";
+          "force user" = "hana";
+          "force group" = "users";
+        };
+      };
+    };
+
+    services.samba-wsdd = {
+      enable = true;
+      openFirewall = true;
+    };
+
+    services.avahi = {
+      enable = true;
+      openFirewall = true;
+      nssmdns4 = true;
+      publish.enable = true;
+      publish.userServices = true;
+    };
+  }
+]
--- a/hosts/anemone/default.nix
+++ b/hosts/anemone/default.nix
@ -28,6 +28,7 @@
    printing
    security
    snapper
+    tailscale
    wireguard

    ./filesystem.nix
--- a/hosts/anemone/networking.nix
+++ b/hosts/anemone/networking.nix
@ -1,19 +1,4 @@
 { config, ... }: {
-  networking = {
-    #nameservers = [ "8.8.8.8" "8.8.4.4" ];
-
-    #wg-quick.interfaces.wg0.configFile = "/persist/vpn.conf";
-    wireless.enableHardening = false;
-
-    networkmanager = {
-      enable = true;
-      #dns = "none";
-    };
-
-    extraHosts = ''
-      192.168.100.16 hyacinth
-    '';
-  };
-
+  networking.wireless.iwd.enable = true;
  environment.etc."NetworkManager/system-connections".source = "/persist/nm_system-connections";
 }
--- a/hosts/dandelion/default.nix
+++ b/hosts/dandelion/default.nix
@ -5,7 +5,6 @@

  age.secrets = {
    acme_dns.file = ../../secrets/acme_dns.age;
-    navidrome_env.file = ../../secrets/navidrome_env.age;
    slskd_env.file = ../../secrets/slskd_env.age;
    wg_dandelion.file = ../../secrets/wg_dandelion.age;
  };
@ -19,6 +18,7 @@
    nix-stable
    packages
    security
+    tailscale
    wireguard

    modules.services.banksia
@ -30,12 +30,12 @@
    inputs.c-beryllium.nixosModule
    inputs.c-citrine.nixosModule
    inputs.c-diamond.nixosModule
-    inputs.c-emerald.nixosModule
    inputs.c-fluorite.nixosModule

    ./filesystem.nix
    ./kernel.nix
    ./networking.nix
+    ./nginx.nix

    ../../users/hana
  ];
--- a/hosts/dandelion/filesystem.nix
+++ b/hosts/dandelion/filesystem.nix
@ -22,7 +22,7 @@ in {
    "/" = {
      device = "rootfs";
      fsType = "tmpfs";
-      options = [ "defaults" "size=12G" "mode=755" ];
+      options = [ "defaults" "size=6G" "mode=755" ];
    };
    "/boot" = mkLabelMount "UEFI" "vfat";

--- a/hosts/dandelion/nginx.nix
+++ b/hosts/dandelion/nginx.nix
@ -0,0 +1,8 @@
+{ ... }: {
+  services.nginx.virtualHosts."muse.lava.moe" = {
+    useACMEHost = "lava.moe";
+    forceSSL = true;
+    locations."/".return = "404";
+    locations."/share/".proxyPass = "http://[fd0d:2::5:2]:4533";
+  };
+}
--- a/hosts/hyacinth/default.nix
+++ b/hosts/hyacinth/default.nix
@ -18,6 +18,7 @@
    bluetooth
    ccache
    corectrl
+    docker
    flatpak
    greetd
    gui
@ -28,6 +29,7 @@
    printing
    security
    snapper
+    tailscale
    wireguard

    modules.services.syncthing
--- a/hosts/hyacinth/packages.nix
+++ b/hosts/hyacinth/packages.nix
@ -1,5 +1,6 @@
 { pkgs, ... }: {
  environment.systemPackages = with pkgs; [
+    discord
    jetbrains.idea
    texliveFull
  ];
--- a/modules/binds.nix
+++ b/modules/binds.nix
@ -0,0 +1,13 @@
+{ config, lib, ...}: {
+  imports = [ ./options.nix ];
+  fileSystems = lib.mapAttrs (dest: key: let
+    target = if (lib.strings.hasPrefix "/" key)
+      then key
+      else "/persist/binds/${key}";
+  in {
+    depends = [ "/persist" ];
+    device = target;
+    fsType = "none";
+    options = [ "bind" ];
+  }) config.me.binds;
+}
--- a/modules/default.nix
+++ b/modules/default.nix
@ -14,6 +14,7 @@ let
    }) paths
  );
 in {
+  binds = ./binds.nix;
  options = ./options.nix;
  services = mkAttrsFromPaths [
    ./services/banksia.nix
@ -49,6 +50,7 @@ in {
    ./system/printing.nix
    ./system/security.nix
    ./system/snapper.nix
+    ./system/tailscale.nix
    ./system/virtualisation.nix
    ./system/wireguard.nix
  ];
--- a/modules/options.nix
+++ b/modules/options.nix
@ -44,5 +44,10 @@ in {
      type = types.bool;
      default = false;
    };
+
+    binds = lib.mkOption {
+      type = with lib.types; attrsOf str;
+      default = {};
+    };
  };
 }
--- a/modules/services/banksia.nix
+++ b/modules/services/banksia.nix
@ -4,7 +4,7 @@
    "banksia.lava.moe" = {
      useACMEHost = "lava.moe";
      forceSSL = true;
-      locations."/".return = "302 https://github.com/cillynder/Banksia";
+      locations."/".return = "302 https://lab.lava.moe/cilly/Banksia";
      locations."/api".proxyPass = "http://localhost:8080/";
    };
  };
--- a/modules/services/nginx.nix
+++ b/modules/services/nginx.nix
@ -6,7 +6,7 @@
      email = "me@lava.moe";
      group = "nginx";
      dnsProvider = "cloudflare";
-      credentialsFile = config.age.secrets."acme_dns".path;
+      environmentFile = config.age.secrets."acme_dns".path;
    };
    certs."lava.moe" = {
      extraDomainNames = [
--- a/modules/services/syncthing.nix
+++ b/modules/services/syncthing.nix
@ -1,7 +1,8 @@
 { config, ... }:
 let
  dir = "/persist/shared/.syncthing";
-  uid = toString config.users.users.rin.uid;
+  user = if config.me.gui then "rin" else "hana";
+  uid = toString config.users.users."${user}".uid;
  gid = toString config.users.groups.users.gid;
 in
 {
@ -13,9 +14,10 @@ in
  services.syncthing = {
    enable = true;
    openDefaultPorts = true;
-    user = "rin";
+    user = user;
    group = "users";
    dataDir = "/persist/shared/.syncthing/data";
    configDir = "/persist/shared/.syncthing/config";
+    guiAddress = if config.me.gui then "127.0.0.1:8384" else ":8384";
  };
 }
--- a/modules/services/unbound.nix
+++ b/modules/services/unbound.nix
@ -27,8 +27,12 @@ in {
        forward-addr = [
          "2606:4700:4700::1111@853#cloudflare-dns.com"
          "2606:4700:4700::1001@853#cloudflare-dns.com"
+          "2001:4860:4860::8888@853#dns.google"
+          "2001:4860:4860::8844@853#dns.google"
          "1.1.1.1@853#cloudflare-dns.com"
          "1.0.0.1@853#cloudflare-dns.com"
+          "8.8.8.8@853#dns.google"
+          "8.8.4.4@853#dns.google"
        ];
      }];

@ -37,8 +41,10 @@ in {
        access-control = [
          "127.0.0.1/8      allow"
          "10.0.0.0/8       allow"
+          "100.64.0.0/10    allow"
          "192.168.100.0/24 allow"
-          "fd0d::/16 allow"
+          "fd0d::/16        allow"
+          "fd7a:115c:a1e0::/48 allow"
          "${gcSecrets.wireguard.ipv6Subnet}:/80 allow"
        ];
        domain-insecure = [ "\"local.lava.moe\"" ];
--- a/modules/system/base.nix
+++ b/modules/system/base.nix
@ -1,5 +1,5 @@
 { config, inputs, modules, ... }: {
-  imports = [ modules.options ];
+  imports = [ modules.binds modules.options ];

  environment.etc = {
    "machine-id".source = "/persist/machine-id";
--- a/modules/system/input.nix
+++ b/modules/system/input.nix
@ -6,7 +6,19 @@
        "-arinterval 15"
      ];
    };
-    xkb.options = "caps:escape";
  };
-  console.useXkbConfig = true;
+  services.keyd = {
+    enable = true;
+    keyboards = {
+      default = {
+        ids = [ "*" ];
+        settings = {
+          main = {
+            capslock = "esc";
+            esc = "capslock";
+          };
+        };
+      };
+    };
+  };
 }
--- a/modules/system/nix.nix
+++ b/modules/system/nix.nix
@ -1,5 +1,6 @@
-{ config, lib, pkgs, ... }: {
+{ config, inputs, pkgs, ... }: {
  nix = {
+    nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
    package = pkgs.nixVersions.latest;

    settings = rec {
--- a/modules/system/packages-gui.nix
+++ b/modules/system/packages-gui.nix
@ -10,7 +10,6 @@
      libva-vdpau-driver
      libvdpau-va-gl
    ];
-    programs.light.enable = true;
    hardware.opentabletdriver.enable = true;
    hardware.keyboard.qmk.enable = true;
    programs.steam = {
--- a/modules/system/packages.nix
+++ b/modules/system/packages.nix
@ -16,7 +16,6 @@
    neovim
    nfs-utils
    ntfs3g
-    oci-cli
    ripgrep
    rsync
    sshfs
--- a/modules/system/security.nix
+++ b/modules/system/security.nix
@ -1,4 +1,4 @@
-{ config, pkgs, ... }: {
+{ config, lib, pkgs, ... }: {
  networking.firewall =
  let
    iptables = "${pkgs.iptables}/bin/iptables";
@ -53,5 +53,33 @@
        }
      ];
    };
+    pam = lib.mkIf (config.me.environment != "headless") {
+      u2f = {
+        enable = true;
+        settings = {
+          cue = true;
+          pinverification = 1;
+        };
+      };
+      services.doas.rules.auth = {
+        u2f.settings.pinverification = lib.mkForce 0;
+        u2f_int = lib.mkMerge [
+          {
+            enable = true;
+            order = config.security.pam.services.doas.rules.auth.u2f.order + 1;
+            control = "sufficient";
+            modulePath = "${pkgs.pam_u2f}/lib/security/pam_u2f.so";
+            inherit (config.security.pam.u2f) settings;
+          }
+          {
+            settings = lib.mkForce {
+              interactive = true;
+              pinverification = 0;
+              userpresence = 0;
+            };
+          }
+        ];
+      };
+    };
  };
 }
--- a/modules/system/tailscale.nix
+++ b/modules/system/tailscale.nix
@ -0,0 +1,13 @@
+{ config, lib, ... }: {
+  age.secrets.tailscale_auth.file = ../../secrets/tailscale_auth.age;
+  me.binds."/var/lib/tailscale" = "tailscale";
+  networking.firewall.trustedInterfaces = [ "tailscale0" ];
+  networking.firewall.allowedUDPPorts = lib.mkIf (config.me.environment == "headless") [ 123 ];
+
+  services.tailscale = {
+    enable = true;
+    authKeyFile = config.age.secrets.tailscale_auth.path;
+    openFirewall = true;
+    useRoutingFeatures = if config.me.environment == "headless" then "both" else "client";
+  };
+}
--- a/modules/system/wireguard.nix
+++ b/modules/system/wireguard.nix
@ -1,12 +1,12 @@
 { config, lib, pkgs, gcSecrets, ... }:
 let
-  port = 123;
+  port = 51801;
  serverName = "dandelion";
  serverInterface = "enp0s6";
  serverIp = gcSecrets.wireguard.gateway;

  forwarding = {
-#    "22727" = [ "10.100.0.3" "7777" ];
+    "22727" = [ "10.100.0.3" "7777" ];
  };

  mapForwards = type:
@ -18,6 +18,8 @@ let
      in ''
        ${pkgs.iptables}/bin/iptables -${type} PREROUTING -t nat -i ${serverInterface} -p tcp --dport ${sport} -j DNAT --to ${dest}:${dport}
        ${pkgs.iptables}/bin/iptables -${type} FORWARD -p tcp -d ${dest} --dport ${dport} -j ACCEPT
+        ${pkgs.iptables}/bin/iptables -${type} PREROUTING -t nat -i ${serverInterface} -p udp --dport ${sport} -j DNAT --to ${dest}:${dport}
+        ${pkgs.iptables}/bin/iptables -${type} FORWARD -p udp -d ${dest} --dport ${dport} -j ACCEPT
      '') forwarding
    );

--- a/modules/user/eww.nix
+++ b/modules/user/eww.nix
@ -21,9 +21,9 @@ let
    '';
  };
 in {
-  home.packages = with pkgs; [ socat ];
+  home.packages = with pkgs; [ iw socat ];
  programs.eww = {
    enable = true;
-    configDir = res;
  };
+  xdg.configFile."eww".source = res;
 }
--- a/modules/user/git.nix
+++ b/modules/user/git.nix
@ -10,6 +10,7 @@
      user.email = "mini@cilly.moe";
      core.abbrev = 11;
      safe.directory = "/home/rin/Projects/flakes";
+      init.defaultBranch = "master";
    };
  };
 }
--- a/modules/user/hypridle.nix
+++ b/modules/user/hypridle.nix
@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
 let
-  kblight = "light -s sysfs/leds/${config.me.kbBacklightDevice}";
+  kblight = "brightnessctl -d ${config.me.kbBacklightDevice}";
 in
 {
  home.packages = [ config.services.hypridle.package ];
@ -16,18 +16,18 @@ in
      listener = lib.optionals (config.me.kbBacklightDevice != null) [
        {
          timeout = 120;
-          on-timeout = "${kblight} -O && ${kblight} -S 0";
-          on-resume = "${kblight} -I";
+          on-timeout = "${kblight} -s && ${kblight} 0";
+          on-resume = "${kblight} -r";
        }
      ] ++ [
        {
          timeout = 150;
-          on-timeout = "light -O && light -T 0.5";
-          on-resume = "light -I";
+          on-timeout = "brightnessctl -s && brightnessctl 50%-";
+          on-resume = "brightnessctl -r";
        }
        {
          timeout = 180;
-          on-timeout = "light -I && loginctl lock-session";
+          on-timeout = "brightnessctl -r && loginctl lock-session";
        }
        {
          timeout = 195;
--- a/modules/user/neovim-minimal.nix
+++ b/modules/user/neovim-minimal.nix
@ -9,6 +9,8 @@
    vimAlias = true;
    vimdiffAlias = true;
    withNodeJs = false;
+    withPython3 = false;
+    withRuby = false;

    plugins = with pkgs.vimPlugins; [
      fzf-vim
--- a/modules/user/neovim.nix
+++ b/modules/user/neovim.nix
@ -1,9 +1,9 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, sysConfig, ... }:
 let
  luaconf = pkgs.writeText "config.lua"
    (lib.replaceStrings
-      ["{{OMNISHARP_PATH}}" "{{DART_PATH}}" "{{CATPPUCCIN_FLAVOUR}}"]
-      ["${pkgs.omnisharp-roslyn}/bin/OmniSharp" "${pkgs.dart}/bin/dart" config.catppuccin.nvim.flavor]
+      ["{{OMNISHARP_PATH}}" "{{DART_PATH}}" "{{CATPPUCCIN_FLAVOUR}}" "{{USERNAME}}" "{{HOSTNAME}}"]
+      ["${pkgs.omnisharp-roslyn}/bin/OmniSharp" "${pkgs.dart}/bin/dart" config.catppuccin.nvim.flavor config.home.username sysConfig.networking.hostName]
      (builtins.readFile ../../res/config.lua));
 in {
  systemd.user.tmpfiles.rules = [
@ -17,17 +17,20 @@ in {
    vimdiffAlias = true;
    #package = pkgs.neovim-nightly;
    withNodeJs = true;
+    withPython3 = true;
+    withRuby = false;

    extraPackages = with pkgs; [
+      nixd
      rust-analyzer
      texlab
-      nodePackages."@astrojs/language-server"
-      nodePackages."@tailwindcss/language-server"
-      nodePackages.diagnostic-languageserver
-      nodePackages.eslint_d
-      nodePackages.typescript-language-server
-      nodePackages.vscode-langservers-extracted
-      nodePackages.yaml-language-server
+      astro-language-server
+      tailwindcss-language-server
+      diagnostic-languageserver
+      eslint_d
+      typescript-language-server
+      vscode-langservers-extracted
+      yaml-language-server
    ];

    plugins = with pkgs.vimPlugins; [
--- a/overlays/default.nix
+++ b/overlays/default.nix
@ -5,6 +5,7 @@ builtins.map (path: import path) [
  ./eww.nix
  ./jetbrains.nix
  ./material-icons.nix
+  ./openldap.nix
  ./steam.nix
  ./utillinux.nix
  ./wpa-supplicant.nix
--- a/overlays/openldap.nix
+++ b/overlays/openldap.nix
@ -0,0 +1,9 @@
+self: super: {
+  # openldap i686 fails checks
+  # issue: https://github.com/NixOS/nixpkgs/issues/514113
+  # workaround: https://github.com/NixOS/nixpkgs/issues/513245#issuecomment-4320293674
+  # fix: https://github.com/NixOS/nixpkgs/pull/515956
+  openldap = super.openldap.overrideAttrs {
+    doCheck = !self.stdenv.hostPlatform.isi686;
+  };
+}
--- a/packages/linux-lava/sources.nix
+++ b/packages/linux-lava/sources.nix
@ -1,8 +1,8 @@
 { fetchFromGitHub, inputs, lib }:
 let
-  version = "6.19";
-  kernelHash = "0mqka8ii7bvmx9hvfjdiyva9ib0j7m390gxhh8gki3qb4nl7jc1h";
-  kernelPatchHash = "0w36sxwwhfqpc1if9d52rg0g1k20xjl2cairlyiyk10ns17mjxlb";
+  version = "7.0.10";
+  kernelHash = "1w4i705i0nl1xqv7fdhdbhy7j3xrzhl31fabs6vmgiw7nf06szxv";
+  kernelPatchHash = "0h7gxqcnww7sj5cdyblzj04775zhavwdylkm2pm91v6xkjbnz1zj";

  mm = lib.versions.majorMinor version;
  hasPatch = (builtins.length (builtins.splitVersion version)) == 3;
--- a/res/config.lua
+++ b/res/config.lua
@ -51,6 +51,7 @@ vim.g.signify_sign_change_delete     = vim.g.signify_sign_delete

 -- VimTeX
 vim.g.vimtex_view_method = "zathura"
+vim.g.vimtex_quickfix_open_on_warning = 0

 -- Theming
 vim.api.nvim_command("syntax enable")
@ -107,18 +108,18 @@ require('lualine').setup {
 -- many thanks to @kristijanhusak
 -- https://github.com/nvim-treesitter/nvim-treesitter/issues/1167#issuecomment-920824125
 function _G.javascript_indent()
-  local line = vim.fn.getline(vim.v.lnum)
-  local prev_line = vim.fn.getline(vim.v.lnum - 1)
-  if line:match('^%s*[%*/]%s*') then
-    if prev_line:match('^%s*%*%s*') then
-      return vim.fn.indent(vim.v.lnum - 1)
+    local line = vim.fn.getline(vim.v.lnum)
+    local prev_line = vim.fn.getline(vim.v.lnum - 1)
+    if line:match('^%s*[%*/]%s*') then
+        if prev_line:match('^%s*%*%s*') then
+            return vim.fn.indent(vim.v.lnum - 1)
+        end
+        if prev_line:match('^%s*/%*%*%s*$') then
+            return vim.fn.indent(vim.v.lnum - 1) + 1
+        end
    end
-    if prev_line:match('^%s*/%*%*%s*$') then
-      return vim.fn.indent(vim.v.lnum - 1) + 1
-    end
-  end

-  return vim.fn['GetJavascriptIndent']()
+    return vim.fn['GetJavascriptIndent']()
 end

 vim.cmd('au FileType javascript setlocal indentexpr=v:lua.javascript_indent()')
@ -156,22 +157,17 @@ vim.api.nvim_create_autocmd("LspAttach", {
    end
 })

-vim.lsp.handlers["textDocument/publishDiagnostics"] = vim.lsp.with(
-    vim.lsp.diagnostic.on_publish_diagnostics, {
-        focusable = false,
-        virtual_text = false,
-        underline = true,
-        signs = true,
-        update_in_insert = true
-    }
-)
-vim.lsp.handlers["textDocument/signatureHelp"] = vim.lsp.with(
-    vim.lsp.handlers.signature_help, { focusable = false }
-)
+vim.diagnostic.config({
+    focusable = false,
+    virtual_text = false,
+    underline = true,
+    signs = true,
+    update_in_insert = true
+})

 capabilities = require('cmp_nvim_lsp').default_capabilities(capabilities)

-local servers = { 'astro', 'clangd', 'cssls', 'html', 'nil_ls', 'tailwindcss', 'texlab', 'ts_ls', 'yamlls' }
+local servers = { 'astro', 'clangd', 'cssls', 'html', 'tailwindcss', 'texlab', 'ts_ls', 'yamlls' }
 for _, lsp in ipairs(servers) do
    vim.lsp.config(lsp, {
        capabilities = capabilities,
@ -296,6 +292,32 @@ vim.lsp.config("diagnosticls", {
 })
 vim.lsp.enable("diagnosticls")

+-- LSP/nixd
+vim.lsp.config("nixd", {
+  cmd = { "nixd" },
+  filetypes = { "nix" },
+  root_markers = { "flake.nix", ".git" },
+  settings = {
+    nixd = {
+      nixpkgs = {
+        expr = "import <nixpkgs> { }",
+      },
+      formatting = {
+        command = { "nixfmt" },
+      },
+      options = {
+        nixos = {
+          expr = '(builtins.getFlake (toString ./.)).nixosConfigurations.{{HOSTNAME}}.options',
+        },
+        home_manager = {
+          expr = '(builtins.getFlake (builtins.toString ./.)).nixosConfigurations."{{USERNAME}}@{{HOSTNAME}}".options.home-manager.users.type.getSubOptions []',
+        },
+      },
+    },
+  },
+})
+vim.lsp.enable("nixd")
+
 -- LSP/Signatures
 require("lsp_signature").setup {
    hint_enable = false,
--- a/res/eww/eww.yuck
+++ b/res/eww/eww.yuck
@ -1,4 +1,5 @@
 (defwindow mainbar :monitor 0
+
                   :geometry (geometry :x "0%"
                                       :y "0%"
                                       :width "100%"
@ -39,14 +40,15 @@
  `cat /sys/class/power_supply/_BAT_PATH_/capacity`)
 (defpoll pbat_status :interval "1s" :run-while bat-enabled
  `cat /sys/class/power_supply/_BAT_PATH_/status`)
-(defpoll network_strength :interval "1s" :run-while wifi-enabled
-  `nmcli -f IN-USE,SIGNAL device wifi | grep '*' | tr -d -c 0-9`)
+(defpoll wifi_ssid :interval "1s" :run-while wifi-enabled
+  `iwctl station wlan0 show | grep "Connected network" | awk '{print $3}'`)
+(defpoll wifi_strength :interval "1s" :run-while wifi-enabled
+  `iw dev wlan0 link | awk '/signal/ {gsub("-",""); print $2}'`)
 (defpoll bluetooth_device :interval "1s" :run-while bt-enabled
  `bluetoothctl devices Connected | grep Device | cut -d" " -f3-`)
 (defpoll bluetooth_device_count :interval "1s" :run-while bt-enabled
  `bluetoothctl devices Connected | wc -l`)

-(deflisten lnetwork :initial "" :run-while wifi-enabled "./scripts/network.sh")
 (deflisten ltitle :initial "" "./scripts/title.sh")
 (deflisten lworkspaces :initial "[]" "./scripts/workspaces.sh")
 (deflisten lcurrent_workspace :initial "1" "./scripts/active-workspace.sh")
@ -107,22 +109,22 @@
 (defwidget network []
  (button :onclick `eww update network-extended=${network-extended ? "false" : "true"}`
    (box :orientation "horizontal"
-         :class {"widget pill" + ((network-extended && lnetwork != "Disconnected") ? " extended" : "")}
-         :spacing {(network-extended && lnetwork != "Disconnected") ? 5 : 0}
+         :class {"widget pill" + ((network-extended && wifi_ssid != "") ? " extended" : "")}
+         :spacing {(network-extended && wifi_ssid != "") ? 5 : 0}
         :space-evenly false
      (label :text {
-          (lnetwork == "Disconnected") ? ""
-        : (network_strength == "") ? ""
-        : (network_strength < 20) ? ""
-        : (network_strength < 30) ? ""
-        : (network_strength < 55) ? ""
-        : (network_strength < 80) ? ""
+          (wifi_ssid == "") ? ""
+        : (wifi_strength == "") ? ""
+        : (wifi_strength < 75) ? ""
+        : (wifi_strength < 65) ? ""
+        : (wifi_strength < 60) ? ""
+        : (wifi_strength < 50) ? ""
        : ""}
             :class "base pill-icon")
      (revealer :transition "slideleft"
-                :reveal {network-extended && lnetwork != "Disconnected"}
+                :reveal {network-extended && wifi_ssid != ""}
                :duration 150
-        (label :text lnetwork
+        (label :text wifi_ssid
               :class "base")))))

 (defwidget battery []
--- a/res/eww/scripts/network.sh
+++ b/res/eww/scripts/network.sh
@ -1,19 +0,0 @@
-#!/usr/bin/env bash
-
-init=$(nmcli -t -f name,device connection show --active | grep wlp1s0 | cut -d\: -f1)
-
-if [[ -z $init ]]; then
-    echo Disconnected
-else
-    echo $init
-fi
-
-nmcli monitor | while read -r line ; do
-    if [[ $line == *"is now the primary connection" ]]; then
-        conn=$(echo $line | cut -d\' -f2)
-        echo $conn
-    fi
-    if [[ $line == "There's no primary connection" ]]; then
-        echo Disconnected
-    fi
-done
--- a/secrets.nix
+++ b/secrets.nix
@ -1,4 +1,5 @@
 let
+  alyssum = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAp00i2DTwMk9i2WBEwpNTDA51TQJEqzpyCka6znmRzR";
  anemone = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEPFifSAybe97xDP/cq6AAjy7Fm0go0dtQ9ICK6JRUgc";
  blossom = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA5wfPCcpkNR3ubr7cBV0UwVCDo/sMmV0aI/JOJTIxQj";
  dandelion = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFUk99ku7+eiIO7Q9sIPlPx3GiUljLv7W404W/zwrtzI";
@ -6,12 +7,15 @@ let

  rin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPru5eTBvHJ4ZmrrzPRHCGM09wQP/ZHSaKYalDuBVO15";
 in {
-  "secrets/passwd.age".publicKeys = [ anemone blossom rin ];
-  "secrets/wpa_conf.age".publicKeys = [ blossom rin ];
+  "secrets/passwd.age".publicKeys = [ alyssum anemone blossom rin ];
+  "secrets/passwd_smbcilly.age".publicKeys = [ alyssum rin ];
+  "secrets/passwd_smbkujira.age".publicKeys = [ alyssum rin ];
+  "secrets/wpa_conf.age".publicKeys = [ alyssum blossom rin ];

-  "secrets/acme_dns.age".publicKeys = [ dandelion hazel rin ];
-  "secrets/navidrome_env.age".publicKeys = [ anemone dandelion rin ];
+  "secrets/acme_dns.age".publicKeys = [ alyssum dandelion hazel rin ];
+  "secrets/navidrome_env.age".publicKeys = [ alyssum dandelion rin ];
  "secrets/slskd_env.age".publicKeys = [ anemone dandelion rin ];
+  "secrets/tailscale_auth.age".publicKeys = [ alyssum anemone blossom dandelion rin ];
  "secrets/warden_admin.age".publicKeys = [ rin ];
  "secrets/wg_anemone.age".publicKeys = [ anemone rin ];
  "secrets/wg_dandelion.age".publicKeys = [ dandelion rin ];
--- a/secrets/acme_dns.age
+++ b/secrets/acme_dns.age
@ -1,10 +1,11 @@
 age-encryption.org/v1
-> ssh-ed25519 bRFqeQ trK7wfJ1fObF70yD3a6axuXaZv/EzzFI7he1dvUajH8
-1C5IrwITtma/um0zUo6by0llVTnla7TBdyRD07azTT8
-> ssh-ed25519 ZAcXHw f+n0WJKTViwizwTIgRpbLGqk458SnuAFVVj5FQS0nwA
-MRinOTxWGwfeg16VWJYD+1Uta+7xF6G9oyqtYSfEq80
-> ssh-ed25519 U9FXlg 24QGfemIAHZYMwroayNJp91fUkbwUF7ACuXIk+7qdBg
-RNGpjxUgfzV/e1Ab/NcA8A0zzxsXU06xmVbLpG3x+iI
--- mekieJNQOl4vcg+hsSOQsFC7mVUZf/oRl/dT7AeTRKg
-ºöHì¦<C3AC>)kñÞ#%3cªQÎÚº¿Ï•žè1?žad|‚ì³„Ù—²õo2Š¡
-Bð)¾ä=ÿZió˜9çpR<70>¦î	ÉKl<>žgû Õž’éhŒ
+-> ssh-ed25519 kOMSPw vqjZO82kILUQaoD9EwOgnmXKD9IyscgtzP65BVKkGhs
+07f0vL5fSq+EVdJ4n3L/q0tGsh0SVLCueTzbrMQC2ok
+-> ssh-ed25519 bRFqeQ qZAsyhdIY/fg7weEBYfB/WwFBrr/fDRrjt0J/m+57W4
+FOWjbk7efoVdL9WxjWvaZ/0mJrQ4yj0fN/Fa3zztz84
+-> ssh-ed25519 ZAcXHw UHpAQ4nKoGGaZWXVj4UM6uBanOgDpBvG6XdoBvhz6y8
+xF1orqajQxp2QzU/e1sq8lMxz4AQ2Vr5a3wEU55QqyE
+-> ssh-ed25519 U9FXlg n/LPuRDZ7N0VbZYLNr86hH/yRuqd2zFC7Nnpooz8d0o
+aZig/wjd5vitGaJwQ89w2M7fj8fAiqTpdDOmLae74sM
+--- mXuALIh6k4n0cErsTFnwKemo/r2jFG7mGSTz2M8zXF8
+Zr2îŽ.	Òõ~Mú’P€þXÅ¹1¼)pÌ9Rî–9ªScLzhQü™ßO†Ä0íH7£•ŽLÌj¦5½
üâÏöÒ\©›l9˜7ÓôçÜ«nœ©¡>¹æ¢
--- a/secrets/navidrome_env.age
+++ b/secrets/navidrome_env.age
--- a/secrets/passwd.age
+++ b/secrets/passwd.age
--- a/secrets/passwd_smbcilly.age
+++ b/secrets/passwd_smbcilly.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 kOMSPw CQaXT9/nw3NGD2/H/ctSQGXIoacgjfKQ24wkpEieLSQ
+i4xEXgWGQ7xgQyaDQQIeDuiCLjA6Le23qSnv8C1cbcI
+-> ssh-ed25519 U9FXlg GL4dCSCku/FA6ipb9XI1AxO4lhm2r/1lRAeqaGrB32o
+pPgqwnoPi3wJLobTimVMj0rng+XRapRG6jTYFXSsDM
+--- eVgn3ON19pqq+L832bqlbkHUQXdaTI+LfSL4bYfEdew
+Æ*Œl\ÈWç!J7E/´»îò"f@%\ìüÏ[¨òj8fÓ¶›ž
--- a/secrets/passwd_smbkujira.age
+++ b/secrets/passwd_smbkujira.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 kOMSPw Kn+LPMoyOrVwI/nrGgnxgVA3D+tVY9Tccg/Yx/jL+E8
+IfWiSBh7KgNvgcHlcDzfdcB9nxm1zy12Ae7AGm39fdE
+-> ssh-ed25519 U9FXlg 6eIIGEIYDo02FBsgBnwbuOeR8t4xB6jSmLfIL73UCDg
+QOc0ddunQQcVEVD20DKKpn3wZWUSveFJSUTBnv+xnNk
+--- MjN2i0FNzbUpBGUDNgWGXrRsYl2gtsQX+JlzZV/fYdw
+TÎ <ç‘R#d<>Ä†ÌŽlLkáN¦½º8´cÃ_N¬)±ŠT
--- a/secrets/slskd_env.age
+++ b/secrets/slskd_env.age
--- a/secrets/tailscale_auth.age
+++ b/secrets/tailscale_auth.age
@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-ed25519 kOMSPw judP6VmZDGErkHfUpCp3xTgJtWVmGv3/tZw3WGyhfhM
+10jxPIR6Qaf/iWLzbWOrFq9XBsm8OC3mcMrxEt+BYQ8
+-> ssh-ed25519 ohyStA Xc6TjSJYtJkK1VEauNJKn+RcTdwdkyJ0Sr+tbAJ8rGc
+vzQt4zMdktY5tNvfu9HsKBgJb52uM7x8bhF+WXwpWZ8
+-> ssh-ed25519 CUCjXQ r8WxaXpWtaBdMJ2ubaAwJ4ipSz/UtnMs0x3+eI8p0VU
+CdicUH7AE4E4XVHDAeYzQdsYMYA0sCLlt2P4eR24vvs
+-> ssh-ed25519 bRFqeQ E9sknPioO9leKqs8bFJDLrAMuRAJf0ZRyGMvy7O5wVA
+KX93oSqGHimM/PaeaoHq1aYVXGG1YsVMO2ihZaM8xVE
+-> ssh-ed25519 U9FXlg u7yG7cLylPUgu/Is4xx0BXVhX31vUtgStV5CYa8Cowg
+xAuGYZpMPVQpZYASXrMuqNE9wqqEG3kMLUNjLzPmL4g
+--- EoeqIMnX5tR3J51Cz2QEyjsgD/7h468bqjRmt3mOEjY
+–äxHQ•<>Š)þôÛûkö)Ä‰Bâ³~Û•‚Ö–Zv?·–ˆ¦%lQx
OwZIs©Û„óf4á‹D¯”ûÇ”þ*îOtÝ³¶0.m[qß_[¯ÿ°¨žvº×Û
--- a/secrets/wpa_conf.age
+++ b/secrets/wpa_conf.age
--- a/users/rin/packages.nix
+++ b/users/rin/packages.nix
@ -15,19 +15,25 @@ in {
    ffmpeg
    gnupg
    kitty
-    nil
    nodejs_latest
    pamixer
-    qmk
+    pnpm
    unrar
-    weechat
    yt-dlp
-
-    nodePackages_latest.pnpm
+  ] ++ lib.optionals (config.me.environment == "desktop") [
+    krita
+    lutris
+    mangohud
+    inputs.nix-gaming.packages.x86_64-linux.osu-lazer-bin
+    qmk
+    tetrio-desktop
+    tor-browser
+    virt-manager
+    winetricks
  ] ++ lib.optionals config.me.gui [
    android-studio
+    brightnessctl
    drawio
-    element-desktop
    evince
    eww
    feh
@ -36,32 +42,25 @@ in {
    gamescope
    gimp3
    grim
-    jetbrains.gateway
-    #kotatogram-desktop
-    krita
    lm_sensors
-    lutris
-    insomnia
    maim
-    mangohud
    me.psensor
-    inputs.nix-gaming.packages.x86_64-linux.osu-lazer-bin
-    # inputs.nix-gaming.packages.x86_64-linux.wine-osu
    obsidian
    pavucontrol
-    prismlauncher
+    (prismlauncher.override {
+      jdks = [
+        jdk21
+        temurin-bin-25
+      ];
+    })
    qbittorrent
    rivalcfg
    screenkey
    slurp
    swaybg
-    tetrio-desktop
    texliveFull
-    tor-browser
    transmission-remote-gtk
    vesktop
-    virt-manager
-    winetricks
    zathura
    zenity
Author	SHA1	Message	Date
Cilly Leang	c0004409d7	alyssum/samba: bind music Some checks failed CI / Build linux-lava for x86_64-linux (push) Has been cancelled Details	2026-06-19 09:12:52 +10:00
Cilly Leang	004832fc06	containers/emerald: bind music directory Some checks failed CI / Build linux-lava for x86_64-linux (push) Has been cancelled Details	2026-06-19 09:03:39 +10:00
Cilly Leang	83371117d4	containers/emerald: change mounts Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-06-19 08:57:22 +10:00
Cilly Leang	e1c02d7a91	containers/emerald: move to alyssum Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-06-19 08:01:17 +10:00
Cilly Leang	4dfc898140	user/neovim: switch to nixd	2026-06-19 07:36:13 +10:00
Cilly Leang	21dc584199	alyssum/home.syncthing: don't override devices and folders Some checks failed CI / Build linux-lava for x86_64-linux (push) Has been cancelled Details	2026-06-17 21:22:03 +10:00
Cilly Leang	6c80606b7e	alyssum/home.syncthing: fixup conf Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-06-17 21:15:22 +10:00
Cilly Leang	907f2cabca	alyssum/home.syncthing: set proper defaults Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-06-17 21:14:47 +10:00
Cilly Leang	5c13051b4b	alyssum/samba: bind some directories	2026-06-17 21:05:38 +10:00
Cilly Leang	bc3269a814	alyssum/home.syncthing: create another instance Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-06-17 20:29:22 +10:00
Cilly Leang	63d9d6b004	alyssum/home.syncthing: add host to gui address Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-06-17 19:58:03 +10:00
Cilly Leang	9a821fda94	alyssum/home.syncthing: fixup hm config Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-06-17 19:50:02 +10:00
Cilly Leang	8157d0d561	alyssum/home.syncthing: init Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-06-17 19:49:10 +10:00
Cilly Leang	024a6bdbe2	alyssum/samba: relax hosts Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-06-17 18:47:15 +10:00
Cilly Leang	4bb20124a7	alyssum/samba: use full package for discovery Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-06-17 18:34:34 +10:00
Cilly Leang	509684d0bd	alyssum/samba: use proper smbpasswd path Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-06-17 18:28:39 +10:00
Cilly Leang	c782bd5e53	hosts/alyssum: add passwd age Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-06-17 18:23:10 +10:00
Cilly Leang	4f8249b780	alyssum/samba: use proper credentials Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-06-17 18:16:21 +10:00
Cilly Leang	d1a8e7222f	alyssum/samba: init	2026-06-17 18:11:09 +10:00
Cilly Leang	402c847f3c	dandelion/filesystem: reduce rootfs from 12G to 6G	2026-06-14 20:32:32 +10:00
Cilly Leang	2a9e8e6c03	containers/garnet: extend token expiration Some checks failed CI / Build linux-lava for x86_64-linux (push) Has been cancelled Details	2026-06-13 23:44:29 +10:00
Cilly Leang	e98a71cd1e	containers/garnet: config nginx to avoid errors Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-06-13 22:12:32 +10:00
Cilly Leang	6fc74bd778	hosts/hyacinth: add docker	2026-06-13 22:10:19 +10:00
Cilly Leang	37f271bed8	containers/citrine: enable push to create Some checks failed CI / Build linux-lava for x86_64-linux (push) Has been cancelled Details	2026-06-10 16:05:24 +10:00
Cilly Leang	2990972989	user/git: set default branch name	2026-06-10 16:01:23 +10:00
Cilly Leang	b705a21478	system/tailscale: fix syntax Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-06-10 15:06:38 +10:00
Cilly Leang	75f9cc9d2b	system/tailscale: open port 123 on headless Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-06-10 15:05:05 +10:00
Cilly Leang	ea17ef30c6	system/input: map esc to capslock	2026-06-10 15:03:24 +10:00
Cilly Leang	8a85e25d72	system/input: don't overload capslock input delay :p	2026-06-10 15:03:24 +10:00
Cilly Leang	9a6a29831b	system/security: reenable doas persist	2026-06-10 15:03:24 +10:00
Cilly Leang	8ca9e393ea	system/input: swap esc using keyd	2026-06-10 15:03:24 +10:00
Cilly Leang	9a87dc63c3	rin/packages: move prism back to shared gui	2026-06-10 15:03:19 +10:00
Cilly Leang	1ad05857b7	services/syncthing: setup correct guiAddress Some checks failed CI / Build linux-lava for x86_64-linux (push) Has been cancelled Details	2026-06-06 20:35:10 +10:00
Cilly Leang	72078aad6c	services/syncthing: listen on all ports for headless Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-06-06 20:33:19 +10:00
Cilly Leang	abe0027e5d	hosts/alyssum: add syncthing Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-06-06 20:23:56 +10:00
Cilly Leang	ee3e0868a8	system/tailscale: loosen firewall for tailnet	2026-06-06 20:14:37 +10:00
Cilly Leang	91abcbed19	services/banksia: redirect to lab Some checks failed CI / Build linux-lava for x86_64-linux (push) Has been cancelled Details	2026-06-02 19:54:09 +10:00
Cilly Leang	93354e6419	containers/citrine: garden -> lab Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-06-02 19:50:01 +10:00
Cilly Leang	cc2e9d1a90	user/eww: use iwd tools instead of nmcli Some checks failed CI / Build linux-lava for x86_64-linux (push) Has been cancelled Details	2026-05-31 02:15:37 +10:00
Cilly Leang	e7588e0be0	{system,rin}/packages: cleanup Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-05-30 21:24:30 +10:00
Cilly Leang	4851369098	containers/garnet: add hosts and correct bind mounts Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-05-29 00:44:13 +10:00
Cilly Leang	34e649e621	alyssum/filesystem: add myosotis	2026-05-29 00:43:32 +10:00
Cilly Leang	f622d5f577	containers/garnet: try removing host header	2026-05-28 23:43:07 +10:00
Cilly Leang	c4bedfd86e	containers/garnet: move back to listen addrs	2026-05-28 23:34:25 +10:00
Cilly Leang	011ceee498	containers/garnet: use ipv4 for proxy	2026-05-28 23:27:19 +10:00
Cilly Leang	0735ffdb69	containers/garnet: remove stray sv and set address to local ip	2026-05-28 23:22:19 +10:00
Cilly Leang	a25d214b82	hosts/alyssum: enable nginx	2026-05-28 23:10:40 +10:00
Cilly Leang	27e9546327	containers/garnet: better ip filtering	2026-05-28 23:04:35 +10:00
Cilly Leang	140b12fa5d	hosts/alyssum: enable garnet	2026-05-28 23:02:40 +10:00
Cilly Leang	babc27c8be	containers/garnet: init	2026-05-28 23:01:43 +10:00
Cilly Leang	939d0cc861	system/tailscale: persist tailscale state Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-05-30 20:37:42 +10:00
Cilly Leang	0edeac9f4c	user/neovim: remove lsp.with	2026-05-30 19:38:31 +10:00
Cilly Leang	10fbeac140	user/eww: manually set configDir Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details why was this changed???	2026-05-30 01:57:08 +10:00
github-actions[bot]	1d9f9f4927	packages/linux-lava: bump to 7.0.10	2026-05-30 01:51:28 +10:00
github-actions[bot]	1941deb004	flake: bump inputs	2026-05-30 01:51:28 +10:00
Cilly Leang	4a82035d82	hosts/hyacinth: enable tailscale	2026-05-30 01:45:45 +10:00
Cilly Leang	604983800f	hyacinth/packages: add discord	2026-05-30 01:27:12 +10:00
Cilly Leang	81c17720eb	containers/{d,e,f}: listen on tailscale Some checks failed CI / Build linux-lava for x86_64-linux (push) Has been cancelled Details	2026-05-28 22:40:19 +10:00
Cilly Leang	b8a7dfa8a8	system/tailscale: enable routing features Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-05-28 22:19:54 +10:00
Cilly Leang	d0e090bb68	hosts/alyssum: enable tailscale Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-05-28 22:10:44 +10:00
Cilly Leang	e5e608c580	services/unbound: allow access from tailscale Some checks failed CI / Build linux-lava for x86_64-linux (push) Has been cancelled Details	2026-05-28 21:56:34 +10:00
Cilly Leang	69717ef92b	hosts/dandelion: enable tailscale Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-05-28 21:33:57 +10:00
Cilly Leang	d13f18a189	user/neovim{,-minimal}: set defaults to suppress warning	2026-05-28 21:21:49 +10:00
Cilly Leang	de857dcfbf	services/nginx: credentialsFile -> environmentFile	2026-05-28 21:20:27 +10:00
Cilly Leang	5680e29cd2	services/unbound: add google to dns	2026-05-28 21:17:50 +10:00
Cilly Leang	4a91f8a165	system/wireguard: also forward udp	2026-05-28 21:17:50 +10:00
Cilly Leang	52e53ba5b3	containers/amethyst: use ipv4 proxy	2026-05-28 21:17:49 +10:00
Cilly Leang	218da08936	containers/beryllium: use ipv4	2026-05-28 21:17:49 +10:00
Cilly Leang	724d30a092	containers/fluorite: change slskd env	2026-05-28 21:17:46 +10:00
Cilly Leang	c8c6fb1b5e	system/tailscale: init	2026-05-28 20:55:11 +10:00
Cilly Leang	59f5913b68	hosts/alyssum: disable insecure ssh	2026-05-28 20:19:04 +10:00
Cilly Leang	0d99bd6015	alyssum/networking: point to wpa_conf correctly, attempt 3	2026-05-28 20:16:59 +10:00
Cilly Leang	865b473df7	alyssum/networking: point to wpa_conf correctly, attempt 2 why was this changed?????	2026-05-28 20:13:54 +10:00
Cilly Leang	c323f004f1	alyssum/networking: point to wpa_conf correctly	2026-05-28 20:06:36 +10:00
Cilly Leang	220af6cf15	alyssum/networking: enable wpa_supplicant	2026-05-28 18:59:38 +10:00
Cilly Leang	ae707d33ea	alyssum/networking: use wpa_conf	2026-05-28 18:55:41 +10:00
Cilly Leang	880316173f	hosts/alyssum: (temporarily) allow password login	2026-05-28 18:43:52 +10:00
Cilly Leang	0638cf6f5f	alyssum/kernel: update	2026-05-28 18:19:13 +10:00
Cilly Leang	0f7393714f	hosts/alyssum: init	2026-05-28 18:08:15 +10:00
Cilly Leang	cc43450dd1	system/security: enable pam_u2f	2026-05-28 17:43:08 +10:00
Cilly Leang	4c28a3eecb	overlays/openldap: skip failing checks for 32-bit	2026-05-11 01:05:27 +10:00
Cilly Leang	575a0e9610	treewide: remove nodePackages	2026-05-10 22:44:46 +10:00
github-actions[bot]	58d4b60f5b	packages/linux-lava: bump to 7.0.5	2026-05-10 22:35:04 +10:00
github-actions[bot]	75e0c8f6ac	flake: bump inputs	2026-05-10 22:35:00 +10:00
Cilly Leang	27ba1aaede	anemone/networking: switch to iwd	2026-04-26 15:47:39 +10:00
Cilly Leang	087ed1c323	user/neovim: fix logs opening on tex save	2026-04-18 15:10:44 +10:00
Cilly Leang	e303fee58d	system/wireguard: change port to 51801 Some checks failed CI / Build linux-lava for x86_64-linux (push) Has been cancelled Details	2026-04-06 23:16:57 +10:00
Cilly Leang	d11d080c94	system/packages-gui: move light to brightnessctl in home Some checks failed CI / Build linux-lava for x86_64-linux (push) Has been cancelled Details	2026-03-24 13:53:28 +11:00
github-actions[bot]	2239c1cc64	packages/linux-lava: bump to 6.19.9	2026-03-24 13:53:27 +11:00
github-actions[bot]	576fd7604f	flake: bump inputs	2026-03-24 13:53:27 +11:00
Cilly Leang	9fd117c50c	rin/packages: add temurin-25 to prismlauncher	2026-03-24 13:52:02 +11:00