test bindmount

.gitignore

@@ -6,4 +6,3 @@ build
 .vscode
 .cache
 .ccls-cache
-archive

.sops.yaml

@@ -1,23 +1,29 @@
 keys: # cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
   - &chn age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
   - &pc age1ffvr5pqd2lfj24e3fh53s92z6h76fda3du4y4k6r3yjumdwvpfgqzj033a
+  - &vps4 age1yvrl4y0r6yzcxzzkgfwshlrtsjt8uuya6rfwks09pnft7esfcyvqmrtm5q
   - &vps6 age164tyqklwhdm57tfm5u863mdt2xrzrrzac4py8a0j9y6kzqcjy9zsp073t6
   - &vps7 age137x7csalutwvfygvvzpemlsywvdxj3j4z93a50z2sjx03w6zau8q3r5902
+  - &surface age1ck5vzs0xqx0jplmuksrkh45xwmkm2t05m2wyq5k2w2mnkmn79fxs6tvl3l
   - &nas age19lhcwk37jmvn6z0v4dpdfh0k4u23f76twdjknc0p7atktf37rd7s4t4wj3
+  - &xmupc1 age1hnarptkze0ujpp05dqr8uma04cxg9zqcx68qgpks5uf5l6rpk5gqhh8wxg
+  - &xmupc2 age1l4stuz0vr7gs7pqwjrmezam44702jp2vmqaqyxw0l0r42kf9updq4dfhrw
   - &pi3b age1yjgswvexp0x0de0sw4u6hamruzeluxccmx2enxazl6pwhhsr2s9qlxdemq
-  - &one age1m7nrxfw22wvp7pj8y9pdl745w95x89uu8dzl9ppsaazweqf2lqms5yshsp
   - &srv1-node0 age1nzetyehldf3gl6pr6mu5d2cv387p8wjqn6wfpll7a3sl8us6n38s0ds633
   - &srv1-node1 age1wj33xt8nj7rhnsenepsf6k3lmq5vk4wn84jwr55qy9cwu05xn5cspg3h7t
   - &srv1-node2 age16e7ykphshal6qhwfvat698hl48s8yr0jvzh27ecdyfh5uk7t9u6s753jgy
   - &srv1-node3 age1lee0kl24f0ntss6m69zu2s2e7njdpkv9nl7rlf4nn7rvv0mlgvfqrte2y5
-  - &srv2-node0 age1l4stuz0vr7gs7pqwjrmezam44702jp2vmqaqyxw0l0r42kf9updq4dfhrw
-  - &srv2-node1 age1hnarptkze0ujpp05dqr8uma04cxg9zqcx68qgpks5uf5l6rpk5gqhh8wxg
 creation_rules:
   - path_regex: devices/pc/.*$
     key_groups:
     - age:
       - *chn
       - *pc
+  - path_regex: devices/vps4/.*$
+    key_groups:
+    - age:
+      - *chn
+      - *vps4
   - path_regex: devices/vps6/.*$
     key_groups:
     - age:
@@ -33,16 +39,26 @@ creation_rules:
     - age:
       - *chn
       - *nas
+  - path_regex: devices/surface/.*$
+    key_groups:
+    - age:
+      - *chn
+      - *surface
+  - path_regex: devices/xmupc1/.*$
+    key_groups:
+    - age:
+      - *chn
+      - *xmupc1
+  - path_regex: devices/xmupc2/.*$
+    key_groups:
+    - age:
+      - *chn
+      - *xmupc2
   - path_regex: devices/pi3b/.*$
     key_groups:
     - age:
       - *chn
       - *pi3b
-  - path_regex: devices/one/.*$
-    key_groups:
-    - age:
-      - *chn
-      - *one
   - path_regex: devices/srv1/node0/.*$
     key_groups:
     - age:
@@ -63,13 +79,3 @@ creation_rules:
     - age:
       - *chn
       - *srv1-node3
-  - path_regex: devices/srv2/node0/.*$
-    key_groups:
-    - age:
-      - *chn
-      - *srv2-node0
-  - path_regex: devices/srv2/node1/.*$
-    key_groups:
-    - age:
-      - *chn
-      - *srv2-node1

README.md

@@ -1,26 +0,0 @@
-This is my NixOS configuration. I use it to manage:
-* some vps serving some websites and services (misskey, synapse), etc.
-* my laptop (Lenovo R9000P 2023), and my tablet (One Netbook One Mix 4).
-* some cluster for scientific computing (vasp, lammps, etc).
-With the following highlights:
-* All binary is compiled for specific CPU (`-march=xxx`, like that on Gentoo). 
-* All packages and configurations are managed by Nix, as much reproducible as possible.
-
-## Using overlay
-
-An overlay is provided through `outputs.overlays.default`, you could use it in your `configuration.nix` like this:
-
-```nix
-{
-  inputs.chn-nixos.url = "github:CHN-beta/nixos";
-  outputs.nixosConfigurations.my-host = inputs.nixpkgs.lib.nixosSystem
-  {
-    modules = [({pkgs, ...}: { config =
-    {
-      nixpkgs.overlays = [ inputs.chn-nixos.overlays.default ];
-      environment.systemPackages = [ pkgs.localPackages.vasp.intel ];
-    };})];
-  };
-}
-```
-

devices/jykang.xmuhpc/.bashrc

@@ -37,9 +37,6 @@ fi
 if [ -z "${BASHRC_SOURCED-}" ]; then
 	export PATH=$HPCSTAT_SSH_BINDIR:$PATH:$HOME/bin:$HOME/linwei/chn/software/scripts
 	export BASHRC_SOURCED=1
-	if [ "${HPCSTAT_SUBACCOUNT}" == "lyj" ]; then
-		export PATH=$HOME/wuyaping/lyj/bin:$PATH
-	fi
 fi
 
 [ -n "$CHN_LS_USE_COLOR" ] && alias ls="ls --color=auto"

devices/jykang.xmuhpc/.ssh/authorized_keys

@@ -8,8 +8,6 @@ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMRpyIU8ZuYTa0LvsVHmJZ1FA7Lbp4PObjkwo+UcpCP8
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGRZp8xp9hVO7e/6eflQsnFZj853IRVywc97cTevnWbg hjp@xmupc1
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGwUhEAFHjkbUfOf0ng8I80YbKisbSeY4lq/byinV7lh wm
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5bg5cayOLfnfUBJz8LeyaYfP41s9pIqUgXn6w9xtvR lly
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBoDGk9HYphkngx2Ix/vef2ZntdVNK1kbS9pY8+TzI41 yxf
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJi6O1Sf1BBV1dYyH1jcHiws+ntwVfV29+6Paq1CQaET hss
 
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCmJoiGO5YD3lbbIOJ99Al2xxm6QS9q+dTCTtlALjYI5f9ICGZJT8PEGlV9BBNCRQdgb3i2LBzQi90Tq1oG6/PcTV3Mto2TawLz5+2+ym29eIq1QIhVTLmZskK815FpawWqxY6+xpGU3vP1WjrFBbhGtl+CCaN+P2TWNkrR8FjG2144hdAlFfEEqfQC+TXbsyJCYoExuxGDJo8ae0JGbz9w1A1UbjnHwKnoxvirTFEbw9IHJIcTdUwuQKOrwydboCOqeaHt74+BnnCOZhpYqMDacrknHITN4GfFFzbs6FsE8NAwFk6yvkNXXzoe60iveNXtCIYuWjG517LQgHAC5BdaPgqzYNg+eqSul72e+jjRs+KDioNqvprw+TcBBO1lXZ2VQFyWyAdV2Foyaz3Wk5qYlOpX/9JLEp6H3cU0XCFR25FdXmjQ4oXN1QEe+2akV8MQ9cWhFhDcbY8Q1EiMWpBVC1xbt4FwE8VCTByZOZsQ0wPVe/vkjANOo+brS3tsR18= 00@xmuhpc
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxcIWDQxVyIRqCGR4uWtrh4tLc025+q6du2GVsox8IzmBFkjNY8Au5GIMP5BKRstxFdg3f/wam8krckUN9rv5+OHB9U8HGz77Xs0FktqRVNMaDPdptePZQJ9A9eW3kkFDfQnORJtiVcEWfUBS3pi0QFOHylnG27YyC/Vjx9tjvtJWKsQEVTFJbFHPdi+G7lHTpqIGx+/a2JN9O6uVujXXYvjSVXsd+CWB9VMZMvYCIz2Ecb6RqR3brj4FhRRl8zyCj+J4ACYFdGWL98fTab2uPHbpVeKrefFFA43JOD/4zwBx/uw7MAQAq0GunTV3FpBfIAQHWgftf2fSlbz20oPjCwdYn9ZuGJOBUroryex7AKZmnSYM3biLHcctQfZtxqVPEU3W/62MUsI/kZb9RcF24JRksMoS2XWTiv2HFf5ijQGLXXOjqiTlGncwiKf65DwkDBsSxzgbXk5Uo86viq6UITFXPx/RytU+SUiN4Wb7wcBTjt/+tyQd1uqc7+3DCDXk= 01@xmuhpc

devices/nas/default.nix

@@ -46,6 +46,7 @@ inputs:
       hardware = { cpus = [ "intel" ]; gpu.type = "intel"; };
       services =
       {
+        snapper.enable = true;
         sshd = {};
         xray.client = { enable = true; dnsmasq.hosts."git.nas.chn.moe" = "127.0.0.1"; };
         smartd.enable = true;
@@ -61,6 +62,7 @@ inputs:
           publicKey = "xCYRbZEaGloMk7Awr00UR3JcDJy4AzVp4QvGNoyEgFY=";
           wireguardIp = "192.168.83.4";
         };
+        misskey.instances.misskey = {};
       };
     };
   };

devices/nas/secrets.yaml

@@ -3,7 +3,13 @@ xray-client:
 acme:
     token: ENC[AES256_GCM,data:OrYgBRU1VPpkpDzYMFHINfPSHsXEKABdZOcgiAiBJKcreBoaSVHUvg==,iv:XIeZPJhzmUi5ZHKBCYN5UA9HWH1K+26SvcIWVrHAYDA=,tag:3F93syLBZjcHwnRRkUEjlw==,type:str]
 wireguard:
-    privateKey: ENC[AES256_GCM,data:H+CDLqfMV5Kcd42LbrU1GpnyJYB1y0bSRBaRR9jNctmlReADRVuvA1y1zLM=,iv:SztfuX+Tm3bO82VfDOjjP2Bmv7IComa1poZfQ48YXVs=,tag:aA35tsgvZQDexSDgD4RjlQ==,type:str]
+    privateKey: ENC[AES256_GCM,data:VPlB4wSbWqSYw3rYRwfAMa39xrPcPZfz7sV2Cq3rmOhifnUPwggxnA+51do=,iv:utnyrB6Yfe5O94Oq4HDVFm/lQ9ZBoyvUT68r2G2PdwA=,tag:snm01vA+z2yKK8d2i5i2ig==,type:str]
+nginx:
+    maxmind-license: ENC[AES256_GCM,data:ezBawTyn+oPKKy6sQuj2BQXhnO4PTbxYWRpQR9URCxqD7bFlnmWU1Q==,iv:eD4yLDA209x6HFtDaqyj8kRxTImdyZCgOminHWb9vt4=,tag:mx+qPp4L9jHRvL90XH1RwA==,type:str]
+redis:
+    misskey-misskey: ENC[AES256_GCM,data:daHnurnqW0MI2uHd3gNT+ZczmytRdwBSsHGkCwNH9hJFMJW/U56HtjG5ivOQzYprWJ5uzgN98ivocbwzJEAGfg==,iv:aE9kvEErN06FNPPFQNchbmg/+SJCKT3QzCN/JTlZovk=,tag:iMo3MTssxKKT02zi8gCZPA==,type:str]
+postgresql:
+    misskey_misskey: ENC[AES256_GCM,data:QhsmKzYmAV0kGPhtRjTK7npt/Nop5JM9EFPpD8K6KfUJ48w+r+4vTORmERu7D2+fE3XDXxNZeSJg//bGxMmhfg==,iv:qkjkrqepjQ4kbwoaceQSzEP5TjLsiY7ih/ESj5RFpHw=,tag:UtZVW30xcsbGUjU2HjoUvw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -28,8 +34,8 @@ sops:
             by9Rd0U0bzNiK21BQTNxN1RuQ09DQVkKJmSlzV5ppEkZFljsS17ZWmoI++fz4tJh
             kTdoAStG1zsKASHyZTsmdm3RBDO3qV1KhQC2gC7d4EiwNZngxOOZJg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-01-19T03:04:43Z"
-    mac: ENC[AES256_GCM,data:ns1NlfKruRwlUv4u4J5i/lQmaEo0HVxEWZlauWBFO0AqXxdU9+X+MbufxkqqjbfSryJ3bqBSMdsVUNX87rZGoESWoLLiwLIRuRJTx7jtGppNiHN4LaP95TqliATWZAGZr/xUe2xNUrvgRqSgToT8ah6IxyZblTr1brnUMRTI+Gc=,iv:KbkkbkeJUrgNUmFbqCI2ifk0UDUfPJ80LTRTzaFRA9s=,tag:uKzMN2zURmBzWY4XUnOACg==,type:str]
+    lastmodified: "2024-10-05T02:43:05Z"
+    mac: ENC[AES256_GCM,data:NyXFwcVCCRfU+QSJVwov38SzRag1vhgfyQ0xtOheKtK/UaA+2Vqiqatp/lKWeri9ltpw5xWBYQnmE6aBHEkrj5RvoXeho3CUWiSqsB/3COn3FSfXGGJ2M642dnCtWqHfTrGNW7bhq/lBisODvtv+SAs108R5yYXhXWotUs/p+W0=,iv:Wsel2unj5X/dBCwt5sLzHmUIqm9c0uqzzpfnUkxq5cc=,tag:a5/I8GWuUOy4F4lOx9TH+w==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.9.2
+    version: 3.9.0

devices/one/default.nix

@@ -1,43 +0,0 @@
-inputs:
-{
-  config =
-  {
-    nixos =
-    {
-      model = { type = "desktop"; private = true; };
-      system =
-      {
-        fileSystems =
-        {
-          mount =
-          {
-            vfat."/dev/disk/by-partlabel/one-boot" = "/boot";
-            btrfs."/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
-          };
-          luks.auto."/dev/disk/by-partlabel/one-root" = { mapper = "root"; ssd = true; };
-          swap = [ "/nix/swap/swap" ];
-          resume = { device = "/dev/mapper/root"; offset = 4728064; };
-          rollingRootfs = {};
-        };
-        nixpkgs.march = "tigerlake";
-        kernel.variant = "cachyos";
-      };
-      hardware = { cpus = [ "intel" ]; gpu.type = "intel"; };
-      services =
-      {
-        xray.client.enable = true;
-        smartd.enable = true;
-        beesd.instances.root = { device = "/"; hashTableSizeMB = 512; };
-        wireguard =
-        {
-          enable = true;
-          peers = [ "vps6" ];
-          publicKey = "Hey9V9lleafneEJwTLPaTV11wbzCQF34Cnhr0w2ihDQ=";
-          wireguardIp = "192.168.83.5";
-        };
-        sshd = {};
-      };
-      bugs = [ "xmunet" ];
-    };
-  };
-}

devices/one/secrets.yaml

@@ -1,46 +0,0 @@
-xray-client:
-    uuid: ENC[AES256_GCM,data:GmfSlDQjO4aBq3u50jnFjOR9VxamYHzokUrO9IpIGuBx0j8e,iv:++O2wBUCnHDPowRgtxPQJQePXP2Cda74WXQvlKHbHNw=,tag:XDWhiXwT718RgrBw7L5yzw==,type:str]
-acme:
-    token: ENC[AES256_GCM,data:+zy72VDj8hs1GH7E1U04WhiGq0xkIPGC8pHbAYR70OK5E6EOdkQwKA==,iv:oYNSrOH3pLhltYw2NX1d4s6jiUgMssWiIK//62i0ptQ=,tag:C5ekSVjmwSEphsTZ/DLcsg==,type:str]
-nginx:
-    maxmind-license: ENC[AES256_GCM,data:/x9HJWh4Kpp5xy4TfuC/bP4Z/gMOFgAalz91cewHj1/tPxFe5R/nQA==,iv:K696zu685ydzwFMKIrqz1GiYLMKGM1dLNDWdhH4U0L8=,tag:nFwqXc7RPIYcQxVIu6GWgw==,type:str]
-wireguard:
-    privateKey: ENC[AES256_GCM,data:NgA5rHB6GwqiNSx1mhxObywuiZWq5qpcNrlpk6HaD9hzQoL0j1IrrgMCqkU=,iv:ZZUlSJeQPN2/JxjhR08FdEZl3gCFuNpJ3M93C6JovHs=,tag:rCtWHOYCmgZKF1lRlIAReA==,type:str]
-github:
-    token: ENC[AES256_GCM,data:rGiseVhDBU+rNcz92QXHeqAQ4lC7l5dba8d7rGUIIoEcpBVGwGh/5w==,iv:lf4aMBAQxI140qJsMLqHpI3dKRw6HiV20cyn0WFWbT8=,tag:w1P9MrqgUAmPzVWkIFs1jg==,type:str]
-chn:
-    age: ENC[AES256_GCM,data:eI7ZtgOdcI0sWrD0MmbPEOnImVaacTrR/rDtZcUKSlUIMlpFga7HYOKUZbgMvqaxZK9YLuddB4setggrPvEx+rXpTU4fx0s5Ce4=,iv:5aYVpf5/nr/ssGAZDiSs4/5HP4aPDya0DZ8OfrhHowg=,tag:ImzDxw/1GB4/krCnNAxJ8Q==,type:str]
-    rsa: ENC[AES256_GCM,data:TirRkEaW0sTstTp3JoHz1KCTo3F1zozjsUUHVxJ9v+rmZRfH3DjwOKeGHsiKtJWo16yqHpQjcBmInWzgnFUZtM87lzW5YaKOPDwBwsbLtP9NxaFTU74kU05Y8E2Aireg1LlmLvu8sRHy/SwVHdML1AUZ4g9sLCLcb/eQcWQmawdsl7Y2xkPQlBfKiophu7dkEPw51vUoKvYzM47R9RI5cRFCNZtUfr4hOk23L7XoVL0Aejqd6pBoENCJ+nCXp4kUTYqrSPqHuQuuYwb0thsrd++g4vmSQQWCN/KkYAg8UPvAN3hMGF+4f0S5Zdr+g0Lb2KHQkpBofOlBZ3P1uTmm/2s9R6brqFrz38OGWK8ZouNZyDPC+FwJfMywm3GRf87rCzEjF0bAix3J779YDG31uaJJhTjRa4q/2Uvk8YXbebTZEuQ5dK1bav+730dOeGF7oa8oBVVQjB2KYzInuuVGdLoVMeaiRlpJpK4ZU3SnzjUheiq7fAdJcqM3QxgK2vIy4kL6LcniSm4J/b7IZjsbxAdkFRN0VZOgHQiO+IICbbhNftSXCCFgFvG3Yl5dzCtqUGYoYEpZwMwJQZJuFJqfCzRFb83jAAjGSN9OByGbu7flsaqRR1YjKNs6BgJOnyhbQ2YJrozOuzw8ZquuDURP+WmP4NnKOAZ6J06Imupkd3Q/pfYxSzSuNrfXYqSHeczDgb8IOc37rfPWGXLgEvDVuSYvYNf+jgSap0aGhHRJ65dvRsZE/GXVuRhTnpzF0vuoVJpifrzkgHehklUGPOLhvnzTwLryHvnO2VJpZ7hhlreeVGf6iZ7fDYJW91OvNX9b3WvtWV985n892jeFCW6/OHfNhv6VBjj/YeNMrZVy9JLwDe5DmxQBH9GIc5S1AGVuTzZBLsd9L+ZFonGfxbwpPtATFCvaftaTed55cXkZvj499rfu6KkGzCPP79tNQSyCRGPrq2pLGyAAMh40+8gkCgKmrw7ZrdhoUvBllKrAMGb8kd9FQ74OPD6vhb/IXMBc4+N1i5d+XiONOOKyVHpz8y/XS1rHnQO1sSN0Wkhgoc48m0zN/frmZzBw2xiYnG19rd5CHSRRbK50JgI4unMNiJKWNQjqnDxsKJu/WSOKeOFK7g5lcKl1D/XPYOeFUm0ZWmqhb9XrF0f045RHKNEMwkYbRJZaJcPQ36H7+99pYGjjZzY7KVUVlc+7ttQiUoOIkGKI8A06Q7fSXxBWA9x8Om9CdKPT3g/MnELl9Bg8kf7Pc+McWmGxdKzjhzEL1ElMTWfuM/a8hU7SMDjHtCHdxwngLn8+krt0HJ5SwEcDs0KUYEBRDwDpooDVNEUTHL8zEKE8zVl49lkN0NX/Wu0LvnQeJ0NjrFkF3eDpGyPbkXKgqzTMSaA45gK48UsCzKkMaqmTpCyfISyhMeEQm3danslHL01P20GoY/zWLsvOgO96p7X/j6nRv8RCHNH8pu2ve9d8V3Zu5DuHW6+ODOfaCihxkkSqD4jv5OFgISD6afLiBShVMcH8tKkEFph+Zd8COYmuUBZ5ez+BvXmMG1DsVs0/RNY9G8PG7GOoyWVU52JaJw3Awl56o47vDviBGjHi9bF5+5Je/il9csvcuokvyhsRxJ4vBwGJUNI0xtBK0/6wX2GTd10CisYw/fKOyGPgKyquGJlsODLV5JzmWY7GmI8MmVKYrPyVjPmegClnDdkxjknQGnGmEuyPLSTR03OmzR5YQ5e8Nl97mQWAr8kX/vxiQmCfufAZCJOfxoy5RRkDMuvVYlnpl5DtSPMUg+DXO9243gxqYSNCopbcAdkMH2ylkAAIzrmZym3E0EWFz98JLl9RkD1/jI80QUmZwsf3JU8pbtfV8yLs+xOrvZ0MQZc+uDvvDsi/2ZYQKfwWqmx64oK00vncyDHH9zhvwxauSfiqkA7K98ZgajrcEbU3nSfGPgdXxTlVpIufhK8k5QVM80DoMEvq+1i78ZsOd/zHFH90tyzZ1ploIY+mptGWMHJNpdBnXgy5KlUkmSuf5PUQ/xoD7UybxuamriO18IrjiQOE3pDhA1GTXz0iM+UOSceysEgNnINh+gRUbGX97YAoTS4pXGyzjYfoY8vMFmkD3DzTNClV2MSVtjuBR+dDwa58SvAAwyw55oQdILw+dogh/qGmL7MSvmssw3mxM7hsEfDu7Kea5FFVZJbgPh5VDZ/hHTWHU6gapgt1QvQQ4kNQuXJnNfooIaMWRg==,iv:9FUcJX6puazsRTBtKfuhvbY8jA5pdVHD4PfChtSX314=,tag:bxLTovW44jFhGkzGzwCHiQ==,type:str]
-    ed25519: ENC[AES256_GCM,data:KLBlDuxOdHnqmVU1KtDrd1r44VzuCYhQW8+7KDAXLD5XGKBP9ip41ZByuRxVUnhVtTP9LRlUt7qvEjPen4hn7HxH+Ic5tghN400JFKpnmxmnjZGbelIheAuRYU0t6BKFvTvcaKD5sNhpoYX9P29L+Yobt59Lo9dc96dF8xy6iWE4X+FPYBsxtheGOMDW/I0CLKF82pv+yy01EFDKLBLciPkweUcCf4642Xv/Lv1knCIhxnCGa5fD7XpqNbz/VfTiqgIDUScISIo5cXJQIp4Dho2SIaf3nMg8BQB5iNRDcyU45m01M36SaYKU7xBuJN7pRP+vtPySavtjbmqLbowFM9iQArpHCV+VT7cF6D35lPcn6hsZ9xEIP6XIpQU+cl6RrNmV+Rbxlzi/wGTYB6pWrfmrJaJpDPkYvyO9uy76yaljkbL03LgAsc7ittNkCEJ3xXznr9AHKH382JTHlQtMbKZPBUCAa8T7kJmu9gdfpj3yqJtvdHkOi+RIjls84l7X2OO3vhUzuRqx5FAboxKfDcPgifXV2t3d9wfMTlH8ziJGHiz8RKZJife6tdP2G7nKtSchjTyv9JqFQhTF,iv:C5KL23GV5Cs2vzHix8UNBcDSOvQgNvhewd96BMGpjj8=,tag:0zwTPg+AJyb/pCKV0zEQqA==,type:str]
-    ed25519_sk: ENC[AES256_GCM,data:v8pEsJ2p9cBr+wFIvcVwtHMVfuYUtFOtjbr/SuusDfAzlJJNQ6jIQxrynFwiPGf+zKRKgOmQ55XdlTHnCMztK0stDzPSs15IzgIXf1xTKNsEZVh077VM4a+DAnQMWJVjslcf/ljU0Ec5yoEGuerO03Q7Ud3ffCdObdWCwYYN++QEJ63eKSQhzMZ1LFH0YLizhvIEeqe/NYsYncA+js8uL92/97e7W1Ui2iGwC1kB4gDe0QijmaVKv4yThaw2SlcHiBuKlenkuXZu1h26Z23oa3d/GpEscuNjgY6EKFBHwg9bZIDDH2V+Gt0sWe7lWfAUR6g9DlvXZQ5J2PR+eMaQmKIYKQJRfIogAzA4sh25ecazPDgU5MtJX8W2QO4yDDvbM6TclCFPjnqSPZFpqPu5Dmess2dKMFxq8F+BEJ9typonLcX2YsFizeIZ+y4cbmyINTV3WlMd/hVCOTIadmsTshEIwquKMkKpsxzlu0DRNt1IIj9InqcQmUDfXDJlOYQlE0YPjZnUZmHEq+s+yIhkR21a1dtJ7f5T7YU5de12OiTjn3ekMhw6fSncGIWobwLvezXplLJ0+JM=,iv:QSO+YZLxSwQ69K20+qp5J7R70C6yqZ76LjhXkbfnM98=,tag:TKGQeFJdkBGmj7KO37XOjA==,type:str]
-    rsa.ppk: ENC[AES256_GCM,data:XBM/HD3mv2BD3Dp1LP0i+mSSSyUBrA38RzAQIIQlraFhID9oZBUTzqdSqXDeLtS1p6y2xAOxBVkH/D4WR1kOpXgw3LgNuvb1YFvZkYjCf5QgH9sxMSjiaXRdRHSAuF1b3MpGkgH7gmZRFTc5WkKvia7qzJgwGF0qNwS5j+lB1g0U0oXR6vguqb0gYcA2dKH2tpj/CqGJVAzkZCd1BxQygTpewcb2cbnVG+lb1kixD/r3q2PBoviS56BRCHbwoLhHLSn/y6XOnWqcaBgpBzwE7aZqTWa1QnRtv0OtUkGilrB+SBcXvMDNc0Xts2hhsHuc1DCB4CsAaEY37SEHKJhdZEVHoAZ9dJzScMntcRTES4AjhHXoBUpNy6wvTTLwdw58dXLkxfMdVl4LZ9Lcoc+mFfgPrNpvkvYVh8X0HiDC1FLgoEU8IQXPPW1HJCTGRbPAMRwXXtwxpmDN0byEnLH81JfxvSxnNZkvLu9qRyWC+IRknUALh3KkqzalzpuA3btDkyGBFDSX5phITtTmm0R1eSJg0R/BbFAogHz6NA/2KPoz9TtNH0nkQfDqiYfYub2J+8w9QsAr1k+0Wew9DeAF9eLaNTJSUeDlvz/Rq/DJLyUfOGIpCiY4cecJ5nbHPvdIia7qM3NBeGE0ImQspjjXaZH9WSaUZ/sjJu26LRNj7qJP9DWv8VfxkJ4BuRuYqP0qlWYFd36b38EQbgTiPoDHZoiIXG+1/cfqTf00bKskMl/gmEdoyoa2OZRO9K78iZLu7JFmqL7MoEaOUiLbNHymp7U6QgBdvbqeZxYmcIiMfvWK9Pudxrt5ts6rUDeZgJ02IdZy3BpDIjFBu8OXBHf5U4f+EIjuWDI39S8FOFy7Nv/XVcz9LIqPfR5j1hO+5Gdgqmx30xiccJRM2QZUxh5vC4m9wIFyg0HRrXYF/m7FRiTt3m5VXut4jWMyUbxSNaZMHlq8Lof+Wb/nbEv4HiQxywKCmDQ2YWotJita1fRgXNFCiV+BaEO3MTozUF+aGugBT7YvnufheVrAEVtxRnzD84kTsfvg1uDybvxGOJsj41HfDNOyEkHpsagCj8dcaqtIOPmg42oGEeoGO8sLeVQieVA/OzwDoBk+fC0gwa76t99VANrqdg+rVmHI5rF532j0jXJR9Nr59mZF9yzj0ECHOyRHEj7OkBRFKS9hLshifGJ6GvSNjEm59ohrf4S3ZIfkLx0fZUjmIovXDc6nxaazTd2ww5ZH1P+pkPtFLaGTqvlEKEQJ1zekzBYKH+gze6WP/LK6q/8RianwKB/5kuMbRkk3dsUF7fh017ir2DA7+nedU3Kk7d7/mM01eQHNcIED/BprFGQenuCUl64rn6V7XTdAKWlhusF5fQruU2bXdjO1ojGh8topWyz8Wp7TxN7cRSlU7SLLnXcLuNP2DfrfwDEAL8HNn4K4LJLJAB0gZiPi5Hz9nT1J54mWdifDgaeHbijsWmqrDZwpE/D6hYpXTMU8YWOM0RRf/5ECRCCmh0C+BZvx1CKncsd6BBAa3uMoB4hXMGtMSSpT5ZkDhcoU5h2XNoBSjRLmmbDYraUk9VqByRanZ9zpRGpvb5SFF0OFzuELl3bDxlw0NjYEKSh1lMWSSpVaTDm1XdNcpajXqFmBTN8x2oP77tnLlPPrFbcoXdn6k3jmvTzYpBk0FRv582ZYaHhH0iXkrp8/R4GtWA5VjqfZ7pGSZSBIu4OjzjdxXvee0ZK5Z1kR7MfR4G0S0BGgYbTPdoy5exm6Xfwy3qzKlfKI0vni8ttjbiACq+/ImMPUmvCSgtqnGTUejF4rEDrvJLZHrybQQ83X7/QoXrt9MzJB5gR7xCr80FdsEgT7ZnPd+arZJRJfryYHaMsZ83FTikc+eM62gRm1Hj5TdCUtHgmgwQraH3+GGgIWRQVZRxZoPf1RlAYRH+9i1+BiqdLxqdBECA==,iv:vaQNKRMYwXIFl+8Q1IKgpEHGd+pAAGzn27sLNlqS5sk=,tag:DQrSrQ06amQRcFhHJvy9xw==,type:str]
-    xmuhk: ENC[AES256_GCM,data:7Si22B70Q/tM8iiUwhNKeMvCOXcDeRQRJsLNfmi+IxTRL1Xgj7nCYRihRoqk/kNqGlW7EiLGp/D30tbnd4V0TOOd25je4bVF3DFKOkvD8x9iJX5GwT5KA0Kc0uVOLawYT55OxxsdsjDvYUENSobdqgHNw+uBQM3cXc1mkKSarzhq+ZaRJpuPPFApORCL96sLFBTYyChgQDPSKz8zU2YMjurC5gQAgZVMXHw5WJdrd2m9fl/asUJlbJprISqJ61zKALYC/fYosAPZVvQfVnzp3gmhJuZQrhoLsGELSFFc8t4/urlIjGhi7BM8sAT+6ZYxGSKGcgqP3K6cavzLr8eIvuG3nnZxZJzelS3LscVtjLI5Ddv6Luyjn59Pc+NLDHTEbAM9aIRsL4TPLtW1ebqqCk+rkqxvP0zhLKnA25DKKYjOGlAydbCbxcCX8/l0gjtiu6MJkaw2mC1Ppw9OrO5f+GQRiUFIsmFTAMViiQ44gZxCVPCPa08hxgmkwRp/PvdH0+nzxK6IuBWZIZV/M712LGPT9lrhaEDT0PSyGwcHMWcVu+ziZHGbG+vbeSk3pyv5Ou+uvG1DUxAh/7cp9YLL5U90UkI3WSBsge2bBtURQLnQIrGyQO9xk+3heXzcfxYl3kL2ARA7BIvyXrwpd/77WmRPhdL8YCax1z2+cK7kP4HWOhhpXNcIPRN5qwuPVRJCBcSBacahJO6PLpbEJ0nXM5D5XY0s9COkWfIPyUNA0b78LHB5pGMP+rRF6w7OYNbniNM3zHZnNyw3DyMT+V8PBfcmj8p3KF0rgdD0USvm4C4B1zvKVFK2P3ZMw0K/L78Xp4bTx1q1eA9qiqe0SPPc1BvgyRksS49VYtL47bA380MOmvgj+xwW+qTEozBW1HxaCJuqJBLxIX8i7LXSkSSGL64QOj+j2Eulbc6Sgg1g82XKpQZivkq/yGR77zODEshlaVUWkzSFSVOFF3aQGK28jl1U3HZpfPCCx7uaXZoaNTwwR9dsZh+t5YJJb1oKRlzgIWo7DB8CJufxX64uSFT2prY3sITfAuH12C4TrmjwP7tt0ZbTVgtvych1MGa1PY2225Bs1BgxLRVSSn6MRYz68NiE8xahRqwkK1306+r1jPjuEIjBdkoG46MR/eo/OF2n1xXkyLkwQAFlsk0+CGuGFzAj+f/++s85N8/ctPINJXGt31uEooD8fcBNnDGBSc4YQYtpVWCviJaaE/fRXzldfKB73V4Tidyg60fDJCNfJI8r/Ic3YFBGiQGTH6beitg72mQuLp5vlrxBhCqGYsEZkW5x/wcoJoEot5rirQKq3trIrL2nTF12AYQbNPjbJBavnpPds2UctkiUM+JP3CIiolAvqLMML79fRNeCsvUtDqbHTGU53/qbx3NlkIIqF4JHbK8Ckr9WHnTGAugbMgiNKQ3PKlSdV+vG1clb3fbHgMWRbv4xZq2KdJq7iibGUEBvO5rqr9YngqdOxhsQmyAh1ibkIbtJh3TcXkNUcw2h/tAalxV1xmbT0Glp42GU0pgUr0aGkjepoCH8jYkmmft4l9qy8t8Gi4EdAe3ImdTqKxwpp1CG+hoR2Laqp7z7UpXkILYfZxHwQa7NZSok2WZXEHeZJbCciREqZAUOW7EtdZGG619XJ0YTWxeZl6/+1oOA6TUb/r1HnSGo+xfNhzUeQcDsyf4SWpr2X6IUP+qUnOciCsSFRklJgj/JCteIK8GKIij34ODehPKZB0BZC1fqx3mZbqbTN2RA3adJV4asKam6kAtExqhuVyv8Mn2LTSMKwMkCi8DLPtvFSqpicffSUkkAs/X6HNSVrUTpA4sjkqLz3aoRLAMrijMYz19dvgb4MM8vv0zYaip2RYxkLnl0VrBrrIaNWiHRsiCR7pTPJaE+0k7QRWh3Hk9yX3UADTMOy7SIrqGlz1uihPodz9DeWGZ7ddMXeabWrRIh+In2Hyvs0HdhlEWgYyIefVIWZpCWVheDNCPb40RcEKB7WVDrbXrn3zWqM4DFCeemvd705OTzF5LUQ0Ql8prYKw2N30fC4l2OT3LWr0fhdsgsLBfKojoVSxFPG0WLxfS2Hhu4Qb94nSJlvjFtsiNAcTooXZKd64+WeJTdfDEE7Z7VoGgU2c6LsIUpWjY69KZy9BscY2hZUZFBgM/4iznyOvtyiWYJP1cUy3pDg4aAcoF8xTB5oqpCjI97jxAOYIKWIJj7aOoy9dpoT8BWu0fS0GobBSZAyZ37rGIomPni2jQUmaBPSvmRTQhyq2qHpgTIUYzphpZ5pva9jQbYp8ejR+sUMVf/EKVUzFTG/YhjAzIfTjZePnoxw10JkFS+n0Nq5Qqz1aMK/ie7sHg2DON4z4sJZ9z6jR8KOKOVfBlrwOFYQ2ViG4ut3EHDBIu7qWpSrtWza4cnGnADhPTLh3wjqFTD/j0wRkR9Bs9fzSShuoG8Kgm6zlBUX2bVwb0SLSqFNRSyReXjPq2gjma8iJPT6o+aSWpIfsYf1FsQsG6rJFaw5JxSz2oyi8TSIYStJInjjNDgw4sk4/Xk99pwEnHe+sOUNNhu6BPPm3KpAKIKm6HNwZJK836qvqAqwtL/d5QJYwpc8EBuxpCvijJe4nBR4HZnFJfDH+llhn/tDe+GOVLs6OHtdU/N5UbpBu7k2O4mq1kQhc1uRU+H9l6KxPQ0vjnAvRhUjcqVTtJzzpnZ1wfFDWlRqwoCshT5Ohc3PhS204au3OUZWtbXEcWSG5Lh9Gs5W6Rw5mPplFFYZVisoGvv/KnoSpm6opYjoMSBobNWgi7Zu9IgtrjZ63ddmJs22zvE6UjaUpHOF91QOOwlNCVdwJ7SQXv6gEL5mXC4GdgUW7oDyprHysSbL2ec6KxsP+qXgPa/S9KYo5uriJ1MQxRDbhjQjkjq0augD7zgiX95aUDvTjG8GP8JNs1U1QMi1Xg1TSLyE45kbRIZ5WWuT5iJOS+SHr66Qpvg05ymHwX/Mt7aHLe27XXOSGmZoQPcr/6rF851No+o9qSdaeVAK4lvrcmE6KeQWsQ3pW6TytE6qdGWgW3f/SuPTKVIgNk8aPWH6lbTZc4RbZpwlxpMeFP98xcwfkV0dzmTVax3UAUdVCH/LH+LLT/tgTiHh9H29rI/nvvOP6+lSj3O6xUvArl9wFLo7txQtFc/BAmeUicVdHCF78Fv7E3hlGkL1PhURuf7DO4m8pTkA9NKN7cZUUGVF9DI4PVmGJSmvF36ees63CqDSb4ZTnRdcPt/chXLmIamFlugG046eKPKsQ17dk05UZqQ2Mw8A9V7jMeJIiE27ZnjB4mnn3aO4g8mGyuUDysWlRxTbBlW57whOXEFMdczp1Hvsn37+3GJgduYifrC4iI3PwrBM7ZClL8t6z5QecRLnRsRZDdLhpB2nePP4VU/JSYYy/Rq/vqoM/MfFLeJr+YMijAKO49Jdd4RSDDStrnbBq6snW9cyPlgUko44w==,iv:/FD0wfUdv26ZDkSneTnAkHoei6+I/YgyNrOfsDTP2Fs=,tag:rKPUUlSmCrD9iEKhZR0+GQ==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsOUJWMm5xT040cEoxQit5
-            ZnhhQWVyWjlnejhzQlEvVVg3ZGVJb05iL1hjCnF5bzFTUTZFYkNQR0k5U0xmOW1t
-            TXhsRHFIeVBBSXc1UURON2M4MDlTMEUKLS0tIGdSbTdZdmdjY0dmNjkrRjd0VkhK
-            eWV6SDJqT1B2MEp1MURkV0E4S3Z0Zm8KX9lEjG4u2QRe1zH+13rbedCWl1B7vvl8
-            2iMHj1qQ4JkCeq83llEH5IuDXKYnKKXSi8l3nU/l6Aw6yx/KHDFK/g==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1m7nrxfw22wvp7pj8y9pdl745w95x89uu8dzl9ppsaazweqf2lqms5yshsp
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2K3VKTVJqMTl2cWxUZHhM
-            OVg5ZjN0VGNpVXQ5M1FKZHloZ0ZnWTZ2ZWowCjJIYTlhRU8wd1JienlUTHIwWXYw
-            eFY1d2MxeStBd013VmszbTUzTkF6U2cKLS0tIDdDNXp4OTdQRjN0MGdIOS9oSldU
-            ZW5PT3VYZWhDMkZUeHViZE41eUhna2sKc8J8mJ8ge9KMb5p6Xi/vRIIXZMEj6Ih+
-            LjLKsgDfMbqNqKaQXSvC3tbvI/dDoiStyCsf4rkTY9QOkyEI80MtXg==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-12T06:44:16Z"
-    mac: ENC[AES256_GCM,data:/uuP0StTdBz+Z2FddjGDP7i5lZhT0z4vCd22twm6lzp4WkpSklX+YMPRddqvwT/zsJpJIFf1+vK9VtPZBW721SB7AZx4oC1f42adFHjBtSXO3QJPI8cfUx6wdvcjwN3ySXYIcf/qi34ePmFm9amr4xU9jzN1OaZhKUt5Y7kq2LY=,iv:RJUr4u5UKJh9X0xh1lvdE6HWKxnaxKoDi95V3Pj80f8=,tag:D71HJ8LgJrGIu31WV8KaCg==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.9.1

devices/pc/container/jykang.nix

@@ -1,12 +0,0 @@
-inputs:
-{
-  config =
-  {
-    nixos =
-    {
-      model.type = "minimal";
-      system.nixpkgs.march = "znver4";
-      hardware.cpus = [ "amd" ];
-    };
-  };
-}

devices/pc/default.nix

@@ -4,7 +4,7 @@ inputs:
   {
     nixos =
     {
-      model = { type = "desktop"; private = true; };
+      model.type = "desktop";
       system =
       {
         fileSystems =
@@ -38,18 +38,16 @@ inputs:
             "broadwell"
             # FXSR HLE LZCNT PREFETCHW RDRND SAHF SGX XSAVE
             "skylake" "cascadelake"
-            # SAHF FXSR XSAVE RDRND LZCNT HLE PREFETCHW SGX MOVDIRI MOVDIR64B AVX512VP2INTERSECT KEYLOCKER
-            "tigerlake"
             # AVX-VNNI CLDEMOTE GFNI-SSE HRESET KL LZCNT MOVDIR64B MOVDIRI PCONFIG PREFETCHW PTWRITE RDRND
             # SERIALIZE SGX WAITPKG WIDEKL XSAVE XSAVEOPT
             "alderlake"
           ];
+          githubToken.enable = true;
         };
         nixpkgs =
           { march = "znver4"; cuda = { enable = true; capabilities = [ "8.9" ]; forwardCompat = false; }; };
         kernel =
         {
-          # TODO: switch to cachyos-lts
           variant = "cachyos";
           patches = [ "hibernate-progress" ];
           modules.modprobeConfig =
@@ -60,7 +58,7 @@ inputs:
       hardware =
       {
         cpus = [ "amd" ];
-        gpu = { type = "nvidia"; nvidia = { dynamicBoost = true; driver = "beta"; }; };
+        gpu = { type = "nvidia"; nvidia = { dynamicBoost = true; driver = "latest"; }; };
         legion = {};
       };
       virtualization =
@@ -70,6 +68,7 @@ inputs:
       };
       services =
       {
+        snapper.enable = true;
         samba =
         {
           enable = true;
@@ -93,7 +92,10 @@ inputs:
               [ "mirism.one" "beta.mirism.one" "ng01.mirism.one" "initrd.vps6.chn.moe" ])
             ++ (builtins.map
               (name: { inherit name; value = "0.0.0.0"; })
-              [ "log-upload.mihoyo.com" "uspider.yuanshen.com" "ys-log-upload.mihoyo.com" ])
+              [
+                "log-upload.mihoyo.com" "uspider.yuanshen.com" "ys-log-upload.mihoyo.com"
+                "dispatchcnglobal.yuanshen.com"
+              ])
             ++ [{ name = "4006024680.com"; value = "192.168.199.1"; }]
           );
         };
@@ -103,11 +105,7 @@ inputs:
           enable = true;
           serverName = "frp.chn.moe";
           user = "pc";
-          stcpVisitor =
-          {
-            "yy.vnc".localPort = 6187;
-            "temp.ssh".localPort = 6188;
-          };
+          stcpVisitor."yy.vnc".localPort = 6187;
         };
         nix-serve = { enable = true; hostname = "nix-store.chn.moe"; };
         smartd.enable = true;
@@ -129,11 +127,11 @@ inputs:
           {
             name = "pc"; address = "127.0.0.1";
             cpu = { cores = 16; threads = 2; };
-            memoryMB = 80 * 1024;
+            memoryMB = 90112;
             gpus."4060" = 1;
           };
           partitions.localhost = [ "pc" ];
-          tui = { cpuQueues = [{ mpiThreads = 4; openmpThreads = 4; }]; gpuIds = [ "4060" ]; };
+          tui = { cpuMpiThreads = 4; cpuOpenmpThreads = 4; gpus = [ "4060" ]; };
         };
         ollama = {};
         docker = {};
@@ -141,35 +139,28 @@ inputs:
         keyd = {};
       };
       bugs = [ "xmunet" "backlight" "amdpstate" ];
-      packages = { android-studio = {}; mathematica = {}; };
     };
-    boot.loader.grub =
+    boot =
     {
-      extraFiles =
+      kernelParams = [ "acpi_osi=!" ''acpi_osi="Windows 2015"'' ];
+      loader.grub =
       {
-        "DisplayEngine.efi" = ./bios/DisplayEngine.efi;
-        "SetupBrowser.efi" = ./bios/SetupBrowser.efi;
-        "UiApp.efi" = ./bios/UiApp.efi;
-        "EFI/Boot/Bootx64.efi" = ./bios/Bootx64.efi;
-        "nixos.iso" = inputs.topInputs.self.src.iso;
+        extraFiles =
+        {
+          "DisplayEngine.efi" = ./bios/DisplayEngine.efi;
+          "SetupBrowser.efi" = ./bios/SetupBrowser.efi;
+          "UiApp.efi" = ./bios/UiApp.efi;
+          "EFI/Boot/Bootx64.efi" = ./bios/Bootx64.efi;
+        };
+        extraEntries = 
+        ''
+          menuentry 'Advanced UEFI Firmware Settings' {
+            insmod fat
+            insmod chain
+            chainloader @bootRoot@/EFI/Boot/Bootx64.efi
+          }
+        '';
       };
-      extraEntries = 
-      ''
-        menuentry 'Advanced UEFI Firmware Settings' {
-          insmod fat
-          insmod chain
-          chainloader @bootRoot@/EFI/Boot/Bootx64.efi
-        }
-        menuentry 'Live ISO' {
-          set iso_path=@bootRoot@/nixos.iso
-          export iso_path
-          search --set=root --file "$iso_path"
-          loopback loop "$iso_path"
-          root=(loop)
-          configfile /boot/grub/loopback.cfg
-          loopback --delete loop
-        }
-      '';
     };
     # 禁止鼠标等在睡眠时唤醒
     services.udev.extraRules = ''ACTION=="add", ATTR{power/wakeup}="disabled"'';
@@ -177,13 +168,30 @@ inputs:
     users.users.qemu-libvirtd.extraGroups = [ "disk" ];
     networking.extraHosts = "74.211.99.69 mirism.one beta.mirism.one ng01.mirism.one";
     services.colord.enable = true;
-    containers.jykang =
+    environment.persistence."/nix/archive" =
     {
-      autoStart = true;
-      privateNetwork = true;
-      hostAddress = "192.168.100.10";
-      localAddress = "192.168.100.11";
-      config = builtins.elemAt (inputs.localLib.mkModules [ ./container/jykang.nix ]) 0;
+      hideMounts = true;
+      users.chn.directories = builtins.map
+        (dir: { directory = "repo/${dir}"; user = "chn"; group = "chn"; mode = "0755"; })
+        [ "BPD-paper" "kurumi-asmr" "BPD-paper-old" "SiC-20240705" ];
+    };
+    specialisation =
+    {
+      hybrid.configuration =
+      {
+        nixos =
+        {
+          hardware.gpu =
+            { type = inputs.lib.mkForce "amd+nvidia"; nvidia.prime.busId = { amd = "6:0:0"; nvidia = "1:0:0"; }; };
+          services.gamemode.drmDevice = inputs.lib.mkForce 1;
+        };
+        system.nixos.tags = [ "hybrid" ];
+      };
+      xanmod.configuration =
+      {
+        nixos.system.kernel.variant = inputs.lib.mkForce "xanmod-latest";
+        system.nixos.tags = [ "xanmod" ];
+      };
     };
   };
 }

devices/pc/secrets/default.yaml

@@ -6,7 +6,6 @@ frp:
     token: ENC[AES256_GCM,data:0mE8/cWqHKNquCIiqgbjcNhipKk7KEfbZ+qRYbu+iZr7AH9QjfYZQiMJNp4Aa3JWwBLYAnpf,iv:ID4cc8Tn0H9b1CimXlPamMlhlAkafhRApDHo/CCQ4BE=,tag:BUuU/BCj16R7FlKlpubawA==,type:str]
     stcp:
         yy.vnc: ENC[AES256_GCM,data:IsZWkNGYHrbQcgvOSURDnA==,iv:4XO8RFBdNopLKYxCACmkXLMPu0wIVx64y0C7m2bsTVA=,tag:fMHzU9aQm0bRr8pTKwpuHQ==,type:str]
-        temp.ssh: ENC[AES256_GCM,data:XG9WpTR8Bw==,iv:XiMTPN8Gx1nNssf4r+VXTvUATiUNsOYJ2jeHjhDSyTs=,tag:JS3NlA4cs/6IA19PJYrStg==,type:str]
 store:
     signingKey: ENC[AES256_GCM,data:TsB1nA0Rf2AsYyH59WpUK53pTCX2JdrGQjkJ9A9BfWLLmw3EMnPoaLHG12rv1R2/xRU7rP+iVhXb77g60I/Kn4ehun3ogMmK1oEAKyQcxudBUJFk+SeijaQLr2A=,iv:e2rdGBVOPS1nyC3pXhs5r0WyEkqxcpCnX3eAcBCj93M=,tag:HwccjH2Wms5/TevU2IuzNw==,type:str]
 nginx:
@@ -23,18 +22,10 @@ nix:
     remote: ENC[AES256_GCM,data:uosYkxTCB0wiY+Uufk//OcBZFN3EzbZoQGZ95M9eZMjQ5AobAZqosi4laE+EMcZL1CqYqlWXaSoEUOB8biUaZPseo+1AX1TlmUgZ7QpkfOX0VKZu01C6C+lVyqVqMFq6z1BFyX/oeITMIfnd4a/2KwJCHLAZ4hMkJ5p+aJwByKGa3N/2m41HH/1S3z7pYQWj7YJxunTPPG6WNSiRncQki11rvmddwnXmsBF89+jW1Phge8U295haC57T5oIGPxR645IeTK4ZUlL8eVuZ+BhsnwbkYcaxvjSwe+DOIVPupR8GW+gis7KxwE89kqvnQhinamexcPUz4lGHlqO/Xn6jrJx6T/wXF+19epAzeHapYte3dTWNsdPwPLPJihT16YT5fwrLnH3zq8kexWz1crmnCGUoaBs4S2tHWHLgv2lTv0IHLx5F6ijpDBj/Avg9YILIURzdeea+rBxdycHasUDTVlJtYKRH5J+WbAKWI+oJ5qmXjIRUYL+O9xIUfOGO+1b3xs8MYxRWuvDV2P88N8vN,iv:yQQp5wjbSVn1oia5yL7d6GF9Vo704G0iOQRGMbzQHzg=,tag:bpBag5y5n+7ojOa8QOcDvA==,type:str]
 github:
     token: ENC[AES256_GCM,data:59z1zSofzUyv2Qfn8oS7dZplzJDtOD/zxhPm07MLbVLHt8mE57IGcw==,iv:nZ4JmIE1h496RN6BChvqo7XWHjur76jP4HMgqGBbMJQ=,tag:pUSGsofG7hvkvJxCRwkg1Q==,type:str]
-chn:
-    age: ENC[AES256_GCM,data:bxmGYdxcF0OTe8LIVuBUEIs1014k4l/UoN+k90B85FOcTSzeVuSbjpFTRgNDj68MQiqoERGy8mFkKC6pbDFhnlXyns3AsxCnoZw=,iv:U93Lo5JAxJzIdTTuVtMhfirbMA3VSCtP/SoZikDWLyo=,tag:Ld0wZK06PNuvEeXu6PysZQ==,type:str]
-    rsa: ENC[AES256_GCM,data:asERfFj4Wx2dIJr9rnZ9i2fUxYnMY8RoIB/6mOOmeBE4yZPc1zMbhUX2aFftTgCsqH6ZC6qi15k1YWlRHrJqqyLyIGCukIbRwPMtlowU9Gr36YSok0NFrkQbUT9zjlns8NGqiHJAPKYhFed20hjN+IhgnDuFxtDEjA711b88z5prlm+NpKQ8Ohj6fKLWR+xEj/+KHWgF4K4WJMIZxu+jfRagHg6nwJBvWJDPZJQin/ZeCMqvH2XZkgujuUjXNfNhBhOENgaFtkW8/o6oZCySBctsCFXkgRK/7YbTO+Szzn3rJ878QGPMQJLqSONP62YlzCPO50B8Gsd9wBz1f6RKZrmXIElOdTNgTyPp1jL8zOWlSb14n0gVNoEi32JtkU5PNXYr86rHUX6zHbjdSimqqmhZl6tvBc/cKNQ9UoJ1syIe4xzN61je9Va6bJJt+WBipfn72z3KGAgR6yucKh7RX7Up7iiVTaxpq8BTsfUWvd/1Ar7jQb3YojOVRcX7CE4Iil7L8v2vj7pP8ecmo/ejggQiK9iGqWbeoQGh/j7ZhAYdx0ZY4lAk/HUc8z9yMfTxv64WQbCkHIeAnrstfHFXjzkX8zKYiKxvQr4mSCuHTusZFJ58hXOtSwFmE9tg1EESojoFP08kE+CuSCEjGCHT8V0snCFDMTEBZzGQzXpNfPNPILUEWpDSZj+ec+fM5jP1LEBErtg4JXeCqWD42SpR9wJxE2vs+D/Yt5a4OohbbzyxvWJLYAOuNflIguEIthdJEIN69fGmOBuxNU5witRXKx2rGbsdnIqzEloij5Utxy6uDrh3qqSHvqApd6+r+mAHZRtEUqRkvB1DOMNm/5iDEzOjrw0GEF2meHMRDGP8EEuEvXiaMevyPL3RIWuxxlVZBDlr0a8FwTmNlaGas4HHtLKsAH17wjolTJ6Uz3xFT2+WhsyvD7cARWETZSUd+9UBgylamsebDERhiDOo3t6VuHNuNwp5xwxtNVje3dmHRTzkI1WLaDxYbxPq7J2eGCpSYb4hKoexuWZCs7ian3UTBnvLig5w13eXJmhsbpSjt8p7hnEohL/f5v6PmxrH/+OKA1IE9PApJ3gaptaDeLOWa3uKtGxKJMSqsZprpb7D3kma+Zy1H2txvmKSmTGwT8wCQymWo90OF2NZCKtcXxAlj//cl7OBF0BbEqY3XMngZnpRiQX/VSzddvjwAjtnhf3VsE1V5vXk5j6ECExshjPqQ5kOuzUY62hiOT0V0X81uVRhdx6QVUDpWL3fumuipc+fEm/f9mwuhgv0mGvrpVyFF16GY5ne6W/N1HWEBBuBbJUtxjUEttZDAZxtKLyKjZtC6qJe9GoHaDtHBba1f7aloVDMU18tEyqO/EyPxDDUn55ToiGuk6lSQPy/las8V7YMCxDbBaVeRczCZRkEKbRPyI+hTN3yF+bw0HDDOJc8s1DO+h6xYauLhCS9V9f/QKgrXNWpJKm+JDGRO+ZAr/r/AARSE8nKvNOn7ML0VCWw8pWSHNL7iDcsngpk82W+b/a1maVN0ujub6mKyWhtJOkqxFFirKvFJLx78SRDYTVdiENE3YKgXYKB7r0RltjXACbAMCGcqXYudoDShopN0+oRu6mDAIpnrFOJykr7KaZZuu9DjxtxMRXu9OX0IuXnJ6kthHL8i6IQQNPj+Ky0Gfoh0I0+BbyTPigN2c+LJVe823VXgR9oVc/kpnjZF0BSCJQePR68MTKspwzE1NMvVF+ofRPkR3uXJs46w3eW1NIcds+AkmaonyUOa9Nlt/wRbGzZhboV86n2zn8qHEvZZjYX/oMfrVezuCsuyYSnyCzBrZMz+oHf4m/poa0K7wZWczatT9tVaUIFGgfwG6N/PutyKx/kbaJEIWefZgMqqwJNLDByP0IhFEJQk6yGr1kMJOBoD5qWI2WLObYUZ7mlOvtaa9iJAwdlQTEPjCB6mSL0kcXmR47DdDi/v1fiJ3dBmNskUwoNYPmdAowRe+pTj7fTsm4aDZJV533g4BWG2HgHmaEpAso78V6ScApgNiirqe5QuBxFnGrbPeNyiT72X0PFht5ovD9HbaHCYkt10lzlkW9i0whu2YPUtiVtecijS2AndST61YLVEXyj2NDlngFoCOGK10yCPqon7n5QPjv3unuvArTUD4lIjg28gn4fQmhwN53KqhLgYOQ3lRQLIWGbR1DT9pPQtYtDtFTv5SpiFTelUZcN7MIOD8jP3g==,iv:Hy9rTArntNBlYLShRbs7gWL5kcabBd30oH/Ib0vO2LI=,tag:GeibYKs+2b91rA6On6KrcA==,type:str]
-    ed25519: ENC[AES256_GCM,data:zHHSiY9cQ8odPTu9v0kiLQ80ssBrzTLkihVboYdhO04fnH1VakzKNISj1mUZIsixdHGPR1Fd1gBr1sSA8I5tES0QsOjqF777Wwjg8en5foIwgr0Ue5jMFlIdM4VkFZVNQBOV1z8rsc75nEpP+4XiQ57/ca6Nlaye0zIe+8uU+06YO9vfRVE5II67DRAN8aoUeGKW0uiBGIggkxzgPd2+pvQuC1QPbEWwCuNP18azSRqrZW0XnE65tJn4wQhoUQBQIIYWk81CMSBRn5VO0KIaYyVI7VY+Mi+XqgU2223tqaaivt1bDHfhMCsbqXtyWcT8kwZF5s4LyTdK8mKaREwHqen0jRSsaEV0Yfy4Wgq74fSm4oaqAeZLLj0O3/SEDjsWSwdRW2IU6WpT4b9Nh14dBi670Ke2tcwgF3Q4fh7+nPN6nAUPQPtzxPIVrW4FCbB9BV79A4IPLr/dItjC5wrMpw6ibhMe5WF0FAxA0Vuhz3Ob6lqWsai5f+XvrIgObCnyb05Ing40u522dMLYRJt+bP2Xx27cKrgKZTQdZnzSmXdEQGzFH0so4rgMyhNl4DEhr1b2FlnqPbTTLZul,iv:B7lfJnud2IYPtoMPny4jr6xVsLUyIiKC+Q7ztVHuqvs=,tag:ShnpzJBtG5B4xJkPJqATKQ==,type:str]
-    ed25519_sk: ENC[AES256_GCM,data:Zx271cuqIw+rj13VDR/JRY0vSWMwg+mXaxfpePol+vbCmV3LhSa61OSMy2iWIg05Lz3jwf9XE8lUWIAiajNgcLRg3k7ftwpbTCpyxoLE0U0l3DknbccaqM9riSyHX1UxXV0HYIsK5jb+vBjaDTvBqmCTmd91cG9Sn5Zo9GxdklebUeGLVmNe/9ldIaZU1XW8UHWvc2murzjF2HSkYDAMp6eKcnUPSo5u0QVrPVbo6g3iziw7Gwag0Xr/bVfoP7XZHrTobRcse8Sd+apRTinU1bHqcuHFaPwwfHsj/w9VRZJMCpwgg2V4DWyMTKZRjTohN6PUEqBmPc93Ep1DH/E7GmrGvAtBZ2yB9TLhjVoN+xH3ITbur2NtIIN9a3JPnEMoFtJgX4f1YQhUH9c3h6URDxdWtmBe78RxQCMk7OtHZ4UmhKxoUZUJoZuxvnccfQ0QcjtF3RN9rzP/ZPST3Cxvu2yUOPySl27Yp+eKjIOJ3rdorC9D3UhKbbb57O1/ABwPAiRfZjr45+wvgCGnZkOJZiXCiNoYeyw8UHMgvsICZuRM2HHPlh9GX577Np7QSwoFkYiEBFGJBO8=,iv:WWEwRDersTZYC3fEYLjWMtUtcyWXh9gLKyJVpaj73Vw=,tag:bqIFY6oaUMWIqMVfFwe4dw==,type:str]
-    rsa.ppk: ENC[AES256_GCM,data:wCFbvosUbnbikayf/h0Z7gelFGs4quD2WQlZJcBjp4MiXTGYVxj8oNr3y6aqkmpfyoKd2J/vNJeMFEzqXkGVyH4JyvQaiR8zoedFVSWqusD+sq0DuWDzMpdPmosTdM2frqo+w5MHJ87ybCJxynFH5xVC08jbTABFdkLPf+LULmxtipy0Np6UQuO50+XFyT12r1ZxPxj8eXGLg5z0sRSM+97EdJuoA4gpL2butioiIfDJ8RiudnyfhPzoh4V96zZsK8eQ+33HcFQYhKbaPtOcIswK6FkBUyaKCg2odCMFaRtzgFWIKqAuvcMVooEPz8epb0OPajn58rMCwjEfNK0jFaD0yKmdd9ExogDD0cJfp3jK+uuV/UpLUczkk10c2lbNHZ4DHCsNRPgll6DxcOx3zJbF/0ua2Wmbv1VV6JoT58Rzq/Ri8DeeIBuF9tlItFGJpRLnUN0MaHD/V6myggQuo9aAuI9p6VNSJ1aV5noPONi8efeG7kOGe09jQcOmmltHM915khZ7Veu/Oby9ZDCI0TErLzsQiO40Y4NW5B4Gd801CaDPKSxxCdsVgaEWiZU053KzH0qa+0YwXt+ffanRGrY4TtLsrJdEmiF0AnOaWYs/znPkWZXMTSLPTk6Be3yoTfxxq1ggT6AWF9p9/nlMPdhkfLUrOnAV6uQq3fStKFq3gTCyHxNZ5dx/XyrN96Kd3OTCgflJbD8lCqABSH9jZwfdh06HZ74pB15yNGFLvhOIhJwn5E0H+WW26MkFUnDSWHz1R0vIJEKnyy3lSPRweFM2MxAtEMOBOjqvlN0C32oCEoKknM6t/S3s4lwlMtUrqsAme4uYlUzPbEVPmzzMRpYhr+UM+MoG4nmovtRrIOL0ELunU6nsEaxxiHymCwGWJDyD/7W9lh93lV3dGP7X87IcfTt9rTUj6+YJS2pqkycZRtnPWkVDlzkS/I8MOL90jIEk0/YkTRWbB5GDcJ8a878mKW0/YPcpfC6MbRsYPo6eDz4KIGKxHDPezRfnOJC/gs72rIrEiC6h7bfW+XGye5VwvMtZefXFjCVyh+ZVco45UPertfLqT9Ewr1mfo5SfgaBJHSs58IuV2vXyfIJeIdO8BXS/YEUxcmWAI9PG1gOJz9lSHbyrm8RtnXZ+f8NJNOT2m7zyF1cYfscGaQ0gTTSP6+0uSTWsZOYuc8rObFP5OU/99yIkDXZv8gVG9YrlAjP1RtwXSlsbzj9EYlUUNQyKYoMnZDwTQL9qlqQVuP2ndL7QpRg8lusnFHZGivgyNWZ6bae3QWe2yTgD5BaXH00u4sktdZsPHAVa6p3XMppmoSuVX63FVsimJ5qzDJp+yRhIbUAPD8KwHYrGLkV/q6SBV8Der184m/MbACv3dCGf3RHzrx4LWWtrpaqntTTbUrQo/BJagY6Vyb22kmFs2gpBB6VJJc4Srq+6RbuQq7Oo2PNaHjbLxkhFIqTRX7Z1/m0nvbuLIN3HIqtxzBEAod0vDUAhEF+Vw92tSTJmirEM4pEDrQn7v1klp67f+40Hlxt5dTXiOZO9fXr0jTF7Or5pnRxSQ9FvlzPDcMuaaiDuBBzVQABZC9wBNCWzUIhAF/RGXqv4Xs1oIpLrWzeg7Vo2QVHRTXEZn1mxnX4LOVFAfkvV6U09NW8T35qU7QyTqzl06jHqAutEPTU4Se6w9FqMEDZ2lMUZ83iO1u6Yj859mFLFRIguhK+cIFzIUOfcwUFKEH5RV741zx1wN2UMac3jgQwzkV70gz6h1Kwbb5B02FZCEaW0222A7A7oSkzuYFD7qZNrQTlsdeqsrsjp9XC95TZBBw/mEE62xp4sLV9UTgKOGSyERigawFfoUAlE8XGrbMIaHUgKBJKTMXAe7Ljc3HIaHczwUJAnYDsu48Pan1KZpF4CsiBO6H2lDVXfKl8GuePd9QkVgi9GFqulA9rWypk4hg==,iv:/O35CB1rNDim/CKsot0sWMM+qEN96vqr9Z4fVG1A3Dg=,tag:pKbid3MCW2I5XouRNXSk8Q==,type:str]
-    xmuhk: ENC[AES256_GCM,data:z51um3KAQodAHZqeLAd53wRuQ+s/vFISxNKu0uZQSdUAtrL4BAj8LBJ743CV/HkrqpaCjClK0Vnn7yhFY3+NFq4fFCIAjVRWdvsfHARKbWEufJtNk5JVn5dLahPCMq0A0ZEZwghJ17opHOVMY4o/QiTyyAEeuD+4zSAh6ofko159WVtK4gDwexgg+bb74EtOxJPxnyV7jdZczH72aD1gwd29WhzSuMiCIAb7SiRhA+QEpvrzKLcT6C2ZPqrMoPbiXD4z/UTfOSEtOFZMfdUFPuExPCCVnHcqSbTlXRRWUMFX8rxFLyWaUjOB4+rvTVDYLGZCS+rtPlgfFEhGs5LGNLQvzvXTiftyfi2xMfg2uhm+0RLUPQQvajbU+akfQbUQVkGi3BklNEQquuxTzedUws7B6OU7WCpgpLCGcg2jyT6AtCF54k3VOVdu0eOjlja3dI3knMixUaHu8bZ+g0xwJCbiab2eaZiDqhoDnCxeuOXBZTdCF8OvGiD5rneDf0r0H8q/7d+jwOvW3d+Pw64ObDUUsa5gzfqOaHNH3ktaRB52dJfg3iBCwj96CNPTY3vEvmNKJ4ruGpP5x5AZ57SfprHeoqXHp7cBMjypgEG+NrJlAFyUdeaO39mHKn9V/jq3bX6SQkNrv8oFPAlbULNyZbOkwEE4g+34H4uV14sEXn3k36tdVb/vX+YfF/FDWjg7Y/kZhvDUOek6Kbd/ps2peavVK0War4RjnJ1GKSUZivj482GnJ6T9exuNnnHwBa+VmONr+OYcrcTTcKwQ8TGWjewA1GT5Dtyphlpk7MJvoUw/i+JCSNbfTZwIDb6J5s89yEd9ES6KfGFMb3KMRRSnM+ozLK85EvFeyHSxhl2XQJQwEz/S7Q6eTKlOQESSIxLDqifOnhKdN/xVdEpXpy51v/x5dqaOYKgYnI8gx1UpsMR5AJKkF5ft0n0yHjz1UQc6ZSDdaj7t5u2EoYB9/lLBjC338Rtq2UPAPhETHA4IPvp3Vg34Z5UO8L1L0Uo6c7cbrTpVAAmbCwzkKbfGsAh2Zhz0u8Y31rMO8W2kqveaaSt1P71EVA1eYaxUUtaq50dn6miWuIVPTbY8AJ9lZVXOlbOoNLrh/wP3Rp43RClVeiEnxLD/EgRp8Vw3P4E6rbVpnP2pZCetD+WyTlnGx8QoC1dpiosCMlcy/M8BNwvqgphgQZrZhu2OT7WqVt/ie4QcKBg+Fje2lwU6TGjGEwwsS/taCWBjMrOBWktI/ZOW4IqV4/FdzuvYDsfDfplIQeFSaFOwFCX3Q0PLNhtL3fRYeUsK76eTCAQxXB+LhE6wJpxznz1cAUqZG9/lYmqe19rIh1P1UWdlnCQI/35ar7dInH+/D38a6PbtcmunHfuqSdXqK7KF03CFQCTLjhmy9DHo+15mAhP8m/AjvGNNnF4X+POc+1hnNSML5ZNS52dRJ4zaHgPmiXWpcUdF4YNPb92IWelyOD1kmzylXl4NFGeVA4D0yVWaOANAzoYrgydoyeq2pOGYEwmVRmJPj2BnUWr3k/t47cyZthRzZZsIYNoTvBCSgy8l0t+YuKiIZh6goQFRR6lpo7aTpEDDRUcNoq0Vq6fyClbtEvl0KZbFwhQy+/3uIiaEYvhUDcDKqOqoHqd1HE8Vs2ETsBbIeTe1IL9J35a+WJuUgkl9iUUrMoRLr7apVsypGBQ8a9mUe/YA9S6UH/+lFVk4aXczYMG2/d1BSAJcvroDbka2NntHZeYI4700wlhmMK6TkOxQi7w3BcNv2N164wf7l3FgtRGpo7Md+ryJF7y/50cyljl1DX9NULM/9Qw291A18TL5ZKRvJjGhQgBJOo67IV8itKYoSxsitE7cudKBT6pqDGsFhvbBusEBP0VpPIRIziwH58SkiJ1M1WHpgmp9pnIjRhiw0Nl/j0SMEGtzjlfaZsKwk3uGjLHkC757WU5mIcCiuPPl87QDTqc6/PDcU4r6CVN10Ppx7OsViCg5sH5A0+/Zj67NJTrdNO5iawTozo4alnMMhfhl5xpuFO8oXviiy4mAez8AFIjaYoujhlPww03w7/u52iIbiHFiNyIzMoo0nqlHKJ9MfI9fmTsxpD+2zF8bnatDkdiDRg+Gn6H1pfHGH/XxT9yIqVlMpzSs3WXEjgTcYzLwYDDHTdnkbd4pAPBkX5vXfptRLWF8wNessEvfOhm6IGxjyXiNipbhWNjRzvs8WohB8c5dfpqnPWEz3GopA7a/vTFI7elDZ5VoJYclaoAQpESnEXNupT/DiZcOGvyk9kupmwgeoE7kWxMy9Wc2mg8Do4sxw4yV6pvqm94Ne8Bu0OEd7DkHDCxuJQfXLL387HoXWgn+on603FGEIaTSrkWUx4T7AxGjQgd5q3t8RsSXsWVACEodx0AcqzqS98f8qOmZ4Ivqq8W2UCqVmY/GYnemoxfRGRN+mW9znfYTO57ywQA9HLJ9V8XYX1AYdeaWu59WUcQ1oNzNB3ZB5QQ50AmHrkJj0Zn92fgL8olp5rGoOtjHqQCewJlBCQKoWVUzsUZMAM6GQrXxvf3ORytTXYUW+zXOiKxuyZHg4RZ5cs+Py9hvquEFE3D92UI/iwkNvOLW38eeVdR4U1/qKc1U1oFkgZuB5EC+NyXekYgyAaqWlS4K6x0Q77UvXcsKxSOghDbKoFUw0kxXlxI1+MhAUECKopvQoXsADw6Yy/3VgzpoFvaj9lFttwSb2IIScgaxxciOwRaQIbSh6joWbWQWtEowK9BUObRKJ3ED4jS4Te+Pp43dI38fZ/+Ng3y4nYj/jdAqRhTE7jhSzdK8LYGcUrxOodTa28q3pHBvJJiBgQDEnEoJUKl7PJcggUdPbAhi5ywy28SxZ3i1qTeMu8TVjMwdkjQ/1hCeqWGX1PldSqw1cOTub71zkrj1m0rLY/noaWCOwjjaorz87UjcV1+k2NH2oZ1o4EXgybBrAlahAxD3AFKumkvViTe/lprYpbaecse6393K/9SpD0+Qb+WbDgq/eZ0FwsdFblAG4xLZUOpwwqCa3F44n9el+Cuzpxzaap7HUjyFxwSz2MsLGAC1e4tX9GD9e+g4f7XozPSxgMunNAuFsIbD680Y7q/cgpIGCba6oIWlpe6TJQD7EOh4/nAw4FTWuljUHp/1ZROpnLRG5oEOxIm8Wi8GmoRyhNMCnvZEo7LPfNJP4cJmiWFmtIhHRFzefr2o6roWM5mhZsZkxuMK5rFQU39TNo3bj03CT0OlrIqeEMFVxj1wjaPo/4eBcHC4hJKeUzdSp1cNlW+u0l+C1SpMsfhQvDGaD254i0LwDaYSSAJymG3B72UfqlsCOT9GEH9FUj3lNskX2FR3NXvT9et15X57LHjXOSmYjn9EuQcYRv2/476WjQqX/d2v57vGqfRQxWmFdMBTo5747pDo6eaXCxbql8jzgFncGxMqcp+R7k4j8T0Fl4kuSbYpQo2wunJp7iACAQ==,iv:gdfp0dUqeJegQuoExquRV9GTtMo3eL1LWFKYOm5REkw=,tag:jsSkfWALdHsoNevaYkJyhA==,type:str]
+age: ENC[AES256_GCM,data:EPjip4/tz50e+blPko9NpzDamLRO6BVy64kDnGAhUJJ/bMw6V9Of8RzuiqUupIjEmFiUcgWf9ZsV5RZO3Ai9udq0W7mYS1Y/zn4=,iv:TBs/o6mp8t+S3Ma5/QhnLhzgl852HB3sEzKy9SvKJjU=,tag:2yMUVWPua2g0VOkaXpJzKQ==,type:str]
 user:
     #ENC[AES256_GCM,data:a4mHxr7bn7BV,iv:FYQk3yv3XgxNO9CnrQefo3WqhO0Sf8Mihfp+Iw4AcWM=,tag:jebxvG+xUidghf5dOlvDYA==,type:comment]
     zzn: ENC[AES256_GCM,data:xBSve41JclBYQULPN7yV/1Eyo3u+CHAewVetKHwjvl6Te0kk/+aLx6gs8EpOJGmVaiSAdt6F2ayHXUD8RXXpJIOnnEHk88kqbw==,iv:XPxMLvlVtaZvpWnau5Jwlj/5ty5Zyw4F44ix5G64Z84=,tag:uJfWb0PCebdMtxXMfueULQ==,type:str]
-wechat2tg:
-    token: ENC[AES256_GCM,data:PrZWR8WiZ7grkpTLqMxwbnkwZttl7n0e1lc1mdHJiFUWq/PqG2wNBC27C58jMg==,iv:02XHhfpN8YPix0REbJDnsBbvCwifbdwBwfuJ2glbvjo=,tag:6aWNqBfwulsjMbl+D6L9vw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -59,8 +50,8 @@ sops:
             OUlxNjdQaXdXMkZ6bnV1ek4yZ2dpbkEKpKGOAxo5Eef2jtGrg4iSzmGCeg+vTgvu
             +K8b+O19MIkGMDBm6UbYUPtc/7eqoEZRiTUzNMTmfkLVS4ul5zou9A==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-14T01:12:53Z"
-    mac: ENC[AES256_GCM,data:Ak+LR+PkQG1g9wwlfLtDN2Dm8GdGfbb0qA9Spb3X0LkdCSFLBWqW0Jf88gHB0j/4HszYVaCAUFs+OlTvTjOtboOCTM7tH6z3dd0sU+EMHeK9cPz9kmDlF1LFFhD8dyqytEwq8/xN2MlTmbVoYQvVoGsrD8tP0B9NBPaQiLMPcrQ=,iv:9DthG+HGB3lCxb85YpfitNw2PWYwpdqWTo660gTOUew=,tag:yAH6o3LkGfvKF1UOdgWyyQ==,type:str]
+    lastmodified: "2024-09-04T01:39:48Z"
+    mac: ENC[AES256_GCM,data:VkpF9zTWRLMriukAif6lfp8uy6+IcPDYUnXCQ5XLUtSstEyUoaVBjn+VVAoKkLX3MnyR6gyiYVWDDJmXrsyNoQpjRVQR0yu0p6p7sB3voGKiNxhw5qGwZj4IIXnHFWvktgWiawCiUkmSTUUHxe0XjAh7AWxjGqgAs/oyWGq/YfE=,iv:IQbJAhW/y18s57CAwRPeypQreBqQb0KkJAgIZ90QXJU=,tag:a0AB3l83j31Ex6PH9ziHRg==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.9.1
+    version: 3.9.0

devices/pi3b/default.nix

@@ -24,7 +24,7 @@ inputs:
       };
       services =
       {
-        snapper = null;
+        # snapper.enable = true;
         sshd = {};
         xray.client.enable = true;
         fail2ban = {};

devices/srv1/default.nix

@@ -22,6 +22,7 @@ inputs:
       hardware.cpus = [ "intel" ];
       services =
       {
+        snapper.enable = true;
         sshd.passwordAuthentication = true;
         smartd.enable = true;
         slurm =
@@ -34,25 +35,25 @@ inputs:
             {
               name = "n0"; address = "192.168.178.1";
               cpu = { sockets = 4; cores = 20; threads = 2; };
-              memoryMB = 112 * 1024;
+              memoryMB = 122880;
             };
             srv1-node1 =
             {
               name = "n1"; address = "192.168.178.2";
               cpu = { sockets = 4; cores = 8; threads = 2; };
-              memoryMB = 56 * 1024;
+              memoryMB = 30720;
             };
             srv1-node2 =
             {
               name = "n2"; address = "192.168.178.3";
               cpu = { sockets = 4; cores = 8; threads = 2; };
-              memoryMB = 56 * 1024;
+              memoryMB = 61440;
             };
             srv1-node3 =
             {
               name = "n3"; address = "192.168.178.4";
               cpu = { sockets = 4; cores = 8; threads = 2; };
-              memoryMB = 32 * 1024;
+              memoryMB = 38912;
             };
           };
           partitions =
@@ -62,11 +63,7 @@ inputs:
             fdtd = [ "srv1-node2" ];
             all = [ "srv1-node0" "srv1-node1" "srv1-node2" "srv1-node3" ];
           };
-          tui.cpuQueues =
-          [
-            { mpiThreads = 8; openmpThreads = 10; }
-            { name = "old"; mpiThreads = 8; openmpThreads = 4; }
-          ];
+          tui = { cpuMpiThreads = 8; cpuOpenmpThreads = 10; };
           setupFirewall = true;
         };
       };

devices/srv1/node0/default.nix

@@ -25,6 +25,7 @@ inputs:
           publicKey = "Br+ou+t9M9kMrnNnhTvaZi2oNFRygzebA1NqcHWADWM=";
           wireguardIp = "192.168.83.9";
         };
+        nfs = { root = "/"; exports = [ "/home" ]; accessLimit = "192.168.178.0/24"; };
         xrdp = { enable = true; hostname = [ "srv1.chn.moe" ]; };
         samba =
         {

devices/srv1/node1/default.nix

@@ -4,13 +4,17 @@ inputs:
   {
     nixos =
     {
+      model.cluster.nodeType = "worker";
       system =
       {
         nixpkgs.march = "broadwell";
         networking.static.eno2 =
           { ip = "192.168.178.2"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; };
+        fileSystems.mount.nfs."192.168.178.1:/home" = "/home";
       };
       services.beesd.instances.root = { device = "/"; hashTableSizeMB = 256; threads = 4; };
+      packages.packages._prebuildPackages =
+        [ inputs.topInputs.self.nixosConfigurations.srv1-node0.config.system.build.toplevel ];
     };
     specialisation.no-share-home.configuration =
     {

devices/srv1/node2/default.nix

@@ -4,6 +4,7 @@ inputs:
   {
     nixos =
     {
+      model.cluster.nodeType = "worker";
       system =
       {
         nixpkgs.march = "broadwell";
@@ -12,14 +13,20 @@ inputs:
           br0 = { ip = "192.168.1.12"; mask = 24; gateway = "192.168.1.1"; dns = "192.168.1.1"; };
           eno2 = { ip = "192.168.178.3"; mask = 24; };
         };
-        fileSystems.mount.btrfs."/dev/disk/by-partlabel/srv1-node2-nodatacow" =
-          { "/nix/nodatacow" = "/nix/nodatacow"; "/nix/backups" = "/nix/backups"; };
+        fileSystems.mount =
+        {
+          nfs."192.168.178.1:/home" = "/home";
+          btrfs."/dev/disk/by-partlabel/srv1-node2-nodatacow" =
+            { "/nix/nodatacow" = "/nix/nodatacow"; "/nix/backups" = "/nix/backups"; };
+        };
       };
       services =
       {
         xray.client.enable = true;
         beesd.instances.root = { device = "/"; hashTableSizeMB = 256; threads = 4; };
       };
+      packages.packages._prebuildPackages =
+        [ inputs.topInputs.self.nixosConfigurations.srv1-node0.config.system.build.toplevel ];
       virtualization.kvmHost = { enable = true; gui = true; };
     };
     specialisation.no-share-home.configuration =

devices/srv1/node3/default.nix

@@ -4,13 +4,17 @@ inputs:
   {
     nixos =
     {
+      model.cluster.nodeType = "worker";
       system =
       {
         nixpkgs.march = "broadwell";
         networking.static.eno2 =
           { ip = "192.168.178.4"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; };
+        fileSystems.mount.nfs."192.168.178.1:/home" = "/home";
       };
       services.beesd.instances.root = { device = "/"; hashTableSizeMB = 256; threads = 4; };
+      packages.packages._prebuildPackages =
+        [ inputs.topInputs.self.nixosConfigurations.srv1-node0.config.system.build.toplevel ];
     };
     specialisation.no-share-home.configuration =
     {

devices/srv2/default.nix

@@ -1,86 +0,0 @@
-inputs:
-{
-  config =
-  {
-    nixos =
-    {
-      model.type = "server";
-      system =
-      {
-        fileSystems =
-        {
-          mount = let inherit (inputs.config.nixos.model.cluster) clusterName nodeName; in
-          {
-            vfat."/dev/disk/by-partlabel/${clusterName}-${nodeName}-boot" = "/boot";
-            btrfs."/dev/disk/by-partlabel/${clusterName}-${nodeName}-root1" =
-              { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
-          };
-          swap = [ "/nix/swap/swap" ];
-          rollingRootfs = {};
-        };
-        nixpkgs.cuda =
-        {
-          enable = true;
-          capabilities =
-          [
-            # p5000 p400
-            "6.1"
-            # 2080 Ti
-            "7.5"
-            # 3090
-            "8.6"
-            # 4090
-            "8.9"
-          ];
-          forwardCompat = false;
-        };
-      };
-      hardware.gpu = { type = "nvidia"; nvidia.open = false; };
-      services =
-      {
-        sshd = { passwordAuthentication = true; groupBanner = true; };
-        smartd.enable = true;
-        slurm =
-        {
-          enable = true;
-          master = "srv2-node0";
-          node =
-          {
-            srv2-node0 =
-            {
-              name = "n0"; address = "192.168.178.1";
-              cpu = { sockets = 2; cores = 22; threads = 2; };
-              memoryMB = 240 * 1024;
-              gpus."4090" = 1;
-            };
-            srv2-node1 =
-            {
-              name = "n1"; address = "192.168.178.2";
-              cpu = { cores = 16; threads = 2; };
-              memoryMB = 80 * 1024;
-              gpus = { "p5000" = 1; "3090" = 1; "4090" = 1; };
-            };
-          };
-          partitions =
-          {
-            all = [ "srv2-node0" "srv2-node1" ];
-            n0 = [ "srv2-node0" ];
-            n1 = [ "srv2-node1" ];
-          };
-          defaultPartition = "all";
-          tui =
-          {
-            cpuQueues =
-            [
-              { name = "n0"; mpiThreads = 8; openmpThreads = 5; }
-              { name = "n1"; mpiThreads = 3; openmpThreads = 4; }
-            ];
-            gpuIds = [ "4090" "3090" "p5000" ];
-            gpuPartition = "all";
-          };
-        };
-      };
-      user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" "lly" "yxf" "hss" ];
-    };
-  };
-}

devices/srv2/node0/default.nix

@@ -1,40 +0,0 @@
-inputs:
-{
-  config =
-  {
-    nixos =
-    {
-      model.cluster.nodeType = "master";
-      hardware.cpus = [ "intel" ];
-      system =
-      {
-        nixpkgs.march = "skylake";
-        networking =
-        {
-          static.eno2 = { ip = "192.168.178.1"; mask = 24; };
-          wireless = [ "457的5G" ];
-        };
-      };
-      services =
-      {
-        xray.client = { enable = true; dnsmasq.extraInterfaces = [ "eno2" ]; };
-        beesd.instances.root = { device = "/"; hashTableSizeMB = 16384; loadAverage = 8;  };
-        wireguard =
-        {
-          enable = true;
-          peers = [ "vps6" ];
-          publicKey = "lNTwQqaR0w/loeG3Fh5qzQevuAVXhKXgiPt6fZoBGFE=";
-          wireguardIp = "192.168.83.7";
-        };
-        xrdp = { enable = true; hostname = [ "srv2.chn.moe" ]; };
-        samba = { enable = true; hostsAllowed = ""; shares = { home.path = "/home"; root.path = "/"; }; };
-        groupshare = {};
-        hpcstat = {};
-      };
-    };
-    # allow other machine access network by this machine
-    systemd.network.networks."10-eno2".networkConfig.IPMasquerade = "both";
-    # without this, tproxy does not work
-    networking.firewall.trustedInterfaces = [ "eno2" ];
-  };
-}

devices/srv2/node1/default.nix

@@ -1,26 +0,0 @@
-inputs:
-{
-  config =
-  {
-    nixos =
-    {
-      hardware.cpus = [ "amd" ];
-      system =
-      {
-        nixpkgs.march = "znver3";
-        networking.static.enp58s0 =
-          { ip = "192.168.178.2"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; };
-      };
-      services.beesd.instances.root = { device = "/"; hashTableSizeMB = 512; };
-    };
-    services.hardware.bolt.enable = true;
-    specialisation.no-share-home.configuration =
-    {
-      nixos.system.fileSystems.mount.nfs = inputs.lib.mkForce null;
-      system.nixos.tags = [ "no-share-home" ];
-    };
-    boot.initrd.systemd.network.networks."10-enp58s0" = inputs.config.systemd.network.networks."10-enp58s0";
-    # make slurm sub process to be able to communicate with the master
-    networking.firewall.trustedInterfaces = [ "enp58s0" ];
-  };
-}

devices/srv2/node1/secrets/munge.key

@@ -1,24 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:fkOaCmCk6e8KTUq9zvhYPL6o24Vcja909NoKl7CIy+8H1D2bX31JEa42D0CfLFxvkA/kVcUehVbwL9Ax0ufBa33O73VrTggU9u4qolgpjmibIINXlQrl1MtEQu66MHpq971czzTCACGHz27/cUCUU2wBZWCCv9Zyk22OJgzDgYs=,iv:cDAcl4w4MKERttP4Bv7TZ701jSHVMquSqj6HqyyQ1sU=,tag:aSm/gR7zWYMZN8Iu6VEf6w==,type:str]",
-	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
-		"age": [
-			{
-				"recipient": "age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVTnkwcE9RWHdrOEdyaW8v\nbUxiQ0pmcW1ha1E3ZkRmaWpqYWFXUm5NVVZRCkVHT2xhbnQ2MkFiczdPRktaRTlI\nT0lhcDdOd2hoeHZMM1RnVWdiUHpoZ1UKLS0tIGxZaDdMNW5LNU9DWkt1ZHJlQ3M1\nTi9GaFEyMFFYLzFyL05kaEVQTDB6Vk0KUlNgX2N8n9NsLJuFflkH92EbxnMp37dg\nArhpRuUXscHZ62Z9eR3cgXwfFTAYzYBhL0M6uE/jwfDEV3jw9fNyaQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1hnarptkze0ujpp05dqr8uma04cxg9zqcx68qgpks5uf5l6rpk5gqhh8wxg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwTjcvWVcxSWRVdHp3amtj\nVk54dTdRZUdXaGFuUTRLNVk2Uk5xWkx6WlRFCkxHUlhoTlJOTnN0TjhNZHFIV0tY\nQi9kUFh3R2lZYm9UdWFGZmFKZDFQdFUKLS0tIFo3b1IrNGFZaVVYZXpTYlFiVjNo\nV3QwU1RRaFExOXlnUmdJMlFmQmZJdm8Kzs/5XnsdYfJvLMCS/Uidwz7zQ2AphqRb\nWD+ua4DLsGIzVDCFzkuVcROBrJC8zkI8PGSd0pgFiV8zUKwEbyHG3w==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-01-11T12:46:25Z",
-		"mac": "ENC[AES256_GCM,data:qqwInEypo5r5bCu8r2x/CHdLxFZRxjlBfvSdhO9DeINGOtPB33WvjNei3UiuqROKWIa6tOpXSjz4jUdhI88aA4lip6JUPu4rfat/GaJDP6FjtDqtKuBoZRv1YG1QY1cAuENjzi30092rZNhC1vnh38IjmcyHffM2phgkG2JRmL0=,iv:f1BbcrBH6YmEODUh6SM16LiJH85/MU5GhW4hpy9k0yE=,tag:/c0/783cQ1c4oJ0Rfcw+Mg==,type:str]",
-		"pgp": null,
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.9.2"
-	}
-}

devices/surface/default.nix

@@ -0,0 +1,66 @@
+inputs:
+{
+  imports = inputs.localLib.mkModules [ inputs.topInputs.nixos-hardware.nixosModules.microsoft-surface-pro-intel ];
+  config =
+  {
+    nixos =
+    {
+      model.type = "desktop";
+      system =
+      {
+        fileSystems =
+        {
+          mount =
+          {
+            vfat."/dev/disk/by-uuid/4596-D670" = "/boot";
+            btrfs."/dev/mapper/root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
+          };
+          luks.auto =
+          {
+            "/dev/disk/by-uuid/eda0042b-ffd5-47d1-b828-4cf99d744c9f" = { mapper = "root1"; ssd = true; };
+            "/dev/disk/by-uuid/41d83848-f3dd-4b2f-946f-de1d2ae1cbd4" = { mapper = "swap"; ssd = true; };
+          };
+          swap = [ "/dev/mapper/swap" ];
+          resume = "/dev/mapper/swap";
+          rollingRootfs = {};
+        };
+        nixpkgs.march = "skylake";
+        nix = { substituters = [ "https://nix-store.chn.moe?priority=100" ]; githubToken.enable = true; };
+        kernel = { variant = "xanmod-latest"; patches = [ "surface" "hibernate-progress" ]; };
+      };
+      hardware = { cpus = [ "intel" ]; gpu.type = "intel"; };
+      services =
+      {
+        snapper.enable = true;
+        sshd = {};
+        xray.client =
+        {
+          enable = true;
+          dnsmasq.hosts = builtins.listToAttrs (builtins.map
+            (name: { inherit name; value = "0.0.0.0"; })
+            [
+              "log-upload.mihoyo.com" "uspider.yuanshen.com" "ys-log-upload.mihoyo.com"
+              "dispatchcnglobal.yuanshen.com"
+            ]);
+        };
+        wireguard =
+        {
+          enable = true;
+          peers = [ "vps6" ];
+          publicKey = "j7qEeODVMH31afKUQAmKRGLuqg8Bxd0dIPbo17LHqAo=";
+          wireguardIp = "192.168.83.5";
+        };
+        beesd.instances.root = { device = "/"; hashTableSizeMB = 512; };
+        waydroid = {};
+        docker = {};
+      };
+      bugs = [ "xmunet" "suspend-hibernate-no-platform" ];
+    };
+    powerManagement.resumeCommands = ''${inputs.pkgs.systemd}/bin/systemctl restart iptsd'';
+    services.iptsd.config =
+    {
+      Touchscreen = { DisableOnPalm = true; DisableOnStylus = true; Overshoot = 0.5; };
+      Contacts = { Neutral = "Average"; NeutralValue = 10; };
+    };
+  };
+}

devices/surface/secrets.yaml

@@ -0,0 +1,36 @@
+xray-client:
+    uuid: ENC[AES256_GCM,data:WEBAH3PQM5ahNpH/kvTtcjcJ2GllmmRlBR2oclG6AimGenSg,iv:TMp0WTOe9fuELSZoVGenl5XSZUFoiYUBEMWMn4NFv1g=,tag:GJTE0EELcZkrnGAKLYer1g==,type:str]
+wireguard:
+    privateKey: ENC[AES256_GCM,data:P/tyZHaEAahZUBF22dJEZb6mACm/wmUunPDG0vS7SNW3sWbzxRSut0haR/g=,iv:8VMv5iotmDrYDLiszcOvJHkD8l6uE+SboPSILr6KuzU=,tag:U/FIBhvghwDTvFtUWEqr4g==,type:str]
+github:
+    token: ENC[AES256_GCM,data:SyqrpFfy+y7syReWs0Bi23651ew41Us8aqjImBTzkDanOtWQgIYC6g==,iv:H3Y/TuP3VvZv6MlRAdLOY0CiNUeoqGZRNg0s58ZSkQ8=,tag:rSf4E8Whvue/LZ+VlSqDDQ==,type:str]
+age: ENC[AES256_GCM,data:KEaMrk9eldR6oCqNqSpwhbJKj+JrN1KBkDL5p9itaszGf4tnDRidcleCQi1Ae17osYXIEh4+OxX/d6RKb9TP6JMLJe0iq6c9sC8=,iv:ztiP2Vz4AFZkd8ZG7xYlqYrV3JZYvmX07Ez6GtJ6yp0=,tag:PS8oSkkrrpgYYVfjbTtkaQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzV1pvWkVGSFg5TVAvRlhu
+            TnFnMEszcDRWWHlQanAyRkRpQWdqQkdhTzFvCjBqUG4xNFBiRnlSeTNQSmdkVkdD
+            UlVCQjRFVExuZHdrSnViajZGZ3c2dWsKLS0tIHlQYU5VeGpEQzllMmxLSnJZZzZx
+            N1R3Mkhxa0dOVlJiU0V2OEZVVzZVMFkKae3c1axl22uxh9wMygAHs6q1WA5ImOS8
+            uzKSthWSqtC7DMqgUFaaSjBYM2TN3l402syx71xVFyyAmCcGZbbJcg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ck5vzs0xqx0jplmuksrkh45xwmkm2t05m2wyq5k2w2mnkmn79fxs6tvl3l
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCSHJVRGIwQUFpVER5SWxq
+            YjJOT0lXN3dFOFpjMFlWV3JCbmZFN0hnNEJBClpQUEczK2RWTGlVTmJRbVZaUC8y
+            bEFrL1RjTTNlYVNnRVRBZlRjaTlnUEEKLS0tIE5GM01pTGFFcWVVSWEvUHE3Z08r
+            a2xybTRFUFZZN20zajZJTVNwVEpGcEEKglmFMk7z1q5IlZ+lZf9M0HtknmvcYt/P
+            2/z5e8wLN1Hy0Zsbv0yIL/NmqwxAOGJOdzz7ElJszk/Y4kUr9aRasg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-09-01T15:22:09Z"
+    mac: ENC[AES256_GCM,data:Br2+miNeZI41QyTXdhJ5Mdwq5no/d4kJgESwiltcRZV/Pax8R+GFeLDg/AQFoh1fLHU6bTX45SN0wnIrIeCnkoXV0U2RiT7bdtBaDrGxqnFvjMVE0VaUrj9bpagta13tahsEfI17cyUq4BqwS4BXx60RXvbvs9jZ5/dfpYunGsc=,iv:FfWYfS40XcFgF8lEYK4IHypLzz7svFxPL+WuudQm3oA=,tag:0KDBdf7w6BdcQ8Qt3k1isg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.0

devices/vps4/default.nix

@@ -0,0 +1,44 @@
+inputs:
+{
+  config =
+  {
+    nixos =
+    {
+      system =
+      {
+        fileSystems =
+        {
+          mount =
+          {
+            btrfs =
+            {
+              "/dev/disk/by-uuid/403fe853-8648-4c16-b2b5-3dfa88aee351"."/boot" = "/boot";
+              "/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
+            };
+          };
+          luks.manual =
+          {
+            enable = true;
+            devices."/dev/disk/by-uuid/bf7646f9-496c-484e-ada0-30335da57068" = { mapper = "root"; ssd = true; };
+            delayedMount = [ "/" ];
+          };
+          swap = [ "/nix/swap/swap" ];
+          rollingRootfs = {};
+        };
+        grub.installDevice = "/dev/disk/by-path/pci-0000:00:04.0";
+        nixpkgs.march = "znver2";
+        nix.substituters = [ "https://nix-store.chn.moe?priority=100" ];
+        initrd.sshd = {};
+        networking = {};
+      };
+      services =
+      {
+        snapper.enable = true;
+        sshd = {};
+        fail2ban = {};
+        beesd.instances.root = { device = "/"; hashTableSizeMB = 64; };
+        xray.server = { serverName = "xserver.vps4.chn.moe"; userNumber = 4; };
+      };
+    };
+  };
+}

devices/vps4/secrets.yaml

@@ -0,0 +1,51 @@
+xray-server:
+    clients:
+        #ENC[AES256_GCM,data:d7cv,iv:RHzGIDLuuKejCTQ5YlNNITkCS3VoprsqH/kHckdpAv0=,tag:3cYw7uyUmXALo3v7SiqLJA==,type:comment]
+        user0: ENC[AES256_GCM,data:o2wxpSzoqsPxs6grgYRLtPutMVwSqtzUWBrj7+7QuWWd1a1z,iv:2/5SxXq8Iw4J/LzBeclHbkrZXHitguip0WN+MINym8s=,tag:v/3oly53ORM9XAwbOzp06g==,type:str]
+        #ENC[AES256_GCM,data:0nHZmEPPaw==,iv:BtOZ8/U0yg3fthHrwerNQX3+KD/H9+fcUylYGnZqiIM=,tag:DkFGSFfq//LmWfg6DGm1aA==,type:comment]
+        user1: ENC[AES256_GCM,data:7ev7GuKLeJbPReMy0FnX02fLv5nNCpxdzfnQyAA+/IviwDMQ,iv:YbESsyIAiEAyvrHnj9A4lITX7NtRkuRhCrTv6hoG9Qs=,tag:8uledxLXqpXXLBh+cczm4g==,type:str]
+        #ENC[AES256_GCM,data:3KN/1hzeR2I=,iv:iaqJJD6iURTUlIL8e8P7fsAzJYo+y3NGZXgWmPX+4ao=,tag:e8g/JgVrMrWJamUMpiv2pQ==,type:comment]
+        user2: ENC[AES256_GCM,data:58PnLCwDayOYinsPCYPeMvuKiF7b4tZtbmEJFWEl+2Nu6HL2,iv:hSv3jCtkLm4rrm/4+ot10CBhobGwtnK5db5wR1S/XrU=,tag:SQbynYp8pDSqj4tAK6JBMQ==,type:str]
+        #ENC[AES256_GCM,data:uTZDsA==,iv:6cxvQycfji/x+DW1CnO45r+yNTLwkhYkiJwDaSpUCwo=,tag:8pMw+sYeOyZBN1idHoM9+g==,type:comment]
+        user3: ENC[AES256_GCM,data:WCVr0ylGm2SHtOGulb8TD/cI2xJXrbvY1d6+STXGxf0d0izb,iv:vhNshb38AVpwKCFRwUVruCQ0SxhHrOmwQ+IoQZeUj1k=,tag:OfdIjRrTAuVZBOEXTtnrQQ==,type:str]
+    private-key: ENC[AES256_GCM,data:akNIeVp2bfKvnzlS6KLAdqAo7qsGfPatzCZpN1tNRLhRVXmJCcUDVSmVoA==,iv:2Rny8ioDJ2x+NR+n7/Aluv7JZ+Om3MuJKsXiwONYntg=,tag:a3xubIr7hpVjRiHjFL/q5Q==,type:str]
+acme:
+    token: ENC[AES256_GCM,data:JBeN7SVxKGOe6er0eS7/v8YrXdv0nCK/KZc8Ygq0G7FIGu4hO662kg==,iv:rf59MgUCYlAA5h18wtdWoUyb2VPB13OPuJjz1VsI2dU=,tag:ViPrwduD8aWf8i8vmBG78A==,type:str]
+nginx:
+    detectAuth:
+        chn: ENC[AES256_GCM,data:lQHDpv8/Yl5/nycHoeTnCw==,iv:ernNxRpcTOSAllDpqRFVFg3qEw/slEEPPXDFq1AhNL0=,tag:2AVALUf9cDyOgCqI9wwgQQ==,type:str]
+        led: ENC[AES256_GCM,data:zyCiiH21,iv:iEYyNClDsCpWE2oNjt2NqQZ88xOOlMr0yycjKTPdmlw=,tag:kQfbshXfTBA5PtUAgpgCcA==,type:str]
+        chat: ENC[AES256_GCM,data:pXu0WPWmvUzvl2expDpQPqWwi1A4abg72npsaYXDXRcg6aVU0Ec+tgM2+uz2hT9rh3mNoBxadYXDc/zeOL1UCg==,iv:iln5UGGBK2s5pGS03PtolWTkx6KrnYBAWCFnI0V2Bag=,tag:EahTDoPIBkgWnp4MOoTCmw==,type:str]
+    maxmind-license: ENC[AES256_GCM,data:8OioibcXQ9IZ0OQhJ/zHSBQjfdHzkoqwUx5zR8Zq0atNw6SSf7vKrg==,iv:z6WTI2yeqP0h7EqKG114nRQpFVJlNzZspgS6gIFtpt4=,tag:a0dBt9pXJnncBiSKt9dsAQ==,type:str]
+telegram:
+    token: ENC[AES256_GCM,data:Si6yTh48HpA8OkkkvgHwtJYFhF8tW3oaQbldjwBc09QJxp9AoKgASMnZtbDZYA==,iv:GrNyZXjaZMviSjy/LGHHrYTr5PFvDkCXmT3MU4+SLpc=,tag:YifB1tKFLqsgXB/YLqYK4w==,type:str]
+    chat: ENC[AES256_GCM,data:ydPky0W4ZWqn,iv:uWQrZDz2GCxiKRaijM89Npt0fQeSNHbQzDefkZCkUAE=,tag:OJQwV/889Vp2/4wjbN41JA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNamN1TytweDd3blJsR2ZH
+            ZmlocFZjT3ZaUjlVbG1vVSt4a2s2SjJIaGtRCjRneDV6cHYwdGJOY1BDVS9DeDVC
+            cDdNbUdtSGRHNU1yZFpPc1MzRS92ME0KLS0tIFpmamNmTFYrRGRqbTFVSzBhUlNa
+            VllXdzZ3bEc3UFY0YjZRKzBUcGgyVkUKqI1ojiLbF87alAkEwyrm8wuW2fLbmj8d
+            YBIpoDCZ7AwR5uHWQAtl7BWJV1zab+rA3zvaf2BsrVA1A+RWOtYT/Q==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1yvrl4y0r6yzcxzzkgfwshlrtsjt8uuya6rfwks09pnft7esfcyvqmrtm5q
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWWitsSnRVSzJDZG9ZSE5I
+            bmt2NEFDanR3aFJyYVNnU1NlUldRb2RUVXhNClQrTkgzR1dPNWp3endZTUl5SmRs
+            dEtkSWk4aWJEc2hhbWlXZkxpNGhacFUKLS0tIGZNSG43R0NKYmdFMzdXbmJjSExJ
+            Ri9hM3NRTkM4Q1lDdmdPemEweEFBUmcKNLL5qH+JeFWX0GovkPFVVAnz+4tmfG6/
+            1jN8YqbMIxf5/L8tauXPf0iIiHa6pUcjtDZPr/OEmeXebmF6Bh9u9Q==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-08-25T03:19:55Z"
+    mac: ENC[AES256_GCM,data:v6yb7ZYcnPw/8SqEJnSWzmlE17PenjnBH2X8HZp+kIDXzNFyNvD19FcbCBZjwyjBLvN1ZF4M9FS7Y4+CvvMrN/4JcFufcY/V1NrOd8IZisfAT5N3WuopPee4IN9WEyPVOsbFnesZo6/wJKuqlV1UR8UZxCd3/wHXob9Lkz45cBw=,iv:XKIUiRfP0lj8V/Z1HbvhBankdcAjQqM8Way6TWjJJMY=,tag:PLYsVj6BmR132oWsxEKnfg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.0

devices/vps6/default.nix

@@ -34,6 +34,7 @@ inputs:
       };
       services =
       {
+        snapper.enable = true;
         sshd = {};
         xray.server = { serverName = "vps6.xserver.chn.moe"; userNumber = 22; };
         frpServer = { enable = true; serverName = "frp.chn.moe"; };
@@ -50,7 +51,15 @@ inputs:
             [ "nix-store" "xn--qbtm095lrg0bfka60z" ]))
           // (builtins.listToAttrs (builtins.map
             (site: { name = "${site}.chn.moe"; value.upstream.address = "wireguard.vps7.chn.moe"; })
-            [ "xn--s8w913fdga" "misskey" "synapse" "matrix" "send" "api" "git" "grafana" "peertube" ]));
+            [
+              "xn--s8w913fdga" "synapse" "syncv3.synapse" "matrix" "syncv3.matrix"
+              "send" "api" "git" "grafana" "peertube"
+            ]))
+          // (builtins.listToAttrs (builtins.map
+            (site: { name = "${site}.chn.moe"; value.upstream.address = "wireguard.nas.chn.moe"; })
+            [
+              "misskey"
+            ]));
           applications =
           {
             element.instances."element.chn.moe" = {};
@@ -59,7 +68,6 @@ inputs:
             main.enable = true;
             nekomia.enable = true;
             blog = {};
-            sticker = {};
           };
         };
         coturn = {};
@@ -69,7 +77,7 @@ inputs:
         wireguard =
         {
           enable = true;
-          peers = [ "pc" "nas" "one" "vps7" "srv2-node0" "pi3b" "srv1-node0" ];
+          peers = [ "pc" "nas" "vps7" "surface" "xmupc1" "xmupc2" "pi3b" "srv1-node0" ];
           publicKey = "AVOsYUKQQCvo3ctst3vNi8XSVWo1Wh15066aHh+KpF4=";
           wireguardIp = "192.168.83.1";
           listenIp = "74.211.99.69";

devices/vps6/secrets.yaml

@@ -14,7 +14,7 @@ xray-server:
         user3: ENC[AES256_GCM,data:r+6jXaIj4HJoYLnJcnjJB+WEZlGaoSy/ktc1Aw77hFtNrrGp,iv:P+YUKns1yaOZokH5WkDB0jssGyHg3ncc54tF1PyA7Oc=,tag:/pxMEr7l4ye5EDAOsllxJA==,type:str]
         #ENC[AES256_GCM,data:4gqZh391hg==,iv:No22DrD6EBs2FA4/qH8msWEjs20fc+ZpEeZep+HIv+c=,tag:aHrYNbI83POI4PRj1nd+Yw==,type:comment]
         user4: ENC[AES256_GCM,data:ujiml/r4aFiKOkSJkaD/KE8rKuBtLSnpZREBH3vRJUzDT0QM,iv:a3VFlXpMLNFihvFa7gloANtHmBLg4szTL5LTm8E2kNs=,tag:W9KZ1GAVx9IBKfda7Zedng==,type:str]
-        #ENC[AES256_GCM,data:AzzKMw==,iv:Z73ISOLhPWP40wTy8PucY3KaB9nS7WQECK3tZFYC1ao=,tag:KJuiCODhHyDl5bXInUSI5g==,type:comment]
+        #ENC[AES256_GCM,data:PTYBkBHs16U=,iv:qr3u7OveM1CmTBIf9gZK4fTRuLCpcZCwf8jmnd1L3Co=,tag:w3O41NG7yCwCVqPGh/6SXA==,type:comment]
         user5: ENC[AES256_GCM,data:iDuLRb4dhLUOjpamioMwoTYrn7Cy+Ln4SaedVXkwVD05rjJ0,iv:AqzBBvLpJuIJCUJq0IyDcHrlqb0e84nQC0c94Rj85uw=,tag:0xou1i/iwAxGngO74OIMXg==,type:str]
         #ENC[AES256_GCM,data:D5xiJW0Oyg==,iv:9a/6myiT9Crf/fff6ZkXj/obW2k95cABUNqQdPmcwcc=,tag:chs8BA8YtVkM9m3Ey9ETlA==,type:comment]
         user6: ENC[AES256_GCM,data:YzLlf37SxKmU1/QA7gUIJsGid3KZNoAGOew8xR7cmw5l8ZmX,iv:SfKubo2jfjtxKn9odDiokMEZyPFfYZ/wwyYtBrgvgmM=,tag:+hxwIU5uBhzQyrKX4r3oiw==,type:str]
@@ -24,7 +24,7 @@ xray-server:
         user8: ENC[AES256_GCM,data:H1gPtqF8vryD0rVH7HYzpMuZ3lufOBYczKwaTr4PidQtTyQK,iv:wh7NwFc/1ogNrnTTpm5L9dBqDVkvWiIsJZelR2mtR4Q=,tag:oEFdMFZJ9UYhsSVdefJ4rg==,type:str]
         #ENC[AES256_GCM,data:aYWIiLxs1UvupQ==,iv:AisokHuAzD5B6fEF6ak8WfAe151CM3a8MsaWC4uJPnw=,tag:cdk5S4n9ulyWrqsD+jcqYg==,type:comment]
         user9: ENC[AES256_GCM,data:HVK9KvGfOcwn1joc3VrkjBjE6hrxQPOBD5RTtQUgBPepToh6,iv:VK9aQ64L/GajpledBxC8PNB1BdNYEqwcdL3GKttgxvs=,tag:O/piztCYBARtAFxTMNXGaA==,type:str]
-        #ENC[AES256_GCM,data:eCl1bK4=,iv:oYA2CFW6OGGrRYx6OHRYJpbEyFh575UjztvHaXA8UG8=,tag:Pw7xsisQB2Dd0KJeWFq6bQ==,type:comment]
+        #ENC[AES256_GCM,data:b839t/OihMOmz0gIcTo43r2MIw==,iv:8kaAFG7DhFOoitcvbFaAvE1NUSLFrFhy1KiMrqs4r/c=,tag:G4vSADa52ZfN5y5ytoFJoQ==,type:comment]
         user10: ENC[AES256_GCM,data:xjVkr/wy7OxRuNZKfQagfNxdVxTEyQP1ZhnR6jHy2gjBQ0RD,iv:G6iOBCHOqlvfEENY/ega/TUm81wgT2OOdZKZ6bPfg9o=,tag:p8AMa3bGsIl0hWQ09lSzgA==,type:str]
         #ENC[AES256_GCM,data:+s3MMeNU5Q==,iv:CUrg+nNxCpJFbHQmMNXmSE+JcZK6Dfu8cGwtznx3CFY=,tag:G5CYMtao+hz3hs0fPVPmcw==,type:comment]
         user11: ENC[AES256_GCM,data:BIZ2zRgGv5/9AexiZZvu+m4A62YUWtAkjWWMu89GteqpWMBq,iv:13IJcDf18LjoxJk7uoKnuFZT6Ihxrxsy7DBaAaiFqus=,tag:RN7wj+uPneCkqNlMRyYrXw==,type:str]
@@ -91,8 +91,8 @@ sops:
             ZXFTU3ZCaW1pTVh0RUJzdDdGdHlPYTgK2mlgcX2kEc8+2UDdBnhUm6IIuh8V6agW
             ooxH9OEPXUVI/4JcDo4v8ZUhAyU1ehLH0Ef7PJCChOZe2KZmWSNbhA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-14T12:02:33Z"
-    mac: ENC[AES256_GCM,data:2iQLMkj/qg+TQodFXqCaSOhj1G2NGGr1ZEDewDm/6H2zteppgEw4vRls5GPUrxTQnC22NHKqih7REWa0Xv7L4eALkxrVYqWkPVcxvlt1RauW8XrW1JJhhLj+E/52AKqOxGd1CviuyyQS2M2cZzk1t3gNDpSZ8YdmhjYPUHk2SCA=,iv:imFhB5A4LZYhE3NqIbQazMqBzEtdv/c6r7DcY9yJqKE=,tag:eRTl/1vbmI3YsLLEyFyIAg==,type:str]
+    lastmodified: "2024-09-26T04:24:17Z"
+    mac: ENC[AES256_GCM,data:AXhLmyZWGD6KvMkyHqmCERE6eNE3pD5Pa/9mRBWZe4hiXL4mKTzCn5C/ODGQ1ZeQjDdP+awjJRvLRjMiYFhVlU8rKpg/f2G1gDr4cIbr61sCdzXKX8wFW0G7bJWxxpAC4X59+u9EJ3sNcyf7bJrMdkTzTYpgXh29mtl2bprcdJQ=,iv:pK4hYexcWng3GwOmWGqgyMsmATnXgcwR3NH4UxCwpvE=,tag:zpv64JWoXc5cDCukDuW51g==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.9.1
+    version: 3.9.0

devices/vps7/default.nix

@@ -33,10 +33,10 @@ inputs:
       };
       services =
       {
+        snapper.enable = true;
         sshd = {};
         rsshub.enable = true;
-        misskey.instances =
-          { misskey.hostname = "xn--s8w913fdga.chn.moe"; misskey-old = { port = 9727; redis.port = 3546; }; };
+        misskey.instances.misskey.hostname = "xn--s8w913fdga.chn.moe";
         synapse.instances =
         {
           synapse.matrixHostname = "synapse.chn.moe";
@@ -47,12 +47,12 @@ inputs:
         photoprism.enable = true;
         nextcloud = {};
         freshrss.enable = true;
-        send = {};
+        send.enable = true;
         huginn.enable = true;
         fz-new-order = {};
         httpapi.enable = true;
         gitea = { enable = true; ssh = {}; };
-        grafana = {};
+        grafana.enable = true;
         fail2ban = {};
         wireguard =
         {

devices/vps7/secrets.yaml

@@ -3,12 +3,11 @@ acme:
 nginx:
     detectAuth:
         chn: ENC[AES256_GCM,data:Gk0TTbnFcsvIgoDcen6B8w==,iv:kvyvygw9zDwaiTQ2vPFTHQex0EWDFg8M8U22AConQFM=,tag:ewAZ/nXxmTOhDAjW/A2OnA==,type:str]
-        led: ENC[AES256_GCM,data:Vb2p9v7U,iv:xJcKgvbc0KAP31uTpFiYlpvPoEHMWH3VkEqqyINKcyk=,tag:X2R+CHFj4N4i7cAK88IoSA==,type:str]
+        led: ENC[AES256_GCM,data:Owax7cyp,iv:NCEKyicVCYZNgxJzlO90heUmwPjfXbZEcyXX09XQKI4=,tag:WMTCVMVCD9sJgAhRUsqvYg==,type:str]
     maxmind-license: ENC[AES256_GCM,data:9aW4QR3K6S+eTqzIjVlNEwkG0wZ4u5jgRfe7CMwRlJlK4AmcS6c45Q==,iv:cPTN1K4Aag5sohGbCQUZHYTvcwAL7AhF+rrY3OvXGPs=,tag:d9GGUMHnfzRz9Cf2U+dBfw==,type:str]
 redis:
     rsshub: ENC[AES256_GCM,data:uPnZIjbnRRoWIHlWkZNZkMpIb3Ujnnpb+AisVSVGFv4sfDAuDlAjt39pRdnWkCXJPqtXjJzQ+FeT34cqxTf8Bg==,iv:/jcyAHkxByFnbkmCAYQwda2QRmhW7L/ICoLuCgsVLCI=,tag:M5Q+dh/Bn7FiNpqQGYus4Q==,type:str]
     misskey-misskey: ENC[AES256_GCM,data:OHjt9o+m++NT5aaFbwBT/wSMdUdgf4zscd/JxjCo5HDhC3WeWMJV7z//kATI5Dg4BWAhvPlL02Vrly4RraIzLw==,iv:sQB4/D2SsOuDR3bTrmlNg7o+6ehFznDsqVc3BX9pK20=,tag:tcwTBt/JhyW8ZTAIWIkWBA==,type:str]
-    misskey-misskey-old: ENC[AES256_GCM,data:amUqMycdXUFvjg66pXKnlZqiESBYMci0k8iYzj824SaEqHl3Nq/I0TjYX++xEUg+RGYyTIcSaj96HUANTKpc1A==,iv:ND1mQLHxltRlOdpJ80ywheGo6hkl7OgRyk9TguJMuTw=,tag:dhCCwnCOnyT2iXdEMK0szg==,type:str]
     nextcloud: ENC[AES256_GCM,data:jwN/CqwkU/5Rd6w75/bV2Yej9b0CoxZaiJEcZXFx+9XUPY3Xg1tQdEr1SALG8xzOEdoL6WBVs14NvrrL25GeTQ==,iv:p5+0AB52QqScJwMhNIrM/7HAcRPdD9Z8xV6uwIDOwIg=,tag:f1XbNDDRXvGl/dkV9Wp2Ug==,type:str]
     send: ENC[AES256_GCM,data:IGxj3cgp+fQBdupfK+IgPEQSPuXdM9LRSLGSATNIkzUWC6sQw1aaKTDuRc8cU2BG6quthRwuWnK/F7k3KrUi8Q==,iv:LI9MkaF4e47FPUyL7AXZpO+CdgF91ScdiqjrE8PZjJ4=,tag:eNugln5M0AhU1xmVWFN7Aw==,type:str]
     synapse-synapse: ENC[AES256_GCM,data:8CVbcN2FG4mRT4PnlOGsS7tDfS+6ojIJFvq2EwItxn1gg2Ghd/Bmx+5tS/Do2FrYp/Xiv1EqucomM50r5bXnmg==,iv:TT7zBKQ4M10XYVCn5aeSu9IqjrIEHHazPUCOTmgRAU0=,tag:0+Q9hZMBVDj1TnHj3xoTBA==,type:str]
@@ -16,7 +15,6 @@ redis:
     peertube: ENC[AES256_GCM,data:cN+cClNV1JD+Z1Wlp07MY7BmLr/EZYZZt04mxKKKN8RG1ZSMGykbc3hd00E14ubhCittJXSPbIWyO63lCGGEPg==,iv:3z1BR0j26LGfXwDDPYU/i8Qx/7529KKoar+xGZanirI=,tag:g/NSGDE1iEYJ1MStrV3rpg==,type:str]
 postgresql:
     misskey_misskey: ENC[AES256_GCM,data:lRbSz7bbiWEdK/cRD41fLvFJF4WYsclKHVykFcU3LIz9vnKlR3VdczzznVqpT7JvG6OUi+TmipJii+0KzXHtdA==,iv:8sBKgVwuDJdThup0KQ6cnAV5O2liwVra1yIpDHVfpMI=,tag:DyUpaHai8ZUyllvZBUm8sg==,type:str]
-    misskey_misskey_old: ENC[AES256_GCM,data:Wwtd+hKI0s7m3PbEPHbnSyTsCkW0x8SYHUiCYuNSNCG8i4RAmiAbONNFfWN2hXnmTmRK79Tx/3GR+L0KMzmNGQ==,iv:BekTELToPQXUdZHyNtkuqKyZeez+moI6k907P7NhA3Q=,tag:A5YB0WIa1RkDCtzeBhiuyA==,type:str]
     synapse_synapse: ENC[AES256_GCM,data:lzaggyuXM1XwsRxFHslsP89r8wEcgi6LNfbcm+pFWj6WLO8y8WaQIdOkiF3D2ToKDwcw5XgSGSt/VAk6lv+GeA==,iv:8WOL3jze797Wz9kSRq7YpY8OS1TBMqHYhfgZlluJlic=,tag:utNhs1AMbGthp6M2c0x67g==,type:str]
     vaultwarden: ENC[AES256_GCM,data:Uz8GJMaLUTQ9pQbZyZLWS4bL5wmt9RvbAwNctAIDt9JrV3FaXxgKjE0MJSGklS55yj/Z/wbO6RCuCK2AWR2VKw==,iv:7hA8YcB88M1qCV8EhFYpHbfPmAZ/7xNqvTMJYZ/UcAY=,tag:mkDHJYmRoYZ/Ct0UmOp9FA==,type:str]
     nextcloud: ENC[AES256_GCM,data:5UpYSMsZgUgEJHg0ou9Z1RTE+YFFUKuXwPtc6L5XxD4GNo8Gd3CvcQSNGAol+5DtyPKF3q1+ZgtScWGrqU1RyA==,iv:Zfm+Oa4eON8WiJzYUkMFawafDwo9pOnOpWkwHYLIKkk=,tag:4ECMla1dFfCrn7lILwWFNA==,type:str]
@@ -129,8 +127,8 @@ sops:
             SnFHS1Z0SXUzTFdEd29KTy9DU3Y3R0UKfhh+rUmWDrf+UGjclP57dHipPLFoXSqy
             HdelmfV6q4/c7ppx2E+oZw3VNgoZCsrxxzYZfwxHJiZb+5vkE0D8iA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-01-19T03:03:26Z"
-    mac: ENC[AES256_GCM,data:Y2V6OGImOqv25o+VMCtdYbD/VWXdyQLq2K0EjKk2hbalKPAK0qnU4NOEDl9Em+39Jxo6LYlDUyXHLNOWo77QGjgztR2pp+xaZmd9g2zRxMXZLiv3khLUX6tIEpI1b1EdgQ2id2D21YxU+89D9Jwxlp6Dd5bcHa4GxPplstha2jw=,iv:deYb0CZ6kaK8epuRQ/jW8flGYlrIHhCfJbF7E6Iw19A=,tag:ZAf4yRhyxoK/SYS0ApRivg==,type:str]
+    lastmodified: "2024-10-25T08:48:30Z"
+    mac: ENC[AES256_GCM,data:VtdB55WtONC5orgSMFPuELRVtjAC9REZIscEtWLZ8Cyo+FEYmFAlj+0cg/5aOk4dr2JVUnkcWNyefM8xw7m78yU3f5KruKH0N741ngkovhJnI1V6yuY9om/NXvux6dkYKmQcAXq87rYkoDg5CFxsU9RKJncBMCA7bekebzo0aIw=,iv:7Jv8ciLxXWkCzZeU82Wv8oxBcesjb9/qzWfn9tqyta8=,tag:aEnX4E5w64oY8bbJ5Z8MRg==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.9.2
+    version: 3.9.1

devices/xmupc1/default.nix

@@ -0,0 +1,103 @@
+inputs:
+{
+  config =
+  {
+    nixos =
+    {
+      model.type = "server";
+      system =
+      {
+        fileSystems =
+        {
+          mount =
+          {
+            # TODO: reparition
+            vfat."/dev/disk/by-uuid/467C-02E3" = "/boot";
+            btrfs =
+            {
+              "/dev/disk/by-uuid/2f9060bc-09b5-4348-ad0f-3a43a91d158b"."/nix" = "/nix";
+              "/dev/disk/by-uuid/a04a1fb0-e4ed-4c91-9846-2f9e716f6e12" =
+              {
+                "/nix/rootfs" = "/nix/rootfs";
+                "/nix/persistent" = "/nix/persistent";
+                "/nix/nodatacow" = "/nix/nodatacow";
+                "/nix/rootfs/current" = "/";
+              };
+            };
+          };
+          swap = [ "/nix/swap/swap" ];
+          rollingRootfs = {};
+        };
+        nixpkgs =
+        {
+          march = "znver3";
+          cuda =
+          {
+            enable = true;
+            capabilities =
+            [
+              # p5000 p400
+              "6.1"
+              # 2080 Ti
+              "7.5"
+              # 3090
+              "8.6"
+              # 4090
+              "8.9"
+            ];
+            forwardCompat = false;
+          };
+        };
+        nix.remote.slave.enable = true;
+      };
+      hardware = { cpus = [ "amd" ]; gpu.type = "nvidia"; };
+      virtualization.kvmHost = { enable = true; gui = true; };
+      services =
+      {
+        snapper.enable = true;
+        sshd = { passwordAuthentication = true; groupBanner = true; };
+        xray.client.enable = true;
+        smartd.enable = true;
+        beesd.instances =
+        {
+          root = { device = "/"; hashTableSizeMB = 16384; threads = 4; };
+          nix = { device = "/nix"; hashTableSizeMB = 512; };
+        };
+        wireguard =
+        {
+          enable = true;
+          peers = [ "vps6" ];
+          publicKey = "JEY7D4ANfTpevjXNvGDYO6aGwtBGRXsf/iwNwjwDRQk=";
+          wireguardIp = "192.168.83.6";
+        };
+        slurm =
+        {
+          enable = true;
+          master = "xmupc1";
+          node.xmupc1 =
+          {
+            name = "xmupc1"; address = "127.0.0.1";
+            cpu = { cores = 16; threads = 2; };
+            memoryMB = 94208;
+            gpus = { "p5000" = 1; "3090" = 1; "4090" = 1; };
+          };
+          partitions.localhost = [ "xmupc1" ];
+          tui = { cpuMpiThreads = 3; cpuOpenmpThreads = 4; gpus = [ "p5000" "3090" "4090" ]; };
+        };
+        xrdp = { enable = true; hostname = [ "xmupc1.chn.moe" ]; };
+        samba =
+        {
+          enable = true;
+          hostsAllowed = "";
+          shares = { home.path = "/home"; root.path = "/"; };
+        };
+        groupshare = {};
+        hpcstat = {};
+        docker = {};
+      };
+      bugs = [ "xmunet" "amdpstate" ];
+      user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" "lly" ];
+    };
+    services.hardware.bolt.enable = true;
+  };
+}

devices/xmupc1/secrets/default.yaml

@@ -23,6 +23,13 @@ users:
     zzn: ENC[AES256_GCM,data:/CSffToFJiBotXZ5rPkz0UNgI/iC0ftusPF2Ce6Of3XckjpCcikWj6n3ahJ24XsWQjp3EvacOiBorh+Kg16LjCEl0P2RMIitTQ==,iv:u9IFdp/jw7ehTshPzQVssLeh33iBYCPjSyJSLsc5EVo=,tag:/KXgmU7dcTKG8C4Y7NcMhw==,type:str]
     #ENC[AES256_GCM,data:TN/ycWtGSCNY,iv:pSilXx4zKs53XX/L0+QFbwv13rutQG11sU0EgVhaJEA=,tag:L+MpcYYlsMnSpS1JQdnwIQ==,type:comment]
     lly: ENC[AES256_GCM,data:XkRaNI0SqooptH/OexBCzZ4RYvA3s7qXbpCtLVidJ4pZU/o7EHlIcvMbeRxqdujhXNQ+vbS3o7CmhwJK2JVVPCCVsd6k0gMDdw==,iv:v/2mgDuR+/lb8mtyv6sn4Z9XXnuDoXkT0DeNQ7850fU=,tag:T8xxo9C7kFSNlLDjEaZK0Q==,type:str]
+mariadb:
+    slurm: ENC[AES256_GCM,data:qQMD8SKNmxb3PdScXNqppF9zkX7dV5i7rvljvZuhiI5zLnu77qYCHBW6ymh0mrY14N9NjxmQZhZWX/H8TvBlcg==,iv:J5N3LjCYW3QmuEkMBpl7qvPFW1Z9ZoPLkj45jKcIW9U=,tag:Tl+ld07+lVkmzt7f/f2MqQ==,type:str]
+hpcstat:
+    key: ENC[AES256_GCM,data:POK329h/joF7WdSBwSE1EkYH/pZ9X+wiTKcVWLZjmh7gM9d7HONbN/PqsYNFTHJVR0GgysqpLEcPN2OFGs/SSeH86o04cAdjAVznKZgt1Q34QGYy6b+io15P3lbmK0kTKmeGt5qEhGkBh6BVBoSyqbKAknvUqJ17ZkL17kyRaKffm3Zais7keEJCFdyRF6oSz2kl2CvEmKNWPWDdO9EpgqgYlm9mwu95/k9Hx5eyUjiFpxc3fdFTESGbe0ZYAqKQ0eLFfLLorQp0pAzxCbbxIzZEgyxjzkICXKa1n7Zz6h1ON2Rsqq0Q4hEYJdWGLtvOH/VLVxvNWjW4Er6i3lWGhZRiDDrxLErQGONI+X7QqbneFCnMCZGln3pAfNtOr+KX58ij/egyzmb7bKZrARqnm+X+/I/L0+VS1PfDdLP53GaX7mfKYpcH6z7O2F/zjpuXQTV8njs64YlvgyYXsCaghEUBzehsruwRsBEkTIb4R2AlqItpbesMnNNUJ4Cr/B7Bw6O+gHeJ+oK4ZPBYbgso,iv:B2eWjydl8m8nbcPw2fZfxCnj57utWM9ABj2eJ1pRKWQ=,tag:5W9ZwVSJvm1KvZnf/E5Tug==,type:str]
+telegram:
+    token: ENC[AES256_GCM,data:Mu7guAFUu+UoHvo/h1blcI6Kg3mvng6zNc/HKXuCdf73ujziK0mXwPcf7t7d/w==,iv:BkA4d0OJ4lTD7csZJQHcDnYe7SYcFbwRVYOQAWOQ2lQ=,tag:GuJ4z5pe2znTY3xNT2WF+w==,type:str]
+    chat: ENC[AES256_GCM,data:OC8ElUPmfsVL,iv:WgZMJP2ugZbqZyihdNtL1xMH8u9VpLNzO8DGpDL4w4k=,tag:u4cKABikuMUbCIm5zCnk6A==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -47,8 +54,8 @@ sops:
             ZDNHUjE2QVlCV3p0NHdKYW5IMHVBZzQKkZtfyvfroOntg3yRjMw4jQHiQj8eaB2h
             IeIHfW4y01mmVT2ofbtB0xYpjcl4gtUlQ8X3tn5iJ9P8gcVo0G598A==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-01-11T12:43:41Z"
-    mac: ENC[AES256_GCM,data:exCwRlOqvMRvqStZfI0P1nXE9KX0GxVGhPD4PEkDXhm35CtFXJj6toZyJqHUt9XrrlW6NHzXbQszeHV0/EmdItJK3HupRMopetBTSBmkH3FpuCrD8QZ4Ukm60ZQq1YiAlgE+HqOGhz+eYvUI9WPwci05Hi3Ea/a7ASsE3UWyc9Q=,iv:BX26ZpZGVsYUkZu//hD1Go18T+UWpGCChHFGFMUHmJE=,tag:0RvkrXGBc1ZN3MqaNHOHGA==,type:str]
+    lastmodified: "2024-10-26T12:26:52Z"
+    mac: ENC[AES256_GCM,data:TiF/QAh6Y8Xn+3B1rlg+FvZFJ4fGP+szvvopbiEzO6AWBYp8dcD6MmaZstVzJL1BrRIQ3GENcq7EVyfZMWQlW8aRsVF/RrWOSpAKI1tiWDl+10Ov3zjr+Q8sFYTfblWXYH7Tq9pcWBChj1Kj88Ri5xRRfJTuelQoL0igHQBwfFM=,iv:ikzexH8P3CYu7SrRXwWd1Ar3+PEXSSjSVj5E3jwcZyQ=,tag:i5/F33/KcDJVQ4ceYtRErQ==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.9.2
+    version: 3.9.1

devices/xmupc1/secrets/munge.key

@@ -0,0 +1,24 @@
+{
+	"data": "ENC[AES256_GCM,data:tuEymMXW0f7Rui5wrz/xozphTEq6ffkYIfNIoURFNHwH2Cg+aKHz2ox0gk02BJARhPMDrxCYlChkcrEI0ma/T0eBe9sWz3tA8AOwU1lHSZ06d/JWzW7IUIyTac2mnjt3/jY/qpnR4A8wtHwD0j4zkzXgUgFwq7k/fs24acEE4Jo=,iv:iDTS0xswLrwkOYmfomE5hluVONgJYia/RjINDy7T3R0=,tag:oIYNpFCuT2D+X1QEJJiHew==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3aFRRa0NsOUp5MEg3UHcx\nc3g1VFZEQS9Tci9QSnNFYnIrT3hUdVU5cWxjCnU5UXVEdTFXczJzcHVvSjF2WHdB\nYmpyQVVaUFozKzJIZThBbXUxb2k2YzAKLS0tIHE1QXVrOXo1Y3VXMzJJYitWU3Qv\neDF1cndrSi94clh1cS9NczN0UW9pOXcKtrnIj3WovMYdcg5nWnnyRhJhTGLrlwxW\nxQ6bmNrfbZedmCNdjY2lPXmudMXJ8YlWe/HGCe94x3iFlaSwCIGUsA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1hnarptkze0ujpp05dqr8uma04cxg9zqcx68qgpks5uf5l6rpk5gqhh8wxg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBocFl1SHJEemRySlBnMmNn\nVW9RS1NNdlo4M3l2WGlQaHJmbDBHcjMwaVVnCnY5WExPOXZJVEdYSlJ6UTRBMGJj\ncmlYaUNVV1hnWTNkaWVuV2VuaXN2eU0KLS0tIDBTYnd2NmVYTUJKaHZWRWo3ZlUx\nTEtPZWc2RE1XNG9WTXFOTllWVUVWeUkK+9aLz1rygGAQjpG+oMNUtrDkQaDfg+2q\nnl/CtZZrFD6NXGw6Di0X5t9fQu295NTJ/0qjXnfMigG8gDtxkE+/7g==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-02-26T06:04:53Z",
+		"mac": "ENC[AES256_GCM,data:y0RkPyUwwff95BFL951TxS/x5ORzMsxFJVjopSw+8iVtswD8MT1nmsbwyth4C9OnJ/IAtnZk/CjAt72a68AZpPI+2W/JqJq20ohFoquDNhTlsoyLWdO3Vjrd+Wo3hp0+iKQ3e/uYrF1sTqQO9a3OIxu2sVLM0gEDmIe2nJpLJQo=,iv:EjXTQvVdjzfClNfQ3rPxAFVWVqr7sSOz4ap+nshPEAk=,tag:DcIlf9W7NNqQ+gf8f46MwQ==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}

devices/xmupc2/README.md

@@ -0,0 +1,29 @@
+# 硬件
+
+* CPU：44 核 88 线程。
+* 内存：256 G。
+* 显卡：
+  * 4090：24 G 显存。
+  * ~~P5000：16 G 显存~~暂时拔掉了，否则 4090 供电不够。
+* 硬盘：18 T。
+
+# 支持的连接协议
+
+## SSH
+
+* 地址：xmupc2.chn.moe
+* 端口：6394
+* 用户名：自己名字的拼音首字母
+* 可以用密码登陆，也可以用证书登陆。
+
+## RDP
+
+* 地址：xmupc2.chn.moe:3390
+* 用户名：自己名字的拼音首字母
+* 密码和 ssh 一样（使用同样的验证机制）。
+
+## samba
+
+因端口冲突暂时禁用。
+
+其它内容请阅读 [xmupc1](../xmupc1) 的说明，两台机器的软件大致是一样的。

devices/xmupc2/default.nix

@@ -0,0 +1,95 @@
+inputs:
+{
+  config =
+  {
+    nixos =
+    {
+      model.type = "server";
+      system =
+      {
+        fileSystems =
+        {
+          mount =
+          {
+            vfat."/dev/disk/by-uuid/23CA-F4C4" = "/boot";
+            btrfs =
+            {
+              "/dev/disk/by-uuid/d187e03c-a2b6-455b-931a-8d35b529edac" =
+                { "/nix/rootfs/current" = "/"; "/nix" = "/nix"; };
+            };
+          };
+          swap = [ "/nix/swap/swap" ];
+          rollingRootfs = {};
+        };
+        nixpkgs =
+        {
+          march = "skylake";
+          cuda =
+          {
+            enable = true;
+            capabilities =
+            [
+              # p5000 p400
+              "6.1"
+              # 2080 Ti
+              "7.5"
+              # 3090
+              "8.6"
+              # 4090
+              "8.9"
+            ];
+            forwardCompat = false;
+          };
+        };
+        nix =
+        {
+          marches =
+          [
+            "broadwell" "skylake"
+            # AVX512F CLWB AVX512VL AVX512BW AVX512DQ AVX512CD AVX512VNNI
+            # "cascadelake"
+          ];
+          remote.slave.enable = true;
+        };
+        grub.windowsEntries."8F50-83B8" = "猿神，启动！";
+      };
+      hardware = { cpus = [ "intel" ]; gpu.type = "nvidia"; };
+      virtualization.kvmHost = { enable = true; gui = true; };
+      services =
+      {
+        snapper.enable = true;
+        sshd = { passwordAuthentication = true; groupBanner = true; };
+        xray.client.enable = true;
+        smartd.enable = true;
+        beesd.instances.root = { device = "/"; hashTableSizeMB = 16384; threads = 4; };
+        wireguard =
+        {
+          enable = true;
+          peers = [ "vps6" ];
+          publicKey = "lNTwQqaR0w/loeG3Fh5qzQevuAVXhKXgiPt6fZoBGFE=";
+          wireguardIp = "192.168.83.7";
+        };
+        slurm =
+        {
+          enable = true;
+          master = "xmupc2";
+          node.xmupc2 =
+          {
+            name = "xmupc2"; address = "127.0.0.1";
+            cpu = { sockets = 2; cores = 22; threads = 2; };
+            memoryMB = 253952;
+            gpus."4090" = 1;
+          };
+          partitions.localhost = [ "xmupc2" ];
+          tui = { cpuMpiThreads = 8; cpuOpenmpThreads = 10; gpus = [ "4090" ]; };
+        };
+        xrdp = { enable = true; hostname = [ "xmupc2.chn.moe" ]; };
+        samba = { enable = true; hostsAllowed = ""; shares = { home.path = "/home"; root.path = "/"; }; };
+        groupshare = {};
+        docker = {};
+      };
+      bugs = [ "xmunet" ];
+      user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" "lly" ];
+    };
+  };
+}

devices/xmupc2/secrets/default.yaml

@@ -23,14 +23,6 @@ users:
     lly: ENC[AES256_GCM,data:tP/NtJcMUtZPvuAqoM6KhCMybhsTxKSq4WWW3SBzQ/O0FmUXhECQc5CQnI4J9PlalP7Ug+uUQzeBMnHN84pkKNIeHVJhqjU8Zw==,iv:7TPPuSfXypSRnnhuy8LJSXIB+KB+3vWV0G7AbCZpB6s=,tag:iSLgRxOHgUolByFyvwltNQ==,type:str]
 mariadb:
     slurm: ENC[AES256_GCM,data:9wLQ1zF/kDaiw0s3UaRpiHgmngU7u6hwyqpddSjev0+Z0v58Q2oiJtK8vn+2VlSxx5ACfqEFbzp0PZYAxd575w==,iv:q9JTkgDymOwkbZ/PaxRAAQrtO96QmGgZcQuLTFCMoS4=,tag:dwOHlOTgZqT/1jQ+oGf7UQ==,type:str]
-hpcstat:
-    key: ENC[AES256_GCM,data:+Z7MRDkLLdUqDwMrkafFKkBjeCkw+zgRoAoiVEwrr+LY0uMeW8nNYoaYrfz6Ig8CMCDgX3n/DMb0ibUeN32j3HShQIStbtUxRPGpQMyH+ealbvgskGriTFpST4VPyQxNACkUpq/e+sh2CmLbKkSxhamkjKOXwsfqrBlgVbEkp7u7HkWGuAaYL1oPGt0Q94fWXwH0UVhRYZYQ2iFA/S6SEZY8gxaTIGDKUdWU9+fOHzPQ5WfhxtKYU4p4ydyfYsAt6ffqnPSx/SI72GsUCOJ4981JX8TuvnEzx3gQLVFYheK6NibTWCy6eODbvguieVOTHSvCPTrHmoP12lHVWU2kKzLwv70Jl7sXyzKHYROG0D+/z/4DKlNeotKM/IA0q2cST08/lwSKN7WDDmrt+O6xXhvwby28ZYKEsSvvrfV+VIKzHPl84ZKbUEX5xv/GHc3THfznUvKKz5PzDiqrkjCkEt5PRMsVW9A6MU1+QEUr+sXLLtcUd2CCL87c8CpwNHJx1us6vJ4ji1gu0PGoT+60,iv:yU6j9W2Hs2D34uHMJqqPFbNy2pNEZY2kzXoNdhPMSmA=,tag:TNvEfMVrhu7HrNxY8qe5mg==,type:str]
-telegram:
-    token: ENC[AES256_GCM,data:dCDqQhNiuIGJAdbun2uwCBV1smrpvKvwi5AGOs+QWK0ANNVBoSHuUNPeNH2Ivg==,iv:Vcp/OPW8IRPHlqumPxYAfVLtZbdG3rB8VeXM34xBYSk=,tag:vKMihlMdwrPY0XKErtgwIA==,type:str]
-    chat: ENC[AES256_GCM,data:zw2me9Jc7XKl,iv:b699uod4AtF37Ih/9qdQUZN/uhdN+UUeR0ojKogpuTI=,tag:BsDWzbk8175SX6b9ajsPlw==,type:str]
-wireless:
-    #ENC[AES256_GCM,data:xrg3Wxj/ghbWgg==,iv:6stu7voI5no2Y3YmnMrvTS8hev3eqjoWAyD5zTgyehc=,tag:cxkS7y7S1oM+/SJmlT10fw==,type:comment]
-    457的5G: ENC[AES256_GCM,data:QjHlyGU4JIYymyh41T+c33T3EOpbqDOoD3U+v6/BzjlWLLeZQXU2hwPCVh4fi2bwn7yNkp4ygAYmFPVPZWoT1A==,iv:Tc6Guzsn5hkjWH6UWSb1KlfWCBXIi2OWdn/wttmCXnQ=,tag:FhyH6JmjSTuqSeFy+GyQhg==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -55,8 +47,8 @@ sops:
             M0xoL1dQR0kvMWpzN0RMNWVCTFQxNFUKj9LPjBo5NGOrGYNvu8qZ13PLYjLEWllU
             LARzEn4XgkeHckouwvxZYMCx7WxmAruRWaOvnxTIczzSNP7wIrqnkA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-01-11T11:25:26Z"
-    mac: ENC[AES256_GCM,data:RFoPSvTM1+sxQNxHVWYw/PYOmIYFiYg81/ICZMsDtQdwRYUzCAoOmJFeWAKNRWRJgRW9cNYvaowcjuLGXGcCoWlepJ9T48G16Id7sL99Y5BHeul9UHsZTF5dWGvL7JoKbJr4lVJBU/oGNtNJib7qe9TO2ts5JYU511acJUBMKx0=,iv:ZZKLZ3wXRR6pi9zZuuizYXm5EvJY90zD9V7Eymz9XOU=,tag:edIQTpwNjGxm1zPQ9pvhuw==,type:str]
+    lastmodified: "2024-10-26T12:27:03Z"
+    mac: ENC[AES256_GCM,data:q1EihAxiS23XoKWt4ogBo34pP7J6i/yFglmmvFIdWKIgwaoXWFexKrdu1oRZBIxISW+3b/NzkuUm1anu3sGFGiirDpllg8wu8ezXJJODb8yTU0HJpZ/9vjBPm+ZBt5zFzGky7kmW+qOFfUsZkr8dCiJil/Z0HrXrY2d59ksxhto=,iv:7b6ePa4xXdjrj8O2JWAptsONz8gPApS3roYMuRyrztU=,tag:uzOcc8H2W6VvGDkrex5M6A==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.9.2
+    version: 3.9.1

dns/config.yaml

@@ -1,14 +0,0 @@
-providers:
-  config:
-    class: octodns.provider.yaml.YamlProvider
-    directory: ./config
-  cloudflare:
-    class: octodns_cloudflare.CloudflareProvider
-    token: env/CLOUDFLARE_TOKEN
-    pagerules: false
-zones:
-  '*':
-    sources:
-      - cloudflare
-    targets:
-      - config

dns/config/chn.moe.yaml

@@ -1,186 +0,0 @@
-? ''
-: - type: A
-    value: 74.211.99.69
-  - type: MX
-    values:
-    - exchange: tuesday.mxrouting.net.
-      preference: 10
-    - exchange: tuesday-relay.mxrouting.net.
-      preference: 20
-  - type: TXT
-    value: v=spf1 include:mxlogin.com -all
-'*.vps4':
-  type: CNAME
-  value: vps4.chn.moe.
-'*.xsession':
-  type: CNAME
-  value: vps3.chn.moe.
-_xlog-challenge.xlog:
-  type: TXT
-  value: chn
-api:
-  type: CNAME
-  value: autoroute.chn.moe.
-autoroute:
-  type: NS
-  values:
-  - ns1.huaweicloud-dns.cn.
-  - ns1.huaweicloud-dns.com.
-  - ns1.huaweicloud-dns.net.
-  - ns1.huaweicloud-dns.org.
-blog:
-  type: CNAME
-  value: vps6.chn.moe.
-catalog:
-  type: CNAME
-  value: vps6.chn.moe.
-coturn:
-  type: CNAME
-  value: vps6.chn.moe.
-element:
-  type: CNAME
-  value: vps6.chn.moe.
-freshrss:
-  type: CNAME
-  value: vps7.chn.moe.
-frp:
-  type: CNAME
-  value: vps6.chn.moe.
-git:
-  type: CNAME
-  value: autoroute.chn.moe.
-grafana:
-  type: CNAME
-  value: autoroute.chn.moe.
-huginn:
-  type: CNAME
-  value: vps7.chn.moe.
-initrd.nas:
-  type: A
-  value: 192.168.1.2
-initrd.vps6:
-  type: CNAME
-  value: vps6.chn.moe.
-initrd.vps7:
-  type: CNAME
-  value: vps7.chn.moe.
-mail:
-  type: CNAME
-  value: tuesday.mxrouting.net.
-matrix:
-  type: CNAME
-  value: autoroute.chn.moe.
-misskey:
-  type: CNAME
-  value: vps6.chn.moe.
-nas:
-  type: A
-  value: 192.168.1.2
-nextcloud:
-  type: CNAME
-  value: vps7.chn.moe.
-nix-store:
-  type: CNAME
-  value: vps6.chn.moe.
-office:
-  type: A
-  value: 210.34.16.60
-peertube:
-  type: CNAME
-  value: autoroute.chn.moe.
-photoprism:
-  type: CNAME
-  value: vps7.chn.moe.
-rsshub:
-  type: CNAME
-  value: vps7.chn.moe.
-send:
-  type: CNAME
-  value: autoroute.chn.moe.
-srv1:
-  type: A
-  value: 59.77.36.250
-srv2:
-  type: CNAME
-  value: office.chn.moe.
-ssh.git:
-  type: CNAME
-  value: vps7.chn.moe.
-sticker:
-  type: CNAME
-  value: vps6.chn.moe.
-synapse:
-  type: CNAME
-  value: autoroute.chn.moe.
-synapse-admin:
-  type: CNAME
-  value: vps6.chn.moe.
-ua:
-  octodns:
-    cloudflare:
-      auto-ttl: true
-  ttl: 300
-  type: CNAME
-  value: vps6.chn.moe.
-vaultwarden:
-  octodns:
-    cloudflare:
-      auto-ttl: true
-  ttl: 300
-  type: CNAME
-  value: vps7.chn.moe.
-vps6:
-  type: A
-  value: 74.211.99.69
-vps6.xserver:
-  type: CNAME
-  value: vps6.chn.moe.
-vps7:
-  type: A
-  value: 144.126.144.62
-webdav:
-  type: CNAME
-  value: vps7.chn.moe.
-webmail:
-  type: CNAME
-  value: tuesday.mxrouting.net.
-wireguard.nas:
-  type: A
-  value: 192.168.83.4
-wireguard.one:
-  type: A
-  value: 192.168.83.5
-wireguard.pc:
-  type: A
-  value: 192.168.83.3
-wireguard.srv1:
-  type: A
-  value: 192.168.83.9
-wireguard.srv2:
-  type: A
-  value: 192.168.83.7
-wireguard.vps6:
-  type: A
-  value: 192.168.83.1
-wireguard.vps7:
-  type: A
-  value: 192.168.83.2
-www:
-  type: CNAME
-  value: vps3.chn.moe.
-x._domainkey:
-  type: TXT
-  value: v=DKIM1\; k=rsa\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv6xvkOMNYyOlY5mCjyL+Wx9PIWljb7WKLurGNnPNrKOrmSKQBAOwKOgv6SWABsuQMSZnoi33QVrqL2pFrGwAnPbhmQSesdAQW/D2ktaTp6iaRCT2eZTGz+dNdi9HCk1Uzkee8hU7L7KZISnNhvOrbBYbaICOwJWVYjk8hqSbIgyhK90IsTmrs9S4E5PSGxLjJ
-    Cpo0X0DPTtPD4ipH7kHnnD5DRO3fkxCvMAuWbnnt5+iUn/NuFQSC//dMqzs+IklBzZWdm/3n3GijkI5XK9rxnvg8V2/bk7SzJy7qeuLJPgbQgVDHCcIJKR0Ugl6CxpqQ8Jvcf0X0AtixVoVEWoyFQIDAQAB
-xlog:
-  type: CNAME
-  value: xlog.autoroute.chn.moe.
-xsession.vps7:
-  type: CNAME
-  value: vps7.chn.moe.
-铜锣湾:
-  type: CNAME
-  value: autoroute.chn.moe.
-铜锣湾实验室:
-  type: CNAME
-  value: vps6.chn.moe.

dns/config/mirism.one.yaml

@@ -1,3 +0,0 @@
-entry:
-  type: CNAME
-  value: vps6.chn.moe.

dns/config/nekomia.moe.yaml

@@ -1,3 +0,0 @@
-? ''
-: type: ALIAS
-  value: vps6.chn.moe.

flake.nix

@@ -6,16 +6,16 @@
     nixpkgs.url = "github:CHN-beta/nixpkgs/nixos-24.11";
     "nixpkgs-23.11".url = "github:CHN-beta/nixpkgs/nixos-23.11";
     "nixpkgs-23.05".url = "github:CHN-beta/nixpkgs/nixos-23.05";
-    home-manager = { url = "github:nix-community/home-manager/release-24.11"; inputs.nixpkgs.follows = "nixpkgs"; };
-    sops-nix = { url = "github:Mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; };
+    home-manager = { url = "github:nix-community/home-manager"; inputs.nixpkgs.follows = "nixpkgs"; };
+    sops-nix =
+    {
+      url = "github:Mic92/sops-nix";
+      inputs = { nixpkgs.follows = "nixpkgs"; nixpkgs-stable.follows = "nixpkgs"; };
+    };
     nix-index-database = { url = "github:Mic92/nix-index-database"; inputs.nixpkgs.follows = "nixpkgs"; };
     nur-xddxdd = { url = "github:xddxdd/nur-packages"; inputs.nixpkgs.follows = "nixpkgs"; };
-    nix-vscode-extensions =
-    {
-      url = "github:nix-community/nix-vscode-extensions?rev=7aa26ebccf778efe880fda1290db9c1da56ffa4f";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-    impermanence.url = "github:CHN-beta/impermanence";
+    nix-vscode-extensions = { url = "github:nix-community/nix-vscode-extensions"; inputs.nixpkgs.follows = "nixpkgs"; };
+    impermanence.url = "github:nix-community/impermanence";
     qchem = { url = "github:Nix-QChem/NixOS-QChem/master"; inputs.nixpkgs.follows = "nixpkgs"; };
     plasma-manager =
     {
@@ -23,6 +23,7 @@
       inputs = { nixpkgs.follows = "nixpkgs"; home-manager.follows = "home-manager"; };
     };
     nur-linyinfeng = { url = "github:linyinfeng/nur-packages"; inputs.nixpkgs.follows = "nixpkgs"; };
+    nixos-hardware.url = "github:CHN-beta/nixos-hardware";
     envfs = { url = "github:Mic92/envfs"; inputs.nixpkgs.follows = "nixpkgs"; };
     nix-flatpak.url = "github:gmodena/nix-flatpak";
     chaotic =
@@ -33,8 +34,9 @@
     gricad = { url = "github:Gricad/nur-packages"; flake = false; };
     catppuccin.url = "github:catppuccin/nix";
     bscpkgs = { url = "git+https://git.chn.moe/chn/bscpkgs.git"; inputs.nixpkgs.follows = "nixpkgs"; };
+    poetry2nix = { url = "github:nix-community/poetry2nix"; inputs.nixpkgs.follows = "nixpkgs"; };
     winapps = { url = "github:winapps-org/winapps/feat-nix-packaging"; inputs.nixpkgs.follows = "nixpkgs"; };
-    aagl = { url = "github:ezKEa/aagl-gtk-on-nix/release-24.11"; inputs.nixpkgs.follows = "nixpkgs"; };
+    aagl = { url = "github:ezKEa/aagl-gtk-on-nix"; inputs.nixpkgs.follows = "nixpkgs"; };
 
     misskey = { url = "git+https://github.com/CHN-beta/misskey?submodules=1"; flake = false; };
     rsshub = { url = "github:DIYgod/RSSHub"; flake = false; };
@@ -46,10 +48,11 @@
     matplotplusplus = { url = "github:alandefreitas/matplotplusplus"; flake = false; };
     nameof = { url = "github:Neargye/nameof"; flake = false; };
     tgbot-cpp = { url = "github:reo7sp/tgbot-cpp"; flake = false; };
-    v-sim = { url = "gitlab:l_sim/v_sim/master"; flake = false; };
+    v-sim = { url = "gitlab:l_sim/v_sim"; flake = false; };
     rycee = { url = "gitlab:rycee/nur-expressions"; flake = false; };
     blurred-wallpaper = { url = "github:bouteillerAlan/blurredwallpaper"; flake = false; };
     slate = { url = "github:TheBigWazz/Slate"; flake = false; };
+    linux-surface = { url = "github:linux-surface/linux-surface"; flake = false; };
     lepton = { url = "github:black7375/Firefox-UI-Fix"; flake = false; };
     lmod = { url = "github:TACC/Lmod"; flake = false; };
     mumax = { url = "github:CHN-beta/mumax"; flake = false; };
@@ -65,12 +68,6 @@
     blog = { url = "git+https://git.chn.moe/chn/blog-public.git"; flake = false; };
     nixos-wallpaper = { url = "git+https://git.chn.moe/chn/nixos-wallpaper.git"; flake = false; };
     spectroscopy = { url = "github:skelton-group/Phonopy-Spectroscopy"; flake = false; };
-    vaspberry = { url = "github:Infant83/VASPBERRY"; flake = false; };
-    ufo = { url = "git+https://git.chn.moe/chn/ufo.git"; flake = false; };
-    highfive = { url = "git+https://github.com/CHN-beta/HighFive?submodules=1"; flake = false; };
-    stickerpicker = { url = "github:maunium/stickerpicker"; flake = false; };
-    fancy-motd = { url = "github:CHN-beta/fancy-motd"; flake = false; };
-    octodns-cloudflare = { url = "github:octodns/octodns-cloudflare"; flake = false; };
   };
 
   outputs = inputs: let localLib = import ./flake/lib.nix inputs.nixpkgs.lib; in

flake/dev.nix

@@ -5,28 +5,24 @@
     inputsFrom = [ pkgs.localPackages.biu ];
     packages = [ pkgs.clang-tools_18 ];
     CMAKE_EXPORT_COMPILE_COMMANDS = "1";
-    hardeningDisable = [ "all" ];
   };
-  hpcstat = pkgs.mkShell.override { stdenv = pkgs.gcc14Stdenv; }
+  hpcstat = pkgs.mkShell.override { stdenv = pkgs.clang18Stdenv; }
   {
     inputsFrom = [ (pkgs.localPackages.hpcstat.override { version = null; }) ];
     packages = [ pkgs.clang-tools_18 ];
     CMAKE_EXPORT_COMPILE_COMMANDS = "1";
-    hardeningDisable = [ "all" ];
   };
   sbatch-tui = pkgs.mkShell.override { stdenv = pkgs.clang18Stdenv; }
   {
     inputsFrom = [ pkgs.localPackages.sbatch-tui ];
     packages = [ pkgs.clang-tools_18 ];
     CMAKE_EXPORT_COMPILE_COMMANDS = "1";
-    hardeningDisable = [ "all" ];
   };
   ufo = pkgs.mkShell.override { stdenv = pkgs.clang18Stdenv; }
   {
     inputsFrom = [ pkgs.localPackages.ufo ];
     packages = [ pkgs.clang-tools_18 ];
     CMAKE_EXPORT_COMPILE_COMMANDS = "1";
-    hardeningDisable = [ "all" ];
   };
   chn-bsub = pkgs.mkShell
   {

flake/nixos.nix

@@ -1,8 +1,5 @@
 { inputs, localLib }:
-let
-  machine = [ "nas" "pc" "pi3b" "vps6" "vps7" "one" ];
-  cluster = { srv1 = 4; srv2 = 2; };
-in builtins.listToAttrs
+builtins.listToAttrs
 (
   (builtins.map
     (system:
@@ -14,39 +11,41 @@ in builtins.listToAttrs
         specialArgs = { topInputs = inputs; inherit localLib; };
         modules = localLib.mkModules
         [
-          { config = { nixpkgs.overlays = [ inputs.self.overlays.default ]; nixos.model.hostname = system; }; }
+          {
+            config =
+            {
+              nixpkgs.overlays = [ inputs.self.overlays.default ];
+              nixos.model.hostname = system;
+            };
+          }
           ../modules
           ../devices/${system}
         ];
       };
     })
-    machine)
-  ++ (builtins.concatLists (builtins.map
-    (cluster:
-      let nodes = builtins.genList (n: "node${builtins.toString n}") cluster.value;
-      in builtins.map
-        (node:
-        {
-          name = "${cluster.name}-${node}";
-          value = inputs.nixpkgs.lib.nixosSystem
+    [ "nas" "pc" "pi3b" "surface" "vps4" "vps6" "vps7" "xmupc1" "xmupc2" ])
+  ++ (builtins.map
+    (node:
+    {
+      name = "srv1-${node}";
+      value = inputs.nixpkgs.lib.nixosSystem
+      {
+        system = "x86_64-linux";
+        specialArgs = { topInputs = inputs; inherit localLib; };
+        modules = localLib.mkModules
+        [
           {
-            system = "x86_64-linux";
-            specialArgs = { topInputs = inputs; inherit localLib; };
-            modules = localLib.mkModules
-            [
-              {
-                config =
-                {
-                  nixpkgs.overlays = [ inputs.self.overlays.default ];
-                  nixos.model.cluster = { clusterName = cluster.name; nodeName = node; };
-                };
-              }
-              ../modules
-              ../devices/${cluster.name}
-              ../devices/${cluster.name}/${node}
-            ];
-          };
-        })
-        nodes)
-    (localLib.attrsToList cluster)))
+            config =
+            {
+              nixpkgs.overlays = [ inputs.self.overlays.default ];
+              nixos.model.cluster = { clusterName = "srv1"; nodeName = node; };
+            };
+          }
+          ../modules
+          ../devices/srv1
+          ../devices/srv1/${node}
+        ];
+      };
+    })
+    [ "node0" "node1" "node2" "node3" ])
 )

flake/packages.nix

@@ -11,11 +11,9 @@
       openssh = (pkgs.pkgsStatic.openssh.override { withLdns = false; etcDir = null; }).overrideAttrs
         (prev: { doCheck = false; patches = prev.patches ++ [ ../packages/hpcstat/openssh.patch ];});
       duc = pkgs.pkgsStatic.duc.override { enableCairo = false; cairo = null; pango = null; };
-      glaze = pkgs.pkgsStatic.glaze.overrideAttrs
-        (prev: { cmakeFlags = prev.cmakeFlags ++ [ "-Dglaze_ENABLE_FUZZING=OFF" ]; });
       # pkgsStatic.clangStdenv have a bug
       # https://github.com/NixOS/nixpkgs/issues/177129
-      biu = pkgs.pkgsStatic.localPackages.biu.override { stdenv = pkgs.pkgsStatic.gcc14Stdenv; inherit glaze; };
+      biu = pkgs.pkgsStatic.localPackages.biu.override { stdenv = pkgs.pkgsStatic.gcc14Stdenv; };
     in pkgs.pkgsStatic.localPackages.hpcstat.override
     {
       inherit openssh duc biu;
@@ -25,11 +23,6 @@
     };
   chn-bsub = pkgs.pkgsStatic.localPackages.chn-bsub;
   blog = pkgs.callPackage inputs.blog { inherit (inputs) hextra; };
-  vaspberry = pkgs.pkgsStatic.localPackages.vaspberry.override
-  {
-    gfortran = pkgs.pkgsStatic.gfortran;
-    lapack = pkgs.pkgsStatic.openblas;
-  };
 }
 // (builtins.listToAttrs (builtins.map
   (system: { inherit (system) name; value = system.value.config.system.build.toplevel; })

flake/src.nix

@@ -1,39 +1,4 @@
 { inputs }: let inherit (inputs.self.packages.x86_64-linux) pkgs; in
 {
-  git-lfs-transfer = "sha256-qHQeBI2b8EmUinowixqEuR6iGwNYQy3pSc8iPVfJemE=";
-  nvhpc =
-  {
-    src = pkgs.fetchurl
-    {
-      url = "https://developer.download.nvidia.com/hpc-sdk/24.11/nvhpc_2024_2411_Linux_x86_64_cuda_12.6.tar.gz";
-      sha256 = "080rb89p2z98b75wqssvp3s8x6b5n0556d0zskh3cfapcb08lh1r";
-    };
-    version = "24.11";
-    cudaVersion = "12.6";
-  };
-  iso = pkgs.fetchurl
-  {
-    url = "https://releases.nixos.org/nixos/24.11/nixos-24.11beta709057.0c582677378f"
-      + "/nixos-plasma6-24.11beta709057.0c582677378f-x86_64-linux.iso";
-    sha256 = "000wmfn6k5awqwsx9qldhdgahv4k09w4yzmvf0djs51qjdpha082";
-  };
-  nglview = pkgs.fetchPypi
-  {
-    pname = "nglview";
-    version = "3.1.2";
-    hash = "sha256-f2cu+itsoNs03paOW1dmsUsbPa3iEtL4oIPGAKETRc4=";
-  };
-  vtst =
-  {
-    patch = pkgs.fetchzip
-    {
-      url = "http://theory.cm.utexas.edu/code/vtstcode-204.tgz";
-      sha256 = "00qpqiabl568fwqjnmwqwr0jwg7s56xd9lv9lw8q4qxqy19cpg62";
-    };
-    script = pkgs.fetchzip
-    {
-      url = "http://theory.cm.utexas.edu/code/vtstscripts.tgz";
-      sha256 = "18gsw2850ig1mg4spp39i0ygfcwx0lqnamysn5whiax22m8d5z67";
-    };
-  };
+  git-lfs-transfer = "sha256-1cGlhLdnU6yTqzcB3J1cq3gawncbtdgkb3LFh2ZmXbM=";
 }

modules/default.nix

@@ -24,6 +24,7 @@ inputs:
           [
             topInputs.qchem.overlays.default
             topInputs.bscpkgs.overlays.default
+            topInputs.poetry2nix.overlays.default
             topInputs.aagl.overlays.default
             (final: prev:
             {

modules/hardware/gpu.nix

@@ -22,7 +22,6 @@ inputs:
         busId = mkOption { type = types.attrsOf types.nonEmptyStr; default = {}; };
       };
       driver = mkOption { type = types.enum [ "production" "latest" "beta" ]; default = "production"; };
-      open = mkOption { type = types.bool; default = true; };
     };
   };
   config = let inherit (inputs.config.nixos.hardware) gpu; in inputs.lib.mkIf (gpu.type != null) (inputs.lib.mkMerge
@@ -48,8 +47,8 @@ inputs:
               let packages = with inputs.pkgs;
               {
                 # TODO: import from nixos-hardware instead
-                # enableHybridCodec is only needed for some old intel gpus (Atom, Nxxx, etc)
-                intel = [ intel-vaapi-driver libvdpau-va-gl intel-media-driver ];
+                intel =
+                  [ (intel-vaapi-driver.override { enableHybridCodec = true; }) libvdpau-va-gl intel-media-driver ];
                 nvidia = [ vaapiVdpau ];
                 amd = [];
               };
@@ -62,11 +61,15 @@ inputs:
             dynamicBoost.enable = inputs.lib.mkIf gpu.nvidia.dynamicBoost true;
             nvidiaSettings = true;
             package = inputs.config.boot.kernelPackages.nvidiaPackages.${gpu.nvidia.driver};
-            inherit (gpu.nvidia) open;
+            open = true; # TODO: remove when 560 is stable
             prime.allowExternalGpu = true;
           };
         };
         boot.blacklistedKernelModules = [ "nouveau" ];
+        environment.variables =
+          if builtins.elem "nvidia" gpus then { VDPAU_DRIVER = "nvidia"; }
+          else if builtins.elem "intel" gpus then { VDPAU_DRIVER = "va_gl"; }
+          else {};
         services.xserver.videoDrivers =
           let driver = { intel = "modesetting"; amd = "amdgpu"; nvidia = "nvidia"; };
           in builtins.map (gpu: driver.${gpu}) gpus;

modules/model.nix

@@ -4,7 +4,8 @@ inputs:
   {
     hostname = mkOption { type = types.nonEmptyStr; };
     type = mkOption { type = types.enum [ "minimal" "desktop" "server" ]; default = "minimal"; };
-    private = mkOption { type = types.bool; default = false; };
+    # not implemented yet
+    # private = mkOption { type = types.bool; };
     cluster = mkOption
     {
       type = types.nullOr (types.submodule { options =
@@ -21,5 +22,12 @@ inputs:
     { networking.hostName = model.hostname; }
     (inputs.lib.mkIf (model.cluster != null)
       { nixos.model.hostname = "${model.cluster.clusterName}-${model.cluster.nodeName}"; })
+    # TODO: remove it
+    {
+      systemd.services = inputs.lib.mkIf (model.cluster.nodeType or null == "worker") (builtins.listToAttrs
+        (builtins.map
+          (user: { name = "home-manager-${inputs.utils.escapeSystemdPath user}"; value.enable = false; })
+          inputs.config.nixos.user.users));
+    }
   ];
 }

modules/packages/android-studio.nix

@@ -1,12 +0,0 @@
-inputs:
-{
-  options.nixos.packages.android-studio = let inherit (inputs.lib) mkOption types; in mkOption
-  {
-    type = types.nullOr (types.submodule {});
-    default = null;
-  };
-  config = let inherit (inputs.config.nixos.packages) android-studio; in inputs.lib.mkIf (android-studio != null)
-  {
-    nixos.packages.packages._packages = with inputs.pkgs; [ androidStudioPackages.stable.full ];
-  };
-}

modules/packages/default.nix

@@ -3,23 +3,30 @@ inputs:
   imports = inputs.localLib.findModules ./.;
   options.nixos.packages.packages = let inherit (inputs.lib) mkOption types; in
   {
+    extraPackages = mkOption { type = types.listOf types.unspecified; default = []; };
+    excludePackages = mkOption { type = types.listOf types.unspecified; default = []; };
+    extraPythonPackages = mkOption { type = types.listOf types.unspecified; default = []; };
+    excludePythonPackages = mkOption { type = types.listOf types.unspecified; default = []; };
+    extraPrebuildPackages = mkOption { type = types.listOf types.unspecified; default = []; };
+    excludePrebuildPackages = mkOption { type = types.listOf types.unspecified; default = []; };
     _packages = mkOption { type = types.listOf types.unspecified; default = []; };
     _pythonPackages = mkOption { type = types.listOf types.unspecified; default = []; };
     _prebuildPackages = mkOption { type = types.listOf types.unspecified; default = []; };
-    _pythonEnvFlags = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
-    _vscodeEnvFlags = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
   };
   config =
   {
     environment.systemPackages = with inputs.config.nixos.packages.packages;
-      _packages
+      (inputs.lib.lists.subtractLists excludePackages (_packages ++ extraPackages))
       ++ [
-        (
-          (inputs.pkgs.python3.withPackages (pythonPackages:
-            builtins.concatLists (builtins.map (packageFunction: packageFunction pythonPackages) _pythonPackages)))
-          .override (prev: { makeWrapperArgs = prev.makeWrapperArgs or [] ++ _pythonEnvFlags; }))
+        (inputs.pkgs.python3.withPackages (pythonPackages:
+          inputs.lib.lists.subtractLists
+            (builtins.concatLists (builtins.map (packageFunction: packageFunction pythonPackages)
+              excludePythonPackages))
+            (builtins.concatLists (builtins.map (packageFunction: packageFunction pythonPackages)
+              (_pythonPackages ++ extraPythonPackages)))))
         (inputs.pkgs.writeTextDir "share/prebuild-packages"
-          (builtins.concatStringsSep "\n" (builtins.map builtins.toString _prebuildPackages)))
+          (builtins.concatStringsSep "\n" (builtins.map builtins.toString
+            (inputs.lib.lists.subtractLists excludePrebuildPackages (_prebuildPackages ++ extraPrebuildPackages)))))
       ];
   };
 }

modules/packages/desktop/default.nix

@@ -16,7 +16,7 @@ inputs:
           # system management
           # TODO: module should add yubikey-touch-detector into path
           gparted wayland-utils clinfo glxinfo vulkan-tools dracut yubikey-touch-detector btrfs-assistant snapper-gui
-          kdePackages.qtstyleplugin-kvantum ventoy-full cpu-x wl-mirror geekbench xpra
+          kdePackages.qtstyleplugin-kvantum ventoy-full cpu-x wl-mirror
           (
             writeShellScriptBin "xclip"
             ''
@@ -43,7 +43,7 @@ inputs:
           warp-terminal
           # development
           adb-sync scrcpy dbeaver-bin cling aircrack-ng
-          weston cage openbox krita jetbrains.clion fprettify
+          weston cage openbox krita jetbrains.clion androidStudioPackages.stable.full fprettify
           # desktop sharing
           rustdesk-flutter
           # password and key management
@@ -52,7 +52,7 @@ inputs:
           # download
           qbittorrent nur-xddxdd.baidupcs-go wgetpaste onedrive onedrivegui rclone
           # editor
-          typora appflowy notion-app-enhanced joplin-desktop standardnotes logseq
+          typora # appflowy notion-app-enhanced joplin-desktop standardnotes logseq
           # news
           fluent-reader rssguard newsflash newsboat
           # nix tools
@@ -65,14 +65,15 @@ inputs:
           google-chrome tor-browser microsoft-edge
           # office
           crow-translate zotero pandoc libreoffice-qt texliveFull poppler_utils pdftk pdfchain davinci-resolve
-          ydict texstudio panoply pspp
+          # TODO: enable in next release
+          # hdfview
+          ydict texstudio
           # matplot++ needs old gnuplot
           inputs.pkgs."pkgs-23.11".gnuplot
           # math, physics and chemistry
-          octaveFull ovito localPackages.vesta localPackages.v-sim jmol mpi geogebra6 localPackages.ufo
-          (quantum-espresso.override { stdenv = gcc14Stdenv; gfortran = gfortran14;
-            wannier90 = inputs.pkgs.wannier90.overrideAttrs { buildFlags = [ "dynlib" ]; }; })
-          inputs.pkgs."pkgs-23.11".hdfview
+          octaveFull root ovito localPackages.vesta localPackages.v-sim
+          (mathematica.overrideAttrs (prev: { postInstall = (prev.postInstall or "") + "ln -s ${prev.src} $out/src"; }))
+          (quantum-espresso.override { stdenv = gcc14Stdenv; gfortran = gfortran14; }) jmol mpi localPackages.ufo
           # virtualization
           virt-viewer bottles wineWowPackages.stagingFull genymotion playonlinux
           # media

modules/packages/mathematica.nix

@@ -1,13 +0,0 @@
-inputs:
-{
-  options.nixos.packages.mathematica = let inherit (inputs.lib) mkOption types; in mkOption
-  {
-    type = types.nullOr (types.submodule {});
-    default = null;
-  };
-  config = let inherit (inputs.config.nixos.packages) mathematica; in inputs.lib.mkIf (mathematica != null)
-  {
-    nixos.packages.packages._packages = [ (inputs.pkgs.mathematica.overrideAttrs
-      (prev: { postInstall = (prev.postInstall or "") + "ln -s ${prev.src} $out/src"; })) ];
-  };
-}

modules/packages/root/17253.patch

@@ -1,151 +0,0 @@
-From 1d2acc921853825af02059183b683c35f5075302 Mon Sep 17 00:00:00 2001
-From: chn <chn@chn.moe>
-Date: Wed, 11 Dec 2024 22:33:40 +0800
-Subject: [PATCH] add C++23 support
-
----
- graf3d/eve7/inc/ROOT/REveCaloData.hxx             |  4 ++--
- graf3d/eve7/src/REveCaloData.cxx                  |  3 +++
- interpreter/cling/lib/Interpreter/CIFactory.cpp   | 15 +++++++++++----
- .../Interpreter/IncrementalCUDADeviceCompiler.cpp |  2 ++
- .../cling/tools/Jupyter/kernel/clingkernel.py     |  4 ++--
- .../inc/RooStats/HistFactory/HistRef.h            |  3 +--
- .../inc/RooFit/Detail/NormalizationHelpers.h      |  3 +--
- 7 files changed, 22 insertions(+), 12 deletions(-)
-
-diff --git a/graf3d/eve7/inc/ROOT/REveCaloData.hxx b/graf3d/eve7/inc/ROOT/REveCaloData.hxx
-index 79d2e7069504c..33152334730f4 100644
---- a/graf3d/eve7/inc/ROOT/REveCaloData.hxx
-+++ b/graf3d/eve7/inc/ROOT/REveCaloData.hxx
-@@ -174,7 +174,7 @@ protected:
- 
- public:
-    REveCaloData(const char* n="REveCaloData", const char* t="");
--   ~REveCaloData() override {}
-+   ~REveCaloData() override;
- 
-    void    FillImpliedSelectedSet(Set_t& impSelSet, const std::set<int>& sec_idcs) override;
- 
-@@ -220,7 +220,7 @@ public:
-    Bool_t   GetWrapTwoPi() const { return fWrapTwoPi; }
-    void     SetWrapTwoPi(Bool_t w) { fWrapTwoPi=w; }
- 
--   void     SetSelector(REveCaloDataSelector* iSelector) { fSelector.reset(iSelector); }
-+   void     SetSelector(REveCaloDataSelector* iSelector);
-    REveCaloDataSelector* GetSelector() { return fSelector.get(); }
- 
-    Int_t WriteCoreJson(nlohmann::json &j, Int_t rnr_offset) override;
-diff --git a/graf3d/eve7/src/REveCaloData.cxx b/graf3d/eve7/src/REveCaloData.cxx
-index a5248f3c51d39..dc19d7d1be4a4 100644
---- a/graf3d/eve7/src/REveCaloData.cxx
-+++ b/graf3d/eve7/src/REveCaloData.cxx
-@@ -129,6 +129,9 @@ REveCaloData::REveCaloData(const char* n, const char* t):
-    // Constructor.
- }
- 
-+REveCaloData::~REveCaloData() {}
-+void REveCaloData::SetSelector(REveCaloDataSelector* iSelector) { fSelector.reset(iSelector); }
-+
- ////////////////////////////////////////////////////////////////////////////////
- /// Process newly selected cells with given select-record.
- 
-diff --git a/interpreter/cling/lib/Interpreter/CIFactory.cpp b/interpreter/cling/lib/Interpreter/CIFactory.cpp
-index 385c03682575d..d33ce3a0039c5 100644
---- a/interpreter/cling/lib/Interpreter/CIFactory.cpp
-+++ b/interpreter/cling/lib/Interpreter/CIFactory.cpp
-@@ -61,14 +61,18 @@ using namespace cling;
- 
- namespace {
-   static constexpr unsigned CxxStdCompiledWith() {
-+    // The value of __cplusplus in GCC < 14 is 202100L when -std=c++2b or
-+    // -std=c++23 is specified, thus we relax the check to 202100L.
-+#if __cplusplus >= 202100L
-+    return 23;
-+#elif __cplusplus >  201703L
-+    return 20;
-+#elif __cplusplus > 201402L
-+    return 17;
-     // The value of __cplusplus in GCC < 5.0 (e.g. 4.9.3) when
-     // either -std=c++1y or -std=c++14 is specified is 201300L, which fails
-     // the test for C++14 or more (201402L) as previously specified.
-     // I would claim that the check should be relaxed to:
--#if __cplusplus >  201703L
--    return 20;
--#elif __cplusplus > 201402L
--    return 17;
- #elif __cplusplus > 201103L || (defined(_WIN32) && _MSC_VER >= 1900)
-     return 14;
- #elif __cplusplus >= 201103L
-@@ -941,6 +945,8 @@ namespace {
-     // Sanity check that clang delivered the language standard requested
-     if (CompilerOpts.DefaultLanguage(&LangOpts)) {
-       switch (CxxStdCompiledWith()) {
-+        case 23: assert(LangOpts.CPlusPlus23 && "Language version mismatch");
-+          LLVM_FALLTHROUGH;
-         case 20: assert(LangOpts.CPlusPlus20 && "Language version mismatch");
-           LLVM_FALLTHROUGH;
-         case 17: assert(LangOpts.CPlusPlus17 && "Language version mismatch");
-@@ -1343,6 +1349,7 @@ namespace {
-       // and by enforcing the std version now cling is telling clang what to
-       // do, rather than after clang has dedcuded a default.
-       switch (CxxStdCompiledWith()) {
-+        case 23: argvCompile.emplace_back("-std=c++23"); break;
-         case 20: argvCompile.emplace_back("-std=c++20"); break;
-         case 17: argvCompile.emplace_back("-std=c++17"); break;
-         case 14: argvCompile.emplace_back("-std=c++14"); break;
-diff --git a/interpreter/cling/lib/Interpreter/IncrementalCUDADeviceCompiler.cpp b/interpreter/cling/lib/Interpreter/IncrementalCUDADeviceCompiler.cpp
-index ac6bd0e89444e..a492add8a01fc 100644
---- a/interpreter/cling/lib/Interpreter/IncrementalCUDADeviceCompiler.cpp
-+++ b/interpreter/cling/lib/Interpreter/IncrementalCUDADeviceCompiler.cpp
-@@ -117,6 +117,8 @@ namespace cling {
-       cppStdVersion = "-std=c++1z";
-     if (langOpts.CPlusPlus20)
-       cppStdVersion = "-std=c++20";
-+    if (langOpts.CPlusPlus23)
-+      cppStdVersion = "-std=c++23";
- 
-     if (cppStdVersion.empty())
-       llvm::errs()
-diff --git a/interpreter/cling/tools/Jupyter/kernel/clingkernel.py b/interpreter/cling/tools/Jupyter/kernel/clingkernel.py
-index 17fcbd116ecc6..17b4d24f23d86 100644
---- a/interpreter/cling/tools/Jupyter/kernel/clingkernel.py
-+++ b/interpreter/cling/tools/Jupyter/kernel/clingkernel.py
-@@ -90,8 +90,8 @@ def _banner_default(self):
-     flush_interval = Float(0.25, config=True)
- 
-     std = CaselessStrEnum(default_value='c++11',
--            values = ['c++11', 'c++14', 'c++1z', 'c++17', 'c++20', 'c++2b'],
--            help="C++ standard to use, either c++2b, c++20, c++17, c++1z, c++14 or c++11").tag(config=True);
-+            values = ['c++11', 'c++14', 'c++1z', 'c++17', 'c++20', 'c++2b', 'c++23' ],
-+            help="C++ standard to use, either c++23, c++2b, c++20, c++17, c++1z, c++14 or c++11").tag(config=True);
- 
-     def __init__(self, **kwargs):
-         super(ClingKernel, self).__init__(**kwargs)
-diff --git a/roofit/histfactory/inc/RooStats/HistFactory/HistRef.h b/roofit/histfactory/inc/RooStats/HistFactory/HistRef.h
-index 7db9765004e0d..5b37542e6bdea 100644
---- a/roofit/histfactory/inc/RooStats/HistFactory/HistRef.h
-+++ b/roofit/histfactory/inc/RooStats/HistFactory/HistRef.h
-@@ -12,8 +12,7 @@
- #define HISTFACTORY_HISTREF_H
- 
- #include <memory>
--
--class TH1;
-+#include <TH1.h>
- 
- namespace RooStats{
- namespace HistFactory {
-diff --git a/roofit/roofitcore/inc/RooFit/Detail/NormalizationHelpers.h b/roofit/roofitcore/inc/RooFit/Detail/NormalizationHelpers.h
-index c66954d0f0549..a849d7c2c8b4b 100644
---- a/roofit/roofitcore/inc/RooFit/Detail/NormalizationHelpers.h
-+++ b/roofit/roofitcore/inc/RooFit/Detail/NormalizationHelpers.h
-@@ -70,8 +70,7 @@ template <class T>
- std::unique_ptr<T> compileForNormSet(T const &arg, RooArgSet const &normSet)
- {
-    RooFit::Detail::CompileContext ctx{normSet};
--   std::unique_ptr<RooAbsArg> head = arg.compileForNormSet(normSet, ctx);
--   return std::unique_ptr<T>{static_cast<T *>(head.release())};
-+   return std::unique_ptr<T>{static_cast<T *>(arg.compileForNormSet(normSet, ctx).release())};
- }
- 
- } // namespace Detail

modules/packages/root/17273.patch

@@ -1,22 +0,0 @@
-From ab80270dd50f4ae08e452daa3fd0eccc7f9f96ee Mon Sep 17 00:00:00 2001
-From: Danilo Piparo <danilo.piparo@cern.ch>
-Date: Sat, 14 Dec 2024 07:45:22 +0100
-Subject: [PATCH 1/2] [CMake] Allow to process cxx23 option
-
----
- cmake/modules/CheckCompiler.cmake | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/cmake/modules/CheckCompiler.cmake b/cmake/modules/CheckCompiler.cmake
-index 883bf0e2daed1..c2ac5df869797 100644
---- a/cmake/modules/CheckCompiler.cmake
-+++ b/cmake/modules/CheckCompiler.cmake
-@@ -161,7 +161,7 @@ set(CMAKE_CXX_STANDARD ${CXX_STANDARD_STRING} CACHE STRING "")
- set(CMAKE_CXX_STANDARD_REQUIRED TRUE)
- set(CMAKE_CXX_EXTENSIONS FALSE CACHE BOOL "")
- 
--if(NOT CMAKE_CXX_STANDARD MATCHES "17|20")
-+if(NOT CMAKE_CXX_STANDARD MATCHES "17|20|23")
-   message(FATAL_ERROR "Unsupported C++ standard: ${CMAKE_CXX_STANDARD}. Supported standards are: 17, 20.")
- endif()
- 

modules/packages/root/default.nix

@@ -1,31 +0,0 @@
-inputs:
-{
-  options.nixos.packages.root = let inherit (inputs.lib) mkOption types; in mkOption
-    { type = types.nullOr (types.submodule {}); default = {}; };
-  config = let inherit (inputs.config.nixos.packages) root; in inputs.lib.mkIf (root != null)
-  {
-    nixos.packages.packages =
-      let
-        root = inputs.pkgs.root.overrideAttrs (prev:
-        {
-          patches = prev.patches or [] ++ [ ./17253.patch ./17273.patch ];
-          cmakeFlags = prev.cmakeFlags ++ [ "-DCMAKE_CXX_STANDARD=23" ];
-        });
-        jupyterPath = inputs.pkgs.jupyter-kernel.create { definitions.root = rec
-        {
-          displayName = "ROOT";
-          language = "c++";
-          argv = [ "/run/current-system/sw/bin/python3" "-m" "JupyROOT.kernel.rootkernel" "-f" "{connection_file}" ];
-          logo64 = "${root}/etc/root/notebook/kernels/root/logo-64x64.png";
-          logo32 = inputs.pkgs.runCommand "logo-32x32.png" {}
-            "${inputs.pkgs.imagemagick}/bin/convert ${logo64} -resize 32x32 $out";
-        };};
-      in
-      {
-        _packages = [ root ];
-        _pythonPackages = [(pythonPackages: with pythonPackages; [ metakernel notebook ])];
-        _pythonEnvFlags = [ "--prefix JUPYTER_PATH : ${jupyterPath}" "--suffix NIX_PYTHONPATH : ${root}/lib" ];
-        _vscodeEnvFlags = [ "--prefix JUPYTER_PATH : ${jupyterPath}" ];
-      };
-  };
-}

modules/packages/server.nix

@@ -9,10 +9,10 @@ inputs:
       _packages = with inputs.pkgs;
       [
         # basic tools
-        beep dos2unix gnugrep pv tmux screen parallel tldr cowsay jq yq zellij ipfetch localPackages.pslist
-        fastfetch reptyr duc ncdu progress libva-utils ksh neofetch dateutils
+        beep dos2unix gnugrep pv tmux screen parallel tldr cowsay jq zellij ipfetch localPackages.pslist
+        fastfetch reptyr duc ncdu progress libva-utils ksh neofetch
         # lsxx
-        pciutils usbutils lshw util-linux lsof dmidecode lm_sensors hwloc acpica-tools
+        pciutils usbutils lshw util-linux lsof dmidecode lm_sensors hwloc
         # top
         iotop iftop htop btop powertop s-tui
         # editor
@@ -35,9 +35,8 @@ inputs:
         nix-output-monitor nix-tree ssh-to-age nix-inspect
         # development
         gdb try inputs.topInputs.plasma-manager.packages.${inputs.pkgs.system}.rc2nix rr hexo-cli gh nix-init hugo
-        (octodns.withProviders (_: [ localPackages.octodns-cloudflare ]))
         # stupid things
-        toilet lolcat localPackages.stickerpicker graph-easy
+        toilet lolcat
         # office
         pdfgrep ffmpeg-full # todo-txt-cli 
       ]

modules/packages/ssh.nix

@@ -7,6 +7,16 @@ inputs:
     services.openssh.knownHosts =
       let servers =
       {
+        vps4 =
+        {
+          ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIF7Y0tjt1XLPjqJ8HEB26W9jVfJafRQ3pv5AbPaxEc/Z";
+          hostnames = [ "vps4.chn.moe" "104.234.37.61" ];
+        };
+        "initrd.vps4" =
+        {
+          ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIJkOPTFvX9f+Fn/KHOIvUgoRiJfq02T42lVGQhpMUGJq";
+          hostnames = [ "initrd.vps4.chn.moe" "104.234.37.61" ];
+        };
         vps6 =
         {
           ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIO5ZcvyRyOnUCuRtqrM/Qf+AdUe3a5bhbnfyhw2FSLDZ";
@@ -37,15 +47,15 @@ inputs:
           ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIAoMu0HEaFQsnlJL0L6isnkNZdRq0OiDXyaX3+fl3NjT";
           hostnames = [ "initrd.nas.chn.moe" "192.168.1.2" ];
         };
-        one =
+        surface =
         {
-          ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIC5i2Z/vK0D5DBRg3WBzS2ejM0U+w3ZPDJRJySdPcJ5d";
-          hostnames = [ "wireguard.one.chn.moe" "192.168.1.4" "192.168.83.5" ];
+          ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIFdm3DcfHdcLP0oSpVrWwIZ/b9lZuakBSPwCFz2BdTJ7";
+          hostnames = [ "192.168.1.4" "wireguard.surface.chn.moe" "192.168.83.5" ];
         };
         pc =
         {
           ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIMSfREi19OSwQnhdsE8wiNwGSFFJwNGN0M5gN+sdrrLJ";
-          hostnames = [ "wireguard.pc.chn.moe" "[office.chn.moe]:3673" "192.168.1.3" "192.168.83.3" ];
+          hostnames = [ "wireguard.pc.chn.moe" "[office.chn.moe]:3673" "192.168.1.105" "192.168.83.3" ];
         };
         hpc =
         {
@@ -57,20 +67,20 @@ inputs:
           ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
           hostnames = [ "github.com" ];
         };
-        srv2-node0 =
-        {
-          ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIJZ/+divGnDr0x+UlknA84Tfu6TPD+zBGmxWZY4Z38P6";
-          hostnames = [ "srv2.chn.moe" "wireguard.srv2.chn.moe" ];
-        };
-        srv2-node1 =
+        xmupc1 =
         {
           ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAINTvfywkKRwMrVp73HfHTfjhac2Tn9qX/lRjLr09ycHp";
-          hostnames = [ "192.168.178.2" ];
+          hostnames = [ "[office.chn.moe]:6007" "[xmupc1.chn.moe]:6007" "wireguard.xmupc1.chn.moe" "192.168.83.6" ];
+        };
+        xmupc2 =
+        {
+          ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIJZ/+divGnDr0x+UlknA84Tfu6TPD+zBGmxWZY4Z38P6";
+          hostnames = [ "[xmupc2.chn.moe]:6394" "wireguard.xmupc2.chn.moe" "192.168.83.7" ];
         };
         srv1-node0 =
         {
           ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIDm6M1D7dBVhjjZtXYuzMj2P1fXNWN3O9wmwNssxEeDs";
-          hostnames = [ "srv1.chn.moe" "wireguard.srv1.chn.moe" ];
+          hostnames = [ "srv1.chn.moe" "node0.srv1.chn.moe" "wireguard.node0.srv1.chn.moe" ];
         };
         srv1-node1 =
         {
@@ -121,10 +131,10 @@ inputs:
         (
           (builtins.map
             (host: { name = host; value = { inherit host; hostname = "${host}.chn.moe"; }; })
-            [ "vps6" "wireguard.vps6" "vps7" "wireguard.vps7" "wireguard.nas" "wireguard.one" ])
+            [ "vps4" "vps6" "wireguard.vps6" "vps7" "wireguard.vps7" "wireguard.nas" ])
           ++ (builtins.map
             (host: { name = host; value = { inherit host; hostname = "${host}.chn.moe"; forwardX11 = true; }; })
-            [ "wireguard.pc" "srv1" "wireguard.srv1" "srv2" "wireguard.srv2" ])
+            [ "wireguard.pc" "wireguard.surface" "wireguard.xmupc1" "wireguard.xmupc2" "srv1" "wireguard.srv1" ])
           ++ (builtins.map
             (host:
             {
@@ -140,9 +150,11 @@ inputs:
             [ "wlin" "hwang" ])
         )
         // rec {
+          xmupc1 = { host = "xmupc1"; hostname = "xmupc1.chn.moe"; port = 6007; forwardX11 = true; };
+          xmupc2 = { host = "xmupc2"; hostname = "xmupc2.chn.moe"; port = 6394; forwardX11 = true; };
           nas = { host = "nas"; hostname = "192.168.1.2"; forwardX11 = true; };
           pc = { host = "pc"; hostname = "192.168.1.3"; forwardX11 = true; };
-          one = { host = "one"; hostname = "192.168.1.4"; forwardX11 = true; };
+          surface = { host = "surface"; hostname = "192.168.1.4"; forwardX11 = true; };
           gitea = { host = "gitea"; hostname = "ssh.git.chn.moe"; };
           jykang =
           {
@@ -152,13 +164,10 @@ inputs:
             forwardAgent = true;
             extraOptions.AddKeysToAgent = "yes";
           };
-          "wireguard.jykang" = jykang // { host = "wireguard.jykang"; proxyJump = "wireguard.srv2"; };
-          srv1-node0 = { host = "srv1-node0"; hostname = "srv1.chn.moe"; };
+          "wireguard.jykang" = jykang // { host = "wireguard.jykang"; proxyJump = "wireguard.xmupc1"; };
           srv1-node1 = { host = "srv1-node1"; hostname = "192.168.178.2"; proxyJump = "srv1"; };
           srv1-node2 = { host = "srv1-node2"; hostname = "192.168.178.3"; proxyJump = "srv1"; };
           srv1-node3 = { host = "srv1-node3"; hostname = "192.168.178.4"; proxyJump = "srv1"; };
-          srv2-node0 = { host = "srv2-node0"; hostname = "srv2.chn.moe"; };
-          srv2-node1 = { host = "srv2-node1"; hostname = "192.168.178.2"; proxyJump = "srv2"; };
         };
       };
     })];

modules/packages/vasp.nix

@@ -8,16 +8,12 @@ inputs:
   # TODO: add more options to correctly configure VASP
   config = let inherit (inputs.config.nixos.packages) vasp; in inputs.lib.mkIf (vasp != null)
   {
-    nixos.packages.packages = with inputs.pkgs;
-    {
-      _packages =
-      (
-        [ localPackages.vasp.intel localPackages.vasp.vtst localPackages.vaspkit wannier90 ]
-          ++ (inputs.lib.optional
-            (let inherit (inputs.config.nixos.system.nixpkgs) cuda; in cuda.enable && cuda.capabilities != null)
-            localPackages.vasp.nvidia)
-      );
-      _pythonPackages = [(_: [ localPackages.py4vasp ])];
-    };
+    nixos.packages.packages._packages = with inputs.pkgs;
+    (
+      [ localPackages.vasp.intel localPackages.vasp.vtstscripts localPackages.py4vasp localPackages.vaspkit wannier90 ]
+        ++ (inputs.lib.optional
+          (let inherit (inputs.config.nixos.system.nixpkgs) cuda; in cuda.enable && cuda.capabilities != null)
+          localPackages.vasp.nvidia)
+    );
   };
 }

modules/packages/vscode.nix

@@ -18,20 +18,17 @@ inputs:
               (set:
               {
                 name = set;
-                value = vscode-extensions.${set} or {}
-                  // nix-vscode-extensions.vscode-marketplace.${set}
-                  // nix-vscode-extensions.vscode-marketplace-release.${set} or {};
+                value = nix-vscode-extensions.vscode-marketplace.${set} // vscode-extensions.${set} or {};
               })
               (inputs.lib.unique
               (
-                (builtins.attrNames vscode-extensions)
-                  ++ (builtins.attrNames nix-vscode-extensions.vscode-marketplace)
-                  ++ (builtins.attrNames nix-vscode-extensions.vscode-marketplace-release)
+                (builtins.attrNames nix-vscode-extensions.vscode-marketplace)
+                ++ (builtins.attrNames vscode-extensions)
               )));
             in with extensions;
               (with github; [ copilot github-vscode-theme ])
               ++ (with intellsmi; [ comment-translate ])
-              ++ (with ms-vscode; [ cmake-tools cpptools-extension-pack hexeditor remote-explorer ])
+              ++ (with ms-vscode; [ cmake-tools cpptools cpptools-extension-pack hexeditor remote-explorer ])
               ++ (with ms-vscode-remote; [ remote-ssh ])
               ++ [
                 donjayamanne.githistory fabiospampinato.vscode-diff
@@ -54,14 +51,7 @@ inputs:
                 ms-python.python
                 # theme
                 pkief.material-icon-theme
-                # direnv
-                mkhl.direnv
-              ]
-              # jupyter
-              # TODO: use last release
-              ++ (with vscode-extensions.ms-toolsai;
-                [ jupyter jupyter-keymap jupyter-renderers vscode-jupyter-cell-tags vscode-jupyter-slideshow ]);
-          extraFlags = builtins.concatStringsSep " " inputs.config.nixos.packages.packages._vscodeEnvFlags;
+              ];
         }
       )];
     };

modules/packages/zsh/default.nix

@@ -4,86 +4,72 @@ inputs:
     { type = types.nullOr (types.submodule {}); default = {}; };
   config = let inherit (inputs.config.nixos.packages) zsh; in inputs.lib.mkIf (zsh != null)
   {
-    nixos.user.sharedModules = [(home-inputs: { config.programs = inputs.lib.mkMerge
-    [
-      # general config
+    nixos.user.sharedModules = [(home-inputs: { config.programs =
+    {
+      zsh =
       {
-        zsh =
-        {
-          enable = true;
-          history =
+        enable = true;
+        initExtraBeforeCompInit =
+        ''
+          # p10k instant prompt
+          P10K_INSTANT_PROMPT="$XDG_CACHE_HOME/p10k-instant-prompt-''${(%):-%n}.zsh"
+          [[ ! -r "$P10K_INSTANT_PROMPT" ]] || source "$P10K_INSTANT_PROMPT"
+          HYPHEN_INSENSITIVE="true"
+          export PATH=~/bin:$PATH
+          function br
           {
-            path = "${home-inputs.config.xdg.dataHome}/zsh/zsh_history";
-            extended = true;
-            save = 100000000;
-            size = 100000000;
-          };
-          syntaxHighlighting.enable = true;
-          autosuggestion.enable = true;
-          enableCompletion = true;
-          oh-my-zsh =
+            local cmd cmd_file code
+            cmd_file=$(mktemp)
+            if broot --outcmd "$cmd_file" "$@"; then
+              cmd=$(<"$cmd_file")
+              command rm -f "$cmd_file"
+              eval "$cmd"
+            else
+              code=$?
+              command rm -f "$cmd_file"
+              return "$code"
+            fi
+          }
+          alias todo="todo.sh"
+        '';
+        plugins =
+        [
           {
-            enable = true;
-            plugins = [ "git" "colored-man-pages" "extract" "history-substring-search" "autojump" ];
-            theme = inputs.lib.mkDefault "clean";
-          };
-          # ensure ~/.zlogin exists
-          loginExtra = " ";
-        };
-        # set bash history file path, avoid overwriting zsh history
-        bash = { enable = true; historyFile =  "${home-inputs.config.xdg.dataHome}/bash/bash_history"; };
-      }
-      # config for root and chn
-      {
-        zsh = inputs.lib.mkIf (builtins.elem home-inputs.config.home.username [ "chn" "root" ])
+            file = "powerlevel10k.zsh-theme";
+            name = "powerlevel10k";
+            src = "${inputs.pkgs.zsh-powerlevel10k}/share/zsh-powerlevel10k";
+          }
+          { file = "p10k.zsh"; name = "powerlevel10k-config"; src = ./p10k-config; }
+          {
+            name = "zsh-lsd";
+            src = inputs.pkgs.fetchFromGitHub
+            {
+              owner = "z-shell";
+              repo = "zsh-lsd";
+              rev = "65bb5ac49190beda263aae552a9369127961632d";
+              hash = "sha256-JSNsfpgiqWhtmGQkC3B0R1Y1QnDKp9n0Zaqzjhwt7Xk=";
+            };
+          }
+        ];
+        history =
         {
-          plugins =
-          [
-            {
-              file = "powerlevel10k.zsh-theme";
-              name = "powerlevel10k";
-              src = "${inputs.pkgs.zsh-powerlevel10k}/share/zsh-powerlevel10k";
-            }
-            { file = "p10k.zsh"; name = "powerlevel10k-config"; src = ./p10k-config; }
-            {
-              name = "zsh-lsd";
-              src = inputs.pkgs.fetchFromGitHub
-              {
-                owner = "z-shell";
-                repo = "zsh-lsd";
-                rev = "65bb5ac49190beda263aae552a9369127961632d";
-                hash = "sha256-JSNsfpgiqWhtmGQkC3B0R1Y1QnDKp9n0Zaqzjhwt7Xk=";
-              };
-            }
-          ];
-          initExtraBeforeCompInit =
-          ''
-            # p10k instant prompt
-            P10K_INSTANT_PROMPT="$XDG_CACHE_HOME/p10k-instant-prompt-''${(%):-%n}.zsh"
-            [[ ! -r "$P10K_INSTANT_PROMPT" ]] || source "$P10K_INSTANT_PROMPT"
-            HYPHEN_INSENSITIVE="true"
-            export PATH=~/bin:$PATH
-            function br
-            {
-              local cmd cmd_file code
-              cmd_file=$(mktemp)
-              if broot --outcmd "$cmd_file" "$@"; then
-                cmd=$(<"$cmd_file")
-                command rm -f "$cmd_file"
-                eval "$cmd"
-              else
-                code=$?
-                command rm -f "$cmd_file"
-                return "$code"
-              fi
-            }
-            alias todo="todo.sh"
-          '';
-          oh-my-zsh.theme = "";
+          path = "${home-inputs.config.xdg.dataHome}/zsh/zsh_history";
+          extended = true;
+          save = 100000000;
+          size = 100000000;
         };
-      }
-    ];})];
-    environment.pathsToLink = [ "/share/zsh" ];
-    programs.zsh.enable = true;
+      };
+      # set bash history file path, avoid overwriting zsh history
+      bash = { enable = true; historyFile =  "${home-inputs.config.xdg.dataHome}/bash/bash_history"; };
+    };})];
+    programs.zsh =
+    {
+      enable = true;
+      syntaxHighlighting.enable = true;
+      autosuggestions.enable = true;
+      enableCompletion = true;
+      ohMyZsh =
+        { enable = true; plugins = [ "git" "colored-man-pages" "extract" "history-substring-search" "autojump" ]; };
+    };
   };
 }

modules/services/ananicy.nix

@@ -9,11 +9,6 @@ inputs:
       enable = true;
       package = inputs.pkgs.ananicy-cpp;
       rulesProvider = inputs.pkgs.ananicy-rules-cachyos;
-      extraRules =
-      [
-        { name = "YuanShen.exe"; type = "Game"; }
-        { name = "Typora"; type = "Doc-View"; }
-      ];
     };
   };
 }

modules/services/docker.nix

@@ -7,30 +7,28 @@ inputs:
     (
       inputs.lib.mkIf (docker != null)
       {
-        virtualisation.docker =
+        # system-wide docker is not needed
+        # virtualisation.docker.enable = true;
+        virtualisation.docker.rootless =
         {
           enable = true;
-          rootless =
+          setSocketVariable = true;
+          daemon.settings =
           {
-            enable = true;
-            setSocketVariable = true;
-            daemon.settings =
-            {
-              features.buildkit = true;
-              # dns 127.0.0.1 make docker not work
-              dns = [ "1.1.1.1" ];
-              # prevent create btrfs subvol
-              storage-driver = "overlay2";
-            };
+            features.buildkit = true;
+            # dns 127.0.0.1 make docker not work
+            dns = [ "1.1.1.1" ];
+            # prevent create btrfs subvol
+            storage-driver = "overlay2";
           };
         };
-        hardware.nvidia-container-toolkit.enable = inputs.lib.mkIf inputs.config.nixos.system.nixpkgs.cuda.enable true;
       }
     )
     # some docker settings should be set unconditionally, as some services depend on them
     {
       virtualisation.docker =
       {
+        enableNvidia = inputs.lib.mkIf inputs.config.nixos.system.nixpkgs.cuda.enable true;
         # prevent create btrfs subvol
         storageDriver = "overlay2";
         daemon.settings.dns = [ "1.1.1.1" ];

modules/services/grafana.nix

@@ -1,18 +1,17 @@
 inputs:
 {
-  options.nixos.services.grafana = let inherit (inputs.lib) mkOption types; in mkOption
+  options.nixos.services.grafana = let inherit (inputs.lib) mkOption types; in
   {
-    type = types.nullOr (types.submodule { options =
-    {
-      hostname = mkOption { type = types.str; default = "grafana.chn.moe"; };
-    };});
-    default = null;
+    enable = mkOption { type = types.bool; default = false; };
+    hostname = mkOption { type = types.str; default = "grafana.chn.moe"; };
   };
-  config = let inherit (inputs.config.nixos.services) grafana; in inputs.lib.mkIf (grafana != null)
-  {
-    services =
+  config =
+    let
+      inherit (inputs.config.nixos.services) grafana;
+      inherit (inputs.lib) mkIf;
+    in mkIf grafana.enable
     {
-      grafana =
+      services.grafana =
       {
         enable = true;
         declarativePlugins = with inputs.pkgs.grafanaPlugins; [];
@@ -45,57 +44,24 @@ inputs:
             password = "$__file{${inputs.config.sops.secrets."grafana/db".path}}";
           };
         };
-        provision =
+      };
+      nixos.services =
+      {
+        nginx =
         {
           enable = true;
-          datasources.settings =
-          {
-            # prune = true;
-            datasources =
-            [{
-              name = "Prometheus";
-              type = "prometheus";
-              access = "proxy";
-              url = "http://localhost:9090";
-              editable = false;
-            }];
-          };
+          https."${grafana.hostname}".location."/".proxy =
+            { upstream = "http://127.0.0.1:3001"; websocket = true; };
         };
+        postgresql.instances.grafana = {};
       };
-      prometheus =
+      sops.secrets = let owner = inputs.config.systemd.services.grafana.serviceConfig.User; in
       {
-        enable = true;
-        exporters =
-        {
-          node = { enable = true; enabledCollectors = [ "systemd" ]; };
-        };
-        scrapeConfigs =
-        [{
-          job_name = "lapetus";
-          static_configs =
-            [{ targets = [ "127.0.0.1:${toString inputs.config.services.prometheus.exporters.node.port}" ]; }];
-        }];
+        "grafana/mail" = { owner = owner; key = "mail/bot"; };
+        "grafana/secret".owner = owner;
+        "grafana/chn".owner = owner;
+        "grafana/db" = { owner = owner; key = "postgresql/grafana"; };
+        "mail/bot" = {};
       };
     };
-    nixos.services =
-    {
-      nginx =
-      {
-        enable = true;
-        https."${grafana.hostname}".location."/".proxy =
-          { upstream = "http://127.0.0.1:3001"; websocket = true; };
-      };
-      postgresql.instances.grafana = {};
-    };
-    sops.secrets = let owner = inputs.config.systemd.services.grafana.serviceConfig.User; in
-    {
-      "grafana/mail" = { owner = owner; key = "mail/bot"; };
-      "grafana/secret".owner = owner;
-      "grafana/chn".owner = owner;
-      "grafana/db" = { owner = owner; key = "postgresql/grafana"; };
-      "mail/bot" = {};
-    };
-    environment.persistence."/nix/nodatacow".directories =
-      [{ directory = "/var/lib/prometheus2"; user = "prometheus"; group = "prometheus"; mode = "0700"; }];
-  };
 }

modules/services/hpcstat.nix

@@ -76,7 +76,7 @@ inputs:
         calenders =
         {
           finishjob = "*-*-* *:*:00";
-          backupdb = "*-*-* 00/8:00:00";
+          backupdb = "*-*-* *:00/10:00";
           diskstat = "*-*-* 03/12:00:00";
         };
       in

modules/services/misskey.nix

@@ -4,131 +4,137 @@ inputs:
   {
     type = types.attrsOf (types.submodule { options =
     {
+      autoStart = mkOption { type = types.bool; default = true; };
       port = mkOption { type = types.ints.unsigned; default = 9726; };
       redis.port = mkOption { type = types.ints.unsigned; default = 3545; };
       hostname = mkOption { type = types.nonEmptyStr; default = "misskey.chn.moe"; };
     };});
     default = {};
   };
-  config = let inherit (inputs.config.nixos.services) misskey; in
-  {
-    systemd = inputs.lib.mkMerge (builtins.map
-      (instance:
-      {
-        services."misskey-${instance.name}" = rec
-        {
-          description = "misskey ${instance.name}";
-          after = [ "network.target" "redis-misskey-${instance.name}.service" "postgresql.service" ];
-          requires = after;
-          wantedBy = [ "multi-user.target" ];
-          environment.MISSKEY_CONFIG_YML = inputs.config.sops.templates."misskey/${instance.name}.yml".path;
-          serviceConfig = rec
-          {
-            User = "misskey-${instance.name}";
-            Group = "misskey-${instance.name}";
-            WorkingDirectory = "/var/lib/misskey/${instance.name}/work";
-            ExecStart = "${WorkingDirectory}/bin/misskey";
-            CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
-            AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
-            Restart = "always";
-          };
-        };
-        tmpfiles.rules = let dir = "/var/lib/misskey/${instance.name}/files"; owner = "misskey-${instance.name}"; in
-          [ "d ${dir} 0700 ${owner} ${owner}" "Z ${dir} - ${owner} ${owner}" ];
-      })
-      (inputs.localLib.attrsToList misskey.instances));
-    fileSystems = inputs.lib.mkMerge (builtins.map
-      (instance:
-      {
-        "/var/lib/misskey/${instance.name}/work" =
-        {
-          device = "${inputs.pkgs.localPackages.misskey}";
-          options = [ "bind" "private" "x-gvfs-hide" "X-fstrim.notrim" ];
-        };
-        "/var/lib/misskey/${instance.name}/work/files" =
-        {
-          device = "/var/lib/misskey/${instance.name}/files";
-          options = [ "bind" "private" "x-gvfs-hide" "X-fstrim.notrim" ];
-        };
-      })
-      (inputs.localLib.attrsToList misskey.instances));
-    sops.templates = builtins.listToAttrs (builtins.map
-      (instance:
-      {
-        name = "misskey/${instance.name}.yml";
-        value =
-        {
-          content =
-            let
-              placeholder = inputs.config.sops.placeholder;
-              redis = inputs.config.nixos.services.redis.instances."misskey-${instance.name}";
-            in
-            ''
-              url: https://${instance.value.hostname}/
-              port: ${toString instance.value.port}
-              db:
-                host: 127.0.0.1
-                port: 5432
-                db: misskey_${builtins.replaceStrings [ "-" ] [ "_" ] instance.name}
-                user: misskey_${builtins.replaceStrings [ "-" ] [ "_" ] instance.name}
-                pass: ${placeholder."postgresql/misskey_${builtins.replaceStrings [ "-" ] [ "_" ] instance.name}"}
-                extra:
-                  statement_timeout: 600000
-              dbReplications: false
-              redis:
-                host: 127.0.0.1
-                port: ${builtins.toString redis.port}
-                pass: ${placeholder."redis/misskey-${instance.name}"}
-              id: 'aid'
-              proxyBypassHosts:
-                - api.deepl.com
-                - api-free.deepl.com
-                - www.recaptcha.net
-                - hcaptcha.com
-                - challenges.cloudflare.com
-              proxyRemoteFiles: true
-              signToActivityPubGet: true
-              maxFileSize: 1073741824
-              fulltextSearch:
-                provider: sqlPgroonga
-            '';
-          owner = "misskey-${instance.name}";
-        };
-      })
-      (inputs.localLib.attrsToList misskey.instances));
-    users = inputs.lib.mkMerge (builtins.map
-      (instance:
-      {
-        users."misskey-${instance.name}" =
-        {
-          uid = inputs.config.nixos.user.uid."misskey-${instance.name}";
-          group = "misskey-${instance.name}";
-          home = "/var/lib/misskey/${instance.name}";
-          createHome = true;
-          isSystemUser = true;
-        };
-        groups."misskey-${instance.name}".gid = inputs.config.nixos.user.gid."misskey-${instance.name}";
-      })
-      (inputs.localLib.attrsToList misskey.instances));
-    nixos.services =
+  config =
+    let
+      inherit (inputs.config.nixos.services) misskey;
+      inherit (inputs.localLib) attrsToList;
+      inherit (inputs.lib) mkMerge mkIf;
+      inherit (builtins) map listToAttrs toString replaceStrings filter;
+    in
     {
-      redis.instances = builtins.listToAttrs (builtins.map
-        (instance: { name = "misskey-${instance.name}"; value.port = instance.value.redis.port; })
-        (inputs.localLib.attrsToList misskey.instances));
-      postgresql.instances = builtins.listToAttrs (builtins.map
-        (instance: { name = "misskey_${builtins.replaceStrings [ "-" ] [ "_" ] instance.name}"; value = {}; })
-        (inputs.localLib.attrsToList misskey.instances));
-      nginx =
-      {
-        enable = inputs.lib.mkIf (misskey.instances != {}) true;
-        https = builtins.listToAttrs (builtins.map
-          (instance: with instance.value;
+      systemd = mkMerge (map
+        (instance:
+        {
+          services."misskey-${instance.name}" = rec
           {
-            name = hostname;
-            value.location."/".proxy = { upstream = "http://127.0.0.1:${toString port}"; websocket = true; };
-          })
-          (inputs.localLib.attrsToList misskey.instances));
+            enable = instance.value.autoStart;
+            description = "misskey ${instance.name}";
+            after = [ "network.target" "redis-misskey-${instance.name}.service" "postgresql.service" ];
+            requires = after;
+            wantedBy = [ "multi-user.target" ];
+            environment.MISSKEY_CONFIG_YML = inputs.config.sops.templates."misskey/${instance.name}.yml".path;
+            serviceConfig = rec
+            {
+              User = inputs.config.users.users."misskey-${instance.name}".name;
+              Group = inputs.config.users.users."misskey-${instance.name}".group;
+              WorkingDirectory = "/var/lib/misskey/${instance.name}/work";
+              ExecStart = "${WorkingDirectory}/bin/misskey";
+              CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+              AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+              Restart = "always";
+            };
+          };
+          tmpfiles.rules = let dir = "/var/lib/misskey/${instance.name}/files"; owner = "misskey-${instance.name}"; in
+            [ "d ${dir} 0700 ${owner} ${owner}" "Z ${dir} - ${owner} ${owner}" ];
+        })
+        (attrsToList misskey.instances));
+      fileSystems = mkMerge (map
+        (instance:
+        {
+          "/var/lib/misskey/${instance.name}/work" =
+          {
+            device = "${inputs.pkgs.localPackages.misskey}";
+            options = [ "bind" "private" "x-gvfs-hide" "X-fstrim.notrim" ];
+          };
+          "/var/lib/misskey/${instance.name}/work/files" =
+          {
+            device = "/var/lib/misskey/${instance.name}/files";
+            options = [ "bind" "private" "x-gvfs-hide" "X-fstrim.notrim" ];
+          };
+        })
+        (attrsToList misskey.instances));
+      sops.templates = listToAttrs (map
+        (instance:
+        {
+          name = "misskey/${instance.name}.yml";
+          value =
+          {
+            content =
+              let
+                placeholder = inputs.config.sops.placeholder;
+                redis = inputs.config.nixos.services.redis.instances."misskey-${instance.name}";
+              in
+              ''
+                url: https://${instance.value.hostname}/
+                port: ${toString instance.value.port}
+                db:
+                  host: 127.0.0.1
+                  port: 5432
+                  db: misskey_${replaceStrings [ "-" ] [ "_" ] instance.name}
+                  user: misskey_${replaceStrings [ "-" ] [ "_" ] instance.name}
+                  pass: ${placeholder."postgresql/misskey_${replaceStrings [ "-" ] [ "_" ] instance.name}"}
+                  extra:
+                    statement_timeout: 600000
+                dbReplications: false
+                redis:
+                  host: 127.0.0.1
+                  port: ${toString redis.port}
+                  pass: ${placeholder."redis/misskey-${instance.name}"}
+                id: 'aid'
+                proxyBypassHosts:
+                  - api.deepl.com
+                  - api-free.deepl.com
+                  - www.recaptcha.net
+                  - hcaptcha.com
+                  - challenges.cloudflare.com
+                proxyRemoteFiles: true
+                signToActivityPubGet: true
+                maxFileSize: 1073741824
+              '';
+            owner = inputs.config.users.users."misskey-${instance.name}".name;
+          };
+        })
+        (attrsToList misskey.instances));
+      users = mkMerge (map
+        (instance:
+        {
+          users."misskey-${instance.name}" =
+          {
+            uid = inputs.config.nixos.user.uid."misskey-${instance.name}";
+            group = "misskey-${instance.name}";
+            home = "/var/lib/misskey/${instance.name}";
+            createHome = true;
+            isSystemUser = true;
+          };
+          groups."misskey-${instance.name}".gid = inputs.config.nixos.user.gid."misskey-${instance.name}";
+        })
+        (attrsToList misskey.instances));
+      nixos.services =
+      {
+        redis.instances = listToAttrs (map
+          (instance: { name = "misskey-${instance.name}"; value.port = instance.value.redis.port; })
+          (attrsToList misskey.instances));
+        postgresql.instances = listToAttrs (map
+          (instance: { name = "misskey_${replaceStrings [ "-" ] [ "_" ] instance.name}"; value = {}; })
+          (attrsToList misskey.instances));
+        nginx =
+        {
+          enable = mkIf (misskey.instances != {}) true;
+          https = listToAttrs (map
+            (instance: with instance.value;
+            {
+              name = hostname;
+              value.location."/".proxy = { upstream = "http://127.0.0.1:${toString port}"; websocket = true; };
+            })
+            (attrsToList misskey.instances));
+        };
       };
     };
-  };
 }

modules/services/nextcloud.nix

@@ -16,7 +16,7 @@ inputs:
       hostName = nextcloud.hostname;
       appstoreEnable = false;
       https = true;
-      package = inputs.pkgs.nextcloud30;
+      package = inputs.pkgs.nextcloud29;
       maxUploadSize = "10G";
       config =
       {

modules/services/nginx/applications/sticker/.gitignore

@@ -1,2 +0,0 @@
-/config.json
-/sticker-import.session

modules/services/nginx/applications/sticker/default.nix

@@ -1,22 +0,0 @@
-inputs:
-{
-  options.nixos.services.nginx.applications.sticker = let inherit (inputs.lib) mkOption types; in mkOption
-  {
-    type = types.nullOr (types.submodule {});
-    default = {};
-  };
-  config = let inherit (inputs.config.nixos.services.nginx.applications) sticker; in inputs.lib.mkIf (sticker != null)
-  {
-    nixos.services.nginx.https."sticker.chn.moe".location."/".static =
-    {
-      root = builtins.toString (inputs.pkgs.runCommand "web" {}
-      ''
-        mkdir -p $out
-        cp -r ${inputs.topInputs.stickerpicker}/web/* $out
-        chmod -R +w $out
-        cp -r ${./web}/* $out
-      '');
-      index = [ "index.html" ];
-    };
-  };
-}

modules/services/nginx/applications/sticker/web/packs/index.json

@@ -1,19 +0,0 @@
-{
-  "packs": [
-    "Mare_by_WuMingv2Bot.json",
-    "line_191054124446_by_moe_sticker_bot.json",
-    "Sakurada_Shiro.json",
-    "loli_DaiSi_by_WuMingv2Bot.json",
-    "listentoweiwei_by_WuMingv2Bot.json",
-    "csaexi.json",
-    "wechat_transfer_zhcn.json",
-    "teamtimothy_bilibili.json",
-    "line26158619ac0d_by_moe_sticker_bot.json",
-    "LINE_nachonekodayo.json",
-    "zhehelima.json",
-    "TheDonaldTrump.json",
-    "line_173195293297_by_moe_sticker_bot.json",
-    "line261586194a0d_by_moe_sticker_bot.json"
-  ],
-  "homeserver_url": "https://matrix.chn.moe"
-}

modules/services/nginx/default.nix

@@ -250,9 +250,6 @@ inputs:
               # nginx will try to redirect https://blog.chn.moe/docs to https://blog.chn.moe:3068/docs/ in default
               # this make it redirect to /docs/ without hostname
               absolute_redirect off;
-              # allow realip module to set ip
-              set_real_ip_from 0.0.0.0/0;
-              real_ip_header proxy_protocol;
             '';
             proxyTimeout = "1d";
             recommendedZstdSettings = true;

modules/services/postgresql.nix

@@ -22,8 +22,7 @@ inputs:
       postgresql =
       {
         enable = true;
-        package = inputs.pkgs.postgresql_17;
-        extensions = ps: with ps; [ pgroonga ];
+        package = inputs.pkgs.postgresql_15;
         enableTCPIP = true;
         authentication = "host all all 0.0.0.0/0 md5";
         settings =

modules/services/send.nix

@@ -1,37 +1,51 @@
 inputs:
 {
-  options.nixos.services.send = let inherit (inputs.lib) mkOption types; in mkOption
+  options.nixos.services.send = let inherit (inputs.lib) mkOption types; in
   {
-    type = types.nullOr (types.submodule (submoduleInputs: { options =
-    {
-      hostname = mkOption { type = types.nonEmptyStr; default = "send.chn.moe"; };
-    };}));
-    default = null;
+    enable = mkOption { type = types.bool; default = false; };
+    hostname = mkOption { type = types.nonEmptyStr; default = "send.chn.moe"; };
   };
-  config = let inherit (inputs.config.nixos.services) send; in inputs.lib.mkIf (send != null)
-  {
-    services.send =
+  config =
+    let
+      inherit (inputs.lib) mkIf;
+      inherit (inputs.config.nixos.services) send;
+    in mkIf send.enable
     {
-      enable = true;
-      baseUrl = "https://${send.hostname}";
-      environment.MAX_FILE_SIZE = "17179869184";
-      redis =
+      virtualisation.oci-containers.containers.send =
       {
-        createLocally = false;
-        host = "127.0.0.1";
-        port = 9184;
-        passwordFile = inputs.config.sops.secrets."redis/send".path;
+        image = "timvisee/send:1ee4951";
+        imageFile = inputs.pkgs.dockerTools.pullImage
+        {
+          imageName = "registry.gitlab.com/timvisee/send";
+          imageDigest = "sha256:1ee495161f176946e6e4077e17be2b8f8634c2d502172cc530a8cd5affd7078f";
+          sha256 = "1dimqga35c2ka4advhv3v60xcsdrhc6c4hh21x36fbyhk90n2vzs";
+          finalImageName = "timvisee/send";
+          finalImageTag = "1ee4951";
+        };
+        ports = [ "127.0.0.1:1443:1443/tcp" ];
+        volumes = [ "send:/uploads" ];
+        extraOptions = [ "--add-host=host.docker.internal:host-gateway" ];
+        environmentFiles = [ inputs.config.sops.templates."send/env".path ];
+      };
+      sops =
+      {
+        templates."send/env".content =
+        ''
+          BASE_URL=https://${send.hostname}
+          MAX_FILE_SIZE=17179869184
+          REDIS_HOST=host.docker.internal
+          REDIS_PORT=9184
+          REDIS_PASSWORD=${inputs.config.sops.placeholder."redis/send"}
+        '';
+      };
+      nixos.services =
+      {
+        nginx =
+        {
+          enable = true;
+          https."${send.hostname}".location."/".proxy = { upstream = "http://127.0.0.1:1443"; websocket = true; };
+        };
+        redis.instances.send = { user = "root"; port = 9184; };
       };
     };
-    systemd.services.send.after = [ "redis-send.service" ];
-    nixos.services =
-    {
-      nginx =
-      {
-        enable = true;
-        https."${send.hostname}".location."/".proxy = { upstream = "http://127.0.0.1:1443"; websocket = true; };
-      };
-      redis.instances.send = { user = "root"; port = 9184; };
-    };
-  };
 }

modules/services/slurm.nix

@@ -15,6 +15,8 @@ inputs:
         sockets = mkOption { type = types.ints.unsigned; default = 1; };
         cores = mkOption { type = types.ints.unsigned; default = 1; };
         threads = mkOption { type = types.ints.unsigned; default = 1; };
+        mpiThreads = mkOption { type = types.ints.unsigned; default = 1; };
+        openmpThreads = mkOption { type = types.ints.unsigned; default = 1; };
       };
       memoryMB = mkOption { type = types.ints.unsigned; default = 1024; };
       gpus = mkOption { type = types.nullOr (types.attrsOf types.ints.unsigned); default = null; };
@@ -23,17 +25,9 @@ inputs:
     defaultPartition = mkOption { type = types.nonEmptyStr; default = "localhost"; };
     tui =
     {
-      cpuQueues = mkOption
-      {
-        type = types.nonEmptyListOf (types.submodule (submoduleInputs: { options =
-        {
-          name = mkOption { type = types.nonEmptyStr; default = "localhost"; };
-          mpiThreads = mkOption { type = types.ints.unsigned; default = 1; };
-          openmpThreads = mkOption { type = types.ints.unsigned; default = 1; };
-        };}));
-      };
-      gpuIds = mkOption { type = types.nullOr (types.listOf types.nonEmptyStr); default = null; };
-      gpuPartition = mkOption { type = types.nonEmptyStr; default = "localhost"; };
+      cpuMpiThreads = mkOption { type = types.ints.unsigned; default = 1; };
+      cpuOpenmpThreads = mkOption { type = types.ints.unsigned; default = 1; };
+      gpus = mkOption { type = types.nullOr (types.listOf types.nonEmptyStr); default = null; };
     };
     # 是否打开防火墙相应端口，对于多节点部署需要打开
     setupFirewall = mkOption { type = types.bool; default = false; };
@@ -131,16 +125,6 @@ inputs:
 
             # enable task plugins
             TaskPlugin=task/affinity,task/cgroup
-
-            # omit --mpi=pmix
-            MpiDefault=pmix
-
-            # record more info
-            JobAcctGatherType=jobacct_gather/cgroup
-            AccountingStorageTRES=gres/gpu
-
-            # append to output file
-            JobFileAppend=1
           '';
           extraConfigPaths =
             let gpus = slurm.node.${inputs.config.nixos.model.hostname}.gpus or null;
@@ -151,15 +135,6 @@ inputs:
                 (inputs.localLib.attrsToList gpus));
               in [(inputs.pkgs.writeTextDir "gres.conf" "AutoDetect=nvml\n${gpuString}")]
             );
-          extraCgroupConfig =
-          ''
-            ConstrainCores=yes
-            ConstrainRAMSpace=yes
-            ConstrainSwapSpace=yes
-            AllowedSwapSpace=20
-            # this make job hang, not sure why
-            # ConstrainDevices=yes
-          '';
         };
         munge = { enable = true; password = inputs.config.sops.secrets."munge.key".path; };
       };
@@ -182,7 +157,6 @@ inputs:
       networking.firewall =
         let config = inputs.lib.mkIf slurm.setupFirewall [ 6818 ];
         in { allowedTCPPorts = config; allowedUDPPorts = config; };
-      environment.sessionVariables = { SLURM_HINT = "nomultithread"; SLURM_UNBUFFEREDIO = "1"; };
     }
     # master 配置
     (inputs.lib.mkIf (slurm.master == inputs.config.nixos.model.hostname)
@@ -222,11 +196,9 @@ inputs:
       };
       environment.etc."sbatch-tui.yaml".text = builtins.toJSON
       {
-        GpuIds = slurm.tui.gpuIds;
-        GpuPartition = slurm.tui.gpuPartition;
-        CpuQueues = builtins.map
-          (queue: [ queue.name [ queue.mpiThreads queue.openmpThreads ]])
-          slurm.tui.cpuQueues;
+        CpuMpiThreads = slurm.tui.cpuMpiThreads;
+        CpuOpenmpThreads = slurm.tui.cpuOpenmpThreads;
+        GpuIds = slurm.tui.gpus;
       };
       networking.firewall =
         let config = inputs.lib.mkIf slurm.setupFirewall [ 6817 ];

modules/services/snapper.nix

@@ -1,11 +1,11 @@
 inputs:
 {
-  options.nixos.services.snapper = let inherit (inputs.lib) mkOption types; in mkOption
+  options.nixos.services.snapper = let inherit (inputs.lib) mkOption types; in
   {
-    type = types.nullOr (types.attrsOf types.nonEmptyStr);
-    default.persistent = "/nix/persistent";
+    enable = mkOption { type = types.bool; default = false; };
+    configs = mkOption { type = types.attrsOf types.nonEmptyStr; default.persistent = "/nix/persistent"; };
   };
-  config = let inherit (inputs.config.nixos.services) snapper; in inputs.lib.mkIf (snapper != null)
+  config = let inherit (inputs.config.nixos.services) snapper; in inputs.lib.mkIf snapper.enable
   {
     services.snapper.configs = builtins.listToAttrs (builtins.map
       (config:
@@ -24,6 +24,6 @@ inputs:
           TIMELINE_LIMIT_YEARLY = 0;
         };
       })
-      (inputs.localLib.attrsToList snapper));
+      (inputs.localLib.attrsToList snapper.configs));
   };
 }

modules/services/sshd/banner-rendered.txt

@@ -0,0 +1,19 @@
+                   ░▒▓█▓▒░      ░▒▓█▓▒░▒▓███████▓▒░  
+                  ░▒▓█▓▒░      ░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
+                 ░▒▓█▓▒░      ░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
+                ░▒▓█▓▒░      ░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
+               ░▒▓█▓▒░      ░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
+              ░▒▓█▓▒░      ░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
+             ░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+
+      ░▒▓██████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓███████▓▒░  
+    ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
+   ░▒▓█▓▒░      ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
+  ░▒▓█▓▒▒▓███▓▒░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓███████▓▒░  
+ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░        
+░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░        
+░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░░▒▓██████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░        
+
+               ┌──────────────────────────┐
+               │ＩｎＡｌＧａＮ  ／  ＳｉＣ│
+               └──────────────────────────┘

modules/services/sshd/default.nix

@@ -9,39 +9,25 @@ inputs:
     };});
     default = null;
   };
-  config = let inherit (inputs.config.nixos.services) sshd; in inputs.lib.mkIf (sshd != null) (inputs.lib.mkMerge
-  [
+  config = let inherit (inputs.config.nixos.services) sshd; in inputs.lib.mkIf (sshd != null)
+  {
+    services.openssh =
     {
-      services.openssh =
+      enable = true;
+      settings =
       {
-        enable = true;
-        settings =
-        {
-          X11Forwarding = true;
-          ChallengeResponseAuthentication = false;
-          PasswordAuthentication = sshd.passwordAuthentication;
-          KbdInteractiveAuthentication = false;
-          UsePAM = true;
-        };
+        X11Forwarding = true;
+        ChallengeResponseAuthentication = false;
+        PasswordAuthentication = sshd.passwordAuthentication;
+        KbdInteractiveAuthentication = false;
+        UsePAM = true;
       };
-      nixos.services.xray.client.v2ray-forwarder.noproxyTcpPorts = [ 22 ];
-    }
-    # 如果是服务器，那么启用 motd
-    (inputs.lib.mkIf (inputs.config.nixos.model.type == "server")
-    {
-      nixos =
-      {
-        packages.packages._packages =
-          [ (inputs.pkgs.fancy-motd.overrideAttrs { src = inputs.topInputs.fancy-motd; }) ];
-        user.sharedModules = [(home-inputs: { config.programs.zsh.loginExtra =
-        ''
-          [ -f /etc/fancy-motd/banner ] && lolcat -f /etc/fancy-motd/banner
-          motd
-        '';})];
-      };
-      # generate from https://patorjk.com/software/taag with font "BlurVision ASCII"
-      # generate using `toilet -f wideterm -F border "InAlGaN / SiC"`
-      environment.etc = inputs.lib.mkIf sshd.groupBanner { "fancy-motd/banner".source = ./banner.txt; };
-    })
-  ]);
+    };
+    nixos.services.xray.client.v2ray-forwarder.noproxyTcpPorts = [ 22 ];
+    # generate from https://patorjk.com/software/taag with font "BlurVision ASCII"
+    # generate using `toilet -f wideterm -F border "InAlGaN / SiC"`
+    # somehow lolcat could not run with these characters, use rendered directly
+    # TODO: move this settings to user
+    users.motdFile = inputs.lib.mkIf sshd.groupBanner ./banner-rendered.txt;
+  };
 }

modules/services/synapse.nix

@@ -195,8 +195,6 @@ inputs:
                 ];
                 max_image_pixels = "32M";
                 dynamic_thumbnails = false;
-                # this is required for displaying thumbnails in sticker widgets
-                enable_authenticated_media = false;
               });
           };
           secrets = (listToAttrs (map

modules/services/wechat2tg.nix

@@ -1,48 +0,0 @@
-inputs:
-{
-  options.nixos.services.wechat2tg = let inherit (inputs.lib) mkOption types; in mkOption
-    { type = types.nullOr (types.submodule {}); default = null; };
-  config = let inherit (inputs.config.nixos.services) wechat2tg; in inputs.lib.mkIf (wechat2tg != null)
-  {
-    virtualisation.oci-containers.containers.wechat2tg =
-    {
-      image = "finalpi/wechat2tg:v1.3.3";
-      imageFile = inputs.pkgs.dockerTools.pullImage
-      {
-        imageName = "finalpi/wechat2tg";
-        imageDigest = "sha256:48e3aff3f501847f063318b41ca34af7d83278847d2eee40d7ffbf439ee4c194";
-        sha256 = "04hq577d981mdfz0xwklhj9ifgnpbv91d6zkf37awfrbsiqfkrr6";
-        finalImageName = "finalpi/wechat2tg";
-        finalImageTag = "v1.3.3";
-      };
-      volumes = [ "wechat2tg-config:/app/storage" "wechat2tg-files:/app/save-files" ];
-      environmentFiles = [ inputs.config.sops.templates."wechat2tg/env".path ];
-    };
-    sops =
-    {
-      templates."wechat2tg/env".content = let placeholder = inputs.config.sops.placeholder; in
-      ''
-        BOT_TOKEN=${placeholder."wechat2tg/token"}
-        # PROXY_HOST: ""
-        # PROXY_PORT: ""
-        # Proxy type: socks5, http, https
-        # PROXY_PROTOCOL: 'socks5'
-        # Optional username and password
-        # PROXY_USERNAME: ""
-        # PROXY_PASSWORD: ""
-        # API_ID: ""
-        # API_HASH: ""
-        ROOM_MESSAGE='<i>🌐#[topic]</i> ---- <b>👤#[(alias)] #[name]: </b>'
-        OFFICIAL_MESSAGE='<b>📣#[name]: </b>'
-        CONTACT_MESSAGE='<b>👤#[alias_first]: </b>'
-        ROOM_MESSAGE_GROUP='<b>👤#[(alias)] #[name]: </b>'
-        OFFICIAL_MESSAGE_GROUP='<b>📣#[name]: </b>'
-        CONTACT_MESSAGE_GROUP='<b>👤#[alias_first]: </b>'
-        CREATE_ROOM_NAME='#[topic]'
-        CREATE_CONTACT_NAME='#[alias]#[[name]]'
-        MESSAGE_DISPLAY='#[identity]#[br]#[body]'
-      '';
-      secrets."wechat2tg/token" = {};
-    };
-  };
-}

modules/system/default.nix

@@ -17,7 +17,7 @@ inputs:
       supportedFilesystems = [ "ntfs" "nfs" "nfsv4" ];
       # consoleLogLevel = 7;
     };
-    hardware = { enableAllFirmware = true; bluetooth.enable = true; sensor.iio.enable = true; };
+    hardware = { enableAllFirmware = true; bluetooth.enable = true; };
     environment =
     {
       sessionVariables = rec

modules/system/fileSystems/cluster.nix

@@ -1,36 +0,0 @@
-inputs:
-{
-  config = inputs.lib.mkMerge
-  [
-    # for cluster master, export NFS
-    (inputs.lib.mkIf (inputs.config.nixos.model.cluster.nodeType or null == "master")
-      { nixos.services.nfs = { root = "/"; exports = [ "/nix/persistent/home" ]; accessLimit = "192.168.178.0/24"; }; })
-    # for cluster worker, mount nfs, disable some home manager files
-    (inputs.lib.mkIf (inputs.config.nixos.model.cluster.nodeType or null == "worker")
-      { nixos.system.fileSystems.mount.nfs."192.168.178.1:/nix/persistent/home" = "/remote/home"; })
-    # 将一部分由 home-manager 生成软链接的文件改为直接挂载，以兼容集群的设置
-    {
-      home-manager.users = builtins.listToAttrs (builtins.map
-        (user:
-        {
-          name = user;
-          value.config.home.file = builtins.listToAttrs (builtins.map
-            (file: { name = file; value.enable = false; })
-            [ ".zshrc" ".zshenv" ".profile" ".bashrc" ".bash_profile" ".zlogin" ]);
-        })
-        inputs.config.nixos.user.users);
-      systemd.mounts = builtins.concatLists (builtins.map
-        (user: builtins.map
-          (file:
-          {
-            what = "${inputs.config.home-manager.users.${user}.home.file.${file}.source}";
-            where = "/home/${user}/${file}";
-            options = "bind";
-            wantedBy = [ "local-fs.target" ];
-          })
-          [ ".zshrc" ".zshenv" ".profile" ".bashrc" ".bash_profile" ".zlogin" ]
-        )
-        inputs.config.nixos.user.users);
-    }
-  ];
-}

modules/system/fileSystems/default.nix

@@ -25,6 +25,8 @@ inputs:
     {
       type = types.nullOr (types.submodule { options =
       {
+        device = mkOption { type = types.nonEmptyStr; default = inputs.config.fileSystems."/".device; };
+        path = mkOption { type = types.nonEmptyStr; default = "/nix/rootfs"; };
         waitDevices = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
       };});
       default = null;
@@ -83,11 +85,12 @@ inputs:
     # resume
     (inputs.lib.mkIf (fileSystems.resume != null) { boot =
     (
-      if builtins.typeOf fileSystems.resume == "string" then { resumeDevice = fileSystems.resume; }
+      if builtins.typeOf fileSystems.resume == "string" then
+        { resumeDevice = fileSystems.resume; }
       else
       {
         resumeDevice = fileSystems.resume.device;
-        kernelParams = [ "resume_offset=${builtins.toString fileSystems.resume.offset}" ];
+        kernelModules = [ "resume_offset=${builtins.toString fileSystems.resume.offset}" ];
       }
     );})
     # rollingRootfs
@@ -111,25 +114,24 @@ inputs:
           serviceConfig.Type = "oneshot";
           script =
             let
-              device = inputs.config.fileSystems."/".device;
+              inherit (fileSystems.rollingRootfs) device path waitDevices;
               waitDevice = builtins.concatStringsSep "\n" (builtins.map
-                (device: "while ! [ -e ${device} ]; do sleep 1; done")
-                (fileSystems.rollingRootfs.waitDevices ++ [ device ]));
+                (device: "while ! [ -e ${device} ]; do sleep 1; done") (waitDevices ++ [ device ]));
             in
             ''
               while ! lsmod | grep -q btrfs; do sleep 1; done
               ${waitDevice}
               mount ${device} /mnt -m
-              if [ -f /mnt/nix/rootfs/current/.timestamp ]
+              if [ -f /mnt${path}/current/.timestamp ]
               then
-                timestamp=$(cat /mnt/nix/rootfs/current/.timestamp)
-                subvolid=$(btrfs subvolume show /mnt/nix/rootfs/current | grep 'Subvolume ID:' | awk '{print $NF}')
-                mv /mnt/nix/rootfs/current /mnt/nix/rootfs/$timestamp-$subvolid
-                btrfs property set -ts /mnt/nix/rootfs/$timestamp-$subvolid ro true
+                timestamp=$(cat /mnt${path}/current/.timestamp)
+                subvolid=$(btrfs subvolume show /mnt${path}/current | grep 'Subvolume ID:' | awk '{print $NF}')
+                mv /mnt${path}/current /mnt${path}/$timestamp-$subvolid
+                btrfs property set -ts /mnt${path}/$timestamp-$subvolid ro true
               fi
-              [ -d /mnt/nix/rootfs/current ] || btrfs subvolume create /mnt/nix/rootfs/current
-              chattr +C /mnt/nix/rootfs/current
-              echo $(date '+%Y%m%d%H%M%S') > /mnt/nix/rootfs/current/.timestamp
+              btrfs subvolume create /mnt${path}/current
+              chattr +C /mnt${path}/current
+              echo $(date '+%Y%m%d%H%M%S') > /mnt${path}/current/.timestamp
               umount /mnt
             '';
         };

modules/system/fileSystems/impermanence.nix

@@ -1,79 +0,0 @@
-inputs:
-{
-  config.environment.persistence = inputs.lib.mkMerge
-  [
-    # generic settings
-    {
-      "/nix/persistent" =
-      {
-        hideMounts = true;
-        directories =
-        [
-          "/var/db" "/var/lib" "/var/log" "/var/spool" "/var/backup" "/srv"
-          { directory = "/var/lib/docker/volumes"; mode = "0710"; }
-        ];
-        files = [ "/etc/machine-id" ]
-          ++ (builtins.concatLists (builtins.map
-            (suf: builtins.map (f: "/etc/ssh/ssh_host_${f}_key${suf}") [ "ed25519" "rsa" ])
-            [ "" ".pub" ]));
-      };
-      "/nix/rootfs/current" =
-      {
-        hideMounts = true;
-        directories = [ { directory = "/var/lib/docker"; mode = "0710"; } "/var/lib/flatpak" ]
-          ++ builtins.map (f: "/var/lib/systemd/${f}") [ "linger" "coredump" "backlight" ];
-      };
-      "/nix/nodatacow" =
-      {
-        hideMounts = true;
-        directories =
-          [{ directory = "/var/log/journal"; user = "root"; group = "systemd-journal"; mode = "u=rwx,g=rx+s,o=rx"; }]
-          ++ inputs.lib.optional inputs.config.nixos.virtualization.kvmHost.enable
-            { directory = "/var/lib/libvirt/images"; mode = "0711"; };
-      };
-    }
-    # 挂载 /home/user
-    # 对于集群的工作节点，挂载 /remote/user 到 /home/user
-    # 对于桌面用途的 chn，不需要挂载
-    # 对于其它情况，则挂载 /nix/persistent/home/user 到 /home/user
-    {
-      "${if inputs.config.nixos.model.cluster.nodeType or null == "worker" then "/remote" else "/nix/persistent"}" =
-      {
-        hideMounts = true;
-        directories = builtins.map
-          (user: { directory = "/home/${user}"; inherit user; group = user; mode = "0700"; })
-          (builtins.filter
-            (user: !(user == "chn" && inputs.config.nixos.model.type == "desktop"))
-            inputs.config.nixos.user.users);
-      };
-    }
-    # 挂载更详细的目录
-    # 对于任何情况，`.cache` 都应该在重启后丢失
-    {
-      "/nix/rootfs/current".users = builtins.listToAttrs (builtins.map
-        (user: { name = user; value.directories = [ ".cache" ]; })
-        inputs.config.nixos.user.users);
-    }
-    # 对于桌面用途的 chn，有一些需要 persist 的目录
-    (inputs.lib.mkIf (inputs.config.nixos.model.type == "desktop" && builtins.elem "chn" inputs.config.nixos.user.users)
-    {
-      "/nix/persistent".users.chn.directories =
-      [
-        "bin" "Desktop" "Documents" "Downloads" "Music" "Pictures" "repo" "share" "Public" "Videos" ".config"
-        ".local/share" ".ecdata" { directory = ".mozilla/firefox/default"; mode = "0700"; } ".steam" ".vscode" ".zotero"
-        "Zotero"
-      ];
-    })
-    # 对于集群的工作节点，挂载一些本来由 home-manager 生成的文件，以及一些用来存放 home-manager 生成文件的目录
-    # impermanence 挂载来自 nix store 的文件会导致家目录的权限错误，在 cluster.nix 中直接使用 systemd.mounts 来挂载
-    (inputs.lib.mkIf (inputs.config.nixos.model.cluster.nodeType or null == "worker")
-    {
-      "/nix/persistent".users = builtins.listToAttrs (builtins.map
-        (user: { name = user; value.directories = [ ".config" ".local" ".ssh" ".mozilla" ]; })
-        inputs.config.nixos.user.users);
-      "/nix/rootfs/current".users = builtins.listToAttrs (builtins.map
-        (user: { name = user; value.directories = [ ".zsh" ".yubico" ]; })
-        inputs.config.nixos.user.users);
-    })
-  ];
-}

modules/system/fileSystems/nfs.nix

@@ -10,19 +10,7 @@ inputs:
       (device:
       {
         name = device.value;
-        value =
-        {
-          device = device.name;
-          fsType = "nfs4";
-          neededForBoot = true;
-          options =
-          [
-            # when try to mount at startup, wait 15 minutes before giving up
-            "retry=15" "x-systemd.device-timeout=15min"
-            # sync every seconds
-            "actimeo=1"
-          ];
-        };
+        value = { device = device.name; fsType = "nfs"; neededForBoot = true; };
       })
       (inputs.localLib.attrsToList nfs));
     boot.initrd =

modules/system/font.nix

@@ -9,7 +9,7 @@ inputs:
       [
         noto-fonts source-han-sans source-han-serif source-code-pro hack-font jetbrains-mono nerdfonts hack-font inter
         noto-fonts-color-emoji roboto sarasa-gothic source-han-mono wqy_microhei wqy_zenhei noto-fonts-cjk-sans
-        noto-fonts-emoji corefonts vistafonts vistafonts-chs dejavu_fonts
+        noto-fonts-emoji corefonts vistafonts vistafonts-chs
       ];
       fontconfig.defaultFonts =
       {