test bindmount

modules.user: use bind mount
modules.user: ensure home permission
2026-01-12 20:59:23 +08:00 · 2024-11-10 22:19:12 +08:00 · 2024-11-10 16:13:54 +08:00 · 2024-11-10 14:14:13 +08:00 · 2024-11-10 12:56:14 +08:00 · 2024-11-10 12:54:17 +08:00
255 changed files with 4655 additions and 5530 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,4 @@ outputs
 build
 .vscode
 .cache
+.ccls-cache
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -9,7 +9,10 @@ keys: # cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
  - &xmupc1 age1hnarptkze0ujpp05dqr8uma04cxg9zqcx68qgpks5uf5l6rpk5gqhh8wxg
  - &xmupc2 age1l4stuz0vr7gs7pqwjrmezam44702jp2vmqaqyxw0l0r42kf9updq4dfhrw
  - &pi3b age1yjgswvexp0x0de0sw4u6hamruzeluxccmx2enxazl6pwhhsr2s9qlxdemq
-  - &pcvm age1jmu4jym0e0xkq5shx2g7ef4xzre94vaxy2n4fcn0kp94dtlupdxqkzyyp7
+  - &srv1-node0 age1nzetyehldf3gl6pr6mu5d2cv387p8wjqn6wfpll7a3sl8us6n38s0ds633
+  - &srv1-node1 age1wj33xt8nj7rhnsenepsf6k3lmq5vk4wn84jwr55qy9cwu05xn5cspg3h7t
+  - &srv1-node2 age16e7ykphshal6qhwfvat698hl48s8yr0jvzh27ecdyfh5uk7t9u6s753jgy
+  - &srv1-node3 age1lee0kl24f0ntss6m69zu2s2e7njdpkv9nl7rlf4nn7rvv0mlgvfqrte2y5
 creation_rules:
  - path_regex: devices/pc/.*$
    key_groups:
@@ -56,8 +59,23 @@ creation_rules:
    - age:
      - *chn
      - *pi3b
-  - path_regex: devices/pcvm/.*$
+  - path_regex: devices/srv1/node0/.*$
    key_groups:
    - age:
      - *chn
-      - *pcvm
+      - *srv1-node0
+  - path_regex: devices/srv1/node1/.*$
+    key_groups:
+    - age:
+      - *chn
+      - *srv1-node1
+  - path_regex: devices/srv1/node2/.*$
+    key_groups:
+    - age:
+      - *chn
+      - *srv1-node2
+  - path_regex: devices/srv1/node3/.*$
+    key_groups:
+    - age:
+      - *chn
+      - *srv1-node3
--- a/blog/.gitignore
+++ b/blog/.gitignore
@@ -1,4 +0,0 @@
-/themes
-/public
-/.hugo_build.lock
-/resources/_gen
--- a/blog/archetypes/default.md
+++ b/blog/archetypes/default.md
@@ -1,5 +0,0 @@
-+++
-title = '{{ replace .File.ContentBaseName "-" " " | title }}'
-date = {{ .Date }}
-draft = true
-+++
--- a/blog/content/_index.md
+++ b/blog/content/_index.md
@@ -1,6 +0,0 @@
---
-title: Introduction
-type: docs
---
-
-这里是主页
--- a/blog/content/docs/example/_index.md
+++ b/blog/content/docs/example/_index.md
@@ -1,7 +0,0 @@
---
-weight: 1
-bookFlatSection: true
-title: "Example Site"
---
-
-{{< callout emoji=":building_construction:" >}} 施工中 {{< /callout >}}
--- a/blog/content/posts/_index.md
+++ b/blog/content/posts/_index.md
@@ -1,5 +0,0 @@
---
-title: Blog
---
-
-我得在这里写点什么
--- a/blog/content/posts/aaa.md
+++ b/blog/content/posts/aaa.md
@@ -1,172 +0,0 @@
---
-title = 'Aaa'
-date = 2024-08-25T13:20:46+08:00
-draft = true
---
-
-大家好，我是陈浩南，是 xmurp 的作者。
-前两天“页文选”的 up 主联系到我，说想让我聊聊相关事情的看法。
-那我就想，我干脆也在 b 站做个视频，那就有这个东西了。
-这个是我在 b 站的第一个投稿，废话比较多，没有专业麦克风，如果有什么口胡的话大家也可以提提意见。
-视频各个章节的传送链接会放到评论区，大家可以直接跳到自己感兴趣的地方。
-
-# xmurp 是什么？
-
-它是几年前我写的一个装在**路由器**上的插件，
-  那这个插件是用来让这个路由器在校园网里，也就是在学校宿舍里，也能正常使用。
-当时我们学校的网络你买了他的带宽带的套餐之后，只许你**一台**电脑插着网线上网，
-  不管你是接路由器，还是电脑开个热点，
-  只要手机或者平板通过这个宽带连上网，他们后台都会检测到，然后就会把你的网给断了，一次断二十分钟，
-  等二十分钟恢复之后，如果它发现还是有手机或者平板通过这个宽带上网，就会再给你断网二十分钟，如此循环，
-  直到你放弃折腾，老老实实就用一台电脑上网为止。
-然后我这个插件就是解决这个问题的，路由器装这个插件之后，它会把手机或者平板的一些数据特征给抹掉，
-  那它在后台检测不到你的手机，就不会给你断网了。
-所以当时给插件起名叫 xmu 路由器补丁，简称 xmurp。
-然后我把这个源代码共享出去之后，才发现这个问题是很多学校都有的，我那个插件在很多学校都能用，然后，然后就流行起来了，是这么回事。
-
-这个事情大概是2018年到2019年的时候发生的，现在都已经过去很多年了。
-前两天（8月20日左右，字幕备注）有个叫“页文选”的 up 主找到我，
-  说想让我评价一下这个事情，就是校园网里不许装路由器的事情，以及大家去想办法绕过这个限制的事情，
-  然后把我的评价做到她的视频结尾里。
-但是她也没有提出什么**非常具体**的问题，我这个人聊起天来又容易跑题跑到不知道哪里去，很容易就扯一大堆其它的东西。
-正好关于这个话题我也有一些想聊的事情，也想试试在 b 站发个视频看会怎么样，就干脆决定自己做一个视频了。
-
-# 做这个插件的背景？
-
-其实我刚上大学的时候，当时宿舍是海韵1，那栋楼是可以正常用路由器的。
-大二也就是 2017 年刚放暑假的时候我搬到了另外一栋宿舍（海韵16）。
-这栋楼有网络限制，但限制的措施还不是我之前提到的那种情况。
-当时联网是需要用一个叫“深澜”的软件去联网的，这个软件只能运行在 Windows 上，就没法接路由器了。
-尤其我主要用的 linux，那就约等于不许我上网了，那这个事情我肯定得解决。
-后来乘着暑假我在网上找资料，发现有人提到那个软件其实就是个套壳 PPPoE，PPPoE 的账号怎么搞出来也有办法。
-一旦知道这点就好办了，路由器也就安排上，顺便在qq空间发了个帖子。
-暑假结束之后同学们返校之后发现判死刑的路由器又能用了，我总结的拨号的方法就被传播开了。
-开心地上了一年网之后，一年之后的暑假，路由器又突然不能用了，这次是我之前提到的那种情况。
-然后我就很生气，就是我什么都没干就突然把我网断了，完全就是无缘无故被欺负的感觉。
-经常欺负我的人都知道，我平时都很好说话的，沾我一点小便宜也都无所谓，
-  但一旦过了一个度，我就会很生气，就一定会报复，做事情也会非常激进，当时就是这种情况。
-然后我就闷头搞了两周，其中第一周就各种尝试确定它是怎么检测的，第二周就是写代码，内核怎么编程，netfilter hook 怎么用，之类的。
-两周之后就肝出来了。但是比较可惜的是内核模块使用门槛还是有点高，在现实世界反而没怎么传开了。
-反而是在网上传开了，然后发现其它学校的情况也差不多。
-
-# 是否会继续维护插件？
-
-大概率不会。因为我自己后来搬到别的宿舍了，那些宿舍都是可以正常用路由器的，所以我也就没太有动力继续维护这个插件了。
-而且后来这个检测似乎放松了很多，据我观察，很多同学直接接路由器，网络也基本可用。现在流量也便宜，身边人的需求也少了。
-也许会作为一个兴趣项目哪天把它捡起来再写写，但是大概率不会，毕竟我感兴趣的也不止这一件事情。
-如果还有很多其他人需要的话，也可能会继续维护。但也只是可能。毕竟使用门槛还是有点高，要会自己刷机自己编译才行，这能难倒 99% 的人了。
-
-有其他人开发的项目，可以搜索到，用户态的程序。也有人开发内核态的软件，也挺好的。
-
-# 如何看待校园网禁止共享
-
-我觉得这个问题可能大家都会比较期待我从宏观上回答，去评价全中国的这种现象。
-这个问题我很难从宏观上来回答。我又不是这个行业的人，我也并不比大家知道更多的内幕。
-所以这个事情我只能从我个人亲身经历的角度来回答。
-如果你问我，想到这个事情，情绪上是怎样的，那我一定是想骂人的。这方面我觉得我和大多数看到这里的人是一样的。
-抛开情绪的话，我有两个事情想要讨论。
-
-第一个事情是，这个事情到底是谁干的？
-我个人觉得这个事情不是学校干的，也不是运营商干的。
-因为学校没有动力去赚那两个破钱的，培养一个本科生一年要花的钱、相关的财政补贴，应该都比这些多得多。
-而且学校一般也比较注重自己的名声，出这种事情学生第一反应肯定是怨学校。
-中国移动电信这些运营商倒是有动力赚这个钱，但我们这里运营商是存在竞争的，故意恶化自己的服务就是给对手送钱。
-我当时因为移动和电信资费一样而电信提供公网IP而换了电信，如果哪家运营商这样作死那就别想再赚钱了。
-实际上我在厦大住过几栋不同的宿舍楼，只有一栋楼是会有限制的。
-这栋楼的网络还有两个特点，一个是在这栋楼里，下载论文是没有付费墙的，就像是在学校的内网一样；另外一个是只有它是需要用深澜客户端登陆的。
-如果你去搜索深澜，它属于深信服，一个做to B的主要做网络安全和审计的公司。
-如果你稍微搜索一下，会发现很多公司和学校的网络安全都是他家做的，包括厦大的vpn easyconnect也是他家做的。
-搜索“深澜认证计费软件解决方案 百度文库”，里面就有关于限制代理的内容。
-所以我觉得应该是这栋楼的网络因为什么原因想划到校园网内部，需要做一些网络安全上的事情，这个事情就交给深信服去做了。
-  这中间有决策者一刀切，然后就成这样了。至于决策者是谁，那就不知道了，但直接干这个事情的公司应该是深信服。
-限制用户的直接目的也不是赚钱，而是行政决策上的不周全，这是我的观点。
-
-第二个事情是，如果技术一直升级下去，检测代理的技术进步反检测的技术也进步，那最后会是谁赢呢？
-我个人的观点是，我们会赢。
-因为上网这个事情是有正当性的，至少单个设备的正常上网是有正当性的。
-反代理检测是这样的，我们要做的事情比较简单，只要把特征抹除得足够干净，让它的误报率降不下来就行。
-深信服要考虑的就多了，误报率不能太高，设备成本不能太高，其实他们要考虑的很多，他们的技术升级的难度是比较大的。
-我们就灵活多了，都不需要科班出身的人，物理系的本科生努力两个星期也就绕过去了。
-总之就是，哪怕仅仅是从技术上来说，检测的技术难度也比反检测要大很多，再加上行政成本，只要你想，肯定是能绕过去的。
-
-# 你的博客呢？
-
-有人可能看到过我的一篇文章，和 xmurp 配套的，发在我自己博客上。
-但是我自己博客迁移过好多次，你可能现在也找不到了（我自己没丢）。
-实际上最近几年都没有认真写过东西，感觉这几年有点太浮躁了，没有沉下心来写东西。但我内心其实是有写作的欲望的。
-最近我应该会把博客恢复起来。包括这个稿子也会整理一下放到上面。
-
-# 对这个 up 主的视频怎么看？
-
-我有点担心她的视频发出去后会让一些人失望。
-因为我看预告的视频下面的评论区，一些朋友期待看这个视频学到一些技术。
-我提前看过她的视频的文字大纲，按照我的理解，她的视频主要目的并不是技术教学，
-  主要目的有两个方面，一方面是尝试一些视频特效，另一方面是记录一下自己探索的过程。
-如果你之前完全没有接触过这些东西，它可以解答“有什么”的问题，让你眼熟一些名词，知道有这么回事。
-但是它没法解答“为什么”和“怎么做”，也就是没法带你理解技术细节，也没法教明白怎么操作。
-换句话说，看视频只要半个小时，你可能会觉得“原来如此，なるほど”，
-  但是你要想真的去做的话，大概率会遇到比看上去多很多的细碎但是又相当硌脚的一些困难。
-实际上如果真的教这些技术细节的话，她的视频也不会只有半个小时了。
-比如b站上有详细的教你怎么编译openwrt，只是编译这**一个**事情就要讲半个小时，
-  没有linux操作经验的话，从装虚拟机到编译出来要花费的时间绝对不止半个小时，如果他三四个小时能做出来我都觉得是神速。
-总之大家还是要有一个心理预期。虽然你们的条件比我当年好了很多，（不需要一个人闷声干一星期），
-  但这个事情还是没有那么容易。
-
-# 为什么要做这个视频？
-
-xmurp 是我本科的时候做的**最**骄傲的一个事情，虽然它不是我专业的，虽然它的代码质量在我现在看来就是依托答辩，
-  但它确实是我内心最认可的作品。
-当时能做出这个事情来，其实有一个我觉得很重要的原因我在之前都没有提到，那就是我当时是放暑假，我**一个人**在宿舍生活。
-我不知道别的i人是什么感觉，反正我是个很内向的人，但对我来说，和别人相处是一个非常耗费精力的事情。
-一方面我得考虑我干什么会不会打扰到别人，另外一方面我也需要考虑别人如何理解我表达或者正在做的事情，等等。
-但是当我一个人的时候，我就可以完全不用考虑这些事情。
-一旦没有什么干扰，精力自然而然就会聚焦到一件事情上，这个时候一旦决定做什么事情，力量就会非常大。
-为什么提这件事情呢，是因为我这个暑假又搬宿舍了，这次是单人间。
-逐渐习惯之后，那种长时间专注、充满掌控力的感觉就又回来了。
-
-就在这个时候呢，这个 up 主呢就来联系我了。
-可是我当时不知道他是个up主，我也没注意到我其实还看过她的视频，
-  她上来也不做自我介绍，直接丢给我一个我根本看不明白的word文档，关键是同样的内容我在邮件的垃圾箱里也看到过，就把我整蒙了。
-后来又看了好几遍才终于看明白，她是想让我聊聊我对这个事情的看法。
-这种直率又缺少经验的感觉就很像我以前做事的感觉，我其实就是在她这个年龄，用和她差不多的方式，做了一个 xmurp 出来。
-我内心就挺感动的，她是一个遇到问题就直接朝着问题撞过去的开拓者，虽然她很缺乏和人沟通的经验，
-  她的视频最后做得好不好我没法预知，但她做的事情是独一份的，你在b站上找不到类似的。
-“勇敢牛牛不怕困难”，我不知道为什么会想到这句话。
-我自己在过去几年其实过得挺消沉的，原因的话也很复杂，不只是和别人住在一起导致的，概括来说的话就是和身边的世界妥协得太多了，
-  一些该割舍的情感一直犹豫着没有割舍（不是指恋爱），心里想要的东西一直不敢去追求。
-或者说，就是出格的事情干得太少了，少得自己都忘了自己是一个主动的**人**，那种感觉。
-我不好说这个到底是怎么回事吧，就蛮神奇的，触动了我一根已经很久没有被触动的神经。
-
-我稿子写到这里是8月25号晚上11点了，接下来我非常清楚我要做什么事情，我整理一下，今天晚上或者明天把稿子录个音，
-  然后简单做个视频，这个事情就算结束，等到时间发布就行。
-之后的工作，我要先做什么，再做什么，我要争取什么结果，我都非常非常清楚。
-我很久没有这种感觉了，我觉得我应该要感谢这个 up 主，谢谢xx。
-
-# 为什么公开反检测的技术，不会导致反检测技术无效化？
-
-反检测很简单，只要把它要找的那一点点特征藏起来就行了，但检测的时候要考虑的就多了。
-那他们得考虑设备成本不能太高，误报率不能太高，技术人员的工资也得给人家发，不能影响用户正常上网，还得行政上合规，这些东西很麻烦的。
-
-# 对比一下校园内有线宽带和蜂窝网络的区别？
-
-各取所需嘛，现在流量费用也很便宜了，很多人单纯手机流量就够了，根本不需要折腾这些。
-如果确实需要宽带，又有兴趣折腾，那就搞呗，谁要是说你不应该搞的话那是他没素质。
-
-# 对反检测路由器商业化的看法？
-
-我其实觉得商业化本身是很好的，相当于给不愿意折腾的人节省了很多时间。
-至于商家不尊重开源协议，那这个确实该骂。openwrt是gpl协议发布的，gpl的意思是说，你可以卖钱，但同时必须开源，不然就是违法。现在国内司法实践有这种判例，但是很少，这块还是缺少发展的。
-以次充好、价格虚高，我觉得得看他有没有虚假宣传。如果没有虚假宣传的话只是不值那个价格，那就是市场的问题，应该交给市场调节。要是有虚假宣传，比如宣传八核实际卖四核，那就是违法。但实际上市场上假货还很多，你去淘宝上搜石墨烯，99%都是假的，什么石墨烯电热毯石墨烯散热器都是扯淡。
-
-# 代理检测原本是用于企业的安全技术，为什么会用于宿舍的网络？
-
-学校里的网络也和企业一样，需要保证安全。至于为什么宿舍的网络也要被划分到校园网里处理，我觉得这是个行政决策上的错误。据我体验厦大大部分宿舍楼都是没有划分到校园网里的，就和小区里的网络一样，爱怎么用怎么用，我住过五栋，只有一栋是划分在校园网里管理的，当年搞得很麻烦。实际上我住的那栋后来也基本上放开了，我看其它同学接普通路由器也能用。
-
-# 代理检测厂商的技术改进方向？
-
-这个你应该问深信服的人（我不知道这个算不算他们的商业机密），但我觉得这个事情已经基本上到头了，检测ua或者个别应用的特殊软件包这个已经是极限了。不是说不可能继续升级，但是考虑到成本（经济成本，合规成本）的话，我觉得已经到头了。
-实际上我已经不在这个圈里很久了，我写xmurp是五年前了，五年过去了我看技术也没什么改进。
-
-# 反检测的改进方向？
-
-以前是“见招拆招”，他们检测什么我们改什么。现在已经把所有的招都拆过一遍了，再改进的话就是让软件更易用，让使用成本更低。比如说能不能做到一键编译openwrt软件包，再一键安装上去，我觉得其实是可以的。说到这里我就要安利一个我自己正在用的一个东西，叫nix，它就是一个一键可复现地构建一个软件，甚至可复现地构建并且帮你配置好整个linux系统，这个就叫NixOS。我觉得这个东西非常好，我有空可以试试能不能搓一个一键构建和安装xmurp的网页，这个我其实挺有兴趣的。当然我不懂前端，所以搓出来的网页很可能会比较丑。
--- a/blog/content/posts/helloworld.md
+++ b/blog/content/posts/helloworld.md
@@ -1,49 +0,0 @@
---
-title: Helloworld
-date: 2024-08-24T20:13:59+08:00
-draft: false
-summary: 为什么不问问神奇海螺呢？
-math: true
---
-
-# 一级标题
-
-## 二级标题
-
-### 三级标题
-
-hello world!
-
-* 无序列表1
-* 无序列表2
-* 无序列表3
-
-1. 有序列表1
-2. 有序列表2
-3. 有序列表3
-
-> 这是一个引用
-> 写了两行
-
-如果段与段之间
-没有空行
-会怎样？
-
-```c++
-#include <iostream>
-using namespace std;
-int main() {
-    cout << "Hello, World!" << endl;
-    return 0;
-}
-```
-
-这是一个行内代码`printf("Hello, World!\n");`，和行内公式 $E=mc^2$。
-
-$$
-\int_{-\infty}^{+\infty} e^{-x^2} \dd x = \sqrt{\pi}
-$$
-
-**这是粗体文本**，*这是斜体文本*。
-
-[这是一个链接](https://www.example.com)
--- a/blog/default.nix
+++ b/blog/default.nix
@@ -1,13 +0,0 @@
-{ stdenv, hextra, hugo }: stdenv.mkDerivation
-{
-  name = "blog";
-  src = ./.;
-  nativeBuildInputs = [ hugo ];
-  configurePhase =
-  ''
-    mkdir themes
-    ln -s ${hextra} themes/hextra
-  '';
-  buildPhase = "hugo";
-  installPhase = "cp -r public $out";
-}
--- a/blog/hugo.yaml
+++ b/blog/hugo.yaml
@@ -1,144 +0,0 @@
-baseURL: https://blog.chn.moe/
-theme: hextra
-
-enableRobotsTXT: true
-enableGitInfo: false
-enableEmoji: true
-hasCJKLanguage: true
-
-# services:
-#   googleAnalytics:
-#     ID: G-MEASUREMENT_ID
-
-outputs:
-  home: [ html ]
-  page: [ html ]
-  section: [ html, rss ]
-
-defaultContentLanguage: zh-cn
-languages:
-  zh-cn:
-    languageName: 简体中文
-    languageCode: zh-CN
-    weight: 1
-    title: My New Hugo Site
-  en:
-    languageName: English
-    weight: 2
-    title: My New Hugo Site
-    contentDir: content/en
-
-# Needed for mermaid/katex shortcodes
-markup:
-  goldmark:
-    renderer:
-      unsafe: true
-  highlight:
-    noClasses: false
-
-enableInlineShortcodes: true
-
-menu:
-  main:
-    - identifier: documentation
-      name: Documentation
-      pageRef: /docs
-      weight: 1
-    - identifier: blog
-      name: Blog
-      pageRef: /blog
-      weight: 2
-    - identifier: about
-      name: About
-      pageRef: /about
-      weight: 3
-    - name: Search
-      weight: 4
-      params:
-        type: search
-    - name: GitHub
-      weight: 5
-      url: "https://github.com/imfing/hextra"
-      params:
-        icon: github
-  sidebar:
-    - identifier: more
-      name: More
-      params:
-        type: separator
-      weight: 1
-    - identifier: about
-      name: "About"
-      pageRef: "/about"
-      weight: 2
-    - identifier: hugoDocs
-      name: "Hugo Docs ↗"
-      url: "https://gohugo.io/documentation/"
-      weight: 3
-
-params:
-  description: Modern, responsive, batteries-included Hugo theme for creating beautiful static websites.
-  navbar:
-    displayTitle: true
-    displayLogo: true
-    logo:
-      path: images/logo.svg
-      dark: images/logo-dark.svg
-      # width: 40
-      # height: 20
-      # link: /
-    width: wide
-  page:
-    # full (100%), wide (90rem), normal (1280px)
-    width: normal
-  theme:
-    # light | dark | system
-    default: system
-    displayToggle: true
-  footer:
-    enable: true
-    displayCopyright: true
-    displayPoweredBy: true
-    width: normal
-  displayUpdatedDate: true
-  dateFormat: "January 2, 2006"
-  search:
-    enable: true
-    type: flexsearch
-    flexsearch:
-      # index page by: content | summary | heading | title
-      index: content
-      # full | forward | reverse | strict
-      # https://github.com/nextapps-de/flexsearch/#tokenizer-prefix-search
-      tokenize: forward
-  editURL:
-    enable: true
-    base: "https://github.com/imfing/hextra/edit/main/exampleSite/content"
-  blog:
-    list:
-      displayTags: true
-      # date | lastmod | publishDate | title | weight
-      sortBy: date
-      sortOrder: desc # or "asc"
-  highlight:
-    copy:
-      enable: true
-      # hover | always
-      display: hover
-  comments:
-    # TODO: enable cusdis
-    enable: false
-    type: giscus
-    # https://giscus.app/
-    giscus:
-      repo: imfing/hextra
-      repoId: R_kgDOJ9fJag
-      category: General
-      categoryId: DIC_kwDOJ9fJas4CY7gW
-      # mapping: pathname
-      # strict: 0
-      # reactionsEnabled: 1
-      # emitMetadata: 0
-      # inputPosition: top
-      # lang: en
-  math: true
--- a/devices/jykang.xmuhpc/.ssh/authorized_keys
+++ b/devices/jykang.xmuhpc/.ssh/authorized_keys
@@ -4,6 +4,10 @@ ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDJ/jzUQ6QuAjnAryvpWk7TReS6pnHxhEXY9RonojKk
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCtnVhZQsJfbs2w9hFZkx4qDhIs++7no+6r5TifP3Dq7epJYd2QYx4dI66XxTNhKxZjN6a4Xn5nFlYLtQJXOvzBLC8IBf1W5GCH0k/jqzzskS0/Ix/70HzcBwJk8ihWDkyON5Ki1BRCx34RNxth1BIxWyc5QT+lou+D92x8iAu/uOvmcAL3Ua0OlZwxw03hLp/PpS4ZnUqFjc2JVtarY7eQu/i3RwOZUaK6nT2EL8RObzk4xnieqsU5PWwA3voVjetqZaDQ+P7dimQXz/FaucroKxCNyTiy1oG4fdQpm2UDrH6ZfPvdQLYrtet6FQabXOxhV7MuR3jYtxZjs1kDVZIseIZ6IwjetaUoMxvIouRfYjOSIEo9Ek9o0+Yhku4r0uWmPDrymWugU1raMmlRxSUwdlzW+C7mQwtGbs/MG4MN4GWkM6id5DKlY2vYKUfrTzmhY1swCtzKq20fjvyX8qhJdcytgVlOrBZnPje6Qd55sI0RjdgJrBsxT2SYquez7U8= yjq@xmupc1
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDn1pfGen7kjPTHsbb8AgrUJWOeFPHK5S4M97Lcj3tvdcjZi2SXN6PwHQfh8/xGhZbTLPz/40S9O9/Dn30xkUTfnONirKt790jp7VEbOtPnjQPOd/KRNWlS3VV0BELuq5p633Mi13rP6JZtdKmU2uSkvvaUBfCppy3JaWv/B7HLJ48f8IzkdiT1px3dN1eQ4SFoHOiVG0ci5TGG6wfMdoAAnM9R1aXI4gDxnYjLYujpaNZ4hBOta/6ZK/PV0JufoXdIAZjubgk1Hv04XHXLR2Z0UhRM6x7UrZIOdM/LlnKmcVk408ZKEj/9m1xRyDsNoZ24CF++cmnwfBHrp9I5nvDI7xOTdZlOhzkiiPM3f4i6s2Qjdv4vpZ6AeE3Qt1LVQyAr67b4UMjHuYqSi2KgyCO6My2Ov2eRoS74EKcb8ejJv3O+XInmYUgDgTgDFT3CgQgK2DG45HiV6nOkaE/6iKx2JSOiYZTFc7TRcePfXF9JQD7dXFde6qm3EbIVyJIpCJ8= zem@xmupc1
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCW2fx1Sim7X2i/e/RBPEl1q/XbV7wa9pmZfnRINHIv24MCUgtNZ5GHEEW7dvzrQBeRj3I7CAyK8fbuhv/l8HuDtjxJJ1fmcBp9UG5vfpb/UTxayJxHBRrwokp2JL7HKVviI6d8FcNa/T0CMoUNYXnel6dE3B78k9Q0dDxlOGS1MzgsP3Pn66lm0ww9FRAVHe+KkhFmwyQ1VHUxHgK4QjCIt7+9+PJE7fK0aVWBsR309pui7Pbm6mgd4d6mwiBeVvxsNGnI4DsO1hz4N2GapuQy19PDiG7A4H41Z5RYQnv/3XTy4TBXOFQm77v6pyGkCmG6BGnRdvMB6C0hWPJvudbsA/BNp4ApL7/CrwTdLp1z6ToAOLvKrUQAM+hcbJimnFVMXqz7iSYg99XTnzue7ncecp19XiaDJbM47bGXcT4nTO5XaiMYi2xGAHIrij5GIuFF5ymKYSp5ejb1VucMdKlaaAmS10+wdUcuT7tzX/IuVr5aqg2dsxT5aJCRhZ1k2V0= xly@xmuhpc
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMRpyIU8ZuYTa0LvsVHmJZ1FA7Lbp4PObjkwo+UcpCP8 wp@xmupc1
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGRZp8xp9hVO7e/6eflQsnFZj853IRVywc97cTevnWbg hjp@xmupc1
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGwUhEAFHjkbUfOf0ng8I80YbKisbSeY4lq/byinV7lh wm
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5bg5cayOLfnfUBJz8LeyaYfP41s9pIqUgXn6w9xtvR lly

 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCmJoiGO5YD3lbbIOJ99Al2xxm6QS9q+dTCTtlALjYI5f9ICGZJT8PEGlV9BBNCRQdgb3i2LBzQi90Tq1oG6/PcTV3Mto2TawLz5+2+ym29eIq1QIhVTLmZskK815FpawWqxY6+xpGU3vP1WjrFBbhGtl+CCaN+P2TWNkrR8FjG2144hdAlFfEEqfQC+TXbsyJCYoExuxGDJo8ae0JGbz9w1A1UbjnHwKnoxvirTFEbw9IHJIcTdUwuQKOrwydboCOqeaHt74+BnnCOZhpYqMDacrknHITN4GfFFzbs6FsE8NAwFk6yvkNXXzoe60iveNXtCIYuWjG517LQgHAC5BdaPgqzYNg+eqSul72e+jjRs+KDioNqvprw+TcBBO1lXZ2VQFyWyAdV2Foyaz3Wk5qYlOpX/9JLEp6H3cU0XCFR25FdXmjQ4oXN1QEe+2akV8MQ9cWhFhDcbY8Q1EiMWpBVC1xbt4FwE8VCTByZOZsQ0wPVe/vkjANOo+brS3tsR18= 00@xmuhpc
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxcIWDQxVyIRqCGR4uWtrh4tLc025+q6du2GVsox8IzmBFkjNY8Au5GIMP5BKRstxFdg3f/wam8krckUN9rv5+OHB9U8HGz77Xs0FktqRVNMaDPdptePZQJ9A9eW3kkFDfQnORJtiVcEWfUBS3pi0QFOHylnG27YyC/Vjx9tjvtJWKsQEVTFJbFHPdi+G7lHTpqIGx+/a2JN9O6uVujXXYvjSVXsd+CWB9VMZMvYCIz2Ecb6RqR3brj4FhRRl8zyCj+J4ACYFdGWL98fTab2uPHbpVeKrefFFA43JOD/4zwBx/uw7MAQAq0GunTV3FpBfIAQHWgftf2fSlbz20oPjCwdYn9ZuGJOBUroryex7AKZmnSYM3biLHcctQfZtxqVPEU3W/62MUsI/kZb9RcF24JRksMoS2XWTiv2HFf5ijQGLXXOjqiTlGncwiKf65DwkDBsSxzgbXk5Uo86viq6UITFXPx/RytU+SUiN4Wb7wcBTjt/+tyQd1uqc7+3DCDXk= 01@xmuhpc
--- a/devices/nas/default.nix
+++ b/devices/nas/default.nix
@@ -24,7 +24,7 @@ inputs:
              };
            };
          };
-          decrypt.manual =
+          luks.manual =
          {
            enable = true;
            devices =
@@ -38,10 +38,10 @@ inputs:
          swap = [ "/nix/swap/swap" ];
          rollingRootfs.waitDevices = [ "/dev/mapper/root4" ];
        };
-        initrd.sshd.enable = true;
+        initrd.sshd = {};
        nixpkgs.march = "silvermont";
-        nix.substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
-        networking = { hostname = "nas"; networkd = {}; };
+        nix.substituters = [ "https://nix-store.chn.moe?priority=100" ];
+        networking = {};
      };
      hardware = { cpus = [ "intel" ]; gpu.type = "intel"; };
      services =
@@ -62,6 +62,7 @@ inputs:
          publicKey = "xCYRbZEaGloMk7Awr00UR3JcDJy4AzVp4QvGNoyEgFY=";
          wireguardIp = "192.168.83.4";
        };
+        misskey.instances.misskey = {};
      };
    };
  };
--- a/devices/nas/secrets.yaml
+++ b/devices/nas/secrets.yaml
@@ -4,6 +4,12 @@ acme:
    token: ENC[AES256_GCM,data:OrYgBRU1VPpkpDzYMFHINfPSHsXEKABdZOcgiAiBJKcreBoaSVHUvg==,iv:XIeZPJhzmUi5ZHKBCYN5UA9HWH1K+26SvcIWVrHAYDA=,tag:3F93syLBZjcHwnRRkUEjlw==,type:str]
 wireguard:
    privateKey: ENC[AES256_GCM,data:VPlB4wSbWqSYw3rYRwfAMa39xrPcPZfz7sV2Cq3rmOhifnUPwggxnA+51do=,iv:utnyrB6Yfe5O94Oq4HDVFm/lQ9ZBoyvUT68r2G2PdwA=,tag:snm01vA+z2yKK8d2i5i2ig==,type:str]
+nginx:
+    maxmind-license: ENC[AES256_GCM,data:ezBawTyn+oPKKy6sQuj2BQXhnO4PTbxYWRpQR9URCxqD7bFlnmWU1Q==,iv:eD4yLDA209x6HFtDaqyj8kRxTImdyZCgOminHWb9vt4=,tag:mx+qPp4L9jHRvL90XH1RwA==,type:str]
+redis:
+    misskey-misskey: ENC[AES256_GCM,data:daHnurnqW0MI2uHd3gNT+ZczmytRdwBSsHGkCwNH9hJFMJW/U56HtjG5ivOQzYprWJ5uzgN98ivocbwzJEAGfg==,iv:aE9kvEErN06FNPPFQNchbmg/+SJCKT3QzCN/JTlZovk=,tag:iMo3MTssxKKT02zi8gCZPA==,type:str]
+postgresql:
+    misskey_misskey: ENC[AES256_GCM,data:QhsmKzYmAV0kGPhtRjTK7npt/Nop5JM9EFPpD8K6KfUJ48w+r+4vTORmERu7D2+fE3XDXxNZeSJg//bGxMmhfg==,iv:qkjkrqepjQ4kbwoaceQSzEP5TjLsiY7ih/ESj5RFpHw=,tag:UtZVW30xcsbGUjU2HjoUvw==,type:str]
 sops:
    kms: []
    gcp_kms: []
@@ -28,8 +34,8 @@ sops:
            by9Rd0U0bzNiK21BQTNxN1RuQ09DQVkKJmSlzV5ppEkZFljsS17ZWmoI++fz4tJh
            kTdoAStG1zsKASHyZTsmdm3RBDO3qV1KhQC2gC7d4EiwNZngxOOZJg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-07-24T05:14:57Z"
-    mac: ENC[AES256_GCM,data:9xKBuoVeotcZfiqsKg+iXxOc5BV9kGVvR5f9Anu6DauBceYIBxgeVCDU3dRUPz67MkOK/n2w9+gLchQxUyK8G4ECRTESL+GKpZslNVThb2j6vswLXNBHqsQCoQBlYOiKw5ZM1gpdYJPni8qpsdGvTwc5JkW+FH6v1BdZWaUhc3U=,iv:SyLiMXsQhS+8FFlSMXiD9ETD+mIsz6mePXnJzBODK5g=,tag:YpiU58lJ5Nb78EMyEmJdbw==,type:str]
+    lastmodified: "2024-10-05T02:43:05Z"
+    mac: ENC[AES256_GCM,data:NyXFwcVCCRfU+QSJVwov38SzRag1vhgfyQ0xtOheKtK/UaA+2Vqiqatp/lKWeri9ltpw5xWBYQnmE6aBHEkrj5RvoXeho3CUWiSqsB/3COn3FSfXGGJ2M642dnCtWqHfTrGNW7bhq/lBisODvtv+SAs108R5yYXhXWotUs/p+W0=,iv:Wsel2unj5X/dBCwt5sLzHmUIqm9c0uqzzpfnUkxq5cc=,tag:a5/I8GWuUOy4F4lOx9TH+w==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.9.0
--- a/devices/pc/default.nix
+++ b/devices/pc/default.nix
@@ -4,6 +4,7 @@ inputs:
  {
    nixos =
    {
+      model.type = "desktop";
      system =
      {
        fileSystems =
@@ -13,7 +14,7 @@ inputs:
            vfat."/dev/disk/by-uuid/7A60-4232" = "/boot";
            btrfs."/dev/mapper/root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
          };
-          decrypt.auto =
+          luks.auto =
          {
            "/dev/disk/by-uuid/4c73288c-bcd8-4a7e-b683-693f9eed2d81" = { mapper = "root1"; ssd = true; };
            "/dev/disk/by-uuid/4be45329-a054-4c20-8965-8c5b7ee6b35d" =
@@ -23,7 +24,7 @@ inputs:
          resume = "/dev/mapper/swap";
          rollingRootfs = {};
        };
-        grub.windowsEntries."7AF0-D2F2" = "Windows";
+        grub.windowsEntries."08D3-10DE" = "Windows";
        nix =
        {
          marches =
@@ -36,41 +37,32 @@ inputs:
            # FXSR HLE LZCNT PREFETCHW RDRND SAHF XSAVE
            "broadwell"
            # FXSR HLE LZCNT PREFETCHW RDRND SAHF SGX XSAVE
-            "skylake"
+            "skylake" "cascadelake"
            # AVX-VNNI CLDEMOTE GFNI-SSE HRESET KL LZCNT MOVDIR64B MOVDIRI PCONFIG PREFETCHW PTWRITE RDRND
            # SERIALIZE SGX WAITPKG WIDEKL XSAVE XSAVEOPT
            "alderlake"
          ];
-          remote.master = { enable = true; hosts = [ "xmupc1" "xmupc2" ]; };
          githubToken.enable = true;
        };
        nixpkgs =
          { march = "znver4"; cuda = { enable = true; capabilities = [ "8.9" ]; forwardCompat = false; }; };
        kernel =
        {
-          variant = "xanmod-latest";
-          patches = [ "hibernate-progress" "amdgpu" ];
+          variant = "cachyos";
+          patches = [ "hibernate-progress" ];
          modules.modprobeConfig =
            [ "options iwlwifi power_save=0" "options iwlmvm power_scheme=1" "options iwlwifi uapsd_disable=1" ];
        };
-        networking.hostname = "pc";
        sysctl.laptop-mode = 5;
-        gui.enable = true;
      };
      hardware =
      {
        cpus = [ "amd" ];
-        gpu =
-        {
-          type = "amd+nvidia";
-          nvidia = { prime.busId = { amd = "5:0:0"; nvidia = "1:0:0"; }; dynamicBoost = true; driver = "latest"; };
-        };
+        gpu = { type = "nvidia"; nvidia = { dynamicBoost = true; driver = "latest"; }; };
        legion = {};
      };
      virtualization =
      {
-        waydroid.enable = true;
-        docker.enable = true;
        kvmHost = { enable = true; gui = true; };
        nspawn = [ "arch" "ubuntu-22.04" "fedora" ];
      };
@@ -80,7 +72,6 @@ inputs:
        samba =
        {
          enable = true;
-          private = true;
          hostsAllowed = "192.168. 127.";
          shares =
          {
@@ -105,9 +96,9 @@ inputs:
                "log-upload.mihoyo.com" "uspider.yuanshen.com" "ys-log-upload.mihoyo.com"
                "dispatchcnglobal.yuanshen.com"
              ])
+            ++ [{ name = "4006024680.com"; value = "192.168.199.1"; }]
          );
        };
-        firewall.trustedInterfaces = [ "virbr0" "waydroid0" ];
        acme.cert."debug.mirism.one" = {};
        frpClient =
        {
@@ -127,15 +118,25 @@ inputs:
          publicKey = "l1gFSDCeBxyf/BipXNvoEvVvLqPgdil84nmr5q6+EEw=";
          wireguardIp = "192.168.83.3";
        };
-        gamemode = { enable = true; drmDevice = 1; };
+        gamemode = { enable = true; drmDevice = 0; };
        slurm =
        {
          enable = true;
-          cpu = { cores = 16; threads = 2; mpiThreads = 2; openmpThreads = 4; };
-          memoryMB = 90112;
-          gpus."4060" = 1;
+          master = "pc";
+          node.pc =
+          {
+            name = "pc"; address = "127.0.0.1";
+            cpu = { cores = 16; threads = 2; };
+            memoryMB = 90112;
+            gpus."4060" = 1;
+          };
+          partitions.localhost = [ "pc" ];
+          tui = { cpuMpiThreads = 4; cpuOpenmpThreads = 4; gpus = [ "4060" ]; };
        };
        ollama = {};
+        docker = {};
+        ananicy = {};
+        keyd = {};
      };
      bugs = [ "xmunet" "backlight" "amdpstate" ];
    };
@@ -163,6 +164,8 @@ inputs:
    };
    # 禁止鼠标等在睡眠时唤醒
    services.udev.extraRules = ''ACTION=="add", ATTR{power/wakeup}="disabled"'';
+    # 允许kvm读取物理硬盘
+    users.users.qemu-libvirtd.extraGroups = [ "disk" ];
    networking.extraHosts = "74.211.99.69 mirism.one beta.mirism.one ng01.mirism.one";
    services.colord.enable = true;
    environment.persistence."/nix/archive" =
@@ -174,19 +177,20 @@ inputs:
    };
    specialisation =
    {
-      nvidia.configuration =
+      hybrid.configuration =
      {
        nixos =
        {
-          hardware.gpu.type = inputs.lib.mkForce "nvidia";
-          services.gamemode.drmDevice = inputs.lib.mkForce 0;
+          hardware.gpu =
+            { type = inputs.lib.mkForce "amd+nvidia"; nvidia.prime.busId = { amd = "6:0:0"; nvidia = "1:0:0"; }; };
+          services.gamemode.drmDevice = inputs.lib.mkForce 1;
        };
-        system.nixos.tags = [ "nvidia" ];
+        system.nixos.tags = [ "hybrid" ];
      };
-      zen.configuration =
+      xanmod.configuration =
      {
-        nixos.system.kernel = { variant = inputs.lib.mkForce "zen"; patches = inputs.lib.mkForce []; };
-        system.nixos.tags = [ "zen" ];
+        nixos.system.kernel.variant = inputs.lib.mkForce "xanmod-latest";
+        system.nixos.tags = [ "xanmod" ];
      };
    };
  };
--- a/devices/pc/secrets/default.yaml
+++ b/devices/pc/secrets/default.yaml
@@ -22,6 +22,10 @@ nix:
    remote: ENC[AES256_GCM,data:uosYkxTCB0wiY+Uufk//OcBZFN3EzbZoQGZ95M9eZMjQ5AobAZqosi4laE+EMcZL1CqYqlWXaSoEUOB8biUaZPseo+1AX1TlmUgZ7QpkfOX0VKZu01C6C+lVyqVqMFq6z1BFyX/oeITMIfnd4a/2KwJCHLAZ4hMkJ5p+aJwByKGa3N/2m41HH/1S3z7pYQWj7YJxunTPPG6WNSiRncQki11rvmddwnXmsBF89+jW1Phge8U295haC57T5oIGPxR645IeTK4ZUlL8eVuZ+BhsnwbkYcaxvjSwe+DOIVPupR8GW+gis7KxwE89kqvnQhinamexcPUz4lGHlqO/Xn6jrJx6T/wXF+19epAzeHapYte3dTWNsdPwPLPJihT16YT5fwrLnH3zq8kexWz1crmnCGUoaBs4S2tHWHLgv2lTv0IHLx5F6ijpDBj/Avg9YILIURzdeea+rBxdycHasUDTVlJtYKRH5J+WbAKWI+oJ5qmXjIRUYL+O9xIUfOGO+1b3xs8MYxRWuvDV2P88N8vN,iv:yQQp5wjbSVn1oia5yL7d6GF9Vo704G0iOQRGMbzQHzg=,tag:bpBag5y5n+7ojOa8QOcDvA==,type:str]
 github:
    token: ENC[AES256_GCM,data:59z1zSofzUyv2Qfn8oS7dZplzJDtOD/zxhPm07MLbVLHt8mE57IGcw==,iv:nZ4JmIE1h496RN6BChvqo7XWHjur76jP4HMgqGBbMJQ=,tag:pUSGsofG7hvkvJxCRwkg1Q==,type:str]
+age: ENC[AES256_GCM,data:EPjip4/tz50e+blPko9NpzDamLRO6BVy64kDnGAhUJJ/bMw6V9Of8RzuiqUupIjEmFiUcgWf9ZsV5RZO3Ai9udq0W7mYS1Y/zn4=,iv:TBs/o6mp8t+S3Ma5/QhnLhzgl852HB3sEzKy9SvKJjU=,tag:2yMUVWPua2g0VOkaXpJzKQ==,type:str]
+user:
+    #ENC[AES256_GCM,data:a4mHxr7bn7BV,iv:FYQk3yv3XgxNO9CnrQefo3WqhO0Sf8Mihfp+Iw4AcWM=,tag:jebxvG+xUidghf5dOlvDYA==,type:comment]
+    zzn: ENC[AES256_GCM,data:xBSve41JclBYQULPN7yV/1Eyo3u+CHAewVetKHwjvl6Te0kk/+aLx6gs8EpOJGmVaiSAdt6F2ayHXUD8RXXpJIOnnEHk88kqbw==,iv:XPxMLvlVtaZvpWnau5Jwlj/5ty5Zyw4F44ix5G64Z84=,tag:uJfWb0PCebdMtxXMfueULQ==,type:str]
 sops:
    kms: []
    gcp_kms: []
@@ -46,8 +50,8 @@ sops:
            OUlxNjdQaXdXMkZ6bnV1ek4yZ2dpbkEKpKGOAxo5Eef2jtGrg4iSzmGCeg+vTgvu
            +K8b+O19MIkGMDBm6UbYUPtc/7eqoEZRiTUzNMTmfkLVS4ul5zou9A==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-05-24T03:34:07Z"
-    mac: ENC[AES256_GCM,data:+nJ/wuO5G6pEsCiBNEHOYrbiYyGXXIHu3ZUgEVwqLQ10W94EOGLUto61IGtkapk4xmaHYAVmUlq76g2hRGrndLVlUthGnEc5QoQKZoUmrxK7ux1R2ubv0s1k+l2HpRerr/I8X+hHyV0fdxT6ivkpq6OsEzHDnxgewDvYNZGQS4k=,iv:TuzO1Yo0MPms5RrG8+GbwSCOILp9BF7Jsv5JvcAPwFw=,tag:fUNc+ccQDE/jcMLuQ4thCQ==,type:str]
+    lastmodified: "2024-09-04T01:39:48Z"
+    mac: ENC[AES256_GCM,data:VkpF9zTWRLMriukAif6lfp8uy6+IcPDYUnXCQ5XLUtSstEyUoaVBjn+VVAoKkLX3MnyR6gyiYVWDDJmXrsyNoQpjRVQR0yu0p6p7sB3voGKiNxhw5qGwZj4IIXnHFWvktgWiawCiUkmSTUUHxe0XjAh7AWxjGqgAs/oyWGq/YfE=,iv:IQbJAhW/y18s57CAwRPeypQreBqQb0KkJAgIZ90QXJU=,tag:a0AB3l83j31Ex6PH9ziHRg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.9.0
--- a/devices/pcarm/default.nix
+++ b/devices/pcarm/default.nix
@@ -1,28 +0,0 @@
-inputs:
-{
-  config =
-  {
-    nixos =
-    {
-      system =
-      {
-        fileSystems =
-        {
-          mount =
-          {
-            # TODO: reparition
-            vfat."/dev/disk/by-uuid/CE84-E0D8" = "/boot";
-            btrfs."/dev/disk/by-uuid/61f51d93-d3e5-4028-a903-332fafbfd365" =
-              { "/nix/rootfs/current" = "/"; "/nix" = "/nix"; };
-          };
-          rollingRootfs = {};
-        };
-        networking = { hostname = "pcarm"; networkd = {}; };
-        nixpkgs.arch = "aarch64";
-        kernel.variant = "nixos";
-        sops.enable = false;
-      };
-      services.sshd = {};
-    };
-  };
-}
--- a/devices/pcvm/default.nix
+++ b/devices/pcvm/default.nix
@@ -1,28 +0,0 @@
-inputs:
-{
-  config =
-  {
-    nixos =
-    {
-      system =
-      {
-        fileSystems =
-        {
-          mount =
-          {
-            # TODO: reparition
-            vfat."/dev/disk/by-uuid/AE90-1DD1" = "/boot";
-            btrfs."/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
-          };
-          decrypt.auto."/dev/disk/by-uuid/a9e4a508-3f0b-492e-b932-e2019be28615" = { mapper = "root"; ssd = true; };
-          rollingRootfs = {};
-        };
-        kernel.variant = "xanmod-latest";
-        networking.hostname = "pcvm";
-        initrd.sshd.enable = true;
-      };
-      hardware.cpus = [ "amd" ];
-      services.sshd = {};
-    };
-  };
-}
--- a/devices/pcvm/secrets.yaml
+++ b/devices/pcvm/secrets.yaml
@@ -1,39 +0,0 @@
-hello: ENC[AES256_GCM,data:7xCy5PqPVdUNIdzqaGQLsPA88mAfRt6T57LjFDwOaTlhdejLPrBdyN4=,iv:dM0QWDpylPjnbtdNrjV8LHISNi/U718+xooFm0qTcbI=,tag:d5HbLG7yF3QRz7nP+4aeiA==,type:str]
-example_key: ENC[AES256_GCM,data:K5SD4k9jL5r4ZSUwNQ==,iv:mJrZshT0PKmT7OJE/ZBUWzq1Gc6xXymFbypxwQtQJq8=,tag:I4+AyMh+AVpmWa1fdIJpyA==,type:str]
-#ENC[AES256_GCM,data:vHj6+kNand8d1AzgXTaOMQ==,iv:j6b3SDqzVgY8U/puEm9UcpJYGK84gF/YIXzRbG0radQ=,tag:yzfXKHReJ0++3fhk2ztbBA==,type:comment]
-example_array:
-    - ENC[AES256_GCM,data:vRjjfVSy8g5mBZVM/oU=,iv:C+HE4Q157eNhEmcDJSMJINfMgztf6XfELCjotg8q3XU=,tag:JSQDItdYbCCs65tmbeR6tg==,type:str]
-    - ENC[AES256_GCM,data:xzfN6WiT8r8YcWtS+H4=,iv:btlOvqrn0pITT3rCTIjgS2b5TrfNKym0yPEnE7bJDqg=,tag:Wf40b8zBhrv452OKodkU+w==,type:str]
-example_number: ENC[AES256_GCM,data:akqZ12u1wl4Zww==,iv:hS3NBWI7o6dZLtsIsoVHYdtyqpUmbQrpMHPhRRzEd18=,tag:1voFm4LuupWJMGP3xd0k4A==,type:float]
-example_booleans:
-    - ENC[AES256_GCM,data:wWEU8w==,iv:rf8uwo+sP9YFyPmoxROVVmrx+q6Yr0PIOWznM96w9XY=,tag:nVJdD1Z7U8zVRBxs8gLvQQ==,type:bool]
-    - ENC[AES256_GCM,data:gVe51tg=,iv:eOJ2TOWStHpckNyYx2UdLcipshFpjcWtEids5c+Q8bs=,tag:0iSjlC/TgNfl7ZtXmttgaQ==,type:bool]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyTGliaUlvOVlxejZhSDZi
-            YU96S0VPOE5Ldk56WlJjTzBSRm9oYnBoQ0NBCnhJWmg3KzUrT1VyemRiSWtQeklS
-            UFFFTjdod0g1d1EvYWJoOElJSjIrWTgKLS0tIDlaQnJOMTZRUms4am1mQjV5MzFJ
-            QlhKL1ltY2lGZGU0clhIRTRsSW5BOTgK4gKbhvF1bV/YdKOxzqrecHPDAKPOd81V
-            YnWgLpP6h+zycx80iqwsfqiQJdPyDrfhB43ksn2oxsX0qXtLI9j9TQ==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1jmu4jym0e0xkq5shx2g7ef4xzre94vaxy2n4fcn0kp94dtlupdxqkzyyp7
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzRU1IRXZkbFQ4elgydTlv
-            VlRVKzJIWDVCZk5xaTd0Y2JXS2l0Mi85Zm1jCnNkS0NETm5SaG9WUE9Mb3RtbE5B
-            YTRmWHNXTk9hZHNBT0FxT1RNNnFMNEkKLS0tIGRWNWpLcDVtOEdGZHFPT3paeVo2
-            QWsreTlaVW5Bd2lZb3JZeTdjcG9WQlEKy3p4QnjPrJtfaueLKBzMz7VZ9QfrTer1
-            lEP8mInFprR65LtpoKabsTWQwkzURzB/OdbKSYG2o6Rlqy9L3d5eBw==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-07-02T23:46:35Z"
-    mac: ENC[AES256_GCM,data:OncqYSgPSoge5Nw6eh0A4cm0KXSQhmSpGIu5WSv38LdMto5fNLIK2VRIwaXfq9nyf10bxNN7xSADj2GPhMiwlHM8nIQXtxdlWsZfEOc/qOWM8nz+9DPKtKGD6RZcDLDRhNTDxzPXGWIuY1tDKQpUlt/iDlymSskcqSrdTfBqCGk=,iv:NesxRr6FXXApE8aafnAV3x6hwCoAxoEly/QkcyAQ8Pw=,tag:3o37dr4vKLqEENIdj8RHXw==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.8.1
--- a/devices/pi3b/default.nix
+++ b/devices/pi3b/default.nix
@@ -18,7 +18,7 @@ inputs:
          swap = [ "/nix/swap/swap" ];
          rollingRootfs = {};
        };
-        networking = { hostname = "pi3b"; networkd = {}; };
+        networking = {};
        nixpkgs.arch = "aarch64";
        kernel.variant = "nixos";
      };
--- a/devices/srv1/default.nix
+++ b/devices/srv1/default.nix
@@ -0,0 +1,73 @@
+inputs:
+{
+  config =
+  {
+    nixos =
+    {
+      model.type = "server";
+      system =
+      {
+        fileSystems =
+        {
+          mount = let inherit (inputs.config.nixos.model.cluster) clusterName nodeName; in
+          {
+            vfat."/dev/disk/by-partlabel/${clusterName}-${nodeName}-boot" = "/boot";
+            btrfs."/dev/disk/by-partlabel/${clusterName}-${nodeName}-root" =
+              { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
+          };
+          swap = [ "/nix/swap/swap" ];
+          rollingRootfs = {};
+        };
+      };
+      hardware.cpus = [ "intel" ];
+      services =
+      {
+        snapper.enable = true;
+        sshd.passwordAuthentication = true;
+        smartd.enable = true;
+        slurm =
+        {
+          enable = true;
+          master = "srv1-node0";
+          node =
+          {
+            srv1-node0 =
+            {
+              name = "n0"; address = "192.168.178.1";
+              cpu = { sockets = 4; cores = 20; threads = 2; };
+              memoryMB = 122880;
+            };
+            srv1-node1 =
+            {
+              name = "n1"; address = "192.168.178.2";
+              cpu = { sockets = 4; cores = 8; threads = 2; };
+              memoryMB = 30720;
+            };
+            srv1-node2 =
+            {
+              name = "n2"; address = "192.168.178.3";
+              cpu = { sockets = 4; cores = 8; threads = 2; };
+              memoryMB = 61440;
+            };
+            srv1-node3 =
+            {
+              name = "n3"; address = "192.168.178.4";
+              cpu = { sockets = 4; cores = 8; threads = 2; };
+              memoryMB = 38912;
+            };
+          };
+          partitions =
+          {
+            localhost = [ "srv1-node0" ];
+            old = [ "srv1-node1" "srv1-node3" ];
+            fdtd = [ "srv1-node2" ];
+            all = [ "srv1-node0" "srv1-node1" "srv1-node2" "srv1-node3" ];
+          };
+          tui = { cpuMpiThreads = 8; cpuOpenmpThreads = 10; };
+          setupFirewall = true;
+        };
+      };
+      user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" "GROUPIII-1" "GROUPIII-2" "GROUPIII-3" ];
+    };
+  };
+}
--- a/devices/srv1/node0/default.nix
+++ b/devices/srv1/node0/default.nix
@@ -0,0 +1,46 @@
+inputs:
+{
+  config =
+  {
+    nixos =
+    {
+      model.cluster.nodeType = "master";
+      system =
+      {
+        nixpkgs.march = "cascadelake";
+        networking.static =
+        {
+          eno145 = { ip = "192.168.1.10"; mask = 24; gateway = "192.168.1.1"; };
+          eno146 = { ip = "192.168.178.1"; mask = 24; };
+        };
+      };
+      services =
+      {
+        xray.client = { enable = true; dnsmasq.extraInterfaces = [ "eno146" ]; };
+        beesd.instances.root = { device = "/"; hashTableSizeMB = 512; threads = 4; };
+        wireguard =
+        {
+          enable = true;
+          peers = [ "vps6" ];
+          publicKey = "Br+ou+t9M9kMrnNnhTvaZi2oNFRygzebA1NqcHWADWM=";
+          wireguardIp = "192.168.83.9";
+        };
+        nfs = { root = "/"; exports = [ "/home" ]; accessLimit = "192.168.178.0/24"; };
+        xrdp = { enable = true; hostname = [ "srv1.chn.moe" ]; };
+        samba =
+        {
+          enable = true;
+          hostsAllowed = "";
+          shares = { home.path = "/home"; root.path = "/"; };
+        };
+      };
+      packages.packages._prebuildPackages =
+        [ inputs.topInputs.self.nixosConfigurations.srv1-node1.pkgs.localPackages.vasp.intel ];
+    };
+    # allow other machine access network by this machine
+    systemd.network.networks."10-eno146".networkConfig.IPMasquerade = "both";
+    # without this, tproxy does not work
+    # TODO: why?
+    networking.firewall.trustedInterfaces = [ "eno146" ];
+  };
+}
--- a/devices/srv1/node0/secrets/default.yaml
+++ b/devices/srv1/node0/secrets/default.yaml
@@ -0,0 +1,56 @@
+wireguard:
+    privateKey: ENC[AES256_GCM,data:egNwovz+DTKoaGs/QQXR3MD7AImGlMlBnYsAZ1nuYnlgTVPM28aiLJ4iLGM=,iv:cFcf/sjqTmGqceNwHnzrhs1IvhDPRJi5YkyFVpjrsrs=,tag:yUwvNYCHjK+7+xkM2cuQNQ==,type:str]
+xray-client:
+    uuid: ENC[AES256_GCM,data:6JzTyJ+GVzLd0jWfvCc2dBdBVWz6RFH/8Gr73TNz6dNCyQjG,iv:ddGpYbIHN9PV3w6Oh65vEvv82jTChxgMdltIRPz++DY=,tag:nbFFk3S/y0hS3NFWGLPVJQ==,type:str]
+mariadb:
+    slurm: ENC[AES256_GCM,data:IoRiruMV+bdf4qTSQBy9Npoyf1R0HkTdvxZShcSlvxlz7uKujWnlH4fc5eR6yytHcEZ9uPLib9XbGojUQOFERA==,iv:E0ac0DyhplaHEc2WmcXY0Fjpkt/pnY9PaATe0idqCRA=,tag:Vo/DBIUO6DBFCXQ1RLrchg==,type:str]
+acme:
+    token: ENC[AES256_GCM,data:k5QU1aHvd/hSG4yncffSwnxQvhULHd0I8wtrXD2FcOH3SWswkmzMOA==,iv:WB18Wsl0nxUQ6Om3SXP5+0BtFbNZ8fCXTyPJqj6a9Ik=,tag:dKpr52W7Wdwws87r3hQxqw==,type:str]
+users:
+    #ENC[AES256_GCM,data:rNA32tcCmriP,iv:No3Hyee58jDzZaXOD8SJYzgQXXs58oAddwC5Q9mo55E=,tag:RgZO7fgZkAr3Pawqt0dwmQ==,type:comment]
+    xll: ENC[AES256_GCM,data:kq6gpuxBRbDP7Yi16WJrrsumnSfersI2kP5pT5efn5CjbL65JaW/Bff9P4OM6b3J21ObT0uRSmParBqW4OvN/UA4KXDhibqwRg==,iv:GvpNgy8kREgxp9v0cyIobgg2ZrrxylMmwq1hRaAoNA8=,tag:RpD/1FjWVglzt8sIAjjpsg==,type:str]
+    #ENC[AES256_GCM,data:nl+uNO7GVV4r,iv:8hUmN4uWOqJE0g1aYA5dqQq+0oCpYGKe//yuECpmyBM=,tag:79XibRYMadJNE5Uy1O+4Jw==,type:comment]
+    zem: ENC[AES256_GCM,data:t6zd/9ZoJWEkPhKyfaUXWQM2Y2unpUUq79SEKSt8nmWCQxlBk4PzMX031CwNde/0A4G3ARyIoU8vcFqp8NaBMA64INccKccrGQ==,iv:QOKpu7lm6uiPACNGa0QvHP81PP/4doS3r95h8/nexcs=,tag:J85l6pYh9WT/LyMbTrw+vA==,type:str]
+    #ENC[AES256_GCM,data:7SGmLzQyXKWo,iv:lr7nM0r7eMc+sCNO8OgwwELH41zTk3W/1i+0rnTc+9s=,tag:ZOkLRhEsFXX6bODu6wUyiQ==,type:comment]
+    yjq: ENC[AES256_GCM,data:8TF316O4M3UDoSA7rjBn12vUdHOcWXtrvuhqa6K65NaMhHU9rMrPHEikr0tqe5B5ojhh8PRRe+X/Dq19L4rJXThRfzdhALZzsA==,iv:2plZ2m0JuuUMQqYnyETCPH9x5jnLtNl396zvv7ay++s=,tag:X7YSLQOE9xnC63RWCht3GA==,type:str]
+    #ENC[AES256_GCM,data:yclOn8oHwLYQ,iv:Ba7Q84z6e9/3lv43wdN+bd/aqO/y5qR5I6Z5O6o7U6E=,tag:ecaNN9MgZqDYBCbTlsOZtw==,type:comment]
+    gb: ENC[AES256_GCM,data:piD2eh5iUXnCEkEyDULPkjbEG4Uc4izoVAuscbb9TPr7Q9WhCJX3FGRYrQp/wmZQ6UETR1jTejtbT9j/kI96BcN2onlwO/lqvw==,iv:oFWeoDp3GQA8aR+/AcJnhkovOWx7MgHoCKy5xdPIJMo=,tag:n2E+zuKckNAU7mOCJW+f1Q==,type:str]
+    #ENC[AES256_GCM,data:hfcOjdrvK+YD,iv:8rUsS1exsOx+2YEgdATNcWGKqmaCNbpY1EEq1Gv1utE=,tag:Z0lq2ctHBWDtx2tyxOSIBw==,type:comment]
+    wp: ENC[AES256_GCM,data:DUfGQpSg79W8KD/SWC2B4FqoPGoCrd1miczAQR5YApD00QopMmeDR28uTmHru2KU9DsjkdnWEbgfM49CwXt5FFJennqW36oYbg==,iv:D9+3CMZlJIHm+u14rAEikQoBM3jBQN8Lnx22DN2EIg4=,tag:ZegZmI1kf7Whcw3EE9dwPQ==,type:str]
+    #ENC[AES256_GCM,data:6pwUu43Lu5/h,iv:lZQ5F8v9VZRGuUoEMH15JLvx40N08ahTEbdEoKEuvsg=,tag:zPMQy6d9/RcukBO1cyeM4A==,type:comment]
+    hjp: ENC[AES256_GCM,data:dqoQ9hUbptm0//mlcFRrqLh1NpjxFPH+4jeyMG/x9Zvkszw7d71jvkO8KEPBfKnXpPBP2lvFyEqooIMWQJPYiIszHt2f0qSC7A==,iv:5nRcsaylcx74tQR1KddEpZUhmcynMvdHCcJYA7wfJnE=,tag:bGVKD1aDZJUlFg/zagP/eg==,type:str]
+    #ENC[AES256_GCM,data:Idordi28++/e,iv:5TR6Z14yluxPhrD7ye2mXEQpD53qS9/ZJIZ+S1sTqco=,tag:IkmLWXdxDmFQxtpJxL61pg==,type:comment]
+    GROUPIII-1: ENC[AES256_GCM,data:JuNtb5SRUrxfyjWFn3Be7EU51j/HlwiOpuN0m+Picf/2Bs97kflGnqGKstVRIjWEn4WzqscSaLRsbP9uFfSBHeJ152xfyOqkww==,iv:mQvIC6v+1fziRDYHYSFMOKof1ZcoFskpQDiCAF35sa0=,tag:0IL2VvdMorgE6oziscAB8Q==,type:str]
+    #ENC[AES256_GCM,data:kyJP952K5atd,iv:TLMUPKshuWqbQ6koiZ9eTXcoDS3jLXYy/gCZbMGrRl4=,tag:M2tLLogovoG2PCojt9CJ9Q==,type:comment]
+    GROUPIII-2: ENC[AES256_GCM,data:ifWnLx1YEewdviqHK8fdesM3c1m1T4g6twnz1cGv1yc4jit68pQWLrRMivdsM4tUcyU9GKwCaElVlvh+dgyy8EZQPKCbvJX6GA==,iv:T5FWReeZ0QOkGJiNfrVrUBhAhbXxlFQJKqQV2tzw9AQ=,tag:XClXGZDWGuoGxzPW7ne2Pg==,type:str]
+    #ENC[AES256_GCM,data:t8QUVYG4v7fE,iv:N8hDAV7wulPHcfnYTXuZRhb9dQPZqKpfMKK1+ITaZTA=,tag:eKMJDOmqoWWQbv/mm3LaAw==,type:comment]
+    GROUPIII-3: ENC[AES256_GCM,data:VlAA+g7SRZyhPSl0Gd1KS7dCwNgRA/o+d8anN88A7E8bSE1ckeTSp+J4YrbbUlLasLhliOZ/nDC0rti+hckGCrjMwweMorSIWg==,iv:7u1yNrN7uxHCF1MsJ2qt1jyQ0ZYYCYKUHwRff50P9oI=,tag:3raCWjdButfmcdy8mH25Jw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZQUpac093NWh3bnZqWkFY
+            WGorTlk3WWJRb0RYVWVQc1JacU9GZDhFN0RnCkJkQnJoTkZtYkFEQ1JDZXA1Qzdp
+            dWxtc3RFbUd4TEZobXBQVWVlL3VETVEKLS0tIExoMUNidEZob2dtTWhmS0VHbDJn
+            RFNiU0xMOG1UNVY5TTYrcW1GTnIwb0kKyCl+eqpGtqN047+t1C/c1prIaP3tm1jk
+            1ObtsmGwCxDyIkayqB3WF9DWhNHipXHZXrWT+JQJTD30BABBex+ufg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1nzetyehldf3gl6pr6mu5d2cv387p8wjqn6wfpll7a3sl8us6n38s0ds633
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3WXJ0dmh3RTBMci9pVVh6
+            cWsyNHVub2U1RFhLSnJPSFI1S2lGV21nYm1ZCll2TUQybmtaaTdYd0dGSXVNV1Y3
+            TC9zbWJQOENsQm1Nc1ZwUTMvczJGK0UKLS0tIHJRemNhdWpRa1pkRnhTZjhCODNM
+            OThDMWRsWnVTbzRGTTZqSDBkNWZJMlEKdQ/ipO7O5OvaGa81c2P7fi1ncufueSzX
+            2njlHHz1gJCtjpktYaVvS6KSYtJoI9oNrF0YN5D/3kKW8TicsSGKaA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-09-29T06:38:23Z"
+    mac: ENC[AES256_GCM,data:n7MVBKCUW4xpIiVO4ysBqlG89LjzpDBx9GJWQTrSenLWV/YrIGUxA6QDlRg7yhqV9ldF9Q7hDve1KHw7OxKRx5ot5OZiD3Bq3TwJfS2DarJ2vi9oc1J+CXXach8gp3m4C4RkPJ/y1i3jB2nRfSw5Z/TtdPMbvGXlHh+hhriAqxM=,iv:tyBcXMZzgeUOgYJtU1XkptPOlNoFwH+4z6xTD89aKOw=,tag:apXU989ZL+D8WhWKFTdXTg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.0
--- a/devices/srv1/node0/secrets/munge.key
+++ b/devices/srv1/node0/secrets/munge.key
@@ -0,0 +1,24 @@
+{
+	"data": "ENC[AES256_GCM,data:ul1xMmQ5FZVIKct4KbgnTStsT5cH3sRvmaApZez4WZ36zF3q3M4o0dcwuWXxl9Ay8+Kd1zzUCZy26FRj85IwAel6POkmIlXl51Awou3iWuGBqUlS6IL9MIERMR6lTlisOK2l2PJ7IJBichFwwDrxImnt06B68Z7JWOyrLMfQhwg=,iv:nHePsGpRWMj4CdZ8wxr4xCJAcSndHsRju+AMyK54vNw=,tag:+CC0EJbTmIjRijr1SZpF3g==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqRTJCOTJqclZqV2ZTb3NG\nSUV1VVNnUVpqZGVCc2hlTVBkQUVtVGlQdEhVCk1aNjhhbDZuajhQL1l1allHOXV1\naGRoWEpTZ2haTFFqRDhlclEySjVmMXMKLS0tIFpPdHZvekhDaS9yam5GSEVhZFlw\nZGN1QTVYQjZuUXd0NklqdytYRjRSNWcKC+AmUlZiefdfnP1l/sbQHBUaZGN6ciT8\n/yI2ed25uFGwCo0h+yLywbuNQTv7AiBFM3R+KBSjNDkFSgiGfblVNQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1nzetyehldf3gl6pr6mu5d2cv387p8wjqn6wfpll7a3sl8us6n38s0ds633",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0VHhFMi9RZ2VjeUxqTHAz\nZklRbkRGVkg3NDR2elYwbXRHZ1dSQTEwNXl3CkdidmwwVUZJWDllRVdYRWM0WEtX\ncXlHbnlZd1h1Ni9UTEtHK0Z2YzNHcWMKLS0tIHl5ME9UaDBFSkRXeEh4OWNRajZu\nOUdGcHA4Q1I4dS9RMUV0YUZBYmZyK3cKSxvVdG+P9+esK3miJdW9BqgJdEMEq4iS\njWgh5lmSQaat3UzjkOVPPp9Xu3DRpzTFq+dM8bdGDTbzAdrUhxj87w==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-09-15T11:11:36Z",
+		"mac": "ENC[AES256_GCM,data:bV7T1HfvM2n8+Vus9oDO5yoWDGtWYOd6d/zJ86/sXB4psg7aXVNedYSn+98SJdpYKHRcSuMJ9D4h62nAawERB6u8EmW8kxh8fuVLb6tj+9fWF1iVqinL4LE3916+XzMqGzGVZZEXaVtPHqOue/D1sYtBrBCOEMMyq0cmLFY2JrE=,iv:eSrtmJLARmwuAQ1//x4XqCKDZybJmMtyefWyLPk+1j0=,tag:M5W+vO4RjVwS18C9wTIe2w==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.0"
+	}
+}
--- a/devices/srv1/node1/default.nix
+++ b/devices/srv1/node1/default.nix
@@ -0,0 +1,28 @@
+inputs:
+{
+  config =
+  {
+    nixos =
+    {
+      model.cluster.nodeType = "worker";
+      system =
+      {
+        nixpkgs.march = "broadwell";
+        networking.static.eno2 =
+          { ip = "192.168.178.2"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; };
+        fileSystems.mount.nfs."192.168.178.1:/home" = "/home";
+      };
+      services.beesd.instances.root = { device = "/"; hashTableSizeMB = 256; threads = 4; };
+      packages.packages._prebuildPackages =
+        [ inputs.topInputs.self.nixosConfigurations.srv1-node0.config.system.build.toplevel ];
+    };
+    specialisation.no-share-home.configuration =
+    {
+      nixos.system.fileSystems.mount.nfs = inputs.lib.mkForce null;
+      system.nixos.tags = [ "no-share-home" ];
+    };
+    boot.initrd.systemd.network.networks."10-eno2" = inputs.config.systemd.network.networks."10-eno2";
+    # make slurm sub process to be able to communicate with the master
+    networking.firewall.trustedInterfaces = [ "eno2" ];
+  };
+}
--- a/devices/srv1/node1/secrets/default.yaml
+++ b/devices/srv1/node1/secrets/default.yaml
@@ -0,0 +1,50 @@
+users:
+    #ENC[AES256_GCM,data:dgM035YLtZfl,iv:h7pHQ6YFa4hxcHMihQTegHmkaCMlfPtqdCqvJxSsXt8=,tag:V2v9C2TfErIOAihtTQpnSw==,type:comment]
+    xll: ENC[AES256_GCM,data:/YL4vowFLFbbYv06yaKWZH5UNBKs0L6LQ+6O0IsiUZpgW5fGfp2A5JTlH6ne7RGyyTE4GNId0MC7byQbTHHwO+5zVYWpzjDCfQ==,iv:5/VKGsIohoutZf3F4Qj8PruAXSivQ0zsg1pwLwZbCLs=,tag:/vsrCISEbgQ7HnubWOtKow==,type:str]
+    #ENC[AES256_GCM,data:oT8PFxQdwEt6,iv:eD/wF2toUAT991S0aO7NklpKSnMDH40+73IhU83H9t4=,tag:mxxAUdfHgC/hlvmLc2MlAA==,type:comment]
+    zem: ENC[AES256_GCM,data:RpmSTr2ZKfUNWg5vYbKB00AG18GNQs+kgx82E9Mg5hoc3HKmbAyIzjxloMn/Bw3MOTnof6Cf1ZzVCs53Wz8YbZFClLEVdKhMKA==,iv:NQJQOxQa/RaGzvGgarq5kWL8ojB1bejEiqJUCJLxgyU=,tag:8cFFQ5kKpZji4YvEYOyzOg==,type:str]
+    #ENC[AES256_GCM,data:keNqy5SdClQT,iv:N5LX7VJEwLHQ5HsFINs6LupP3rv/XAWFR2e/S52N+Oc=,tag:cqBh1bL1jAEk3mT0pLDd5A==,type:comment]
+    yjq: ENC[AES256_GCM,data:TagWplgUyhaEAuFpup0TRIxWXIEGwsG/V+gOo/pXSGor30B/BF7+wVozYTZ/iSN7OJJw8I7IZGvxvh0v01BGz1RQO6MEEpSj5A==,iv:TeXXYlhfae78cJFdZk0Nnm24sP43wi9UM80vHwKfXFU=,tag:lhae9Ona5OMlTBAJg3PiIA==,type:str]
+    #ENC[AES256_GCM,data:jmRMNpJLMqEo,iv:UOfzRSPDFsJ52sa2FVaQsVcU2P2bOYPzh4JLZ/8+hCg=,tag:8rCEYFELB2geXhfUjfZ18A==,type:comment]
+    gb: ENC[AES256_GCM,data:RneeGyzmdxCceKPzOHaTtS1l6NzuS07NYBxYrLICMLWHPog08FTINWEZx1JmqbAloVna3wE43kPPa9s1w3VbtPBhzRpTVZfUtA==,iv:1vu79FhPiWQ2/G5xzzBdyc790yv/aYKIQFPhaDpBmoA=,tag:vkpT1bDfVufBkDmOs7RomQ==,type:str]
+    #ENC[AES256_GCM,data:swW/4Fii+fHz,iv:9UZ8W6RY+n3XZkDCxSP/CQQn1Ji+mo2aqgmG9wTF/I4=,tag:2ifOyc0oGzM1iM3rouvvMw==,type:comment]
+    wp: ENC[AES256_GCM,data:/cIBL7orNYqu6Ybahdd1UVdTbS1SHr3GGb3ib4FDxPUlp/Xr4ARMX+01N6pOahVYwE8Hwp6nr4TdvwFpe2/AE6v2rbyclSzJgA==,iv:ZGwmAgwiC15K5NhajLCTiuW2mLT2gt0KUicDFmMY+JE=,tag:8rcoY6/weOkML90FyDfiSw==,type:str]
+    #ENC[AES256_GCM,data:6KbDgRf0Lmsh,iv:2vhLHgIzhCrdvQ7w6lCPKOmLlOVRJ5gJ+Pw5NSiMVVc=,tag:E6PwWCsUn3tZwV95zFbwhA==,type:comment]
+    hjp: ENC[AES256_GCM,data:0hzP2t4ck/0GVa2OoZxETCSQvp0QYN+0MJYl5aJ5hzSOXbwBPlTcIbjckpWDacx4iKGw+skhv1Nhz9lGrhgvddzqb/o1GWkKUw==,iv:OzKTIxDm+AgDAy4rP31kts0PKHuNqBZWc0Vsvh6X8CY=,tag:7Y/6qP+TJd1o0a96gKq5JQ==,type:str]
+    #ENC[AES256_GCM,data:PQmtt6/8T8Nm,iv:ZDUkaQts3hUQ1nncynoGw8gNV9jYvnXz9rOaqRC6yLE=,tag:jN8sUWnqoWbMlkLEqVKNkg==,type:comment]
+    zzn: ENC[AES256_GCM,data:YNB9leH/qgXpApA+bnsZiBlfbQSEiOoqhDgKCbwz33zPVc8KRShSS4kWEseiMlYLv7Kfbfy94cEKLOaWBjuRmMrODmC3HZ+rtQ==,iv:Ju02Sz0PHoBftz2W818hmXQ3J/fzLacWv+gy4eGXvjU=,tag:B6mvgWUclyHXgno07jhXQw==,type:str]
+    #ENC[AES256_GCM,data:UVi9/5NV0ySV,iv:E7ZZvvf6lNJdT4esykilJxhpTu7gqmu9w4w8rII/RSk=,tag:pnl3G0qt7ZzXlA9YWo7LiA==,type:comment]
+    GROUPIII-1: ENC[AES256_GCM,data:M4LHqgN/WYk9Nh7Pawft1tplh/FiADu6GoyImyLGBk8rbNNLT5AXuNYGj97tVYxI0Hwek+zhnmcjAWdDtmkVzE7TcD1WAZbkTA==,iv:GN/jHnEikITXkLRR/tXnhYiTE5bIDOg1d9DrYeASoY4=,tag:hkoAHHYX+q1topjXkRyK2g==,type:str]
+    #ENC[AES256_GCM,data:EVL/9hYcFl4F,iv:EZ8PMqklNEky0i940vwyQFXrgBoQRwwGDjBgRB18KGg=,tag:cnQzCU7XZ0EO6ojGaEk4Dg==,type:comment]
+    GROUPIII-2: ENC[AES256_GCM,data:7HOyyFtPjhxtvz3cG561aslZ1Ct+DmR290XOxz34sA/vyA+gjvHTWoIpKPGVzSU8vGfaLLV4ta/nOUsK/VfUj00ngwTdkEDkrg==,iv:rkDAE24gaE7MzOcIUX87oMyK6ra0Pt/vUNrIV9p7aFY=,tag:24NTkSu8Fd785uC2Lwr2XQ==,type:str]
+    #ENC[AES256_GCM,data:sa3uVs8+996Q,iv:eN3S4x/UROkZWV3U2pZpvULgoPdh42lM/Q+jZ13ohsk=,tag:IG0q/+ti4tthAejVp7MCPw==,type:comment]
+    GROUPIII-3: ENC[AES256_GCM,data:jfeQWLGUWK4xfgRtS9RjjN76D+JLqTF526SI0XeYnUXtCsKhJYE88hgVnn7m/Af9g1OCj08+UDsM8cyKOJj3+m6h+IZQzCS4bg==,iv:Syf3SYAFvOtfOy4PeA/PcYbuUnABk6f5A+OmZYtdwv8=,tag:cib1RuKxGffjB7R5GSxotA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvaHcyMnpWRTAwRzJ0MTFi
+            elk3QXNqdXQ2MEttNXhBOGF1Vlk5cW12YTM4ClRkUm5zUUo5NjVrNnBlSFFPOVVR
+            V3VxVWZQQ0VvTm9KZ2Y1L3BpRkFDTjgKLS0tIDJadStsQ1Vya0FMa21Da3ZhUDVN
+            RVVTQXY2NkdzbVFLY1pYYTRLSGM5WDgKbFabN/iH2YDJaSXdm+7EebKS/As1zH43
+            HjUp2LHN85/WQEx3VheZRGJBwpNn/Tdunhm0yTdNA1jpzQnO9bIMXg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1wj33xt8nj7rhnsenepsf6k3lmq5vk4wn84jwr55qy9cwu05xn5cspg3h7t
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1TTlxNWhMS0dJbkZRSWsv
+            MitoM1NicmJzbVJBZnhUbnlJejBWVzU1TmpnCkxrVEs2eEE5VnVDN0NNaFZ0b3M0
+            SXFmc2JxblAvN29Eb2ZrR1llZkp6cmMKLS0tIGdQMjNIRXY2UGIxdGk2Q2V1MXJO
+            R1BkT1hoSWo1RlJnU0pCdTFYbDFoZmMKKF7cND1jSo+neTTJ+GwW4T0RTOX9mbME
+            58wjAtkrKSD2vDFMQ/vtPNiohAt6RMdClLVm50yh7Oh961YmvJYnbA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-09-29T06:38:35Z"
+    mac: ENC[AES256_GCM,data:UWDwXUfk4R9CfgU2gv1NZsusLq5+VTsvjGQNst99MuxLz4sox8CZuuYsDLB2dobKrJua107yqhbM8Ps42JJVHZEf3WHqP08tRbdIWNVoakYR6UJlNS3WZVR+LlheQI5PfJqPqa7VFgZeSVm7weIPCHqvHt+ak76oyJK1VsI0f+k=,iv:VL9s+LUA/TrOsJNQWC0/v0Yh+hT8uh2vitc9h1xHBEY=,tag:iA8yMpm+0ANAC+2BLN9Agw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.0
--- a/devices/srv1/node1/secrets/munge.key
+++ b/devices/srv1/node1/secrets/munge.key
@@ -0,0 +1,24 @@
+{
+	"data": "ENC[AES256_GCM,data:GHsftJ/b50XSTy3wCX/ms8iGhs7oQMrqw5R+7PxrjAm/VzcYJbAQjYButIeNYB2/r87IGKDEMAskowocqyuhamTZS9n6eElDBZrEoUXc9J/lZvXrNqBa2pDsR5a58X6Paj2kMn8Ke9M3vwHcgniEgZtC2h5u6VwbgPMZniqYT5w=,iv:KhGKrf0tXdLb0sWc6kB9lXjj9jOU+wsy76xGFRmwdz8=,tag:s+NBphi1n00GflKqujZcfA==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPYWdxSzIrQzRaVnh3K292\nVGkwdWUxanpQbEllWlNvaHBoQ2VYR2pXcVZVCk14ZmxlK1pSWnpCZC8yaE84b1Ew\nNTJUTDErTUVxZzBqdGFORDc1TEo0REkKLS0tIFZJeFIvd3BDOGkwenMrWlAyVHdh\nTzRHNU02RWY4clJ4dk1IV3R4c0VTd2cKeX/tLKOnkbcAhkgCY+T4XWBgc7eUFecn\nfqd6Kxfg6P75OT6Z4ACKsHDGznGk8fYk+Ms67MSCGzr1HXaR14/eVQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1wj33xt8nj7rhnsenepsf6k3lmq5vk4wn84jwr55qy9cwu05xn5cspg3h7t",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxODlXSGpsYk5BZ1piSUhX\nUnlTQXpycmV3YlhLM01SMXZ2ZzFXWEU5MVNZCnVUNFRUTTVNaWVUZWY4dklFMmhW\nWUc1azJFNGJTZFVlRkdSZEd0eUozbk0KLS0tIDhUTFE3cHpFblZTa056R0lscHR4\nSXpoT2QrOU9mcDV2ZjR1bjV4cHZCdXMKyVyxBRY9oyhfj0ZMVRtjf8TT0qRJULwN\nosghj6bPqOFl3C9zBne1Xn/2mOj5lkMZP6MAMPtaW8nvsf/LkZx/Hg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-09-16T03:08:59Z",
+		"mac": "ENC[AES256_GCM,data:SjmuJVeJsamHE7Yv5Lvoyjp0CysTo3K1nyJgPI7KKp21H8Xq59g9/zbth4pCdIMHyt43MNUXFkhYD/Ox9ySoDEi2pr7H2kM9fcFM0W/ObM/gm/lt5jTLzzS+OkKys+Yw/WA2nIStSNq7rAb/SKFbHvj1P9YBsJxlOnBzTW7uu8g=,iv:tNjnqRX1D+vY8w7RxZzo+HdfjK9pXJpB5MKnb7EyUXk=,tag:PuLU5zmUH14ZxuTUPIz20Q==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.0"
+	}
+}
--- a/devices/srv1/node2/default.nix
+++ b/devices/srv1/node2/default.nix
@@ -0,0 +1,44 @@
+inputs:
+{
+  config =
+  {
+    nixos =
+    {
+      model.cluster.nodeType = "worker";
+      system =
+      {
+        nixpkgs.march = "broadwell";
+        networking.static =
+        {
+          br0 = { ip = "192.168.1.12"; mask = 24; gateway = "192.168.1.1"; dns = "192.168.1.1"; };
+          eno2 = { ip = "192.168.178.3"; mask = 24; };
+        };
+        fileSystems.mount =
+        {
+          nfs."192.168.178.1:/home" = "/home";
+          btrfs."/dev/disk/by-partlabel/srv1-node2-nodatacow" =
+            { "/nix/nodatacow" = "/nix/nodatacow"; "/nix/backups" = "/nix/backups"; };
+        };
+      };
+      services =
+      {
+        xray.client.enable = true;
+        beesd.instances.root = { device = "/"; hashTableSizeMB = 256; threads = 4; };
+      };
+      packages.packages._prebuildPackages =
+        [ inputs.topInputs.self.nixosConfigurations.srv1-node0.config.system.build.toplevel ];
+      virtualization.kvmHost = { enable = true; gui = true; };
+    };
+    specialisation.no-share-home.configuration =
+    {
+      nixos.system.fileSystems.mount.nfs = inputs.lib.mkForce null;
+      system.nixos.tags = [ "no-share-home" ];
+    };
+    boot.initrd.systemd.network.networks."10-eno2" = inputs.config.systemd.network.networks."10-eno2";
+    # make slurm sub process to be able to communicate with the master
+    networking.firewall.trustedInterfaces = [ "eno2" ];
+    # add a bridge for kvm
+    # 设置桥接之后，不能再给eno1配置ip，需要转而给 br0 配置ip
+    networking.bridges.br0.interfaces = [ "eno1" ];
+  };
+}
--- a/devices/srv1/node2/secrets/default.yaml
+++ b/devices/srv1/node2/secrets/default.yaml
@@ -0,0 +1,52 @@
+xray-client:
+    uuid: ENC[AES256_GCM,data:U+unsiKt9vNo/EXEpLHR0Ny3DxQEwx7a40KmwZDZki7RQEuM,iv:7w90HNM5lfh2VY20AcUEVdu5X2uxqXxR0hARncmMR60=,tag:xIbKc+9SF5LP/tY/XoGYxA==,type:str]
+users:
+    #ENC[AES256_GCM,data:bAA1+Mx9xsFr,iv:5GWh+DyuRydCKm8K1kaiTJIt4ReEugHFnKYfan6RAE4=,tag:VqcWjIMIYhkSj6f/ZclTVw==,type:comment]
+    xll: ENC[AES256_GCM,data:lqzwlETuKuKa2wh+ickMFiWyprcnIBfRBjri+NWoltxib/LWzEEbyetRc4AKyVaBiDhsOTw6MazPNy2mhcAFwb6pM+QKce5ntA==,iv:VaGQux8MJNPZeHwDpM+yJ47XvOul0qRE8xVdSWjYRhY=,tag:rBWdTPmJX9YsP0l1FtVbJw==,type:str]
+    #ENC[AES256_GCM,data:AgppEXaJcXhQ,iv:gI4nUzfy7w9yqaWlT1NYk1cHdErCJsrlilwYSGxxCdw=,tag:/A6zwbvQdhX9MLfAdXIVqw==,type:comment]
+    zem: ENC[AES256_GCM,data:t0rCwed8EzXbEuwTabzSLUd/Gln3YD9IT56JNVHwlodAvFYwtTDJe3cy7K17TmIkL1Nk/hAGzQ2BIZJxaKq7A5pSNIUO1zqMUQ==,iv:jSKCoNKQ5a91kK19w5mE0lJ9lh391ACq64UtLvJ4kLI=,tag:d6+IrgLyCw05vvLcCF5+yQ==,type:str]
+    #ENC[AES256_GCM,data:s39KO3hHcrOK,iv:ICtP2r9JMjcieHZdyHpj5Z1DympJUcHq2jPpjUwSOzM=,tag:Es3YS+mEg5I3SIujfs50jQ==,type:comment]
+    yjq: ENC[AES256_GCM,data:gOc59J2eiND+qJJRwLYvTymfrjWNRWw8IwLxDdS2cSu0yTN5SWF1eEg+tYmDqqhPmXkIlenL8VyIZD2P+Qi+Vi7l1pZMnneRCw==,iv:TsWOmHlClMgpXbNsCyvs+wkTvvKViAooA36+O4eQesk=,tag:jp5ZO9tlCPNTNZXWXCUEeg==,type:str]
+    #ENC[AES256_GCM,data:JmmZl+8nta5Q,iv:qWGS5i+ntmJ9x3HFClVdfypQKqSTUx827OFu/wxx3HQ=,tag:SzvgJtIQb1Z02GDwkAhveQ==,type:comment]
+    gb: ENC[AES256_GCM,data:pgwGyp/QC+h05grD345pJrJefm4NWd0e6mQEzrsqCbjMi9Ak2nUD+K09mIKQJ39NttC+NQZezRmKUJjDBH50s0O69nBlPOJtgA==,iv:ZLm6KUzD8fTq4YpxhdYjtp7bbDjP7Sy+0fnDO0W5GY0=,tag:H2mNHIQvHe+3YzZ9ITVdOg==,type:str]
+    #ENC[AES256_GCM,data:94hwxSaMkbIB,iv:4Xjukoo7rxeu4SWjwFeLo5fwSX6a8mpkTOIpnOnR/Io=,tag:XOjY6ziyDdMNo53NFSjcJQ==,type:comment]
+    wp: ENC[AES256_GCM,data:9/aVAQskZyQrfhVFVHfpdTWDLdoP2ZO7gG6bNcRpOJEBle3V9XqVSwmLViIIysy4XxoR3cym/7WXB96O3C8feK7sbihaRpT+Dg==,iv:WPnDArVKqV7u3EIQ0CMectK1W6gXKOo37oOybyob3As=,tag:1R/0qjRzif4/sTFSs55NuQ==,type:str]
+    #ENC[AES256_GCM,data:RluXnmnn8CAI,iv:OqzKfed5CARE/KKur0GXDpLBqStEva7YVoQMQX4+FnU=,tag:prOaqWk6ARxEKvnhOnCZhw==,type:comment]
+    hjp: ENC[AES256_GCM,data:Tb9vCi68B88UZc/ZVSxEI+esKOLlFcAPAaMk9FDmkBycZmzDjHfkUKCxVcOMtqeNSluVZ/5IFgowaYbk9ncK6yoYTjXjj1Z0lA==,iv:COs+ijt0h+UygyhWDQV23NRd/xBcfeqz6CO7D+xw7t8=,tag:RaIMaGrgHkidB9vqLR6cNw==,type:str]
+    #ENC[AES256_GCM,data:pymPvP+KjTd2,iv:g5tmBMQevuzES9FVlRten8Vzy5nvgamDNPo6Vy018T4=,tag:sMYZAyyAzEyS5CsAyC7xtw==,type:comment]
+    zzn: ENC[AES256_GCM,data:CJ8cOBjblYIc0GoiPnIbbWfYDfpQW5u31R9T/P0/aVuxi6P44wYYH0posVGthR1laqHIlu8bzgeRyTbBYir/Mw1AGokAnFLEPQ==,iv:dJXFcZ9f3xe3rcPzOLd6AMFh6EyJXlv3/+uR2x9XYsw=,tag:4I1WqtloUSXNeQ6AlVPY5g==,type:str]
+    #ENC[AES256_GCM,data:r1Rl1+lfgMad,iv:9RGwiYlePcXZFDxw5uc1yEwZ4N3lStmE1cGmsj5dPls=,tag:yGChsxZtIzDjMUgIkd+PdA==,type:comment]
+    GROUPIII-1: ENC[AES256_GCM,data:IIZpTdr5jpidbxYCQ+fODOHdoWI51upPI3yxYlrAAd+RE62t6PzAvHKFmKPivbHmQS5RZrJXE7zm9JtwiodRmPl0pYLxYNBpFQ==,iv:WQc1pOungm1gEqYPk/MITbjs1l83ikcys47CARRgoFk=,tag:sS2mXDIWl32ZZzDtictv9g==,type:str]
+    #ENC[AES256_GCM,data:VtrWQKVtCHtA,iv:ap/n2HxQ7dgKOA8rIfenv9LOwwAh1na8+I9O/k/wMxs=,tag:Vl03ortuZ5OS2qcBMnc59g==,type:comment]
+    GROUPIII-2: ENC[AES256_GCM,data:fkxYmHEQnCjx/srKBgjreIR0S7mcXyl1h3H80PFsH3A/yCGnJbFCGK1GW1++Q+tziOnEWCTLZ/l9dlPuB5BFSK7iHiVXtkOfVQ==,iv:z6duWl+LFpS5RJnCGxb3yvgHp96uJYoSsAThWrbGYfg=,tag:AKWisEg506eOgdp/4tLU7g==,type:str]
+    #ENC[AES256_GCM,data:e8HuWaLrvHx5,iv:ZKvfRQtOMV6v3MSCDVoPEsxldI+ZRYJBwrKAD8YZzPc=,tag:tPL3IyjC8f+S+6MoMJSd0A==,type:comment]
+    GROUPIII-3: ENC[AES256_GCM,data:if1S/3AxNLkWvDQJom+4EPRBOpkAPNTkEcqHHLAuEJATSNLlIhVLOPgt10cM4LWx2TdG8V2TcZip9qnr4ABHMsPF5vm6Y53r9Q==,iv:Rba0So8DXJrSC88mjwT8j2AVy84TPm0R6AVf2ZmXNBg=,tag:qiSeYLrw/6QJ7vMiPEZ66A==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3WlJNWmp2VUxpcXR3NE92
+            TnNuLzg0SVZKdmt1cEVZU2FodXZPdmt6Rm5rClhrbDh3SzFlMU9LVFpEZDFLUGZZ
+            d2RBTVNCamNBWFVEVW9FMjYxcUE4Rm8KLS0tIHBwYjlMU2tnUTZweDBYcmZXUC9l
+            OWFUeE9xdldpTUQ3cDFENjU4YUVwSkUKp7yZGpvKMSm6rvsoPbcaqVznL3wzGEXB
+            OGzrmgY083Gyjb5P/0wPY0ShGMWfWQW6vGchoqVuwr4oHKT3APcrIg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age16e7ykphshal6qhwfvat698hl48s8yr0jvzh27ecdyfh5uk7t9u6s753jgy
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWRjBjdGFEMjR6QnQ0a3Nz
+            c2lmVWE0bFh3amRULytZOVhYS3dkL2JmRVhVClVQalh1WjJqcWcxT3ZXMWduN3Nl
+            UzdFNXNQUmtaaTVIVVFVYXkyZEFPUncKLS0tIExrTDA0OEJzQklQOHNJZzBJdzJP
+            MVU1UW9lWFJnSTE2aC9ZL0huYURUK3MK5U4cLWRMm+FFo8ATE/OoAcHzYHFMpOtV
+            Q5kbq5PDMdp4qvoM3T4kLsB34oU55HjFvac0pilOhNRrz4xRMQgvoQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-09-29T06:38:42Z"
+    mac: ENC[AES256_GCM,data:tb6UXalJcNqd1bCJ4pdWQ5lctAXMrwAJsGagNIjtAklVx/0vibEBTvtVdI3CSNA3OuDguyXc/ECGEqlPNpoRq/F5JINfnirEbaBL6KhNkFxaSLVP7mu1u0KH93qhzA2j4jofderpxj+FvOOMVZNuZkrcSPDoufPA/ypY+YaKuu8=,iv:KPyXi7AD6FSmoZKYUDh2zLZnArvdcHau5XZHk8CbwI4=,tag:7T1jUJ7eNkY9VYt2eP+brg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.0
--- a/devices/srv1/node2/secrets/munge.key
+++ b/devices/srv1/node2/secrets/munge.key
@@ -0,0 +1,24 @@
+{
+	"data": "ENC[AES256_GCM,data:04fSLZEkne1LqLZNYpy1tFlKTVUgQNuX9L3cL66FVHD+LqGAyWJGlAnduY+fQMZdDhbBdeEnJKXjyQ2jdDCttuqbPRiJQChtD7ztf+oiP877N143iSY2G245aCjIrAzmFORkGZaQT7nD5oxgCPiLqJzkNPzgjN4HIDsVoYz6jtw=,iv:gTbiJmdXN/62/t53ddfDrYlNLe3AoujT4G03eFQXyZs=,tag:eAYfhXPERqsVKFSkcm+Abw==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBb3JtVi92M2JUc3dKVzRt\na1kzNU8ycE1LTmdVZVNFNDNJZmpsTEdCK3hZCjNXajNpcGxXMDJxRjhPMmhFd2la\nZy8xUFZNZXhiVHFtbG9xVmJ3Q2d0NE0KLS0tIDlNWEJqcSsvQTFzc2FxL2F2bVVs\neS9UenMrYXNKbGJVTnZzN3VscWlrRk0K24RHbcTz56GV6AbQt7Yy9+1NClMpQFtk\nf/NO2RYuS0ciHwkJQEw7M48iJuwTSiv1pflXXkNvkl6/I7wPgS/eXw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age16e7ykphshal6qhwfvat698hl48s8yr0jvzh27ecdyfh5uk7t9u6s753jgy",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxSjFQbWd4SUhoOExTdnFk\nd3dVVytZaDAyc1F2eUowdmY0azFKbWJ2Z2pZCnhYQWJtVXVjTTRvTlI4SlVyVHh1\nZlBZTlFheVNKdzN5a0RHM3RkTDhzQncKLS0tIFlpbjRUSzdzS3ZuMW8welNRODdR\nWis0ajQrdUNqVWcwMWF4bVlUaWsrc00KfL/zF2RiAanljrNhRT99i2jPvLySMWXx\nEyzYRuTH8ZGXsX4T2VAPjreBt1ahJ/EgBWmCLibEVK62zWfdquAZKg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-09-20T05:31:41Z",
+		"mac": "ENC[AES256_GCM,data:7kp2KNU4O1yuBdu7cxzg8BytPWiP8hQ0/mWVKPPn4BXjFleyo8KzLC3XZn9Ovt2fHWiF/4hMreOPIDW1W+8n/DedLa2G+zkHiQDVBCyiLJ+FCELvNPdDwR37RvOJ0Oo3RtQaSK2xBhNwS2Qs1G7DemEGFrWXrZ/SeCG5H6bI4X4=,iv:zGG9jcC3McICjeYZd1aGud+VaUhLXg3J/demAqM4vUM=,tag:RINzMA36WfaTRuEy0cTQKQ==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.0"
+	}
+}
--- a/devices/srv1/node3/default.nix
+++ b/devices/srv1/node3/default.nix
@@ -0,0 +1,28 @@
+inputs:
+{
+  config =
+  {
+    nixos =
+    {
+      model.cluster.nodeType = "worker";
+      system =
+      {
+        nixpkgs.march = "broadwell";
+        networking.static.eno2 =
+          { ip = "192.168.178.4"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; };
+        fileSystems.mount.nfs."192.168.178.1:/home" = "/home";
+      };
+      services.beesd.instances.root = { device = "/"; hashTableSizeMB = 256; threads = 4; };
+      packages.packages._prebuildPackages =
+        [ inputs.topInputs.self.nixosConfigurations.srv1-node0.config.system.build.toplevel ];
+    };
+    specialisation.no-share-home.configuration =
+    {
+      nixos.system.fileSystems.mount.nfs = inputs.lib.mkForce null;
+      system.nixos.tags = [ "no-share-home" ];
+    };
+    boot.initrd.systemd.network.networks."10-eno2" = inputs.config.systemd.network.networks."10-eno2";
+    # make slurm sub process to be able to communicate with the master
+    networking.firewall.trustedInterfaces = [ "eno2" ];
+  };
+}
--- a/devices/srv1/node3/secrets/default.yaml
+++ b/devices/srv1/node3/secrets/default.yaml
@@ -0,0 +1,50 @@
+users:
+    #ENC[AES256_GCM,data:uBjvj5Y6SIk8,iv:WxYu6Xkh2T7kb3uLqgkJJtHvCmWyvntcGfCKJfSfSmo=,tag:ueHbPNX3KOVO9RdQnw/nog==,type:comment]
+    xll: ENC[AES256_GCM,data:Cp2wBFygUBlZnf0oAAxB5L8/qD/LwKksp0YG4Ic7nay8E8kXJGSYDyTK5AdeVh8/MxLgVVY6LMWtUOzFe3WU1u71pgBGF4x+yw==,iv:wXfcHuJzqWmm++vysZW3z4TLEOkgWTUF/pqFDfgwny8=,tag:k9o2yp1AksTGOgREOLlprQ==,type:str]
+    #ENC[AES256_GCM,data:4CsCDEg/UChs,iv:ENErjaF65B1dCuD56/DCqe37WSCu1q28s2khMyF7I8E=,tag:q9mxHCAsuDGygseYU0pRDg==,type:comment]
+    zem: ENC[AES256_GCM,data:cPDlicY4vrQ5VTyfCVN0zH5EIV8kH2xqlFEUkmwO3TmKV69Qx0nE+6yiUhENKR72zY3p5w4ZFEtF7maqqklWvThkeSs059aFpA==,iv:g+nASIzOUZuyX5MCFcKOJKsKTQhcpSY4sIKArlVZh8o=,tag:WaAYcxHmFs6/EG3oy56xJA==,type:str]
+    #ENC[AES256_GCM,data:fu6KBkGEtzD/,iv:OzClxptcUbrbgmYYoQYcInG5Tl6HrjSRVrt3iIaSrqI=,tag:kc+AxJ7UI45j6eW69CiBkA==,type:comment]
+    yjq: ENC[AES256_GCM,data:QGpjtIrtio3Jc4kGam5cjqCHZJl2c0wWQAD8BXXhiWfwbQF+sQSTk2V3FbvOlHjqcT92ab8qWCCFjIqBH4DJUq+z/eleX6Y4wQ==,iv:aky2Q2kpEf2EhcR9UXIAyf+BSW9CIZCGbyZCp0l3X4c=,tag:RHLILdrK3duFA2iZDDigEw==,type:str]
+    #ENC[AES256_GCM,data:YUQ73+HZk69O,iv:wY5da+RRnPpXOD5+HdKkyYZ04ZpB3NBtRjRq5Utzlvw=,tag:BE8MhvbxTkn3rG4Pe/zitw==,type:comment]
+    gb: ENC[AES256_GCM,data:AkPFt/GGyeKdYtY/cW774Yi4rrxhTFRzXe/hf0rbwFESwf4pwgfdcr9e3bp6mfmNy86CCDMsUVPtg49q+DV+9CwHU1ETe1vIbg==,iv:L/kLfEjt3WEQmgAXjOAsnE2Sp45DQP9LLKcZe1FjnVs=,tag:HluImuMHEhiE8yAw3fjNQg==,type:str]
+    #ENC[AES256_GCM,data:WCkGncBugE2H,iv:ZN3edJuEDKrHo9OZs0jbU1ATI5+WpfVul5i7SK51ME0=,tag:rgxwqwPJcdDNMnRFlxNplA==,type:comment]
+    wp: ENC[AES256_GCM,data:n7S4got9Q/7s7rZQldnB1wJlB36uqjremc1UDeUmzs6I9Gp9YPj7dJBDAHBNzWruo83ciP6PygHcCmHzBojISgW/HdD5j9cgJw==,iv:ymjB5YWxJJXBA80a2MPYHXBV+bNxUhroPWu+1GJo4XY=,tag:GGVz7kzBrSomBityyZBdvg==,type:str]
+    #ENC[AES256_GCM,data:2aKW2wBhF2oG,iv:wXRX5ZAr5O0c/H1WvzK1+kG1NbZU92h89NgXB8lHfMk=,tag:gAW2oQxz2dUthyNvMlmxcA==,type:comment]
+    hjp: ENC[AES256_GCM,data:+9MKYP96nBdLFVcTkpSS/hiTLdTOf5+Rs3dpUus/ym7gl2+aA2rGtlGS+ozALeUV1seNlVAuyhclZG2dH9uhaudlQvQw5ntAzQ==,iv:eobXw5ahEl9I2HlXD+y3NtGFOlPulk+aKVFxuCRe2+g=,tag:zt6MveyltO2xxThG9grZqQ==,type:str]
+    #ENC[AES256_GCM,data:WLU7JBd7ZNES,iv:GkmmM1n0Squ0rundsz4Q+1dkF9BcCaV1hID8bt/gmxI=,tag:MMukyZlOeE0CcnI51VYPWg==,type:comment]
+    zzn: ENC[AES256_GCM,data:5uNrzv43K/TQlGDldxqUYscDoEduTJdRz0jgd5dBh3N3bMNHulZbD95IVAj87OkLgdOtlDPZz3DfB5oxKBVcV0XE/E7GwJKILg==,iv:SB/uOB1SdhC5zGCY/OzBRY6wgGQLwKYuFgekxZpX1Y4=,tag:ckOxmdXvhQjGMPssoLeMPQ==,type:str]
+    #ENC[AES256_GCM,data:xLPmYdIcIUz7,iv:NqaKJJgyMwfVfAYgEAMHXo1qLYfyOHhIcV++lseKcNQ=,tag:qXDuROf4A9T2H61KtrQUpQ==,type:comment]
+    GROUPIII-1: ENC[AES256_GCM,data:izqFF2JD0ZEeNlqrQ9sJcEcrnp/WmyJL46jszmR4fLwrFGcMoekSfOTkzjO8upogY5fIDsn02dwh4mLX74vA8DjeRTaDKZyyfw==,iv:lknYrGgDFQen2w8mtLNHewQXara1ikWvGdvVA8a6Fyg=,tag:EiiMBUhF6YOafD7MCIMA5A==,type:str]
+    #ENC[AES256_GCM,data:Zt6KCQ3chnLi,iv:RpMBGf2zDVWN13PpTr0Zj18ORdIZT2u34BestCjyLsU=,tag:aBuN2QGhxgnOXPC1NOoROQ==,type:comment]
+    GROUPIII-2: ENC[AES256_GCM,data:fAczfnHue47oHJm/8Hcu8iC+scxUQRNZlJWSCFnmtn8PzbOtPXGVLYaZJs3SRE0F7yYsOUZlHnEPaK5bFjCHioindbS0oimBfQ==,iv:F14TVM+UxXm0UbAgLmQpkI4v+jhQ84a4G8IuWRw1k/o=,tag:R+r0be31nLC0T6Isl9/sdA==,type:str]
+    #ENC[AES256_GCM,data:xccChTyxO80R,iv:tSxhbmVwhwD1IbXRNglS+WWMXfzUDaoJfCNqfKWqVko=,tag:XrFTahck6EKRf79NNeMRfg==,type:comment]
+    GROUPIII-3: ENC[AES256_GCM,data:LQAAYOKBVKRsVfwRJOr4jBCqnHKG60euQMngfuI82Dewwtnt4fKZ/iDg6otJIXwdMdiYI4ytr573GaAPyadt/UdDv+EqrLQ3qA==,iv:dD7djoiEBjrZCQCKkjzsVD+IK7T9sL02zxRG3b1uwQ8=,tag:sqJ0Q665aXVnPHWlTS0Rag==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyQy8reUxHUm5leVk4dzhx
+            L0h2ZVVONnlEWlBXWlhKa082aXJGRlhIaUhZCkQxSFV3SHcyQjNCN3NyK3h0V1hN
+            SHVZYXJjenlPR2lrL1J0ZkpoTlQ3S1kKLS0tIEZPU2c4VHpzdEwzWTVTUk9OdDFI
+            em9JMjA0VFk3Q0NKSWt4YllkWHpYNWMKJxCl3tXFHSUfawt8pB21WLKvUWwTn+Jl
+            gz52soH0P/k7bg6Lx4gs5WywIIIOWnHg7p0BJS9BCmFWvXR442c2XQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1lee0kl24f0ntss6m69zu2s2e7njdpkv9nl7rlf4nn7rvv0mlgvfqrte2y5
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIaG1ZdERieVMzM2JjY3Zt
+            KzRTVCt6eVRsSmJXT3FKL0pSVHF0L25SSGlRCkg5bGVHcEhBam56bHdBcUZHRWF0
+            ODVkamc0RlJxNk5hRjMzTVRkYVNsam8KLS0tICsrTXdGMzZ2UmE1VmNyK3pwME1u
+            bHQzK1EvVEhvZFI5MjVxL0Q5UVZYdGsKJl2M3eOB0lRyu2VO1qDjW1pNJ9HhwAS6
+            g5yOa2fxLJn4bvmQAJYeNJ1Wi6sYaBvkbeOegjaKjW4ZvwhP5kWqRA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-09-29T06:38:50Z"
+    mac: ENC[AES256_GCM,data:pQDphBruG5s5trIOY1fvcCAnLDx+NcVJ6cEP48u92JRnM5cojYXbiFt6Mlq+bYLxkXb2PoKMBoohRbsNdYLRgz3BGAY//Kc5OHGWzi7r9t4/iuhcouZsV/6wHGnrJ0yECS2+LPkT+/JXnYv1ZJTpUR0TSmTvnCgJI6xpWt8HDSA=,iv:Oyn7UESWVDqh3kDFAX3opbC/XEYOa1s3wmGolc1uhTM=,tag:aasXTc9+bgLgCaLDNfbJGA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.0
--- a/devices/srv1/node3/secrets/munge.key
+++ b/devices/srv1/node3/secrets/munge.key
@@ -0,0 +1,24 @@
+{
+	"data": "ENC[AES256_GCM,data:9uBZv+GmpEqEbpE1E4szW3EPA6AJPUprWMQs2XwXq/VfrOfVG+Dz6PsAfPgOgii9KMPZb+358lfdhXbKF2cjflMw9Iz1wc2eU8vrbbU7toisLnuYBm2676wKzatQVbL0SHvlyScVIEwNphTJdIPJuMD0JrFMfDV7J/jdgwdpPRE=,iv:fk1YA7IXX/9/jU9jqAg4YrFZrprm9zoBw5avnKtvBnw=,tag:rfsCsir2C4UsUTgfvbRCVg==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzRm9wakd5Z2cwblM4a3c3\nVURGS3prTHJ5R1RzOGpXaXFOcFlNWGJCTGtjCmt3Q2M1Z0FaTGRscDlOamI2L2Yy\nQUlaNWJMcHdEVVIzMzdYVXdVZVpHd3MKLS0tIGlscllCSnJCS1JDNEVXWXhJVUNa\naFlPSU9lZnpPbFY3VkI3NkNtVlNTWHcKfRcjJroaUVDePl+mg22NndJfFciAuolg\nsOEaEZCH/cIJg0XTXfM18ZRUl4IuMmR3D2L4KAhzbfADNmC81mpMLw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1lee0kl24f0ntss6m69zu2s2e7njdpkv9nl7rlf4nn7rvv0mlgvfqrte2y5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZeDBPMWZnRXRPbkRXQVpm\nL0pwWDE4blRuYUV6QVJyOHBITUJjU1ViR25rCjRJTmF0MDhjNEhFQVNHZ3M4QUJ4\nQ05DbTlVbjhMMDhTdGlZN01tRUxOZE0KLS0tIEExMXZTSzJjeEdqcHBNWjhGSFIx\nQmJaSHh4dHdUTjRmWUZIUFdmVkI3YncKvCunmgurC7YO0Y5FssulaJ/VDvuiR5Y+\nOxfMe34ilsF+k8bTBAuYLlDCl8uQ14cPiOLAhAw1vdFgs9o8cs9MUg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-09-20T06:03:27Z",
+		"mac": "ENC[AES256_GCM,data:sEMEYJDZhhza1HvtmQ9maK9gXgBNfNGDhvSySoz/GuiTrs2Hhae/YI+o6DvYHPDUoOJGVwLjHVhfoIYw9CvoCZNm8Gn3fUSeP372x2kRAjFJYJ56qovU5hz7H/m1Mm9CQ38PvnsWMgc+dB1q0h01g4x7/URfjJDlU+Rq4n3f6B4=,iv:v/P0xSTBjGrmhzeAiS0eaQ4Y7pls9xCKPq9gysLuINY=,tag:SsCPc1av/pGpZS5AqzJdxA==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.0"
+	}
+}
--- a/devices/surface/default.nix
+++ b/devices/surface/default.nix
@@ -5,6 +5,7 @@ inputs:
  {
    nixos =
    {
+      model.type = "desktop";
      system =
      {
        fileSystems =
@@ -14,7 +15,7 @@ inputs:
            vfat."/dev/disk/by-uuid/4596-D670" = "/boot";
            btrfs."/dev/mapper/root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
          };
-          decrypt.auto =
+          luks.auto =
          {
            "/dev/disk/by-uuid/eda0042b-ffd5-47d1-b828-4cf99d744c9f" = { mapper = "root1"; ssd = true; };
            "/dev/disk/by-uuid/41d83848-f3dd-4b2f-946f-de1d2ae1cbd4" = { mapper = "swap"; ssd = true; };
@@ -24,14 +25,10 @@ inputs:
          rollingRootfs = {};
        };
        nixpkgs.march = "skylake";
-        nix = { substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ]; githubToken.enable = true; };
-        kernel = { variant = "xanmod-lts"; patches = [ "surface" "hibernate-progress" ]; };
-        networking.hostname = "surface";
-        gui.enable = true;
-        initrd.unl0kr = {};
+        nix = { substituters = [ "https://nix-store.chn.moe?priority=100" ]; githubToken.enable = true; };
+        kernel = { variant = "xanmod-latest"; patches = [ "surface" "hibernate-progress" ]; };
      };
      hardware = { cpus = [ "intel" ]; gpu.type = "intel"; };
-      virtualization = { docker.enable = true; waydroid.enable = true; };
      services =
      {
        snapper.enable = true;
@@ -46,7 +43,6 @@ inputs:
              "dispatchcnglobal.yuanshen.com"
            ]);
        };
-        firewall.trustedInterfaces = [ "virbr0" ];
        wireguard =
        {
          enable = true;
@@ -55,14 +51,15 @@ inputs:
          wireguardIp = "192.168.83.5";
        };
        beesd.instances.root = { device = "/"; hashTableSizeMB = 512; };
+        waydroid = {};
+        docker = {};
      };
      bugs = [ "xmunet" "suspend-hibernate-no-platform" ];
-      packages.vasp = null;
    };
    powerManagement.resumeCommands = ''${inputs.pkgs.systemd}/bin/systemctl restart iptsd'';
    services.iptsd.config =
    {
-      Touch = { DisableOnPalm = true; DisableOnStylus = true; Overshoot = 0.5; };
+      Touchscreen = { DisableOnPalm = true; DisableOnStylus = true; Overshoot = 0.5; };
      Contacts = { Neutral = "Average"; NeutralValue = 10; };
    };
  };
--- a/devices/surface/secrets.yaml
+++ b/devices/surface/secrets.yaml
@@ -4,6 +4,7 @@ wireguard:
    privateKey: ENC[AES256_GCM,data:P/tyZHaEAahZUBF22dJEZb6mACm/wmUunPDG0vS7SNW3sWbzxRSut0haR/g=,iv:8VMv5iotmDrYDLiszcOvJHkD8l6uE+SboPSILr6KuzU=,tag:U/FIBhvghwDTvFtUWEqr4g==,type:str]
 github:
    token: ENC[AES256_GCM,data:SyqrpFfy+y7syReWs0Bi23651ew41Us8aqjImBTzkDanOtWQgIYC6g==,iv:H3Y/TuP3VvZv6MlRAdLOY0CiNUeoqGZRNg0s58ZSkQ8=,tag:rSf4E8Whvue/LZ+VlSqDDQ==,type:str]
+age: ENC[AES256_GCM,data:KEaMrk9eldR6oCqNqSpwhbJKj+JrN1KBkDL5p9itaszGf4tnDRidcleCQi1Ae17osYXIEh4+OxX/d6RKb9TP6JMLJe0iq6c9sC8=,iv:ztiP2Vz4AFZkd8ZG7xYlqYrV3JZYvmX07Ez6GtJ6yp0=,tag:PS8oSkkrrpgYYVfjbTtkaQ==,type:str]
 sops:
    kms: []
    gcp_kms: []
@@ -28,8 +29,8 @@ sops:
            a2xybTRFUFZZN20zajZJTVNwVEpGcEEKglmFMk7z1q5IlZ+lZf9M0HtknmvcYt/P
            2/z5e8wLN1Hy0Zsbv0yIL/NmqwxAOGJOdzz7ElJszk/Y4kUr9aRasg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-05-24T03:36:38Z"
-    mac: ENC[AES256_GCM,data:Dv6WO5K0GFVm4Rt+GjXeE1vwqlPkP+kmRCGU41rbSR3YBcL8mkpBRQQXJiMU99cQQMK/rCGy+k91fhGnG5xFT/FdEZF8qUjRHPZ5MdWCjPOuY/LrXWnSnwwJa2neQLFH/ToUkNaGHCk/FngnZ/e0U43Rnwt3iHRDBG3io8oDY0M=,iv:Jf5EtkTuf/MFDq6UiOo8/31ev5zBiaP9WnlgsUgK5Y4=,tag:r6ql+UbXbG5A1vtbsGXnJQ==,type:str]
+    lastmodified: "2024-09-01T15:22:09Z"
+    mac: ENC[AES256_GCM,data:Br2+miNeZI41QyTXdhJ5Mdwq5no/d4kJgESwiltcRZV/Pax8R+GFeLDg/AQFoh1fLHU6bTX45SN0wnIrIeCnkoXV0U2RiT7bdtBaDrGxqnFvjMVE0VaUrj9bpagta13tahsEfI17cyUq4BqwS4BXx60RXvbvs9jZ5/dfpYunGsc=,iv:FfWYfS40XcFgF8lEYK4IHypLzz7svFxPL+WuudQm3oA=,tag:0KDBdf7w6BdcQ8Qt3k1isg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.9.0
--- a/devices/vps4/default.nix
+++ b/devices/vps4/default.nix
@@ -16,7 +16,7 @@ inputs:
              "/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
            };
          };
-          decrypt.manual =
+          luks.manual =
          {
            enable = true;
            devices."/dev/disk/by-uuid/bf7646f9-496c-484e-ada0-30335da57068" = { mapper = "root"; ssd = true; };
@@ -27,10 +27,9 @@ inputs:
        };
        grub.installDevice = "/dev/disk/by-path/pci-0000:00:04.0";
        nixpkgs.march = "znver2";
-        nix.substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
-        initrd.sshd.enable = true;
-        networking = { hostname = "vps4"; networkd = {}; };
-        kernel.variant = "xanmod-latest";
+        nix.substituters = [ "https://nix-store.chn.moe?priority=100" ];
+        initrd.sshd = {};
+        networking = {};
      };
      services =
      {
--- a/devices/vps6/default.nix
+++ b/devices/vps6/default.nix
@@ -16,7 +16,7 @@ inputs:
              "/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
            };
          };
-          decrypt.manual =
+          luks.manual =
          {
            enable = true;
            devices."/dev/disk/by-uuid/4f8aca22-9ec6-4fad-b21a-fd9d8d0514e8" = { mapper = "root"; ssd = true; };
@@ -27,16 +27,16 @@ inputs:
        };
        grub.installDevice = "/dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:0";
        nixpkgs.march = "sandybridge";
-        nix.substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
-        initrd.sshd.enable = true;
-        networking = { hostname = "vps6"; networkd = {}; };
+        nix.substituters = [ "https://nix-store.chn.moe?priority=100" ];
+        initrd.sshd = {};
+        networking = {};
        # do not use cachyos kernel, beesd + cachyos kernel + heavy io = system freeze, not sure why
      };
      services =
      {
        snapper.enable = true;
        sshd = {};
-        xray.server = { serverName = "vps6.xserver.chn.moe"; userNumber = 20; };
+        xray.server = { serverName = "vps6.xserver.chn.moe"; userNumber = 22; };
        frpServer = { enable = true; serverName = "frp.chn.moe"; };
        nginx =
        {
@@ -52,8 +52,13 @@ inputs:
          // (builtins.listToAttrs (builtins.map
            (site: { name = "${site}.chn.moe"; value.upstream.address = "wireguard.vps7.chn.moe"; })
            [
-              "xn--s8w913fdga" "misskey" "synapse" "syncv3.synapse" "matrix" "syncv3.matrix"
-              "send" "kkmeeting" "api" "git" "grafana" "vikunja" "write" "blog"
+              "xn--s8w913fdga" "synapse" "syncv3.synapse" "matrix" "syncv3.matrix"
+              "send" "api" "git" "grafana" "peertube"
+            ]))
+          // (builtins.listToAttrs (builtins.map
+            (site: { name = "${site}.chn.moe"; value.upstream.address = "wireguard.nas.chn.moe"; })
+            [
+              "misskey"
            ]));
          applications =
          {
@@ -62,6 +67,7 @@ inputs:
            catalog.enable = true;
            main.enable = true;
            nekomia.enable = true;
+            blog = {};
          };
        };
        coturn = {};
@@ -71,7 +77,7 @@ inputs:
        wireguard =
        {
          enable = true;
-          peers = [ "pc" "nas" "vps7" "surface" "xmupc1" "xmupc2" "pi3b" ];
+          peers = [ "pc" "nas" "vps7" "surface" "xmupc1" "xmupc2" "pi3b" "srv1-node0" ];
          publicKey = "AVOsYUKQQCvo3ctst3vNi8XSVWo1Wh15066aHh+KpF4=";
          wireguardIp = "192.168.83.1";
          listenIp = "74.211.99.69";
@@ -79,7 +85,6 @@ inputs:
        };
        beesd.instances.root = { device = "/"; hashTableSizeMB = 64; };
      };
-      user.users = [ "chn" "zqq" ];
    };
    specialisation.generic.configuration =
    {
--- a/devices/vps6/secrets.yaml
+++ b/devices/vps6/secrets.yaml
@@ -44,6 +44,10 @@ xray-server:
        user18: ENC[AES256_GCM,data:dssxPEv8srXydunolaaDAYYo+BOXhp2PoqidOWH3z6NYBpyB,iv:WCLcMMwQJiHZBwreQpaOZp2saXvjBwgYUqSf7HQhMgA=,tag:5jsAVcgAgO+7JhBINz6tzQ==,type:str]
        #ENC[AES256_GCM,data:qGsMmWrUIzVdHw==,iv:DXayEA5zquwOzm+TqECYNHM98r0WSzcP3gA8zkzdPy4=,tag:OKTx12RqP9VxJQOnrBLkmw==,type:comment]
        user19: ENC[AES256_GCM,data:+Mh15DR9xvFAwks86iuHEA9FpObKWTSuVOEzUDpBUS/h0hOz,iv:zYIkic2bibvwCBpomnJ9465mda1rbm3RERBZY9twXuc=,tag:bwdL6DAGgkGYhYFI2C4A+A==,type:str]
+        #ENC[AES256_GCM,data:1g2gohLbiixMes8=,iv:E3HA6cAdv3BdLMcrrcWW4Zsc2KLtW7L8Xrk9Z57l49o=,tag:rZ7W9ckf7lzJ23u5zwQiwg==,type:comment]
+        user20: ENC[AES256_GCM,data:3UbVnn9oMRc0zZR46tWxwM9VFOvMOYm690csUomEVBcS3xPm,iv:KHuPXttLAFr7WT/qa/UYLY8GRsPWYZPyKNmdUh4iFQQ=,tag:jN8rQ0Gv+qnhwOWGH+CwlA==,type:str]
+        #ENC[AES256_GCM,data:GzxXsTbEvdHV7A0=,iv:uxUG4hnYEsmJtnqbEwamwhtLt3UClt7ktmkGyAFdxsc=,tag:sF8YQ2cejAezI3Bbp9qKIw==,type:comment]
+        user21: ENC[AES256_GCM,data:hgDJ11crZaWcKrc+ZDQklXwpnvt/sMbARkx3sLZfQGZqQZeA,iv:2Re+hdJuT5yg/qTymfpN+KdU3criOmwuqqg+SHb8iAo=,tag:s16N6u5cRDaoWxnrCkamuw==,type:str]
    private-key: ENC[AES256_GCM,data:ts/LRGFAsYqvGvkvlxUI42IW1a8cGsSkpZhMDd3QVceRKvhPb1SRDaXoSw==,iv:6xX9xFIFUNlLBZ6CPBOz9JbHpvC4+QG9ZaCZcWdl12c=,tag:DYIa+QTV8vyl1l7OKKykTw==,type:str]
 nginx:
    #ENC[AES256_GCM,data:85LrqdTMIhSa,iv:mIQPYz8VPd5AxeMCQEdTGMD0Iqa5QEAa5+8JVFaj3JM=,tag:TcZd7S3WRPpEV9lHI1fzbw==,type:comment]
@@ -87,8 +91,8 @@ sops:
            ZXFTU3ZCaW1pTVh0RUJzdDdGdHlPYTgK2mlgcX2kEc8+2UDdBnhUm6IIuh8V6agW
            ooxH9OEPXUVI/4JcDo4v8ZUhAyU1ehLH0Ef7PJCChOZe2KZmWSNbhA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-06-30T10:43:57Z"
-    mac: ENC[AES256_GCM,data:Mg/DZghIkaWM5KEjk5zg3S0L5qPa8/rkc2ooSjA1ewzbDhTKls2tzv7fQqLx2WQtcJiKkoVx22UkiL0AzBwJdCr3473vx93ajTVK9HNu3jqXmuzSiv2iVS21EX9tyBNiL6uWlVAtlVfMMs69PEUF+EJIYY5TkVVPaQjzEebwo5w=,iv:tFON7RVSnNNHo5U4dRuMGDhH5iPGShW9uoda+apiIjI=,tag:3nG/u7vaChFBHoDsLLb23w==,type:str]
+    lastmodified: "2024-09-26T04:24:17Z"
+    mac: ENC[AES256_GCM,data:AXhLmyZWGD6KvMkyHqmCERE6eNE3pD5Pa/9mRBWZe4hiXL4mKTzCn5C/ODGQ1ZeQjDdP+awjJRvLRjMiYFhVlU8rKpg/f2G1gDr4cIbr61sCdzXKX8wFW0G7bJWxxpAC4X59+u9EJ3sNcyf7bJrMdkTzTYpgXh29mtl2bprcdJQ=,iv:pK4hYexcWng3GwOmWGqgyMsmATnXgcwR3NH4UxCwpvE=,tag:zpv64JWoXc5cDCukDuW51g==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.9.0
--- a/devices/vps7/default.nix
+++ b/devices/vps7/default.nix
@@ -16,7 +16,7 @@ inputs:
              "/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
            };
          };
-          decrypt.manual =
+          luks.manual =
          {
            enable = true;
            devices."/dev/disk/by-uuid/db48c8de-bcf7-43ae-a977-60c4f390d5c4" = { mapper = "root"; ssd = true; };
@@ -27,32 +27,29 @@ inputs:
        };
        grub.installDevice = "/dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:0";
        nixpkgs.march = "znver2";
-        nix.substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
-        initrd.sshd.enable = true;
-        networking = { hostname = "vps7"; networkd = {}; };
+        nix.substituters = [ "https://nix-store.chn.moe?priority=100" ];
+        initrd.sshd = {};
+        networking = {};
      };
      services =
      {
        snapper.enable = true;
        sshd = {};
        rsshub.enable = true;
-        wallabag.enable = true;
-        misskey.instances =
-          { misskey.hostname = "xn--s8w913fdga.chn.moe"; misskey-old = { port = 9727; redis.port = 3546; }; };
+        misskey.instances.misskey.hostname = "xn--s8w913fdga.chn.moe";
        synapse.instances =
        {
          synapse.matrixHostname = "synapse.chn.moe";
-          matrix = { port = 8009; redisPort = 6380; slidingSyncPort = 9001; };
+          matrix = { port = 8009; redisPort = 6380; };
        };
        vaultwarden.enable = true;
-        beesd.instances.root = { device = "/"; hashTableSizeMB = 1024; loadAverage = 4; };
+        beesd.instances.root = { device = "/"; hashTableSizeMB = 512; };
        photoprism.enable = true;
        nextcloud = {};
        freshrss.enable = true;
        send.enable = true;
        huginn.enable = true;
        fz-new-order = {};
-        nginx.applications = { kkmeeting.enable = true; webdav.instances."webdav.chn.moe" = {}; blog = {}; };
        httpapi.enable = true;
        gitea = { enable = true; ssh = {}; };
        grafana.enable = true;
@@ -63,12 +60,12 @@ inputs:
          peers = [ "vps6" ];
          publicKey = "n056ppNxC9oECcW7wEbALnw8GeW7nrMImtexKWYVUBk=";
          wireguardIp = "192.168.83.2";
-          listenIp = "95.111.228.40";
+          listenIp = "144.126.144.62";
        };
-        vikunja.enable = true;
-        chatgpt = {};
        xray.server = { serverName = "xserver.vps7.chn.moe"; userNumber = 4; };
-        writefreely = {};
+        docker = {};
+        peertube = {};
+        nginx.applications.webdav.instances."webdav.chn.moe" = {};
      };
    };
    specialisation.generic.configuration =
--- a/devices/vps7/secrets.yaml
+++ b/devices/vps7/secrets.yaml
@@ -4,39 +4,33 @@ nginx:
    detectAuth:
        chn: ENC[AES256_GCM,data:Gk0TTbnFcsvIgoDcen6B8w==,iv:kvyvygw9zDwaiTQ2vPFTHQex0EWDFg8M8U22AConQFM=,tag:ewAZ/nXxmTOhDAjW/A2OnA==,type:str]
        led: ENC[AES256_GCM,data:Owax7cyp,iv:NCEKyicVCYZNgxJzlO90heUmwPjfXbZEcyXX09XQKI4=,tag:WMTCVMVCD9sJgAhRUsqvYg==,type:str]
-        chat: ENC[AES256_GCM,data:1HJiO1zU5SX4G56oWxv5zqGyUqnBWByrtSnQ01wvmZ7PmRkrV+DV6StMg5DtJR9HhkWYnbXlbnBHzP+poPUMag==,iv:sfwI62nwGSnsdj1RyADWgXvp5AY+9RQdtSooxbKFWTs=,tag:pN/LF0mo7RXWoIPPzzs8qw==,type:str]
    maxmind-license: ENC[AES256_GCM,data:9aW4QR3K6S+eTqzIjVlNEwkG0wZ4u5jgRfe7CMwRlJlK4AmcS6c45Q==,iv:cPTN1K4Aag5sohGbCQUZHYTvcwAL7AhF+rrY3OvXGPs=,tag:d9GGUMHnfzRz9Cf2U+dBfw==,type:str]
 redis:
    rsshub: ENC[AES256_GCM,data:uPnZIjbnRRoWIHlWkZNZkMpIb3Ujnnpb+AisVSVGFv4sfDAuDlAjt39pRdnWkCXJPqtXjJzQ+FeT34cqxTf8Bg==,iv:/jcyAHkxByFnbkmCAYQwda2QRmhW7L/ICoLuCgsVLCI=,tag:M5Q+dh/Bn7FiNpqQGYus4Q==,type:str]
-    wallabag: ENC[AES256_GCM,data:WkiqS9TOHxYalDp7Ssgg2x7vj4D58psQ5au4a0e3LZBecERwzUKmrhbVKRuDvNTwWbYxSds9SAca0wN+pWmrmA==,iv:QqHlzSXG1I4+p8wd58lcQs8TqAF3foxiYVdgL8L3IpA=,tag:CPtFgIeFL5W25gtd6NFkrg==,type:str]
    misskey-misskey: ENC[AES256_GCM,data:OHjt9o+m++NT5aaFbwBT/wSMdUdgf4zscd/JxjCo5HDhC3WeWMJV7z//kATI5Dg4BWAhvPlL02Vrly4RraIzLw==,iv:sQB4/D2SsOuDR3bTrmlNg7o+6ehFznDsqVc3BX9pK20=,tag:tcwTBt/JhyW8ZTAIWIkWBA==,type:str]
-    misskey-misskey-old: ENC[AES256_GCM,data:amUqMycdXUFvjg66pXKnlZqiESBYMci0k8iYzj824SaEqHl3Nq/I0TjYX++xEUg+RGYyTIcSaj96HUANTKpc1A==,iv:ND1mQLHxltRlOdpJ80ywheGo6hkl7OgRyk9TguJMuTw=,tag:dhCCwnCOnyT2iXdEMK0szg==,type:str]
    nextcloud: ENC[AES256_GCM,data:jwN/CqwkU/5Rd6w75/bV2Yej9b0CoxZaiJEcZXFx+9XUPY3Xg1tQdEr1SALG8xzOEdoL6WBVs14NvrrL25GeTQ==,iv:p5+0AB52QqScJwMhNIrM/7HAcRPdD9Z8xV6uwIDOwIg=,tag:f1XbNDDRXvGl/dkV9Wp2Ug==,type:str]
    send: ENC[AES256_GCM,data:IGxj3cgp+fQBdupfK+IgPEQSPuXdM9LRSLGSATNIkzUWC6sQw1aaKTDuRc8cU2BG6quthRwuWnK/F7k3KrUi8Q==,iv:LI9MkaF4e47FPUyL7AXZpO+CdgF91ScdiqjrE8PZjJ4=,tag:eNugln5M0AhU1xmVWFN7Aw==,type:str]
-    mastodon: ENC[AES256_GCM,data:E5aMRzqd1dqcw66uZwWoT+LDH30mg1vZjk3lhKIXKPd36MANE6z04aBPcAHyHT71jEYsect9JXagC4MUJBuSSQ==,iv:4IjTTNSTraL33fInlTkB2ZylcEaaKi5pgvugZIk24e0=,tag:32JSTNpF2cxYh/NEAS6jZQ==,type:str]
    synapse-synapse: ENC[AES256_GCM,data:8CVbcN2FG4mRT4PnlOGsS7tDfS+6ojIJFvq2EwItxn1gg2Ghd/Bmx+5tS/Do2FrYp/Xiv1EqucomM50r5bXnmg==,iv:TT7zBKQ4M10XYVCn5aeSu9IqjrIEHHazPUCOTmgRAU0=,tag:0+Q9hZMBVDj1TnHj3xoTBA==,type:str]
    synapse-matrix: ENC[AES256_GCM,data:eJ9GXDVLPg1C+Zjpj3NnWUyZxDbOZ61f+gs/bkZgdWjeu61MEMtU/Hh+p/ceAn3y0aPi0ZTcd+zSgIPIkcj+qg==,iv:uTdS4uguNJErc+DDW4H6dsRFkqlkHtaCfR8LR/d9nvY=,tag:UhY9xbe1r7FUpyid2nSt5Q==,type:str]
+    peertube: ENC[AES256_GCM,data:cN+cClNV1JD+Z1Wlp07MY7BmLr/EZYZZt04mxKKKN8RG1ZSMGykbc3hd00E14ubhCittJXSPbIWyO63lCGGEPg==,iv:3z1BR0j26LGfXwDDPYU/i8Qx/7529KKoar+xGZanirI=,tag:g/NSGDE1iEYJ1MStrV3rpg==,type:str]
 postgresql:
-    wallabag: ENC[AES256_GCM,data:ANwvEE3K/W/hU34Y7RvlbUuJNo2bOaRfeusYM9pRxXQOdG4XpwYfd/DprsrVjlkrMFuTurUR5j6UNHWh+ILDbQ==,iv:K8doqhVosz+OosMrLJXrSxairr84EeGs3EWgVQjpkS8=,tag:WjDzy7ubm/GVlBkW0O3znQ==,type:str]
    misskey_misskey: ENC[AES256_GCM,data:lRbSz7bbiWEdK/cRD41fLvFJF4WYsclKHVykFcU3LIz9vnKlR3VdczzznVqpT7JvG6OUi+TmipJii+0KzXHtdA==,iv:8sBKgVwuDJdThup0KQ6cnAV5O2liwVra1yIpDHVfpMI=,tag:DyUpaHai8ZUyllvZBUm8sg==,type:str]
-    misskey_misskey_old: ENC[AES256_GCM,data:Wwtd+hKI0s7m3PbEPHbnSyTsCkW0x8SYHUiCYuNSNCG8i4RAmiAbONNFfWN2hXnmTmRK79Tx/3GR+L0KMzmNGQ==,iv:BekTELToPQXUdZHyNtkuqKyZeez+moI6k907P7NhA3Q=,tag:A5YB0WIa1RkDCtzeBhiuyA==,type:str]
    synapse_synapse: ENC[AES256_GCM,data:lzaggyuXM1XwsRxFHslsP89r8wEcgi6LNfbcm+pFWj6WLO8y8WaQIdOkiF3D2ToKDwcw5XgSGSt/VAk6lv+GeA==,iv:8WOL3jze797Wz9kSRq7YpY8OS1TBMqHYhfgZlluJlic=,tag:utNhs1AMbGthp6M2c0x67g==,type:str]
    vaultwarden: ENC[AES256_GCM,data:Uz8GJMaLUTQ9pQbZyZLWS4bL5wmt9RvbAwNctAIDt9JrV3FaXxgKjE0MJSGklS55yj/Z/wbO6RCuCK2AWR2VKw==,iv:7hA8YcB88M1qCV8EhFYpHbfPmAZ/7xNqvTMJYZ/UcAY=,tag:mkDHJYmRoYZ/Ct0UmOp9FA==,type:str]
    nextcloud: ENC[AES256_GCM,data:5UpYSMsZgUgEJHg0ou9Z1RTE+YFFUKuXwPtc6L5XxD4GNo8Gd3CvcQSNGAol+5DtyPKF3q1+ZgtScWGrqU1RyA==,iv:Zfm+Oa4eON8WiJzYUkMFawafDwo9pOnOpWkwHYLIKkk=,tag:4ECMla1dFfCrn7lILwWFNA==,type:str]
-    mastodon: ENC[AES256_GCM,data:IQxoNjZILazu5cxkEzFAqqmGSsOffMQHoRB7AC2NqI/+CJSVsfdwiSVfxN+Jc9dmrqCjscUSxaWCMHnrZj/JyQ==,iv:d6tyj/w0uH2E3qHjEcopVhnmE/Pq0qN9PHthSArryyw=,tag:kfJsxqkErFcG11B0CmiIKw==,type:str]
    gitea: ENC[AES256_GCM,data:EAuFPlUFvtARh4wbevoIUwZ886nS+3O9Jy7q/SkaTDx7PkQKGhZcPPxY45AG0QQrjSaI3cGLzDBMutFMXP0BMA==,iv:0cLOsopAfyMLHJDowyZirVR5nqLrjSLHYtnPC8GXReE=,tag:BwG5UibGLS16rwJbH/0ZyQ==,type:str]
    grafana: ENC[AES256_GCM,data:ZLtDIZ3oKasE4r1WNllNe/rkXxqRS+QAJI7EGPKhiFF1BtAxD46UpGQnUag3yg0gP/8+3COQs6camVSxcKFL1A==,iv:wMj3keVjNpVwNMwlt4E3ds1EYjLNIZ/S3RydhOlmYWU=,tag:ZRn7NWaUPbf2rHYLoLYw+w==,type:str]
-    akkoma: ENC[AES256_GCM,data:6piRt7BbMBLVGdot+VyoJN3/S8DoPNTYHFh/1coHSLNmiA6kU/6sca4Bts1Up/Vu164oTsFAr1JsKx6tzNzAPg==,iv:qplA1GXHwzVrmjm7eagCk3PFa7DRdwaf+p7N1HLb6mw=,tag:W6WedSK3R1IgZVo/0Hr9vA==,type:str]
    synapse_matrix: ENC[AES256_GCM,data:5j+TYJ3vYUqu6CdRDYAT558DsTWbX4Rh+HuukPog5HGXlhneL3RnxVeGBR9CV1rlCP1NY99Nm8roBG+BcyPYHQ==,iv:CboB6lzqxAE/8ZlzaTU3bxw94N6OAhrq8pZ0AfxQiUc=,tag:z6cM3ufgbMn5n5PzgqdRjw==,type:str]
-    vikunja: ENC[AES256_GCM,data:syb4NYBxL3DdmZmcC+em0klmm6bkkIL/DH/gnzShYRiaezRFskT+yay9govn++SpbuvkoCJq/GYAFxNL+hcVtw==,iv:TQUgdzYQ0gqsAmux9v3BAQFNzHnCTZ+X/OC0b9Bfya8=,tag:b1AsiAW5XzA3DzGdf8J03g==,type:str]
+    peertube: ENC[AES256_GCM,data:dLzOez3dTy0NqHED1Oc43Ox2AFuH196kxwOSuR6RejUw3iJuzEQCdmA/i+70zHoveAYBdPCGpM8cz0y2M+usjw==,iv:KxDqmbNBkJ6Nw0M3060L9ESDf2qAur7umlejcDyRmwA=,tag:RScP7Cny8b1Z1/REpk+daA==,type:str]
 rsshub:
    pixiv-refreshtoken: ENC[AES256_GCM,data:EeSOTSAAh+1Dc8+a/AaPJ0aBK5DTa3pdS6DrIMQmRw/n0SRu2QoynIF76w==,iv:dnZxi8jM1I4w3C2duYielpP/8wOAdHDjcqDIrowM0dM=,tag:8irGvLEbRJHV9TB8Jibs9g==,type:str]
    youtube-key: ENC[AES256_GCM,data:OEm/ynOUPUq7ZEVzL2jgs9d+utkLTIdNq0MHE0JDujb9ndAwyJJI,iv:RRae6Cg6GdDnXAQOdtBYmcA7ZNuu70VpIg2MEezBn5k=,tag:gX4ZG345cT3Jh3ovUxtLGw==,type:str]
    youtube-client-id: ENC[AES256_GCM,data:dPo4+HsfXHdxrgF9F0qJmOGcSHDCn2KIkHx3ZYZU94iv8ImiPI9dTRfoz0zq8UIN7rwIKidQu9GxCRrg9aXk34pc35SXzEh8JQ==,iv:ROVHb0QjVsNae9eJevG6qc5dc4gkrGt+Y7S2QYrzmQ4=,tag:Advoh75OKPC7CnIeL4GFbA==,type:str]
    youtube-client-secret: ENC[AES256_GCM,data:c/ALpo/4qJdccMgYiSLg9ZgG7ddaMYxHwJYZ/ogJN2ED21k=,iv:CkrIq+Vpuq28CsRNwdKRLnBq6L8NF37y4xhhnmHQHqQ=,tag:SKtHpm/QZWnGViDtSKlUUQ==,type:str]
    youtube-refresh-token: ENC[AES256_GCM,data:pnXQ1euCdix2H7IxudmUUcpxc2OUhciKT8OcGV89c/EpoXHgx1+eLxwY5rRszroWwjge9M001RGHngvD/ny3phfWAwYmIzMJxun2f7JCPe7ybMesWmPSkiqVBss1Zfic1uB8mNM/yw==,iv:8p8/vATY8F3YuGA1TtjekiuaKOMnQyTMjrwDBJaK4VU=,tag:/jVg9FDOuLMNrupgrywpBQ==,type:str]
+    twitter-auth-token: ENC[AES256_GCM,data:65SbHggbYtfSfaaxJxRgD6+HpOX4vIfjnVZmOAZ9illPMYOu9MIchQ==,iv:49UuC8n6AGj1skuHzQX39Q/QuKlB9IxogIfiiy1GBnw=,tag:Rq6b0H9UFVZ19tU8ZeelRg==,type:str]
+    bilibili-cookie: ENC[AES256_GCM,data:58nO7ADu2oH/OgLJNYrEEzhf1J0zt8EpuygnSANkGXJju5oSmtM7WLnaMEjC96q14OTTA9QLiFVsbxiFY1eUnraA5W7g7+6CYRXVRZaxz91D/dhKzHGTMjB/LynnNqEIc6liONlcHbyjZNQ+WIqPtjVpCKMN7Mi8cv81/cFX/1GqAwncgDD2oXh1hMPOVY4dYcGKuOG0GjlY6RgOgTPqU3HawQjnoWQjPF+lq2rnWD5HP9ZTxOYa7hm2GgPrxkq1fkRrq+kKYeDh+6M7VLDcm5Fpf+biq6F8fZWzmw4NlVZT9BG0vJFa,iv:vxYXg9Yg9qIWFQXtwTYa4Ds0KSxZYg3M6xdtXKbdaig=,tag:TzCPehk9w+BL4wwgDc1CPg==,type:str]
 mail:
-    bot-encoded: ENC[AES256_GCM,data:HstqDfhKoLqDip9O+mwYGbNlNQ==,iv:CZSTfxJHhI6nG7501cQdJiZ9l3uKS7d5YsA8iVTUuoE=,tag:Rj3rvXJzDp8XzODV/gABog==,type:str]
    bot: ENC[AES256_GCM,data:j4Y5oYeVt0sd2z2Qwuqisw==,iv:wasQCTqEMAyttbn1zm9oKck6QiByom+F7ZIMDUse9Gc=,tag:92O4ka6f0I9qnlnVy2dltA==,type:str]
 synapse:
    synapse:
@@ -45,14 +39,12 @@ synapse:
        macaroon: ENC[AES256_GCM,data:2/8GuF/a+ocVtLN0PU17JDvXw/RoXX/CXFHPlI9THl5bY8lBm6tEawijnOKVoFLovfU=,iv:GPAr3ZjqLf9ixevsZoQgs4cPkv0VL4WJoFfQZOdThlw=,tag:HRt/igDEfUJ3K39mG7b9Fg==,type:str]
        form: ENC[AES256_GCM,data:Z9cYL9ibRWmOhAYtB269n0cWZSvL4zGgc03ZRag0m8cz2j0god/Fn/w6kx3cyGK1C70=,iv:Yst6WSV63IvbMF5nnicIoBj77eSwVMnAHtHrKo2UcDk=,tag:4qf6F2rdctcCf4J9vECvYg==,type:str]
        signing-key: ENC[AES256_GCM,data:BbPJiNcVTqMAL2XG3K3CIbsb8EM4r8ct/WxPK10FHRwAnqChKy3CAviYU9gewO/tNZXHvUYUAUbPww==,iv:IZB/40EE3DIxAqagdH/a4kcSmiec5l24XLCQKCQNaRo=,tag:/1t0WAPBYmYrPTx4V4wgkw==,type:str]
-        sliding-sync: ENC[AES256_GCM,data:POXExkTRRhXin4lD4MA61xsuzYXCT6U7QtQWtNnEb6kUWRrAvS9mqk+JTBn3onCzf2Azhi3WQOY/t+OiQFXI1w==,iv:GJfJSGb6t/q9KdVCr0dVVcD+e0yZUQzrJrtuhOlYJIE=,tag:ovd1ZXRkk7VoNo8KoYDViA==,type:str]
    matrix:
        coturn: ENC[AES256_GCM,data:MwZKkYMefshuk46Cne4wn9ooFH8RCDbrxp+MbLJWli9iPHuzJJzUuQNU9EDL0aNbzyYEMt/7DErw42z6KrpGww==,iv:u/SVVTgfJO2FakiYU+uLHXjA4tHU/W6ASsR3S31+pWs=,tag:VTeKNOKwm2bsiZAOVXeBOQ==,type:str]
        registration: ENC[AES256_GCM,data:+pA61vTg12lYUyXjLrHSY7y/ExfTQffLlGUI4HBOSFFPTck7bu68FrCaHOIBTtEMfjU=,iv:Ex/phkBZxglG8HiRz+m7h2HNanpq2Pxwbm08vdM3xFc=,tag:mM3YEa70FnCeYIUthK4TeA==,type:str]
        macaroon: ENC[AES256_GCM,data:/+RaayKiPPpVV7OWWdaSkSSRHMjb8d58lZcpvltN9cYkN1btvMViEgdLSlfqzRRlPUE=,iv:pg9GXgNsrVWKlUAiCKZ2pYXugRH6MsBIMpHKoYWYLik=,tag:/mj5Ak7XAX/FH7sNPEVALw==,type:str]
        form: ENC[AES256_GCM,data:7HF7HMUH1BTJgXXP6cpUiVj0jCwGW57bx9wKTJu7PnRsNuAam/+nKX7Zfg7WD+gSBlA=,iv:SYeUsuFVgAA6U6STCtKT5c5E8Kglh3x7hy6+Op4n0W8=,tag:eICmHTwwn0KcgNhdDGnusA==,type:str]
        signing-key: ENC[AES256_GCM,data:hzxxDbGp1L09O7+ueUSa5lJOY/QvF2zvHdpueEHjaPQEToQt9mr2loeTQHC7ObTegfLb9UHrI1jn4A==,iv:KngfahwYZZmDQ5LeOUPWptTMGAC8TZm1G0FWcrwCwsw=,tag:U9pW6/boBIpiswn67Ezrfw==,type:str]
-        sliding-sync: ENC[AES256_GCM,data:BeA6g98IWDP6hnLFI77QqG6esDwB6j3OPzAv3eJxWoTajAsByHSgSYP1vHN5Iok6IgvSSmkf0/HiOJy1Ca8IIA==,iv:ca+t/rYwc/fAVUcz0JTmrRQCOcbDNscbnE8BpHkx/OE=,tag:eEfhUChUt4kRnO82XqRY4g==,type:str]
 vaultwarden:
    #ENC[AES256_GCM,data:yFDD8GHjZWHN/Yh53DseevKAhDVwrHX60e8sGZnF4BUsUuPA/4S2PRzj7CtlpFzUH3kb0i+HkLKRvbchg93U3as=,iv:JGG7daEKs0oMKTNVi9GS7PrXn/8rFtVkHknACsEQR+g=,tag:RSN6fojLsI4dcuPu2eTiWA==,type:comment]
    admin_token: ENC[AES256_GCM,data:OpjREmxJSRj+aGVoP8KKRE7ClNqRtaV8va4WLVmpl1AO6D0q/GapJvhORHQb5s5ZjIAgvWTz1w+fh050Q9sPwRsNUke3FIcyeNy7k0PHgnnVIdxnU1Vn9KMz/SovjQ0/qEQ7tArvW/EXtKfwnP9lsz9m94VBvA==,iv:9AvDqMa2PeQOSrP2th3YBgA2RxPl3oKZTyUzi/yjRTM=,tag:HYFTQDgWvBsHQk8IZxWkfw==,type:str]
@@ -60,7 +52,6 @@ mariadb:
    photoprism: ENC[AES256_GCM,data:TF1SZVFnvzyE+7vrHYYUS4Juqhbiw9QcJx7p3Xj88xyBFcTqS1YjzAKs/9GQ1PuzdBrt6hXm/XtJILHiuktnSg==,iv:sd9sQEuIePL6LzUYbFtmdecJ57sMrkF0coalBf8KFqQ=,tag:P/knaKYTJ+aXu4l6IixISA==,type:str]
    freshrss: ENC[AES256_GCM,data:ydqCbj3UbsLC1e++p5ixb5Kpmk2BsYd0urcfw8T51Is5N1/gQ7P0zgR33AOteAxw2oj85WQZhxu3eAN7BCXV5A==,iv:1oiMo1wwFNXiTZLsf4UPZSJfKFIWLI3h947TC06CVy4=,tag:Otq1oeKBnWXhqNilfsywPQ==,type:str]
    huginn: ENC[AES256_GCM,data:1Tdg1WDwGgFSXdChgif8knWS24BIFYnmaiSjJXxs5uj/v/5fJ1alb4K4XHW/kFRjQbuAOFfJiJ9ogJ1KAyk17A==,iv:qLMaQpVaKrjP7g2lWzhaNLghxwiV4YJmyYY1hrpu5I8=,tag:566JCENvOxgwD7tM3aQBiw==,type:str]
-    writefreely: ENC[AES256_GCM,data:+5jsON4SpeWKWZWlbn233XuQ/6HDzaS3XxUxDbUqAp8S/XGmn/QuFK2f375QJEiyZsnrIYkbN/CiOjdTw+nNzg==,iv:8mKqWegyxrT6908P5G0olVZzpP+BwpE7SYODEry7F3A=,tag:HeYoT0RFJGzX6DWcBQy7Jg==,type:str]
 photoprism:
    adminPassword: ENC[AES256_GCM,data:gB81joOfS8h05BNy2YmD/N0cpLPa/vAduDcQBeHiY/WkcnvqSXnXsOfnvbP74KQfoP4W35oFkfyGVPUBSB83tg==,iv:AkN2NoqMXVHQA9fHTTR7xbEapEqy/D61mHn7O23hyYk=,tag:WV+siDA3VnRkOYnP4Z9Qhw==,type:str]
 nextcloud:
@@ -90,20 +81,11 @@ fz-new-order:
        username: ENC[AES256_GCM,data:xWP1cesh,iv:11KFZ/J9PScz/oW2+H5BWgw0+ETkCXlcYOMuPpgjEs0=,tag:HswEVzm6ElRjIDsZyEfZcA==,type:str]
        password: ENC[AES256_GCM,data:Da/E7ZeZ,iv:gIoheXeTErV3+CtZSEDsX7pGzRahHWlKYQ6QZ6W2eu8=,tag:0oQzQ5DJiS2hqMQfU6JRWw==,type:str]
        comment: ENC[AES256_GCM,data:etfZKwbh,iv:XqqF3D0PpCPd2Q/CCu/PAH4SrvXAOu+lIXvSht/KfKk=,tag:7jyG33foxneRK2wvI/5uBg==,type:str]
-gitlab:
-    secret: ENC[AES256_GCM,data:hBax7ClSuttBacykKw42pvrvowZW8OeTry/0rkmy5BHyLM7HllNYCOw+tupIOdhVEfgJPWQeBeGuyFHt7lPRWQ==,iv:zOM+eMW04Z9QkTchkAXWYHg2eWTQmGEs/dHtUnvNVd8=,tag:RzLyecuASl9CcmQSuabN6w==,type:str]
-    otp: ENC[AES256_GCM,data:Hgq5Tyq+BUTsexVsjFWf07fY0znPL50+qIm+fhuVljlauXBZouQjJKMhqTs9zhLECOktYUtp0wrNa++nO1Ys9A==,iv:Am51j8QjDtldtsZL8uCu0I3pr/SQ6R8KUQinznZjClg=,tag:hbtrlG0MGNL3VcbQUG/irQ==,type:str]
-    dbFile: ENC[AES256_GCM,data:AKxE/Z4jooDlkIl3WpQZIlN+MLxlZ7SEWVF12/8f9aq7LtVl5B0RDA6bZbeM0PU8h4eGcSX9feSpLIVpvBAQxQ==,iv:li6hBLw9filwVVXa01oICtvY9UJsMgB+3XYOgZyCTnY=,tag:wC18TzVMM+dcpIi8wwCcIw==,type:str]
-    root: ENC[AES256_GCM,data:nPO4MT7BWuCHnWkbHPRYygMpieGsni4+BQs6HVwxBqH5KuD0O7I3PQlcgntxb4kWbqvyWstYW+k9LdscSEzgXg==,iv:fgfW8BljGlOIQzGK+UiEFcT6Hp5ieA8C86kwT8xRlO4=,tag:eSWPda0NYBe47uVYCOUiLg==,type:str]
 grafana:
    secret: ENC[AES256_GCM,data:QYhopqGcHGr+24qYlfaTdMtnyzmIZYG4PcvS9KYqC24W3M+HmloCkPHh7Y3ZTVg8MnrDGOcbA9YPLdY7eh/u4g==,iv:dh7egVIem2bgDbmWJ1sqH9fLdIYbAIQjnjNvyuEjVq0=,tag:DbIRVHbCcpKGcNc6sDTasA==,type:str]
    chn: ENC[AES256_GCM,data:0bbjggWS1MdcUIQiQyPlBTULm+faKDpJbmZmV6vSw8k=,iv:am65WQzUE+AvQrQV+NSF5u6RCWn7EetyPsdy4Cuvyyw=,tag:lxNUM1cIYVSXVgwEnS1Hdw==,type:str]
 wireguard:
    privateKey: ENC[AES256_GCM,data:TS+toaJRgAvC78XVwTciXe2IG8++vaqXVCi/u/8Aej6qq1B9Cb6f20cp5K0=,iv:T/NkLvcYiWzIDG3jWtuhe/sH2GT4z5f0xdUGbSL901I=,tag:qN7YokFBj3Kbbx4ijHTRnw==,type:str]
-vikunja:
-    jwtsecret: ENC[AES256_GCM,data:p6e22qPJzTGB21oWhSr8AA4bfrele9ZOHVtZ8BHgX21IhoKdm58coGtSX1CGXR7J6+1/74RdLY9K88nGrM1F1w==,iv:DGUO8rhf7Lg9dTqSmzlR/Jd2K4oUjO8w9E5bihwsykI=,tag:SpX6UI0QIju/tC1fIL9CCg==,type:str]
-chatgpt:
-    key: ENC[AES256_GCM,data:bkLxKUqkjwpUeqeAZCaAgKiOse8QtZ0zOn9TQNA84+B3rxNiTFPisI8=,iv:Zd5dO5Sdt4HCvNZgS2K0FjJAzti6oE22vahYQl99TrI=,tag:E3o+X84tRsIEGU9Jfb85JQ==,type:str]
 telegram:
    token: ENC[AES256_GCM,data:Mr6KrAzYoDXA+dPT3oXqK2wm9ahTjZ5GVE/iRPsmcM+S2MABT+8ramyHz9oIFw==,iv:nIZ8rpSxz2GwMbDQFfG3xauMQjiriZ1oxFMrEQeH7sQ=,tag:y5U1T1vV/mmdE/CeaeTR8g==,type:str]
    chat: ENC[AES256_GCM,data:8w/0EI64a1dC,iv:dHu9JHcUY7QPd9YBKXnrRXQB2K6jpnLrSFs+1IJmkio=,tag:3ucN3uNnBxxRF+cbLsa1nQ==,type:str]
@@ -118,8 +100,9 @@ xray-server:
        #ENC[AES256_GCM,data:j83rYg==,iv:3oEdAoVz7aMcezcy2chTO0LQTtKpTrJJoQZx3PC03BU=,tag:ABteEIyr2Y6MbGQhmrQySQ==,type:comment]
        user3: ENC[AES256_GCM,data:Uk0Ax9FVzmmYs+ggWy7z6FEkuj2tppGlvnQdoW6PDI1VA9oI,iv:wSxigXleRUalQR1/TzKfdUVrdyEUuq+Wg42gSv1QMAI=,tag:qn6nBWv6MlGhMarCfI13BA==,type:str]
    private-key: ENC[AES256_GCM,data:TarrinCFzWkB5zCc7i7f3B3tFfxrF+cGnrg4bw9CAGKWBazSJHCviY8Imw==,iv:azHdrc6AlgS9RPwGVsYRb8bBeC/askCdut1rnv9TA3I=,tag:AT2lLraKVgbp9GmlLJiI+w==,type:str]
-writefreely:
-    chn: ENC[AES256_GCM,data:YvhPa69sVdiljm9Ix6yQh6YCEpFvC9iw5Yx72MBcGr7+swdbvWDAfMmGFY066mAPvhpwZX/IEivKvrS0t/OSnw==,iv:7s2yEb30YaCAtNeevbur0HL28nXHVIqmCx6Bngh+HWk=,tag:yx0JK8RNQMVcYLBSxNj+uw==,type:str]
+peertube:
+    secrets: ENC[AES256_GCM,data:DAlig4wYCridlfS00YOqH++/4Rkssq2bkJ1bhERrsgeqdccwwnk6ADKpN2UBGANNYiTj2VUHsHT6mIWxPRcJvQ==,iv:kOedA1gAD7el6JbP8MujSCSfkkHM6CDDMSs2LwPmsGU=,tag:ZDS+LGX2hNXHw15Js2sBkQ==,type:str]
+    password: ENC[AES256_GCM,data:jmKmQlFqHSmImfym2M3/+ItbPxx1GwgrLRZwk7KxqXGHFvqZ1ybCnfZCN8jmA1gVJLuPLTrYA9ggHwdKgVrknw==,iv:cBSb5PJsjHBAMgrxlZaVtw1aP39AXMtdk5pnnCyyZbQ=,tag:6TLoDRY6305lm4HVapT4yQ==,type:str]
 sops:
    kms: []
    gcp_kms: []
@@ -144,8 +127,8 @@ sops:
            SnFHS1Z0SXUzTFdEd29KTy9DU3Y3R0UKfhh+rUmWDrf+UGjclP57dHipPLFoXSqy
            HdelmfV6q4/c7ppx2E+oZw3VNgoZCsrxxzYZfwxHJiZb+5vkE0D8iA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-20T15:48:48Z"
-    mac: ENC[AES256_GCM,data:buEby7ZmmEFARmRp3r7JwYdMck87u4c3TGkeF2pkc5ORnqIgwSH1XVSjlbK8vTBWz2FKXeQh9wkX3BMaam9dU873/yPBe54BnbZNggZ7jDDEpSTeddfTsM8mrka0xDO3CUHbwCsqYWFm4NLAbCfRPKhrjvSJVyEC85K3eO45Z6M=,iv:/7cOdSi6oiaaFRkSnR+1/XXapjlQdMgom31xrpIGXHk=,tag:XW4WX93bw45zPweblW4Dtg==,type:str]
+    lastmodified: "2024-10-25T08:48:30Z"
+    mac: ENC[AES256_GCM,data:VtdB55WtONC5orgSMFPuELRVtjAC9REZIscEtWLZ8Cyo+FEYmFAlj+0cg/5aOk4dr2JVUnkcWNyefM8xw7m78yU3f5KruKH0N741ngkovhJnI1V6yuY9om/NXvux6dkYKmQcAXq87rYkoDg5CFxsU9RKJncBMCA7bekebzo0aIw=,iv:7Jv8ciLxXWkCzZeU82Wv8oxBcesjb9/qzWfn9tqyta8=,tag:aEnX4E5w64oY8bbJ5Z8MRg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
-    version: 3.9.0
+    version: 3.9.1
--- a/devices/xmupc1/README.md
+++ b/devices/xmupc1/README.md
@@ -5,7 +5,7 @@
 * 显卡：
  * 4090：24 G 显存。
  * 3090：24 G 显存。
-  * 2080Ti: 12 G 显存。
+  * P5000: 16 G 显存。
 * 硬盘：2 T。

 # 队列系统（SLURM）
@@ -34,7 +34,7 @@ sbatch
 提交一个 VASP GPU 任务的例子：

 ```bash
-sbatch --gpus=1 --ntasks-per-gpu=1 --job-name="my great job" vasp-nvidia
+sbatch --gpus=1 --ntasks-per-gpu=1 --job-name="my great job" --output=output.txt vasp-nvidia
 ```

 * `--gpus` 指定使用GPU 的情况：
@@ -50,7 +50,7 @@ sbatch --gpus=1 --ntasks-per-gpu=1 --job-name="my great job" vasp-nvidia
 提交一个 VASP CPU 任务的例子：

 ```bash
-sbatch --ntasks=4 --cpus-per-task=4 --hint=nomultithread --job-name="my great job" vasp-intel
+sbatch --ntasks=4 --cpus-per-task=4 --hint=nomultithread --job-name="my great job" --output=output.txt vasp-intel
 ```

 * `--ntasks=4 --cpus-per-task=4` 指定使用占用多少核。
@@ -85,6 +85,7 @@ scancel -u chn

 ```bash
 scontrol top 114514
+sudo scontrol update JobId=3337 Nice=-2147483645
 ```

 要显示一个任务的详细信息（不包括服务器重启之前算过的任务）：
@@ -130,6 +131,8 @@ sacct --units M --format=ALL -j 114514 | bat -S
 -s, --oversubscribe
 # 包裹一个二进制程序
 --wrap=
+# 设置为最低优先级
+--nice=10000
 ```

 # 支持的连接协议
@@ -188,9 +191,7 @@ RDP 暂时没有硬件加速（主要是毛玻璃之类的特效会有点卡）

 samba 就是 windows 共享文件夹的那个协议。

-* 地址：xmupc1.chn.moe
-* 用户名：自己名字的拼音首字母
-* 初始密码和 ssh 一样，你可以自己修改密码（使用 `smbpasswd` 命令）。samba 的密码和 ssh/rdp 的密码是分开的，它们使用不同的验证机制。
+* 地址：因为懒得管理暂时禁用。

 在 windows 上，可以直接在资源管理器中输入 `\\xmupc1.chn.moe` 访问。
 也可以将它作为一个网络驱动器添加（地址同样是 `\\xmupc1.chn.moe`）。
--- a/devices/xmupc1/default.nix
+++ b/devices/xmupc1/default.nix
@@ -4,6 +4,7 @@ inputs:
  {
    nixos =
    {
+      model.type = "server";
      system =
      {
        fileSystems =
@@ -47,18 +48,15 @@ inputs:
            forwardCompat = false;
          };
        };
-        gui = { enable = true; preferred = false; autoStart = true; };
-        networking.hostname = "xmupc1";
        nix.remote.slave.enable = true;
      };
      hardware = { cpus = [ "amd" ]; gpu.type = "nvidia"; };
-      virtualization = { waydroid.enable = true; docker.enable = true; kvmHost = { enable = true; gui = true; }; };
+      virtualization.kvmHost = { enable = true; gui = true; };
      services =
      {
        snapper.enable = true;
        sshd = { passwordAuthentication = true; groupBanner = true; };
        xray.client.enable = true;
-        firewall.trustedInterfaces = [ "virbr0" "waydroid0" ];
        smartd.enable = true;
        beesd.instances =
        {
@@ -75,9 +73,16 @@ inputs:
        slurm =
        {
          enable = true;
-          cpu = { cores = 16; threads = 2; mpiThreads = 3; openmpThreads = 4; };
-          memoryMB = 94208;
-          gpus = { "2080_ti" = 1; "3090" = 1; "4090" = 1; };
+          master = "xmupc1";
+          node.xmupc1 =
+          {
+            name = "xmupc1"; address = "127.0.0.1";
+            cpu = { cores = 16; threads = 2; };
+            memoryMB = 94208;
+            gpus = { "p5000" = 1; "3090" = 1; "4090" = 1; };
+          };
+          partitions.localhost = [ "xmupc1" ];
+          tui = { cpuMpiThreads = 3; cpuOpenmpThreads = 4; gpus = [ "p5000" "3090" "4090" ]; };
        };
        xrdp = { enable = true; hostname = [ "xmupc1.chn.moe" ]; };
        samba =
@@ -88,9 +93,10 @@ inputs:
        };
        groupshare = {};
        hpcstat = {};
+        docker = {};
      };
      bugs = [ "xmunet" "amdpstate" ];
-      user.users = [ "chn" "xll" "zem" "yjq" "gb" "zqq" ];
+      user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" "lly" ];
    };
    services.hardware.bolt.enable = true;
  };
--- a/devices/xmupc1/secrets/default.yaml
+++ b/devices/xmupc1/secrets/default.yaml
@@ -15,8 +15,14 @@ users:
    yjq: ENC[AES256_GCM,data:ua0DINHutjt2Pk+SfHRQRV99mT3Cnw6rRKO8VRIAlP0dY6QhK9wkNdyRYWYRBKVrWgyFQMGNFYAxIpymjF/X7mBOVI2sOHLgkw==,iv:PUZ6S0KICuqoSA2sDLxdL4gtAOQnQXOUY+5f3qDZgpc=,tag:f39P34vAUOrV23BsKkRarA==,type:str]
    #ENC[AES256_GCM,data:6qNjSdjck4Vz,iv:c/GNqCNgRgwgL+2f6Vumtjb/ub9WCBSy8R02NRCDqk8=,tag:b/tucJsHTjSfcK0vgHtE8A==,type:comment]
    gb: ENC[AES256_GCM,data:3eAKBiJoC1owCHTFd3Xq8vI8VK980evePc92xCXJJ21M9D1MdbwN8ySZ3Ovjk7VfQmEo8oRv1Ll1sftyrXYoeTHmJsNDxCpR6A==,iv:Ju/ERNuGrgO5kYlbvmkbLJkgiW3Elou34AsJTFITCUg=,tag:POVlxYh9kZ1BMSbt97IVOQ==,type:str]
-    #ENC[AES256_GCM,data:oniighfvCNGWUwdhqg==,iv:RVUuZBqCd111QJ7MpgYBuP4fDCzm4NZAtbua9kXkrJM=,tag:21zF8E/3lBTDr54I9NKPVg==,type:comment]
-    zqq: ENC[AES256_GCM,data:Vjbbs8xIlH3+of7+kLGFVp4bIizU8D5R1qRbCqP5FhzTadXA8KD9/uiYxtrV3oxYGwZ/RlLvriHMClob4ihyDF4U2t8Dc4eVqA==,iv:FjCftpfKPZYThiNOyNkhx9uNyWIsjC5sK5WWcaEBtiY=,tag:MTL490c2SeFGx3EhxEdvkA==,type:str]
+    #ENC[AES256_GCM,data:/2y613pek/CO,iv:gqSh74Ac0BxPdO+fOsQ0K8t2YduwyTVOjMq/A5Wmoz0=,tag:jLUYXu7f27FruwH5rUUZSA==,type:comment]
+    wp: ENC[AES256_GCM,data:3jeHpeu1YlFhK2+o19q2/JyJPhZFivPbUQzJJbJZ15GzAVh7i1VsTSN31LufXAgsC8KjZHAPhEZlGYvnGpCvPzoISQa5NVAJdQ==,iv:bL3ohgbjA2agFKDwgw0H3LgiHTWB4Y5KlQAtHfEMr+w=,tag:SfLtj7iDcmV3dgOlITFvxA==,type:str]
+    #ENC[AES256_GCM,data:YIlY7n5pcJTp,iv:Y/+ogxaMgSl0vcMPRr3qdSHjjnnhY+N2Q6jFojzIDyQ=,tag:zat02jxJ8jI2uk8noslmHQ==,type:comment]
+    hjp: ENC[AES256_GCM,data:Ii4P9ZsUOEh3cqt3AKWlgUH1CMNnmHln9QNWdTRR3vZXkkR5j5qKAIrAltml/i3xFlt4hftYNufnupog4UlAVWQJhYBlhCSE4g==,iv:eKWmUcKItjd1dsvVP1se5CAhIFqV/eVH03gPJhBau1E=,tag:ZTE0BTSoDpJGqECklGjs2g==,type:str]
+    #ENC[AES256_GCM,data:hCgqHfpmeJ1Z,iv:pEKUNxhUyNAVtniTIQ2IpMPmXr2O+twq2/3Y2lIoqdw=,tag:RTqcI0XCoOymQD3r4+yS9Q==,type:comment]
+    zzn: ENC[AES256_GCM,data:/CSffToFJiBotXZ5rPkz0UNgI/iC0ftusPF2Ce6Of3XckjpCcikWj6n3ahJ24XsWQjp3EvacOiBorh+Kg16LjCEl0P2RMIitTQ==,iv:u9IFdp/jw7ehTshPzQVssLeh33iBYCPjSyJSLsc5EVo=,tag:/KXgmU7dcTKG8C4Y7NcMhw==,type:str]
+    #ENC[AES256_GCM,data:TN/ycWtGSCNY,iv:pSilXx4zKs53XX/L0+QFbwv13rutQG11sU0EgVhaJEA=,tag:L+MpcYYlsMnSpS1JQdnwIQ==,type:comment]
+    lly: ENC[AES256_GCM,data:XkRaNI0SqooptH/OexBCzZ4RYvA3s7qXbpCtLVidJ4pZU/o7EHlIcvMbeRxqdujhXNQ+vbS3o7CmhwJK2JVVPCCVsd6k0gMDdw==,iv:v/2mgDuR+/lb8mtyv6sn4Z9XXnuDoXkT0DeNQ7850fU=,tag:T8xxo9C7kFSNlLDjEaZK0Q==,type:str]
 mariadb:
    slurm: ENC[AES256_GCM,data:qQMD8SKNmxb3PdScXNqppF9zkX7dV5i7rvljvZuhiI5zLnu77qYCHBW6ymh0mrY14N9NjxmQZhZWX/H8TvBlcg==,iv:J5N3LjCYW3QmuEkMBpl7qvPFW1Z9ZoPLkj45jKcIW9U=,tag:Tl+ld07+lVkmzt7f/f2MqQ==,type:str]
 hpcstat:
@@ -48,8 +54,8 @@ sops:
            ZDNHUjE2QVlCV3p0NHdKYW5IMHVBZzQKkZtfyvfroOntg3yRjMw4jQHiQj8eaB2h
            IeIHfW4y01mmVT2ofbtB0xYpjcl4gtUlQ8X3tn5iJ9P8gcVo0G598A==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-21T09:56:03Z"
-    mac: ENC[AES256_GCM,data:9+AR9Y6ik+BH1Spk62LSTU1NFQ8ID0YROF+yf8ss2RqhfP6/5+lsrNjGC7gnEEMYF8UWVtChUuljIK3Q4MtT64JhDWgp8tenbpkJnRFGylzEe37MYajdDY7nrPP7iPUPNvS1ndo6vp/yuEigBXVhCtpjMObj7zIdGnLbtz0sczA=,iv:gNb8gVp9adnlZsMM2afOlFe46Vy15ELmC9vGaaeaInY=,tag:rltLL3WSZytjEemgjCy6Ng==,type:str]
+    lastmodified: "2024-10-26T12:26:52Z"
+    mac: ENC[AES256_GCM,data:TiF/QAh6Y8Xn+3B1rlg+FvZFJ4fGP+szvvopbiEzO6AWBYp8dcD6MmaZstVzJL1BrRIQ3GENcq7EVyfZMWQlW8aRsVF/RrWOSpAKI1tiWDl+10Ov3zjr+Q8sFYTfblWXYH7Tq9pcWBChj1Kj88Ri5xRRfJTuelQoL0igHQBwfFM=,iv:ikzexH8P3CYu7SrRXwWd1Ar3+PEXSSjSVj5E3jwcZyQ=,tag:i5/F33/KcDJVQ4ceYtRErQ==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
-    version: 3.9.0
+    version: 3.9.1
--- a/devices/xmupc2/README.md
+++ b/devices/xmupc2/README.md
@@ -4,7 +4,7 @@
 * 内存：256 G。
 * 显卡：
  * 4090：24 G 显存。
-  * P5000：16 G 显存。
+  * ~~P5000：16 G 显存~~暂时拔掉了，否则 4090 供电不够。
 * 硬盘：18 T。

 # 支持的连接协议
@@ -18,14 +18,12 @@

 ## RDP

-* 地址：xmupc2.chn.moe
+* 地址：xmupc2.chn.moe:3390
 * 用户名：自己名字的拼音首字母
 * 密码和 ssh 一样（使用同样的验证机制）。

 ## samba

-* 地址：xmupc2.chn.moe
-* 用户名：自己名字的拼音首字母
-* 初始密码和 ssh 一样。
+因端口冲突暂时禁用。

 其它内容请阅读 [xmupc1](../xmupc1) 的说明，两台机器的软件大致是一样的。
--- a/devices/xmupc2/default.nix
+++ b/devices/xmupc2/default.nix
@@ -4,6 +4,7 @@ inputs:
  {
    nixos =
    {
+      model.type = "server";
      system =
      {
        fileSystems =
@@ -40,18 +41,25 @@ inputs:
            forwardCompat = false;
          };
        };
-        gui = { enable = true; preferred = false; autoStart = true; };
-        networking.hostname = "xmupc2";
-        nix.remote.slave.enable = true;
+        nix =
+        {
+          marches =
+          [
+            "broadwell" "skylake"
+            # AVX512F CLWB AVX512VL AVX512BW AVX512DQ AVX512CD AVX512VNNI
+            # "cascadelake"
+          ];
+          remote.slave.enable = true;
+        };
+        grub.windowsEntries."8F50-83B8" = "猿神，启动！";
      };
      hardware = { cpus = [ "intel" ]; gpu.type = "nvidia"; };
-      virtualization = { waydroid.enable = true; docker.enable = true; kvmHost = { enable = true; gui = true; }; };
+      virtualization.kvmHost = { enable = true; gui = true; };
      services =
      {
        snapper.enable = true;
        sshd = { passwordAuthentication = true; groupBanner = true; };
        xray.client.enable = true;
-        firewall.trustedInterfaces = [ "virbr0" "waydroid0" ];
        smartd.enable = true;
        beesd.instances.root = { device = "/"; hashTableSizeMB = 16384; threads = 4; };
        wireguard =
@@ -64,16 +72,24 @@ inputs:
        slurm =
        {
          enable = true;
-          cpu = { sockets = 2; cores = 22; threads = 2; mpiThreads = 4; openmpThreads = 10; };
-          memoryMB = 253952;
-          gpus = { "4090" = 1; "p5000" = 1; };
+          master = "xmupc2";
+          node.xmupc2 =
+          {
+            name = "xmupc2"; address = "127.0.0.1";
+            cpu = { sockets = 2; cores = 22; threads = 2; };
+            memoryMB = 253952;
+            gpus."4090" = 1;
+          };
+          partitions.localhost = [ "xmupc2" ];
+          tui = { cpuMpiThreads = 8; cpuOpenmpThreads = 10; gpus = [ "4090" ]; };
        };
        xrdp = { enable = true; hostname = [ "xmupc2.chn.moe" ]; };
        samba = { enable = true; hostsAllowed = ""; shares = { home.path = "/home"; root.path = "/"; }; };
        groupshare = {};
+        docker = {};
      };
      bugs = [ "xmunet" ];
-      user.users = [ "chn" "xll" "zem" "yjq" "gb" "zqq" ];
+      user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" "lly" ];
    };
  };
 }
--- a/devices/xmupc2/secrets/default.yaml
+++ b/devices/xmupc2/secrets/default.yaml
@@ -15,8 +15,12 @@ users:
    yjq: ENC[AES256_GCM,data:sGPQ0xALULREnhzl9g/V91M5osMglsSps6R4gYn5OZc/4xVC1phF3qajVN3YMOr7kKgkHbF2Rjm6/2vuK0k1iYZnFswUAmFlmw==,iv:5vG1hn7SlX6HCpas2BgxBSwWqLby8OCxcH3EKNvceIc=,tag:TVwFBAuosKnEOZecq1phXw==,type:str]
    #ENC[AES256_GCM,data:ALHxkRABA+ll,iv:r1IDiHLFcTdLID3q16zrLTavAwQfddC7bXMKcFZFveI=,tag:4Pd0/Q1BmH4gJjaM4hbqqQ==,type:comment]
    gb: ENC[AES256_GCM,data:z4CrtdmdLJJ0qZzr7qvihnluJQgjtciX56KdEmtemiRu0llEJk9qz6a23aJ7m40Sfc38elF1/LsvjOuBOC87+BVkKDCj76phag==,iv:WrFVxkr3snmqDXZx5kAYCLp7ixEIzxoT7El3rV7Ovqg=,tag:iExf2Y/HObHQrKMTRvqn7A==,type:str]
-    #ENC[AES256_GCM,data:UoNCXbGIHDNsmyCJxw==,iv:uTNvqg4xm7E+yn8vFaaihbEGEhLTZ2FNFNCYzdgiDlU=,tag:4bRSZbx6FFzA6MiBYVu0qw==,type:comment]
-    zqq: ENC[AES256_GCM,data:sfgufV++PfTrdeUBXZhmF1JoSpD8Nj+m0QKFrUMJG/pHb0AUagJEWEJwPsI+m91tZE0qxM271ks+WKqLElmyD4Ftw7ywWzTE0Q==,iv:R05QFUF+fvIHidWpHIR/D/e+UeciS5ehnx1kx+saCgM=,tag:3Awnd+pUQRxjjQ58SUX7Mg==,type:str]
+    #ENC[AES256_GCM,data:XfNExliq7noL,iv:K+rFlZHF1oY5rsTzaO0mgxiE1VlKdtPTifAaesg321k=,tag:Dja8NmPWZdJkf/J/96/wAw==,type:comment]
+    wp: ENC[AES256_GCM,data:yjMDez28pJUo6riIHypQQgjGFbuLwy87eG4ek/+Li2w8b4Cm5JckRvs26o+S0blfICc8WqIqEJGakT2wVBE5O1jGfniKn3PhTA==,iv:dOA318XRd2EXxmTIlk6GhlAR/FBpbKkbPJJCXTwFCxM=,tag:9MkXNUuAoplAzE+4eJpr0w==,type:str]
+    #ENC[AES256_GCM,data:YGcTkNCeu3m7,iv:jYmVrfRFwQoX1XxeSzS23wRMAD/AnzYBXQjI76Ke2FE=,tag:WJfSmjdggzPojDcJ6GzP+A==,type:comment]
+    hjp: ENC[AES256_GCM,data:0R5SfBFKuLGurwINnTj31FOrwwfY9bqVS1rG/a0HqIYd+Ui8/2ffFBx0Et+tYIqcxXEJpGbvse43V0naNKmFKlLanfcy9YV/Hg==,iv:mpAUmcVHWWLoreEsG9ha09jxte8mQCLt/A7nm04iX9Y=,tag:bia9pjL0MAcs9vj1gKCVCQ==,type:str]
+    #ENC[AES256_GCM,data:Q3TFPjvcDmKh,iv:eZ1NXGQr9HogxWa46T26WL63nvqho2/KSji8Dgse76o=,tag:iSGPRMCMolp7LVFjJGPotg==,type:comment]
+    lly: ENC[AES256_GCM,data:tP/NtJcMUtZPvuAqoM6KhCMybhsTxKSq4WWW3SBzQ/O0FmUXhECQc5CQnI4J9PlalP7Ug+uUQzeBMnHN84pkKNIeHVJhqjU8Zw==,iv:7TPPuSfXypSRnnhuy8LJSXIB+KB+3vWV0G7AbCZpB6s=,tag:iSLgRxOHgUolByFyvwltNQ==,type:str]
 mariadb:
    slurm: ENC[AES256_GCM,data:9wLQ1zF/kDaiw0s3UaRpiHgmngU7u6hwyqpddSjev0+Z0v58Q2oiJtK8vn+2VlSxx5ACfqEFbzp0PZYAxd575w==,iv:q9JTkgDymOwkbZ/PaxRAAQrtO96QmGgZcQuLTFCMoS4=,tag:dwOHlOTgZqT/1jQ+oGf7UQ==,type:str]
 sops:
@@ -43,8 +47,8 @@ sops:
            M0xoL1dQR0kvMWpzN0RMNWVCTFQxNFUKj9LPjBo5NGOrGYNvu8qZ13PLYjLEWllU
            LARzEn4XgkeHckouwvxZYMCx7WxmAruRWaOvnxTIczzSNP7wIrqnkA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-21T09:56:44Z"
-    mac: ENC[AES256_GCM,data:COodLhpL5EA5g15lgimsuxs1vmqJrLDVgtjw+0FLKTq6E1pcQ+zJl+dD0b9u5fYy9BBf56TI8TLJahVPR0eGxbDFlHmx8M9GStlTqaOE3jRsDT8GsihdlvLokyVt8jEfAnaWESTIgfehVL2TrLlsMnIsoVHrzdlEhX5ATXA3QOg=,iv:U/EwFmYWOcxi7ItkR/+MT8gTu7UobH5pxS00qrH/yyU=,tag:RVMcx4X0IS9yvpHrF0owpg==,type:str]
+    lastmodified: "2024-10-26T12:27:03Z"
+    mac: ENC[AES256_GCM,data:q1EihAxiS23XoKWt4ogBo34pP7J6i/yFglmmvFIdWKIgwaoXWFexKrdu1oRZBIxISW+3b/NzkuUm1anu3sGFGiirDpllg8wu8ezXJJODb8yTU0HJpZ/9vjBPm+ZBt5zFzGky7kmW+qOFfUsZkr8dCiJil/Z0HrXrY2d59ksxhto=,iv:7b6ePa4xXdjrj8O2JWAptsONz8gPApS3roYMuRyrztU=,tag:uzOcc8H2W6VvGDkrex5M6A==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
-    version: 3.9.0
+    version: 3.9.1
--- a/flake.lock
+++ b/flake.lock
--- a/flake.nix
+++ b/flake.nix
@@ -3,18 +3,15 @@

  inputs =
  {
-    nixpkgs.url = "github:CHN-beta/nixpkgs/nixos-unstable";
+    nixpkgs.url = "github:CHN-beta/nixpkgs/nixos-24.11";
    "nixpkgs-23.11".url = "github:CHN-beta/nixpkgs/nixos-23.11";
    "nixpkgs-23.05".url = "github:CHN-beta/nixpkgs/nixos-23.05";
-    "nixpkgs-22.11".url = "github:NixOS/nixpkgs/nixos-22.11";
-    "nixpkgs-22.05".url = "github:NixOS/nixpkgs/nixos-22.05";
    home-manager = { url = "github:nix-community/home-manager"; inputs.nixpkgs.follows = "nixpkgs"; };
    sops-nix =
    {
      url = "github:Mic92/sops-nix";
      inputs = { nixpkgs.follows = "nixpkgs"; nixpkgs-stable.follows = "nixpkgs"; };
    };
-    aagl = { url = "github:ezKEa/aagl-gtk-on-nix"; inputs.nixpkgs.follows = "nixpkgs"; };
    nix-index-database = { url = "github:Mic92/nix-index-database"; inputs.nixpkgs.follows = "nixpkgs"; };
    nur-xddxdd = { url = "github:xddxdd/nur-packages"; inputs.nixpkgs.follows = "nixpkgs"; };
    nix-vscode-extensions = { url = "github:nix-community/nix-vscode-extensions"; inputs.nixpkgs.follows = "nixpkgs"; };
@@ -28,7 +25,6 @@
    nur-linyinfeng = { url = "github:linyinfeng/nur-packages"; inputs.nixpkgs.follows = "nixpkgs"; };
    nixos-hardware.url = "github:CHN-beta/nixos-hardware";
    envfs = { url = "github:Mic92/envfs"; inputs.nixpkgs.follows = "nixpkgs"; };
-    nix-fast-build = { url = "github:/Mic92/nix-fast-build"; inputs.nixpkgs.follows = "nixpkgs"; };
    nix-flatpak.url = "github:gmodena/nix-flatpak";
    chaotic =
    {
@@ -37,7 +33,10 @@
    };
    gricad = { url = "github:Gricad/nur-packages"; flake = false; };
    catppuccin.url = "github:catppuccin/nix";
-    bscpkgs = { url = "git+https://pm.bsc.es/gitlab/rarias/bscpkgs.git"; inputs.nixpkgs.follows = "nixpkgs"; };
+    bscpkgs = { url = "git+https://git.chn.moe/chn/bscpkgs.git"; inputs.nixpkgs.follows = "nixpkgs"; };
+    poetry2nix = { url = "github:nix-community/poetry2nix"; inputs.nixpkgs.follows = "nixpkgs"; };
+    winapps = { url = "github:winapps-org/winapps/feat-nix-packaging"; inputs.nixpkgs.follows = "nixpkgs"; };
+    aagl = { url = "github:ezKEa/aagl-gtk-on-nix"; inputs.nixpkgs.follows = "nixpkgs"; };

    misskey = { url = "git+https://github.com/CHN-beta/misskey?submodules=1"; flake = false; };
    rsshub = { url = "github:DIYgod/RSSHub"; flake = false; };
@@ -48,7 +47,6 @@
    eigen = { url = "gitlab:libeigen/eigen"; flake = false; };
    matplotplusplus = { url = "github:alandefreitas/matplotplusplus"; flake = false; };
    nameof = { url = "github:Neargye/nameof"; flake = false; };
-    nodesoup = { url = "github:olvb/nodesoup"; flake = false; };
    tgbot-cpp = { url = "github:reo7sp/tgbot-cpp"; flake = false; };
    v-sim = { url = "gitlab:l_sim/v_sim"; flake = false; };
    rycee = { url = "gitlab:rycee/nur-expressions"; flake = false; };
@@ -58,150 +56,28 @@
    lepton = { url = "github:black7375/Firefox-UI-Fix"; flake = false; };
    lmod = { url = "github:TACC/Lmod"; flake = false; };
    mumax = { url = "github:CHN-beta/mumax"; flake = false; };
-    kylin-virtual-keyboard = { url = "git+https://gitee.com/openkylin/kylin-virtual-keyboard.git"; flake = false; };
-    cjktty = { url = "github:CHN-beta/cjktty-patches"; flake = false; };
-    zxorm = { url = "github:CHN-beta/zxorm"; flake = false; };
    openxlsx = { url = "github:troldal/OpenXLSX?rev=f85f7f1bd632094b5d78d4d1f575955fc3801886"; flake = false; };
    sqlite-orm = { url = "github:fnc12/sqlite_orm"; flake = false; };
    sockpp = { url = "github:fpagliughi/sockpp"; flake = false; };
    git-lfs-transfer = { url = "github:charmbracelet/git-lfs-transfer"; flake = false; };
    nc4nix = { url = "github:helsinki-systems/nc4nix"; flake = false; };
    hextra = { url = "github:imfing/hextra"; flake = false; };
-
-    # does not support lfs yet
-    # nixos-wallpaper = { url = "git+https://git.chn.moe/chn/nixos-wallpaper.git"; flake = false; };
+    nu-scripts = { url = "github:nushell/nu_scripts"; flake = false; };
+    py4vasp = { url = "github:vasp-dev/py4vasp"; flake = false; };
+    pocketfft = { url = "github:mreineck/pocketfft"; flake = false; };
+    blog = { url = "git+https://git.chn.moe/chn/blog-public.git"; flake = false; };
+    nixos-wallpaper = { url = "git+https://git.chn.moe/chn/nixos-wallpaper.git"; flake = false; };
+    spectroscopy = { url = "github:skelton-group/Phonopy-Spectroscopy"; flake = false; };
  };

-  outputs = inputs:
-    let
-      localLib = import ./lib.nix inputs.nixpkgs.lib;
-      devices = builtins.filter (dir: (builtins.readDir ./devices/${dir})."default.nix" or null == "regular" )
-        (builtins.attrNames (builtins.readDir ./devices));
-    in
-    {
-      packages.x86_64-linux = rec
-      {
-        pkgs = (import inputs.nixpkgs
-        {
-          system = "x86_64-linux";
-          config.allowUnfree = true;
-          overlays = [ inputs.self.overlays.default ];
-        });
-        default = inputs.nixpkgs.legacyPackages.x86_64-linux.writeText "systems"
-          (builtins.concatStringsSep "\n" (builtins.map
-            (system: builtins.toString inputs.self.outputs.nixosConfigurations.${system}.config.system.build.toplevel)
-            devices));
-        hpcstat =
-          let
-            openssh = (pkgs.pkgsStatic.openssh.override { withLdns = false; etcDir = null; }).overrideAttrs
-              (prev: { doCheck = false; patches = prev.patches ++ [ ./packages/hpcstat/openssh.patch ];});
-            duc = pkgs.pkgsStatic.duc.override { enableCairo = false; cairo = null; pango = null; };
-          in pkgs.pkgsStatic.localPackages.hpcstat.override
-            { inherit openssh duc; standalone = true; version = inputs.self.rev or "dirty"; };
-        ufo =
-          let
-            range-v3 = pkgs.pkgsStatic.range-v3.overrideAttrs (prev:
-            {
-              cmakeFlags = prev.cmakeFlags or []
-                ++ [ "-DRANGE_V3_DOCS=OFF" "-DRANGE_V3_TESTS=OFF" "-DRANGE_V3_EXAMPLES=OFF" ];
-              doCheck = false;
-            });
-            tbb = pkgs.pkgsStatic.tbb_2021_11.overrideAttrs (prev: { cmakeFlags = prev.cmakeFlags or [] ++
-              [ "-DTBB_TEST=OFF" ]; });
-            biu = pkgs.pkgsStatic.localPackages.biu.override { inherit range-v3; };
-            matplotplusplus = pkgs.pkgsStatic.localPackages.matplotplusplus.override { libtiff = null; };
-          in pkgs.pkgsStatic.localPackages.ufo.override { inherit biu tbb matplotplusplus; };
-        chn-bsub = pkgs.pkgsStatic.localPackages.chn-bsub;
-        blog = pkgs.callPackage ./blog { inherit (inputs) hextra; };
-      }
-      // (builtins.listToAttrs (builtins.map
-        (system:
-        {
-          name = system;
-          value = inputs.self.outputs.nixosConfigurations.${system}.config.system.build.toplevel;
-        })
-        devices)
-      );
-      nixosConfigurations =
-      (
-        (builtins.listToAttrs (builtins.map
-          (system:
-          {
-            name = system;
-            value = inputs.nixpkgs.lib.nixosSystem
-            {
-              system = "x86_64-linux";
-              specialArgs = { topInputs = inputs; inherit localLib; };
-              modules = localLib.mkModules
-              [
-                (moduleInputs: { config.nixpkgs.overlays = [(prev: final:
-                  # replace pkgs with final to avoid infinite recursion
-                  { localPackages = import ./packages (moduleInputs // { pkgs = final; }); })]; })
-                ./modules
-                ./devices/${system}
-              ];
-            };
-          })
-          devices))
-        // {
-          pi3b = inputs.nixpkgs.lib.nixosSystem
-          {
-            system = "aarch64-linux";
-            specialArgs = { topInputs = inputs; inherit localLib; };
-            modules = localLib.mkModules
-            [
-              (moduleInputs: { config.nixpkgs.overlays = [(prev: final:
-                # replace pkgs with final to avoid infinite recursion
-                { localPackages = import ./packages (moduleInputs // { pkgs = final; }); })]; })
-              ./modules
-              ./devices/pi3b
-            ];
-          };
-        }
-      );
-      overlays.default = final: prev:
-        { localPackages = (import ./packages { inherit (inputs) lib; pkgs = final; topInputs = inputs; }); };
-      config = { archive = false; branch = "production"; };
-      devShells.x86_64-linux = let inherit (inputs.self.packages.x86_64-linux) pkgs; in
-      {
-        biu = pkgs.mkShell.override { stdenv = pkgs.gcc14Stdenv; }
-        {
-          inputsFrom = [ pkgs.localPackages.biu ];
-          packages = [ pkgs.clang-tools_18 ];
-          CMAKE_EXPORT_COMPILE_COMMANDS = "1";
-        };
-        hpcstat = pkgs.mkShell.override { stdenv = pkgs.gcc14Stdenv; }
-        {
-          inputsFrom = [ (inputs.self.packages.x86_64-linux.hpcstat.override { version = null; }) ];
-          packages = [ pkgs.clang-tools_18 ];
-          CMAKE_EXPORT_COMPILE_COMMANDS = "1";
-        };
-        sbatch-tui = pkgs.mkShell
-        {
-          inputsFrom = [ pkgs.localPackages.sbatch-tui ];
-          packages = [ pkgs.clang-tools_18 ];
-          CMAKE_EXPORT_COMPILE_COMMANDS = "1";
-        };
-        ufo = pkgs.mkShell.override { stdenv = pkgs.gcc14Stdenv; }
-        {
-          inputsFrom = [ (inputs.self.packages.x86_64-linux.ufo.override { version = null; }) ];
-          packages = [ pkgs.clang-tools_18 ];
-          CMAKE_EXPORT_COMPILE_COMMANDS = "1";
-        };
-        chn-bsub = pkgs.mkShell
-        {
-          inputsFrom = [ pkgs.localPackages.chn-bsub ];
-          packages = [ pkgs.clang-tools_18 ];
-          CMAKE_EXPORT_COMPILE_COMMANDS = "1";
-        };
-        winjob =
-          let inherit (pkgs) clang-tools_18; in let inherit (inputs.self.packages.x86_64-w64-mingw32) pkgs winjob;
-          in pkgs.mkShell.override { stdenv = pkgs.gcc14Stdenv; }
-          {
-            inputsFrom = [ winjob ];
-            packages = [ clang-tools_18 ];
-            CMAKE_EXPORT_COMPILE_COMMANDS = "1";
-          };
-      };
-    };
+  outputs = inputs: let localLib = import ./flake/lib.nix inputs.nixpkgs.lib; in
+  {
+    packages.x86_64-linux = import ./flake/packages.nix { inherit inputs localLib; };
+    nixosConfigurations = import ./flake/nixos.nix { inherit inputs localLib; };
+    overlays.default = final: prev:
+      { localPackages = (import ./packages { inherit localLib; pkgs = final; topInputs = inputs; }); };
+    config = { archive = false; branch = "production"; };
+    devShells.x86_64-linux = import ./flake/dev.nix { inherit inputs; };
+    src = import ./flake/src.nix { inherit inputs; };
+  };
 }
--- a/flake/dev.nix
+++ b/flake/dev.nix
@@ -0,0 +1,47 @@
+{ inputs }: let inherit (inputs.self.nixosConfigurations.pc) pkgs; in
+{
+  biu = pkgs.mkShell.override { stdenv = pkgs.clang18Stdenv; }
+  {
+    inputsFrom = [ pkgs.localPackages.biu ];
+    packages = [ pkgs.clang-tools_18 ];
+    CMAKE_EXPORT_COMPILE_COMMANDS = "1";
+  };
+  hpcstat = pkgs.mkShell.override { stdenv = pkgs.clang18Stdenv; }
+  {
+    inputsFrom = [ (pkgs.localPackages.hpcstat.override { version = null; }) ];
+    packages = [ pkgs.clang-tools_18 ];
+    CMAKE_EXPORT_COMPILE_COMMANDS = "1";
+  };
+  sbatch-tui = pkgs.mkShell.override { stdenv = pkgs.clang18Stdenv; }
+  {
+    inputsFrom = [ pkgs.localPackages.sbatch-tui ];
+    packages = [ pkgs.clang-tools_18 ];
+    CMAKE_EXPORT_COMPILE_COMMANDS = "1";
+  };
+  ufo = pkgs.mkShell.override { stdenv = pkgs.clang18Stdenv; }
+  {
+    inputsFrom = [ pkgs.localPackages.ufo ];
+    packages = [ pkgs.clang-tools_18 ];
+    CMAKE_EXPORT_COMPILE_COMMANDS = "1";
+  };
+  chn-bsub = pkgs.mkShell
+  {
+    inputsFrom = [ pkgs.localPackages.chn-bsub ];
+    packages = [ pkgs.clang-tools_18 ];
+    CMAKE_EXPORT_COMPILE_COMMANDS = "1";
+  };
+  winjob =
+    let inherit (pkgs) clang-tools_18; in let inherit (inputs.self.packages.x86_64-w64-mingw32) pkgs winjob;
+    in pkgs.mkShell.override { stdenv = pkgs.gcc14Stdenv; }
+    {
+      inputsFrom = [ winjob ];
+      packages = [ clang-tools_18 ];
+      CMAKE_EXPORT_COMPILE_COMMANDS = "1";
+    };
+  mirism = pkgs.mkShell.override { stdenv = pkgs.clang18Stdenv; }
+  {
+    inputsFrom = [ pkgs.localPackages.mirism ];
+    packages = [ pkgs.clang-tools_18 ];
+    CMAKE_EXPORT_COMPILE_COMMANDS = "1";
+  };
+}
--- a/flake/lib.nix
+++ b/flake/lib.nix
@@ -54,4 +54,36 @@ lib: rec
            else null
          else null)
      (attrsToList (builtins.readDir path))));
+
+  # replace the value in a nested attrset. example:
+  # deepReplace
+  #   [ { path = [ "a" "b" 1 ]; value = "new value"; } ]
+  #   { a = { b = [ "old value" "old value" ]; }; }
+  # => { a = { b = [ "old value" "new value" ]; }; }
+  deepReplace = pattern: origin:
+    let replace = { path, value, content }:
+      if path == [] then
+        if (builtins.typeOf value) == "lambda" then value content
+        else value
+      else let currentPath = builtins.head path; nextPath = builtins.tail path; in
+        if (builtins.typeOf currentPath) == "string" then
+          if (builtins.typeOf content) != "set" then builtins.throw "content should be a set"
+          else builtins.mapAttrs
+            (n: v: if n == currentPath then replace { path = nextPath; inherit value; content = v; } else v) content
+        else if (builtins.typeOf currentPath) == "int" then
+          if (builtins.typeOf content) != "list" then builtins.throw "content should be a list"
+          else lib.imap0
+            (i: v: if i == currentPath then replace { path = nextPath; inherit value; content = v; } else v) content
+        else if (builtins.typeOf currentPath) != "lambda" then throw "path should be a lambda"
+        else
+          if (builtins.typeOf content) == "list" then builtins.map
+            (v: if currentPath v then replace { path = nextPath; inherit value; content = v; } else v) content
+          else if (builtins.typeOf content) == "set" then builtins.listToAttrs (builtins.map
+            (v: if currentPath v then replace { path = nextPath; inherit value; content = v; } else v)
+            (attrsToList content))
+          else throw "content should be a list or a set.";
+    in
+      if (builtins.typeOf pattern) != "list" then throw "pattern should be a list"
+      else if pattern == [] then origin
+      else deepReplace (builtins.tail pattern) (replace ((builtins.head pattern) // { content = origin; }));
 }
--- a/flake/nixos.nix
+++ b/flake/nixos.nix
@@ -0,0 +1,51 @@
+{ inputs, localLib }:
+builtins.listToAttrs
+(
+  (builtins.map
+    (system:
+    {
+      name = system;
+      value = inputs.nixpkgs.lib.nixosSystem
+      {
+        system = let arch.pi3b = "aarch64-linux"; in arch.${system} or "x86_64-linux";
+        specialArgs = { topInputs = inputs; inherit localLib; };
+        modules = localLib.mkModules
+        [
+          {
+            config =
+            {
+              nixpkgs.overlays = [ inputs.self.overlays.default ];
+              nixos.model.hostname = system;
+            };
+          }
+          ../modules
+          ../devices/${system}
+        ];
+      };
+    })
+    [ "nas" "pc" "pi3b" "surface" "vps4" "vps6" "vps7" "xmupc1" "xmupc2" ])
+  ++ (builtins.map
+    (node:
+    {
+      name = "srv1-${node}";
+      value = inputs.nixpkgs.lib.nixosSystem
+      {
+        system = "x86_64-linux";
+        specialArgs = { topInputs = inputs; inherit localLib; };
+        modules = localLib.mkModules
+        [
+          {
+            config =
+            {
+              nixpkgs.overlays = [ inputs.self.overlays.default ];
+              nixos.model.cluster = { clusterName = "srv1"; nodeName = node; };
+            };
+          }
+          ../modules
+          ../devices/srv1
+          ../devices/srv1/${node}
+        ];
+      };
+    })
+    [ "node0" "node1" "node2" "node3" ])
+)
--- a/flake/packages.nix
+++ b/flake/packages.nix
@@ -0,0 +1,29 @@
+{ inputs, localLib }: rec
+{
+  pkgs = (import inputs.nixpkgs
+  {
+    system = "x86_64-linux";
+    config.allowUnfree = true;
+    overlays = [ inputs.self.overlays.default ];
+  });
+  hpcstat =
+    let
+      openssh = (pkgs.pkgsStatic.openssh.override { withLdns = false; etcDir = null; }).overrideAttrs
+        (prev: { doCheck = false; patches = prev.patches ++ [ ../packages/hpcstat/openssh.patch ];});
+      duc = pkgs.pkgsStatic.duc.override { enableCairo = false; cairo = null; pango = null; };
+      # pkgsStatic.clangStdenv have a bug
+      # https://github.com/NixOS/nixpkgs/issues/177129
+      biu = pkgs.pkgsStatic.localPackages.biu.override { stdenv = pkgs.pkgsStatic.gcc14Stdenv; };
+    in pkgs.pkgsStatic.localPackages.hpcstat.override
+    {
+      inherit openssh duc biu;
+      standalone = true;
+      version = inputs.self.rev or "dirty";
+      stdenv = pkgs.pkgsStatic.gcc14Stdenv;
+    };
+  chn-bsub = pkgs.pkgsStatic.localPackages.chn-bsub;
+  blog = pkgs.callPackage inputs.blog { inherit (inputs) hextra; };
+}
+// (builtins.listToAttrs (builtins.map
+  (system: { inherit (system) name; value = system.value.config.system.build.toplevel; })
+  (localLib.attrsToList inputs.self.outputs.nixosConfigurations)))
--- a/flake/src.nix
+++ b/flake/src.nix
@@ -0,0 +1,4 @@
+{ inputs }: let inherit (inputs.self.packages.x86_64-linux) pkgs; in
+{
+  git-lfs-transfer = "sha256-1cGlhLdnU6yTqzcB3J1cq3gawncbtdgkb3LFh2ZmXbM=";
+}
--- a/modules/bugs/default.nix
+++ b/modules/bugs/default.nix
@@ -14,32 +14,8 @@ inputs:
      # xmunet use old encryption
      xmunet.nixpkgs.config.packageOverrides = pkgs: { wpa_supplicant = pkgs.wpa_supplicant.overrideAttrs
        (attrs: { patches = attrs.patches ++ [ ./xmunet.patch ];}); };
-      suspend-hibernate-waydroid.systemd.services =
-        let
-          systemctl = "${inputs.pkgs.systemd}/bin/systemctl";
-        in
-        {
-          "waydroid-hibernate" =
-          {
-            description = "waydroid hibernate";
-            wantedBy = [ "systemd-hibernate.service" "systemd-suspend.service" ];
-            before = [ "systemd-hibernate.service" "systemd-suspend.service" ];
-            serviceConfig.Type = "oneshot";
-            script = "${systemctl} stop waydroid-container";
-          };
-          "waydroid-resume" =
-          {
-            description = "waydroid resume";
-            wantedBy = [ "systemd-hibernate.service" "systemd-suspend.service" ];
-            after = [ "systemd-hibernate.service" "systemd-suspend.service" ];
-            serviceConfig.Type = "oneshot";
-            script = "${systemctl} start waydroid-container";
-          };
-        };
      backlight.boot.kernelParams = [ "nvidia.NVreg_RegistryDwords=EnableBrightnessControl=1" ];
      amdpstate.boot.kernelParams = [ "amd_pstate=active" ];
-      hibernate-mt7921e.powerManagement.resumeCommands =
-        let modprobe = "${inputs.pkgs.kmod}/bin/modprobe"; in "${modprobe} -r -w 3000 mt7921e && ${modprobe} mt7921e";
    };
  in
    {
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -8,7 +8,6 @@ inputs:
    [
      topInputs.home-manager.nixosModules.home-manager
      topInputs.sops-nix.nixosModules.sops
-      topInputs.aagl.nixosModules.default
      topInputs.nix-index-database.nixosModules.nix-index
      topInputs.nur-xddxdd.nixosModules.setupOverlay
      topInputs.impermanence.nixosModules.impermanence
@@ -16,6 +15,7 @@ inputs:
      topInputs.chaotic.nixosModules.default
      { config.chaotic.nyx.overlay.onTopOf = "user-pkgs"; }
      topInputs.catppuccin.nixosModules.catppuccin
+      topInputs.aagl.nixosModules.default
      (inputs:
      {
        config =
@@ -23,8 +23,9 @@ inputs:
          nixpkgs.overlays =
          [
            topInputs.qchem.overlays.default
-            topInputs.aagl.overlays.default
            topInputs.bscpkgs.overlays.default
+            topInputs.poetry2nix.overlays.default
+            topInputs.aagl.overlays.default
            (final: prev:
            {
              nix-vscode-extensions = topInputs.nix-vscode-extensions.extensions."${prev.system}";
@@ -41,6 +42,6 @@ inputs:
          ];
        };
      })
-      ./hardware ./packages ./system ./virtualization ./services ./bugs ./user
+      ./hardware ./packages ./system ./virtualization ./services ./bugs ./user ./model.nix
    ];
  }
--- a/modules/hardware/default.nix
+++ b/modules/hardware/default.nix
@@ -4,18 +4,15 @@ inputs:
  options.nixos.hardware =
    let
      inherit (inputs.lib) mkOption types;
-      default = if inputs.config.nixos.system.gui.enable then {} else null;
+      default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
    in
    {
-      bluetooth = mkOption { type = types.nullOr (types.submodule {}); inherit default; };
      joystick = mkOption { type = types.nullOr (types.submodule {}); inherit default; };
      printer = mkOption { type = types.nullOr (types.submodule {}); inherit default; };
      sound = mkOption { type = types.nullOr (types.submodule {}); inherit default; };
    };
  config = let inherit (inputs.config.nixos) hardware; in inputs.lib.mkMerge
  [
-    # bluetooth
-    (inputs.lib.mkIf (hardware.bluetooth != null) { hardware.bluetooth.enable = true; })
    # joystick
    (inputs.lib.mkIf (hardware.joystick != null) { hardware = { xone.enable = true; xpadneo.enable = true; }; })
    # printer
@@ -28,6 +25,8 @@ inputs:
          {
            enable = true;
            drivers = inputs.lib.mkIf (inputs.config.nixos.system.nixpkgs.arch == "x86_64") [ inputs.pkgs.cnijfilter2 ];
+            # TODO: remove in next update
+            browsed.enable = false;
          };
          avahi = { enable = true; nssmdns4 = true; openFirewall = true; };
        };
--- a/modules/hardware/gpu.nix
+++ b/modules/hardware/gpu.nix
@@ -46,7 +46,9 @@ inputs:
            extraPackages =
              let packages = with inputs.pkgs;
              {
-                intel = [ intel-vaapi-driver libvdpau-va-gl intel-media-driver ];
+                # TODO: import from nixos-hardware instead
+                intel =
+                  [ (intel-vaapi-driver.override { enableHybridCodec = true; }) libvdpau-va-gl intel-media-driver ];
                nvidia = [ vaapiVdpau ];
                amd = [];
              };
@@ -101,8 +103,8 @@ inputs:
      inputs.lib.mkIf (inputs.lib.strings.hasPrefix "amd" gpu.type) { hardware.amdgpu =
      {
        opencl.enable = true;
+        initrd.enable = true; # needed for waydroid
        legacySupport.enable = true;
-        initrd.enable = true;
        amdvlk = { enable = true; support32Bit.enable = true; supportExperimental.enable = true; };
      };}
    )
--- a/modules/model.nix
+++ b/modules/model.nix
@@ -0,0 +1,33 @@
+inputs:
+{
+  options.nixos.model = let inherit (inputs.lib) mkOption types; in
+  {
+    hostname = mkOption { type = types.nonEmptyStr; };
+    type = mkOption { type = types.enum [ "minimal" "desktop" "server" ]; default = "minimal"; };
+    # not implemented yet
+    # private = mkOption { type = types.bool; };
+    cluster = mkOption
+    {
+      type = types.nullOr (types.submodule { options =
+      {
+        clusterName = mkOption { type = types.nonEmptyStr; };
+        nodeName = mkOption { type = types.nonEmptyStr; };
+        nodeType = mkOption { type = types.enum [ "master" "worker" ]; default = "worker"; };
+      };});
+      default = null;
+    };
+  };
+  config = let inherit (inputs.config.nixos) model; in inputs.lib.mkMerge
+  [
+    { networking.hostName = model.hostname; }
+    (inputs.lib.mkIf (model.cluster != null)
+      { nixos.model.hostname = "${model.cluster.clusterName}-${model.cluster.nodeName}"; })
+    # TODO: remove it
+    {
+      systemd.services = inputs.lib.mkIf (model.cluster.nodeType or null == "worker") (builtins.listToAttrs
+        (builtins.map
+          (user: { name = "home-manager-${inputs.utils.escapeSystemdPath user}"; value.enable = false; })
+          inputs.config.nixos.user.users));
+    }
+  ];
+}
--- a/modules/packages/chromium.nix
+++ b/modules/packages/chromium.nix
@@ -3,7 +3,7 @@ inputs:
  options.nixos.packages.chromium = let inherit (inputs.lib) mkOption types; in mkOption
  {
    type = types.nullOr (types.submodule {});
-    default = if inputs.config.nixos.system.gui.enable then {} else null;
+    default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
  };
  config = let inherit (inputs.config.nixos.packages) chromium; in inputs.lib.mkIf (chromium != null)
  {
--- a/modules/packages/default.nix
+++ b/modules/packages/default.nix
@@ -24,121 +24,9 @@ inputs:
              excludePythonPackages))
            (builtins.concatLists (builtins.map (packageFunction: packageFunction pythonPackages)
              (_pythonPackages ++ extraPythonPackages)))))
-        (inputs.pkgs.callPackage ({ stdenv }: stdenv.mkDerivation
-        {
-          name = "prebuild-packages";
-          propagateBuildInputs = inputs.lib.lists.subtractLists excludePrebuildPackages
-            (_prebuildPackages ++ extraPrebuildPackages);
-          phases = [ "installPhase" ];
-          installPhase =
-          ''
-            runHook preInstall
-            mkdir -p $out
-            runHook postInstall
-          '';
-        }) {})
+        (inputs.pkgs.writeTextDir "share/prebuild-packages"
+          (builtins.concatStringsSep "\n" (builtins.map builtins.toString
+            (inputs.lib.lists.subtractLists excludePrebuildPackages (_prebuildPackages ++ extraPrebuildPackages)))))
      ];
  };
 }
-
-    # programs.firejail =
-    # {
-    #   enable = true;
-    #   wrappedBinaries =
-    #   {
-    #     qq =
-    #     {
-    #       executable = "${inputs.pkgs.qq}/bin/qq";
-    #       profile = "${inputs.pkgs.firejail}/etc/firejail/linuxqq.profile";
-    #     };
-    #   };
-    # };
-
-# config.nixpkgs.config.replaceStdenv = { pkgs }: pkgs.ccacheStdenv;
-  # only replace stdenv for large and tested packages
-  # config.programs.ccache.packageNames = [ "webkitgtk" "libreoffice" "tensorflow" "linux" "chromium" ];
-  # config.nixpkgs.overlays = [(final: prev:
-  # {
-  #   libreoffice-qt = prev.libreoffice-qt.override (prev: { unwrapped = prev.unwrapped.override
-  #     (prev: { stdenv = final.ccacheStdenv.override { stdenv = prev.stdenv; }; }); });
-  #   python3 = prev.python3.override { packageOverrides = python-final: python-prev:
-  #     {
-  #       tensorflow = python-prev.tensorflow.override
-  #         { stdenv = final.ccacheStdenv.override { stdenv = python-prev.tensorflow.stdenv; }; };
-  #     };};
-  #   # webkitgtk = prev.webkitgtk.override (prev:
-  #   #   { stdenv = final.ccacheStdenv.override { stdenv = prev.stdenv; }; enableUnifiedBuilds = false; });
-  #   wxGTK31 = prev.wxGTK31.override { stdenv = final.ccacheStdenv.override { stdenv = prev.wxGTK31.stdenv; }; };
-  #   wxGTK32 = prev.wxGTK32.override { stdenv = final.ccacheStdenv.override { stdenv = prev.wxGTK32.stdenv; }; };
-  #   # firefox-unwrapped = prev.firefox-unwrapped.override
-  #   #   { stdenv = final.ccacheStdenv.override { stdenv = prev.firefox-unwrapped.stdenv; }; };
-  #   # chromium = prev.chromium.override
-  #   #   { stdenv = final.ccacheStdenv.override { stdenv = prev.chromium.stdenv; }; };
-  #   # linuxPackages_xanmod_latest = prev.linuxPackages_xanmod_latest.override
-  #   # {
-  #   #   kernel = prev.linuxPackages_xanmod_latest.kernel.override
-  #   #   {
-  #   #     stdenv = final.ccacheStdenv.override { stdenv = prev.linuxPackages_xanmod_latest.kernel.stdenv; };
-  #   #     buildPackages = prev.linuxPackages_xanmod_latest.kernel.buildPackages //
-  #   #       { stdenv = prev.linuxPackages_xanmod_latest.kernel.buildPackages.stdenv; };
-  #   #   };
-  #   # };
-  # })];
-  # config.programs.ccache.packageNames = [ "libreoffice-unwrapped" ];
-
-# cross-x86_64-pc-linux-musl/gcc
-# dev-cpp/cpp-httplib ? how to use
-# dev-cpp/cppcoro
-# dev-cpp/date
-# dev-cpp/nameof
-# dev-cpp/scnlib
-# dev-cpp/tgbot-cpp
-# dev-libs/pocketfft
-# dev-util/intel-hpckit
-# dev-util/nvhpc
-# kde-misc/wallpaper-engine-kde-plugin
-# media-fonts/arphicfonts
-# media-fonts/sarasa-gothic
-# media-gfx/flameshot
-# media-libs/libva-intel-driver
-# media-libs/libva-intel-media-driver
-# media-sound/netease-cloud-music
-# net-vpn/frp
-# net-wireless/bluez-tools
-# sci-libs/mkl
-# sci-libs/openblas
-# sci-libs/pfft
-# sci-libs/scalapack
-# sci-libs/wannier90
-# sci-mathematics/ginac
-# sci-mathematics/mathematica
-# sci-mathematics/octave
-# sci-physics/lammps::touchfish-os
-# sci-physics/vsim
-# sci-visualization/scidavis
-# sys-apps/flatpak
-# sys-cluster/modules
-# sys-devel/distcc
-# sys-fs/btrfs-progs
-# sys-fs/compsize
-# sys-fs/dosfstools
-# sys-fs/duperemove
-# sys-fs/exfatprogs
-# sys-fs/mdadm
-# sys-fs/ntfs3g
-# sys-kernel/dracut
-# sys-kernel/linux-firmware
-# sys-kernel/xanmod-sources
-# sys-kernel/xanmod-sources:6.1.12
-# sys-kernel/xanmod-sources::touchfish-os
-# sys-libs/libbacktrace
-# sys-libs/libselinux
-# x11-apps/xinput
-# x11-base/xorg-apps
-# x11-base/xorg-fonts
-# x11-base/xorg-server
-# x11-misc/imwheel
-# x11-misc/optimus-manager
-# x11-misc/unclutter-xfixes
-
-#   ++ ( with inputs.pkgs.pkgsCross.mingwW64.buildPackages; [ gcc ] );
--- a/modules/packages/desktop/default.nix
+++ b/modules/packages/desktop/default.nix
@@ -3,7 +3,7 @@ inputs:
  options.nixos.packages.desktop = let inherit (inputs.lib) mkOption types; in mkOption
  {
    type = types.nullOr (types.submodule {});
-    default = if inputs.config.nixos.system.gui.enable then {} else null;
+    default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
  };
  config = let inherit (inputs.config.nixos.packages) desktop; in inputs.lib.mkIf (desktop != null)
  {
@@ -16,7 +16,7 @@ inputs:
          # system management
          # TODO: module should add yubikey-touch-detector into path
          gparted wayland-utils clinfo glxinfo vulkan-tools dracut yubikey-touch-detector btrfs-assistant snapper-gui
-          kdePackages.qtstyleplugin-kvantum ventoy-full cpu-x inputs.pkgs."pkgs-23.11".etcher wl-mirror
+          kdePackages.qtstyleplugin-kvantum ventoy-full cpu-x wl-mirror
          (
            writeShellScriptBin "xclip"
            ''
@@ -33,72 +33,83 @@ inputs:
          # networking
          remmina putty mtr-gui
          # media
-          mpv nomacs spotify yesplaymusic simplescreenrecorder imagemagick gimp netease-cloud-music-gtk vlc obs-studio
-          waifu2x-converter-cpp inkscape blender whalebird paraview
+          mpv nomacs yesplaymusic simplescreenrecorder imagemagick gimp netease-cloud-music-gtk qcm
+          waifu2x-converter-cpp inkscape blender paraview vlc whalebird spotify obs-studio
          # themes
+          klassy localPackages.slate localPackages.blurred-wallpaper tela-circle-icon-theme
          catppuccin catppuccin-sddm catppuccin-cursors catppuccinifier-gui catppuccinifier-cli catppuccin-plymouth
          (catppuccin-kde.override { flavour = [ "latte" ]; }) (catppuccin-kvantum.override { variant = "latte"; })
-          localPackages.slate localPackages.blurred-wallpaper tela-circle-icon-theme
          # terminal
          warp-terminal
          # development
-          adb-sync scrcpy weston cage openbox krita jetbrains.clion android-studio dbeaver-bin cling fprettify
-          aircrack-ng
+          adb-sync scrcpy dbeaver-bin cling aircrack-ng
+          weston cage openbox krita jetbrains.clion androidStudioPackages.stable.full fprettify
          # desktop sharing
          rustdesk-flutter
          # password and key management
-          yubikey-manager yubikey-manager-qt yubikey-personalization yubikey-personalization-gui bitwarden electrum
-          jabref
-          john crunch hashcat
+          yubikey-manager yubikey-manager-qt yubikey-personalization yubikey-personalization-gui bitwarden hashcat
+          electrum jabref john crunch
          # download
          qbittorrent nur-xddxdd.baidupcs-go wgetpaste onedrive onedrivegui rclone
          # editor
-          typora appflowy notion-app-enhanced joplin-desktop standardnotes logseq
+          typora # appflowy notion-app-enhanced joplin-desktop standardnotes logseq
          # news
          fluent-reader rssguard newsflash newsboat
          # nix tools
          nixpkgs-fmt appimage-run nixd nix-serve node2nix nix-prefetch-github prefetch-npm-deps nix-prefetch-docker
          nix-template nil pnpm-lock-export bundix
          # instant messager
-          element-desktop telegram-desktop discord fluffychat zoom-us signal-desktop slack nur-linyinfeng.wemeet
-          cinny-desktop nheko # qq nur-xddxdd.wechat-uos
+          element-desktop telegram-desktop discord zoom-us slack nur-linyinfeng.wemeet nheko
+          fluffychat signal-desktop qq nur-xddxdd.wechat-uos cinny-desktop
          # browser
          google-chrome tor-browser microsoft-edge
          # office
-          crow-translate zotero pandoc ydict libreoffice-qt texstudio poppler_utils pdftk gnuplot pdfchain hdfview
-          davinci-resolve
-          texliveFull
+          crow-translate zotero pandoc libreoffice-qt texliveFull poppler_utils pdftk pdfchain davinci-resolve
+          # TODO: enable in next release
+          # hdfview
+          ydict texstudio
+          # matplot++ needs old gnuplot
+          inputs.pkgs."pkgs-23.11".gnuplot
          # math, physics and chemistry
-          octaveFull root ovito localPackages.vesta localPackages.vaspkit localPackages.v-sim
-          (mathematica.overrideAttrs (prev: { postInstall = prev.postInstall or "" + "ln -s ${src} $out/src"; }))
-          (quantum-espresso.override { stdenv = gcc14Stdenv; gfortran = gfortran14; }) jmol mpi
+          octaveFull root ovito localPackages.vesta localPackages.v-sim
+          (mathematica.overrideAttrs (prev: { postInstall = (prev.postInstall or "") + "ln -s ${prev.src} $out/src"; }))
+          (quantum-espresso.override { stdenv = gcc14Stdenv; gfortran = gfortran14; }) jmol mpi localPackages.ufo
          # virtualization
-          # TODO: broken on python 3.12: playonlinux
-          wineWowPackages.stagingFull virt-viewer bottles genymotion
+          virt-viewer bottles wineWowPackages.stagingFull genymotion playonlinux
          # media
          nur-xddxdd.svp
+          # for kdenlive auto subtitle
+          openai-whisper
        ]
          ++ (builtins.filter (p: !((p.meta.broken or false) || (builtins.elem p.pname or null [ "falkon" "kalzium" ])))
            (builtins.filter inputs.lib.isDerivation (builtins.attrValues kdePackages.kdeGear)));
-          # TODO: fix it
-          # ++ inputs.lib.optional (inputs.config.nixos.system.nixpkgs.march != null) localPackages.mumax;
        _pythonPackages = [(pythonPackages: with pythonPackages;
        [
-          phonopy scipy scikit-learn jupyterlab autograd # localPackages.pix2tex
-          # TODO: broken on python 3.12: tensorflow keras
+          phonopy scipy scikit-learn jupyterlab autograd
+          # TODO: broken on python 3.12 tensorflow keras
+          # for phonopy
+          inputs.pkgs.localPackages.spectroscopy numpy
        ])];
      };
      user.sharedModules =
      [{
        config.programs =
        {
-          plasma = 
+          plasma =
          {
            enable = true;
            configFile =
            {
              plasma-localerc = { Formats.LANG.value = "en_US.UTF-8"; Translations.LANGUAGE.value = "zh_CN"; };
              baloofilerc."Basic Settings".Indexing-Enabled.value = false;
+              plasmarc.Wallpapers.usersWallpapers.value =
+                let
+                  inherit (inputs.topInputs) nixos-wallpaper;
+                  isPicture = f: builtins.elem (inputs.lib.last (inputs.lib.splitString "." f))
+                    [ "png" "jpg" "jpeg" "webp" ];
+                in builtins.concatStringsSep "," (builtins.map (f: "${nixos-wallpaper}/${f.name}")
+                  (builtins.filter (f: (isPicture f.name) && (f.value == "regular"))
+                    (inputs.localLib.attrsToList (builtins.readDir nixos-wallpaper))));
            };
            powerdevil =
              let config =
@@ -131,10 +142,13 @@ inputs:
    };
    nixpkgs.overlays = [(final: prev:
    {
-      telegram-desktop = prev.telegram-desktop.overrideAttrs (attrs:
+      telegram-desktop = prev.telegram-desktop.override
      {
-        patches = (if (attrs ? patches) then attrs.patches else []) ++ [ ./telegram.patch ];
-      });
+        unwrapped = prev.telegram-desktop.unwrapped.overrideAttrs (prev:
+        {
+          patches = prev.patches or [] ++ [ ./telegram.patch ];
+        });
+      };
    })];
    services.pcscd.enable = true;
  };
--- a/modules/packages/desktop/telegram.patch
+++ b/modules/packages/desktop/telegram.patch
@@ -1,12 +1,12 @@
-diff --color -ur a/Telegram/SourceFiles/data/components/sponsored_messages.cpp b/Telegram/SourceFiles/data/components/sponsored_messages.cpp
--- a/Telegram/SourceFiles/data/components/sponsored_messages.cpp	1970-01-01 08:00:01.000000000 +0800
-+++ b/Telegram/SourceFiles/data/components/sponsored_messages.cpp	2024-05-21 20:41:12.849951324 +0800
-@@ -193,7 +193,7 @@
+diff --git a/Telegram/SourceFiles/data/components/sponsored_messages.cpp b/Telegram/SourceFiles/data/components/sponsored_messages.cpp
+index d2746ad9..f46b51fb 100644
+--- a/Telegram/SourceFiles/data/components/sponsored_messages.cpp
+++ b/Telegram/SourceFiles/data/components/sponsored_messages.cpp
+@@ -195,6 +195,7 @@ void SponsoredMessages::inject(
 }
 
 bool SponsoredMessages::canHaveFor(not_null<History*> history) const {
-	return history->peer->isChannel();
 +	return false;
- }
- 
- void SponsoredMessages::request(not_null<History*> history, Fn<void()> done) {
+ 	if (history->peer->isChannel()) {
+ 		return true;
+ 	} else if (const auto user = history->peer->asUser()) {
--- a/modules/packages/firefox.nix
+++ b/modules/packages/firefox.nix
@@ -3,7 +3,7 @@ inputs:
  options.nixos.packages.firefox = let inherit (inputs.lib) mkOption types; in mkOption
  {
    type = types.nullOr (types.submodule {});
-    default = if inputs.config.nixos.system.gui.enable then {} else null;
+    default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
  };
  config = let inherit (inputs.config.nixos.packages) firefox; in inputs.lib.mkIf (firefox != null)
  {
@@ -12,7 +12,55 @@ inputs:
    {
      enable = true;
      languagePacks = [ "zh-CN" "en-US" ];
-      nativeMessagingHosts.packages = with inputs.pkgs; [ uget-integrator ];
+      nativeMessagingHosts.packages = with inputs.pkgs; [ uget-integrator firefoxpwa ];
+    };
+    nixos =
+    {
+      packages.packages._packages = [ inputs.pkgs.firefoxpwa ];
+      user.sharedModules =
+      [{
+        config =
+        {
+          programs.firefox =
+          {
+            enable = true;
+            nativeMessagingHosts = with inputs.pkgs;
+              [ kdePackages.plasma-browser-integration uget-integrator firefoxpwa ];
+            # TODO: use fixed-version of plugins
+            policies.DefaultDownloadDirectory = "\${home}/Downloads";
+            profiles.default =
+            {
+              extensions = with inputs.pkgs.firefox-addons;
+              [
+                tampermonkey bitwarden cookies-txt dualsub firefox-color i-dont-care-about-cookies
+                metamask pakkujs switchyomega rsshub-radar rsspreview tabliss tree-style-tab ublock-origin wallabagger
+                wappalyzer grammarly plasma-integration zotero-connector pwas-for-firefox smartproxy kiss-translator
+              ];
+              search = { default = "Google"; force = true; };
+              userChrome = builtins.readFile "${inputs.topInputs.lepton}/userChrome.css";
+              userContent = builtins.readFile "${inputs.topInputs.lepton}/userContent.css";
+              extraConfig = builtins.readFile "${inputs.topInputs.lepton}/user.js";
+              settings =
+              {
+                # general
+                "browser.search.region" = "CN";
+                "intl.locale.requested" = "zh-CN,en-US";
+                "browser.aboutConfig.showWarning" = false;
+                "browser.bookmarks.showMobileBookmarks" = true;
+                "browser.download.panel.shown" = true;
+                "browser.download.useDownloadDir" = true;
+                "browser.newtab.extensionControlled" = true;
+                "browser.toolbars.bookmarks.visibility" = "never";
+                # allow to apply userChrome.css
+                "toolkit.legacyUserProfileCustomizations.stylesheets" = true;
+                # automatically enable extensions
+                "extensions.autoDisableScopes" = 0;
+              };
+            };
+          };
+          home.file.".mozilla/firefox/profiles.ini".force = true;
+        };
+      }];
    };
  };
 }
--- a/modules/packages/flatpak.nix
+++ b/modules/packages/flatpak.nix
@@ -3,7 +3,7 @@ inputs:
  options.nixos.packages.flatpak = let inherit (inputs.lib) mkOption types; in mkOption
  {
    type = types.nullOr (types.submodule {});
-    default = if inputs.config.nixos.system.gui.enable then {} else null;
+    default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
  };
  config = let inherit (inputs.config.nixos.packages) flatpak; in inputs.lib.mkIf (flatpak != null)
  {
--- a/modules/packages/helix.nix
+++ b/modules/packages/helix.nix
@@ -0,0 +1,21 @@
+inputs:
+{
+  options.nixos.packages.helix = let inherit (inputs.lib) mkOption types; in mkOption
+    { type = types.nullOr (types.submodule {}); default = {}; };
+  config = let inherit (inputs.config.nixos.packages) helix; in inputs.lib.mkIf (helix != null)
+  {
+    nixos =
+    {
+      user.sharedModules =
+      [{
+        config.programs.helix =
+        {
+          enable = true;
+          defaultEditor = true;
+          settings.theme = "catppuccin_latte";
+        };
+      }];
+      packages.packages._packages = [ inputs.pkgs.helix ];
+    };
+  };
+}
--- a/modules/packages/lammps.nix
+++ b/modules/packages/lammps.nix
@@ -0,0 +1,22 @@
+inputs:
+{
+  options.nixos.packages.lammps = let inherit (inputs.lib) mkOption types; in mkOption
+  {
+    type = types.nullOr (types.submodule {});
+    default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
+  };
+  config = let inherit (inputs.config.nixos.packages) lammps; in inputs.lib.mkIf (lammps != null)
+  {
+    nixos.packages.packages._packages =
+      let cuda = let inherit (inputs.config.nixos.system.nixpkgs) cuda; in cuda.enable && cuda.capabilities != null;
+      in
+        if cuda then [((inputs.pkgs.lammps.override { stdenv = inputs.pkgs.cudaPackages.backendStdenv; })
+          .overrideAttrs (prev:
+          {
+            cmakeFlags = prev.cmakeFlags ++ [ "-DPKG_GPU=on" "-DGPU_API=cuda" "-DCMAKE_POLICY_DEFAULT_CMP0146=OLD" ];
+            nativeBuildInputs = prev.nativeBuildInputs ++ [ inputs.pkgs.cudaPackages.cudatoolkit ];
+            buildInputs = prev.buildInputs ++ [ inputs.pkgs.mpi ];
+          }))]
+        else [ inputs.pkgs.lammps-mpi ];
+  };
+}
--- a/modules/packages/mumax.nix
+++ b/modules/packages/mumax.nix
@@ -0,0 +1,16 @@
+inputs:
+{
+  options.nixos.packages.mumax = let inherit (inputs.lib) mkOption types; in mkOption
+  {
+    type = types.nullOr (types.submodule {});
+    default =
+      if (builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ])
+        && (let inherit (inputs.config.nixos.system.nixpkgs) cuda; in cuda.enable && cuda.capabilities != null)
+      then {}
+      else null;
+  };
+  config = let inherit (inputs.config.nixos.packages) mumax; in inputs.lib.mkIf (mumax != null)
+  {
+    nixos.packages.packages._packages = [ inputs.pkgs.localPackages.mumax ];
+  };
+}
--- a/modules/packages/nushell.nix
+++ b/modules/packages/nushell.nix
@@ -0,0 +1,51 @@
+inputs:
+{
+  options.nixos.packages.nushell = let inherit (inputs.lib) mkOption types; in mkOption
+  {
+    type = types.nullOr (types.submodule {});
+    default = {};
+  };
+  config = let inherit (inputs.config.nixos.packages) nushell; in inputs.lib.mkIf (nushell != null)
+  {
+    nixos =
+    {
+      packages.packages._packages = [ inputs.pkgs.nushell ];
+      user.sharedModules =
+      [{
+        config.programs =
+        {
+          nushell =
+          {
+            enable = true;
+            extraConfig =
+            ''
+              source ${inputs.topInputs.nu-scripts}/aliases/git/git-aliases.nu
+              $env.PATH = ($env.PATH | split row (char esep) | append "~/bin")
+            '';
+          };
+          carapace.enable = true;
+          oh-my-posh =
+          {
+            enable = true;
+            enableZshIntegration = false;
+            settings = inputs.localLib.deepReplace
+              [
+                {
+                  path = [ "blocks" 0 "segments" (v: v.type or "" == "path") "properties" "style" ];
+                  value = "powerlevel";
+                }
+                {
+                  path = [ "blocks" 0 "segments" (v: v.type or "" == "executiontime") "template" ];
+                  value = v: builtins.replaceStrings [ "⠀" ] [ " " ] v;
+                }
+              ]
+              (builtins.fromJSON (builtins.readFile
+                "${inputs.pkgs.oh-my-posh}/share/oh-my-posh/themes/atomic.omp.json"));
+          };
+          zoxide.enable = true;
+          direnv.enable = true;
+        };
+      }];
+    };
+  };
+}
--- a/modules/packages/server.nix
+++ b/modules/packages/server.nix
@@ -10,9 +10,9 @@ inputs:
      [
        # basic tools
        beep dos2unix gnugrep pv tmux screen parallel tldr cowsay jq zellij ipfetch localPackages.pslist
-        fastfetch reptyr nushell duc ncdu progress libva-utils ksh neofetch
+        fastfetch reptyr duc ncdu progress libva-utils ksh neofetch
        # lsxx
-        pciutils usbutils lshw util-linux lsof dmidecode lm_sensors
+        pciutils usbutils lshw util-linux lsof dmidecode lm_sensors hwloc
        # top
        iotop iftop htop btop powertop s-tui
        # editor
@@ -26,26 +26,28 @@ inputs:
        # file system management
        sshfs e2fsprogs duperemove compsize exfatprogs
        # disk management
-        smartmontools hdparm
+        smartmontools hdparm megacli gptfdisk
        # encryption and authentication
        apacheHttpd openssl ssh-to-age gnupg age sops pam_u2f yubico-piv-tool
        # networking
        ipset iptables iproute2 dig nettools traceroute tcping-go whois tcpdump nmap inetutils wireguard-tools
        # nix tools
-        nix-output-monitor nix-tree ssh-to-age (callPackage "${inputs.topInputs.nix-fast-build}" {}) nix-inspect
+        nix-output-monitor nix-tree ssh-to-age nix-inspect
        # development
        gdb try inputs.topInputs.plasma-manager.packages.${inputs.pkgs.system}.rc2nix rr hexo-cli gh nix-init hugo
        # stupid things
        toilet lolcat
        # office
-        todo-txt-cli pdfgrep ffmpeg-full
+        pdfgrep ffmpeg-full # todo-txt-cli 
      ]
        ++ (with inputs.config.boot.kernelPackages; [ cpupower usbip ])
        ++ (inputs.lib.optional (inputs.config.nixos.system.nixpkgs.arch == "x86_64") rar);
      _pythonPackages = [(pythonPackages: with pythonPackages;
      [
-        openai python-telegram-bot fastapi pypdf2 pandas matplotlib plotly gunicorn redis jinja2
+        openai python-telegram-bot fastapi-cli pypdf2 pandas matplotlib plotly gunicorn redis jinja2
        certifi charset-normalizer idna orjson psycopg2 inquirerpy requests tqdm pydbus
+        # for vasp plot-workfunc.py
+        ase
      ])];
    };
    programs =
@@ -61,8 +63,16 @@ inputs:
    services =
    {
      udev.packages = with inputs.pkgs; [ yubikey-personalization libfido2 ];
-      fwupd.enable = true;
+      fwupd =
+      {
+        enable = true;
+        # allow fwupd install firmware from any source (e.g. manually extracted from msi)
+        daemonSettings.OnlyTrusted = false;
+      };
    };
    home-manager = { useGlobalPkgs = true; useUserPackages = true; };
+    # allow everyone run compsize
+    security.wrappers.compsize =
+      { setuid = true; owner = "root"; group = "root"; source = "${inputs.pkgs.compsize}/bin/compsize"; };
  };
 }
--- a/modules/packages/ssh.nix
+++ b/modules/packages/ssh.nix
@@ -30,12 +30,12 @@ inputs:
        vps7 =
        {
          ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIF5XkdilejDAlg5hZZD0oq69k8fQpe9hIJylTo/aLRgY";
-          hostnames = [ "vps7.chn.moe" "wireguard.vps7.chn.moe" "ssh.git.chn.moe" "95.111.228.40" "192.168.83.2" ];
+          hostnames = [ "vps7.chn.moe" "wireguard.vps7.chn.moe" "ssh.git.chn.moe" "144.126.144.62" "192.168.83.2" ];
        };
        "initrd.vps7" =
        {
          ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIGZyQpdQmEZw3nLERFmk2tS1gpSvXwW0Eish9UfhrRxC";
-          hostnames = [ "initrd.vps7.chn.moe" "95.111.228.40" ];
+          hostnames = [ "initrd.vps7.chn.moe" "144.126.144.62" ];
        };
        nas =
        {
@@ -77,6 +77,26 @@ inputs:
          ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIJZ/+divGnDr0x+UlknA84Tfu6TPD+zBGmxWZY4Z38P6";
          hostnames = [ "[xmupc2.chn.moe]:6394" "wireguard.xmupc2.chn.moe" "192.168.83.7" ];
        };
+        srv1-node0 =
+        {
+          ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIDm6M1D7dBVhjjZtXYuzMj2P1fXNWN3O9wmwNssxEeDs";
+          hostnames = [ "srv1.chn.moe" "node0.srv1.chn.moe" "wireguard.node0.srv1.chn.moe" ];
+        };
+        srv1-node1 =
+        {
+          ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIIFmG/ZzLDm23NeYa3SSI0a0uEyQWRFkaNRE9nB8egl7";
+          hostnames = [ "192.168.178.2" ];
+        };
+        srv1-node2 =
+        {
+          ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIDhgEApzHhVPDvdVFPRuJ/zCDiR1K+rD4sZzH77imKPE";
+          hostnames = [ "192.168.178.3" ];
+        };
+        srv1-node3 =
+        {
+          ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIO/4xbQNz6KNcEdjtBMGY8wUoFK1sCgamKl/r+kVjd7O";
+          hostnames = [ "192.168.178.4" ];
+        };
      };
      in builtins.listToAttrs (builtins.map
        (server:
@@ -91,6 +111,8 @@ inputs:
        (inputs.localLib.attrsToList servers));
    programs.ssh =
    {
+      # maybe better network performance
+      package = inputs.pkgs.openssh_hpn;
      startAgent = true;
      enableAskPassword = true;
      askPassword = "${inputs.pkgs.systemd}/bin/systemd-ask-password";
@@ -112,7 +134,7 @@ inputs:
            [ "vps4" "vps6" "wireguard.vps6" "vps7" "wireguard.vps7" "wireguard.nas" ])
          ++ (builtins.map
            (host: { name = host; value = { inherit host; hostname = "${host}.chn.moe"; forwardX11 = true; }; })
-            [ "wireguard.pc" "wireguard.surface" "wireguard.xmupc1" "wireguard.xmupc2" ])
+            [ "wireguard.pc" "wireguard.surface" "wireguard.xmupc1" "wireguard.xmupc2" "srv1" "wireguard.srv1" ])
          ++ (builtins.map
            (host:
            {
@@ -142,7 +164,10 @@ inputs:
            forwardAgent = true;
            extraOptions.AddKeysToAgent = "yes";
          };
-          "wireguard.jykang" = jykang // { host = "internal.jykang"; proxyJump = "wireguard.xmupc1"; };
+          "wireguard.jykang" = jykang // { host = "wireguard.jykang"; proxyJump = "wireguard.xmupc1"; };
+          srv1-node1 = { host = "srv1-node1"; hostname = "192.168.178.2"; proxyJump = "srv1"; };
+          srv1-node2 = { host = "srv1-node2"; hostname = "192.168.178.3"; proxyJump = "srv1"; };
+          srv1-node3 = { host = "srv1-node3"; hostname = "192.168.178.4"; proxyJump = "srv1"; };
        };
      };
    })];
--- a/modules/packages/steam.nix
+++ b/modules/packages/steam.nix
@@ -3,7 +3,7 @@ inputs:
  options.nixos.packages.steam = let inherit (inputs.lib) mkOption types; in mkOption
  {
    type = types.nullOr (types.submodule {});
-    default = if inputs.config.nixos.system.gui.enable then {} else null;
+    default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
  };
  config = let inherit (inputs.config.nixos.packages) steam; in inputs.lib.mkIf (steam != null)
  {
@@ -12,7 +12,7 @@ inputs:
      enable = true;
      package = inputs.pkgs.steam.override (prev:
      {
-        steam = prev.steam.overrideAttrs (prev:
+        steam-unwrapped = prev.steam-unwrapped.overrideAttrs (prev:
        {
          postInstall = prev.postInstall +
          ''
--- a/modules/packages/vasp.nix
+++ b/modules/packages/vasp.nix
@@ -3,12 +3,17 @@ inputs:
  options.nixos.packages.vasp = let inherit (inputs.lib) mkOption types; in mkOption
  {
    type = types.nullOr (types.submodule {});
-    default = if inputs.config.nixos.system.gui.enable then {} else null;
+    default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
  };
  # TODO: add more options to correctly configure VASP
  config = let inherit (inputs.config.nixos.packages) vasp; in inputs.lib.mkIf (vasp != null)
  {
-    nixos.packages.packages._packages = inputs.lib.optionals (inputs.config.nixos.system.nixpkgs.march != null)
-      (with inputs.pkgs.localPackages.vasp; [ intel nvidia vtstscripts ]);
+    nixos.packages.packages._packages = with inputs.pkgs;
+    (
+      [ localPackages.vasp.intel localPackages.vasp.vtstscripts localPackages.py4vasp localPackages.vaspkit wannier90 ]
+        ++ (inputs.lib.optional
+          (let inherit (inputs.config.nixos.system.nixpkgs) cuda; in cuda.enable && cuda.capabilities != null)
+          localPackages.vasp.nvidia)
+    );
  };
 }
--- a/modules/packages/vim.nix
+++ b/modules/packages/vim.nix
@@ -9,7 +9,7 @@ inputs:
      config.programs.vim =
      {
        enable = true;
-        defaultEditor = true;
+        defaultEditor = false;
        packageConfigurable = inputs.config.programs.vim.package;
        settings =
        {
--- a/modules/packages/vscode.nix
+++ b/modules/packages/vscode.nix
@@ -3,7 +3,7 @@ inputs:
  options.nixos.packages.vscode = let inherit (inputs.lib) mkOption types; in mkOption
  {
    type = types.nullOr (types.submodule {});
-    default = if inputs.config.nixos.system.gui.enable then {} else null;
+    default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
  };
  config = let inherit (inputs.config.nixos.packages) vscode; in inputs.lib.mkIf (vscode != null)
  {
@@ -26,53 +26,34 @@ inputs:
                ++ (builtins.attrNames vscode-extensions)
              )));
            in with extensions;
-              (with equinusocio; [ vsc-material-theme vsc-material-theme-icons ])
-              ++ (with github; [ copilot copilot-chat github-vscode-theme ])
-              ++ (with intellsmi; [ comment-translate deepl-translate ])
-              ++ (with ms-python; [ isort python vscode-pylance ])
-              ++ (with ms-toolsai;
-              [
-                jupyter jupyter-keymap jupyter-renderers vscode-jupyter-cell-tags vscode-jupyter-slideshow
-              ])
-              ++ (with ms-vscode;
-              [
-                (cmake-tools.overrideAttrs { sourceRoot = "extension"; }) cpptools cpptools-extension-pack cpptools-themes hexeditor remote-explorer
-                test-adapter-converter
-              ])
-              ++ (with ms-vscode-remote; [ remote-ssh remote-containers remote-ssh-edit ])
+              (with github; [ copilot github-vscode-theme ])
+              ++ (with intellsmi; [ comment-translate ])
+              ++ (with ms-vscode; [ cmake-tools cpptools cpptools-extension-pack hexeditor remote-explorer ])
+              ++ (with ms-vscode-remote; [ remote-ssh ])
              ++ [
-                donjayamanne.githistory genieai.chatgpt-vscode fabiospampinato.vscode-diff cschlosser.doxdocgen
+                donjayamanne.githistory fabiospampinato.vscode-diff
                llvm-vs-code-extensions.vscode-clangd ms-ceintl.vscode-language-pack-zh-hans
                oderwat.indent-rainbow
                twxs.cmake guyutongxue.cpp-reference thfriedrich.lammps leetcode.vscode-leetcode # znck.grammarly
-                james-yu.latex-workshop gimly81.matlab affenwiesel.matlab-formatter ckolkman.vscode-postgres
-                yzhang.markdown-all-in-one pkief.material-icon-theme bbenoist.nix ms-ossdata.vscode-postgresql
-                redhat.vscode-xml dotjoshjohnson.xml jnoortheen.nix-ide xdebug.php-debug
-                hbenl.vscode-test-explorer
-                jeff-hykin.better-cpp-syntax fredericbonnet.cmake-test-adapter mesonbuild.mesonbuild
-                hirse.vscode-ungit fortran-lang.linter-gfortran tboox.xmake-vscode ccls-project.ccls
-                feiskyer.chatgpt-copilot yukiuuh2936.vscode-modern-fortran-formatter wolframresearch.wolfram
-                njpipeorgan.wolfram-language-notebook brettm12345.nixfmt-vscode webfreak.debug
+                james-yu.latex-workshop bbenoist.nix jnoortheen.nix-ide ccls-project.ccls
+                brettm12345.nixfmt-vscode
                gruntfuggly.todo-tree
                # restrctured text
-                lextudio.restructuredtext trond-snekvik.simple-rst
+                lextudio.restructuredtext trond-snekvik.simple-rst swyddfa.esbonio chrisjsewell.myst-tml-syntax
                # markdown
-                shd101wyy.markdown-preview-enhanced
+                yzhang.markdown-all-in-one shd101wyy.markdown-preview-enhanced
                # vasp
                mystery.vasp-support
                yutengjing.open-in-external-app
-                # ChatGPT-like plugin
-                codeium.codeium
                # git graph
                mhutchie.git-graph
+                # python
+                ms-python.python
+                # theme
+                pkief.material-icon-theme
              ];
        }
      )];
-      _pythonPackages = [(pythonPackages: with pythonPackages;
-      [
-        # required by vscode extensions restrucuredtext
-        localPackages.esbonio
-      ])];
    };
  };
 }
--- a/modules/packages/winapps/default.nix
+++ b/modules/packages/winapps/default.nix
@@ -0,0 +1,47 @@
+inputs:
+{
+  options.nixos.packages.winapps = let inherit (inputs.lib) mkOption types; in mkOption
+  {
+    type = types.nullOr (types.submodule {});
+    default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
+  };
+  config = let inherit (inputs.config.nixos.packages) winapps; in inputs.lib.mkIf (winapps != null)
+  {
+    nixos.packages.packages._packages =
+    [
+      (inputs.pkgs.callPackage "${inputs.topInputs.winapps}/packages/winapps" {})
+      (inputs.pkgs.runCommand "winapps-windows" {}
+      ''
+        mkdir -p $out/share/applications
+        cp ${inputs.pkgs.substituteAll { src = ./windows.desktop; path = inputs.topInputs.winapps; }} \
+          $out/share/applications/windows.desktop
+      '')
+    ]
+      ++ builtins.map
+        (p: inputs.pkgs.runCommand "winapps-${p}" {}
+        ''
+          mkdir -p $out/share/applications
+          source ${inputs.topInputs.winapps}/apps/${p}/info
+          # replace \ with \\
+          WIN_EXECUTABLE=$(echo $WIN_EXECUTABLE | sed 's/\\/\\\\/g')
+          # replace space with \s
+          WIN_EXECUTABLE=$(echo $WIN_EXECUTABLE | sed 's/ /\\s/g')
+          cat > $out/share/applications/${p}.desktop << EOF
+          [Desktop Entry]
+          Name=$NAME
+          Exec=winapps manual "$WIN_EXECUTABLE" %F
+          Terminal=false
+          Type=Application
+          Icon=${inputs.topInputs.winapps}/apps/${p}/icon.svg
+          StartupWMClass=$FULL_NAME
+          Comment=$FULL_NAME
+          Categories=$CATEGORIES
+          MimeType=$MIME_TYPES
+          EOF
+        '')
+        [
+          "access-o365" "acrobat-x-pro" "cmd" "excel-o365" "explorer" "illustrator-cc" "powerpoint-o365"
+          "visual-studio-comm" "word-o365"
+        ];
+  };
+}
--- a/modules/packages/winapps/windows.desktop
+++ b/modules/packages/winapps/windows.desktop
@@ -0,0 +1,9 @@
+[Desktop Entry]
+Name=Windows
+Exec=winapps windows %F
+Terminal=false
+Type=Application
+Icon=@path@/icons/windows.svg
+StartupWMClass=Micorosoft Windows
+Comment=Micorosoft Windows
+Categories=Windows
--- a/modules/services/akkoma.nix
+++ b/modules/services/akkoma.nix
@@ -1,51 +0,0 @@
-inputs:
-{
-  options.nixos.services.akkoma = let inherit (inputs.lib) mkOption types; in
-  {
-    enable = mkOption { type = types.bool; default = false; };
-    hostname = mkOption { type = types.str; default = "akkoma.chn.moe"; };
-  };
-  config =
-    let
-      inherit (inputs.config.nixos.services) akkoma;
-      inherit (inputs.lib) mkIf;
-    in mkIf akkoma.enable
-    {
-      services.akkoma =
-      {
-        enable = true;
-        config.":pleroma" =
-        {
-          "Pleroma.Web.Endpoint".url.host = akkoma.hostname;
-          "Pleroma.Repo" =
-          {
-            adapter = (inputs.pkgs.formats.elixirConf { }).lib.mkRaw "Ecto.Adapters.Postgres";
-            hostname = "127.0.0.1";
-            username = "akkoma";
-            password._secret = inputs.config.sops.secrets."akkoma/db".path;
-            database = "akkoma";
-          };
-          ":instance" =
-          {
-            name = "艹";
-            email = "grass@grass.squre";
-            description = "艹艹艹艹艹";
-          };
-        };
-      };
-      nixos.services =
-      {
-        nginx =
-        {
-          enable = true;
-          https."${akkoma.hostname}" =
-          {
-            global.tlsCert = "/var/lib/akkoma";
-            location."/".proxy = { upstream = "http://127.0.0.1:4000"; websocket = true; };
-          };
-        };
-        postgresql.instances.akkoma = {};
-      };
-      sops.secrets."akkoma/db" = { owner = "akkoma"; key = "postgresql/akkoma"; };
-    };
-}
--- a/modules/services/ananicy.nix
+++ b/modules/services/ananicy.nix
@@ -0,0 +1,14 @@
+inputs:
+{
+  options.nixos.services.ananicy = let inherit (inputs.lib) mkOption types; in mkOption
+    { type = types.nullOr (types.submodule {}); default = null; };
+  config = let inherit (inputs.config.nixos.services) ananicy; in inputs.lib.mkIf (ananicy != null)
+  {
+    services.ananicy =
+    {
+      enable = true;
+      package = inputs.pkgs.ananicy-cpp;
+      rulesProvider = inputs.pkgs.ananicy-rules-cachyos;
+    };
+  };
+}
--- a/modules/services/chatgpt.nix
+++ b/modules/services/chatgpt.nix
@@ -1,48 +0,0 @@
-inputs:
-{
-  options.nixos.services.chatgpt = let inherit (inputs.lib) mkOption types; in mkOption
-  {
-    type = types.nullOr (types.submodule { options =
-    {
-      hostname = mkOption { type = types.str; default = "chat.chn.moe"; };
-    };});
-    default = null;
-  };
-  config = let inherit (inputs.config.nixos.services) chatgpt; in inputs.lib.mkIf (chatgpt != null)
-  {
-    virtualisation.oci-containers.containers.chatgpt =
-    {
-      image = "yidadaa/chatgpt-next-web:v2.11.3";
-      imageFile = inputs.pkgs.dockerTools.pullImage
-      {
-        imageName = "yidadaa/chatgpt-next-web";
-        imageDigest = "sha256:622462a7958f82e128a0e1ebd07b96e837f3d457b912fb246b550fb730b538a7";
-        sha256 = "00qwh1kjdchf1nhaz18s2yly2xhvpaa83ym5x4wy3z0y3vc1zwxx";
-        finalImageName = "yidadaa/chatgpt-next-web";
-        finalImageTag = "v2.11.3";
-      };
-      ports = [ "127.0.0.1:6184:3000/tcp" ];
-      extraOptions = [ "--add-host=host.docker.internal:host-gateway" ];
-      environmentFiles = [ inputs.config.sops.templates."chatgpt/env".path ];
-    };
-    sops =
-    {
-      templates."chatgpt/env".content =
-      ''
-        OPENAI_API_KEY=${inputs.config.sops.placeholder."chatgpt/key"}
-        BASE_URL=https://oa.api2d.net
-      '';
-      secrets."chatgpt/key" = {};
-    };
-    nixos =
-    {
-      services.nginx =
-      {
-        enable = true;
-        https."${chatgpt.hostname}".location."/".proxy =
-          { upstream = "http://127.0.0.1:6184"; detectAuth.users = [ "chat" ]; };
-      };
-      virtualization.docker.enable = true;
-    };
-  };
-}
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -3,10 +3,8 @@ inputs:
  imports = inputs.localLib.findModules ./.;
  options.nixos.services = let inherit (inputs.lib) mkOption types; in
  {
-    firewall.trustedInterfaces = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
    smartd.enable = mkOption { type = types.bool; default = false; };
-    wallabag.enable = mkOption { type = types.bool; default = false; };
-    noisetorch.enable = mkOption { type = types.bool; default = inputs.config.nixos.system.gui.preferred; };
+    noisetorch.enable = mkOption { type = types.bool; default = inputs.config.nixos.model.type == "desktop"; };
  };
  config =
    let
@@ -16,67 +14,7 @@ inputs:
      inherit (builtins) map listToAttrs toString;
    in mkMerge
    [
-      { networking.firewall.trustedInterfaces = services.firewall.trustedInterfaces; }
      (mkIf services.smartd.enable { services.smartd.enable = true; })
-      (
-        mkIf services.wallabag.enable
-        {
-          virtualisation.oci-containers.containers.wallabag =
-          {
-            image = "wallabag/wallabag:2.6.2";
-            imageFile = inputs.pkgs.dockerTools.pullImage
-            {
-              imageName = "wallabag/wallabag";
-              imageDigest = "sha256:241e5c71f674ee3f383f428e8a10525cbd226d04af58a40ce9363ed47e0f1de9";
-              sha256 = "0zflrhgg502w3np7kqmxij8v44y491ar2qbk7qw981fysia5ix09";
-              finalImageName = "wallabag/wallabag";
-              finalImageTag = "2.6.2";
-            };
-            ports = [ "127.0.0.1:4398:80/tcp" ];
-            extraOptions = [ "--add-host=host.docker.internal:host-gateway" ];
-            environmentFiles = [ inputs.config.sops.templates."wallabag/env".path ];
-          };
-          sops =
-          {
-            templates."wallabag/env".content =
-              let
-                placeholder = inputs.config.sops.placeholder;
-              in
-              ''
-                SYMFONY__ENV__DATABASE_DRIVER=pdo_pgsql
-                SYMFONY__ENV__DATABASE_HOST=host.docker.internal
-                SYMFONY__ENV__DATABASE_PORT=5432
-                SYMFONY__ENV__DATABASE_NAME=wallabag
-                SYMFONY__ENV__DATABASE_USER=wallabag
-                SYMFONY__ENV__DATABASE_PASSWORD=${placeholder."postgresql/wallabag"}
-                SYMFONY__ENV__REDIS_HOST=host.docker.internal
-                SYMFONY__ENV__REDIS_PORT=8790
-                SYMFONY__ENV__REDIS_PASSWORD=${placeholder."redis/wallabag"}
-                SYMFONY__ENV__SERVER_NAME=wallabag.chn.moe
-                SYMFONY__ENV__DOMAIN_NAME=https://wallabag.chn.moe
-                SYMFONY__ENV__TWOFACTOR_AUTH=false
-              '';
-              # SYMFONY__ENV__MAILER_DSN=smtp://bot%%40chn.moe@${placeholder."mail/bot-encoded"}:mail.chn.moe
-              # SYMFONY__ENV__FROM_EMAIL=bot@chn.moe
-              # SYMFONY__ENV__TWOFACTOR_SENDER=bot@chn.moe
-            secrets."mail/bot-encoded" = {};
-          };
-          nixos =
-          {
-            services =
-            {
-              nginx =
-              {
-                enable = true;
-                https."wallabag.chn.moe".location."/".proxy.upstream = "http://127.0.0.1:4398";
-              };
-              postgresql.instances.wallabag = {};
-              redis.instances.wallabag = { user = "root"; port = 8790; };
-            };
-            virtualization.docker.enable = true;
-          };
-        }
-      )
      (mkIf services.noisetorch.enable { programs.noisetorch.enable = true; })
    ];
 }
--- a/modules/services/docker.nix
+++ b/modules/services/docker.nix
@@ -0,0 +1,38 @@
+inputs:
+{
+  options.nixos.services.docker = let inherit (inputs.lib) mkOption types; in mkOption
+    { type = types.nullOr (types.submodule {}); default = null; };
+  config = let inherit (inputs.config.nixos.services) docker; in inputs.lib.mkMerge
+  [
+    (
+      inputs.lib.mkIf (docker != null)
+      {
+        # system-wide docker is not needed
+        # virtualisation.docker.enable = true;
+        virtualisation.docker.rootless =
+        {
+          enable = true;
+          setSocketVariable = true;
+          daemon.settings =
+          {
+            features.buildkit = true;
+            # dns 127.0.0.1 make docker not work
+            dns = [ "1.1.1.1" ];
+            # prevent create btrfs subvol
+            storage-driver = "overlay2";
+          };
+        };
+      }
+    )
+    # some docker settings should be set unconditionally, as some services depend on them
+    {
+      virtualisation.docker =
+      {
+        enableNvidia = inputs.lib.mkIf inputs.config.nixos.system.nixpkgs.cuda.enable true;
+        # prevent create btrfs subvol
+        storageDriver = "overlay2";
+        daemon.settings.dns = [ "1.1.1.1" ];
+      };
+    }
+  ];
+}
--- a/modules/services/gitea.nix
+++ b/modules/services/gitea.nix
@@ -43,11 +43,32 @@ inputs:
          SMTP_PORT = 465;
          USER = "bot@chn.moe";
        };
+        service.REGISTER_MANUAL_CONFIRM = true;
      };
    };
    nixos.services =
    {
-      nginx = { enable = true; https."${gitea.hostname}".location."/".proxy.upstream = "http://127.0.0.1:3002"; };
+      nginx =
+      {
+        enable = true;
+        https."${gitea.hostname}".location =
+        {
+          "/".proxy.upstream = "http://127.0.0.1:3002";
+          "/robots.txt".static.root =
+            let
+              robotsFile = inputs.pkgs.fetchurl
+              {
+                url = "https://gitea.com/robots.txt";
+                sha256 = "144c5s3la4a85c9lygcnxhbxs3w5y23bkhhqx69fbp9yiqyxdkk2";
+              };
+              robotsDir = inputs.pkgs.runCommand "robots.txt" {}
+              ''
+                mkdir -p $out
+                cp ${robotsFile} $out/robots.txt
+              '';
+            in "${robotsDir}";
+        };
+      };
      postgresql.instances.gitea = {};
    };
    sops.secrets =
--- a/modules/services/groupshare.nix
+++ b/modules/services/groupshare.nix
@@ -4,7 +4,11 @@ inputs:
  {
    type = types.nullOr (types.submodule { options =
    {
-      users = mkOption { type = types.listOf types.nonEmptyStr; default = [ "chn" "gb" "xll" "yjq" "zem" ]; };
+      users = mkOption
+      {
+        type = types.listOf types.nonEmptyStr;
+        default = [ "chn" "gb" "xll" "yjq" "zem" "gb" "wp" "hjp" ];
+      };
    };});
    default = null;
  };
--- a/modules/services/huginn.nix
+++ b/modules/services/huginn.nix
@@ -60,7 +60,6 @@ inputs:
          };
          mariadb.instances.huginn = {};
        };
-        virtualization.docker.enable = true;
      };
    };
 }
--- a/modules/services/keyd.nix
+++ b/modules/services/keyd.nix
@@ -0,0 +1,21 @@
+inputs:
+{
+  options.nixos.services.keyd = let inherit (inputs.lib) mkOption types; in mkOption
+    { type = types.nullOr (types.submodule {}); default = null; };
+  config = let inherit (inputs.config.nixos.services) keyd; in inputs.lib.mkIf (keyd != null)
+  {
+    services.keyd =
+    {
+      enable = true;
+      keyboards.default =
+      {
+        ids = [ "*" ];
+        settings =
+        {
+          main.rightcontrol = "overload(r_ctrl, rightcontrol)";
+          "r_ctrl:C" = { left = "home"; right = "end"; up = "pageup"; down = "pagedown"; };
+        };
+      };
+    };
+  };
+}
--- a/modules/services/kmscon.nix
+++ b/modules/services/kmscon.nix
@@ -1,19 +0,0 @@
-inputs:
-{
-  options.nixos.services.kmscon = let inherit (inputs.lib) mkOption types; in
-  {
-    enable = mkOption { type = types.bool; default = false; };
-  };
-  config =
-    let
-      inherit (inputs.lib) mkIf;
-      inherit (inputs.config.nixos.services) kmscon;
-    in mkIf kmscon.enable
-    {
-      services.kmscon =
-      {
-        enable = true;
-        fonts = [{ name = "FiraCode Nerd Font Mono"; package = inputs.pkgs.nerdfonts; }];
-      };
-    };
-}
--- a/modules/services/mariadb.nix
+++ b/modules/services/mariadb.nix
@@ -49,11 +49,7 @@ inputs:
    sops.secrets = builtins.listToAttrs (builtins.map
      (db: { name = "mariadb/${db.value.user}"; value.owner = inputs.config.users.users.mysql.name; })
      (builtins.filter (db: db.value.passwordFile == null) (inputs.localLib.attrsToList mariadb.instances)));
-    environment.persistence =
-      let inherit (inputs.config.nixos.system) impermanence; in inputs.lib.mkIf impermanence.enable
-      {
-        "${impermanence.nodatacow}".directories = let user = "mysql"; in
-          [{ directory = "/var/lib/mysql"; inherit user; group = user; mode = "0750"; }];
-      };
+    environment.persistence."/nix/nodatacow".directories =
+      [{ directory = "/var/lib/mysql"; user = "mysql"; group = "mysql"; mode = "0750"; }];
  };
 }
--- a/modules/services/mastodon.nix
+++ b/modules/services/mastodon.nix
@@ -1,83 +0,0 @@
-inputs:
-{
-  options.nixos.services.mastodon = let inherit (inputs.lib) mkOption types; in
-  {
-    enable = mkOption { type = types.bool; default = false; };
-    hostname = mkOption { type = types.str; default = "dudu.chn.moe"; };
-  };
-  config =
-    let
-      inherit (inputs.config.nixos.services) mastodon;
-      inherit (inputs.lib) mkIf;
-      inherit (builtins) toString;
-    in mkIf mastodon.enable
-    {
-      services.mastodon =
-      {
-        enable = true;
-        streamingProcesses = 1;
-        enableUnixSocket = false;
-        localDomain = mastodon.hostname;
-        database =
-        {
-          createLocally = false;
-          host = "127.0.0.1";
-          passwordFile = inputs.config.sops.secrets."mastodon/postgresql".path;
-        };
-        redis.createLocally = false;
-        smtp =
-        {
-          createLocally = false;
-          user = "bot@chn.moe";
-          port = 465;
-          passwordFile = inputs.config.sops.secrets."mastodon/mail".path;
-          host = "mail.chn.moe";
-          fromAddress = "bot@chn.moe";
-          authenticate = true;
-        };
-        extraEnvFiles = [ inputs.config.sops.templates."mastodon/env".path ];
-      };
-      nixos.services =
-      {
-        postgresql.instances.mastodon = {};
-        redis.instances.mastodon.port = inputs.config.services.mastodon.redis.port;
-        nginx =
-        {
-          enable = true;
-          https."${mastodon.hostname}".location =
-          {
-            "/system/".alias.path = "/var/lib/mastodon/public-system/";
-            "/".static =
-              { root = "${inputs.config.services.mastodon.package}/public"; tryFiles = [ "$uri" "@proxy" ]; };
-            "@proxy".proxy =
-              { upstream = "http://127.0.0.1:${toString inputs.config.services.mastodon.webPort}"; websocket = true; };
-            "/api/v1/streaming/".proxy =
-            {
-              upstream = "http://unix:/run/mastodon-streaming/streaming-1.socket";
-              websocket = true;
-            };
-          };
-        };
-      };
-      sops =
-      {
-        secrets =
-        {
-          "mastodon/mail" = { owner = "mastodon"; key = "mail/bot"; };
-          "mastodon/postgresql" = { owner = "mastodon"; key = "postgresql/mastodon"; };
-        };
-        templates."mastodon/env" =
-        {
-          owner = "mastodon";
-          content =
-          ''
-            REDIS_PASSWORD=${inputs.config.sops.placeholder."redis/mastodon"}
-            SMTP_SSL=true
-            SMTP_AUTH_METHOD=plain
-          '';
-        };
-      };
-      environment.systemPackages = [ inputs.config.services.mastodon.package ];
-      # sudo -u mastodon mastodon-tootctl accounts modify chn --role Owner
-    };
-}
--- a/modules/services/meilisearch.nix
+++ b/modules/services/meilisearch.nix
@@ -1,113 +0,0 @@
-inputs:
-{
-  options.nixos.services.meilisearch = let inherit (inputs.lib) mkOption types; in
-  {
-    instances = mkOption
-    {
-      type = types.attrsOf (types.submodule (submoduleInputs: { options =
-      {
-        user = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
-        port = mkOption { type = types.ints.unsigned; };
-      };}));
-      default = {};
-    };
-    ioLimitDevice = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
-  };
-  config = let inherit (inputs.config.nixos.services) meilisearch; in
-  {
-    systemd =
-    {
-      services = builtins.listToAttrs (builtins.map
-        (instance:
-        {
-          name = "meilisearch-${instance.name}";
-          value =
-          {
-            description = "meiliSearch ${instance.name}";
-            wantedBy = [ "multi-user.target" ];
-            after = [ "network.target" ];
-            # environment.RUST_BACKTRACE = "full";
-            serviceConfig =
-            {
-              User = instance.value.user;
-              Group = inputs.config.users.users.${instance.value.user}.group;
-              ExecStart =
-                let
-                  meilisearch = inputs.pkgs.meilisearch.overrideAttrs (prev:
-                  {
-                    RUSTFLAGS = prev.RUSTFLAGS or [] ++ [ "-Clto=true" "-Cpanic=abort" "-Cembed-bitcode=yes"]
-                      ++ (
-                        let inherit (inputs.config.nixos.system.nixpkgs) march;
-                        in (if march != null then [ "-Ctarget-cpu=${march}" ] else [])
-                      );
-                  });
-                  config = inputs.config.sops.templates."meilisearch-${instance.name}.toml".path;
-                in
-                  "${meilisearch}/bin/meilisearch --config-file-path ${config}";
-              Restart = "always";
-              StartLimitBurst = 3;
-              LimitNOFILE = "infinity";
-              LimitNPROC = "infinity";
-              LimitCORE = "infinity";
-              CPUSchedulingPolicy = "idle";
-              IOSchedulingClass = "idle";
-              IOSchedulingPriority = 4;
-              IOAccounting = true;
-              IOWeight = 1;
-              Nice = 19;
-              Slice = "-.slice";
-            }
-            // (if meilisearch.ioLimitDevice != null then
-            {
-              IOReadBandwidthMax = "${meilisearch.ioLimitDevice} 20M";
-              IOWriteBandwidthMax = "${meilisearch.ioLimitDevice} 20M";
-              # iostat -dx 1
-              IOReadIOPSMax = "${meilisearch.ioLimitDevice} 100";
-              IOWriteIOPSMax = "${meilisearch.ioLimitDevice} 100";
-            } else {});
-          };
-        })
-        (inputs.localLib.attrsToList meilisearch.instances));
-      tmpfiles.rules = builtins.concatLists (builtins.map
-        (instance:
-          let
-            user = instance.value.user;
-            group = inputs.config.users.users.${instance.value.user}.group;
-            dir = "/var/lib/meilisearch/${instance.name}";
-          in
-            [ "d ${dir} 0700 ${user} ${group}" "Z ${dir} - ${user} ${group}" ])
-        (inputs.localLib.attrsToList meilisearch.instances));
-    };
-    sops =
-    {
-      templates = builtins.listToAttrs (builtins.map
-        (instance:
-        {
-          name = "meilisearch-${instance.name}.toml";
-          value =
-          {
-            content =
-            ''
-              db_path = "/var/lib/meilisearch/${instance.name}"
-              http_addr = "0.0.0.0:${builtins.toString instance.value.port}"
-              master_key = "${inputs.config.sops.placeholder."meilisearch/${instance.name}"}"
-              env = "production"
-              dump_dir = "/var/lib/meilisearch/${instance.name}/dumps"
-              log_level = "INFO"
-              max_indexing_memory = "16Gb"
-              max_indexing_threads = 1
-            '';
-            owner = instance.value.user;
-          };
-        })
-        (inputs.localLib.attrsToList meilisearch.instances));
-      secrets = builtins.listToAttrs (builtins.map
-        (instance: { name = "meilisearch/${instance.name}"; value = {}; })
-        (inputs.localLib.attrsToList meilisearch.instances));
-    };
-    environment.persistence =
-      let inherit (inputs.config.nixos.system) impermanence;
-      in inputs.lib.mkIf (impermanence.enable && meilisearch.instances != {})
-        { "${impermanence.nodatacow}".directories = [ "/var/lib/meilisearch" ]; };
-  };
-}
--- a/modules/services/mirism.nix
+++ b/modules/services/mirism.nix
@@ -31,7 +31,7 @@ inputs:
              {
                User = inputs.config.users.users.mirism.name;
                Group = inputs.config.users.users.mirism.group;
-                ExecStart = "${inputs.pkgs.localPackages.mirism}/bin/${instance}";
+                ExecStart = "${inputs.pkgs.localPackages.mirism-old}/bin/${instance}";
                RuntimeMaxSec = "1d";
                Restart = "always";
              };
--- a/modules/services/misskey.nix
+++ b/modules/services/misskey.nix
@@ -8,11 +8,6 @@ inputs:
      port = mkOption { type = types.ints.unsigned; default = 9726; };
      redis.port = mkOption { type = types.ints.unsigned; default = 3545; };
      hostname = mkOption { type = types.nonEmptyStr; default = "misskey.chn.moe"; };
-      meilisearch =
-      {
-        enable = mkOption { type = types.bool; default = false; };
-        port = mkOption { type = types.ints.unsigned; default = 7700; };
-      };
    };});
    default = {};
  };
@@ -31,9 +26,7 @@ inputs:
          {
            enable = instance.value.autoStart;
            description = "misskey ${instance.name}";
-            after = [ "network.target" "redis-misskey-${instance.name}.service" "postgresql.service" ]
-              ++ (if instance.value.meilisearch.enable then [ "meilisearch-misskey-${instance.name}.service" ]
-                else []);
+            after = [ "network.target" "redis-misskey-${instance.name}.service" "postgresql.service" ];
            requires = after;
            wantedBy = [ "multi-user.target" ];
            environment.MISSKEY_CONFIG_YML = inputs.config.sops.templates."misskey/${instance.name}.yml".path;
@@ -77,7 +70,6 @@ inputs:
              let
                placeholder = inputs.config.sops.placeholder;
                redis = inputs.config.nixos.services.redis.instances."misskey-${instance.name}";
-                meilisearch = inputs.config.nixos.services.meilisearch.instances."misskey-${instance.name}";
              in
              ''
                url: https://${instance.value.hostname}/
@@ -105,17 +97,7 @@ inputs:
                proxyRemoteFiles: true
                signToActivityPubGet: true
                maxFileSize: 1073741824
-              ''
-              + (if instance.value.meilisearch.enable then
-              ''
-                meilisearch:
-                  host: 127.0.0.1
-                  port: ${toString meilisearch.port}
-                  apiKey: ${placeholder."meilisearch/misskey-${instance.name}"}
-                  ssl: false
-                  index: misskey
-                  scope: global
-              '' else "");
+              '';
            owner = inputs.config.users.users."misskey-${instance.name}".name;
          };
        })
@@ -142,19 +124,6 @@ inputs:
        postgresql.instances = listToAttrs (map
          (instance: { name = "misskey_${replaceStrings [ "-" ] [ "_" ] instance.name}"; value = {}; })
          (attrsToList misskey.instances));
-        meilisearch.instances =
-          let instances = filter (instance: instance.value.meilisearch.enable) (attrsToList misskey.instances);
-          in listToAttrs (map
-            (instance:
-            {
-              name = "misskey-${instance.name}";
-              value =
-              {
-                user = inputs.config.users.users."misskey-${instance.name}".name;
-                port = instance.value.meilisearch.port;
-              };
-            })
-            instances);
        nginx =
        {
          enable = mkIf (misskey.instances != {}) true;
--- a/modules/services/nfs.nix
+++ b/modules/services/nfs.nix
@@ -0,0 +1,29 @@
+inputs:
+{
+  options.nixos.services.nfs = let inherit (inputs.lib) mkOption types; in mkOption
+  {
+    type = types.nullOr (types.submodule { options =
+    {
+      root = mkOption { type = types.nonEmptyStr; };
+      exports = mkOption { type = types.listOf types.nonEmptyStr; };
+      accessLimit = mkOption { type = types.nonEmptyStr; };
+    };});
+    default = null;
+  };
+  config = let inherit (inputs.config.nixos.services) nfs; in inputs.lib.mkIf (nfs != null)
+  {
+    services =
+    {
+      rpcbind.enable = true;
+      nfs.server =
+      {
+        enable = true;
+        exports = "${nfs.root} ${nfs.accessLimit}(rw,no_root_squash,fsid=0,sync,crossmnt)\n"
+          + builtins.concatStringsSep "\n" (builtins.map
+            (export: "${export} ${nfs.accessLimit}(rw,no_root_squash,sync,crossmnt)")
+            nfs.exports);
+      };
+    };
+    networking.firewall.allowedTCPPorts = [ 2049 ];
+  };
+}
--- a/modules/services/nginx/applications/kkmeeting.nix
+++ b/modules/services/nginx/applications/kkmeeting.nix
@@ -1,18 +0,0 @@
-inputs:
-{
-  options.nixos.services.nginx.applications.kkmeeting = let inherit (inputs.lib) mkOption types; in
-  {
-    enable = mkOption { type = types.bool; default = false; };
-    hostname = mkOption { type = types.nonEmptyStr; default = "kkmeeting.chn.moe"; };
-  };
-  config =
-    let
-      inherit (inputs.config.nixos.services.nginx.applications) kkmeeting;
-      inherit (inputs.lib) mkIf;
-    in mkIf kkmeeting.enable
-    {
-      nixos.services.nginx.https.${kkmeeting.hostname}.location."/".static =
-        { root = "/srv/kkmeeting"; index = "auto"; charset = "utf-8"; };
-      systemd.tmpfiles.rules = [ "d /srv/kkmeeting 0700 nginx nginx" "Z /srv/kkmeeting - nginx nginx" ];
-    };
-}
--- a/modules/services/nginx/default.nix
+++ b/modules/services/nginx/default.nix
@@ -247,6 +247,9 @@ inputs:
              proxy_ssl_server_name on;
              proxy_ssl_session_reuse off;
              send_timeout 1d;
+              # nginx will try to redirect https://blog.chn.moe/docs to https://blog.chn.moe:3068/docs/ in default
+              # this make it redirect to /docs/ without hostname
+              absolute_redirect off;
            '';
            proxyTimeout = "1d";
            recommendedZstdSettings = true;
@@ -333,7 +336,7 @@ inputs:
          let
            ipset = "${inputs.pkgs.ipset}/bin/ipset";
            iptables = "${inputs.pkgs.iptables}/bin/iptables";
-            ip = "${inputs.pkgs.iproute}/bin/ip";
+            ip = "${inputs.pkgs.iproute2}/bin/ip";
            start = inputs.pkgs.writeShellScript "nginx-proxy.start"
            (
              ''
--- a/modules/services/nixseperatedebuginfo.nix
+++ b/modules/services/nixseperatedebuginfo.nix
@@ -3,17 +3,18 @@ inputs:
  options.nixos.services.nixseparatedebuginfo = let inherit (inputs.lib) mkOption types; in mkOption
  {
    type = types.nullOr (types.submodule {});
-    default = if inputs.config.nixos.system.gui.enable then {} else null;
+    default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
  };
  config =
    let inherit (inputs.config.nixos.services) nixseparatedebuginfo; in inputs.lib.mkIf (nixseparatedebuginfo != {})
    {
      services.nixseparatedebuginfod.enable = true;
-      environment.persistence =
-        let inherit (inputs.config.nixos.system) impermanence; in inputs.lib.mkIf impermanence.enable
-        {
-          "${impermanence.nodatacow}".directories = let user = "nixseparatedebuginfod"; in
-          [{ directory = "/var/cache/nixseparatedebuginfod"; inherit user; group = user; mode = "0755"; }];
-        };
+      environment.persistence."/nix/nodatacow".directories =
+      [{
+        directory = "/var/cache/nixseparatedebuginfod";
+        user = "nixseparatedebuginfod";
+        group = "nixseparatedebuginfod";
+        mode = "0755";
+      }];
    };
 }
--- a/modules/services/ollama.nix
+++ b/modules/services/ollama.nix
@@ -11,7 +11,6 @@ inputs:
        { enable = true; package = inputs.pkgs.genericPackages.open-webui; environment.WEBUI_AUTH = "False"; };
      nextjs-ollama-llm-ui.enable = true;
    };
-    # TODO: broken in python 3.12
-    # nixos.packages._packages = [ inputs.pkgs.oterm ];
+    nixos.packages.packages._packages = [ inputs.pkgs.oterm ];
  };
 }
--- a/modules/services/peertube.nix
+++ b/modules/services/peertube.nix
@@ -0,0 +1,65 @@
+inputs:
+{
+  options.nixos.services.peertube = let inherit (inputs.lib) mkOption types; in mkOption
+  {
+    type = types.nullOr (types.submodule { options =
+    {
+      hostname = mkOption { type = types.nonEmptyStr; default = "peertube.chn.moe"; };
+    };});
+    default = null;
+  };
+  config = let inherit (inputs.config.nixos.services) peertube; in inputs.lib.mkIf (peertube != null)
+  {
+    services.peertube =
+    {
+      enable = true;
+      localDomain = peertube.hostname;
+      listenHttp = 5046;
+      listenWeb = 443;
+      enableWebHttps = true;
+      serviceEnvironmentFile = inputs.config.sops.templates."peertube/env".path;
+      secrets.secretsFile = inputs.config.sops.secrets."peertube/secrets".path;
+      configureNginx = true;
+      database =
+      {
+        createLocally = true;
+        host = "127.0.0.1";
+        passwordFile = inputs.config.sops.secrets."peertube/postgresql".path;
+      };
+      redis =
+      {
+        host = "127.0.0.1";
+        port = 7599;
+        passwordFile = inputs.config.sops.secrets."redis/peertube".path;
+      };
+      smtp.passwordFile = inputs.config.sops.secrets."peertube/smtp".path;
+      settings.smtp =
+      {
+        host = "mail.chn.moe";
+        username = "bot@chn.moe";
+        from_address = "bot@chn.moe";
+      };
+    };
+    sops =
+    {
+      templates."peertube/env".content =
+      ''
+        PT_INITIAL_ROOT_PASSWORD=${inputs.config.sops.placeholder."peertube/password"}
+      '';
+      secrets =
+      {
+        "peertube/postgresql" = { owner = inputs.config.services.peertube.user; key = "postgresql/peertube"; };
+        "peertube/password" = {};
+        "peertube/secrets".owner = inputs.config.services.peertube.user;
+        "peertube/smtp" = { owner = inputs.config.services.peertube.user; key = "mail/bot"; };
+      };
+    };
+    nixos.services =
+    {
+      nginx = { enable = true; https.${peertube.hostname}.global.configName = peertube.hostname; };
+      postgresql.instances.peertube = {};
+      redis.instances.peertube.port = 7599;
+    };
+    systemd.services.peertube.after = [ "redis-peertube.service" ];
+  };
+}
--- a/modules/services/postgresql.nix
+++ b/modules/services/postgresql.nix
@@ -28,7 +28,7 @@ inputs:
        settings =
        {
          unix_socket_permissions = "0700";
-          shared_buffers = "8192MB";
+          shared_buffers = "512MB";
          work_mem = "512MB";
          autovacuum = "on";
        };
@@ -86,11 +86,7 @@ inputs:
    sops.secrets = builtins.listToAttrs (builtins.map
      (db: { name = "postgresql/${db.value.user}"; value.owner = inputs.config.users.users.postgres.name; })
      (builtins.filter (db: db.value.passwordFile == null) (inputs.localLib.attrsToList postgresql.instances)));
-    environment.persistence =
-      let inherit (inputs.config.nixos.system) impermanence; in inputs.lib.mkIf impermanence.enable
-      {
-        "${impermanence.nodatacow}".directories = let user = "postgres"; in
-          [{ directory = "/var/lib/postgresql"; inherit user; group = user; mode = "0750"; }];
-      };
+    environment.persistence."/nix/nodatacow".directories =
+      [{ directory = "/var/lib/postgresql"; user = "postgres"; group = "postgres"; mode = "0750"; }];
  };
 }
--- a/modules/services/rsshub.nix
+++ b/modules/services/rsshub.nix
@@ -13,22 +13,27 @@ inputs:
      inherit (builtins) map listToAttrs toString;
    in mkIf rsshub.enable
    {
-      systemd.services.rsshub =
+      systemd =
      {
-        description = "rsshub";
-        after = [ "network.target" "redis-rsshub.service" ];
-        requires = [ "redis-rsshub.service" ];
-        wantedBy = [ "multi-user.target" ];
-        serviceConfig =
+        services.rsshub =
        {
-          User = inputs.config.users.users.rsshub.name;
-          Group = inputs.config.users.users.rsshub.group;
-          EnvironmentFile = inputs.config.sops.templates."rsshub/env".path;
-          WorkingDirectory = "${inputs.pkgs.localPackages.rsshub}";
-          ExecStart = "${inputs.pkgs.localPackages.rsshub}/bin/rsshub";
-          CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
-          AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+          description = "rsshub";
+          after = [ "network.target" "redis-rsshub.service" ];
+          requires = [ "redis-rsshub.service" ];
+          wantedBy = [ "multi-user.target" ];
+          serviceConfig =
+          {
+            User = inputs.config.users.users.rsshub.name;
+            Group = inputs.config.users.users.rsshub.group;
+            EnvironmentFile = inputs.config.sops.templates."rsshub/env".path;
+            WorkingDirectory = "${inputs.pkgs.localPackages.rsshub}";
+            ExecStart = "${inputs.pkgs.localPackages.rsshub}/bin/rsshub";
+            CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+            AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+          };
+          restartTriggers = [ inputs.config.sops.templates."rsshub/env".content ];
        };
+        tmpfiles.rules = [ "d /var/cache/rsshub 0700 rsshub rsshub" ];
      };
      sops =
      {
@@ -46,11 +51,17 @@ inputs:
            YOUTUBE_CLIENT_ID='${placeholder."rsshub/youtube-client-id"}'
            YOUTUBE_CLIENT_SECRET='${placeholder."rsshub/youtube-client-secret"}'
            YOUTUBE_REFRESH_TOKEN='${placeholder."rsshub/youtube-refresh-token"}'
+            TWITTER_AUTH_TOKEN='${placeholder."rsshub/twitter-auth-token"}'
+            XDG_CONFIG_HOME='/var/cache/rsshub/chromium'
+            XDG_CACHE_HOME='/var/cache/rsshub/chromium'
+            BILIBILI_COOKIE_data0='${placeholder."rsshub/bilibili-cookie"}'
          '';
        secrets = (listToAttrs (map (secret: { name = "rsshub/${secret}"; value = {}; })
        [
          "pixiv-refreshtoken"
          "youtube-key" "youtube-client-id" "youtube-client-secret" "youtube-refresh-token"
+          "twitter-auth-token"
+          "bilibili-cookie"
        ]));
      };
      users =
--- a/modules/services/samba.nix
+++ b/modules/services/samba.nix
@@ -33,18 +33,7 @@ inputs:
          enable = true;
          # TCP 139 445 UDP 137 138
          openFirewall = !samba.private;
-          securityType = "user";
-          extraConfig =
-          ''
-            workgroup = WORKGROUP
-            server string = Samba Server
-            server role = standalone server
-            hosts allow = ${samba.hostsAllowed}
-            dns proxy = no
-          '';
-          #  obey pam restrictions = yes
-          #  encrypt passwords = no
-          shares = listToAttrs (map
+          settings = listToAttrs (map
            (share:
            {
              name = share.name;
@@ -60,7 +49,8 @@ inputs:
                "force directory mode" = "2755";
              };
            })
-            (attrsToList samba.shares));
+            (attrsToList samba.shares))
+            // { global."hosts allow" = "${samba.hostsAllowed}"; };
        };
      };
      nixos.services.xray.client.v2ray-forwarder =
--- a/Show More
+++ b/Show More