debug

modules.services.xray: add debug info
modules.services.xray: revert version
2026-01-12 04:19:22 +08:00 · 2025-06-25 21:19:29 +08:00 · 2025-06-25 21:16:04 +08:00 · 2025-06-25 21:03:49 +08:00 · 2025-06-25 20:52:19 +08:00 · 2025-06-25 13:04:46 +08:00
138 changed files with 1800 additions and 1802 deletions
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,6 +1 @@
-*.png filter=lfs diff=lfs merge=lfs -text
-*.icm filter=lfs diff=lfs merge=lfs -text
-*.jpg filter=lfs diff=lfs merge=lfs -text
-*.webp filter=lfs diff=lfs merge=lfs -text
-*.efi filter=lfs diff=lfs merge=lfs -text
 flake/branch.nix merge=ours
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -54,3 +54,6 @@ creation_rules:
  - path_regex: devices/cross/secrets/chn.yaml$
    key_groups:
    - age: [ *chn, *pc, *one, *nas ]
+  - path_regex: devices/cross/secrets/acme.yaml$
+    key_groups:
+    - age: [ *chn, *nas, *pc, *srv3, *vps4, *vps6 ]
--- a/devices/cross/secrets/acme.yaml
+++ b/devices/cross/secrets/acme.yaml
@@ -0,0 +1,62 @@
+acme:
+    token: ENC[AES256_GCM,data:Zm4vCgYbrm8wtYMYqtRkMF7hm8feTcZXITKbJgWsgagWbbHE5Z8zoA==,iv:RSRw188gjoAdhTErApuF8tBSsD+aT3LGhifcy417Qzw=,tag:4ZHfkW8aCJ6BW8mtL261yQ==,type:str]
+sops:
+    age:
+        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwOFEwcjQyUmlpRDJ1WVFt
+            WUJVM29wdTFwZmNWTHNkMFpjeThCaGt0VkJjCjZ1bnNGVnF0dmdKVE1VdzJoeXJk
+            ZXM0b0NZeENMY2g0R203Rnc4Y2x3QTQKLS0tIHVPc1NuaGx5ZE92R3VTenpiRGNI
+            UWhxZVBpL1VSMVFabVJ3WWUrMjlrRTAKpya6EFm4EQ3o35C5Bdyyaw4Qys8IM2fe
+            OrA5b9xElsEhfGzkpRXkEtsbMhbbpNu0zvDBpylU8rU70tffcWh1sA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age19lhcwk37jmvn6z0v4dpdfh0k4u23f76twdjknc0p7atktf37rd7s4t4wj3
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvdUowREVqOXBiZE02RUU2
+            RVU3MkxNVFRiaUFHQzlzdXpQNFRvanhDMGdjCm1qUytTNzAyY3g1OXI4L0hmK2Va
+            a0hJem5FNkFYTnBxbnhJT0QrbVBzdk0KLS0tIDkxeGYwTnNaUVVBa2NxT1dGWVRF
+            UE9uY2tjdE1ZTVFXSWI5czE1ZHVBV0UKYHyDTeejdMwfYW2u6r9MWZ9qJU2mTYJx
+            qK2/91+T5/paq23+gEpMJeCbCMfcws9xeaf4KgWdBr/JNgjNQ3mhyQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ffvr5pqd2lfj24e3fh53s92z6h76fda3du4y4k6r3yjumdwvpfgqzj033a
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIbjBLelBWR0ZpZEFrL3A2
+            UExIamd3aElvZUNCK2VwZVJrdHMyWGZNYnhJCnBoUlF4ZWtKMDVIYzhqUlpxZXpr
+            UlY4VnVwcFkxMzc0Q0VoQW03QU9BODQKLS0tIGtoRStxL3BFd09CMi9zT0pwZEwr
+            d0hRWnVQOWVxdGRxRXpBZGtMQ24xbm8KtlIU+T++8IQRDLXAH1pBXa6hNqHD19ti
+            AIZGn7+Eh/b6wOkndNpzLCWGVVm9yo7qMY7AzYNIz7SU/9a0JPGuGQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1n4lhfwv7g0vhx54exmwx9yv2z04m3h2lunzpa5zdzgtcvjjuf5nqc36g8a
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxbFVkbjdHWm9xTlEwbzBE
+            Ky9KcjVvc0l2ZkJnOVdxVzFpUDMydDRuNWtVCmpkYXl1dG91TG84em16cFlRcG5y
+            WTBKM1VuWmV3dUlpcE1ka093aHh6REEKLS0tIC91OHF0TnhDUjlqVWcvMjl1czlm
+            YVRXZS9PRVpwNmFaY3pNT0JZNzB3R2MKHClUpTySdpU8AFNYoqT37KWkJbPgmd2+
+            UhtufEWWgSL6j/npU0yxHNcsmU5gfd45TnTxp4sSOupJUDM0B4FKlQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1yvrl4y0r6yzcxzzkgfwshlrtsjt8uuya6rfwks09pnft7esfcyvqmrtm5q
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBObkt4a25UcGo4MnoxOVJQ
+            WkF6elVWODYvSWw1QWtPYTJKS1gxUXRDVjNJCndNcU5GUHhMZW5uTzNpV2NtYUVh
+            K0dYNGlmRzd5ZkZVaGd3cjJFVEFSMXMKLS0tIEVRQWtaY0d3TERsV0ZNcVc0Vyty
+            WnZxTGxOY0NROU4vYTl1WWREemptaDAKhzzRPyr370b7ccTM5DE+jOczmXDqZBt5
+            fYQ04+yLjcULNhqlu52mJRH1X5Se2pXbCzEG6JFiKCEra0wiYhoo5Q==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age164tyqklwhdm57tfm5u863mdt2xrzrrzac4py8a0j9y6kzqcjy9zsp073t6
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzbjRpMWZ6eXZubjVUUlNL
+            Z0N3ZkhoeVoxVzVwMHJzQzhJVjZ5MFhTU3dFCllwVWVWbm1KMTlUcEd0empxS1J2
+            NzRSbkE5cEJLMmZCcjZBMTF0TUF2SEUKLS0tIFN6TVNEMU4rVVl1OEdzWGJSRmdl
+            cndmbU16NkRmMHo5ZlJYMUFBUmlIZDQKNVXn3/twQKZC+74tRlpG2wx0hLEZuuka
+            DKtNg6nnhd/UsVNF6/MSTwjnwXeilNemV7ffAbSE4tixcfBV3niILg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-06-09T13:04:33Z"
+    mac: ENC[AES256_GCM,data:xKqvMTW+TTKPtuHh/pSGvxXXIpeKtzVWgwKPibGX9UTIpnDNzfylmkT6OouqQyI/HTQmiL67ch6gaFSMAbXfpw7JA9YpKif6p84rs3RelKzRLKinDpUtcvWhY1DEA2nsNWOdFHxu7EZhHRbXttRoB372kdV5063MJRvwuqslMpo=,iv:T4ff9w1AYGO9JIzuJz6VbPoS19OcIy9zFvOMLp3F2LE=,tag:x5Yk7tVSilKK68ZRhAnsIw==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2
--- a/devices/cross/secrets/default.yaml
+++ b/devices/cross/secrets/default.yaml
@@ -28,13 +28,13 @@ users:
    pen: ENC[AES256_GCM,data:XOKXV0YSFbHC3I3xO8fpWvYerNfVFg2afs+CUp2MZB+yt9KR5bTJdVOfUGldLbWH5CR4v5FxTrTujv24wJ710Rfyugxh9aFJ/w==,iv:tHLoO+XpdUk8S56QUiJQOpVO9C5epam9PMubMN+8fHw=,tag:H0srWRigNUedQMIAfJlfjg==,type:str]
    #ENC[AES256_GCM,data:K6O0TIYYGZmM8iOwsQ==,iv:xtT8Psnoy51V9gsRo335+VT56FXTcMQ3d4/tnuWouew=,tag:k8irtZ33G3UFK++rzcmyiw==,type:comment]
    reonokiy: ENC[AES256_GCM,data:fPKdOPAKbXUvK5Jj08T0iSD23mhhkTXCexgB5q3v5JS4c6V4S+W14WOkS4UHrMQls/rHslw0NyMzS5G27A+5vN+EN+xJZfuRGg==,iv:tSdNOgs61tyt7/hUKt8bfKvpq9qOQU14ligdxBs/ATs=,tag:6IoS/p2StKtFREIpxsWkdg==,type:str]
+    #ENC[AES256_GCM,data:cZznknXjlWF6eoEaTA==,iv:tdw/54W2evO1o5sq1syz3k0DZrm/rjflxqJpB9LZgvg=,tag:d60Ctc5YeSmhZJUURUmeSg==,type:comment]
+    zqq: ENC[AES256_GCM,data:iFtM0pxIvXPHBnLEfHdmYGVWXuroDLgUaAKF+DmuBdq1NY+pr33oXNJzckFZfWgpIOuCm4cNg5j5R6nsG+zk2VWdi2vuITT4jA==,iv:qfBC/D1gJYXOZ0Fy2DkAb+ImDgXZWU6R/Z50hbVDR98=,tag:eCr6lbSieWDCNaTYzoQ0qQ==,type:str]
 telegram:
    token: ENC[AES256_GCM,data:zfMATU2E6cwoiyfszV35vkQG6JSk00y589wmGEf4wQNncPhNsvh+NcSfnTwHTQ==,iv:Q46mUquhUZLGQsCDYitk4IPu24MpVnYmi7aHyZL/b1E=,tag:QVbrwAA9mWK/ToJfGIs9ug==,type:str]
    user:
        chn: ENC[AES256_GCM,data:mTt2D+SkvVL8,iv:L0Pk5p46E2kKBdRWCGpwOKS0BsbIhZUslpIFWvkssMY=,tag:+AjbNJ1SW/8Mx1HLpWAd2w==,type:str]
        hjp: ENC[AES256_GCM,data:ZXTQhax0gT4PKw==,iv:MerbaWWC4SLazEuuJrxAxf9e5aaX9xpq9St+h9aqvMQ=,tag:x9knShK90OKZPcn9fKzvMA==,type:str]
-acme:
-    token: ENC[AES256_GCM,data:M8/R019chds8zr2BqnRnKP40NZxwq4fz06NaOeOOFYecLyDjIOq5mg==,iv:VPr4XD0Y+6G1P1xwMDyrWPiTvCYdiMV0nPcmqCvIA3Y=,tag:KEyCIHRmRkNviA4bMTMybg==,type:str]
 nginx:
    maxmind-license: ENC[AES256_GCM,data:MtmNo6hHlU75N6PvzF7P5i6Q+myV4Keb1JRXVeHxTennNpKfAndsKg==,iv:DqM91JX+1WX8Zqzha2Tm3ztFaSzKYQg+b9NvUm+6jxY=,tag:XnDTBL9MA/B8XfPZqdk7Eg==,type:str]
 sops:
@@ -174,7 +174,7 @@ sops:
            UnR5Y24rSTk3WUV1VUgvQUFCVUxPZUEKv/lTy02gZYn4jF1uGtm+LhJd0m59Xe99
            +unmqUDh0ZqAhJU8o0jrBiWs1lXOHU7CkIom7tGEMHGUxHkS+Z/6GQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-05-14T01:17:28Z"
-    mac: ENC[AES256_GCM,data:r1FWYKz9aJtmhH7MLPqwZjG0W7LULScGd63CnIqsm2AbFIs6DgW33zDsgwrl1oblx/zYGda3irB5s1+otR38DU0VE7jqLYzHpb3eLsE986ZTwe9Tujy6BJm2Pyng60BJTTBwKU8awS2WpbTUivK1aVivNfBffQIL5Scv/qkyH3U=,iv:1USu0hh8IM2T/w1Fm/udGswPJcxKmvcG6XwlS2ku6iY=,tag:F/rZiGc3KTaNA0YtrWF3+w==,type:str]
+    lastmodified: "2025-06-09T12:54:56Z"
+    mac: ENC[AES256_GCM,data:pAJ1mr02yp41jTcvy56OCUvJZh0NJXqAj582F85eevOIVy/GKQyvBonSkT0vN85q8UXw6tsNBpSqLi5MEoP2QhSP6x6mMZ6fHHGtkhw2ROmuTcfGdHDIq0SMU6arukEVDFlVsoneNXUUmdvwDjxAGv4qf7sI4ynPwu0V9xurYiI=,iv:ZuCObomHvfEPEKnepRyTOiojOEh6mfWW+bF/ytsTqiU=,tag:k0WuI8eewWeCQkiXDisjZw==,type:str]
    unencrypted_suffix: _unencrypted
-    version: 3.9.2
+    version: 3.10.2
--- a/devices/cross/wireguard.nix
+++ b/devices/cross/wireguard.nix
@@ -2,6 +2,7 @@ inputs:
 let
  publicKey =
  {
+    vps4 = "sUB97q3lPyGkFqPmjETzDP71J69ZVfaUTWs85+HA12g=";
    vps6 = "AVOsYUKQQCvo3ctst3vNi8XSVWo1Wh15066aHh+KpF4=";
    pc = "l1gFSDCeBxyf/BipXNvoEvVvLqPgdil84nmr5q6+EEw=";
    nas = "xCYRbZEaGloMk7Awr00UR3JcDJy4AzVp4QvGNoyEgFY=";
@@ -61,7 +62,7 @@ let
          # 所有设备都可以连接到公网，但只有有公网 ip 的设备可以接受连接
          (builtins.listToAttrs
          (
-            (builtins.map (n: { name = n; value = getAddress n; }) [ "vps6" "srv3" ])
+            (builtins.map (n: { name = n; value = getAddress n; }) [ "vps4" "vps6" "srv3" ])
              ++ (builtins.map (n: { name = n; value = null; }) [ "pc" "nas" "one" "srv1-node0" "srv2-node0" ])
          ))
          # 校内网络
--- a/devices/jykang.xmuhpc/default.nix
+++ b/devices/jykang.xmuhpc/default.nix
@@ -1,8 +1,8 @@
-# sudo nix build --store 'local?store=/data/gpfs01/jykang/.nix/store&real=/nix/store' .#jykang
-# sudo nix-store --store 'local?store=/data/gpfs01/jykang/.nix/store&real=/nix/store' -qR ./result | sudo xargs nix-store --store 'local?store=/data/gpfs01/jykang/.nix/store&real=/nix/store' --export > data.nar
-# cat data.nar  | nix-store --import
-inputs:
-let pkgs = import inputs.nixpkgs (import ../../modules/system/nixpkgs/buildNixpkgsConfig.nix
+# sudo nix build --store 'local?store=/data/gpfs01/jykang/.nix/store&state=/data/gpfs01/jykang/.nix/state&log=/data/gpfs01/jykang/.nix/log' .#jykang
+# sudo nix-store --store 'local?store=/data/gpfs01/jykang/.nix/store&state=/data/gpfs01/jykang/.nix/state&log=/data/gpfs01/jykang/.nix/log' -qR ./result | sudo xargs nix-store --store --store 'local?store=/data/gpfs01/jykang/.nix/store&state=/data/gpfs01/jykang/.nix/state&log=/data/gpfs01/jykang/.nix/log' --export > data.nar
+# cat data.nar | nix-store --import
+{ inputs, localLib }:
+let pkgs = import inputs.nixpkgs (localLib.buildNixpkgsConfig
 {
  inputs = { inherit (inputs.nixpkgs) lib; topInputs = inputs; };
  nixpkgs = { march = null; cuda = null; nixRoot = "/data/gpfs01/jykang/.nix"; };
@@ -12,4 +12,5 @@ in pkgs.symlinkJoin
  name = "jykang";
  paths = with pkgs; [ hello iotop gnuplot localPackages.vaspkit ];
  postBuild = "echo ${inputs.self.rev or "dirty"} > $out/.version";
+  passthru = { inherit pkgs; };
 }
--- a/devices/jykang.xmuhpc/files/.config/nix/nix.conf
+++ b/devices/jykang.xmuhpc/files/.config/nix/nix.conf
@@ -0,0 +1 @@
+store = local?store=/data/gpfs01/jykang/.nix/store&state=/data/gpfs01/jykang/.nix/state&log=/data/gpfs01/jykang/.nix/log
--- a/devices/nas/default.nix
+++ b/devices/nas/default.nix
@@ -4,7 +4,7 @@ inputs:
  {
    nixos =
    {
-      model = { type = "desktop"; private = true; };
+      model.private = true;
      system =
      {
        fileSystems =
@@ -19,25 +19,15 @@ inputs:
        };
        initrd.sshd = {};
        nixpkgs.march = "silvermont";
-        networking = {};
+        network = {};
      };
-      hardware = { cpus = [ "intel" ]; gpu.type = "intel"; };
+      hardware.gpu.type = "intel";
      services =
      {
        sshd = {};
-        xray.client =
-        {
-          enable = true;
-          # TODO: remove on next month
-          xray =
-          {
-            serverAddress = inputs.topInputs.self.config.dns."chn.moe".getAddress "xserver.srv3";
-            serverName = "xserver.srv3.chn.moe";
-          };
-          dnsmasq.hosts."git.nas.chn.moe" = "127.0.0.1";
-        };
+        xray.client.dnsmasq.hosts."git.nas.chn.moe" = "127.0.0.1";
        beesd."/".hashTableSizeMB = 10 * 128;
-        nfs."/" = inputs.topInputs.self.config.dns."chn.moe".getAddress "wg1.pc";
+        nfs."/" = [(inputs.topInputs.self.config.dns."chn.moe".getAddress "wg1.pc")];
      };
    };
  };
--- a/devices/nas/secrets.yaml
+++ b/devices/nas/secrets.yaml
@@ -21,7 +21,7 @@ sops:
            by9Rd0U0bzNiK21BQTNxN1RuQ09DQVkKJmSlzV5ppEkZFljsS17ZWmoI++fz4tJh
            kTdoAStG1zsKASHyZTsmdm3RBDO3qV1KhQC2gC7d4EiwNZngxOOZJg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-05-19T01:47:25Z"
-    mac: ENC[AES256_GCM,data:J79zVjfGgptSjh+ShPBOd+lJ9i+NuS2Uw7P4ZvF7xeahn7fbT8bercsBv1F1USwW2ituTBMZFmxaspGjAD+azEM2X7zSJnVtbKr+T9FY6i2N+kPIxdseyw93JLZ1pPTy9bQeXRAJYlJHyEw4zHEpMBbWSI88I+i43s2xkScwEuU=,iv:4Ge0dHPxa4zF++0eeHy8fH7t5ndFznhFAKnrV7WOOXs=,tag:+UG3b93zFo/EfOfCQrPoBg==,type:str]
+    lastmodified: "2025-06-09T01:22:01Z"
+    mac: ENC[AES256_GCM,data:OxRUW3e2SXTTdb7Iwvsf/UaHsTIVxohJwRIFExh5N/dJhU9Ui8omKBjkooiGaysrZEVEZNAWSp2zvTPXUdZrtW2fikyhF6Fsg7jUFFTqhV/sjYMy7gISbfkcGF9SuYGByuuySyXPqsfg+ESeBmMVZiqDSEPYJWu+q8OwThdhsAM=,iv:UnSfmuxcV+tr7wd59Xg0MG2QbP2uOshVhN5C++9ZSzA=,tag:cWiG85xv2OuiBOoAlvVBGw==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.10.2
--- a/devices/one/default.nix
+++ b/devices/one/default.nix
@@ -17,24 +17,13 @@ inputs:
          luks.auto."/dev/disk/by-partlabel/one-root" = { mapper = "root"; ssd = true; };
          swap = [ "/nix/swap/swap" ];
          resume = { device = "/dev/mapper/root"; offset = 4728064; };
-          rollingRootfs = {};
        };
        nixpkgs.march = "tigerlake";
-        kernel.variant = "cachyos-lts";
      };
-      hardware = { cpus = [ "intel" ]; gpu.type = "intel"; };
+      hardware.gpu.type = "intel";
      services =
      {
-        xray.client =
-        {
-          enable = true;
-          # TODO: remove on next month
-          xray =
-          {
-            serverAddress = inputs.topInputs.self.config.dns."chn.moe".getAddress "xserver.srv3";
-            serverName = "xserver.srv3.chn.moe";
-          };
-        };
+        xray.client = {};
        beesd."/".hashTableSizeMB = 64;
        sshd = {};
      };
--- a/devices/pc/bios/Bootx64.efi
+++ b/devices/pc/bios/Bootx64.efi
--- a/devices/pc/bios/DisplayEngine.efi
+++ b/devices/pc/bios/DisplayEngine.efi
--- a/devices/pc/bios/SetupBrowser.efi
+++ b/devices/pc/bios/SetupBrowser.efi
--- a/devices/pc/bios/UiApp.efi
+++ b/devices/pc/bios/UiApp.efi
--- a/devices/pc/color/TPLCD_161B_Default.icm
+++ b/devices/pc/color/TPLCD_161B_Default.icm
--- a/devices/pc/color/TPLCD_161B_Native.icm
+++ b/devices/pc/color/TPLCD_161B_Native.icm
--- a/devices/pc/color/TPLCD_161B_Native_HDR.icm
+++ b/devices/pc/color/TPLCD_161B_Native_HDR.icm
--- a/devices/pc/color/TPLCD_161B_REC709.icm
+++ b/devices/pc/color/TPLCD_161B_REC709.icm
--- a/devices/pc/color/TPLCD_161B_sRGB.icm
+++ b/devices/pc/color/TPLCD_161B_sRGB.icm
--- a/devices/pc/default.nix
+++ b/devices/pc/default.nix
@@ -17,6 +17,7 @@ inputs:
              "/nix" = "/nix";
              "/nix/rootfs/current" = "/";
              "/nix/remote/jykang.xmuhpc" = "/data/gpfs01/jykang/.nix";
+              "/nix/remote/xmuhk" = "/public/home/xmuhk/.nix";
            };
            nfs."${inputs.topInputs.self.config.dns."chn.moe".getAddress "wg1.nas"}:/" =
              { mountPoint = "/nix/remote/nas"; hard = false; };
@@ -28,38 +29,35 @@ inputs:
              { mapper = "swap"; ssd = true; before = [ "root1" ]; };
          };
          swap = [ "/dev/mapper/swap" ];
-          resume = "/dev/mapper/swap";
-          rollingRootfs = {};
        };
        grub.windowsEntries."08D3-10DE" = "Windows";
-        nix.marches =
-        [
-          "znver2" "znver3" "znver4"
-          # FXSR SAHF XSAVE
-          "sandybridge"
-          # FXSR PREFETCHW RDRND SAHF
-          "silvermont"
-          # SAHF FXSR XSAVE RDRND LZCNT HLE
-          "haswell"
-          # FXSR HLE LZCNT PREFETCHW RDRND SAHF XSAVE
-          "broadwell"
-          # FXSR HLE LZCNT PREFETCHW RDRND SAHF SGX XSAVE
-          "skylake" "cascadelake"
-          # SAHF FXSR XSAVE RDRND LZCNT HLE PREFETCHW SGX MOVDIRI MOVDIR64B AVX512VP2INTERSECT KEYLOCKER
-          "tigerlake"
-          # AVX-VNNI CLDEMOTE GFNI-SSE HRESET KL LZCNT MOVDIR64B MOVDIRI PCONFIG PREFETCHW PTWRITE RDRND
-          # SERIALIZE SGX WAITPKG WIDEKL XSAVE XSAVEOPT
-          "alderlake"
-        ];
+        nix =
+        {
+          marches =
+          [
+            "znver2" "znver3" "znver4"
+            # FXSR SAHF XSAVE
+            "sandybridge"
+            # FXSR PREFETCHW RDRND SAHF
+            "silvermont"
+            # SAHF FXSR XSAVE RDRND LZCNT HLE
+            "haswell"
+            # FXSR HLE LZCNT PREFETCHW RDRND SAHF XSAVE
+            "broadwell"
+            # FXSR HLE LZCNT PREFETCHW RDRND SAHF SGX XSAVE
+            "skylake" "cascadelake"
+            # SAHF FXSR XSAVE RDRND LZCNT HLE PREFETCHW SGX MOVDIRI MOVDIR64B AVX512VP2INTERSECT KEYLOCKER
+            "tigerlake"
+            # AVX-VNNI CLDEMOTE GFNI-SSE HRESET KL LZCNT MOVDIR64B MOVDIRI PCONFIG PREFETCHW PTWRITE RDRND
+            # SERIALIZE SGX WAITPKG WIDEKL XSAVE XSAVEOPT
+            "alderlake"
+          ];
+          remote.master.host.srv2-node0 = [ "skylake" ];
+        };
        nixpkgs = { march = "znver4"; cuda.capabilities = [ "8.9" ]; };
        sysctl.laptop-mode = 5;
      };
-      hardware =
-      {
-        cpus = [ "amd" ];
-        gpu = { type = "nvidia"; nvidia.dynamicBoost = true; };
-        legion = {};
-      };
+      hardware = { gpu = { type = "nvidia"; nvidia.dynamicBoost = true; }; legion = {}; };
      services =
      {
        samba =
@@ -74,30 +72,13 @@ inputs:
          };
        };
        sshd = {};
-        xray.client =
-        {
-          enable = true;
-          # TODO: remove on next month
-          xray =
-          {
-            serverAddress = inputs.topInputs.self.config.dns."chn.moe".getAddress "xserver.srv3";
-            serverName = "xserver.srv3.chn.moe";
-          };
-          dnsmasq.hosts = builtins.listToAttrs
-          (
-            (builtins.map
-              (name: { inherit name; value = "144.34.225.59"; })
-              [ "mirism.one" "beta.mirism.one" "ng01.mirism.one" "initrd.vps6.chn.moe" ])
-            ++ (builtins.map
-              (name: { inherit name; value = "0.0.0.0"; })
-              [ "log-upload.mihoyo.com" "uspider.yuanshen.com" "ys-log-upload.mihoyo.com" ])
-          )
-          // {
-            "4006024680.com" = "192.168.199.1";
-            "hpc.xmu.edu.cn" = "121.192.191.11";
-          };
-        };
-        acme.cert."debug.mirism.one" = {};
+        xray.client.dnsmasq.hosts = builtins.listToAttrs
+        (
+          (builtins.map
+            (name: { inherit name; value = "144.34.225.59"; })
+            [ "mirism.one" "beta.mirism.one" "ng01.mirism.one" "initrd.vps6.chn.moe" ])
+        )
+        // { "4006024680.com" = "192.168.199.1"; };
        nix-serve = {};
        misskey.instances.misskey.hostname = "xn--qbtm095lrg0bfka60z.chn.moe";
        beesd."/" = { hashTableSizeMB = 4 * 128; threads = 4; };
@@ -120,17 +101,17 @@ inputs:
          };
        };
        ollama = {};
-        docker = {};
+        podman = {};
        ananicy = {};
        keyd = {};
+        lumericalLicenseManager.macAddress = "745d22c7d297";
        searx = {};
-        kvm = {};
+        kvm.aarch64 = true;
        nspawn = [ "arch" "ubuntu-22.04" "fedora" ];
-        nfs."/" = "192.168.84.0/24";
+        nfs."/" = [ "192.168.84.0/24" ];
      };
      bugs = [ "xmunet" "backlight" "amdpstate" "iwlwifi" ];
-      packages = { android-studio = {}; mathematica = {}; vasp = {}; };
-      user.users = [ "chn" "test" ];
+      packages = { mathematica = {}; vasp = {}; lammps = {}; };
    };
    boot.loader.grub =
    {
@@ -164,7 +145,6 @@ inputs:
    services.udev.extraRules = ''ACTION=="add", ATTR{power/wakeup}="disabled"'';
    # 允许kvm读取物理硬盘
    users.users.qemu-libvirtd.extraGroups = [ "disk" ];
-    networking.extraHosts = "144.34.225.59 mirism.one beta.mirism.one ng01.mirism.one";
    services.colord.enable = true;
  };
 }
--- a/devices/srv1/default.nix
+++ b/devices/srv1/default.nix
@@ -16,10 +16,8 @@ inputs:
              { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
          };
          swap = [ "/nix/swap/swap" ];
-          rollingRootfs = {};
        };
      };
-      hardware.cpus = [ "intel" ];
      services =
      {
        sshd.passwordAuthentication = true;
--- a/devices/srv1/node0/default.nix
+++ b/devices/srv1/node0/default.nix
@@ -8,25 +8,26 @@ inputs:
      system =
      {
        nixpkgs.march = "cascadelake";
-        networking.static =
+        network =
        {
-          eno145 = { ip = "192.168.1.10"; mask = 24; gateway = "192.168.1.1"; };
-          eno146 = { ip = "192.168.178.1"; mask = 24; };
+          static =
+          {
+            eno145 = { ip = "192.168.1.10"; mask = 24; gateway = "192.168.1.1"; };
+            eno146 = { ip = "192.168.178.1"; mask = 24; };
+          };
+          masquerade = [ "eno146" ];
+          trust = [ "eno146" ];
        };
      };
      services =
      {
-        xray.client = { enable = true; dnsmasq.extraInterfaces = [ "eno146" ]; };
+        sshd.motd = true;
+        xray.client.dnsmasq.extraInterfaces = [ "eno146" ];
        beesd."/" = { hashTableSizeMB = 128; threads = 4; };
        samba = { hostsAllowed = ""; shares = { home.path = "/home"; root.path = "/"; }; };
      };
      packages.packages._prebuildPackages =
        [ inputs.topInputs.self.nixosConfigurations.srv1-node1.pkgs.localPackages.vasp.intel ];
    };
-    # allow other machine access network by this machine
-    systemd.network.networks."10-eno146".networkConfig.IPMasquerade = "both";
-    # without this, tproxy does not work
-    # TODO: why?
-    networking.firewall.trustedInterfaces = [ "eno146" ];
  };
 }
--- a/devices/srv1/node1/default.nix
+++ b/devices/srv1/node1/default.nix
@@ -7,13 +7,14 @@ inputs:
      system =
      {
        nixpkgs.march = "broadwell";
-        networking.static.eno2 =
-          { ip = "192.168.178.2"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; };
+        network =
+        {
+          static.eno2 =
+            { ip = "192.168.178.2"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; };
+          trust = [ "eno2" ];
+        };
      };
      services.beesd."/".threads = 4;
    };
-    boot.initrd.systemd.network.networks."10-eno2" = inputs.config.systemd.network.networks."10-eno2";
-    # make slurm sub process to be able to communicate with the master
-    networking.firewall.trustedInterfaces = [ "eno2" ];
  };
 }
--- a/devices/srv1/node2/default.nix
+++ b/devices/srv1/node2/default.nix
@@ -7,26 +7,25 @@ inputs:
      system =
      {
        nixpkgs.march = "broadwell";
-        networking.static =
+        network =
        {
-          br0 = { ip = "192.168.1.12"; mask = 24; gateway = "192.168.1.1"; dns = "192.168.1.1"; };
-          eno2 = { ip = "192.168.178.3"; mask = 24; };
+          static =
+          {
+            br0 = { ip = "192.168.1.12"; mask = 24; gateway = "192.168.1.1"; dns = "192.168.1.1"; };
+            eno2 = { ip = "192.168.178.3"; mask = 24; };
+          };
+          trust = [ "eno2" ];
+          bridge.br0.interfaces = [ "eno1" ];
        };
        fileSystems.mount.btrfs."/dev/disk/by-partlabel/srv1-node2-nodatacow" =
          { "/nix/nodatacow" = "/nix/nodatacow"; "/nix/backups" = "/nix/backups"; };
      };
      services =
      {
-        xray.client.enable = true;
+        xray.client = {};
        beesd."/".threads = 4;
        kvm.nodatacow = true;
      };
    };
-    boot.initrd.systemd.network.networks."10-eno2" = inputs.config.systemd.network.networks."10-eno2";
-    # make slurm sub process to be able to communicate with the master
-    networking.firewall.trustedInterfaces = [ "eno2" ];
-    # add a bridge for kvm
-    # 设置桥接之后，不能再给eno1配置ip，需要转而给 br0 配置ip
-    networking.bridges.br0.interfaces = [ "eno1" ];
  };
 }
--- a/devices/srv2/default.nix
+++ b/devices/srv2/default.nix
@@ -18,7 +18,6 @@ inputs:
              { mountPoint = "/nix/remote/pc"; hard = false; };
          };
          swap = [ "/nix/swap/swap" ];
-          rollingRootfs = {};
        };
        nixpkgs.cuda.capabilities =
        [
@@ -35,7 +34,7 @@ inputs:
      hardware.gpu.type = "nvidia";
      services =
      {
-        sshd = { passwordAuthentication = true; groupBanner = true; };
+        sshd = {};
        slurm =
        {
          enable = true;
@@ -80,8 +79,8 @@ inputs:
          };
        };
      };
-      packages.vasp = {};
-      user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" "lly" "yxf" "hss" "zzn" ];
+      packages = { vasp = {}; mumax = {}; lammps = {}; };
+      user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" "lly" "yxf" "hss" "zzn" "zqq" ];
    };
  };
 }
--- a/devices/srv2/node0/default.nix
+++ b/devices/srv2/node0/default.nix
@@ -5,33 +5,28 @@ inputs:
    nixos =
    {
      model.cluster.nodeType = "master";
-      hardware.cpus = [ "intel" ];
      system =
      {
        nixpkgs.march = "skylake";
-        networking =
+        network =
        {
          static.eno2 = { ip = "192.168.178.1"; mask = 24; };
          wireless = [ "457的5G" ];
+          masquerade = [ "eno2" ];
+          trust = [ "eno2" ];
        };
+        nix.remote.slave = {};
      };
      services =
      {
-        xray.client =
-        {
-          enable = true;
-          dnsmasq = { extraInterfaces = [ "eno2" ]; hosts."hpc.xmu.edu.cn" = "121.192.191.11"; };
-        };
+        xray.client = { dnsmasq = { extraInterfaces = [ "eno2" ]; hosts."hpc.xmu.edu.cn" = "121.192.191.11"; }; };
        beesd."/" = { hashTableSizeMB = 16 * 128; loadAverage = 8; };
        samba = { hostsAllowed = ""; shares = { home.path = "/home"; root.path = "/"; }; };
        groupshare = {};
        hpcstat = {};
        ollama = {};
+        sshd = { groupBanner = true; motd = true; };
      };
    };
-    # allow other machine access network by this machine
-    systemd.network.networks."10-eno2".networkConfig.IPMasquerade = "both";
-    # without this, tproxy does not work
-    networking.firewall.trustedInterfaces = [ "eno2" ];
  };
 }
--- a/devices/srv2/node1/default.nix
+++ b/devices/srv2/node1/default.nix
@@ -4,18 +4,18 @@ inputs:
  {
    nixos =
    {
-      hardware.cpus = [ "amd" ];
      system =
      {
        nixpkgs.march = "znver3";
-        networking.static.enp58s0 =
-          { ip = "192.168.178.2"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; };
+        network =
+        {
+          static.enp58s0 =
+            { ip = "192.168.178.2"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; };
+          trust = [ "enp58s0" ];
+        };
      };
      services.beesd."/".hashTableSizeMB = 64;
    };
    services.hardware.bolt.enable = true;
-    boot.initrd.systemd.network.networks."10-enp58s0" = inputs.config.systemd.network.networks."10-enp58s0";
-    # make slurm sub process to be able to communicate with the master
-    networking.firewall.trustedInterfaces = [ "enp58s0" ];
  };
 }
--- a/devices/srv3/README.md
+++ b/devices/srv3/README.md
@@ -41,10 +41,9 @@
  独立的 IPv6 免费，但暂不支持（技术上没有准备好，如果有人有需要我就去准备）。
 * 只卖朋友和朋友的朋友（总之得有人保证别拿去做坏事）。
  若此定价对您来说仍然难以接受，可以联系我，打五折或者免费。
-* 此价格有效期三个月（2025-05-17 至 2025-08-17）。
-  05-17 前免费，08-17 后定价会视情况调整（例如将流量计入收费项目，内存部分相应降价），在那之前会公布新的定价。
+* 此价格 2025 年 9 月 17 日前有效。之后大概率也不会调整，但保留调整的权利。
 * 预计收入无法覆盖成本。如果某个月的收入高于成本，承诺会将多出的部分捐出去。
-* 非 kvm 虚拟机的服务（例如，只跑一个 docker 容器，只跑某一个服务）定价私聊，大致上是上方价格再加上我的工作成本（事少的免费，事多的就要实收了）。
+* 非 kvm 虚拟机的服务（例如，只跑一个 podman 容器，只跑某一个服务）定价私聊，大致上是上方价格再加上我的工作成本（事少的免费，事多的就要实收了）。
 * 配置随时可以调整。所以按照自己这个月够用的来就行，不需要为未来留余量。但每次调整都需要重启虚拟机。
 * 母鸡价格 40 美元每月，配置在下方列出。
  * 机房: LAX3 （IP：srv3.chn.moe）
--- a/devices/srv3/default.nix
+++ b/devices/srv3/default.nix
@@ -15,19 +15,21 @@ inputs:
            btrfs."/dev/mapper/root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
          };
          swap = [ "/dev/mapper/swap" ];
-          rollingRootfs = {};
        };
        nixpkgs.march = "haswell";
        initrd.sshd = {};
-        networking.static.eno1 =
+        network =
        {
-          ip = "23.135.236.216";
-          mask = 24;
-          gateway = "23.135.236.1";
-          dns = "8.8.8.8";
+          bridge.nixvirt.interfaces = [ "eno1" ];
+          static.nixvirt =
+          {
+            ip = "23.135.236.216";
+            mask = 24;
+            gateway = "23.135.236.1";
+            dns = "8.8.8.8";
+          };
        };
      };
-      hardware.cpus = [ "intel" ];
      services =
      {
        beesd."/" = { hashTableSizeMB = 128; threads = 4;};
@@ -36,12 +38,14 @@ inputs:
        {
          alikia =
          {
-            hardware = { memoryMB = 1024; cpus = 1; };
+            memory.sizeMB = 1024;
+            cpu.count = 1;
            network = { address = 2; portForward.tcp = [{ host = 5689; guest = 22; }]; };
          };
          pen =
          {
-            hardware = { memoryMB = 512; cpus = 1; };
+            memory.sizeMB = 512;
+            cpu.count = 1;
            network =
            {
              address = 3;
@@ -62,7 +66,8 @@ inputs:
          test =
          {
            owner = "chn";
-            hardware = { memoryMB = 512; cpus = 1; };
+            memory.sizeMB = 4096;
+            cpu.count = 4;
            network =
            {
              address = 4;
@@ -72,7 +77,8 @@ inputs:
          };
          reonokiy =
          {
-            hardware = { memoryMB = 4 * 1024; cpus = 4; };
+            memory.sizeMB = 4 * 1024;
+            cpu.count = 4;
            network = { address = 5; portForward.tcp = [{ host = 5694; guest = 22; }]; };
          };
        };
@@ -84,25 +90,23 @@ inputs:
          synapse.matrixHostname = "synapse.chn.moe";
          matrix = { port = 8009; redisPort = 6380; };
        };
-        vaultwarden.enable = true;
+        vaultwarden = {};
        photoprism.enable = true;
        nextcloud = {};
-        freshrss.enable = true;
+        freshrss = {};
        send = {};
        huginn = {};
-        httpapi.enable = true;
-        gitea = { enable = true; ssh = {}; };
+        httpapi = {};
+        gitea = {};
        grafana = {};
        fail2ban = {};
-        xray.server.serverName = "xserver.srv3.chn.moe";
-        docker = {};
+        xray.server = {};
+        podman = {};
        peertube = {};
        nginx.applications.webdav.instances."webdav.chn.moe" = {};
        open-webui.ollamaHost = "192.168.83.3";
      };
      user.users = [ "chn" "aleksana" "alikia" "pen" "reonokiy" ];
    };
-    # TODO: use a generic way
-    boot.initrd.systemd.network.networks."10-eno1" = inputs.config.systemd.network.networks."10-eno1";
  };
 }
--- a/devices/srv3/secrets.yaml
+++ b/devices/srv3/secrets.yaml
@@ -75,48 +75,8 @@ xray-server:
        user0: ENC[AES256_GCM,data:n6gIZGYdT6wEfKgizFvIE802AkpR8BpSPSZrQ5WP/aZWzLUL,iv:AxnwFOzmIRm3nTLpi8/4lkv+TjO4y4RZQtHO0GriD8o=,tag:nllDCaLZd6JNS2JqwvgVyg==,type:str]
        #ENC[AES256_GCM,data:uhAauqQ1oQ==,iv:0Sr6YjarjkLmBq5H1ELb3SYBzrTVhqIE6qPxc9HYeKY=,tag:NvGGSY99Y7d3OTnpOr2p2g==,type:comment]
        user1: ENC[AES256_GCM,data:EcEySx/n52rN5REPEWNjCuWywokvOetadbljqPpDPADTeeSk,iv:7r3CdvHJT1iZvx1Xn53It1ZxIkdLVIeQ+Q03zISm94k=,tag:8cIGZUlIhVgRc2FeU931kQ==,type:str]
-        #ENC[AES256_GCM,data:qbXmxTn+Mwk3zw==,iv:8F/0ELOwXMrKaigfRmwvGREujqNwM6XjIeaPyr6JS5U=,tag:PF/PAQCwzH7uOj+xgM0rKw==,type:comment]
-        user2: ENC[AES256_GCM,data:cA2oKqGsKuZyydMQspbSrWqsQIAde/VtGIPybC2gr3Bg355H,iv:YOj+6f6YR3Ze3x5IrqdqzXp9e3v1jdAu8re1Is6Q4eQ=,tag:n/CV6+PX/y+okpJwRraSDA==,type:str]
-        #ENC[AES256_GCM,data:VcLtO+6YWg==,iv:TWM3IY00V+LaJzk+E8ji/v7Ol4TCvSP/FHzFsV5MGIE=,tag:CijsW2O/AKpWgQUm6ipPeg==,type:comment]
-        user3: ENC[AES256_GCM,data:F3HK6znDEsN8UO7B9vBs03jyjqoQ+MGCcNJuOeglSBzLD2Hy,iv:TKBRe8Qmn9DL4AEilX20YcKbz6bydKsQUuUd5lyM2jE=,tag:nAyrTD4zkJ6CjLuj29zuJQ==,type:str]
-        #ENC[AES256_GCM,data:UFE3pg02VA==,iv:thT5OYPIHLIjKB7uiAk5vff8rtsgwncdo+U0KmW3uTE=,tag:qGWmSsI1mzg8ZbpunxBuyw==,type:comment]
-        user4: ENC[AES256_GCM,data:FYMQFFTCue+umBl5OwJvlZ+NyocsRbkycr+y1L6d6LPdR9px,iv:ZX9Z0dqmBvvXlz+oEYd7vQ5rW5lvmlc+bneDguQld30=,tag:y3d7aDWOtO0T3Yf5pGnffQ==,type:str]
        #ENC[AES256_GCM,data:KuuPQQ==,iv:LGGqLFV4CnUMLWaNbHj6bRseetvdMdSOefV1FeYlJSA=,tag:wXlqKM2BuoMRZAwYbv5eOg==,type:comment]
        user5: ENC[AES256_GCM,data:T5p0POx9Cnqdlp0blEYvAnRNIDOCNVdpOBR4rVQ1/07/rOCX,iv:EZx6ToeORzHoG+aEPi9oiTcwp4bOIAJpPUvemhYM96Q=,tag:aSS+RY5rEzr62mbE+JDanw==,type:str]
-        #ENC[AES256_GCM,data:tmlMaaDT4Q==,iv:zDBCjdBioiXGbJve03VcwCt81hiFxyKqql9rp6zW25g=,tag:cxedo8U2FICH5yMoPXwQMg==,type:comment]
-        user6: ENC[AES256_GCM,data:LzYfIXgZP0q9FpxDM6skSTiwOxEO+N5wuFq86KAazqe8zS/h,iv:Jh7bWMVr5U69L1uARLMUciWvv/aRjJJeEXvU5bo8e3A=,tag:PxesHErVSlkbuNeeRpQfEA==,type:str]
-        #ENC[AES256_GCM,data:boB2Ug==,iv:echGnXhoj2wX7GDj302nbirmzQFCqql2jtY0JaNyla4=,tag:7YnhNwCFZ9rOstanr0wGcw==,type:comment]
-        user7: ENC[AES256_GCM,data:s1O6GRn/9T9DWKlcXJTnOoAPZnPgHGBpZZcEDAKRtiYAI/5p,iv:JyaGsolN5WgQekPYxJiJbniuxLPf3+elHHbd3+ZrLtc=,tag:32wNUTqyyaKoPRQdB4U0SA==,type:str]
-        #ENC[AES256_GCM,data:cvG7WQcnwj+u9A==,iv:ui40+u9yE/Prksmiqed1NjuHyNP2RGtgSMazfI8ultc=,tag:he2F4i71Z8gFdW3fmRdhUA==,type:comment]
-        user8: ENC[AES256_GCM,data:roCYRvszJo7weozfIRoGgUhIs1f2a5/a2d1b/Iy6WEbbehOS,iv:tcOsL0SE4qMRPZIGOlzRIaMJvcapx2H9HK4D8qmSbIs=,tag:Z0skFdgtpjSR7jli3dwd5A==,type:str]
-        #ENC[AES256_GCM,data:IFXAXr0RVg/DCA==,iv:pKdnsUFX4XXJIZleA71fAfua1ibSa/2tgjdqnhbt/Rg=,tag:2Fv397j/uJDFZ/uvBxtrQw==,type:comment]
-        user9: ENC[AES256_GCM,data:5HP+OVmf+dsS8sDHakC7Yx1HVutMoTbITONHQiSvHw+17M9J,iv:TYDf7lx04pHohbGBbPJvOAoIGUKqil59k4Pt405/9kA=,tag:HUxT/uSR8sYCXQ8uX69Fqg==,type:str]
-        #ENC[AES256_GCM,data:7TJeKZM=,iv:FKcgDOtV417n1xmufqB3WENrbZ0V93sI5/XhiDYouMw=,tag:TchW2jgxZAXHvvMYY089dA==,type:comment]
-        user10: ENC[AES256_GCM,data:+u1KwJo3Y4enFM2RVr379GF7O6r9bWofUEZ2994IIC+Ce2NV,iv:ssKA5y3JM4tm+JdVznQFUAYmlrHaWd8hQXs6R/aEXN8=,tag:Q5uuM1sBZJRYBe4XXTL3ZQ==,type:str]
-        #ENC[AES256_GCM,data:O3qEWI+vFA==,iv:R7HLFRNszV6yXwciNfk/rTbDQYLmKsTCQFCfWIpJdfY=,tag:DjuM2a48/lDF11aLIf3Fgw==,type:comment]
-        user11: ENC[AES256_GCM,data:4HDGJq9nl8oGeQEo0XBEUiJweAaZ9yWc9Ib1TM91Djj2jH8d,iv:1i9/bZhHkhc8dP9Pg4gIRnCms61AP9VYxAG4acV3gpQ=,tag:vID9DEXZu3wGbXDqsLVEAg==,type:str]
-        #ENC[AES256_GCM,data:CdJubErTSg==,iv:UKn0lvbCzJnE241Tg3yjSx4xZNbp5sa/NfgIlRNU5z8=,tag:6FMGY6hbMQQFoN31z4e4uw==,type:comment]
-        user12: ENC[AES256_GCM,data:U+ynUYI+l6McI9oWF4PNiLUwvNowdseZ5gO8o73cX8MsXS2+,iv:r0KIBXczRkubZqyM/LUBPp/x9Zb/rvDJIKGGKkR3EfY=,tag:yn7806HD7ei57UtpuPjlkg==,type:str]
-        #ENC[AES256_GCM,data:3trgclrgDXhKUg==,iv:qyLmCBaB5ql950diUj7YlPi6P3a0hYH8adADEI0AGrU=,tag:Oleq79giA9/gYBO8Carznw==,type:comment]
-        user13: ENC[AES256_GCM,data:M6JXRrqnKrdihAA1aUg9zzJfhCK5TLLRf4wZkemnlHyaXnLL,iv:OA6i+BGYTr9gILE3jzFILLZvPRZeAvmSbXEStihN3aw=,tag:WcpTKRC8crDhzKHcxjtICQ==,type:str]
-        #ENC[AES256_GCM,data:VryB1AM=,iv:6FdWfpQ53bdpkXZ22gpy8GxKb1X7bak0K/Oa56mP7Uw=,tag:VBg7u7MSMl4Pr72W6ugYEg==,type:comment]
-        user14: ENC[AES256_GCM,data:g8y07VaxsuTs74L5xF/XDlmYetOfXFwHEr+FCHRtFLKwTAVq,iv:TjT49pTk97l3u1wGG7BmqZr/LAMC2765er3HGarOANw=,tag:zt1ojulNjWcuKIdix6NFJw==,type:str]
-        #ENC[AES256_GCM,data:Bawjfo3ubW1eXA==,iv:m2/ViC9AIZUV3Wl9EBYV5L0QQDw7QgXPpQ7WX22XpQ8=,tag:1wqpie9BuDi7BiDCvRIWog==,type:comment]
-        user15: ENC[AES256_GCM,data:2Ylnb7ZJgr3ha0rXrjkscPX9zJI2L9aydfL5Ndl2b9cJmVUC,iv:mu0GlGGXH4njmi4KzsvFSJN2zC5IcXVQ6oqVv2ClWpM=,tag:AIhnDqQehLyJY+wh7RWTYg==,type:str]
-        #ENC[AES256_GCM,data:uORLUE+excPAuw==,iv:K1Qch9qkg5T59+lcMC7vHWu1mnOv2dH5cOAZHX8HhgQ=,tag:chVMn/kb3Rr3f2igjbsAUA==,type:comment]
-        user16: ENC[AES256_GCM,data:D4lPjTb2kaYfUSCCRaMpGNtzLIfvPvfiJK+kkTQtSMOBglpN,iv:FCpHHBSKDYA+H6fgabNggXJlenzg5am5excBknpD1uU=,tag:FPQaBfLiZ5PBJa8gCpBfTA==,type:str]
-        #ENC[AES256_GCM,data:Cfs0Ul9BHWW/oQ==,iv:OOcRWmc7fy2RnE7+TtSBauKa1k1/unC1nFJ2SJ3yWqk=,tag:q6MjcXEYuep1eRw5BJspqw==,type:comment]
-        user17: ENC[AES256_GCM,data:2mzbUcGRye0cdgQxoTzSeKaM+m1dUPvKq61uBnGvZDFXrqQ7,iv:hxkruf0Xo1ZNJ/ym5YdLGJF5aK5nXZMJ46XC18Aksmc=,tag:KrUCTgDgYndxhi8QSYpGwA==,type:str]
-        #ENC[AES256_GCM,data:vHvpcqJaH2hPTg==,iv:S1WbgLU+15FMJr699YGY4f9r8wIg880tjJo6W6APhx0=,tag:F7fbA83eco8/Qd6u4vUMbA==,type:comment]
-        user18: ENC[AES256_GCM,data:LwZKy71ecB/E2EMIaUuFV0a7j+16EWo8LA9/0Gc8lpXAQpaT,iv:+cjrRDSvW7KFGDlpI6W+eDi3bux+eQl6NXNjnUoj7L0=,tag:PurtN+Vede0DNTQqbea1Ig==,type:str]
-        #ENC[AES256_GCM,data:rhbv9bL/0d7pGA==,iv:XvKiQWO72BfHhVRyti5ST9+f9tPUne2IcMNC08kD9r8=,tag:qhA6q4MrX3lAELrrGM8LCQ==,type:comment]
-        user19: ENC[AES256_GCM,data:jOyA913cS21eGwjUPY/XrQUBofoHwsCHghpmjzGx7cBzk/K0,iv:wXAnuSUhJ+gwGvMF7/YsfgeTHOvQC+S6rM5DzypvOuo=,tag:b/FsoypjkVYLSfyowNL2Nw==,type:str]
-        #ENC[AES256_GCM,data:Q48F7+SNdz7duKY=,iv:KIb6lIJWAVXKekBhwPztkySYDA7IP4jMjDsWy+waeFQ=,tag:s8hEz2zrh1ZXNKi/IuVV4Q==,type:comment]
-        user20: ENC[AES256_GCM,data:D6+eQdWO/W4P1ul9zQLpUQxqNA+kytz5ZHH6HmU/jwSuq3hU,iv:U4H7Ez0P3gWBLVeQ6O4PN4AmVP7Ij3oArhMmfT1BWic=,tag:l6TNsJFXXH/+yMcszkVRrQ==,type:str]
-        #ENC[AES256_GCM,data:F8qJksiC3Z8GbJc=,iv:yDBYQLUFFSXMn5Vo69rXzGBWzA+GkYw1qHS/ShisH7w=,tag:mnxj03thlYN5KhKDUO7hug==,type:comment]
-        user21: ENC[AES256_GCM,data:QeSxzBR6fLAyoUsA4aGKilYHcF42SNdkwjdwWZbxNvqZU6bf,iv:ocZGB4i8M7qM9Ypp3BUlGIdGL0AQx8NdO5yBZFLB6fk=,tag:WMFmljoJSnCU8BL/GfiZMg==,type:str]
-        #ENC[AES256_GCM,data:LxUne7UMT32f,iv:AyVaLB7Ni6HB5BE+InEG99TQsEzdQG7EXoHXC8PLGlQ=,tag:j5GoVfDsqoHypkxYFNPjyg==,type:comment]
-        user22: ENC[AES256_GCM,data:lzFvCb/zbTZs2jmYUfl3onGeWjBCdjxcIzAIff/fm6Qre+HZ,iv:eSiosE3eOrl7iLnOV41w+pwdtcske/4R1Bf1D1qxsOo=,tag:r69jFKp/FlxN3MEL5E6EXA==,type:str]
    private-key: ENC[AES256_GCM,data:xz7xFt/g++E79bIl6AeBWATHDB+gHBIoXo5vdWTeyrAT1RtllgYie9k3Fg==,iv:x7fdmSINQA+F7a08jpuvCAg7vIZpsYaoX+EnitJMUCk=,tag:GAb/RRdAOlteIQPxeIMAXQ==,type:str]
 peertube:
    secrets: ENC[AES256_GCM,data:OR3OA8qJsq1gAYiv1rShNa8eODzIxPOpVbqbnseSCMUNx4+FeOgReTLl7cXHPxbBkrJbsfEq5XYm1QtRtxotdw==,iv:6vz0ezsFuCNsBduNhm4VQ+it6oEJF/eMxktVFhdXgug=,tag:hmW7BwF9C53SAHhu2HBLYg==,type:str]
@@ -144,7 +104,7 @@ sops:
            d0h3aDh5QXFZYWJFdmNVYnJxQ3pBeVUKTl0XVvtwJcz+RpSylgDPl/R8msInxvWX
            eQGmrDHibeE1V+KSDiuNzC4MVRIrOnh1beHrhnVQ86HwPVgJqs2FoQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-05-26T10:55:01Z"
-    mac: ENC[AES256_GCM,data:ek8oYslh51198fhnYy8LgZQBo3QEnCumeSzLEIEFp/bQshfPVtiMt29n37y89GZjfvd/UL/J/i4sxHqF328+MoMtIYwcDzJoHp/ZNJYZoM19UjEsPL5YemRRXz++gw3tvDgqPzYvtr93pg6+WcPNToIhzsew7QzYj2xLiSaecvQ=,iv:wk8RcTUbZwUHRAgNRuZ3SWWv6O57hHBCkccYNZiMwPQ=,tag:8bwhsrkk8bVMwThZQPkNXg==,type:str]
+    lastmodified: "2025-06-09T01:35:04Z"
+    mac: ENC[AES256_GCM,data:q2BolEBB6Ik8yx6NHnnE3Wcl2rGVZN86dpfLJrrFOxWd8fZyfBQ/00v4dUZSZw0aQoMj1V2RBDyVtScuRiH0NVb6+RfX+0t3zTEf6guuJdurczLBz9+D51+Th3KE1uk+UjI7J+Q/TOWTvoGMj8P4XZCXQsCDIct/vbLGqNB9CgM=,iv:/6xR7KXXLejm9Iuqcxc/7IqLEckNhmaJTKzJGonSrng=,tag:XdeCoEkHefw2HqTGSchUJA==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.10.2
--- a/devices/test-pc-vm/default.nix
+++ b/devices/test-pc-vm/default.nix
@@ -13,12 +13,10 @@ inputs:
            vfat."/dev/disk/by-partlabel/test-boot" = "/boot";
            btrfs."/dev/disk/by-partlabel/test-root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
          };
-          rollingRootfs = {};
        };
        nixpkgs.march = "znver4";
-        networking = {};
+        network = {};
      };
-      hardware.cpus = [ "amd" ];
      services.sshd = {};
    };
  };
--- a/devices/test-pc/default.nix
+++ b/devices/test-pc/default.nix
@@ -13,12 +13,10 @@ inputs:
            vfat."/dev/disk/by-partlabel/test-boot" = "/boot";
            btrfs."/dev/disk/by-partlabel/test-root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
          };
-          rollingRootfs = {};
        };
        nixpkgs.march = "znver4";
-        networking = {};
+        network = { dhcp = [ "nixvirt" ]; bridge.nixvirt.interfaces = [ "enp1s0" ]; };
      };
-      hardware.cpus = [ "amd" ];
      services =
      {
        sshd = {};
@@ -29,17 +27,19 @@ inputs:
          {
            chn =
            {
-              hardware = { memoryMB = 2048; cpus = 4; };
+              memory = { sizeMB = 2048; dedicated = true; };
+              cpu = { count = 4; set = builtins.genList builtins.toString 4; };
              network =
              {
-                address = 2;
-                portForward = { tcp = [{ host = 5693; guest = 22; }]; web = [ "example.chn.moe" ]; };
+                bridge = true;
+                vnc.port = 15901;
              };
            };
            chn2 =
            {
              owner = "chn";
-              hardware = { memoryMB = 2048; cpus = 4; };
+              memory.sizeMB = 2048;
+              cpu.count = 4;
              network = { address = 3; portForward.tcp = [{ host = 5694; guest = 22; }]; };
            };
          };
--- a/devices/test/default.nix
+++ b/devices/test/default.nix
@@ -13,12 +13,10 @@ inputs:
            vfat."/dev/disk/by-partlabel/test-boot" = "/boot";
            btrfs."/dev/disk/by-partlabel/test-root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
          };
-          rollingRootfs = {};
        };
        nixpkgs.march = "haswell";
-        networking = {};
+        network = {};
      };
-      hardware.cpus = [ "intel" ];
      services =
      {
        sshd = {};
--- a/devices/vps4/default.nix
+++ b/devices/vps4/default.nix
@@ -17,19 +17,17 @@ inputs:
            };
          };
          swap = [ "/nix/swap/swap" ];
-          rollingRootfs = {};
        };
        grub.installDevice = "/dev/disk/by-path/pci-0000:00:04.0";
        nixpkgs.march = "znver2";
        initrd.sshd = {};
-        networking = {};
+        network = {};
      };
      services =
      {
        sshd = {};
        fail2ban = {};
-        beesd."/".hashTableSizeMB = 64;
-        xray.server.serverName = "xserver.vps4.chn.moe";
+        xray.server = {};
      };
    };
  };
--- a/devices/vps4/secrets.yaml
+++ b/devices/vps4/secrets.yaml
@@ -4,27 +4,43 @@ xray-server:
        user0: ENC[AES256_GCM,data:o2wxpSzoqsPxs6grgYRLtPutMVwSqtzUWBrj7+7QuWWd1a1z,iv:2/5SxXq8Iw4J/LzBeclHbkrZXHitguip0WN+MINym8s=,tag:v/3oly53ORM9XAwbOzp06g==,type:str]
        #ENC[AES256_GCM,data:0nHZmEPPaw==,iv:BtOZ8/U0yg3fthHrwerNQX3+KD/H9+fcUylYGnZqiIM=,tag:DkFGSFfq//LmWfg6DGm1aA==,type:comment]
        user1: ENC[AES256_GCM,data:7ev7GuKLeJbPReMy0FnX02fLv5nNCpxdzfnQyAA+/IviwDMQ,iv:YbESsyIAiEAyvrHnj9A4lITX7NtRkuRhCrTv6hoG9Qs=,tag:8uledxLXqpXXLBh+cczm4g==,type:str]
-        #ENC[AES256_GCM,data:3KN/1hzeR2I=,iv:iaqJJD6iURTUlIL8e8P7fsAzJYo+y3NGZXgWmPX+4ao=,tag:e8g/JgVrMrWJamUMpiv2pQ==,type:comment]
-        user2: ENC[AES256_GCM,data:58PnLCwDayOYinsPCYPeMvuKiF7b4tZtbmEJFWEl+2Nu6HL2,iv:hSv3jCtkLm4rrm/4+ot10CBhobGwtnK5db5wR1S/XrU=,tag:SQbynYp8pDSqj4tAK6JBMQ==,type:str]
+        #ENC[AES256_GCM,data:4Y00hDJ+8Hjq3Q==,iv:XWZYNC1T5B55B43tcuzzvOOFtHqZJ9XDuEaYQOO5cR4=,tag:5oNFsqUtSiv8CY6aHyGjNQ==,type:comment]
+        user2: ENC[AES256_GCM,data:MRMdc7LRYqgRsfKKW6LnP14g3JoFT6g7jzkXW8gIAeqypyoc,iv:tfPBD2FkIljz3xasYNJsj3vh2lEObrvSZ95FyCgWcTs=,tag:B1PQpyX24DqrPscL/pjZmQ==,type:str]
+        #ENC[AES256_GCM,data:gGd3kkNcyIwOXg4=,iv:vILDvtdvopPM8lZDDpedvtXYHpoPvPn1A8AJca41r9A=,tag:2LMImcmdyPKsQDloq7041Q==,type:comment]
+        user3: ENC[AES256_GCM,data:+KUVcqy18t6Fd+QNgB5DeZkNSA6lsjebO+xnzxzIjWuZ9UmS,iv:qugbmBv9jk1yfH2s0A0jla0DR3jkdXLVUeWGcj6v68U=,tag:4FUf/guDzPqgDcb1086WTA==,type:str]
+        #ENC[AES256_GCM,data:jCgKe0t2xQ==,iv:UE48L/JpobN6LUd6Z9RlsUGSJ1sHHgiL6xj8lPztwJc=,tag:xnwWLQm+GIUzsfBO/TXhrg==,type:comment]
+        user4: ENC[AES256_GCM,data:3yrdvbcH/ToAQpTLppSVp2FNGjatyBInKP85bAY9OrEtzhhQ,iv:4zvb1nzKjrCNWWKelOnDhsNBAC7Ak6ZpJlvQKqGJrgc=,tag:dBOTBJDJhJsKHKg/vGmpxQ==,type:str]
+        #ENC[AES256_GCM,data:2ptsDQ==,iv:dEzyk6NQcFZQPx8h/ViCqtRaQ/8dfMTVKBq+iguk6nU=,tag:11SLIAhtcHja4G9HUXr9Ng==,type:comment]
+        user5: ENC[AES256_GCM,data:NO9rpzFkySistf9++oXpo1tBaa4XtPtcCGR+2IWmhQYEH/l1,iv:OG+U0avgo9mjmU3soxRNL71ZC7Ee4ijpsJMRn3jYvhw=,tag:QuBFX2KHgNJ+f3RwqEH4+Q==,type:str]
        #ENC[AES256_GCM,data:uTZDsA==,iv:6cxvQycfji/x+DW1CnO45r+yNTLwkhYkiJwDaSpUCwo=,tag:8pMw+sYeOyZBN1idHoM9+g==,type:comment]
-        user3: ENC[AES256_GCM,data:WCVr0ylGm2SHtOGulb8TD/cI2xJXrbvY1d6+STXGxf0d0izb,iv:vhNshb38AVpwKCFRwUVruCQ0SxhHrOmwQ+IoQZeUj1k=,tag:OfdIjRrTAuVZBOEXTtnrQQ==,type:str]
+        user7: ENC[AES256_GCM,data:Ie8M385wtRx8bWIdCupnda799kL0OLBsWdk9pHTY7IxxaZbn,iv:OrRYOkaC9uI9E1Eb8GYqmYr9VAUM895oO8NSdvxUPCQ=,tag:NZTUE4KnUjhg/auoALavTA==,type:str]
+        #ENC[AES256_GCM,data:Wwq+ypJgx6OcXA==,iv:dSvFz4I5tFx+ZVClxNGKwcbIQe7OY43OzAhqRiDK2TQ=,tag:CYUs1cJ/zqc+Y0yFec7Upw==,type:comment]
+        user8: ENC[AES256_GCM,data:2GyFDXIiAN3mTobwnY4czV2Egoin3B5Ih+aet3yT+krPTkPq,iv:NwrzO//HXwKMudgD+yK1hsj9o71RG6BfBle3logvuLE=,tag:WWpioPsnhHvVSrzAmN16Sg==,type:str]
+        #ENC[AES256_GCM,data:vVz6E2juGqXS1Q==,iv:9itEkwMsW8cqSzwV2EZtgJVgaW7aJJ5fw1rLuKFwiKM=,tag:9hRADkot8kELoYAgd6Dz7Q==,type:comment]
+        user9: ENC[AES256_GCM,data:HgSVrry+nKGW9X9N6h8hsI9VETKtSEi+/ZC9QvNZW4zETQxt,iv:ERgmCDPBpboA/+Sxeq6BvWoMxsv3Kkczqb/mbXz9pOk=,tag:bklzRg9toKy//6T8xdtbRw==,type:str]
+        #ENC[AES256_GCM,data:2sHxXec=,iv:aA61+cmDw4rHab7RuRRK3eUDx5d6gpmfw4RpQ6Nd0mc=,tag:H9kovJyn3Te3ir9X234VGA==,type:comment]
+        user10: ENC[AES256_GCM,data:CqrwaZp1fHd/WEGQH3xWI8DZ2/AavCqwTtwZeHmnrct5yoD3,iv:IBOHGQlw+uQt8Ryp/mCDcglfSPNXvvHOjNnrT+7nOHQ=,tag:tEkGEtPaOBK+P3LrQzOLsQ==,type:str]
+        #ENC[AES256_GCM,data:Rw4BWXZutQ==,iv:rXe2i1G/xQkpBl0wh6VIzaNoidCc3JL4sy6v5hcOF/M=,tag:2tZyH8B0ZL7XptKHk6TcAQ==,type:comment]
+        user12: ENC[AES256_GCM,data:CsbquwEn+iOKCzda8z26FYk2i5aPk2xzqGIYORiD4lotvnFE,iv:zHPmlT4LAc6NDjXrExze23dZZFIj0c1eR4WW74cu+qs=,tag:5MDFrZNgv54mK05ImSvpkw==,type:str]
+        #ENC[AES256_GCM,data:vqYkwGVcQ8yZbA==,iv:1ckVSiAgjuT/K0MuVHe8D2hHE7X2qxCHpb+y6nrFCsI=,tag:so9oFl6bXlJT2O+prplazw==,type:comment]
+        user13: ENC[AES256_GCM,data:KUraqncs8iPr7z+COfJ1z0TLNLlgctxy8FCav95+kkVXtStx,iv:Uv90bnVmmQh6f9pKOWmEKCul5VPxF7rrQ9GYrsCGPp8=,tag:I0r5o8xIYuq5/MIXSOHT3Q==,type:str]
+        #ENC[AES256_GCM,data:F2x+2zrePYDkCA==,iv:aTMeqvGVI43xLsN9submgciiJEjY4hYypJ9RJLIBYTE=,tag:quKW+MATVzRw1bda2jGjdg==,type:comment]
+        user16: ENC[AES256_GCM,data:BjnUUnNyqUvvPbfa1CeYvcVbMOwz6/Em4YhxRgmlicOSwro+,iv:LULwzjV5PRihTHNZFJ21IrDG3rW3qX4CYwF4Xu1KdZg=,tag:pZAI4OEx24d6h/h9JyQ/hA==,type:str]
+        #ENC[AES256_GCM,data:aka1O9hn/dZX3Q==,iv:rWik4cYtHY/Z3xQ0p/i49zTXVmKEQDV4OMn12UaQr3Q=,tag:hPm4bugH9RAtsykj0BJ0Pw==,type:comment]
+        user17: ENC[AES256_GCM,data:URZqRUDtG5FDrZDsmI7CFn4ilp97GJtgaVVB+j0dRUdtVGoq,iv:iUkcr6Oo29y5PIGF/GJRltn5DD19yEcBIsJAaYs43AI=,tag:gzSsjeQxvjvfFVkDHPkfvQ==,type:str]
+        #ENC[AES256_GCM,data:JkMniTrakuonAA==,iv:V5KmQL+C5O2mb3ktlm1ITjLaa1NxToQlyToqYbGme9U=,tag:UTZm05uyb5j0Pf9vuxyIxg==,type:comment]
+        user18: ENC[AES256_GCM,data:fFtnkBnaOktHaIfk7dN2U73UkloToiLvP3Pg2VAqPzvTE49h,iv:DZrba7RWmaeOQsqh3Kq/IuFS9so5u5ItK5WwV/65FYE=,tag:v+pOozYvrJJIsj7A/a3S/g==,type:str]
+        #ENC[AES256_GCM,data:gR0WsUYdBZBWjA==,iv:rnXZQaDNu+cEzneEa6/2pO+qUXl/fut8FJ3n90A6ATs=,tag:azNGPfWv+ZgOU/B5PMCVZg==,type:comment]
+        user19: ENC[AES256_GCM,data:S8VSoBIR/RqwctgYPtyIPEK2hXLr4LZ/jJvvFHA6CGgp9/Ff,iv:8eLCZEaiquwZyswwLkLoJcl7UPWTVYmQqZ2egAGFWWM=,tag:VgJiSt8eRcRhppMXkAkmKg==,type:str]
+        #ENC[AES256_GCM,data:vWW1bNyENgcspxI=,iv:xXCrjHyxVtodkVu/wgy1OrHGGm20nEd1iyparWcycYE=,tag:FRu132btquzXkiLXlnq1Iw==,type:comment]
+        user20: ENC[AES256_GCM,data:Wux6pzwor0B1A9d1y0QEpcNnYn1pObloHxghSONHcsQ266/7,iv:jWSuswV6vTQdL764I/zxFC5gkFOa5Qwj54rggmmZX7I=,tag:4hmqBTn0T3a6Sjt9lofwbg==,type:str]
+        #ENC[AES256_GCM,data:IJWHWxbhy+gxhxk=,iv:HzMi211JiVfHUhEJm+q/K0tCjUEXDhollUf8Bm+HVA0=,tag:P22Q/h+DUhhJayZftcvVfg==,type:comment]
+        user21: ENC[AES256_GCM,data:0X5x3SATZm25kVf8cu7TGm2t95DneLAqhP16fRQCtROzyZyg,iv:dmlwRmubnRq2fNdNz3lVlAVYpPjVHkFm60IvPcajjds=,tag:eDJYYf3eRw+FxfaHiRDk5Q==,type:str]
+        #ENC[AES256_GCM,data:O3ovvRYzFrQY,iv:/Zs8e6u7wdp18AacZ3WWBvn5PDtXDnQ6ZyqLiyYmvAY=,tag:HmhKBI3aRCIR34vOEnv1iA==,type:comment]
+        user22: ENC[AES256_GCM,data:ee0naewdOjIxA0QEpmUyOSu++sUJQneEufhJBHiyOR7jAPTU,iv:09fZ0dLUZHp9wM2lCiIcTzFey2AkWBmnUCfq8W3FM6Y=,tag:dHBVo/Ok3Q9vy1pIbWC1Kw==,type:str]
    private-key: ENC[AES256_GCM,data:akNIeVp2bfKvnzlS6KLAdqAo7qsGfPatzCZpN1tNRLhRVXmJCcUDVSmVoA==,iv:2Rny8ioDJ2x+NR+n7/Aluv7JZ+Om3MuJKsXiwONYntg=,tag:a3xubIr7hpVjRiHjFL/q5Q==,type:str]
-acme:
-    token: ENC[AES256_GCM,data:JBeN7SVxKGOe6er0eS7/v8YrXdv0nCK/KZc8Ygq0G7FIGu4hO662kg==,iv:rf59MgUCYlAA5h18wtdWoUyb2VPB13OPuJjz1VsI2dU=,tag:ViPrwduD8aWf8i8vmBG78A==,type:str]
-nginx:
-    detectAuth:
-        chn: ENC[AES256_GCM,data:lQHDpv8/Yl5/nycHoeTnCw==,iv:ernNxRpcTOSAllDpqRFVFg3qEw/slEEPPXDFq1AhNL0=,tag:2AVALUf9cDyOgCqI9wwgQQ==,type:str]
-        led: ENC[AES256_GCM,data:zyCiiH21,iv:iEYyNClDsCpWE2oNjt2NqQZ88xOOlMr0yycjKTPdmlw=,tag:kQfbshXfTBA5PtUAgpgCcA==,type:str]
-        chat: ENC[AES256_GCM,data:pXu0WPWmvUzvl2expDpQPqWwi1A4abg72npsaYXDXRcg6aVU0Ec+tgM2+uz2hT9rh3mNoBxadYXDc/zeOL1UCg==,iv:iln5UGGBK2s5pGS03PtolWTkx6KrnYBAWCFnI0V2Bag=,tag:EahTDoPIBkgWnp4MOoTCmw==,type:str]
-    maxmind-license: ENC[AES256_GCM,data:8OioibcXQ9IZ0OQhJ/zHSBQjfdHzkoqwUx5zR8Zq0atNw6SSf7vKrg==,iv:z6WTI2yeqP0h7EqKG114nRQpFVJlNzZspgS6gIFtpt4=,tag:a0dBt9pXJnncBiSKt9dsAQ==,type:str]
-telegram:
-    token: ENC[AES256_GCM,data:Si6yTh48HpA8OkkkvgHwtJYFhF8tW3oaQbldjwBc09QJxp9AoKgASMnZtbDZYA==,iv:GrNyZXjaZMviSjy/LGHHrYTr5PFvDkCXmT3MU4+SLpc=,tag:YifB1tKFLqsgXB/YLqYK4w==,type:str]
-    chat: ENC[AES256_GCM,data:ydPky0W4ZWqn,iv:uWQrZDz2GCxiKRaijM89Npt0fQeSNHbQzDefkZCkUAE=,tag:OJQwV/889Vp2/4wjbN41JA==,type:str]
+wireguard: ENC[AES256_GCM,data:3h+cpSHULgwlI/zOI0IL4t4diDzm7qWW1sOWZqkFRWCB0CAfGyydGNlZkqA=,iv:pVpmw0aEDssQSr724h9NvJqFMHu0NupDfCSt1RWVnUk=,tag:fonuszujTzeo2HqO1OokEw==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
    age:
        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
          enc: |
@@ -44,8 +60,7 @@ sops:
            Ri9hM3NRTkM4Q1lDdmdPemEweEFBUmcKNLL5qH+JeFWX0GovkPFVVAnz+4tmfG6/
            1jN8YqbMIxf5/L8tauXPf0iIiHa6pUcjtDZPr/OEmeXebmF6Bh9u9Q==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-25T03:19:55Z"
-    mac: ENC[AES256_GCM,data:v6yb7ZYcnPw/8SqEJnSWzmlE17PenjnBH2X8HZp+kIDXzNFyNvD19FcbCBZjwyjBLvN1ZF4M9FS7Y4+CvvMrN/4JcFufcY/V1NrOd8IZisfAT5N3WuopPee4IN9WEyPVOsbFnesZo6/wJKuqlV1UR8UZxCd3/wHXob9Lkz45cBw=,iv:XKIUiRfP0lj8V/Z1HbvhBankdcAjQqM8Way6TWjJJMY=,tag:PLYsVj6BmR132oWsxEKnfg==,type:str]
-    pgp: []
+    lastmodified: "2025-06-09T07:42:38Z"
+    mac: ENC[AES256_GCM,data:fQm8aI6KdoJVxcl4MQP7Q6EZVqmmLFo9A3Hjo/tKZA+VOYvQWFBxIKwy5Cj0SBi4pWsSjwG6pJZ7m6Wh/dDK4KlgkoaXgAYj+efHtScOH5Gkb0sTpAkHNL+/CJ/cO1doXiXRGj47fn1QB9o9WBaomtOWQbzDts4eFs9pdm8TAq4=,iv:91Ilig4j0ELHEatTY7ALKwwr8AzYnRwhKbdWDcufZF4=,tag:UfwaudQTNKu+uryCZjo3mw==,type:str]
    unencrypted_suffix: _unencrypted
-    version: 3.9.0
+    version: 3.10.2
--- a/devices/vps6/default.nix
+++ b/devices/vps6/default.nix
@@ -17,19 +17,16 @@ inputs:
            };
          };
          swap = [ "/nix/swap/swap" ];
-          rollingRootfs = {};
        };
        grub.installDevice = "/dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:0";
        nixpkgs.march = "znver2";
        initrd.sshd = {};
-        networking = {};
-        # do not use cachyos kernel, beesd + cachyos kernel + heavy io = system freeze, not sure why
+        network = {};
      };
      services =
      {
        sshd = {};
-        xray.server.serverName = "vps6.xserver.chn.moe";
-        frpServer = { enable = true; serverName = "frp.chn.moe"; };
+        xray.server = {};
        nginx =
        {
          streamProxy.map =
@@ -63,10 +60,26 @@ inputs:
        beesd."/" = {};
      };
    };
-    specialisation.generic.configuration =
+    networking.nftables.tables.forward =
    {
-      nixos.system.nixpkgs.march = inputs.lib.mkForce null;
-      system.nixos.tags = [ "generic" ];
+      family = "inet";
+      content = let srv2 = inputs.topInputs.self.config.dns."chn.moe".getAddress "wg0.srv2-node0"; in
+      ''
+        chain prerouting {
+          type nat hook prerouting priority dstnat; policy accept;
+          tcp dport 7011 fib daddr type local counter meta mark set meta mark | 4 dnat ip to ${srv2}:22
+        }
+        chain output {
+          type nat hook output priority dstnat; policy accept;
+          # 需要忽略透明代理发出的流量（gid 不是 nginx）
+          meta skgid != ${builtins.toString inputs.config.users.groups.nginx.gid} tcp dport 7011 fib daddr type local \
+            counter meta mark set meta mark | 4 dnat ip to ${srv2}:22
+        }
+        chain postrouting {
+          type nat hook postrouting priority srcnat; policy accept;
+          oifname wg0 meta mark & 4 == 4 counter masquerade
+        }
+      '';
    };
  };
 }
--- a/devices/vps6/secrets.yaml
+++ b/devices/vps6/secrets.yaml
@@ -1,5 +1,3 @@
-frp:
-    token: ENC[AES256_GCM,data:T8b1ku4HNCNSJ+33QgIt1GILFA4wTu3Qd0rDqHPVgdqsGo0R90k0u8z+dElSO7q9PapTqUbZ,iv:hwnMu6JxfYLgw4TyhujX5dI2IAytgZh+Bexhgta6ATQ=,tag:lqgwvXlS/jGPxasmk5Vh3w==,type:str]
 xray-server:
    clients:
        #ENC[AES256_GCM,data:DXEC,iv:SZ1AhmK6fWQ/HGDk97kDUcRN84zQMp99eiz4SpRhig8=,tag:Fkdf28ZvB8XKCxSYdjuuHw==,type:comment]
@@ -7,44 +5,39 @@ xray-server:
        #ENC[AES256_GCM,data:OVgDU+zqcQ==,iv:8KuEqBuL5Ca6pUOFFA+vySJx/h3BhGAAC0CgnxiW46o=,tag:TY1MajSSy2RjKVI2SSAAFw==,type:comment]
        user1: ENC[AES256_GCM,data:S3IHO9FcVHTJOsRxjSohM9MgnrEwLdDpFU+efLkQaXT2jNJG,iv:KOesvPzjDfm1EDLFiegbk0wgjp7di5mUwUuuY2hwvOQ=,tag:ZsYyUyyEhO5S3weCw/gPMw==,type:str]
        #ENC[AES256_GCM,data:OQOPobpbbhajgA==,iv:4jG3bHKzWcR+JnvSlJsc0Qlv5kywqVN5UE96J31CP7Q=,tag:P+jJkRxPu99tLXyO5k6dRA==,type:comment]
-        #ENC[AES256_GCM,data:s6BwbmIwmC1J+vA27pPGh0Q+Rmowkd8ES3hYOny3vX+tjWtW+qiWBz2A9M4=,iv:XXPPaVyP7fEUhNJay2mjjC2f3Vg3wYtBUDoSYQt1Iew=,tag:B2WAfg2Oqwp0t0gE7Jdq6w==,type:comment]
+        user2: ENC[AES256_GCM,data:+MKTpaA8hO8q0kyY0V1csedLOtIf760Vr0+WllGe9lgMJ5da,iv:5txOM3sFOhKVX4EVozb8XHWLU0fUNxCF9YAwTYaTL6c=,tag:jkgOVgiEc5phY1XNETsdpA==,type:str]
        #ENC[AES256_GCM,data:m0iCqLI8ELaPb9g=,iv:bsh7JHILbOZJ+bgGr0U0rDanjUVGgDzYGhboezspEjE=,tag:o7A4SXoCXk5LXmZ1bidg/w==,type:comment]
        user3: ENC[AES256_GCM,data:r+6jXaIj4HJoYLnJcnjJB+WEZlGaoSy/ktc1Aw77hFtNrrGp,iv:P+YUKns1yaOZokH5WkDB0jssGyHg3ncc54tF1PyA7Oc=,tag:/pxMEr7l4ye5EDAOsllxJA==,type:str]
        #ENC[AES256_GCM,data:4gqZh391hg==,iv:No22DrD6EBs2FA4/qH8msWEjs20fc+ZpEeZep+HIv+c=,tag:aHrYNbI83POI4PRj1nd+Yw==,type:comment]
-        #ENC[AES256_GCM,data:RVChRrOl3R8DiKPS7yduAu5RG7d4VkOZ5akRTp18mK7Hz/xQ7FpxlNqGJcQ=,iv:j7naYq9tD+G5dDB8+hyUVosA3p2O4wlkcxIBlO7hRdo=,tag:TvlSmZwTDGLCX7qOR5Clhg==,type:comment]
+        user4: ENC[AES256_GCM,data:/kBaGAqbewLav+WCJPHm1py3pvb7bA/YO2DeBP2FTCZv44wA,iv:iwxV6KHu00oITH/58kBFmf43lkgTU3BHJ/kb9FPnRSE=,tag:ns+6Dvhf/D15bZc0fd6zLA==,type:str]
        #ENC[AES256_GCM,data:AzzKMw==,iv:Z73ISOLhPWP40wTy8PucY3KaB9nS7WQECK3tZFYC1ao=,tag:KJuiCODhHyDl5bXInUSI5g==,type:comment]
        user5: ENC[AES256_GCM,data:iDuLRb4dhLUOjpamioMwoTYrn7Cy+Ln4SaedVXkwVD05rjJ0,iv:AqzBBvLpJuIJCUJq0IyDcHrlqb0e84nQC0c94Rj85uw=,tag:0xou1i/iwAxGngO74OIMXg==,type:str]
-        #ENC[AES256_GCM,data:nTsDaAIVIP28YBCw0XONqWoYziAYhszJhLBlJfbFM6w2NB0nQcYWAanhkkA=,iv:rezGcsfxcAUjTtBFd099TDrV+K59cb0gbJCCVqH+nCA=,tag:5g2Zl82MNuHTf12Tb0GWcg==,type:comment]
        #ENC[AES256_GCM,data:8FxApg==,iv:vPa5p3QVHAvw+ECusWGqx1ugTcHh42CVFDQcMhG59wM=,tag:lHiZtydcYFBQiXnWh8pCrw==,type:comment]
        user7: ENC[AES256_GCM,data:H/jje9ONEY6XuBXTZmTVGIcWUgGSMf5OB1NNRPtqGCgRP1ei,iv:xew+0BkRqz3nfOoBXTPbBv5hRczy/3tgYSKq432q4iw=,tag:da2ljcffiCVJCsMZaNPZyQ==,type:str]
        #ENC[AES256_GCM,data:QdaYYH3RGJ4qIg==,iv:79NBTEKCPtgVVv3G7wg+vdoLOWxc+bdqT1lF4HJpTC8=,tag:8mRFGjy7lBrdyGyX9vaSOQ==,type:comment]
-        #ENC[AES256_GCM,data:hG7EUK7V9QObh7rHKtgTESwNLOf16WXoQrCAAEiK8Nzsr7atwh9DqNIJAww=,iv:3zAY7CImCzvNmsVK/OG3VgYSUL1wdt+keYtuskGO7Gg=,tag:7JeGHrlVkAUOX7bhd8UJaA==,type:comment]
+        user8: ENC[AES256_GCM,data:AnZb12dioiCamubOb6fsGWoM55zfPMeRbu+j8bRRcMfSQFJf,iv:rB+4B11JFC0oS2ExUW18f5WvhnE4EuHh3IiEyxWeY3A=,tag:jt+3yxDvhusvB8ppbdAwzw==,type:str]
        #ENC[AES256_GCM,data:aYWIiLxs1UvupQ==,iv:AisokHuAzD5B6fEF6ak8WfAe151CM3a8MsaWC4uJPnw=,tag:cdk5S4n9ulyWrqsD+jcqYg==,type:comment]
-        #ENC[AES256_GCM,data:C6ri4a3iCXf7I3PWSoPk1y4143TTFugot1MMxdawWxGyfg/P7SYUBMs+T0U=,iv:v2lCOw+p0hJhXNsUpTSCvqNSBtPaPJGMrk6ukJYtB+w=,tag:WXq9rUYDQKN/cZzZ7CFQvA==,type:comment]
+        user9: ENC[AES256_GCM,data:+SA+VcZcy5ckuS/46Dn093VvuqxrIACuqMAMx6Ko5yw0DVdW,iv:TeLXb1WI7uhcPDkXYSlKIxdE6Kz+nCnlB+ZYpWcaF4I=,tag:YB0sPD9yHMARhiMJs7JKcA==,type:str]
        #ENC[AES256_GCM,data:eCl1bK4=,iv:oYA2CFW6OGGrRYx6OHRYJpbEyFh575UjztvHaXA8UG8=,tag:Pw7xsisQB2Dd0KJeWFq6bQ==,type:comment]
-        #ENC[AES256_GCM,data:Gs2pJl4YMPRBDZCmd/1ycXJcArdIb8cUAQ+09OuRm7z/x1ATc9xVr7dE+C4b,iv:JYf4sTzJh7PoQe5yFAC60mJ5zKUIof7QKm5jMfiF5xE=,tag:/CJPT/OmblQvzqkQ1VCP/Q==,type:comment]
-        #ENC[AES256_GCM,data:+s3MMeNU5Q==,iv:CUrg+nNxCpJFbHQmMNXmSE+JcZK6Dfu8cGwtznx3CFY=,tag:G5CYMtao+hz3hs0fPVPmcw==,type:comment]
-        #ENC[AES256_GCM,data:JOabknMamJFImHErEcsrAMuYBXzJkw/Gm0+6rWrer2ePsoOakN/A3ByCPzwQ,iv:wnUFMeGfkUMkkpJBrFswy1SwJzVBDehEoilnzb43MgY=,tag:sXCKkiwtDp9v7ptpuAfOhQ==,type:comment]
+        user10: ENC[AES256_GCM,data:Pec0CVGia/ZIaq7WerZlr0/waJ/Ev1OKwt7V3PBxBSFMLi7p,iv:wYTdhv4Xoe58KBIwV1vk/V4IcdVzQrBgmzGaRD7qHQs=,tag:IZVt5LmjTUge8XntujJlTA==,type:str]
        #ENC[AES256_GCM,data:spyQkQIHwg==,iv:7+0DUK95MPH7lpr+GMbbLu4/5yA11/4gTuLhQKlStfE=,tag:G/gIXML8UhYoCi9FfoTvSA==,type:comment]
-        #ENC[AES256_GCM,data:LRRsL6u+FH3jHa8UAhEXrb3UTQss9piBle2aH2xuuFw0cupmRd5PlSOBIbvQ,iv:0cccpn4bWkrla6COI5g6pDDW1JoVK4UULYteXoJp38s=,tag:+EFlWxGIw7k85Q2RIL/YHg==,type:comment]
+        user12: ENC[AES256_GCM,data:iTZViWyKkCU1y6mvB0NzkXf3I98U/+nCs21ZD6M285YKaU6q,iv:vFgA3sv/7ENcw3gyJLiiHLwroXtVJjAxZXViqjXF3mQ=,tag:u3b9Uu6TIPPYX0TW5X5Sjg==,type:str]
        #ENC[AES256_GCM,data:HueqiREBet2bxQ==,iv:WCjTAGg2gXgBSvY3zc/YyB/1X0XjvphPduVXLsjOwH8=,tag:wC+On6lyyYQ1Dt/BHDvONw==,type:comment]
-        #ENC[AES256_GCM,data:JFKeeVBSBO8pWttZy/fTX1YaVV69Et1GmHVDLZ1E5vUY3BvajjjS04t7V5TG,iv:rZJQTe5+YgJ6X6uPoQcpTw4AF+gQCVSMe7maFetLEPg=,tag:H4ravqgOgQYgVXMayv7tXw==,type:comment]
-        #ENC[AES256_GCM,data:R8lN5T0=,iv:FXLf8Vtjg+PkwNhxXWDViMKqwn7tFMaPhio9zhnudZw=,tag:34gxRH+P9lmkUxlOPKcYMg==,type:comment]
-        #ENC[AES256_GCM,data:dpOaSMuXhIiwb+yD3TgOIKkeWBusQvqHbj4PuvH/anF5/P8JagplDpBSIimJ,iv:PkVIthbA21sFC4J4VmwZ/1HZqA6qbjVPnJoRszmeVbs=,tag:PcXPRYLzuC9F0YfNT4mi3A==,type:comment]
+        user13: ENC[AES256_GCM,data:ID/A7yCWQIWRoU7Emhel2ASZfTweqXYmpC5q6Fm6ptD0XfCu,iv:YrFjIilO4pH+QxVVDTqwkufj2VSC38y9lAJfD8w522I=,tag:1v/T7vWeh0LMi0OL0FVs9g==,type:str]
        #ENC[AES256_GCM,data:4jJkbMD9Psxrag==,iv:arRtRaNrqnYcT7vE3wqgl/y8/65ORaxqTdGw55AKDP8=,tag:pRpta6mXfy0XCyzMA4+cEQ==,type:comment]
-        #ENC[AES256_GCM,data:DeWybZ68gAH4cukohO+OQqeNrnRlUdclGHFeH8aBcn0aq1iWh1UCgtiT5xXd,iv:HYq+CiPWCswr+7+uwUblN8N6T38WU/qu9F5VzaLp4Gg=,tag:YKunlBxH4H71FRSuPxR8Uw==,type:comment]
+        user16: ENC[AES256_GCM,data:esInSvj+a90TAl+b/n9m2iJsH7e6tlQRwSsoLBCy8KA9a0Z3,iv:U4c0pZzqS1s5H6XW3YRSCvDhtxnwCnyKR/tObefX2Rw=,tag:YtY/t4xsmZaj4lC39XQ5SA==,type:str]
        #ENC[AES256_GCM,data:/Kec+CdtnT11EA==,iv:DnmbWfgriaE6XAnMqq2UXhHhN+Rd/3YRodKVUCJo6p4=,tag:NimqZpbslKxwzoljaZqEdw==,type:comment]
-        #ENC[AES256_GCM,data:tkJTZZjJfQdU0EDQw9mmc1GRlSpqdwOdsE/QCw4BedDbixjElKqUC5MPRR/b,iv:/3obljBcGiXJfzlTQivkVcaWWcsiqokuU/DmUTchpwg=,tag:E80OLtqoM5XuGk2/xYBYKw==,type:comment]
+        user17: ENC[AES256_GCM,data:6h343SreoMqz5ZHkdyDI/je4v10r5zBV7cWc6Pj4x5sI2cvE,iv:7WSikMxAZJUnv3+GPq40d8r9JkKRRH/SPW5F5fy5HHY=,tag:6h5Z7+WXT/dLNeEIrC0UGw==,type:str]
        #ENC[AES256_GCM,data:h7E4P6BiGjktYg==,iv:DhkK3NNppBqo3sXt9U7kbgfaBPYcSEX2hu6VOAesDiE=,tag:XoVbZklwCmU1EBhv0ujcSw==,type:comment]
-        #ENC[AES256_GCM,data:LXBBph+nPScs6CSHPKwMSvcgFtWrmcOHEhhDZUNClb/7ixJFno82QnRwrnTp,iv:00I8csKFj65qeK8RPbbQ18oQZBrYKeFV3eGwfFXyGDc=,tag:uWUPNfu5Tmqr2LDkijc5cA==,type:comment]
+        user18: ENC[AES256_GCM,data:HJj0e6EHXEYmDXlZcS8UlfEQo/4y47w3sYKgb2Ojq6E4vMdE,iv:xThlGl/DDLLgoY5VkBSCx9HIvxy2ZlO5Q987vIMu0lA=,tag:gB07jP6Do4/6RmVaLB3Ecg==,type:str]
        #ENC[AES256_GCM,data:qGsMmWrUIzVdHw==,iv:DXayEA5zquwOzm+TqECYNHM98r0WSzcP3gA8zkzdPy4=,tag:OKTx12RqP9VxJQOnrBLkmw==,type:comment]
-        #ENC[AES256_GCM,data:ttTvPgRtQ4tYmYBSNaO+Bbs/Kz85vuNX+2Od4cOG6yD9yqrSdfLRwVvedVol,iv:ZWZX5rytwefvte/NgNlmmp9FN9vuZ62KVhVgVwX+g7s=,tag:uXx87i/ly6GkLgXA4+QULw==,type:comment]
+        user19: ENC[AES256_GCM,data:unW8dOhNbPNLWd7X2prpD82tcqUua7msq8nX3ykFs8STsuto,iv:OLaZ9XQDFGaA1VENgsSn/3HQXp957Zf9MD9GPZ4KLE8=,tag:UK27LK+De3AzbI2mEIsQpw==,type:str]
        #ENC[AES256_GCM,data:1g2gohLbiixMes8=,iv:E3HA6cAdv3BdLMcrrcWW4Zsc2KLtW7L8Xrk9Z57l49o=,tag:rZ7W9ckf7lzJ23u5zwQiwg==,type:comment]
        user20: ENC[AES256_GCM,data:3UbVnn9oMRc0zZR46tWxwM9VFOvMOYm690csUomEVBcS3xPm,iv:KHuPXttLAFr7WT/qa/UYLY8GRsPWYZPyKNmdUh4iFQQ=,tag:jN8rQ0Gv+qnhwOWGH+CwlA==,type:str]
        #ENC[AES256_GCM,data:GzxXsTbEvdHV7A0=,iv:uxUG4hnYEsmJtnqbEwamwhtLt3UClt7ktmkGyAFdxsc=,tag:sF8YQ2cejAezI3Bbp9qKIw==,type:comment]
        user21: ENC[AES256_GCM,data:hgDJ11crZaWcKrc+ZDQklXwpnvt/sMbARkx3sLZfQGZqQZeA,iv:2Re+hdJuT5yg/qTymfpN+KdU3criOmwuqqg+SHb8iAo=,tag:s16N6u5cRDaoWxnrCkamuw==,type:str]
        #ENC[AES256_GCM,data:U0CcBBJraJj9,iv:9kuHsHkSDdDT0Gi/3Oy608RArrg+4cgeii5zWbsGuPA=,tag:EvqqMNvNcWBwie28t0+52w==,type:comment]
-        #ENC[AES256_GCM,data:FnindYeqk6g6aZgajHVejfHPqeF+uSX3QzbrDS6XLZz52aQF5ZQSiJQCaDha,iv:c/mrS0jfy5EzQe4Tkm0QqBH9/okJnCsRZFGhzSjeit0=,tag:e5otDw+I2d7moybCx4jeqw==,type:comment]
+        user22: ENC[AES256_GCM,data:LClSrxtBzuJUD4J4QaYXHUr8XSi+N7Zh193j/YeBZRm9sjgf,iv:djiq3+iVnuKK2HveoCm/j8FezzrHRGnjbyoO6iGm6eA=,tag:N5hqYyvJGxnwT8wbxdnjiA==,type:str]
    private-key: ENC[AES256_GCM,data:ts/LRGFAsYqvGvkvlxUI42IW1a8cGsSkpZhMDd3QVceRKvhPb1SRDaXoSw==,iv:6xX9xFIFUNlLBZ6CPBOz9JbHpvC4+QG9ZaCZcWdl12c=,tag:DYIa+QTV8vyl1l7OKKykTw==,type:str]
 send:
    redis-password: ENC[AES256_GCM,data:6zVKw9AmKwSWvHUZhzy0F2KcJW96uFoZY/N1Zq8ilUJOLZeX,iv:viwLIgJz9v8oadr8784OgETbEsxzGsJvVoxmOwWEFxo=,tag:XEYFnoCGwlnrkqaUbgeH+Q==,type:str]
@@ -71,7 +64,7 @@ sops:
            ZXFTU3ZCaW1pTVh0RUJzdDdGdHlPYTgK2mlgcX2kEc8+2UDdBnhUm6IIuh8V6agW
            ooxH9OEPXUVI/4JcDo4v8ZUhAyU1ehLH0Ef7PJCChOZe2KZmWSNbhA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-05-18T07:37:52Z"
-    mac: ENC[AES256_GCM,data:nfUU2BsDuErJGm8sVB9shRv4N+cIFZmAF1vWF4iZmcJwjP2PekVWcp4COPAlapy5oVhMutr39oW6VsltTR27jVxhI4+dueurMU7KRLD5Bwpk5hQmMAfZxvl4GaP50zehJbCwfApiX9CcjwCUxUjraTs4rG6LK2+8d5Z0PYosm2A=,iv:TR63cpbe3z0K4bWpbEnv/DE9jnAJV1Zv+Aj0HXoA16Y=,tag:fS78JUapMvBtZCFtM1z07A==,type:str]
+    lastmodified: "2025-06-12T23:51:02Z"
+    mac: ENC[AES256_GCM,data:3QxWxinb3a7jvmHJO1kcePNwd/igurjFWVJw/sGKBuZpo47LU+W8132b9GpKs79AedDa5BM5yu0XN+CPrkviMcNuX5a3lLy8oI22a1N8fuKjEehld1Jq/boitGIsgJgb/M0Hn6yIq1ytuWuxoj2cOvmkEfNuyWRew+htI4DhJ/E=,iv:OyCWfcn218oaA970T9miIWIGSwOFeUbtWI0xO/02Hrw=,tag:c8riJplInFN1ZSPH3ze0QQ==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.10.2
--- a/devices/xmuhk/README.md
+++ b/devices/xmuhk/README.md
@@ -0,0 +1,21 @@
+# install nix
+
+1. download [nix-portable](https://github.com/DavHau/nix-portable),
+  move the executable file to `$PATH`, rename it to `nix-portable` and make it executable.
+2. create several symlinks (including `nix` `nix-store` etc.) to it.
+3. create file `~/.config/nix/nix.conf` with the following content: `ignored-acls = lustre.lov`
+4. run `nix --version`, wait for it to initialize and print the version.
+
+# install or update packages
+
+1. run `nix build github:CHN-beta/nixos#xmuhk` elsewhere (on NixOS is better, to avoid impure from FHS envs)
+2. `nix-store --export $(nix-store -qR ./result) | xz -T0 | pv > xmuhk.nar.xz`
+3. copy `xmuhk.nar.xz` to hpc, import it with `cat xmuhk.nar.xz | nix-store --import`
+4. create gcroot symlink: `ln -s /nix/store/xxxx-xmuhk ~/.nix-portable/nix/var/nix/gcroots/current`
+5. optionally `nix gc`
+6. create `nix-exec` in `$PATH` with the following content, make it executable:
+   ```sh
+   #!/usr/bin/env sh
+   nix shell ~/.nix-portable/nix/var/nix/gcroots/current -c "$(basename "$0")" "$@"
+   ```
+7. make symlinks to `nix-exec` for needed commands, e.g. `ln -s singularity nix-exec`
--- a/devices/xmuhk/default.nix
+++ b/devices/xmuhk/default.nix
@@ -0,0 +1,71 @@
+# sudo nix build --store 'local?store=/public/home/xmuhk/.nix/store&state=/public/home/xmuhk/.nix/state&log=/public/home/xmuhk/.nix/log' .#xmuhk
+# sudo nix-store --store 'local?store=/public/home/xmuhk/.nix/store&state=/public/home/xmuhk/.nix/state&log=/public/home/xmuhk/.nix/log' -qR ./result | sudo xargs nix-store --store --store 'local?store=/public/home/xmuhk/.nix/store&state=/public/home/xmuhk/.nix/state&log=/public/home/xmuhk/.nix/log' --export > data.nar
+# cat data.nar | nix-store --import
+{ inputs, localLib }:
+let
+  pkgs = import inputs.nixpkgs (localLib.buildNixpkgsConfig
+  {
+    inputs = { inherit (inputs.nixpkgs) lib; topInputs = inputs; };
+    nixpkgs = { march = null; cuda = null; nixRoot = "/public/home/xmuhk/.nix"; };
+  });
+  # go = pkgs.go.overrideAttrs (prev:
+  # {
+  #   buildInputs = builtins.filter (x: x != pkgs.glibc.static) prev.buildInputs;
+  # });
+  # buildGoModule = pkgs.buildGoModule.override { inherit go; };
+  # singularity = (pkgs.singularity.override { inherit buildGoModule; }).overrideAttrs (prev:
+  # {
+  #   configureFlags = builtins.filter (x: x != "--without-libsubid") prev.configureFlags;
+  #   buildInputs = prev.buildInputs ++ [ pkgs.shadow ];
+  #   # env.CGO_ENABLED = "1";
+  #   # autoPatchelfFlags = [ "--keep-libc" ];
+  # });
+  singularity = pkgs.singularity.overrideAttrs (prev:
+  {
+    configureFlags = builtins.filter (x: x != "--without-libsubid") prev.configureFlags;
+    buildInputs = prev.buildInputs ++ [ pkgs.shadow ];
+    # env.CGO_ENABLED = "1";
+    # autoPatchelfFlags = [ "--keep-libc" ];
+  });
+  lumericalLicenseManager = 
+    let
+      ip = "${pkgs.iproute2}/bin/ip";
+      awk = "${pkgs.gawk}/bin/awk";
+      sed = "${pkgs.gnused}/bin/sed";
+      chmod = "${pkgs.coreutils}/bin/chmod";
+      sing = "${singularity}/bin/singularity";
+    in pkgs.writeShellScriptBin "lumericalLicenseManager"
+    ''
+      echo "Cleaning up..."
+      rm -rf /tmp/lumerical
+      mkdir -p /tmp/lumerical
+
+      echo 'Searching for en* interface...'
+      iface=$(${ip} -o link show | ${awk} -F': ' '/^[0-9]+: en/ {print $2; exit}')
+      if [ -n "$iface" ]; then
+        echo "Found interface: $iface"
+        echo 'Extracting MAC address...'
+        mac=$(${ip} link show "$iface" | ${awk} '/link\/ether/ {print $2}' | ${sed} 's/://g')
+        echo "Extracted MAC address: $mac"
+      else
+        echo "No interface starting with 'en' found." >&2
+        exit 1
+      fi
+
+      echo 'Creating license file...'
+      cp ${inputs.self.src.lumerical.licenseManager.sifImageFile} /tmp/lumerical/license.txt
+      ${chmod} +w /tmp/lumerical/license.txt
+      ${sed} -i "s|xxxxxxxxxxxxx|$mac|" /tmp/lumerical/license.txt
+      ${sed} -i 's|2022.1231|2035.1231|g' /tmp/lumerical/license.txt
+
+      echo "Starting license manager..."
+      ${sing} run --pwd /home/ansys_inc/shared_files/licensing --writable-tmpfs \
+        ${inputs.self.src.lumerical.licenseManager.sifImageFile}
+    '';
+in pkgs.symlinkJoin
+{
+  name = "xmuhk";
+  paths = (with pkgs; [ hello ]) ++ [ lumericalLicenseManager ];
+  postBuild = "echo ${inputs.self.rev or "dirty"} > $out/.version";
+  passthru = { inherit pkgs singularity; };
+}
--- a/devices/xmuhk/files/.config/nix/nix.conf
+++ b/devices/xmuhk/files/.config/nix/nix.conf
@@ -0,0 +1 @@
+store = local?store=/public/home/xmuhk/.nix/store&state=/public/home/xmuhk/.nix/state&log=/public/home/xmuhk/.nix/log
--- a/doc/todo.md
+++ b/doc/todo.md
@@ -1,7 +1,14 @@
-* 完善 slurm 文档，调整 slurm 设置：内存，nice
-* 调整 sbatch-tui 选项
-* 打包 cachyos
+* 测试 huggin rsshub
 * 打包 intel 编译器
 * 切换到 niri，清理 plasma
 * 调整其它用户的 zsh 配置
 * 调整 motd
+* 找到 wg1 不能稳定工作的原因；确定 persistentKeepalive 发包的协议、是否会被正确 NAT。
+* 备份系统
+* 备份数据
+* 清理 mariadb，移动到 persistent
+* 清理多余文件
+* 移动日志到 persistent
+* 更新 srv1
+* 告知将代理改到 xserver2
+* 准备单独一个的 archive
--- a/flake.lock
+++ b/flake.lock
@@ -3,12 +3,12 @@
    "blog": {
      "flake": false,
      "locked": {
-        "lastModified": 1748496213,
+        "lastModified": 1748787595,
        "lfs": true,
-        "narHash": "sha256-yoJ8G3ZmYu/qdDBckj/qz5ErOtpBlqHBqxMaL3ZTKuI=",
+        "narHash": "sha256-FFkwHb9DEdBjBaaH6JuhlmpP7ReSEWTy79P3i/eH708=",
        "ref": "refs/heads/public",
-        "rev": "005a0715053936815c5e4be26236915d915d81c2",
-        "revCount": 29,
+        "rev": "d9020a59f07f7ced60c854f324df8879b249e8b6",
+        "revCount": 32,
        "type": "git",
        "url": "https://git.chn.moe/chn/blog-public.git"
      },
@@ -38,18 +38,23 @@
        "type": "github"
      }
    },
-    "cachyos-lts": {
+    "buildproxy": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
      "locked": {
-        "lastModified": 1743535541,
-        "narHash": "sha256-OlBtXY26w9OcAmpqrTvxaG4/rfDdavauQF2eRxb+ySs=",
-        "owner": "drakon64",
-        "repo": "nixos-cachyos-kernel",
-        "rev": "8516d89c4e0c4a25cea1be8431db3963359ee81b",
+        "lastModified": 1709212359,
+        "narHash": "sha256-La70ax79Hrp/Vz2G3gzI4fLgRd2z3lJrYLvCf+xcTj4=",
+        "owner": "polygon",
+        "repo": "nix-buildproxy",
+        "rev": "c26d73992ddae96812501b5ae1cc45037d8b10be",
        "type": "github"
      },
      "original": {
-        "owner": "drakon64",
-        "repo": "nixos-cachyos-kernel",
+        "owner": "polygon",
+        "repo": "nix-buildproxy",
        "type": "github"
      }
    },
@@ -498,12 +503,12 @@
    "nixos-wallpaper": {
      "flake": false,
      "locked": {
-        "lastModified": 1744994349,
+        "lastModified": 1749300029,
        "lfs": true,
-        "narHash": "sha256-DMVWLep/yoR05kfYqjQxazjZXEUw/CRLoELajXQq3eM=",
+        "narHash": "sha256-m5rQGDo9sogrNFtHNdf4CiUe4odqOVStj03ikUQX7NE=",
        "ref": "refs/heads/main",
-        "rev": "5e4d102f5da8c27589083fb90e3f6edd8383ced8",
-        "revCount": 6,
+        "rev": "8da808801224ac49758e4df095922be0c84650c8",
+        "revCount": 8,
        "type": "git",
        "url": "https://git.chn.moe/chn/nixos-wallpaper.git"
      },
@@ -515,11 +520,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1748494270,
-        "narHash": "sha256-SRyjwD3RfMXpY0/69WErFQ/P8UG1aD5qQQNvEd/NGLs=",
+        "lastModified": 1749016257,
+        "narHash": "sha256-Vi+QhXm6Kau233v7ijtdD5aNpE4RpnUjRUhXGwi7pxk=",
        "owner": "CHN-beta",
        "repo": "nixpkgs",
-        "rev": "3eb4afeaf2384476d35dbb5dc51675c5ec1d2b62",
+        "rev": "5835771b10e3197408d3ac7d32558c8e2ae0ab8d",
        "type": "github"
      },
      "original": {
@@ -610,11 +615,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1746921044,
-        "narHash": "sha256-R4hz/Wl2QZDbgj09u9tDdQKY8SS9JIm0F2wc9LKOjD0=",
+        "lastModified": 1750554037,
+        "narHash": "sha256-XE/lFNhz5lsriMm/yjXkvSZz5DfvKJLUjsS6pP8EC50=",
        "owner": "CHN-beta",
        "repo": "nixpkgs",
-        "rev": "5d04a9f5d569ed7632ee926021d6ab35729fd8d4",
+        "rev": "f6b1f449aa69592d8f9bce2d4141766b667294ac",
        "type": "github"
      },
      "original": {
@@ -713,16 +718,17 @@
    "openxlsx": {
      "flake": false,
      "locked": {
-        "lastModified": 1745313465,
-        "narHash": "sha256-HOYgrF3eU8yZIML6Soz7MHXlHpM4TB71zM/IGzwLHRY=",
+        "lastModified": 1716560554,
+        "narHash": "sha256-Aqn1830lG4g7BbwEeePhvGawLarmrIMnF2MXROTUBCw=",
        "owner": "troldal",
        "repo": "OpenXLSX",
-        "rev": "86af3b043f6b13b09e591a920a49ea1f9724d4a1",
+        "rev": "f85f7f1bd632094b5d78d4d1f575955fc3801886",
        "type": "github"
      },
      "original": {
        "owner": "troldal",
        "repo": "OpenXLSX",
+        "rev": "f85f7f1bd632094b5d78d4d1f575955fc3801886",
        "type": "github"
      }
    },
@@ -824,7 +830,7 @@
      "inputs": {
        "blog": "blog",
        "bscpkgs": "bscpkgs",
-        "cachyos-lts": "cachyos-lts",
+        "buildproxy": "buildproxy",
        "catppuccin": "catppuccin",
        "concurrencpp": "concurrencpp",
        "cppcoro": "cppcoro",
@@ -860,6 +866,7 @@
        "rycee": "rycee",
        "sops-nix": "sops-nix",
        "sqlite-orm": "sqlite-orm",
+        "sticker": "sticker",
        "stickerpicker": "stickerpicker",
        "tgbot-cpp": "tgbot-cpp",
        "ufo": "ufo",
@@ -936,6 +943,24 @@
        "type": "github"
      }
    },
+    "sticker": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1748842256,
+        "lfs": true,
+        "narHash": "sha256-os0NWrft+N/HFy/+WRWup4fOHZLSLHANejih7qdXPxA=",
+        "ref": "refs/heads/main",
+        "rev": "2826c739c5602c5998afdcb3d041d521a214429a",
+        "revCount": 1,
+        "type": "git",
+        "url": "https://git.chn.moe/chn/sticker.git"
+      },
+      "original": {
+        "lfs": true,
+        "type": "git",
+        "url": "https://git.chn.moe/chn/sticker.git"
+      }
+    },
    "stickerpicker": {
      "flake": false,
      "locked": {
--- a/flake.nix
+++ b/flake.nix
@@ -3,7 +3,6 @@

  inputs =
  {
-    self.lfs = true;
    nixpkgs.url = "github:CHN-beta/nixpkgs/nixos-25.05";
    nixpkgs-2411.url = "github:CHN-beta/nixpkgs/nixos-24.11";
    nixpkgs-2311.url = "github:CHN-beta/nixpkgs/nixos-23.11";
@@ -26,8 +25,8 @@
    };
    catppuccin = { url = "github:catppuccin/nix"; inputs.nixpkgs.follows = "nixpkgs"; };
    bscpkgs = { url = "github:CHN-beta/bscpkgs"; inputs.nixpkgs.follows = "nixpkgs"; };
-    cachyos-lts.url = "github:drakon64/nixos-cachyos-kernel";
    nixvirt = { url = "github:CHN-beta/NixVirt"; inputs.nixpkgs.follows = "nixpkgs"; };
+    buildproxy = { url = "github:polygon/nix-buildproxy"; inputs.nixpkgs.follows = "nixpkgs"; };

    misskey = { url = "git+https://github.com/CHN-beta/misskey?submodules=1"; flake = false; };
    rsshub = { url = "github:DIYgod/RSSHub"; flake = false; };
@@ -42,7 +41,7 @@
    rycee = { url = "gitlab:rycee/nur-expressions"; flake = false; };
    lepton = { url = "github:black7375/Firefox-UI-Fix"; flake = false; };
    mumax = { url = "github:CHN-beta/mumax"; flake = false; };
-    openxlsx = { url = "github:troldal/OpenXLSX"; flake = false; };
+    openxlsx = { url = "github:troldal/OpenXLSX?rev=f85f7f1bd632094b5d78d4d1f575955fc3801886"; flake = false; };
    sqlite-orm = { url = "github:fnc12/sqlite_orm"; flake = false; };
    nc4nix = { url = "github:helsinki-systems/nc4nix"; flake = false; };
    hextra = { url = "github:imfing/hextra"; flake = false; };
@@ -57,9 +56,10 @@
    fancy-motd = { url = "github:CHN-beta/fancy-motd"; flake = false; };
    mac-style = { url = "github:SergioRibera/s4rchiso-plymouth-theme?lfs=1"; flake = false; };
    phono3py = { url = "github:phonopy/phono3py"; flake = false; };
+    sticker = { url = "git+https://git.chn.moe/chn/sticker.git?lfs=1"; flake = false; };
  };

-  outputs = inputs: let localLib = import ./flake/lib.nix inputs.nixpkgs.lib; in
+  outputs = inputs: let localLib = import ./flake/lib inputs.nixpkgs.lib; in
  {
    packages.x86_64-linux = import ./flake/packages.nix { inherit inputs localLib; };
    nixosConfigurations = import ./flake/nixos.nix { inherit inputs localLib; };
--- a/flake/branch.nix
+++ b/flake/branch.nix
@@ -1 +1 @@
-"next"
+"production"
--- a/flake/dns/config/chn.moe.nix
+++ b/flake/dns/config/chn.moe.nix
@@ -5,11 +5,11 @@ let
    autoroute = [ "api" "git" "grafana" "matrix" "peertube" "send" "synapse" "vikunja" "铜锣湾" ];
    nas = [ "initrd.nas" ];
    office = [ "srv2-node0" ];
-    vps4 = [ "initrd.vps4" "xserver.vps4" ];
+    vps4 = [ "initrd.vps4" "xserver2.vps4" ];
    vps6 =
    [
-      "blog" "catalog" "coturn" "element" "frp" "initrd.vps6" "misskey" "sticker" "synapse-admin" "tgapi"
-      "ua" "vps6.xserver" "铜锣湾实验室"
+      "blog" "catalog" "coturn" "element" "initrd.vps6" "misskey" "sticker" "synapse-admin" "tgapi"
+      "ua" "xserver2" "xserver2.vps6" "铜锣湾实验室"
    ];
    "xlog.autoroute" = [ "xlog" ];
    "wg0.srv1-node0" = [ "wg0.srv1" ];
@@ -17,11 +17,12 @@ let
    srv3 =
    [
      "chat" "freshrss" "huginn" "initrd.srv3" "nextcloud" "photoprism" "rsshub" "ssh.git" "vaultwarden" "webdav"
-      "xserver.srv3" "example"
+      "xserver2.srv3" "example"
    ];
    srv1-node0 = [ "srv1" ];
    srv2-node0 = [ "srv2" ];
    "wg1.pc" = [ "nix-store" ];
+    "wg1.nas" = [ "nix-store.nas" ];
  };
  a =
  {
--- a/modules/system/nixpkgs/buildNixpkgsConfig.nix
+++ b/modules/system/nixpkgs/buildNixpkgsConfig.nix
@@ -18,10 +18,10 @@ let
      inherit allowInsecurePredicate;
      allowUnfree = true;
      android_sdk.accept_license = true;
+      allowBroken = true;
    }
    // (inputs.lib.optionalAttrs (nixpkgs.march != null)
    {
-      # TODO: test znver3 do use AVX
      oneapiArch = let match = {}; in match.${nixpkgs.march} or nixpkgs.march;
      nvhpcArch = nixpkgs.march;
      # contentAddressedByDefault = true;
@@ -35,12 +35,11 @@ in platformConfig //
  [
    inputs.topInputs.nur-xddxdd.overlays.inSubTree
    inputs.topInputs.nix-vscode-extensions.overlays.default
+    inputs.topInputs.buildproxy.overlays.default
    (final: prev:
    {
      inherit (inputs.topInputs.nix-vscode-extensions.overlays.default final prev) nix-vscode-extensions;
      firefox-addons = (import "${inputs.topInputs.rycee}" { inherit (prev) pkgs; }).firefox-addons;
-      linuxPackages_cachyos_lts =
-        final.linuxPackagesFor (inputs.topInputs.cachyos-lts.overlays.default final prev).linuxPackages_cachyos;
    })
    inputs.topInputs.self.overlays.default
    (final: prev:
@@ -58,6 +57,7 @@ in platformConfig //
        };
        libvirt = (prev.libvirt.override { iptables = final.nftables; }).overrideAttrs
          (prev: { patches = prev.patches or [] ++ [ ./libvirt.patch ]; });
+        podman = prev.podman.override { iptables = final.nftables; };
        root = (prev.root.override { stdenv = final.gcc13Stdenv; }).overrideAttrs (prev:
        {
          patches = prev.patches or [] ++ [ ./root.patch ];
@@ -75,41 +75,7 @@ in platformConfig //
            pkgs-unstable =
            {
              source = "nixpkgs-unstable";
-              overlay = final: prev:
-                (inputs.topInputs.self.overlays.default final prev);
-                # {
-                #   ollama = prev.ollama.override { cudaPackages = final.cudaPackages_12_8; };
-                # }
-                # // inputs.lib.optionalAttrs (nixpkgs.march != null)
-                # {
-                #   pythonPackagesExtensions = prev.pythonPackagesExtensions or [] ++ [(final: prev:
-                #   {
-                #     scipy = prev.scipy.overridePythonAttrs (prev:
-                #       { disabledTests = prev.disabledTests or [] ++ [ "test_hyp2f1" ]; });
-                #     rapidocr-onnxruntime = prev.rapidocr-onnxruntime.overridePythonAttrs { doCheck = false; };
-                #     cfn-lint = prev.cfn-lint.overridePythonAttrs { doCheck = false; };
-                #   })];
-                #   rapidjson = prev.rapidjson.overrideAttrs { doCheck = false; };
-                #   ctranslate2 = (prev.ctranslate2.override { withCUDA = false; withCuDNN = false; })
-                #     .overrideAttrs (prev:
-                #       { cmakeFlags = prev.cmakeFlags or [] ++ [ "-DENABLE_CPU_DISPATCH=OFF" ]; });
-                #   valkey = prev.valkey.overrideAttrs { doCheck = false; };
-                # }
-                # // inputs.lib.optionalAttrs
-                #   (builtins.elem nixpkgs.march [ "skylake" "silvermont" "broadwell" "znver3" ])
-                #   { redis = prev.redis.overrideAttrs { doCheck = false; }; }
-                # // inputs.lib.optionalAttrs (prev.stdenv.hostPlatform.avx2Support)
-                # {
-                #   haskellPackages = prev.haskellPackages.override
-                #   {
-                #     overrides = final: prev:
-                #     {
-                #       crypton = prev.crypton.overrideAttrs
-                #         (prev: { configureFlags = prev.configureFlags or [] ++ [ "--ghc-option=-optc-mno-avx2" ]; });
-                #     };
-                #   };
-                # }
-                #   // (inputs.topInputs.self.overlays.default final prev);
+              overlay = inputs.topInputs.self.overlays.default;
            };
          };
          packages = name: import inputs.topInputs.${source.${name}.source or source.${name}}
@@ -123,6 +89,8 @@ in platformConfig //
      )
      // (inputs.lib.optionalAttrs (prev.stdenv.hostPlatform.avx512Support)
        { gsl = prev.gsl.overrideAttrs { doCheck = false; }; })
+      // (inputs.lib.optionalAttrs (nixpkgs.march != null && !prev.stdenv.hostPlatform.avx512Support)
+        { libhwy = prev.libhwy.override { stdenv = final.genericPackages.stdenv; }; })
      // (inputs.lib.optionalAttrs (nixpkgs.march != null)
      {
        libinsane = prev.libinsane.overrideAttrs (prev:
@@ -139,7 +107,6 @@ in platformConfig //
            sed -i '/CPPUNIT_TEST.testDubiousArrayFormulasFODS/d' sc/qa/unit/functions_array.cxx
          '';});});
        opencolorio = prev.opencolorio.overrideAttrs (prev: { doCheck = false; });
-        # TODO: maybe something really broken?
        openvswitch = prev.openvswitch.overrideAttrs (prev: { doCheck = false; });
        rapidjson = prev.rapidjson.overrideAttrs { doCheck = false; };
        valkey = prev.valkey.overrideAttrs { doCheck = false; };
@@ -147,17 +114,18 @@ in platformConfig //
        # https://github.com/embree/embree/issues/115
        embree = prev.embree.override { stdenv = final.genericPackages.stdenv; };
        simde = prev.simde.override { stdenv = final.genericPackages.stdenv; };
+        ctranslate2 = prev.ctranslate2.overrideAttrs (prev:
+          { cmakeFlags = prev.cmakeFlags or [] ++ [ "-DENABLE_CPU_DISPATCH=OFF" ]; });
        pythonPackagesExtensions = prev.pythonPackagesExtensions or [] ++ [(final: prev:
-        {
-          scipy = prev.scipy.overridePythonAttrs (prev:
-            { disabledTests = prev.disabledTests or [] ++ [ "test_hyp2f1" ]; });
-          rich = prev.rich.overridePythonAttrs (prev:
-            { disabledTests = prev.disabledTests or [] ++ [ "test_brokenpipeerror" ]; });
-          # paperwork-backend = prev.paperwork-backend.overrideAttrs (prev: { doCheck = false; });
-        })];
+        (
+          {
+            scipy = prev.scipy.overridePythonAttrs (prev:
+              { disabledTests = prev.disabledTests or [] ++ [ "test_hyp2f1" ]; });
+            rich = prev.rich.overridePythonAttrs (prev:
+              { disabledTests = prev.disabledTests or [] ++ [ "test_brokenpipeerror" ]; });
+          }
+        ))];
        inherit (final.pkgs-2411) intelPackages_2023;
      })
-      # // (inputs.lib.optionalAttrs (nixpkgs.march == "silvermont")
-      #   { c-blosc = prev.c-blosc.overrideAttrs { doCheck = false; }; })
  )];
 }
--- a/flake/lib/buildNixpkgsConfig/libvirt.patch
+++ b/flake/lib/buildNixpkgsConfig/libvirt.patch
--- a/flake/lib/buildNixpkgsConfig/root.patch
+++ b/flake/lib/buildNixpkgsConfig/root.patch
--- a/flake/lib/buildNixpkgsConfig/telegram.patch
+++ b/flake/lib/buildNixpkgsConfig/telegram.patch
--- a/flake/lib/default.nix
+++ b/flake/lib/default.nix
@@ -86,4 +86,6 @@ lib: rec
      if (builtins.typeOf pattern) != "list" then throw "pattern should be a list"
      else if pattern == [] then origin
      else deepReplace (builtins.tail pattern) (replace ((builtins.head pattern) // { content = origin; }));
+  
+  buildNixpkgsConfig = import ./buildNixpkgsConfig;
 }
--- a/flake/packages.nix
+++ b/flake/packages.nix
@@ -23,27 +23,32 @@
      version = inputs.self.rev or "dirty";
      stdenv = pkgs.pkgsStatic.gcc14Stdenv;
    };
-  inherit (pkgs.localPackages) blog;
  inherit (pkgs.localPackages.pkgsStatic) chn-bsub;
  vaspberry = pkgs.pkgsStatic.localPackages.vaspberry.override
  {
    gfortran = pkgs.pkgsStatic.gfortran;
    lapack = pkgs.pkgsStatic.openblas;
  };
-  jykang = import ../devices/jykang.xmuhpc inputs;
+  jykang = import ../devices/jykang.xmuhpc { inherit inputs localLib; };
+  xmuhk = import ../devices/xmuhk { inherit inputs localLib; };
  src =
    let getDrv = x:
      if pkgs.lib.isDerivation x then [ x ]
      else if builtins.isAttrs x then builtins.concatMap getDrv (builtins.attrValues x)
      else if builtins.isList x then builtins.concatMap getDrv x
      else [];
-    in pkgs.writeClosure (getDrv (inputs.self.outputs.src));
+    in pkgs.concatText "src" (getDrv (inputs.self.outputs.src));
  dns-push = pkgs.callPackage ./dns
  {
    inherit localLib;
    tokenPath = inputs.self.nixosConfigurations.pc.config.sops.secrets."acme/token".path;
    octodns = pkgs.octodns.withProviders (_: with pkgs.octodns-providers; [ cloudflare ]);
  };
+  archive =
+    let devices =
+      [ "nas" "one" "pc" "srv1-node0" "srv1-node1" "srv1-node2" "srv2-node0" "srv2-node1" "srv3" "vps4" "vps6" ];
+    in pkgs.writeText "archive" (builtins.concatStringsSep "\n" (builtins.map
+      (d: "${inputs.self.outputs.nixosConfigurations.${d}.config.system.build.toplevel}") devices));
 }
 // (builtins.listToAttrs (builtins.map
  (system: { inherit (system) name; value = system.value.config.system.build.toplevel; })
--- a/flake/src.nix
+++ b/flake/src.nix
@@ -64,6 +64,52 @@
    finalImageTag = "latest";
  };
  misskey = {};
+  lumerical =
+  {
+    lumerical = pkgs.requireFile
+    {
+      name = "lumerical.zip";
+      sha256 = "03nfacykfzal29jdmygrgkl0fqsc3yqp4ig86h1h9sirci87k94c";
+      hashMode = "recursive";
+      message = "Source not found.";
+    };
+    licenseManager =
+    {
+      crack = pkgs.requireFile
+      {
+        name = "crack";
+        sha256 = "1a1k3nlaidi0kk2xxamb4pm46iiz6k3sxynhd65y8riylrkck3md";
+        hashMode = "recursive";
+        message = "Source file not found.";
+      };
+      src = pkgs.requireFile
+      {
+        name = "src";
+        sha256 = "1h93r0bb37279dzghi3k2axf0b8g0mgacw0lcww5j3sx0sqjbg4l";
+        hashMode = "recursive";
+        message = "Source file not found.";
+      };
+      image = "7bb3a43bd1ad6103a57f700b13d11d486b6ea117838201e4a29d79b33ac72e3a";
+      imageFile = pkgs.requireFile
+      {
+        name = "lumericalLicenseManager.tar";
+        sha256 = "ftEZADv8Mgo5coNKs+gxPZPl/YTV3FMMgrF3wUIBEiQ=";
+        message = "Source not found.";
+      };
+      license = pkgs.requireFile
+      {
+        name = "license";
+        sha256 = "07rwin14py6pl1brka7krz7k2g9x41h7ks7dmp1lxdassan86484";
+        message = "Source file not found.";
+      };
+      sifImageFile = pkgs.requireFile
+      {
+        name = "lumericalLicenseManager.sif";
+        sha256 = "i0HGLiRWoKuQYYx44GBkDBbyUvFLbfFShi/hx7KBSuU=";
+        message = "Source file not found.";
+      };
+    };
+  };
  vesta =
  {
    version = "3.90.5a";
@@ -134,4 +180,12 @@
      "intel.oneapi.lin.compilers-common,v=2025.1.1+10"
    ];
  };
+  rsshub =  pkgs.dockerTools.pullImage
+  {
+    imageName = "diygod/rsshub";
+    imageDigest = "sha256:1f9d97263033752bf5e20c66a75e134e6045b6d69ae843c1f6610add696f8c22";
+    hash = "sha256-zN47lhQc3EX28LmGF4N3rDUPqumwmhfGn1OpvBYd2Vw=";
+    finalImageName = "rsshub";
+    finalImageTag = "latest";
+  };
 }
--- a/modules/hardware/cpu.nix
+++ b/modules/hardware/cpu.nix
@@ -0,0 +1,29 @@
+inputs:
+{
+  options.nixos.hardware.cpu = let inherit (inputs.lib) mkOption types; in mkOption
+  {
+    type = types.enum [ "intel" "amd" ];
+    default = let inherit (inputs.config.nixos.system.nixpkgs) march; in
+      if march == null then null
+      else if inputs.lib.hasPrefix "znver" march then "amd"
+      else if (inputs.lib.hasSuffix "lake" march)
+        || (builtins.elem march [ "sandybridge" "silvermont" "haswell" "broadwell" ])
+        then "intel"
+      else null;
+  };
+  config = let inherit (inputs.config.nixos.hardware) cpu; in inputs.lib.mkIf (cpu != null) (inputs.lib.mkMerge
+  [
+    (inputs.lib.mkIf (cpu == "intel")
+    {
+      hardware.cpu.intel.updateMicrocode = true;
+      boot.initrd.availableKernelModules =
+        [ "intel_cstate" "aesni_intel" "intel_cstate" "intel_uncore" "intel_uncore_frequency" "intel_powerclamp" ];
+    })
+    (inputs.lib.mkIf (cpu == "amd")
+    {
+      hardware.cpu.amd = { updateMicrocode = true; ryzen-smu.enable = true; };
+      environment.systemPackages = with inputs.pkgs; [ zenmonitor ];
+      programs.ryzen-monitor-ng.enable = true;
+    })
+  ]);
+}
--- a/modules/hardware/cpus.nix
+++ b/modules/hardware/cpus.nix
@@ -1,26 +0,0 @@
-inputs:
-{
-  options.nixos.hardware.cpus = let inherit (inputs.lib) mkOption types; in mkOption
-    { type = types.listOf (types.enum [ "intel" "amd" ]); default = []; };
-  config = let inherit (inputs.config.nixos.hardware) cpus; in inputs.lib.mkIf (cpus != [])
-  {
-    hardware.cpu = builtins.listToAttrs
-      (builtins.map (name: { inherit name; value = { updateMicrocode = true; }; }) cpus);
-    boot =
-    {
-      initrd.availableKernelModules =
-        let modules =
-        {
-          intel =
-          [
-            "intel_cstate" "aesni_intel" "intel_cstate" "intel_uncore" "intel_uncore_frequency" "intel_powerclamp"
-          ];
-          amd = [];
-        };
-        in builtins.concatLists (builtins.map (cpu: modules.${cpu}) cpus);
-    };
-    environment.systemPackages =
-      let packages = with inputs.pkgs; { intel = []; amd = [ zenmonitor ]; };
-      in builtins.concatLists (builtins.map (cpu: packages.${cpu}) cpus);
-  };
-}
--- a/modules/model.nix
+++ b/modules/model.nix
@@ -3,7 +3,7 @@ inputs:
  options.nixos.model = let inherit (inputs.lib) mkOption types; in
  {
    hostname = mkOption { type = types.nonEmptyStr; };
-    type = mkOption { type = types.enum [ "vps" "desktop" "server" ]; default = "vps"; };
+    type = mkOption { type = types.enum [ "minimal" "desktop" "server" ]; default = "minimal"; };
    private = mkOption { type = types.bool; default = false; };
    cluster = mkOption
    {
--- a/modules/packages/android-studio.nix
+++ b/modules/packages/android-studio.nix
@@ -1,12 +0,0 @@
-inputs:
-{
-  options.nixos.packages.android-studio = let inherit (inputs.lib) mkOption types; in mkOption
-  {
-    type = types.nullOr (types.submodule {});
-    default = null;
-  };
-  config = let inherit (inputs.config.nixos.packages) android-studio; in inputs.lib.mkIf (android-studio != null)
-  {
-    nixos.packages.packages._packages = with inputs.pkgs; [ androidStudioPackages.stable.full ];
-  };
-}
--- a/modules/packages/chromium.nix
+++ b/modules/packages/chromium.nix
@@ -3,7 +3,7 @@ inputs:
  options.nixos.packages.chromium = let inherit (inputs.lib) mkOption types; in mkOption
  {
    type = types.nullOr (types.submodule {});
-    default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
+    default = if inputs.config.nixos.model.type == "desktop" then {} else null;
  };
  config = let inherit (inputs.config.nixos.packages) chromium; in inputs.lib.mkIf (chromium != null)
  {
--- a/modules/packages/desktop.nix
+++ b/modules/packages/desktop.nix
@@ -3,7 +3,7 @@ inputs:
  options.nixos.packages.desktop = let inherit (inputs.lib) mkOption types; in mkOption
  {
    type = types.nullOr (types.submodule {});
-    default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
+    default = if inputs.config.nixos.model.type == "desktop" then {} else null;
  };
  config = let inherit (inputs.config.nixos.packages) desktop; in inputs.lib.mkIf (desktop != null)
  {
@@ -30,7 +30,7 @@ inputs:
          obs-studio (inkscape-with-extensions.override { inkscapeExtensions = null; }) kdePackages.kcolorchooser
          kdePackages.kdenlive
          # development
-          adb-sync scrcpy dbeaver-bin aircrack-ng fprettify
+          adb-sync scrcpy dbeaver-bin aircrack-ng fprettify waveterm
          # password and key management
          yubikey-manager yubikey-manager-qt yubikey-personalization yubikey-personalization-gui bitwarden hashcat
          kdePackages.kleopatra
@@ -49,15 +49,14 @@ inputs:
          # browser
          google-chrome tor-browser
          # office
-          crow-translate zotero pandoc texliveFull poppler_utils pdftk pdfchain
-          ydict pspp libreoffice-qt6-fresh ocrmypdf typst
+          crow-translate zotero pandoc texliveFull poppler_utils pdftk pdfchain activitywatch
+          ydict pspp libreoffice-qt6-fresh ocrmypdf typst kdePackages.kruler
          # required by ltex-plus.vscode-ltex-plus
          ltex-ls ltex-ls-plus
          # matplot++ needs old gnuplot
          inputs.pkgs.pkgs-2311.gnuplot
          # math, physics and chemistry
-          octaveFull ovito localPackages.vesta localPackages.v-sim mpi geogebra6 localPackages.ufo
-          inputs.pkgs.pkgs-2311.hdfview qalculate-qt
+          octaveFull mpi geogebra6 qalculate-qt
          # virtualization
          bottles wineWowPackages.stagingFull
          # media
@@ -67,14 +66,14 @@ inputs:
        ];
        _pythonPackages = [(pythonPackages: with pythonPackages;
        [
-          phonopy scipy scikit-learn jupyterlab autograd inputs.pkgs.localPackages.phono3py numpy 
+          scipy scikit-learn jupyterlab autograd numpy 
        ])];
      };
      user.sharedModules =
      [{
        config.programs =
        {
-          plasma =
+          plasma = inputs.lib.mkIf (inputs.config.nixos.system.gui.implementation == "kde")
          {
            enable = true;
            configFile =
@@ -86,9 +85,15 @@ inputs:
                  inherit (inputs.topInputs) nixos-wallpaper;
                  isPicture = f: builtins.elem (inputs.lib.last (inputs.lib.splitString "." f))
                    [ "png" "jpg" "jpeg" "webp" ];
+                  listDirRecursive =
+                    let listDir = dir:
+                      if dir.value == "directory" then builtins.concatLists
+                        (builtins.map (f: listDir f) (inputs.localLib.attrsToList (builtins.readDir dir.name)))
+                      else [ dir ];
+                    in dir: listDir { name = dir; value = "directory"; };
                in builtins.concatStringsSep "," (builtins.map (f: "${nixos-wallpaper}/${f.name}")
                  (builtins.filter (f: (isPicture f.name) && (f.value == "regular"))
-                    (inputs.localLib.attrsToList (builtins.readDir nixos-wallpaper))));
+                    (listDirRecursive nixos-wallpaper)));
            };
            powerdevil =
              let config =
@@ -114,8 +119,9 @@ inputs:
      adb.enable = true;
      wireshark = { enable = true; package = inputs.pkgs.wireshark; };
      yubikey-touch-detector.enable = true;
-      kdeconnect.enable = true;
-      kde-pim = { enable = true; kmail = true; };
+      kdeconnect.enable = inputs.lib.mkIf (inputs.config.nixos.system.gui.implementation == "kde") true;
+      kde-pim = inputs.lib.mkIf (inputs.config.nixos.system.gui.implementation == "kde")
+        { enable = true; kmail = true; };
    };
    services.pcscd.enable = true;
  };
--- a/modules/packages/firefox.nix
+++ b/modules/packages/firefox.nix
@@ -3,7 +3,7 @@ inputs:
  options.nixos.packages.firefox = let inherit (inputs.lib) mkOption types; in mkOption
  {
    type = types.nullOr (types.submodule {});
-    default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
+    default = if inputs.config.nixos.model.type == "desktop" then {} else null;
  };
  config = let inherit (inputs.config.nixos.packages) firefox; in inputs.lib.mkIf (firefox != null)
  {
@@ -24,7 +24,11 @@ inputs:
          {
            enable = true;
            nativeMessagingHosts = with inputs.pkgs;
-              [ kdePackages.plasma-browser-integration uget-integrator ];
+            (
+              [ uget-integrator ]
+              ++ (inputs.lib.optionals (inputs.config.nixos.system.gui.implementation == "kde")
+                [ kdePackages.plasma-browser-integration ])
+            );
            # TODO: use fixed-version of plugins
            policies.DefaultDownloadDirectory = "\${home}/Downloads";
            profiles.default =
@@ -33,8 +37,9 @@ inputs:
              [
                tampermonkey bitwarden cookies-txt dualsub firefox-color i-dont-care-about-cookies
                metamask pakkujs rsshub-radar rsspreview tabliss tree-style-tab ublock-origin
-                wappalyzer grammarly plasma-integration zotero-connector smartproxy kiss-translator
-              ];
+                wappalyzer grammarly zotero-connector smartproxy kiss-translator
+              ] ++ (inputs.lib.optionals (inputs.config.nixos.system.gui.implementation == "kde")
+                [ plasma-integration ]);
              search = { default = "google"; force = true; };
              userChrome = builtins.readFile "${inputs.topInputs.lepton}/userChrome.css";
              userContent = builtins.readFile "${inputs.topInputs.lepton}/userContent.css";
--- a/modules/packages/lammps.nix
+++ b/modules/packages/lammps.nix
@@ -1,22 +1,23 @@
 inputs:
 {
  options.nixos.packages.lammps = let inherit (inputs.lib) mkOption types; in mkOption
-  {
-    type = types.nullOr (types.submodule {});
-    default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
-  };
+    { type = types.nullOr (types.submodule {}); default = null; };
  config = let inherit (inputs.config.nixos.packages) lammps; in inputs.lib.mkIf (lammps != null)
  {
-    nixos.packages.packages._packages =
-      let cuda = let inherit (inputs.config.nixos.system.nixpkgs) cuda; in cuda.capabilities or null != null;
-      in
-        if cuda then [((inputs.pkgs.lammps.override { stdenv = inputs.pkgs.cudaPackages.backendStdenv; })
-          .overrideAttrs (prev:
-          {
-            cmakeFlags = prev.cmakeFlags ++ [ "-DPKG_GPU=on" "-DGPU_API=cuda" "-DCMAKE_POLICY_DEFAULT_CMP0146=OLD" ];
-            nativeBuildInputs = prev.nativeBuildInputs ++ [ inputs.pkgs.cudaPackages.cudatoolkit ];
-            buildInputs = prev.buildInputs ++ [ inputs.pkgs.mpi ];
-          }))]
-        else [ inputs.pkgs.lammps-mpi ];
+    nixos.packages =
+    {
+      molecule = {};
+      packages._packages =
+        let cuda = let inherit (inputs.config.nixos.system.nixpkgs) cuda; in cuda.capabilities or null != null;
+        in
+          if cuda then [((inputs.pkgs.lammps.override { stdenv = inputs.pkgs.cudaPackages.backendStdenv; })
+            .overrideAttrs (prev:
+            {
+              cmakeFlags = prev.cmakeFlags ++ [ "-DPKG_GPU=on" "-DGPU_API=cuda" "-DCMAKE_POLICY_DEFAULT_CMP0146=OLD" ];
+              nativeBuildInputs = prev.nativeBuildInputs ++ [ inputs.pkgs.cudaPackages.cudatoolkit ];
+              buildInputs = prev.buildInputs ++ [ inputs.pkgs.mpi ];
+            }))]
+          else [ inputs.pkgs.lammps-mpi ];
+    };
  };
 }
--- a/modules/packages/mathematica.nix
+++ b/modules/packages/mathematica.nix
@@ -1,10 +1,7 @@
 inputs:
 {
  options.nixos.packages.mathematica = let inherit (inputs.lib) mkOption types; in mkOption
-  {
-    type = types.nullOr (types.submodule {});
-    default = null;
-  };
+    { type = types.nullOr (types.submodule {}); default = null; };
  config = let inherit (inputs.config.nixos.packages) mathematica; in inputs.lib.mkIf (mathematica != null)
    { nixos.packages.packages._packages = [ inputs.pkgs.mathematica ]; };
 }
--- a/modules/packages/minimal.nix
+++ b/modules/packages/minimal.nix
@@ -1,8 +1,8 @@
 inputs:
 {
-  options.nixos.packages.server = let inherit (inputs.lib) mkOption types; in mkOption
+  options.nixos.packages.minimal = let inherit (inputs.lib) mkOption types; in mkOption
    { type = types.nullOr (types.submodule {}); default = {}; };
-  config = let inherit (inputs.config.nixos.packages) server; in inputs.lib.mkIf (server != null)
+  config = let inherit (inputs.config.nixos.packages) minimal; in inputs.lib.mkIf (minimal != null)
  {
    nixos.packages.packages =
    {
@@ -34,21 +34,16 @@ inputs:
        # nix tools
        nix-output-monitor nix-tree ssh-to-age nix-inspect
        # development
-        gdb try inputs.topInputs.plasma-manager.packages.${inputs.pkgs.system}.rc2nix rr hexo-cli gh nix-init hugo
+        gdb try rr hexo-cli gh nix-init hugo
        (octodns.withProviders (_: with octodns-providers; [ cloudflare ]))
        # stupid things
        toilet lolcat localPackages.stickerpicker graph-easy
        # office
        pdfgrep ffmpeg-full hdf5
      ]
-        ++ (with inputs.config.boot.kernelPackages; [ cpupower usbip ]);
-      _pythonPackages = [(pythonPackages: with pythonPackages;
-      [
-        openai python-telegram-bot fastapi-cli pypdf2 pandas matplotlib plotly gunicorn redis jinja2
-        certifi charset-normalizer idna orjson psycopg2 inquirerpy requests tqdm pydbus odfpy
-        # for vasp plot-workfunc.py
-        ase
-      ])];
+        ++ (with inputs.config.boot.kernelPackages; [ cpupower usbip ])
+        ++ (inputs.lib.optionals (inputs.config.nixos.system.gui.implementation == "kde")
+          [ inputs.topInputs.plasma-manager.packages.${inputs.pkgs.system}.rc2nix ]);
    };
    programs =
    {
--- a/modules/packages/molecule.nix
+++ b/modules/packages/molecule.nix
@@ -0,0 +1,20 @@
+inputs:
+{
+  options.nixos.packages.molecule = let inherit (inputs.lib) mkOption types; in mkOption
+  {
+    type = types.nullOr (types.submodule {});
+    default = if inputs.config.nixos.model.type == "desktop" then {} else null;
+  };
+  config = let inherit (inputs.config.nixos.packages) molecule; in inputs.lib.mkIf (molecule != null)
+  {
+    nixos.packages.packages =
+    {
+      _packages = with inputs.pkgs;
+        [ ovito localPackages.vesta localPackages.v-sim localPackages.ufo inputs.pkgs.pkgs-2311.hdfview ];
+      _pythonPackages = [(pythonPackages: with pythonPackages;
+      [
+        phonopy inputs.pkgs.localPackages.phono3py
+      ])];
+    };
+  };
+}
--- a/modules/packages/mumax.nix
+++ b/modules/packages/mumax.nix
@@ -1,14 +1,7 @@
 inputs:
 {
  options.nixos.packages.mumax = let inherit (inputs.lib) mkOption types; in mkOption
-  {
-    type = types.nullOr (types.submodule {});
-    default =
-      if (builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ])
-        && (let inherit (inputs.config.nixos.system.nixpkgs) cuda; in cuda.capabilities or null != null)
-      then {}
-      else null;
-  };
+    { type = types.nullOr (types.submodule {}); default = null; };
  config = let inherit (inputs.config.nixos.packages) mumax; in inputs.lib.mkIf (mumax != null)
  {
    nixos.packages.packages._packages = [ inputs.pkgs.localPackages.mumax ];
--- a/modules/packages/nushell.nix
+++ b/modules/packages/nushell.nix
@@ -1,10 +1,7 @@
 inputs:
 {
  options.nixos.packages.nushell = let inherit (inputs.lib) mkOption types; in mkOption
-  {
-    type = types.nullOr (types.submodule {});
-    default = {};
-  };
+    { type = types.nullOr (types.submodule {}); default = {}; };
  config = let inherit (inputs.config.nixos.packages) nushell; in inputs.lib.mkIf (nushell != null)
  {
    nixos =
--- a/modules/packages/steam.nix
+++ b/modules/packages/steam.nix
@@ -3,7 +3,7 @@ inputs:
  options.nixos.packages.steam = let inherit (inputs.lib) mkOption types; in mkOption
  {
    type = types.nullOr (types.submodule {});
-    default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
+    default = if inputs.config.nixos.model.type == "desktop" then {} else null;
  };
  config = let inherit (inputs.config.nixos.packages) steam; in inputs.lib.mkIf (steam != null)
  {
--- a/modules/packages/vasp.nix
+++ b/modules/packages/vasp.nix
@@ -4,16 +4,20 @@ inputs:
    { type = types.nullOr (types.submodule {}); default = null; };
  config = let inherit (inputs.config.nixos.packages) vasp; in inputs.lib.mkIf (vasp != null)
  {
-    nixos.packages.packages = with inputs.pkgs;
+    nixos.packages =
    {
-      _packages =
-      (
-        [ localPackages.vasp.intel localPackages.vasp.vtst localPackages.vaspkit wannier90 ]
-          ++ (inputs.lib.optional
-            (let inherit (inputs.config.nixos.system.nixpkgs) cuda; in cuda.capabilities or null != null)
-            localPackages.vasp.nvidia)
-      );
-      _pythonPackages = [(_: [ localPackages.py4vasp ])];
+      molecule = {};
+      packages = with inputs.pkgs;
+      {
+        _packages =
+        (
+          [ localPackages.vasp.intel localPackages.vasp.vtst localPackages.vaspkit wannier90 ]
+            ++ (inputs.lib.optional
+              (let inherit (inputs.config.nixos.system.nixpkgs) cuda; in cuda.capabilities or null != null)
+              localPackages.vasp.nvidia)
+        );
+        _pythonPackages = [(_: [ localPackages.py4vasp ])];
+      };
    };
  };
 }
--- a/modules/packages/vscode.nix
+++ b/modules/packages/vscode.nix
@@ -3,7 +3,7 @@ inputs:
  options.nixos.packages.vscode = let inherit (inputs.lib) mkOption types; in mkOption
  {
    type = types.nullOr (types.submodule {});
-    default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
+    default = if inputs.config.nixos.model.type == "desktop" then {} else null;
  };
  config = let inherit (inputs.config.nixos.packages) vscode; in inputs.lib.mkIf (vscode != null)
  {
@@ -72,9 +72,12 @@ inputs:
                ltex-plus.vscode-ltex-plus
              ]
              # jupyter
-              # TODO: use last release
+              # TODO: pick all extensions from nixpkgs or nix-vscode-extensions, explicitly
              ++ (with vscode-extensions.ms-toolsai;
-                [ jupyter jupyter-keymap jupyter-renderers vscode-jupyter-cell-tags vscode-jupyter-slideshow ]);
+              [
+                jupyter jupyter-keymap jupyter-renderers vscode-jupyter-cell-tags vscode-jupyter-slideshow
+                datawrangler
+              ]);
          extraFlags = builtins.concatStringsSep " " inputs.config.nixos.packages.packages._vscodeEnvFlags;
        }
      )];
--- a/modules/services/acme.nix
+++ b/modules/services/acme.nix
@@ -48,7 +48,7 @@ inputs:
        CLOUDFLARE_DNS_API_TOKEN=${inputs.config.sops.placeholder."acme/token"}
        CLOUDFLARE_PROPAGATION_TIMEOUT=300
      '';
-      secrets."acme/token".sopsFile = "${inputs.config.nixos.system.sops.crossSopsDir}/default.yaml";
+      secrets."acme/token".sopsFile = "${inputs.config.nixos.system.sops.crossSopsDir}/acme.yaml";
    };
  };
 }
--- a/modules/services/docker.nix
+++ b/modules/services/docker.nix
@@ -1,31 +0,0 @@
-inputs:
-{
-  options.nixos.services.docker = let inherit (inputs.lib) mkOption types; in mkOption
-    { type = types.nullOr (types.submodule {}); default = null; };
-  config = let inherit (inputs.config.nixos.services) docker; in inputs.lib.mkIf (docker != null)
-  {
-    virtualisation.docker =
-    {
-      enable = true;
-      # prevent create btrfs subvol
-      storageDriver = "overlay2";
-      daemon.settings.dns = [ "1.1.1.1" ];
-      rootless =
-      {
-        enable = true;
-        setSocketVariable = true;
-        daemon.settings =
-        {
-          features.buildkit = true;
-          # dns 127.0.0.1 make docker not work
-          dns = [ "1.1.1.1" ];
-          # prevent create btrfs subvol
-          storage-driver = "overlay2";
-          live-restore = true;
-        };
-      };
-    };
-    hardware.nvidia-container-toolkit.enable = inputs.lib.mkIf (inputs.config.nixos.system.nixpkgs.cuda != null) true;
-    networking.firewall.trustedInterfaces = [ "docker0" ];
-  };
-}
--- a/modules/services/freshrss.nix
+++ b/modules/services/freshrss.nix
@@ -1,52 +1,33 @@
 inputs:
 {
-  options.nixos.services.freshrss = let inherit (inputs.lib) mkOption types; in
+  options.nixos.services.freshrss = let inherit (inputs.lib) mkOption types; in mkOption
  {
-    enable = mkOption { type = types.bool; default = false; };
-    hostname = mkOption { type = types.str; default = "freshrss.chn.moe"; };
-  };
-  config =
-    let
-      inherit (inputs.config.nixos.services) freshrss;
-      inherit (inputs.lib) mkIf;
-    in mkIf freshrss.enable
+    type = types.nullOr (types.submodule { options =
    {
-      services.freshrss =
-      {
-        enable = true;
-        baseUrl = "https://${freshrss.hostname}";
-        defaultUser = "chn";
-        passwordFile = inputs.config.sops.secrets."freshrss/chn".path;
-        database = { type = "mysql"; passFile = inputs.config.sops.secrets."freshrss/db".path; };
-        virtualHost = null;
-      };
-      sops.secrets =
-      {
-        "freshrss/chn".owner = inputs.config.users.users.freshrss.name;
-        "freshrss/db" = { owner = inputs.config.users.users.freshrss.name; key = "mariadb/freshrss"; };
-      };
-      systemd.services.freshrss-config.after = [ "mysql.service" ];
-      nixos.services =
-      {
-        mariadb = { enable = true; instances.freshrss = {}; };
-        nginx.https.${freshrss.hostname} =
-        {
-          location =
-          {
-            "/".static =
-            {
-              root = "${inputs.pkgs.freshrss}/p";
-              index = [ "index.php" ];
-              tryFiles = [ "$uri" "$uri/" "$uri/index.php" ];
-            };
-            "~ ^.+?\.php(/.*)?$".php =
-            {
-              root = "${inputs.pkgs.freshrss}/p";
-              fastcgiPass =
-                "unix:${inputs.config.services.phpfpm.pools.${inputs.config.services.freshrss.pool}.socket}";
-            };
-          };
-        };
-      };
+      hostname = mkOption { type = types.str; default = "freshrss.chn.moe"; };
+    };});
+    default = null;
+  };
+  config = let inherit (inputs.config.nixos.services) freshrss; in inputs.lib.mkIf (freshrss != null)
+  {
+    services.freshrss =
+    {
+      enable = true;
+      baseUrl = "https://${freshrss.hostname}";
+      defaultUser = "chn";
+      passwordFile = inputs.config.sops.secrets."freshrss/chn".path;
+      database = { type = "mysql"; passFile = inputs.config.sops.secrets."freshrss/db".path; };
    };
+    sops.secrets =
+    {
+      "freshrss/chn".owner = inputs.config.users.users.freshrss.name;
+      "freshrss/db" = { owner = inputs.config.users.users.freshrss.name; key = "mariadb/freshrss"; };
+    };
+    systemd.services.freshrss-config.after = [ "mysql.service" ];
+    nixos.services =
+    {
+      mariadb = { enable = true; instances.freshrss = {}; };
+      nginx.https.${freshrss.hostname}.global.configName = "freshrss";
+    };
+  };
 }
--- a/modules/services/frp.nix
+++ b/modules/services/frp.nix
@@ -1,203 +0,0 @@
-inputs:
-{
-  options.nixos.services = let inherit (inputs.lib) mkOption types; in
-  {
-    frpClient =
-    {
-      enable = mkOption { type = types.bool; default = false; };
-      serverName = mkOption { type = types.nonEmptyStr; };
-      user = mkOption { type = types.nonEmptyStr; };
-      tcp = mkOption
-      {
-        type = types.attrsOf (types.submodule (inputs:
-        {
-          options =
-          {
-            localIp = mkOption { type = types.nonEmptyStr; default = "127.0.0.1"; };
-            localPort = mkOption { type = types.ints.unsigned; };
-            remoteIp = mkOption { type = types.nonEmptyStr; default = "127.0.0.1"; };
-            remotePort = mkOption { type = types.ints.unsigned; default = inputs.config.localPort; };
-          };
-        }));
-        default = {};
-      };
-      stcp = mkOption
-      {
-        type = types.attrsOf (types.submodule (inputs:
-        {
-          options =
-          {
-            localIp = mkOption { type = types.nonEmptyStr; default = "127.0.0.1"; };
-            localPort = mkOption { type = types.ints.unsigned; };
-          };
-        }));
-        default = {};
-      };
-      stcpVisitor = mkOption
-      {
-        type = types.attrsOf (types.submodule (inputs:
-        {
-          options =
-          {
-            localIp = mkOption { type = types.nonEmptyStr; default = "127.0.0.1"; };
-            localPort = mkOption { type = types.ints.unsigned; };
-          };
-        }));
-        default = {};
-      };
-    };
-    frpServer =
-    {
-      enable = mkOption { type = types.bool; default = false; };
-      serverName = mkOption { type = types.nonEmptyStr; };
-    };
-  };
-  config =
-    let
-      inherit (inputs.lib) mkMerge mkIf;
-      inherit (inputs.lib.strings) splitString;
-      inherit (inputs.localLib) attrsToList;
-      inherit (inputs.config.nixos.services) frpClient frpServer;
-      inherit (builtins) map listToAttrs;
-    in mkMerge
-    [
-      (
-        mkIf frpClient.enable
-        {
-          systemd.services.frpc =
-            let
-              frpc = "${inputs.pkgs.frp}/bin/frpc";
-              config = inputs.config.sops.templates."frpc.json";
-            in
-            {
-              description = "Frp Client Service";
-              after = [ "network.target" ];
-              serviceConfig =
-              {
-                Type = "simple";
-                User = "frp";
-                Restart = "always";
-                RestartSec = "5s";
-                ExecStart = "${frpc} -c ${config.path}";
-                LimitNOFILE = 1048576;
-              };
-              wantedBy= [ "multi-user.target" ];
-              restartTriggers = [ config.file ];
-            };
-          sops =
-          {
-            templates."frpc.json" =
-            {
-              owner = inputs.config.users.users.frp.name;
-              group = inputs.config.users.users.frp.group;
-              content = builtins.toJSON
-              {
-                auth.token = inputs.config.sops.placeholder."frp/token";
-                user = frpClient.user;
-                serverAddr = frpClient.serverName;
-                serverPort = 7000;
-                proxies =
-                (map
-                  (tcp:
-                  {
-                    name = tcp.name;
-                    type = "tcp";
-                    transport.useCompression = true;
-                    inherit (tcp.value) localIp localPort remotePort;
-                  })
-                  (attrsToList frpClient.tcp))
-                ++ (map
-                  (stcp:
-                  {
-                    name = stcp.name;
-                    type = "stcp";
-                    transport.useCompression = true;
-                    secretKey = inputs.config.sops.placeholder."frp/stcp/${stcp.name}";
-                    allowUsers = [ "*" ];
-                    inherit (stcp.value) localIp localPort;
-                  })
-                  (attrsToList frpClient.stcp));
-                visitors = map
-                  (stcp:
-                  {
-                    name = stcp.name;
-                    type = "stcp";
-                    transport.useCompression = true;
-                    secretKey = inputs.config.sops.placeholder."frp/stcp/${stcp.name}";
-                    serverUser = builtins.elemAt (splitString "." stcp.name) 0;
-                    serverName = builtins.elemAt (splitString "." stcp.name) 1;
-                    bindAddr = stcp.value.localIp;
-                    bindPort = stcp.value.localPort;
-                  })
-                  (attrsToList frpClient.stcpVisitor);
-              };
-            };
-            secrets = listToAttrs
-            (
-              [{ name = "frp/token"; value = {}; }]
-              ++ (map
-                (stcp: { name = "frp/stcp/${stcp.name}"; value = {}; })
-                (attrsToList (with frpClient; stcp // stcpVisitor)))
-            );
-          };
-          users =
-          {
-            users.frp = { uid = inputs.config.nixos.user.uid.frp; group = "frp"; isSystemUser = true; };
-            groups.frp.gid = inputs.config.nixos.user.gid.frp;
-          };
-        }
-      )
-      (
-        mkIf frpServer.enable
-        {
-          systemd.services.frps =
-            let
-              frps = "${inputs.pkgs.frp}/bin/frps";
-              config = inputs.config.sops.templates."frps.json";
-            in
-            {
-              description = "Frp Server Service";
-              after = [ "network.target" ];
-              serviceConfig =
-              {
-                Type = "simple";
-                User = "frp";
-                Restart = "on-failure";
-                RestartSec = "5s";
-                ExecStart = "${frps} -c ${config.path}";
-                LimitNOFILE = 1048576;
-              };
-              wantedBy= [ "multi-user.target" ];
-              restartTriggers = [ config.file ];
-            };
-          sops =
-          {
-            templates."frps.json" =
-            {
-              owner = inputs.config.users.users.frp.name;
-              group = inputs.config.users.users.frp.group;
-              content = builtins.toJSON
-              {
-                auth.token = inputs.config.sops.placeholder."frp/token";
-                transport.tls = let cert = inputs.config.security.acme.certs.${frpServer.serverName}.directory; in
-                {
-                  force = true;
-                  certFile = "${cert}/full.pem";
-                  keyFile = "${cert}/key.pem";
-                  serverName = frpServer.serverName;
-                };
-              };
-            };
-            secrets."frp/token" = {};
-          };
-          nixos.services.acme.cert.${frpServer.serverName}.group = "frp";
-          users =
-          {
-            users.frp = { uid = inputs.config.nixos.user.uid.frp; group = "frp"; isSystemUser = true; };
-            groups.frp.gid = inputs.config.nixos.user.gid.frp;
-          };
-          networking.firewall.allowedTCPPorts = [ 7000 ];
-        }
-      )
-    ];
-}
--- a/modules/services/gitea.nix
+++ b/modules/services/gitea.nix
@@ -1,20 +1,19 @@
 inputs:
 {
-  options.nixos.services.gitea = let inherit (inputs.lib) mkOption types; in
+  options.nixos.services.gitea = let inherit (inputs.lib) mkOption types; in mkOption
  {
-    enable = mkOption { type = types.bool; default = false; };
-    hostname = mkOption { type = types.str; default = "git.chn.moe"; };
-    ssh = mkOption
+    type = types.nullOr (types.submodule { options =
    {
-      type = types.nullOr (types.submodule { options =
+      hostname = mkOption { type = types.str; default = "git.chn.moe"; };
+      ssh =
      {
        hostname = mkOption { type = types.str; default = "ssh.${inputs.config.nixos.services.gitea.hostname}"; };
        port = mkOption { type = types.nullOr types.ints.unsigned; default = null; };
-      };});
-      default = null;
-    };
+      };
+    };});
+    default = null;
  };
-  config = let inherit (inputs.config.nixos.services) gitea; in inputs.lib.mkIf gitea.enable
+  config = let inherit (inputs.config.nixos.services) gitea; in inputs.lib.mkIf (gitea != null)
  {
    services.gitea =
    {
@@ -31,8 +30,8 @@ inputs:
          ROOT_URL = "https://${gitea.hostname}";
          DOMAIN = gitea.hostname;
          HTTP_PORT = 3002;
-          SSH_DOMAIN = inputs.lib.mkIf (gitea.ssh != null) gitea.ssh.hostname;
-          SSH_PORT = inputs.lib.mkIf ((gitea.ssh.port or null) != null) gitea.ssh.port;
+          SSH_DOMAIN = gitea.ssh.hostname;
+          SSH_PORT = inputs.lib.mkIf (gitea.ssh.port != null) gitea.ssh.port;
        };
        mailer =
        {
@@ -45,6 +44,8 @@ inputs:
        };
        service.DISABLE_REGISTRATION = true;
        security.LOGIN_REMEMBER_DAYS = 365;
+        "git.timeout" = builtins.listToAttrs (builtins.map (n: { name = n; value = 1800; })
+          [ "DEFAULT" "MIGRATE" "MIRROR" "CLONE" "PULL" "GC" ]);
      };
    };
    nixos.services =
--- a/modules/services/httpapi.nix
+++ b/modules/services/httpapi.nix
@@ -1,47 +1,45 @@
 inputs:
 {
-  options.nixos.services.httpapi = let inherit (inputs.lib) mkOption types; in
+  options.nixos.services.httpapi = let inherit (inputs.lib) mkOption types; in mkOption
  {
-    enable = mkOption { type = types.bool; default = false; };
-    hostname = mkOption { type = types.nonEmptyStr; default = "api.chn.moe"; };
-  };
-  config =
-    let
-      inherit (inputs.config.nixos.services) httpapi;
-      inherit (inputs.lib) mkIf;
-      inherit (builtins) toString map;
-    in mkIf httpapi.enable
+    type = types.nullOr (types.submodule { options =
    {
-      nixos.services =
+      hostname = mkOption { type = types.nonEmptyStr; default = "api.chn.moe"; };
+    };});
+    default = null;
+  };
+  config = let inherit (inputs.config.nixos.services) httpapi; in inputs.lib.mkIf (httpapi != null)
+  {
+    nixos.services =
+    {
+      phpfpm.instances.httpapi = {};
+      nginx.https.${httpapi.hostname}.location =
      {
-        phpfpm.instances.httpapi = {};
-        nginx.https.${httpapi.hostname}.location =
+        "/files".static.root = "/srv/api";
+        "/led".static = { root = "/srv/api"; detectAuth.users = [ "led" ]; };
+        "/notify.php".php =
        {
-          "/files".static.root = "/srv/api";
-          "/led".static = { root = "/srv/api"; detectAuth.users = [ "led" ]; };
-          "/notify.php".php =
-          {
-            root = builtins.dirOf inputs.config.sops.templates."httpapi/notify.php".path;
-            fastcgiPass = inputs.config.nixos.services.phpfpm.instances.httpapi.fastcgi;
-          };
+          root = builtins.dirOf inputs.config.sops.templates."httpapi/notify.php".path;
+          fastcgiPass = inputs.config.nixos.services.phpfpm.instances.httpapi.fastcgi;
        };
      };
-      sops =
-      {
-        templates."httpapi/notify.php" =
-        {
-          owner = inputs.config.users.users.httpapi.name;
-          group = inputs.config.users.users.httpapi.group;
-          content =
-            let
-              placeholder = inputs.config.sops.placeholder;
-              request = "https://api.telegram.org/bot${placeholder."telegram/token"}"
-                + "/sendMessage?chat_id=${placeholder."telegram/user/chn"}&text=";
-            in ''<?php print file_get_contents("${request}".urlencode($_GET["message"])); ?>'';
-        };
-        secrets = let sopsFile = "${inputs.config.nixos.system.sops.crossSopsDir}/default.yaml"; in
-          { "telegram/token" = { inherit sopsFile; }; "telegram/user/chn" = { inherit sopsFile; }; };
-      };
-      systemd.tmpfiles.rules = [ "d /srv/api 0700 nginx nginx" "Z /srv/api - nginx nginx" ];
    };
+    sops =
+    {
+      templates."httpapi/notify.php" =
+      {
+        owner = inputs.config.users.users.httpapi.name;
+        group = inputs.config.users.users.httpapi.group;
+        content =
+          let
+            placeholder = inputs.config.sops.placeholder;
+            request = "https://api.telegram.org/bot${placeholder."telegram/token"}"
+              + "/sendMessage?chat_id=${placeholder."telegram/user/chn"}&text=";
+          in ''<?php print file_get_contents("${request}".urlencode($_GET["message"])); ?>'';
+      };
+      secrets = let sopsFile = "${inputs.config.nixos.system.sops.crossSopsDir}/default.yaml"; in
+        { "telegram/token" = { inherit sopsFile; }; "telegram/user/chn" = { inherit sopsFile; }; };
+    };
+    systemd.tmpfiles.rules = [ "d /srv/api 0700 nginx nginx" "Z /srv/api - nginx nginx" ];
+  };
 }
--- a/modules/services/huginn.nix
+++ b/modules/services/huginn.nix
@@ -15,14 +15,13 @@ inputs:
      image = "ghcr.io/huginn/huginn:latest";
      imageFile = inputs.topInputs.self.src.huginn;
      ports = [ "127.0.0.1:3000:3000/tcp" ];
-      extraOptions = [ "--add-host=host.docker.internal:host-gateway" ];
      environmentFiles = [ inputs.config.sops.templates."huginn/env".path ];
    };
    sops =
    {
      templates."huginn/env".content = let placeholder = inputs.config.sops.placeholder; in
      ''
-        MYSQL_PORT_3306_TCP_ADDR=host.docker.internal
+        MYSQL_PORT_3306_TCP_ADDR=host.containers.internal
        HUGINN_DATABASE_NAME=huginn
        HUGINN_DATABASE_USERNAME=huginn
        HUGINN_DATABASE_PASSWORD=${placeholder."mariadb/huginn"}
@@ -51,7 +50,7 @@ inputs:
          https.${huginn.hostname}.location."/".proxy = { upstream = "http://127.0.0.1:3000"; websocket = true; };
        };
        mariadb.instances.huginn = {};
-        docker = {};
+        podman = {};
      };
    };
  };
--- a/modules/services/kvm.nix
+++ b/modules/services/kvm.nix
@@ -5,21 +5,17 @@ inputs:
    type = types.nullOr (types.submodule { options =
    {
      nodatacow = mkOption { type = types.bool; default = false; };
-      autoSuspend = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
+      aarch64 = mkOption { type = types.bool; default = false; };
    };});
    default = null;
  };
  config = let inherit (inputs.config.nixos.services) kvm; in inputs.lib.mkIf (kvm != null)
  {
    nix.settings.system-features = [ "kvm" ];
-    boot =
+    boot = let inherit (inputs.config.nixos.hardware) cpu; in
    {
-      kernelModules = 
-        let modules = { intel = [ "kvm-intel" ]; amd = []; };
-        in builtins.concatLists (builtins.map (cpu: modules.${cpu}) inputs.config.nixos.hardware.cpus);
-      extraModprobeConfig =
-        let configs = { intel = "options kvm_intel nested=1"; amd = ""; };
-        in builtins.concatStringsSep "\n" (builtins.map (cpu: configs.${cpu}) inputs.config.nixos.hardware.cpus);
+      kernelModules = { intel = [ "kvm-intel" ]; amd = []; }.${cpu};
+      extraModprobeConfig = { intel = "options kvm_intel nested=1"; amd = ""; }.${cpu};
    };
    virtualisation =
    {
@@ -33,7 +29,8 @@ inputs:
        parallelShutdown = 4;
        qemu =
        {
-          ovmf.packages = with inputs.pkgs; [ OVMF.fd pkgsCross.aarch64-multiplatform.OVMF.fd ];
+          ovmf.packages = with inputs.pkgs;
+            ([ OVMF.fd ] ++ inputs.lib.optionals kvm.aarch64 [ pkgsCross.aarch64-multiplatform.OVMF.fd ]);
          swtpm.enable = true;
        };
      };
@@ -43,82 +40,17 @@ inputs:
    {
      persistence."/nix/nodatacow".directories = inputs.lib.mkIf kvm.nodatacow
        [{ directory = "/var/lib/libvirt/images"; mode = "0711"; }];
-      systemPackages = with inputs.pkgs; [ qemu_full win-spice guestfs-tools virt-manager virt-viewer ];
+      systemPackages = with inputs.pkgs;
+        [ win-spice guestfs-tools virt-manager virt-viewer inputs.config.virtualisation.libvirtd.qemu.package ];
    };
-    systemd =
-    {
-      services =
-        let
-          virsh = "${inputs.pkgs.libvirt}/bin/virsh";
-          hibernate = inputs.pkgs.writeShellScript "libvirt-hibernate"
-          ''
-            if [ "$(LANG=C ${virsh} domstate $1)" = 'running' ]
-            then
-              if ${virsh} dompmsuspend "$1" disk
-              then
-                echo "Waiting for $1 to suspend"
-                while ! [ "$(LANG=C ${virsh} domstate $1)" = 'shut off' ]
-                do
-                  sleep 1
-                done
-                echo "$1 suspended"
-                touch "/tmp/libvirt.$1.suspended"
-              else
-                echo "Failed to suspend $1"
-              fi
-            fi
-          '';
-          resume = inputs.pkgs.writeShellScript "libvirt-resume"
-          ''
-            if [ "$(LANG=C ${virsh} domstate $1)" = 'shut off' ] && [ -f "/tmp/libvirt.$1.suspended" ]
-            then
-              if ${virsh} start "$1"
-              then
-                echo "Waiting for $1 to resume"
-                while ! [ "$(LANG=C ${virsh} domstate $1)" = 'running' ]
-                do
-                  sleep 1
-                done
-                echo "$1 resumed"
-                rm "/tmp/libvirt.$1.suspended"
-              else
-                echo "Failed to resume $1"
-              fi
-            fi
-          '';
-          makeHibernate = machine:
-          {
-            name = "libvirt-hibernate-${machine}";
-            value =
-            {
-              description = "libvirt hibernate ${machine}";
-              wantedBy = [ "systemd-hibernate.service" "systemd-suspend.service" ];
-              before = [ "systemd-hibernate.service" "systemd-suspend.service" ];
-              serviceConfig = { Type = "oneshot"; ExecStart = "${hibernate} ${machine}"; };
-            };
-          };
-          makeResume = machine:
-          {
-            name = "libvirt-resume-${machine}";
-            value =
-            {
-              description = "libvirt resume ${machine}";
-              wantedBy = [ "systemd-hibernate.service" "systemd-suspend.service" ];
-              after = [ "systemd-hibernate.service" "systemd-suspend.service" ];
-              serviceConfig = { Type = "oneshot"; ExecStart = "${resume} ${machine}"; };
-            };
-          };
-          makeServices = serviceFunction: builtins.map serviceFunction kvm.autoSuspend;
-        in builtins.listToAttrs (makeServices makeHibernate ++ makeServices makeResume);
-      mounts =
-      [{
-        what = "${inputs.topInputs.nixvirt.lib.guest-install.virtio-win.iso}";
-        where = "/var/lib/libvirt/images/virtio-win.iso";
-        options = "bind";
-        wantedBy = [ "local-fs.target" ];
-      }];
-    };
-    # workaround a libvirt bug
+    systemd.mounts =
+    [{
+      what = "${inputs.topInputs.nixvirt.lib.guest-install.virtio-win.iso}";
+      where = "/var/lib/libvirt/images/virtio-win.iso";
+      options = "bind";
+      wantedBy = [ "local-fs.target" ];
+    }];
+    # libvirt does not setup "allow udp {53, 67}" by default
    # https://github.com/NixOS/nixpkgs/issues/263359#issuecomment-1987267279
    networking.firewall.interfaces."virbr*".allowedUDPPorts = [ 53 67 ];
    hardware.ksm.enable = true;
--- a/modules/services/lumericalLicenseManager/Dockerfile
+++ b/modules/services/lumericalLicenseManager/Dockerfile
@@ -0,0 +1,26 @@
+# 大概这样做：
+# cp -r ~/repo/stuff/44/Lumerical_Suite_2023_R1_CentOS/{LicenseManager,Crack,License} .
+# podman build .
+# podman image save --format oci-archive 6803f9562b941c23db81a2eae5914561f96fa748536199a010fe6f24922b2878 -o image.tar
+# singularity build image.sif oci-archive://image.tar
+# nix store add-file ./image.tar --name lumericalLicenseManager.tar
+# nix hash file /nix/store/v626n153vdr8sib52623gx1ych8zfsa6-lumericalLicenseManager.tar
+# nix store add-file ./image.sif --name lumericalLicenseManager.sif
+# nix hash file /nix/store/wr4i09smarzwyn1g2jhxlpkxghcwa01l-lumericalLicenseManager.sif
+
+FROM centos:7
+
+USER root
+
+COPY ./LicenseManager /tmp/LicenseManager
+RUN chmod +x /tmp/LicenseManager/INSTALL && \
+  /tmp/LicenseManager/INSTALL -silent -install_dir /home/ansys_inc -lm && \
+  rm -rf /tmp/LicenseManager
+COPY ./Crack/ansys_inc/ /home/ansys_inc
+# RUN sed -i "s|127.0.0.1|0.0.0.0|g" /home/ansys_inc/shared_files/licensing/tools/tomcat/conf/server.xml
+RUN chmod -R 777 /home/ansys_inc
+RUN ln -s ld-linux-x86-64.so.2 /lib64/ld-lsb-x86-64.so.3
+COPY ./License/license.txt /home/ansys_inc/shared_files/licensing/license_files/ansyslmd.lic
+
+WORKDIR /home/ansys_inc/shared_files/licensing
+CMD ["/bin/sh", "-c", "(./start_ansysli &); (./start_lmcenter &); tail -f /dev/null"]
--- a/modules/services/lumericalLicenseManager/default.nix
+++ b/modules/services/lumericalLicenseManager/default.nix
@@ -0,0 +1,25 @@
+inputs:
+{
+  options.nixos.services.lumericalLicenseManager = let inherit (inputs.lib) mkOption types; in mkOption
+  {
+    type = types.nullOr (types.submodule { options =
+    {
+      macAddress = mkOption { type = types.str; };
+    };});
+    default = null;
+  };
+  config = let inherit (inputs.config.nixos.services) lumericalLicenseManager;
+    in inputs.lib.mkIf (lumericalLicenseManager != null)
+  {
+    virtualisation.oci-containers.containers.lumericalLicenseManager =
+    {
+      inherit (inputs.topInputs.self.src.lumerical.licenseManager) image imageFile;
+      extraOptions = [ "--network=host" ];
+      volumes =
+        let license = inputs.pkgs.localPackages.lumerical.license.override
+          { inherit (lumericalLicenseManager) macAddress; };
+        in [ "${license}:/home/ansys_inc/shared_files/licensing/license_files/ansyslmd.lic" ];
+    };
+    nixos.services.podman = {};
+  };
+}
--- a/modules/services/nextcloud.nix
+++ b/modules/services/nextcloud.nix
@@ -57,7 +57,7 @@ inputs:
          };
        in builtins.listToAttrs (builtins.map
          (package: { name = package; value = inputs.pkgs.fetchNextcloudApp (getInfo package); })
-          [ "maps" "phonetrack" "twofactor_webauthn" "calendar" ]);
+          [ "phonetrack" "twofactor_webauthn" "calendar" ]);
    };
    nixos.services =
    {
--- a/modules/services/nfs.nix
+++ b/modules/services/nfs.nix
@@ -1,20 +1,16 @@
 inputs:
 {
  options.nixos.services.nfs = let inherit (inputs.lib) mkOption types; in mkOption
-    { type = types.attrsOf types.nonEmptyStr; default = {}; }; # export = accessLimit
+    { type = types.attrsOf (types.nonEmptyListOf types.nonEmptyStr); default = {}; }; # export = accessLimit
  config = let inherit (inputs.config.nixos.services) nfs; in inputs.lib.mkIf (nfs != {})
  {
-    services =
+    services.nfs.server =
    {
-      rpcbind.enable = true;
-      nfs.server =
-      {
-        enable = true;
-        exports = builtins.concatStringsSep "\n" (builtins.map
-          (export: "${export.name} ${export.value}(rw,no_root_squash,sync,crossmnt)")
-          (inputs.localLib.attrsToList nfs));
-      };
+      enable = true;
+      exports =
+        let clientString = clients: builtins.concatStringsSep " " (builtins.map
+          (client: "${client}(rw,no_root_squash,sync,crossmnt)") clients);
+        in inputs.lib.concatLines (inputs.lib.mapAttrsToList (n: v: "${n} ${clientString v}") nfs);
    };
-    networking.firewall.allowedTCPPorts = [ 2049 ];
  };
 }
--- a/modules/services/nginx/applications/sticker/default.nix
+++ b/modules/services/nginx/applications/sticker/default.nix
@@ -11,7 +11,7 @@ inputs:
        mkdir -p $out
        cp -r ${inputs.topInputs.stickerpicker}/web/* $out
        chmod -R +w $out
-        cp -r ${./web}/* $out
+        cp -r ${inputs.topInputs.sticker}/web/* $out
      '');
      index = [ "index.html" ];
    };
--- a/modules/services/nginx/applications/sticker/.gitignore
+++ b/modules/services/nginx/applications/sticker/.gitignore
@@ -1,2 +0,0 @@
-/config.json
-/sticker-import.session
--- a/modules/services/nginx/applications/sticker/web/packs/LINE_nachonekodayo.json
+++ b/modules/services/nginx/applications/sticker/web/packs/LINE_nachonekodayo.json
--- a/modules/services/nginx/applications/sticker/web/packs/Mare_by_WuMingv2Bot.json
+++ b/modules/services/nginx/applications/sticker/web/packs/Mare_by_WuMingv2Bot.json
--- a/modules/services/nginx/applications/sticker/web/packs/Sakurada_Shiro.json
+++ b/modules/services/nginx/applications/sticker/web/packs/Sakurada_Shiro.json
--- a/modules/services/nginx/applications/sticker/web/packs/TheDonaldTrump.json
+++ b/modules/services/nginx/applications/sticker/web/packs/TheDonaldTrump.json
--- a/modules/services/nginx/applications/sticker/web/packs/csaexi.json
+++ b/modules/services/nginx/applications/sticker/web/packs/csaexi.json
--- a/modules/services/nginx/applications/sticker/web/packs/index.json
+++ b/modules/services/nginx/applications/sticker/web/packs/index.json
@@ -1,19 +0,0 @@
-{
-  "packs": [
-    "Mare_by_WuMingv2Bot.json",
-    "line_191054124446_by_moe_sticker_bot.json",
-    "Sakurada_Shiro.json",
-    "loli_DaiSi_by_WuMingv2Bot.json",
-    "listentoweiwei_by_WuMingv2Bot.json",
-    "csaexi.json",
-    "wechat_transfer_zhcn.json",
-    "teamtimothy_bilibili.json",
-    "line26158619ac0d_by_moe_sticker_bot.json",
-    "LINE_nachonekodayo.json",
-    "zhehelima.json",
-    "TheDonaldTrump.json",
-    "line_173195293297_by_moe_sticker_bot.json",
-    "line261586194a0d_by_moe_sticker_bot.json"
-  ],
-  "homeserver_url": "https://matrix.chn.moe"
-}
--- a/modules/services/nginx/applications/sticker/web/packs/line261586194a0d_by_moe_sticker_bot.json
+++ b/modules/services/nginx/applications/sticker/web/packs/line261586194a0d_by_moe_sticker_bot.json
--- a/modules/services/nginx/applications/sticker/web/packs/line26158619ac0d_by_moe_sticker_bot.json
+++ b/modules/services/nginx/applications/sticker/web/packs/line26158619ac0d_by_moe_sticker_bot.json
--- a/modules/services/nginx/applications/sticker/web/packs/line_173195293297_by_moe_sticker_bot.json
+++ b/modules/services/nginx/applications/sticker/web/packs/line_173195293297_by_moe_sticker_bot.json
--- a/modules/services/nginx/applications/sticker/web/packs/line_191054124446_by_moe_sticker_bot.json
+++ b/modules/services/nginx/applications/sticker/web/packs/line_191054124446_by_moe_sticker_bot.json
--- a/modules/services/nginx/applications/sticker/web/packs/listentoweiwei_by_WuMingv2Bot.json
+++ b/modules/services/nginx/applications/sticker/web/packs/listentoweiwei_by_WuMingv2Bot.json
--- a/modules/services/nginx/applications/sticker/web/packs/loli_DaiSi_by_WuMingv2Bot.json
+++ b/modules/services/nginx/applications/sticker/web/packs/loli_DaiSi_by_WuMingv2Bot.json
--- a/modules/services/nginx/applications/sticker/web/packs/teamtimothy_bilibili.json
+++ b/modules/services/nginx/applications/sticker/web/packs/teamtimothy_bilibili.json
--- a/modules/services/nginx/applications/sticker/web/packs/wechat_transfer_zhcn.json
+++ b/modules/services/nginx/applications/sticker/web/packs/wechat_transfer_zhcn.json
--- a/modules/services/nginx/applications/sticker/web/packs/zhehelima.json
+++ b/modules/services/nginx/applications/sticker/web/packs/zhehelima.json
--- a/modules/services/nginx/default.nix
+++ b/modules/services/nginx/default.nix
@@ -366,38 +366,13 @@ inputs:
        systemd.services.nginx-proxy =
          let
            ip = "${inputs.pkgs.iproute2}/bin/ip";
-            nft = "${inputs.pkgs.nftables}/bin/nft";
-            nftConfigFile = inputs.pkgs.writeText "nginx.nft"
-            ''
-              table inet nginx {
-                chain output {
-                  type route hook output priority mangle; policy accept;
-                  # 由本机发出、gid 为 nginx、但源地址不是本地监听的地址，说明是透明代理的第一个包，将这个流标记
-                  # 但这个包本身不需要处理，正常路由即可。
-                  meta skgid ${builtins.toString inputs.config.users.groups.nginx.gid} fib saddr type != local \
-                    ct state new counter ct mark set ct mark | 2
-                  # 由本机发出、作为透明代理的回复，它不能按照通常的路由，它需要被打上标记并被路由到本地
-                  # 这对应于透明代理到本地的服务的情况
-                  ct mark & 2 == 2 ct direction reply counter meta mark set meta mark | 2 accept
-                  return
-                }
-                # 还需要处理透明代理到其它机器的情况，它们的回复需要在 prerouting 中标记
-                chain prerouting {
-                  type filter hook prerouting priority mangle; policy accept;
-                  ct mark & 2 == 2 ct direction reply counter meta mark set meta mark | 2 accept
-                  return
-                }
-              }
-            '';
            start = inputs.pkgs.writeShellScript "nginx-proxy.start"
            ''
-              ${nft} -f ${nftConfigFile}
              ${ip} rule add fwmark 2/2 table 200
              ${ip} route add local 0.0.0.0/0 dev lo table 200
            '';
            stop = inputs.pkgs.writeShellScript "nginx-proxy.stop"
            ''
-              ${nft} delete table inet nginx
              ${ip} rule del fwmark 2/2 table 200
              ${ip} route del local 0.0.0.0/0 dev lo table 200
            '';
@@ -415,6 +390,30 @@ inputs:
            wants = [ "network.target" ];
            wantedBy= [ "multi-user.target" ];
          };
+        networking.nftables.tables.nginx =
+        {
+          family = "inet";
+          content =
+          ''
+            chain output {
+              type route hook output priority mangle; policy accept;
+              # 由本机发出、gid 为 nginx、但源地址不是本地监听的地址，说明是透明代理的第一个包，将这个流标记
+              # 但这个包本身不需要处理，正常路由即可。
+              meta skgid ${builtins.toString inputs.config.users.groups.nginx.gid} fib saddr type != local \
+                ct state new counter ct mark set ct mark | 2
+              # 由本机发出、作为透明代理的回复，它不能按照通常的路由，它需要被打上标记并被路由到本地
+              # 这对应于透明代理到本地的服务的情况
+              ct mark & 2 == 2 ct direction reply counter meta mark set meta mark | 2 accept
+              return
+            }
+            # 还需要处理透明代理到其它机器的情况，它们的回复需要在 prerouting 中标记
+            chain prerouting {
+              type filter hook prerouting priority mangle; policy accept;
+              ct mark & 2 == 2 ct direction reply counter meta mark set meta mark | 2 accept
+              return
+            }
+          '';
+        };
      })
      # streamProxy
      {
--- a/modules/services/nixvirt.nix
+++ b/modules/services/nixvirt.nix
@@ -1,4 +1,3 @@
-# TODO: fix libvirtd network
 inputs:
 {
  options.nixos.services.nixvirt = let inherit (inputs.lib) mkOption types; in mkOption
@@ -19,19 +18,31 @@ inputs:
          {
            uuid = mkOption { type = types.nonEmptyStr; default = defaultUuid; };
            owner = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
-            hardware =
+            storage =
            {
-              storage = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
-              memoryMB = mkOption { type = types.ints.unsigned; };
-              cpus = mkOption { type = types.ints.unsigned; };
-              mac = mkOption { type = types.nonEmptyStr; default = defaultMac; };
+              name = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
+              nodatacow = mkOption { type = types.bool; default = false; };
+            };
+            memory =
+            {
+              sizeMB = mkOption { type = types.ints.unsigned; };
+              dedicated = mkOption { type = types.bool; default = false; };
+            };
+            cpu =
+            {
+              count = mkOption { type = types.ints.unsigned; };
+              hyprthread = mkOption { type = types.bool; default = false; };
+              set = mkOption { type = types.nullOr (types.nonEmptyListOf types.nonEmptyStr); default = null; };
            };
            network =
            {
-              address = mkOption { type = types.ints.unsigned; };
+              mac = mkOption { type = types.nonEmptyStr; default = defaultMac; };
+              address = mkOption { type = types.nullOr types.ints.unsigned; default = null; };
+              bridge = mkOption { type = types.bool; default = false; };
              vnc =
              {
-                port = mkOption { type = types.ints.unsigned; default = 15900 + submoduleInputs.config.network.address; };
+                port = mkOption
+                  { type = types.ints.unsigned; default = 15900 + submoduleInputs.config.network.address; };
                openFirewall = mkOption { type = types.bool; default = true; };
              };
              portForward = rec
@@ -54,6 +65,13 @@ inputs:
  };
  config = let inherit (inputs.config.nixos.services) nixvirt; in inputs.lib.mkIf (nixvirt != null)
  {
+    assertions = builtins.map
+      (vm:
+      {
+        assertion = vm.value.cpu.set != null -> builtins.length vm.value.cpu.set == vm.value.cpu.count;
+        message = "nixvirt.instance.${vm.name}.cpu.set must have the same length as cpu.count";
+      })
+      (inputs.localLib.attrsToList nixvirt.instance);
    virtualisation =
    {
      libvirt =
@@ -63,7 +81,12 @@ inputs:
        connections."qemu:///system" = let inherit (inputs.topInputs.nixvirt) lib; in
        {
          domains = builtins.map
-            (vm: { definition = inputs.config.sops.templates."${vm.name}.xml".path; active = true; restart = false; })
+            (vm:
+            {
+              definition = inputs.config.sops.templates."nixvirt/${vm.name}.xml".path;
+              active = true;
+              restart = false;
+            })
            (inputs.localLib.attrsToList nixvirt.instance);
          networks =
          [{
@@ -74,10 +97,10 @@ inputs:
                host = builtins.map
                  (vm:
                  {
-                    inherit (vm.hardware) mac;
+                    inherit (vm.network) mac;
                    ip = "192.168.${builtins.toString nixvirt.subnet}.${builtins.toString vm.network.address}";
                  })
-                  (builtins.attrValues nixvirt.instance);
+                  (builtins.filter (vm: vm.network.address != null) (builtins.attrValues nixvirt.instance));
              in lib.network.writeXML (base // { ip = base.ip // { dhcp = base.ip.dhcp // { inherit host; }; }; });
            active = true;
            # never restart the network
@@ -126,50 +149,113 @@ inputs:
      templates = builtins.listToAttrs (builtins.map
        (vm:
        {
-          name = "${vm.name}.xml";
-          value.content =
-            let
-              inherit (inputs.topInputs.nixvirt) lib;
-              base = lib.domain.templates.linux
-              {
-                inherit (vm) name;
-                inherit (vm.value) uuid;
-                memory = { count = vm.value.hardware.memoryMB; unit = "MiB"; };
-                storage_vol = "/var/lib/libvirt/images/${vm.value.hardware.storage}.img";
-                install_vol = "${inputs.topInputs.self.src.iso.netboot}";
-                virtio_video = false;
-              };
-            in lib.domain.getXML (base //
+          name = "nixvirt/${vm.name}.xml";
+          value.content = inputs.topInputs.nixvirt.lib.domain.getXML
+          # port from 8bcc23e27a62297254d0e9c87281e650ff777132
+          {
+            inherit (vm) name;
+            inherit (vm.value) uuid;
+            type = "kvm";
+            vcpu = { placement = "static"; count = vm.value.cpu.count; };
+            cputune = inputs.lib.optionalAttrs (vm.value.cpu.set != null)
            {
-              devices =
-                # remove spicevmc, which needs spice
-                (builtins.removeAttrs base.devices [ "channel" "redirdev" "sound" "audio" ])
-                // {
-                  graphics =
-                  {
-                    type = "vnc";
-                    autoport = false;
-                    port = vm.value.network.vnc.port;
-                    listen.type = "address";
-                    passwd = inputs.config.sops.placeholder."nixvirt/${vm.name}";
-                  };
-                  interface = base.devices.interface // { mac.address = vm.value.hardware.mac; };
-                  disk = builtins.map (disk: disk // { driver = disk.driver // { type = "raw"; }; }) base.devices.disk;
-                };
-              cpu = base.cpu // { topology = { sockets = 1; dies = 1; cores = vm.value.hardware.cpus; threads = 1; };};
-              vcpu = { placement = "static"; count = vm.value.hardware.cpus; };
-              os = (builtins.removeAttrs base.os [ "boot" ]) //
+              vcpupin = builtins.genList
+                (cpu: { vcpu = cpu; cpuset = builtins.elemAt vm.value.cpu.set cpu; })
+                vm.value.cpu.count;
+            };
+            memory =
+            {
+              count = vm.value.memory.sizeMB;
+              unit = "MiB";
+              nosharepages = vm.value.memory.dedicated;
+              locked = vm.value.memory.dedicated;
+            };
+            os =
+            {
+              type = "hvm";
+              arch = "x86_64";
+              machine = "q35";
+              bootmenu = { enable = true; timeout = 15000; };
+              loader = { readonly = true; type = "pflash"; path = "/run/libvirt/nix-ovmf/OVMF_CODE.fd"; };
+              nvram =
              {
-                loader = { readonly = true; type = "pflash"; path = "/run/libvirt/nix-ovmf/OVMF_CODE.fd"; };
-                nvram =
-                {
-                  template = "/run/libvirt/nix-ovmf/OVMF_VARS.fd";
-                  path = "/var/lib/libvirt/qemu/nvram/${vm.name}_VARS.fd";
-                  templateFormat = "raw";
-                  format = "raw";
-                };
+                template = "/run/libvirt/nix-ovmf/OVMF_VARS.fd";
+                path = "/var/lib/libvirt/qemu/nvram/${vm.name}_VARS.fd";
+                templateFormat = "raw";
+                format = "raw";
              };
-            });
+            };
+            features = { acpi = {}; apic = {}; };
+            cpu =
+            {
+              mode = "host-passthrough";
+              topology =
+              {
+                sockets = 1;
+                dies = 1;
+                cores = if vm.value.cpu.hyprthread then vm.value.cpu.count / 2 else vm.value.cpu.count;
+                threads = if vm.value.cpu.hyprthread then 2 else 1;
+              };
+            };
+            clock =
+            {
+              offset = "utc";
+              timer =
+              [
+                { name = "rtc"; tickpolicy = "catchup"; }
+                { name = "pit"; tickpolicy = "delay"; }
+                { name = "hpet"; present = false; }
+              ];
+            };
+            devices =
+            {
+              emulator = "${inputs.config.virtualisation.libvirtd.qemu.package}/bin/qemu-system-x86_64";
+              disk =
+              [
+                {
+                  type = "file";
+                  device = "disk";
+                  driver = { name = "qemu"; type = "raw"; cache = "none"; discard = "unmap"; };
+                  source.file = "${if vm.value.storage.nodatacow then "/nix/nodatacow" else ""}/var/lib/libvirt/images/"
+                    + "${vm.value.storage.name}.img";
+                  target = { dev = "vda"; bus = "virtio"; };
+                  boot.order = 1;
+                }
+                {
+                  type = "file";
+                  device = "cdrom";
+                  driver = { name = "qemu"; type = "raw"; };
+                  source.file = "${inputs.topInputs.self.src.iso.netboot}";
+                  target = { dev = "sdc"; bus = "sata"; };
+                  readonly = true;
+                  boot.order = 10;
+                }
+              ];
+              interface =
+              {
+                type = "bridge";
+                model.type = "virtio";
+                mac.address = vm.value.network.mac;
+                source.bridge = if vm.value.network.bridge then "nixvirt" else "virbr0";
+              };
+              input =
+              [
+                { type = "tablet"; bus = "usb"; }
+                { type = "mouse"; bus = "ps2"; }
+                { type = "keyboard"; bus = "ps2"; }
+              ];
+              graphics =
+              {
+                type = "vnc";
+                autoport = false;
+                port = vm.value.network.vnc.port;
+                listen.type = "address";
+                passwd = inputs.config.sops.placeholder."nixvirt/${vm.name}";
+              };
+              video.model = { type = "qxl"; ram = 65536; vram = 65536; vgamem = 16384; heads = 1; primary = true; };
+              rng = { model = "virtio"; backend = { model = "random"; source = /dev/urandom; }; };
+            };
+          };
        })
        (inputs.localLib.attrsToList nixvirt.instance));
      secrets = builtins.listToAttrs (builtins.map
@@ -202,24 +288,25 @@ inputs:
      group = "root";
      setuid = true;
    };
-    networking.firewall.allowedTCPPorts = builtins.map (vm: vm.network.vnc.port)
-      (builtins.filter (vm: vm.network.vnc.openFirewall) (builtins.attrValues nixvirt.instance));
-    # TODO: use existing options
-    systemd.services.nixvirt-forward =
-      let
-        nftRules = builtins.concatLists (builtins.concatLists (builtins.map
-          (vm: builtins.map
-            (protocol: builtins.map
-              (port: "${protocol} dport ${builtins.toString port.host} fib daddr type local counter dnat ip to "
-                + "192.168.${builtins.toString nixvirt.subnet}.${builtins.toString vm.network.address}"
-                + ":${builtins.toString port.guest}")
-              vm.network.portForward.${protocol})
-            [ "tcp" "udp" ])
-          (builtins.attrValues nixvirt.instance)));
-        nft = "${inputs.pkgs.nftables}/bin/nft";
-        nftConfigFile = inputs.pkgs.writeText "nixvirt.nft"
-        ''
-          table inet nixvirt {
+    networking =
+    {
+      firewall.allowedTCPPorts = builtins.map (vm: vm.network.vnc.port)
+        (builtins.filter (vm: vm.network.vnc.openFirewall) (builtins.attrValues nixvirt.instance));
+      nftables.tables.nixvirt =
+      {
+        family = "inet";
+        content =
+          let nftRules = builtins.concatLists (builtins.concatLists (builtins.map
+            (vm: builtins.map
+              (protocol: builtins.map
+                (port: "${protocol} dport ${builtins.toString port.host} fib daddr type local counter dnat ip to "
+                  + "192.168.${builtins.toString nixvirt.subnet}.${builtins.toString vm.network.address}"
+                  + ":${builtins.toString port.guest}")
+                vm.network.portForward.${protocol})
+              [ "tcp" "udp" ])
+            (builtins.attrValues nixvirt.instance)));
+          in
+          ''
            chain prerouting {
              type nat hook prerouting priority dstnat; policy accept;
              ${builtins.concatStringsSep "\n" nftRules}
@@ -228,22 +315,13 @@ inputs:
              type nat hook output priority dstnat; policy accept;
              ${builtins.concatStringsSep "\n" nftRules}
            }
-          }
-        '';
-        start = inputs.pkgs.writeShellScript "nixvirt.start" "${nft} -f ${nftConfigFile}";
-        stop = inputs.pkgs.writeShellScript "nixvirt.stop" "${nft} delete table inet nixvirt";
-      in
-      {
-        description = "nixvirt port forward";
-        after = [ "nftables.service" "nixvirt.service" ];
-        serviceConfig =
-        {
-          Type = "oneshot";
-          RemainAfterExit = true;
-          ExecStart = start;
-          ExecStop = stop;
-        };
-        wantedBy= [ "multi-user.target" ];
+          '';
      };
+    };
+    boot.kernelParams =
+      let cpusets = builtins.concatLists (builtins.map
+        (vm: vm.cpu.set)
+        (builtins.filter (vm: vm.cpu.set != null) (builtins.attrValues nixvirt.instance)));
+      in inputs.lib.mkIf (cpusets != []) [ "isolcpus=${builtins.concatStringsSep "," cpusets}" ];
  };
 }
--- a/modules/services/podman.nix
+++ b/modules/services/podman.nix
@@ -0,0 +1,26 @@
+inputs:
+{
+  options.nixos.services.podman = let inherit (inputs.lib) mkOption types; in mkOption
+    { type = types.nullOr (types.submodule {}); default = null; };
+  config = let inherit (inputs.config.nixos.services) podman; in inputs.lib.mkIf (podman != null)
+  {
+    virtualisation =
+    {
+      containers =
+      {
+        enable = true;
+        containersConf.settings.network.firewall_driver = "nftables";
+      };
+      podman =
+      {
+        enable = true;
+        # Create a `docker` alias for podman, to use it as a drop-in replacement
+        dockerCompat = true;
+        # Required for containers under podman-compose to be able to talk to each other.
+        defaultNetwork.settings.dns_enabled = true;
+      };
+    };
+    hardware.nvidia-container-toolkit.enable = inputs.lib.mkIf (inputs.config.nixos.system.nixpkgs.cuda != null) true;
+    networking.firewall.trustedInterfaces = [ "podman0" ]; 
+  };
+}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
chn	97cd45caf6	debug	2025-06-25 21:19:29 +08:00
chn	13c6dda325	modules.services.xray: add debug info	2025-06-25 21:16:04 +08:00
chn	13d571477b	modules.services.xray: revert version	2025-06-25 21:03:49 +08:00
chn	75e3b31219	modules.services.xray: add counter	2025-06-25 20:52:19 +08:00
chn	b5002abe0d	devices.xmuhk: add nix config	2025-06-25 13:04:46 +08:00
chn	42080c0b9a	devices.jykang: fix passthru	2025-06-25 12:53:56 +08:00
chn	26c1e14910	devices.xmuhk: setup nix	2025-06-25 12:48:48 +08:00
chn	5f9c8e3df2	devices.pc: setup xmuhk mount	2025-06-25 12:39:50 +08:00
chn	3219a7283e	devices.jykang: fix nix setting	2025-06-25 12:36:51 +08:00
chn	37d2126c1a	Revert "devices.jykang: setup" This reverts commit `e35e6b2e5d`.	2025-06-25 12:33:44 +08:00
chn	2ebd87a5e6	Revert "devices.jykang: remove nix bin path from PATH" This reverts commit `5e7ccc47cb`.	2025-06-25 12:33:19 +08:00
chn	078292edb7	Revert "devices.jykang: cleanup" This reverts commit `d1fc2b0a1c`.	2025-06-25 12:32:54 +08:00
chn	a8bbc1d47a	devices.xmuhk: some singularity fix	2025-06-25 12:27:46 +08:00
chn	fae98186d2	devices.xmuhk: add passthru	2025-06-25 10:51:28 +08:00
chn	715fa9572f	Revert "devices.xmuhk: use host singularity" This reverts commit `2b43d84981`.	2025-06-25 10:49:21 +08:00
chn	2b43d84981	devices.xmuhk: use host singularity	2025-06-25 10:44:48 +08:00
chn	959df1f144	devices.xmuhk: patch singularity	2025-06-25 10:40:33 +08:00
chn	12dd286e99	devices.xmuhk.lumericalLicenseManager: loose interface name	2025-06-25 10:18:15 +08:00
chn	257e13e463	devices.xmuhk: add lumericalLicenseManager	2025-06-25 10:14:46 +08:00
chn	692de14ca0	modules.services.lumericalLicenseManager: rebuild clean image	2025-06-25 10:00:13 +08:00
chn	5a913287a3	packages.lumerical.createLicense: init	2025-06-25 09:38:30 +08:00
chn	833acb4c21	flake.src: add lumericalLicenseManager.sif	2025-06-25 09:27:53 +08:00
chn	fba563c19b	modules.user.chn.ssh: update xmuhk ip	2025-06-25 08:42:31 +08:00
chn	62806e0bab	packages.lumerical.lumerical: add openmpi support	2025-06-24 21:42:14 +08:00
chn	efa024f0ae	modules.services.lumericalLicenseManager: allow set macAddress	2025-06-24 21:21:35 +08:00
chn	86495bb56f	packages.lumerical.license: init	2025-06-24 21:15:44 +08:00
chn	30efbe92a9	flake.src: add license file	2025-06-24 21:08:38 +08:00
chn	0d7eaae89c	devices.xmuhk: init	2025-06-24 20:48:45 +08:00
chn	e35e6b2e5d	devices.jykang: setup	2025-06-24 19:07:13 +08:00
chn	5e7ccc47cb	devices.jykang: remove nix bin path from PATH	2025-06-24 18:43:50 +08:00
chn	d1fc2b0a1c	devices.jykang: cleanup	2025-06-24 18:43:05 +08:00
chn	b9dba325a9	flake.lib.buildNixpkgsConfig: move	2025-06-24 18:40:38 +08:00
chn	66bae0761f	devices.srv3: add resource to test vm	2025-06-24 17:28:56 +08:00
chn	714cd7c69f	package.lumericalLicenseManager: init	2025-06-24 17:28:38 +08:00
chn	9c50c656a0	devices.jykang: add passthru	2025-06-24 15:11:29 +08:00
chn	e7771e8bdc	packages.lumerical.raw: use bundled qt	2025-06-24 14:47:45 +08:00
chn	348fb3006a	packages.lumerical: add raw packages	2025-06-24 14:46:42 +08:00
chn	52a7c41b93	packages.lumerical: fix packaging	2025-06-24 14:15:47 +08:00
chn	7321486c25	Revert "devices.pc: remove lumericalLicenseManager" This reverts commit `8b36f79574`.	2025-06-24 14:05:45 +08:00
chn	0df3891fbd	modules.services.lumericalLicenseManager: update license date	2025-06-24 14:04:50 +08:00
chn	40652454e4	devices.pc: remove acme cert debug.mirism.one	2025-06-24 13:40:44 +08:00
chn	8b36f79574	devices.pc: remove lumericalLicenseManager	2025-06-24 13:38:58 +08:00
chn	855f656370	packages.lumerical: use fhsenv	2025-06-24 13:22:39 +08:00
chn	3f781ac120	modules.services.lumericalLicenseManager: use host network	2025-06-24 11:47:31 +08:00
chn	71c90fe22a	modules.services.lumericalLicenseManager: fix	2025-06-24 10:36:22 +08:00
chn	571b13476b	Revert "modules.services.lumericalLicenseManager: reove" This reverts commit `b72575045a`.	2025-06-24 10:20:01 +08:00
chn	8d3a779c28	Revert "packages.lumerical: remove" This reverts commit `f5caaaefe4`.	2025-06-24 10:19:53 +08:00
chn	c7ab6b7536	modules.system.gui: fix	2025-06-23 10:58:31 +08:00
chn	4d55cb17c1	devices.pc: enable remote build	2025-06-23 10:56:42 +08:00
chn	05ab0566cc	module.system.gui: remove a workaround for KDE	2025-06-23 09:28:00 +08:00
chn	8f36c57ff2	modules.system.gui: add implementation option	2025-06-22 22:09:06 +08:00
chn	ef02d3c7f8	modules.system.kernel: remote hibernate-progress v6.6	2025-06-22 11:50:15 +08:00
chn	fabc48e0fc	modules.system.kernel: add xanmod-unstable	2025-06-22 11:47:57 +08:00
chn	78d58ab06e	flake: update nixpkgs-unstable	2025-06-22 09:01:36 +08:00
chn	4fa5f39eb4	modules.system.fileSystems.rollingRootfs: fix	2025-06-21 23:33:48 +08:00
chn	3b8f573ccb	modules.system.fileSystems.rollingRootfs: split	2025-06-21 23:27:45 +08:00
chn	7fe7b2aa00	modules.system.fileSystems.rollingRootfs: add backup	2025-06-21 23:24:16 +08:00
chn	9c10a367b2	modules.hardware.cpu: amd add ryzen-smu	2025-06-21 23:15:03 +08:00
chn	1f726c3eef	modules.services.gitea: cleanup	2025-06-18 11:35:39 +08:00
chn	e8774e5943	modules.services.httpapi: 整理	2025-06-18 11:29:21 +08:00
chn	a107201eb4	modules.packages.desktop: add waveterm	2025-06-18 08:53:05 +08:00
chn	608693e1c5	modules.packages.vscode: add datawrangler	2025-06-15 17:18:57 +08:00
chn	a8dc47bc3d	Revert "modules.packages.vscode: add datawrangler" This reverts commit `d322beb664`.	2025-06-15 17:18:10 +08:00
chn	d322beb664	modules.packages.vscode: add datawrangler	2025-06-15 17:07:08 +08:00
chn	4d42334ed7	modules.services.podman: fix	2025-06-15 13:40:45 +08:00
chn	c8d6ec6ff6	modules.system.nixpkgs.buildNixpkgsConfig: let podman use nftables	2025-06-15 13:20:09 +08:00
chn	8ac73e5836	modules.services.podman: fix	2025-06-15 13:09:38 +08:00
chn	7f496e3f6c	modules.services.huginn/rsshub: use podman	2025-06-15 12:44:38 +08:00
chn	bfeeb85235	modules.services.kvm: fix	2025-06-15 12:36:17 +08:00
chn	5f909eed0c	Revert "modules.services.kvm: remove workaround" This reverts commit `e4e85996f5`.	2025-06-15 12:30:27 +08:00
chn	c75c07f8df	modules.services.podman: init, replace docker	2025-06-15 12:21:41 +08:00
chn	1a1e8c3b65	git: remove usage of git lfs	2025-06-15 11:45:12 +08:00
chn	82b04b897a	devices.srv3: set pricing date	2025-06-14 13:11:10 +08:00
chn	9ef5d5f35d	modules.packages.android-studio: remove	2025-06-13 19:33:05 +08:00
chn	1932d80220	modules.services.kvm: fix	2025-06-13 17:42:59 +08:00
chn	bc12375d04	modules.services.vaultwarden: cleanup	2025-06-13 08:05:18 +08:00
chn	1dde3e856b	modules.services.frp: remove	2025-06-13 07:51:23 +08:00
chn	a7976ae167	modules.services.nfs: remove rpcbind, remove firewall rule	2025-06-13 07:49:42 +08:00
chn	746b438058	modules.hardware.cpu: must set, auto deduce from nixpkgs.march	2025-06-12 21:14:19 +08:00
chn	f480369f68	modules.hardware.cpu: cleanup	2025-06-12 21:06:15 +08:00
chn	e4e85996f5	modules.services.kvm: remove workaround	2025-06-12 20:59:27 +08:00
chn	890744ad77	modules.services.kvm: prevent qemu double build	2025-06-12 20:58:54 +08:00
chn	06967ccffd	modules.services.kvm: aarch64 support as optional	2025-06-12 20:58:03 +08:00
chn	a1ce57fdbe	modules.service.kvm: remove autoSuspend option	2025-06-12 20:50:49 +08:00
chn	832ca323d1	modules.system.fileSystems: set resume device to swap if only one swap device is defined	2025-06-12 20:49:05 +08:00
chn	4c3a1a817d	modules.system.fileSystems.rollingRootfs: enable as default	2025-06-12 20:38:46 +08:00
chn	a5a39007f6	devices.pc: remove user test	2025-06-12 17:37:57 +08:00
chn	766bf76564	modules.services.nfs: allow multiple clients	2025-06-12 17:31:50 +08:00
chn	dd6298798c	modules.user: fix root git config	2025-06-11 20:24:37 +08:00
chn	efbb595678	modules.packages.desktop: add kruler	2025-06-11 15:45:48 +08:00
chn	179caceae0	modules.hardware.cpu: 整理	2025-06-11 12:22:37 +08:00
chn	8f2d054ae8	modules.system.nix-ld: enable for all system types by default	2025-06-11 09:11:59 +08:00
chn	98c0d7824a	Revert "modules.packages.vscode: fix" This reverts commit `b48d3eeec1`.	2025-06-11 09:11:28 +08:00
chn	b48d3eeec1	modules.packages.vscode: fix	2025-06-11 09:06:09 +08:00
chn	cca3d3afd3	devices.cross.secrets.acme: update token	2025-06-09 21:04:41 +08:00
chn	0a2c1fe437	devices.cross.secrets.acme: split	2025-06-09 20:54:59 +08:00
chn	9320855ceb	devices.vps4/vps6: delete xray user	2025-06-09 15:42:40 +08:00
chn	dcc7f21f73	devices.srv3/vps4/vps6: clean up xray user	2025-06-09 09:35:40 +08:00
chn	6d1e006741	devices.nas: disable nix-serve	2025-06-09 09:22:22 +08:00
chn	2b281efb50	flake: update nixos-wallpaper	2025-06-08 10:34:51 +08:00
chn	de8aaf388c	flake.packages.archive: fix	2025-06-07 21:32:34 +08:00
chn	50e6069aed	modules.system.sysctl: set max mount	2025-06-07 21:27:02 +08:00
chn	dc0f444481	flake.dns: setup xserver2	2025-06-07 20:45:24 +08:00
chn	f57bd8bb9b	flake.packages.src: fix	2025-06-06 17:58:33 +08:00
chn	39d4ff9d4f	flake.packages: add archive	2025-06-06 17:56:56 +08:00
chn	24718f4125	add doc	2025-06-06 08:42:49 +08:00
chn	21b04d953d	Revert "modules.services.xray: fix mark" This reverts commit `21e9f53b39`.	2025-06-05 20:08:06 +08:00
chn	21e9f53b39	modules.services.xray: fix mark	2025-06-05 19:48:45 +08:00
chn	b8f27cc8e9	Revert "modules.services.wireguard: enable refresh" This reverts commit `587bd4ded1`.	2025-06-05 18:57:03 +08:00
chn	587bd4ded1	modules.services.wireguard: enable refresh	2025-06-05 18:39:47 +08:00
chn	f1c231bccc	modules.system.nixpkgs.buildNixpkgsConfig: cleanup	2025-06-05 17:55:43 +08:00
chn	601dfa050d	Revert "modules.system.nixpkgs.buildNixpkgsConfig: use allowUnfreePredicate" This reverts commit `4887332da8`.	2025-06-05 17:54:30 +08:00
chn	4887332da8	modules.system.nixpkgs.buildNixpkgsConfig: use allowUnfreePredicate	2025-06-05 17:52:49 +08:00
chn	f310054b03	devices.vps4: add xray user	2025-06-05 15:42:22 +08:00
chn	8ced3ce943	flake.dns: set xserver2	2025-06-05 15:42:22 +08:00
chn	47617baea8	modules.services.xray.server: set serverName default to xserver2	2025-06-05 15:42:13 +08:00
chn	65d05e7676	modules.services.xray.client: not set ip; use xserver2 as default	2025-06-05 15:42:05 +08:00
chn	feed87db2d	modules.server.xray: remove unused options	2025-06-05 14:51:41 +08:00
chn	8faf4b1d5c	modules.services.nixvirt: add nftables table for port forwarding	2025-06-05 12:01:22 +08:00
chn	d88d904013	modules.packages.desktop: add activitywatch	2025-06-05 12:01:22 +08:00
chn	5793e62f6a	modules.services.xray.client: use existing nftables options	2025-06-05 12:01:18 +08:00
chn	9c267052b0	modules.services.nginx: fix nft rules	2025-06-05 11:20:02 +08:00
chn	c69bd56b5f	devices.vps6: forward using wg0	2025-06-05 10:46:23 +08:00
chn	8e9185ec6b	devices.vps4/6: move forward to vps6	2025-06-05 10:43:20 +08:00
chn	9774ea9a2d	modules.services.sshd.motd: fix	2025-06-05 10:34:58 +08:00
chn	ed57489bb3	Reapply "users.zqq: add ssh key" This reverts commit `38df611978`.	2025-06-05 10:24:07 +08:00
chn	2c3687b785	devices.vps4: add forward table	2025-06-05 10:16:02 +08:00
chn	627f9cf9a8	devices.vps4: enable wireguard	2025-06-04 19:52:20 +08:00
chn	d83c3f38da	devices.srv2: disable password authentication for SSH	2025-06-04 19:46:41 +08:00
chn	f43da51a0a	modules.services.gitea: longer git timeouts	2025-06-04 16:03:07 +08:00
chn	7a3f945ca8	fix peertube	2025-06-04 13:51:41 +08:00
chn	1c42579bc4	modules.services.sshd: fix lolcat	2025-06-04 12:34:01 +08:00
chn	5d295ce114	update nixpkgs (no change)	2025-06-04 12:22:51 +08:00
chn	0dc2fe9131	Reapply "revert slurm version" This reverts commit `3988d626fc`.	2025-06-04 12:16:19 +08:00
chn	9aed79f30d	modules.services.slurm: disable upstream nvml	2025-06-04 12:09:35 +08:00
chn	32fe05d653	Revert "modules.services.slurm: remove nvml support, upstream already has it" This reverts commit `351f8cd9fa`.	2025-06-04 12:08:18 +08:00
chn	3988d626fc	Revert "revert slurm version" This reverts commit `2b2fbd4ab5`.	2025-06-04 12:08:03 +08:00
chn	2b2fbd4ab5	revert slurm version	2025-06-04 11:57:17 +08:00
chn	351f8cd9fa	modules.services.slurm: remove nvml support, upstream already has it	2025-06-04 11:44:52 +08:00
chn	5b95c9d5a5	fix mariadb	2025-06-04 11:28:43 +08:00
chn	2f4034a3f8	modules.system.networking -> network	2025-06-03 08:49:10 +08:00
chn	45eaad9ee2	modules.system.networking: bridge.devs -> bridge.interfaces	2025-06-03 08:45:48 +08:00
chn	77df06600d	devices.pc: remove unused dnsmasq resolve	2025-06-02 23:23:02 +08:00
chn	e55578eb81	devices.pc: remove unused hosts	2025-06-02 23:22:14 +08:00
chn	1224574cfa	devices.pc: use vps4 proxy	2025-06-02 23:21:57 +08:00
chn	2d4555757e	modules.system.kernel: fix initrd bridge	2025-06-02 22:08:35 +08:00
chn	80b72bde87	modules.system.networking: fix	2025-06-02 19:34:26 +08:00
chn	70c53aa3cc	modules.system.initrd: fix	2025-06-02 18:56:15 +08:00
chn	e6abe12bad	devices.srv3: bridge interface	2025-06-02 17:21:31 +08:00
chn	ff6cb0c803	modules.system.fileSystems.nfs: auto enable network in initrd	2025-06-02 17:21:31 +08:00
chn	b8e5327c09	modules.system.networking: add trust masquerade	2025-06-02 17:21:25 +08:00
chn	e6e636ea09	modules.system.initrd: fix network config	2025-06-02 17:21:21 +08:00
chn	cac01d62a1	devices.nas: add nix-serve	2025-06-02 14:24:15 +08:00
chn	949cf6c326	modules.services.nginx.applications.sticker: fix	2025-06-02 13:34:53 +08:00
chn	04d6e0bc32	flake: set branch	2025-06-02 13:12:49 +08:00
chn	5884f26e5c	flake: lock openxlsx	2025-06-02 13:11:56 +08:00
chn	7fed1fee7f	add doc	2025-06-02 13:08:38 +08:00
chn	dc24c38857	modules.service.rsshub: use docker image	2025-06-02 13:06:56 +08:00
chn	3073c1ad9c	modules.system.nixpkgs.buildNixpkgsConfig: fix ctranslate2	2025-06-02 12:54:41 +08:00
chn	5a534cd763	flake: update blog	2025-06-01 22:23:36 +08:00
chn	42b6ffe6c8	modules.system.nixpkgs.buildNixpkgsConfig: fix	2025-06-01 16:01:19 +08:00
chn	e8423a9153	modules.system.nixpkgs.buildNixpkgsConfig: allow broken	2025-06-01 15:28:27 +08:00
chn	ce94df1856	modules.packages.desktop: fix	2025-06-01 15:18:18 +08:00
chn	1768853fba	modules.user.hjp: fix	2025-06-01 14:30:38 +08:00
chn	e5b982560d	modules.packages.desktop: fix	2025-06-01 13:30:54 +08:00
chn	e8e380e469	Merge branch 'next' into production	2025-06-01 13:29:42 +08:00
chn	62774e052a	devices.vps4: disable beesd	2025-06-01 13:29:29 +08:00
chn	656ffa32ac	modules.services.nextcloud: fix	2025-06-01 13:29:29 +08:00
chn	c499715522	modules.services.freshrss: fix	2025-06-01 13:29:29 +08:00
chn	2eb0dedb04	packages.mirism-old: fix	2025-06-01 13:29:29 +08:00
chn	298bba7dcd	flake: fix blog build	2025-06-01 13:29:29 +08:00
chn	5ddaf317d6	modules.packages: remove unused python packages	2025-06-01 13:29:29 +08:00
chn	b56f81fc23	devices.vps6: remove generic specialisation	2025-06-01 13:29:29 +08:00
chn	9ee1927cde	modules.system.nixpkgs.buildNixpkgsConfig: fix build for nas	2025-06-01 13:29:29 +08:00
chn	918ff6641b	devices.vps4: disable beesd	2025-06-01 13:01:36 +08:00
chn	7c20bab9ec	modules.services.nextcloud: fix	2025-06-01 12:48:12 +08:00
chn	1c88cf7607	modules.services.freshrss: fix	2025-06-01 12:47:58 +08:00
chn	b96dda6f08	packages.mirism-old: fix	2025-06-01 12:47:40 +08:00
chn	01c1389c79	flake: fix blog build	2025-06-01 11:06:46 +08:00
chn	2c76ca9425	modules.packages: remove unused python packages	2025-06-01 10:01:10 +08:00
chn	2c1e466966	devices.vps6: remove generic specialisation	2025-06-01 09:44:20 +08:00
chn	82435ec7ea	modules.system.nixpkgs.buildNixpkgsConfig: fix build for nas	2025-06-01 09:42:59 +08:00
chn	c26bdc7fd6	modules.packages.desktop: list dir recursive	2025-05-31 16:53:14 +08:00
chn	73b1e11052	modules.services.nixvirt: fix	2025-05-31 16:00:18 +08:00
chn	76c5317b86	modules.services.nixvirt: fix cpu pin	2025-05-31 15:38:47 +08:00
chn	ca3564ab44	modules.services.nixvirt: fix	2025-05-31 15:10:27 +08:00
chn	6748c57588	devices.test-pc: fix	2025-05-31 15:02:27 +08:00
chn	a8103fb3da	modules.services.nixvirt: typo	2025-05-31 15:02:06 +08:00
chn	14683a9711	devices.test-pc: test dedicated memory and cpu	2025-05-31 15:00:10 +08:00
chn	22697b4caf	modules.services.nixvirt: typo	2025-05-31 14:59:51 +08:00
chn	37eb856076	devices.nas: switch to minimal	2025-05-31 14:54:55 +08:00
chn	38f6f97c2a	devices.test-pc: fix	2025-05-31 14:52:13 +08:00
chn	7662b92c95	modules.system.networking: fix	2025-05-31 14:42:22 +08:00
chn	7a55486bb2	modules.system.networking: fix	2025-05-31 14:36:51 +08:00
chn	62913af307	modules.system.networking: fix	2025-05-31 14:23:33 +08:00
chn	c96f02281d	devices.test-pc: fix	2025-05-31 13:45:48 +08:00
chn	c76256de89	modules.system.networking: fix	2025-05-31 13:39:34 +08:00
chn	491ff62f89	devices.test-pc: test bridge network	2025-05-31 13:37:38 +08:00
chn	c9dce7648c	modules.services.nixvirt: allow network bridge	2025-05-31 13:33:24 +08:00
chn	b0d0566b7c	modules.system.networking: add bridge networking support	2025-05-31 13:26:13 +08:00
chn	5d6a98225d	modules.services.nixvirt: allow cpu isolation	2025-05-31 12:58:05 +08:00
chn	533f2d96f0	modules.services/nixvirt: memory allow lock in memory	2025-05-31 12:24:06 +08:00
chn	5fc8a9f7e8	modules.services.nixvirt: storage allow nodatacow	2025-05-31 12:20:58 +08:00
chn	38ea01a1f0	modules.services.nixvirt: 移动选项	2025-05-31 12:18:16 +08:00
chn	b2cad6faee	modules.services.nixvirt: format	2025-05-31 12:14:52 +08:00
chn	cbbb6485fc	devices.pc/srv2: add lammps	2025-05-31 12:05:21 +08:00
chn	1f3d8a189e	modules.packages: split molecule packages	2025-05-31 12:04:05 +08:00
chn	0a9eac14de	modules.system: do not enable something on server	2025-05-31 11:56:55 +08:00
chn	8cb7807383	modules.packages: do not install a lot of packages on server	2025-05-31 11:53:26 +08:00
chn	5b11399fab	modules.packages.android-studio: format	2025-05-31 11:50:12 +08:00
chn	dc61586a4e	modules.packages.server -> minimal	2025-05-31 11:49:45 +08:00
chn	450fac54c7	modules.packages.nushell: format	2025-05-31 11:45:47 +08:00
chn	674ea92cf4	modules.packages.lammps: do not install by default	2025-05-31 11:45:12 +08:00
chn	3fbb32955e	modules.packages.mumax: do not install as default	2025-05-31 11:44:14 +08:00
chn	1a196c3eec	format	2025-05-31 11:43:05 +08:00
chn	71af517886	modules.model: vps -> minimal	2025-05-31 11:41:48 +08:00
chn	97be517f27	modules.services.nixvirt: do not use template from nixvirt	2025-05-31 11:40:42 +08:00
chn	ba9c67d7e8	modules.system.kernel: remove cachyos kernel	2025-05-31 11:20:56 +08:00
chn	f53e3d726a	devices.one: use xanmod kernel	2025-05-31 11:19:21 +08:00
chn	f09d1f0717	Reapply "modules.system.nixpkgs.buildNixpkgsConfig: disable contentAddressedByDefault" This reverts commit `8babcc5185`.	2025-05-31 11:17:33 +08:00
chn	7f442b2532	modules.services.nixvirt: fix sops path	2025-05-31 11:08:47 +08:00
chn	32b47cd5dd	Merge branch 'temp' into next	2025-05-31 10:28:46 +08:00
chn	8babcc5185	Revert "modules.system.nixpkgs.buildNixpkgsConfig: disable contentAddressedByDefault" This reverts commit `30c283523a`.	2025-05-29 20:52:24 +08:00
				`@@ -0,0 +1 @@`
				`store = local?store=/data/gpfs01/jykang/.nix/store&state=/data/gpfs01/jykang/.nix/state&log=/data/gpfs01/jykang/.nix/log`
				`@@ -0,0 +1 @@`
				`store = local?store=/public/home/xmuhk/.nix/store&state=/public/home/xmuhk/.nix/state&log=/public/home/xmuhk/.nix/log`