modules.system.sops: rewrite

This reverts commit 8cc28f6629.

.gitattributes

@@ -1,6 +1 @@
-*.png filter=lfs diff=lfs merge=lfs -text
-*.icm filter=lfs diff=lfs merge=lfs -text
-*.jpg filter=lfs diff=lfs merge=lfs -text
-*.webp filter=lfs diff=lfs merge=lfs -text
-*.efi filter=lfs diff=lfs merge=lfs -text
 flake/branch.nix merge=ours

devices/cross/secrets/default.yaml

@@ -28,15 +28,18 @@ users:
     pen: ENC[AES256_GCM,data:XOKXV0YSFbHC3I3xO8fpWvYerNfVFg2afs+CUp2MZB+yt9KR5bTJdVOfUGldLbWH5CR4v5FxTrTujv24wJ710Rfyugxh9aFJ/w==,iv:tHLoO+XpdUk8S56QUiJQOpVO9C5epam9PMubMN+8fHw=,tag:H0srWRigNUedQMIAfJlfjg==,type:str]
     #ENC[AES256_GCM,data:K6O0TIYYGZmM8iOwsQ==,iv:xtT8Psnoy51V9gsRo335+VT56FXTcMQ3d4/tnuWouew=,tag:k8irtZ33G3UFK++rzcmyiw==,type:comment]
     reonokiy: ENC[AES256_GCM,data:fPKdOPAKbXUvK5Jj08T0iSD23mhhkTXCexgB5q3v5JS4c6V4S+W14WOkS4UHrMQls/rHslw0NyMzS5G27A+5vN+EN+xJZfuRGg==,iv:tSdNOgs61tyt7/hUKt8bfKvpq9qOQU14ligdxBs/ATs=,tag:6IoS/p2StKtFREIpxsWkdg==,type:str]
+    #ENC[AES256_GCM,data:cZznknXjlWF6eoEaTA==,iv:tdw/54W2evO1o5sq1syz3k0DZrm/rjflxqJpB9LZgvg=,tag:d60Ctc5YeSmhZJUURUmeSg==,type:comment]
+    zqq: ENC[AES256_GCM,data:iFtM0pxIvXPHBnLEfHdmYGVWXuroDLgUaAKF+DmuBdq1NY+pr33oXNJzckFZfWgpIOuCm4cNg5j5R6nsG+zk2VWdi2vuITT4jA==,iv:qfBC/D1gJYXOZ0Fy2DkAb+ImDgXZWU6R/Z50hbVDR98=,tag:eCr6lbSieWDCNaTYzoQ0qQ==,type:str]
+    zgq: ENC[AES256_GCM,data:cHYFToQ5ulEcb741Gg3X4lKj8ZJy1zcLHpkVQjQXt5hRAQtPsiPlegi2a1nUIAUb6sI//4ffcytlXpdK2sXewFe3ZiIXy3UVjQ==,iv:fKaPxpfh5ssOwAbmEsAPaQ45KrNtkHZb96IzWc6pD9s=,tag:Vt91B77SjxYaZ/HvWVBufA==,type:str]
 telegram:
     token: ENC[AES256_GCM,data:zfMATU2E6cwoiyfszV35vkQG6JSk00y589wmGEf4wQNncPhNsvh+NcSfnTwHTQ==,iv:Q46mUquhUZLGQsCDYitk4IPu24MpVnYmi7aHyZL/b1E=,tag:QVbrwAA9mWK/ToJfGIs9ug==,type:str]
     user:
         chn: ENC[AES256_GCM,data:mTt2D+SkvVL8,iv:L0Pk5p46E2kKBdRWCGpwOKS0BsbIhZUslpIFWvkssMY=,tag:+AjbNJ1SW/8Mx1HLpWAd2w==,type:str]
         hjp: ENC[AES256_GCM,data:ZXTQhax0gT4PKw==,iv:MerbaWWC4SLazEuuJrxAxf9e5aaX9xpq9St+h9aqvMQ=,tag:x9knShK90OKZPcn9fKzvMA==,type:str]
-acme:
-    token: ENC[AES256_GCM,data:M8/R019chds8zr2BqnRnKP40NZxwq4fz06NaOeOOFYecLyDjIOq5mg==,iv:VPr4XD0Y+6G1P1xwMDyrWPiTvCYdiMV0nPcmqCvIA3Y=,tag:KEyCIHRmRkNviA4bMTMybg==,type:str]
 nginx:
     maxmind-license: ENC[AES256_GCM,data:MtmNo6hHlU75N6PvzF7P5i6Q+myV4Keb1JRXVeHxTennNpKfAndsKg==,iv:DqM91JX+1WX8Zqzha2Tm3ztFaSzKYQg+b9NvUm+6jxY=,tag:XnDTBL9MA/B8XfPZqdk7Eg==,type:str]
+acme:
+    token: ENC[AES256_GCM,data:DrNdcyf2tiZ5nmjYmsG13V63ZuZhNG1c/kkGM7eXQWvRvDbu37nKWA==,iv:xc4gtNvZ/BYG+KmT1XgFfG3Z17bBLURazG8tz4/laxE=,tag:khnYVQWjiiaQC9VsJyLV6A==,type:str]
 sops:
     age:
         - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
@@ -174,7 +177,7 @@ sops:
             UnR5Y24rSTk3WUV1VUgvQUFCVUxPZUEKv/lTy02gZYn4jF1uGtm+LhJd0m59Xe99
             +unmqUDh0ZqAhJU8o0jrBiWs1lXOHU7CkIom7tGEMHGUxHkS+Z/6GQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-05-14T01:17:28Z"
-    mac: ENC[AES256_GCM,data:r1FWYKz9aJtmhH7MLPqwZjG0W7LULScGd63CnIqsm2AbFIs6DgW33zDsgwrl1oblx/zYGda3irB5s1+otR38DU0VE7jqLYzHpb3eLsE986ZTwe9Tujy6BJm2Pyng60BJTTBwKU8awS2WpbTUivK1aVivNfBffQIL5Scv/qkyH3U=,iv:1USu0hh8IM2T/w1Fm/udGswPJcxKmvcG6XwlS2ku6iY=,tag:F/rZiGc3KTaNA0YtrWF3+w==,type:str]
+    lastmodified: "2025-07-11T01:54:15Z"
+    mac: ENC[AES256_GCM,data:LTpoXloCTzNtcYOqwA8UXtaorMzFBmFKb6LdOH7mjMDLsqIGIoWeVClt7WPP76K1amsmqjFLYkrdraqqHabLJB2/XKoSObkgZzLoF0YsknMsgJhkqEb9IwCBILBfAJdgwhuZQKHrMKRs5pePqJYSX2ZlgL4MRkwc6U6GVChRLxY=,iv:MZky3t9fGPtNqEdGEG1SYxhuWqDppNutaFI4GitmoKY=,tag:YaTLM9PSH2rAdb5syDvK1g==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.9.2
+    version: 3.10.2

devices/cross/wireguard.nix

@@ -2,6 +2,7 @@ inputs:
 let
   publicKey =
   {
+    vps4 = "sUB97q3lPyGkFqPmjETzDP71J69ZVfaUTWs85+HA12g=";
     vps6 = "AVOsYUKQQCvo3ctst3vNi8XSVWo1Wh15066aHh+KpF4=";
     pc = "l1gFSDCeBxyf/BipXNvoEvVvLqPgdil84nmr5q6+EEw=";
     nas = "xCYRbZEaGloMk7Awr00UR3JcDJy4AzVp4QvGNoyEgFY=";
@@ -61,7 +62,7 @@ let
           # 所有设备都可以连接到公网，但只有有公网 ip 的设备可以接受连接
           (builtins.listToAttrs
           (
-            (builtins.map (n: { name = n; value = getAddress n; }) [ "vps6" "srv3" ])
+            (builtins.map (n: { name = n; value = getAddress n; }) [ "vps4" "vps6" "srv3" ])
               ++ (builtins.map (n: { name = n; value = null; }) [ "pc" "nas" "one" "srv1-node0" "srv2-node0" ])
           ))
           # 校内网络

devices/jykang.xmuhpc/default.nix

@@ -1,8 +1,8 @@
-# sudo nix build --store 'local?store=/data/gpfs01/jykang/.nix/store&real=/nix/store' .#jykang
-# sudo nix-store --store 'local?store=/data/gpfs01/jykang/.nix/store&real=/nix/store' -qR ./result | sudo xargs nix-store --store 'local?store=/data/gpfs01/jykang/.nix/store&real=/nix/store' --export > data.nar
-# cat data.nar  | nix-store --import
-inputs:
-let pkgs = import inputs.nixpkgs (import ../../modules/system/nixpkgs/buildNixpkgsConfig.nix
+# sudo nix build --store 'local?store=/data/gpfs01/jykang/.nix/store&state=/data/gpfs01/jykang/.nix/state&log=/data/gpfs01/jykang/.nix/log' .#jykang
+# sudo nix-store --store 'local?store=/data/gpfs01/jykang/.nix/store&state=/data/gpfs01/jykang/.nix/state&log=/data/gpfs01/jykang/.nix/log' -qR ./result | grep -Fxv -f <(ssh jykang find .nix/store -maxdepth 1 -exec realpath '{}' '\;') | sudo xargs nix-store --store 'local?store=/data/gpfs01/jykang/.nix/store&state=/data/gpfs01/jykang/.nix/state&log=/data/gpfs01/jykang/.nix/log' --export | xz -T0 | pv > jykang.nar.xz
+# cat data.nar | nix-store --import
+{ inputs, localLib }:
+let pkgs = import inputs.nixpkgs (localLib.buildNixpkgsConfig
 {
   inputs = { inherit (inputs.nixpkgs) lib; topInputs = inputs; };
   nixpkgs = { march = null; cuda = null; nixRoot = "/data/gpfs01/jykang/.nix"; };
@@ -10,6 +10,7 @@ let pkgs = import inputs.nixpkgs (import ../../modules/system/nixpkgs/buildNixpk
 in pkgs.symlinkJoin
 {
   name = "jykang";
-  paths = with pkgs; [ hello iotop gnuplot localPackages.vaspkit ];
+  paths = with pkgs; [ hello iotop gnuplot localPackages.vaspkit pv btop ];
   postBuild = "echo ${inputs.self.rev or "dirty"} > $out/.version";
+  passthru = { inherit pkgs; };
 }

devices/jykang.xmuhpc/files/.bashrc

@@ -35,7 +35,7 @@ if [ -f /etc/bashrc ]; then
 fi
 
 if [ -z "${BASHRC_SOURCED-}" ]; then
-	export PATH=$HPCSTAT_SSH_BINDIR:$PATH:$HOME/bin:$HOME/linwei/chn/software/scripts:$HOME/.nix/state/gcroots/current/bin
+	export PATH=$HOME/.nix/state/gcroots/current/bin:$HPCSTAT_SSH_BINDIR:$PATH:$HOME/bin:$HOME/linwei/chn/software/scripts
 	export BASHRC_SOURCED=1
 	if [ "${HPCSTAT_SUBACCOUNT}" == "lyj" ]; then
 		export PATH=$HOME/wuyaping/lyj/bin:$PATH

devices/jykang.xmuhpc/files/.config/nix/nix.conf

@@ -0,0 +1,2 @@
+store = local?store=/data/gpfs01/jykang/.nix/store&state=/data/gpfs01/jykang/.nix/state&log=/data/gpfs01/jykang/.nix/log
+experimental-features = flakes nix-command

devices/jykang.xmuhpc/files/.ssh/authorized_keys

@@ -10,6 +10,7 @@ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGwUhEAFHjkbUfOf0ng8I80YbKisbSeY4lq/byinV7lh
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5bg5cayOLfnfUBJz8LeyaYfP41s9pIqUgXn6w9xtvR lly
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBoDGk9HYphkngx2Ix/vef2ZntdVNK1kbS9pY8+TzI41 yxf
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJi6O1Sf1BBV1dYyH1jcHiws+ntwVfV29+6Paq1CQaET hss
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFlBxisj3sU9QC8UC5gX6sakf7G03ybbkmHtD2cybuZA qmx
 
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCmJoiGO5YD3lbbIOJ99Al2xxm6QS9q+dTCTtlALjYI5f9ICGZJT8PEGlV9BBNCRQdgb3i2LBzQi90Tq1oG6/PcTV3Mto2TawLz5+2+ym29eIq1QIhVTLmZskK815FpawWqxY6+xpGU3vP1WjrFBbhGtl+CCaN+P2TWNkrR8FjG2144hdAlFfEEqfQC+TXbsyJCYoExuxGDJo8ae0JGbz9w1A1UbjnHwKnoxvirTFEbw9IHJIcTdUwuQKOrwydboCOqeaHt74+BnnCOZhpYqMDacrknHITN4GfFFzbs6FsE8NAwFk6yvkNXXzoe60iveNXtCIYuWjG517LQgHAC5BdaPgqzYNg+eqSul72e+jjRs+KDioNqvprw+TcBBO1lXZ2VQFyWyAdV2Foyaz3Wk5qYlOpX/9JLEp6H3cU0XCFR25FdXmjQ4oXN1QEe+2akV8MQ9cWhFhDcbY8Q1EiMWpBVC1xbt4FwE8VCTByZOZsQ0wPVe/vkjANOo+brS3tsR18= 00@xmuhpc
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxcIWDQxVyIRqCGR4uWtrh4tLc025+q6du2GVsox8IzmBFkjNY8Au5GIMP5BKRstxFdg3f/wam8krckUN9rv5+OHB9U8HGz77Xs0FktqRVNMaDPdptePZQJ9A9eW3kkFDfQnORJtiVcEWfUBS3pi0QFOHylnG27YyC/Vjx9tjvtJWKsQEVTFJbFHPdi+G7lHTpqIGx+/a2JN9O6uVujXXYvjSVXsd+CWB9VMZMvYCIz2Ecb6RqR3brj4FhRRl8zyCj+J4ACYFdGWL98fTab2uPHbpVeKrefFFA43JOD/4zwBx/uw7MAQAq0GunTV3FpBfIAQHWgftf2fSlbz20oPjCwdYn9ZuGJOBUroryex7AKZmnSYM3biLHcctQfZtxqVPEU3W/62MUsI/kZb9RcF24JRksMoS2XWTiv2HFf5ijQGLXXOjqiTlGncwiKf65DwkDBsSxzgbXk5Uo86viq6UITFXPx/RytU+SUiN4Wb7wcBTjt/+tyQd1uqc7+3DCDXk= 01@xmuhpc

devices/nas/default.nix

@@ -4,7 +4,7 @@ inputs:
   {
     nixos =
     {
-      model.private = true;
+      model = { type = "server"; private = true; };
       system =
       {
         fileSystems =
@@ -21,24 +21,13 @@ inputs:
         nixpkgs.march = "silvermont";
         network = {};
       };
-      hardware = { cpus = [ "intel" ]; gpu.type = "intel"; };
+      hardware.gpu.type = "intel";
       services =
       {
         sshd = {};
-        xray.client =
-        {
-          enable = true;
-          # TODO: remove on next month
-          xray =
-          {
-            serverAddress = inputs.topInputs.self.config.dns."chn.moe".getAddress "xserver.srv3";
-            serverName = "xserver.srv3.chn.moe";
-          };
-          dnsmasq.hosts."git.nas.chn.moe" = "127.0.0.1";
-        };
+        xray = { client.dnsmasq.hosts."git.nas.chn.moe" = "127.0.0.1"; xmuServer = {}; };
         beesd."/".hashTableSizeMB = 10 * 128;
-        nfs."/" = inputs.topInputs.self.config.dns."chn.moe".getAddress "wg1.pc";
-        nix-serve.hostname = "nix-store.nas.chn.moe";
+        nfs."/" = [(inputs.topInputs.self.config.dns."chn.moe".getAddress "wg1.pc")];
       };
     };
   };

devices/nas/secrets.yaml

@@ -1,8 +1,7 @@
 xray-client:
     uuid: ENC[AES256_GCM,data:97aX07G5FPumdWcDxnYOs6fRgljXWuwyNXGg1d7zdbUUfNnb,iv:+wAC/DZXsg+evYFA4DMfLw5Ut3ExQl1RgZ/2AsNQDpo=,tag:ebD77muITHof+FQMydWobg==,type:str]
 wireguard: ENC[AES256_GCM,data:JaOSq474mGOoQQcdJ/j9fYo2e1vjXMPxJ69TOd079FrSkbzbIteWww5f8Xo=,iv:uy/NC2+tibL61XJDZK/spKjV9u0oXK4YzjFjYmCAL0k=,tag:en+c8cHaPvDqJL+EpQjr0g==,type:str]
-store:
-    signingKey: ENC[AES256_GCM,data:P6N53f5LQObXW63yciSB11XMFtUlJsp1ZhPs/Wqt5iMR9pxI6CNa92CKWzGJFHvBGQ0ORjY9Qz928lEp9AOSpOsGwUhUFfm1QTKVIg8DTzcBuojIwCHUQAxPbVw=,iv:3RVKj7JZLWDyEjup4UgDj/9OT1Mxs5ouu+kFicBFhDY=,tag:EfwoT/2NfGu9sJbmRylSRQ==,type:str]
+xray-xmu-server: ENC[AES256_GCM,data:3O5rFi5szla70M/c62JV4nGWKPSOREImrOucjeVYf9bde6K8,iv:PGCqlmHtaNuWOtAAeJ6O+CWFpMszijozU1OpUFrftjs=,tag:iGTOoNvQhhZy2FL9jy1KIQ==,type:str]
 sops:
     age:
         - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
@@ -23,7 +22,7 @@ sops:
             by9Rd0U0bzNiK21BQTNxN1RuQ09DQVkKJmSlzV5ppEkZFljsS17ZWmoI++fz4tJh
             kTdoAStG1zsKASHyZTsmdm3RBDO3qV1KhQC2gC7d4EiwNZngxOOZJg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-06-02T06:24:12Z"
-    mac: ENC[AES256_GCM,data:slnXbWsxKYIh0nocX+yjVlCNJ97ieeNF9IRSsUZ3XiSQJEmhW9TQ3Eb8TpvcTYpEkyXrb3b8Z3Lw79VTe3L64/TA+DYzpxfzo0E5CWQBRNSbHoL46FLLjc7sEmW+IiGdzoLUeOPDbYPKYIGfGxymPfuO+Wp3t42kxfWuXs3KiMQ=,iv:I1kRJ8SUQaFNIPFjcCGKvkyr2t7G8TN+WJOksP8Onbs=,tag:m1qMyGWpBwJ8yxyuxLHVJQ==,type:str]
+    lastmodified: "2025-06-30T10:53:22Z"
+    mac: ENC[AES256_GCM,data:XJIKLsszOcJfL9RDcFs7nTDfVIxUGtwhKZhkC7eCKni03b3M/sl2cIwAJ/L20Q+riP2HFcS1ljQA+SjlnY29KWr7DqJ1dM0qcqHjMSlWjurMWPgD4Lf8C7kx2J+6naYiQotQb6y7AfRF9XxAJUaHQe9DdlqHT/bmbtVW5VN1tzs=,iv:IhU7Wo19KOsqxdlSuZg3KtDc08E0dUq2Ahb1J09iLK4=,tag:N9TumoFTKEw/4DT51Lyjjg==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2

devices/one/default.nix

@@ -17,25 +17,16 @@ inputs:
           luks.auto."/dev/disk/by-partlabel/one-root" = { mapper = "root"; ssd = true; };
           swap = [ "/nix/swap/swap" ];
           resume = { device = "/dev/mapper/root"; offset = 4728064; };
-          rollingRootfs = {};
         };
         nixpkgs.march = "tigerlake";
       };
-      hardware = { cpus = [ "intel" ]; gpu.type = "intel"; };
+      hardware.gpu.type = "intel";
       services =
       {
-        xray.client =
-        {
-          enable = true;
-          # TODO: remove on next month
-          xray =
-          {
-            serverAddress = inputs.topInputs.self.config.dns."chn.moe".getAddress "xserver.srv3";
-            serverName = "xserver.srv3.chn.moe";
-          };
-        };
+        xray.client = {};
         beesd."/".hashTableSizeMB = 64;
         sshd = {};
+        waydroid = {};
       };
       bugs = [ "xmunet" ];
     };

devices/pc/default.nix

@@ -17,6 +17,7 @@ inputs:
               "/nix" = "/nix";
               "/nix/rootfs/current" = "/";
               "/nix/remote/jykang.xmuhpc" = "/data/gpfs01/jykang/.nix";
+              "/nix/remote/xmuhk" = "/public/home/xmuhk/.nix";
             };
             nfs."${inputs.topInputs.self.config.dns."chn.moe".getAddress "wg1.nas"}:/" =
               { mountPoint = "/nix/remote/nas"; hard = false; };
@@ -28,38 +29,35 @@ inputs:
               { mapper = "swap"; ssd = true; before = [ "root1" ]; };
           };
           swap = [ "/dev/mapper/swap" ];
-          resume = "/dev/mapper/swap";
-          rollingRootfs = {};
         };
         grub.windowsEntries."08D3-10DE" = "Windows";
-        nix.marches =
-        [
-          "znver2" "znver3" "znver4"
-          # FXSR SAHF XSAVE
-          "sandybridge"
-          # FXSR PREFETCHW RDRND SAHF
-          "silvermont"
-          # SAHF FXSR XSAVE RDRND LZCNT HLE
-          "haswell"
-          # FXSR HLE LZCNT PREFETCHW RDRND SAHF XSAVE
-          "broadwell"
-          # FXSR HLE LZCNT PREFETCHW RDRND SAHF SGX XSAVE
-          "skylake" "cascadelake"
-          # SAHF FXSR XSAVE RDRND LZCNT HLE PREFETCHW SGX MOVDIRI MOVDIR64B AVX512VP2INTERSECT KEYLOCKER
-          "tigerlake"
-          # AVX-VNNI CLDEMOTE GFNI-SSE HRESET KL LZCNT MOVDIR64B MOVDIRI PCONFIG PREFETCHW PTWRITE RDRND
-          # SERIALIZE SGX WAITPKG WIDEKL XSAVE XSAVEOPT
-          "alderlake"
-        ];
+        nix =
+        {
+          marches =
+          [
+            "znver2" "znver3" "znver4"
+            # FXSR SAHF XSAVE
+            "sandybridge"
+            # FXSR PREFETCHW RDRND SAHF
+            "silvermont"
+            # SAHF FXSR XSAVE RDRND LZCNT HLE
+            "haswell"
+            # FXSR HLE LZCNT PREFETCHW RDRND SAHF XSAVE
+            "broadwell"
+            # FXSR HLE LZCNT PREFETCHW RDRND SAHF SGX XSAVE
+            "skylake" "cascadelake"
+            # SAHF FXSR XSAVE RDRND LZCNT HLE PREFETCHW SGX MOVDIRI MOVDIR64B AVX512VP2INTERSECT KEYLOCKER
+            "tigerlake"
+            # AVX-VNNI CLDEMOTE GFNI-SSE HRESET KL LZCNT MOVDIR64B MOVDIRI PCONFIG PREFETCHW PTWRITE RDRND
+            # SERIALIZE SGX WAITPKG WIDEKL XSAVE XSAVEOPT
+            "alderlake"
+          ];
+          remote.master.host.srv2-node0 = [ "skylake" ];
+        };
         nixpkgs = { march = "znver4"; cuda.capabilities = [ "8.9" ]; };
         sysctl.laptop-mode = 5;
       };
-      hardware =
-      {
-        cpus = [ "amd" ];
-        gpu = { type = "nvidia"; nvidia.dynamicBoost = true; };
-        legion = {};
-      };
+      hardware = { gpu = { type = "nvidia"; nvidia.dynamicBoost = true; }; legion = {}; };
       services =
       {
         samba =
@@ -74,24 +72,17 @@ inputs:
           };
         };
         sshd = {};
-        xray.client =
+        xray = 
         {
-          enable = true;
-          # TODO: remove on next month
-          xray =
-          {
-            serverAddress = inputs.topInputs.self.config.dns."chn.moe".getAddress "xserver.vps4";
-            serverName = "xserver.vps4.chn.moe";
-          };
-          dnsmasq.hosts = builtins.listToAttrs
+          client.dnsmasq.hosts = builtins.listToAttrs
           (
             (builtins.map
               (name: { inherit name; value = "144.34.225.59"; })
               [ "mirism.one" "beta.mirism.one" "ng01.mirism.one" "initrd.vps6.chn.moe" ])
           )
           // { "4006024680.com" = "192.168.199.1"; };
+          xmuClient = {};
         };
-        acme.cert."debug.mirism.one" = {};
         nix-serve = {};
         misskey.instances.misskey.hostname = "xn--qbtm095lrg0bfka60z.chn.moe";
         beesd."/" = { hashTableSizeMB = 4 * 128; threads = 4; };
@@ -114,17 +105,17 @@ inputs:
           };
         };
         ollama = {};
-        docker = {};
+        podman = {};
         ananicy = {};
         keyd = {};
+        lumericalLicenseManager.macAddress = "74:5d:22:c7:d2:97";
         searx = {};
-        kvm = {};
+        kvm.aarch64 = true;
         nspawn = [ "arch" "ubuntu-22.04" "fedora" ];
-        nfs."/" = "192.168.84.0/24";
+        nfs."/" = [ "192.168.84.0/24" ];
       };
       bugs = [ "xmunet" "backlight" "amdpstate" "iwlwifi" ];
-      packages = { android-studio = {}; mathematica = {}; vasp = {}; lammps = {}; };
-      user.users = [ "chn" "test" ];
+      packages = { mathematica = {}; vasp = {}; android-studio = {}; };
     };
     boot.loader.grub =
     {

devices/pc/secrets/default.yaml

@@ -13,11 +13,10 @@ nix:
     remote: ENC[AES256_GCM,data:uosYkxTCB0wiY+Uufk//OcBZFN3EzbZoQGZ95M9eZMjQ5AobAZqosi4laE+EMcZL1CqYqlWXaSoEUOB8biUaZPseo+1AX1TlmUgZ7QpkfOX0VKZu01C6C+lVyqVqMFq6z1BFyX/oeITMIfnd4a/2KwJCHLAZ4hMkJ5p+aJwByKGa3N/2m41HH/1S3z7pYQWj7YJxunTPPG6WNSiRncQki11rvmddwnXmsBF89+jW1Phge8U295haC57T5oIGPxR645IeTK4ZUlL8eVuZ+BhsnwbkYcaxvjSwe+DOIVPupR8GW+gis7KxwE89kqvnQhinamexcPUz4lGHlqO/Xn6jrJx6T/wXF+19epAzeHapYte3dTWNsdPwPLPJihT16YT5fwrLnH3zq8kexWz1crmnCGUoaBs4S2tHWHLgv2lTv0IHLx5F6ijpDBj/Avg9YILIURzdeea+rBxdycHasUDTVlJtYKRH5J+WbAKWI+oJ5qmXjIRUYL+O9xIUfOGO+1b3xs8MYxRWuvDV2P88N8vN,iv:yQQp5wjbSVn1oia5yL7d6GF9Vo704G0iOQRGMbzQHzg=,tag:bpBag5y5n+7ojOa8QOcDvA==,type:str]
 searx:
     secret-key: ENC[AES256_GCM,data:KhIP+Rz3rMfNgPEGTlKGvm6gl1/ZuPI=,iv:GcaLEJHKJO3n6IaeiFr9PaJ6eNx04/VjX3UgmBF429g=,tag:HkplyH9hTHUaEZ709TyitA==,type:str]
+xray-xmu-client:
+    uuid: ENC[AES256_GCM,data:XiUkReTJLAxZNWFVeD6EiOtUX5tsyPLFi6QyDBdHyB4v5/mD,iv:QppdtP2CFDEVhlrmDJKYBGc1zYGJvpGYxLfsBAMxDSI=,tag:jzMSFRit+aBzWMkaa3+5hA==,type:str]
+    cookie: ENC[AES256_GCM,data:fx/cqNNpI71FslngfeXFQA==,iv:xZEtOsKgS/8xNqF4B6NKI9+klrpNcraW17KKirMnEfM=,tag:YyczKED2Yo0D6I+RvMjJLg==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
     age:
         - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
           enc: |
@@ -37,8 +36,7 @@ sops:
             OUlxNjdQaXdXMkZ6bnV1ek4yZ2dpbkEKpKGOAxo5Eef2jtGrg4iSzmGCeg+vTgvu
             +K8b+O19MIkGMDBm6UbYUPtc/7eqoEZRiTUzNMTmfkLVS4ul5zou9A==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-05-24T11:27:02Z"
-    mac: ENC[AES256_GCM,data:uNkThOX3NEUeiaJVavZ0rCpQRT+GbRXADiMuAwb/tg38fBrKQeUO9ohicl/UfiDFRTfCaiuH3T757jX2b51go2s0B6n7DOvPYYZ5EWGnM69RFxrdDfWfge8n8/SHmuKR9dPJb/eSa8HAs8uDnqBPoR5SqG5lnyZs3a7P/kjK2T4=,iv:snmnuYmcuyhGs4YrIGFLmDffFE9yecB/vsM0MvxBR4k=,tag:vbqA7jvVCFHvLoLmKbfO4g==,type:str]
-    pgp: []
+    lastmodified: "2025-06-30T11:24:37Z"
+    mac: ENC[AES256_GCM,data:V6Gs9hCPIb42nW81Gmy1dz5LFLeX97UuzVbvst/rtuSJHdFzXKxYqIGjHNRK5mGWG/NdTXQ79ELlvpSOgKYAk6gn9ZMn9wCDDbe6spDoGBWL4Ky7mCiSPRcLZ++J+2nP0Q987kZ6IMdMWkFNJmOKWBX/nnp4/aicwyteqNHt4cI=,iv:1wWS0D4RJeWKERfqMQRB75Nh1oKSQzF+r5yOphMrg9Q=,tag:DBPZx1+X7nMLW9xsyEn62A==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2

devices/srv1/default.nix

@@ -16,10 +16,8 @@ inputs:
               { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
           };
           swap = [ "/nix/swap/swap" ];
-          rollingRootfs = {};
         };
       };
-      hardware.cpus = [ "intel" ];
       services =
       {
         sshd.passwordAuthentication = true;
@@ -62,8 +60,8 @@ inputs:
           ];
         };
       };
-      packages.vasp = {};
-      user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" "GROUPIII-1" "GROUPIII-2" "GROUPIII-3" ];
+      packages = { vasp = {}; lumerical = {}; };
+      user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" "GROUPIII-1" "GROUPIII-2" "GROUPIII-3" "zgq" ];
     };
   };
 }

devices/srv1/node0/default.nix

@@ -21,8 +21,10 @@ inputs:
       };
       services =
       {
-        xray.client = { enable = true; dnsmasq.extraInterfaces = [ "eno146" ]; };
+        sshd.motd = true;
+        xray.client.dnsmasq.extraInterfaces = [ "eno146" ];
         beesd."/" = { hashTableSizeMB = 128; threads = 4; };
+        xrdp = { enable = true; hostname = [ "srv1.chn.moe" ]; };
         samba = { hostsAllowed = ""; shares = { home.path = "/home"; root.path = "/"; }; };
       };
       packages.packages._prebuildPackages =

devices/srv1/node2/default.nix

@@ -22,7 +22,7 @@ inputs:
       };
       services =
       {
-        xray.client.enable = true;
+        xray.client = {};
         beesd."/".threads = 4;
         kvm.nodatacow = true;
       };

devices/srv2/default.nix

@@ -7,18 +7,13 @@ inputs:
       model.type = "server";
       system =
       {
-        fileSystems =
+        fileSystems.mount = let inherit (inputs.config.nixos.model.cluster) clusterName nodeName; in
         {
-          mount = let inherit (inputs.config.nixos.model.cluster) clusterName nodeName; in
-          {
-            vfat."/dev/disk/by-partlabel/${clusterName}-${nodeName}-boot" = "/boot";
-            btrfs."/dev/disk/by-partlabel/${clusterName}-${nodeName}-root1" =
-              { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
-            nfs."${inputs.topInputs.self.config.dns."chn.moe".getAddress "wg1.pc"}:/" =
-              { mountPoint = "/nix/remote/pc"; hard = false; };
-          };
-          swap = [ "/nix/swap/swap" ];
-          rollingRootfs = {};
+          vfat."/dev/disk/by-partlabel/${clusterName}-${nodeName}-boot" = "/boot";
+          btrfs."/dev/disk/by-partlabel/${clusterName}-${nodeName}-root1" =
+            { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
+          nfs."${inputs.topInputs.self.config.dns."chn.moe".getAddress "wg1.pc"}:/" =
+            { mountPoint = "/nix/remote/pc"; hard = false; };
         };
         nixpkgs.cuda.capabilities =
         [
@@ -35,7 +30,7 @@ inputs:
       hardware.gpu.type = "nvidia";
       services =
       {
-        sshd = { passwordAuthentication = true; groupBanner = true; };
+        sshd = {};
         slurm =
         {
           enable = true;
@@ -80,8 +75,8 @@ inputs:
           };
         };
       };
-      packages = { vasp = {}; mumax = {}; lammps = {}; };
-      user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" "lly" "yxf" "hss" "zzn" ];
+      packages.vasp = {};
+      user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" "lly" "yxf" "hss" "zzn" "zqq" "qmx" ];
     };
   };
 }

devices/srv2/node0/default.nix

@@ -5,30 +5,29 @@ inputs:
     nixos =
     {
       model.cluster.nodeType = "master";
-      hardware.cpus = [ "intel" ];
       system =
       {
         nixpkgs.march = "skylake";
         network =
         {
           static.eno2 = { ip = "192.168.178.1"; mask = 24; };
-          wireless = [ "457的5G" ];
-          # masquerade = [ "eno2" ];
+          wireless = [ "409" ];
+          masquerade = [ "eno2" ];
           trust = [ "eno2" ];
         };
+        nix.remote.slave = {};
+        fileSystems.swap = [ "/dev/disk/by-partlabel/srv2-node0-swap" ];
       };
       services =
       {
-        xray.client =
-        {
-          enable = true;
-          dnsmasq = { extraInterfaces = [ "eno2" ]; hosts."hpc.xmu.edu.cn" = "121.192.191.11"; };
-        };
+        xray.client = { dnsmasq = { extraInterfaces = [ "eno2" ]; hosts."hpc.xmu.edu.cn" = "121.192.191.11"; }; };
         beesd."/" = { hashTableSizeMB = 16 * 128; loadAverage = 8; };
+        xrdp = { enable = true; hostname = [ "srv2.chn.moe" ]; };
         samba = { hostsAllowed = ""; shares = { home.path = "/home"; root.path = "/"; }; };
         groupshare = {};
         hpcstat = {};
         ollama = {};
+        sshd = { groupBanner = true; motd = true; };
       };
     };
   };

devices/srv2/node0/secrets.yaml

@@ -6,13 +6,9 @@ mariadb:
 hpcstat:
     key: ENC[AES256_GCM,data:+Z7MRDkLLdUqDwMrkafFKkBjeCkw+zgRoAoiVEwrr+LY0uMeW8nNYoaYrfz6Ig8CMCDgX3n/DMb0ibUeN32j3HShQIStbtUxRPGpQMyH+ealbvgskGriTFpST4VPyQxNACkUpq/e+sh2CmLbKkSxhamkjKOXwsfqrBlgVbEkp7u7HkWGuAaYL1oPGt0Q94fWXwH0UVhRYZYQ2iFA/S6SEZY8gxaTIGDKUdWU9+fOHzPQ5WfhxtKYU4p4ydyfYsAt6ffqnPSx/SI72GsUCOJ4981JX8TuvnEzx3gQLVFYheK6NibTWCy6eODbvguieVOTHSvCPTrHmoP12lHVWU2kKzLwv70Jl7sXyzKHYROG0D+/z/4DKlNeotKM/IA0q2cST08/lwSKN7WDDmrt+O6xXhvwby28ZYKEsSvvrfV+VIKzHPl84ZKbUEX5xv/GHc3THfznUvKKz5PzDiqrkjCkEt5PRMsVW9A6MU1+QEUr+sXLLtcUd2CCL87c8CpwNHJx1us6vJ4ji1gu0PGoT+60,iv:yU6j9W2Hs2D34uHMJqqPFbNy2pNEZY2kzXoNdhPMSmA=,tag:TNvEfMVrhu7HrNxY8qe5mg==,type:str]
 wireless:
-    #ENC[AES256_GCM,data:xrg3Wxj/ghbWgg==,iv:6stu7voI5no2Y3YmnMrvTS8hev3eqjoWAyD5zTgyehc=,tag:cxkS7y7S1oM+/SJmlT10fw==,type:comment]
-    457的5G: ENC[AES256_GCM,data:QjHlyGU4JIYymyh41T+c33T3EOpbqDOoD3U+v6/BzjlWLLeZQXU2hwPCVh4fi2bwn7yNkp4ygAYmFPVPZWoT1A==,iv:Tc6Guzsn5hkjWH6UWSb1KlfWCBXIi2OWdn/wttmCXnQ=,tag:FhyH6JmjSTuqSeFy+GyQhg==,type:str]
+    #ENC[AES256_GCM,data:n9OPSJsB7yNk,iv:xQzKJxqPB7uT83m/B4UoOje6NQbPLhuHR7Hp93oNz8A=,tag:gtsTx6ALnS/7fIDd7VimOg==,type:comment]
+    "409": ENC[AES256_GCM,data:XJ2apDx9E4RM7YzK6wYzxn4eBkVS3l6LIaMtUai2MZ/W0xkaixyV/g/s+cVQtgph2gEcNoLOWbsxr3h8CsrOTA==,iv:O643ytrgHKB4RM6lZKZcr0fLmS2icRnek9praw43jWc=,tag:6Pk7CmiJyvAeW/1V4mvRJQ==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
     age:
         - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
           enc: |
@@ -32,8 +28,7 @@ sops:
             M0xoL1dQR0kvMWpzN0RMNWVCTFQxNFUKj9LPjBo5NGOrGYNvu8qZ13PLYjLEWllU
             LARzEn4XgkeHckouwvxZYMCx7WxmAruRWaOvnxTIczzSNP7wIrqnkA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-04-10T10:44:43Z"
-    mac: ENC[AES256_GCM,data:6EeWT8IiCGyRdR/9WDoTTM8bBuhzf2LtP1kahCgfvFpU6g5HB+qG5O0eXaL0DMKg7OQJKHIS/wZVaEierVwno0CnP1WR7y9l6Rlab2nVG4YCNkEkwqZgIWFOUi0aZrZQc7WC3rUk1gxiJK38nEa4ebk8oqAbyHyKHsFAeUcMbqA=,iv:oqRLvYsXct+OwcymXslEH4o03vLNeV2eU/4zK8R+gKs=,tag:0d1DYjCGRewUd4aHPIpFSw==,type:str]
-    pgp: []
+    lastmodified: "2025-07-10T10:08:37Z"
+    mac: ENC[AES256_GCM,data:ELeHLFJuOUs8CFIuu08zqp56AijpxxLKlfUo6cWmqwURy/BC6CTFqkNwsD8NirCzSsNTRnwk3pAVXPjJCrk8rnnH4uqiA639h3qMdEpHJLsVhv2+ounGObW7+R/IYJQaSmBWHzZimQsAbp2eVufu3mnu3wjUOhXM6xs0ofuxLWM=,iv:M7PK2S4Okb0MhsJ6d/bJfkMUOoXUMwbWVsHiuxE6Nt4=,tag:4QwSM0dU0mY5Xs03RS1FUw==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.9.2
+    version: 3.10.2

devices/srv2/node1/default.nix

@@ -4,7 +4,6 @@ inputs:
   {
     nixos =
     {
-      hardware.cpus = [ "amd" ];
       system =
       {
         nixpkgs.march = "znver3";
@@ -14,6 +13,7 @@ inputs:
             { ip = "192.168.178.2"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; };
           trust = [ "enp58s0" ];
         };
+        fileSystems.swap = [ "/nix/swap/swap" ];
       };
       services.beesd."/".hashTableSizeMB = 64;
     };

devices/srv3/README.md

@@ -41,10 +41,9 @@
   独立的 IPv6 免费，但暂不支持（技术上没有准备好，如果有人有需要我就去准备）。
 * 只卖朋友和朋友的朋友（总之得有人保证别拿去做坏事）。
   若此定价对您来说仍然难以接受，可以联系我，打五折或者免费。
-* 此价格有效期三个月（2025-05-17 至 2025-08-17）。
-  05-17 前免费，08-17 后定价会视情况调整（例如将流量计入收费项目，内存部分相应降价），在那之前会公布新的定价。
+* 此价格 2025 年 9 月 17 日前有效。之后大概率也不会调整，但保留调整的权利。
 * 预计收入无法覆盖成本。如果某个月的收入高于成本，承诺会将多出的部分捐出去。
-* 非 kvm 虚拟机的服务（例如，只跑一个 docker 容器，只跑某一个服务）定价私聊，大致上是上方价格再加上我的工作成本（事少的免费，事多的就要实收了）。
+* 非 kvm 虚拟机的服务（例如，只跑一个 podman 容器，只跑某一个服务）定价私聊，大致上是上方价格再加上我的工作成本（事少的免费，事多的就要实收了）。
 * 配置随时可以调整。所以按照自己这个月够用的来就行，不需要为未来留余量。但每次调整都需要重启虚拟机。
 * 母鸡价格 40 美元每月，配置在下方列出。
   * 机房: LAX3 （IP：srv3.chn.moe）

devices/srv3/default.nix

@@ -15,7 +15,6 @@ inputs:
             btrfs."/dev/mapper/root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
           };
           swap = [ "/dev/mapper/swap" ];
-          rollingRootfs = {};
         };
         nixpkgs.march = "haswell";
         initrd.sshd = {};
@@ -31,7 +30,6 @@ inputs:
           };
         };
       };
-      hardware.cpus = [ "intel" ];
       services =
       {
         beesd."/" = { hashTableSizeMB = 128; threads = 4;};
@@ -68,8 +66,8 @@ inputs:
           test =
           {
             owner = "chn";
-            memory.sizeMB = 512;
-            cpu.count = 1;
+            memory.sizeMB = 4096;
+            cpu.count = 4;
             network =
             {
               address = 4;
@@ -92,18 +90,18 @@ inputs:
           synapse.matrixHostname = "synapse.chn.moe";
           matrix = { port = 8009; redisPort = 6380; };
         };
-        vaultwarden.enable = true;
-        photoprism.enable = true;
+        vaultwarden = {};
+        photoprism = {};
         nextcloud = {};
         freshrss = {};
         send = {};
         huginn = {};
-        httpapi.enable = true;
-        gitea = { enable = true; ssh = {}; };
+        httpapi = {};
+        gitea = {};
         grafana = {};
         fail2ban = {};
-        xray.server.serverName = "xserver.srv3.chn.moe";
-        docker = {};
+        xray.server = {};
+        podman = {};
         peertube = {};
         nginx.applications.webdav.instances."webdav.chn.moe" = {};
         open-webui.ollamaHost = "192.168.83.3";

devices/srv3/secrets.yaml

@@ -75,48 +75,8 @@ xray-server:
         user0: ENC[AES256_GCM,data:n6gIZGYdT6wEfKgizFvIE802AkpR8BpSPSZrQ5WP/aZWzLUL,iv:AxnwFOzmIRm3nTLpi8/4lkv+TjO4y4RZQtHO0GriD8o=,tag:nllDCaLZd6JNS2JqwvgVyg==,type:str]
         #ENC[AES256_GCM,data:uhAauqQ1oQ==,iv:0Sr6YjarjkLmBq5H1ELb3SYBzrTVhqIE6qPxc9HYeKY=,tag:NvGGSY99Y7d3OTnpOr2p2g==,type:comment]
         user1: ENC[AES256_GCM,data:EcEySx/n52rN5REPEWNjCuWywokvOetadbljqPpDPADTeeSk,iv:7r3CdvHJT1iZvx1Xn53It1ZxIkdLVIeQ+Q03zISm94k=,tag:8cIGZUlIhVgRc2FeU931kQ==,type:str]
-        #ENC[AES256_GCM,data:qbXmxTn+Mwk3zw==,iv:8F/0ELOwXMrKaigfRmwvGREujqNwM6XjIeaPyr6JS5U=,tag:PF/PAQCwzH7uOj+xgM0rKw==,type:comment]
-        user2: ENC[AES256_GCM,data:cA2oKqGsKuZyydMQspbSrWqsQIAde/VtGIPybC2gr3Bg355H,iv:YOj+6f6YR3Ze3x5IrqdqzXp9e3v1jdAu8re1Is6Q4eQ=,tag:n/CV6+PX/y+okpJwRraSDA==,type:str]
-        #ENC[AES256_GCM,data:VcLtO+6YWg==,iv:TWM3IY00V+LaJzk+E8ji/v7Ol4TCvSP/FHzFsV5MGIE=,tag:CijsW2O/AKpWgQUm6ipPeg==,type:comment]
-        user3: ENC[AES256_GCM,data:F3HK6znDEsN8UO7B9vBs03jyjqoQ+MGCcNJuOeglSBzLD2Hy,iv:TKBRe8Qmn9DL4AEilX20YcKbz6bydKsQUuUd5lyM2jE=,tag:nAyrTD4zkJ6CjLuj29zuJQ==,type:str]
-        #ENC[AES256_GCM,data:UFE3pg02VA==,iv:thT5OYPIHLIjKB7uiAk5vff8rtsgwncdo+U0KmW3uTE=,tag:qGWmSsI1mzg8ZbpunxBuyw==,type:comment]
-        user4: ENC[AES256_GCM,data:FYMQFFTCue+umBl5OwJvlZ+NyocsRbkycr+y1L6d6LPdR9px,iv:ZX9Z0dqmBvvXlz+oEYd7vQ5rW5lvmlc+bneDguQld30=,tag:y3d7aDWOtO0T3Yf5pGnffQ==,type:str]
         #ENC[AES256_GCM,data:KuuPQQ==,iv:LGGqLFV4CnUMLWaNbHj6bRseetvdMdSOefV1FeYlJSA=,tag:wXlqKM2BuoMRZAwYbv5eOg==,type:comment]
         user5: ENC[AES256_GCM,data:T5p0POx9Cnqdlp0blEYvAnRNIDOCNVdpOBR4rVQ1/07/rOCX,iv:EZx6ToeORzHoG+aEPi9oiTcwp4bOIAJpPUvemhYM96Q=,tag:aSS+RY5rEzr62mbE+JDanw==,type:str]
-        #ENC[AES256_GCM,data:tmlMaaDT4Q==,iv:zDBCjdBioiXGbJve03VcwCt81hiFxyKqql9rp6zW25g=,tag:cxedo8U2FICH5yMoPXwQMg==,type:comment]
-        user6: ENC[AES256_GCM,data:LzYfIXgZP0q9FpxDM6skSTiwOxEO+N5wuFq86KAazqe8zS/h,iv:Jh7bWMVr5U69L1uARLMUciWvv/aRjJJeEXvU5bo8e3A=,tag:PxesHErVSlkbuNeeRpQfEA==,type:str]
-        #ENC[AES256_GCM,data:boB2Ug==,iv:echGnXhoj2wX7GDj302nbirmzQFCqql2jtY0JaNyla4=,tag:7YnhNwCFZ9rOstanr0wGcw==,type:comment]
-        user7: ENC[AES256_GCM,data:s1O6GRn/9T9DWKlcXJTnOoAPZnPgHGBpZZcEDAKRtiYAI/5p,iv:JyaGsolN5WgQekPYxJiJbniuxLPf3+elHHbd3+ZrLtc=,tag:32wNUTqyyaKoPRQdB4U0SA==,type:str]
-        #ENC[AES256_GCM,data:cvG7WQcnwj+u9A==,iv:ui40+u9yE/Prksmiqed1NjuHyNP2RGtgSMazfI8ultc=,tag:he2F4i71Z8gFdW3fmRdhUA==,type:comment]
-        user8: ENC[AES256_GCM,data:roCYRvszJo7weozfIRoGgUhIs1f2a5/a2d1b/Iy6WEbbehOS,iv:tcOsL0SE4qMRPZIGOlzRIaMJvcapx2H9HK4D8qmSbIs=,tag:Z0skFdgtpjSR7jli3dwd5A==,type:str]
-        #ENC[AES256_GCM,data:IFXAXr0RVg/DCA==,iv:pKdnsUFX4XXJIZleA71fAfua1ibSa/2tgjdqnhbt/Rg=,tag:2Fv397j/uJDFZ/uvBxtrQw==,type:comment]
-        user9: ENC[AES256_GCM,data:5HP+OVmf+dsS8sDHakC7Yx1HVutMoTbITONHQiSvHw+17M9J,iv:TYDf7lx04pHohbGBbPJvOAoIGUKqil59k4Pt405/9kA=,tag:HUxT/uSR8sYCXQ8uX69Fqg==,type:str]
-        #ENC[AES256_GCM,data:7TJeKZM=,iv:FKcgDOtV417n1xmufqB3WENrbZ0V93sI5/XhiDYouMw=,tag:TchW2jgxZAXHvvMYY089dA==,type:comment]
-        user10: ENC[AES256_GCM,data:+u1KwJo3Y4enFM2RVr379GF7O6r9bWofUEZ2994IIC+Ce2NV,iv:ssKA5y3JM4tm+JdVznQFUAYmlrHaWd8hQXs6R/aEXN8=,tag:Q5uuM1sBZJRYBe4XXTL3ZQ==,type:str]
-        #ENC[AES256_GCM,data:O3qEWI+vFA==,iv:R7HLFRNszV6yXwciNfk/rTbDQYLmKsTCQFCfWIpJdfY=,tag:DjuM2a48/lDF11aLIf3Fgw==,type:comment]
-        user11: ENC[AES256_GCM,data:4HDGJq9nl8oGeQEo0XBEUiJweAaZ9yWc9Ib1TM91Djj2jH8d,iv:1i9/bZhHkhc8dP9Pg4gIRnCms61AP9VYxAG4acV3gpQ=,tag:vID9DEXZu3wGbXDqsLVEAg==,type:str]
-        #ENC[AES256_GCM,data:CdJubErTSg==,iv:UKn0lvbCzJnE241Tg3yjSx4xZNbp5sa/NfgIlRNU5z8=,tag:6FMGY6hbMQQFoN31z4e4uw==,type:comment]
-        user12: ENC[AES256_GCM,data:U+ynUYI+l6McI9oWF4PNiLUwvNowdseZ5gO8o73cX8MsXS2+,iv:r0KIBXczRkubZqyM/LUBPp/x9Zb/rvDJIKGGKkR3EfY=,tag:yn7806HD7ei57UtpuPjlkg==,type:str]
-        #ENC[AES256_GCM,data:3trgclrgDXhKUg==,iv:qyLmCBaB5ql950diUj7YlPi6P3a0hYH8adADEI0AGrU=,tag:Oleq79giA9/gYBO8Carznw==,type:comment]
-        user13: ENC[AES256_GCM,data:M6JXRrqnKrdihAA1aUg9zzJfhCK5TLLRf4wZkemnlHyaXnLL,iv:OA6i+BGYTr9gILE3jzFILLZvPRZeAvmSbXEStihN3aw=,tag:WcpTKRC8crDhzKHcxjtICQ==,type:str]
-        #ENC[AES256_GCM,data:VryB1AM=,iv:6FdWfpQ53bdpkXZ22gpy8GxKb1X7bak0K/Oa56mP7Uw=,tag:VBg7u7MSMl4Pr72W6ugYEg==,type:comment]
-        user14: ENC[AES256_GCM,data:g8y07VaxsuTs74L5xF/XDlmYetOfXFwHEr+FCHRtFLKwTAVq,iv:TjT49pTk97l3u1wGG7BmqZr/LAMC2765er3HGarOANw=,tag:zt1ojulNjWcuKIdix6NFJw==,type:str]
-        #ENC[AES256_GCM,data:Bawjfo3ubW1eXA==,iv:m2/ViC9AIZUV3Wl9EBYV5L0QQDw7QgXPpQ7WX22XpQ8=,tag:1wqpie9BuDi7BiDCvRIWog==,type:comment]
-        user15: ENC[AES256_GCM,data:2Ylnb7ZJgr3ha0rXrjkscPX9zJI2L9aydfL5Ndl2b9cJmVUC,iv:mu0GlGGXH4njmi4KzsvFSJN2zC5IcXVQ6oqVv2ClWpM=,tag:AIhnDqQehLyJY+wh7RWTYg==,type:str]
-        #ENC[AES256_GCM,data:uORLUE+excPAuw==,iv:K1Qch9qkg5T59+lcMC7vHWu1mnOv2dH5cOAZHX8HhgQ=,tag:chVMn/kb3Rr3f2igjbsAUA==,type:comment]
-        user16: ENC[AES256_GCM,data:D4lPjTb2kaYfUSCCRaMpGNtzLIfvPvfiJK+kkTQtSMOBglpN,iv:FCpHHBSKDYA+H6fgabNggXJlenzg5am5excBknpD1uU=,tag:FPQaBfLiZ5PBJa8gCpBfTA==,type:str]
-        #ENC[AES256_GCM,data:Cfs0Ul9BHWW/oQ==,iv:OOcRWmc7fy2RnE7+TtSBauKa1k1/unC1nFJ2SJ3yWqk=,tag:q6MjcXEYuep1eRw5BJspqw==,type:comment]
-        user17: ENC[AES256_GCM,data:2mzbUcGRye0cdgQxoTzSeKaM+m1dUPvKq61uBnGvZDFXrqQ7,iv:hxkruf0Xo1ZNJ/ym5YdLGJF5aK5nXZMJ46XC18Aksmc=,tag:KrUCTgDgYndxhi8QSYpGwA==,type:str]
-        #ENC[AES256_GCM,data:vHvpcqJaH2hPTg==,iv:S1WbgLU+15FMJr699YGY4f9r8wIg880tjJo6W6APhx0=,tag:F7fbA83eco8/Qd6u4vUMbA==,type:comment]
-        user18: ENC[AES256_GCM,data:LwZKy71ecB/E2EMIaUuFV0a7j+16EWo8LA9/0Gc8lpXAQpaT,iv:+cjrRDSvW7KFGDlpI6W+eDi3bux+eQl6NXNjnUoj7L0=,tag:PurtN+Vede0DNTQqbea1Ig==,type:str]
-        #ENC[AES256_GCM,data:rhbv9bL/0d7pGA==,iv:XvKiQWO72BfHhVRyti5ST9+f9tPUne2IcMNC08kD9r8=,tag:qhA6q4MrX3lAELrrGM8LCQ==,type:comment]
-        user19: ENC[AES256_GCM,data:jOyA913cS21eGwjUPY/XrQUBofoHwsCHghpmjzGx7cBzk/K0,iv:wXAnuSUhJ+gwGvMF7/YsfgeTHOvQC+S6rM5DzypvOuo=,tag:b/FsoypjkVYLSfyowNL2Nw==,type:str]
-        #ENC[AES256_GCM,data:Q48F7+SNdz7duKY=,iv:KIb6lIJWAVXKekBhwPztkySYDA7IP4jMjDsWy+waeFQ=,tag:s8hEz2zrh1ZXNKi/IuVV4Q==,type:comment]
-        user20: ENC[AES256_GCM,data:D6+eQdWO/W4P1ul9zQLpUQxqNA+kytz5ZHH6HmU/jwSuq3hU,iv:U4H7Ez0P3gWBLVeQ6O4PN4AmVP7Ij3oArhMmfT1BWic=,tag:l6TNsJFXXH/+yMcszkVRrQ==,type:str]
-        #ENC[AES256_GCM,data:F8qJksiC3Z8GbJc=,iv:yDBYQLUFFSXMn5Vo69rXzGBWzA+GkYw1qHS/ShisH7w=,tag:mnxj03thlYN5KhKDUO7hug==,type:comment]
-        user21: ENC[AES256_GCM,data:QeSxzBR6fLAyoUsA4aGKilYHcF42SNdkwjdwWZbxNvqZU6bf,iv:ocZGB4i8M7qM9Ypp3BUlGIdGL0AQx8NdO5yBZFLB6fk=,tag:WMFmljoJSnCU8BL/GfiZMg==,type:str]
-        #ENC[AES256_GCM,data:LxUne7UMT32f,iv:AyVaLB7Ni6HB5BE+InEG99TQsEzdQG7EXoHXC8PLGlQ=,tag:j5GoVfDsqoHypkxYFNPjyg==,type:comment]
-        user22: ENC[AES256_GCM,data:lzFvCb/zbTZs2jmYUfl3onGeWjBCdjxcIzAIff/fm6Qre+HZ,iv:eSiosE3eOrl7iLnOV41w+pwdtcske/4R1Bf1D1qxsOo=,tag:r69jFKp/FlxN3MEL5E6EXA==,type:str]
     private-key: ENC[AES256_GCM,data:xz7xFt/g++E79bIl6AeBWATHDB+gHBIoXo5vdWTeyrAT1RtllgYie9k3Fg==,iv:x7fdmSINQA+F7a08jpuvCAg7vIZpsYaoX+EnitJMUCk=,tag:GAb/RRdAOlteIQPxeIMAXQ==,type:str]
 peertube:
     secrets: ENC[AES256_GCM,data:OR3OA8qJsq1gAYiv1rShNa8eODzIxPOpVbqbnseSCMUNx4+FeOgReTLl7cXHPxbBkrJbsfEq5XYm1QtRtxotdw==,iv:6vz0ezsFuCNsBduNhm4VQ+it6oEJF/eMxktVFhdXgug=,tag:hmW7BwF9C53SAHhu2HBLYg==,type:str]
@@ -144,7 +104,7 @@ sops:
             d0h3aDh5QXFZYWJFdmNVYnJxQ3pBeVUKTl0XVvtwJcz+RpSylgDPl/R8msInxvWX
             eQGmrDHibeE1V+KSDiuNzC4MVRIrOnh1beHrhnVQ86HwPVgJqs2FoQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-05-26T10:55:01Z"
-    mac: ENC[AES256_GCM,data:ek8oYslh51198fhnYy8LgZQBo3QEnCumeSzLEIEFp/bQshfPVtiMt29n37y89GZjfvd/UL/J/i4sxHqF328+MoMtIYwcDzJoHp/ZNJYZoM19UjEsPL5YemRRXz++gw3tvDgqPzYvtr93pg6+WcPNToIhzsew7QzYj2xLiSaecvQ=,iv:wk8RcTUbZwUHRAgNRuZ3SWWv6O57hHBCkccYNZiMwPQ=,tag:8bwhsrkk8bVMwThZQPkNXg==,type:str]
+    lastmodified: "2025-06-09T01:35:04Z"
+    mac: ENC[AES256_GCM,data:q2BolEBB6Ik8yx6NHnnE3Wcl2rGVZN86dpfLJrrFOxWd8fZyfBQ/00v4dUZSZw0aQoMj1V2RBDyVtScuRiH0NVb6+RfX+0t3zTEf6guuJdurczLBz9+D51+Th3KE1uk+UjI7J+Q/TOWTvoGMj8P4XZCXQsCDIct/vbLGqNB9CgM=,iv:/6xR7KXXLejm9Iuqcxc/7IqLEckNhmaJTKzJGonSrng=,tag:XdeCoEkHefw2HqTGSchUJA==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2

devices/test-pc-vm/default.nix

@@ -1,25 +0,0 @@
-inputs:
-{
-  config =
-  {
-    nixos =
-    {
-      system =
-      {
-        fileSystems =
-        {
-          mount =
-          {
-            vfat."/dev/disk/by-partlabel/test-boot" = "/boot";
-            btrfs."/dev/disk/by-partlabel/test-root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
-          };
-          rollingRootfs = {};
-        };
-        nixpkgs.march = "znver4";
-        network = {};
-      };
-      hardware.cpus = [ "amd" ];
-      services.sshd = {};
-    };
-  };
-}

devices/test-pc-vm/secrets.yaml

@@ -1,26 +0,0 @@
-nixvirt:
-    chn: ENC[AES256_GCM,data:0llBtdnPLl8=,iv:0w0huoNCvIiaL77Thj1iAwRY5edDlN7I4mMwiNKCzOc=,tag:Eh1b7dymn7jQtL5/rsxC1Q==,type:str]
-sops:
-    age:
-        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTcldLRERrOHdadVA4RXdQ
-            dmsxL1o5aDdJTitqdXBzRWxqVmZKUzFtTlUwCnc2a1N4WUNEVUhsSlFuSExjR0Rl
-            TlFnNjVpUkpmbWdxYW5oblk5dGQ0THMKLS0tIDFBa0FKQXBPYThFTUwvd2tIaU9p
-            TERYVkp3dkUxU2ZaTnFRamRKclRRa1EKosUuvJXekUIxIHL8s/QuZf+hCXQS5dMC
-            HqZ74f/jvIW8i/Etu29VtK3n8MD8W1EenhJjfxOvhpRpLpzQP2GImg==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1vgqvdqqe3mn0gvh0hydvu9c5f9yn5vek08cagyvwjhyta6utpvuq00g9c2
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMK2F0R1JRR2t6NDhXVnVD
-            Unh5QmxDaGJtWmhsb1ZDRkMzUlpSeU9GL3lNCkU0ZVYxaWs3MHZDQlNHS25WMTl3
-            VVVtQUlxeXNQNVQrSTdSbWYzSmlPVGMKLS0tIDlyRm1tYlR3WU9ISjc2T3BSY2FP
-            Z3h2QWh6eDB6L1krbU9SS050dUhEamMKHnvdCmLuhuIfeBRs3LJ6IEatqrlMJNnc
-            vhPTVgfn+M8dGo+odTTwlvr5XGzE5cMSxGtdSE33JsbBFfVyaPCFjQ==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-05-16T05:29:11Z"
-    mac: ENC[AES256_GCM,data:s1HBVQUDbYP63EntEXe/+9mqFj2zGEtx3ibFauBYmjJvtvw2hs44ODNebMxjasT8zTYICJWWZJxwMvpUs/CbcmSjPAXTV8379lzlOmG2wZLezF+9jWdJi3ZDvM9Y1D0/4GnaIRHof/+kPn/ykFE/gQhP5PQ4OtoV+VTR2fuwDaA=,iv:TUTM8tyZxiAjU3afazfmse+LL53hrSFSCIX4KIDyQq8=,tag:Vx4GsOPAXaZz0rEjsJS8sw==,type:str]
-    unencrypted_suffix: _unencrypted
-    version: 3.10.2

devices/test-pc/default.nix

@@ -1,52 +0,0 @@
-inputs:
-{
-  config =
-  {
-    nixos =
-    {
-      system =
-      {
-        fileSystems =
-        {
-          mount =
-          {
-            vfat."/dev/disk/by-partlabel/test-boot" = "/boot";
-            btrfs."/dev/disk/by-partlabel/test-root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
-          };
-          rollingRootfs = {};
-        };
-        nixpkgs.march = "znver4";
-        network = { dhcp = [ "nixvirt" ]; bridge.nixvirt.interfaces = [ "enp1s0" ]; };
-      };
-      hardware.cpus = [ "amd" ];
-      services =
-      {
-        sshd = {};
-        nixvirt =
-        {
-          subnet = 123;
-          instance =
-          {
-            chn =
-            {
-              memory = { sizeMB = 2048; dedicated = true; };
-              cpu = { count = 4; set = builtins.genList builtins.toString 4; };
-              network =
-              {
-                bridge = true;
-                vnc.port = 15901;
-              };
-            };
-            chn2 =
-            {
-              owner = "chn";
-              memory.sizeMB = 2048;
-              cpu.count = 4;
-              network = { address = 3; portForward.tcp = [{ host = 5694; guest = 22; }]; };
-            };
-          };
-        };
-      };
-    };
-  };
-}

devices/test-pc/secrets.yaml

@@ -1,27 +0,0 @@
-nixvirt:
-    chn: ENC[AES256_GCM,data:0llBtdnPLl8=,iv:0w0huoNCvIiaL77Thj1iAwRY5edDlN7I4mMwiNKCzOc=,tag:Eh1b7dymn7jQtL5/rsxC1Q==,type:str]
-    chn2: ENC[AES256_GCM,data:vlvFNwMfTMg=,iv:DKgX3DCvkfADF/Pj31bRTx/dfTiMxv/JaeN76Kppob8=,tag:SOioaCz/CvvLn2jB+08THQ==,type:str]
-sops:
-    age:
-        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2SGQ0R20zci9aU1l4d2Fs
-            YkRZQ1FGUW1vSEd3S3FBdGlSTXB4dW54UVJJCk5MMEFZSzdYTFRQL1FRZUFWTXFh
-            cC90bUx2dkdHUFVoMkhyNjR6U0w1QTAKLS0tIDZHZE4yNlV4cFBTVGN4c3VYZXZ5
-            enZoU21MQ2VJbHlhSnhwUkNXZjV6OXcKzvdz1TNs/PDISx+QSi6cJ8vWNtZo4jfD
-            qsrwpxvHou/wptLzYg5gXQuXB0izpOW/AtqA1XqLcTUbLzcRhqFvMg==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age17a8y4yr2ckuek67rt786ujuf7705gvj3vv6ezktxxmgayea9zcyqet7hgc
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtWUJVZmdVbWxXck5EY0tR
-            cFRwZTlWVVpObjFneE95bXNPSUxjNE1DTlg0ClNQRy8yVmF6QWxuY3RGLzdJVEE4
-            WXEwb1NGVUlJWFRqeWlyN1J0eE15QnMKLS0tIENRQWJ0VXlzNHV6MXh0QUVRZlJu
-            RFFteDMzeGltVER3QjlpdUllZVNJS3MKyOMAu5xYr1z0YlNDFvaE4l4bposMTPUJ
-            K13yerfRBxDlOrMhG/lSovusBPkmS3HejDedGgYi1WMvgLuOkNWZ2A==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-05-18T01:55:44Z"
-    mac: ENC[AES256_GCM,data:wGHagytOT30EgjPezkaLXrqml/tn8oMzplYgThb9JbnXJzpCMnZnXeAlnRW/zdXY+Vt+kRfGCm2W/3sif5wB+gu5DCIeGC6OZy9brMVIQLceQ6Wp7IwPTDjMIGYtqe+T3QX6LFAMPUVZOHNBL9eRdO27G2TGP1ojH69MwNt4aQo=,iv:Rn26bQ8crsVFbLAxPcvLeQWwRP484rS/UFnmg8xeTwc=,tag:zs4S6VPNKFUZU6xxC2rIuQ==,type:str]
-    unencrypted_suffix: _unencrypted
-    version: 3.10.2

devices/test/default.nix

@@ -1,29 +0,0 @@
-inputs:
-{
-  config =
-  {
-    nixos =
-    {
-      system =
-      {
-        fileSystems =
-        {
-          mount =
-          {
-            vfat."/dev/disk/by-partlabel/test-boot" = "/boot";
-            btrfs."/dev/disk/by-partlabel/test-root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
-          };
-          rollingRootfs = {};
-        };
-        nixpkgs.march = "haswell";
-        network = {};
-      };
-      hardware.cpus = [ "intel" ];
-      services =
-      {
-        sshd = {};
-        nginx = { enable = true; applications.example = {}; };
-      };
-    };
-  };
-}

devices/test/secrets.yaml

@@ -1,30 +0,0 @@
-hello: ENC[AES256_GCM,data:y6Kl7kHqgft7T1eiFEeIppvosCACIcVWIQm6TzjS6RgUkJEg17GEZFRy2zTvVg==,iv:wChah8rTtEkkR8pRHO9NdhaGBwsTrrP+tPp7k2SOdn0=,tag:jRdYgJoKz+Q+/m8l/03JoQ==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTcldLRERrOHdadVA4RXdQ
-            dmsxL1o5aDdJTitqdXBzRWxqVmZKUzFtTlUwCnc2a1N4WUNEVUhsSlFuSExjR0Rl
-            TlFnNjVpUkpmbWdxYW5oblk5dGQ0THMKLS0tIDFBa0FKQXBPYThFTUwvd2tIaU9p
-            TERYVkp3dkUxU2ZaTnFRamRKclRRa1EKosUuvJXekUIxIHL8s/QuZf+hCXQS5dMC
-            HqZ74f/jvIW8i/Etu29VtK3n8MD8W1EenhJjfxOvhpRpLpzQP2GImg==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1vgqvdqqe3mn0gvh0hydvu9c5f9yn5vek08cagyvwjhyta6utpvuq00g9c2
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMK2F0R1JRR2t6NDhXVnVD
-            Unh5QmxDaGJtWmhsb1ZDRkMzUlpSeU9GL3lNCkU0ZVYxaWs3MHZDQlNHS25WMTl3
-            VVVtQUlxeXNQNVQrSTdSbWYzSmlPVGMKLS0tIDlyRm1tYlR3WU9ISjc2T3BSY2FP
-            Z3h2QWh6eDB6L1krbU9SS050dUhEamMKHnvdCmLuhuIfeBRs3LJ6IEatqrlMJNnc
-            vhPTVgfn+M8dGo+odTTwlvr5XGzE5cMSxGtdSE33JsbBFfVyaPCFjQ==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-05-10T03:54:30Z"
-    mac: ENC[AES256_GCM,data:JMr6ybbOk7tDZKUo11bd0xwUfLUuE4DIB5sYOCEVuaXLpDirgMgNSQgayqnnYDLOC7kGA7wDbbcxWhdaT8TcyYwdeha3SgA9mjkruPtOZ4R+ozfLDeqa59h2P+xronaOCDdl9G2JbhLA+k/S2ImBP43iPbcycJViSQs0RrntMxY=,iv:3ZILO4L01r4I2SJWOxe4pp9XLWo6KPPl3t/IbIf07+8=,tag:jhf73Y42fOYmeQS2oA0qSA==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.9.2

devices/vps4/default.nix

@@ -17,7 +17,6 @@ inputs:
             };
           };
           swap = [ "/nix/swap/swap" ];
-          rollingRootfs = {};
         };
         grub.installDevice = "/dev/disk/by-path/pci-0000:00:04.0";
         nixpkgs.march = "znver2";
@@ -28,7 +27,7 @@ inputs:
       {
         sshd = {};
         fail2ban = {};
-        xray.server.serverName = "xserver.vps4.chn.moe";
+        xray.server = {};
       };
     };
   };

devices/vps4/secrets.yaml

@@ -4,27 +4,43 @@ xray-server:
         user0: ENC[AES256_GCM,data:o2wxpSzoqsPxs6grgYRLtPutMVwSqtzUWBrj7+7QuWWd1a1z,iv:2/5SxXq8Iw4J/LzBeclHbkrZXHitguip0WN+MINym8s=,tag:v/3oly53ORM9XAwbOzp06g==,type:str]
         #ENC[AES256_GCM,data:0nHZmEPPaw==,iv:BtOZ8/U0yg3fthHrwerNQX3+KD/H9+fcUylYGnZqiIM=,tag:DkFGSFfq//LmWfg6DGm1aA==,type:comment]
         user1: ENC[AES256_GCM,data:7ev7GuKLeJbPReMy0FnX02fLv5nNCpxdzfnQyAA+/IviwDMQ,iv:YbESsyIAiEAyvrHnj9A4lITX7NtRkuRhCrTv6hoG9Qs=,tag:8uledxLXqpXXLBh+cczm4g==,type:str]
-        #ENC[AES256_GCM,data:3KN/1hzeR2I=,iv:iaqJJD6iURTUlIL8e8P7fsAzJYo+y3NGZXgWmPX+4ao=,tag:e8g/JgVrMrWJamUMpiv2pQ==,type:comment]
-        user2: ENC[AES256_GCM,data:58PnLCwDayOYinsPCYPeMvuKiF7b4tZtbmEJFWEl+2Nu6HL2,iv:hSv3jCtkLm4rrm/4+ot10CBhobGwtnK5db5wR1S/XrU=,tag:SQbynYp8pDSqj4tAK6JBMQ==,type:str]
+        #ENC[AES256_GCM,data:4Y00hDJ+8Hjq3Q==,iv:XWZYNC1T5B55B43tcuzzvOOFtHqZJ9XDuEaYQOO5cR4=,tag:5oNFsqUtSiv8CY6aHyGjNQ==,type:comment]
+        user2: ENC[AES256_GCM,data:MRMdc7LRYqgRsfKKW6LnP14g3JoFT6g7jzkXW8gIAeqypyoc,iv:tfPBD2FkIljz3xasYNJsj3vh2lEObrvSZ95FyCgWcTs=,tag:B1PQpyX24DqrPscL/pjZmQ==,type:str]
+        #ENC[AES256_GCM,data:gGd3kkNcyIwOXg4=,iv:vILDvtdvopPM8lZDDpedvtXYHpoPvPn1A8AJca41r9A=,tag:2LMImcmdyPKsQDloq7041Q==,type:comment]
+        user3: ENC[AES256_GCM,data:+KUVcqy18t6Fd+QNgB5DeZkNSA6lsjebO+xnzxzIjWuZ9UmS,iv:qugbmBv9jk1yfH2s0A0jla0DR3jkdXLVUeWGcj6v68U=,tag:4FUf/guDzPqgDcb1086WTA==,type:str]
+        #ENC[AES256_GCM,data:jCgKe0t2xQ==,iv:UE48L/JpobN6LUd6Z9RlsUGSJ1sHHgiL6xj8lPztwJc=,tag:xnwWLQm+GIUzsfBO/TXhrg==,type:comment]
+        user4: ENC[AES256_GCM,data:3yrdvbcH/ToAQpTLppSVp2FNGjatyBInKP85bAY9OrEtzhhQ,iv:4zvb1nzKjrCNWWKelOnDhsNBAC7Ak6ZpJlvQKqGJrgc=,tag:dBOTBJDJhJsKHKg/vGmpxQ==,type:str]
+        #ENC[AES256_GCM,data:2ptsDQ==,iv:dEzyk6NQcFZQPx8h/ViCqtRaQ/8dfMTVKBq+iguk6nU=,tag:11SLIAhtcHja4G9HUXr9Ng==,type:comment]
+        user5: ENC[AES256_GCM,data:NO9rpzFkySistf9++oXpo1tBaa4XtPtcCGR+2IWmhQYEH/l1,iv:OG+U0avgo9mjmU3soxRNL71ZC7Ee4ijpsJMRn3jYvhw=,tag:QuBFX2KHgNJ+f3RwqEH4+Q==,type:str]
         #ENC[AES256_GCM,data:uTZDsA==,iv:6cxvQycfji/x+DW1CnO45r+yNTLwkhYkiJwDaSpUCwo=,tag:8pMw+sYeOyZBN1idHoM9+g==,type:comment]
-        user3: ENC[AES256_GCM,data:WCVr0ylGm2SHtOGulb8TD/cI2xJXrbvY1d6+STXGxf0d0izb,iv:vhNshb38AVpwKCFRwUVruCQ0SxhHrOmwQ+IoQZeUj1k=,tag:OfdIjRrTAuVZBOEXTtnrQQ==,type:str]
+        user7: ENC[AES256_GCM,data:Ie8M385wtRx8bWIdCupnda799kL0OLBsWdk9pHTY7IxxaZbn,iv:OrRYOkaC9uI9E1Eb8GYqmYr9VAUM895oO8NSdvxUPCQ=,tag:NZTUE4KnUjhg/auoALavTA==,type:str]
+        #ENC[AES256_GCM,data:Wwq+ypJgx6OcXA==,iv:dSvFz4I5tFx+ZVClxNGKwcbIQe7OY43OzAhqRiDK2TQ=,tag:CYUs1cJ/zqc+Y0yFec7Upw==,type:comment]
+        user8: ENC[AES256_GCM,data:2GyFDXIiAN3mTobwnY4czV2Egoin3B5Ih+aet3yT+krPTkPq,iv:NwrzO//HXwKMudgD+yK1hsj9o71RG6BfBle3logvuLE=,tag:WWpioPsnhHvVSrzAmN16Sg==,type:str]
+        #ENC[AES256_GCM,data:vVz6E2juGqXS1Q==,iv:9itEkwMsW8cqSzwV2EZtgJVgaW7aJJ5fw1rLuKFwiKM=,tag:9hRADkot8kELoYAgd6Dz7Q==,type:comment]
+        user9: ENC[AES256_GCM,data:HgSVrry+nKGW9X9N6h8hsI9VETKtSEi+/ZC9QvNZW4zETQxt,iv:ERgmCDPBpboA/+Sxeq6BvWoMxsv3Kkczqb/mbXz9pOk=,tag:bklzRg9toKy//6T8xdtbRw==,type:str]
+        #ENC[AES256_GCM,data:2sHxXec=,iv:aA61+cmDw4rHab7RuRRK3eUDx5d6gpmfw4RpQ6Nd0mc=,tag:H9kovJyn3Te3ir9X234VGA==,type:comment]
+        user10: ENC[AES256_GCM,data:CqrwaZp1fHd/WEGQH3xWI8DZ2/AavCqwTtwZeHmnrct5yoD3,iv:IBOHGQlw+uQt8Ryp/mCDcglfSPNXvvHOjNnrT+7nOHQ=,tag:tEkGEtPaOBK+P3LrQzOLsQ==,type:str]
+        #ENC[AES256_GCM,data:Rw4BWXZutQ==,iv:rXe2i1G/xQkpBl0wh6VIzaNoidCc3JL4sy6v5hcOF/M=,tag:2tZyH8B0ZL7XptKHk6TcAQ==,type:comment]
+        user12: ENC[AES256_GCM,data:CsbquwEn+iOKCzda8z26FYk2i5aPk2xzqGIYORiD4lotvnFE,iv:zHPmlT4LAc6NDjXrExze23dZZFIj0c1eR4WW74cu+qs=,tag:5MDFrZNgv54mK05ImSvpkw==,type:str]
+        #ENC[AES256_GCM,data:vqYkwGVcQ8yZbA==,iv:1ckVSiAgjuT/K0MuVHe8D2hHE7X2qxCHpb+y6nrFCsI=,tag:so9oFl6bXlJT2O+prplazw==,type:comment]
+        user13: ENC[AES256_GCM,data:KUraqncs8iPr7z+COfJ1z0TLNLlgctxy8FCav95+kkVXtStx,iv:Uv90bnVmmQh6f9pKOWmEKCul5VPxF7rrQ9GYrsCGPp8=,tag:I0r5o8xIYuq5/MIXSOHT3Q==,type:str]
+        #ENC[AES256_GCM,data:F2x+2zrePYDkCA==,iv:aTMeqvGVI43xLsN9submgciiJEjY4hYypJ9RJLIBYTE=,tag:quKW+MATVzRw1bda2jGjdg==,type:comment]
+        user16: ENC[AES256_GCM,data:BjnUUnNyqUvvPbfa1CeYvcVbMOwz6/Em4YhxRgmlicOSwro+,iv:LULwzjV5PRihTHNZFJ21IrDG3rW3qX4CYwF4Xu1KdZg=,tag:pZAI4OEx24d6h/h9JyQ/hA==,type:str]
+        #ENC[AES256_GCM,data:aka1O9hn/dZX3Q==,iv:rWik4cYtHY/Z3xQ0p/i49zTXVmKEQDV4OMn12UaQr3Q=,tag:hPm4bugH9RAtsykj0BJ0Pw==,type:comment]
+        user17: ENC[AES256_GCM,data:URZqRUDtG5FDrZDsmI7CFn4ilp97GJtgaVVB+j0dRUdtVGoq,iv:iUkcr6Oo29y5PIGF/GJRltn5DD19yEcBIsJAaYs43AI=,tag:gzSsjeQxvjvfFVkDHPkfvQ==,type:str]
+        #ENC[AES256_GCM,data:JkMniTrakuonAA==,iv:V5KmQL+C5O2mb3ktlm1ITjLaa1NxToQlyToqYbGme9U=,tag:UTZm05uyb5j0Pf9vuxyIxg==,type:comment]
+        user18: ENC[AES256_GCM,data:fFtnkBnaOktHaIfk7dN2U73UkloToiLvP3Pg2VAqPzvTE49h,iv:DZrba7RWmaeOQsqh3Kq/IuFS9so5u5ItK5WwV/65FYE=,tag:v+pOozYvrJJIsj7A/a3S/g==,type:str]
+        #ENC[AES256_GCM,data:gR0WsUYdBZBWjA==,iv:rnXZQaDNu+cEzneEa6/2pO+qUXl/fut8FJ3n90A6ATs=,tag:azNGPfWv+ZgOU/B5PMCVZg==,type:comment]
+        user19: ENC[AES256_GCM,data:S8VSoBIR/RqwctgYPtyIPEK2hXLr4LZ/jJvvFHA6CGgp9/Ff,iv:8eLCZEaiquwZyswwLkLoJcl7UPWTVYmQqZ2egAGFWWM=,tag:VgJiSt8eRcRhppMXkAkmKg==,type:str]
+        #ENC[AES256_GCM,data:vWW1bNyENgcspxI=,iv:xXCrjHyxVtodkVu/wgy1OrHGGm20nEd1iyparWcycYE=,tag:FRu132btquzXkiLXlnq1Iw==,type:comment]
+        user20: ENC[AES256_GCM,data:Wux6pzwor0B1A9d1y0QEpcNnYn1pObloHxghSONHcsQ266/7,iv:jWSuswV6vTQdL764I/zxFC5gkFOa5Qwj54rggmmZX7I=,tag:4hmqBTn0T3a6Sjt9lofwbg==,type:str]
+        #ENC[AES256_GCM,data:IJWHWxbhy+gxhxk=,iv:HzMi211JiVfHUhEJm+q/K0tCjUEXDhollUf8Bm+HVA0=,tag:P22Q/h+DUhhJayZftcvVfg==,type:comment]
+        user21: ENC[AES256_GCM,data:0X5x3SATZm25kVf8cu7TGm2t95DneLAqhP16fRQCtROzyZyg,iv:dmlwRmubnRq2fNdNz3lVlAVYpPjVHkFm60IvPcajjds=,tag:eDJYYf3eRw+FxfaHiRDk5Q==,type:str]
+        #ENC[AES256_GCM,data:O3ovvRYzFrQY,iv:/Zs8e6u7wdp18AacZ3WWBvn5PDtXDnQ6ZyqLiyYmvAY=,tag:HmhKBI3aRCIR34vOEnv1iA==,type:comment]
+        user22: ENC[AES256_GCM,data:ee0naewdOjIxA0QEpmUyOSu++sUJQneEufhJBHiyOR7jAPTU,iv:09fZ0dLUZHp9wM2lCiIcTzFey2AkWBmnUCfq8W3FM6Y=,tag:dHBVo/Ok3Q9vy1pIbWC1Kw==,type:str]
     private-key: ENC[AES256_GCM,data:akNIeVp2bfKvnzlS6KLAdqAo7qsGfPatzCZpN1tNRLhRVXmJCcUDVSmVoA==,iv:2Rny8ioDJ2x+NR+n7/Aluv7JZ+Om3MuJKsXiwONYntg=,tag:a3xubIr7hpVjRiHjFL/q5Q==,type:str]
-acme:
-    token: ENC[AES256_GCM,data:JBeN7SVxKGOe6er0eS7/v8YrXdv0nCK/KZc8Ygq0G7FIGu4hO662kg==,iv:rf59MgUCYlAA5h18wtdWoUyb2VPB13OPuJjz1VsI2dU=,tag:ViPrwduD8aWf8i8vmBG78A==,type:str]
-nginx:
-    detectAuth:
-        chn: ENC[AES256_GCM,data:lQHDpv8/Yl5/nycHoeTnCw==,iv:ernNxRpcTOSAllDpqRFVFg3qEw/slEEPPXDFq1AhNL0=,tag:2AVALUf9cDyOgCqI9wwgQQ==,type:str]
-        led: ENC[AES256_GCM,data:zyCiiH21,iv:iEYyNClDsCpWE2oNjt2NqQZ88xOOlMr0yycjKTPdmlw=,tag:kQfbshXfTBA5PtUAgpgCcA==,type:str]
-        chat: ENC[AES256_GCM,data:pXu0WPWmvUzvl2expDpQPqWwi1A4abg72npsaYXDXRcg6aVU0Ec+tgM2+uz2hT9rh3mNoBxadYXDc/zeOL1UCg==,iv:iln5UGGBK2s5pGS03PtolWTkx6KrnYBAWCFnI0V2Bag=,tag:EahTDoPIBkgWnp4MOoTCmw==,type:str]
-    maxmind-license: ENC[AES256_GCM,data:8OioibcXQ9IZ0OQhJ/zHSBQjfdHzkoqwUx5zR8Zq0atNw6SSf7vKrg==,iv:z6WTI2yeqP0h7EqKG114nRQpFVJlNzZspgS6gIFtpt4=,tag:a0dBt9pXJnncBiSKt9dsAQ==,type:str]
-telegram:
-    token: ENC[AES256_GCM,data:Si6yTh48HpA8OkkkvgHwtJYFhF8tW3oaQbldjwBc09QJxp9AoKgASMnZtbDZYA==,iv:GrNyZXjaZMviSjy/LGHHrYTr5PFvDkCXmT3MU4+SLpc=,tag:YifB1tKFLqsgXB/YLqYK4w==,type:str]
-    chat: ENC[AES256_GCM,data:ydPky0W4ZWqn,iv:uWQrZDz2GCxiKRaijM89Npt0fQeSNHbQzDefkZCkUAE=,tag:OJQwV/889Vp2/4wjbN41JA==,type:str]
+wireguard: ENC[AES256_GCM,data:3h+cpSHULgwlI/zOI0IL4t4diDzm7qWW1sOWZqkFRWCB0CAfGyydGNlZkqA=,iv:pVpmw0aEDssQSr724h9NvJqFMHu0NupDfCSt1RWVnUk=,tag:fonuszujTzeo2HqO1OokEw==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
     age:
         - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
           enc: |
@@ -44,8 +60,7 @@ sops:
             Ri9hM3NRTkM4Q1lDdmdPemEweEFBUmcKNLL5qH+JeFWX0GovkPFVVAnz+4tmfG6/
             1jN8YqbMIxf5/L8tauXPf0iIiHa6pUcjtDZPr/OEmeXebmF6Bh9u9Q==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-25T03:19:55Z"
-    mac: ENC[AES256_GCM,data:v6yb7ZYcnPw/8SqEJnSWzmlE17PenjnBH2X8HZp+kIDXzNFyNvD19FcbCBZjwyjBLvN1ZF4M9FS7Y4+CvvMrN/4JcFufcY/V1NrOd8IZisfAT5N3WuopPee4IN9WEyPVOsbFnesZo6/wJKuqlV1UR8UZxCd3/wHXob9Lkz45cBw=,iv:XKIUiRfP0lj8V/Z1HbvhBankdcAjQqM8Way6TWjJJMY=,tag:PLYsVj6BmR132oWsxEKnfg==,type:str]
-    pgp: []
+    lastmodified: "2025-06-09T07:42:38Z"
+    mac: ENC[AES256_GCM,data:fQm8aI6KdoJVxcl4MQP7Q6EZVqmmLFo9A3Hjo/tKZA+VOYvQWFBxIKwy5Cj0SBi4pWsSjwG6pJZ7m6Wh/dDK4KlgkoaXgAYj+efHtScOH5Gkb0sTpAkHNL+/CJ/cO1doXiXRGj47fn1QB9o9WBaomtOWQbzDts4eFs9pdm8TAq4=,iv:91Ilig4j0ELHEatTY7ALKwwr8AzYnRwhKbdWDcufZF4=,tag:UfwaudQTNKu+uryCZjo3mw==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.9.0
+    version: 3.10.2

devices/vps6/default.nix

@@ -17,7 +17,6 @@ inputs:
             };
           };
           swap = [ "/nix/swap/swap" ];
-          rollingRootfs = {};
         };
         grub.installDevice = "/dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:0";
         nixpkgs.march = "znver2";
@@ -27,8 +26,7 @@ inputs:
       services =
       {
         sshd = {};
-        xray.server.serverName = "vps6.xserver.chn.moe";
-        frpServer = { enable = true; serverName = "frp.chn.moe"; };
+        xray.server = {};
         nginx =
         {
           streamProxy.map =
@@ -48,7 +46,7 @@ inputs:
             element.instances."element.chn.moe" = {};
             synapse-admin.instances."synapse-admin.chn.moe" = {};
             catalog.enable = true;
-            main.enable = true;
+            main = {};
             nekomia.enable = true;
             blog = {};
             sticker = {};
@@ -57,10 +55,31 @@ inputs:
         };
         coturn = {};
         httpua = {};
-        mirism.enable = true;
+        mirism = {};
         fail2ban = {};
         beesd."/" = {};
       };
     };
+    networking.nftables.tables.forward =
+    {
+      family = "inet";
+      content = let srv2 = inputs.topInputs.self.config.dns."chn.moe".getAddress "wg0.srv2-node0"; in
+      ''
+        chain prerouting {
+          type nat hook prerouting priority dstnat; policy accept;
+          tcp dport 7011 fib daddr type local counter meta mark set meta mark | 4 dnat ip to ${srv2}:22
+        }
+        chain output {
+          type nat hook output priority dstnat; policy accept;
+          # 需要忽略透明代理发出的流量（gid 不是 nginx）
+          meta skgid != ${builtins.toString inputs.config.users.groups.nginx.gid} tcp dport 7011 fib daddr type local \
+            counter meta mark set meta mark | 4 dnat ip to ${srv2}:22
+        }
+        chain postrouting {
+          type nat hook postrouting priority srcnat; policy accept;
+          oifname wg0 meta mark & 4 == 4 counter masquerade
+        }
+      '';
+    };
   };
 }

devices/vps6/secrets.yaml

@@ -1,5 +1,3 @@
-frp:
-    token: ENC[AES256_GCM,data:T8b1ku4HNCNSJ+33QgIt1GILFA4wTu3Qd0rDqHPVgdqsGo0R90k0u8z+dElSO7q9PapTqUbZ,iv:hwnMu6JxfYLgw4TyhujX5dI2IAytgZh+Bexhgta6ATQ=,tag:lqgwvXlS/jGPxasmk5Vh3w==,type:str]
 xray-server:
     clients:
         #ENC[AES256_GCM,data:DXEC,iv:SZ1AhmK6fWQ/HGDk97kDUcRN84zQMp99eiz4SpRhig8=,tag:Fkdf28ZvB8XKCxSYdjuuHw==,type:comment]
@@ -7,44 +5,39 @@ xray-server:
         #ENC[AES256_GCM,data:OVgDU+zqcQ==,iv:8KuEqBuL5Ca6pUOFFA+vySJx/h3BhGAAC0CgnxiW46o=,tag:TY1MajSSy2RjKVI2SSAAFw==,type:comment]
         user1: ENC[AES256_GCM,data:S3IHO9FcVHTJOsRxjSohM9MgnrEwLdDpFU+efLkQaXT2jNJG,iv:KOesvPzjDfm1EDLFiegbk0wgjp7di5mUwUuuY2hwvOQ=,tag:ZsYyUyyEhO5S3weCw/gPMw==,type:str]
         #ENC[AES256_GCM,data:OQOPobpbbhajgA==,iv:4jG3bHKzWcR+JnvSlJsc0Qlv5kywqVN5UE96J31CP7Q=,tag:P+jJkRxPu99tLXyO5k6dRA==,type:comment]
-        #ENC[AES256_GCM,data:s6BwbmIwmC1J+vA27pPGh0Q+Rmowkd8ES3hYOny3vX+tjWtW+qiWBz2A9M4=,iv:XXPPaVyP7fEUhNJay2mjjC2f3Vg3wYtBUDoSYQt1Iew=,tag:B2WAfg2Oqwp0t0gE7Jdq6w==,type:comment]
+        user2: ENC[AES256_GCM,data:+MKTpaA8hO8q0kyY0V1csedLOtIf760Vr0+WllGe9lgMJ5da,iv:5txOM3sFOhKVX4EVozb8XHWLU0fUNxCF9YAwTYaTL6c=,tag:jkgOVgiEc5phY1XNETsdpA==,type:str]
         #ENC[AES256_GCM,data:m0iCqLI8ELaPb9g=,iv:bsh7JHILbOZJ+bgGr0U0rDanjUVGgDzYGhboezspEjE=,tag:o7A4SXoCXk5LXmZ1bidg/w==,type:comment]
         user3: ENC[AES256_GCM,data:r+6jXaIj4HJoYLnJcnjJB+WEZlGaoSy/ktc1Aw77hFtNrrGp,iv:P+YUKns1yaOZokH5WkDB0jssGyHg3ncc54tF1PyA7Oc=,tag:/pxMEr7l4ye5EDAOsllxJA==,type:str]
         #ENC[AES256_GCM,data:4gqZh391hg==,iv:No22DrD6EBs2FA4/qH8msWEjs20fc+ZpEeZep+HIv+c=,tag:aHrYNbI83POI4PRj1nd+Yw==,type:comment]
-        #ENC[AES256_GCM,data:RVChRrOl3R8DiKPS7yduAu5RG7d4VkOZ5akRTp18mK7Hz/xQ7FpxlNqGJcQ=,iv:j7naYq9tD+G5dDB8+hyUVosA3p2O4wlkcxIBlO7hRdo=,tag:TvlSmZwTDGLCX7qOR5Clhg==,type:comment]
+        user4: ENC[AES256_GCM,data:/kBaGAqbewLav+WCJPHm1py3pvb7bA/YO2DeBP2FTCZv44wA,iv:iwxV6KHu00oITH/58kBFmf43lkgTU3BHJ/kb9FPnRSE=,tag:ns+6Dvhf/D15bZc0fd6zLA==,type:str]
         #ENC[AES256_GCM,data:AzzKMw==,iv:Z73ISOLhPWP40wTy8PucY3KaB9nS7WQECK3tZFYC1ao=,tag:KJuiCODhHyDl5bXInUSI5g==,type:comment]
         user5: ENC[AES256_GCM,data:iDuLRb4dhLUOjpamioMwoTYrn7Cy+Ln4SaedVXkwVD05rjJ0,iv:AqzBBvLpJuIJCUJq0IyDcHrlqb0e84nQC0c94Rj85uw=,tag:0xou1i/iwAxGngO74OIMXg==,type:str]
-        #ENC[AES256_GCM,data:nTsDaAIVIP28YBCw0XONqWoYziAYhszJhLBlJfbFM6w2NB0nQcYWAanhkkA=,iv:rezGcsfxcAUjTtBFd099TDrV+K59cb0gbJCCVqH+nCA=,tag:5g2Zl82MNuHTf12Tb0GWcg==,type:comment]
         #ENC[AES256_GCM,data:8FxApg==,iv:vPa5p3QVHAvw+ECusWGqx1ugTcHh42CVFDQcMhG59wM=,tag:lHiZtydcYFBQiXnWh8pCrw==,type:comment]
         user7: ENC[AES256_GCM,data:H/jje9ONEY6XuBXTZmTVGIcWUgGSMf5OB1NNRPtqGCgRP1ei,iv:xew+0BkRqz3nfOoBXTPbBv5hRczy/3tgYSKq432q4iw=,tag:da2ljcffiCVJCsMZaNPZyQ==,type:str]
         #ENC[AES256_GCM,data:QdaYYH3RGJ4qIg==,iv:79NBTEKCPtgVVv3G7wg+vdoLOWxc+bdqT1lF4HJpTC8=,tag:8mRFGjy7lBrdyGyX9vaSOQ==,type:comment]
-        #ENC[AES256_GCM,data:hG7EUK7V9QObh7rHKtgTESwNLOf16WXoQrCAAEiK8Nzsr7atwh9DqNIJAww=,iv:3zAY7CImCzvNmsVK/OG3VgYSUL1wdt+keYtuskGO7Gg=,tag:7JeGHrlVkAUOX7bhd8UJaA==,type:comment]
+        user8: ENC[AES256_GCM,data:AnZb12dioiCamubOb6fsGWoM55zfPMeRbu+j8bRRcMfSQFJf,iv:rB+4B11JFC0oS2ExUW18f5WvhnE4EuHh3IiEyxWeY3A=,tag:jt+3yxDvhusvB8ppbdAwzw==,type:str]
         #ENC[AES256_GCM,data:aYWIiLxs1UvupQ==,iv:AisokHuAzD5B6fEF6ak8WfAe151CM3a8MsaWC4uJPnw=,tag:cdk5S4n9ulyWrqsD+jcqYg==,type:comment]
-        #ENC[AES256_GCM,data:C6ri4a3iCXf7I3PWSoPk1y4143TTFugot1MMxdawWxGyfg/P7SYUBMs+T0U=,iv:v2lCOw+p0hJhXNsUpTSCvqNSBtPaPJGMrk6ukJYtB+w=,tag:WXq9rUYDQKN/cZzZ7CFQvA==,type:comment]
+        user9: ENC[AES256_GCM,data:+SA+VcZcy5ckuS/46Dn093VvuqxrIACuqMAMx6Ko5yw0DVdW,iv:TeLXb1WI7uhcPDkXYSlKIxdE6Kz+nCnlB+ZYpWcaF4I=,tag:YB0sPD9yHMARhiMJs7JKcA==,type:str]
         #ENC[AES256_GCM,data:eCl1bK4=,iv:oYA2CFW6OGGrRYx6OHRYJpbEyFh575UjztvHaXA8UG8=,tag:Pw7xsisQB2Dd0KJeWFq6bQ==,type:comment]
-        #ENC[AES256_GCM,data:Gs2pJl4YMPRBDZCmd/1ycXJcArdIb8cUAQ+09OuRm7z/x1ATc9xVr7dE+C4b,iv:JYf4sTzJh7PoQe5yFAC60mJ5zKUIof7QKm5jMfiF5xE=,tag:/CJPT/OmblQvzqkQ1VCP/Q==,type:comment]
-        #ENC[AES256_GCM,data:+s3MMeNU5Q==,iv:CUrg+nNxCpJFbHQmMNXmSE+JcZK6Dfu8cGwtznx3CFY=,tag:G5CYMtao+hz3hs0fPVPmcw==,type:comment]
-        #ENC[AES256_GCM,data:JOabknMamJFImHErEcsrAMuYBXzJkw/Gm0+6rWrer2ePsoOakN/A3ByCPzwQ,iv:wnUFMeGfkUMkkpJBrFswy1SwJzVBDehEoilnzb43MgY=,tag:sXCKkiwtDp9v7ptpuAfOhQ==,type:comment]
+        user10: ENC[AES256_GCM,data:Pec0CVGia/ZIaq7WerZlr0/waJ/Ev1OKwt7V3PBxBSFMLi7p,iv:wYTdhv4Xoe58KBIwV1vk/V4IcdVzQrBgmzGaRD7qHQs=,tag:IZVt5LmjTUge8XntujJlTA==,type:str]
         #ENC[AES256_GCM,data:spyQkQIHwg==,iv:7+0DUK95MPH7lpr+GMbbLu4/5yA11/4gTuLhQKlStfE=,tag:G/gIXML8UhYoCi9FfoTvSA==,type:comment]
-        #ENC[AES256_GCM,data:LRRsL6u+FH3jHa8UAhEXrb3UTQss9piBle2aH2xuuFw0cupmRd5PlSOBIbvQ,iv:0cccpn4bWkrla6COI5g6pDDW1JoVK4UULYteXoJp38s=,tag:+EFlWxGIw7k85Q2RIL/YHg==,type:comment]
+        user12: ENC[AES256_GCM,data:iTZViWyKkCU1y6mvB0NzkXf3I98U/+nCs21ZD6M285YKaU6q,iv:vFgA3sv/7ENcw3gyJLiiHLwroXtVJjAxZXViqjXF3mQ=,tag:u3b9Uu6TIPPYX0TW5X5Sjg==,type:str]
         #ENC[AES256_GCM,data:HueqiREBet2bxQ==,iv:WCjTAGg2gXgBSvY3zc/YyB/1X0XjvphPduVXLsjOwH8=,tag:wC+On6lyyYQ1Dt/BHDvONw==,type:comment]
-        #ENC[AES256_GCM,data:JFKeeVBSBO8pWttZy/fTX1YaVV69Et1GmHVDLZ1E5vUY3BvajjjS04t7V5TG,iv:rZJQTe5+YgJ6X6uPoQcpTw4AF+gQCVSMe7maFetLEPg=,tag:H4ravqgOgQYgVXMayv7tXw==,type:comment]
-        #ENC[AES256_GCM,data:R8lN5T0=,iv:FXLf8Vtjg+PkwNhxXWDViMKqwn7tFMaPhio9zhnudZw=,tag:34gxRH+P9lmkUxlOPKcYMg==,type:comment]
-        #ENC[AES256_GCM,data:dpOaSMuXhIiwb+yD3TgOIKkeWBusQvqHbj4PuvH/anF5/P8JagplDpBSIimJ,iv:PkVIthbA21sFC4J4VmwZ/1HZqA6qbjVPnJoRszmeVbs=,tag:PcXPRYLzuC9F0YfNT4mi3A==,type:comment]
+        user13: ENC[AES256_GCM,data:ID/A7yCWQIWRoU7Emhel2ASZfTweqXYmpC5q6Fm6ptD0XfCu,iv:YrFjIilO4pH+QxVVDTqwkufj2VSC38y9lAJfD8w522I=,tag:1v/T7vWeh0LMi0OL0FVs9g==,type:str]
         #ENC[AES256_GCM,data:4jJkbMD9Psxrag==,iv:arRtRaNrqnYcT7vE3wqgl/y8/65ORaxqTdGw55AKDP8=,tag:pRpta6mXfy0XCyzMA4+cEQ==,type:comment]
-        #ENC[AES256_GCM,data:DeWybZ68gAH4cukohO+OQqeNrnRlUdclGHFeH8aBcn0aq1iWh1UCgtiT5xXd,iv:HYq+CiPWCswr+7+uwUblN8N6T38WU/qu9F5VzaLp4Gg=,tag:YKunlBxH4H71FRSuPxR8Uw==,type:comment]
+        user16: ENC[AES256_GCM,data:esInSvj+a90TAl+b/n9m2iJsH7e6tlQRwSsoLBCy8KA9a0Z3,iv:U4c0pZzqS1s5H6XW3YRSCvDhtxnwCnyKR/tObefX2Rw=,tag:YtY/t4xsmZaj4lC39XQ5SA==,type:str]
         #ENC[AES256_GCM,data:/Kec+CdtnT11EA==,iv:DnmbWfgriaE6XAnMqq2UXhHhN+Rd/3YRodKVUCJo6p4=,tag:NimqZpbslKxwzoljaZqEdw==,type:comment]
-        #ENC[AES256_GCM,data:tkJTZZjJfQdU0EDQw9mmc1GRlSpqdwOdsE/QCw4BedDbixjElKqUC5MPRR/b,iv:/3obljBcGiXJfzlTQivkVcaWWcsiqokuU/DmUTchpwg=,tag:E80OLtqoM5XuGk2/xYBYKw==,type:comment]
+        user17: ENC[AES256_GCM,data:6h343SreoMqz5ZHkdyDI/je4v10r5zBV7cWc6Pj4x5sI2cvE,iv:7WSikMxAZJUnv3+GPq40d8r9JkKRRH/SPW5F5fy5HHY=,tag:6h5Z7+WXT/dLNeEIrC0UGw==,type:str]
         #ENC[AES256_GCM,data:h7E4P6BiGjktYg==,iv:DhkK3NNppBqo3sXt9U7kbgfaBPYcSEX2hu6VOAesDiE=,tag:XoVbZklwCmU1EBhv0ujcSw==,type:comment]
-        #ENC[AES256_GCM,data:LXBBph+nPScs6CSHPKwMSvcgFtWrmcOHEhhDZUNClb/7ixJFno82QnRwrnTp,iv:00I8csKFj65qeK8RPbbQ18oQZBrYKeFV3eGwfFXyGDc=,tag:uWUPNfu5Tmqr2LDkijc5cA==,type:comment]
+        user18: ENC[AES256_GCM,data:HJj0e6EHXEYmDXlZcS8UlfEQo/4y47w3sYKgb2Ojq6E4vMdE,iv:xThlGl/DDLLgoY5VkBSCx9HIvxy2ZlO5Q987vIMu0lA=,tag:gB07jP6Do4/6RmVaLB3Ecg==,type:str]
         #ENC[AES256_GCM,data:qGsMmWrUIzVdHw==,iv:DXayEA5zquwOzm+TqECYNHM98r0WSzcP3gA8zkzdPy4=,tag:OKTx12RqP9VxJQOnrBLkmw==,type:comment]
-        #ENC[AES256_GCM,data:ttTvPgRtQ4tYmYBSNaO+Bbs/Kz85vuNX+2Od4cOG6yD9yqrSdfLRwVvedVol,iv:ZWZX5rytwefvte/NgNlmmp9FN9vuZ62KVhVgVwX+g7s=,tag:uXx87i/ly6GkLgXA4+QULw==,type:comment]
+        user19: ENC[AES256_GCM,data:unW8dOhNbPNLWd7X2prpD82tcqUua7msq8nX3ykFs8STsuto,iv:OLaZ9XQDFGaA1VENgsSn/3HQXp957Zf9MD9GPZ4KLE8=,tag:UK27LK+De3AzbI2mEIsQpw==,type:str]
         #ENC[AES256_GCM,data:1g2gohLbiixMes8=,iv:E3HA6cAdv3BdLMcrrcWW4Zsc2KLtW7L8Xrk9Z57l49o=,tag:rZ7W9ckf7lzJ23u5zwQiwg==,type:comment]
         user20: ENC[AES256_GCM,data:3UbVnn9oMRc0zZR46tWxwM9VFOvMOYm690csUomEVBcS3xPm,iv:KHuPXttLAFr7WT/qa/UYLY8GRsPWYZPyKNmdUh4iFQQ=,tag:jN8rQ0Gv+qnhwOWGH+CwlA==,type:str]
         #ENC[AES256_GCM,data:GzxXsTbEvdHV7A0=,iv:uxUG4hnYEsmJtnqbEwamwhtLt3UClt7ktmkGyAFdxsc=,tag:sF8YQ2cejAezI3Bbp9qKIw==,type:comment]
         user21: ENC[AES256_GCM,data:hgDJ11crZaWcKrc+ZDQklXwpnvt/sMbARkx3sLZfQGZqQZeA,iv:2Re+hdJuT5yg/qTymfpN+KdU3criOmwuqqg+SHb8iAo=,tag:s16N6u5cRDaoWxnrCkamuw==,type:str]
         #ENC[AES256_GCM,data:U0CcBBJraJj9,iv:9kuHsHkSDdDT0Gi/3Oy608RArrg+4cgeii5zWbsGuPA=,tag:EvqqMNvNcWBwie28t0+52w==,type:comment]
-        #ENC[AES256_GCM,data:FnindYeqk6g6aZgajHVejfHPqeF+uSX3QzbrDS6XLZz52aQF5ZQSiJQCaDha,iv:c/mrS0jfy5EzQe4Tkm0QqBH9/okJnCsRZFGhzSjeit0=,tag:e5otDw+I2d7moybCx4jeqw==,type:comment]
+        user22: ENC[AES256_GCM,data:LClSrxtBzuJUD4J4QaYXHUr8XSi+N7Zh193j/YeBZRm9sjgf,iv:djiq3+iVnuKK2HveoCm/j8FezzrHRGnjbyoO6iGm6eA=,tag:N5hqYyvJGxnwT8wbxdnjiA==,type:str]
     private-key: ENC[AES256_GCM,data:ts/LRGFAsYqvGvkvlxUI42IW1a8cGsSkpZhMDd3QVceRKvhPb1SRDaXoSw==,iv:6xX9xFIFUNlLBZ6CPBOz9JbHpvC4+QG9ZaCZcWdl12c=,tag:DYIa+QTV8vyl1l7OKKykTw==,type:str]
 send:
     redis-password: ENC[AES256_GCM,data:6zVKw9AmKwSWvHUZhzy0F2KcJW96uFoZY/N1Zq8ilUJOLZeX,iv:viwLIgJz9v8oadr8784OgETbEsxzGsJvVoxmOwWEFxo=,tag:XEYFnoCGwlnrkqaUbgeH+Q==,type:str]
@@ -71,7 +64,7 @@ sops:
             ZXFTU3ZCaW1pTVh0RUJzdDdGdHlPYTgK2mlgcX2kEc8+2UDdBnhUm6IIuh8V6agW
             ooxH9OEPXUVI/4JcDo4v8ZUhAyU1ehLH0Ef7PJCChOZe2KZmWSNbhA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-05-18T07:37:52Z"
-    mac: ENC[AES256_GCM,data:nfUU2BsDuErJGm8sVB9shRv4N+cIFZmAF1vWF4iZmcJwjP2PekVWcp4COPAlapy5oVhMutr39oW6VsltTR27jVxhI4+dueurMU7KRLD5Bwpk5hQmMAfZxvl4GaP50zehJbCwfApiX9CcjwCUxUjraTs4rG6LK2+8d5Z0PYosm2A=,iv:TR63cpbe3z0K4bWpbEnv/DE9jnAJV1Zv+Aj0HXoA16Y=,tag:fS78JUapMvBtZCFtM1z07A==,type:str]
+    lastmodified: "2025-06-12T23:51:02Z"
+    mac: ENC[AES256_GCM,data:3QxWxinb3a7jvmHJO1kcePNwd/igurjFWVJw/sGKBuZpo47LU+W8132b9GpKs79AedDa5BM5yu0XN+CPrkviMcNuX5a3lLy8oI22a1N8fuKjEehld1Jq/boitGIsgJgb/M0Hn6yIq1ytuWuxoj2cOvmkEfNuyWRew+htI4DhJ/E=,iv:OyCWfcn218oaA970T9miIWIGSwOFeUbtWI0xO/02Hrw=,tag:c8riJplInFN1ZSPH3ze0QQ==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2

devices/xmuhk/README.md

@@ -0,0 +1,13 @@
+# install nix
+
+1. Build nix using `nix build github:NixOS/nixpkgs/nixos-24.11#nixStatic`, upload, create symlink `nix-store` `nix-build` etc. pointing to it.
+2. Upload `.config/nix/nix.conf`.
+
+# install or update packages
+
+1. On nixos, make sure `/public/home/xmuhk/.nix` is mounted correctly.
+2. Build using `sudo nix build --store 'local?store=/public/home/xmuhk/.nix/store&state=/public/home/xmuhk/.nix/state&log=/public/home/xmuhk/.nix/log' .#xmuhk` .
+3. Diff store using `sudo nix-store --store 'local?store=/public/home/xmuhk/.nix/store&state=/public/home/xmuhk/.nix/state&log=/public/home/xmuhk/.nix/log' -qR ./result | grep -Fxv -f <(ssh xmuhk find .nix/store -maxdepth 1 -exec realpath '{}' '\;') | sudo xargs nix-store --store 'local?store=/public/home/xmuhk/.nix/store&state=/public/home/xmuhk/.nix/state&log=/public/home/xmuhk/.nix/log' --export | xz -T0 | pv > xmuhk.nar.xz` .
+4. Upload `xmuhk.nar.xz` to hpc.
+5. On hpc, `pv xmuhk.nar.xz | xz -d | nix-store --import` .
+6. Create gcroot using `nix build /xxx-xmuhk -o .nix/state/gcroots/current`, where `/xxx-xmuhk` is the last path printed by `nix-store --import` .

devices/xmuhk/default.nix

@@ -0,0 +1,69 @@
+{ inputs, localLib }:
+let
+  pkgs = import inputs.nixpkgs (localLib.buildNixpkgsConfig
+  {
+    inputs = { inherit (inputs.nixpkgs) lib; topInputs = inputs; };
+    nixpkgs = { march = null; cuda = null; nixRoot = "/public/home/xmuhk/.nix"; };
+  });
+  lumericalLicenseManager = 
+    let
+      ip = "${pkgs.iproute2}/bin/ip";
+      awk = "${pkgs.gawk}/bin/awk";
+      sed = "${pkgs.gnused}/bin/sed";
+      chmod = "${pkgs.coreutils}/bin/chmod";
+      sing = "/public/software/singularity/singularity-3.8.3/bin/singularity";
+    in pkgs.writeShellScriptBin "lumericalLicenseManager"
+    ''
+      echo "Cleaning up..."
+      ${sing} instance stop lumericalLicenseManager || true
+      [ -d /tmp/lumerical ] && chmod -R u+w /tmp/lumerical && rm -rf /tmp/lumerical || true
+      mkdir -p /tmp/lumerical
+      while true; do
+        if ! ss -tan | grep -q ".*TIME-WAIT .*:1084 "; then break; fi
+        sleep 10
+      done
+
+      echo "Extracting image..."
+      ${sing} build --sandbox /tmp/lumerical/lumericalLicenseManager \
+        ${inputs.self.src.lumerical.licenseManager.sifImageFile}
+      mkdir /tmp/lumerical/lumericalLicenseManager/public
+
+      echo 'Searching for en* interface...'
+      iface=$(${ip} -o link show | ${awk} -F': ' '/^[0-9]+: en/ {print $2; exit}')
+      if [ -n "$iface" ]; then
+        echo "Found interface: $iface"
+        echo 'Extracting MAC address...'
+        mac=$(${ip} link show "$iface" | ${awk} '/link\/ether/ {print $2}' | ${sed} 's/://g')
+        echo "Extracted MAC address: $mac"
+      else
+        echo "No interface starting with 'en' found." >&2
+        exit 1
+      fi
+
+      echo 'Creating license file...'
+      ${sed} -i "s|xxxxxxxxxxxxx|$mac|" \
+        /tmp/lumerical/lumericalLicenseManager/home/ansys_inc/shared_files/licensing/license_files/ansyslmd.lic
+      ${sed} -i 's|2022.1231|2035.1231|g' \
+        /tmp/lumerical/lumericalLicenseManager/home/ansys_inc/shared_files/licensing/license_files/ansyslmd.lic
+
+      echo "Starting license manager..."
+      ${sing} instance start --writable /tmp/lumerical/lumericalLicenseManager lumericalLicenseManager
+      ${sing} exec instance://lumericalLicenseManager /bin/sh -c \
+        "pushd /home/ansys_inc/shared_files/licensing; (./start_ansysli &); (./start_lmcenter &); tail -f /dev/null"
+
+      cleanup() {
+        echo "Stopping license manager..."
+        ${sing} instance stop lumericalLicenseManager
+        chmod -R u+w /tmp/lumerical && rm -rf /tmp/lumerical
+      }
+      trap cleanup SIGINT SIGTERM SIGHUP EXIT
+      tail -f /dev/null
+    '';
+in pkgs.symlinkJoin
+{
+  name = "xmuhk";
+  paths = (with pkgs; [ hello btop htop iotop pv localPackages.lumerical.lumerical.cmd ])
+    ++ [ lumericalLicenseManager ];
+  postBuild = "echo ${inputs.self.rev or "dirty"} > $out/.version";
+  passthru = { inherit pkgs; };
+}

devices/xmuhk/files/.config/nix/nix.conf

@@ -0,0 +1,2 @@
+store = local?store=/public/home/xmuhk/.nix/store&state=/public/home/xmuhk/.nix/state&log=/public/home/xmuhk/.nix/log
+experimental-features = flakes nix-command

doc/todo.md

@@ -1,6 +1,14 @@
-* 测试 vasp
 * 测试 huggin rsshub
 * 打包 intel 编译器
 * 切换到 niri，清理 plasma
 * 调整其它用户的 zsh 配置
 * 调整 motd
+* 找到 wg1 不能稳定工作的原因；确定 persistentKeepalive 发包的协议、是否会被正确 NAT。
+* 备份系统
+* 备份数据
+* 清理 mariadb，移动到 persistent
+* 清理多余文件
+* 移动日志到 persistent
+* 更新 srv1
+* 告知将代理改到 xserver2
+* 准备单独一个的 archive

flake.lock

@@ -1,5 +1,27 @@
 {
   "nodes": {
+    "aagl": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1750597708,
+        "narHash": "sha256-jpoh3tk4F4C0MZsXYqFt1fqm4qYOcyu3RtJlmpabpDo=",
+        "owner": "ezKEa",
+        "repo": "aagl-gtk-on-nix",
+        "rev": "5e4851010e05030553f2265ced86b155dfe0bb93",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ezKEa",
+        "ref": "release-25.05",
+        "repo": "aagl-gtk-on-nix",
+        "type": "github"
+      }
+    },
     "blog": {
       "flake": false,
       "locked": {
@@ -127,6 +149,27 @@
       }
     },
     "devshell": {
+      "inputs": {
+        "nixpkgs": [
+          "nur-linyinfeng",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1741473158,
+        "narHash": "sha256-kWNaq6wQUbUMlPgw8Y+9/9wP0F8SHkjy24/mN3UAppg=",
+        "owner": "numtide",
+        "repo": "devshell",
+        "rev": "7c9e793ebe66bcba8292989a68c0419b737a22a0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "devshell",
+        "type": "github"
+      }
+    },
+    "devshell_2": {
       "inputs": {
         "nixpkgs": [
           "nur-xddxdd",
@@ -166,11 +209,11 @@
     "flake-compat": {
       "flake": false,
       "locked": {
-        "lastModified": 1696426674,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "lastModified": 1733328505,
+        "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
         "type": "github"
       },
       "original": {
@@ -180,6 +223,22 @@
       }
     },
     "flake-compat_2": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1747046372,
+        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_3": {
       "flake": false,
       "locked": {
         "lastModified": 1696426674,
@@ -195,7 +254,58 @@
         "type": "github"
       }
     },
+    "flake-compat_4": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_5": {
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "revCount": 57,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.0.1/018afb31-abd1-7bff-a5e4-cff7e18efb7a/source.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz"
+      }
+    },
     "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "nur-linyinfeng",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1749398372,
+        "narHash": "sha256-tYBdgS56eXYaWVW3fsnPQ/nFlgWi/Z2Ymhyu21zVM98=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "9305fe4e5c2a6fcf5ba6a3ff155720fbe4076569",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-parts_2": {
       "inputs": {
         "nixpkgs-lib": "nixpkgs-lib"
       },
@@ -249,6 +359,42 @@
         "type": "github"
       }
     },
+    "flake-utils_3": {
+      "inputs": {
+        "systems": "systems_3"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_4": {
+      "inputs": {
+        "systems": "systems_4"
+      },
+      "locked": {
+        "lastModified": 1710146030,
+        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
     "gitignore": {
       "inputs": {
         "nixpkgs": [
@@ -437,6 +583,21 @@
         "type": "github"
       }
     },
+    "nix-flatpak": {
+      "locked": {
+        "lastModified": 1749394952,
+        "narHash": "sha256-WbWkzIvB0gqAdBLghdmUpGveY7MlAS2iMj3VEJnJ9yE=",
+        "owner": "gmodena",
+        "repo": "nix-flatpak",
+        "rev": "64c6e53a3999957c19ab95cda78bde466d8374cc",
+        "type": "github"
+      },
+      "original": {
+        "owner": "gmodena",
+        "repo": "nix-flatpak",
+        "type": "github"
+      }
+    },
     "nix-index-database": {
       "inputs": {
         "nixpkgs": [
@@ -500,15 +661,31 @@
         "type": "github"
       }
     },
+    "nixos-stable": {
+      "locked": {
+        "lastModified": 1750646418,
+        "narHash": "sha256-4UAN+W0Lp4xnUiHYXUXAPX18t+bn6c4Btry2RqM9JHY=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "1f426f65ac4e6bf808923eb6f8b8c2bfba3d18c5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-24.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "nixos-wallpaper": {
       "flake": false,
       "locked": {
-        "lastModified": 1744994349,
+        "lastModified": 1749300029,
         "lfs": true,
-        "narHash": "sha256-DMVWLep/yoR05kfYqjQxazjZXEUw/CRLoELajXQq3eM=",
+        "narHash": "sha256-m5rQGDo9sogrNFtHNdf4CiUe4odqOVStj03ikUQX7NE=",
         "ref": "refs/heads/main",
-        "rev": "5e4d102f5da8c27589083fb90e3f6edd8383ced8",
-        "revCount": 6,
+        "rev": "8da808801224ac49758e4df095922be0c84650c8",
+        "revCount": 8,
         "type": "git",
         "url": "https://git.chn.moe/chn/nixos-wallpaper.git"
       },
@@ -520,11 +697,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1748494270,
-        "narHash": "sha256-SRyjwD3RfMXpY0/69WErFQ/P8UG1aD5qQQNvEd/NGLs=",
+        "lastModified": 1751630609,
+        "narHash": "sha256-mJ1XnKiLnNapGSUwyGdFD8tmQTzuJm8z3qaFC27guqE=",
         "owner": "CHN-beta",
         "repo": "nixpkgs",
-        "rev": "3eb4afeaf2384476d35dbb5dc51675c5ec1d2b62",
+        "rev": "b263408b62d74a1e7a298fc47135653a70c227aa",
         "type": "github"
       },
       "original": {
@@ -615,11 +792,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1746921044,
-        "narHash": "sha256-R4hz/Wl2QZDbgj09u9tDdQKY8SS9JIm0F2wc9LKOjD0=",
+        "lastModified": 1750554037,
+        "narHash": "sha256-XE/lFNhz5lsriMm/yjXkvSZz5DfvKJLUjsS6pP8EC50=",
         "owner": "CHN-beta",
         "repo": "nixpkgs",
-        "rev": "5d04a9f5d569ed7632ee926021d6ab35729fd8d4",
+        "rev": "f6b1f449aa69592d8f9bce2d4141766b667294ac",
         "type": "github"
       },
       "original": {
@@ -665,18 +842,45 @@
         "type": "github"
       }
     },
-    "nur-xddxdd": {
+    "nur-linyinfeng": {
       "inputs": {
         "devshell": "devshell",
+        "flake-compat": "flake-compat_2",
         "flake-parts": "flake-parts",
+        "flake-utils": "flake-utils_2",
+        "nixos-stable": "nixos-stable",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nvfetcher": "nvfetcher",
+        "treefmt-nix": "treefmt-nix"
+      },
+      "locked": {
+        "lastModified": 1751049834,
+        "narHash": "sha256-xgLH6/ZtQJKWsham0Cj0nKGY8hde2fY8vZgSM5JfRik=",
+        "owner": "linyinfeng",
+        "repo": "nur-packages",
+        "rev": "d7a4ee64345bae20e75f40d6f35c705d22c216d4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "linyinfeng",
+        "repo": "nur-packages",
+        "type": "github"
+      }
+    },
+    "nur-xddxdd": {
+      "inputs": {
+        "devshell": "devshell_2",
+        "flake-parts": "flake-parts_2",
         "nix-index-database": "nix-index-database_2",
         "nixpkgs": [
           "nixpkgs"
         ],
         "nixpkgs-24_05": "nixpkgs-24_05",
-        "nvfetcher": "nvfetcher",
+        "nvfetcher": "nvfetcher_2",
         "pre-commit-hooks-nix": "pre-commit-hooks-nix",
-        "treefmt-nix": "treefmt-nix"
+        "treefmt-nix": "treefmt-nix_2"
       },
       "locked": {
         "lastModified": 1748081225,
@@ -694,8 +898,37 @@
     },
     "nvfetcher": {
       "inputs": {
-        "flake-compat": "flake-compat",
-        "flake-utils": "flake-utils_2",
+        "flake-compat": [
+          "nur-linyinfeng",
+          "flake-compat"
+        ],
+        "flake-utils": [
+          "nur-linyinfeng",
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "nur-linyinfeng",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1732501185,
+        "narHash": "sha256-Z0BpHelaGQsE5VD9hBsBHsvMU9h+Xt0kfkDJyFivZOU=",
+        "owner": "berberman",
+        "repo": "nvfetcher",
+        "rev": "bdb14eab6fe9cefc29efe01e60c3a3f616d6b62a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "berberman",
+        "repo": "nvfetcher",
+        "type": "github"
+      }
+    },
+    "nvfetcher_2": {
+      "inputs": {
+        "flake-compat": "flake-compat_3",
+        "flake-utils": "flake-utils_3",
         "nixpkgs": [
           "nur-xddxdd",
           "nixpkgs"
@@ -789,7 +1022,7 @@
     },
     "pre-commit-hooks-nix": {
       "inputs": {
-        "flake-compat": "flake-compat_2",
+        "flake-compat": "flake-compat_4",
         "gitignore": "gitignore",
         "nixpkgs": [
           "nur-xddxdd",
@@ -828,6 +1061,7 @@
     },
     "root": {
       "inputs": {
+        "aagl": "aagl",
         "blog": "blog",
         "bscpkgs": "bscpkgs",
         "buildproxy": "buildproxy",
@@ -846,6 +1080,7 @@
         "mumax": "mumax",
         "nameof": "nameof",
         "nc4nix": "nc4nix",
+        "nix-flatpak": "nix-flatpak",
         "nix-index-database": "nix-index-database",
         "nix-vscode-extensions": "nix-vscode-extensions",
         "nixos-wallpaper": "nixos-wallpaper",
@@ -856,6 +1091,7 @@
         "nixpkgs-unstable": "nixpkgs-unstable",
         "nixvirt": "nixvirt",
         "nu-scripts": "nu-scripts",
+        "nur-linyinfeng": "nur-linyinfeng",
         "nur-xddxdd": "nur-xddxdd",
         "openxlsx": "openxlsx",
         "phono3py": "phono3py",
@@ -872,6 +1108,7 @@
         "ufo": "ufo",
         "v-sim": "v-sim",
         "vaspberry": "vaspberry",
+        "winapps": "winapps",
         "zpp-bits": "zpp-bits"
       }
     },
@@ -1007,6 +1244,36 @@
         "type": "github"
       }
     },
+    "systems_3": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_4": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
     "tgbot-cpp": {
       "flake": false,
       "locked": {
@@ -1024,6 +1291,27 @@
       }
     },
     "treefmt-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nur-linyinfeng",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1750931469,
+        "narHash": "sha256-0IEdQB1nS+uViQw4k3VGUXntjkDp7aAlqcxdewb/hAc=",
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "rev": "ac8e6f32e11e9c7f153823abc3ab007f2a65d3e1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "type": "github"
+      }
+    },
+    "treefmt-nix_2": {
       "inputs": {
         "nixpkgs": [
           "nur-xddxdd",
@@ -1095,6 +1383,29 @@
         "type": "github"
       }
     },
+    "winapps": {
+      "inputs": {
+        "flake-compat": "flake-compat_5",
+        "flake-utils": "flake-utils_4",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1730460191,
+        "narHash": "sha256-CWaNjs2kOpmsR8ieVwqcd7EAz5Kd3y8I5huZyYgGqlA=",
+        "owner": "winapps-org",
+        "repo": "winapps",
+        "rev": "b18efc4497c0994182bbe482808583c11cc51a2e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "winapps-org",
+        "ref": "feat-nix-packaging",
+        "repo": "winapps",
+        "type": "github"
+      }
+    },
     "zpp-bits": {
       "flake": false,
       "locked": {

flake.nix

@@ -3,7 +3,6 @@
 
   inputs =
   {
-    self.lfs = true;
     nixpkgs.url = "github:CHN-beta/nixpkgs/nixos-25.05";
     nixpkgs-2411.url = "github:CHN-beta/nixpkgs/nixos-24.11";
     nixpkgs-2311.url = "github:CHN-beta/nixpkgs/nixos-23.11";
@@ -24,8 +23,12 @@
       url = "github:pjones/plasma-manager";
       inputs = { nixpkgs.follows = "nixpkgs"; home-manager.follows = "home-manager"; };
     };
+    nur-linyinfeng = { url = "github:linyinfeng/nur-packages"; inputs.nixpkgs.follows = "nixpkgs"; };
+    nix-flatpak.url = "github:gmodena/nix-flatpak";
     catppuccin = { url = "github:catppuccin/nix"; inputs.nixpkgs.follows = "nixpkgs"; };
     bscpkgs = { url = "github:CHN-beta/bscpkgs"; inputs.nixpkgs.follows = "nixpkgs"; };
+    aagl = { url = "github:ezKEa/aagl-gtk-on-nix/release-25.05"; inputs.nixpkgs.follows = "nixpkgs"; };
+    winapps = { url = "github:winapps-org/winapps/feat-nix-packaging"; inputs.nixpkgs.follows = "nixpkgs"; };
     nixvirt = { url = "github:CHN-beta/NixVirt"; inputs.nixpkgs.follows = "nixpkgs"; };
     buildproxy = { url = "github:polygon/nix-buildproxy"; inputs.nixpkgs.follows = "nixpkgs"; };
 
@@ -60,7 +63,7 @@
     sticker = { url = "git+https://git.chn.moe/chn/sticker.git?lfs=1"; flake = false; };
   };
 
-  outputs = inputs: let localLib = import ./flake/lib.nix inputs.nixpkgs.lib; in
+  outputs = inputs: let localLib = import ./flake/lib inputs.nixpkgs.lib; in
   {
     packages.x86_64-linux = import ./flake/packages.nix { inherit inputs localLib; };
     nixosConfigurations = import ./flake/nixos.nix { inherit inputs localLib; };

flake/dns/config/chn.moe.nix

@@ -4,12 +4,12 @@ let
   {
     autoroute = [ "api" "git" "grafana" "matrix" "peertube" "send" "synapse" "vikunja" "铜锣湾" ];
     nas = [ "initrd.nas" ];
-    office = [ "srv2-node0" ];
-    vps4 = [ "initrd.vps4" "xserver.vps4" ];
+    office = [ "srv2-node0" "xserverxmu" ];
+    vps4 = [ "initrd.vps4" "xserver2.vps4" ];
     vps6 =
     [
-      "blog" "catalog" "coturn" "element" "frp" "initrd.vps6" "misskey" "sticker" "synapse-admin" "tgapi"
-      "ua" "vps6.xserver" "铜锣湾实验室"
+      "blog" "catalog" "coturn" "element" "initrd.vps6" "misskey" "sticker" "synapse-admin" "tgapi"
+      "ua" "xserver2" "xserver2.vps6" "铜锣湾实验室"
     ];
     "xlog.autoroute" = [ "xlog" ];
     "wg0.srv1-node0" = [ "wg0.srv1" ];
@@ -17,7 +17,7 @@ let
     srv3 =
     [
       "chat" "freshrss" "huginn" "initrd.srv3" "nextcloud" "photoprism" "rsshub" "ssh.git" "vaultwarden" "webdav"
-      "xserver.srv3" "example"
+      "xserver2.srv3" "example"
     ];
     srv1-node0 = [ "srv1" ];
     srv2-node0 = [ "srv2" ];
@@ -29,7 +29,7 @@ let
     nas = "192.168.1.2";
     pc = "192.168.1.3";
     one = "192.168.1.4";
-    office = "210.34.16.60";
+    office = "210.34.16.20";
     srv1-node0 = "59.77.36.250";
     vps4 = "104.234.37.61";
     vps6 = "144.34.225.59";

flake/lib/buildNixpkgsConfig/default.nix

@@ -22,24 +22,25 @@ let
     }
     // (inputs.lib.optionalAttrs (nixpkgs.march != null)
     {
-      # TODO: test znver3 do use AVX
       oneapiArch = let match = {}; in match.${nixpkgs.march} or nixpkgs.march;
       nvhpcArch = nixpkgs.march;
       # contentAddressedByDefault = true;
     })
     // (inputs.lib.optionalAttrs (nixpkgs.nixRoot != null)
-      { nix = { storeDir = "${nixpkgs.nixRoot}/store"; stateDir = "${nixpkgs.nixRoot}/var"; }; });
+      { nix = { storeDir = "${nixpkgs.nixRoot}/store"; stateDir = "${nixpkgs.nixRoot}/state"; }; });
 in platformConfig //
 {
   inherit config;
   overlays =
   [
+    inputs.topInputs.aagl.overlays.default
     inputs.topInputs.nur-xddxdd.overlays.inSubTree
     inputs.topInputs.nix-vscode-extensions.overlays.default
     inputs.topInputs.buildproxy.overlays.default
     (final: prev:
     {
       inherit (inputs.topInputs.nix-vscode-extensions.overlays.default final prev) nix-vscode-extensions;
+      nur-linyinfeng = (inputs.topInputs.nur-linyinfeng.overlays.default final prev).linyinfeng;
       firefox-addons = (import "${inputs.topInputs.rycee}" { inherit (prev) pkgs; }).firefox-addons;
     })
     inputs.topInputs.self.overlays.default
@@ -58,6 +59,7 @@ in platformConfig //
         };
         libvirt = (prev.libvirt.override { iptables = final.nftables; }).overrideAttrs
           (prev: { patches = prev.patches or [] ++ [ ./libvirt.patch ]; });
+        podman = prev.podman.override { iptables = final.nftables; };
         root = (prev.root.override { stdenv = final.gcc13Stdenv; }).overrideAttrs (prev:
         {
           patches = prev.patches or [] ++ [ ./root.patch ];
@@ -75,38 +77,7 @@ in platformConfig //
             pkgs-unstable =
             {
               source = "nixpkgs-unstable";
-              overlay = final: prev:
-                (inputs.topInputs.self.overlays.default final prev);
-                # {
-                #   ollama = prev.ollama.override { cudaPackages = final.cudaPackages_12_8; };
-                # }
-                # // inputs.lib.optionalAttrs (nixpkgs.march != null)
-                # {
-                #   pythonPackagesExtensions = prev.pythonPackagesExtensions or [] ++ [(final: prev:
-                #   {
-                #     scipy = prev.scipy.overridePythonAttrs (prev:
-                #       { disabledTests = prev.disabledTests or [] ++ [ "test_hyp2f1" ]; });
-                #     rapidocr-onnxruntime = prev.rapidocr-onnxruntime.overridePythonAttrs { doCheck = false; };
-                #     cfn-lint = prev.cfn-lint.overridePythonAttrs { doCheck = false; };
-                #   })];
-                #   rapidjson = prev.rapidjson.overrideAttrs { doCheck = false; };
-                #   valkey = prev.valkey.overrideAttrs { doCheck = false; };
-                # }
-                # // inputs.lib.optionalAttrs
-                #   (builtins.elem nixpkgs.march [ "skylake" "silvermont" "broadwell" "znver3" ])
-                #   { redis = prev.redis.overrideAttrs { doCheck = false; }; }
-                # // inputs.lib.optionalAttrs (prev.stdenv.hostPlatform.avx2Support)
-                # {
-                #   haskellPackages = prev.haskellPackages.override
-                #   {
-                #     overrides = final: prev:
-                #     {
-                #       crypton = prev.crypton.overrideAttrs
-                #         (prev: { configureFlags = prev.configureFlags or [] ++ [ "--ghc-option=-optc-mno-avx2" ]; });
-                #     };
-                #   };
-                # }
-                #   // (inputs.topInputs.self.overlays.default final prev);
+              overlay = inputs.topInputs.self.overlays.default;
             };
           };
           packages = name: import inputs.topInputs.${source.${name}.source or source.${name}}
@@ -154,17 +125,19 @@ in platformConfig //
               { disabledTests = prev.disabledTests or [] ++ [ "test_hyp2f1" ]; });
             rich = prev.rich.overridePythonAttrs (prev:
               { disabledTests = prev.disabledTests or [] ++ [ "test_brokenpipeerror" ]; });
-            # paperwork-backend = prev.paperwork-backend.overrideAttrs (prev: { doCheck = false; });
           }
-          # // (inputs.lib.optionalAttrs (nixpkgs.march != null && !prev.stdenv.hostPlatform.avx2Support)
-          #   {
-          #     numcodecs = prev.numcodecs.overridePythonAttrs (prev:
-          #       { disabledTests = prev.disabledTests or [] ++ [ "test_encode_decode" "test_partial_decode" ]; });
-          #   })
+          // (inputs.lib.optionalAttrs (nixpkgs.march != null && !prev.stdenv.hostPlatform.avx2Support)
+          {
+            numcodecs = prev.numcodecs.overridePythonAttrs (prev:
+            {
+              disabledTests = prev.disabledTests or []
+                ++ [ "test_encode_decode" "test_partial_decode" "test_blosc" ];
+            });
+          })
         ))];
         inherit (final.pkgs-2411) intelPackages_2023;
       })
-      # // (inputs.lib.optionalAttrs (nixpkgs.march == "silvermont")
-      #   { c-blosc = prev.c-blosc.overrideAttrs { doCheck = false; }; })
+      // (inputs.lib.optionalAttrs (nixpkgs.march == "silvermont")
+        { c-blosc = prev.c-blosc.overrideAttrs { doCheck = false; }; })
   )];
 }

flake/lib/default.nix

@@ -1,6 +1,6 @@
 lib: rec
 {
-  attrsToList = attrs: builtins.map (name: { inherit name; value = attrs.${name}; }) (builtins.attrNames attrs);
+  inherit (lib) attrsToList;
   mkConditional = condition: trueResult: falseResult: let inherit (lib) mkMerge mkIf; in
     mkMerge [ ( mkIf condition trueResult ) ( mkIf (!condition) falseResult ) ];
 
@@ -86,4 +86,6 @@ lib: rec
       if (builtins.typeOf pattern) != "list" then throw "pattern should be a list"
       else if pattern == [] then origin
       else deepReplace (builtins.tail pattern) (replace ((builtins.head pattern) // { content = origin; }));
+  
+  buildNixpkgsConfig = import ./buildNixpkgsConfig;
 }

flake/packages.nix

@@ -1,17 +1,16 @@
 { inputs, localLib }: rec
 {
-  pkgs = (import inputs.nixpkgs
+  pkgs = import inputs.nixpkgs (localLib.buildNixpkgsConfig
   {
-    system = "x86_64-linux";
-    config.allowUnfree = true;
-    overlays = [ inputs.self.overlays.default ];
+    inputs = { inherit (inputs.nixpkgs) lib; topInputs = inputs; };
+    nixpkgs = { march = null; cuda = null; nixRoot = null; };
   });
   hpcstat =
     let
       openssh = (pkgs.pkgsStatic.openssh.override { withLdns = false; etcDir = null; }).overrideAttrs
         (prev: { doCheck = false; patches = prev.patches ++ [ ../packages/hpcstat/openssh.patch ];});
       duc = pkgs.pkgsStatic.duc.override { enableCairo = false; cairo = null; pango = null; };
-      glaze = pkgs.pkgsStatic.glaze.overrideAttrs
+      glaze = pkgs.pkgs-2411.pkgsStatic.glaze.overrideAttrs
         (prev: { cmakeFlags = prev.cmakeFlags ++ [ "-Dglaze_ENABLE_FUZZING=OFF" ]; });
       # pkgsStatic.clangStdenv have a bug
       # https://github.com/NixOS/nixpkgs/issues/177129
@@ -29,20 +28,26 @@
     gfortran = pkgs.pkgsStatic.gfortran;
     lapack = pkgs.pkgsStatic.openblas;
   };
-  jykang = import ../devices/jykang.xmuhpc inputs;
+  jykang = import ../devices/jykang.xmuhpc { inherit inputs localLib; };
+  xmuhk = import ../devices/xmuhk { inherit inputs localLib; };
   src =
     let getDrv = x:
       if pkgs.lib.isDerivation x then [ x ]
       else if builtins.isAttrs x then builtins.concatMap getDrv (builtins.attrValues x)
       else if builtins.isList x then builtins.concatMap getDrv x
       else [];
-    in pkgs.writeClosure (getDrv (inputs.self.outputs.src));
+    in pkgs.concatText "src" (getDrv (inputs.self.outputs.src));
   dns-push = pkgs.callPackage ./dns
   {
     inherit localLib;
-    tokenPath = inputs.self.nixosConfigurations.pc.config.sops.secrets."acme/token".path;
+    tokenPath = inputs.self.nixosConfigurations.pc.config.nixos.system.sops.secrets."acme/token".path;
     octodns = pkgs.octodns.withProviders (_: with pkgs.octodns-providers; [ cloudflare ]);
   };
+  archive =
+    let devices =
+      [ "nas" "one" "pc" "srv1-node0" "srv1-node1" "srv1-node2" "srv2-node0" "srv2-node1" "srv3" "vps4" "vps6" ];
+    in pkgs.writeText "archive" (builtins.concatStringsSep "\n" (builtins.map
+      (d: "${inputs.self.outputs.nixosConfigurations.${d}.config.system.build.toplevel}") devices));
 }
 // (builtins.listToAttrs (builtins.map
   (system: { inherit (system) name; value = system.value.config.system.build.toplevel; })

flake/src.nix

@@ -64,6 +64,52 @@
     finalImageTag = "latest";
   };
   misskey = {};
+  lumerical =
+  {
+    lumerical = pkgs.requireFile
+    {
+      name = "lumerical.zip";
+      sha256 = "03nfacykfzal29jdmygrgkl0fqsc3yqp4ig86h1h9sirci87k94c";
+      hashMode = "recursive";
+      message = "Source not found.";
+    };
+    licenseManager =
+    {
+      crack = pkgs.requireFile
+      {
+        name = "crack";
+        sha256 = "1a1k3nlaidi0kk2xxamb4pm46iiz6k3sxynhd65y8riylrkck3md";
+        hashMode = "recursive";
+        message = "Source file not found.";
+      };
+      src = pkgs.requireFile
+      {
+        name = "src";
+        sha256 = "1h93r0bb37279dzghi3k2axf0b8g0mgacw0lcww5j3sx0sqjbg4l";
+        hashMode = "recursive";
+        message = "Source file not found.";
+      };
+      image = "7bb3a43bd1ad6103a57f700b13d11d486b6ea117838201e4a29d79b33ac72e3a";
+      imageFile = pkgs.requireFile
+      {
+        name = "lumericalLicenseManager.tar";
+        sha256 = "ftEZADv8Mgo5coNKs+gxPZPl/YTV3FMMgrF3wUIBEiQ=";
+        message = "Source not found.";
+      };
+      license = pkgs.requireFile
+      {
+        name = "license";
+        sha256 = "07rwin14py6pl1brka7krz7k2g9x41h7ks7dmp1lxdassan86484";
+        message = "Source file not found.";
+      };
+      sifImageFile = pkgs.requireFile
+      {
+        name = "lumericalLicenseManager.sif";
+        sha256 = "i0HGLiRWoKuQYYx44GBkDBbyUvFLbfFShi/hx7KBSuU=";
+        message = "Source file not found.";
+      };
+    };
+  };
   vesta =
   {
     version = "3.90.5a";

modules/bugs/default.nix

@@ -12,8 +12,12 @@ let bugs =
     (attrs: { patches = attrs.patches ++ [ ./xmunet.patch ];}); };
   backlight.boot.kernelParams = [ "nvidia.NVreg_RegistryDwords=EnableBrightnessControl=1" ];
   amdpstate.boot.kernelParams = [ "amd_pstate=active" ];
-  iwlwifi.nixos.system.kernel.modules.modprobeConfig =
-    [ "options iwlwifi power_save=0" "options iwlmvm power_scheme=1" "options iwlwifi uapsd_disable=1" ];
+  iwlwifi.boot.extraModprobeConfig =
+  ''
+    options iwlwifi power_save=0
+    options iwlmvm power_scheme=1
+    options iwlwifi uapsd_disable=1
+  '';
 };
 in
 {

modules/default.nix

@@ -6,8 +6,12 @@ inputs: let inherit (inputs) topInputs; in
     topInputs.sops-nix.nixosModules.sops
     topInputs.nix-index-database.nixosModules.nix-index
     topInputs.impermanence.nixosModules.impermanence
+    topInputs.nix-flatpak.nixosModules.nix-flatpak
     topInputs.catppuccin.nixosModules.catppuccin
+    topInputs.aagl.nixosModules.default
     topInputs.nixvirt.nixosModules.default
+    # TODO: Remove after next release
+    "${topInputs.nixpkgs-unstable}/nixos/modules/services/hardware/lact.nix"
     (inputs:
     {
       config =

modules/hardware/cpu.nix

@@ -0,0 +1,29 @@
+inputs:
+{
+  options.nixos.hardware.cpu = let inherit (inputs.lib) mkOption types; in mkOption
+  {
+    type = types.enum [ "intel" "amd" ];
+    default = let inherit (inputs.config.nixos.system.nixpkgs) march; in
+      if march == null then null
+      else if inputs.lib.hasPrefix "znver" march then "amd"
+      else if (inputs.lib.hasSuffix "lake" march)
+        || (builtins.elem march [ "sandybridge" "silvermont" "haswell" "broadwell" ])
+        then "intel"
+      else null;
+  };
+  config = let inherit (inputs.config.nixos.hardware) cpu; in inputs.lib.mkIf (cpu != null) (inputs.lib.mkMerge
+  [
+    (inputs.lib.mkIf (cpu == "intel")
+    {
+      hardware.cpu.intel.updateMicrocode = true;
+      boot.initrd.availableKernelModules =
+        [ "intel_cstate" "aesni_intel" "intel_cstate" "intel_uncore" "intel_uncore_frequency" "intel_powerclamp" ];
+    })
+    (inputs.lib.mkIf (cpu == "amd")
+    {
+      hardware.cpu.amd = { updateMicrocode = true; ryzen-smu.enable = true; };
+      environment.systemPackages = with inputs.pkgs; [ zenmonitor ];
+      programs.ryzen-monitor-ng.enable = true;
+    })
+  ]);
+}

modules/hardware/cpus.nix

@@ -1,26 +0,0 @@
-inputs:
-{
-  options.nixos.hardware.cpus = let inherit (inputs.lib) mkOption types; in mkOption
-    { type = types.listOf (types.enum [ "intel" "amd" ]); default = []; };
-  config = let inherit (inputs.config.nixos.hardware) cpus; in inputs.lib.mkIf (cpus != [])
-  {
-    hardware.cpu = builtins.listToAttrs
-      (builtins.map (name: { inherit name; value = { updateMicrocode = true; }; }) cpus);
-    boot =
-    {
-      initrd.availableKernelModules =
-        let modules =
-        {
-          intel =
-          [
-            "intel_cstate" "aesni_intel" "intel_cstate" "intel_uncore" "intel_uncore_frequency" "intel_powerclamp"
-          ];
-          amd = [];
-        };
-        in builtins.concatLists (builtins.map (cpu: modules.${cpu}) cpus);
-    };
-    environment.systemPackages =
-      let packages = with inputs.pkgs; { intel = []; amd = [ zenmonitor ]; };
-      in builtins.concatLists (builtins.map (cpu: packages.${cpu}) cpus);
-  };
-}

modules/packages/chromium.nix

@@ -3,7 +3,7 @@ inputs:
   options.nixos.packages.chromium = let inherit (inputs.lib) mkOption types; in mkOption
   {
     type = types.nullOr (types.submodule {});
-    default = if inputs.config.nixos.model.type == "desktop" then {} else null;
+    default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
   };
   config = let inherit (inputs.config.nixos.packages) chromium; in inputs.lib.mkIf (chromium != null)
   {

modules/packages/desktop.nix

@@ -3,7 +3,7 @@ inputs:
   options.nixos.packages.desktop = let inherit (inputs.lib) mkOption types; in mkOption
   {
     type = types.nullOr (types.submodule {});
-    default = if inputs.config.nixos.model.type == "desktop" then {} else null;
+    default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
   };
   config = let inherit (inputs.config.nixos.packages) desktop; in inputs.lib.mkIf (desktop != null)
   {
@@ -15,7 +15,8 @@ inputs:
         [
           # system management
           # TODO: module should add yubikey-touch-detector into path
-          gparted yubikey-touch-detector btrfs-assistant kdePackages.qtstyleplugin-kvantum cpu-x wl-mirror xpra
+          gparted wayland-utils clinfo glxinfo vulkan-tools dracut yubikey-touch-detector btrfs-assistant snapper-gui
+          kdePackages.qtstyleplugin-kvantum ventoy-full cpu-x wl-mirror geekbench xpra
           (
             writeShellScriptBin "xclip"
             ''
@@ -23,57 +24,84 @@ inputs:
               else exec ${wl-clipboard-x11}/bin/xclip "$@"; fi
             ''
           )
+          # color management
+          argyllcms xcalib
           # networking
-          remmina putty kdePackages.krdc
+          remmina putty mtr-gui
           # media
-          mpv nomacs simplescreenrecorder imagemagick gimp-with-plugins qcm waifu2x-converter-cpp blender paraview vlc
-          obs-studio (inkscape-with-extensions.override { inkscapeExtensions = null; }) kdePackages.kcolorchooser
-          kdePackages.kdenlive
+          mpv nomacs simplescreenrecorder imagemagick gimp-with-plugins netease-cloud-music-gtk qcm
+          waifu2x-converter-cpp blender paraview vlc whalebird spotify obs-studio
+          (inkscape-with-extensions.override { inkscapeExtensions = null; })
+          # terminal
+          warp-terminal
           # development
-          adb-sync scrcpy dbeaver-bin aircrack-ng fprettify
+          adb-sync scrcpy dbeaver-bin cling aircrack-ng
+          weston cage openbox krita fprettify # jetbrains.clion 
+          # desktop sharing
+          rustdesk-flutter
           # password and key management
           yubikey-manager yubikey-manager-qt yubikey-personalization yubikey-personalization-gui bitwarden hashcat
-          kdePackages.kleopatra
+          electrum jabref john crunch
           # download
-          qbittorrent wgetpaste rclone
+          qbittorrent nur-xddxdd.baidupcs-go wgetpaste onedrive onedrivegui rclone
           # editor
-          typora
+          typora appflowy notion-app-enhanced joplin-desktop standardnotes logseq obsidian code-cursor
           # news
-          fluent-reader newsflash follow
+          fluent-reader rssguard newsflash newsboat follow
           # nix tools
-          nixpkgs-fmt nixd nix-serve nix-prefetch-github prefetch-npm-deps nix-prefetch-docker
-          # required by vscode nix tools
-          nil
+          nixpkgs-fmt appimage-run nixd nix-serve node2nix nix-prefetch-github prefetch-npm-deps nix-prefetch-docker
+          nix-template nil bundix
           # instant messager
-          element-desktop telegram-desktop discord zoom-us slack nheko
+          element-desktop telegram-desktop discord zoom-us slack nheko hexchat halloy
+          fluffychat signal-desktop qq nur-xddxdd.wechat-uos-sandboxed cinny-desktop
           # browser
           google-chrome tor-browser
           # office
-          crow-translate zotero pandoc texliveFull poppler_utils pdftk pdfchain
-          ydict pspp libreoffice-qt6-fresh ocrmypdf typst
+          crow-translate zotero pandoc texliveFull poppler_utils pdftk pdfchain davinci-resolve
+          ydict texstudio panoply pspp libreoffice-qt6-fresh ocrmypdf typst # paperwork
           # required by ltex-plus.vscode-ltex-plus
           ltex-ls ltex-ls-plus
           # matplot++ needs old gnuplot
-          inputs.pkgs.pkgs-2311.gnuplot
+          pkgs-2311.gnuplot
           # math, physics and chemistry
-          octaveFull mpi geogebra6 qalculate-qt
+          octaveFull ovito localPackages.vesta localPackages.v-sim jmol mpi geogebra6 localPackages.ufo
+          (quantum-espresso.override
+          {
+            stdenv = gcc14Stdenv;
+            gfortran = gfortran14;
+            wannier90 = wannier90.overrideAttrs { buildFlags = [ "dynlib" ]; };
+          })
+          pkgs-2311.hdfview numbat qalculate-qt
+          (if inputs.config.nixos.system.nixpkgs.cuda != null then localPackages.mumax else emptyDirectory)
+          (if inputs.config.nixos.system.nixpkgs.cuda != null
+            then (lammps.override { stdenv = cudaPackages.backendStdenv; }).overrideAttrs (prev:
+            {
+              cmakeFlags = prev.cmakeFlags ++
+                [ "-DPKG_GPU=on" "-DGPU_API=cuda" "-DCMAKE_POLICY_DEFAULT_CMP0146=OLD" ];
+              nativeBuildInputs = prev.nativeBuildInputs ++ [ cudaPackages.cudatoolkit ];
+              buildInputs = prev.buildInputs ++ [ mpi ];
+            })
+            else lammps-mpi)
           # virtualization
-          bottles wineWowPackages.stagingFull
+          virt-viewer bottles wineWowPackages.stagingFull genymotion playonlinux
           # media
           nur-xddxdd.svp
           # for kdenlive auto subtitle
           openai-whisper
-        ];
+        ]
+          ++ (builtins.filter (p: !((p.meta.broken or false) || (builtins.elem p.pname or null [ "falkon" "kalzium" ])))
+            (builtins.filter inputs.lib.isDerivation (builtins.attrValues kdePackages.kdeGear)));
         _pythonPackages = [(pythonPackages: with pythonPackages;
         [
-          scipy scikit-learn jupyterlab autograd numpy 
+          phonopy scipy scikit-learn jupyterlab autograd inputs.pkgs.localPackages.phono3py
+          tensorflow keras numpy
         ])];
       };
       user.sharedModules =
       [{
         config.programs =
         {
-          plasma =
+          plasma = inputs.lib.mkIf (inputs.config.nixos.system.gui.implementation == "kde")
           {
             enable = true;
             configFile =
@@ -119,9 +147,20 @@ inputs:
       adb.enable = true;
       wireshark = { enable = true; package = inputs.pkgs.wireshark; };
       yubikey-touch-detector.enable = true;
-      kdeconnect.enable = true;
-      kde-pim = { enable = true; kmail = true; };
+      kdeconnect.enable = inputs.lib.mkIf (inputs.config.nixos.system.gui.implementation == "kde") true;
+      kde-pim = inputs.lib.mkIf (inputs.config.nixos.system.gui.implementation == "kde")
+        { enable = true; kmail = true; };
+      coolercontrol =
+      {
+        enable = true;
+        nvidiaSupport = if inputs.config.nixos.hardware.gpu.type == null then false
+          else inputs.lib.hasSuffix "nvidia" inputs.config.nixos.hardware.gpu.type;
+      };
+      anime-game-launcher = { enable = true; package = inputs.pkgs.anime-game-launcher; };
+      honkers-railway-launcher = { enable = true; package = inputs.pkgs.honkers-railway-launcher; };
+      sleepy-launcher = { enable = true; package = inputs.pkgs.sleepy-launcher; };
+      alvr = { enable = true; openFirewall = true; };
     };
-    services.pcscd.enable = true;
+    services = { pcscd.enable = true; lact.enable = true; };
   };
 }

modules/packages/firefox.nix

@@ -3,7 +3,7 @@ inputs:
   options.nixos.packages.firefox = let inherit (inputs.lib) mkOption types; in mkOption
   {
     type = types.nullOr (types.submodule {});
-    default = if inputs.config.nixos.model.type == "desktop" then {} else null;
+    default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
   };
   config = let inherit (inputs.config.nixos.packages) firefox; in inputs.lib.mkIf (firefox != null)
   {
@@ -24,7 +24,11 @@ inputs:
           {
             enable = true;
             nativeMessagingHosts = with inputs.pkgs;
-              [ kdePackages.plasma-browser-integration uget-integrator ];
+            (
+              [ uget-integrator ]
+              ++ (inputs.lib.optionals (inputs.config.nixos.system.gui.implementation == "kde")
+                [ kdePackages.plasma-browser-integration ])
+            );
             # TODO: use fixed-version of plugins
             policies.DefaultDownloadDirectory = "\${home}/Downloads";
             profiles.default =
@@ -33,8 +37,9 @@ inputs:
               [
                 tampermonkey bitwarden cookies-txt dualsub firefox-color i-dont-care-about-cookies
                 metamask pakkujs rsshub-radar rsspreview tabliss tree-style-tab ublock-origin
-                wappalyzer grammarly plasma-integration zotero-connector smartproxy kiss-translator
-              ];
+                wappalyzer grammarly zotero-connector smartproxy kiss-translator
+              ] ++ (inputs.lib.optionals (inputs.config.nixos.system.gui.implementation == "kde")
+                [ plasma-integration ]);
               search = { default = "google"; force = true; };
               userChrome = builtins.readFile "${inputs.topInputs.lepton}/userChrome.css";
               userContent = builtins.readFile "${inputs.topInputs.lepton}/userContent.css";

modules/packages/flatpak.nix

@@ -0,0 +1,12 @@
+inputs:
+{
+  options.nixos.packages.flatpak = let inherit (inputs.lib) mkOption types; in mkOption
+  {
+    type = types.nullOr (types.submodule {});
+    default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
+  };
+  config = let inherit (inputs.config.nixos.packages) flatpak; in inputs.lib.mkIf (flatpak != null)
+  {
+    services.flatpak = { enable = true; uninstallUnmanaged = true; };
+  };
+}

modules/packages/lammps.nix

@@ -1,23 +0,0 @@
-inputs:
-{
-  options.nixos.packages.lammps = let inherit (inputs.lib) mkOption types; in mkOption
-    { type = types.nullOr (types.submodule {}); default = null; };
-  config = let inherit (inputs.config.nixos.packages) lammps; in inputs.lib.mkIf (lammps != null)
-  {
-    nixos.packages =
-    {
-      molecule = {};
-      packages._packages =
-        let cuda = let inherit (inputs.config.nixos.system.nixpkgs) cuda; in cuda.capabilities or null != null;
-        in
-          if cuda then [((inputs.pkgs.lammps.override { stdenv = inputs.pkgs.cudaPackages.backendStdenv; })
-            .overrideAttrs (prev:
-            {
-              cmakeFlags = prev.cmakeFlags ++ [ "-DPKG_GPU=on" "-DGPU_API=cuda" "-DCMAKE_POLICY_DEFAULT_CMP0146=OLD" ];
-              nativeBuildInputs = prev.nativeBuildInputs ++ [ inputs.pkgs.cudaPackages.cudatoolkit ];
-              buildInputs = prev.buildInputs ++ [ inputs.pkgs.mpi ];
-            }))]
-          else [ inputs.pkgs.lammps-mpi ];
-    };
-  };
-}

modules/packages/lumerical.nix

@@ -0,0 +1,13 @@
+inputs:
+{
+  options.nixos.packages.lumerical = let inherit (inputs.lib) mkOption types; in mkOption
+    { type = types.nullOr (types.submodule {}); default = null; };
+  config = let inherit (inputs.config.nixos.packages) lumerical; in inputs.lib.mkIf (lumerical != null)
+  {
+    nixos =
+    {
+      packages.packages._packages = [ inputs.pkgs.localPackages.lumerical.lumerical.cmd ];
+      services.lumericalLicenseManager = {};
+    };
+  };
+}

modules/packages/minimal.nix

@@ -30,18 +30,30 @@ inputs:
         # encryption and authentication
         apacheHttpd openssl ssh-to-age gnupg age sops pam_u2f yubico-piv-tool libfido2
         # networking
-        ipset iptables iproute2 dig nettools traceroute tcping-go whois tcpdump nmap inetutils wireguard-tools
+        ipset iptables iproute2 dig nettools traceroute tcping-go whois tcpdump nmap inetutils wireguard-tools openvpn
+        parted
         # nix tools
         nix-output-monitor nix-tree ssh-to-age nix-inspect
         # development
-        gdb try inputs.topInputs.plasma-manager.packages.${inputs.pkgs.system}.rc2nix rr hexo-cli gh nix-init hugo
+        gdb try rr hexo-cli gh nix-init hugo
         (octodns.withProviders (_: with octodns-providers; [ cloudflare ]))
         # stupid things
         toilet lolcat localPackages.stickerpicker graph-easy
         # office
         pdfgrep ffmpeg-full hdf5
       ]
-        ++ (with inputs.config.boot.kernelPackages; [ cpupower usbip ]);
+        ++ (with inputs.config.boot.kernelPackages; [ cpupower usbip ])
+        ++ (inputs.lib.optionals (inputs.config.nixos.system.gui.implementation == "kde")
+          [ inputs.topInputs.plasma-manager.packages.${inputs.pkgs.system}.rc2nix ]);
+      _pythonPackages = [(pythonPackages: with pythonPackages;
+      [
+        openai python-telegram-bot fastapi-cli pypdf2 pandas matplotlib plotly gunicorn redis jinja2 certifi 
+        charset-normalizer idna orjson psycopg2 inquirerpy requests tqdm pydbus
+        # allow pandas read odf
+        odfpy
+        # for vasp plot-workfunc.py
+        ase
+      ])];
     };
     programs =
     {

modules/packages/molecule.nix

@@ -1,20 +0,0 @@
-inputs:
-{
-  options.nixos.packages.molecule = let inherit (inputs.lib) mkOption types; in mkOption
-  {
-    type = types.nullOr (types.submodule {});
-    default = if inputs.config.nixos.model.type == "desktop" then {} else null;
-  };
-  config = let inherit (inputs.config.nixos.packages) molecule; in inputs.lib.mkIf (molecule != null)
-  {
-    nixos.packages.packages =
-    {
-      _packages = with inputs.pkgs;
-        [ ovito localPackages.vesta localPackages.v-sim localPackages.ufo inputs.pkgs.pkgs-2311.hdfview ];
-      _pythonPackages = [(pythonPackages: with pythonPackages;
-      [
-        phonopy inputs.pkgs.localPackages.phono3py
-      ])];
-    };
-  };
-}

modules/packages/mumax.nix

@@ -1,9 +0,0 @@
-inputs:
-{
-  options.nixos.packages.mumax = let inherit (inputs.lib) mkOption types; in mkOption
-    { type = types.nullOr (types.submodule {}); default = null; };
-  config = let inherit (inputs.config.nixos.packages) mumax; in inputs.lib.mkIf (mumax != null)
-  {
-    nixos.packages.packages._packages = [ inputs.pkgs.localPackages.mumax ];
-  };
-}

modules/packages/steam.nix

@@ -3,7 +3,7 @@ inputs:
   options.nixos.packages.steam = let inherit (inputs.lib) mkOption types; in mkOption
   {
     type = types.nullOr (types.submodule {});
-    default = if inputs.config.nixos.model.type == "desktop" then {} else null;
+    default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
   };
   config = let inherit (inputs.config.nixos.packages) steam; in inputs.lib.mkIf (steam != null)
   {

modules/packages/vasp.nix

@@ -4,20 +4,14 @@ inputs:
     { type = types.nullOr (types.submodule {}); default = null; };
   config = let inherit (inputs.config.nixos.packages) vasp; in inputs.lib.mkIf (vasp != null)
   {
-    nixos.packages =
+    nixos.packages.packages = with inputs.pkgs;
     {
-      molecule = {};
-      packages = with inputs.pkgs;
-      {
-        _packages =
-        (
-          [ localPackages.vasp.intel localPackages.vasp.vtst localPackages.vaspkit wannier90 ]
-            ++ (inputs.lib.optional
-              (let inherit (inputs.config.nixos.system.nixpkgs) cuda; in cuda.capabilities or null != null)
-              localPackages.vasp.nvidia)
-        );
-        _pythonPackages = [(_: [ localPackages.py4vasp ])];
-      };
+      _packages =
+      [
+        localPackages.vasp.intel localPackages.vasp.vtst localPackages.vaspkit wannier90
+        (if inputs.config.nixos.system.nixpkgs.cuda != null then localPackages.vasp.nvidia else emptyDirectory)
+      ];
+      _pythonPackages = [(_: [ localPackages.py4vasp ])];
     };
   };
 }

modules/packages/vscode.nix

@@ -3,7 +3,7 @@ inputs:
   options.nixos.packages.vscode = let inherit (inputs.lib) mkOption types; in mkOption
   {
     type = types.nullOr (types.submodule {});
-    default = if inputs.config.nixos.model.type == "desktop" then {} else null;
+    default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
   };
   config = let inherit (inputs.config.nixos.packages) vscode; in inputs.lib.mkIf (vscode != null)
   {
@@ -72,9 +72,12 @@ inputs:
                 ltex-plus.vscode-ltex-plus
               ]
               # jupyter
-              # TODO: use last release
+              # TODO: pick all extensions from nixpkgs or nix-vscode-extensions, explicitly
               ++ (with vscode-extensions.ms-toolsai;
-                [ jupyter jupyter-keymap jupyter-renderers vscode-jupyter-cell-tags vscode-jupyter-slideshow ]);
+              [
+                jupyter jupyter-keymap jupyter-renderers vscode-jupyter-cell-tags vscode-jupyter-slideshow
+                datawrangler
+              ]);
           extraFlags = builtins.concatStringsSep " " inputs.config.nixos.packages.packages._vscodeEnvFlags;
         }
       )];

modules/packages/winapps/default.nix

@@ -0,0 +1,47 @@
+inputs:
+{
+  options.nixos.packages.winapps = let inherit (inputs.lib) mkOption types; in mkOption
+  {
+    type = types.nullOr (types.submodule {});
+    default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
+  };
+  config = let inherit (inputs.config.nixos.packages) winapps; in inputs.lib.mkIf (winapps != null)
+  {
+    nixos.packages.packages._packages =
+    [
+      (inputs.pkgs.callPackage "${inputs.topInputs.winapps}/packages/winapps" {})
+      (inputs.pkgs.runCommand "winapps-windows" {}
+      ''
+        mkdir -p $out/share/applications
+        cp ${inputs.pkgs.replaceVars ./windows.desktop { path = inputs.topInputs.winapps; }} \
+          $out/share/applications/windows.desktop
+      '')
+    ]
+      ++ builtins.map
+        (p: inputs.pkgs.runCommand "winapps-${p}" {}
+        ''
+          mkdir -p $out/share/applications
+          source ${inputs.topInputs.winapps}/apps/${p}/info
+          # replace \ with \\
+          WIN_EXECUTABLE=$(echo $WIN_EXECUTABLE | sed 's/\\/\\\\/g')
+          # replace space with \s
+          WIN_EXECUTABLE=$(echo $WIN_EXECUTABLE | sed 's/ /\\s/g')
+          cat > $out/share/applications/${p}.desktop << EOF
+          [Desktop Entry]
+          Name=$NAME
+          Exec=winapps manual "$WIN_EXECUTABLE" %F
+          Terminal=false
+          Type=Application
+          Icon=${inputs.topInputs.winapps}/apps/${p}/icon.svg
+          StartupWMClass=$FULL_NAME
+          Comment=$FULL_NAME
+          Categories=$CATEGORIES
+          MimeType=$MIME_TYPES
+          EOF
+        '')
+        [
+          "access-o365" "acrobat-x-pro" "cmd" "excel-o365" "explorer" "illustrator-cc" "powerpoint-o365"
+          "visual-studio-comm" "word-o365"
+        ];
+  };
+}

modules/packages/winapps/windows.desktop

@@ -0,0 +1,9 @@
+[Desktop Entry]
+Name=Windows
+Exec=winapps windows %F
+Terminal=false
+Type=Application
+Icon=@path@/icons/windows.svg
+StartupWMClass=Micorosoft Windows
+Comment=Micorosoft Windows
+Categories=Windows

modules/packages/zsh/default.nix

@@ -63,6 +63,7 @@ inputs:
                 [[ ! -r "$P10K_INSTANT_PROMPT" ]] || source "$P10K_INSTANT_PROMPT"
                 HYPHEN_INSENSITIVE="true"
                 export PATH=~/bin:$PATH
+                zstyle ':vcs_info:*' disable-patterns "/nix/remote/*"
               '';
               oh-my-zsh.theme = "";
             };

modules/services/acme.nix

@@ -34,21 +34,21 @@ inputs:
           name = builtins.elemAt cert.value.domains 0;
           value =
           {
-            credentialsFile = inputs.config.sops.templates."acme/cloudflare.ini".path;
+            credentialsFile = inputs.config.nixos.system.sops.templates."acme/cloudflare.ini".path;
             extraDomainNames = builtins.tail cert.value.domains;
             group = inputs.lib.mkIf (cert.value.group != null) cert.value.group;
           };
         })
         (inputs.localLib.attrsToList acme.cert));
     };
-    sops =
+    nixos.system.sops =
     {
       templates."acme/cloudflare.ini".content =
       ''
-        CLOUDFLARE_DNS_API_TOKEN=${inputs.config.sops.placeholder."acme/token"}
+        CLOUDFLARE_DNS_API_TOKEN=${inputs.config.nixos.system.sops.placeholder."acme/token"}
         CLOUDFLARE_PROPAGATION_TIMEOUT=300
       '';
-      secrets."acme/token".sopsFile = "${inputs.config.nixos.system.sops.crossSopsDir}/default.yaml";
+      secrets."acme/token" = {};
     };
   };
 }

modules/services/beesd.nix

@@ -25,7 +25,6 @@ inputs:
           inherit (fs.value) hashTableSizeMB;
           extraOptions =
           [
-            "--workaround-btrfs-send"
             "--thread-count" "${builtins.toString fs.value.threads}"
             "--loadavg-target" "${builtins.toString fs.value.loadAverage}"
             "--scan-mode" "3"

modules/services/coturn.nix

@@ -14,14 +14,17 @@ inputs:
     {
       enable = true;
       use-auth-secret = true;
-      static-auth-secret-file = inputs.config.sops.secrets."coturn/auth-secret".path;
+      static-auth-secret-file = inputs.config.nixos.system.sops.secrets."coturn/auth-secret".path;
       realm = coturn.hostname;
       cert = "${keydir}/full.pem";
       pkey = "${keydir}/key.pem";
       no-cli = true;
     };
-    sops.secrets."coturn/auth-secret".owner = inputs.config.systemd.services.coturn.serviceConfig.User;
-    nixos.services.acme.cert.${coturn.hostname}.group = inputs.config.systemd.services.coturn.serviceConfig.Group;
+    nixos =
+    {
+      system.sops.secrets."coturn/auth-secret".owner = inputs.config.systemd.services.coturn.serviceConfig.User;
+      services.acme.cert.${coturn.hostname}.group = inputs.config.systemd.services.coturn.serviceConfig.Group;
+    };
     networking.firewall = with inputs.config.services.coturn;
     {
       allowedUDPPorts = [ listening-port tls-listening-port ];

modules/services/docker.nix

@@ -1,31 +0,0 @@
-inputs:
-{
-  options.nixos.services.docker = let inherit (inputs.lib) mkOption types; in mkOption
-    { type = types.nullOr (types.submodule {}); default = null; };
-  config = let inherit (inputs.config.nixos.services) docker; in inputs.lib.mkIf (docker != null)
-  {
-    virtualisation.docker =
-    {
-      enable = true;
-      # prevent create btrfs subvol
-      storageDriver = "overlay2";
-      daemon.settings.dns = [ "1.1.1.1" ];
-      rootless =
-      {
-        enable = true;
-        setSocketVariable = true;
-        daemon.settings =
-        {
-          features.buildkit = true;
-          # dns 127.0.0.1 make docker not work
-          dns = [ "1.1.1.1" ];
-          # prevent create btrfs subvol
-          storage-driver = "overlay2";
-          live-restore = true;
-        };
-      };
-    };
-    hardware.nvidia-container-toolkit.enable = inputs.lib.mkIf (inputs.config.nixos.system.nixpkgs.cuda != null) true;
-    networking.firewall.trustedInterfaces = [ "docker0" ];
-  };
-}

modules/services/freshrss.nix

@@ -15,19 +15,18 @@ inputs:
       enable = true;
       baseUrl = "https://${freshrss.hostname}";
       defaultUser = "chn";
-      passwordFile = inputs.config.sops.secrets."freshrss/chn".path;
-      database = { type = "mysql"; passFile = inputs.config.sops.secrets."freshrss/db".path; };
-    };
-    sops.secrets =
-    {
-      "freshrss/chn".owner = inputs.config.users.users.freshrss.name;
-      "freshrss/db" = { owner = inputs.config.users.users.freshrss.name; key = "mariadb/freshrss"; };
+      passwordFile = inputs.config.nixos.system.sops.secrets."freshrss/chn".path;
+      database = { type = "mysql"; passFile = inputs.config.nixos.system.sops.secrets."freshrss/db".path; };
     };
     systemd.services.freshrss-config.after = [ "mysql.service" ];
-    nixos.services =
+    nixos =
     {
-      mariadb = { enable = true; instances.freshrss = {}; };
-      nginx.https.${freshrss.hostname}.global.configName = "freshrss";
+      services = { mariadb.instances.freshrss = {}; nginx.https.${freshrss.hostname}.global.configName = "freshrss"; };
+      system.sops.secrets =
+      {
+        "freshrss/chn".owner = inputs.config.users.users.freshrss.name;
+        "freshrss/db" = { owner = inputs.config.users.users.freshrss.name; key = "mariadb/freshrss"; };
+      };
     };
   };
 }

modules/services/frp.nix

@@ -1,203 +0,0 @@
-inputs:
-{
-  options.nixos.services = let inherit (inputs.lib) mkOption types; in
-  {
-    frpClient =
-    {
-      enable = mkOption { type = types.bool; default = false; };
-      serverName = mkOption { type = types.nonEmptyStr; };
-      user = mkOption { type = types.nonEmptyStr; };
-      tcp = mkOption
-      {
-        type = types.attrsOf (types.submodule (inputs:
-        {
-          options =
-          {
-            localIp = mkOption { type = types.nonEmptyStr; default = "127.0.0.1"; };
-            localPort = mkOption { type = types.ints.unsigned; };
-            remoteIp = mkOption { type = types.nonEmptyStr; default = "127.0.0.1"; };
-            remotePort = mkOption { type = types.ints.unsigned; default = inputs.config.localPort; };
-          };
-        }));
-        default = {};
-      };
-      stcp = mkOption
-      {
-        type = types.attrsOf (types.submodule (inputs:
-        {
-          options =
-          {
-            localIp = mkOption { type = types.nonEmptyStr; default = "127.0.0.1"; };
-            localPort = mkOption { type = types.ints.unsigned; };
-          };
-        }));
-        default = {};
-      };
-      stcpVisitor = mkOption
-      {
-        type = types.attrsOf (types.submodule (inputs:
-        {
-          options =
-          {
-            localIp = mkOption { type = types.nonEmptyStr; default = "127.0.0.1"; };
-            localPort = mkOption { type = types.ints.unsigned; };
-          };
-        }));
-        default = {};
-      };
-    };
-    frpServer =
-    {
-      enable = mkOption { type = types.bool; default = false; };
-      serverName = mkOption { type = types.nonEmptyStr; };
-    };
-  };
-  config =
-    let
-      inherit (inputs.lib) mkMerge mkIf;
-      inherit (inputs.lib.strings) splitString;
-      inherit (inputs.localLib) attrsToList;
-      inherit (inputs.config.nixos.services) frpClient frpServer;
-      inherit (builtins) map listToAttrs;
-    in mkMerge
-    [
-      (
-        mkIf frpClient.enable
-        {
-          systemd.services.frpc =
-            let
-              frpc = "${inputs.pkgs.frp}/bin/frpc";
-              config = inputs.config.sops.templates."frpc.json";
-            in
-            {
-              description = "Frp Client Service";
-              after = [ "network.target" ];
-              serviceConfig =
-              {
-                Type = "simple";
-                User = "frp";
-                Restart = "always";
-                RestartSec = "5s";
-                ExecStart = "${frpc} -c ${config.path}";
-                LimitNOFILE = 1048576;
-              };
-              wantedBy= [ "multi-user.target" ];
-              restartTriggers = [ config.file ];
-            };
-          sops =
-          {
-            templates."frpc.json" =
-            {
-              owner = inputs.config.users.users.frp.name;
-              group = inputs.config.users.users.frp.group;
-              content = builtins.toJSON
-              {
-                auth.token = inputs.config.sops.placeholder."frp/token";
-                user = frpClient.user;
-                serverAddr = frpClient.serverName;
-                serverPort = 7000;
-                proxies =
-                (map
-                  (tcp:
-                  {
-                    name = tcp.name;
-                    type = "tcp";
-                    transport.useCompression = true;
-                    inherit (tcp.value) localIp localPort remotePort;
-                  })
-                  (attrsToList frpClient.tcp))
-                ++ (map
-                  (stcp:
-                  {
-                    name = stcp.name;
-                    type = "stcp";
-                    transport.useCompression = true;
-                    secretKey = inputs.config.sops.placeholder."frp/stcp/${stcp.name}";
-                    allowUsers = [ "*" ];
-                    inherit (stcp.value) localIp localPort;
-                  })
-                  (attrsToList frpClient.stcp));
-                visitors = map
-                  (stcp:
-                  {
-                    name = stcp.name;
-                    type = "stcp";
-                    transport.useCompression = true;
-                    secretKey = inputs.config.sops.placeholder."frp/stcp/${stcp.name}";
-                    serverUser = builtins.elemAt (splitString "." stcp.name) 0;
-                    serverName = builtins.elemAt (splitString "." stcp.name) 1;
-                    bindAddr = stcp.value.localIp;
-                    bindPort = stcp.value.localPort;
-                  })
-                  (attrsToList frpClient.stcpVisitor);
-              };
-            };
-            secrets = listToAttrs
-            (
-              [{ name = "frp/token"; value = {}; }]
-              ++ (map
-                (stcp: { name = "frp/stcp/${stcp.name}"; value = {}; })
-                (attrsToList (with frpClient; stcp // stcpVisitor)))
-            );
-          };
-          users =
-          {
-            users.frp = { uid = inputs.config.nixos.user.uid.frp; group = "frp"; isSystemUser = true; };
-            groups.frp.gid = inputs.config.nixos.user.gid.frp;
-          };
-        }
-      )
-      (
-        mkIf frpServer.enable
-        {
-          systemd.services.frps =
-            let
-              frps = "${inputs.pkgs.frp}/bin/frps";
-              config = inputs.config.sops.templates."frps.json";
-            in
-            {
-              description = "Frp Server Service";
-              after = [ "network.target" ];
-              serviceConfig =
-              {
-                Type = "simple";
-                User = "frp";
-                Restart = "on-failure";
-                RestartSec = "5s";
-                ExecStart = "${frps} -c ${config.path}";
-                LimitNOFILE = 1048576;
-              };
-              wantedBy= [ "multi-user.target" ];
-              restartTriggers = [ config.file ];
-            };
-          sops =
-          {
-            templates."frps.json" =
-            {
-              owner = inputs.config.users.users.frp.name;
-              group = inputs.config.users.users.frp.group;
-              content = builtins.toJSON
-              {
-                auth.token = inputs.config.sops.placeholder."frp/token";
-                transport.tls = let cert = inputs.config.security.acme.certs.${frpServer.serverName}.directory; in
-                {
-                  force = true;
-                  certFile = "${cert}/full.pem";
-                  keyFile = "${cert}/key.pem";
-                  serverName = frpServer.serverName;
-                };
-              };
-            };
-            secrets."frp/token" = {};
-          };
-          nixos.services.acme.cert.${frpServer.serverName}.group = "frp";
-          users =
-          {
-            users.frp = { uid = inputs.config.nixos.user.uid.frp; group = "frp"; isSystemUser = true; };
-            groups.frp.gid = inputs.config.nixos.user.gid.frp;
-          };
-          networking.firewall.allowedTCPPorts = [ 7000 ];
-        }
-      )
-    ];
-}

modules/services/gitea.nix

@@ -1,28 +1,31 @@
 inputs:
 {
-  options.nixos.services.gitea = let inherit (inputs.lib) mkOption types; in
+  options.nixos.services.gitea = let inherit (inputs.lib) mkOption types; in mkOption
   {
-    enable = mkOption { type = types.bool; default = false; };
-    hostname = mkOption { type = types.str; default = "git.chn.moe"; };
-    ssh = mkOption
+    type = types.nullOr (types.submodule { options =
     {
-      type = types.nullOr (types.submodule { options =
+      hostname = mkOption { type = types.str; default = "git.chn.moe"; };
+      ssh =
       {
         hostname = mkOption { type = types.str; default = "ssh.${inputs.config.nixos.services.gitea.hostname}"; };
         port = mkOption { type = types.nullOr types.ints.unsigned; default = null; };
-      };});
-      default = null;
-    };
+      };
+    };});
+    default = null;
   };
-  config = let inherit (inputs.config.nixos.services) gitea; in inputs.lib.mkIf gitea.enable
+  config = let inherit (inputs.config.nixos.services) gitea; in inputs.lib.mkIf (gitea != null)
   {
     services.gitea =
     {
       enable = true;
       lfs.enable = true;
-      mailerPasswordFile = inputs.config.sops.secrets."gitea/mail".path;
+      mailerPasswordFile = inputs.config.nixos.system.sops.secrets."gitea/mail".path;
       database =
-        { createDatabase = false; type = "postgres"; passwordFile = inputs.config.sops.secrets."gitea/db".path; };
+      {
+        createDatabase = false;
+        type = "postgres";
+        passwordFile = inputs.config.nixos.system.sops.secrets."gitea/db".path;
+      };
       settings =
       {
         session.COOKIE_SECURE = true;
@@ -31,8 +34,8 @@ inputs:
           ROOT_URL = "https://${gitea.hostname}";
           DOMAIN = gitea.hostname;
           HTTP_PORT = 3002;
-          SSH_DOMAIN = inputs.lib.mkIf (gitea.ssh != null) gitea.ssh.hostname;
-          SSH_PORT = inputs.lib.mkIf ((gitea.ssh.port or null) != null) gitea.ssh.port;
+          SSH_DOMAIN = gitea.ssh.hostname;
+          SSH_PORT = inputs.lib.mkIf (gitea.ssh.port != null) gitea.ssh.port;
         };
         mailer =
         {
@@ -45,14 +48,21 @@ inputs:
         };
         service.DISABLE_REGISTRATION = true;
         security.LOGIN_REMEMBER_DAYS = 365;
+        "git.timeout" = builtins.listToAttrs (builtins.map (n: { name = n; value = 1800; })
+          [ "DEFAULT" "MIGRATE" "MIRROR" "CLONE" "PULL" "GC" ]);
       };
     };
-    nixos.services =
+    nixos =
     {
-      nginx =
+      system.sops.secrets =
       {
-        enable = true;
-        https.${gitea.hostname}.location =
+        "gitea/mail" = { owner = "gitea"; key = "mail/bot"; };
+        "gitea/db" = { owner = "gitea"; key = "postgresql/gitea"; };
+        "mail/bot" = {};
+      };
+      services =
+      {
+        nginx.https.${gitea.hostname}.location =
         {
           "/".proxy.upstream = "http://127.0.0.1:3002";
           "/robots.txt".static.root =
@@ -63,14 +73,8 @@ inputs:
             };
             in "${inputs.pkgs.runCommand "robots.txt" {} "mkdir -p $out; cp ${robotsFile} $out/robots.txt"}";
         };
+        postgresql.instances.gitea = {};
       };
-      postgresql.instances.gitea = {};
-    };
-    sops.secrets =
-    {
-      "gitea/mail" = { owner = "gitea"; key = "mail/bot"; };
-      "gitea/db" = { owner = "gitea"; key = "postgresql/gitea"; };
-      "mail/bot" = {};
     };
   };
 }

modules/services/grafana.nix

@@ -24,7 +24,7 @@ inputs:
             enabled = true;
             host = "mail.chn.moe";
             user = "bot@chn.moe";
-            password = "$__file{${inputs.config.sops.secrets."grafana/mail".path}}";
+            password = "$__file{${inputs.config.nixos.system.sops.secrets."grafana/mail".path}}";
             from_address = "bot@chn.moe";
             ehlo_identity = grafana.hostname;
             startTLS_policy = "MandatoryStartTLS";
@@ -32,9 +32,9 @@ inputs:
           server = { root_url = "https://${grafana.hostname}"; http_port = 3001; enable_gzip = true; };
           security =
           {
-            secret_key = "$__file{${inputs.config.sops.secrets."grafana/secret".path}}";
+            secret_key = "$__file{${inputs.config.nixos.system.sops.secrets."grafana/secret".path}}";
             admin_user = "chn";
-            admin_password = "$__file{${inputs.config.sops.secrets."grafana/chn".path}}";
+            admin_password = "$__file{${inputs.config.nixos.system.sops.secrets."grafana/chn".path}}";
             admin_email = "chn@chn.moe";
           };
           database =
@@ -42,7 +42,7 @@ inputs:
             type = "postgres";
             host = "127.0.0.1:5432";
             user = "grafana";
-            password = "$__file{${inputs.config.sops.secrets."grafana/db".path}}";
+            password = "$__file{${inputs.config.nixos.system.sops.secrets."grafana/db".path}}";
           };
         };
         provision =
@@ -78,23 +78,21 @@ inputs:
         extraFlags = [ "--storage.tsdb.max-block-chunk-segment-size=16MB" ];
       };
     };
-    nixos.services =
+    nixos =
     {
-      nginx =
+      services =
       {
-        enable = true;
-        https.${grafana.hostname}.location."/".proxy =
-          { upstream = "http://127.0.0.1:3001"; websocket = true; };
+        nginx.https.${grafana.hostname}.location."/".proxy = { upstream = "http://127.0.0.1:3001"; websocket = true; };
+        postgresql.instances.grafana = {};
+      };
+      system.sops.secrets = let owner = inputs.config.systemd.services.grafana.serviceConfig.User; in
+      {
+        "grafana/mail" = { owner = owner; key = "mail/bot"; };
+        "grafana/secret".owner = owner;
+        "grafana/chn".owner = owner;
+        "grafana/db" = { owner = owner; key = "postgresql/grafana"; };
+        "mail/bot" = {};
       };
-      postgresql.instances.grafana = {};
-    };
-    sops.secrets = let owner = inputs.config.systemd.services.grafana.serviceConfig.User; in
-    {
-      "grafana/mail" = { owner = owner; key = "mail/bot"; };
-      "grafana/secret".owner = owner;
-      "grafana/chn".owner = owner;
-      "grafana/db" = { owner = owner; key = "postgresql/grafana"; };
-      "mail/bot" = {};
     };
     environment.persistence."/nix/nodatacow".directories =
       [{ directory = "/var/lib/prometheus2"; user = "prometheus"; group = "prometheus"; mode = "0700"; }];

modules/services/hpcstat.nix

@@ -15,13 +15,13 @@ inputs:
             grep = "${inputs.pkgs.gnugrep}/bin/grep";
             curl = "${inputs.pkgs.curl}/bin/curl";
             cat = "${inputs.pkgs.coreutils}/bin/cat";
-            token = inputs.config.sops.secrets."telegram/token".path;
-            chat = inputs.config.sops.secrets."telegram/user/chn".path;
+            token = inputs.config.nixos.system.sops.secrets."telegram/token".path;
+            chat = inputs.config.nixos.system.sops.secrets."telegram/user/chn".path;
             date = "${inputs.pkgs.coreutils}/bin/date";
             hpcstat = "${inputs.pkgs.localPackages.hpcstat}/bin/hpcstat";
             ssh = "${inputs.pkgs.openssh}/bin/ssh -i ${key} -o StrictHostKeyChecking=no"
               + " -o ForwardAgent=yes -o AddKeysToAgent=yes";
-            key = inputs.config.sops.secrets."hpcstat/key".path;
+            key = inputs.config.nixos.system.sops.secrets."hpcstat/key".path;
             jykang = "${inputs.topInputs.self}/devices/jykang.xmuhpc/files";
             ssh-agent = "${inputs.pkgs.openssh}/bin/ssh-agent";
           in
@@ -105,10 +105,10 @@ inputs:
           (inputs.localLib.attrsToList calenders));
         tmpfiles.rules = [ "d /var/lib/hpcstat 0700 hpcstat hpcstat" ];
       };
-    sops.secrets = let sopsFile = "${inputs.config.nixos.system.sops.crossSopsDir}/default.yaml"; in
+    nixos.system.sops.secrets =
     {
-      "telegram/token" = { group = "telegram"; mode = "0440"; inherit sopsFile; };
-      "telegram/user/chn" = { group = "telegram"; mode = "0440"; inherit sopsFile; };
+      "telegram/token" = { group = "telegram"; mode = "0440"; };
+      "telegram/user/chn" = { group = "telegram"; mode = "0440"; };
       "hpcstat/key" = { owner = "hpcstat"; group = "hpcstat"; };
     };
     users =

modules/services/httpapi.nix

@@ -1,18 +1,18 @@
 inputs:
 {
-  options.nixos.services.httpapi = let inherit (inputs.lib) mkOption types; in
+  options.nixos.services.httpapi = let inherit (inputs.lib) mkOption types; in mkOption
   {
-    enable = mkOption { type = types.bool; default = false; };
-    hostname = mkOption { type = types.nonEmptyStr; default = "api.chn.moe"; };
-  };
-  config =
-    let
-      inherit (inputs.config.nixos.services) httpapi;
-      inherit (inputs.lib) mkIf;
-      inherit (builtins) toString map;
-    in mkIf httpapi.enable
+    type = types.nullOr (types.submodule { options =
     {
-      nixos.services =
+      hostname = mkOption { type = types.nonEmptyStr; default = "api.chn.moe"; };
+    };});
+    default = null;
+  };
+  config = let inherit (inputs.config.nixos.services) httpapi; in inputs.lib.mkIf (httpapi != null)
+  {
+    nixos =
+    {
+      services =
       {
         phpfpm.instances.httpapi = {};
         nginx.https.${httpapi.hostname}.location =
@@ -21,12 +21,12 @@ inputs:
           "/led".static = { root = "/srv/api"; detectAuth.users = [ "led" ]; };
           "/notify.php".php =
           {
-            root = builtins.dirOf inputs.config.sops.templates."httpapi/notify.php".path;
+            root = builtins.dirOf inputs.config.nixos.system.sops.templates."httpapi/notify.php".path;
             fastcgiPass = inputs.config.nixos.services.phpfpm.instances.httpapi.fastcgi;
           };
         };
       };
-      sops =
+      system.sops =
       {
         templates."httpapi/notify.php" =
         {
@@ -34,14 +34,14 @@ inputs:
           group = inputs.config.users.users.httpapi.group;
           content =
             let
-              placeholder = inputs.config.sops.placeholder;
+              inherit (inputs.config.sops) placeholder;
               request = "https://api.telegram.org/bot${placeholder."telegram/token"}"
                 + "/sendMessage?chat_id=${placeholder."telegram/user/chn"}&text=";
             in ''<?php print file_get_contents("${request}".urlencode($_GET["message"])); ?>'';
         };
-        secrets = let sopsFile = "${inputs.config.nixos.system.sops.crossSopsDir}/default.yaml"; in
-          { "telegram/token" = { inherit sopsFile; }; "telegram/user/chn" = { inherit sopsFile; }; };
+        secrets = { "telegram/token" = {}; "telegram/user/chn" = {}; };
       };
-      systemd.tmpfiles.rules = [ "d /srv/api 0700 nginx nginx" "Z /srv/api - nginx nginx" ];
     };
+    systemd.tmpfiles.rules = [ "d /srv/api 0700 nginx nginx" "Z /srv/api - nginx nginx" ];
+  };
 }

modules/services/httpua.nix

@@ -14,7 +14,10 @@ inputs:
     {
       phpfpm.instances.httpua = {};
       nginx.http.${httpua.hostname}.php =
-        { root = "${./.}"; fastcgiPass = inputs.config.nixos.services.phpfpm.instances.httpua.fastcgi; };
+      {
+        root = builtins.toString (inputs.pkgs.writeTextDir "index.php" "<?php echo $_SERVER['HTTP_USER_AGENT']; ?>");
+        fastcgiPass = inputs.config.nixos.services.phpfpm.instances.httpua.fastcgi;
+      };
     };
   };
 }

modules/services/httpua/index.php

@@ -1 +0,0 @@
-<?php echo $_SERVER['HTTP_USER_AGENT']; ?>

modules/services/huginn.nix

@@ -15,43 +15,38 @@ inputs:
       image = "ghcr.io/huginn/huginn:latest";
       imageFile = inputs.topInputs.self.src.huginn;
       ports = [ "127.0.0.1:3000:3000/tcp" ];
-      extraOptions = [ "--add-host=host.docker.internal:host-gateway" ];
-      environmentFiles = [ inputs.config.sops.templates."huginn/env".path ];
-    };
-    sops =
-    {
-      templates."huginn/env".content = let placeholder = inputs.config.sops.placeholder; in
-      ''
-        MYSQL_PORT_3306_TCP_ADDR=host.docker.internal
-        HUGINN_DATABASE_NAME=huginn
-        HUGINN_DATABASE_USERNAME=huginn
-        HUGINN_DATABASE_PASSWORD=${placeholder."mariadb/huginn"}
-        DOMAIN=${huginn.hostname}
-        RAILS_ENV=production
-        FORCE_SSL=true
-        INVITATION_CODE=${placeholder."huginn/invitationCode"}
-        SMTP_DOMAIN=mail.chn.moe
-        SMTP_USER_NAME=bot@chn.moe
-        SMTP_PASSWORD="${placeholder."mail/bot"}"
-        SMTP_SERVER=mail.chn.moe
-        SMTP_SSL=true
-        EMAIL_FROM_ADDRESS=bot@chn.moe
-        TIMEZONE=Beijing
-        DO_NOT_CREATE_DATABASE=true
-      '';
-      secrets = { "huginn/invitationCode" = {}; "mail/bot" = {}; };
+      environmentFiles = [ inputs.config.nixos.system.sops.templates."huginn/env".path ];
     };
     nixos =
     {
       services =
       {
-        nginx =
-        {
-          enable = true;
-          https.${huginn.hostname}.location."/".proxy = { upstream = "http://127.0.0.1:3000"; websocket = true; };
-        };
+        nginx.https.${huginn.hostname}.location."/".proxy = { upstream = "http://127.0.0.1:3000"; websocket = true; };
         mariadb.instances.huginn = {};
-        docker = {};
+        podman = {};
+      };
+      system.sops =
+      {
+        templates."huginn/env".content = let inherit (inputs.config.nixos.system.sops) placeholder; in
+        ''
+          MYSQL_PORT_3306_TCP_ADDR=host.containers.internal
+          HUGINN_DATABASE_NAME=huginn
+          HUGINN_DATABASE_USERNAME=huginn
+          HUGINN_DATABASE_PASSWORD=${placeholder."mariadb/huginn"}
+          DOMAIN=${huginn.hostname}
+          RAILS_ENV=production
+          FORCE_SSL=true
+          INVITATION_CODE=${placeholder."huginn/invitationCode"}
+          SMTP_DOMAIN=mail.chn.moe
+          SMTP_USER_NAME=bot@chn.moe
+          SMTP_PASSWORD="${placeholder."mail/bot"}"
+          SMTP_SERVER=mail.chn.moe
+          SMTP_SSL=true
+          EMAIL_FROM_ADDRESS=bot@chn.moe
+          TIMEZONE=Beijing
+          DO_NOT_CREATE_DATABASE=true
+        '';
+        secrets = { "huginn/invitationCode" = {}; "mail/bot" = {}; };
       };
     };
   };

modules/services/kvm.nix

@@ -5,21 +5,17 @@ inputs:
     type = types.nullOr (types.submodule { options =
     {
       nodatacow = mkOption { type = types.bool; default = false; };
-      autoSuspend = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
+      aarch64 = mkOption { type = types.bool; default = false; };
     };});
     default = null;
   };
   config = let inherit (inputs.config.nixos.services) kvm; in inputs.lib.mkIf (kvm != null)
   {
     nix.settings.system-features = [ "kvm" ];
-    boot =
+    boot = let inherit (inputs.config.nixos.hardware) cpu; in
     {
-      kernelModules = 
-        let modules = { intel = [ "kvm-intel" ]; amd = []; };
-        in builtins.concatLists (builtins.map (cpu: modules.${cpu}) inputs.config.nixos.hardware.cpus);
-      extraModprobeConfig =
-        let configs = { intel = "options kvm_intel nested=1"; amd = ""; };
-        in builtins.concatStringsSep "\n" (builtins.map (cpu: configs.${cpu}) inputs.config.nixos.hardware.cpus);
+      kernelModules = { intel = [ "kvm-intel" ]; amd = []; }.${cpu};
+      extraModprobeConfig = { intel = "options kvm_intel nested=1"; amd = ""; }.${cpu};
     };
     virtualisation =
     {
@@ -33,7 +29,8 @@ inputs:
         parallelShutdown = 4;
         qemu =
         {
-          ovmf.packages = with inputs.pkgs; [ OVMF.fd pkgsCross.aarch64-multiplatform.OVMF.fd ];
+          ovmf.packages = with inputs.pkgs;
+            ([ OVMF.fd ] ++ inputs.lib.optionals kvm.aarch64 [ pkgsCross.aarch64-multiplatform.OVMF.fd ]);
           swtpm.enable = true;
         };
       };
@@ -43,82 +40,17 @@ inputs:
     {
       persistence."/nix/nodatacow".directories = inputs.lib.mkIf kvm.nodatacow
         [{ directory = "/var/lib/libvirt/images"; mode = "0711"; }];
-      systemPackages = with inputs.pkgs; [ qemu_full win-spice guestfs-tools virt-manager virt-viewer ];
+      systemPackages = with inputs.pkgs;
+        [ win-spice guestfs-tools virt-manager virt-viewer inputs.config.virtualisation.libvirtd.qemu.package ];
     };
-    systemd =
-    {
-      services =
-        let
-          virsh = "${inputs.pkgs.libvirt}/bin/virsh";
-          hibernate = inputs.pkgs.writeShellScript "libvirt-hibernate"
-          ''
-            if [ "$(LANG=C ${virsh} domstate $1)" = 'running' ]
-            then
-              if ${virsh} dompmsuspend "$1" disk
-              then
-                echo "Waiting for $1 to suspend"
-                while ! [ "$(LANG=C ${virsh} domstate $1)" = 'shut off' ]
-                do
-                  sleep 1
-                done
-                echo "$1 suspended"
-                touch "/tmp/libvirt.$1.suspended"
-              else
-                echo "Failed to suspend $1"
-              fi
-            fi
-          '';
-          resume = inputs.pkgs.writeShellScript "libvirt-resume"
-          ''
-            if [ "$(LANG=C ${virsh} domstate $1)" = 'shut off' ] && [ -f "/tmp/libvirt.$1.suspended" ]
-            then
-              if ${virsh} start "$1"
-              then
-                echo "Waiting for $1 to resume"
-                while ! [ "$(LANG=C ${virsh} domstate $1)" = 'running' ]
-                do
-                  sleep 1
-                done
-                echo "$1 resumed"
-                rm "/tmp/libvirt.$1.suspended"
-              else
-                echo "Failed to resume $1"
-              fi
-            fi
-          '';
-          makeHibernate = machine:
-          {
-            name = "libvirt-hibernate-${machine}";
-            value =
-            {
-              description = "libvirt hibernate ${machine}";
-              wantedBy = [ "systemd-hibernate.service" "systemd-suspend.service" ];
-              before = [ "systemd-hibernate.service" "systemd-suspend.service" ];
-              serviceConfig = { Type = "oneshot"; ExecStart = "${hibernate} ${machine}"; };
-            };
-          };
-          makeResume = machine:
-          {
-            name = "libvirt-resume-${machine}";
-            value =
-            {
-              description = "libvirt resume ${machine}";
-              wantedBy = [ "systemd-hibernate.service" "systemd-suspend.service" ];
-              after = [ "systemd-hibernate.service" "systemd-suspend.service" ];
-              serviceConfig = { Type = "oneshot"; ExecStart = "${resume} ${machine}"; };
-            };
-          };
-          makeServices = serviceFunction: builtins.map serviceFunction kvm.autoSuspend;
-        in builtins.listToAttrs (makeServices makeHibernate ++ makeServices makeResume);
-      mounts =
-      [{
-        what = "${inputs.topInputs.nixvirt.lib.guest-install.virtio-win.iso}";
-        where = "/var/lib/libvirt/images/virtio-win.iso";
-        options = "bind";
-        wantedBy = [ "local-fs.target" ];
-      }];
-    };
-    # workaround a libvirt bug
+    systemd.mounts =
+    [{
+      what = "${inputs.topInputs.nixvirt.lib.guest-install.virtio-win.iso}";
+      where = "/var/lib/libvirt/images/virtio-win.iso";
+      options = "bind";
+      wantedBy = [ "local-fs.target" ];
+    }];
+    # libvirt does not setup "allow udp {53, 67}" by default
     # https://github.com/NixOS/nixpkgs/issues/263359#issuecomment-1987267279
     networking.firewall.interfaces."virbr*".allowedUDPPorts = [ 53 67 ];
     hardware.ksm.enable = true;

modules/services/lumericalLicenseManager/Dockerfile

@@ -0,0 +1,26 @@
+# 大概这样做：
+# cp -r ~/repo/stuff/44/Lumerical_Suite_2023_R1_CentOS/{LicenseManager,Crack,License} .
+# podman build .
+# podman image save --format oci-archive 6803f9562b941c23db81a2eae5914561f96fa748536199a010fe6f24922b2878 -o image.tar
+# singularity build image.sif oci-archive://image.tar
+# nix store add-file ./image.tar --name lumericalLicenseManager.tar
+# nix hash file /nix/store/v626n153vdr8sib52623gx1ych8zfsa6-lumericalLicenseManager.tar
+# nix store add-file ./image.sif --name lumericalLicenseManager.sif
+# nix hash file /nix/store/wr4i09smarzwyn1g2jhxlpkxghcwa01l-lumericalLicenseManager.sif
+
+FROM centos:7
+
+USER root
+
+COPY ./LicenseManager /tmp/LicenseManager
+RUN chmod +x /tmp/LicenseManager/INSTALL && \
+  /tmp/LicenseManager/INSTALL -silent -install_dir /home/ansys_inc -lm && \
+  rm -rf /tmp/LicenseManager
+COPY ./Crack/ansys_inc/ /home/ansys_inc
+# RUN sed -i "s|127.0.0.1|0.0.0.0|g" /home/ansys_inc/shared_files/licensing/tools/tomcat/conf/server.xml
+RUN chmod -R 777 /home/ansys_inc
+RUN ln -s ld-linux-x86-64.so.2 /lib64/ld-lsb-x86-64.so.3
+COPY ./License/license.txt /home/ansys_inc/shared_files/licensing/license_files/ansyslmd.lic
+
+WORKDIR /home/ansys_inc/shared_files/licensing
+CMD ["/bin/sh", "-c", "(./start_ansysli &); (./start_lmcenter &); tail -f /dev/null"]

modules/services/lumericalLicenseManager/default.nix

@@ -0,0 +1,37 @@
+inputs:
+{
+  options.nixos.services.lumericalLicenseManager = let inherit (inputs.lib) mkOption types; in mkOption
+  {
+    type = types.nullOr (types.submodule { options =
+    {
+      macAddress = mkOption
+      {
+        type = types.str;
+        default = if inputs.config.nixos.system.network != null then "00:01:23:45:67:89" else null;
+      };
+      createFakeInterface = mkOption { type = types.bool; default = inputs.config.nixos.system.network != null; };
+    };});
+    default = null;
+  };
+  config = let inherit (inputs.config.nixos.services) lumericalLicenseManager;
+    in inputs.lib.mkIf (lumericalLicenseManager != null)
+  {
+    virtualisation.oci-containers.containers.lumericalLicenseManager =
+    {
+      inherit (inputs.topInputs.self.src.lumerical.licenseManager) image imageFile;
+      extraOptions = [ "--network=host" ];
+      volumes =
+        let
+          macAddress = builtins.replaceStrings [ ":" ] [ "" ] lumericalLicenseManager.macAddress;
+          license = inputs.pkgs.localPackages.lumerical.license.override { inherit macAddress; };
+        in [ "${license}:/home/ansys_inc/shared_files/licensing/license_files/ansyslmd.lic" ];
+    };
+    nixos.services.podman = {};
+    systemd.network = inputs.lib.mkIf lumericalLicenseManager.createFakeInterface
+    {
+      netdevs.ensFakeLumerical.netdevConfig = { Kind = "dummy"; Name = "ensFakeLumerical"; };
+      networks."10-ensFakeLumerical" =
+        { matchConfig.Name = "ensFakeLumerical"; linkConfig.MACAddress = lumericalLicenseManager.macAddress; };
+    };
+  };
+}

modules/services/mariadb.nix

@@ -40,13 +40,13 @@ inputs:
         let
           passwordFile =
             if db.value.passwordFile or null != null then db.value.passwordFile
-            else inputs.config.sops.secrets."mariadb/${db.value.user}".path;
+            else inputs.config.nixos.system.sops.secrets."mariadb/${db.value.user}".path;
           mysql = "${inputs.config.services.mysql.package}/bin/mysql";
         in
           # force user use password auth
           ''echo "ALTER USER '${db.value.user}' IDENTIFIED BY '$(cat ${passwordFile})';" | ${mysql} -N'')
       (inputs.localLib.attrsToList mariadb.instances)));
-    sops.secrets = builtins.listToAttrs (builtins.map
+    nixos.system.sops.secrets = builtins.listToAttrs (builtins.map
       (db: { name = "mariadb/${db.value.user}"; value.owner = inputs.config.users.users.mysql.name; })
       (builtins.filter (db: db.value.passwordFile == null) (inputs.localLib.attrsToList mariadb.instances)));
     environment.persistence."/nix/nodatacow".directories =

modules/services/mirism.nix

@@ -1,75 +1,60 @@
 inputs:
 {
-  options.nixos.services.mirism = let inherit (inputs.lib) mkOption types; in
+  options.nixos.services.mirism = let inherit (inputs.lib) mkOption types; in mkOption
+    { type = types.nullOr (types.submodule {}); default = null; };
+  config = let inherit (inputs.config.nixos.services) mirism; in inputs.lib.mkIf (mirism != null)
   {
-    enable = mkOption { type = types.bool; default = false; };
-  };
-  config =
-    let
-      inherit (inputs.config.nixos.services) mirism;
-      inherit (inputs.lib) mkIf;
-      inherit (builtins) map listToAttrs toString concatLists;
-    in mkIf mirism.enable
+    users =
     {
-      users =
-      {
-        users.mirism = { uid = inputs.config.nixos.user.uid.mirism; group = "mirism"; isSystemUser = true; };
-        groups.mirism.gid = inputs.config.nixos.user.gid.mirism;
-      };
-      systemd =
-      {
-        services = listToAttrs (map
-          (instance:
-          {
-            name = "mirism-${instance}";
-            value =
-            {
-              description = "mirism ${instance}";
-              after = [ "network.target" ];
-              wantedBy = [ "multi-user.target" ];
-              serviceConfig =
-              {
-                User = inputs.config.users.users.mirism.name;
-                Group = inputs.config.users.users.mirism.group;
-                ExecStart = "${inputs.pkgs.localPackages.mirism-old}/bin/${instance}";
-                RuntimeMaxSec = "1d";
-                Restart = "always";
-              };
-            };
-          })
-          [ "ng01" "beta" ]);
-        tmpfiles.rules = concatLists (map
-          (dir: [ "d /srv/${dir}mirism 0700 nginx nginx" "Z /srv/${dir}mirism - nginx nginx" ])
-          [ "" "entry." ]);
-      };
-      nixos.services =
-      {
-        nginx =
-        {
-          enable = true;
-          transparentProxy.map = { "ng01.mirism.one" = 7411; "beta.mirism.one" = 9114; };
-          https = listToAttrs (map
-            (instance:
-            {
-              name = "${instance}mirism.one";
-              value.location."/".static = { root = "/srv/${instance}mirism"; index = [ "index.html" ]; };
-            })
-            [ "entry." "" ]);
-        };
-        acme.cert = { "ng01.mirism.one".group = "mirism"; "beta.mirism.one".group = "mirism"; };
-      };
-      environment.etc = listToAttrs (concatLists (map
-        (instance:
-        [
-          {
-            name = "letsencrypt/live/${instance}.mirism.one/fullchain.pem";
-            value.source = "${inputs.config.security.acme.certs."${instance}.mirism.one".directory}/fullchain.pem";
-          }
-          {
-            name = "letsencrypt/live/${instance}.mirism.one/privkey.pem";
-            value.source = "${inputs.config.security.acme.certs."${instance}.mirism.one".directory}/key.pem";
-          }
-        ])
-        [ "ng01" "beta" ]));
+      users.mirism = { uid = inputs.config.nixos.user.uid.mirism; group = "mirism"; isSystemUser = true; };
+      groups.mirism.gid = inputs.config.nixos.user.gid.mirism;
     };
+    systemd =
+    {
+      services = builtins.listToAttrs (builtins.map
+        (instance:
+        {
+          name = "mirism-${instance}";
+          value =
+          {
+            description = "mirism ${instance}";
+            after = [ "network.target" ];
+            wantedBy = [ "multi-user.target" ];
+            serviceConfig =
+            {
+              User = inputs.config.users.users.mirism.name;
+              Group = inputs.config.users.users.mirism.group;
+              ExecStart = "${inputs.pkgs.localPackages.mirism-old}/bin/${instance}";
+              RuntimeMaxSec = "1d";
+              Restart = "always";
+            };
+          };
+        })
+        [ "ng01" "beta" ]);
+      tmpfiles.rules = builtins.concatLists (builtins.map
+        (dir: [ "d /srv/${dir}mirism 0700 nginx nginx" "Z /srv/${dir}mirism - nginx nginx" ])
+        [ "" "entry." ]);
+    };
+    nixos.services =
+    {
+      nginx =
+      {
+        transparentProxy.map = { "ng01.mirism.one" = 7411; "beta.mirism.one" = 9114; };
+        https = builtins.listToAttrs (builtins.map
+          (instance: inputs.lib.nameValuePair "${instance}mirism.one"
+            { location."/".static = { root = "/srv/${instance}mirism"; index = [ "index.html" ]; }; })
+          [ "entry." "" ]);
+      };
+      acme.cert = { "ng01.mirism.one".group = "mirism"; "beta.mirism.one".group = "mirism"; };
+    };
+    environment.etc = builtins.listToAttrs (builtins.concatLists (builtins.map
+      (instance:
+      [
+        (inputs.lib.nameValuePair "letsencrypt/live/${instance}.mirism.one/fullchain.pem"
+          { source = "${inputs.config.security.acme.certs."${instance}.mirism.one".directory}/fullchain.pem"; })
+        (inputs.lib.nameValuePair "letsencrypt/live/${instance}.mirism.one/privkey.pem"
+          { source = "${inputs.config.security.acme.certs."${instance}.mirism.one".directory}/key.pem"; })
+      ])
+      [ "ng01" "beta" ]));
+  };
 }

modules/services/misskey.nix

@@ -22,7 +22,8 @@ inputs:
           after = [ "network.target" "redis-misskey-${instance.name}.service" "postgresql.service" ];
           requires = after;
           wantedBy = [ "multi-user.target" ];
-          environment.MISSKEY_CONFIG_YML = inputs.config.sops.templates."misskey/${instance.name}.yml".path;
+          environment.MISSKEY_CONFIG_YML =
+            inputs.config.nixos.system.sops.templates."misskey/${instance.name}.yml".path;
           serviceConfig = rec
           {
             User = "misskey-${instance.name}";
@@ -53,50 +54,6 @@ inputs:
         };
       })
       (inputs.localLib.attrsToList misskey.instances));
-    sops.templates = builtins.listToAttrs (builtins.map
-      (instance:
-      {
-        name = "misskey/${instance.name}.yml";
-        value =
-        {
-          content =
-            let
-              placeholder = inputs.config.sops.placeholder;
-              redis = inputs.config.nixos.services.redis.instances."misskey-${instance.name}";
-            in
-            ''
-              url: https://${instance.value.hostname}/
-              port: ${toString instance.value.port}
-              db:
-                host: 127.0.0.1
-                port: 5432
-                db: misskey_${builtins.replaceStrings [ "-" ] [ "_" ] instance.name}
-                user: misskey_${builtins.replaceStrings [ "-" ] [ "_" ] instance.name}
-                pass: ${placeholder."postgresql/misskey_${builtins.replaceStrings [ "-" ] [ "_" ] instance.name}"}
-                extra:
-                  statement_timeout: 600000
-              dbReplications: false
-              redis:
-                host: 127.0.0.1
-                port: ${builtins.toString redis.port}
-                pass: ${placeholder."redis/misskey-${instance.name}"}
-              id: 'aid'
-              proxyBypassHosts:
-                - api.deepl.com
-                - api-free.deepl.com
-                - www.recaptcha.net
-                - hcaptcha.com
-                - challenges.cloudflare.com
-              proxyRemoteFiles: true
-              signToActivityPubGet: true
-              maxFileSize: 1073741824
-              fulltextSearch:
-                provider: sqlPgroonga
-            '';
-          owner = "misskey-${instance.name}";
-        };
-      })
-      (inputs.localLib.attrsToList misskey.instances));
     users = inputs.lib.mkMerge (builtins.map
       (instance:
       {
@@ -111,18 +68,17 @@ inputs:
         groups."misskey-${instance.name}".gid = inputs.config.nixos.user.gid."misskey-${instance.name}";
       })
       (inputs.localLib.attrsToList misskey.instances));
-    nixos.services =
+    nixos =
     {
-      redis.instances = builtins.listToAttrs (builtins.map
-        (instance: { name = "misskey-${instance.name}"; value.port = instance.value.redis.port; })
-        (inputs.localLib.attrsToList misskey.instances));
-      postgresql.instances = builtins.listToAttrs (builtins.map
-        (instance: { name = "misskey_${builtins.replaceStrings [ "-" ] [ "_" ] instance.name}"; value = {}; })
-        (inputs.localLib.attrsToList misskey.instances));
-      nginx =
+      services =
       {
-        enable = inputs.lib.mkIf (misskey.instances != {}) true;
-        https = builtins.listToAttrs (builtins.map
+        redis.instances = builtins.listToAttrs (builtins.map
+          (instance: { name = "misskey-${instance.name}"; value.port = instance.value.redis.port; })
+          (inputs.localLib.attrsToList misskey.instances));
+        postgresql.instances = builtins.listToAttrs (builtins.map
+          (instance: { name = "misskey_${builtins.replaceStrings [ "-" ] [ "_" ] instance.name}"; value = {}; })
+          (inputs.localLib.attrsToList misskey.instances));
+        nginx.https = builtins.listToAttrs (builtins.map
           (instance: with instance.value;
           {
             name = hostname;
@@ -130,6 +86,50 @@ inputs:
           })
           (inputs.localLib.attrsToList misskey.instances));
       };
+      system.sops.templates = builtins.listToAttrs (builtins.map
+        (instance:
+        {
+          name = "misskey/${instance.name}.yml";
+          value =
+          {
+            content =
+              let
+                placeholder = inputs.config.nixos.system.sops.placeholder;
+                redis = inputs.config.nixos.services.redis.instances."misskey-${instance.name}";
+              in
+              ''
+                url: https://${instance.value.hostname}/
+                port: ${toString instance.value.port}
+                db:
+                  host: 127.0.0.1
+                  port: 5432
+                  db: misskey_${builtins.replaceStrings [ "-" ] [ "_" ] instance.name}
+                  user: misskey_${builtins.replaceStrings [ "-" ] [ "_" ] instance.name}
+                  pass: ${placeholder."postgresql/misskey_${builtins.replaceStrings [ "-" ] [ "_" ] instance.name}"}
+                  extra:
+                    statement_timeout: 600000
+                dbReplications: false
+                redis:
+                  host: 127.0.0.1
+                  port: ${builtins.toString redis.port}
+                  pass: ${placeholder."redis/misskey-${instance.name}"}
+                id: 'aid'
+                proxyBypassHosts:
+                  - api.deepl.com
+                  - api-free.deepl.com
+                  - www.recaptcha.net
+                  - hcaptcha.com
+                  - challenges.cloudflare.com
+                proxyRemoteFiles: true
+                signToActivityPubGet: true
+                maxFileSize: 1073741824
+                fulltextSearch:
+                  provider: sqlPgroonga
+              '';
+            owner = "misskey-${instance.name}";
+          };
+        })
+        (inputs.localLib.attrsToList misskey.instances));
     };
   };
 }

modules/services/nextcloud.nix

@@ -21,9 +21,9 @@ inputs:
       config =
       {
         dbtype = "pgsql";
-        dbpassFile = inputs.config.sops.secrets."nextcloud/postgresql".path;
+        dbpassFile = inputs.config.nixos.system.sops.secrets."nextcloud/postgresql".path;
         adminuser = "admin";
-        adminpassFile = inputs.config.sops.secrets."nextcloud/admin".path;
+        adminpassFile = inputs.config.nixos.system.sops.secrets."nextcloud/admin".path;
       };
       configureRedis = true;
       settings =
@@ -39,7 +39,7 @@ inputs:
         overwriteprotocol = "https";
         default_phone_region = "CN";
       };
-      secretFile = inputs.config.sops.templates."nextcloud/secret".path;
+      secretFile = inputs.config.nixos.system.sops.templates."nextcloud/secret".path;
       extraApps =
         let
           version = inputs.lib.versions.major inputs.config.services.nextcloud.package.version;
@@ -59,27 +59,30 @@ inputs:
           (package: { name = package; value = inputs.pkgs.fetchNextcloudApp (getInfo package); })
           [ "phonetrack" "twofactor_webauthn" "calendar" ]);
     };
-    nixos.services =
+    nixos =
     {
-      postgresql.instances.nextcloud = {};
-      redis.instances.nextcloud.port = 3499;
-      nginx = { enable = true; https.${nextcloud.hostname}.global.configName = nextcloud.hostname; };
-    };
-    sops =
-    {
-      templates."nextcloud/secret" =
+      system.sops =
       {
-        content = builtins.toJSON
+        templates."nextcloud/secret" =
         {
-          redis.password = inputs.config.sops.placeholder."redis/nextcloud";
-          mail_smtppassword = inputs.config.sops.placeholder."mail/bot";
+          content = builtins.toJSON
+          {
+            redis.password = inputs.config.nixos.system.sops.placeholder."redis/nextcloud";
+            mail_smtppassword = inputs.config.nixos.system.sops.placeholder."mail/bot";
+          };
+          owner = inputs.config.users.users.nextcloud.name;
+        };
+        secrets =
+        {
+          "nextcloud/postgresql" = { key = "postgresql/nextcloud"; owner = inputs.config.users.users.nextcloud.name; };
+          "nextcloud/admin".owner = inputs.config.users.users.nextcloud.name;
         };
-        owner = inputs.config.users.users.nextcloud.name;
       };
-      secrets =
+      services =
       {
-        "nextcloud/postgresql" = { key = "postgresql/nextcloud"; owner = inputs.config.users.users.nextcloud.name; };
-        "nextcloud/admin".owner = inputs.config.users.users.nextcloud.name;
+        postgresql.instances.nextcloud = {};
+        redis.instances.nextcloud.port = 3499;
+        nginx.https.${nextcloud.hostname}.global.configName = nextcloud.hostname;
       };
     };
     systemd.services.nextcloud-setup = rec { requires = [ "postgresql.service" ]; after = requires; };

modules/services/nfs.nix

@@ -1,20 +1,16 @@
 inputs:
 {
   options.nixos.services.nfs = let inherit (inputs.lib) mkOption types; in mkOption
-    { type = types.attrsOf types.nonEmptyStr; default = {}; }; # export = accessLimit
+    { type = types.attrsOf (types.nonEmptyListOf types.nonEmptyStr); default = {}; }; # export = accessLimit
   config = let inherit (inputs.config.nixos.services) nfs; in inputs.lib.mkIf (nfs != {})
   {
-    services =
+    services.nfs.server =
     {
-      rpcbind.enable = true;
-      nfs.server =
-      {
-        enable = true;
-        exports = builtins.concatStringsSep "\n" (builtins.map
-          (export: "${export.name} ${export.value}(rw,no_root_squash,sync,crossmnt)")
-          (inputs.localLib.attrsToList nfs));
-      };
+      enable = true;
+      exports =
+        let clientString = clients: builtins.concatStringsSep " " (builtins.map
+          (client: "${client}(rw,no_root_squash,sync,crossmnt)") clients);
+        in inputs.lib.concatLines (inputs.lib.mapAttrsToList (n: v: "${n} ${clientString v}") nfs);
     };
-    networking.firewall.allowedTCPPorts = [ 2049 ];
   };
 }

modules/services/nginx/applications/main.nix

@@ -1,23 +1,13 @@
 inputs:
 {
-  options.nixos.services.nginx.applications.main = let inherit (inputs.lib) mkOption types; in
+  options.nixos.services.nginx.applications.main = let inherit (inputs.lib) mkOption types; in mkOption
+    { type = types.nullOr (types.submodule {}); default = null; };
+  config = let inherit (inputs.config.nixos.services.nginx.applications) main; in inputs.lib.mkIf (main != null)
   {
-    enable = mkOption { type = types.bool; default = false; };
-  };
-  config =
-    let
-      inherit (inputs.config.nixos.services.nginx.applications) main;
-      inherit (inputs.lib) mkIf;
-    in mkIf main.enable
+    nixos.services.nginx.https."chn.moe".location =
     {
-      nixos.services.nginx.https."chn.moe".location =
-      {
-        "/".return.return = "302 https://xn--s8w913fdga.chn.moe/@chn";
-        "/.well-known/matrix/server".proxy =
-        {
-          setHeaders.Host = "matrix.chn.moe";
-          upstream = "https://matrix.chn.moe";
-        };
-      };
+      "/".return.return = "302 https://xn--s8w913fdga.chn.moe/@chn";
+      "/.well-known/matrix/server".proxy = { setHeaders.Host = "matrix.chn.moe"; upstream = "https://matrix.chn.moe"; };
     };
+  };
 }

modules/services/nginx/default.nix

@@ -3,7 +3,6 @@ inputs:
   imports = inputs.localLib.findModules ./.;
   options.nixos.services.nginx = let inherit (inputs.lib) mkOption types; in
   {
-    enable = mkOption { type = types.bool; default = false; };
     # transparentProxy -> https(with proxyProtocol) or transparentProxy -> streamProxy -> https(with proxyProtocol)
     # https without proxyProtocol listen on private ip, with proxyProtocol listen on all ip
     # streamProxy listen on private ip
@@ -16,825 +15,99 @@ inputs:
       {
         httpsPort = 3065;
         httpsPortShift = { http2 = 1; proxyProtocol = 2; };
-        httpsLocationTypes = [ "proxy" "static" "php" "return" "cgi" "alias" ];
-        httpTypes = [ "rewriteHttps" "php" ];
+        httpsLocationTypes = [ "proxy" "static" "php" "return" "alias" ];
+        httpTypes = [ "rewriteHttps" "php" "proxy" ];
         streamPort = 5575;
-        streamPortShift = { proxyProtocol = 1; };
+        streamPortShift.proxyProtocol = 1;
       };
     };
-    transparentProxy =
-    {
-      # only disable in some rare cases
-      enable = mkOption { type = types.bool; default = true; };
-      externalIp = mkOption { type = types.listOf types.nonEmptyStr; default = [ "0.0.0.0" ]; };
-      # proxy to 127.0.0.1:${specified port}
-      map = mkOption
-      {
-        type = types.attrsOf (types.oneOf
-        [
-          # proxy to 127.0.0.1:${specified port}
-          types.ints.unsigned
-          # proxy to specified ip:port
-          types.nonEmptyStr
-        ]);
-        default = {};
-      };
-    };
-    streamProxy =
-    {
-      map = mkOption
-      {
-        type = types.attrsOf (types.oneOf
-        [
-          # proxy to specified ip:port without proxyProtocol
-          types.nonEmptyStr
-          (types.submodule { options =
-          {
-            upstream = mkOption
-            {
-              type = types.oneOf
-              [
-                # proxy to specified ip:port with or without proxyProtocol
-                types.nonEmptyStr
-                (types.submodule { options =
-                {
-                  address = mkOption { type = types.nonEmptyStr; default = "127.0.0.1"; };
-                  # if port not specified, guess from proxyProtocol enabled or not, assume http2 enabled
-                  port = mkOption { type = types.nullOr types.ints.unsigned; default = null; };
-                };})
-              ];
-              default = {};
-            };
-            proxyProtocol = mkOption { type = types.bool; default = true; };
-            addToTransparentProxy = mkOption { type = types.bool; default = true; };
-            rewriteHttps = mkOption { type = types.bool; default = true; };
-          };})
-        ]);
-        default = {};
-      };
-    };
-    https = mkOption
-    {
-      type = types.attrsOf (types.submodule (siteSubmoduleInputs: { options =
-      {
-        global =
-        {
-          configName = mkOption
-          {
-            type = types.nonEmptyStr;
-            default = "https:${siteSubmoduleInputs.config._module.args.name}";
-          };
-          root = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
-          index = mkOption
-          {
-            type = types.nullOr (types.oneOf [ (types.enum [ "auto" ]) (types.nonEmptyListOf types.nonEmptyStr) ]);
-            default = null;
-          };
-          charset = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
-          detectAuth = mkOption
-          {
-            type = types.nullOr (types.submodule { options =
-            {
-              text = mkOption { type = types.nonEmptyStr; default = "Restricted Content"; };
-              users = mkOption { type = types.nonEmptyListOf types.nonEmptyStr; };
-            };});
-            default = null;
-          };
-          rewriteHttps = mkOption { type = types.bool; default = true; };
-          tlsCert = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
-        };
-        listen = mkOption
-        {
-          type = types.attrsOf (types.submodule { options =
-          {
-            http2 = mkOption { type = types.bool; default = true; };
-            proxyProtocol = mkOption { type = types.bool; default = true; };
-            # if proxyProtocol not enabled, add to transparentProxy only
-            # if proxyProtocol enabled, add to transparentProxy and streamProxy
-            addToTransparentProxy = mkOption { type = types.bool; default = true; };
-          };});
-          default.main = {};
-        };
-        location = mkOption
-        {
-          type = types.attrsOf (types.submodule { options =
-            let
-              genericOptions =
-              {
-                # should be set to non null value if global root is null
-                root = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
-                detectAuth = mkOption
-                {
-                  type = types.nullOr (types.submodule { options =
-                  {
-                    text = mkOption { type = types.nonEmptyStr; default = "Restricted Content"; };
-                    users = mkOption { type = types.nonEmptyListOf types.nonEmptyStr; };
-                  };});
-                  default = null;
-                };
-              };
-            in
-            {
-              # only one should be specified
-              proxy = mkOption
-              {
-                type = types.nullOr (types.submodule { options =
-                {
-                  inherit (genericOptions) detectAuth;
-                  upstream = mkOption { type = types.nonEmptyStr; };
-                  websocket = mkOption { type = types.bool; default = false; };
-                  setHeaders = mkOption
-                  {
-                    type = types.attrsOf types.str;
-                    default.Host = siteSubmoduleInputs.config._module.args.name;
-                  };
-                  # echo -n "username:password" | base64
-                  addAuth = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
-                };});
-                default = null;
-              };
-              static = mkOption
-              {
-                type = types.nullOr (types.submodule { options =
-                {
-                  inherit (genericOptions) detectAuth root;
-                  index = mkOption
-                  {
-                    type = types.nullOr
-                      (types.oneOf [ (types.enum [ "auto" ]) (types.nonEmptyListOf types.nonEmptyStr) ]);
-                    default = null;
-                  };
-                  charset = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
-                  tryFiles = mkOption { type = types.nullOr (types.nonEmptyListOf types.nonEmptyStr); default = null; };
-                  webdav = mkOption { type = types.bool; default = false; };
-                };});
-                default = null;
-              };
-              php = mkOption
-              {
-                type = types.nullOr (types.submodule { options =
-                  { inherit (genericOptions) detectAuth root; fastcgiPass = mkOption { type = types.nonEmptyStr; };};});
-                default = null;
-              };
-              return = mkOption
-              {
-                type = types.nullOr (types.submodule { options =
-                  { return = mkOption { type = types.nonEmptyStr; }; };});
-                default = null;
-              };
-              cgi = mkOption
-              {
-                type = types.nullOr (types.submodule { options = { inherit (genericOptions) detectAuth root; };});
-                default = null;
-              };
-              alias = mkOption
-              {
-                type = types.nullOr (types.submodule { options =
-                {
-                  path = mkOption { type = types.nonEmptyStr; };
-                };});
-                default = null;
-              };
-            };});
-          default = {};
-        };
-      };}));
-      default = {};
-    };
-    http = mkOption
-    {
-      type = types.attrsOf (types.submodule (submoduleInputs: { options =
-      {
-        rewriteHttps = mkOption
-        {
-          type = types.nullOr (types.submodule { options =
-          {
-            hostname = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; }; 
-          };});
-          default = null;
-        };
-        php = mkOption
-        {
-          type = types.nullOr (types.submodule { options =
-            { root = mkOption { type = types.nonEmptyStr; }; fastcgiPass = mkOption { type = types.nonEmptyStr; };};});
-          default = null;
-        };
-        proxy = mkOption
-        {
-          type = types.nullOr (types.submodule { options =
-          {
-            upstream = mkOption { type = types.nonEmptyStr; };
-            websocket = mkOption { type = types.bool; default = false; };
-            setHeaders = mkOption
-            {
-              type = types.attrsOf types.str;
-              default.Host = submoduleInputs.config._module.args.name;
-            };
-          };});
-          default = null;
-        };
-      };}));
-      default = {};
-    };
   };
-  config =
-    let
-      inherit (inputs.localLib) attrsToList;
-      inherit (inputs.config.nixos.services) nginx;
-      inherit (builtins) map listToAttrs concatStringsSep toString filter attrValues concatLists;
-      concatAttrs = list: listToAttrs (concatLists (map (attrs: attrsToList attrs) list));
-    in inputs.lib.mkIf nginx.enable (inputs.lib.mkMerge
-    [
-      # generic config
+  config = let inherit (inputs.config.nixos.services) nginx; in inputs.lib.mkIf
+    (nginx.http != {} || nginx.https != {} || nginx.streamProxy.map != {} || nginx.transparentProxy.map != {})
+  {
+    services =
+    {
+      nginx =
       {
-        services =
-        {
-          nginx =
-          {
-            enable = true;
-            enableReload = true;
-            eventsConfig =
-            ''
-              worker_connections 524288;
-              use epoll;
-            '';
-            commonHttpConfig =
-            ''
-              geoip2 ${inputs.config.services.geoipupdate.settings.DatabaseDirectory}/GeoLite2-Country.mmdb {
-                $geoip2_data_country_code country iso_code;
-              }
-              log_format http '[$time_local] $remote_addr-$geoip2_data_country_code "$host"'
-                ' $request_length $bytes_sent $status "$request" referer: "$http_referer" ua: "$http_user_agent"';
-              access_log syslog:server=unix:/dev/log http;
-              proxy_ssl_server_name on;
-              proxy_ssl_session_reuse off;
-              send_timeout 1d;
-              # nginx will try to redirect https://blog.chn.moe/docs to https://blog.chn.moe:3068/docs/ in default
-              # this make it redirect to /docs/ without hostname
-              absolute_redirect off;
-              # allow realip module to set ip
-              set_real_ip_from 0.0.0.0/0;
-              real_ip_header proxy_protocol;
-            '';
-            proxyTimeout = "1d";
-            recommendedZstdSettings = true;
-            recommendedTlsSettings = true;
-            recommendedProxySettings = true;
-            recommendedOptimisation = true;
-            recommendedGzipSettings = true;
-            recommendedBrotliSettings = true;
-            clientMaxBodySize = "0";
-            package =
-              let
-                nginx-geoip2 =
-                {
-                  name = "ngx_http_geoip2_module";
-                  src = inputs.pkgs.fetchFromGitHub
-                  {
-                    owner = "leev";
-                    repo = "ngx_http_geoip2_module";
-                    rev = "a607a41a8115fecfc05b5c283c81532a3d605425";
-                    hash = "sha256-CkmaeEa1iEAabJEDu3FhBUR7QF38koGYlyx+pyKZV9Y=";
-                  };
-                  meta.license = [];
-                };
-              in
-                (inputs.pkgs.nginxMainline.override (prev: { modules = prev.modules ++ [ nginx-geoip2 ]; }))
-                  .overrideAttrs (prev: { buildInputs = prev.buildInputs ++ [ inputs.pkgs.libmaxminddb ]; });
-            streamConfig =
-            ''
-              geoip2 ${inputs.config.services.geoipupdate.settings.DatabaseDirectory}/GeoLite2-Country.mmdb {
-                $geoip2_data_country_code country iso_code;
-              }
-              resolver 8.8.8.8;
-            '';
-            # todo: use host dns
-            resolver.addresses = [ "8.8.8.8" ];
-          };
-          geoipupdate =
-          {
-            enable = true;
-            settings =
-            {
-              AccountID = 901296;
-              LicenseKey = inputs.config.sops.secrets."nginx/maxmind-license".path;
-              EditionIDs = [ "GeoLite2-ASN" "GeoLite2-City" "GeoLite2-Country" ];
-            };
-          };
-        };
-        networking.firewall.allowedTCPPorts = [ 80 443 ];
-        sops.secrets."nginx/maxmind-license" =
-        {
-          owner = inputs.config.users.users.nginx.name;
-          sopsFile = "${inputs.config.nixos.system.sops.crossSopsDir}/default.yaml";
-        };
-        systemd.services.nginx.serviceConfig =
-        {
-          CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];
-          AmbientCapabilities = [ "CAP_NET_ADMIN" ];
-          LimitNPROC = 65536;
-          LimitNOFILE = 524288;
-        };
-      }
-      # transparentProxy
-      (inputs.lib.mkIf nginx.transparentProxy.enable
-      {
-        services.nginx.streamConfig =
+        enable = true;
+        enableReload = true;
+        eventsConfig =
         ''
-          log_format transparent_proxy '[$time_local] $remote_addr-$geoip2_data_country_code '
-            '"$ssl_preread_server_name"->$transparent_proxy_backend $bytes_sent $bytes_received';
-          map $ssl_preread_server_name $transparent_proxy_backend {
-            ${concatStringsSep "\n    " (builtins.map
-              (x:
-                let upstrem = if builtins.isInt x.value then "127.0.0.1:${builtins.toString x.value}" else x.value;
-                in ''"${x.name}" ${upstrem};'')
-              (attrsToList nginx.transparentProxy.map))}
-            default 127.0.0.1:${toString (with nginx.global; (httpsPort + httpsPortShift.http2))};
-          }
-          server {
-            ${concatStringsSep "\n    " (map (ip: "listen ${ip}:443;") nginx.transparentProxy.externalIp)}
-            ssl_preread on;
-            proxy_bind $remote_addr transparent;
-            proxy_pass $transparent_proxy_backend;
-            proxy_connect_timeout 1s;
-            proxy_socket_keepalive on;
-            proxy_buffer_size 128k;
-            access_log syslog:server=unix:/dev/log transparent_proxy;
-          }
+          worker_connections 524288;
+          use epoll;
         '';
-        # TODO: use existing options
-        systemd.services.nginx-proxy =
-          let
-            ip = "${inputs.pkgs.iproute2}/bin/ip";
-            nft = "${inputs.pkgs.nftables}/bin/nft";
-            nftConfigFile = inputs.pkgs.writeText "nginx.nft"
-            ''
-              table inet nginx {
-                chain output {
-                  type route hook output priority mangle; policy accept;
-                  # 由本机发出、gid 为 nginx、但源地址不是本地监听的地址，说明是透明代理的第一个包，将这个流标记
-                  # 但这个包本身不需要处理，正常路由即可。
-                  meta skgid ${builtins.toString inputs.config.users.groups.nginx.gid} fib saddr type != local \
-                    ct state new counter ct mark set ct mark | 2
-                  # 由本机发出、作为透明代理的回复，它不能按照通常的路由，它需要被打上标记并被路由到本地
-                  # 这对应于透明代理到本地的服务的情况
-                  ct mark & 2 == 2 ct direction reply counter meta mark set meta mark | 2 accept
-                  return
-                }
-                # 还需要处理透明代理到其它机器的情况，它们的回复需要在 prerouting 中标记
-                chain prerouting {
-                  type filter hook prerouting priority mangle; policy accept;
-                  ct mark & 2 == 2 ct direction reply counter meta mark set meta mark | 2 accept
-                  return
-                }
-              }
-            '';
-            start = inputs.pkgs.writeShellScript "nginx-proxy.start"
-            ''
-              ${nft} -f ${nftConfigFile}
-              ${ip} rule add fwmark 2/2 table 200
-              ${ip} route add local 0.0.0.0/0 dev lo table 200
-            '';
-            stop = inputs.pkgs.writeShellScript "nginx-proxy.stop"
-            ''
-              ${nft} delete table inet nginx
-              ${ip} rule del fwmark 2/2 table 200
-              ${ip} route del local 0.0.0.0/0 dev lo table 200
-            '';
-          in
-          {
-            description = "nginx transparent proxy";
-            after = [ "network.target" ];
-            serviceConfig =
-            {
-              Type = "oneshot";
-              RemainAfterExit = true;
-              ExecStart = start;
-              ExecStop = stop;
-            };
-            wants = [ "network.target" ];
-            wantedBy= [ "multi-user.target" ];
-          };
-      })
-      # streamProxy
-      {
-        services.nginx.streamConfig =
+        commonHttpConfig =
         ''
-          log_format stream_proxy '[$time_local] $remote_addr-$geoip2_data_country_code '
-            '"$ssl_preread_server_name"->$stream_proxy_backend $bytes_sent $bytes_received';
-          map $ssl_preread_server_name $stream_proxy_backend {
-            ${concatStringsSep "\n    " (map
-              (x:
-                let
-                  upstream =
-                    if (builtins.typeOf x.value.upstream == "string") then
-                      x.value.upstream
-                    else
-                      let
-                        port = with nginx.global;
-                          if x.value.upstream.port == null then
-                            httpsPort + httpsPortShift.http2
-                              + (if x.value.proxyProtocol then httpsPortShift.proxyProtocol else 0)
-                          else x.value.upstream.port;
-                      in "${x.value.upstream.address}:${toString port}";
-                in ''"${x.name}" "${upstream}";'')
-              (attrsToList nginx.streamProxy.map))}
-          }
-          server {
-            listen 127.0.0.1:${toString nginx.global.streamPort};
-            ssl_preread on;
-            proxy_pass $stream_proxy_backend;
-            proxy_connect_timeout 10s;
-            proxy_socket_keepalive on;
-            proxy_buffer_size 128k;
-            access_log syslog:server=unix:/dev/log stream_proxy;
-          }
-          server {
-            listen 127.0.0.1:${toString (with nginx.global; (streamPort + streamPortShift.proxyProtocol))};
-            proxy_protocol on;
-            ssl_preread on;
-            proxy_pass $stream_proxy_backend;
-            proxy_connect_timeout 10s;
-            proxy_socket_keepalive on;
-            proxy_buffer_size 128k;
-            access_log syslog:server=unix:/dev/log stream_proxy;
+          geoip2 ${inputs.config.services.geoipupdate.settings.DatabaseDirectory}/GeoLite2-Country.mmdb {
+            $geoip2_data_country_code country iso_code;
           }
+          log_format http '[$time_local] $remote_addr-$geoip2_data_country_code "$host"'
+            ' $request_length $bytes_sent $status "$request" referer: "$http_referer" ua: "$http_user_agent"';
+          access_log syslog:server=unix:/dev/log http;
+          proxy_ssl_server_name on;
+          proxy_ssl_session_reuse off;
+          send_timeout 1d;
+          # nginx will try to redirect https://blog.chn.moe/docs to https://blog.chn.moe:3068/docs/ in default
+          # this make it redirect to /docs/ without hostname
+          absolute_redirect off;
+          # allow realip module to set ip
+          set_real_ip_from 0.0.0.0/0;
+          real_ip_header proxy_protocol;
         '';
-        nixos.services.nginx =
-        {
-          transparentProxy.map = listToAttrs
-          (
-            (map
-              (site: { inherit (site) name; value = nginx.global.streamPort; })
-              (filter
-                (site: (!(site.value.proxyProtocol or false) && (site.value.addToTransparentProxy or true)))
-                (attrsToList nginx.streamProxy.map)))
-            ++ (map
-              (site: { inherit (site) name; value = with nginx.global; streamPort + streamPortShift.proxyProtocol; })
-              (filter
-                (site: ((site.value.proxyProtocol or false) && (site.value.addToTransparentProxy or true)))
-                (attrsToList nginx.streamProxy.map)))
-          );
-          http = listToAttrs (map
-            (site: { inherit (site) name; value.rewriteHttps = {}; })
-            (filter (site: site.value.rewriteHttps or false) (attrsToList nginx.streamProxy.map)));
-        };
-      }
-      # https assertions
-      {
-        # only one type should be specified in each location
-        assertions =
-        (
-          (map
-            (location:
-            {
-              assertion = (inputs.lib.count
-                (x: x != null)
-                (map (type: location.value.${type}) nginx.global.httpsLocationTypes)) <= 1;
-              message = "Only one type shuold be specified in ${location.name}";
-            })
-            (concatLists (map
-              (site: (map
-                (location: { inherit (location) value; name = "${site.name} ${location.name}"; })
-                (attrsToList site.value.location)))
-              (attrsToList nginx.https))))
-          # root should be specified either in global or in each location
-          ++ (map
-            (location:
-            {
-              assertion = (location.value.root or "") != null;
-              message = "Root should be specified in ${location.name}";
-            })
-            (concatLists (map
-              (site: (map
-                  (location: { inherit (location) value; name = "${site.name} ${location.name}"; })
-                  (attrsToList site.value.location)))
-              (filter (site: site.value.global.root == null) (attrsToList nginx.https)))))
-        );
-      }
-      # https
-      (
-        let
-          # merge different types of locations
-          sites = map
-            (site:
-            {
-              inherit (site) name;
-              value =
-              {
-                inherit (site.value) global;
-                listens = attrValues site.value.listen;
-                locations = map
-                  (location:
-                  {
-                    inherit (location) name;
-                    value = 
-                      let _ = builtins.head (filter (type: type.value != null) (attrsToList location.value));
-                      in _.value // { type = _.name; };
-                  })
-                  (attrsToList site.value.location);
-              };
-            })
-            (attrsToList nginx.https);
-        in
-        {
-          services =
+        proxyTimeout = "1d";
+        recommendedZstdSettings = true;
+        recommendedTlsSettings = true;
+        # do not set Host header
+        recommendedProxySettings = false;
+        recommendedProxySettingsNoHost = true;
+        recommendedOptimisation = true;
+        recommendedGzipSettings = true;
+        recommendedBrotliSettings = true;
+        clientMaxBodySize = "0";
+        package =
+          let nginx-geoip2 =
           {
-            nginx.virtualHosts = listToAttrs (map
-              (site:
-              {
-                name = site.value.global.configName;
-                value =
-                {
-                  serverName = site.name;
-                  root = inputs.lib.mkIf (site.value.global.root != null) site.value.global.root;
-                  basicAuthFile = inputs.lib.mkIf (site.value.global.detectAuth != null)
-                  (
-                    let secret = "nginx/templates/detectAuth/${inputs.lib.strings.escapeURL site.name}-global";
-                    in inputs.config.sops.templates.${secret}.path
-                  );
-                  extraConfig = concatStringsSep "\n"
-                  (
-                    (
-                      let inherit (site.value.global) index; in
-                        if (builtins.typeOf index == "list") then [ "index ${concatStringsSep " " index};" ]
-                        else if (index == "auto") then [ "autoindex on;" ]
-                        else []
-                    )
-                    ++ (
-                      let inherit (site.value.global) detectAuth; in
-                        if (detectAuth != null) then [ ''auth_basic "${detectAuth.text}"'' ] else []
-                    )
-                    ++ (
-                      let inherit (site.value.global) charset; in
-                        if (charset != null) then [ "charset ${charset};" ] else []
-                    )
-                  );
-                  listen = map
-                    (listen:
-                    {
-                      addr = if listen.proxyProtocol then "0.0.0.0" else "127.0.0.1";
-                      port = with nginx.global; httpsPort
-                        + (if listen.http2 then httpsPortShift.http2 else 0)
-                        + (if listen.proxyProtocol then httpsPortShift.proxyProtocol else 0);
-                      ssl = true;
-                      proxyProtocol = listen.proxyProtocol;
-                      extraParameters = inputs.lib.mkIf listen.http2 [ "http2" ];
-                    })
-                    site.value.listens;
-                  # do not automatically add http2 listen
-                  http2 = false;
-                  onlySSL = true;
-                  useACMEHost = inputs.lib.mkIf (site.value.global.tlsCert == null) site.name;
-                  sslCertificate = inputs.lib.mkIf (site.value.global.tlsCert != null)
-                    "${site.value.global.tlsCert}/fullchain.pem";
-                  sslCertificateKey = inputs.lib.mkIf (site.value.global.tlsCert != null)
-                    "${site.value.global.tlsCert}/privkey.pem";
-                  locations = listToAttrs (map
-                  (location:
-                  {
-                    inherit (location) name;
-                    value =
-                    {
-                      basicAuthFile = inputs.lib.mkIf (location.value.detectAuth or null != null)
-                      (
-                        let
-                          inherit (inputs.lib.strings) escapeURL;
-                          secret = "nginx/templates/detectAuth/${escapeURL site.name}/${escapeURL location.name}";
-                        in inputs.config.sops.templates.${secret}.path
-                      );
-                      root = inputs.lib.mkIf (location.value.root or null != null) location.value.root;
-                    }
-                    // {
-                      proxy =
-                      {
-                        proxyPass = location.value.upstream;
-                        proxyWebsockets = location.value.websocket;
-                        recommendedProxySettings = false;
-                        recommendedProxySettingsNoHost = true;
-                        extraConfig = concatStringsSep "\n"
-                        (
-                          (map
-                            (header: ''proxy_set_header ${header.name} "${header.value}";'')
-                            (attrsToList location.value.setHeaders))
-                          ++ (
-                            if location.value.detectAuth != null || site.value.global.detectAuth != null
-                              then [ "proxy_hide_header Authorization;" ]
-                              else []
-                          )
-                          ++ (
-                            if location.value.addAuth != null then
-                              let authFile = "nginx/templates/addAuth/${location.value.addAuth}";
-                              in [ "include ${inputs.config.sops.templates.${authFile}.path};" ]
-                            else [])
-                        );
-                      };
-                      static =
-                      {
-                        index = inputs.lib.mkIf (builtins.typeOf location.value.index == "list")
-                          (concatStringsSep " " location.value.index);
-                        tryFiles = inputs.lib.mkIf (location.value.tryFiles != null)
-                          (concatStringsSep " " location.value.tryFiles);
-                        extraConfig = inputs.lib.mkMerge
-                        [
-                          (inputs.lib.mkIf (location.value.index == "auto") "autoindex on;")
-                          (inputs.lib.mkIf (location.value.charset != null) "charset ${location.value.charset};")
-                          (inputs.lib.mkIf location.value.webdav
-                          ''
-                            dav_access user:rw group:rw;
-                            dav_methods PUT DELETE MKCOL COPY MOVE;
-                            dav_ext_methods PROPFIND OPTIONS;
-                            create_full_put_path on;
-                          '')
-                        ];
-                      };
-                      php.extraConfig =
-                      ''
-                        fastcgi_pass ${location.value.fastcgiPass};
-                        fastcgi_split_path_info ^(.+\.php)(/.*)$;
-                        fastcgi_param PATH_INFO $fastcgi_path_info;
-                        include ${inputs.config.services.nginx.package}/conf/fastcgi.conf;
-                      '';
-                      return.return = location.value.return;
-                      cgi.extraConfig =
-                      ''
-                        include ${inputs.config.services.nginx.package}/conf/fastcgi.conf;
-                        fastcgi_pass unix:${inputs.config.services.fcgiwrap.socketAddress};
-                        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-                      '';
-                      alias.alias = location.value.path;
-                    }.${location.value.type};
-                  })
-                  site.value.locations);
-                };
-              })
-              sites);
-            fcgiwrap = inputs.lib.mkIf
-            (
-              filter (site: site != []) (map
-                (site: filter (location: location.value.type == "cgi") site.value.locations)
-                sites)
-              != []
-            )
-              (with inputs.config.users.users.nginx; { enable = true; user = name; inherit group; });
-          };
-          nixos.services =
-          {
-            nginx =
-              let
-                # { name = domain; value = listen = { http2 = xxx, proxyProtocol = xxx }; }
-                listens = filter
-                  (listen: listen.value.addToTransparentProxy)
-                  (concatLists (map
-                    (site: map (listen: { inherit (site) name; value = listen; }) site.value.listens)
-                    sites));
-              in
-              {
-                transparentProxy.map = listToAttrs (map
-                  (site:
-                  {
-                    inherit (site) name;
-                    value = with nginx.global; httpsPort + (if site.value.http2 then httpsPortShift.http2 else 0);
-                  })
-                  (filter (listen: !listen.value.proxyProtocol) listens));
-                streamProxy.map = listToAttrs (map
-                  (site:
-                  {
-                    inherit (site) name;
-                    value =
-                    {
-                      upstream.port = with nginx.global; httpsPort + httpsPortShift.proxyProtocol
-                        + (if site.value.http2 then httpsPortShift.http2 else 0);
-                      proxyProtocol = true;
-                      rewriteHttps = inputs.lib.mkDefault false;
-                    };
-                  })
-                  (filter (listen: listen.value.proxyProtocol) listens));
-                http = listToAttrs (map
-                  (site: { inherit (site) name; value.rewriteHttps = {}; })
-                  (filter (site: site.value.global.rewriteHttps) sites));
-              };
-            acme.cert = listToAttrs (map
-              (site: { inherit (site) name; value.group = inputs.config.services.nginx.group; })
-              sites);
-          };
-          sops =
-            let
-              inherit (inputs.lib.strings) escapeURL;
-              detectAuthUsers = concatLists (map
-                (site:
-                (
-                  (map
-                    (location:
-                    {
-                      name = "${escapeURL site.name}/${escapeURL location.name}";
-                      value = location.value.detectAuth.users;
-                    })
-                    (filter (location: location.value.detectAuth or null != null) site.value.locations))
-                  ++ (if site.value.global.detectAuth != null then
-                    [ { name = "${escapeURL site.name}-global"; value = site.value.global.detectAuth.users; } ]
-                    else [])
-                ))
-                sites);
-              addAuth = concatLists (map
-                (site: map
-                  (location:
-                  {
-                    name = "${escapeURL site.name}/${escapeURL location.name}";
-                    value = location.value.addAuth;
-                  })
-                  (filter (location: location.value.addAuth or null != null) site.value.locations)
-                )
-                sites);
-            in
+            name = "ngx_http_geoip2_module";
+            src = inputs.pkgs.fetchFromGitHub
             {
-              templates = listToAttrs
-              (
-                (map
-                  (detectAuth:
-                  {
-                    name = "nginx/templates/detectAuth/${detectAuth.name}";
-                    value =
-                    {
-                      owner = inputs.config.users.users.nginx.name;
-                      content = concatStringsSep "\n" (map
-                        (user: "${user}:{PLAIN}${inputs.config.sops.placeholder."nginx/detectAuth/${user}"}")
-                        detectAuth.value);
-                    };
-                  })
-                  detectAuthUsers)
-                ++ (map
-                  (addAuth:
-                  {
-                    name = "nginx/templates/addAuth/${addAuth.name}";
-                    value =
-                    {
-                      owner = inputs.config.users.users.nginx.name;
-                      content =
-                        let placeholder = inputs.config.sops.placeholder."nginx/addAuth/${addAuth.value}";
-                        in ''proxy_set_header Authorization "Basic ${placeholder}";'';
-                    };
-                  })
-                  addAuth)
-              );
-              secrets = listToAttrs
-              (
-                (map
-                  (secret: { name = "nginx/detectAuth/${secret}"; value = {}; })
-                  (inputs.lib.unique (concatLists (map (detectAuth: detectAuth.value) detectAuthUsers))))
-                ++ (map
-                  (secret: { name = "nginx/addAuth/${secret}"; value = {}; })
-                  (inputs.lib.unique (map (addAuth: addAuth.value) addAuth)))
-              );
+              owner = "leev";
+              repo = "ngx_http_geoip2_module";
+              rev = "a607a41a8115fecfc05b5c283c81532a3d605425";
+              hash = "sha256-CkmaeEa1iEAabJEDu3FhBUR7QF38koGYlyx+pyKZV9Y=";
             };
-        }
-      )
-      # http
+            meta.license = [];
+          };
+          in (inputs.pkgs.nginxMainline.override (prev: { modules = prev.modules ++ [ nginx-geoip2 ]; }))
+              .overrideAttrs (prev: { buildInputs = prev.buildInputs ++ [ inputs.pkgs.libmaxminddb ]; });
+        streamConfig =
+        ''
+          geoip2 ${inputs.config.services.geoipupdate.settings.DatabaseDirectory}/GeoLite2-Country.mmdb {
+            $geoip2_data_country_code country iso_code;
+          }
+          resolver 8.8.8.8;
+        '';
+        # anyway to use host dns?
+        resolver.addresses = [ "8.8.8.8" ];
+      };
+      geoipupdate =
       {
-        assertions = map
-          (site:
-          {
-            assertion = (inputs.lib.count (x: x != null) (map (type: site.value.${type}) nginx.global.httpTypes)) <= 1;
-            message = "Only one type shuold be specified in ${site.name}";
-          })
-          (attrsToList nginx.http);
-        services.nginx.virtualHosts = listToAttrs (map
-          (site:
-          {
-            name = "http.${site.name}";
-            value = { serverName = site.name; listen = [ { addr = "0.0.0.0"; port = 80; } ]; }
-            // (if site.value.rewriteHttps != null then
-              { locations."/".return = "301 https://${site.value.rewriteHttps.hostname}$request_uri"; }
-              else {})
-            // (if site.value.php != null then
-              {
-                extraConfig = "index index.php;";
-                root = site.value.php.root;
-                locations."~ ^.+?.php(/.*)?$".extraConfig =
-                ''
-                  fastcgi_pass ${site.value.php.fastcgiPass};
-                  fastcgi_split_path_info ^(.+\.php)(/.*)$;
-                  fastcgi_param PATH_INFO $fastcgi_path_info;
-                  include ${inputs.config.services.nginx.package}/conf/fastcgi.conf;
-                '';
-              }
-              else {})
-            // (if site.value.proxy != null then
-              {
-                locations."/" =
-                {
-                  proxyPass = site.value.proxy.upstream;
-                  proxyWebsockets = site.value.proxy.websocket;
-                  recommendedProxySettings = false;
-                  recommendedProxySettingsNoHost = true;
-                  extraConfig = builtins.concatStringsSep "\n" (builtins.map
-                    (header: ''proxy_set_header ${header.name} "${header.value}";'')
-                    (inputs.localLib.attrsToList site.value.proxy.setHeaders));
-                };
-              }
-              else {});
-          })
-          (attrsToList nginx.http));
-      }
-    ]);
+        enable = true;
+        settings =
+        {
+          AccountID = 901296;
+          LicenseKey = inputs.config.nixos.system.sops.secrets."nginx/maxmind-license".path;
+          EditionIDs = [ "GeoLite2-ASN" "GeoLite2-City" "GeoLite2-Country" ];
+        };
+      };
+    };
+    networking.firewall.allowedTCPPorts = [ 80 443 ];
+    nixos.system.sops.secrets."nginx/maxmind-license".owner = inputs.config.users.users.nginx.name;
+    systemd.services.nginx.serviceConfig =
+    {
+      CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];
+      AmbientCapabilities = [ "CAP_NET_ADMIN" ];
+      LimitNPROC = 65536;
+      LimitNOFILE = 524288;
+    };
+  };
 }

modules/services/nginx/http.nix

@@ -0,0 +1,77 @@
+inputs:
+{
+  options.nixos.services.nginx.http = let inherit (inputs.lib) mkOption types; in mkOption
+  {
+    type = types.attrsOf (types.submodule (submoduleInputs: { options =
+    {
+      rewriteHttps = mkOption
+      {
+        type = types.nullOr (types.submodule { options =
+        {
+          hostname = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; }; 
+        };});
+        default = null;
+      };
+      php = mkOption
+      {
+        type = types.nullOr (types.submodule { options =
+          { root = mkOption { type = types.nonEmptyStr; }; fastcgiPass = mkOption { type = types.nonEmptyStr; };};});
+        default = null;
+      };
+      proxy = mkOption
+      {
+        type = types.nullOr (types.submodule { options =
+        {
+          upstream = mkOption { type = types.nonEmptyStr; };
+          websocket = mkOption { type = types.bool; default = false; };
+          setHeaders = mkOption
+            { type = types.attrsOf types.str; default.Host = submoduleInputs.config._module.args.name; };
+        };});
+        default = null;
+      };
+    };}));
+    default = {};
+  };
+  config = let inherit (inputs.config.nixos.services) nginx; in inputs.lib.mkIf (nginx.http != {})
+  {
+    assertions = inputs.lib.mapAttrsToList
+      (n: v:
+      {
+        assertion = (inputs.lib.count (x: x != null) (builtins.map (type: v.${type}) nginx.global.httpTypes)) <= 1;
+        message = "Only one type shuold be specified in ${n}";
+      })
+      nginx.http;
+    services.nginx.virtualHosts = inputs.lib.mapAttrs'
+      (n: v:
+      {
+        name = "http.${n}";
+        value = { serverName = n; listen = [ { addr = "0.0.0.0"; port = 80; } ]; }
+        // (inputs.lib.optionalAttrs (v.rewriteHttps != null)
+          { locations."/".return = "301 https://${v.rewriteHttps.hostname}$request_uri"; })
+        // (inputs.lib.optionalAttrs (v.php != null)
+          {
+            extraConfig = "index index.php;";
+            root = v.php.root;
+            locations."~ ^.+?.php(/.*)?$".extraConfig =
+            ''
+              fastcgi_pass ${v.php.fastcgiPass};
+              fastcgi_split_path_info ^(.+\.php)(/.*)$;
+              fastcgi_param PATH_INFO $fastcgi_path_info;
+              include ${inputs.config.services.nginx.package}/conf/fastcgi.conf;
+            '';
+          })
+        // (inputs.lib.optionalAttrs (v.proxy != null)
+          {
+            locations."/" =
+            {
+              proxyPass = v.proxy.upstream;
+              proxyWebsockets = v.proxy.websocket;
+              extraConfig = builtins.concatStringsSep "\n" (inputs.lib.mapAttrsToList
+                (n: v: ''proxy_set_header ${n} "${v}";'')
+                v.proxy.setHeaders);
+            };
+          });
+      })
+      nginx.http;
+  };
+}

modules/services/nginx/https.nix

@@ -0,0 +1,393 @@
+inputs:
+{
+  options.nixos.services.nginx.https = let inherit (inputs.lib) mkOption types; in mkOption
+  {
+    type = types.attrsOf (types.submodule (siteSubmoduleInputs: { options =
+    {
+      global =
+      {
+        configName = mkOption
+          { type = types.nonEmptyStr; default = "https:${siteSubmoduleInputs.config._module.args.name}"; };
+        root = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
+        index = mkOption
+        {
+          type = types.nullOr (types.oneOf [ (types.enum [ "auto" ]) (types.nonEmptyListOf types.nonEmptyStr) ]);
+          default = null;
+        };
+        charset = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
+        detectAuth = mkOption
+        {
+          type = types.nullOr (types.submodule { options =
+          {
+            text = mkOption { type = types.nonEmptyStr; default = "Restricted Content"; };
+            users = mkOption { type = types.nonEmptyListOf types.nonEmptyStr; };
+          };});
+          default = null;
+        };
+        rewriteHttps = mkOption { type = types.bool; default = true; };
+        tlsCert = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
+      };
+      listen = mkOption
+      {
+        type = types.attrsOf (types.submodule { options =
+        {
+          http2 = mkOption { type = types.bool; default = true; };
+          proxyProtocol = mkOption { type = types.bool; default = true; };
+          # if proxyProtocol not enabled, add to transparentProxy only
+          # if proxyProtocol enabled, add to transparentProxy and streamProxy
+          addToTransparentProxy = mkOption { type = types.bool; default = true; };
+        };});
+        default.main = {};
+      };
+      location = mkOption
+      {
+        type = types.attrsOf (types.submodule { options =
+          let genericOptions =
+          {
+            # should be set to non null value if global root is null
+            root = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
+            detectAuth = mkOption
+            {
+              type = types.nullOr (types.submodule { options =
+              {
+                text = mkOption { type = types.nonEmptyStr; default = "Restricted Content"; };
+                users = mkOption { type = types.nonEmptyListOf types.nonEmptyStr; };
+              };});
+              default = null;
+            };
+          };
+          in
+          {
+            # only one should be specified
+            proxy = mkOption
+            {
+              type = types.nullOr (types.submodule { options =
+              {
+                inherit (genericOptions) detectAuth;
+                upstream = mkOption { type = types.nonEmptyStr; };
+                websocket = mkOption { type = types.bool; default = false; };
+                grpc = mkOption { type = types.bool; default = false; };
+                setHeaders = mkOption
+                  { type = types.attrsOf types.str; default.Host = siteSubmoduleInputs.config._module.args.name; };
+                # echo -n "username:password" | base64
+                addAuth = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
+              };});
+              default = null;
+            };
+            static = mkOption
+            {
+              type = types.nullOr (types.submodule { options =
+              {
+                inherit (genericOptions) detectAuth root;
+                index = mkOption
+                {
+                  type = types.nullOr
+                    (types.oneOf [ (types.enum [ "auto" ]) (types.nonEmptyListOf types.nonEmptyStr) ]);
+                  default = null;
+                };
+                charset = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
+                tryFiles = mkOption { type = types.nullOr (types.nonEmptyListOf types.nonEmptyStr); default = null; };
+                webdav = mkOption { type = types.bool; default = false; };
+              };});
+              default = null;
+            };
+            php = mkOption
+            {
+              type = types.nullOr (types.submodule { options =
+                { inherit (genericOptions) detectAuth root; fastcgiPass = mkOption { type = types.nonEmptyStr; };};});
+              default = null;
+            };
+            return = mkOption
+            {
+              type = types.nullOr (types.submodule { options = { return = mkOption { type = types.nonEmptyStr; }; };});
+              default = null;
+            };
+            alias = mkOption
+            {
+              type = types.nullOr (types.submodule { options =
+              {
+                path = mkOption { type = types.nonEmptyStr; };
+              };});
+              default = null;
+            };
+          };});
+        default = {};
+      };
+    };}));
+    default = {};
+  };
+  config = let inherit (inputs.config.nixos.services) nginx; in inputs.lib.mkIf (nginx.https != {}) (inputs.lib.mkMerge
+  [
+    # https assertions
+    {
+      # only one type should be specified in each location
+      assertions =
+      (
+        (builtins.map
+          (location:
+          {
+            assertion = 1 >= (inputs.lib.count (x: x != null)
+              (builtins.map (type: location.value.${type}) nginx.global.httpsLocationTypes));
+            message = "Only one type shuold be specified in ${location.name}";
+          })
+          (builtins.concatLists (inputs.lib.mapAttrsToList
+            (sn: sv: (inputs.lib.mapAttrsToList (ln: lv: inputs.lib.nameValuePair "${sn} ${ln}" lv) sv.location))
+            nginx.https)))
+        # root should be specified either in global or in each location
+        ++ (builtins.map
+          (location:
+          {
+            assertion = (location.value.root or "") != null;
+            message = "Root should be specified in ${location.name}";
+          })
+          (builtins.concatLists (builtins.map
+            (site: (inputs.lib.mapAttrsToList
+                (n: v: inputs.lib.nameValuePair "${site.name} ${n}" v)
+                site.value.location))
+            (builtins.filter (site: site.value.global.root == null) (inputs.localLib.attrsToList nginx.https)))))
+      );
+    }
+    # https
+    (
+      # merge different types of locations
+      let sites = inputs.lib.mapAttrsToList
+        (sn: sv: inputs.lib.nameValuePair sn
+        {
+          inherit (sv) global;
+          listens = builtins.attrValues sv.listen;
+          locations = inputs.lib.mapAttrsToList
+            (ln: lv: inputs.lib.nameValuePair ln
+            (
+              let _ = builtins.head (builtins.filter (type: type.value != null) (inputs.localLib.attrsToList lv));
+              in _.value // { type = _.name; }
+            ))
+            sv.location;
+        })
+        nginx.https;
+      in
+      {
+        services.nginx.virtualHosts = builtins.listToAttrs (builtins.map
+          (site:
+          {
+            name = site.value.global.configName;
+            value =
+            {
+              serverName = site.name;
+              root = inputs.lib.mkIf (site.value.global.root != null) site.value.global.root;
+              basicAuthFile = inputs.lib.mkIf (site.value.global.detectAuth != null)
+              (
+                let secret = "nginx/templates/detectAuth/${inputs.lib.strings.escapeURL site.name}-global";
+                in inputs.config.nixos.system.sops.templates.${secret}.path
+              );
+              extraConfig = builtins.concatStringsSep "\n"
+              (
+                (
+                  let inherit (site.value.global) index; in
+                    if (builtins.typeOf index == "list") then [ "index ${builtins.concatStringsSep " " index};" ]
+                    else if (index == "auto") then [ "autoindex on;" ]
+                    else []
+                )
+                ++ (
+                  let inherit (site.value.global) detectAuth;
+                  in inputs.lib.optionals (detectAuth != null) [ ''auth_basic "${detectAuth.text}"'' ]
+                )
+                ++ (
+                  let inherit (site.value.global) charset;
+                  in inputs.lib.optionals (charset != null) [ "charset ${charset};" ]
+                )
+              );
+              listen = builtins.map
+                (listen:
+                {
+                  addr = if listen.proxyProtocol then "0.0.0.0" else "127.0.0.1";
+                  port = with nginx.global; httpsPort
+                    + (if listen.http2 then httpsPortShift.http2 else 0)
+                    + (if listen.proxyProtocol then httpsPortShift.proxyProtocol else 0);
+                  ssl = true;
+                  proxyProtocol = listen.proxyProtocol;
+                  extraParameters = inputs.lib.mkIf listen.http2 [ "http2" ];
+                })
+                site.value.listens;
+              # do not automatically add http2 listen
+              http2 = false;
+              onlySSL = true;
+              useACMEHost = inputs.lib.mkIf (site.value.global.tlsCert == null) site.name;
+              sslCertificate = inputs.lib.mkIf (site.value.global.tlsCert != null)
+                "${site.value.global.tlsCert}/fullchain.pem";
+              sslCertificateKey = inputs.lib.mkIf (site.value.global.tlsCert != null)
+                "${site.value.global.tlsCert}/privkey.pem";
+              locations = builtins.listToAttrs (builtins.map
+                (location:
+                {
+                  inherit (location) name;
+                  value =
+                  {
+                    basicAuthFile = inputs.lib.mkIf (location.value.detectAuth or null != null)
+                    (
+                      let
+                        inherit (inputs.lib.strings) escapeURL;
+                        secret = "nginx/templates/detectAuth/${escapeURL site.name}/${escapeURL location.name}";
+                      in inputs.config.nixos.system.sops.templates.${secret}.path
+                    );
+                    root = inputs.lib.mkIf (location.value.root or null != null) location.value.root;
+                  }
+                  // {
+                    proxy =
+                    {
+                      proxyWebsockets = location.value.websocket;
+                      extraConfig = builtins.concatStringsSep "\n"
+                      (
+                        [ "${if location.value.grpc then "grpc" else "proxy"}_pass ${location.value.upstream};" ]
+                        ++ (inputs.lib.mapAttrsToList (n: v: ''proxy_set_header ${n} "${v}";'')
+                          location.value.setHeaders)
+                        ++ (inputs.lib.optionals
+                          (location.value.detectAuth != null || site.value.global.detectAuth != null)
+                          [ "proxy_hide_header Authorization;" ]
+                        )
+                        ++ (inputs.lib.optionals (location.value.addAuth != null)
+                          (
+                            let authFile = "nginx/templates/addAuth/${location.value.addAuth}";
+                            in [ "include ${inputs.config.nixos.system.sops.templates.${authFile}.path};" ]
+                          ))
+                      );
+                    };
+                    static =
+                    {
+                      index = inputs.lib.mkIf (builtins.typeOf location.value.index == "list")
+                        (builtins.concatStringsSep " " location.value.index);
+                      tryFiles = inputs.lib.mkIf (location.value.tryFiles != null)
+                        (builtins.concatStringsSep " " location.value.tryFiles);
+                      extraConfig = inputs.lib.mkMerge
+                      [
+                        (inputs.lib.mkIf (location.value.index == "auto") "autoindex on;")
+                        (inputs.lib.mkIf (location.value.charset != null) "charset ${location.value.charset};")
+                        (inputs.lib.mkIf location.value.webdav
+                        ''
+                          dav_access user:rw group:rw;
+                          dav_methods PUT DELETE MKCOL COPY MOVE;
+                          dav_ext_methods PROPFIND OPTIONS;
+                          create_full_put_path on;
+                        '')
+                      ];
+                    };
+                    php.extraConfig =
+                    ''
+                      fastcgi_pass ${location.value.fastcgiPass};
+                      fastcgi_split_path_info ^(.+\.php)(/.*)$;
+                      fastcgi_param PATH_INFO $fastcgi_path_info;
+                      include ${inputs.config.services.nginx.package}/conf/fastcgi.conf;
+                    '';
+                    return.return = location.value.return;
+                    alias.alias = location.value.path;
+                  }.${location.value.type};
+                })
+                site.value.locations);
+            };
+          })
+          sites);
+        nixos =
+        {
+          services =
+          {
+            nginx =
+            # { name = domain; value = listen = { http2 = xxx, proxyProtocol = xxx }; }
+              let listens = builtins.filter
+                (listen: listen.value.addToTransparentProxy)
+                (builtins.concatLists (builtins.map
+                  (site: builtins.map (listen: { inherit (site) name; value = listen; }) site.value.listens)
+                  sites));
+              in
+              {
+                transparentProxy.map = builtins.listToAttrs (builtins.map
+                  (site:
+                  {
+                    inherit (site) name;
+                    value = with nginx.global; httpsPort + (if site.value.http2 then httpsPortShift.http2 else 0);
+                  })
+                  (builtins.filter (listen: !listen.value.proxyProtocol) listens));
+                streamProxy.map = builtins.listToAttrs (builtins.map
+                  (site:
+                  {
+                    inherit (site) name;
+                    value =
+                    {
+                      upstream.port = with nginx.global; httpsPort + httpsPortShift.proxyProtocol
+                        + (if site.value.http2 then httpsPortShift.http2 else 0);
+                      proxyProtocol = true;
+                      rewriteHttps = inputs.lib.mkDefault false;
+                    };
+                  })
+                  (builtins.filter (listen: listen.value.proxyProtocol) listens));
+                http = builtins.listToAttrs (builtins.map
+                  (site: { inherit (site) name; value.rewriteHttps = {}; })
+                  (builtins.filter (site: site.value.global.rewriteHttps) sites));
+              };
+            acme.cert = builtins.listToAttrs (builtins.map
+              (site: { inherit (site) name; value.group = inputs.config.services.nginx.group; })
+              sites);
+          };
+          system.sops =
+            let
+              inherit (inputs.lib.strings) escapeURL;
+              detectAuthUsers = builtins.concatLists (builtins.map
+                (site:
+                (
+                  (builtins.map
+                    (location:
+                    {
+                      name = "${escapeURL site.name}/${escapeURL location.name}";
+                      value = location.value.detectAuth.users;
+                    })
+                    (builtins.filter (location: location.value.detectAuth or null != null) site.value.locations))
+                  ++ (inputs.lib.optionals (site.value.global.detectAuth != null)
+                    [ { name = "${escapeURL site.name}-global"; value = site.value.global.detectAuth.users; } ])
+                ))
+                sites);
+              addAuth = builtins.concatLists (builtins.map
+                (site: builtins.map
+                  (location:
+                  {
+                    name = "${escapeURL site.name}/${escapeURL location.name}";
+                    value = location.value.addAuth;
+                  })
+                  (builtins.filter (location: location.value.addAuth or null != null) site.value.locations)
+                )
+                sites);
+            in
+            {
+              templates = let inherit (inputs.config.nixos.system.sops) placeholder; in builtins.listToAttrs
+              (
+                (builtins.map
+                  (detectAuth: inputs.lib.nameValuePair "nginx/templates/detectAuth/${detectAuth.name}"
+                  {
+                    owner = inputs.config.users.users.nginx.name;
+                    content = builtins.concatStringsSep "\n" (builtins.map
+                      (user: "${user}:{PLAIN}${placeholder."nginx/detectAuth/${user}"}")
+                      detectAuth.value);
+                  })
+                  detectAuthUsers)
+                ++ (builtins.map
+                  (addAuth: inputs.lib.nameValuePair "nginx/templates/addAuth/${addAuth.name}"
+                  {
+                    owner = inputs.config.users.users.nginx.name;
+                    content =
+                      ''proxy_set_header Authorization "Basic ${placeholder."nginx/addAuth/${addAuth.value}"}";'';
+                  })
+                  addAuth)
+              );
+              secrets = builtins.listToAttrs
+              (
+                (builtins.map
+                  (secret: { name = "nginx/detectAuth/${secret}"; value = {}; })
+                  (inputs.lib.unique (builtins.concatLists (builtins.map (detectAuth: detectAuth.value)
+                    detectAuthUsers))))
+                ++ (builtins.map
+                  (secret: { name = "nginx/addAuth/${secret}"; value = {}; })
+                  (inputs.lib.unique (builtins.map (addAuth: addAuth.value) addAuth)))
+              );
+            };
+        };
+      }
+    )
+  ]);
+}

modules/services/nginx/streamProxy.nix

@@ -0,0 +1,97 @@
+inputs:
+{
+  options.nixos.services.nginx.streamProxy = let inherit (inputs.lib) mkOption types; in
+  {
+    map = mkOption
+    {
+      type = types.attrsOf (types.oneOf
+      [
+        # proxy to specified ip:port without proxyProtocol
+        types.nonEmptyStr
+        (types.submodule { options =
+        {
+          upstream = mkOption
+          {
+            type = types.oneOf
+            [
+              # proxy to specified ip:port with or without proxyProtocol
+              types.nonEmptyStr
+              (types.submodule { options =
+              {
+                address = mkOption { type = types.nonEmptyStr; default = "127.0.0.1"; };
+                # if port not specified, guess from proxyProtocol enabled or not, assume http2 enabled
+                port = mkOption { type = types.nullOr types.ints.unsigned; default = null; };
+              };})
+            ];
+            default = {};
+          };
+          proxyProtocol = mkOption { type = types.bool; default = true; };
+          addToTransparentProxy = mkOption { type = types.bool; default = true; };
+          rewriteHttps = mkOption { type = types.bool; default = true; };
+        };})
+      ]);
+      default = {};
+    };
+  };
+  config = let inherit (inputs.config.nixos.services) nginx; in inputs.lib.mkIf (nginx.streamProxy.map != {})
+  {
+    services.nginx.streamConfig =
+    ''
+      log_format stream_proxy '[$time_local] $remote_addr-$geoip2_data_country_code '
+        '"$ssl_preread_server_name"->$stream_proxy_backend $bytes_sent $bytes_received';
+      map $ssl_preread_server_name $stream_proxy_backend {
+        ${builtins.concatStringsSep "\n    " (inputs.lib.mapAttrsToList
+          (n: v:
+            let
+              upstream =
+                if (builtins.typeOf v.upstream == "string") then v.upstream
+                else
+                  let port = with nginx.global;
+                    if v.upstream.port == null then
+                      httpsPort + httpsPortShift.http2 + (if v.proxyProtocol then httpsPortShift.proxyProtocol else 0)
+                    else v.upstream.port;
+                  in "${v.upstream.address}:${builtins.toString port}";
+            in ''"${n}" "${upstream}";'')
+          nginx.streamProxy.map)}
+      }
+      server {
+        listen 127.0.0.1:${toString nginx.global.streamPort};
+        ssl_preread on;
+        proxy_pass $stream_proxy_backend;
+        proxy_connect_timeout 10s;
+        proxy_socket_keepalive on;
+        proxy_buffer_size 128k;
+        access_log syslog:server=unix:/dev/log stream_proxy;
+      }
+      server {
+        listen 127.0.0.1:${builtins.toString (with nginx.global; (streamPort + streamPortShift.proxyProtocol))};
+        proxy_protocol on;
+        ssl_preread on;
+        proxy_pass $stream_proxy_backend;
+        proxy_connect_timeout 10s;
+        proxy_socket_keepalive on;
+        proxy_buffer_size 128k;
+        access_log syslog:server=unix:/dev/log stream_proxy;
+      }
+    '';
+    nixos.services.nginx =
+    {
+      transparentProxy.map = builtins.listToAttrs
+      (
+        (builtins.map
+          (site: { inherit (site) name; value = nginx.global.streamPort; })
+          (builtins.filter
+            (site: (!(site.value.proxyProtocol or false) && (site.value.addToTransparentProxy or true)))
+            (inputs.localLib.attrsToList nginx.streamProxy.map)))
+        ++ (builtins.map
+          (site: { inherit (site) name; value = with nginx.global; streamPort + streamPortShift.proxyProtocol; })
+          (builtins.filter
+            (site: ((site.value.proxyProtocol or false) && (site.value.addToTransparentProxy or true)))
+            (inputs.localLib.attrsToList nginx.streamProxy.map)))
+      );
+      http = builtins.listToAttrs (builtins.map
+        (site: { inherit (site) name; value.rewriteHttps = {}; })
+        (builtins.filter (site: site.value.rewriteHttps or false) (inputs.localLib.attrsToList nginx.streamProxy.map)));
+    };
+  };
+}