add znver4 support

This reverts commit 3867469fc5.

flake.lock

@@ -1124,11 +1124,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1702811583,
+        "lastModified": 1704292225,
-        "narHash": "sha256-QKifzSH6PSxuCdn+qJsYdQ5uomwX2UCnxxFTj/ONAJ8=",
+        "narHash": "sha256-UVLp373pJ9AbsG1+aiwvPQRG3lJSjNLLGUIsflgWL/0=",
         "owner": "CHN-beta",
         "repo": "nixpkgs",
-        "rev": "e8dff8ee0ef5f66f7044f3e4a4d13b6b7269f264",
+        "rev": "38bebe0e71de109725f1dbbfa8e4922e7b4095b3",
         "type": "github"
       },
       "original": {
@@ -1140,11 +1140,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1702811556,
+        "lastModified": 1704292168,
-        "narHash": "sha256-jyHGQzmgFqlVoqpTz7bVXnbn1PHul7i4ORhSBu5xKKs=",
+        "narHash": "sha256-a2qeYhRSd7RFxyn52L/K0+rsKb7/HyMquHwzIsToCC4=",
         "owner": "CHN-beta",
         "repo": "nixpkgs",
-        "rev": "6d4bfbee38915ba83d8c6a1c2740f60153e6835c",
+        "rev": "2d0e9eed1f0daef1fbc4791d6912a9fbc5b0be62",
         "type": "github"
       },
       "original": {

flake.nix

@@ -111,14 +111,16 @@
                     "znver2" "znver3"
                     # CX16 SAHF FXSR HLE RDSEED
                     "broadwell"
+                    "znver4"
                   ];
                   keepOutputs = true;
                 };
                 nixpkgs =
                   { march = "alderlake"; cuda = { enable = true; capabilities = [ "8.6" ]; forwardCompat = false; }; };
-                kernel.patches = [ "cjktty" ];
+                kernel.patches = [ "cjktty" "lantian" ];
                 impermanence.enable = true;
                 networking.hostname = "pc";
+                sysctl.laptop-mode = 5;
               };
               hardware =
               {
@@ -201,8 +203,8 @@
               };
               bugs =
               [
-                "intel-hdmi" "suspend-hibernate-no-platform" "hibernate-iwlwifi" "suspend-lid-no-wakeup" "xmunet"
+                "suspend-hibernate-no-platform" "hibernate-iwlwifi" "suspend-lid-no-wakeup" "xmunet"
-                "suspend-hibernate-waydroid" "acpi"
+                "suspend-hibernate-waydroid" "power"
               ];
             };
             vps6 =
@@ -255,7 +257,10 @@
                     [ "nix-store" "xn--qbtm095lrg0bfka60z" ]))
                   // (builtins.listToAttrs (builtins.map
                     (site: { name = "${site}.chn.moe"; value.upstream.address = "wireguard.vps7.chn.moe"; })
-                    [ "xn--s8w913fdga" "misskey" "synapse" "send" "kkmeeting" "api" "git" "grafana" ]));
+                    [
+                      "xn--s8w913fdga" "misskey" "synapse" "syncv3.synapse" "matrix" "syncv3.matrix"
+                      "send" "kkmeeting" "api" "git" "grafana"
+                    ]));
                   applications =
                   {
                     element.instances."element.chn.moe" = {};
@@ -324,7 +329,11 @@
                   misskey.hostname = "xn--s8w913fdga.chn.moe";
                   misskey-old = { port = 9727; redis.port = 3546; meilisearch.enable = false; };
                 };
-                synapse.instances.synapse.matrixHostname = "synapse.chn.moe";
+                synapse.instances =
+                {
+                  synapse.matrixHostname = "synapse.chn.moe";
+                  matrix = { port = 8009; redisPort = 6380; slidingSyncPort = 9001; };
+                };
                 xrdp = { enable = true; hostname = [ "vps7.chn.moe" ]; };
                 vaultwarden.enable = true;
                 beesd = { enable = true; instances.root = { device = "/"; hashTableSizeMB = 1024; }; };
@@ -348,7 +357,6 @@
                   wireguardIp = "192.168.83.2";
                   externalIp = "95.111.228.40";
                 };
-                akkoma.enable = true;
               };
             };
             nas =

local/pkgs/default.nix

@@ -4,7 +4,7 @@
   vesta = callPackage ./vesta {};
   oneapi = callPackage ./oneapi {};
   rsshub = callPackage ./rsshub {};
-  misskey = callPackage ./misskey {};
+  misskey = callPackage ./misskey { nodejs = nodejs_21; };
   mk-meili-mgn = callPackage ./mk-meili-mgn {};
   # vasp = callPackage ./vasp
   # {

local/pkgs/misskey/default.nix

@@ -1,95 +1,45 @@
 {
-  lib, stdenv, mkPnpmPackage, fetchFromGitHub, fetchurl, nodejs_20, writeShellScript, buildFHSEnv,
+  lib, stdenv, mkPnpmPackage, fetchFromGitHub, fetchurl, nodejs, writeShellScript, buildFHSEnv,
   bash, cypress, vips, pkg-config
 }:
 let
   pname = "misskey";
-  version = "2023.11.1";
+  version = "2023.12.2";
   src = fetchFromGitHub
   {
     owner = "CHN-beta";
     repo = "misskey";
-    rev = "1e5134816cc23600a0448a62b34aadfe573c3bbc";
+    rev = "cd1d0ab06eb6b7e06afdfae9a12b2d2829564229";
-    sha256 = "ihkFVTpwEELmxAw4Lw01pWr8j6u2oLpfcw3laVUFCO4=";
+    hash = "sha256-sKEZ1ZpyA/02CNwiOMIOS5f/csx6ELDwCVJYc+oMChM=";
     fetchSubmodules = true;
   };
   originalPnpmPackage = mkPnpmPackage
   {
-    inherit pname version src;
+    inherit pname version src nodejs;
-    nodejs = nodejs_20;
     copyPnpmStore = true;
   };
   startScript = writeShellScript "misskey"
   ''
-    export PATH=${lib.makeBinPath [ bash nodejs_20 nodejs_20.pkgs.pnpm nodejs_20.pkgs.gulp cypress ]}:$PATH
+    export PATH=${lib.makeBinPath [ bash nodejs nodejs.pkgs.pnpm nodejs.pkgs.gulp cypress ]}:$PATH
     export CYPRESS_RUN_BINARY="${cypress}/bin/Cypress"
     export NODE_ENV=production
     pnpm run migrateandstart
   '';
-  re2 = stdenv.mkDerivation rec
-  {
-    pname = "re2";
-    version = "1.20.8";
-    srcs =
-    [
-      (fetchurl
-      {
-        url = "https://github.com/uhop/node-re2/releases/download/1.20.8/linux-x64-120.br";
-        sha256 = "0f2l658xxc2112mbqpkyfic3vhjgdyafbfi14b6n40skyd6lijcq";
-      })
-      (fetchurl
-      {
-        url = "https://github.com/uhop/node-re2/releases/download/1.20.8/linux-x64-120.gz";
-        sha256 = "1v5n8i16188xpwx1jr8gcc1a99v83hlbh5hldl4i376vh0lwsxlq";
-      })
-      (fetchurl
-      {
-        url = "https://github.com/uhop/node-re2/releases/download/1.20.8/linux-x64-115.br";
-        sha256 = "0cyqmgqk5cwik27wh4ynaf94v4w6p1fsavm07xh8xfmdim2sr9kd";
-      })
-      (fetchurl
-      {
-        url = "https://github.com/uhop/node-re2/releases/download/1.20.8/linux-x64-115.gz";
-        sha256 = "0i3iykw13d5qfd5s6pq6kx6cbd64vfb3w65f9bnj87qz44la84ic";
-      })
-      (fetchurl
-      {
-        url = "https://github.com/uhop/node-re2/releases/download/1.20.8/linux-x64-108.br";
-        sha256 = "1467frfapqhi839r2v0p0wh76si3lihwzwgl9098mj7mwhjfl4lx";
-      })
-      (fetchurl
-      {
-        url = "https://github.com/uhop/node-re2/releases/download/1.20.8/linux-x64-108.gz";
-        sha256 = "0hykpqdrn55x83v1kzz6bdvrp24hgz3rwmwbdfl2saz576krzg1c";
-      })
-    ];
-    phases = [ "installPhase" ];
-    installPhase =
-    ''
-      mkdir -p $out/${version}
-      for i in $srcs
-      do
-        cp $i $out/${version}/''${i#*-}
-      done
-    '';
-  };
 in
   stdenv.mkDerivation rec
   {
     inherit version src pname;
     buildInputs =
     [
-      bash nodejs_20 nodejs_20.pkgs.typescript nodejs_20.pkgs.pnpm nodejs_20.pkgs.gulp cypress vips pkg-config
+      bash nodejs nodejs.pkgs.typescript nodejs.pkgs.pnpm nodejs.pkgs.gulp cypress vips pkg-config
     ];
     nativeBuildInputs = buildInputs;
     CYPRESS_RUN_BINARY = "${cypress}/bin/Cypress";
     NODE_ENV = "production";
-    RE2_DOWNLOAD_MIRROR = "${re2}";
-    RE2_DOWNLOAD_SKIP_PATH = "true";
     configurePhase =
     ''
       export HOME=$NIX_BUILD_TOP # Some packages need a writable HOME
-      export npm_config_nodedir=${nodejs_20}
+      export npm_config_nodedir=${nodejs}
 
       runHook preConfigure
 
@@ -121,6 +71,6 @@ in
     '';
     passthru =
     {
-      inherit originalPnpmPackage startScript re2;
+      inherit originalPnpmPackage startScript;
     };
   }

modules/bugs/default.nix

@@ -5,8 +5,6 @@ inputs:
     inherit (inputs.lib) mkMerge mkIf mkOption types;
     bugs =
     {
-      # intel i915 hdmi
-      intel-hdmi.boot.kernelPatches = [{ name = "intel-hdmi"; patch = ./intel-hdmi.patch; }];
       # suspend & hibernate do not use platform
       suspend-hibernate-no-platform.systemd.sleep.extraConfig =
       ''
@@ -80,7 +78,7 @@ inputs:
           };
         };
       firefox.programs.firefox.enable = inputs.lib.mkForce false;
-      acpi.boot.kernelParams = [ ''acpi_osi="Windows 2022"'' ];
+      power.boot.kernelParams = [ "cpufreq.default_governor=powersave" ];
     };
   in
     {

modules/bugs/intel-hdmi.patch

@@ -1,14 +0,0 @@
-diff --git a/drivers/gpu/drm/i915/display/intel_bios.c b/drivers/gpu/drm/i915/display/intel_bios.c
-index 55544d484318..d6f257f8fd14 100644
---- a/drivers/gpu/drm/i915/display/intel_bios.c
-+++ b/drivers/gpu/drm/i915/display/intel_bios.c
-@@ -2708,7 +2708,7 @@ static void parse_ddi_port(struct intel_bios_encoder_data *devdata)
- 	if (i915->display.vbt.ports[port]) {
- 		drm_dbg_kms(&i915->drm,
- 			    "More than one child device for port %c in VBT, using the first.\n",
- 			    port_name(port));
--		return;
-+		// return;
- 	}
- 
- 	sanitize_device_type(devdata, port);

modules/packages/desktop-fat/default.nix

@@ -3,6 +3,7 @@ inputs:
   imports = inputs.localLib.mkModules
   [
     ./chromium.nix
+    ./steam.nix
   ];
   config =
     let
@@ -42,6 +43,6 @@ inputs:
           ] ++ (with inputs.lib; filter isDerivation (attrValues plasma5Packages.kdeGear));
         };
       };
-      programs = { steam.enable = true; kdeconnect.enable = true; };
+      programs.kdeconnect.enable = true;
     };
 }

modules/packages/desktop-fat/steam.nix

@@ -0,0 +1,23 @@
+inputs:
+{
+  config =
+    let
+      inherit (inputs.lib) mkIf;
+    in mkIf (builtins.elem "desktop-fat" inputs.config.nixos.packages._packageSets)
+    {
+      programs.steam =
+      {
+        enable = true;
+        package = inputs.pkgs.steam.override (prev:
+        {
+          steam = prev.steam.overrideAttrs (prev:
+          {
+            postInstall = prev.postInstall +
+            ''
+              sed -i 's#Comment\[zh_CN\]=.*$#Comment\[zh_CN\]=思题慕®学习平台#' $out/share/applications/steam.desktop
+            '';
+          });
+        });
+      };
+    };
+}

modules/packages/desktop/default.nix

@@ -19,6 +19,7 @@ inputs:
           mpv nomacs
           # themes
           tela-circle-icon-theme
+          firefoxpwa
         ];
         users.sharedModules =
         [{
@@ -33,7 +34,12 @@ inputs:
       {
         adb.enable = true;
         wireshark = { enable = true; package = inputs.pkgs.wireshark; };
-        firefox = { enable = true; languagePacks = [ "zh-CN" "en-US" ]; };
+        firefox =
+        {
+          enable = true;
+          languagePacks = [ "zh-CN" "en-US" ];
+          nativeMessagingHosts.packages = [ inputs.pkgs.firefoxpwa ];
+        };
         vim.package = inputs.pkgs.vim-full;
       };
       nixpkgs.config.packageOverrides = pkgs: 

modules/packages/server/default.nix

@@ -3,6 +3,8 @@ inputs:
   imports = inputs.localLib.mkModules
   [
     ./ssh
+    ./zsh
+    ./gpg.nix
   ];
   config =
     let
@@ -47,70 +49,13 @@ inputs:
             # office
             todo-txt-cli
             # development
-            gdb try inputs.topInputs.plasma-manager.packages.x86_64-linux.rc2nix
+            gdb try inputs.topInputs.plasma-manager.packages.x86_64-linux.rc2nix hexo-cli
           ] ++ (with inputs.config.boot.kernelPackages; [ cpupower usbip ]);
         };
         users.sharedModules = [(home-inputs:
         {
           config.programs =
           {
-            zsh =
-            {
-              enable = true;
-              initExtraBeforeCompInit =
-              ''
-                # p10k instant prompt
-                P10K_INSTANT_PROMPT="$XDG_CACHE_HOME/p10k-instant-prompt-''${(%):-%n}.zsh"
-                [[ ! -r "$P10K_INSTANT_PROMPT" ]] || source "$P10K_INSTANT_PROMPT"
-                HYPHEN_INSENSITIVE="true"
-                export PATH=~/bin:$PATH
-                function br
-                {
-                  local cmd cmd_file code
-                  cmd_file=$(mktemp)
-                  if broot --outcmd "$cmd_file" "$@"; then
-                    cmd=$(<"$cmd_file")
-                    command rm -f "$cmd_file"
-                    eval "$cmd"
-                  else
-                    code=$?
-                    command rm -f "$cmd_file"
-                    return "$code"
-                  fi
-                }
-                alias todo="todo.sh"
-              '';
-              plugins =
-              [
-                {
-                  file = "powerlevel10k.zsh-theme";
-                  name = "powerlevel10k";
-                  src = "${inputs.pkgs.zsh-powerlevel10k}/share/zsh-powerlevel10k";
-                }
-                {
-                  file = "p10k.zsh";
-                  name = "powerlevel10k-config";
-                  src = ./p10k-config;
-                }
-                {
-                  name = "zsh-lsd";
-                  src = inputs.pkgs.fetchFromGitHub
-                  {
-                    owner = "z-shell";
-                    repo = "zsh-lsd";
-                    rev = "029a9cb0a9b39c9eb6c5b5100dd9182813332250";
-                    sha256 = "sha256-oWjWnhiimlGBMaZlZB+OM47jd9hporKlPNwCx6524Rk=";
-                  };
-                }
-              ];
-              history =
-              {
-                path = "${home-inputs.config.xdg.dataHome}/zsh/zsh_history";
-                extended = true;
-                save = 100000000;
-                size = 100000000;
-              };
-            };
             direnv = { enable = true; nix-direnv.enable = true; };
             git =
             {
@@ -163,21 +108,7 @@ inputs:
       {
         nix-index-database.comma.enable = true;
         nix-index.enable = true;
-        zsh =
-        {
-          enable = true;
-          syntaxHighlighting.enable = true;
-          autosuggestions.enable = true;
-          enableCompletion = true;
-          ohMyZsh =
-          {
-            enable = true;
-            plugins = [ "git" "colored-man-pages" "extract" "history-substring-search" "autojump" ];
-            customPkgs = with inputs.pkgs; [ zsh-nix-shell ];
-          };
-        };
         command-not-found.enable = false;
-        gnupg.agent = { enable = true; enableSSHSupport = true; };
         autojump.enable = true;
         git =
         {

modules/packages/server/gpg.nix

@@ -0,0 +1,10 @@
+inputs:
+{
+  config =
+    let
+      inherit (inputs.lib) mkIf;
+    in mkIf (builtins.elem "server" inputs.config.nixos.packages._packageSets)
+    {
+      programs.gnupg.agent = { enable = true; pinentryFlavor = "tty"; };
+    };
+}

modules/packages/server/ssh/default.nix

@@ -96,8 +96,16 @@ inputs:
             else []
           ))
           (attrsToList servers)));
+      programs.ssh =
+      {
+        startAgent = true;
+        enableAskPassword = true;
+        askPassword = "${inputs.pkgs.systemd}/bin/systemd-ask-password";
+        extraConfig = "AddKeysToAgent yes";
+      };
+      environment.sessionVariables.SSH_ASKPASS_REQUIRE = "prefer";
       nixos.users.sharedModules =
-      [{
+      [(hmInputs: {
         config.programs.ssh =
         {
           enable = true;
@@ -122,12 +130,27 @@ inputs:
                   {
                     PubkeyAcceptedAlgorithms = "+ssh-rsa";
                     HostkeyAlgorithms = "+ssh-rsa";
-                    SetEnv = "TERM=chn_unset_ls_colors:xterm-256color";
+                    SetEnv =
+                      let
+                        usernameMap =
+                        {
+                          chn = "linwei/chn";
+                        };
+                        cdString =
+                          if host == "jykang" && (usernameMap ? ${hmInputs.config.home.username}) then
+                            ":chn_cd:${usernameMap.${hmInputs.config.home.username}}"
+                          else "";
+                      in "TERM=chn_unset_ls_colors${cdString}:xterm-256color";
                     # in .bash_profile:
                     # if [[ $TERM == chn_unset_ls_colors* ]]; then
                     #   export TERM=${TERM#*:}
                     #   export CHN_LS_USE_COLOR=1
                     # fi
+                    # if [[ $TERM == chn_cd* ]]; then
+                    #   export TERM=${TERM#*:}
+                    #   cd ~/${TERM%%:*}
+                    #   export TERM=${TERM#*:}
+                    # fi
                     # in .bashrc
                     # [ -n "$CHN_LS_USE_COLOR" ] && alias ls="ls --color=auto"
                   };
@@ -141,6 +164,6 @@ inputs:
             gitea = { host = "gitea"; hostname = "ssh.git.chn.moe"; };
           };
         };
-      }];
+      })];
     };
 }

modules/packages/server/zsh/default.nix

@@ -0,0 +1,78 @@
+inputs:
+{
+  config =
+    let
+      inherit (inputs.lib) mkIf;
+    in mkIf (builtins.elem "server" inputs.config.nixos.packages._packageSets)
+    {
+      nixos.users.sharedModules = [(home-inputs: { config.programs.zsh =
+      {
+        enable = true;
+        initExtraBeforeCompInit =
+        ''
+          # p10k instant prompt
+          P10K_INSTANT_PROMPT="$XDG_CACHE_HOME/p10k-instant-prompt-''${(%):-%n}.zsh"
+          [[ ! -r "$P10K_INSTANT_PROMPT" ]] || source "$P10K_INSTANT_PROMPT"
+          HYPHEN_INSENSITIVE="true"
+          export PATH=~/bin:$PATH
+          function br
+          {
+            local cmd cmd_file code
+            cmd_file=$(mktemp)
+            if broot --outcmd "$cmd_file" "$@"; then
+              cmd=$(<"$cmd_file")
+              command rm -f "$cmd_file"
+              eval "$cmd"
+            else
+              code=$?
+              command rm -f "$cmd_file"
+              return "$code"
+            fi
+          }
+          alias todo="todo.sh"
+        '';
+        plugins =
+        [
+          {
+            file = "powerlevel10k.zsh-theme";
+            name = "powerlevel10k";
+            src = "${inputs.pkgs.zsh-powerlevel10k}/share/zsh-powerlevel10k";
+          }
+          {
+            file = "p10k.zsh";
+            name = "powerlevel10k-config";
+            src = ./p10k-config;
+          }
+          {
+            name = "zsh-lsd";
+            src = inputs.pkgs.fetchFromGitHub
+            {
+              owner = "z-shell";
+              repo = "zsh-lsd";
+              rev = "65bb5ac49190beda263aae552a9369127961632d";
+              hash = "sha256-JSNsfpgiqWhtmGQkC3B0R1Y1QnDKp9n0Zaqzjhwt7Xk=";
+            };
+          }
+        ];
+        history =
+        {
+          path = "${home-inputs.config.xdg.dataHome}/zsh/zsh_history";
+          extended = true;
+          save = 100000000;
+          size = 100000000;
+        };
+      };})];
+      programs.zsh =
+      {
+        enable = true;
+        syntaxHighlighting.enable = true;
+        autosuggestions.enable = true;
+        enableCompletion = true;
+        ohMyZsh =
+        {
+          enable = true;
+          plugins = [ "git" "colored-man-pages" "extract" "history-substring-search" "autojump" ];
+        };
+      };
+    };
+}

modules/packages/workstation/default.nix

@@ -20,7 +20,7 @@ inputs:
             nix-prefetch-docker pnpm-lock-export bundix
             # instant messager
             zoom-us signal-desktop qq nur-xddxdd.wechat-uos slack inputs.config.nur.repos.linyinfeng.wemeet
-            cinny-desktop
+            cinny-desktop nheko
             # office
             libreoffice-qt texstudio poppler_utils pdftk gnuplot pdfchain hdfview
             (texlive.combine { inherit (texlive) scheme-full; inherit (localPackages) citation-style-language; })

modules/services/frp.nix

@@ -113,6 +113,7 @@ inputs:
                     type = "stcp";
                     transport.useCompression = true;
                     secretKey = inputs.config.sops.placeholder."frp/stcp/${stcp.name}";
+                    allowUsers = [ "*" ];
                     inherit (stcp.value) localIp localPort;
                   })
                   (attrsToList frpClient.stcp));

modules/services/misskey.nix

@@ -89,7 +89,7 @@ inputs:
                   user: misskey_${replaceStrings [ "-" ] [ "_" ] instance.name}
                   pass: ${placeholder."postgresql/misskey_${replaceStrings [ "-" ] [ "_" ] instance.name}"}
                   extra:
-                    statement_timeout: 60000
+                    statement_timeout: 600000
                 dbReplications: false
                 redis:
                   host: 127.0.0.1

modules/services/nginx/applications/element.nix

@@ -5,7 +5,7 @@ inputs:
     type = types.attrsOf (types.submodule (submoduleInputs: { options =
     {
       hostname = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
-      defaultServer = mkOption { type = types.nullOr types.nonEmptyStr; default = "element.chn.moe"; };
+      defaultServer = mkOption { type = types.nullOr types.nonEmptyStr; default = "matrix.chn.moe"; };
     };}));
     default = {};
   };

modules/services/nginx/applications/main.nix

@@ -7,15 +7,16 @@ inputs:
   config =
     let
       inherit (inputs.config.nixos.services.nginx.applications) main;
-    in
+      inherit (inputs.lib) mkIf;
+    in mkIf main.enable
     {
       nixos.services.nginx.https."chn.moe".location =
       {
         "/".return.return = "302 https://xn--s8w913fdga.chn.moe/@chn";
         "/.well-known/matrix/server".proxy =
         {
-          setHeaders.Host = "synapse.chn.moe";
+          setHeaders.Host = "matrix.chn.moe";
-          upstream = "https://synapse.chn.moe";
+          upstream = "https://matrix.chn.moe";
         };
       };
     };

modules/services/postgresql.nix

@@ -10,6 +10,7 @@ inputs:
         database = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
         user = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
         passwordFile = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
+        initializeFlags = mkOption { type = types.attrsOf types.nonEmptyStr; default = {}; };
       };}));
       default = {};
     };
@@ -51,7 +52,6 @@ inputs:
           # chattr +C /path/to/dir
           # cp -a --reflink=never /path/to/dir_old/. /path/to/dir
           # rm -rf /path/to/dir_old
-          ensureDatabases = map (db: db.value.database) (attrsToList postgresql.instances);
           ensureUsers = map (db: { name = db.value.user; }) (attrsToList postgresql.instances);
         };
         postgresqlBackup =
@@ -68,15 +68,26 @@ inputs:
             passwordFile =
               if db.value.passwordFile or null != null then db.value.passwordFile
               else inputs.config.sops.secrets."postgresql/${db.value.user}".path;
-            in
+            initializeFlag =
-            # set user password
+              if db.value.initializeFlags != {} then
-            "$PSQL -tAc \"ALTER USER ${db.value.user} with encrypted password '$(cat ${passwordFile})'\""
+                " WITH "
-            # set db owner
+                + (concatStringsSep " " (map
-              + "\n"
+                  (flag: ''${flag.name} = "${flag.value}"'')
-              + "$PSQL -tAc \"select pg_catalog.pg_get_userbyid(d.datdba) FROM pg_catalog.pg_database d"
+                  (attrsToList db.value.initializeFlags)))
-              + " WHERE d.datname = '${db.value.database}' ORDER BY 1\""
+              else "";
-              + " | grep -E '^${db.value.user}$' -q"
+          in
-              + " || $PSQL -tAc \"ALTER DATABASE ${db.value.database} OWNER TO ${db.value.user}\"")
+          # create database if not exist
+          "$PSQL -tAc \"SELECT 1 FROM pg_database WHERE datname = '${db.value.database}'\" | grep -q 1"
+            + " || $PSQL -tAc 'CREATE DATABASE \"${db.value.database}\"${initializeFlag}'"
+          # set user password
+            + "\n"
+            + "$PSQL -tAc \"ALTER USER ${db.value.user} with encrypted password '$(cat ${passwordFile})'\""
+          # set db owner
+            + "\n"
+            + "$PSQL -tAc \"select pg_catalog.pg_get_userbyid(d.datdba) FROM pg_catalog.pg_database d"
+            + " WHERE d.datname = '${db.value.database}' ORDER BY 1\""
+            + " | grep -E '^${db.value.user}$' -q"
+            + " || $PSQL -tAc \"ALTER DATABASE ${db.value.database} OWNER TO ${db.value.user}\"")
         (attrsToList postgresql.instances)));
       sops.secrets = listToAttrs (map
         (db: { name = "postgresql/${db.value.user}"; value.owner = inputs.config.users.users.postgres.name; })

modules/services/synapse.nix

@@ -3,21 +3,32 @@ inputs:
 {
   options.nixos.services.synapse.instances = let inherit (inputs.lib) mkOption types; in mkOption
   {
-    type = types.attrsOf (types.submodule { options =
+    type = types.attrsOf (types.submodule (submoduleInputs: { options =
     {
       autoStart = mkOption { type = types.bool; default = true; };
       port = mkOption { type = types.ints.unsigned; default = 8008; };
       redisPort = mkOption { type = types.ints.unsigned; default = 6379; };
-      hostname = mkOption { type = types.nonEmptyStr; default = "synapse.chn.moe"; };
+      slidingSyncPort = mkOption { type = types.ints.unsigned; default = 9000; };
+      hostname = mkOption
+      {
+        type = types.nonEmptyStr;
+        default = "${submoduleInputs.config._module.args.name}.chn.moe";
+      };
       matrixHostname = mkOption { type = types.nonEmptyStr; default = "chn.moe"; };
-    };});
+      slidingSyncHostname = mkOption
+      {
+        type = types.nonEmptyStr;
+        default = "syncv3.${submoduleInputs.config.hostname}";
+      };
+      # , synapse_homeserver --config-path homeserver.yaml --generate-config --report-stats=yes --server-name xxx
+    };}));
     default = {};
   };
   config =
     let
       inherit (inputs.config.nixos.services) synapse;
       inherit (inputs.lib) mkIf mkMerge;
-      inherit (builtins) map listToAttrs replaceStrings;
+      inherit (builtins) map listToAttrs replaceStrings concatLists;
       inherit (inputs.localLib) attrsToList;
     in
     {
@@ -39,161 +50,208 @@ inputs:
       systemd = mkMerge (map
         (instance: let workdir = "/var/lib/synapse/${instance.name}"; in
         {
-          services."synapse-${instance.name}" =
+          services =
-            let
+          {
-              package = inputs.pkgs.matrix-synapse.override
+            "synapse-${instance.name}" =
-                { extras = [ "url-preview" "postgres" "redis" ]; plugins = []; };
+              let
-              config = inputs.config.sops.templates."synapse/${instance.name}.yaml".path;
+                package = inputs.pkgs.matrix-synapse.override
-              homeserver = "${package}/bin/synapse_homeserver";
+                  { extras = [ "url-preview" "postgres" "redis" ]; plugins = []; };
-            in
+                config = inputs.config.sops.templates."synapse/${instance.name}/config.yaml".path;
+                homeserver = "${package}/bin/synapse_homeserver";
+              in
+              {
+                description = "synapse-${instance.name}";
+                enable = instance.value.autoStart;
+                after = [ "network-online.target" "postgresql.service" ];
+                requires = [ "postgresql.service" ];
+                wantedBy = [ "multi-user.target" ];
+                serviceConfig =
+                {
+                  ExecStart = "${homeserver} --config-path ${config} --keys-directory ${workdir}";
+                  Type = "notify";
+                  User = "synapse-${instance.name}";
+                  Group = "synapse-${instance.name}";
+                  WorkingDirectory = workdir;
+                  ExecReload = "${inputs.pkgs.util-linux}/bin/kill -HUP $MAINPID";
+                  Restart = "on-failure";
+                  UMask = "0077";
+                  CapabilityBoundingSet = [ "" ];
+
+                  # hardening
+                  LockPersonality = true;
+                  NoNewPrivileges = true;
+                  PrivateDevices = true;
+                  PrivateTmp = true;
+                  PrivateUsers = true;
+                  ProcSubset = "pid";
+                  ProtectClock = true;
+                  ProtectControlGroups = true;
+                  ProtectHome = true;
+                  ProtectHostname = true;
+                  ProtectKernelLogs = true;
+                  ProtectKernelModules = true;
+                  ProtectKernelTunables = true;
+                  ProtectProc = "invisible";
+                  ProtectSystem = "strict";
+                  ReadWritePaths = [ workdir ];
+                  RemoveIPC = true;
+                  RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
+                  RestrictNamespaces = true;
+                  RestrictRealtime = true;
+                  RestrictSUIDSGID = true;
+                  SystemCallArchitectures = "native";
+                  SystemCallFilter = [ "@system-service" "~@resources" "~@privileged" ];
+                };
+              };
+            "synapse-sliding-sync-${instance.name}" =
             {
-              description = "synapse-${instance.name}";
+              after = [ "synapse-${instance.name}.service" ];
-              enable = instance.value.autoStart;
+              wants = [ "synapse-${instance.name}.service" ];
-              after = [ "network-online.target" "postgresql.service" ];
-              requires = [ "postgresql.service" ];
               wantedBy = [ "multi-user.target" ];
               serviceConfig =
               {
-                ExecStart = "${homeserver} --config-path ${config} --keys-directory ${workdir}";
-                Type = "notify";
                 User = "synapse-${instance.name}";
                 Group = "synapse-${instance.name}";
-                WorkingDirectory = workdir;
+                EnvironmentFile = inputs.config.sops.templates."synapse/${instance.name}-sliding-sync/env".path;
-                ExecReload = "${inputs.pkgs.util-linux}/bin/kill -HUP $MAINPID";
+                ExecStart = inputs.lib.getExe inputs.pkgs.matrix-sliding-sync;
+                WorkingDirectory = workdir + "-sliding-sync";
                 Restart = "on-failure";
-                UMask = "0077";
+                RestartSec = "1s";
-                CapabilityBoundingSet = [ "" ];
-
-                # hardening
-                LockPersonality = true;
-                NoNewPrivileges = true;
-                PrivateDevices = true;
-                PrivateTmp = true;
-                PrivateUsers = true;
-                ProcSubset = "pid";
-                ProtectClock = true;
-                ProtectControlGroups = true;
-                ProtectHome = true;
-                ProtectHostname = true;
-                ProtectKernelLogs = true;
-                ProtectKernelModules = true;
-                ProtectKernelTunables = true;
-                ProtectProc = "invisible";
-                ProtectSystem = "strict";
-                ReadWritePaths = [ workdir ];
-                RemoveIPC = true;
-                RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
-                RestrictNamespaces = true;
-                RestrictRealtime = true;
-                RestrictSUIDSGID = true;
-                SystemCallArchitectures = "native";
-                SystemCallFilter = [ "@system-service" "~@resources" "~@privileged" ];
               };
             };
+          };
           tmpfiles.rules =
           [
             "d /var/lib/synapse 0755 root root"
             "d ${workdir} 0700 synapse-${instance.name} synapse-${instance.name}"
             "Z ${workdir} - synapse-${instance.name} synapse-${instance.name}"
+            "d ${workdir}-sliding-sync 0700 synapse-${instance.name} synapse-${instance.name}"
+            "Z ${workdir}-sliding-sync - synapse-${instance.name} synapse-${instance.name}"
           ];
         })
         (attrsToList synapse.instances));
       sops = mkMerge (map
         (instance:
         {
-          templates."synapse/${instance.name}.yaml" =
+          templates =
           {
-            owner = "synapse-${instance.name}";
+            "synapse/${instance.name}/config.yaml" =
-            group = "synapse-${instance.name}";
+            {
-            content =
+              owner = "synapse-${instance.name}";
-              let
+              group = "synapse-${instance.name}";
-                inherit (inputs.config.sops) placeholder;
+              content =
-              in builtins.readFile ((inputs.pkgs.formats.yaml {}).generate "${instance.name}.yaml"
+                let
-              {
+                  inherit (inputs.config.sops) placeholder;
-                server_name = instance.value.matrixHostname;
+                in builtins.readFile ((inputs.pkgs.formats.yaml {}).generate "${instance.name}.yaml"
-                listeners =
-                [{
-                  bind_addresses = [ "127.0.0.1" ];
-                  inherit (instance.value) port;
-                  resources = [{ names = [ "client" "federation" ]; compress = false; }];
-                  tls = false;
-                  type = "http";
-                  x_forwarded = true;
-                }];
-                database =
                 {
-                  name = "psycopg2";
+                  server_name = instance.value.matrixHostname;
-                  args =
+                  public_baseurl = "https://${instance.value.hostname}/";
+                  listeners =
+                  [{
+                    bind_addresses = [ "127.0.0.1" ];
+                    inherit (instance.value) port;
+                    resources = [{ names = [ "client" "federation" ]; compress = false; }];
+                    tls = false;
+                    type = "http";
+                    x_forwarded = true;
+                  }];
+                  database =
                   {
-                    user = "synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}";
+                    name = "psycopg2";
-                    password = placeholder."postgresql/synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}";
+                    args =
-                    database = "synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}";
+                    {
-                    host = "127.0.0.1";
+                      user = "synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}";
-                    port = "5432";
+                      password = placeholder."postgresql/synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}";
+                      database = "synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}";
+                      host = "127.0.0.1";
+                      port = "5432";
+                    };
+                    allow_unsafe_locale = true;
                   };
-                  allow_unsafe_locale = true;
+                  redis =
-                };
+                  {
-                redis =
+                    enabled = true;
-                {
+                    port = instance.value.redisPort;
-                  enabled = true;
+                    password = placeholder."redis/synapse-${instance.name}";
-                  port = instance.value.redisPort;
+                  };
-                  password = placeholder."redis/synapse-${instance.name}";
+                  turn_shared_secret = placeholder."synapse/${instance.name}/coturn";
-                };
+                  registration_shared_secret = placeholder."synapse/${instance.name}/registration";
-                turn_shared_secret = placeholder."synapse/${instance.name}/coturn";
+                  macaroon_secret_key = placeholder."synapse/${instance.name}/macaroon";
-                registration_shared_secret = placeholder."synapse/${instance.name}/registration";
+                  form_secret = placeholder."synapse/${instance.name}/form";
-                macaroon_secret_key = placeholder."synapse/${instance.name}/macaroon";
+                  signing_key_path = inputs.config.sops.secrets."synapse/${instance.name}/signing-key".path;
-                form_secret = placeholder."synapse/${instance.name}/form";
+                  email =
-                signing_key_path = inputs.config.sops.secrets."synapse/${instance.name}/signing-key".path;
+                  {
-                email =
+                    smtp_host = "mail.chn.moe";
-                {
+                    smtp_port = 25;
-                  smtp_host = "mail.chn.moe";
+                    smtp_user = "bot@chn.moe";
-                  smtp_port = 25;
+                    smtp_pass = placeholder."mail/bot";
-                  smtp_user = "bot@chn.moe";
+                    require_transport_security = true;
-                  smtp_pass = placeholder."mail/bot";
+                    notif_from = "Your Friendly %(app)s homeserver <bot@chn.moe>";
-                  require_transport_security = true;
+                    app_name = "Haonan Chen's synapse";
-                  notif_from = "Your Friendly %(app)s homeserver <bot@chn.moe>";
+                  };
-                  app_name = "Haonan Chen's synapse";
+                  admin_contact = "mailto:chn@chn.moe";
-                };
+                  enable_registration = true;
-                admin_contact = "mailto:chn@chn.moe";
+                  registrations_require_3pid = [ "email" ];
-                enable_registration = true;
+                  turn_uris = [ "turns:coturn.chn.moe" "turn:coturn.chn.moe" ];
-                registrations_require_3pid = [ "email" ];
+                  max_upload_size = "1024M";
-                turn_uris = [ "turns:coturn.chn.moe" "turn:coturn.chn.moe" ];
+                  web_client_location = "https://element.chn.moe/";
-                max_upload_size = "1024M";
+                  extra_well_known_client_content."org.matrix.msc3575.proxy".url =
-                web_client_location = "https://element.chn.moe/";
+                    "https://${instance.value.slidingSyncHostname}";
-                serve_server_wellknown = true;
+                  report_stats = true;
-                report_stats = true;
+                  trusted_key_servers =
-                trusted_key_servers =
+                  [{
-                [{
+                    server_name = "matrix.org";
-                  server_name = "matrix.org";
+                    verify_keys."ed25519:auto" = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw";
-                  verify_keys."ed25519:auto" = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw";
+                  }];
-                }];
+                  suppress_key_server_warning = true;
-                suppress_key_server_warning = true;
+                  log_config = (inputs.pkgs.formats.yaml {}).generate "log.yaml"
-                log_config = (inputs.pkgs.formats.yaml {}).generate "log.yaml"
+                  {
-                {
+                    version = 1;
-                  version = 1;
+                    formatters.precise.format =
-                  formatters.precise.format =
+                      "%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s";
-                    "%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s";
+                    handlers.console = { class = "logging.StreamHandler"; formatter = "precise"; };
-                  handlers.console = { class = "logging.StreamHandler"; formatter = "precise"; };
+                    root = { level = "INFO"; handlers = [ "console" ]; };
-                  root = { level = "INFO"; handlers = [ "console" ]; };
+                    disable_existing_loggers = true;
-                  disable_existing_loggers = true;
+                  };
-                };
+                  pid_file = "/run/synapse-${instance.name}.pid";
-                pid_file = "/run/synapse-${instance.name}.pid";
+                  media_store_path = "/var/lib/synapse/${instance.name}/media_store";
-                media_store_path = "/var/lib/synapse/${instance.name}/media_store";
+                  presence.enabled = true;
-                presence.enabled = true;
+                  url_preview_enabled = true;
-                url_preview_enabled = true;
+                  url_preview_ip_range_blacklist =
-                url_preview_ip_range_blacklist =
+                  [
-                [
+                    "10.0.0.0/8" "100.64.0.0/10" "127.0.0.0/8" "169.254.0.0/16" "172.16.0.0/12" "192.0.0.0/24"
-                  "10.0.0.0/8" "100.64.0.0/10" "127.0.0.0/8" "169.254.0.0/16" "172.16.0.0/12" "192.0.0.0/24"
+                    "192.0.2.0/24" "192.168.0.0/16" "192.88.99.0/24" "198.18.0.0/15" "198.51.100.0/24" "2001:db8::/32"
-                  "192.0.2.0/24" "192.168.0.0/16" "192.88.99.0/24" "198.18.0.0/15" "198.51.100.0/24" "2001:db8::/32"
+                    "203.0.113.0/24" "224.0.0.0/4" "::1/128" "fc00::/7" "fe80::/10" "fec0::/10" "ff00::/8"
-                  "203.0.113.0/24" "224.0.0.0/4" "::1/128" "fc00::/7" "fe80::/10" "fec0::/10" "ff00::/8"
+                  ];
-                ];
+                  max_image_pixels = "32M";
-                max_image_pixels = "32M";
+                  dynamic_thumbnails = false;
-                dynamic_thumbnails = false;
+                });
-              });
+            };
+            "synapse/${instance.name}-sliding-sync/env" =
+            {
+              owner = "synapse-${instance.name}";
+              group = "synapse-${instance.name}";
+              content =
+                let
+                  inherit (inputs.config.sops) placeholder;
+                  pgString = "postgresql://"
+                    + "synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}"
+                    + ":${placeholder."postgresql/synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}"}"
+                    + "@127.0.0.1:5432"
+                    + "/synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}_sliding_sync"
+                    + "?sslmode=disable";
+                in
+                ''
+                  SYNCV3_SERVER=https://${instance.value.hostname}
+                  SYNCV3_DB=${pgString}
+                  SYNCV3_SECRET=${placeholder."synapse/${instance.name}/sliding-sync"}
+                  SYNCV3_BINDADDR=127.0.0.1:${toString instance.value.slidingSyncPort}
+                '';
+            };
           };
           secrets = (listToAttrs (map
             (secret: { name = "synapse/${instance.name}/${secret}"; value = {}; })
-            [ "coturn" "registration" "macaroon" "form" ]))
+            [ "coturn" "registration" "macaroon" "form" "sliding-sync" ]))
             // { "synapse/${instance.name}/signing-key".owner = "synapse-${instance.name}"; }
             // { "mail/bot" = {}; };
         })
@@ -203,9 +261,19 @@ inputs:
         postgresql =
         {
           enable = mkIf (synapse.instances != {}) true;
-          instances = listToAttrs (map
+          instances = listToAttrs (concatLists (map
-            (instance: { name = "synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}"; value = {}; })
+            (instance:
-            (attrsToList synapse.instances));
+            [
+              {
+                name = "synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}";
+                value.initializeFlags = { TEMPLATE = "template0"; LC_CTYPE = "C"; LC_COLLATE = "C"; };
+              }
+              {
+                name = "synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}_sliding_sync";
+                value.user = "synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}";
+              }
+            ])
+            (attrsToList synapse.instances)));
         };
         redis.instances = listToAttrs (map
           (instance: { name = "synapse-${instance.name}"; value.port = instance.value.redisPort; })
@@ -213,13 +281,35 @@ inputs:
         nginx =
         {
           enable = mkIf (synapse.instances != {}) true;
-          https = listToAttrs (map
+          https = listToAttrs (concatLists (map
             (instance: with instance.value;
-            {
+            [
-              name = hostname;
+              {
-              value.location."/".proxy = { upstream = "http://127.0.0.1:${toString port}"; websocket = true; };
+                name = hostname;
-            })
+                value.location =
-            (attrsToList synapse.instances));
+                {
+                  "/".proxy = { upstream = "http://127.0.0.1:${toString port}"; websocket = true; };
+                  "/.well-known/matrix/server".static =
+                  {
+                    root = builtins.toString (inputs.pkgs.writeTextFile
+                    {
+                      name = "server";
+                      text = builtins.toJSON
+                      {
+                        "m.server" = "${hostname}:443";
+                      };
+                      destination = "/.well-known/matrix/server";
+                    });
+                  };
+                };
+              }
+              {
+                name = slidingSyncHostname;
+                value.location."/".proxy =
+                  { upstream = "http://127.0.0.1:${toString slidingSyncPort}"; websocket = true; };
+              }
+            ])
+            (attrsToList synapse.instances)));
         };
       };
     };

modules/system/default.nix

@@ -15,20 +15,14 @@ inputs:
     ./security.nix
     ./sops.nix
     ./user.nix
+    ./sysctl.nix
   ];
   config =
   {
-    services = { dbus.implementation = "broker"; fstrim = { enable = true; interval = "daily"; }; };
+    services = { dbus.implementation = "broker"; fstrim.enable = true; };
     time.timeZone = "Asia/Shanghai";
     boot =
     {
-      kernel.sysctl =
-      {
-        "vm.oom_kill_allocating_task" = true;
-        "vm.oom_dump_tasks" = false;
-        "vm.overcommit_memory" = 1;
-        "kernel.sysrq" = 438;
-      };
       supportedFilesystems = [ "ntfs" ];
       consoleLogLevel = 7;
     };
@@ -57,5 +51,11 @@ inputs:
     # environment.variables.LIBRARY_PATH = "/run/current-system/sw/lib";
     virtualisation.oci-containers.backend = "docker";
     home-manager.sharedModules = [{ home.stateVersion = "22.11"; }];
+    system =
+    {
+      stateVersion = "22.11";
+      configurationRevision = inputs.topInputs.self.rev or "dirty";
+      nixos.versionSuffix = inputs.lib.mkForce "";
+    };
   };
 }

modules/system/kernel.nix

@@ -2,8 +2,7 @@ inputs:
 {
   options.nixos.system.kernel = let inherit (inputs.lib) mkOption types; in
   {
-    useLts = mkOption { type = types.bool; default = false; };
+    patches = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
-    patches = mkOption { type = types.listOf (types.enum [ "cjktty" ]); default = []; };
     modules =
     {
       install = mkOption { type = types.listOf types.str; default = []; };
@@ -30,11 +29,11 @@ inputs:
         "igb"
         # yoga
         "lenovo_yogabook"
-      ] ++ kernel.modules.initrd ++ (if (!kernel.useLts) then [ "lenovo-yogabook" ] else []);
+      ];
       extraModulePackages = (with inputs.config.boot.kernelPackages; [ v4l2loopback ]) ++ kernel.modules.install;
       extraModprobeConfig = builtins.concatStringsSep "\n" kernel.modules.modprobeConfig;
-      kernelParams = [ "delayacct" ];
+      kernelParams = [ "delayacct" "acpi_osi=Linux" ];
-      kernelPackages = inputs.pkgs."linuxPackages_xanmod${if kernel.useLts then "" else "_latest"}";
+      kernelPackages = inputs.pkgs.linuxPackages_xanmod_latest;
       kernelPatches =
         let
           patches =
@@ -55,13 +54,32 @@ inputs:
                       hashes =
                       {
                         "6.1" = "11ddiammvjxx2m9v32p25l1ai759a1d6xhdpszgnihv7g2fzigf5";
-                        "6.5" = "0ckmbx53js04lrcvcsf8qk935v2pl9w0af2v1mqghfs0krakfgfh";
+                        "6.6" = "19ib0syj3207ifr315gdrnpv6nhh435fmgl05c7k715nng40i827";
                       };
                     in hashes."${major}.${minor}";
                 };
               extraStructuredConfig =
                 { FONT_CJK_16x16 = inputs.lib.kernel.yes; FONT_CJK_32x32 = inputs.lib.kernel.yes; };
             };
+            lantian =
+            {
+              patch = null;
+              # pick from xddxdd/nur-packages dce93a
+              extraStructuredConfig = with inputs.lib.kernel;
+              {
+                ACPI_PCI_SLOT = yes;
+                ENERGY_MODEL = yes;
+                PARAVIRT_TIME_ACCOUNTING = yes;
+                PM_AUTOSLEEP = yes;
+                WQ_POWER_EFFICIENT_DEFAULT = yes;
+                PREEMPT_VOLUNTARY = inputs.lib.mkForce no;
+                PREEMPT = inputs.lib.mkForce yes;
+                NO_HZ_FULL = yes;
+                HZ_1000 = inputs.lib.mkForce yes;
+                HZ_250 = inputs.lib.mkForce no;
+                HZ = inputs.lib.mkForce (freeform "1000");
+              };
+            };
           };
         in
           builtins.map (name: { inherit name; } // patches.${name}) kernel.patches;

modules/system/nix.nix

@@ -45,7 +45,6 @@ inputs:
           };
           nixPath = [ "nixpkgs=${inputs.topInputs.nixpkgs}" ];
         };
-        system = { stateVersion = "22.11"; configurationRevision = inputs.topInputs.self.rev or "dirty"; };
         systemd.services.nix-daemon =
         {
           serviceConfig = { CacheDirectory = "nix"; Slice = "-.slice"; Nice = "19"; };

modules/system/sysctl.nix

@@ -0,0 +1,24 @@
+inputs:
+{
+  options.nixos.system.sysctl = let inherit (inputs.lib) mkOption types; in
+  {
+    laptop-mode = mkOption { type = types.nullOr types.int; default = null; };
+  };
+  config =
+    let
+      inherit (inputs.lib) mkIf mkMerge;
+      inherit (inputs.config.nixos.system) sysctl;
+    in mkMerge
+    [
+      {
+        boot.kernel.sysctl =
+        {
+          "vm.oom_kill_allocating_task" = true;
+          "vm.oom_dump_tasks" = false;
+          "vm.overcommit_memory" = 1;
+          "kernel.sysrq" = 438;
+        };
+      }
+      (mkIf (sysctl.laptop-mode != null) { boot.kernel.sysctl."vm.laptop_mode" = sysctl.laptop-mode; })
+    ];
+}

modules/system/user.nix

@@ -23,6 +23,7 @@ inputs:
         v2ray = 2007;
         fz-new-order = 2008;
         synapse-synapse = 2009;
+        synapse-matrix = 2010;
       };
     };
     group = mkOption

modules/users/chn/default.nix

@@ -5,6 +5,7 @@ inputs:
     let
       inherit (inputs.lib) mkIf;
       inherit (inputs.config.nixos) users;
+      inherit (builtins) listToAttrs;
     in mkIf (builtins.elem "chn" users.users)
     {
       users.users.chn =
@@ -42,7 +43,10 @@ inputs:
               # identityFile = "~/.ssh/xmuhk_id_rsa";
               xmuhk = { host = "xmuhk"; hostname = "10.26.14.56"; user = "xmuhk"; };
               xmuhk2 = { host = "xmuhk2"; hostname = "183.233.219.132"; user = "xmuhk"; port = 62022; };
-            };
+            }
+            // (listToAttrs (map
+              (system: { name = system; value.forwardAgent = true; })
+              [ "vps6" "wireguard.vps6" "vps7" "wireguard.vps7" "wireguard.pc" "nas" "wireguard.nas" ]));
           };
           home.packages =
           [

secrets/vps7/default.yaml

@@ -14,6 +14,7 @@ redis:
     send: ENC[AES256_GCM,data:IGxj3cgp+fQBdupfK+IgPEQSPuXdM9LRSLGSATNIkzUWC6sQw1aaKTDuRc8cU2BG6quthRwuWnK/F7k3KrUi8Q==,iv:LI9MkaF4e47FPUyL7AXZpO+CdgF91ScdiqjrE8PZjJ4=,tag:eNugln5M0AhU1xmVWFN7Aw==,type:str]
     mastodon: ENC[AES256_GCM,data:E5aMRzqd1dqcw66uZwWoT+LDH30mg1vZjk3lhKIXKPd36MANE6z04aBPcAHyHT71jEYsect9JXagC4MUJBuSSQ==,iv:4IjTTNSTraL33fInlTkB2ZylcEaaKi5pgvugZIk24e0=,tag:32JSTNpF2cxYh/NEAS6jZQ==,type:str]
     synapse-synapse: ENC[AES256_GCM,data:8CVbcN2FG4mRT4PnlOGsS7tDfS+6ojIJFvq2EwItxn1gg2Ghd/Bmx+5tS/Do2FrYp/Xiv1EqucomM50r5bXnmg==,iv:TT7zBKQ4M10XYVCn5aeSu9IqjrIEHHazPUCOTmgRAU0=,tag:0+Q9hZMBVDj1TnHj3xoTBA==,type:str]
+    synapse-matrix: ENC[AES256_GCM,data:eJ9GXDVLPg1C+Zjpj3NnWUyZxDbOZ61f+gs/bkZgdWjeu61MEMtU/Hh+p/ceAn3y0aPi0ZTcd+zSgIPIkcj+qg==,iv:uTdS4uguNJErc+DDW4H6dsRFkqlkHtaCfR8LR/d9nvY=,tag:UhY9xbe1r7FUpyid2nSt5Q==,type:str]
 postgresql:
     wallabag: ENC[AES256_GCM,data:ANwvEE3K/W/hU34Y7RvlbUuJNo2bOaRfeusYM9pRxXQOdG4XpwYfd/DprsrVjlkrMFuTurUR5j6UNHWh+ILDbQ==,iv:K8doqhVosz+OosMrLJXrSxairr84EeGs3EWgVQjpkS8=,tag:WjDzy7ubm/GVlBkW0O3znQ==,type:str]
     misskey_misskey: ENC[AES256_GCM,data:lRbSz7bbiWEdK/cRD41fLvFJF4WYsclKHVykFcU3LIz9vnKlR3VdczzznVqpT7JvG6OUi+TmipJii+0KzXHtdA==,iv:8sBKgVwuDJdThup0KQ6cnAV5O2liwVra1yIpDHVfpMI=,tag:DyUpaHai8ZUyllvZBUm8sg==,type:str]
@@ -25,6 +26,7 @@ postgresql:
     gitea: ENC[AES256_GCM,data:EAuFPlUFvtARh4wbevoIUwZ886nS+3O9Jy7q/SkaTDx7PkQKGhZcPPxY45AG0QQrjSaI3cGLzDBMutFMXP0BMA==,iv:0cLOsopAfyMLHJDowyZirVR5nqLrjSLHYtnPC8GXReE=,tag:BwG5UibGLS16rwJbH/0ZyQ==,type:str]
     grafana: ENC[AES256_GCM,data:ZLtDIZ3oKasE4r1WNllNe/rkXxqRS+QAJI7EGPKhiFF1BtAxD46UpGQnUag3yg0gP/8+3COQs6camVSxcKFL1A==,iv:wMj3keVjNpVwNMwlt4E3ds1EYjLNIZ/S3RydhOlmYWU=,tag:ZRn7NWaUPbf2rHYLoLYw+w==,type:str]
     akkoma: ENC[AES256_GCM,data:6piRt7BbMBLVGdot+VyoJN3/S8DoPNTYHFh/1coHSLNmiA6kU/6sca4Bts1Up/Vu164oTsFAr1JsKx6tzNzAPg==,iv:qplA1GXHwzVrmjm7eagCk3PFa7DRdwaf+p7N1HLb6mw=,tag:W6WedSK3R1IgZVo/0Hr9vA==,type:str]
+    synapse_matrix: ENC[AES256_GCM,data:5j+TYJ3vYUqu6CdRDYAT558DsTWbX4Rh+HuukPog5HGXlhneL3RnxVeGBR9CV1rlCP1NY99Nm8roBG+BcyPYHQ==,iv:CboB6lzqxAE/8ZlzaTU3bxw94N6OAhrq8pZ0AfxQiUc=,tag:z6cM3ufgbMn5n5PzgqdRjw==,type:str]
 meilisearch:
     misskey-misskey: ENC[AES256_GCM,data:4s+qqd6mmstioC0XmG/vA6ED9mzu1vRJVPFFalRiqnnsFy0dYEU87H+y12eOp/KDSLdTNvpp6Z6jCNvxnpDXzQ==,iv:x6L9OPu/dwVsD9pYb4dqavw9NesMbo7LB+rwz6veAR4=,tag:/BBqV2sHIgPas7XsZydh2g==,type:str]
 rsshub:
@@ -43,6 +45,14 @@ synapse:
         macaroon: ENC[AES256_GCM,data:2/8GuF/a+ocVtLN0PU17JDvXw/RoXX/CXFHPlI9THl5bY8lBm6tEawijnOKVoFLovfU=,iv:GPAr3ZjqLf9ixevsZoQgs4cPkv0VL4WJoFfQZOdThlw=,tag:HRt/igDEfUJ3K39mG7b9Fg==,type:str]
         form: ENC[AES256_GCM,data:Z9cYL9ibRWmOhAYtB269n0cWZSvL4zGgc03ZRag0m8cz2j0god/Fn/w6kx3cyGK1C70=,iv:Yst6WSV63IvbMF5nnicIoBj77eSwVMnAHtHrKo2UcDk=,tag:4qf6F2rdctcCf4J9vECvYg==,type:str]
         signing-key: ENC[AES256_GCM,data:BbPJiNcVTqMAL2XG3K3CIbsb8EM4r8ct/WxPK10FHRwAnqChKy3CAviYU9gewO/tNZXHvUYUAUbPww==,iv:IZB/40EE3DIxAqagdH/a4kcSmiec5l24XLCQKCQNaRo=,tag:/1t0WAPBYmYrPTx4V4wgkw==,type:str]
+        sliding-sync: ENC[AES256_GCM,data:POXExkTRRhXin4lD4MA61xsuzYXCT6U7QtQWtNnEb6kUWRrAvS9mqk+JTBn3onCzf2Azhi3WQOY/t+OiQFXI1w==,iv:GJfJSGb6t/q9KdVCr0dVVcD+e0yZUQzrJrtuhOlYJIE=,tag:ovd1ZXRkk7VoNo8KoYDViA==,type:str]
+    matrix:
+        coturn: ENC[AES256_GCM,data:MwZKkYMefshuk46Cne4wn9ooFH8RCDbrxp+MbLJWli9iPHuzJJzUuQNU9EDL0aNbzyYEMt/7DErw42z6KrpGww==,iv:u/SVVTgfJO2FakiYU+uLHXjA4tHU/W6ASsR3S31+pWs=,tag:VTeKNOKwm2bsiZAOVXeBOQ==,type:str]
+        registration: ENC[AES256_GCM,data:+pA61vTg12lYUyXjLrHSY7y/ExfTQffLlGUI4HBOSFFPTck7bu68FrCaHOIBTtEMfjU=,iv:Ex/phkBZxglG8HiRz+m7h2HNanpq2Pxwbm08vdM3xFc=,tag:mM3YEa70FnCeYIUthK4TeA==,type:str]
+        macaroon: ENC[AES256_GCM,data:/+RaayKiPPpVV7OWWdaSkSSRHMjb8d58lZcpvltN9cYkN1btvMViEgdLSlfqzRRlPUE=,iv:pg9GXgNsrVWKlUAiCKZ2pYXugRH6MsBIMpHKoYWYLik=,tag:/mj5Ak7XAX/FH7sNPEVALw==,type:str]
+        form: ENC[AES256_GCM,data:7HF7HMUH1BTJgXXP6cpUiVj0jCwGW57bx9wKTJu7PnRsNuAam/+nKX7Zfg7WD+gSBlA=,iv:SYeUsuFVgAA6U6STCtKT5c5E8Kglh3x7hy6+Op4n0W8=,tag:eICmHTwwn0KcgNhdDGnusA==,type:str]
+        signing-key: ENC[AES256_GCM,data:hzxxDbGp1L09O7+ueUSa5lJOY/QvF2zvHdpueEHjaPQEToQt9mr2loeTQHC7ObTegfLb9UHrI1jn4A==,iv:KngfahwYZZmDQ5LeOUPWptTMGAC8TZm1G0FWcrwCwsw=,tag:U9pW6/boBIpiswn67Ezrfw==,type:str]
+        sliding-sync: ENC[AES256_GCM,data:BeA6g98IWDP6hnLFI77QqG6esDwB6j3OPzAv3eJxWoTajAsByHSgSYP1vHN5Iok6IgvSSmkf0/HiOJy1Ca8IIA==,iv:ca+t/rYwc/fAVUcz0JTmrRQCOcbDNscbnE8BpHkx/OE=,tag:eEfhUChUt4kRnO82XqRY4g==,type:str]
 nebula:
     key: ENC[AES256_GCM,data:9o6EkfTWOU0KwnJsgHML4E7VOfzo3LHnlOkV8ubhi6aayXImC3lAaoPrqUI=,iv:KHprijN7z+4FIIW+D5klDM9a9VzMJ5xawPc7jJtbHmk=,tag:0DAmxoz8D5f38ndPbkNW+g==,type:str]
 vaultwarden:
@@ -119,8 +129,8 @@ sops:
             SnFHS1Z0SXUzTFdEd29KTy9DU3Y3R0UKfhh+rUmWDrf+UGjclP57dHipPLFoXSqy
             HdelmfV6q4/c7ppx2E+oZw3VNgoZCsrxxzYZfwxHJiZb+5vkE0D8iA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-12-17T14:39:51Z"
+    lastmodified: "2023-12-20T06:27:19Z"
-    mac: ENC[AES256_GCM,data:W07NZGIKm0sx1g/DBB5IRZItomTKjj5m+AnWYT1lck11hwH20kjH21zm++VtNpS4j+ay/5Y3e9zkWSFpk3C8AFxvB/2r8gVhcNF5stCGCj4Exc2OTE+g2m6yp4ZMkgXZDidlc1by6pNah6nf7lk1W/sZ5ViMdlMonERCoOiOmf0=,iv:sFEs5FSKp29bXZQPBWoQ71ippu2XxLPl8b5hSzG0Gbk=,tag:/Jio9+sysSrpFKMYBVWGpw==,type:str]
+    mac: ENC[AES256_GCM,data:i7AN+Sd4C61GSzT409mYd6D2tQzDyONIUsto52b1mV8hIJ4Q/U9VT5wumRjm4dGUWqrq9oFdD0/iUL1CmEdasBN7VFwNEpSYl6yhzU7zX3Re3N/0mffeW0Fx/38LdvywusJAHC9yWvsNMblKDnYxGm/UI2W/7QRMDyr8jnU6La0=,iv:Ua+K1m27GkkrUn+wcylkwrdWnq1yzFG1NMVzYAiW/6k=,tag:Gqqk5zOU3Ax2Al5CvXEV7g==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1