init jykang container

This reverts commit 2f34d101de.

README.md

@@ -0,0 +1,26 @@
+This is my NixOS configuration. I use it to manage:
+* some vps serving some websites and services (misskey, synapse), etc.
+* my laptop (Lenovo R9000P 2023), and my tablet (One Netbook One Mix 4).
+* some cluster for scientific computing (vasp, lammps, etc).
+With the following highlights:
+* All binary is compiled for specific CPU (`-march=xxx`, like that on Gentoo). 
+* All packages and configurations are managed by Nix, as much reproducible as possible.
+
+## Using overlay
+
+An overlay is provided through `outputs.overlays.default`, you could use it in your `configuration.nix` like this:
+
+```nix
+{
+  inputs.chn-nixos.url = "github:CHN-beta/nixos";
+  outputs.nixosConfigurations.my-host = inputs.nixpkgs.lib.nixosSystem
+  {
+    modules = [({pkgs, ...}: { config =
+    {
+      nixpkgs.overlays = [ inputs.chn-nixos.overlays.default ];
+      environment.systemPackages = [ pkgs.localPackages.vasp.intel ];
+    };})];
+  };
+}
+```
+

bbb

@@ -1 +0,0 @@
-aaa

devices/nas/default.nix

@@ -61,7 +61,6 @@ inputs:
           publicKey = "xCYRbZEaGloMk7Awr00UR3JcDJy4AzVp4QvGNoyEgFY=";
           wireguardIp = "192.168.83.4";
         };
-        misskey.instances.misskey = {};
       };
     };
   };

devices/nas/secrets.yaml

@@ -3,13 +3,7 @@ xray-client:
 acme:
     token: ENC[AES256_GCM,data:OrYgBRU1VPpkpDzYMFHINfPSHsXEKABdZOcgiAiBJKcreBoaSVHUvg==,iv:XIeZPJhzmUi5ZHKBCYN5UA9HWH1K+26SvcIWVrHAYDA=,tag:3F93syLBZjcHwnRRkUEjlw==,type:str]
 wireguard:
-    privateKey: ENC[AES256_GCM,data:VPlB4wSbWqSYw3rYRwfAMa39xrPcPZfz7sV2Cq3rmOhifnUPwggxnA+51do=,iv:utnyrB6Yfe5O94Oq4HDVFm/lQ9ZBoyvUT68r2G2PdwA=,tag:snm01vA+z2yKK8d2i5i2ig==,type:str]
-nginx:
-    maxmind-license: ENC[AES256_GCM,data:ezBawTyn+oPKKy6sQuj2BQXhnO4PTbxYWRpQR9URCxqD7bFlnmWU1Q==,iv:eD4yLDA209x6HFtDaqyj8kRxTImdyZCgOminHWb9vt4=,tag:mx+qPp4L9jHRvL90XH1RwA==,type:str]
-redis:
-    misskey-misskey: ENC[AES256_GCM,data:daHnurnqW0MI2uHd3gNT+ZczmytRdwBSsHGkCwNH9hJFMJW/U56HtjG5ivOQzYprWJ5uzgN98ivocbwzJEAGfg==,iv:aE9kvEErN06FNPPFQNchbmg/+SJCKT3QzCN/JTlZovk=,tag:iMo3MTssxKKT02zi8gCZPA==,type:str]
-postgresql:
-    misskey_misskey: ENC[AES256_GCM,data:QhsmKzYmAV0kGPhtRjTK7npt/Nop5JM9EFPpD8K6KfUJ48w+r+4vTORmERu7D2+fE3XDXxNZeSJg//bGxMmhfg==,iv:qkjkrqepjQ4kbwoaceQSzEP5TjLsiY7ih/ESj5RFpHw=,tag:UtZVW30xcsbGUjU2HjoUvw==,type:str]
+    privateKey: ENC[AES256_GCM,data:H+CDLqfMV5Kcd42LbrU1GpnyJYB1y0bSRBaRR9jNctmlReADRVuvA1y1zLM=,iv:SztfuX+Tm3bO82VfDOjjP2Bmv7IComa1poZfQ48YXVs=,tag:aA35tsgvZQDexSDgD4RjlQ==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -34,8 +28,8 @@ sops:
             by9Rd0U0bzNiK21BQTNxN1RuQ09DQVkKJmSlzV5ppEkZFljsS17ZWmoI++fz4tJh
             kTdoAStG1zsKASHyZTsmdm3RBDO3qV1KhQC2gC7d4EiwNZngxOOZJg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-10-05T02:43:05Z"
-    mac: ENC[AES256_GCM,data:NyXFwcVCCRfU+QSJVwov38SzRag1vhgfyQ0xtOheKtK/UaA+2Vqiqatp/lKWeri9ltpw5xWBYQnmE6aBHEkrj5RvoXeho3CUWiSqsB/3COn3FSfXGGJ2M642dnCtWqHfTrGNW7bhq/lBisODvtv+SAs108R5yYXhXWotUs/p+W0=,iv:Wsel2unj5X/dBCwt5sLzHmUIqm9c0uqzzpfnUkxq5cc=,tag:a5/I8GWuUOy4F4lOx9TH+w==,type:str]
+    lastmodified: "2025-01-19T03:04:43Z"
+    mac: ENC[AES256_GCM,data:ns1NlfKruRwlUv4u4J5i/lQmaEo0HVxEWZlauWBFO0AqXxdU9+X+MbufxkqqjbfSryJ3bqBSMdsVUNX87rZGoESWoLLiwLIRuRJTx7jtGppNiHN4LaP95TqliATWZAGZr/xUe2xNUrvgRqSgToT8ah6IxyZblTr1brnUMRTI+Gc=,iv:KbkkbkeJUrgNUmFbqCI2ifk0UDUfPJ80LTRTzaFRA9s=,tag:uKzMN2zURmBzWY4XUnOACg==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.9.0
+    version: 3.9.2

devices/pc/container/jykang.nix

@@ -0,0 +1,12 @@
+inputs:
+{
+  config =
+  {
+    nixos =
+    {
+      model.type = "minimal";
+      system.nixpkgs.march = "znver4";
+      hardware.cpus = [ "amd" ];
+    };
+  };
+}

devices/pc/default.nix

@@ -50,7 +50,7 @@ inputs:
         kernel =
         {
           # TODO: switch to cachyos-lts
-          variant = "xanmod-latest";
+          variant = "cachyos";
           patches = [ "hibernate-progress" ];
           modules.modprobeConfig =
             [ "options iwlwifi power_save=0" "options iwlmvm power_scheme=1" "options iwlwifi uapsd_disable=1" ];
@@ -177,5 +177,13 @@ inputs:
     users.users.qemu-libvirtd.extraGroups = [ "disk" ];
     networking.extraHosts = "74.211.99.69 mirism.one beta.mirism.one ng01.mirism.one";
     services.colord.enable = true;
+    containers.jykang =
+    {
+      autoStart = true;
+      privateNetwork = true;
+      hostAddress = "192.168.100.10";
+      localAddress = "192.168.100.11";
+      config = builtins.elemAt (inputs.localLib.mkModules [ ./container/jykang.nix ]) 0;
+    };
   };
 }

devices/srv1/default.nix

@@ -34,25 +34,25 @@ inputs:
             {
               name = "n0"; address = "192.168.178.1";
               cpu = { sockets = 4; cores = 20; threads = 2; };
-              memoryMB = 122880;
+              memoryMB = 112 * 1024;
             };
             srv1-node1 =
             {
               name = "n1"; address = "192.168.178.2";
               cpu = { sockets = 4; cores = 8; threads = 2; };
-              memoryMB = 30720;
+              memoryMB = 56 * 1024;
             };
             srv1-node2 =
             {
               name = "n2"; address = "192.168.178.3";
               cpu = { sockets = 4; cores = 8; threads = 2; };
-              memoryMB = 61440;
+              memoryMB = 56 * 1024;
             };
             srv1-node3 =
             {
               name = "n3"; address = "192.168.178.4";
               cpu = { sockets = 4; cores = 8; threads = 2; };
-              memoryMB = 38912;
+              memoryMB = 32 * 1024;
             };
           };
           partitions =

devices/srv1/node1/default.nix

@@ -11,8 +11,6 @@ inputs:
           { ip = "192.168.178.2"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; };
       };
       services.beesd.instances.root = { device = "/"; hashTableSizeMB = 256; threads = 4; };
-      packages.packages._prebuildPackages =
-        [ inputs.topInputs.self.nixosConfigurations.srv1-node0.config.system.build.toplevel ];
     };
     specialisation.no-share-home.configuration =
     {

devices/srv1/node2/default.nix

@@ -20,8 +20,6 @@ inputs:
         xray.client.enable = true;
         beesd.instances.root = { device = "/"; hashTableSizeMB = 256; threads = 4; };
       };
-      packages.packages._prebuildPackages =
-        [ inputs.topInputs.self.nixosConfigurations.srv1-node0.config.system.build.toplevel ];
       virtualization.kvmHost = { enable = true; gui = true; };
     };
     specialisation.no-share-home.configuration =

devices/srv1/node2/secrets/default.yaml

@@ -0,0 +1,52 @@
+xray-client:
+    uuid: ENC[AES256_GCM,data:U+unsiKt9vNo/EXEpLHR0Ny3DxQEwx7a40KmwZDZki7RQEuM,iv:7w90HNM5lfh2VY20AcUEVdu5X2uxqXxR0hARncmMR60=,tag:xIbKc+9SF5LP/tY/XoGYxA==,type:str]
+users:
+    #ENC[AES256_GCM,data:bAA1+Mx9xsFr,iv:5GWh+DyuRydCKm8K1kaiTJIt4ReEugHFnKYfan6RAE4=,tag:VqcWjIMIYhkSj6f/ZclTVw==,type:comment]
+    xll: ENC[AES256_GCM,data:lqzwlETuKuKa2wh+ickMFiWyprcnIBfRBjri+NWoltxib/LWzEEbyetRc4AKyVaBiDhsOTw6MazPNy2mhcAFwb6pM+QKce5ntA==,iv:VaGQux8MJNPZeHwDpM+yJ47XvOul0qRE8xVdSWjYRhY=,tag:rBWdTPmJX9YsP0l1FtVbJw==,type:str]
+    #ENC[AES256_GCM,data:AgppEXaJcXhQ,iv:gI4nUzfy7w9yqaWlT1NYk1cHdErCJsrlilwYSGxxCdw=,tag:/A6zwbvQdhX9MLfAdXIVqw==,type:comment]
+    zem: ENC[AES256_GCM,data:t0rCwed8EzXbEuwTabzSLUd/Gln3YD9IT56JNVHwlodAvFYwtTDJe3cy7K17TmIkL1Nk/hAGzQ2BIZJxaKq7A5pSNIUO1zqMUQ==,iv:jSKCoNKQ5a91kK19w5mE0lJ9lh391ACq64UtLvJ4kLI=,tag:d6+IrgLyCw05vvLcCF5+yQ==,type:str]
+    #ENC[AES256_GCM,data:s39KO3hHcrOK,iv:ICtP2r9JMjcieHZdyHpj5Z1DympJUcHq2jPpjUwSOzM=,tag:Es3YS+mEg5I3SIujfs50jQ==,type:comment]
+    yjq: ENC[AES256_GCM,data:gOc59J2eiND+qJJRwLYvTymfrjWNRWw8IwLxDdS2cSu0yTN5SWF1eEg+tYmDqqhPmXkIlenL8VyIZD2P+Qi+Vi7l1pZMnneRCw==,iv:TsWOmHlClMgpXbNsCyvs+wkTvvKViAooA36+O4eQesk=,tag:jp5ZO9tlCPNTNZXWXCUEeg==,type:str]
+    #ENC[AES256_GCM,data:JmmZl+8nta5Q,iv:qWGS5i+ntmJ9x3HFClVdfypQKqSTUx827OFu/wxx3HQ=,tag:SzvgJtIQb1Z02GDwkAhveQ==,type:comment]
+    gb: ENC[AES256_GCM,data:pgwGyp/QC+h05grD345pJrJefm4NWd0e6mQEzrsqCbjMi9Ak2nUD+K09mIKQJ39NttC+NQZezRmKUJjDBH50s0O69nBlPOJtgA==,iv:ZLm6KUzD8fTq4YpxhdYjtp7bbDjP7Sy+0fnDO0W5GY0=,tag:H2mNHIQvHe+3YzZ9ITVdOg==,type:str]
+    #ENC[AES256_GCM,data:94hwxSaMkbIB,iv:4Xjukoo7rxeu4SWjwFeLo5fwSX6a8mpkTOIpnOnR/Io=,tag:XOjY6ziyDdMNo53NFSjcJQ==,type:comment]
+    wp: ENC[AES256_GCM,data:9/aVAQskZyQrfhVFVHfpdTWDLdoP2ZO7gG6bNcRpOJEBle3V9XqVSwmLViIIysy4XxoR3cym/7WXB96O3C8feK7sbihaRpT+Dg==,iv:WPnDArVKqV7u3EIQ0CMectK1W6gXKOo37oOybyob3As=,tag:1R/0qjRzif4/sTFSs55NuQ==,type:str]
+    #ENC[AES256_GCM,data:RluXnmnn8CAI,iv:OqzKfed5CARE/KKur0GXDpLBqStEva7YVoQMQX4+FnU=,tag:prOaqWk6ARxEKvnhOnCZhw==,type:comment]
+    hjp: ENC[AES256_GCM,data:Tb9vCi68B88UZc/ZVSxEI+esKOLlFcAPAaMk9FDmkBycZmzDjHfkUKCxVcOMtqeNSluVZ/5IFgowaYbk9ncK6yoYTjXjj1Z0lA==,iv:COs+ijt0h+UygyhWDQV23NRd/xBcfeqz6CO7D+xw7t8=,tag:RaIMaGrgHkidB9vqLR6cNw==,type:str]
+    #ENC[AES256_GCM,data:pymPvP+KjTd2,iv:g5tmBMQevuzES9FVlRten8Vzy5nvgamDNPo6Vy018T4=,tag:sMYZAyyAzEyS5CsAyC7xtw==,type:comment]
+    zzn: ENC[AES256_GCM,data:CJ8cOBjblYIc0GoiPnIbbWfYDfpQW5u31R9T/P0/aVuxi6P44wYYH0posVGthR1laqHIlu8bzgeRyTbBYir/Mw1AGokAnFLEPQ==,iv:dJXFcZ9f3xe3rcPzOLd6AMFh6EyJXlv3/+uR2x9XYsw=,tag:4I1WqtloUSXNeQ6AlVPY5g==,type:str]
+    #ENC[AES256_GCM,data:r1Rl1+lfgMad,iv:9RGwiYlePcXZFDxw5uc1yEwZ4N3lStmE1cGmsj5dPls=,tag:yGChsxZtIzDjMUgIkd+PdA==,type:comment]
+    GROUPIII-1: ENC[AES256_GCM,data:IIZpTdr5jpidbxYCQ+fODOHdoWI51upPI3yxYlrAAd+RE62t6PzAvHKFmKPivbHmQS5RZrJXE7zm9JtwiodRmPl0pYLxYNBpFQ==,iv:WQc1pOungm1gEqYPk/MITbjs1l83ikcys47CARRgoFk=,tag:sS2mXDIWl32ZZzDtictv9g==,type:str]
+    #ENC[AES256_GCM,data:VtrWQKVtCHtA,iv:ap/n2HxQ7dgKOA8rIfenv9LOwwAh1na8+I9O/k/wMxs=,tag:Vl03ortuZ5OS2qcBMnc59g==,type:comment]
+    GROUPIII-2: ENC[AES256_GCM,data:fkxYmHEQnCjx/srKBgjreIR0S7mcXyl1h3H80PFsH3A/yCGnJbFCGK1GW1++Q+tziOnEWCTLZ/l9dlPuB5BFSK7iHiVXtkOfVQ==,iv:z6duWl+LFpS5RJnCGxb3yvgHp96uJYoSsAThWrbGYfg=,tag:AKWisEg506eOgdp/4tLU7g==,type:str]
+    #ENC[AES256_GCM,data:e8HuWaLrvHx5,iv:ZKvfRQtOMV6v3MSCDVoPEsxldI+ZRYJBwrKAD8YZzPc=,tag:tPL3IyjC8f+S+6MoMJSd0A==,type:comment]
+    GROUPIII-3: ENC[AES256_GCM,data:if1S/3AxNLkWvDQJom+4EPRBOpkAPNTkEcqHHLAuEJATSNLlIhVLOPgt10cM4LWx2TdG8V2TcZip9qnr4ABHMsPF5vm6Y53r9Q==,iv:Rba0So8DXJrSC88mjwT8j2AVy84TPm0R6AVf2ZmXNBg=,tag:qiSeYLrw/6QJ7vMiPEZ66A==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3WlJNWmp2VUxpcXR3NE92
+            TnNuLzg0SVZKdmt1cEVZU2FodXZPdmt6Rm5rClhrbDh3SzFlMU9LVFpEZDFLUGZZ
+            d2RBTVNCamNBWFVEVW9FMjYxcUE4Rm8KLS0tIHBwYjlMU2tnUTZweDBYcmZXUC9l
+            OWFUeE9xdldpTUQ3cDFENjU4YUVwSkUKp7yZGpvKMSm6rvsoPbcaqVznL3wzGEXB
+            OGzrmgY083Gyjb5P/0wPY0ShGMWfWQW6vGchoqVuwr4oHKT3APcrIg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age16e7ykphshal6qhwfvat698hl48s8yr0jvzh27ecdyfh5uk7t9u6s753jgy
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWRjBjdGFEMjR6QnQ0a3Nz
+            c2lmVWE0bFh3amRULytZOVhYS3dkL2JmRVhVClVQalh1WjJqcWcxT3ZXMWduN3Nl
+            UzdFNXNQUmtaaTVIVVFVYXkyZEFPUncKLS0tIExrTDA0OEJzQklQOHNJZzBJdzJP
+            MVU1UW9lWFJnSTE2aC9ZL0huYURUK3MK5U4cLWRMm+FFo8ATE/OoAcHzYHFMpOtV
+            Q5kbq5PDMdp4qvoM3T4kLsB34oU55HjFvac0pilOhNRrz4xRMQgvoQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-09-29T06:38:42Z"
+    mac: ENC[AES256_GCM,data:tb6UXalJcNqd1bCJ4pdWQ5lctAXMrwAJsGagNIjtAklVx/0vibEBTvtVdI3CSNA3OuDguyXc/ECGEqlPNpoRq/F5JINfnirEbaBL6KhNkFxaSLVP7mu1u0KH93qhzA2j4jofderpxj+FvOOMVZNuZkrcSPDoufPA/ypY+YaKuu8=,iv:KPyXi7AD6FSmoZKYUDh2zLZnArvdcHau5XZHk8CbwI4=,tag:7T1jUJ7eNkY9VYt2eP+brg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.0

devices/srv1/node2/secrets/munge.key

@@ -0,0 +1,24 @@
+{
+	"data": "ENC[AES256_GCM,data:04fSLZEkne1LqLZNYpy1tFlKTVUgQNuX9L3cL66FVHD+LqGAyWJGlAnduY+fQMZdDhbBdeEnJKXjyQ2jdDCttuqbPRiJQChtD7ztf+oiP877N143iSY2G245aCjIrAzmFORkGZaQT7nD5oxgCPiLqJzkNPzgjN4HIDsVoYz6jtw=,iv:gTbiJmdXN/62/t53ddfDrYlNLe3AoujT4G03eFQXyZs=,tag:eAYfhXPERqsVKFSkcm+Abw==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBb3JtVi92M2JUc3dKVzRt\na1kzNU8ycE1LTmdVZVNFNDNJZmpsTEdCK3hZCjNXajNpcGxXMDJxRjhPMmhFd2la\nZy8xUFZNZXhiVHFtbG9xVmJ3Q2d0NE0KLS0tIDlNWEJqcSsvQTFzc2FxL2F2bVVs\neS9UenMrYXNKbGJVTnZzN3VscWlrRk0K24RHbcTz56GV6AbQt7Yy9+1NClMpQFtk\nf/NO2RYuS0ciHwkJQEw7M48iJuwTSiv1pflXXkNvkl6/I7wPgS/eXw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age16e7ykphshal6qhwfvat698hl48s8yr0jvzh27ecdyfh5uk7t9u6s753jgy",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxSjFQbWd4SUhoOExTdnFk\nd3dVVytZaDAyc1F2eUowdmY0azFKbWJ2Z2pZCnhYQWJtVXVjTTRvTlI4SlVyVHh1\nZlBZTlFheVNKdzN5a0RHM3RkTDhzQncKLS0tIFlpbjRUSzdzS3ZuMW8welNRODdR\nWis0ajQrdUNqVWcwMWF4bVlUaWsrc00KfL/zF2RiAanljrNhRT99i2jPvLySMWXx\nEyzYRuTH8ZGXsX4T2VAPjreBt1ahJ/EgBWmCLibEVK62zWfdquAZKg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-09-20T05:31:41Z",
+		"mac": "ENC[AES256_GCM,data:7kp2KNU4O1yuBdu7cxzg8BytPWiP8hQ0/mWVKPPn4BXjFleyo8KzLC3XZn9Ovt2fHWiF/4hMreOPIDW1W+8n/DedLa2G+zkHiQDVBCyiLJ+FCELvNPdDwR37RvOJ0Oo3RtQaSK2xBhNwS2Qs1G7DemEGFrWXrZ/SeCG5H6bI4X4=,iv:zGG9jcC3McICjeYZd1aGud+VaUhLXg3J/demAqM4vUM=,tag:RINzMA36WfaTRuEy0cTQKQ==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.0"
+	}
+}

devices/srv1/node3/default.nix

@@ -11,8 +11,6 @@ inputs:
           { ip = "192.168.178.4"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; };
       };
       services.beesd.instances.root = { device = "/"; hashTableSizeMB = 256; threads = 4; };
-      packages.packages._prebuildPackages =
-        [ inputs.topInputs.self.nixosConfigurations.srv1-node0.config.system.build.toplevel ];
     };
     specialisation.no-share-home.configuration =
     {

devices/vps6/default.nix

@@ -50,15 +50,7 @@ inputs:
             [ "nix-store" "xn--qbtm095lrg0bfka60z" ]))
           // (builtins.listToAttrs (builtins.map
             (site: { name = "${site}.chn.moe"; value.upstream.address = "wireguard.vps7.chn.moe"; })
-            [
-              "xn--s8w913fdga" "synapse" "syncv3.synapse" "matrix" "syncv3.matrix"
-              "send" "api" "git" "grafana" "peertube"
-            ]))
-          // (builtins.listToAttrs (builtins.map
-            (site: { name = "${site}.chn.moe"; value.upstream.address = "wireguard.nas.chn.moe"; })
-            [
-              "misskey"
-            ]));
+            [ "xn--s8w913fdga" "misskey" "synapse" "matrix" "send" "api" "git" "grafana" "peertube" ]));
           applications =
           {
             element.instances."element.chn.moe" = {};

devices/vps7/default.nix

@@ -35,7 +35,8 @@ inputs:
       {
         sshd = {};
         rsshub.enable = true;
-        misskey.instances.misskey.hostname = "xn--s8w913fdga.chn.moe";
+        misskey.instances =
+          { misskey.hostname = "xn--s8w913fdga.chn.moe"; misskey-old = { port = 9727; redis.port = 3546; }; };
         synapse.instances =
         {
           synapse.matrixHostname = "synapse.chn.moe";
@@ -51,7 +52,7 @@ inputs:
         fz-new-order = {};
         httpapi.enable = true;
         gitea = { enable = true; ssh = {}; };
-        grafana.enable = true;
+        grafana = {};
         fail2ban = {};
         wireguard =
         {

devices/vps7/secrets.yaml

@@ -3,11 +3,12 @@ acme:
 nginx:
     detectAuth:
         chn: ENC[AES256_GCM,data:Gk0TTbnFcsvIgoDcen6B8w==,iv:kvyvygw9zDwaiTQ2vPFTHQex0EWDFg8M8U22AConQFM=,tag:ewAZ/nXxmTOhDAjW/A2OnA==,type:str]
-        led: ENC[AES256_GCM,data:Owax7cyp,iv:NCEKyicVCYZNgxJzlO90heUmwPjfXbZEcyXX09XQKI4=,tag:WMTCVMVCD9sJgAhRUsqvYg==,type:str]
+        led: ENC[AES256_GCM,data:Vb2p9v7U,iv:xJcKgvbc0KAP31uTpFiYlpvPoEHMWH3VkEqqyINKcyk=,tag:X2R+CHFj4N4i7cAK88IoSA==,type:str]
     maxmind-license: ENC[AES256_GCM,data:9aW4QR3K6S+eTqzIjVlNEwkG0wZ4u5jgRfe7CMwRlJlK4AmcS6c45Q==,iv:cPTN1K4Aag5sohGbCQUZHYTvcwAL7AhF+rrY3OvXGPs=,tag:d9GGUMHnfzRz9Cf2U+dBfw==,type:str]
 redis:
     rsshub: ENC[AES256_GCM,data:uPnZIjbnRRoWIHlWkZNZkMpIb3Ujnnpb+AisVSVGFv4sfDAuDlAjt39pRdnWkCXJPqtXjJzQ+FeT34cqxTf8Bg==,iv:/jcyAHkxByFnbkmCAYQwda2QRmhW7L/ICoLuCgsVLCI=,tag:M5Q+dh/Bn7FiNpqQGYus4Q==,type:str]
     misskey-misskey: ENC[AES256_GCM,data:OHjt9o+m++NT5aaFbwBT/wSMdUdgf4zscd/JxjCo5HDhC3WeWMJV7z//kATI5Dg4BWAhvPlL02Vrly4RraIzLw==,iv:sQB4/D2SsOuDR3bTrmlNg7o+6ehFznDsqVc3BX9pK20=,tag:tcwTBt/JhyW8ZTAIWIkWBA==,type:str]
+    misskey-misskey-old: ENC[AES256_GCM,data:amUqMycdXUFvjg66pXKnlZqiESBYMci0k8iYzj824SaEqHl3Nq/I0TjYX++xEUg+RGYyTIcSaj96HUANTKpc1A==,iv:ND1mQLHxltRlOdpJ80ywheGo6hkl7OgRyk9TguJMuTw=,tag:dhCCwnCOnyT2iXdEMK0szg==,type:str]
     nextcloud: ENC[AES256_GCM,data:jwN/CqwkU/5Rd6w75/bV2Yej9b0CoxZaiJEcZXFx+9XUPY3Xg1tQdEr1SALG8xzOEdoL6WBVs14NvrrL25GeTQ==,iv:p5+0AB52QqScJwMhNIrM/7HAcRPdD9Z8xV6uwIDOwIg=,tag:f1XbNDDRXvGl/dkV9Wp2Ug==,type:str]
     send: ENC[AES256_GCM,data:IGxj3cgp+fQBdupfK+IgPEQSPuXdM9LRSLGSATNIkzUWC6sQw1aaKTDuRc8cU2BG6quthRwuWnK/F7k3KrUi8Q==,iv:LI9MkaF4e47FPUyL7AXZpO+CdgF91ScdiqjrE8PZjJ4=,tag:eNugln5M0AhU1xmVWFN7Aw==,type:str]
     synapse-synapse: ENC[AES256_GCM,data:8CVbcN2FG4mRT4PnlOGsS7tDfS+6ojIJFvq2EwItxn1gg2Ghd/Bmx+5tS/Do2FrYp/Xiv1EqucomM50r5bXnmg==,iv:TT7zBKQ4M10XYVCn5aeSu9IqjrIEHHazPUCOTmgRAU0=,tag:0+Q9hZMBVDj1TnHj3xoTBA==,type:str]
@@ -15,6 +16,7 @@ redis:
     peertube: ENC[AES256_GCM,data:cN+cClNV1JD+Z1Wlp07MY7BmLr/EZYZZt04mxKKKN8RG1ZSMGykbc3hd00E14ubhCittJXSPbIWyO63lCGGEPg==,iv:3z1BR0j26LGfXwDDPYU/i8Qx/7529KKoar+xGZanirI=,tag:g/NSGDE1iEYJ1MStrV3rpg==,type:str]
 postgresql:
     misskey_misskey: ENC[AES256_GCM,data:lRbSz7bbiWEdK/cRD41fLvFJF4WYsclKHVykFcU3LIz9vnKlR3VdczzznVqpT7JvG6OUi+TmipJii+0KzXHtdA==,iv:8sBKgVwuDJdThup0KQ6cnAV5O2liwVra1yIpDHVfpMI=,tag:DyUpaHai8ZUyllvZBUm8sg==,type:str]
+    misskey_misskey_old: ENC[AES256_GCM,data:Wwtd+hKI0s7m3PbEPHbnSyTsCkW0x8SYHUiCYuNSNCG8i4RAmiAbONNFfWN2hXnmTmRK79Tx/3GR+L0KMzmNGQ==,iv:BekTELToPQXUdZHyNtkuqKyZeez+moI6k907P7NhA3Q=,tag:A5YB0WIa1RkDCtzeBhiuyA==,type:str]
     synapse_synapse: ENC[AES256_GCM,data:lzaggyuXM1XwsRxFHslsP89r8wEcgi6LNfbcm+pFWj6WLO8y8WaQIdOkiF3D2ToKDwcw5XgSGSt/VAk6lv+GeA==,iv:8WOL3jze797Wz9kSRq7YpY8OS1TBMqHYhfgZlluJlic=,tag:utNhs1AMbGthp6M2c0x67g==,type:str]
     vaultwarden: ENC[AES256_GCM,data:Uz8GJMaLUTQ9pQbZyZLWS4bL5wmt9RvbAwNctAIDt9JrV3FaXxgKjE0MJSGklS55yj/Z/wbO6RCuCK2AWR2VKw==,iv:7hA8YcB88M1qCV8EhFYpHbfPmAZ/7xNqvTMJYZ/UcAY=,tag:mkDHJYmRoYZ/Ct0UmOp9FA==,type:str]
     nextcloud: ENC[AES256_GCM,data:5UpYSMsZgUgEJHg0ou9Z1RTE+YFFUKuXwPtc6L5XxD4GNo8Gd3CvcQSNGAol+5DtyPKF3q1+ZgtScWGrqU1RyA==,iv:Zfm+Oa4eON8WiJzYUkMFawafDwo9pOnOpWkwHYLIKkk=,tag:4ECMla1dFfCrn7lILwWFNA==,type:str]
@@ -127,8 +129,8 @@ sops:
             SnFHS1Z0SXUzTFdEd29KTy9DU3Y3R0UKfhh+rUmWDrf+UGjclP57dHipPLFoXSqy
             HdelmfV6q4/c7ppx2E+oZw3VNgoZCsrxxzYZfwxHJiZb+5vkE0D8iA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-11-13T03:06:27Z"
-    mac: ENC[AES256_GCM,data:aIgKGuyrNWt2etXCtqHXxXwLSTkGhX3wk9NcHXv4u/rkZ3wUz8iJv24whMIN+ZFhQmNV1TLuPncd/O6bYra1YmG0FXSyBkgfQdVbCAR7ys1yXpdz00zcC7zMqm3CeNui89DZH27P5z6cDtNG4Z/dLz6lpln/ummYcdcb+/7KbZQ=,iv:Gl8turVRflUOB3PWqLfwU4JPoy0k9zLKir4CKB9628s=,tag:aJ8PDOfn/XBeklIlSkC2vg==,type:str]
+    lastmodified: "2025-01-19T03:03:26Z"
+    mac: ENC[AES256_GCM,data:Y2V6OGImOqv25o+VMCtdYbD/VWXdyQLq2K0EjKk2hbalKPAK0qnU4NOEDl9Em+39Jxo6LYlDUyXHLNOWo77QGjgztR2pp+xaZmd9g2zRxMXZLiv3khLUX6tIEpI1b1EdgQ2id2D21YxU+89D9Jwxlp6Dd5bcHa4GxPplstha2jw=,iv:deYb0CZ6kaK8epuRQ/jW8flGYlrIHhCfJbF7E6Iw19A=,tag:ZAf4yRhyxoK/SYS0ApRivg==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.9.1
+    version: 3.9.2

dns/config.yaml

@@ -0,0 +1,14 @@
+providers:
+  config:
+    class: octodns.provider.yaml.YamlProvider
+    directory: ./config
+  cloudflare:
+    class: octodns_cloudflare.CloudflareProvider
+    token: env/CLOUDFLARE_TOKEN
+    pagerules: false
+zones:
+  '*':
+    sources:
+      - cloudflare
+    targets:
+      - config

dns/config/chn.moe.yaml

@@ -0,0 +1,186 @@
+? ''
+: - type: A
+    value: 74.211.99.69
+  - type: MX
+    values:
+    - exchange: tuesday.mxrouting.net.
+      preference: 10
+    - exchange: tuesday-relay.mxrouting.net.
+      preference: 20
+  - type: TXT
+    value: v=spf1 include:mxlogin.com -all
+'*.vps4':
+  type: CNAME
+  value: vps4.chn.moe.
+'*.xsession':
+  type: CNAME
+  value: vps3.chn.moe.
+_xlog-challenge.xlog:
+  type: TXT
+  value: chn
+api:
+  type: CNAME
+  value: autoroute.chn.moe.
+autoroute:
+  type: NS
+  values:
+  - ns1.huaweicloud-dns.cn.
+  - ns1.huaweicloud-dns.com.
+  - ns1.huaweicloud-dns.net.
+  - ns1.huaweicloud-dns.org.
+blog:
+  type: CNAME
+  value: vps6.chn.moe.
+catalog:
+  type: CNAME
+  value: vps6.chn.moe.
+coturn:
+  type: CNAME
+  value: vps6.chn.moe.
+element:
+  type: CNAME
+  value: vps6.chn.moe.
+freshrss:
+  type: CNAME
+  value: vps7.chn.moe.
+frp:
+  type: CNAME
+  value: vps6.chn.moe.
+git:
+  type: CNAME
+  value: autoroute.chn.moe.
+grafana:
+  type: CNAME
+  value: autoroute.chn.moe.
+huginn:
+  type: CNAME
+  value: vps7.chn.moe.
+initrd.nas:
+  type: A
+  value: 192.168.1.2
+initrd.vps6:
+  type: CNAME
+  value: vps6.chn.moe.
+initrd.vps7:
+  type: CNAME
+  value: vps7.chn.moe.
+mail:
+  type: CNAME
+  value: tuesday.mxrouting.net.
+matrix:
+  type: CNAME
+  value: autoroute.chn.moe.
+misskey:
+  type: CNAME
+  value: vps6.chn.moe.
+nas:
+  type: A
+  value: 192.168.1.2
+nextcloud:
+  type: CNAME
+  value: vps7.chn.moe.
+nix-store:
+  type: CNAME
+  value: vps6.chn.moe.
+office:
+  type: A
+  value: 210.34.16.60
+peertube:
+  type: CNAME
+  value: autoroute.chn.moe.
+photoprism:
+  type: CNAME
+  value: vps7.chn.moe.
+rsshub:
+  type: CNAME
+  value: vps7.chn.moe.
+send:
+  type: CNAME
+  value: autoroute.chn.moe.
+srv1:
+  type: A
+  value: 59.77.36.250
+srv2:
+  type: CNAME
+  value: office.chn.moe.
+ssh.git:
+  type: CNAME
+  value: vps7.chn.moe.
+sticker:
+  type: CNAME
+  value: vps6.chn.moe.
+synapse:
+  type: CNAME
+  value: autoroute.chn.moe.
+synapse-admin:
+  type: CNAME
+  value: vps6.chn.moe.
+ua:
+  octodns:
+    cloudflare:
+      auto-ttl: true
+  ttl: 300
+  type: CNAME
+  value: vps6.chn.moe.
+vaultwarden:
+  octodns:
+    cloudflare:
+      auto-ttl: true
+  ttl: 300
+  type: CNAME
+  value: vps7.chn.moe.
+vps6:
+  type: A
+  value: 74.211.99.69
+vps6.xserver:
+  type: CNAME
+  value: vps6.chn.moe.
+vps7:
+  type: A
+  value: 144.126.144.62
+webdav:
+  type: CNAME
+  value: vps7.chn.moe.
+webmail:
+  type: CNAME
+  value: tuesday.mxrouting.net.
+wireguard.nas:
+  type: A
+  value: 192.168.83.4
+wireguard.one:
+  type: A
+  value: 192.168.83.5
+wireguard.pc:
+  type: A
+  value: 192.168.83.3
+wireguard.srv1:
+  type: A
+  value: 192.168.83.9
+wireguard.srv2:
+  type: A
+  value: 192.168.83.7
+wireguard.vps6:
+  type: A
+  value: 192.168.83.1
+wireguard.vps7:
+  type: A
+  value: 192.168.83.2
+www:
+  type: CNAME
+  value: vps3.chn.moe.
+x._domainkey:
+  type: TXT
+  value: v=DKIM1\; k=rsa\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv6xvkOMNYyOlY5mCjyL+Wx9PIWljb7WKLurGNnPNrKOrmSKQBAOwKOgv6SWABsuQMSZnoi33QVrqL2pFrGwAnPbhmQSesdAQW/D2ktaTp6iaRCT2eZTGz+dNdi9HCk1Uzkee8hU7L7KZISnNhvOrbBYbaICOwJWVYjk8hqSbIgyhK90IsTmrs9S4E5PSGxLjJ
+    Cpo0X0DPTtPD4ipH7kHnnD5DRO3fkxCvMAuWbnnt5+iUn/NuFQSC//dMqzs+IklBzZWdm/3n3GijkI5XK9rxnvg8V2/bk7SzJy7qeuLJPgbQgVDHCcIJKR0Ugl6CxpqQ8Jvcf0X0AtixVoVEWoyFQIDAQAB
+xlog:
+  type: CNAME
+  value: xlog.autoroute.chn.moe.
+xsession.vps7:
+  type: CNAME
+  value: vps7.chn.moe.
+铜锣湾:
+  type: CNAME
+  value: autoroute.chn.moe.
+铜锣湾实验室:
+  type: CNAME
+  value: vps6.chn.moe.

dns/config/mirism.one.yaml

@@ -0,0 +1,3 @@
+entry:
+  type: CNAME
+  value: vps6.chn.moe.

dns/config/nekomia.moe.yaml

@@ -0,0 +1,3 @@
+? ''
+: type: ALIAS
+  value: vps6.chn.moe.

flake.lock

@@ -25,11 +25,11 @@
     "blog": {
       "flake": false,
       "locked": {
-        "lastModified": 1736655114,
-        "narHash": "sha256-UARA0dfib7ZZSms8r8zrC4VVdc5wdUgrN5pEEYayXLc=",
+        "lastModified": 1736917794,
+        "narHash": "sha256-hPeMx01jxV9YrRil5pdd9byr4bLF/2VgveJwO9v2cgI=",
         "ref": "refs/heads/public",
-        "rev": "dcd52004853ed1f04a67822f9b5ddefa25670692",
-        "revCount": 12,
+        "rev": "f75e004d65761a888bba816d6af860586039ef29",
+        "revCount": 13,
         "type": "git",
         "url": "https://git.chn.moe/chn/blog-public.git"
       },
@@ -674,11 +674,11 @@
     "misskey": {
       "flake": false,
       "locked": {
-        "lastModified": 1732375939,
-        "narHash": "sha256-ZlyBBJniDJ8yS3ALMQ9gfsVUDTzp/U4Pr3SOtE5FttY=",
+        "lastModified": 1737165545,
+        "narHash": "sha256-aQ6MuY3eqx7V7Hk+i1L7aQN1n9pZ8PMareqWUXsEp98=",
         "ref": "refs/heads/chn-mod",
-        "rev": "bb3ae0b9c84126dada9ce7e13a42962a8889eba8",
-        "revCount": 26357,
+        "rev": "e457a9d67945f27c44c470fba36980f32d11ef46",
+        "revCount": 26439,
         "submodules": true,
         "type": "git",
         "url": "https://github.com/CHN-beta/misskey"
@@ -1084,6 +1084,22 @@
         "type": "github"
       }
     },
+    "octodns-cloudflare": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1736639669,
+        "narHash": "sha256-5k6w5e5U1sr7qBJ2tXbmAJi/BMe6qT2W6x53vDEO4xs=",
+        "owner": "octodns",
+        "repo": "octodns-cloudflare",
+        "rev": "51c34b65b3405adeca395c0bba8b1b97af672f9d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "octodns",
+        "repo": "octodns-cloudflare",
+        "type": "github"
+      }
+    },
     "openxlsx": {
       "flake": false,
       "locked": {
@@ -1238,6 +1254,7 @@
         "nu-scripts": "nu-scripts",
         "nur-linyinfeng": "nur-linyinfeng",
         "nur-xddxdd": "nur-xddxdd",
+        "octodns-cloudflare": "octodns-cloudflare",
         "openxlsx": "openxlsx",
         "plasma-manager": "plasma-manager",
         "pocketfft": "pocketfft",

flake.nix

@@ -70,6 +70,7 @@
     highfive = { url = "git+https://github.com/CHN-beta/HighFive?submodules=1"; flake = false; };
     stickerpicker = { url = "github:maunium/stickerpicker"; flake = false; };
     fancy-motd = { url = "github:CHN-beta/fancy-motd"; flake = false; };
+    octodns-cloudflare = { url = "github:octodns/octodns-cloudflare"; flake = false; };
   };
 
   outputs = inputs: let localLib = import ./flake/lib.nix inputs.nixpkgs.lib; in

modules/packages/server.nix

@@ -35,6 +35,7 @@ inputs:
         nix-output-monitor nix-tree ssh-to-age nix-inspect
         # development
         gdb try inputs.topInputs.plasma-manager.packages.${inputs.pkgs.system}.rc2nix rr hexo-cli gh nix-init hugo
+        (octodns.withProviders (_: [ localPackages.octodns-cloudflare ]))
         # stupid things
         toilet lolcat localPackages.stickerpicker graph-easy
         # office

modules/packages/zsh/default.nix

@@ -27,6 +27,8 @@ inputs:
             plugins = [ "git" "colored-man-pages" "extract" "history-substring-search" "autojump" ];
             theme = inputs.lib.mkDefault "clean";
           };
+          # ensure ~/.zlogin exists
+          loginExtra = " ";
         };
         # set bash history file path, avoid overwriting zsh history
         bash = { enable = true; historyFile =  "${home-inputs.config.xdg.dataHome}/bash/bash_history"; };

modules/services/grafana.nix

@@ -1,17 +1,18 @@
 inputs:
 {
-  options.nixos.services.grafana = let inherit (inputs.lib) mkOption types; in
+  options.nixos.services.grafana = let inherit (inputs.lib) mkOption types; in mkOption
   {
-    enable = mkOption { type = types.bool; default = false; };
-    hostname = mkOption { type = types.str; default = "grafana.chn.moe"; };
-  };
-  config =
-    let
-      inherit (inputs.config.nixos.services) grafana;
-      inherit (inputs.lib) mkIf;
-    in mkIf grafana.enable
+    type = types.nullOr (types.submodule { options =
     {
-      services.grafana =
+      hostname = mkOption { type = types.str; default = "grafana.chn.moe"; };
+    };});
+    default = null;
+  };
+  config = let inherit (inputs.config.nixos.services) grafana; in inputs.lib.mkIf (grafana != null)
+  {
+    services =
+    {
+      grafana =
       {
         enable = true;
         declarativePlugins = with inputs.pkgs.grafanaPlugins; [];
@@ -44,24 +45,57 @@ inputs:
             password = "$__file{${inputs.config.sops.secrets."grafana/db".path}}";
           };
         };
-      };
-      nixos.services =
-      {
-        nginx =
+        provision =
         {
           enable = true;
-          https."${grafana.hostname}".location."/".proxy =
-            { upstream = "http://127.0.0.1:3001"; websocket = true; };
+          datasources.settings =
+          {
+            # prune = true;
+            datasources =
+            [{
+              name = "Prometheus";
+              type = "prometheus";
+              access = "proxy";
+              url = "http://localhost:9090";
+              editable = false;
+            }];
+          };
         };
-        postgresql.instances.grafana = {};
       };
-      sops.secrets = let owner = inputs.config.systemd.services.grafana.serviceConfig.User; in
+      prometheus =
       {
-        "grafana/mail" = { owner = owner; key = "mail/bot"; };
-        "grafana/secret".owner = owner;
-        "grafana/chn".owner = owner;
-        "grafana/db" = { owner = owner; key = "postgresql/grafana"; };
-        "mail/bot" = {};
+        enable = true;
+        exporters =
+        {
+          node = { enable = true; enabledCollectors = [ "systemd" ]; };
+        };
+        scrapeConfigs =
+        [{
+          job_name = "lapetus";
+          static_configs =
+            [{ targets = [ "127.0.0.1:${toString inputs.config.services.prometheus.exporters.node.port}" ]; }];
+        }];
       };
     };
+    nixos.services =
+    {
+      nginx =
+      {
+        enable = true;
+        https."${grafana.hostname}".location."/".proxy =
+          { upstream = "http://127.0.0.1:3001"; websocket = true; };
+      };
+      postgresql.instances.grafana = {};
+    };
+    sops.secrets = let owner = inputs.config.systemd.services.grafana.serviceConfig.User; in
+    {
+      "grafana/mail" = { owner = owner; key = "mail/bot"; };
+      "grafana/secret".owner = owner;
+      "grafana/chn".owner = owner;
+      "grafana/db" = { owner = owner; key = "postgresql/grafana"; };
+      "mail/bot" = {};
+    };
+    environment.persistence."/nix/nodatacow".directories =
+      [{ directory = "/var/lib/prometheus2"; user = "prometheus"; group = "prometheus"; mode = "0700"; }];
+  };
 }

modules/services/misskey.nix

@@ -4,137 +4,131 @@ inputs:
   {
     type = types.attrsOf (types.submodule { options =
     {
-      autoStart = mkOption { type = types.bool; default = true; };
       port = mkOption { type = types.ints.unsigned; default = 9726; };
       redis.port = mkOption { type = types.ints.unsigned; default = 3545; };
       hostname = mkOption { type = types.nonEmptyStr; default = "misskey.chn.moe"; };
     };});
     default = {};
   };
-  config =
-    let
-      inherit (inputs.config.nixos.services) misskey;
-      inherit (inputs.localLib) attrsToList;
-      inherit (inputs.lib) mkMerge mkIf;
-      inherit (builtins) map listToAttrs toString replaceStrings filter;
-    in
-    {
-      systemd = mkMerge (map
-        (instance:
-        {
-          services."misskey-${instance.name}" = rec
-          {
-            enable = instance.value.autoStart;
-            description = "misskey ${instance.name}";
-            after = [ "network.target" "redis-misskey-${instance.name}.service" "postgresql.service" ];
-            requires = after;
-            wantedBy = [ "multi-user.target" ];
-            environment.MISSKEY_CONFIG_YML = inputs.config.sops.templates."misskey/${instance.name}.yml".path;
-            serviceConfig = rec
-            {
-              User = inputs.config.users.users."misskey-${instance.name}".name;
-              Group = inputs.config.users.users."misskey-${instance.name}".group;
-              WorkingDirectory = "/var/lib/misskey/${instance.name}/work";
-              ExecStart = "${WorkingDirectory}/bin/misskey";
-              CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
-              AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
-              Restart = "always";
-            };
-          };
-          tmpfiles.rules = let dir = "/var/lib/misskey/${instance.name}/files"; owner = "misskey-${instance.name}"; in
-            [ "d ${dir} 0700 ${owner} ${owner}" "Z ${dir} - ${owner} ${owner}" ];
-        })
-        (attrsToList misskey.instances));
-      fileSystems = mkMerge (map
-        (instance:
-        {
-          "/var/lib/misskey/${instance.name}/work" =
-          {
-            device = "${inputs.pkgs.localPackages.misskey}";
-            options = [ "bind" "private" "x-gvfs-hide" "X-fstrim.notrim" ];
-          };
-          "/var/lib/misskey/${instance.name}/work/files" =
-          {
-            device = "/var/lib/misskey/${instance.name}/files";
-            options = [ "bind" "private" "x-gvfs-hide" "X-fstrim.notrim" ];
-          };
-        })
-        (attrsToList misskey.instances));
-      sops.templates = listToAttrs (map
-        (instance:
-        {
-          name = "misskey/${instance.name}.yml";
-          value =
-          {
-            content =
-              let
-                placeholder = inputs.config.sops.placeholder;
-                redis = inputs.config.nixos.services.redis.instances."misskey-${instance.name}";
-              in
-              ''
-                url: https://${instance.value.hostname}/
-                port: ${toString instance.value.port}
-                db:
-                  host: 127.0.0.1
-                  port: 5432
-                  db: misskey_${replaceStrings [ "-" ] [ "_" ] instance.name}
-                  user: misskey_${replaceStrings [ "-" ] [ "_" ] instance.name}
-                  pass: ${placeholder."postgresql/misskey_${replaceStrings [ "-" ] [ "_" ] instance.name}"}
-                  extra:
-                    statement_timeout: 600000
-                dbReplications: false
-                redis:
-                  host: 127.0.0.1
-                  port: ${toString redis.port}
-                  pass: ${placeholder."redis/misskey-${instance.name}"}
-                id: 'aid'
-                proxyBypassHosts:
-                  - api.deepl.com
-                  - api-free.deepl.com
-                  - www.recaptcha.net
-                  - hcaptcha.com
-                  - challenges.cloudflare.com
-                proxyRemoteFiles: true
-                signToActivityPubGet: true
-                maxFileSize: 1073741824
-              '';
-            owner = inputs.config.users.users."misskey-${instance.name}".name;
-          };
-        })
-        (attrsToList misskey.instances));
-      users = mkMerge (map
-        (instance:
-        {
-          users."misskey-${instance.name}" =
-          {
-            uid = inputs.config.nixos.user.uid."misskey-${instance.name}";
-            group = "misskey-${instance.name}";
-            home = "/var/lib/misskey/${instance.name}";
-            createHome = true;
-            isSystemUser = true;
-          };
-          groups."misskey-${instance.name}".gid = inputs.config.nixos.user.gid."misskey-${instance.name}";
-        })
-        (attrsToList misskey.instances));
-      nixos.services =
+  config = let inherit (inputs.config.nixos.services) misskey; in
+  {
+    systemd = inputs.lib.mkMerge (builtins.map
+      (instance:
       {
-        redis.instances = listToAttrs (map
-          (instance: { name = "misskey-${instance.name}"; value.port = instance.value.redis.port; })
-          (attrsToList misskey.instances));
-        postgresql.instances = listToAttrs (map
-          (instance: { name = "misskey_${replaceStrings [ "-" ] [ "_" ] instance.name}"; value = {}; })
-          (attrsToList misskey.instances));
-        nginx =
+        services."misskey-${instance.name}" = rec
         {
-          enable = mkIf (misskey.instances != {}) true;
-          https = listToAttrs (map
-            (instance: with instance.value;
-            {
-              name = hostname;
-              value.location."/".proxy = { upstream = "http://127.0.0.1:${toString port}"; websocket = true; };
-            })
-            (attrsToList misskey.instances));
+          description = "misskey ${instance.name}";
+          after = [ "network.target" "redis-misskey-${instance.name}.service" "postgresql.service" ];
+          requires = after;
+          wantedBy = [ "multi-user.target" ];
+          environment.MISSKEY_CONFIG_YML = inputs.config.sops.templates."misskey/${instance.name}.yml".path;
+          serviceConfig = rec
+          {
+            User = "misskey-${instance.name}";
+            Group = "misskey-${instance.name}";
+            WorkingDirectory = "/var/lib/misskey/${instance.name}/work";
+            ExecStart = "${WorkingDirectory}/bin/misskey";
+            CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+            AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+            Restart = "always";
+          };
         };
+        tmpfiles.rules = let dir = "/var/lib/misskey/${instance.name}/files"; owner = "misskey-${instance.name}"; in
+          [ "d ${dir} 0700 ${owner} ${owner}" "Z ${dir} - ${owner} ${owner}" ];
+      })
+      (inputs.localLib.attrsToList misskey.instances));
+    fileSystems = inputs.lib.mkMerge (builtins.map
+      (instance:
+      {
+        "/var/lib/misskey/${instance.name}/work" =
+        {
+          device = "${inputs.pkgs.localPackages.misskey}";
+          options = [ "bind" "private" "x-gvfs-hide" "X-fstrim.notrim" ];
+        };
+        "/var/lib/misskey/${instance.name}/work/files" =
+        {
+          device = "/var/lib/misskey/${instance.name}/files";
+          options = [ "bind" "private" "x-gvfs-hide" "X-fstrim.notrim" ];
+        };
+      })
+      (inputs.localLib.attrsToList misskey.instances));
+    sops.templates = builtins.listToAttrs (builtins.map
+      (instance:
+      {
+        name = "misskey/${instance.name}.yml";
+        value =
+        {
+          content =
+            let
+              placeholder = inputs.config.sops.placeholder;
+              redis = inputs.config.nixos.services.redis.instances."misskey-${instance.name}";
+            in
+            ''
+              url: https://${instance.value.hostname}/
+              port: ${toString instance.value.port}
+              db:
+                host: 127.0.0.1
+                port: 5432
+                db: misskey_${builtins.replaceStrings [ "-" ] [ "_" ] instance.name}
+                user: misskey_${builtins.replaceStrings [ "-" ] [ "_" ] instance.name}
+                pass: ${placeholder."postgresql/misskey_${builtins.replaceStrings [ "-" ] [ "_" ] instance.name}"}
+                extra:
+                  statement_timeout: 600000
+              dbReplications: false
+              redis:
+                host: 127.0.0.1
+                port: ${builtins.toString redis.port}
+                pass: ${placeholder."redis/misskey-${instance.name}"}
+              id: 'aid'
+              proxyBypassHosts:
+                - api.deepl.com
+                - api-free.deepl.com
+                - www.recaptcha.net
+                - hcaptcha.com
+                - challenges.cloudflare.com
+              proxyRemoteFiles: true
+              signToActivityPubGet: true
+              maxFileSize: 1073741824
+              fulltextSearch:
+                provider: sqlPgroonga
+            '';
+          owner = "misskey-${instance.name}";
+        };
+      })
+      (inputs.localLib.attrsToList misskey.instances));
+    users = inputs.lib.mkMerge (builtins.map
+      (instance:
+      {
+        users."misskey-${instance.name}" =
+        {
+          uid = inputs.config.nixos.user.uid."misskey-${instance.name}";
+          group = "misskey-${instance.name}";
+          home = "/var/lib/misskey/${instance.name}";
+          createHome = true;
+          isSystemUser = true;
+        };
+        groups."misskey-${instance.name}".gid = inputs.config.nixos.user.gid."misskey-${instance.name}";
+      })
+      (inputs.localLib.attrsToList misskey.instances));
+    nixos.services =
+    {
+      redis.instances = builtins.listToAttrs (builtins.map
+        (instance: { name = "misskey-${instance.name}"; value.port = instance.value.redis.port; })
+        (inputs.localLib.attrsToList misskey.instances));
+      postgresql.instances = builtins.listToAttrs (builtins.map
+        (instance: { name = "misskey_${builtins.replaceStrings [ "-" ] [ "_" ] instance.name}"; value = {}; })
+        (inputs.localLib.attrsToList misskey.instances));
+      nginx =
+      {
+        enable = inputs.lib.mkIf (misskey.instances != {}) true;
+        https = builtins.listToAttrs (builtins.map
+          (instance: with instance.value;
+          {
+            name = hostname;
+            value.location."/".proxy = { upstream = "http://127.0.0.1:${toString port}"; websocket = true; };
+          })
+          (inputs.localLib.attrsToList misskey.instances));
       };
     };
+  };
 }

modules/services/nginx/applications/sticker/web/packs/index.json

@@ -2,7 +2,18 @@
   "packs": [
     "Mare_by_WuMingv2Bot.json",
     "line_191054124446_by_moe_sticker_bot.json",
-    "Sakurada_Shiro.json"
+    "Sakurada_Shiro.json",
+    "loli_DaiSi_by_WuMingv2Bot.json",
+    "listentoweiwei_by_WuMingv2Bot.json",
+    "csaexi.json",
+    "wechat_transfer_zhcn.json",
+    "teamtimothy_bilibili.json",
+    "line26158619ac0d_by_moe_sticker_bot.json",
+    "LINE_nachonekodayo.json",
+    "zhehelima.json",
+    "TheDonaldTrump.json",
+    "line_173195293297_by_moe_sticker_bot.json",
+    "line261586194a0d_by_moe_sticker_bot.json"
   ],
   "homeserver_url": "https://matrix.chn.moe"
 }

modules/services/postgresql.nix

@@ -22,7 +22,8 @@ inputs:
       postgresql =
       {
         enable = true;
-        package = inputs.pkgs.postgresql_15;
+        package = inputs.pkgs.postgresql_17;
+        extensions = ps: with ps; [ pgroonga ];
         enableTCPIP = true;
         authentication = "host all all 0.0.0.0/0 md5";
         settings =

modules/services/synapse.nix

@@ -195,6 +195,8 @@ inputs:
                 ];
                 max_image_pixels = "32M";
                 dynamic_thumbnails = false;
+                # this is required for displaying thumbnails in sticker widgets
+                enable_authenticated_media = false;
               });
           };
           secrets = (listToAttrs (map

modules/system/fileSystems/cluster.nix

@@ -7,11 +7,7 @@ inputs:
       { nixos.services.nfs = { root = "/"; exports = [ "/nix/persistent/home" ]; accessLimit = "192.168.178.0/24"; }; })
     # for cluster worker, mount nfs, disable some home manager files
     (inputs.lib.mkIf (inputs.config.nixos.model.cluster.nodeType or null == "worker")
-    {
-      nixos.system.fileSystems.mount.nfs = builtins.listToAttrs (builtins.map
-        (user: { name = "192.168.178.1:/nix/persistent/home/${user}"; value = "/home/${user}"; })
-        inputs.config.nixos.user.users);
-    })
+      { nixos.system.fileSystems.mount.nfs."192.168.178.1:/nix/persistent/home" = "/remote/home"; })
     # 将一部分由 home-manager 生成软链接的文件改为直接挂载，以兼容集群的设置
     {
       home-manager.users = builtins.listToAttrs (builtins.map
@@ -23,21 +19,18 @@ inputs:
             [ ".zshrc" ".zshenv" ".profile" ".bashrc" ".bash_profile" ".zlogin" ]);
         })
         inputs.config.nixos.user.users);
-      systemd.mounts = builtins.filter (mount: mount != null) (builtins.concatLists (builtins.map
+      systemd.mounts = builtins.concatLists (builtins.map
         (user: builtins.map
           (file:
-            let f = inputs.config.home-manager.users.${user}.config.home.file.${file}.source or null;
-            in if f == null then null else
-            {
-              what = "${f}";
-              where = "/home/${user}/${file}";
-              options = [ "bind" ];
-              wantedBy = [ "local-fs.target" ];
-            }
-          )
+          {
+            what = "${inputs.config.home-manager.users.${user}.home.file.${file}.source}";
+            where = "/home/${user}/${file}";
+            options = "bind";
+            wantedBy = [ "local-fs.target" ];
+          })
           [ ".zshrc" ".zshenv" ".profile" ".bashrc" ".bash_profile" ".zlogin" ]
         )
-        inputs.config.nixos.user.users));
+        inputs.config.nixos.user.users);
     }
   ];
 }

modules/system/fileSystems/impermanence.nix

@@ -33,16 +33,19 @@ inputs:
       };
     }
     # 挂载 /home/user
-    # 对于集群的工作节点，不做任何事情，这些目录已经挂载好
+    # 对于集群的工作节点，挂载 /remote/user 到 /home/user
     # 对于桌面用途的 chn，不需要挂载
     # 对于其它情况，则挂载 /nix/persistent/home/user 到 /home/user
     {
-      "/nix/persistent".directories = builtins.map
-        (user: { directory = "/home/${user}"; inherit user; group = user; mode = "0700"; })
-        (builtins.filter
-          (user: !(user == "chn" && inputs.config.nixos.model.type == "desktop"
-            || inputs.config.nixos.model.cluster.nodeType or null == "worker"))
-          inputs.config.nixos.user.users);
+      "${if inputs.config.nixos.model.cluster.nodeType or null == "worker" then "/remote" else "/nix/persistent"}" =
+      {
+        hideMounts = true;
+        directories = builtins.map
+          (user: { directory = "/home/${user}"; inherit user; group = user; mode = "0700"; })
+          (builtins.filter
+            (user: !(user == "chn" && inputs.config.nixos.model.type == "desktop"))
+            inputs.config.nixos.user.users);
+      };
     }
     # 挂载更详细的目录
     # 对于任何情况，`.cache` 都应该在重启后丢失

modules/system/grub.nix

@@ -2,7 +2,7 @@ inputs:
 {
   options.nixos.system.grub = let inherit (inputs.lib) mkOption types; in
   {
-    timeout = mkOption { type = types.int; default = if inputs.config.nixos.model.type == "server" then 15 else 5; };
+    timeout = mkOption { type = types.int; default = 15; };
     windowsEntries = mkOption { type = types.attrsOf types.nonEmptyStr; default = {}; };
     # "efi" using efi, "efiRemovable" using efi with install grub removable, or dev path like "/dev/sda" using bios
     installDevice = mkOption { type = types.str; default = "efi"; };

modules/system/kernel/default.nix

@@ -92,9 +92,9 @@ inputs:
         { boot.initrd = { systemd.enableTpm2 = false; includeDefaultModules = false; }; }
     )
     # enable scx when using cachyos
-    # (
-    #   inputs.lib.mkIf (builtins.elem kernel.variant [ "cachyos" "cachyos-lto" "cachyos-server" ])
-    #     { services.scx = { enable = true; scheduler = "scx_lavd"; extraArgs = [ "--autopower" ]; }; }
-    # )
+    (
+      inputs.lib.mkIf (builtins.elem kernel.variant [ "cachyos" "cachyos-lto" "cachyos-server" ])
+        { services.scx = { enable = true; scheduler = "scx_lavd"; extraArgs = [ "--autopower" ]; }; }
+    )
   ];
 }

modules/user/chn/plasma/autostart.nix

@@ -65,7 +65,6 @@ inputs:
           value.source = programs.${file}.path;
         })
         (devices.${inputs.config.nixos.model.hostname} or []));
-    environment.persistence."/nix/rootfs/current".users.chn.directories =
-      inputs.lib.mkIf (inputs.config.nixos.model.cluster.nodeType or null != "worker") [ ".config/autostart" ];
+    environment.persistence."/nix/rootfs/current".users.chn.directories = [ ".config/autostart" ];
   };
 }

modules/user/chn/plasma/konsole.nix

@@ -68,7 +68,6 @@ inputs:
         (builtins.readFile "${inputs.pkgs.konsole}/share/konsole/Breeze.colorscheme");
     };
     environment.persistence."/nix/rootfs/current".users.chn.directories =
-      inputs.lib.mkIf (inputs.config.nixos.model.cluster.nodeType or null != "worker")
-        [ ".local/share/konsole" ".local/share/yakuake" ];
+      [ ".local/share/konsole" ".local/share/yakuake" ];
   };
 }

packages/default.nix

@@ -118,6 +118,8 @@ inputs: rec
   highfive = inputs.pkgs.callPackage ./highfive.nix { src = inputs.topInputs.highfive; };
   stickerpicker = inputs.pkgs.python3Packages.callPackage ./stickerpicker.nix { src = inputs.topInputs.stickerpicker; };
   nglview = inputs.pkgs.python3Packages.callPackage ./nglview.nix { src = inputs.topInputs.self.src.nglview; };
+  octodns-cloudflare = inputs.pkgs.python3Packages.callPackage ./octodns-cloudflare.nix
+    { src = inputs.topInputs.octodns-cloudflare; };
 
   fromYaml = content: builtins.fromJSON (builtins.readFile
     (inputs.pkgs.runCommand "toJSON" {}

packages/nvhpc/mpi.nix

@@ -2,7 +2,7 @@
 {
   requireFile, stdenv, lib,
   perl, libnl, rdma-core, zlib, numactl, libevent, hwloc, libpsm2, libfabric, pmix, ucx, ucc, prrte
-}: stdenv.mkDerivation
+}: stdenv.mkDerivation rec
 {
   name = "openmpi";
   src = requireFile
@@ -64,4 +64,5 @@
 
   enableParallelBuilding = true;
   doCheck = true;
+  postInstall = "ln -s ${src} $out/src";
 }

packages/octodns-cloudflare.nix

@@ -0,0 +1,13 @@
+{
+  src, buildPythonPackage, setuptools,
+  requests, octodns, dnspython
+}:
+buildPythonPackage
+{
+  name = "octodns-cloudflare";
+  pyproject = true;
+  inherit src;
+  nativeBuildInputs = [ setuptools ];
+  propagatedBuildInputs = [ octodns dnspython requests ];
+  env.OCTODNS_RELEASE = 1;
+}

packages/sbatch-tui/src/main.cpp

@@ -215,6 +215,8 @@ int main()
   // 进入事件循环
   while (true)
   {
+    // 开始之前需要先刷新状态
+    refresh_state();
     screen.Loop(request_interface);
     if (state.user_command == "quit") return 0;
     else if (state.user_command == "continue")