containers/garnet: add hosts and correct bind mounts

containers/garnet/configuration.nix

@@ -0,0 +1,34 @@
+{ ... }: {
+  system.stateVersion = "25.11";
+  fileSystems."/var/lib/opencloud" = {
+    device = "/flower/data";
+    fsType = "none";
+    options = [ "bind" ];
+  };
+  fileSystems."/etc/opencloud" = {
+    device = "/persist/cfg";
+    fsType = "none";
+    options = [ "bind" ];
+  };
+  # TODO: hardcoded address
+  networking.extraHosts = ''
+    100.67.2.1 cloud.lava.moe
+  '';
+
+  networking.firewall.allowedTCPPorts = [ 9200 ];
+  networking.firewall.allowedUDPPorts = [ 9200 ];
+
+  environment.etc."opencloud-admin-pass".text = ''
+    IDM_ADMIN_PASSWORD=supersillysecure
+  '';
+  services.opencloud = {
+    enable = true;
+    url = "https://cloud.lava.moe";
+    address = "10.30.7.2";
+    port = 9200;
+    environment = {
+      PROXY_TLS = "false";
+    };
+    environmentFile = "/etc/opencloud-admin-pass";
+  };
+}

containers/garnet/flake.lock

@@ -0,0 +1,27 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1779560665,
+        "narHash": "sha256-tpyBcxPpcQb8ukyNF7DoCwfSY3VPsxHoYwj00Cayv5o=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "64c08a7ca051951c8eae34e3e3cb1e202fe36786",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

containers/garnet/flake.nix

@@ -0,0 +1,77 @@
+{
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+  };
+  outputs = { nixpkgs, ... }:
+  let
+    name = "garnet";
+    fqdn = "cloud.lava.moe";
+    subnetId = "7";
+
+    subnet = x: "fd0d:1::${subnetId}:${toString x}";
+    host = subnet 1;
+    client = subnet 2;
+
+    subnet4 = x: "10.30.${subnetId}.${toString x}";
+    host4 = subnet4 1;
+    client4 = subnet4 2;
+
+    modules = [
+      ./configuration.nix
+      {
+        networking.useHostResolvConf = false;
+        networking.nameservers = [ host ];
+      }
+    ];
+  in {
+    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
+      inherit modules;
+    };
+    nixosModule = { config, ... }: {
+      networking.nat = {
+        enable = true;
+        enableIPv6 = true;
+        internalInterfaces = [ "ve-${name}" ];
+      };
+
+      services.nginx.virtualHosts."${fqdn}" = {
+        useACMEHost = "lava.moe";
+        forceSSL = true;
+        locations."/" = {
+          proxyPass = "http://${client4}:9200";
+          proxyWebsockets = true;
+        };
+        # TODO: hardcoded address
+        listenAddresses = [ "100.67.2.1" ];
+      };
+
+      systemd.tmpfiles.rules = [
+        "d /persist/containers/${name} 755 root users"
+      ];
+      containers.${name} = {
+        autoStart = true;
+        privateNetwork = true;
+        hostAddress = host4;
+        localAddress = client4;
+        hostAddress6 = host;
+        localAddress6 = client;
+        # privateUsers = "pick";
+        nixpkgs = nixpkgs;
+        ephemeral = true;
+        config = { imports = modules; };
+        specialArgs = { inherit fqdn; };
+
+        bindMounts."persist" = {
+          hostPath = "/persist/containers/${name}";
+          mountPoint = "/persist";
+          isReadOnly = false;
+        };
+        bindMounts."content" = {
+          hostPath = "/flower/opencloud";
+          mountPoint = "/flower";
+          isReadOnly = false;
+        };
+      };
+    };
+  };
+}

flake.lock

@@ -128,6 +128,20 @@
       },
       "parent": []
     },
+    "c-garnet": {
+      "inputs": {
+        "nixpkgs": "nixpkgs_9"
+      },
+      "locked": {
+        "path": "./containers/garnet",
+        "type": "path"
+      },
+      "original": {
+        "path": "./containers/garnet",
+        "type": "path"
+      },
+      "parent": []
+    },
     "catppuccin": {
       "inputs": {
         "nixpkgs": "nixpkgs_4"
@@ -595,7 +609,7 @@
       "inputs": {
         "flake-parts": "flake-parts_2",
         "git-hooks": "git-hooks",
-        "nixpkgs": "nixpkgs_9"
+        "nixpkgs": "nixpkgs_10"
       },
       "locked": {
         "lastModified": 1778384395,
@@ -679,6 +693,22 @@
       }
     },
     "nixpkgs_10": {
+      "locked": {
+        "lastModified": 1778274207,
+        "narHash": "sha256-I4puXmX1iovcCHZlRmztO3vW0mAbbRvq4F8wgIMQ1MM=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "b3da656039dc7a6240f27b2ef8cc6a3ef3bccae7",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_11": {
       "locked": {
         "lastModified": 1777954456,
         "narHash": "sha256-hGdgeU2Nk87RAuZyYjyDjFL6LK7dAZN5RE9+hrDTkDU=",
@@ -694,7 +724,7 @@
         "type": "github"
       }
     },
-    "nixpkgs_11": {
+    "nixpkgs_12": {
       "locked": {
         "lastModified": 1770019141,
         "narHash": "sha256-VKS4ZLNx4PNrABoB0L8KUpc1fE7CLpQXQs985tGfaCU=",
@@ -824,16 +854,16 @@
     },
     "nixpkgs_9": {
       "locked": {
-        "lastModified": 1778274207,
-        "narHash": "sha256-I4puXmX1iovcCHZlRmztO3vW0mAbbRvq4F8wgIMQ1MM=",
+        "lastModified": 1779560665,
+        "narHash": "sha256-tpyBcxPpcQb8ukyNF7DoCwfSY3VPsxHoYwj00Cayv5o=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "b3da656039dc7a6240f27b2ef8cc6a3ef3bccae7",
+        "rev": "64c08a7ca051951c8eae34e3e3cb1e202fe36786",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixpkgs-unstable",
+        "ref": "nixos-unstable",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -880,7 +910,7 @@
     "pastel": {
       "inputs": {
         "flake-utils": "flake-utils_2",
-        "nixpkgs": "nixpkgs_11",
+        "nixpkgs": "nixpkgs_12",
         "pnpm2nix": "pnpm2nix"
       },
       "locked": {
@@ -946,6 +976,7 @@
         "c-diamond": "c-diamond",
         "c-emerald": "c-emerald",
         "c-fluorite": "c-fluorite",
+        "c-garnet": "c-garnet",
         "catppuccin": "catppuccin_2",
         "catppuccin-palette": "catppuccin-palette",
         "fast-syntax-highlighting": "fast-syntax-highlighting",
@@ -954,7 +985,7 @@
         "neovim-nightly": "neovim-nightly",
         "nix-gaming": "nix-gaming",
         "nix-index-database": "nix-index-database",
-        "nixpkgs": "nixpkgs_10",
+        "nixpkgs": "nixpkgs_11",
         "nvim-treesitter": "nvim-treesitter",
         "pastel": "pastel",
         "pure": "pure",

flake.nix

@@ -44,6 +44,7 @@
     c-diamond.url = "path:./containers/diamond";
     c-emerald.url = "path:./containers/emerald";
     c-fluorite.url = "path:./containers/fluorite";
+    c-garnet.url = "path:./containers/garnet";
   };
 
   outputs = { self, agenix, catppuccin, nixpkgs, ... } @ inputs:

hosts/alyssum/default.nix

@@ -1,9 +1,10 @@
-{ lib, modules, modulesPath, ... }: {
+{ inputs, modules, modulesPath, ... }: {
   networking.hostName = "alyssum";
   system.stateVersion = "25.11";
   time.timeZone = "Australia/Melbourne";
 
   age.secrets = {
+    acme_dns.file = ../../secrets/acme_dns.age;
     wpa_conf = {
       file = ../../secrets/wpa_conf.age;
       path = "/etc/wpa_supplicant/imperative.conf";
@@ -22,6 +23,10 @@
     security
     tailscale
 
+    modules.services.nginx
+
+    inputs.c-garnet.nixosModule
+
     ./filesystem.nix
     ./kernel.nix
     ./networking.nix

hosts/alyssum/filesystem.nix

@@ -26,6 +26,7 @@ in {
     };
     "/boot" = mkLabelMount "stem" "vfat";
 
+    "/flower" = mkBtrfsMount "myosotis" "/@" true;
     "/nix" = submount "/@/nix" false;
     "/persist" = (submount "/@/persist" true) // { neededForBoot = true; };
     "/persist/.snapshots" = submount "/snap/persist" false;

secrets.nix

@@ -10,7 +10,7 @@ in {
   "secrets/passwd.age".publicKeys = [ anemone blossom rin ];
   "secrets/wpa_conf.age".publicKeys = [ alyssum blossom rin ];
 
-  "secrets/acme_dns.age".publicKeys = [ dandelion hazel rin ];
+  "secrets/acme_dns.age".publicKeys = [ alyssum dandelion hazel rin ];
   "secrets/navidrome_env.age".publicKeys = [ anemone dandelion rin ];
   "secrets/slskd_env.age".publicKeys = [ anemone dandelion rin ];
   "secrets/tailscale_auth.age".publicKeys = [ alyssum anemone blossom dandelion rin ];

secrets/acme_dns.age

@@ -1,10 +1,11 @@
 age-encryption.org/v1
--> ssh-ed25519 bRFqeQ trK7wfJ1fObF70yD3a6axuXaZv/EzzFI7he1dvUajH8
-1C5IrwITtma/um0zUo6by0llVTnla7TBdyRD07azTT8
--> ssh-ed25519 ZAcXHw f+n0WJKTViwizwTIgRpbLGqk458SnuAFVVj5FQS0nwA
-MRinOTxWGwfeg16VWJYD+1Uta+7xF6G9oyqtYSfEq80
--> ssh-ed25519 U9FXlg 24QGfemIAHZYMwroayNJp91fUkbwUF7ACuXIk+7qdBg
-RNGpjxUgfzV/e1Ab/NcA8A0zzxsXU06xmVbLpG3x+iI
---- mekieJNQOl4vcg+hsSOQsFC7mVUZf/oRl/dT7AeTRKg
-ºöHì¦<C3AC>)kñÞ#%3cªQÎÚº¿Ï•žè1?žad|‚쳄ٗ²õo2Š
¡
-Bð)¾ä=ÿZió˜9çpR<70>¦î	ÉKl<>žgû Õž’é
hŒ
+-> ssh-ed25519 kOMSPw vqjZO82kILUQaoD9EwOgnmXKD9IyscgtzP65BVKkGhs
+07f0vL5fSq+EVdJ4n3L/q0tGsh0SVLCueTzbrMQC2ok
+-> ssh-ed25519 bRFqeQ qZAsyhdIY/fg7weEBYfB/WwFBrr/fDRrjt0J/m+57W4
+FOWjbk7efoVdL9WxjWvaZ/0mJrQ4yj0fN/Fa3zztz84
+-> ssh-ed25519 ZAcXHw UHpAQ4nKoGGaZWXVj4UM6uBanOgDpBvG6XdoBvhz6y8
+xF1orqajQxp2QzU/e1sq8lMxz4AQ2Vr5a3wEU55QqyE
+-> ssh-ed25519 U9FXlg n/LPuRDZ7N0VbZYLNr86hH/yRuqd2zFC7Nnpooz8d0o
+aZig/wjd5vitGaJwQ89w2M7fj8fAiqTpdDOmLae74sM
+--- mXuALIh6k4n0cErsTFnwKemo/r2jFG7mGSTz2M8zXF8
+Zr2îŽ.	Òõ~Mú’P€þXŹ1¼)pÌ9Rî–9ªScLzhQü™ßO†Ä0­íH7£•ŽLÌj¦5½
üâÏöÒ\©›l9˜7ÓôçÜ«nœ©¡>¹æ¢