containers/emerald: return 404 on /

containers/emerald: only allow urls under /share
containers/emerald: use correct shareurl format
2026-03-18 01:22:07 +11:00 · 2026-03-18 01:11:20 +11:00 · 2026-03-18 00:07:52 +11:00 · 2026-03-17 23:43:23 +11:00 · 2026-03-17 18:58:49 +11:00 · 2026-03-17 18:57:18 +11:00
15 changed files with 349 additions and 24 deletions
--- a/containers/amethyst/flake.nix
+++ b/containers/amethyst/flake.nix
@ -9,6 +9,7 @@
    nixosModule = { ... }:
    let
      name = "amethyst";
+      fqdn = "amethyst.lava.moe";
      subnet = "1";
    in {
      networking.nat = {
@ -17,7 +18,7 @@
        internalInterfaces = [ "ve-${name}" ];
      };

-      services.nginx.virtualHosts."${name}.local.lava.moe" = {
+      services.nginx.virtualHosts."${fqdn}" = {
        useACMEHost = "lava.moe";
        forceSSL = true;
        locations."/".proxyPass = "http://[fd0d:1::${subnet}:2]:9091";
--- a/containers/beryllium/flake.nix
+++ b/containers/beryllium/flake.nix
@ -9,6 +9,7 @@
    nixosModule = { ... }:
    let
      name = "beryllium";
+      fqdn = "beryllium.lava.moe";
      subnet = "2";
    in {
      networking.nat = {
@ -17,7 +18,7 @@
        internalInterfaces = [ "ve-${name}" ];
      };

-      services.nginx.virtualHosts."${name}.lava.moe" = {
+      services.nginx.virtualHosts."${fqdn}" = {
        useACMEHost = "lava.moe";
        forceSSL = true;
        locations."/".extraConfig = "return 302 'https://lava.moe';";
@ -29,7 +30,7 @@
      services.nginx.virtualHosts."lava.moe" = {
        locations."= /.well-known/matrix/server".extraConfig =
          let
-            server = { "m.server" = "beryllium.lava.moe:443"; };
+            server = { "m.server" = "${fqdn}:443"; };
          in ''
            add_header Content-Type application/json;
            return 200 '${builtins.toJSON server}';
@ -37,7 +38,7 @@
        locations."= /.well-known/matrix/client".extraConfig =
          let
            client = {
-              "m.homeserver" = { "base_url" = "https://beryllium.lava.moe"; };
+              "m.homeserver" = { "base_url" = "https://${fqdn}"; };
              # "m.identity_server" = { "base_url" = "https://vector.im"; };
            };
          in ''
@ -51,8 +52,6 @@
      containers.${name} = {
        autoStart = true;
        privateNetwork = true;
-        hostAddress = "10.30.${subnet}.1";
-        localAddress = "10.30.${subnet}.2";
        hostAddress6 = "fd0d:1::${subnet}:1";
        localAddress6 = "fd0d:1::${subnet}:2";
        # privateUsers = "pick";
--- a/containers/citrine/configuration.nix
+++ b/containers/citrine/configuration.nix
@ -1,4 +1,4 @@
-{ config, lib, ... }: {
+{ config, fqdn, lib, ... }: {
  system.stateVersion = "25.11";
  networking.firewall.allowedTCPPorts = [ 22 3000 ];
  networking.firewall.allowedUDPPorts = [ 22 3000 ];
@ -13,8 +13,8 @@
    settings = {
      DEFAULT.APP_NAME = "Garden";
      server = {
-        DOMAIN = "garden.lava.moe";
-        ROOT_URL = "https://garden.lava.moe/";
+        DOMAIN = fqdn;
+        ROOT_URL = "https://${fqdn}/";
        HTTP_PORT = 3000;
        START_SSH_SERVER = true;
        BUILTIN_SSH_SERVER_USER = "git";
--- a/containers/citrine/flake.nix
+++ b/containers/citrine/flake.nix
@ -6,6 +6,7 @@
  outputs = { nixpkgs, catppuccin, ... }:
  let
    name = "citrine";
+    fqdn = "garden.lava.moe";
    subnetId = "3";

    subnet = x: "fd0d:1::${subnetId}:${toString x}";
@ -35,7 +36,7 @@
        internalInterfaces = [ "ve-${name}" ];
      };

-      services.nginx.virtualHosts."garden.lava.moe" = {
+      services.nginx.virtualHosts."${fqdn}" = {
        useACMEHost = "lava.moe";
        forceSSL = true;
        locations."/".proxyPass = "http://[${client}]:3000";
@ -53,6 +54,7 @@
        nixpkgs = nixpkgs;
        ephemeral = true;
        config = { imports = modules; };
+        specialArgs = { inherit fqdn; };

        bindMounts."persist" = {
          hostPath = "/persist/containers/${name}";
--- a/containers/diamond/configuration.nix
+++ b/containers/diamond/configuration.nix
@ -0,0 +1,22 @@
+{ fqdn, ... }: {
+  system.stateVersion = "25.11";
+  systemd.tmpfiles.rules = [
+    "d /persist/vaultwarden 755 vaultwarden vaultwarden"
+  ];
+  fileSystems."/var/lib/vaultwarden" = {
+    device = "/persist/vaultwarden";
+    fsType = "none";
+    options = [ "bind" ];
+  };
+  networking.firewall.allowedTCPPorts = [ 8000 ];
+  networking.firewall.allowedUDPPorts = [ 8000 ];
+
+  services.vaultwarden = {
+    enable = true;
+    domain = fqdn;
+    config = {
+      DOMAIN = "https://${fqdn}";
+      ROCKET_ADDRESS = "::";
+    };
+  };
+}
--- a/containers/diamond/flake.lock
+++ b/containers/diamond/flake.lock
@ -0,0 +1,27 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1773282481,
+        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
--- a/containers/diamond/flake.nix
+++ b/containers/diamond/flake.nix
@ -0,0 +1,51 @@
+{
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+  };
+  outputs = { nixpkgs, ... }:
+  let
+    name = "diamond";
+    fqdn = "astransia.lava.moe";
+    subnetId = "4";
+
+    subnet = x: "fd0d:1::${subnetId}:${toString x}";
+    host = subnet 1;
+    client = subnet 2;
+
+    modules = [
+      ./configuration.nix
+    ];
+  in {
+    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
+      inherit modules;
+    };
+    nixosModule = { ... }: {
+      services.nginx.virtualHosts."${fqdn}" = {
+        useACMEHost = "lava.moe";
+        forceSSL = true;
+        locations."/".proxyPass = "http://[${client}]:8000";
+        listenAddresses = [ "10.0.0.1" "[fd0d::1]" ];
+      };
+
+      systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
+      containers.${name} = {
+        autoStart = true;
+        privateNetwork = true;
+        hostAddress6 = host;
+        localAddress6 = client;
+        # privateUsers = "pick";
+        nixpkgs = nixpkgs;
+        ephemeral = true;
+        config = { imports = modules; };
+        specialArgs = { inherit fqdn; };
+
+        bindMounts."persist" = {
+          hostPath = "/persist/containers/${name}";
+          mountPoint = "/persist";
+          isReadOnly = false;
+        };
+        # flake = "path:" + ./.;
+      };
+    };
+  };
+}
--- a/containers/diamond/templates/base/footer_content.tmpl
+++ b/containers/diamond/templates/base/footer_content.tmpl
@ -0,0 +1,31 @@
+<footer class="page-footer" role="group" aria-label="{{ctx.Locale.Tr "aria.footer"}}">
+    <div class="left-links" role="contentinfo" aria-label="{{ctx.Locale.Tr "aria.footer.software"}}">
+        {{if ShowFooterPoweredBy}}
+            <a target="_blank" rel="noopener noreferrer" href="https://forgejo.org">Forgejo</a>
+        {{end}}
+        {{if (or .ShowFooterVersion .PageIsAdmin)}}
+            {{if .IsAdmin}}
+                <a href="{{AppSubUrl}}/admin/config">{{AppVerNoMetadata}}</a>
+            {{else}}
+                {{AppVerNoMetadata}}
+            {{end}}
+        {{end}}
+        {{if and .TemplateLoadTimes ShowFooterTemplateLoadTime}}
+            {{ctx.Locale.Tr "page"}}: <strong>{{LoadTimes .PageStartTime}}</strong>
+            {{ctx.Locale.Tr "template"}}{{if .TemplateName}} {{.TemplateName}}{{end}}: <strong>{{call .TemplateLoadTimes}}</strong>
+        {{end}}
+    </div>
+    <div class="right-links" role="group" aria-label="{{ctx.Locale.Tr "aria.footer.links"}}">
+        <div class="ui dropdown upward language">
+            <span class="flex-text-inline">{{svg "octicon-globe" 14}} {{ctx.Locale.LangName}}</span>
+            <div class="menu language-menu">
+                {{range .AllLangs}}
+                    <a lang="{{.Lang}}" data-url="{{AppSubUrl}}/?lang={{.Lang}}" class="item {{if eq ctx.Locale.Lang .Lang}}active selected{{end}}">{{.Name}}</a>
+                {{end}}
+            </div>
+        </div>
+        <a href="{{AssetUrlPrefix}}/licenses.txt">{{ctx.Locale.Tr "licenses"}}</a>
+        {{if .EnableSwagger}}<a href="{{AppSubUrl}}/api/swagger">API</a>{{end}}
+        {{template "custom/extra_links_footer" .}}
+    </div>
+</footer>
--- a/containers/diamond/templates/home.tmpl
+++ b/containers/diamond/templates/home.tmpl
@ -0,0 +1,19 @@
+{{template "base/head" .}}
+{{if not .IsSigned}}
+    <script>window.location.href = "/explore/repos";</script>
+{{end}}
+<div role="main" aria-label="{{if .IsSigned}}{{ctx.Locale.Tr "dashboard"}}{{else}}{{ctx.Locale.Tr "home"}}{{end}}" class="page-content home">
+    <div class="tw-mb-8 tw-px-8">
+        <div class="center">
+            <img class="logo" width="220" height="220" src="{{AssetUrlPrefix}}/img/logo.svg" alt="{{ctx.Locale.Tr "logo"}}">
+            <div class="hero">
+                <h1 class="ui icon header title">
+                    {{AppDisplayName}}
+                </h1>
+                <h2>{{ctx.Locale.Tr "startpage.app_desc"}}</h2>
+            </div>
+        </div>
+    </div>
+    {{template "home_forgejo" .}}
+</div>
+{{template "base/footer" .}}
--- a/containers/emerald/configuration.nix
+++ b/containers/emerald/configuration.nix
@ -0,0 +1,22 @@
+{ fqdn, shareFqdn, ... }: {
+  system.stateVersion = "25.11";
+  systemd.tmpfiles.rules = [
+    "d /persist/music 755 navidrome navidrome"
+    "d /persist/navidrome 755 navidrome navidrome"
+  ];
+  networking.firewall.allowedTCPPorts = [ 4533 ];
+  networking.firewall.allowedUDPPorts = [ 4533 ];
+
+  services.navidrome = {
+    enable = true;
+    settings = {
+      Port = 4533;
+      Address = "[::]";
+      BaseUrl = "https://${fqdn}/";
+      ShareURL = "https://${shareFqdn}";
+      EnableSharing = true;
+      DataFolder = "/persist/navidrome";
+      MusicFolder = "/persist/music";
+    };
+  };
+}
--- a/containers/emerald/flake.lock
+++ b/containers/emerald/flake.lock
@ -0,0 +1,27 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1773282481,
+        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
--- a/containers/emerald/flake.nix
+++ b/containers/emerald/flake.nix
@ -0,0 +1,58 @@
+{
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+  };
+  outputs = { nixpkgs, ... }:
+  let
+    name = "emerald";
+    fqdn = "navia.lava.moe";
+    shareFqdn = "muse.lava.moe";
+    subnetId = "5";
+
+    subnet = x: "fd0d:1::${subnetId}:${toString x}";
+    host = subnet 1;
+    client = subnet 2;
+
+    modules = [
+      ./configuration.nix
+    ];
+  in {
+    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
+      inherit modules;
+    };
+    nixosModule = { ... }: {
+      services.nginx.virtualHosts."${fqdn}" = {
+        useACMEHost = "lava.moe";
+        forceSSL = true;
+        locations."/".proxyPass = "http://[${client}]:4533";
+        listenAddresses = [ "10.0.0.1" "[fd0d::1]" ];
+      };
+      services.nginx.virtualHosts."${shareFqdn}" = {
+        useACMEHost = "lava.moe";
+        forceSSL = true;
+        locations."/".return = "404";
+        locations."/share/".proxyPass = "http://[${client}]:4533";
+      };
+
+      systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
+      containers.${name} = {
+        autoStart = true;
+        privateNetwork = true;
+        hostAddress6 = host;
+        localAddress6 = client;
+        # privateUsers = "pick";
+        nixpkgs = nixpkgs;
+        ephemeral = true;
+        config = { imports = modules; };
+        specialArgs = { inherit fqdn shareFqdn; };
+
+        bindMounts."persist" = {
+          hostPath = "/persist/containers/${name}";
+          mountPoint = "/persist";
+          isReadOnly = false;
+        };
+        # flake = "path:" + ./.;
+      };
+    };
+  };
+}
--- a/flake.lock
+++ b/flake.lock
@ -86,6 +86,34 @@
      },
      "parent": []
    },
+    "c-diamond": {
+      "inputs": {
+        "nixpkgs": "nixpkgs_7"
+      },
+      "locked": {
+        "path": "./containers/diamond",
+        "type": "path"
+      },
+      "original": {
+        "path": "./containers/diamond",
+        "type": "path"
+      },
+      "parent": []
+    },
+    "c-emerald": {
+      "inputs": {
+        "nixpkgs": "nixpkgs_8"
+      },
+      "locked": {
+        "path": "./containers/emerald",
+        "type": "path"
+      },
+      "original": {
+        "path": "./containers/emerald",
+        "type": "path"
+      },
+      "parent": []
+    },
    "catppuccin": {
      "inputs": {
        "nixpkgs": "nixpkgs_5"
@ -491,7 +519,7 @@
    "nix-gaming": {
      "inputs": {
        "flake-parts": "flake-parts_2",
-        "nixpkgs": "nixpkgs_7"
+        "nixpkgs": "nixpkgs_9"
      },
      "locked": {
        "lastModified": 1770778188,
@ -574,6 +602,38 @@
        "type": "github"
      }
    },
+    "nixpkgs_10": {
+      "locked": {
+        "lastModified": 1770562336,
+        "narHash": "sha256-ub1gpAONMFsT/GU2hV6ZWJjur8rJ6kKxdm9IlCT0j84=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "d6c71932130818840fc8fe9509cf50be8c64634f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_11": {
+      "locked": {
+        "lastModified": 1770019141,
+        "narHash": "sha256-VKS4ZLNx4PNrABoB0L8KUpc1fE7CLpQXQs985tGfaCU=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "cb369ef2efd432b3cdf8622b0ffc0a97a02f3137",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1744536153,
@ -656,27 +716,27 @@
    },
    "nixpkgs_7": {
      "locked": {
-        "lastModified": 1770537093,
-        "narHash": "sha256-pF1quXG5wsgtyuPOHcLfYg/ft/QMr8NnX0i6tW2187s=",
+        "lastModified": 1773282481,
+        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "fef9403a3e4d31b0a23f0bacebbec52c248fbb51",
+        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixpkgs-unstable",
+        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_8": {
      "locked": {
-        "lastModified": 1770562336,
-        "narHash": "sha256-ub1gpAONMFsT/GU2hV6ZWJjur8rJ6kKxdm9IlCT0j84=",
+        "lastModified": 1773282481,
+        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "d6c71932130818840fc8fe9509cf50be8c64634f",
+        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
        "type": "github"
      },
      "original": {
@ -688,16 +748,16 @@
    },
    "nixpkgs_9": {
      "locked": {
-        "lastModified": 1770019141,
-        "narHash": "sha256-VKS4ZLNx4PNrABoB0L8KUpc1fE7CLpQXQs985tGfaCU=",
+        "lastModified": 1770537093,
+        "narHash": "sha256-pF1quXG5wsgtyuPOHcLfYg/ft/QMr8NnX0i6tW2187s=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "cb369ef2efd432b3cdf8622b0ffc0a97a02f3137",
+        "rev": "fef9403a3e4d31b0a23f0bacebbec52c248fbb51",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-unstable",
+        "ref": "nixpkgs-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
@ -744,7 +804,7 @@
    "pastel": {
      "inputs": {
        "flake-utils": "flake-utils_2",
-        "nixpkgs": "nixpkgs_9",
+        "nixpkgs": "nixpkgs_11",
        "pnpm2nix": "pnpm2nix"
      },
      "locked": {
@ -807,6 +867,8 @@
        "c-amethyst": "c-amethyst",
        "c-beryllium": "c-beryllium",
        "c-citrine": "c-citrine",
+        "c-diamond": "c-diamond",
+        "c-emerald": "c-emerald",
        "catppuccin": "catppuccin_2",
        "catppuccin-palette": "catppuccin-palette",
        "fast-syntax-highlighting": "fast-syntax-highlighting",
@ -815,7 +877,7 @@
        "neovim-nightly": "neovim-nightly",
        "nix-gaming": "nix-gaming",
        "nix-index-database": "nix-index-database",
-        "nixpkgs": "nixpkgs_8",
+        "nixpkgs": "nixpkgs_10",
        "nvim-treesitter": "nvim-treesitter",
        "pastel": "pastel",
        "pure": "pure",
--- a/flake.nix
+++ b/flake.nix
@ -41,6 +41,8 @@
    c-amethyst.url = "path:./containers/amethyst";
    c-beryllium.url = "path:./containers/beryllium";
    c-citrine.url = "path:./containers/citrine";
+    c-diamond.url = "path:./containers/diamond";
+    c-emerald.url = "path:./containers/emerald";
  };

  outputs = { self, agenix, catppuccin, nixpkgs, ... } @ inputs:
--- a/hosts/dandelion/default.nix
+++ b/hosts/dandelion/default.nix
@ -27,6 +27,8 @@
    inputs.c-amethyst.nixosModule
    inputs.c-beryllium.nixosModule
    inputs.c-citrine.nixosModule
+    inputs.c-diamond.nixosModule
+    inputs.c-emerald.nixosModule

    ./filesystem.nix
    ./kernel.nix
Author	SHA1	Message	Date
Cilly Leang	4ac5640cc4	containers/emerald: return 404 on / Some checks failed CI / Build linux-lava for x86_64-linux (push) Has been cancelled Details	2026-03-18 01:22:07 +11:00
Cilly Leang	4ff7481391	containers/emerald: only allow urls under /share Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-03-18 01:11:20 +11:00
Cilly Leang	39418b8d39	containers/emerald: use correct shareurl format Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details navidrome always add /share at the end :(	2026-03-18 00:07:52 +11:00
Cilly Leang	19c4b1f100	containers/emerald: use alternative share fqdn Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details insane, ssl cert extra domains' wildcard only goes one level deep	2026-03-17 23:43:23 +11:00
Cilly Leang	4bfb5cd5c6	hosts/dandelion: add emerald Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-03-17 18:58:49 +11:00
Cilly Leang	8dc0f8207c	containers/emerald: enable sharing	2026-03-17 18:57:18 +11:00
Cilly Leang	04ca03e50a	containers/emerald: init	2026-03-17 18:13:53 +11:00
Cilly Leang	113a545e0e	containers/diamond: only listen on local addresses Some checks failed CI / Build linux-lava for x86_64-linux (push) Has been cancelled Details TIL nginx will only route via amethyst if it's on local address, even if hostname doesn't match	2026-03-17 17:25:35 +11:00
Cilly Leang	667bbd164f	containers/diamond: listen on ipv6 Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-03-17 17:06:49 +11:00
Cilly Leang	cc8e7058b3	containers: clean up domain names Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-03-17 17:01:15 +11:00
Cilly Leang	2f79c9d6ec	containers/diamond: init Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-03-17 16:00:08 +11:00