Merge branch 'production' into next

devices/srv1/default.nix

@@ -48,25 +48,27 @@ inputs:
             {
               name = "n2"; address = "192.168.178.3";
               cpu = { sockets = 4; cores = 8; threads = 2; };
-              memoryMB = 30720;
+              memoryMB = 61440;
             };
             srv1-node3 =
             {
               name = "n3"; address = "192.168.178.4";
               cpu = { sockets = 4; cores = 8; threads = 2; };
-              memoryMB = 30720;
+              memoryMB = 38912;
             };
           };
           partitions =
           {
             localhost = [ "srv1-node0" ];
-            old = [ "srv1-node1" "srv1-node2" "srv1-node3" ];
+            old = [ "srv1-node1" "srv1-node3" ];
+            fdtd = [ "srv1-node2" ];
+            all = [ "srv1-node0" "srv1-node1" "srv1-node2" "srv1-node3" ];
           };
           tui = { cpuMpiThreads = 8; cpuOpenmpThreads = 10; };
           setupFirewall = true;
         };
       };
-      user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" ];
+      user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" "GROUPIII-1" "GROUPIII-2" "GROUPIII-3" ];
     };
   };
 }

devices/srv1/node0/default.nix

@@ -26,6 +26,13 @@ inputs:
           wireguardIp = "192.168.83.9";
         };
         nfs = { root = "/"; exports = [ "/home" ]; accessLimit = "192.168.178.0/24"; };
+        xrdp = { enable = true; hostname = [ "srv1.chn.moe" ]; };
+        samba =
+        {
+          enable = true;
+          hostsAllowed = "";
+          shares = { home.path = "/home"; root.path = "/"; };
+        };
       };
       packages.packages._prebuildPackages =
         [ inputs.topInputs.self.nixosConfigurations.srv1-node1.pkgs.localPackages.vasp.intel ];

devices/srv1/node0/secrets/default.yaml

@@ -4,6 +4,27 @@ xray-client:
     uuid: ENC[AES256_GCM,data:6JzTyJ+GVzLd0jWfvCc2dBdBVWz6RFH/8Gr73TNz6dNCyQjG,iv:ddGpYbIHN9PV3w6Oh65vEvv82jTChxgMdltIRPz++DY=,tag:nbFFk3S/y0hS3NFWGLPVJQ==,type:str]
 mariadb:
     slurm: ENC[AES256_GCM,data:IoRiruMV+bdf4qTSQBy9Npoyf1R0HkTdvxZShcSlvxlz7uKujWnlH4fc5eR6yytHcEZ9uPLib9XbGojUQOFERA==,iv:E0ac0DyhplaHEc2WmcXY0Fjpkt/pnY9PaATe0idqCRA=,tag:Vo/DBIUO6DBFCXQ1RLrchg==,type:str]
+acme:
+    token: ENC[AES256_GCM,data:k5QU1aHvd/hSG4yncffSwnxQvhULHd0I8wtrXD2FcOH3SWswkmzMOA==,iv:WB18Wsl0nxUQ6Om3SXP5+0BtFbNZ8fCXTyPJqj6a9Ik=,tag:dKpr52W7Wdwws87r3hQxqw==,type:str]
+users:
+    #ENC[AES256_GCM,data:rNA32tcCmriP,iv:No3Hyee58jDzZaXOD8SJYzgQXXs58oAddwC5Q9mo55E=,tag:RgZO7fgZkAr3Pawqt0dwmQ==,type:comment]
+    xll: ENC[AES256_GCM,data:kq6gpuxBRbDP7Yi16WJrrsumnSfersI2kP5pT5efn5CjbL65JaW/Bff9P4OM6b3J21ObT0uRSmParBqW4OvN/UA4KXDhibqwRg==,iv:GvpNgy8kREgxp9v0cyIobgg2ZrrxylMmwq1hRaAoNA8=,tag:RpD/1FjWVglzt8sIAjjpsg==,type:str]
+    #ENC[AES256_GCM,data:nl+uNO7GVV4r,iv:8hUmN4uWOqJE0g1aYA5dqQq+0oCpYGKe//yuECpmyBM=,tag:79XibRYMadJNE5Uy1O+4Jw==,type:comment]
+    zem: ENC[AES256_GCM,data:t6zd/9ZoJWEkPhKyfaUXWQM2Y2unpUUq79SEKSt8nmWCQxlBk4PzMX031CwNde/0A4G3ARyIoU8vcFqp8NaBMA64INccKccrGQ==,iv:QOKpu7lm6uiPACNGa0QvHP81PP/4doS3r95h8/nexcs=,tag:J85l6pYh9WT/LyMbTrw+vA==,type:str]
+    #ENC[AES256_GCM,data:7SGmLzQyXKWo,iv:lr7nM0r7eMc+sCNO8OgwwELH41zTk3W/1i+0rnTc+9s=,tag:ZOkLRhEsFXX6bODu6wUyiQ==,type:comment]
+    yjq: ENC[AES256_GCM,data:8TF316O4M3UDoSA7rjBn12vUdHOcWXtrvuhqa6K65NaMhHU9rMrPHEikr0tqe5B5ojhh8PRRe+X/Dq19L4rJXThRfzdhALZzsA==,iv:2plZ2m0JuuUMQqYnyETCPH9x5jnLtNl396zvv7ay++s=,tag:X7YSLQOE9xnC63RWCht3GA==,type:str]
+    #ENC[AES256_GCM,data:yclOn8oHwLYQ,iv:Ba7Q84z6e9/3lv43wdN+bd/aqO/y5qR5I6Z5O6o7U6E=,tag:ecaNN9MgZqDYBCbTlsOZtw==,type:comment]
+    gb: ENC[AES256_GCM,data:piD2eh5iUXnCEkEyDULPkjbEG4Uc4izoVAuscbb9TPr7Q9WhCJX3FGRYrQp/wmZQ6UETR1jTejtbT9j/kI96BcN2onlwO/lqvw==,iv:oFWeoDp3GQA8aR+/AcJnhkovOWx7MgHoCKy5xdPIJMo=,tag:n2E+zuKckNAU7mOCJW+f1Q==,type:str]
+    #ENC[AES256_GCM,data:hfcOjdrvK+YD,iv:8rUsS1exsOx+2YEgdATNcWGKqmaCNbpY1EEq1Gv1utE=,tag:Z0lq2ctHBWDtx2tyxOSIBw==,type:comment]
+    wp: ENC[AES256_GCM,data:DUfGQpSg79W8KD/SWC2B4FqoPGoCrd1miczAQR5YApD00QopMmeDR28uTmHru2KU9DsjkdnWEbgfM49CwXt5FFJennqW36oYbg==,iv:D9+3CMZlJIHm+u14rAEikQoBM3jBQN8Lnx22DN2EIg4=,tag:ZegZmI1kf7Whcw3EE9dwPQ==,type:str]
+    #ENC[AES256_GCM,data:6pwUu43Lu5/h,iv:lZQ5F8v9VZRGuUoEMH15JLvx40N08ahTEbdEoKEuvsg=,tag:zPMQy6d9/RcukBO1cyeM4A==,type:comment]
+    hjp: ENC[AES256_GCM,data:dqoQ9hUbptm0//mlcFRrqLh1NpjxFPH+4jeyMG/x9Zvkszw7d71jvkO8KEPBfKnXpPBP2lvFyEqooIMWQJPYiIszHt2f0qSC7A==,iv:5nRcsaylcx74tQR1KddEpZUhmcynMvdHCcJYA7wfJnE=,tag:bGVKD1aDZJUlFg/zagP/eg==,type:str]
+    #ENC[AES256_GCM,data:Idordi28++/e,iv:5TR6Z14yluxPhrD7ye2mXEQpD53qS9/ZJIZ+S1sTqco=,tag:IkmLWXdxDmFQxtpJxL61pg==,type:comment]
+    GROUPIII-1: ENC[AES256_GCM,data:JuNtb5SRUrxfyjWFn3Be7EU51j/HlwiOpuN0m+Picf/2Bs97kflGnqGKstVRIjWEn4WzqscSaLRsbP9uFfSBHeJ152xfyOqkww==,iv:mQvIC6v+1fziRDYHYSFMOKof1ZcoFskpQDiCAF35sa0=,tag:0IL2VvdMorgE6oziscAB8Q==,type:str]
+    #ENC[AES256_GCM,data:kyJP952K5atd,iv:TLMUPKshuWqbQ6koiZ9eTXcoDS3jLXYy/gCZbMGrRl4=,tag:M2tLLogovoG2PCojt9CJ9Q==,type:comment]
+    GROUPIII-2: ENC[AES256_GCM,data:ifWnLx1YEewdviqHK8fdesM3c1m1T4g6twnz1cGv1yc4jit68pQWLrRMivdsM4tUcyU9GKwCaElVlvh+dgyy8EZQPKCbvJX6GA==,iv:T5FWReeZ0QOkGJiNfrVrUBhAhbXxlFQJKqQV2tzw9AQ=,tag:XClXGZDWGuoGxzPW7ne2Pg==,type:str]
+    #ENC[AES256_GCM,data:t8QUVYG4v7fE,iv:N8hDAV7wulPHcfnYTXuZRhb9dQPZqKpfMKK1+ITaZTA=,tag:eKMJDOmqoWWQbv/mm3LaAw==,type:comment]
+    GROUPIII-3: ENC[AES256_GCM,data:VlAA+g7SRZyhPSl0Gd1KS7dCwNgRA/o+d8anN88A7E8bSE1ckeTSp+J4YrbbUlLasLhliOZ/nDC0rti+hckGCrjMwweMorSIWg==,iv:7u1yNrN7uxHCF1MsJ2qt1jyQ0ZYYCYKUHwRff50P9oI=,tag:3raCWjdButfmcdy8mH25Jw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -28,8 +49,8 @@ sops:
             OThDMWRsWnVTbzRGTTZqSDBkNWZJMlEKdQ/ipO7O5OvaGa81c2P7fi1ncufueSzX
             2njlHHz1gJCtjpktYaVvS6KSYtJoI9oNrF0YN5D/3kKW8TicsSGKaA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-09-15T10:53:47Z"
-    mac: ENC[AES256_GCM,data:0bZzNFEh3hRHLLImLLxYiN82QW4JAiyvuzRtE2MH8xa+VAE1kKy+ceED32zhEKl/yG/9lbGaz0bZz/+ouZyBd6ejvAbOaHZGRc+GY4VyLQfvpEx+7W19VVTGW1Wsae1zQv6WAML2cRsSbZX7FZNTGnTH8YKC9nXB+y+RTOtR7x0=,iv:+t1Agt5UmaloJ45onPWbcqu5geHNaMwF8WojmZeRiY8=,tag:IZbqzVl6LVVaJUHJSYkY4w==,type:str]
+    lastmodified: "2024-09-29T06:38:23Z"
+    mac: ENC[AES256_GCM,data:n7MVBKCUW4xpIiVO4ysBqlG89LjzpDBx9GJWQTrSenLWV/YrIGUxA6QDlRg7yhqV9ldF9Q7hDve1KHw7OxKRx5ot5OZiD3Bq3TwJfS2DarJ2vi9oc1J+CXXach8gp3m4C4RkPJ/y1i3jB2nRfSw5Z/TtdPMbvGXlHh+hhriAqxM=,iv:tyBcXMZzgeUOgYJtU1XkptPOlNoFwH+4z6xTD89aKOw=,tag:apXU989ZL+D8WhWKFTdXTg==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.0

devices/srv1/node1/secrets/default.yaml

@@ -1,4 +1,24 @@
-hello: ENC[AES256_GCM,data:wA==,iv:kLAdTomvGSJRmZiO916Ort8crRCp05vlSamVMJ/gLbU=,tag:QTxIe+dhLWVljw9Svuu7Tg==,type:int]
+users:
+    #ENC[AES256_GCM,data:dgM035YLtZfl,iv:h7pHQ6YFa4hxcHMihQTegHmkaCMlfPtqdCqvJxSsXt8=,tag:V2v9C2TfErIOAihtTQpnSw==,type:comment]
+    xll: ENC[AES256_GCM,data:/YL4vowFLFbbYv06yaKWZH5UNBKs0L6LQ+6O0IsiUZpgW5fGfp2A5JTlH6ne7RGyyTE4GNId0MC7byQbTHHwO+5zVYWpzjDCfQ==,iv:5/VKGsIohoutZf3F4Qj8PruAXSivQ0zsg1pwLwZbCLs=,tag:/vsrCISEbgQ7HnubWOtKow==,type:str]
+    #ENC[AES256_GCM,data:oT8PFxQdwEt6,iv:eD/wF2toUAT991S0aO7NklpKSnMDH40+73IhU83H9t4=,tag:mxxAUdfHgC/hlvmLc2MlAA==,type:comment]
+    zem: ENC[AES256_GCM,data:RpmSTr2ZKfUNWg5vYbKB00AG18GNQs+kgx82E9Mg5hoc3HKmbAyIzjxloMn/Bw3MOTnof6Cf1ZzVCs53Wz8YbZFClLEVdKhMKA==,iv:NQJQOxQa/RaGzvGgarq5kWL8ojB1bejEiqJUCJLxgyU=,tag:8cFFQ5kKpZji4YvEYOyzOg==,type:str]
+    #ENC[AES256_GCM,data:keNqy5SdClQT,iv:N5LX7VJEwLHQ5HsFINs6LupP3rv/XAWFR2e/S52N+Oc=,tag:cqBh1bL1jAEk3mT0pLDd5A==,type:comment]
+    yjq: ENC[AES256_GCM,data:TagWplgUyhaEAuFpup0TRIxWXIEGwsG/V+gOo/pXSGor30B/BF7+wVozYTZ/iSN7OJJw8I7IZGvxvh0v01BGz1RQO6MEEpSj5A==,iv:TeXXYlhfae78cJFdZk0Nnm24sP43wi9UM80vHwKfXFU=,tag:lhae9Ona5OMlTBAJg3PiIA==,type:str]
+    #ENC[AES256_GCM,data:jmRMNpJLMqEo,iv:UOfzRSPDFsJ52sa2FVaQsVcU2P2bOYPzh4JLZ/8+hCg=,tag:8rCEYFELB2geXhfUjfZ18A==,type:comment]
+    gb: ENC[AES256_GCM,data:RneeGyzmdxCceKPzOHaTtS1l6NzuS07NYBxYrLICMLWHPog08FTINWEZx1JmqbAloVna3wE43kPPa9s1w3VbtPBhzRpTVZfUtA==,iv:1vu79FhPiWQ2/G5xzzBdyc790yv/aYKIQFPhaDpBmoA=,tag:vkpT1bDfVufBkDmOs7RomQ==,type:str]
+    #ENC[AES256_GCM,data:swW/4Fii+fHz,iv:9UZ8W6RY+n3XZkDCxSP/CQQn1Ji+mo2aqgmG9wTF/I4=,tag:2ifOyc0oGzM1iM3rouvvMw==,type:comment]
+    wp: ENC[AES256_GCM,data:/cIBL7orNYqu6Ybahdd1UVdTbS1SHr3GGb3ib4FDxPUlp/Xr4ARMX+01N6pOahVYwE8Hwp6nr4TdvwFpe2/AE6v2rbyclSzJgA==,iv:ZGwmAgwiC15K5NhajLCTiuW2mLT2gt0KUicDFmMY+JE=,tag:8rcoY6/weOkML90FyDfiSw==,type:str]
+    #ENC[AES256_GCM,data:6KbDgRf0Lmsh,iv:2vhLHgIzhCrdvQ7w6lCPKOmLlOVRJ5gJ+Pw5NSiMVVc=,tag:E6PwWCsUn3tZwV95zFbwhA==,type:comment]
+    hjp: ENC[AES256_GCM,data:0hzP2t4ck/0GVa2OoZxETCSQvp0QYN+0MJYl5aJ5hzSOXbwBPlTcIbjckpWDacx4iKGw+skhv1Nhz9lGrhgvddzqb/o1GWkKUw==,iv:OzKTIxDm+AgDAy4rP31kts0PKHuNqBZWc0Vsvh6X8CY=,tag:7Y/6qP+TJd1o0a96gKq5JQ==,type:str]
+    #ENC[AES256_GCM,data:PQmtt6/8T8Nm,iv:ZDUkaQts3hUQ1nncynoGw8gNV9jYvnXz9rOaqRC6yLE=,tag:jN8sUWnqoWbMlkLEqVKNkg==,type:comment]
+    zzn: ENC[AES256_GCM,data:YNB9leH/qgXpApA+bnsZiBlfbQSEiOoqhDgKCbwz33zPVc8KRShSS4kWEseiMlYLv7Kfbfy94cEKLOaWBjuRmMrODmC3HZ+rtQ==,iv:Ju02Sz0PHoBftz2W818hmXQ3J/fzLacWv+gy4eGXvjU=,tag:B6mvgWUclyHXgno07jhXQw==,type:str]
+    #ENC[AES256_GCM,data:UVi9/5NV0ySV,iv:E7ZZvvf6lNJdT4esykilJxhpTu7gqmu9w4w8rII/RSk=,tag:pnl3G0qt7ZzXlA9YWo7LiA==,type:comment]
+    GROUPIII-1: ENC[AES256_GCM,data:M4LHqgN/WYk9Nh7Pawft1tplh/FiADu6GoyImyLGBk8rbNNLT5AXuNYGj97tVYxI0Hwek+zhnmcjAWdDtmkVzE7TcD1WAZbkTA==,iv:GN/jHnEikITXkLRR/tXnhYiTE5bIDOg1d9DrYeASoY4=,tag:hkoAHHYX+q1topjXkRyK2g==,type:str]
+    #ENC[AES256_GCM,data:EVL/9hYcFl4F,iv:EZ8PMqklNEky0i940vwyQFXrgBoQRwwGDjBgRB18KGg=,tag:cnQzCU7XZ0EO6ojGaEk4Dg==,type:comment]
+    GROUPIII-2: ENC[AES256_GCM,data:7HOyyFtPjhxtvz3cG561aslZ1Ct+DmR290XOxz34sA/vyA+gjvHTWoIpKPGVzSU8vGfaLLV4ta/nOUsK/VfUj00ngwTdkEDkrg==,iv:rkDAE24gaE7MzOcIUX87oMyK6ra0Pt/vUNrIV9p7aFY=,tag:24NTkSu8Fd785uC2Lwr2XQ==,type:str]
+    #ENC[AES256_GCM,data:sa3uVs8+996Q,iv:eN3S4x/UROkZWV3U2pZpvULgoPdh42lM/Q+jZ13ohsk=,tag:IG0q/+ti4tthAejVp7MCPw==,type:comment]
+    GROUPIII-3: ENC[AES256_GCM,data:jfeQWLGUWK4xfgRtS9RjjN76D+JLqTF526SI0XeYnUXtCsKhJYE88hgVnn7m/Af9g1OCj08+UDsM8cyKOJj3+m6h+IZQzCS4bg==,iv:Syf3SYAFvOtfOy4PeA/PcYbuUnABk6f5A+OmZYtdwv8=,tag:cib1RuKxGffjB7R5GSxotA==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -23,8 +43,8 @@ sops:
             R1BkT1hoSWo1RlJnU0pCdTFYbDFoZmMKKF7cND1jSo+neTTJ+GwW4T0RTOX9mbME
             58wjAtkrKSD2vDFMQ/vtPNiohAt6RMdClLVm50yh7Oh961YmvJYnbA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-09-16T03:04:24Z"
-    mac: ENC[AES256_GCM,data:2uq4QvP4l+WvV5G1FOj9nNmC9ZRvJcLUsLU0/Wrh7b6f+30g0lkw5M/WtHFd9CjrfB1O98Cvm3Y3ABsSTue5OLuAjACc+Jz5wvRbuLkWRNRU4HNdaAJIzN5Fqd6w+SR8vzLCe+NTcDlhEjdD0zcrRGD4+aM/cnn228sCTtRw1JY=,iv:MhHsNC/VJVPI8LVN9xuY4JZFlinuDI3C3Igo/O9/gbs=,tag:4jIbeOwspn7yZCrn8xKVrA==,type:str]
+    lastmodified: "2024-09-29T06:38:35Z"
+    mac: ENC[AES256_GCM,data:UWDwXUfk4R9CfgU2gv1NZsusLq5+VTsvjGQNst99MuxLz4sox8CZuuYsDLB2dobKrJua107yqhbM8Ps42JJVHZEf3WHqP08tRbdIWNVoakYR6UJlNS3WZVR+LlheQI5PfJqPqa7VFgZeSVm7weIPCHqvHt+ak76oyJK1VsI0f+k=,iv:VL9s+LUA/TrOsJNQWC0/v0Yh+hT8uh2vitc9h1xHBEY=,tag:iA8yMpm+0ANAC+2BLN9Agw==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.0

devices/srv1/node2/default.nix

@@ -9,7 +9,7 @@ inputs:
         nixpkgs.march = "broadwell";
         networking.networkd.static =
         {
-          eno1 = { ip = "192.168.1.12"; mask = 24; gateway = "192.168.1.1"; dns = "192.168.1.1"; };
+          br0 = { ip = "192.168.1.12"; mask = 24; gateway = "192.168.1.1"; dns = "192.168.1.1"; };
           eno2 = { ip = "192.168.178.3"; mask = 24; };
         };
         cluster.nodeType = "worker";
@@ -37,5 +37,8 @@ inputs:
     boot.initrd.systemd.network.networks."10-eno2" = inputs.config.systemd.network.networks."10-eno2";
     # make slurm sub process to be able to communicate with the master
     networking.firewall.trustedInterfaces = [ "eno2" ];
+    # add a bridge for kvm
+    # 设置桥接之后，不能再给eno1配置ip，需要转而给 br0 配置ip
+    networking.bridges.br0.interfaces = [ "eno1" ];
   };
 }

devices/srv1/node2/secrets/default.yaml

@@ -1,5 +1,26 @@
 xray-client:
     uuid: ENC[AES256_GCM,data:U+unsiKt9vNo/EXEpLHR0Ny3DxQEwx7a40KmwZDZki7RQEuM,iv:7w90HNM5lfh2VY20AcUEVdu5X2uxqXxR0hARncmMR60=,tag:xIbKc+9SF5LP/tY/XoGYxA==,type:str]
+users:
+    #ENC[AES256_GCM,data:bAA1+Mx9xsFr,iv:5GWh+DyuRydCKm8K1kaiTJIt4ReEugHFnKYfan6RAE4=,tag:VqcWjIMIYhkSj6f/ZclTVw==,type:comment]
+    xll: ENC[AES256_GCM,data:lqzwlETuKuKa2wh+ickMFiWyprcnIBfRBjri+NWoltxib/LWzEEbyetRc4AKyVaBiDhsOTw6MazPNy2mhcAFwb6pM+QKce5ntA==,iv:VaGQux8MJNPZeHwDpM+yJ47XvOul0qRE8xVdSWjYRhY=,tag:rBWdTPmJX9YsP0l1FtVbJw==,type:str]
+    #ENC[AES256_GCM,data:AgppEXaJcXhQ,iv:gI4nUzfy7w9yqaWlT1NYk1cHdErCJsrlilwYSGxxCdw=,tag:/A6zwbvQdhX9MLfAdXIVqw==,type:comment]
+    zem: ENC[AES256_GCM,data:t0rCwed8EzXbEuwTabzSLUd/Gln3YD9IT56JNVHwlodAvFYwtTDJe3cy7K17TmIkL1Nk/hAGzQ2BIZJxaKq7A5pSNIUO1zqMUQ==,iv:jSKCoNKQ5a91kK19w5mE0lJ9lh391ACq64UtLvJ4kLI=,tag:d6+IrgLyCw05vvLcCF5+yQ==,type:str]
+    #ENC[AES256_GCM,data:s39KO3hHcrOK,iv:ICtP2r9JMjcieHZdyHpj5Z1DympJUcHq2jPpjUwSOzM=,tag:Es3YS+mEg5I3SIujfs50jQ==,type:comment]
+    yjq: ENC[AES256_GCM,data:gOc59J2eiND+qJJRwLYvTymfrjWNRWw8IwLxDdS2cSu0yTN5SWF1eEg+tYmDqqhPmXkIlenL8VyIZD2P+Qi+Vi7l1pZMnneRCw==,iv:TsWOmHlClMgpXbNsCyvs+wkTvvKViAooA36+O4eQesk=,tag:jp5ZO9tlCPNTNZXWXCUEeg==,type:str]
+    #ENC[AES256_GCM,data:JmmZl+8nta5Q,iv:qWGS5i+ntmJ9x3HFClVdfypQKqSTUx827OFu/wxx3HQ=,tag:SzvgJtIQb1Z02GDwkAhveQ==,type:comment]
+    gb: ENC[AES256_GCM,data:pgwGyp/QC+h05grD345pJrJefm4NWd0e6mQEzrsqCbjMi9Ak2nUD+K09mIKQJ39NttC+NQZezRmKUJjDBH50s0O69nBlPOJtgA==,iv:ZLm6KUzD8fTq4YpxhdYjtp7bbDjP7Sy+0fnDO0W5GY0=,tag:H2mNHIQvHe+3YzZ9ITVdOg==,type:str]
+    #ENC[AES256_GCM,data:94hwxSaMkbIB,iv:4Xjukoo7rxeu4SWjwFeLo5fwSX6a8mpkTOIpnOnR/Io=,tag:XOjY6ziyDdMNo53NFSjcJQ==,type:comment]
+    wp: ENC[AES256_GCM,data:9/aVAQskZyQrfhVFVHfpdTWDLdoP2ZO7gG6bNcRpOJEBle3V9XqVSwmLViIIysy4XxoR3cym/7WXB96O3C8feK7sbihaRpT+Dg==,iv:WPnDArVKqV7u3EIQ0CMectK1W6gXKOo37oOybyob3As=,tag:1R/0qjRzif4/sTFSs55NuQ==,type:str]
+    #ENC[AES256_GCM,data:RluXnmnn8CAI,iv:OqzKfed5CARE/KKur0GXDpLBqStEva7YVoQMQX4+FnU=,tag:prOaqWk6ARxEKvnhOnCZhw==,type:comment]
+    hjp: ENC[AES256_GCM,data:Tb9vCi68B88UZc/ZVSxEI+esKOLlFcAPAaMk9FDmkBycZmzDjHfkUKCxVcOMtqeNSluVZ/5IFgowaYbk9ncK6yoYTjXjj1Z0lA==,iv:COs+ijt0h+UygyhWDQV23NRd/xBcfeqz6CO7D+xw7t8=,tag:RaIMaGrgHkidB9vqLR6cNw==,type:str]
+    #ENC[AES256_GCM,data:pymPvP+KjTd2,iv:g5tmBMQevuzES9FVlRten8Vzy5nvgamDNPo6Vy018T4=,tag:sMYZAyyAzEyS5CsAyC7xtw==,type:comment]
+    zzn: ENC[AES256_GCM,data:CJ8cOBjblYIc0GoiPnIbbWfYDfpQW5u31R9T/P0/aVuxi6P44wYYH0posVGthR1laqHIlu8bzgeRyTbBYir/Mw1AGokAnFLEPQ==,iv:dJXFcZ9f3xe3rcPzOLd6AMFh6EyJXlv3/+uR2x9XYsw=,tag:4I1WqtloUSXNeQ6AlVPY5g==,type:str]
+    #ENC[AES256_GCM,data:r1Rl1+lfgMad,iv:9RGwiYlePcXZFDxw5uc1yEwZ4N3lStmE1cGmsj5dPls=,tag:yGChsxZtIzDjMUgIkd+PdA==,type:comment]
+    GROUPIII-1: ENC[AES256_GCM,data:IIZpTdr5jpidbxYCQ+fODOHdoWI51upPI3yxYlrAAd+RE62t6PzAvHKFmKPivbHmQS5RZrJXE7zm9JtwiodRmPl0pYLxYNBpFQ==,iv:WQc1pOungm1gEqYPk/MITbjs1l83ikcys47CARRgoFk=,tag:sS2mXDIWl32ZZzDtictv9g==,type:str]
+    #ENC[AES256_GCM,data:VtrWQKVtCHtA,iv:ap/n2HxQ7dgKOA8rIfenv9LOwwAh1na8+I9O/k/wMxs=,tag:Vl03ortuZ5OS2qcBMnc59g==,type:comment]
+    GROUPIII-2: ENC[AES256_GCM,data:fkxYmHEQnCjx/srKBgjreIR0S7mcXyl1h3H80PFsH3A/yCGnJbFCGK1GW1++Q+tziOnEWCTLZ/l9dlPuB5BFSK7iHiVXtkOfVQ==,iv:z6duWl+LFpS5RJnCGxb3yvgHp96uJYoSsAThWrbGYfg=,tag:AKWisEg506eOgdp/4tLU7g==,type:str]
+    #ENC[AES256_GCM,data:e8HuWaLrvHx5,iv:ZKvfRQtOMV6v3MSCDVoPEsxldI+ZRYJBwrKAD8YZzPc=,tag:tPL3IyjC8f+S+6MoMJSd0A==,type:comment]
+    GROUPIII-3: ENC[AES256_GCM,data:if1S/3AxNLkWvDQJom+4EPRBOpkAPNTkEcqHHLAuEJATSNLlIhVLOPgt10cM4LWx2TdG8V2TcZip9qnr4ABHMsPF5vm6Y53r9Q==,iv:Rba0So8DXJrSC88mjwT8j2AVy84TPm0R6AVf2ZmXNBg=,tag:qiSeYLrw/6QJ7vMiPEZ66A==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -24,8 +45,8 @@ sops:
             MVU1UW9lWFJnSTE2aC9ZL0huYURUK3MK5U4cLWRMm+FFo8ATE/OoAcHzYHFMpOtV
             Q5kbq5PDMdp4qvoM3T4kLsB34oU55HjFvac0pilOhNRrz4xRMQgvoQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-09-26T04:24:23Z"
-    mac: ENC[AES256_GCM,data:GS9TPomEy3rHaanqMWkqGV9NX8lsYMnujxhuWTnJxdgfCP8scOEo2O+ATlmxmcmKquXlq+zo4LF6RCzF65eSvpSKcIDQRc0yDgBQ5+M8gXv1lk0WNdicpHJsEk8j/ostJTwEkV5QDyp3+J6lRNtFMQnrZ7+UxpgQwK7DaP8mnF4=,iv:1BEb2Xr8jQO6M19bC+jlGGSI0aT1MEgEoYwLuCT1T9U=,tag:Be7BQsjWq7PZBrgsrH/cjA==,type:str]
+    lastmodified: "2024-09-29T06:38:42Z"
+    mac: ENC[AES256_GCM,data:tb6UXalJcNqd1bCJ4pdWQ5lctAXMrwAJsGagNIjtAklVx/0vibEBTvtVdI3CSNA3OuDguyXc/ECGEqlPNpoRq/F5JINfnirEbaBL6KhNkFxaSLVP7mu1u0KH93qhzA2j4jofderpxj+FvOOMVZNuZkrcSPDoufPA/ypY+YaKuu8=,iv:KPyXi7AD6FSmoZKYUDh2zLZnArvdcHau5XZHk8CbwI4=,tag:7T1jUJ7eNkY9VYt2eP+brg==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.0

devices/srv1/node3/secrets/default.yaml

@@ -1,4 +1,24 @@
-hello: ENC[AES256_GCM,data:DCfr682OxZ49pR5Q/sYZxqMdmUothpOOQOiKiPc0Xoh/gJ19qA0yVrO7aKk3Bg==,iv:B01Qfkiy3/B3MYskqFAxEZNoGjb8+A5wcyjq8Bj987k=,tag:e3/VHntKiG+/8xHz/nFXYg==,type:str]
+users:
+    #ENC[AES256_GCM,data:uBjvj5Y6SIk8,iv:WxYu6Xkh2T7kb3uLqgkJJtHvCmWyvntcGfCKJfSfSmo=,tag:ueHbPNX3KOVO9RdQnw/nog==,type:comment]
+    xll: ENC[AES256_GCM,data:Cp2wBFygUBlZnf0oAAxB5L8/qD/LwKksp0YG4Ic7nay8E8kXJGSYDyTK5AdeVh8/MxLgVVY6LMWtUOzFe3WU1u71pgBGF4x+yw==,iv:wXfcHuJzqWmm++vysZW3z4TLEOkgWTUF/pqFDfgwny8=,tag:k9o2yp1AksTGOgREOLlprQ==,type:str]
+    #ENC[AES256_GCM,data:4CsCDEg/UChs,iv:ENErjaF65B1dCuD56/DCqe37WSCu1q28s2khMyF7I8E=,tag:q9mxHCAsuDGygseYU0pRDg==,type:comment]
+    zem: ENC[AES256_GCM,data:cPDlicY4vrQ5VTyfCVN0zH5EIV8kH2xqlFEUkmwO3TmKV69Qx0nE+6yiUhENKR72zY3p5w4ZFEtF7maqqklWvThkeSs059aFpA==,iv:g+nASIzOUZuyX5MCFcKOJKsKTQhcpSY4sIKArlVZh8o=,tag:WaAYcxHmFs6/EG3oy56xJA==,type:str]
+    #ENC[AES256_GCM,data:fu6KBkGEtzD/,iv:OzClxptcUbrbgmYYoQYcInG5Tl6HrjSRVrt3iIaSrqI=,tag:kc+AxJ7UI45j6eW69CiBkA==,type:comment]
+    yjq: ENC[AES256_GCM,data:QGpjtIrtio3Jc4kGam5cjqCHZJl2c0wWQAD8BXXhiWfwbQF+sQSTk2V3FbvOlHjqcT92ab8qWCCFjIqBH4DJUq+z/eleX6Y4wQ==,iv:aky2Q2kpEf2EhcR9UXIAyf+BSW9CIZCGbyZCp0l3X4c=,tag:RHLILdrK3duFA2iZDDigEw==,type:str]
+    #ENC[AES256_GCM,data:YUQ73+HZk69O,iv:wY5da+RRnPpXOD5+HdKkyYZ04ZpB3NBtRjRq5Utzlvw=,tag:BE8MhvbxTkn3rG4Pe/zitw==,type:comment]
+    gb: ENC[AES256_GCM,data:AkPFt/GGyeKdYtY/cW774Yi4rrxhTFRzXe/hf0rbwFESwf4pwgfdcr9e3bp6mfmNy86CCDMsUVPtg49q+DV+9CwHU1ETe1vIbg==,iv:L/kLfEjt3WEQmgAXjOAsnE2Sp45DQP9LLKcZe1FjnVs=,tag:HluImuMHEhiE8yAw3fjNQg==,type:str]
+    #ENC[AES256_GCM,data:WCkGncBugE2H,iv:ZN3edJuEDKrHo9OZs0jbU1ATI5+WpfVul5i7SK51ME0=,tag:rgxwqwPJcdDNMnRFlxNplA==,type:comment]
+    wp: ENC[AES256_GCM,data:n7S4got9Q/7s7rZQldnB1wJlB36uqjremc1UDeUmzs6I9Gp9YPj7dJBDAHBNzWruo83ciP6PygHcCmHzBojISgW/HdD5j9cgJw==,iv:ymjB5YWxJJXBA80a2MPYHXBV+bNxUhroPWu+1GJo4XY=,tag:GGVz7kzBrSomBityyZBdvg==,type:str]
+    #ENC[AES256_GCM,data:2aKW2wBhF2oG,iv:wXRX5ZAr5O0c/H1WvzK1+kG1NbZU92h89NgXB8lHfMk=,tag:gAW2oQxz2dUthyNvMlmxcA==,type:comment]
+    hjp: ENC[AES256_GCM,data:+9MKYP96nBdLFVcTkpSS/hiTLdTOf5+Rs3dpUus/ym7gl2+aA2rGtlGS+ozALeUV1seNlVAuyhclZG2dH9uhaudlQvQw5ntAzQ==,iv:eobXw5ahEl9I2HlXD+y3NtGFOlPulk+aKVFxuCRe2+g=,tag:zt6MveyltO2xxThG9grZqQ==,type:str]
+    #ENC[AES256_GCM,data:WLU7JBd7ZNES,iv:GkmmM1n0Squ0rundsz4Q+1dkF9BcCaV1hID8bt/gmxI=,tag:MMukyZlOeE0CcnI51VYPWg==,type:comment]
+    zzn: ENC[AES256_GCM,data:5uNrzv43K/TQlGDldxqUYscDoEduTJdRz0jgd5dBh3N3bMNHulZbD95IVAj87OkLgdOtlDPZz3DfB5oxKBVcV0XE/E7GwJKILg==,iv:SB/uOB1SdhC5zGCY/OzBRY6wgGQLwKYuFgekxZpX1Y4=,tag:ckOxmdXvhQjGMPssoLeMPQ==,type:str]
+    #ENC[AES256_GCM,data:xLPmYdIcIUz7,iv:NqaKJJgyMwfVfAYgEAMHXo1qLYfyOHhIcV++lseKcNQ=,tag:qXDuROf4A9T2H61KtrQUpQ==,type:comment]
+    GROUPIII-1: ENC[AES256_GCM,data:izqFF2JD0ZEeNlqrQ9sJcEcrnp/WmyJL46jszmR4fLwrFGcMoekSfOTkzjO8upogY5fIDsn02dwh4mLX74vA8DjeRTaDKZyyfw==,iv:lknYrGgDFQen2w8mtLNHewQXara1ikWvGdvVA8a6Fyg=,tag:EiiMBUhF6YOafD7MCIMA5A==,type:str]
+    #ENC[AES256_GCM,data:Zt6KCQ3chnLi,iv:RpMBGf2zDVWN13PpTr0Zj18ORdIZT2u34BestCjyLsU=,tag:aBuN2QGhxgnOXPC1NOoROQ==,type:comment]
+    GROUPIII-2: ENC[AES256_GCM,data:fAczfnHue47oHJm/8Hcu8iC+scxUQRNZlJWSCFnmtn8PzbOtPXGVLYaZJs3SRE0F7yYsOUZlHnEPaK5bFjCHioindbS0oimBfQ==,iv:F14TVM+UxXm0UbAgLmQpkI4v+jhQ84a4G8IuWRw1k/o=,tag:R+r0be31nLC0T6Isl9/sdA==,type:str]
+    #ENC[AES256_GCM,data:xccChTyxO80R,iv:tSxhbmVwhwD1IbXRNglS+WWMXfzUDaoJfCNqfKWqVko=,tag:XrFTahck6EKRf79NNeMRfg==,type:comment]
+    GROUPIII-3: ENC[AES256_GCM,data:LQAAYOKBVKRsVfwRJOr4jBCqnHKG60euQMngfuI82Dewwtnt4fKZ/iDg6otJIXwdMdiYI4ytr573GaAPyadt/UdDv+EqrLQ3qA==,iv:dD7djoiEBjrZCQCKkjzsVD+IK7T9sL02zxRG3b1uwQ8=,tag:sqJ0Q665aXVnPHWlTS0Rag==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -23,8 +43,8 @@ sops:
             bHQzK1EvVEhvZFI5MjVxL0Q5UVZYdGsKJl2M3eOB0lRyu2VO1qDjW1pNJ9HhwAS6
             g5yOa2fxLJn4bvmQAJYeNJ1Wi6sYaBvkbeOegjaKjW4ZvwhP5kWqRA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-09-20T06:02:54Z"
-    mac: ENC[AES256_GCM,data:OQYaHF7lMspMaXjK64fZhdd6w9EHWzvjYsJdGEEaSwj6nfgb8EPxn73hn8NMgubXnqxonqbrpwgUuI+u297ItEEsksWQGGe//UrLlAJlhPvgezOpeeBfT4iWUrbazam4Uakh457N9W0AX390D2VmDtSBMw60fqnIeSnJF6Jv5Gs=,iv:O0h2sKf4KibuP5ZfRWF8tEVnLyyZtwst66frYUC4Awo=,tag:y94K0y/nF4y1sfh+P/hWrA==,type:str]
+    lastmodified: "2024-09-29T06:38:50Z"
+    mac: ENC[AES256_GCM,data:pQDphBruG5s5trIOY1fvcCAnLDx+NcVJ6cEP48u92JRnM5cojYXbiFt6Mlq+bYLxkXb2PoKMBoohRbsNdYLRgz3BGAY//Kc5OHGWzi7r9t4/iuhcouZsV/6wHGnrJ0yECS2+LPkT+/JXnYv1ZJTpUR0TSmTvnCgJI6xpWt8HDSA=,iv:Oyn7UESWVDqh3kDFAX3opbC/XEYOa1s3wmGolc1uhTM=,tag:aasXTc9+bgLgCaLDNfbJGA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.0

devices/vps6/default.nix

@@ -53,7 +53,7 @@ inputs:
             (site: { name = "${site}.chn.moe"; value.upstream.address = "wireguard.vps7.chn.moe"; })
             [
               "xn--s8w913fdga" "misskey" "synapse" "syncv3.synapse" "matrix" "syncv3.matrix"
-              "send" "kkmeeting" "api" "git" "grafana" "vikunja" "write" "blog"
+              "send" "kkmeeting" "api" "git" "grafana" "vikunja" "write" "blog" "peertube"
             ]));
           applications =
           {

devices/vps7/default.nix

@@ -71,6 +71,7 @@ inputs:
         xray.server = { serverName = "xserver.vps7.chn.moe"; userNumber = 4; };
         writefreely = {};
         docker = {};
+        peertube = {};
       };
     };
     specialisation.generic.configuration =

devices/vps7/secrets.yaml

@@ -16,6 +16,7 @@ redis:
     mastodon: ENC[AES256_GCM,data:E5aMRzqd1dqcw66uZwWoT+LDH30mg1vZjk3lhKIXKPd36MANE6z04aBPcAHyHT71jEYsect9JXagC4MUJBuSSQ==,iv:4IjTTNSTraL33fInlTkB2ZylcEaaKi5pgvugZIk24e0=,tag:32JSTNpF2cxYh/NEAS6jZQ==,type:str]
     synapse-synapse: ENC[AES256_GCM,data:8CVbcN2FG4mRT4PnlOGsS7tDfS+6ojIJFvq2EwItxn1gg2Ghd/Bmx+5tS/Do2FrYp/Xiv1EqucomM50r5bXnmg==,iv:TT7zBKQ4M10XYVCn5aeSu9IqjrIEHHazPUCOTmgRAU0=,tag:0+Q9hZMBVDj1TnHj3xoTBA==,type:str]
     synapse-matrix: ENC[AES256_GCM,data:eJ9GXDVLPg1C+Zjpj3NnWUyZxDbOZ61f+gs/bkZgdWjeu61MEMtU/Hh+p/ceAn3y0aPi0ZTcd+zSgIPIkcj+qg==,iv:uTdS4uguNJErc+DDW4H6dsRFkqlkHtaCfR8LR/d9nvY=,tag:UhY9xbe1r7FUpyid2nSt5Q==,type:str]
+    peertube: ENC[AES256_GCM,data:cN+cClNV1JD+Z1Wlp07MY7BmLr/EZYZZt04mxKKKN8RG1ZSMGykbc3hd00E14ubhCittJXSPbIWyO63lCGGEPg==,iv:3z1BR0j26LGfXwDDPYU/i8Qx/7529KKoar+xGZanirI=,tag:g/NSGDE1iEYJ1MStrV3rpg==,type:str]
 postgresql:
     wallabag: ENC[AES256_GCM,data:ANwvEE3K/W/hU34Y7RvlbUuJNo2bOaRfeusYM9pRxXQOdG4XpwYfd/DprsrVjlkrMFuTurUR5j6UNHWh+ILDbQ==,iv:K8doqhVosz+OosMrLJXrSxairr84EeGs3EWgVQjpkS8=,tag:WjDzy7ubm/GVlBkW0O3znQ==,type:str]
     misskey_misskey: ENC[AES256_GCM,data:lRbSz7bbiWEdK/cRD41fLvFJF4WYsclKHVykFcU3LIz9vnKlR3VdczzznVqpT7JvG6OUi+TmipJii+0KzXHtdA==,iv:8sBKgVwuDJdThup0KQ6cnAV5O2liwVra1yIpDHVfpMI=,tag:DyUpaHai8ZUyllvZBUm8sg==,type:str]
@@ -29,6 +30,7 @@ postgresql:
     akkoma: ENC[AES256_GCM,data:6piRt7BbMBLVGdot+VyoJN3/S8DoPNTYHFh/1coHSLNmiA6kU/6sca4Bts1Up/Vu164oTsFAr1JsKx6tzNzAPg==,iv:qplA1GXHwzVrmjm7eagCk3PFa7DRdwaf+p7N1HLb6mw=,tag:W6WedSK3R1IgZVo/0Hr9vA==,type:str]
     synapse_matrix: ENC[AES256_GCM,data:5j+TYJ3vYUqu6CdRDYAT558DsTWbX4Rh+HuukPog5HGXlhneL3RnxVeGBR9CV1rlCP1NY99Nm8roBG+BcyPYHQ==,iv:CboB6lzqxAE/8ZlzaTU3bxw94N6OAhrq8pZ0AfxQiUc=,tag:z6cM3ufgbMn5n5PzgqdRjw==,type:str]
     vikunja: ENC[AES256_GCM,data:syb4NYBxL3DdmZmcC+em0klmm6bkkIL/DH/gnzShYRiaezRFskT+yay9govn++SpbuvkoCJq/GYAFxNL+hcVtw==,iv:TQUgdzYQ0gqsAmux9v3BAQFNzHnCTZ+X/OC0b9Bfya8=,tag:b1AsiAW5XzA3DzGdf8J03g==,type:str]
+    peertube: ENC[AES256_GCM,data:dLzOez3dTy0NqHED1Oc43Ox2AFuH196kxwOSuR6RejUw3iJuzEQCdmA/i+70zHoveAYBdPCGpM8cz0y2M+usjw==,iv:KxDqmbNBkJ6Nw0M3060L9ESDf2qAur7umlejcDyRmwA=,tag:RScP7Cny8b1Z1/REpk+daA==,type:str]
 rsshub:
     pixiv-refreshtoken: ENC[AES256_GCM,data:EeSOTSAAh+1Dc8+a/AaPJ0aBK5DTa3pdS6DrIMQmRw/n0SRu2QoynIF76w==,iv:dnZxi8jM1I4w3C2duYielpP/8wOAdHDjcqDIrowM0dM=,tag:8irGvLEbRJHV9TB8Jibs9g==,type:str]
     youtube-key: ENC[AES256_GCM,data:OEm/ynOUPUq7ZEVzL2jgs9d+utkLTIdNq0MHE0JDujb9ndAwyJJI,iv:RRae6Cg6GdDnXAQOdtBYmcA7ZNuu70VpIg2MEezBn5k=,tag:gX4ZG345cT3Jh3ovUxtLGw==,type:str]
@@ -122,6 +124,9 @@ xray-server:
     private-key: ENC[AES256_GCM,data:TarrinCFzWkB5zCc7i7f3B3tFfxrF+cGnrg4bw9CAGKWBazSJHCviY8Imw==,iv:azHdrc6AlgS9RPwGVsYRb8bBeC/askCdut1rnv9TA3I=,tag:AT2lLraKVgbp9GmlLJiI+w==,type:str]
 writefreely:
     chn: ENC[AES256_GCM,data:YvhPa69sVdiljm9Ix6yQh6YCEpFvC9iw5Yx72MBcGr7+swdbvWDAfMmGFY066mAPvhpwZX/IEivKvrS0t/OSnw==,iv:7s2yEb30YaCAtNeevbur0HL28nXHVIqmCx6Bngh+HWk=,tag:yx0JK8RNQMVcYLBSxNj+uw==,type:str]
+peertube:
+    secrets: ENC[AES256_GCM,data:DAlig4wYCridlfS00YOqH++/4Rkssq2bkJ1bhERrsgeqdccwwnk6ADKpN2UBGANNYiTj2VUHsHT6mIWxPRcJvQ==,iv:kOedA1gAD7el6JbP8MujSCSfkkHM6CDDMSs2LwPmsGU=,tag:ZDS+LGX2hNXHw15Js2sBkQ==,type:str]
+    password: ENC[AES256_GCM,data:jmKmQlFqHSmImfym2M3/+ItbPxx1GwgrLRZwk7KxqXGHFvqZ1ybCnfZCN8jmA1gVJLuPLTrYA9ggHwdKgVrknw==,iv:cBSb5PJsjHBAMgrxlZaVtw1aP39AXMtdk5pnnCyyZbQ=,tag:6TLoDRY6305lm4HVapT4yQ==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -146,8 +151,8 @@ sops:
             SnFHS1Z0SXUzTFdEd29KTy9DU3Y3R0UKfhh+rUmWDrf+UGjclP57dHipPLFoXSqy
             HdelmfV6q4/c7ppx2E+oZw3VNgoZCsrxxzYZfwxHJiZb+5vkE0D8iA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-09-02T23:57:33Z"
-    mac: ENC[AES256_GCM,data:Tp7uSF3G1WALzv7jPSXGyIJbwYLHz4sF73NUoAI6KPboLs3juhDiZjJfkBkIIv4BawWNTvvAQfBL6hbpPbn3bLpkTvU8TiHyP9yiY5kJkid37I2s8KOHHaxKSu4CXlkAeXdZX0I1iujAOsKYUd2GnN19V07K0qwCtZOVvZXvjsk=,iv:fcsE7qXrcoaRdTv0C4nmfNvIDXtTXiKyF7TCfnkvRPg=,tag:Dgdq4gT2lzhkXZ10uUCwwQ==,type:str]
+    lastmodified: "2024-09-28T12:28:35Z"
+    mac: ENC[AES256_GCM,data:gDrWd/AMuHzTBu809FOInNtakqABMcbVMYn6FxqSsD4l+GCGoteQKzUVYhM327mxqV9dM2TfklCnSQ2tYOiY0ea7EBjqsCGL7eKexY7wmPY2gPHLNQEzoeagQKl1k1wU45JgUriit6t2iajUCPoEK1yHJg4qPHy/EoE9NMwf0IM=,iv:haPKxQ/YQ0vq0UFub7YVPqqSoiV0NiLsuOUUV+ZDk3U=,tag:pxsNkKHjciJ/GwBhQiSqXA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.0

flake.lock

@@ -24,11 +24,11 @@
     "blog": {
       "flake": false,
       "locked": {
-        "lastModified": 1726576113,
-        "narHash": "sha256-u/I6XYepAVGtkayYDm16IlaYOPEJFSyt/XRxG2YtgBw=",
+        "lastModified": 1727598108,
+        "narHash": "sha256-8wVJBavzvY3n2sJeuyOt68FNJ9W70M+FlxoeiJhP/JQ=",
         "ref": "refs/heads/main",
-        "rev": "737eeef5116febf4c1dbc27737107dc616810d8d",
-        "revCount": 2,
+        "rev": "2b65e0deb81324be72afc51204a0a75dad7eade5",
+        "revCount": 9,
         "type": "git",
         "url": "https://git.chn.moe/chn/blog.git"
       },
@@ -951,13 +951,29 @@
         "type": "github"
       }
     },
+    "nixos-wallpaper": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1715952274,
+        "narHash": "sha256-i2L4L9mV/wOl6QV+d8pyLZUHS+QIFJN5lYuQrP+CSjk=",
+        "ref": "refs/heads/main",
+        "rev": "1ad78b20b21c9f4f7ba5f4c897f74276763317eb",
+        "revCount": 1,
+        "type": "git",
+        "url": "https://git.chn.moe/chn/nixos-wallpaper.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.chn.moe/chn/nixos-wallpaper.git"
+      }
+    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1727355718,
-        "narHash": "sha256-AvmneY2JNPdqXWrSSSWNeNCZeCTBXVu10WDFYlD/IHM=",
+        "lastModified": 1727530699,
+        "narHash": "sha256-Gfn8d6gbG5B+IO6mUWQXrnoUDCJUmrUD/M/QJDUsfRY=",
         "owner": "CHN-beta",
         "repo": "nixpkgs",
-        "rev": "17fe8ed6ac90b3ca5ca23e5ad9e95a2051db6c8b",
+        "rev": "9062900234c7d0157fc9612d36a1f03bc47040e9",
         "type": "github"
       },
       "original": {
@@ -1398,6 +1414,7 @@
         "nix-index-database": "nix-index-database",
         "nix-vscode-extensions": "nix-vscode-extensions",
         "nixos-hardware": "nixos-hardware",
+        "nixos-wallpaper": "nixos-wallpaper",
         "nixpkgs": "nixpkgs",
         "nixpkgs-22.05": "nixpkgs-22.05",
         "nixpkgs-22.11": "nixpkgs-22.11",

flake.nix

@@ -72,9 +72,7 @@
     py4vasp = { url = "github:vasp-dev/py4vasp"; flake = false; };
     pocketfft = { url = "github:/mreineck/pocketfft"; flake = false; };
     blog = { url = "git+https://git.chn.moe/chn/blog.git"; flake = false; };
-
-    # does not support lfs yet
-    # nixos-wallpaper = { url = "git+https://git.chn.moe/chn/nixos-wallpaper.git"; flake = false; };
+    nixos-wallpaper = { url = "git+https://git.chn.moe/chn/nixos-wallpaper.git"; flake = false; };
   };
 
   outputs = inputs: let localLib = import ./flake/lib.nix inputs.nixpkgs.lib; in

flake/src.nix

@@ -1,11 +1,4 @@
 { inputs }: let inherit (inputs.self.packages.x86_64-linux) pkgs; in
 {
-  nixos-wallpaper = pkgs.fetchgit
-  {
-    url = "https://git.chn.moe/chn/nixos-wallpaper.git";
-    rev = "1ad78b20b21c9f4f7ba5f4c897f74276763317eb";
-    sha256 = "0faahbzsr44bjmwr6508wi5hg59dfb57fzh5x6jh7zwmv4pzhqlb";
-    fetchLFS = true;
-  };
   git-lfs-transfer = "sha256-AXXYo00ewbg656KiDasHrf3Krh6ZPUabmB3De090zCw=";
 }

modules/packages/desktop/default.nix

@@ -100,7 +100,7 @@ inputs:
               baloofilerc."Basic Settings".Indexing-Enabled.value = false;
               plasmarc.Wallpapers.usersWallpapers.value =
                 let
-                  inherit (inputs.topInputs.self.src) nixos-wallpaper;
+                  inherit (inputs.topInputs) nixos-wallpaper;
                   isPicture = f: builtins.elem (inputs.lib.last (inputs.lib.splitString "." f))
                     [ "png" "jpg" "jpeg" "webp" ];
                 in builtins.concatStringsSep "," (builtins.map (f: "${nixos-wallpaper}/${f.name}")

modules/services/nginx/default.nix

@@ -247,6 +247,9 @@ inputs:
               proxy_ssl_server_name on;
               proxy_ssl_session_reuse off;
               send_timeout 1d;
+              # nginx will try to redirect https://blog.chn.moe/docs to https://blog.chn.moe:3068/docs/ in default
+              # this make it redirect to /docs/ without hostname
+              absolute_redirect off;
             '';
             proxyTimeout = "1d";
             recommendedZstdSettings = true;

modules/services/peertube.nix

@@ -0,0 +1,65 @@
+inputs:
+{
+  options.nixos.services.peertube = let inherit (inputs.lib) mkOption types; in mkOption
+  {
+    type = types.nullOr (types.submodule { options =
+    {
+      hostname = mkOption { type = types.nonEmptyStr; default = "peertube.chn.moe"; };
+    };});
+    default = null;
+  };
+  config = let inherit (inputs.config.nixos.services) peertube; in inputs.lib.mkIf (peertube != null)
+  {
+    services.peertube =
+    {
+      enable = true;
+      localDomain = peertube.hostname;
+      listenHttp = 5046;
+      listenWeb = 443;
+      enableWebHttps = true;
+      serviceEnvironmentFile = inputs.config.sops.templates."peertube/env".path;
+      secrets.secretsFile = inputs.config.sops.secrets."peertube/secrets".path;
+      configureNginx = true;
+      database =
+      {
+        createLocally = true;
+        host = "127.0.0.1";
+        passwordFile = inputs.config.sops.secrets."peertube/postgresql".path;
+      };
+      redis =
+      {
+        host = "127.0.0.1";
+        port = 7599;
+        passwordFile = inputs.config.sops.secrets."redis/peertube".path;
+      };
+      smtp.passwordFile = inputs.config.sops.secrets."peertube/smtp".path;
+      settings.smtp =
+      {
+        host = "mail.chn.moe";
+        username = "bot@chn.moe";
+        from_address = "bot@chn.moe";
+      };
+    };
+    sops =
+    {
+      templates."peertube/env".content =
+      ''
+        PT_INITIAL_ROOT_PASSWORD=${inputs.config.sops.placeholder."peertube/password"}
+      '';
+      secrets =
+      {
+        "peertube/postgresql" = { owner = inputs.config.services.peertube.user; key = "postgresql/peertube"; };
+        "peertube/password" = {};
+        "peertube/secrets".owner = inputs.config.services.peertube.user;
+        "peertube/smtp" = { owner = inputs.config.services.peertube.user; key = "mail/bot"; };
+      };
+    };
+    nixos.services =
+    {
+      nginx = { enable = true; https.${peertube.hostname}.global.configName = peertube.hostname; };
+      postgresql.instances.peertube = {};
+      redis.instances.peertube.port = 7599;
+    };
+    systemd.services.peertube.after = [ "redis-peertube.service" ];
+  };
+}

modules/services/wireguard.nix

@@ -41,6 +41,7 @@ inputs:
           firewall =
           {
             allowedUDPPorts = inputs.lib.mkIf (!wireguard.behindNat) [ wireguard.listenPort ];
+            trustedInterfaces = [ "wireguard" ];
           };
           wireguard.interfaces.wireguard =
           {

modules/system/fileSystems/luks/default.nix

@@ -61,20 +61,21 @@ inputs:
       boot.initrd =
       {
         luks.forceLuksSupportInInitrd = true;
-        systemd.services.wait-manual-decrypt =
+        systemd =
         {
-          wantedBy = [ "initrd-root-fs.target" ];
-          before = [ "roll-rootfs.service" ];
-          unitConfig.DefaultDependencies = false;
-          serviceConfig.Type = "oneshot";
-          script = builtins.concatStringsSep "\n" (builtins.map
-            (device: "while [ ! -e /dev/mapper/${device.value.mapper} ]; do sleep 1; done")
-            (inputs.localLib.attrsToList luks.manual.devices));
+          services.wait-manual-decrypt =
+          {
+            wantedBy = [ "initrd-root-fs.target" ];
+            before = [ "roll-rootfs.service" ];
+            unitConfig.DefaultDependencies = false;
+            serviceConfig.Type = "oneshot";
+            script = builtins.concatStringsSep "\n" (builtins.map
+              (device: "while [ ! -e /dev/mapper/${device.value.mapper} ]; do sleep 1; done")
+              (inputs.localLib.attrsToList luks.manual.devices));
+          };
+          extraBin.cryptsetup = "${inputs.pkgs.cryptsetup}/bin/cryptsetup";
         };
       };
-      fileSystems = builtins.listToAttrs (builtins.map
-        (mount: { name = mount; value.options = [ "x-systemd.device-timeout=48h" ]; })
-        luks.manual.delayedMount);
     })
   ];
 }

modules/system/networking.nix

@@ -75,10 +75,10 @@ inputs:
           (builtins.map
             (network:
             {
-              name = "10-${network.ssid}";
+              name = "10-${network}";
               value =
               {
-                matchConfig.Name = network.ssid;
+                matchConfig.Name = network;
                 networkConfig = { DHCP = "yes"; IPv6AcceptRA = true; };
                 linkConfig.RequiredForOnline = "routable";
               };

modules/user/chn/plasma/wallpaper.nix

@@ -2,7 +2,7 @@ inputs:
 {
   config.home-manager.users.chn.config.programs.plasma.configFile =
     let
-      inherit (inputs.topInputs.self.src) nixos-wallpaper;
+      inherit (inputs.topInputs) nixos-wallpaper;
       wallpaper =
       {
         pc = "${nixos-wallpaper}/pixiv-117612023.png";

modules/user/default.nix

@@ -22,6 +22,9 @@ inputs:
         hjp = 1008;
         zzn = 1009;
         wm = 1010;
+        GROUPIII-1 = 1011;
+        GROUPIII-2 = 1012;
+        GROUPIII-3 = 1013;
         misskey-misskey = 2000;
         misskey-misskey-old = 2001;
         frp = 2002;