services.xrdp: add optimise

Merge branch 'production' into xrdp
暂存
2026-01-12 04:19:22 +08:00 · 2024-03-08 13:49:12 +08:00 · 2024-03-08 12:50:46 +08:00 · 2024-03-07 20:36:41 +08:00 · 2024-03-07 20:34:58 +08:00 · 2024-03-07 20:34:58 +08:00
254 changed files with 13231 additions and 1760 deletions
--- a/.gitattributes
+++ b/.gitattributes
@@ -0,0 +1,2 @@
+*.png filter=lfs diff=lfs merge=lfs -text
+*.icm filter=lfs diff=lfs merge=lfs -text
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 result
 result-man
+outputs
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,15 +1,39 @@
-keys:
+keys: # cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
  - &chn age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
-  - &chn-PC age1ffvr5pqd2lfj24e3fh53s92z6h76fda3du4y4k6r3yjumdwvpfgqzj033a
-  - &chn-nixos-test age1thf94z6z4835nxsx56upa3s32vfqq2s6d67rpg7weawj2lrk25asw8smhh
+  - &pc age1ffvr5pqd2lfj24e3fh53s92z6h76fda3du4y4k6r3yjumdwvpfgqzj033a
+  - &vps6 age164tyqklwhdm57tfm5u863mdt2xrzrrzac4py8a0j9y6kzqcjy9zsp073t6
+  - &vps7 age137x7csalutwvfygvvzpemlsywvdxj3j4z93a50z2sjx03w6zau8q3r5902
+  - &surface age1ck5vzs0xqx0jplmuksrkh45xwmkm2t05m2wyq5k2w2mnkmn79fxs6tvl3l
+  - &nas age19lhcwk37jmvn6z0v4dpdfh0k4u23f76twdjknc0p7atktf37rd7s4t4wj3
+  - &xmupc1 age1hnarptkze0ujpp05dqr8uma04cxg9zqcx68qgpks5uf5l6rpk5gqhh8wxg
 creation_rules:
-  - path_regex: secrets/chn-PC\.yaml$
+  - path_regex: devices/pc/secrets/.*$
    key_groups:
    - age:
      - *chn
-      - *chn-PC
-  - path_regex: secrets/chn-nixos-test\.yaml$
+      - *pc
+  - path_regex: devices/vps6/secrets/.*$
    key_groups:
    - age:
      - *chn
-      - *chn-nixos-test
+      - *vps6
+  - path_regex: devices/vps7/secrets/.*$
+    key_groups:
+    - age:
+      - *chn
+      - *vps7
+  - path_regex: devices/nas/secrets/.*$
+    key_groups:
+    - age:
+      - *chn
+      - *nas
+  - path_regex: devices/surface/secrets/.*$
+    key_groups:
+    - age:
+      - *chn
+      - *surface
+  - path_regex: devices/xmupc1/secrets/.*$
+    key_groups:
+    - age:
+      - *chn
+      - *xmupc1
--- a/devices/nas/default.nix
+++ b/devices/nas/default.nix
@@ -0,0 +1,101 @@
+inputs:
+{
+  config =
+  {
+    nixos =
+    {
+      system =
+      {
+        fileSystems =
+        {
+          mount =
+          {
+            vfat."/dev/disk/by-uuid/13BC-F0C9" = "/boot/efi";
+            btrfs =
+            {
+              "/dev/disk/by-uuid/0e184f3b-af6c-4f5d-926a-2559f2dc3063"."/boot" = "/boot";
+              "/dev/mapper/nix"."/nix" = "/nix";
+              "/dev/mapper/root1" =
+              {
+                "/nix/rootfs" = "/nix/rootfs";
+                "/nix/persistent" = "/nix/persistent";
+                "/nix/nodatacow" = "/nix/nodatacow";
+                "/nix/rootfs/current" = "/";
+                "/nix/backup" = "/nix/backup";
+              };
+            };
+          };
+          decrypt.manual =
+          {
+            enable = true;
+            devices =
+            {
+              "/dev/disk/by-uuid/5cf1d19d-b4a5-4e67-8e10-f63f0d5bb649".mapper = "root1";
+              "/dev/disk/by-uuid/aa684baf-fd8a-459c-99ba-11eb7636cb0d".mapper = "root2";
+              "/dev/disk/by-uuid/a779198f-cce9-4c3d-a64a-9ec45f6f5495" = { mapper = "nix"; ssd = true; };
+            };
+            delayedMount = [ "/" "/nix" ];
+          };
+          swap = [ "/nix/swap/swap" ];
+          rollingRootfs = { device = "/dev/mapper/root1"; path = "/nix/rootfs"; };
+        };
+        initrd.sshd.enable = true;
+        grub.installDevice = "efi";
+        nixpkgs.march = "silvermont";
+        nix.substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
+        kernel.patches = [ "cjktty" "lantian" ];
+        networking.hostname = "nas";
+        gui.preferred = false;
+      };
+      hardware = { cpus = [ "intel" ]; gpu.type = "intel"; };
+      packages.packageSet = "desktop-fat";
+      services =
+      {
+        snapper.enable = true;
+        fontconfig.enable = true;
+        samba =
+        {
+          enable = true;
+          hostsAllowed = "192.168. 127.";
+          shares = { home.path = "/home"; root.path = "/"; };
+        };
+        sshd.enable = true;
+        xray.client =
+        {
+          enable = true;
+          serverAddress = "74.211.99.69";
+          serverName = "vps6.xserver.chn.moe";
+          dns.extraInterfaces = [ "docker0" ];
+        };
+        xrdp = { enable = true; hostname = [ "nas.chn.moe" "office.chn.moe" ]; };
+        groupshare.enable = true;
+        smartd.enable = true;
+        beesd =
+        {
+          enable = true;
+          instances =
+          {
+            root = { device = "/"; hashTableSizeMB = 4096; threads = 4; };
+            nix = { device = "/nix"; hashTableSizeMB = 128; };
+          };
+        };
+        frpClient =
+        {
+          enable = true;
+          serverName = "frp.chn.moe";
+          user = "nas";
+          stcp.hpc = { localIp = "hpc.xmu.edu.cn"; localPort = 22; };
+        };
+        nginx = { enable = true; applications.webdav.instances."local.webdav.chn.moe" = {}; };
+        wireguard =
+        {
+          enable = true;
+          peers = [ "vps6" ];
+          publicKey = "xCYRbZEaGloMk7Awr00UR3JcDJy4AzVp4QvGNoyEgFY=";
+          wireguardIp = "192.168.83.4";
+        };
+      };
+      users.users = [ "chn" "xll" "zem" "yjq" "gb" ];
+    };
+  };
+}
--- a/devices/nas/secrets/default.yaml
+++ b/devices/nas/secrets/default.yaml
@@ -0,0 +1,48 @@
+xray-client:
+    uuid: ENC[AES256_GCM,data:97aX07G5FPumdWcDxnYOs6fRgljXWuwyNXGg1d7zdbUUfNnb,iv:+wAC/DZXsg+evYFA4DMfLw5Ut3ExQl1RgZ/2AsNQDpo=,tag:ebD77muITHof+FQMydWobg==,type:str]
+acme:
+    cloudflare.ini: ENC[AES256_GCM,data:/LpP1qoVS+CG+5ska6vtmagHNrhcgr5e1QRzDdbdCYGnDB8Nca/GmIogzHCXsogQY/rwGTCZoXLKKEGToYiThwk=,iv:R++I0ued2wrVsmM/vYvBVMOp9M7HyZIfDOVOlg7GALE=,tag:gYchPuh8MHk3EEnGb9g4WA==,type:str]
+users:
+    xll: ENC[AES256_GCM,data:XLSsz6fZ23PPaJS1Y5C3FAOks3wzb2f+Pv8TgyKrDBfMeoLk1M37A00OGJ2wsYxkuR0JV6Uoh+hhRpTUjOQnmLfQrBxPxxP8DA==,iv:jxEZX/flxxduM1sdrYfGHfMtFMYduMg0Lr6hY1pkAPg=,tag:CYy0y1e2S2Txz1OSh+XDHA==,type:str]
+    zem: ENC[AES256_GCM,data:VCVLfGO9a06XhAOBciFf1u7A5jaQikAt2wZf+dCAi1BglXpM6Hof1yAunadYOwLOBFgGlP19kX53CBBlZtaqZFL2GRDzXP0woQ==,iv:AFYtHCCkzNrllN/fjQ8GKYs2TyV3uj3BsU5n1tBQAmM=,tag:5dP7c5N4yG2NS4T+Vg0Zpg==,type:str]
+    yjq: ENC[AES256_GCM,data:yn6eGrySCxlRsFioaE2p1qlTHkIGC9l64+edjuDvt232xc+iFeD03EYfuulyr0GxYFwnlAwtaJnyMi5eOrSd1W6HeV3Canzdbw==,iv:qTc6vA8uQza8CB+BvffEN9GqHkiwNM4h9RkqQR14ylk=,tag:UZ2GYCJLjcWLuVXlscLviw==,type:str]
+    gb: ENC[AES256_GCM,data:jIR3EVdATYUgWmW4J8RdURJRmDBC84t0S/c2EzWwtFMtjgKlqg52fIfQ66i7RnIYRAoF+s4Ex0aLSejWgzQ69NA/AF0AIS7Y/Q==,iv:mvTCTP0E74QlvM8TcY4o49G5kNGs5HFx3YUrj6mCrwM=,tag:LXfIOyAB10XuHA6Cg7LBeQ==,type:str]
+frp:
+    token: ENC[AES256_GCM,data:zYRZoWa3Llv0NiPXtSfhWUn+wt4uIcw8Wa+QBTzn7gLk6UVIA4FD7FLABBKoFbwg62Fo79Nn,iv:YZdOYkJf6BN76Z68nCtetKElJkqKiYmcx6UmLoIXSdo=,tag:5sC2vt3Z21KhgOU9mrfXhg==,type:str]
+    stcp:
+        hpc: ENC[AES256_GCM,data:lkpM4nzt8ymQ+5eV,iv:LvSShCSN8w0VsJYjICG9NWCMiw7NSPpoSZ+I2t7uILs=,tag:LLry5z4KpPdnN75x8dANqg==,type:str]
+nginx:
+    detectAuth:
+        chn: ENC[AES256_GCM,data:44vsExbVhO3gnD4Gme92eQ==,iv:LyDvZebs1sDL1/hZQiZdHoPBm4hXtBy56jR73zSH6Aw=,tag:w5xPHnK9XOSS0+97q8b5gQ==,type:str]
+    maxmind-license: ENC[AES256_GCM,data:JbAnFQiDcJGwvb89sG2ro77nwwOWcDnqVcA902jwb2zzZci7PpXROw==,iv:eifkWK0oN73Ekn3oWzy6XbYK2GU+4tlnLPJ+96WOWJY=,tag:35ulsshxtUfOsSQOLgAt0g==,type:str]
+wireguard:
+    privateKey: ENC[AES256_GCM,data:VPlB4wSbWqSYw3rYRwfAMa39xrPcPZfz7sV2Cq3rmOhifnUPwggxnA+51do=,iv:utnyrB6Yfe5O94Oq4HDVFm/lQ9ZBoyvUT68r2G2PdwA=,tag:snm01vA+z2yKK8d2i5i2ig==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3aWJSUVUwMnYwN01vSEJO
+            cHV3Ylkzb1Z6Z1E3a2NwZXdIVlpacHJDNWhBCkZXZWx5M21HKy94WkhuaDhkVEFL
+            M01MdUlza0VmK1hKTExmeFdUWDllbTAKLS0tIE8wR1F6ZVZPNVYwU1Y3ZFJaUkhT
+            a3B1UzdQSjlzTmxReVhWMzhTaVdTRDgKG76K16V6NAMaeyfne4LL/zwa5+lfPz/y
+            1SX1JOaWNpXqfOIGflZUF88lxCLR8ttEFea391x2vhoKPZKCvIDGHw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age19lhcwk37jmvn6z0v4dpdfh0k4u23f76twdjknc0p7atktf37rd7s4t4wj3
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4eXhkb1B3WXhGTTBLTDk2
+            ZmhTUDltWGk4ZU1PUk8vYkVaUkx0MDFEWUZNCjl2R25JR3Z0U3NKWWwzbjVsMXVq
+            NXMxOThGaFVHQ1ZacU4yUXVBVXNBNUkKLS0tIFkyUjhzMzlMVkM2WFZ1VUw5Zlcy
+            by9Rd0U0bzNiK21BQTNxN1RuQ09DQVkKJmSlzV5ppEkZFljsS17ZWmoI++fz4tJh
+            kTdoAStG1zsKASHyZTsmdm3RBDO3qV1KhQC2gC7d4EiwNZngxOOZJg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-03-07T12:35:21Z"
+    mac: ENC[AES256_GCM,data:bR4PPHaGX6VCRP+Ze96sccnwYxnZkfpmJp6iMBzr+W3JRd0VjTEwTH8aNn1WIsNFXco+BCmwroJR07oKYnbusBYgiEeHnkhXvyAELETs7BitH8JrUtSsGs2wJDfkU9fWf6BNT7oHGpP69Tyrl+8v+Q8jyLV8kW8+c7uJPyT2ACQ=,iv:Hl2eX7TV6lgWjUim0m4r44Ji0c9QDH+qzpDyBOTeVp4=,tag:6xkFMQMwEP7IhpXEB4o+hQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
--- a/devices/pc/color/TPLCD_161B_Default.icm
+++ b/devices/pc/color/TPLCD_161B_Default.icm
--- a/devices/pc/color/TPLCD_161B_Native.icm
+++ b/devices/pc/color/TPLCD_161B_Native.icm
--- a/devices/pc/color/TPLCD_161B_Native_HDR.icm
+++ b/devices/pc/color/TPLCD_161B_Native_HDR.icm
--- a/devices/pc/color/TPLCD_161B_REC709.icm
+++ b/devices/pc/color/TPLCD_161B_REC709.icm
--- a/devices/pc/color/TPLCD_161B_sRGB.icm
+++ b/devices/pc/color/TPLCD_161B_sRGB.icm
--- a/devices/pc/default.nix
+++ b/devices/pc/default.nix
@@ -0,0 +1,187 @@
+inputs:
+{
+  config =
+  {
+    nixos =
+    {
+      system =
+      {
+        fileSystems =
+        {
+          mount =
+          {
+            vfat."/dev/disk/by-uuid/3F57-0EBE" = "/boot/efi";
+            btrfs =
+            {
+              "/dev/disk/by-uuid/02e426ec-cfa2-4a18-b3a5-57ef04d66614"."/" = "/boot";
+              "/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
+            };
+          };
+          decrypt.auto =
+          {
+            "/dev/disk/by-uuid/55fdd19f-0f1d-4c37-bd4e-6df44fc31f26" = { mapper = "root"; ssd = true; };
+            "/dev/disk/by-uuid/4be45329-a054-4c20-8965-8c5b7ee6b35d" =
+              { mapper = "swap"; ssd = true; before = [ "root" ]; };
+          };
+          swap = [ "/dev/mapper/swap" ];
+          resume = "/dev/mapper/swap";
+          rollingRootfs = { device = "/dev/mapper/root"; path = "/nix/rootfs"; };
+        };
+        grub =
+        {
+          # TODO: install windows
+          # windowsEntries = { "7317-1DB6" = "Windows"; "7321-FA9C" = "Windows for malware"; };
+          installDevice = "efi";
+        };
+        nix =
+        {
+          marches =
+          [
+            "znver2" "znver3" "znver4"
+            # FXSR SAHF XSAVE
+            "sandybridge"
+            # FXSR PREFETCHW RDRND SAHF
+            "silvermont"
+            # FXSR HLE LZCNT PREFETCHW RDRND SAHF XSAVE
+            "broadwell"
+            # FXSR HLE LZCNT PREFETCHW RDRND SAHF SGX XSAVE
+            "skylake"
+            # AVX-VNNI CLDEMOTE GFNI-SSE HRESET KL LZCNT MOVDIR64B MOVDIRI PCONFIG PREFETCHW PTWRITE RDRND
+            # SERIALIZE SGX WAITPKG WIDEKL XSAVE XSAVEOPT
+            "alderlake"
+          ];
+        };
+        nixpkgs =
+          { march = "znver4"; cuda = { enable = true; capabilities = [ "8.9" ]; forwardCompat = false; }; };
+        kernel.patches = [ "cjktty" "lantian" "hibernate-progress" ];
+        networking.hostname = "pc";
+        sysctl.laptop-mode = 5;
+      };
+      hardware =
+      {
+        cpus = [ "amd" ];
+        gpu = { type = "amd+nvidia"; prime.busId = { amd = "8:0:0"; nvidia = "1:0:0"; }; dynamicBoost = true; };
+        bluetooth.enable = true;
+        joystick.enable = true;
+        printer.enable = true;
+        sound.enable = true;
+        legion.enable = true;
+      };
+      packages.packageSet = "workstation";
+      virtualization =
+      {
+        waydroid.enable = true;
+        docker.enable = true;
+        kvmHost = { enable = true; gui = true; autoSuspend = [ "win10" "hardconnect" ]; };
+        nspawn = [ "arch" "ubuntu-22.04" "fedora" ];
+      };
+      services =
+      {
+        snapper.enable = true;
+        fontconfig.enable = true;
+        samba =
+        {
+          enable = true;
+          private = true;
+          hostsAllowed = "192.168. 127.";
+          shares =
+          {
+            media.path = "/run/media/chn";
+            home.path = "/home/chn";
+            mnt.path = "/mnt";
+            share.path = "/home/chn/share";
+          };
+        };
+        sshd.enable = true;
+        xray.client =
+        {
+          enable = true;
+          serverAddress = "74.211.99.69";
+          serverName = "vps6.xserver.chn.moe";
+          dns =
+          {
+            extraInterfaces = [ "docker0" ];
+            hosts =
+            {
+              "mirism.one" = "74.211.99.69";
+              "beta.mirism.one" = "74.211.99.69";
+              "ng01.mirism.one" = "74.211.99.69";
+              "debug.mirism.one" = "127.0.0.1";
+              "initrd.vps6.chn.moe" = "74.211.99.69";
+              "nix-store.chn.moe" = "127.0.0.1";
+              "initrd.nas.chn.moe" = "192.168.1.185";
+            };
+          };
+        };
+        firewall.trustedInterfaces = [ "virbr0" "waydroid0" ];
+        acme = { enable = true; cert."debug.mirism.one" = {}; };
+        frpClient =
+        {
+          enable = true;
+          serverName = "frp.chn.moe";
+          user = "pc";
+          stcpVisitor."yy.vnc".localPort = 6187;
+        };
+        nix-serve = { enable = true; hostname = "nix-store.chn.moe"; };
+        smartd.enable = true;
+        misskey.instances.misskey.hostname = "xn--qbtm095lrg0bfka60z.chn.moe";
+        beesd = { enable = true; instances.root = { device = "/"; hashTableSizeMB = 4096; threads = 4; }; };
+        wireguard =
+        {
+          enable = true;
+          peers = [ "vps6" ];
+          publicKey = "l1gFSDCeBxyf/BipXNvoEvVvLqPgdil84nmr5q6+EEw=";
+          wireguardIp = "192.168.83.3";
+        };
+        gamemode = { enable = true; drmDevice = 1; };
+        slurm = { enable = true; cpu = { cores = 16; threads = 2; }; memoryMB = 94208; gpus."4060" = 1; };
+        xrdp = { enable = true; hostname = [ "pc.chn.moe" ]; optimise = { type = "nvidia"; nvidiaBusId = "1:0:0"; }; };
+      };
+      bugs = [ "xmunet" "backlight" "amdpstate" ];
+    };
+    services.colord.enable = true;
+    virtualisation.virtualbox.host = { enable = true; enableExtensionPack = true; };
+    specialisation =
+    {
+      nvidia.configuration =
+      {
+        nixos =
+        {
+          hardware.gpu.type = inputs.lib.mkForce "nvidia";
+          services.gamemode.drmDevice = inputs.lib.mkForce 0;
+        };
+        system.nixos.tags = [ "nvidia" ];
+      };
+      hybrid-sync.configuration =
+      {
+        nixos.hardware.gpu.prime.mode = "sync";
+        system.nixos.tags = [ "hybrid-sync" ];
+      };
+      amd.configuration =
+      {
+        nixos.hardware.gpu = { type = inputs.lib.mkForce "amd"; dynamicBoost = inputs.lib.mkForce false; };
+        boot =
+        {
+          extraModprobeConfig =
+          ''
+            blacklist nouveau
+            options nouveau modeset=0
+          '';
+          blacklistedKernelModules = [ "nvidia" "nvidia_drm" "nvidia_modeset" ];
+        };
+        services.udev.extraRules =
+        ''
+          # Remove NVIDIA USB xHCI Host Controller devices, if present
+          ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x0c0330", ATTR{power/control}="auto", ATTR{remove}="1"
+          # Remove NVIDIA USB Type-C UCSI devices, if present
+          ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x0c8000", ATTR{power/control}="auto", ATTR{remove}="1"
+          # Remove NVIDIA Audio devices, if present
+          ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x040300", ATTR{power/control}="auto", ATTR{remove}="1"
+          # Remove NVIDIA VGA/3D controller devices
+          ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x03[0-9]*", ATTR{power/control}="auto", ATTR{remove}="1"
+        '';
+        system.nixos.tags = [ "amd" ];
+      };
+    };
+  };
+}
--- a/devices/pc/secrets/default.yaml
+++ b/devices/pc/secrets/default.yaml
@@ -0,0 +1,51 @@
+xray-client:
+    uuid: ENC[AES256_GCM,data:XU7/GZ8cJmDwNsrQfoFHrquZT5QkjvTPZfnghX3BLyvPLlrX,iv:e/BQkZ5ydWD4P/qT9OUloB8/cXImfkG3YZnuIeNLoTc=,tag:EW3ZBzGnyIrUfcMeJqm4aA==,type:str]
+acme:
+    cloudflare.ini: ENC[AES256_GCM,data:hPNpTclYvRbcbFO6aR9PNyHt3kDUmjeUgg4NPsr+c/yxKPundoiziNYBRfF7/axlw8Hu32jf/cDlcWaEmqCBQJY=,iv:bdGCD/a6AnGQhiFNyZ+fD1f/rILsEcPXC2qRDsAO4n8=,tag:MLZak9uSqsg/0Ldx2Wgb6A==,type:str]
+frp:
+    token: ENC[AES256_GCM,data:0mE8/cWqHKNquCIiqgbjcNhipKk7KEfbZ+qRYbu+iZr7AH9QjfYZQiMJNp4Aa3JWwBLYAnpf,iv:ID4cc8Tn0H9b1CimXlPamMlhlAkafhRApDHo/CCQ4BE=,tag:BUuU/BCj16R7FlKlpubawA==,type:str]
+    stcp:
+        yy.vnc: ENC[AES256_GCM,data:IsZWkNGYHrbQcgvOSURDnA==,iv:4XO8RFBdNopLKYxCACmkXLMPu0wIVx64y0C7m2bsTVA=,tag:fMHzU9aQm0bRr8pTKwpuHQ==,type:str]
+store:
+    signingKey: ENC[AES256_GCM,data:TsB1nA0Rf2AsYyH59WpUK53pTCX2JdrGQjkJ9A9BfWLLmw3EMnPoaLHG12rv1R2/xRU7rP+iVhXb77g60I/Kn4ehun3ogMmK1oEAKyQcxudBUJFk+SeijaQLr2A=,iv:e2rdGBVOPS1nyC3pXhs5r0WyEkqxcpCnX3eAcBCj93M=,tag:HwccjH2Wms5/TevU2IuzNw==,type:str]
+nginx:
+    maxmind-license: ENC[AES256_GCM,data:PVV4VAvB22KoA8EM8Honb+KWYhydXdmTAVlDw/XnTcbaIY+5Km2gGA==,iv:7PfytRbpW4G2iDNqysvZnB0YsQFVUL5Kr1DNsBzuhCA=,tag:z2J14fdD7AUNabN+6kUojA==,type:str]
+postgresql:
+    misskey_misskey: ENC[AES256_GCM,data:MSDbQffk/WjZ6EYiwVuUMdhdv9VE59ZM7t4XldOKRO0=,iv:J/x9t4Pk5zi7Av9fbzxgAbbtbEUZttSx/JGRmmgmvE4=,tag:CwFR9K++T7YqYR932z3IAg==,type:str]
+redis:
+    misskey-misskey: ENC[AES256_GCM,data:vcvQ/hs/F3BZd1sfvWwfEeB8vVoqdnprxobcmL6xsmg=,iv:S32yrjrjj56HbxTlfFGjOb+sO2M9KKEDEazCrpQWj6Q=,tag:iwnvqwQEdd6jicx9jJBdbg==,type:str]
+meilisearch:
+    misskey-misskey: ENC[AES256_GCM,data:/wYR3Bz4LRk/Ks0vizlZS3Ebf5qVfnlBBqZEm/ZIBFdDuhddgu71cqCjTHIKQ6CYh3CoUyguKIIFWku/kOCHKA==,iv:dllKvZwxvZC4pVyEMOB9WNiVBsVxzo5kwbdYKCzzyrY=,tag:MvzqalVvBkyJoLbirN0V8Q==,type:str]
+wireguard:
+    privateKey: ENC[AES256_GCM,data:oIpiXJvEoyryS4eEutoe85Af0L5a5iNuOsCWCat9KEhr2ecY/vRimk/1fbA=,iv:dm2hTSNX7Q38yASon5o1jxEJZbWPXUWYydXYMBHF/sE=,tag:yrANhwIF/wHQGHGA1bfPgw==,type:str]
+mariadb:
+    slurm: ENC[AES256_GCM,data:fGvNMmqk7Cee28VJ1QoBVrBbgIUbj/F1W0SRjdP8N4K/M8Wx4AVm1kAr0IAhPWyDLXlIjM1NUvuEV5BpYDBdjg==,iv:rFTMJ4x2kgENQUA8ftSaLjdOc25i5mWR3UYbdq54vjs=,tag:6feD0eCSv7bcHWBveLNJwg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUcDBqZldlajB1RURQVW03
+            TWJTaDlvVEYvZDd5dXBJV0c2V3FGY0laMUZ3CkxjQUtLRHBOZkQ4Mk5JTGd5V0M4
+            VUJ5aHJGSDl0MWpDSTNnQ2RSRnpPQ0kKLS0tIFA2em42NXNmZkJZWCs1Tmxia1VV
+            RnRPQ05LTDZTOEY3OWVMdmhHTTRKT1EKyBnGiEpkJ9TUGMSne5RUX5U4Nc49gXOn
+            8q6IeBWnI3mkVA0PElAThSpXLMMzq01uDrcZEeE9BocyU7Y/JRbUMA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ffvr5pqd2lfj24e3fh53s92z6h76fda3du4y4k6r3yjumdwvpfgqzj033a
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWeEw5YWpQNXM2dWpVY3Uw
+            bjBFQmVKeDlqYUFPNGhwVlVwdTdDaDY2bUNNCmJncHhrbHplU2ZvTHROcU1LNzBE
+            dnRlOFF2eXhHKzZ5VzQvS3RPb3FsWTAKLS0tIHNDcmdGTWl1VTREaVJXR1VzSUs0
+            OUlxNjdQaXdXMkZ6bnV1ek4yZ2dpbkEKpKGOAxo5Eef2jtGrg4iSzmGCeg+vTgvu
+            +K8b+O19MIkGMDBm6UbYUPtc/7eqoEZRiTUzNMTmfkLVS4ul5zou9A==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-03-07T12:35:41Z"
+    mac: ENC[AES256_GCM,data:Krgtb791wR+S0PQyV2h0Uyh7MKx9fOTHbetmgLoiGOHL8FMSvmWt3LCMQy+RyjnOIj9XRwb8l+kyTqkgeN4zEfKd1uuOh95Z/hLWhCkWs4dPaBu6Uw4aekH9ZUmQJZIr1lt2AIayRsVjaU0dIl4FOcLW+93ls95aluhvPPloJX0=,iv:MmJFdVpF4ZfxMRwbxPV/TC1Qt957vl0QvU0MZzUWdm8=,tag:6+VVFDdPSTycxnKO7Td6VA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
--- a/devices/pc/secrets/munge.key
+++ b/devices/pc/secrets/munge.key
@@ -0,0 +1,24 @@
+{
+	"data": "ENC[AES256_GCM,data:ftogJ/2oPME8sVbyNAuI3t3GEzUmdCadyjf2g/bjGNx3AoV0jU0SDxnBLDFfoR1rEtV00zfgCMPDGsEXavg+QVvoICpvvhckXMOLXe37H3Ff0wDVJtL4BBIK3oVh/SiYaRm/+uR0x6HW37KX50RRvKvpQoRdMVNnvtKbMjmQVIA=,iv:MOHfTIavoU643K10jSR3HruzoofOqqVspYgiaLc294o=,tag:zjDTPKwAOh/nqkquvAQpbw==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5TTB1bHFXcDhoMk1QVzJ0\nUUplcGVBVUhoOEt0Rnc2ZStDUUpjZmV0eGpvCjFQSGl4TjlMT2R5RExNZWxwOUtz\nSWhhSUtFN0JISzJhclpCMFZDQ09jK28KLS0tIGJydDNoY3hBbEhBYUNYZGZCaWpQ\nQnVDalJCcWpIRTdVaWkzeGVNSGpDRWsKWXoMC8NApfenn191aRwdAjD0iM5+C3R6\nXKpHxfhc1Gf6paxBhketFU+AwWsKiBDKh0gntV49F+YSriPa7uI3FA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1ffvr5pqd2lfj24e3fh53s92z6h76fda3du4y4k6r3yjumdwvpfgqzj033a",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzclYwVjdOZnQ1Y2dlUi9n\naXQya21QVHZ0KzMxTkVuTEJuazB4WklqdFdvCmpMd0h6OXUvZSttOFpmeUdsSlNs\nQkhQaVJqVFdidFNMejljV2h3WUFTaFUKLS0tIGNBemY5R1N3T00zMEthZjBsWXZh\nVXRtNG5UV3I3WG5LYUphNUNyUDI5WXcKVQpMe3zYgzHOtQQvo8Vvz94lYR6TBFuV\nD7ztr4rD/Vdk3hkSGZQvdzGjNDdGpac38LUN9vtFQbzMofykcn/etw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-02-24T05:48:31Z",
+		"mac": "ENC[AES256_GCM,data:kCLcS6xeMijD8Bxa0MBUbFH2pdXX6BdGL1SztHHPet8loMkiCfgEiyp9l/QjszWa3G6zx3K+0wXXtRXmrNAxThnIgMZQVGCy4Ucw7fp8Pral/5eaJNlZGb56JQPF9ZDHb9YQPDPImaEAKYUtzayyaZAGJGlCmIIhVVhXTx7iiig=,iv:MXRDA/6YnVUbLdYAIrMvrdb2iPsi4Bmr06SPCU8CCVc=,tag:9hT7Xo0tRnHTgAaivKj4QQ==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}
--- a/devices/surface/default.nix
+++ b/devices/surface/default.nix
@@ -0,0 +1,76 @@
+inputs:
+{
+  imports = inputs.localLib.mkModules [ inputs.topInputs.nixos-hardware.nixosModules.microsoft-surface-pro-intel ];
+  config =
+  {
+    nixos =
+    {
+      system =
+      {
+        fileSystems =
+        {
+          mount =
+          {
+            vfat."/dev/disk/by-uuid/7179-9C69" = "/boot/efi";
+            btrfs =
+            {
+              "/dev/disk/by-uuid/c6d35075-85fe-4129-aaa8-f436ab85ce43"."/boot" = "/boot";
+              "/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
+            };
+          };
+          decrypt.auto =
+          {
+            "/dev/disk/by-uuid/4f7420f9-ea19-4713-b084-2ac8f0a963ac" = { mapper = "root"; ssd = true; };
+            "/dev/disk/by-uuid/88bd9d44-928b-40a2-8f3d-6dcd257c4601" =
+              { mapper = "swap"; ssd = true; before = [ "root" ]; };
+          };
+          swap = [ "/dev/mapper/swap" ];
+          resume = "/dev/mapper/swap";
+          rollingRootfs = { device = "/dev/mapper/root"; path = "/nix/rootfs"; };
+        };
+        nixpkgs.march = "skylake";
+        grub.installDevice = "efi";
+        nix.substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
+        kernel.patches = [ "cjktty" "lantian" "surface" ];
+        networking.hostname = "surface";
+      };
+      hardware =
+      {
+        cpus = [ "intel" ];
+        gpu.type = "intel";
+        bluetooth.enable = true;
+        joystick.enable = true;
+        printer.enable = true;
+        sound.enable = true;
+      };
+      packages.packageSet = "desktop-fat";
+      virtualization = { docker.enable = true; waydroid.enable = true; };
+      services =
+      {
+        snapper.enable = true;
+        fontconfig.enable = true;
+        sshd.enable = true;
+        xray.client =
+        {
+          enable = true;
+          serverAddress = "74.211.99.69";
+          serverName = "vps6.xserver.chn.moe";
+          dns.extraInterfaces = [ "docker0" ];
+        };
+        firewall.trustedInterfaces = [ "virbr0" ];
+        wireguard =
+        {
+          enable = true;
+          peers = [ "vps6" ];
+          publicKey = "j7qEeODVMH31afKUQAmKRGLuqg8Bxd0dIPbo17LHqAo=";
+          wireguardIp = "192.168.83.5";
+        };
+        beesd = { enable = true; instances.root = { device = "/"; hashTableSizeMB = 512; }; };
+      };
+      bugs = [ "xmunet" ];
+    };
+    boot.kernelParams = [ "intel_iommu=off" ];
+    environment.systemPackages = with inputs.pkgs; [ maliit-keyboard maliit-framework ];
+    powerManagement.resumeCommands = ''${inputs.pkgs.systemd}/bin/systemctl restart iptsd'';
+  };
+}
--- a/devices/surface/secrets/default.yaml
+++ b/devices/surface/secrets/default.yaml
@@ -0,0 +1,33 @@
+xray-client:
+    uuid: ENC[AES256_GCM,data:WEBAH3PQM5ahNpH/kvTtcjcJ2GllmmRlBR2oclG6AimGenSg,iv:TMp0WTOe9fuELSZoVGenl5XSZUFoiYUBEMWMn4NFv1g=,tag:GJTE0EELcZkrnGAKLYer1g==,type:str]
+wireguard:
+    privateKey: ENC[AES256_GCM,data:P/tyZHaEAahZUBF22dJEZb6mACm/wmUunPDG0vS7SNW3sWbzxRSut0haR/g=,iv:8VMv5iotmDrYDLiszcOvJHkD8l6uE+SboPSILr6KuzU=,tag:U/FIBhvghwDTvFtUWEqr4g==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzV1pvWkVGSFg5TVAvRlhu
+            TnFnMEszcDRWWHlQanAyRkRpQWdqQkdhTzFvCjBqUG4xNFBiRnlSeTNQSmdkVkdD
+            UlVCQjRFVExuZHdrSnViajZGZ3c2dWsKLS0tIHlQYU5VeGpEQzllMmxLSnJZZzZx
+            N1R3Mkhxa0dOVlJiU0V2OEZVVzZVMFkKae3c1axl22uxh9wMygAHs6q1WA5ImOS8
+            uzKSthWSqtC7DMqgUFaaSjBYM2TN3l402syx71xVFyyAmCcGZbbJcg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ck5vzs0xqx0jplmuksrkh45xwmkm2t05m2wyq5k2w2mnkmn79fxs6tvl3l
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCSHJVRGIwQUFpVER5SWxq
+            YjJOT0lXN3dFOFpjMFlWV3JCbmZFN0hnNEJBClpQUEczK2RWTGlVTmJRbVZaUC8y
+            bEFrL1RjTTNlYVNnRVRBZlRjaTlnUEEKLS0tIE5GM01pTGFFcWVVSWEvUHE3Z08r
+            a2xybTRFUFZZN20zajZJTVNwVEpGcEEKglmFMk7z1q5IlZ+lZf9M0HtknmvcYt/P
+            2/z5e8wLN1Hy0Zsbv0yIL/NmqwxAOGJOdzz7ElJszk/Y4kUr9aRasg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-02-16T14:25:17Z"
+    mac: ENC[AES256_GCM,data:lpZ+Jd5LF35ESBOmOoq7pbNHze7rJiQsiq8cOgf8+cWnAqVh1bccG0cFe7R8uBhmuKIqp7TwkORDFuD+KFCZW14cbR4SP3vndSoYzKxIBdKTObR95w2ETst+prUtQ3fvFeEtlJexeljikfprWf2pGo1OzPophAyocgT31z2iMjs=,iv:Bryz+kqRvXYPj6YuxeDhQfLsgYqHXrA+lHFX18m2GGE=,tag:A7mvmguWoOir2JoIprgL4A==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
--- a/devices/vps6/default.nix
+++ b/devices/vps6/default.nix
@@ -0,0 +1,84 @@
+inputs:
+{
+  config =
+  {
+    nixos =
+    {
+      system =
+      {
+        fileSystems =
+        {
+          mount =
+          {
+            btrfs =
+            {
+              "/dev/disk/by-uuid/24577c0e-d56b-45ba-8b36-95a848228600"."/boot" = "/boot";
+              "/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
+            };
+          };
+          decrypt.manual =
+          {
+            enable = true;
+            devices."/dev/disk/by-uuid/4f8aca22-9ec6-4fad-b21a-fd9d8d0514e8" = { mapper = "root"; ssd = true; };
+            delayedMount = [ "/" ];
+          };
+          swap = [ "/nix/swap/swap" ];
+          rollingRootfs = { device = "/dev/mapper/root"; path = "/nix/rootfs"; };
+        };
+        grub.installDevice = "/dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:0";
+        nixpkgs.march = "sandybridge";
+        nix.substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
+        initrd.sshd.enable = true;
+        networking.hostname = "vps6";
+      };
+      packages.packageSet = "server";
+      services =
+      {
+        snapper.enable = false;
+        sshd.enable = true;
+        xray.server = { enable = true; serverName = "vps6.xserver.chn.moe"; };
+        frpServer = { enable = true; serverName = "frp.chn.moe"; };
+        nginx =
+        {
+          streamProxy.map =
+          {
+            "anchor.fm" = { upstream = "anchor.fm:443"; proxyProtocol = false; };
+            "podcasters.spotify.com" = { upstream = "podcasters.spotify.com:443"; proxyProtocol = false; };
+            "xlog.chn.moe" = { upstream = "cname.xlog.app:443"; proxyProtocol = false; };
+          }
+          // (builtins.listToAttrs (builtins.map
+            (site: { name = "${site}.chn.moe"; value.upstream.address = "wireguard.pc.chn.moe"; })
+            [ "nix-store" "xn--qbtm095lrg0bfka60z" ]))
+          // (builtins.listToAttrs (builtins.map
+            (site: { name = "${site}.chn.moe"; value.upstream.address = "wireguard.vps7.chn.moe"; })
+            [
+              "xn--s8w913fdga" "misskey" "synapse" "syncv3.synapse" "matrix" "syncv3.matrix"
+              "send" "kkmeeting" "api" "git" "grafana" "vikunja"
+            ]));
+          applications =
+          {
+            element.instances."element.chn.moe" = {};
+            synapse-admin.instances."synapse-admin.chn.moe" = {};
+            catalog.enable = true;
+            blog.enable = true;
+            main.enable = true;
+          };
+        };
+        coturn.enable = true;
+        httpua.enable = true;
+        mirism.enable = true;
+        fail2ban.enable = true;
+        wireguard =
+        {
+          enable = true;
+          peers = [ "pc" "nas" "vps7" "surface" "xmupc1" ];
+          publicKey = "AVOsYUKQQCvo3ctst3vNi8XSVWo1Wh15066aHh+KpF4=";
+          wireguardIp = "192.168.83.1";
+          listenIp = "74.211.99.69";
+          lighthouse = true;
+        };
+        beesd = { enable = true; instances.root = { device = "/"; hashTableSizeMB = 64; }; };
+      };
+    };
+  };
+}
--- a/devices/vps6/secrets/default.yaml
+++ b/devices/vps6/secrets/default.yaml
@@ -0,0 +1,106 @@
+acme:
+    cloudflare.ini: ENC[AES256_GCM,data:X1v1QuOZemIuxldd1bzIvbUsq+8HMGLh91zUB+fnrxaW40z0OQh9L1rF/0Nj3gmUmgT4KEV7nkHFYYpZBp4/Kyc=,iv:fQmbhx9wV3l+DVPaBrAyJbTCsS3q3s5F9Go1F7pZ2pQ=,tag:P4vuruX460YSOUsx6zGHXQ==,type:str]
+frp:
+    token: ENC[AES256_GCM,data:T8b1ku4HNCNSJ+33QgIt1GILFA4wTu3Qd0rDqHPVgdqsGo0R90k0u8z+dElSO7q9PapTqUbZ,iv:hwnMu6JxfYLgw4TyhujX5dI2IAytgZh+Bexhgta6ATQ=,tag:lqgwvXlS/jGPxasmk5Vh3w==,type:str]
+xray-server:
+    clients:
+        #ENC[AES256_GCM,data:DXEC,iv:SZ1AhmK6fWQ/HGDk97kDUcRN84zQMp99eiz4SpRhig8=,tag:Fkdf28ZvB8XKCxSYdjuuHw==,type:comment]
+        user0: ENC[AES256_GCM,data:rJ00sfe/oJSry6Ixn4Bn+p41syqsOrdWv6fRGVCwPvn/unMY,iv:htTvFMvhIRkORA/gIU8J7CgA+tOncYQWh7sUh+F6XDs=,tag:VrSJBD7ti9WtSLHoWjMClw==,type:str]
+        #ENC[AES256_GCM,data:OVgDU+zqcQ==,iv:8KuEqBuL5Ca6pUOFFA+vySJx/h3BhGAAC0CgnxiW46o=,tag:TY1MajSSy2RjKVI2SSAAFw==,type:comment]
+        user1: ENC[AES256_GCM,data:S3IHO9FcVHTJOsRxjSohM9MgnrEwLdDpFU+efLkQaXT2jNJG,iv:KOesvPzjDfm1EDLFiegbk0wgjp7di5mUwUuuY2hwvOQ=,tag:ZsYyUyyEhO5S3weCw/gPMw==,type:str]
+        #ENC[AES256_GCM,data:OQOPobpbbhajgA==,iv:4jG3bHKzWcR+JnvSlJsc0Qlv5kywqVN5UE96J31CP7Q=,tag:P+jJkRxPu99tLXyO5k6dRA==,type:comment]
+        user2: ENC[AES256_GCM,data:e7ITe2ZouKr8dXT7SYATyzbzHaVeu6AKt1OcQKk3U0nsQgoa,iv:UbOOuojy6OAFEH8lGhKe5Hs+2K6FX5MZ8Br9AB007gs=,tag:5XeB4YngzTcHZvCpXe/ZXA==,type:str]
+        user3: ENC[AES256_GCM,data:r+6jXaIj4HJoYLnJcnjJB+WEZlGaoSy/ktc1Aw77hFtNrrGp,iv:P+YUKns1yaOZokH5WkDB0jssGyHg3ncc54tF1PyA7Oc=,tag:/pxMEr7l4ye5EDAOsllxJA==,type:str]
+        #ENC[AES256_GCM,data:4gqZh391hg==,iv:No22DrD6EBs2FA4/qH8msWEjs20fc+ZpEeZep+HIv+c=,tag:aHrYNbI83POI4PRj1nd+Yw==,type:comment]
+        user4: ENC[AES256_GCM,data:ujiml/r4aFiKOkSJkaD/KE8rKuBtLSnpZREBH3vRJUzDT0QM,iv:a3VFlXpMLNFihvFa7gloANtHmBLg4szTL5LTm8E2kNs=,tag:W9KZ1GAVx9IBKfda7Zedng==,type:str]
+        #ENC[AES256_GCM,data:bnnxo/I=,iv:8jOo0P+8gk05O1vnxOiyGhaeD4wyuaaA3CCr8/DbzII=,tag:J6VSJZoko3EiWyn0ATcmqA==,type:comment]
+        user5: ENC[AES256_GCM,data:iDuLRb4dhLUOjpamioMwoTYrn7Cy+Ln4SaedVXkwVD05rjJ0,iv:AqzBBvLpJuIJCUJq0IyDcHrlqb0e84nQC0c94Rj85uw=,tag:0xou1i/iwAxGngO74OIMXg==,type:str]
+        #ENC[AES256_GCM,data:zsCT,iv:iTPnIsLoQKbmJuyFrf/aCKsiOy/TOrnbpJLu6dWFT4o=,tag:lFybPTAA7EedSsJ5dEfCLg==,type:comment]
+        user6: ENC[AES256_GCM,data:WLAKPPIHGvZrTaGMLFRQIgEYWFHYy0mD6sLJEYjCD+g93wek,iv:fCOxekJSBczJz/ODYwWgk1CqERc5q/87C+G/9ETuaSI=,tag:rkpBLQoEOPnWuE+U+BnzIQ==,type:str]
+        #ENC[AES256_GCM,data:D5xiJW0Oyg==,iv:9a/6myiT9Crf/fff6ZkXj/obW2k95cABUNqQdPmcwcc=,tag:chs8BA8YtVkM9m3Ey9ETlA==,type:comment]
+        user7: ENC[AES256_GCM,data:7rxvmKbtYrDKBlo8kZIfd86KLd9EcSWB0ikasIRqfCZ24W0h,iv:Uplz4fnFymmBVZ9YTniHFFY3EVSrTYsg1+CTFqBu1WY=,tag:l3EPeYRHSeRsCyRhqFRrEg==,type:str]
+        #ENC[AES256_GCM,data:8FxApg==,iv:vPa5p3QVHAvw+ECusWGqx1ugTcHh42CVFDQcMhG59wM=,tag:lHiZtydcYFBQiXnWh8pCrw==,type:comment]
+        user8: ENC[AES256_GCM,data:FNT3hHMwPJu3iI1LuOP1KvsoOonh+J/ecrNrRQO5TpunDPUq,iv:tTEB0MSUmQ39tNq9v1BTfaEcJY7Y59CPHRASMC1a4U8=,tag:klDm6Isk52hG8ubcFu6yHA==,type:str]
+        #ENC[AES256_GCM,data:QdaYYH3RGJ4qIg==,iv:79NBTEKCPtgVVv3G7wg+vdoLOWxc+bdqT1lF4HJpTC8=,tag:8mRFGjy7lBrdyGyX9vaSOQ==,type:comment]
+        user9: ENC[AES256_GCM,data:4BD/4MXAVLhDm3EXdgTiEgPketf0WgflVPGb3/JMWXfycEKY,iv:jwE5sFVxZjORwoqCBdufP2EhetVtFGHyCP58AzJwle0=,tag:OCteA20hDBLI9zt1ET0tUQ==,type:str]
+        #ENC[AES256_GCM,data:U48hPlrJn2dF9g==,iv:W+6QEgemNa41VCT2OfBvEhuLAucLxfR+YZiDgdkkSnk=,tag:IhVstGnQ4EviT5ctMgyKiA==,type:comment]
+        user10: ENC[AES256_GCM,data:d9qxJQH9Jo8gJKUi5jjSdVwqzuHG+dj08Tk+TxhczJmlSaFT,iv:DS+9isZX2B9AYAyV4Yle4fpHzA/SHcR56B/GW8QdALw=,tag:9nUQ0OuMCuXGSZs2kjfnIQ==,type:str]
+        #ENC[AES256_GCM,data:DxZrs2B0LyPdLg==,iv:yZzEjyiY2s6gIPTsALl5xOsI0ByDvSBG4SI2+K6TLzI=,tag:hAniFFNS0SueybUKnRd2YQ==,type:comment]
+        user11: ENC[AES256_GCM,data:RPIH0DudfPJwPsa0yFLNqUy2EMwQh1bIqkmhCfteVTkUQGWP,iv:NH0aGTZ6nVqz2nn+o1HQS0PKpqHTBMkAhy0oFeyX/8k=,tag:kgd5zkHXW+oxRFC9x2VTUg==,type:str]
+        #ENC[AES256_GCM,data:aYWIiLxs1UvupQ==,iv:AisokHuAzD5B6fEF6ak8WfAe151CM3a8MsaWC4uJPnw=,tag:cdk5S4n9ulyWrqsD+jcqYg==,type:comment]
+        user12: ENC[AES256_GCM,data:Q+XcMYPWWeHqXZZt3lf9OurlWwVQGBJWTnRwDUvg7np19g3+,iv:ybREjo5/SFRN5LMSyYdm0ygkYoq/G1uBv9K0iGPqrh4=,tag:g2y8IJeXtHW1XjelOvT+/A==,type:str]
+        #ENC[AES256_GCM,data:D5xiJW0Oyg==,iv:9a/6myiT9Crf/fff6ZkXj/obW2k95cABUNqQdPmcwcc=,tag:chs8BA8YtVkM9m3Ey9ETlA==,type:comment]
+        user13: ENC[AES256_GCM,data:IKKk8joJQ5rcSXV84jbYd4uox548czpcgXwTtyK4rFimQIoO,iv:ycVDDSb0qAtZE8WzEdKkaBYKY13JpKj+4xrgkLogikw=,tag:z9ty67NWIgGlh1psbE5qVQ==,type:str]
+        #ENC[AES256_GCM,data:ujz8CAgN2g==,iv:2KP2DwIfIPPnsyZRSptG6x80n0cQGoiYCFoLRbFeEos=,tag:oITBAiHs1odW3heSEOQAJA==,type:comment]
+        user14: ENC[AES256_GCM,data:WFhrirjRUEZlOaCLGvHzvRPyp5O+035k0bNFqCvs0UTdT0+y,iv:C2vvOexQwFFkQyvFd8tf7lca2ZZIF3hbSiOHa2RFfGU=,tag:zowYrIut44mRiq6/h0r4fQ==,type:str]
+        #ENC[AES256_GCM,data:t9mAcEcdBg==,iv:hzqb80+FtfsNP8ofYMyT0PwT8T8B3HYSGZUOrnk3SjM=,tag:0mbDe6S0bqbC/SffMr0AAg==,type:comment]
+        user15: ENC[AES256_GCM,data:Sfc4BWiQ5dz7K0kwlp/1e8x/ahPTnbTvSvFjz9R5KQL52uaO,iv:kzap3jQgm9P22teMkYJHlySh2azLBBuy/kpm+ylxIhM=,tag:2fOBw+McYdT3r+qoF/Wkzw==,type:str]
+        #ENC[AES256_GCM,data:S7Iodket2fLLhcDDuWgv6fVAbcg=,iv:2XlrHA0A36xrmEv7kqtL8i8EYnNpq7cjRMmsF+mPu4s=,tag:M6JvHYU6jqqinPoHcgnEZA==,type:comment]
+        user16: ENC[AES256_GCM,data:ijz4n66TY2tGpKLvGr7I6n+cOP6BfgpJdHmcPy2oTPGCvhR0,iv:RK8wi3Cj9XFVTqqt00DLru12Hiu/WJU8lV/v9MF5deI=,tag:6SHR8Yb2dO1rRY/xV5u9yw==,type:str]
+        #ENC[AES256_GCM,data:inAhj6SP8p4KahuZ+aSjPfnEcOY=,iv:eB6OvUkQvfdAkNuf95K7jAjZZ8i+nbsnsH3WEdRWFhw=,tag:dgw+RFY2cm6jF+R5z3Z+XA==,type:comment]
+        user17: ENC[AES256_GCM,data:Wz7tWzASeIKE9TzicUIwyOnjZDDICYvDAUu/scHrQoFjoOlE,iv:A2gPFSiIXaf1dQkFlXjw5yesKtv3qOVcIXzM2QspvDk=,tag:JWCVx2FJS84v2iMdzBxhlQ==,type:str]
+        #ENC[AES256_GCM,data:b839t/OihMOmz0gIcTo43r2MIw==,iv:8kaAFG7DhFOoitcvbFaAvE1NUSLFrFhy1KiMrqs4r/c=,tag:G4vSADa52ZfN5y5ytoFJoQ==,type:comment]
+        user18: ENC[AES256_GCM,data:xQMRt+YC1Kn0Qxtis9QVIypq4uHNLq2sWKxxQe515Kfg+zzw,iv:28nQibxqzx5Q17UkEwK0zYhu6mFJ8LUk78xxlQrIqFY=,tag:B7N/fC81v8VBTsDdIZDvDw==,type:str]
+        #ENC[AES256_GCM,data:fZFxSd9QDRBg/X5yFQia96I=,iv:cd9vJ+f+TJr4mmXPNwcsce0p7i36Nkt1OnUzqDhK4hE=,tag:FsOHS+zhr5wZNmJpMfG97w==,type:comment]
+        user19: ENC[AES256_GCM,data:Qjajmu6cfACT4eho6BK56zRd7BSXxo4fUeJ2RRawopVFZESJ,iv:QZN81pQxspe76V90NQxzsKmMwtvaC1qwuvd5a6WbrdU=,tag:/+LYeQLqvwM60DgIPtZzKA==,type:str]
+        #ENC[AES256_GCM,data:+s3MMeNU5Q==,iv:CUrg+nNxCpJFbHQmMNXmSE+JcZK6Dfu8cGwtznx3CFY=,tag:G5CYMtao+hz3hs0fPVPmcw==,type:comment]
+        user20: ENC[AES256_GCM,data:uRSG6jOks7utk2bRdd5sndvqVnSGRhjkts2f3+V7JdEwQf4k,iv:xZdVv/H5RuliwSEWmgLViLquWZ5znGOpP9YwwLJfsyo=,tag:JR3BsCKkHpkE7woTaMHXwQ==,type:str]
+        #ENC[AES256_GCM,data:37f8REUu8PU0lfg=,iv:WOhsotX/O7Gg+YgkK5Fuw/njKz+1OgKSx0vXl1A32XY=,tag:IyjPLut59RuK/PpCyK4ZAQ==,type:comment]
+        user21: ENC[AES256_GCM,data:9cd7IY3zzoziXznclguxbmmZ5hfc2H1DPa+KW1geuybRlpB9,iv:NKwdt7ppRuNpn44f1ypNOoPS27Yqk3Z31ABQbflS9Gg=,tag:S2B1vR0PVd3FYu24XwTfpQ==,type:str]
+        #ENC[AES256_GCM,data:spyQkQIHwg==,iv:7+0DUK95MPH7lpr+GMbbLu4/5yA11/4gTuLhQKlStfE=,tag:G/gIXML8UhYoCi9FfoTvSA==,type:comment]
+        user22: ENC[AES256_GCM,data:sCOmhXaJjzDIiuwP3Nh+yXQRYCppATzVWIdjOoMOlu+OFT+U,iv:HKRsCLJ/2jr7rGkM04uv4V1GKQheo2oxeFu4zqxcIAc=,tag:1swUo08hSzJ1PmQr/dBcgQ==,type:str]
+        user23: ENC[AES256_GCM,data:rgS6IdC4DBLvWWBkf5Db54yaNvagfISm5tHUD1KgeqrCR5x/,iv:ANQYEXssMfbU0bvk25dVYq+yQlMiVEyQCwrGPw1AGxc=,tag:d9sOvvxheWwsE/SeOgcWUQ==,type:str]
+        user24: ENC[AES256_GCM,data:3bn/ZG0En/OgY4PA4Ir8MaVWpJbX+ywpkoXQn7HChT+xhKFZ,iv:Jw8AG7vTc6j4VznekF6x2LXkoSFz960yqsSjPm1ORvw=,tag:EszCODBuLULKHJHh4Itq7A==,type:str]
+        user25: ENC[AES256_GCM,data:17bfY/7nClQ3c4OL/aNrUIuafPa1RLc9aLZUCyJMhsKp/1ob,iv:s6OD1AipescKuwdTw8x4hQkfHsl01FCh5c20SnpQk0g=,tag:+vlKdXWI6y7fU0AJIHVRJQ==,type:str]
+        user26: ENC[AES256_GCM,data:ubecAnPqdUhyEWU3vn3cbSFl0Ql/XfUbqWO9553jLqd2DP8R,iv:6GeibZBoBfJHWUjlW/eHbYwj6z9AFXDyom62BCpJp90=,tag:N3Al0SLPbC8lteky+aXNvA==,type:str]
+        user27: ENC[AES256_GCM,data:KM7HUEUHzXd+g/Vxy13uv+zOXLJ1BtSRPUnFIl2/u+ISu6MW,iv:fAxQRVjPsA3cFV1VLyIYMpG60sxi1pWW7153Cc8zjFM=,tag:HtiU8F5shQrFwonQEgQDiA==,type:str]
+        user28: ENC[AES256_GCM,data:FWuW6SmdA9l+yhTE7KEec72KZ7Ab0A9jYEWoHcLm1+DPydHk,iv:WipmZE/tZ5yCU+cDfeJCNpKv8o7T/zrcMzYRIVXI7FM=,tag:IDTNiPBGY9lER8fdIfL/6w==,type:str]
+        user29: ENC[AES256_GCM,data:SSP4igGqVthHTDOxOUodm1KEqPSOikWP/7jFKpYhXGe1wqrF,iv:ri82voK2BEArMlyV9F+NMTXQfV1pakGMoUyKh/LoYN4=,tag:VHZ/3DThAD7NmP3oOGyfcw==,type:str]
+    telegram:
+        token: ENC[AES256_GCM,data:xsJoGgQ8pLeZqA2alGKkCyrvnjY6rVF5TlXn4GWDrStFBl65XXzwVY/9ZZthYQ==,iv:qTLfpRUyuIGFM668URfknhSRtx3WEHp/WTGzGUPuFd4=,tag:p8mF0tM+t02g7v2EQZN3Vg==,type:str]
+        chat: ENC[AES256_GCM,data:X1JxFQw0bPCu,iv:hf+TOSH2p9RdnXDFKxTpSRzxDLdJyzNHVV8MfOQuGWY=,tag:iiWw9IFiBGOOyOSl9Jj2wQ==,type:str]
+    private-key: ENC[AES256_GCM,data:ts/LRGFAsYqvGvkvlxUI42IW1a8cGsSkpZhMDd3QVceRKvhPb1SRDaXoSw==,iv:6xX9xFIFUNlLBZ6CPBOz9JbHpvC4+QG9ZaCZcWdl12c=,tag:DYIa+QTV8vyl1l7OKKykTw==,type:str]
+nginx:
+    #ENC[AES256_GCM,data:85LrqdTMIhSa,iv:mIQPYz8VPd5AxeMCQEdTGMD0Iqa5QEAa5+8JVFaj3JM=,tag:TcZd7S3WRPpEV9lHI1fzbw==,type:comment]
+    #ENC[AES256_GCM,data:rVTLpe3uIQ5LArPnEY8N8kjtHq8kZddbqR+nyUaia72Y7PWEfHzy6wgx3Q==,iv:AZEufH3zfVL0XbUh3CQZGYcx6zIMFV4tF+jHf73IplU=,tag:B/UbtQh5dGrctNih2uoO8w==,type:comment]
+    #ENC[AES256_GCM,data:InzwjKl3R4SJSXTz5u1Pt0kf2HYEtKfSkJO0cbPhhXADNp2/Tn0nwQJFy9EzpMvK9mw8+l5LadbY0tIwmTVvV5yxUQo78HcgXWInfp/zJ+GG1L/RQOHck74lEA==,iv:UBMRYPd0loOQBs3mNyndiKPu72aRA8HbOKWDfUWPQg8=,tag:t/ONqdwpWcbo/2vy5TOjlA==,type:comment]
+    #ENC[AES256_GCM,data:HTinhnsAbVujUOuLIVT/CkvdtTN9Nk7wZKZ5SyrPC+vZ/cB9E10FffMYLQ==,iv:Clby9A7MIUSknNFkzKuWEDL0yUW/ctd6KShCIEYrDZA=,tag:CJKORoXrspDjRmaSHUnlqw==,type:comment]
+    #ENC[AES256_GCM,data:cwAb68VgebTwCCeAFUbOG0CUAuggfRnLNv9NWldJN+E9NY4WKxs12Nz7yX/vtelcqqJ2TOUL78uAR88Nzavv7VtCTZRivWjRG6GvAUyRdv8lAZo=,iv:PScTSTCuVnsoZlvyTVL+ZgqqEm4m2/fUqWzPwE+PvuY=,tag:1jeRsHqgMheXbcnhRicsnw==,type:comment]
+    #ENC[AES256_GCM,data:V5XRrTvyeezkcJqw1/BhhZz5K/egpl+PtNwjAGELjWRp7IqDfRsInxBKEg==,iv:LdOTkL22HvaNbiUi6hG8o0ownfZ22OKFGxCuGPqG8xU=,tag:/06I/mLzBlgS489iuwFTuw==,type:comment]
+    #ENC[AES256_GCM,data:i9PXzaO1od7HimP/6vxYfh30SxFbdXRDcnXujH3VrvngFcWaVcXgigncp3cboi6RoERSZ6yakxviVyEBIS4v0qRfombj2UtJg8N3Kg==,iv:aohIMhAYfZhlGDrcEvi+Qc16nF8ZgrPUGhWj/7nl8Fs=,tag:o70qsk/2cAbZgbVBwfl3Ew==,type:comment]
+    maxmind-license: ENC[AES256_GCM,data:sESU6uK9EYLido9/0sXO2Zw1SjuKmxPh4r3giJcaG7068gn1kByjsA==,iv:htnFgnLrH35zSvmlRAdoRDLFIpKroKO5dW9TNK9soUc=,tag:6pJuc54SrKP5n0kJJ7fGyA==,type:str]
+send:
+    redis-password: ENC[AES256_GCM,data:6zVKw9AmKwSWvHUZhzy0F2KcJW96uFoZY/N1Zq8ilUJOLZeX,iv:viwLIgJz9v8oadr8784OgETbEsxzGsJvVoxmOwWEFxo=,tag:XEYFnoCGwlnrkqaUbgeH+Q==,type:str]
+coturn:
+    auth-secret: ENC[AES256_GCM,data:50KqO4GQ1ERbCnK4IjYu6aywT+IPMtVlTzh/TE4MwWApU4pO9yqz25ENGUAKRLi4p+Ecug+Rn3InRl1b+q6bAQ==,iv:SgHkHvHg/+yA1Z5E9effgCnZMVXv5amGNUsVKErai54=,tag:PoYLV9Xr0IXXsA39n7wiTQ==,type:str]
+wireguard:
+    privateKey: ENC[AES256_GCM,data:4DKPPqQkjb33rQzFIz863A2arDRQA9AivWFBaWTf0xXDX4hWvJFiIlJQfvE=,iv:0R2TH3CMxHgwVjojzjE2Gnp8SXonmBDLWF7hB33NiX0=,tag:vgtV8JkuCdspleN/SvgIqQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1QXc4NzREZHlhMDV2WXlM
+            a2I4d1pjWm9Xd2gzUDUwZ1ZSTkFGR1ZQNDJzCmJwcWFxRWNNVGxTNno2b1NxNktO
+            aHhINXBjdmE3alFGYk9kUHZ1UzdJUk0KLS0tIFdKMDlvb1Z2Qi8xRjl0MXpKMDMz
+            cVVNdDRDNmtHZlJEcVRXR1FLVkZrMWcKn2iTHH7/52fJNXcbDFbzOxNAaiQRA0nO
+            we74EeNzcaaQwuEmBQPKxd/g7/kjhnHzTkoX3OneXMd/gBZMn2knXw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age164tyqklwhdm57tfm5u863mdt2xrzrrzac4py8a0j9y6kzqcjy9zsp073t6
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBycEw1bXA4QUZkUzJ0Z3pM
+            Z0xHam5SLzRGV21XYUtxTFh1VnhQUk1NbzAwCkU1Z3VTR1FtZ05GOWNDOENlZTgz
+            SitzYXo2Q2VEaGtLTGE2UGRoUDkxN28KLS0tIHhRS2Y1cnQreC9Fc2FLdGR1ZXdJ
+            ZXFTU3ZCaW1pTVh0RUJzdDdGdHlPYTgK2mlgcX2kEc8+2UDdBnhUm6IIuh8V6agW
+            ooxH9OEPXUVI/4JcDo4v8ZUhAyU1ehLH0Ef7PJCChOZe2KZmWSNbhA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-03-07T12:36:12Z"
+    mac: ENC[AES256_GCM,data:VECN4xQhoulbsTzIZpXKYY5/8ZuC+fkSluMPJbfqcvCCvvcyclIKJJQZin5SYAxGxewQZdeyZ4sfZ+lo+0/gXiiHQPz+jqrURGIWailfnUhM/6ziHVxXAdAq2j0XNDGt1Xf+rprG+R7xhqBHK6jt/EMJBuT4ar9heo/aJBtU2hk=,iv:pYzKQAVdY0qJKRzq4eESQNd94PpK8q6xwpOowtmreVQ=,tag:LlzVVl5U/uU3eJNck9LnrQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
--- a/devices/vps7/default.nix
+++ b/devices/vps7/default.nix
@@ -0,0 +1,79 @@
+inputs:
+{
+  config =
+  {
+    nixos =
+    {
+      system =
+      {
+        fileSystems =
+        {
+          mount =
+          {
+            btrfs =
+            {
+              "/dev/disk/by-uuid/e36287f7-7321-45fa-ba1e-d126717a65f0"."/boot" = "/boot";
+              "/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
+            };
+          };
+          decrypt.manual =
+          {
+            enable = true;
+            devices."/dev/disk/by-uuid/db48c8de-bcf7-43ae-a977-60c4f390d5c4" = { mapper = "root"; ssd = true; };
+            delayedMount = [ "/" ];
+          };
+          swap = [ "/nix/swap/swap" ];
+          rollingRootfs = { device = "/dev/mapper/root"; path = "/nix/rootfs"; };
+        };
+        grub.installDevice = "/dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:0";
+        nixpkgs.march = "broadwell";
+        nix.substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
+        initrd.sshd.enable = true;
+        networking.hostname = "vps7";
+        gui.preferred = false;
+      };
+      packages.packageSet = "desktop";
+      services =
+      {
+        snapper.enable = true;
+        fontconfig.enable = true;
+        sshd.enable = true;
+        rsshub.enable = true;
+        wallabag.enable = true;
+        misskey.instances =
+        {
+          misskey.hostname = "xn--s8w913fdga.chn.moe";
+          misskey-old = { port = 9727; redis.port = 3546; meilisearch.enable = false; };
+        };
+        synapse.instances =
+        {
+          synapse.matrixHostname = "synapse.chn.moe";
+          matrix = { port = 8009; redisPort = 6380; slidingSyncPort = 9001; };
+        };
+        xrdp = { enable = true; hostname = [ "vps7.chn.moe" ]; };
+        vaultwarden.enable = true;
+        beesd = { enable = true; instances.root = { device = "/"; hashTableSizeMB = 1024; }; };
+        photoprism.enable = true;
+        nextcloud.enable = true;
+        freshrss.enable = true;
+        send.enable = true;
+        huginn.enable = true;
+        fz-new-order.enable = true;
+        nginx.applications = { kkmeeting.enable = true; webdav.instances."webdav.chn.moe" = {}; };
+        httpapi.enable = true;
+        gitea.enable = true;
+        grafana.enable = true;
+        fail2ban.enable = true;
+        wireguard =
+        {
+          enable = true;
+          peers = [ "vps6" ];
+          publicKey = "n056ppNxC9oECcW7wEbALnw8GeW7nrMImtexKWYVUBk=";
+          wireguardIp = "192.168.83.2";
+          listenIp = "95.111.228.40";
+        };
+        vikunja.enable = true;
+      };
+    };
+  };
+}
--- a/devices/vps7/secrets/default.yaml
+++ b/devices/vps7/secrets/default.yaml
@@ -0,0 +1,137 @@
+acme:
+    cloudflare.ini: ENC[AES256_GCM,data:PJ3JhdSPCyxzdcRI4UFdESWgyAjIYGyuVaU9l0R3s8mJidtgavvSSMy0hC0G/2fauLB/Eqc3L3NppXFjlKVywVE=,iv:lZVlOf7P/Vs/+u/5YPKFXmdeYV9NP9kcVWd00w1OjB4=,tag:LfWZTvPQH4QPrNrYfZ/Z6Q==,type:str]
+nginx:
+    detectAuth:
+        chn: ENC[AES256_GCM,data:Gk0TTbnFcsvIgoDcen6B8w==,iv:kvyvygw9zDwaiTQ2vPFTHQex0EWDFg8M8U22AConQFM=,tag:ewAZ/nXxmTOhDAjW/A2OnA==,type:str]
+        led: ENC[AES256_GCM,data:Owax7cyp,iv:NCEKyicVCYZNgxJzlO90heUmwPjfXbZEcyXX09XQKI4=,tag:WMTCVMVCD9sJgAhRUsqvYg==,type:str]
+    maxmind-license: ENC[AES256_GCM,data:9aW4QR3K6S+eTqzIjVlNEwkG0wZ4u5jgRfe7CMwRlJlK4AmcS6c45Q==,iv:cPTN1K4Aag5sohGbCQUZHYTvcwAL7AhF+rrY3OvXGPs=,tag:d9GGUMHnfzRz9Cf2U+dBfw==,type:str]
+redis:
+    rsshub: ENC[AES256_GCM,data:uPnZIjbnRRoWIHlWkZNZkMpIb3Ujnnpb+AisVSVGFv4sfDAuDlAjt39pRdnWkCXJPqtXjJzQ+FeT34cqxTf8Bg==,iv:/jcyAHkxByFnbkmCAYQwda2QRmhW7L/ICoLuCgsVLCI=,tag:M5Q+dh/Bn7FiNpqQGYus4Q==,type:str]
+    wallabag: ENC[AES256_GCM,data:WkiqS9TOHxYalDp7Ssgg2x7vj4D58psQ5au4a0e3LZBecERwzUKmrhbVKRuDvNTwWbYxSds9SAca0wN+pWmrmA==,iv:QqHlzSXG1I4+p8wd58lcQs8TqAF3foxiYVdgL8L3IpA=,tag:CPtFgIeFL5W25gtd6NFkrg==,type:str]
+    misskey-misskey: ENC[AES256_GCM,data:OHjt9o+m++NT5aaFbwBT/wSMdUdgf4zscd/JxjCo5HDhC3WeWMJV7z//kATI5Dg4BWAhvPlL02Vrly4RraIzLw==,iv:sQB4/D2SsOuDR3bTrmlNg7o+6ehFznDsqVc3BX9pK20=,tag:tcwTBt/JhyW8ZTAIWIkWBA==,type:str]
+    misskey-misskey-old: ENC[AES256_GCM,data:amUqMycdXUFvjg66pXKnlZqiESBYMci0k8iYzj824SaEqHl3Nq/I0TjYX++xEUg+RGYyTIcSaj96HUANTKpc1A==,iv:ND1mQLHxltRlOdpJ80ywheGo6hkl7OgRyk9TguJMuTw=,tag:dhCCwnCOnyT2iXdEMK0szg==,type:str]
+    nextcloud: ENC[AES256_GCM,data:jwN/CqwkU/5Rd6w75/bV2Yej9b0CoxZaiJEcZXFx+9XUPY3Xg1tQdEr1SALG8xzOEdoL6WBVs14NvrrL25GeTQ==,iv:p5+0AB52QqScJwMhNIrM/7HAcRPdD9Z8xV6uwIDOwIg=,tag:f1XbNDDRXvGl/dkV9Wp2Ug==,type:str]
+    send: ENC[AES256_GCM,data:IGxj3cgp+fQBdupfK+IgPEQSPuXdM9LRSLGSATNIkzUWC6sQw1aaKTDuRc8cU2BG6quthRwuWnK/F7k3KrUi8Q==,iv:LI9MkaF4e47FPUyL7AXZpO+CdgF91ScdiqjrE8PZjJ4=,tag:eNugln5M0AhU1xmVWFN7Aw==,type:str]
+    mastodon: ENC[AES256_GCM,data:E5aMRzqd1dqcw66uZwWoT+LDH30mg1vZjk3lhKIXKPd36MANE6z04aBPcAHyHT71jEYsect9JXagC4MUJBuSSQ==,iv:4IjTTNSTraL33fInlTkB2ZylcEaaKi5pgvugZIk24e0=,tag:32JSTNpF2cxYh/NEAS6jZQ==,type:str]
+    synapse-synapse: ENC[AES256_GCM,data:8CVbcN2FG4mRT4PnlOGsS7tDfS+6ojIJFvq2EwItxn1gg2Ghd/Bmx+5tS/Do2FrYp/Xiv1EqucomM50r5bXnmg==,iv:TT7zBKQ4M10XYVCn5aeSu9IqjrIEHHazPUCOTmgRAU0=,tag:0+Q9hZMBVDj1TnHj3xoTBA==,type:str]
+    synapse-matrix: ENC[AES256_GCM,data:eJ9GXDVLPg1C+Zjpj3NnWUyZxDbOZ61f+gs/bkZgdWjeu61MEMtU/Hh+p/ceAn3y0aPi0ZTcd+zSgIPIkcj+qg==,iv:uTdS4uguNJErc+DDW4H6dsRFkqlkHtaCfR8LR/d9nvY=,tag:UhY9xbe1r7FUpyid2nSt5Q==,type:str]
+postgresql:
+    wallabag: ENC[AES256_GCM,data:ANwvEE3K/W/hU34Y7RvlbUuJNo2bOaRfeusYM9pRxXQOdG4XpwYfd/DprsrVjlkrMFuTurUR5j6UNHWh+ILDbQ==,iv:K8doqhVosz+OosMrLJXrSxairr84EeGs3EWgVQjpkS8=,tag:WjDzy7ubm/GVlBkW0O3znQ==,type:str]
+    misskey_misskey: ENC[AES256_GCM,data:lRbSz7bbiWEdK/cRD41fLvFJF4WYsclKHVykFcU3LIz9vnKlR3VdczzznVqpT7JvG6OUi+TmipJii+0KzXHtdA==,iv:8sBKgVwuDJdThup0KQ6cnAV5O2liwVra1yIpDHVfpMI=,tag:DyUpaHai8ZUyllvZBUm8sg==,type:str]
+    misskey_misskey_old: ENC[AES256_GCM,data:Wwtd+hKI0s7m3PbEPHbnSyTsCkW0x8SYHUiCYuNSNCG8i4RAmiAbONNFfWN2hXnmTmRK79Tx/3GR+L0KMzmNGQ==,iv:BekTELToPQXUdZHyNtkuqKyZeez+moI6k907P7NhA3Q=,tag:A5YB0WIa1RkDCtzeBhiuyA==,type:str]
+    synapse_synapse: ENC[AES256_GCM,data:lzaggyuXM1XwsRxFHslsP89r8wEcgi6LNfbcm+pFWj6WLO8y8WaQIdOkiF3D2ToKDwcw5XgSGSt/VAk6lv+GeA==,iv:8WOL3jze797Wz9kSRq7YpY8OS1TBMqHYhfgZlluJlic=,tag:utNhs1AMbGthp6M2c0x67g==,type:str]
+    vaultwarden: ENC[AES256_GCM,data:Uz8GJMaLUTQ9pQbZyZLWS4bL5wmt9RvbAwNctAIDt9JrV3FaXxgKjE0MJSGklS55yj/Z/wbO6RCuCK2AWR2VKw==,iv:7hA8YcB88M1qCV8EhFYpHbfPmAZ/7xNqvTMJYZ/UcAY=,tag:mkDHJYmRoYZ/Ct0UmOp9FA==,type:str]
+    nextcloud: ENC[AES256_GCM,data:5UpYSMsZgUgEJHg0ou9Z1RTE+YFFUKuXwPtc6L5XxD4GNo8Gd3CvcQSNGAol+5DtyPKF3q1+ZgtScWGrqU1RyA==,iv:Zfm+Oa4eON8WiJzYUkMFawafDwo9pOnOpWkwHYLIKkk=,tag:4ECMla1dFfCrn7lILwWFNA==,type:str]
+    mastodon: ENC[AES256_GCM,data:IQxoNjZILazu5cxkEzFAqqmGSsOffMQHoRB7AC2NqI/+CJSVsfdwiSVfxN+Jc9dmrqCjscUSxaWCMHnrZj/JyQ==,iv:d6tyj/w0uH2E3qHjEcopVhnmE/Pq0qN9PHthSArryyw=,tag:kfJsxqkErFcG11B0CmiIKw==,type:str]
+    gitea: ENC[AES256_GCM,data:EAuFPlUFvtARh4wbevoIUwZ886nS+3O9Jy7q/SkaTDx7PkQKGhZcPPxY45AG0QQrjSaI3cGLzDBMutFMXP0BMA==,iv:0cLOsopAfyMLHJDowyZirVR5nqLrjSLHYtnPC8GXReE=,tag:BwG5UibGLS16rwJbH/0ZyQ==,type:str]
+    grafana: ENC[AES256_GCM,data:ZLtDIZ3oKasE4r1WNllNe/rkXxqRS+QAJI7EGPKhiFF1BtAxD46UpGQnUag3yg0gP/8+3COQs6camVSxcKFL1A==,iv:wMj3keVjNpVwNMwlt4E3ds1EYjLNIZ/S3RydhOlmYWU=,tag:ZRn7NWaUPbf2rHYLoLYw+w==,type:str]
+    akkoma: ENC[AES256_GCM,data:6piRt7BbMBLVGdot+VyoJN3/S8DoPNTYHFh/1coHSLNmiA6kU/6sca4Bts1Up/Vu164oTsFAr1JsKx6tzNzAPg==,iv:qplA1GXHwzVrmjm7eagCk3PFa7DRdwaf+p7N1HLb6mw=,tag:W6WedSK3R1IgZVo/0Hr9vA==,type:str]
+    synapse_matrix: ENC[AES256_GCM,data:5j+TYJ3vYUqu6CdRDYAT558DsTWbX4Rh+HuukPog5HGXlhneL3RnxVeGBR9CV1rlCP1NY99Nm8roBG+BcyPYHQ==,iv:CboB6lzqxAE/8ZlzaTU3bxw94N6OAhrq8pZ0AfxQiUc=,tag:z6cM3ufgbMn5n5PzgqdRjw==,type:str]
+    vikunja: ENC[AES256_GCM,data:syb4NYBxL3DdmZmcC+em0klmm6bkkIL/DH/gnzShYRiaezRFskT+yay9govn++SpbuvkoCJq/GYAFxNL+hcVtw==,iv:TQUgdzYQ0gqsAmux9v3BAQFNzHnCTZ+X/OC0b9Bfya8=,tag:b1AsiAW5XzA3DzGdf8J03g==,type:str]
+meilisearch:
+    misskey-misskey: ENC[AES256_GCM,data:4s+qqd6mmstioC0XmG/vA6ED9mzu1vRJVPFFalRiqnnsFy0dYEU87H+y12eOp/KDSLdTNvpp6Z6jCNvxnpDXzQ==,iv:x6L9OPu/dwVsD9pYb4dqavw9NesMbo7LB+rwz6veAR4=,tag:/BBqV2sHIgPas7XsZydh2g==,type:str]
+rsshub:
+    pixiv-refreshtoken: ENC[AES256_GCM,data:EeSOTSAAh+1Dc8+a/AaPJ0aBK5DTa3pdS6DrIMQmRw/n0SRu2QoynIF76w==,iv:dnZxi8jM1I4w3C2duYielpP/8wOAdHDjcqDIrowM0dM=,tag:8irGvLEbRJHV9TB8Jibs9g==,type:str]
+    youtube-key: ENC[AES256_GCM,data:OEm/ynOUPUq7ZEVzL2jgs9d+utkLTIdNq0MHE0JDujb9ndAwyJJI,iv:RRae6Cg6GdDnXAQOdtBYmcA7ZNuu70VpIg2MEezBn5k=,tag:gX4ZG345cT3Jh3ovUxtLGw==,type:str]
+    youtube-client-id: ENC[AES256_GCM,data:dPo4+HsfXHdxrgF9F0qJmOGcSHDCn2KIkHx3ZYZU94iv8ImiPI9dTRfoz0zq8UIN7rwIKidQu9GxCRrg9aXk34pc35SXzEh8JQ==,iv:ROVHb0QjVsNae9eJevG6qc5dc4gkrGt+Y7S2QYrzmQ4=,tag:Advoh75OKPC7CnIeL4GFbA==,type:str]
+    youtube-client-secret: ENC[AES256_GCM,data:c/ALpo/4qJdccMgYiSLg9ZgG7ddaMYxHwJYZ/ogJN2ED21k=,iv:CkrIq+Vpuq28CsRNwdKRLnBq6L8NF37y4xhhnmHQHqQ=,tag:SKtHpm/QZWnGViDtSKlUUQ==,type:str]
+    youtube-refresh-token: ENC[AES256_GCM,data:pnXQ1euCdix2H7IxudmUUcpxc2OUhciKT8OcGV89c/EpoXHgx1+eLxwY5rRszroWwjge9M001RGHngvD/ny3phfWAwYmIzMJxun2f7JCPe7ybMesWmPSkiqVBss1Zfic1uB8mNM/yw==,iv:8p8/vATY8F3YuGA1TtjekiuaKOMnQyTMjrwDBJaK4VU=,tag:/jVg9FDOuLMNrupgrywpBQ==,type:str]
+mail:
+    bot-encoded: ENC[AES256_GCM,data:HstqDfhKoLqDip9O+mwYGbNlNQ==,iv:CZSTfxJHhI6nG7501cQdJiZ9l3uKS7d5YsA8iVTUuoE=,tag:Rj3rvXJzDp8XzODV/gABog==,type:str]
+    bot: ENC[AES256_GCM,data:j4Y5oYeVt0sd2z2Qwuqisw==,iv:wasQCTqEMAyttbn1zm9oKck6QiByom+F7ZIMDUse9Gc=,tag:92O4ka6f0I9qnlnVy2dltA==,type:str]
+synapse:
+    synapse:
+        coturn: ENC[AES256_GCM,data:9MDq0eXLHjJ8Cd2d1iogS1lnjI0A2+0ZK8OtLKRLqT16BVzQQJyhbkAYwkn1+9ppfrazsHFGrk7DVsA7PWjdmA==,iv:SOjwZIyzkMK9Q1fGkmBSr6nSIarNe/WeD91GPJRuZjg=,tag:1GljmXdK80NKTPSg6xJz0A==,type:str]
+        registration: ENC[AES256_GCM,data:MmRJ3el59XaTwFImuCsiAm2zXeGhgvyUyw9AIv7FvxR4N3YWnHKALcQJtG52N4bmLXU=,iv:vm2R7XGzGET0eTcD2trl3xD2I09NzYmx5NPIY4KK4xM=,tag:exm8/ehPufeqtp6j61ap0Q==,type:str]
+        macaroon: ENC[AES256_GCM,data:2/8GuF/a+ocVtLN0PU17JDvXw/RoXX/CXFHPlI9THl5bY8lBm6tEawijnOKVoFLovfU=,iv:GPAr3ZjqLf9ixevsZoQgs4cPkv0VL4WJoFfQZOdThlw=,tag:HRt/igDEfUJ3K39mG7b9Fg==,type:str]
+        form: ENC[AES256_GCM,data:Z9cYL9ibRWmOhAYtB269n0cWZSvL4zGgc03ZRag0m8cz2j0god/Fn/w6kx3cyGK1C70=,iv:Yst6WSV63IvbMF5nnicIoBj77eSwVMnAHtHrKo2UcDk=,tag:4qf6F2rdctcCf4J9vECvYg==,type:str]
+        signing-key: ENC[AES256_GCM,data:BbPJiNcVTqMAL2XG3K3CIbsb8EM4r8ct/WxPK10FHRwAnqChKy3CAviYU9gewO/tNZXHvUYUAUbPww==,iv:IZB/40EE3DIxAqagdH/a4kcSmiec5l24XLCQKCQNaRo=,tag:/1t0WAPBYmYrPTx4V4wgkw==,type:str]
+        sliding-sync: ENC[AES256_GCM,data:POXExkTRRhXin4lD4MA61xsuzYXCT6U7QtQWtNnEb6kUWRrAvS9mqk+JTBn3onCzf2Azhi3WQOY/t+OiQFXI1w==,iv:GJfJSGb6t/q9KdVCr0dVVcD+e0yZUQzrJrtuhOlYJIE=,tag:ovd1ZXRkk7VoNo8KoYDViA==,type:str]
+    matrix:
+        coturn: ENC[AES256_GCM,data:MwZKkYMefshuk46Cne4wn9ooFH8RCDbrxp+MbLJWli9iPHuzJJzUuQNU9EDL0aNbzyYEMt/7DErw42z6KrpGww==,iv:u/SVVTgfJO2FakiYU+uLHXjA4tHU/W6ASsR3S31+pWs=,tag:VTeKNOKwm2bsiZAOVXeBOQ==,type:str]
+        registration: ENC[AES256_GCM,data:+pA61vTg12lYUyXjLrHSY7y/ExfTQffLlGUI4HBOSFFPTck7bu68FrCaHOIBTtEMfjU=,iv:Ex/phkBZxglG8HiRz+m7h2HNanpq2Pxwbm08vdM3xFc=,tag:mM3YEa70FnCeYIUthK4TeA==,type:str]
+        macaroon: ENC[AES256_GCM,data:/+RaayKiPPpVV7OWWdaSkSSRHMjb8d58lZcpvltN9cYkN1btvMViEgdLSlfqzRRlPUE=,iv:pg9GXgNsrVWKlUAiCKZ2pYXugRH6MsBIMpHKoYWYLik=,tag:/mj5Ak7XAX/FH7sNPEVALw==,type:str]
+        form: ENC[AES256_GCM,data:7HF7HMUH1BTJgXXP6cpUiVj0jCwGW57bx9wKTJu7PnRsNuAam/+nKX7Zfg7WD+gSBlA=,iv:SYeUsuFVgAA6U6STCtKT5c5E8Kglh3x7hy6+Op4n0W8=,tag:eICmHTwwn0KcgNhdDGnusA==,type:str]
+        signing-key: ENC[AES256_GCM,data:hzxxDbGp1L09O7+ueUSa5lJOY/QvF2zvHdpueEHjaPQEToQt9mr2loeTQHC7ObTegfLb9UHrI1jn4A==,iv:KngfahwYZZmDQ5LeOUPWptTMGAC8TZm1G0FWcrwCwsw=,tag:U9pW6/boBIpiswn67Ezrfw==,type:str]
+        sliding-sync: ENC[AES256_GCM,data:BeA6g98IWDP6hnLFI77QqG6esDwB6j3OPzAv3eJxWoTajAsByHSgSYP1vHN5Iok6IgvSSmkf0/HiOJy1Ca8IIA==,iv:ca+t/rYwc/fAVUcz0JTmrRQCOcbDNscbnE8BpHkx/OE=,tag:eEfhUChUt4kRnO82XqRY4g==,type:str]
+vaultwarden:
+    admin_token: ENC[AES256_GCM,data:muavuOY88Lm4rSEoCp4IIPp7Z+sqf36VwpnPgf+K6IwwFkUgYM1GO80ogReYWqqUM6ij1Yzl5D9ncUbq+aGTKQ==,iv:jA4MRJlz71CMmPnWjb2tGbbIoMkEsESUowhXDckKKMI=,tag:l0HaJmnU29YeFUxjOgN3Kg==,type:str]
+mariadb:
+    photoprism: ENC[AES256_GCM,data:TF1SZVFnvzyE+7vrHYYUS4Juqhbiw9QcJx7p3Xj88xyBFcTqS1YjzAKs/9GQ1PuzdBrt6hXm/XtJILHiuktnSg==,iv:sd9sQEuIePL6LzUYbFtmdecJ57sMrkF0coalBf8KFqQ=,tag:P/knaKYTJ+aXu4l6IixISA==,type:str]
+    freshrss: ENC[AES256_GCM,data:ydqCbj3UbsLC1e++p5ixb5Kpmk2BsYd0urcfw8T51Is5N1/gQ7P0zgR33AOteAxw2oj85WQZhxu3eAN7BCXV5A==,iv:1oiMo1wwFNXiTZLsf4UPZSJfKFIWLI3h947TC06CVy4=,tag:Otq1oeKBnWXhqNilfsywPQ==,type:str]
+    huginn: ENC[AES256_GCM,data:1Tdg1WDwGgFSXdChgif8knWS24BIFYnmaiSjJXxs5uj/v/5fJ1alb4K4XHW/kFRjQbuAOFfJiJ9ogJ1KAyk17A==,iv:qLMaQpVaKrjP7g2lWzhaNLghxwiV4YJmyYY1hrpu5I8=,tag:566JCENvOxgwD7tM3aQBiw==,type:str]
+photoprism:
+    adminPassword: ENC[AES256_GCM,data:gB81joOfS8h05BNy2YmD/N0cpLPa/vAduDcQBeHiY/WkcnvqSXnXsOfnvbP74KQfoP4W35oFkfyGVPUBSB83tg==,iv:AkN2NoqMXVHQA9fHTTR7xbEapEqy/D61mHn7O23hyYk=,tag:WV+siDA3VnRkOYnP4Z9Qhw==,type:str]
+nextcloud:
+    admin: ENC[AES256_GCM,data:1rglLrLtRf3yXQwfHDMZLewk8ueIbMFOC+1mtoAyLKnDmcQAoEQZ1vHw/hpKkFXJQ+QyX3sP8eUjRXuBEIVl3A==,iv:lfEGPEw9ybSdOYLDdaGCLXKgCvgRxn3k9eIy2DJHDYU=,tag:j4qRexbEAgK5HAGhr/wxfA==,type:str]
+freshrss:
+    chn: ENC[AES256_GCM,data:XGcgfuRozJ/xowtmFPSW,iv:yZ9LTuVE8dGyrtE3vxLA2jLErvmt67XC0jefl1njiOM=,tag:J5d+oGFWhfXEFwVOnsJ2iA==,type:str]
+huginn:
+    invitationCode: ENC[AES256_GCM,data:+m2AabRzUiCFy3MAKTB8d1IE05WHTcmZ,iv:ccdIPHl9N+bvPR/QCwZUwZOfWTeW6gWhhBjOpL85JRg=,tag:Ir2085K04XUGkAuoCG+7VQ==,type:str]
+fz-new-order:
+    manager: ENC[AES256_GCM,data:qZc5U3SZQPWzcKVjN2+A2qWNae4GItcjvEQFgkThvIQ=,iv:fJpiUlViiUg1ea/zGhgedQG7TeTbeb9dPviYoiUBLqI=,tag:6T7rgJflsjgK++28SgsLtg==,type:str]
+    token: ENC[AES256_GCM,data:qhwWRflJbW1QMOhiPfbTIrEdQJyVtfZ1QycCgstdKD1Nh40=,iv:GvZ8MJig64l34jkvuJbMMjyNaPT5yz0/pFCc6KEPTvA=,tag:cMXo/6F9thl8k2iAhT507Q==,type:str]
+    uids:
+        #ENC[AES256_GCM,data:WJszzA==,iv:KvyEnUu69+L5ZxNbRmjtP2R+8lHKgdlMN0WuvDbYgE4=,tag:LP2FJ2HXWZJmTdvXpHflVQ==,type:comment]
+        user0: ENC[AES256_GCM,data:Qw18Ht6qXo3n7DD9NgNB+3IRbCmKuvJQiK5UBsg/FC8=,iv:TeeTcR0tnRrniySqKrsKfOfr2JO7+kqS3iETdCFX5ZA=,tag:rRo2yNku9JWxmILWBS/Wyw==,type:str]
+        #ENC[AES256_GCM,data:O3DOE3jFCg==,iv:9shUoHCLXsJPKHELlyWdreouEcyOqhsfVI2KaqwC4CU=,tag:tYKVv+/DuesSijZwWGdrig==,type:comment]
+        user1: ENC[AES256_GCM,data:vY4qTPNqdFp2H348jAgvwKktywdVVvQK/lR2NgRE4Ho=,iv:DrweeSEJ5ETomIkRtkcVboiQindzBoxvxjlSmrQIfI8=,tag:sMz1ITHkDclBc4OY91dMGg==,type:str]
+        #ENC[AES256_GCM,data:yeA9zF8Tug==,iv:VZuWLZnt1RBmkBWudKVvgJkYfqxIj/umEHVCfR6IG3k=,tag:1kj7HyjVT59n05VYJ1uP+w==,type:comment]
+        user2: ENC[AES256_GCM,data:7hlq1FEauGcKkStREDbxA3tOA5NmFo9AbXiOPUt+kZ4=,iv:urOP3ENSviWRKDIWGc1P5PkEtkoBSCSYlgGqJQznp8s=,tag:NNKCW5bFPY7t/PC7dsSJwg==,type:str]
+        #ENC[AES256_GCM,data:4G7DyLVVgQ==,iv:Ht/exln1QtL2BxjCaOTIXHRPDiSFYP4zIa7VaeMCuhE=,tag:btVLXf+WS/YgzRFbVFoAfQ==,type:comment]
+        user3: ENC[AES256_GCM,data:nBTbmp9OP14ayVBz1UGC5g76txfUwxL2NPQCKGxsQyw=,iv:2B8ISdT+8WpfeiU9peKoMlpwcRoGZVh11VyAnS9IKP4=,tag:uBMxqrPlb6TaftnAMqodKw==,type:str]
+        #ENC[AES256_GCM,data:TGrZBuCRgQ==,iv:9IOJ3Bkw9udS/y93TTtZ9o79aDq3Bb+DMEogJG77iqA=,tag:S/XcPX1f89IyfZnMoR9s/A==,type:comment]
+        user4: ENC[AES256_GCM,data:LVendDEBlPUCkXPfgbYf2X0EgJsAdLKjAudXeAgy2Is=,iv:bR0emkQa6OHUP1ucgAvJU0eEop0gp+3rwDB5XJhh4+s=,tag:YZsW9Yyr+ey9AbTO3ucWDg==,type:str]
+        #ENC[AES256_GCM,data:b4iJ73sUoQ==,iv:A2hmi7lCR15E5jVR8E71GQuHgF4TdjDuQadXOtBon6k=,tag:eopTJdjN16u7PtpZdhKymQ==,type:comment]
+        user5: ENC[AES256_GCM,data:wG4awLnfB4B0qLWG6Aj+OslLMnViPjIzicfB4ZzkZPA=,iv:b9C1IDmZTMV0RYXqkM/Y3khZeSQEOISrQyPjhQe3WKM=,tag:cRMtLNU6TCwTQG4UVhvTng==,type:str]
+    config0:
+        username: ENC[AES256_GCM,data:p8+q8u1A,iv:9s52kS5yLB4vQuGVXNtA4amZqT3eHTTybsbsQZRiFnk=,tag:7SA4SEzMHpP9H/rwoE+UJQ==,type:str]
+        password: ENC[AES256_GCM,data:58+gFodT,iv:ohZlT1BwnzCYv84xHgFsLRkiPMpE8lB8QVHwr0QtDWc=,tag:XF047RnXs6IbKsTnsm0D6g==,type:str]
+        comment: ENC[AES256_GCM,data:T4XcbF1c,iv:hHdsMjU8rzPiduhT05v98pgDqxRW/Km5zmXCEZaT2AI=,tag:LWvwIEfbW2IuDELr4fEXKg==,type:str]
+    config1:
+        username: ENC[AES256_GCM,data:xWP1cesh,iv:11KFZ/J9PScz/oW2+H5BWgw0+ETkCXlcYOMuPpgjEs0=,tag:HswEVzm6ElRjIDsZyEfZcA==,type:str]
+        password: ENC[AES256_GCM,data:Da/E7ZeZ,iv:gIoheXeTErV3+CtZSEDsX7pGzRahHWlKYQ6QZ6W2eu8=,tag:0oQzQ5DJiS2hqMQfU6JRWw==,type:str]
+        comment: ENC[AES256_GCM,data:etfZKwbh,iv:XqqF3D0PpCPd2Q/CCu/PAH4SrvXAOu+lIXvSht/KfKk=,tag:7jyG33foxneRK2wvI/5uBg==,type:str]
+httpapi:
+    token: ENC[AES256_GCM,data:fuGJ+5sKr3yob7JbyqtwGBAxnDzxTvoC5XPWHNawOjqC7Ydz6HujpYudG2CUMxt+rA==,iv:Yhg5NqRRp+PYsxNKFUiUydAL1hmz2pr/T0f5GDKV18w=,tag:SZoy0gTzpeq39mEFBTUDLA==,type:str]
+gitlab:
+    secret: ENC[AES256_GCM,data:hBax7ClSuttBacykKw42pvrvowZW8OeTry/0rkmy5BHyLM7HllNYCOw+tupIOdhVEfgJPWQeBeGuyFHt7lPRWQ==,iv:zOM+eMW04Z9QkTchkAXWYHg2eWTQmGEs/dHtUnvNVd8=,tag:RzLyecuASl9CcmQSuabN6w==,type:str]
+    otp: ENC[AES256_GCM,data:Hgq5Tyq+BUTsexVsjFWf07fY0znPL50+qIm+fhuVljlauXBZouQjJKMhqTs9zhLECOktYUtp0wrNa++nO1Ys9A==,iv:Am51j8QjDtldtsZL8uCu0I3pr/SQ6R8KUQinznZjClg=,tag:hbtrlG0MGNL3VcbQUG/irQ==,type:str]
+    dbFile: ENC[AES256_GCM,data:AKxE/Z4jooDlkIl3WpQZIlN+MLxlZ7SEWVF12/8f9aq7LtVl5B0RDA6bZbeM0PU8h4eGcSX9feSpLIVpvBAQxQ==,iv:li6hBLw9filwVVXa01oICtvY9UJsMgB+3XYOgZyCTnY=,tag:wC18TzVMM+dcpIi8wwCcIw==,type:str]
+    root: ENC[AES256_GCM,data:nPO4MT7BWuCHnWkbHPRYygMpieGsni4+BQs6HVwxBqH5KuD0O7I3PQlcgntxb4kWbqvyWstYW+k9LdscSEzgXg==,iv:fgfW8BljGlOIQzGK+UiEFcT6Hp5ieA8C86kwT8xRlO4=,tag:eSWPda0NYBe47uVYCOUiLg==,type:str]
+grafana:
+    secret: ENC[AES256_GCM,data:QYhopqGcHGr+24qYlfaTdMtnyzmIZYG4PcvS9KYqC24W3M+HmloCkPHh7Y3ZTVg8MnrDGOcbA9YPLdY7eh/u4g==,iv:dh7egVIem2bgDbmWJ1sqH9fLdIYbAIQjnjNvyuEjVq0=,tag:DbIRVHbCcpKGcNc6sDTasA==,type:str]
+    chn: ENC[AES256_GCM,data:0bbjggWS1MdcUIQiQyPlBTULm+faKDpJbmZmV6vSw8k=,iv:am65WQzUE+AvQrQV+NSF5u6RCWn7EetyPsdy4Cuvyyw=,tag:lxNUM1cIYVSXVgwEnS1Hdw==,type:str]
+wireguard:
+    privateKey: ENC[AES256_GCM,data:TS+toaJRgAvC78XVwTciXe2IG8++vaqXVCi/u/8Aej6qq1B9Cb6f20cp5K0=,iv:T/NkLvcYiWzIDG3jWtuhe/sH2GT4z5f0xdUGbSL901I=,tag:qN7YokFBj3Kbbx4ijHTRnw==,type:str]
+vikunja:
+    jwtsecret: ENC[AES256_GCM,data:p6e22qPJzTGB21oWhSr8AA4bfrele9ZOHVtZ8BHgX21IhoKdm58coGtSX1CGXR7J6+1/74RdLY9K88nGrM1F1w==,iv:DGUO8rhf7Lg9dTqSmzlR/Jd2K4oUjO8w9E5bihwsykI=,tag:SpX6UI0QIju/tC1fIL9CCg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWb0FWUkoxeWZ4K1lOb2k5
+            cUZXQktjSTY3djFZOEJyL1dWd0dmWHV4Y3dzClMvSWNiNk9YSzFoRmhQSG9wb1NG
+            ejRUeStyKy9qYWFwWHJraXFWREdhZFkKLS0tIExMb3VCWm13ZkJ3UXcrM3IrRGQv
+            ZjhMWlAyRUpUYkVjb2lidHZPNkg4SUEKctTzocxhVXJ56sHH4BO6QkS5Rn9k/y2U
+            IrZHT9b3nyyyZxhctOArjBXohwt1asNeAe7qsTypTtAMgKTRwggX9Q==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age137x7csalutwvfygvvzpemlsywvdxj3j4z93a50z2sjx03w6zau8q3r5902
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1Vi8vRTFFTW5tNW9OdnNQ
+            MEpxeXY5MnRzTE9GUkRLMVl1cTRBcU1FSmhnCkdmY3RCcy9oS2lZOVJ0Ni9RL041
+            UWo0TkxMblRqSkZoaDVYZm9xRFBCeDgKLS0tIEFVVkl0bUdoN3FVcThVRHpmVEJk
+            SnFHS1Z0SXUzTFdEd29KTy9DU3Y3R0UKfhh+rUmWDrf+UGjclP57dHipPLFoXSqy
+            HdelmfV6q4/c7ppx2E+oZw3VNgoZCsrxxzYZfwxHJiZb+5vkE0D8iA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-03-07T12:36:38Z"
+    mac: ENC[AES256_GCM,data:Pe1wXpemyIGckkldnOy7sWYTp/SlHT7ffNzJbeNwK9hSRGbpU9as7BQ8IenrHbO9U5QT7oij3PdzLk88ImVCbu0rZ8P6k6JbbrSEUSeN+9IRPnMDbIcpd+HQ+Ite4UjLwX7UxPuy0yRCYHiu2Fu2JpdWf+uL5bc/ZFnJ887+3lA=,iv:JmII0faZo+upukOJeCS7AbpCr2wKR5YjPX/W+kJnFUE=,tag:w5woNqrhJbZM38/RPWYmnw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
--- a/devices/xmupc1/README.md
+++ b/devices/xmupc1/README.md
@@ -0,0 +1,125 @@
+# slurm
+
+## 基本概念
+
+队列系统换成了 slurm。这是个正经的队列系统（不像之前那样是临时手搓的），可靠性应该会好很多。
+学校的 hpc 上用的是 PBS，和这个不一样，但很多概念是相通的，例如队列、节点等（当然这里只有一个队列和一个节点）。
+这里简单记录一下如何使用。更多内容，网上随便搜一下 slurm 的教程就可以找到很多介绍，也可以看官网文档。
+
+先说明一下机器的硬件配置：CPU 有 16 个核，每个核 2 线程，也就是总共 32 个线程。
+slurm 限制 CPU 按照核（而不是线程）分配，
+  提交任务时， `sbatch` 命令中的 `cpu` 或者 `core` （它俩是同义词）都是指核的数量而不是线程数
+  （也就是说，实际运行的线程数要再乘以 2）。
+
+VASP 支持两个层面的并行，一个叫 MPI，一个叫 OpenMP，实际运行的线程数是两者的乘积。
+MPI 并行的数量就是提交任务时指定的 task 的数量，
+  OpenMP 并行的数量等于提交任务时指定的分配给每个 task 的 CPU 的数量再乘以 2，
+  也就是最终的线程数等于指定的 CPU 数量乘以 2。
+此外还有一个限制：当使用 GPU 时，MPI 并行的数量必须等于 GPU 的数量，否则 VASP 会在开头报个警告然后只用 CPU 计算（但不会报错）。
+
+## 常用命令
+
+提交一个 VASP GPU 任务的例子：
+
+```bash
+sbatch --gpus=1 --ntasks-per-gpu=1 --job-name="my great job" vasp-nvidia-6.4.0 mpirun vasp-std
+```
+
+* `--gpus=1` 指定使用一个 GPU（排到这个任务时哪个空闲就使用哪个）。
+  可以指定具体使用哪个GPU，例如 `--gpus=4090:1`。
+  可以简写为 `-G`。
+  这个选项实际上是 `--gres` 选项的一种简便写法，当需求更复杂时（例如，指定使用一个 3090 和一个 4090）时，就需要用 `--gres`。
+  例如：`--gres=gpu:3090:1,gpu:4090:1`。
+  “gre” 是 “generic resource” 的缩写。
+* `--ntasks-per-gpu=1` 是一定要写的。
+* `--job-name=` 指定任务的名字。可以简写为 `-J`。也可以不指定。
+* 默认情况下，一个 task 会搭配分配一个 CPU 核（两个线程），一般不用修改。如果一定要修改，用 `--cpus-per-task`。
+
+提交一个 VASP CPU 任务的例子：
+
+```bash
+sbatch --ntasks=2 --cpus-per-task=2 --job-name="my great job" vasp-gnu-6.4.0 mpirun vasp-std
+```
+
+* `--ntasks=2` 指定在 MPI 层面上并行的数量。
+  可以简写为 `-n`。
+* `--cpus-per-task=2` 指定每个 task 使用的 CPU 核的数量，OpenMP 并行的数量等于这个数再乘以 2。
+
+要列出已经提交（包括已经完成、取消、失败）的任务：
+
+```bash
+squeue -t all -l
+```
+
+取消一个任务：
+
+```bash
+# 按任务的 id 取消
+scancel 114514
+# 按任务的名字取消
+scancel -n my_great_job
+# 取消一个用户的所有任务
+scancel -u chn
+```
+
+要将自己已经提交的一个任务优先级提到最高（只是自己已经提交任务的最高，不影响别人的任务）：
+
+```bash
+scontrol top job_id
+```
+
+## sbatch 的更多参数
+
+```bash
+# 提交一个新任务，但是礼让后面的任务（推迟到指定时间再开始排队）
+--begin=16:00 --begin=now+1hour
+# 指定工作目录
+--chdir=/path/to/your/workdir
+# 指定备注
+--comment="my great job"
+# 指定任务的 ddl，算不完就杀掉
+--deadline=now+1hour
+# 标准错误输出写到别的文件里
+--error=error.log
+# 将一些环境变量传递给任务（=ALL是默认行为）
+--export=ALL,MY_ENV_VAR=my_value
+# 不传递现在的环境变量
+--export=NONE
+# 打开一个文件作为标准输入
+--input=
+# 发生一些事件（任务完成等）时发邮件
+--mail-type=NONE,BEGIN,END,FAIL,REQUEUE,ALL --mail-user=chn@chn.moe
+# 要求分配内存（不会真的限制内存使用，只是在分配资源时会考虑）
+--mem=20G --mem-per-cpu --mem-per-gpu
+# 输出文件是否覆盖
+--open-mode={append|truncate}
+# 指定输出文件
+-o, --output=<filename_pattern>
+# 不排队，直接跑（超额分配）
+-s, --oversubscribe
+# 包裹一个二进制程序
+--wrap=
+```
+
+# ssh
+
+ssh 就是 putty winscp 之类的工具使用的那个协议。
+
+* 地址：office.chn.moe（如果在校外，需要厦大 VPN）
+* 端口：6007
+* 用户名：自己名字的拼音首字母
+* 可以用密码登陆，也可以用证书登陆。
+
+要从本机登陆到学校 hpc 的 jykang 账户，使用下面的命令：
+
+```bash
+ssh jykang
+```
+
+# rdp
+
+就是 windows 那个远程桌面。
+
+* 地址：xmupc1.chn.moe（如果在校外，需要厦大 VPN）
+* 用户名：自己名字的拼音首字母
+* 密码和 ssh 一样。
--- a/devices/xmupc1/default.nix
+++ b/devices/xmupc1/default.nix
@@ -0,0 +1,113 @@
+inputs:
+{
+  config =
+  {
+    nixos =
+    {
+      system =
+      {
+        fileSystems =
+        {
+          mount =
+          {
+            vfat."/dev/disk/by-uuid/467C-02E3" = "/boot/efi";
+            btrfs =
+            {
+              "/dev/disk/by-uuid/2f9060bc-09b5-4348-ad0f-3a43a91d158b" = { "/nix" = "/nix"; "/nix/boot" = "/boot"; };
+              "/dev/disk/by-uuid/a04a1fb0-e4ed-4c91-9846-2f9e716f6e12" =
+              {
+                "/nix/rootfs" = "/nix/rootfs";
+                "/nix/persistent" = "/nix/persistent";
+                "/nix/nodatacow" = "/nix/nodatacow";
+                "/nix/rootfs/current" = "/";
+              };
+            };
+          };
+          swap = [ "/nix/swap/swap" ];
+          rollingRootfs = { device = "/dev/disk/by-uuid/a04a1fb0-e4ed-4c91-9846-2f9e716f6e12"; path = "/nix/rootfs"; };
+        };
+        grub.installDevice = "efi";
+        nixpkgs =
+        {
+          march = "znver3";
+          cuda =
+          {
+            enable = true;
+            capabilities =
+            [
+              # 2080 Ti
+              "7.5"
+              # 3090
+              "8.6"
+              # 4090
+              "8.9"
+            ];
+            forwardCompat = false;
+          };
+        };
+        gui = { preferred = false; autoStart = true; };
+        kernel.patches = [ "cjktty" "lantian" ];
+        networking.hostname = "xmupc1";
+      };
+      hardware =
+      {
+        cpus = [ "amd" ];
+        gpu.type = "nvidia";
+        bluetooth.enable = true;
+        joystick.enable = true;
+        printer.enable = true;
+        sound.enable = true;
+      };
+      packages.packageSet = "workstation";
+      virtualization = { waydroid.enable = true; docker.enable = true; kvmHost = { enable = true; gui = true; }; };
+      services =
+      {
+        snapper.enable = true;
+        fontconfig.enable = true;
+        sshd = { enable = true; passwordAuthentication = true; };
+        xray.client =
+        {
+          enable = true;
+          serverAddress = "74.211.99.69";
+          serverName = "vps6.xserver.chn.moe";
+          dns.extraInterfaces = [ "docker0" ];
+        };
+        firewall.trustedInterfaces = [ "virbr0" "waydroid0" ];
+        smartd.enable = true;
+        beesd =
+        {
+          enable = true;
+          instances =
+          {
+            root = { device = "/"; hashTableSizeMB = 16384; threads = 4; };
+            nix = { device = "/nix"; hashTableSizeMB = 512; };
+          };
+        };
+        wireguard =
+        {
+          enable = true;
+          peers = [ "vps6" ];
+          publicKey = "JEY7D4ANfTpevjXNvGDYO6aGwtBGRXsf/iwNwjwDRQk=";
+          wireguardIp = "192.168.83.6";
+        };
+        slurm =
+        {
+          enable = true;
+          cpu = { cores = 16; threads = 2; };
+          memoryMB = 94208;
+          gpus = { "3090" = 1; "4090" = 1; };
+        };
+        xrdp = { enable = true; hostname = [ "xmupc1.chn.moe" ]; };
+        samba =
+        {
+          enable = true;
+          hostsAllowed = "192.168. 127.";
+          shares = { home.path = "/home"; root.path = "/"; };
+        };
+      };
+      bugs = [ "xmunet" "amdpstate" ];
+      users.users = [ "chn" "xll" "zem" "yjq" "gb" ];
+    };
+    services.hardware.bolt.enable = true;
+  };
+}
--- a/devices/xmupc1/secrets/default.yaml
+++ b/devices/xmupc1/secrets/default.yaml
@@ -0,0 +1,44 @@
+acme:
+    cloudflare.ini: ENC[AES256_GCM,data:PjCyozvFTXxA///enYYbaMZ8ISfFjJviLVKfdOcMSi5G3CEjEsp1Ez4krbgy4/eJo4v9HfTN0bMmUnl2OHOyzTg=,iv:e1iQZ5JUHkzfnfP956Lzl3FWs11xdULctA5MZsALtU0=,tag:8X2Q/Hixxn/ci4XRSUDidg==,type:str]
+nginx:
+    maxmind-license: ENC[AES256_GCM,data:/7R7w+fiMw54Cmd7y/wT/s8RMqFMf3Fc0Mph0ZhURmCzowkmLEhtmw==,iv:i+Z+2NbssI864Edwf73SQfaeFuWoqr+U8eQ/8R23FOk=,tag:8ITlkS97vlsmHM1HDk6/3A==,type:str]
+xray-client:
+    uuid: ENC[AES256_GCM,data:4PM/d263HgBseIgRplgo5ahJ8u8HuPznXt2hW5O+VawS6WjP,iv:98Ymj4eiCGQPMcaHBI9zJAaRagm82mF0LY2c9bzA+/s=,tag:8imXq/hxAxS5XKy0uWIBPw==,type:str]
+wireguard:
+    privateKey: ENC[AES256_GCM,data:Azaqung7llErB7/IdnOnEkwjQ39yQHKcO7VgvMDCDTExM7nS0zx+yMYX4ls=,iv:FX8oLHMBVEnKkYOg8q2A9vFmtRZDws5T87+lEl7+2G8=,tag:DdOQUbNKB6JK7Tp6McQ0Og==,type:str]
+users:
+    xll: ENC[AES256_GCM,data:tGzKVg4prhg9oXOSX0FJIAWdF79CWsFuiU8U12dSnkBIgRXPZlJkz9mLLTENm6SjftItt/ku4MDj94KnM+nPYkIorTYtEuergg==,iv:oavvRf7/21LuDksUiXLfR2/qQNz5O6JyroxX1DwC6gc=,tag:qYbW1ZQtXo+2qGrl5wuZkA==,type:str]
+    zem: ENC[AES256_GCM,data:r2BDtAfMohsnoqw51/flvkiXe/EtJtDhakEyOTPX2E7cikfPtPD9iJPd2RnNkS3QPBKg08ex5ce2e3ywzGgNX5RKrxIacpxSSA==,iv:VfhEqTvS9qVFGif+SkBdz8VR6BXEnncMYcPQW4qqNk8=,tag:t4JBEhX+6iqnrd0JoLKpmA==,type:str]
+    yjq: ENC[AES256_GCM,data:Yb9gVDrWhpmBYI8JlGee30J+PVFVGLo4btFVGToUVj3Sr2bPetY96mEJoxYQha7SPKBoZ7+ePzWYiYOi43MZ6sYndj3C6sYmYg==,iv:2H2+ZmIIDJAKds1XSMqVcUpsix3rbxLkVlBIIAK3ifg=,tag:7redx03BsscRrk+e7dqXdg==,type:str]
+    gb: ENC[AES256_GCM,data:ZoprrHc2l0nkqy4ujYQfxNENMEnfpRhCIxX7jMPoWeTrJt2sE1AloWeVFsArJKTx8krpW96X3AXpUIauMH9kc/CviPop2QMgDw==,iv:fOIVPEHDvyZ45G9uRbx2gBE0KuZy+aEWALlXusDJ1YU=,tag:G6hZLn9/99Kj+wZAeNyxkQ==,type:str]
+mariadb:
+    slurm: ENC[AES256_GCM,data:qQMD8SKNmxb3PdScXNqppF9zkX7dV5i7rvljvZuhiI5zLnu77qYCHBW6ymh0mrY14N9NjxmQZhZWX/H8TvBlcg==,iv:J5N3LjCYW3QmuEkMBpl7qvPFW1Z9ZoPLkj45jKcIW9U=,tag:Tl+ld07+lVkmzt7f/f2MqQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5RWIreCtMeTZ0UE9Zd2di
+            VE9tR0x6SUNyWjlPV1BqMU5Tb0RTSXNGN2hNCkxuVjFFb0xJZTBMekxqdE96RlRh
+            czF0dHQxdVhsNE5tVWg0Q2RmYktsWDgKLS0tIFY3dHRlbFpsWUsyTzA3RVR1Qyts
+            UUJHMU13cm1lOXhRYzhSWlFyTFltYWcKDUxABRGskWWpHEFL44gHYzAqaQ3AmBDt
+            LcL/4IiEs3TwOpuY+WTVx8JKZBOsxcSlNahiDuCnoTbL4gZTPnd0pA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1hnarptkze0ujpp05dqr8uma04cxg9zqcx68qgpks5uf5l6rpk5gqhh8wxg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwbHd4ZHhsTk5leDlreC9E
+            TVAzRXVuS0Judk5zTGVWRVhWSUhpMFdscEg0ClVFYzZYZG9hNjJKTlRVZ1I3eXVq
+            M2Y5by85dE1QM25yQ3g3bFVSL2tsVlkKLS0tIHVYbGxrT0hOQkZ5SHBsQ3UyaVly
+            ZDNHUjE2QVlCV3p0NHdKYW5IMHVBZzQKkZtfyvfroOntg3yRjMw4jQHiQj8eaB2h
+            IeIHfW4y01mmVT2ofbtB0xYpjcl4gtUlQ8X3tn5iJ9P8gcVo0G598A==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-02-26T06:04:25Z"
+    mac: ENC[AES256_GCM,data:2d3i3rcRYrB58vJuyhP4AIB11Ns+zQq0Pli1LF4sAKb75OmJ/qlRcwJKlOCASdY95FfzOQDGjfZheg58fVSd9EbYxX+npMXGUiODa8JRTHgQye3/qjFv14v49zKFJ0dNs13XnOEA4QAry/7gDlb0+M44bNRGPSZSoFX2yJ53smw=,iv:I1YDN6+26BmaWR84kq9zXNXjQ4cRvtzrS2Q13PlUjp0=,tag:sgxcTpOr7T2oXjb5qLRrqw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
--- a/devices/xmupc1/secrets/munge.key
+++ b/devices/xmupc1/secrets/munge.key
@@ -0,0 +1,24 @@
+{
+	"data": "ENC[AES256_GCM,data:tuEymMXW0f7Rui5wrz/xozphTEq6ffkYIfNIoURFNHwH2Cg+aKHz2ox0gk02BJARhPMDrxCYlChkcrEI0ma/T0eBe9sWz3tA8AOwU1lHSZ06d/JWzW7IUIyTac2mnjt3/jY/qpnR4A8wtHwD0j4zkzXgUgFwq7k/fs24acEE4Jo=,iv:iDTS0xswLrwkOYmfomE5hluVONgJYia/RjINDy7T3R0=,tag:oIYNpFCuT2D+X1QEJJiHew==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3aFRRa0NsOUp5MEg3UHcx\nc3g1VFZEQS9Tci9QSnNFYnIrT3hUdVU5cWxjCnU5UXVEdTFXczJzcHVvSjF2WHdB\nYmpyQVVaUFozKzJIZThBbXUxb2k2YzAKLS0tIHE1QXVrOXo1Y3VXMzJJYitWU3Qv\neDF1cndrSi94clh1cS9NczN0UW9pOXcKtrnIj3WovMYdcg5nWnnyRhJhTGLrlwxW\nxQ6bmNrfbZedmCNdjY2lPXmudMXJ8YlWe/HGCe94x3iFlaSwCIGUsA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1hnarptkze0ujpp05dqr8uma04cxg9zqcx68qgpks5uf5l6rpk5gqhh8wxg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBocFl1SHJEemRySlBnMmNn\nVW9RS1NNdlo4M3l2WGlQaHJmbDBHcjMwaVVnCnY5WExPOXZJVEdYSlJ6UTRBMGJj\ncmlYaUNVV1hnWTNkaWVuV2VuaXN2eU0KLS0tIDBTYnd2NmVYTUJKaHZWRWo3ZlUx\nTEtPZWc2RE1XNG9WTXFOTllWVUVWeUkK+9aLz1rygGAQjpG+oMNUtrDkQaDfg+2q\nnl/CtZZrFD6NXGw6Di0X5t9fQu295NTJ/0qjXnfMigG8gDtxkE+/7g==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-02-26T06:04:53Z",
+		"mac": "ENC[AES256_GCM,data:y0RkPyUwwff95BFL951TxS/x5ORzMsxFJVjopSw+8iVtswD8MT1nmsbwyth4C9OnJ/IAtnZk/CjAt72a68AZpPI+2W/JqJq20ohFoquDNhTlsoyLWdO3Vjrd+Wo3hp0+iKQ3e/uYrF1sTqQO9a3OIxu2sVLM0gEDmIe2nJpLJQo=,iv:EjXTQvVdjzfClNfQ3rPxAFVWVqr7sSOz4ap+nshPEAk=,tag:DcIlf9W7NNqQ+gf8f46MwQ==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}
--- a/flake.lock
+++ b/flake.lock
--- a/flake.nix
+++ b/flake.nix
@@ -1,191 +1,154 @@
 {
-	description = "CNH's NixOS Flake";
+  description = "CNH's NixOS Flake";

-	inputs =
-	{
-		nixpkgs.url = "github:CHN-beta/nixpkgs/next";
-		nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-23.05";
-		flake-utils.url = "github:numtide/flake-utils";
-		flake-utils-plus =
-		{
-			url = "github:gytis-ivaskevicius/flake-utils-plus";
-			inputs.flake-utils.follows = "flake-utils";
-		};
-		flake-compat = { url = "github:edolstra/flake-compat"; flake = false; };
-		nvfetcher =
-		{
-			url = "github:berberman/nvfetcher";
-			inputs =
-			{
-				nixpkgs.follows = "nixpkgs";
-				flake-utils.follows = "flake-utils";
-				flake-compat.follows = "flake-compat";
-			};
-		};
-		home-manager = { url = "github:nix-community/home-manager/master"; inputs.nixpkgs.follows = "nixpkgs"; };
-		sops-nix =
-		{
-			url = "github:Mic92/sops-nix";
-			inputs = { nixpkgs.follows = "nixpkgs"; nixpkgs-stable.follows = "nixpkgs-stable"; };
-		};
-		touchix = { url = "github:CHN-beta/touchix"; inputs.nixpkgs.follows = "nixpkgs"; };
-		aagl =
-		{
-			url = "github:ezKEa/aagl-gtk-on-nix";
-			inputs = { nixpkgs.follows = "nixpkgs"; flake-compat.follows = "flake-compat"; };
-		};
-		nix-index-database = { url = "github:Mic92/nix-index-database"; inputs.nixpkgs.follows = "nixpkgs"; };
-		nur.url = "github:nix-community/NUR";
-		nixos-cn =
-		{
-			url = "github:nixos-cn/flakes";
-			inputs = { nixpkgs.follows = "nixpkgs"; flake-utils.follows = "flake-utils"; };
-		};
-		nur-xddxdd =
-		{
-			url = "github:xddxdd/nur-packages";
-			inputs =
-			{
-				flake-utils.follows = "flake-utils";
-				nixpkgs.follows = "nixpkgs-stable";
-				flake-utils-plus.follows = "flake-utils-plus";
-			};
-		};
-		nix-vscode-extensions =
-		{
-			url = "github:nix-community/nix-vscode-extensions";
-			inputs =
-			{
-				nixpkgs.follows = "nixpkgs";
-				flake-utils.follows = "flake-utils";
-				flake-compat.follows = "flake-compat";
-			};
-		};
-		nix-alien =
-		{
-			url = "github:thiagokokada/nix-alien";
-			inputs =
-			{
-				flake-compat.follows = "flake-compat";
-				flake-utils.follows = "flake-utils";
-				nix-index-database.follows = "nix-index-database";
-			};
-		};
-		impermanence.url = "github:nix-community/impermanence";
-		qchem =
-		{
-			url = "github:Nix-QChem/NixOS-QChem";
-			inputs.nixpkgs.follows = "nixpkgs";
-		};
-	};
+  inputs =
+  {
+    nixpkgs.url = "github:CHN-beta/nixpkgs/nixos-23.11";
+    nixpkgs-unstable.url = "github:CHN-beta/nixpkgs/nixos-unstable";
+    "nixpkgs-23.05".url = "github:CHN-beta/nixpkgs/nixos-23.05";
+    "nixpkgs-22.11".url = "github:NixOS/nixpkgs/nixos-22.11";
+    "nixpkgs-22.05".url = "github:NixOS/nixpkgs/nixos-22.05";
+    home-manager = { url = "github:nix-community/home-manager/release-23.11"; inputs.nixpkgs.follows = "nixpkgs"; };
+    sops-nix =
+    {
+      url = "github:Mic92/sops-nix";
+      inputs = { nixpkgs.follows = "nixpkgs"; nixpkgs-stable.follows = "nixpkgs"; };
+    };
+    aagl = { url = "github:ezKEa/aagl-gtk-on-nix"; inputs.nixpkgs.follows = "nixpkgs"; };
+    nix-index-database = { url = "github:Mic92/nix-index-database"; inputs.nixpkgs.follows = "nixpkgs-unstable"; };
+    nur.url = "github:nix-community/NUR";
+    nixos-cn = { url = "github:nixos-cn/flakes"; inputs.nixpkgs.follows = "nixpkgs"; };
+    nur-xddxdd = { url = "github:xddxdd/nur-packages"; inputs.nixpkgs.follows = "nixpkgs"; };
+    nix-vscode-extensions = { url = "github:nix-community/nix-vscode-extensions"; inputs.nixpkgs.follows = "nixpkgs"; };
+    impermanence.url = "github:nix-community/impermanence";
+    qchem = { url = "github:Nix-QChem/NixOS-QChem/release-23.11"; inputs.nixpkgs.follows = "nixpkgs"; };
+    nixd = { url = "github:nix-community/nixd"; inputs.nixpkgs.follows = "nixpkgs"; };
+    napalm = { url = "github:nix-community/napalm"; inputs.nixpkgs.follows = "nixpkgs"; };
+    nixpak = { url = "github:nixpak/nixpak"; inputs.nixpkgs.follows = "nixpkgs"; };
+    deploy-rs = { url = "github:serokell/deploy-rs"; inputs.nixpkgs.follows = "nixpkgs"; };
+    pnpm2nix-nzbr = { url = "github:CHN-beta/pnpm2nix-nzbr"; inputs.nixpkgs.follows = "nixpkgs"; };
+    plasma-manager =
+    {
+      url = "github:pjones/plasma-manager";
+      inputs = { nixpkgs.follows = "nixpkgs"; home-manager.follows = "home-manager"; };
+    };
+    nix-doom-emacs = { url = "github:nix-community/nix-doom-emacs"; inputs.nixpkgs.follows = "nixpkgs"; };
+    nur-linyinfeng = { url = "github:linyinfeng/nur-packages"; inputs.nixpkgs.follows = "nixpkgs"; };
+    nixos-hardware.url = "github:CHN-beta/nixos-hardware";
+    envfs = { url = "github:Mic92/envfs"; inputs.nixpkgs.follows = "nixpkgs"; };
+    nix-fast-build = { url = "github:/Mic92/nix-fast-build"; inputs.nixpkgs.follows = "nixpkgs"; };

-	outputs = inputs:
-		let
-			local = import ./local;
-		in
-		{
-			nixosConfigurations =
-			{
-				"chn-PC" = inputs.nixpkgs.lib.nixosSystem
-				{
-					system = "x86_64-linux";
-					specialArgs = { topInputs = inputs; localLib = local.lib; };
-					modules =
-					[
-						inputs.home-manager.nixosModules.home-manager
-						inputs.sops-nix.nixosModules.sops
-						inputs.touchix.nixosModules.v2ray-forwarder
-						inputs.aagl.nixosModules.default
-						inputs.nix-index-database.nixosModules.nix-index
-						inputs.nur.nixosModules.nur
-						inputs.nur-xddxdd.nixosModules.setupOverlay
-						inputs.impermanence.nixosModules.impermanence
-						(args: {
-							config.nixpkgs =
-							{
-								overlays =
-								[
-									(
-										final: prev:
-										{
-											touchix = inputs.touchix.packages."${prev.system}";
-											nix-vscode-extensions = inputs.nix-vscode-extensions.extensions."${prev.system}";
-											localPackages = local.pkgs { pkgs = prev; };
-										}
-									)
-									inputs.qchem.overlays.default
-									(
-										final: prev: { nur-xddxdd =
-											(inputs.nur-xddxdd.overlays.custom args.config.boot.kernelPackages.nvidia_x11) final prev; }
-									)
-								];
-								config.allowUnfree = true;
-							};
-						})
-						(
-							local.lib.mkModules
-							[
-								./modules/boot/fileSystems.nix
-								(inputs: { config.nixos =
-									{
-										fileSystems =
-										{
-											mount =
-											{
-												vfat."/dev/disk/by-uuid/3F57-0EBE" = "/boot/efi";
-												btrfs =
-												{
-													"/dev/disk/by-uuid/02e426ec-cfa2-4a18-b3a5-57ef04d66614"."/" = "/boot";
-													"/dev/mapper/root"."/nix" = "/nix";
-												};
-											};
-											decrypt.auto =
-											{
-												"/dev/disk/by-uuid/55fdd19f-0f1d-4c37-bd4e-6df44fc31f26" = { mapper = "root"; ssd = true; };
-												"/dev/md/swap" = { mapper = "swap"; ssd = true; };
-											};
-											mdadm =
-												"ARRAY /dev/md/swap metadata=1.2 name=chn-PC:swap UUID=2b546b8d:e38007c8:02990dd1:df9e23a4";
-											swap = [ "/dev/mapper/swap" ];
-											resume = "/dev/mapper/swap";
-										};
-									};}
-								)
+    misskey = { url = "git+https://github.com/CHN-beta/misskey?submodules=1"; flake = false; };
+    rsshub = { url = "github:DIYgod/RSSHub"; flake = false; };
+    zpp-bits = { url = "github:eyalz800/zpp_bits"; flake = false; };
+    citation-style-language = { url = "git+https://github.com/zepinglee/citeproc-lua?submodules=1"; flake = false; };
+    concurrencpp = { url = "github:David-Haim/concurrencpp"; flake = false; };
+    cppcoro = { url = "github:Garcia6l20/cppcoro"; flake = false; };
+    date = { url = "github:HowardHinnant/date"; flake = false; };
+    eigen = { url = "gitlab:libeigen/eigen"; flake = false; };
+    matplotplusplus = { url = "github:alandefreitas/matplotplusplus"; flake = false; };
+    nameof = { url = "github:Neargye/nameof"; flake = false; };
+    nodesoup = { url = "github:olvb/nodesoup"; flake = false; };
+    tgbot-cpp = { url = "github:reo7sp/tgbot-cpp"; flake = false; };
+    v-sim = { url = "gitlab:l_sim/v_sim"; flake = false; };
+    win11os-kde = { url = "github:yeyushengfan258/Win11OS-kde"; flake = false; };
+    fluent-kde = { url = "github:vinceliuice/Fluent-kde"; flake = false; };
+    rycee = { url = "gitlab:rycee/nur-expressions"; flake = false; };
+    blurred-wallpaper = { url = "github:bouteillerAlan/blurredwallpaper"; flake = false; };
+    slate = { url = "github:TheBigWazz/Slate"; flake = false; };
+    linux-surface = { url = "github:linux-surface/linux-surface"; flake = false; };
+    lepton = { url = "github:black7375/Firefox-UI-Fix"; flake = false; };
+    lmod = { url = "github:TACC/Lmod"; flake = false; };
+    mumax = { url = "github:CHN-beta/mumax"; flake = false; };
+  };

-								[ ./modules/basic.nix { hostName = "chn-PC"; } ]
-								./modules/fonts.nix
-								[ ./modules/i18n.nix { fcitx = true; } ]
-								./modules/kde.nix
-								./modules/sops.nix
-								./modules/boot/chn-PC.nix
-								./modules/hardware/bluetooth.nix
-								./modules/hardware/joystick.nix
-								[ ./modules/hardware/nvidia-prime.nix { intelBusId = "PCI:0:2:0"; nvidiaBusId = "PCI:1:0:0"; } ]
-								./modules/hardware/printer.nix
-								./modules/hardware/sound.nix
-								./modules/hardware/chn-PC.nix
-								./modules/networking/basic.nix
-								./modules/networking/samba.nix
-								./modules/networking/ssh.nix
-								./modules/networking/wall_client.nix
-								./modules/networking/xmunet.nix
-								./modules/networking/chn-PC.nix
-								./modules/packages/terminal.nix
-								./modules/packages/gui.nix
-								./modules/packages/gaming.nix
-								./modules/packages/hpc.nix
-								[ ./modules/users/root.nix {} ]
-								[ ./modules/users/chn.nix {} ]
-								./modules/virtualisation/docker.nix
-								./modules/virtualisation/kvm_guest.nix
-								./modules/virtualisation/kvm_host.nix
-								./modules/virtualisation/waydroid.nix
-								./modules/home/root.nix
-								./modules/home/chn.nix
-							]
-						)
-					];
-				};
-			};
-		};
+  outputs = inputs:
+    let
+      localLib = import ./local/lib inputs.nixpkgs.lib;
+      devices = builtins.attrNames (builtins.readDir ./devices);
+    in
+    {
+      packages.x86_64-linux =
+      {
+        default = inputs.nixpkgs.legacyPackages.x86_64-linux.writeText "systems"
+          (builtins.concatStringsSep "\n" (builtins.map
+            (system: builtins.toString inputs.self.outputs.nixosConfigurations.${system}.config.system.build.toplevel)
+            devices));
+      }
+      // (
+        builtins.listToAttrs (builtins.map
+          (system:
+          {
+            name = system;
+            value = inputs.self.outputs.nixosConfigurations.${system}.config.system.build.toplevel;
+          })
+          devices)
+      );
+      # ssh-keygen -t rsa -C root@pe -f /mnt/nix/persistent/etc/ssh/ssh_host_rsa_key
+      # ssh-keygen -t ed25519 -C root@pe -f /mnt/nix/persistent/etc/ssh/ssh_host_ed25519_key
+      # systemd-machine-id-setup --root=/mnt/nix/persistent
+      nixosConfigurations = builtins.listToAttrs (builtins.map
+        (system:
+        {
+          name = system;
+          value = inputs.nixpkgs.lib.nixosSystem
+          {
+            system = "x86_64-linux";
+            specialArgs = { topInputs = inputs; inherit localLib; };
+            modules = localLib.mkModules
+            [
+              (moduleInputs:
+              {
+                config.nixpkgs.overlays = [(final: prev: { localPackages =
+                  import ./local/pkgs { inherit (moduleInputs) lib; pkgs = final; topInputs = inputs; };})];
+              })
+              ./modules
+              ./devices/${system}
+            ];
+          };
+        })
+        devices);
+      # sudo HTTPS_PROXY=socks5://127.0.0.1:10884 nixos-install --flake .#bootstrap --option substituters http://127.0.0.1:5000 --option require-sigs false --option system-features gccarch-silvermont
+      # nix-serve -p 5000
+      # nix copy --substitute-on-destination --to ssh://server /run/current-system
+      # nix copy --to ssh://nixos@192.168.122.56 ./result
+      # sudo nixos-install --flake .#bootstrap
+      #    --option substituters http://192.168.122.1:5000 --option require-sigs false
+      # sudo chattr -i var/empty
+      # nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
+      # sudo nixos-rebuild switch --flake .#vps6 --log-format internal-json -v |& nom --json
+      # boot.shell_on_fail systemd.setenv=SYSTEMD_SULOGIN_FORCE=1
+      # sudo usbipd
+      # ssh -R 3240:127.0.0.1:3240 root@192.168.122.57
+      # modprobe vhci-hcd
+      # sudo usbip bind -b 3-6
+      # usbip attach -r 127.0.0.1 -b 3-6
+      # systemd-cryptenroll --fido2-device=auto /dev/vda2
+      # systemd-cryptsetup attach root /dev/vda2
+      deploy =
+      {
+        sshUser = "root";
+        user = "root";
+        fastConnection = true;
+        autoRollback = false;
+        magicRollback = false;
+        nodes = builtins.listToAttrs (builtins.map
+          (node:
+          {
+            name = node;
+            value =
+            {
+              hostname = node;
+              profiles.system.path = inputs.self.nixosConfigurations.${node}.pkgs.deploy-rs.lib.activate.nixos
+                inputs.self.nixosConfigurations.${node};
+            };
+          })
+          [ "vps6" "vps7" "nas" "surface" "xmupc1" ]
+        );
+      };
+      checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks inputs.self.deploy) inputs.deploy-rs.lib;
+      overlays.default = final: prev:
+        { localPackages = (import ./local/pkgs { inherit (inputs) lib; pkgs = final; }); };
+      config.archive = false;
+    };
 }
--- a/local/default.nix
+++ b/local/default.nix
@@ -1,4 +0,0 @@
-{
-	lib = import ./lib;
-	pkgs = import ./pkgs;
-}
--- a/local/lib/attrsToList.nix
+++ b/local/lib/attrsToList.nix
@@ -1 +0,0 @@
-Attrs: builtins.map ( name: { inherit name; value = Attrs.${name}; } ) ( builtins.attrNames Attrs )
--- a/local/lib/default.nix
+++ b/local/lib/default.nix
@@ -1,6 +1,40 @@
+lib:
 {
-	mkModules = import ./mkModules.nix;
-	mkSystem = import ./mkSystems.nix;
-	mkInputs = import ./mkInputs.nix;
-	attrsToList = import ./attrsToList.nix;
+  attrsToList = attrs: builtins.map (name: { inherit name; value = attrs.${name}; }) (builtins.attrNames attrs);
+  mkConditional = condition: trueResult: falseResult: let inherit (lib) mkMerge mkIf; in
+    mkMerge [ ( mkIf condition trueResult ) ( mkIf (!condition) falseResult ) ];
+
+  # Behaviors of these two NixOS modules would be different:
+  # { pkgs, ... }@inputs: { environment.systemPackages = [ pkgs.hello ]; }
+  # inputs: { environment.systemPackages = [ pkgs.hello ]; }
+  # The second one would failed to evaluate because nixpkgs would not pass pkgs to it.
+  # So that we wrote a wrapper to make it always works like the first one.
+  mkModules = moduleList:
+    (builtins.map
+      (
+        let handle = module:
+          if ( builtins.typeOf module ) == "path" then (handle (import module))
+          else if ( builtins.typeOf module ) == "lambda" then ({ pkgs, utils, ... }@inputs: (module inputs))
+          else module;
+        in handle
+      )
+      moduleList);
+
+  # from: https://github.com/NixOS/nix/issues/3759
+  stripeTabs = text:
+    let
+      # Whether all lines start with a tab (or is empty)
+      shouldStripTab = lines: builtins.all (line: (line == "") || (lib.strings.hasPrefix "  " line)) lines;
+      # Strip a leading tab from all lines
+      stripTab = lines: builtins.map (line: lib.strings.removePrefix "  " line) lines;
+      # Strip tabs recursively until there are none
+      stripTabs = lines: if (shouldStripTab lines) then (stripTabs (stripTab lines)) else lines;
+    in
+      # Split into lines. Strip leading tabs. Concat back to string.
+      builtins.concatStringsSep "\n" (stripTabs (lib.strings.splitString "\n" text));
+  
+  # find an element in a list, return the index
+  findIndex = e: list:
+    let findIndex_ = i: list: if (builtins.elemAt list i) == e then i else findIndex_ (i + 1) list;
+    in findIndex_ 0 list;
 }
--- a/local/lib/mkModules.nix
+++ b/local/lib/mkModules.nix
@@ -1,45 +0,0 @@
-# Behaviors of these two NixOS modules would be different:
-# { pkgs, ... }@inputs: { environment.systemPackages = [ pkgs.hello ]; }
-# inputs: { environment.systemPackages = [ pkgs.hello ]; }
-# The second one would failed to evaluate because nixpkgs would not pass pkgs to it.
-# So that we wrote a wrapper to make it always works like the first one.
-# Input a list of modules, allowed types are:
-#	* attribute set
-#	* file containing attribute set
-#	* file containing lambda, which takes inputs as argument
-#	* lambda, which takes inputs as argument
-#	* list, first member is a lambda, 
-moduleList: { pkgs, ... }@inputs:
-{
-	imports = builtins.map
-	(
-		let
-			handle = { module, customArgs }:
-				if ( builtins.typeOf module ) == "list"
-					then handle { module = builtins.elemAt module 0; customArgs = builtins.elemAt module 1; }
-				else if ( builtins.typeOf module ) == "path"
-					then handle { module = import module; inherit customArgs; }
-				else if ( builtins.typeOf module ) == "lambda" && customArgs != null # deprecated
-					then handle { module = module customArgs; customArgs = null; }
-				else if ( builtins.typeOf module ) == "lambda" then module inputs # deprecated
-				else module;
-			caller = module: handle { inherit module; customArgs = null; };
-		in caller
-	) moduleList;
-}
-
-# Behaviors of these two NixOS modules would be different:
-# { pkgs, ... }@inputs: { environment.systemPackages = [ pkgs.hello ]; }
-# inputs: { environment.systemPackages = [ pkgs.hello ]; }
-# The second one would failed to evaluate because nixpkgs would not pass pkgs to it.
-# So that we wrote a wrapper to make it always works like the first one.
-# moduleList: { pkgs, ... }@inputs:
-# {
-# 	imports = builtins.map
-# 	(
-# 		handle = module:
-# 			if ( builtins.typeOf module ) == "path" then handle import module
-# 			else if ( builtins.typeOf module ) == "lambda" then module inputs
-# 			else module;
-# 	) moduleList;
-# }
--- a/local/pkgs/aocc/default.nix
+++ b/local/pkgs/aocc/default.nix
@@ -0,0 +1 @@
+1k9anln9hmdjflrkq4iacrmhma7gfrfj6d0b8ywxys0wfpdvy12v
--- a/local/pkgs/biu/default.nix
+++ b/local/pkgs/biu/default.nix
@@ -0,0 +1,17 @@
+{
+  stdenv, fetchFromGitHub, cmake, pkg-config, ninja,
+  fmt, boost, magic-enum, libbacktrace, concurrencpp, tgbot-cpp, nameof, eigen, range-v3
+}: stdenv.mkDerivation rec
+{
+  name = "libbiu";
+  src = fetchFromGitHub
+  {
+    owner = "CHN-beta";
+    repo = "biu";
+    rev = "8ed2e52968f98d3a6ddbd01e86e57604ba3a7f54";
+    sha256 = "OqQ+QkjjIbpve/xn/DJA7ONw/bBg5zGNr+VJjc3o+K8=";
+  };
+  nativeBuildInputs = [ cmake pkg-config ninja ];
+  buildInputs = [ fmt boost magic-enum libbacktrace concurrencpp tgbot-cpp nameof eigen range-v3 ];
+  propagatedBuildInputs = buildInputs;
+}
--- a/local/pkgs/blurred-wallpaper/default.nix
+++ b/local/pkgs/blurred-wallpaper/default.nix
@@ -0,0 +1,11 @@
+{ stdenv, src }: stdenv.mkDerivation
+{
+  name = "blurred-wallpaper";
+  inherit src;
+  phases = [ "installPhase" ];
+  installPhase =
+  ''
+    mkdir -p $out/share/plasma/wallpapers/a2n.blur
+    cp -r $src/* $out/share/plasma/wallpapers/a2n.blur
+  '';
+}
--- a/local/pkgs/citation-style-language/default.nix
+++ b/local/pkgs/citation-style-language/default.nix
@@ -0,0 +1,22 @@
+{ stdenvNoCC, texlive, src }: stdenvNoCC.mkDerivation (finalAttrs:
+{
+  name = "citation-style-language";
+  inherit src;
+  passthru =
+  {
+    pkgs = [ finalAttrs.finalPackage ];
+    tlDeps = with texlive; [ latex ];
+    tlType = "run";
+  };
+
+  nativeBuildInputs = [ texlive.combined.scheme-full ];
+  dontConfigure = true;
+  dontBuild = true;
+  installPhase =
+  ''
+    runHook preInstall
+    export TEXMFHOME=$out
+    l3build install
+    runHook postInstall
+  '';
+})
--- a/local/pkgs/concurrencpp/default.nix
+++ b/local/pkgs/concurrencpp/default.nix
@@ -0,0 +1,6 @@
+{ stdenv, cmake, src }: stdenv.mkDerivation
+{
+  name = "concurrencpp";
+  inherit src;
+  nativeBuildInputs = [ cmake ];
+}
--- a/local/pkgs/cppcoro/cppcoro-include-utility.patch
+++ b/local/pkgs/cppcoro/cppcoro-include-utility.patch
@@ -0,0 +1,12 @@
+diff --git a/lib/static_thread_pool.cpp b/lib/static_thread_pool.cpp
+index 989a6a9..0b91b9c 100644
+--- a/lib/static_thread_pool.cpp
+++ b/lib/static_thread_pool.cpp
+@@ -12,6 +12,7 @@
+ #include <cassert>
+ #include <mutex>
+ #include <chrono>
+#include <utility>
+ 
+ namespace
+ {
--- a/local/pkgs/cppcoro/default.nix
+++ b/local/pkgs/cppcoro/default.nix
@@ -0,0 +1,7 @@
+{ stdenv, cmake, src }: stdenv.mkDerivation
+{
+  name = "cppcoro";
+  inherit src;
+  nativeBuildInputs = [ cmake ];
+  patches = [ ./cppcoro-include-utility.patch ];
+}
--- a/local/pkgs/date/default.nix
+++ b/local/pkgs/date/default.nix
@@ -0,0 +1,13 @@
+{ stdenv, src }: stdenv.mkDerivation
+{
+  name = "date";
+  inherit src;
+  phases = [ "installPhase" ];
+  installPhase =
+  ''
+    runHook preInstall
+    mkdir -p $out
+    cp -r $src/{include,src} $out
+    runHook postInstall
+  '';
+}
--- a/local/pkgs/default.nix
+++ b/local/pkgs/default.nix
@@ -1,7 +1,69 @@
-{ pkgs }: with pkgs;
+{ lib, pkgs, topInputs }: with pkgs; rec
 {
-	typora = callPackage ./typora {};
-	upho = python3Packages.callPackage ./upho {};
-	spectral = python3Packages.callPackage ./spectral {};
-	vesta = callPackage ./vesta {};
+  typora = callPackage ./typora {};
+  vesta = callPackage ./vesta {};
+  rsshub = callPackage ./rsshub { src = topInputs.rsshub; };
+  misskey = callPackage ./misskey { nodejs = nodejs_21; src = topInputs.misskey; };
+  mk-meili-mgn = callPackage ./mk-meili-mgn {};
+  vaspkit = callPackage ./vaspkit { attrsToList = (import ../lib lib).attrsToList; };
+  v-sim = callPackage ./v-sim { src = topInputs.v-sim; };
+  concurrencpp = callPackage ./concurrencpp { stdenv = gcc13Stdenv; src = topInputs.concurrencpp; };
+  eigengdb = python3Packages.callPackage ./eigengdb {};
+  nodesoup = callPackage ./nodesoup { src = topInputs.nodesoup; };
+  matplotplusplus = callPackage ./matplotplusplus { inherit nodesoup glad; src = topInputs.matplotplusplus; };
+  zpp-bits = callPackage ./zpp-bits { src = topInputs.zpp-bits; };
+  eigen = callPackage ./eigen { src = topInputs.eigen; };
+  nameof = callPackage ./nameof { src = topInputs.nameof; };
+  pslist = callPackage ./pslist {};
+  glad = callPackage ./glad {};
+  chromiumos-touch-keyboard = callPackage ./chromiumos-touch-keyboard {};
+  yoga-support = callPackage ./yoga-support {};
+  tgbot-cpp = callPackage ./tgbot-cpp { src = topInputs.tgbot-cpp; };
+  biu = callPackage ./biu { inherit concurrencpp tgbot-cpp nameof; stdenv = gcc13Stdenv; };
+  citation-style-language = callPackage ./citation-style-language { src = topInputs.citation-style-language; };
+  mirism = callPackage ./mirism
+  {
+    inherit cppcoro nameof tgbot-cpp date;
+    nghttp2 = pkgs."nghttp2-23.05".override { enableAsioLib = true; };
+  };
+  cppcoro = callPackage ./cppcoro { src = topInputs.cppcoro; };
+  date = callPackage ./date { src = topInputs.date; };
+  esbonio = python3Packages.callPackage ./esbonio {};
+  pix2tex = python3Packages.callPackage ./pix2tex {};
+  pyreadline3 = python3Packages.callPackage ./pyreadline3 {};
+  torchdata = python3Packages.callPackage ./torchdata {};
+  torchtext = python3Packages.callPackage ./torchtext { inherit torchdata; };
+  win11os-kde = callPackage ./win11os-kde { src = topInputs.win11os-kde; };
+  fluent-kde = callPackage ./fluent-kde { src = topInputs.fluent-kde; };
+  blurred-wallpaper = callPackage ./blurred-wallpaper { src = topInputs.blurred-wallpaper; };
+  slate = callPackage ./slate { src = topInputs.slate; };
+  nvhpc = callPackage ./nvhpc {};
+  lmod = callPackage ./lmod { src = topInputs.lmod; };
+  vasp =
+  {
+    source = callPackage ./vasp/source.nix {};
+    gnu = callPackage ./vasp/gnu
+    {
+      inherit (llvmPackages) openmp;
+      inherit (unstablePackages) wannier90;
+      hdf5 = hdf5.override { mpiSupport = true; fortranSupport = true; };
+    };
+    nvidia = callPackage ./vasp/nvidia
+    {
+      inherit lmod;
+      nvhpc = nvhpc."24.1";
+      hdf5 = hdf5-nvhpc.override { nvhpc = nvhpc."24.1"; };
+      inherit (unstablePackages) wannier90;
+    };
+    intel = callPackage ./vasp/intel
+    {
+      inherit lmod;
+      oneapi = oneapi."2022.2";
+      hdf5 = hdf5.override { mpiSupport = true; fortranSupport = true; };
+      inherit (unstablePackages) wannier90;
+    };
+  };
+  hdf5-nvhpc = callPackage ./hdf5-nvhpc { inherit lmod; inherit (hdf5) src; nvhpc = nvhpc."24.1"; };
+  oneapi = callPackage ./oneapi {};
+  mumax = callPackage ./mumax { src = topInputs.mumax; };
 }
--- a/local/pkgs/eigen/default.nix
+++ b/local/pkgs/eigen/default.nix
@@ -0,0 +1,6 @@
+{ lib, stdenv, cmake, src }: stdenv.mkDerivation
+{
+  name = "eigen";
+  inherit src;
+  nativeBuildInputs = [ cmake ];
+}
--- a/local/pkgs/eigengdb/default.nix
+++ b/local/pkgs/eigengdb/default.nix
@@ -0,0 +1,15 @@
+{ lib, fetchFromGitHub, buildPythonPackage, numpy, gdb }: buildPythonPackage
+{
+  name = "eigengdb";
+  src = fetchFromGitHub
+  {
+    owner = "dmillard";
+    repo = "eigengdb";
+    rev = "c741edef3f07f33429056eff48d79a62733ed494";
+    sha256 = "MTqOaWsKhWaPs3G5F/6bYZmQI5qS2hEGKGa3mwbgFaY=";
+  };
+  doCheck = false;
+  buildInputs = [ gdb ];
+  nativeBuildInputs = [ gdb ];
+  propagatedBuildInputs = [ numpy ];
+}
--- a/local/pkgs/esbonio/default.nix
+++ b/local/pkgs/esbonio/default.nix
@@ -0,0 +1,11 @@
+{ lib, fetchPypi, buildPythonPackage }: buildPythonPackage rec
+{
+  pname = "esbonio";
+  version = "0.16.4";
+  src = fetchPypi
+  {
+    inherit pname version;
+    sha256 = "1MBNBLCEBD6HtlxEASc4iZaXYyNdih2MIHoxK84jMdI=";
+  };
+  doCheck = false;
+}
--- a/local/pkgs/fluent-kde/default.nix
+++ b/local/pkgs/fluent-kde/default.nix
@@ -0,0 +1,22 @@
+{ lib, stdenv, src }: stdenv.mkDerivation
+{
+  name = "fluent-kde";
+  inherit src;
+  installPhase =
+  ''
+    mkdir -p $out/share/aurorae/themes
+    cp -r $src/aurorae/* $out/share/aurorae/themes
+    mkdir -p $out/share/color-schemes
+    cp -r $src/color-schemes/*.colors $out/share/color-schemes
+    mkdir -p $out/share/Kvantum
+    cp -r $src/Kvantum/Fluent* $out/share/Kvantum
+    mkdir -p $out/share/plasma/desktoptheme
+    cp -r $src/plasma/desktoptheme/* $out/share/plasma/desktoptheme
+    mkdir -p $out/share/plasma/layout-templates
+    cp -r $src/plasma/layout-templates/* $out/share/plasma/layout-templates
+    mkdir -p $out/share/plasma/look-and-feel
+    cp -r $src/plasma/look-and-feel/com.github.vinceliuice.Fluent* $out/share/plasma/look-and-feel
+    mkdir -p $out/share/wallpapers
+    cp -r $src/wallpaper/* $out/share/wallpapers
+  '';
+}
--- a/local/pkgs/glad/default.nix
+++ b/local/pkgs/glad/default.nix
@@ -0,0 +1,14 @@
+{ lib, stdenv, fetchFromGitHub, cmake, python3 }: stdenv.mkDerivation rec
+{
+  pname = "glad";
+  version = "0.1.36";
+  src = fetchFromGitHub
+  {
+    owner = "Dav1dde";
+    repo = "glad";
+    rev = "v${version}";
+    sha256 = "FtkPz0xchwmqE+QgS+nSJVYaAfJSTUmZsObV/IPypVQ=";
+  };
+  cmakeFlags = [ "-DGLAD_REPRODUCIBLE=ON" "-DGLAD_INSTALL=ON" ];
+  nativeBuildInputs = [ cmake python3 ];
+}
--- a/local/pkgs/hdf5-nvhpc/default.nix
+++ b/local/pkgs/hdf5-nvhpc/default.nix
@@ -0,0 +1,40 @@
+{
+  buildFHSEnv, writeScript, stdenvNoCC,
+  src,
+  nvhpc, lmod, cmake, gfortran,
+  config, nvhpcArch ? config.nvhpcArch or "px"
+}:
+let
+  buildEnv = buildFHSEnv
+  {
+    name = "buildEnv";
+    targetPkgs = pkgs: with pkgs; [ zlib ];
+    extraBwrapArgs = [ "--bind" "$out" "$out" ];
+  };
+  buildScript = writeScript "build"
+  ''
+    . ${lmod}/share/lmod/lmod/init/bash
+    module use ${nvhpc}/share/nvhpc/modulefiles
+    module load nvhpc
+    mkdir build
+    cd build
+    cmake -DCMAKE_INSTALL_PREFIX=$out -DHDF5_INSTALL_CMAKE_DIR=$out/lib/cmake \
+      -DHDF5_BUILD_FORTRAN=ON -DHDF5_ENABLE_PARALLEL=ON -DBUILD_SHARED_LIBS=ON ..
+    make -j$NIX_BUILD_CORES
+    make install
+  '';
+in stdenvNoCC.mkDerivation
+{
+  name = "hdf5-nvhpc";
+  inherit src;
+  dontConfigure = true;
+  enableParallelBuilding = true;
+  nativeBuildInputs = [ cmake gfortran ];
+  buildPhase =
+  ''
+    mkdir -p $out
+    ${buildEnv}/bin/buildEnv ${buildScript}
+  '';
+  dontInstall = true;
+  requiredSystemFeatures = [ "nvhpcarch-${nvhpcArch}" ];
+}
--- a/local/pkgs/lmod/default.nix
+++ b/local/pkgs/lmod/default.nix
@@ -0,0 +1,14 @@
+{
+  stdenv, src,
+  tcl,
+  procps, bc, lua
+}:
+stdenv.mkDerivation
+{
+  name = "lmod";
+  inherit src;
+  buildInputs = [ tcl ];
+  nativeBuildInputs = [ procps bc (lua.withPackages (ps: with ps; [ luaposix ])) ];
+  configurePhase = ''./configure --prefix=$out/share'';
+  postUnpack = "patchShebangs .";
+}
--- a/local/pkgs/matplotplusplus/default.nix
+++ b/local/pkgs/matplotplusplus/default.nix
@@ -0,0 +1,18 @@
+{
+  stdenv, src, cmake, pkg-config, substituteAll,
+  gnuplot, libjpeg, libtiff, zlib, libpng, lapack, blas, fftw, opencv, nodesoup, cimg, glfw, libGL, python3, glad
+}: stdenv.mkDerivation
+{
+  name = "matplotplusplus";
+  inherit src;
+  cmakeFlags =
+  [
+    "-DBUILD_SHARED_LIBS=ON" "-DMATPLOTPP_BUILD_SHARED_LIBS=ON" "-DMATPLOTPP_BUILD_EXAMPLES=OFF"
+    "-DMATPLOTPP_WITH_SYSTEM_NODESOUP=ON" "-DMATPLOTPP_WITH_SYSTEM_CIMG=ON"
+    "-DMATPLOTPP_BUILD_EXPERIMENTAL_OPENGL_BACKEND=ON" "-DGLAD_REPRODUCIBLE=ON"
+  ];
+  buildInputs = [ gnuplot libjpeg libtiff zlib libpng lapack blas fftw opencv nodesoup cimg glfw libGL glad ];
+  nativeBuildInputs = [ cmake pkg-config python3 ];
+  propagatedBuildInputs = [ libGL glad glfw ];
+  propagatedNativeBuildInputs = [ python3 ];
+}
--- a/local/pkgs/mirism/default.nix
+++ b/local/pkgs/mirism/default.nix
@@ -0,0 +1,29 @@
+{
+  lib, stdenv, requireFile,
+  boost, nghttp2, brotli, nameof, cppcoro, tgbot-cpp, libbacktrace, fmt, date
+}: stdenv.mkDerivation rec
+{
+  name = "mirism";
+  # nix-store --query --hash $(nix store add-path . --name 'mirism')
+  src = requireFile
+  {
+    inherit name;
+    sha256 = "0f50pvdafhlmrlbf341mkp9q50v4ld5pbx92d2w1633f18zghbzf";
+    hashMode = "recursive";
+    message = "Source file not found.";
+  };
+  buildInputs = [ boost nghttp2.dev brotli nameof cppcoro tgbot-cpp libbacktrace fmt date ];
+  buildPhase =
+  ''
+    runHook preBuild
+    make ng01 beta
+    runHook postBuild
+  '';
+  installPhase =
+  ''
+    runHook preInstall
+    mkdir -p $out/bin
+    cp build/{ng01,beta} $out/bin
+    runHook postInstall
+  '';
+}
--- a/local/pkgs/misskey/default.nix
+++ b/local/pkgs/misskey/default.nix
@@ -0,0 +1,69 @@
+{
+  lib, stdenv, mkPnpmPackage, fetchurl, nodejs, writeShellScript, buildFHSEnv,
+  bash, cypress, vips, pkg-config, src, libtensorflow
+}:
+let
+  name = "misskey";
+  originalPnpmPackage = mkPnpmPackage
+  {
+    inherit name src nodejs;
+    copyPnpmStore = true;
+    extraIntegritySha256."https://github.com/aiscript-dev/aiscript-languageserver/releases/download/0.1.5/aiscript-dev-aiscript-languageserver-0.1.5.tgz" = "1mhnwa8h48bc21f0zv8q93aphiqz9i70r7m4xsa4sd1mlncfgyl7";
+  };
+  startScript = writeShellScript "misskey"
+  ''
+    export PATH=${lib.makeBinPath [ bash nodejs nodejs.pkgs.pnpm nodejs.pkgs.gulp cypress ]}:$PATH
+    export CYPRESS_RUN_BINARY="${cypress}/bin/Cypress"
+    export NODE_ENV=production
+    pnpm run migrateandstart
+  '';
+in
+  stdenv.mkDerivation rec
+  {
+    inherit src name;
+    buildInputs =
+    [
+      bash nodejs nodejs.pkgs.typescript nodejs.pkgs.pnpm nodejs.pkgs.gulp cypress vips pkg-config
+    ];
+    nativeBuildInputs = buildInputs;
+    CYPRESS_RUN_BINARY = "${cypress}/bin/Cypress";
+    NODE_ENV = "production";
+    configurePhase =
+    ''
+      export HOME=$NIX_BUILD_TOP # Some packages need a writable HOME
+      export npm_config_nodedir=${nodejs}
+      pnpm config set reporter append-only
+
+      runHook preConfigure
+
+      store=$(pnpm store path)
+      mkdir -p $(dirname $store)
+
+      cp -f ${originalPnpmPackage.passthru.patchedLockfileYaml} pnpm-lock.yaml
+      cp -RL ${originalPnpmPackage.passthru.pnpmStore} $store
+      chmod -R +w $store
+      pnpm install --frozen-lockfile --offline
+
+      runHook postConfigure
+    '';
+    buildPhase =
+    ''
+      runHook preBuild
+      pnpm run build
+      runHook postBuild
+    '';
+    installPhase =
+    ''
+      runHook preInstall
+      mkdir -p $out
+      mv * .* $out
+      mkdir -p $out/bin
+      cp ${startScript} $out/bin/misskey
+      mkdir -p $out/files
+      runHook postInstall
+    '';
+    passthru =
+    {
+      inherit originalPnpmPackage startScript;
+    };
+  }
--- a/local/pkgs/mk-meili-mgn/default.nix
+++ b/local/pkgs/mk-meili-mgn/default.nix
@@ -0,0 +1,16 @@
+{ lib, fetchFromGitHub, rustPlatform, pkg-config, openssl }:
+rustPlatform.buildRustPackage rec
+{
+  pname = "mk-meili-mgn";
+  version = "20230827";
+  src = fetchFromGitHub
+  {
+    owner = "CHN-beta";
+    repo = "mk-meili-mgn";
+    rev = "53e282c992293ec735c9bc964f097b5bdbc3e48a";
+    hash = "sha256-KBSoEGfWKDXZHSzSzak1v0nxtQQGI15DQTyNAPhsIB4=";
+  };
+  cargoHash = "sha256-wNdMPPl2H2iSrNYjoij0Qg/c2S5RjTHpOMV1RfHU27g=";
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ openssl ];
+}
--- a/local/pkgs/mumax/default.nix
+++ b/local/pkgs/mumax/default.nix
@@ -0,0 +1,22 @@
+{ buildGoModule, cudatoolkit, src, config, cudaCapabilities ? config.cudaCapabilities, gcc, makeWrapper }:
+# TODO: use addDriverRunpath
+buildGoModule
+{
+  name = "mumax";
+  inherit src;
+  vendorHash = null;
+  nativeBuildInputs = [ cudatoolkit gcc makeWrapper ];
+  CUDA_CC = builtins.concatStringsSep " " cudaCapabilities;
+  CPATH = "${cudatoolkit}/include";
+  LIBRARY_PATH = "${cudatoolkit}/lib/stubs";
+  doCheck = false;
+  postInstall =
+  ''
+    rm $out/bin/{doc,test}
+    for i in $out/bin/*; do
+      if [ -f $i ]; then
+        wrapProgram $i --prefix LD_LIBRARY_PATH ":" "/run/opengl-driver/lib:${cudatoolkit}/lib"
+      fi
+    done
+  '';
+}
--- a/local/pkgs/nameof/default.nix
+++ b/local/pkgs/nameof/default.nix
@@ -0,0 +1,13 @@
+{ lib, stdenv, src }: stdenv.mkDerivation
+{
+  name = "nameof";
+  inherit src;
+  phases = [ "installPhase" ];
+  installPhase =
+  ''
+    runHook preInstall
+    mkdir -p $out
+    cp -r $src/include $out
+    runHook postInstall
+  '';
+}
--- a/local/pkgs/nodesoup/default.nix
+++ b/local/pkgs/nodesoup/default.nix
@@ -0,0 +1,7 @@
+{ stdenv, src, cmake, pkg-config, cairo, pcre2, xorg }: stdenv.mkDerivation
+{
+  name = "nodesoup";
+  inherit src;
+  buildInputs = [ cairo pcre2.dev xorg.libXdmcp.dev ];
+  nativeBuildInputs = [ cmake pkg-config ];
+}
--- a/local/pkgs/nvhpc/default.nix
+++ b/local/pkgs/nvhpc/default.nix
@@ -0,0 +1,42 @@
+{
+  stdenvNoCC, fetchurl, buildFHSEnv,
+  gfortran, flock
+}:
+let
+  versions =
+  {
+    "24.1" = "1n0x1x7ywvr3623ylvrjagayn44mbvfas3c3062p7y3asmgjx697";
+    "23.1" = "1xg933f4n1bw39y1x1vrjrbzpx36sbmjgvi332hfck3dbx0n982m";
+  };
+  releaseName = version:
+    let versions = builtins.splitVersion version;
+    in "nvhpc_20${builtins.elemAt versions 0}_${builtins.concatStringsSep "" versions}_Linux_x86_64_cuda_multi";
+  builder = buildFHSEnv
+  {
+    name = "builder";
+    targetPkgs = pkgs: with pkgs; [ coreutils ];
+    extraBwrapArgs = [ "--bind" "$out" "$out" ];
+  };
+in let buildNvhpc = version: stdenvNoCC.mkDerivation
+{
+  pname = "nvhpc";
+  inherit version;
+  src = fetchurl
+  {
+    url = "https://developer.download.nvidia.com/hpc-sdk/${version}/${releaseName version}.tar.gz";
+    sha256 = versions.${version};
+  };
+  dontFixup = true;
+  dontBuild = true;
+  buildInputs = [ gfortran flock ];
+  installPhase =
+  ''
+    export NVHPC_SILENT=true
+    export NVHPC_INSTALL_TYPE=single
+    export NVHPC_INSTALL_DIR=$out/share/nvhpc
+    # $out should exist before bwrap
+    mkdir -p $out
+    ${builder}/bin/builder ./install
+  '';
+};
+in builtins.mapAttrs (version: _: buildNvhpc version) versions
--- a/local/pkgs/oneapi/default.nix
+++ b/local/pkgs/oneapi/default.nix
@@ -0,0 +1,88 @@
+{
+  stdenvNoCC, fetchurl, buildFHSEnv,
+  ncurses
+}:
+let
+  versions =
+  {
+    "2022.2" =
+    {
+      basekit =
+      {
+        id = "18673";
+        version = "2022.2.0.262";
+        sha256 = "03qx6sb58mkhc7iyc8va4y1ihj6l3155dxwmqj8dfw7j2ma7r5f6";
+        components =
+        [
+          "intel.oneapi.lin.dpcpp-ct"
+          "intel.oneapi.lin.dpcpp_dbg"
+          "intel.oneapi.lin.dpl"
+          "intel.oneapi.lin.tbb.devel"
+          "intel.oneapi.lin.ccl.devel"
+          "intel.oneapi.lin.dpcpp-cpp-compiler"
+          "intel.oneapi.lin.dpl"
+          "intel.oneapi.lin.mkl.devel"
+        ];
+      };
+      hpckit =
+      {
+        id = "18679";
+        version = "2022.2.0.191";
+        sha256 = "0swz4w9bn58wwqjkqhjqnkcs8k8ms9nn9s8k7j5w6rzvsa6817d2";
+      };
+    };
+    "2024.0" =
+    {
+      basekit =
+      {
+        id = "163da6e4-56eb-4948-aba3-debcec61c064";
+        version = "2024.0.1.46";
+        sha256 = "1sp1fgjv8xj8qxf8nv4lr1x5cxz7xl5wv4ixmfmcg0gyk28cjq1g";
+      };
+      hpckit =
+      {
+        id = "67c08c98-f311-4068-8b85-15d79c4f277a";
+        version = "2024.0.1.38";
+        sha256 = "06vpdz51w2v4ncgk8k6y2srlfbbdqdmb4v4bdwb67zsg9lmf8fp9";
+      };
+    };
+  };
+  builder = buildFHSEnv
+  {
+    name = "builder";
+    targetPkgs = pkgs: with pkgs; [ coreutils zlib ];
+    extraBwrapArgs = [ "--bind" "$out" "$out" ];
+    runScript = "sh";
+  };
+  componentString = components: if components == null then "--components default" else
+    " --components " + (builtins.concatStringsSep ":" components);
+in let buildOneapi = version: stdenvNoCC.mkDerivation rec
+{
+  pname = "oneapi";
+  inherit version;
+  basekit = fetchurl
+  {
+    url = "https://registrationcenter-download.intel.com/akdlm/IRC_NAS/${versions.${version}.basekit.id}/"
+      + "l_BaseKit_p_${versions.${version}.basekit.version}_offline.sh";
+    sha256 = versions.${version}.basekit.sha256;
+  };
+  hpckit = fetchurl
+  {
+    url = "https://registrationcenter-download.intel.com/akdlm/IRC_NAS/${versions.${version}.hpckit.id}/"
+      + "l_HPCKit_p_${versions.${version}.hpckit.version}_offline.sh";
+    sha256 = versions.${version}.hpckit.sha256;
+  };
+  phases = [ "installPhase" ];
+  nativeBuildInputs = [ ncurses ];
+  installPhase =
+  ''
+    mkdir -p $out
+    ${builder}/bin/builder ${basekit} -a --silent --eula accept --install-dir $out/share/intel \
+      ${componentString versions.${version}.basekit.components or null}
+    ${builder}/bin/builder ${hpckit} -a --silent --eula accept --install-dir $out/share/intel \
+      ${componentString versions.${version}.hpckit.components or null}
+    ${builder}/bin/builder $out/share/intel/modulefiles-setup.sh --output-dir=$out/share/intel/modulefiles \
+      --ignore-latest
+  '';
+};
+in builtins.mapAttrs (version: _: buildOneapi version) versions
--- a/local/pkgs/pix2tex/default.nix
+++ b/local/pkgs/pix2tex/default.nix
@@ -0,0 +1,32 @@
+{
+  lib, fetchFromGitHub, buildPythonPackage,
+  # general dependencies:
+  tqdm, munch, torch, opencv, requests, einops, transformers, tokenizers, numpy, pillow, pyyaml, pandas, timm,
+  albumentations,
+  # gui
+  pyqt6, pyqt6-webengine, pyside6, pynput, screeninfo,
+  # api
+  streamlit, fastapi, uvicorn, python-multipart,
+  # training
+  # python-Levenshtein, torchtext, imagesize
+  # highlight
+  pygments
+}: buildPythonPackage
+{
+  name = "pix2tex";
+  src = fetchFromGitHub
+  {
+    owner = "lukas-blecher";
+    repo = "LaTeX-OCR";
+    rev = "1781514fb8c92ea9f94057295fdae0e683f4648e";
+    hash = "sha256-I3B8eH7zV2zIogDt9znkEzp4EeBjY6NfI4jsl+v/8aM=";
+  };
+  patches = [ ./remove-version-requires.patch ];
+  propagatedBuildInputs =
+  [
+    tqdm munch torch opencv requests einops transformers tokenizers numpy pillow pyyaml pandas timm albumentations
+    pyqt6 pyqt6-webengine pyside6 pynput screeninfo
+    streamlit fastapi uvicorn python-multipart
+    pygments
+  ];
+}
--- a/local/pkgs/pix2tex/remove-version-requires.patch
+++ b/local/pkgs/pix2tex/remove-version-requires.patch
@@ -0,0 +1,13 @@
+diff --git a/setup.py b/setup.py
+index 29b26cb..511012f 100644
+--- a/setup.py
+++ b/setup.py
+@@ -64,7 +64,7 @@ setuptools.setup(
+         'Pillow>=9.1.0',
+         'PyYAML>=5.4.1',
+         'pandas>=1.0.0',
+-        'timm==0.5.4',
+        'timm>=0.5.4',
+         'albumentations>=0.5.2',
+         'pyreadline3>=3.4.1; platform_system=="Windows"',
+     ],
--- a/local/pkgs/pslist/default.nix
+++ b/local/pkgs/pslist/default.nix
@@ -0,0 +1,27 @@
+# http://launchpadlibrarian.net/632309499/pslist_1.4.0-4_all.deb
+# https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/pslist/1.4.0-4/pslist_1.4.0.orig.tar.xz
+{ lib, stdenv, fetchzip, perl, procps }: stdenv.mkDerivation
+{
+  pname = "pslist";
+  version = "1.4.0";
+  src = fetchzip
+  {
+    url = "https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/pslist/1.4.0-4/pslist_1.4.0.orig.tar.xz";
+    sha256 = "1sp1h7ccniz658ms331npffpa9iz8llig43d9mlysll420nb3xqv";
+  };
+  buildInstall = [ perl procps ];
+  installPhase =
+  ''
+    mkdir -p $out/bin
+    cp $src/pslist $out/bin
+    ln -s pslist $out/bin/rkill
+    ln -s pslist $out/bin/rrenice
+    mkdir -p $out/share/man/man1
+    cp $src/pslist.1 $out/share/man/man1
+    ln -s pslist.1 $out/share/man/man1/rkill.1
+    ln -s pslist.1 $out/share/man/man1/rrenice.1
+
+    sed -i 's|/usr/bin/perl|${perl}/bin/perl|' $out/bin/pslist
+    sed -i 's|/bin/ps|${procps}/bin/ps|' $out/bin/pslist
+  '';
+}
--- a/local/pkgs/pyreadline3/default.nix
+++ b/local/pkgs/pyreadline3/default.nix
@@ -0,0 +1,14 @@
+{
+  lib, fetchFromGitHub, buildPythonPackage
+}: buildPythonPackage rec
+{
+  pname = "pyreadline3";
+  version = "3.4.1";
+  src = fetchFromGitHub
+  {
+    owner = "pyreadline3";
+    repo = "pyreadline3";
+    rev = "v${version}";
+    hash = "sha256-02/gkx955NupVKXSu/xBQQtY4SEP4zxbNQYg1oQ/nGY=";
+  };
+}
--- a/local/pkgs/rsshub/default.nix
+++ b/local/pkgs/rsshub/default.nix
@@ -0,0 +1,50 @@
+{
+  lib, stdenv, mkPnpmPackage, nodejs, writeShellScript,
+  chromium, bash, src
+}:
+let
+  name = "rsshub";
+  originalPnpmPackage = mkPnpmPackage { inherit name src nodejs; };
+  nodeModules = originalPnpmPackage.nodeModules.overrideAttrs { PUPPETEER_SKIP_DOWNLOAD = true; };
+  rsshub-unwrapped = stdenv.mkDerivation
+  {
+    inherit src;
+    name = "${name}-unwrapped";
+    configurePhase = 
+    ''
+      export HOME=$NIX_BUILD_TOP # Some packages need a writable HOME
+      export npm_config_nodedir=${nodejs}
+
+      runHook preConfigure
+
+      ln -s ${nodeModules}/. node_modules
+
+      runHook postConfigure
+    '';
+    installPhase =
+    ''
+      runHook preInstall
+      mkdir -p $out
+      mv * .* $out
+      runHook postInstall
+    '';
+  };
+  startScript = writeShellScript "rsshub"
+  ''
+    cd ${rsshub-unwrapped}
+    export PATH=${lib.makeBinPath [ bash nodejs nodejs.pkgs.pnpm chromium ]}:$PATH
+    export CHROMIUM_EXECUTABLE_PATH=chromium
+    pnpm start
+  '';
+in stdenv.mkDerivation
+{
+  inherit name;
+  phases = [ "installPhase" ];
+  installPhase =
+  ''
+    runHook preInstall
+    mkdir -p $out/bin
+    cp ${startScript} $out/bin/rsshub
+    runHook postInstall
+  '';
+}
--- a/local/pkgs/slate/default.nix
+++ b/local/pkgs/slate/default.nix
@@ -0,0 +1,10 @@
+{ stdenv, src }: stdenv.mkDerivation
+{
+  name = "slate";
+  src = "${src}/Slate.tar.gz";
+  installPhase =
+  ''
+    mkdir -p $out/share/yakuake/skins/Slate
+    cp -r * $out/share/yakuake/skins/Slate
+  '';
+}
--- a/local/pkgs/spectral/default.nix
+++ b/local/pkgs/spectral/default.nix
@@ -1,15 +0,0 @@
-{
-	lib, fetchPypi, buildPythonPackage,
-	numpy, pillow, wxPython_4_2, matplotlib, ipython, pyopengl
-}: buildPythonPackage rec
-{
-	pname = "spectral";
-	version = "0.23.1";
-	src = fetchPypi
-	{
-		inherit pname version;
-		sha256 = "sha256-4YIic1Je81g7J6lmIm1Vr+CefSmnI2z82LwN+x+Wj8I=";
-	};
-	doCheck = false;
-	propagatedBuildInputs = [ numpy pillow wxPython_4_2 matplotlib ipython pyopengl ];
-}
--- a/local/pkgs/tgbot-cpp/default.nix
+++ b/local/pkgs/tgbot-cpp/default.nix
@@ -0,0 +1,8 @@
+{ stdenv, src, cmake, pkg-config, boost, openssl, zlib, curl }: stdenv.mkDerivation rec
+{
+  name = "tgbot-cpp";
+  inherit src;
+  nativeBuildInputs = [ cmake pkg-config ];
+  buildInputs = [ boost openssl zlib curl.dev ];
+  propagatedBuildInputs = buildInputs;
+}
--- a/local/pkgs/torchdata/default.nix
+++ b/local/pkgs/torchdata/default.nix
@@ -0,0 +1,20 @@
+{
+  lib, fetchFromGitHub, buildPythonPackage,
+  torch, urllib3, requests, cmake, pkg-config, ninja
+}: buildPythonPackage rec
+{
+  pname = "torchdata";
+  version = "0.7.1";
+  src = fetchFromGitHub
+  {
+    owner = "pytorch";
+    repo = "data";
+    rev = "v${version}";
+    hash = "sha256-SOeu+mI4p2tHX0YyctrDBcrz2/zYcwH9GGJ+6ytRmjQ=";
+    fetchSubmodules = true;
+  };
+  dontUseCmakeConfigure = true;
+  pyproject = true;
+  propagatedBuildInputs = [ torch urllib3 requests ];
+  nativeBuildInputs = [ cmake pkg-config ninja ];
+}
--- a/local/pkgs/torchtext/default.nix
+++ b/local/pkgs/torchtext/default.nix
@@ -0,0 +1,20 @@
+{
+  lib, fetchFromGitHub, buildPythonPackage,
+  tqdm, requests, torch, numpy, torchdata, cmake
+}: buildPythonPackage rec
+{
+  pname = "torchtext";
+  version = "0.16.1";
+  src = fetchFromGitHub
+  {
+    owner = "pytorch";
+    repo = "text";
+    rev = "v${version}";
+    hash = "sha256-4a33AWdd1VZwRL5vTawo0yplpw+qcNMetbfE1h1kafE=";
+    fetchSubmodules = true;
+  };
+  dontUseCmakeConfigure = true;
+  pyproject = true;
+  propagatedBuildInputs = [ tqdm requests torch numpy torchdata ];
+  nativeBuildInputs = [ cmake ];
+}
--- a/local/pkgs/typora/default.nix
+++ b/local/pkgs/typora/default.nix
@@ -1,42 +0,0 @@
-{ lib, stdenv, steam-run, fetchurl, writeShellScript }:
-let
-	typora-dist = stdenv.mkDerivation rec
-	{
-		pname = "typora-dist";
-		version = "1.6.6";
-		src = fetchurl
-		{
-			url = "https://download.typora.io/linux/typora_${version}_amd64.deb";
-			sha256 = "sha256-77mCgmsROLhfuOmOOyl2C5Ug2NfqEvcD+kMA3aiAQtA=";
-		};
-
-		dontFixup = true;
-
-		unpackPhase =
-		''
-			ar x ${src}
-			tar xf data.tar.xz
-		'';
-		installPhase =
-		''
-			mkdir -p $out
-			mv usr/share $out
-		'';
-	};
-in stdenv.mkDerivation rec
-{
-	pname = "typora";
-	inherit (typora-dist) version;
-	BuildInputs = [ typora-dist steam-run ];
-	startScript = writeShellScript "typora" "${steam-run}/bin/steam-run ${typora-dist}/share/typora/Typora $@";
-	phases = [ "installPhase" ];
-  installPhase =
-	''
-    mkdir -p $out/bin $out/share/applications
-    ln -s ${startScript} $out/bin/typora
-    cp ${typora-dist}/share/applications/typora.desktop $out/share/applications
-		sed -i "s|Exec=.*|Exec=${startScript} %U|g" $out/share/applications/typora.desktop
-		sed -i "s|Icon=.*|Icon=${typora-dist}/share/icons/hicolor/256x256/apps/typora.png|g" \
-			$out/share/applications/typora.desktop
-  '';
-}
--- a/local/pkgs/upho/default.nix
+++ b/local/pkgs/upho/default.nix
@@ -1,14 +0,0 @@
-{ lib, fetchFromGitHub, buildPythonPackage, numpy, h5py, phonopy }: buildPythonPackage rec
-{
-	pname = "upho";
-	version = "0.6.6";
-	src = fetchFromGitHub
-	{
-		owner = "CHN-beta";
-		repo = "upho";
-		rev = "0f27ac6918e8972c70692816438e4ac37ec6b348";
-		sha256 = "sha256-NvoV+AUH9MmGT4ohrLAAvpLs8APP2DOKYlZVliHrVRM=";
-	};
-	doCheck = false;
-	propagatedBuildInputs = [ numpy h5py phonopy ];
-}
--- a/local/pkgs/v-sim/default.nix
+++ b/local/pkgs/v-sim/default.nix
@@ -0,0 +1,21 @@
+{
+  stdenv, lib, src,
+  wrapGAppsHook, autoreconfHook, autoconf, libtool, intltool, gettext, automake, gtk-doc, pkg-config, gfortran, libxslt,
+  glib, gtk3, epoxy, libyaml
+}:
+stdenv.mkDerivation
+{
+  name = "v-sim";
+  inherit src;
+  buildInputs = [ glib gtk3 epoxy libyaml ];
+  nativeBuildInputs =
+  [
+    autoreconfHook wrapGAppsHook autoconf libtool intltool gettext automake pkg-config
+    gtk-doc gfortran libxslt.bin
+  ];
+  enableParallelBuilding = true;
+  postPatch =
+  ''
+    ./autogen.sh
+  '';
+}
--- a/local/pkgs/vasp/constr_cell_relax.F
+++ b/local/pkgs/vasp/constr_cell_relax.F
@@ -0,0 +1,22 @@
+SUBROUTINE CONSTR_CELL_RELAX(FCELL)
+  USE prec
+  REAL(q) FCELL(3,3)
+
+  LOGICAL FILFLG
+  INTEGER ICELL(3,3)
+  INQUIRE(FILE='OPTCELL',EXIST=FILFLG)
+  IF (FILFLG) THEN
+      OPEN(67,FILE='OPTCELL',FORM='FORMATTED',STATUS='OLD')
+      DO J=1,3
+        READ(67,"(3I1)") (ICELL(I,J),I=1,3)
+      ENDDO
+      CLOSE(67)
+      DO J=1,3
+      DO I=1,3
+        IF (ICELL(I,J)==0) FCELL(I,J)=0.0
+      ENDDO
+      ENDDO
+  ENDIF
+
+  RETURN
+END SUBROUTINE
--- a/local/pkgs/vasp/gnu/default.nix
+++ b/local/pkgs/vasp/gnu/default.nix
@@ -0,0 +1,46 @@
+{
+  stdenvNoCC, requireFile, writeShellApplication,
+  rsync, blas, scalapack, mpi, openmp, gfortran, gcc, fftwMpi, hdf5, wannier90
+}:
+let
+  sources = import ../source.nix { inherit requireFile; };
+  vasp = version: stdenvNoCC.mkDerivation rec
+  {
+    pname = "vasp-gnu";
+    inherit version;
+    src = sources.${version};
+    configurePhase =
+    ''
+      cp ${./makefile.include-${version}} makefile.include
+      cp ${../constr_cell_relax.F} src/constr_cell_relax.F
+      mkdir -p bin
+    '';
+    enableParallelBuilding = true;
+    makeFlags = "DEPS=1";
+    buildInputs = [ blas scalapack mpi openmp fftwMpi.dev fftwMpi hdf5 hdf5.dev wannier90 ];
+    nativeBuildInputs = [ rsync gfortran gfortran.cc gcc ];
+    FFTW_ROOT = fftwMpi.dev;
+    HDF5_ROOT = hdf5.dev;
+    WANNIER90_ROOT = wannier90;
+    installPhase =
+    ''
+      mkdir -p $out/bin
+      for i in std gam ncl; do
+        cp bin/vasp_$i $out/bin/vasp-$i
+      done
+    '';
+  };
+  startScript = version: writeShellApplication
+  {
+    name = "vasp-gnu-${version}";
+    runtimeInputs = [ (vasp version) ];
+    text =
+    ''
+      if [ -n "''${SLURM_CPUS_PER_TASK-}" ] && [ -n "''${SLURM_THREADS_PER_CPU-}" ]; then
+        export OMP_NUM_THREADS=$(( SLURM_CPUS_PER_TASK * SLURM_THREADS_PER_CPU ))
+      fi
+      export PATH=$PATH:$PWD
+      exec "$@"
+    '';
+  };
+in builtins.mapAttrs (version: _: startScript version) sources
--- a/local/pkgs/vasp/gnu/makefile.include-6.3.1
+++ b/local/pkgs/vasp/gnu/makefile.include-6.3.1
@@ -0,0 +1,92 @@
+# Default precompiler options
+CPP_OPTIONS = -DHOST=\"LinuxGNU\" \
+              -DMPI -DMPI_BLOCK=8000 -Duse_collective \
+              -DscaLAPACK \
+              -DCACHE_SIZE=4000 \
+              -Davoidalloc \
+              -Dvasp6 \
+              -Duse_bse_te \
+              -Dtbdyn \
+              -Dfock_dblbuf \
+              -D_OPENMP -Duse_shmem -Dshmem_bcast_buffer -Dshmem_rproj
+
+CPP         = gcc -E -C -w $*$(FUFFIX) >$*$(SUFFIX) $(CPP_OPTIONS)
+
+FC          = mpif90 -fopenmp
+FCL         = mpif90 -fopenmp
+
+FREE        = -ffree-form -ffree-line-length-none
+
+FFLAGS      = -w -ffpe-summary=none
+
+OFLAG       = -O2
+OFLAG_IN    = $(OFLAG)
+DEBUG       = -O0
+
+OBJECTS     = fftmpiw.o fftmpi_map.o fftw3d.o fft3dlib.o
+OBJECTS_O1 += fftw3d.o fftmpi.o fftmpiw.o
+OBJECTS_O2 += fft3dlib.o
+
+# For what used to be vasp.5.lib
+CPP_LIB     = $(CPP)
+FC_LIB      = $(FC)
+CC_LIB      = gcc
+CFLAGS_LIB  = -O
+FFLAGS_LIB  = -O1
+FREE_LIB    = $(FREE)
+
+OBJECTS_LIB = linpack_double.o getshmem.o
+
+# For the parser library
+CXX_PARS    = g++
+LLIBS       = -lstdc++
+
+##
+## Customize as of this point! Of course you may change the preceding
+## part of this file as well if you like, but it should rarely be
+## necessary ...
+##
+
+# When compiling on the target machine itself, change this to the
+# relevant target when cross-compiling for another architecture
+# VASP_TARGET_CPU ?= -march=native
+# FFLAGS     += $(VASP_TARGET_CPU)
+
+# For gcc-10 and higher (comment out for older versions)
+FFLAGS     += -fallow-argument-mismatch
+
+# BLAS and LAPACK (mandatory)
+# OPENBLAS_ROOT ?= /path/to/your/openblas/installation
+# BLASPACK    = -L$(OPENBLAS_ROOT)/lib -lopenblas
+BLASPACK    = -lblas
+
+# scaLAPACK (mandatory)
+# SCALAPACK_ROOT ?= /path/to/your/scalapack/installation
+# SCALAPACK   = -L$(SCALAPACK_ROOT)/lib -lscalapack
+SCALAPACK = -lscalapack
+
+LLIBS      += $(SCALAPACK) $(BLASPACK)
+
+# FFTW (mandatory)
+FFTW_ROOT  ?= /path/to/your/fftw/installation
+LLIBS      += -L$(FFTW_ROOT)/lib -lfftw3 -lfftw3_omp
+INCS       += -I$(FFTW_ROOT)/include
+
+# HDF5-support (optional but strongly recommended)
+CPP_OPTIONS+= -DVASP_HDF5
+HDF5_ROOT  ?= /path/to/your/hdf5/installation
+LLIBS      += -L$(HDF5_ROOT)/lib -lhdf5_fortran
+INCS       += -I$(HDF5_ROOT)/include
+
+# For the VASP-2-Wannier90 interface (optional)
+CPP_OPTIONS    += -DVASP2WANNIER90
+WANNIER90_ROOT ?= /path/to/your/wannier90/installation
+LLIBS          += -L$(WANNIER90_ROOT)/lib -lwannier
+
+# For the fftlib library (recommended)
+#CPP_OPTIONS+= -Dsysv
+#FCL        += fftlib.o
+#CXX_FFTLIB  = g++ -fopenmp -std=c++11 -DFFTLIB_THREADSAFE
+#INCS_FFTLIB = -I./include -I$(FFTW_ROOT)/include
+#LIBS       += fftlib
+#LLIBS      += -ldl
--- a/local/pkgs/vasp/gnu/makefile.include-6.4.0
+++ b/local/pkgs/vasp/gnu/makefile.include-6.4.0
@@ -0,0 +1,93 @@
+# Default precompiler options
+CPP_OPTIONS = -DHOST=\"LinuxGNU\" \
+              -DMPI -DMPI_BLOCK=8000 -Duse_collective \
+              -DscaLAPACK \
+              -DCACHE_SIZE=4000 \
+              -Davoidalloc \
+              -Dvasp6 \
+              -Duse_bse_te \
+              -Dtbdyn \
+              -Dfock_dblbuf \
+              -D_OPENMP -Duse_shmem -Dshmem_bcast_buffer -Dshmem_rproj
+
+CPP         = gcc -E -C -w $*$(FUFFIX) >$*$(SUFFIX) $(CPP_OPTIONS)
+
+FC          = mpif90 -fopenmp
+FCL         = mpif90 -fopenmp
+
+FREE        = -ffree-form -ffree-line-length-none
+
+FFLAGS      = -w -ffpe-summary=none
+
+OFLAG       = -O3
+OFLAG_IN    = $(OFLAG)
+DEBUG       = -O0
+
+OBJECTS     = fftmpiw.o fftmpi_map.o fftw3d.o fft3dlib.o
+OBJECTS_O1 += fftw3d.o fftmpi.o fftmpiw.o
+OBJECTS_O2 += fft3dlib.o
+
+# For what used to be vasp.5.lib
+CPP_LIB     = $(CPP)
+FC_LIB      = $(FC)
+CC_LIB      = gcc
+CFLAGS_LIB  = -O
+FFLAGS_LIB  = -O1
+FREE_LIB    = $(FREE)
+
+OBJECTS_LIB = linpack_double.o getshmem.o
+
+# For the parser library
+CXX_PARS    = g++
+LLIBS       = -lstdc++
+
+##
+## Customize as of this point! Of course you may change the preceding
+## part of this file as well if you like, but it should rarely be
+## necessary ...
+##
+
+# When compiling on the target machine itself, change this to the
+# relevant target when cross-compiling for another architecture
+# VASP_TARGET_CPU ?= -march=native
+# FFLAGS     += $(VASP_TARGET_CPU)
+
+# For gcc-10 and higher (comment out for older versions)
+FFLAGS     += -fallow-argument-mismatch
+
+# BLAS and LAPACK (mandatory)
+# OPENBLAS_ROOT ?= /path/to/your/openblas/installation
+# BLASPACK    = -L$(OPENBLAS_ROOT)/lib -lopenblas
+BLASPACK    = -lblas
+
+# scaLAPACK (mandatory)
+# SCALAPACK_ROOT ?= /path/to/your/scalapack/installation
+# SCALAPACK   = -L$(SCALAPACK_ROOT)/lib -lscalapack
+SCALAPACK = -lscalapack
+
+LLIBS      += $(SCALAPACK) $(BLASPACK)
+
+# FFTW (mandatory)
+FFTW_ROOT  ?= /path/to/your/fftw/installation
+LLIBS      += -L$(FFTW_ROOT)/lib -lfftw3 -lfftw3_omp
+INCS       += -I$(FFTW_ROOT)/include
+
+# HDF5-support (optional but strongly recommended)
+CPP_OPTIONS+= -DVASP_HDF5
+HDF5_ROOT  ?= /path/to/your/hdf5/installation
+LLIBS      += -L$(HDF5_ROOT)/lib -lhdf5_fortran
+INCS       += -I$(HDF5_ROOT)/include
+
+# For the VASP-2-Wannier90 interface (optional)
+CPP_OPTIONS    += -DVASP2WANNIER90
+WANNIER90_ROOT ?= /path/to/your/wannier90/installation
+LLIBS          += -L$(WANNIER90_ROOT)/lib -lwannier
+
+# For the fftlib library (recommended)
+CPP_OPTIONS+= -Dsysv
+FCL        += fftlib.o
+CXX_FFTLIB  = g++ -fopenmp -std=c++11 -DFFTLIB_THREADSAFE
+# INCS_FFTLIB = -I./include -I$(FFTW_ROOT)/include
+INCS_FFTLIB = -I./include
+LIBS       += fftlib
+LLIBS      += -ldl
--- a/local/pkgs/vasp/intel/default.nix
+++ b/local/pkgs/vasp/intel/default.nix
@@ -0,0 +1,71 @@
+{
+  buildFHSEnv, writeScript, stdenvNoCC, requireFile, substituteAll, symlinkJoin,
+  config, oneapiArch ? config.oneapiArch or "SSE3",
+  oneapi, gfortran, gcc, glibc, lmod, rsync, which, hdf5, wannier90
+}:
+let
+  versions = import ../source.nix;
+  buildEnv = buildFHSEnv
+  {
+    name = "buildEnv";
+    # make "module load mpi" success
+    targetPkgs = pkgs: with pkgs; [ zlib (writeTextDir "etc/release" "") ];
+  };
+  buildScript = writeScript "build"
+  ''
+    . ${lmod}/share/lmod/lmod/init/bash
+    module use ${oneapi}/share/intel/modulefiles
+    module load tbb compiler-rt oclfpga # dependencies
+    module load mpi mkl compiler
+    mkdir -p bin
+    make DEPS=1 -j$NIX_BUILD_CORES std
+  '';
+  include = version: substituteAll
+  {
+    src = ./makefile.include-${version};
+    inherit oneapiArch;
+    gcc = symlinkJoin { name = "gcc"; paths = [ gfortran gfortran.cc gcc ]; };
+  };
+  vasp = version: stdenvNoCC.mkDerivation rec
+  {
+    pname = "vasp";
+    inherit version;
+    src = requireFile
+    {
+      name = "${pname}-${version}";
+      sha256 = versions.${version};
+      hashMode = "recursive";
+      message = "Source file not found.";
+    };
+    configurePhase =
+    ''
+      cp ${include version} makefile.include
+      cp ${../constr_cell_relax.F} src/constr_cell_relax.F
+    '';
+    enableParallelBuilding = false;
+    buildInputs = [ hdf5 hdf5.dev wannier90 glibc glibc.dev ];
+    nativeBuildInputs = [ gfortran gfortran.cc gcc rsync which ];
+    HDF5_ROOT = hdf5.dev;
+    WANNIER90_ROOT = wannier90;
+    buildPhase = "${buildEnv}/bin/buildEnv ${buildScript}";
+    installPhase =
+    ''
+      mkdir -p $out/bin
+      for i in std gam ncl; do cp bin/vasp_$i $out/bin/vasp-$i; done
+    '';
+  };
+  startScript = version: writeScript "vasp-intel-${version}"
+  ''
+    . ${lmod}/share/lmod/lmod/init/bash
+    module use ${oneapi}/share/intel/modulefiles
+    module load tbb compiler-rt oclfpga # dependencies
+    module load mpi mkl compiler
+    exec "$@"
+  '';
+  runEnv = version: buildFHSEnv
+  {
+    name = "vasp-intel-${version}";
+    targetPkgs = pkgs: with pkgs; [ zlib (vasp version) (writeTextDir "etc/release" "") ];
+    runScript = startScript version;
+  };
+in builtins.mapAttrs (version: _: runEnv version) versions
--- a/local/pkgs/vasp/intel/makefile.include-6.3.1
+++ b/local/pkgs/vasp/intel/makefile.include-6.3.1
@@ -0,0 +1,82 @@
+# Default precompiler options
+CPP_OPTIONS = -DHOST=\"LinuxIFC\" \
+              -DMPI -DMPI_BLOCK=8000 -Duse_collective \
+              -DscaLAPACK \
+              -DCACHE_SIZE=4000 \
+              -Davoidalloc \
+              -Dvasp6 \
+              -Duse_bse_te \
+              -Dtbdyn \
+              -Dfock_dblbuf \
+              -D_OPENMP -Duse_shmem -Dshmem_bcast_buffer -Dshmem_rproj
+
+CPP         = fpp -f_com=no -free -w0  $*$(FUFFIX) $*$(SUFFIX) $(CPP_OPTIONS)
+
+FC          = I_MPI_FC=ifort mpif90 -qopenmp
+FCL         = I_MPI_FC=ifort mpif90
+
+FREE        = -free -names lowercase
+
+FFLAGS      = -assume byterecl -w
+
+OFLAG       = -O2
+OFLAG_IN    = $(OFLAG)
+DEBUG       = -O0
+
+OBJECTS     = fftmpiw.o fftmpi_map.o fftw3d.o fft3dlib.o
+OBJECTS_O1 += fftw3d.o fftmpi.o fftmpiw.o
+OBJECTS_O2 += fft3dlib.o
+
+# For what used to be vasp.5.lib
+CPP_LIB     = $(CPP)
+FC_LIB      = $(FC)
+CC_LIB      = icc
+CFLAGS_LIB  = -O
+FFLAGS_LIB  = -O1
+FREE_LIB    = $(FREE)
+
+OBJECTS_LIB = linpack_double.o getshmem.o
+
+# For the parser library
+CXX_PARS    = icpc
+LLIBS       = -lstdc++
+
+##
+## Customize as of this point! Of course you may change the preceding
+## part of this file as well if you like, but it should rarely be
+## necessary ...
+##
+
+# When compiling on the target machine itself, change this to the
+# relevant target when cross-compiling for another architecture
+VASP_TARGET_CPU ?= -x@oneapiArch@
+FFLAGS     += $(VASP_TARGET_CPU)
+ 
+# Intel MKL for FFTW, BLAS, LAPACK, and scaLAPACK
+# (Note: for Intel Parallel Studio's MKL use -mkl instead of -qmkl)
+FCL        += -qmkl
+MKLROOT    ?= /path/to/your/mkl/installation
+INCS        =-I$(MKLROOT)/include/fftw
+
+# Use a separate scaLAPACK installation (optional but recommended in combination with OpenMPI)
+# Comment out the two lines below if you want to use scaLAPACK from MKL instead
+#SCALAPACK_ROOT ?= /path/to/your/scalapack/installation
+#LLIBS      += -L${SCALAPACK_ROOT}/lib -lscalapack
+
+# HDF5-support (optional but strongly recommended)
+CPP_OPTIONS+= -DVASP_HDF5
+HDF5_ROOT  ?= /path/to/your/hdf5/installation
+LLIBS      += -L$(HDF5_ROOT)/lib -lhdf5_fortran
+INCS       += -I$(HDF5_ROOT)/include
+
+# For the VASP-2-Wannier90 interface (optional)
+CPP_OPTIONS    += -DVASP2WANNIER90
+WANNIER90_ROOT ?= /path/to/your/wannier90/installation
+LLIBS          += -L$(WANNIER90_ROOT)/lib -lwannier
+
+# For the fftlib library (hardly any benefit in combination with MKL's FFTs)
+#CPP_OPTION += -Dsysv
+#FCL         = mpif90 fftlib.o -qmkl
+#CXX_FFTLIB  = icpc -qopenmp -std=c++11 -DFFTLIB_USE_MKL -DFFTLIB_THREADSAFE
+#INCS_FFTLIB = -I./include -I$(MKLROOT)/include/fftw
+#LIBS       += fftlib
--- a/local/pkgs/vasp/intel/makefile.include-6.4.0
+++ b/local/pkgs/vasp/intel/makefile.include-6.4.0
@@ -0,0 +1,82 @@
+# Default precompiler options
+CPP_OPTIONS = -DHOST=\"LinuxIFC\" \
+              -DMPI -DMPI_BLOCK=8000 -Duse_collective \
+              -DscaLAPACK \
+              -DCACHE_SIZE=4000 \
+              -Davoidalloc \
+              -Dvasp6 \
+              -Duse_bse_te \
+              -Dtbdyn \
+              -Dfock_dblbuf \
+              -D_OPENMP -Duse_shmem -Dshmem_bcast_buffer -Dshmem_rproj
+
+CPP         = fpp -f_com=no -free -w0  $*$(FUFFIX) $*$(SUFFIX) $(CPP_OPTIONS)
+
+FC          = I_MPI_F90=ifort mpif90 -qopenmp
+FCL         = I_MPI_F90=ifort mpif90
+
+FREE        = -free -names lowercase
+
+FFLAGS      = -assume byterecl -w
+
+OFLAG       = -O2
+OFLAG_IN    = $(OFLAG)
+DEBUG       = -O0
+
+OBJECTS     = fftmpiw.o fftmpi_map.o fftw3d.o fft3dlib.o
+OBJECTS_O1 += fftw3d.o fftmpi.o fftmpiw.o
+OBJECTS_O2 += fft3dlib.o
+
+# For what used to be vasp.5.lib
+CPP_LIB     = $(CPP)
+FC_LIB      = $(FC)
+CC_LIB      = icc
+CFLAGS_LIB  = -O
+FFLAGS_LIB  = -O1
+FREE_LIB    = $(FREE)
+
+OBJECTS_LIB = linpack_double.o getshmem.o
+
+# For the parser library
+CXX_PARS    = icpc
+LLIBS       = -lstdc++
+
+##
+## Customize as of this point! Of course you may change the preceding
+## part of this file as well if you like, but it should rarely be
+## necessary ...
+##
+
+# When compiling on the target machine itself, change this to the
+# relevant target when cross-compiling for another architecture
+VASP_TARGET_CPU ?= -x@oneapiArch@
+FFLAGS     += $(VASP_TARGET_CPU)
+ 
+# Intel MKL for FFTW, BLAS, LAPACK, and scaLAPACK
+# (Note: for Intel Parallel Studio's MKL use -mkl instead of -qmkl)
+FCL        += -qmkl
+MKLROOT    ?= /path/to/your/mkl/installation
+INCS        =-I$(MKLROOT)/include/fftw
+
+# Use a separate scaLAPACK installation (optional but recommended in combination with OpenMPI)
+# Comment out the two lines below if you want to use scaLAPACK from MKL instead
+#SCALAPACK_ROOT ?= /path/to/your/scalapack/installation
+#LLIBS      += -L${SCALAPACK_ROOT}/lib -lscalapack
+
+# HDF5-support (optional but strongly recommended)
+CPP_OPTIONS+= -DVASP_HDF5
+HDF5_ROOT  ?= /path/to/your/hdf5/installation
+LLIBS      += -L$(HDF5_ROOT)/lib -lhdf5_fortran
+INCS       += -I$(HDF5_ROOT)/include
+
+# For the VASP-2-Wannier90 interface (optional)
+CPP_OPTIONS    += -DVASP2WANNIER90
+WANNIER90_ROOT ?= /path/to/your/wannier90/installation
+LLIBS          += -L$(WANNIER90_ROOT)/lib -lwannier
+
+# For the fftlib library (hardly any benefit in combination with MKL's FFTs)
+#CPP_OPTION += -Dsysv
+#FCL         = mpif90 fftlib.o -qmkl
+#CXX_FFTLIB  = icpc -qopenmp -std=c++11 -DFFTLIB_USE_MKL -DFFTLIB_THREADSAFE
+#INCS_FFTLIB = -I./include -I$(MKLROOT)/include/fftw
+#LIBS       += fftlib
--- a/local/pkgs/vasp/nvidia/default.nix
+++ b/local/pkgs/vasp/nvidia/default.nix
@@ -0,0 +1,71 @@
+{
+  buildFHSEnv, writeScript, stdenvNoCC, requireFile, substituteAll,
+  config, cudaCapabilities ? config.cudaCapabilities, nvhpcArch ? config.nvhpcArch or "px",
+  nvhpc, lmod, mkl, gfortran, rsync, which, hdf5, wannier90
+}:
+let
+  sources = import ../source.nix { inherit requireFile; };
+  buildEnv = buildFHSEnv
+  {
+    name = "buildEnv";
+    targetPkgs = pkgs: with pkgs; [ zlib ];
+  };
+  buildScript = writeScript "build"
+  ''
+    . ${lmod}/share/lmod/lmod/init/bash
+    module use ${nvhpc}/share/nvhpc/modulefiles
+    module load nvhpc
+    mkdir -p bin
+    make DEPS=1 -j$NIX_BUILD_CORES
+  '';
+  include = version: substituteAll
+  {
+    src = ./makefile.include-${version};
+    cudaCapabilities = builtins.concatStringsSep "," (builtins.map
+      (cap: "cc${builtins.replaceStrings ["."] [""] cap}")
+      cudaCapabilities);
+    inherit nvhpcArch;
+  };
+  vasp = version: stdenvNoCC.mkDerivation rec
+  {
+    pname = "vasp";
+    inherit version;
+    src = sources.${version};
+    configurePhase =
+    ''
+      cp ${include version} makefile.include
+      cp ${../constr_cell_relax.F} src/constr_cell_relax.F
+    '';
+    enableParallelBuilding = true;
+    buildInputs = [ mkl hdf5 wannier90 ];
+    nativeBuildInputs = [ gfortran rsync which ];
+    MKLROOT = "${mkl}";
+    HDF5_ROOT = "${hdf5}";
+    WANNIER90_ROOT = "${wannier90}";
+    buildPhase = "${buildEnv}/bin/buildEnv ${buildScript}";
+    installPhase =
+    ''
+      mkdir -p $out/bin
+      for i in std gam ncl; do cp bin/vasp_$i $out/bin/vasp-$i; done
+    '';
+    requiredSystemFeatures = [ "nvhpcarch-${nvhpcArch}" ];
+  };
+  startScript = version: writeScript "vasp-nvidia-${version}"
+  ''
+    . ${lmod}/share/lmod/lmod/init/bash
+    module use ${nvhpc}/share/nvhpc/modulefiles
+    module load nvhpc
+
+    # if SLURM_CPUS_PER_TASK and SLURM_THREADS_PER_CPU are set, use them to set OMP_NUM_THREADS
+    if [ -n "''${SLURM_CPUS_PER_TASK-}" ] && [ -n "''${SLURM_THREADS_PER_CPU-}" ]; then
+      export OMP_NUM_THREADS=$(( SLURM_CPUS_PER_TASK * SLURM_THREADS_PER_CPU ))
+    fi
+    exec "$@"
+  '';
+  runEnv = version: buildFHSEnv
+  {
+    name = "vasp-nvidia-${version}";
+    targetPkgs = pkgs: with pkgs; [ zlib (vasp version) ];
+    runScript = startScript version;
+  };
+in builtins.mapAttrs (version: _: runEnv version) sources
--- a/local/pkgs/vasp/nvidia/makefile.include-6.3.1
+++ b/local/pkgs/vasp/nvidia/makefile.include-6.3.1
@@ -0,0 +1,109 @@
+# Default precompiler options
+CPP_OPTIONS = -DHOST=\"LinuxNV\" \
+              -DMPI -DMPI_BLOCK=8000 -Duse_collective \
+              -DscaLAPACK \
+              -DCACHE_SIZE=4000 \
+              -Davoidalloc \
+              -Dvasp6 \
+              -Duse_bse_te \
+              -Dtbdyn \
+              -Dqd_emulate \
+              -Dfock_dblbuf \
+              -D_OPENMP \
+              -D_OPENACC \
+              -DUSENCCL -DUSENCCLP2P -Duse_shmem -Dshmem_bcast_buffer -Dshmem_rproj
+
+CPP         = nvfortran -Mpreprocess -Mfree -Mextend -E $(CPP_OPTIONS) $*$(FUFFIX)  > $*$(SUFFIX)
+
+# N.B.: you might need to change the cuda-version here
+#       to one that comes with your NVIDIA-HPC SDK
+FC          = mpif90 -acc -gpu=@cudaCapabilities@ -mp
+FCL         = mpif90 -acc -gpu=@cudaCapabilities@ -mp -c++libs
+
+FREE        = -Mfree
+
+FFLAGS      = -Mbackslash -Mlarge_arrays
+
+OFLAG       = -fast
+
+DEBUG       = -Mfree -O0 -traceback
+
+OBJECTS     = fftmpiw.o fftmpi_map.o fftw3d.o fft3dlib.o
+
+LLIBS       = -cudalib=cublas,cusolver,cufft,nccl -cuda
+
+# Redefine the standard list of O1 and O2 objects
+SOURCE_O1  := pade_fit.o
+SOURCE_O2  := pead.o
+
+# For what used to be vasp.5.lib
+CPP_LIB     = $(CPP)
+FC_LIB      = nvfortran
+CC_LIB      = nvc -w
+CFLAGS_LIB  = -O
+FFLAGS_LIB  = -O1 -Mfixed
+FREE_LIB    = $(FREE)
+
+OBJECTS_LIB = linpack_double.o getshmem.o
+
+# For the parser library
+CXX_PARS    = nvc++ --no_warnings
+
+##
+## Customize as of this point! Of course you may change the preceding
+## part of this file as well if you like, but it should rarely be
+## necessary ...
+##
+# When compiling on the target machine itself , change this to the
+# relevant target when cross-compiling for another architecture
+VASP_TARGET_CPU ?= -tp=@nvhpcArch@
+FFLAGS     += $(VASP_TARGET_CPU)
+
+# Specify your NV HPC-SDK installation (mandatory)
+#... first try to set it automatically
+NVROOT      =$(shell which nvfortran | awk -F /compilers/bin/nvfortran '{ print $$1 }')
+
+# If the above fails, then NVROOT needs to be set manually
+#NVHPC      ?= /opt/nvidia/hpc_sdk
+#NVVERSION   = 21.11
+#NVROOT      = $(NVHPC)/Linux_x86_64/$(NVVERSION)
+
+## Improves performance when using NV HPC-SDK >=21.11 and CUDA >11.2
+#OFLAG_IN   = -fast -Mwarperf
+#SOURCE_IN  := nonlr.o
+
+# Software emulation of quadruple precsion (mandatory)
+QD         ?= $(NVROOT)/compilers/extras/qd
+LLIBS      += -L$(QD)/lib -lqdmod -lqd
+INCS       += -I$(QD)/include/qd
+
+# Intel MKL for FFTW, BLAS, LAPACK, and scaLAPACK
+MKLROOT    ?= /path/to/your/mkl/installation
+LLIBS_MKL   = -Mmkl -L$(MKLROOT)/lib -lmkl_scalapack_lp64 -lmkl_blacs_openmpi_lp64
+INCS       += -I$(MKLROOT)/include/fftw
+
+# Use a separate scaLAPACK installation (optional but recommended in combination with OpenMPI)
+# Comment out the two lines below if you want to use scaLAPACK from MKL instead
+# SCALAPACK_ROOT ?= /path/to/your/scalapack/installation
+# LLIBS_MKL   = -L$(SCALAPACK_ROOT)/lib -lscalapack -Mmkl
+
+LLIBS      += $(LLIBS_MKL)
+
+# HDF5-support (optional but strongly recommended)
+CPP_OPTIONS+= -DVASP_HDF5
+HDF5_ROOT  ?= /path/to/your/hdf5/installation
+LLIBS      += -L$(HDF5_ROOT)/lib -lhdf5_fortran
+INCS       += -I$(HDF5_ROOT)/include
+
+# For the VASP-2-Wannier90 interface (optional)
+CPP_OPTIONS    += -DVASP2WANNIER90
+WANNIER90_ROOT ?= /path/to/your/wannier90/installation
+LLIBS          += -L$(WANNIER90_ROOT)/lib -lwannier
+
+# For the fftlib library (hardly any benefit for the OpenACC GPU port, especially in combination with MKL's FFTs)
+#CPP_OPTIONS+= -Dsysv
+#FCL        += fftlib.o
+#CXX_FFTLIB  = nvc++ -mp --no_warnings -std=c++11 -DFFTLIB_USE_MKL -DFFTLIB_THREADSAFE
+#INCS_FFTLIB = -I./include -I$(MKLROOT)/include/fftw
+#LIBS       += fftlib
+#LLIBS      += -ldl
--- a/local/pkgs/vasp/nvidia/makefile.include-6.4.0
+++ b/local/pkgs/vasp/nvidia/makefile.include-6.4.0
@@ -0,0 +1,109 @@
+# Default precompiler options
+CPP_OPTIONS = -DHOST=\"LinuxNV\" \
+              -DMPI -DMPI_INPLACE -DMPI_BLOCK=8000 -Duse_collective \
+              -DscaLAPACK \
+              -DCACHE_SIZE=4000 \
+              -Davoidalloc \
+              -Dvasp6 \
+              -Duse_bse_te \
+              -Dtbdyn \
+              -Dqd_emulate \
+              -Dfock_dblbuf \
+              -D_OPENMP \
+              -D_OPENACC \
+              -DUSENCCL -DUSENCCLP2P -Duse_shmem -Dshmem_bcast_buffer -Dshmem_rproj
+
+CPP         = nvfortran -Mpreprocess -Mfree -Mextend -E $(CPP_OPTIONS) $*$(FUFFIX)  > $*$(SUFFIX)
+
+# N.B.: you might need to change the cuda-version here
+#       to one that comes with your NVIDIA-HPC SDK
+FC          = mpif90 -acc -gpu=@cudaCapabilities@ -mp
+FCL         = mpif90 -acc -gpu=@cudaCapabilities@ -mp -c++libs
+
+FREE        = -Mfree
+
+FFLAGS      = -Mbackslash -Mlarge_arrays
+
+OFLAG       = -fast
+
+DEBUG       = -Mfree -O0 -traceback
+
+OBJECTS     = fftmpiw.o fftmpi_map.o fftw3d.o fft3dlib.o
+
+LLIBS       = -cudalib=cublas,cusolver,cufft,nccl -cuda
+
+# Redefine the standard list of O1 and O2 objects
+SOURCE_O1  := pade_fit.o minimax_dependence.o
+SOURCE_O2  := pead.o
+
+# For what used to be vasp.5.lib
+CPP_LIB     = $(CPP)
+FC_LIB      = nvfortran
+CC_LIB      = nvc -w
+CFLAGS_LIB  = -O
+FFLAGS_LIB  = -O1 -Mfixed
+FREE_LIB    = $(FREE)
+
+OBJECTS_LIB = linpack_double.o getshmem.o
+
+# For the parser library
+CXX_PARS    = nvc++ --no_warnings
+
+##
+## Customize as of this point! Of course you may change the preceding
+## part of this file as well if you like, but it should rarely be
+## necessary ...
+##
+# When compiling on the target machine itself , change this to the
+# relevant target when cross-compiling for another architecture
+VASP_TARGET_CPU ?= -tp=@nvhpcArch@
+FFLAGS     += $(VASP_TARGET_CPU)
+
+# Specify your NV HPC-SDK installation (mandatory)
+#... first try to set it automatically
+NVROOT      =$(shell which nvfortran | awk -F /compilers/bin/nvfortran '{ print $$1 }')
+
+# If the above fails, then NVROOT needs to be set manually
+#NVHPC      ?= /opt/nvidia/hpc_sdk
+#NVVERSION   = 21.11
+#NVROOT      = $(NVHPC)/Linux_x86_64/$(NVVERSION)
+
+## Improves performance when using NV HPC-SDK >=21.11 and CUDA >11.2
+#OFLAG_IN   = -fast -Mwarperf
+#SOURCE_IN  := nonlr.o
+
+# Software emulation of quadruple precsion (mandatory)
+QD         ?= $(NVROOT)/compilers/extras/qd
+LLIBS      += -L$(QD)/lib -lqdmod -lqd
+INCS       += -I$(QD)/include/qd
+
+# Intel MKL for FFTW, BLAS, LAPACK, and scaLAPACK
+MKLROOT    ?= /path/to/your/mkl/installation
+LLIBS_MKL   = -Mmkl -L$(MKLROOT)/lib -lmkl_scalapack_lp64 -lmkl_blacs_openmpi_lp64
+INCS       += -I$(MKLROOT)/include/fftw
+
+# Use a separate scaLAPACK installation (optional but recommended in combination with OpenMPI)
+# Comment out the two lines below if you want to use scaLAPACK from MKL instead
+# SCALAPACK_ROOT ?= /path/to/your/scalapack/installation
+# LLIBS_MKL   = -L$(SCALAPACK_ROOT)/lib -lscalapack -Mmkl
+
+LLIBS      += $(LLIBS_MKL)
+
+# HDF5-support (optional but strongly recommended)
+CPP_OPTIONS+= -DVASP_HDF5
+HDF5_ROOT  ?= /path/to/your/hdf5/installation
+LLIBS      += -L$(HDF5_ROOT)/lib -lhdf5_fortran
+INCS       += -I$(HDF5_ROOT)/include
+
+# For the VASP-2-Wannier90 interface (optional)
+CPP_OPTIONS    += -DVASP2WANNIER90
+WANNIER90_ROOT ?= /path/to/your/wannier90/installation
+LLIBS          += -L$(WANNIER90_ROOT)/lib -lwannier
+
+# For the fftlib library (hardly any benefit for the OpenACC GPU port, especially in combination with MKL's FFTs)
+#CPP_OPTIONS+= -Dsysv
+#FCL        += fftlib.o
+#CXX_FFTLIB  = nvc++ -mp --no_warnings -std=c++11 -DFFTLIB_USE_MKL -DFFTLIB_THREADSAFE
+#INCS_FFTLIB = -I./include -I$(MKLROOT)/include/fftw
+#LIBS       += fftlib
+#LLIBS      += -ldl
--- a/local/pkgs/vasp/source.nix
+++ b/local/pkgs/vasp/source.nix
@@ -0,0 +1,16 @@
+{ requireFile }:
+let
+  hashes =
+  {
+    # nix-store --query --hash $(nix store add-path ./vasp-6.4.0)
+    "6.3.1" = "1xdr5kjxz6v2li73cbx1ls5b1lnm6z16jaa4fpln7d3arnnr1mgx";
+    "6.4.0" = "189i1l5q33ynmps93p2mwqf5fx7p4l50sls1krqlv8ls14s3m71f";
+  };
+  sources = version: sha256: requireFile
+  {
+    name = "vasp-${version}";
+    inherit sha256;
+    hashMode = "recursive";
+    message = "Source file not found.";
+  };
+in builtins.mapAttrs sources hashes
--- a/local/pkgs/vaspkit/default.nix
+++ b/local/pkgs/vaspkit/default.nix
@@ -0,0 +1,64 @@
+{ stdenv, fetchurl, requireFile, autoPatchelfHook, makeWrapper, python3, attrsToList, gnused }:
+let
+  potcar = requireFile
+  {
+    name = "POTCAR";
+    sha256 = "01adpp9amf27dd39m8svip3n6ax822vsyhdi6jn5agj13lis0ln3";
+    hashMode = "recursive";
+    message = "POTCAR not found.";
+  };
+  unwrapped = stdenv.mkDerivation rec
+  {
+    pname = "vaspkit-unwrapped";
+    version = "1.5.1";
+    buildInputs = [ autoPatchelfHook stdenv.cc.cc ];
+    src = fetchurl
+    {
+      url = "mirror://sourceforge/vaspkit/Binaries/vaspkit.${version}.linux.x64.tar.gz";
+      sha256 = "1cbj1mv7vx18icwlk9d2vfavsfd653943xg2ywzd8b7pb43xrfs1";
+    };
+    installPhase =
+    ''
+      runHook preInstall
+      mkdir -p $out
+      cp -r * $out
+      runHook postInstall
+    '';
+  };
+  python = python3.withPackages (pythonPackages: with pythonPackages; [ numpy scipy matplotlib ]);
+  envirmentVariables =
+  {
+    LDA_PATH = "${potcar}/PAW_LDA";
+    PBE_PATH = "${potcar}/PAW_PBE";
+    GGA_PATH = "${potcar}/PAW_PW91";
+    VASPKIT_UTILITIES_PATH = "${unwrapped}/utilities";
+    PYTHON_BIN = "${python}/bin/python";
+    AUTO_PLOT = ".TRUE.";
+  };
+in
+  stdenv.mkDerivation rec
+  {
+    pname = "vaspkit";
+    inherit (unwrapped) version;
+    phases = [ "installPhase" ];
+    buildInputs = [ makeWrapper ];
+    nativeBuildInputs = [ gnused ];
+    replaceEnv = builtins.concatStringsSep "" (map
+      (variable: ''sed 's|\(${variable.name}\s*=\s*\)\(\S\+\)|\1${variable.value}|g' -i $out/.vaspkit'' + "\n")
+      (attrsToList envirmentVariables));
+    installPhase =
+    ''
+      runHook preInstall
+
+      # setup ~/.vaspkit
+      mkdir -p $out
+      cp ${unwrapped}/how_to_set_environment_variables $out/.vaspkit
+
+      # setup wrapper
+      makeWrapper ${unwrapped}/bin/vaspkit $out/bin/vaspkit --set HOME $out;
+    ''
+    + replaceEnv
+    + ''
+      runHook postInstall
+    '';
+  }
--- a/local/pkgs/vesta/default.nix
+++ b/local/pkgs/vesta/default.nix
@@ -1,49 +1,42 @@
 {
-	lib, stdenv, fetchurl, autoPatchelfHook, wrapGAppsHook,
-	glib, gtk2, xorg, libGLU, gtk3, writeShellScript, gsettings-desktop-schemas, xdg-utils
+  lib, stdenv, fetchurl, autoPatchelfHook, wrapGAppsHook, makeWrapper,
+  glib, gtk2, xorg, libGLU, gtk3, writeShellScript, gsettings-desktop-schemas, xdg-utils
 }:

 stdenv.mkDerivation rec
 {
-	pname = "vesta";
-	version = "3.5.5";
-	src = fetchurl
-	{
-		url = "https://jp-minerals.org/vesta/archives/${version}/VESTA-gtk3.tar.bz2";
-		sha256 = "sRzQNJA7+hsjLWmykqe6bH0p1/aGEB8hCuxCyPzxYHs=";
-	};
-	desktopFile = fetchurl
-	{
-		url = "https://aur.archlinux.org/cgit/aur.git/plain/VESTA.desktop?h=vesta&id=4fae08afc37ee0fd88d14328cf0d6b308fea04d1";
-		sha256 = "Tq4AzQgde2KIWKA1k6JlxvdphGG9JluHMZjVw0fBUeQ=";
-	};
+  pname = "vesta";
+  version = "3.5.5";
+  src = fetchurl
+  {
+    url = "https://jp-minerals.org/vesta/archives/${version}/VESTA-gtk3.tar.bz2";
+    sha256 = "sRzQNJA7+hsjLWmykqe6bH0p1/aGEB8hCuxCyPzxYHs=";
+  };
+  desktopFile = fetchurl
+  {
+    url = "https://aur.archlinux.org/cgit/aur.git/plain/VESTA.desktop?h=vesta&id=4fae08afc37ee0fd88d14328cf0d6b308fea04d1";
+    sha256 = "Tq4AzQgde2KIWKA1k6JlxvdphGG9JluHMZjVw0fBUeQ=";
+  };

-	nativeBuildInputs = [ glib autoPatchelfHook gtk2 xorg.libXxf86vm libGLU gtk3 xorg.libXtst wrapGAppsHook ];
-	# buildInputs = [ makeWrapper ];
+  nativeBuildInputs = [ autoPatchelfHook wrapGAppsHook makeWrapper ];
+  buildInputs = [ glib gtk2 xorg.libXxf86vm libGLU gtk3 xorg.libXtst ];

-	unpackPhase = "tar -xf ${src}";
+  unpackPhase = "tar -xf ${src}";

  installPhase =
-	# Note '<<-' here, it strips tabs before EOF. It doesn't work with spaces
-	''
-		echo $out
-		mkdir -p $out/share/applications
-		cp ${desktopFile} $out/share/applications/vesta.desktop
-		sed -i "s|Exec=.*|Exec=$out/bin/vesta|" $out/share/applications/vesta.desktop
-		sed -i "s|Icon=.*|Icon=$out/opt/VESTA-gtk3/img/logo.png|" $out/share/applications/vesta.desktop
+  ''
+    echo $out
+    mkdir -p $out/share/applications
+    cp ${desktopFile} $out/share/applications/vesta.desktop
+    sed -i "s|Exec=.*|Exec=$out/bin/vesta|" $out/share/applications/vesta.desktop
+    sed -i "s|Icon=.*|Icon=$out/opt/VESTA-gtk3/img/logo.png|" $out/share/applications/vesta.desktop

-		mkdir -p $out/opt
-		cp -r VESTA-gtk3 $out/opt/VESTA-gtk3
+    mkdir -p $out/opt
+    cp -r VESTA-gtk3 $out/opt/VESTA-gtk3

-		mkdir -p $out/bin
-		tee $out/bin/vesta <<- EOF
-			#!${stdenv.shell}
-			export XDG_DATA_DIRS=$GSETTINGS_SCHEMAS_PATH\''${XDG_DATA_DIRS:+:}\$XDG_DATA_DIRS
-			export PATH="\$PATH\''${PATH:+:}${xdg-utils}/bin"
-			$out/opt/VESTA-gtk3/VESTA "\$@"
-		EOF
-		chmod +x $out/bin/vesta
+    mkdir -p $out/bin
+    makeWrapper $out/opt/VESTA-gtk3/VESTA $out/bin/vesta

-		patchelf --remove-needed libjawt.so $out/opt/VESTA-gtk3/PowderPlot/libswt-awt-gtk-3346.so
-	'';
+    patchelf --remove-needed libjawt.so $out/opt/VESTA-gtk3/PowderPlot/libswt-awt-gtk-3346.so
+  '';
 }
--- a/local/pkgs/win11os-kde/default.nix
+++ b/local/pkgs/win11os-kde/default.nix
@@ -0,0 +1,20 @@
+{ lib, stdenv, src }: stdenv.mkDerivation
+{
+  name = "win11os-kde";
+  inherit src;
+  installPhase =
+  ''
+    mkdir -p $out/share/aurorae/themes
+    cp -r $src/aurorae/* $out/share/aurorae/themes
+    mkdir -p $out/share/color-schemes
+    cp -r $src/color-schemes/*.colors $out/share/color-schemes
+    mkdir -p $out/share/Kvantum
+    cp -r $src/Kvantum/* $out/share/Kvantum
+    mkdir -p $out/share/plasma/desktoptheme
+    cp -r $src/plasma/desktoptheme/* $out/share/plasma/desktoptheme
+    mkdir -p $out/share/plasma/look-and-feel
+    cp -r $src/plasma/look-and-feel/* $out/share/plasma/look-and-feel
+    mkdir -p $out/share/wallpapers
+    cp -r $src/wallpaper/* $out/share/wallpapers
+  '';
+}
--- a/local/pkgs/yoga-support/default.nix
+++ b/local/pkgs/yoga-support/default.nix
@@ -0,0 +1,24 @@
+{ lib, stdenv, fetchFromGitHub, python3 }:
+let
+  python = python3.withPackages (ps: with ps; [ evdev pyudev ]);
+in stdenv.mkDerivation
+{
+  name = "yogabook-support";
+  src = fetchFromGitHub
+  {
+    owner = "jekhor";
+    repo = "yogabook-support";
+    rev = "8ecf7861e469ba4094115fff0e81d537135e3f22";
+    sha256 = "4UtiQooCaeUDHc9YE9EQRJ2MNKvOqqCv85k0YyI2BO4=";
+  };
+  buildInputs = [ python ];
+  installPhase =
+  ''
+    mkdir -p $out/bin
+    cp pen-key-handler yogabook-modes-handler $out/bin
+    mkdir -p $out/lib/udev/rules.d
+    cp 61-sensor-yogabook.rules $out/lib/udev/rules.d
+    mkdir -p $out/lib/udev/hwdb.d
+    cp 61-sensor-yogabook.hwdb $out/lib/udev/hwdb.d
+  '';
+}
--- a/local/pkgs/zpp-bits/default.nix
+++ b/local/pkgs/zpp-bits/default.nix
@@ -0,0 +1,11 @@
+{ stdenv, src }: stdenv.mkDerivation
+{
+  inherit src;
+  name = "zpp-bits";
+  phases = [ "installPhase" ];
+  installPhase =
+  ''
+    mkdir -p $out/include
+    cp $src/zpp_bits.h $out/include
+  '';
+}
--- a/modules/basic.nix
+++ b/modules/basic.nix
@@ -1,72 +0,0 @@
-{ hostName }: inputs:
-{
-	config =
-	{
-		nixpkgs.hostPlatform = inputs.lib.mkDefault "x86_64-linux";
-		nix =
-		{
-			settings =
-			{
-				experimental-features = [ "nix-command" "flakes" ];
-				keep-outputs = true;
-				system-features = [ "big-parallel" ];
-				keep-failed = true;
-				auto-optimise-store = true;
-			};
-			daemonIOSchedClass = "idle";
-			daemonCPUSchedPolicy = "idle";
-			registry =
-			{
-				nixpkgs.flake = inputs.topInputs.nixpkgs;
-				nixos-config.flake = inputs.topInputs.self;
-			};
-			# nixPath =
-			# [
-			# 	"nixpkgs=/etc/channels/nixpkgs"
-			# 	"nixos-config=/etc/nixos/configuration.nix"
-			# 	"/nix/var/nix/profiles/per-user/root/channels"
-			# ];
-		};
-		networking.hostName = hostName;
-		time.timeZone = "Asia/Shanghai";
-		system =
-		{
-			stateVersion = "22.11";
-			configurationRevision = inputs.topInputs.self.rev or "dirty";
-		};
-		nixpkgs.config.allowUnfree = true;
-		systemd =
-		{
-			extraConfig =
-			"
-				DefaultTimeoutStopSec=10s
-				DefaultLimitNOFILE=1048576:1048576
-			";
-			user.extraConfig = "DefaultTimeoutStopSec=10s";
-			sleep.extraConfig =
-			"
-				SuspendState=freeze
-				HibernateMode=shutdown
-			";
-			services.nix-daemon.serviceConfig = { Slice = "-.slice"; Nice = "19"; };
-		};
-		programs.nix-ld.enable = true;
-		boot = { supportedFilesystems = [ "ntfs" ]; consoleLogLevel = 7; };
-		hardware.enableAllFirmware = true;
-		security.pam =
-		{
-			u2f = { enable = true; cue = true; authFile = ./u2f_keys; };
-			services = builtins.listToAttrs (builtins.map (name: { inherit name; value = { u2fAuth = true; }; })
-				[ "login" "sudo" "su" "kde" "polkit-1" ]);
-		};
-		systemd.nspawn.arch =
-		{
-			execConfig.PrivateUsers = false;
-			networkConfig.VirtualEthernet = false;
-		};
-		environment.etc."channels/nixpkgs".source = inputs.topInputs.nixpkgs.outPath;
-		# environment.pathsToLink = [ "/include" ];
-		# environment.variables.CPATH = "/run/current-system/sw/include";
-		# environment.variables.LIBRARY_PATH = "/run/current-system/sw/lib";
-	};
-}
--- a/modules/boot/chn-PC.nix
+++ b/modules/boot/chn-PC.nix
@@ -1,184 +0,0 @@
-inputs:
-{
-	config =
-	{
-		# filesystem mount
-		fileSystems."/" =
-		{
-			device = "/dev/mapper/root";
-			fsType = "btrfs";
-			options = [ "subvol=nix/rootfs/current" "compress-force=zstd" ];
-		};
-		# sudo btrfs fi mkswapfile --size 64g --uuid clear swap
-		# sudo btrfs inspect-internal map-swapfile -r swap
-		# sudo mdadm --create /dev/md/swap --level 0 --raid-devices 2 /dev/nvme1n1p5 /dev/nvme0n1p5
-		# sudo mkswap --uuid clear /dev/md/swap
-		# sudo cryptsetup luksFormat /dev/md/swap
-		# sudo systemd-cryptenroll --fido2-device=auto /dev/md/swap
-		# sudo systemd-cryptenroll --wipe-slot=0 /dev/md/swap
-		# sudo $(dirname $(realpath $(which systemctl)))/../lib/systemd/systemd-cryptsetup \
-		#		attach swap /dev/md/swap - fido2-device=auto
-		# sudo mkswap --uuid clear /dev/mapper/swap
-
-		# kernel, modules, ucode
-		boot.kernelPackages = inputs.pkgs.linuxPackages_xanmod_latest;
-		hardware.cpu.intel.updateMicrocode = true;
-		# modules auto loaded in stage2
-		boot.kernelModules = [ "kvm-intel" "br_netfilter" ];
-		# modules install but not auto loaded
-		# boot.extraModulePackages = [ yourmodulename ];
-		boot.extraModprobeConfig =
-		''
-			options kvm_intel nested=1
-			options iwlmvm power_scheme=1
-			options iwlwifi uapsd_disable=1
-		'';
-		boot.kernelParams = [ "delayacct" "acpi_osi=Linux" ];
-		boot.kernelPatches =
-		[
-			{ name = "hdmi"; patch = ./hdmi.patch; }
-			{
-				name = "cjktty";
-				patch = inputs.pkgs.fetchurl
-				{
-					url = "https://raw.githubusercontent.com/zhmars/cjktty-patches/master/v6.x/cjktty-6.3.patch";
-					sha256 = "sha256-QnsWruzhtiZnqzTUXkPk9Hb19Iddr4VTWXyV4r+iLvE=";
-				};
-				extraStructuredConfig = { FONT_CJK_16x16 = inputs.lib.kernel.yes; FONT_CJK_32x32 = inputs.lib.kernel.yes; };
-			}
-			{
-				name = "custom config";
-				patch = null;
-				extraStructuredConfig =
-				{
-					GENERIC_CPU = inputs.lib.kernel.no;
-					MALDERLAKE = inputs.lib.kernel.yes;
-					PREEMPT_VOLUNTARY = inputs.lib.mkForce inputs.lib.kernel.no;
-					PREEMPT = inputs.lib.mkForce inputs.lib.kernel.yes;
-					HZ_500 = inputs.lib.mkForce inputs.lib.kernel.no;
-					HZ_1000 = inputs.lib.mkForce inputs.lib.kernel.yes;
-					HZ = inputs.lib.mkForce (inputs.lib.kernel.freeform "1000");
-				};
-			}
-		];
-
-		# grub
-		boot.loader =
-		{
-			timeout = 5;
-			efi = { canTouchEfiVariables = true; efiSysMountPoint = "/boot/efi"; };
-			grub =
-			{
-				enable = true;
-				# for BIOS, set disk to install; for EFI, set nodev
-				device = "nodev";
-				efiSupport = true;
-				useOSProber = false;
-				extraEntries =
-				''
-					menuentry "Windows" {
-						insmod part_gpt
-						insmod fat
-						insmod search_fs_uuid
-						insmod chain
-						search --fs-uuid --set=root 7317-1DB6
-						chainloader /EFI/Microsoft/Boot/bootmgfw.efi
-					}
-					menuentry "Windows for malware" {
-						insmod part_gpt
-						insmod fat
-						insmod search_fs_uuid
-						insmod chain
-						search --fs-uuid --set=root 7321-FA9C
-						chainloader /EFI/Microsoft/Boot/bootmgfw.efi
-					}
-				'';
-			};
-		};
-
-		# initrd, luks
-		boot.initrd =
-		{
-			systemd =
-			{
-				enable = true;
-				services.create-current-rootfs =
-				{
-					wantedBy = [ "local-fs-pre.target" ];
-					after = [ "cryptsetup.target" ];
-					before = [ "local-fs-pre.target" ];
-					unitConfig.DefaultDependencies = false;
-					serviceConfig.Type = "oneshot";
-					script =
-					''
-						mount /dev/mapper/root /mnt -m
-						if [ -f /mnt/nix/rootfs/current/.timestamp ]
-						then
-							mv /mnt/nix/rootfs/current /mnt/nix/rootfs/$(cat /mnt/nix/rootfs/current/.timestamp)
-						fi
-						btrfs subvolume create /mnt/nix/rootfs/current
-						echo $(date '+%Y%m%d%H%M%S') > /mnt/nix/rootfs/current/.timestamp
-						umount /mnt
-					'';
-				};
-			};
-			# modules in initrd
-			# modprobe --show-depends
-			availableKernelModules =
-			[
-				"ahci" "bfq" "i915" "intel_cstate" "nls_cp437" "nls_iso8859-1" "nvidia" "nvidia_drm" "nvidia_modeset"
-				"nvidia_uvm" "nvme" "sr_mod" "usbhid" "usb_storage" "virtio_blk" "virtio_pci" "xhci_pci"
-			]
-			# speed up luks decryption
-			++ [ "aesni_intel" "cryptd" "crypto_simd" "libaes" ];
-		};
-
-		# impermanence
-		environment.persistence."/nix/persistent" =
-		{
-			hideMounts = true;
-			directories =
-			[
-				"/etc/NetworkManager/system-connections"
-				"/home"
-				"/root"
-				"/var"
-			];
-			files =
-			[
-				"/etc/machine-id"
-				"/etc/ssh/ssh_host_ed25519_key.pub"
-				"/etc/ssh/ssh_host_ed25519_key"
-				"/etc/ssh/ssh_host_rsa_key.pub"
-				"/etc/ssh/ssh_host_rsa_key"
-			];
-		};
-
-		# services
-		systemd.services =
-		{
-			nix-daemon = { environment = { TMPDIR = "/var/cache/nix"; }; serviceConfig = { CacheDirectory = "nix"; }; };
-			systemd-tmpfiles-setup = { environment = { SYSTEMD_TMPFILES_FORCE_SUBVOL = "0"; }; };
-		};
-		services =
-		{
-			snapper.configs.persistent =
-			{
-				SUBVOLUME = "/nix/persistent";	
-				TIMELINE_CREATE = true;
-				TIMELINE_CLEANUP = true;
-				TIMELINE_MIN_AGE = 1800;
-				TIMELINE_LIMIT_HOURLY = "10";
-				TIMELINE_LIMIT_DAILY = "7";
-				TIMELINE_LIMIT_WEEKLY = "1";
-				TIMELINE_LIMIT_MONTHLY = "0";
-				TIMELINE_LIMIT_YEARLY = "0";
-			};
-			udev.extraRules =
-			''
-				ACTION=="add|change", KERNEL=="[sv]d[a-z]", ATTR{queue/rotational}=="0", ATTR{queue/scheduler}="bfq"
-				ACTION=="add|change", KERNEL=="nvme[0-9]n[0-9]", ATTR{queue/rotational}=="0", ATTR{queue/scheduler}="bfq"
-			'';
-		};
-	};
-}
--- a/modules/boot/fileSystems.nix
+++ b/modules/boot/fileSystems.nix
@@ -1,119 +0,0 @@
-inputs:
-{
-	options.nixos.fileSystems = let inherit (inputs.lib) mkOption types; in
-	{
-		mount =
-		{
-			# device = mountPoint;
-			vfat = mkOption { type = types.attrsOf types.nonEmptyStr; };
-			# device.subvol = mountPoint;
-			btrfs = mkOption { type = types.attrsOf (types.attrsOf types.nonEmptyStr); };
-		};
-		decrypt.auto = mkOption { type = types.attrsOf (types.submodule { options =
-		{
-			mapper = mkOption { type = types.nonEmptyStr; };
-			ssd = mkOption { type = types.bool; default = false; };
-		}; }); };
-		mdadm = mkOption { type = types.nullOr types.str; };
-		swap = mkOption { type = types.listOf types.nonEmptyStr; };
-		resume = mkOption { type = types.nullOr (types.str or (types.submodule { options =
-			{ device = mkOption { type = types.nonEmptyStr; }; offset = mkOption { type = types.ints.unsigned; }; }; })); };
-		# cleanRootfs = mkOption { type = types.nullOr
-
-		# swap and resume
-		# swap != resume.device if swap is a file
-		# swap = mkOption { type = types.nullOr types.str; };
-		# resume =
-		# {
-		# 	device = mkOption { type = types.nullOr types.str; };
-		# 	# sudo btrfs fi mkswapfile --size 64g --uuid clear swap
-		# 	# sudo btrfs inspect-internal map-swapfile -r swap
-		# 	offset = mkOption { type = types.nullOr types.ints.unsigned; };
-		# };
-	};
-	config =
-	{
-		fileSystems =
-		(
-			builtins.listToAttrs (builtins.map
-				(device: { name = device.value; value = { device = device.name; fsType = "vfat"; }; })
-				(inputs.localLib.attrsToList inputs.config.nixos.fileSystems.mount.vfat))
-		)
-		// (
-			builtins.listToAttrs (builtins.concatLists (builtins.map
-				(
-					device: builtins.map
-						(
-							subvol:
-							{
-								name = subvol.value;
-								value =
-								{
-									device = device.name;
-									fsType = "btrfs";
-									options = [ "compress-force=zstd:8" "subvol=${subvol.name}" ];
-								};
-							}
-						)
-						(inputs.localLib.attrsToList device.value)
-				)
-				(inputs.localLib.attrsToList inputs.config.nixos.fileSystems.mount.btrfs)))
-		);
-		swapDevices = builtins.map (device: { device = device; }) inputs.config.nixos.fileSystems.swap;
-		boot =
-		{
-			initrd = {}
-			// (
-				if inputs.config.nixos.fileSystems.decrypt.auto != null then
-				{
-					luks.devices =
-					(
-						builtins.listToAttrs (builtins.map
-							(
-								device:
-								{
-									name = device.value.mapper;
-									value =
-									{
-										device = device.name;
-										allowDiscards = device.value.ssd;
-										bypassWorkqueues = device.value.ssd;
-										crypttabExtraOpts = [ "fido2-device=auto" ];
-									};
-								}
-							)
-							(inputs.localLib.attrsToList inputs.config.nixos.fileSystems.decrypt.auto))
-					);
-				}
-				else {}
-			)
-			// (
-				if inputs.config.nixos.fileSystems.mdadm != null then
-					{ services.swraid = { enable = true; mdadmConf = inputs.config.nixos.fileSystems.mdadm; }; }
-				else {}
-			);
-		}
-		// (
-			if inputs.config.nixos.fileSystems.resume != null then
-				if builtins.typeOf inputs.config.nixos.fileSystems.resume == "string" then
-					{ resumeDevice = inputs.config.nixos.fileSystems.resume; }
-				else
-				{
-					resumeDevice = inputs.config.nixos.fileSystems.resume.device;
-					kernelModules = [ "resume_offset=${inputs.config.nixos.fileSystems.resume.offset}" ];
-				}
-			else {}
-		);
-	};
-}
-
-# Disable CoW for VM image and database:
-# sudo chattr +C images
-# zstd:15 cause sound stuttering
-# From btrfs wiki: 1-3 are real-time, 4-8 slower with improved compression,
-#	 9-15 try even harder though the resulting size may not be significantly improved.
-# https://btrfs.readthedocs.io/en/latest/Compression.html
-# sudo btrfs filesystem resize -50G /nix
-# sudo cryptsetup status root
-# sudo cryptsetup -b 3787456512 resize root
-# sudo cfdisk /dev/nvme1n1p3
--- a/modules/boot/hdmi.patch
+++ b/modules/boot/hdmi.patch
@@ -1,14 +0,0 @@
-diff --git a/drivers/gpu/drm/i915/display/intel_bios.c b/drivers/gpu/drm/i915/display/intel_bios.c
-index 55544d484318..d6f257f8fd14 100644
--- a/drivers/gpu/drm/i915/display/intel_bios.c
-+++ b/drivers/gpu/drm/i915/display/intel_bios.c
-@@ -2708,7 +2708,7 @@ static void parse_ddi_port(struct intel_bios_encoder_data *devdata)
- 	if (i915->display.vbt.ports[port]) {
- 		drm_dbg_kms(&i915->drm,
- 			    "More than one child device for port %c in VBT, using the first.\n",
- 			    port_name(port));
-		return;
-+		// return;
- 	}
- 
- 	sanitize_device_type(devdata, port);
--- a/modules/bugs/default.nix
+++ b/modules/bugs/default.nix
@@ -0,0 +1,93 @@
+inputs:
+  let
+    inherit (inputs.localLib) stripeTabs;
+    inherit (builtins) map attrNames;
+    inherit (inputs.lib) mkMerge mkIf mkOption types;
+    bugs =
+    {
+      # suspend & hibernate do not use platform
+      suspend-hibernate-no-platform.systemd.sleep.extraConfig =
+      ''
+        SuspendState=freeze
+        HibernateMode=shutdown
+      '';
+      # reload iwlwifi after resume from hibernate
+      hibernate-iwlwifi =
+      {
+        systemd.services.reload-iwlwifi-after-hibernate =
+        {
+          description = "reload iwlwifi after resume from hibernate";
+          after = [ "systemd-hibernate.service" ];
+          serviceConfig.Type = "oneshot";
+          script = let modprobe = "${inputs.pkgs.kmod}/bin/modprobe"; in
+          ''
+            ${modprobe} -r iwlwifi
+            ${modprobe} iwlwifi
+            echo 0 > /sys/devices/system/cpu/intel_pstate/no_turbo
+          '';
+          wantedBy = [ "systemd-hibernate.service" ];
+        };
+        nixos.system.kernel.modules.modprobeConfig =
+          [ "options iwlmvm power_scheme=1" "options iwlwifi uapsd_disable=1" ];
+      };
+      # disable wakeup on lid open
+      suspend-lid-no-wakeup.systemd.services.lid-no-wakeup =
+      {
+        description = "lid no wake up";
+        serviceConfig.Type = "oneshot";
+        script =
+          let
+            cat = "${inputs.pkgs.coreutils}/bin/cat";
+            grep = "${inputs.pkgs.gnugrep}/bin/grep";
+          in
+          ''
+            if ${cat} /proc/acpi/wakeup | ${grep} LID0 | ${grep} -q enabled
+            then
+              echo LID0 > /proc/acpi/wakeup
+            fi
+            if ${cat} /proc/acpi/wakeup | ${grep} XHCI | ${grep} -q enabled
+            then
+              echo XHCI > /proc/acpi/wakeup
+            fi
+          '';
+        wantedBy = [ "multi-user.target" ];
+      };
+      # xmunet use old encryption
+      xmunet.nixpkgs.config.packageOverrides = pkgs: { wpa_supplicant = pkgs.wpa_supplicant.overrideAttrs
+        (attrs: { patches = attrs.patches ++ [ ./xmunet.patch ];}); };
+      suspend-hibernate-waydroid.systemd.services =
+        let
+          systemctl = "${inputs.pkgs.systemd}/bin/systemctl";
+        in
+        {
+          "waydroid-hibernate" =
+          {
+            description = "waydroid hibernate";
+            wantedBy = [ "systemd-hibernate.service" "systemd-suspend.service" ];
+            before = [ "systemd-hibernate.service" "systemd-suspend.service" ];
+            serviceConfig.Type = "oneshot";
+            script = "${systemctl} stop waydroid-container";
+          };
+          "waydroid-resume" =
+          {
+            description = "waydroid resume";
+            wantedBy = [ "systemd-hibernate.service" "systemd-suspend.service" ];
+            after = [ "systemd-hibernate.service" "systemd-suspend.service" ];
+            serviceConfig.Type = "oneshot";
+            script = "${systemctl} start waydroid-container";
+          };
+        };
+      firefox.programs.firefox.enable = inputs.lib.mkForce false;
+      power.boot.kernelParams = [ "cpufreq.default_governor=powersave" ];
+      backlight.boot.kernelParams = [ "nvidia.NVreg_RegistryDwords=EnableBrightnessControl=1" ];
+      amdpstate.boot.kernelParams = [ "amd_pstate=active" ];
+    };
+  in
+    {
+      options.nixos.bugs = mkOption
+      {
+        type = types.listOf (types.enum (attrNames bugs));
+        default = [];
+      };
+      config = mkMerge (map (bug: mkIf (builtins.elem bug inputs.config.nixos.bugs) bugs.${bug}) (attrNames bugs));
+    }
--- a/modules/networking/xmunet.patch
+++ b/modules/networking/xmunet.patch
@@ -5,7 +5,7 @@
 	SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv2);
 	SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv3);
 -
-+        SSL_CTX_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT);
+	SSL_CTX_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT);
 	SSL_CTX_set_mode(ssl, SSL_MODE_AUTO_RETRY);
 
 #ifdef SSL_MODE_NO_AUTO_CHAIN
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -0,0 +1,49 @@
+inputs:
+  let
+    inherit (inputs) topInputs;
+    inherit (inputs.localLib) mkModules;
+  in
+  {
+    imports = mkModules
+    [
+      topInputs.home-manager.nixosModules.home-manager
+      topInputs.sops-nix.nixosModules.sops
+      topInputs.aagl.nixosModules.default
+      topInputs.nix-index-database.nixosModules.nix-index
+      topInputs.nur.nixosModules.nur
+      topInputs.nur-xddxdd.nixosModules.setupOverlay
+      topInputs.impermanence.nixosModules.impermanence
+      (inputs:
+      {
+        config =
+        {
+          nixpkgs.overlays =
+          [
+            topInputs.qchem.overlays.default
+            topInputs.nixd.overlays.default
+            topInputs.napalm.overlays.default
+            topInputs.pnpm2nix-nzbr.overlays.default
+            topInputs.aagl.overlays.default
+            (final: prev:
+            {
+              nix-vscode-extensions = topInputs.nix-vscode-extensions.extensions."${prev.system}";
+              nur-xddxdd = topInputs.nur-xddxdd.overlays.default final prev;
+              nur-linyinfeng = (topInputs.nur-linyinfeng.overlays.default final prev).linyinfeng;
+              deploy-rs =
+                { inherit (prev) deploy-rs; inherit ((topInputs.deploy-rs.overlay final prev).deploy-rs) lib; };
+              # needed by mirism
+              "nghttp2-23.05" =
+                inputs.pkgs.callPackage "${inputs.topInputs."nixpkgs-23.05"}/pkgs/development/libraries/nghttp2" {};
+              firefox-addons = (import "${topInputs.rycee}" { inherit (prev) pkgs; }).firefox-addons;
+            })
+          ];
+          home-manager.sharedModules =
+          [
+            topInputs.plasma-manager.homeManagerModules.plasma-manager
+            topInputs.nix-doom-emacs.hmModule
+          ];
+        };
+      })
+      ./hardware ./packages ./system ./virtualization ./services ./bugs ./users
+    ];
+  }
--- a/modules/fonts.nix
+++ b/modules/fonts.nix
@@ -1,16 +0,0 @@
-inputs:
-{
-	config.fonts =
-	{
-		fontDir.enable = true;
-		fonts = with inputs.pkgs;
-			[ noto-fonts source-han-sans source-han-serif source-code-pro hack-font jetbrains-mono nerdfonts ];
-		fontconfig.defaultFonts =
-		{
-			emoji = [ "Noto Color Emoji" ];
-			monospace = [ "Noto Sans Mono CJK SC" "Sarasa Mono SC" "DejaVu Sans Mono"];
-			sansSerif = [ "Noto Sans CJK SC" "Source Han Sans SC" "DejaVu Sans" ];
-			serif = [ "Noto Serif CJK SC" "Source Han Serif SC" "DejaVu Serif" ];
-		};
-	};
-}
--- a/modules/hardware/bluetooth.nix
+++ b/modules/hardware/bluetooth.nix
@@ -1 +0,0 @@
-{ config.hardware.bluetooth.enable = true; }
--- a/modules/hardware/chn-PC.nix
+++ b/modules/hardware/chn-PC.nix
@@ -1,79 +0,0 @@
-{ pkgs, ... }@inputs:
-{
-	config =
-	{
-		nix.settings.system-features = [ "nixos-test" "benchmark" "kvm" "gccarch-alderlake" ];
-		nixpkgs =
-		{
-			hostPlatform = { system = "x86_64-linux"; gcc = { arch = "alderlake"; tune = "alderlake"; }; };
-			config.allowUnfree = true;
-			overlays =
-			[(
-				final: prev:
-					let
-						generic-pkgs = (inputs.topInputs.nixpkgs.lib.nixosSystem
-						{
-							system = "x86_64-linux";
-							modules = [{ config.nixpkgs.config.allowUnfree = true; }];
-						}).pkgs;
-					in
-						{
-							pandoc = generic-pkgs.pandoc;
-							fwupd = generic-pkgs.fwupd;
-						}
-			)];
-			config.qchem-config.optArch = "alderlake";
-		};
-		services.dbus.implementation = "broker";
-		programs.dconf.enable = true;
-		hardware.opengl.extraPackages = with inputs.pkgs; [ intel-media-driver intel-ocl ];
-		systemd.services =
-		{
-			reload-iwlwifi-after-hibernate =
-			{
-				description = "reload iwlwifi after resume from hibernate";
-				after = [ "systemd-hibernate.service" ];
-				serviceConfig =
-				{
-					Type = "oneshot";
-					ExecStart = let inherit (inputs.pkgs) kmod bash; in
-					[
-						"${kmod}/bin/modprobe -r iwlwifi" "${kmod}/bin/modprobe iwlwifi"
-						"${bash}/bin/bash -c 'echo 0 /sys/devices/system/cpu/intel_pstate/no_turbo'"
-					];
-				};
-				wantedBy = [ "systemd-hibernate.service" ];
-			};
-			lid-no-wakeup =
-			{
-				description = "lid no wake up";
-				serviceConfig.ExecStart = let inherit (inputs.pkgs) bash coreutils gnugrep; in
-					"${bash}/bin/bash -c '"
-						+ "if ${coreutils}/bin/cat /proc/acpi/wakeup | "
-						+ "${gnugrep}/bin/grep LID0 | "
-						+ "${gnugrep}/bin/grep -q enabled; then "
-							+ "echo LID0 > /proc/acpi/wakeup; "
-						+ "fi"
-					+ "'";
-				wantedBy = [ "multi-user.target" ];
-			};
-		};
-		boot.kernel.sysctl =
-		{
-			"net.core.rmem_max" = 67108864;
-			"net.core.wmem_max" = 67108864;
-			"net.ipv4.tcp_rmem" = "4096 87380 67108864";
-			"net.ipv4.tcp_wmem" = "4096 65536 67108864";
-			"net.ipv4.tcp_mtu_probing" = true;
-			"net.ipv4.tcp_tw_reuse" = true;
-			"vm.swappiness" = 10;
-			"net.ipv4.tcp_max_syn_backlog" = 8388608;
-			"net.core.netdev_max_backlog" = 8388608;
-			"net.core.somaxconn" = 8388608;
-			"vm.oom_kill_allocating_task" = true;
-			"vm.oom_dump_tasks" = false;
-			"vm.overcommit_kbytes" = 22020096;
-			"dev.i915.perf_stream_paranoid" = false;
-		};
-	};
-}
--- a/modules/hardware/default.nix
+++ b/modules/hardware/default.nix
@@ -0,0 +1,77 @@
+inputs:
+{
+  imports = inputs.localLib.mkModules [ ./gpu.nix ./legion.nix ];
+  options.nixos.hardware = let inherit (inputs.lib) mkOption types; in
+  {
+    bluetooth.enable = mkOption { type = types.bool; default = false; };
+    joystick.enable = mkOption { type = types.bool; default = false; };
+    printer.enable = mkOption { type = types.bool; default = false; };
+    sound.enable = mkOption { type = types.bool; default = false; };
+    cpus = mkOption { type = types.listOf (types.enum [ "intel" "amd" ]); default = []; };
+  };
+  config =
+    let
+      inherit (inputs.lib) mkMerge mkIf;
+      inherit (inputs.config.nixos) hardware;
+      inherit (builtins) listToAttrs map concatLists;
+      inherit (inputs.localLib) attrsToList;
+    in mkMerge
+    [
+      # bluetooth
+      (mkIf hardware.bluetooth.enable { hardware.bluetooth.enable = true; })
+      # joystick
+      (mkIf hardware.joystick.enable { hardware = { xone.enable = true; xpadneo.enable = true; }; })
+      # printer
+      (
+        mkIf hardware.printer.enable
+        {
+          services =
+          {
+            printing = { enable = true; drivers = [ inputs.pkgs.cnijfilter2 ]; };
+            avahi = { enable = true; nssmdns = true; openFirewall = true; };
+          };
+        }
+      )
+      # sound
+      (
+        mkIf hardware.sound.enable
+        {
+          hardware.pulseaudio.enable = false;
+          services.pipewire = { enable = true; alsa = { enable = true; support32Bit = true; }; pulse.enable = true; };
+          sound.enable = true;
+          security.rtkit.enable = true;
+          environment.etc."wireplumber/main.lua.d/50-alsa-config.lua".text =
+            let
+              content = builtins.readFile
+                (inputs.pkgs.wireplumber + "/share/wireplumber/main.lua.d/50-alsa-config.lua");
+              matched = builtins.match
+                ".*\n([[:space:]]*)(--\\[\"session\\.suspend-timeout-seconds\"][^\n]*)[\n].*" content;
+              spaces = builtins.elemAt matched 0;
+              comment = builtins.elemAt matched 1;
+              config = ''["session.suspend-timeout-seconds"] = 0'';
+            in
+              builtins.replaceStrings [(spaces + comment)] [(spaces + config)] content;
+        }
+      )
+      # cpus
+      (
+        mkIf (hardware.cpus != [])
+        {
+          hardware.cpu = listToAttrs
+            (map (name: { inherit name; value = { updateMicrocode = true; }; }) hardware.cpus);
+          boot.initrd.availableKernelModules =
+            let
+              modules =
+              {
+                intel =
+                [
+                  "intel_cstate" "aesni_intel" "intel_cstate" "intel_uncore" "intel_uncore_frequency" "intel_powerclamp"
+                ];
+                amd = [];
+              };
+            in
+              concatLists (map (cpu: modules.${cpu}) hardware.cpus);
+        }
+      )
+    ];
+}
--- a/modules/hardware/gpu.nix
+++ b/modules/hardware/gpu.nix
@@ -0,0 +1,95 @@
+inputs:
+{
+  options.nixos.hardware.gpu = let inherit (inputs.lib) mkOption types; in
+  {
+    type = mkOption
+    {
+      type = types.nullOr (types.enum
+      [
+        # single gpu
+        "intel" "nvidia" "amd"
+        # hibrid gpu: use nvidia prime offload mode
+        "intel+nvidia" "amd+nvidia"
+      ]);
+      default = null;
+    };
+    dynamicBoost = mkOption { type = types.bool; default = false; };
+    prime =
+    {
+      mode = mkOption { type = types.enum [ "offload" "sync" ]; default = "offload"; };
+      busId = mkOption { type = types.attrsOf types.nonEmptyStr; default = {}; };
+    };
+  };
+  config = let inherit (inputs.config.nixos.hardware) gpu; in inputs.lib.mkIf (gpu.type != null) (inputs.lib.mkMerge
+  [
+    # generic settings
+    (
+      let gpus = inputs.lib.strings.splitString "+" gpu.type; in
+      {
+        boot.initrd.availableKernelModules =
+          let modules =
+          {
+            intel = [ "i915" ];
+            nvidia = [ "nvidia" "nvidia_drm" "nvidia_modeset" ]; # nvidia-uvm should not be loaded
+            amd = [ "amdgpu" ];
+          };
+          in builtins.concatLists (builtins.map (gpu: modules.${gpu}) gpus);
+        hardware =
+        {
+          opengl =
+          {
+            enable = true;
+            driSupport = true;
+            driSupport32Bit = true;
+            extraPackages =
+              let packages = with inputs.pkgs;
+              {
+                intel = [ intel-vaapi-driver libvdpau-va-gl intel-media-driver ];
+                nvidia = [ vaapiVdpau ];
+                amd = [ amdvlk rocmPackages.clr rocmPackages.clr.icd ];
+              };
+              in builtins.concatLists (builtins.map (gpu: packages.${gpu}) gpus);
+            extraPackages32 =
+              let packages = { intel = []; nvidia = []; amd = [ inputs.pkgs.driversi686Linux.amdvlk ]; };
+              in builtins.concatLists (builtins.map (gpu: packages.${gpu}) gpus);
+          };
+          nvidia = inputs.lib.mkIf (builtins.elem "nvidia" gpus)
+          {
+            modesetting.enable = true;
+            powerManagement.enable = true;
+            dynamicBoost.enable = inputs.lib.mkIf gpu.dynamicBoost true;
+            nvidiaSettings = true;
+            forceFullCompositionPipeline = true;
+            # package = inputs.config.boot.kernelPackages.nvidiaPackages.production;
+            prime.allowExternalGpu = true;
+          };
+        };
+        boot =
+        {
+          kernelParams = inputs.lib.mkIf (builtins.elem "amd" gpus)
+            [ "radeon.cik_support=0" "amdgpu.cik_support=1" "radeon.si_support=0" "amdgpu.si_support=1" "iommu=pt" ];
+          blacklistedKernelModules = [ "nouveau" ];
+        };
+        environment.variables.VDPAU_DRIVER = inputs.lib.mkIf (builtins.elem "intel" gpus) "va_gl";
+        services.xserver.videoDrivers =
+          let driver = { intel = "modesetting"; amd = "amdgpu"; nvidia = "nvidia"; };
+          in builtins.map (gpu: driver.${gpu}) gpus;
+      }
+    )
+    # nvidia prime offload
+    (
+      inputs.lib.mkIf (inputs.lib.strings.hasSuffix "+nvidia" gpu.type) { hardware.nvidia =
+      {
+        prime =
+        {
+          offload = inputs.lib.mkIf (gpu.prime.mode == "offload") { enable = true; enableOffloadCmd = true; };
+          sync = inputs.lib.mkIf (gpu.prime.mode == "sync") { enable = true; };
+        }
+        // builtins.listToAttrs (builtins.map
+          (gpu: { name = "${if gpu.name == "amd" then "amdgpu" else gpu.name}BusId"; value = "PCI:${gpu.value}"; })
+          (inputs.localLib.attrsToList gpu.prime.busId));
+        powerManagement.finegrained = inputs.lib.mkIf (gpu.prime.mode == "offload") true;
+      };}
+    )
+  ]);
+}
--- a/modules/hardware/joystick.nix
+++ b/modules/hardware/joystick.nix
@@ -1 +0,0 @@
-{ config.hardware = { xone.enable = true; xpadneo.enable = true; }; }
--- a/modules/hardware/legion.nix
+++ b/modules/hardware/legion.nix
@@ -0,0 +1,16 @@
+inputs:
+{
+  options.nixos.hardware.legion = let inherit (inputs.lib) mkOption types; in
+  {
+    enable = mkOption { type = types.bool; default = false; };
+  };
+  config =
+    let
+      inherit (inputs.lib) mkIf;
+      inherit (inputs.config.nixos.hardware) legion;
+    in mkIf legion.enable
+    {
+      environment.systemPackages = [ inputs.pkgs.lenovo-legion ];
+      boot.extraModulePackages = [ inputs.config.boot.kernelPackages.lenovo-legion-module ];
+    };
+}
--- a/modules/hardware/nvidia-prime.nix
+++ b/modules/hardware/nvidia-prime.nix
@@ -1,24 +0,0 @@
-{ intelBusId, nvidiaBusId }: inputs:
-{
-	config =
-	{
-		services.xserver.videoDrivers = inputs.lib.mkBefore [ "intel" "nvidia" ];
-		hardware.nvidia.prime =
-		{
-			offload.enable = true;
-			intelBusId = intelBusId;
-			nvidiaBusId = nvidiaBusId;
-		};
-		environment.systemPackages =
-		[(
-			inputs.pkgs.writeShellScriptBin "nvidia-offload"
-			''
-				export __NV_PRIME_RENDER_OFFLOAD=1
-				export __NV_PRIME_RENDER_OFFLOAD_PROVIDER=NVIDIA-G0
-				export __GLX_VENDOR_LIBRARY_NAME=nvidia
-				export __VK_LAYER_NV_optimus=NVIDIA_only
-				exec "$@"
-			''
-		)];
-	};
-}
--- a/modules/hardware/printer.nix
+++ b/modules/hardware/printer.nix
@@ -1,8 +0,0 @@
-inputs:
-{
-	config.services =
-	{
-		printing = { enable = true; drivers = [ inputs.pkgs.cnijfilter2 ]; };
-		avahi = { enable = true; nssmdns = true; openFirewall = true; };
-	};
-}
--- a/modules/hardware/sound.nix
+++ b/modules/hardware/sound.nix
@@ -1,19 +0,0 @@
-inputs:
-{
-	config =
-	{
-		sound =
-		{
-			enable = true;
-			extraConfig = "session.suspend-timeout-seconds 0";
-		};
-		hardware.pulseaudio.enable = false;
-		security.rtkit.enable = true;
-		services.pipewire =
-		{
-			enable = true;
-			alsa = { enable = true; support32Bit = true; };
-			pulse.enable = true;
-		};
-	};
-}
--- a/Show More
+++ b/Show More
				`@@ -1 +0,0 @@`
				`Attrs: builtins.map ( name: { inherit name; value = Attrs.${name}; } ) ( builtins.attrNames Attrs )`
				`@@ -0,0 +1 @@`
				`1k9anln9hmdjflrkq4iacrmhma7gfrfj6d0b8ywxys0wfpdvy12v`
				`@@ -1 +0,0 @@`
				`{ config.hardware.bluetooth.enable = true; }`
				`@@ -1 +0,0 @@`
				`{ config.hardware = { xone.enable = true; xpadneo.enable = true; }; }`