alyssum/samba: bind music

containers/emerald: bind music directory
containers/emerald: change mounts
2026-06-19 09:12:52 +10:00 · 2026-06-19 09:03:39 +10:00 · 2026-06-19 08:57:22 +10:00 · 2026-06-19 08:01:17 +10:00 · 2026-06-19 07:36:13 +10:00 · 2026-06-17 21:22:03 +10:00
215 changed files with 6688 additions and 13700 deletions
--- a/.git-crypt/.gitattributes
+++ b/.git-crypt/.gitattributes
@ -0,0 +1,4 @@
 # Do not edit this file.  To specify the files to encrypt, create your own
 # .gitattributes file in the directory where your files are.
 * !filter !diff
 *.gpg binary
--- a/.git-crypt/keys/default/0/059F098EBF0E9A13E10A46BF6500251E087653C9.gpg
+++ b/.git-crypt/keys/default/0/059F098EBF0E9A13E10A46BF6500251E087653C9.gpg
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1 @@
 secrets.gcrypt/** filter=git-crypt diff=git-crypt
--- a/.github/screenshots/desktop.png
+++ b/.github/screenshots/desktop.png
--- a/.github/screenshots/neovim.png
+++ b/.github/screenshots/neovim.png
--- a/.github/workflows/autoupdate.yml
+++ b/.github/workflows/autoupdate.yml
@ -0,0 +1,50 @@
 name: Auto update
 on:
  workflow_dispatch:
  schedule:
    - cron: "0 0 * * *"
 jobs:
  update:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          token: ${{ secrets.PAT_TOKEN }}
      - name: Check for updates
        id: check
        run: |
          local=$(cat flake.lock | jq ".nodes.nixpkgs.locked.rev")
          remote=$(curl "https://api.github.com/repos/NixOS/nixpkgs/branches/nixos-unstable/commits?per_page=1" | jq ".commit.sha")
          if [[ $local == $remote ]]; then
            echo "skip=1" >> "$GITHUB_OUTPUT"
          else
            echo "skip=0" >> "$GITHUB_OUTPUT"
            branch=$(TZ='Australia/Melbourne' date '+staging_auto/%Y%m%d')
            echo "branch_name=${branch}" >> "$GITHUB_OUTPUT"
          fi
      - name: Install nix
        if: steps.check.outputs.skip == 0
        uses: cachix/install-nix-action@v31
      - name: Configure git
        if: steps.check.outputs.skip == 0
        run: |
          git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git config --local user.name "github-actions[bot]"
      - name: Update
        if: steps.check.outputs.skip == 0
        run: ./update.sh
      - name: Push
        if: steps.check.outputs.skip == 0
        uses: ad-m/github-push-action@master
        with:
          github_token: ${{ secrets.PAT_TOKEN }}
          branch: ${{ steps.check.outputs.branch_name }}
--- a/.github/workflows/cachix.yml
+++ b/.github/workflows/cachix.yml
@ -1,35 +1,28 @@
-name: Cachix build
+name: CI
 on:
  push:
  workflow_dispatch:
 jobs:
-  linux:
+  build:
-    name: Build Linux
+    name: Build linux-lava for x86_64-linux
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2.3.4
+      # credits to https://github.com/easimon/maximize-build-space/issues/45
-      - uses: cachix/install-nix-action@v13
+      - name: Remove unneeded packages to maximise build space
        shell: bash
        run: |
            df -h
            sudo rm -rf /usr/share/dotnet
            sudo rm -rf /usr/local/lib/android
            df -h
      - uses: actions/checkout@v4
        with:
-          install_url: https://github.com/numtide/nix-flakes-installer/releases/download/nix-3.0pre20201007_5257a25/install
+          fetch-depth: 0
-          extra_nix_config: experimental-features = nix-command flakes
+      - uses: cachix/install-nix-action@v31
-      - uses: cachix/cachix-action@v10
+      - uses: cachix/cachix-action@v16
        with:
          name: lava
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
      - run: nix build -L .#linux-lava
  wine:
    name: Build Wine
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2.3.4
      - uses: cachix/install-nix-action@v13
        with:
          install_url: https://github.com/numtide/nix-flakes-installer/releases/download/nix-3.0pre20201007_5257a25/install
          extra_nix_config: experimental-features = nix-command flakes
      - uses: cachix/cachix-action@v10
        with:
          name: lava
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
      - run: nix build -L .#wine-osu
--- a/.github/workflows/image.yml
+++ b/.github/workflows/image.yml
@ -0,0 +1,31 @@
 name: Build images
 on:
  workflow_dispatch:
 jobs:
  build:
    runs-on: ubuntu-latest
    name: Build caramel-img
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - uses: dbhi/qus/action@main
        with:
          targets: arm aarch64
      - uses: cachix/install-nix-action@v17
        with:
          install_url: https://github.com/numtide/nix-unstable-installer/releases/download/nix-2.12.0pre20220930_89ca75c/install
          extra_nix_config: |
            extra-platforms = aarch64-linux arm-linux
            experimental-features = nix-command flakes
      - uses: cachix/cachix-action@v10
        with:
          name: lava
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
      - run: nix build -L .#packages.aarch64-linux.caramel-img
      - uses: actions/upload-artifact@v3
        with:
          name: caramel-sd-image
          path: result/sd-image/*
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
 result
--- a/README.md
+++ b/README.md
@ -0,0 +1,31 @@
 # flakes
 My NixOS config!
 ![Desktop](.github/screenshots/desktop.png?raw=true)
 ![Neovim](.github/screenshots/neovim.png?raw=true)
 ## Usage
 I recommend more that you only simply look at the modules as inspiration for your own config. Some of them
 may or may not work on your machine if copied directly (but theoretically they should).
 But if you insist, just copy-paste one of the hosts in `hosts/`, one of the users in `users/`, and modify them
 to your liking. Open up `flake.nix`, add your new host config at the bottom, and then build it!
 ## Hosts
 | Name      | Description |
 | -------   | ----------- |
 | hyacinth  | Main Desktop PC |
 | anemone   | Main Laptop |
 | caramel   | Raspberry Pi 400, stateless |
 | dandelion | ARM OCI VPS, stateless |
 ## Users
 | Name | Description |
 | ---- | ----------- |
 | rin  | Main user for general usage |
 | hana | Lightweight user intended for inspecting stateless hosts |
 ## License
 Licensed under CC0
 Credit is appreciated but not necessary
--- a/containers/amethyst/configuration.nix
+++ b/containers/amethyst/configuration.nix
@ -0,0 +1,47 @@
 { lib, pkgs, ... }: {
  system.stateVersion = "23.11";
  systemd.tmpfiles.rules = [
    "d /persist/transmission 755 transmission transmission"
    "d /persist/transmission/.config/transmission-daemon 750 transmission transmission"
    "d /persist/transmission/.incomplete 750 transmission transmission"
    "d /persist/transmission/Downloads 755 transmission transmission"
    "d /persist/transmission/watchdir 755 transmission transmission"
  ];
  networking.wg-quick.interfaces.wg0 = {
    configFile = "/persist/vpn.conf";
    preUp = ''
          # Try to access the DNS for up to 300s
          for i in {1..60}; do
            ${pkgs.iputils}/bin/ping -c1 'google.com' && break
            echo "Attempt $i: DNS still not available"
            sleep 5s
          done
    '';
  };
  # https://github.com/NixOS/nixpkgs/issues/258793
  systemd.services.transmission.serviceConfig = {
    BindReadOnlyPaths = lib.mkForce [ builtins.storeDir "/etc" ];
    RootDirectoryStartOnly = lib.mkForce false;
    RootDirectory = lib.mkForce "";
    PrivateMounts = lib.mkForce false;
    PrivateUsers = lib.mkForce false;
  };
  networking.firewall.allowedTCPPorts = [ 9091 ];
  services.transmission = {
    enable = true;
    package = pkgs.transmission_4;
    downloadDirPermissions = "775";
    openFirewall = true;
    home = "/persist/transmission";
    settings = {
      ratio-limit-enabled = true;
      rpc-bind-address = "0.0.0.0";
      rpc-enabled = true;
      rpc-port = 9091;
      rpc-host-whitelist-enabled = false;
      rpc-whitelist-enabled = false;
    };
  };
 }
--- a/containers/amethyst/flake.lock
+++ b/containers/amethyst/flake.lock
@ -0,0 +1,27 @@
 {
  "nodes": {
    "nixpkgs": {
      "locked": {
        "lastModified": 1773282481,
        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "nixpkgs": "nixpkgs"
      }
    }
  },
  "root": "root",
  "version": 7
 }
--- a/containers/amethyst/flake.nix
+++ b/containers/amethyst/flake.nix
@ -0,0 +1,51 @@
 {
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
  };
  outputs = { nixpkgs, ... }: {
    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
      modules = [ ./configuration.nix ];
    };
    nixosModule = { ... }:
    let
      name = "amethyst";
      fqdn = "amethyst.lava.moe";
      subnet = "1";
    in {
      networking.nat = {
        enable = true;
        enableIPv6 = true;
        internalInterfaces = [ "ve-${name}" ];
      };
      services.nginx.virtualHosts."${fqdn}" = {
        useACMEHost = "lava.moe";
        forceSSL = true;
        #locations."/".proxyPass = "http://[fd0d:1::${subnet}:2]:9091";
        locations."/".proxyPass = "http://10.30.${subnet}.2:9091";
        listenAddresses = [ "10.0.0.1" "[fd0d::1]" ];
      };
      systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
      containers.${name} = {
        autoStart = true;
        privateNetwork = true;
        hostAddress = "10.30.${subnet}.1";
        localAddress = "10.30.${subnet}.2";
        hostAddress6 = "fd0d:1::${subnet}:1";
        localAddress6 = "fd0d:1::${subnet}:2";
        # privateUsers = "pick";
        nixpkgs = nixpkgs;
        ephemeral = true;
        config = { imports = [ ./configuration.nix ]; };
        bindMounts."persist" = {
          hostPath = "/persist/containers/${name}";
          mountPoint = "/persist";
          isReadOnly = false;
        };
        # flake = "path:" + ./.;
      };
    };
  };
 }
--- a/containers/beryllium/configuration.nix
+++ b/containers/beryllium/configuration.nix
@ -0,0 +1,23 @@
 { ... }: {
  system.stateVersion = "25.11";
  fileSystems."/var/lib/private" = {
    device = "/persist";
    fsType = "none";
    options = [ "bind" ];
  };
  networking.firewall.allowedTCPPorts = [ 6167 ];
  networking.firewall.allowedUDPPorts = [ 6167 ];
  # TODO: this should be generically set
  networking.useHostResolvConf = false;
  networking.nameservers = [ "8.8.8.8" ];
  services.matrix-continuwuity = {
    enable = true;
    settings.global = {
      # TODO: link this with outer container's address
      address = [ "10.30.2.2" ];
      server_name = "lava.moe";
      rocksdb_recovery_mode = 2;
    };
  };
 }
--- a/containers/beryllium/flake.lock
+++ b/containers/beryllium/flake.lock
@ -0,0 +1,27 @@
 {
  "nodes": {
    "nixpkgs": {
      "locked": {
        "lastModified": 1773282481,
        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "nixpkgs": "nixpkgs"
      }
    }
  },
  "root": "root",
  "version": 7
 }
--- a/containers/beryllium/flake.nix
+++ b/containers/beryllium/flake.nix
@ -0,0 +1,69 @@
 {
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
  };
  outputs = { nixpkgs, ... }: {
    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
      modules = [ ./configuration.nix ];
    };
    nixosModule = { ... }:
    let
      name = "beryllium";
      fqdn = "beryllium.lava.moe";
      subnet = "2";
    in {
      networking.nat = {
        enable = true;
        enableIPv6 = true;
        internalInterfaces = [ "ve-${name}" ];
      };
      services.nginx.virtualHosts."${fqdn}" = {
        useACMEHost = "lava.moe";
        forceSSL = true;
        locations."/".extraConfig = "return 302 'https://lava.moe';";
        locations."/_matrix".proxyPass = "http://10.30.${subnet}.2:6167";
        locations."/_conduwuit".proxyPass = "http://10.30.${subnet}.2:6167";
        locations."/_continuwuity".proxyPass = "http://10.30.${subnet}.2:6167";
      };
      services.nginx.virtualHosts."lava.moe" = {
        locations."= /.well-known/matrix/server".extraConfig =
          let
            server = { "m.server" = "${fqdn}:443"; };
          in ''
            add_header Content-Type application/json;
            return 200 '${builtins.toJSON server}';
          '';
        locations."= /.well-known/matrix/client".extraConfig =
          let
            client = {
              "m.homeserver" = { "base_url" = "https://${fqdn}"; };
              # "m.identity_server" = { "base_url" = "https://vector.im"; };
            };
          in ''
            add_header Content-Type application/json;
            add_header Access-Control-Allow-Origin *;
            return 200 '${builtins.toJSON client}';
          '';
      };
      systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
      containers.${name} = {
        autoStart = true;
        privateNetwork = true;
        hostAddress = "10.30.${subnet}.1";
        localAddress = "10.30.${subnet}.2";
        nixpkgs = nixpkgs;
        ephemeral = true;
        config = { imports = [ ./configuration.nix ]; };
        bindMounts."persist" = {
          hostPath = "/persist/containers/${name}";
          mountPoint = "/persist";
          isReadOnly = false;
        };
      };
    };
  };
 }
--- a/containers/citrine/configuration.nix
+++ b/containers/citrine/configuration.nix
@ -0,0 +1,53 @@
 { config, fqdn, lib, ... }: {
  system.stateVersion = "25.11";
  networking.firewall.allowedTCPPorts = [ 22 3000 ];
  networking.firewall.allowedUDPPorts = [ 22 3000 ];
  systemd.tmpfiles.rules = [
    "L+ /persist/forgejo/custom/templates - - - - ${./templates}"
  ];
  services.forgejo = {
    enable = true;
    lfs.enable = true;
    settings = {
      DEFAULT.APP_NAME = "cilly's botanical laboratory";
      server = {
        DOMAIN = fqdn;
        ROOT_URL = "https://${fqdn}/";
        HTTP_PORT = 3000;
        START_SSH_SERVER = true;
        BUILTIN_SSH_SERVER_USER = "git";
        SSH_DOMAIN = "git.lava.moe";
        SSH_SERVER_KEY_EXCHANGES = "mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256";
      };
      ui = lib.mkForce {
        DEFAULT_THEME = "catppuccin-maroon-auto";
        THEMES = lib.strings.concatMapStringsSep "," (x: "${x}-auto") [
          "catppuccin-pink"
          "catppuccin-maroon"
          "catppuccin-flamingo"
          "catppuccin-rosewater"
          "forgejo"
          "gitea"
        ];
      };
      api.ENABLE_SWAGGER = false;
      other.SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
      repository.ENABLE_PUSH_CREATE_USER = true;
      repository.ENABLE_PUSH_CREATE_ORG = true;
      service.DISABLE_REGISTRATION = true;
    };
    stateDir = "/persist/forgejo";
  };
  systemd.services.forgejo.serviceConfig = {
    AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
    CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
    PrivateUsers = lib.mkForce false;
  };
  catppuccin.forgejo.enable = true;
  environment.systemPackages = [ config.services.forgejo.package ];
 }
--- a/containers/citrine/flake.lock
+++ b/containers/citrine/flake.lock
@ -0,0 +1,62 @@
 {
  "nodes": {
    "catppuccin": {
      "inputs": {
        "nixpkgs": "nixpkgs"
      },
      "locked": {
        "lastModified": 1773403535,
        "narHash": "sha256-47MZaFrHxNO8tVUAmtVnerXUw2WWVluBOiU9MulN/yM=",
        "owner": "catppuccin",
        "repo": "nix",
        "rev": "d45b5665cc638bad1b794350de02f4dd41b0bb47",
        "type": "github"
      },
      "original": {
        "owner": "catppuccin",
        "repo": "nix",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1773122722,
        "narHash": "sha256-FIqHByVqxCprNjor1NqF80F2QQoiiyqanNNefdlvOg4=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "62dc67aa6a52b4364dd75994ec00b51fbf474e50",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1773282481,
        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "catppuccin": "catppuccin",
        "nixpkgs": "nixpkgs_2"
      }
    }
  },
  "root": "root",
  "version": 7
 }
--- a/containers/citrine/flake.nix
+++ b/containers/citrine/flake.nix
@ -0,0 +1,68 @@
 {
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    catppuccin.url = "github:catppuccin/nix";
  };
  outputs = { nixpkgs, catppuccin, ... }:
  let
    name = "citrine";
    fqdn = "lab.lava.moe";
    subnetId = "3";
    subnet = x: "fd0d:1::${subnetId}:${toString x}";
    host = subnet 1;
    client = subnet 2;
    subnet4 = x: "10.30.${subnetId}.${toString x}";
    host4 = subnet4 1;
    client4 = subnet4 2;
    modules = [
      ./configuration.nix
      catppuccin.nixosModules.catppuccin
      {
        networking.useHostResolvConf = false;
        networking.nameservers = [ host ];
      }
    ];
  in {
    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
      inherit modules;
    };
    nixosModule = { ... }: {
      networking.nat = {
        enable = true;
        enableIPv6 = true;
        internalInterfaces = [ "ve-${name}" ];
      };
      services.nginx.virtualHosts."${fqdn}" = {
        useACMEHost = "lava.moe";
        forceSSL = true;
        locations."/".proxyPass = "http://[${client}]:3000";
      };
      systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
      containers.${name} = {
        autoStart = true;
        privateNetwork = true;
        hostAddress = host4;
        localAddress = client4;
        hostAddress6 = host;
        localAddress6 = client;
        # privateUsers = "pick";
        nixpkgs = nixpkgs;
        ephemeral = true;
        config = { imports = modules; };
        specialArgs = { inherit fqdn; };
        bindMounts."persist" = {
          hostPath = "/persist/containers/${name}";
          mountPoint = "/persist";
          isReadOnly = false;
        };
        # flake = "path:" + ./.;
      };
    };
  };
 }
--- a/containers/citrine/templates/base/footer_content.tmpl
+++ b/containers/citrine/templates/base/footer_content.tmpl
@ -0,0 +1,31 @@
 <footer class="page-footer" role="group" aria-label="{{ctx.Locale.Tr "aria.footer"}}">
    <div class="left-links" role="contentinfo" aria-label="{{ctx.Locale.Tr "aria.footer.software"}}">
        {{if ShowFooterPoweredBy}}
            <a target="_blank" rel="noopener noreferrer" href="https://forgejo.org">Forgejo</a>
        {{end}}
        {{if (or .ShowFooterVersion .PageIsAdmin)}}
            {{if .IsAdmin}}
                <a href="{{AppSubUrl}}/admin/config">{{AppVerNoMetadata}}</a>
            {{else}}
                {{AppVerNoMetadata}}
            {{end}}
        {{end}}
        {{if and .TemplateLoadTimes ShowFooterTemplateLoadTime}}
            {{ctx.Locale.Tr "page"}}: <strong>{{LoadTimes .PageStartTime}}</strong>
            {{ctx.Locale.Tr "template"}}{{if .TemplateName}} {{.TemplateName}}{{end}}: <strong>{{call .TemplateLoadTimes}}</strong>
        {{end}}
    </div>
    <div class="right-links" role="group" aria-label="{{ctx.Locale.Tr "aria.footer.links"}}">
        <div class="ui dropdown upward language">
            <span class="flex-text-inline">{{svg "octicon-globe" 14}} {{ctx.Locale.LangName}}</span>
            <div class="menu language-menu">
                {{range .AllLangs}}
                    <a lang="{{.Lang}}" data-url="{{AppSubUrl}}/?lang={{.Lang}}" class="item {{if eq ctx.Locale.Lang .Lang}}active selected{{end}}">{{.Name}}</a>
                {{end}}
            </div>
        </div>
        <a href="{{AssetUrlPrefix}}/licenses.txt">{{ctx.Locale.Tr "licenses"}}</a>
        {{if .EnableSwagger}}<a href="{{AppSubUrl}}/api/swagger">API</a>{{end}}
        {{template "custom/extra_links_footer" .}}
    </div>
 </footer>
--- a/containers/citrine/templates/home.tmpl
+++ b/containers/citrine/templates/home.tmpl
@ -0,0 +1,19 @@
 {{template "base/head" .}}
 {{if not .IsSigned}}
    <script>window.location.href = "/explore/repos";</script>
 {{end}}
 <div role="main" aria-label="{{if .IsSigned}}{{ctx.Locale.Tr "dashboard"}}{{else}}{{ctx.Locale.Tr "home"}}{{end}}" class="page-content home">
    <div class="tw-mb-8 tw-px-8">
        <div class="center">
            <img class="logo" width="220" height="220" src="{{AssetUrlPrefix}}/img/logo.svg" alt="{{ctx.Locale.Tr "logo"}}">
            <div class="hero">
                <h1 class="ui icon header title">
                    {{AppDisplayName}}
                </h1>
                <h2>{{ctx.Locale.Tr "startpage.app_desc"}}</h2>
            </div>
        </div>
    </div>
    {{template "home_forgejo" .}}
 </div>
 {{template "base/footer" .}}
--- a/containers/diamond/configuration.nix
+++ b/containers/diamond/configuration.nix
@ -0,0 +1,22 @@
 { fqdn, ... }: {
  system.stateVersion = "25.11";
  systemd.tmpfiles.rules = [
    "d /persist/vaultwarden 755 vaultwarden vaultwarden"
  ];
  fileSystems."/var/lib/vaultwarden" = {
    device = "/persist/vaultwarden";
    fsType = "none";
    options = [ "bind" ];
  };
  networking.firewall.allowedTCPPorts = [ 8000 ];
  networking.firewall.allowedUDPPorts = [ 8000 ];
  services.vaultwarden = {
    enable = true;
    domain = fqdn;
    config = {
      DOMAIN = "https://${fqdn}";
      ROCKET_ADDRESS = "::";
    };
  };
 }
--- a/containers/diamond/flake.lock
+++ b/containers/diamond/flake.lock
@ -0,0 +1,27 @@
 {
  "nodes": {
    "nixpkgs": {
      "locked": {
        "lastModified": 1773282481,
        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "nixpkgs": "nixpkgs"
      }
    }
  },
  "root": "root",
  "version": 7
 }
--- a/containers/diamond/flake.nix
+++ b/containers/diamond/flake.nix
@ -0,0 +1,51 @@
 {
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
  };
  outputs = { nixpkgs, ... }:
  let
    name = "diamond";
    fqdn = "astransia.lava.moe";
    subnetId = "4";
    subnet = x: "fd0d:1::${subnetId}:${toString x}";
    host = subnet 1;
    client = subnet 2;
    modules = [
      ./configuration.nix
    ];
  in {
    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
      inherit modules;
    };
    nixosModule = { ... }: {
      services.nginx.virtualHosts."${fqdn}" = {
        useACMEHost = "lava.moe";
        forceSSL = true;
        locations."/".proxyPass = "http://[${client}]:8000";
        listenAddresses = [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ];
      };
      systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
      containers.${name} = {
        autoStart = true;
        privateNetwork = true;
        hostAddress6 = host;
        localAddress6 = client;
        # privateUsers = "pick";
        nixpkgs = nixpkgs;
        ephemeral = true;
        config = { imports = modules; };
        specialArgs = { inherit fqdn; };
        bindMounts."persist" = {
          hostPath = "/persist/containers/${name}";
          mountPoint = "/persist";
          isReadOnly = false;
        };
        # flake = "path:" + ./.;
      };
    };
  };
 }
--- a/containers/emerald/configuration.nix
+++ b/containers/emerald/configuration.nix
@ -0,0 +1,23 @@
 { fqdn, shareFqdn, ... }: {
  system.stateVersion = "25.11";
  systemd.tmpfiles.rules = [
    "d /persist/navidrome 755 navidrome navidrome"
  ];
  networking.firewall.allowedTCPPorts = [ 4533 ];
  networking.firewall.allowedUDPPorts = [ 4533 ];
  services.navidrome = {
    enable = true;
    environmentFile = "/binds/navidrome_env";
    settings = {
      Port = 4533;
      Address = "[::]";
      BaseUrl = "https://${fqdn}/";
      ShareURL = "https://${shareFqdn}";
      EnableSharing = true;
      DataFolder = "/persist/navidrome";
      MusicFolder = "/binds/music/main";
    };
  };
  systemd.services.navidrome.serviceConfig.BindReadOnlyPaths = ["/binds/music"];
 }
--- a/containers/emerald/flake.lock
+++ b/containers/emerald/flake.lock
@ -0,0 +1,27 @@
 {
  "nodes": {
    "nixpkgs": {
      "locked": {
        "lastModified": 1773282481,
        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "nixpkgs": "nixpkgs"
      }
    }
  },
  "root": "root",
  "version": 7
 }
--- a/containers/emerald/flake.nix
+++ b/containers/emerald/flake.nix
@ -0,0 +1,78 @@
 {
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
  };
  outputs = { nixpkgs, ... }:
  let
    name = "emerald";
    fqdn = "navia.lava.moe";
    shareFqdn = "muse.lava.moe";
    subnetId = "5";
    subnet = x: "fd0d:2::${subnetId}:${toString x}";
    host = subnet 1;
    client = subnet 2;
    subnet4 = x: "10.32.${subnetId}.${toString x}";
    host4 = subnet4 1;
    client4 = subnet4 2;
    modules = [
      ./configuration.nix
      {
        networking.useHostResolvConf = false;
        networking.nameservers = [ host ];
      }
    ];
  in {
    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
      inherit modules;
    };
    nixosModule = { config, ... }: {
      networking.nat = {
        enable = true;
        enableIPv6 = true;
        internalInterfaces = [ "ve-${name}" ];
      };
      services.nginx.virtualHosts."${fqdn}" = {
        useACMEHost = "lava.moe";
        forceSSL = true;
        locations."/".proxyPass = "http://[${client}]:4533";
        listenAddresses = [ "100.67.2.1" ];
      };
      systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
      containers.${name} = {
        autoStart = true;
        privateNetwork = true;
        hostAddress = host4;
        localAddress = client4;
        hostAddress6 = host;
        localAddress6 = client;
        # privateUsers = "pick";
        nixpkgs = nixpkgs;
        ephemeral = true;
        config = { imports = modules; };
        specialArgs = { inherit fqdn shareFqdn; };
        bindMounts."persist" = {
          hostPath = "/persist/containers/${name}";
          mountPoint = "/persist";
          isReadOnly = false;
        };
        bindMounts."music" = {
          hostPath = "/flower/media/music";
          mountPoint = "/binds/music";
          isReadOnly = true;
        };
        bindMounts."navidrome_env" = {
          hostPath = config.age.secrets.navidrome_env.path;
          mountPoint = "/binds/navidrome_env";
          isReadOnly = true;
        };
        # flake = "path:" + ./.;
      };
    };
  };
 }
--- a/containers/fluorite/configuration.nix
+++ b/containers/fluorite/configuration.nix
@ -0,0 +1,22 @@
 { ... }: {
  system.stateVersion = "25.11";
  systemd.tmpfiles.rules = [
    "d /persist/slskd/Downloads 755 slskd slskd"
  ];
  fileSystems."/var/lib/slskd" = {
    device = "/persist/slskd";
    fsType = "none";
    options = [ "bind" ];
  };
  networking.firewall.allowedTCPPorts = [ 5030 50300 ];
  networking.firewall.allowedUDPPorts = [ 5030 50300 ];
  services.slskd = {
    enable = true;
    domain = null;
    environmentFile = "/binds/slskd_env";
    settings = {
      shares.directories = [ "/binds/music/" ];
    };
  };
 }
--- a/containers/fluorite/flake.lock
+++ b/containers/fluorite/flake.lock
@ -0,0 +1,27 @@
 {
  "nodes": {
    "nixpkgs": {
      "locked": {
        "lastModified": 1773282481,
        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "nixpkgs": "nixpkgs"
      }
    }
  },
  "root": "root",
  "version": 7
 }
--- a/containers/fluorite/flake.nix
+++ b/containers/fluorite/flake.nix
@ -0,0 +1,89 @@
 {
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
  };
  outputs = { nixpkgs, ... }:
  let
    name = "fluorite";
    fqdn = "fluorite.lava.moe";
    subnetId = "6";
    subnet = x: "fd0d:1::${subnetId}:${toString x}";
    host = subnet 1;
    client = subnet 2;
    subnet4 = x: "10.30.${subnetId}.${toString x}";
    host4 = subnet4 1;
    client4 = subnet4 2;
    modules = [
      ./configuration.nix
      {
        networking.useHostResolvConf = false;
        networking.nameservers = [ host ];
      }
    ];
  in {
    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
      inherit modules;
    };
    nixosModule = { config, ... }: {
      networking.nat = {
        enable = true;
        enableIPv6 = true;
        internalInterfaces = [ "ve-${name}" ];
      };
      networking.firewall.allowedTCPPorts = [ 50300 ];
      services.nginx.virtualHosts."${fqdn}" = {
        useACMEHost = "lava.moe";
        forceSSL = true;
        locations."/".proxyPass = "http://[${client}]:5030";
        listenAddresses = [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ];
      };
      systemd.tmpfiles.rules = [
        "d /persist/containers/${name} 755 root users"
        "d /persist/media/music 075 nobody users"
      ];
      containers.${name} = {
        autoStart = true;
        privateNetwork = true;
        hostAddress = host4;
        localAddress = client4;
        hostAddress6 = host;
        localAddress6 = client;
        # privateUsers = "pick";
        nixpkgs = nixpkgs;
        ephemeral = true;
        config = { imports = modules; };
        specialArgs = { inherit fqdn; };
        forwardPorts = [
          {
            containerPort = 50300;
            hostPort = 50300;
            protocol = "tcp";
          }
        ];
        bindMounts."persist" = {
          hostPath = "/persist/containers/${name}";
          mountPoint = "/persist";
          isReadOnly = false;
        };
        bindMounts."music" = {
          hostPath = "/persist/media/music";
          mountPoint = "/binds/music";
          isReadOnly = true;
        };
        bindMounts."slskd_env" = {
          hostPath = config.age.secrets.slskd_env.path;
          mountPoint = "/binds/slskd_env";
          isReadOnly = true;
        };
        # flake = "path:" + ./.;
      };
    };
  };
 }
--- a/containers/garnet/configuration.nix
+++ b/containers/garnet/configuration.nix
@ -0,0 +1,36 @@
 { ... }: {
  system.stateVersion = "25.11";
  fileSystems."/var/lib/opencloud" = {
    device = "/flower/data";
    fsType = "none";
    options = [ "bind" ];
  };
  fileSystems."/etc/opencloud" = {
    device = "/persist/cfg";
    fsType = "none";
    options = [ "bind" ];
  };
  # TODO: hardcoded address
  networking.extraHosts = ''
    100.67.2.1 cloud.lava.moe
  '';
  networking.firewall.allowedTCPPorts = [ 9200 ];
  networking.firewall.allowedUDPPorts = [ 9200 ];
  environment.etc."opencloud-admin-pass".text = ''
    IDM_ADMIN_PASSWORD=supersillysecure
  '';
  services.opencloud = {
    enable = true;
    url = "https://cloud.lava.moe";
    address = "10.30.7.2";
    port = 9200;
    environment = {
      PROXY_TLS = "false";
      IDP_ACCESS_TOKEN_EXPIRATION = "2592000";
      IDP_ID_TOKEN_EXPIRATION = "2592000";
    };
    environmentFile = "/etc/opencloud-admin-pass";
  };
 }
--- a/containers/garnet/flake.lock
+++ b/containers/garnet/flake.lock
@ -0,0 +1,27 @@
 {
  "nodes": {
    "nixpkgs": {
      "locked": {
        "lastModified": 1779560665,
        "narHash": "sha256-tpyBcxPpcQb8ukyNF7DoCwfSY3VPsxHoYwj00Cayv5o=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "64c08a7ca051951c8eae34e3e3cb1e202fe36786",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "nixpkgs": "nixpkgs"
      }
    }
  },
  "root": "root",
  "version": 7
 }
--- a/containers/garnet/flake.nix
+++ b/containers/garnet/flake.nix
@ -0,0 +1,84 @@
 {
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
  };
  outputs = { nixpkgs, ... }:
  let
    name = "garnet";
    fqdn = "cloud.lava.moe";
    subnetId = "7";
    subnet = x: "fd0d:1::${subnetId}:${toString x}";
    host = subnet 1;
    client = subnet 2;
    subnet4 = x: "10.30.${subnetId}.${toString x}";
    host4 = subnet4 1;
    client4 = subnet4 2;
    modules = [
      ./configuration.nix
      {
        networking.useHostResolvConf = false;
        networking.nameservers = [ host ];
      }
    ];
  in {
    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
      inherit modules;
    };
    nixosModule = { config, ... }: {
      networking.nat = {
        enable = true;
        enableIPv6 = true;
        internalInterfaces = [ "ve-${name}" ];
      };
      services.nginx.virtualHosts."${fqdn}" = {
        useACMEHost = "lava.moe";
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://${client4}:9200";
          proxyWebsockets = true;
        };
        extraConfig = ''
          proxy_read_timeout 3600s;
          proxy_send_timeout 3600s;
          keepalive_requests 100000;
          keepalive_timeout 5m;
          http2_max_concurrent_streams 512;
        '';
        # TODO: hardcoded address
        listenAddresses = [ "100.67.2.1" ];
      };
      systemd.tmpfiles.rules = [
        "d /persist/containers/${name} 755 root users"
      ];
      containers.${name} = {
        autoStart = true;
        privateNetwork = true;
        hostAddress = host4;
        localAddress = client4;
        hostAddress6 = host;
        localAddress6 = client;
        # privateUsers = "pick";
        nixpkgs = nixpkgs;
        ephemeral = true;
        config = { imports = modules; };
        specialArgs = { inherit fqdn; };
        bindMounts."persist" = {
          hostPath = "/persist/containers/${name}";
          mountPoint = "/persist";
          isReadOnly = false;
        };
        bindMounts."content" = {
          hostPath = "/flower/opencloud";
          mountPoint = "/flower";
          isReadOnly = false;
        };
      };
    };
  };
 }
--- a/flake.lock
+++ b/flake.lock
--- a/flake.nix
+++ b/flake.nix
@ -1,64 +1,101 @@
 {
  inputs = {
-    nixpkgs = { url = "github:NixOS/nixpkgs/nixos-unstable"; };
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
-    home-manager = { url = "github:LavaDesu/home-manager/xsession-profilePath"; };
+    home-manager.url = "github:nix-community/home-manager";
    secrets = { url = "github:LavaDesu/flakes-secrets"; };
    home-manager.inputs.nixpkgs.follows = "nixpkgs";
    agenix.url = "github:ryantm/agenix";
    agenix.inputs.nixpkgs.follows = "nixpkgs";
    aagl.url = "github:ezKEa/aagl-gtk-on-nix";
    catppuccin.url = "github:catppuccin/nix/8eada392fd6571a747e1c5fc358dd61c14c8704e";
    catppuccin.inputs.nixpkgs.follows = "nixpkgs";
    catppuccin-palette = { url = "github:catppuccin/palette"; flake = false; };
    neovim-nightly.url = "github:nix-community/neovim-nightly-overlay";
    neovim-nightly.inputs.nixpkgs.follows = "nixpkgs";
    nix-gaming.url = "github:fufexan/nix-gaming";
    nix-index-database.url = "github:nix-community/nix-index-database";
    nix-index-database.inputs.nixpkgs.follows = "nixpkgs";
    spicetify-nix.url = "github:Gerg-L/spicetify-nix";
    spicetify-nix.inputs.nixpkgs.follows = "nixpkgs";
    # services
    pastel.url = "github:cillynder/pastel";
    stevenblack-hosts = { url = "github:StevenBlack/hosts"; flake = false; };
    website = { url = "github:cillynder/lavadesu.github.io/master"; flake = false; };
    # zsh plugins
    zsh-abbr = { url = "git+https://github.com/olets/zsh-abbr?submodules=1"; flake = false; };
    zsh-history-substring-search = { url = "github:zsh-users/zsh-history-substring-search"; flake = false; };
    fast-syntax-highlighting = { url = "github:zdharma-continuum/fast-syntax-highlighting"; flake = false; };
    pure = { url = "github:sindresorhus/pure"; flake = false; };
    # overlays
    linux-tkg = { url = "github:Frogging-Family/linux-tkg"; flake = false; };
    nvim-treesitter = { url = "github:nvim-treesitter/nvim-treesitter"; flake = false; };
    spotify-adblock = { url = "github:abba23/spotify-adblock"; flake = false; };
    tree-sitter-jsonc = { url = "gitlab:WhyNotHugo/tree-sitter-jsonc"; flake = false; };
    wine-discord-ipc-bridge = { url = "github:0e4ef622/wine-discord-ipc-bridge"; flake = false; };
    # containers
    c-amethyst.url = "path:./containers/amethyst";
    c-beryllium.url = "path:./containers/beryllium";
    c-citrine.url = "path:./containers/citrine";
    c-diamond.url = "path:./containers/diamond";
    c-emerald.url = "path:./containers/emerald";
    c-fluorite.url = "path:./containers/fluorite";
    c-garnet.url = "path:./containers/garnet";
  };
-  outputs = inputs: with inputs;
+  outputs = { self, agenix, catppuccin, nixpkgs, ... } @ inputs:
    let
-      revCount = "297098";
+      overlays = (import ./overlays)
-      base = { config, ... }: {
+        ++ [(final: prev: {
-        system = {
+          me = prev.callPackage ./packages { inherit inputs; } // { inherit inputs; };
-          configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;
+        })];
-          nixos = rec {
+
-            version = config.system.nixos.release + versionSuffix;
+        patchOverlaysWithLinuxLava = nixpkgs: arch: ([(self: super: {
-            versionSuffix = ".${nixpkgs.lib.substring 0 8 (nixpkgs.lastModifiedDate or nixpkgs.lastModified or "19700101")}.r${revCount}-${nixpkgs.lib.substring 0 11 (nixpkgs.rev or "dirty")}";
+          linuxLavaNixpkgs = import nixpkgs {
            overlays = [ (import ./overlays/linux-lava.nix) ] ++ overlays;
            system = arch;
          };
        })] ++ overlays);
      mkSystem =
        if !(self ? rev) then throw "Dirty git tree detected." else
        nixpkgs: name: arch: extraModules: nixpkgs.lib.nixosSystem {
          system = arch;
          modules = [
            ({
              nixpkgs.overlays = patchOverlaysWithLinuxLava nixpkgs arch;
            })
            agenix.nixosModules.age
            catppuccin.nixosModules.catppuccin
            (./hosts + "/${name}")
          ] ++ extraModules;
          specialArgs = {
            inherit inputs;
            modules = import ./modules { lib = nixpkgs.lib; };
            gcSecrets = builtins.fromJSON (builtins.readFile "${self}/secrets.gcrypt/shared.json");
          };
        nix.registry.nixpkgs.flake = nixpkgs;
        nixpkgs.overlays = builtins.attrValues overlays;
      };
      hm-base = {
        home-manager.useGlobalPkgs = true;
        home-manager.useUserPackages = true;
      };
      overlays = {
        discord = import ./overlays/discord.nix;
        linux = import ./overlays/linux.nix;
        material-icons = import ./overlays/material-icons.nix;
        mps-youtube = import ./overlays/mps-youtube.nix;
        picom = import ./overlays/picom.nix;
        polybar = import ./overlays/polybar.nix;
        transcrypt = import ./overlays/transcrypt.nix;
        winetricks = import ./overlays/winetricks.nix;
        wine-osu = import ./overlays/wine-osu.nix;
        xinit = import ./overlays/xinit.nix;
        };
    in
    {
-      nixosConfigurations."winter" = nixpkgs.lib.nixosSystem {
+      nixosConfigurations."alyssum" = mkSystem nixpkgs "alyssum" "x86_64-linux" [];
-        system = "x86_64-linux";
+      nixosConfigurations."anemone" = mkSystem nixpkgs "anemone" "x86_64-linux" [];
-        modules = [
+      nixosConfigurations."dandelion" = mkSystem nixpkgs "dandelion" "aarch64-linux" [];
-          base
+      nixosConfigurations."hyacinth" = mkSystem nixpkgs "hyacinth" "x86_64-linux" [];
          home-manager.nixosModules.home-manager
          hm-base
          ./hosts/winter
          secrets.nixosModules.winter
        ];
        specialArgs = { inherit overlays; };
      };
-      packages.x86_64-linux =
+      packages."x86_64-linux" =
        let
-          pkgs = import nixpkgs {
+          pkgs = import nixpkgs rec {
-            overlays = builtins.attrValues overlays;
+            overlays = patchOverlaysWithLinuxLava nixpkgs system;
            system = "x86_64-linux";
          };
-        in {
+        in
-          inherit (pkgs) linux-lava wine-osu;
+        {
          inherit (pkgs.me) linux-lava spotify-adblock;
          linux-lava-ccache = pkgs.me.linux-lava.override { useCcache = true; };
        };
    };
 }
--- a/hosts/alyssum/default.nix
+++ b/hosts/alyssum/default.nix
@ -0,0 +1,45 @@
 { inputs, lib, modules, modulesPath, ... }: {
  networking.hostName = "alyssum";
  system.stateVersion = "25.11";
  time.timeZone = "Australia/Melbourne";
  age.secrets = {
    acme_dns.file = ../../secrets/acme_dns.age;
    passwd.file = ../../secrets/passwd.age;
    navidrome_env.file = ../../secrets/navidrome_env.age;
    wpa_conf = {
      file = ../../secrets/wpa_conf.age;
      path = "/etc/wpa_supplicant/imperative.conf";
      symlink = false;
    };
  };
  imports = with modules.system; [
    (modulesPath + "/profiles/qemu-guest.nix")
    home-manager
    base
    kernel
    nix-stable
    packages
    security
    tailscale
    modules.services.nginx
    modules.services.syncthing
    inputs.c-emerald.nixosModule
    inputs.c-garnet.nixosModule
    ./filesystem.nix
    ./kernel.nix
    ./networking.nix
    ./home.syncthing.nix
    ./samba.nix
    ../../users/hana
  ];
  me.environment = "headless";
  services.syncthing.user = lib.mkForce "hana";
 }
--- a/hosts/alyssum/filesystem.nix
+++ b/hosts/alyssum/filesystem.nix
@ -0,0 +1,35 @@
 { ... }:
 let
  bind = src: {
    depends = [ "/nix" ];
    device = src;
    fsType = "none";
    neededForBoot = true;
    options = [ "bind" ];
  };
  mkLabelMount = label: type: {
    device = "/dev/disk/by-label/${label}";
    fsType = type;
    options = [ "defaults" "relatime" ];
  };
  mkBtrfsMount = name: subvol: atime: mkLabelMount name "btrfs" // {
    options = [ "autodefrag" "compress=zstd:3" "defaults" "discard=async" "space_cache=v2" "ssd" "subvol=${subvol}" (if atime then "relatime" else "noatime") ];
  };
  submount = mkBtrfsMount "alyssum";
 in {
  fileSystems = {
    "/" = {
      device = "rootfs";
      fsType = "tmpfs";
      options = [ "defaults" "size=8G" "mode=755" ];
    };
    "/boot" = mkLabelMount "stem" "vfat";
    "/flower" = mkBtrfsMount "myosotis" "/@" true;
    "/nix" = submount "/@/nix" false;
    "/persist" = (submount "/@/persist" true) // { neededForBoot = true; };
    "/persist/.snapshots" = submount "/snap/persist" false;
    "/var/log/journal" = bind "/persist/journal";
  };
 }
--- a/hosts/alyssum/home.syncthing.nix
+++ b/hosts/alyssum/home.syncthing.nix
@ -0,0 +1,39 @@
 { config, lib, ... }:
 let
  configOn = user: port: {
    me.binds."/home/${user}/.config/syncthing" = "${user}/syncthing/config";
    me.binds."/home/${user}/.local/state/syncthing" = "${user}/syncthing/state";
    systemd.tmpfiles.rules = [ "d /flower/syncthing/${user} 700 ${user} users" ];
    users.users.${user} = {
      hashedPasswordFile = config.age.secrets.passwd.path;
      isNormalUser = true;
      linger = true;
    };
    home-manager.users.${user} = { ... }: {
      home = {
        username = "${user}";
        homeDirectory = "/home/${user}";
        stateVersion = "26.05";
      };
      services.syncthing = {
        enable = true;
        guiAddress = "[::]:${toString port}";
        overrideDevices = false;
        overrideFolders = false;
        settings = {
          options.listenAddresses = [
            "tcp://0.0.0.0:2${toString port}"
            "quic://0.0.0.0:2${toString port}"
            "dynamic+https://relays.syncthing.net/endpoint"
          ];
          defaults.folder.path = "/flower/syncthing/${user}";
        };
      };
    };
  };
 in lib.mkMerge [
  (configOn "kujira" 8385)
  (configOn "cilly" 8386)
 ]
--- a/hosts/alyssum/kernel.nix
+++ b/hosts/alyssum/kernel.nix
@ -0,0 +1,12 @@
 { config, lib, ... }: {
  boot = {
    loader = {
      efi.canTouchEfiVariables = true;
      systemd-boot.enable = true;
    };
    initrd.availableKernelModules = [ "nvme" "xhci_pci" "usb_storage" "sd_mod" "rtsx_usb_sdmmc" ];
    initrd.kernelModules = [ ];
    kernelModules = [ "kvm-amd" ];
  };
  hardware.cpu.amd.updateMicrocode = true;
 }
--- a/hosts/alyssum/networking.nix
+++ b/hosts/alyssum/networking.nix
@ -0,0 +1,15 @@
 { config, ... }: {
  networking = {
    useDHCP = true;
    wireless.enable = true;
    interfaces.wlp1s0.useDHCP = false;
    interfaces.wlp1s0.ipv4.addresses = [{
      address = "192.168.1.167";
      prefixLength = 24;
    }];
    defaultGateway = "192.168.1.1";
    nameservers = [ "8.8.8.8" "8.8.4.4" ];
  };
 }
--- a/hosts/alyssum/packages.nix
+++ b/hosts/alyssum/packages.nix
@ -0,0 +1,14 @@
 { pkgs, ... }: {
  environment.systemPackages = with pkgs; [
    git
    htop
    jq
    neovim
    rsync
    sshfs
    wget
    kitty.terminfo
  ];
  environment.variables.EDITOR = "nvim";
 }
--- a/hosts/alyssum/samba.nix
+++ b/hosts/alyssum/samba.nix
@ -0,0 +1,84 @@
 { config, lib, pkgs, ... }:
 let
  configOn = user: let
    passwd_fname = "passwd_smb${user}";
  in {
    age.secrets.${passwd_fname}.file = ../../secrets/${passwd_fname}.age;
    me.binds."/flower/smb/${user}/music" = "/flower/media/music/${user}";
    me.binds."/flower/smb/${user}/syncthing" = "/flower/syncthing/${user}";
    users.users.${user} = {
      hashedPasswordFile = config.age.secrets.passwd.path;
      isNormalUser = true;
    };
    system.activationScripts = {
      init_smbpasswd.text = let
        smbpasswd = "${config.services.samba.package}/bin/smbpasswd";
      in ''
        printf "$(cat ${config.age.secrets.${passwd_fname}.path})\n$(cat ${config.age.secrets.${passwd_fname}.path})\n" | ${smbpasswd} -sa ${user}
      '';
    };
    services.samba.settings."${user}" = {
      "path" = "/flower/smb/${user}";
      "browseable" = "yes";
      "read only" = "no";
      "guest ok" = "no";
      "create mask" = "0644";
      "directory mask" = "0755";
      "force user" = user;
      "force group" = "users";
      "valid users" = user;
    };
  };
 in lib.mkMerge [
  (configOn "cilly")
  (configOn "kujira")
  {
    me.binds."/flower/smb/kujira/opencloud" = "/flower/opencloud/data/storage/users/users/a8e29fc0-673c-4c67-be00-2442904acb43";
    networking.firewall.allowPing = true;
    services.samba = {
      enable = true;
      package = pkgs.samba4Full;
      openFirewall = true;
      settings = {
        global = {
          "server smb encrypt" = "required";
          "workgroup" = "WORKGROUP";
          "server string" = "smbnix";
          "netbios name" = "smbnix";
          "security" = "user";
          "hosts allow" = "100.64.0.0/10 127.0.0.1 alyssum localhost";
          "hosts deny" = "0.0.0.0/0";
          "guest account" = "nobody";
          "map to guest" = "bad user";
        };
        "public" = {
          "path" = "/flower/smb/public";
          "browseable" = "yes";
          "read only" = "no";
          "guest ok" = "yes";
          "create mask" = "0644";
          "directory mask" = "0755";
          "force user" = "hana";
          "force group" = "users";
        };
      };
    };
    services.samba-wsdd = {
      enable = true;
      openFirewall = true;
    };
    services.avahi = {
      enable = true;
      openFirewall = true;
      nssmdns4 = true;
      publish.enable = true;
      publish.userServices = true;
    };
  }
 ]
--- a/hosts/anemone/default.nix
+++ b/hosts/anemone/default.nix
@ -0,0 +1,60 @@
 { config, inputs, modules, overlays, pkgs, ... }: {
  networking.hostName = "anemone";
  system.stateVersion = "23.11";
  time.timeZone = "Australia/Melbourne";
  nixpkgs.overlays = [ inputs.neovim-nightly.overlays.default ];
  age.secrets = {
    wg_anemone.file = ../../secrets/wg_anemone.age;
    passwd.file = ../../secrets/passwd.age;
  };
  imports = with modules.system; [
    home-manager
    audio
    base
    bluetooth
    ccache
    corectrl
    docker
    flatpak
    greetd
    gui
    input
    kernel
    nix
    packages
    printing
    security
    snapper
    tailscale
    wireguard
    ./filesystem.nix
    ./kernel.nix
    ./networking.nix
    ../../users/rin
    modules.services.syncthing
  ];
  me = {
    environment = "laptop";
    batteryDevice = "BATT";
    kbBacklightDevice = "asus::kbd_backlight";
    hasFingerprint = true;
    hidpi = true;
  };
  programs.wireshark = {
    enable = true;
    package = pkgs.wireshark;
  };
  services.fprintd.enable = true;
  services.tlp.enable = true;
  programs.kdeconnect.enable = true;
 }
--- a/hosts/anemone/filesystem.nix
+++ b/hosts/anemone/filesystem.nix
@ -0,0 +1,36 @@
 { config, lib, ... }:
 let
  mkLabelMount = label: type: lazy: {
    device = "/dev/disk/by-label/${label}";
    fsType = type;
    options = [ "defaults" "relatime" ] ++ lib.optionals lazy [ "nofail" ];
  };
  mkBtrfsMount = name: subvol: atime: mkLabelMount name "btrfs" false // {
    options = [ "autodefrag" "compress=zstd:3" "defaults" "discard=async" "space_cache=v2" "ssd" "subvol=${subvol}" (if atime then "relatime" else "noatime") ];
  };
  submount = mkBtrfsMount "Anemone";
 in
 {
  fileSystems = {
    "/" = {
      device = "rootfs";
      fsType = "tmpfs";
      options = [ "defaults" "size=8G" "mode=755" ];
    };
    "/boot" = mkLabelMount "SYSTEM" "vfat" true;
    "/mnt/butter" = submount "/" true;
    "/nix" = submount "/current/snow" false;
    "/home" = submount "/current/home" true;
    "/home/.snapshots" = submount "/snapshot/home" false;
    "/root" = submount "/current/root" false;
    "/var" = submount "/current/var" false;
    "/persist" = {
      depends = [ "/var" ];
      device = "/var/persist";
      fsType = "none";
      options = [ "bind" ];
      neededForBoot = true;
    };
  };
 }
--- a/hosts/anemone/kernel.nix
+++ b/hosts/anemone/kernel.nix
@ -0,0 +1,62 @@
 { config, lib, pkgs, ... }: {
  boot = {
    consoleLogLevel = 0;
    loader = {
      efi.canTouchEfiVariables = true;
      systemd-boot.enable = true;
    };
    initrd = {
      availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
      systemd.enable = true;
      verbose = false;
    };
    kernelModules = [ "kvm-amd" ];
    kernelPackages = lib.mkForce (pkgs.linuxPackagesFor pkgs.me.linux-lava);
    kernelParams = [
      "quiet"
      "console=tty2"
      "systemd.show_status=0"
      "rd.systemd.show_status=0"
      "rd.udev.log_level=3"
      "udev.log_level=3"
      "udev.log_priority=3"
    ];
  };
  # swapDevices = [{
  #   device = "/persist/swapfile";
  #   size = 16 * 1024;
  # }];
  #
  # systemd.sleep.extraConfig = ''
  #   HibernateMode=shutdown
  # '';
  /*
  services.logind.lidSwitch = "suspend-then-hibernate";
  systemd.sleep.extraConfig = ''
    HibernateDelaySec=14400
    SuspendEstimationSec=3600
    HibernateOnACPower=true
  '';
  */
  powerManagement.cpufreq.min = 400000;
  hardware.cpu.amd.updateMicrocode = true;
  hardware.firmware = let
    fw = "${pkgs.linux-firmware}/lib/firmware/cirrus/";
   in [(
    pkgs.runCommandNoCC "cs35l41-10431683" { } ''
      mkdir -p $out/lib/firmware/cirrus
      cd $out/lib/firmware/cirrus
      cp ${fw}/cs35l41-dsp1-spk-prot-10431e12-spkid0-l0.bin cs35l41-dsp1-spk-prot-10431683-spkid0-l0.bin
      cp ${fw}/cs35l41-dsp1-spk-prot-10431e12-spkid0-l0.bin cs35l41-dsp1-spk-prot-10431683-spkid0-r0.bin
      cp ${fw}/cs35l41-dsp1-spk-prot-10431e12-spkid0-l0.bin cs35l41-dsp1-spk-prot-10431683-spkid1-l0.bin
      cp ${fw}/cs35l41-dsp1-spk-prot-10431e12-spkid0-l0.bin cs35l41-dsp1-spk-prot-10431683-spkid1-r0.bin
      cp ${fw}/cs35l41-dsp1-spk-prot-10431e12.wmfw cs35l41-dsp1-spk-prot-10431683.wmfw
    ''
  )];
 }
--- a/hosts/anemone/networking.nix
+++ b/hosts/anemone/networking.nix
@ -0,0 +1,4 @@
 { config, ... }: {
  networking.wireless.iwd.enable = true;
  environment.etc."NetworkManager/system-connections".source = "/persist/nm_system-connections";
 }
--- a/hosts/dandelion/default.nix
+++ b/hosts/dandelion/default.nix
@ -0,0 +1,44 @@
 { inputs, modules, modulesPath, ... }: {
  networking.hostName = "dandelion";
  system.stateVersion = "23.11";
  time.timeZone = "Australia/Melbourne";
  age.secrets = {
    acme_dns.file = ../../secrets/acme_dns.age;
    slskd_env.file = ../../secrets/slskd_env.age;
    wg_dandelion.file = ../../secrets/wg_dandelion.age;
  };
  imports = with modules.system; [
    (modulesPath + "/profiles/qemu-guest.nix")
    home-manager
    base
    kernel
    nix-stable
    packages
    security
    tailscale
    wireguard
    modules.services.banksia
    modules.services.nginx
    modules.services.unbound
    modules.services.website
    inputs.c-amethyst.nixosModule
    inputs.c-beryllium.nixosModule
    inputs.c-citrine.nixosModule
    inputs.c-diamond.nixosModule
    inputs.c-fluorite.nixosModule
    ./filesystem.nix
    ./kernel.nix
    ./networking.nix
    ./nginx.nix
    ../../users/hana
  ];
  me.environment = "headless";
 }
--- a/hosts/dandelion/filesystem.nix
+++ b/hosts/dandelion/filesystem.nix
@ -0,0 +1,34 @@
 { ... }:
 let
  bind = src: {
    depends = [ "/nix" ];
    device = src;
    fsType = "none";
    neededForBoot = true;
    options = [ "bind" ];
  };
  mkLabelMount = label: type: {
    device = "/dev/disk/by-label/${label}";
    fsType = type;
    options = [ "defaults" "relatime" ];
  };
  mkBtrfsMount = name: subvol: atime: mkLabelMount name "btrfs" // {
    options = [ "autodefrag" "compress=zstd:3" "defaults" "discard=async" "space_cache=v2" "ssd" "subvol=${subvol}" (if atime then "relatime" else "noatime") ];
  };
  submount = mkBtrfsMount "DANDELION";
 in {
  fileSystems = {
    "/" = {
      device = "rootfs";
      fsType = "tmpfs";
      options = [ "defaults" "size=6G" "mode=755" ];
    };
    "/boot" = mkLabelMount "UEFI" "vfat";
    "/nix" = submount "/@/nix" false;
    "/persist" = (submount "/@/persist" true) // { neededForBoot = true; };
    "/persist/.snapshots" = submount "/snap/persist" false;
    "/var/log/journal" = bind "/persist/journal";
  };
 }
--- a/hosts/dandelion/kernel.nix
+++ b/hosts/dandelion/kernel.nix
@ -0,0 +1,10 @@
 { ... }: {
  boot = {
    loader = {
      efi.canTouchEfiVariables = true;
      systemd-boot.enable = true;
    };
    initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ];
    initrd.kernelModules = [ "nvme" ];
  };
 }
--- a/hosts/dandelion/networking.nix
+++ b/hosts/dandelion/networking.nix
@ -0,0 +1,4 @@
 { ... }: {
  networking.useDHCP = true;
  networking.interfaces.enp2s0.useDHCP = false;
 }
--- a/hosts/dandelion/nginx.nix
+++ b/hosts/dandelion/nginx.nix
@ -0,0 +1,8 @@
 { ... }: {
  services.nginx.virtualHosts."muse.lava.moe" = {
    useACMEHost = "lava.moe";
    forceSSL = true;
    locations."/".return = "404";
    locations."/share/".proxyPass = "http://[fd0d:2::5:2]:4533";
  };
 }
--- a/hosts/dandelion/packages.nix
+++ b/hosts/dandelion/packages.nix
@ -0,0 +1,14 @@
 { pkgs, ... }: {
  environment.systemPackages = with pkgs; [
    git
    htop
    jq
    neovim
    rsync
    sshfs
    wget
    kitty.terminfo
  ];
  environment.variables.EDITOR = "nvim";
 }
--- a/hosts/hyacinth/default.nix
+++ b/hosts/hyacinth/default.nix
@ -0,0 +1,47 @@
 { config, inputs, modules, overlays, pkgs, ... }: {
  networking.hostName = "hyacinth";
  system.stateVersion = "21.11";
  time.timeZone = "Australia/Melbourne";
  nixpkgs.overlays = [ inputs.neovim-nightly.overlays.default ];
  age.secrets = {
    passwd.file = ../../secrets/passwd.age;
    wg_hyacinth.file = ../../secrets/wg_hyacinth.age;
    wpa_conf.file = ../../secrets/wpa_conf.age;
  };
  imports = with modules.system; [
    home-manager
    aagl
    audio
    base
    bluetooth
    ccache
    corectrl
    docker
    flatpak
    greetd
    gui
    input
    kernel
    nix
    packages
    printing
    security
    snapper
    tailscale
    wireguard
    modules.services.syncthing
    ./filesystem.nix
    ./kernel.nix
    ./networking.nix
    ./packages.nix
    ../../users/rin
  ];
  systemd.services.nix-daemon.environment.TMPDIR = "/nix/tmp";
  me.hasBluetooth = true;
 }
--- a/hosts/hyacinth/filesystem.nix
+++ b/hosts/hyacinth/filesystem.nix
@ -0,0 +1,50 @@
 { config, lib, ... }:
 let
  mkLabelMount = label: type: {
    device = "/dev/disk/by-label/${label}";
    fsType = type;
    options = [ "defaults" "relatime" ];
  };
  mkBtrfsMount = name: subvol: atime: mkLabelMount name "btrfs" // {
    options = [ "autodefrag" "compress=zstd:3" "defaults" "discard=async" "space_cache=v2" "ssd" "subvol=${subvol}" (if atime then "relatime" else "noatime") ];
  };
  mkCakeMount = mkBtrfsMount "CAKE";
 in
 {
  fileSystems = {
    "/" = {
      device = "rootfs";
      fsType = "tmpfs";
      options = [ "defaults" "size=24G" "mode=755" ];
    };
    "/boot" = mkLabelMount "CUP" "vfat";
    "/mnt/butter" = mkCakeMount "/" true;
    "/mnt/cream" = mkBtrfsMount "CREAM" "/" true;
    "/mnt/cream/permanence/.snapshots" = mkBtrfsMount "CREAM" "/snapshot/permanence" false;
    "/nix" = mkCakeMount "/current/snow" false;
    "/home" = mkCakeMount "/current/home" true;
    "/home/.snapshots" = mkCakeMount "/snapshot/home" false;
    "/root" = mkCakeMount "/current/root" false;
    "/var" = mkCakeMount "/current/var" false;
    "/persist" = {
      depends = [ "/var" ];
      device = "/var/persist";
      fsType = "none";
      options = [ "bind" ];
      neededForBoot = true;
    };
  };
  services.snapper.configs.cream = {
      FSTYPE = "btrfs";
      SUBVOLUME = "/mnt/cream/permanence";
      TIMELINE_CLEANUP = true;
      TIMELINE_CREATE = true;
      TIMELINE_MIN_AGE = "1800";
      TIMELINE_LIMIT_HOURLY = "5";
      TIMELINE_LIMIT_DAILY = "7";
      TIMELINE_LIMIT_WEEKLY = "0";
      TIMELINE_LIMIT_MONTHLY = "0";
      TIMELINE_LIMIT_YEARLY = "0";
    };
 }
--- a/hosts/hyacinth/kernel.nix
+++ b/hosts/hyacinth/kernel.nix
@ -0,0 +1,20 @@
 { config, lib, pkgs, ... }: {
  boot = {
    loader = {
      efi.canTouchEfiVariables = true;
      systemd-boot.enable = true;
    };
    initrd.availableKernelModules = [ "xhci_pci" "nvme" ];
    initrd.kernelModules = [ "amdgpu" ];
    kernelParams = [
      "amdgpu.gpu_recovery=1"
      "intel_pstate=passive"
      "split_lock_detect=off"
    ];
    kernelPackages = lib.mkForce (pkgs.linuxPackagesFor pkgs.me.linux-lava);
  };
  hardware.amdgpu.overdrive = {
    enable = true;
    ppfeaturemask = "0xffffffff";
  };
 }
--- a/hosts/hyacinth/networking.nix
+++ b/hosts/hyacinth/networking.nix
@ -0,0 +1,19 @@
 { config, ... }: {
  environment.etc."wpa_supplicant.conf".source = config.age.secrets.wpa_conf.path;
  networking = {
    useDHCP = true;
    interfaces.enp5s0.useDHCP = false;
    interfaces.enp5s0.wakeOnLan.enable = true;
    interfaces.enp5s0.ipv4.addresses = [{
      address = "192.168.1.201";
      prefixLength = 24;
    }];
    defaultGateway = "192.168.1.1";
    nameservers = [ "8.8.8.8" "8.8.4.4" ];
    extraHosts = ''
      10.100.0.1     sugarcane
    '';
  };
 }
--- a/hosts/hyacinth/packages.nix
+++ b/hosts/hyacinth/packages.nix
@ -0,0 +1,7 @@
 { pkgs, ... }: {
  environment.systemPackages = with pkgs; [
    discord
    jetbrains.idea
    texliveFull
  ];
 }
--- a/hosts/winter/audio.nix
+++ b/hosts/winter/audio.nix
@ -1,107 +0,0 @@
 { config, ... }:
 let
  int = {
    quantum = {
      min = 512;
      def = 1024;
      max = 2048;
    };
    rate = 48000;
  };
  str = {
    quantum = {
      min = toString int.quantum.min;
      def = toString int.quantum.def;
      max = toString int.quantum.max;
    };
    rate = toString int.rate;
  };
 in {
  sound.enable = false;
  security.rtkit.enable = true;
  services.pipewire = {
    enable = true;
    alsa.enable = true;
    alsa.support32Bit = true;
    pulse.enable = true;
    jack.enable = true;
    config.pipewire = {
      "context.properties" = {
        "link.max-buffers" = 16;
        "default.clock.rate" = int.rate;
        "default.clock.quantum" = int.quantum.def;
        "default.clock.min-quantum" = int.quantum.min;
        "default.clock.max-quantum" = int.quantum.max;
        "core.daemon" = true;
        "core.name" = "pipewire-0";
      };
      "context.modules" = [
        {
          name = "libpipewire-module-rtkit";
          args = {
            "nice.level" = -15;
            "rt.prio" = 88;
            "rt.time.soft" = 200000;
            "rt.time.hard" = 200000;
          };
          flags = [ "ifexists" "nofail" ];
        }
        { name = "libpipewire-module-protocol-native"; }
        { name = "libpipewire-module-profiler"; }
        { name = "libpipewire-module-metadata"; }
        { name = "libpipewire-module-spa-device-factory"; }
        { name = "libpipewire-module-spa-node-factory"; }
        { name = "libpipewire-module-client-node"; }
        { name = "libpipewire-module-client-device"; }
        {
          name = "libpipewire-module-portal";
          flags = [ "ifexists" "nofail" ];
        }
        { name = "libpipewire-module-access"; args = {}; }
        { name = "libpipewire-module-adapter"; }
        { name = "libpipewire-module-link-factory"; }
        { name = "libpipewire-module-session-manager"; }
      ];
      "stream.properties" = {
        "node.latency" = "${str.quantum.min}/${str.rate}";
        "resample.quality" = 1;
      };
    };
    config.pipewire-pulse = {
      "context.modules" = [
        {
          name = "libpipewire-module-rtkit";
          args = {
            "nice.level" = -15;
            "rt.prio" = 88;
            "rt.time.soft" = 200000;
            "rt.time.hard" = 200000;
          };
          flags = [ "ifexists" "nofail" ];
        }
        { name = "libpipewire-module-protocol-native"; }
        { name = "libpipewire-module-client-node"; }
        { name = "libpipewire-module-adapter"; }
        { name = "libpipewire-module-metadata"; }
        {
          name = "libpipewire-module-protocol-pulse";
          args = {
            "pulse.min.req" = "${str.quantum.min}/${str.rate}";
            "pulse.default.req" = "${str.quantum.def}/${str.rate}";
            "pulse.max.req" = "${str.quantum.max}/${str.rate}";
            "pulse.min.quantum" = "${str.quantum.min}/${str.rate}";
            "pulse.max.quantum" = "${str.quantum.max}/${str.rate}";
            "server.address" = [ "unix:native" ];
          };
        }
      ];
      "stream.properties" = {
        "node.latency" = "${str.quantum.min}/${str.rate}";
        "resample.quality" = 1;
      };
    };
  };
 }
--- a/hosts/winter/default.nix
+++ b/hosts/winter/default.nix
@ -1,47 +0,0 @@
 { config, overlays, pkgs, ... }: {
  networking.hostName = "winter";
  system.stateVersion = "20.09";
  environment.etc = {
    "machine-id".source = "/var/persist/machine-id";
    "ssh/ssh_host_rsa_key".source = "/var/persist/ssh_host_rsa_key";
    "ssh/ssh_host_rsa_key.pub".source = "/var/persist/ssh_host_rsa_key.pub";
    "ssh/ssh_host_ed25519_key".source = "/var/persist/ssh_host_ed25519_key";
    "ssh/ssh_host_ed25519_key.pub".source = "/var/persist/ssh_host_ed25519_key.pub";
  };
  environment.pathsToLink = [ "/share/zsh" ];
  users.mutableUsers = false;
  imports = [
    ./audio.nix
    ./gui.nix
    ./hardware-configuration.nix
    ./kernel.nix
    ./networking.nix
    ./packages.nix
    ./security.nix
    ../../users/rin
  ];
  nix = rec {
    package = pkgs.nixUnstable;
    binaryCaches = [
      "https://cache.nixos.org?priority=10"
      "https://lava.cachix.org"
    ];
    binaryCachePublicKeys = [
      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
      "lava.cachix.org-1:8lTWI/3IKWHByzzYHZySunMPYs2eAJw2duL+uLZkSy0="
    ];
    trustedBinaryCaches = binaryCaches;
    extraOptions = ''
      experimental-features = nix-command flakes
    '';
  };
  nixpkgs.config.allowUnfree = true;
  i18n.defaultLocale = "en_GB.UTF-8";
  console.useXkbConfig = true;
 }
--- a/hosts/winter/gui.nix
+++ b/hosts/winter/gui.nix
@ -1,60 +0,0 @@
 { config, lib, pkgs, ... }: {
  fonts = {
    enableDefaultFonts = true;
    fontconfig = {
      defaultFonts = {
        serif = ["NotoSerif"];
        sansSerif = ["NotoSans"];
        monospace = ["CascadiaCode"];
      };
    };
    fonts = with pkgs; [
      cascadia-code
      font-awesome-ttf
      font-awesome_4
      hanazono
      material-icons
      noto-fonts
      noto-fonts-cjk
      noto-fonts-extra
      open-sans
      twemoji-color-font
      unifont
    ];
  };
  services.xserver = {
    enable = true;
    autorun = false;
    displayManager = {
      lightdm.enable = lib.mkForce false;
      startx.enable = true;
      xserverArgs = [
        "-ardelay 250"
        "-arinterval 15"
      ];
    };
    desktopManager.xterm.enable = false;
    libinput = {
      enable = true;
      mouse = {
        accelSpeed = "0";
        accelProfile = "flat";
      };
    };
    xkbOptions = "caps:escape";
    windowManager.i3 = {
      enable = true;
      package = pkgs.i3-gaps;
      extraPackages = with pkgs; [
        dunst
        feh
        lxappearance
        maim
        picom
        polybar
        rofi
        xclip
      ];
    };
  };
 }
--- a/hosts/winter/hardware-configuration.nix
+++ b/hosts/winter/hardware-configuration.nix
@ -1,63 +0,0 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
  boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "rootfs";
      fsType = "tmpfs";
      options = [ "defaults" "size=4G" "mode=755" ];
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/E8E8-E570";
      fsType = "vfat";
    };
  fileSystems."/mnt/butter" =
    { device = "/dev/disk/by-uuid/8f0ba28e-5dff-4a4e-8db0-aa72cc90cb5d";
      fsType = "btrfs";
      options = [ "autodefrag" "compress=zstd:3" "nossd" "nossd_spread" "relatime" "subvolid=5" ];
    };
  fileSystems."/nix" =
    { device = "/dev/disk/by-uuid/8f0ba28e-5dff-4a4e-8db0-aa72cc90cb5d";
      fsType = "btrfs";
      options = [ "autodefrag" "compress=zstd:3" "nossd" "nossd_spread" "relatime" "subvolid=258" ];
    };
  fileSystems."/home" =
    { device = "/dev/disk/by-uuid/8f0ba28e-5dff-4a4e-8db0-aa72cc90cb5d";
      fsType = "btrfs";
      options = [ "autodefrag" "compress=zstd:3" "nossd" "nossd_spread" "relatime" "subvolid=260" ];
    };
  fileSystems."/root" =
    { device = "/dev/disk/by-uuid/8f0ba28e-5dff-4a4e-8db0-aa72cc90cb5d";
      fsType = "btrfs";
      options = [ "autodefrag" "compress=zstd:3" "nossd" "nossd_spread" "relatime" "subvolid=261" ];
    };
  fileSystems."/var" =
    { device = "/dev/disk/by-uuid/8f0ba28e-5dff-4a4e-8db0-aa72cc90cb5d";
      fsType = "btrfs";
      options = [ "autodefrag" "compress=zstd:3" "nossd" "nossd_spread" "relatime" "subvolid=259" ];
    };
  fileSystems."/mnt/hdd" =
    { device = "/dev/disk/by-uuid/d5e3cfe5-c73a-4695-b81b-fc0215d4cefe";
      fsType = "ext4";
    };
  swapDevices = [ ];
 }
--- a/hosts/winter/kernel.nix
+++ b/hosts/winter/kernel.nix
@ -1,32 +0,0 @@
 { config, pkgs, ...}: {
  powerManagement.cpuFreqGovernor = "ondemand";
  boot = {
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
      grub = {
        enable = true;
        efiSupport = true;
        device = "nodev";
      };
    };
    blacklistedKernelModules = ["uvcvideo"];
    initrd = {
      includeDefaultModules = false;
      kernelModules = [ "i915" ];
    };
    kernel.sysctl = {
      "kernel.core_pattern" = "|/bin/false";
      "kernel.sysrq" = 1;
    };
    kernelParams = [
      "amdgpu.gpu_recovery=1"
      "amdgpu.si_support=1"
      "radeon.si_support=0"
      "intel_pstate=passive"
      "msr.allow_writes=on"
    ];
    kernelPackages = pkgs.lib.mkForce (pkgs.linuxPackagesFor pkgs.linux-lava);
  };
  zramSwap.enable = true;
 }
--- a/hosts/winter/networking.nix
+++ b/hosts/winter/networking.nix
@ -1,21 +0,0 @@
 { config, ... }: {
  networking.wireless = {
    enable = true;
    interfaces = [ "wlp3s0" ];
  };
  networking.useDHCP = false;
  networking.interfaces.eno1.useDHCP = false;
  networking.interfaces.wlp3s0.useDHCP = false;
  networking.interfaces.eno1.ipv4.addresses = [{
    address = "10.0.0.2";
    prefixLength = 24;
  }];
  networking.interfaces.wlp3s0.ipv4.addresses = [{
    address = "192.168.100.13";
    prefixLength = 24;
  }];
  networking.defaultGateway = "192.168.100.1";
  networking.nameservers = ["192.168.100.11"];
 }
--- a/hosts/winter/packages.nix
+++ b/hosts/winter/packages.nix
@ -1,33 +0,0 @@
 { config, pkgs, ...}: {
  environment.systemPackages = with pkgs; [
    efibootmgr
    git
    gparted
    htop
    libarchive
    lf
    msr-tools
    ncdu
    neovim
    rsync
    wget
    gnome3.nautilus
  ];
  environment.variables.EDITOR = "nvim";
  hardware.opengl.extraPackages = with pkgs; [
     vaapiIntel
     vaapiVdpau
     libvdpau-va-gl
     intel-ocl
     rocm-opencl-icd
     rocm-opencl-runtime
  ];
  programs.light.enable = true;
  hardware.opentabletdriver.enable = true;
  programs.steam.enable = true;
  services.dbus.packages = [ pkgs.gnome3.dconf pkgs.gcr ];
  services.gnome.sushi.enable = true;
  # services.ipfs.enable = true;
 }
--- a/hosts/winter/security.nix
+++ b/hosts/winter/security.nix
@ -1,19 +0,0 @@
 { config, pkgs, ... }: {
  networking.firewall.enable = false;
  services.openssh.enable = true;
  security = {
    polkit.enable = true;
    sudo.enable = false;
    doas = {
      enable = true;
      extraRules = [
        {
          groups = ["wheel"];
          keepEnv = true;
          persist = true;
        }
      ];
    };
  };
 }
--- a/modules/binds.nix
+++ b/modules/binds.nix
@ -0,0 +1,13 @@
 { config, lib, ...}: {
  imports = [ ./options.nix ];
  fileSystems = lib.mapAttrs (dest: key: let
    target = if (lib.strings.hasPrefix "/" key)
      then key
      else "/persist/binds/${key}";
  in {
    depends = [ "/persist" ];
    device = target;
    fsType = "none";
    options = [ "bind" ];
  }) config.me.binds;
 }
--- a/modules/default.nix
+++ b/modules/default.nix
@ -0,0 +1,80 @@
 { lib }:
 let
  getName = path: lib.removeSuffix ".nix" ( # Strip extension
    lib.last (                              # Gets the last part (filename)
      lib.splitString "/" (                 # Splits the path into components
        builtins.toString path              # Converts the path into a string
      )
    )
  );
  mkAttrsFromPaths = paths: builtins.listToAttrs (
    builtins.map (path: {
      name = getName path;
      value = path;
    }) paths
  );
 in {
  binds = ./binds.nix;
  options = ./options.nix;
  services = mkAttrsFromPaths [
    ./services/banksia.nix
    ./services/jellyfin.nix
    ./services/nginx.nix
    ./services/postgres.nix
    ./services/sonarr.nix
    ./services/synapse.nix
    ./services/syncthing.nix
    ./services/tmptsync.nix
    ./services/transmission.nix
    ./services/unbound.nix
    ./services/vaultwarden.nix
    ./services/website.nix
  ];
  system = mkAttrsFromPaths [
    ./system/aagl.nix
    ./system/audio.nix
    ./system/base.nix
    ./system/bluetooth.nix
    ./system/ccache.nix
    ./system/corectrl.nix
    ./system/docker.nix
    ./system/flatpak.nix
    ./system/greetd.nix
    ./system/gui.nix
    ./system/home-manager.nix
    ./system/input.nix
    ./system/kernel.nix
    ./system/nix.nix
    ./system/nix-stable.nix
    ./system/packages.nix
    ./system/printing.nix
    ./system/security.nix
    ./system/snapper.nix
    ./system/tailscale.nix
    ./system/virtualisation.nix
    ./system/wireguard.nix
  ];
  user = mkAttrsFromPaths [
    ./user/catppuccin.nix
    ./user/comma.nix
    ./user/direnv.nix
    ./user/dunst.nix
    ./user/eww.nix
    ./user/git.nix
    ./user/gpg.nix
    ./user/hypridle.nix
    ./user/hyprlock.nix
    ./user/kitty.nix
    ./user/mpv.nix
    ./user/neovim.nix
    ./user/neovim-minimal.nix
    ./user/npm.nix
    ./user/obs.nix
    ./user/rofi.nix
    ./user/sessionVariables.nix
    ./user/spicetify.nix
    ./user/theming.nix
    ./user/xdg.nix
    ./user/zsh.nix
  ];
 }
--- a/modules/options.nix
+++ b/modules/options.nix
@ -0,0 +1,53 @@
 { config, lib, ... }:
 let
  inherit (lib)
    mkOption
    types;
 in {
  options.me = {
    environment = mkOption {
      type = types.enum [ "desktop" "laptop" "headless" ];
      default = "desktop";
    };
    hasFingerprint = mkOption {
      type = types.bool;
      default = false;
    };
    gui = mkOption {
      type = types.bool;
      default = config.me.environment != "headless";
    };
    batteryDevice = mkOption {
      type = with types; nullOr (uniq str);
      default = null;
    };
    kbBacklightDevice = mkOption {
      type = with types; nullOr (uniq str);
      default = null;
    };
    hasBluetooth = mkOption {
      type = types.bool;
      default = config.me.environment == "laptop";
    };
    hasWifi = mkOption {
      type = types.bool;
      default = config.me.environment == "laptop";
    };
    hidpi = mkOption {
      type = types.bool;
      default = false;
    };
    binds = lib.mkOption {
      type = with lib.types; attrsOf str;
      default = {};
    };
  };
 }
--- a/modules/services/banksia.nix
+++ b/modules/services/banksia.nix
@ -0,0 +1,11 @@
 # TODO ^^
 { ... }: {
  services.nginx.virtualHosts = {
    "banksia.lava.moe" = {
      useACMEHost = "lava.moe";
      forceSSL = true;
      locations."/".return = "302 https://lab.lava.moe/cilly/Banksia";
      locations."/api".proxyPass = "http://localhost:8080/";
    };
  };
 }
--- a/modules/services/jellyfin.nix
+++ b/modules/services/jellyfin.nix
@ -0,0 +1,28 @@
 { ... }:
 let
  dir = "/persist/jellyfin";
 in
 {
  fileSystems."/var/lib/jellyfin" = {
    depends = [ "/persist" ];
    device = dir;
    fsType = "none";
    options = [ "bind" ];
  };
  system.activationScripts."jellyfin-create-bind-mount" = {
    deps = [ "users" "groups" ];
    text = ''
      mkdir -p ${dir}
      chown jellyfin:jellyfin ${dir}
      chmod 700 ${dir}
    '';
  };
  systemd.tmpfiles.rules = [
    "d /tmp/jelly-transcodes 700 jellyfin jellyfin"
    "L+ /var/lib/jellyfin/transcodes - - - - /tmp/jelly-transcodes"
  ];
  services.jellyfin = {
    enable = true;
    openFirewall = true;
  };
 }
--- a/modules/services/nginx.nix
+++ b/modules/services/nginx.nix
@ -0,0 +1,28 @@
 { config, ... }: {
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  security.acme = {
    acceptTerms = true;
    defaults = {
      email = "me@lava.moe";
      group = "nginx";
      dnsProvider = "cloudflare";
      environmentFile = config.age.secrets."acme_dns".path;
    };
    certs."lava.moe" = {
      extraDomainNames = [
        "*.lava.moe"
        "*.local.lava.moe"
      ];
    };
    certs."cilly.moe" = {};
    certs."cilly.dev" = {};
  };
  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
  };
 }
--- a/modules/services/postgres.nix
+++ b/modules/services/postgres.nix
@ -0,0 +1,20 @@
 { config, lib, pkgs, ... }:
 let
  dir = "/persist/postgresql/${config.services.postgresql.package.psqlSchema}";
  uid = toString config.ids.uids.postgres;
  gid = toString config.ids.gids.postgres;
 in {
  systemd.tmpfiles.rules = [ "d ${dir} 700 ${uid} ${gid}" ];
  services.postgresql = {
    enable = true;
    dataDir = dir;
    # TODO: broken :3
    package = pkgs.postgresql_13;
    authentication = lib.mkOverride 10 ''
      #type  database  DBuser  origin-address      auth-method
      local  all       all                         trust
      host   all       all     127.0.0.1/32        trust
      host   all       all     ::1/128             trust
    '';
  };
 }
--- a/modules/services/sonarr.nix
+++ b/modules/services/sonarr.nix
@ -0,0 +1,11 @@
 { ... }:
 let
  dir = "/persist/sonarr";
 in
 {
  services.sonarr = {
    enable = true;
    dataDir = dir;
    openFirewall = true;
  };
 }
--- a/modules/services/synapse.nix
+++ b/modules/services/synapse.nix
@ -0,0 +1,89 @@
 { config, lib, options, pkgs, ... }:
 let
  dom = "lava.moe";
  sub = "matrix.lava.moe";
  dir = "/persist/matrix-synapse";
  uid = toString config.ids.uids.matrix-synapse;
  gid = toString config.ids.gids.matrix-synapse;
 in {
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  systemd.tmpfiles.rules = [ "d ${dir} 700 ${uid} ${gid}" ];
  /*services.postgresql = {
    ensureDatabases = [ "matrix-synapse" ];
    ensureUsers = [{
      name = "matrix-synapse";
      ensurePermissions = {
        "DATABASE matrix-synapse" = "ALL PRIVILEGES";
      };
    }];
  };*/
  # TODO this would be bad if we use postgres for other things too
  services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
    CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
    CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
      TEMPLATE template0
      LC_COLLATE = "C"
      LC_CTYPE = "C";
  '';
  services.nginx = {
    virtualHosts = {
      ${dom} = {
        locations."= /.well-known/matrix/server".extraConfig =
          let
            server = { "m.server" = "${sub}:443"; };
          in ''
            add_header Content-Type application/json;
            return 200 '${builtins.toJSON server}';
          '';
        locations."= /.well-known/matrix/client".extraConfig =
          let
            client = {
              "m.homeserver" =  { "base_url" = "https://${sub}"; };
              "m.identity_server" =  { "base_url" = "https://vector.im"; };
            };
          in ''
            add_header Content-Type application/json;
            add_header Access-Control-Allow-Origin *;
            return 200 '${builtins.toJSON client}';
          '';
      };
      ${sub} = {
        forceSSL = true;
        useACMEHost = dom;
        locations."/".extraConfig = ''
          return 302 'https://${dom}';
        '';
        locations."/_matrix" = {
          proxyPass = "http://[::1]:8008";
        };
      };
    };
  };
  services.matrix-synapse = {
    enable = true;
    dataDir = dir;
    server_name = dom;
    logConfig = builtins.replaceStrings [ "INFO" ] [ "WARNING" ] options.services.matrix-synapse.logConfig.default;
    listeners = [
      {
        port = 8008;
        bind_address = "::1";
        type = "http";
        tls = false;
        x_forwarded = true;
        resources = [
          {
            names = [ "client" "federation" ];
            compress = false;
          }
        ];
      }
    ];
  };
 }
--- a/modules/services/syncthing.nix
+++ b/modules/services/syncthing.nix
@ -0,0 +1,23 @@
 { config, ... }:
 let
  dir = "/persist/shared/.syncthing";
  user = if config.me.gui then "rin" else "hana";
  uid = toString config.users.users."${user}".uid;
  gid = toString config.users.groups.users.gid;
 in
 {
  systemd.tmpfiles.rules = [
    "d ${dir}/config 700 ${uid} ${gid}"
    "d ${dir}/data 700 ${uid} ${gid}"
  ];
  systemd.services.syncthing.environment.STNODEFAULTFOLDER = "true";
  services.syncthing = {
    enable = true;
    openDefaultPorts = true;
    user = user;
    group = "users";
    dataDir = "/persist/shared/.syncthing/data";
    configDir = "/persist/shared/.syncthing/config";
    guiAddress = if config.me.gui then "127.0.0.1:8384" else ":8384";
  };
 }
--- a/modules/services/tmptsync.nix
+++ b/modules/services/tmptsync.nix
@ -0,0 +1,32 @@
 { ... }:
 let
  dir = "/persist/tmptsync";
 in
 {
  systemd = {
    services = {
      tmptsync-load = {
        before = [ "basic.target" ];
        after = [ "local-fs.target" "sysinit.target" ];
        unitConfig.DefaultDependencies = false;
        environment.FILE = dir;
        script = "${../../scripts/tmptsync.sh} load";
        wantedBy = [ "basic.target" ];
      };
      tmptsync-save = {
        environment.FILE = dir;
        script = "${../../scripts/tmptsync.sh} save";
        wantedBy = [ "basic.target" ];
      };
    };
    timers.tmptsync-save = {
      timerConfig = {
        Unit = "tmptsync-save.service";
        OnBootSec = "30min";
        OnUnitActiveSec = "2h";
      };
    };
  };
 }
--- a/modules/services/transmission.nix
+++ b/modules/services/transmission.nix
@ -0,0 +1,18 @@
 { config, ... }: {
  networking.firewall.allowedTCPPorts = [ 9091 ];
  services.transmission = {
    enable = true;
    downloadDirPermissions = "775";
    openFirewall = true;
    settings = {
      download-dir = "/persist/transmission/Downloads";
      incomplete-dir = "/persist/transmission/.incomplete";
      ratio-limit-enabled = true;
      rpc-bind-address = "0.0.0.0";
      rpc-enabled = true;
      rpc-port = 9091;
      rpc-host-whitelist = "${config.networking.hostName}";
      rpc-whitelist = "10.100.0.*,10.0.0.*,192.168.100.*";
    };
  };
 }
--- a/modules/services/unbound.nix
+++ b/modules/services/unbound.nix
@ -0,0 +1,62 @@
 { inputs, pkgs, gcSecrets, ... }:
 let
  dir = "/persist/unbound";
  converted = pkgs.runCommand "stevenblack-hosts-unbound" {} ''
    echo "server:" > "$out"
    grep '^0\.0\.0\.0' "${inputs.stevenblack-hosts}/hosts" | awk '{print "local-zone: \""$2"\" always_refuse"}' | tail -n +2 >> "$out"
  '';
 in {
  networking.firewall.interfaces."ve-+" = {
    allowedUDPPorts = [ 53 853 ];
    allowedTCPPorts = [ 53 853 ];
  };
  networking.firewall.interfaces.wg0 = {
    allowedUDPPorts = [ 53 853 ];
    allowedTCPPorts = [ 53 853 ];
  };
  systemd.tmpfiles.rules = [ "d ${dir} 700 unbound unbound" ];
  services.unbound = {
    enable = true;
    stateDir = dir;
    settings = {
      forward-zone = [{
        name = ".";
        forward-tls-upstream = true;
        forward-addr = [
          "2606:4700:4700::1111@853#cloudflare-dns.com"
          "2606:4700:4700::1001@853#cloudflare-dns.com"
          "2001:4860:4860::8888@853#dns.google"
          "2001:4860:4860::8844@853#dns.google"
          "1.1.1.1@853#cloudflare-dns.com"
          "1.0.0.1@853#cloudflare-dns.com"
          "8.8.8.8@853#dns.google"
          "8.8.4.4@853#dns.google"
        ];
      }];
      server = {
        interface = [ "0.0.0.0" "::0" ];
        access-control = [
          "127.0.0.1/8      allow"
          "10.0.0.0/8       allow"
          "100.64.0.0/10    allow"
          "192.168.100.0/24 allow"
          "fd0d::/16        allow"
          "fd7a:115c:a1e0::/48 allow"
          "${gcSecrets.wireguard.ipv6Subnet}:/80 allow"
        ];
        domain-insecure = [ "\"local.lava.moe\"" ];
        local-zone = [ "\"warden.local.lava.moe.\" redirect" ];
        local-data = [
          "\"warden.local.lava.moe. IN A 10.100.0.2\""
        ];
      };
      include = "${converted}";
    };
  };
  systemd.services.unbound.serviceConfig.ReadWritePaths = [ dir ];
 }
--- a/modules/services/vaultwarden.nix
+++ b/modules/services/vaultwarden.nix
@ -0,0 +1,32 @@
 { config, lib, ... }:
 let
  dir = "/persist/vaultwarden";
  user = config.users.users.vaultwarden.name;
  group = config.users.groups.vaultwarden.name;
 in {
  systemd.tmpfiles.rules = [
    "d ${dir} 700 ${user} ${group}"
    "d ${dir}_backup 700 ${user} ${group}"
  ];
  services.vaultwarden = {
    enable = true;
    backupDir = "${dir}_backup";
    config = {
      dataFolder = dir;
      signupsAllowed = false;
      domain = "https://warden.local.lava.moe";
      rocketPort = 8002;
    };
    environmentFile = config.age.secrets.warden_admin.path;
  };
  services.nginx.virtualHosts."warden.local.lava.moe" = {
    forceSSL = true;
    useACMEHost = "lava.moe";
    locations."/".proxyPass = "http://localhost:8002";
  };
  systemd.services.vaultwarden.serviceConfig.ReadWritePaths = [ dir ];
  systemd.services.backup-vaultwarden.environment.DATA_FOLDER = lib.mkForce dir;
 }
--- a/modules/services/website.nix
+++ b/modules/services/website.nix
@ -0,0 +1,43 @@
 { inputs, pkgs, ... }: let
  pastel = inputs.pastel.packages.${pkgs.system}.default;
 in {
  services.nginx.virtualHosts = {
    "cilly.moe" = {
      useACMEHost = "cilly.moe";
      forceSSL = true;
      root = pastel.outPath;
    };
    "cilly.dev" = {
      useACMEHost = "cilly.dev";
      forceSSL = true;
      root = pastel.outPath;
    };
    "lava.moe" = {
      useACMEHost = "lava.moe";
      forceSSL = true;
      root = inputs.website.outPath;
    };
    "cdn.lava.moe" = {
      useACMEHost = "lava.moe";
      forceSSL = true;
      extraConfig = ''
        return 301 https://sh.lava.moe$request_uri;
      '';
    };
    "sh.lava.moe" = {
      useACMEHost = "lava.moe";
      forceSSL = true;
      root = "/persist/cdn";
    };
    "_" = {
      default = true;
      addSSL = true;
      # TODO generate this somewhere
      sslCertificate = "/persist/fakeCerts/fake.crt";
      sslCertificateKey = "/persist/fakeCerts/fake.key";
      extraConfig = ''
        return 444;
      '';
    };
  };
 }
--- a/modules/system/aagl.nix
+++ b/modules/system/aagl.nix
@ -0,0 +1,6 @@
 { inputs, ... }: {
  imports = [ inputs.aagl.nixosModules.default ];
  nix.settings = inputs.aagl.nixConfig;
  programs.anime-game-launcher.enable = true;
  programs.sleepy-launcher.enable = true;
 }
--- a/modules/system/audio.nix
+++ b/modules/system/audio.nix
@ -0,0 +1,88 @@
 { config, ... }:
 let
  int = {
    quantum = {
      min = 64;
      def = 1024;
      max = 2048;
    };
    rate = 48000;
  };
  str = {
    quantum = {
      min = toString int.quantum.min;
      def = toString int.quantum.def;
      max = toString int.quantum.max;
    };
    rate = toString int.rate;
  };
 in {
  security.rtkit.enable = true;
  services.pipewire = {
    enable = true;
    alsa.enable = true;
    alsa.support32Bit = true;
    pulse.enable = true;
    jack.enable = true;
  };
  services.pipewire.extraConfig.pipewire = {
    "context.properties" = {
      "default.clock.rate" = int.rate;
      "default.clock.quantum" = int.quantum.def;
      "default.clock.min-quantum" = int.quantum.min;
      "default.clock.max-quantum" = int.quantum.max;
    };
    "context.modules" = [
      {
        name = "libpipewire-module-rtkit";
        args = {
          "nice.level" = -15;
          "rt.prio" = 88;
          "rt.time.soft" = 200000;
          "rt.time.hard" = 200000;
        };
      }
    ];
    "stream.properties" = {
      "node.latency" = "${str.quantum.min}/${str.rate}";
      "resample.quality" = 1;
    };
  };
  services.pipewire.extraConfig.pipewire-pulse = {
      "context.modules" = [
        {
          name = "libpipewire-module-rtkit";
          args = {
            "nice.level" = -15;
            "rt.prio" = 88;
            "rt.time.soft" = 200000;
            "rt.time.hard" = 200000;
          };
        }
      ];
      "pulse.properties" = {
         "pulse.min.req" = "${str.quantum.min}/${str.rate}";
         "pulse.default.req" = "${str.quantum.def}/${str.rate}";
         "pulse.max.req" = "${str.quantum.max}/${str.rate}";
         "pulse.min.quantum" = "${str.quantum.min}/${str.rate}";
         "pulse.max.quantum" = "${str.quantum.max}/${str.rate}";
      };
      "pulse.rules" = [
        {
          # Discord notification sounds fix
          matches = [ { "application.process.binary" = ".DiscordCanary-wrapped"; } ];
          actions = {
              update-props = {
                  "pulse.min.quantum" = "1024/48000";
              };
          };
        }
      ];
      "stream.properties" = {
        "node.latency" = "${str.quantum.min}/${str.rate}";
        "resample.quality" = 1;
      };
  };
 }
--- a/modules/system/base.nix
+++ b/modules/system/base.nix
@ -0,0 +1,27 @@
 { config, inputs, modules, ... }: {
  imports = [ modules.binds modules.options ];
  environment.etc = {
    "machine-id".source = "/persist/machine-id";
    "ssh/ssh_host_rsa_key".source = "/persist/ssh_host_rsa_key";
    "ssh/ssh_host_rsa_key.pub".source = "/persist/ssh_host_rsa_key.pub";
    "ssh/ssh_host_ed25519_key".source = "/persist/ssh_host_ed25519_key";
    "ssh/ssh_host_ed25519_key.pub".source = "/persist/ssh_host_ed25519_key.pub";
  };
  environment.pathsToLink = [ "/share/zsh" ];
  i18n.defaultLocale = "en_AU.UTF-8";
  i18n.extraLocales = [ "en_GB.UTF-8/UTF-8" ];
  users.mutableUsers = false;
  system = {
    configurationRevision = inputs.self.rev;
    nixos = rec {
      version = config.system.nixos.release + versionSuffix;
      versionSuffix = "-${config.system.name}.r${builtins.toString inputs.self.revCount}.${inputs.self.shortRev}";
    };
  };
  nix.registry.config.flake = inputs.self;
  nix.registry.shells.flake = inputs.self;
 }
--- a/modules/system/bluetooth.nix
+++ b/modules/system/bluetooth.nix
@ -0,0 +1,6 @@
 { ... }: {
  hardware.bluetooth = {
    enable = true;
    powerOnBoot = true;
  };
 }
--- a/modules/system/ccache.nix
+++ b/modules/system/ccache.nix
@ -0,0 +1,3 @@
 { config, ... }: {
  programs.ccache.enable = true;
 }
--- a/modules/system/corectrl.nix
+++ b/modules/system/corectrl.nix
@ -0,0 +1,5 @@
 { ... }: {
  programs.corectrl = {
    enable = true;
  };
 }
--- a/modules/system/docker.nix
+++ b/modules/system/docker.nix
@ -0,0 +1,13 @@
 { pkgs, ... }: {
  virtualisation.docker = {
    enable = true;
    storageDriver = "btrfs";
    # rootless = {
    #   enable = true;
    #   setSocketVariable = true;
    # };
  };
  environment.systemPackages = [
    pkgs.docker-compose
  ];
 }
--- a/modules/system/flatpak.nix
+++ b/modules/system/flatpak.nix
@ -0,0 +1,8 @@
 { pkgs, ... }: {
  services.flatpak.enable = true;
  xdg.portal = {
    enable = true;
    extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
    config.common.default = "*";
  };
 }
--- a/modules/system/greetd.nix
+++ b/modules/system/greetd.nix
@ -0,0 +1,18 @@
 { pkgs, ... }: {
  services.greetd = {
    enable = true;
    settings = {
      default_session = {
        command = "${pkgs.tuigreet}/bin/tuigreet --remember --asterisks --time --cmd 'zsh -c \"source $HOME/.config/zsh/.zshrc && Hyprland > $XDG_RUNTIME_DIR/Hyprland.out\"'";
        user = "greeter";
      };
      initial_session = {
        command = "${pkgs.writeShellScript "launch.sh" ''
          zsh -c "source $HOME/.config/zsh/.zshrc && Hyprland > \"$XDG_RUNTIME_DIR/Hyprland.out\""
        ''}";
        user = "rin";
      };
    };
  };
 }
--- a/modules/system/gui.nix
+++ b/modules/system/gui.nix
@ -0,0 +1,31 @@
 { config, lib, pkgs, ... }: {
  fonts = {
    enableDefaultPackages = true;
    fontconfig = {
      defaultFonts = {
        serif = [ "NotoSerif" ];
        sansSerif = [ "NotoSans" ];
        monospace = [ "CascadiaCode" ];
      };
    };
    packages = with pkgs; [
      material-symbols
      material-icons
      cascadia-code
      hanazono
      noto-fonts
      noto-fonts-cjk-sans
      open-sans
      twemoji-color-font
      unifont
    ];
  };
  services.xserver = {
    enable = true;
    displayManager.lightdm.enable = lib.mkForce false;
    desktopManager.xterm.enable = false;
  };
  programs.hyprland.enable = true;
  security.pam.services.hyprlock = {};
 }
--- a/modules/system/home-manager.nix
+++ b/modules/system/home-manager.nix
@ -0,0 +1,19 @@
 { config, inputs, modules, ... }: {
  imports = [
    inputs.home-manager.nixosModules.home-manager
  ];
  home-manager = {
    useGlobalPkgs = true;
    useUserPackages = true;
    extraSpecialArgs = {
      inherit inputs modules;
      sysConfig = config;
    };
    sharedModules = [
      {
        imports = [ modules.options ];
        config.me = config.me;
      }
    ];
  };
 }
--- a/modules/system/input.nix
+++ b/modules/system/input.nix
@ -0,0 +1,24 @@
 { ... }: {
  services.xserver = {
    displayManager = {
      xserverArgs = [
        "-ardelay 150"
        "-arinterval 15"
      ];
    };
  };
  services.keyd = {
    enable = true;
    keyboards = {
      default = {
        ids = [ "*" ];
        settings = {
          main = {
            capslock = "esc";
            esc = "capslock";
          };
        };
      };
    };
  };
 }
--- a/modules/system/kernel.nix
+++ b/modules/system/kernel.nix
@ -0,0 +1,18 @@
 { config, pkgs, ... }: {
  boot = {
    blacklistedKernelModules = [ "uvcvideo" ];
    initrd = {
      includeDefaultModules = false;
      availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" ];
    };
    kernel.sysctl = {
      "kernel.core_pattern" = "|/bin/false";
      "kernel.sysrq" = 1;
    };
  };
  hardware.enableRedistributableFirmware = true;
  zramSwap = {
    enable = true;
    priority = 100;
  };
 }
--- a/modules/system/nix-stable.nix
+++ b/modules/system/nix-stable.nix
@ -0,0 +1,23 @@
 { config, lib, pkgs, ... }: {
  nix = {
    package = pkgs.nixVersions.latest;
    settings = rec {
      substituters = [
        "https://cache.nixos.org?priority=10"
        "https://lava.cachix.org"
      ];
      trusted-public-keys = [
        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
        "lava.cachix.org-1:8lTWI/3IKWHByzzYHZySunMPYs2eAJw2duL+uLZkSy0="
      ];
      trusted-substituters = substituters;
    };
    extraOptions = ''
      experimental-features = nix-command flakes
    '';
  };
  nixpkgs.config.allowUnfree = true;
  programs.nh.enable = true;
 }
--- a/modules/system/nix.nix
+++ b/modules/system/nix.nix
@ -0,0 +1,28 @@
 { config, inputs, pkgs, ... }: {
  nix = {
    nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
    package = pkgs.nixVersions.latest;
    settings = rec {
      extra-sandbox-paths = [ config.programs.ccache.cacheDir ];
      substituters = [
        "https://cache.nixos.org?priority=10"
        "https://lava.cachix.org"
        "https://nix-gaming.cachix.org"
      ];
      trusted-public-keys = [
        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
        "lava.cachix.org-1:8lTWI/3IKWHByzzYHZySunMPYs2eAJw2duL+uLZkSy0="
        "nix-gaming.cachix.org-1:nbjlureqMbRAxR1gJ/f3hxemL9svXaZF/Ees8vCUUs4="
      ];
      trusted-substituters = substituters;
      trusted-users = [ "root" "rin" ];
    };
    extraOptions = ''
      experimental-features = nix-command flakes
    '';
  };
  nixpkgs.config.allowUnfree = true;
  programs.nh.enable = true;
 }
--- a/modules/system/packages-gui.nix
+++ b/modules/system/packages-gui.nix
@ -0,0 +1,26 @@
 { config, lib, pkgs, ... }: {
  config = lib.mkIf config.me.gui {
    environment.systemPackages = with pkgs; [
      android-tools
      gparted
      nautilus
    ];
    hardware.graphics.extraPackages = with pkgs; [
      intel-vaapi-driver
      libva-vdpau-driver
      libvdpau-va-gl
    ];
    hardware.opentabletdriver.enable = true;
    hardware.keyboard.qmk.enable = true;
    programs.steam = {
      enable = true;
      package = pkgs.steam.override {
        extraPkgs = pkgs: with pkgs; [
          gsettings-desktop-schemas
        ];
      };
    };
    services.dbus.packages = [ pkgs.dconf pkgs.gcr ];
    services.gnome.sushi.enable = true;
  };
 }
--- a/modules/system/packages.nix
+++ b/modules/system/packages.nix
@ -0,0 +1,25 @@
 { pkgs, ... }: {
  imports = [ ./packages-gui.nix ];
  environment.systemPackages = with pkgs; [
    # ecryptfs
    efibootmgr
    fd
    git
    git-crypt
    htop
    jq
    kitty.terminfo
    libarchive
    lf
    msr-tools
    ncdu
    neovim
    nfs-utils
    ntfs3g
    ripgrep
    rsync
    sshfs
    wget
  ];
  environment.variables.EDITOR = "nvim";
 }
--- a/modules/system/printing.nix
+++ b/modules/system/printing.nix
@ -0,0 +1,9 @@
 { pkgs, ... }: {
  services.printing = {
    enable = true;
    drivers = with pkgs; [
      epson-escpr
      #me.epson-201112j
    ];
  };
 }
--- a/modules/system/security.nix
+++ b/modules/system/security.nix
@ -0,0 +1,85 @@
 { config, lib, pkgs, ... }: {
  networking.firewall =
  let
    iptables = "${pkgs.iptables}/bin/iptables";
    genCmds = type: ''
      ${iptables} -${type} nixos-fw -p tcp --source 192.168.0.0/16 -j nixos-fw-accept ${if type == "D" then " || true" else ""}
      ${iptables} -${type} nixos-fw -p udp --source 192.168.0.0/16 -j nixos-fw-accept ${if type == "D" then " || true" else ""}
    '';
  in {
    enable = true;
    allowedUDPPortRanges = [ { from = 20000; to = 20100; } ];
    allowedTCPPortRanges = [ { from = 20000; to = 20100; } ];
    trustedInterfaces = [ "wg0" ];
    logRefusedConnections = false;
    extraCommands = genCmds "I";
    extraStopCommands = genCmds "D";
  };
  services.openssh = {
    enable = true;
    settings = {
      PermitRootLogin = "no";
      PasswordAuthentication = false;
      X11Forwarding = true;
    };
    hostKeys = [
      {
        bits = 4096;
        path = "/persist/ssh_host_rsa_key";
        rounds = 100;
        type = "rsa";
      }
      {
        path = "/persist/ssh_host_ed25519_key";
        rounds = 100;
        type = "ed25519";
      }
    ];
  };
  security = {
    polkit.enable = true;
    sudo.enable = false;
    doas = {
      enable = true;
      extraRules = [
        {
          groups = [ "wheel" ];
          keepEnv = true;
          persist = true;
        }
      ];
    };
    pam = lib.mkIf (config.me.environment != "headless") {
      u2f = {
        enable = true;
        settings = {
          cue = true;
          pinverification = 1;
        };
      };
      services.doas.rules.auth = {
        u2f.settings.pinverification = lib.mkForce 0;
        u2f_int = lib.mkMerge [
          {
            enable = true;
            order = config.security.pam.services.doas.rules.auth.u2f.order + 1;
            control = "sufficient";
            modulePath = "${pkgs.pam_u2f}/lib/security/pam_u2f.so";
            inherit (config.security.pam.u2f) settings;
          }
          {
            settings = lib.mkForce {
              interactive = true;
              pinverification = 0;
              userpresence = 0;
            };
          }
        ];
      };
    };
  };
 }
--- a/modules/system/snapper.nix
+++ b/modules/system/snapper.nix
@ -0,0 +1,17 @@
 { config, lib, ... }: {
  services.snapper = {
    cleanupInterval = "1h";
    configs.home = {
      FSTYPE = "btrfs";
      SUBVOLUME = "/home";
      TIMELINE_CLEANUP = true;
      TIMELINE_CREATE = true;
      TIMELINE_MIN_AGE = "1800";
      TIMELINE_LIMIT_HOURLY = "5";
      TIMELINE_LIMIT_DAILY = "7";
      TIMELINE_LIMIT_WEEKLY = "0";
      TIMELINE_LIMIT_MONTHLY = "0";
      TIMELINE_LIMIT_YEARLY = "0";
    };
  };
 }
--- a/Show more
+++ b/Show more
		`@ -0,0 +1 @@`
							`secrets.gcrypt/** filter=git-crypt diff=git-crypt`