services.xray: use dae

devices/nas/default.nix

@@ -37,14 +37,14 @@ inputs:
             delayedMount = [ "/" "/nix" ];
           };
           swap = [ "/nix/swap/swap" ];
-          rollingRootfs.waitDevices = [ "/dev/mapper/root2" ];
+          rollingRootfs.device = "/dev/mapper/root1";
         };
         initrd.sshd.enable = true;
         grub.installDevice = "efi";
         nixpkgs.march = "silvermont";
         nix.substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
         kernel.patches = [ "cjktty" "lantian" ];
-        networking = { hostname = "nas"; networkd = {}; };
+        networking.hostname = "nas";
         gui.preferred = false;
       };
       hardware = { cpus = [ "intel" ]; gpu.type = "intel"; };
@@ -60,14 +60,18 @@ inputs:
           shares = { home.path = "/home"; root.path = "/"; };
         };
         sshd.enable = true;
-        xray.client = {};
+        xray.client.enable = true;
         xrdp = { enable = true; hostname = [ "nas.chn.moe" "office.chn.moe" ]; };
-        groupshare = {};
+        groupshare.enable = true;
         smartd.enable = true;
-        beesd.instances =
+        beesd =
         {
-          root = { device = "/"; hashTableSizeMB = 4096; threads = 4; };
-          nix = { device = "/nix"; hashTableSizeMB = 128; };
+          enable = true;
+          instances =
+          {
+            root = { device = "/"; hashTableSizeMB = 4096; threads = 4; };
+            nix = { device = "/nix"; hashTableSizeMB = 128; };
+          };
         };
         frpClient =
         {
@@ -85,7 +89,7 @@ inputs:
           wireguardIp = "192.168.83.4";
         };
       };
-      user.users = [ "chn" "xll" "zem" "yjq" "gb" ];
+      users.users = [ "chn" "xll" "zem" "yjq" "gb" ];
     };
   };
 }

devices/pc/default.nix

@@ -10,16 +10,16 @@ inputs:
         {
           mount =
           {
-            vfat."/dev/disk/by-uuid/E58F-416A" = "/boot/efi";
+            vfat."/dev/disk/by-uuid/3F57-0EBE" = "/boot/efi";
             btrfs =
             {
-              "/dev/disk/by-uuid/066be4fd-8617-4fe1-9654-c133c2996d33"."/" = "/boot";
+              "/dev/disk/by-uuid/02e426ec-cfa2-4a18-b3a5-57ef04d66614"."/" = "/boot";
               "/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
             };
           };
           decrypt.auto =
           {
-            "/dev/disk/by-uuid/4c73288c-bcd8-4a7e-b683-693f9eed2d81" = { mapper = "root"; ssd = true; };
+            "/dev/disk/by-uuid/55fdd19f-0f1d-4c37-bd4e-6df44fc31f26" = { mapper = "root"; ssd = true; };
             "/dev/disk/by-uuid/4be45329-a054-4c20-8965-8c5b7ee6b35d" =
               { mapper = "swap"; ssd = true; before = [ "root" ]; };
           };
@@ -50,11 +50,10 @@ inputs:
             # SERIALIZE SGX WAITPKG WIDEKL XSAVE XSAVEOPT
             "alderlake"
           ];
-          remote.master = { enable = true; hosts = [ "xmupc1" "xmupc2" ]; };
         };
         nixpkgs =
           { march = "znver4"; cuda = { enable = true; capabilities = [ "8.9" ]; forwardCompat = false; }; };
-        kernel = { varient = "cachyos"; patches = [ "cjktty" "hibernate-progress" ]; };
+        kernel.patches = [ "cjktty" "lantian" "hibernate-progress" ];
         networking.hostname = "pc";
         sysctl.laptop-mode = 5;
       };
@@ -78,7 +77,7 @@ inputs:
       };
       services =
       {
-        # snapper.enable = true;
+        snapper.enable = true;
         fontconfig.enable = true;
         samba =
         {
@@ -94,11 +93,9 @@ inputs:
           };
         };
         sshd.enable = true;
-        xray.client.dnsmasq.hosts = builtins.listToAttrs (builtins.map
-          (name: { inherit name; value = "74.211.99.69"; })
-          [ "mirism.one" "beta.mirism.one" "ng01.mirism.one" "initrd.vps6.chn.moe" ]);
+        xray.client.enable = true;
         firewall.trustedInterfaces = [ "virbr0" "waydroid0" ];
-        acme.cert."debug.mirism.one" = {};
+        acme = { enable = true; cert."debug.mirism.one" = {}; };
         frpClient =
         {
           enable = true;
@@ -109,7 +106,7 @@ inputs:
         nix-serve = { enable = true; hostname = "nix-store.chn.moe"; };
         smartd.enable = true;
         misskey.instances.misskey.hostname = "xn--qbtm095lrg0bfka60z.chn.moe";
-        beesd.instances.root = { device = "/"; hashTableSizeMB = 4096; threads = 4; };
+        beesd = { enable = true; instances.root = { device = "/"; hashTableSizeMB = 4096; threads = 4; }; };
         wireguard =
         {
           enable = true;
@@ -118,16 +115,11 @@ inputs:
           wireguardIp = "192.168.83.3";
         };
         gamemode = { enable = true; drmDevice = 1; };
-        slurm = { enable = true; cpu = { cores = 16; threads = 2; }; memoryMB = 90112; gpus."4060" = 1; };
-        xrdp =
-        {
-          enable = true;
-          hostname = [ "pc.chn.moe" ];
-        };
+        slurm = { enable = true; cpu = { cores = 16; threads = 2; }; memoryMB = 94208; gpus."4060" = 1; };
+        xrdp = { enable = true; hostname = [ "pc.chn.moe" ]; };
       };
       bugs = [ "xmunet" "backlight" "amdpstate" ];
     };
-    networking.extraHosts = "74.211.99.69 mirism.one beta.mirism.one ng01.mirism.one";
     services.colord.enable = true;
     virtualisation.virtualbox.host = { enable = true; enableExtensionPack = true; };
     specialisation =

devices/pc/secrets/default.yaml

@@ -20,8 +20,6 @@ wireguard:
     privateKey: ENC[AES256_GCM,data:oIpiXJvEoyryS4eEutoe85Af0L5a5iNuOsCWCat9KEhr2ecY/vRimk/1fbA=,iv:dm2hTSNX7Q38yASon5o1jxEJZbWPXUWYydXYMBHF/sE=,tag:yrANhwIF/wHQGHGA1bfPgw==,type:str]
 mariadb:
     slurm: ENC[AES256_GCM,data:fGvNMmqk7Cee28VJ1QoBVrBbgIUbj/F1W0SRjdP8N4K/M8Wx4AVm1kAr0IAhPWyDLXlIjM1NUvuEV5BpYDBdjg==,iv:rFTMJ4x2kgENQUA8ftSaLjdOc25i5mWR3UYbdq54vjs=,tag:6feD0eCSv7bcHWBveLNJwg==,type:str]
-nix:
-    remote: ENC[AES256_GCM,data:uosYkxTCB0wiY+Uufk//OcBZFN3EzbZoQGZ95M9eZMjQ5AobAZqosi4laE+EMcZL1CqYqlWXaSoEUOB8biUaZPseo+1AX1TlmUgZ7QpkfOX0VKZu01C6C+lVyqVqMFq6z1BFyX/oeITMIfnd4a/2KwJCHLAZ4hMkJ5p+aJwByKGa3N/2m41HH/1S3z7pYQWj7YJxunTPPG6WNSiRncQki11rvmddwnXmsBF89+jW1Phge8U295haC57T5oIGPxR645IeTK4ZUlL8eVuZ+BhsnwbkYcaxvjSwe+DOIVPupR8GW+gis7KxwE89kqvnQhinamexcPUz4lGHlqO/Xn6jrJx6T/wXF+19epAzeHapYte3dTWNsdPwPLPJihT16YT5fwrLnH3zq8kexWz1crmnCGUoaBs4S2tHWHLgv2lTv0IHLx5F6ijpDBj/Avg9YILIURzdeea+rBxdycHasUDTVlJtYKRH5J+WbAKWI+oJ5qmXjIRUYL+O9xIUfOGO+1b3xs8MYxRWuvDV2P88N8vN,iv:yQQp5wjbSVn1oia5yL7d6GF9Vo704G0iOQRGMbzQHzg=,tag:bpBag5y5n+7ojOa8QOcDvA==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -46,8 +44,8 @@ sops:
             OUlxNjdQaXdXMkZ6bnV1ek4yZ2dpbkEKpKGOAxo5Eef2jtGrg4iSzmGCeg+vTgvu
             +K8b+O19MIkGMDBm6UbYUPtc/7eqoEZRiTUzNMTmfkLVS4ul5zou9A==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-03-11T08:27:38Z"
-    mac: ENC[AES256_GCM,data:X5AqIdnMzLNCHXbN3TuG4st907Rw080V8AqzesiwVFOjbBYRZWetCndtfE+/o8G1q5YE/Qwspy7HsxP5tCbSNI5c8P0XTjRTCEGyRFY8fM1TFIM32rCFjUot1iFC+l//iq62M/5iMhT2Z7pi+CDIyNMEE3TJMhBc8JmgTJXIsI8=,iv:UZXFi3rJgVHBNVqwNHlIkmW+xYkX6X2/54QQ1aZTmyU=,tag:SXyL69DZ5i0cQFvXnFkZIg==,type:str]
+    lastmodified: "2024-03-07T12:35:41Z"
+    mac: ENC[AES256_GCM,data:Krgtb791wR+S0PQyV2h0Uyh7MKx9fOTHbetmgLoiGOHL8FMSvmWt3LCMQy+RyjnOIj9XRwb8l+kyTqkgeN4zEfKd1uuOh95Z/hLWhCkWs4dPaBu6Uw4aekH9ZUmQJZIr1lt2AIayRsVjaU0dIl4FOcLW+93ls95aluhvPPloJX0=,iv:MmJFdVpF4ZfxMRwbxPV/TC1Qt957vl0QvU0MZzUWdm8=,tag:6+VVFDdPSTycxnKO7Td6VA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1

devices/surface/default.nix

@@ -50,7 +50,7 @@ inputs:
         snapper.enable = true;
         fontconfig.enable = true;
         sshd.enable = true;
-        xray.client = {};
+        xray.client.enable = true;
         firewall.trustedInterfaces = [ "virbr0" ];
         wireguard =
         {
@@ -59,7 +59,7 @@ inputs:
           publicKey = "j7qEeODVMH31afKUQAmKRGLuqg8Bxd0dIPbo17LHqAo=";
           wireguardIp = "192.168.83.5";
         };
-        beesd.instances.root = { device = "/"; hashTableSizeMB = 512; };
+        beesd = { enable = true; instances.root = { device = "/"; hashTableSizeMB = 512; }; };
       };
       bugs = [ "xmunet" ];
     };

devices/vps6/default.nix

@@ -29,14 +29,14 @@ inputs:
         nixpkgs.march = "sandybridge";
         nix.substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
         initrd.sshd.enable = true;
-        networking = { hostname = "vps6"; networkd = {}; };
+        networking.hostname = "vps6";
       };
       packages.packageSet = "server";
       services =
       {
         snapper.enable = false;
         sshd.enable = true;
-        xray.server = { serverName = "vps6.xserver.chn.moe"; userNumber = 13; };
+        xray.server = { enable = true; serverName = "vps6.xserver.chn.moe"; };
         frpServer = { enable = true; serverName = "frp.chn.moe"; };
         nginx =
         {
@@ -64,10 +64,10 @@ inputs:
             main.enable = true;
           };
         };
-        coturn = {};
-        httpua = {};
+        coturn.enable = true;
+        httpua.enable = true;
         mirism.enable = true;
-        fail2ban = {};
+        fail2ban.enable = true;
         wireguard =
         {
           enable = true;
@@ -77,7 +77,7 @@ inputs:
           listenIp = "74.211.99.69";
           lighthouse = true;
         };
-        beesd.instances.root = { device = "/"; hashTableSizeMB = 64; };
+        beesd = { enable = true; instances.root = { device = "/"; hashTableSizeMB = 64; }; };
       };
     };
   };

devices/vps6/secrets/default.yaml

@@ -14,22 +14,49 @@ xray-server:
         user3: ENC[AES256_GCM,data:r+6jXaIj4HJoYLnJcnjJB+WEZlGaoSy/ktc1Aw77hFtNrrGp,iv:P+YUKns1yaOZokH5WkDB0jssGyHg3ncc54tF1PyA7Oc=,tag:/pxMEr7l4ye5EDAOsllxJA==,type:str]
         #ENC[AES256_GCM,data:4gqZh391hg==,iv:No22DrD6EBs2FA4/qH8msWEjs20fc+ZpEeZep+HIv+c=,tag:aHrYNbI83POI4PRj1nd+Yw==,type:comment]
         user4: ENC[AES256_GCM,data:ujiml/r4aFiKOkSJkaD/KE8rKuBtLSnpZREBH3vRJUzDT0QM,iv:a3VFlXpMLNFihvFa7gloANtHmBLg4szTL5LTm8E2kNs=,tag:W9KZ1GAVx9IBKfda7Zedng==,type:str]
-        #ENC[AES256_GCM,data:PTYBkBHs16U=,iv:qr3u7OveM1CmTBIf9gZK4fTRuLCpcZCwf8jmnd1L3Co=,tag:w3O41NG7yCwCVqPGh/6SXA==,type:comment]
+        #ENC[AES256_GCM,data:bnnxo/I=,iv:8jOo0P+8gk05O1vnxOiyGhaeD4wyuaaA3CCr8/DbzII=,tag:J6VSJZoko3EiWyn0ATcmqA==,type:comment]
         user5: ENC[AES256_GCM,data:iDuLRb4dhLUOjpamioMwoTYrn7Cy+Ln4SaedVXkwVD05rjJ0,iv:AqzBBvLpJuIJCUJq0IyDcHrlqb0e84nQC0c94Rj85uw=,tag:0xou1i/iwAxGngO74OIMXg==,type:str]
+        #ENC[AES256_GCM,data:zsCT,iv:iTPnIsLoQKbmJuyFrf/aCKsiOy/TOrnbpJLu6dWFT4o=,tag:lFybPTAA7EedSsJ5dEfCLg==,type:comment]
+        user6: ENC[AES256_GCM,data:WLAKPPIHGvZrTaGMLFRQIgEYWFHYy0mD6sLJEYjCD+g93wek,iv:fCOxekJSBczJz/ODYwWgk1CqERc5q/87C+G/9ETuaSI=,tag:rkpBLQoEOPnWuE+U+BnzIQ==,type:str]
         #ENC[AES256_GCM,data:D5xiJW0Oyg==,iv:9a/6myiT9Crf/fff6ZkXj/obW2k95cABUNqQdPmcwcc=,tag:chs8BA8YtVkM9m3Ey9ETlA==,type:comment]
-        user6: ENC[AES256_GCM,data:YzLlf37SxKmU1/QA7gUIJsGid3KZNoAGOew8xR7cmw5l8ZmX,iv:SfKubo2jfjtxKn9odDiokMEZyPFfYZ/wwyYtBrgvgmM=,tag:+hxwIU5uBhzQyrKX4r3oiw==,type:str]
+        user7: ENC[AES256_GCM,data:7rxvmKbtYrDKBlo8kZIfd86KLd9EcSWB0ikasIRqfCZ24W0h,iv:Uplz4fnFymmBVZ9YTniHFFY3EVSrTYsg1+CTFqBu1WY=,tag:l3EPeYRHSeRsCyRhqFRrEg==,type:str]
         #ENC[AES256_GCM,data:8FxApg==,iv:vPa5p3QVHAvw+ECusWGqx1ugTcHh42CVFDQcMhG59wM=,tag:lHiZtydcYFBQiXnWh8pCrw==,type:comment]
-        user7: ENC[AES256_GCM,data:H/jje9ONEY6XuBXTZmTVGIcWUgGSMf5OB1NNRPtqGCgRP1ei,iv:xew+0BkRqz3nfOoBXTPbBv5hRczy/3tgYSKq432q4iw=,tag:da2ljcffiCVJCsMZaNPZyQ==,type:str]
+        user8: ENC[AES256_GCM,data:FNT3hHMwPJu3iI1LuOP1KvsoOonh+J/ecrNrRQO5TpunDPUq,iv:tTEB0MSUmQ39tNq9v1BTfaEcJY7Y59CPHRASMC1a4U8=,tag:klDm6Isk52hG8ubcFu6yHA==,type:str]
         #ENC[AES256_GCM,data:QdaYYH3RGJ4qIg==,iv:79NBTEKCPtgVVv3G7wg+vdoLOWxc+bdqT1lF4HJpTC8=,tag:8mRFGjy7lBrdyGyX9vaSOQ==,type:comment]
-        user8: ENC[AES256_GCM,data:H1gPtqF8vryD0rVH7HYzpMuZ3lufOBYczKwaTr4PidQtTyQK,iv:wh7NwFc/1ogNrnTTpm5L9dBqDVkvWiIsJZelR2mtR4Q=,tag:oEFdMFZJ9UYhsSVdefJ4rg==,type:str]
+        user9: ENC[AES256_GCM,data:4BD/4MXAVLhDm3EXdgTiEgPketf0WgflVPGb3/JMWXfycEKY,iv:jwE5sFVxZjORwoqCBdufP2EhetVtFGHyCP58AzJwle0=,tag:OCteA20hDBLI9zt1ET0tUQ==,type:str]
+        #ENC[AES256_GCM,data:U48hPlrJn2dF9g==,iv:W+6QEgemNa41VCT2OfBvEhuLAucLxfR+YZiDgdkkSnk=,tag:IhVstGnQ4EviT5ctMgyKiA==,type:comment]
+        user10: ENC[AES256_GCM,data:d9qxJQH9Jo8gJKUi5jjSdVwqzuHG+dj08Tk+TxhczJmlSaFT,iv:DS+9isZX2B9AYAyV4Yle4fpHzA/SHcR56B/GW8QdALw=,tag:9nUQ0OuMCuXGSZs2kjfnIQ==,type:str]
+        #ENC[AES256_GCM,data:DxZrs2B0LyPdLg==,iv:yZzEjyiY2s6gIPTsALl5xOsI0ByDvSBG4SI2+K6TLzI=,tag:hAniFFNS0SueybUKnRd2YQ==,type:comment]
+        user11: ENC[AES256_GCM,data:RPIH0DudfPJwPsa0yFLNqUy2EMwQh1bIqkmhCfteVTkUQGWP,iv:NH0aGTZ6nVqz2nn+o1HQS0PKpqHTBMkAhy0oFeyX/8k=,tag:kgd5zkHXW+oxRFC9x2VTUg==,type:str]
         #ENC[AES256_GCM,data:aYWIiLxs1UvupQ==,iv:AisokHuAzD5B6fEF6ak8WfAe151CM3a8MsaWC4uJPnw=,tag:cdk5S4n9ulyWrqsD+jcqYg==,type:comment]
-        user9: ENC[AES256_GCM,data:HVK9KvGfOcwn1joc3VrkjBjE6hrxQPOBD5RTtQUgBPepToh6,iv:VK9aQ64L/GajpledBxC8PNB1BdNYEqwcdL3GKttgxvs=,tag:O/piztCYBARtAFxTMNXGaA==,type:str]
+        user12: ENC[AES256_GCM,data:Q+XcMYPWWeHqXZZt3lf9OurlWwVQGBJWTnRwDUvg7np19g3+,iv:ybREjo5/SFRN5LMSyYdm0ygkYoq/G1uBv9K0iGPqrh4=,tag:g2y8IJeXtHW1XjelOvT+/A==,type:str]
+        #ENC[AES256_GCM,data:D5xiJW0Oyg==,iv:9a/6myiT9Crf/fff6ZkXj/obW2k95cABUNqQdPmcwcc=,tag:chs8BA8YtVkM9m3Ey9ETlA==,type:comment]
+        user13: ENC[AES256_GCM,data:IKKk8joJQ5rcSXV84jbYd4uox548czpcgXwTtyK4rFimQIoO,iv:ycVDDSb0qAtZE8WzEdKkaBYKY13JpKj+4xrgkLogikw=,tag:z9ty67NWIgGlh1psbE5qVQ==,type:str]
+        #ENC[AES256_GCM,data:ujz8CAgN2g==,iv:2KP2DwIfIPPnsyZRSptG6x80n0cQGoiYCFoLRbFeEos=,tag:oITBAiHs1odW3heSEOQAJA==,type:comment]
+        user14: ENC[AES256_GCM,data:WFhrirjRUEZlOaCLGvHzvRPyp5O+035k0bNFqCvs0UTdT0+y,iv:C2vvOexQwFFkQyvFd8tf7lca2ZZIF3hbSiOHa2RFfGU=,tag:zowYrIut44mRiq6/h0r4fQ==,type:str]
+        #ENC[AES256_GCM,data:t9mAcEcdBg==,iv:hzqb80+FtfsNP8ofYMyT0PwT8T8B3HYSGZUOrnk3SjM=,tag:0mbDe6S0bqbC/SffMr0AAg==,type:comment]
+        user15: ENC[AES256_GCM,data:Sfc4BWiQ5dz7K0kwlp/1e8x/ahPTnbTvSvFjz9R5KQL52uaO,iv:kzap3jQgm9P22teMkYJHlySh2azLBBuy/kpm+ylxIhM=,tag:2fOBw+McYdT3r+qoF/Wkzw==,type:str]
+        #ENC[AES256_GCM,data:S7Iodket2fLLhcDDuWgv6fVAbcg=,iv:2XlrHA0A36xrmEv7kqtL8i8EYnNpq7cjRMmsF+mPu4s=,tag:M6JvHYU6jqqinPoHcgnEZA==,type:comment]
+        user16: ENC[AES256_GCM,data:ijz4n66TY2tGpKLvGr7I6n+cOP6BfgpJdHmcPy2oTPGCvhR0,iv:RK8wi3Cj9XFVTqqt00DLru12Hiu/WJU8lV/v9MF5deI=,tag:6SHR8Yb2dO1rRY/xV5u9yw==,type:str]
+        #ENC[AES256_GCM,data:inAhj6SP8p4KahuZ+aSjPfnEcOY=,iv:eB6OvUkQvfdAkNuf95K7jAjZZ8i+nbsnsH3WEdRWFhw=,tag:dgw+RFY2cm6jF+R5z3Z+XA==,type:comment]
+        user17: ENC[AES256_GCM,data:Wz7tWzASeIKE9TzicUIwyOnjZDDICYvDAUu/scHrQoFjoOlE,iv:A2gPFSiIXaf1dQkFlXjw5yesKtv3qOVcIXzM2QspvDk=,tag:JWCVx2FJS84v2iMdzBxhlQ==,type:str]
         #ENC[AES256_GCM,data:b839t/OihMOmz0gIcTo43r2MIw==,iv:8kaAFG7DhFOoitcvbFaAvE1NUSLFrFhy1KiMrqs4r/c=,tag:G4vSADa52ZfN5y5ytoFJoQ==,type:comment]
-        user10: ENC[AES256_GCM,data:xjVkr/wy7OxRuNZKfQagfNxdVxTEyQP1ZhnR6jHy2gjBQ0RD,iv:G6iOBCHOqlvfEENY/ega/TUm81wgT2OOdZKZ6bPfg9o=,tag:p8AMa3bGsIl0hWQ09lSzgA==,type:str]
+        user18: ENC[AES256_GCM,data:xQMRt+YC1Kn0Qxtis9QVIypq4uHNLq2sWKxxQe515Kfg+zzw,iv:28nQibxqzx5Q17UkEwK0zYhu6mFJ8LUk78xxlQrIqFY=,tag:B7N/fC81v8VBTsDdIZDvDw==,type:str]
+        #ENC[AES256_GCM,data:fZFxSd9QDRBg/X5yFQia96I=,iv:cd9vJ+f+TJr4mmXPNwcsce0p7i36Nkt1OnUzqDhK4hE=,tag:FsOHS+zhr5wZNmJpMfG97w==,type:comment]
+        user19: ENC[AES256_GCM,data:Qjajmu6cfACT4eho6BK56zRd7BSXxo4fUeJ2RRawopVFZESJ,iv:QZN81pQxspe76V90NQxzsKmMwtvaC1qwuvd5a6WbrdU=,tag:/+LYeQLqvwM60DgIPtZzKA==,type:str]
         #ENC[AES256_GCM,data:+s3MMeNU5Q==,iv:CUrg+nNxCpJFbHQmMNXmSE+JcZK6Dfu8cGwtznx3CFY=,tag:G5CYMtao+hz3hs0fPVPmcw==,type:comment]
-        user11: ENC[AES256_GCM,data:BIZ2zRgGv5/9AexiZZvu+m4A62YUWtAkjWWMu89GteqpWMBq,iv:13IJcDf18LjoxJk7uoKnuFZT6Ihxrxsy7DBaAaiFqus=,tag:RN7wj+uPneCkqNlMRyYrXw==,type:str]
+        user20: ENC[AES256_GCM,data:uRSG6jOks7utk2bRdd5sndvqVnSGRhjkts2f3+V7JdEwQf4k,iv:xZdVv/H5RuliwSEWmgLViLquWZ5znGOpP9YwwLJfsyo=,tag:JR3BsCKkHpkE7woTaMHXwQ==,type:str]
+        #ENC[AES256_GCM,data:37f8REUu8PU0lfg=,iv:WOhsotX/O7Gg+YgkK5Fuw/njKz+1OgKSx0vXl1A32XY=,tag:IyjPLut59RuK/PpCyK4ZAQ==,type:comment]
+        user21: ENC[AES256_GCM,data:9cd7IY3zzoziXznclguxbmmZ5hfc2H1DPa+KW1geuybRlpB9,iv:NKwdt7ppRuNpn44f1ypNOoPS27Yqk3Z31ABQbflS9Gg=,tag:S2B1vR0PVd3FYu24XwTfpQ==,type:str]
         #ENC[AES256_GCM,data:spyQkQIHwg==,iv:7+0DUK95MPH7lpr+GMbbLu4/5yA11/4gTuLhQKlStfE=,tag:G/gIXML8UhYoCi9FfoTvSA==,type:comment]
-        user12: ENC[AES256_GCM,data:FAF9lXOzXW9CrZgnQ1a2+E8snZj2+JHqP5Gny92k09o/Wzga,iv:/qZuAtFmUQE7A9lMzJUoCvGx+3Sv9Ioh2ahch3puaC4=,tag:urwbLwGkSX3e85NCjyPhhg==,type:str]
+        user22: ENC[AES256_GCM,data:sCOmhXaJjzDIiuwP3Nh+yXQRYCppATzVWIdjOoMOlu+OFT+U,iv:HKRsCLJ/2jr7rGkM04uv4V1GKQheo2oxeFu4zqxcIAc=,tag:1swUo08hSzJ1PmQr/dBcgQ==,type:str]
+        user23: ENC[AES256_GCM,data:rgS6IdC4DBLvWWBkf5Db54yaNvagfISm5tHUD1KgeqrCR5x/,iv:ANQYEXssMfbU0bvk25dVYq+yQlMiVEyQCwrGPw1AGxc=,tag:d9sOvvxheWwsE/SeOgcWUQ==,type:str]
+        user24: ENC[AES256_GCM,data:3bn/ZG0En/OgY4PA4Ir8MaVWpJbX+ywpkoXQn7HChT+xhKFZ,iv:Jw8AG7vTc6j4VznekF6x2LXkoSFz960yqsSjPm1ORvw=,tag:EszCODBuLULKHJHh4Itq7A==,type:str]
+        user25: ENC[AES256_GCM,data:17bfY/7nClQ3c4OL/aNrUIuafPa1RLc9aLZUCyJMhsKp/1ob,iv:s6OD1AipescKuwdTw8x4hQkfHsl01FCh5c20SnpQk0g=,tag:+vlKdXWI6y7fU0AJIHVRJQ==,type:str]
+        user26: ENC[AES256_GCM,data:ubecAnPqdUhyEWU3vn3cbSFl0Ql/XfUbqWO9553jLqd2DP8R,iv:6GeibZBoBfJHWUjlW/eHbYwj6z9AFXDyom62BCpJp90=,tag:N3Al0SLPbC8lteky+aXNvA==,type:str]
+        user27: ENC[AES256_GCM,data:KM7HUEUHzXd+g/Vxy13uv+zOXLJ1BtSRPUnFIl2/u+ISu6MW,iv:fAxQRVjPsA3cFV1VLyIYMpG60sxi1pWW7153Cc8zjFM=,tag:HtiU8F5shQrFwonQEgQDiA==,type:str]
+        user28: ENC[AES256_GCM,data:FWuW6SmdA9l+yhTE7KEec72KZ7Ab0A9jYEWoHcLm1+DPydHk,iv:WipmZE/tZ5yCU+cDfeJCNpKv8o7T/zrcMzYRIVXI7FM=,tag:IDTNiPBGY9lER8fdIfL/6w==,type:str]
+        user29: ENC[AES256_GCM,data:SSP4igGqVthHTDOxOUodm1KEqPSOikWP/7jFKpYhXGe1wqrF,iv:ri82voK2BEArMlyV9F+NMTXQfV1pakGMoUyKh/LoYN4=,tag:VHZ/3DThAD7NmP3oOGyfcw==,type:str]
     telegram:
         token: ENC[AES256_GCM,data:xsJoGgQ8pLeZqA2alGKkCyrvnjY6rVF5TlXn4GWDrStFBl65XXzwVY/9ZZthYQ==,iv:qTLfpRUyuIGFM668URfknhSRtx3WEHp/WTGzGUPuFd4=,tag:p8mF0tM+t02g7v2EQZN3Vg==,type:str]
         chat: ENC[AES256_GCM,data:X1JxFQw0bPCu,iv:hf+TOSH2p9RdnXDFKxTpSRzxDLdJyzNHVV8MfOQuGWY=,tag:iiWw9IFiBGOOyOSl9Jj2wQ==,type:str]
@@ -73,8 +100,8 @@ sops:
             ZXFTU3ZCaW1pTVh0RUJzdDdGdHlPYTgK2mlgcX2kEc8+2UDdBnhUm6IIuh8V6agW
             ooxH9OEPXUVI/4JcDo4v8ZUhAyU1ehLH0Ef7PJCChOZe2KZmWSNbhA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-03-14T15:01:58Z"
-    mac: ENC[AES256_GCM,data:hjG1VHHNTm7qt/f/t0VuziFPQKSv/1qYI2nvNrO7qeHywtEol1SbpaaF0kn8/8TOuZFfdrIECj4CrI2M1nWWEMF+1LBOI4ccBPDY/33tqg4B1ZX90GEdK0ZnaBn0/tEziu4i6wIKcPXQMnpftPrUXegQUKqMlnTTZKY2AGsPXoI=,iv:a+4+n31/3r+nhyAuL7o/lyd7NMA+e+AwfgHneNOFrx8=,tag:Ei8mQiI0+ZS8TWisc3NCDA==,type:str]
+    lastmodified: "2024-03-09T07:57:44Z"
+    mac: ENC[AES256_GCM,data:urofF4HNdRtVIZYifB0++/vsMWnaPkGxVRG9w2LEdfiELnCuhvEDHdpmVTIVZLPqYWPtqlHMncawD2+Hl3s6sH5K9uJ+/4R46XFS2Y2qr78lIAKc5OAHNiywPoXJ/4mbVWsTAR0MZUO/HpO3IujBXAp9NWqIBh2aGGr9MIQNTc4=,iv:k80R2cB31GCQ+eaevYsRyUYISU4wmJiXPel4YqppzAA=,tag:ZeG5N7KnJTIS4IQ+c9xDPA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1

devices/vps7/default.nix

@@ -29,7 +29,7 @@ inputs:
         nixpkgs.march = "broadwell";
         nix.substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
         initrd.sshd.enable = true;
-        networking = { hostname = "vps7"; networkd = {}; };
+        networking.hostname = "vps7";
         gui.preferred = false;
       };
       packages.packageSet = "desktop";
@@ -52,18 +52,18 @@ inputs:
         };
         xrdp = { enable = true; hostname = [ "vps7.chn.moe" ]; };
         vaultwarden.enable = true;
-        beesd.instances.root = { device = "/"; hashTableSizeMB = 1024; };
+        beesd = { enable = true; instances.root = { device = "/"; hashTableSizeMB = 1024; }; };
         photoprism.enable = true;
         nextcloud.enable = true;
         freshrss.enable = true;
         send.enable = true;
         huginn.enable = true;
-        fz-new-order = {};
+        fz-new-order.enable = true;
         nginx.applications = { kkmeeting.enable = true; webdav.instances."webdav.chn.moe" = {}; };
         httpapi.enable = true;
         gitea.enable = true;
         grafana.enable = true;
-        fail2ban = {};
+        fail2ban.enable = true;
         wireguard =
         {
           enable = true;

devices/xmupc1/README.md

@@ -1,53 +1,49 @@
-# 硬件
-
-* CPU：16 核 32 线程。
-* 内存：96 G。
-* 显卡：
-  * 4090：24 G 显存。
-  * 3090：24 G 显存。
-  * 2080Ti: 12 G 显存。
-* 硬盘：2 T。
-
-# 队列系统（SLURM）
+# slurm
 
 ## 基本概念
 
-SLURM 是一个用来对任务排队的系统，轮到某个任务时，再调用其它程序来执行这个任务。
+队列系统换成了 slurm。这是个正经的队列系统（不像之前那样是临时手搓的），可靠性应该会好很多。
+学校的 hpc 上用的是 PBS，和这个不一样，但很多概念是相通的，例如队列、节点等（当然这里只有一个队列和一个节点）。
+这里简单记录一下如何使用。更多内容，网上随便搜一下 slurm 的教程就可以找到很多介绍，也可以看官网文档。
+
+先说明一下机器的硬件配置：CPU 有 16 个核，每个核 2 线程，也就是总共 32 个线程。
+slurm 限制 CPU 按照核（而不是线程）分配，
+  提交任务时， `sbatch` 命令中的 `cpu` 或者 `core` （它俩是同义词）都是指核的数量而不是线程数
+  （也就是说，实际运行的线程数要再乘以 2）。
+
+VASP 支持两个层面的并行，一个叫 MPI，一个叫 OpenMP，实际运行的线程数是两者的乘积。
+MPI 并行的数量就是提交任务时指定的 task 的数量，
+  OpenMP 并行的数量等于提交任务时指定的分配给每个 task 的 CPU 的数量再乘以 2，
+  也就是最终的线程数等于指定的 CPU 数量乘以 2。
+此外还有一个限制：当使用 GPU 时，MPI 并行的数量必须等于 GPU 的数量，否则 VASP 会在开头报个警告然后只用 CPU 计算（但不会报错）。
 
 ## 常用命令
 
 提交一个 VASP GPU 任务的例子：
 
 ```bash
-sbatch --gpus=1 --ntasks-per-gpu=1 --job-name="my great job" vasp-nvidia-640
+sbatch --gpus=1 --ntasks-per-gpu=1 --job-name="my great job" vasp-nvidia-6.4.0 mpirun vasp-std
 ```
 
-* `--gpus` 指定使用GPU 的情况：
-  * 要占用任意一个 GPU（排到这个任务时哪个空闲就使用哪个），写 `--gpus=1`。要占用任意两个就写 `--gpus=2`，以此类推。
-    但一般来说，**单个任务不要占用超过一个 GPU**，多个显卡的速度会比单个更慢。
-  * 要指定具体使用哪个 GPU 时，写 `--gpus=4090:1`。2080 Ti 需要写为 `2080_ti`，P5000 需要写为 `p5000`。
-  * 当需要使用多个不同类型的显卡（例如，指定使用一个 3090 和一个 4090）时，写 `--gres=gpu:3090:1,gpu:4090:1`。
-* `--ntasks-per-gpu=1` 对于 VASP 来说一定要写。
-* `--job-name=xxx` 指定任务的名字。可以简写为 `-J`。也可以不指定。
-* 默认情况下，一个 task 会搭配分配一个 CPU 核（一个线程），一般已经够用。如果一定要修改，用 `--cpus-per-task`。
-* `vasp-nvidia-640` 指调用 std 版本，要使用 gam 或 ncl 版本时，写为例如 `vasp-nvidia-640-gam`。
+* `--gpus=1` 指定使用一个 GPU（排到这个任务时哪个空闲就使用哪个）。
+  可以指定具体使用哪个GPU，例如 `--gpus=4090:1`。
+  可以简写为 `-G`。
+  这个选项实际上是 `--gres` 选项的一种简便写法，当需求更复杂时（例如，指定使用一个 3090 和一个 4090）时，就需要用 `--gres`。
+  例如：`--gres=gpu:3090:1,gpu:4090:1`。
+  “gre” 是 “generic resource” 的缩写。
+* `--ntasks-per-gpu=1` 是一定要写的。
+* `--job-name=` 指定任务的名字。可以简写为 `-J`。也可以不指定。
+* 默认情况下，一个 task 会搭配分配一个 CPU 核（两个线程），一般不用修改。如果一定要修改，用 `--cpus-per-task`。
 
 提交一个 VASP CPU 任务的例子：
 
 ```bash
-sbatch --ntasks=4 --cpus-per-task=4 --hint=nomultithread --job-name="my great job" vasp-intel-640
+sbatch --ntasks=2 --cpus-per-task=2 --job-name="my great job" vasp-gnu-6.4.0 mpirun vasp-std
 ```
 
-* `--ntasks=4 --cpus-per-task=4` 指定使用占用多少核。
-  * CPU 的调度是个非常复杂的问题，而且 slurm 和 Intel MPI 之间的兼容性也不算好，因此**推荐照抄下面的设置**。
-    也可以自己测试一下怎样分配更好，但不要随意地设置。不同的设置会成倍地影响性能。
-    * 对于 xmupc1：`--ntasks=3 --cpus-per-task=4`。
-    * 对于 xmupc2：`--ntasks=4 --cpus-per-task=10`。
-* `--hint=nomultithread` 记得写。
-* `--job-name=xxx` 指定任务的名字。可以简写为 `-J`。也可以不指定。
-* `vasp-intel-640` 指调用 std 版本，要使用 gam 或 ncl 版本时，写为例如 `vasp-intel-640-gam`。
-
-要把其它程序提交到队列里，也是类似的写法。请自行举一反三。
+* `--ntasks=2` 指定在 MPI 层面上并行的数量。
+  可以简写为 `-n`。
+* `--cpus-per-task=2` 指定每个 task 使用的 CPU 核的数量，OpenMP 并行的数量等于这个数再乘以 2。
 
 要列出已经提交（包括已经完成、取消、失败）的任务：
 
@@ -66,25 +62,13 @@ scancel -n my_great_job
 scancel -u chn
 ```
 
-要将自己已经提交的一个任务优先级提到最高（相应降低其它任务的优先级，使得总体来说不影响别人的任务）：
+要将自己已经提交的一个任务优先级提到最高（只是自己已经提交任务的最高，不影响别人的任务）：
 
 ```bash
-scontrol top 114514
+scontrol top job_id
 ```
 
-要显示一个任务的详细信息（不包括服务器重启之前算过的任务）：
-
-```bash
-scontrol show job 114514
-```
-
-要显示一个任务的详细信息（包括服务器重启之前算过的任务）：
-
-```bash
-sacct --units M --format=ALL -j 114514 | bat -S
-```
-
-## `sbatch` 的更多参数
+## sbatch 的更多参数
 
 ```bash
 # 提交一个新任务，但是礼让后面的任务（推迟到指定时间再开始排队）
@@ -117,162 +101,25 @@ sacct --units M --format=ALL -j 114514 | bat -S
 --wrap=
 ```
 
-# 支持的连接协议
-
-## SSH
+# ssh
 
 ssh 就是 putty winscp 之类的工具使用的那个协议。
 
-* 地址：xmupc1.chn.moe
+* 地址：office.chn.moe（如果在校外，需要厦大 VPN）
 * 端口：6007
 * 用户名：自己名字的拼音首字母
 * 可以用密码登陆，也可以用证书登陆。
 
-从一台服务器登陆到其它服务器，只需要使用 `ssh`` 命令：
+要从本机登陆到学校 hpc 的 jykang 账户，使用下面的命令：
 
 ```bash
 ssh jykang
-ssh xmupc1
-ssh xmupc2
-ssh user@host
 ```
 
-直接从另外一台服务器下载文件，可以使用 `rsync` 命令：
-
-```bash
-rsync -avzP jykang:/path/to/remote/directory_or_file /path/to/local/directory
-```
-
-将另外一个服务器的某个目录挂载到这个服务器，可以使用 `sshfs` 命令：
-
-```bash
-sshfs jykang:/path/to/remote/directory /path/to/local/directory
-```
-
-用完之后记得卸载（不卸载也不会有什么后果，只是怕之后忘记了以为这是本地的目录，以及如果网络不稳定的话，运行在这里的软件可能会卡住）：
-
-```bash
-umount /path/to/local/directory
-```
-
-如果不喜欢敲命令来挂载/卸载远程目录，也可以 RDP 登陆后用 dolphin。
-
-## RDP
+# rdp
 
 就是 windows 那个远程桌面。
 
-* 地址：xmupc1.chn.moe
+* 地址：xmupc1.chn.moe（如果在校外，需要厦大 VPN）
 * 用户名：自己名字的拼音首字母
-* 密码和 ssh 一样（使用同样的验证机制）。
-
-RDP 暂时没有硬件加速（主要是毛玻璃之类的特效会有点卡）。
-
-记得在连接时，点击“显示选项”，将“体验”中的连接速度改为“LAN（10 Mbps 或更高）”，不然会很卡。
-
-## samba
-
-samba 就是 windows 共享文件夹的那个协议。
-
-* 地址：xmupc1.chn.moe
-* 用户名：自己名字的拼音首字母
-* 初始密码和 ssh 一样，你可以自己修改密码（使用 `smbpasswd` 命令）。samba 的密码和 ssh/rdp 的密码是分开的，它们使用不同的验证机制。
-
-在 windows 上，可以直接在资源管理器中输入 `\\xmupc1.chn.moe` 访问。
-也可以将它作为一个网络驱动器添加（地址同样是 `\\xmupc1.chn.moe`）。
-
-# 计算软件
-
-## VASP
-
-VASP 有很多很多个版本，具体来说：
-
-* VASP 多个版本可以共存。目前安装了两个版本：6.3.1 和 6.4.0。
-* VASP 可以用不同的编译器编译。目前安装的有：nvidia、gnu、intel 和 amd。nvidia 使用 GPU 计算，其它的只能用 CPU 计算。
-* VASP 的 std/gam/ncl 版本有一点区别，一般用 std，只有一个 gamma 点的时候用 gam 会快一点，系统中存在方向不平行的磁矩时必须用 ncl。
-* 无论哪个版本，都集成了下面这些补丁：
-  * HDF5：用于生成 hdf5 格式的输出文件。
-  * wannier90：我也不知道干啥的，随手加上的。
-  * OPTCELL：如果存在一个 `OPTCELL` 文件，VASP 会据此决定弛豫时仅优化哪几个晶胞参数。
-  * MPI shared memory：用来减小内存占用。
-
-如何提交 VASP 到队列系统已经在上面介绍过了。下面的例子是，如果要直接运行一个任务的写法：
-
-```bash
-vasp-nvidia-640-env mpirun -np 1 -x CUDA_DEVICE_ORDER=PCI_BUS_ID -x CUDA_VISIBLE_DEVICES=0 -x OMP_NUM_THREADS=4 vasp-std
-vasp-gnu-640-env mpirun -np 2 -x OMP_NUM_THREADS=4 vasp-std
-vasp-intel-640-env mpirun -n 2 -genv OMP_NUM_THREADS=4 vasp-std
-vasp-amd-640-env mpirun -np 2 -x OMP_NUM_THREADS=4 vasp-std
-```
-
-其中 `CUDA_VISIBLE_DEVICES` 用于指定用哪几个显卡计算（多个显卡用逗号分隔）。
-要查看显卡的编号，可以用 `CUDA_DEVICE_ORDER=PCI_BUS_ID vasp-nvidia-640-env nvaccelinfo` 命令。
-
-这里 `vasp-xxx-6.4.0` 命令的作用是，进入一个安装了对应版本的 VASP 的环境，实际上和 VASP 关系不大；
-  后面的 `mpirun xxx` 才是真的调用 VASP。
-所以实际上你也可以在这个环境里做别的事情，例如执行上面的 `nvaccelinfo` 命令。
-
-## mumax
-
-问龚斌，我没用过。
-
-## lammps
-
-除了我应该没人用，就不写了。
-
-## quantum espresso
-
-我也只用过一次。大规模用到了再说吧。
-
-# 其它软件
-
-我自己电脑上有的软件，服务器都有装，用于科研的比如 VESTA 什么的。可以自己去菜单里翻一翻。
-
-## 操作系统
-
-操作系统是 NixOS，是一个相对来说比较小众的系统。
-它是一个所谓“函数式”的系统。
-也就说，理想情况下，系统的状态（包括装了什么软件、每个软件和服务的设置等等）是由一组配置文件唯一决定的（这组配置文件放在 `/etc/nixos` 中）。
-要修改系统的状态（新增软件、修改设置等等），只需要修改这组配置文件，然后要求系统应用这组配置文件就可以了，
-  系统会自动计算出应该怎么做（增加、删除、修改哪些文件，重启哪些服务等等）。
-这样设计有许多好处，例如可以方便地回滚到之前任意一个时刻的状态（方便在调试时试错）；
-  一份配置文件可以描述多台机器的系统，在一台上调试好后在其它机器上直接部署；
-  以及适合抄或者引用别人写好的配置文件。
-
-以上都是对于管理员来说的好处。对于用户来说的好处不是太多，但是也有一些。
-举个例子，如果用户需要使用一个没有安装的软件（例如 `phonopy`，当然实际上这个已经装了），只需要在要执行的命令前加一个逗号：
-
-```bash
-, phonopy --dim 2 2 2
-```
-
-系统就会帮你下载所有的依赖，并在一个隔离的环境中运行这个命令（不会影响这之后系统的状态）。
-
-还有一个命令可能也有用，叫 `try`。
-它会在当前的文件系统上添加一个 overlay，之后执行的命令对文件的修改只会发生在这个 overlay 上；
-  命令执行完成后，它会告诉你哪些文件发生了改变，然后可以选择实际应用这些改变还是丢弃这些改变。
-例如：
-
-```bash
-try phonopy --dim 2 2 2
-```
-
-这个命令和 NixOS 无关，只是突然想起来了。
-
-## 文件系统
-
-文件系统是 BtrFS。它的好处有：
-
-* 同样的内容只占用一份空间；以及内容会被压缩存储（在读取时自动解压）。这样大致可以节省一半左右的空间。
-  例如现在 xll 目录里放了 213 G 文件，但只占用了 137 G 空间。
-* 每小时自动备份，放置在 `/nix/persistent/.snapshots` 中，大致上会保留最近一周的备份。如果你误删了什么文件，可以去里面找回。
-
-## ZSH
-
-所谓 “shell” 就是将敲击的一行行命令转换成操作系统能理解的系统调用（C 语言的函数）的那个东西，也就是负责解释敲进去的命令的意思的那个程序。
-
-大多情况下默认的 shell 是 bash，但我装的服务器上用 zsh。
-zsh 几乎完全兼容 bash 的语法，除此以外有一些顺手的功能：
-* 如果忘记了曾经输入过的一个命令，输入其中的几个连续的字母或者单词（不一定是开头的几个字母），然后按 `↑` 键，就会自动在历史命令中依次搜索。
-  例如我输入 `install` 按几下 `↑` 键，就可以找到 `sudo nixos-rebuild boot --flake . --install-bootloader --option substituters https://nix-store.chn.moe` 这个东西。
-* 如果从头开始输入一个曾经输入过的命令，会用浅灰色提示这个命令。要直接补全全部命令，按 `→` 键。要补全一个单词，按 `Ctrl` + `→` 键。
-* 常用的命令，以及常用命令的常用选项，按几下 `tab` 键，会自动补全或者弹出提示。
+* 密码和 ssh 一样。

devices/xmupc1/default.nix

@@ -24,7 +24,11 @@ inputs:
             };
           };
           swap = [ "/nix/swap/swap" ];
-          rollingRootfs = {};
+          rollingRootfs =
+          {
+            device = "/dev/disk/by-uuid/a04a1fb0-e4ed-4c91-9846-2f9e716f6e12";
+            waitDevices = [ "/dev/disk/by-partuuid/cdbfc7d4-965e-42f2-89a3-eb2202849429" ];
+          };
         };
         grub.installDevice = "efi";
         nixpkgs =
@@ -35,8 +39,6 @@ inputs:
             enable = true;
             capabilities =
             [
-              # p5000 p400
-              "6.1"
               # 2080 Ti
               "7.5"
               # 3090
@@ -50,7 +52,6 @@ inputs:
         gui = { preferred = false; autoStart = true; };
         kernel.patches = [ "cjktty" "lantian" ];
         networking.hostname = "xmupc1";
-        nix.remote.slave.enable = true;
       };
       hardware =
       {
@@ -68,13 +69,17 @@ inputs:
         snapper.enable = true;
         fontconfig.enable = true;
         sshd = { enable = true; passwordAuthentication = true; };
-        xray.client = {};
+        xray.client.enable = true;
         firewall.trustedInterfaces = [ "virbr0" "waydroid0" ];
         smartd.enable = true;
-        beesd.instances =
+        beesd =
         {
-          root = { device = "/"; hashTableSizeMB = 16384; threads = 4; };
-          nix = { device = "/nix"; hashTableSizeMB = 512; };
+          enable = true;
+          instances =
+          {
+            root = { device = "/"; hashTableSizeMB = 16384; threads = 4; };
+            nix = { device = "/nix"; hashTableSizeMB = 512; };
+          };
         };
         wireguard =
         {
@@ -88,19 +93,18 @@ inputs:
           enable = true;
           cpu = { cores = 16; threads = 2; };
           memoryMB = 94208;
-          gpus = { "2080_ti" = 1; "3090" = 1; "4090" = 1; };
+          gpus = { "3090" = 1; "4090" = 1; };
         };
         xrdp = { enable = true; hostname = [ "xmupc1.chn.moe" ]; };
         samba =
         {
           enable = true;
-          hostsAllowed = "";
+          hostsAllowed = "192.168. 127.";
           shares = { home.path = "/home"; root.path = "/"; };
         };
-        groupshare = {};
       };
       bugs = [ "xmunet" "amdpstate" ];
-      user.users = [ "chn" "xll" "zem" "yjq" "gb" ];
+      users.users = [ "chn" "xll" "zem" "yjq" "gb" ];
     };
     services.hardware.bolt.enable = true;
   };

devices/xmupc1/secrets/default.yaml

@@ -7,14 +7,10 @@ xray-client:
 wireguard:
     privateKey: ENC[AES256_GCM,data:Azaqung7llErB7/IdnOnEkwjQ39yQHKcO7VgvMDCDTExM7nS0zx+yMYX4ls=,iv:FX8oLHMBVEnKkYOg8q2A9vFmtRZDws5T87+lEl7+2G8=,tag:DdOQUbNKB6JK7Tp6McQ0Og==,type:str]
 users:
-    #ENC[AES256_GCM,data:1RG/IM/UrLCk,iv:LY2QCBN0gYwuhVwS/WIrjt4MEHhjPPQG+cjTZJhU6Zc=,tag:AEL+smmitSqW+D70K74LbQ==,type:comment]
-    xll: ENC[AES256_GCM,data:YauaeGHDVAnMXp9hSz4r4jNsioF79Q+WplfsYGpl4g5FxoakhfjRlnfzrLmMO3mWEIBOmDqeShbDEulyV5O47CIBGaMUUHe+Gg==,iv:RNwRfghJBb0PO4A/T5d5J1U0NsXdygXlWq/FfF8MO4U=,tag:BOh666TYGbCCHcgB/uBhTw==,type:str]
-    #ENC[AES256_GCM,data:zxOQcoOzJNBK,iv:YJQB8lV+nhwm5XYMpDIyt0IDHBlHTiHO8cpgXkXe/dQ=,tag:re5ekGkYRewPdxv83mtLUQ==,type:comment]
-    zem: ENC[AES256_GCM,data:bIxVN4T3Gh3aSa1gylkPmW3/uT5xQAlruC+L3zk0Tc3KvwBCQA5DpxXU8ZxjeK0P0xGi02U7gFWgm+yxp6otdCsUEmWed4EHHw==,iv:vpKpY0nRUwuI5mCcYTOD3zN/E21wHl4ZbRDUPoFmdhQ=,tag:m5WTzCgOTC7oqU4yfV9gkQ==,type:str]
-    #ENC[AES256_GCM,data:ZnMFN0WzjKDd,iv:t1YHrNoHOohYsdBOqoV6OtfS5ig6CTS8jW5mKy0oSQA=,tag:WkgrH1ZXcbHruxJY/hVsmg==,type:comment]
-    yjq: ENC[AES256_GCM,data:ua0DINHutjt2Pk+SfHRQRV99mT3Cnw6rRKO8VRIAlP0dY6QhK9wkNdyRYWYRBKVrWgyFQMGNFYAxIpymjF/X7mBOVI2sOHLgkw==,iv:PUZ6S0KICuqoSA2sDLxdL4gtAOQnQXOUY+5f3qDZgpc=,tag:f39P34vAUOrV23BsKkRarA==,type:str]
-    #ENC[AES256_GCM,data:6qNjSdjck4Vz,iv:c/GNqCNgRgwgL+2f6Vumtjb/ub9WCBSy8R02NRCDqk8=,tag:b/tucJsHTjSfcK0vgHtE8A==,type:comment]
-    gb: ENC[AES256_GCM,data:3eAKBiJoC1owCHTFd3Xq8vI8VK980evePc92xCXJJ21M9D1MdbwN8ySZ3Ovjk7VfQmEo8oRv1Ll1sftyrXYoeTHmJsNDxCpR6A==,iv:Ju/ERNuGrgO5kYlbvmkbLJkgiW3Elou34AsJTFITCUg=,tag:POVlxYh9kZ1BMSbt97IVOQ==,type:str]
+    xll: ENC[AES256_GCM,data:tGzKVg4prhg9oXOSX0FJIAWdF79CWsFuiU8U12dSnkBIgRXPZlJkz9mLLTENm6SjftItt/ku4MDj94KnM+nPYkIorTYtEuergg==,iv:oavvRf7/21LuDksUiXLfR2/qQNz5O6JyroxX1DwC6gc=,tag:qYbW1ZQtXo+2qGrl5wuZkA==,type:str]
+    zem: ENC[AES256_GCM,data:r2BDtAfMohsnoqw51/flvkiXe/EtJtDhakEyOTPX2E7cikfPtPD9iJPd2RnNkS3QPBKg08ex5ce2e3ywzGgNX5RKrxIacpxSSA==,iv:VfhEqTvS9qVFGif+SkBdz8VR6BXEnncMYcPQW4qqNk8=,tag:t4JBEhX+6iqnrd0JoLKpmA==,type:str]
+    yjq: ENC[AES256_GCM,data:Yb9gVDrWhpmBYI8JlGee30J+PVFVGLo4btFVGToUVj3Sr2bPetY96mEJoxYQha7SPKBoZ7+ePzWYiYOi43MZ6sYndj3C6sYmYg==,iv:2H2+ZmIIDJAKds1XSMqVcUpsix3rbxLkVlBIIAK3ifg=,tag:7redx03BsscRrk+e7dqXdg==,type:str]
+    gb: ENC[AES256_GCM,data:ZoprrHc2l0nkqy4ujYQfxNENMEnfpRhCIxX7jMPoWeTrJt2sE1AloWeVFsArJKTx8krpW96X3AXpUIauMH9kc/CviPop2QMgDw==,iv:fOIVPEHDvyZ45G9uRbx2gBE0KuZy+aEWALlXusDJ1YU=,tag:G6hZLn9/99Kj+wZAeNyxkQ==,type:str]
 mariadb:
     slurm: ENC[AES256_GCM,data:qQMD8SKNmxb3PdScXNqppF9zkX7dV5i7rvljvZuhiI5zLnu77qYCHBW6ymh0mrY14N9NjxmQZhZWX/H8TvBlcg==,iv:J5N3LjCYW3QmuEkMBpl7qvPFW1Z9ZoPLkj45jKcIW9U=,tag:Tl+ld07+lVkmzt7f/f2MqQ==,type:str]
 sops:
@@ -41,8 +37,8 @@ sops:
             ZDNHUjE2QVlCV3p0NHdKYW5IMHVBZzQKkZtfyvfroOntg3yRjMw4jQHiQj8eaB2h
             IeIHfW4y01mmVT2ofbtB0xYpjcl4gtUlQ8X3tn5iJ9P8gcVo0G598A==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-03-10T13:47:17Z"
-    mac: ENC[AES256_GCM,data:19w2Q1SRhKIyxibGgKa+CkEhiizFJ27FePOlMll+8tJVJRzfIl8KrutlRi0hMhEYFlML0bWunbINUEIg7yJbIwFCSjxFDnqKsCT3iClT3kaktxr5+0R+ECoQTGGV67VkT5WY/LT3V1zdLYI38MVaBQObGKCpBs23nIK2QXrg39Q=,iv:q1ezSmo14vsmEE8owxnsonWMq2uj6mrVjKNh+RuK+cE=,tag:QBc99UEaEPiEgZH+Z3Z8tA==,type:str]
+    lastmodified: "2024-02-26T06:04:25Z"
+    mac: ENC[AES256_GCM,data:2d3i3rcRYrB58vJuyhP4AIB11Ns+zQq0Pli1LF4sAKb75OmJ/qlRcwJKlOCASdY95FfzOQDGjfZheg58fVSd9EbYxX+npMXGUiODa8JRTHgQye3/qjFv14v49zKFJ0dNs13XnOEA4QAry/7gDlb0+M44bNRGPSZSoFX2yJ53smw=,iv:I1YDN6+26BmaWR84kq9zXNXjQ4cRvtzrS2Q13PlUjp0=,tag:sgxcTpOr7T2oXjb5qLRrqw==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1

devices/xmupc2/README.md

@@ -1,31 +0,0 @@
-# 硬件
-
-* CPU：44 核 88 线程。
-* 内存：256 G。
-* 显卡：
-  * 4090：24 G 显存。
-  * P5000：16 G 显存。
-* 硬盘：18 T。
-
-# 支持的连接协议
-
-## SSH
-
-* 地址：xmupc2.chn.moe
-* 端口：6394
-* 用户名：自己名字的拼音首字母
-* 可以用密码登陆，也可以用证书登陆。
-
-## RDP
-
-* 地址：xmupc2.chn.moe
-* 用户名：自己名字的拼音首字母
-* 密码和 ssh 一样（使用同样的验证机制）。
-
-## samba
-
-* 地址：xmupc2.chn.moe
-* 用户名：自己名字的拼音首字母
-* 初始密码和 ssh 一样。
-
-其它内容请阅读 [xmupc1](../xmupc1) 的说明，两台机器的软件大致是一样的。

devices/xmupc2/default.nix

@@ -18,7 +18,7 @@ inputs:
             };
           };
           swap = [ "/nix/swap/swap" ];
-          rollingRootfs = {};
+          rollingRootfs.device = "/dev/disk/by-uuid/d187e03c-a2b6-455b-931a-8d35b529edac";
         };
         grub.installDevice = "efi";
         nixpkgs =
@@ -44,7 +44,6 @@ inputs:
         gui = { preferred = false; autoStart = true; };
         kernel.patches = [ "cjktty" "lantian" ];
         networking.hostname = "xmupc2";
-        nix.remote.slave.enable = true;
       };
       hardware =
       {
@@ -59,13 +58,17 @@ inputs:
       virtualization = { waydroid.enable = true; docker.enable = true; kvmHost = { enable = true; gui = true; }; };
       services =
       {
-        snapper.enable = true;
+        snapper.enable = false;
         fontconfig.enable = true;
         sshd = { enable = true; passwordAuthentication = true; };
-        xray.client = {};
+        xray.client.enable = true;
         firewall.trustedInterfaces = [ "virbr0" "waydroid0" ];
         smartd.enable = true;
-        beesd.instances.root = { device = "/"; hashTableSizeMB = 16384; threads = 4; };
+        beesd =
+        {
+          enable = false;
+          instances.root = { device = "/"; hashTableSizeMB = 16384; threads = 4; };
+        };
         wireguard =
         {
           enable = true;
@@ -78,19 +81,18 @@ inputs:
           enable = true;
           cpu = { sockets = 2; cores = 22; threads = 2; };
           memoryMB = 253952;
-          gpus = { "4090" = 1; "p5000" = 1; };
+          gpus = { "p400" = 1; };
         };
-        xrdp = { enable = true; hostname = [ "xmupc2.chn.moe" ]; };
+        xrdp = { enable = false; hostname = [ "xmupc2.chn.moe" ]; };
         samba =
         {
           enable = true;
-          hostsAllowed = "";
+          hostsAllowed = "192.168. 127.";
           shares = { home.path = "/home"; root.path = "/"; };
         };
-        groupshare = {};
       };
       bugs = [ "xmunet" ];
-      user.users = [ "chn" "xll" "zem" "yjq" "gb" ];
+      users.users = [ "chn" "xll" "zem" "yjq" "gb" ];
     };
   };
 }

devices/xmupc2/secrets/default.yaml

@@ -7,14 +7,10 @@ xray-client:
 wireguard:
     privateKey: ENC[AES256_GCM,data:0Vw9NVs/Kxc52zUlmeAPFeOG8msdL0YopjhzFKRWhv6+kfb+SFObOP8EJ2M=,iv:KgIZIawbnN+1sIcMjNECkdtujPbg7yQktKVc25SXavI=,tag:b79oZP+GZKmM3OVFshvFhg==,type:str]
 users:
-    #ENC[AES256_GCM,data:FP1Mr1TmRI4L,iv:3K4LMbOQPvF1ORWNyaXDoC5MXn3yColR4eKs9sm9y5s=,tag:f3guTegVXw1A6aqolKQnqA==,type:comment]
-    xll: ENC[AES256_GCM,data:CAEd+usnLKoQZ+0PLEiJfbZpz2pyn+I/edC2KbNXBXZPAgT7IDENMnSQyxme899KqRVL4nLrtHs82aA8+kl/dE+QYSTCFVVuHg==,iv:Hs8rb0Iu5Xw74p9/cL2gWfPLh61VaLzIltKUSjRFZjc=,tag:/u5vI0oTMQbNoCEzhcWqOw==,type:str]
-    #ENC[AES256_GCM,data:UIns0CnC/QmJ,iv:Gn4XDPcdTyDLXAgGq7qwayrN206Gx7JsJ3V9G+4bTyA=,tag:FITVs8Tgkiq1XoS8joXM1Q==,type:comment]
-    zem: ENC[AES256_GCM,data:znpGuS8LVxaztnwQlIwu3hykWRBUtQvOsniLaOasXDbw9lHGX8lwwYJuCE+0I14HmiZK/RrrouIwfAfcjZQzPyjJ/SRoOG1Vyg==,iv:YXHX43y99/w9102vhsvFLVOUtJmuRnLVLu+ywfn9URY=,tag:AzsmkXOyX7y/D+ndteuMmA==,type:str]
-    #ENC[AES256_GCM,data:6vMItERptBsX,iv:G0sDjEfLciheMxTZbeLIbWKlimPD1ANIk/VVdhQifXA=,tag:oR9FEdVx6W+0uDeKfb37iw==,type:comment]
-    yjq: ENC[AES256_GCM,data:sGPQ0xALULREnhzl9g/V91M5osMglsSps6R4gYn5OZc/4xVC1phF3qajVN3YMOr7kKgkHbF2Rjm6/2vuK0k1iYZnFswUAmFlmw==,iv:5vG1hn7SlX6HCpas2BgxBSwWqLby8OCxcH3EKNvceIc=,tag:TVwFBAuosKnEOZecq1phXw==,type:str]
-    #ENC[AES256_GCM,data:ALHxkRABA+ll,iv:r1IDiHLFcTdLID3q16zrLTavAwQfddC7bXMKcFZFveI=,tag:4Pd0/Q1BmH4gJjaM4hbqqQ==,type:comment]
-    gb: ENC[AES256_GCM,data:z4CrtdmdLJJ0qZzr7qvihnluJQgjtciX56KdEmtemiRu0llEJk9qz6a23aJ7m40Sfc38elF1/LsvjOuBOC87+BVkKDCj76phag==,iv:WrFVxkr3snmqDXZx5kAYCLp7ixEIzxoT7El3rV7Ovqg=,tag:iExf2Y/HObHQrKMTRvqn7A==,type:str]
+    xll: ENC[AES256_GCM,data:8g3/l09TNw7PYDtVkdQvQDgpOrsdrH2u07mtDxcvBY+hij3kQ9Ma3AMrspo0yRO82zInEOUlB100l/ja79nTtB1hqriQb1SEZg==,iv:G7zuzsUAPj6UHCgR6bDFpy9Wa3PVW+FSag3juYXizg0=,tag:Qdk3fN280ZAzutRkRYK2/A==,type:str]
+    zem: ENC[AES256_GCM,data:lBIXyIPWdE0AIpVzjRdB8vreCC0KW40tVDkYbv8E6D81spNBDsPLntuvliHWq9xs0qAH5fhY/ov03lCThGKwzW0r2GdoeLe+1Q==,iv:orRqqLFJ/P0MhT/i7sVQFLel94qY8YL34Uw4kM6D+10=,tag:fvA12mgRxLQzczz/F4Fmew==,type:str]
+    yjq: ENC[AES256_GCM,data:gnfFvRUjSygRGvQPgxOea4ecgDrTA+YCGjXlcRGyj6l0ZEIOfbdf5XuIX2KeDKZ0ku/2nbEYfQIRAiljIpczJwtKuXcMndhn8w==,iv:U487J2mBOxPeVq8Viyr/NQY5/d63bm03LUUJ1FHQqMM=,tag:H/kUYAWDPlAY52H6AOwgsA==,type:str]
+    gb: ENC[AES256_GCM,data:5Vb+7peQfFFHEjPPYcjWYIQ4EJYFASWKQIfR1A36LUJXWtvr6tIhd2VWIIGOrrAz3JqGEx5+5ZBq49N/zp8fGI4GiEGtFkILGA==,iv:lCjRClDKTmWtEMc1Z6jMfWQQ103/AaFbyETxNoGLr1E=,tag:grdktL6lnNtQk4rKp/hnCA==,type:str]
 mariadb:
     slurm: ENC[AES256_GCM,data:9wLQ1zF/kDaiw0s3UaRpiHgmngU7u6hwyqpddSjev0+Z0v58Q2oiJtK8vn+2VlSxx5ACfqEFbzp0PZYAxd575w==,iv:q9JTkgDymOwkbZ/PaxRAAQrtO96QmGgZcQuLTFCMoS4=,tag:dwOHlOTgZqT/1jQ+oGf7UQ==,type:str]
 sops:
@@ -41,8 +37,8 @@ sops:
             M0xoL1dQR0kvMWpzN0RMNWVCTFQxNFUKj9LPjBo5NGOrGYNvu8qZ13PLYjLEWllU
             LARzEn4XgkeHckouwvxZYMCx7WxmAruRWaOvnxTIczzSNP7wIrqnkA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-03-10T13:46:59Z"
-    mac: ENC[AES256_GCM,data:j+bdp0emAtTNNI7aZsKTJ+uARsuyLb9GRV0CeIb2EoZaOmj5cJpUzYtcAWIdCYplt1ZScCcR7iQPUlCzUb0+pXth7QDibtGJcj0dqw87DoaY3cqm7jNkKteiIYxXOCmbMBgED9eMxQVdcGZTDSuTQ0KjFYoXkcUSriMsJltDUDc=,iv:+eLNmlxeqB/Q7Rmz5B/wZSajiesV+/ED3ROJuuShpfo=,tag:95xKRRuqRZkUFUjHbPrDNw==,type:str]
+    lastmodified: "2024-03-09T07:58:59Z"
+    mac: ENC[AES256_GCM,data:dNS3GGmHEJonDGNVGlhjRPnDSo0DljmX3pRrnYXsCLrjViOQpLmgInJF3g37Thpl5+PQOpjGpwSqTuWrIkTuSs3wWwjzA2xE6WtPStY13U7lGLhBmkLIocVqmWCPH5zs1pVKQnuk6jNaBUfWUA5aL2+WNcatnPqxIL45j0Chvmw=,iv:JhGN219z3uwl5fEx7KVLG/p23JWe1JHMPLg09G9+CWM=,tag:y5VuwVyMu8c8aDtKqWDykw==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1

flake.lock

@@ -21,39 +21,6 @@
         "type": "github"
       }
     },
-    "attic": {
-      "inputs": {
-        "crane": [
-          "chaotic",
-          "crane"
-        ],
-        "flake-compat": [
-          "chaotic",
-          "flake-compat"
-        ],
-        "flake-utils": [
-          "chaotic",
-          "flake-utils"
-        ],
-        "nixpkgs": [
-          "chaotic",
-          "nixpkgs"
-        ],
-        "nixpkgs-stable": "nixpkgs-stable"
-      },
-      "locked": {
-        "lastModified": 1707922053,
-        "narHash": "sha256-wSZjK+rOXn+UQiP1NbdNn5/UW6UcBxjvlqr2wh++MbM=",
-        "rev": "6eabc3f02fae3683bffab483e614bebfcd476b21",
-        "revCount": 193,
-        "type": "tarball",
-        "url": "https://api.flakehub.com/f/pinned/zhaofengli/attic/0.1.193%2Brev-6eabc3f02fae3683bffab483e614bebfcd476b21/018da817-367d-75ac-bd41-470d92844bf2/source.tar.gz"
-      },
-      "original": {
-        "type": "tarball",
-        "url": "https://flakehub.com/f/zhaofengli/attic/0.1.%2A.tar.gz"
-      }
-    },
     "blurred-wallpaper": {
       "flake": false,
       "locked": {
@@ -70,44 +37,6 @@
         "type": "github"
       }
     },
-    "chaotic": {
-      "inputs": {
-        "attic": "attic",
-        "compare-to": "compare-to",
-        "conduit": "conduit",
-        "crane": "crane",
-        "fenix": "fenix",
-        "flake-compat": "flake-compat_2",
-        "flake-schemas": "flake-schemas",
-        "flake-utils": "flake-utils",
-        "home-manager": [
-          "home-manager"
-        ],
-        "jovian": "jovian",
-        "jujutsu": "jujutsu",
-        "niri": "niri",
-        "nix-filter": "nix-filter",
-        "nixpkgs": [
-          "nixpkgs"
-        ],
-        "systems": "systems",
-        "yafas": "yafas"
-      },
-      "locked": {
-        "lastModified": 1710340554,
-        "narHash": "sha256-oMeBMZmLEcqPQ3DBG1xVhSm9+dV+ZNxaYn3wfro2p70=",
-        "owner": "chaotic-cx",
-        "repo": "nyx",
-        "rev": "03b2bea544688068025df1912ff1e9a1ad4a642a",
-        "type": "github"
-      },
-      "original": {
-        "owner": "chaotic-cx",
-        "repo": "nyx",
-        "rev": "03b2bea544688068025df1912ff1e9a1ad4a642a",
-        "type": "github"
-      }
-    },
     "citation-style-language": {
       "flake": false,
       "locked": {
@@ -126,20 +55,6 @@
         "url": "https://github.com/zepinglee/citeproc-lua"
       }
     },
-    "compare-to": {
-      "locked": {
-        "lastModified": 1695341185,
-        "narHash": "sha256-htO6DSbWyCgaDkxi7foPjXwJFPzGjVt3RRUbPSpNtZY=",
-        "rev": "98b8e330823a3570d328720f87a1153f8a7f2224",
-        "revCount": 2,
-        "type": "tarball",
-        "url": "https://api.flakehub.com/f/pinned/chaotic-cx/nix-empty-flake/0.1.2%2Brev-98b8e330823a3570d328720f87a1153f8a7f2224/018aba35-d228-7fa9-b205-7616c89ef4e0/source.tar.gz"
-      },
-      "original": {
-        "type": "tarball",
-        "url": "https://flakehub.com/f/chaotic-cx/nix-empty-flake/%3D0.1.2.tar.gz"
-      }
-    },
     "concurrencpp": {
       "flake": false,
       "locked": {
@@ -156,51 +71,6 @@
         "type": "github"
       }
     },
-    "conduit": {
-      "inputs": {
-        "attic": [
-          "chaotic",
-          "attic"
-        ],
-        "crane": [
-          "chaotic",
-          "crane"
-        ],
-        "fenix": [
-          "chaotic",
-          "fenix"
-        ],
-        "flake-compat": [
-          "chaotic",
-          "flake-compat"
-        ],
-        "flake-utils": [
-          "chaotic",
-          "flake-utils"
-        ],
-        "nix-filter": [
-          "chaotic",
-          "nix-filter"
-        ],
-        "nixpkgs": [
-          "chaotic",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1710562188,
-        "narHash": "sha256-KHlb4sK9fvp+9DoYWHLyaegoeLV7w8s7CsNMmNlKu1U=",
-        "owner": "girlbossceo",
-        "repo": "conduwuit",
-        "rev": "8d8467a4eafd264adb9c710e0638c08ae547dec4",
-        "type": "github"
-      },
-      "original": {
-        "owner": "girlbossceo",
-        "repo": "conduwuit",
-        "type": "github"
-      }
-    },
     "cppcoro": {
       "flake": false,
       "locked": {
@@ -217,26 +87,6 @@
         "type": "github"
       }
     },
-    "crane": {
-      "inputs": {
-        "nixpkgs": [
-          "chaotic",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1706473297,
-        "narHash": "sha256-FbxuYIrHaXpsYCLtI1gCNJhd+qvERjPibXL3ctmVaCs=",
-        "rev": "fe812ef0dad5bb93a56c599d318be176d080281d",
-        "revCount": 493,
-        "type": "tarball",
-        "url": "https://api.flakehub.com/f/pinned/ipetkov/crane/0.16.1/018d51be-1c17-765e-babc-c9e3bc8a5a14/source.tar.gz"
-      },
-      "original": {
-        "type": "tarball",
-        "url": "https://flakehub.com/f/ipetkov/crane/%2A.tar.gz"
-      }
-    },
     "date": {
       "flake": false,
       "locked": {
@@ -255,7 +105,7 @@
     },
     "deploy-rs": {
       "inputs": {
-        "flake-compat": "flake-compat_3",
+        "flake-compat": "flake-compat_2",
         "nixpkgs": [
           "nixpkgs"
         ],
@@ -391,11 +241,11 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1711262477,
-        "narHash": "sha256-fK1OsvjJwQlTeGJHcngxM2iWICCJ/vnG1qJq6U3H7UQ=",
+        "lastModified": 1708989027,
+        "narHash": "sha256-14HU66SKCszBP0h+/g/5YLfSksSro+AeEUFFchH0VWA=",
         "owner": "Mic92",
         "repo": "envfs",
-        "rev": "4aa4816dd9b5c38db4005ca18a42d8070242eec5",
+        "rev": "3273ab593b97adf85e89210233bf7d9324177e46",
         "type": "github"
       },
       "original": {
@@ -484,27 +334,6 @@
         "type": "github"
       }
     },
-    "fenix": {
-      "inputs": {
-        "nixpkgs": [
-          "chaotic",
-          "nixpkgs"
-        ],
-        "rust-analyzer-src": "rust-analyzer-src"
-      },
-      "locked": {
-        "lastModified": 1709274179,
-        "narHash": "sha256-O6EC6QELBLHzhdzBOJj0chx8AOcd4nDRECIagfT5Nd0=",
-        "rev": "4be608f4f81d351aacca01b21ffd91028c23cc22",
-        "revCount": 1791,
-        "type": "tarball",
-        "url": "https://api.flakehub.com/f/pinned/nix-community/fenix/0.1.1791%2Brev-4be608f4f81d351aacca01b21ffd91028c23cc22/018df913-b6d3-756c-b05c-358eca6e487d/source.tar.gz"
-      },
-      "original": {
-        "type": "tarball",
-        "url": "https://flakehub.com/f/nix-community/fenix/0.1.%2A.tar.gz"
-      }
-    },
     "flake-compat": {
       "flake": false,
       "locked": {
@@ -526,24 +355,25 @@
       "locked": {
         "lastModified": 1696426674,
         "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
         "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
-        "revCount": 57,
-        "type": "tarball",
-        "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.0.1/018afb31-abd1-7bff-a5e4-cff7e18efb7a/source.tar.gz"
+        "type": "github"
       },
       "original": {
-        "type": "tarball",
-        "url": "https://flakehub.com/f/edolstra/flake-compat/%2A.tar.gz"
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
       }
     },
     "flake-compat_3": {
       "flake": false,
       "locked": {
-        "lastModified": 1696426674,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "lastModified": 1673956053,
+        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
         "type": "github"
       },
       "original": {
@@ -571,11 +401,11 @@
     "flake-compat_5": {
       "flake": false,
       "locked": {
-        "lastModified": 1673956053,
-        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
         "type": "github"
       },
       "original": {
@@ -600,22 +430,6 @@
         "type": "github"
       }
     },
-    "flake-compat_7": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1696426674,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
-        "type": "github"
-      },
-      "original": {
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
     "flake-parts": {
       "inputs": {
         "nixpkgs-lib": [
@@ -624,11 +438,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1709336216,
-        "narHash": "sha256-Dt/wOWeW6Sqm11Yh+2+t0dfEWxoMxGBvv3JpIocFl9E=",
+        "lastModified": 1698882062,
+        "narHash": "sha256-HkhafUayIqxXyHH1X8d9RDl1M2CkFgZLjKD3MzabiEo=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "f7b3c975cf067e56e7cda6cb098ebe3fb4d74ca2",
+        "rev": "8c9fa2545007b49a5db5f650ae91f227672c3877",
         "type": "github"
       },
       "original": {
@@ -715,43 +529,9 @@
         "type": "github"
       }
     },
-    "flake-schemas": {
-      "locked": {
-        "lastModified": 1693491534,
-        "narHash": "sha256-ifw8Td8kD08J8DxFbYjeIx5naHcDLz7s2IFP3X42I/U=",
-        "rev": "c702cbb663d6d70bbb716584a2ee3aeb35017279",
-        "revCount": 21,
-        "type": "tarball",
-        "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/flake-schemas/0.1.1/018a4c59-80e1-708a-bb4d-854930c20f72/source.tar.gz"
-      },
-      "original": {
-        "type": "tarball",
-        "url": "https://flakehub.com/f/DeterminateSystems/flake-schemas/%3D0.1.1.tar.gz"
-      }
-    },
     "flake-utils": {
       "inputs": {
-        "systems": [
-          "chaotic",
-          "systems"
-        ]
-      },
-      "locked": {
-        "lastModified": 1710146030,
-        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
-        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
-        "revCount": 92,
-        "type": "tarball",
-        "url": "https://api.flakehub.com/f/pinned/numtide/flake-utils/0.1.92%2Brev-b1d9ab70662946ef0850d488da1c9019f3a9752a/018e2ca5-e5a2-7f80-9261-445a8cecd4d7/source.tar.gz"
-      },
-      "original": {
-        "type": "tarball",
-        "url": "https://flakehub.com/f/numtide/flake-utils/0.1.%2A.tar.gz"
-      }
-    },
-    "flake-utils_2": {
-      "inputs": {
-        "systems": "systems_3"
+        "systems": "systems_2"
       },
       "locked": {
         "lastModified": 1701680307,
@@ -767,9 +547,9 @@
         "type": "github"
       }
     },
-    "flake-utils_3": {
+    "flake-utils_2": {
       "inputs": {
-        "systems": "systems_4"
+        "systems": "systems_3"
       },
       "locked": {
         "lastModified": 1694529238,
@@ -785,9 +565,9 @@
         "type": "github"
       }
     },
-    "flake-utils_4": {
+    "flake-utils_3": {
       "inputs": {
-        "systems": "systems_5"
+        "systems": "systems_4"
       },
       "locked": {
         "lastModified": 1681202837,
@@ -803,7 +583,7 @@
         "type": "github"
       }
     },
-    "flake-utils_5": {
+    "flake-utils_4": {
       "locked": {
         "lastModified": 1638122382,
         "narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=",
@@ -818,6 +598,24 @@
         "type": "github"
       }
     },
+    "flake-utils_5": {
+      "inputs": {
+        "systems": "systems_5"
+      },
+      "locked": {
+        "lastModified": 1705309234,
+        "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
     "flake-utils_6": {
       "inputs": {
         "systems": "systems_6"
@@ -840,24 +638,6 @@
       "inputs": {
         "systems": "systems_7"
       },
-      "locked": {
-        "lastModified": 1705309234,
-        "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
-    "flake-utils_8": {
-      "inputs": {
-        "systems": "systems_8"
-      },
       "locked": {
         "lastModified": 1701680307,
         "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
@@ -905,22 +685,6 @@
         "type": "github"
       }
     },
-    "gricad": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1709199491,
-        "narHash": "sha256-J32quO+kCOrOLkYQzFZpiPhUXJHE6GIrmb0VSlECKLM=",
-        "owner": "Gricad",
-        "repo": "nur-packages",
-        "rev": "4b4a489297f3a11b8d0883b02c0d154ce37f24e0",
-        "type": "github"
-      },
-      "original": {
-        "owner": "Gricad",
-        "repo": "nur-packages",
-        "type": "github"
-      }
-    },
     "hercules-ci-effects": {
       "inputs": {
         "flake-parts": [
@@ -982,54 +746,6 @@
         "type": "github"
       }
     },
-    "jovian": {
-      "inputs": {
-        "nix-github-actions": "nix-github-actions",
-        "nixpkgs": [
-          "chaotic",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1710404304,
-        "narHash": "sha256-tYsUAsZgt9TT7d+r1KRYHWyBRWedJ39SXNBVSCQVsGQ=",
-        "owner": "Jovian-Experiments",
-        "repo": "Jovian-NixOS",
-        "rev": "ffa51458aec4d53aac85b6dee1ee2ec29f4e953f",
-        "type": "github"
-      },
-      "original": {
-        "owner": "Jovian-Experiments",
-        "repo": "Jovian-NixOS",
-        "type": "github"
-      }
-    },
-    "jujutsu": {
-      "inputs": {
-        "flake-utils": [
-          "chaotic",
-          "flake-utils"
-        ],
-        "nixpkgs": [
-          "chaotic",
-          "nixpkgs"
-        ],
-        "rust-overlay": "rust-overlay"
-      },
-      "locked": {
-        "lastModified": 1710563757,
-        "narHash": "sha256-H5SZIo7O4zg/NqSdM71V2gYH4ex5WbBf6s9ue5s4nL4=",
-        "owner": "martinvonz",
-        "repo": "jj",
-        "rev": "8600750fceafbf489d42a99b36b1f48bbc1e416b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "martinvonz",
-        "repo": "jj",
-        "type": "github"
-      }
-    },
     "lepton": {
       "flake": false,
       "locked": {
@@ -1049,11 +765,11 @@
     "linux-surface": {
       "flake": false,
       "locked": {
-        "lastModified": 1710015335,
-        "narHash": "sha256-Mjk332F7vTGupjpfRv9OdvV9MZORb87L2D+cYI7f8CM=",
+        "lastModified": 1709062140,
+        "narHash": "sha256-yhNJ/0oQWkNkBrBePEYN4SEzlx8S4w/OK6KFYP/vCbk=",
         "owner": "linux-surface",
         "repo": "linux-surface",
-        "rev": "3c1b47315d1e4f49b13903f07618310c65b16e64",
+        "rev": "0a6559d21ea3ccdb12ce2483fa6b6ad416f0c56f",
         "type": "github"
       },
       "original": {
@@ -1146,7 +862,7 @@
     },
     "napalm": {
       "inputs": {
-        "flake-utils": "flake-utils_2",
+        "flake-utils": "flake-utils",
         "nixpkgs": [
           "nixpkgs"
         ]
@@ -1165,43 +881,6 @@
         "type": "github"
       }
     },
-    "niri": {
-      "inputs": {
-        "crane": [
-          "chaotic",
-          "crane"
-        ],
-        "fenix": [
-          "chaotic",
-          "fenix"
-        ],
-        "flake-utils": [
-          "chaotic",
-          "flake-utils"
-        ],
-        "nix-filter": [
-          "chaotic",
-          "nix-filter"
-        ],
-        "nixpkgs": [
-          "chaotic",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1710525749,
-        "narHash": "sha256-LpV/mJLeShTPecVQZnIAb9PTCGziuMuGOJQUeAb2u/w=",
-        "owner": "YaLTeR",
-        "repo": "niri",
-        "rev": "0c57815fbf47c69af9ed11fa8ebc1b52158a3ba2",
-        "type": "github"
-      },
-      "original": {
-        "owner": "YaLTeR",
-        "repo": "niri",
-        "type": "github"
-      }
-    },
     "nix-doom-emacs": {
       "inputs": {
         "doom-emacs": "doom-emacs",
@@ -1213,8 +892,8 @@
         "evil-org-mode": "evil-org-mode",
         "evil-quick-diff": "evil-quick-diff",
         "explain-pause-mode": "explain-pause-mode",
-        "flake-compat": "flake-compat_4",
-        "flake-utils": "flake-utils_3",
+        "flake-compat": "flake-compat_3",
+        "flake-utils": "flake-utils_2",
         "format-all": "format-all",
         "nix-straight": "nix-straight",
         "nixpkgs": [
@@ -1268,59 +947,6 @@
         "type": "github"
       }
     },
-    "nix-filter": {
-      "locked": {
-        "lastModified": 1710156097,
-        "narHash": "sha256-1Wvk8UP7PXdf8bCCaEoMnOT1qe5/Duqgj+rL8sRQsSM=",
-        "owner": "numtide",
-        "repo": "nix-filter",
-        "rev": "3342559a24e85fc164b295c3444e8a139924675b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "nix-filter",
-        "type": "github"
-      }
-    },
-    "nix-flatpak": {
-      "locked": {
-        "lastModified": 1708781964,
-        "narHash": "sha256-qbEZgB1mNuMADLmM64EtcRjDHXR3UFL4xVmoanv9wZU=",
-        "owner": "gmodena",
-        "repo": "nix-flatpak",
-        "rev": "09d07c73b4d9771f527a168e0b1b6d8a1f39de28",
-        "type": "github"
-      },
-      "original": {
-        "owner": "gmodena",
-        "repo": "nix-flatpak",
-        "type": "github"
-      }
-    },
-    "nix-github-actions": {
-      "inputs": {
-        "nixpkgs": [
-          "chaotic",
-          "jovian",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1690328911,
-        "narHash": "sha256-fxtExYk+aGf2YbjeWQ8JY9/n9dwuEt+ma1eUFzF8Jeo=",
-        "owner": "zhaofengli",
-        "repo": "nix-github-actions",
-        "rev": "96df4a39c52f53cb7098b923224d8ce941b64747",
-        "type": "github"
-      },
-      "original": {
-        "owner": "zhaofengli",
-        "ref": "matrix-name",
-        "repo": "nix-github-actions",
-        "type": "github"
-      }
-    },
     "nix-index-database": {
       "inputs": {
         "nixpkgs": [
@@ -1359,8 +985,8 @@
     },
     "nix-vscode-extensions": {
       "inputs": {
-        "flake-compat": "flake-compat_5",
-        "flake-utils": "flake-utils_4",
+        "flake-compat": "flake-compat_4",
+        "flake-utils": "flake-utils_3",
         "nixpkgs": [
           "nixpkgs"
         ]
@@ -1402,7 +1028,7 @@
     },
     "nixos-cn": {
       "inputs": {
-        "flake-utils": "flake-utils_5",
+        "flake-utils": "flake-utils_4",
         "nixpkgs": [
           "nixpkgs"
         ]
@@ -1476,11 +1102,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1710140976,
-        "narHash": "sha256-DNFKN7j4o4Ki71uhj7w+Ldgb/1ugYA6qB7xgV3U88eI=",
+        "lastModified": 1709962988,
+        "narHash": "sha256-0RQgOuv7sqs5m2aWoXOCYaqbiwORms1kaoB/4vOM5BY=",
         "owner": "CHN-beta",
         "repo": "nixpkgs",
-        "rev": "5d5433bd0da0c3eafe4726c9186e93b43e09554d",
+        "rev": "a987675eb3d475c7949e508f6bfaf0e36ae1b674",
         "type": "github"
       },
       "original": {
@@ -1574,22 +1200,6 @@
         "type": "github"
       }
     },
-    "nixpkgs-stable": {
-      "locked": {
-        "lastModified": 1702780907,
-        "narHash": "sha256-blbrBBXjjZt6OKTcYX1jpe9SRof2P9ZYWPzq22tzXAA=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "1e2e384c5b7c50dbf8e9c441a9e58d85f408b01f",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-23.11",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
     "nixpkgs-unstable": {
       "locked": {
         "lastModified": 1709345434,
@@ -1656,9 +1266,9 @@
     "nur-linyinfeng": {
       "inputs": {
         "devshell": "devshell",
-        "flake-compat": "flake-compat_6",
+        "flake-compat": "flake-compat_5",
         "flake-parts": "flake-parts_5",
-        "flake-utils": "flake-utils_6",
+        "flake-utils": "flake-utils_5",
         "nixos-stable": "nixos-stable",
         "nixpkgs": [
           "nixpkgs"
@@ -1682,7 +1292,7 @@
     },
     "nur-xddxdd": {
       "inputs": {
-        "flake-utils": "flake-utils_7",
+        "flake-utils": "flake-utils_6",
         "nixpkgs": [
           "nixpkgs"
         ],
@@ -1733,7 +1343,7 @@
     },
     "nvfetcher_2": {
       "inputs": {
-        "flake-compat": "flake-compat_7",
+        "flake-compat": "flake-compat_6",
         "flake-utils": [
           "nur-xddxdd",
           "flake-utils"
@@ -1862,7 +1472,7 @@
     },
     "pnpm2nix-nzbr": {
       "inputs": {
-        "flake-utils": "flake-utils_8",
+        "flake-utils": "flake-utils_7",
         "nixpkgs": [
           "nixpkgs"
         ]
@@ -1922,7 +1532,6 @@
       "inputs": {
         "aagl": "aagl",
         "blurred-wallpaper": "blurred-wallpaper",
-        "chaotic": "chaotic",
         "citation-style-language": "citation-style-language",
         "concurrencpp": "concurrencpp",
         "cppcoro": "cppcoro",
@@ -1931,7 +1540,6 @@
         "eigen": "eigen",
         "envfs": "envfs",
         "fluent-kde": "fluent-kde",
-        "gricad": "gricad",
         "home-manager": "home-manager",
         "impermanence": "impermanence",
         "lepton": "lepton",
@@ -1944,7 +1552,6 @@
         "napalm": "napalm",
         "nix-doom-emacs": "nix-doom-emacs",
         "nix-fast-build": "nix-fast-build",
-        "nix-flatpak": "nix-flatpak",
         "nix-index-database": "nix-index-database",
         "nix-vscode-extensions": "nix-vscode-extensions",
         "nixd": "nixd",
@@ -2005,50 +1612,6 @@
         "type": "github"
       }
     },
-    "rust-analyzer-src": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1709219524,
-        "narHash": "sha256-8HHRXm4kYQLdUohNDUuCC3Rge7fXrtkjBUf0GERxrkM=",
-        "owner": "rust-lang",
-        "repo": "rust-analyzer",
-        "rev": "9efa23c4dacee88b93540632eb3d88c5dfebfe17",
-        "type": "github"
-      },
-      "original": {
-        "owner": "rust-lang",
-        "ref": "nightly",
-        "repo": "rust-analyzer",
-        "type": "github"
-      }
-    },
-    "rust-overlay": {
-      "inputs": {
-        "flake-utils": [
-          "chaotic",
-          "jujutsu",
-          "flake-utils"
-        ],
-        "nixpkgs": [
-          "chaotic",
-          "jujutsu",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1707444620,
-        "narHash": "sha256-P8kRkiJLFttN+hbAOlm11wPxUrQZqKle+QtVCqFiGXY=",
-        "owner": "oxalica",
-        "repo": "rust-overlay",
-        "rev": "78503e9199010a4df714f29a4f9c00eb2ccae071",
-        "type": "github"
-      },
-      "original": {
-        "owner": "oxalica",
-        "repo": "rust-overlay",
-        "type": "github"
-      }
-    },
     "rycee": {
       "flake": false,
       "locked": {
@@ -2122,16 +1685,16 @@
     },
     "systems": {
       "locked": {
-        "lastModified": 1689347949,
-        "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
         "owner": "nix-systems",
-        "repo": "default-linux",
-        "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
         "type": "github"
       },
       "original": {
         "owner": "nix-systems",
-        "repo": "default-linux",
+        "repo": "default",
         "type": "github"
       }
     },
@@ -2225,21 +1788,6 @@
         "type": "github"
       }
     },
-    "systems_8": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
-    },
     "tgbot-cpp": {
       "flake": false,
       "locked": {
@@ -2264,11 +1812,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1710781103,
-        "narHash": "sha256-nehQK/XTFxfa6rYKtbi8M1w+IU1v5twYhiyA4dg1vpg=",
+        "lastModified": 1699786194,
+        "narHash": "sha256-3h3EH1FXQkIeAuzaWB+nK0XK54uSD46pp+dMD3gAcB4=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "7ee5aaac63c30d3c97a8c56efe89f3b2aa9ae564",
+        "rev": "e82f32aa7f06bbbd56d7b12186d555223dc399d1",
         "type": "github"
       },
       "original": {
@@ -2337,7 +1885,7 @@
     },
     "utils": {
       "inputs": {
-        "systems": "systems_2"
+        "systems": "systems"
       },
       "locked": {
         "lastModified": 1701680307,
@@ -2401,30 +1949,6 @@
         "type": "github"
       }
     },
-    "yafas": {
-      "inputs": {
-        "flake-schemas": [
-          "chaotic",
-          "flake-schemas"
-        ],
-        "systems": [
-          "chaotic",
-          "systems"
-        ]
-      },
-      "locked": {
-        "lastModified": 1695926485,
-        "narHash": "sha256-wNFFnItckgSs8XeYhhv8vlJs2WF09fSQaWgw4xkDqHQ=",
-        "rev": "7772afd6686458ca0ddbc599a52cf5d337367653",
-        "revCount": 4,
-        "type": "tarball",
-        "url": "https://api.flakehub.com/f/pinned/UbiqueLambda/yafas/0.1.4%2Brev-7772afd6686458ca0ddbc599a52cf5d337367653/018add18-ebb4-72c6-93fe-d1d8da361703/source.tar.gz"
-      },
-      "original": {
-        "type": "tarball",
-        "url": "https://flakehub.com/f/UbiqueLambda/yafas/0.1.%2A.tar.gz"
-      }
-    },
     "zpp-bits": {
       "flake": false,
       "locked": {

flake.nix

@@ -37,13 +37,6 @@
     nixos-hardware.url = "github:CHN-beta/nixos-hardware";
     envfs = { url = "github:Mic92/envfs"; inputs.nixpkgs.follows = "nixpkgs"; };
     nix-fast-build = { url = "github:/Mic92/nix-fast-build"; inputs.nixpkgs.follows = "nixpkgs"; };
-    nix-flatpak.url = "github:gmodena/nix-flatpak";
-    chaotic =
-    {
-      url = "github:chaotic-cx/nyx?rev=03b2bea544688068025df1912ff1e9a1ad4a642a";
-      inputs = { nixpkgs.follows = "nixpkgs"; home-manager.follows = "home-manager"; };
-    };
-    gricad = { url = "github:Gricad/nur-packages"; flake = false; };
 
     misskey = { url = "git+https://github.com/CHN-beta/misskey?submodules=1"; flake = false; };
     rsshub = { url = "github:DIYgod/RSSHub"; flake = false; };
@@ -104,9 +97,11 @@
             specialArgs = { topInputs = inputs; inherit localLib; };
             modules = localLib.mkModules
             [
-              (moduleInputs: { config.nixpkgs.overlays = [(prev: final:
-                # replace pkgs with final to avoid infinite recursion
-                { localPackages = import ./local/pkgs (moduleInputs // { pkgs = final; }); })]; })
+              (moduleInputs:
+              {
+                config.nixpkgs.overlays = [(final: prev: { localPackages =
+                  import ./local/pkgs { inherit (moduleInputs) lib; pkgs = final; topInputs = inputs; };})];
+              })
               ./modules
               ./devices/${system}
             ];

local/lib/default.nix

@@ -1,4 +1,4 @@
-lib: rec
+lib:
 {
   attrsToList = attrs: builtins.map (name: { inherit name; value = attrs.${name}; }) (builtins.attrNames attrs);
   mkConditional = condition: trueResult: falseResult: let inherit (lib) mkMerge mkIf; in
@@ -12,9 +12,9 @@ lib: rec
   mkModules = moduleList:
     (builtins.map
       (
-        let handle = module: let type = builtins.typeOf module; in
-          if type == "path" || type == "string" then (handle (import module))
-          else if type == "lambda" then ({ pkgs, utils, ... }@inputs: (module inputs))
+        let handle = module:
+          if ( builtins.typeOf module ) == "path" then (handle (import module))
+          else if ( builtins.typeOf module ) == "lambda" then ({ pkgs, utils, ... }@inputs: (module inputs))
           else module;
         in handle
       )
@@ -37,21 +37,4 @@ lib: rec
   findIndex = e: list:
     let findIndex_ = i: list: if (builtins.elemAt list i) == e then i else findIndex_ (i + 1) list;
     in findIndex_ 0 list;
-
-  # return a list of path, including:
-  # - all .nix file in the directory except for default.nix
-  # - all directories containing a default.nix
-  findModules = path:
-    builtins.filter (path: path != null) (builtins.map
-      (subPath:
-        if subPath.value == "regular" && subPath.name != "default.nix"
-          then if lib.strings.hasSuffix ".nix" subPath.name
-            then "${path}/${subPath.name}"
-            else null
-          else if subPath.value == "directory"
-            then if (builtins.readDir "${path}/${subPath.name}")."default.nix" or null == "regular"
-              then "${path}/${subPath.name}"
-            else null
-          else null)
-      (attrsToList (builtins.readDir path)));
 }

local/pkgs/aocc/default.nix

@@ -1,25 +1 @@
-{ version ? "4.2.0", stdenv, fetchurl, lib }:
-let versions =
-{
-  "4.1.0" = "1k9anln9hmdjflrkq4iacrmhma7gfrfj6d0b8ywxys0wfpdvy12v";
-  "4.2.0" = "1aycw6ygzr1db6xf3z7v5lpznhs8j7gcpkawd304vcj5qw75cnpd";
-};
-in stdenv.mkDerivation
-{
-  pname = "aocc";
-  inherit version;
-  src = fetchurl
-  {
-    url = "https://download.amd.com/developer/eula/aocc/aocc-"
-      + builtins.concatStringsSep "-" (lib.lists.take 2 (builtins.splitVersion version))
-      + "/aocc-compiler-${version}.tar";
-    sha256 = versions.${version};
-  };
-  dontBuild = true;
-  installPhase =
-  ''
-    mkdir -p $out
-    cp -r bin include lib lib32 libexec share $out
-  '';
-  dontFixup = true;
-}
+1k9anln9hmdjflrkq4iacrmhma7gfrfj6d0b8ywxys0wfpdvy12v

local/pkgs/aocl/default.nix

@@ -1,28 +0,0 @@
-{ version ? "4.2.0", stdenv, fetchurl, lib }:
-let versions =
-{
-  "4.1.0" = "04780c2zks0g76c4n4a2cbbhs1qz4lza4ffiw1fj0md3f1lxihr5";
-  "4.2.0" = "0p4x0zza6y18hjjs1971gyc5kjd2f8nzzynp2jabhl2vxiys2nnj";
-};
-in stdenv.mkDerivation
-{
-  pname = "aocl";
-  inherit version;
-  src = fetchurl
-  {
-    url = "https://download.amd.com/developer/eula/aocl/aocl-"
-      + builtins.concatStringsSep "-" (lib.lists.take 2 (builtins.splitVersion version))
-      + "/aocl-linux-aocc-${version}.tar.gz";
-    sha256 = versions.${version};
-  };
-  dontBuild = true;
-  installPhase =
-  ''
-    installDir=$(mktemp -d)
-    bash ./install.sh -t $installDir
-    mkdir -p $out
-    cp -r $installDir/${version}/aocc/lib_LP64 $out/lib
-    cp -r $installDir/${version}/aocc/include_LP64 $out/include
-  '';
-  dontFixup = true;
-}

local/pkgs/default.nix

@@ -1,87 +1,69 @@
-inputs: rec
+{ lib, pkgs, topInputs }: with pkgs; rec
 {
-  typora = inputs.pkgs.callPackage ./typora {};
-  vesta = inputs.pkgs.callPackage ./vesta {};
-  rsshub = inputs.pkgs.callPackage ./rsshub { src = inputs.topInputs.rsshub; };
-  misskey = inputs.pkgs.callPackage ./misskey { nodejs = inputs.pkgs.nodejs_21; src = inputs.topInputs.misskey; };
-  mk-meili-mgn = inputs.pkgs.callPackage ./mk-meili-mgn {};
-  vaspkit = inputs.pkgs.callPackage ./vaspkit { inherit (inputs.localLib) attrsToList; };
-  v-sim = inputs.pkgs.callPackage ./v-sim { src = inputs.topInputs.v-sim; };
-  concurrencpp = inputs.pkgs.callPackage ./concurrencpp
-    { stdenv = inputs.pkgs.gcc13Stdenv; src = inputs.topInputs.concurrencpp; };
-  eigengdb = inputs.pkgs.python3Packages.callPackage ./eigengdb {};
-  nodesoup = inputs.pkgs.callPackage ./nodesoup { src = inputs.topInputs.nodesoup; };
-  matplotplusplus = inputs.pkgs.callPackage ./matplotplusplus
-    { inherit nodesoup glad; src = inputs.topInputs.matplotplusplus; };
-  zpp-bits = inputs.pkgs.callPackage ./zpp-bits { src = inputs.topInputs.zpp-bits; };
-  eigen = inputs.pkgs.callPackage ./eigen { src = inputs.topInputs.eigen; };
-  nameof = inputs.pkgs.callPackage ./nameof { src = inputs.topInputs.nameof; };
-  pslist = inputs.pkgs.callPackage ./pslist {};
-  glad = inputs.pkgs.callPackage ./glad {};
-  chromiumos-touch-keyboard = inputs.pkgs.callPackage ./chromiumos-touch-keyboard {};
-  yoga-support = inputs.pkgs.callPackage ./yoga-support {};
-  tgbot-cpp = inputs.pkgs.callPackage ./tgbot-cpp { src = inputs.topInputs.tgbot-cpp; };
-  biu = inputs.pkgs.callPackage ./biu { inherit concurrencpp tgbot-cpp nameof; stdenv = inputs.pkgs.gcc13Stdenv; };
-  citation-style-language = inputs.pkgs.callPackage ./citation-style-language
-    { src = inputs.topInputs.citation-style-language; };
-  mirism = inputs.pkgs.callPackage ./mirism
+  typora = callPackage ./typora {};
+  vesta = callPackage ./vesta {};
+  rsshub = callPackage ./rsshub { src = topInputs.rsshub; };
+  misskey = callPackage ./misskey { nodejs = nodejs_21; src = topInputs.misskey; };
+  mk-meili-mgn = callPackage ./mk-meili-mgn {};
+  vaspkit = callPackage ./vaspkit { attrsToList = (import ../lib lib).attrsToList; };
+  v-sim = callPackage ./v-sim { src = topInputs.v-sim; };
+  concurrencpp = callPackage ./concurrencpp { stdenv = gcc13Stdenv; src = topInputs.concurrencpp; };
+  eigengdb = python3Packages.callPackage ./eigengdb {};
+  nodesoup = callPackage ./nodesoup { src = topInputs.nodesoup; };
+  matplotplusplus = callPackage ./matplotplusplus { inherit nodesoup glad; src = topInputs.matplotplusplus; };
+  zpp-bits = callPackage ./zpp-bits { src = topInputs.zpp-bits; };
+  eigen = callPackage ./eigen { src = topInputs.eigen; };
+  nameof = callPackage ./nameof { src = topInputs.nameof; };
+  pslist = callPackage ./pslist {};
+  glad = callPackage ./glad {};
+  chromiumos-touch-keyboard = callPackage ./chromiumos-touch-keyboard {};
+  yoga-support = callPackage ./yoga-support {};
+  tgbot-cpp = callPackage ./tgbot-cpp { src = topInputs.tgbot-cpp; };
+  biu = callPackage ./biu { inherit concurrencpp tgbot-cpp nameof; stdenv = gcc13Stdenv; };
+  citation-style-language = callPackage ./citation-style-language { src = topInputs.citation-style-language; };
+  mirism = callPackage ./mirism
   {
     inherit cppcoro nameof tgbot-cpp date;
-    nghttp2 = inputs.pkgs.callPackage "${inputs.topInputs."nixpkgs-23.05"}/pkgs/development/libraries/nghttp2"
-      { enableAsioLib = true; };
+    nghttp2 = pkgs."nghttp2-23.05".override { enableAsioLib = true; };
   };
-  cppcoro = inputs.pkgs.callPackage ./cppcoro { src = inputs.topInputs.cppcoro; };
-  date = inputs.pkgs.callPackage ./date { src = inputs.topInputs.date; };
-  esbonio = inputs.pkgs.python3Packages.callPackage ./esbonio {};
-  pix2tex = inputs.pkgs.python3Packages.callPackage ./pix2tex {};
-  pyreadline3 = inputs.pkgs.python3Packages.callPackage ./pyreadline3 {};
-  torchdata = inputs.pkgs.python3Packages.callPackage ./torchdata {};
-  torchtext = inputs.pkgs.python3Packages.callPackage ./torchtext { inherit torchdata; };
-  win11os-kde = inputs.pkgs.callPackage ./win11os-kde { src = inputs.topInputs.win11os-kde; };
-  fluent-kde = inputs.pkgs.callPackage ./fluent-kde { src = inputs.topInputs.fluent-kde; };
-  blurred-wallpaper = inputs.pkgs.callPackage ./blurred-wallpaper { src = inputs.topInputs.blurred-wallpaper; };
-  slate = inputs.pkgs.callPackage ./slate { src = inputs.topInputs.slate; };
-  nvhpc = inputs.pkgs.callPackage ./nvhpc {};
-  lmod = inputs.pkgs.callPackage ./lmod { src = inputs.topInputs.lmod; };
-  vasp = rec
+  cppcoro = callPackage ./cppcoro { src = topInputs.cppcoro; };
+  date = callPackage ./date { src = topInputs.date; };
+  esbonio = python3Packages.callPackage ./esbonio {};
+  pix2tex = python3Packages.callPackage ./pix2tex {};
+  pyreadline3 = python3Packages.callPackage ./pyreadline3 {};
+  torchdata = python3Packages.callPackage ./torchdata {};
+  torchtext = python3Packages.callPackage ./torchtext { inherit torchdata; };
+  win11os-kde = callPackage ./win11os-kde { src = topInputs.win11os-kde; };
+  fluent-kde = callPackage ./fluent-kde { src = topInputs.fluent-kde; };
+  blurred-wallpaper = callPackage ./blurred-wallpaper { src = topInputs.blurred-wallpaper; };
+  slate = callPackage ./slate { src = topInputs.slate; };
+  nvhpc = callPackage ./nvhpc {};
+  lmod = callPackage ./lmod { src = topInputs.lmod; };
+  vasp =
   {
-    source = inputs.pkgs.callPackage ./vasp/source.nix {};
-    gnu = inputs.pkgs.callPackage ./vasp/gnu
+    source = callPackage ./vasp/source.nix {};
+    gnu = callPackage ./vasp/gnu
     {
-      inherit (inputs.pkgs.llvmPackages) openmp;
-      inherit wannier90 additionalCommands;
-      hdf5 = inputs.pkgs.hdf5.override { mpiSupport = true; fortranSupport = true; };
+      inherit (llvmPackages) openmp;
+      wannier90 = callPackage "${topInputs.nixpkgs-unstable}/pkgs/by-name/wa/wannier90/package.nix" {};
+      hdf5 = hdf5.override { mpiSupport = true; fortranSupport = true; };
     };
-    gnu-mkl = inputs.pkgs.callPackage ./vasp/gnu-mkl
+    nvidia = callPackage ./vasp/nvidia
     {
-      inherit (inputs.pkgs.llvmPackages) openmp;
-      inherit wannier90 additionalCommands;
-      hdf5 = inputs.pkgs.hdf5.override { mpiSupport = true; fortranSupport = true; };
+      inherit lmod;
+      nvhpc = nvhpc."24.1";
+      hdf5 = hdf5-nvhpc.override { nvhpc = nvhpc."24.1"; };
+      wannier90 = callPackage "${topInputs.nixpkgs-unstable}/pkgs/by-name/wa/wannier90/package.nix" {};
+    };
+    intel = callPackage ./vasp/intel
+    {
+      inherit lmod;
+      oneapi = oneapi."2022.2";
+      hdf5 = hdf5.override { mpiSupport = true; fortranSupport = true; };
+      inherit (unstablePackages) wannier90;
     };
-    nvidia = inputs.pkgs.callPackage ./vasp/nvidia
-      { inherit lmod nvhpc wannier90 additionalCommands; hdf5 = hdf5-nvhpc; };
-    intel = inputs.pkgs.callPackage ./vasp/intel
-      { inherit lmod oneapi wannier90 additionalCommands; hdf5 = hdf5-oneapi; };
-    amd = inputs.pkgs.callPackage ./vasp/amd
-      { inherit aocc aocl wannier90 additionalCommands; hdf5 = hdf5-aocc; openmpi = openmpi-aocc; gcc = gcc-pie; };
-    wannier90 = inputs.pkgs.callPackage
-      "${inputs.topInputs.nixpkgs-unstable}/pkgs/by-name/wa/wannier90/package.nix" {};
-    hdf5-nvhpc = inputs.pkgs.callPackage ./vasp/hdf5-nvhpc { inherit lmod nvhpc; inherit (inputs.pkgs.hdf5) src; };
-    hdf5-oneapi = inputs.pkgs.callPackage ./vasp/hdf5-oneapi { inherit lmod oneapi; inherit (inputs.pkgs.hdf5) src; };
-    hdf5-aocc = inputs.pkgs.callPackage ./vasp/hdf5-aocc
-      { inherit (inputs.pkgs.hdf5) src; inherit aocc; openmpi = openmpi-aocc; gcc = gcc-pie; };
-    openmpi-aocc = inputs.pkgs.callPackage ./vasp/openmpi-aocc { inherit aocc; gcc = gcc-pie; };
-    gcc-pie = inputs.pkgs.wrapCC (inputs.pkgs.gcc.cc.overrideAttrs (prev:
-      { configureFlags = prev.configureFlags ++ [ "--enable-default-pie" ];}));
-    additionalCommands = let uid = inputs.config.nixos.user.uid.gb; in
-      ''[ "$(${inputs.pkgs.coreutils}/bin/id -u)" -eq ${builtins.toString uid} ] && exit 1'';
   };
-  oneapi = inputs.pkgs.callPackage ./oneapi {};
-  mumax = inputs.pkgs.callPackage ./mumax { src = inputs.topInputs.mumax; };
-  aocc = inputs.pkgs.callPackage ./aocc {};
-  aocl = inputs.pkgs.callPackage ./aocl {};
-
-  fromYaml = content: builtins.fromJSON (builtins.readFile
-    (inputs.pkgs.runCommand "toJSON" {}
-      "${inputs.pkgs.remarshal}/bin/yaml2json ${builtins.toFile "content.yaml" content} $out"));
+  hdf5-nvhpc = callPackage ./hdf5-nvhpc { inherit lmod; inherit (hdf5) src; nvhpc = nvhpc."24.1"; };
+  oneapi = callPackage ./oneapi {};
+  mumax = callPackage ./mumax { src = topInputs.mumax; };
 }

local/pkgs/hdf5-nvhpc/default.nix

@@ -1,7 +1,8 @@
 {
   buildFHSEnv, writeScript, stdenvNoCC,
   src,
-  nvhpc, lmod, cmake, gfortran
+  nvhpc, lmod, cmake, gfortran,
+  config, nvhpcArch ? config.nvhpcArch or "px"
 }:
 let
   buildEnv = buildFHSEnv
@@ -35,6 +36,5 @@ in stdenvNoCC.mkDerivation
     ${buildEnv}/bin/buildEnv ${buildScript}
   '';
   dontInstall = true;
-  dontFixup = true;
-  requiredSystemFeatures = [ "gccarch-exact-${stdenvNoCC.hostPlatform.gcc.arch}" "big-parallel" ];
+  requiredSystemFeatures = [ "nvhpcarch-${nvhpcArch}" ];
 }

local/pkgs/nvhpc/default.nix

@@ -1,5 +1,4 @@
 {
-  version ? "24.1",
   stdenvNoCC, fetchurl, buildFHSEnv,
   gfortran, flock
 }:
@@ -18,7 +17,7 @@ let
     targetPkgs = pkgs: with pkgs; [ coreutils ];
     extraBwrapArgs = [ "--bind" "$out" "$out" ];
   };
-in stdenvNoCC.mkDerivation
+in let buildNvhpc = version: stdenvNoCC.mkDerivation
 {
   pname = "nvhpc";
   inherit version;
@@ -39,5 +38,5 @@ in stdenvNoCC.mkDerivation
     mkdir -p $out
     ${builder}/bin/builder ./install
   '';
-  requiredSystemFeatures = [ "gccarch-exact-${stdenvNoCC.hostPlatform.gcc.arch}" "big-parallel" ];
-}
+};
+in builtins.mapAttrs (version: _: buildNvhpc version) versions

local/pkgs/oneapi/default.nix

@@ -1,5 +1,4 @@
 {
-  version ? "2024.0",
   stdenvNoCC, fetchurl, buildFHSEnv,
   ncurses
 }:
@@ -57,7 +56,7 @@ let
   };
   componentString = components: if components == null then "--components default" else
     " --components " + (builtins.concatStringsSep ":" components);
-in stdenvNoCC.mkDerivation rec
+in let buildOneapi = version: stdenvNoCC.mkDerivation rec
 {
   pname = "oneapi";
   inherit version;
@@ -85,6 +84,5 @@ in stdenvNoCC.mkDerivation rec
     ${builder}/bin/builder $out/share/intel/modulefiles-setup.sh --output-dir=$out/share/intel/modulefiles \
       --ignore-latest
   '';
-  dontFixup = true;
-  requiredSystemFeatures = [ "gccarch-exact-${stdenvNoCC.hostPlatform.gcc.arch}" "big-parallel" ];
-}
+};
+in builtins.mapAttrs (version: _: buildOneapi version) versions

local/pkgs/vasp/amd/default.nix

@@ -1,75 +0,0 @@
-{
-  buildFHSEnv, writeScript, stdenvNoCC, requireFile, substituteAll,
-  aocc, rsync, which, hdf5, wannier90, aocl, openmpi, gcc, zlib, glibc, binutils, libpsm2,
-  additionalCommands ? ""
-}:
-let
-  sources = import ../source.nix { inherit requireFile; };
-  buildEnv = buildFHSEnv
-  {
-    name = "buildEnv";
-    targetPkgs = _: [ zlib aocc aocl openmpi gcc.cc gcc.cc.lib glibc.dev binutils.bintools ];
-  };
-  buildScript = writeScript "build"
-  ''
-    mkdir -p bin
-    make DEPS=1 -j$NIX_BUILD_CORES
-  '';
-  include = version: substituteAll
-  {
-    src = ./makefile.include-${version};
-    gccArch = stdenvNoCC.hostPlatform.gcc.arch;
-  };
-  vasp = version: stdenvNoCC.mkDerivation rec
-  {
-    pname = "vasp-amd";
-    inherit version;
-    src = sources.${version};
-    configurePhase =
-    ''
-      cp ${include version} makefile.include
-      cp ${../constr_cell_relax.F} src/constr_cell_relax.F
-    '';
-    buildInputs = [ wannier90 ];
-    nativeBuildInputs = [ rsync which ];
-    AMDBLIS_ROOT = aocl;
-    AMDLIBFLAME_ROOT = aocl;
-    AMDSCALAPACK_ROOT = aocl;
-    AMDFFTW_ROOT = aocl;
-    HDF5_ROOT = hdf5;
-    WANNIER90_ROOT = wannier90;
-    OMPI_CC = "clang";
-    OMPI_CXX = "clang++";
-    OMPI_FC = "flang";
-    buildPhase = "${buildEnv}/bin/buildEnv ${buildScript}";
-    installPhase =
-    ''
-      mkdir -p $out/bin
-      for i in std gam ncl; do cp bin/vasp_$i $out/bin/vasp-$i; done
-    '';
-    dontFixup = true;
-    requiredSystemFeatures = [ "gccarch-exact-${stdenvNoCC.hostPlatform.gcc.arch}" "big-parallel" ];
-  };
-  startScript = version: writeScript "vasp-nvidia-${version}"
-  ''
-    # if OMP_NUM_THREADS is not set, set it according to SLURM_CPUS_PER_TASK or to 1
-    if [ -z "''${OMP_NUM_THREADS-}" ]; then
-      if [ -n "''${SLURM_CPUS_PER_TASK-}" ]; then
-        OMP_NUM_THREADS=$SLURM_CPUS_PER_TASK
-      else
-        OMP_NUM_THREADS=1
-      fi
-    fi
-    export OMP_NUM_THREADS
-
-    ${additionalCommands}
-
-    exec "$@"
-  '';
-  runEnv = version: buildFHSEnv
-  {
-    name = "vasp-amd-${builtins.replaceStrings ["."] [""] version}-env";
-    targetPkgs = _: [ zlib (vasp version) aocc aocl openmpi gcc.cc.lib hdf5 wannier90 libpsm2 ];
-    runScript = startScript version;
-  };
-in builtins.mapAttrs (version: _: runEnv version) sources

local/pkgs/vasp/amd/makefile.include-6.3.1

@@ -1,91 +0,0 @@
-# Default precompiler options
-CPP_OPTIONS = -DHOST=\"LinuxGNU\" \
-              -DMPI -DMPI_BLOCK=8000 -Duse_collective \
-              -DscaLAPACK \
-              -DCACHE_SIZE=4000 \
-              -Davoidalloc \
-              -Dvasp6 \
-              -Duse_bse_te \
-              -Dtbdyn \
-              -Dfock_dblbuf \
-              -D_OPENMP -Duse_shmem -Dshmem_bcast_buffer -Dshmem_rproj
-
-CPP         = flang -E -C -w $*$(FUFFIX) >$*$(SUFFIX) $(CPP_OPTIONS) -ffree-form
-
-FC          = mpif90 -fopenmp
-FCL         = mpif90 -fopenmp
-
-FREE        = -ffree-form -ffree-line-length-none
-
-FFLAGS      = -w -fno-fortran-main -Mbackslash
-
-OFLAG       = -O2
-OFLAG_IN    = $(OFLAG)
-DEBUG       = -O0
-
-OBJECTS     = fftmpiw.o fftmpi_map.o fftw3d.o fft3dlib.o
-OBJECTS_O1 += fftw3d.o fftmpi.o fftmpiw.o
-OBJECTS_O2 += fft3dlib.o
-
-# For what used to be vasp.5.lib
-CPP_LIB     = $(CPP)
-FC_LIB      = $(FC)
-CC_LIB      = clang
-CFLAGS_LIB  = -O
-FFLAGS_LIB  = -O1
-FREE_LIB    = $(FREE)
-
-OBJECTS_LIB = linpack_double.o getshmem.o
-
-# For the parser library
-CXX_PARS    = clang++
-LLIBS       = -lstdc++
-
-##
-## Customize as of this point! Of course you may change the preceding
-## part of this file as well if you like, but it should rarely be
-## necessary ...
-##
-
-# When compiling on the target machine itself, change this to the
-# relevant target when cross-compiling for another architecture
-VASP_TARGET_CPU ?= -march=@gccArch@
-FFLAGS     += $(VASP_TARGET_CPU)
-
-# BLAS (mandatory)
-AMDBLIS_ROOT ?= /path/to/your/amdblis/installation
-BLAS        = -L${AMDBLIS_ROOT}/lib -lblis-mt
-
-# LAPACK (mandatory)
-AMDLIBFLAME_ROOT ?= /path/to/your/amdlibflame/installation
-LAPACK      = -L${AMDLIBFLAME_ROOT}/lib -lflame
-
-# scaLAPACK (mandatory)
-AMDSCALAPACK_ROOT ?= /path/to/your/amdscalapack/installation
-SCALAPACK   = -L${AMDSCALAPACK_ROOT}/lib -lscalapack
-
-LLIBS      += $(SCALAPACK) $(LAPACK) $(BLAS)
-
-# FFTW (mandatory)
-AMDFFTW_ROOT  ?= /path/to/your/amdfftw/installation
-LLIBS      += -L$(AMDFFTW_ROOT)/lib -lfftw3 -lfftw3_omp
-INCS       += -I$(AMDFFTW_ROOT)/include
-
-# HDF5-support (optional but strongly recommended)
-CPP_OPTIONS+= -DVASP_HDF5
-HDF5_ROOT  ?= /path/to/your/hdf5/installation
-LLIBS      += -L$(HDF5_ROOT)/lib -lhdf5_fortran
-INCS       += -I$(HDF5_ROOT)/include
-
-# For the VASP-2-Wannier90 interface (optional)
-CPP_OPTIONS    += -DVASP2WANNIER90
-WANNIER90_ROOT ?= /path/to/your/wannier90/installation
-LLIBS          += -L$(WANNIER90_ROOT)/lib -lwannier
-
-# For the fftlib library (recommended)
-CPP_OPTIONS+= -Dsysv
-FCL        += fftlib.o
-CXX_FFTLIB  = clang++ -fopenmp -std=c++11 -DFFTLIB_THREADSAFE
-INCS_FFTLIB = -I./include -I$(AMDFFTW_ROOT)/include
-LIBS       += fftlib
-LLIBS      += -ldl

local/pkgs/vasp/amd/makefile.include-6.4.0

@@ -1,91 +0,0 @@
-# Default precompiler options
-CPP_OPTIONS = -DHOST=\"LinuxGNU\" \
-              -DMPI -DMPI_BLOCK=8000 -Duse_collective \
-              -DscaLAPACK \
-              -DCACHE_SIZE=4000 \
-              -Davoidalloc \
-              -Dvasp6 \
-              -Duse_bse_te \
-              -Dtbdyn \
-              -Dfock_dblbuf \
-              -D_OPENMP -Duse_shmem -Dshmem_bcast_buffer -Dshmem_rproj
-
-CPP         = flang -E -ffree-form -C -w $*$(FUFFIX) >$*$(SUFFIX) $(CPP_OPTIONS) -ffree-form
-
-FC          = mpif90 -fopenmp
-FCL         = mpif90 -fopenmp
-
-FREE        = -ffree-form -ffree-line-length-none
-
-FFLAGS      = -w -fno-fortran-main -Mbackslash
-
-OFLAG       = -O2
-OFLAG_IN    = $(OFLAG)
-DEBUG       = -O0
-
-OBJECTS     = fftmpiw.o fftmpi_map.o fftw3d.o fft3dlib.o
-OBJECTS_O1 += fftw3d.o fftmpi.o fftmpiw.o
-OBJECTS_O2 += fft3dlib.o
-
-# For what used to be vasp.5.lib
-CPP_LIB     = $(CPP)
-FC_LIB      = $(FC)
-CC_LIB      = clang
-CFLAGS_LIB  = -O
-FFLAGS_LIB  = -O1
-FREE_LIB    = $(FREE)
-
-OBJECTS_LIB = linpack_double.o getshmem.o
-
-# For the parser library
-CXX_PARS    = clang++
-LLIBS       = -lstdc++
-
-##
-## Customize as of this point! Of course you may change the preceding
-## part of this file as well if you like, but it should rarely be
-## necessary ...
-##
-
-# When compiling on the target machine itself, change this to the
-# relevant target when cross-compiling for another architecture
-VASP_TARGET_CPU ?= -march=@gccArch@
-FFLAGS     += $(VASP_TARGET_CPU)
-
-# BLAS (mandatory)
-AMDBLIS_ROOT ?= /path/to/your/amdblis/installation
-BLAS        = -L${AMDBLIS_ROOT}/lib -lblis-mt
-
-# LAPACK (mandatory)
-AMDLIBFLAME_ROOT ?= /path/to/your/amdlibflame/installation
-LAPACK      = -L${AMDLIBFLAME_ROOT}/lib -lflame
-
-# scaLAPACK (mandatory)
-AMDSCALAPACK_ROOT ?= /path/to/your/amdscalapack/installation
-SCALAPACK   = -L${AMDSCALAPACK_ROOT}/lib -lscalapack
-
-LLIBS      += $(SCALAPACK) $(LAPACK) $(BLAS)
-
-# FFTW (mandatory)
-AMDFFTW_ROOT  ?= /path/to/your/amdfftw/installation
-LLIBS      += -L$(AMDFFTW_ROOT)/lib -lfftw3 -lfftw3_omp
-INCS       += -I$(AMDFFTW_ROOT)/include
-
-# HDF5-support (optional but strongly recommended)
-CPP_OPTIONS+= -DVASP_HDF5
-HDF5_ROOT  ?= /path/to/your/hdf5/installation
-LLIBS      += -L$(HDF5_ROOT)/lib -lhdf5_fortran
-INCS       += -I$(HDF5_ROOT)/include
-
-# For the VASP-2-Wannier90 interface (optional)
-CPP_OPTIONS    += -DVASP2WANNIER90
-WANNIER90_ROOT ?= /path/to/your/wannier90/installation
-LLIBS          += -L$(WANNIER90_ROOT)/lib -lwannier
-
-# For the fftlib library (recommended)
-CPP_OPTIONS+= -Dsysv
-FCL        += fftlib.o
-CXX_FFTLIB  = clang++ -fopenmp -std=c++11 -DFFTLIB_THREADSAFE
-INCS_FFTLIB = -I./include -I$(AMDFFTW_ROOT)/include
-LIBS       += fftlib
-LLIBS      += -ldl

local/pkgs/vasp/gnu-mkl/default.nix

@@ -1,57 +0,0 @@
-{
-  stdenvNoCC, requireFile, writeShellApplication,
-  rsync, mkl, mpi, openmp, gfortran, gcc, fftwMpi, hdf5, wannier90,
-  additionalCommands ? ""
-}:
-let
-  sources = import ../source.nix { inherit requireFile; };
-  include = version: ./makefile.include-${version};
-  vasp = version: stdenvNoCC.mkDerivation rec
-  {
-    pname = "vasp-gnu-mkl";
-    inherit version;
-    src = sources.${version};
-    configurePhase =
-    ''
-      cp ${include version} makefile.include
-      cp ${../constr_cell_relax.F} src/constr_cell_relax.F
-      mkdir -p bin
-    '';
-    enableParallelBuilding = true;
-    makeFlags = "DEPS=1";
-    buildInputs = [ mkl mpi openmp fftwMpi.dev fftwMpi hdf5 hdf5.dev wannier90 ];
-    nativeBuildInputs = [ rsync gfortran gfortran.cc gcc ];
-    FFTW_ROOT = fftwMpi.dev;
-    HDF5_ROOT = hdf5.dev;
-    WANNIER90_ROOT = wannier90;
-    MKLROOT = mkl;
-    installPhase =
-    ''
-      mkdir -p $out/bin
-      for i in std gam ncl; do
-        cp bin/vasp_$i $out/bin/vasp-$i
-      done
-    '';
-  };
-  startScript = version: writeShellApplication
-  {
-    name = "vasp-gnu-${builtins.replaceStrings ["."] [""] version}-env";
-    runtimeInputs = [(vasp version)];
-    text =
-    ''
-      # if OMP_NUM_THREADS is not set, set it according to SLURM_CPUS_PER_TASK or to 1
-      if [ -z "''${OMP_NUM_THREADS-}" ]; then
-        if [ -n "''${SLURM_CPUS_PER_TASK-}" ]; then
-          OMP_NUM_THREADS=$SLURM_CPUS_PER_TASK
-        else
-          OMP_NUM_THREADS=1
-        fi
-      fi
-      export OMP_NUM_THREADS
-
-      ${additionalCommands}
-
-      exec "$@"
-    '';
-  };
-in builtins.mapAttrs (version: _: startScript version) sources

local/pkgs/vasp/gnu-mkl/makefile.include-6.3.1

@@ -1,87 +0,0 @@
-# Default precompiler options
-CPP_OPTIONS = -DHOST=\"LinuxGNU\" \
-              -DMPI -DMPI_BLOCK=8000 -Duse_collective \
-              -DscaLAPACK \
-              -DCACHE_SIZE=4000 \
-              -Davoidalloc \
-              -Dvasp6 \
-              -Duse_bse_te \
-              -Dtbdyn \
-              -Dfock_dblbuf \
-              -D_OPENMP -Duse_shmem -Dshmem_bcast_buffer -Dshmem_rproj
-
-CPP         = gcc -E -C -w $*$(FUFFIX) >$*$(SUFFIX) $(CPP_OPTIONS)
-
-FC          = mpif90 -fopenmp
-FCL         = mpif90 -fopenmp
-
-FREE        = -ffree-form -ffree-line-length-none
-
-FFLAGS      = -w -ffpe-summary=none
-
-OFLAG       = -O2
-OFLAG_IN    = $(OFLAG)
-DEBUG       = -O0
-
-OBJECTS     = fftmpiw.o fftmpi_map.o fftw3d.o fft3dlib.o
-OBJECTS_O1 += fftw3d.o fftmpi.o fftmpiw.o
-OBJECTS_O2 += fft3dlib.o
-
-# For what used to be vasp.5.lib
-CPP_LIB     = $(CPP)
-FC_LIB      = $(FC)
-CC_LIB      = gcc
-CFLAGS_LIB  = -O
-FFLAGS_LIB  = -O1
-FREE_LIB    = $(FREE)
-
-OBJECTS_LIB = linpack_double.o getshmem.o
-
-# For the parser library
-CXX_PARS    = g++
-LLIBS       = -lstdc++
-
-##
-## Customize as of this point! Of course you may change the preceding
-## part of this file as well if you like, but it should rarely be
-## necessary ...
-##
-
-# When compiling on the target machine itself, change this to the
-# relevant target when cross-compiling for another architecture
-# VASP_TARGET_CPU ?= -march=native
-# FFLAGS     += $(VASP_TARGET_CPU)
-
-# For gcc-10 and higher (comment out for older versions)
-FFLAGS     += -fallow-argument-mismatch
-
-# Intel MKL for FFTW, BLAS, LAPACK, and scaLAPACK
-MKLROOT   ?= /path/to/your/mkl/installation
-LLIBS_MKL  = -L$(MKLROOT)/lib/intel64 -Wl,--no-as-needed -lmkl_gf_lp64 -lmkl_gnu_thread -lmkl_core -lmkl_scalapack_lp64 -lmkl_blacs_openmpi_lp64 -lgomp -lpthread -lm -ldl
-INCS       = -I$(MKLROOT)/include/fftw
-
-# Use a separate scaLAPACK installation (optional but recommended in combination with OpenMPI)
-# Comment out the two lines below if you want to use scaLAPACK from MKL instead
-#SCALAPACK_ROOT ?= /path/to/your/scalapack/installation
-#LLIBS_MKL  = -L$(SCALAPACK_ROOT)/lib -lscalapack -L$(MKLROOT)/lib/intel64 -Wl,--no-as-needed -lmkl_gf_lp64 -lmkl_gnu_thread -lmkl_core -lgomp -lpthread -lm -ldl
-
-LLIBS      += $(LLIBS_MKL)
-
-# HDF5-support (optional but strongly recommended)
-CPP_OPTIONS+= -DVASP_HDF5
-HDF5_ROOT  ?= /path/to/your/hdf5/installation
-LLIBS      += -L$(HDF5_ROOT)/lib -lhdf5_fortran
-INCS       += -I$(HDF5_ROOT)/include
-
-# For the VASP-2-Wannier90 interface (optional)
-CPP_OPTIONS    += -DVASP2WANNIER90
-WANNIER90_ROOT ?= /path/to/your/wannier90/installation
-LLIBS          += -L$(WANNIER90_ROOT)/lib -lwannier
-
-# For the fftlib library (hardly any benefit in combination with MKL's FFTs)
-#CPP_OPTIONS+= -Dsysv
-#FCL        += fftlib.o
-#CXX_FFTLIB  = g++ -fopenmp -std=c++11 -DFFTLIB_USE_MKL -DFFTLIB_THREADSAFE
-#INCS_FFTLIB = -I./include -I$(MKLROOT)/include/fftw
-#LIBS       += fftlib
-#LLIBS      += -ldl

local/pkgs/vasp/gnu-mkl/makefile.include-6.4.0

@@ -1,87 +0,0 @@
-# Default precompiler options
-CPP_OPTIONS = -DHOST=\"LinuxGNU\" \
-              -DMPI -DMPI_BLOCK=8000 -Duse_collective \
-              -DscaLAPACK \
-              -DCACHE_SIZE=4000 \
-              -Davoidalloc \
-              -Dvasp6 \
-              -Duse_bse_te \
-              -Dtbdyn \
-              -Dfock_dblbuf \
-              -D_OPENMP -Duse_shmem -Dshmem_bcast_buffer -Dshmem_rproj
-
-CPP         = gcc -E -C -w $*$(FUFFIX) >$*$(SUFFIX) $(CPP_OPTIONS)
-
-FC          = mpif90 -fopenmp
-FCL         = mpif90 -fopenmp
-
-FREE        = -ffree-form -ffree-line-length-none
-
-FFLAGS      = -w -ffpe-summary=none
-
-OFLAG       = -O3
-OFLAG_IN    = $(OFLAG)
-DEBUG       = -O0
-
-OBJECTS     = fftmpiw.o fftmpi_map.o fftw3d.o fft3dlib.o
-OBJECTS_O1 += fftw3d.o fftmpi.o fftmpiw.o
-OBJECTS_O2 += fft3dlib.o
-
-# For what used to be vasp.5.lib
-CPP_LIB     = $(CPP)
-FC_LIB      = $(FC)
-CC_LIB      = gcc
-CFLAGS_LIB  = -O
-FFLAGS_LIB  = -O1
-FREE_LIB    = $(FREE)
-
-OBJECTS_LIB = linpack_double.o getshmem.o
-
-# For the parser library
-CXX_PARS    = g++
-LLIBS       = -lstdc++
-
-##
-## Customize as of this point! Of course you may change the preceding
-## part of this file as well if you like, but it should rarely be
-## necessary ...
-##
-
-# When compiling on the target machine itself, change this to the
-# relevant target when cross-compiling for another architecture
-# VASP_TARGET_CPU ?= -march=native
-# FFLAGS     += $(VASP_TARGET_CPU)
-
-# For gcc-10 and higher (comment out for older versions)
-FFLAGS     += -fallow-argument-mismatch
-
-# Intel MKL for FFTW, BLAS, LAPACK, and scaLAPACK
-MKLROOT   ?= /path/to/your/mkl/installation
-LLIBS_MKL  = -L$(MKLROOT)/lib/intel64 -Wl,--no-as-needed -lmkl_gf_lp64 -lmkl_gnu_thread -lmkl_core -lmkl_scalapack_lp64 -lmkl_blacs_openmpi_lp64 -lgomp -lpthread -lm -ldl
-INCS       = -I$(MKLROOT)/include/fftw
-
-# Use a separate scaLAPACK installation (optional but recommended in combination with OpenMPI)
-# Comment out the two lines below if you want to use scaLAPACK from MKL instead
-#SCALAPACK_ROOT ?= /path/to/your/scalapack/installation
-#LLIBS_MKL  = -L$(SCALAPACK_ROOT)/lib -lscalapack -L$(MKLROOT)/lib/intel64 -Wl,--no-as-needed -lmkl_gf_lp64 -lmkl_gnu_thread -lmkl_core -lgomp -lpthread -lm -ldl
-
-LLIBS      += $(LLIBS_MKL)
-
-# HDF5-support (optional but strongly recommended)
-CPP_OPTIONS+= -DVASP_HDF5
-HDF5_ROOT  ?= /path/to/your/hdf5/installation
-LLIBS      += -L$(HDF5_ROOT)/lib -lhdf5_fortran
-INCS       += -I$(HDF5_ROOT)/include
-
-# For the VASP-2-Wannier90 interface (optional)
-CPP_OPTIONS    += -DVASP2WANNIER90
-WANNIER90_ROOT ?= /path/to/your/wannier90/installation
-LLIBS          += -L$(WANNIER90_ROOT)/lib -lwannier
-
-# For the fftlib library (hardly any benefit in combination with MKL's FFTs)
-#CPP_OPTIONS+= -Dsysv
-#FCL        += fftlib.o
-#CXX_FFTLIB  = g++ -fopenmp -std=c++11 -DFFTLIB_USE_MKL -DFFTLIB_THREADSAFE
-#INCS_FFTLIB = -I./include -I$(MKLROOT)/include/fftw
-#LIBS       += fftlib
-#LLIBS      += -ldl

local/pkgs/vasp/gnu/default.nix

@@ -1,7 +1,6 @@
 {
-  stdenvNoCC, requireFile, writeShellApplication,
-  rsync, blas, scalapack, mpi, openmp, gfortran, gcc, fftwMpi, hdf5, wannier90,
-  additionalCommands ? ""
+  stdenvNoCC, requireFile, writeShellApplication, substituteAll,
+  rsync, blas, scalapack, mpi, openmp, gfortran, gcc, fftwMpi, hdf5, wannier90
 }:
 let
   sources = import ../source.nix { inherit requireFile; };
@@ -34,22 +33,14 @@ let
   };
   startScript = version: writeShellApplication
   {
-    name = "vasp-gnu-${builtins.replaceStrings ["."] [""] version}-env";
-    runtimeInputs = [(vasp version)];
+    name = "vasp-gnu-${version}";
+    runtimeInputs = [ (vasp version) ];
     text =
     ''
-      # if OMP_NUM_THREADS is not set, set it according to SLURM_CPUS_PER_TASK or to 1
-      if [ -z "''${OMP_NUM_THREADS-}" ]; then
-        if [ -n "''${SLURM_CPUS_PER_TASK-}" ]; then
-          OMP_NUM_THREADS=$SLURM_CPUS_PER_TASK
-        else
-          OMP_NUM_THREADS=1
-        fi
+      if [ -n "''${SLURM_CPUS_PER_TASK-}" ] && [ -n "''${SLURM_THREADS_PER_CPU-}" ]; then
+        export OMP_NUM_THREADS=$(( SLURM_CPUS_PER_TASK * SLURM_THREADS_PER_CPU ))
       fi
-      export OMP_NUM_THREADS
-
-      ${additionalCommands}
-
+      export PATH=$PATH:$PWD
       exec "$@"
     '';
   };

local/pkgs/vasp/gnu/makefile.include-6.3.1

@@ -84,9 +84,9 @@ WANNIER90_ROOT ?= /path/to/your/wannier90/installation
 LLIBS          += -L$(WANNIER90_ROOT)/lib -lwannier
 
 # For the fftlib library (recommended)
-CPP_OPTIONS+= -Dsysv
-FCL        += fftlib.o
-CXX_FFTLIB  = g++ -fopenmp -std=c++11 -DFFTLIB_THREADSAFE
-INCS_FFTLIB = -I./include -I$(FFTW_ROOT)/include
-LIBS       += fftlib
-LLIBS      += -ldl
+#CPP_OPTIONS+= -Dsysv
+#FCL        += fftlib.o
+#CXX_FFTLIB  = g++ -fopenmp -std=c++11 -DFFTLIB_THREADSAFE
+#INCS_FFTLIB = -I./include -I$(FFTW_ROOT)/include
+#LIBS       += fftlib
+#LLIBS      += -ldl

local/pkgs/vasp/gnu/makefile.include-6.4.0

@@ -87,6 +87,7 @@ LLIBS          += -L$(WANNIER90_ROOT)/lib -lwannier
 CPP_OPTIONS+= -Dsysv
 FCL        += fftlib.o
 CXX_FFTLIB  = g++ -fopenmp -std=c++11 -DFFTLIB_THREADSAFE
-INCS_FFTLIB = -I./include -I$(FFTW_ROOT)/include
+# INCS_FFTLIB = -I./include -I$(FFTW_ROOT)/include
+INCS_FFTLIB = -I./include
 LIBS       += fftlib
 LLIBS      += -ldl

local/pkgs/vasp/hdf5-aocc/default.nix

@@ -1,46 +0,0 @@
-{
-  buildFHSEnv, writeScript, stdenvNoCC,
-  src,
-  aocc, cmake, openmpi, zlib, gcc, glibc, binutils, pkg-config
-}:
-let
-  buildEnv = buildFHSEnv
-  {
-    name = "buildEnv";
-    targetPkgs = _: [ zlib aocc gcc.cc.lib.lib glibc.dev binutils.bintools openmpi pkg-config ];
-    extraBwrapArgs = [ "--bind" "$out" "$out" ];
-  };
-  buildScript = writeScript "build"
-  ''
-    mkdir build
-    cd build
-    cmake -DCMAKE_INSTALL_PREFIX=$out -DHDF5_INSTALL_CMAKE_DIR=$out/lib/cmake \
-      -DHDF5_BUILD_FORTRAN=ON -DHDF5_ENABLE_PARALLEL=ON ..
-    make -j$NIX_BUILD_CORES
-    make install
-  '';
-in stdenvNoCC.mkDerivation
-{
-  name = "hdf5-aocc";
-  inherit src;
-  dontConfigure = true;
-  enableParallelBuilding = true;
-  nativeBuildInputs = [ cmake ];
-  CC = "clang";
-  CXX = "clang++";
-  FC = "flang";
-  OMPI_CC = "clang";
-  OMPI_CXX = "clang++";
-  OMPI_FC = "flang";
-  CFLAGS = "-march=${stdenvNoCC.hostPlatform.gcc.arch} -O2";
-  CXXFLAGS = "-march=${stdenvNoCC.hostPlatform.gcc.arch} -O2";
-  FCFLAGS = "-march=${stdenvNoCC.hostPlatform.gcc.arch} -O2";
-  buildPhase =
-  ''
-    mkdir -p $out
-    ${buildEnv}/bin/buildEnv ${buildScript}
-  '';
-  dontInstall = true;
-  dontFixup = true;
-  requiredSystemFeatures = [ "gccarch-exact-${stdenvNoCC.hostPlatform.gcc.arch}" "big-parallel" ];
-}

local/pkgs/vasp/hdf5-oneapi/default.nix

@@ -1,48 +0,0 @@
-{
-  buildFHSEnv, writeScript, stdenvNoCC, symlinkJoin,
-  src,
-  oneapi, lmod, cmake, gcc, glibc, binutils,
-  config, oneapiArch ? config.oneapiArch or "SSE3"
-}:
-let
-  gccFull = symlinkJoin { name = "gcc"; paths = [ gcc gcc.cc gcc.cc.lib glibc.dev binutils.bintools ]; };
-  buildEnv = buildFHSEnv
-  {
-    name = "buildEnv";
-    targetPkgs = pkgs: with pkgs; [ zlib (writeTextDir "etc/release" "") gccFull ];
-    extraBwrapArgs = [ "--bind" "$out" "$out" ];
-  };
-  buildScript = writeScript "build"
-  ''
-    . ${lmod}/share/lmod/lmod/init/bash
-    module use ${oneapi}/share/intel/modulefiles
-    module load tbb compiler-rt oclfpga # dependencies
-    module load mpi mkl compiler
-    mkdir build
-    cd build
-    cmake -DCMAKE_INSTALL_PREFIX=$out -DHDF5_INSTALL_CMAKE_DIR=$out/lib/cmake \
-      -DHDF5_BUILD_FORTRAN=ON -DHDF5_ENABLE_PARALLEL=ON -DBUILD_SHARED_LIBS=OFF -DBUILD_STATIC_LIBS=OFF \
-      -DBUILD_TESTING=OFF ..
-    make -j$NIX_BUILD_CORES
-    make install
-  '';
-in stdenvNoCC.mkDerivation
-{
-  name = "hdf5-oneapi";
-  inherit src;
-  dontConfigure = true;
-  enableParallelBuilding = true;
-  nativeBuildInputs = [ cmake ];
-  I_MPI_CC = "icx";
-  I_MPI_CXX = "icpx";
-  I_MPI_FC = "ifx";
-  I_MPI_F90 = "ifx";
-  buildPhase =
-  ''
-    mkdir -p $out
-    ${buildEnv}/bin/buildEnv ${buildScript}
-  '';
-  dontInstall = true;
-  dontFixup = true;
-  requiredSystemFeatures = [ "gccarch-exact-${stdenvNoCC.hostPlatform.gcc.arch}" "big-parallel" ];
-}

local/pkgs/vasp/intel/default.nix

@@ -1,15 +1,15 @@
 {
-  buildFHSEnv, writeScript, stdenvNoCC, requireFile, substituteAll, symlinkJoin, writeTextDir,
-  config, oneapiArch ? config.oneapiArch or "SSE3", additionalCommands ? "",
-  oneapi, gcc, glibc, lmod, rsync, which, wannier90, binutils, hdf5, zlib
+  buildFHSEnv, writeScript, stdenvNoCC, requireFile, substituteAll, symlinkJoin,
+  config, oneapiArch ? config.oneapiArch or "SSE3",
+  oneapi, gfortran, gcc, glibc, lmod, rsync, which, hdf5, wannier90
 }:
 let
-  sources = import ../source.nix { inherit requireFile; };
+  versions = import ../source.nix;
   buildEnv = buildFHSEnv
   {
     name = "buildEnv";
     # make "module load mpi" success
-    targetPkgs = _: [ zlib (writeTextDir "etc/release" "") gccFull ];
+    targetPkgs = pkgs: with pkgs; [ zlib (writeTextDir "etc/release" "") ];
   };
   buildScript = writeScript "build"
   ''
@@ -18,26 +18,34 @@ let
     module load tbb compiler-rt oclfpga # dependencies
     module load mpi mkl compiler
     mkdir -p bin
-    make DEPS=1 -j$NIX_BUILD_CORES
+    make DEPS=1 -j$NIX_BUILD_CORES std
   '';
   include = version: substituteAll
   {
     src = ./makefile.include-${version};
     inherit oneapiArch;
+    gcc = symlinkJoin { name = "gcc"; paths = [ gfortran gfortran.cc gcc ]; };
   };
-  gccFull = symlinkJoin { name = "gcc"; paths = [ gcc gcc.cc gcc.cc.lib glibc.dev binutils.bintools ]; };
   vasp = version: stdenvNoCC.mkDerivation rec
   {
-    pname = "vasp-intel";
+    pname = "vasp";
     inherit version;
-    src = sources.${version};
+    src = requireFile
+    {
+      name = "${pname}-${version}";
+      sha256 = versions.${version};
+      hashMode = "recursive";
+      message = "Source file not found.";
+    };
     configurePhase =
     ''
       cp ${include version} makefile.include
       cp ${../constr_cell_relax.F} src/constr_cell_relax.F
     '';
-    nativeBuildInputs = [ rsync which ];
-    HDF5_ROOT = hdf5;
+    enableParallelBuilding = false;
+    buildInputs = [ hdf5 hdf5.dev wannier90 glibc glibc.dev ];
+    nativeBuildInputs = [ gfortran gfortran.cc gcc rsync which ];
+    HDF5_ROOT = hdf5.dev;
     WANNIER90_ROOT = wannier90;
     buildPhase = "${buildEnv}/bin/buildEnv ${buildScript}";
     installPhase =
@@ -45,64 +53,19 @@ let
       mkdir -p $out/bin
       for i in std gam ncl; do cp bin/vasp_$i $out/bin/vasp-$i; done
     '';
-    dontFixup = true;
-    requiredSystemFeatures = [ "gccarch-exact-${stdenvNoCC.hostPlatform.gcc.arch}" "big-parallel" ];
   };
-  startScript = { version, variant }: writeScript "vasp-intel-${version}"
+  startScript = version: writeScript "vasp-intel-${version}"
   ''
     . ${lmod}/share/lmod/lmod/init/bash
     module use ${oneapi}/share/intel/modulefiles
     module load tbb compiler-rt oclfpga # dependencies
     module load mpi mkl compiler
-
-    # if OMP_NUM_THREADS is not set, set it according to SLURM_CPUS_PER_TASK or to 1
-    if [ -z "''${OMP_NUM_THREADS-}" ]; then
-      if [ -n "''${SLURM_CPUS_PER_TASK-}" ]; then
-        OMP_NUM_THREADS=$SLURM_CPUS_PER_TASK
-      else
-        OMP_NUM_THREADS=1
-      fi
-    fi
-    export OMP_NUM_THREADS
-
-    # if I_MPI_PIN_PROCESSOR_LIST is not set, set it to allcores
-    if [ -z "''${I_MPI_PIN_PROCESSOR_LIST-}" ]; then
-      I_MPI_PIN_PROCESSOR_LIST=allcores
-    fi
-    export I_MPI_PIN_PROCESSOR_LIST
-
-    # set I_MPI_PIN I_MPI_PIN_DOMAIN I_MPI_DEBUG if not set
-    export I_MPI_PIN=''${I_MPI_PIN-yes}
-    export I_MPI_PIN_DOMAIN=''${I_MPI_PIN_DOMAIN-omp}
-    export I_MPI_DEBUG=''${I_MPI_DEBUG-4}
-
-    # fork to bootstrap, do not use srun, causing it could not find proper ld
-    export I_MPI_HYDRA_BOOTSTRAP=''${I_MPI_HYDRA_BOOTSTRAP-fork}
-
-    ${additionalCommands}
-
-    ${
-      if variant == "env" then ''exec "$@"''
-      else
-      ''
-        if [ -n "''${SLURM_JOB_ID-}" ]; then
-          exec mpirun -n $SLURM_NTASKS ${vasp version}/bin/vasp-${variant}
-        else
-          exec mpirun -n 1 ${vasp version}/bin/vasp-${variant}
-        fi
-      ''
-    }
+    exec "$@"
   '';
-  runEnv = { version, variant }: let shortVersion = builtins.replaceStrings ["."] [""] version; in buildFHSEnv
-  {
-    name = "vasp-intel-${shortVersion}${if variant == "" then "" else "-${variant}"}";
-    targetPkgs = _: [ zlib (vasp version) (writeTextDir "etc/release" "") gccFull ];
-    runScript = startScript { inherit version; variant = if variant == "" then "std" else variant; };
-  };
-in builtins.mapAttrs
-  (version: _: symlinkJoin
+  runEnv = version: buildFHSEnv
   {
     name = "vasp-intel-${version}";
-    paths = builtins.map (variant: runEnv { inherit version variant; }) [ "" "env" "std" "gam" "ncl" ];
-  })
-  sources
+    targetPkgs = pkgs: with pkgs; [ zlib (vasp version) (writeTextDir "etc/release" "") ];
+    runScript = startScript version;
+  };
+in builtins.mapAttrs (version: _: runEnv version) versions

local/pkgs/vasp/intel/makefile.include-6.3.1

@@ -12,8 +12,8 @@ CPP_OPTIONS = -DHOST=\"LinuxIFC\" \
 
 CPP         = fpp -f_com=no -free -w0  $*$(FUFFIX) $*$(SUFFIX) $(CPP_OPTIONS)
 
-FC          = mpiifx -qopenmp
-FCL         = mpiifx
+FC          = I_MPI_FC=ifort mpif90 -qopenmp
+FCL         = I_MPI_FC=ifort mpif90
 
 FREE        = -free -names lowercase
 
@@ -30,7 +30,7 @@ OBJECTS_O2 += fft3dlib.o
 # For what used to be vasp.5.lib
 CPP_LIB     = $(CPP)
 FC_LIB      = $(FC)
-CC_LIB      = icx
+CC_LIB      = icc
 CFLAGS_LIB  = -O
 FFLAGS_LIB  = -O1
 FREE_LIB    = $(FREE)
@@ -38,7 +38,7 @@ FREE_LIB    = $(FREE)
 OBJECTS_LIB = linpack_double.o getshmem.o
 
 # For the parser library
-CXX_PARS    = icpx
+CXX_PARS    = icpc
 LLIBS       = -lstdc++
 
 ##
@@ -56,13 +56,12 @@ FFLAGS     += $(VASP_TARGET_CPU)
 # (Note: for Intel Parallel Studio's MKL use -mkl instead of -qmkl)
 FCL        += -qmkl
 MKLROOT    ?= /path/to/your/mkl/installation
-LLIBS      += -L$(MKLROOT)/lib/intel64 -lmkl_scalapack_lp64 -lmkl_blacs_intelmpi_lp64
 INCS        =-I$(MKLROOT)/include/fftw
 
 # Use a separate scaLAPACK installation (optional but recommended in combination with OpenMPI)
 # Comment out the two lines below if you want to use scaLAPACK from MKL instead
-# SCALAPACK_ROOT ?= /path/to/your/scalapack/installation
-# LLIBS      += -L${SCALAPACK_ROOT}/lib -lscalapack
+#SCALAPACK_ROOT ?= /path/to/your/scalapack/installation
+#LLIBS      += -L${SCALAPACK_ROOT}/lib -lscalapack
 
 # HDF5-support (optional but strongly recommended)
 CPP_OPTIONS+= -DVASP_HDF5

local/pkgs/vasp/intel/makefile.include-6.4.0

@@ -12,8 +12,8 @@ CPP_OPTIONS = -DHOST=\"LinuxIFC\" \
 
 CPP         = fpp -f_com=no -free -w0  $*$(FUFFIX) $*$(SUFFIX) $(CPP_OPTIONS)
 
-FC          = mpiifx -qopenmp
-FCL         = mpiifx
+FC          = I_MPI_F90=ifort mpif90 -qopenmp
+FCL         = I_MPI_F90=ifort mpif90
 
 FREE        = -free -names lowercase
 
@@ -30,7 +30,7 @@ OBJECTS_O2 += fft3dlib.o
 # For what used to be vasp.5.lib
 CPP_LIB     = $(CPP)
 FC_LIB      = $(FC)
-CC_LIB      = icx
+CC_LIB      = icc
 CFLAGS_LIB  = -O
 FFLAGS_LIB  = -O1
 FREE_LIB    = $(FREE)
@@ -38,7 +38,7 @@ FREE_LIB    = $(FREE)
 OBJECTS_LIB = linpack_double.o getshmem.o
 
 # For the parser library
-CXX_PARS    = icpx
+CXX_PARS    = icpc
 LLIBS       = -lstdc++
 
 ##
@@ -56,13 +56,12 @@ FFLAGS     += $(VASP_TARGET_CPU)
 # (Note: for Intel Parallel Studio's MKL use -mkl instead of -qmkl)
 FCL        += -qmkl
 MKLROOT    ?= /path/to/your/mkl/installation
-LLIBS      += -L$(MKLROOT)/lib/intel64 -lmkl_scalapack_lp64 -lmkl_blacs_intelmpi_lp64
 INCS        =-I$(MKLROOT)/include/fftw
 
 # Use a separate scaLAPACK installation (optional but recommended in combination with OpenMPI)
 # Comment out the two lines below if you want to use scaLAPACK from MKL instead
-# SCALAPACK_ROOT ?= /path/to/your/scalapack/installation
-# LLIBS      += -L${SCALAPACK_ROOT}/lib -lscalapack
+#SCALAPACK_ROOT ?= /path/to/your/scalapack/installation
+#LLIBS      += -L${SCALAPACK_ROOT}/lib -lscalapack
 
 # HDF5-support (optional but strongly recommended)
 CPP_OPTIONS+= -DVASP_HDF5

local/pkgs/vasp/nvidia/default.nix

@@ -1,14 +1,14 @@
 {
-  buildFHSEnv, writeScript, stdenvNoCC, requireFile, substituteAll, symlinkJoin,
-  config, cudaCapabilities ? config.cudaCapabilities, nvhpcArch ? config.nvhpcArch or "px", additionalCommands ? "",
-  nvhpc, lmod, mkl, gfortran, rsync, which, hdf5, wannier90, zlib
+  buildFHSEnv, writeScript, stdenvNoCC, requireFile, substituteAll,
+  config, cudaCapabilities ? config.cudaCapabilities, nvhpcArch ? config.nvhpcArch or "px",
+  nvhpc, lmod, mkl, gfortran, rsync, which, hdf5, wannier90
 }:
 let
   sources = import ../source.nix { inherit requireFile; };
   buildEnv = buildFHSEnv
   {
     name = "buildEnv";
-    targetPkgs = _: [ zlib ];
+    targetPkgs = pkgs: with pkgs; [ zlib ];
   };
   buildScript = writeScript "build"
   ''
@@ -39,8 +39,8 @@ let
     enableParallelBuilding = true;
     buildInputs = [ mkl hdf5 wannier90 ];
     nativeBuildInputs = [ gfortran rsync which ];
-    MKLROOT = mkl;
-    HDF5_ROOT = hdf5;
+    MKLROOT = "${mkl}";
+    HDF5_ROOT = "${hdf5}";
     WANNIER90_ROOT = wannier90;
     buildPhase = "${buildEnv}/bin/buildEnv ${buildScript}";
     installPhase =
@@ -48,49 +48,24 @@ let
       mkdir -p $out/bin
       for i in std gam ncl; do cp bin/vasp_$i $out/bin/vasp-$i; done
     '';
-    dontFixup = true;
-    requiredSystemFeatures = [ "gccarch-exact-${stdenvNoCC.hostPlatform.gcc.arch}" "big-parallel" ];
+    requiredSystemFeatures = [ "nvhpcarch-${nvhpcArch}" ];
   };
-  startScript = { version, variant }: writeScript "vasp-nvidia-${version}"
+  startScript = version: writeScript "vasp-nvidia-${version}"
   ''
     . ${lmod}/share/lmod/lmod/init/bash
     module use ${nvhpc}/share/nvhpc/modulefiles
     module load nvhpc
 
-    # if OMP_NUM_THREADS is not set, set it according to SLURM_CPUS_PER_TASK or to 1
-    if [ -z "''${OMP_NUM_THREADS-}" ]; then
-      if [ -n "''${SLURM_CPUS_PER_TASK-}" ]; then
-        OMP_NUM_THREADS=$SLURM_CPUS_PER_TASK
-      else
-        OMP_NUM_THREADS=1
-      fi
+    # if SLURM_CPUS_PER_TASK and SLURM_THREADS_PER_CPU are set, use them to set OMP_NUM_THREADS
+    if [ -n "''${SLURM_CPUS_PER_TASK-}" ] && [ -n "''${SLURM_THREADS_PER_CPU-}" ]; then
+      export OMP_NUM_THREADS=$(( SLURM_CPUS_PER_TASK * SLURM_THREADS_PER_CPU ))
     fi
-    export OMP_NUM_THREADS
-
-    ${additionalCommands}
-
-    ${
-      if variant == "env" then ''exec "$@"''
-      else
-      ''
-        if [ -n "''${SLURM_JOB_ID-}" ]; then
-          exec mpirun --bind-to none ${vasp version}/bin/vasp-${variant}
-        else
-          exec mpirun -np 1 ${vasp version}/bin/vasp-${variant}
-        fi
-      ''
-    }
+    exec "$@"
   '';
-  runEnv = { version, variant }: let shortVersion = builtins.replaceStrings ["."] [""] version; in buildFHSEnv
-  {
-    name = "vasp-nvidia-${shortVersion}${if variant == "" then "" else "-${variant}"}";
-    targetPkgs = _: [ zlib (vasp version) ];
-    runScript = startScript { inherit version; variant = if variant == "" then "std" else variant; };
-  };
-in builtins.mapAttrs
-  (version: _: symlinkJoin
+  runEnv = version: buildFHSEnv
   {
     name = "vasp-nvidia-${version}";
-    paths = builtins.map (variant: runEnv { inherit version variant; }) [ "" "env" "std" "gam" "ncl" ];
-  })
-  sources
+    targetPkgs = pkgs: with pkgs; [ zlib (vasp version) ];
+    runScript = startScript version;
+  };
+in builtins.mapAttrs (version: _: runEnv version) sources

local/pkgs/vasp/openmpi-aocc/default.nix

@@ -1,45 +0,0 @@
-{
-  lib, buildFHSEnv, writeScript, stdenvNoCC,
-  openmpi, 
-  aocc, cmake, libnl, pmix, libpsm2, libfabric, zlib, numactl, ucx, ucc, libevent, hwloc, rdma-core, perl, glibc, binutils, gcc
-}:
-let
-  buildEnv = buildFHSEnv
-  {
-    name = "buildEnv";
-    targetPkgs = _: [ zlib aocc gcc.cc.lib.lib glibc.dev binutils.bintools libnl numactl ucx ucc libevent hwloc rdma-core libpsm2 libfabric perl ];
-    extraBwrapArgs = [ "--bind" "$out" "$out" ];
-  };
-  buildScript = writeScript "build"
-  ''
-    ./configure --prefix=$out --disable-mca-dso
-    make -j$NIX_BUILD_CORES
-    make install
-  '';
-in stdenvNoCC.mkDerivation
-{
-  name = "openmpi-aocc";
-  inherit (openmpi) src postPatch;
-  dontConfigure = true;
-  CC = "clang";
-  CXX = "clang++";
-  FC = "flang";
-  OMPI_CC = "clang";
-  OMPI_CXX = "clang++";
-  OMPI_FC = "flang";
-  CFLAGS = "-march=${stdenvNoCC.hostPlatform.gcc.arch} -O2";
-  CXXFLAGS = "-march=${stdenvNoCC.hostPlatform.gcc.arch} -O2";
-  FCFLAGS = "-march=${stdenvNoCC.hostPlatform.gcc.arch} -O2";
-  enableParallelBuilding = true;
-  buildPhase =
-  ''
-    runHook preBuild
-    mkdir -p $out
-    ${buildEnv}/bin/buildEnv ${buildScript}
-    runHook postBuild
-  '';
-  postBuild = with openmpi; postInstall + postFixup;
-  dontInstall = true;
-  dontFixup = true;
-  requiredSystemFeatures = [ "gccarch-exact-${stdenvNoCC.hostPlatform.gcc.arch}" "big-parallel" ];
-}

modules/default.nix

@@ -13,8 +13,6 @@ inputs:
       topInputs.nur.nixosModules.nur
       topInputs.nur-xddxdd.nixosModules.setupOverlay
       topInputs.impermanence.nixosModules.impermanence
-      topInputs.nix-flatpak.nixosModules.nix-flatpak
-      topInputs.chaotic.nixosModules.default
       (inputs:
       {
         config =
@@ -33,8 +31,10 @@ inputs:
               nur-linyinfeng = (topInputs.nur-linyinfeng.overlays.default final prev).linyinfeng;
               deploy-rs =
                 { inherit (prev) deploy-rs; inherit ((topInputs.deploy-rs.overlay final prev).deploy-rs) lib; };
+              # needed by mirism
+              "nghttp2-23.05" =
+                inputs.pkgs.callPackage "${inputs.topInputs."nixpkgs-23.05"}/pkgs/development/libraries/nghttp2" {};
               firefox-addons = (import "${topInputs.rycee}" { inherit (prev) pkgs; }).firefox-addons;
-              inherit (import topInputs.gricad { pkgs = final; }) intel-oneapi intel-oneapi-2022;
             })
           ];
           home-manager.sharedModules =
@@ -44,6 +44,6 @@ inputs:
           ];
         };
       })
-      ./hardware ./packages ./system ./virtualization ./services ./bugs ./user
+      ./hardware ./packages ./system ./virtualization ./services ./bugs ./users
     ];
   }

modules/hardware/default.nix

@@ -1,6 +1,6 @@
 inputs:
 {
-  imports = inputs.localLib.mkModules (inputs.localLib.findModules ./.);
+  imports = inputs.localLib.mkModules [ ./gpu.nix ./legion.nix ];
   options.nixos.hardware = let inherit (inputs.lib) mkOption types; in
   {
     bluetooth.enable = mkOption { type = types.bool; default = false; };

modules/packages/default.nix

@@ -1,6 +1,12 @@
 inputs:
 {
-  imports = inputs.localLib.mkModules (inputs.localLib.findModules ./.);
+  imports = inputs.localLib.mkModules
+  [
+    ./server
+    ./desktop
+    ./desktop-fat
+    ./workstation
+  ];
   options.nixos.packages =
     let
       inherit (inputs.lib) mkOption types;

modules/packages/desktop-fat/default.nix

@@ -1,6 +1,6 @@
 inputs:
 {
-  imports = inputs.localLib.mkModules (inputs.localLib.findModules ./.);
+  imports = inputs.localLib.mkModules [ ./steam.nix ];
   config =
     let
       inherit (inputs.lib) mkIf;

modules/packages/desktop/chromium.nix

@@ -6,7 +6,7 @@ inputs:
     in mkIf (builtins.elem "desktop" inputs.config.nixos.packages._packageSets)
     {
       programs.chromium = { enable = true; extraOpts.PasswordManagerEnabled = false; };
-      nixos.user.sharedModules =
+      nixos.users.sharedModules =
       [{
         config.programs.chromium =
         {

modules/packages/desktop/default.nix

@@ -1,6 +1,6 @@
 inputs:
 {
-  imports = inputs.localLib.mkModules (inputs.localLib.findModules ./.);
+  imports = inputs.localLib.mkModules [ ./vscode.nix ./firefox.nix ./chromium.nix ./plasma ];
   config =
     let
       inherit (inputs.lib) mkIf;
@@ -32,8 +32,6 @@ inputs:
           # themes
           tela-circle-icon-theme localPackages.win11os-kde localPackages.fluent-kde localPackages.blurred-wallpaper
           localPackages.slate utterly-nord-plasma
-          # terminal
-          unstablePackages.warp-terminal
         ];
       };
       programs =

modules/packages/desktop/firefox.nix

@@ -2,7 +2,7 @@ inputs:
 {
   config = inputs.lib.mkIf (builtins.elem "desktop" inputs.config.nixos.packages._packageSets)
   {
-    nixos.user.sharedModules = [{ config =
+    nixos.users.sharedModules = [{ config =
     {
       programs.firefox =
       {

modules/packages/desktop/plasma/default.nix

@@ -1,7 +1,7 @@
 inputs:
 {
-  imports = inputs.localLib.mkModules (inputs.localLib.findModules ./.);
-  config.nixos.user.sharedModules = inputs.lib.mkIf inputs.config.nixos.system.gui.enable
+  imports = inputs.localLib.mkModules [ ./konsole.nix ];
+  config.nixos.users.sharedModules = inputs.lib.mkIf inputs.config.nixos.system.gui.enable
   [{
     config.programs.plasma = inputs.lib.mkMerge
     [

modules/packages/desktop/plasma/konsole.nix

@@ -2,7 +2,7 @@ inputs:
 {
   config = inputs.lib.mkIf inputs.config.nixos.system.gui.enable
   {
-    nixos.user.sharedModules =
+    nixos.users.sharedModules =
     [(hmInputs: {
       config =
       {
@@ -79,6 +79,6 @@ inputs:
       in inputs.lib.mkIf impermanence.enable (inputs.lib.mkMerge (builtins.map
         (user:
           { "${impermanence.root}".users.${user}.directories = [ ".local/share/konsole" ".local/share/yakuake" ]; })
-        inputs.config.nixos.user.users));
+        inputs.config.nixos.users.users));
   };
 }

modules/packages/desktop/vscode.nix

@@ -47,8 +47,6 @@ inputs:
                 # vasp
                 mystery.vasp-support
                 yutengjing.open-in-external-app
-                # ChatGPT-like plugin
-                codeium.codeium
               ];
           }
         )];

modules/packages/flatpak.nix

@@ -1,11 +0,0 @@
-inputs:
-{
-  config = inputs.lib.mkIf (builtins.elem "desktop" inputs.config.nixos.packages._packageSets)
-  {
-    services.flatpak =
-    {
-      enable = true;
-      uninstallUnmanagedPackages = true;
-    };
-  };
-}

modules/packages/server/default.nix

@@ -1,6 +1,11 @@
 inputs:
 {
-  imports = inputs.localLib.mkModules (inputs.localLib.findModules ./.);
+  imports = inputs.localLib.mkModules
+  [
+    ./ssh
+    ./zsh
+    ./gpg.nix
+  ];
   config =
     let
       inherit (inputs.lib) mkIf;
@@ -44,16 +49,15 @@ inputs:
             # office
             todo-txt-cli pdfgrep
             # development
-            gdb try inputs.topInputs.plasma-manager.packages.x86_64-linux.rc2nix hexo-cli gh
-          ]
-          ++ (with inputs.config.boot.kernelPackages; [ cpupower usbip ]);
+            gdb try inputs.topInputs.plasma-manager.packages.x86_64-linux.rc2nix hexo-cli
+          ] ++ (with inputs.config.boot.kernelPackages; [ cpupower usbip ]);
           _pythonPackages = [(pythonPackages: with pythonPackages;
           [
             openai python-telegram-bot fastapi pypdf2 pandas matplotlib plotly gunicorn redis jinja2
             certifi charset-normalizer idna orjson psycopg2 inquirerpy requests tqdm pydbus
           ])];
         };
-        user.sharedModules = [(home-inputs:
+        users.sharedModules = [(home-inputs:
         {
           config.programs =
           {

modules/packages/server/ssh/default.nix

@@ -119,7 +119,7 @@ inputs:
         extraConfig = "AddKeysToAgent yes";
       };
       environment.sessionVariables.SSH_ASKPASS_REQUIRE = "prefer";
-      nixos.user.sharedModules =
+      nixos.users.sharedModules =
       [(hmInputs: {
         config.programs.ssh =
         {

modules/packages/server/zsh/default.nix

@@ -5,7 +5,7 @@ inputs:
       inherit (inputs.lib) mkIf;
     in mkIf (builtins.elem "server" inputs.config.nixos.packages._packageSets)
     {
-      nixos.user.sharedModules = [(home-inputs: { config.programs =
+      nixos.users.sharedModules = [(home-inputs: { config.programs =
       {
         zsh =
         {

modules/packages/vasp.nix

@@ -1,9 +0,0 @@
-inputs:
-{
-  config = inputs.lib.mkIf (builtins.elem "workstation" inputs.config.nixos.packages._packageSets)
-  {
-    nixos.packages._packages = builtins.concatLists (builtins.map
-      (compiler: builtins.map (version: inputs.pkgs.localPackages.vasp.${compiler}.${version}) [ "6.3.1" "6.4.0" ])
-      [ "amd" "gnu" "gnu-mkl" "intel" "nvidia" ]);
-  };
-}

modules/packages/workstation/default.nix

@@ -28,7 +28,7 @@ inputs:
             # text editor
             appflowy notion-app-enhanced joplin-desktop standardnotes logseq
             # math, physics and chemistry
-            mathematica paraview jmol mpi quantum-espresso # localPackages.mumax
+            mathematica paraview jmol mpi localPackages.mumax quantum-espresso
             # encryption and password management
             john crunch hashcat
             # container and vm
@@ -37,13 +37,16 @@ inputs:
             microsoft-edge tor-browser
             # news
             rssguard newsflash newsboat
-          ];
+          ]
+          ++ (builtins.concatLists (builtins.map
+            (compiler: builtins.map (version: localPackages.vasp.${compiler}.${version}) [ "6.3.1" "6.4.0" ])
+            [ "gnu" "nvidia" ]));
           _pythonPackages = [(pythonPackages: with pythonPackages;
           [
             phonopy tensorflow keras scipy scikit-learn jupyterlab autograd # localPackages.pix2tex
           ])];
         };
-        user.sharedModules =
+        users.sharedModules =
         [{
           config.programs =
           {
@@ -61,6 +64,7 @@ inputs:
       {
         anime-game-launcher = { enable = true; package = inputs.pkgs.anime-game-launcher; };
         honkers-railway-launcher = { enable = true; package = inputs.pkgs.honkers-railway-launcher; };
+        nix-ld.enable = true;
       };
     };
 }

modules/services/acme.nix

@@ -1,43 +1,46 @@
 inputs:
 {
-  options.nixos.services.acme = let inherit (inputs.lib) mkOption types; in mkOption
+  options.nixos.services.acme = let inherit (inputs.lib) mkOption types; in
   {
-    type = types.nullOr (types.submodule { options =
+    enable = mkOption { type = types.bool; default = false; };
+    cert = mkOption
     {
-      cert = mkOption
+      type = types.attrsOf (types.submodule (submoduleInputs: { options =
       {
-        type = types.attrsOf (types.submodule (submoduleInputs: { options =
-        {
-          domains = mkOption
-            { type = types.nonEmptyListOf types.nonEmptyStr; default = [ submoduleInputs.config._module.args.name ]; };
-          group = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
-        };}));
-        default = {};
-      };
-    };});
-    default = null;
-  };
-  config = let inherit (inputs.config.nixos.services) acme; in inputs.lib.mkIf (acme != null)
-  {
-    security.acme =
-    {
-      acceptTerms = true;
-      defaults.email = "chn@chn.moe";
-      certs = builtins.listToAttrs (builtins.map
-        (cert:
-        {
-          name = builtins.elemAt cert.value.domains 0;
-          value =
-          {
-            dnsResolver = "8.8.8.8";
-            dnsProvider = "cloudflare";
-            credentialsFile = inputs.config.sops.secrets."acme/cloudflare.ini".path;
-            extraDomainNames = builtins.tail cert.value.domains;
-            group = inputs.lib.mkIf (cert.value.group != null) cert.value.group;
-          };
-        })
-        (inputs.localLib.attrsToList acme.cert));
+        domains = mkOption
+          { type = types.nonEmptyListOf types.nonEmptyStr; default = [ submoduleInputs.config._module.args.name ]; };
+        group = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
+      };}));
+      default = {};
     };
-    sops.secrets."acme/cloudflare.ini" = {};
   };
+  config =
+    let
+      inherit (inputs.lib) mkIf;
+      inherit (inputs.config.nixos.services) acme;
+      inherit (builtins) map listToAttrs;
+      inherit (inputs.localLib) attrsToList;
+    in mkIf acme.enable
+    {
+      security.acme =
+      {
+        acceptTerms = true;
+        defaults.email = "chn@chn.moe";
+        certs = listToAttrs (map
+          (cert:
+          {
+            name = builtins.elemAt cert.value.domains 0;
+            value =
+            {
+              dnsResolver = "8.8.8.8";
+              dnsProvider = "cloudflare";
+              credentialsFile = inputs.config.sops.secrets."acme/cloudflare.ini".path;
+              extraDomainNames = builtins.tail cert.value.domains;
+              group = mkIf (cert.value.group != null) cert.value.group;
+            };
+          })
+          (attrsToList acme.cert));
+      };
+      sops.secrets."acme/cloudflare.ini" = {};
+    };
 }

modules/services/beesd.nix

@@ -1,55 +1,53 @@
 inputs:
 {
-  options.nixos.services.beesd = let inherit (inputs.lib) mkOption types; in mkOption
+  options.nixos.services.beesd = let inherit (inputs.lib) mkOption types; in
   {
-    type = types.nullOr (types.submodule { options =
+    enable = mkOption { type = types.bool; default = false; };
+    instances = mkOption
     {
-      instances = mkOption
-      {
-        type = types.attrsOf (types.oneOf
-        [
-          types.nonEmptyStr
-          (types.submodule
-          {
-            options =
-            {
-              device = mkOption { type = types.nonEmptyStr; };
-              hashTableSizeMB = mkOption { type = types.ints.unsigned; default = 1024; };
-              threads = mkOption { type = types.ints.unsigned; default = 1; };
-            };})
-        ]);
-        default = {};
-      };
-    };});
-    default = null;
-  };
-  config = let inherit (inputs.config.nixos.services) beesd; in inputs.lib.mkIf (beesd != null)
-  {
-    services.beesd.filesystems = builtins.listToAttrs (map
-      (instance:
-      {
-        inherit (instance) name;
-        value =
+      type = types.attrsOf (types.oneOf
+      [
+        types.nonEmptyStr
+        (types.submodule
         {
-          spec = instance.value.device or instance.value;
-          hashTableSizeMB = instance.value.hashTableSizeMB or 1024;
-          extraOptions =
-          [
-            "--workaround-btrfs-send"
-            "--thread-count" "${builtins.toString instance.value.threads or 1}"
-            "--scan-mode" "3"
-          ];
-        };
-      })
-      (inputs.localLib.attrsToList beesd.instances));
-    systemd.slices.system-beesd.sliceConfig =
-    {
-      CPUSchedulingPolicy = "idle";
-      IOSchedulingClass = "idle";
-      IOSchedulingPriority = 4;
-      IOAccounting = true;
-      IOWeight = 1;
-      Nice = 19;
+          options =
+          {
+            device = mkOption { type = types.nonEmptyStr; };
+            hashTableSizeMB = mkOption { type = types.ints.unsigned; default = 1024; };
+            threads = mkOption { type = types.ints.unsigned; default = 1; };
+          };})
+      ]);
+      default = {};
     };
   };
+  config =
+    let
+      inherit (inputs.config.nixos.services) beesd;
+      inherit (inputs.lib) mkIf;
+      inherit (builtins) map listToAttrs;
+      inherit (inputs.localLib) attrsToList;
+    in mkIf beesd.enable
+      {
+        services.beesd.filesystems = listToAttrs (map
+          (instance:
+          {
+            inherit (instance) name;
+            value =
+            {
+              spec = instance.value.device or instance.value;
+              hashTableSizeMB = instance.value.hashTableSizeMB or 1024;
+              extraOptions = [ "--thread-count" "${toString instance.value.threads or 1}" "--scan-mode" "3" ];
+            };
+          })
+          (attrsToList beesd.instances));
+        systemd.slices.system-beesd.sliceConfig =
+        {
+          CPUSchedulingPolicy = "idle";
+          IOSchedulingClass = "idle";
+          IOSchedulingPriority = 4;
+          IOAccounting = true;
+          IOWeight = 1;
+          Nice = 19;
+        };
+      };
 }

modules/services/coturn.nix

@@ -1,32 +1,37 @@
 inputs:
 {
-  options.nixos.services.coturn = let inherit (inputs.lib) mkOption types; in mkOption
+  options.nixos.services.coturn = let inherit (inputs.lib) mkOption types; in
   {
-    type = types.nullOr (types.submodule { options =
-    {
-      hostname = mkOption { type = types.str; default = "coturn.chn.moe"; };
-    };});
-    default = null;
-  };
-  config = let inherit (inputs.config.nixos.services) coturn; in inputs.lib.mkIf (coturn != null)
-  {
-    services.coturn = let keydir = inputs.config.security.acme.certs.${coturn.hostname}.directory; in
-    {
-      enable = true;
-      use-auth-secret = true;
-      static-auth-secret-file = inputs.config.sops.secrets."coturn/auth-secret".path;
-      realm = coturn.hostname;
-      cert = "${keydir}/full.pem";
-      pkey = "${keydir}/key.pem";
-      no-cli = true;
-    };
-    sops.secrets."coturn/auth-secret".owner = inputs.config.systemd.services.coturn.serviceConfig.User;
-    nixos.services.acme.cert.${coturn.hostname}.group = inputs.config.systemd.services.coturn.serviceConfig.Group;
-    networking.firewall = with inputs.config.services.coturn;
-    {
-      allowedUDPPorts = [ listening-port tls-listening-port ];
-      allowedTCPPorts = [ listening-port tls-listening-port ];
-      allowedUDPPortRanges = [{ from = min-port; to = max-port; }];
-    };
+    enable = mkOption { type = types.bool; default = false; };
+    hostname = mkOption { type = types.str; default = "coturn.chn.moe"; };
   };
+  config =
+    let
+      inherit (inputs.config.nixos.services) coturn;
+      inherit (inputs.lib) mkIf;
+    in mkIf coturn.enable
+      {
+        services.coturn = let keydir = inputs.config.security.acme.certs.${coturn.hostname}.directory; in
+        {
+          enable = true;
+          use-auth-secret = true;
+          static-auth-secret-file = inputs.config.sops.secrets."coturn/auth-secret".path;
+          realm = coturn.hostname;
+          cert = "${keydir}/full.pem";
+          pkey = "${keydir}/key.pem";
+          no-cli = true;
+        };
+        sops.secrets."coturn/auth-secret".owner = inputs.config.systemd.services.coturn.serviceConfig.User;
+        nixos.services.acme =
+        {
+          enable = true;
+          cert.${coturn.hostname}.group = inputs.config.systemd.services.coturn.serviceConfig.Group;
+        };
+        networking.firewall = with inputs.config.services.coturn;
+        {
+          allowedUDPPorts = [ listening-port tls-listening-port ];
+          allowedTCPPorts = [ listening-port tls-listening-port ];
+          allowedUDPPortRanges = [ { from = min-port; to = max-port; } ];
+        };
+      };
 }

modules/services/default.nix

@@ -1,6 +1,49 @@
 inputs:
 {
-  imports = inputs.localLib.mkModules (inputs.localLib.findModules ./.);
+  imports = inputs.localLib.mkModules
+  [
+    ./postgresql.nix
+    ./redis.nix
+    ./rsshub.nix
+    ./misskey.nix
+    ./nginx
+    ./meilisearch.nix
+    ./xray.nix
+    ./coturn.nix
+    ./synapse.nix
+    ./phpfpm.nix
+    ./xrdp.nix
+    ./groupshare.nix
+    ./acme.nix
+    ./samba.nix
+    ./sshd.nix
+    ./vaultwarden.nix
+    ./frp.nix
+    ./beesd.nix
+    ./snapper.nix
+    ./mariadb.nix
+    ./photoprism.nix
+    ./nextcloud.nix
+    ./freshrss.nix
+    ./kmscon.nix
+    ./fontconfig.nix
+    ./nix-serve.nix
+    ./send.nix
+    ./huginn.nix
+    ./httpua
+    ./fz-new-order
+    ./httpapi.nix
+    ./mirism.nix
+    ./mastodon.nix
+    ./gitea.nix
+    ./grafana.nix
+    ./fail2ban.nix
+    ./wireguard.nix
+    ./akkoma.nix
+    ./gamemode.nix
+    ./vikunja.nix
+    ./slurm.nix
+  ];
   options.nixos.services = let inherit (inputs.lib) mkOption types; in
   {
     firewall.trustedInterfaces = mkOption { type = types.listOf types.nonEmptyStr; default = []; };

modules/services/fail2ban.nix

@@ -1,9 +1,19 @@
 inputs:
 {
-  options.nixos.services.fail2ban = let inherit (inputs.lib) mkOption types; in mkOption
-    { type = types.nullOr (types.submodule {}); default = null; };
-  config = let inherit (inputs.config.nixos.services) fail2ban; in inputs.lib.mkIf (fail2ban != null)
+  options.nixos.services.fail2ban = let inherit (inputs.lib) mkOption types; in
   {
-    services.fail2ban = { enable = true; ignoreIP = [ "127.0.0.0/8" "192.168.0.0/16" "vps6.chn.moe" ]; };
+    enable = mkOption { type = types.bool; default = false; };
   };
+  config =
+    let
+      inherit (inputs.config.nixos.services) fail2ban;
+      inherit (inputs.lib) mkIf;
+    in mkIf fail2ban.enable
+    {
+      services.fail2ban =
+      {
+        enable = true;
+        ignoreIP = [ "127.0.0.0/8" "192.168.0.0/16" "vps6.chn.moe" ];
+      };
+    };
 }

modules/services/fontconfig.nix

@@ -26,6 +26,6 @@ inputs:
           serif = [ "Liberation Serif" "Source Han Serif SC" ];
         };
       };
-      nixos.user.sharedModules = [{ config.xdg.configFile."fontconfig/conf.d/10-hm-fonts.conf".force = true; }];
+      nixos.users.sharedModules = [{ config.xdg.configFile."fontconfig/conf.d/10-hm-fonts.conf".force = true; }];
     };
 }

modules/services/frp.nix

@@ -142,8 +142,8 @@ inputs:
           };
           users =
           {
-            users.frp = { uid = inputs.config.nixos.user.uid.frp; group = "frp"; isSystemUser = true; };
-            groups.frp.gid = inputs.config.nixos.user.gid.frp;
+            users.frp = { uid = inputs.config.nixos.system.user.user.frp; group = "frp"; isSystemUser = true; };
+            groups.frp.gid = inputs.config.nixos.system.user.group.frp;
           };
         }
       )
@@ -190,11 +190,11 @@ inputs:
             };
             secrets."frp/token" = {};
           };
-          nixos.services.acme.cert.${frpServer.serverName}.group = "frp";
+          nixos.services.acme = { enable = true; cert.${frpServer.serverName}.group = "frp"; };
           users =
           {
-            users.frp = { uid = inputs.config.nixos.user.uid.frp; group = "frp"; isSystemUser = true; };
-            groups.frp.gid = inputs.config.nixos.user.gid.frp;
+            users.frp = { uid = inputs.config.nixos.system.user.user.frp; group = "frp"; isSystemUser = true; };
+            groups.frp.gid = inputs.config.nixos.system.user.group.frp;
           };
           networking.firewall.allowedTCPPorts = [ 7000 ];
         }

modules/services/fz-new-order/default.nix

@@ -1,106 +1,115 @@
 inputs:
 {
-  options.nixos.services.fz-new-order = let inherit (inputs.lib) mkOption types; in mkOption
+  options.nixos.services.fz-new-order = let inherit (inputs.lib) mkOption types; in
   {
-    type = types.nullOr (types.submodule {});
-    default = null;
+    enable = mkOption { type = types.bool; default = false; };
   };
-  config = let inherit (inputs.config.nixos.services) fz-new-order; in inputs.lib.mkIf (fz-new-order != null)
-  {
-    users =
+  config =
+    let
+      inherit (inputs.config.nixos.services) fz-new-order;
+      inherit (inputs.localLib) attrsToList;
+      inherit (inputs.lib) mkIf;
+      inherit (builtins) map listToAttrs toString concatLists;
+    in mkIf fz-new-order.enable
     {
-      users.fz-new-order =
+      users =
       {
-        uid = inputs.config.nixos.user.uid.fz-new-order;
-        group = "fz-new-order";
-        home = "/var/lib/fz-new-order";
-        createHome = true;
-        isSystemUser = true;
-      };
-      groups.fz-new-order.gid = inputs.config.nixos.user.gid.fz-new-order;
-    };
-    systemd =
-    {
-      timers.fz-new-order =
-      {
-        wantedBy = [ "timers.target" ];
-        timerConfig = { OnBootSec = "10m"; OnUnitActiveSec = "10m"; Unit = "fz-new-order.service"; };
-      };
-      services.fz-new-order = rec
-      {
-        description = "fz-new-order";
-        after = [ "network.target" ];
-        requires = after;
-        serviceConfig =
+        users.fz-new-order =
         {
-          User = inputs.config.users.users."fz-new-order".name;
-          Group = inputs.config.users.users."fz-new-order".group;
-          WorkingDirectory = "/var/lib/fz-new-order";
-          ExecStart =
-            let
-              src = inputs.pkgs.substituteAll
-              {
-                src = ./main.cpp;
-                config_file = inputs.config.sops.templates."fz-new-order/config.json".path;
-              };
-              binary = inputs.pkgs.stdenv.mkDerivation
-              {
-                name = "fz-new-order";
-                inherit src;
-                buildInputs = with inputs.pkgs; [ jsoncpp.dev cereal fmt httplib ];
-                dontUnpack = true;
-                buildPhase =
-                ''
-                  runHook preBuild
-                  g++ -std=c++20 -O2 -o fz-new-order ${src} -ljsoncpp -lfmt
-                  runHook postBuild
-                '';
-                installPhase =
-                ''
-                  runHook preInstall
-                  mkdir -p $out/bin
-                  cp fz-new-order $out/bin/fz-new-order
-                  runHook postInstall
-                '';
-              };
-            in "${binary}/bin/fz-new-order";
+          uid = inputs.config.nixos.system.user.user.fz-new-order;
+          group = "fz-new-order";
+          home = "/var/lib/fz-new-order";
+          createHome = true;
+          isSystemUser = true;
         };
+        groups.fz-new-order.gid = inputs.config.nixos.system.user.group.fz-new-order;
       };
-      tmpfiles.rules =
-      [
-        "d /var/lib/fz-new-order 0700 fz-new-order fz-new-order"
-        "Z /var/lib/fz-new-order - fz-new-order fz-new-order"
-      ];
-    };
-    sops = let userNum = 6; configNum = 2; in
-    {
-      templates."fz-new-order/config.json" =
+      systemd =
       {
-        owner = inputs.config.users.users."fz-new-order".name;
-        group = inputs.config.users.users."fz-new-order".group;
-        content = let placeholder = inputs.config.sops.placeholder; in builtins.toJSON
+        timers.fz-new-order =
         {
-          manager = placeholder."fz-new-order/manager";
-          token = placeholder."fz-new-order/token";
-          uids = builtins.map (j: placeholder."fz-new-order/uids/user${builtins.toString j}")
-            (builtins.genList (n: n) userNum);
-          config = builtins.map
-            (i: builtins.listToAttrs (builtins.map
-              (attrName: { name = attrName; value = placeholder."fz-new-order/config${toString i}/${attrName}"; })
-              [ "username" "password" "comment" ]))
-            (builtins.genList (n: n) configNum);
+          wantedBy = [ "timers.target" ];
+          timerConfig =
+          {
+            OnBootSec = "10m";
+            OnUnitActiveSec = "10m";
+            Unit = "fz-new-order.service";
+          };
         };
+        services.fz-new-order = rec
+        {
+          description = "fz-new-order";
+          after = [ "network.target" ];
+          requires = after;
+          serviceConfig =
+          {
+            User = inputs.config.users.users."fz-new-order".name;
+            Group = inputs.config.users.users."fz-new-order".group;
+            WorkingDirectory = "/var/lib/fz-new-order";
+            ExecStart =
+              let
+                src = inputs.pkgs.substituteAll
+                {
+                  src = ./main.cpp;
+                  config_file = inputs.config.sops.templates."fz-new-order/config.json".path;
+                };
+                binary = inputs.pkgs.stdenv.mkDerivation
+                {
+                  name = "fz-new-order";
+                  inherit src;
+                  buildInputs = with inputs.pkgs; [ jsoncpp.dev cereal fmt httplib ];
+                  dontUnpack = true;
+                  buildPhase =
+                  ''
+                    runHook preBuild
+                    g++ -std=c++20 -O2 -o fz-new-order ${src} -ljsoncpp -lfmt
+                    runHook postBuild
+                  '';
+                  installPhase =
+                  ''
+                    runHook preInstall
+                    mkdir -p $out/bin
+                    cp fz-new-order $out/bin/fz-new-order
+                    runHook postInstall
+                  '';
+                };
+              in "${binary}/bin/fz-new-order";
+          };
+        };
+        tmpfiles.rules =
+        [
+          "d /var/lib/fz-new-order 0700 fz-new-order fz-new-order"
+          "Z /var/lib/fz-new-order - fz-new-order fz-new-order"
+        ];
+      };
+      sops = let userNum = 6; configNum = 2; in
+      {
+        templates."fz-new-order/config.json" =
+        {
+          owner = inputs.config.users.users."fz-new-order".name;
+          group = inputs.config.users.users."fz-new-order".group;
+          content = let placeholder = inputs.config.sops.placeholder; in builtins.toJSON
+          {
+            manager = placeholder."fz-new-order/manager";
+            token = placeholder."fz-new-order/token";
+            uids = map (j: placeholder."fz-new-order/uids/user${toString j}") (builtins.genList (n: n) userNum);
+            config = map
+              (i: listToAttrs (map
+                (attrName: { name = attrName; value = placeholder."fz-new-order/config${toString i}/${attrName}"; })
+                [ "username" "password" "comment" ]))
+              (builtins.genList (n: n) configNum);
+          };
+        };
+        secrets =
+          { "fz-new-order/manager" = {}; "fz-new-order/token" = {}; }
+          // (listToAttrs (map
+            (i: { name = "fz-new-order/uids/user${toString i}"; value = {}; })
+            (builtins.genList (n: n) userNum)))
+          // (listToAttrs (concatLists (map
+            (i: map
+              (attrName: { name = "fz-new-order/config${toString i}/${attrName}"; value = {}; })
+              [ "username" "password" "comment" ])
+            (builtins.genList (n: n) configNum))));
       };
-      secrets =
-        { "fz-new-order/manager" = {}; "fz-new-order/token" = {}; }
-        // (builtins.listToAttrs (builtins.map
-          (i: { name = "fz-new-order/uids/user${toString i}"; value = {}; })
-          (builtins.genList (n: n) userNum)))
-        // (builtins.listToAttrs (builtins.concatLists (builtins.map
-          (i: builtins.map
-            (attrName: { name = "fz-new-order/config${builtins.toString i}/${attrName}"; value = {}; })
-            [ "username" "password" "comment" ])
-          (builtins.genList (n: n) configNum))));
     };
-  };
 }

modules/services/groupshare.nix

@@ -1,26 +1,22 @@
 inputs:
 {
-  options.nixos.services.groupshare = let inherit (inputs.lib) mkOption types; in mkOption
+  options.nixos.services.groupshare = let inherit (inputs.lib) mkOption types; in
   {
-    type = types.nullOr (types.submodule { options =
-    {
-      users = mkOption { type = types.listOf types.nonEmptyStr; default = [ "chn" "gb" "xll" "yjq" "zem" ]; };
-    };});
-    default = null;
+    enable = mkOption { type = types.bool; default = false; };
+    # hard to read value from inputs.config.users.users.xxx.home, causing infinite recursion
+    mountPoints = mkOption { type = types.listOf types.str; default = []; };
   };
   config =
     let
+      inherit (inputs.lib) mkIf;
+      inherit (builtins) listToAttrs map concatLists concatStringsSep;
       inherit (inputs.config.nixos.services) groupshare;
-      users = inputs.lib.intersectLists groupshare.users inputs.config.nixos.user.users;
-    in inputs.lib.mkIf (groupshare != null)
+      users = inputs.config.users.groups.groupshare.members;
+    in mkIf groupshare.enable
     {
-      users =
-      {
-        users = builtins.listToAttrs (map (user: { name = user; value.extraGroups = [ "groupshare" ]; }) users);
-        groups.groupshare.gid = inputs.config.nixos.user.gid.groupshare;
-      };
+      users.groups.groupshare.gid = inputs.config.nixos.system.user.group.groupshare;
       systemd.tmpfiles.rules = [ "d /var/lib/groupshare" ]
-        ++ (builtins.concatLists (map
+        ++ (concatLists (map
           (user:
           [
             "d /var/lib/groupshare/${user} 2750 ${user} groupshare"
@@ -29,20 +25,22 @@ inputs:
               # d 指 default, 即目录下新创建的文件和目录的权限
               # 大写 X 指仅给目录执行权限
               # m 指 mask, 即对于所有者以外的用户, 该用户的权限最大为 m 指定的权限
-              + (builtins.concatStringsSep "," (builtins.concatLists (map
+              + (concatStringsSep "," (concatLists (map
                 (perm: [ "d:${perm}" perm ])
                 [ "u:${user}:rwX" "g:groupshare:r-X" "o::---" "m::r-x" ]))))
           ])
           users));
-      home-manager.users = builtins.listToAttrs (map
-        (user:
+      fileSystems = listToAttrs (map
+        (mountPoint:
         {
-          name = user;
-          value = homeInputs:
+          name = mountPoint;
+          value =
           {
-            config.home.file.groupshare.source = homeInputs.config.lib.file.mkOutOfStoreSymlink "/var/lib/groupshare";
+            device = "/var/lib/groupshare";
+            options = [ "bind" "private" "x-gvfs-hide" "X-fstrim.notrim" ];
+            depends = [ "/home" "/var/lib" ];
           };
         })
-        users);
+        groupshare.mountPoints);
     };
 }

modules/services/httpua/default.nix

@@ -1,20 +1,25 @@
 inputs:
 {
-  options.nixos.services.httpua = let inherit (inputs.lib) mkOption types; in mkOption
+  options.nixos.services.httpua = let inherit (inputs.lib) mkOption types; in
   {
-    type = types.nullOr (types.submodule { options =
-    {
-      hostname = mkOption { type = types.nonEmptyStr; default = "ua.chn.moe"; };
-    };});
-    default = null;
+    enable = mkOption { type = types.bool; default = false; };
+    hostname = mkOption { type = types.nonEmptyStr; default = "ua.chn.moe"; };
   };
-  config = let inherit (inputs.config.nixos.services) httpua; in inputs.lib.mkIf (httpua != null)
-  {
-    nixos.services =
+  config =
+    let
+      inherit (inputs.config.nixos.services) httpua;
+      inherit (inputs.lib) mkIf;
+      inherit (builtins) toString;
+    in mkIf httpua.enable
     {
-      phpfpm.instances.httpua = {};
-      nginx.http.${httpua.hostname}.php =
-        { root = "${./.}"; fastcgiPass = inputs.config.nixos.services.phpfpm.instances.httpua.fastcgi; };
+      nixos.services =
+      {
+        phpfpm.instances.httpua = {};
+        nginx.http.${httpua.hostname}.php =
+        {
+          root = toString ./.;
+          fastcgiPass = inputs.config.nixos.services.phpfpm.instances.httpua.fastcgi;
+        };
+      };
     };
-  };
 }

modules/services/mirism.nix

@@ -13,8 +13,8 @@ inputs:
     {
       users =
       {
-        users.mirism = { uid = inputs.config.nixos.user.uid.mirism; group = "mirism"; isSystemUser = true; };
-        groups.mirism.gid = inputs.config.nixos.user.gid.mirism;
+        users.mirism = { uid = inputs.config.nixos.system.user.user.mirism; group = "mirism"; isSystemUser = true; };
+        groups.mirism.gid = inputs.config.nixos.system.user.group.mirism;
       };
       systemd =
       {
@@ -56,7 +56,7 @@ inputs:
             })
             [ "entry." "" ]);
         };
-        acme.cert = { "ng01.mirism.one".group = "mirism"; "beta.mirism.one".group = "mirism"; };
+        acme = { enable = true; cert = { "ng01.mirism.one".group = "mirism"; "beta.mirism.one".group = "mirism"; }; };
       };
       environment.etc = listToAttrs (concatLists (map
         (instance:

modules/services/misskey.nix

@@ -125,13 +125,13 @@ inputs:
         {
           users."misskey-${instance.name}" =
           {
-            uid = inputs.config.nixos.user.uid."misskey-${instance.name}";
+            uid = inputs.config.nixos.system.user.user."misskey-${instance.name}";
             group = "misskey-${instance.name}";
             home = "/var/lib/misskey/${instance.name}";
             createHome = true;
             isSystemUser = true;
           };
-          groups."misskey-${instance.name}".gid = inputs.config.nixos.user.gid."misskey-${instance.name}";
+          groups."misskey-${instance.name}".gid = inputs.config.nixos.system.user.group."misskey-${instance.name}";
         })
         (attrsToList misskey.instances));
       nixos.services =

modules/services/nginx/applications/default.nix

@@ -1,4 +1,13 @@
 inputs:
 {
-  imports = inputs.localLib.mkModules (inputs.localLib.findModules ./.);
+  imports = inputs.localLib.mkModules
+  [
+    ./element.nix
+    ./synapse-admin.nix
+    ./kkmeeting.nix
+    ./webdav.nix
+    ./blog.nix
+    ./catalog.nix
+    ./main.nix
+  ];
 }

modules/services/nginx/default.nix

@@ -1,6 +1,9 @@
 inputs:
 {
-  imports = inputs.localLib.mkModules (inputs.localLib.findModules ./.);
+  imports = inputs.localLib.mkModules
+  [
+    ./applications
+  ];
   options.nixos.services.nginx = let inherit (inputs.lib) mkOption types; in
   {
     enable = mkOption { type = types.bool; default = false; };
@@ -670,9 +673,13 @@ inputs:
                   (site: { inherit (site) name; value.rewriteHttps = {}; })
                   (filter (site: site.value.global.rewriteHttps) sites));
               };
-            acme.cert = listToAttrs (map
-              (site: { inherit (site) name; value.group = inputs.config.services.nginx.group; })
-              sites);
+            acme =
+            {
+              enable = true;
+              cert = listToAttrs (map
+                (site: { inherit (site) name; value.group = inputs.config.services.nginx.group; })
+                sites);
+            };
           };
           sops =
             let

modules/services/phpfpm.nix

@@ -55,7 +55,7 @@ inputs:
           inherit (pool) name;
           value =
           {
-            uid = inputs.config.nixos.user.uid.${pool.name};
+            uid = inputs.config.nixos.system.user.user.${pool.name};
             group = pool.name;
             extraGroups = [ "nginx" ];
             isSystemUser = true;
@@ -63,7 +63,7 @@ inputs:
         })
         (filter (pool: pool.value.user == null) (attrsToList phpfpm.instances)));
       groups = listToAttrs (map
-        (pool: { inherit (pool) name; value.gid = inputs.config.nixos.user.gid.${pool.name}; })
+        (pool: { inherit (pool) name; value.gid = inputs.config.nixos.system.user.group.${pool.name}; })
         (filter (pool: pool.value.user == null) (attrsToList phpfpm.instances)));
     };
   };

modules/services/rsshub.nix

@@ -54,8 +54,8 @@ inputs:
       };
       users =
       {
-        users.rsshub = { uid = inputs.config.nixos.user.uid.rsshub; group = "rsshub"; isSystemUser = true; };
-        groups.rsshub.gid = inputs.config.nixos.user.gid.rsshub;
+        users.rsshub = { uid = inputs.config.nixos.system.user.user.rsshub; group = "rsshub"; isSystemUser = true; };
+        groups.rsshub.gid = inputs.config.nixos.system.user.group.rsshub;
       };
       nixos.services =
       {

modules/services/slurm.nix

@@ -67,8 +67,6 @@ inputs:
             SelectType=select/cons_tres
             SelectTypeParameters=CR_Core
             GresTypes=gpu
-            DefCpuPerGPU=1
-
             TaskProlog=${inputs.pkgs.writeShellScript "set_env" taskProlog}
 
             AccountingStorageType=accounting_storage/slurmdbd

modules/services/synapse.nix

@@ -37,14 +37,14 @@ inputs:
         {
           users."synapse-${instance.name}" =
           {
-            uid = inputs.config.nixos.user.uid."synapse-${instance.name}";
+            uid = inputs.config.nixos.system.user.user."synapse-${instance.name}";
             group = "synapse-${instance.name}";
             home = "/var/lib/synapse/${instance.name}";
             createHome = true;
             isSystemUser = true;
             shell = "${inputs.pkgs.bash}/bin/bash";
           };
-          groups."synapse-${instance.name}".gid = inputs.config.nixos.user.gid."synapse-${instance.name}";
+          groups."synapse-${instance.name}".gid = inputs.config.nixos.system.user.group."synapse-${instance.name}";
         })
         (attrsToList synapse.instances));
       systemd = mkMerge (map

modules/services/wireguard.nix

@@ -9,7 +9,7 @@ inputs:
     behindNat = mkOption
     {
       type = types.bool;
-      default = inputs.config.nixos.services.xray.client != null;
+      default = inputs.config.nixos.services.xray.client.enable;
     };
     listenIp = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
     # if the host is behind xray, it should listen on another port, to make xray succeffully listen on 51820

modules/services/xray.nix

@@ -2,45 +2,21 @@ inputs:
 {
   options.nixos.services.xray = let inherit (inputs.lib) mkOption types; in
   {
-    client = mkOption
+    client =
     {
-      type = types.nullOr (types.submodule { options =
+      enable = mkOption { type = types.bool; default = false; };
+      serverAddress = mkOption { type = types.nonEmptyStr; default = "74.211.99.69"; };
+      serverName = mkOption { type = types.nonEmptyStr; default = "vps6.xserver.chn.moe"; };
+      dae.lanInterfaces = mkOption
       {
-        xray =
-        {
-          serverAddress = mkOption { type = types.nonEmptyStr; default = "74.211.99.69"; };
-          serverName = mkOption { type = types.nonEmptyStr; default = "vps6.xserver.chn.moe"; };
-          noproxyUsers = mkOption { type = types.listOf types.nonEmptyStr; default = [ "gb" "xll" ]; };
-        };
-        dae =
-        {
-          lanInterfaces = mkOption
-          {
-            type = types.listOf types.nonEmptyStr;
-            default = inputs.lib.optionals inputs.config.nixos.virtualization.docker.enable [ "docker0" ];
-          };
-          wanInterface = mkOption { type = types.listOf types.nonEmptyStr; default = [ "auto" ]; };
-        };
-        dnsmasq =
-        {
-          extraInterfaces = mkOption
-          {
-            type = types.listOf types.nonEmptyStr;
-            default = inputs.lib.optional inputs.config.nixos.virtualization.docker.enable "docker0";
-          };
-          hosts = mkOption { type = types.attrsOf types.nonEmptyStr; default = {}; };
-        };
-      };});
-      default = null;
+        type = types.listOf types.nonEmptyStr;
+        default = inputs.lib.optionals inputs.config.nixos.virtualization.docker.enable [ "docker0" ];
+      };
     };
-    server = mkOption
+    server =
     {
-      type = types.nullOr (types.submodule { options =
-      {
-        serverName = mkOption { type = types.nonEmptyStr; };
-        userNumber = mkOption { type = types.ints.unsigned; };
-      };});
-      default = null;
+      enable = mkOption { type = types.bool; default = false; };
+      serverName = mkOption { type = types.nonEmptyStr; };
     };
   };
   config = let inherit (inputs.config.nixos.services) xray; in inputs.lib.mkMerge
@@ -48,50 +24,30 @@ inputs:
     {
       assertions =
       [{
-        assertion = !(xray.client != null && xray.server != null);
+        assertion = !(xray.client.enable && xray.server.enable);
         message = "Currenty xray.client and xray.server could not be simutaniusly enabled.";
       }];
     }
     (
-      inputs.lib.mkIf (xray.client != null)
+      inputs.lib.mkIf xray.client.enable
       {
         services =
         {
           xray = { enable = true; settingsFile = inputs.config.sops.templates."xray-client.json".path; };
-          dnsmasq =
-          {
-            enable = true;
-            settings =
-            {
-              no-poll = true;
-              log-queries = true;
-              server = [ "127.0.0.1#10853" ];
-              interface = xray.client.dnsmasq.extraInterfaces ++ [ "lo" ];
-              bind-dynamic = true;
-              address = map (host: "/${host.name}/${host.value}")
-                (inputs.localLib.attrsToList xray.client.dnsmasq.hosts);
-            };
-          };
           dae =
           {
             enable = true;
-            package = inputs.pkgs.callPackage "${inputs.topInputs.nixpkgs-unstable}/pkgs/tools/networking/dae" {};
             config =
-            let
-              lanString = (inputs.lib.optionalString (xray.client.dae.lanInterfaces != []) "lan_interface: ")
-                + builtins.concatStringsSep "," xray.client.dae.lanInterfaces;
-              wanString = (inputs.lib.optionalString (xray.client.dae.wanInterface != []) "wan_interface: ")
-                + builtins.concatStringsSep "," xray.client.dae.wanInterface;
-            in
             ''
               global {
                 tproxy_port: 12345
                 tproxy_port_protect: true
                 so_mark_from_dae: 0
                 log_level: info
-                disable_waiting_network: true
-                ${lanString}
-                ${wanString}
+                disable_waiting_network: false
+
+                lan_interface: ${builtins.concatStringsSep "," xray.client.dae.lanInterfaces}
+                wan_interface: auto
                 auto_config_kernel_parameter: true
 
                 dial_mode: ip
@@ -103,6 +59,24 @@ inputs:
                 'socks5://localhost:10884'
               }
 
+              dns {
+                upstream {
+                  alidns: 'udp://223.5.5.5:53'
+                  googledns: 'tcp+udp://8.8.8.8:53'
+                }
+                routing {
+                  request {
+                    qname(geosite:geolocation-cn) -> alidns
+                    qname(geosite:geolocation-!cn) -> googledns
+                    fallback: alidns
+                  }
+                  response {
+                    upstream(alidns) && !ip(geoip:cn) -> googledns
+                    fallback: accept
+                  }
+                }
+              }
+
               group {
                 default_group {
                   policy: fixed(0)
@@ -110,10 +84,13 @@ inputs:
               }
 
               routing {
-                dscp(0x1) -> direct
+                # TODO: more general rules to bypass the proxy
+                pname(xray) -> direct
 
                 dip(224.0.0.0/3, 'ff00::/8') -> direct
                 dip(geoip:private) -> direct
+                domain(geosite:geolocation-cn) -> direct
+                domain('geosite:geolocation-!cn') -> default_group
                 dip(8.8.8.8) -> default_group
                 dip(223.5.5.5) -> direct
                 dip(geoip:cn) -> direct
@@ -122,7 +99,6 @@ inputs:
               }
             '';
           };
-          resolved.enable = false;
         };
         sops =
         {
@@ -138,39 +114,8 @@ inputs:
               builtins.toJSON
               {
                 log.loglevel = "info";
-                dns =
-                {
-                  servers =
-                  # 先尝试匹配域名列表进行查询，若匹配成功则使用前两个 dns 查询。
-                  # 若匹配域名列表失败，或者匹配成功但是查询到的 IP 不在期望的 IP 列表中，则回落到使用后两个 dns 依次查询。
-                  [
-                    {
-                      address = chinaDns;
-                      domains = [ "geosite:geolocation-cn" ];
-                      expectIPs = [ "geoip:cn" ];
-                      skipFallback = true;
-                    }
-                    {
-                      address = foreignDns;
-                      domains = [ "geosite:geolocation-!cn" ];
-                      expectIPs = [ "geoip:!cn" ];
-                      skipFallback = true;
-                    }
-                    { address = chinaDns; expectIPs = [ "geoip:cn" ]; }
-                    { address = foreignDns; }
-                  ];
-                  disableCache = true;
-                  queryStrategy = "UseIPv4";
-                  tag = "dns-internal";
-                };
                 inbounds =
                 [
-                  {
-                    port = 10853;
-                    protocol = "dokodemo-door";
-                    settings = { address = "8.8.8.8"; network = "tcp,udp"; port = 53; };
-                    tag = "dns-in";
-                  }
                   {
                     port = 10881;
                     protocol = "dokodemo-door";
@@ -178,7 +123,7 @@ inputs:
                     streamSettings.sockopt.tproxy = "tproxy";
                     tag = "xmu-in";
                   }
-                  { port = 10884; protocol = "socks"; settings.udp = true; tag = "common-in"; }
+                  { port = 10884; protocol = "socks"; settings.udp = true; tag = "proxy-in"; }
                   { port = 10882; protocol = "socks"; settings.udp = true; tag = "direct-in"; }
                 ];
                 outbounds =
@@ -187,7 +132,7 @@ inputs:
                     protocol = "vless";
                     settings.vnext =
                     [{
-                      address = xray.client.xray.serverAddress;
+                      address = xray.client.serverAddress;
                       port = 443;
                       users =
                       [{
@@ -202,7 +147,7 @@ inputs:
                       security = "reality";
                       realitySettings =
                       {
-                        serverName = xray.client.xray.serverName;
+                        serverName = xray.client.serverName;
                         publicKey = "Nl0eVZoDF9d71_3dVsZGJl3UWR9LCv3B14gu7G6vhjk";
                         fingerprint = "firefox";
                       };
@@ -223,20 +168,9 @@ inputs:
                   domainStrategy = "AsIs";
                   rules = builtins.map (rule: rule // { type = "field"; })
                   [
-                    { inboundTag = [ "dns-in" ]; outboundTag = "dns-out"; }
-                    { inboundTag = [ "dns-internal" ]; ip = [ chinaDns ]; outboundTag = "direct"; }
-                    { inboundTag = [ "dns-internal" ]; ip = [ foreignDns ]; outboundTag = "proxy-vless"; }
-                    { inboundTag = [ "dns-internal" ]; outboundTag = "block"; }
                     { inboundTag = [ "xmu-in" ]; outboundTag = "xmu-out"; }
                     { inboundTag = [ "direct-in" ]; outboundTag = "direct"; }
-                    { inboundTag = [ "common-in" ]; domain = [ "geosite:geolocation-cn" ]; outboundTag = "direct"; }
-                    {
-                      inboundTag = [ "common-in" ];
-                      domain = [ "geosite:geolocation-!cn" ];
-                      outboundTag = "proxy-vless";
-                    }
-                    { inboundTag = [ "common-in" ]; ip = [ "geoip:cn" ]; outboundTag = "direct"; }
-                    { inboundTag = [ "common-in" ]; outboundTag = "proxy-vless"; }
+                    { inboundTag = [ "proxy-in" ]; outboundTag = "proxy-vless"; }
                   ];
                 };
               };
@@ -291,14 +225,10 @@ inputs:
                     "${iptables} -t mangle -A OUTPUT -j v2ray_mark -w"
                   ]
                   ++ (map (action: "${iptables} -t mangle -A v2ray_mark ${action} -w")
-                  (
-                    [ "-m set --match-set xmu_net dst -j MARK --set-mark 1/1" ]
-                    ++ (map
-                      (user:
-                        let uid = inputs.config.nixos.user.uid.${user};
-                        in "-m owner --uid-owner ${toString uid} -j DSCP --set-dscp 0x1")
-                      (xray.client.xray.noproxyUsers ++ [ "v2ray" ]))  
-                  ))
+                  [
+                    "-m set --match-set xmu_net dst -p tcp -j MARK --set-mark 1/1"
+                    "-m set --match-set xmu_net dst -p udp -j MARK --set-mark 1/1"
+                  ])
                   ++ [
                     "${ip} rule add fwmark 1/1 table 100"
                     "${ip} route add local 0.0.0.0/0 dev lo table 100"
@@ -321,14 +251,13 @@ inputs:
         };
         users =
         {
-          users.v2ray = { uid = inputs.config.nixos.user.uid.v2ray; group = "v2ray"; isSystemUser = true; };
-          groups.v2ray.gid = inputs.config.nixos.user.gid.v2ray;
+          users.v2ray = { uid = inputs.config.nixos.system.user.user.v2ray; group = "v2ray"; isSystemUser = true; };
+          groups.v2ray.gid = inputs.config.nixos.system.user.group.v2ray;
         };
-        environment.etc."resolv.conf".text = "nameserver 127.0.0.1";
       }
     )
     (
-      inputs.lib.mkIf (xray.server != null) (let userList = builtins.genList (n: n) xray.server.userNumber; in
+      inputs.lib.mkIf xray.server.enable (let userList = builtins.genList (n: n) 30; in
       {
         services.xray = { enable = true; settingsFile = inputs.config.sops.templates."xray-server.json".path; };
         sops =
@@ -439,9 +368,9 @@ inputs:
               };
             };
           };
-          secrets = builtins.listToAttrs
+          secrets = inputs.localLib.listToAttrs
             (map (n: { name = "xray-server/clients/user${toString n}"; value = {}; }) userList)
-            // (builtins.listToAttrs (map
+            // (inputs.localLib.listToAttrs (map
               (name:
               {
                 name = "xray-server/telegram/${name}";
@@ -509,12 +438,12 @@ inputs:
         };
         users =
         {
-          users.v2ray = { uid = inputs.config.nixos.user.uid.v2ray; group = "v2ray"; isSystemUser = true; };
-          groups.v2ray.gid = inputs.config.nixos.user.gid.v2ray;
+          users.v2ray = { uid = inputs.config.nixos.system.user.user.v2ray; group = "v2ray"; isSystemUser = true; };
+          groups.v2ray.gid = inputs.config.nixos.system.user.group.v2ray;
         };
         nixos.services =
         {
-          acme.cert.${xray.server.serverName}.group = inputs.config.users.users.nginx.group;
+          acme = { enable = true; cert.${xray.server.serverName}.group = inputs.config.users.users.nginx.group; };
           nginx =
           {
             enable = true;

modules/services/xrdp.nix

@@ -19,26 +19,27 @@ inputs:
     [
       {
         assertions =
-        [{
-          assertion = (xrdp.optimise.type == "nvidia") -> (xrdp.optimise.nvidiaBusId != null);
-          message = "nvidiaBusId must be set if optimise type is nvidia";
-        }];
+        [
+          {
+            assertion = !inputs.config.nixos.system.envfs.enable;
+            message = "Somehow xrdp could not start if envfs is enabled";
+          }
+          {
+            assertion = (xrdp.optimise.type == "nvidia") -> (xrdp.optimise.nvidiaBusId != null);
+            message = "nvidiaBusId must be set if optimise type is nvidia";
+          }
+        ];
       }
       {
         services.xrdp =
         {
           enable = true;
-          package = mkIf (xrdp.optimise.type != null) (inputs.pkgs.xrdp.override
-          {
-            variant = xrdp.optimise.type;
-            inherit (xrdp.optimise) nvidiaBusId;
-            nvidiaPackage = inputs.config.hardware.nvidia.package;
-          });
+          package = mkIf (xrdp.optimise.type != null)
+            (inputs.pkgs.xrdp.override { variant = xrdp.optimise.type; inherit (xrdp.optimise) nvidiaBusId; });
           port = xrdp.port;
           openFirewall = true;
           defaultWindowManager = "${inputs.pkgs.plasma-workspace}/bin/startplasma-x11";
         };
-        environment.etc.xrdp.source = "${inputs.config.services.xrdp.package}/etc/xrdp";
       }
       (
         mkIf (xrdp.hostname != null)
@@ -50,8 +51,12 @@ inputs:
             services.xrdp =
               let keydir = inputs.config.security.acme.certs.${mainDomain}.directory;
               in { sslCert = "${keydir}/full.pem"; sslKey = "${keydir}/key.pem"; };
-            nixos.services.acme.cert.${mainDomain} =
-              { domains = xrdp.hostname; group = inputs.config.systemd.services.xrdp.serviceConfig.Group; };
+            nixos.services.acme =
+            {
+              enable = true;
+              cert.${mainDomain} =
+                { domains = xrdp.hostname; group = inputs.config.systemd.services.xrdp.serviceConfig.Group; };
+            };
           }
         )
       )

modules/system/default.nix

@@ -1,6 +1,24 @@
 inputs:
 {
-  imports = inputs.localLib.mkModules (inputs.localLib.findModules ./.);
+  imports = inputs.localLib.mkModules
+  [
+    ./nix.nix
+    ./fileSystems
+    ./grub.nix
+    ./initrd.nix
+    ./kernel
+    ./impermanence.nix
+    ./gui.nix
+    ./nixpkgs.nix
+    ./networking.nix
+    ./systemd.nix
+    ./security.nix
+    ./sops.nix
+    ./user.nix
+    ./sysctl.nix
+    ./envfs.nix
+    ./binfmt.nix
+  ];
   config =
   {
     services = { dbus.implementation = "broker"; fstrim.enable = true; acpid.enable = true; };

modules/system/envfs.nix

@@ -1,8 +1,10 @@
 inputs:
 {
-  options.nixos.system.envfs = let inherit (inputs.lib) mkOption types; in mkOption
-    { type = types.nullOr (types.submodule {}); default = {}; };
-  config = let inherit (inputs.config.nixos.system) envfs; in inputs.lib.mkIf (envfs != null) (inputs.lib.mkMerge
+  options.nixos.system.envfs = let inherit (inputs.lib) mkOption types; in
+  {
+    enable = mkOption { type = types.bool; default = false; };
+  };
+  config = inputs.lib.mkIf inputs.config.nixos.system.envfs.enable (inputs.lib.mkMerge
   [
     (builtins.elemAt inputs.topInputs.envfs.nixosModules.envfs.imports 0 inputs)
     { environment.variables.ENVFS_RESOLVE_ALWAYS = "1"; }

modules/system/fileSystems/default.nix

@@ -50,16 +50,18 @@ inputs:
     # device or { device, offset }
     resume = mkOption
     {
-      type = types.nullOr (types.oneOf [ types.nonEmptyStr (types.submodule { options =
-        { device = mkOption { type = types.nonEmptyStr; }; offset = mkOption { type = types.ints.unsigned; }; };
-      })]);
+      type = types.nullOr (types.str or (types.submodule
+      {
+        options =
+          { device = mkOption { type = types.nonEmptyStr; }; offset = mkOption { type = types.ints.unsigned; }; };
+      }));
       default = null;
     };
     rollingRootfs = mkOption
     {
       type = types.nullOr (types.submodule { options =
       {
-        device = mkOption { type = types.nonEmptyStr; default = inputs.config.fileSystems."/".device; };
+        device = mkOption { type = types.nonEmptyStr; default = "/dev/mapper/root"; };
         path = mkOption { type = types.nonEmptyStr; default = "/nix/rootfs"; };
         waitDevices = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
       };});

modules/system/impermanence.nix

@@ -20,6 +20,8 @@ inputs:
           hideMounts = true;
           directories =
           [
+            { directory = "/etc/NetworkManager/system-connections"; mode = "0700"; }
+            "/home"
             "/root"
             "/var/db"
             "/var/lib"
@@ -46,12 +48,11 @@ inputs:
             "/var/lib/systemd/linger"
             "/var/lib/systemd/coredump"
             { directory = "/var/lib/docker"; mode = "0710"; }
-            "/var/lib/flatpak"
           ]
           ++ (if inputs.config.services.xserver.displayManager.sddm.enable then
             [{ directory = "/var/lib/sddm"; user = "sddm"; group = "sddm"; mode = "0700"; }] else []);
         }
-        // (if builtins.elem "chn" inputs.config.nixos.user.users then
+        // (if builtins.elem "chn" inputs.config.nixos.users.users then
         {
           users.chn =
           {

modules/system/kernel/default.nix

@@ -2,11 +2,7 @@ inputs:
 {
   options.nixos.system.kernel = let inherit (inputs.lib) mkOption types; in
   {
-    varient = mkOption
-    {
-      type = types.enum [ "xanmod-lts" "xanmod-latest" "cachyos" "cachyos-lto" ];
-      default = "xanmod-lts";
-    };
+    varient = mkOption { type = types.enum [ "lts" "latest" ]; default = "lts"; };
     patches = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
     modules =
     {
@@ -16,137 +12,123 @@ inputs:
       modprobeConfig = mkOption { type = types.listOf types.str; default = []; };
     };
   };
-  config = let inherit (inputs.config.nixos.system) kernel; in inputs.lib.mkMerge
-  [
+  config =
+    let
+      inherit (inputs.lib) mkMerge mkIf;
+      inherit (inputs.localLib) mkConditional;
+      inherit (inputs.config.nixos.system) kernel;
+    in { boot =
     {
-      boot =
+      kernelModules = [ "br_netfilter" ] ++ kernel.modules.load;
+      # modprobe --show-depends
+      initrd.availableKernelModules =
+      [
+        "ahci" "ata_piix" "bfq" "failover" "net_failover" "nls_cp437" "nls_iso8859-1" "nvme" "sdhci_acpi" "sd_mod"
+        "sr_mod" "usbcore" "usbhid" "usbip-core" "usb-common" "usb_storage" "vhci-hcd" "virtio" "virtio_blk"
+        "virtio_net" "virtio_pci" "xhci_pci" "virtio_ring" "virtio_scsi" "cryptd" "crypto_simd" "libaes"
+        # networking for nas
+        "igb"
+        # yoga
+        "lenovo_yogabook"
+      ];
+      extraModulePackages = (with inputs.config.boot.kernelPackages; [ v4l2loopback ]) ++ kernel.modules.install;
+      extraModprobeConfig = builtins.concatStringsSep "\n" kernel.modules.modprobeConfig;
+      kernelParams = [ "delayacct" "acpi_osi=Linux" "acpi.ec_no_wakeup=1" ];
+      kernelPackages =
       {
-        kernelModules = [ "br_netfilter" ] ++ kernel.modules.load;
-        # modprobe --show-depends
-        initrd.availableKernelModules =
-        [
-          "ahci" "ata_piix" "bfq" "failover" "net_failover" "nls_cp437" "nls_iso8859-1" "nvme" "sdhci_acpi" "sd_mod"
-          "sr_mod" "usbcore" "usbhid" "usbip-core" "usb-common" "usb_storage" "vhci-hcd" "virtio" "virtio_blk"
-          "virtio_net" "virtio_pci" "xhci_pci" "virtio_ring" "virtio_scsi" "cryptd" "crypto_simd" "libaes"
-          # networking for nas
-          "igb"
-        ];
-        extraModulePackages = (with inputs.config.boot.kernelPackages; [ v4l2loopback ]) ++ kernel.modules.install;
-        extraModprobeConfig = builtins.concatStringsSep "\n" kernel.modules.modprobeConfig;
-        kernelParams = [ "delayacct" "acpi_osi=Linux" "acpi.ec_no_wakeup=1" ];
-        kernelPackages =
-        {
-          xanmod-lts = inputs.pkgs.linuxPackages_xanmod;
-          xanmod-latest = inputs.pkgs.linuxPackages_xanmod_latest;
-          cachyos = inputs.pkgs.linuxPackages_cachyos;
-          cachyos-lto = inputs.pkgs.linuxPackages_cachyos-lto;
-        }.${kernel.varient};
-        kernelPatches =
-          let
-            patches =
-            {
-              cjktty =
-              [{
-                name = "cjktty";
-                patch =
-                  let
-                    version = builtins.splitVersion inputs.config.boot.kernelPackages.kernel.version;
-                    major = builtins.elemAt version 0;
-                    minor = builtins.elemAt version 1;
-                  in inputs.pkgs.fetchurl
-                  {
-                    url = "https://raw.githubusercontent.com/zhmars/cjktty-patches/master/"
-                      + "v${major}.x/cjktty-${major}.${minor}.patch";
-                    sha256 =
-                      let
-                        hashes =
-                        {
-                          "6.1" = "11ddiammvjxx2m9v32p25l1ai759a1d6xhdpszgnihv7g2fzigf5";
-                          "6.6" = "19ib0syj3207ifr315gdrnpv6nhh435fmgl05c7k715nng40i827";
-                          "6.7" = "1yfsmc0873xiwlirir0xfp9zyrpd09q1srgr3z4rl7i7lxzaqls8";
-                        };
-                      in hashes."${major}.${minor}";
-                  };
-                extraStructuredConfig =
-                  { FONT_CJK_16x16 = inputs.lib.kernel.yes; FONT_CJK_32x32 = inputs.lib.kernel.yes; };
-              }];
-              lantian =
-              [{
-                name = "lantian";
-                patch = null;
-                # pick from xddxdd/nur-packages dce93a
-                extraStructuredConfig = with inputs.lib.kernel;
-                {
-                  ACPI_PCI_SLOT = yes;
-                  ENERGY_MODEL = yes;
-                  PARAVIRT_TIME_ACCOUNTING = yes;
-                  PM_AUTOSLEEP = yes;
-                  WQ_POWER_EFFICIENT_DEFAULT = yes;
-                  PREEMPT_VOLUNTARY = inputs.lib.mkForce no;
-                  PREEMPT = inputs.lib.mkForce yes;
-                  NO_HZ_FULL = yes;
-                  HZ_1000 = inputs.lib.mkForce yes;
-                  HZ_250 = inputs.lib.mkForce no;
-                  HZ = inputs.lib.mkForce (freeform "1000");
-                };
-              }];
-              surface =
-                let
-                  version =
-                    let versionArray = builtins.splitVersion inputs.config.boot.kernelPackages.kernel.version;
-                    in "${builtins.elemAt versionArray 0}.${builtins.elemAt versionArray 1}";
-                  kernelPatches = builtins.map
-                    (file:
-                    {
-                      name = "surface-${file.name}";
-                      patch = "${inputs.topInputs.linux-surface}/patches/${version}/${file.name}";
-                    })
-                    (builtins.filter
-                      (file: file.value == "regular")
-                      (inputs.localLib.attrsToList (builtins.readDir
-                        "${inputs.topInputs.linux-surface}/patches/${version}")));
-                  kernelConfig = builtins.removeAttrs
-                    (builtins.listToAttrs (builtins.concatLists (builtins.map
-                      (configString:
-                        if builtins.match "CONFIG_.*=." configString == [] then
-                        (
-                          let match = builtins.match "CONFIG_(.*)=(.)" configString; in with inputs.lib.kernel;
-                          [{
-                            name = builtins.elemAt match 0;
-                            value = { m = module; y = yes; }.${builtins.elemAt match 1};
-                          }]
-                        )
-                        else if builtins.match "# CONFIG_.* is not set" configString == [] then
-                        [{
-                          name = builtins.elemAt (builtins.match "# CONFIG_(.*) is not set" configString) 0;
-                          value = inputs.lib.kernel.unset;
-                        }]
-                        else if builtins.match "#.*" configString == [] then []
-                        else if configString == "" then []
-                        else throw "could not parse: ${configString}"
-                      )
-                      (inputs.lib.strings.splitString "\n"
-                        (builtins.readFile "${inputs.topInputs.linux-surface}/configs/surface-${version}.config")))))
-                    [ "VIDEO_IPU3_IMGU" ];
-                in kernelPatches ++ [{ name = "surface-config"; patch = null; extraStructuredConfig = kernelConfig; }];
-              hibernate-progress = [{ name = "hibernate-progress"; patch = ./hibernate-progress.patch; }];
-            };
-          in builtins.concatLists (builtins.map (name: patches.${name}) kernel.patches);
-      };
-    }
-    (
-      inputs.lib.mkIf (inputs.lib.strings.hasPrefix "cachyos" kernel.varient)
-      (
-        let scx =
-          let rustPlatform = inputs.pkgs.unstablePackages.rustPlatform;
-          in inputs.pkgs.scx.override (prev:
+        lts = inputs.pkgs.linuxPackages_xanmod;
+        latest = inputs.pkgs.linuxPackages_xanmod_latest;
+      }.${kernel.varient};
+      kernelPatches =
+        let
+          patches =
           {
-            scx-layered = prev.scx-layered.override { inherit rustPlatform; };
-            scx-rustland = prev.scx-rustland.override { inherit rustPlatform; };
-            scx-rusty = prev.scx-rusty.override { inherit rustPlatform; };
-          });
-        in { environment.systemPackages = [ scx ]; }
-      )
-    )
-  ];
+            cjktty =
+            [{
+              name = "cjktty";
+              patch =
+                let
+                  version = builtins.splitVersion inputs.config.boot.kernelPackages.kernel.version;
+                  major = builtins.elemAt version 0;
+                  minor = builtins.elemAt version 1;
+                in inputs.pkgs.fetchurl
+                {
+                  url = "https://raw.githubusercontent.com/zhmars/cjktty-patches/master/"
+                    + "v${major}.x/cjktty-${major}.${minor}.patch";
+                  sha256 =
+                    let
+                      hashes =
+                      {
+                        "6.1" = "11ddiammvjxx2m9v32p25l1ai759a1d6xhdpszgnihv7g2fzigf5";
+                        "6.6" = "19ib0syj3207ifr315gdrnpv6nhh435fmgl05c7k715nng40i827";
+                        "6.7" = "1yfsmc0873xiwlirir0xfp9zyrpd09q1srgr3z4rl7i7lxzaqls8";
+                      };
+                    in hashes."${major}.${minor}";
+                };
+              extraStructuredConfig =
+                { FONT_CJK_16x16 = inputs.lib.kernel.yes; FONT_CJK_32x32 = inputs.lib.kernel.yes; };
+            }];
+            lantian =
+            [{
+              name = "lantian";
+              patch = null;
+              # pick from xddxdd/nur-packages dce93a
+              extraStructuredConfig = with inputs.lib.kernel;
+              {
+                ACPI_PCI_SLOT = yes;
+                ENERGY_MODEL = yes;
+                PARAVIRT_TIME_ACCOUNTING = yes;
+                PM_AUTOSLEEP = yes;
+                WQ_POWER_EFFICIENT_DEFAULT = yes;
+                PREEMPT_VOLUNTARY = inputs.lib.mkForce no;
+                PREEMPT = inputs.lib.mkForce yes;
+                NO_HZ_FULL = yes;
+                HZ_1000 = inputs.lib.mkForce yes;
+                HZ_250 = inputs.lib.mkForce no;
+                HZ = inputs.lib.mkForce (freeform "1000");
+              };
+            }];
+            surface =
+              let
+                version =
+                  let versionArray = builtins.splitVersion inputs.config.boot.kernelPackages.kernel.version;
+                  in "${builtins.elemAt versionArray 0}.${builtins.elemAt versionArray 1}";
+                kernelPatches = builtins.map
+                  (file:
+                  {
+                    name = "surface-${file.name}";
+                    patch = "${inputs.topInputs.linux-surface}/patches/${version}/${file.name}";
+                  })
+                  (builtins.filter
+                    (file: file.value == "regular")
+                    (inputs.localLib.attrsToList (builtins.readDir
+                      "${inputs.topInputs.linux-surface}/patches/${version}")));
+                kernelConfig = builtins.removeAttrs
+                  (builtins.listToAttrs (builtins.concatLists (builtins.map
+                    (configString:
+                      if builtins.match "CONFIG_.*=." configString == [] then
+                      (
+                        let match = builtins.match "CONFIG_(.*)=(.)" configString; in with inputs.lib.kernel;
+                        [{
+                          name = builtins.elemAt match 0;
+                          value = { m = module; y = yes; }.${builtins.elemAt match 1};
+                        }]
+                      )
+                      else if builtins.match "# CONFIG_.* is not set" configString == [] then
+                      [{
+                        name = builtins.elemAt (builtins.match "# CONFIG_(.*) is not set" configString) 0;
+                        value = inputs.lib.kernel.unset;
+                      }]
+                      else if builtins.match "#.*" configString == [] then []
+                      else if configString == "" then []
+                      else throw "could not parse: ${configString}"
+                    )
+                    (inputs.lib.strings.splitString "\n"
+                      (builtins.readFile "${inputs.topInputs.linux-surface}/configs/surface-${version}.config")))))
+                  [ "VIDEO_IPU3_IMGU" ];
+              in kernelPatches ++ [{ name = "surface-config"; patch = null; extraStructuredConfig = kernelConfig; }];
+            hibernate-progress = [{ name = "hibernate-progress"; patch = ./hibernate-progress.patch; }];
+          };
+        in builtins.concatLists (builtins.map (name: patches.${name}) kernel.patches);
+    };};
 }

modules/system/networking.nix

@@ -3,34 +3,26 @@ inputs:
   options.nixos.system.networking = let inherit (inputs.lib) mkOption types; in
   {
     hostname = mkOption { type = types.nonEmptyStr; };
-    networkManager.enable = mkOption
-      { type = types.bool; default = inputs.config.nixos.system.networking.networkd == null; };
-    networkd = mkOption
-    {
-      type = types.nullOr (types.submodule { options =
-      {
-        dhcp = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
-        static = mkOption
-        {
-          type = types.attrsOf (types.submodule { options =
-          {
-            ip = mkOption { type = types.nonEmptyStr; };
-            mask = mkOption { type = types.ints.unsigned; };
-            gateway = mkOption { type = types.nonEmptyStr; };
-            dns = mkOption { type = types.nonEmptyStr; default = null; };
-          };});
-          default = {};
-        };
-      };});
-      default = null;
-    };
-    wireless = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
   };
-  config = let inherit (inputs.config.nixos.system) networking; in inputs.lib.mkMerge
-  [
-    # general config
+  config =
+    let
+      inherit (inputs.config.nixos.system) networking;
+    in
     {
-      networking.hostName = networking.hostname;
+      networking =
+      {
+        networkmanager =
+        {
+          enable = true;
+          # let networkmanager ignore the kernel command line `ip=xxx`
+          extraConfig =
+          ''
+            [device]
+            keep-configuration=no
+          '';
+        };
+        hostName = networking.hostname;
+      };
       boot.kernel.sysctl =
       {
         "net.core.rmem_max" = 67108864;
@@ -52,88 +44,5 @@ inputs:
         "net.bridge.bridge-nf-call-ip6tables" = false;
         "net.bridge.bridge-nf-call-arptables" = false;
       };
-    }
-    # networkManager
-    (inputs.lib.mkIf networking.networkManager.enable
-    {
-      networking.networkmanager =
-      {
-        enable = true;
-        # let networkmanager ignore the kernel command line `ip=xxx`
-        extraConfig =
-        ''
-          [device]
-          keep-configuration=no
-        '';
-      };
-      environment.persistence."${inputs.config.nixos.system.impermanence.persistence}".directories =
-        [{ directory = "/etc/NetworkManager/system-connections"; mode = "0700"; }];
-    })
-    # networkd
-    (inputs.lib.mkIf (networking.networkd != null)
-    {
-      systemd.network =
-      {
-        enable = true;
-        networks = builtins.listToAttrs
-        (
-          (builtins.map
-            (network:
-            {
-              name = "10-${network.ssid}";
-              value =
-              {
-                matchConfig.Name = network.ssid;
-                networkConfig = { DHCP = "yes"; IPv6AcceptRA = true; };
-                linkConfig.RequiredForOnline = "routable";
-              };
-            })
-            networking.networkd.dhcp)
-          ++ (builtins.map
-            (network:
-            {
-              name = "10-${network.name}";
-              value =
-              {
-                matchConfig.Name = network.name;
-                address = [ "${network.ip}/${builtins.toString network.mask}" ];
-                routes = [{ routeConfig.Gateway = network.gateway; }];
-                linkConfig.RequiredForOnline = "routable";
-              };
-            })
-            (inputs.localLib.attrsToList networking.networkd.static))
-        );
-      };
-      networking =
-      {
-        networkmanager.unmanaged = with networking.networkd; dhcp ++ (builtins.attrNames static);
-        useNetworkd = true;
-      };
-    })
-    # wpa_supplicant
-    (inputs.lib.mkIf (networking.wireless != [])
-    {
-      networking.wireless =
-      {
-        enable = true;
-        networks = builtins.listToAttrs (builtins.map
-          (network:
-          {
-            name = network;
-            value.psk = "@${builtins.hashString "md5" network}_PSK@";
-          })
-          networking.wireless);
-        environmentFile = inputs.config.sops.templates."wireless.env".path;
-      };
-      sops =
-      {
-        templates."wireless.env".content = builtins.concatStringsSep "\n" (builtins.map
-          (network: "${builtins.hashString "md5" network}_PSK=${inputs.config.sops.placeholder."wireless/${network}"}")
-          networking.wireless);
-        secrets = builtins.listToAttrs (builtins.map
-          (network: { name = "wireless/${network}"; value = {}; })
-          networking.wireless);
-      };
-    })
-  ];
+    };
 }

modules/system/nix.nix

@@ -7,19 +7,6 @@ inputs:
     includeBuildDependencies = mkOption { type = types.bool; default = inputs.topInputs.self.config.archive; };
     substituters = mkOption { type = types.nullOr (types.listOf types.nonEmptyStr); default = null; };
     autoOptimiseStore = mkOption { type = types.bool; default = false; };
-    remote =
-    {
-      slave =
-      {
-        enable = mkOption { type = types.bool; default = false; };
-        mandatoryFeatures = mkOption { type = types.listOf types.nonEmptyStr; default = [ "big-parallel" ]; };
-      };
-      master =
-      {
-        enable = mkOption { type = types.bool; default = false; };
-        hosts = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
-      };
-    };
   };
   config = let inherit (inputs.config.nixos.system) nix; in inputs.lib.mkMerge
   [
@@ -32,7 +19,6 @@ inputs:
         keep-failed = true;
         max-substitution-jobs = 4;
         trusted-public-keys = [ "chn:Cc+nowW1LIpe1kyXOZmNaznFDiH1glXmpb4A+WD/DTE=" ];
-        trusted-users = [ "@wheel" ];
         show-trace = true;
         max-jobs = 4;
         cores = 0;
@@ -79,66 +65,20 @@ inputs:
             (with inputs.config.nixos.system.nixpkgs; if march == null then [] else [ march ])
           else nix.marches
         ))
-      ++ (with inputs.config.nixos.system.nixpkgs; if march == null then [] else [ "gccarch-exact-${march}" ]);
+      ++ (with inputs.config.nixos.system.nixpkgs; if march == null then [] else [ "nvhpcarch-${march}" ]);
     }
     # includeBuildDependencies
-    (inputs.lib.mkIf nix.includeBuildDependencies
     {
       system.includeBuildDependencies = nix.includeBuildDependencies;
-    })
+    }
     # substituters
     {
       nix.settings.substituters = if nix.substituters == null then [ "https://cache.nixos.org/" ] else nix.substituters;
     }
     # autoOptimiseStore
-    (inputs.lib.mkIf nix.autoOptimiseStore
     {
       nix.settings.auto-optimise-store = nix.autoOptimiseStore;
-    })
-    # remote.slave
-    (inputs.lib.mkIf nix.remote.slave.enable
-    {
-      nix =
-      {
-        sshServe =
-        {
-          enable = true;
-          keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAdUiHbT1Vs++5L0OPaMtYG7Wa0ejbJs2KBZ4QAspM4n nix-ssh@pc" ];
-          write = true;
-          protocol = "ssh-ng";
-        };
-        settings.trusted-users = [ "nix-ssh" ];
-      };
-    })
-    # remote.master
-    (inputs.lib.mkIf nix.remote.master.enable
-    {
-      assertions = builtins.map
-        (host: 
-        {
-          assertion = inputs.topInputs.self.nixosConfigurations.${host}.config.nixos.system.nix.remote.slave.enable; 
-          message = "remote.slave.enable is not set for ${host}";
-        })
-        nix.remote.master.hosts;
-      nix =
-      {
-        distributedBuilds = true;
-        buildMachines = builtins.map
-          (host: let hostConfig = inputs.topInputs.self.nixosConfigurations.${host}.config; in
-          {
-            hostName = host;
-            protocol = "ssh-ng";
-            systems = [ "x86_64-linux" ] ++ hostConfig.nix.settings.extra-platforms;
-            sshUser = "nix-ssh";
-            sshKey = inputs.config.sops.secrets."nix/remote".path;
-            maxJobs = 1;
-            inherit (hostConfig.nixos.system.nix.remote.slave) mandatoryFeatures;
-            supportedFeatures = hostConfig.nix.settings.system-features;
-          })
-          nix.remote.master.hosts;
-      };
-      sops.secrets."nix/remote" = {};
-    })
+    }
     # c++ include path
     # environment.pathsToLink = [ "/include" ];
     # environment.variables.CPATH = "/run/current-system/sw/include";

modules/system/nixpkgs.nix

@@ -33,6 +33,7 @@ inputs:
               { cudaCapabilities = nixpkgs.cuda.capabilities; })
             // (inputs.lib.optionalAttrs (nixpkgs.cuda.forwardCompat != null)
               { cudaForwardCompat = nixpkgs.cuda.forwardCompat; })
+            // (inputs.lib.optionalAttrs (nixpkgs.march != null) { nvhpcArch = nixpkgs.march; })
           );
         in
         {
@@ -44,13 +45,8 @@ inputs:
               (filter (package: inputs.pkgs ? ${package}) permittedInsecurePackages);
             allowUnfree = true;
             qchem-config = { optArch = nixpkgs.march; useCuda = nixpkgs.cuda.enable; };
-          }
-          // (if nixpkgs.march == null then {} else
-          {
-            oneapiArch = let match = { znver3 = "CORE-AVX2"; znver4 = "CORE-AVX512"; };
-              in match.${nixpkgs.march} or nixpkgs.march;
-            nvhpcArch = nixpkgs.march;
-          });
+            oneapiArch = mkIf (nixpkgs.march != null) nixpkgs.march;
+          };
           overlays =
           [(final: prev:
             let

modules/system/security.nix

@@ -31,14 +31,8 @@ inputs:
           ]);
         };
         yubico = { enable = true; id = "91291"; };
-        loginLimits =
-        [
-          { domain = "@users"; item = "nofile"; value = 65536; }
-          { domain = "@users"; item = "stack"; value = "unlimited"; }
-        ];
       };
       sudo.extraConfig = "Defaults pwfeedback";
     };
-    systemd.user.extraConfig = "DefaultLimitNOFILE=65536:524288";
   };
 }

modules/system/user.nix

@@ -0,0 +1,41 @@
+inputs:
+{
+  options.nixos.system.user = let inherit (inputs.lib) mkOption types; in
+  {
+    user = mkOption
+    {
+      type = types.attrsOf types.ints.unsigned;
+      readOnly = true;
+      default =
+      {
+        chn = 1000;
+        xll = 1001;
+        yjq = 1002;
+        yxy = 1003;
+        zem = 1004;
+        gb = 1005;
+        test = 1006;
+        misskey-misskey = 2000;
+        misskey-misskey-old = 2001;
+        frp = 2002;
+        mirism = 2003;
+        httpapi = 2004;
+        httpua = 2005;
+        rsshub = 2006;
+        v2ray = 2007;
+        fz-new-order = 2008;
+        synapse-synapse = 2009;
+        synapse-matrix = 2010;
+      };
+    };
+    group = mkOption
+    {
+      type = types.attrsOf types.ints.unsigned;
+      readOnly = true;
+      default = inputs.config.nixos.system.user.user //
+      {
+        groupshare = 3000;
+      };
+    };
+  };
+}

modules/user/chn/default.nix

@@ -1,82 +0,0 @@
-inputs:
-{
-  imports = inputs.localLib.mkModules (inputs.localLib.findModules ./.);
-  config =
-    let
-      inherit (inputs.lib) mkIf;
-      inherit (inputs.config.nixos) user;
-      inherit (builtins) listToAttrs;
-    in mkIf (builtins.elem "chn" user.users)
-    {
-      users.users.chn =
-      {
-        extraGroups = inputs.lib.intersectLists
-          [ "adbusers" "networkmanager" "wheel" "wireshark" "libvirtd" ]
-          (builtins.attrNames inputs.config.users.groups);
-        autoSubUidGidRange = true;
-        hashedPassword = "$y$j9T$xJwVBoGENJEDSesJ0LfkU1$VEExaw7UZtFyB4VY1yirJvl7qS7oiF49KbEBrV0.hhC";
-        openssh.authorizedKeys.keys = [(builtins.readFile ./id_ed25519_sk.pub)];
-      };
-      home-manager.users.chn =
-      {
-        config =
-        {
-          programs =
-          {
-            git = { userName = "chn"; userEmail = "chn@chn.moe"; };
-            ssh.matchBlocks =
-            {
-              # identityFile = "~/.ssh/xmuhk_id_rsa";
-              xmuhk = { host = "xmuhk"; hostname = "10.26.14.56"; user = "xmuhk"; };
-              xmuhk2 = { host = "xmuhk2"; hostname = "183.233.219.132"; user = "xmuhk"; port = 62022; };
-            }
-            // (listToAttrs (map
-              (system: { name = system; value.forwardAgent = true; })
-              [
-                "vps6" "wireguard.vps6" "vps7" "wireguard.vps7" "wireguard.pc" "nas" "wireguard.nas"
-                "wireguard.surface" "xmupc1" "wireguard.xmupc1" "xmupc2" "wireguard.xmupc2"
-              ]));
-          };
-          home =
-          {
-            file.groupshare.enable = false;
-            packages =
-            [
-              (
-                let
-                  servers = builtins.filter
-                    (system: system.value.enable)
-                    (builtins.map
-                      (system:
-                      {
-                        name = system.config.nixos.system.networking.hostname;
-                        value = system.config.nixos.system.fileSystems.decrypt.manual;
-                      })
-                      (builtins.attrValues inputs.topInputs.self.nixosConfigurations));
-                  cat = "${inputs.pkgs.coreutils}/bin/cat";
-                  gpg = "${inputs.pkgs.gnupg}/bin/gpg";
-                  ssh = "${inputs.pkgs.openssh}/bin/ssh";
-                in inputs.pkgs.writeShellScriptBin "remote-decrypt" (builtins.concatStringsSep "\n"
-                  (
-                    (builtins.map (system: builtins.concatStringsSep "\n"
-                      [
-                        "decrypt-${system.name}() {"
-                        "  key=$(${cat} ${system.value.keyFile} | ${gpg} --decrypt)"
-                        (builtins.concatStringsSep "\n" (builtins.map
-                          (device: "  echo $key | ${ssh} root@initrd.${system.name}.chn.moe cryptsetup luksOpen "
-                            + (if device.value.ssd then "--allow-discards " else "")
-                            + "${device.name} ${device.value.mapper} -")
-                          (inputs.localLib.attrsToList system.value.devices)))
-                        "}"
-                      ])
-                      servers)
-                    ++ [ "decrypt-$1" ]
-                  ))
-              )
-            ];
-          };
-          pam.yubico.authorizedYubiKeys.ids = [ "cccccbgrhnub" ];
-        };
-      };
-    };
-}

modules/user/chn/id_ed25519_sk.pub

@@ -1 +0,0 @@
-sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEU/JPpLxsk8UWXiZr8CPNG+4WKFB92o1Ep9OEstmPLzAAAABHNzaDo= chn@pc

modules/user/chn/id_rsa.pub

@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXlhoouWG+arWJz02vBP/lxpG2tUjx8jhGBnDeNyMu0OtGcnHMAWcb3YDP0A2XJIVFBCCZMM2REwnSNbHRSCl1mTdRbelfjA+7Jqn1wnrDXkAOG3S8WYXryPGpvavu6lgW7p+dIhGiTLWwRbFH+epFTn1hZ3A1UofVIWTOPdoOnx6k7DpQtIVMWiIXLg0jIkOZiTMr3jKfzLMBAqQ1xbCV2tVwbEY02yxxyxIznbpSPReyn1RDLWyqqLRd/oqGPzzhEXNGNAZWnSoItkYq9Bxh2AvMBihiTir3FEVPDgDLtS5LUpM93PV1yTr6JyCPAod9UAxpfBYzHKse0KCQFoZH chn@chn-PC

modules/user/chn/plasma/default.nix

@@ -1,4 +0,0 @@
-inputs:
-{
-  imports = inputs.localLib.mkModules (inputs.localLib.findModules ./.);
-}

modules/user/default.nix

@@ -1,169 +0,0 @@
-inputs:
-{
-  imports = inputs.localLib.mkModules (inputs.localLib.findModules ./.);
-  options.nixos.user = let inherit (inputs.lib) mkOption types; in
-  {
-    users = mkOption { type = types.listOf types.nonEmptyStr; default = [ "chn" ]; };
-    sharedModules = mkOption { type = types.listOf types.anything; default = []; };
-    uid = mkOption
-    {
-      type = types.attrsOf types.ints.unsigned;
-      readOnly = true;
-      default =
-      {
-        chn = 1000;
-        xll = 1001;
-        yjq = 1002;
-        yxy = 1003;
-        zem = 1004;
-        gb = 1005;
-        test = 1006;
-        misskey-misskey = 2000;
-        misskey-misskey-old = 2001;
-        frp = 2002;
-        mirism = 2003;
-        httpapi = 2004;
-        httpua = 2005;
-        rsshub = 2006;
-        v2ray = 2007;
-        fz-new-order = 2008;
-        synapse-synapse = 2009;
-        synapse-matrix = 2010;
-      };
-    };
-    gid = mkOption
-    {
-      type = types.attrsOf types.ints.unsigned;
-      readOnly = true;
-      default = inputs.config.nixos.user.uid //
-      {
-        groupshare = 3000;
-      };
-    };
-  };
-  config = let inherit (inputs.config.nixos) user; in inputs.lib.mkMerge
-  [
-    {
-      users =
-      {
-        users = builtins.listToAttrs (builtins.map
-          (userName:
-          {
-            name = userName;
-            value =
-            {
-              uid = user.uid.${userName};
-              group = userName;
-              isNormalUser = true;
-              shell = inputs.pkgs.zsh;
-              extraGroups = inputs.lib.intersectLists [ "users" "video" "audio" ]
-                (builtins.attrNames inputs.config.users.groups);
-              # ykman fido credentials list
-              # ykman fido credentials delete f2c1ca2d
-              # ssh-keygen -t ed25519-sk -O resident
-              # ssh-keygen -K
-              openssh.authorizedKeys.keys =
-                let
-                  keys = [ "rsa" "ed25519" "ed25519_sk" ];
-                  getKey = user: key: inputs.lib.optional (builtins.pathExists ./${user}/id_${key}.pub)
-                    (builtins.readFile ./${user}/id_${key}.pub);
-                in inputs.lib.mkDefault (builtins.concatLists (builtins.map (key: getKey userName key) keys));
-            };
-          })
-          user.users);
-        groups = builtins.listToAttrs (builtins.map
-          (name: { inherit name; value.gid = user.gid.${name}; })
-          user.users);
-      };
-      home-manager.users = builtins.listToAttrs (builtins.map
-        (name: { inherit name; value.imports = user.sharedModules; })
-        user.users);
-      environment.persistence."${inputs.config.nixos.system.impermanence.persistence}".directories = builtins.map
-        (user: { directory = "/home/${user}"; inherit user; group = user; mode = "0700"; })
-        user.users;
-      nixos.user.sharedModules =
-      [{
-        config.home.file =
-        {
-          ".config/.keep".text = "";
-          ".local/.keep".text = "";
-          ".local/share/.keep".text = "";
-          ".local/state/.keep".text = "";
-        };
-      }];
-    }
-    # set hashedPassword if it exist in secrets
-    (
-      let
-        secrets = inputs.pkgs.localPackages.fromYaml (builtins.readFile inputs.config.sops.defaultSopsFile);
-        hashedPasswordExist = userName: (secrets ? users) && ((secrets.users or {}) ? ${userName});
-      in
-      {
-        users.users = builtins.listToAttrs (builtins.map
-          (name: { inherit name; value.hashedPasswordFile = inputs.config.sops.secrets."users/${name}".path; })
-          (builtins.filter (user: hashedPasswordExist user) user.users));
-        sops.secrets = builtins.listToAttrs (builtins.map
-          (name: { name = "users/${name}"; value.neededForUsers = true; })
-          (builtins.filter (user: hashedPasswordExist user) user.users));
-      }
-    )
-    {
-      users.users.root =
-      {
-        shell = inputs.pkgs.zsh;
-        openssh.authorizedKeys.keys = [(builtins.readFile ./chn/id_ed25519_sk.pub)];
-        hashedPassword = "$y$j9T$.UyKKvDnmlJaYZAh6./rf/$65dRqishAiqxCE6LEMjqruwJPZte7uiyYLVKpzdZNH5";
-      };
-      home-manager.users.root =
-      {
-        imports = user.sharedModules;
-        config.programs.git =
-          { extraConfig.core.editor = inputs.lib.mkForce "vim"; userName = "chn"; userEmail = "chn@chn.moe"; };
-      };
-    }
-    (inputs.lib.mkIf (builtins.elem "test" user.users) { users.users.test.password = "test"; })
-  ];
-}
-
-# environment.persistence."/impermanence".users.chn =
-# {
-#   directories =
-#   [
-#     "Desktop"
-#     "Documents"
-#     "Downloads"
-#     "Music"
-#     "repo"
-#     "Pictures"
-#     "Videos"
-
-#     ".cache"
-#     ".config"
-#     ".gnupg"
-#     ".local"
-#     ".ssh"
-#     ".android"
-#     ".exa"
-#     ".gnome"
-#     ".Mathematica"
-#     ".mozilla"
-#     ".pki"
-#     ".steam"
-#     ".tcc"
-#     ".vim"
-#     ".vscode"
-#     ".Wolfram"
-#     ".zotero"
-
-#   ];
-#   files =
-#   [
-#     ".bash_history"
-#     ".cling_history"
-#     ".gitconfig"
-#     ".gtkrc-2.0"
-#     ".root_hist"
-#     ".viminfo"
-#     ".zsh_history"
-#   ];
-# };

modules/users/chn/default.nix

@@ -0,0 +1,93 @@
+inputs:
+{
+  imports = inputs.localLib.mkModules [ ./plasma ];
+  config =
+    let
+      inherit (inputs.lib) mkIf;
+      inherit (inputs.config.nixos) users;
+      inherit (builtins) listToAttrs;
+    in mkIf (builtins.elem "chn" users.users)
+    {
+      users.users.chn =
+      {
+        extraGroups = inputs.lib.intersectLists
+          [ "users" "adbusers" "networkmanager" "wheel" "wireshark" "libvirtd" "video" "audio" "groupshare" ]
+          (builtins.attrNames inputs.config.users.groups);
+        shell = inputs.pkgs.zsh;
+        autoSubUidGidRange = true;
+        hashedPassword = "$y$j9T$xJwVBoGENJEDSesJ0LfkU1$VEExaw7UZtFyB4VY1yirJvl7qS7oiF49KbEBrV0.hhC";
+        openssh.authorizedKeys.keys =
+        [
+          # ykman fido credentials list
+          # ykman fido credentials delete f2c1ca2d
+          # ssh-keygen -t ed25519-sk -O resident
+          # ssh-keygen -K
+          (builtins.concatStringsSep " "
+          [
+            "sk-ssh-ed25519@openssh.com"
+            "AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEU/JPpLxsk8UWXiZr8CPNG+4WKFB92o1Ep9OEstmPLzAAAABHNzaDo="
+            "chn@pc"
+          ])
+        ];
+      };
+      home-manager.users.chn =
+      {
+        imports = users.sharedModules;
+        config =
+        {
+          programs =
+          {
+            git = { userName = "chn"; userEmail = "chn@chn.moe"; };
+            ssh.matchBlocks =
+            {
+              # identityFile = "~/.ssh/xmuhk_id_rsa";
+              xmuhk = { host = "xmuhk"; hostname = "10.26.14.56"; user = "xmuhk"; };
+              xmuhk2 = { host = "xmuhk2"; hostname = "183.233.219.132"; user = "xmuhk"; port = 62022; };
+            }
+            // (listToAttrs (map
+              (system: { name = system; value.forwardAgent = true; })
+              [
+                "vps6" "wireguard.vps6" "vps7" "wireguard.vps7" "wireguard.pc" "nas" "wireguard.nas"
+                "wireguard.surface" "xmupc1" "wireguard.xmupc1" "xmupc2" "wireguard.xmupc2"
+              ]));
+          };
+          home.packages =
+          [
+            (
+              let
+                servers = builtins.filter
+                  (system: system.value.enable)
+                  (builtins.map
+                    (system:
+                    {
+                      name = system.config.nixos.system.networking.hostname;
+                      value = system.config.nixos.system.fileSystems.decrypt.manual;
+                    })
+                    (builtins.attrValues inputs.topInputs.self.nixosConfigurations));
+                cat = "${inputs.pkgs.coreutils}/bin/cat";
+                gpg = "${inputs.pkgs.gnupg}/bin/gpg";
+                ssh = "${inputs.pkgs.openssh}/bin/ssh";
+              in inputs.pkgs.writeShellScriptBin "remote-decrypt" (builtins.concatStringsSep "\n"
+                (
+                  (builtins.map (system: builtins.concatStringsSep "\n"
+                    [
+                      "decrypt-${system.name}() {"
+                      "  key=$(${cat} ${system.value.keyFile} | ${gpg} --decrypt)"
+                      (builtins.concatStringsSep "\n" (builtins.map
+                        (device: "  echo $key | ${ssh} root@initrd.${system.name}.chn.moe cryptsetup luksOpen "
+                          + (if device.value.ssd then "--allow-discards " else "")
+                          + "${device.name} ${device.value.mapper} -")
+                        (inputs.localLib.attrsToList system.value.devices)))
+                      "}"
+                    ])
+                    servers)
+                  ++ [ "decrypt-$1" ]
+                ))
+            )
+          ];
+          pam.yubico.authorizedYubiKeys.ids = [ "cccccbgrhnub" ];
+        };
+      };
+      nixos.services.groupshare.mountPoints = [ "/home/chn/groupshare" ];
+    };
+}

modules/users/chn/plasma/default.nix

@@ -0,0 +1,4 @@
+inputs:
+{
+  imports = inputs.localLib.mkModules [ ./autostart.nix ./wallpaper ./shortcuts.nix ./theme.nix ];
+}