flake: add ufo as submodule

This reverts commit 3e3e62838b.

.gitattributes

@@ -1 +0,0 @@
-flake/branch.nix merge=ours

.gitmodules

@@ -0,0 +1,6 @@
+[submodule "nixpkgs"]
+	path = nixpkgs
+	url = https://github.com/CHN-beta/nixpkgs.git
+[submodule "packages/ufo"]
+	path = packages/ufo
+	url = https://git.chn.moe/chn/ufo.git

.sops.yaml

@@ -3,14 +3,14 @@ keys: # cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
   - &pc age1ffvr5pqd2lfj24e3fh53s92z6h76fda3du4y4k6r3yjumdwvpfgqzj033a
   - &vps4 age1yvrl4y0r6yzcxzzkgfwshlrtsjt8uuya6rfwks09pnft7esfcyvqmrtm5q
   - &vps6 age164tyqklwhdm57tfm5u863mdt2xrzrrzac4py8a0j9y6kzqcjy9zsp073t6
+  - &vps9 age19yt2tszdtnwylqh5qdmg25mlfd8cft0z24x4mp20fnyywfs88cxqgwt9m2
   - &nas age19lhcwk37jmvn6z0v4dpdfh0k4u23f76twdjknc0p7atktf37rd7s4t4wj3
-  - &one age1m7nrxfw22wvp7pj8y9pdl745w95x89uu8dzl9ppsaazweqf2lqms5yshsp
   - &srv1-node0 age1nzetyehldf3gl6pr6mu5d2cv387p8wjqn6wfpll7a3sl8us6n38s0ds633
   - &srv1-node1 age1wj33xt8nj7rhnsenepsf6k3lmq5vk4wn84jwr55qy9cwu05xn5cspg3h7t
   - &srv1-node2 age16e7ykphshal6qhwfvat698hl48s8yr0jvzh27ecdyfh5uk7t9u6s753jgy
-  - &srv2-node0 age1l4stuz0vr7gs7pqwjrmezam44702jp2vmqaqyxw0l0r42kf9updq4dfhrw
-  - &srv2-node1 age1hnarptkze0ujpp05dqr8uma04cxg9zqcx68qgpks5uf5l6rpk5gqhh8wxg
-  - &srv3 age1n4lhfwv7g0vhx54exmwx9yv2z04m3h2lunzpa5zdzgtcvjjuf5nqc36g8a
+  - &srv2-node0 age1hnarptkze0ujpp05dqr8uma04cxg9zqcx68qgpks5uf5l6rpk5gqhh8wxg
+  - &srv2-node1 age1l4stuz0vr7gs7pqwjrmezam44702jp2vmqaqyxw0l0r42kf9updq4dfhrw
+  - &srv2-node2 age1k2y0vm4tmf88vg6zfed8q8zv544g4u0l5ry4kmm4hmzslvj5vdxskhat2n
   - &test age1vgqvdqqe3mn0gvh0hydvu9c5f9yn5vek08cagyvwjhyta6utpvuq00g9c2
   - &test-pc age17a8y4yr2ckuek67rt786ujuf7705gvj3vv6ezktxxmgayea9zcyqet7hgc
   - &test-pc-vm age1wmcayhf9eyx9e9yp97850mqas9ns455crce8hfmvnupgcxd6sews5r0cln
@@ -21,10 +21,10 @@ creation_rules:
     key_groups: [{ age: [ *chn, *vps4 ] }]
   - path_regex: devices/vps6/.*$
     key_groups: [{ age: [ *chn, *vps6 ] }]
+  - path_regex: devices/vps9/.*$
+    key_groups: [{ age: [ *chn, *vps9 ] }]
   - path_regex: devices/nas/.*$
     key_groups: [{ age: [ *chn, *nas ] }]
-  - path_regex: devices/one/.*$
-    key_groups: [{ age: [ *chn, *one ] }]
   - path_regex: devices/srv1/secrets/.*$
     key_groups: [{ age: [ *chn, *srv1-node0, *srv1-node1, *srv1-node2 ] }]
   - path_regex: devices/srv1/node0/.*$
@@ -34,13 +34,13 @@ creation_rules:
   - path_regex: devices/srv1/node2/.*$
     key_groups: [{ age: [ *chn, *srv1-node2 ] }]
   - path_regex: devices/srv2/secrets/.*$
-    key_groups: [{ age: [ *chn, *srv2-node0, *srv2-node1 ] }]
+    key_groups: [{ age: [ *chn, *srv2-node0, *srv2-node1, *srv2-node2 ] }]
   - path_regex: devices/srv2/node0/.*$
     key_groups: [{ age: [ *chn, *srv2-node0 ] }]
   - path_regex: devices/srv2/node1/.*$
     key_groups: [{ age: [ *chn, *srv2-node1 ] }]
-  - path_regex: devices/srv3/.*$
-    key_groups: [{ age: [ *chn, *srv3 ] }]
+  - path_regex: devices/srv2/node2/.*$
+    key_groups: [{ age: [ *chn, *srv2-node2 ] }]
   - path_regex: devices/test/.*$
     key_groups: [{ age: [ *chn, *test ] }]
   - path_regex: devices/test-pc/.*$
@@ -49,8 +49,11 @@ creation_rules:
     key_groups: [{ age: [ *chn, *test-pc-vm ] }]
   - path_regex: devices/cross/secrets/default.yaml$
     key_groups:
-    - age: [ *chn, *pc, *vps4, *vps6, *nas, *one, *srv1-node0, *srv1-node1, *srv1-node2, *srv2-node0, *srv2-node1,
-      *srv3, *test, *test-pc, *test-pc-vm]
+    - age: [ *chn, *pc, *vps4, *vps6, *vps9, *nas, *srv1-node0, *srv1-node1, *srv1-node2, *srv2-node0, *srv2-node1,
+      *srv2-node2, *test, *test-pc, *test-pc-vm ]
   - path_regex: devices/cross/secrets/chn.yaml$
     key_groups:
-    - age: [ *chn, *pc, *one, *nas ]
+    - age: [ *chn, *pc, *nas ]
+  - path_regex: devices/cross/secrets/xray-server.yaml$
+    key_groups:
+    - age: [ *chn, *vps4, *vps6, *vps9, *nas ]

README.md

@@ -24,3 +24,9 @@ An overlay is provided through `outputs.overlays.default`, you could use it in y
 }
 ```
 
+## TODO
+
+* Write this readme file. Something have been outdate.
+* Servers in XMU should use vps9 to run proxy.
+* Allow to specify oneapiArch and nvhpcArch per package.
+* Update document. Something is outdate.

devices/cross/luks-manual/default.nix

@@ -3,17 +3,17 @@ let devices =
 {
   nas =
   {
-    "/dev/disk/by-partlabel/nas-root3".mapper = "root3";
-    "/dev/disk/by-partlabel/nas-root4".mapper = "root4";
+    "/dev/disk/by-partlabel/nas-root1".mapper = "root1";
+    "/dev/disk/by-partlabel/nas-root2".mapper = "root2";
+    "/dev/disk/by-partlabel/nas-root3" = { mapper = "root3"; ssd = true; };
+    "/dev/disk/by-partlabel/nas-root4" = { mapper = "root4"; ssd = true; };
     "/dev/disk/by-partlabel/nas-swap" = { mapper = "swap"; ssd = true; };
+    "/dev/disk/by-partlabel/nas-ssd1" = { mapper = "ssd1"; ssd = true; };
+    "/dev/disk/by-partlabel/nas-ssd2" = { mapper = "ssd2"; ssd = true; };
   };
   vps4."/dev/disk/by-uuid/bf7646f9-496c-484e-ada0-30335da57068" = { mapper = "root"; ssd = true; };
   vps6."/dev/disk/by-uuid/961d75f0-b4ad-4591-a225-37b385131060" = { mapper = "root"; ssd = true; };
-  srv3 =
-  {
-    "/dev/disk/by-partlabel/srv3-root1" = { mapper = "root1"; ssd = true; };
-    "/dev/disk/by-partlabel/srv3-swap" = { mapper = "swap"; ssd = true; };
-  };
+  vps9."/dev/disk/by-partlabel/vps9-root" = { mapper = "root"; ssd = true; };
 };
 in
 {

devices/cross/secrets/chn.yaml

@@ -6,12 +6,8 @@ chn:
     rsa.ppk: ENC[AES256_GCM,data:9njXWqYEZ7jd0u0lvtmIarEka6n6oHmMeLFvBGejAt2cXZdrZzn5hdotT1+yGrPQYH5n5+f5R8E9wSAZK9Xwn5qfLxXkjmOOVd+L+UFr8fNwlac2GK8Z2OpYKSKg8JbNRw7kgl3ktu8xE6IWqTdL75idvW5JI9iXSSLT9o86oV25HN5Ku/JzRRc9ZlrSugxza/w2yUv7ICT4wGw600aXWhF4R9c2vf6+vZyxaBt7BzaT2+IPPrxDxoW6jx+1fATlwTSiqcKD/0ymy0Hk4ryhI6Vk7BaK5ePC405pdghXA3zwHvRKoFtZGPLy7+iQe4GLE1GEOLN+3MSSAlJEnGMKnwP93IqcAghIXAFXHaJzY1a/492waYqXCc3H/SOlI52oKjZY/SUKoSkDxRoY0wr3OdseFgV/BEWgrunN0MakTiqY6Q8okMX3LXeaUHwnIK9t01eLpvIUA2Y1wI7Olx2Ez1Tp1yPjACTZlQrOPOiCeumlRey15bGNywV3p+DY5wM3zqBn+529MauJv7W2NYIJ6do26hAVpe5FMYb0l/G8AYg0E+AJ2nfVRb8Gu5MxprSNQQEMca+PxKSsmCvicBeNuDreZwt7vpMAb8ndv8O96k8cz2G126Rpe6dgsf3XND3VLWJpYIJYG+KA2AaVCvayAcHRUfIZdZ+wMDJFP+nQHk8wH8/Zu6mWL0nkgFMIj7C/xymdIO1Ugc2CjUlZZtSkgZ6JnAQ+rs94B7QBSCcEnkd4kOU4CvrH1eIyxXS1YH6KhYVhOIXeZFvtI38ergae/ruHfruU4tYk9sj+MmiK7tQDVfiu+XY56mrYt46sDOe36nUDAw1xMLV18Wu7P3wh2zwLrHzRcpTljlcilEh6NQTbIZBm5oQUCJhtYkfPtfsOUs6EKR6Zte1xQE6jdMES6Nnki4OAyv6ZC847jZGkGVg2nFkg8K0d3HoLqsIb3AJMgSNoZtImsGdo4I/jgiBdt9GEjXj5o6zYAvt+F/fea8Lvz/JveU4eL+HA5++pSuuFH33eYntPsPeoi3aXMt3HgHpan9hUAYNSTn0IBrEbsFPkxdaPVhyVygZo7nVzMc1z8xRhMuDv/0DlRpSzd0CM/5nFsaexX03W2ByKUatEP+DXxWswXXV0pod1Q65Jp8X6jr3KrGdzgQ+xqT7yCLDInMP08ug8d3MV8cPvdTLKRy3H789WyBKKH9LE6L36ron3571L2C1YRqnSaCtLF4PZWcYhR8QW8DWhU/tQVPc39ny0PazwEKJK4vAuFc9voYTHMgYJ9fvM+TCRQVRi92yECtHO0XsS08UVz4aJpiBnpCf6k26e9Fv5nZkpjeG8l6j1/FLSbUUzM8Ig8JVJZXOV2mkZxB+UVGAaIAaIFuxHJ0u8EVqNGW/yRneZiFop/j+4/rUmR5QaXsqlp6dIjqGiGQxkAsNVc5TiRG4ChQJn50UyqUFWNT/YIFZyJnE051ztZzl0DXoqLdfjn63HJZ0E7OLVwpe6xYQ3DGvwmH+siq5mdjbhF8477C1oes7q+Pc8L8vlYRTIKeLGm5asN2ZyPDigpAnDcPsZUh4Z1EY9/uu1CTG4A2yUdx1Wk9+1ZZf+X8SGK5YyQofuA1WJR3Nxvxr0K2ThUJc2X4jy1x5FCWqINotiHWEj1VLKUEU/eqWcchp99/r6Ai9DBrsuwd7zLq1/EzWyGRFL04aoaHWkzq/2uxs5mBwJYAoRBhXS544JbWgl3k9gnhiTdwzmHxuJqGLQGGLT4kc7va/ym81dPQE5QlMlEsmf0ecHyT9X67GYIsxQtxi8tepM9ycWVRkH2skYVSodOdNvwRZkmtJIzw2lECdx3Sx3u1RAudXMUdGzviUas1+4V7L5w95QF8mQCS5gkHwu11mH6T6aRGLFRUfKNkbOGoiCzOeGsnoQr0IzkwWZ6Kpk/1z8txKIxNfdM3woxAGKbQ==,iv:rU+t8OnwA5yGRQZYSI9GQcfaZY2EjCPxrsoSzlCy1Ok=,tag:5H2oYeXpEkwIhtnAz6uywQ==,type:str]
     xmuhk: ENC[AES256_GCM,data:I87DH/L3FE/qmYNJ4GPbvuEZ0BU3ljoxjVO+C4UUSGiFq+d0SwqteH8X36SZHsPVOJLtbw+HDxvHuu8avCdPgyg+utYQ902PnU6ldvxpPak2eK/mZQo9KOKNQa6U2QPL7Yq3odemlAHTTp8BD5yOc4gnxGP5/TZZt3jcSAza17tqXwO1dDE0o0ilQ4v5SW4AtBF9Tph5sTyYy9+RlGagvUc35hgl00gDzoTd8ydvFGWSVKO5nTRMQQUfJ1/t5L9ruH4+5+W7Ic6bRXGCSSJ+iKUUcR/N2Bjizcae7TOXZ4VmqkCBHUYDcRnI7kLI3An2dliuPsgyIGVBOzmayNFn8MXjJritptbbm1zC60xzJFaamkQdSTTwUBXNVY5Y/0m/W20/AxyMOvpyxWCDx9XKYK9J6BxqI/uSkJ+IIxHZuiDmY8pF4l6THOd37anRxP2u3S2+yv1sVxqu1cVKR4fmtKqry27KcGkRFwU78qm5QQlSOcxXNSp6gsX5BOb7y0f6rWekRmHLN3gcXJPpEF3AYRXhQZs81J9Tij7F/jemXSG8282PHkvZOnnJQZjb02uVu5NxF+8couaYF18oFjncPlPDrJXEtT2tSabma0fneiLDXnlZ05oPXyWbn81b/KvNxgsDnUAOf3p1sdmIcMG2FLSc2jmaeAF2dCnn7EMjWHwpoR9OeTt5Iq2XIvBzqLsq0dfX22OFCxdO+MX3yWEwZQsU/78n45jiIMOFHZq7GuUsMEd6/p1A9yyuEpkhgqxKRPCIzbmJEaLDAiFSeKw5Q8y5u3sE6NWCJouRsyYaBVtjBYuPCxRA/C5MwiJNL8GCxC++GYWn0OTiAmLMbFyFWVMtwcfVD+SRaOdjzL6v2VvtQpAmNnz4FXdQUb2PpImN/s6Rdg1ca9hPMVkqqgfdc5OC1KvwJP6M3s6g7xzarzTz0whJ0mhNthAHWa0rrnnIEdXa1bdxMEHafkv0VTsUayqfU8kA6pILUFz7d7pot1xrs7ucgw+eqT193kc4XyqxJQK26eWuUVyP1Qd5MnBTQnFXplqIY2sTjisICpvhEAdDeWNN0ouXLFEuQfvfINTydGgITMfQgZbdUuqC4PtdnatZGnwEsuXjRpQ2SA6y1mP3gG3AEvfYnhgg+S1F0pcpN4sa9B1DHvs6ILRaNSnHTHWklD1sMD2YXTgpuFHKtxZMa7dc+pCh4vyGViSgauNaACK/91+OlLPoeIPeQoREvzkOhz+VYXRtG6N5lTMLuubhgOdicBKz8Qt9S9BZTOiJ1hEb4uXXTXwkgulUa77Rd5HEnr31l3BvsNrCt3fDNT8Ec46ICeoRnDjPEIZpXTTUZc7C/J1UUuDCQ1dzVmGrZaM6vyRCFzVa6rgj138CkAp2zF5QzJPyHtyrciPCQfgLweAoT6+tUBOngZNcZ+gSZYrA4uRmwlob9Af6uZEL/GA4zRcSCj73h/7VDhjI4IgaxtiTGsMEmHtGBdryVIPuT8eRcdx6tDkulgQvFi0ku9iqKuBCYpveK+y6OO+5V7GIow7gMfU5AGDNYTNkrVIkhV+Bm5Y3s43eHhda6xxVFR948QvrbYIf3PFMcla2tc0LTOk7r/Fyt/3ij77aVjblq+gfoPtFrbEhvg9Yp8NDnlnuqYel+D24eV+Gd6vY79Gu+JGMgZvFlvEhqJSrKVQ8r4lXl8FMP+S8P5XxXkzf6SNbj1Qm0cwTEtg8p00vt4vH8MaYbSFSSwUeJkOEolDMFSW8FPvqenz1tFq8ShFXB7fuNaU1iqyldnSU3xpswjP8RyrSkZPMClSr2esuLx21+YYSJ90zHtB9kLGdTmp9D5hkGa4IpsbvGVlEvB+yfU9AoFwOi+PoajlxabMHFqIwlyGbl5pXd8Da7PFI1PGfkUa9rPBiusk2IDhXGJn7M00HcWzSjfepkE5EbxzXH0NlsXsqCpGlP1KvDIx4NCYMWJgf7iWebytUqO+AR8nAZlIV95b22EzcsGjAzo0SfqBQnyE9D3y4x/JdKKVy8rW8w/++DeAqQw00VE1JfFubi9NLCzqUQV3zgrEb3SC0yswCMowydXV8Ahl+79Km3Hdnm9H2s94iOlIWMCOV/RKWI/qZujq4ccQdvl77GC+5vXEY6bccNfkIMNPCby9O2383EmS2PzLzMdV0rEBoKkotib+i9IRVKIWJ+pwJwWF/ZPdO/ZcX5ds6oT/U9+RLk+Bq2eLAUwHEVd5mhw2V8Ngj9mp0O9P5vcWQhovnYQRh0WJwJUM1mWfiVLS1IZktndP1efTWR+SPw47tuVcuMcX3vxfReERMAIiO1EcR8+9WYzoSasB16sm9sN1nJUx/LgThjzRTszfy+GFJJZ4dIY/noYyH9LvIz5rHKAAbja5c0PjB22DXOdEjARoXIWHTTH1Ab7/eVk/ixbHOx9sOET9C/koI/URX1XtTRIuM1UXt4OJbIn3fvuPOywHTkWeF5WV/19ZrMHSIM/JHGYc4au/sD06C+wJZseXLPXSIJF2LgabEXJjvHsb++gccqD0GofcJVJzgYuOaJ0ZydbJn670xa/qludJ1nMuSEc3Py4jTOs0vyfrMkDQHWUScT1C/HsQH1YcCKeyAZMSh4hphM7MtAY9v60cnhsyOAwmBhVaZGZSaFIWyf1+ea2eTLnF6HEF0HSYl7L0hd1i8bPBxoyjB2DIbxbzR7TiaMuPQ/HPNhZhXuFfZK6iBjrGDlhGCn/vlFgsSCGCdcLwKBdC8dpfgpyf65ccvtIXMQGFZMQynIDNCBnALF5dtTQprXf/O1WRuZSLAF/H7q+2gXl9hMKeCLWfGbGE/cWvrRw81efgjUQ8AuFUttR2wUL2u26JgrDuoCG9+vhs4S4x2tXDooucqIRQDAUEIE6gF6NsWDi33K5baQ3RA5Z6btNPNQkqXtz4yQE0Zlh9mFT/jkXGRfZ6RtJbT5jWdHQONXaTHTFK43eZlViM1VydoEwiCrclyWYHWswKyLNjQWATICe7X9NYyU/S/Rj9dIRUUzm2KjLfMEfjyiLS5MLDu9lmKUdXAcz4nFcCWIc4VRR5fMsMh6Zvk8eh/vn176Ic58byvfjsAAflZ2QQyZLaA+Utr8YbpxwbRp8WYg0Ktt7q3rlh2WegEa6wKdESqcb53dlK8qw3ICPW4XhFAA37Ru4zlZ5O+ayDoCvrsWE924VXe+1ctjGQ5via4ctDTXXl+GALQPbLmEfwSyvaC332fbZ6YRM1fY6GmnliWCfgHh0cPwuGNmXbhn/Bftsy+jL6ljma//pnkHfQrynho8XeW0edyrXY91CJtkHKhF4h4SVq4tLQ4cRFEjFfkwy4UXZ7m6AnY1cr83iGqbuU1TnKn91mxiBoPWx0arRHeTSCK/xRcBOF7NqBdmEMMefeq2lLuv+8VVKFBFUKCL5e0rKcQ1N2G2ALtrgWVjsaI0eJSyD9aGSADnlMWu14g/msECa5Clvzw2Q==,iv:cv9sYcivQZc/hz+Sri9iLkRHV3uStIvwT2/083DsUtQ=,tag:re/iwRtY/mlnxibqXBnkPg==,type:str]
 github:
-    token: ENC[AES256_GCM,data:t95+VgTEkcpsYGty95nKg+4QU86rVnJjw/LZEAk6PHc3ZR3GjPLBtg==,iv:1d/tXqknfEh+GFYj22TRtr7Sq9GpE8NujfAKDwJttD8=,tag:LNyI9Tul7g5mm1gM9ijWMw==,type:str]
+    token: ENC[AES256_GCM,data:hTmaIFtLYkrcqz9uVcP/g0mdEIV7ujN6z3m/Hr6U3lk4sJS2m7Lxig==,iv:WpTW4mM6XqPnpAC47fBXw3cKbfEawZKeNBi2fFoKbg8=,tag:rgDmc2WRKhLQrHyUI2O/Bw==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
     age:
         - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
           enc: |
@@ -49,8 +45,7 @@ sops:
             UjFLR3hxSVZVajY0WURiUklveHpzVVkKUwCaBC10Iq931J1umHA3xCWfi1mrmTAx
             vaJiadYqmMSwYk8g5thQ4jjweh133nL1AdxjmAZOVPgYUr6rmcRfXA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-03-10T22:08:33Z"
-    mac: ENC[AES256_GCM,data:s0GsJysfnqxdLi99gBsTlE7kZ3prTrhCuCtgp3HD3d41r1mMxQ7F8NqBm1jBc5vhYHcHQgS/YfSQ1kM6+RDXN2dZ5NMzchyXtcq9h7smEKxizRbIx0PSoBZfnxR4LTZfBDi4LUBPVVSjb6A+7FDcfXAp+pM/ciuxmvNH9965Xws=,iv:zHiROdgHavc/sCH7oV1cm0JpSBRjxj8QR6yUZzK/fAo=,tag:2TeMi2a71YOawddL/EeJSQ==,type:str]
-    pgp: []
+    lastmodified: "2025-10-05T17:54:13Z"
+    mac: ENC[AES256_GCM,data:cCa6Jz53okeMQ2BI+lcJojbo5NDfcyBmROwcC4O3olGC2v3QU4Qkchx2ju6+8LhPR0uTuPA4ENhotoeAK5A+8kwdsJDvGT8si/GNq6u4UWqZuXZ06Op0R5OU10vJT1qEKwYWhJMX8BRsFK7Ab+J3hz5UnOyYlpcmNQtJBEkzwqo=,iv:mct+fwOwKEb1eSqpBNA71SXjS0AWQDF+rzQBv/zABYs=,tag:42K6sYGwPxVHTdDgzOSZmw==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.9.2
+    version: 3.10.2

devices/cross/secrets/default.yaml

@@ -21,162 +21,159 @@ users:
     GROUPIII-3: ENC[AES256_GCM,data:c+HRdDZPugIVI2vmuOlorhjZzxS11c6CJiZ3ZEwFFHfIoIUmGsXoRPGraJ0BjI3W+XZbI6qk211yufTgXLVj7nOVi0PW/9mteg==,iv:H8DlkTjkL/f6Oa2LG3dHRsJuWkEqokUJ/mjMyDnEAc4=,tag:0QmUyfAbYnn7vs4AdwQtYw==,type:str]
     #ENC[AES256_GCM,data:F347rPlEQZyz,iv:VlbVlc/tFmmoe8lVDza7ZJgHavZ/1NM9mK3KZNVrpbk=,tag:iRdvv0ajtgrJgMe87vBFfA==,type:comment]
     zzn: ENC[AES256_GCM,data:P76cGOGJK3B7Z3nxZ9BlvvyegJ+4JX25kax7/Bj/0VKsH1cGEfyvNbPH8qYUZqm+zUvqEoFNZKWM4+IQKO7Zo9IXCJhGItL1Nw==,iv:e9lnHecgzSrHJkxumRpKGHzGlYbM5Yov4F4Dd4fIqrc=,tag:G7Cr7d1KZfldzYNRL1eSpA==,type:str]
-    aleksana: ENC[AES256_GCM,data:xRqQLPpcv0Ymz7wV0jDDz1i6eKIZKEXvqofO58VSHEC9aVSTLV7aXLw2kQ8PrAPo4FAkne2F6MYQGRwZFIHOjxfhw+ncXVDHxg==,iv:OSbT/f2LRUFY3DEyCCbWkPzwsrsNdVz6ah5ITRt+Kjc=,tag:00z36RTe76p1uxFCchGcpg==,type:str]
-    #ENC[AES256_GCM,data:xAGWajpTpg2keMthwQ==,iv:sQreB2mExZlWgVsig7885zf4LI6RFSitYUnD4ngvhfQ=,tag:viEY1wUVlDCqKm5ucQWzsA==,type:comment]
-    alikia: ENC[AES256_GCM,data:N4lyS8XZSxP3su+Frz00BPU+II+N6nosu4yOLPSG7zxefcJoG7i5bG3bzb1OQLc/x4fTuD2Wd6mEy6q66cizBkGn3xQHZIaW2w==,iv:FO64ACjOS6+UzWKP5WdcFOGZTzslfetX/VAxyUPZ3ds=,tag:6Kf0MCRUj9cbxyk4TsH8iA==,type:str]
-    #ENC[AES256_GCM,data:1br5bc3q0jBn4WrJzQ==,iv:YmIFhDd9Wl4dcKJLBC6A3v7oUXhBin6ZOuJknSiaYfw=,tag:8gtEBug4vHQkxN/9tLjqSw==,type:comment]
-    pen: ENC[AES256_GCM,data:XOKXV0YSFbHC3I3xO8fpWvYerNfVFg2afs+CUp2MZB+yt9KR5bTJdVOfUGldLbWH5CR4v5FxTrTujv24wJ710Rfyugxh9aFJ/w==,iv:tHLoO+XpdUk8S56QUiJQOpVO9C5epam9PMubMN+8fHw=,tag:H0srWRigNUedQMIAfJlfjg==,type:str]
-    #ENC[AES256_GCM,data:K6O0TIYYGZmM8iOwsQ==,iv:xtT8Psnoy51V9gsRo335+VT56FXTcMQ3d4/tnuWouew=,tag:k8irtZ33G3UFK++rzcmyiw==,type:comment]
-    reonokiy: ENC[AES256_GCM,data:fPKdOPAKbXUvK5Jj08T0iSD23mhhkTXCexgB5q3v5JS4c6V4S+W14WOkS4UHrMQls/rHslw0NyMzS5G27A+5vN+EN+xJZfuRGg==,iv:tSdNOgs61tyt7/hUKt8bfKvpq9qOQU14ligdxBs/ATs=,tag:6IoS/p2StKtFREIpxsWkdg==,type:str]
     #ENC[AES256_GCM,data:cZznknXjlWF6eoEaTA==,iv:tdw/54W2evO1o5sq1syz3k0DZrm/rjflxqJpB9LZgvg=,tag:d60Ctc5YeSmhZJUURUmeSg==,type:comment]
     zqq: ENC[AES256_GCM,data:iFtM0pxIvXPHBnLEfHdmYGVWXuroDLgUaAKF+DmuBdq1NY+pr33oXNJzckFZfWgpIOuCm4cNg5j5R6nsG+zk2VWdi2vuITT4jA==,iv:qfBC/D1gJYXOZ0Fy2DkAb+ImDgXZWU6R/Z50hbVDR98=,tag:eCr6lbSieWDCNaTYzoQ0qQ==,type:str]
     zgq: ENC[AES256_GCM,data:cHYFToQ5ulEcb741Gg3X4lKj8ZJy1zcLHpkVQjQXt5hRAQtPsiPlegi2a1nUIAUb6sI//4ffcytlXpdK2sXewFe3ZiIXy3UVjQ==,iv:fKaPxpfh5ssOwAbmEsAPaQ45KrNtkHZb96IzWc6pD9s=,tag:Vt91B77SjxYaZ/HvWVBufA==,type:str]
+    #ENC[AES256_GCM,data:B8NX79g1IqmiNdO9pmq11g==,iv:Uf4dOMGCa73+YgFwNHUGmrVQW7zDavyUn8pVlZIlU0Y=,tag:Dp1g1k3x6LYgyHoyOnXdnQ==,type:comment]
+    lilydjwg: ENC[AES256_GCM,data:/2Af4TldHmIbMzv8aDrlhElrsW+P//5cF7vQy/EzcKVa20WhLYIM1KICweZRdxE45FTWsxv+Fp21rBoQS89QePyVAw7POhtceA==,iv:Yv0J0GAWuBLSziHEBFPFSVg0kHjVf//f5ZKYLpyyjDA=,tag:+fJKhLhUWGqfjiSumH3dgQ==,type:str]
 telegram:
     token: ENC[AES256_GCM,data:zfMATU2E6cwoiyfszV35vkQG6JSk00y589wmGEf4wQNncPhNsvh+NcSfnTwHTQ==,iv:Q46mUquhUZLGQsCDYitk4IPu24MpVnYmi7aHyZL/b1E=,tag:QVbrwAA9mWK/ToJfGIs9ug==,type:str]
     user:
         chn: ENC[AES256_GCM,data:mTt2D+SkvVL8,iv:L0Pk5p46E2kKBdRWCGpwOKS0BsbIhZUslpIFWvkssMY=,tag:+AjbNJ1SW/8Mx1HLpWAd2w==,type:str]
         hjp: ENC[AES256_GCM,data:ZXTQhax0gT4PKw==,iv:MerbaWWC4SLazEuuJrxAxf9e5aaX9xpq9St+h9aqvMQ=,tag:x9knShK90OKZPcn9fKzvMA==,type:str]
+        root: ENC[AES256_GCM,data:KFyR8e+rt0E9,iv:i13OWPwPGpHP8CEGGVm24KgqEOxrqeL+Y3mHBYuntms=,tag:CjKuwE+USmQq6gncXQDrJQ==,type:str]
 maxmind: ENC[AES256_GCM,data:KfTXvxX4zzXBfNMPmZY1z5jTHTByGfH9qEo6EUAQqZ1JOtNUomOWNQ==,iv:KcexOWAXFhWfli6bAMZ+61x960trZ3iE9UYMuOtJNms=,tag:reuuIe6MkONpeT44U6yUjQ==,type:str]
 acme:
     token: ENC[AES256_GCM,data:DrNdcyf2tiZ5nmjYmsG13V63ZuZhNG1c/kkGM7eXQWvRvDbu37nKWA==,iv:xc4gtNvZ/BYG+KmT1XgFfG3Z17bBLURazG8tz4/laxE=,tag:khnYVQWjiiaQC9VsJyLV6A==,type:str]
+tailscale: ENC[AES256_GCM,data:ajw332lHmxY8mdaxeG6zLui3Coc7z/3+ojBIcZHBY8KhpRbEiAj6n8yIIj/7BffR,iv:oqCBZsrYz6bMax96QQVWhcXnppx676TbUh3Vl4qJh00=,tag:557nZp1SE7NsUii7QUtSeQ==,type:str]
 sops:
     age:
         - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyR09MUytUL2h3cWlIanNF
-            VWd6SVNWOGVlVVpGbGtyQWxnZlk0cEx2TFJzCmhtbGRFcDdlWDAxU3NneXloSS9U
-            WXBtQmg4dFhOb3J3bThCUDliUmJ4NVUKLS0tIG1uQjdiODdHWVVrVGIwb2lPN1V1
-            QjVyWFAzQTRDWXMyMXdUNytKcy9abmsKZ6maa6DoKPkDAYXGLVoLWIi3fzzs1SVF
-            C/9y2PG/j7F8Pd4hUHl7ILWN/VNbYKQwGYp59+kKeAzeSHkJeTTKyg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBma1JoNldVdG1yNVYxVm5y
+            SWVEemtFUUZHOVVRa2ZPNzkvRWxkTEN1MENBCnQ4elhUYmRuL0xPUVlBbFRNSUFp
+            YTFIRVlHaEdJMlI4TENIS09HcVVrSHMKLS0tIGErY3pJaG1YdmthU3BzZWtCeWkw
+            Qk5TekphSjFqVmg4dEkwWExjek9GK1EK+gzFgvWe2otn946O0roo2K4ADR/U96Co
+            tw0wIOTxw6dtkntbvZHVz3Mh38K5mBpAjPLzyd4IjuUy2AkNSkwGew==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1ffvr5pqd2lfj24e3fh53s92z6h76fda3du4y4k6r3yjumdwvpfgqzj033a
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZaitpVkkvNEFOMEZXK2s0
-            Z1o0UTZ4NFRrd2NqNzhNVWhncmdWWDlzZ2swCkthMU50WldYajN1eEZCRVRUZ2d6
-            TU8za1R0aUdCV3hZaVlIRE01UHdYc2MKLS0tIFNWcFdVWGc5dUVtWnVVbGh1WFVU
-            UzFsYS9tL0xNeDBmQWIrTVB2MkVtdVUKjMADWap5h4NGj3ESamUHz3+8AtO2sOL6
-            wFm/sTfEuhFqO8bodtBXB/veQOrr97Dw8PhO/6CO5JdGTEyFIZ3DoQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQMW4raDc4V0RWRkljb2E3
+            a1Q3ZzBFVnVpWit0andqNmNrZkZqS1VSbjFnClM1WmVDbUV1TnAwRHJOU3ZsQVhF
+            a0NQZng4VURGSStCT216OGJuNU9jaWcKLS0tIGY5YW9MUjJZd1Q3SVNEdGVTS25x
+            bytMcjJTeVh6a25ZR0JjV2dIa3BZM0kKi/b439/DJPLu1ccqYmVDQMAOaT8Rae0U
+            cJlTLPHiN+YINT1/NMT62UuPRbGq5puK4v2IXxWo4Xc1KVEwE4j78Q==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1yvrl4y0r6yzcxzzkgfwshlrtsjt8uuya6rfwks09pnft7esfcyvqmrtm5q
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXOFprRWZQaVpMQkxJN2Vw
-            RVB6QXN6bDJPcEt3YURaby9PZm1FZHhDRmtZClBiV0JobHZRejhWVzhOZThRTTJ1
-            UE91bzdWMjJvYllIWXBmQkNReThIc00KLS0tIGRLa0V1b3ZWSVQzc01sUlBMVzBz
-            blZyM0FpelBoTE5Ia2J3S2c0WE5FcVEKKTJ5jzNLkLixv+8DlcTrR9sWs6GihPG6
-            x9w/Zu5H4DK9EVFyksTujRZZMI6o4lHzl2VIrgkTNQUwIPtsqo5KMQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYUWo3ck9qN2VybUJrNmdk
+            Q1ZlMEJkRFh5OS90cHVheWhoUmNveGQ3Y2l3ClorWmlCUEhpWDAraUR6M1dlTTdR
+            QTRCeTFRUUd6SFBaYXBDb1VFc0ZMbW8KLS0tIDVXMEhVQml5bW5MbXJqYWllZnJL
+            TysxNXhwcllsZGJOejZXUEZkcU55M0UKvIwSQ49VO9cJfRPKzEzly4R6GAPOyi43
+            5aWMh9Yu5EpZTUmyg5MByBdd1ENZZfqy0u9U1BiGxq7fj0DM/pYWjw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age164tyqklwhdm57tfm5u863mdt2xrzrrzac4py8a0j9y6kzqcjy9zsp073t6
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxQWwvbXZoNHFxM1Y3L0pO
-            cDlML1ZWWXppeWxaZjZwOFVvbHNubmxEYUI4ClB6Wm00dTRFUE8xTFNlUmdacjFU
-            VGNiMFk1SHpOVnJ6RWdyVXk3WGkxZm8KLS0tIDFnamZqa1VqdUVXWFN5YW5CNGhh
-            UHc5bCsvVFV2eDlLR2Q3STFCQXpZRzgKSVvG8HcDtBJAh8iNrQd+UKbgs/k5Yf2t
-            KqMdODturfudk8QJn3pR97essszrsK/HS4yptp71bBSj3qK50Lp/rg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByWHRSNFBqVHlSSHUwOXRS
+            MTFPdFZQVzZ5VEpwVE5EN3hqYUZWbEtoNkNNCjRwRUlKVmFxTDNiOHh4TWYwcStP
+            UGRLMmN5Rmx2K2VGRCtCOWNmaENEZmcKLS0tIE1oZUdxRFNXTEljd3ppWXpUUUhE
+            OXMydGE5T0tCS3BUQ0k4bUlEdDdPVE0KFiFCbmzRDXz33uh/klHEDdTP13tGWV4V
+            v7GLkjcoDyYf/4N7i8meu77E2zTMiTdDbUOF0oehFPTDrM1TwJ8LtQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age19yt2tszdtnwylqh5qdmg25mlfd8cft0z24x4mp20fnyywfs88cxqgwt9m2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSSzJGeDJYUHRtV0hGb3I5
+            ZUlBRnRKem1ucXk0VFZvb0xlSlBkeU1ZeFJvCmFJeXM3eGJBcC9IWHdSV05obVZq
+            b0VOT1NzdzhKOWVYZytQOW5UTXlDS3MKLS0tIHc2U0crejgzTUtVbm9VN3pVNzda
+            NVNQU1RNdldXR2ZoWCs5VlZYV1JyTWsKayt8OOhvopxjAyNMgRTwZVHaRGApUURE
+            V0jeyb/l03hefxUkEsR1yxsQemwJAbbzhhjnsWjjxJ7Zt+bh4FdHiw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age19lhcwk37jmvn6z0v4dpdfh0k4u23f76twdjknc0p7atktf37rd7s4t4wj3
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5Rkc2MVhUc0tTUkNsenQ2
-            aVM1dG9MSVpwaFloU1ZRWmVsaEtYVGY3NlFnCm5PM0VpWVFKdExJbExIMnZ0Tmw1
-            eCtVdkRpVW9lcFA5bWwwbWNaYTMzejQKLS0tIHA4MTd1anM4NWtmQUx1cVlsWFVQ
-            bk5iV2xRazdoZnY1dGhKSGFFdUFWY3MKGoxBih7fDQoZFxj8JjiRAl8D3/8xWBeq
-            RS/8C6v+/V+Afnv9QN6uYt0l4YeGn8tv1TRNWXHZl0A6DFjzouwhZw==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1m7nrxfw22wvp7pj8y9pdl745w95x89uu8dzl9ppsaazweqf2lqms5yshsp
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzN2hsZGExRnFaclpUNEdr
-            bkJJM2gySmtzUlVmZWoxZ3pST2l2dGtCdnhnClNWeVZqWTJ1Mk1pMGZCaXppU0lY
-            RUtlT3YrQmZuVTZ3TjJYMlhGMTVMMncKLS0tIDJsaVQ3aHZIWHhXOFJ1WmpQUDNk
-            SjBSRm4wWjhpUzFmVUtwdGUvbmVIV0EKzgfa9i+VJLPvBRrFbNavZtG1hK6jazoD
-            WHkWedx4AUUJQQlp12Wetj/0yY9jF3BLv/wvEAusq6Z4dO2aHr3sRA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLbE1uZlFXRUdkaGNWNGpn
+            b2JiT1RoSWVLVSt5VHQ2bVRRU0tnVWRudDF3CnVsYXk1R3RGTXN4MkRORERRYXhq
+            UFJkOTZ1ZzgxVXhxOVZ5akpqdDBKNUUKLS0tIGpDS1lGMTRKS0wyOGxyejZvT1F3
+            WjVLek96VW5iNHhxSytvZDVDSWcyRW8KrGqY/w8wOaw+PEAVNMtTpsdSjk+gD+gz
+            fzs9+4uo9Y2KzjCJ6oHIVC4Yz7VkG9Ipo9p6Jd82SJIGcuRtsVljKw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1nzetyehldf3gl6pr6mu5d2cv387p8wjqn6wfpll7a3sl8us6n38s0ds633
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQcWFOcXAyYjNoSEhLdEtC
-            ang3bHJ2RmtaL2RManE0K3B0elg4aHJmODB3ClZLSXA5MmhVT2ZZSm9KSUlod3BB
-            V05lT3h0a3NQZnMrNERwNk1LTHRiVlkKLS0tIElESTNEVUpZbk93WFpXNnRTYzY5
-            K2tkMlVCRnBKdVRzWk9aQy9kUUx3L1kKNO9LsaJDfF0v/XCMYV0lmHLFakbVjj+H
-            wGJZQYgu/sETDZQVMeu42fQ++IKElmpfq2/o6+gM7aI0RxLqnBryfw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQUnJCdXloNk1FdnlMY3BZ
+            QlFrdkJEYktwYlRLblhQeVZER2pEYWd2UUE0CnVaZDk0b3VoRjlVRVFXVmZQNUpR
+            bngzcHFyaEREaVVIRnRhc3YwVzVwT1kKLS0tIEprbDl6NVZTSzZPZlF3NjVUODFD
+            R2EvTERKTnpoWkdiRVd4c1Ywdm5OV2cK5DR+WLAYmTRVyIP3kx9ImL7oFou/xyJJ
+            P2GNebydAIBPdRmnnPSk5qsGKxZBpiXesSpPCvf71NSp0ayQWtuaZg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1wj33xt8nj7rhnsenepsf6k3lmq5vk4wn84jwr55qy9cwu05xn5cspg3h7t
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrYnBzd1k5UEhXZ0wxSU02
-            elZkYlhDWC9CbWFkRlM2bCs2dzNTSlk4TUJnCm1WVnVxaUYwZ1QvNHJRb29ER21P
-            UWhOb2tETWRJR09Sb0l6VXRMaU5KZlkKLS0tIFA3TldTUmJ0Y0xJemJPS0wwK05D
-            SHVXTGUraDE4anJOZFFuaHBKV1lMSWMKemZfKWbI0YR4QuR5zqvGKSnU3HzwZHvo
-            DJ9u2eq7R7OwtDscn9qCwPThORxLMWdI3n+3+XVwAysqW2efrvnGgA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmbUtDNk9WUXBYREJpNnNy
+            MDN0WVFRYzlGR0FxTmphMnIxcW5LcGZOWUZjCmRnd0ZNbWhwb3h4ZEVPSm00MGlN
+            SjRYZllXOGVXNjdUazR6bHlSemVscTgKLS0tIFh6aVB0QzFsankzUWpGVG4rTnNp
+            Y3ZGaDlwR0lmQkVnRWxVNGJqS3I5NHMKF7nBtR4gQQ3SMPgsRLczQXlUBFa/+2ND
+            sAcakFO2SiXnfMJTaEdZmoH6gVDjtGhxb72jNbx4c92yFUYNJrAn+w==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age16e7ykphshal6qhwfvat698hl48s8yr0jvzh27ecdyfh5uk7t9u6s753jgy
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZOFZQZmRHVUdjTXpDbFFm
-            SGt1d2lmYXVZa21iSFhMOTUzMmRIU3BIOUI4CmFvT1BMZmE1eC9tV3dJbVJ4ME8z
-            N25hc0NyZmtMbGFxYmtPSkFkSGZ4bFEKLS0tIE5sUFBTanJONjhtR3BnYjVYdlYr
-            NVZNeDFJOGJIdFlacE9LMmFuakZYUkUKmuK+ogCs3WH9TiGiUfRZ9L98aqRli91A
-            1xHYMJOc5FwI+jaHp1m7nkn+egIOmKvyyejI2ZHQ84tItS+aoiI0bw==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1l4stuz0vr7gs7pqwjrmezam44702jp2vmqaqyxw0l0r42kf9updq4dfhrw
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRRHdHMFAvRFRCNmNES2R0
-            Q3ptRDVrQ3JHaXBxSUlldVd5WUNFc1ZQeDBFCnNiMFErODJhbk5LQ1VGd01oU1N2
-            eXk4Q3VRcUNNWURDUitUMWNOQlJaeWsKLS0tIDRKQ2M1Rnpla3o1NTlCeC9wbGJo
-            cGZxcDUyYzZBMXRpbi94RkcvQXc5aDAKrHpvCDpECN5HS1qeNoiOwKWpT46bLQBd
-            404XgHar20AswgDIjAMp5KJ1pkluQ9j5pVKNFjqJ+9sb3RLYM7Z06Q==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsMysyb2NzMXRlMUk3YnQx
+            eFF4MEU2S0pvS1F4Q1JvUnVYcStDZURuMjJFCnRadVVNbm9IV01ScHlEK0kwK3ds
+            Z1YxY1pMT2RZL0pUZ0pPOUZvQ2xYYmMKLS0tIDE5K2xjU2dFSGZkeHZUNDNUMFhj
+            d0Y0ZS9ub1dVc0lSdXZlOXhMWEc4VkUK7S2XKWP/nHs/7wY6Qs2SaqY7HoAC3h3P
+            S+xf/tGriY7pKXIA8OSn4v2NQGE44LA8sk18c6cpH0KxdgMh+sumXg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1hnarptkze0ujpp05dqr8uma04cxg9zqcx68qgpks5uf5l6rpk5gqhh8wxg
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvR3RhUHBORW1BNFh5M1c0
-            QlhmUDY1T0ZmN2dGaUhLOVkxN2NiUklBU1hVCjY0MXBoNmw0ekpQYlMzdFZhNFA5
-            NE9XdnlaaGdiSU1BYkRvcThaYmpVcTAKLS0tIGk4UHMwK20yQ2w0N0hoQnZYK2Fk
-            czU0M2dQbU8rMkZJbEJaZ1NhcE1yZFEKUWe5IaDuPjfQ/m76m6DdvF8HWmDiVH1k
-            IQk6sIJfbcINGOVP+JYGJPWgq6LGg1EdW4ONctosVk6kxRO30N0rVQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpY05iS0V0aWdVWm5iYyts
+            YlBNSEFQZ0Nxck5jaWZublZOeFhvbmxTOEV3ClIzYnZ4bGZrT1VpZVZlVTl2YXdD
+            VmFEeUFPbTY3eHNXZk1jVXAzZ1paK2MKLS0tIHBsV0wwNllza3JZTzlqbE1DQ1Yy
+            Rk1rdzk3Q0czUW5oSEh2NEtFNitHOTAKe2uoBtAswRNNSV//PI7djMWRy7mYyJpy
+            j6a+cyUQ6ZTGsMTWIFTeymq83Kn/gZNxlgmFWc/NWN0t/i84yQM+iw==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age1n4lhfwv7g0vhx54exmwx9yv2z04m3h2lunzpa5zdzgtcvjjuf5nqc36g8a
+        - recipient: age1l4stuz0vr7gs7pqwjrmezam44702jp2vmqaqyxw0l0r42kf9updq4dfhrw
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1YXF5aGRobkFVdFQzRFBp
-            NnhvdWtxU2dxa2s4d2FiYnBrdmMvakU1cFhvCnJ4NWVCc0t2ajFpdWVMM25XUnE4
-            a3E3N0laOEYwNDBNdTc4WjdZR2R3M1EKLS0tIC9WRGpJSUhhM0JGZVJWaHlvSkRH
-            bXErdTlYQWh3cmZITWxIeDYzaklWbmcKKG08GymtessnDUfg/AgmQh9eyJx25Y+c
-            RyhAdNl6Lu2Hv7e/oqr23SmwFuhzgPl6eL8t1Nz3s1KraShZazjpQA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyQ0IwMHJZc0dFWmNVNkQ5
+            WUJDeE44SEpyLzdVUDdQTHVEdGc2OFpiQjJnCkMxRlIrcGU5WVRtdFZqc2oxdjBh
+            NkRzN0Q2MGNqZUZUMWNKRlF4czhubWsKLS0tIEdKVGU2RE01QzZ3WlJxU0RrUWtk
+            SFhBMzYwMDN6bUZyOEo5R094QjgxSWMK61kBpZIHQyB7fPEHw69c2pKoR0+vP6U7
+            1gHTVBIUvMc2UbuAvI3tSoNmSDYHpm8AE+1m0E3eZZFHbZYua9+hKA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1k2y0vm4tmf88vg6zfed8q8zv544g4u0l5ry4kmm4hmzslvj5vdxskhat2n
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYdlJ4QWRPUlpwSlJYaG5K
+            UW05aURRSHlXSmJZekhoZGtlL2dLcUQ3VWhzCmRsM3NnQU1ITGNkNnJETlRpUVJI
+            VUo0cHMxS3FyV2FsNk1iK2U1cnhaL00KLS0tIGx3enAzeHBOOG4zdkVXM21Ldm56
+            ZFA3YVNEM1JTOW50NGxWaXllZFFnSWcKi2LFPb9Bo+XtViBFz7x8jn8Xpn6K5dbQ
+            PJIepVai+5XuuhyUJXKf48b5jUT/FWIKHWFZicrLBuadWx7iHCX4Rg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1vgqvdqqe3mn0gvh0hydvu9c5f9yn5vek08cagyvwjhyta6utpvuq00g9c2
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSK2tkZXZkYWZWcEFhS1h2
-            YTk2N3F4L3AzNzdmZXhLRXpOLzlRa1NNSXlnCjRNL3paejlRUTZrVEFwdWdzRzVp
-            NVFReGwrZk9IdVhQSnFzK3lVMWRPOTgKLS0tIGs2azNoQm51ZDZrOEJDbEhRVTFu
-            aVdEZ0s4SjljZFc5ZTJwK3ZON3VlRVkKB1apktkRqW0R/Epn3bZf/Aym5evUmxm+
-            TLkJxTT6TVcgjobcpFvMmI+pqRWfh5Opj9a9lSe5QvsXxdgOs0mvzg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLRDlUcStHUFc4Vm54YTVV
+            M1V0Ujc2RENybTFVbHgxbVFZV0F2dlI1UTBnCnd2OWhTc1g5Yk0vR0Q5VmpHUitX
+            Y29malU1VEN0WW5XVVFWTFg0S3RFSmMKLS0tIEJKZ0g1U1hWSUZvdjQ1YW14bnFR
+            Wk83NU9XN1pxWHZ3MWo0VHpKek1HOXcKXdzEIlwE4riww33KCRcWEAv3vUQhSqG7
+            4ndZSMOzl9LMGJM3tvX+49TpdoLn+pkrE8g2BcBZPA2UsO1a/ASj2w==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age17a8y4yr2ckuek67rt786ujuf7705gvj3vv6ezktxxmgayea9zcyqet7hgc
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNWlhIdTdtNkpZU3Y5T1Vl
-            WjZXLzJYVDdweFpITEh6cmszOVYrZWI5eTM0CmNSTnd4T3g0dFNiTDNCM2hEOTVo
-            OS85R0VqdEZkTlhGWFNRZFpXZGlWTFEKLS0tIHQ1YWJrZERJUlZwZnU3RThucVRL
-            NHdwcGl2Wk11TFdCd25OTE1nVDNYd2MKOxa2f7bFgFE2zCR1kKtC6giQhr1P79W0
-            MKxil/x2T8rBNkK6sN0PjkphKdg9LVit86ilHPwTgnkl9oz8Cs6X5A==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMMWw5OXk2bjdHWmg0VGJI
+            MmtRNk5jUFBWc3gwZkVTbUIvNGN2ZlpZcFR3CkJ4Q01CU2tCZDF4djBOSEtzUjZS
+            TFN0dWNlZDdmSnZYdlo5aUpRNDVXaG8KLS0tIDVFdllPdVFUbTFYeUlHUEdRMjNx
+            dEUxemY4Nmp4djBFR2ZDMWZFS3VmOFEKCIeWZZslOeXVY3hqzyIEUeHPzN4Pk+xw
+            hCtNDvShZqcjdR4qwHHQwPjiiZvVk6k0M+GPH2KXVarbIlkqiwHPzQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1wmcayhf9eyx9e9yp97850mqas9ns455crce8hfmvnupgcxd6sews5r0cln
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmL1ZjRzJNQVFNekFUVlQv
-            SmJWMDRZMXNDaTNNd093b25kSk5nTDg0K244CmVLK08xKzlleXpWblRkbGZVMENi
-            U0NGVVhycUN6OEZDNjFBUndSdnRLdE0KLS0tIHJEeTVIY2xwZWdqdG9JRVhsRENq
-            UnR5Y24rSTk3WUV1VUgvQUFCVUxPZUEKv/lTy02gZYn4jF1uGtm+LhJd0m59Xe99
-            +unmqUDh0ZqAhJU8o0jrBiWs1lXOHU7CkIom7tGEMHGUxHkS+Z/6GQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUbVpDMkEzSFRhMTE4MktT
+            TWN4ZTRKUk1POWxsa0pPMzZZS2VtN1M3T244CjRJaFpaK0VpenNvWGZNZzdUVGdr
+            RGVycHBJM2VnU29TQ3JmMEJyUTg1QVkKLS0tIGJlQ3NwMjFhSkkzRmwyaXlYZ3pN
+            TXZuTFNpdElIUkNrcHA5T3NKQ0NvY1EKG2FGYxVFp/oa7kxpYD038uUHfZDuoQK+
+            7hsk7Tn+KTjTYs0E7soMcGVr8GRcqcJFXRjt8hFtw9HLDlzaYK6uMA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-07-13T00:27:59Z"
-    mac: ENC[AES256_GCM,data:iBBMsGOD7nDpXDPDlB/ml06y4WVe0uq7dptn5VZSppoxGA7BmRfWq9OKueXykmgfueqC3N45KVeRh3/b+FrsIRuTl1iyKnT3pd/naGTguQBfFewhrbqNc6UaDadpEVSgYiS76A5JwEoemePPHVUboDOSe0ru3uzNk1nDh/85jRg=,iv:8/GpDArKPYPG2O41p97oQZHkmIgIVdB7OWLvMrDXlaI=,tag:sq3B5Zo7XoA151WmgtvMMw==,type:str]
+    lastmodified: "2025-11-06T12:38:15Z"
+    mac: ENC[AES256_GCM,data:aIN1vCZVyKnZYmsWwTuClQT+Xsqx46HpFQo/4ZYu4V8WcDtR8UaIH2K/vq6LiJ3bSD06xxR3U9Ljc67hhehiFLMJr00l4KoczLvYYiQZKWC95A/OTyK1UeMMyioBYguDrmIKQiR+sUF/juPn7BjXdygYuVzkH7iLiTz4DczjIhE=,iv:zOZY/pBxieuNhWXonF/mq/0NoM2pgfWMyekx1C+LV78=,tag:EYZndCzRzV+v3icoESW+CQ==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2

devices/cross/secrets/xray-server.yaml

@@ -0,0 +1,98 @@
+xray-server:
+    clients:
+        #ENC[AES256_GCM,data:apFo,iv:GVyUtpmMFo2KR06S6hgm0Zy/iUJk4cbi9Yl/TiNkxfs=,tag:KdaMi6k9bLqlnVeCZ5Ohlg==,type:comment]
+        user0: ENC[AES256_GCM,data:qbXM3ZlNPd2A8Jt12qO1huCpXEGN1MsL5oPPYIuIJWtJd/k4,iv:3/be8p4HZnRbplLo6XrVa8TCvnLGRB0pYSsHrqZnZuM=,tag:SiViFW7BHISfR4CTqZHHCw==,type:str]
+        #ENC[AES256_GCM,data:qK++2XZ8JQ==,iv:cTBGDX7ZvPuGBbueoxTaTRhAk94J+MVhLmCwPNYy2WM=,tag:cgcxD8niAhRzBHlW0Hb4YA==,type:comment]
+        user1: ENC[AES256_GCM,data:qrsdJEEH0K3FQUBy2z6uXgg7iIhSLjNdhytb4nlXWDS4s784,iv:2/QfNMq/mvXVr/Kkt1/8QT0SLQRMrIMQi7lV9JwtJUY=,tag:XraahXAHu6agGAzTIs8zNA==,type:str]
+        #ENC[AES256_GCM,data:HBbmq8qGjZXo3w==,iv:wUeTTL2ceksqBvjxtUiOAlZmmuvXktWB/DoEFUBGsMM=,tag:QTEp6rrFXyLf2UHtE4wcUQ==,type:comment]
+        user2: ENC[AES256_GCM,data:QjONa3SjB7B/uzu9g8Um9YB8JsIoGdWmvk7A+hSe+TniPHql,iv:7OH4gspFB4eIAxGBHTFBEq6y5N1MTErbgQ6jzbyXUIo=,tag:X8h0gidTnD55KKSFcbuiLA==,type:str]
+        #ENC[AES256_GCM,data:dxMJLsx7IPiEN9g=,iv:JtDsa8j4alMMm6v+Fv5CUDiliLh7iz16dSgEQQcjvi8=,tag:5PgogsAqbeVMEtpFCHOWmg==,type:comment]
+        user3: ENC[AES256_GCM,data:exjMqGscWD1EzA8PTGw4rrd75K6SVFPuiaixE5iCRIkGLyYZ,iv:dfP7ZOaMtNCFhWvfkaFeFPFUZD4h3vQhoHj/SI3+bG0=,tag:ohkuRMP7qVFtNP8QOFb8ng==,type:str]
+        #ENC[AES256_GCM,data:uSJneMPH2A==,iv:BIyirNs1W1SJ/f26D4V1MwQR+AllT4Se1KmEeHzqP7c=,tag:99GkRHlVdfhxdN3zaPN/uQ==,type:comment]
+        user4: ENC[AES256_GCM,data:2efLv9agodkVcZSBBsVzPPrCze5cpb0C9A3WkZIrfoBF1YxH,iv:YBciseSbBo7Wxm96X34uHOwTHoxMJL5bDWhQm66s0lM=,tag:T6/kBJPZLTj1l40mnp97xA==,type:str]
+        #ENC[AES256_GCM,data:x2izZg==,iv:MWq/PyJtSeRkvjtLOcuy1JZ2RA1JN+qfrkWNdH3D3W0=,tag:Y6MSxOQsxPIpeB3U5L5LuQ==,type:comment]
+        user5: ENC[AES256_GCM,data:t8agOEuxDtEHx4fmw4okIskHP5DBuY2NaMKL6OBBv/F+Imxd,iv:PKeQgxq/E4vE4FKaG8uyFKhuMAzhPlUpE25UiL+9oGM=,tag:DVPzdtcG3Hck5HQ1c2FoKQ==,type:str]
+        #ENC[AES256_GCM,data:LeZZ1g==,iv:1c9z1Id4SOy5M8zXbEBzK3ePaKm5iDlyGjPuxvd/P6c=,tag:D7s1oWI5ONur/zbJLFhfEg==,type:comment]
+        user7: ENC[AES256_GCM,data:Yk6XSTV8fvLEDOKO67WA0DkPPHWYMPHbY/agEo9N5UZKWd34,iv:VnfMVQeVGqEsrI4+F5FsJz+btO2JjIJ7+Xtb1y/a5mg=,tag:VFuy2HFuR/xL6TpfI2pXZQ==,type:str]
+        #ENC[AES256_GCM,data:LJrX+KL9IPx+Qg==,iv:CeDhlFJXwxNQf25V/z+1nK+l2ymkVhkKPjeqY8Txfn8=,tag:KMnvIEbhqKCpQK+7XkoR/A==,type:comment]
+        user8: ENC[AES256_GCM,data:qZlOJmLVhboazv+RN6TCOuxPheeM3+pmur8ZggaPlOJAyOYo,iv:Mrq1LLte/+8HzOZI3yKapH/vhEfNW9lP9py4JYkdW8A=,tag:HA/XFbLK2cu5Qx+F78M8tQ==,type:str]
+        #ENC[AES256_GCM,data:oJmtrGgpDsGGFw==,iv:OKt2T7A8X+ASW1AB1TisTqTMKaE5xQsrW/gSwTfjHBw=,tag:/OCwEYiQIK2MxfgpGJdQpA==,type:comment]
+        user9: ENC[AES256_GCM,data:R/R2+4kR6EE8CpVONcmkHDSBfvG1Vo82fXCUYA/XGfQL8Hu3,iv:iqkivoGnvNKWOXw+CQ+/xfQeRXfG/OSUMNmv1ZfcyUU=,tag:xeEWhHBR9dRyx542G6ywzw==,type:str]
+        #ENC[AES256_GCM,data:StwPOQo=,iv:VkuAD9NevMl0hdnb31vWN5CTOKpt/2agjjx0QUpkVf4=,tag:jPW4n28Yx7L2FOV9qC50hw==,type:comment]
+        user10: ENC[AES256_GCM,data:QrYqOyxFkNTNk1gzxZR5tyQCInAapf7ZQs5ZSDpBwysgolKg,iv:BJuTVRvpEKc6OpTtiwCmVwySoLSroxr7PrcHStezgAc=,tag:5j4TsHjyiLJPqZNtzvkhtg==,type:str]
+        #ENC[AES256_GCM,data:qYr1yinZQw==,iv:hhPlIlvqTQhx2aaykfvYHfp4WOPkUvt7V9RYyF4M+9Q=,tag:Zo7nVeDN6mEvLLQVQ00vbg==,type:comment]
+        user12: ENC[AES256_GCM,data:UP6+WhGaySTAu/CHhPKviinNG4idINYQrS9JS/rRARcC6D83,iv:KeqVGDWmukQmQP6jALXgiVu9tdYTdbUoLjuhio04UJw=,tag:0Lg89PSA1mtJbJxELu1+GA==,type:str]
+        #ENC[AES256_GCM,data:vwcHgHRYjkNISQ==,iv:dyjjpPBApwwMKdzBezl3CoplmqSkd86Xg/Cqt6LEI4U=,tag:iqSnfbIUE4eBcNBRn/4E2w==,type:comment]
+        user13: ENC[AES256_GCM,data:BC47uCs4ww6GvmVDyyxsfU1neXejZ7G2A2zgjdsABVCZBKRu,iv:n4+JPd35lhDaWkcf7c826b2eOg/UDmuarLYIjtDh1co=,tag:lD5gwDyiZ85O4790O+u4Ng==,type:str]
+        #ENC[AES256_GCM,data:uhxnoQ7KcZ6MFQ==,iv:aM3zaFvL2Zem9I1sC+Guqw33Zl3hk2RxBn+oP9xaHUw=,tag:2bDvig8aIN9mpvMeX5FU1g==,type:comment]
+        user16: ENC[AES256_GCM,data:zWOkpPwFoXUirk21I+VwAhX0uZ2j+W8dDCaYAnVQdpqCrTo7,iv:IAl6jhop6l6IqetMCd23PEqE3WvErlXa6kBbKrIni2c=,tag:Kk7alU4T0PeYSgfq3LbP8A==,type:str]
+        #ENC[AES256_GCM,data:+GWm3samEUggJw==,iv:LcLIjh1eXMT4JIxNPyCbgiqUCZyS6mUv5E6kYnupasg=,tag:C/P5lscrlu56o532A+qjlQ==,type:comment]
+        user17: ENC[AES256_GCM,data:pyaEKKNJrwJ7cVxHg64dVT3i08Wbboo1wmGC+U6qW1l73oHY,iv:AkJ32rtr+a50xw30Jr5/Sb/flIK7cJG30Iw44Hb5FUU=,tag:d0c+ezonaZ5mSFsPCRr+lg==,type:str]
+        #ENC[AES256_GCM,data:v8kPeimXbQc9fA==,iv:f4kPRsNSUpqy8Vhe1I7CoN5X2kq/h74H8GAbkKmcslU=,tag:6RiCtYXezZ1+7e3DI0Jlww==,type:comment]
+        user18: ENC[AES256_GCM,data:oza5WDfR+sGXdW5sTrHfjl1haxq8B6r3bddChsmV6FQIz/AF,iv:hH3Zr9gsd+fdIdbZTMD8L5c71WtODm/yLvj0TcvSa4Q=,tag:mQxIYxnyvsNPhlXC6SwcHQ==,type:str]
+        #ENC[AES256_GCM,data:t088qCSsFlUCHw==,iv:hmLtwQVU4sfaPRDs+hk4LuMGlLFh4X+jq/Lm1BndyyY=,tag:JkqjOFPqYZ6PkjDV2DC1LA==,type:comment]
+        user19: ENC[AES256_GCM,data:xALQ/0gw5FeInNhWACt4aL0PJhnXBBMrDIcmC8DuwKy8X8YS,iv:4AT8vFMFSnQ3f5W9dXyYlYGHegnN7+3Jvb+6AiIotgY=,tag:WLRWve/V37GK52xX61dphQ==,type:str]
+        #ENC[AES256_GCM,data:q9md9z3G56TxRxo=,iv:7iqkqUZkdTYZgDFG7W4LgUxu1Ej7BW2bbf/UKO6XHm0=,tag:rtTIzd11/w+ZaWylDO8qcQ==,type:comment]
+        user20: ENC[AES256_GCM,data:FoJvPPZZxUjPF/41kZnFeJl0tA6sMo3QZ861gJyOj/Z4H5b3,iv:oGjaZ6S4Cx18qOuxPhiJXsKsHgv78y6u5oe3yWegob4=,tag:Yaln5CwBcQxmOmPxK3QFWg==,type:str]
+        #ENC[AES256_GCM,data:NCSde360stul/Bg=,iv:s7sBwjT4gWqkRp2qRs6LVWmo6G9iul/YYGwFriLIOgU=,tag:b4n6y2Z9bGfdnMEd0Om1Ow==,type:comment]
+        user21: ENC[AES256_GCM,data:1ORcDJ3eb+ohwWYVQa2wqoEqJD+1SiSFP3ZGoSEzmn9v41xW,iv:QkZwkI4wxO6ELWozCSZCxR4/FUSeGSbPx655d8RzsD8=,tag:i9KcmcoV57zKNvRIMexV3g==,type:str]
+        #ENC[AES256_GCM,data:0nKWzfJN63aG,iv:TsVdd7xhf0m0v4hWYSrbLyU5yrfviBqWKW5iQ9fwmN4=,tag:h6k5YwGO3rWAdumWEWjOjQ==,type:comment]
+        user22: ENC[AES256_GCM,data:AOLJcash08/caBGQwAomJqn6twokZT3hR7v06LsA2SFzPO+d,iv:wR10fgBQJFdKMHiwnGrcpAPodojqF04MqICz3hS/NOg=,tag:i7QScjq+Q3bGCW31kmZ8cA==,type:str]
+        #ENC[AES256_GCM,data:MPxp5ByvaGlzT6E=,iv:jQgU1CkGL/7HWrPBfcuolcbH4JywEYishMgMs2U+Hf8=,tag:nUYRxYhuu84a4fB60c3/qA==,type:comment]
+        user23: ENC[AES256_GCM,data:Tu6wla+a1YJrwl4kPTBvOc7FfslJvU4dqvM0x8WWIgqMvtKx,iv:zHAK7zeW4oXnBDFhfhjYXG03utVV4e3Ytq4B3n2U1+A=,tag:LuGmEksvoxip5/2SUPptIQ==,type:str]
+        #ENC[AES256_GCM,data:N90c2ThJckmw+AE=,iv:Lrw0p/HLzWdz6WyO8CjHfnuIHsZut4eUcg786AYhGLI=,tag:J3s1QHEqmxA7Twaqy28X2w==,type:comment]
+        user24: ENC[AES256_GCM,data:oCBJAUCZMDMXcwQy5WTx4mgf+2R1P6GW3H47DQCQlqD3w/E6,iv:eBIbcALdsBo4DEgrqvF/Ikz96tDznZfGnyswPpnHF0s=,tag:VH9UpMdSCv6mUJhbNbB5NA==,type:str]
+        #ENC[AES256_GCM,data:L8sLOCZPDuDs/0I=,iv:fTGz1ic5oeVhPDKoioTBqaVgfPMx41Drsph757OJNZI=,tag:akxseSJLwJhQBbFUAQdbyw==,type:comment]
+        user25: ENC[AES256_GCM,data:mjGyAwUjgdnyIXwsHEF/QbZiyqF9qpq+iIFkG2YH28hs336f,iv:dqLR2uy+VguRnmn9HRuS8cTPf2n3Q7Z64t1n/iQInhE=,tag:CZHGF3z0pi6YD+jzXv2ZsQ==,type:str]
+    private-key: ENC[AES256_GCM,data:j3juaKDM2ybruxp0T+7BkGBRwLWWwZARnHg42r/lDYNn+HPSAAc3dKQKFg==,iv:lzyHejiEri4S4mzDPm7xtbvbva3Nssmx0MCzyt4SngI=,tag:0FpbyU7OlgpaLIoj93oNFg==,type:str]
+sops:
+    age:
+        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaTXhTN0RXRWRLK3A3RFRJ
+            ZzRkQVg0N043N1VObjFpdE05bnM4OWJQOTBJClhpVVFNN0ZmVVpzaThyREhLeFpI
+            SnErNXZVSWd3RW1DUlJ0eVpibTg2SFkKLS0tIFNVU1VCL0t5dWhRandrUmpITmlS
+            SW1mRzMyeVNpME53ZXhwQllWV1JxbkEKWze5y1HRR/79k7AIvofuc8RdkQVIEsJ2
+            H2djW/x3KmKTtDVB9DTBQZHpNOOHIJ/nX//JP3s93xvPUizD0olQHQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1yvrl4y0r6yzcxzzkgfwshlrtsjt8uuya6rfwks09pnft7esfcyvqmrtm5q
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMK1V2eks1QXUzODJiWXRD
+            Vi9pT1hBNXNDODE0NUNKRXZPbEJobVpEaWhBCjl2WFhiZ1Y2dUx5L3BaVjdVdS94
+            bUlKeGVNeEZJanUyazhsVG1ta2d6aEEKLS0tIFJYaVZCWXhyTDJNTW1EVnczS2ti
+            K1NNbk1uYUdpVnVYZEpiN3ZtbEpOK2MKI9G4JCU47BiW1zpWCgqtHuUaryIF3+Xn
+            hqE4/OIgF8od70eNZ5UWvMneQLsnDEcIOa9i9D/L9A3Hkn5AlRoPQQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age164tyqklwhdm57tfm5u863mdt2xrzrrzac4py8a0j9y6kzqcjy9zsp073t6
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4MTZIWEQ1MVI0ZlNobHht
+            YjJjYndFaTVrOVNaaTNuVU9nNHJRdWlObkhjCnIwSTJBM3p2bXZOaWRZZ3MxSGV3
+            emJTL3JFQUJPN1d0QVEvVVU3RC9kaWcKLS0tIFNYZmVrWmVQRXd2MXF5NHdmbFhG
+            Q3lSOFNsdDRkWHJlazNCL0VDK1czdEkK+kp9jQrSV1IPTG+r8q0MRD9jbPSj0z0I
+            dVxhPAUNUqf4MPM/YbqA5YOhwZ89Z7gXsbtFezZbPNxIqyTISgcmJA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age19yt2tszdtnwylqh5qdmg25mlfd8cft0z24x4mp20fnyywfs88cxqgwt9m2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2TGVpNmJ6bU9veTA5a2g5
+            VmFEemxkTUtuMllJcnZsWG5lOExkalFHNGtzCm4xSnZnVHhrWVZFS05MQ0xtNElw
+            dlpOU2JuSHFuYm5KUncxaFAwaUxhUlkKLS0tIGV6a3A2SnJWbEVvTFFNc3dHOU81
+            N1htdGwwNWtHR2R3cGdtNlF6ajF6MkkKSjbyxsPZYeXd/4A60g8E1aSIIwR3ca9g
+            /9p8PV1duXhKkJcGKgDiwL3FxrFZ54rpySZeqMC16nQtnk3Fzt1k9w==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age19lhcwk37jmvn6z0v4dpdfh0k4u23f76twdjknc0p7atktf37rd7s4t4wj3
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKaTZIY0dmUkFHWHNKZHN6
+            aEZyRkY3b0tnRGdJREQySHJBSkMxcFFxeUdzCjluYW0yRmM0V0RTQUhhcTFYU3VH
+            V2ZjK0grR0NEYW5kbzlVMHN4STFMdU0KLS0tIGRoNWNZTHdOWUpuaWhRQVZQZlkr
+            b3ovaWVTdHJ6SzBrS0JlVk5Fd2xBcHcK+RI+BsGiVQpd0hdAPZJwbzbTsb4xql6b
+            ozSUmoy7yLD/ubeKzkajXlF46ya5LonALUFkw6e0nbHKF85Rj9OBRA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-11-16T03:47:07Z"
+    mac: ENC[AES256_GCM,data:ekU7qBI4r3IEoKKx0DWooK8chmKt52ciKMBAbY3KxsWIN384mP1TLsmjSVB2emVgiJTB7fVHq5Zu0RZOPbrRdqS+FnRnlSwf7GdTxo7VjJV3/eCoMwsV1UEwsqTqr8DUhaYDlT8Wm08THrarlBYaaOKtEJ8Qas2ykOxVyJbyzAI=,iv:y294b1hMUX7GM/AjjEEbbpv4woIrj6OjRmNoZcRB26c=,tag:THsUv0NdNZWtrecpq6xtzA==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2

devices/cross/ssh.nix

@@ -13,12 +13,17 @@ let
       # 通过 initrd.xxx.chn.moe 访问
       initrdPublicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIB4DKB/zzUYco5ap6k9+UxeO04LL12eGvkmQstnYxgnS";
     };
+    vps9 =
+    {
+      publicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIG+D3saEp9zThXY466WroVtqIbBSYK9M/QcsiuGgxsTV";
+      initrdPublicKey = "AAAAC3NzaC1lZDI1NTE5AAAAINBXlJjt2XoJvKQ8Mb91dSF1ibJAwOYzx+TPeTW6nIlT";
+    };
     nas =
     {
       publicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIIktNbEcDMKlibXg54u7QOLt0755qB/P4vfjwca8xY6V";
       initrdPublicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIAoMu0HEaFQsnlJL0L6isnkNZdRq0OiDXyaX3+fl3NjT";
+      extraAccess = [ "ssh.git" ];
     };
-    one.publicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIC5i2Z/vK0D5DBRg3WBzS2ejM0U+w3ZPDJRJySdPcJ5d";
     pc.publicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIMSfREi19OSwQnhdsE8wiNwGSFFJwNGN0M5gN+sdrrLJ";
     srv1-node0 =
       { publicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIDm6M1D7dBVhjjZtXYuzMj2P1fXNWN3O9wmwNssxEeDs"; extraAccess = [ "srv1" ]; };
@@ -34,18 +39,16 @@ let
       proxyJump = "srv1";
     };
     srv2-node0 =
-      { publicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIJZ/+divGnDr0x+UlknA84Tfu6TPD+zBGmxWZY4Z38P6"; extraAccess = [ "srv2" ]; };
+      { publicKey = "AAAAC3NzaC1lZDI1NTE5AAAAINTvfywkKRwMrVp73HfHTfjhac2Tn9qX/lRjLr09ycHp"; extraAccess = [ "srv2" ]; };
     srv2-node1 =
     {
-      publicKey = "AAAAC3NzaC1lZDI1NTE5AAAAINTvfywkKRwMrVp73HfHTfjhac2Tn9qX/lRjLr09ycHp";
+      publicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIJZ/+divGnDr0x+UlknA84Tfu6TPD+zBGmxWZY4Z38P6";
       proxyJump = "srv2";
     };
-    srv3 =
+    srv2-node2 =
     {
-      publicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIIg2wuwWqIOWNx1kVmreF6xTrGaW7rIaXsEPfCMe+5P9";
-      initrdPublicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIPW7XPhNsIV0ZllaueVMHIRND97cHb6hE9O21oLaEdCX";
-      # 默认仅包括wireguard访问的域名和直接访问的域名，这里写额外的域名
-      extraAccess = [ "ssh.git" ];
+      publicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIK9FZUOZ51pWdm2grTXDdSGMZ3g9DkvHUBvY8bFoTZjy";
+      proxyJump = "srv2";
     };
   };
 in
@@ -59,13 +62,7 @@ in
         value =
         {
           publicKey = "ssh-ed25519 ${device.value.publicKey}";
-          hostNames =
-            # 直接访问
-            [ "${device.name}.chn.moe" ]
-            # 通过 wirewireguard 访问
-            ++ (builtins.map (net: "${net}.${device.name}.chn.moe")
-              (builtins.attrNames inputs.topInputs.self.config.dns.wireguard.net))
-            # 额外的域名
+          hostNames = [ "${device.name}.chn.moe" "tinc0.${device.name}.chn.moe" "${device.name}.ts.chn.moe" ]
             ++ (builtins.map (domain: "${domain}.chn.moe") device.value.extraAccess or []);
         };
       }]
@@ -95,18 +92,26 @@ in
             })
             ((device.value.extraAccess or []) ++ [ device.name ]))
           (inputs.localLib.attrsToList devices))
-        # 通过 wireguard 访问
-        (builtins.concatLists (builtins.map
-          (net: builtins.map
-            (device: builtins.map
-              (name:
-              {
-                name = "${net}.${name}";
-                value = genericConfig // { host = "${net}.${name}"; hostname = "${net}.${name}.chn.moe"; };
-              })
-              ((device.value.extraAccess or []) ++ [ device.name ]))
-            (inputs.localLib.attrsToList devices))
-          (builtins.attrNames inputs.topInputs.self.config.dns.wireguard.net)))
+        # 通过 tinc 访问
+        (builtins.map
+          (device: builtins.map
+            (name:
+            {
+              name = "tinc0.${name}";
+              value = genericConfig // { host = "tinc0.${name}"; hostname = "tinc0.${name}.chn.moe"; };
+            })
+            (device.value.extraAccess or [] ++ [ device.name ]))
+          (inputs.localLib.attrsToList devices))
+        # 通过 tailscale 访问
+        (builtins.map
+          (device: builtins.map
+            (name:
+            {
+              name = "ts.${name}";
+              value = genericConfig // { host = "ts.${name}"; hostname = "${name}.ts.chn.moe"; };
+            })
+            (device.value.extraAccess or [] ++ [ device.name ]))
+          (inputs.localLib.attrsToList devices))
       ]));
     }];
   };

devices/cross/tinc.nix

@@ -0,0 +1,217 @@
+inputs:
+let
+  inherit (inputs.topInputs.self.config.dns."chn.moe") getAddress;
+  inherit (inputs.config.nixos.model) hostname;
+  publicKey =
+  {
+    nas = "sSN3eeBgrMXF6/XYfEBe54TXmfHETOESX+SyrpGlmDK";
+    pc = "soafMZ/0EViMhKYNc8g8pp4sbhR/2HnnXwGQln0BgCK";
+    srv1-node0 = "ZKUwi386ZssXLQGORUzlRxof7NhXigUw3QZHAP0Pb8N";
+    srv1-node1 = "5eti59LrOMejEWYDxOYrh7SD93nLMSH+iX7vaBN4BrE";
+    srv1-node2 = "e6jW9g4QY357ocMRoW4P0s6UHAspvKJzmAGb/WT1a+H";
+    srv2-node0 = "zTv+o7K2SpcPp9YLrPe8iJqCunrCiJyqz13fXcDouEH";
+    srv2-node1 = "sk/w+GBrt0lzkTZ3y3vZ/eHKNrG8X95eqR9IuhCFYwB";
+    srv2-node2 = "csZoiTwZItonm6h+uqkJ5z9J6o1iFlBESQ2u97Wz2JL";
+    vps4 = "N03OoCyj4ADkeN3cimJI/bJrBw8g1kz3TJ+1BTe+oyA";
+    vps6 = "rYOCGG+B4isTifKJQqsEdfhQuQRnUiIsvz7uI7vZiDN";
+    vps9 = "fCAqgs9VcYpTLccwFtSkx3dwMDG6787MQX4ycekxRSJ";
+  };
+  # 描述可以直接的设备之间的连接（图上的路径）。若一个设备可以主动接受连接，则设置它接受连接的 ip；否则设置为 null
+  # 因为一条条路径描述起来比较麻烦，所以这里一次描述多条
+  subnets =
+  [
+    # vps
+    { device = inputs.lib.genAttrs [ "vps4" "vps6" "vps9" ] getAddress; distance = 1; }
+    # 使用 vps9 代理的机器
+    {
+      device = (inputs.lib.genAttrs [ "nas" "srv1-node0" "srv2-node0" ] (_: null)) // { vps9 = getAddress "vps9"; };
+      distance = 10;
+    }
+    # 使用 vps6 代理的机器
+    { device = { vps6 = getAddress "vps6"; pc = null; }; distance = 10; }
+    # 校内网络
+    { device = (inputs.lib.genAttrs [ "srv1-node0" "srv2-node0" ] getAddress) // { nas = null; }; distance = 1; }
+    # srv1 内部网络
+    {
+      device = inputs.lib.genAttrs' (builtins.genList (n: n) 3)
+        (n: inputs.lib.nameValuePair "srv1-node${builtins.toString n}" "192.168.178.${builtins.toString (n + 1)}");
+      distance = 1;
+    }
+    # srv2 内部网络
+    {
+      device = inputs.lib.genAttrs' (builtins.genList (n: n) 3)
+        (n: inputs.lib.nameValuePair "srv2-node${builtins.toString n}" "192.168.178.${builtins.toString (n + 1)}");
+      distance = 1;
+    }
+  ];
+  # 给定起止点，返回最短路径的第一跳的目的地，以及总路程长度
+  # 结构是：from.to = null or { address = xxx or null; length = xx; jump = xx; }
+  # 如果两个设备不能连接，返回 null;
+  # 如果可以主动连接，返回 { address = xxx; length = xx; jump = xx; }；
+  # 如果只可以被动连接，返回 { address = null; length = xx; jump = xx; }；
+  connection =
+    let
+      # 将给定子网翻译成一列边，返回 [{ device = { dev1 = null or ip; dev2 = null or ip; }; distance = xxx; }]
+      # 边中至少有一个端点是可以接受连接的
+      netToEdges = subnet: builtins.filter (v: v != null) (builtins.concatLists
+        (inputs.lib.imap
+          (i1: v1: inputs.lib.imap
+            (i2: v2:
+              if i2 <= i1 || (subnet.device.${v1} == null && subnet.device.${v2} == null) then null
+              else { device = inputs.lib.genAttrs [ v1 v2 ] (v: subnet.device.${v}); inherit (subnet) distance; })
+            (builtins.attrNames subnet.device))
+          (builtins.attrNames subnet.device)));
+      # 在一个图中加入一个边
+      # current 的结构是：from.to = null or { address = xxx or null; length = xx; jump = xx; }
+      addEdge = current: newEdge: builtins.mapAttrs
+        (nameFrom: valueFrom: builtins.mapAttrs
+          (nameTo: valueTo:
+            # 不处理自己到自己的路
+            if nameFrom == nameTo then null
+            # 如果要加入的边包含起点
+            else if newEdge.device ? "${nameFrom}" then
+              # 如果要加入的边包含终点，那么这两个点可以直连
+              if newEdge.device ? "${nameTo}"
+                then { address = newEdge.device.${nameTo}; length = newEdge.distance; jump = nameTo; }
+              else let edgePoint2 = builtins.head (inputs.lib.remove nameFrom (builtins.attrNames newEdge.device)); in
+                # 如果边的另外一个点到终点可以连接
+                if current.${edgePoint2}.${nameTo} != null then
+                  # 如果之前不能连接，或者之前的连接比新的要长，则使用新的连接
+                  if current.${nameFrom}.${nameTo} == null || (current.${nameFrom}.${nameTo}.length or 0
+                    > newEdge.distance + current.${edgePoint2}.${nameTo}.length or 0) then
+                  {
+                    address = newEdge.device.${edgePoint2};
+                    length = newEdge.distance + current.${edgePoint2}.${nameTo}.length;
+                    jump = edgePoint2;
+                  }
+                  # 否则，不更新连接
+                  else current.${nameFrom}.${nameTo}
+                # 否则，不更新连接
+                else current.${nameFrom}.${nameTo}
+            # 如果要加入的边包不包含起点但包含终点
+            else if newEdge.device ? "${nameTo}" then
+              let edgePoint2 = builtins.head (inputs.lib.remove nameTo (builtins.attrNames newEdge.device)); in
+              # 如果起点与另外一个点可以相连
+              if current.${nameFrom}.${edgePoint2} != null then
+                # 如果之前不能连接，或者新连接更短，则使用新的连接
+                if current.${nameFrom}.${nameTo} == null || (current.${nameFrom}.${nameTo}.length or 0
+                  > current.${nameFrom}.${edgePoint2}.length or 0 + newEdge.distance) then
+                {
+                  inherit (current.${nameFrom}.${edgePoint2}) address jump;
+                  length = newEdge.distance + current.${nameFrom}.${edgePoint2}.length;
+                }
+                # 否则，不更新连接
+                else current.${nameFrom}.${nameTo}
+              # 如果起点与另外一个点不可以相连，则不改变连接
+              else current.${nameFrom}.${nameTo}
+            # 如果要加入的边不包含起点和终点
+            else
+              let
+                edgePoints = builtins.attrNames newEdge.device;
+                p1 = builtins.elemAt edgePoints 0;
+                p2 = builtins.elemAt edgePoints 1;
+              in
+                # 如果起点与边的第一个点可以连接、终点与边的第二个点可以连接
+                if current.${nameFrom}.${p1} != null && current.${p2}.${nameTo} != null then
+                  # 如果之前不能连接，则新连接必然是唯一的连接，使用新连接
+                  if current.${nameFrom}.${nameTo} == null then
+                  {
+                    inherit (current.${nameFrom}.${p1}) address jump;
+                    length = current.${nameFrom}.${p1}.length + newEdge.distance + current.${p2}.${nameTo}.length;
+                  }
+                  # 如果之前可以连接，那么反过来一定也能连接，选取三种连接中最短的
+                  else builtins.head (inputs.lib.sort (a: b: a.length < b.length)
+                    [
+                      # 原先的连接
+                      current.${nameFrom}.${nameTo}
+                      # 正着连接
+                      {
+                        inherit (current.${nameFrom}.${p1}) address jump;
+                        length = current.${nameFrom}.${p1}.length + newEdge.distance + current.${p2}.${nameTo}.length;
+                      }
+                      # 反着连接
+                      {
+                        inherit (current.${nameFrom}.${p2}) address jump;
+                        length = current.${nameFrom}.${p2}.length + newEdge.distance + current.${p1}.${nameTo}.length;
+                      }
+                    ])
+                # 如果正着不能连接、反过来可以连接，那么反过来连接一定是唯一的通路，使用反向的连接
+                else if current.${nameFrom}.${p2} != null && current.${p1}.${nameTo} != null then
+                {
+                  inherit (current.${nameFrom}.${p2}) address jump;
+                  length = current.${nameFrom}.${p2}.length + newEdge.distance + current.${p1}.${nameTo}.length;
+                }
+                # 如果正着连接、反向连接都不行，那么就不更新连接
+                else current.${nameFrom}.${nameTo})
+          valueFrom)
+        current;
+      # 初始时，所有点之间都不连接
+      init = builtins.mapAttrs (_: _: builtins.mapAttrs (_: _: null) publicKey) publicKey;
+    in builtins.foldl' addEdge init (inputs.lib.flatten (builtins.map netToEdges subnets));
+  tincHostname = builtins.replaceStrings [ "-" ] [ "_" ];
+in
+{
+  config = inputs.lib.mkIf (builtins.hasAttr hostname publicKey)
+  {
+    services.tinc.networks.tinc0 = 
+    {
+      settings =
+      {
+        Interface = "tinc0";
+        Name = tincHostname hostname;
+        PingInterval = 10;
+        TCPOnly = true;
+        Proxy = inputs.lib.mkIf (inputs.config.nixos.services.xray.client != null) "socks5 127.0.0.1 10885";
+        ConnectTo = builtins.map tincHostname (builtins.attrNames
+          (inputs.lib.filterAttrs (n: v: (v.address or null != null) && (v.jump or null == n)) connection.${hostname}));
+        AutoConnect = false;
+        TunnelServer = true;
+      };
+      ed25519PrivateKeyFile = inputs.config.nixos.system.sops.secrets."tinc".path;
+      hostSettings = inputs.lib.mkMerge
+      [
+        # 本机
+        {
+          "${tincHostname hostname}" =
+          {
+            settings.Ed25519PublicKey = publicKey.${hostname};
+            subnets = [{ address = getAddress "tinc0.${hostname}"; weight = 0; }];
+          };
+        }
+        (inputs.lib.mkMerge (inputs.lib.mapAttrsToList
+          (n: v: { "${tincHostname v.jump}" = 
+          {
+            addresses = inputs.lib.optionals (v.address != null) [{ inherit (v) address; }];
+            settings = { Ed25519PublicKey = publicKey.${v.jump}; IndirectData = true; };
+            subnets =
+            [{
+              address = getAddress "tinc0.${n}";
+              # 最短路径已经被提前计算出来了，这里将权重统一设置为零
+              # 如果分开设置，两个节点会因为对权重的描述不统一而拒绝连接
+              weight = 0;
+            }];
+          };})
+          (inputs.lib.filterAttrs (_: v: v != null) connection.${hostname})))
+      ];
+    };
+    nixos.system =
+    {
+      sops.secrets."tinc".owner = "tinc-tinc0";
+      network.settings = inputs.lib.mkIf (inputs.config.nixos.system.network.implementation == "systemd-networkd")
+        { static."tinc0" = { ip = getAddress "tinc0.${hostname}"; mask = 24; }; };
+    };
+    environment =
+    {
+      etc = inputs.lib.mkIf (inputs.config.nixos.system.network.implementation == "networkmanager")
+      {
+        "tinc/tinc0/tinc-up".source = inputs.pkgs.writeShellScript "tinc-up"
+        ''
+          ${inputs.pkgs.iproute2}/bin/ip link set $INTERFACE up
+          ${inputs.pkgs.iproute2}/bin/ip addr add ${getAddress "tinc0.${hostname}"}/24 dev $INTERFACE
+        '';
+      };
+      systemPackages = [ inputs.config.services.tinc.networks.tinc0.package ];
+    };
+    networking.firewall = { allowedTCPPorts = [ 655 ]; allowedUDPPorts = [ 655 ]; trustedInterfaces = [ "tinc0" ]; };
+  };
+}

devices/cross/wireguard.nix

@@ -1,245 +0,0 @@
-inputs:
-let
-  publicKey =
-  {
-    vps4 = "sUB97q3lPyGkFqPmjETzDP71J69ZVfaUTWs85+HA12g=";
-    vps6 = "AVOsYUKQQCvo3ctst3vNi8XSVWo1Wh15066aHh+KpF4=";
-    pc = "l1gFSDCeBxyf/BipXNvoEvVvLqPgdil84nmr5q6+EEw=";
-    nas = "xCYRbZEaGloMk7Awr00UR3JcDJy4AzVp4QvGNoyEgFY=";
-    one = "Hey9V9lleafneEJwTLPaTV11wbzCQF34Cnhr0w2ihDQ=";
-    srv1-node0 = "Br+ou+t9M9kMrnNnhTvaZi2oNFRygzebA1NqcHWADWM=";
-    srv1-node1 = "wyNONnJF2WHykaHsQIV4gNntOaCsdTfi7ysXDsR2Bww=";
-    srv1-node2 = "zWvkVyJwtQhwmxM2fHwNDnK+iwYm1O0RHrwCQ/VXdEo=";
-    srv2-node0 = "lNTwQqaR0w/loeG3Fh5qzQevuAVXhKXgiPt6fZoBGFE=";
-    srv2-node1 = "wc+DkY/WlGkLeI8cMcoRHcCcITNqX26P1v5JlkQwWSc=";
-    srv3 = "a1pUi12SN6fIFiHA9W0N1ycuSz1fWUSpZnjz20OPaBk=";
-  };
-  dns = inputs.topInputs.self.config.dns.wireguard;
-  networks = # 对于每个网络，只需要设置每个设备的 listenPort，以及每个设备的每个 peer 的 publicKey endpoint allowedIPs
-  {
-    # 星形网络，所有流量通过 vps6 中转
-    wg0 = let vps6ListenIp = "144.34.225.59"; in
-    {
-      devices =
-      {
-        vps6 =
-        {
-          listenPort = 51820;
-          peer = builtins.listToAttrs (builtins.map
-            (peerName:
-            {
-              name = peerName;
-              value =
-              {
-                publicKey = publicKey.${peerName};
-                allowedIPs = [ "192.168.${builtins.toString dns.net.wg0}.${builtins.toString dns.peer.${peerName}}" ];
-              };
-            })
-            (inputs.lib.remove "vps6" (builtins.attrNames publicKey)));
-        };
-      }
-      // (builtins.listToAttrs (builtins.map
-        (deviceName:
-        {
-          name = deviceName;
-          value.peer.vps6 =
-          {
-            publicKey = publicKey.vps6;
-            endpoint = "${vps6ListenIp}:51820";
-            allowedIPs = [ "192.168.${builtins.toString dns.net.wg0}.0/24" ];
-          };
-        })
-        (inputs.lib.remove "vps6" (builtins.attrNames publicKey))));
-    };
-    # 两两互连
-    wg1 =
-      let
-        inherit (inputs.topInputs.self.config.dns."chn.moe") getAddress;
-        # 设备之间可以直接连接的子网
-        # 若一个设备可以主动接受连接，则设置它接受连接的 ip；否则设置为 null
-        subnet =
-        [
-          # 所有设备都可以连接到公网，但只有有公网 ip 的设备可以接受连接
-          (builtins.listToAttrs
-          (
-            (builtins.map (n: { name = n; value = getAddress n; }) [ "vps4" "vps6" "srv3" ])
-              ++ (builtins.map (n: { name = n; value = null; }) [ "pc" "nas" "one" "srv1-node0" "srv2-node0" ])
-          ))
-          # 校内网络
-          (builtins.listToAttrs
-          (
-            (builtins.map (n: { name = n; value = getAddress n; }) [ "srv1-node0" "srv2-node0" ])
-              ++ (builtins.map (n: { name = n; value = null; }) [ "pc" "nas" "one" ])
-          ))
-          # 办公室或者宿舍局域网
-          (builtins.listToAttrs (builtins.map (n: { name = n; value = getAddress n; }) [ "pc" "nas" "one" ]))
-          # 集群内部网络
-          (builtins.listToAttrs (builtins.map
-            (n: { name = "srv1-node${builtins.toString n}"; value = "192.168.178.${builtins.toString (n + 1)}"; })
-            (builtins.genList (n: n) 3)))
-          (builtins.listToAttrs (builtins.map
-            (n: { name = "srv2-node${builtins.toString n}"; value = "192.168.178.${builtins.toString (n + 1)}"; })
-            (builtins.genList (n: n) 2)))
-        ];
-        # 给定起止点，返回最短路径的第一跳的目的地
-        # 如果两个设备不能连接，返回 null; 
-        # 如果可以直接、主动连接，返回 { ip = 地址; }；如果可以直接连接但是被动连接，返回 { ip = null; }；
-        # 如果需要中转，返回 { jump = 下一跳; }
-        connection =
-          let
-            # 将给定子网翻译成一列边，返回 [{ dev1 = null or ip; dev2 = null or ip; }]
-            netToEdges = subnet:
-              let devWithAddress = builtins.filter (n: subnet.${n} != null) (builtins.attrNames subnet);
-              in inputs.lib.unique (builtins.concatLists (builtins.map
-                (dev1: builtins.map
-                  (dev2: { "${dev1}" = subnet."${dev1}"; "${dev2}" = subnet."${dev2}"; })
-                  (inputs.lib.remove dev1 (builtins.attrNames subnet)))
-                devWithAddress));
-            # 在一个图中加入一个边，current 的结构是：from.to = null or { ip = "" or null; length = l; jump = ""; }
-            addEdge = current: newEdge: builtins.mapAttrs
-              (nameFrom: valueFrom: builtins.mapAttrs
-                (nameTo: valueTo:
-                  # 忽略自己到自己的路
-                  if nameFrom == nameTo then null
-                  # 如果要加入的边包含起点
-                  else if newEdge ? "${nameFrom}" then
-                    # 如果要加入的边包含终点，那么这两个点可以直连
-                    if newEdge ? "${nameTo}" then { ip = newEdge.${nameTo}; length = 1; }
-                    else let edgePoint2 = builtins.head (inputs.lib.remove nameFrom (builtins.attrNames newEdge)); in
-                      # 如果边的另外一个点到终点可以连接
-                      if current.${edgePoint2}.${nameTo} != null then
-                        # 如果之前不能连接，则使用新的连接
-                        if current.${nameFrom}.${nameTo} == null then
-                          { jump = edgePoint2; length = 1 + current.${edgePoint2}.${nameTo}.length; }
-                        # 如果之前可以连接，且新连接更短，同样更新连接
-                        else if current.${nameFrom}.${nameTo}.length > 1 + current.${edgePoint2}.${nameTo}.length then
-                          { jump = edgePoint2; length = 1 + current.${edgePoint2}.${nameTo}.length; }
-                        # 否则，不更新连接
-                        else current.${nameFrom}.${nameTo}
-                      # 否则，不更新连接
-                      else current.${nameFrom}.${nameTo}
-                  # 如果要加入的边包不包含起点但包含终点
-                  else if newEdge ? "${nameTo}" then
-                    let edgePoint2 = builtins.head (inputs.lib.remove nameTo (builtins.attrNames newEdge)); in
-                    # 如果起点与另外一个点可以相连
-                    if current.${nameFrom}.${edgePoint2} != null then
-                      # 如果之前不能连接，则使用新的连接
-                      if current.${nameFrom}.${nameTo} == null then
-                      {
-                        jump = current.${nameFrom}.${edgePoint2}.jump or edgePoint2;
-                        length = current.${nameFrom}.${edgePoint2}.length + 1;
-                      }
-                      # 如果之前可以连接，且新连接更短，同样更新连接
-                      else if current.${nameFrom}.${nameTo}.length > current.${nameFrom}.${edgePoint2}.length + 1 then
-                      {
-                        jump = current.${nameFrom}.${edgePoint2}.jump or edgePoint2;
-                        length = current.${nameFrom}.${edgePoint2}.length + 1;
-                      }
-                      # 否则，不更新连接
-                      else current.${nameFrom}.${nameTo}
-                    # 如果起点与另外一个点不可以相连，则不改变连接
-                    else current.${nameFrom}.${nameTo}
-                  # 如果要加入的边不包含起点和终点
-                  else
-                    let
-                      edgePoints = builtins.attrNames newEdge;
-                      p1 = builtins.elemAt edgePoints 0;
-                      p2 = builtins.elemAt edgePoints 1;
-                    in
-                      # 如果起点与边的第一个点可以连接、终点与边的第二个点可以连接
-                      if current.${nameFrom}.${p1} != null && current.${p2}.${nameTo} != null then
-                        # 如果之前不能连接，则新连接必然是唯一的连接，使用新连接
-                        if current.${nameFrom}.${nameTo} == null then
-                        {
-                          jump = current.${nameFrom}.${p1}.jump or p1;
-                          length = current.${nameFrom}.${p1}.length + 1 + current.${p2}.${nameTo}.length;
-                        }
-                        # 如果之前可以连接，那么反过来一定也能连接，选取三种连接中最短的
-                        else builtins.head (inputs.lib.sort
-                          (a: b: if a == null then false else if b == null then true else a.length < b.length)
-                          [
-                            # 原先的连接
-                            current.${nameFrom}.${nameTo}
-                            # 正着连接
-                            {
-                              jump = current.${nameFrom}.${p1}.jump or p1;
-                              length = current.${nameFrom}.${p1}.length + 1 + current.${p2}.${nameTo}.length;
-                            }
-                            # 反着连接
-                            {
-                              jump = current.${nameFrom}.${p2}.jump or p2;
-                              length = current.${nameFrom}.${p2}.length + 1 + current.${p1}.${nameTo}.length;
-                            }
-                          ])
-                      # 如果正着不能连接、反过来可以连接，那么反过来连接一定是唯一的通路，使用反向的连接
-                      else if current.${nameFrom}.${p2} != null && current.${p1}.${nameTo} != null then
-                      {
-                        jump = current.${nameFrom}.${p2}.jump or p2;
-                        length = current.${nameFrom}.${p2}.length + 1 + current.${p1}.${nameTo}.length;
-                      }
-                      # 如果正着连接、反向连接都不行，那么就不更新连接
-                      else current.${nameFrom}.${nameTo})
-                valueFrom)
-              current;
-            # 初始时，所有点之间都不连接
-            init = builtins.listToAttrs (builtins.map
-              (dev1:
-              {
-                name = dev1;
-                value = builtins.listToAttrs (builtins.map
-                  (dev2: { name = dev2; value = null; })
-                  (builtins.attrNames publicKey));
-              })
-              (builtins.attrNames publicKey));
-          in builtins.foldl' addEdge init (builtins.concatLists (builtins.map netToEdges subnet));
-      in
-      {
-        devices = builtins.listToAttrs (builtins.map
-          (deviceName:
-          {
-            name = deviceName;
-            value =
-            {
-              listenPort = 51820 + dns.peer.${deviceName};
-              peer = builtins.listToAttrs (builtins.concatLists (builtins.map
-                (peerName:
-                  # 如果不能直连，就不用加 peer
-                  inputs.lib.optionals (connection.${deviceName}.${peerName} ? ip)
-                  [{
-                    name = peerName;
-                    value =
-                    {
-                      publicKey = publicKey.${peerName};
-                      allowedIPs =
-                        [ "192.168.${builtins.toString dns.net.wg1}.${builtins.toString dns.peer.${peerName}}" ]
-                        ++ builtins.map
-                          (destination:
-                            "192.168.${builtins.toString dns.net.wg1}.${builtins.toString dns.peer.${destination}}")
-                          (builtins.filter
-                            (destination: connection.${deviceName}.${destination}.jump or null == peerName)
-                            (builtins.attrNames publicKey));
-                    }
-                      // inputs.lib.optionalAttrs (connection.${deviceName}.${peerName}.ip != null)
-                      {
-                        endpoint = "${connection.${deviceName}.${peerName}.ip}:"
-                          + builtins.toString (51820 + dns.peer.${peerName});
-                      };
-                  }])
-                (inputs.lib.remove deviceName (builtins.attrNames publicKey))));
-            };
-          })
-          (builtins.attrNames publicKey));
-      };
-  };
-in
-{
-  config.nixos.services.wireguard = inputs.lib.mkMerge (builtins.map
-    (network:
-      let inherit (inputs.config.nixos.model) hostname;
-      in inputs.lib.optionalAttrs (network.value.devices ? ${hostname}) { ${network.name} =
-        network.value.devices.${hostname}
-        // {
-          ip = "192.168.${builtins.toString dns.net.${network.name}}.${builtins.toString dns.peer.${hostname}}";
-        };})
-    (inputs.localLib.attrsToList networks));
-}

devices/jykang.xmuhpc/default.nix

@@ -1,16 +0,0 @@
-# sudo nix build --store 'local?store=/data/gpfs01/jykang/.nix/store&state=/data/gpfs01/jykang/.nix/state&log=/data/gpfs01/jykang/.nix/log' .#jykang
-# sudo nix-store --store 'local?store=/data/gpfs01/jykang/.nix/store&state=/data/gpfs01/jykang/.nix/state&log=/data/gpfs01/jykang/.nix/log' -qR ./result | grep -Fxv -f <(ssh jykang find .nix/store -maxdepth 1 -exec realpath '{}' '\;') | sudo xargs nix-store --store 'local?store=/data/gpfs01/jykang/.nix/store&state=/data/gpfs01/jykang/.nix/state&log=/data/gpfs01/jykang/.nix/log' --export | xz -T0 | pv > jykang.nar.xz
-# cat data.nar | nix-store --import
-{ inputs, localLib }:
-let pkgs = import inputs.nixpkgs (localLib.buildNixpkgsConfig
-{
-  inputs = { inherit (inputs.nixpkgs) lib; topInputs = inputs; };
-  nixpkgs = { march = "haswell"; cuda = null; nixRoot = "/data/gpfs01/jykang/.nix"; nixos = false; };
-});
-in pkgs.symlinkJoin
-{
-  name = "jykang";
-  paths = with pkgs; [ hello iotop gnuplot localPackages.vaspkit pv btop ];
-  postBuild = "echo ${inputs.self.rev or "dirty"} > $out/.version";
-  passthru = { inherit pkgs; };
-}

devices/jykang/default.nix

@@ -0,0 +1,25 @@
+# sudo nix build --store 'local?store=/data/gpfs01/jykang/.nix/store&state=/data/gpfs01/jykang/.nix/state&log=/data/gpfs01/jykang/.nix/log' .#jykang
+# sudo nix-store --store 'local?store=/data/gpfs01/jykang/.nix/store&state=/data/gpfs01/jykang/.nix/state&log=/data/gpfs01/jykang/.nix/log' -qR ./result | grep -Fxv -f <(ssh jykang find .nix/store -maxdepth 1 -exec realpath '{}' '\;') | sudo xargs nix-store --store 'local?store=/data/gpfs01/jykang/.nix/store&state=/data/gpfs01/jykang/.nix/state&log=/data/gpfs01/jykang/.nix/log' --export | xz -T0 | pv > jykang.nar.xz
+# cat data.nar | nix-store --import
+{ inputs, localLib }:
+let
+  pkgs = import inputs.nixpkgs (localLib.buildNixpkgsConfig
+  {
+    inputs = { inherit (inputs.nixpkgs) lib; topInputs = inputs; };
+    nixpkgs = { march = "haswell"; nixRoot = "/data/gpfs01/jykang/.nix"; nixos = false; };
+  });
+  python-lyj =
+    let python = pkgs.pkgs-2411.python310.withPackages (_: [ pkgs.localPackages.pybinding ]);
+    in pkgs.runCommand "python-lyj" { }
+    ''
+      mkdir -p $out/bin
+      ln -s ${python}/bin/python3 $out/bin/python-lyj
+    '';
+  jykang = pkgs.symlinkJoin
+  {
+    name = "jykang";
+    paths = with pkgs; [ gnuplot localPackages.vaspkit pv python-lyj sqlite ];
+    postBuild = "echo ${inputs.self.rev or "dirty"} > $out/.version";
+    passthru = { inherit pkgs; archive = pkgs.closureInfo { rootPaths = [ jykang.drvPath ]; }; };
+  };
+in jykang

devices/jykang/files/.ssh/authorized_keys

@@ -11,6 +11,8 @@ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5bg5cayOLfnfUBJz8LeyaYfP41s9pIqUgXn6w9xtvR
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBoDGk9HYphkngx2Ix/vef2ZntdVNK1kbS9pY8+TzI41 yxf
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJi6O1Sf1BBV1dYyH1jcHiws+ntwVfV29+6Paq1CQaET hss
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFlBxisj3sU9QC8UC5gX6sakf7G03ybbkmHtD2cybuZA qmx
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAWU/OlrP8bJ5k7IqpIwUC1COuVsmrYVreW/ieEdPYdj ccy
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILvXkM8TS8fDot22LTfU2jDVOqK20LmK8Rd7xO05vYns stq
 
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCmJoiGO5YD3lbbIOJ99Al2xxm6QS9q+dTCTtlALjYI5f9ICGZJT8PEGlV9BBNCRQdgb3i2LBzQi90Tq1oG6/PcTV3Mto2TawLz5+2+ym29eIq1QIhVTLmZskK815FpawWqxY6+xpGU3vP1WjrFBbhGtl+CCaN+P2TWNkrR8FjG2144hdAlFfEEqfQC+TXbsyJCYoExuxGDJo8ae0JGbz9w1A1UbjnHwKnoxvirTFEbw9IHJIcTdUwuQKOrwydboCOqeaHt74+BnnCOZhpYqMDacrknHITN4GfFFzbs6FsE8NAwFk6yvkNXXzoe60iveNXtCIYuWjG517LQgHAC5BdaPgqzYNg+eqSul72e+jjRs+KDioNqvprw+TcBBO1lXZ2VQFyWyAdV2Foyaz3Wk5qYlOpX/9JLEp6H3cU0XCFR25FdXmjQ4oXN1QEe+2akV8MQ9cWhFhDcbY8Q1EiMWpBVC1xbt4FwE8VCTByZOZsQ0wPVe/vkjANOo+brS3tsR18= 00@xmuhpc
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxcIWDQxVyIRqCGR4uWtrh4tLc025+q6du2GVsox8IzmBFkjNY8Au5GIMP5BKRstxFdg3f/wam8krckUN9rv5+OHB9U8HGz77Xs0FktqRVNMaDPdptePZQJ9A9eW3kkFDfQnORJtiVcEWfUBS3pi0QFOHylnG27YyC/Vjx9tjvtJWKsQEVTFJbFHPdi+G7lHTpqIGx+/a2JN9O6uVujXXYvjSVXsd+CWB9VMZMvYCIz2Ecb6RqR3brj4FhRRl8zyCj+J4ACYFdGWL98fTab2uPHbpVeKrefFFA43JOD/4zwBx/uw7MAQAq0GunTV3FpBfIAQHWgftf2fSlbz20oPjCwdYn9ZuGJOBUroryex7AKZmnSYM3biLHcctQfZtxqVPEU3W/62MUsI/kZb9RcF24JRksMoS2XWTiv2HFf5ijQGLXXOjqiTlGncwiKf65DwkDBsSxzgbXk5Uo86viq6UITFXPx/RytU+SUiN4Wb7wcBTjt/+tyQd1uqc7+3DCDXk= 01@xmuhpc
@@ -18,5 +20,6 @@ ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDkT/P4MnzxBh8sRi0oQ88duNpY/ejFtptGqUQJVobj
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDOF3LfnQiI8wpsXGn87bt7rbUZcgsdaOSOswk4Vf4dBautEdQZc0q+UDB2TlR2K8L7SPyywpl5z67euN5QRJLEwg8flTybiJp3EKDctYEM22sa36ONcSIJ/iHSdCkwtPXkBYreh9e+MAHfTroIKK5zM/P1QIN3NrknIXpWjLDF73ejrxE+EXRK6jbuWfo+5dnLnDoUFt1e+pYLZos5KRRB94Qt5I79D/cAg3hG+Zl2FCCOpn1hIdLo/kWJTKUPe61oUaIxriV6nCXp/pU1BHlM43hGowiHa4bVZIs8Eo4r7OI9thhSuS2BKSifibBKIicZtntSlS/I3xa5am28YLmrOiEXRsjPom7trO8qIhPfYOc/yFDg1gcpLxyNroCPooPBzPxUqrTT96Q4fDDTaqfyuVxQFxbYoFAqQs8/lw6WcGJ4fGC5JPsPiwoSdQy/B7gCfQcFjPXp1NH8Sx+xMLCmxRqdKSyeiEwoyB0tZ6ngaI73HFhCPX1/rLx3xv0zd/8= 03@xmuhpc
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC96jp6qFrWt4651Arg+Ua6AU3CjftZuounKLlZ8s268Lo9Cba+nmoOGRNzefqr+f6/7KmFKd9+jqS3ZnKFQbzRFVzzHHIT7tSlgxFRw+yb553/vgm7z6d0HGd3B7XjpIpR7DrM/unnXtiT/WuX+UIKKQ1S4kHp4fTJxZuwzYgNWDsT7O/5H7nBoRVuUSG/achCzTq5V5WfNjvrGZypCmcCw5MTH3Iab4qQ7fhRK46e/OpgSMmsY1ZuEynIwVtimW4G10MUWZdawN4LHBNsCDBmBu0H1DYBb9AUW5IuifAyFPPlTOPtuzpEganaMwotcXiAwhfPQg1c0TfbB4ZJPow612dzxcflHAJyFy2LXbiG0rF48h0GpW5gY92QkeMQcbybKOS5yVlXynNNg0nL1bx+reu7Fy4jurc0facTaqzpSiyXsBLSOva+DZrxl2MBDLEdykkQMNIY69GeeC2XIN4tbfGDYU8VVtwnXJUkmeHAge5ypI1kkPhYRDxPDspym9M= 04@xmuhpc
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC9FmT0i2j9JsnyeVrEZP8gaWHnc5NnhJgb1sP8MP/pjx/GMEkms2LQvZYNw8MQvGA6HH/O2acy5NIdD69QkRlALXZlWpUQco8JDuJe7+2xkTMGPOAqB5YLMHRpFGHUmDMuSFGSg2YyLXaWXoWmib5xAvTL95xAcdNgp5xqWvO2N55edDeVOY5cTmIE2vC0nm5JSjMEMcIuqL8yJ3AweN4JkD8CVVy3po8f+krKsaYB+f21MqqSnCQ/cpKlWHuMN9k85hP/FB1E7gBXW/MuZ1uOm4IzjBhj8tYVN0UY7Mo2/9PhFqoBKGr6vs7Nx1mXBJ/A1lIKvW+ROvQ9ADpOfww6kPuHbX16gQ55JG7zneWeiP5pVaI4YZ4O1vAvARw/SaSFhRdpymPs5r+wdIDV9gGoqORrYqoPBz7Q02V71W+EV7WFAgxiJozO0vZwD9JJ2zivyIJfcVtIOMIvEhfsha7Hviut4JIOyoaEHjIZYsmvYHEeEBA4pTUHIUZlZj/St7U= 05@xmuhpc
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEFL+fpLRUHy6Bop91ACIUjyekWn+ZGCEOzfrqnaEsn+ yj
 
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJRWge2+B1Et03n/B4ALBcAnjvtWPPmcFAoIlLP8oFkB hpcstat

devices/nas/default.nix

@@ -4,36 +4,68 @@ inputs:
   {
     nixos =
     {
-      model = { type = "server"; private = true; };
+      model.private = true;
       system =
       {
         fileSystems =
         {
           mount =
           {
-            vfat."/dev/disk/by-uuid/627D-1FAA" = "/boot";
-            btrfs."/dev/mapper/root3" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
+            vfat."/dev/disk/by-partlabel/nas-boot" = "/boot";
+            btrfs =
+            {
+              "/dev/mapper/root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
+              "/dev/mapper/ssd1"."/nix/ssd" = "/nix/ssd";
+            };
           };
           swap = [ "/dev/mapper/swap" ];
-          rollingRootfs.waitDevices = [ "/dev/mapper/root4" ];
+          # TODO: snapshot should take place just before switching root
+          rollingRootfs.waitDevices =
+            [ "/dev/mapper/root2" "/dev/mapper/root3" "/dev/mapper/root4" "/dev/mapper/ssd1" "/dev/mapper/ssd2" ];
         };
         initrd.sshd = {};
-        nixpkgs.march = "silvermont";
-        network = {};
+        nixpkgs.march = "alderlake";
+        nix.marches = inputs.topInputs.self.nixosConfigurations.pc.config.nixos.system.nix.marches;
+        network.settings.static.enp3s0 =
+          { ip = "192.168.1.2"; mask = 24; gateway = "192.168.1.1"; dns = "192.168.1.1"; }; 
+        kernel.patches = [ "btrfs" ];
+        binfmt = {};
       };
       hardware.gpu.type = "intel";
       services =
       {
         sshd = {};
-        xray =
+        xray.client =
         {
-          client.dnsmasq = { extraInterfaces = [ "enp3s0" ]; hosts."git.nas.chn.moe" = "127.0.0.1"; };
-          xmuServer = {};
-          server.serverName = "xservernas.chn.moe";
+          xray.serverName = "xserver2.vps9.chn.moe";
+          coredns = { extraInterfaces = [ "enp3s0" ]; hosts."git.chn.moe" = "127.0.0.1"; };
         };
-        beesd."/" = { hashTableSizeMB = 10 * 128; threads = 4; };
-        nfs."/" = [(inputs.topInputs.self.config.dns."chn.moe".getAddress "wg1.pc")];
+        beesd."/".hashTableSizeMB = 10 * 128;
+        postgresql.mountFrom = "ssd";
+        mariadb.mountFrom = "ssd";
+        rsshub = {};
+        misskey.instances =
+          { misskey.hostname = "xn--s8w913fdga.chn.moe"; misskey-old = { port = 9727; redis.port = 3546; }; };
+        synapse.instances =
+        {
+          synapse.matrixHostname = "synapse.chn.moe";
+          matrix = { port = 8009; redisPort = 6380; };
+        };
+        vaultwarden = {};
+        nextcloud = {};
+        freshrss = {};
+        send = {};
+        huginn = {};
+        httpapi = {};
+        gitea = {};
+        grafana = {};
+        podman = {};
+        peertube = {};
+        nginx.applications.webdav.instances."webdav.chn.moe" = {};
+        nfs."/" = [ "100.97.101.0/24" ];
       };
     };
+    systemd.tmpfiles.rules =
+      [ "w /sys/class/powercap/intel-rapl/intel-rapl:0/constraint_0_power_limit_uw - - - - 10000000" ];
   };
 }

devices/nas/secrets.yaml

@@ -1,12 +1,75 @@
 xray-client:
     uuid: ENC[AES256_GCM,data:97aX07G5FPumdWcDxnYOs6fRgljXWuwyNXGg1d7zdbUUfNnb,iv:+wAC/DZXsg+evYFA4DMfLw5Ut3ExQl1RgZ/2AsNQDpo=,tag:ebD77muITHof+FQMydWobg==,type:str]
-wireguard: ENC[AES256_GCM,data:JaOSq474mGOoQQcdJ/j9fYo2e1vjXMPxJ69TOd079FrSkbzbIteWww5f8Xo=,iv:uy/NC2+tibL61XJDZK/spKjV9u0oXK4YzjFjYmCAL0k=,tag:en+c8cHaPvDqJL+EpQjr0g==,type:str]
-xray-xmu-server: ENC[AES256_GCM,data:3O5rFi5szla70M/c62JV4nGWKPSOREImrOucjeVYf9bde6K8,iv:PGCqlmHtaNuWOtAAeJ6O+CWFpMszijozU1OpUFrftjs=,tag:iGTOoNvQhhZy2FL9jy1KIQ==,type:str]
-xray-server:
-    clients:
-        #ENC[AES256_GCM,data:gToh4rgMOQ==,iv:A14sSC7ExbSZNOzzz6mOmWalSz9K6ROoSYgCqdF7j4U=,tag:1Jr2FfVQ9L2w+bWHh/NekQ==,type:comment]
-        user4: ENC[AES256_GCM,data:/ZrgvlpwDlKhcHqkBRsdqqJsNUxtb3ZnC36mc8qlJ+HP4mY3,iv:R5QzXY0mC72TDB0OcF4fJt3bc5L1Z96Q+n9kNbZP7m4=,tag:tjWSEcsG0udvQZZJ/RMTJw==,type:str]
-    private-key: ENC[AES256_GCM,data:34FOslwr3AZNDg4YrS95S20agGXwGJRNGnpogMR7utbt1ELUxfQkiAU1qw==,iv:4fiJCi6TJM+NIlfI1qFX/eCNhcVaCWGsLA7iMjQpATw=,tag:eLz8HlQMprQNryk5saqyVQ==,type:str]
+store:
+    signingKey: ENC[AES256_GCM,data:zr02XBgQ4H5jRnjpLtp9rjcysXP9qI7McOiBwaWhdylu5GevKmxlCd4h3pEUO74k+gJT88BzJ+S59P+6DS76Y5nlKqextGMzGjdq5XPkdDkSkKZBai2kkqBSyko=,iv:hyhroaDazMLFeLMGruiFeokZ2Tz3xKj+xCsiEUJ5faQ=,tag:w3805eqo6Y1pw65mjoRgOg==,type:str]
+nginx:
+    detectAuth:
+        chn: ENC[AES256_GCM,data:5kGvlFB332xf+PQCDmJ+EA==,iv:/BQI83lMdzmycQCe0k6Y8bwqV4Ma9vqgvgPWWqVAr1g=,tag:61AhVVNUx8+b55DkIjVifQ==,type:str]
+        led: ENC[AES256_GCM,data:XFlK2jjo,iv:rTCHmoFU4S++eBywCa7NXsAmSqcSgCFXxnW0RyFA2a0=,tag:aK5IejgS060FrxQfmdxohw==,type:str]
+redis:
+    rsshub: ENC[AES256_GCM,data:r2O88tXccKZw68Jg5tvUcpwf6y8Vs1kcZ7XbAReJ7aGyGH4MH3jTO72Hs7vh7185IUygXri0M2C6Ko2CY3gaLg==,iv:ZYbSqlcnga+JnC5Dxt2cTHiGTlkndSAB550ilSO+P1U=,tag:PgrW6H276sSvYe3NA6o/vA==,type:str]
+    misskey-misskey: ENC[AES256_GCM,data:Up0Q/4MjyCdXyL1EVoXbmW0J3QJCx1PlhClXSc2WpBNwpSfgmoJceLoXRbIs009JVjhn5tt7LO6EmwKiNc6yTA==,iv:myWj8+exXtg+t7Fs+ZPOLJXWtKEu0PyhTw68i7rnuTQ=,tag:WMpj06Swj3pMbSXgM0bNuQ==,type:str]
+    misskey-misskey-old: ENC[AES256_GCM,data:yLVCQaElMWBdVnKa9hBNEnSxfOx/582SoCDpQM9QjEgWzYOmPIVoRsTAs10Gsw3PezJW54S+AUrNg1mV0f8Nwg==,iv:xYXQt2CsZyymdKMIoqKLzLeTMNff7RwGzBGDfBOoxlM=,tag:L3V+AZZyOJow/Sf1RzD38A==,type:str]
+    nextcloud: ENC[AES256_GCM,data:/wv5hG7cmHz8S3d411cGxFY87MNmo/6V/vXJsWqYr4afoVLMlqUgpf6ZkSPcj2PKBmB/X+RR1s/Mus9RIJKpzw==,iv:WMdKp63LsMyOGheurm6bM4qUUNVe3/WmkvCQ8PWxqoo=,tag:PHjeJ052LtCqerED4bgACQ==,type:str]
+    send: ENC[AES256_GCM,data:5y0GGNdmVzl1Ro4bv8rab9dgmIOgNQBPPF02HfpOn/ctbSBzi9c96TJeIbDJVS2tN4P2+hSgP/XOR+hoM9prxw==,iv:4xf0b1/1f9vyVlQtIGmX5Ea/xNPyjXmA5/vazf5sOZA=,tag:b2211wLiDTvPKqRA3IpzOA==,type:str]
+    synapse-synapse: ENC[AES256_GCM,data:3lSmLz+sO9fwomeb/NCTlSRwpbegH6g1vp0qKg4G/hnWsKCu2mK6TDhQbLCSDQEagw4oBDN68yEBQ0C0tvmd3w==,iv:9rrv3XvB4ELcZhdi2KNxnYFw+XH96U4SM0X9ZSGp0KA=,tag:Qn8FdMMOaDeB9Wb11F44xA==,type:str]
+    synapse-matrix: ENC[AES256_GCM,data:NqDKomSPI6UcRDAjqVapBlmXXFHdHYS0w3jvJ4oQCvoeqYvNalkD009A6E6Br3w0/FGEKJQeTBI2MkYLlHAWcg==,iv:o8TDqzRDQCi4+Kv82BSTRyB4Y7mKhxM3c49hEbQuQmw=,tag:6RCKWwxC5Fw5N1QD/5UktQ==,type:str]
+    peertube: ENC[AES256_GCM,data:zzRRyCbXsqVVxDvS8kpBbOyozqi24d6G9K++/ToLQyt3TumefTssNehljNsb0oqsmZBLgLhND0T4WDhMf9//Ng==,iv:yDM/LREKnBW8noRzHPIdqg0TvmWAfxmVOplZkY8MSro=,tag:19uoxbEdGPOIzcQqm31H5Q==,type:str]
+postgresql:
+    misskey_misskey: ENC[AES256_GCM,data:mcJM5hgd6Y6MjphFuH20QHU1zxPVnrd5CG3rwX3CekxpM4NzElhkD0pcWM0eTxbNQCM4V+lmjAvaQzBS8T9Mzg==,iv:eC2/GyNcZK31jxLYfRRw4l0aNhz1kcsjE/w4Y/P6ydQ=,tag:hNC2Fj327+O8/4/5/riTYw==,type:str]
+    misskey_misskey_old: ENC[AES256_GCM,data:z4C8J2dAu6OhtRzkHGLb1u3pUGeRuTF1EHzjduO45zF9cpMufIs52u8vhzwmrEXm7bJP2lomyFtQRWNPqtPkVw==,iv:QA56d2wcAseFuhI+lgR5Op0TbKrzs+1Cd5v8/0i8/gE=,tag:Df63HfuHZhDn/0SL2/6fdA==,type:str]
+    synapse_synapse: ENC[AES256_GCM,data:4Em7JbATF0Rs8pLjrVT9ZIxPaqecqxCGUtQPie69XWZIVuB/4AsmhPe4WmyJ2jPPmHBdzPHHLwQbd3ryusMzsg==,iv:49JsSMnsZzROuH5mXxMVEbkFOp0uf8gsps02vAH1Ovo=,tag:63LjUCFcnhqUsWqn/hDijQ==,type:str]
+    vaultwarden: ENC[AES256_GCM,data:qP5i100QGGHbYLbmgI29eU1vjx3S9zAAJ6SuahykqehFcowJMG/x9L4VCfw8nMmvoDZDUDvOKsE/8XH6tJ8c8g==,iv:f+yahEvIwdchADrtQsX0EllR6jGzqLA5zwnnAaUjnck=,tag:Iy5JbgktJSoUPszcinb9vQ==,type:str]
+    nextcloud: ENC[AES256_GCM,data:XBsqWgTwAMMQ+aZVf91w343yqL7a1xEswc8CeC0NWsM/ZwabQfYeToVDKlQEGnItuyBRZfhSzH+EUsF7pXDB9Q==,iv:OEoqECAOuyJ0wjsaof8GFYaftEv8z7vH64RWlGHU9XI=,tag:nFoMasHkPawFxiLvclsP6w==,type:str]
+    gitea: ENC[AES256_GCM,data:7afp3qF0jU+aGOktymlk4iDaK2EuYjLD0QcMQA2Nkxf+ac4PQFb1g4rsaPcxuNLn5ZFueq6QXCVUTPNdEeCJNA==,iv:OjNWbhRoi5fvVY8dtkoHWIPO1frXsmI8cuBxKgDHPmo=,tag:1s3+L08McDetU2BTMXWP+g==,type:str]
+    grafana: ENC[AES256_GCM,data:jsKB0+FFRGDfCG/alFwQF1fvI+TOFAUN6gc3zraMkCsRzn6SBzPsyuOiDthTCyS2dx0+arwmn93TzX1fm/vKuQ==,iv:Vl7IsQRuP8TBTDfwJSU/QrHTSowukXtGPG38fu3QcnA=,tag:L5G8sN6ZcOWyoeQgvTYGrg==,type:str]
+    synapse_matrix: ENC[AES256_GCM,data:uyV13dMgUzPLGmSGN3Hoi6u1tY9rMU186VUSl7HspZXFqhs+OmRGL86cf91o/owvz15WijIw4wuAP++T8MY4LA==,iv:TG7Fi3ETAvmrOxv8ZahnrOR7Z90Vf5YgHcOtPkzueJI=,tag:uH10mk1m0q3a0fGcDbH9HQ==,type:str]
+    peertube: ENC[AES256_GCM,data:J/qNYYuOhENTVFU+6Iz9P8Cy1FcHlD6xpPADDzdYDZuce9DEsnFq28d+tTJ7Z71IvOKvNySly7ru/R+Tu7rqpQ==,iv:sV34o2Zf7yLUovdVND7wh+rcoGglz4llc3xfSEllHNM=,tag:c9wzEAlWMINTN8TEZhDIRw==,type:str]
+rsshub:
+    pixiv-refreshtoken: ENC[AES256_GCM,data:PVWacd0SAg2n76ExpQy5Hdg2WK2IdokhnZ0PoY7rNz7pLkBjlrMjbtCenQ==,iv:wPCVw0VVL4b/9TLvGd3fU+dDr/gIlSyUOO5pKF3CuzM=,tag:HgUrPEOCZK9DYsyowi55Ag==,type:str]
+    youtube-key: ENC[AES256_GCM,data:XOPAZPIE8Hd3vKWAR8tlaXQp/FGeH2pIBmwym8h7TXUf+MGTGQko,iv:mv1csjmeKi/ZQIiuhzPIr3DPyygjWevhFGSK+URaQiA=,tag:yh4Zr9MpINU8O0eeH9+z3A==,type:str]
+    youtube-client-id: ENC[AES256_GCM,data:HEJQeFtoyXaSQqprbpGY7qvYYsq1u23CMM5kGvgGsoP1xvEMcwRa3Lza8OhL/lk0MtKH0krojDyUMzWPZtohG9U3ad/t18YQPg==,iv:vT4V3VZU4lJx2djtjIOow/xuER2LQ4reQUOgCPeW+9Y=,tag:MFvBv/3hs2H6BQWGU9eeFg==,type:str]
+    youtube-client-secret: ENC[AES256_GCM,data:7++nVoYfFxv304u9fxmk5W+38tP6Z+mMS/nh7adolhyfDXI=,iv:WlYBfwCz7//qM02ljM1prc/YnBwLOb60ATcUlnBK9ik=,tag:erwi1hRaSaUQ2cLp+S9QOw==,type:str]
+    youtube-refresh-token: ENC[AES256_GCM,data:o9KEBZ18h+taPc3WoQ4EsbR/WbFn3wRhgdvLAz7dmM05Cktf9pgZ8iI1idWQZCJ0ehYL5VyizNhHrmkocXsHzCJ6i79J3uBl5vggWZ4v6/5cUBtNZXq5DYYG/EVN2RXjOdrkzYZnQA==,iv:CQzgvwhofMljnhNXYh+t6BkPJ3OO4GRPOSFZOVXe7TY=,tag:/1i73kP+RrkP76Tho27wkA==,type:str]
+    twitter-auth-token: ENC[AES256_GCM,data:2OM7aZZYuE1A3aQMsDia5yy2cGVmaT7L3QljZ3J8IixA9zaJdFwu6w==,iv:vcc80V5PMqZk7lcvoyfl+XtoIhZ7g951OSRnXPywtao=,tag:EVL2NIiDTS5EHU8MxIZjpA==,type:str]
+    bilibili-cookie: ENC[AES256_GCM,data:PoylF8gAs3dpRSdV6ClpaV9J6jRqRIsAYPlv1NiWy43hHmvEQac1tVrQfm0WHsxV3SfEaphyVH18bgwAcWnkWHbMTzKTWtzsJ74WrihRgksPiuttUm0JkTTr16g0jUtF8kSJiajQfDKmL0pEY9k3mnGnLltjIfntnqbH6dM11FRFy0Ixg0USUPiPz+uFMpJ7x6RHp+ypfhvMYsi5uuCiloCYMV4cUcr65gGym7a72S74vPdPQRzuGoz9fsJn/aPGPlhZR9L2k98TzQjp2jz5lbbGLEH6O1AH/aW9QlDuooF1ki9SvanQ,iv:nO6Adc002Twmw4Qov+EkhVu2TBN0NUEgaCoWOaTu7hE=,tag:cHG00fvDaTR7kAYIMPsICw==,type:str]
+    zhihu-cookies: ENC[AES256_GCM,data:88obR6OzMhO07UM4Mqr928ik/LY8wjjuYRVJdFFJNwiq+q05DfKprrX0oh5barTBqWduZ/PZZzOswh8OgzyeVpRZwBLIz63AJSv+Zui6wV/KODITZs/iDC+UiEnGkh0kf93p3g/TUvxWDGwe7beydGiDXUZrvaQ2nKB7NBGAoohdsx3cXb+TPruj0U8G1GaqRscSjqoYJFhj30EJBH7Jqb687/Zms0oetgXi6KZ8Mw==,iv:tYjHMC7FVxQJ4mhst6pttxivCoSxVyv8qUPmXXDoqzs=,tag:c3UHpyGKvD48qi0rBlfyjA==,type:str]
+mail:
+    bot: ENC[AES256_GCM,data:redeWqYAJlHVivVtywOD+Q==,iv:mDZ+4K4aj+05/KRij0oH+v7/JiBxs7y/x08Nz7U1sSQ=,tag:2FRwDxmN/mIuBjE39jl/Ng==,type:str]
+synapse:
+    synapse:
+        coturn: ENC[AES256_GCM,data:IAgJ3Lni1s/AGQxz2Tt0EpFoIwRZ7Y9TtDHsm7fyCcfDLNvwhNorTod5MSgiqFtHhWLzXf/iqh3/cWitIeuxAg==,iv:QUGCkeFMO+CA3tAXbM8h4KALFic6XbnW5pCxtPtJyb8=,tag:dq6qECRfcyUvJX5EwCPDvQ==,type:str]
+        registration: ENC[AES256_GCM,data:HV4DXfW6h1Z/OaW73jXJ4oXs/FOJf4EXWrWlXsnqbOJyzhCszBOiGFAw/i+wx9sSB+k=,iv:8VIXG3Xqug8dYaw2Log9IrGpxqAXwXFk4MJ4JuzQsBY=,tag:3Ra69sIFOxtX4Wzehvz+lQ==,type:str]
+        macaroon: ENC[AES256_GCM,data:ilCgbQjqIALJd+rz0XmEo6TLqO44NCBBG2vKv8QITLntZ80bgedKACXZogfMVCv7pTI=,iv:LQG1/agu05i7kFL2vWFnSCttivD7yyDijhWFfq50Xq4=,tag:2VfNhZA5OogXI/RaWohDag==,type:str]
+        form: ENC[AES256_GCM,data:0NdGdzjSF1/Xo7jz+Y3sGK/szDlhgg6kWLCoBiqDmBSARZX8SnW9W5zlPKM4Xa0sG+o=,iv:XVxnFBK2f2tvhIshzQLqLeUMcO28MyLrrF5QZMUeUr8=,tag:5frMH5KQt1hL1u2ltDpApw==,type:str]
+        signing-key: ENC[AES256_GCM,data:JPjrh78ySJwmfL7l5C2OT6pelzMfqaWRQK7MoMv3lQ3VXcWKrVsJZlfRQaTJbaEgK+qSiHh0T99LGA==,iv:DFefjxW8U9YK3kCQUPyxOHsh+ZhUYEj5DfOlKVZePxA=,tag:u7oyKnuVDqkyvzwvsyfV/A==,type:str]
+    matrix:
+        coturn: ENC[AES256_GCM,data:ecDAOVKq9+tJklCJK3ktiWQ6Ky+O5fjr9zS3b3PjwJUyCpIADvVhWBTmFeaVy2ApfuWbugGw8d5wCscpOOy/aw==,iv:p9l9X0UBK2mDpkR9+OX/j+ETYxMdzZhjowzOvA6Uk/Q=,tag:5IC3IsfXg4JmJ+m9F4ehPA==,type:str]
+        registration: ENC[AES256_GCM,data:YnDk7rqVPi3uyzNSBvWLQPb2ZaayNzgubs4Hf0i/CN0hW4ha49AZtkcNka/hVtwTGMI=,iv:Zs7SpAecN8r2Sg7Ih190SUlbH5SLu19BDCUPX9ywYzw=,tag:RLZ6jIgOeFCDwzAu0008yA==,type:str]
+        macaroon: ENC[AES256_GCM,data:YmEJKAZ6dyjBVyvK3Xi68TZtJHUuljAQMhlR6I8vNUOxuP766XYkU/z/YaH3R2rVv9Y=,iv:1/C8Fm2CIpo6Y+YnE80EtWvHfG6cQu/mYd10XjagJdg=,tag:QmtfqZ/3as+4gdF/b2OuxA==,type:str]
+        form: ENC[AES256_GCM,data:rGLJQUMVpOBTCQEqQtiUk3SWitLL1tijBFqVDbohrUspUhTXgRmCQ/0eodhku3RiwcA=,iv:GSxZtwo4/FDRn/dA+L/NQFWcj45KEUSaV2sUL09vqe0=,tag:4dvt57c3Q73B6O/9/UsbNQ==,type:str]
+        signing-key: ENC[AES256_GCM,data:mUY9Fn7TcBPs4HhSpRkj1weFezAzr5ld1xYE8kZcjRNU05MCGLTbPa+av6pYr0HoAaSyzBXmKBBZMQ==,iv:wX092d4eAJ2jLce6Y1EfewxGZsLnwOSce5RJoikCiRg=,tag:Uegzv54CvAI8d0NTz3UesQ==,type:str]
+vaultwarden:
+    #ENC[AES256_GCM,data:wbKsGwBKrJYagX1AvY0o5FHXxOhrfjZ/+crasAh52uOFYGd0P8A7NnyF6JvNgH749dAT9H47DXRKBAclVVSqWPc=,iv:TZgJ7pwyGBpf7S4g7CL2dync2sGNzQ9369atAvLwFJ8=,tag:sxtkPHOmrjUb13zeWPBdng==,type:comment]
+    admin_token: ENC[AES256_GCM,data:TrgqQwXBoCdsLeWQYkur4zS+Z4nCoDDoePnN5vm+AIcgYXVwjxcf/0AwXQIxVNEypYysPpoHKOigwhkf5kLazAMiBZ0goAflJT/S4nOLo90s+9kDCADXWnCeHNhBUg8fUulNPBbpqdfFKCJgJCD2WTI+V5yFLQ==,iv:maKU6pcxis7Cyrx9x26cUTBzA6ZKcKJWSP23w+MDehw=,tag:GYpPHp2slC6V8aKA1FHFAg==,type:str]
+mariadb:
+    freshrss: ENC[AES256_GCM,data:Qjg5GIX13ccZi/DuqtWK0qzr2GK0GzzUdEZWXDhUhGxFWzgosADxDCc8wfOchItaJFefnVrpPxdAPvT+4TEH0g==,iv:oGii3o6sJYVc11kdQMh0Pa3GUbWqttFgjvSVEbTycZc=,tag:8GWWwuJjQBwDFl9pJvg90g==,type:str]
+    huginn: ENC[AES256_GCM,data:/hFQdG/RGrX75qd0+WgwhnwR7p/CEVx1vPksRSudxmc1m4VO/AVzgMCWAz4310ctTEnn4GZinvD6QGFta5IOSA==,iv:mrPDZA6Bnw+SPVDDe64tivvvQtHWvCsPJbEnPqm12g4=,tag:ihXbIJwwtQ0RfaNfcaop4Q==,type:str]
+nextcloud:
+    admin: ENC[AES256_GCM,data:DJK+u19VP9cFvq4/P0+f7erXxZkRWI4NRrX9HdHO96xy9wZMtB+hEDN3zLQnkTTtmd2ZLs9+c9BsUNXZperGDQ==,iv:zX8Nxt5+O/mGVt5l1j8IojBkgxg5oDae6KWTXYz0hRE=,tag:MRyMx0OXYTCmtaySP/umNw==,type:str]
+freshrss:
+    chn: ENC[AES256_GCM,data:wwHntnMeiGZ5v8CE7CGV,iv:snIdYdFpvv5HvcR5qucD2pZXXef3dhSU+2wK5SPrDjw=,tag:2RnujKKkQSoxvSNZPLS9Pg==,type:str]
+huginn:
+    invitationCode: ENC[AES256_GCM,data:E8rEdAfUQX9oJEnvxVF5PmYFMd9PN8+K,iv:gZtUf+AkICLHD4h2beHbEfyoL4bcoOv0sivDFDB3vVY=,tag:4tlsPuED6jCXNE0iOayXsg==,type:str]
+grafana:
+    secret: ENC[AES256_GCM,data:O2L0+R9QvOMJLKa941nxn+FeuZ5nOAm1iDlKW2vvk5Dyod0XLdGL1seWuYzpx+NL16qmC1u8jydDcBfUT+PAeA==,iv:Pqsr+POPAr8djdVMK5U4PiS1zUnZXLH3q588D/jOMys=,tag:QziP0kKT5oyI/RHaYHr2mw==,type:str]
+    chn: ENC[AES256_GCM,data:xMwWBYChRIxw5KDjgCYBJWkbRRo5FUtyhZ0+SVRIgjQ=,iv:EIjECQHx3/2t+oMC16B1Xfwa8guiST2pdIKM1hNcuFA=,tag:BP8ElnMevqF6urDgBP/UAg==,type:str]
+peertube:
+    secrets: ENC[AES256_GCM,data:9pm5hD8FdbmFIRZZX5+C0NyXn8qdt0OIlecu79xjVrWd8C6H7C01Uriw5M1qifTIJLDMvJC36Trci0/eniDsEA==,iv:iZ/KiwgFm5TyZBZxo8n9k3Lr3o3Vk+c4zFn9efPtJYw=,tag:HGgoRL1C3Nm/KTHGfq2Ejg==,type:str]
+    password: ENC[AES256_GCM,data:PNrcz2PnGF6WGa7vL5PBWiM03xsA2B2imPiwHpU0IMPN/CMh77eMVtwmoxtl6QkGl1UKb12975NJsfJwJPg9gg==,iv:vjFl6SFNqZhTHmmxRckYAj8nZ1IbFtTfTAxYkdSf/lI=,tag:K2PpVnu+919MddGl5qJn+w==,type:str]
+nixvirt:
+    yumieko: ENC[AES256_GCM,data:tO+67mdCFH8=,iv:vl+PLSBfMDk7rGmpjuZ8TnEC1B8tni2pphC7cTmxQU0=,tag:RVW5UaUD0g0HDpoGp2/mAA==,type:str]
+tinc: ENC[AES256_GCM,data:IziBdx/fkWltRubpBYcCuZ/jwM7U6OUA8WAglvMRoCN3eFjQEm3GN+J30tfTt8P2ngwHmaKJ7ry7rB7nhLmIUzhNrLEHprwZwqhAIgpMHo4pcCfJBE5Y7ba+kTk3eOI4waxwmfRqFdccmmkDTtw0En0WtSj0/ysOM4n8mmgeYxc5KIUNfasc0IHfHVtNahljvFUpExeT6Tpu9Caa1cznnFQYlMXsEGkveUHNOcEq4DWCUEVCTOE4/jcSg2j3+dJre3/Qz1ELi78=,iv:PmkrR2nccHrKrXr5V+YBVP4eQHBxPIw16ePfgjP7wgY=,tag:jsAh/QfimQ4swHnEtQsiIQ==,type:str]
 sops:
     age:
         - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
@@ -27,7 +90,7 @@ sops:
             by9Rd0U0bzNiK21BQTNxN1RuQ09DQVkKJmSlzV5ppEkZFljsS17ZWmoI++fz4tJh
             kTdoAStG1zsKASHyZTsmdm3RBDO3qV1KhQC2gC7d4EiwNZngxOOZJg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-08-06T04:33:54Z"
-    mac: ENC[AES256_GCM,data:DMLcRc1hDS0x5Gt0WA/6kfEi7KKogeKHBfuW9gndj7fPqCyyYFzW9Mn8mZ3UhWB68c25GtKyLdo9T5yFivS90JB74kEWrQn/Nfdy0wW18BOloiRwLdSipoADwYwpJtr+JGNs9R6AqIAoDcbVJrr4q6kZh/Cjue6TJiyBdI4uirU=,iv:YOn7XzKAKtzucq6h0yAgj+Ee6L3srscnvieCOmZjBeo=,tag:lnAfv2pWVf5czeTgL4donQ==,type:str]
+    lastmodified: "2025-12-04T17:33:50Z"
+    mac: ENC[AES256_GCM,data:MjCnibcdkR927418wAlPUj5IXfbCQMS4QQOKvWRHdqqZHBQFw886Nx8YOXvH2PTgAhDWjzhuhnkF3InaY63zYqamJcKKwp/aIjZ97UXNKsZPKaVo48S9rBuHPFI/NceDSoMPZvgrMhgNguegdc6B8D2fwJPdtdSa6pJez1WQ9r8=,iv:kZnVRglmmWkR7f80bCX9Y5Th3dNI8TtUxx6P40d7E1o=,tag:5L0bfCYJq/EpvaT8BJA2QQ==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    version: 3.11.0

devices/one/default.nix

@@ -1,35 +0,0 @@
-inputs:
-{
-  config =
-  {
-    nixos =
-    {
-      model = { type = "desktop"; private = true; };
-      system =
-      {
-        fileSystems =
-        {
-          mount =
-          {
-            vfat."/dev/disk/by-partlabel/one-boot" = "/boot";
-            btrfs."/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
-          };
-          luks.auto."/dev/disk/by-partlabel/one-root" = { mapper = "root"; ssd = true; };
-          swap = [ "/nix/swap/swap" ];
-          resume = { device = "/dev/mapper/root"; offset = 4728064; };
-        };
-        nixpkgs.march = "tigerlake";
-      };
-      hardware.gpu.type = "intel";
-      services =
-      {
-        xray.client = {};
-        beesd."/".hashTableSizeMB = 64;
-        sshd = {};
-        waydroid = {};
-      };
-      bugs = [ "xmunet" ];
-    };
-    specialisation.niri.configuration.nixos.system.gui.implementation = "niri";
-  };
-}

devices/one/secrets.yaml

@@ -1,32 +0,0 @@
-xray-client:
-    uuid: ENC[AES256_GCM,data:GmfSlDQjO4aBq3u50jnFjOR9VxamYHzokUrO9IpIGuBx0j8e,iv:++O2wBUCnHDPowRgtxPQJQePXP2Cda74WXQvlKHbHNw=,tag:XDWhiXwT718RgrBw7L5yzw==,type:str]
-wireguard: ENC[AES256_GCM,data:OuduClOu9y9adCcV1+U/NLp/t1yWPkuyptproTJv4beImptrLOVGbhb5fb8=,iv:qa1jpzAlUEhPBznZw6j4CYquTCpmNZ+uNbyHjH2qGy4=,tag:+5I2CRuyCAMSy74xVtdJGA==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsOUJWMm5xT040cEoxQit5
-            ZnhhQWVyWjlnejhzQlEvVVg3ZGVJb05iL1hjCnF5bzFTUTZFYkNQR0k5U0xmOW1t
-            TXhsRHFIeVBBSXc1UURON2M4MDlTMEUKLS0tIGdSbTdZdmdjY0dmNjkrRjd0VkhK
-            eWV6SDJqT1B2MEp1MURkV0E4S3Z0Zm8KX9lEjG4u2QRe1zH+13rbedCWl1B7vvl8
-            2iMHj1qQ4JkCeq83llEH5IuDXKYnKKXSi8l3nU/l6Aw6yx/KHDFK/g==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1m7nrxfw22wvp7pj8y9pdl745w95x89uu8dzl9ppsaazweqf2lqms5yshsp
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2K3VKTVJqMTl2cWxUZHhM
-            OVg5ZjN0VGNpVXQ5M1FKZHloZ0ZnWTZ2ZWowCjJIYTlhRU8wd1JienlUTHIwWXYw
-            eFY1d2MxeStBd013VmszbTUzTkF6U2cKLS0tIDdDNXp4OTdQRjN0MGdIOS9oSldU
-            ZW5PT3VYZWhDMkZUeHViZE41eUhna2sKc8J8mJ8ge9KMb5p6Xi/vRIIXZMEj6Ih+
-            LjLKsgDfMbqNqKaQXSvC3tbvI/dDoiStyCsf4rkTY9QOkyEI80MtXg==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-04-10T10:44:01Z"
-    mac: ENC[AES256_GCM,data:Sso6g9UEH7faygbcrypsnB/4h8cIwveLdVI+YgDDfTHMC5nxXj+xtfFHhzao1pkyvF0avUVjsMVXLRcB48eDcbZdXwBvoNKg0mpL7VAeOnDuwElI6GGpRVTaOsZC9LT9d1kuGkmavMljCvmaA3sPLZsvW3Hqjdicj+suMoQJ/nE=,iv:DYf0m9PfJ1qx3gI/6T6ByxJWHrdVGgiNMCVhcBOrgBw=,tag:Ddw2HFuCmk6PFnxF4G13hQ==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.9.2

devices/pc/default.nix

@@ -11,53 +11,48 @@ inputs:
         {
           mount =
           {
-            vfat."/dev/disk/by-uuid/7A60-4232" = "/boot";
-            btrfs."/dev/mapper/root1" =
+            vfat."/dev/disk/by-partlabel/pc-boot" = "/boot";
+            btrfs =
             {
-              "/nix" = "/nix";
-              "/nix/rootfs/current" = "/";
-              "/nix/remote/jykang.xmuhpc" = "/data/gpfs01/jykang/.nix";
-              "/nix/remote/xmuhk" = "/public/home/xmuhk/.nix";
+              "/dev/mapper/root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
+              "/dev/mapper/tf1" =
+              {
+                "/" = "/nix/tf";
+                "/nix/remote/jykang" = "/data/gpfs01/jykang/.nix";
+                "/nix/remote/xmuhk" = "/public/home/xmuhk/.nix";
+                "/nix/remote/wlin" = "/data/gpfs01/wlin/.nix";
+              };
             };
-            nfs."${inputs.topInputs.self.config.dns."chn.moe".getAddress "wg1.nas"}:/" =
-              { mountPoint = "/nix/remote/nas"; hard = false; };
+            nfs."nas.ts.chn.moe:/" = { mountPoint = "/nix/remote/nas"; mountBeforeSwitch = false; };
           };
           luks.auto =
           {
-            "/dev/disk/by-uuid/4c73288c-bcd8-4a7e-b683-693f9eed2d81" = { mapper = "root1"; ssd = true; };
-            "/dev/disk/by-uuid/4be45329-a054-4c20-8965-8c5b7ee6b35d" =
-              { mapper = "swap"; ssd = true; before = [ "root1" ]; };
+            "/dev/disk/by-partlabel/pc-root1" = { mapper = "root1"; ssd = true; };
+            "/dev/disk/by-partlabel/pc-tf1".mapper = "tf1";
+            "/dev/disk/by-partlabel/pc-tf2" = { mapper = "tf2"; ssd = true; };
           };
-          swap = [ "/dev/mapper/swap" ];
+          swap = [ "/nix/swap/swap" ];
+          resume = { device = "/dev/mapper/root1"; offset = 156901642; };
         };
         grub.windowsEntries."08D3-10DE" = "Windows";
-        nix =
-        {
-          marches =
-          [
-            "znver2" "znver3" "znver4"
-            # FXSR SAHF XSAVE
-            "sandybridge"
-            # FXSR PREFETCHW RDRND SAHF
-            "silvermont"
-            # SAHF FXSR XSAVE RDRND LZCNT HLE
-            "haswell"
-            # FXSR HLE LZCNT PREFETCHW RDRND SAHF XSAVE
-            "broadwell"
-            # FXSR HLE LZCNT PREFETCHW RDRND SAHF SGX XSAVE
-            "skylake" "cascadelake"
-            # SAHF FXSR XSAVE RDRND LZCNT HLE PREFETCHW SGX MOVDIRI MOVDIR64B AVX512VP2INTERSECT KEYLOCKER
-            "tigerlake"
-            # AVX-VNNI CLDEMOTE GFNI-SSE HRESET KL LZCNT MOVDIR64B MOVDIRI PCONFIG PREFETCHW PTWRITE RDRND
-            # SERIALIZE SGX WAITPKG WIDEKL XSAVE XSAVEOPT
-            "alderlake"
-          ];
-          remote.master.host.srv2-node0 = [ "skylake" ];
-        };
-        nixpkgs = { march = "znver4"; cuda.capabilities = [ "8.9" ]; };
+        nix.marches =
+        [
+          "znver2" "znver3" "znver4" "znver5"
+          # FXSR HLE LZCNT PREFETCHW RDRND SAHF XSAVE
+          "broadwell"
+          # FXSR HLE LZCNT PREFETCHW RDRND SAHF SGX XSAVE
+          "skylake" "cascadelake"
+          # AVX-VNNI CLDEMOTE GFNI-SSE HRESET KL LZCNT PCONFIG PREFETCHW PTWRITE RDRND
+          # SERIALIZE SGX WAITPKG WIDEKL XSAVE XSAVEOPT
+          "alderlake"
+          # SAHF FXSR XSAVE RDRND LZCNT HLE PREFETCHW SGX PCONFIG
+          "icelake-server"
+        ];
+        nixpkgs = { march = "znver5"; rocm = true; };
         sysctl.laptop-mode = 5;
+        kernel = { variant = "cachyos"; patches = [ "btrfs" ]; };
       };
-      hardware = { gpu = { type = "nvidia"; nvidia.dynamicBoost = true; }; legion = {}; };
+      hardware = { gpu.type = "amd"; asus = {};};
       services =
       {
         samba =
@@ -72,20 +67,22 @@ inputs:
           };
         };
         sshd = {};
-        xray = 
+        xray.client.coredns =
         {
-          client.dnsmasq.hosts = builtins.listToAttrs
+          hosts = builtins.listToAttrs
           (
             (builtins.map
               (name: { inherit name; value = "144.34.225.59"; })
               [ "mirism.one" "beta.mirism.one" "ng01.mirism.one" "initrd.vps6.chn.moe" ])
-          )
-          // { "4006024680.com" = "192.168.199.1"; };
-          xmuClient = {};
+          );
+          extraInterfaces = [ "wlp194s0" ];
+        };
+        harmonia.store = "/nix/tf";
+        beesd =
+        {
+          "/" = { hashTableSizeMB = 2 * 128; loadAverage = 4; };
+          "/nix/tf" = { hashTableSizeMB = 128; loadAverage = 4; };
         };
-        nix-serve = {};
-        misskey.instances.misskey.hostname = "xn--qbtm095lrg0bfka60z.chn.moe";
-        beesd."/" = { hashTableSizeMB = 4 * 128; threads = 4; };
         slurm =
         {
           enable = true;
@@ -95,60 +92,40 @@ inputs:
             name = "pc"; address = "127.0.0.1";
             cpu = { sockets = 2; cores = 8; threads = 2; };
             memoryGB = 80;
-            gpus."4060" = 1;
           };
           partitions.localhost = [ "pc" ];
-          tui =
-          {
-            cpuQueues = [{ mpiThreads = 4; openmpThreads = 4; memoryGB = 56; }];
-            gpuQueues = [{ name = "localhost"; gpuIds = [ "4060" ]; }];
-          };
+          tui.cpuQueues = [{ mpiThreads = 4; openmpThreads = 4; memoryGB = 56; }];
         };
         ollama = {};
         podman = {};
         ananicy = {};
         keyd = {};
-        lumericalLicenseManager = { macAddress = "74:5d:22:c7:d2:97"; autoStart = false; };
-        searx = {};
-        kvm.aarch64 = true;
-        nspawn = [ "arch" "ubuntu-22.04" "fedora" ];
-        nfs."/" = [ "192.168.84.0/24" ];
+        kvm = {};
+        mariadb.mountFrom = "nodatacow";
+        open-webui.ollamaHost = "127.0.0.1";
+        howdy = {};
+        postgresql.enable = true;
       };
-      bugs = [ "xmunet" "backlight" "amdpstate" "iwlwifi" ];
-      packages = { mathematica = {}; vasp = {}; android-studio = {}; lumerical = {}; };
+      bugs = [ "amdpstate" ];
+      packages = { mathematica = {}; vasp = {}; };
+      user.users = [ "chn" "lilydjwg" ];
     };
-    boot.loader.grub =
-    {
-      extraFiles =
-      {
-        "DisplayEngine.efi" = ./bios/DisplayEngine.efi;
-        "SetupBrowser.efi" = ./bios/SetupBrowser.efi;
-        "UiApp.efi" = ./bios/UiApp.efi;
-        "EFI/Boot/Bootx64.efi" = ./bios/Bootx64.efi;
-        "nixos.iso" = inputs.topInputs.self.src.iso.nixos;
-      };
-      extraEntries = 
-      ''
-        menuentry 'Advanced UEFI Firmware Settings' {
-          insmod fat
-          insmod chain
-          chainloader @bootRoot@/EFI/Boot/Bootx64.efi
-        }
-        menuentry 'Live ISO' {
-          set iso_path=@bootRoot@/nixos.iso
-          export iso_path
-          search --set=root --file "$iso_path"
-          loopback loop "$iso_path"
-          root=(loop)
-          configfile /boot/grub/loopback.cfg
-          loopback --delete loop
-        }
-      '';
-    };
-    # 禁止鼠标等在睡眠时唤醒
-    services.udev.extraRules = ''ACTION=="add", ATTR{power/wakeup}="disabled"'';
     # 允许kvm读取物理硬盘
     users.users.qemu-libvirtd.extraGroups = [ "disk" ];
     services.colord.enable = true;
+    services.udev.extraRules =
+    ''
+      # 禁止鼠标等在睡眠时唤醒
+      ACTION=="add", ATTR{power/wakeup}="disabled"
+      # CPU降压
+      SUBSYSTEM=="power_supply", KERNEL=="BAT0", ACTION=="*", RUN+="${inputs.pkgs.ryzenadj}/bin/ryzenadj --set-coall=0x0fff40"
+    '';
+    boot.kernelParams =
+    [
+      # 解决有时蓝牙不能使用的问题
+      "mt7925e.disable_aspm=1"
+      # 插拔电源和扩展坞不要唤醒电脑
+      "acpi.ec_no_wakeup=1"
+    ];
   };
 }

devices/pc/secrets/default.yaml

@@ -6,16 +6,14 @@ postgresql:
     misskey_misskey: ENC[AES256_GCM,data:MSDbQffk/WjZ6EYiwVuUMdhdv9VE59ZM7t4XldOKRO0=,iv:J/x9t4Pk5zi7Av9fbzxgAbbtbEUZttSx/JGRmmgmvE4=,tag:CwFR9K++T7YqYR932z3IAg==,type:str]
 redis:
     misskey-misskey: ENC[AES256_GCM,data:vcvQ/hs/F3BZd1sfvWwfEeB8vVoqdnprxobcmL6xsmg=,iv:S32yrjrjj56HbxTlfFGjOb+sO2M9KKEDEazCrpQWj6Q=,tag:iwnvqwQEdd6jicx9jJBdbg==,type:str]
-wireguard: ENC[AES256_GCM,data:9QoVM69efr3+UGEo/GPY6IBBxfcqE+3erRTrqSdeTf4XziVMlzWTMdhV9jU=,iv:3abQtZ8cpejqXsJPx6SvSS2cXAKMDkEKEhl9LE319RQ=,tag:1uBPK/0VLPPMzj4rl+iQMQ==,type:str]
 mariadb:
     slurm: ENC[AES256_GCM,data:fGvNMmqk7Cee28VJ1QoBVrBbgIUbj/F1W0SRjdP8N4K/M8Wx4AVm1kAr0IAhPWyDLXlIjM1NUvuEV5BpYDBdjg==,iv:rFTMJ4x2kgENQUA8ftSaLjdOc25i5mWR3UYbdq54vjs=,tag:6feD0eCSv7bcHWBveLNJwg==,type:str]
 nix:
     remote: ENC[AES256_GCM,data:uosYkxTCB0wiY+Uufk//OcBZFN3EzbZoQGZ95M9eZMjQ5AobAZqosi4laE+EMcZL1CqYqlWXaSoEUOB8biUaZPseo+1AX1TlmUgZ7QpkfOX0VKZu01C6C+lVyqVqMFq6z1BFyX/oeITMIfnd4a/2KwJCHLAZ4hMkJ5p+aJwByKGa3N/2m41HH/1S3z7pYQWj7YJxunTPPG6WNSiRncQki11rvmddwnXmsBF89+jW1Phge8U295haC57T5oIGPxR645IeTK4ZUlL8eVuZ+BhsnwbkYcaxvjSwe+DOIVPupR8GW+gis7KxwE89kqvnQhinamexcPUz4lGHlqO/Xn6jrJx6T/wXF+19epAzeHapYte3dTWNsdPwPLPJihT16YT5fwrLnH3zq8kexWz1crmnCGUoaBs4S2tHWHLgv2lTv0IHLx5F6ijpDBj/Avg9YILIURzdeea+rBxdycHasUDTVlJtYKRH5J+WbAKWI+oJ5qmXjIRUYL+O9xIUfOGO+1b3xs8MYxRWuvDV2P88N8vN,iv:yQQp5wjbSVn1oia5yL7d6GF9Vo704G0iOQRGMbzQHzg=,tag:bpBag5y5n+7ojOa8QOcDvA==,type:str]
-searx:
-    secret-key: ENC[AES256_GCM,data:KhIP+Rz3rMfNgPEGTlKGvm6gl1/ZuPI=,iv:GcaLEJHKJO3n6IaeiFr9PaJ6eNx04/VjX3UgmBF429g=,tag:HkplyH9hTHUaEZ709TyitA==,type:str]
-xray-xmu-client:
-    uuid: ENC[AES256_GCM,data:XiUkReTJLAxZNWFVeD6EiOtUX5tsyPLFi6QyDBdHyB4v5/mD,iv:QppdtP2CFDEVhlrmDJKYBGc1zYGJvpGYxLfsBAMxDSI=,tag:jzMSFRit+aBzWMkaa3+5hA==,type:str]
-    cookie: ENC[AES256_GCM,data:0jqSEZloX2/c8Zg4WTKkLw==,iv:BKLm1KMoRrH0uO6hPMsv2a7sG0AwNRrdbpmABP4BszA=,tag:pBs+rQIhhNO4Qr6q1V3MUA==,type:str]
+tinc: ENC[AES256_GCM,data:qI2KAyJiC9m+IOzTQ7SFjWnjzzkxvNe6R2yxyK+C/YnEK4JdYqEETIMuqAUQxaSyHjKk9x6kDs3YPC2AyNKf+lc22YoB35Eo5ym+3+GDDPTL4wL4aI4xnGHVLH3JrSFHDyIbvu8R2NLnSy2j4O5Uj+jJmOz/b1xV8zeLbdoFwLgZCbcxvqkIwMlJdDGjAtjEb8eDkjtVzSRSPXohgYgmhxKZyA5/7c41e+/X6RIsHHeOD+Ppz5jlYAkRrsvAxGTfrMN2xTZopxc=,iv:E/8ys6ucmmaKawqrgumJdjTsC17F7Y0RgnHYfu3RIPQ=,tag:OZM/HG88gyF9TZXwHcd3nA==,type:str]
+open-webui:
+    openai: ENC[AES256_GCM,data:8CQLvoDuGtQ7PN+1SOmXF48dV/G6fDOiu6olkhSbWEjYcNO4VVmxtHw=,iv:rKBxOTB7/LXfXWVrBFBJeyn43R82oBYCxup8OzWvzKk=,tag:ByoyMizWc9Lpnt+ciYcszg==,type:str]
+    webui: ENC[AES256_GCM,data:G0fniAii8asP+NNTinHwrScrFVkFacoci6BvA24=,iv:ADQVIuf60eTDMwW7BAsfDhoTtsFKF5QDLsDkPAQxFBU=,tag:5siIJGNEa11EeHlurk1h5w==,type:str]
 sops:
     age:
         - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
@@ -36,7 +34,7 @@ sops:
             OUlxNjdQaXdXMkZ6bnV1ek4yZ2dpbkEKpKGOAxo5Eef2jtGrg4iSzmGCeg+vTgvu
             +K8b+O19MIkGMDBm6UbYUPtc/7eqoEZRiTUzNMTmfkLVS4ul5zou9A==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-08-01T07:22:50Z"
-    mac: ENC[AES256_GCM,data:f4fultak/52Gq6nn1hJJYw3AMeuR3J6gcxtPDG/WKkNV+B+gtabWp5R8J8wLWFJ4C1ZsGHDYMTvTfSUlDVdm1dGpxJtFzdfoBBdajj8s2mju6nMQUFoNFRmHDZEQBdIzfXpob1+7Rsr+bBmg7HnFvjR0ozuaQP9QHsHEZxJVbnU=,iv:xh4OIom1TFgKralXw6rrOR/1xpD5SpY2tHfJUq6v41o=,tag:0QOtWN6DcGf3/gorusbXtQ==,type:str]
+    lastmodified: "2025-12-18T13:32:13Z"
+    mac: ENC[AES256_GCM,data:iGNeV1hyiuhmLApu9o0IA75+oNJPp5I9ehTEdcVIyNQfKLeUbzcxz3tiKQNxxDy15vjtpBb/SicgSF60i6k54Y7KRRFadlRQ6erqZRj/6XlLqGwW0EKxN1EEEG9QNqMt6smA0WsdaoInmWWalaC14P55toU6LKbL05hSfSwtbXo=,iv:WEMF3u/8LwlIG5tAf25mM5IX7KHHXNpuhDxVzIAmZmU=,tag:PJc4r6b8ppQg/rcXsoDDpA==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    version: 3.11.0

devices/r2s/default.nix

@@ -12,7 +12,13 @@ inputs:
           mount.btrfs."/dev/disk/by-partlabel/r2s-root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
           swap = [ "/nix/swap/swap" ];
         };
-        network = {};
+        # uboot 起始位置 0x8000 字节，这个地方还在分区表内部；除此以外还需要预留一些空间，预留32M足够。
+        uboot.buildArgs =
+        {
+          defconfig = "nanopi-r2s-rk3328_defconfig";
+          filesToInstall = [ "u-boot-rockchip.bin" ];
+          env.BL31 = "${inputs.pkgs.armTrustedFirmwareRK3328}/bl31.elf";
+        };
       };
       services =
       {

devices/srv1/default.nix

@@ -59,8 +59,10 @@ inputs:
             { name = "n1"; mpiThreads = 8; openmpThreads = 4; }
           ];
         };
+        mariadb.mountFrom = "nodatacow";
+        xray.client.xray.serverName = "xserver2.vps9.chn.moe";
       };
-      packages = { vasp = {}; lumerical = {}; };
+      packages.vasp = {};
       user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" "GROUPIII-1" "GROUPIII-2" "GROUPIII-3" "zgq" ];
     };
   };

devices/srv1/node0/default.nix

@@ -8,7 +8,7 @@ inputs:
       system =
       {
         nixpkgs.march = "cascadelake";
-        network =
+        network.settings =
         {
           static =
           {
@@ -19,16 +19,7 @@ inputs:
           trust = [ "eno146" ];
         };
       };
-      services =
-      {
-        sshd.motd = true;
-        xray.client.dnsmasq.extraInterfaces = [ "eno146" ];
-        beesd."/" = { hashTableSizeMB = 128; threads = 4; };
-        xrdp = { enable = true; hostname = [ "srv1.chn.moe" ]; };
-        samba = { hostsAllowed = ""; shares = { home.path = "/home"; root.path = "/"; }; };
-      };
-      packages.packages._prebuildPackages =
-        [ inputs.topInputs.self.nixosConfigurations.srv1-node1.pkgs.localPackages.vasp.intel ];
+      services = { sshd.motd = true; beesd."/" = { hashTableSizeMB = 128; threads = 4; }; };
     };
   };
 }

devices/srv1/node0/secrets.yaml

@@ -1,13 +1,9 @@
-wireguard: ENC[AES256_GCM,data:B5YdOhpXruQY1Hqb7hpIyPZinSNG+Ub/jE2/hiwZT2WCHjT6Ujz/W8eKbuk=,iv:XcfZb34SjYEsxvo6HEGCd7wy0dsrNIEJ0bORznZZceA=,tag:uFlbepSwch2wJCRITlVNTA==,type:str]
 xray-client:
     uuid: ENC[AES256_GCM,data:6JzTyJ+GVzLd0jWfvCc2dBdBVWz6RFH/8Gr73TNz6dNCyQjG,iv:ddGpYbIHN9PV3w6Oh65vEvv82jTChxgMdltIRPz++DY=,tag:nbFFk3S/y0hS3NFWGLPVJQ==,type:str]
 mariadb:
     slurm: ENC[AES256_GCM,data:IoRiruMV+bdf4qTSQBy9Npoyf1R0HkTdvxZShcSlvxlz7uKujWnlH4fc5eR6yytHcEZ9uPLib9XbGojUQOFERA==,iv:E0ac0DyhplaHEc2WmcXY0Fjpkt/pnY9PaATe0idqCRA=,tag:Vo/DBIUO6DBFCXQ1RLrchg==,type:str]
+tinc: ENC[AES256_GCM,data:tQLfvn0hrvdMx1WjWreSU7PwWhLFE6cyesc8EATRG/HiXOdmOo1Yx3n9VNywmzSdj+zKXcagnsRLX7/MsFJqnifNZ+2+L1+eMkSmP+J/ia3gwsJuLmh3Knn74d1njya59lJvSlGLJGtxbRdzd/Jx3cSbOVRAvOjLiYI+OjXgmoio8EmvL9XizVcFyOeNTG9IETSjygmCg1r99Mss0aBfWl7aTQmk1WHeEZFauS1PF9lrtEjoB2GeRGIEshW2ruecM3irDhxFNS4=,iv:SjUiLHoh3dvoT/fOuwKUSKvIm71ptZH6h0HQeNw5Lgc=,tag:/wW+LdccRODyZ0QTnxvW8g==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
     age:
         - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
           enc: |
@@ -27,8 +23,7 @@ sops:
             OThDMWRsWnVTbzRGTTZqSDBkNWZJMlEKdQ/ipO7O5OvaGa81c2P7fi1ncufueSzX
             2njlHHz1gJCtjpktYaVvS6KSYtJoI9oNrF0YN5D/3kKW8TicsSGKaA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-04-10T10:44:35Z"
-    mac: ENC[AES256_GCM,data:lfckL0SJXq+eY3d9SUHihE4Alp6VAI7ugoQygMsphi91yvmAZ1YBbrTVxjzQpL1dT+7zhOhzE2dTqCLXUl1gjbYYo1S6zco73EdU4k/AX3LEAhCJCxG1LVvN/Kf+XoMSauFM7z+E8zZJCvT9/Jijxy/Ty/XBoP9z7gmpQSuRntI=,iv:5hVa0bsv3B9/I+BSxNYOYHFRnM3BfP8GvhlM65lWLFo=,tag:gs2NOe7h6AqYbmCBUMd9FA==,type:str]
-    pgp: []
+    lastmodified: "2025-10-12T08:54:25Z"
+    mac: ENC[AES256_GCM,data:FqqrUai8MNxO6gPQnRNqoROdQPiPnh42ixQgkWJxeBK3dnvNGCNAWtfUopnup6Qo0TcmAEQ38rmYFZbGlFLKMon0atov3tFmyvIAbOhHDnWxp+bTGDJJjw9Xs3vd4Yukd2ag2cgyS5hV9xO0N825oT3mzJFo6g8CukBLF3BH+kQ=,iv:3sfhIcSNVZsPw3tbyOjNi04NWpV+Nunx4i8d/RIsXtE=,tag:03Kx+HQ4uSR5QxBlBqc9Dw==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.9.2
+    version: 3.10.2

devices/srv1/node1/default.nix

@@ -7,10 +7,9 @@ inputs:
       system =
       {
         nixpkgs.march = "broadwell";
-        network =
+        network.settings =
         {
-          static.eno2 =
-            { ip = "192.168.178.2"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; };
+          static.eno2 = { ip = "192.168.178.2"; mask = 24; gateway = "192.168.178.1"; };
           trust = [ "eno2" ];
         };
       };

devices/srv1/node1/secrets.yaml

@@ -1,9 +1,7 @@
-wireguard: ENC[AES256_GCM,data:D4ukKVu4yn3hS3AZJqt3XTgZNbt44Vyiu6I5lCNw9c/VEqXBx3GDlKdcVPY=,iv:S1S0sU0vQcTahFI+GyBz1n/0LVsK3ImFDuLtuQxmgik=,tag:oZ1NWOCcsRb+kjfq/LcL2w==,type:str]
+tinc: ENC[AES256_GCM,data:s/mcjWKxEp8f6OgAUqkHg8IHA/coBtht20pqSdwGp9OBRta64xyzszeS6o8uW1cV65vm1qQR9XkC7nmBx7F9RAZpMwEYh3anAfzWvL1dd6nNl9NLaz9eqrRGJJH4lyMAmErQRF6epEe2Z0kfs3icsZJ3p8rmWSHjIETFR+pQvepTzLXfz7mi3EftqFxK6o5LXe6t2df7PD5q7x8loB7eu4Qyh14NrklgMifmGoNBsGdIBAiqbZ+3xMt2VgEk4wc7X2ZmBJFx19U=,iv:343e5eRAGxwhb4ITadyKJOcvCnLp5emgz737kBmYlig=,tag:O/cwMZJofSKxMhzFMBV+Mg==,type:str]
+xray-client:
+    uuid: ENC[AES256_GCM,data:UxZlTqBDV5K3ywwERYYmW3ymTnioFQ7XS22I8ab5mdeI1TnD,iv:YR+07MWd5E97lz5iwMWjBLhd1tP0okhnodnmbWCVWxo=,tag:97EOKuBMdEm3ffdQuphMww==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
     age:
         - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
           enc: |
@@ -23,8 +21,7 @@ sops:
             cWpEMWU1TjZKbnFTWm4xY2QwdWx3aFkK0O6p2piq8RKOcSTT49i0pnlt+gOk+QMF
             r+EJU0zobWwe3PrDg8jjw5HpMxrpDzHcD0XMnVQW0Fd9pn6n4VfpUw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-04-16T05:03:27Z"
-    mac: ENC[AES256_GCM,data:13eXFmTRo9lZvQ3+iApHuei5r/OCSCs2gxqEe3nmavQgq1kQXKcD+4ciS/Shd9CJFZrjAu9oRByu5ZeZOnj11u6z3EmnXIwHptMEZe+N6r+Z2uKcBUa/TSJBnYcCrMQ1NM16GXRTi1bwpx4iT4v377lgd1orCa5C10iD6W3/9b0=,iv:FBGi1hSAu0Bz5NKz4mixfbUXbjI725RHccmEO4/jumo=,tag:vCHzTsTV7kJKNapFTxS55A==,type:str]
-    pgp: []
+    lastmodified: "2025-11-16T03:16:01Z"
+    mac: ENC[AES256_GCM,data:IRQxlKzSfCkAYESUDAgmkMAzhOiaqBBQC8ZniMKPM/11VlHGQpV89qB1NDSisdrCqFi9Iu4/iG6g6W/mc39x/V5MLdrQO9G3cGm568KWzh3rBZmD0wlkuCzQP1phFJpeLpg1BLWLn4i0nIWE/ER77pVtV/iA/vOWj0lmDb+GWvg=,iv:AmH3GJjPw9QMa+1utaXkqIfNuXI2qPXUrEVwPF3u1Io=,tag:fe2RiW1r2TAyftPcsuvowQ==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.9.2
+    version: 3.10.2

devices/srv1/node2/default.nix

@@ -7,11 +7,11 @@ inputs:
       system =
       {
         nixpkgs.march = "broadwell";
-        network =
+        network.settings =
         {
           static =
           {
-            br0 = { ip = "192.168.1.12"; mask = 24; gateway = "192.168.1.1"; dns = "192.168.1.1"; };
+            br0 = { ip = "192.168.1.12"; mask = 24; gateway = "192.168.1.1"; };
             eno2 = { ip = "192.168.178.3"; mask = 24; };
           };
           trust = [ "eno2" ];
@@ -22,7 +22,6 @@ inputs:
       };
       services =
       {
-        xray.client = {};
         beesd."/".threads = 4;
         kvm.nodatacow = true;
       };

devices/srv1/node2/secrets.yaml

@@ -1,11 +1,7 @@
 xray-client:
     uuid: ENC[AES256_GCM,data:U+unsiKt9vNo/EXEpLHR0Ny3DxQEwx7a40KmwZDZki7RQEuM,iv:7w90HNM5lfh2VY20AcUEVdu5X2uxqXxR0hARncmMR60=,tag:xIbKc+9SF5LP/tY/XoGYxA==,type:str]
-wireguard: ENC[AES256_GCM,data:xoIm26btEBuHjgcIrB8gRHAaEdBq3/E5XtoF0YPxnSHB7k3GWJfAxeL4vrw=,iv:HuOFNUgGROF97beF6C4amspd+NV/2uO6OihNMz23hSY=,tag:YJjFM8mqYOuJEulpVHt8FA==,type:str]
+tinc: ENC[AES256_GCM,data:vDPVgWBFmzDvF98/oJvJ6Yj0rDkkTJGYYRJrLY454fzg4EOyGe4FwR1GgHqFeHo6e1Tk76K3odGiUGyOcWOtTCbEKKIli76/P9KCAY6sItTwc1xsPw540vIZXqFv0/lNladhgGznXKMQ4U9bzKuM+KcxmLlTE2QGJAhPeFox7OQmSYba3ww24+XXJaGWL1fZZaLFABZ56bTggNmY2z+orThg2i5yMrO5TjaGXMcFsFJg7A6HzDCv1TuBNRPTMeiWTYqSDFQGUcU=,iv:T25lfAmdpPz+mWJEPu/NK/2PFFP6jfphYTijjEg5o7Q=,tag:oTNOi81SZnsDEjZVTngoQw==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
     age:
         - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
           enc: |
@@ -25,8 +21,7 @@ sops:
             MVU1UW9lWFJnSTE2aC9ZL0huYURUK3MK5U4cLWRMm+FFo8ATE/OoAcHzYHFMpOtV
             Q5kbq5PDMdp4qvoM3T4kLsB34oU55HjFvac0pilOhNRrz4xRMQgvoQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-04-16T05:04:26Z"
-    mac: ENC[AES256_GCM,data:JlAgVoTpT6NRT1gvYQre6N8PzHLxbC9z1E42OM40Qs/nhcjYnsRNPiUEvSUClgx+B2G99S/b9R/wQqovBQFtdRDdlCMhz0ZVgLe48ak74EOYn6fwXy37amXP6doW86wS/N2fQeKhyMiJPHurRGamm+jsUUALohx6p1zm47NWL0c=,iv:oQV5be92oyOj0h6IrEY70VfoJYqEFVMtI0PYEALIXfo=,tag:WlH+fTUlPynhupXpBvdl+g==,type:str]
-    pgp: []
+    lastmodified: "2025-10-12T08:54:06Z"
+    mac: ENC[AES256_GCM,data:XUduuj65erI3cgddmtVLy5PnVPzqMk5y6ikpE38G+QwN+/ZdS5ZQ/FD/BWnXFohH6gk/ClBhS6EJO3G4e1J0yI1HngHjy6SN8Hpe9EmfxrQEyyEGb4/NS0vk0iMDr76nqlb7+dBreYdte/VQakOxvPHlMWYPZZ6oQvfx9k+Vsz8=,iv:uUiaNgfvKz1+5d0GHVFWEeAMM4kBKGON3xmTq8XDVeU=,tag:/3T1+DQHUWuONNBPFavIPQ==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.9.2
+    version: 3.10.2

devices/srv2/default.nix

@@ -12,8 +12,6 @@ inputs:
           vfat."/dev/disk/by-partlabel/${clusterName}-${nodeName}-boot" = "/boot";
           btrfs."/dev/disk/by-partlabel/${clusterName}-${nodeName}-root1" =
             { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
-          nfs."${inputs.topInputs.self.config.dns."chn.moe".getAddress "wg1.pc"}:/" =
-            { mountPoint = "/nix/remote/pc"; hard = false; };
         };
         nixpkgs.cuda.capabilities =
         [
@@ -21,6 +19,8 @@ inputs:
           "6.1"
           # 2080 Ti
           "7.5"
+          # A30
+          "8.0"
           # 3090
           "8.6"
           # 4090
@@ -40,46 +40,57 @@ inputs:
             srv2-node0 =
             {
               name = "n0"; address = "192.168.178.1";
-              cpu = { sockets = 2; cores = 22; threads = 2; };
-              memoryGB = 240;
-              gpus."4090" = 1;
-            };
-            srv2-node1 =
-            {
-              name = "n1"; address = "192.168.178.2";
               cpu = { sockets = 2; cores = 8; threads = 2; };
               memoryGB = 80;
               gpus = { "3090" = 1; "4090" = 1; };
             };
+            srv2-node1 =
+            {
+              name = "n1"; address = "192.168.178.2";
+              cpu = { sockets = 2; cores = 22; threads = 2; };
+              memoryGB = 240;
+              gpus."4090" = 1;
+            };
+            srv2-node2 =
+            {
+              name = "n2"; address = "192.168.178.3";
+              cpu = { sockets = 2; cores = 28; threads = 2; };
+              memoryGB = 496;
+              gpus.a30 = 2;
+            };
           };
           partitions =
           {
-            all = [ "srv2-node0" "srv2-node1" ];
+            all = [ "srv2-node0" "srv2-node1" "srv2-node2" ];
             n0 = [ "srv2-node0" ];
             n1 = [ "srv2-node1" ];
+            n2 = [ "srv2-node2" ];
           };
           defaultPartition = "all";
           tui =
           {
             cpuQueues =
             [
-              { name = "n0"; mpiThreads = 8; openmpThreads = 5; memoryGB = 216; allocateCpus = 43; }
-              { name = "n1"; mpiThreads = 4; openmpThreads = 3; memoryGB = 32; allocateCpus = 12; }
+              { name = "n1"; mpiThreads = 8; openmpThreads = 5; memoryGB = 208; allocateCpus = 43; }
+              { name = "n2"; mpiThreads = 8; openmpThreads = 6; memoryGB = 432; allocateCpus = 54; }
             ];
             gpuQueues =
             [
-              { name = "all"; gpuIds = [ "4090" "3090" ]; }
-              { name = "n0"; gpuIds = [ "4090" ]; }
-              { name = "n1"; gpuIds = [ "3090" "4090" ]; }
+              { name = "all"; gpuIds = [ "3090" "4090" "a30" ]; }
+              { name = "n0"; gpuIds = [ "3090" "4090" ]; }
+              { name = "n1"; gpuIds = [ "4090" ]; }
+              { name = "n2"; gpuIds = [ "a30" ]; }
             ];
           };
+          timeLimit = "48:00:00";
         };
+        xray.client.xray.serverName = "xserver2.vps9.chn.moe";
       };
-      packages.vasp = {};
+      packages = { vasp = {}; lumerical = {}; };
       user.users =
       [
         # 组内
-        "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" "qmx"
+        "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" "qmx" "xly"
         # 组外
         "yxf" # 小芳同志
         "hss" # 还没见到本人
@@ -87,6 +98,10 @@ inputs:
         "zqq" # 庄芹芹
         "zgq" # 希望能接好班
         "lly" # 这谁？
+        "ccy" # 陈超业
+        "twr" # 唐文睿，吴猛的学生
+        "lsp" # 李书平的不知道哪个学生要用
+        "stq" # 孙天骐
       ];
     };
   };

devices/srv2/node0/default.nix

@@ -7,28 +7,29 @@ inputs:
       model.cluster.nodeType = "master";
       system =
       {
-        nixpkgs.march = "skylake";
-        network =
+        nixpkgs.march = "znver3";
+        network.settings =
         {
-          static.eno2 = { ip = "192.168.178.1"; mask = 24; };
-          masquerade = [ "eno2" ];
-          trust = [ "eno2" ];
+          static.enp58s0 = { ip = "192.168.178.1"; mask = 24; };
+          trust = [ "enp58s0" ];
+          masquerade = [ "enp58s0" ];
         };
-        nix.remote.slave = {};
-        fileSystems.swap = [ "/dev/disk/by-partlabel/srv2-node0-swap" ];
+        fileSystems =
+        {
+          swap = [ "/dev/disk/by-partlabel/srv2-node0-swap" ];
+          rollingRootfs.waitDevices = builtins.map (n: "/dev/disk/by-partlabel/srv2-node0-root${builtins.toString n}")
+            (builtins.genList (n: n + 2) 3);
+        };
+        kernel.patches = [ "btrfs" ];
       };
       services =
       {
-        xray.client = { dnsmasq = { extraInterfaces = [ "eno2" ]; hosts."hpc.xmu.edu.cn" = "121.192.191.11"; }; };
-        beesd."/" = { hashTableSizeMB = 16 * 128; loadAverage = 8; };
-        xrdp = { enable = true; hostname = [ "srv2.chn.moe" ]; };
-        samba = { hostsAllowed = ""; shares = { home.path = "/home"; root.path = "/"; }; };
-        groupshare = {};
+        beesd."/".hashTableSizeMB = 10 * 128;
         hpcstat = {};
-        ollama = {};
         sshd = { groupBanner = true; motd = true; };
-        speedtest = {};
+        lumericalLicenseManager.macAddress = "04:42:1a:26:0c:07";
       };
     };
+    services.hardware.bolt.enable = true;
   };
 }

devices/srv2/node0/secrets.yaml

@@ -1,34 +1,31 @@
 xray-client:
     uuid: ENC[AES256_GCM,data:j2R0UtfS/es2A+Ic+Kq6FZJSqXlA/Q8tGkuAIX0ZdTsV4hGk,iv:Ovpr49isIJRdUyM3jxgiT+9Sc+qTF6ZnkKUwxIq6KUs=,tag:2VRSkiPNWaOmCqLJti8Bzw==,type:str]
-wireguard: ENC[AES256_GCM,data:TEi3LAZA0BaPxeXA1yFMD6fQPRKSndVyAzNycCD/5CYXmNVyO7zv4o23ahg=,iv:tEKFPyuqmpsWf0vDoSaw4Ai6S5DzacZFA4otNgnknxY=,tag:qZJzr/Yyoex2hDfVtT6nYA==,type:str]
 mariadb:
     slurm: ENC[AES256_GCM,data:9wLQ1zF/kDaiw0s3UaRpiHgmngU7u6hwyqpddSjev0+Z0v58Q2oiJtK8vn+2VlSxx5ACfqEFbzp0PZYAxd575w==,iv:q9JTkgDymOwkbZ/PaxRAAQrtO96QmGgZcQuLTFCMoS4=,tag:dwOHlOTgZqT/1jQ+oGf7UQ==,type:str]
 hpcstat:
     key: ENC[AES256_GCM,data:+Z7MRDkLLdUqDwMrkafFKkBjeCkw+zgRoAoiVEwrr+LY0uMeW8nNYoaYrfz6Ig8CMCDgX3n/DMb0ibUeN32j3HShQIStbtUxRPGpQMyH+ealbvgskGriTFpST4VPyQxNACkUpq/e+sh2CmLbKkSxhamkjKOXwsfqrBlgVbEkp7u7HkWGuAaYL1oPGt0Q94fWXwH0UVhRYZYQ2iFA/S6SEZY8gxaTIGDKUdWU9+fOHzPQ5WfhxtKYU4p4ydyfYsAt6ffqnPSx/SI72GsUCOJ4981JX8TuvnEzx3gQLVFYheK6NibTWCy6eODbvguieVOTHSvCPTrHmoP12lHVWU2kKzLwv70Jl7sXyzKHYROG0D+/z/4DKlNeotKM/IA0q2cST08/lwSKN7WDDmrt+O6xXhvwby28ZYKEsSvvrfV+VIKzHPl84ZKbUEX5xv/GHc3THfznUvKKz5PzDiqrkjCkEt5PRMsVW9A6MU1+QEUr+sXLLtcUd2CCL87c8CpwNHJx1us6vJ4ji1gu0PGoT+60,iv:yU6j9W2Hs2D34uHMJqqPFbNy2pNEZY2kzXoNdhPMSmA=,tag:TNvEfMVrhu7HrNxY8qe5mg==,type:str]
-wireless:
-    #ENC[AES256_GCM,data:n9OPSJsB7yNk,iv:xQzKJxqPB7uT83m/B4UoOje6NQbPLhuHR7Hp93oNz8A=,tag:gtsTx6ALnS/7fIDd7VimOg==,type:comment]
-    409的5G: ENC[AES256_GCM,data:K9wm3zedoil7jHgTcb+VmbdbkG2dgrMdr3BmDRUHDVADqLANMvnUMSecggYTO4HaiI9q6uv2/BSkluanD5K4Dw==,iv:7dGET3ULKlnaDMVmkuXDek+hQPLZ2VUbPqvEOX+5jlQ=,tag:MBGmQ0NNNqX+T9EsBiWCaw==,type:str]
+tinc: ENC[AES256_GCM,data:9S3QK3lLT59GNhppHc1IoC7bN0mntbcQIZmVjtxOpQxzJDJQ63jBCfoupyfjmW3JCpWSWtelZ58VPeTOHZ6NXr2xJMitvqGAiJzsd9ZGYvlv6+OR2swXVyDMBhcQpU+1ui/5zEPFDWIxRMIoIJL3VO9la6gxHQY1st5p2REh3VpSu0R/b1ormlmSPyRtjCS4LlGpXF8FnHilE9wOLm6AhtGhq5nAHAwPCj/gVpDNI0Y+88shBbNTRG4ucXsEX3S/+IgDLElB7nE=,iv:nEa5NMxfi9rc194TMEldAw1E7Bw24qM5htVUerd1nNU=,tag:A8GB/LFeBNyAq7MfpSFaQw==,type:str]
 sops:
     age:
         - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0Rmc2Ull1WFB4Smh3c0Zl
-            emlTNGJKZkpIK2JFeUNVeUcrR2FzRXRQZHlvCkhzMHpzYmZRZ0M0cXdRVi8wZmp6
-            ZDRZQ2FkOWt6M0lrdjBHa3VTWXBDKzgKLS0tIGtJbTRRelg1VVk2QStwdzlFM1g4
-            M1JOd1g3cVdjUFRhZ0FxcWphZXZJbkkKFXDtJVoi+qIrXp6cznevuZ+peBiRRITP
-            rrplqLiYsNIGKmKYtRIUu8WXDZ2q2CJ8Z+pka3W3H/U+m957hBDWyw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuMmhpYzZ4eDJuWHlJMkZW
+            S2RZcXorSm1PeVdGdjBlekxuTTh2c0Z3OFI4CkU3K3FjdlhnMWpYRUI2Q0w4bFV1
+            bkQyOXVKdHlMRUJrMEdlTG1KMUREK2MKLS0tIEhhd1Zib3I5cW9ZODh1bmcrcTR2
+            SHdEbGcwaFhrMG83R213cjVzb25XUHcKcxYocTTMZw1V3o9pA1wAzmoHsMCmyMUh
+            Kk5PaZ9vF5IDL2H7f+OI1G6C1tJmgMWWbBh9xcSNv+qF/ydDuo4UIQ==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age1l4stuz0vr7gs7pqwjrmezam44702jp2vmqaqyxw0l0r42kf9updq4dfhrw
+        - recipient: age1hnarptkze0ujpp05dqr8uma04cxg9zqcx68qgpks5uf5l6rpk5gqhh8wxg
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsSHdka3FPQUYrcXQzcTFo
-            a000TUllT0MvUzk5ZzVFbXZheG9ZVTM2S253CkE5VW9tQktvL2pMWFoxcnFjTGpr
-            Z0p1RjZWRGpSZ01TdTZRcEJXM2NOUkUKLS0tIC9rNmNzWitMdEd5dXQvdWlELzhM
-            M0xoL1dQR0kvMWpzN0RMNWVCTFQxNFUKj9LPjBo5NGOrGYNvu8qZ13PLYjLEWllU
-            LARzEn4XgkeHckouwvxZYMCx7WxmAruRWaOvnxTIczzSNP7wIrqnkA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwZ0EyWGMxdEo1RUE3L3VU
+            ZVluRXlKcHRoOWI3bmRSbmNqcFlpUlZ5YjFnCmJQclRtdm5CYWxvY3VUSUxIaGRy
+            aElNUXAyYklnS2Z5SkVNR1JXRzg4RU0KLS0tIGVPQ2J0WjkwUWpoa2Z1WWNCTUJG
+            b3JKVnp1ZnRLcE9ocU9McVM3M3d4UjAKdu8xipFbNbIoYEcatUAUFe36CzP2E2HI
+            VSfPQWmRmb3/jF22b6Oy2B1DmDDvJ8T6+zUcp8J6C4Mln9oZj6dAZw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-07-12T04:13:47Z"
-    mac: ENC[AES256_GCM,data:W+e5d1scvV24AdVdl7Pisp9HxsXQ/tPjN2NV/Bd0RXZNBRB7LNQrSfk1GadboBnihW0ctAQOFk66PZsxwE2czfFL2/yzFxm9Cf11Mc822ZL3BwjnQBK4uR9LJrbjL7x1lFUk9v0AIPhjrir8F6dcX8mq6++hHNN0wjGaH3J9E0Y=,iv:RK7e4Dxog+Qsgk6gxK0f8PN8oF9bjWIrTyYK67Cdras=,tag:QSKsETYXbhnvhhjavP4UiA==,type:str]
+    lastmodified: "2025-10-27T06:32:42Z"
+    mac: ENC[AES256_GCM,data:x3Eod0i1X8/xee1DpHMzAqqEi4RruA+s1yrqOcH5xdWBZf3aosXGHvR/4+ev6enZ+HsuUOfN9dtfP5vMFSJXott+5tgXDL1hnk9x35dvMjRs1Q7VnOj20nWT/JUziz/2QgZQ5Y4Tfi3wq127GvITFn574LBKS76TqpLkSH+GUsQ=,iv:cxLYUKjJSJD6IigpmWZwcQNNolIYU9K0Go6WbewmJMU=,tag:lqC882yz/E4BvO4y9yz/yw==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2

devices/srv2/node1/default.nix

@@ -6,17 +6,16 @@ inputs:
     {
       system =
       {
-        nixpkgs.march = "znver3";
-        network =
-        {
-          static.enp58s0 =
-            { ip = "192.168.178.2"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; };
-          trust = [ "enp58s0" ];
-        };
+        nixpkgs.march = "skylake";
+        network.settings =
+          { static.eno2 = { ip = "192.168.178.2"; mask = 24; gateway = "192.168.178.1"; }; trust = [ "eno2" ]; };
         fileSystems.swap = [ "/nix/swap/swap" ];
       };
-      services.beesd."/".hashTableSizeMB = 64;
+      services =
+      {
+        beesd."/" = {};
+        lumericalLicenseManager.macAddress = "70:20:84:09:a3:52";
+      };
     };
-    services.hardware.bolt.enable = true;
   };
 }

devices/srv2/node1/secrets.yaml

@@ -1,30 +1,27 @@
-wireguard: ENC[AES256_GCM,data:zfyNpCZ2EhQdsz+/vknjtbT1vMLebil1tarIcxLoUQ3J5XOKTCQBay4jBL8=,iv:tF6I5HHhDMfoGAfrtkmvrlqsSpX9YZL8dtzxAgBCp5c=,tag:DeOFwrIGbwVtf42iO1dm6g==,type:str]
+tinc: ENC[AES256_GCM,data:0fOvjy/b+87HS+bcNENY3jfxcxMLcjeQh/hT5HIUG2aCiTLbsmlqXTR9j18ZwcKAAEbzzDSonpPmQv/kGeMyvk9B4Q0En8FSdBaW5y5HQVLf32KlSoq8+MBRPTQREcHHMDZ/tQw02aAdq0jvYpHnFIKiqOZFfGhKo2oS12wxlR33n+zwqwyBu5quN0ynbwG+BMZua9uJrlsfFe8ttu5BHzl5xdCTVzmJ7vV7H1K7lJBwlDF62Rn6zsQV2uGaUew1ScephX/KC40=,iv:eA6YLGY+d4BldBAsqFsrrUiTY3Xa7eJ687C3gS7ofG0=,tag:40QXjFYc0ht7/OuIPDo1Wg==,type:str]
+xray-client:
+    uuid: ENC[AES256_GCM,data:i87JKtJD5CEcGioPILKgJKyDpBX/o56XFBwD8WCBfpoevt6F,iv:KMtg7KqO5q+SYossPyE7tF74vZ3yg8v3u+Q8F63hvxw=,tag:10VBfnyAfB5NkdL9GAX66g==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
     age:
         - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBndWFBbXpxRlI3bmc2VFJD
-            Y2hLK1RobnBYVEd1SXpiYXc5Wk1Ia09UUWgwCjE2WVZySnhXNzBtNGdJak9lbjE4
-            dEp6NnNQc0dNNDZsb3Z4ek9zVk4xeDAKLS0tIGVLdDBxOVZ2ek1MN0MwTTlwZTh4
-            T2VSaWx3UkxpZ2d6NC84djNpbGZUYUUKJHx6GZcnJpSoPE0HFvU+B4CsNtrcg8lx
-            LGaLYmciM87kXY1enOEzDk6px9GX9hFy6/73XBJVrIU0OC/w671vHw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByTzUvZG5PRzNzZGxTZkhm
+            N0hDdlp5S1p4aXFFUEc1d2RoUnVEOER0R0Q4CmpSTjFVa1FDQTYramRuS1k1WUFl
+            VlBCVFBleU4wZXA2ZFo1aEplMDl0Y2sKLS0tIEdmcnlNWnZtL2NhVU91S1ZaK3NY
+            b2R0MHI3aDNvUEc0TVRqM3BjOGRrSHMKD2SxfcKoxeuzF0spG3qt/q4D07JKK54o
+            +lgLCs+0A2cCHebxbeFPSRpd0kK1fY9O8yUmMPB8Y690mQPaNXOSQA==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age1hnarptkze0ujpp05dqr8uma04cxg9zqcx68qgpks5uf5l6rpk5gqhh8wxg
+        - recipient: age1l4stuz0vr7gs7pqwjrmezam44702jp2vmqaqyxw0l0r42kf9updq4dfhrw
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiUHUrcnoySm9CcVJCdXRk
-            YmRzQ25mOFJBQjFtS01VWkxUTUU5WUI5WUdJCktLSFM3ZWl6N3ZUaTVpdWdNU09y
-            RTFCczNTeHNhYzNmbWtjNTdOMW9ITnMKLS0tIHFNT3JCbFB6K0FodTJrS3FtRGVq
-            c0I4VUdiZytoQWRsUUhBVStDR2VPT3MKDkDQ3sKJjotYUfoBWF85t3LYtz1OVFws
-            2IdtJBHISb5j3xnAs/UUHDPzjUUsgb+sTHm9krQy3LDuELNY6KGMPw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqMzZXdjhISm1ITGdKeFNn
+            eHBrVDJXVzk5a2gxT1NDYVFEKzZHSGFONEZ3CkFtekZUQ3BPQkpTUVZNVUJnSGZZ
+            dFhKaENwd2xIdTF2aExNcHloTnVlK2sKLS0tIGZOcXpEL0ZVZ3BWeVhNVnRKb1U3
+            ZU40ZzNDU29HeGtMMVhELzBGMXZZVFkK16e15tjwN12BYnGutnGBWIs2KBCkOJww
+            wdgC+3aRnGjfb0Z8Htf8qUCW5omixcbaCmMoGmGsnkx1Agfr56qQ3w==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-04-16T05:05:21Z"
-    mac: ENC[AES256_GCM,data:aPNsWBi4sm4UhX1qpk412eYNCZltKkRMWWgopZw6mjMLSOSb6E1yi8NjRJMj04RpE2XoVCkKP6R5Qo0I95wxY5qZHJuUp/5srqjAf/fHWz1QmXThogaMzM2jue7+NHUSQXrPnh0ZspXD47HyxMUOhlnewZ3EfOw7B5qKAYR1f6I=,iv:mnwtf0B7x5AbMzivg27zqIkhBdkDb5qq8eDBCGMdK0c=,tag:PCtirta++gCSsQsQo+bSmA==,type:str]
-    pgp: []
+    lastmodified: "2025-11-16T03:16:19Z"
+    mac: ENC[AES256_GCM,data:SvvHb6EPAkt96DprqDSTKIFwshSm2rxGtFmpB+q4l9ZUu1uCCVJM1Gnxaogxiwf1CAk3+I0908/vRp9rwALcyZdM47VJq4MST2FFmEYXn1109jrQCW1EgkXnMBJwP8ywe2JLlyRpPXcGJfC/HPuKMpyxts9EEk6TnEsdrEQFbwE=,iv:mb7ZqFuaq8xee2k9nw7zdW05puOuIdsTq7alkn5V6Ts=,tag:6ZsbryE20u4OEtUMVD5dDA==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.9.2
+    version: 3.10.2

devices/srv2/node2/default.nix

@@ -0,0 +1,21 @@
+inputs:
+{
+  config =
+  {
+    nixos =
+    {
+      system =
+      {
+        nixpkgs.march = "icelake-server";
+        network.settings =
+          { static.eno8303 = { ip = "192.168.178.3"; mask = 24; gateway = "192.168.178.1"; }; trust = [ "eno8303" ]; };
+        fileSystems.swap = [ "/nix/swap/swap" ];
+      };
+      services =
+      {
+        beesd."/" = {};
+        lumericalLicenseManager.macAddress = "b4:e9:b8:fc:9a:f9";
+      };
+    };
+  };
+}

devices/srv2/node2/secrets.yaml

@@ -0,0 +1,27 @@
+tinc: ENC[AES256_GCM,data:zz2sNzrCiqUvyccyhG7hzpF3E8RMdWWdIW98j4Kw8rSGZEKtSkCX/YDibTRSOIuSn/hX7P9FqKgoOgKhqQcuh2gsRjaZSbccMhc3NqOXujL5y586PD9xCk2bUXDXzmRiHx8oiB1rOO86KQovfevl0yGtfpDmkuqt14OXNXvrVoCA4ChfUVwy0Yw53JlQrXl9ZndRvP6pHN4esv9UmUxrA8b//hFyJHPzSKiIfX6NGx+htH0P5UUSxKomYNqCrrtJG9RoXSgo2Go=,iv:jy4qmcl5QDaA6ub7/vHQpgiWIFj4tw0IKxGeg40W/E0=,tag:g6+jb5fInKukYWvIekyDxw==,type:str]
+xray-client:
+    uuid: ENC[AES256_GCM,data:jPo7ixnm8KnAfdC3b02qGrts7/0nc0Ahizj0EkFa15b5zr0F,iv:S41TMqOH5mqhF36B/ouMfCjim364LeeGbDnwQYiP4Po=,tag:aoC9JOZjtbduEMFijvDprA==,type:str]
+sops:
+    age:
+        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWcEVHTVJPT3NtZGdPZDl0
+            Ui95UlU3djhwYnNuRVI2OTA1WDI4aHFGTUFjCmxGWFZWUnltbCtWbzlVUVJxVjFh
+            RFRGaHlzUkVHT3VoRWlUOFhNNW96ZUEKLS0tIDgrYkRDMEw5WnF3TEF1bWRYaWQ3
+            bWN4ZFRTcEJ4dWFObzk3ME1vRlBpOGMKnZZJT6NiUEIHemSxd1ppqTxnHRRCiO7J
+            r4smy21Et/E63WE6fvfzEltXb6Wlj+/ZUEMHUhyB6nmUa4udtTwQmg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1k2y0vm4tmf88vg6zfed8q8zv544g4u0l5ry4kmm4hmzslvj5vdxskhat2n
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5SmdEYkJneTlNY05hSVVP
+            VDlhSGpWVzBMUVVNMWMvSDhqdWNjcE92clNnCmlJd3pMTFVZQ1pwazFWK1EwUlJU
+            NWs0bE5raEpiNjRCVkRzZTRTb1M5YmcKLS0tIHd1Y0JuTVBlWlF3OER1d2F4YmVS
+            bkk0ZWpobXh5dnFteTVVamxGT1RUblkKLU7cgLazHAzsstKjMW2GvwXkfNOtPzx8
+            QKIIM0rOXYUsDUQozrxRu2SChCJ/zkAxeLm6rvD1JYVMcUfuswCRlQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-11-16T03:16:36Z"
+    mac: ENC[AES256_GCM,data:0T9DXFvsCdDibpxBVX/GIkziEf9vR6Aic1+vIZFVPUkWCBa4/X7u7NF6Aeul/oIGy8WEH6EwyvijkFiHi4gzCoqetdHGDLeYXkBxarpSgUlcvcVbgd3EHsLJ2nclK7VAgrAu9NJpuXbiLGDl3IJyuW9qK2tzc1/ZfJHglpgyEh8=,iv:90D1aDIy8pI2MzeaZ+OwmKB4r7O2O1sibg4z7gAz6rE=,tag:mjaIC40oW5JWdlUvq0Ea7w==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2

devices/srv2/secrets/munge.key

@@ -1,28 +1,27 @@
 {
 	"data": "ENC[AES256_GCM,data:Um00c+kry3QrHEZVdlUws+gGGvtPKh8WzkpT6CHL7uwHRUWc+5E0bvlwXFJTkmPdGOOV2Jx9fGvSKpQb1/MPJhMhpCAw5n69QIRjVVURZcvVVFrl+eNO2sf/h2GTFvKRAtlcNAh7cvjkpiB3r+S7mRYSI914B7w8GLTdRFvtqYo=,iv:gk7S1SiA0iBAfpXLhhPJuexolP6w1XAd8M2H+sqqmoM=,tag:O8Eoa4LjEo14H/+1W5rcgQ==,type:str]",
 	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDeDlnOGlTYlY5a2wyaUxo\nSk5uaFVQWTY1Q25ad0NkSTQ2bTZEYU5ibWg4ClpnM1NLbFArUEtndjFGamgwdDBF\nWnNMalNRWWhLL2V3S1RWRHh3MGErUUUKLS0tIGt0MGJ4SzNDTWZNUHM0djFDSjdo\nbDMvbWRDVURzQmVWdGFQeDVWQmN5Q2MKBpbH7QXL1sf0c7ix9yd2r7vEBScixvBM\nom1tHgJmwxhep7DSyvjg/xslag7U2vF69gPrcAlnAndZsLCtsYdvyw==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWam9aNkYxcEpURHI4N1lr\nOWFrUFA1a0hTUWNJM0FOMGNqT1h3d1dzRmlJCm9lOHBWRlRqY09DTW5oSmZtREtv\nUVI3aSsyWXczYmdRTG5VRWdCVFd4WEUKLS0tIGNjYmJDOVZKTjlENzFGVDJVMCtT\nWUsrRUpsM3dvQ3NkZnordnJ6djF6N1EKF53Up6zSFot6i2B+UO3H9NeFeyVA/R+X\naH9SuT+9Wox1lxDLhG/+S28tE4IyXZgbo+12sreQ3TkGslfxTwXTUA==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1l4stuz0vr7gs7pqwjrmezam44702jp2vmqaqyxw0l0r42kf9updq4dfhrw",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwa2Z5V0VPRWhYaXZ3STBa\nMWVsS01CYVBzeHM0T29pUWtQYlVyWCtheFRzCk5JYUpqN1cwWDFwUkZ2Q2xkL3U5\nRlNpMTQ2QTBQZFdYMmJIZjdnOWNjalEKLS0tIEZZREZPVmQxZ25MaHlMZ0VuWExT\nR2dJZ1lWdGt5dWNIM1FyQ2dZV0dlTTQKhUnA3pnoXb18/b/Jzyk0fC6GnmIMmYfl\nVgzCoCDSHNSvW/qUoT22hJfZCMFvIzOHEpmufMHCecZdisUozfWFuQ==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQUW1uTUpHT0dOOHIwVTQw\nU0pzUng1RGhPNXcvMU5xMlZpMTFUaTMvNEdrCjA2MEt0aGVYcEhwRm9LMFU1eFc1\nT3RVOVBvSEcrM2hCMVFQTlFCeE4zRzQKLS0tIFhKT0VOVVgwQ3VCUld4dUc0ZXB6\ncUJDQXZWbXpoQWNQTFM5TGM4VEhUajAKMab/tG8ol/s/LjT/g6q9tmL6GOkMdh5C\n9rbkUo4YhLx8ZnDGfD+kfvyr4E23E0Y5uOs4G/VFesiJwDziWchX2A==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1hnarptkze0ujpp05dqr8uma04cxg9zqcx68qgpks5uf5l6rpk5gqhh8wxg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlYnBaYmprYTIySWFnOVhk\nTThHNEptc2luWTFxSTBBMnY1Q1FkQjNBaWlBClFRbWlIdmRRVnZ0TGJVTlhNRHN0\nS1JZZnJLU2xCS3Q4ZTBDWU9ScnBtOEEKLS0tIFNCMmtDd0VJR0JucUJSZHo3dHZl\nWm9ZQ0dOamZvSTNQNW1uWW85TGxRTWMKKm7NdN69Q7F+KcR7u3kTxhQuzikGUdEZ\n8AkowBgHRndxNgdC6wYV1VeqEkDxXqR/430+EQS0jQQrIXpuXkCDkQ==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDblAwYkhXd2xJaEJQYzVx\nWmZjRXhxN1F1cDAvcTFGSW54UWs4a09yaWdrCm9iZ1NPTmN0ejJvQyt2UWhaY1BV\nUDhZWHNuWUNvVGZ4eGVNS1lnOHlnNE0KLS0tIE9OWGVRMUNObUt2alFnTmh1eEVH\nNzg3ODkzNmRYYndIK2xXR0pUWTB6Z2MKj3b0sJI7y/QhvBjQbAg6gpBFszuGUuvq\neBsTeiuXJdyZru54qOJ3k6DGAnsS8lIYptwpi2jC24ebwG3QSpGjzg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1k2y0vm4tmf88vg6zfed8q8zv544g4u0l5ry4kmm4hmzslvj5vdxskhat2n",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVTzgwUXpjM3Z1c1VvdlNL\ndTdGdDlIcCtMVHJZeGs5ZUo4L2VNMUxFakNzCloyYUFLSDFHSjVhUzRoZWlPVFdS\nMWI5eXdMdGw1d3ZwcFNiNUZkSmxuZ2sKLS0tIHdsK1oxOUVMbUNxZ0toZlRsN1N6\nMUxNeTF0L0lRc3BnUExob0ZlaExVb0kKW7zPqfYAw8/RsGNpVBFhnObjfgqgxdkC\nEVQQYduAz+FkIdsN5/rrleyacbpCrEQcSTVTXpwLopoL/ukY1i0p/A==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2024-03-09T07:59:38Z",
 		"mac": "ENC[AES256_GCM,data:zNh6Cioh4+r0+nx04yLqeQShozxl7bLLKSmwodnmHtVQVlOTjj5sDLMEAAmrj1Ym2KrBPJOgdm34Sl6AbsmiBLxzDcBKe6J68Y/LHIeaPkToRKpmoy9I9a177w0KzFXgNaU2ieH71egD+nf8JmGG61hDjpiJRpx1Lwxb16Bn+Xs=,iv:QxiUYymiGuH0EBwEhyg5gDzkSKvGhq0+0wERNEJ71UM=,tag:N1Nn9X9vrghwwJWC3kituA==,type:str]",
-		"pgp": null,
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.8.1"
 	}
-}
+}

devices/srv3/README.md

@@ -1,101 +0,0 @@
-# 定价与配置
-
-售卖两类 kvm 虚拟机。它们都按照需求的内存和硬盘定价。
-
-## 普通虚拟机
-
-* 硬盘每 10 GB 0.056 美元每月；内存每 128 MB 0.044 美元每月。每 1G 内存附带 1 核心 CPU，内存不够 1G 的给 1 核心 CPU。
-  * 例如，4C4G/100G 的配置，每月 2 美元。
-  * 这个价格相当于母鸡价格的 70% 。
-* 适合绝大多数轻度负载。不适合的情况包括：
-  * 硬盘需要禁用 CoW 以获得尽可能高的 IOPS，例如较大的、繁忙的数据库（例如大型 mastodon/misskey 实例）。
-  * 希望内存中的数据一直驻留在内存中（而不是被交换到 swap 中）。
-* **可能会超售**，但我凭良心保证，当你需要时，仍然可以占满内存和硬盘；长期占满硬盘和内存不算滥用。
-  * 前期肯定不会超售（笑死，根本没有那么多用户）。
-  * 永远不会滥售；但后期可能会视情况调整价格。如果涨价，会延迟三个月生效。如果降价则立即生效。
-  * 万一出现卖超太多了、不够用的情况，我会自掏腰包增加母鸡配置。
-* 实现细节：
-  * 硬盘会使用 raw 格式，放置在启用 CoW 的 btrfs 子卷中；不预先分配，用到时再分配。
-  * 内存会允许交换到 swap 中，并开启 KSM。
-* 限购：
-  * 每台内存不能超过 8 GB，硬盘不能超过 200 GB。有更大的需求请买下一个配置。
-  * 每个用户只能购买一台。
-  * 这个限购措施是为了防止有人和我抬杠，花 70% 的价格把整个母鸡买下来。并不是营销手段。合理需求的情况都可以谈。
-* 宿主机会自动创建快照，需要时可以回滚到几个小时或几天前的状态。
-
-## 独立虚拟机（资源独立分配）
-
-* 按照母鸡价格的 1 倍定价。也就是：硬盘每 100 GB 0.8 美元每月；每 5G 内存/2 CPU 2.5 美元每月。
-* 实现细节：
-  * 硬盘会使用 raw 格式，放置在禁用 CoW 的 btrfs 子卷中；预先分配所有容量。
-  * 内存会锁定在物理内存中。
-  * CPU 会隔离/锁定在物理 CPU 上。
-* 宿主机不会创建硬盘的快照。
-* 两类资源可以混合购买。比如可以硬盘按照独立虚拟机的价格购买，内存/CPU 按照普通虚拟机的价格购买。
-
-## 其它细节
-
-* 无论哪个方案，硬盘/内存长时间占满都不算滥用。对于第一个方案，CPU 是共享的，请不要长时间占满。
-* 暂不限制带宽，合理使用即可。
-* 默认共享 IPv4，支持端口转发（详见下文说明）。独立的 IPv4 每个每月 2 美元。
-  独立的 IPv6 免费，但暂不支持（技术上没有准备好，如果有人有需要我就去准备）。
-* 只卖朋友和朋友的朋友（总之得有人保证别拿去做坏事）。
-  若此定价对您来说仍然难以接受，可以联系我，打五折或者免费。
-* 此价格 2025 年 9 月 17 日前有效。之后大概率也不会调整，但保留调整的权利。
-* 预计收入无法覆盖成本。如果某个月的收入高于成本，承诺会将多出的部分捐出去。
-* 非 kvm 虚拟机的服务（例如，只跑一个 podman 容器，只跑某一个服务）定价私聊，大致上是上方价格再加上我的工作成本（事少的免费，事多的就要实收了）。
-* 配置随时可以调整。所以按照自己这个月够用的来就行，不需要为未来留余量。但每次调整都需要重启虚拟机。
-* 母鸡价格 40 美元每月，配置在下方列出。
-  * 机房: LAX3 （IP：srv3.chn.moe）
-  * CPU: Intel® Xeon E5-2650L v3 (12 Cores 24 Threads)
-  * Memory: 64GB ECC DDR4
-  * Storage: 1TB NVMe (可加，8 美元/TB，另有 NFS 3 美元/TB)
-  * Network: 1Gbps, 1x IPv4 (可加，2 美元/IPv4), 8TB/month
-
-# 操作
-
-我不提供网页端的控制面板（因为懒得搞，要是有人想替我搞的话那就提供）。
-
-在确认购买后，我会给你一个 VNC 端口和密码。虚拟机会首先启动到 netboot.xyz，你需要登陆 VNC 选择自己喜欢的发行版并安装。
-安装好系统之后，VNC 连接仍然可以使用，你可以使用它来重装系统等。如果你担心安全性，也可以告知我，将它关闭。
-
-此外，我还可以提供一个宿主机的账户（SSH 连接），用于强制重启虚拟机等（会做好权限的分隔的）。若有需要请告知我。
-
-# 共享 IP
-
-支持多种转发策略。
-
-* TCP/UDP 端口转发，就是最普通的转发。
-  这个方法只有一个坏处，就是多个虚拟机不能共享同一个公网 IP 的同一个端口。
-  这导致用户在访问时往往需要明确端口号而不能使用默认端口（因为默认端口已经被占用了），
-    例如需要使用 https://srv3.chn.moe:4321 而不是 https://srv3.chn.moe。
-  建议不面向普通用户的服务使用这个方法（例如，ssh，coturn，等）。
-* 利用 Nginx，根据一些信息分流再转发给虚拟机。这可以做到多个虚拟机共享同一个端口，但也有缺陷。具体来说，它有很多种方法：
-  * 依据 SNI 分流，并透明代理到虚拟机。
-    这个办法的缺点是，只支持 TLS 连接（例如 https），同时服务端看到的用户侧端口会变化（通常情况下不影响什么）。
-    只要这两个缺点不是问题，就建议用这个方法。
-  * 依据 SNI 分流，并使用代理协议（proxy protocol）转发给虚拟机。
-    相比于上一个方法，这个方法可以正确传递用户侧端口号，但需要虚拟机的服务端支持 proxy protocol。
-  * Nginx 依据 http 的 host 头分流，再发给虚拟机。
-    这个方法的缺点有很多，例如我需要修改你的域名的 DNS（用来申请证书），母鸡到虚拟机的连接不加密，只支持 http/https，等。
-    这个方法唯一的好处是，如果你不会配置 nginx，可以在宿主机上配置好，虚拟机只要跑后端的服务就行了。
-* 别转发了，直接在宿主机上处理。例如 80 到 443 的跳转。以及如果你想要 host 一个小的、不常改动的静态网站，等。
-
-# 杂项
-
-**如何调整虚拟机启动顺序（重启到 iso 而不是硬盘）？**
-
-先重启虚拟机，然后马上连接 VNC，可以看到“Tiano Core”的提示。这个提示只会停留 15 秒，所以重启虚拟机后要迅速连接 VNC。
-在这个界面按 ESC 就可以进入虚拟机的 BIOS，在这里可以修改虚拟机的一些设置（就像实体机的 BIOS 那样）。
-如果只是想临时从 ISO 启动，可以在这里选择“Boot Manager”，然后选择带 “CDROM” 那一项就可以了。
-
-**如何调整硬盘大小？**
-
-* 扩容：你需要在扩容**后**将分区和文件系统调整大（占用虚拟磁盘在末尾新增的空间）。
-* 缩容：你需要在缩容**前**将分区和文件系统调整小（在虚拟磁盘的末尾预留出要缩容的空间）。
-
-这些事情都最好你自己来做。我可以尝试帮忙，但不保证数据安全。
-
-**如何强制重启虚拟机/关机后如何开机？**
-
-登陆宿主机后，使用 `vm` 命令，不加任何参数，即可看到提示，按提示操作。

devices/srv3/default.nix

@@ -1,125 +0,0 @@
-inputs:
-{
-  config =
-  {
-    nixos =
-    {
-      model.type = "server";
-      system =
-      {
-        fileSystems =
-        {
-          mount =
-          {
-            vfat."/dev/disk/by-partlabel/srv3-boot" = "/boot";
-            btrfs."/dev/mapper/root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
-          };
-          swap = [ "/dev/mapper/swap" ];
-        };
-        nixpkgs.march = "haswell";
-        initrd.sshd = {};
-        network =
-        {
-          bridge.nixvirt.interfaces = [ "eno1" ];
-          static.nixvirt =
-          {
-            ip = "23.135.236.216";
-            mask = 24;
-            gateway = "23.135.236.1";
-            dns = "8.8.8.8";
-          };
-        };
-      };
-      services =
-      {
-        beesd."/" = { hashTableSizeMB = 128; threads = 4;};
-        sshd = {};
-        nixvirt.instance =
-        {
-          pen =
-          {
-            memory.sizeMB = 512;
-            cpu.count = 1;
-            network =
-            {
-              address = 3;
-              portForward =
-              {
-                tcp =
-                [
-                  { host = 5690; guest = 22; }
-                  { host = 5691; guest = 80; }
-                  { host = 5692; guest = 443; }
-                  { host = 22000; guest = 22000; }
-                ];
-                udp = [{ host = 22000; guest = 22000; }];
-                web = { httpsProxy = [ "natsume.nohost.me" ]; httpProxy = [ "natsume.nohost.me" ]; };
-              };
-            };
-          };
-          test =
-          {
-            owner = "chn";
-            memory.sizeMB = 4096;
-            cpu.count = 4;
-            network =
-            {
-              address = 4;
-              vnc.openFirewall = false;
-              portForward =
-              {
-                tcp = [{ host = 5693; guest = 22; }];
-                web = { httpsProxy = [ "example.chn.moe" ]; httpProxy = [ "example.chn.moe" ]; };
-              };
-            };
-          };
-          reonokiy =
-          {
-            memory.sizeMB = 4 * 1024;
-            cpu.count = 4;
-            network = { address = 5; portForward.tcp = [{ host = 5694; guest = 22; }]; };
-          };
-          yumieko =
-          {
-            memory.sizeMB = 8 * 1024;
-            cpu.count = 8;
-            network =
-            {
-              address = 6;
-              portForward =
-              {
-                tcp = [{ host = 5695; guest = 22; }];
-                web = { httpsProxy = [ "littlewing.yumieko.com" ]; httpProxy = [ "littlewing.yumieko.com" ]; };
-              };
-            };
-            storage.iso = "${inputs.topInputs.self.src.guix}";
-          };
-        };
-        rsshub = {};
-        misskey.instances =
-          { misskey.hostname = "xn--s8w913fdga.chn.moe"; misskey-old = { port = 9727; redis.port = 3546; }; };
-        synapse.instances =
-        {
-          synapse.matrixHostname = "synapse.chn.moe";
-          matrix = { port = 8009; redisPort = 6380; };
-        };
-        vaultwarden = {};
-        photoprism = {};
-        nextcloud = {};
-        freshrss = {};
-        send = {};
-        huginn = {};
-        httpapi = {};
-        gitea = {};
-        grafana = {};
-        fail2ban = {};
-        xray = { server = {}; xmuPersist = {}; };
-        podman = {};
-        peertube = {};
-        nginx.applications.webdav.instances."webdav.chn.moe" = {};
-        open-webui.ollamaHost = "192.168.83.3";
-      };
-      user.users = [ "chn" "aleksana" "alikia" "pen" "reonokiy" "yumieko" ];
-    };
-  };
-}

devices/srv3/secrets.yaml

@@ -1,112 +0,0 @@
-wireguard: ENC[AES256_GCM,data:Coe4iIEnJVDb4a9KUVTRkXl4kng5Zo6x1Iyr0ErgR2b9bN287mvO6jPUPSc=,iv:fiNUUKobJjitcoxBemIah5Cl5+dSz2Q7sbiOT8bDrRM=,tag:rHfNeRGTxnyVYAu8P/2ewA==,type:str]
-nixvirt:
-    pen: ENC[AES256_GCM,data:okvzUul3UXk=,iv:hcBhsUMP8jdhhKuKdHD1lZi8ixNAC729HfMQ79UzyNk=,tag:SRRav39ScHn0O/sf86CIOw==,type:str]
-    test: ENC[AES256_GCM,data:MYlMmzgbW9c=,iv:q1qPAwFTh0fj2IHBIlnrOMbTU2BnwIYzOFUHVqWCY/Q=,tag:Mb2bJJemg/LxpKI5whNvQw==,type:str]
-    reonokiy: ENC[AES256_GCM,data:J/ZM0Vavmnk=,iv:ZT1cMF/JWLWmXyBx331XkBQerOhLJeOd0a53jcSC4S4=,tag:/WCwzOg5LlAS5ZaiI5DSIw==,type:str]
-    yumieko: ENC[AES256_GCM,data:Nugm6tP4jxg=,iv:HweUreniPs3eDs1ucu/G/P/JZ4jfSaOAiLD2o5WeOUo=,tag:eoc1cVG7CD5WFoawDUUpnw==,type:str]
-nginx:
-    detectAuth:
-        chn: ENC[AES256_GCM,data:cek6iIlJXgU191uzq44rTw==,iv:r7aMj5UzH1sbKkxvS8oyw6kpIcpRygD4ype8qkmnNa0=,tag:x2jWZnnFCO0sHj/OS2BQbA==,type:str]
-        led: ENC[AES256_GCM,data:JiCmbknE,iv:Z2RFOWIPUk2jaR6qd4PgRb7LwwHSKNapPQq996Mx+yI=,tag:mq6Vtwjw31DKig3Dl4xU+w==,type:str]
-redis:
-    rsshub: ENC[AES256_GCM,data:+wEclSJGMLBMt7Ss2fMlUgq5kRyNiOheQnRvVtbW47eG2mFODBaw04Qftb80aaSE6YpCTNslBGdIjcpIC7FTUA==,iv:6Caod/1AnUxEEC7ZwVrtDZ1kP6Qu50R+9I3eda/p0pk=,tag:/EYXZ6yl3QupVrzIHQMdbA==,type:str]
-    misskey-misskey: ENC[AES256_GCM,data:nCrH0B3A5B6yMAgTd5TA56PKqJUxwtHeS6BvuUseyKAVbqH581TGsO80mNQ0AJRjviw5o3ftTay79nJnmGld6Q==,iv:fhGcgbpNBo9yUpFDWtuzMos2iPhMdWyc88S0fZDxGao=,tag:QIZ72z5VBqd5pFgaEvMTZg==,type:str]
-    misskey-misskey-old: ENC[AES256_GCM,data:WS+SVmxYs3cNc/+sJQLNYDO0ZkZvmqzW9hCGdDae/N06KGicgiGOKV8LDe1UviGGGzXzB5VG0YvAprEGhUURcQ==,iv:6Ur9FL2+RzU4tfK2V4TaaCpempS1JSSMHz6ebg3mp7c=,tag:qCNqJ3SauPdpxo3f4NVg2g==,type:str]
-    nextcloud: ENC[AES256_GCM,data:pwxtefU7CjTxyogcpPpvQxvdnYIpggaBHZ+/PaT9lhVfvFcNtBBZ1eeOGbUXMZc7BnkFAUDVTVjr5KV75CeX6Q==,iv:65K3PsNfesaAJ7rSRI66o5UEM3SW5KdUnGc4h9WMkUE=,tag:e2nx9vTlkGekvhm8lYsMkg==,type:str]
-    send: ENC[AES256_GCM,data:QCfqbGYuBrlwfuHiSsZIZ1OBVnSO9QjhlPWGVRysKbQK+As/RGbJ5QYtPOyKfRg2L1d5Irfu1aGRoVrzpA8O1Q==,iv:MWzJP+JBwf131X030MnzNKMJ3d4Fq/GtbHpuan4N53Y=,tag:z29HS/FQXTvgN1e1HZFJkg==,type:str]
-    synapse-synapse: ENC[AES256_GCM,data:C6eXXK6SvMmvIa8dVjttorYBScC1SfILqXPMYDCpewVyJCUFzQK3NB8KUz9TMov4P5n+Lm5YItjrUgnhNJA5jQ==,iv:ziJ5JK/+M9d+R6/O/4hQy5DPBw/4XSZVQvIcy55aHRY=,tag:nv0rre2/kyhKu4C5JSE5dg==,type:str]
-    synapse-matrix: ENC[AES256_GCM,data:E72t568kxMjz+x+nC0kIJJFfgt6njlW8Wx6RuqnI736vW7IaA7scNVQ03lXpqZlKS1M7wUhb1QRPowJxNjSK7A==,iv:5qGHIWb7XXrnbjPQVWt+EcX/yDEV4Ny+TIo5OaRHwOk=,tag:O+SQBmZ7xpToSJYmcSCRWA==,type:str]
-    peertube: ENC[AES256_GCM,data:lxf5JtlGfDsYY2kzqaas8zPmS3u7Xch6onLVe2yoQZL6Eeb94V8yncqezGFcsGv1k3Xfr4ncoEraupO3RtKYSw==,iv:VM3SAORs2Ol/WKYCffLlHNPAzA37Kp2fgToM1faS7Ew=,tag:gwI80Kn00QOU+9vRsUKchQ==,type:str]
-postgresql:
-    misskey_misskey: ENC[AES256_GCM,data:BUHwrGGcniD/7+hSHkXegopgG1bRGSt+OXJxKdMOEyeawAkG96af+njJ+WgcZ6KAzQdWtqJATdiTOxpznkvKfA==,iv:9hF/jcGyWFNPzzqVyaVXEabeaGDE92bpVYq1oxvQGOY=,tag:nZObCyAfuMr+B+rlUhCMMA==,type:str]
-    misskey_misskey_old: ENC[AES256_GCM,data:saLuu3wFcqRW2yNF9aZZ4zc6njm6pqqcUUqRTbijXELvZwMy+G+OMKuvgsh71NLDJiNDZdOBAOdUUXlC+okBFQ==,iv:kcHjlpndXENhASkenLN8fNLJjHmcuLN+i7+a+fLjxyU=,tag:Sbr74hl4GsCts2Diw8veRw==,type:str]
-    synapse_synapse: ENC[AES256_GCM,data:NfXD6BHV9za79NW1kLvJjdOLeHjtcrzx9O9W65jgHYneEmUNKO1nuBgs3PrI8tkBPkmn55UdC+4v2WFjHWXrkQ==,iv:YdF0liKfIBT3CHCr1ufguu9qqYpfXfjOhJY5BO79orE=,tag:OWyN3Zh6uvm10LmCBipJ4w==,type:str]
-    vaultwarden: ENC[AES256_GCM,data:4thZ0nGnbprVntYH2wG2PAgAJcAYuexQPOJBSpC1ivQgNbmn89L5pSANx5fvYewa834mlqSWHWeSqIw/81tDqg==,iv:d6gARu6yGzALNZrgpvaxWqM1cdkalA17GZ4EVWHqYUc=,tag:guYaW+Ds1TylCLw/naD2mA==,type:str]
-    nextcloud: ENC[AES256_GCM,data:jeJSAF+oeEXL2BqKbzngnSVvpxE5yuzRq2LLu6EyKT76xHP/whP7QuRxns23dsJnUr55qaRUzDunvoFco8MCZw==,iv:0lxolTDXskNvrVEAC4dV/mIgCMi3B0xH+xVT40Brii0=,tag:YvUtW172rmKK6pY/+4WhXQ==,type:str]
-    gitea: ENC[AES256_GCM,data:D+WDCVPTAcOg/gpxlcaNHFVHBC8uKOs5VZKQYuF0qNZQn0H0dWQS89K3DsgjBKck7ugiZOyXKUHISBVrfBn+VQ==,iv:qkahWBx8q1g6wlzXKM5Bl1PqxwkprCZzzCq1vGWaj7E=,tag:hWX9jF2qx60QrOForU7LLw==,type:str]
-    grafana: ENC[AES256_GCM,data:Hm92Qnz5QVWwk6P61vrnnxDFLtdVx2vOMKwy3sRSv+KDnNSYvRNyLQUkyuf7Nh0S167XgAxDPTZQb9k6AjO36g==,iv:oXmfVDr63NGv4rRBb12V9l9dNXxQK7Se/2fbK40d2a0=,tag:DNeeRwEShxUhowkIfr1feg==,type:str]
-    synapse_matrix: ENC[AES256_GCM,data:HdhB5WAxBa+BaFBVoIo6RwhOxhN5WrTLR11kah9H1sBS5GDPldDw0H274faWFwE/UwXO2ggBEAYvACXr/rXkvQ==,iv:NxOsZqxsP9BSgdlW43AuQGw0VjSGx77wygjdDcINf8s=,tag:CtbG4zcXG2QFFP4dGgOxzg==,type:str]
-    peertube: ENC[AES256_GCM,data:6P8muSWzJ+A71nZZKlCXRCRwr1HWu7yrSw5bkeHg5As917frrbOMmDCpf21H0q+eagx/ZrRIWod2JXc2YGKCfg==,iv:G/zZeYbDCHffACCvhJlKlJ1cUCkw0+raq5G1ubqIRAg=,tag:HeQA3ueNo/t+8JR9jVUUPQ==,type:str]
-rsshub:
-    pixiv-refreshtoken: ENC[AES256_GCM,data:3nQdmn5RAaeqeI7S/0gPUGOzt7rkizpk3Ouz+pXwbqKBpikXKm4amvwg1Q==,iv:sze0u8un0xyumqHj0YeKcBD9xKZRW77rQdQn7auIf8I=,tag:bWqg+/pBaQJ2J3hjx05hlw==,type:str]
-    youtube-key: ENC[AES256_GCM,data:NZPG5iYrkOof+L3SKp9SqXmXOt37hvqCxTTibkzXv5TBPcCjPhCe,iv:Re6966w0oRtvHDCt9eYvswDMLNKcM+stIAA+P1qpWbg=,tag:0jNqPlGoXr0bHGMgHUZXCA==,type:str]
-    youtube-client-id: ENC[AES256_GCM,data:7BOIrxA5FIUo/31p3yqrLJKJhV9IUB25//w343eBoAnr3uD6J9zeLO3nIQv99vItioqFA1RmygCeer9pG7j/FI/MmmT8nGzPcw==,iv:mzKY2XghoXhKTTkO6EiG+ZJFsM39TX6UXJbzh0UA7vc=,tag:w7oiCvURV8yFxxoFR2P/jw==,type:str]
-    youtube-client-secret: ENC[AES256_GCM,data:JCyNb9biROLSx0RHkr0FqZ26nhU/LRBEnzfx91mmq+Ux0/A=,iv:fEMmanWtWaKBVUJVIeMSu+XV3v8xeccDY3DTJr4LOsk=,tag:bT+XedAZu94h053/1zr7Ow==,type:str]
-    youtube-refresh-token: ENC[AES256_GCM,data:TXNvLTfF4K5RT4D0anzXds/fcdPy3FXddGt5xxLIaxbKIqCAtsQyLEhA+SfQXaBk6T/yKIhtd/H/BLu1jOkiZsFL/8i5GSRSIXyagFrCfh/7tEqhCB0u52Hz5Xy4pkZiqd/AXx84Og==,iv:s+q2ffpJP/rcKu/Pw4KosM5/7boFPArJxgbqL0f1ZkI=,tag:chUtPpJbYuhjv09lRdXHMw==,type:str]
-    twitter-auth-token: ENC[AES256_GCM,data:scLoap0kDJW8Q9+h9S/JKYafyCUgx75RV7akHY/BYEmFhRNRq5Z2Lg==,iv:GhP3nyaK18PDcoHc18zhuuPAPnfEWgUagBrZNDY3toQ=,tag:qsE2rIgrmlxBW8D3i10KUw==,type:str]
-    bilibili-cookie: ENC[AES256_GCM,data:fdAX5CpbJZv3fxRdA5SpFwNUZ0jYgYuv8SyKfbJzm5toQ8S5TrQ9WnQk6Jwweqmg3VDRD5l6l/irGsRlLdjt3p7fyAJy0wtzY0jD1xGw8XhdKWevMTysg1YQcMijkJSI0oHpofis975M6EDjcURPWwlR6GqW6POOpMep97siOxiNyBi32TbZHqvIWa1YfyuMcngYMEsShpzWAZCCvLYXoBINXebG1JPHU2xua7EHMO+VH7UFNVCyBYmOw4iXBJ4YFaXqxjQTBza4GDDZ/RVBvO5Egdjovjpj1DR/hOEG4xJHpg6xTsFw,iv:WQTVuovkZjzuu5w743GkMcWqu2p7dmPr9sKHemkbxG4=,tag:eszbpreVfC4LtxnRte241Q==,type:str]
-    zhihu-cookies: ENC[AES256_GCM,data:ssemzXs7ub4z7pw4hWGSfzBfKH/xzv8bhtqC1dDbZJCnwZ4D4/U9ES9QDrPeKT5AjbdLV/WBvJqWKcwTQjGnRhMrgK2MU2/8Et61mur5WE5GPQjwhWV5JaTMhSxKS3pZtpyvIgy+0iwOj8QQS6mbujHnpb/y0fhszlmUQPBL4eIxm269/FyjBLeRivrJvSmMpLQxxwh2/GTojMPH2F3bclsdMHgZhvYGdJ65hSWn2Q==,iv:PffeWFhC+dYkLSDQKuIHRRDjqE7By/ZIuZIhkjCGDig=,tag:p4iJwqLfqkiKOi/KnoyfQA==,type:str]
-mail:
-    bot: ENC[AES256_GCM,data:XngvO9b98ccRoW9WgfX/Pg==,iv:SE8SK49zhYhDxl6f2UonCzTPcKg23CzbI5V/fOh5zOA=,tag:IXGwnSU+Vx0BQxjgvyBnCQ==,type:str]
-synapse:
-    synapse:
-        coturn: ENC[AES256_GCM,data:TQqNzjJV8iM46JZQOKqkydkSrDFH2El4EE1ZCjUPpZ6EM7UHfjjxP536sm7c7adxIZzrj2TlzKufhlGFYfZ8xQ==,iv:OVguyW8sQzfczVHMaMTg6+J0wzTzeTb2zZkXnMEZ4Jk=,tag:dYLMU2bHyg/IR1oyujsoRQ==,type:str]
-        registration: ENC[AES256_GCM,data:MXlRld2ugF3qDVPbrd3TGiwdFhJEcxKDsvmEV4P9Qap/zp1WcMzfo+wAeXtq18MV7Fw=,iv:ztN6q+1ql9b4NMiyuDEmWbnpWeOPmbEftymMDQ3C53M=,tag:+BI9t1jSNNcfrIU6AaDOXw==,type:str]
-        macaroon: ENC[AES256_GCM,data:hVkFqtfaOL64qNGjIfmSORm0D8lOvA/H3Mrm11Glrgy11ACjh+zI1CSglQC0SmaKSP0=,iv:ydNz3kXOelPxSFKshjH9+iYw4OItm6QoNGuks8kSDow=,tag:TCHyMXc+gT+fxVyd7HexMQ==,type:str]
-        form: ENC[AES256_GCM,data:lykxrVPMWz1sBk5GoMRHfHhsVxcT7txvLJ9GM48Jyff5HXh1z4IWuZzOu8HkrELkJrA=,iv:QGV8vqor+wByS9z37sF/iPfrNaL/0jU/yUGiphEl4Fw=,tag:Mg/Oz5hI+oDnp58aQF6Rew==,type:str]
-        signing-key: ENC[AES256_GCM,data:Ov+ly2t3abRunse65ccPpQgqKzDrF8B2wMaCJt3Bxa+QDu6WwD8DD4E+pcQK5/HaTdsQte8Z/3f2Kw==,iv:SSMjSTrhgHt6iz+oyHe0sHm3Eb82ks5z8DR1Puc1raE=,tag:9X+T4n/6Vl4tUbVM0LJySA==,type:str]
-    matrix:
-        coturn: ENC[AES256_GCM,data:BmnF4oyUdbESzOwlqQ5SXYgeUnWgyFE0pdBox33JmaMcOvRPtckD9p38UeMTxp8Pccarmx6f83rdHsifeoiWaw==,iv:1bb3Tn67HTHVNR9ohH1HtqS8wh6t7qtTEl5MNbwn7h8=,tag:xlxMZtqew4pTc9ztY74cHg==,type:str]
-        registration: ENC[AES256_GCM,data:LB5tWjoAsftqszYZGOXtqLFXa0HyU1b6lVUrBup5SJJdB2ZOnPsNtcgEkZLtMUlQ//M=,iv:jvLEwPv4iKuKfOPV08sPb9Z2XMnN+074DCQX+ARDPf4=,tag:4QxCLcOSQ30dU2Z+0OzGYg==,type:str]
-        macaroon: ENC[AES256_GCM,data:JSlovYowIe0C2jEFsIJci6+M1GYgbINdp0XkY58oOk1/ztyMnABSXcgZ73pEpLeUCvY=,iv:r2d5COTXL3gz9pb4GxuFQjM5DHsmwAfDy/eqlZyZJoM=,tag:yRn/OBcy1IqMvJQYD9sA6Q==,type:str]
-        form: ENC[AES256_GCM,data:sN24Yj5miXmUsvEmeSDOxFJxAetQdEJw+kEPNq+iMXyEexqEgoYBseH6kbFZwZAVrBo=,iv:ZtRkme3U1ofUBzT2J9SeRov1+rN5CrSi/ExKX7S5DNY=,tag:gGj8l5JXlzX+2sdHsLfQAg==,type:str]
-        signing-key: ENC[AES256_GCM,data:nmP8lwTAYGHc0LYcEj2AJE1XwSJBfA/NK+K6/0KGsufxwS1VhCXUWX9s3oEUPwuteTGZesaDVep1Qg==,iv:NcJEhlz6WgorViN2oiUG7kLy8N5kUzr5cD7Z4PRGdTg=,tag:WiWhIKaE5UQwEXunUokaNQ==,type:str]
-vaultwarden:
-    #ENC[AES256_GCM,data:rD0YOnSNf23ZjJhRWWia3+Zbpl6/cynCKlQQFhzaWIclHBk7YU3Z4E9J+YuWzlO8BM0bbp+zMxFGEFvbMrSHEHQ=,iv:PzQOCpSrjFb/aYn70oKrpb3jDy8rtZKPkLQ8qv0GMyE=,tag:wRfa4oHzAKD3BNYghIjZKA==,type:comment]
-    admin_token: ENC[AES256_GCM,data:oEIaHRqRIVQh+lSv+4p6G26bIKCtAQiw3t/C24C465THrwVa05D2Sax1IZ1JaHKgOmLzo8vxteBmJarARyC4kAnw2vb5bDPT1KCO/6u99mXhQyF3NY3FjmDwWHqTHHZT29dwAmtdFRz7rJQowLVqhBVQzNePdQ==,iv:QVAZ9JwwebqD7zxS8+Ai3K5V60bQbe+ewDc+JBXDMuM=,tag:vUYNlVf7ccooiBIXQWQC0g==,type:str]
-mariadb:
-    photoprism: ENC[AES256_GCM,data:JWeUPE1mb79IzyIsJime2yaBH+/yno2vbXAXO5E6Tx+al7bUlEH5JzYqz8+g8Jkiz3HhRNI4tcGUcVE7kkLgfA==,iv:ZJlIUGbEL/mGLWzjNEwgvzuzZZZrTy5D7e0eZ5+Ouvg=,tag:WY7/sUd2p2viKKDKsj1TLg==,type:str]
-    freshrss: ENC[AES256_GCM,data:/qt890Ly7zvuZB4Zn5xHLflc3L6Ex9JDa1BAinbG7OOkPGpnC83g8ivaQA3xL/CU1FRsm9V1OW4Bv2eN7VDhrQ==,iv:xQG5j3e4C7HWGct6gAET9uVUhGFv0BYVMLdL/1sj664=,tag:YaqjUNk7ybjfitrRpreQwQ==,type:str]
-    huginn: ENC[AES256_GCM,data:vbXI6k3IvTDgQNtKNX9VVJmanO6l+mLoOTq6djEuKfSQAO5UKMq9Xec2rsAibq4reKh503C4too3n2GU1Wo+FA==,iv:rSHmytVa2QWiZ1HH+8AOTOgimYcmPwo4fXgSSq7o+fQ=,tag:5DkdG0TarAs3cSsgPfFNJw==,type:str]
-photoprism:
-    adminPassword: ENC[AES256_GCM,data:X9af31Z4xGu8XJjMfsf3+whEdx96KHMyfJKO+5Q4q1nlnZD+cLjO8Lza2soO1fFndXcowRYsReUAzmXjH8Ffvg==,iv:LmH+JDA3YwydSNr8KbePPDga5ukGFol/BGrHNOZUxPg=,tag:T2HbUNcHnYD5c3GR5rnRmA==,type:str]
-nextcloud:
-    admin: ENC[AES256_GCM,data:mhTb6UPo3fIGlKPpER+Lcr2Jyv1nMk5jbQtxoN4txGJAFaJIhK+iAiZDZXBtOiysYqatcC2orJdgt9je8BAVWQ==,iv:G/uDlOGUt/F1GgxpIMGvVuFjcagVnHBudSGXZi3rrXY=,tag:hdE3Pf3G/xrnKaUkYO1WsA==,type:str]
-freshrss:
-    chn: ENC[AES256_GCM,data:Z4UmsXv1KiVfZMIQOEHH,iv:pF5lQLggkxm9y7taDVcp366JKp8U+8akNEdPA+Nf9Uo=,tag:0TajgUI/VgM3FxG1j6c/jA==,type:str]
-huginn:
-    invitationCode: ENC[AES256_GCM,data:JDN913i+zf6+obWxrNAbgx1NJGPyewRm,iv:lqnjbSk46J0ZJN6ccbbiCiOK92W8fj2mWRwQHKqy2dc=,tag:UYZesryRlfAMo7xhKQ7zgw==,type:str]
-grafana:
-    secret: ENC[AES256_GCM,data:1Wfq8QmhzKBObdktheFPySzXYlOJzHWbYYQXgn3beLOwSlW9f7bUn+wIrRoj1e8WlFJkAU2xywzjzzy/UwpSYA==,iv:/0YoHTs54O+cT6VVt1U5CYXr2qEdY2kijOlnMZMW4d0=,tag:SD/IELlcgfS7p9NBEa6D/g==,type:str]
-    chn: ENC[AES256_GCM,data:8R92k7RH1491u6lfQdM0U3SG8TPi3vWhZyj810XSjnA=,iv:8v6ijLHgoTPT6MGoP/lWB+UEZCCgOpvfskWCJJ63Udo=,tag:k9SHzJ9d54Rny3n8EbksOw==,type:str]
-xray-server:
-    clients:
-        #ENC[AES256_GCM,data:RIih,iv:1KQsPDpbG1A0NFT72tO6sSuQ84vfW07DST+/XzpNZvY=,tag:D3AHUPlCJGyVBbDalTHobQ==,type:comment]
-        user0: ENC[AES256_GCM,data:n6gIZGYdT6wEfKgizFvIE802AkpR8BpSPSZrQ5WP/aZWzLUL,iv:AxnwFOzmIRm3nTLpi8/4lkv+TjO4y4RZQtHO0GriD8o=,tag:nllDCaLZd6JNS2JqwvgVyg==,type:str]
-        #ENC[AES256_GCM,data:uhAauqQ1oQ==,iv:0Sr6YjarjkLmBq5H1ELb3SYBzrTVhqIE6qPxc9HYeKY=,tag:NvGGSY99Y7d3OTnpOr2p2g==,type:comment]
-        user1: ENC[AES256_GCM,data:EcEySx/n52rN5REPEWNjCuWywokvOetadbljqPpDPADTeeSk,iv:7r3CdvHJT1iZvx1Xn53It1ZxIkdLVIeQ+Q03zISm94k=,tag:8cIGZUlIhVgRc2FeU931kQ==,type:str]
-        #ENC[AES256_GCM,data:KuuPQQ==,iv:LGGqLFV4CnUMLWaNbHj6bRseetvdMdSOefV1FeYlJSA=,tag:wXlqKM2BuoMRZAwYbv5eOg==,type:comment]
-        user5: ENC[AES256_GCM,data:T5p0POx9Cnqdlp0blEYvAnRNIDOCNVdpOBR4rVQ1/07/rOCX,iv:EZx6ToeORzHoG+aEPi9oiTcwp4bOIAJpPUvemhYM96Q=,tag:aSS+RY5rEzr62mbE+JDanw==,type:str]
-    private-key: ENC[AES256_GCM,data:xz7xFt/g++E79bIl6AeBWATHDB+gHBIoXo5vdWTeyrAT1RtllgYie9k3Fg==,iv:x7fdmSINQA+F7a08jpuvCAg7vIZpsYaoX+EnitJMUCk=,tag:GAb/RRdAOlteIQPxeIMAXQ==,type:str]
-peertube:
-    secrets: ENC[AES256_GCM,data:OR3OA8qJsq1gAYiv1rShNa8eODzIxPOpVbqbnseSCMUNx4+FeOgReTLl7cXHPxbBkrJbsfEq5XYm1QtRtxotdw==,iv:6vz0ezsFuCNsBduNhm4VQ+it6oEJF/eMxktVFhdXgug=,tag:hmW7BwF9C53SAHhu2HBLYg==,type:str]
-    password: ENC[AES256_GCM,data:OaoqvUzWZz4LvVwZMbOSeq0mZyTqWT/E1Dt/N0XwEGwn9LLtarG/LrzV24BMS503N7NIxePVBK0jJCdbO7sI3Q==,iv:aaInNy3UmdF+aOu+Lzo7F0FvEVRbsn2XDwmYLNtYaFE=,tag:l/ONyeZJtZjS6IqwQgMs7A==,type:str]
-open-webui:
-    openai: ENC[AES256_GCM,data:5B1wPAOx3GsLDoYBKHWFzoyXFmn93fdcq6UC2rCt/P5zYLA4VNzfsp0=,iv:Y2gTLCmwB5wY4dhN73HRvTqSMVXbAEd+RjRbgUEuTeE=,tag:vcfNhXpG0C3twFBsm7PHwA==,type:str]
-    webui: ENC[AES256_GCM,data:Lg32DZ5GC+AYzWc4WloNMQlnpsqW67s5/kXzYwE=,iv:ECncgdYoLkX9GUOX26MXFSO8JOZahUDjTdKV87IRNJ8=,tag:J/5tTR3MI0iGIVDrlacYEg==,type:str]
-xray-xmu-client:
-    cookie: ENC[AES256_GCM,data:z1KI3CUfPqyiI/B/qgrNhg==,iv:QEjUlMkkF/fdwwEIGiJJ5UxFGw869qAnpApmWaRn3GY=,tag:EbdJsYEslwJbARxDoEWrDA==,type:str]
-sops:
-    age:
-        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvaURzWlFQNUpObmtvaUd2
-            bVc2UXRHajFPeXR5eTNqQnBhaWVOTXRDSEhVCjJVREN5MzF2MXhMSGIvNlM0endj
-            ZGVhTUFrTXVXRTlvYThaRVZBWmwxd2sKLS0tIDNTME1EaHFKY2J2SWxrRWFpaVJ4
-            Sm5xUlU2TXpyMUJQWVpoRUdlTnVjOFkKZErjPuX3nNFc3jFPBX462qs9hwguyxUD
-            POxmT4DMCPAaEz+lNB+Qa03P3TYFJ3LfqTsO7QXO2f9113wFqF2lFg==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1n4lhfwv7g0vhx54exmwx9yv2z04m3h2lunzpa5zdzgtcvjjuf5nqc36g8a
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxd2RzNEttTzk5cXVhc2RK
-            R3hxM1N4TmkyNGp0Z2ZwODZBL0RuMW1qNjFjCkI0N2FMUkd0eENPK0w4MWVJY2d4
-            NWlvUFdQbUh3SFIycDczZlg0ZEJMalkKLS0tIGs4dHlocTRseXRWYVFxMkdrV2x2
-            d0h3aDh5QXFZYWJFdmNVYnJxQ3pBeVUKTl0XVvtwJcz+RpSylgDPl/R8msInxvWX
-            eQGmrDHibeE1V+KSDiuNzC4MVRIrOnh1beHrhnVQ86HwPVgJqs2FoQ==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-08-01T05:55:35Z"
-    mac: ENC[AES256_GCM,data:MEgCbEJ/bwx3EVWVYQjb1RbNx8OlJkqelHPbMG5DzSRgcBcllptTFCanLIPZrg4FihkHx3b41Q5xsCXbras1njh4R1FeyLVVGZH7pYjZaPF2MRaD8nYeCHKlItWUVvHQTf5bRrTOOQoo4Kmn2by/xdMWwZlZwt0aBoGnEYBxGf0=,iv:lrPlg8cM5qPgQPpIUHF6WBVglTe9YQtI28hfJSgJ1vU=,tag:tjucRsf+tt9F03Mhjf+jeg==,type:str]
-    unencrypted_suffix: _unencrypted
-    version: 3.10.2

devices/vps4/default.nix

@@ -21,13 +21,12 @@ inputs:
         grub.installDevice = "/dev/disk/by-path/pci-0000:00:04.0";
         nixpkgs.march = "znver2";
         initrd.sshd = {};
-        network = {};
       };
       services =
       {
         sshd = {};
         fail2ban = {};
-        xray.server = {};
+        xray.server.serverName = "xserver2.vps4.chn.moe";
       };
     };
   };

devices/vps4/secrets.yaml

@@ -1,45 +1,4 @@
-xray-server:
-    clients:
-        #ENC[AES256_GCM,data:d7cv,iv:RHzGIDLuuKejCTQ5YlNNITkCS3VoprsqH/kHckdpAv0=,tag:3cYw7uyUmXALo3v7SiqLJA==,type:comment]
-        user0: ENC[AES256_GCM,data:o2wxpSzoqsPxs6grgYRLtPutMVwSqtzUWBrj7+7QuWWd1a1z,iv:2/5SxXq8Iw4J/LzBeclHbkrZXHitguip0WN+MINym8s=,tag:v/3oly53ORM9XAwbOzp06g==,type:str]
-        #ENC[AES256_GCM,data:0nHZmEPPaw==,iv:BtOZ8/U0yg3fthHrwerNQX3+KD/H9+fcUylYGnZqiIM=,tag:DkFGSFfq//LmWfg6DGm1aA==,type:comment]
-        user1: ENC[AES256_GCM,data:7ev7GuKLeJbPReMy0FnX02fLv5nNCpxdzfnQyAA+/IviwDMQ,iv:YbESsyIAiEAyvrHnj9A4lITX7NtRkuRhCrTv6hoG9Qs=,tag:8uledxLXqpXXLBh+cczm4g==,type:str]
-        #ENC[AES256_GCM,data:4Y00hDJ+8Hjq3Q==,iv:XWZYNC1T5B55B43tcuzzvOOFtHqZJ9XDuEaYQOO5cR4=,tag:5oNFsqUtSiv8CY6aHyGjNQ==,type:comment]
-        user2: ENC[AES256_GCM,data:MRMdc7LRYqgRsfKKW6LnP14g3JoFT6g7jzkXW8gIAeqypyoc,iv:tfPBD2FkIljz3xasYNJsj3vh2lEObrvSZ95FyCgWcTs=,tag:B1PQpyX24DqrPscL/pjZmQ==,type:str]
-        #ENC[AES256_GCM,data:gGd3kkNcyIwOXg4=,iv:vILDvtdvopPM8lZDDpedvtXYHpoPvPn1A8AJca41r9A=,tag:2LMImcmdyPKsQDloq7041Q==,type:comment]
-        user3: ENC[AES256_GCM,data:+KUVcqy18t6Fd+QNgB5DeZkNSA6lsjebO+xnzxzIjWuZ9UmS,iv:qugbmBv9jk1yfH2s0A0jla0DR3jkdXLVUeWGcj6v68U=,tag:4FUf/guDzPqgDcb1086WTA==,type:str]
-        #ENC[AES256_GCM,data:jCgKe0t2xQ==,iv:UE48L/JpobN6LUd6Z9RlsUGSJ1sHHgiL6xj8lPztwJc=,tag:xnwWLQm+GIUzsfBO/TXhrg==,type:comment]
-        user4: ENC[AES256_GCM,data:3yrdvbcH/ToAQpTLppSVp2FNGjatyBInKP85bAY9OrEtzhhQ,iv:4zvb1nzKjrCNWWKelOnDhsNBAC7Ak6ZpJlvQKqGJrgc=,tag:dBOTBJDJhJsKHKg/vGmpxQ==,type:str]
-        #ENC[AES256_GCM,data:2ptsDQ==,iv:dEzyk6NQcFZQPx8h/ViCqtRaQ/8dfMTVKBq+iguk6nU=,tag:11SLIAhtcHja4G9HUXr9Ng==,type:comment]
-        user5: ENC[AES256_GCM,data:NO9rpzFkySistf9++oXpo1tBaa4XtPtcCGR+2IWmhQYEH/l1,iv:OG+U0avgo9mjmU3soxRNL71ZC7Ee4ijpsJMRn3jYvhw=,tag:QuBFX2KHgNJ+f3RwqEH4+Q==,type:str]
-        #ENC[AES256_GCM,data:uTZDsA==,iv:6cxvQycfji/x+DW1CnO45r+yNTLwkhYkiJwDaSpUCwo=,tag:8pMw+sYeOyZBN1idHoM9+g==,type:comment]
-        user7: ENC[AES256_GCM,data:Ie8M385wtRx8bWIdCupnda799kL0OLBsWdk9pHTY7IxxaZbn,iv:OrRYOkaC9uI9E1Eb8GYqmYr9VAUM895oO8NSdvxUPCQ=,tag:NZTUE4KnUjhg/auoALavTA==,type:str]
-        #ENC[AES256_GCM,data:Wwq+ypJgx6OcXA==,iv:dSvFz4I5tFx+ZVClxNGKwcbIQe7OY43OzAhqRiDK2TQ=,tag:CYUs1cJ/zqc+Y0yFec7Upw==,type:comment]
-        user8: ENC[AES256_GCM,data:2GyFDXIiAN3mTobwnY4czV2Egoin3B5Ih+aet3yT+krPTkPq,iv:NwrzO//HXwKMudgD+yK1hsj9o71RG6BfBle3logvuLE=,tag:WWpioPsnhHvVSrzAmN16Sg==,type:str]
-        #ENC[AES256_GCM,data:vVz6E2juGqXS1Q==,iv:9itEkwMsW8cqSzwV2EZtgJVgaW7aJJ5fw1rLuKFwiKM=,tag:9hRADkot8kELoYAgd6Dz7Q==,type:comment]
-        user9: ENC[AES256_GCM,data:HgSVrry+nKGW9X9N6h8hsI9VETKtSEi+/ZC9QvNZW4zETQxt,iv:ERgmCDPBpboA/+Sxeq6BvWoMxsv3Kkczqb/mbXz9pOk=,tag:bklzRg9toKy//6T8xdtbRw==,type:str]
-        #ENC[AES256_GCM,data:2sHxXec=,iv:aA61+cmDw4rHab7RuRRK3eUDx5d6gpmfw4RpQ6Nd0mc=,tag:H9kovJyn3Te3ir9X234VGA==,type:comment]
-        user10: ENC[AES256_GCM,data:CqrwaZp1fHd/WEGQH3xWI8DZ2/AavCqwTtwZeHmnrct5yoD3,iv:IBOHGQlw+uQt8Ryp/mCDcglfSPNXvvHOjNnrT+7nOHQ=,tag:tEkGEtPaOBK+P3LrQzOLsQ==,type:str]
-        #ENC[AES256_GCM,data:Rw4BWXZutQ==,iv:rXe2i1G/xQkpBl0wh6VIzaNoidCc3JL4sy6v5hcOF/M=,tag:2tZyH8B0ZL7XptKHk6TcAQ==,type:comment]
-        user12: ENC[AES256_GCM,data:CsbquwEn+iOKCzda8z26FYk2i5aPk2xzqGIYORiD4lotvnFE,iv:zHPmlT4LAc6NDjXrExze23dZZFIj0c1eR4WW74cu+qs=,tag:5MDFrZNgv54mK05ImSvpkw==,type:str]
-        #ENC[AES256_GCM,data:vqYkwGVcQ8yZbA==,iv:1ckVSiAgjuT/K0MuVHe8D2hHE7X2qxCHpb+y6nrFCsI=,tag:so9oFl6bXlJT2O+prplazw==,type:comment]
-        user13: ENC[AES256_GCM,data:KUraqncs8iPr7z+COfJ1z0TLNLlgctxy8FCav95+kkVXtStx,iv:Uv90bnVmmQh6f9pKOWmEKCul5VPxF7rrQ9GYrsCGPp8=,tag:I0r5o8xIYuq5/MIXSOHT3Q==,type:str]
-        #ENC[AES256_GCM,data:F2x+2zrePYDkCA==,iv:aTMeqvGVI43xLsN9submgciiJEjY4hYypJ9RJLIBYTE=,tag:quKW+MATVzRw1bda2jGjdg==,type:comment]
-        user16: ENC[AES256_GCM,data:BjnUUnNyqUvvPbfa1CeYvcVbMOwz6/Em4YhxRgmlicOSwro+,iv:LULwzjV5PRihTHNZFJ21IrDG3rW3qX4CYwF4Xu1KdZg=,tag:pZAI4OEx24d6h/h9JyQ/hA==,type:str]
-        #ENC[AES256_GCM,data:aka1O9hn/dZX3Q==,iv:rWik4cYtHY/Z3xQ0p/i49zTXVmKEQDV4OMn12UaQr3Q=,tag:hPm4bugH9RAtsykj0BJ0Pw==,type:comment]
-        user17: ENC[AES256_GCM,data:URZqRUDtG5FDrZDsmI7CFn4ilp97GJtgaVVB+j0dRUdtVGoq,iv:iUkcr6Oo29y5PIGF/GJRltn5DD19yEcBIsJAaYs43AI=,tag:gzSsjeQxvjvfFVkDHPkfvQ==,type:str]
-        #ENC[AES256_GCM,data:JkMniTrakuonAA==,iv:V5KmQL+C5O2mb3ktlm1ITjLaa1NxToQlyToqYbGme9U=,tag:UTZm05uyb5j0Pf9vuxyIxg==,type:comment]
-        user18: ENC[AES256_GCM,data:fFtnkBnaOktHaIfk7dN2U73UkloToiLvP3Pg2VAqPzvTE49h,iv:DZrba7RWmaeOQsqh3Kq/IuFS9so5u5ItK5WwV/65FYE=,tag:v+pOozYvrJJIsj7A/a3S/g==,type:str]
-        #ENC[AES256_GCM,data:gR0WsUYdBZBWjA==,iv:rnXZQaDNu+cEzneEa6/2pO+qUXl/fut8FJ3n90A6ATs=,tag:azNGPfWv+ZgOU/B5PMCVZg==,type:comment]
-        user19: ENC[AES256_GCM,data:S8VSoBIR/RqwctgYPtyIPEK2hXLr4LZ/jJvvFHA6CGgp9/Ff,iv:8eLCZEaiquwZyswwLkLoJcl7UPWTVYmQqZ2egAGFWWM=,tag:VgJiSt8eRcRhppMXkAkmKg==,type:str]
-        #ENC[AES256_GCM,data:vWW1bNyENgcspxI=,iv:xXCrjHyxVtodkVu/wgy1OrHGGm20nEd1iyparWcycYE=,tag:FRu132btquzXkiLXlnq1Iw==,type:comment]
-        user20: ENC[AES256_GCM,data:Wux6pzwor0B1A9d1y0QEpcNnYn1pObloHxghSONHcsQ266/7,iv:jWSuswV6vTQdL764I/zxFC5gkFOa5Qwj54rggmmZX7I=,tag:4hmqBTn0T3a6Sjt9lofwbg==,type:str]
-        #ENC[AES256_GCM,data:IJWHWxbhy+gxhxk=,iv:HzMi211JiVfHUhEJm+q/K0tCjUEXDhollUf8Bm+HVA0=,tag:P22Q/h+DUhhJayZftcvVfg==,type:comment]
-        user21: ENC[AES256_GCM,data:0X5x3SATZm25kVf8cu7TGm2t95DneLAqhP16fRQCtROzyZyg,iv:dmlwRmubnRq2fNdNz3lVlAVYpPjVHkFm60IvPcajjds=,tag:eDJYYf3eRw+FxfaHiRDk5Q==,type:str]
-        #ENC[AES256_GCM,data:O3ovvRYzFrQY,iv:/Zs8e6u7wdp18AacZ3WWBvn5PDtXDnQ6ZyqLiyYmvAY=,tag:HmhKBI3aRCIR34vOEnv1iA==,type:comment]
-        user22: ENC[AES256_GCM,data:ee0naewdOjIxA0QEpmUyOSu++sUJQneEufhJBHiyOR7jAPTU,iv:09fZ0dLUZHp9wM2lCiIcTzFey2AkWBmnUCfq8W3FM6Y=,tag:dHBVo/Ok3Q9vy1pIbWC1Kw==,type:str]
-    private-key: ENC[AES256_GCM,data:akNIeVp2bfKvnzlS6KLAdqAo7qsGfPatzCZpN1tNRLhRVXmJCcUDVSmVoA==,iv:2Rny8ioDJ2x+NR+n7/Aluv7JZ+Om3MuJKsXiwONYntg=,tag:a3xubIr7hpVjRiHjFL/q5Q==,type:str]
-wireguard: ENC[AES256_GCM,data:3h+cpSHULgwlI/zOI0IL4t4diDzm7qWW1sOWZqkFRWCB0CAfGyydGNlZkqA=,iv:pVpmw0aEDssQSr724h9NvJqFMHu0NupDfCSt1RWVnUk=,tag:fonuszujTzeo2HqO1OokEw==,type:str]
+tinc: ENC[AES256_GCM,data:MO+GKj5Ma1weblDjViBXUR5JS8fKoc5XQp6jVimhgip1MiulkUTgJ0Z+ecazAdBh9WnaI65SnLMXLMzk5wiJfblE5KJ+UlSvn7TXKvFPoWw9WXsU96to7D+IZNAYRXj6eMJ6g9j/u01Q348s5F9RE30C9jtk2mwM1n8yyAP/BuwcyyVZK6jOwtE5zsZyinGzLTCyD8pZqhVQ63qdrNMAdvNowl38cVm5pKYsiZiU9r8fzQJXS+5R65rJPxNKJ9CYBI3ca8OGJbY=,iv:bJgHF4CFagARNXFvkNFznzyUit6LsO75RiDTxZGsmr0=,tag:zDX6N6tDoooRUmovhgKsZw==,type:str]
 sops:
     age:
         - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
@@ -60,7 +19,7 @@ sops:
             Ri9hM3NRTkM4Q1lDdmdPemEweEFBUmcKNLL5qH+JeFWX0GovkPFVVAnz+4tmfG6/
             1jN8YqbMIxf5/L8tauXPf0iIiHa6pUcjtDZPr/OEmeXebmF6Bh9u9Q==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-06-09T07:42:38Z"
-    mac: ENC[AES256_GCM,data:fQm8aI6KdoJVxcl4MQP7Q6EZVqmmLFo9A3Hjo/tKZA+VOYvQWFBxIKwy5Cj0SBi4pWsSjwG6pJZ7m6Wh/dDK4KlgkoaXgAYj+efHtScOH5Gkb0sTpAkHNL+/CJ/cO1doXiXRGj47fn1QB9o9WBaomtOWQbzDts4eFs9pdm8TAq4=,iv:91Ilig4j0ELHEatTY7ALKwwr8AzYnRwhKbdWDcufZF4=,tag:UfwaudQTNKu+uryCZjo3mw==,type:str]
+    lastmodified: "2025-11-16T03:46:11Z"
+    mac: ENC[AES256_GCM,data:yRB5Y6raz1eCV/gOoJapJfmtXOEafgu4NyIbUVuyOvwV8XJtMQ3mihvlbi1ETdmNLqo8okiU4I1C/Pbgd2rOuW2E8Ymmcf9WSak+z46+YcXXTjKvYn1XRetae9l9hbB9ib6uBI0FlkhXflpf83yTibSF9codVhRsfRzTHfWPx+A=,iv:U0S5bV5ntwj38TOXc4C1yp6eFnHLxogjQw7hrFqjGLM=,tag:48vY9CStBQLnSHxK/eV+2A==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2

devices/vps6/default.nix

@@ -21,12 +21,11 @@ inputs:
         grub.installDevice = "/dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:0";
         nixpkgs.march = "znver2";
         initrd.sshd = {};
-        network = {};
       };
       services =
       {
         sshd = {};
-        xray = { server = {}; xmuPersist = {}; };
+        xray.server = {};
         nginx =
         {
           streamProxy.map =
@@ -34,14 +33,14 @@ inputs:
             "anchor.fm" = { upstream = "anchor.fm:443"; proxyProtocol = false; };
             "podcasters.spotify.com" = { upstream = "podcasters.spotify.com:443"; proxyProtocol = false; };
             "xlog.chn.moe" = { upstream = "cname.xlog.app:443"; proxyProtocol = false; };
-            "xservernas.chn.moe" = { upstream = "wg0.nas.chn.moe:443"; proxyProtocol = false; };
+            "xservernas.chn.moe" = { upstream = "tinc0.nas.chn.moe:443"; proxyProtocol = false; };
           }
           // (builtins.listToAttrs (builtins.map
-            (site: { name = "${site}.chn.moe"; value.upstream.address = "wg0.pc.chn.moe"; })
-            [ "xn--qbtm095lrg0bfka60z" ]))
+            (site: { name = "${site}.chn.moe"; value.upstream.address = "tinc0.nas.chn.moe"; })
+            [ "xn--s8w913fdga" "matrix" ]))
           // (builtins.listToAttrs (builtins.map
-            (site: { name = "${site}.chn.moe"; value.upstream.address = "wg0.srv3.chn.moe"; })
-            [ "xn--s8w913fdga" "misskey" "synapse" "matrix" "send" "api" "git" "grafana" "peertube" ]));
+            (site: { name = "${site}.chn.moe"; value.upstream.address = "tinc0.pc.chn.moe"; })
+            [ "xn--qbtm095lrg0bfka60z" ]));
           applications =
           {
             element.instances."element.chn.moe" = {};
@@ -52,6 +51,7 @@ inputs:
             blog = {};
             sticker = {};
             tgapi = {};
+            short = {};
           };
         };
         coturn = {};
@@ -59,27 +59,38 @@ inputs:
         mirism = {};
         fail2ban = {};
         beesd."/" = {};
-        bind = {};
+        coredns.interface = "ens18";
+        headscale = {};
+        missgram = {};
       };
     };
     networking.nftables.tables.forward =
     {
       family = "inet";
-      content = let srv2 = inputs.topInputs.self.config.dns."chn.moe".getAddress "wg0.srv2-node0"; in
+      content =
+        let
+          srv2 = inputs.topInputs.self.config.dns."chn.moe".getAddress "tinc0.srv2-node0";
+          pc = inputs.topInputs.self.config.dns."chn.moe".getAddress "tinc0.pc";
+        in
       ''
         chain prerouting {
           type nat hook prerouting priority dstnat; policy accept;
           tcp dport 7011 fib daddr type local counter meta mark set meta mark | 4 dnat ip to ${srv2}:22
+          tcp dport 7012 fib daddr type local counter meta mark set meta mark | 4 dnat ip to ${pc}:22
         }
         chain output {
           type nat hook output priority dstnat; policy accept;
           # 需要忽略透明代理发出的流量（gid 不是 nginx）
-          meta skgid != ${builtins.toString inputs.config.users.groups.nginx.gid} tcp dport 7011 fib daddr type local \
+          meta skgid != ${builtins.toString inputs.config.users.groups.nginx.gid} \
+            tcp dport 7011 fib daddr type local \
             counter meta mark set meta mark | 4 dnat ip to ${srv2}:22
+          meta skgid != ${builtins.toString inputs.config.users.groups.nginx.gid} \
+            tcp dport 7012 fib daddr type local \
+            counter meta mark set meta mark | 4 dnat ip to ${pc}:22
         }
         chain postrouting {
           type nat hook postrouting priority srcnat; policy accept;
-          oifname wg0 meta mark & 4 == 4 counter masquerade
+          oifname tinc0 meta mark & 4 == 4 counter masquerade
         }
       '';
     };

devices/vps6/secrets.yaml

@@ -1,51 +1,14 @@
-xray-server:
-    clients:
-        #ENC[AES256_GCM,data:DXEC,iv:SZ1AhmK6fWQ/HGDk97kDUcRN84zQMp99eiz4SpRhig8=,tag:Fkdf28ZvB8XKCxSYdjuuHw==,type:comment]
-        user0: ENC[AES256_GCM,data:rJ00sfe/oJSry6Ixn4Bn+p41syqsOrdWv6fRGVCwPvn/unMY,iv:htTvFMvhIRkORA/gIU8J7CgA+tOncYQWh7sUh+F6XDs=,tag:VrSJBD7ti9WtSLHoWjMClw==,type:str]
-        #ENC[AES256_GCM,data:OVgDU+zqcQ==,iv:8KuEqBuL5Ca6pUOFFA+vySJx/h3BhGAAC0CgnxiW46o=,tag:TY1MajSSy2RjKVI2SSAAFw==,type:comment]
-        user1: ENC[AES256_GCM,data:S3IHO9FcVHTJOsRxjSohM9MgnrEwLdDpFU+efLkQaXT2jNJG,iv:KOesvPzjDfm1EDLFiegbk0wgjp7di5mUwUuuY2hwvOQ=,tag:ZsYyUyyEhO5S3weCw/gPMw==,type:str]
-        #ENC[AES256_GCM,data:OQOPobpbbhajgA==,iv:4jG3bHKzWcR+JnvSlJsc0Qlv5kywqVN5UE96J31CP7Q=,tag:P+jJkRxPu99tLXyO5k6dRA==,type:comment]
-        user2: ENC[AES256_GCM,data:+MKTpaA8hO8q0kyY0V1csedLOtIf760Vr0+WllGe9lgMJ5da,iv:5txOM3sFOhKVX4EVozb8XHWLU0fUNxCF9YAwTYaTL6c=,tag:jkgOVgiEc5phY1XNETsdpA==,type:str]
-        #ENC[AES256_GCM,data:m0iCqLI8ELaPb9g=,iv:bsh7JHILbOZJ+bgGr0U0rDanjUVGgDzYGhboezspEjE=,tag:o7A4SXoCXk5LXmZ1bidg/w==,type:comment]
-        user3: ENC[AES256_GCM,data:r+6jXaIj4HJoYLnJcnjJB+WEZlGaoSy/ktc1Aw77hFtNrrGp,iv:P+YUKns1yaOZokH5WkDB0jssGyHg3ncc54tF1PyA7Oc=,tag:/pxMEr7l4ye5EDAOsllxJA==,type:str]
-        #ENC[AES256_GCM,data:4gqZh391hg==,iv:No22DrD6EBs2FA4/qH8msWEjs20fc+ZpEeZep+HIv+c=,tag:aHrYNbI83POI4PRj1nd+Yw==,type:comment]
-        user4: ENC[AES256_GCM,data:/kBaGAqbewLav+WCJPHm1py3pvb7bA/YO2DeBP2FTCZv44wA,iv:iwxV6KHu00oITH/58kBFmf43lkgTU3BHJ/kb9FPnRSE=,tag:ns+6Dvhf/D15bZc0fd6zLA==,type:str]
-        #ENC[AES256_GCM,data:AzzKMw==,iv:Z73ISOLhPWP40wTy8PucY3KaB9nS7WQECK3tZFYC1ao=,tag:KJuiCODhHyDl5bXInUSI5g==,type:comment]
-        user5: ENC[AES256_GCM,data:iDuLRb4dhLUOjpamioMwoTYrn7Cy+Ln4SaedVXkwVD05rjJ0,iv:AqzBBvLpJuIJCUJq0IyDcHrlqb0e84nQC0c94Rj85uw=,tag:0xou1i/iwAxGngO74OIMXg==,type:str]
-        #ENC[AES256_GCM,data:8FxApg==,iv:vPa5p3QVHAvw+ECusWGqx1ugTcHh42CVFDQcMhG59wM=,tag:lHiZtydcYFBQiXnWh8pCrw==,type:comment]
-        user7: ENC[AES256_GCM,data:H/jje9ONEY6XuBXTZmTVGIcWUgGSMf5OB1NNRPtqGCgRP1ei,iv:xew+0BkRqz3nfOoBXTPbBv5hRczy/3tgYSKq432q4iw=,tag:da2ljcffiCVJCsMZaNPZyQ==,type:str]
-        #ENC[AES256_GCM,data:QdaYYH3RGJ4qIg==,iv:79NBTEKCPtgVVv3G7wg+vdoLOWxc+bdqT1lF4HJpTC8=,tag:8mRFGjy7lBrdyGyX9vaSOQ==,type:comment]
-        user8: ENC[AES256_GCM,data:AnZb12dioiCamubOb6fsGWoM55zfPMeRbu+j8bRRcMfSQFJf,iv:rB+4B11JFC0oS2ExUW18f5WvhnE4EuHh3IiEyxWeY3A=,tag:jt+3yxDvhusvB8ppbdAwzw==,type:str]
-        #ENC[AES256_GCM,data:aYWIiLxs1UvupQ==,iv:AisokHuAzD5B6fEF6ak8WfAe151CM3a8MsaWC4uJPnw=,tag:cdk5S4n9ulyWrqsD+jcqYg==,type:comment]
-        user9: ENC[AES256_GCM,data:+SA+VcZcy5ckuS/46Dn093VvuqxrIACuqMAMx6Ko5yw0DVdW,iv:TeLXb1WI7uhcPDkXYSlKIxdE6Kz+nCnlB+ZYpWcaF4I=,tag:YB0sPD9yHMARhiMJs7JKcA==,type:str]
-        #ENC[AES256_GCM,data:eCl1bK4=,iv:oYA2CFW6OGGrRYx6OHRYJpbEyFh575UjztvHaXA8UG8=,tag:Pw7xsisQB2Dd0KJeWFq6bQ==,type:comment]
-        user10: ENC[AES256_GCM,data:Pec0CVGia/ZIaq7WerZlr0/waJ/Ev1OKwt7V3PBxBSFMLi7p,iv:wYTdhv4Xoe58KBIwV1vk/V4IcdVzQrBgmzGaRD7qHQs=,tag:IZVt5LmjTUge8XntujJlTA==,type:str]
-        #ENC[AES256_GCM,data:spyQkQIHwg==,iv:7+0DUK95MPH7lpr+GMbbLu4/5yA11/4gTuLhQKlStfE=,tag:G/gIXML8UhYoCi9FfoTvSA==,type:comment]
-        user12: ENC[AES256_GCM,data:iTZViWyKkCU1y6mvB0NzkXf3I98U/+nCs21ZD6M285YKaU6q,iv:vFgA3sv/7ENcw3gyJLiiHLwroXtVJjAxZXViqjXF3mQ=,tag:u3b9Uu6TIPPYX0TW5X5Sjg==,type:str]
-        #ENC[AES256_GCM,data:HueqiREBet2bxQ==,iv:WCjTAGg2gXgBSvY3zc/YyB/1X0XjvphPduVXLsjOwH8=,tag:wC+On6lyyYQ1Dt/BHDvONw==,type:comment]
-        user13: ENC[AES256_GCM,data:ID/A7yCWQIWRoU7Emhel2ASZfTweqXYmpC5q6Fm6ptD0XfCu,iv:YrFjIilO4pH+QxVVDTqwkufj2VSC38y9lAJfD8w522I=,tag:1v/T7vWeh0LMi0OL0FVs9g==,type:str]
-        #ENC[AES256_GCM,data:4jJkbMD9Psxrag==,iv:arRtRaNrqnYcT7vE3wqgl/y8/65ORaxqTdGw55AKDP8=,tag:pRpta6mXfy0XCyzMA4+cEQ==,type:comment]
-        user16: ENC[AES256_GCM,data:esInSvj+a90TAl+b/n9m2iJsH7e6tlQRwSsoLBCy8KA9a0Z3,iv:U4c0pZzqS1s5H6XW3YRSCvDhtxnwCnyKR/tObefX2Rw=,tag:YtY/t4xsmZaj4lC39XQ5SA==,type:str]
-        #ENC[AES256_GCM,data:/Kec+CdtnT11EA==,iv:DnmbWfgriaE6XAnMqq2UXhHhN+Rd/3YRodKVUCJo6p4=,tag:NimqZpbslKxwzoljaZqEdw==,type:comment]
-        user17: ENC[AES256_GCM,data:6h343SreoMqz5ZHkdyDI/je4v10r5zBV7cWc6Pj4x5sI2cvE,iv:7WSikMxAZJUnv3+GPq40d8r9JkKRRH/SPW5F5fy5HHY=,tag:6h5Z7+WXT/dLNeEIrC0UGw==,type:str]
-        #ENC[AES256_GCM,data:h7E4P6BiGjktYg==,iv:DhkK3NNppBqo3sXt9U7kbgfaBPYcSEX2hu6VOAesDiE=,tag:XoVbZklwCmU1EBhv0ujcSw==,type:comment]
-        user18: ENC[AES256_GCM,data:HJj0e6EHXEYmDXlZcS8UlfEQo/4y47w3sYKgb2Ojq6E4vMdE,iv:xThlGl/DDLLgoY5VkBSCx9HIvxy2ZlO5Q987vIMu0lA=,tag:gB07jP6Do4/6RmVaLB3Ecg==,type:str]
-        #ENC[AES256_GCM,data:qGsMmWrUIzVdHw==,iv:DXayEA5zquwOzm+TqECYNHM98r0WSzcP3gA8zkzdPy4=,tag:OKTx12RqP9VxJQOnrBLkmw==,type:comment]
-        user19: ENC[AES256_GCM,data:unW8dOhNbPNLWd7X2prpD82tcqUua7msq8nX3ykFs8STsuto,iv:OLaZ9XQDFGaA1VENgsSn/3HQXp957Zf9MD9GPZ4KLE8=,tag:UK27LK+De3AzbI2mEIsQpw==,type:str]
-        #ENC[AES256_GCM,data:1g2gohLbiixMes8=,iv:E3HA6cAdv3BdLMcrrcWW4Zsc2KLtW7L8Xrk9Z57l49o=,tag:rZ7W9ckf7lzJ23u5zwQiwg==,type:comment]
-        user20: ENC[AES256_GCM,data:3UbVnn9oMRc0zZR46tWxwM9VFOvMOYm690csUomEVBcS3xPm,iv:KHuPXttLAFr7WT/qa/UYLY8GRsPWYZPyKNmdUh4iFQQ=,tag:jN8rQ0Gv+qnhwOWGH+CwlA==,type:str]
-        #ENC[AES256_GCM,data:GzxXsTbEvdHV7A0=,iv:uxUG4hnYEsmJtnqbEwamwhtLt3UClt7ktmkGyAFdxsc=,tag:sF8YQ2cejAezI3Bbp9qKIw==,type:comment]
-        user21: ENC[AES256_GCM,data:hgDJ11crZaWcKrc+ZDQklXwpnvt/sMbARkx3sLZfQGZqQZeA,iv:2Re+hdJuT5yg/qTymfpN+KdU3criOmwuqqg+SHb8iAo=,tag:s16N6u5cRDaoWxnrCkamuw==,type:str]
-        #ENC[AES256_GCM,data:U0CcBBJraJj9,iv:9kuHsHkSDdDT0Gi/3Oy608RArrg+4cgeii5zWbsGuPA=,tag:EvqqMNvNcWBwie28t0+52w==,type:comment]
-        user22: ENC[AES256_GCM,data:LClSrxtBzuJUD4J4QaYXHUr8XSi+N7Zh193j/YeBZRm9sjgf,iv:djiq3+iVnuKK2HveoCm/j8FezzrHRGnjbyoO6iGm6eA=,tag:N5hqYyvJGxnwT8wbxdnjiA==,type:str]
-    private-key: ENC[AES256_GCM,data:ts/LRGFAsYqvGvkvlxUI42IW1a8cGsSkpZhMDd3QVceRKvhPb1SRDaXoSw==,iv:6xX9xFIFUNlLBZ6CPBOz9JbHpvC4+QG9ZaCZcWdl12c=,tag:DYIa+QTV8vyl1l7OKKykTw==,type:str]
 send:
     redis-password: ENC[AES256_GCM,data:6zVKw9AmKwSWvHUZhzy0F2KcJW96uFoZY/N1Zq8ilUJOLZeX,iv:viwLIgJz9v8oadr8784OgETbEsxzGsJvVoxmOwWEFxo=,tag:XEYFnoCGwlnrkqaUbgeH+Q==,type:str]
 coturn:
     auth-secret: ENC[AES256_GCM,data:50KqO4GQ1ERbCnK4IjYu6aywT+IPMtVlTzh/TE4MwWApU4pO9yqz25ENGUAKRLi4p+Ecug+Rn3InRl1b+q6bAQ==,iv:SgHkHvHg/+yA1Z5E9effgCnZMVXv5amGNUsVKErai54=,tag:PoYLV9Xr0IXXsA39n7wiTQ==,type:str]
-wireguard: ENC[AES256_GCM,data:5M7EAy/6+2UASWkjxE0Jrxwl0aNdAVZaUjQnD1wU3YvOAQ/c2DSL8hVtKf8=,iv:a2tXFf1+aP0JhdNtzP8e82KJ71m2o8nx+G0wIx4VMig=,tag:l4TS4QBz2fIkC9/GnZgHnQ==,type:str]
-xray-xmu-client:
-    cookie: ENC[AES256_GCM,data:RZ2WFnsX7s/PVqA7ZKhGqw==,iv:CknFoAcHIiIwJI1IEXkFdWXcOCAZr50pfwmQN72OI8o=,tag:w2pNU1APxlSQsGMIEdE2OA==,type:str]
+tinc: ENC[AES256_GCM,data:E3OrPA67R48x5FJUW0ZbERlclz8Z/XokAaGTeBQLPEHSeqEArHYSZkdJRZejFrBruJPlGZMPNBQzlIBXOfXKwMnlBDaGJIIJHIzPDGG9W7QF4IIRK/BjVZHFwfKvZtbUDGsqLcCSe5+ttmyucBaFGquXhnD/Tu09uyWtRvS10KAJLY0Z2/16CFB1+8egJIcYw2TFXObo+KR92Va0qwiDSepKaJtYLimDGRKk04QGj+BYa5y8PjIG6bz8UG82mmCiV7XM3EPlSMA=,iv:kawsklNGFbRhxKuUwvNL2WyBxuYu2T/uks1cJ4i8NhA=,tag:V+jAaxQX7JCiR5+wIVW4Nw==,type:str]
+postgresql:
+    headscale: ENC[AES256_GCM,data:z2cyyT1TcIhNJCBeGn072aFI2nAioWZQvpyzoky4tWtMymKlw4ilOtSYAsp+kaNOoqvWSmoAQNJLNzeDk1iTCQ==,iv:hZdS/CAVBO0k/AmX3qw3YwTYgK49Aeu5QI3YCAduiZ0=,tag:2l4GPV/T2GHjAAUDX3LaEA==,type:str]
+    missgram: ENC[AES256_GCM,data:zUY6397ThfeHDD8/Msy3mWnTjXCkEhpgsUwcjXnhIiNET1J14hIojCbwUpdCtGTFF+RQOtaS9aGSp8ctQeWIwg==,iv:0+WeCoMFQFhnzjSfvz0ZnqK6FIn1QBHr9fB+tjBNSDk=,tag:Bf5krX2hxIPlkdiAXppSqA==,type:str]
+missgram:
+    secret: ENC[AES256_GCM,data:qsxJue8mGAJejSxOoPd4MXD06upnk0fxUM5EKPBs/WI=,iv:HaHj/vJkIERUQ0Lr93s9kaApNWPjDcpLu2897qmCjqA=,tag:u73jUDd6pGKk1yir/oF4hQ==,type:str]
+    telegramBotToken: ENC[AES256_GCM,data:kNGhj1SjyK1H8NJmJLi90cpGtWmmGpFEFFT/JkDX4QqxbOC6BfFIMgzVsZ5GVQ==,iv:sccRmCs8HBAvi9mDAaz8OjxqXLAVXepJHaj7RrUt6kI=,tag:RuK3EdRMVhS9pVDw50lW6A==,type:str]
 sops:
     age:
         - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
@@ -66,7 +29,7 @@ sops:
             ZXFTU3ZCaW1pTVh0RUJzdDdGdHlPYTgK2mlgcX2kEc8+2UDdBnhUm6IIuh8V6agW
             ooxH9OEPXUVI/4JcDo4v8ZUhAyU1ehLH0Ef7PJCChOZe2KZmWSNbhA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-08-01T05:54:47Z"
-    mac: ENC[AES256_GCM,data:OtHwr58A1UOfYxQR88ay76fWmAyWPl5YtNbAiv0LXPLZPRtLGBJKuTjMaHr17AMepFZ+u5IPV2r8z1AUDj0opLXlv3Ik/DJ2PCcQTOBH+/lnSgzJKWfdCip9/wFR6N3dT0PKKLuBiURB9ZCYmtnq6E5+Guadc6ATYDSEpwbENZQ=,iv:kXsYMGjAtUlv1UqFU8Xv0zagohnpHkzSI72mq5HKY7k=,tag:KR+1A8l2VvbzDZV/00hbJg==,type:str]
+    lastmodified: "2025-12-28T09:13:01Z"
+    mac: ENC[AES256_GCM,data:rVjqBfoA/DUgb1Yqc3FzeMBPWJniAYKYcbLauh5flpKYfcTp01lr/pTbyB5BLEHZLOYwMf2PNjfG8zPDKv2z1cjYwoYEj9bur4N6pagR/NFuAoEvgOjm0YlrTVkskRmLxaqxYB749y4wWS04MvJhfPON4hWMdoYguPBmCpZMKqc=,iv:4ZVGsLKQNxqKmpaDcIpA21rAe51TKVR8diN5/d7SOQg=,tag:pIw/tqw+211V/0xK9M3hvg==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    version: 3.11.0

devices/vps9/default.nix

@@ -0,0 +1,39 @@
+inputs:
+{
+  config =
+  {
+    nixos =
+    {
+      system =
+      {
+        fileSystems =
+        {
+          mount =
+          {
+            btrfs =
+            {
+              "/dev/disk/by-partlabel/vps9-boot"."/boot" = "/boot";
+              "/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
+            };
+          };
+          swap = [ "/nix/swap/swap" ];
+        };
+        grub.installDevice = "/dev/disk/by-path/pci-0000:06:0a.0";
+        nixpkgs.march = "znver3";
+        initrd.sshd = {};
+      };
+      services =
+      {
+        sshd = {};
+        fail2ban = {};
+        xray.server.serverName = "xserver2.vps9.chn.moe";
+        nginx.streamProxy.map = builtins.listToAttrs (builtins.map
+          (site: { name = "${site}.chn.moe"; value.upstream.address = "tinc0.nas.chn.moe"; })
+          [
+            "xn--s8w913fdga" "matrix" "send" "git" "grafana" "peertube" "rsshub" "misskey" "synapse" "vaultwarden"
+            "nextcloud" "freshrss" "huginn" "api" "webdav"
+          ]);
+      };
+    };
+  };
+}

devices/vps9/secrets.yaml

@@ -0,0 +1,25 @@
+tinc: ENC[AES256_GCM,data:8XXuOm+sb8Pda3Aiwhv9jdX6Alxy+UUbG1+ZnvM5nIJa8K4RXjSAWv9DEVh2SDpqee1uzhf2IMOBCYzicubb/BPA0vQ90SCC607B/pYb4dFuBiir/4ma5JdIliJmt9yP8qfFZKXYPsocArYoC+IUiwnxNCVjz+Pv+OwYSKJBeSlkwnRr2MAWY/KGeKEcoDrPcRohHvG9f+bcqFuTW40UdMOJNhKM2jKJh0aKcWYJOXGjAdy+41vCvWXH2FIanx0/Zt9qsPb2A8s=,iv:AmNHeAIN8DyzpXdpyM65bzpc4/6egGE7ggjBt04MpkY=,tag:Wl9/b/msR1M/EtnIhws1AQ==,type:str]
+sops:
+    age:
+        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwSDRKMEc0WkR6OHQ1YU5D
+            cFlOeHd3RHVvYVp1NUsyR2dmaEdXUmRLdWdFCjBBcnRDZUdMNTd2WDdOeWdWZDVV
+            cGljYlcveEFUWHFlRHNQY3liVlRKcmMKLS0tIEVIalhmamtlSEZNQVNjWUM2R1dH
+            YWVEN1F3MWVLR1NQeFdHZTZGeTZLWjAKSIgVt9oXe9xuJjPGcemmg/Dj6YCJyTvf
+            5IxdvzGExdX4J93evZC8Zae0WqtCcmveCftyzt+hfCL1A2NHLfxARA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age19yt2tszdtnwylqh5qdmg25mlfd8cft0z24x4mp20fnyywfs88cxqgwt9m2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGRUJQWDM1Wk9uZ0lITnU1
+            Tm1iUkY1VGlsc2lsV2pFQ0ZqVTQ2aUY1eVFzClpYSytyK2dGSHJUdmtiWGovbWkz
+            UEFFZlhMMzIrTDc1dHExYmRuYndmTmsKLS0tIERUSjJXN1IwVUFjWTFnOUhQZ2Fu
+            VUFBcEpmTDRaWGg2eVZGS0tDdVp0K3cK25bDJaKLhjBUjkJWBNskR0XVOML+3dTl
+            04hKjDrs2TMBB5G9k6pBqqLZhoofxb1UOhlYNXlLE20HSuVntWjCNw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-11-16T03:45:25Z"
+    mac: ENC[AES256_GCM,data:5X0wV19ir/HvL3bcKv1b+Uw3lt33WpOWZxw3Lcbb1pY4FS2wfKimoFgKtPGM3Xj6cTtfNqw/b/ts5D4scgXH8f2lnYX6Dfk9mtGDQXYZWOJmpLZW5l6EVXZB4Dkc7LJzU0sQ9OwWUFpB746sDZFiwLUWvlgeKeHknJ70p+Psv7I=,iv:cEDWeQPkCuscvthUPJjFu8TD5LqRaJ5MrGG7VdSLfH8=,tag:6gdgy5hkogRBZi/n+slRYw==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2

devices/wlin.xmuhpc/.bash_profile

@@ -1,12 +0,0 @@
-# .bash_profile
-
-# Get the aliases and functions
-if [ -f ~/.bashrc ]; then
-	. ~/.bashrc
-fi
-
-# User specific environment and startup programs
-
-PATH=$PATH:$HOME/bin
-
-export PATH

devices/wlin.xmuhpc/.bashrc

@@ -1,43 +0,0 @@
-# .bashrc
-
-# Source global definitions
-if [ -f /etc/bashrc ]; then
-	. /etc/bashrc
-fi
-
-export PATH=$PATH:/data/gpfs01/wlin/bin
-
-# User specific aliases and functions
-export PATH=/data/gpfs01/wlin/bin/vaspkit.1.4.1/bin:${PATH}
-#export PATH=~/bin:/data/gpfs01/wlin/opt/mpich_ifort/bin:$PATH
-#export LD_LIBRARY_PATH=/data/gpfs01/wlin/opt/mpich_ifort/lib:$LD_LIBRARY_PATH
-#export PATH=~/bin:/data/gpfs01/wlin/opt/mpich/bin:$PATH
-#export LD_LIBRARY_PATH=/data/gpfs01/wlin/opt/mpich/lib:$LD_LIBRARY_PATH
-export P4_RSHCOMMAND=ssh
- shopt -s cdspell
- export HISTCONTROL=ignoredups
-#shopt -s histappend
- PROMPT_COMMAND='history -a'
- export C3_RSH="ssh -x"
-export OMP_NUM_THREADS=1
-export MKL_NUM_THREADS=1
-alias grep='grep --color'
-USER_IP=`who -u am i 2>/dev/null| awk '{print $NF}'|sed -e 's/[()]//g'` 
- 
-export HISTTIMEFORMAT="%Y-%m-%d %H:%M:%S  `whoami`@${USER_IP}: "
-export HISTFILESIZE=1000000
-export PROMPT_COMMAND="history -a; history -r;  $PROMPT_COMMAND"
-shopt -s histappend
-# Auto add env parameter $PROMPT_COMMAND when use non-Linux tty login by ssh.
-if [ "$SSH_CONNECTION" != '' -a "$TERM" != 'linux' ]; then
-declare -a HOSTIP
-HOSTIP=`echo $SSH_CONNECTION |awk '{print $3}'`
-export PROMPT_COMMAND='echo -ne "\033]0;${USER}@$HOSTIP:[${HOSTNAME%%.*}]:${PWD/#$HOME/~} \007"'
-fi
-ulimit -s unlimited
-export PYTHONPATH=/data/gpfs01/wlin/bin/VaspBandUnfolding-master:${PYTHONPATH}
-
-# vsts, see https://theory.cm.utexas.edu/vtsttools/scripts.html
-export PATH=$PATH:/data/gpfs01/wlin/yjj/vtstscripts-1022
-export PERL5LIB=/data/gpfs01/wlin/yjj/vtstscripts-1022
-

devices/wlin/bsub.nix

@@ -0,0 +1,9 @@
+{
+  normal = [ 4 4 20 ];
+  normal_1day = [ 4 7 28 ];
+  normal_1week = [ 4 7 28 ];
+  normal_2week = [ 6 8 48 ];
+  normal_1day_new = [ 4 6 24 ];
+  ocean_530_1day = [ 4 6 24 ];
+  ocean6226R_1day = [ 4 8 32 ];
+}

devices/wlin/default.nix

@@ -0,0 +1,25 @@
+# sudo nix build --store 'local?store=/data/gpfs01/wlin/.nix/store&state=/data/gpfs01/wlin/.nix/state&log=/data/gpfs01/wlin/.nix/log' .#wlin
+# sudo nix-store --store 'local?store=/data/gpfs01/wlin/.nix/store&state=/data/gpfs01/wlin/.nix/state&log=/data/gpfs01/wlin/.nix/log' -qR ./result | grep -Fxv -f <(ssh wlin find .nix/store -maxdepth 1 -exec realpath '{}' '\;') | sudo xargs nix-store --store 'local?store=/data/gpfs01/wlin/.nix/store&state=/data/gpfs01/wlin/.nix/state&log=/data/gpfs01/wlin/.nix/log' --export | pv > wlin.nar
+# cat wlin.nar | nix-store --import
+{ inputs, localLib }:
+let
+  pkgs = import inputs.nixpkgs (localLib.buildNixpkgsConfig
+  {
+    inputs = { inherit (inputs.nixpkgs) lib; topInputs = inputs; };
+    nixpkgs = { march = "haswell"; nixRoot = "/data/gpfs01/wlin/.nix"; nixos = false; };
+  });
+  python = pkgs.python3.withPackages (ps: with ps; [ phonopy ]);
+  chn-bsub = pkgs.localPackages.chn-bsub.override
+    (prev: { bsubConfig = builtins.toFile "bsub.yaml" (builtins.toJSON (import ./bsub.nix)); });
+  wlin = pkgs.symlinkJoin
+  {
+    name = "wlin";
+    paths = with pkgs;
+    [
+      gnuplot localPackages.vaspkit pv python localPackages.vasp.intel chn-bsub hwloc
+      lsd glibc glibc.bin
+    ];
+    postBuild = "echo ${inputs.self.rev or "dirty"} > $out/.version";
+    passthru = { inherit pkgs chn-bsub; archive = pkgs.closureInfo { rootPaths = [ wlin.drvPath ]; }; };
+  };
+in wlin

devices/wlin/files/.bash_profile

@@ -0,0 +1,3 @@
+if [ -f ~/.bashrc ]; then
+	. ~/.bashrc
+fi

devices/wlin/files/.bashrc

@@ -0,0 +1,10 @@
+if [ -f /etc/bashrc ]; then
+	. /etc/bashrc
+fi
+
+if [ -z "${BASHRC_SOURCED-}" ]; then
+	export PATH=$HOME/.nix/state/gcroots/current/bin:$HOME/bin:$PATH
+	ulimit -s unlimited
+	export HISTFILESIZE=1000000
+	export BASHRC_SOURCED=1
+fi

devices/wlin/files/.config/nix/nix.conf

@@ -0,0 +1,2 @@
+store = local?store=/data/gpfs01/wlin/.nix/store&state=/data/gpfs01/wlin/.nix/state&log=/data/gpfs01/wlin/.nix/log
+experimental-features = flakes nix-command

devices/xmuhk/default.nix

@@ -3,7 +3,7 @@ let
   pkgs = import inputs.nixpkgs (localLib.buildNixpkgsConfig
   {
     inputs = { inherit (inputs.nixpkgs) lib; topInputs = inputs; };
-    nixpkgs = { march = null; cuda = null; nixRoot = "/public/home/xmuhk/.nix"; nixos = false; };
+    nixpkgs = { march = null; nixRoot = "/public/home/xmuhk/.nix"; nixos = false; };
   });
   lumericalLicenseManager = 
     let
@@ -59,11 +59,12 @@ let
       trap cleanup SIGINT SIGTERM SIGHUP EXIT
       tail -f /dev/null
     '';
-in pkgs.symlinkJoin
-{
-  name = "xmuhk";
-  paths = (with pkgs; [ hello btop htop iotop pv localPackages.lumerical.lumerical.cmd ])
-    ++ [ lumericalLicenseManager ];
-  postBuild = "echo ${inputs.self.rev or "dirty"} > $out/.version";
-  passthru = { inherit pkgs; };
-}
+  xmuhk = pkgs.symlinkJoin
+  {
+    name = "xmuhk";
+    paths = (with pkgs; [ hello btop htop iotop pv localPackages.lumerical.lumerical.cmd ])
+      ++ [ lumericalLicenseManager ];
+    postBuild = "echo ${inputs.self.rev or "dirty"} > $out/.version";
+    passthru = { inherit pkgs; archive = pkgs.closureInfo { rootPaths = [ xmuhk.drvPath ]; }; };
+  };
+in xmuhk

doc/branch.md

@@ -0,0 +1,2 @@
+* archive: archive
+* one-fprint: test fingerpint on one

doc/todo.md

@@ -1,14 +1,10 @@
-* 测试 huggin rsshub
 * 打包 intel 编译器
 * 切换到 niri，清理 plasma
 * 调整其它用户的 zsh 配置
 * 调整 motd
 * 找到 wg1 不能稳定工作的原因；确定 persistentKeepalive 发包的协议、是否会被正确 NAT。
-* 备份系统
-* 备份数据
 * 清理 mariadb，移动到 persistent
 * 清理多余文件
 * 移动日志到 persistent
-* 更新 srv1
-* 告知将代理改到 xserver2
 * 准备单独一个的 archive
+* 测试透明代理代理其它机器的情况

flake.nix

@@ -3,37 +3,36 @@
 
   inputs =
   {
-    nixpkgs.url = "github:CHN-beta/nixpkgs/nixos-25.05";
+    self.submodules = true;
+    nixpkgs.url = ./nixpkgs;
+    nixpkgs-2505.url = "github:CHN-beta/nixpkgs/nixos-25.05";
     nixpkgs-2411.url = "github:CHN-beta/nixpkgs/nixos-24.11";
     nixpkgs-2311.url = "github:CHN-beta/nixpkgs/nixos-23.11";
     nixpkgs-2305.url = "github:CHN-beta/nixpkgs/nixos-23.05";
-    nixpkgs-unstable.url = "github:CHN-beta/nixpkgs/nixos-unstable";
-    home-manager = { url = "github:CHN-beta/home-manager/release-25.05"; inputs.nixpkgs.follows = "nixpkgs"; };
+    home-manager = { url = "github:nix-community/home-manager/release-25.11"; inputs.nixpkgs.follows = "nixpkgs"; };
     sops-nix = { url = "github:Mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; };
     nix-index-database = { url = "github:Mic92/nix-index-database"; inputs.nixpkgs.follows = "nixpkgs"; };
-    nur-xddxdd = { url = "github:xddxdd/nur-packages"; inputs.nixpkgs.follows = "nixpkgs"; };
-    nix-vscode-extensions =
-    {
-      url = "github:nix-community/nix-vscode-extensions?ref=4a7f92bdabb365936a8e8958948536cc2ceac7ba";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
+    nur-xddxdd = { url = "github:CHN-beta/nur-xddxdd"; inputs.nixpkgs.follows = "nixpkgs"; };
     impermanence.url = "github:CHN-beta/impermanence";
-    plasma-manager =
-    {
-      url = "github:pjones/plasma-manager";
-      inputs = { nixpkgs.follows = "nixpkgs"; home-manager.follows = "home-manager"; };
-    };
     nur-linyinfeng = { url = "github:linyinfeng/nur-packages"; inputs.nixpkgs.follows = "nixpkgs"; };
     nix-flatpak.url = "github:gmodena/nix-flatpak";
     catppuccin = { url = "github:catppuccin/nix"; inputs.nixpkgs.follows = "nixpkgs"; };
     bscpkgs = { url = "github:CHN-beta/bscpkgs"; inputs.nixpkgs.follows = "nixpkgs"; };
-    aagl = { url = "github:ezKEa/aagl-gtk-on-nix/release-25.05"; inputs.nixpkgs.follows = "nixpkgs"; };
+    aagl = { url = "github:ezKEa/aagl-gtk-on-nix/release-25.11"; inputs.nixpkgs.follows = "nixpkgs"; };
     winapps = { url = "github:winapps-org/winapps/feat-nix-packaging"; inputs.nixpkgs.follows = "nixpkgs"; };
     nixvirt = { url = "github:CHN-beta/NixVirt"; inputs.nixpkgs.follows = "nixpkgs"; };
     buildproxy = { url = "github:polygon/nix-buildproxy"; inputs.nixpkgs.follows = "nixpkgs"; };
-    niri.url = "github:sodiboo/niri-flake";
+    niri = { url = "github:sodiboo/niri-flake"; inputs.nixpkgs.follows = "nixpkgs"; };
+    nix4vscode =
+    {
+      url = "github:nix-community/nix4vscode?rev=6c603c201b11dafda616940bac1f295144ac1c41";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    dankmaterialshell = { url = "github:AvengeMedia/DankMaterialShell"; inputs.nixpkgs.follows = "nixpkgs"; };
+    harmonia.url = "github:nix-community/harmonia";
+    nix-cachyos-kernel = { url = "github:CHN-beta/nix-cachyos-kernel"; inputs.nixpkgs.follows = "nixpkgs"; };
 
-    misskey = { url = "git+https://github.com/CHN-beta/misskey?submodules=1"; flake = false; };
+    misskey = { url = "git+https://github.com/CHN-beta/misskey?submodules=1&rev=4c0425d6a229d3a75f2ff01cc30cf90434381cec"; flake = false; };
     rsshub = { url = "github:DIYgod/RSSHub"; flake = false; };
     zpp-bits = { url = "github:eyalz800/zpp_bits"; flake = false; };
     concurrencpp = { url = "github:David-Haim/concurrencpp"; flake = false; };
@@ -45,24 +44,28 @@
     v-sim = { url = "gitlab:l_sim/v_sim/master"; flake = false; };
     rycee = { url = "gitlab:rycee/nur-expressions"; flake = false; };
     lepton = { url = "github:black7375/Firefox-UI-Fix"; flake = false; };
-    mumax = { url = "github:CHN-beta/mumax"; flake = false; };
+    mumax = { url = "github:mumax/3"; flake = false; };
     openxlsx = { url = "github:troldal/OpenXLSX?rev=f85f7f1bd632094b5d78d4d1f575955fc3801886"; flake = false; };
     sqlite-orm = { url = "github:fnc12/sqlite_orm"; flake = false; };
     nc4nix = { url = "github:helsinki-systems/nc4nix"; flake = false; };
     hextra = { url = "github:imfing/hextra"; flake = false; };
     nu-scripts = { url = "github:nushell/nu_scripts"; flake = false; };
-    py4vasp = { url = "github:vasp-dev/py4vasp"; flake = false; };
+    py4vasp = { url = "github:vasp-dev/py4vasp?ref=v0.10.2"; flake = false; };
     pocketfft = { url = "github:mreineck/pocketfft"; flake = false; };
     blog = { url = "git+https://git.chn.moe/chn/blog-public.git?lfs=1"; flake = false; };
-    nixos-wallpaper = { url = "git+https://git.chn.moe/chn/nixos-wallpaper.git?lfs=1"; flake = false; };
     vaspberry = { url = "github:Infant83/VASPBERRY"; flake = false; };
-    ufo = { url = "git+https://git.chn.moe/chn/ufo.git?lfs=1"; flake = false; };
     stickerpicker = { url = "github:maunium/stickerpicker"; flake = false; };
     fancy-motd = { url = "github:CHN-beta/fancy-motd"; flake = false; };
     mac-style = { url = "github:SergioRibera/s4rchiso-plymouth-theme?lfs=1"; flake = false; };
-    phono3py = { url = "github:phonopy/phono3py"; flake = false; };
+    phono3py = { url = "github:phonopy/phono3py/v3.19.4"; flake = false; };
     sticker = { url = "git+https://git.chn.moe/chn/sticker.git?lfs=1"; flake = false; };
     speedtest = { url = "github:librespeed/speedtest"; flake = false; };
+    pybinding = { url = "git+https://github.com/dean0x7d/pybinding?submodules=1"; flake = false; };
+    brokenaxes = { url = "github:bendichter/brokenaxes"; flake = false; };
+    mirism-old = { url = "github:CHN-beta/mirism-old-public"; flake = false; };
+    sqlgen = { url = "git+https://github.com/getml/sqlgen?submodules=1"; flake = false; };
+    reflectcpp = { url = "git+https://github.com/getml/reflect-cpp?submodules=1"; flake = false; };
+    linux-asus = { url = "github:CHN-beta/linux-g14/6.18"; flake = false; };
   };
 
   outputs = inputs: let localLib = import ./flake/lib inputs.nixpkgs.lib; in
@@ -71,11 +74,7 @@
     nixosConfigurations = import ./flake/nixos.nix { inherit inputs localLib; };
     overlays.default = final: prev:
       { localPackages = (import ./packages { inherit localLib; pkgs = final; topInputs = inputs; }); };
-    config =
-    {
-      branch = import ./flake/branch.nix;
-      dns = inputs.self.packages.x86_64-linux.dns-push.meta.config;
-    };
+    config.dns = inputs.self.packages.x86_64-linux.dns-push.meta.config;
     devShells.x86_64-linux = import ./flake/dev.nix { inherit inputs; };
     src = import ./flake/src.nix { inherit inputs; };
     apps.x86_64-linux.dns-push = { type = "app"; program = "${inputs.self.packages.x86_64-linux.dns-push}"; };

flake/branch.nix

@@ -1 +0,0 @@
-"production"

flake/dev.nix

@@ -1,50 +1,64 @@
 { inputs }: let inherit (inputs.self.nixosConfigurations.pc) pkgs; in
 {
-  biu = pkgs.mkShell.override { stdenv = pkgs.clang18Stdenv; }
+  biu = pkgs.mkShell
   {
     inputsFrom = [ pkgs.localPackages.biu ];
-    packages = [ pkgs.clang-tools_18 ];
+    packages = [ pkgs.llvmPackages.clang-tools ];
     CMAKE_EXPORT_COMPILE_COMMANDS = "1";
     hardeningDisable = [ "all" ];
   };
-  hpcstat = pkgs.mkShell.override { stdenv = pkgs.gcc14Stdenv; }
+  hpcstat = pkgs.mkShell
   {
     inputsFrom = [ (pkgs.localPackages.hpcstat.override { version = null; }) ];
-    packages = [ pkgs.clang-tools_18 ];
+    packages = [ pkgs.llvmPackages.clang-tools ];
     CMAKE_EXPORT_COMPILE_COMMANDS = "1";
     hardeningDisable = [ "all" ];
   };
-  sbatch-tui = pkgs.mkShell.override { stdenv = pkgs.clang18Stdenv; }
+  sbatch-tui = pkgs.mkShell
   {
     inputsFrom = [ pkgs.localPackages.sbatch-tui ];
-    packages = [ pkgs.clang-tools_18 ];
+    packages = [ pkgs.llvmPackages.clang-tools ];
     CMAKE_EXPORT_COMPILE_COMMANDS = "1";
     hardeningDisable = [ "all" ];
   };
-  ufo = pkgs.mkShell.override { stdenv = pkgs.clang18Stdenv; }
+  ufo = pkgs.mkShell
   {
     inputsFrom = [ pkgs.localPackages.ufo ];
-    packages = [ pkgs.clang-tools_18 ];
+    packages = [ pkgs.llvmPackages.clang-tools ];
     CMAKE_EXPORT_COMPILE_COMMANDS = "1";
     hardeningDisable = [ "all" ];
   };
   chn-bsub = pkgs.mkShell
   {
     inputsFrom = [ pkgs.localPackages.chn-bsub ];
-    packages = [ pkgs.clang-tools_18 ];
+    packages = [ pkgs.llvmPackages.clang-tools ];
     CMAKE_EXPORT_COMPILE_COMMANDS = "1";
   };
-  info = pkgs.mkShell.override { stdenv = pkgs.clang18Stdenv; }
+  info = pkgs.mkShell
   {
     inputsFrom = [ pkgs.localPackages.info ];
-    packages = [ pkgs.clang-tools_18 ];
+    packages = [ pkgs.llvmPackages.clang-tools ];
     CMAKE_EXPORT_COMPILE_COMMANDS = "1";
     hardeningDisable = [ "all" ];
   };
-  vm = pkgs.mkShell.override { stdenv = pkgs.clang18Stdenv; }
+  vm = pkgs.mkShell
   {
     inputsFrom = [ pkgs.localPackages.vm ];
-    packages = [ pkgs.clang-tools_18 ];
+    packages = [ pkgs.llvmPackages.clang-tools ];
+    CMAKE_EXPORT_COMPILE_COMMANDS = "1";
+    hardeningDisable = [ "all" ];
+  };
+  xinli = pkgs.mkShell
+  {
+    inputsFrom = [ pkgs.localPackages.xinli ];
+    packages = [ pkgs.llvmPackages.clang-tools ];
+    CMAKE_EXPORT_COMPILE_COMMANDS = "1";
+    hardeningDisable = [ "all" ];
+  };
+  missgram = pkgs.mkShell
+  {
+    inputsFrom = [ pkgs.localPackages.missgram ];
+    packages = [ pkgs.llvmPackages.clang-tools ];
     CMAKE_EXPORT_COMPILE_COMMANDS = "1";
     hardeningDisable = [ "all" ];
   };

flake/dns/config/chn.moe.nix

@@ -1,46 +1,51 @@
-localLib:
+{ lib, localLib }:
 let
   cname =
   {
-    autoroute = [ "api" "git" "grafana" "matrix" "peertube" "send" "synapse" "vikunja" "铜锣湾" ];
     nas = [ "initrd.nas" ];
-    office = [ "srv2-node0" "xserverxmu" ];
+    office = [ "xserverxmu" "srv2-node0" ];
     vps4 = [ "initrd.vps4" "xserver2.vps4" ];
     vps6 =
     [
-      "blog" "catalog" "coturn" "element" "initrd.vps6" "misskey" "sticker" "synapse-admin" "tgapi"
-      "ua" "xserver2" "xserver2.vps6" "铜锣湾实验室" "xservernas"
+      "blog" "catalog" "coturn" "element" "initrd.vps6" "sticker" "synapse-admin" "tgapi" "ua" "xserver2"
+      "xserver2.vps6" "s" "headscale" "missgram"
+      # to pc
+      "铜锣湾实验室"
     ];
     "xlog.autoroute" = [ "xlog" ];
-    "wg0.srv1-node0" = [ "wg0.srv1" ];
-    "wg0.srv2-node0" = [ "wg0.srv2" ];
-    srv3 =
-    [
-      "chat" "freshrss" "huginn" "initrd.srv3" "nextcloud" "photoprism" "rsshub" "ssh.git" "vaultwarden" "webdav"
-      "xserver2.srv3" "example"
-    ];
+    "tinc0.srv1-node0" = [ "tinc0.srv1" ];
+    "tinc0.srv2-node0" = [ "tinc0.srv2" ];
     srv1-node0 = [ "srv1" ];
     srv2-node0 = [ "srv2" ];
-    "wg1.pc" = [ "nix-store" ];
-    "wg1.nas" = [ "nix-store.nas" ];
+    "pc.ts" = [ "nix-store" "chat" ];
+    "nas.ts" = [ "ssh.git" ];
+    autoroute = [ "铜锣湾" "matrix" ];
+    vps9 =
+    [
+      "initrd.vps9" "xserver2.vps9"
+      # to nas
+      "git" "grafana" "peertube" "send" "vikunja" "xservernas" "freshrss" "huginn" "nextcloud"
+      "rsshub" "vaultwarden" "webdav" "synapse" "misskey" "api"
+    ];
   };
   a =
   {
     nas = "192.168.1.2";
     pc = "192.168.1.3";
-    one = "192.168.1.4";
-    office = "210.34.16.20";
+    office = "210.34.16.21";
     srv1-node0 = "59.77.36.250";
     vps4 = "104.234.37.61";
     vps6 = "144.34.225.59";
+    vps9 = "154.3.39.17";
     search = "127.0.0.1";
-    srv3 = "23.135.236.216";
     srv1-node1 = "192.168.178.2";
     srv1-node2 = "192.168.178.3";
     srv2-node1 = "192.168.178.2";
+    srv2-node2 = "192.168.178.3";
     "409test" = "192.168.1.5";
   };
-  wireguard = import ./wireguard.nix;
+  tinc = import ./tinc.nix;
+  tailscale = import ./tailscale.nix;
 in
 {
   "" =
@@ -58,6 +63,7 @@ in
   ];
   "_xlog-challenge.xlog" = { type = "TXT"; value = "chn"; };
   autoroute = { type = "NS"; values = "vps6.chn.moe."; };
+  ts = { type = "NS"; values = "vps6.chn.moe."; };
   "mail" = { type = "CNAME"; value = "tuesday.mxrouting.net."; };
   "webmail" = { type = "CNAME"; value = "tuesday.mxrouting.net."; };
   "x._domainkey" =
@@ -74,12 +80,9 @@ in
 // builtins.listToAttrs (builtins.map
   (a: {inherit (a) name; value = { inherit (a) value; type = "A"; }; })
   (localLib.attrsToList a))
-// builtins.listToAttrs (builtins.concatLists (builtins.map
-  (net: builtins.map
-    (peer:
-    {
-      name = "${net.name}.${peer.name}";
-      value = { type = "A"; value = "192.168.${builtins.toString net.value}.${builtins.toString peer.value}"; };
-    })
-    (localLib.attrsToList wireguard.peer))
-  (localLib.attrsToList wireguard.net)))
+// lib.mapAttrs'
+  (n: v: lib.nameValuePair "tinc0.${n}" { type = "A"; value = "192.168.85.${builtins.toString v}"; })
+  tinc
+// lib.mapAttrs'
+  (n: v: lib.nameValuePair "${n}.ts" { type = "A"; value = "100.97.101.${builtins.toString v}"; })
+  tailscale

flake/dns/config/tailscale.nix

@@ -0,0 +1,10 @@
+{
+  vps4 = 7;
+  vps6 = 2;
+  vps9 = 6;
+  pc = 1;
+  nas = 3;
+  srv2-node0 = 4;
+  srv2-node1 = 5;
+  srv2-node2 = 8;
+}

flake/dns/config/tinc.nix

@@ -0,0 +1,13 @@
+{
+  vps4 = 2;
+  vps6 = 1;
+  vps9 = 5;
+  pc = 3;
+  nas = 4;
+  srv1-node0 = 9;
+  srv1-node1 = 6;
+  srv1-node2 = 8;
+  srv2-node0 = 7;
+  srv2-node1 = 10;
+  srv2-node2 = 11;
+}

flake/dns/config/wireguard.nix

@@ -1,17 +0,0 @@
-{
-  net = { wg0 = 83; wg1 = 84; };
-  peer =
-  {
-    vps4 = 2;
-    vps6 = 1;
-    pc = 3;
-    nas = 4;
-    one = 5;
-    srv1-node0 = 9;
-    srv1-node1 = 6;
-    srv1-node2 = 8;
-    srv2-node0 = 7;
-    srv2-node1 = 10;
-    srv3 = 11;
-  };
-}

flake/dns/default.nix

@@ -4,7 +4,7 @@ let
     let addTtl' = attrs: attrs // { octodns.cloudflare.auto-ttl = true; };
     in builtins.mapAttrs (n: v: if builtins.isList v then builtins.map addTtl' v else addTtl' v) config;
   config = builtins.listToAttrs (builtins.map
-    (domain: { name = domain; value = import ./config/${domain}.nix localLib; })
+    (domain: { name = domain; value = import ./config/${domain}.nix { inherit lib localLib; }; })
     [ "chn.moe" "nekomia.moe" "mirism.one" ]);
   configDir = symlinkJoin
   {
@@ -15,7 +15,7 @@ let
   };
   meta.config = config //
   {
-    wireguard = import ./config/wireguard.nix;
+    tinc = import ./config/tinc.nix;
     "chn.moe" = config."chn.moe"
       // {
         # 查询域名对应的 ip

flake/lib/buildNixpkgsConfig/btop.patch

@@ -0,0 +1,76 @@
+diff --git a/src/btop_config.cpp b/src/btop_config.cpp
+index eaaa577..3074a08 100644
+--- a/src/btop_config.cpp
++++ b/src/btop_config.cpp
+@@ -234,6 +234,7 @@ namespace Config {
+ 		{"custom_gpu_name4",	"#* Custom gpu4 model name, empty string to disable."},
+ 		{"custom_gpu_name5",	"#* Custom gpu5 model name, empty string to disable."},
+ 	#endif
++		{"btrfs_group_subvolumes", "#* Show only the first subvolume of a btrfs filesystem."},
+ 	};
+ 
+ 	std::unordered_map<std::string_view, string> strings = {
+@@ -336,6 +337,7 @@ namespace Config {
+ 	#endif
+ 		{"terminal_sync", true},
+-		{"save_config_on_exit", true}
++		{"save_config_on_exit", true},
++		{"btrfs_group_subvolumes", false},
+ 	};
+ 	std::unordered_map<std::string_view, bool> boolsTmp;
+ 
+diff --git a/src/btop_menu.cpp b/src/btop_menu.cpp
+index 75ec31c..cfaec39 100644
+--- a/src/btop_menu.cpp
++++ b/src/btop_menu.cpp
+@@ -724,6 +724,15 @@ namespace Menu {
+ 				"kernel as used memory.",
+ 				"",
+ 				"True or False."},
++			{
++				"btrfs_group_subvolumes",
++				"(Linux) Show only first BTRFS subvolume.",
++				"",
++				"Set to true to only show the first BTRFS",
++				"subvolume mounted per disk.",
++				"",
++				"True or False.",
++			}
+ 		},
+ 		{
+ 			{"graph_symbol_net",
+diff --git a/src/linux/btop_collect.cpp b/src/linux/btop_collect.cpp
+index eebaa50..37d5745 100644
+--- a/src/linux/btop_collect.cpp
++++ b/src/linux/btop_collect.cpp
+@@ -2117,6 +2117,7 @@ namespace Mem {
+ 				auto use_fstab = Config::getB("use_fstab");
+ 				auto only_physical = Config::getB("only_physical");
+ 				auto zfs_hide_datasets = Config::getB("zfs_hide_datasets");
++				auto btrfs_group_subvolumes = Config::getB("btrfs_group_subvolumes");
+ 				auto& disks = mem.disks;
+ 				static std::unordered_map<string, future<pair<disk_info, int>>> disks_stats_promises;
+ 				ifstream diskread;
+@@ -2177,6 +2178,7 @@ namespace Mem {
+ 					vector<string> found;
+ 					found.reserve(last_found.size());
+ 					string dev, mountpoint, fstype;
++					std::unordered_set<string> found_btrfs_subvolumes;
+ 					while (not diskread.eof()) {
+ 						std::error_code ec;
+ 						diskread >> dev >> mountpoint >> fstype;
+@@ -2198,6 +2200,14 @@ namespace Mem {
+ 						size_t zfs_dataset_name_start = 0;
+ 						if (fstype == "zfs" && (zfs_dataset_name_start = dev.find('/')) != std::string::npos && zfs_hide_datasets) continue;
+ 
++						//? skip BtrFS subvolumes
++						if (btrfs_group_subvolumes and fstype == "btrfs") {
++							string devname = fs::canonical(dev, ec).filename();
++							if (!found_btrfs_subvolumes.insert(devname).second) {
++								continue;
++							}
++						}
++
+ 						if ((not use_fstab and not only_physical)
+ 						or (use_fstab and v_contains(fstab, mountpoint))
+ 						or (not use_fstab and only_physical and v_contains(fstypes, fstype))) {

flake/lib/buildNixpkgsConfig/default.nix

@@ -1,4 +1,4 @@
-# inputs = { lib, topInputs, ...}; nixpkgs = { march, cuda, nixRoot, nixos, arch };
+# inputs = { lib, topInputs, ...}; nixpkgs = { march, cuda, nixRoot, nixos, arch, rocm };
 { inputs, nixpkgs }:
 let
   platformConfig =
@@ -8,7 +8,7 @@ let
       ${if nixpkgs.nixos then "hostPlatform" else "localSystem"} =
         { system = "${nixpkgs.arch or "x86_64"}-linux"; gcc = { arch = nixpkgs.march; tune = nixpkgs.march; }; };
     };
-  cudaConfig = inputs.lib.optionalAttrs (nixpkgs.cuda != null)
+  cudaConfig = inputs.lib.optionalAttrs (nixpkgs.cuda or null != null)
   (
     { cudaSupport = true; }
     // (inputs.lib.optionalAttrs (nixpkgs.cuda.capabilities != null)
@@ -16,8 +16,9 @@ let
     // (inputs.lib.optionalAttrs (nixpkgs.cuda.forwardCompat != null)
       { cudaForwardCompat = nixpkgs.cuda.forwardCompat; })
   );
+  rocmConfig = inputs.lib.optionalAttrs (nixpkgs.rocm or false) { rocmSupport = true; };
   allowInsecurePredicate = p: inputs.lib.warn "Allowing insecure package ${p.name or "${p.pname}-${p.version}"}" true;
-  config = cudaConfig
+  config = cudaConfig // rocmConfig
     // {
       inherit allowInsecurePredicate;
       allowUnfree = true;
@@ -26,11 +27,10 @@ let
     }
     // (inputs.lib.optionalAttrs (nixpkgs.march != null)
     {
-      oneapiArch = let match = {}; in match.${nixpkgs.march} or nixpkgs.march;
+      oneapiArch = let match.znver5 = "znver4"; in match.${nixpkgs.march} or nixpkgs.march;
       nvhpcArch = nixpkgs.march;
-      # contentAddressedByDefault = true;
     })
-    // (inputs.lib.optionalAttrs (nixpkgs.nixRoot != null)
+    // (inputs.lib.optionalAttrs (nixpkgs.nixRoot or null != null)
       { nix = { storeDir = "${nixpkgs.nixRoot}/store"; stateDir = "${nixpkgs.nixRoot}/state"; }; });
 in platformConfig //
 {
@@ -39,11 +39,12 @@ in platformConfig //
   [
     inputs.topInputs.aagl.overlays.default
     inputs.topInputs.nur-xddxdd.overlays.inSubTree
-    inputs.topInputs.nix-vscode-extensions.overlays.default
     inputs.topInputs.buildproxy.overlays.default
+    inputs.topInputs.nix4vscode.overlays.default
+    inputs.topInputs.bscpkgs.overlays.default
+    inputs.topInputs.nix-cachyos-kernel.overlay
     (final: prev:
     {
-      inherit (inputs.topInputs.nix-vscode-extensions.overlays.default final prev) nix-vscode-extensions;
       nur-linyinfeng = (inputs.topInputs.nur-linyinfeng.overlays.default final prev).linyinfeng;
       firefox-addons = (import "${inputs.topInputs.rycee}" { inherit (prev) pkgs; }).firefox-addons;
     })
@@ -63,87 +64,98 @@ in platformConfig //
         };
         libvirt = (prev.libvirt.override { iptables = final.nftables; }).overrideAttrs
           (prev: { patches = prev.patches or [] ++ [ ./libvirt.patch ]; });
-        podman = prev.podman.override { iptables = final.nftables; };
-        root = (prev.root.override { stdenv = final.gcc13Stdenv; }).overrideAttrs (prev:
-        {
-          patches = prev.patches or [] ++ [ ./root.patch ];
-          cmakeFlags = prev.cmakeFlags ++ [ "-DCMAKE_CXX_STANDARD=23" ];
-        });
+        tailscale = prev.tailscale.override { iptables = final.nftables; };
+        root = prev.root.overrideAttrs (prev: { cmakeFlags = prev.cmakeFlags ++ [ "-DCMAKE_CXX_STANDARD=23" ]; });
         boost188 = prev.boost188.overrideAttrs (prev: { patches = prev.patches or [] ++ [ ./boost188.patch ]; });
-        inherit (final.pkgs-2411) iio-sensor-proxy;
-        inherit (final.pkgs-unstable) bees;
+        chromium = prev.chromium.override (prev:
+          { commandLineArgs = prev.commandLineArgs or "" + " --disable-features=GlobalShortcutsPortal"; });
+        google-chrome = prev.google-chrome.override (prev:
+          { commandLineArgs = prev.commandLineArgs or "" + " --disable-features=GlobalShortcutsPortal"; });
+        xray = prev.xray.overrideAttrs (prev: { patches = prev.patches or [] ++ [ ./xray.patch ]; });
+        btop = prev.btop.overrideAttrs (prev: { patches = prev.patches or [] ++ [ ./btop.patch ]; });
+        prrte = prev.prrte.overrideAttrs (prev:
+        {
+          configureFlags = prev.configureFlags or [] ++ [ "--with-lsf" ];
+          buildInputs = prev.buildInputs or [] ++ [ final.localPackages.lsf final.libnsl ];
+        });
+        cpptrace = prev.cpptrace.overrideAttrs (prev: { doCheck = !final.stdenv.hostPlatform.isStatic; });
       }
       // (
         let
+          marchFilter = version:
+            # old version of nixpkgs does not recognize znver5, use znver4 instead
+            inputs.lib.optionalAttrs (inputs.lib.versionOlder version "25.05") { znver5 = "znver4"; };
           source =
           {
             pkgs-2305 = "nixpkgs-2305";
             pkgs-2311 = "nixpkgs-2311";
-            pkgs-2411 = { source = "nixpkgs-2411"; overlay = inputs.topInputs.bscpkgs.overlays.default; };
-            pkgs-unstable =
+            pkgs-2411 =
             {
-              source = "nixpkgs-unstable";
-              overlay = inputs.topInputs.self.overlays.default;
+              source = "nixpkgs-2411";
+              overlays =
+              [
+                (final: prev: inputs.lib.optionalAttrs (nixpkgs.march != null)
+                {
+                  pythonPackagesExtensions = prev.pythonPackagesExtensions or [] ++ [(final: prev:
+                  {
+                    sphinx = prev.sphinx.overridePythonAttrs (prev:
+                      { disabledTests = prev.disabledTests or [] ++ [ "test_xml_warnings" ]; });
+                  })];
+                })
+              ];
             };
           };
-          packages = name: import inputs.topInputs.${source.${name}.source or source.${name}}
-          {
-            localSystem = platformConfig.hostPlatform or platformConfig.localSystem or platformConfig;
-            inherit config;
-            overlays = [(source.${name}.overlay or (_: _: {}))];
-          };
+          packages = name:
+            let flakeSource = inputs.topInputs.${source.${name}.source or source.${name}};
+            in import flakeSource
+            {
+              localSystem =
+                if nixpkgs.march == null then { system = "${nixpkgs.arch or "x86_64"}-linux"; }
+                else
+                  let march = (marchFilter flakeSource.lib.version).${nixpkgs.march} or nixpkgs.march;
+                  in { system = "${nixpkgs.arch or "x86_64"}-linux"; gcc = { arch = march; tune = march; }; };
+              inherit config;
+              overlays = source.${name}.overlays or [(_: _: {})];
+            };
         in builtins.listToAttrs (builtins.map
           (name: { inherit name; value = packages name; }) (builtins.attrNames source))
       )
       // (inputs.lib.optionalAttrs (prev.stdenv.hostPlatform.avx512Support)
         { gsl = prev.gsl.overrideAttrs { doCheck = false; }; })
-      // (inputs.lib.optionalAttrs (nixpkgs.march != null && !prev.stdenv.hostPlatform.avx512Support)
-        { libhwy = prev.libhwy.override { stdenv = final.genericPackages.stdenv; }; })
+      // (inputs.lib.optionalAttrs (prev.stdenv.hostPlatform.sse4_1Support)
+      {
+        frei0r = final.genericPackages.frei0r;
+      })
+      // (inputs.lib.optionalAttrs (nixpkgs.march == "alderlake")
+        { redis = prev.redis.overrideAttrs (prev: { doCheck = false; }); })
+      // (inputs.lib.optionalAttrs (nixpkgs.march == "cascadelake")
+        { postgresql_17 = prev.postgresql_17.override { jitSupport = false; }; })
       // (inputs.lib.optionalAttrs (nixpkgs.march != null)
       {
-        libinsane = prev.libinsane.overrideAttrs (prev:
-          { nativeCheckInputs = builtins.filter (p: p.pname != "valgrind") prev.nativeCheckInputs; });
+        ffmpeg_8 = prev.ffmpeg_8.overrideAttrs (prev: { patches = prev.patches or [] ++ [ ./ffmpeg.patch ]; });
+        ffmpeg_8-headless = prev.ffmpeg_8-headless.overrideAttrs
+          (prev: { patches = prev.patches or [] ++ [ ./ffmpeg.patch ]; });
+        ffmpeg_8-full = prev.ffmpeg_8-full.overrideAttrs
+          (prev: { patches = prev.patches or [] ++ [ ./ffmpeg.patch ]; });
+        ffmpeg = final.ffmpeg_8;
+        ffmpeg-headless = final.ffmpeg_8-headless;
+        ffmpeg-full = final.ffmpeg_8-full;
+        assimp = prev.assimp.override { stdenv = final.genericPackages.stdenv; };
+        xen = prev.xen.overrideAttrs (prev: { patches = prev.patches or [] ++ [ ./xen.patch ]; });
         lib2geom = prev.lib2geom.overrideAttrs (prev: { doCheck = false; });
-        libreoffice-qt6-fresh = prev.libreoffice-qt6-fresh.override (prev:
-          { unwrapped = prev.unwrapped.overrideAttrs (prev: { postPatch = prev.postPatch or "" +
-          ''
-            sed -i '/CPPUNIT_TEST.testDubiousArrayFormulasFODS/d' sc/qa/unit/functions_array.cxx
-          '';});});
-        libreoffice-still = prev.libreoffice-still.override (prev:
+        libreoffice-fresh = prev.libreoffice-fresh.override (prev:
           { unwrapped = prev.unwrapped.overrideAttrs (prev: { postPatch = prev.postPatch or "" +
           ''
             sed -i '/CPPUNIT_TEST.testDubiousArrayFormulasFODS/d' sc/qa/unit/functions_array.cxx
           '';});});
         opencolorio = prev.opencolorio.overrideAttrs (prev: { doCheck = false; });
-        openvswitch = prev.openvswitch.overrideAttrs (prev: { doCheck = false; });
         rapidjson = prev.rapidjson.overrideAttrs { doCheck = false; };
-        valkey = prev.valkey.overrideAttrs { doCheck = false; };
-        # -march=xxx cause embree build failed
-        # https://github.com/embree/embree/issues/115
         embree = prev.embree.override { stdenv = final.genericPackages.stdenv; };
         simde = prev.simde.override { stdenv = final.genericPackages.stdenv; };
-        ctranslate2 = prev.ctranslate2.overrideAttrs (prev:
-          { cmakeFlags = prev.cmakeFlags or [] ++ [ "-DENABLE_CPU_DISPATCH=OFF" ]; });
         pythonPackagesExtensions = prev.pythonPackagesExtensions or [] ++ [(final: prev:
-        (
-          {
-            scipy = prev.scipy.overridePythonAttrs (prev:
-              { disabledTests = prev.disabledTests or [] ++ [ "test_hyp2f1" ]; });
-            rich = prev.rich.overridePythonAttrs (prev:
-              { disabledTests = prev.disabledTests or [] ++ [ "test_brokenpipeerror" ]; });
-          }
-          // (inputs.lib.optionalAttrs (nixpkgs.march != null && !prev.stdenv.hostPlatform.avx2Support)
-          {
-            numcodecs = prev.numcodecs.overridePythonAttrs (prev:
-            {
-              disabledTests = prev.disabledTests or []
-                ++ [ "test_encode_decode" "test_partial_decode" "test_blosc" ];
-            });
-          })
-        ))];
-        inherit (final.pkgs-2411) intelPackages_2023;
+        {
+          picosvg = prev.picosvg.overridePythonAttrs { doCheck = false; };
+        })];
       })
-      // (inputs.lib.optionalAttrs (nixpkgs.march == "silvermont")
-        { c-blosc = prev.c-blosc.overrideAttrs { doCheck = false; }; })
   )];
 }

flake/lib/buildNixpkgsConfig/ffmpeg.patch

@@ -0,0 +1,36 @@
+Index: FFmpeg/libavcodec/huffyuvdsp.c
+===================================================================
+--- FFmpeg.orig/libavcodec/huffyuvdsp.c
++++ FFmpeg/libavcodec/huffyuvdsp.c
+@@ -16,6 +16,13 @@
+  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+  */
+ 
++// GCC Vectorize with AVX will break huffyuv unit tests.
++#if defined(__GNUC__) && !defined(__clang__)
++    #if (__GNUC__ > 6)
++        #pragma GCC optimize ("no-tree-vectorize")
++    #endif
++#endif
++
+ #include <stdint.h>
+ 
+ #include "config.h"
+Index: FFmpeg/libavcodec/huffyuvenc.c
+===================================================================
+--- FFmpeg.orig/libavcodec/huffyuvenc.c
++++ FFmpeg/libavcodec/huffyuvenc.c
+@@ -28,6 +28,13 @@
+  * huffyuv encoder
+  */
+ 
++ // GCC Vectorize with AVX will break huffyuv unit tests.
++#if defined(__GNUC__) && !defined(__clang__)
++    #if (__GNUC__ > 6)
++        #pragma GCC optimize ("no-tree-vectorize")
++    #endif
++#endif
++
+ #include "config_components.h"
+ 
+ #include "avcodec.h"

flake/lib/buildNixpkgsConfig/root.patch

@@ -1,22 +0,0 @@
-From ab80270dd50f4ae08e452daa3fd0eccc7f9f96ee Mon Sep 17 00:00:00 2001
-From: Danilo Piparo <danilo.piparo@cern.ch>
-Date: Sat, 14 Dec 2024 07:45:22 +0100
-Subject: [PATCH 1/2] [CMake] Allow to process cxx23 option
-
----
- cmake/modules/CheckCompiler.cmake | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/cmake/modules/CheckCompiler.cmake b/cmake/modules/CheckCompiler.cmake
-index 883bf0e2daed1..c2ac5df869797 100644
---- a/cmake/modules/CheckCompiler.cmake
-+++ b/cmake/modules/CheckCompiler.cmake
-@@ -161,7 +161,7 @@ set(CMAKE_CXX_STANDARD ${CXX_STANDARD_STRING} CACHE STRING "")
- set(CMAKE_CXX_STANDARD_REQUIRED TRUE)
- set(CMAKE_CXX_EXTENSIONS FALSE CACHE BOOL "")
- 
--if(NOT CMAKE_CXX_STANDARD MATCHES "17|20")
-+if(NOT CMAKE_CXX_STANDARD MATCHES "17|20|23")
-   message(FATAL_ERROR "Unsupported C++ standard: ${CMAKE_CXX_STANDARD}. Supported standards are: 17, 20.")
- endif()
- 

flake/lib/buildNixpkgsConfig/xen.patch

@@ -0,0 +1,15 @@
+diff --git a/xen/arch/x86/boot/Makefile b/xen/arch/x86/boot/Makefile
+index d45787665907..80c32163fbbd 100644
+--- a/xen/arch/x86/boot/Makefile
++++ b/xen/arch/x86/boot/Makefile
+@@ -40,8 +40,8 @@ LD32 := $(LD) $(subst x86_64,i386,$(LDFLAGS_DIRECT))
+ # are affected by both text_diff and text_gap.  Ensure the sum of gap and diff
+ # is greater than 2^16 so that any 16bit relocations if present in the object
+ # file turns into a build-time error.
+-text_gap := 0x010200
+-text_diff := 0x408020
++text_gap := 0x010240
++text_diff := 0x608040
+ 
+ $(obj)/build32.base.lds: AFLAGS-y += -DGAP=$(text_gap) -DTEXT_DIFF=$(text_diff)
+ $(obj)/build32.offset.lds: AFLAGS-y += -DGAP=$(text_gap) -DTEXT_DIFF=$(text_diff) -DAPPLY_OFFSET

flake/lib/buildNixpkgsConfig/xray.patch

@@ -0,0 +1,30 @@
+diff --git a/app/dns/nameserver_doh.go b/app/dns/nameserver_doh.go
+index cba59423..19c6d34f 100644
+--- a/app/dns/nameserver_doh.go
++++ b/app/dns/nameserver_doh.go
+@@ -1,7 +1,7 @@
+ package dns
+ 
+ import (
+-	"bytes"
++	"encoding/base64"
+ 	"context"
+ 	"crypto/tls"
+ 	go_errors "errors"
+@@ -188,14 +188,13 @@ func (s *DoHNameServer) sendQuery(ctx context.Context, noResponseErrCh chan<- er
+ }
+ 
+ func (s *DoHNameServer) dohHTTPSContext(ctx context.Context, b []byte) ([]byte, error) {
+-	body := bytes.NewBuffer(b)
+-	req, err := http.NewRequest("POST", s.dohURL, body)
++	query := fmt.Sprintf("%s?dns=%s", s.dohURL, base64.URLEncoding.WithPadding(base64.NoPadding).EncodeToString(b))
++	req, err := http.NewRequest("GET", query, nil)
+ 	if err != nil {
+ 		return nil, err
+ 	}
+ 
+ 	req.Header.Add("Accept", "application/dns-message")
+-	req.Header.Add("Content-Type", "application/dns-message")
+ 
+ 	req.Header.Set("X-Padding", strings.Repeat("X", int(crypto.RandBetween(100, 1000))))
+ 

flake/lib/default.nix

@@ -14,30 +14,13 @@ lib: rec
       (
         let handle = module: let type = builtins.typeOf module; in
           if type == "path" || type == "string" then (handle (import module))
-          else if type == "lambda" then ({ pkgs, utils, ... }@inputs: (module inputs))
+          else if type == "lambda" && builtins.functionArgs module == {}
+            then ({ pkgs, utils, ... }@inputs: (module inputs))
           else module;
         in handle
       )
       moduleList);
 
-  # from: https://github.com/NixOS/nix/issues/3759
-  stripeTabs = text:
-    let
-      # Whether all lines start with a tab (or is empty)
-      shouldStripTab = lines: builtins.all (line: (line == "") || (lib.strings.hasPrefix "  " line)) lines;
-      # Strip a leading tab from all lines
-      stripTab = lines: builtins.map (line: lib.strings.removePrefix "  " line) lines;
-      # Strip tabs recursively until there are none
-      stripTabs = lines: if (shouldStripTab lines) then (stripTabs (stripTab lines)) else lines;
-    in
-      # Split into lines. Strip leading tabs. Concat back to string.
-      builtins.concatStringsSep "\n" (stripTabs (lib.strings.splitString "\n" text));
-  
-  # find an element in a list, return the index
-  findIndex = e: list:
-    let findIndex_ = i: list: if (builtins.elemAt list i) == e then i else findIndex_ (i + 1) list;
-    in findIndex_ 0 list;
-
   # return a list of path, including:
   # - all .nix file in the directory except for default.nix
   # - all directories containing a default.nix

flake/nixos.nix

@@ -1,7 +1,7 @@
 { inputs, localLib }:
 let
-  singles = [ "nas" "pc" "vps4" "vps6" "one" "srv3" "r2s" ];
-  cluster = { srv1 = 3; srv2 = 2; };
+  singles = [ "nas" "pc" "vps4" "vps6" "vps9" ];
+  cluster = { srv1 = 3; srv2 = 3; };
   deviceModules = builtins.listToAttrs
   (
     (builtins.map

flake/packages.nix

@@ -3,7 +3,7 @@
   pkgs = import inputs.nixpkgs (localLib.buildNixpkgsConfig
   {
     inputs = { inherit (inputs.nixpkgs) lib; topInputs = inputs; };
-    nixpkgs = { march = null; cuda = null; nixRoot = null; nixos = false; };
+    nixpkgs = { march = null; nixos = false; };
   });
   hpcstat =
     let
@@ -12,9 +12,7 @@
       duc = pkgs.pkgsStatic.duc.override { enableCairo = false; cairo = null; pango = null; };
       glaze = pkgs.pkgs-2411.pkgsStatic.glaze.overrideAttrs
         (prev: { cmakeFlags = prev.cmakeFlags ++ [ "-Dglaze_ENABLE_FUZZING=OFF" ]; });
-      # pkgsStatic.clangStdenv have a bug
-      # https://github.com/NixOS/nixpkgs/issues/177129
-      biu = pkgs.pkgsStatic.localPackages.biu.override { stdenv = pkgs.pkgsStatic.gcc14Stdenv; inherit glaze; };
+      biu = pkgs.pkgsStatic.localPackages.biu.override { inherit glaze; };
     in pkgs.pkgsStatic.localPackages.hpcstat.override
     {
       inherit openssh duc biu;
@@ -28,7 +26,8 @@
     gfortran = pkgs.pkgsStatic.gfortran;
     lapack = pkgs.pkgsStatic.openblas;
   };
-  jykang = import ../devices/jykang.xmuhpc { inherit inputs localLib; };
+  jykang = import ../devices/jykang { inherit inputs localLib; };
+  wlin = import ../devices/wlin { inherit inputs localLib; };
   xmuhk = import ../devices/xmuhk { inherit inputs localLib; };
   src =
     let getDrv = x:
@@ -43,10 +42,17 @@
     tokenPath = inputs.self.nixosConfigurations.pc.config.nixos.system.sops.secrets."acme/token".path;
     octodns = pkgs.octodns.withProviders (_: with pkgs.octodns-providers; [ cloudflare ]);
   };
-  archive = pkgs.writeText "archive" (builtins.concatStringsSep "\n" (builtins.concatLists
-  [
-    (inputs.nixpkgs.lib.mapAttrsToList (_: v: v.config.system.build.toplevel) inputs.self.outputs.nixosConfigurations)
-    [ src ]
-  ]));
+  archive =
+    let
+      systemWithBuildDeps = system:
+        (system.extendModules { modules = [{ config.system.includeBuildDependencies = true; }]; })
+          .config.system.build.toplevel;
+      systems = inputs.nixpkgs.lib.mapAttrs (_: v: systemWithBuildDeps v) inputs.self.outputs.nixosConfigurations;
+      inputListFile = pkgs.writeText "input-list"
+        (builtins.concatStringsSep "\n" (builtins.attrValues inputs));
+      archive = pkgs.writeText "archive" (builtins.concatStringsSep "\n"
+        ((builtins.attrValues systems) ++ [ src inputListFile ]));
+    in
+    archive // { passthru = archive.passthru // systems // { inherit src; inputs = inputListFile; }; };
 }
 // (builtins.mapAttrs (_: v: v.config.system.build.toplevel) inputs.self.outputs.nixosConfigurations)

flake/src.nix

@@ -1,4 +1,4 @@
-{ inputs }: let inherit (inputs.self.packages.x86_64-linux) pkgs; in
+{ inputs }: let inherit (inputs.self.packages.x86_64-linux) pkgs; inherit (inputs.nixpkgs) lib; in
 {
   nvhpc =
   {
@@ -29,7 +29,7 @@
     netboot = pkgs.fetchurl
     {
       url = "https://boot.netboot.xyz/ipxe/netboot.xyz.iso";
-      sha256 = "01hlslbi2i3jkzjwn24drhd2lriaqiwr9hb83r0nib9y1jvr3k5p";
+      sha256 = "0h7shj8gm3kzh7d7bcwygkp3fz5mac957accqhr9dhpjaj9dsmlr";
     };
   };
   vasp =
@@ -84,7 +84,7 @@
       };
       src = pkgs.requireFile
       {
-        name = "src";
+        name = "licenseManager";
         sha256 = "1h93r0bb37279dzghi3k2axf0b8g0mgacw0lcww5j3sx0sqjbg4l";
         hashMode = "recursive";
         message = "Source file not found.";
@@ -124,14 +124,6 @@
       sha256 = "Tq4AzQgde2KIWKA1k6JlxvdphGG9JluHMZjVw0fBUeQ=";
     };
   };
-  # nix-store --query --hash $(nix store add-path . --name 'mirism')
-  mirism-old = pkgs.requireFile
-  {
-    name = "mirism";
-    sha256 = "0f50pvdafhlmrlbf341mkp9q50v4ld5pbx92d2w1633f18zghbzf";
-    hashMode = "recursive";
-    message = "Source file not found.";
-  };
   pslist =
   {
     version = "1.4.0";
@@ -198,10 +190,34 @@
     url = "mirror://sourceforge/atomkit/Binaries/atomkit.0.9.0.linux.x64.tar.gz";
     sha256 = "0y9z7wva7zikh83w9q431lgn3bqkh1v5w6iz90dwc75wqwk0w5jr";
   };
-  guix = pkgs.fetchurl
+  btrfs =
   {
-    url = "https://ci.guix.gnu.org/download/2857";
-    name = "guix.iso";
-    sha256 = "0xqabnay8wwqc1a96db8ix1a6bhvgm84s5is1q67rr432q7gqgd4";
+    "6.12" =
+    {
+      patch = pkgs.fetchurl
+      {
+        url = "https://github.com/kakra/linux/pull/36.patch";
+        sha256 = "0wimihsvrxib6g23jcqdbvqlkqk6nbqjswfx9bzmpm1vlvzxj8m0";
+      };
+      structuredExtraConfig.BTRFS_EXPERIMENTAL = lib.kernel.yes;
+    };
+    "6.18" =
+    {
+      patch = pkgs.fetchurl
+      {
+        url = "https://github.com/kakra/linux/pull/40.patch";
+        sha256 = "02q3x64rdyj6nx7jdknlg7x69v10xxbm0ry2xbgr069dfdm2w1ya";
+      };
+      structuredExtraConfig = { BTRFS_ALLOCATOR_HINTS = lib.kernel.yes; BTRFS_READ_POLICIES = lib.kernel.yes; };
+    };
+  };
+  # download include from /opt/ibm/lsfsuite/lsf/10.1/include into lsf/include
+  # download lib from /opt/ibm/lsfsuite/lsf/10.1/linux2.6-glibc2.3-x86_64/lib into lsf/lib and only preserve .so
+  lsf = pkgs.requireFile
+  {
+    name = "lsf";
+    sha256 = "0rij4xx705yj1vr5jd31hb8izmb35vkrdql0850qc5cn30jnkf4l";
+    hashMode = "recursive";
+    message = "lsf not found.";
   };
 }

modules/default.nix

@@ -12,18 +12,12 @@ inputs: let inherit (inputs) topInputs; in
     topInputs.nixvirt.nixosModules.default
     topInputs.niri.nixosModules.niri
     { config.niri-flake.cache.enable = false; }
-    # TODO: Remove after next release
-    "${topInputs.nixpkgs-unstable}/nixos/modules/services/hardware/lact.nix"
-    (inputs:
-    {
-      config =
-      {
-        home-manager.sharedModules =
-        [
-          topInputs.plasma-manager.homeManagerModules.plasma-manager
-          topInputs.catppuccin.homeModules.catppuccin
-        ];
-      };
-    })
+    topInputs.harmonia.nixosModules.harmonia
+    { config.home-manager.sharedModules =
+    [
+      topInputs.catppuccin.homeModules.catppuccin
+      topInputs.dankmaterialshell.homeModules.dank-material-shell
+      topInputs.dankmaterialshell.homeModules.niri
+    ];}
   ] ++ (inputs.localLib.findModules ./.);
 }

modules/hardware/asus/asusd.ron

@@ -0,0 +1,28 @@
+(
+    charge_control_end_threshold: 100,
+    disable_nvidia_powerd_on_battery: true,
+    ac_command: "",
+    bat_command: "",
+    platform_profile_linked_epp: true,
+    platform_profile_on_battery: Quiet,
+    change_platform_profile_on_battery: false,
+    platform_profile_on_ac: Performance,
+    change_platform_profile_on_ac: false,
+    profile_quiet_epp: Power,
+    profile_balanced_epp: Performance,
+    profile_custom_epp: Performance,
+    profile_performance_epp: Performance,
+    ac_profile_tunings: {
+        Performance: (
+            enabled: false,
+            group: {},
+        ),
+    },
+    dc_profile_tunings: {
+        Balanced: (
+            enabled: false,
+            group: {},
+        ),
+    },
+    armoury_settings: {},
+)

modules/hardware/asus/default.nix

@@ -0,0 +1,14 @@
+inputs:
+{
+  options.nixos.hardware.asus = let inherit (inputs.lib) mkOption types; in mkOption
+    { type = types.nullOr (types.submodule {}); default = null; };
+  config = let inherit (inputs.config.nixos.hardware) asus; in inputs.lib.mkIf (asus != null)
+  {
+    services =
+    {
+      asusd = { enable = true; enableUserService = true; asusdConfig.source = ./asusd.ron; };
+      supergfxd.enable = false;
+    };
+    programs.rog-control-center.enable = true;
+  };
+}

modules/hardware/cpu.nix

@@ -5,8 +5,8 @@ inputs:
     type = types.nullOr (types.enum [ "intel" "amd" ]);
     default = let inherit (inputs.config.nixos.system.nixpkgs) march; in
       if march == null then null
-      else if inputs.lib.hasPrefix "znver" march then "amd"
-      else if (inputs.lib.hasSuffix "lake" march)
+      else if inputs.lib.hasInfix "znver" march then "amd"
+      else if (inputs.lib.hasInfix "lake" march)
         || (builtins.elem march [ "sandybridge" "silvermont" "haswell" "broadwell" ])
         then "intel"
       else null;
@@ -22,7 +22,7 @@ inputs:
     (inputs.lib.mkIf (cpu == "amd")
     {
       hardware.cpu.amd = { updateMicrocode = true; ryzen-smu.enable = true; };
-      environment.systemPackages = with inputs.pkgs; [ zenmonitor ];
+      environment.systemPackages = with inputs.pkgs; [ zenmonitor ryzenadj ];
       programs.ryzen-monitor-ng.enable = true;
     })
   ]);

modules/hardware/default.nix

@@ -4,18 +4,17 @@ inputs:
   options.nixos.hardware =
     let
       inherit (inputs.lib) mkOption types;
-      default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
+      genericOption = mkOption
+      {
+        type = types.nullOr (types.submodule {});
+        default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
+      };
     in
-    {
-      joystick = mkOption { type = types.nullOr (types.submodule {}); inherit default; };
-      printer = mkOption { type = types.nullOr (types.submodule {}); inherit default; };
-      sound = mkOption { type = types.nullOr (types.submodule {}); inherit default; };
-    };
+    { joystick = genericOption; printer = genericOption; sound = genericOption; bolt = genericOption; };
   config = let inherit (inputs.config.nixos) hardware; in inputs.lib.mkMerge
   [
-    # joystick
-    (inputs.lib.mkIf (hardware.joystick != null) { hardware = { xone.enable = true; xpadneo.enable = true; }; })
-    # printer
+    # TODO: enable after fix
+    # (inputs.lib.mkIf (hardware.joystick != null) { hardware = { xone.enable = true; xpadneo.enable = true; }; })
     (
       inputs.lib.mkIf (hardware.printer != null)
       {
@@ -26,7 +25,6 @@ inputs:
         };
       }
     )
-    # sound
     (
       inputs.lib.mkIf (hardware.sound != null)
       {
@@ -35,5 +33,6 @@ inputs:
         security.rtkit.enable = true;
       }
     )
+    (inputs.lib.mkIf (hardware.bolt != null) { services.hardware.bolt.enable = true; })
   ];
 }

modules/hardware/gpu.nix

@@ -2,25 +2,10 @@ inputs:
 {
   options.nixos.hardware.gpu = let inherit (inputs.lib) mkOption types; in
   {
-    type = mkOption
-    {
-      type = types.nullOr (types.enum
-      [
-        # single gpu
-        "intel" "nvidia" "amd"
-        # hibrid gpu: use nvidia prime offload mode
-        "intel+nvidia" "amd+nvidia"
-      ]);
-      default = null;
-    };
+    type = mkOption { type = types.nullOr (types.enum [ "intel" "nvidia" "amd" ]); default = null; };
     nvidia =
     {
       dynamicBoost = mkOption { type = types.bool; default = false; };
-      prime =
-      {
-        mode = mkOption { type = types.enum [ "offload" "sync" ]; default = "offload"; };
-        busId = mkOption { type = types.attrsOf types.nonEmptyStr; default = {}; };
-      };
       driver = mkOption { type = types.enum [ "production" "latest" "beta" ]; default = "production"; };
       open = mkOption { type = types.bool; default = true; };
     };
@@ -34,13 +19,11 @@ inputs:
         boot =
         {
           initrd.availableKernelModules =
-            let modules =
             {
               intel = [ "i915" ];
               nvidia = []; # early loading breaks resume from hibernation
               amd = [];
-            };
-            in builtins.concatLists (builtins.map (gpu: modules.${gpu}) gpus);
+            }.${gpu.type};
           blacklistedKernelModules = [ "nouveau" ];
         };
         hardware =
@@ -54,12 +37,12 @@ inputs:
                 # TODO: import from nixos-hardware instead
                 # enableHybridCodec is only needed for some old intel gpus (Atom, Nxxx, etc)
                 intel = [ intel-vaapi-driver libvdpau-va-gl intel-media-driver ];
-                nvidia = [ vaapiVdpau ];
+                nvidia = [ libva-vdpau-driver ];
                 amd = [];
               };
-              in builtins.concatLists (builtins.map (gpu: packages.${gpu}) gpus);
+              in packages.${gpu.type};
           };
-          nvidia = inputs.lib.mkIf (builtins.elem "nvidia" gpus)
+          nvidia = inputs.lib.mkIf (gpu.type == "nvidia")
           {
             modesetting.enable = true;
             powerManagement.enable = true;
@@ -72,16 +55,16 @@ inputs:
         };
         services.xserver.videoDrivers =
           let driver = { intel = "modesetting"; amd = "amdgpu"; nvidia = "nvidia"; };
-          in builtins.map (gpu: driver.${gpu}) gpus;
+          in [ driver.${gpu.type} ];
         nixos.packages.packages._packages =
           let packages = with inputs.pkgs;
           {
             intel = [ intel-gpu-tools ];
             nvidia = [ nvtopPackages.full ];
-            amd = [];
+            amd = [ radeontop ];
           };
-          in builtins.concatLists (builtins.map (gpu: packages.${gpu}) gpus);
-        environment.etc."nvidia/nvidia-application-profiles-rc.d/vram" = inputs.lib.mkIf (builtins.elem "nvidia" gpus)
+          in packages.${gpu.type};
+        environment.etc."nvidia/nvidia-application-profiles-rc.d/vram" = inputs.lib.mkIf (gpu.type == "nvidia")
         {
           source = inputs.pkgs.writeText "save-vram" (builtins.toJSON
           {
@@ -91,30 +74,10 @@ inputs:
         };
       }
     )
-    # nvidia prime offload
-    (
-      inputs.lib.mkIf (inputs.lib.strings.hasSuffix "+nvidia" gpu.type) { hardware.nvidia =
-      {
-        prime =
-        {
-          offload = inputs.lib.mkIf (gpu.nvidia.prime.mode == "offload") { enable = true; enableOffloadCmd = true; };
-          sync = inputs.lib.mkIf (gpu.nvidia.prime.mode == "sync") { enable = true; };
-        }
-        // builtins.listToAttrs (builtins.map
-          (gpu: { name = "${if gpu.name == "amd" then "amdgpu" else gpu.name}BusId"; value = "PCI:${gpu.value}"; })
-          (inputs.localLib.attrsToList gpu.nvidia.prime.busId));
-        powerManagement.finegrained = inputs.lib.mkIf (gpu.nvidia.prime.mode == "offload") true;
-      };}
-    )
     # amdgpu
     (
-      inputs.lib.mkIf (inputs.lib.strings.hasPrefix "amd" gpu.type) { hardware.amdgpu =
-      {
-        opencl.enable = true;
-        initrd.enable = true;
-        legacySupport.enable = true;
-        amdvlk = { enable = true; support32Bit.enable = true; supportExperimental.enable = true; };
-      };}
+      inputs.lib.mkIf (inputs.lib.strings.hasPrefix "amd" gpu.type)
+        { hardware.amdgpu = { opencl.enable = true; initrd.enable = true; legacySupport.enable = true; };}
     )
   ]);
 }

modules/hardware/legion.nix

@@ -1,10 +0,0 @@
-inputs:
-{
-  options.nixos.hardware.legion = let inherit (inputs.lib) mkOption types; in mkOption
-    { type = types.nullOr (types.submodule {}); default = null; };
-  config = let inherit (inputs.config.nixos.hardware) legion; in inputs.lib.mkIf (legion != null)
-  {
-    environment.systemPackages = [ inputs.pkgs.lenovo-legion ];
-    boot.extraModulePackages = [ inputs.config.boot.kernelPackages.lenovo-legion-module ];
-  };
-}

modules/packages/android-studio.nix

@@ -1,9 +0,0 @@
-inputs:
-{
-  options.nixos.packages.android-studio = let inherit (inputs.lib) mkOption types; in mkOption
-    { type = types.nullOr (types.submodule {}); default = null; };
-  config = let inherit (inputs.config.nixos.packages) android-studio; in inputs.lib.mkIf (android-studio != null)
-  {
-    nixos.packages.packages._packages = with inputs.pkgs; [ androidStudioPackages.stable.full ];
-  };
-}

modules/packages/btop.nix

@@ -0,0 +1,19 @@
+{ lib, pkgs, config, ... }:
+{
+  options.nixos.packages.btop = lib.mkOption { type = lib.types.nullOr (lib.types.submodule {}); default = {}; };
+  config = let inherit (config.nixos.packages) btop; in lib.mkIf (btop != null)
+  {
+    nixos =
+    {
+      packages.packages._packages = [ pkgs.btop ];
+      user.sharedModules =
+      [{
+        config.programs.btop =
+        {
+          enable = true;
+          settings.btrfs_group_subvolumes = true;
+        };
+      }];
+    };
+  };
+}

modules/packages/chromium.nix

@@ -3,7 +3,7 @@ inputs:
   options.nixos.packages.chromium = let inherit (inputs.lib) mkOption types; in mkOption
   {
     type = types.nullOr (types.submodule {});
-    default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
+    default = if inputs.config.nixos.model.type == "desktop" then {} else null;
   };
   config = let inherit (inputs.config.nixos.packages) chromium; in inputs.lib.mkIf (chromium != null)
   {