alyssum/samba: bind music

input delay :p

.github/workflows/cachix.yml

@@ -5,20 +5,6 @@ on:
   workflow_dispatch:
 
 jobs:
-  check:
-    name: Check flake
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-      - uses: cachix/install-nix-action@v31
-      - uses: cachix/cachix-action@v14
-        with:
-          name: lava
-          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
-      - run: nix flake check --keep-going --verbose
-
   build:
     name: Build linux-lava for x86_64-linux
     runs-on: ubuntu-latest
@@ -35,7 +21,7 @@ jobs:
         with:
           fetch-depth: 0
       - uses: cachix/install-nix-action@v31
-      - uses: cachix/cachix-action@v14
+      - uses: cachix/cachix-action@v16
         with:
           name: lava
           authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'

containers/amethyst/configuration.nix

@@ -0,0 +1,47 @@
+{ lib, pkgs, ... }: {
+  system.stateVersion = "23.11";
+  systemd.tmpfiles.rules = [
+    "d /persist/transmission 755 transmission transmission"
+    "d /persist/transmission/.config/transmission-daemon 750 transmission transmission"
+    "d /persist/transmission/.incomplete 750 transmission transmission"
+    "d /persist/transmission/Downloads 755 transmission transmission"
+    "d /persist/transmission/watchdir 755 transmission transmission"
+  ];
+  networking.wg-quick.interfaces.wg0 = {
+    configFile = "/persist/vpn.conf";
+    preUp = ''
+          # Try to access the DNS for up to 300s
+          for i in {1..60}; do
+            ${pkgs.iputils}/bin/ping -c1 'google.com' && break
+            echo "Attempt $i: DNS still not available"
+            sleep 5s
+          done
+    '';
+  };
+
+  # https://github.com/NixOS/nixpkgs/issues/258793
+  systemd.services.transmission.serviceConfig = {
+    BindReadOnlyPaths = lib.mkForce [ builtins.storeDir "/etc" ];
+    RootDirectoryStartOnly = lib.mkForce false;
+    RootDirectory = lib.mkForce "";
+    PrivateMounts = lib.mkForce false;
+    PrivateUsers = lib.mkForce false;
+  };
+
+  networking.firewall.allowedTCPPorts = [ 9091 ];
+  services.transmission = {
+    enable = true;
+    package = pkgs.transmission_4;
+    downloadDirPermissions = "775";
+    openFirewall = true;
+    home = "/persist/transmission";
+    settings = {
+      ratio-limit-enabled = true;
+      rpc-bind-address = "0.0.0.0";
+      rpc-enabled = true;
+      rpc-port = 9091;
+      rpc-host-whitelist-enabled = false;
+      rpc-whitelist-enabled = false;
+    };
+  };
+}

containers/amethyst/flake.lock

@@ -0,0 +1,27 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1773282481,
+        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

containers/amethyst/flake.nix

@@ -0,0 +1,51 @@
+{
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+  };
+  outputs = { nixpkgs, ... }: {
+    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
+      modules = [ ./configuration.nix ];
+    };
+    nixosModule = { ... }:
+    let
+      name = "amethyst";
+      fqdn = "amethyst.lava.moe";
+      subnet = "1";
+    in {
+      networking.nat = {
+        enable = true;
+        enableIPv6 = true;
+        internalInterfaces = [ "ve-${name}" ];
+      };
+
+      services.nginx.virtualHosts."${fqdn}" = {
+        useACMEHost = "lava.moe";
+        forceSSL = true;
+        #locations."/".proxyPass = "http://[fd0d:1::${subnet}:2]:9091";
+        locations."/".proxyPass = "http://10.30.${subnet}.2:9091";
+        listenAddresses = [ "10.0.0.1" "[fd0d::1]" ];
+      };
+
+      systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
+      containers.${name} = {
+        autoStart = true;
+        privateNetwork = true;
+        hostAddress = "10.30.${subnet}.1";
+        localAddress = "10.30.${subnet}.2";
+        hostAddress6 = "fd0d:1::${subnet}:1";
+        localAddress6 = "fd0d:1::${subnet}:2";
+        # privateUsers = "pick";
+        nixpkgs = nixpkgs;
+        ephemeral = true;
+        config = { imports = [ ./configuration.nix ]; };
+
+        bindMounts."persist" = {
+          hostPath = "/persist/containers/${name}";
+          mountPoint = "/persist";
+          isReadOnly = false;
+        };
+        # flake = "path:" + ./.;
+      };
+    };
+  };
+}

containers/beryllium/configuration.nix

@@ -0,0 +1,23 @@
+{ ... }: {
+  system.stateVersion = "25.11";
+  fileSystems."/var/lib/private" = {
+    device = "/persist";
+    fsType = "none";
+    options = [ "bind" ];
+  };
+  networking.firewall.allowedTCPPorts = [ 6167 ];
+  networking.firewall.allowedUDPPorts = [ 6167 ];
+  # TODO: this should be generically set
+  networking.useHostResolvConf = false;
+  networking.nameservers = [ "8.8.8.8" ];
+
+  services.matrix-continuwuity = {
+    enable = true;
+    settings.global = {
+      # TODO: link this with outer container's address
+      address = [ "10.30.2.2" ];
+      server_name = "lava.moe";
+      rocksdb_recovery_mode = 2;
+    };
+  };
+}

containers/beryllium/flake.lock

@@ -0,0 +1,27 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1773282481,
+        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

containers/beryllium/flake.nix

@@ -0,0 +1,69 @@
+{
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+  };
+  outputs = { nixpkgs, ... }: {
+    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
+      modules = [ ./configuration.nix ];
+    };
+    nixosModule = { ... }:
+    let
+      name = "beryllium";
+      fqdn = "beryllium.lava.moe";
+      subnet = "2";
+    in {
+      networking.nat = {
+        enable = true;
+        enableIPv6 = true;
+        internalInterfaces = [ "ve-${name}" ];
+      };
+
+      services.nginx.virtualHosts."${fqdn}" = {
+        useACMEHost = "lava.moe";
+        forceSSL = true;
+        locations."/".extraConfig = "return 302 'https://lava.moe';";
+        locations."/_matrix".proxyPass = "http://10.30.${subnet}.2:6167";
+        locations."/_conduwuit".proxyPass = "http://10.30.${subnet}.2:6167";
+        locations."/_continuwuity".proxyPass = "http://10.30.${subnet}.2:6167";
+      };
+
+      services.nginx.virtualHosts."lava.moe" = {
+        locations."= /.well-known/matrix/server".extraConfig =
+          let
+            server = { "m.server" = "${fqdn}:443"; };
+          in ''
+            add_header Content-Type application/json;
+            return 200 '${builtins.toJSON server}';
+          '';
+        locations."= /.well-known/matrix/client".extraConfig =
+          let
+            client = {
+              "m.homeserver" = { "base_url" = "https://${fqdn}"; };
+              # "m.identity_server" = { "base_url" = "https://vector.im"; };
+            };
+          in ''
+            add_header Content-Type application/json;
+            add_header Access-Control-Allow-Origin *;
+            return 200 '${builtins.toJSON client}';
+          '';
+      };
+
+      systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
+      containers.${name} = {
+        autoStart = true;
+        privateNetwork = true;
+        hostAddress = "10.30.${subnet}.1";
+        localAddress = "10.30.${subnet}.2";
+        nixpkgs = nixpkgs;
+        ephemeral = true;
+        config = { imports = [ ./configuration.nix ]; };
+
+        bindMounts."persist" = {
+          hostPath = "/persist/containers/${name}";
+          mountPoint = "/persist";
+          isReadOnly = false;
+        };
+      };
+    };
+  };
+}

containers/citrine/configuration.nix

@@ -0,0 +1,53 @@
+{ config, fqdn, lib, ... }: {
+  system.stateVersion = "25.11";
+  networking.firewall.allowedTCPPorts = [ 22 3000 ];
+  networking.firewall.allowedUDPPorts = [ 22 3000 ];
+
+  systemd.tmpfiles.rules = [
+    "L+ /persist/forgejo/custom/templates - - - - ${./templates}"
+  ];
+
+  services.forgejo = {
+    enable = true;
+    lfs.enable = true;
+    settings = {
+      DEFAULT.APP_NAME = "cilly's botanical laboratory";
+      server = {
+        DOMAIN = fqdn;
+        ROOT_URL = "https://${fqdn}/";
+        HTTP_PORT = 3000;
+        START_SSH_SERVER = true;
+        BUILTIN_SSH_SERVER_USER = "git";
+        SSH_DOMAIN = "git.lava.moe";
+        SSH_SERVER_KEY_EXCHANGES = "mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256";
+      };
+      ui = lib.mkForce {
+        DEFAULT_THEME = "catppuccin-maroon-auto";
+        THEMES = lib.strings.concatMapStringsSep "," (x: "${x}-auto") [
+          "catppuccin-pink"
+          "catppuccin-maroon"
+          "catppuccin-flamingo"
+          "catppuccin-rosewater"
+          "forgejo"
+          "gitea"
+        ];
+      };
+      api.ENABLE_SWAGGER = false;
+      other.SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
+      repository.ENABLE_PUSH_CREATE_USER = true;
+      repository.ENABLE_PUSH_CREATE_ORG = true;
+      service.DISABLE_REGISTRATION = true;
+    };
+    stateDir = "/persist/forgejo";
+  };
+
+  systemd.services.forgejo.serviceConfig = {
+    AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+    CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+    PrivateUsers = lib.mkForce false;
+  };
+
+  catppuccin.forgejo.enable = true;
+
+  environment.systemPackages = [ config.services.forgejo.package ];
+}

containers/citrine/flake.lock

@@ -0,0 +1,62 @@
+{
+  "nodes": {
+    "catppuccin": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1773403535,
+        "narHash": "sha256-47MZaFrHxNO8tVUAmtVnerXUw2WWVluBOiU9MulN/yM=",
+        "owner": "catppuccin",
+        "repo": "nix",
+        "rev": "d45b5665cc638bad1b794350de02f4dd41b0bb47",
+        "type": "github"
+      },
+      "original": {
+        "owner": "catppuccin",
+        "repo": "nix",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1773122722,
+        "narHash": "sha256-FIqHByVqxCprNjor1NqF80F2QQoiiyqanNNefdlvOg4=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "62dc67aa6a52b4364dd75994ec00b51fbf474e50",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1773282481,
+        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "catppuccin": "catppuccin",
+        "nixpkgs": "nixpkgs_2"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

containers/citrine/flake.nix

@@ -0,0 +1,68 @@
+{
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    catppuccin.url = "github:catppuccin/nix";
+  };
+  outputs = { nixpkgs, catppuccin, ... }:
+  let
+    name = "citrine";
+    fqdn = "lab.lava.moe";
+    subnetId = "3";
+
+    subnet = x: "fd0d:1::${subnetId}:${toString x}";
+    host = subnet 1;
+    client = subnet 2;
+
+    subnet4 = x: "10.30.${subnetId}.${toString x}";
+    host4 = subnet4 1;
+    client4 = subnet4 2;
+
+    modules = [
+      ./configuration.nix
+      catppuccin.nixosModules.catppuccin
+      {
+        networking.useHostResolvConf = false;
+        networking.nameservers = [ host ];
+      }
+    ];
+  in {
+    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
+      inherit modules;
+    };
+    nixosModule = { ... }: {
+      networking.nat = {
+        enable = true;
+        enableIPv6 = true;
+        internalInterfaces = [ "ve-${name}" ];
+      };
+
+      services.nginx.virtualHosts."${fqdn}" = {
+        useACMEHost = "lava.moe";
+        forceSSL = true;
+        locations."/".proxyPass = "http://[${client}]:3000";
+      };
+
+      systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
+      containers.${name} = {
+        autoStart = true;
+        privateNetwork = true;
+        hostAddress = host4;
+        localAddress = client4;
+        hostAddress6 = host;
+        localAddress6 = client;
+        # privateUsers = "pick";
+        nixpkgs = nixpkgs;
+        ephemeral = true;
+        config = { imports = modules; };
+        specialArgs = { inherit fqdn; };
+
+        bindMounts."persist" = {
+          hostPath = "/persist/containers/${name}";
+          mountPoint = "/persist";
+          isReadOnly = false;
+        };
+        # flake = "path:" + ./.;
+      };
+    };
+  };
+}

containers/citrine/templates/base/footer_content.tmpl

@@ -0,0 +1,31 @@
+<footer class="page-footer" role="group" aria-label="{{ctx.Locale.Tr "aria.footer"}}">
+    <div class="left-links" role="contentinfo" aria-label="{{ctx.Locale.Tr "aria.footer.software"}}">
+        {{if ShowFooterPoweredBy}}
+            <a target="_blank" rel="noopener noreferrer" href="https://forgejo.org">Forgejo</a>
+        {{end}}
+        {{if (or .ShowFooterVersion .PageIsAdmin)}}
+            {{if .IsAdmin}}
+                <a href="{{AppSubUrl}}/admin/config">{{AppVerNoMetadata}}</a>
+            {{else}}
+                {{AppVerNoMetadata}}
+            {{end}}
+        {{end}}
+        {{if and .TemplateLoadTimes ShowFooterTemplateLoadTime}}
+            {{ctx.Locale.Tr "page"}}: <strong>{{LoadTimes .PageStartTime}}</strong>
+            {{ctx.Locale.Tr "template"}}{{if .TemplateName}} {{.TemplateName}}{{end}}: <strong>{{call .TemplateLoadTimes}}</strong>
+        {{end}}
+    </div>
+    <div class="right-links" role="group" aria-label="{{ctx.Locale.Tr "aria.footer.links"}}">
+        <div class="ui dropdown upward language">
+            <span class="flex-text-inline">{{svg "octicon-globe" 14}} {{ctx.Locale.LangName}}</span>
+            <div class="menu language-menu">
+                {{range .AllLangs}}
+                    <a lang="{{.Lang}}" data-url="{{AppSubUrl}}/?lang={{.Lang}}" class="item {{if eq ctx.Locale.Lang .Lang}}active selected{{end}}">{{.Name}}</a>
+                {{end}}
+            </div>
+        </div>
+        <a href="{{AssetUrlPrefix}}/licenses.txt">{{ctx.Locale.Tr "licenses"}}</a>
+        {{if .EnableSwagger}}<a href="{{AppSubUrl}}/api/swagger">API</a>{{end}}
+        {{template "custom/extra_links_footer" .}}
+    </div>
+</footer>

containers/citrine/templates/home.tmpl

@@ -0,0 +1,19 @@
+{{template "base/head" .}}
+{{if not .IsSigned}}
+    <script>window.location.href = "/explore/repos";</script>
+{{end}}
+<div role="main" aria-label="{{if .IsSigned}}{{ctx.Locale.Tr "dashboard"}}{{else}}{{ctx.Locale.Tr "home"}}{{end}}" class="page-content home">
+    <div class="tw-mb-8 tw-px-8">
+        <div class="center">
+            <img class="logo" width="220" height="220" src="{{AssetUrlPrefix}}/img/logo.svg" alt="{{ctx.Locale.Tr "logo"}}">
+            <div class="hero">
+                <h1 class="ui icon header title">
+                    {{AppDisplayName}}
+                </h1>
+                <h2>{{ctx.Locale.Tr "startpage.app_desc"}}</h2>
+            </div>
+        </div>
+    </div>
+    {{template "home_forgejo" .}}
+</div>
+{{template "base/footer" .}}

containers/diamond/configuration.nix

@@ -0,0 +1,22 @@
+{ fqdn, ... }: {
+  system.stateVersion = "25.11";
+  systemd.tmpfiles.rules = [
+    "d /persist/vaultwarden 755 vaultwarden vaultwarden"
+  ];
+  fileSystems."/var/lib/vaultwarden" = {
+    device = "/persist/vaultwarden";
+    fsType = "none";
+    options = [ "bind" ];
+  };
+  networking.firewall.allowedTCPPorts = [ 8000 ];
+  networking.firewall.allowedUDPPorts = [ 8000 ];
+
+  services.vaultwarden = {
+    enable = true;
+    domain = fqdn;
+    config = {
+      DOMAIN = "https://${fqdn}";
+      ROCKET_ADDRESS = "::";
+    };
+  };
+}

containers/diamond/flake.lock

@@ -0,0 +1,27 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1773282481,
+        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

containers/diamond/flake.nix

@@ -0,0 +1,51 @@
+{
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+  };
+  outputs = { nixpkgs, ... }:
+  let
+    name = "diamond";
+    fqdn = "astransia.lava.moe";
+    subnetId = "4";
+
+    subnet = x: "fd0d:1::${subnetId}:${toString x}";
+    host = subnet 1;
+    client = subnet 2;
+
+    modules = [
+      ./configuration.nix
+    ];
+  in {
+    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
+      inherit modules;
+    };
+    nixosModule = { ... }: {
+      services.nginx.virtualHosts."${fqdn}" = {
+        useACMEHost = "lava.moe";
+        forceSSL = true;
+        locations."/".proxyPass = "http://[${client}]:8000";
+        listenAddresses = [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ];
+      };
+
+      systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
+      containers.${name} = {
+        autoStart = true;
+        privateNetwork = true;
+        hostAddress6 = host;
+        localAddress6 = client;
+        # privateUsers = "pick";
+        nixpkgs = nixpkgs;
+        ephemeral = true;
+        config = { imports = modules; };
+        specialArgs = { inherit fqdn; };
+
+        bindMounts."persist" = {
+          hostPath = "/persist/containers/${name}";
+          mountPoint = "/persist";
+          isReadOnly = false;
+        };
+        # flake = "path:" + ./.;
+      };
+    };
+  };
+}

containers/emerald/configuration.nix

@@ -0,0 +1,23 @@
+{ fqdn, shareFqdn, ... }: {
+  system.stateVersion = "25.11";
+  systemd.tmpfiles.rules = [
+    "d /persist/navidrome 755 navidrome navidrome"
+  ];
+  networking.firewall.allowedTCPPorts = [ 4533 ];
+  networking.firewall.allowedUDPPorts = [ 4533 ];
+
+  services.navidrome = {
+    enable = true;
+    environmentFile = "/binds/navidrome_env";
+    settings = {
+      Port = 4533;
+      Address = "[::]";
+      BaseUrl = "https://${fqdn}/";
+      ShareURL = "https://${shareFqdn}";
+      EnableSharing = true;
+      DataFolder = "/persist/navidrome";
+      MusicFolder = "/binds/music/main";
+    };
+  };
+  systemd.services.navidrome.serviceConfig.BindReadOnlyPaths = ["/binds/music"];
+}

containers/emerald/flake.lock

@@ -0,0 +1,27 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1773282481,
+        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

containers/emerald/flake.nix

@@ -0,0 +1,78 @@
+{
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+  };
+  outputs = { nixpkgs, ... }:
+  let
+    name = "emerald";
+    fqdn = "navia.lava.moe";
+    shareFqdn = "muse.lava.moe";
+    subnetId = "5";
+
+    subnet = x: "fd0d:2::${subnetId}:${toString x}";
+    host = subnet 1;
+    client = subnet 2;
+
+    subnet4 = x: "10.32.${subnetId}.${toString x}";
+    host4 = subnet4 1;
+    client4 = subnet4 2;
+
+    modules = [
+      ./configuration.nix
+      {
+        networking.useHostResolvConf = false;
+        networking.nameservers = [ host ];
+      }
+    ];
+  in {
+    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
+      inherit modules;
+    };
+    nixosModule = { config, ... }: {
+      networking.nat = {
+        enable = true;
+        enableIPv6 = true;
+        internalInterfaces = [ "ve-${name}" ];
+      };
+
+      services.nginx.virtualHosts."${fqdn}" = {
+        useACMEHost = "lava.moe";
+        forceSSL = true;
+        locations."/".proxyPass = "http://[${client}]:4533";
+        listenAddresses = [ "100.67.2.1" ];
+      };
+
+      systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
+      containers.${name} = {
+        autoStart = true;
+        privateNetwork = true;
+        hostAddress = host4;
+        localAddress = client4;
+        hostAddress6 = host;
+        localAddress6 = client;
+        # privateUsers = "pick";
+        nixpkgs = nixpkgs;
+        ephemeral = true;
+        config = { imports = modules; };
+        specialArgs = { inherit fqdn shareFqdn; };
+
+        bindMounts."persist" = {
+          hostPath = "/persist/containers/${name}";
+          mountPoint = "/persist";
+          isReadOnly = false;
+        };
+        bindMounts."music" = {
+          hostPath = "/flower/media/music";
+          mountPoint = "/binds/music";
+          isReadOnly = true;
+        };
+        bindMounts."navidrome_env" = {
+          hostPath = config.age.secrets.navidrome_env.path;
+          mountPoint = "/binds/navidrome_env";
+          isReadOnly = true;
+        };
+        # flake = "path:" + ./.;
+      };
+    };
+  };
+}

containers/fluorite/configuration.nix

@@ -0,0 +1,22 @@
+{ ... }: {
+  system.stateVersion = "25.11";
+  systemd.tmpfiles.rules = [
+    "d /persist/slskd/Downloads 755 slskd slskd"
+  ];
+  fileSystems."/var/lib/slskd" = {
+    device = "/persist/slskd";
+    fsType = "none";
+    options = [ "bind" ];
+  };
+  networking.firewall.allowedTCPPorts = [ 5030 50300 ];
+  networking.firewall.allowedUDPPorts = [ 5030 50300 ];
+
+  services.slskd = {
+    enable = true;
+    domain = null;
+    environmentFile = "/binds/slskd_env";
+    settings = {
+      shares.directories = [ "/binds/music/" ];
+    };
+  };
+}

containers/fluorite/flake.lock

@@ -0,0 +1,27 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1773282481,
+        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

containers/fluorite/flake.nix

@@ -0,0 +1,89 @@
+{
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+  };
+  outputs = { nixpkgs, ... }:
+  let
+    name = "fluorite";
+    fqdn = "fluorite.lava.moe";
+    subnetId = "6";
+
+    subnet = x: "fd0d:1::${subnetId}:${toString x}";
+    host = subnet 1;
+    client = subnet 2;
+
+    subnet4 = x: "10.30.${subnetId}.${toString x}";
+    host4 = subnet4 1;
+    client4 = subnet4 2;
+
+    modules = [
+      ./configuration.nix
+      {
+        networking.useHostResolvConf = false;
+        networking.nameservers = [ host ];
+      }
+    ];
+  in {
+    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
+      inherit modules;
+    };
+    nixosModule = { config, ... }: {
+      networking.nat = {
+        enable = true;
+        enableIPv6 = true;
+        internalInterfaces = [ "ve-${name}" ];
+      };
+      networking.firewall.allowedTCPPorts = [ 50300 ];
+
+      services.nginx.virtualHosts."${fqdn}" = {
+        useACMEHost = "lava.moe";
+        forceSSL = true;
+        locations."/".proxyPass = "http://[${client}]:5030";
+        listenAddresses = [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ];
+      };
+
+      systemd.tmpfiles.rules = [
+        "d /persist/containers/${name} 755 root users"
+        "d /persist/media/music 075 nobody users"
+      ];
+      containers.${name} = {
+        autoStart = true;
+        privateNetwork = true;
+        hostAddress = host4;
+        localAddress = client4;
+        hostAddress6 = host;
+        localAddress6 = client;
+        # privateUsers = "pick";
+        nixpkgs = nixpkgs;
+        ephemeral = true;
+        config = { imports = modules; };
+        specialArgs = { inherit fqdn; };
+
+        forwardPorts = [
+          {
+            containerPort = 50300;
+            hostPort = 50300;
+            protocol = "tcp";
+          }
+        ];
+
+        bindMounts."persist" = {
+          hostPath = "/persist/containers/${name}";
+          mountPoint = "/persist";
+          isReadOnly = false;
+        };
+        bindMounts."music" = {
+          hostPath = "/persist/media/music";
+          mountPoint = "/binds/music";
+          isReadOnly = true;
+        };
+        bindMounts."slskd_env" = {
+          hostPath = config.age.secrets.slskd_env.path;
+          mountPoint = "/binds/slskd_env";
+          isReadOnly = true;
+        };
+        # flake = "path:" + ./.;
+      };
+    };
+  };
+}

containers/garnet/configuration.nix

@@ -0,0 +1,36 @@
+{ ... }: {
+  system.stateVersion = "25.11";
+  fileSystems."/var/lib/opencloud" = {
+    device = "/flower/data";
+    fsType = "none";
+    options = [ "bind" ];
+  };
+  fileSystems."/etc/opencloud" = {
+    device = "/persist/cfg";
+    fsType = "none";
+    options = [ "bind" ];
+  };
+  # TODO: hardcoded address
+  networking.extraHosts = ''
+    100.67.2.1 cloud.lava.moe
+  '';
+
+  networking.firewall.allowedTCPPorts = [ 9200 ];
+  networking.firewall.allowedUDPPorts = [ 9200 ];
+
+  environment.etc."opencloud-admin-pass".text = ''
+    IDM_ADMIN_PASSWORD=supersillysecure
+  '';
+  services.opencloud = {
+    enable = true;
+    url = "https://cloud.lava.moe";
+    address = "10.30.7.2";
+    port = 9200;
+    environment = {
+      PROXY_TLS = "false";
+      IDP_ACCESS_TOKEN_EXPIRATION = "2592000";
+      IDP_ID_TOKEN_EXPIRATION = "2592000";
+    };
+    environmentFile = "/etc/opencloud-admin-pass";
+  };
+}

containers/garnet/flake.lock

@@ -0,0 +1,27 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1779560665,
+        "narHash": "sha256-tpyBcxPpcQb8ukyNF7DoCwfSY3VPsxHoYwj00Cayv5o=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "64c08a7ca051951c8eae34e3e3cb1e202fe36786",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

containers/garnet/flake.nix

@@ -0,0 +1,84 @@
+{
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+  };
+  outputs = { nixpkgs, ... }:
+  let
+    name = "garnet";
+    fqdn = "cloud.lava.moe";
+    subnetId = "7";
+
+    subnet = x: "fd0d:1::${subnetId}:${toString x}";
+    host = subnet 1;
+    client = subnet 2;
+
+    subnet4 = x: "10.30.${subnetId}.${toString x}";
+    host4 = subnet4 1;
+    client4 = subnet4 2;
+
+    modules = [
+      ./configuration.nix
+      {
+        networking.useHostResolvConf = false;
+        networking.nameservers = [ host ];
+      }
+    ];
+  in {
+    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
+      inherit modules;
+    };
+    nixosModule = { config, ... }: {
+      networking.nat = {
+        enable = true;
+        enableIPv6 = true;
+        internalInterfaces = [ "ve-${name}" ];
+      };
+
+      services.nginx.virtualHosts."${fqdn}" = {
+        useACMEHost = "lava.moe";
+        forceSSL = true;
+        locations."/" = {
+          proxyPass = "http://${client4}:9200";
+          proxyWebsockets = true;
+        };
+        extraConfig = ''
+          proxy_read_timeout 3600s;
+          proxy_send_timeout 3600s;
+          keepalive_requests 100000;
+          keepalive_timeout 5m;
+          http2_max_concurrent_streams 512;
+        '';
+        # TODO: hardcoded address
+        listenAddresses = [ "100.67.2.1" ];
+      };
+
+      systemd.tmpfiles.rules = [
+        "d /persist/containers/${name} 755 root users"
+      ];
+      containers.${name} = {
+        autoStart = true;
+        privateNetwork = true;
+        hostAddress = host4;
+        localAddress = client4;
+        hostAddress6 = host;
+        localAddress6 = client;
+        # privateUsers = "pick";
+        nixpkgs = nixpkgs;
+        ephemeral = true;
+        config = { imports = modules; };
+        specialArgs = { inherit fqdn; };
+
+        bindMounts."persist" = {
+          hostPath = "/persist/containers/${name}";
+          mountPoint = "/persist";
+          isReadOnly = false;
+        };
+        bindMounts."content" = {
+          hostPath = "/flower/opencloud";
+          mountPoint = "/flower";
+          isReadOnly = false;
+        };
+      };
+    };
+  };
+}

flake.nix

@@ -4,10 +4,6 @@
     home-manager.url = "github:nix-community/home-manager";
     home-manager.inputs.nixpkgs.follows = "nixpkgs";
 
-    nixpkgs-stable.url = "github:NixOS/nixpkgs/release-25.05";
-    home-manager-stable.url = "github:nix-community/home-manager/release-25.05";
-    home-manager-stable.inputs.nixpkgs.follows = "nixpkgs-stable";
-
     agenix.url = "github:ryantm/agenix";
     agenix.inputs.nixpkgs.follows = "nixpkgs";
     aagl.url = "github:ezKEa/aagl-gtk-on-nix";
@@ -18,12 +14,15 @@
     neovim-nightly.inputs.nixpkgs.follows = "nixpkgs";
 
     nix-gaming.url = "github:fufexan/nix-gaming";
+    nix-index-database.url = "github:nix-community/nix-index-database";
+    nix-index-database.inputs.nixpkgs.follows = "nixpkgs";
     spicetify-nix.url = "github:Gerg-L/spicetify-nix";
     spicetify-nix.inputs.nixpkgs.follows = "nixpkgs";
 
     # services
-    # hosts-blocklists = { url = "github:notracking/hosts-blocklists"; flake = false; };
-    website = { url = "github:LavaDesu/lavadesu.github.io/master"; flake = false; };
+    pastel.url = "github:cillynder/pastel";
+    stevenblack-hosts = { url = "github:StevenBlack/hosts"; flake = false; };
+    website = { url = "github:cillynder/lavadesu.github.io/master"; flake = false; };
 
     # zsh plugins
     zsh-abbr = { url = "git+https://github.com/olets/zsh-abbr?submodules=1"; flake = false; };
@@ -37,9 +36,18 @@
     spotify-adblock = { url = "github:abba23/spotify-adblock"; flake = false; };
     tree-sitter-jsonc = { url = "gitlab:WhyNotHugo/tree-sitter-jsonc"; flake = false; };
     wine-discord-ipc-bridge = { url = "github:0e4ef622/wine-discord-ipc-bridge"; flake = false; };
+
+    # containers
+    c-amethyst.url = "path:./containers/amethyst";
+    c-beryllium.url = "path:./containers/beryllium";
+    c-citrine.url = "path:./containers/citrine";
+    c-diamond.url = "path:./containers/diamond";
+    c-emerald.url = "path:./containers/emerald";
+    c-fluorite.url = "path:./containers/fluorite";
+    c-garnet.url = "path:./containers/garnet";
   };
 
-  outputs = { self, agenix, catppuccin, nixpkgs, nixpkgs-stable, ... } @ inputs:
+  outputs = { self, agenix, catppuccin, nixpkgs, ... } @ inputs:
     let
       overlays = (import ./overlays)
         ++ [(final: prev: {
@@ -73,9 +81,9 @@
         };
     in
     {
+      nixosConfigurations."alyssum" = mkSystem nixpkgs "alyssum" "x86_64-linux" [];
       nixosConfigurations."anemone" = mkSystem nixpkgs "anemone" "x86_64-linux" [];
-      nixosConfigurations."dandelion" = mkSystem nixpkgs-stable "dandelion" "aarch64-linux" [];
-      nixosConfigurations."hazel" = mkSystem nixpkgs-stable "hazel" "x86_64-linux" [];
+      nixosConfigurations."dandelion" = mkSystem nixpkgs "dandelion" "aarch64-linux" [];
       nixosConfigurations."hyacinth" = mkSystem nixpkgs "hyacinth" "x86_64-linux" [];
 
       packages."x86_64-linux" =

hosts/alyssum/default.nix

@@ -0,0 +1,45 @@
+{ inputs, lib, modules, modulesPath, ... }: {
+  networking.hostName = "alyssum";
+  system.stateVersion = "25.11";
+  time.timeZone = "Australia/Melbourne";
+
+  age.secrets = {
+    acme_dns.file = ../../secrets/acme_dns.age;
+    passwd.file = ../../secrets/passwd.age;
+    navidrome_env.file = ../../secrets/navidrome_env.age;
+    wpa_conf = {
+      file = ../../secrets/wpa_conf.age;
+      path = "/etc/wpa_supplicant/imperative.conf";
+      symlink = false;
+    };
+  };
+
+  imports = with modules.system; [
+    (modulesPath + "/profiles/qemu-guest.nix")
+    home-manager
+
+    base
+    kernel
+    nix-stable
+    packages
+    security
+    tailscale
+
+    modules.services.nginx
+    modules.services.syncthing
+
+    inputs.c-emerald.nixosModule
+    inputs.c-garnet.nixosModule
+
+    ./filesystem.nix
+    ./kernel.nix
+    ./networking.nix
+    ./home.syncthing.nix
+    ./samba.nix
+
+    ../../users/hana
+  ];
+
+  me.environment = "headless";
+  services.syncthing.user = lib.mkForce "hana";
+}

hosts/alyssum/filesystem.nix

@@ -0,0 +1,35 @@
+{ ... }:
+let
+  bind = src: {
+    depends = [ "/nix" ];
+    device = src;
+    fsType = "none";
+    neededForBoot = true;
+    options = [ "bind" ];
+  };
+
+  mkLabelMount = label: type: {
+    device = "/dev/disk/by-label/${label}";
+    fsType = type;
+    options = [ "defaults" "relatime" ];
+  };
+  mkBtrfsMount = name: subvol: atime: mkLabelMount name "btrfs" // {
+    options = [ "autodefrag" "compress=zstd:3" "defaults" "discard=async" "space_cache=v2" "ssd" "subvol=${subvol}" (if atime then "relatime" else "noatime") ];
+  };
+  submount = mkBtrfsMount "alyssum";
+in {
+  fileSystems = {
+    "/" = {
+      device = "rootfs";
+      fsType = "tmpfs";
+      options = [ "defaults" "size=8G" "mode=755" ];
+    };
+    "/boot" = mkLabelMount "stem" "vfat";
+
+    "/flower" = mkBtrfsMount "myosotis" "/@" true;
+    "/nix" = submount "/@/nix" false;
+    "/persist" = (submount "/@/persist" true) // { neededForBoot = true; };
+    "/persist/.snapshots" = submount "/snap/persist" false;
+    "/var/log/journal" = bind "/persist/journal";
+  };
+}

hosts/alyssum/home.syncthing.nix

@@ -0,0 +1,39 @@
+{ config, lib, ... }:
+let
+  configOn = user: port: {
+    me.binds."/home/${user}/.config/syncthing" = "${user}/syncthing/config";
+    me.binds."/home/${user}/.local/state/syncthing" = "${user}/syncthing/state";
+
+    systemd.tmpfiles.rules = [ "d /flower/syncthing/${user} 700 ${user} users" ];
+
+    users.users.${user} = {
+      hashedPasswordFile = config.age.secrets.passwd.path;
+      isNormalUser = true;
+      linger = true;
+    };
+    home-manager.users.${user} = { ... }: {
+      home = {
+        username = "${user}";
+        homeDirectory = "/home/${user}";
+        stateVersion = "26.05";
+      };
+      services.syncthing = {
+        enable = true;
+        guiAddress = "[::]:${toString port}";
+        overrideDevices = false;
+        overrideFolders = false;
+        settings = {
+          options.listenAddresses = [
+            "tcp://0.0.0.0:2${toString port}"
+            "quic://0.0.0.0:2${toString port}"
+            "dynamic+https://relays.syncthing.net/endpoint"
+          ];
+          defaults.folder.path = "/flower/syncthing/${user}";
+        };
+      };
+    };
+  };
+in lib.mkMerge [
+  (configOn "kujira" 8385)
+  (configOn "cilly" 8386)
+]

hosts/alyssum/kernel.nix

@@ -0,0 +1,12 @@
+{ config, lib, ... }: {
+  boot = {
+    loader = {
+      efi.canTouchEfiVariables = true;
+      systemd-boot.enable = true;
+    };
+    initrd.availableKernelModules = [ "nvme" "xhci_pci" "usb_storage" "sd_mod" "rtsx_usb_sdmmc" ];
+    initrd.kernelModules = [ ];
+    kernelModules = [ "kvm-amd" ];
+  };
+  hardware.cpu.amd.updateMicrocode = true;
+}

hosts/alyssum/networking.nix

@@ -0,0 +1,15 @@
+{ config, ... }: {
+  networking = {
+    useDHCP = true;
+    wireless.enable = true;
+
+    interfaces.wlp1s0.useDHCP = false;
+    interfaces.wlp1s0.ipv4.addresses = [{
+      address = "192.168.1.167";
+      prefixLength = 24;
+    }];
+
+    defaultGateway = "192.168.1.1";
+    nameservers = [ "8.8.8.8" "8.8.4.4" ];
+  };
+}

hosts/alyssum/packages.nix

@@ -0,0 +1,14 @@
+{ pkgs, ... }: {
+  environment.systemPackages = with pkgs; [
+    git
+    htop
+    jq
+    neovim
+    rsync
+    sshfs
+    wget
+
+    kitty.terminfo
+  ];
+  environment.variables.EDITOR = "nvim";
+}

hosts/alyssum/samba.nix

@@ -0,0 +1,84 @@
+{ config, lib, pkgs, ... }:
+let
+  configOn = user: let
+    passwd_fname = "passwd_smb${user}";
+  in {
+    age.secrets.${passwd_fname}.file = ../../secrets/${passwd_fname}.age;
+    me.binds."/flower/smb/${user}/music" = "/flower/media/music/${user}";
+    me.binds."/flower/smb/${user}/syncthing" = "/flower/syncthing/${user}";
+
+    users.users.${user} = {
+      hashedPasswordFile = config.age.secrets.passwd.path;
+      isNormalUser = true;
+    };
+
+    system.activationScripts = {
+      init_smbpasswd.text = let
+        smbpasswd = "${config.services.samba.package}/bin/smbpasswd";
+      in ''
+        printf "$(cat ${config.age.secrets.${passwd_fname}.path})\n$(cat ${config.age.secrets.${passwd_fname}.path})\n" | ${smbpasswd} -sa ${user}
+      '';
+    };
+    services.samba.settings."${user}" = {
+      "path" = "/flower/smb/${user}";
+      "browseable" = "yes";
+      "read only" = "no";
+      "guest ok" = "no";
+      "create mask" = "0644";
+      "directory mask" = "0755";
+      "force user" = user;
+      "force group" = "users";
+      "valid users" = user;
+    };
+  };
+in lib.mkMerge [
+  (configOn "cilly")
+  (configOn "kujira")
+  {
+    me.binds."/flower/smb/kujira/opencloud" = "/flower/opencloud/data/storage/users/users/a8e29fc0-673c-4c67-be00-2442904acb43";
+
+    networking.firewall.allowPing = true;
+
+    services.samba = {
+      enable = true;
+      package = pkgs.samba4Full;
+      openFirewall = true;
+      settings = {
+        global = {
+          "server smb encrypt" = "required";
+          "workgroup" = "WORKGROUP";
+          "server string" = "smbnix";
+          "netbios name" = "smbnix";
+          "security" = "user";
+          "hosts allow" = "100.64.0.0/10 127.0.0.1 alyssum localhost";
+          "hosts deny" = "0.0.0.0/0";
+          "guest account" = "nobody";
+          "map to guest" = "bad user";
+        };
+        "public" = {
+          "path" = "/flower/smb/public";
+          "browseable" = "yes";
+          "read only" = "no";
+          "guest ok" = "yes";
+          "create mask" = "0644";
+          "directory mask" = "0755";
+          "force user" = "hana";
+          "force group" = "users";
+        };
+      };
+    };
+
+    services.samba-wsdd = {
+      enable = true;
+      openFirewall = true;
+    };
+
+    services.avahi = {
+      enable = true;
+      openFirewall = true;
+      nssmdns4 = true;
+      publish.enable = true;
+      publish.userServices = true;
+    };
+  }
+]

hosts/anemone/default.nix

@@ -5,6 +5,7 @@
 
   nixpkgs.overlays = [ inputs.neovim-nightly.overlays.default ];
   age.secrets = {
+    wg_anemone.file = ../../secrets/wg_anemone.age;
     passwd.file = ../../secrets/passwd.age;
   };
 
@@ -16,6 +17,7 @@
     bluetooth
     ccache
     corectrl
+    docker
     flatpak
     greetd
     gui
@@ -26,6 +28,8 @@
     printing
     security
     snapper
+    tailscale
+    wireguard
 
     ./filesystem.nix
     ./kernel.nix
@@ -51,4 +55,6 @@
 
   services.fprintd.enable = true;
   services.tlp.enable = true;
+
+  programs.kdeconnect.enable = true;
 }

hosts/anemone/kernel.nix

@@ -23,14 +23,14 @@
     ];
   };
 
-  swapDevices = [{
-    device = "/persist/swapfile";
-    size = 16 * 1024;
-  }];
-
-  systemd.sleep.extraConfig = ''
-    HibernateMode=shutdown
-  '';
+  # swapDevices = [{
+  #   device = "/persist/swapfile";
+  #   size = 16 * 1024;
+  # }];
+  #
+  # systemd.sleep.extraConfig = ''
+  #   HibernateMode=shutdown
+  # '';
   /*
   services.logind.lidSwitch = "suspend-then-hibernate";
   systemd.sleep.extraConfig = ''

hosts/anemone/networking.nix

@@ -1,18 +1,4 @@
 { config, ... }: {
-  networking = {
-    #nameservers = [ "8.8.8.8" "8.8.4.4" ];
-
-    #wg-quick.interfaces.wg0.configFile = "/persist/vpn.conf";
-
-    networkmanager = {
-      enable = true;
-      #dns = "none";
-    };
-
-    extraHosts = ''
-      192.168.100.16 hyacinth
-    '';
-  };
-
+  networking.wireless.iwd.enable = true;
   environment.etc."NetworkManager/system-connections".source = "/persist/nm_system-connections";
 }

hosts/dandelion/default.nix

@@ -1,29 +1,41 @@
-{ modules, modulesPath, ... }: {
+{ inputs, modules, modulesPath, ... }: {
   networking.hostName = "dandelion";
   system.stateVersion = "23.11";
   time.timeZone = "Australia/Melbourne";
 
   age.secrets = {
     acme_dns.file = ../../secrets/acme_dns.age;
+    slskd_env.file = ../../secrets/slskd_env.age;
+    wg_dandelion.file = ../../secrets/wg_dandelion.age;
   };
 
   imports = with modules.system; [
     (modulesPath + "/profiles/qemu-guest.nix")
-    home-manager-stable
+    home-manager
 
     base
     kernel
     nix-stable
     packages
     security
+    tailscale
+    wireguard
 
+    modules.services.banksia
     modules.services.nginx
-    modules.services.postgres
+    modules.services.unbound
+    modules.services.website
+
+    inputs.c-amethyst.nixosModule
+    inputs.c-beryllium.nixosModule
+    inputs.c-citrine.nixosModule
+    inputs.c-diamond.nixosModule
+    inputs.c-fluorite.nixosModule
 
     ./filesystem.nix
     ./kernel.nix
     ./networking.nix
-    ./transmission-container.nix
+    ./nginx.nix
 
     ../../users/hana
   ];

hosts/dandelion/filesystem.nix

@@ -22,7 +22,7 @@ in {
     "/" = {
       device = "rootfs";
       fsType = "tmpfs";
-      options = [ "defaults" "size=12G" "mode=755" ];
+      options = [ "defaults" "size=6G" "mode=755" ];
     };
     "/boot" = mkLabelMount "UEFI" "vfat";
 

hosts/dandelion/networking.nix

@@ -1,3 +1,4 @@
 { ... }: {
   networking.useDHCP = true;
+  networking.interfaces.enp2s0.useDHCP = false;
 }

hosts/dandelion/nginx.nix

@@ -0,0 +1,8 @@
+{ ... }: {
+  services.nginx.virtualHosts."muse.lava.moe" = {
+    useACMEHost = "lava.moe";
+    forceSSL = true;
+    locations."/".return = "404";
+    locations."/share/".proxyPass = "http://[fd0d:2::5:2]:4533";
+  };
+}

hosts/dandelion/transmission-container.nix

@@ -1,61 +0,0 @@
-{ lib, modules, pkgs, gcSecrets, ... }: {
-  networking.nat = {
-    enable = true;
-    internalInterfaces = [ "ve-+" ];
-    externalInterface = "enp0s6";
-  };
-
-  networking.firewall = {
-    extraCommands = ''
-        ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -d 10.25.0.11 -p tcp -m tcp --dport 9091 -j MASQUERADE
-    '';
-    extraStopCommands = ''
-        ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -d 10.25.0.11 -p tcp -m tcp --dport 9091 -j MASQUERADE || true
-    '';
-  };
-
-  services.nginx.virtualHosts."tr.dandelion.gw.lava.moe" = {
-    locations."/".proxyPass = "http://10.25.0.11:9091";
-  };
-
-  containers.transmission = {
-    autoStart = true;
-    privateNetwork = true;
-    hostAddress = "10.25.0.10";
-    localAddress = "10.25.0.11";
-    bindMounts."vpn" = {
-      hostPath = "/persist/aus.conf";
-      mountPoint = "/vpn.conf";
-      isReadOnly = true;
-    };
-    bindMounts."transmission" = {
-      hostPath = "/persist/transmission";
-      mountPoint = "/persist/transmission";
-      isReadOnly = false;
-    };
-    config = {
-      system.stateVersion = "23.11";
-      networking.wg-quick.interfaces.wg0 = {
-        configFile = "/vpn.conf";
-        preUp = ''
-          # Try to access the DNS for up to 300s
-          for i in {1..60}; do
-            ${pkgs.iputils}/bin/ping -c1 'google.com' && break
-            echo "Attempt $i: DNS still not available"
-            sleep 5s
-          done
-        '';
-      };
-
-      networking.firewall.enable = false;
-      systemd.services.transmission.serviceConfig.BindReadOnlyPaths = lib.mkForce [ builtins.storeDir "/etc" ];
-      imports = [ modules.services.transmission ];
-      services.transmission.settings = {
-        rpc-host-whitelist-enabled = false;
-        rpc-whitelist = lib.mkForce "10.100.0.*,10.0.0.*,10.25.0.*,192.168.100.*";
-        rpc-username = gcSecrets.transmission.username;
-        rpc-password = gcSecrets.transmission.password;
-      };
-    };
-  };
-}

hosts/hazel/default.nix

@@ -1,35 +0,0 @@
-{ modules, pkgs, ... }: {
-  networking.hostName = "hazel";
-  system.stateVersion = "24.11";
-  time.timeZone = "Australia/Melbourne";
-
-  imports = with modules.system; with modules.services; [
-    home-manager-stable
-
-    base
-    kernel
-    nginx
-    nix-stable
-    packages
-    security
-
-    ./filesystem.nix
-    ./kernel.nix
-    ./networking.nix
-
-    ../../users/hana
-  ];
-
-  me.environment = "headless";
-
-  services.nextcloud = {
-    enable = true;
-    package = pkgs.nextcloud31;
-    hostName = "cloud.lava.moe";
-    database.createLocally = true;
-    config = {
-      dbtype = "pgsql";
-      adminpassFile = "/persist/nextcloud-admin-pass";
-    };
-  };
-}

hosts/hazel/filesystem.nix

@@ -1,53 +0,0 @@
-{ ... }:
-let
-  mkLabelMount = label: type: options: {
-    device = "/dev/disk/by-label/${label}";
-    fsType = type;
-    options = [ "defaults" ] ++ options;
-  };
-  mkBtrfsMount = name: ext: subvol: atime: mkLabelMount name "btrfs"
-  ([
-    "autodefrag"
-    "compress=zstd:4"
-    "compress-force=zstd:4"
-    "defaults"
-    "nossd"
-    "space_cache=v2"
-    "subvol=${subvol}"
-    (if atime then "relatime" else "noatime")
-  ] ++ ext);
-
-  mkHazelMount = mkBtrfsMount "HAZEL" [];
-in
-{
-  boot.supportedFilesystems = [ "btrfs" ];
-  fileSystems = {
-    "/" = {
-      device = "rootfs";
-      fsType = "tmpfs";
-      options = [ "defaults" "mode=755" ];
-    };
-    "/boot" = mkLabelMount "ROOT" "vfat" [];
-
-    "/flower" = mkHazelMount "/current/flower" true;
-    "/persist" = mkHazelMount "/current/persist" true;
-    "/var" = mkHazelMount "/current/var" true;
-    "/nix" = mkHazelMount "/current/nix" false;
-
-    "/mnt" = mkHazelMount "/" true;
-  };
-
-  services.snapper.cleanupInterval = "1h";
-  services.snapper.configs.flower = {
-      FSTYPE = "btrfs";
-      SUBVOLUME = "/mnt/current/flower";
-      TIMELINE_CLEANUP = true;
-      TIMELINE_CREATE = true;
-      TIMELINE_MIN_AGE = "1800";
-      TIMELINE_LIMIT_HOURLY = "5";
-      TIMELINE_LIMIT_DAILY = "7";
-      TIMELINE_LIMIT_WEEKLY = "0";
-      TIMELINE_LIMIT_MONTHLY = "0";
-      TIMELINE_LIMIT_YEARLY = "0";
-    };
-}

hosts/hazel/kernel.nix

@@ -1,10 +0,0 @@
-{ ... }: {
-  boot = {
-    loader = {
-      efi.canTouchEfiVariables = true;
-      systemd-boot.enable = true;
-    };
-    initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
-    kernelModules = [ "kvm-amd" ];
-  };
-}

hosts/hazel/networking.nix

@@ -1,5 +0,0 @@
-{ config, ... }: {
-  networking = {
-    useDHCP = true;
-  };
-}

hosts/hyacinth/default.nix

@@ -3,11 +3,10 @@
   system.stateVersion = "21.11";
   time.timeZone = "Australia/Melbourne";
 
-  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
   nixpkgs.overlays = [ inputs.neovim-nightly.overlays.default ];
   age.secrets = {
     passwd.file = ../../secrets/passwd.age;
-    wg_hyacinth.file = ../../secrets/wg_blossom.age;
+    wg_hyacinth.file = ../../secrets/wg_hyacinth.age;
     wpa_conf.file = ../../secrets/wpa_conf.age;
   };
   imports = with modules.system; [
@@ -19,6 +18,7 @@
     bluetooth
     ccache
     corectrl
+    docker
     flatpak
     greetd
     gui
@@ -29,7 +29,8 @@
     printing
     security
     snapper
-    virtualisation
+    tailscale
+    wireguard
 
     modules.services.syncthing
 
@@ -42,5 +43,5 @@
   ];
   systemd.services.nix-daemon.environment.TMPDIR = "/nix/tmp";
 
-  services.jenkins.enable = true;
+  me.hasBluetooth = true;
 }

hosts/hyacinth/filesystem.nix

@@ -15,7 +15,7 @@ in
     "/" = {
       device = "rootfs";
       fsType = "tmpfs";
-      options = [ "defaults" "size=8G" "mode=755" ];
+      options = [ "defaults" "size=24G" "mode=755" ];
     };
     "/boot" = mkLabelMount "CUP" "vfat";
 

hosts/hyacinth/kernel.nix

@@ -13,4 +13,8 @@
     ];
     kernelPackages = lib.mkForce (pkgs.linuxPackagesFor pkgs.me.linux-lava);
   };
+  hardware.amdgpu.overdrive = {
+    enable = true;
+    ppfeaturemask = "0xffffffff";
+  };
 }

hosts/hyacinth/networking.nix

@@ -3,12 +3,13 @@
   networking = {
     useDHCP = true;
     interfaces.enp5s0.useDHCP = false;
+    interfaces.enp5s0.wakeOnLan.enable = true;
 
     interfaces.enp5s0.ipv4.addresses = [{
-      address = "192.168.0.151";
+      address = "192.168.1.201";
       prefixLength = 24;
     }];
-    defaultGateway = "192.168.0.1";
+    defaultGateway = "192.168.1.1";
     nameservers = [ "8.8.8.8" "8.8.4.4" ];
 
     extraHosts = ''

hosts/hyacinth/packages.nix

@@ -1,6 +1,7 @@
 { pkgs, ... }: {
   environment.systemPackages = with pkgs; [
-    jetbrains.idea-community-bin
+    discord
+    jetbrains.idea
     texliveFull
   ];
 }

modules/binds.nix

@@ -0,0 +1,13 @@
+{ config, lib, ...}: {
+  imports = [ ./options.nix ];
+  fileSystems = lib.mapAttrs (dest: key: let
+    target = if (lib.strings.hasPrefix "/" key)
+      then key
+      else "/persist/binds/${key}";
+  in {
+    depends = [ "/persist" ];
+    device = target;
+    fsType = "none";
+    options = [ "bind" ];
+  }) config.me.binds;
+}

modules/default.nix

@@ -14,8 +14,10 @@ let
     }) paths
   );
 in {
+  binds = ./binds.nix;
   options = ./options.nix;
   services = mkAttrsFromPaths [
+    ./services/banksia.nix
     ./services/jellyfin.nix
     ./services/nginx.nix
     ./services/postgres.nix
@@ -26,6 +28,7 @@ in {
     ./services/transmission.nix
     ./services/unbound.nix
     ./services/vaultwarden.nix
+    ./services/website.nix
   ];
   system = mkAttrsFromPaths [
     ./system/aagl.nix
@@ -34,11 +37,11 @@ in {
     ./system/bluetooth.nix
     ./system/ccache.nix
     ./system/corectrl.nix
+    ./system/docker.nix
     ./system/flatpak.nix
     ./system/greetd.nix
     ./system/gui.nix
     ./system/home-manager.nix
-    ./system/home-manager-stable.nix
     ./system/input.nix
     ./system/kernel.nix
     ./system/nix.nix
@@ -47,11 +50,13 @@ in {
     ./system/printing.nix
     ./system/security.nix
     ./system/snapper.nix
+    ./system/tailscale.nix
     ./system/virtualisation.nix
     ./system/wireguard.nix
   ];
   user = mkAttrsFromPaths [
     ./user/catppuccin.nix
+    ./user/comma.nix
     ./user/direnv.nix
     ./user/dunst.nix
     ./user/eww.nix

modules/options.nix

@@ -44,5 +44,10 @@ in {
       type = types.bool;
       default = false;
     };
+
+    binds = lib.mkOption {
+      type = with lib.types; attrsOf str;
+      default = {};
+    };
   };
 }

modules/services/banksia.nix

@@ -0,0 +1,11 @@
+# TODO ^^
+{ ... }: {
+  services.nginx.virtualHosts = {
+    "banksia.lava.moe" = {
+      useACMEHost = "lava.moe";
+      forceSSL = true;
+      locations."/".return = "302 https://lab.lava.moe/cilly/Banksia";
+      locations."/api".proxyPass = "http://localhost:8080/";
+    };
+  };
+}

modules/services/nginx.nix

@@ -1,18 +1,21 @@
-{ config, inputs, ... }: {
+{ config, ... }: {
   networking.firewall.allowedTCPPorts = [ 80 443 ];
   security.acme = {
     acceptTerms = true;
-    email = "me@lava.moe";
-    certs."lava.moe" = {
+    defaults = {
+      email = "me@lava.moe";
       group = "nginx";
-      domain = "lava.moe";
+      dnsProvider = "cloudflare";
+      environmentFile = config.age.secrets."acme_dns".path;
+    };
+    certs."lava.moe" = {
       extraDomainNames = [
         "*.lava.moe"
         "*.local.lava.moe"
       ];
-      dnsProvider = "cloudflare";
-      credentialsFile = config.age.secrets."acme_dns".path;
     };
+    certs."cilly.moe" = {};
+    certs."cilly.dev" = {};
   };
 
   services.nginx = {
@@ -21,28 +24,5 @@
     recommendedOptimisation = true;
     recommendedGzipSettings = true;
     recommendedProxySettings = true;
-
-    virtualHosts = {
-      "lava.moe" = {
-        useACMEHost = "lava.moe";
-        forceSSL = true;
-        root = inputs.website.outPath;
-      };
-      "cdn.lava.moe" = {
-        useACMEHost = "lava.moe";
-        forceSSL = true;
-        root = "/persist/cdn";
-      };
-      "_" = {
-        default = true;
-        addSSL = true;
-        # TODO generate this somewhere
-        sslCertificate = "/persist/fakeCerts/fake.crt";
-        sslCertificateKey = "/persist/fakeCerts/fake.key";
-        extraConfig = ''
-          return 444;
-        '';
-      };
-    };
   };
 }

modules/services/postgres.nix

@@ -8,6 +8,7 @@ in {
   services.postgresql = {
     enable = true;
     dataDir = dir;
+    # TODO: broken :3
     package = pkgs.postgresql_13;
     authentication = lib.mkOverride 10 ''
       #type  database  DBuser  origin-address      auth-method

modules/services/syncthing.nix

@@ -1,7 +1,8 @@
 { config, ... }:
 let
   dir = "/persist/shared/.syncthing";
-  uid = toString config.users.users.rin.uid;
+  user = if config.me.gui then "rin" else "hana";
+  uid = toString config.users.users."${user}".uid;
   gid = toString config.users.groups.users.gid;
 in
 {
@@ -13,9 +14,10 @@ in
   services.syncthing = {
     enable = true;
     openDefaultPorts = true;
-    user = "rin";
+    user = user;
     group = "users";
     dataDir = "/persist/shared/.syncthing/data";
     configDir = "/persist/shared/.syncthing/config";
+    guiAddress = if config.me.gui then "127.0.0.1:8384" else ":8384";
   };
 }

modules/services/unbound.nix

@@ -1,8 +1,17 @@
-{ inputs, ... }:
+{ inputs, pkgs, gcSecrets, ... }:
 let
   dir = "/persist/unbound";
+
+  converted = pkgs.runCommand "stevenblack-hosts-unbound" {} ''
+    echo "server:" > "$out"
+    grep '^0\.0\.0\.0' "${inputs.stevenblack-hosts}/hosts" | awk '{print "local-zone: \""$2"\" always_refuse"}' | tail -n +2 >> "$out"
+  '';
 in {
-  networking.firewall.interfaces.wlan0 = {
+  networking.firewall.interfaces."ve-+" = {
+    allowedUDPPorts = [ 53 853 ];
+    allowedTCPPorts = [ 53 853 ];
+  };
+  networking.firewall.interfaces.wg0 = {
     allowedUDPPorts = [ 53 853 ];
     allowedTCPPorts = [ 53 853 ];
   };
@@ -16,17 +25,27 @@ in {
         name = ".";
         forward-tls-upstream = true;
         forward-addr = [
+          "2606:4700:4700::1111@853#cloudflare-dns.com"
+          "2606:4700:4700::1001@853#cloudflare-dns.com"
+          "2001:4860:4860::8888@853#dns.google"
+          "2001:4860:4860::8844@853#dns.google"
           "1.1.1.1@853#cloudflare-dns.com"
           "1.0.0.1@853#cloudflare-dns.com"
+          "8.8.8.8@853#dns.google"
+          "8.8.4.4@853#dns.google"
         ];
       }];
 
       server = {
-        interface = [ "0.0.0.0" ];
+        interface = [ "0.0.0.0" "::0" ];
         access-control = [
           "127.0.0.1/8      allow"
           "10.0.0.0/8       allow"
+          "100.64.0.0/10    allow"
           "192.168.100.0/24 allow"
+          "fd0d::/16        allow"
+          "fd7a:115c:a1e0::/48 allow"
+          "${gcSecrets.wireguard.ipv6Subnet}:/80 allow"
         ];
         domain-insecure = [ "\"local.lava.moe\"" ];
         local-zone = [ "\"warden.local.lava.moe.\" redirect" ];
@@ -35,7 +54,7 @@ in {
         ];
       };
 
-      include = "${inputs.hosts-blocklists}/unbound/unbound.blacklist.conf";
+      include = "${converted}";
     };
   };
 

modules/services/website.nix

@@ -0,0 +1,43 @@
+{ inputs, pkgs, ... }: let
+  pastel = inputs.pastel.packages.${pkgs.system}.default;
+in {
+  services.nginx.virtualHosts = {
+    "cilly.moe" = {
+      useACMEHost = "cilly.moe";
+      forceSSL = true;
+      root = pastel.outPath;
+    };
+    "cilly.dev" = {
+      useACMEHost = "cilly.dev";
+      forceSSL = true;
+      root = pastel.outPath;
+    };
+    "lava.moe" = {
+      useACMEHost = "lava.moe";
+      forceSSL = true;
+      root = inputs.website.outPath;
+    };
+    "cdn.lava.moe" = {
+      useACMEHost = "lava.moe";
+      forceSSL = true;
+      extraConfig = ''
+        return 301 https://sh.lava.moe$request_uri;
+      '';
+    };
+    "sh.lava.moe" = {
+      useACMEHost = "lava.moe";
+      forceSSL = true;
+      root = "/persist/cdn";
+    };
+    "_" = {
+      default = true;
+      addSSL = true;
+      # TODO generate this somewhere
+      sslCertificate = "/persist/fakeCerts/fake.crt";
+      sslCertificateKey = "/persist/fakeCerts/fake.key";
+      extraConfig = ''
+        return 444;
+      '';
+    };
+  };
+}

modules/system/base.nix

@@ -1,5 +1,5 @@
 { config, inputs, modules, ... }: {
-  imports = [ modules.options ];
+  imports = [ modules.binds modules.options ];
 
   environment.etc = {
     "machine-id".source = "/persist/machine-id";
@@ -11,7 +11,8 @@
   environment.pathsToLink = [ "/share/zsh" ];
 
   i18n.defaultLocale = "en_AU.UTF-8";
-  i18n.extraLocales = [ "en_GB.UTF-8" ];
+  i18n.extraLocales = [ "en_GB.UTF-8/UTF-8" ];
+
   users.mutableUsers = false;
 
   system = {

modules/system/corectrl.nix

@@ -1,9 +1,5 @@
 { ... }: {
   programs.corectrl = {
     enable = true;
-    gpuOverclock = {
-      enable = true;
-      ppfeaturemask = "0xffffffff";
-    };
   };
 }

modules/system/docker.nix

@@ -0,0 +1,13 @@
+{ pkgs, ... }: {
+  virtualisation.docker = {
+    enable = true;
+    storageDriver = "btrfs";
+    # rootless = {
+    #   enable = true;
+    #   setSocketVariable = true;
+    # };
+  };
+  environment.systemPackages = [
+    pkgs.docker-compose
+  ];
+}

modules/system/greetd.nix

@@ -3,7 +3,7 @@
     enable = true;
     settings = {
       default_session = {
-        command = "${pkgs.greetd.tuigreet}/bin/tuigreet --remember --asterisks --time --cmd 'zsh -c \"source $HOME/.config/zsh/.zshrc && Hyprland > $XDG_RUNTIME_DIR/Hyprland.out\"'";
+        command = "${pkgs.tuigreet}/bin/tuigreet --remember --asterisks --time --cmd 'zsh -c \"source $HOME/.config/zsh/.zshrc && Hyprland > $XDG_RUNTIME_DIR/Hyprland.out\"'";
         user = "greeter";
       };
 

modules/system/gui.nix

@@ -15,7 +15,6 @@
       hanazono
       noto-fonts
       noto-fonts-cjk-sans
-      noto-fonts-extra
       open-sans
       twemoji-color-font
       unifont

modules/system/home-manager-stable.nix

@@ -1,19 +0,0 @@
-{ config, inputs, modules, ... }: {
-  imports = [
-    inputs.home-manager-stable.nixosModules.home-manager
-  ];
-  home-manager = {
-    useGlobalPkgs = true;
-    useUserPackages = true;
-    extraSpecialArgs = {
-      inherit inputs modules;
-      sysConfig = config;
-    };
-    sharedModules = [
-      {
-        imports = [ modules.options ];
-        config.me = config.me;
-      }
-    ];
-  };
-}

modules/system/input.nix

@@ -6,7 +6,19 @@
         "-arinterval 15"
       ];
     };
-    xkb.options = "caps:escape";
   };
-  console.useXkbConfig = true;
+  services.keyd = {
+    enable = true;
+    keyboards = {
+      default = {
+        ids = [ "*" ];
+        settings = {
+          main = {
+            capslock = "esc";
+            esc = "capslock";
+          };
+        };
+      };
+    };
+  };
 }

modules/system/nix-stable.nix

@@ -1,5 +1,7 @@
 { config, lib, pkgs, ... }: {
   nix = {
+    package = pkgs.nixVersions.latest;
+
     settings = rec {
       substituters = [
         "https://cache.nixos.org?priority=10"
@@ -17,4 +19,5 @@
     '';
   };
   nixpkgs.config.allowUnfree = true;
+  programs.nh.enable = true;
 }

modules/system/nix.nix

@@ -1,5 +1,6 @@
-{ config, lib, pkgs, ... }: {
+{ config, inputs, pkgs, ... }: {
   nix = {
+    nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
     package = pkgs.nixVersions.latest;
 
     settings = rec {
@@ -23,5 +24,5 @@
     '';
   };
   nixpkgs.config.allowUnfree = true;
-  system.rebuild.enableNg = true;
+  programs.nh.enable = true;
 }

modules/system/packages-gui.nix

@@ -1,16 +1,15 @@
 { config, lib, pkgs, ... }: {
   config = lib.mkIf config.me.gui {
     environment.systemPackages = with pkgs; [
-     gparted
+      android-tools
+      gparted
       nautilus
     ];
-    programs.adb.enable = true;
     hardware.graphics.extraPackages = with pkgs; [
-      vaapiIntel
-      vaapiVdpau
+      intel-vaapi-driver
+      libva-vdpau-driver
       libvdpau-va-gl
     ];
-    programs.light.enable = true;
     hardware.opentabletdriver.enable = true;
     hardware.keyboard.qmk.enable = true;
     programs.steam = {

modules/system/packages.nix

@@ -1,8 +1,7 @@
 { pkgs, ... }: {
   imports = [ ./packages-gui.nix ];
   environment.systemPackages = with pkgs; [
-    comma
-    ecryptfs
+    # ecryptfs
     efibootmgr
     fd
     git

modules/system/security.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, ... }: {
+{ config, lib, pkgs, ... }: {
   networking.firewall =
   let
     iptables = "${pkgs.iptables}/bin/iptables";
@@ -53,5 +53,33 @@
         }
       ];
     };
+    pam = lib.mkIf (config.me.environment != "headless") {
+      u2f = {
+        enable = true;
+        settings = {
+          cue = true;
+          pinverification = 1;
+        };
+      };
+      services.doas.rules.auth = {
+        u2f.settings.pinverification = lib.mkForce 0;
+        u2f_int = lib.mkMerge [
+          {
+            enable = true;
+            order = config.security.pam.services.doas.rules.auth.u2f.order + 1;
+            control = "sufficient";
+            modulePath = "${pkgs.pam_u2f}/lib/security/pam_u2f.so";
+            inherit (config.security.pam.u2f) settings;
+          }
+          {
+            settings = lib.mkForce {
+              interactive = true;
+              pinverification = 0;
+              userpresence = 0;
+            };
+          }
+        ];
+      };
+    };
   };
 }

modules/system/tailscale.nix

@@ -0,0 +1,13 @@
+{ config, lib, ... }: {
+  age.secrets.tailscale_auth.file = ../../secrets/tailscale_auth.age;
+  me.binds."/var/lib/tailscale" = "tailscale";
+  networking.firewall.trustedInterfaces = [ "tailscale0" ];
+  networking.firewall.allowedUDPPorts = lib.mkIf (config.me.environment == "headless") [ 123 ];
+
+  services.tailscale = {
+    enable = true;
+    authKeyFile = config.age.secrets.tailscale_auth.path;
+    openFirewall = true;
+    useRoutingFeatures = if config.me.environment == "headless" then "both" else "client";
+  };
+}

modules/system/wireguard.nix

@@ -1,13 +1,11 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, gcSecrets, ... }:
 let
-  port = 51820;
-  serverName = "sugarcane";
-  serverInterface = "ens3";
-  serverIp = "51.79.240.130";
+  port = 51801;
+  serverName = "dandelion";
+  serverInterface = "enp0s6";
+  serverIp = gcSecrets.wireguard.gateway;
 
   forwarding = {
-    "80" = [ "10.100.0.2" "80" ];
-    "443" = [ "10.100.0.2" "443" ];
     "22727" = [ "10.100.0.3" "7777" ];
   };
 
@@ -20,52 +18,61 @@ let
       in ''
         ${pkgs.iptables}/bin/iptables -${type} PREROUTING -t nat -i ${serverInterface} -p tcp --dport ${sport} -j DNAT --to ${dest}:${dport}
         ${pkgs.iptables}/bin/iptables -${type} FORWARD -p tcp -d ${dest} --dport ${dport} -j ACCEPT
+        ${pkgs.iptables}/bin/iptables -${type} PREROUTING -t nat -i ${serverInterface} -p udp --dport ${sport} -j DNAT --to ${dest}:${dport}
+        ${pkgs.iptables}/bin/iptables -${type} FORWARD -p udp -d ${dest} --dport ${dport} -j ACCEPT
       '') forwarding
     );
 
-  routeBypass = {
-    caramel = {
-      gateway = "192.168.100.1";
-      interface = "wlan0";
-      routes = [
-        serverIp
-      ];
-    };
-    hyacinth = {
-      gateway = "192.168.100.1";
-      interface = "enp5s0";
-      routes = [
-        serverIp
-      ];
-    };
-  };
-
   clients = {
-    caramel = {
-      publicKey = "VDqcpS0lJzFgwikj61MJ1xc9P8Cuq0NXa+Hc+etn2iA=";
-      allowedIPs = [ "10.100.0.2/32" ];
-    };
     hyacinth = {
       publicKey = "6nVhazYdmC15A/nke9VrqIg3sOBVOmqj4GEsyBq7MVo=";
-      allowedIPs = [ "10.100.0.3/32" ];
+      allowedIPs = [ "10.100.0.3/32" "${gcSecrets.wireguard.ipv6Subnet}:3" "fd0d::3" ];
+      interfaces = {
+        wg0 = { peers = [ server6OnlyPeer ]; };
+        wg1 = { peers = [ serverPeer ]; autostart = false; };
+        wg2 = { peers = [ serverLocalOnlyPeer ]; autostart = false; };
+      };
     };
-    strawberry = {
-      publicKey = "Fkcp/VSN4Dkhly8V4hskF4lnDviA7VZHCnWf7OliFCg=";
-      allowedIPs = [ "10.100.0.4/32" ];
+    anemone = {
+      publicKey = "px5+JNdAmqBvUC++DhiJrUBRAr+BYP6iYVt4sbhPTWY=";
+      allowedIPs = [ "10.100.0.4/32" "${gcSecrets.wireguard.ipv6Subnet}:4" "fd0d::4" ];
+      interfaces = {
+        wg0 = { peers = [ server6OnlyPeer ]; };
+        wg1 = { peers = [ serverPeer ]; autostart = false; };
+        wg2 = { peers = [ serverLocalOnlyPeer ]; autostart = false; };
+      };
     };
-    maple = {
-      publicKey = "kPw8hpANygfz83Oi/l+iCVYalV2zfs7fhkccjoGG2Do=";
-      allowedIPs = [ "10.100.0.5/32" ];
+    hibiscus = {
+      publicKey = "vQ5a2KMrwi7RCRsD0yvog+n35vQYFuvwiPn+W4lbRBw=";
+      allowedIPs = [ "10.100.0.5/32" "${gcSecrets.wireguard.ipv6Subnet}:5" "fd0d::5" ];
+      interfaces = {
+        wg0 = { peers = [ server6OnlyPeer ]; };
+        wg1 = { peers = [ serverPeer ]; autostart = false; };
+        wg2 = { peers = [ serverLocalOnlyPeer ]; autostart = false; };
+      };
+    };
+    hazel = {
+      publicKey = "0zruTndObzHo+b1rbOuTsxCU97epygZycxXS/lgUHUc=";
+      allowedIPs = [ "10.100.0.21/32" "${gcSecrets.wireguard.ipv6Subnet}:21" "fd0d::21" ];
+      interfaces = {
+        wg0 = {
+          dns = [ "::1" "127.0.0.1" ];
+          peers = [ serverLocalOnlyPeer ];
+        };
+      };
     };
   };
 
-  clientPeers = builtins.attrValues clients;
-  serverPeer = {
+  clientPeers = builtins.map (client: builtins.removeAttrs client [ "interfaces" ]) (builtins.attrValues clients);
+  serverPeerWith = ips: {
     publicKey = "3ugIk2tQZXjAH9/95s63ld2WNUHQrd4Mz5jzbln6oj0=";
-    allowedIPs = [ "0.0.0.0/0" ];
+    allowedIPs = ips;
     endpoint = "${serverIp}:${toString port}";
     persistentKeepalive = 25;
   };
+  serverPeer = serverPeerWith [ "0.0.0.0/0" "::/0" ];
+  server6OnlyPeer = serverPeerWith [ "10.100.0.0/24" "::/0" ];
+  serverLocalOnlyPeer = serverPeerWith [ "10.100.0.0/24" "fd0d::/16" ];
 
   serverConfig = {
     nat = {
@@ -79,7 +86,7 @@ let
     };
 
     wireguard.interfaces.wg0 = {
-      ips = [ "10.100.0.1/24" ];
+      ips = [ "10.100.0.1/24" "${gcSecrets.wireguard.ipv6Subnet}:1" "fd0d::1" ];
       listenPort = port;
 
       postSetup = ''
@@ -97,33 +104,24 @@ let
   };
 
   clientConfig = {
-    wireguard.interfaces.wg0 =
+    wg-quick.interfaces =
     let
       client = clients."${config.networking.hostName}";
-      routes = routeBypass."${config.networking.hostName}";
-      mapRoutes = type: lib.concatMapStringsSep "\n" (r: "${pkgs.iproute2}/bin/ip route ${type} ${r} via ${routes.gateway} dev ${routes.interface}") routes.routes;
-    in {
-      ips = client.allowedIPs;
-      listenPort = port;
-
-      postSetup = ''
-        ${mapRoutes "add"}
-        ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ${serverInterface} -j MASQUERADE
-      '';
-
-      postShutdown = ''
-        ${mapRoutes "del"}
-        ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ${serverInterface} -j MASQUERADE
-      '';
-
-      privateKeyFile = config.age.secrets."wg_${config.networking.hostName}".path;
-      peers = [ serverPeer ];
-    };
+    in
+      builtins.mapAttrs (interface: conf: {
+        address = client.allowedIPs;
+        dns = [ "fd0d::1" "10.100.0.1" ];
+        privateKeyFile = config.age.secrets."wg_${config.networking.hostName}".path;
+      } // conf) client.interfaces;
   };
 in {
+  boot.kernel.sysctl = lib.mkIf (config.networking.hostName == serverName) ({
+    "net.ipv6.conf.all.forwarding" = true;
+    "net.ipv6.conf.default.forwarding" = true;
+  });
   networking =
     lib.mkMerge [
       (lib.mkIf (config.networking.hostName == serverName) serverConfig)
-      (lib.mkIf (builtins.hasAttr config.networking.hostName clients) clientConfig)
+      (lib.mkIf (config.networking.hostName != serverName) clientConfig)
     ];
 }

modules/user/catppuccin.nix

@@ -53,7 +53,7 @@
         echo "invalid theme, valid values: [dark, light, restore]"
         exit 1
       fi
-      current="$HOME/.local/state/nix/profiles/home-manager"
+      current="$HOME/.local/state/home-manager/gcroots/current-home/"
       cached="$HOME/.local/state/last-parent-specialisation"
       if [ -d "$current/specialisation" ]; then
         if [ -d "$cached" ]; then

modules/user/comma.nix

@@ -0,0 +1,7 @@
+{ inputs, ... }: {
+  imports = [
+    inputs.nix-index-database.homeModules.default
+  ];
+  programs.nix-index.enable = true;
+  programs.nix-index-database.comma.enable = true;
+}

modules/user/direnv.nix

@@ -5,7 +5,7 @@
       enable = true;
     };
   };
-  programs.git.extraConfig.core.excludesFile = ".envrc";
+  programs.git.settings.core.excludesFile = ".envrc";
   # We can't use .source since hm manages this file too
   xdg.configFile."direnv/direnvrc".text = builtins.readFile ../../res/direnvrc;
   home.activation = {

modules/user/eww.nix

@@ -21,9 +21,9 @@ let
     '';
   };
 in {
-  home.packages = with pkgs; [ socat ];
+  home.packages = with pkgs; [ iw socat ];
   programs.eww = {
     enable = true;
-    configDir = res;
   };
+  xdg.configFile."eww".source = res;
 }

modules/user/git.nix

@@ -1,15 +1,16 @@
 { ... }: {
   programs.git = {
     enable = true;
-    userName = "LavaDesu";
-    userEmail = "me@lava.moe";
     signing = {
       key = "059F098EBF0E9A13E10A46BF6500251E087653C9";
       signByDefault = true;
     };
-    extraConfig = {
+    settings = {
+      user.name = "Cilly Leang";
+      user.email = "mini@cilly.moe";
       core.abbrev = 11;
       safe.directory = "/home/rin/Projects/flakes";
+      init.defaultBranch = "master";
     };
   };
 }

modules/user/gpg.nix

@@ -5,6 +5,6 @@
   };
   services.gpg-agent = {
     enable = true;
-    pinentryPackage = pkgs.pinentry-gnome3;
+    pinentry.package = pkgs.pinentry-gnome3;
   };
 }

modules/user/hypridle.nix

@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
 let
-  kblight = "light -s sysfs/leds/${config.me.kbBacklightDevice}";
+  kblight = "brightnessctl -d ${config.me.kbBacklightDevice}";
 in
 {
   home.packages = [ config.services.hypridle.package ];
@@ -16,18 +16,18 @@ in
       listener = lib.optionals (config.me.kbBacklightDevice != null) [
         {
           timeout = 120;
-          on-timeout = "${kblight} -O && ${kblight} -S 0";
-          on-resume = "${kblight} -I";
+          on-timeout = "${kblight} -s && ${kblight} 0";
+          on-resume = "${kblight} -r";
         }
       ] ++ [
         {
           timeout = 150;
-          on-timeout = "light -O && light -T 0.5";
-          on-resume = "light -I";
+          on-timeout = "brightnessctl -s && brightnessctl 50%-";
+          on-resume = "brightnessctl -r";
         }
         {
           timeout = 180;
-          on-timeout = "light -I && loginctl lock-session";
+          on-timeout = "brightnessctl -r && loginctl lock-session";
         }
         {
           timeout = 195;

modules/user/mpv.nix

@@ -1,8 +1,7 @@
-{ config, pkgs, ... }: {
+{ pkgs, ... }: {
   programs.mpv = {
     enable = true;
-    package = pkgs.mpv-unwrapped.wrapper {
-      mpv = pkgs.mpv-unwrapped;
+    package = pkgs.mpv.override {
       youtubeSupport = true;
       scripts = [ pkgs.mpvScripts.mpris ];
     };

modules/user/neovim-minimal.nix

@@ -9,6 +9,8 @@
     vimAlias = true;
     vimdiffAlias = true;
     withNodeJs = false;
+    withPython3 = false;
+    withRuby = false;
 
     plugins = with pkgs.vimPlugins; [
       fzf-vim

modules/user/neovim.nix

@@ -1,9 +1,9 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, sysConfig, ... }:
 let
   luaconf = pkgs.writeText "config.lua"
     (lib.replaceStrings
-      ["{{OMNISHARP_PATH}}" "{{DART_PATH}}" "{{CATPPUCCIN_FLAVOUR}}"]
-      ["${pkgs.omnisharp-roslyn}/bin/OmniSharp" "${pkgs.dart}/bin/dart" config.catppuccin.nvim.flavor]
+      ["{{OMNISHARP_PATH}}" "{{DART_PATH}}" "{{CATPPUCCIN_FLAVOUR}}" "{{USERNAME}}" "{{HOSTNAME}}"]
+      ["${pkgs.omnisharp-roslyn}/bin/OmniSharp" "${pkgs.dart}/bin/dart" config.catppuccin.nvim.flavor config.home.username sysConfig.networking.hostName]
       (builtins.readFile ../../res/config.lua));
 in {
   systemd.user.tmpfiles.rules = [
@@ -17,24 +17,35 @@ in {
     vimdiffAlias = true;
     #package = pkgs.neovim-nightly;
     withNodeJs = true;
+    withPython3 = true;
+    withRuby = false;
 
     extraPackages = with pkgs; [
+      nixd
       rust-analyzer
-      nodePackages.diagnostic-languageserver
-      nodePackages.eslint_d
-      nodePackages.typescript-language-server
-      nodePackages.vscode-langservers-extracted
-      nodePackages.yaml-language-server
+      texlab
+      astro-language-server
+      tailwindcss-language-server
+      diagnostic-languageserver
+      eslint_d
+      typescript-language-server
+      vscode-langservers-extracted
+      yaml-language-server
     ];
 
     plugins = with pkgs.vimPlugins; [
+      autoclose-nvim
+      auto-save-nvim
       flutter-tools-nvim
       fzf-vim
       fzf-lsp-nvim
       lualine-nvim
+      nvim-ts-autotag
+      nvim-web-devicons
       plenary-nvim
       tokyonight-nvim
       vim-fugitive
+      vim-latex-live-preview
       vim-nix
       vim-repeat
       vim-signify
@@ -44,6 +55,7 @@ in {
 
       nvim-cmp
       nvim-dap
+      nvim-highlight-colors
       nvim-lspconfig
       cmp-nvim-lsp
       cmp_luasnip
@@ -51,6 +63,7 @@ in {
 
       #(pkgs.me.nvim-treesitter-nightly.withPlugins (p: with p; [
       (nvim-treesitter.withPlugins (p: with p; [
+        tree-sitter-astro
         tree-sitter-bash
         tree-sitter-c
         tree-sitter-c-sharp
@@ -61,6 +74,7 @@ in {
         tree-sitter-javascript
         tree-sitter-json
         tree-sitter-kotlin
+        tree-sitter-latex
         tree-sitter-lua
         tree-sitter-markdown
         tree-sitter-nix

modules/user/rofi.nix

@@ -16,7 +16,6 @@ let
 in {
   programs.rofi = {
     enable = true;
-    package = pkgs.rofi-wayland;
     theme = "theme";
   };
   xdg.configFile."rofi/theme.rasi".source = theme;

modules/user/spicetify.nix

@@ -40,7 +40,6 @@ in
       shuffle
       hidePodcasts
 
-      skipStats
       songStats
       history
       volumePercentage

modules/user/zsh.nix

@@ -38,7 +38,8 @@ let
     jf = "doas journalctl -f";
 
     fl = "cd ~/Projects/flakes";
-    nr = "doas nixos-rebuild switch --flake .#${sysConfig.networking.hostName} -v -L";
+    nr = "nh os switch";
+    nb = "nh os boot";
 
     gs = "git status";
     ga = "git add";
@@ -101,10 +102,9 @@ let
     bindkey -a -r ':'
   '';
 in {
-  programs.command-not-found.enable = true;
   programs.zsh = {
     enable = true;
-    dotDir = ".config/zsh";
+    dotDir = "${config.xdg.configHome}/zsh";
 
     autocd = true;
     defaultKeymap = "viins";

overlays/android-studio.nix

@@ -1,27 +0,0 @@
-self: { bash, buildFHSEnv, cacert, ncurses5, runCommand, ... } @ super:
-let
-  drvName = super.android-studio.name;
-  fhsEnv = buildFHSEnv {
-    name = "${drvName}-fhs-env";
-    # google's analytics calls jdk's getOperatingSystemMXBean which tries to parse cgroups and ultimately fails for whatever reason with an npe
-    unshareCgroup = false;
-    multiPkgs = pkgs: [
-      ncurses5
-
-      (runCommand "fedoracert" {}
-        ''
-        mkdir -p $out/etc/pki/tls/
-        ln -s ${cacert}/etc/ssl/certs $out/etc/pki/tls/certs
-        '')
-    ];
-  };
-
-  startScript = ''
-    #!${bash}/bin/bash
-    ${fhsEnv}/bin/${drvName}-fhs-env ${super.android-studio.passthru.unwrapped}/bin/studio.sh "$@"
-  '';
-in {
-  android-studio-patched = super.android-studio.overrideAttrs(_: {
-    inherit startScript;
-  });
-}

overlays/default.nix

@@ -1,10 +1,11 @@
 builtins.map (path: import path) [
-  ./android-studio.nix
   ./bitwarden-desktop.nix
   ./cascadia-code.nix
   ./ccache.nix
   ./eww.nix
+  ./jetbrains.nix
   ./material-icons.nix
+  ./openldap.nix
   ./steam.nix
   ./utillinux.nix
   ./wpa-supplicant.nix

overlays/jetbrains.nix

@@ -0,0 +1,22 @@
+# https://github.com/NixOS/nixpkgs/issues/375254
+self: super: {
+  jetbrains = super.jetbrains // {
+    gateway = let
+      unwrapped = super.jetbrains.gateway;
+    in super.buildFHSEnv {
+      name = "gateway";
+      inherit (unwrapped) version;
+
+      runScript = super.writeScript "gateway-wrapper" ''
+        unset JETBRAINS_CLIENT_JDK
+        exec ${unwrapped}/bin/gateway "$@"
+      '';
+
+      meta = unwrapped.meta;
+
+      passthru = {
+        inherit unwrapped;
+      };
+    };
+  };
+}

overlays/linux-lava.nix

@@ -1,12 +1,16 @@
 self: super: let
   llvmPackages = super.llvmPackages_19;
   clangVersion = super.lib.versions.major llvmPackages.libclang.version;
+  addFlagsScript = "$out/nix-support/add-local-cc-cflags-before.sh";
   cc = llvmPackages.stdenv.cc.override {
     # :sob: see https://github.com/NixOS/nixpkgs/issues/142901
     bintools = llvmPackages.bintools;
+
+    # https://github.com/NixOS/nixpkgs/issues/368850
     extraBuildCommands = ''
+      cat <(echo "NIX_CC_WRAPPER_SUPPRESS_TARGET_WARNING=1") "${addFlagsScript}" > "${addFlagsScript}.new"
+      mv "${addFlagsScript}.new" "${addFlagsScript}"
       substituteInPlace "$out/nix-support/cc-cflags" --replace " -nostdlibinc" ""
-      substituteInPlace "$out/nix-support/add-local-cc-cflags-before.sh" --replace 'echo "Warning: supplying the --target argument to a nix-wrapped compiler may not work correctly - cc-wrapper is currently not designed with multi-target compilers in mind. You may want to use an un-wrapped compiler instead." >&2' ""
       echo " -resource-dir=${llvmPackages.libclang.lib}/lib/clang/${clangVersion}" >> $out/nix-support/cc-cflags
     '';
   };

overlays/openldap.nix

@@ -0,0 +1,9 @@
+self: super: {
+  # openldap i686 fails checks
+  # issue: https://github.com/NixOS/nixpkgs/issues/514113
+  # workaround: https://github.com/NixOS/nixpkgs/issues/513245#issuecomment-4320293674
+  # fix: https://github.com/NixOS/nixpkgs/pull/515956
+  openldap = super.openldap.overrideAttrs {
+    doCheck = !self.stdenv.hostPlatform.isi686;
+  };
+}

packages/linux-lava/bluetooth.patch

@@ -0,0 +1,13 @@
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index ef9689f8776..aabbc031b5f 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -759,6 +759,8 @@ static const struct usb_device_id quirks_table[] = {
+ 						     BTUSB_WIDEBAND_SPEECH },
+ 	{ USB_DEVICE(0x2b89, 0x8761), .driver_info = BTUSB_REALTEK |
+ 						     BTUSB_WIDEBAND_SPEECH },
++	{ USB_DEVICE(0x2c4e, 0x0115), .driver_info = BTUSB_REALTEK |
++ 						     BTUSB_WIDEBAND_SPEECH },
+ 
+ 	/* Additional Realtek 8821AE Bluetooth devices */
+ 	{ USB_DEVICE(0x0b05, 0x17dc), .driver_info = BTUSB_REALTEK },

packages/linux-lava/default.nix

@@ -56,6 +56,10 @@ let
       INIT_STACK_ALL_ZERO = yes;
       INIT_STACK_NONE = no;
 
+      # bore
+      SCHED_BORE = yes;
+      MIN_BASE_SLICE_NS = freeform "2000000";
+
       # tickless timers
       HZ_PERIODIC = no;
       NO_HZ = yes;

packages/linux-lava/sources.nix

@@ -1,17 +1,16 @@
 { fetchFromGitHub, inputs, lib }:
 let
-  version = "6.14.7";
-  kernelHash = "0w3nqh02vl8f2wsx3fmsvw1pdsnjs5zfqcmv2w2vnqdiwy1vd552";
-  kernelPatchHash = "05a5srmb27gqyv49mxy3rmlxgiinacwbyzmig1hk313m0wl88av3";
+  version = "7.0.10";
+  kernelHash = "1w4i705i0nl1xqv7fdhdbhy7j3xrzhl31fabs6vmgiw7nf06szxv";
+  kernelPatchHash = "0h7gxqcnww7sj5cdyblzj04775zhavwdylkm2pm91v6xkjbnz1zj";
 
   mm = lib.versions.majorMinor version;
   hasPatch = (builtins.length (builtins.splitVersion version)) == 3;
   tkgPatches = [
     "0002-clear-patches"
     "0003-glitched-base"
-    "0003-glitched-eevdf-additions"
+    "0001-bore"
     "0003-glitched-cfs"
-    "0007-v${mm}-fsync_legacy_via_futex_waitv"
     "0012-misc-additions"
   ];
 
@@ -36,6 +35,7 @@ in {
 
   kernelPatches = lib.optionals hasPatch [
     kernelPatchSrc
+    (patch ./bluetooth.patch)
   ]
   ++ builtins.map (name: {
     inherit name;

packages/spotify-adblock/0001-cargo.patch

@@ -1,141 +0,0 @@
-From 002a25dd56233d599adda61b298d612a46267407 Mon Sep 17 00:00:00 2001
-From: LavaDesu <me@lava.moe>
-Date: Tue, 14 Sep 2021 08:34:05 +0700
-Subject: [PATCH] cargo
-
----
- Cargo.lock | 122 +++++++++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 122 insertions(+)
- create mode 100644 Cargo.lock
-
-diff --git a/Cargo.lock b/Cargo.lock
-new file mode 100644
-index 00000000000..b952e17ca90
---- /dev/null
-+++ b/Cargo.lock
-@@ -0,0 +1,122 @@
-+# This file is automatically @generated by Cargo.
-+# It is not intended for manual editing.
-+version = 3
-+
-+[[package]]
-+name = "aho-corasick"
-+version = "0.7.18"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "1e37cfd5e7657ada45f742d6e99ca5788580b5c529dc78faf11ece6dc702656f"
-+dependencies = [
-+ "memchr",
-+]
-+
-+[[package]]
-+name = "lazy_static"
-+version = "1.4.0"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
-+
-+[[package]]
-+name = "libc"
-+version = "0.2.101"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "3cb00336871be5ed2c8ed44b60ae9959dc5b9f08539422ed43f09e34ecaeba21"
-+
-+[[package]]
-+name = "memchr"
-+version = "2.4.1"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "308cc39be01b73d0d18f82a0e7b2a3df85245f84af96fdddc5d202d27e47b86a"
-+
-+[[package]]
-+name = "proc-macro2"
-+version = "1.0.29"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "b9f5105d4fdaab20335ca9565e106a5d9b82b6219b5ba735731124ac6711d23d"
-+dependencies = [
-+ "unicode-xid",
-+]
-+
-+[[package]]
-+name = "quote"
-+version = "1.0.9"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "c3d0b9745dc2debf507c8422de05d7226cc1f0644216dfdfead988f9b1ab32a7"
-+dependencies = [
-+ "proc-macro2",
-+]
-+
-+[[package]]
-+name = "regex"
-+version = "1.5.4"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "d07a8629359eb56f1e2fb1652bb04212c072a87ba68546a04065d525673ac461"
-+dependencies = [
-+ "aho-corasick",
-+ "memchr",
-+ "regex-syntax",
-+]
-+
-+[[package]]
-+name = "regex-syntax"
-+version = "0.6.25"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "f497285884f3fcff424ffc933e56d7cbca511def0c9831a7f9b5f6153e3cc89b"
-+
-+[[package]]
-+name = "serde"
-+version = "1.0.130"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "f12d06de37cf59146fbdecab66aa99f9fe4f78722e3607577a5375d66bd0c913"
-+dependencies = [
-+ "serde_derive",
-+]
-+
-+[[package]]
-+name = "serde_derive"
-+version = "1.0.130"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "d7bc1a1ab1961464eae040d96713baa5a724a8152c1222492465b54322ec508b"
-+dependencies = [
-+ "proc-macro2",
-+ "quote",
-+ "syn",
-+]
-+
-+[[package]]
-+name = "spotify-adblock"
-+version = "1.0.0"
-+dependencies = [
-+ "lazy_static",
-+ "libc",
-+ "regex",
-+ "serde",
-+ "toml",
-+]
-+
-+[[package]]
-+name = "syn"
-+version = "1.0.76"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "c6f107db402c2c2055242dbf4d2af0e69197202e9faacbef9571bbe47f5a1b84"
-+dependencies = [
-+ "proc-macro2",
-+ "quote",
-+ "unicode-xid",
-+]
-+
-+[[package]]
-+name = "toml"
-+version = "0.5.8"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "a31142970826733df8241ef35dc040ef98c679ab14d7c3e54d827099b3acecaa"
-+dependencies = [
-+ "serde",
-+]
-+
-+[[package]]
-+name = "unicode-xid"
-+version = "0.2.2"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "8ccb82d61f80a663efe1f787a51b16b5a51e3314d6ac365b08639f52387b33f3"
--- 
-2.32.0
-

packages/spotify-adblock/default.nix

@@ -7,7 +7,7 @@ rustPlatform.buildRustPackage {
   version = "1.0";
   src = inputs.spotify-adblock;
 
-  cargoHash = "sha256-yxumYGAMObgl1u6GlbEQOKOn1DWxXN8bbT7BjiWT96o=";
+  cargoHash = "sha256-oGpe+kBf6kBboyx/YfbQBt1vvjtXd1n2pOH6FNcbF8M=";
 
   patches = [ ./0002-allow-setting-config-from-environment-variable.patch ];
 

res/config-minimal.lua

@@ -1,5 +1,5 @@
 -- Keybindings
-local map = vim.api.nvim_set_keymap
+local map = vim.keymap.set
 map('n', '<C-H>', '<C-W>h', { noremap = true })
 map('n', '<C-J>', '<C-W>j', { noremap = true })
 map('n', '<C-K>', '<C-W>k', { noremap = true })
@@ -18,6 +18,7 @@ vim.opt.number = true
 vim.opt.cursorline = true
 vim.opt.signcolumn = "yes:3"
 vim.opt.title = true
+vim.opt.termguicolors = true
 vim.opt.updatetime = 0
 vim.opt.clipboard:prepend('unnamedplus')
 
@@ -47,7 +48,7 @@ vim.g.signify_sign_change            = vim.g.signify_sign_add
 vim.g.signify_sign_change_delete     = vim.g.signify_sign_delete
 
 -- Plugins
-require('nvim-treesitter.configs').setup {
+require('nvim-treesitter').setup {
     highlight = { enable = true },
     indent = { enable = false }
 }

res/config.lua

@@ -1,11 +1,13 @@
 -- Keybindings
-local map = vim.api.nvim_set_keymap
-map('n', '<C-H>', '<C-W>h', { noremap = true })
-map('n', '<C-J>', '<C-W>j', { noremap = true })
-map('n', '<C-K>', '<C-W>k', { noremap = true })
-map('n', '<C-L>', '<C-W>l', { noremap = true })
-map('n', '<C-Q>', ':q<CR>', { noremap = true })
-map('n', '<C-P>', ':Files<CR>', { noremap = true })
+local map = vim.keymap.set
+map('n', '<C-H>', '<C-W>h', { remap = false })
+map('n', '<C-J>', '<C-W>j', { remap = false })
+map('n', '<C-K>', '<C-W>k', { remap = false })
+map('n', '<C-L>', '<C-W>l', { remap = false })
+map('n', '<C-Q>', ':q<CR>', { remap = false })
+map('n', '<C-P>', ':Files<CR>', { remap = false })
+map('n', '<C-/>', 'gcc', { remap = true, silent = true })
+map('v', '<C-/>', 'gc', { remap = true, silent = true })
 
 -- Autocommands
 vim.cmd('au BufEnter * set noro')
@@ -18,6 +20,7 @@ vim.opt.number = true
 vim.opt.cursorline = true
 vim.opt.signcolumn = "yes:3"
 vim.opt.title = true
+vim.opt.termguicolors = true
 vim.opt.updatetime = 0
 vim.opt.clipboard:prepend('unnamedplus')
 
@@ -48,6 +51,7 @@ vim.g.signify_sign_change_delete     = vim.g.signify_sign_delete
 
 -- VimTeX
 vim.g.vimtex_view_method = "zathura"
+vim.g.vimtex_quickfix_open_on_warning = 0
 
 -- Theming
 vim.api.nvim_command("syntax enable")
@@ -64,13 +68,39 @@ vim.cmd("highlight SignifySignChangeDelete    guifg="..colors.red)
 vim.cmd("au FileType rust highlight DiagnosticUnderlineHint ctermfg=14 gui=italic guifg="..colors.overlay2)
 
 -- Plugins
-require('nvim-treesitter.configs').setup {
+require('autoclose').setup {}
+local function autosavecond(buf)
+    if vim.tbl_contains({"astro", "tex"}, vim.fn.getbufvar(buf, "&filetype")) then
+        return true
+    end
+    return false
+end
+require('auto-save').setup {
+    trigger_events = {
+        defer_save = { "InsertLeave", "TextChanged", "TextChangedI" },
+    },
+    debounce_delay = 250,
+    condition = autosavecond,
+}
+require('nvim-ts-autotag').setup {}
+require('nvim-highlight-colors').setup {
+    render = "virtual",
+}
+require('nvim-treesitter').setup {
     highlight = { enable = true },
     indent = { enable = false }
 }
 require('lualine').setup {
     options = {
-        theme = 'tokyonight'
+        theme = 'catppuccin'
+    },
+    sections = {
+        lualine_c = {
+            {
+                "filename",
+                path = 1,
+            }
+        }
     }
 }
 
@@ -78,74 +108,72 @@ require('lualine').setup {
 -- many thanks to @kristijanhusak
 -- https://github.com/nvim-treesitter/nvim-treesitter/issues/1167#issuecomment-920824125
 function _G.javascript_indent()
-  local line = vim.fn.getline(vim.v.lnum)
-  local prev_line = vim.fn.getline(vim.v.lnum - 1)
-  if line:match('^%s*[%*/]%s*') then
-    if prev_line:match('^%s*%*%s*') then
-      return vim.fn.indent(vim.v.lnum - 1)
+    local line = vim.fn.getline(vim.v.lnum)
+    local prev_line = vim.fn.getline(vim.v.lnum - 1)
+    if line:match('^%s*[%*/]%s*') then
+        if prev_line:match('^%s*%*%s*') then
+            return vim.fn.indent(vim.v.lnum - 1)
+        end
+        if prev_line:match('^%s*/%*%*%s*$') then
+            return vim.fn.indent(vim.v.lnum - 1) + 1
+        end
     end
-    if prev_line:match('^%s*/%*%*%s*$') then
-      return vim.fn.indent(vim.v.lnum - 1) + 1
-    end
-  end
 
-  return vim.fn['GetJavascriptIndent']()
+    return vim.fn['GetJavascriptIndent']()
 end
 
 vim.cmd('au FileType javascript setlocal indentexpr=v:lua.javascript_indent()')
 
 -- LSP
-local nvim_lsp = require('lspconfig')
+vim.api.nvim_create_autocmd("LspAttach", {
+    callback = function(args)
+        local client = vim.lsp.get_client_by_id(args.data.client_id)
+        if not client then
+            return
+        end
 
-local on_attach = function(client, bufnr)
-    local function buf_set_keymap(...) vim.api.nvim_buf_set_keymap(bufnr, ...) end
-    local function buf_set_option(...) vim.api.nvim_buf_set_option(bufnr, ...) end
+        local function buf_set_keymap(...) vim.api.nvim_buf_set_keymap(args.buf, ...) end
+        local function buf_set_option(...) vim.api.nvim_buf_set_option(args.buf, ...) end
 
-    local opts = { noremap = true, silent = true }
+        local opts = { noremap = true, silent = true }
 
-    buf_set_keymap('n', 'gD', '<cmd>lua vim.lsp.buf.declaration()<CR>', opts)
-    buf_set_keymap('n', 'gd', '<cmd>lua vim.lsp.buf.definition()<CR>', opts)
-    buf_set_keymap('n', 'K', '<cmd>lua vim.lsp.buf.hover()<CR>', opts)
-    buf_set_keymap('n', 'gi', '<cmd>lua vim.lsp.buf.implementation()<CR>', opts)
-    buf_set_keymap('n', '<C-k>', '<cmd>lua vim.lsp.buf.signature_help()<CR>', opts)
-    buf_set_keymap('n', '<space>wa', '<cmd>lua vim.lsp.buf.add_workspace_folder()<CR>', opts)
-    buf_set_keymap('n', '<space>wr', '<cmd>lua vim.lsp.buf.remove_workspace_folder()<CR>', opts)
-    buf_set_keymap('n', '<space>wl', '<cmd>lua print(vim.inspect(vim.lsp.buf.list_workspace_folders()))<CR>', opts)
-    buf_set_keymap('n', '<space>D', '<cmd>lua vim.lsp.buf.type_definition()<CR>', opts)
-    buf_set_keymap('n', '<space>rn', '<cmd>lua vim.lsp.buf.rename()<CR>', opts)
-    buf_set_keymap('n', '<space>ca', '<cmd>lua vim.lsp.buf.code_action()<CR>', opts)
-    buf_set_keymap('n', 'gr', '<cmd>lua vim.lsp.buf.references()<CR>', opts)
-    buf_set_keymap('n', '<space>e', '<cmd>lua vim.diagnostic.open_float(0, { scope = "line" })<CR>', opts)
-    buf_set_keymap('n', '[d', '<cmd>lua vim.lsp.diagnostic.goto_prev()<CR>', opts)
-    buf_set_keymap('n', ']d', '<cmd>lua vim.lsp.diagnostic.goto_next()<CR>', opts)
-    buf_set_keymap('n', '<space>q', '<cmd>lua vim.lsp.diagnostic.set_loclist()<CR>', opts)
-    buf_set_keymap('n', '<space>f', '<cmd>lua vim.lsp.buf.formatting()<CR>', opts)
-end
+        buf_set_keymap('n', 'gD', '<cmd>lua vim.lsp.buf.declaration()<CR>', opts)
+        buf_set_keymap('n', 'gd', '<cmd>lua vim.lsp.buf.definition()<CR>', opts)
+        buf_set_keymap('n', 'K', '<cmd>lua vim.lsp.buf.hover()<CR>', opts)
+        buf_set_keymap('n', 'gi', '<cmd>lua vim.lsp.buf.implementation()<CR>', opts)
+        buf_set_keymap('n', '<C-k>', '<cmd>lua vim.lsp.buf.signature_help()<CR>', opts)
+        buf_set_keymap('n', '<space>wa', '<cmd>lua vim.lsp.buf.add_workspace_folder()<CR>', opts)
+        buf_set_keymap('n', '<space>wr', '<cmd>lua vim.lsp.buf.remove_workspace_folder()<CR>', opts)
+        buf_set_keymap('n', '<space>wl', '<cmd>lua print(vim.inspect(vim.lsp.buf.list_workspace_folders()))<CR>', opts)
+        buf_set_keymap('n', '<space>D', '<cmd>lua vim.lsp.buf.type_definition()<CR>', opts)
+        buf_set_keymap('n', '<space>rn', '<cmd>lua vim.lsp.buf.rename()<CR>', opts)
+        buf_set_keymap('n', '<space>ca', '<cmd>lua vim.lsp.buf.code_action()<CR>', opts)
+        buf_set_keymap('n', 'gr', '<cmd>lua vim.lsp.buf.references()<CR>', opts)
+        buf_set_keymap('n', '<space>e', '<cmd>lua vim.diagnostic.open_float(0, { scope = "line" })<CR>', opts)
+        buf_set_keymap('n', '[d', '<cmd>lua vim.lsp.diagnostic.goto_prev()<CR>', opts)
+        buf_set_keymap('n', ']d', '<cmd>lua vim.lsp.diagnostic.goto_next()<CR>', opts)
+        buf_set_keymap('n', '<space>q', '<cmd>lua vim.lsp.diagnostic.set_loclist()<CR>', opts)
+        buf_set_keymap('n', '<space>f', '<cmd>lua vim.lsp.buf.formatting()<CR>', opts)
+    end
+})
 
-vim.lsp.handlers["textDocument/publishDiagnostics"] = vim.lsp.with(
-    vim.lsp.diagnostic.on_publish_diagnostics, {
-        focusable = false,
-        virtual_text = false,
-        underline = true,
-        signs = true,
-        update_in_insert = true
-    }
-)
-vim.lsp.handlers["textDocument/signatureHelp"] = vim.lsp.with(
-    vim.lsp.handlers.signature_help, { focusable = false }
-)
+vim.diagnostic.config({
+    focusable = false,
+    virtual_text = false,
+    underline = true,
+    signs = true,
+    update_in_insert = true
+})
 
-local capabilities = vim.lsp.protocol.make_client_capabilities()
-capabilities.textDocument.completion.completionItem.snippetSupport = true
 capabilities = require('cmp_nvim_lsp').default_capabilities(capabilities)
 
-local servers = { 'cssls', 'html', 'nil_ls', 'ts_ls', 'yamlls' }
+local servers = { 'astro', 'clangd', 'cssls', 'html', 'tailwindcss', 'texlab', 'ts_ls', 'yamlls' }
 for _, lsp in ipairs(servers) do
-    nvim_lsp[lsp].setup {
+    vim.lsp.config(lsp, {
         capabilities = capabilities,
-        on_attach = on_attach,
         flags = { debounce_text_changes = 150 }
-    }
+    })
+    vim.lsp.enable(lsp)
 end
 
 -- nvim-cmp
@@ -195,15 +223,16 @@ cmp.setup {
 
 -- LSP/Omnisharp
 local pid = vim.fn.getpid()
-nvim_lsp.omnisharp.setup {
+vim.lsp.config("omnisharp", {
     capabilities = capabilities,
     on_attach = on_attach,
     flags = { debounce_text_changes = 150 },
     cmd = { "{{OMNISHARP_PATH}}", "--languageserver", "--hostPID", tostring(pid) }
-}
+})
+vim.lsp.enable("omnisharp")
 
 -- LSP/rust_analyzer
-nvim_lsp.rust_analyzer.setup {
+vim.lsp.config("rust_analyzer", {
     capabilities = capabilities,
     on_attach = on_attach,
     flags = { debounce_text_changes = 150 },
@@ -220,11 +249,11 @@ nvim_lsp.rust_analyzer.setup {
             }
         }
     }
-}
-
+})
+vim.lsp.enable("rust_analyzer")
 
 -- LSP/Diagnostics
-nvim_lsp.diagnosticls.setup {
+vim.lsp.config("diagnosticls", {
     capabilities = capabilities,
     on_attach = on_attach,
     flags = { debounce_text_changes = 150 },
@@ -260,7 +289,34 @@ nvim_lsp.diagnosticls.setup {
             vue = 'eslint'
         }
     }
-}
+})
+vim.lsp.enable("diagnosticls")
+
+-- LSP/nixd
+vim.lsp.config("nixd", {
+  cmd = { "nixd" },
+  filetypes = { "nix" },
+  root_markers = { "flake.nix", ".git" },
+  settings = {
+    nixd = {
+      nixpkgs = {
+        expr = "import <nixpkgs> { }",
+      },
+      formatting = {
+        command = { "nixfmt" },
+      },
+      options = {
+        nixos = {
+          expr = '(builtins.getFlake (toString ./.)).nixosConfigurations.{{HOSTNAME}}.options',
+        },
+        home_manager = {
+          expr = '(builtins.getFlake (builtins.toString ./.)).nixosConfigurations."{{USERNAME}}@{{HOSTNAME}}".options.home-manager.users.type.getSubOptions []',
+        },
+      },
+    },
+  },
+})
+vim.lsp.enable("nixd")
 
 -- LSP/Signatures
 require("lsp_signature").setup {

res/eww/eww.yuck

@@ -1,4 +1,5 @@
 (defwindow mainbar :monitor 0
+
                    :geometry (geometry :x "0%"
                                        :y "0%"
                                        :width "100%"
@@ -39,12 +40,15 @@
   `cat /sys/class/power_supply/_BAT_PATH_/capacity`)
 (defpoll pbat_status :interval "1s" :run-while bat-enabled
   `cat /sys/class/power_supply/_BAT_PATH_/status`)
-(defpoll network_strength :interval "1s" :run-while wifi-enabled
-  `nmcli -f IN-USE,SIGNAL device wifi | grep '*' | tr -d -c 0-9`)
+(defpoll wifi_ssid :interval "1s" :run-while wifi-enabled
+  `iwctl station wlan0 show | grep "Connected network" | awk '{print $3}'`)
+(defpoll wifi_strength :interval "1s" :run-while wifi-enabled
+  `iw dev wlan0 link | awk '/signal/ {gsub("-",""); print $2}'`)
 (defpoll bluetooth_device :interval "1s" :run-while bt-enabled
   `bluetoothctl devices Connected | grep Device | cut -d" " -f3-`)
+(defpoll bluetooth_device_count :interval "1s" :run-while bt-enabled
+  `bluetoothctl devices Connected | wc -l`)
 
-(deflisten lnetwork :initial "" :run-while wifi-enabled "./scripts/network.sh")
 (deflisten ltitle :initial "" "./scripts/title.sh")
 (deflisten lworkspaces :initial "[]" "./scripts/workspaces.sh")
 (deflisten lcurrent_workspace :initial "1" "./scripts/active-workspace.sh")
@@ -99,28 +103,28 @@
       (revealer :transition "slideleft"
                 :reveal {bluetooth-extended && bluetooth_device != ""}
                 :duration 150
-        (label :text bluetooth_device
+        (label :text { bluetooth_device_count == "1" ? bluetooth_device : (bluetooth_device_count + " devices") }
                :class "base")))))
 
 (defwidget network []
   (button :onclick `eww update network-extended=${network-extended ? "false" : "true"}`
     (box :orientation "horizontal"
-         :class {"widget pill" + ((network-extended && lnetwork != "Disconnected") ? " extended" : "")}
-         :spacing {(network-extended && lnetwork != "Disconnected") ? 5 : 0}
+         :class {"widget pill" + ((network-extended && wifi_ssid != "") ? " extended" : "")}
+         :spacing {(network-extended && wifi_ssid != "") ? 5 : 0}
          :space-evenly false
       (label :text {
-          (lnetwork == "Disconnected") ? ""
-        : (network_strength == "") ? ""
-        : (network_strength < 20) ? ""
-        : (network_strength < 30) ? ""
-        : (network_strength < 55) ? ""
-        : (network_strength < 80) ? ""
+          (wifi_ssid == "") ? ""
+        : (wifi_strength == "") ? ""
+        : (wifi_strength < 75) ? ""
+        : (wifi_strength < 65) ? ""
+        : (wifi_strength < 60) ? ""
+        : (wifi_strength < 50) ? ""
         : ""}
              :class "base pill-icon")
       (revealer :transition "slideleft"
-                :reveal {network-extended && lnetwork != "Disconnected"}
+                :reveal {network-extended && wifi_ssid != ""}
                 :duration 150
-        (label :text lnetwork
+        (label :text wifi_ssid
                :class "base")))))
 
 (defwidget battery []