containers/garnet: add hosts and correct bind mounts

alyssum/filesystem: add myosotis
containers/garnet: try removing host header
2026-05-29 00:44:13 +10:00 · 2026-05-29 00:43:32 +10:00 · 2026-05-28 23:43:07 +10:00 · 2026-05-28 23:34:25 +10:00 · 2026-05-28 23:27:19 +10:00 · 2026-05-28 23:22:19 +10:00
39 changed files with 159 additions and 358 deletions
--- a/containers/citrine/configuration.nix
+++ b/containers/citrine/configuration.nix
@ -11,7 +11,7 @@
    enable = true;
    lfs.enable = true;
    settings = {
-      DEFAULT.APP_NAME = "cilly's botanical laboratory";
+      DEFAULT.APP_NAME = "Garden";
      server = {
        DOMAIN = fqdn;
        ROOT_URL = "https://${fqdn}/";
@ -34,8 +34,6 @@
      };
      api.ENABLE_SWAGGER = false;
      other.SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
-      repository.ENABLE_PUSH_CREATE_USER = true;
-      repository.ENABLE_PUSH_CREATE_ORG = true;
      service.DISABLE_REGISTRATION = true;
    };
    stateDir = "/persist/forgejo";
--- a/containers/citrine/flake.nix
+++ b/containers/citrine/flake.nix
@ -6,7 +6,7 @@
  outputs = { nixpkgs, catppuccin, ... }:
  let
    name = "citrine";
-    fqdn = "lab.lava.moe";
+    fqdn = "garden.lava.moe";
    subnetId = "3";

    subnet = x: "fd0d:1::${subnetId}:${toString x}";
--- a/containers/emerald/configuration.nix
+++ b/containers/emerald/configuration.nix
@ -16,8 +16,7 @@
      ShareURL = "https://${shareFqdn}";
      EnableSharing = true;
      DataFolder = "/persist/navidrome";
-      MusicFolder = "/binds/music/main";
+      MusicFolder = "/binds/music";
    };
  };
-  systemd.services.navidrome.serviceConfig.BindReadOnlyPaths = ["/binds/music"];
 }
--- a/containers/emerald/flake.nix
+++ b/containers/emerald/flake.nix
@ -9,11 +9,11 @@
    shareFqdn = "muse.lava.moe";
    subnetId = "5";

-    subnet = x: "fd0d:2::${subnetId}:${toString x}";
+    subnet = x: "fd0d:1::${subnetId}:${toString x}";
    host = subnet 1;
    client = subnet 2;

-    subnet4 = x: "10.32.${subnetId}.${toString x}";
+    subnet4 = x: "10.30.${subnetId}.${toString x}";
    host4 = subnet4 1;
    client4 = subnet4 2;

@ -39,7 +39,13 @@
        useACMEHost = "lava.moe";
        forceSSL = true;
        locations."/".proxyPass = "http://[${client}]:4533";
-        listenAddresses = [ "100.67.2.1" ];
+        listenAddresses = [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ];
+      };
+      services.nginx.virtualHosts."${shareFqdn}" = {
+        useACMEHost = "lava.moe";
+        forceSSL = true;
+        locations."/".return = "404";
+        locations."/share/".proxyPass = "http://[${client}]:4533";
      };

      systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
@ -62,7 +68,7 @@
          isReadOnly = false;
        };
        bindMounts."music" = {
-          hostPath = "/flower/media/music";
+          hostPath = "/persist/media/music";
          mountPoint = "/binds/music";
          isReadOnly = true;
        };
--- a/containers/garnet/configuration.nix
+++ b/containers/garnet/configuration.nix
@ -28,8 +28,6 @@
    port = 9200;
    environment = {
      PROXY_TLS = "false";
-      IDP_ACCESS_TOKEN_EXPIRATION = "2592000";
-      IDP_ID_TOKEN_EXPIRATION = "2592000";
    };
    environmentFile = "/etc/opencloud-admin-pass";
  };
--- a/containers/garnet/flake.nix
+++ b/containers/garnet/flake.nix
@ -41,13 +41,6 @@
          proxyPass = "http://${client4}:9200";
          proxyWebsockets = true;
        };
-        extraConfig = ''
-          proxy_read_timeout 3600s;
-          proxy_send_timeout 3600s;
-          keepalive_requests 100000;
-          keepalive_timeout 5m;
-          http2_max_concurrent_streams 512;
-        '';
        # TODO: hardcoded address
        listenAddresses = [ "100.67.2.1" ];
      };
--- a/flake.lock
+++ b/flake.lock
@ -7,11 +7,11 @@
        "rust-overlay": "rust-overlay"
      },
      "locked": {
-        "lastModified": 1779903856,
-        "narHash": "sha256-uRShMtD6xW3ZKZbCQ6sDzKWEnbBXUg3IGfOARYogKhg=",
+        "lastModified": 1777475243,
+        "narHash": "sha256-EiCeDGJewyWq2Mtdt5m8qyo/W5PXVUCacLuZJ/diBQ8=",
        "owner": "ezKEa",
        "repo": "aagl-gtk-on-nix",
-        "rev": "50671fc7f29d686f63ef34b603320d44ad7f2d29",
+        "rev": "12e7b06163456e4c3685ee83b8fdc277fe03bdc8",
        "type": "github"
      },
      "original": {
@ -309,11 +309,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1778716662,
-        "narHash": "sha256-m1Yf0wZ8j1OHjTc2UwHwyQRSnNeSgLJOd7q5Y45hzi4=",
+        "lastModified": 1777988971,
+        "narHash": "sha256-qIoWPDs+0/8JecyYgE3gpKQxW/4bLW/gp45vow9ioCQ=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "f7c1a2d347e4c52d5fb8d10cb4d94b5884e546fb",
+        "rev": "0678d8986be1661af6bb555f3489f2fdfc31f6ff",
        "type": "github"
      },
      "original": {
@ -327,11 +327,11 @@
        "nixpkgs-lib": "nixpkgs-lib"
      },
      "locked": {
-        "lastModified": 1778716662,
-        "narHash": "sha256-m1Yf0wZ8j1OHjTc2UwHwyQRSnNeSgLJOd7q5Y45hzi4=",
+        "lastModified": 1777988971,
+        "narHash": "sha256-qIoWPDs+0/8JecyYgE3gpKQxW/4bLW/gp45vow9ioCQ=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "f7c1a2d347e4c52d5fb8d10cb4d94b5884e546fb",
+        "rev": "0678d8986be1661af6bb555f3489f2fdfc31f6ff",
        "type": "github"
      },
      "original": {
@ -404,11 +404,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1778507602,
-        "narHash": "sha256-kTwur1wV+01SdqskVMSo6JMEpg71ps3HpbFY2GsflKs=",
+        "lastModified": 1776796298,
+        "narHash": "sha256-PcRvlWayisPSjd0UcRQbhG8Oqw78AcPE6x872cPRHN8=",
        "owner": "cachix",
        "repo": "git-hooks.nix",
-        "rev": "61ab0e80d9c7ab14c256b5b453d8b3fb0189ba0a",
+        "rev": "3cfd774b0a530725a077e17354fbdb87ea1c4aad",
        "type": "github"
      },
      "original": {
@ -510,11 +510,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1779969295,
-        "narHash": "sha256-HwIJ3tOcwSMiV75L7KqJXciXR9UfT+d7rwOZMX7cTnA=",
+        "lastModified": 1778365864,
+        "narHash": "sha256-ImoT/wqmgMImf2dAC+E0MverAdA4QXsedOeES9B7Ezw=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "61e2c9659324181e0f0ed911958c536333b1d4f6",
+        "rev": "2f419037039a152448c5f4ae9494154753d1b399",
        "type": "github"
      },
      "original": {
@ -554,11 +554,11 @@
    "linux-tkg": {
      "flake": false,
      "locked": {
-        "lastModified": 1779857514,
-        "narHash": "sha256-dCrVB3cFvv1d/9wuEejYN131b1phyf6SDy1bcEvtWGo=",
+        "lastModified": 1778301982,
+        "narHash": "sha256-M8a1VqhhI3Ii0KFY4n1UdzUIFwZbET+G464cCb5ye5U=",
        "owner": "Frogging-Family",
        "repo": "linux-tkg",
-        "rev": "c9196dea7ee464f7792f94cd39c32431ad9e25ab",
+        "rev": "d20b99557a90663a016f741398098d4d7b3ad119",
        "type": "github"
      },
      "original": {
@ -576,11 +576,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1780013080,
-        "narHash": "sha256-m984DKbcIeNNuLYFjN3780rPEd55Xe9/cB4BNKkIDvg=",
+        "lastModified": 1778371477,
+        "narHash": "sha256-sVlZeFIds47ABfBbAmBLexCFnkE1GIBTNGjAMRh+BfA=",
        "owner": "nix-community",
        "repo": "neovim-nightly-overlay",
-        "rev": "c6cc238427db8f61b786a66d7e02cf7724b30226",
+        "rev": "b9ee678fadf59b3c998e180d62f4cee0641d21d9",
        "type": "github"
      },
      "original": {
@ -592,11 +592,11 @@
    "neovim-src": {
      "flake": false,
      "locked": {
-        "lastModified": 1779979065,
-        "narHash": "sha256-3uF/oP2D4Jka3DU2G8qqml75UOzPRrK+FIp+jghOq0s=",
+        "lastModified": 1778321961,
+        "narHash": "sha256-lrPZ0C+uixk+6jx+maWM998GZaj4lAuicAz/dZHFNBk=",
        "owner": "neovim",
        "repo": "neovim",
-        "rev": "5d85669a33e10f1f156b086562458cbbc8054438",
+        "rev": "b44c2bdd16226f6caa5324d91f1ae9781ffdc12b",
        "type": "github"
      },
      "original": {
@ -612,11 +612,11 @@
        "nixpkgs": "nixpkgs_10"
      },
      "locked": {
-        "lastModified": 1779768228,
-        "narHash": "sha256-/dRavNAx/Mp67xcQQ3JBIMyf0cLoXqKedafB1+wksAE=",
+        "lastModified": 1778384395,
+        "narHash": "sha256-ymn6ivl8RbUK8oevC+aRQ3IY3cB3Jg0dCv7LR5XSBVo=",
        "owner": "fufexan",
        "repo": "nix-gaming",
-        "rev": "6e7a8414c0f547a86646eb0b56ebf89e7cc217a2",
+        "rev": "8368f981774ee25774d016e810d426891174a993",
        "type": "github"
      },
      "original": {
@ -632,11 +632,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1779604987,
-        "narHash": "sha256-ZQ5z+fVhxYKtIFwtqGp5O0PD84BM1riASvqDaN5Xs+s=",
+        "lastModified": 1778240325,
+        "narHash": "sha256-d2HIS7LpfI0lgxiXCXLjxrHl3eIdNvAVexOu0xiM488=",
        "owner": "nix-community",
        "repo": "nix-index-database",
-        "rev": "8fba98c80b48fa013820e0163c5096922fea4ddd",
+        "rev": "dd2d0e3f6ba00af01b9498f5697173bdc2524bee",
        "type": "github"
      },
      "original": {
@ -647,11 +647,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1777268161,
-        "narHash": "sha256-bxrdOn8SCOv8tN4JbTF/TXq7kjo9ag4M+C8yzzIRYbE=",
+        "lastModified": 1770841267,
+        "narHash": "sha256-9xejG0KoqsoKEGp2kVbXRlEYtFFcDTHjidiuX8hGO44=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "1c3fe55ad329cbcb28471bb30f05c9827f724c76",
+        "rev": "ec7c70d12ce2fc37cb92aff673dcdca89d187bae",
        "type": "github"
      },
      "original": {
@ -694,11 +694,11 @@
    },
    "nixpkgs_10": {
      "locked": {
-        "lastModified": 1779536132,
-        "narHash": "sha256-q+fF42iv/geEbHfgSzy3tS0FF/EyD6XTZ98E6yxiBO8=",
+        "lastModified": 1778274207,
+        "narHash": "sha256-I4puXmX1iovcCHZlRmztO3vW0mAbbRvq4F8wgIMQ1MM=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "3d8f0f3f72a6cd4d93d0ad13203f2ea1cb7e1456",
+        "rev": "b3da656039dc7a6240f27b2ef8cc6a3ef3bccae7",
        "type": "github"
      },
      "original": {
@ -710,11 +710,11 @@
    },
    "nixpkgs_11": {
      "locked": {
-        "lastModified": 1779560665,
-        "narHash": "sha256-tpyBcxPpcQb8ukyNF7DoCwfSY3VPsxHoYwj00Cayv5o=",
+        "lastModified": 1777954456,
+        "narHash": "sha256-hGdgeU2Nk87RAuZyYjyDjFL6LK7dAZN5RE9+hrDTkDU=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "64c08a7ca051951c8eae34e3e3cb1e202fe36786",
+        "rev": "549bd84d6279f9852cae6225e372cc67fb91a4c1",
        "type": "github"
      },
      "original": {
@ -953,11 +953,11 @@
    "pure": {
      "flake": false,
      "locked": {
-        "lastModified": 1779255807,
-        "narHash": "sha256-UQ0hP3qJd4Qxiw1LXPdb9d0Dc4OSD3HJpgYzaCfujno=",
+        "lastModified": 1770811375,
+        "narHash": "sha256-Fhk4nlVPS09oh0coLsBnjrKncQGE6cUEynzDO2Skiq8=",
        "owner": "sindresorhus",
        "repo": "pure",
-        "rev": "cc0759a0de620f191510e2e2f9748194a605b54d",
+        "rev": "dbefd0dcafaa3ac7d7222ca50890d9d0c97f7ca2",
        "type": "github"
      },
      "original": {
@ -1007,11 +1007,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1777605393,
-        "narHash": "sha256-Hjp0VOOHgHcTrX23iVvnfAudPcuCmfkfpQNFwv2v/ks=",
+        "lastModified": 1770952264,
+        "narHash": "sha256-CjymNrJZWBtpavyuTkfPVPaZkwzIzGaf0E/3WgcwM14=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "ff88db34cfa486fc4964a6991cab1678d82eee8c",
+        "rev": "ec6a3d5cdf14bb5a1dd03652bd3f6351004d2188",
        "type": "github"
      },
      "original": {
@ -1028,11 +1028,11 @@
        "systems": "systems_5"
      },
      "locked": {
-        "lastModified": 1779824049,
-        "narHash": "sha256-dWHVUjP03KSVG1PaLKA6j9EdxWSxSQvipMUIcSyuA/U=",
+        "lastModified": 1777789800,
+        "narHash": "sha256-XHCvLGu/bEEZRzXVKFu1i+2YB102Nr00n8e7xrzsfVs=",
        "owner": "Gerg-L",
        "repo": "spicetify-nix",
-        "rev": "1362178e5f5f7a848c49fe9dee004ef8824f100a",
+        "rev": "d0e921cc48aab6137d203a3eab19601dc2bdc0c3",
        "type": "github"
      },
      "original": {
@ -1060,11 +1060,11 @@
    "stevenblack-hosts": {
      "flake": false,
      "locked": {
-        "lastModified": 1779976382,
-        "narHash": "sha256-wt5NGa4K8/vda669UYUmTUt+BR9X5fPnuTZFfQdpLYo=",
+        "lastModified": 1778258800,
+        "narHash": "sha256-wTiDXFiBKV4M4jv1JrVLL/kkIyE1FK4qino07BYU5fc=",
        "owner": "StevenBlack",
        "repo": "hosts",
-        "rev": "d3e838712512490260f051150e3573eeebecfadb",
+        "rev": "8ce06e1ed6f063d3d58cf9c980793415085f5d89",
        "type": "github"
      },
      "original": {
--- a/hosts/alyssum/default.nix
+++ b/hosts/alyssum/default.nix
@ -1,12 +1,10 @@
-{ inputs, lib, modules, modulesPath, ... }: {
+{ inputs, modules, modulesPath, ... }: {
  networking.hostName = "alyssum";
  system.stateVersion = "25.11";
  time.timeZone = "Australia/Melbourne";

  age.secrets = {
    acme_dns.file = ../../secrets/acme_dns.age;
-    passwd.file = ../../secrets/passwd.age;
-    navidrome_env.file = ../../secrets/navidrome_env.age;
    wpa_conf = {
      file = ../../secrets/wpa_conf.age;
      path = "/etc/wpa_supplicant/imperative.conf";
@ -26,20 +24,15 @@
    tailscale

    modules.services.nginx
-    modules.services.syncthing

-    inputs.c-emerald.nixosModule
    inputs.c-garnet.nixosModule

    ./filesystem.nix
    ./kernel.nix
    ./networking.nix
-    ./home.syncthing.nix
-    ./samba.nix

    ../../users/hana
  ];

  me.environment = "headless";
-  services.syncthing.user = lib.mkForce "hana";
 }
--- a/hosts/alyssum/home.syncthing.nix
+++ b/hosts/alyssum/home.syncthing.nix
@ -1,39 +0,0 @@
-{ config, lib, ... }:
-let
-  configOn = user: port: {
-    me.binds."/home/${user}/.config/syncthing" = "${user}/syncthing/config";
-    me.binds."/home/${user}/.local/state/syncthing" = "${user}/syncthing/state";
-
-    systemd.tmpfiles.rules = [ "d /flower/syncthing/${user} 700 ${user} users" ];
-
-    users.users.${user} = {
-      hashedPasswordFile = config.age.secrets.passwd.path;
-      isNormalUser = true;
-      linger = true;
-    };
-    home-manager.users.${user} = { ... }: {
-      home = {
-        username = "${user}";
-        homeDirectory = "/home/${user}";
-        stateVersion = "26.05";
-      };
-      services.syncthing = {
-        enable = true;
-        guiAddress = "[::]:${toString port}";
-        overrideDevices = false;
-        overrideFolders = false;
-        settings = {
-          options.listenAddresses = [
-            "tcp://0.0.0.0:2${toString port}"
-            "quic://0.0.0.0:2${toString port}"
-            "dynamic+https://relays.syncthing.net/endpoint"
-          ];
-          defaults.folder.path = "/flower/syncthing/${user}";
-        };
-      };
-    };
-  };
-in lib.mkMerge [
-  (configOn "kujira" 8385)
-  (configOn "cilly" 8386)
-]
--- a/hosts/alyssum/samba.nix
+++ b/hosts/alyssum/samba.nix
@ -1,84 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
-  configOn = user: let
-    passwd_fname = "passwd_smb${user}";
-  in {
-    age.secrets.${passwd_fname}.file = ../../secrets/${passwd_fname}.age;
-    me.binds."/flower/smb/${user}/music" = "/flower/media/music/${user}";
-    me.binds."/flower/smb/${user}/syncthing" = "/flower/syncthing/${user}";
-
-    users.users.${user} = {
-      hashedPasswordFile = config.age.secrets.passwd.path;
-      isNormalUser = true;
-    };
-
-    system.activationScripts = {
-      init_smbpasswd.text = let
-        smbpasswd = "${config.services.samba.package}/bin/smbpasswd";
-      in ''
-        printf "$(cat ${config.age.secrets.${passwd_fname}.path})\n$(cat ${config.age.secrets.${passwd_fname}.path})\n" | ${smbpasswd} -sa ${user}
-      '';
-    };
-    services.samba.settings."${user}" = {
-      "path" = "/flower/smb/${user}";
-      "browseable" = "yes";
-      "read only" = "no";
-      "guest ok" = "no";
-      "create mask" = "0644";
-      "directory mask" = "0755";
-      "force user" = user;
-      "force group" = "users";
-      "valid users" = user;
-    };
-  };
-in lib.mkMerge [
-  (configOn "cilly")
-  (configOn "kujira")
-  {
-    me.binds."/flower/smb/kujira/opencloud" = "/flower/opencloud/data/storage/users/users/a8e29fc0-673c-4c67-be00-2442904acb43";
-
-    networking.firewall.allowPing = true;
-
-    services.samba = {
-      enable = true;
-      package = pkgs.samba4Full;
-      openFirewall = true;
-      settings = {
-        global = {
-          "server smb encrypt" = "required";
-          "workgroup" = "WORKGROUP";
-          "server string" = "smbnix";
-          "netbios name" = "smbnix";
-          "security" = "user";
-          "hosts allow" = "100.64.0.0/10 127.0.0.1 alyssum localhost";
-          "hosts deny" = "0.0.0.0/0";
-          "guest account" = "nobody";
-          "map to guest" = "bad user";
-        };
-        "public" = {
-          "path" = "/flower/smb/public";
-          "browseable" = "yes";
-          "read only" = "no";
-          "guest ok" = "yes";
-          "create mask" = "0644";
-          "directory mask" = "0755";
-          "force user" = "hana";
-          "force group" = "users";
-        };
-      };
-    };
-
-    services.samba-wsdd = {
-      enable = true;
-      openFirewall = true;
-    };
-
-    services.avahi = {
-      enable = true;
-      openFirewall = true;
-      nssmdns4 = true;
-      publish.enable = true;
-      publish.userServices = true;
-    };
-  }
-]
--- a/hosts/dandelion/default.nix
+++ b/hosts/dandelion/default.nix
@ -5,6 +5,7 @@

  age.secrets = {
    acme_dns.file = ../../secrets/acme_dns.age;
+    navidrome_env.file = ../../secrets/navidrome_env.age;
    slskd_env.file = ../../secrets/slskd_env.age;
    wg_dandelion.file = ../../secrets/wg_dandelion.age;
  };
@ -30,12 +31,12 @@
    inputs.c-beryllium.nixosModule
    inputs.c-citrine.nixosModule
    inputs.c-diamond.nixosModule
+    inputs.c-emerald.nixosModule
    inputs.c-fluorite.nixosModule

    ./filesystem.nix
    ./kernel.nix
    ./networking.nix
-    ./nginx.nix

    ../../users/hana
  ];
--- a/hosts/dandelion/filesystem.nix
+++ b/hosts/dandelion/filesystem.nix
@ -22,7 +22,7 @@ in {
    "/" = {
      device = "rootfs";
      fsType = "tmpfs";
-      options = [ "defaults" "size=6G" "mode=755" ];
+      options = [ "defaults" "size=12G" "mode=755" ];
    };
    "/boot" = mkLabelMount "UEFI" "vfat";

--- a/hosts/dandelion/nginx.nix
+++ b/hosts/dandelion/nginx.nix
@ -1,8 +0,0 @@
-{ ... }: {
-  services.nginx.virtualHosts."muse.lava.moe" = {
-    useACMEHost = "lava.moe";
-    forceSSL = true;
-    locations."/".return = "404";
-    locations."/share/".proxyPass = "http://[fd0d:2::5:2]:4533";
-  };
-}
--- a/hosts/hyacinth/default.nix
+++ b/hosts/hyacinth/default.nix
@ -18,7 +18,6 @@
    bluetooth
    ccache
    corectrl
-    docker
    flatpak
    greetd
    gui
@ -29,7 +28,6 @@
    printing
    security
    snapper
-    tailscale
    wireguard

    modules.services.syncthing
--- a/hosts/hyacinth/packages.nix
+++ b/hosts/hyacinth/packages.nix
@ -1,6 +1,5 @@
 { pkgs, ... }: {
  environment.systemPackages = with pkgs; [
-    discord
    jetbrains.idea
    texliveFull
  ];
--- a/modules/binds.nix
+++ b/modules/binds.nix
@ -1,13 +0,0 @@
-{ config, lib, ...}: {
-  imports = [ ./options.nix ];
-  fileSystems = lib.mapAttrs (dest: key: let
-    target = if (lib.strings.hasPrefix "/" key)
-      then key
-      else "/persist/binds/${key}";
-  in {
-    depends = [ "/persist" ];
-    device = target;
-    fsType = "none";
-    options = [ "bind" ];
-  }) config.me.binds;
-}
--- a/modules/default.nix
+++ b/modules/default.nix
@ -14,7 +14,6 @@ let
    }) paths
  );
 in {
-  binds = ./binds.nix;
  options = ./options.nix;
  services = mkAttrsFromPaths [
    ./services/banksia.nix
--- a/modules/options.nix
+++ b/modules/options.nix
@ -44,10 +44,5 @@ in {
      type = types.bool;
      default = false;
    };
-
-    binds = lib.mkOption {
-      type = with lib.types; attrsOf str;
-      default = {};
-    };
  };
 }
--- a/modules/services/banksia.nix
+++ b/modules/services/banksia.nix
@ -4,7 +4,7 @@
    "banksia.lava.moe" = {
      useACMEHost = "lava.moe";
      forceSSL = true;
-      locations."/".return = "302 https://lab.lava.moe/cilly/Banksia";
+      locations."/".return = "302 https://github.com/cillynder/Banksia";
      locations."/api".proxyPass = "http://localhost:8080/";
    };
  };
--- a/modules/services/syncthing.nix
+++ b/modules/services/syncthing.nix
@ -1,8 +1,7 @@
 { config, ... }:
 let
  dir = "/persist/shared/.syncthing";
-  user = if config.me.gui then "rin" else "hana";
-  uid = toString config.users.users."${user}".uid;
+  uid = toString config.users.users.rin.uid;
  gid = toString config.users.groups.users.gid;
 in
 {
@ -14,10 +13,9 @@ in
  services.syncthing = {
    enable = true;
    openDefaultPorts = true;
-    user = user;
+    user = "rin";
    group = "users";
    dataDir = "/persist/shared/.syncthing/data";
    configDir = "/persist/shared/.syncthing/config";
-    guiAddress = if config.me.gui then "127.0.0.1:8384" else ":8384";
  };
 }
--- a/modules/system/base.nix
+++ b/modules/system/base.nix
@ -1,5 +1,5 @@
 { config, inputs, modules, ... }: {
-  imports = [ modules.binds modules.options ];
+  imports = [ modules.options ];

  environment.etc = {
    "machine-id".source = "/persist/machine-id";
--- a/modules/system/input.nix
+++ b/modules/system/input.nix
@ -6,19 +6,7 @@
        "-arinterval 15"
      ];
    };
+    xkb.options = "caps:escape";
  };
-  services.keyd = {
-    enable = true;
-    keyboards = {
-      default = {
-        ids = [ "*" ];
-        settings = {
-          main = {
-            capslock = "esc";
-            esc = "capslock";
-          };
-        };
-      };
-    };
-  };
+  console.useXkbConfig = true;
 }
--- a/modules/system/nix.nix
+++ b/modules/system/nix.nix
@ -1,6 +1,5 @@
-{ config, inputs, pkgs, ... }: {
+{ config, lib, pkgs, ... }: {
  nix = {
-    nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
    package = pkgs.nixVersions.latest;

    settings = rec {
--- a/modules/system/packages.nix
+++ b/modules/system/packages.nix
@ -16,6 +16,7 @@
    neovim
    nfs-utils
    ntfs3g
+    oci-cli
    ripgrep
    rsync
    sshfs
--- a/modules/system/security.nix
+++ b/modules/system/security.nix
@ -49,7 +49,7 @@
        {
          groups = [ "wheel" ];
          keepEnv = true;
-          persist = true;
+          persist = config.me.environment != "laptop";
        }
      ];
    };
--- a/modules/system/tailscale.nix
+++ b/modules/system/tailscale.nix
@ -1,9 +1,5 @@
-{ config, lib, ... }: {
+{ config, ... }: {
  age.secrets.tailscale_auth.file = ../../secrets/tailscale_auth.age;
-  me.binds."/var/lib/tailscale" = "tailscale";
-  networking.firewall.trustedInterfaces = [ "tailscale0" ];
-  networking.firewall.allowedUDPPorts = lib.mkIf (config.me.environment == "headless") [ 123 ];
-
  services.tailscale = {
    enable = true;
    authKeyFile = config.age.secrets.tailscale_auth.path;
--- a/modules/user/eww.nix
+++ b/modules/user/eww.nix
@ -21,9 +21,9 @@ let
    '';
  };
 in {
-  home.packages = with pkgs; [ iw socat ];
+  home.packages = with pkgs; [ socat ];
  programs.eww = {
    enable = true;
+    configDir = res;
  };
-  xdg.configFile."eww".source = res;
 }
--- a/modules/user/git.nix
+++ b/modules/user/git.nix
@ -10,7 +10,6 @@
      user.email = "mini@cilly.moe";
      core.abbrev = 11;
      safe.directory = "/home/rin/Projects/flakes";
-      init.defaultBranch = "master";
    };
  };
 }
--- a/modules/user/neovim.nix
+++ b/modules/user/neovim.nix
@ -1,9 +1,9 @@
-{ config, lib, pkgs, sysConfig, ... }:
+{ config, lib, pkgs, ... }:
 let
  luaconf = pkgs.writeText "config.lua"
    (lib.replaceStrings
-      ["{{OMNISHARP_PATH}}" "{{DART_PATH}}" "{{CATPPUCCIN_FLAVOUR}}" "{{USERNAME}}" "{{HOSTNAME}}"]
-      ["${pkgs.omnisharp-roslyn}/bin/OmniSharp" "${pkgs.dart}/bin/dart" config.catppuccin.nvim.flavor config.home.username sysConfig.networking.hostName]
+      ["{{OMNISHARP_PATH}}" "{{DART_PATH}}" "{{CATPPUCCIN_FLAVOUR}}"]
+      ["${pkgs.omnisharp-roslyn}/bin/OmniSharp" "${pkgs.dart}/bin/dart" config.catppuccin.nvim.flavor]
      (builtins.readFile ../../res/config.lua));
 in {
  systemd.user.tmpfiles.rules = [
@ -21,7 +21,6 @@ in {
    withRuby = false;

    extraPackages = with pkgs; [
-      nixd
      rust-analyzer
      texlab
      astro-language-server
--- a/packages/linux-lava/sources.nix
+++ b/packages/linux-lava/sources.nix
@ -1,8 +1,8 @@
 { fetchFromGitHub, inputs, lib }:
 let
-  version = "7.0.10";
+  version = "7.0.5";
  kernelHash = "1w4i705i0nl1xqv7fdhdbhy7j3xrzhl31fabs6vmgiw7nf06szxv";
-  kernelPatchHash = "0h7gxqcnww7sj5cdyblzj04775zhavwdylkm2pm91v6xkjbnz1zj";
+  kernelPatchHash = "15a173sx7nw4qkp45f5ksnqd3a1flhpiq3zzsa6gzzcww433hm8d";

  mm = lib.versions.majorMinor version;
  hasPatch = (builtins.length (builtins.splitVersion version)) == 3;
--- a/res/config.lua
+++ b/res/config.lua
@ -108,18 +108,18 @@ require('lualine').setup {
 -- many thanks to @kristijanhusak
 -- https://github.com/nvim-treesitter/nvim-treesitter/issues/1167#issuecomment-920824125
 function _G.javascript_indent()
-    local line = vim.fn.getline(vim.v.lnum)
-    local prev_line = vim.fn.getline(vim.v.lnum - 1)
-    if line:match('^%s*[%*/]%s*') then
-        if prev_line:match('^%s*%*%s*') then
-            return vim.fn.indent(vim.v.lnum - 1)
-        end
-        if prev_line:match('^%s*/%*%*%s*$') then
-            return vim.fn.indent(vim.v.lnum - 1) + 1
-        end
+  local line = vim.fn.getline(vim.v.lnum)
+  local prev_line = vim.fn.getline(vim.v.lnum - 1)
+  if line:match('^%s*[%*/]%s*') then
+    if prev_line:match('^%s*%*%s*') then
+      return vim.fn.indent(vim.v.lnum - 1)
    end
+    if prev_line:match('^%s*/%*%*%s*$') then
+      return vim.fn.indent(vim.v.lnum - 1) + 1
+    end
+  end

-    return vim.fn['GetJavascriptIndent']()
+  return vim.fn['GetJavascriptIndent']()
 end

 vim.cmd('au FileType javascript setlocal indentexpr=v:lua.javascript_indent()')
@ -157,17 +157,22 @@ vim.api.nvim_create_autocmd("LspAttach", {
    end
 })

-vim.diagnostic.config({
-    focusable = false,
-    virtual_text = false,
-    underline = true,
-    signs = true,
-    update_in_insert = true
-})
+vim.lsp.handlers["textDocument/publishDiagnostics"] = vim.lsp.with(
+    vim.lsp.diagnostic.on_publish_diagnostics, {
+        focusable = false,
+        virtual_text = false,
+        underline = true,
+        signs = true,
+        update_in_insert = true
+    }
+)
+vim.lsp.handlers["textDocument/signatureHelp"] = vim.lsp.with(
+    vim.lsp.handlers.signature_help, { focusable = false }
+)

 capabilities = require('cmp_nvim_lsp').default_capabilities(capabilities)

-local servers = { 'astro', 'clangd', 'cssls', 'html', 'tailwindcss', 'texlab', 'ts_ls', 'yamlls' }
+local servers = { 'astro', 'clangd', 'cssls', 'html', 'nil_ls', 'tailwindcss', 'texlab', 'ts_ls', 'yamlls' }
 for _, lsp in ipairs(servers) do
    vim.lsp.config(lsp, {
        capabilities = capabilities,
@ -292,32 +297,6 @@ vim.lsp.config("diagnosticls", {
 })
 vim.lsp.enable("diagnosticls")

-- LSP/nixd
-vim.lsp.config("nixd", {
-  cmd = { "nixd" },
-  filetypes = { "nix" },
-  root_markers = { "flake.nix", ".git" },
-  settings = {
-    nixd = {
-      nixpkgs = {
-        expr = "import <nixpkgs> { }",
-      },
-      formatting = {
-        command = { "nixfmt" },
-      },
-      options = {
-        nixos = {
-          expr = '(builtins.getFlake (toString ./.)).nixosConfigurations.{{HOSTNAME}}.options',
-        },
-        home_manager = {
-          expr = '(builtins.getFlake (builtins.toString ./.)).nixosConfigurations."{{USERNAME}}@{{HOSTNAME}}".options.home-manager.users.type.getSubOptions []',
-        },
-      },
-    },
-  },
-})
-vim.lsp.enable("nixd")
-
 -- LSP/Signatures
 require("lsp_signature").setup {
    hint_enable = false,
--- a/res/eww/eww.yuck
+++ b/res/eww/eww.yuck
@ -1,5 +1,4 @@
 (defwindow mainbar :monitor 0
-
                   :geometry (geometry :x "0%"
                                       :y "0%"
                                       :width "100%"
@ -40,15 +39,14 @@
  `cat /sys/class/power_supply/_BAT_PATH_/capacity`)
 (defpoll pbat_status :interval "1s" :run-while bat-enabled
  `cat /sys/class/power_supply/_BAT_PATH_/status`)
-(defpoll wifi_ssid :interval "1s" :run-while wifi-enabled
-  `iwctl station wlan0 show | grep "Connected network" | awk '{print $3}'`)
-(defpoll wifi_strength :interval "1s" :run-while wifi-enabled
-  `iw dev wlan0 link | awk '/signal/ {gsub("-",""); print $2}'`)
+(defpoll network_strength :interval "1s" :run-while wifi-enabled
+  `nmcli -f IN-USE,SIGNAL device wifi | grep '*' | tr -d -c 0-9`)
 (defpoll bluetooth_device :interval "1s" :run-while bt-enabled
  `bluetoothctl devices Connected | grep Device | cut -d" " -f3-`)
 (defpoll bluetooth_device_count :interval "1s" :run-while bt-enabled
  `bluetoothctl devices Connected | wc -l`)

+(deflisten lnetwork :initial "" :run-while wifi-enabled "./scripts/network.sh")
 (deflisten ltitle :initial "" "./scripts/title.sh")
 (deflisten lworkspaces :initial "[]" "./scripts/workspaces.sh")
 (deflisten lcurrent_workspace :initial "1" "./scripts/active-workspace.sh")
@ -109,22 +107,22 @@
 (defwidget network []
  (button :onclick `eww update network-extended=${network-extended ? "false" : "true"}`
    (box :orientation "horizontal"
-         :class {"widget pill" + ((network-extended && wifi_ssid != "") ? " extended" : "")}
-         :spacing {(network-extended && wifi_ssid != "") ? 5 : 0}
+         :class {"widget pill" + ((network-extended && lnetwork != "Disconnected") ? " extended" : "")}
+         :spacing {(network-extended && lnetwork != "Disconnected") ? 5 : 0}
         :space-evenly false
      (label :text {
-          (wifi_ssid == "") ? ""
-        : (wifi_strength == "") ? ""
-        : (wifi_strength < 75) ? ""
-        : (wifi_strength < 65) ? ""
-        : (wifi_strength < 60) ? ""
-        : (wifi_strength < 50) ? ""
+          (lnetwork == "Disconnected") ? ""
+        : (network_strength == "") ? ""
+        : (network_strength < 20) ? ""
+        : (network_strength < 30) ? ""
+        : (network_strength < 55) ? ""
+        : (network_strength < 80) ? ""
        : ""}
             :class "base pill-icon")
      (revealer :transition "slideleft"
-                :reveal {network-extended && wifi_ssid != ""}
+                :reveal {network-extended && lnetwork != "Disconnected"}
                :duration 150
-        (label :text wifi_ssid
+        (label :text lnetwork
               :class "base")))))

 (defwidget battery []
--- a/res/eww/scripts/network.sh
+++ b/res/eww/scripts/network.sh
@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+init=$(nmcli -t -f name,device connection show --active | grep wlp1s0 | cut -d\: -f1)
+
+if [[ -z $init ]]; then
+    echo Disconnected
+else
+    echo $init
+fi
+
+nmcli monitor | while read -r line ; do
+    if [[ $line == *"is now the primary connection" ]]; then
+        conn=$(echo $line | cut -d\' -f2)
+        echo $conn
+    fi
+    if [[ $line == "There's no primary connection" ]]; then
+        echo Disconnected
+    fi
+done
--- a/secrets.nix
+++ b/secrets.nix
@ -7,13 +7,11 @@ let

  rin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPru5eTBvHJ4ZmrrzPRHCGM09wQP/ZHSaKYalDuBVO15";
 in {
-  "secrets/passwd.age".publicKeys = [ alyssum anemone blossom rin ];
-  "secrets/passwd_smbcilly.age".publicKeys = [ alyssum rin ];
-  "secrets/passwd_smbkujira.age".publicKeys = [ alyssum rin ];
+  "secrets/passwd.age".publicKeys = [ anemone blossom rin ];
  "secrets/wpa_conf.age".publicKeys = [ alyssum blossom rin ];

  "secrets/acme_dns.age".publicKeys = [ alyssum dandelion hazel rin ];
-  "secrets/navidrome_env.age".publicKeys = [ alyssum dandelion rin ];
+  "secrets/navidrome_env.age".publicKeys = [ anemone dandelion rin ];
  "secrets/slskd_env.age".publicKeys = [ anemone dandelion rin ];
  "secrets/tailscale_auth.age".publicKeys = [ alyssum anemone blossom dandelion rin ];
  "secrets/warden_admin.age".publicKeys = [ rin ];
--- a/secrets/navidrome_env.age
+++ b/secrets/navidrome_env.age
--- a/secrets/passwd.age
+++ b/secrets/passwd.age
--- a/secrets/passwd_smbcilly.age
+++ b/secrets/passwd_smbcilly.age
@ -1,7 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 kOMSPw CQaXT9/nw3NGD2/H/ctSQGXIoacgjfKQ24wkpEieLSQ
-i4xEXgWGQ7xgQyaDQQIeDuiCLjA6Le23qSnv8C1cbcI
-> ssh-ed25519 U9FXlg GL4dCSCku/FA6ipb9XI1AxO4lhm2r/1lRAeqaGrB32o
-+pPgqwnoPi3wJLobTimVMj0rng+XRapRG6jTYFXSsDM
--- eVgn3ON19pqq+L832bqlbkHUQXdaTI+LfSL4bYfEdew
-Æ*Œl\ÈWç!J7E/´»îò"f@%\ìüÏ[¨òj8fÓ¶›ž
--- a/secrets/passwd_smbkujira.age
+++ b/secrets/passwd_smbkujira.age
@ -1,7 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 kOMSPw Kn+LPMoyOrVwI/nrGgnxgVA3D+tVY9Tccg/Yx/jL+E8
-IfWiSBh7KgNvgcHlcDzfdcB9nxm1zy12Ae7AGm39fdE
-> ssh-ed25519 U9FXlg 6eIIGEIYDo02FBsgBnwbuOeR8t4xB6jSmLfIL73UCDg
-QOc0ddunQQcVEVD20DKKpn3wZWUSveFJSUTBnv+xnNk
--- MjN2i0FNzbUpBGUDNgWGXrRsYl2gtsQX+JlzZV/fYdw
-TÎ <ç‘R#d<>Ä†ÌŽlLkáN¦½º8´cÃ_N¬)±ŠT
--- a/users/rin/packages.nix
+++ b/users/rin/packages.nix
@ -15,25 +15,19 @@ in {
    ffmpeg
    gnupg
    kitty
+    nil
    nodejs_latest
    pamixer
    pnpm
-    unrar
-    yt-dlp
-  ] ++ lib.optionals (config.me.environment == "desktop") [
-    krita
-    lutris
-    mangohud
-    inputs.nix-gaming.packages.x86_64-linux.osu-lazer-bin
    qmk
-    tetrio-desktop
-    tor-browser
-    virt-manager
-    winetricks
+    unrar
+    weechat
+    yt-dlp
  ] ++ lib.optionals config.me.gui [
    android-studio
    brightnessctl
    drawio
+    element-desktop
    evince
    eww
    feh
@ -42,9 +36,17 @@ in {
    gamescope
    gimp3
    grim
+    jetbrains.gateway
+    #kotatogram-desktop
+    krita
    lm_sensors
+    lutris
+    insomnia
    maim
+    mangohud
    me.psensor
+    inputs.nix-gaming.packages.x86_64-linux.osu-lazer-bin
+    # inputs.nix-gaming.packages.x86_64-linux.wine-osu
    obsidian
    pavucontrol
    (prismlauncher.override {
@ -58,9 +60,13 @@ in {
    screenkey
    slurp
    swaybg
+    tetrio-desktop
    texliveFull
+    tor-browser
    transmission-remote-gtk
    vesktop
+    virt-manager
+    winetricks
    zathura
    zenity
Author	SHA1	Message	Date
Cilly Leang	4e0be8131d	containers/garnet: add hosts and correct bind mounts Some checks failed CI / Build linux-lava for x86_64-linux (push) Has been cancelled Details	2026-05-29 00:44:13 +10:00
Cilly Leang	947af464c4	alyssum/filesystem: add myosotis	2026-05-29 00:43:32 +10:00
Cilly Leang	0e693f0780	containers/garnet: try removing host header Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-05-28 23:43:07 +10:00
Cilly Leang	752025b9a8	containers/garnet: move back to listen addrs Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-05-28 23:34:25 +10:00
Cilly Leang	e9fc7754aa	containers/garnet: use ipv4 for proxy Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-05-28 23:27:19 +10:00
Cilly Leang	58a7650715	containers/garnet: remove stray sv and set address to local ip Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-05-28 23:22:19 +10:00
Cilly Leang	25c8f389e8	hosts/alyssum: enable nginx Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-05-28 23:10:40 +10:00
Cilly Leang	4ab35c6f51	containers/garnet: better ip filtering Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-05-28 23:04:35 +10:00
Cilly Leang	1295d3f916	hosts/alyssum: enable garnet	2026-05-28 23:02:40 +10:00
Cilly Leang	ef490d82f7	containers/garnet: init Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-05-28 23:01:43 +10:00