devices.cross: set password for zgq

This reverts commit 21e9f53b39.

devices/cross/secrets/default.yaml

@@ -28,6 +28,9 @@ users:
     pen: ENC[AES256_GCM,data:XOKXV0YSFbHC3I3xO8fpWvYerNfVFg2afs+CUp2MZB+yt9KR5bTJdVOfUGldLbWH5CR4v5FxTrTujv24wJ710Rfyugxh9aFJ/w==,iv:tHLoO+XpdUk8S56QUiJQOpVO9C5epam9PMubMN+8fHw=,tag:H0srWRigNUedQMIAfJlfjg==,type:str]
     #ENC[AES256_GCM,data:K6O0TIYYGZmM8iOwsQ==,iv:xtT8Psnoy51V9gsRo335+VT56FXTcMQ3d4/tnuWouew=,tag:k8irtZ33G3UFK++rzcmyiw==,type:comment]
     reonokiy: ENC[AES256_GCM,data:fPKdOPAKbXUvK5Jj08T0iSD23mhhkTXCexgB5q3v5JS4c6V4S+W14WOkS4UHrMQls/rHslw0NyMzS5G27A+5vN+EN+xJZfuRGg==,iv:tSdNOgs61tyt7/hUKt8bfKvpq9qOQU14ligdxBs/ATs=,tag:6IoS/p2StKtFREIpxsWkdg==,type:str]
+    #ENC[AES256_GCM,data:cZznknXjlWF6eoEaTA==,iv:tdw/54W2evO1o5sq1syz3k0DZrm/rjflxqJpB9LZgvg=,tag:d60Ctc5YeSmhZJUURUmeSg==,type:comment]
+    zqq: ENC[AES256_GCM,data:iFtM0pxIvXPHBnLEfHdmYGVWXuroDLgUaAKF+DmuBdq1NY+pr33oXNJzckFZfWgpIOuCm4cNg5j5R6nsG+zk2VWdi2vuITT4jA==,iv:qfBC/D1gJYXOZ0Fy2DkAb+ImDgXZWU6R/Z50hbVDR98=,tag:eCr6lbSieWDCNaTYzoQ0qQ==,type:str]
+    zgq: ENC[AES256_GCM,data:cHYFToQ5ulEcb741Gg3X4lKj8ZJy1zcLHpkVQjQXt5hRAQtPsiPlegi2a1nUIAUb6sI//4ffcytlXpdK2sXewFe3ZiIXy3UVjQ==,iv:fKaPxpfh5ssOwAbmEsAPaQ45KrNtkHZb96IzWc6pD9s=,tag:Vt91B77SjxYaZ/HvWVBufA==,type:str]
 telegram:
     token: ENC[AES256_GCM,data:zfMATU2E6cwoiyfszV35vkQG6JSk00y589wmGEf4wQNncPhNsvh+NcSfnTwHTQ==,iv:Q46mUquhUZLGQsCDYitk4IPu24MpVnYmi7aHyZL/b1E=,tag:QVbrwAA9mWK/ToJfGIs9ug==,type:str]
     user:
@@ -174,7 +177,7 @@ sops:
             UnR5Y24rSTk3WUV1VUgvQUFCVUxPZUEKv/lTy02gZYn4jF1uGtm+LhJd0m59Xe99
             +unmqUDh0ZqAhJU8o0jrBiWs1lXOHU7CkIom7tGEMHGUxHkS+Z/6GQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-05-14T01:17:28Z"
-    mac: ENC[AES256_GCM,data:r1FWYKz9aJtmhH7MLPqwZjG0W7LULScGd63CnIqsm2AbFIs6DgW33zDsgwrl1oblx/zYGda3irB5s1+otR38DU0VE7jqLYzHpb3eLsE986ZTwe9Tujy6BJm2Pyng60BJTTBwKU8awS2WpbTUivK1aVivNfBffQIL5Scv/qkyH3U=,iv:1USu0hh8IM2T/w1Fm/udGswPJcxKmvcG6XwlS2ku6iY=,tag:F/rZiGc3KTaNA0YtrWF3+w==,type:str]
+    lastmodified: "2025-07-05T04:25:07Z"
+    mac: ENC[AES256_GCM,data:x7wXcdExnf3grO9uS90dQMCSTgJiCyz5sdiek4EnYPsb/EVXfbzYnOo05T3ns8nNfQb6jCKBr/TZO6ZhOneaa/b8uZrG3c4EtDRVptm6+8PydgG5pv5ZiVLb83XR/t11xLWyzc8livLiTPb2RT0UglznOWCGPz20ULoI+JphGGc=,iv:iE7sRIyY2Espmaushcb0VJMjUZYhSGAqRdhmQRMkndU=,tag:0qsijRFyFshIKZTwVbvntw==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.9.2
+    version: 3.10.2

devices/cross/wireguard.nix

@@ -2,6 +2,7 @@ inputs:
 let
   publicKey =
   {
+    vps4 = "sUB97q3lPyGkFqPmjETzDP71J69ZVfaUTWs85+HA12g=";
     vps6 = "AVOsYUKQQCvo3ctst3vNi8XSVWo1Wh15066aHh+KpF4=";
     pc = "l1gFSDCeBxyf/BipXNvoEvVvLqPgdil84nmr5q6+EEw=";
     nas = "xCYRbZEaGloMk7Awr00UR3JcDJy4AzVp4QvGNoyEgFY=";
@@ -61,7 +62,7 @@ let
           # 所有设备都可以连接到公网，但只有有公网 ip 的设备可以接受连接
           (builtins.listToAttrs
           (
-            (builtins.map (n: { name = n; value = getAddress n; }) [ "vps6" "srv3" ])
+            (builtins.map (n: { name = n; value = getAddress n; }) [ "vps4" "vps6" "srv3" ])
               ++ (builtins.map (n: { name = n; value = null; }) [ "pc" "nas" "one" "srv1-node0" "srv2-node0" ])
           ))
           # 校内网络

devices/nas/default.nix

@@ -4,7 +4,7 @@ inputs:
   {
     nixos =
     {
-      model = { type = "desktop"; private = true; };
+      model.private = true;
       system =
       {
         fileSystems =
@@ -19,23 +19,13 @@ inputs:
         };
         initrd.sshd = {};
         nixpkgs.march = "silvermont";
-        networking = {};
+        network = {};
       };
       hardware = { cpus = [ "intel" ]; gpu.type = "intel"; };
       services =
       {
         sshd = {};
-        xray.client =
-        {
-          enable = true;
-          # TODO: remove on next month
-          xray =
-          {
-            serverAddress = inputs.topInputs.self.config.dns."chn.moe".getAddress "xserver.srv3";
-            serverName = "xserver.srv3.chn.moe";
-          };
-          dnsmasq.hosts."git.nas.chn.moe" = "127.0.0.1";
-        };
+        xray.client.dnsmasq.hosts."git.nas.chn.moe" = "127.0.0.1";
         beesd."/".hashTableSizeMB = 10 * 128;
         nfs."/" = inputs.topInputs.self.config.dns."chn.moe".getAddress "wg1.pc";
       };

devices/nas/secrets.yaml

@@ -21,7 +21,7 @@ sops:
             by9Rd0U0bzNiK21BQTNxN1RuQ09DQVkKJmSlzV5ppEkZFljsS17ZWmoI++fz4tJh
             kTdoAStG1zsKASHyZTsmdm3RBDO3qV1KhQC2gC7d4EiwNZngxOOZJg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-05-19T01:47:25Z"
-    mac: ENC[AES256_GCM,data:J79zVjfGgptSjh+ShPBOd+lJ9i+NuS2Uw7P4ZvF7xeahn7fbT8bercsBv1F1USwW2ituTBMZFmxaspGjAD+azEM2X7zSJnVtbKr+T9FY6i2N+kPIxdseyw93JLZ1pPTy9bQeXRAJYlJHyEw4zHEpMBbWSI88I+i43s2xkScwEuU=,iv:4Ge0dHPxa4zF++0eeHy8fH7t5ndFznhFAKnrV7WOOXs=,tag:+UG3b93zFo/EfOfCQrPoBg==,type:str]
+    lastmodified: "2025-06-09T01:22:01Z"
+    mac: ENC[AES256_GCM,data:OxRUW3e2SXTTdb7Iwvsf/UaHsTIVxohJwRIFExh5N/dJhU9Ui8omKBjkooiGaysrZEVEZNAWSp2zvTPXUdZrtW2fikyhF6Fsg7jUFFTqhV/sjYMy7gISbfkcGF9SuYGByuuySyXPqsfg+ESeBmMVZiqDSEPYJWu+q8OwThdhsAM=,iv:UnSfmuxcV+tr7wd59Xg0MG2QbP2uOshVhN5C++9ZSzA=,tag:cWiG85xv2OuiBOoAlvVBGw==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2

devices/one/default.nix

@@ -20,21 +20,11 @@ inputs:
           rollingRootfs = {};
         };
         nixpkgs.march = "tigerlake";
-        kernel.variant = "cachyos-lts";
       };
       hardware = { cpus = [ "intel" ]; gpu.type = "intel"; };
       services =
       {
-        xray.client =
-        {
-          enable = true;
-          # TODO: remove on next month
-          xray =
-          {
-            serverAddress = inputs.topInputs.self.config.dns."chn.moe".getAddress "xserver.srv3";
-            serverName = "xserver.srv3.chn.moe";
-          };
-        };
+        xray.client = {};
         beesd."/".hashTableSizeMB = 64;
         sshd = {};
       };

devices/pc/default.nix

@@ -74,29 +74,13 @@ inputs:
           };
         };
         sshd = {};
-        xray.client =
-        {
-          enable = true;
-          # TODO: remove on next month
-          xray =
-          {
-            serverAddress = inputs.topInputs.self.config.dns."chn.moe".getAddress "xserver.srv3";
-            serverName = "xserver.srv3.chn.moe";
-          };
-          dnsmasq.hosts = builtins.listToAttrs
-          (
-            (builtins.map
-              (name: { inherit name; value = "144.34.225.59"; })
-              [ "mirism.one" "beta.mirism.one" "ng01.mirism.one" "initrd.vps6.chn.moe" ])
-            ++ (builtins.map
-              (name: { inherit name; value = "0.0.0.0"; })
-              [ "log-upload.mihoyo.com" "uspider.yuanshen.com" "ys-log-upload.mihoyo.com" ])
-          )
-          // {
-            "4006024680.com" = "192.168.199.1";
-            "hpc.xmu.edu.cn" = "121.192.191.11";
-          };
-        };
+        xray.client.dnsmasq.hosts = builtins.listToAttrs
+        (
+          (builtins.map
+            (name: { inherit name; value = "144.34.225.59"; })
+            [ "mirism.one" "beta.mirism.one" "ng01.mirism.one" "initrd.vps6.chn.moe" ])
+        )
+        // { "4006024680.com" = "192.168.199.1"; };
         acme.cert."debug.mirism.one" = {};
         nix-serve = {};
         misskey.instances.misskey.hostname = "xn--qbtm095lrg0bfka60z.chn.moe";
@@ -129,7 +113,7 @@ inputs:
         nfs."/" = "192.168.84.0/24";
       };
       bugs = [ "xmunet" "backlight" "amdpstate" "iwlwifi" ];
-      packages = { android-studio = {}; mathematica = {}; vasp = {}; };
+      packages = { android-studio = {}; mathematica = {}; vasp = {}; lammps = {}; };
       user.users = [ "chn" "test" ];
     };
     boot.loader.grub =
@@ -164,7 +148,6 @@ inputs:
     services.udev.extraRules = ''ACTION=="add", ATTR{power/wakeup}="disabled"'';
     # 允许kvm读取物理硬盘
     users.users.qemu-libvirtd.extraGroups = [ "disk" ];
-    networking.extraHosts = "144.34.225.59 mirism.one beta.mirism.one ng01.mirism.one";
     services.colord.enable = true;
   };
 }

devices/srv1/default.nix

@@ -63,7 +63,7 @@ inputs:
         };
       };
       packages.vasp = {};
-      user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" "GROUPIII-1" "GROUPIII-2" "GROUPIII-3" ];
+      user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" "GROUPIII-1" "GROUPIII-2" "GROUPIII-3" "zgq" ];
     };
   };
 }

devices/srv1/node0/default.nix

@@ -8,25 +8,26 @@ inputs:
       system =
       {
         nixpkgs.march = "cascadelake";
-        networking.static =
+        network =
         {
-          eno145 = { ip = "192.168.1.10"; mask = 24; gateway = "192.168.1.1"; };
-          eno146 = { ip = "192.168.178.1"; mask = 24; };
+          static =
+          {
+            eno145 = { ip = "192.168.1.10"; mask = 24; gateway = "192.168.1.1"; };
+            eno146 = { ip = "192.168.178.1"; mask = 24; };
+          };
+          masquerade = [ "eno146" ];
+          trust = [ "eno146" ];
         };
       };
       services =
       {
-        xray.client = { enable = true; dnsmasq.extraInterfaces = [ "eno146" ]; };
+        sshd.motd = true;
+        xray.client.dnsmasq.extraInterfaces = [ "eno146" ];
         beesd."/" = { hashTableSizeMB = 128; threads = 4; };
         samba = { hostsAllowed = ""; shares = { home.path = "/home"; root.path = "/"; }; };
       };
       packages.packages._prebuildPackages =
         [ inputs.topInputs.self.nixosConfigurations.srv1-node1.pkgs.localPackages.vasp.intel ];
     };
-    # allow other machine access network by this machine
-    systemd.network.networks."10-eno146".networkConfig.IPMasquerade = "both";
-    # without this, tproxy does not work
-    # TODO: why?
-    networking.firewall.trustedInterfaces = [ "eno146" ];
   };
 }

devices/srv1/node1/default.nix

@@ -7,13 +7,14 @@ inputs:
       system =
       {
         nixpkgs.march = "broadwell";
-        networking.static.eno2 =
-          { ip = "192.168.178.2"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; };
+        network =
+        {
+          static.eno2 =
+            { ip = "192.168.178.2"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; };
+          trust = [ "eno2" ];
+        };
       };
       services.beesd."/".threads = 4;
     };
-    boot.initrd.systemd.network.networks."10-eno2" = inputs.config.systemd.network.networks."10-eno2";
-    # make slurm sub process to be able to communicate with the master
-    networking.firewall.trustedInterfaces = [ "eno2" ];
   };
 }

devices/srv1/node2/default.nix

@@ -7,26 +7,25 @@ inputs:
       system =
       {
         nixpkgs.march = "broadwell";
-        networking.static =
+        network =
         {
-          br0 = { ip = "192.168.1.12"; mask = 24; gateway = "192.168.1.1"; dns = "192.168.1.1"; };
-          eno2 = { ip = "192.168.178.3"; mask = 24; };
+          static =
+          {
+            br0 = { ip = "192.168.1.12"; mask = 24; gateway = "192.168.1.1"; dns = "192.168.1.1"; };
+            eno2 = { ip = "192.168.178.3"; mask = 24; };
+          };
+          trust = [ "eno2" ];
+          bridge.br0.interfaces = [ "eno1" ];
         };
         fileSystems.mount.btrfs."/dev/disk/by-partlabel/srv1-node2-nodatacow" =
           { "/nix/nodatacow" = "/nix/nodatacow"; "/nix/backups" = "/nix/backups"; };
       };
       services =
       {
-        xray.client.enable = true;
+        xray.client = {};
         beesd."/".threads = 4;
         kvm.nodatacow = true;
       };
     };
-    boot.initrd.systemd.network.networks."10-eno2" = inputs.config.systemd.network.networks."10-eno2";
-    # make slurm sub process to be able to communicate with the master
-    networking.firewall.trustedInterfaces = [ "eno2" ];
-    # add a bridge for kvm
-    # 设置桥接之后，不能再给eno1配置ip，需要转而给 br0 配置ip
-    networking.bridges.br0.interfaces = [ "eno1" ];
   };
 }

devices/srv2/default.nix

@@ -35,7 +35,7 @@ inputs:
       hardware.gpu.type = "nvidia";
       services =
       {
-        sshd = { passwordAuthentication = true; groupBanner = true; };
+        sshd = {};
         slurm =
         {
           enable = true;
@@ -80,8 +80,8 @@ inputs:
           };
         };
       };
-      packages.vasp = {};
-      user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" "lly" "yxf" "hss" "zzn" ];
+      packages = { vasp = {}; mumax = {}; lammps = {}; };
+      user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" "lly" "yxf" "hss" "zzn" "zqq" ];
     };
   };
 }

devices/srv2/node0/default.nix

@@ -9,29 +9,24 @@ inputs:
       system =
       {
         nixpkgs.march = "skylake";
-        networking =
+        network =
         {
           static.eno2 = { ip = "192.168.178.1"; mask = 24; };
           wireless = [ "457的5G" ];
+          masquerade = [ "eno2" ];
+          trust = [ "eno2" ];
         };
       };
       services =
       {
-        xray.client =
-        {
-          enable = true;
-          dnsmasq = { extraInterfaces = [ "eno2" ]; hosts."hpc.xmu.edu.cn" = "121.192.191.11"; };
-        };
+        xray.client = { dnsmasq = { extraInterfaces = [ "eno2" ]; hosts."hpc.xmu.edu.cn" = "121.192.191.11"; }; };
         beesd."/" = { hashTableSizeMB = 16 * 128; loadAverage = 8; };
         samba = { hostsAllowed = ""; shares = { home.path = "/home"; root.path = "/"; }; };
         groupshare = {};
         hpcstat = {};
         ollama = {};
+        sshd = { groupBanner = true; motd = true; };
       };
     };
-    # allow other machine access network by this machine
-    systemd.network.networks."10-eno2".networkConfig.IPMasquerade = "both";
-    # without this, tproxy does not work
-    networking.firewall.trustedInterfaces = [ "eno2" ];
   };
 }

devices/srv2/node1/default.nix

@@ -8,14 +8,15 @@ inputs:
       system =
       {
         nixpkgs.march = "znver3";
-        networking.static.enp58s0 =
-          { ip = "192.168.178.2"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; };
+        network =
+        {
+          static.enp58s0 =
+            { ip = "192.168.178.2"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; };
+          trust = [ "enp58s0" ];
+        };
       };
       services.beesd."/".hashTableSizeMB = 64;
     };
     services.hardware.bolt.enable = true;
-    boot.initrd.systemd.network.networks."10-enp58s0" = inputs.config.systemd.network.networks."10-enp58s0";
-    # make slurm sub process to be able to communicate with the master
-    networking.firewall.trustedInterfaces = [ "enp58s0" ];
   };
 }

devices/srv3/default.nix

@@ -19,12 +19,16 @@ inputs:
         };
         nixpkgs.march = "haswell";
         initrd.sshd = {};
-        networking.static.eno1 =
+        network =
         {
-          ip = "23.135.236.216";
-          mask = 24;
-          gateway = "23.135.236.1";
-          dns = "8.8.8.8";
+          bridge.nixvirt.interfaces = [ "eno1" ];
+          static.nixvirt =
+          {
+            ip = "23.135.236.216";
+            mask = 24;
+            gateway = "23.135.236.1";
+            dns = "8.8.8.8";
+          };
         };
       };
       hardware.cpus = [ "intel" ];
@@ -36,12 +40,14 @@ inputs:
         {
           alikia =
           {
-            hardware = { memoryMB = 1024; cpus = 1; };
+            memory.sizeMB = 1024;
+            cpu.count = 1;
             network = { address = 2; portForward.tcp = [{ host = 5689; guest = 22; }]; };
           };
           pen =
           {
-            hardware = { memoryMB = 512; cpus = 1; };
+            memory.sizeMB = 512;
+            cpu.count = 1;
             network =
             {
               address = 3;
@@ -62,7 +68,8 @@ inputs:
           test =
           {
             owner = "chn";
-            hardware = { memoryMB = 512; cpus = 1; };
+            memory.sizeMB = 512;
+            cpu.count = 1;
             network =
             {
               address = 4;
@@ -72,7 +79,8 @@ inputs:
           };
           reonokiy =
           {
-            hardware = { memoryMB = 4 * 1024; cpus = 4; };
+            memory.sizeMB = 4 * 1024;
+            cpu.count = 4;
             network = { address = 5; portForward.tcp = [{ host = 5694; guest = 22; }]; };
           };
         };
@@ -87,14 +95,14 @@ inputs:
         vaultwarden.enable = true;
         photoprism.enable = true;
         nextcloud = {};
-        freshrss.enable = true;
+        freshrss = {};
         send = {};
         huginn = {};
         httpapi.enable = true;
         gitea = { enable = true; ssh = {}; };
         grafana = {};
         fail2ban = {};
-        xray.server.serverName = "xserver.srv3.chn.moe";
+        xray.server = {};
         docker = {};
         peertube = {};
         nginx.applications.webdav.instances."webdav.chn.moe" = {};
@@ -102,7 +110,5 @@ inputs:
       };
       user.users = [ "chn" "aleksana" "alikia" "pen" "reonokiy" ];
     };
-    # TODO: use a generic way
-    boot.initrd.systemd.network.networks."10-eno1" = inputs.config.systemd.network.networks."10-eno1";
   };
 }

devices/srv3/secrets.yaml

@@ -75,48 +75,8 @@ xray-server:
         user0: ENC[AES256_GCM,data:n6gIZGYdT6wEfKgizFvIE802AkpR8BpSPSZrQ5WP/aZWzLUL,iv:AxnwFOzmIRm3nTLpi8/4lkv+TjO4y4RZQtHO0GriD8o=,tag:nllDCaLZd6JNS2JqwvgVyg==,type:str]
         #ENC[AES256_GCM,data:uhAauqQ1oQ==,iv:0Sr6YjarjkLmBq5H1ELb3SYBzrTVhqIE6qPxc9HYeKY=,tag:NvGGSY99Y7d3OTnpOr2p2g==,type:comment]
         user1: ENC[AES256_GCM,data:EcEySx/n52rN5REPEWNjCuWywokvOetadbljqPpDPADTeeSk,iv:7r3CdvHJT1iZvx1Xn53It1ZxIkdLVIeQ+Q03zISm94k=,tag:8cIGZUlIhVgRc2FeU931kQ==,type:str]
-        #ENC[AES256_GCM,data:qbXmxTn+Mwk3zw==,iv:8F/0ELOwXMrKaigfRmwvGREujqNwM6XjIeaPyr6JS5U=,tag:PF/PAQCwzH7uOj+xgM0rKw==,type:comment]
-        user2: ENC[AES256_GCM,data:cA2oKqGsKuZyydMQspbSrWqsQIAde/VtGIPybC2gr3Bg355H,iv:YOj+6f6YR3Ze3x5IrqdqzXp9e3v1jdAu8re1Is6Q4eQ=,tag:n/CV6+PX/y+okpJwRraSDA==,type:str]
-        #ENC[AES256_GCM,data:VcLtO+6YWg==,iv:TWM3IY00V+LaJzk+E8ji/v7Ol4TCvSP/FHzFsV5MGIE=,tag:CijsW2O/AKpWgQUm6ipPeg==,type:comment]
-        user3: ENC[AES256_GCM,data:F3HK6znDEsN8UO7B9vBs03jyjqoQ+MGCcNJuOeglSBzLD2Hy,iv:TKBRe8Qmn9DL4AEilX20YcKbz6bydKsQUuUd5lyM2jE=,tag:nAyrTD4zkJ6CjLuj29zuJQ==,type:str]
-        #ENC[AES256_GCM,data:UFE3pg02VA==,iv:thT5OYPIHLIjKB7uiAk5vff8rtsgwncdo+U0KmW3uTE=,tag:qGWmSsI1mzg8ZbpunxBuyw==,type:comment]
-        user4: ENC[AES256_GCM,data:FYMQFFTCue+umBl5OwJvlZ+NyocsRbkycr+y1L6d6LPdR9px,iv:ZX9Z0dqmBvvXlz+oEYd7vQ5rW5lvmlc+bneDguQld30=,tag:y3d7aDWOtO0T3Yf5pGnffQ==,type:str]
         #ENC[AES256_GCM,data:KuuPQQ==,iv:LGGqLFV4CnUMLWaNbHj6bRseetvdMdSOefV1FeYlJSA=,tag:wXlqKM2BuoMRZAwYbv5eOg==,type:comment]
         user5: ENC[AES256_GCM,data:T5p0POx9Cnqdlp0blEYvAnRNIDOCNVdpOBR4rVQ1/07/rOCX,iv:EZx6ToeORzHoG+aEPi9oiTcwp4bOIAJpPUvemhYM96Q=,tag:aSS+RY5rEzr62mbE+JDanw==,type:str]
-        #ENC[AES256_GCM,data:tmlMaaDT4Q==,iv:zDBCjdBioiXGbJve03VcwCt81hiFxyKqql9rp6zW25g=,tag:cxedo8U2FICH5yMoPXwQMg==,type:comment]
-        user6: ENC[AES256_GCM,data:LzYfIXgZP0q9FpxDM6skSTiwOxEO+N5wuFq86KAazqe8zS/h,iv:Jh7bWMVr5U69L1uARLMUciWvv/aRjJJeEXvU5bo8e3A=,tag:PxesHErVSlkbuNeeRpQfEA==,type:str]
-        #ENC[AES256_GCM,data:boB2Ug==,iv:echGnXhoj2wX7GDj302nbirmzQFCqql2jtY0JaNyla4=,tag:7YnhNwCFZ9rOstanr0wGcw==,type:comment]
-        user7: ENC[AES256_GCM,data:s1O6GRn/9T9DWKlcXJTnOoAPZnPgHGBpZZcEDAKRtiYAI/5p,iv:JyaGsolN5WgQekPYxJiJbniuxLPf3+elHHbd3+ZrLtc=,tag:32wNUTqyyaKoPRQdB4U0SA==,type:str]
-        #ENC[AES256_GCM,data:cvG7WQcnwj+u9A==,iv:ui40+u9yE/Prksmiqed1NjuHyNP2RGtgSMazfI8ultc=,tag:he2F4i71Z8gFdW3fmRdhUA==,type:comment]
-        user8: ENC[AES256_GCM,data:roCYRvszJo7weozfIRoGgUhIs1f2a5/a2d1b/Iy6WEbbehOS,iv:tcOsL0SE4qMRPZIGOlzRIaMJvcapx2H9HK4D8qmSbIs=,tag:Z0skFdgtpjSR7jli3dwd5A==,type:str]
-        #ENC[AES256_GCM,data:IFXAXr0RVg/DCA==,iv:pKdnsUFX4XXJIZleA71fAfua1ibSa/2tgjdqnhbt/Rg=,tag:2Fv397j/uJDFZ/uvBxtrQw==,type:comment]
-        user9: ENC[AES256_GCM,data:5HP+OVmf+dsS8sDHakC7Yx1HVutMoTbITONHQiSvHw+17M9J,iv:TYDf7lx04pHohbGBbPJvOAoIGUKqil59k4Pt405/9kA=,tag:HUxT/uSR8sYCXQ8uX69Fqg==,type:str]
-        #ENC[AES256_GCM,data:7TJeKZM=,iv:FKcgDOtV417n1xmufqB3WENrbZ0V93sI5/XhiDYouMw=,tag:TchW2jgxZAXHvvMYY089dA==,type:comment]
-        user10: ENC[AES256_GCM,data:+u1KwJo3Y4enFM2RVr379GF7O6r9bWofUEZ2994IIC+Ce2NV,iv:ssKA5y3JM4tm+JdVznQFUAYmlrHaWd8hQXs6R/aEXN8=,tag:Q5uuM1sBZJRYBe4XXTL3ZQ==,type:str]
-        #ENC[AES256_GCM,data:O3qEWI+vFA==,iv:R7HLFRNszV6yXwciNfk/rTbDQYLmKsTCQFCfWIpJdfY=,tag:DjuM2a48/lDF11aLIf3Fgw==,type:comment]
-        user11: ENC[AES256_GCM,data:4HDGJq9nl8oGeQEo0XBEUiJweAaZ9yWc9Ib1TM91Djj2jH8d,iv:1i9/bZhHkhc8dP9Pg4gIRnCms61AP9VYxAG4acV3gpQ=,tag:vID9DEXZu3wGbXDqsLVEAg==,type:str]
-        #ENC[AES256_GCM,data:CdJubErTSg==,iv:UKn0lvbCzJnE241Tg3yjSx4xZNbp5sa/NfgIlRNU5z8=,tag:6FMGY6hbMQQFoN31z4e4uw==,type:comment]
-        user12: ENC[AES256_GCM,data:U+ynUYI+l6McI9oWF4PNiLUwvNowdseZ5gO8o73cX8MsXS2+,iv:r0KIBXczRkubZqyM/LUBPp/x9Zb/rvDJIKGGKkR3EfY=,tag:yn7806HD7ei57UtpuPjlkg==,type:str]
-        #ENC[AES256_GCM,data:3trgclrgDXhKUg==,iv:qyLmCBaB5ql950diUj7YlPi6P3a0hYH8adADEI0AGrU=,tag:Oleq79giA9/gYBO8Carznw==,type:comment]
-        user13: ENC[AES256_GCM,data:M6JXRrqnKrdihAA1aUg9zzJfhCK5TLLRf4wZkemnlHyaXnLL,iv:OA6i+BGYTr9gILE3jzFILLZvPRZeAvmSbXEStihN3aw=,tag:WcpTKRC8crDhzKHcxjtICQ==,type:str]
-        #ENC[AES256_GCM,data:VryB1AM=,iv:6FdWfpQ53bdpkXZ22gpy8GxKb1X7bak0K/Oa56mP7Uw=,tag:VBg7u7MSMl4Pr72W6ugYEg==,type:comment]
-        user14: ENC[AES256_GCM,data:g8y07VaxsuTs74L5xF/XDlmYetOfXFwHEr+FCHRtFLKwTAVq,iv:TjT49pTk97l3u1wGG7BmqZr/LAMC2765er3HGarOANw=,tag:zt1ojulNjWcuKIdix6NFJw==,type:str]
-        #ENC[AES256_GCM,data:Bawjfo3ubW1eXA==,iv:m2/ViC9AIZUV3Wl9EBYV5L0QQDw7QgXPpQ7WX22XpQ8=,tag:1wqpie9BuDi7BiDCvRIWog==,type:comment]
-        user15: ENC[AES256_GCM,data:2Ylnb7ZJgr3ha0rXrjkscPX9zJI2L9aydfL5Ndl2b9cJmVUC,iv:mu0GlGGXH4njmi4KzsvFSJN2zC5IcXVQ6oqVv2ClWpM=,tag:AIhnDqQehLyJY+wh7RWTYg==,type:str]
-        #ENC[AES256_GCM,data:uORLUE+excPAuw==,iv:K1Qch9qkg5T59+lcMC7vHWu1mnOv2dH5cOAZHX8HhgQ=,tag:chVMn/kb3Rr3f2igjbsAUA==,type:comment]
-        user16: ENC[AES256_GCM,data:D4lPjTb2kaYfUSCCRaMpGNtzLIfvPvfiJK+kkTQtSMOBglpN,iv:FCpHHBSKDYA+H6fgabNggXJlenzg5am5excBknpD1uU=,tag:FPQaBfLiZ5PBJa8gCpBfTA==,type:str]
-        #ENC[AES256_GCM,data:Cfs0Ul9BHWW/oQ==,iv:OOcRWmc7fy2RnE7+TtSBauKa1k1/unC1nFJ2SJ3yWqk=,tag:q6MjcXEYuep1eRw5BJspqw==,type:comment]
-        user17: ENC[AES256_GCM,data:2mzbUcGRye0cdgQxoTzSeKaM+m1dUPvKq61uBnGvZDFXrqQ7,iv:hxkruf0Xo1ZNJ/ym5YdLGJF5aK5nXZMJ46XC18Aksmc=,tag:KrUCTgDgYndxhi8QSYpGwA==,type:str]
-        #ENC[AES256_GCM,data:vHvpcqJaH2hPTg==,iv:S1WbgLU+15FMJr699YGY4f9r8wIg880tjJo6W6APhx0=,tag:F7fbA83eco8/Qd6u4vUMbA==,type:comment]
-        user18: ENC[AES256_GCM,data:LwZKy71ecB/E2EMIaUuFV0a7j+16EWo8LA9/0Gc8lpXAQpaT,iv:+cjrRDSvW7KFGDlpI6W+eDi3bux+eQl6NXNjnUoj7L0=,tag:PurtN+Vede0DNTQqbea1Ig==,type:str]
-        #ENC[AES256_GCM,data:rhbv9bL/0d7pGA==,iv:XvKiQWO72BfHhVRyti5ST9+f9tPUne2IcMNC08kD9r8=,tag:qhA6q4MrX3lAELrrGM8LCQ==,type:comment]
-        user19: ENC[AES256_GCM,data:jOyA913cS21eGwjUPY/XrQUBofoHwsCHghpmjzGx7cBzk/K0,iv:wXAnuSUhJ+gwGvMF7/YsfgeTHOvQC+S6rM5DzypvOuo=,tag:b/FsoypjkVYLSfyowNL2Nw==,type:str]
-        #ENC[AES256_GCM,data:Q48F7+SNdz7duKY=,iv:KIb6lIJWAVXKekBhwPztkySYDA7IP4jMjDsWy+waeFQ=,tag:s8hEz2zrh1ZXNKi/IuVV4Q==,type:comment]
-        user20: ENC[AES256_GCM,data:D6+eQdWO/W4P1ul9zQLpUQxqNA+kytz5ZHH6HmU/jwSuq3hU,iv:U4H7Ez0P3gWBLVeQ6O4PN4AmVP7Ij3oArhMmfT1BWic=,tag:l6TNsJFXXH/+yMcszkVRrQ==,type:str]
-        #ENC[AES256_GCM,data:F8qJksiC3Z8GbJc=,iv:yDBYQLUFFSXMn5Vo69rXzGBWzA+GkYw1qHS/ShisH7w=,tag:mnxj03thlYN5KhKDUO7hug==,type:comment]
-        user21: ENC[AES256_GCM,data:QeSxzBR6fLAyoUsA4aGKilYHcF42SNdkwjdwWZbxNvqZU6bf,iv:ocZGB4i8M7qM9Ypp3BUlGIdGL0AQx8NdO5yBZFLB6fk=,tag:WMFmljoJSnCU8BL/GfiZMg==,type:str]
-        #ENC[AES256_GCM,data:LxUne7UMT32f,iv:AyVaLB7Ni6HB5BE+InEG99TQsEzdQG7EXoHXC8PLGlQ=,tag:j5GoVfDsqoHypkxYFNPjyg==,type:comment]
-        user22: ENC[AES256_GCM,data:lzFvCb/zbTZs2jmYUfl3onGeWjBCdjxcIzAIff/fm6Qre+HZ,iv:eSiosE3eOrl7iLnOV41w+pwdtcske/4R1Bf1D1qxsOo=,tag:r69jFKp/FlxN3MEL5E6EXA==,type:str]
     private-key: ENC[AES256_GCM,data:xz7xFt/g++E79bIl6AeBWATHDB+gHBIoXo5vdWTeyrAT1RtllgYie9k3Fg==,iv:x7fdmSINQA+F7a08jpuvCAg7vIZpsYaoX+EnitJMUCk=,tag:GAb/RRdAOlteIQPxeIMAXQ==,type:str]
 peertube:
     secrets: ENC[AES256_GCM,data:OR3OA8qJsq1gAYiv1rShNa8eODzIxPOpVbqbnseSCMUNx4+FeOgReTLl7cXHPxbBkrJbsfEq5XYm1QtRtxotdw==,iv:6vz0ezsFuCNsBduNhm4VQ+it6oEJF/eMxktVFhdXgug=,tag:hmW7BwF9C53SAHhu2HBLYg==,type:str]
@@ -144,7 +104,7 @@ sops:
             d0h3aDh5QXFZYWJFdmNVYnJxQ3pBeVUKTl0XVvtwJcz+RpSylgDPl/R8msInxvWX
             eQGmrDHibeE1V+KSDiuNzC4MVRIrOnh1beHrhnVQ86HwPVgJqs2FoQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-05-26T10:55:01Z"
-    mac: ENC[AES256_GCM,data:ek8oYslh51198fhnYy8LgZQBo3QEnCumeSzLEIEFp/bQshfPVtiMt29n37y89GZjfvd/UL/J/i4sxHqF328+MoMtIYwcDzJoHp/ZNJYZoM19UjEsPL5YemRRXz++gw3tvDgqPzYvtr93pg6+WcPNToIhzsew7QzYj2xLiSaecvQ=,iv:wk8RcTUbZwUHRAgNRuZ3SWWv6O57hHBCkccYNZiMwPQ=,tag:8bwhsrkk8bVMwThZQPkNXg==,type:str]
+    lastmodified: "2025-06-09T01:35:04Z"
+    mac: ENC[AES256_GCM,data:q2BolEBB6Ik8yx6NHnnE3Wcl2rGVZN86dpfLJrrFOxWd8fZyfBQ/00v4dUZSZw0aQoMj1V2RBDyVtScuRiH0NVb6+RfX+0t3zTEf6guuJdurczLBz9+D51+Th3KE1uk+UjI7J+Q/TOWTvoGMj8P4XZCXQsCDIct/vbLGqNB9CgM=,iv:/6xR7KXXLejm9Iuqcxc/7IqLEckNhmaJTKzJGonSrng=,tag:XdeCoEkHefw2HqTGSchUJA==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2

devices/test-pc-vm/default.nix

@@ -16,7 +16,7 @@ inputs:
           rollingRootfs = {};
         };
         nixpkgs.march = "znver4";
-        networking = {};
+        network = {};
       };
       hardware.cpus = [ "amd" ];
       services.sshd = {};

devices/test-pc/default.nix

@@ -16,7 +16,7 @@ inputs:
           rollingRootfs = {};
         };
         nixpkgs.march = "znver4";
-        networking = {};
+        network = { dhcp = [ "nixvirt" ]; bridge.nixvirt.interfaces = [ "enp1s0" ]; };
       };
       hardware.cpus = [ "amd" ];
       services =
@@ -29,17 +29,19 @@ inputs:
           {
             chn =
             {
-              hardware = { memoryMB = 2048; cpus = 4; };
+              memory = { sizeMB = 2048; dedicated = true; };
+              cpu = { count = 4; set = builtins.genList builtins.toString 4; };
               network =
               {
-                address = 2;
-                portForward = { tcp = [{ host = 5693; guest = 22; }]; web = [ "example.chn.moe" ]; };
+                bridge = true;
+                vnc.port = 15901;
               };
             };
             chn2 =
             {
               owner = "chn";
-              hardware = { memoryMB = 2048; cpus = 4; };
+              memory.sizeMB = 2048;
+              cpu.count = 4;
               network = { address = 3; portForward.tcp = [{ host = 5694; guest = 22; }]; };
             };
           };

devices/test/default.nix

@@ -16,7 +16,7 @@ inputs:
           rollingRootfs = {};
         };
         nixpkgs.march = "haswell";
-        networking = {};
+        network = {};
       };
       hardware.cpus = [ "intel" ];
       services =

devices/vps4/default.nix

@@ -22,14 +22,13 @@ inputs:
         grub.installDevice = "/dev/disk/by-path/pci-0000:00:04.0";
         nixpkgs.march = "znver2";
         initrd.sshd = {};
-        networking = {};
+        network = {};
       };
       services =
       {
         sshd = {};
         fail2ban = {};
-        beesd."/".hashTableSizeMB = 64;
-        xray.server.serverName = "xserver.vps4.chn.moe";
+        xray.server = {};
       };
     };
   };

devices/vps4/secrets.yaml

@@ -4,27 +4,45 @@ xray-server:
         user0: ENC[AES256_GCM,data:o2wxpSzoqsPxs6grgYRLtPutMVwSqtzUWBrj7+7QuWWd1a1z,iv:2/5SxXq8Iw4J/LzBeclHbkrZXHitguip0WN+MINym8s=,tag:v/3oly53ORM9XAwbOzp06g==,type:str]
         #ENC[AES256_GCM,data:0nHZmEPPaw==,iv:BtOZ8/U0yg3fthHrwerNQX3+KD/H9+fcUylYGnZqiIM=,tag:DkFGSFfq//LmWfg6DGm1aA==,type:comment]
         user1: ENC[AES256_GCM,data:7ev7GuKLeJbPReMy0FnX02fLv5nNCpxdzfnQyAA+/IviwDMQ,iv:YbESsyIAiEAyvrHnj9A4lITX7NtRkuRhCrTv6hoG9Qs=,tag:8uledxLXqpXXLBh+cczm4g==,type:str]
-        #ENC[AES256_GCM,data:3KN/1hzeR2I=,iv:iaqJJD6iURTUlIL8e8P7fsAzJYo+y3NGZXgWmPX+4ao=,tag:e8g/JgVrMrWJamUMpiv2pQ==,type:comment]
-        user2: ENC[AES256_GCM,data:58PnLCwDayOYinsPCYPeMvuKiF7b4tZtbmEJFWEl+2Nu6HL2,iv:hSv3jCtkLm4rrm/4+ot10CBhobGwtnK5db5wR1S/XrU=,tag:SQbynYp8pDSqj4tAK6JBMQ==,type:str]
+        #ENC[AES256_GCM,data:4Y00hDJ+8Hjq3Q==,iv:XWZYNC1T5B55B43tcuzzvOOFtHqZJ9XDuEaYQOO5cR4=,tag:5oNFsqUtSiv8CY6aHyGjNQ==,type:comment]
+        user2: ENC[AES256_GCM,data:MRMdc7LRYqgRsfKKW6LnP14g3JoFT6g7jzkXW8gIAeqypyoc,iv:tfPBD2FkIljz3xasYNJsj3vh2lEObrvSZ95FyCgWcTs=,tag:B1PQpyX24DqrPscL/pjZmQ==,type:str]
+        #ENC[AES256_GCM,data:gGd3kkNcyIwOXg4=,iv:vILDvtdvopPM8lZDDpedvtXYHpoPvPn1A8AJca41r9A=,tag:2LMImcmdyPKsQDloq7041Q==,type:comment]
+        user3: ENC[AES256_GCM,data:+KUVcqy18t6Fd+QNgB5DeZkNSA6lsjebO+xnzxzIjWuZ9UmS,iv:qugbmBv9jk1yfH2s0A0jla0DR3jkdXLVUeWGcj6v68U=,tag:4FUf/guDzPqgDcb1086WTA==,type:str]
+        #ENC[AES256_GCM,data:jCgKe0t2xQ==,iv:UE48L/JpobN6LUd6Z9RlsUGSJ1sHHgiL6xj8lPztwJc=,tag:xnwWLQm+GIUzsfBO/TXhrg==,type:comment]
+        user4: ENC[AES256_GCM,data:3yrdvbcH/ToAQpTLppSVp2FNGjatyBInKP85bAY9OrEtzhhQ,iv:4zvb1nzKjrCNWWKelOnDhsNBAC7Ak6ZpJlvQKqGJrgc=,tag:dBOTBJDJhJsKHKg/vGmpxQ==,type:str]
+        #ENC[AES256_GCM,data:2ptsDQ==,iv:dEzyk6NQcFZQPx8h/ViCqtRaQ/8dfMTVKBq+iguk6nU=,tag:11SLIAhtcHja4G9HUXr9Ng==,type:comment]
+        user5: ENC[AES256_GCM,data:NO9rpzFkySistf9++oXpo1tBaa4XtPtcCGR+2IWmhQYEH/l1,iv:OG+U0avgo9mjmU3soxRNL71ZC7Ee4ijpsJMRn3jYvhw=,tag:QuBFX2KHgNJ+f3RwqEH4+Q==,type:str]
         #ENC[AES256_GCM,data:uTZDsA==,iv:6cxvQycfji/x+DW1CnO45r+yNTLwkhYkiJwDaSpUCwo=,tag:8pMw+sYeOyZBN1idHoM9+g==,type:comment]
-        user3: ENC[AES256_GCM,data:WCVr0ylGm2SHtOGulb8TD/cI2xJXrbvY1d6+STXGxf0d0izb,iv:vhNshb38AVpwKCFRwUVruCQ0SxhHrOmwQ+IoQZeUj1k=,tag:OfdIjRrTAuVZBOEXTtnrQQ==,type:str]
+        user7: ENC[AES256_GCM,data:Ie8M385wtRx8bWIdCupnda799kL0OLBsWdk9pHTY7IxxaZbn,iv:OrRYOkaC9uI9E1Eb8GYqmYr9VAUM895oO8NSdvxUPCQ=,tag:NZTUE4KnUjhg/auoALavTA==,type:str]
+        #ENC[AES256_GCM,data:Wwq+ypJgx6OcXA==,iv:dSvFz4I5tFx+ZVClxNGKwcbIQe7OY43OzAhqRiDK2TQ=,tag:CYUs1cJ/zqc+Y0yFec7Upw==,type:comment]
+        user8: ENC[AES256_GCM,data:2GyFDXIiAN3mTobwnY4czV2Egoin3B5Ih+aet3yT+krPTkPq,iv:NwrzO//HXwKMudgD+yK1hsj9o71RG6BfBle3logvuLE=,tag:WWpioPsnhHvVSrzAmN16Sg==,type:str]
+        #ENC[AES256_GCM,data:vVz6E2juGqXS1Q==,iv:9itEkwMsW8cqSzwV2EZtgJVgaW7aJJ5fw1rLuKFwiKM=,tag:9hRADkot8kELoYAgd6Dz7Q==,type:comment]
+        user9: ENC[AES256_GCM,data:HgSVrry+nKGW9X9N6h8hsI9VETKtSEi+/ZC9QvNZW4zETQxt,iv:ERgmCDPBpboA/+Sxeq6BvWoMxsv3Kkczqb/mbXz9pOk=,tag:bklzRg9toKy//6T8xdtbRw==,type:str]
+        #ENC[AES256_GCM,data:2sHxXec=,iv:aA61+cmDw4rHab7RuRRK3eUDx5d6gpmfw4RpQ6Nd0mc=,tag:H9kovJyn3Te3ir9X234VGA==,type:comment]
+        user10: ENC[AES256_GCM,data:CqrwaZp1fHd/WEGQH3xWI8DZ2/AavCqwTtwZeHmnrct5yoD3,iv:IBOHGQlw+uQt8Ryp/mCDcglfSPNXvvHOjNnrT+7nOHQ=,tag:tEkGEtPaOBK+P3LrQzOLsQ==,type:str]
+        #ENC[AES256_GCM,data:oB64XheVxA==,iv:Ci9apSqTHQ02IFhqVvlC3hO8yWRKELVtJE3H/CUgFyY=,tag:4uV2aYzzZAUW+OZf7QEVPg==,type:comment]
+        user11: ENC[AES256_GCM,data:pk9b5lFhuAfhKMcTUIdlx6eQHn+MJaPQEs6flmUhhHA2ygj/,iv:UGuPrxJPh+V7vSFjmgmBc9vhg7qye5SrNCFiiTcnDk0=,tag:D/B4PTafZe4r/W/dVWC2CA==,type:str]
+        #ENC[AES256_GCM,data:Rw4BWXZutQ==,iv:rXe2i1G/xQkpBl0wh6VIzaNoidCc3JL4sy6v5hcOF/M=,tag:2tZyH8B0ZL7XptKHk6TcAQ==,type:comment]
+        user12: ENC[AES256_GCM,data:CsbquwEn+iOKCzda8z26FYk2i5aPk2xzqGIYORiD4lotvnFE,iv:zHPmlT4LAc6NDjXrExze23dZZFIj0c1eR4WW74cu+qs=,tag:5MDFrZNgv54mK05ImSvpkw==,type:str]
+        #ENC[AES256_GCM,data:vqYkwGVcQ8yZbA==,iv:1ckVSiAgjuT/K0MuVHe8D2hHE7X2qxCHpb+y6nrFCsI=,tag:so9oFl6bXlJT2O+prplazw==,type:comment]
+        user13: ENC[AES256_GCM,data:KUraqncs8iPr7z+COfJ1z0TLNLlgctxy8FCav95+kkVXtStx,iv:Uv90bnVmmQh6f9pKOWmEKCul5VPxF7rrQ9GYrsCGPp8=,tag:I0r5o8xIYuq5/MIXSOHT3Q==,type:str]
+        #ENC[AES256_GCM,data:F2x+2zrePYDkCA==,iv:aTMeqvGVI43xLsN9submgciiJEjY4hYypJ9RJLIBYTE=,tag:quKW+MATVzRw1bda2jGjdg==,type:comment]
+        user16: ENC[AES256_GCM,data:BjnUUnNyqUvvPbfa1CeYvcVbMOwz6/Em4YhxRgmlicOSwro+,iv:LULwzjV5PRihTHNZFJ21IrDG3rW3qX4CYwF4Xu1KdZg=,tag:pZAI4OEx24d6h/h9JyQ/hA==,type:str]
+        #ENC[AES256_GCM,data:aka1O9hn/dZX3Q==,iv:rWik4cYtHY/Z3xQ0p/i49zTXVmKEQDV4OMn12UaQr3Q=,tag:hPm4bugH9RAtsykj0BJ0Pw==,type:comment]
+        user17: ENC[AES256_GCM,data:URZqRUDtG5FDrZDsmI7CFn4ilp97GJtgaVVB+j0dRUdtVGoq,iv:iUkcr6Oo29y5PIGF/GJRltn5DD19yEcBIsJAaYs43AI=,tag:gzSsjeQxvjvfFVkDHPkfvQ==,type:str]
+        #ENC[AES256_GCM,data:JkMniTrakuonAA==,iv:V5KmQL+C5O2mb3ktlm1ITjLaa1NxToQlyToqYbGme9U=,tag:UTZm05uyb5j0Pf9vuxyIxg==,type:comment]
+        user18: ENC[AES256_GCM,data:fFtnkBnaOktHaIfk7dN2U73UkloToiLvP3Pg2VAqPzvTE49h,iv:DZrba7RWmaeOQsqh3Kq/IuFS9so5u5ItK5WwV/65FYE=,tag:v+pOozYvrJJIsj7A/a3S/g==,type:str]
+        #ENC[AES256_GCM,data:gR0WsUYdBZBWjA==,iv:rnXZQaDNu+cEzneEa6/2pO+qUXl/fut8FJ3n90A6ATs=,tag:azNGPfWv+ZgOU/B5PMCVZg==,type:comment]
+        user19: ENC[AES256_GCM,data:S8VSoBIR/RqwctgYPtyIPEK2hXLr4LZ/jJvvFHA6CGgp9/Ff,iv:8eLCZEaiquwZyswwLkLoJcl7UPWTVYmQqZ2egAGFWWM=,tag:VgJiSt8eRcRhppMXkAkmKg==,type:str]
+        #ENC[AES256_GCM,data:vWW1bNyENgcspxI=,iv:xXCrjHyxVtodkVu/wgy1OrHGGm20nEd1iyparWcycYE=,tag:FRu132btquzXkiLXlnq1Iw==,type:comment]
+        user20: ENC[AES256_GCM,data:Wux6pzwor0B1A9d1y0QEpcNnYn1pObloHxghSONHcsQ266/7,iv:jWSuswV6vTQdL764I/zxFC5gkFOa5Qwj54rggmmZX7I=,tag:4hmqBTn0T3a6Sjt9lofwbg==,type:str]
+        #ENC[AES256_GCM,data:IJWHWxbhy+gxhxk=,iv:HzMi211JiVfHUhEJm+q/K0tCjUEXDhollUf8Bm+HVA0=,tag:P22Q/h+DUhhJayZftcvVfg==,type:comment]
+        user21: ENC[AES256_GCM,data:0X5x3SATZm25kVf8cu7TGm2t95DneLAqhP16fRQCtROzyZyg,iv:dmlwRmubnRq2fNdNz3lVlAVYpPjVHkFm60IvPcajjds=,tag:eDJYYf3eRw+FxfaHiRDk5Q==,type:str]
+        #ENC[AES256_GCM,data:O3ovvRYzFrQY,iv:/Zs8e6u7wdp18AacZ3WWBvn5PDtXDnQ6ZyqLiyYmvAY=,tag:HmhKBI3aRCIR34vOEnv1iA==,type:comment]
+        user22: ENC[AES256_GCM,data:ee0naewdOjIxA0QEpmUyOSu++sUJQneEufhJBHiyOR7jAPTU,iv:09fZ0dLUZHp9wM2lCiIcTzFey2AkWBmnUCfq8W3FM6Y=,tag:dHBVo/Ok3Q9vy1pIbWC1Kw==,type:str]
     private-key: ENC[AES256_GCM,data:akNIeVp2bfKvnzlS6KLAdqAo7qsGfPatzCZpN1tNRLhRVXmJCcUDVSmVoA==,iv:2Rny8ioDJ2x+NR+n7/Aluv7JZ+Om3MuJKsXiwONYntg=,tag:a3xubIr7hpVjRiHjFL/q5Q==,type:str]
-acme:
-    token: ENC[AES256_GCM,data:JBeN7SVxKGOe6er0eS7/v8YrXdv0nCK/KZc8Ygq0G7FIGu4hO662kg==,iv:rf59MgUCYlAA5h18wtdWoUyb2VPB13OPuJjz1VsI2dU=,tag:ViPrwduD8aWf8i8vmBG78A==,type:str]
-nginx:
-    detectAuth:
-        chn: ENC[AES256_GCM,data:lQHDpv8/Yl5/nycHoeTnCw==,iv:ernNxRpcTOSAllDpqRFVFg3qEw/slEEPPXDFq1AhNL0=,tag:2AVALUf9cDyOgCqI9wwgQQ==,type:str]
-        led: ENC[AES256_GCM,data:zyCiiH21,iv:iEYyNClDsCpWE2oNjt2NqQZ88xOOlMr0yycjKTPdmlw=,tag:kQfbshXfTBA5PtUAgpgCcA==,type:str]
-        chat: ENC[AES256_GCM,data:pXu0WPWmvUzvl2expDpQPqWwi1A4abg72npsaYXDXRcg6aVU0Ec+tgM2+uz2hT9rh3mNoBxadYXDc/zeOL1UCg==,iv:iln5UGGBK2s5pGS03PtolWTkx6KrnYBAWCFnI0V2Bag=,tag:EahTDoPIBkgWnp4MOoTCmw==,type:str]
-    maxmind-license: ENC[AES256_GCM,data:8OioibcXQ9IZ0OQhJ/zHSBQjfdHzkoqwUx5zR8Zq0atNw6SSf7vKrg==,iv:z6WTI2yeqP0h7EqKG114nRQpFVJlNzZspgS6gIFtpt4=,tag:a0dBt9pXJnncBiSKt9dsAQ==,type:str]
-telegram:
-    token: ENC[AES256_GCM,data:Si6yTh48HpA8OkkkvgHwtJYFhF8tW3oaQbldjwBc09QJxp9AoKgASMnZtbDZYA==,iv:GrNyZXjaZMviSjy/LGHHrYTr5PFvDkCXmT3MU4+SLpc=,tag:YifB1tKFLqsgXB/YLqYK4w==,type:str]
-    chat: ENC[AES256_GCM,data:ydPky0W4ZWqn,iv:uWQrZDz2GCxiKRaijM89Npt0fQeSNHbQzDefkZCkUAE=,tag:OJQwV/889Vp2/4wjbN41JA==,type:str]
+wireguard: ENC[AES256_GCM,data:3h+cpSHULgwlI/zOI0IL4t4diDzm7qWW1sOWZqkFRWCB0CAfGyydGNlZkqA=,iv:pVpmw0aEDssQSr724h9NvJqFMHu0NupDfCSt1RWVnUk=,tag:fonuszujTzeo2HqO1OokEw==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
     age:
         - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
           enc: |
@@ -44,8 +62,7 @@ sops:
             Ri9hM3NRTkM4Q1lDdmdPemEweEFBUmcKNLL5qH+JeFWX0GovkPFVVAnz+4tmfG6/
             1jN8YqbMIxf5/L8tauXPf0iIiHa6pUcjtDZPr/OEmeXebmF6Bh9u9Q==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-25T03:19:55Z"
-    mac: ENC[AES256_GCM,data:v6yb7ZYcnPw/8SqEJnSWzmlE17PenjnBH2X8HZp+kIDXzNFyNvD19FcbCBZjwyjBLvN1ZF4M9FS7Y4+CvvMrN/4JcFufcY/V1NrOd8IZisfAT5N3WuopPee4IN9WEyPVOsbFnesZo6/wJKuqlV1UR8UZxCd3/wHXob9Lkz45cBw=,iv:XKIUiRfP0lj8V/Z1HbvhBankdcAjQqM8Way6TWjJJMY=,tag:PLYsVj6BmR132oWsxEKnfg==,type:str]
-    pgp: []
+    lastmodified: "2025-06-09T01:35:34Z"
+    mac: ENC[AES256_GCM,data:40uhvaJNu1ELo6xHYECEOTE0lVcrcMmZKJpLmE28D2pyXnl6UQza0j9O7944+Ii+VroSvm7juB86gR8/x6URabQF0l2HTiYtBvyPicxdobB209i5JSULiCUe1zlfz8WyQ4VnPAJ9SJny59ucMYxMh8RM4UPtXWLs5whcqt5ooSk=,iv:5odm078cRXnwTA233NV7edcYTfMmTLFLrGRhE/oi8SU=,tag:2t06LMMrRkmbAQbCad6URA==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.9.0
+    version: 3.10.2

devices/vps6/default.nix

@@ -22,13 +22,12 @@ inputs:
         grub.installDevice = "/dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:0";
         nixpkgs.march = "znver2";
         initrd.sshd = {};
-        networking = {};
-        # do not use cachyos kernel, beesd + cachyos kernel + heavy io = system freeze, not sure why
+        network = {};
       };
       services =
       {
         sshd = {};
-        xray.server.serverName = "vps6.xserver.chn.moe";
+        xray.server = {};
         frpServer = { enable = true; serverName = "frp.chn.moe"; };
         nginx =
         {
@@ -63,10 +62,26 @@ inputs:
         beesd."/" = {};
       };
     };
-    specialisation.generic.configuration =
+    networking.nftables.tables.forward =
     {
-      nixos.system.nixpkgs.march = inputs.lib.mkForce null;
-      system.nixos.tags = [ "generic" ];
+      family = "inet";
+      content = let srv2 = inputs.topInputs.self.config.dns."chn.moe".getAddress "wg0.srv2-node0"; in
+      ''
+        chain prerouting {
+          type nat hook prerouting priority dstnat; policy accept;
+          tcp dport 7011 fib daddr type local counter meta mark set meta mark | 4 dnat ip to ${srv2}:22
+        }
+        chain output {
+          type nat hook output priority dstnat; policy accept;
+          # 需要忽略透明代理发出的流量（gid 不是 nginx）
+          meta skgid != ${builtins.toString inputs.config.users.groups.nginx.gid} tcp dport 7011 fib daddr type local \
+            counter meta mark set meta mark | 4 dnat ip to ${srv2}:22
+        }
+        chain postrouting {
+          type nat hook postrouting priority srcnat; policy accept;
+          oifname wg0 meta mark & 4 == 4 counter masquerade
+        }
+      '';
     };
   };
 }

devices/vps6/secrets.yaml

@@ -7,44 +7,41 @@ xray-server:
         #ENC[AES256_GCM,data:OVgDU+zqcQ==,iv:8KuEqBuL5Ca6pUOFFA+vySJx/h3BhGAAC0CgnxiW46o=,tag:TY1MajSSy2RjKVI2SSAAFw==,type:comment]
         user1: ENC[AES256_GCM,data:S3IHO9FcVHTJOsRxjSohM9MgnrEwLdDpFU+efLkQaXT2jNJG,iv:KOesvPzjDfm1EDLFiegbk0wgjp7di5mUwUuuY2hwvOQ=,tag:ZsYyUyyEhO5S3weCw/gPMw==,type:str]
         #ENC[AES256_GCM,data:OQOPobpbbhajgA==,iv:4jG3bHKzWcR+JnvSlJsc0Qlv5kywqVN5UE96J31CP7Q=,tag:P+jJkRxPu99tLXyO5k6dRA==,type:comment]
-        #ENC[AES256_GCM,data:s6BwbmIwmC1J+vA27pPGh0Q+Rmowkd8ES3hYOny3vX+tjWtW+qiWBz2A9M4=,iv:XXPPaVyP7fEUhNJay2mjjC2f3Vg3wYtBUDoSYQt1Iew=,tag:B2WAfg2Oqwp0t0gE7Jdq6w==,type:comment]
+        user2: ENC[AES256_GCM,data:+MKTpaA8hO8q0kyY0V1csedLOtIf760Vr0+WllGe9lgMJ5da,iv:5txOM3sFOhKVX4EVozb8XHWLU0fUNxCF9YAwTYaTL6c=,tag:jkgOVgiEc5phY1XNETsdpA==,type:str]
         #ENC[AES256_GCM,data:m0iCqLI8ELaPb9g=,iv:bsh7JHILbOZJ+bgGr0U0rDanjUVGgDzYGhboezspEjE=,tag:o7A4SXoCXk5LXmZ1bidg/w==,type:comment]
         user3: ENC[AES256_GCM,data:r+6jXaIj4HJoYLnJcnjJB+WEZlGaoSy/ktc1Aw77hFtNrrGp,iv:P+YUKns1yaOZokH5WkDB0jssGyHg3ncc54tF1PyA7Oc=,tag:/pxMEr7l4ye5EDAOsllxJA==,type:str]
         #ENC[AES256_GCM,data:4gqZh391hg==,iv:No22DrD6EBs2FA4/qH8msWEjs20fc+ZpEeZep+HIv+c=,tag:aHrYNbI83POI4PRj1nd+Yw==,type:comment]
-        #ENC[AES256_GCM,data:RVChRrOl3R8DiKPS7yduAu5RG7d4VkOZ5akRTp18mK7Hz/xQ7FpxlNqGJcQ=,iv:j7naYq9tD+G5dDB8+hyUVosA3p2O4wlkcxIBlO7hRdo=,tag:TvlSmZwTDGLCX7qOR5Clhg==,type:comment]
+        user4: ENC[AES256_GCM,data:/kBaGAqbewLav+WCJPHm1py3pvb7bA/YO2DeBP2FTCZv44wA,iv:iwxV6KHu00oITH/58kBFmf43lkgTU3BHJ/kb9FPnRSE=,tag:ns+6Dvhf/D15bZc0fd6zLA==,type:str]
         #ENC[AES256_GCM,data:AzzKMw==,iv:Z73ISOLhPWP40wTy8PucY3KaB9nS7WQECK3tZFYC1ao=,tag:KJuiCODhHyDl5bXInUSI5g==,type:comment]
         user5: ENC[AES256_GCM,data:iDuLRb4dhLUOjpamioMwoTYrn7Cy+Ln4SaedVXkwVD05rjJ0,iv:AqzBBvLpJuIJCUJq0IyDcHrlqb0e84nQC0c94Rj85uw=,tag:0xou1i/iwAxGngO74OIMXg==,type:str]
-        #ENC[AES256_GCM,data:nTsDaAIVIP28YBCw0XONqWoYziAYhszJhLBlJfbFM6w2NB0nQcYWAanhkkA=,iv:rezGcsfxcAUjTtBFd099TDrV+K59cb0gbJCCVqH+nCA=,tag:5g2Zl82MNuHTf12Tb0GWcg==,type:comment]
         #ENC[AES256_GCM,data:8FxApg==,iv:vPa5p3QVHAvw+ECusWGqx1ugTcHh42CVFDQcMhG59wM=,tag:lHiZtydcYFBQiXnWh8pCrw==,type:comment]
         user7: ENC[AES256_GCM,data:H/jje9ONEY6XuBXTZmTVGIcWUgGSMf5OB1NNRPtqGCgRP1ei,iv:xew+0BkRqz3nfOoBXTPbBv5hRczy/3tgYSKq432q4iw=,tag:da2ljcffiCVJCsMZaNPZyQ==,type:str]
         #ENC[AES256_GCM,data:QdaYYH3RGJ4qIg==,iv:79NBTEKCPtgVVv3G7wg+vdoLOWxc+bdqT1lF4HJpTC8=,tag:8mRFGjy7lBrdyGyX9vaSOQ==,type:comment]
-        #ENC[AES256_GCM,data:hG7EUK7V9QObh7rHKtgTESwNLOf16WXoQrCAAEiK8Nzsr7atwh9DqNIJAww=,iv:3zAY7CImCzvNmsVK/OG3VgYSUL1wdt+keYtuskGO7Gg=,tag:7JeGHrlVkAUOX7bhd8UJaA==,type:comment]
+        user8: ENC[AES256_GCM,data:AnZb12dioiCamubOb6fsGWoM55zfPMeRbu+j8bRRcMfSQFJf,iv:rB+4B11JFC0oS2ExUW18f5WvhnE4EuHh3IiEyxWeY3A=,tag:jt+3yxDvhusvB8ppbdAwzw==,type:str]
         #ENC[AES256_GCM,data:aYWIiLxs1UvupQ==,iv:AisokHuAzD5B6fEF6ak8WfAe151CM3a8MsaWC4uJPnw=,tag:cdk5S4n9ulyWrqsD+jcqYg==,type:comment]
-        #ENC[AES256_GCM,data:C6ri4a3iCXf7I3PWSoPk1y4143TTFugot1MMxdawWxGyfg/P7SYUBMs+T0U=,iv:v2lCOw+p0hJhXNsUpTSCvqNSBtPaPJGMrk6ukJYtB+w=,tag:WXq9rUYDQKN/cZzZ7CFQvA==,type:comment]
+        user9: ENC[AES256_GCM,data:+SA+VcZcy5ckuS/46Dn093VvuqxrIACuqMAMx6Ko5yw0DVdW,iv:TeLXb1WI7uhcPDkXYSlKIxdE6Kz+nCnlB+ZYpWcaF4I=,tag:YB0sPD9yHMARhiMJs7JKcA==,type:str]
         #ENC[AES256_GCM,data:eCl1bK4=,iv:oYA2CFW6OGGrRYx6OHRYJpbEyFh575UjztvHaXA8UG8=,tag:Pw7xsisQB2Dd0KJeWFq6bQ==,type:comment]
-        #ENC[AES256_GCM,data:Gs2pJl4YMPRBDZCmd/1ycXJcArdIb8cUAQ+09OuRm7z/x1ATc9xVr7dE+C4b,iv:JYf4sTzJh7PoQe5yFAC60mJ5zKUIof7QKm5jMfiF5xE=,tag:/CJPT/OmblQvzqkQ1VCP/Q==,type:comment]
+        user10: ENC[AES256_GCM,data:Pec0CVGia/ZIaq7WerZlr0/waJ/Ev1OKwt7V3PBxBSFMLi7p,iv:wYTdhv4Xoe58KBIwV1vk/V4IcdVzQrBgmzGaRD7qHQs=,tag:IZVt5LmjTUge8XntujJlTA==,type:str]
         #ENC[AES256_GCM,data:+s3MMeNU5Q==,iv:CUrg+nNxCpJFbHQmMNXmSE+JcZK6Dfu8cGwtznx3CFY=,tag:G5CYMtao+hz3hs0fPVPmcw==,type:comment]
-        #ENC[AES256_GCM,data:JOabknMamJFImHErEcsrAMuYBXzJkw/Gm0+6rWrer2ePsoOakN/A3ByCPzwQ,iv:wnUFMeGfkUMkkpJBrFswy1SwJzVBDehEoilnzb43MgY=,tag:sXCKkiwtDp9v7ptpuAfOhQ==,type:comment]
+        user11: ENC[AES256_GCM,data:IFIVzbnZCyn0j7AG0ClBT4byyZyVtRk1JqlWsojqPIVenek2,iv:ONdq1qIXG2kbAjuM/tHSPxce7oD/MHcBw1pBYm9DlEk=,tag:OuzeX0K+fSO7jWadb1uSRQ==,type:str]
         #ENC[AES256_GCM,data:spyQkQIHwg==,iv:7+0DUK95MPH7lpr+GMbbLu4/5yA11/4gTuLhQKlStfE=,tag:G/gIXML8UhYoCi9FfoTvSA==,type:comment]
-        #ENC[AES256_GCM,data:LRRsL6u+FH3jHa8UAhEXrb3UTQss9piBle2aH2xuuFw0cupmRd5PlSOBIbvQ,iv:0cccpn4bWkrla6COI5g6pDDW1JoVK4UULYteXoJp38s=,tag:+EFlWxGIw7k85Q2RIL/YHg==,type:comment]
+        user12: ENC[AES256_GCM,data:iTZViWyKkCU1y6mvB0NzkXf3I98U/+nCs21ZD6M285YKaU6q,iv:vFgA3sv/7ENcw3gyJLiiHLwroXtVJjAxZXViqjXF3mQ=,tag:u3b9Uu6TIPPYX0TW5X5Sjg==,type:str]
         #ENC[AES256_GCM,data:HueqiREBet2bxQ==,iv:WCjTAGg2gXgBSvY3zc/YyB/1X0XjvphPduVXLsjOwH8=,tag:wC+On6lyyYQ1Dt/BHDvONw==,type:comment]
-        #ENC[AES256_GCM,data:JFKeeVBSBO8pWttZy/fTX1YaVV69Et1GmHVDLZ1E5vUY3BvajjjS04t7V5TG,iv:rZJQTe5+YgJ6X6uPoQcpTw4AF+gQCVSMe7maFetLEPg=,tag:H4ravqgOgQYgVXMayv7tXw==,type:comment]
-        #ENC[AES256_GCM,data:R8lN5T0=,iv:FXLf8Vtjg+PkwNhxXWDViMKqwn7tFMaPhio9zhnudZw=,tag:34gxRH+P9lmkUxlOPKcYMg==,type:comment]
-        #ENC[AES256_GCM,data:dpOaSMuXhIiwb+yD3TgOIKkeWBusQvqHbj4PuvH/anF5/P8JagplDpBSIimJ,iv:PkVIthbA21sFC4J4VmwZ/1HZqA6qbjVPnJoRszmeVbs=,tag:PcXPRYLzuC9F0YfNT4mi3A==,type:comment]
+        user13: ENC[AES256_GCM,data:ID/A7yCWQIWRoU7Emhel2ASZfTweqXYmpC5q6Fm6ptD0XfCu,iv:YrFjIilO4pH+QxVVDTqwkufj2VSC38y9lAJfD8w522I=,tag:1v/T7vWeh0LMi0OL0FVs9g==,type:str]
         #ENC[AES256_GCM,data:4jJkbMD9Psxrag==,iv:arRtRaNrqnYcT7vE3wqgl/y8/65ORaxqTdGw55AKDP8=,tag:pRpta6mXfy0XCyzMA4+cEQ==,type:comment]
-        #ENC[AES256_GCM,data:DeWybZ68gAH4cukohO+OQqeNrnRlUdclGHFeH8aBcn0aq1iWh1UCgtiT5xXd,iv:HYq+CiPWCswr+7+uwUblN8N6T38WU/qu9F5VzaLp4Gg=,tag:YKunlBxH4H71FRSuPxR8Uw==,type:comment]
+        user16: ENC[AES256_GCM,data:esInSvj+a90TAl+b/n9m2iJsH7e6tlQRwSsoLBCy8KA9a0Z3,iv:U4c0pZzqS1s5H6XW3YRSCvDhtxnwCnyKR/tObefX2Rw=,tag:YtY/t4xsmZaj4lC39XQ5SA==,type:str]
         #ENC[AES256_GCM,data:/Kec+CdtnT11EA==,iv:DnmbWfgriaE6XAnMqq2UXhHhN+Rd/3YRodKVUCJo6p4=,tag:NimqZpbslKxwzoljaZqEdw==,type:comment]
-        #ENC[AES256_GCM,data:tkJTZZjJfQdU0EDQw9mmc1GRlSpqdwOdsE/QCw4BedDbixjElKqUC5MPRR/b,iv:/3obljBcGiXJfzlTQivkVcaWWcsiqokuU/DmUTchpwg=,tag:E80OLtqoM5XuGk2/xYBYKw==,type:comment]
+        user17: ENC[AES256_GCM,data:6h343SreoMqz5ZHkdyDI/je4v10r5zBV7cWc6Pj4x5sI2cvE,iv:7WSikMxAZJUnv3+GPq40d8r9JkKRRH/SPW5F5fy5HHY=,tag:6h5Z7+WXT/dLNeEIrC0UGw==,type:str]
         #ENC[AES256_GCM,data:h7E4P6BiGjktYg==,iv:DhkK3NNppBqo3sXt9U7kbgfaBPYcSEX2hu6VOAesDiE=,tag:XoVbZklwCmU1EBhv0ujcSw==,type:comment]
-        #ENC[AES256_GCM,data:LXBBph+nPScs6CSHPKwMSvcgFtWrmcOHEhhDZUNClb/7ixJFno82QnRwrnTp,iv:00I8csKFj65qeK8RPbbQ18oQZBrYKeFV3eGwfFXyGDc=,tag:uWUPNfu5Tmqr2LDkijc5cA==,type:comment]
+        user18: ENC[AES256_GCM,data:HJj0e6EHXEYmDXlZcS8UlfEQo/4y47w3sYKgb2Ojq6E4vMdE,iv:xThlGl/DDLLgoY5VkBSCx9HIvxy2ZlO5Q987vIMu0lA=,tag:gB07jP6Do4/6RmVaLB3Ecg==,type:str]
         #ENC[AES256_GCM,data:qGsMmWrUIzVdHw==,iv:DXayEA5zquwOzm+TqECYNHM98r0WSzcP3gA8zkzdPy4=,tag:OKTx12RqP9VxJQOnrBLkmw==,type:comment]
-        #ENC[AES256_GCM,data:ttTvPgRtQ4tYmYBSNaO+Bbs/Kz85vuNX+2Od4cOG6yD9yqrSdfLRwVvedVol,iv:ZWZX5rytwefvte/NgNlmmp9FN9vuZ62KVhVgVwX+g7s=,tag:uXx87i/ly6GkLgXA4+QULw==,type:comment]
+        user19: ENC[AES256_GCM,data:unW8dOhNbPNLWd7X2prpD82tcqUua7msq8nX3ykFs8STsuto,iv:OLaZ9XQDFGaA1VENgsSn/3HQXp957Zf9MD9GPZ4KLE8=,tag:UK27LK+De3AzbI2mEIsQpw==,type:str]
         #ENC[AES256_GCM,data:1g2gohLbiixMes8=,iv:E3HA6cAdv3BdLMcrrcWW4Zsc2KLtW7L8Xrk9Z57l49o=,tag:rZ7W9ckf7lzJ23u5zwQiwg==,type:comment]
         user20: ENC[AES256_GCM,data:3UbVnn9oMRc0zZR46tWxwM9VFOvMOYm690csUomEVBcS3xPm,iv:KHuPXttLAFr7WT/qa/UYLY8GRsPWYZPyKNmdUh4iFQQ=,tag:jN8rQ0Gv+qnhwOWGH+CwlA==,type:str]
         #ENC[AES256_GCM,data:GzxXsTbEvdHV7A0=,iv:uxUG4hnYEsmJtnqbEwamwhtLt3UClt7ktmkGyAFdxsc=,tag:sF8YQ2cejAezI3Bbp9qKIw==,type:comment]
         user21: ENC[AES256_GCM,data:hgDJ11crZaWcKrc+ZDQklXwpnvt/sMbARkx3sLZfQGZqQZeA,iv:2Re+hdJuT5yg/qTymfpN+KdU3criOmwuqqg+SHb8iAo=,tag:s16N6u5cRDaoWxnrCkamuw==,type:str]
         #ENC[AES256_GCM,data:U0CcBBJraJj9,iv:9kuHsHkSDdDT0Gi/3Oy608RArrg+4cgeii5zWbsGuPA=,tag:EvqqMNvNcWBwie28t0+52w==,type:comment]
-        #ENC[AES256_GCM,data:FnindYeqk6g6aZgajHVejfHPqeF+uSX3QzbrDS6XLZz52aQF5ZQSiJQCaDha,iv:c/mrS0jfy5EzQe4Tkm0QqBH9/okJnCsRZFGhzSjeit0=,tag:e5otDw+I2d7moybCx4jeqw==,type:comment]
+        user22: ENC[AES256_GCM,data:LClSrxtBzuJUD4J4QaYXHUr8XSi+N7Zh193j/YeBZRm9sjgf,iv:djiq3+iVnuKK2HveoCm/j8FezzrHRGnjbyoO6iGm6eA=,tag:N5hqYyvJGxnwT8wbxdnjiA==,type:str]
     private-key: ENC[AES256_GCM,data:ts/LRGFAsYqvGvkvlxUI42IW1a8cGsSkpZhMDd3QVceRKvhPb1SRDaXoSw==,iv:6xX9xFIFUNlLBZ6CPBOz9JbHpvC4+QG9ZaCZcWdl12c=,tag:DYIa+QTV8vyl1l7OKKykTw==,type:str]
 send:
     redis-password: ENC[AES256_GCM,data:6zVKw9AmKwSWvHUZhzy0F2KcJW96uFoZY/N1Zq8ilUJOLZeX,iv:viwLIgJz9v8oadr8784OgETbEsxzGsJvVoxmOwWEFxo=,tag:XEYFnoCGwlnrkqaUbgeH+Q==,type:str]
@@ -71,7 +68,7 @@ sops:
             ZXFTU3ZCaW1pTVh0RUJzdDdGdHlPYTgK2mlgcX2kEc8+2UDdBnhUm6IIuh8V6agW
             ooxH9OEPXUVI/4JcDo4v8ZUhAyU1ehLH0Ef7PJCChOZe2KZmWSNbhA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-05-18T07:37:52Z"
-    mac: ENC[AES256_GCM,data:nfUU2BsDuErJGm8sVB9shRv4N+cIFZmAF1vWF4iZmcJwjP2PekVWcp4COPAlapy5oVhMutr39oW6VsltTR27jVxhI4+dueurMU7KRLD5Bwpk5hQmMAfZxvl4GaP50zehJbCwfApiX9CcjwCUxUjraTs4rG6LK2+8d5Z0PYosm2A=,iv:TR63cpbe3z0K4bWpbEnv/DE9jnAJV1Zv+Aj0HXoA16Y=,tag:fS78JUapMvBtZCFtM1z07A==,type:str]
+    lastmodified: "2025-06-09T01:33:33Z"
+    mac: ENC[AES256_GCM,data:sRZaOvmwZqoxNFKrWtY19t4As7CEu1kXNR1XWO1uo28KEWQJ2n9HLRsdinjG70j/bFyTkXXiBz6Vlhx2RkdhHURKxe/UKuv/5szuGV/aE0NUGu+jYIaSbbIZpv1FkuUYuRFbuaSJnejEyQYW9ahaJYAJgXutqMY/e4xgUJ7Ooeo=,iv:PvAvKe/23u+aPP2moiNrkEqi0CgP9VCwfzcKC8S8Z1w=,tag:YburNo3mniyi4jyUjMF8DQ==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2

doc/todo.md

@@ -1,7 +1,14 @@
-* 完善 slurm 文档，调整 slurm 设置：内存，nice
-* 调整 sbatch-tui 选项
-* 打包 cachyos
+* 测试 huggin rsshub
 * 打包 intel 编译器
 * 切换到 niri，清理 plasma
 * 调整其它用户的 zsh 配置
 * 调整 motd
+* 找到 wg1 不能稳定工作的原因；确定 persistentKeepalive 发包的协议、是否会被正确 NAT。
+* 备份系统
+* 备份数据
+* 清理 mariadb，移动到 persistent
+* 清理多余文件
+* 移动日志到 persistent
+* 更新 srv1
+* 告知将代理改到 xserver2
+* 准备单独一个的 archive

flake.lock

@@ -3,12 +3,12 @@
     "blog": {
       "flake": false,
       "locked": {
-        "lastModified": 1748496213,
+        "lastModified": 1748787595,
         "lfs": true,
-        "narHash": "sha256-yoJ8G3ZmYu/qdDBckj/qz5ErOtpBlqHBqxMaL3ZTKuI=",
+        "narHash": "sha256-FFkwHb9DEdBjBaaH6JuhlmpP7ReSEWTy79P3i/eH708=",
         "ref": "refs/heads/public",
-        "rev": "005a0715053936815c5e4be26236915d915d81c2",
-        "revCount": 29,
+        "rev": "d9020a59f07f7ced60c854f324df8879b249e8b6",
+        "revCount": 32,
         "type": "git",
         "url": "https://git.chn.moe/chn/blog-public.git"
       },
@@ -38,18 +38,23 @@
         "type": "github"
       }
     },
-    "cachyos-lts": {
+    "buildproxy": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
       "locked": {
-        "lastModified": 1743535541,
-        "narHash": "sha256-OlBtXY26w9OcAmpqrTvxaG4/rfDdavauQF2eRxb+ySs=",
-        "owner": "drakon64",
-        "repo": "nixos-cachyos-kernel",
-        "rev": "8516d89c4e0c4a25cea1be8431db3963359ee81b",
+        "lastModified": 1709212359,
+        "narHash": "sha256-La70ax79Hrp/Vz2G3gzI4fLgRd2z3lJrYLvCf+xcTj4=",
+        "owner": "polygon",
+        "repo": "nix-buildproxy",
+        "rev": "c26d73992ddae96812501b5ae1cc45037d8b10be",
         "type": "github"
       },
       "original": {
-        "owner": "drakon64",
-        "repo": "nixos-cachyos-kernel",
+        "owner": "polygon",
+        "repo": "nix-buildproxy",
         "type": "github"
       }
     },
@@ -498,12 +503,12 @@
     "nixos-wallpaper": {
       "flake": false,
       "locked": {
-        "lastModified": 1744994349,
+        "lastModified": 1749300029,
         "lfs": true,
-        "narHash": "sha256-DMVWLep/yoR05kfYqjQxazjZXEUw/CRLoELajXQq3eM=",
+        "narHash": "sha256-m5rQGDo9sogrNFtHNdf4CiUe4odqOVStj03ikUQX7NE=",
         "ref": "refs/heads/main",
-        "rev": "5e4d102f5da8c27589083fb90e3f6edd8383ced8",
-        "revCount": 6,
+        "rev": "8da808801224ac49758e4df095922be0c84650c8",
+        "revCount": 8,
         "type": "git",
         "url": "https://git.chn.moe/chn/nixos-wallpaper.git"
       },
@@ -515,11 +520,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1748494270,
-        "narHash": "sha256-SRyjwD3RfMXpY0/69WErFQ/P8UG1aD5qQQNvEd/NGLs=",
+        "lastModified": 1749016257,
+        "narHash": "sha256-Vi+QhXm6Kau233v7ijtdD5aNpE4RpnUjRUhXGwi7pxk=",
         "owner": "CHN-beta",
         "repo": "nixpkgs",
-        "rev": "3eb4afeaf2384476d35dbb5dc51675c5ec1d2b62",
+        "rev": "5835771b10e3197408d3ac7d32558c8e2ae0ab8d",
         "type": "github"
       },
       "original": {
@@ -713,16 +718,17 @@
     "openxlsx": {
       "flake": false,
       "locked": {
-        "lastModified": 1745313465,
-        "narHash": "sha256-HOYgrF3eU8yZIML6Soz7MHXlHpM4TB71zM/IGzwLHRY=",
+        "lastModified": 1716560554,
+        "narHash": "sha256-Aqn1830lG4g7BbwEeePhvGawLarmrIMnF2MXROTUBCw=",
         "owner": "troldal",
         "repo": "OpenXLSX",
-        "rev": "86af3b043f6b13b09e591a920a49ea1f9724d4a1",
+        "rev": "f85f7f1bd632094b5d78d4d1f575955fc3801886",
         "type": "github"
       },
       "original": {
         "owner": "troldal",
         "repo": "OpenXLSX",
+        "rev": "f85f7f1bd632094b5d78d4d1f575955fc3801886",
         "type": "github"
       }
     },
@@ -824,7 +830,7 @@
       "inputs": {
         "blog": "blog",
         "bscpkgs": "bscpkgs",
-        "cachyos-lts": "cachyos-lts",
+        "buildproxy": "buildproxy",
         "catppuccin": "catppuccin",
         "concurrencpp": "concurrencpp",
         "cppcoro": "cppcoro",
@@ -860,6 +866,7 @@
         "rycee": "rycee",
         "sops-nix": "sops-nix",
         "sqlite-orm": "sqlite-orm",
+        "sticker": "sticker",
         "stickerpicker": "stickerpicker",
         "tgbot-cpp": "tgbot-cpp",
         "ufo": "ufo",
@@ -936,6 +943,24 @@
         "type": "github"
       }
     },
+    "sticker": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1748842256,
+        "lfs": true,
+        "narHash": "sha256-os0NWrft+N/HFy/+WRWup4fOHZLSLHANejih7qdXPxA=",
+        "ref": "refs/heads/main",
+        "rev": "2826c739c5602c5998afdcb3d041d521a214429a",
+        "revCount": 1,
+        "type": "git",
+        "url": "https://git.chn.moe/chn/sticker.git"
+      },
+      "original": {
+        "lfs": true,
+        "type": "git",
+        "url": "https://git.chn.moe/chn/sticker.git"
+      }
+    },
     "stickerpicker": {
       "flake": false,
       "locked": {

flake.nix

@@ -26,8 +26,8 @@
     };
     catppuccin = { url = "github:catppuccin/nix"; inputs.nixpkgs.follows = "nixpkgs"; };
     bscpkgs = { url = "github:CHN-beta/bscpkgs"; inputs.nixpkgs.follows = "nixpkgs"; };
-    cachyos-lts.url = "github:drakon64/nixos-cachyos-kernel";
     nixvirt = { url = "github:CHN-beta/NixVirt"; inputs.nixpkgs.follows = "nixpkgs"; };
+    buildproxy = { url = "github:polygon/nix-buildproxy"; inputs.nixpkgs.follows = "nixpkgs"; };
 
     misskey = { url = "git+https://github.com/CHN-beta/misskey?submodules=1"; flake = false; };
     rsshub = { url = "github:DIYgod/RSSHub"; flake = false; };
@@ -42,7 +42,7 @@
     rycee = { url = "gitlab:rycee/nur-expressions"; flake = false; };
     lepton = { url = "github:black7375/Firefox-UI-Fix"; flake = false; };
     mumax = { url = "github:CHN-beta/mumax"; flake = false; };
-    openxlsx = { url = "github:troldal/OpenXLSX"; flake = false; };
+    openxlsx = { url = "github:troldal/OpenXLSX?rev=f85f7f1bd632094b5d78d4d1f575955fc3801886"; flake = false; };
     sqlite-orm = { url = "github:fnc12/sqlite_orm"; flake = false; };
     nc4nix = { url = "github:helsinki-systems/nc4nix"; flake = false; };
     hextra = { url = "github:imfing/hextra"; flake = false; };
@@ -57,6 +57,7 @@
     fancy-motd = { url = "github:CHN-beta/fancy-motd"; flake = false; };
     mac-style = { url = "github:SergioRibera/s4rchiso-plymouth-theme?lfs=1"; flake = false; };
     phono3py = { url = "github:phonopy/phono3py"; flake = false; };
+    sticker = { url = "git+https://git.chn.moe/chn/sticker.git?lfs=1"; flake = false; };
   };
 
   outputs = inputs: let localLib = import ./flake/lib.nix inputs.nixpkgs.lib; in

flake/branch.nix

@@ -1 +1 @@
-"next"
+"production"

flake/dns/config/chn.moe.nix

@@ -5,11 +5,11 @@ let
     autoroute = [ "api" "git" "grafana" "matrix" "peertube" "send" "synapse" "vikunja" "铜锣湾" ];
     nas = [ "initrd.nas" ];
     office = [ "srv2-node0" ];
-    vps4 = [ "initrd.vps4" "xserver.vps4" ];
+    vps4 = [ "initrd.vps4" "xserver2.vps4" ];
     vps6 =
     [
       "blog" "catalog" "coturn" "element" "frp" "initrd.vps6" "misskey" "sticker" "synapse-admin" "tgapi"
-      "ua" "vps6.xserver" "铜锣湾实验室"
+      "ua" "xserver2" "xserver2.vps6" "铜锣湾实验室"
     ];
     "xlog.autoroute" = [ "xlog" ];
     "wg0.srv1-node0" = [ "wg0.srv1" ];
@@ -17,11 +17,12 @@ let
     srv3 =
     [
       "chat" "freshrss" "huginn" "initrd.srv3" "nextcloud" "photoprism" "rsshub" "ssh.git" "vaultwarden" "webdav"
-      "xserver.srv3" "example"
+      "xserver2.srv3" "example"
     ];
     srv1-node0 = [ "srv1" ];
     srv2-node0 = [ "srv2" ];
     "wg1.pc" = [ "nix-store" ];
+    "wg1.nas" = [ "nix-store.nas" ];
   };
   a =
   {

flake/packages.nix

@@ -23,7 +23,6 @@
       version = inputs.self.rev or "dirty";
       stdenv = pkgs.pkgsStatic.gcc14Stdenv;
     };
-  inherit (pkgs.localPackages) blog;
   inherit (pkgs.localPackages.pkgsStatic) chn-bsub;
   vaspberry = pkgs.pkgsStatic.localPackages.vaspberry.override
   {
@@ -37,13 +36,18 @@
       else if builtins.isAttrs x then builtins.concatMap getDrv (builtins.attrValues x)
       else if builtins.isList x then builtins.concatMap getDrv x
       else [];
-    in pkgs.writeClosure (getDrv (inputs.self.outputs.src));
+    in pkgs.concatText "src" (getDrv (inputs.self.outputs.src));
   dns-push = pkgs.callPackage ./dns
   {
     inherit localLib;
     tokenPath = inputs.self.nixosConfigurations.pc.config.sops.secrets."acme/token".path;
     octodns = pkgs.octodns.withProviders (_: with pkgs.octodns-providers; [ cloudflare ]);
   };
+  archive =
+    let devices =
+      [ "nas" "one" "pc" "srv1-node0" "srv1-node1" "srv1-node2" "srv2-node0" "srv2-node1" "srv3" "vps4" "vps6" ];
+    in pkgs.writeText "archive" (builtins.concatStringsSep "\n" (builtins.map
+      (d: "${inputs.self.outputs.nixosConfigurations.${d}.config.system.build.toplevel}") devices));
 }
 // (builtins.listToAttrs (builtins.map
   (system: { inherit (system) name; value = system.value.config.system.build.toplevel; })

flake/src.nix

@@ -134,4 +134,12 @@
       "intel.oneapi.lin.compilers-common,v=2025.1.1+10"
     ];
   };
+  rsshub =  pkgs.dockerTools.pullImage
+  {
+    imageName = "diygod/rsshub";
+    imageDigest = "sha256:1f9d97263033752bf5e20c66a75e134e6045b6d69ae843c1f6610add696f8c22";
+    hash = "sha256-zN47lhQc3EX28LmGF4N3rDUPqumwmhfGn1OpvBYd2Vw=";
+    finalImageName = "rsshub";
+    finalImageTag = "latest";
+  };
 }

modules/model.nix

@@ -3,7 +3,7 @@ inputs:
   options.nixos.model = let inherit (inputs.lib) mkOption types; in
   {
     hostname = mkOption { type = types.nonEmptyStr; };
-    type = mkOption { type = types.enum [ "vps" "desktop" "server" ]; default = "vps"; };
+    type = mkOption { type = types.enum [ "minimal" "desktop" "server" ]; default = "minimal"; };
     private = mkOption { type = types.bool; default = false; };
     cluster = mkOption
     {

modules/packages/android-studio.nix

@@ -1,10 +1,7 @@
 inputs:
 {
   options.nixos.packages.android-studio = let inherit (inputs.lib) mkOption types; in mkOption
-  {
-    type = types.nullOr (types.submodule {});
-    default = null;
-  };
+    { type = types.nullOr (types.submodule {}); default = null; };
   config = let inherit (inputs.config.nixos.packages) android-studio; in inputs.lib.mkIf (android-studio != null)
   {
     nixos.packages.packages._packages = with inputs.pkgs; [ androidStudioPackages.stable.full ];

modules/packages/chromium.nix

@@ -3,7 +3,7 @@ inputs:
   options.nixos.packages.chromium = let inherit (inputs.lib) mkOption types; in mkOption
   {
     type = types.nullOr (types.submodule {});
-    default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
+    default = if inputs.config.nixos.model.type == "desktop" then {} else null;
   };
   config = let inherit (inputs.config.nixos.packages) chromium; in inputs.lib.mkIf (chromium != null)
   {

modules/packages/desktop.nix

@@ -3,7 +3,7 @@ inputs:
   options.nixos.packages.desktop = let inherit (inputs.lib) mkOption types; in mkOption
   {
     type = types.nullOr (types.submodule {});
-    default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
+    default = if inputs.config.nixos.model.type == "desktop" then {} else null;
   };
   config = let inherit (inputs.config.nixos.packages) desktop; in inputs.lib.mkIf (desktop != null)
   {
@@ -49,15 +49,14 @@ inputs:
           # browser
           google-chrome tor-browser
           # office
-          crow-translate zotero pandoc texliveFull poppler_utils pdftk pdfchain
+          crow-translate zotero pandoc texliveFull poppler_utils pdftk pdfchain activitywatch
           ydict pspp libreoffice-qt6-fresh ocrmypdf typst
           # required by ltex-plus.vscode-ltex-plus
           ltex-ls ltex-ls-plus
           # matplot++ needs old gnuplot
           inputs.pkgs.pkgs-2311.gnuplot
           # math, physics and chemistry
-          octaveFull ovito localPackages.vesta localPackages.v-sim mpi geogebra6 localPackages.ufo
-          inputs.pkgs.pkgs-2311.hdfview qalculate-qt
+          octaveFull mpi geogebra6 qalculate-qt
           # virtualization
           bottles wineWowPackages.stagingFull
           # media
@@ -67,7 +66,7 @@ inputs:
         ];
         _pythonPackages = [(pythonPackages: with pythonPackages;
         [
-          phonopy scipy scikit-learn jupyterlab autograd inputs.pkgs.localPackages.phono3py numpy 
+          scipy scikit-learn jupyterlab autograd numpy 
         ])];
       };
       user.sharedModules =
@@ -86,9 +85,15 @@ inputs:
                   inherit (inputs.topInputs) nixos-wallpaper;
                   isPicture = f: builtins.elem (inputs.lib.last (inputs.lib.splitString "." f))
                     [ "png" "jpg" "jpeg" "webp" ];
+                  listDirRecursive =
+                    let listDir = dir:
+                      if dir.value == "directory" then builtins.concatLists
+                        (builtins.map (f: listDir f) (inputs.localLib.attrsToList (builtins.readDir dir.name)))
+                      else [ dir ];
+                    in dir: listDir { name = dir; value = "directory"; };
                 in builtins.concatStringsSep "," (builtins.map (f: "${nixos-wallpaper}/${f.name}")
                   (builtins.filter (f: (isPicture f.name) && (f.value == "regular"))
-                    (inputs.localLib.attrsToList (builtins.readDir nixos-wallpaper))));
+                    (listDirRecursive nixos-wallpaper)));
             };
             powerdevil =
               let config =

modules/packages/firefox.nix

@@ -3,7 +3,7 @@ inputs:
   options.nixos.packages.firefox = let inherit (inputs.lib) mkOption types; in mkOption
   {
     type = types.nullOr (types.submodule {});
-    default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
+    default = if inputs.config.nixos.model.type == "desktop" then {} else null;
   };
   config = let inherit (inputs.config.nixos.packages) firefox; in inputs.lib.mkIf (firefox != null)
   {

modules/packages/lammps.nix

@@ -1,22 +1,23 @@
 inputs:
 {
   options.nixos.packages.lammps = let inherit (inputs.lib) mkOption types; in mkOption
-  {
-    type = types.nullOr (types.submodule {});
-    default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
-  };
+    { type = types.nullOr (types.submodule {}); default = null; };
   config = let inherit (inputs.config.nixos.packages) lammps; in inputs.lib.mkIf (lammps != null)
   {
-    nixos.packages.packages._packages =
-      let cuda = let inherit (inputs.config.nixos.system.nixpkgs) cuda; in cuda.capabilities or null != null;
-      in
-        if cuda then [((inputs.pkgs.lammps.override { stdenv = inputs.pkgs.cudaPackages.backendStdenv; })
-          .overrideAttrs (prev:
-          {
-            cmakeFlags = prev.cmakeFlags ++ [ "-DPKG_GPU=on" "-DGPU_API=cuda" "-DCMAKE_POLICY_DEFAULT_CMP0146=OLD" ];
-            nativeBuildInputs = prev.nativeBuildInputs ++ [ inputs.pkgs.cudaPackages.cudatoolkit ];
-            buildInputs = prev.buildInputs ++ [ inputs.pkgs.mpi ];
-          }))]
-        else [ inputs.pkgs.lammps-mpi ];
+    nixos.packages =
+    {
+      molecule = {};
+      packages._packages =
+        let cuda = let inherit (inputs.config.nixos.system.nixpkgs) cuda; in cuda.capabilities or null != null;
+        in
+          if cuda then [((inputs.pkgs.lammps.override { stdenv = inputs.pkgs.cudaPackages.backendStdenv; })
+            .overrideAttrs (prev:
+            {
+              cmakeFlags = prev.cmakeFlags ++ [ "-DPKG_GPU=on" "-DGPU_API=cuda" "-DCMAKE_POLICY_DEFAULT_CMP0146=OLD" ];
+              nativeBuildInputs = prev.nativeBuildInputs ++ [ inputs.pkgs.cudaPackages.cudatoolkit ];
+              buildInputs = prev.buildInputs ++ [ inputs.pkgs.mpi ];
+            }))]
+          else [ inputs.pkgs.lammps-mpi ];
+    };
   };
 }

modules/packages/mathematica.nix

@@ -1,10 +1,7 @@
 inputs:
 {
   options.nixos.packages.mathematica = let inherit (inputs.lib) mkOption types; in mkOption
-  {
-    type = types.nullOr (types.submodule {});
-    default = null;
-  };
+    { type = types.nullOr (types.submodule {}); default = null; };
   config = let inherit (inputs.config.nixos.packages) mathematica; in inputs.lib.mkIf (mathematica != null)
     { nixos.packages.packages._packages = [ inputs.pkgs.mathematica ]; };
 }

modules/packages/minimal.nix

@@ -1,8 +1,8 @@
 inputs:
 {
-  options.nixos.packages.server = let inherit (inputs.lib) mkOption types; in mkOption
+  options.nixos.packages.minimal = let inherit (inputs.lib) mkOption types; in mkOption
     { type = types.nullOr (types.submodule {}); default = {}; };
-  config = let inherit (inputs.config.nixos.packages) server; in inputs.lib.mkIf (server != null)
+  config = let inherit (inputs.config.nixos.packages) minimal; in inputs.lib.mkIf (minimal != null)
   {
     nixos.packages.packages =
     {
@@ -42,13 +42,6 @@ inputs:
         pdfgrep ffmpeg-full hdf5
       ]
         ++ (with inputs.config.boot.kernelPackages; [ cpupower usbip ]);
-      _pythonPackages = [(pythonPackages: with pythonPackages;
-      [
-        openai python-telegram-bot fastapi-cli pypdf2 pandas matplotlib plotly gunicorn redis jinja2
-        certifi charset-normalizer idna orjson psycopg2 inquirerpy requests tqdm pydbus odfpy
-        # for vasp plot-workfunc.py
-        ase
-      ])];
     };
     programs =
     {

modules/packages/molecule.nix

@@ -0,0 +1,20 @@
+inputs:
+{
+  options.nixos.packages.molecule = let inherit (inputs.lib) mkOption types; in mkOption
+  {
+    type = types.nullOr (types.submodule {});
+    default = if inputs.config.nixos.model.type == "desktop" then {} else null;
+  };
+  config = let inherit (inputs.config.nixos.packages) molecule; in inputs.lib.mkIf (molecule != null)
+  {
+    nixos.packages.packages =
+    {
+      _packages = with inputs.pkgs;
+        [ ovito localPackages.vesta localPackages.v-sim localPackages.ufo inputs.pkgs.pkgs-2311.hdfview ];
+      _pythonPackages = [(pythonPackages: with pythonPackages;
+      [
+        phonopy inputs.pkgs.localPackages.phono3py
+      ])];
+    };
+  };
+}

modules/packages/mumax.nix

@@ -1,14 +1,7 @@
 inputs:
 {
   options.nixos.packages.mumax = let inherit (inputs.lib) mkOption types; in mkOption
-  {
-    type = types.nullOr (types.submodule {});
-    default =
-      if (builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ])
-        && (let inherit (inputs.config.nixos.system.nixpkgs) cuda; in cuda.capabilities or null != null)
-      then {}
-      else null;
-  };
+    { type = types.nullOr (types.submodule {}); default = null; };
   config = let inherit (inputs.config.nixos.packages) mumax; in inputs.lib.mkIf (mumax != null)
   {
     nixos.packages.packages._packages = [ inputs.pkgs.localPackages.mumax ];

modules/packages/nushell.nix

@@ -1,10 +1,7 @@
 inputs:
 {
   options.nixos.packages.nushell = let inherit (inputs.lib) mkOption types; in mkOption
-  {
-    type = types.nullOr (types.submodule {});
-    default = {};
-  };
+    { type = types.nullOr (types.submodule {}); default = {}; };
   config = let inherit (inputs.config.nixos.packages) nushell; in inputs.lib.mkIf (nushell != null)
   {
     nixos =

modules/packages/steam.nix

@@ -3,7 +3,7 @@ inputs:
   options.nixos.packages.steam = let inherit (inputs.lib) mkOption types; in mkOption
   {
     type = types.nullOr (types.submodule {});
-    default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
+    default = if inputs.config.nixos.model.type == "desktop" then {} else null;
   };
   config = let inherit (inputs.config.nixos.packages) steam; in inputs.lib.mkIf (steam != null)
   {

modules/packages/vasp.nix

@@ -4,16 +4,20 @@ inputs:
     { type = types.nullOr (types.submodule {}); default = null; };
   config = let inherit (inputs.config.nixos.packages) vasp; in inputs.lib.mkIf (vasp != null)
   {
-    nixos.packages.packages = with inputs.pkgs;
+    nixos.packages =
     {
-      _packages =
-      (
-        [ localPackages.vasp.intel localPackages.vasp.vtst localPackages.vaspkit wannier90 ]
-          ++ (inputs.lib.optional
-            (let inherit (inputs.config.nixos.system.nixpkgs) cuda; in cuda.capabilities or null != null)
-            localPackages.vasp.nvidia)
-      );
-      _pythonPackages = [(_: [ localPackages.py4vasp ])];
+      molecule = {};
+      packages = with inputs.pkgs;
+      {
+        _packages =
+        (
+          [ localPackages.vasp.intel localPackages.vasp.vtst localPackages.vaspkit wannier90 ]
+            ++ (inputs.lib.optional
+              (let inherit (inputs.config.nixos.system.nixpkgs) cuda; in cuda.capabilities or null != null)
+              localPackages.vasp.nvidia)
+        );
+        _pythonPackages = [(_: [ localPackages.py4vasp ])];
+      };
     };
   };
 }

modules/packages/vscode.nix

@@ -3,7 +3,7 @@ inputs:
   options.nixos.packages.vscode = let inherit (inputs.lib) mkOption types; in mkOption
   {
     type = types.nullOr (types.submodule {});
-    default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
+    default = if inputs.config.nixos.model.type == "desktop" then {} else null;
   };
   config = let inherit (inputs.config.nixos.packages) vscode; in inputs.lib.mkIf (vscode != null)
   {

modules/services/freshrss.nix

@@ -1,52 +1,33 @@
 inputs:
 {
-  options.nixos.services.freshrss = let inherit (inputs.lib) mkOption types; in
+  options.nixos.services.freshrss = let inherit (inputs.lib) mkOption types; in mkOption
   {
-    enable = mkOption { type = types.bool; default = false; };
-    hostname = mkOption { type = types.str; default = "freshrss.chn.moe"; };
-  };
-  config =
-    let
-      inherit (inputs.config.nixos.services) freshrss;
-      inherit (inputs.lib) mkIf;
-    in mkIf freshrss.enable
+    type = types.nullOr (types.submodule { options =
     {
-      services.freshrss =
-      {
-        enable = true;
-        baseUrl = "https://${freshrss.hostname}";
-        defaultUser = "chn";
-        passwordFile = inputs.config.sops.secrets."freshrss/chn".path;
-        database = { type = "mysql"; passFile = inputs.config.sops.secrets."freshrss/db".path; };
-        virtualHost = null;
-      };
-      sops.secrets =
-      {
-        "freshrss/chn".owner = inputs.config.users.users.freshrss.name;
-        "freshrss/db" = { owner = inputs.config.users.users.freshrss.name; key = "mariadb/freshrss"; };
-      };
-      systemd.services.freshrss-config.after = [ "mysql.service" ];
-      nixos.services =
-      {
-        mariadb = { enable = true; instances.freshrss = {}; };
-        nginx.https.${freshrss.hostname} =
-        {
-          location =
-          {
-            "/".static =
-            {
-              root = "${inputs.pkgs.freshrss}/p";
-              index = [ "index.php" ];
-              tryFiles = [ "$uri" "$uri/" "$uri/index.php" ];
-            };
-            "~ ^.+?\.php(/.*)?$".php =
-            {
-              root = "${inputs.pkgs.freshrss}/p";
-              fastcgiPass =
-                "unix:${inputs.config.services.phpfpm.pools.${inputs.config.services.freshrss.pool}.socket}";
-            };
-          };
-        };
-      };
+      hostname = mkOption { type = types.str; default = "freshrss.chn.moe"; };
+    };});
+    default = null;
+  };
+  config = let inherit (inputs.config.nixos.services) freshrss; in inputs.lib.mkIf (freshrss != null)
+  {
+    services.freshrss =
+    {
+      enable = true;
+      baseUrl = "https://${freshrss.hostname}";
+      defaultUser = "chn";
+      passwordFile = inputs.config.sops.secrets."freshrss/chn".path;
+      database = { type = "mysql"; passFile = inputs.config.sops.secrets."freshrss/db".path; };
     };
+    sops.secrets =
+    {
+      "freshrss/chn".owner = inputs.config.users.users.freshrss.name;
+      "freshrss/db" = { owner = inputs.config.users.users.freshrss.name; key = "mariadb/freshrss"; };
+    };
+    systemd.services.freshrss-config.after = [ "mysql.service" ];
+    nixos.services =
+    {
+      mariadb = { enable = true; instances.freshrss = {}; };
+      nginx.https.${freshrss.hostname}.global.configName = "freshrss";
+    };
+  };
 }

modules/services/gitea.nix

@@ -45,6 +45,8 @@ inputs:
         };
         service.DISABLE_REGISTRATION = true;
         security.LOGIN_REMEMBER_DAYS = 365;
+        "git.timeout" = builtins.listToAttrs (builtins.map (n: { name = n; value = 1800; })
+          [ "DEFAULT" "MIGRATE" "MIRROR" "CLONE" "PULL" "GC" ]);
       };
     };
     nixos.services =

modules/services/nextcloud.nix

@@ -57,7 +57,7 @@ inputs:
           };
         in builtins.listToAttrs (builtins.map
           (package: { name = package; value = inputs.pkgs.fetchNextcloudApp (getInfo package); })
-          [ "maps" "phonetrack" "twofactor_webauthn" "calendar" ]);
+          [ "phonetrack" "twofactor_webauthn" "calendar" ]);
     };
     nixos.services =
     {

modules/services/nginx/applications/sticker.nix

@@ -11,7 +11,7 @@ inputs:
         mkdir -p $out
         cp -r ${inputs.topInputs.stickerpicker}/web/* $out
         chmod -R +w $out
-        cp -r ${./web}/* $out
+        cp -r ${inputs.topInputs.sticker}/web/* $out
       '');
       index = [ "index.html" ];
     };

modules/services/nginx/applications/sticker/.gitignore

@@ -1,2 +0,0 @@
-/config.json
-/sticker-import.session

modules/services/nginx/applications/sticker/web/packs/index.json

@@ -1,19 +0,0 @@
-{
-  "packs": [
-    "Mare_by_WuMingv2Bot.json",
-    "line_191054124446_by_moe_sticker_bot.json",
-    "Sakurada_Shiro.json",
-    "loli_DaiSi_by_WuMingv2Bot.json",
-    "listentoweiwei_by_WuMingv2Bot.json",
-    "csaexi.json",
-    "wechat_transfer_zhcn.json",
-    "teamtimothy_bilibili.json",
-    "line26158619ac0d_by_moe_sticker_bot.json",
-    "LINE_nachonekodayo.json",
-    "zhehelima.json",
-    "TheDonaldTrump.json",
-    "line_173195293297_by_moe_sticker_bot.json",
-    "line261586194a0d_by_moe_sticker_bot.json"
-  ],
-  "homeserver_url": "https://matrix.chn.moe"
-}

modules/services/nginx/default.nix

@@ -366,38 +366,13 @@ inputs:
         systemd.services.nginx-proxy =
           let
             ip = "${inputs.pkgs.iproute2}/bin/ip";
-            nft = "${inputs.pkgs.nftables}/bin/nft";
-            nftConfigFile = inputs.pkgs.writeText "nginx.nft"
-            ''
-              table inet nginx {
-                chain output {
-                  type route hook output priority mangle; policy accept;
-                  # 由本机发出、gid 为 nginx、但源地址不是本地监听的地址，说明是透明代理的第一个包，将这个流标记
-                  # 但这个包本身不需要处理，正常路由即可。
-                  meta skgid ${builtins.toString inputs.config.users.groups.nginx.gid} fib saddr type != local \
-                    ct state new counter ct mark set ct mark | 2
-                  # 由本机发出、作为透明代理的回复，它不能按照通常的路由，它需要被打上标记并被路由到本地
-                  # 这对应于透明代理到本地的服务的情况
-                  ct mark & 2 == 2 ct direction reply counter meta mark set meta mark | 2 accept
-                  return
-                }
-                # 还需要处理透明代理到其它机器的情况，它们的回复需要在 prerouting 中标记
-                chain prerouting {
-                  type filter hook prerouting priority mangle; policy accept;
-                  ct mark & 2 == 2 ct direction reply counter meta mark set meta mark | 2 accept
-                  return
-                }
-              }
-            '';
             start = inputs.pkgs.writeShellScript "nginx-proxy.start"
             ''
-              ${nft} -f ${nftConfigFile}
               ${ip} rule add fwmark 2/2 table 200
               ${ip} route add local 0.0.0.0/0 dev lo table 200
             '';
             stop = inputs.pkgs.writeShellScript "nginx-proxy.stop"
             ''
-              ${nft} delete table inet nginx
               ${ip} rule del fwmark 2/2 table 200
               ${ip} route del local 0.0.0.0/0 dev lo table 200
             '';
@@ -415,6 +390,30 @@ inputs:
             wants = [ "network.target" ];
             wantedBy= [ "multi-user.target" ];
           };
+        networking.nftables.tables.nginx =
+        {
+          family = "inet";
+          content =
+          ''
+            chain output {
+              type route hook output priority mangle; policy accept;
+              # 由本机发出、gid 为 nginx、但源地址不是本地监听的地址，说明是透明代理的第一个包，将这个流标记
+              # 但这个包本身不需要处理，正常路由即可。
+              meta skgid ${builtins.toString inputs.config.users.groups.nginx.gid} fib saddr type != local \
+                ct state new counter ct mark set ct mark | 2
+              # 由本机发出、作为透明代理的回复，它不能按照通常的路由，它需要被打上标记并被路由到本地
+              # 这对应于透明代理到本地的服务的情况
+              ct mark & 2 == 2 ct direction reply counter meta mark set meta mark | 2 accept
+              return
+            }
+            # 还需要处理透明代理到其它机器的情况，它们的回复需要在 prerouting 中标记
+            chain prerouting {
+              type filter hook prerouting priority mangle; policy accept;
+              ct mark & 2 == 2 ct direction reply counter meta mark set meta mark | 2 accept
+              return
+            }
+          '';
+        };
       })
       # streamProxy
       {

modules/services/nixvirt.nix

@@ -1,4 +1,3 @@
-# TODO: fix libvirtd network
 inputs:
 {
   options.nixos.services.nixvirt = let inherit (inputs.lib) mkOption types; in mkOption
@@ -19,19 +18,31 @@ inputs:
           {
             uuid = mkOption { type = types.nonEmptyStr; default = defaultUuid; };
             owner = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
-            hardware =
+            storage =
             {
-              storage = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
-              memoryMB = mkOption { type = types.ints.unsigned; };
-              cpus = mkOption { type = types.ints.unsigned; };
-              mac = mkOption { type = types.nonEmptyStr; default = defaultMac; };
+              name = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
+              nodatacow = mkOption { type = types.bool; default = false; };
+            };
+            memory =
+            {
+              sizeMB = mkOption { type = types.ints.unsigned; };
+              dedicated = mkOption { type = types.bool; default = false; };
+            };
+            cpu =
+            {
+              count = mkOption { type = types.ints.unsigned; };
+              hyprthread = mkOption { type = types.bool; default = false; };
+              set = mkOption { type = types.nullOr (types.nonEmptyListOf types.nonEmptyStr); default = null; };
             };
             network =
             {
-              address = mkOption { type = types.ints.unsigned; };
+              mac = mkOption { type = types.nonEmptyStr; default = defaultMac; };
+              address = mkOption { type = types.nullOr types.ints.unsigned; default = null; };
+              bridge = mkOption { type = types.bool; default = false; };
               vnc =
               {
-                port = mkOption { type = types.ints.unsigned; default = 15900 + submoduleInputs.config.network.address; };
+                port = mkOption
+                  { type = types.ints.unsigned; default = 15900 + submoduleInputs.config.network.address; };
                 openFirewall = mkOption { type = types.bool; default = true; };
               };
               portForward = rec
@@ -54,6 +65,13 @@ inputs:
   };
   config = let inherit (inputs.config.nixos.services) nixvirt; in inputs.lib.mkIf (nixvirt != null)
   {
+    assertions = builtins.map
+      (vm:
+      {
+        assertion = vm.value.cpu.set != null -> builtins.length vm.value.cpu.set == vm.value.cpu.count;
+        message = "nixvirt.instance.${vm.name}.cpu.set must have the same length as cpu.count";
+      })
+      (inputs.localLib.attrsToList nixvirt.instance);
     virtualisation =
     {
       libvirt =
@@ -63,7 +81,12 @@ inputs:
         connections."qemu:///system" = let inherit (inputs.topInputs.nixvirt) lib; in
         {
           domains = builtins.map
-            (vm: { definition = inputs.config.sops.templates."${vm.name}.xml".path; active = true; restart = false; })
+            (vm:
+            {
+              definition = inputs.config.sops.templates."nixvirt/${vm.name}.xml".path;
+              active = true;
+              restart = false;
+            })
             (inputs.localLib.attrsToList nixvirt.instance);
           networks =
           [{
@@ -74,10 +97,10 @@ inputs:
                 host = builtins.map
                   (vm:
                   {
-                    inherit (vm.hardware) mac;
+                    inherit (vm.network) mac;
                     ip = "192.168.${builtins.toString nixvirt.subnet}.${builtins.toString vm.network.address}";
                   })
-                  (builtins.attrValues nixvirt.instance);
+                  (builtins.filter (vm: vm.network.address != null) (builtins.attrValues nixvirt.instance));
               in lib.network.writeXML (base // { ip = base.ip // { dhcp = base.ip.dhcp // { inherit host; }; }; });
             active = true;
             # never restart the network
@@ -126,50 +149,113 @@ inputs:
       templates = builtins.listToAttrs (builtins.map
         (vm:
         {
-          name = "${vm.name}.xml";
-          value.content =
-            let
-              inherit (inputs.topInputs.nixvirt) lib;
-              base = lib.domain.templates.linux
-              {
-                inherit (vm) name;
-                inherit (vm.value) uuid;
-                memory = { count = vm.value.hardware.memoryMB; unit = "MiB"; };
-                storage_vol = "/var/lib/libvirt/images/${vm.value.hardware.storage}.img";
-                install_vol = "${inputs.topInputs.self.src.iso.netboot}";
-                virtio_video = false;
-              };
-            in lib.domain.getXML (base //
+          name = "nixvirt/${vm.name}.xml";
+          value.content = inputs.topInputs.nixvirt.lib.domain.getXML
+          # port from 8bcc23e27a62297254d0e9c87281e650ff777132
+          {
+            inherit (vm) name;
+            inherit (vm.value) uuid;
+            type = "kvm";
+            vcpu = { placement = "static"; count = vm.value.cpu.count; };
+            cputune = inputs.lib.optionalAttrs (vm.value.cpu.set != null)
             {
-              devices =
-                # remove spicevmc, which needs spice
-                (builtins.removeAttrs base.devices [ "channel" "redirdev" "sound" "audio" ])
-                // {
-                  graphics =
-                  {
-                    type = "vnc";
-                    autoport = false;
-                    port = vm.value.network.vnc.port;
-                    listen.type = "address";
-                    passwd = inputs.config.sops.placeholder."nixvirt/${vm.name}";
-                  };
-                  interface = base.devices.interface // { mac.address = vm.value.hardware.mac; };
-                  disk = builtins.map (disk: disk // { driver = disk.driver // { type = "raw"; }; }) base.devices.disk;
-                };
-              cpu = base.cpu // { topology = { sockets = 1; dies = 1; cores = vm.value.hardware.cpus; threads = 1; };};
-              vcpu = { placement = "static"; count = vm.value.hardware.cpus; };
-              os = (builtins.removeAttrs base.os [ "boot" ]) //
+              vcpupin = builtins.genList
+                (cpu: { vcpu = cpu; cpuset = builtins.elemAt vm.value.cpu.set cpu; })
+                vm.value.cpu.count;
+            };
+            memory =
+            {
+              count = vm.value.memory.sizeMB;
+              unit = "MiB";
+              nosharepages = vm.value.memory.dedicated;
+              locked = vm.value.memory.dedicated;
+            };
+            os =
+            {
+              type = "hvm";
+              arch = "x86_64";
+              machine = "q35";
+              bootmenu = { enable = true; timeout = 15000; };
+              loader = { readonly = true; type = "pflash"; path = "/run/libvirt/nix-ovmf/OVMF_CODE.fd"; };
+              nvram =
               {
-                loader = { readonly = true; type = "pflash"; path = "/run/libvirt/nix-ovmf/OVMF_CODE.fd"; };
-                nvram =
-                {
-                  template = "/run/libvirt/nix-ovmf/OVMF_VARS.fd";
-                  path = "/var/lib/libvirt/qemu/nvram/${vm.name}_VARS.fd";
-                  templateFormat = "raw";
-                  format = "raw";
-                };
+                template = "/run/libvirt/nix-ovmf/OVMF_VARS.fd";
+                path = "/var/lib/libvirt/qemu/nvram/${vm.name}_VARS.fd";
+                templateFormat = "raw";
+                format = "raw";
               };
-            });
+            };
+            features = { acpi = {}; apic = {}; };
+            cpu =
+            {
+              mode = "host-passthrough";
+              topology =
+              {
+                sockets = 1;
+                dies = 1;
+                cores = if vm.value.cpu.hyprthread then vm.value.cpu.count / 2 else vm.value.cpu.count;
+                threads = if vm.value.cpu.hyprthread then 2 else 1;
+              };
+            };
+            clock =
+            {
+              offset = "utc";
+              timer =
+              [
+                { name = "rtc"; tickpolicy = "catchup"; }
+                { name = "pit"; tickpolicy = "delay"; }
+                { name = "hpet"; present = false; }
+              ];
+            };
+            devices =
+            {
+              emulator = "${inputs.config.virtualisation.libvirtd.qemu.package}/bin/qemu-system-x86_64";
+              disk =
+              [
+                {
+                  type = "file";
+                  device = "disk";
+                  driver = { name = "qemu"; type = "raw"; cache = "none"; discard = "unmap"; };
+                  source.file = "${if vm.value.storage.nodatacow then "/nix/nodatacow" else ""}/var/lib/libvirt/images/"
+                    + "${vm.value.storage.name}.img";
+                  target = { dev = "vda"; bus = "virtio"; };
+                  boot.order = 1;
+                }
+                {
+                  type = "file";
+                  device = "cdrom";
+                  driver = { name = "qemu"; type = "raw"; };
+                  source.file = "${inputs.topInputs.self.src.iso.netboot}";
+                  target = { dev = "sdc"; bus = "sata"; };
+                  readonly = true;
+                  boot.order = 10;
+                }
+              ];
+              interface =
+              {
+                type = "bridge";
+                model.type = "virtio";
+                mac.address = vm.value.network.mac;
+                source.bridge = if vm.value.network.bridge then "nixvirt" else "virbr0";
+              };
+              input =
+              [
+                { type = "tablet"; bus = "usb"; }
+                { type = "mouse"; bus = "ps2"; }
+                { type = "keyboard"; bus = "ps2"; }
+              ];
+              graphics =
+              {
+                type = "vnc";
+                autoport = false;
+                port = vm.value.network.vnc.port;
+                listen.type = "address";
+                passwd = inputs.config.sops.placeholder."nixvirt/${vm.name}";
+              };
+              video.model = { type = "qxl"; ram = 65536; vram = 65536; vgamem = 16384; heads = 1; primary = true; };
+              rng = { model = "virtio"; backend = { model = "random"; source = /dev/urandom; }; };
+            };
+          };
         })
         (inputs.localLib.attrsToList nixvirt.instance));
       secrets = builtins.listToAttrs (builtins.map
@@ -202,24 +288,25 @@ inputs:
       group = "root";
       setuid = true;
     };
-    networking.firewall.allowedTCPPorts = builtins.map (vm: vm.network.vnc.port)
-      (builtins.filter (vm: vm.network.vnc.openFirewall) (builtins.attrValues nixvirt.instance));
-    # TODO: use existing options
-    systemd.services.nixvirt-forward =
-      let
-        nftRules = builtins.concatLists (builtins.concatLists (builtins.map
-          (vm: builtins.map
-            (protocol: builtins.map
-              (port: "${protocol} dport ${builtins.toString port.host} fib daddr type local counter dnat ip to "
-                + "192.168.${builtins.toString nixvirt.subnet}.${builtins.toString vm.network.address}"
-                + ":${builtins.toString port.guest}")
-              vm.network.portForward.${protocol})
-            [ "tcp" "udp" ])
-          (builtins.attrValues nixvirt.instance)));
-        nft = "${inputs.pkgs.nftables}/bin/nft";
-        nftConfigFile = inputs.pkgs.writeText "nixvirt.nft"
-        ''
-          table inet nixvirt {
+    networking =
+    {
+      firewall.allowedTCPPorts = builtins.map (vm: vm.network.vnc.port)
+        (builtins.filter (vm: vm.network.vnc.openFirewall) (builtins.attrValues nixvirt.instance));
+      nftables.tables.nixvirt =
+      {
+        family = "inet";
+        content =
+          let nftRules = builtins.concatLists (builtins.concatLists (builtins.map
+            (vm: builtins.map
+              (protocol: builtins.map
+                (port: "${protocol} dport ${builtins.toString port.host} fib daddr type local counter dnat ip to "
+                  + "192.168.${builtins.toString nixvirt.subnet}.${builtins.toString vm.network.address}"
+                  + ":${builtins.toString port.guest}")
+                vm.network.portForward.${protocol})
+              [ "tcp" "udp" ])
+            (builtins.attrValues nixvirt.instance)));
+          in
+          ''
             chain prerouting {
               type nat hook prerouting priority dstnat; policy accept;
               ${builtins.concatStringsSep "\n" nftRules}
@@ -228,22 +315,13 @@ inputs:
               type nat hook output priority dstnat; policy accept;
               ${builtins.concatStringsSep "\n" nftRules}
             }
-          }
-        '';
-        start = inputs.pkgs.writeShellScript "nixvirt.start" "${nft} -f ${nftConfigFile}";
-        stop = inputs.pkgs.writeShellScript "nixvirt.stop" "${nft} delete table inet nixvirt";
-      in
-      {
-        description = "nixvirt port forward";
-        after = [ "nftables.service" "nixvirt.service" ];
-        serviceConfig =
-        {
-          Type = "oneshot";
-          RemainAfterExit = true;
-          ExecStart = start;
-          ExecStop = stop;
-        };
-        wantedBy= [ "multi-user.target" ];
+          '';
       };
+    };
+    boot.kernelParams =
+      let cpusets = builtins.concatLists (builtins.map
+        (vm: vm.cpu.set)
+        (builtins.filter (vm: vm.cpu.set != null) (builtins.attrValues nixvirt.instance)));
+      in inputs.lib.mkIf (cpusets != []) [ "isolcpus=${builtins.concatStringsSep "," cpusets}" ];
   };
 }

modules/services/rsshub.nix

@@ -4,41 +4,26 @@ inputs:
   {
     type = types.nullOr (types.submodule { options =
     {
-      hostname = mkOption { type = types.nonEmptyStr; default = "rsshub.chn.moe"; };
+      hostname = mkOption { type = types.str; default = "rsshub.chn.moe"; };
     };});
     default = null;
   };
   config = let inherit (inputs.config.nixos.services) rsshub; in inputs.lib.mkIf (rsshub != null)
   {
-    systemd =
+    virtualisation.oci-containers.containers.rsshub =
     {
-      services.rsshub =
-      {
-        description = "rsshub";
-        after = [ "network.target" "redis-rsshub.service" ];
-        requires = [ "redis-rsshub.service" ];
-        wantedBy = [ "multi-user.target" ];
-        serviceConfig =
-        {
-          User = "rsshub";
-          Group = "rsshub";
-          EnvironmentFile = inputs.config.sops.templates."rsshub/env".path;
-          WorkingDirectory = "${inputs.pkgs.localPackages.rsshub}";
-          ExecStart = "${inputs.pkgs.localPackages.rsshub}/bin/rsshub";
-          CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
-          AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
-        };
-        restartTriggers = [ inputs.config.sops.templates."rsshub/env".content ];
-      };
-      tmpfiles.rules = [ "d /var/cache/rsshub 0700 rsshub rsshub" ];
+      image = "rsshub:latest";
+      imageFile = inputs.topInputs.self.src.rsshub;
+      ports = [ "127.0.0.1:5221:5221/tcp" ];
+      extraOptions = [ "--add-host=host.docker.internal:host-gateway" ];
+      environmentFiles = [ inputs.config.sops.templates."rsshub/env".path ];
     };
     sops =
     {
       templates."rsshub/env".content = let placeholder = inputs.config.sops.placeholder; in
       ''
         PORT=5221
-        CACHE_TYPE=redis
-        REDIS_URL='redis://:${placeholder."redis/rsshub"}@127.0.0.1:7116'
+        CACHE_TYPE=memory
         PIXIV_REFRESHTOKEN='${placeholder."rsshub/pixiv-refreshtoken"}'
         YOUTUBE_KEY='${placeholder."rsshub/youtube-key"}'
         YOUTUBE_CLIENT_ID='${placeholder."rsshub/youtube-client-id"}'
@@ -59,15 +44,7 @@ inputs:
         "zhihu-cookies"
       ]));
     };
-    users =
-    {
-      users.rsshub = { uid = inputs.config.nixos.user.uid.rsshub; group = "rsshub"; isSystemUser = true; };
-      groups.rsshub.gid = inputs.config.nixos.user.gid.rsshub;
-    };
-    nixos.services =
-    {
-      redis.instances.rsshub.port = 7116;
-      nginx = { enable = true; https.${rsshub.hostname}.location."/".proxy.upstream = "http://127.0.0.1:5221"; };
-    };
+    nixos.services.nginx =
+      { enable = true; https.${rsshub.hostname}.location."/".proxy.upstream = "http://127.0.0.1:5221"; };
   };
 }

modules/services/slurm.nix

@@ -53,7 +53,7 @@ inputs:
       {
         slurm =
         {
-          package = (inputs.pkgs.slurm.override { enableGtk2 = true; }).overrideAttrs
+          package = (inputs.pkgs.slurm.override { enableX11 = false; enableNVML = false; }).overrideAttrs
             (prev:
               let
                 inherit (inputs.config.nixos.system.nixpkgs) cuda;

modules/services/sshd/default.nix

@@ -6,6 +6,7 @@ inputs:
     {
       passwordAuthentication = mkOption { type = types.bool; default = false; };
       groupBanner = mkOption { type = types.bool; default = false; };
+      motd = mkOption { type = types.bool; default = false; };
     };});
     default = null;
   };
@@ -25,8 +26,7 @@ inputs:
         };
       };
     }
-    # 如果是服务器，那么启用 motd
-    (inputs.lib.mkIf (inputs.config.nixos.model.type == "server")
+    (inputs.lib.mkIf sshd.motd
     {
       nixos =
       {
@@ -34,7 +34,7 @@ inputs:
           [ (inputs.pkgs.fancy-motd.overrideAttrs { src = inputs.topInputs.fancy-motd; }) ];
         user.sharedModules = [(home-inputs: { config.programs.zsh.loginExtra =
         ''
-          [ -f /etc/fancy-motd/banner ] && lolcat -f /etc/fancy-motd/banner
+          [ -f /etc/fancy-motd/banner ] && (lolcat -f /etc/fancy-motd/banner 2> /dev/null)
           motd
         '';})];
       };

modules/services/xray.nix

@@ -2,32 +2,38 @@ inputs:
 {
   options.nixos.services.xray = let inherit (inputs.lib) mkOption types; in
   {
-    client =
+    client = mkOption
     {
-      enable = mkOption { type = types.bool; default = false; };
-      xray =
+      type = types.nullOr (types.submodule (submoduleInputs: { options =
       {
-        serverAddress = mkOption { type = types.nonEmptyStr; default = "144.34.225.59"; };
-        serverName = mkOption { type = types.nonEmptyStr; default = "vps6.xserver.chn.moe"; };
-      };
-      dnsmasq =
-      {
-        extraInterfaces = mkOption
+        xray =
         {
-          type = types.listOf types.nonEmptyStr;
-          default = inputs.lib.optional (inputs.config.nixos.services.docker != null) "docker0";
+          serverName = mkOption { type = types.nonEmptyStr; default = "xserver2.chn.moe"; };
+          serverAddress = mkOption
+          {
+            type = types.nonEmptyStr;
+            default = inputs.topInputs.self.config.dns."chn.moe".getAddress
+              (inputs.lib.removeSuffix ".chn.moe" submoduleInputs.config.xray.serverName);
+          };
         };
-        hosts = mkOption { type = types.attrsOf types.nonEmptyStr; default = {}; };
-      };
-      v2ray-forwarder.noproxyUsers = mkOption { type = types.listOf types.nonEmptyStr; default = [ "gb" "xll" ]; };
-      # 是否允许代理来自其它机器的流量（相关端口会被放行）
-      allowForward = mkOption { type = types.bool; default = true; };
+        dnsmasq =
+        {
+          extraInterfaces = mkOption
+          {
+            type = types.listOf types.nonEmptyStr;
+            default = inputs.lib.optional (inputs.config.nixos.services.docker != null) "docker0";
+          };
+          hosts = mkOption { type = types.attrsOf types.nonEmptyStr; default = {}; };
+        };
+        v2ray-forwarder.noproxyUsers = mkOption { type = types.listOf types.nonEmptyStr; default = [ "gb" "xll" ]; };
+      };}));
+      default = null;
     };
     server = mkOption
     {
       type = types.nullOr (types.submodule { options =
       {
-        serverName = mkOption { type = types.nonEmptyStr; };
+        serverName = mkOption { type = types.nonEmptyStr; default = "xserver2.chn.moe"; };
       };});
       default = null;
     };
@@ -37,12 +43,12 @@ inputs:
     {
       assertions =
       [{
-        assertion = !(xray.client.enable && xray.server != null);
+        assertion = !(xray.client != null && xray.server != null);
         message = "Currenty xray.client and xray.server could not be simutaniusly enabled.";
       }];
     }
     (
-      inputs.lib.mkIf xray.client.enable
+      inputs.lib.mkIf (xray.client != null)
       {
         services =
         {
@@ -57,7 +63,7 @@ inputs:
               server = [ "127.0.0.1#10853" ];
               interface = xray.client.dnsmasq.extraInterfaces ++ [ "lo" ];
               bind-dynamic = true;
-              address = map (host: "/${host.name}/${host.value}")
+              address = builtins.map (host: "/${host.name}/${host.value}")
                 (inputs.localLib.attrsToList xray.client.dnsmasq.hosts);
             };
           };
@@ -69,132 +75,127 @@ inputs:
           {
             owner = inputs.config.users.users.v2ray.name;
             group = inputs.config.users.users.v2ray.group;
-            content =
-              let
-                chinaDns = "223.5.5.5";
-                foreignDns = "8.8.8.8";
-              in
-              builtins.toJSON
+            content = let chinaDns = "223.5.5.5"; foreignDns = "8.8.8.8"; in builtins.toJSON
+            {
+              log.loglevel = "warning";
+              dns =
               {
-                log.loglevel = "warning";
-                dns =
-                {
-                  servers =
-                  # 先尝试匹配域名列表进行查询，若匹配成功则使用前两个 dns 查询。
-                  # 若匹配域名列表失败，或者匹配成功但是查询到的 IP 不在期望的 IP 列表中，则回落到使用后两个 dns 依次查询。
-                  [
-                    {
-                      address = chinaDns;
-                      domains = [ "geosite:geolocation-cn" ];
-                      expectIPs = [ "geoip:cn" ];
-                      skipFallback = true;
-                    }
-                    {
-                      address = foreignDns;
-                      domains = [ "geosite:geolocation-!cn" ];
-                      expectIPs = [ "geoip:!cn" ];
-                      skipFallback = true;
-                    }
-                    { address = chinaDns; expectIPs = [ "geoip:cn" ]; }
-                    { address = foreignDns; }
-                  ];
-                  disableCache = true;
-                  queryStrategy = "UseIPv4";
-                  tag = "dns-internal";
-                };
-                inbounds =
+                servers =
+                # 先尝试匹配域名列表进行查询，若匹配成功则使用前两个 dns 查询。
+                # 若匹配域名列表失败，或者匹配成功但是查询到的 IP 不在期望的 IP 列表中，则回落到使用后两个 dns 依次查询。
                 [
                   {
-                    port = 10853;
-                    protocol = "dokodemo-door";
-                    settings = { address = "8.8.8.8"; network = "tcp,udp"; port = 53; };
-                    tag = "dns-in";
+                    address = chinaDns;
+                    domains = [ "geosite:geolocation-cn" ];
+                    expectIPs = [ "geoip:cn" ];
+                    skipFallback = true;
                   }
                   {
-                    port = 10880;
-                    protocol = "dokodemo-door";
-                    settings = { network = "tcp,udp"; followRedirect = true; };
-                    streamSettings.sockopt.tproxy = "tproxy";
-                    sniffing = { enabled = true; destOverride = [ "http" "tls" "quic" ]; routeOnly = true; };
-                    tag = "common-in";
+                    address = foreignDns;
+                    domains = [ "geosite:geolocation-!cn" ];
+                    expectIPs = [ "geoip:!cn" ];
+                    skipFallback = true;
                   }
-                  {
-                    port = 10881;
-                    protocol = "dokodemo-door";
-                    settings = { network = "tcp,udp"; followRedirect = true; };
-                    streamSettings.sockopt.tproxy = "tproxy";
-                    tag = "xmu-in";
-                  }
-                  {
-                    port = 10883;
-                    protocol = "dokodemo-door";
-                    settings = { network = "tcp,udp"; followRedirect = true; };
-                    streamSettings.sockopt.tproxy = "tproxy";
-                    tag = "proxy-in";
-                  }
-                  { port = 10884; protocol = "socks"; settings.udp = true; tag = "proxy-socks-in"; }
-                  { port = 10882; protocol = "socks"; settings.udp = true; tag = "direct-in"; }
+                  { address = chinaDns; expectIPs = [ "geoip:cn" ]; }
+                  { address = foreignDns; }
                 ];
-                outbounds =
-                [
-                  {
-                    protocol = "vless";
-                    settings.vnext =
-                    [{
-                      address = xray.client.xray.serverAddress;
-                      port = 443;
-                      users =
-                      [{
-                        id = inputs.config.sops.placeholder."xray-client/uuid";
-                        encryption = "none";
-                        flow = "xtls-rprx-vision-udp443";
-                      }];
-                    }];
-                    streamSettings =
-                    {
-                      network = "raw";
-                      security = "reality";
-                      realitySettings =
-                      {
-                        serverName = xray.client.xray.serverName;
-                        publicKey = "Nl0eVZoDF9d71_3dVsZGJl3UWR9LCv3B14gu7G6vhjk";
-                        fingerprint = "firefox";
-                      };
-                    };
-                    tag = "proxy-vless";
-                  }
-                  { protocol = "freedom"; tag = "direct"; }
-                  { protocol = "dns"; tag = "dns-out"; }
-                  {
-                    protocol = "socks";
-                    settings.servers = [{ address = "127.0.0.1"; port = 10069; }];
-                    tag = "xmu-out";
-                  }
-                  { protocol = "blackhole"; tag = "block"; }
-                ];
-                routing =
-                {
-                  domainStrategy = "AsIs";
-                  rules = builtins.map (rule: rule // { type = "field"; })
-                  [
-                    { inboundTag = [ "dns-in" ]; outboundTag = "dns-out"; }
-                    { inboundTag = [ "dns-internal" ]; ip = [ chinaDns ]; outboundTag = "direct"; }
-                    { inboundTag = [ "dns-internal" ]; ip = [ foreignDns ]; outboundTag = "proxy-vless"; }
-                    { inboundTag = [ "dns-internal" ]; outboundTag = "block"; }
-                    { inboundTag = [ "xmu-in" ]; outboundTag = "xmu-out"; }
-                    { inboundTag = [ "direct-in" ]; outboundTag = "direct"; }
-                    { inboundTag = [ "proxy-in" "proxy-socks-in" ]; outboundTag = "proxy-vless"; }
-                    { inboundTag = [ "common-in" ]; domain = [ "geosite:geolocation-cn" ]; outboundTag = "direct"; }
-                    {
-                      inboundTag = [ "common-in" ];
-                      domain = [ "geosite:geolocation-!cn" ];
-                      outboundTag = "proxy-vless";
-                    }
-                    { inboundTag = [ "common-in" ]; ip = [ "geoip:cn" ]; outboundTag = "direct"; }
-                    { inboundTag = [ "common-in" ]; outboundTag = "proxy-vless"; }
-                  ];
-                };
+                disableCache = true;
+                queryStrategy = "UseIPv4";
+                tag = "dns-internal";
               };
+              inbounds =
+              [
+                {
+                  port = 10853;
+                  protocol = "dokodemo-door";
+                  settings = { address = "8.8.8.8"; network = "tcp,udp"; port = 53; };
+                  tag = "dns-in";
+                }
+                {
+                  port = 10880;
+                  protocol = "dokodemo-door";
+                  settings = { network = "tcp,udp"; followRedirect = true; };
+                  streamSettings.sockopt.tproxy = "tproxy";
+                  sniffing = { enabled = true; destOverride = [ "http" "tls" "quic" ]; routeOnly = true; };
+                  tag = "common-in";
+                }
+                {
+                  port = 10881;
+                  protocol = "dokodemo-door";
+                  settings = { network = "tcp,udp"; followRedirect = true; };
+                  streamSettings.sockopt.tproxy = "tproxy";
+                  tag = "xmu-in";
+                }
+                {
+                  port = 10883;
+                  protocol = "dokodemo-door";
+                  settings = { network = "tcp,udp"; followRedirect = true; };
+                  streamSettings.sockopt.tproxy = "tproxy";
+                  tag = "proxy-in";
+                }
+                { port = 10884; protocol = "socks"; settings.udp = true; tag = "proxy-socks-in"; }
+                { port = 10882; protocol = "socks"; settings.udp = true; tag = "direct-in"; }
+              ];
+              outbounds =
+              [
+                {
+                  protocol = "vless";
+                  settings.vnext =
+                  [{
+                    address = xray.client.xray.serverAddress;
+                    port = 443;
+                    users =
+                    [{
+                      id = inputs.config.sops.placeholder."xray-client/uuid";
+                      encryption = "none";
+                      flow = "xtls-rprx-vision-udp443";
+                    }];
+                  }];
+                  streamSettings =
+                  {
+                    network = "raw";
+                    security = "reality";
+                    realitySettings =
+                    {
+                      inherit (xray.client.xray) serverName;
+                      publicKey = "Nl0eVZoDF9d71_3dVsZGJl3UWR9LCv3B14gu7G6vhjk";
+                      fingerprint = "firefox";
+                    };
+                  };
+                  tag = "proxy-vless";
+                }
+                { protocol = "freedom"; tag = "direct"; }
+                { protocol = "dns"; tag = "dns-out"; }
+                {
+                  protocol = "socks";
+                  settings.servers = [{ address = "127.0.0.1"; port = 10069; }];
+                  tag = "xmu-out";
+                }
+                { protocol = "blackhole"; tag = "block"; }
+              ];
+              routing =
+              {
+                domainStrategy = "AsIs";
+                rules = builtins.map (rule: rule // { type = "field"; })
+                [
+                  { inboundTag = [ "dns-in" ]; outboundTag = "dns-out"; }
+                  { inboundTag = [ "dns-internal" ]; ip = [ chinaDns ]; outboundTag = "direct"; }
+                  { inboundTag = [ "dns-internal" ]; ip = [ foreignDns ]; outboundTag = "proxy-vless"; }
+                  { inboundTag = [ "dns-internal" ]; outboundTag = "block"; }
+                  { inboundTag = [ "xmu-in" ]; outboundTag = "xmu-out"; }
+                  { inboundTag = [ "direct-in" ]; outboundTag = "direct"; }
+                  { inboundTag = [ "proxy-in" "proxy-socks-in" ]; outboundTag = "proxy-vless"; }
+                  { inboundTag = [ "common-in" ]; domain = [ "geosite:geolocation-cn" ]; outboundTag = "direct"; }
+                  {
+                    inboundTag = [ "common-in" ];
+                    domain = [ "geosite:geolocation-!cn" ];
+                    outboundTag = "proxy-vless";
+                  }
+                  { inboundTag = [ "common-in" ]; ip = [ "geoip:cn" ]; outboundTag = "direct"; }
+                  { inboundTag = [ "common-in" ]; outboundTag = "proxy-vless"; }
+                ];
+              };
+            };
           };
           secrets."xray-client/uuid" = {};
         };
@@ -215,93 +216,26 @@ inputs:
             };
             restartTriggers = [ inputs.config.sops.templates."xray-client.json".file ];
           };
-          # TODO: use existing options
           v2ray-forwarder =
           {
             description = "v2ray-forwarder Daemon";
             after = [ "network.target" ];
             wantedBy = [ "multi-user.target" ];
-            serviceConfig =
-              let
-                ip = "${inputs.pkgs.iproute2}/bin/ip";
-                nft = "${inputs.pkgs.nftables}/bin/nft";
-                autoPort = "10880";
-                xmuPort = "10881";
-                proxyPort = "10883";
-              in
-              {
-                Type = "oneshot";
-                RemainAfterExit = true;
-                ExecStart =
-                  let
-                    loNet =
-                    [
-                      "0.0.0.0/8" "10.0.0.0/8" "100.64.0.0/10" "127.0.0.0/8" "169.254.0.0/16" "172.16.0.0/12"
-                      "192.0.0.0/24" "192.88.99.0/24" "192.168.0.0/16" "59.77.0.143" "198.18.0.0/15"
-                      "198.51.100.0/24" "203.0.113.0/24" "224.0.0.0/4" "240.0.0.0/4"
-                    ];
-                    loNetStr = builtins.concatStringsSep ", " loNet;
-                    noproxyUserStr = builtins.concatStringsSep ", " (builtins.map
-                      (user: builtins.toString inputs.config.nixos.user.uid.${user})
-                      (xray.client.v2ray-forwarder.noproxyUsers ++ [ "v2ray" ]));
-                    nftConfigFile = inputs.pkgs.writeText "v2ray.nft"
-                    ''
-                      table inet v2ray {
-                        set lo_net { type ipv4_addr; flags interval; elements = { ${loNetStr} }; }
-                        set xmu_net { type ipv4_addr; flags interval; }
-                        set noproxy_net { type ipv4_addr; flags interval; elements = { 223.5.5.5 }; }
-                        set noproxy_src_net { type ipv4_addr; flags interval; }
-                        set proxy_net { type ipv4_addr; flags interval; elements = { 8.8.8.8 }; }
-
-                        chain prerouting {
-                          type filter hook prerouting priority mangle; policy accept;
-                          meta l4proto != { tcp, udp } counter return
-
-                          # 对于目标地址为本机的新建的流，标记并永不代理
-                          fib daddr type local ct state new counter ct mark set ct mark | 1 return
-                          ct mark & 1 == 1 counter return
-
-                          ip saddr @noproxy_src_net return
-                          ip daddr @noproxy_net return
-                          ip saddr != 172.16.0.0/12 ip daddr @xmu_net meta l4proto { tcp, udp } \
-                            tproxy ip to :${xmuPort} meta mark set meta mark | 1
-                          ip daddr @proxy_net meta l4proto { tcp, udp } tproxy ip to :${proxyPort} \
-                            meta mark set meta mark | 1
-                          ip daddr @lo_net return
-                          meta l4proto { tcp, udp } tproxy ip to :${autoPort} meta mark set meta mark | 1
-
-                          return
-                        }
-
-                        chain output {
-                          type route hook output priority mangle; policy accept;
-                          ct mark & 1 == 1 counter return
-                          meta skuid { ${noproxyUserStr} } return
-
-                          ip saddr @noproxy_src_net return
-                          ip daddr @noproxy_net return
-                          ip daddr @xmu_net meta mark set meta mark | 1
-                          ip daddr @proxy_net meta mark set meta mark | 1
-                          ip daddr @lo_net return
-                          meta l4proto { tcp, udp } meta mark set meta mark | 1
-
-                          return
-                        }
-                      }
-                    '';
-                  in inputs.pkgs.writeShellScript "v2ray-forwarder.start"
-                  ''
-                    ${nft} -f ${nftConfigFile}
-                    ${ip} rule add fwmark 1/1 table 100
-                    ${ip} route add local 0.0.0.0/0 dev lo table 100
-                  '';
-                ExecStop = inputs.pkgs.writeShellScript "v2ray-forwarder.stop"
-                ''
-                  ${nft} delete table inet v2ray
-                  ${ip} rule del fwmark 1/1 table 100
-                  ${ip} route del local 0.0.0.0/0 dev lo table 100
-                '';
-              };
+            serviceConfig = let ip = "${inputs.pkgs.iproute2}/bin/ip"; in
+            {
+              Type = "oneshot";
+              RemainAfterExit = true;
+              ExecStart = inputs.pkgs.writeShellScript "v2ray-forwarder.start"
+              ''
+                ${ip} rule add fwmark 1/1 table 100
+                ${ip} route add local 0.0.0.0/0 dev lo table 100
+              '';
+              ExecStop = inputs.pkgs.writeShellScript "v2ray-forwarder.stop"
+              ''
+                ${ip} rule del fwmark 1/1 table 100
+                ${ip} route del local 0.0.0.0/0 dev lo table 100
+              '';
+            };
           };
         };
         users =
@@ -310,12 +244,77 @@ inputs:
           groups.v2ray.gid = inputs.config.nixos.user.gid.v2ray;
         };
         environment.etc."resolv.conf".text = "nameserver 127.0.0.1";
-        networking.firewall =
+        networking =
         {
-          allowedTCPPorts = [ 53 ];
-          allowedUDPPorts = [ 53 ];
-          allowedTCPPortRanges = [{ from = 10880; to = 10884; }];
-          allowedUDPPortRanges = [{ from = 10880; to = 10884; }];
+          nftables.tables.v2ray =
+          {
+            family = "inet";
+            content =
+              let
+                autoPort = "10880";
+                xmuPort = "10881";
+                proxyPort = "10883";
+                loNet =
+                [
+                  "0.0.0.0/8" "10.0.0.0/8" "100.64.0.0/10" "127.0.0.0/8" "169.254.0.0/16" "172.16.0.0/12"
+                  "192.0.0.0/24" "192.88.99.0/24" "192.168.0.0/16" "59.77.0.143" "198.18.0.0/15"
+                  "198.51.100.0/24" "203.0.113.0/24" "224.0.0.0/4" "240.0.0.0/4"
+                ];
+                loNetStr = builtins.concatStringsSep ", " loNet;
+                noproxyUserStr = builtins.concatStringsSep ", " (builtins.map
+                  (user: builtins.toString inputs.config.nixos.user.uid.${user})
+                  (xray.client.v2ray-forwarder.noproxyUsers ++ [ "v2ray" ]));
+              in
+              ''
+                set lo_net { type ipv4_addr; flags interval; elements = { ${loNetStr} }; }
+                set xmu_net { type ipv4_addr; flags interval; }
+                set noproxy_net { type ipv4_addr; flags interval; elements = { 223.5.5.5 }; }
+                set noproxy_src_net { type ipv4_addr; flags interval; }
+                set proxy_net { type ipv4_addr; flags interval; elements = { 8.8.8.8 }; }
+
+                chain prerouting {
+                  type filter hook prerouting priority mangle; policy accept;
+                  meta l4proto != { tcp, udp } counter return
+
+                  # 对于目标地址为本机的新建的流，标记并永不代理
+                  fib daddr type local ct state new counter ct mark set ct mark | 1 return
+                  ct mark & 1 == 1 counter return
+
+                  ip saddr @noproxy_src_net return
+                  ip daddr @noproxy_net return
+                  ip saddr != 172.16.0.0/12 ip daddr @xmu_net meta l4proto { tcp, udp } \
+                    tproxy ip to :${xmuPort} meta mark set meta mark | 1
+                  ip daddr @proxy_net meta l4proto { tcp, udp } tproxy ip to :${proxyPort} \
+                    meta mark set meta mark | 1
+                  ip daddr @lo_net return
+                  meta l4proto { tcp, udp } tproxy ip to :${autoPort} meta mark set meta mark | 1
+
+                  return
+                }
+
+                chain output {
+                  type route hook output priority mangle; policy accept;
+                  ct mark & 1 == 1 counter return
+                  meta skuid { ${noproxyUserStr} } return
+
+                  ip saddr @noproxy_src_net return
+                  ip daddr @noproxy_net return
+                  ip daddr @xmu_net meta mark set meta mark | 1
+                  ip daddr @proxy_net meta mark set meta mark | 1
+                  ip daddr @lo_net return
+                  meta l4proto { tcp, udp } meta mark set meta mark | 1
+
+                  return
+                }
+              '';
+          };
+          firewall =
+          {
+            allowedTCPPorts = [ 53 ];
+            allowedUDPPorts = [ 53 ];
+            allowedTCPPortRanges = [{ from = 10880; to = 10884; }];
+            allowedUDPPortRanges = [{ from = 10880; to = 10884; }];
+          };
         };
       }
     )
@@ -327,11 +326,7 @@ inputs:
             .xray-server.clients;
         in
         {
-          services.xray =
-          {
-            enable = true;
-            settingsFile = inputs.config.sops.templates."xray-server.json".path;
-          };
+          services.xray = { enable = true; settingsFile = inputs.config.sops.templates."xray-server.json".path; };
           sops =
           {
             templates."xray-server.json" =
@@ -353,7 +348,7 @@ inputs:
                       protocol = "vless";
                       settings =
                       {
-                        clients = map
+                        clients = builtins.map
                           (n:
                           {
                             id = inputs.config.sops.placeholder."xray-server/clients/${n}";

modules/system/fileSystems/nfs.nix

@@ -13,41 +13,45 @@ inputs:
     ]);
     default = {};
   };
-  config = let inherit (inputs.config.nixos.system.fileSystems.mount) nfs; in inputs.lib.mkIf (nfs != {})
-  {
-    fileSystems = builtins.listToAttrs (builtins.map
-      (device:
+  config =
+    let inherit (inputs.config.nixos.system.fileSystems.mount) nfs;
+    in inputs.lib.mkIf (nfs != {}) (inputs.lib.mkMerge
+    [
       {
-        name = device.value.mountPoint or device.value;
-        value =
+        fileSystems = builtins.listToAttrs (builtins.map
+          (device:
+          {
+            name = device.value.mountPoint or device.value;
+            value =
+            {
+              device = device.name;
+              fsType = "nfs4";
+              neededForBoot = device.value.hard or true;
+              options = builtins.concatLists
+              [
+                # sync every seconds
+                [ "actimeo=1" "noatime" ]
+                # when try to mount at startup, wait 15 minutes before giving up
+                (inputs.lib.optionals (device.value.hard or true) [ "retry=15" "x-systemd.device-timeout=15min" ])
+                # do not fail, just try continuously in background
+                # nfs4 use tcp, tcp itself will retransmit several times, which is enough
+                (inputs.lib.optionals (!(device.value.hard or true))
+                  [ "bg" "soft" "retrans=1" "timeo=20" "softreval" "x-systemd.requires=network-online.target" ])
+              ];
+            };
+          })
+          (inputs.localLib.attrsToList nfs));
+        services.rpcbind.enable = true;
+      }
+      (inputs.lib.mkIf (builtins.any (mount: mount.hard or true) (builtins.attrValues nfs))
+      {
+        boot.initrd.systemd.extraBin =
         {
-          device = device.name;
-          fsType = "nfs4";
-          neededForBoot = device.value.hard or true;
-          options = builtins.concatLists
-          [
-            # sync every seconds
-            [ "actimeo=1" "noatime" ]
-            # when try to mount at startup, wait 15 minutes before giving up
-            (inputs.lib.optionals (device.value.hard or true) [ "retry=15" "x-systemd.device-timeout=15min" ])
-            # do not fail, just try continuously in background
-            # nfs4 use tcp, tcp itself will retransmit several times, which is enough
-            (inputs.lib.optionals (!(device.value.hard or true))
-              [ "bg" "soft" "retrans=1" "timeo=20" "softreval" "x-systemd.requires=network-online.target" ])
-          ];
+          "ifconfig" = "${inputs.pkgs.nettools}/bin/ifconfig";
+          "mount.nfs" = "${inputs.pkgs.nfs-utils}/bin/mount.nfs";
+          "mount.nfs4" = "${inputs.pkgs.nfs-utils}/bin/mount.nfs4";
         };
+        nixos.system.initrd.network = {};
       })
-      (inputs.localLib.attrsToList nfs));
-    boot.initrd = inputs.lib.mkIf (builtins.any (mount: mount.hard or true) (builtins.attrValues nfs))
-    {
-      network.enable = true;
-      systemd.extraBin =
-      {
-        "ifconfig" = "${inputs.pkgs.nettools}/bin/ifconfig";
-        "mount.nfs" = "${inputs.pkgs.nfs-utils}/bin/mount.nfs";
-        "mount.nfs4" = "${inputs.pkgs.nfs-utils}/bin/mount.nfs4";
-      };
-    };
-    services.rpcbind.enable = true;
-  };
+    ]);
 }

modules/system/font.nix

@@ -1,6 +1,6 @@
 inputs:
 {
-  config = inputs.lib.mkIf (builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ])
+  config = inputs.lib.mkIf (inputs.config.nixos.model.type == "desktop")
   {
     fonts =
     {

modules/system/gui.nix

@@ -3,7 +3,7 @@ inputs:
   config = inputs.lib.mkMerge
   [
     # enable gui
-    (inputs.lib.mkIf (builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ])
+    (inputs.lib.mkIf (inputs.config.nixos.model.type == "desktop")
     {
       services =
       {

modules/system/initrd.nix

@@ -3,6 +3,15 @@ inputs:
   options.nixos.system.initrd = let inherit (inputs.lib) mkOption types; in
   {
     sshd = mkOption { type = types.nullOr (types.submodule {}); default = null; };
+    network = mkOption
+    {
+      type = types.nullOr (types.submodule { options =
+      {
+        # null: enable all interfaces configured in systemd.network
+        interfaces = mkOption { type = types.nullOr (types.listOf types.nonEmptyStr); default = null; };
+      };});
+      default = null;
+    };
   };
   config = let inherit (inputs.config.nixos.system) initrd; in inputs.lib.mkMerge
   [
@@ -16,17 +25,54 @@ inputs:
     (
       inputs.lib.mkIf (initrd.sshd != null)
       {
+        boot.initrd.network.ssh =
+          { enable = true; hostKeys = [ "/nix/persistent/etc/ssh/initrd_ssh_host_ed25519_key" ]; };
+        nixos.system.initrd.network = {};
+      }
+    )
+    (
+      inputs.lib.mkIf (initrd.network != null)
+      {
+        assertions =
+        [{
+          assertion = inputs.config.nixos.system.network != null;
+          message = "initrd network requires systemd networkd.";
+        }];
         boot =
         {
           initrd =
           {
-            network =
-            {
-              enable = true;
-              ssh = { enable = true; hostKeys = [ "/nix/persistent/etc/ssh/initrd_ssh_host_ed25519_key" ]; };
-            };
+            network.enable = true;
             # resolved does not work in initrd, causing network.target to fail
             services.resolved.enable = false;
+            systemd.network =
+              let inherit (inputs.config.nixos.system.network) dhcp static bridge; in
+              let
+                networks = inputs.lib.unique
+                (
+                  dhcp ++ (builtins.attrNames static) ++ (builtins.attrNames bridge)
+                  ++ (builtins.concatLists (builtins.map (network: network.interfaces) (builtins.attrValues bridge)))
+                );
+                netdevs = builtins.attrNames bridge;
+              in
+              {
+                networks = builtins.listToAttrs (builtins.map
+                  (network: { name = "10-${network}"; value = inputs.config.systemd.network.networks."10-${network}"; })
+                  (builtins.filter
+                    (network:
+                      if initrd.network.interfaces == null then true
+                      else builtins.elem network initrd.network.interfaces
+                    )
+                    networks));
+                netdevs = builtins.listToAttrs (builtins.map
+                  (netdev: { name = "10-${netdev}"; value = inputs.config.systemd.network.netdevs."10-${netdev}"; })
+                  (builtins.filter
+                    (netdev:
+                      if initrd.network.interfaces == null then true
+                      else builtins.elem netdev initrd.network.interfaces
+                    )
+                    netdevs));
+              };
           };
           # do not use ip=xxx, as it will override systemd-networkd configurations
           # kernelParams = [ "ip=on" ];

modules/system/kernel/default.nix

@@ -4,74 +4,66 @@ inputs:
   {
     variant = mkOption
     {
-      type = types.nullOr (types.enum [ "nixos" "xanmod-lts" "xanmod-latest" "cachyos" "cachyos-lts" ]);
+      type = types.nullOr (types.enum [ "nixos" "xanmod-lts" "xanmod-latest" ]);
       default = "xanmod-lts";
     };
     patches = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
     modules.modprobeConfig = mkOption { type = types.listOf types.str; default = []; };
   };
-  config = let inherit (inputs.config.nixos.system) kernel; in inputs.lib.mkMerge
-  [
+  config = let inherit (inputs.config.nixos.system) kernel; in
+  {
+    boot =
     {
-      boot =
+      kernelModules = [ "br_netfilter" ];
+      # modprobe --show-depends
+      initrd.availableKernelModules =
+      [
+        "bfq" "failover" "net_failover" "nls_cp437" "nls_iso8859-1" "sd_mod"
+        "sr_mod" "usbcore" "usbhid" "usbip-core" "usb-common" "usb_storage" "vhci-hcd" "virtio" "virtio_blk"
+        "virtio_net" "virtio_ring" "virtio_scsi" "cryptd" "libaes"
+        "ahci" "ata_piix" "nvme" "sdhci_acpi" "virtio_pci" "xhci_pci"
+        # network for nas
+        "igb"
+        # disk for srv1
+        "megaraid_sas"
+        # disks for cluster
+        "nfs" "nfsv4"
+        # netowrk for srv1
+        "bnx2x" "tg3"
+        # network for srv2
+        "e1000e" "igb" "atlantic" "igc"
+        # temp wireless for nas
+        "r8712u"
+        # network for srv3
+        "igb"
+        # touchscreen for one
+        "pinctrl-tigerlake"
+        # bridge network
+        "bridge"
+      ]
+        ++ (inputs.lib.optionals (kernel.variant != "nixos") [ "crypto_simd" ]);
+      extraModulePackages = with inputs.config.boot.kernelPackages; [ v4l2loopback zenpower ];
+      extraModprobeConfig = builtins.concatStringsSep "\n" kernel.modules.modprobeConfig;
+      kernelParams = [ "delayacct" ];
+      kernelPackages = inputs.lib.mkIf (kernel.variant != null)
       {
-        kernelModules = [ "br_netfilter" ];
-        # modprobe --show-depends
-        initrd.availableKernelModules =
-        [
-          "bfq" "failover" "net_failover" "nls_cp437" "nls_iso8859-1" "sd_mod"
-          "sr_mod" "usbcore" "usbhid" "usbip-core" "usb-common" "usb_storage" "vhci-hcd" "virtio" "virtio_blk"
-          "virtio_net" "virtio_ring" "virtio_scsi" "cryptd" "libaes"
-          "ahci" "ata_piix" "nvme" "sdhci_acpi" "virtio_pci" "xhci_pci"
-          # networking for nas
-          "igb"
-          # disk for srv1
-          "megaraid_sas"
-          # disks for cluster
-          "nfs" "nfsv4"
-          # netowrk for srv1
-          "bnx2x" "tg3"
-          # network for srv2
-          "e1000e" "igb" "atlantic" "igc"
-          # temp wireless for nas
-          "r8712u"
-          # network for srv3
-          "igb"
-          # touchscreen for one
-          "pinctrl-tigerlake"
-        ]
-          ++ (inputs.lib.optionals (kernel.variant != "nixos") [ "crypto_simd" ]);
-        extraModulePackages = with inputs.config.boot.kernelPackages; [ v4l2loopback zenpower ];
-        extraModprobeConfig = builtins.concatStringsSep "\n" kernel.modules.modprobeConfig;
-        kernelParams = [ "delayacct" ];
-        kernelPackages = inputs.lib.mkIf (kernel.variant != null)
-        {
-          nixos = inputs.pkgs.linuxPackages;
-          xanmod-lts = inputs.pkgs.linuxPackages_xanmod;
-          xanmod-latest = inputs.pkgs.linuxPackages_xanmod_latest;
-          cachyos = inputs.pkgs.linuxPackages_cachyos;
-          # TODO: package cachyos-lts
-          cachyos-lts = inputs.pkgs.linuxPackages_cachyos_lts;
-        }.${kernel.variant};
-        kernelPatches =
-          let
-            patches =
-            {
-              hibernate-progress =
-              [{
-                name = "hibernate-progress";
-                patch =
-                  let version = inputs.lib.versions.majorMinor inputs.config.boot.kernelPackages.kernel.version;
-                  in ./hibernate-progress-${version}.patch;
-              }];
-            };
-          in builtins.concatLists (builtins.map (name: patches.${name}) kernel.patches);
-      };
-    }
-    # enable scx when using cachyos
-    (
-      inputs.lib.mkIf (builtins.elem kernel.variant [ "cachyos" "cachyos-lts" ])
-        { services.scx = { enable = true; scheduler = "scx_rustland"; }; }
-    )
-  ];
+        nixos = inputs.pkgs.linuxPackages;
+        xanmod-lts = inputs.pkgs.linuxPackages_xanmod;
+        xanmod-latest = inputs.pkgs.linuxPackages_xanmod_latest;
+      }.${kernel.variant};
+      kernelPatches =
+        let
+          patches =
+          {
+            hibernate-progress =
+            [{
+              name = "hibernate-progress";
+              patch =
+                let version = inputs.lib.versions.majorMinor inputs.config.boot.kernelPackages.kernel.version;
+                in ./hibernate-progress-${version}.patch;
+            }];
+          };
+        in builtins.concatLists (builtins.map (name: patches.${name}) kernel.patches);
+    };
+  };
 }

modules/system/network.nix

@@ -1,6 +1,6 @@
 inputs:
 {
-  options.nixos.system.networking = let inherit (inputs.lib) mkOption types; in mkOption
+  options.nixos.system.network = let inherit (inputs.lib) mkOption types; in mkOption
   {
     # null: use network-manager; otherwise use networkd
     type = types.nullOr (types.submodule { options =
@@ -17,12 +17,22 @@ inputs:
         };});
         default = {};
       };
+      bridge = mkOption
+      {
+        type = types.attrsOf (types.submodule { options =
+        {
+          interfaces = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
+        };});
+        default = {};
+      };
       # wpa_passphrase SSID(wifi name) PSK(password)
       wireless = mkOption { type = types.nullOr (types.listOf types.nonEmptyStr); default = null; };
+      trust = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
+      masquerade = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
     };});
     default = null;
   };
-  config = let inherit (inputs.config.nixos.system) networking; in inputs.lib.mkMerge
+  config = let inherit (inputs.config.nixos.system) network; in inputs.lib.mkMerge
   [
     # general config
     {
@@ -51,7 +61,7 @@ inputs:
       };
       networking.nftables = { enable = true; flushRuleset = false; };
     }
-    (inputs.localLib.mkConditional (networking == null)
+    (inputs.localLib.mkConditional (network == null)
       {
         networking.networkmanager =
         {
@@ -65,9 +75,9 @@ inputs:
         systemd.network =
         {
           enable = true;
-          networks = builtins.listToAttrs
-          (
-            (builtins.map
+          networks = inputs.lib.mkMerge
+          [
+            (builtins.listToAttrs (builtins.map
               (network:
               {
                 name = "10-${network}";
@@ -78,8 +88,8 @@ inputs:
                   linkConfig.RequiredForOnline = "routable";
                 };
               })
-              networking.dhcp)
-            ++ (builtins.map
+              network.dhcp))
+            (builtins.listToAttrs (builtins.map
               (network:
               {
                 name = "10-${network.name}";
@@ -93,31 +103,63 @@ inputs:
                   dns = inputs.lib.mkIf (network.value.dns != null) [ network.value.dns ];
                 };
               })
-              (inputs.localLib.attrsToList networking.static))
-          );
+              (inputs.localLib.attrsToList network.static)))
+            (builtins.listToAttrs (builtins.map
+              (network:
+              {
+                name = "10-${network.name}";
+                value =
+                {
+                  matchConfig.Name = network.name;
+                  bridgeConfig = {};
+                  linkConfig.RequiredForOnline = "routable";
+                };
+              })
+              (inputs.localLib.attrsToList network.bridge)))
+            (builtins.listToAttrs (builtins.concatLists (builtins.map
+              (bridge: builtins.map
+                (network:
+                {
+                  name = "10-${network}";
+                  value =
+                  {
+                    matchConfig.Name = network;
+                    networkConfig.Bridge = bridge.name;
+                    linkConfig.RequiredForOnline = "enslaved";
+                  };
+                }) bridge.value.interfaces)
+              (inputs.localLib.attrsToList network.bridge))))
+            (builtins.listToAttrs (builtins.map
+              (network: { name = "10-${network}"; value.networkConfig.IPMasquerade = "both"; })
+              network.masquerade))
+          ];
+          netdevs = builtins.listToAttrs (builtins.map
+            (network: { name = "10-${network}"; value.netdevConfig = { Name = network; Kind = "bridge"; }; })
+            (builtins.attrNames network.bridge));
         };
         networking =
         {
           useNetworkd = true;
-          wireless = inputs.lib.mkIf (networking.wireless != null)
+          wireless = inputs.lib.mkIf (network.wireless != null)
           {
             enable = true;
             networks = builtins.listToAttrs (builtins.map
               (network: { name = network; value.pskRaw = "ext:${network}"; })
-              networking.wireless);
+              network.wireless);
             secretsFile = inputs.config.sops.templates."wireless.env".path;
           };
+          firewall.trustedInterfaces = network.trust;
         };
         # dnsable dns fallback, use provided dns servers or no dns
         services.resolved.fallbackDns = [];
-        sops = inputs.lib.mkIf (networking.wireless != null)
+        sops = inputs.lib.mkIf (network.wireless != null)
         {
           templates."wireless.env".content = builtins.concatStringsSep "\n" (builtins.map
             (network: "${network}=${inputs.config.sops.placeholder."wireless/${network}"}")
-            networking.wireless);
+            network.wireless);
           secrets = builtins.listToAttrs (builtins.map
             (network: { name = "wireless/${network}"; value = {}; })
-            networking.wireless);
+            network.wireless);
         };
     })
   ];

modules/system/nixpkgs/buildNixpkgsConfig.nix

@@ -18,10 +18,10 @@ let
       inherit allowInsecurePredicate;
       allowUnfree = true;
       android_sdk.accept_license = true;
+      allowBroken = true;
     }
     // (inputs.lib.optionalAttrs (nixpkgs.march != null)
     {
-      # TODO: test znver3 do use AVX
       oneapiArch = let match = {}; in match.${nixpkgs.march} or nixpkgs.march;
       nvhpcArch = nixpkgs.march;
       # contentAddressedByDefault = true;
@@ -35,12 +35,11 @@ in platformConfig //
   [
     inputs.topInputs.nur-xddxdd.overlays.inSubTree
     inputs.topInputs.nix-vscode-extensions.overlays.default
+    inputs.topInputs.buildproxy.overlays.default
     (final: prev:
     {
       inherit (inputs.topInputs.nix-vscode-extensions.overlays.default final prev) nix-vscode-extensions;
       firefox-addons = (import "${inputs.topInputs.rycee}" { inherit (prev) pkgs; }).firefox-addons;
-      linuxPackages_cachyos_lts =
-        final.linuxPackagesFor (inputs.topInputs.cachyos-lts.overlays.default final prev).linuxPackages_cachyos;
     })
     inputs.topInputs.self.overlays.default
     (final: prev:
@@ -75,41 +74,7 @@ in platformConfig //
             pkgs-unstable =
             {
               source = "nixpkgs-unstable";
-              overlay = final: prev:
-                (inputs.topInputs.self.overlays.default final prev);
-                # {
-                #   ollama = prev.ollama.override { cudaPackages = final.cudaPackages_12_8; };
-                # }
-                # // inputs.lib.optionalAttrs (nixpkgs.march != null)
-                # {
-                #   pythonPackagesExtensions = prev.pythonPackagesExtensions or [] ++ [(final: prev:
-                #   {
-                #     scipy = prev.scipy.overridePythonAttrs (prev:
-                #       { disabledTests = prev.disabledTests or [] ++ [ "test_hyp2f1" ]; });
-                #     rapidocr-onnxruntime = prev.rapidocr-onnxruntime.overridePythonAttrs { doCheck = false; };
-                #     cfn-lint = prev.cfn-lint.overridePythonAttrs { doCheck = false; };
-                #   })];
-                #   rapidjson = prev.rapidjson.overrideAttrs { doCheck = false; };
-                #   ctranslate2 = (prev.ctranslate2.override { withCUDA = false; withCuDNN = false; })
-                #     .overrideAttrs (prev:
-                #       { cmakeFlags = prev.cmakeFlags or [] ++ [ "-DENABLE_CPU_DISPATCH=OFF" ]; });
-                #   valkey = prev.valkey.overrideAttrs { doCheck = false; };
-                # }
-                # // inputs.lib.optionalAttrs
-                #   (builtins.elem nixpkgs.march [ "skylake" "silvermont" "broadwell" "znver3" ])
-                #   { redis = prev.redis.overrideAttrs { doCheck = false; }; }
-                # // inputs.lib.optionalAttrs (prev.stdenv.hostPlatform.avx2Support)
-                # {
-                #   haskellPackages = prev.haskellPackages.override
-                #   {
-                #     overrides = final: prev:
-                #     {
-                #       crypton = prev.crypton.overrideAttrs
-                #         (prev: { configureFlags = prev.configureFlags or [] ++ [ "--ghc-option=-optc-mno-avx2" ]; });
-                #     };
-                #   };
-                # }
-                #   // (inputs.topInputs.self.overlays.default final prev);
+              overlay = inputs.topInputs.self.overlays.default;
             };
           };
           packages = name: import inputs.topInputs.${source.${name}.source or source.${name}}
@@ -123,6 +88,8 @@ in platformConfig //
       )
       // (inputs.lib.optionalAttrs (prev.stdenv.hostPlatform.avx512Support)
         { gsl = prev.gsl.overrideAttrs { doCheck = false; }; })
+      // (inputs.lib.optionalAttrs (nixpkgs.march != null && !prev.stdenv.hostPlatform.avx512Support)
+        { libhwy = prev.libhwy.override { stdenv = final.genericPackages.stdenv; }; })
       // (inputs.lib.optionalAttrs (nixpkgs.march != null)
       {
         libinsane = prev.libinsane.overrideAttrs (prev:
@@ -139,7 +106,6 @@ in platformConfig //
             sed -i '/CPPUNIT_TEST.testDubiousArrayFormulasFODS/d' sc/qa/unit/functions_array.cxx
           '';});});
         opencolorio = prev.opencolorio.overrideAttrs (prev: { doCheck = false; });
-        # TODO: maybe something really broken?
         openvswitch = prev.openvswitch.overrideAttrs (prev: { doCheck = false; });
         rapidjson = prev.rapidjson.overrideAttrs { doCheck = false; };
         valkey = prev.valkey.overrideAttrs { doCheck = false; };
@@ -147,17 +113,18 @@ in platformConfig //
         # https://github.com/embree/embree/issues/115
         embree = prev.embree.override { stdenv = final.genericPackages.stdenv; };
         simde = prev.simde.override { stdenv = final.genericPackages.stdenv; };
+        ctranslate2 = prev.ctranslate2.overrideAttrs (prev:
+          { cmakeFlags = prev.cmakeFlags or [] ++ [ "-DENABLE_CPU_DISPATCH=OFF" ]; });
         pythonPackagesExtensions = prev.pythonPackagesExtensions or [] ++ [(final: prev:
-        {
-          scipy = prev.scipy.overridePythonAttrs (prev:
-            { disabledTests = prev.disabledTests or [] ++ [ "test_hyp2f1" ]; });
-          rich = prev.rich.overridePythonAttrs (prev:
-            { disabledTests = prev.disabledTests or [] ++ [ "test_brokenpipeerror" ]; });
-          # paperwork-backend = prev.paperwork-backend.overrideAttrs (prev: { doCheck = false; });
-        })];
+        (
+          {
+            scipy = prev.scipy.overridePythonAttrs (prev:
+              { disabledTests = prev.disabledTests or [] ++ [ "test_hyp2f1" ]; });
+            rich = prev.rich.overridePythonAttrs (prev:
+              { disabledTests = prev.disabledTests or [] ++ [ "test_brokenpipeerror" ]; });
+          }
+        ))];
         inherit (final.pkgs-2411) intelPackages_2023;
       })
-      # // (inputs.lib.optionalAttrs (nixpkgs.march == "silvermont")
-      #   { c-blosc = prev.c-blosc.overrideAttrs { doCheck = false; }; })
   )];
 }

modules/system/sysctl.nix

@@ -16,6 +16,8 @@ inputs:
         "kernel.sysrq" = 1;
         # set to larger value, otherwise the system will be very slow on low memory machines
         "vm.vfs_cache_pressure" = 100;
+        # when building archive, nix need more than 100k mounts
+        "fs.mount-max" = 1000000;
       };
     }
     (inputs.lib.mkIf (sysctl.laptop-mode != null) { boot.kernel.sysctl."vm.laptop_mode" = sysctl.laptop-mode; })

modules/user/chn/plasma/autostart.nix

@@ -1,6 +1,6 @@
 inputs:
 {
-  config = inputs.lib.mkIf (builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ])
+  config = inputs.lib.mkIf (inputs.config.nixos.model.type == "desktop")
   {
     home-manager.users.chn.config.home.file =
       let

modules/user/chn/plasma/shortcuts.nix

@@ -1,6 +1,6 @@
 inputs:
 {
-  config = inputs.lib.mkIf (builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ])
+  config = inputs.lib.mkIf (inputs.config.nixos.model.type == "desktop")
   {
     home-manager.users.chn.config.programs.plasma =
     {

modules/user/default.nix

@@ -32,6 +32,8 @@ inputs:
         alikia = 1018;
         pen = 1019;
         reonokiy = 1020;
+        zqq = 1021;
+        zgq = 1022;
         misskey-misskey = 2000;
         misskey-misskey-old = 2001;
         frp = 2002;
@@ -117,7 +119,12 @@ inputs:
       users.users.root =
       {
         shell = inputs.pkgs.zsh;
-        openssh.authorizedKeys.keys = [(builtins.readFile ./chn/id_ed25519_sk.pub)];
+        openssh.authorizedKeys.keys = inputs.lib.mkMerge
+        [
+          [(builtins.readFile ./chn/id_ed25519_sk.pub)]
+          (inputs.lib.mkIf (inputs.config.nixos.model.cluster.clusterName or null == "srv1")
+            [(builtins.readFile ./zgq/id_ed25519.pub)])
+        ];
         hashedPassword = "$y$j9T$.UyKKvDnmlJaYZAh6./rf/$65dRqishAiqxCE6LEMjqruwJPZte7uiyYLVKpzdZNH5";
       };
       home-manager.users.root = homeInputs:

modules/user/hjp/default.nix

@@ -2,7 +2,7 @@ inputs:
 {
   config = let inherit (inputs.config.nixos) user; in inputs.lib.mkIf (builtins.elem "hjp" user.users)
   {
-    home-manager.users.hjp.config.programs.zsh.initExtra =
+    home-manager.users.hjp.config.programs.zsh.initContent =
     ''
       export PATH=$PATH:/home/hjp/software/intel/oneapi/compiler/latest/bin
       export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/home/hjp/software/intel/oneapi/compiler/latest/lib

modules/user/zgq/default.nix

@@ -0,0 +1,8 @@
+inputs:
+{
+  config = let inherit (inputs.config.nixos) user; in inputs.lib.mkIf (builtins.elem "zgq" user.users)
+  {
+    users.users.zgq.extraGroups = inputs.lib.mkIf (inputs.config.nixos.model.cluster.clusterName or null == "srv1")
+      [ "wheel" ];
+  };
+}

modules/user/zgq/id_ed25519.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKHnhPmiGpuK0OlMPLM9QFYpjcr5/WoG8IFoC9EDLSqc zgq

modules/user/zqq/id_ed25519.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM+Hi3Jo/xb7vDm5L75jybjjrE6z7quveuKd0mTeXDP zqq@xmupc1

packages/blog-buildproxy.nix

@@ -0,0 +1,17 @@
+{ fetchurl }:
+[
+  {
+    url = "https://cdn.jsdelivr.net/npm/flexsearch@0.8.143/dist/flexsearch.bundle.min.js";
+    file = fetchurl
+    {
+      url = "https://cdn.jsdelivr.net/npm/flexsearch@0.8.143/dist/flexsearch.bundle.min.js";
+      sha256 = "0k3g87h84s667m7zphlsaqzvkdka4rszq5pw66cvngjpi8d98gj3";
+    };
+    status_code = 200;
+    headers =
+    {
+      "content-type" = "application/javascript; charset=utf-8";
+      "content-length" = "46087";
+    };
+  }
+]

packages/default.nix

@@ -1,7 +1,6 @@
 inputs: rec
 {
   vesta = inputs.pkgs.callPackage ./vesta.nix { src = inputs.topInputs.self.src.vesta; };
-  rsshub = inputs.pkgs.callPackage ./rsshub.nix { inherit mkPnpmPackage; src = inputs.topInputs.rsshub; };
   misskey = inputs.pkgs.callPackage ./misskey.nix
   {
     inherit mkPnpmPackage;
@@ -26,11 +25,12 @@ inputs: rec
   tgbot-cpp = inputs.pkgs.callPackage ./tgbot-cpp.nix { src = inputs.topInputs.tgbot-cpp; };
   mirism-old = inputs.pkgs.callPackage ./mirism-old.nix
   {
-    inherit cppcoro nameof tgbot-cpp date;
+    inherit cppcoro nameof date;
+    inherit (inputs.pkgs.pkgs-2305) boost;
     src = inputs.topInputs.self.src.mirism-old;
-    nghttp2 = inputs.pkgs.callPackage "${inputs.topInputs.nixpkgs-2305}/pkgs/development/libraries/nghttp2"
-      { enableAsioLib = true; stdenv = inputs.pkgs.gcc12Stdenv; };
+    nghttp2 = inputs.pkgs.pkgs-2305.nghttp2.override { enableAsioLib = true; };
     stdenv = inputs.pkgs.gcc12Stdenv;
+    tgbot-cpp = tgbot-cpp.override { stdenv = inputs.pkgs.gcc12Stdenv; };
   };
   cppcoro = inputs.pkgs.callPackage ./cppcoro { src = inputs.topInputs.cppcoro; };
   date = inputs.pkgs.callPackage ./date.nix { src = inputs.topInputs.date; };
@@ -120,7 +120,11 @@ inputs: rec
   };
   stickerpicker = inputs.pkgs.python3Packages.callPackage ./stickerpicker.nix { src = inputs.topInputs.stickerpicker; };
   info = inputs.pkgs.callPackage ./info { inherit biu; stdenv = inputs.pkgs.clang18Stdenv; };
-  blog = inputs.pkgs.callPackage inputs.topInputs.blog { inherit (inputs.topInputs) hextra; };
+  blog = inputs.pkgs.callPackage inputs.topInputs.blog
+  {
+    inherit (inputs.topInputs) hextra;
+    buildProxy = inputs.pkgs.lib.mkBuildproxy ./blog-buildproxy.nix;
+  };
   phono3py = inputs.pkgs.python3Packages.callPackage ./phono3py.nix { src = inputs.topInputs.phono3py; };
   vm = inputs.pkgs.callPackage ./vm { inherit biu; stdenv = inputs.pkgs.clang18Stdenv; };
   oneapiPackages = inputs.pkgs.lib.makeScope inputs.pkgs.newScope (final:

packages/rsshub.nix

@@ -1,25 +0,0 @@
-{
-  lib, mkPnpmPackage, nodejs, writeShellScript,
-  bash, chromium, src, git
-}: (mkPnpmPackage.override { inherit nodejs; })
-  {
-    inherit src;
-    extraNativeBuildInputs = [ bash git ];
-    extraAttrs =
-    {
-      PUPPETEER_SKIP_DOWNLOAD = true;
-      postInstall =
-        let startScript = writeShellScript "rsshub"
-        ''
-          export PATH=${lib.makeBinPath [ bash nodejs nodejs.pkgs.pnpm chromium git ]}:$PATH
-          export CHROMIUM_EXECUTABLE_PATH=chromium
-          export COREPACK_ENABLE_STRICT=0
-          pnpm start
-        '';
-        in
-        ''
-          mkdir -p $out/bin
-          cp ${startScript} $out/bin/rsshub
-        '';
-    };
-  }

packages/tgbot-cpp.nix

@@ -4,5 +4,6 @@
   inherit src;
   nativeBuildInputs = [ cmake pkg-config ];
   buildInputs = [ boost openssl zlib curl ];
+  cmakeFlags = [ "-DBUILD_SHARED_LIBS=ON" ];
   propagatedBuildInputs = buildInputs;
 }