test

This reverts commit 789298596b.

.gitignore

@@ -6,3 +6,4 @@ build
 .vscode
 .cache
 .ccls-cache
+archive

.sops.yaml

@@ -1,29 +1,22 @@
 keys: # cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
   - &chn age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
   - &pc age1ffvr5pqd2lfj24e3fh53s92z6h76fda3du4y4k6r3yjumdwvpfgqzj033a
-  - &vps4 age1yvrl4y0r6yzcxzzkgfwshlrtsjt8uuya6rfwks09pnft7esfcyvqmrtm5q
   - &vps6 age164tyqklwhdm57tfm5u863mdt2xrzrrzac4py8a0j9y6kzqcjy9zsp073t6
   - &vps7 age137x7csalutwvfygvvzpemlsywvdxj3j4z93a50z2sjx03w6zau8q3r5902
-  - &surface age1ck5vzs0xqx0jplmuksrkh45xwmkm2t05m2wyq5k2w2mnkmn79fxs6tvl3l
   - &nas age19lhcwk37jmvn6z0v4dpdfh0k4u23f76twdjknc0p7atktf37rd7s4t4wj3
-  - &xmupc1 age1hnarptkze0ujpp05dqr8uma04cxg9zqcx68qgpks5uf5l6rpk5gqhh8wxg
-  - &xmupc2 age1l4stuz0vr7gs7pqwjrmezam44702jp2vmqaqyxw0l0r42kf9updq4dfhrw
-  - &pi3b age1yjgswvexp0x0de0sw4u6hamruzeluxccmx2enxazl6pwhhsr2s9qlxdemq
+  - &one age1m7nrxfw22wvp7pj8y9pdl745w95x89uu8dzl9ppsaazweqf2lqms5yshsp
   - &srv1-node0 age1nzetyehldf3gl6pr6mu5d2cv387p8wjqn6wfpll7a3sl8us6n38s0ds633
   - &srv1-node1 age1wj33xt8nj7rhnsenepsf6k3lmq5vk4wn84jwr55qy9cwu05xn5cspg3h7t
   - &srv1-node2 age16e7ykphshal6qhwfvat698hl48s8yr0jvzh27ecdyfh5uk7t9u6s753jgy
   - &srv1-node3 age1lee0kl24f0ntss6m69zu2s2e7njdpkv9nl7rlf4nn7rvv0mlgvfqrte2y5
+  - &srv2-node0 age1l4stuz0vr7gs7pqwjrmezam44702jp2vmqaqyxw0l0r42kf9updq4dfhrw
+  - &srv2-node1 age1hnarptkze0ujpp05dqr8uma04cxg9zqcx68qgpks5uf5l6rpk5gqhh8wxg
 creation_rules:
   - path_regex: devices/pc/.*$
     key_groups:
     - age:
       - *chn
       - *pc
-  - path_regex: devices/vps4/.*$
-    key_groups:
-    - age:
-      - *chn
-      - *vps4
   - path_regex: devices/vps6/.*$
     key_groups:
     - age:
@@ -39,26 +32,11 @@ creation_rules:
     - age:
       - *chn
       - *nas
-  - path_regex: devices/surface/.*$
+  - path_regex: devices/one/.*$
     key_groups:
     - age:
       - *chn
-      - *surface
-  - path_regex: devices/xmupc1/.*$
-    key_groups:
-    - age:
-      - *chn
-      - *xmupc1
-  - path_regex: devices/xmupc2/.*$
-    key_groups:
-    - age:
-      - *chn
-      - *xmupc2
-  - path_regex: devices/pi3b/.*$
-    key_groups:
-    - age:
-      - *chn
-      - *pi3b
+      - *one
   - path_regex: devices/srv1/node0/.*$
     key_groups:
     - age:
@@ -79,3 +57,13 @@ creation_rules:
     - age:
       - *chn
       - *srv1-node3
+  - path_regex: devices/srv2/node0/.*$
+    key_groups:
+    - age:
+      - *chn
+      - *srv2-node0
+  - path_regex: devices/srv2/node1/.*$
+    key_groups:
+    - age:
+      - *chn
+      - *srv2-node1

README.md

@@ -0,0 +1,26 @@
+This is my NixOS configuration. I use it to manage:
+* some vps serving some websites and services (misskey, synapse), etc.
+* my laptop (Lenovo R9000P 2023), and my tablet (One Netbook One Mix 4).
+* some cluster for scientific computing (vasp, lammps, etc).
+With the following highlights:
+* All binary is compiled for specific CPU (`-march=xxx`, like that on Gentoo). 
+* All packages and configurations are managed by Nix, as much reproducible as possible.
+
+## Using overlay
+
+An overlay is provided through `outputs.overlays.default`, you could use it in your `configuration.nix` like this:
+
+```nix
+{
+  inputs.chn-nixos.url = "github:CHN-beta/nixos";
+  outputs.nixosConfigurations.my-host = inputs.nixpkgs.lib.nixosSystem
+  {
+    modules = [({pkgs, ...}: { config =
+    {
+      nixpkgs.overlays = [ inputs.chn-nixos.overlays.default ];
+      environment.systemPackages = [ pkgs.localPackages.vasp.intel ];
+    };})];
+  };
+}
+```
+

devices/cross/default.nix

@@ -0,0 +1 @@
+inputs: { imports = inputs.localLib.findModules ./.; }

devices/cross/luks-manual/default.nix

@@ -0,0 +1,22 @@
+inputs:
+let devices =
+{
+  nas =
+  {
+    "/dev/disk/by-uuid/a47f06e1-dc90-40a4-89ea-7c74226a5449".mapper = "root3";
+    "/dev/disk/by-uuid/b3408fb5-68de-405b-9587-5e6fbd459ea2".mapper = "root4";
+    "/dev/disk/by-uuid/a779198f-cce9-4c3d-a64a-9ec45f6f5495" = { mapper = "nix"; ssd = true; };
+  };
+  vps6."/dev/disk/by-uuid/4f8aca22-9ec6-4fad-b21a-fd9d8d0514e8" = { mapper = "root"; ssd = true; };
+  vps7."/dev/disk/by-uuid/db48c8de-bcf7-43ae-a977-60c4f390d5c4" = { mapper = "root"; ssd = true; };
+};
+in
+{
+  config =
+  {
+    nixos.system.fileSystems.luks.manual =
+      let inherit (inputs.config.nixos.model) hostname;
+      in if devices ? ${hostname} then devices.${hostname} else inputs.lib.mkOptionDefault null;
+    home-manager.users.chn.config.nixos.decrypt = devices;
+  };
+}

devices/cross/wireguard.nix

@@ -0,0 +1,70 @@
+inputs:
+let devices =
+{
+  vps6 =
+  {
+    peers = [ "pc" "nas" "one" "vps7" "srv2-node0" "srv1-node0" ];
+    publicKey = "AVOsYUKQQCvo3ctst3vNi8XSVWo1Wh15066aHh+KpF4=";
+    wireguardIp = "192.168.83.1";
+    listenIp = "74.211.99.69";
+    lighthouse = true;
+  };
+  vps7 =
+  {
+    peers = [ "vps6" ];
+    publicKey = "n056ppNxC9oECcW7wEbALnw8GeW7nrMImtexKWYVUBk=";
+    wireguardIp = "192.168.83.2";
+    listenIp = "144.126.144.62";
+  };
+  pc =
+  {
+    peers = [ "vps6" ];
+    behindNat = true;
+    publicKey = "l1gFSDCeBxyf/BipXNvoEvVvLqPgdil84nmr5q6+EEw=";
+    wireguardIp = "192.168.83.3";
+  };
+  nas =
+  {
+    peers = [ "vps6" ];
+    behindNat = true;
+    publicKey = "xCYRbZEaGloMk7Awr00UR3JcDJy4AzVp4QvGNoyEgFY=";
+    wireguardIp = "192.168.83.4";
+  };
+  one =
+  {
+    peers = [ "vps6" ];
+    behindNat = true;
+    publicKey = "Hey9V9lleafneEJwTLPaTV11wbzCQF34Cnhr0w2ihDQ=";
+    wireguardIp = "192.168.83.5";
+  };
+  srv2-node0 =
+  {
+    peers = [ "vps6" ];
+    behindNat = true;
+    publicKey = "lNTwQqaR0w/loeG3Fh5qzQevuAVXhKXgiPt6fZoBGFE=";
+    wireguardIp = "192.168.83.7";
+  };
+  srv1-node0 =
+  {
+    peers = [ "vps6" ];
+    behindNat = true;
+    publicKey = "Br+ou+t9M9kMrnNnhTvaZi2oNFRygzebA1NqcHWADWM=";
+    wireguardIp = "192.168.83.9";
+  };
+};
+in
+{
+  config.nixos.services.wireguard = inputs.lib.mkIf (devices ? ${inputs.config.nixos.model.hostname})
+  (
+    let
+      buildConfig = cfg:
+      {
+        inherit (cfg) publicKey wireguardIp;
+        lighthouse = inputs.lib.mkIf (cfg ? lighthouse) cfg.lighthouse;
+        behindNat = inputs.lib.mkIf (cfg ? behindNat) cfg.behindNat;
+        listenIp = inputs.lib.mkIf (cfg ? listenIp) cfg.listenIp;
+      };
+      this = devices.${inputs.config.nixos.model.hostname};
+    in (buildConfig this) // { peers = builtins.map (peer: buildConfig (devices.${peer})) this.peers; }
+  );
+}

devices/jykang.xmuhpc/.bashrc

@@ -37,6 +37,9 @@ fi
 if [ -z "${BASHRC_SOURCED-}" ]; then
 	export PATH=$HPCSTAT_SSH_BINDIR:$PATH:$HOME/bin:$HOME/linwei/chn/software/scripts
 	export BASHRC_SOURCED=1
+	if [ "${HPCSTAT_SUBACCOUNT}" == "lyj" ]; then
+		export PATH=$HOME/wuyaping/lyj/bin:$PATH
+	fi
 fi
 
 [ -n "$CHN_LS_USE_COLOR" ] && alias ls="ls --color=auto"

devices/jykang.xmuhpc/.ssh/authorized_keys

@@ -8,6 +8,8 @@ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMRpyIU8ZuYTa0LvsVHmJZ1FA7Lbp4PObjkwo+UcpCP8
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGRZp8xp9hVO7e/6eflQsnFZj853IRVywc97cTevnWbg hjp@xmupc1
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGwUhEAFHjkbUfOf0ng8I80YbKisbSeY4lq/byinV7lh wm
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5bg5cayOLfnfUBJz8LeyaYfP41s9pIqUgXn6w9xtvR lly
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBoDGk9HYphkngx2Ix/vef2ZntdVNK1kbS9pY8+TzI41 yxf
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJi6O1Sf1BBV1dYyH1jcHiws+ntwVfV29+6Paq1CQaET hss
 
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCmJoiGO5YD3lbbIOJ99Al2xxm6QS9q+dTCTtlALjYI5f9ICGZJT8PEGlV9BBNCRQdgb3i2LBzQi90Tq1oG6/PcTV3Mto2TawLz5+2+ym29eIq1QIhVTLmZskK815FpawWqxY6+xpGU3vP1WjrFBbhGtl+CCaN+P2TWNkrR8FjG2144hdAlFfEEqfQC+TXbsyJCYoExuxGDJo8ae0JGbz9w1A1UbjnHwKnoxvirTFEbw9IHJIcTdUwuQKOrwydboCOqeaHt74+BnnCOZhpYqMDacrknHITN4GfFFzbs6FsE8NAwFk6yvkNXXzoe60iveNXtCIYuWjG517LQgHAC5BdaPgqzYNg+eqSul72e+jjRs+KDioNqvprw+TcBBO1lXZ2VQFyWyAdV2Foyaz3Wk5qYlOpX/9JLEp6H3cU0XCFR25FdXmjQ4oXN1QEe+2akV8MQ9cWhFhDcbY8Q1EiMWpBVC1xbt4FwE8VCTByZOZsQ0wPVe/vkjANOo+brS3tsR18= 00@xmuhpc
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxcIWDQxVyIRqCGR4uWtrh4tLc025+q6du2GVsox8IzmBFkjNY8Au5GIMP5BKRstxFdg3f/wam8krckUN9rv5+OHB9U8HGz77Xs0FktqRVNMaDPdptePZQJ9A9eW3kkFDfQnORJtiVcEWfUBS3pi0QFOHylnG27YyC/Vjx9tjvtJWKsQEVTFJbFHPdi+G7lHTpqIGx+/a2JN9O6uVujXXYvjSVXsd+CWB9VMZMvYCIz2Ecb6RqR3brj4FhRRl8zyCj+J4ACYFdGWL98fTab2uPHbpVeKrefFFA43JOD/4zwBx/uw7MAQAq0GunTV3FpBfIAQHWgftf2fSlbz20oPjCwdYn9ZuGJOBUroryex7AKZmnSYM3biLHcctQfZtxqVPEU3W/62MUsI/kZb9RcF24JRksMoS2XWTiv2HFf5ijQGLXXOjqiTlGncwiKf65DwkDBsSxzgbXk5Uo86viq6UITFXPx/RytU+SUiN4Wb7wcBTjt/+tyQd1uqc7+3DCDXk= 01@xmuhpc

devices/nas/default.nix

@@ -24,17 +24,6 @@ inputs:
               };
             };
           };
-          luks.manual =
-          {
-            enable = true;
-            devices =
-            {
-              "/dev/disk/by-uuid/a47f06e1-dc90-40a4-89ea-7c74226a5449".mapper = "root3";
-              "/dev/disk/by-uuid/b3408fb5-68de-405b-9587-5e6fbd459ea2".mapper = "root4";
-              "/dev/disk/by-uuid/a779198f-cce9-4c3d-a64a-9ec45f6f5495" = { mapper = "nix"; ssd = true; };
-            };
-            delayedMount = [ "/" "/nix" ];
-          };
           swap = [ "/nix/swap/swap" ];
           rollingRootfs.waitDevices = [ "/dev/mapper/root4" ];
         };
@@ -46,23 +35,14 @@ inputs:
       hardware = { cpus = [ "intel" ]; gpu.type = "intel"; };
       services =
       {
-        snapper.enable = true;
         sshd = {};
         xray.client = { enable = true; dnsmasq.hosts."git.nas.chn.moe" = "127.0.0.1"; };
-        smartd.enable = true;
         beesd.instances =
         {
           root = { device = "/"; hashTableSizeMB = 4096; threads = 4; };
           nix = { device = "/nix"; hashTableSizeMB = 128; };
         };
-        wireguard =
-        {
-          enable = true;
-          peers = [ "vps6" ];
-          publicKey = "xCYRbZEaGloMk7Awr00UR3JcDJy4AzVp4QvGNoyEgFY=";
-          wireguardIp = "192.168.83.4";
-        };
-        misskey.instances.misskey = {};
+        smartd = {};
       };
     };
   };

devices/nas/secrets.yaml

@@ -3,13 +3,7 @@ xray-client:
 acme:
     token: ENC[AES256_GCM,data:OrYgBRU1VPpkpDzYMFHINfPSHsXEKABdZOcgiAiBJKcreBoaSVHUvg==,iv:XIeZPJhzmUi5ZHKBCYN5UA9HWH1K+26SvcIWVrHAYDA=,tag:3F93syLBZjcHwnRRkUEjlw==,type:str]
 wireguard:
-    privateKey: ENC[AES256_GCM,data:VPlB4wSbWqSYw3rYRwfAMa39xrPcPZfz7sV2Cq3rmOhifnUPwggxnA+51do=,iv:utnyrB6Yfe5O94Oq4HDVFm/lQ9ZBoyvUT68r2G2PdwA=,tag:snm01vA+z2yKK8d2i5i2ig==,type:str]
-nginx:
-    maxmind-license: ENC[AES256_GCM,data:ezBawTyn+oPKKy6sQuj2BQXhnO4PTbxYWRpQR9URCxqD7bFlnmWU1Q==,iv:eD4yLDA209x6HFtDaqyj8kRxTImdyZCgOminHWb9vt4=,tag:mx+qPp4L9jHRvL90XH1RwA==,type:str]
-redis:
-    misskey-misskey: ENC[AES256_GCM,data:daHnurnqW0MI2uHd3gNT+ZczmytRdwBSsHGkCwNH9hJFMJW/U56HtjG5ivOQzYprWJ5uzgN98ivocbwzJEAGfg==,iv:aE9kvEErN06FNPPFQNchbmg/+SJCKT3QzCN/JTlZovk=,tag:iMo3MTssxKKT02zi8gCZPA==,type:str]
-postgresql:
-    misskey_misskey: ENC[AES256_GCM,data:QhsmKzYmAV0kGPhtRjTK7npt/Nop5JM9EFPpD8K6KfUJ48w+r+4vTORmERu7D2+fE3XDXxNZeSJg//bGxMmhfg==,iv:qkjkrqepjQ4kbwoaceQSzEP5TjLsiY7ih/ESj5RFpHw=,tag:UtZVW30xcsbGUjU2HjoUvw==,type:str]
+    privateKey: ENC[AES256_GCM,data:H+CDLqfMV5Kcd42LbrU1GpnyJYB1y0bSRBaRR9jNctmlReADRVuvA1y1zLM=,iv:SztfuX+Tm3bO82VfDOjjP2Bmv7IComa1poZfQ48YXVs=,tag:aA35tsgvZQDexSDgD4RjlQ==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -34,8 +28,8 @@ sops:
             by9Rd0U0bzNiK21BQTNxN1RuQ09DQVkKJmSlzV5ppEkZFljsS17ZWmoI++fz4tJh
             kTdoAStG1zsKASHyZTsmdm3RBDO3qV1KhQC2gC7d4EiwNZngxOOZJg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-10-05T02:43:05Z"
-    mac: ENC[AES256_GCM,data:NyXFwcVCCRfU+QSJVwov38SzRag1vhgfyQ0xtOheKtK/UaA+2Vqiqatp/lKWeri9ltpw5xWBYQnmE6aBHEkrj5RvoXeho3CUWiSqsB/3COn3FSfXGGJ2M642dnCtWqHfTrGNW7bhq/lBisODvtv+SAs108R5yYXhXWotUs/p+W0=,iv:Wsel2unj5X/dBCwt5sLzHmUIqm9c0uqzzpfnUkxq5cc=,tag:a5/I8GWuUOy4F4lOx9TH+w==,type:str]
+    lastmodified: "2025-01-19T03:04:43Z"
+    mac: ENC[AES256_GCM,data:ns1NlfKruRwlUv4u4J5i/lQmaEo0HVxEWZlauWBFO0AqXxdU9+X+MbufxkqqjbfSryJ3bqBSMdsVUNX87rZGoESWoLLiwLIRuRJTx7jtGppNiHN4LaP95TqliATWZAGZr/xUe2xNUrvgRqSgToT8ah6IxyZblTr1brnUMRTI+Gc=,iv:KbkkbkeJUrgNUmFbqCI2ifk0UDUfPJ80LTRTzaFRA9s=,tag:uKzMN2zURmBzWY4XUnOACg==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.9.0
+    version: 3.9.2

devices/one/default.nix

@@ -0,0 +1,37 @@
+inputs:
+{
+  config =
+  {
+    nixos =
+    {
+      model = { type = "desktop"; private = true; };
+      system =
+      {
+        fileSystems =
+        {
+          mount =
+          {
+            vfat."/dev/disk/by-partlabel/one-boot" = "/boot";
+            btrfs."/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
+          };
+          luks.auto."/dev/disk/by-partlabel/one-root" = { mapper = "root"; ssd = true; };
+          swap = [ "/nix/swap/swap" ];
+          resume = { device = "/dev/mapper/root"; offset = 4728064; };
+          rollingRootfs = {};
+        };
+        nixpkgs.march = "tigerlake";
+        # recent kernel make touchscreen not work
+        kernel.variant = "xanmod-lts";
+      };
+      hardware = { cpus = [ "intel" ]; gpu.type = "intel"; };
+      services =
+      {
+        xray.client.enable = true;
+        beesd.instances.root = { device = "/"; hashTableSizeMB = 512; };
+        sshd = {};
+      };
+      virtualization.kvmHost = { enable = true; gui = true; };
+      bugs = [ "xmunet" ];
+    };
+  };
+}

devices/one/secrets.yaml

@@ -0,0 +1,46 @@
+xray-client:
+    uuid: ENC[AES256_GCM,data:GmfSlDQjO4aBq3u50jnFjOR9VxamYHzokUrO9IpIGuBx0j8e,iv:++O2wBUCnHDPowRgtxPQJQePXP2Cda74WXQvlKHbHNw=,tag:XDWhiXwT718RgrBw7L5yzw==,type:str]
+acme:
+    token: ENC[AES256_GCM,data:+zy72VDj8hs1GH7E1U04WhiGq0xkIPGC8pHbAYR70OK5E6EOdkQwKA==,iv:oYNSrOH3pLhltYw2NX1d4s6jiUgMssWiIK//62i0ptQ=,tag:C5ekSVjmwSEphsTZ/DLcsg==,type:str]
+nginx:
+    maxmind-license: ENC[AES256_GCM,data:/x9HJWh4Kpp5xy4TfuC/bP4Z/gMOFgAalz91cewHj1/tPxFe5R/nQA==,iv:K696zu685ydzwFMKIrqz1GiYLMKGM1dLNDWdhH4U0L8=,tag:nFwqXc7RPIYcQxVIu6GWgw==,type:str]
+wireguard:
+    privateKey: ENC[AES256_GCM,data:NgA5rHB6GwqiNSx1mhxObywuiZWq5qpcNrlpk6HaD9hzQoL0j1IrrgMCqkU=,iv:ZZUlSJeQPN2/JxjhR08FdEZl3gCFuNpJ3M93C6JovHs=,tag:rCtWHOYCmgZKF1lRlIAReA==,type:str]
+github:
+    token: ENC[AES256_GCM,data:rGiseVhDBU+rNcz92QXHeqAQ4lC7l5dba8d7rGUIIoEcpBVGwGh/5w==,iv:lf4aMBAQxI140qJsMLqHpI3dKRw6HiV20cyn0WFWbT8=,tag:w1P9MrqgUAmPzVWkIFs1jg==,type:str]
+chn:
+    age: ENC[AES256_GCM,data:eI7ZtgOdcI0sWrD0MmbPEOnImVaacTrR/rDtZcUKSlUIMlpFga7HYOKUZbgMvqaxZK9YLuddB4setggrPvEx+rXpTU4fx0s5Ce4=,iv:5aYVpf5/nr/ssGAZDiSs4/5HP4aPDya0DZ8OfrhHowg=,tag:ImzDxw/1GB4/krCnNAxJ8Q==,type:str]
+    rsa: ENC[AES256_GCM,data:TirRkEaW0sTstTp3JoHz1KCTo3F1zozjsUUHVxJ9v+rmZRfH3DjwOKeGHsiKtJWo16yqHpQjcBmInWzgnFUZtM87lzW5YaKOPDwBwsbLtP9NxaFTU74kU05Y8E2Aireg1LlmLvu8sRHy/SwVHdML1AUZ4g9sLCLcb/eQcWQmawdsl7Y2xkPQlBfKiophu7dkEPw51vUoKvYzM47R9RI5cRFCNZtUfr4hOk23L7XoVL0Aejqd6pBoENCJ+nCXp4kUTYqrSPqHuQuuYwb0thsrd++g4vmSQQWCN/KkYAg8UPvAN3hMGF+4f0S5Zdr+g0Lb2KHQkpBofOlBZ3P1uTmm/2s9R6brqFrz38OGWK8ZouNZyDPC+FwJfMywm3GRf87rCzEjF0bAix3J779YDG31uaJJhTjRa4q/2Uvk8YXbebTZEuQ5dK1bav+730dOeGF7oa8oBVVQjB2KYzInuuVGdLoVMeaiRlpJpK4ZU3SnzjUheiq7fAdJcqM3QxgK2vIy4kL6LcniSm4J/b7IZjsbxAdkFRN0VZOgHQiO+IICbbhNftSXCCFgFvG3Yl5dzCtqUGYoYEpZwMwJQZJuFJqfCzRFb83jAAjGSN9OByGbu7flsaqRR1YjKNs6BgJOnyhbQ2YJrozOuzw8ZquuDURP+WmP4NnKOAZ6J06Imupkd3Q/pfYxSzSuNrfXYqSHeczDgb8IOc37rfPWGXLgEvDVuSYvYNf+jgSap0aGhHRJ65dvRsZE/GXVuRhTnpzF0vuoVJpifrzkgHehklUGPOLhvnzTwLryHvnO2VJpZ7hhlreeVGf6iZ7fDYJW91OvNX9b3WvtWV985n892jeFCW6/OHfNhv6VBjj/YeNMrZVy9JLwDe5DmxQBH9GIc5S1AGVuTzZBLsd9L+ZFonGfxbwpPtATFCvaftaTed55cXkZvj499rfu6KkGzCPP79tNQSyCRGPrq2pLGyAAMh40+8gkCgKmrw7ZrdhoUvBllKrAMGb8kd9FQ74OPD6vhb/IXMBc4+N1i5d+XiONOOKyVHpz8y/XS1rHnQO1sSN0Wkhgoc48m0zN/frmZzBw2xiYnG19rd5CHSRRbK50JgI4unMNiJKWNQjqnDxsKJu/WSOKeOFK7g5lcKl1D/XPYOeFUm0ZWmqhb9XrF0f045RHKNEMwkYbRJZaJcPQ36H7+99pYGjjZzY7KVUVlc+7ttQiUoOIkGKI8A06Q7fSXxBWA9x8Om9CdKPT3g/MnELl9Bg8kf7Pc+McWmGxdKzjhzEL1ElMTWfuM/a8hU7SMDjHtCHdxwngLn8+krt0HJ5SwEcDs0KUYEBRDwDpooDVNEUTHL8zEKE8zVl49lkN0NX/Wu0LvnQeJ0NjrFkF3eDpGyPbkXKgqzTMSaA45gK48UsCzKkMaqmTpCyfISyhMeEQm3danslHL01P20GoY/zWLsvOgO96p7X/j6nRv8RCHNH8pu2ve9d8V3Zu5DuHW6+ODOfaCihxkkSqD4jv5OFgISD6afLiBShVMcH8tKkEFph+Zd8COYmuUBZ5ez+BvXmMG1DsVs0/RNY9G8PG7GOoyWVU52JaJw3Awl56o47vDviBGjHi9bF5+5Je/il9csvcuokvyhsRxJ4vBwGJUNI0xtBK0/6wX2GTd10CisYw/fKOyGPgKyquGJlsODLV5JzmWY7GmI8MmVKYrPyVjPmegClnDdkxjknQGnGmEuyPLSTR03OmzR5YQ5e8Nl97mQWAr8kX/vxiQmCfufAZCJOfxoy5RRkDMuvVYlnpl5DtSPMUg+DXO9243gxqYSNCopbcAdkMH2ylkAAIzrmZym3E0EWFz98JLl9RkD1/jI80QUmZwsf3JU8pbtfV8yLs+xOrvZ0MQZc+uDvvDsi/2ZYQKfwWqmx64oK00vncyDHH9zhvwxauSfiqkA7K98ZgajrcEbU3nSfGPgdXxTlVpIufhK8k5QVM80DoMEvq+1i78ZsOd/zHFH90tyzZ1ploIY+mptGWMHJNpdBnXgy5KlUkmSuf5PUQ/xoD7UybxuamriO18IrjiQOE3pDhA1GTXz0iM+UOSceysEgNnINh+gRUbGX97YAoTS4pXGyzjYfoY8vMFmkD3DzTNClV2MSVtjuBR+dDwa58SvAAwyw55oQdILw+dogh/qGmL7MSvmssw3mxM7hsEfDu7Kea5FFVZJbgPh5VDZ/hHTWHU6gapgt1QvQQ4kNQuXJnNfooIaMWRg==,iv:9FUcJX6puazsRTBtKfuhvbY8jA5pdVHD4PfChtSX314=,tag:bxLTovW44jFhGkzGzwCHiQ==,type:str]
+    ed25519: ENC[AES256_GCM,data:KLBlDuxOdHnqmVU1KtDrd1r44VzuCYhQW8+7KDAXLD5XGKBP9ip41ZByuRxVUnhVtTP9LRlUt7qvEjPen4hn7HxH+Ic5tghN400JFKpnmxmnjZGbelIheAuRYU0t6BKFvTvcaKD5sNhpoYX9P29L+Yobt59Lo9dc96dF8xy6iWE4X+FPYBsxtheGOMDW/I0CLKF82pv+yy01EFDKLBLciPkweUcCf4642Xv/Lv1knCIhxnCGa5fD7XpqNbz/VfTiqgIDUScISIo5cXJQIp4Dho2SIaf3nMg8BQB5iNRDcyU45m01M36SaYKU7xBuJN7pRP+vtPySavtjbmqLbowFM9iQArpHCV+VT7cF6D35lPcn6hsZ9xEIP6XIpQU+cl6RrNmV+Rbxlzi/wGTYB6pWrfmrJaJpDPkYvyO9uy76yaljkbL03LgAsc7ittNkCEJ3xXznr9AHKH382JTHlQtMbKZPBUCAa8T7kJmu9gdfpj3yqJtvdHkOi+RIjls84l7X2OO3vhUzuRqx5FAboxKfDcPgifXV2t3d9wfMTlH8ziJGHiz8RKZJife6tdP2G7nKtSchjTyv9JqFQhTF,iv:C5KL23GV5Cs2vzHix8UNBcDSOvQgNvhewd96BMGpjj8=,tag:0zwTPg+AJyb/pCKV0zEQqA==,type:str]
+    ed25519_sk: ENC[AES256_GCM,data:v8pEsJ2p9cBr+wFIvcVwtHMVfuYUtFOtjbr/SuusDfAzlJJNQ6jIQxrynFwiPGf+zKRKgOmQ55XdlTHnCMztK0stDzPSs15IzgIXf1xTKNsEZVh077VM4a+DAnQMWJVjslcf/ljU0Ec5yoEGuerO03Q7Ud3ffCdObdWCwYYN++QEJ63eKSQhzMZ1LFH0YLizhvIEeqe/NYsYncA+js8uL92/97e7W1Ui2iGwC1kB4gDe0QijmaVKv4yThaw2SlcHiBuKlenkuXZu1h26Z23oa3d/GpEscuNjgY6EKFBHwg9bZIDDH2V+Gt0sWe7lWfAUR6g9DlvXZQ5J2PR+eMaQmKIYKQJRfIogAzA4sh25ecazPDgU5MtJX8W2QO4yDDvbM6TclCFPjnqSPZFpqPu5Dmess2dKMFxq8F+BEJ9typonLcX2YsFizeIZ+y4cbmyINTV3WlMd/hVCOTIadmsTshEIwquKMkKpsxzlu0DRNt1IIj9InqcQmUDfXDJlOYQlE0YPjZnUZmHEq+s+yIhkR21a1dtJ7f5T7YU5de12OiTjn3ekMhw6fSncGIWobwLvezXplLJ0+JM=,iv:QSO+YZLxSwQ69K20+qp5J7R70C6yqZ76LjhXkbfnM98=,tag:TKGQeFJdkBGmj7KO37XOjA==,type:str]
+    rsa.ppk: ENC[AES256_GCM,data:XBM/HD3mv2BD3Dp1LP0i+mSSSyUBrA38RzAQIIQlraFhID9oZBUTzqdSqXDeLtS1p6y2xAOxBVkH/D4WR1kOpXgw3LgNuvb1YFvZkYjCf5QgH9sxMSjiaXRdRHSAuF1b3MpGkgH7gmZRFTc5WkKvia7qzJgwGF0qNwS5j+lB1g0U0oXR6vguqb0gYcA2dKH2tpj/CqGJVAzkZCd1BxQygTpewcb2cbnVG+lb1kixD/r3q2PBoviS56BRCHbwoLhHLSn/y6XOnWqcaBgpBzwE7aZqTWa1QnRtv0OtUkGilrB+SBcXvMDNc0Xts2hhsHuc1DCB4CsAaEY37SEHKJhdZEVHoAZ9dJzScMntcRTES4AjhHXoBUpNy6wvTTLwdw58dXLkxfMdVl4LZ9Lcoc+mFfgPrNpvkvYVh8X0HiDC1FLgoEU8IQXPPW1HJCTGRbPAMRwXXtwxpmDN0byEnLH81JfxvSxnNZkvLu9qRyWC+IRknUALh3KkqzalzpuA3btDkyGBFDSX5phITtTmm0R1eSJg0R/BbFAogHz6NA/2KPoz9TtNH0nkQfDqiYfYub2J+8w9QsAr1k+0Wew9DeAF9eLaNTJSUeDlvz/Rq/DJLyUfOGIpCiY4cecJ5nbHPvdIia7qM3NBeGE0ImQspjjXaZH9WSaUZ/sjJu26LRNj7qJP9DWv8VfxkJ4BuRuYqP0qlWYFd36b38EQbgTiPoDHZoiIXG+1/cfqTf00bKskMl/gmEdoyoa2OZRO9K78iZLu7JFmqL7MoEaOUiLbNHymp7U6QgBdvbqeZxYmcIiMfvWK9Pudxrt5ts6rUDeZgJ02IdZy3BpDIjFBu8OXBHf5U4f+EIjuWDI39S8FOFy7Nv/XVcz9LIqPfR5j1hO+5Gdgqmx30xiccJRM2QZUxh5vC4m9wIFyg0HRrXYF/m7FRiTt3m5VXut4jWMyUbxSNaZMHlq8Lof+Wb/nbEv4HiQxywKCmDQ2YWotJita1fRgXNFCiV+BaEO3MTozUF+aGugBT7YvnufheVrAEVtxRnzD84kTsfvg1uDybvxGOJsj41HfDNOyEkHpsagCj8dcaqtIOPmg42oGEeoGO8sLeVQieVA/OzwDoBk+fC0gwa76t99VANrqdg+rVmHI5rF532j0jXJR9Nr59mZF9yzj0ECHOyRHEj7OkBRFKS9hLshifGJ6GvSNjEm59ohrf4S3ZIfkLx0fZUjmIovXDc6nxaazTd2ww5ZH1P+pkPtFLaGTqvlEKEQJ1zekzBYKH+gze6WP/LK6q/8RianwKB/5kuMbRkk3dsUF7fh017ir2DA7+nedU3Kk7d7/mM01eQHNcIED/BprFGQenuCUl64rn6V7XTdAKWlhusF5fQruU2bXdjO1ojGh8topWyz8Wp7TxN7cRSlU7SLLnXcLuNP2DfrfwDEAL8HNn4K4LJLJAB0gZiPi5Hz9nT1J54mWdifDgaeHbijsWmqrDZwpE/D6hYpXTMU8YWOM0RRf/5ECRCCmh0C+BZvx1CKncsd6BBAa3uMoB4hXMGtMSSpT5ZkDhcoU5h2XNoBSjRLmmbDYraUk9VqByRanZ9zpRGpvb5SFF0OFzuELl3bDxlw0NjYEKSh1lMWSSpVaTDm1XdNcpajXqFmBTN8x2oP77tnLlPPrFbcoXdn6k3jmvTzYpBk0FRv582ZYaHhH0iXkrp8/R4GtWA5VjqfZ7pGSZSBIu4OjzjdxXvee0ZK5Z1kR7MfR4G0S0BGgYbTPdoy5exm6Xfwy3qzKlfKI0vni8ttjbiACq+/ImMPUmvCSgtqnGTUejF4rEDrvJLZHrybQQ83X7/QoXrt9MzJB5gR7xCr80FdsEgT7ZnPd+arZJRJfryYHaMsZ83FTikc+eM62gRm1Hj5TdCUtHgmgwQraH3+GGgIWRQVZRxZoPf1RlAYRH+9i1+BiqdLxqdBECA==,iv:vaQNKRMYwXIFl+8Q1IKgpEHGd+pAAGzn27sLNlqS5sk=,tag:DQrSrQ06amQRcFhHJvy9xw==,type:str]
+    xmuhk: ENC[AES256_GCM,data:7Si22B70Q/tM8iiUwhNKeMvCOXcDeRQRJsLNfmi+IxTRL1Xgj7nCYRihRoqk/kNqGlW7EiLGp/D30tbnd4V0TOOd25je4bVF3DFKOkvD8x9iJX5GwT5KA0Kc0uVOLawYT55OxxsdsjDvYUENSobdqgHNw+uBQM3cXc1mkKSarzhq+ZaRJpuPPFApORCL96sLFBTYyChgQDPSKz8zU2YMjurC5gQAgZVMXHw5WJdrd2m9fl/asUJlbJprISqJ61zKALYC/fYosAPZVvQfVnzp3gmhJuZQrhoLsGELSFFc8t4/urlIjGhi7BM8sAT+6ZYxGSKGcgqP3K6cavzLr8eIvuG3nnZxZJzelS3LscVtjLI5Ddv6Luyjn59Pc+NLDHTEbAM9aIRsL4TPLtW1ebqqCk+rkqxvP0zhLKnA25DKKYjOGlAydbCbxcCX8/l0gjtiu6MJkaw2mC1Ppw9OrO5f+GQRiUFIsmFTAMViiQ44gZxCVPCPa08hxgmkwRp/PvdH0+nzxK6IuBWZIZV/M712LGPT9lrhaEDT0PSyGwcHMWcVu+ziZHGbG+vbeSk3pyv5Ou+uvG1DUxAh/7cp9YLL5U90UkI3WSBsge2bBtURQLnQIrGyQO9xk+3heXzcfxYl3kL2ARA7BIvyXrwpd/77WmRPhdL8YCax1z2+cK7kP4HWOhhpXNcIPRN5qwuPVRJCBcSBacahJO6PLpbEJ0nXM5D5XY0s9COkWfIPyUNA0b78LHB5pGMP+rRF6w7OYNbniNM3zHZnNyw3DyMT+V8PBfcmj8p3KF0rgdD0USvm4C4B1zvKVFK2P3ZMw0K/L78Xp4bTx1q1eA9qiqe0SPPc1BvgyRksS49VYtL47bA380MOmvgj+xwW+qTEozBW1HxaCJuqJBLxIX8i7LXSkSSGL64QOj+j2Eulbc6Sgg1g82XKpQZivkq/yGR77zODEshlaVUWkzSFSVOFF3aQGK28jl1U3HZpfPCCx7uaXZoaNTwwR9dsZh+t5YJJb1oKRlzgIWo7DB8CJufxX64uSFT2prY3sITfAuH12C4TrmjwP7tt0ZbTVgtvych1MGa1PY2225Bs1BgxLRVSSn6MRYz68NiE8xahRqwkK1306+r1jPjuEIjBdkoG46MR/eo/OF2n1xXkyLkwQAFlsk0+CGuGFzAj+f/++s85N8/ctPINJXGt31uEooD8fcBNnDGBSc4YQYtpVWCviJaaE/fRXzldfKB73V4Tidyg60fDJCNfJI8r/Ic3YFBGiQGTH6beitg72mQuLp5vlrxBhCqGYsEZkW5x/wcoJoEot5rirQKq3trIrL2nTF12AYQbNPjbJBavnpPds2UctkiUM+JP3CIiolAvqLMML79fRNeCsvUtDqbHTGU53/qbx3NlkIIqF4JHbK8Ckr9WHnTGAugbMgiNKQ3PKlSdV+vG1clb3fbHgMWRbv4xZq2KdJq7iibGUEBvO5rqr9YngqdOxhsQmyAh1ibkIbtJh3TcXkNUcw2h/tAalxV1xmbT0Glp42GU0pgUr0aGkjepoCH8jYkmmft4l9qy8t8Gi4EdAe3ImdTqKxwpp1CG+hoR2Laqp7z7UpXkILYfZxHwQa7NZSok2WZXEHeZJbCciREqZAUOW7EtdZGG619XJ0YTWxeZl6/+1oOA6TUb/r1HnSGo+xfNhzUeQcDsyf4SWpr2X6IUP+qUnOciCsSFRklJgj/JCteIK8GKIij34ODehPKZB0BZC1fqx3mZbqbTN2RA3adJV4asKam6kAtExqhuVyv8Mn2LTSMKwMkCi8DLPtvFSqpicffSUkkAs/X6HNSVrUTpA4sjkqLz3aoRLAMrijMYz19dvgb4MM8vv0zYaip2RYxkLnl0VrBrrIaNWiHRsiCR7pTPJaE+0k7QRWh3Hk9yX3UADTMOy7SIrqGlz1uihPodz9DeWGZ7ddMXeabWrRIh+In2Hyvs0HdhlEWgYyIefVIWZpCWVheDNCPb40RcEKB7WVDrbXrn3zWqM4DFCeemvd705OTzF5LUQ0Ql8prYKw2N30fC4l2OT3LWr0fhdsgsLBfKojoVSxFPG0WLxfS2Hhu4Qb94nSJlvjFtsiNAcTooXZKd64+WeJTdfDEE7Z7VoGgU2c6LsIUpWjY69KZy9BscY2hZUZFBgM/4iznyOvtyiWYJP1cUy3pDg4aAcoF8xTB5oqpCjI97jxAOYIKWIJj7aOoy9dpoT8BWu0fS0GobBSZAyZ37rGIomPni2jQUmaBPSvmRTQhyq2qHpgTIUYzphpZ5pva9jQbYp8ejR+sUMVf/EKVUzFTG/YhjAzIfTjZePnoxw10JkFS+n0Nq5Qqz1aMK/ie7sHg2DON4z4sJZ9z6jR8KOKOVfBlrwOFYQ2ViG4ut3EHDBIu7qWpSrtWza4cnGnADhPTLh3wjqFTD/j0wRkR9Bs9fzSShuoG8Kgm6zlBUX2bVwb0SLSqFNRSyReXjPq2gjma8iJPT6o+aSWpIfsYf1FsQsG6rJFaw5JxSz2oyi8TSIYStJInjjNDgw4sk4/Xk99pwEnHe+sOUNNhu6BPPm3KpAKIKm6HNwZJK836qvqAqwtL/d5QJYwpc8EBuxpCvijJe4nBR4HZnFJfDH+llhn/tDe+GOVLs6OHtdU/N5UbpBu7k2O4mq1kQhc1uRU+H9l6KxPQ0vjnAvRhUjcqVTtJzzpnZ1wfFDWlRqwoCshT5Ohc3PhS204au3OUZWtbXEcWSG5Lh9Gs5W6Rw5mPplFFYZVisoGvv/KnoSpm6opYjoMSBobNWgi7Zu9IgtrjZ63ddmJs22zvE6UjaUpHOF91QOOwlNCVdwJ7SQXv6gEL5mXC4GdgUW7oDyprHysSbL2ec6KxsP+qXgPa/S9KYo5uriJ1MQxRDbhjQjkjq0augD7zgiX95aUDvTjG8GP8JNs1U1QMi1Xg1TSLyE45kbRIZ5WWuT5iJOS+SHr66Qpvg05ymHwX/Mt7aHLe27XXOSGmZoQPcr/6rF851No+o9qSdaeVAK4lvrcmE6KeQWsQ3pW6TytE6qdGWgW3f/SuPTKVIgNk8aPWH6lbTZc4RbZpwlxpMeFP98xcwfkV0dzmTVax3UAUdVCH/LH+LLT/tgTiHh9H29rI/nvvOP6+lSj3O6xUvArl9wFLo7txQtFc/BAmeUicVdHCF78Fv7E3hlGkL1PhURuf7DO4m8pTkA9NKN7cZUUGVF9DI4PVmGJSmvF36ees63CqDSb4ZTnRdcPt/chXLmIamFlugG046eKPKsQ17dk05UZqQ2Mw8A9V7jMeJIiE27ZnjB4mnn3aO4g8mGyuUDysWlRxTbBlW57whOXEFMdczp1Hvsn37+3GJgduYifrC4iI3PwrBM7ZClL8t6z5QecRLnRsRZDdLhpB2nePP4VU/JSYYy/Rq/vqoM/MfFLeJr+YMijAKO49Jdd4RSDDStrnbBq6snW9cyPlgUko44w==,iv:/FD0wfUdv26ZDkSneTnAkHoei6+I/YgyNrOfsDTP2Fs=,tag:rKPUUlSmCrD9iEKhZR0+GQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsOUJWMm5xT040cEoxQit5
+            ZnhhQWVyWjlnejhzQlEvVVg3ZGVJb05iL1hjCnF5bzFTUTZFYkNQR0k5U0xmOW1t
+            TXhsRHFIeVBBSXc1UURON2M4MDlTMEUKLS0tIGdSbTdZdmdjY0dmNjkrRjd0VkhK
+            eWV6SDJqT1B2MEp1MURkV0E4S3Z0Zm8KX9lEjG4u2QRe1zH+13rbedCWl1B7vvl8
+            2iMHj1qQ4JkCeq83llEH5IuDXKYnKKXSi8l3nU/l6Aw6yx/KHDFK/g==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1m7nrxfw22wvp7pj8y9pdl745w95x89uu8dzl9ppsaazweqf2lqms5yshsp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2K3VKTVJqMTl2cWxUZHhM
+            OVg5ZjN0VGNpVXQ5M1FKZHloZ0ZnWTZ2ZWowCjJIYTlhRU8wd1JienlUTHIwWXYw
+            eFY1d2MxeStBd013VmszbTUzTkF6U2cKLS0tIDdDNXp4OTdQRjN0MGdIOS9oSldU
+            ZW5PT3VYZWhDMkZUeHViZE41eUhna2sKc8J8mJ8ge9KMb5p6Xi/vRIIXZMEj6Ih+
+            LjLKsgDfMbqNqKaQXSvC3tbvI/dDoiStyCsf4rkTY9QOkyEI80MtXg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-12-12T06:44:16Z"
+    mac: ENC[AES256_GCM,data:/uuP0StTdBz+Z2FddjGDP7i5lZhT0z4vCd22twm6lzp4WkpSklX+YMPRddqvwT/zsJpJIFf1+vK9VtPZBW721SB7AZx4oC1f42adFHjBtSXO3QJPI8cfUx6wdvcjwN3ySXYIcf/qi34ePmFm9amr4xU9jzN1OaZhKUt5Y7kq2LY=,iv:RJUr4u5UKJh9X0xh1lvdE6HWKxnaxKoDi95V3Pj80f8=,tag:D71HJ8LgJrGIu31WV8KaCg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.1

devices/pc/default.nix

@@ -4,7 +4,7 @@ inputs:
   {
     nixos =
     {
-      model.type = "desktop";
+      model = { type = "desktop"; private = true; };
       system =
       {
         fileSystems =
@@ -25,40 +25,36 @@ inputs:
           rollingRootfs = {};
         };
         grub.windowsEntries."08D3-10DE" = "Windows";
-        nix =
-        {
-          marches =
-          [
-            "znver2" "znver3" "znver4"
-            # FXSR SAHF XSAVE
-            "sandybridge"
-            # FXSR PREFETCHW RDRND SAHF
-            "silvermont"
-            # FXSR HLE LZCNT PREFETCHW RDRND SAHF XSAVE
-            "broadwell"
-            # FXSR HLE LZCNT PREFETCHW RDRND SAHF SGX XSAVE
-            "skylake" "cascadelake"
-            # AVX-VNNI CLDEMOTE GFNI-SSE HRESET KL LZCNT MOVDIR64B MOVDIRI PCONFIG PREFETCHW PTWRITE RDRND
-            # SERIALIZE SGX WAITPKG WIDEKL XSAVE XSAVEOPT
-            "alderlake"
-          ];
-          githubToken.enable = true;
-        };
-        nixpkgs =
-          { march = "znver4"; cuda = { enable = true; capabilities = [ "8.9" ]; forwardCompat = false; }; };
+        nix.marches =
+        [
+          "znver2" "znver3" "znver4"
+          # FXSR SAHF XSAVE
+          "sandybridge"
+          # FXSR PREFETCHW RDRND SAHF
+          "silvermont"
+          # FXSR HLE LZCNT PREFETCHW RDRND SAHF XSAVE
+          "broadwell"
+          # FXSR HLE LZCNT PREFETCHW RDRND SAHF SGX XSAVE
+          "skylake" "cascadelake"
+          # SAHF FXSR XSAVE RDRND LZCNT HLE PREFETCHW SGX MOVDIRI MOVDIR64B AVX512VP2INTERSECT KEYLOCKER
+          "tigerlake"
+          # AVX-VNNI CLDEMOTE GFNI-SSE HRESET KL LZCNT MOVDIR64B MOVDIRI PCONFIG PREFETCHW PTWRITE RDRND
+          # SERIALIZE SGX WAITPKG WIDEKL XSAVE XSAVEOPT
+          "alderlake"
+        ];
+        nixpkgs = { march = "znver4"; cuda.capabilities = [ "8.9" ]; };
         kernel =
         {
-          variant = "cachyos";
+          # TODO: switch to cachyos-lts
+          variant = "xanmod-latest";
           patches = [ "hibernate-progress" ];
-          modules.modprobeConfig =
-            [ "options iwlwifi power_save=0" "options iwlmvm power_scheme=1" "options iwlwifi uapsd_disable=1" ];
         };
         sysctl.laptop-mode = 5;
       };
       hardware =
       {
         cpus = [ "amd" ];
-        gpu = { type = "nvidia"; nvidia = { dynamicBoost = true; driver = "latest"; }; };
+        gpu = { type = "nvidia"; nvidia = { dynamicBoost = true; driver = "beta"; }; };
         legion = {};
       };
       virtualization =
@@ -68,7 +64,6 @@ inputs:
       };
       services =
       {
-        snapper.enable = true;
         samba =
         {
           enable = true;
@@ -92,10 +87,7 @@ inputs:
               [ "mirism.one" "beta.mirism.one" "ng01.mirism.one" "initrd.vps6.chn.moe" ])
             ++ (builtins.map
               (name: { inherit name; value = "0.0.0.0"; })
-              [
-                "log-upload.mihoyo.com" "uspider.yuanshen.com" "ys-log-upload.mihoyo.com"
-                "dispatchcnglobal.yuanshen.com"
-              ])
+              [ "log-upload.mihoyo.com" "uspider.yuanshen.com" "ys-log-upload.mihoyo.com" ])
             ++ [{ name = "4006024680.com"; value = "192.168.199.1"; }]
           );
         };
@@ -105,19 +97,15 @@ inputs:
           enable = true;
           serverName = "frp.chn.moe";
           user = "pc";
-          stcpVisitor."yy.vnc".localPort = 6187;
+          stcpVisitor =
+          {
+            "yy.vnc".localPort = 6187;
+            "temp.ssh".localPort = 6188;
+          };
         };
         nix-serve = { enable = true; hostname = "nix-store.chn.moe"; };
-        smartd.enable = true;
         misskey.instances.misskey.hostname = "xn--qbtm095lrg0bfka60z.chn.moe";
         beesd.instances.root = { device = "/"; hashTableSizeMB = 4096; threads = 4; };
-        wireguard =
-        {
-          enable = true;
-          peers = [ "vps6" ];
-          publicKey = "l1gFSDCeBxyf/BipXNvoEvVvLqPgdil84nmr5q6+EEw=";
-          wireguardIp = "192.168.83.3";
-        };
         gamemode = { enable = true; drmDevice = 0; };
         slurm =
         {
@@ -127,40 +115,47 @@ inputs:
           {
             name = "pc"; address = "127.0.0.1";
             cpu = { cores = 16; threads = 2; };
-            memoryMB = 90112;
+            memoryMB = 80 * 1024;
             gpus."4060" = 1;
           };
           partitions.localhost = [ "pc" ];
-          tui = { cpuMpiThreads = 4; cpuOpenmpThreads = 4; gpus = [ "4060" ]; };
+          tui = { cpuQueues = [{ mpiThreads = 4; openmpThreads = 4; }]; gpuIds = [ "4060" ]; };
         };
         ollama = {};
         docker = {};
         ananicy = {};
         keyd = {};
       };
-      bugs = [ "xmunet" "backlight" "amdpstate" ];
+      bugs = [ "xmunet" "backlight" "amdpstate" "iwlwifi" ];
+      packages = { android-studio = {}; mathematica = {}; };
     };
-    boot =
+    boot.loader.grub =
     {
-      kernelParams = [ "acpi_osi=!" ''acpi_osi="Windows 2015"'' ];
-      loader.grub =
+      extraFiles =
       {
-        extraFiles =
-        {
-          "DisplayEngine.efi" = ./bios/DisplayEngine.efi;
-          "SetupBrowser.efi" = ./bios/SetupBrowser.efi;
-          "UiApp.efi" = ./bios/UiApp.efi;
-          "EFI/Boot/Bootx64.efi" = ./bios/Bootx64.efi;
-        };
-        extraEntries = 
-        ''
-          menuentry 'Advanced UEFI Firmware Settings' {
-            insmod fat
-            insmod chain
-            chainloader @bootRoot@/EFI/Boot/Bootx64.efi
-          }
-        '';
+        "DisplayEngine.efi" = ./bios/DisplayEngine.efi;
+        "SetupBrowser.efi" = ./bios/SetupBrowser.efi;
+        "UiApp.efi" = ./bios/UiApp.efi;
+        "EFI/Boot/Bootx64.efi" = ./bios/Bootx64.efi;
+        "nixos.iso" = inputs.topInputs.self.src.iso;
       };
+      extraEntries = 
+      ''
+        menuentry 'Advanced UEFI Firmware Settings' {
+          insmod fat
+          insmod chain
+          chainloader @bootRoot@/EFI/Boot/Bootx64.efi
+        }
+        menuentry 'Live ISO' {
+          set iso_path=@bootRoot@/nixos.iso
+          export iso_path
+          search --set=root --file "$iso_path"
+          loopback loop "$iso_path"
+          root=(loop)
+          configfile /boot/grub/loopback.cfg
+          loopback --delete loop
+        }
+      '';
     };
     # 禁止鼠标等在睡眠时唤醒
     services.udev.extraRules = ''ACTION=="add", ATTR{power/wakeup}="disabled"'';
@@ -168,30 +163,5 @@ inputs:
     users.users.qemu-libvirtd.extraGroups = [ "disk" ];
     networking.extraHosts = "74.211.99.69 mirism.one beta.mirism.one ng01.mirism.one";
     services.colord.enable = true;
-    environment.persistence."/nix/archive" =
-    {
-      hideMounts = true;
-      users.chn.directories = builtins.map
-        (dir: { directory = "repo/${dir}"; user = "chn"; group = "chn"; mode = "0755"; })
-        [ "BPD-paper" "kurumi-asmr" "BPD-paper-old" "SiC-20240705" ];
-    };
-    specialisation =
-    {
-      hybrid.configuration =
-      {
-        nixos =
-        {
-          hardware.gpu =
-            { type = inputs.lib.mkForce "amd+nvidia"; nvidia.prime.busId = { amd = "6:0:0"; nvidia = "1:0:0"; }; };
-          services.gamemode.drmDevice = inputs.lib.mkForce 1;
-        };
-        system.nixos.tags = [ "hybrid" ];
-      };
-      xanmod.configuration =
-      {
-        nixos.system.kernel.variant = inputs.lib.mkForce "xanmod-latest";
-        system.nixos.tags = [ "xanmod" ];
-      };
-    };
   };
 }

devices/pc/secrets/default.yaml

@@ -6,6 +6,7 @@ frp:
     token: ENC[AES256_GCM,data:0mE8/cWqHKNquCIiqgbjcNhipKk7KEfbZ+qRYbu+iZr7AH9QjfYZQiMJNp4Aa3JWwBLYAnpf,iv:ID4cc8Tn0H9b1CimXlPamMlhlAkafhRApDHo/CCQ4BE=,tag:BUuU/BCj16R7FlKlpubawA==,type:str]
     stcp:
         yy.vnc: ENC[AES256_GCM,data:IsZWkNGYHrbQcgvOSURDnA==,iv:4XO8RFBdNopLKYxCACmkXLMPu0wIVx64y0C7m2bsTVA=,tag:fMHzU9aQm0bRr8pTKwpuHQ==,type:str]
+        temp.ssh: ENC[AES256_GCM,data:XG9WpTR8Bw==,iv:XiMTPN8Gx1nNssf4r+VXTvUATiUNsOYJ2jeHjhDSyTs=,tag:JS3NlA4cs/6IA19PJYrStg==,type:str]
 store:
     signingKey: ENC[AES256_GCM,data:TsB1nA0Rf2AsYyH59WpUK53pTCX2JdrGQjkJ9A9BfWLLmw3EMnPoaLHG12rv1R2/xRU7rP+iVhXb77g60I/Kn4ehun3ogMmK1oEAKyQcxudBUJFk+SeijaQLr2A=,iv:e2rdGBVOPS1nyC3pXhs5r0WyEkqxcpCnX3eAcBCj93M=,tag:HwccjH2Wms5/TevU2IuzNw==,type:str]
 nginx:
@@ -22,10 +23,23 @@ nix:
     remote: ENC[AES256_GCM,data:uosYkxTCB0wiY+Uufk//OcBZFN3EzbZoQGZ95M9eZMjQ5AobAZqosi4laE+EMcZL1CqYqlWXaSoEUOB8biUaZPseo+1AX1TlmUgZ7QpkfOX0VKZu01C6C+lVyqVqMFq6z1BFyX/oeITMIfnd4a/2KwJCHLAZ4hMkJ5p+aJwByKGa3N/2m41HH/1S3z7pYQWj7YJxunTPPG6WNSiRncQki11rvmddwnXmsBF89+jW1Phge8U295haC57T5oIGPxR645IeTK4ZUlL8eVuZ+BhsnwbkYcaxvjSwe+DOIVPupR8GW+gis7KxwE89kqvnQhinamexcPUz4lGHlqO/Xn6jrJx6T/wXF+19epAzeHapYte3dTWNsdPwPLPJihT16YT5fwrLnH3zq8kexWz1crmnCGUoaBs4S2tHWHLgv2lTv0IHLx5F6ijpDBj/Avg9YILIURzdeea+rBxdycHasUDTVlJtYKRH5J+WbAKWI+oJ5qmXjIRUYL+O9xIUfOGO+1b3xs8MYxRWuvDV2P88N8vN,iv:yQQp5wjbSVn1oia5yL7d6GF9Vo704G0iOQRGMbzQHzg=,tag:bpBag5y5n+7ojOa8QOcDvA==,type:str]
 github:
     token: ENC[AES256_GCM,data:59z1zSofzUyv2Qfn8oS7dZplzJDtOD/zxhPm07MLbVLHt8mE57IGcw==,iv:nZ4JmIE1h496RN6BChvqo7XWHjur76jP4HMgqGBbMJQ=,tag:pUSGsofG7hvkvJxCRwkg1Q==,type:str]
-age: ENC[AES256_GCM,data:EPjip4/tz50e+blPko9NpzDamLRO6BVy64kDnGAhUJJ/bMw6V9Of8RzuiqUupIjEmFiUcgWf9ZsV5RZO3Ai9udq0W7mYS1Y/zn4=,iv:TBs/o6mp8t+S3Ma5/QhnLhzgl852HB3sEzKy9SvKJjU=,tag:2yMUVWPua2g0VOkaXpJzKQ==,type:str]
+chn:
+    age: ENC[AES256_GCM,data:bxmGYdxcF0OTe8LIVuBUEIs1014k4l/UoN+k90B85FOcTSzeVuSbjpFTRgNDj68MQiqoERGy8mFkKC6pbDFhnlXyns3AsxCnoZw=,iv:U93Lo5JAxJzIdTTuVtMhfirbMA3VSCtP/SoZikDWLyo=,tag:Ld0wZK06PNuvEeXu6PysZQ==,type:str]
+    rsa: ENC[AES256_GCM,data:asERfFj4Wx2dIJr9rnZ9i2fUxYnMY8RoIB/6mOOmeBE4yZPc1zMbhUX2aFftTgCsqH6ZC6qi15k1YWlRHrJqqyLyIGCukIbRwPMtlowU9Gr36YSok0NFrkQbUT9zjlns8NGqiHJAPKYhFed20hjN+IhgnDuFxtDEjA711b88z5prlm+NpKQ8Ohj6fKLWR+xEj/+KHWgF4K4WJMIZxu+jfRagHg6nwJBvWJDPZJQin/ZeCMqvH2XZkgujuUjXNfNhBhOENgaFtkW8/o6oZCySBctsCFXkgRK/7YbTO+Szzn3rJ878QGPMQJLqSONP62YlzCPO50B8Gsd9wBz1f6RKZrmXIElOdTNgTyPp1jL8zOWlSb14n0gVNoEi32JtkU5PNXYr86rHUX6zHbjdSimqqmhZl6tvBc/cKNQ9UoJ1syIe4xzN61je9Va6bJJt+WBipfn72z3KGAgR6yucKh7RX7Up7iiVTaxpq8BTsfUWvd/1Ar7jQb3YojOVRcX7CE4Iil7L8v2vj7pP8ecmo/ejggQiK9iGqWbeoQGh/j7ZhAYdx0ZY4lAk/HUc8z9yMfTxv64WQbCkHIeAnrstfHFXjzkX8zKYiKxvQr4mSCuHTusZFJ58hXOtSwFmE9tg1EESojoFP08kE+CuSCEjGCHT8V0snCFDMTEBZzGQzXpNfPNPILUEWpDSZj+ec+fM5jP1LEBErtg4JXeCqWD42SpR9wJxE2vs+D/Yt5a4OohbbzyxvWJLYAOuNflIguEIthdJEIN69fGmOBuxNU5witRXKx2rGbsdnIqzEloij5Utxy6uDrh3qqSHvqApd6+r+mAHZRtEUqRkvB1DOMNm/5iDEzOjrw0GEF2meHMRDGP8EEuEvXiaMevyPL3RIWuxxlVZBDlr0a8FwTmNlaGas4HHtLKsAH17wjolTJ6Uz3xFT2+WhsyvD7cARWETZSUd+9UBgylamsebDERhiDOo3t6VuHNuNwp5xwxtNVje3dmHRTzkI1WLaDxYbxPq7J2eGCpSYb4hKoexuWZCs7ian3UTBnvLig5w13eXJmhsbpSjt8p7hnEohL/f5v6PmxrH/+OKA1IE9PApJ3gaptaDeLOWa3uKtGxKJMSqsZprpb7D3kma+Zy1H2txvmKSmTGwT8wCQymWo90OF2NZCKtcXxAlj//cl7OBF0BbEqY3XMngZnpRiQX/VSzddvjwAjtnhf3VsE1V5vXk5j6ECExshjPqQ5kOuzUY62hiOT0V0X81uVRhdx6QVUDpWL3fumuipc+fEm/f9mwuhgv0mGvrpVyFF16GY5ne6W/N1HWEBBuBbJUtxjUEttZDAZxtKLyKjZtC6qJe9GoHaDtHBba1f7aloVDMU18tEyqO/EyPxDDUn55ToiGuk6lSQPy/las8V7YMCxDbBaVeRczCZRkEKbRPyI+hTN3yF+bw0HDDOJc8s1DO+h6xYauLhCS9V9f/QKgrXNWpJKm+JDGRO+ZAr/r/AARSE8nKvNOn7ML0VCWw8pWSHNL7iDcsngpk82W+b/a1maVN0ujub6mKyWhtJOkqxFFirKvFJLx78SRDYTVdiENE3YKgXYKB7r0RltjXACbAMCGcqXYudoDShopN0+oRu6mDAIpnrFOJykr7KaZZuu9DjxtxMRXu9OX0IuXnJ6kthHL8i6IQQNPj+Ky0Gfoh0I0+BbyTPigN2c+LJVe823VXgR9oVc/kpnjZF0BSCJQePR68MTKspwzE1NMvVF+ofRPkR3uXJs46w3eW1NIcds+AkmaonyUOa9Nlt/wRbGzZhboV86n2zn8qHEvZZjYX/oMfrVezuCsuyYSnyCzBrZMz+oHf4m/poa0K7wZWczatT9tVaUIFGgfwG6N/PutyKx/kbaJEIWefZgMqqwJNLDByP0IhFEJQk6yGr1kMJOBoD5qWI2WLObYUZ7mlOvtaa9iJAwdlQTEPjCB6mSL0kcXmR47DdDi/v1fiJ3dBmNskUwoNYPmdAowRe+pTj7fTsm4aDZJV533g4BWG2HgHmaEpAso78V6ScApgNiirqe5QuBxFnGrbPeNyiT72X0PFht5ovD9HbaHCYkt10lzlkW9i0whu2YPUtiVtecijS2AndST61YLVEXyj2NDlngFoCOGK10yCPqon7n5QPjv3unuvArTUD4lIjg28gn4fQmhwN53KqhLgYOQ3lRQLIWGbR1DT9pPQtYtDtFTv5SpiFTelUZcN7MIOD8jP3g==,iv:Hy9rTArntNBlYLShRbs7gWL5kcabBd30oH/Ib0vO2LI=,tag:GeibYKs+2b91rA6On6KrcA==,type:str]
+    ed25519: ENC[AES256_GCM,data:zHHSiY9cQ8odPTu9v0kiLQ80ssBrzTLkihVboYdhO04fnH1VakzKNISj1mUZIsixdHGPR1Fd1gBr1sSA8I5tES0QsOjqF777Wwjg8en5foIwgr0Ue5jMFlIdM4VkFZVNQBOV1z8rsc75nEpP+4XiQ57/ca6Nlaye0zIe+8uU+06YO9vfRVE5II67DRAN8aoUeGKW0uiBGIggkxzgPd2+pvQuC1QPbEWwCuNP18azSRqrZW0XnE65tJn4wQhoUQBQIIYWk81CMSBRn5VO0KIaYyVI7VY+Mi+XqgU2223tqaaivt1bDHfhMCsbqXtyWcT8kwZF5s4LyTdK8mKaREwHqen0jRSsaEV0Yfy4Wgq74fSm4oaqAeZLLj0O3/SEDjsWSwdRW2IU6WpT4b9Nh14dBi670Ke2tcwgF3Q4fh7+nPN6nAUPQPtzxPIVrW4FCbB9BV79A4IPLr/dItjC5wrMpw6ibhMe5WF0FAxA0Vuhz3Ob6lqWsai5f+XvrIgObCnyb05Ing40u522dMLYRJt+bP2Xx27cKrgKZTQdZnzSmXdEQGzFH0so4rgMyhNl4DEhr1b2FlnqPbTTLZul,iv:B7lfJnud2IYPtoMPny4jr6xVsLUyIiKC+Q7ztVHuqvs=,tag:ShnpzJBtG5B4xJkPJqATKQ==,type:str]
+    ed25519_sk: ENC[AES256_GCM,data:Zx271cuqIw+rj13VDR/JRY0vSWMwg+mXaxfpePol+vbCmV3LhSa61OSMy2iWIg05Lz3jwf9XE8lUWIAiajNgcLRg3k7ftwpbTCpyxoLE0U0l3DknbccaqM9riSyHX1UxXV0HYIsK5jb+vBjaDTvBqmCTmd91cG9Sn5Zo9GxdklebUeGLVmNe/9ldIaZU1XW8UHWvc2murzjF2HSkYDAMp6eKcnUPSo5u0QVrPVbo6g3iziw7Gwag0Xr/bVfoP7XZHrTobRcse8Sd+apRTinU1bHqcuHFaPwwfHsj/w9VRZJMCpwgg2V4DWyMTKZRjTohN6PUEqBmPc93Ep1DH/E7GmrGvAtBZ2yB9TLhjVoN+xH3ITbur2NtIIN9a3JPnEMoFtJgX4f1YQhUH9c3h6URDxdWtmBe78RxQCMk7OtHZ4UmhKxoUZUJoZuxvnccfQ0QcjtF3RN9rzP/ZPST3Cxvu2yUOPySl27Yp+eKjIOJ3rdorC9D3UhKbbb57O1/ABwPAiRfZjr45+wvgCGnZkOJZiXCiNoYeyw8UHMgvsICZuRM2HHPlh9GX577Np7QSwoFkYiEBFGJBO8=,iv:WWEwRDersTZYC3fEYLjWMtUtcyWXh9gLKyJVpaj73Vw=,tag:bqIFY6oaUMWIqMVfFwe4dw==,type:str]
+    rsa.ppk: ENC[AES256_GCM,data:wCFbvosUbnbikayf/h0Z7gelFGs4quD2WQlZJcBjp4MiXTGYVxj8oNr3y6aqkmpfyoKd2J/vNJeMFEzqXkGVyH4JyvQaiR8zoedFVSWqusD+sq0DuWDzMpdPmosTdM2frqo+w5MHJ87ybCJxynFH5xVC08jbTABFdkLPf+LULmxtipy0Np6UQuO50+XFyT12r1ZxPxj8eXGLg5z0sRSM+97EdJuoA4gpL2butioiIfDJ8RiudnyfhPzoh4V96zZsK8eQ+33HcFQYhKbaPtOcIswK6FkBUyaKCg2odCMFaRtzgFWIKqAuvcMVooEPz8epb0OPajn58rMCwjEfNK0jFaD0yKmdd9ExogDD0cJfp3jK+uuV/UpLUczkk10c2lbNHZ4DHCsNRPgll6DxcOx3zJbF/0ua2Wmbv1VV6JoT58Rzq/Ri8DeeIBuF9tlItFGJpRLnUN0MaHD/V6myggQuo9aAuI9p6VNSJ1aV5noPONi8efeG7kOGe09jQcOmmltHM915khZ7Veu/Oby9ZDCI0TErLzsQiO40Y4NW5B4Gd801CaDPKSxxCdsVgaEWiZU053KzH0qa+0YwXt+ffanRGrY4TtLsrJdEmiF0AnOaWYs/znPkWZXMTSLPTk6Be3yoTfxxq1ggT6AWF9p9/nlMPdhkfLUrOnAV6uQq3fStKFq3gTCyHxNZ5dx/XyrN96Kd3OTCgflJbD8lCqABSH9jZwfdh06HZ74pB15yNGFLvhOIhJwn5E0H+WW26MkFUnDSWHz1R0vIJEKnyy3lSPRweFM2MxAtEMOBOjqvlN0C32oCEoKknM6t/S3s4lwlMtUrqsAme4uYlUzPbEVPmzzMRpYhr+UM+MoG4nmovtRrIOL0ELunU6nsEaxxiHymCwGWJDyD/7W9lh93lV3dGP7X87IcfTt9rTUj6+YJS2pqkycZRtnPWkVDlzkS/I8MOL90jIEk0/YkTRWbB5GDcJ8a878mKW0/YPcpfC6MbRsYPo6eDz4KIGKxHDPezRfnOJC/gs72rIrEiC6h7bfW+XGye5VwvMtZefXFjCVyh+ZVco45UPertfLqT9Ewr1mfo5SfgaBJHSs58IuV2vXyfIJeIdO8BXS/YEUxcmWAI9PG1gOJz9lSHbyrm8RtnXZ+f8NJNOT2m7zyF1cYfscGaQ0gTTSP6+0uSTWsZOYuc8rObFP5OU/99yIkDXZv8gVG9YrlAjP1RtwXSlsbzj9EYlUUNQyKYoMnZDwTQL9qlqQVuP2ndL7QpRg8lusnFHZGivgyNWZ6bae3QWe2yTgD5BaXH00u4sktdZsPHAVa6p3XMppmoSuVX63FVsimJ5qzDJp+yRhIbUAPD8KwHYrGLkV/q6SBV8Der184m/MbACv3dCGf3RHzrx4LWWtrpaqntTTbUrQo/BJagY6Vyb22kmFs2gpBB6VJJc4Srq+6RbuQq7Oo2PNaHjbLxkhFIqTRX7Z1/m0nvbuLIN3HIqtxzBEAod0vDUAhEF+Vw92tSTJmirEM4pEDrQn7v1klp67f+40Hlxt5dTXiOZO9fXr0jTF7Or5pnRxSQ9FvlzPDcMuaaiDuBBzVQABZC9wBNCWzUIhAF/RGXqv4Xs1oIpLrWzeg7Vo2QVHRTXEZn1mxnX4LOVFAfkvV6U09NW8T35qU7QyTqzl06jHqAutEPTU4Se6w9FqMEDZ2lMUZ83iO1u6Yj859mFLFRIguhK+cIFzIUOfcwUFKEH5RV741zx1wN2UMac3jgQwzkV70gz6h1Kwbb5B02FZCEaW0222A7A7oSkzuYFD7qZNrQTlsdeqsrsjp9XC95TZBBw/mEE62xp4sLV9UTgKOGSyERigawFfoUAlE8XGrbMIaHUgKBJKTMXAe7Ljc3HIaHczwUJAnYDsu48Pan1KZpF4CsiBO6H2lDVXfKl8GuePd9QkVgi9GFqulA9rWypk4hg==,iv:/O35CB1rNDim/CKsot0sWMM+qEN96vqr9Z4fVG1A3Dg=,tag:pKbid3MCW2I5XouRNXSk8Q==,type:str]
+    xmuhk: ENC[AES256_GCM,data:z51um3KAQodAHZqeLAd53wRuQ+s/vFISxNKu0uZQSdUAtrL4BAj8LBJ743CV/HkrqpaCjClK0Vnn7yhFY3+NFq4fFCIAjVRWdvsfHARKbWEufJtNk5JVn5dLahPCMq0A0ZEZwghJ17opHOVMY4o/QiTyyAEeuD+4zSAh6ofko159WVtK4gDwexgg+bb74EtOxJPxnyV7jdZczH72aD1gwd29WhzSuMiCIAb7SiRhA+QEpvrzKLcT6C2ZPqrMoPbiXD4z/UTfOSEtOFZMfdUFPuExPCCVnHcqSbTlXRRWUMFX8rxFLyWaUjOB4+rvTVDYLGZCS+rtPlgfFEhGs5LGNLQvzvXTiftyfi2xMfg2uhm+0RLUPQQvajbU+akfQbUQVkGi3BklNEQquuxTzedUws7B6OU7WCpgpLCGcg2jyT6AtCF54k3VOVdu0eOjlja3dI3knMixUaHu8bZ+g0xwJCbiab2eaZiDqhoDnCxeuOXBZTdCF8OvGiD5rneDf0r0H8q/7d+jwOvW3d+Pw64ObDUUsa5gzfqOaHNH3ktaRB52dJfg3iBCwj96CNPTY3vEvmNKJ4ruGpP5x5AZ57SfprHeoqXHp7cBMjypgEG+NrJlAFyUdeaO39mHKn9V/jq3bX6SQkNrv8oFPAlbULNyZbOkwEE4g+34H4uV14sEXn3k36tdVb/vX+YfF/FDWjg7Y/kZhvDUOek6Kbd/ps2peavVK0War4RjnJ1GKSUZivj482GnJ6T9exuNnnHwBa+VmONr+OYcrcTTcKwQ8TGWjewA1GT5Dtyphlpk7MJvoUw/i+JCSNbfTZwIDb6J5s89yEd9ES6KfGFMb3KMRRSnM+ozLK85EvFeyHSxhl2XQJQwEz/S7Q6eTKlOQESSIxLDqifOnhKdN/xVdEpXpy51v/x5dqaOYKgYnI8gx1UpsMR5AJKkF5ft0n0yHjz1UQc6ZSDdaj7t5u2EoYB9/lLBjC338Rtq2UPAPhETHA4IPvp3Vg34Z5UO8L1L0Uo6c7cbrTpVAAmbCwzkKbfGsAh2Zhz0u8Y31rMO8W2kqveaaSt1P71EVA1eYaxUUtaq50dn6miWuIVPTbY8AJ9lZVXOlbOoNLrh/wP3Rp43RClVeiEnxLD/EgRp8Vw3P4E6rbVpnP2pZCetD+WyTlnGx8QoC1dpiosCMlcy/M8BNwvqgphgQZrZhu2OT7WqVt/ie4QcKBg+Fje2lwU6TGjGEwwsS/taCWBjMrOBWktI/ZOW4IqV4/FdzuvYDsfDfplIQeFSaFOwFCX3Q0PLNhtL3fRYeUsK76eTCAQxXB+LhE6wJpxznz1cAUqZG9/lYmqe19rIh1P1UWdlnCQI/35ar7dInH+/D38a6PbtcmunHfuqSdXqK7KF03CFQCTLjhmy9DHo+15mAhP8m/AjvGNNnF4X+POc+1hnNSML5ZNS52dRJ4zaHgPmiXWpcUdF4YNPb92IWelyOD1kmzylXl4NFGeVA4D0yVWaOANAzoYrgydoyeq2pOGYEwmVRmJPj2BnUWr3k/t47cyZthRzZZsIYNoTvBCSgy8l0t+YuKiIZh6goQFRR6lpo7aTpEDDRUcNoq0Vq6fyClbtEvl0KZbFwhQy+/3uIiaEYvhUDcDKqOqoHqd1HE8Vs2ETsBbIeTe1IL9J35a+WJuUgkl9iUUrMoRLr7apVsypGBQ8a9mUe/YA9S6UH/+lFVk4aXczYMG2/d1BSAJcvroDbka2NntHZeYI4700wlhmMK6TkOxQi7w3BcNv2N164wf7l3FgtRGpo7Md+ryJF7y/50cyljl1DX9NULM/9Qw291A18TL5ZKRvJjGhQgBJOo67IV8itKYoSxsitE7cudKBT6pqDGsFhvbBusEBP0VpPIRIziwH58SkiJ1M1WHpgmp9pnIjRhiw0Nl/j0SMEGtzjlfaZsKwk3uGjLHkC757WU5mIcCiuPPl87QDTqc6/PDcU4r6CVN10Ppx7OsViCg5sH5A0+/Zj67NJTrdNO5iawTozo4alnMMhfhl5xpuFO8oXviiy4mAez8AFIjaYoujhlPww03w7/u52iIbiHFiNyIzMoo0nqlHKJ9MfI9fmTsxpD+2zF8bnatDkdiDRg+Gn6H1pfHGH/XxT9yIqVlMpzSs3WXEjgTcYzLwYDDHTdnkbd4pAPBkX5vXfptRLWF8wNessEvfOhm6IGxjyXiNipbhWNjRzvs8WohB8c5dfpqnPWEz3GopA7a/vTFI7elDZ5VoJYclaoAQpESnEXNupT/DiZcOGvyk9kupmwgeoE7kWxMy9Wc2mg8Do4sxw4yV6pvqm94Ne8Bu0OEd7DkHDCxuJQfXLL387HoXWgn+on603FGEIaTSrkWUx4T7AxGjQgd5q3t8RsSXsWVACEodx0AcqzqS98f8qOmZ4Ivqq8W2UCqVmY/GYnemoxfRGRN+mW9znfYTO57ywQA9HLJ9V8XYX1AYdeaWu59WUcQ1oNzNB3ZB5QQ50AmHrkJj0Zn92fgL8olp5rGoOtjHqQCewJlBCQKoWVUzsUZMAM6GQrXxvf3ORytTXYUW+zXOiKxuyZHg4RZ5cs+Py9hvquEFE3D92UI/iwkNvOLW38eeVdR4U1/qKc1U1oFkgZuB5EC+NyXekYgyAaqWlS4K6x0Q77UvXcsKxSOghDbKoFUw0kxXlxI1+MhAUECKopvQoXsADw6Yy/3VgzpoFvaj9lFttwSb2IIScgaxxciOwRaQIbSh6joWbWQWtEowK9BUObRKJ3ED4jS4Te+Pp43dI38fZ/+Ng3y4nYj/jdAqRhTE7jhSzdK8LYGcUrxOodTa28q3pHBvJJiBgQDEnEoJUKl7PJcggUdPbAhi5ywy28SxZ3i1qTeMu8TVjMwdkjQ/1hCeqWGX1PldSqw1cOTub71zkrj1m0rLY/noaWCOwjjaorz87UjcV1+k2NH2oZ1o4EXgybBrAlahAxD3AFKumkvViTe/lprYpbaecse6393K/9SpD0+Qb+WbDgq/eZ0FwsdFblAG4xLZUOpwwqCa3F44n9el+Cuzpxzaap7HUjyFxwSz2MsLGAC1e4tX9GD9e+g4f7XozPSxgMunNAuFsIbD680Y7q/cgpIGCba6oIWlpe6TJQD7EOh4/nAw4FTWuljUHp/1ZROpnLRG5oEOxIm8Wi8GmoRyhNMCnvZEo7LPfNJP4cJmiWFmtIhHRFzefr2o6roWM5mhZsZkxuMK5rFQU39TNo3bj03CT0OlrIqeEMFVxj1wjaPo/4eBcHC4hJKeUzdSp1cNlW+u0l+C1SpMsfhQvDGaD254i0LwDaYSSAJymG3B72UfqlsCOT9GEH9FUj3lNskX2FR3NXvT9et15X57LHjXOSmYjn9EuQcYRv2/476WjQqX/d2v57vGqfRQxWmFdMBTo5747pDo6eaXCxbql8jzgFncGxMqcp+R7k4j8T0Fl4kuSbYpQo2wunJp7iACAQ==,iv:gdfp0dUqeJegQuoExquRV9GTtMo3eL1LWFKYOm5REkw=,tag:jsSkfWALdHsoNevaYkJyhA==,type:str]
 user:
     #ENC[AES256_GCM,data:a4mHxr7bn7BV,iv:FYQk3yv3XgxNO9CnrQefo3WqhO0Sf8Mihfp+Iw4AcWM=,tag:jebxvG+xUidghf5dOlvDYA==,type:comment]
     zzn: ENC[AES256_GCM,data:xBSve41JclBYQULPN7yV/1Eyo3u+CHAewVetKHwjvl6Te0kk/+aLx6gs8EpOJGmVaiSAdt6F2ayHXUD8RXXpJIOnnEHk88kqbw==,iv:XPxMLvlVtaZvpWnau5Jwlj/5ty5Zyw4F44ix5G64Z84=,tag:uJfWb0PCebdMtxXMfueULQ==,type:str]
+wechat2tg:
+    token: ENC[AES256_GCM,data:PrZWR8WiZ7grkpTLqMxwbnkwZttl7n0e1lc1mdHJiFUWq/PqG2wNBC27C58jMg==,iv:02XHhfpN8YPix0REbJDnsBbvCwifbdwBwfuJ2glbvjo=,tag:6aWNqBfwulsjMbl+D6L9vw==,type:str]
+telegram:
+    token: ENC[AES256_GCM,data:fqOn2FiLDWZeTUV3hrLIclHTVE0LBDKUW7BK1bRCe0ni5D+hsbM2NdUPWaT4dQ==,iv:j7zQdnz7x7xqVAA882gyCQdjukOLOEvpJ+h5QdS6IP0=,tag:ypeg5xmiqtQ3n+WoF1mNqQ==,type:str]
+    user:
+        chn: ENC[AES256_GCM,data:mmofAUxaBCFW,iv:/+bGUlHeNT5WgTtkzxoTFNCE5G+JJcJa6i9Ccbbrf0E=,tag:ax4wPxgSbh+yWd7Gpkapaw==,type:str]
+        hjp: ENC[AES256_GCM,data:T/M4wXMHa8Ko4g==,iv:eGzdteZgYRmIQp3qD79+Mhsvo5e9DL1ezkypnnofL6o=,tag:WjTPnEvU4H4tZG3GccpZrw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -50,8 +64,8 @@ sops:
             OUlxNjdQaXdXMkZ6bnV1ek4yZ2dpbkEKpKGOAxo5Eef2jtGrg4iSzmGCeg+vTgvu
             +K8b+O19MIkGMDBm6UbYUPtc/7eqoEZRiTUzNMTmfkLVS4ul5zou9A==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-09-04T01:39:48Z"
-    mac: ENC[AES256_GCM,data:VkpF9zTWRLMriukAif6lfp8uy6+IcPDYUnXCQ5XLUtSstEyUoaVBjn+VVAoKkLX3MnyR6gyiYVWDDJmXrsyNoQpjRVQR0yu0p6p7sB3voGKiNxhw5qGwZj4IIXnHFWvktgWiawCiUkmSTUUHxe0XjAh7AWxjGqgAs/oyWGq/YfE=,iv:IQbJAhW/y18s57CAwRPeypQreBqQb0KkJAgIZ90QXJU=,tag:a0AB3l83j31Ex6PH9ziHRg==,type:str]
+    lastmodified: "2025-02-25T02:37:11Z"
+    mac: ENC[AES256_GCM,data:JjbAGoJowO96UKmgrEbnovS5T0jko5kqP4jRvG7NwBbxC2l8HETRI6lFgLep9AJYCWj8BK1kPM2FA53RqrACALMl22hjQcQZLnKCI1fHzv8xg112Sw0aP2rT1AouEbVOVqFSsF+Qa6wxVzfoijoqgxnjkBF3c4Dryget2yXEIfY=,iv:R+C1fRI6Wv+w47wZ7Yp03OYX3UQD1eV7wkL9flsZ5eQ=,tag:JnBaUvqbwfBe9Ygl8FkLdQ==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.9.0
+    version: 3.9.2

devices/pi3b/default.nix

@@ -1,42 +0,0 @@
-inputs:
-{
-  config =
-  {
-    nixos =
-    {
-      system =
-      {
-        fileSystems =
-        {
-          mount =
-          {
-            # TODO: reparition
-            vfat."/dev/disk/by-uuid/ABC6-6B3E" = "/boot";
-            btrfs."/dev/disk/by-uuid/c459c6c0-23a6-4ef2-945a-0bfafa9a45b6" =
-              { "/nix/rootfs/current" = "/"; "/nix" = "/nix"; };
-          };
-          swap = [ "/nix/swap/swap" ];
-          rollingRootfs = {};
-        };
-        networking = {};
-        nixpkgs.arch = "aarch64";
-        kernel.variant = "nixos";
-      };
-      services =
-      {
-        # snapper.enable = true;
-        sshd = {};
-        xray.client.enable = true;
-        fail2ban = {};
-        wireguard =
-        {
-          enable = true;
-          peers = [ "vps6" ];
-          publicKey = "X5SwWQk3JDT8BDxd04PYXTJi5E20mZKP6PplQ+GDnhI=";
-          wireguardIp = "192.168.83.8";
-        };
-        beesd.instances.root = { device = "/"; hashTableSizeMB = 32; };
-      };
-    };
-  };
-}

devices/pi3b/secrets.yaml

@@ -1,33 +0,0 @@
-xray-client:
-    uuid: ENC[AES256_GCM,data:82Xg9VkmkLrKKcZfojA7dHqqMZh45n+eL4T5qZ1z/xy9k0q5,iv:/2j9flBDwjY6JW2mHYo1S2VE+ruu6gxrw8BzSyoiPcc=,tag:iq8wzfIRyq1T18k3vStVGw==,type:str]
-wireguard:
-    privateKey: ENC[AES256_GCM,data:8whySpY/4WPWx2+t7IOgn+qjKCsv+BgRtaAFLrP8L0fV3TJdLob5vwDplHk=,iv:kXTDwOyJNzbjPtlzQqNsXtuk3EXFdF9CAsYkvImbyDE=,tag:tsK9nCMmwEb0c08rJ3Iwyg==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6TzU0U2Facm5yWkYrREgw
-            a1Fxc1MxaHYwRWUzUHpsbDBHYVoxb1NKVDAwCjNuUFlabzJ0aWtGMFBQb05nSlRP
-            akwrWDI0QnZBYkFmSUpWZFFnYmQ2aDQKLS0tIGlIQ3lTREN4WXgxV3pNdjdaakF6
-            ZnppV1ZRZzZ5Smt2NGsyRndjTFdnV00KaWVPGLWPnqINH6AHKS/84kuYy/v1v4Tb
-            QdehcMiq5ZF5XLqOX5sMDLu8h96FIklqOSTZNFkzr+s9VYv/UO58rg==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1yjgswvexp0x0de0sw4u6hamruzeluxccmx2enxazl6pwhhsr2s9qlxdemq
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyTEZERkRSZUdSN2dySnlI
-            aDFjdXFCWnlJZlpYQmR1WEE2RzdCaVp1WFEwCjd1N1ZpMUExZ0ZBWmFwSHg3RUs4
-            RkRYTjRMWmE5cTA4Z2JJUGgyN05HSmMKLS0tIFpKZmd2Q2k2bnNYK1V2ZnNQNUxH
-            aDU3Vm95ZkpvSTJDMjJEOFY1ZjhrQlUKLdMYiOj6tlzwLpwZsTQVSQ8hHart0ba3
-            NS7+SprzJRb0hQXrvyU6s9zho8dPOw8wiGbscmMXSVS/Kar3eQigmg==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-03-28T13:31:33Z"
-    mac: ENC[AES256_GCM,data:fuppF9gFh3O6ZqJRTcVxNqVlz2y5f4xR39JIeInKblh4hNhrdnQg7oh8repoZeXHVRewGeGyxSqzUg+Twy8J+q+d6TSmiDVViD/SHse5rPns2Egt671geF7JmGEB/yKSCbECjGCp0QFgYYEg/vUOaV3v1a0s7LLTE/t2haPIaYc=,iv:f4T7JGxKB3WmEtETuSH7ApKRJ8ptPwZPfspyqc8+vmM=,tag:GF5br+e/p6qHsNCTjfIBCA==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.8.1

devices/srv1/default.nix

@@ -22,9 +22,7 @@ inputs:
       hardware.cpus = [ "intel" ];
       services =
       {
-        snapper.enable = true;
         sshd.passwordAuthentication = true;
-        smartd.enable = true;
         slurm =
         {
           enable = true;
@@ -35,25 +33,25 @@ inputs:
             {
               name = "n0"; address = "192.168.178.1";
               cpu = { sockets = 4; cores = 20; threads = 2; };
-              memoryMB = 122880;
+              memoryMB = 112 * 1024;
             };
             srv1-node1 =
             {
               name = "n1"; address = "192.168.178.2";
               cpu = { sockets = 4; cores = 8; threads = 2; };
-              memoryMB = 30720;
+              memoryMB = 56 * 1024;
             };
             srv1-node2 =
             {
               name = "n2"; address = "192.168.178.3";
               cpu = { sockets = 4; cores = 8; threads = 2; };
-              memoryMB = 61440;
+              memoryMB = 56 * 1024;
             };
             srv1-node3 =
             {
               name = "n3"; address = "192.168.178.4";
               cpu = { sockets = 4; cores = 8; threads = 2; };
-              memoryMB = 38912;
+              memoryMB = 32 * 1024;
             };
           };
           partitions =
@@ -63,7 +61,11 @@ inputs:
             fdtd = [ "srv1-node2" ];
             all = [ "srv1-node0" "srv1-node1" "srv1-node2" "srv1-node3" ];
           };
-          tui = { cpuMpiThreads = 8; cpuOpenmpThreads = 10; };
+          tui.cpuQueues =
+          [
+            { mpiThreads = 8; openmpThreads = 10; }
+            { name = "old"; mpiThreads = 8; openmpThreads = 4; }
+          ];
           setupFirewall = true;
         };
       };

devices/srv1/node0/default.nix

@@ -18,14 +18,6 @@ inputs:
       {
         xray.client = { enable = true; dnsmasq.extraInterfaces = [ "eno146" ]; };
         beesd.instances.root = { device = "/"; hashTableSizeMB = 512; threads = 4; };
-        wireguard =
-        {
-          enable = true;
-          peers = [ "vps6" ];
-          publicKey = "Br+ou+t9M9kMrnNnhTvaZi2oNFRygzebA1NqcHWADWM=";
-          wireguardIp = "192.168.83.9";
-        };
-        nfs = { root = "/"; exports = [ "/home" ]; accessLimit = "192.168.178.0/24"; };
         xrdp = { enable = true; hostname = [ "srv1.chn.moe" ]; };
         samba =
         {

devices/srv1/node0/secrets/default.yaml

@@ -25,6 +25,11 @@ users:
     GROUPIII-2: ENC[AES256_GCM,data:ifWnLx1YEewdviqHK8fdesM3c1m1T4g6twnz1cGv1yc4jit68pQWLrRMivdsM4tUcyU9GKwCaElVlvh+dgyy8EZQPKCbvJX6GA==,iv:T5FWReeZ0QOkGJiNfrVrUBhAhbXxlFQJKqQV2tzw9AQ=,tag:XClXGZDWGuoGxzPW7ne2Pg==,type:str]
     #ENC[AES256_GCM,data:t8QUVYG4v7fE,iv:N8hDAV7wulPHcfnYTXuZRhb9dQPZqKpfMKK1+ITaZTA=,tag:eKMJDOmqoWWQbv/mm3LaAw==,type:comment]
     GROUPIII-3: ENC[AES256_GCM,data:VlAA+g7SRZyhPSl0Gd1KS7dCwNgRA/o+d8anN88A7E8bSE1ckeTSp+J4YrbbUlLasLhliOZ/nDC0rti+hckGCrjMwweMorSIWg==,iv:7u1yNrN7uxHCF1MsJ2qt1jyQ0ZYYCYKUHwRff50P9oI=,tag:3raCWjdButfmcdy8mH25Jw==,type:str]
+telegram:
+    token: ENC[AES256_GCM,data:OVbdcyczH4O7TUsTL0fX3fhx9mL+8QQF3b9SIShmH/gwcJ1jy9WtWtx9wHRvFA==,iv:SX/fLPMkqmslHcRlqQQhqwodC0FHhWrpp6GR2eSF/vQ=,tag:0odoc4CpoI6yA08OWxmYRw==,type:str]
+    user:
+        chn: ENC[AES256_GCM,data:3XT6iMfK3+Oi,iv:eqDWPQ0uOj/htImZmLyeYgcjLH4/8E5Yx46XJFp4KUc=,tag:7nVlWPnoLRAH0JrNJ2MGFA==,type:str]
+        hjp: ENC[AES256_GCM,data:JWw/yuOu4flIEg==,iv:i5xr1j9XHjY2UNoBMrpH7YiNb6Oeea7yJAZp+LIYQjQ=,tag:r5Jj2kRPZYpX21xpsVyClg==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -49,8 +54,8 @@ sops:
             OThDMWRsWnVTbzRGTTZqSDBkNWZJMlEKdQ/ipO7O5OvaGa81c2P7fi1ncufueSzX
             2njlHHz1gJCtjpktYaVvS6KSYtJoI9oNrF0YN5D/3kKW8TicsSGKaA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-09-29T06:38:23Z"
-    mac: ENC[AES256_GCM,data:n7MVBKCUW4xpIiVO4ysBqlG89LjzpDBx9GJWQTrSenLWV/YrIGUxA6QDlRg7yhqV9ldF9Q7hDve1KHw7OxKRx5ot5OZiD3Bq3TwJfS2DarJ2vi9oc1J+CXXach8gp3m4C4RkPJ/y1i3jB2nRfSw5Z/TtdPMbvGXlHh+hhriAqxM=,iv:tyBcXMZzgeUOgYJtU1XkptPOlNoFwH+4z6xTD89aKOw=,tag:apXU989ZL+D8WhWKFTdXTg==,type:str]
+    lastmodified: "2025-02-25T02:37:29Z"
+    mac: ENC[AES256_GCM,data:TAfa+s7zakHPggKZmnk6/WdffNi/uS872bv6rO9G+oMh6RsTW0YnqtgswjBsqaZkimYJyYaFmf0UfiuMbCXEmPMjRTBagYJ8i3yG4cmPpskZYtDQj/Xh/XkVulb/2v9WTG8IQ8g1FMrH1J6PkK2meqEG11h+3dI66FtmUD47beY=,iv:bfSElvPF53iotTZaQVflArNJ2FMV8ogySyQtr0Yy0FA=,tag:adL3coofeQGlIY+BUpxtMg==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.9.0
+    version: 3.9.2

devices/srv1/node1/default.nix

@@ -4,17 +4,13 @@ inputs:
   {
     nixos =
     {
-      model.cluster.nodeType = "worker";
       system =
       {
         nixpkgs.march = "broadwell";
         networking.static.eno2 =
           { ip = "192.168.178.2"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; };
-        fileSystems.mount.nfs."192.168.178.1:/home" = "/home";
       };
       services.beesd.instances.root = { device = "/"; hashTableSizeMB = 256; threads = 4; };
-      packages.packages._prebuildPackages =
-        [ inputs.topInputs.self.nixosConfigurations.srv1-node0.config.system.build.toplevel ];
     };
     specialisation.no-share-home.configuration =
     {

devices/srv1/node2/default.nix

@@ -4,7 +4,6 @@ inputs:
   {
     nixos =
     {
-      model.cluster.nodeType = "worker";
       system =
       {
         nixpkgs.march = "broadwell";
@@ -13,20 +12,14 @@ inputs:
           br0 = { ip = "192.168.1.12"; mask = 24; gateway = "192.168.1.1"; dns = "192.168.1.1"; };
           eno2 = { ip = "192.168.178.3"; mask = 24; };
         };
-        fileSystems.mount =
-        {
-          nfs."192.168.178.1:/home" = "/home";
-          btrfs."/dev/disk/by-partlabel/srv1-node2-nodatacow" =
-            { "/nix/nodatacow" = "/nix/nodatacow"; "/nix/backups" = "/nix/backups"; };
-        };
+        fileSystems.mount.btrfs."/dev/disk/by-partlabel/srv1-node2-nodatacow" =
+          { "/nix/nodatacow" = "/nix/nodatacow"; "/nix/backups" = "/nix/backups"; };
       };
       services =
       {
         xray.client.enable = true;
         beesd.instances.root = { device = "/"; hashTableSizeMB = 256; threads = 4; };
       };
-      packages.packages._prebuildPackages =
-        [ inputs.topInputs.self.nixosConfigurations.srv1-node0.config.system.build.toplevel ];
       virtualization.kvmHost = { enable = true; gui = true; };
     };
     specialisation.no-share-home.configuration =

devices/srv1/node3/default.nix

@@ -4,17 +4,13 @@ inputs:
   {
     nixos =
     {
-      model.cluster.nodeType = "worker";
       system =
       {
         nixpkgs.march = "broadwell";
         networking.static.eno2 =
           { ip = "192.168.178.4"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; };
-        fileSystems.mount.nfs."192.168.178.1:/home" = "/home";
       };
       services.beesd.instances.root = { device = "/"; hashTableSizeMB = 256; threads = 4; };
-      packages.packages._prebuildPackages =
-        [ inputs.topInputs.self.nixosConfigurations.srv1-node0.config.system.build.toplevel ];
     };
     specialisation.no-share-home.configuration =
     {

devices/srv2/default.nix

@@ -0,0 +1,80 @@
+inputs:
+{
+  config =
+  {
+    nixos =
+    {
+      model.type = "server";
+      system =
+      {
+        fileSystems =
+        {
+          mount = let inherit (inputs.config.nixos.model.cluster) clusterName nodeName; in
+          {
+            vfat."/dev/disk/by-partlabel/${clusterName}-${nodeName}-boot" = "/boot";
+            btrfs."/dev/disk/by-partlabel/${clusterName}-${nodeName}-root1" =
+              { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
+          };
+          swap = [ "/nix/swap/swap" ];
+          rollingRootfs = {};
+        };
+        nixpkgs.cuda.capabilities =
+        [
+          # p5000 p400
+          "6.1"
+          # 2080 Ti
+          "7.5"
+          # 3090
+          "8.6"
+          # 4090
+          "8.9"
+        ];
+      };
+      hardware.gpu = { type = "nvidia"; nvidia.open = false; };
+      services =
+      {
+        sshd = { passwordAuthentication = true; groupBanner = true; };
+        slurm =
+        {
+          enable = true;
+          master = "srv2-node0";
+          node =
+          {
+            srv2-node0 =
+            {
+              name = "n0"; address = "192.168.178.1";
+              cpu = { sockets = 2; cores = 22; threads = 2; };
+              memoryMB = 240 * 1024;
+              gpus."4090" = 1;
+            };
+            srv2-node1 =
+            {
+              name = "n1"; address = "192.168.178.2";
+              cpu = { cores = 16; threads = 2; };
+              memoryMB = 80 * 1024;
+              gpus = { "3090" = 1; "4090" = 1; };
+            };
+          };
+          partitions =
+          {
+            all = [ "srv2-node0" "srv2-node1" ];
+            n0 = [ "srv2-node0" ];
+            n1 = [ "srv2-node1" ];
+          };
+          defaultPartition = "all";
+          tui =
+          {
+            cpuQueues =
+            [
+              { name = "n0"; mpiThreads = 8; openmpThreads = 5; }
+              { name = "n1"; mpiThreads = 3; openmpThreads = 4; }
+            ];
+            gpuIds = [ "4090" "3090" ];
+            gpuPartition = "all";
+          };
+        };
+      };
+      user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" "lly" "yxf" "hss" "zzn" ];
+    };
+  };
+}

devices/srv2/node0/default.nix

@@ -0,0 +1,34 @@
+inputs:
+{
+  config =
+  {
+    nixos =
+    {
+      model.cluster.nodeType = "master";
+      hardware.cpus = [ "intel" ];
+      system =
+      {
+        nixpkgs.march = "skylake";
+        networking =
+        {
+          static.eno2 = { ip = "192.168.178.1"; mask = 24; };
+          wireless = [ "457的5G" ];
+        };
+      };
+      services =
+      {
+        xray.client = { enable = true; dnsmasq.extraInterfaces = [ "eno2" ]; };
+        beesd.instances.root = { device = "/"; hashTableSizeMB = 16384; loadAverage = 8;  };
+        xrdp = { enable = true; hostname = [ "srv2.chn.moe" ]; };
+        samba = { enable = true; hostsAllowed = ""; shares = { home.path = "/home"; root.path = "/"; }; };
+        groupshare = {};
+        hpcstat = {};
+        ollama = {};
+      };
+    };
+    # allow other machine access network by this machine
+    systemd.network.networks."10-eno2".networkConfig.IPMasquerade = "both";
+    # without this, tproxy does not work
+    networking.firewall.trustedInterfaces = [ "eno2" ];
+  };
+}

devices/srv2/node0/secrets/default.yaml

@@ -23,6 +23,16 @@ users:
     lly: ENC[AES256_GCM,data:tP/NtJcMUtZPvuAqoM6KhCMybhsTxKSq4WWW3SBzQ/O0FmUXhECQc5CQnI4J9PlalP7Ug+uUQzeBMnHN84pkKNIeHVJhqjU8Zw==,iv:7TPPuSfXypSRnnhuy8LJSXIB+KB+3vWV0G7AbCZpB6s=,tag:iSLgRxOHgUolByFyvwltNQ==,type:str]
 mariadb:
     slurm: ENC[AES256_GCM,data:9wLQ1zF/kDaiw0s3UaRpiHgmngU7u6hwyqpddSjev0+Z0v58Q2oiJtK8vn+2VlSxx5ACfqEFbzp0PZYAxd575w==,iv:q9JTkgDymOwkbZ/PaxRAAQrtO96QmGgZcQuLTFCMoS4=,tag:dwOHlOTgZqT/1jQ+oGf7UQ==,type:str]
+hpcstat:
+    key: ENC[AES256_GCM,data:+Z7MRDkLLdUqDwMrkafFKkBjeCkw+zgRoAoiVEwrr+LY0uMeW8nNYoaYrfz6Ig8CMCDgX3n/DMb0ibUeN32j3HShQIStbtUxRPGpQMyH+ealbvgskGriTFpST4VPyQxNACkUpq/e+sh2CmLbKkSxhamkjKOXwsfqrBlgVbEkp7u7HkWGuAaYL1oPGt0Q94fWXwH0UVhRYZYQ2iFA/S6SEZY8gxaTIGDKUdWU9+fOHzPQ5WfhxtKYU4p4ydyfYsAt6ffqnPSx/SI72GsUCOJ4981JX8TuvnEzx3gQLVFYheK6NibTWCy6eODbvguieVOTHSvCPTrHmoP12lHVWU2kKzLwv70Jl7sXyzKHYROG0D+/z/4DKlNeotKM/IA0q2cST08/lwSKN7WDDmrt+O6xXhvwby28ZYKEsSvvrfV+VIKzHPl84ZKbUEX5xv/GHc3THfznUvKKz5PzDiqrkjCkEt5PRMsVW9A6MU1+QEUr+sXLLtcUd2CCL87c8CpwNHJx1us6vJ4ji1gu0PGoT+60,iv:yU6j9W2Hs2D34uHMJqqPFbNy2pNEZY2kzXoNdhPMSmA=,tag:TNvEfMVrhu7HrNxY8qe5mg==,type:str]
+telegram:
+    token: ENC[AES256_GCM,data:dCDqQhNiuIGJAdbun2uwCBV1smrpvKvwi5AGOs+QWK0ANNVBoSHuUNPeNH2Ivg==,iv:Vcp/OPW8IRPHlqumPxYAfVLtZbdG3rB8VeXM34xBYSk=,tag:vKMihlMdwrPY0XKErtgwIA==,type:str]
+    user:
+        chn: ENC[AES256_GCM,data:NoWnuxCZGkQx,iv:9eSyerth1oOTWJFdOeB1zL2QrXoPv+X2LTUDQZuxdkg=,tag:Ep66od22bQffeL41ff5a2w==,type:str]
+        hjp: ENC[AES256_GCM,data:+a6dMGEnrX5Dug==,iv:2l8TbmBNOB7nRfh9UoQi0S6CMRIYFeab6P3+8V8pwW0=,tag:AK4Rtu3N0o7Rqy0sjNe0EQ==,type:str]
+wireless:
+    #ENC[AES256_GCM,data:xrg3Wxj/ghbWgg==,iv:6stu7voI5no2Y3YmnMrvTS8hev3eqjoWAyD5zTgyehc=,tag:cxkS7y7S1oM+/SJmlT10fw==,type:comment]
+    457的5G: ENC[AES256_GCM,data:QjHlyGU4JIYymyh41T+c33T3EOpbqDOoD3U+v6/BzjlWLLeZQXU2hwPCVh4fi2bwn7yNkp4ygAYmFPVPZWoT1A==,iv:Tc6Guzsn5hkjWH6UWSb1KlfWCBXIi2OWdn/wttmCXnQ=,tag:FhyH6JmjSTuqSeFy+GyQhg==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -47,8 +57,8 @@ sops:
             M0xoL1dQR0kvMWpzN0RMNWVCTFQxNFUKj9LPjBo5NGOrGYNvu8qZ13PLYjLEWllU
             LARzEn4XgkeHckouwvxZYMCx7WxmAruRWaOvnxTIczzSNP7wIrqnkA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-10-26T12:27:03Z"
-    mac: ENC[AES256_GCM,data:q1EihAxiS23XoKWt4ogBo34pP7J6i/yFglmmvFIdWKIgwaoXWFexKrdu1oRZBIxISW+3b/NzkuUm1anu3sGFGiirDpllg8wu8ezXJJODb8yTU0HJpZ/9vjBPm+ZBt5zFzGky7kmW+qOFfUsZkr8dCiJil/Z0HrXrY2d59ksxhto=,iv:7b6ePa4xXdjrj8O2JWAptsONz8gPApS3roYMuRyrztU=,tag:uzOcc8H2W6VvGDkrex5M6A==,type:str]
+    lastmodified: "2025-02-25T02:36:44Z"
+    mac: ENC[AES256_GCM,data:VF48FNkamR6RPowHxQxlgRNQZqCGbHvO5d1mk3Tj0WW99wMFIo4wrH4i000lGlUGXWhuPlYcxHtDzP6/984fBKYvHg1Q0a/x1cXB812lvWNhDQZwpIG8lvr2AQyKYYYFMcpgxk8GZFRd4eY7evlVIfW2gqyUZflRbZzTmKCa2f4=,iv:ndLQpwtO6rPNuQdBU/MSTtVderU9H14jTJs0vClQl4A=,tag:h4lQ8JYVBoxhO9S+ncpVxQ==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.9.1
+    version: 3.9.2

devices/srv2/node1/default.nix

@@ -0,0 +1,26 @@
+inputs:
+{
+  config =
+  {
+    nixos =
+    {
+      hardware.cpus = [ "amd" ];
+      system =
+      {
+        nixpkgs.march = "znver3";
+        networking.static.enp58s0 =
+          { ip = "192.168.178.2"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; };
+      };
+      services.beesd.instances.root = { device = "/"; hashTableSizeMB = 512; };
+    };
+    services.hardware.bolt.enable = true;
+    specialisation.no-share-home.configuration =
+    {
+      nixos.system.fileSystems.mount.nfs = inputs.lib.mkForce null;
+      system.nixos.tags = [ "no-share-home" ];
+    };
+    boot.initrd.systemd.network.networks."10-enp58s0" = inputs.config.systemd.network.networks."10-enp58s0";
+    # make slurm sub process to be able to communicate with the master
+    networking.firewall.trustedInterfaces = [ "enp58s0" ];
+  };
+}

devices/srv2/node1/secrets/default.yaml

@@ -23,13 +23,6 @@ users:
     zzn: ENC[AES256_GCM,data:/CSffToFJiBotXZ5rPkz0UNgI/iC0ftusPF2Ce6Of3XckjpCcikWj6n3ahJ24XsWQjp3EvacOiBorh+Kg16LjCEl0P2RMIitTQ==,iv:u9IFdp/jw7ehTshPzQVssLeh33iBYCPjSyJSLsc5EVo=,tag:/KXgmU7dcTKG8C4Y7NcMhw==,type:str]
     #ENC[AES256_GCM,data:TN/ycWtGSCNY,iv:pSilXx4zKs53XX/L0+QFbwv13rutQG11sU0EgVhaJEA=,tag:L+MpcYYlsMnSpS1JQdnwIQ==,type:comment]
     lly: ENC[AES256_GCM,data:XkRaNI0SqooptH/OexBCzZ4RYvA3s7qXbpCtLVidJ4pZU/o7EHlIcvMbeRxqdujhXNQ+vbS3o7CmhwJK2JVVPCCVsd6k0gMDdw==,iv:v/2mgDuR+/lb8mtyv6sn4Z9XXnuDoXkT0DeNQ7850fU=,tag:T8xxo9C7kFSNlLDjEaZK0Q==,type:str]
-mariadb:
-    slurm: ENC[AES256_GCM,data:qQMD8SKNmxb3PdScXNqppF9zkX7dV5i7rvljvZuhiI5zLnu77qYCHBW6ymh0mrY14N9NjxmQZhZWX/H8TvBlcg==,iv:J5N3LjCYW3QmuEkMBpl7qvPFW1Z9ZoPLkj45jKcIW9U=,tag:Tl+ld07+lVkmzt7f/f2MqQ==,type:str]
-hpcstat:
-    key: ENC[AES256_GCM,data:POK329h/joF7WdSBwSE1EkYH/pZ9X+wiTKcVWLZjmh7gM9d7HONbN/PqsYNFTHJVR0GgysqpLEcPN2OFGs/SSeH86o04cAdjAVznKZgt1Q34QGYy6b+io15P3lbmK0kTKmeGt5qEhGkBh6BVBoSyqbKAknvUqJ17ZkL17kyRaKffm3Zais7keEJCFdyRF6oSz2kl2CvEmKNWPWDdO9EpgqgYlm9mwu95/k9Hx5eyUjiFpxc3fdFTESGbe0ZYAqKQ0eLFfLLorQp0pAzxCbbxIzZEgyxjzkICXKa1n7Zz6h1ON2Rsqq0Q4hEYJdWGLtvOH/VLVxvNWjW4Er6i3lWGhZRiDDrxLErQGONI+X7QqbneFCnMCZGln3pAfNtOr+KX58ij/egyzmb7bKZrARqnm+X+/I/L0+VS1PfDdLP53GaX7mfKYpcH6z7O2F/zjpuXQTV8njs64YlvgyYXsCaghEUBzehsruwRsBEkTIb4R2AlqItpbesMnNNUJ4Cr/B7Bw6O+gHeJ+oK4ZPBYbgso,iv:B2eWjydl8m8nbcPw2fZfxCnj57utWM9ABj2eJ1pRKWQ=,tag:5W9ZwVSJvm1KvZnf/E5Tug==,type:str]
-telegram:
-    token: ENC[AES256_GCM,data:Mu7guAFUu+UoHvo/h1blcI6Kg3mvng6zNc/HKXuCdf73ujziK0mXwPcf7t7d/w==,iv:BkA4d0OJ4lTD7csZJQHcDnYe7SYcFbwRVYOQAWOQ2lQ=,tag:GuJ4z5pe2znTY3xNT2WF+w==,type:str]
-    chat: ENC[AES256_GCM,data:OC8ElUPmfsVL,iv:WgZMJP2ugZbqZyihdNtL1xMH8u9VpLNzO8DGpDL4w4k=,tag:u4cKABikuMUbCIm5zCnk6A==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -54,8 +47,8 @@ sops:
             ZDNHUjE2QVlCV3p0NHdKYW5IMHVBZzQKkZtfyvfroOntg3yRjMw4jQHiQj8eaB2h
             IeIHfW4y01mmVT2ofbtB0xYpjcl4gtUlQ8X3tn5iJ9P8gcVo0G598A==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-10-26T12:26:52Z"
-    mac: ENC[AES256_GCM,data:TiF/QAh6Y8Xn+3B1rlg+FvZFJ4fGP+szvvopbiEzO6AWBYp8dcD6MmaZstVzJL1BrRIQ3GENcq7EVyfZMWQlW8aRsVF/RrWOSpAKI1tiWDl+10Ov3zjr+Q8sFYTfblWXYH7Tq9pcWBChj1Kj88Ri5xRRfJTuelQoL0igHQBwfFM=,iv:ikzexH8P3CYu7SrRXwWd1Ar3+PEXSSjSVj5E3jwcZyQ=,tag:i5/F33/KcDJVQ4ceYtRErQ==,type:str]
+    lastmodified: "2025-01-11T12:43:41Z"
+    mac: ENC[AES256_GCM,data:exCwRlOqvMRvqStZfI0P1nXE9KX0GxVGhPD4PEkDXhm35CtFXJj6toZyJqHUt9XrrlW6NHzXbQszeHV0/EmdItJK3HupRMopetBTSBmkH3FpuCrD8QZ4Ukm60ZQq1YiAlgE+HqOGhz+eYvUI9WPwci05Hi3Ea/a7ASsE3UWyc9Q=,iv:BX26ZpZGVsYUkZu//hD1Go18T+UWpGCChHFGFMUHmJE=,tag:0RvkrXGBc1ZN3MqaNHOHGA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.9.1
+    version: 3.9.2

devices/srv2/node1/secrets/munge.key

@@ -0,0 +1,24 @@
+{
+	"data": "ENC[AES256_GCM,data:fkOaCmCk6e8KTUq9zvhYPL6o24Vcja909NoKl7CIy+8H1D2bX31JEa42D0CfLFxvkA/kVcUehVbwL9Ax0ufBa33O73VrTggU9u4qolgpjmibIINXlQrl1MtEQu66MHpq971czzTCACGHz27/cUCUU2wBZWCCv9Zyk22OJgzDgYs=,iv:cDAcl4w4MKERttP4Bv7TZ701jSHVMquSqj6HqyyQ1sU=,tag:aSm/gR7zWYMZN8Iu6VEf6w==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVTnkwcE9RWHdrOEdyaW8v\nbUxiQ0pmcW1ha1E3ZkRmaWpqYWFXUm5NVVZRCkVHT2xhbnQ2MkFiczdPRktaRTlI\nT0lhcDdOd2hoeHZMM1RnVWdiUHpoZ1UKLS0tIGxZaDdMNW5LNU9DWkt1ZHJlQ3M1\nTi9GaFEyMFFYLzFyL05kaEVQTDB6Vk0KUlNgX2N8n9NsLJuFflkH92EbxnMp37dg\nArhpRuUXscHZ62Z9eR3cgXwfFTAYzYBhL0M6uE/jwfDEV3jw9fNyaQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1hnarptkze0ujpp05dqr8uma04cxg9zqcx68qgpks5uf5l6rpk5gqhh8wxg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwTjcvWVcxSWRVdHp3amtj\nVk54dTdRZUdXaGFuUTRLNVk2Uk5xWkx6WlRFCkxHUlhoTlJOTnN0TjhNZHFIV0tY\nQi9kUFh3R2lZYm9UdWFGZmFKZDFQdFUKLS0tIFo3b1IrNGFZaVVYZXpTYlFiVjNo\nV3QwU1RRaFExOXlnUmdJMlFmQmZJdm8Kzs/5XnsdYfJvLMCS/Uidwz7zQ2AphqRb\nWD+ua4DLsGIzVDCFzkuVcROBrJC8zkI8PGSd0pgFiV8zUKwEbyHG3w==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-01-11T12:46:25Z",
+		"mac": "ENC[AES256_GCM,data:qqwInEypo5r5bCu8r2x/CHdLxFZRxjlBfvSdhO9DeINGOtPB33WvjNei3UiuqROKWIa6tOpXSjz4jUdhI88aA4lip6JUPu4rfat/GaJDP6FjtDqtKuBoZRv1YG1QY1cAuENjzi30092rZNhC1vnh38IjmcyHffM2phgkG2JRmL0=,iv:f1BbcrBH6YmEODUh6SM16LiJH85/MU5GhW4hpy9k0yE=,tag:/c0/783cQ1c4oJ0Rfcw+Mg==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.2"
+	}
+}

devices/surface/default.nix

@@ -1,66 +0,0 @@
-inputs:
-{
-  imports = inputs.localLib.mkModules [ inputs.topInputs.nixos-hardware.nixosModules.microsoft-surface-pro-intel ];
-  config =
-  {
-    nixos =
-    {
-      model.type = "desktop";
-      system =
-      {
-        fileSystems =
-        {
-          mount =
-          {
-            vfat."/dev/disk/by-uuid/4596-D670" = "/boot";
-            btrfs."/dev/mapper/root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
-          };
-          luks.auto =
-          {
-            "/dev/disk/by-uuid/eda0042b-ffd5-47d1-b828-4cf99d744c9f" = { mapper = "root1"; ssd = true; };
-            "/dev/disk/by-uuid/41d83848-f3dd-4b2f-946f-de1d2ae1cbd4" = { mapper = "swap"; ssd = true; };
-          };
-          swap = [ "/dev/mapper/swap" ];
-          resume = "/dev/mapper/swap";
-          rollingRootfs = {};
-        };
-        nixpkgs.march = "skylake";
-        nix = { substituters = [ "https://nix-store.chn.moe?priority=100" ]; githubToken.enable = true; };
-        kernel = { variant = "xanmod-latest"; patches = [ "surface" "hibernate-progress" ]; };
-      };
-      hardware = { cpus = [ "intel" ]; gpu.type = "intel"; };
-      services =
-      {
-        snapper.enable = true;
-        sshd = {};
-        xray.client =
-        {
-          enable = true;
-          dnsmasq.hosts = builtins.listToAttrs (builtins.map
-            (name: { inherit name; value = "0.0.0.0"; })
-            [
-              "log-upload.mihoyo.com" "uspider.yuanshen.com" "ys-log-upload.mihoyo.com"
-              "dispatchcnglobal.yuanshen.com"
-            ]);
-        };
-        wireguard =
-        {
-          enable = true;
-          peers = [ "vps6" ];
-          publicKey = "j7qEeODVMH31afKUQAmKRGLuqg8Bxd0dIPbo17LHqAo=";
-          wireguardIp = "192.168.83.5";
-        };
-        beesd.instances.root = { device = "/"; hashTableSizeMB = 512; };
-        waydroid = {};
-        docker = {};
-      };
-      bugs = [ "xmunet" "suspend-hibernate-no-platform" ];
-    };
-    powerManagement.resumeCommands = ''${inputs.pkgs.systemd}/bin/systemctl restart iptsd'';
-    services.iptsd.config =
-    {
-      Touchscreen = { DisableOnPalm = true; DisableOnStylus = true; Overshoot = 0.5; };
-      Contacts = { Neutral = "Average"; NeutralValue = 10; };
-    };
-  };
-}

devices/surface/secrets.yaml

@@ -1,36 +0,0 @@
-xray-client:
-    uuid: ENC[AES256_GCM,data:WEBAH3PQM5ahNpH/kvTtcjcJ2GllmmRlBR2oclG6AimGenSg,iv:TMp0WTOe9fuELSZoVGenl5XSZUFoiYUBEMWMn4NFv1g=,tag:GJTE0EELcZkrnGAKLYer1g==,type:str]
-wireguard:
-    privateKey: ENC[AES256_GCM,data:P/tyZHaEAahZUBF22dJEZb6mACm/wmUunPDG0vS7SNW3sWbzxRSut0haR/g=,iv:8VMv5iotmDrYDLiszcOvJHkD8l6uE+SboPSILr6KuzU=,tag:U/FIBhvghwDTvFtUWEqr4g==,type:str]
-github:
-    token: ENC[AES256_GCM,data:SyqrpFfy+y7syReWs0Bi23651ew41Us8aqjImBTzkDanOtWQgIYC6g==,iv:H3Y/TuP3VvZv6MlRAdLOY0CiNUeoqGZRNg0s58ZSkQ8=,tag:rSf4E8Whvue/LZ+VlSqDDQ==,type:str]
-age: ENC[AES256_GCM,data:KEaMrk9eldR6oCqNqSpwhbJKj+JrN1KBkDL5p9itaszGf4tnDRidcleCQi1Ae17osYXIEh4+OxX/d6RKb9TP6JMLJe0iq6c9sC8=,iv:ztiP2Vz4AFZkd8ZG7xYlqYrV3JZYvmX07Ez6GtJ6yp0=,tag:PS8oSkkrrpgYYVfjbTtkaQ==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzV1pvWkVGSFg5TVAvRlhu
-            TnFnMEszcDRWWHlQanAyRkRpQWdqQkdhTzFvCjBqUG4xNFBiRnlSeTNQSmdkVkdD
-            UlVCQjRFVExuZHdrSnViajZGZ3c2dWsKLS0tIHlQYU5VeGpEQzllMmxLSnJZZzZx
-            N1R3Mkhxa0dOVlJiU0V2OEZVVzZVMFkKae3c1axl22uxh9wMygAHs6q1WA5ImOS8
-            uzKSthWSqtC7DMqgUFaaSjBYM2TN3l402syx71xVFyyAmCcGZbbJcg==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1ck5vzs0xqx0jplmuksrkh45xwmkm2t05m2wyq5k2w2mnkmn79fxs6tvl3l
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCSHJVRGIwQUFpVER5SWxq
-            YjJOT0lXN3dFOFpjMFlWV3JCbmZFN0hnNEJBClpQUEczK2RWTGlVTmJRbVZaUC8y
-            bEFrL1RjTTNlYVNnRVRBZlRjaTlnUEEKLS0tIE5GM01pTGFFcWVVSWEvUHE3Z08r
-            a2xybTRFUFZZN20zajZJTVNwVEpGcEEKglmFMk7z1q5IlZ+lZf9M0HtknmvcYt/P
-            2/z5e8wLN1Hy0Zsbv0yIL/NmqwxAOGJOdzz7ElJszk/Y4kUr9aRasg==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-09-01T15:22:09Z"
-    mac: ENC[AES256_GCM,data:Br2+miNeZI41QyTXdhJ5Mdwq5no/d4kJgESwiltcRZV/Pax8R+GFeLDg/AQFoh1fLHU6bTX45SN0wnIrIeCnkoXV0U2RiT7bdtBaDrGxqnFvjMVE0VaUrj9bpagta13tahsEfI17cyUq4BqwS4BXx60RXvbvs9jZ5/dfpYunGsc=,iv:FfWYfS40XcFgF8lEYK4IHypLzz7svFxPL+WuudQm3oA=,tag:0KDBdf7w6BdcQ8Qt3k1isg==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.9.0

devices/vps4/default.nix

@@ -1,44 +0,0 @@
-inputs:
-{
-  config =
-  {
-    nixos =
-    {
-      system =
-      {
-        fileSystems =
-        {
-          mount =
-          {
-            btrfs =
-            {
-              "/dev/disk/by-uuid/403fe853-8648-4c16-b2b5-3dfa88aee351"."/boot" = "/boot";
-              "/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
-            };
-          };
-          luks.manual =
-          {
-            enable = true;
-            devices."/dev/disk/by-uuid/bf7646f9-496c-484e-ada0-30335da57068" = { mapper = "root"; ssd = true; };
-            delayedMount = [ "/" ];
-          };
-          swap = [ "/nix/swap/swap" ];
-          rollingRootfs = {};
-        };
-        grub.installDevice = "/dev/disk/by-path/pci-0000:00:04.0";
-        nixpkgs.march = "znver2";
-        nix.substituters = [ "https://nix-store.chn.moe?priority=100" ];
-        initrd.sshd = {};
-        networking = {};
-      };
-      services =
-      {
-        snapper.enable = true;
-        sshd = {};
-        fail2ban = {};
-        beesd.instances.root = { device = "/"; hashTableSizeMB = 64; };
-        xray.server = { serverName = "xserver.vps4.chn.moe"; userNumber = 4; };
-      };
-    };
-  };
-}

devices/vps4/secrets.yaml

@@ -1,51 +0,0 @@
-xray-server:
-    clients:
-        #ENC[AES256_GCM,data:d7cv,iv:RHzGIDLuuKejCTQ5YlNNITkCS3VoprsqH/kHckdpAv0=,tag:3cYw7uyUmXALo3v7SiqLJA==,type:comment]
-        user0: ENC[AES256_GCM,data:o2wxpSzoqsPxs6grgYRLtPutMVwSqtzUWBrj7+7QuWWd1a1z,iv:2/5SxXq8Iw4J/LzBeclHbkrZXHitguip0WN+MINym8s=,tag:v/3oly53ORM9XAwbOzp06g==,type:str]
-        #ENC[AES256_GCM,data:0nHZmEPPaw==,iv:BtOZ8/U0yg3fthHrwerNQX3+KD/H9+fcUylYGnZqiIM=,tag:DkFGSFfq//LmWfg6DGm1aA==,type:comment]
-        user1: ENC[AES256_GCM,data:7ev7GuKLeJbPReMy0FnX02fLv5nNCpxdzfnQyAA+/IviwDMQ,iv:YbESsyIAiEAyvrHnj9A4lITX7NtRkuRhCrTv6hoG9Qs=,tag:8uledxLXqpXXLBh+cczm4g==,type:str]
-        #ENC[AES256_GCM,data:3KN/1hzeR2I=,iv:iaqJJD6iURTUlIL8e8P7fsAzJYo+y3NGZXgWmPX+4ao=,tag:e8g/JgVrMrWJamUMpiv2pQ==,type:comment]
-        user2: ENC[AES256_GCM,data:58PnLCwDayOYinsPCYPeMvuKiF7b4tZtbmEJFWEl+2Nu6HL2,iv:hSv3jCtkLm4rrm/4+ot10CBhobGwtnK5db5wR1S/XrU=,tag:SQbynYp8pDSqj4tAK6JBMQ==,type:str]
-        #ENC[AES256_GCM,data:uTZDsA==,iv:6cxvQycfji/x+DW1CnO45r+yNTLwkhYkiJwDaSpUCwo=,tag:8pMw+sYeOyZBN1idHoM9+g==,type:comment]
-        user3: ENC[AES256_GCM,data:WCVr0ylGm2SHtOGulb8TD/cI2xJXrbvY1d6+STXGxf0d0izb,iv:vhNshb38AVpwKCFRwUVruCQ0SxhHrOmwQ+IoQZeUj1k=,tag:OfdIjRrTAuVZBOEXTtnrQQ==,type:str]
-    private-key: ENC[AES256_GCM,data:akNIeVp2bfKvnzlS6KLAdqAo7qsGfPatzCZpN1tNRLhRVXmJCcUDVSmVoA==,iv:2Rny8ioDJ2x+NR+n7/Aluv7JZ+Om3MuJKsXiwONYntg=,tag:a3xubIr7hpVjRiHjFL/q5Q==,type:str]
-acme:
-    token: ENC[AES256_GCM,data:JBeN7SVxKGOe6er0eS7/v8YrXdv0nCK/KZc8Ygq0G7FIGu4hO662kg==,iv:rf59MgUCYlAA5h18wtdWoUyb2VPB13OPuJjz1VsI2dU=,tag:ViPrwduD8aWf8i8vmBG78A==,type:str]
-nginx:
-    detectAuth:
-        chn: ENC[AES256_GCM,data:lQHDpv8/Yl5/nycHoeTnCw==,iv:ernNxRpcTOSAllDpqRFVFg3qEw/slEEPPXDFq1AhNL0=,tag:2AVALUf9cDyOgCqI9wwgQQ==,type:str]
-        led: ENC[AES256_GCM,data:zyCiiH21,iv:iEYyNClDsCpWE2oNjt2NqQZ88xOOlMr0yycjKTPdmlw=,tag:kQfbshXfTBA5PtUAgpgCcA==,type:str]
-        chat: ENC[AES256_GCM,data:pXu0WPWmvUzvl2expDpQPqWwi1A4abg72npsaYXDXRcg6aVU0Ec+tgM2+uz2hT9rh3mNoBxadYXDc/zeOL1UCg==,iv:iln5UGGBK2s5pGS03PtolWTkx6KrnYBAWCFnI0V2Bag=,tag:EahTDoPIBkgWnp4MOoTCmw==,type:str]
-    maxmind-license: ENC[AES256_GCM,data:8OioibcXQ9IZ0OQhJ/zHSBQjfdHzkoqwUx5zR8Zq0atNw6SSf7vKrg==,iv:z6WTI2yeqP0h7EqKG114nRQpFVJlNzZspgS6gIFtpt4=,tag:a0dBt9pXJnncBiSKt9dsAQ==,type:str]
-telegram:
-    token: ENC[AES256_GCM,data:Si6yTh48HpA8OkkkvgHwtJYFhF8tW3oaQbldjwBc09QJxp9AoKgASMnZtbDZYA==,iv:GrNyZXjaZMviSjy/LGHHrYTr5PFvDkCXmT3MU4+SLpc=,tag:YifB1tKFLqsgXB/YLqYK4w==,type:str]
-    chat: ENC[AES256_GCM,data:ydPky0W4ZWqn,iv:uWQrZDz2GCxiKRaijM89Npt0fQeSNHbQzDefkZCkUAE=,tag:OJQwV/889Vp2/4wjbN41JA==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNamN1TytweDd3blJsR2ZH
-            ZmlocFZjT3ZaUjlVbG1vVSt4a2s2SjJIaGtRCjRneDV6cHYwdGJOY1BDVS9DeDVC
-            cDdNbUdtSGRHNU1yZFpPc1MzRS92ME0KLS0tIFpmamNmTFYrRGRqbTFVSzBhUlNa
-            VllXdzZ3bEc3UFY0YjZRKzBUcGgyVkUKqI1ojiLbF87alAkEwyrm8wuW2fLbmj8d
-            YBIpoDCZ7AwR5uHWQAtl7BWJV1zab+rA3zvaf2BsrVA1A+RWOtYT/Q==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1yvrl4y0r6yzcxzzkgfwshlrtsjt8uuya6rfwks09pnft7esfcyvqmrtm5q
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWWitsSnRVSzJDZG9ZSE5I
-            bmt2NEFDanR3aFJyYVNnU1NlUldRb2RUVXhNClQrTkgzR1dPNWp3endZTUl5SmRs
-            dEtkSWk4aWJEc2hhbWlXZkxpNGhacFUKLS0tIGZNSG43R0NKYmdFMzdXbmJjSExJ
-            Ri9hM3NRTkM4Q1lDdmdPemEweEFBUmcKNLL5qH+JeFWX0GovkPFVVAnz+4tmfG6/
-            1jN8YqbMIxf5/L8tauXPf0iIiHa6pUcjtDZPr/OEmeXebmF6Bh9u9Q==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-25T03:19:55Z"
-    mac: ENC[AES256_GCM,data:v6yb7ZYcnPw/8SqEJnSWzmlE17PenjnBH2X8HZp+kIDXzNFyNvD19FcbCBZjwyjBLvN1ZF4M9FS7Y4+CvvMrN/4JcFufcY/V1NrOd8IZisfAT5N3WuopPee4IN9WEyPVOsbFnesZo6/wJKuqlV1UR8UZxCd3/wHXob9Lkz45cBw=,iv:XKIUiRfP0lj8V/Z1HbvhBankdcAjQqM8Way6TWjJJMY=,tag:PLYsVj6BmR132oWsxEKnfg==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.9.0

devices/vps6/default.nix

@@ -16,12 +16,6 @@ inputs:
               "/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
             };
           };
-          luks.manual =
-          {
-            enable = true;
-            devices."/dev/disk/by-uuid/4f8aca22-9ec6-4fad-b21a-fd9d8d0514e8" = { mapper = "root"; ssd = true; };
-            delayedMount = [ "/" ];
-          };
           swap = [ "/nix/swap/swap" ];
           rollingRootfs = {};
         };
@@ -34,7 +28,6 @@ inputs:
       };
       services =
       {
-        snapper.enable = true;
         sshd = {};
         xray.server = { serverName = "vps6.xserver.chn.moe"; userNumber = 22; };
         frpServer = { enable = true; serverName = "frp.chn.moe"; };
@@ -51,15 +44,7 @@ inputs:
             [ "nix-store" "xn--qbtm095lrg0bfka60z" ]))
           // (builtins.listToAttrs (builtins.map
             (site: { name = "${site}.chn.moe"; value.upstream.address = "wireguard.vps7.chn.moe"; })
-            [
-              "xn--s8w913fdga" "synapse" "syncv3.synapse" "matrix" "syncv3.matrix"
-              "send" "api" "git" "grafana" "peertube"
-            ]))
-          // (builtins.listToAttrs (builtins.map
-            (site: { name = "${site}.chn.moe"; value.upstream.address = "wireguard.nas.chn.moe"; })
-            [
-              "misskey"
-            ]));
+            [ "xn--s8w913fdga" "misskey" "synapse" "matrix" "send" "api" "git" "grafana" "peertube" ]));
           applications =
           {
             element.instances."element.chn.moe" = {};
@@ -68,21 +53,13 @@ inputs:
             main.enable = true;
             nekomia.enable = true;
             blog = {};
+            sticker = {};
           };
         };
         coturn = {};
         httpua = {};
         mirism.enable = true;
         fail2ban = {};
-        wireguard =
-        {
-          enable = true;
-          peers = [ "pc" "nas" "vps7" "surface" "xmupc1" "xmupc2" "pi3b" "srv1-node0" ];
-          publicKey = "AVOsYUKQQCvo3ctst3vNi8XSVWo1Wh15066aHh+KpF4=";
-          wireguardIp = "192.168.83.1";
-          listenIp = "74.211.99.69";
-          lighthouse = true;
-        };
         beesd.instances.root = { device = "/"; hashTableSizeMB = 64; };
       };
     };

devices/vps6/secrets.yaml

@@ -14,7 +14,7 @@ xray-server:
         user3: ENC[AES256_GCM,data:r+6jXaIj4HJoYLnJcnjJB+WEZlGaoSy/ktc1Aw77hFtNrrGp,iv:P+YUKns1yaOZokH5WkDB0jssGyHg3ncc54tF1PyA7Oc=,tag:/pxMEr7l4ye5EDAOsllxJA==,type:str]
         #ENC[AES256_GCM,data:4gqZh391hg==,iv:No22DrD6EBs2FA4/qH8msWEjs20fc+ZpEeZep+HIv+c=,tag:aHrYNbI83POI4PRj1nd+Yw==,type:comment]
         user4: ENC[AES256_GCM,data:ujiml/r4aFiKOkSJkaD/KE8rKuBtLSnpZREBH3vRJUzDT0QM,iv:a3VFlXpMLNFihvFa7gloANtHmBLg4szTL5LTm8E2kNs=,tag:W9KZ1GAVx9IBKfda7Zedng==,type:str]
-        #ENC[AES256_GCM,data:PTYBkBHs16U=,iv:qr3u7OveM1CmTBIf9gZK4fTRuLCpcZCwf8jmnd1L3Co=,tag:w3O41NG7yCwCVqPGh/6SXA==,type:comment]
+        #ENC[AES256_GCM,data:AzzKMw==,iv:Z73ISOLhPWP40wTy8PucY3KaB9nS7WQECK3tZFYC1ao=,tag:KJuiCODhHyDl5bXInUSI5g==,type:comment]
         user5: ENC[AES256_GCM,data:iDuLRb4dhLUOjpamioMwoTYrn7Cy+Ln4SaedVXkwVD05rjJ0,iv:AqzBBvLpJuIJCUJq0IyDcHrlqb0e84nQC0c94Rj85uw=,tag:0xou1i/iwAxGngO74OIMXg==,type:str]
         #ENC[AES256_GCM,data:D5xiJW0Oyg==,iv:9a/6myiT9Crf/fff6ZkXj/obW2k95cABUNqQdPmcwcc=,tag:chs8BA8YtVkM9m3Ey9ETlA==,type:comment]
         user6: ENC[AES256_GCM,data:YzLlf37SxKmU1/QA7gUIJsGid3KZNoAGOew8xR7cmw5l8ZmX,iv:SfKubo2jfjtxKn9odDiokMEZyPFfYZ/wwyYtBrgvgmM=,tag:+hxwIU5uBhzQyrKX4r3oiw==,type:str]
@@ -24,7 +24,7 @@ xray-server:
         user8: ENC[AES256_GCM,data:H1gPtqF8vryD0rVH7HYzpMuZ3lufOBYczKwaTr4PidQtTyQK,iv:wh7NwFc/1ogNrnTTpm5L9dBqDVkvWiIsJZelR2mtR4Q=,tag:oEFdMFZJ9UYhsSVdefJ4rg==,type:str]
         #ENC[AES256_GCM,data:aYWIiLxs1UvupQ==,iv:AisokHuAzD5B6fEF6ak8WfAe151CM3a8MsaWC4uJPnw=,tag:cdk5S4n9ulyWrqsD+jcqYg==,type:comment]
         user9: ENC[AES256_GCM,data:HVK9KvGfOcwn1joc3VrkjBjE6hrxQPOBD5RTtQUgBPepToh6,iv:VK9aQ64L/GajpledBxC8PNB1BdNYEqwcdL3GKttgxvs=,tag:O/piztCYBARtAFxTMNXGaA==,type:str]
-        #ENC[AES256_GCM,data:b839t/OihMOmz0gIcTo43r2MIw==,iv:8kaAFG7DhFOoitcvbFaAvE1NUSLFrFhy1KiMrqs4r/c=,tag:G4vSADa52ZfN5y5ytoFJoQ==,type:comment]
+        #ENC[AES256_GCM,data:eCl1bK4=,iv:oYA2CFW6OGGrRYx6OHRYJpbEyFh575UjztvHaXA8UG8=,tag:Pw7xsisQB2Dd0KJeWFq6bQ==,type:comment]
         user10: ENC[AES256_GCM,data:xjVkr/wy7OxRuNZKfQagfNxdVxTEyQP1ZhnR6jHy2gjBQ0RD,iv:G6iOBCHOqlvfEENY/ega/TUm81wgT2OOdZKZ6bPfg9o=,tag:p8AMa3bGsIl0hWQ09lSzgA==,type:str]
         #ENC[AES256_GCM,data:+s3MMeNU5Q==,iv:CUrg+nNxCpJFbHQmMNXmSE+JcZK6Dfu8cGwtznx3CFY=,tag:G5CYMtao+hz3hs0fPVPmcw==,type:comment]
         user11: ENC[AES256_GCM,data:BIZ2zRgGv5/9AexiZZvu+m4A62YUWtAkjWWMu89GteqpWMBq,iv:13IJcDf18LjoxJk7uoKnuFZT6Ihxrxsy7DBaAaiFqus=,tag:RN7wj+uPneCkqNlMRyYrXw==,type:str]
@@ -66,7 +66,8 @@ wireguard:
     privateKey: ENC[AES256_GCM,data:4DKPPqQkjb33rQzFIz863A2arDRQA9AivWFBaWTf0xXDX4hWvJFiIlJQfvE=,iv:0R2TH3CMxHgwVjojzjE2Gnp8SXonmBDLWF7hB33NiX0=,tag:vgtV8JkuCdspleN/SvgIqQ==,type:str]
 telegram:
     token: ENC[AES256_GCM,data:LskBPmXZk3hRZ2bChXZjmRzzGd2A2GKrUZMknCDXTpTzOdP/RDibRvgI75HLWg==,iv:9lJKuGLD5HuQinWvvAvwWFAvEJofUGkJsxKNpqZrGmI=,tag:pTmTOlsYIY6Uqd69AtrnBA==,type:str]
-    chat: ENC[AES256_GCM,data:0ehCIvd7sBFc,iv:OwdiIoPrt/e1YgsCrYcqqMYhsJuEtKW2pSKNVxahMV4=,tag:ig2CfQxwzv2ppIutU6371w==,type:str]
+    user:
+        chn: ENC[AES256_GCM,data:5kjoZ4G/NYRG,iv:jGMjDxKUJACTbC2SraMzKsXpC3QSIePJZSsjZ+8JG+c=,tag:dD8SPgIM/+VcmAd3fcZw8g==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -91,8 +92,8 @@ sops:
             ZXFTU3ZCaW1pTVh0RUJzdDdGdHlPYTgK2mlgcX2kEc8+2UDdBnhUm6IIuh8V6agW
             ooxH9OEPXUVI/4JcDo4v8ZUhAyU1ehLH0Ef7PJCChOZe2KZmWSNbhA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-09-26T04:24:17Z"
-    mac: ENC[AES256_GCM,data:AXhLmyZWGD6KvMkyHqmCERE6eNE3pD5Pa/9mRBWZe4hiXL4mKTzCn5C/ODGQ1ZeQjDdP+awjJRvLRjMiYFhVlU8rKpg/f2G1gDr4cIbr61sCdzXKX8wFW0G7bJWxxpAC4X59+u9EJ3sNcyf7bJrMdkTzTYpgXh29mtl2bprcdJQ=,iv:pK4hYexcWng3GwOmWGqgyMsmATnXgcwR3NH4UxCwpvE=,tag:zpv64JWoXc5cDCukDuW51g==,type:str]
+    lastmodified: "2025-02-25T02:32:20Z"
+    mac: ENC[AES256_GCM,data:mP+N/m77jBS1mQ4CsdRNZ38Z2da8BK00OqU+7q7LHxBpBzw+T9wQRQJ1esEq4cfTK8QLujJNZaFTixFHvo5a/mi0peymvdh4w+m5m9ph2UyKqcaRe+qt6MUuavkJYv86jBUxohnDAhPHmkXQOcgOGF1p7d47K08zUXqzOx4SETI=,iv:U5g1lMN5yzusKUPAfi+pZj7TAxnw8HEorMStDwnfnaU=,tag:nE4J/N4cjs0wyO+S6sY4Pw==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.9.0
+    version: 3.9.2

devices/vps7/default.nix

@@ -16,12 +16,6 @@ inputs:
               "/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
             };
           };
-          luks.manual =
-          {
-            enable = true;
-            devices."/dev/disk/by-uuid/db48c8de-bcf7-43ae-a977-60c4f390d5c4" = { mapper = "root"; ssd = true; };
-            delayedMount = [ "/" ];
-          };
           swap = [ "/nix/swap/swap" ];
           rollingRootfs = {};
         };
@@ -33,10 +27,10 @@ inputs:
       };
       services =
       {
-        snapper.enable = true;
         sshd = {};
-        rsshub.enable = true;
-        misskey.instances.misskey.hostname = "xn--s8w913fdga.chn.moe";
+        rsshub = {};
+        misskey.instances =
+          { misskey.hostname = "xn--s8w913fdga.chn.moe"; misskey-old = { port = 9727; redis.port = 3546; }; };
         synapse.instances =
         {
           synapse.matrixHostname = "synapse.chn.moe";
@@ -47,21 +41,13 @@ inputs:
         photoprism.enable = true;
         nextcloud = {};
         freshrss.enable = true;
-        send.enable = true;
-        huginn.enable = true;
+        send = {};
+        huginn = {};
         fz-new-order = {};
         httpapi.enable = true;
         gitea = { enable = true; ssh = {}; };
-        grafana.enable = true;
+        grafana = {};
         fail2ban = {};
-        wireguard =
-        {
-          enable = true;
-          peers = [ "vps6" ];
-          publicKey = "n056ppNxC9oECcW7wEbALnw8GeW7nrMImtexKWYVUBk=";
-          wireguardIp = "192.168.83.2";
-          listenIp = "144.126.144.62";
-        };
         xray.server = { serverName = "xserver.vps7.chn.moe"; userNumber = 4; };
         docker = {};
         peertube = {};

devices/vps7/secrets.yaml

@@ -3,11 +3,12 @@ acme:
 nginx:
     detectAuth:
         chn: ENC[AES256_GCM,data:Gk0TTbnFcsvIgoDcen6B8w==,iv:kvyvygw9zDwaiTQ2vPFTHQex0EWDFg8M8U22AConQFM=,tag:ewAZ/nXxmTOhDAjW/A2OnA==,type:str]
-        led: ENC[AES256_GCM,data:Owax7cyp,iv:NCEKyicVCYZNgxJzlO90heUmwPjfXbZEcyXX09XQKI4=,tag:WMTCVMVCD9sJgAhRUsqvYg==,type:str]
+        led: ENC[AES256_GCM,data:Vb2p9v7U,iv:xJcKgvbc0KAP31uTpFiYlpvPoEHMWH3VkEqqyINKcyk=,tag:X2R+CHFj4N4i7cAK88IoSA==,type:str]
     maxmind-license: ENC[AES256_GCM,data:9aW4QR3K6S+eTqzIjVlNEwkG0wZ4u5jgRfe7CMwRlJlK4AmcS6c45Q==,iv:cPTN1K4Aag5sohGbCQUZHYTvcwAL7AhF+rrY3OvXGPs=,tag:d9GGUMHnfzRz9Cf2U+dBfw==,type:str]
 redis:
     rsshub: ENC[AES256_GCM,data:uPnZIjbnRRoWIHlWkZNZkMpIb3Ujnnpb+AisVSVGFv4sfDAuDlAjt39pRdnWkCXJPqtXjJzQ+FeT34cqxTf8Bg==,iv:/jcyAHkxByFnbkmCAYQwda2QRmhW7L/ICoLuCgsVLCI=,tag:M5Q+dh/Bn7FiNpqQGYus4Q==,type:str]
     misskey-misskey: ENC[AES256_GCM,data:OHjt9o+m++NT5aaFbwBT/wSMdUdgf4zscd/JxjCo5HDhC3WeWMJV7z//kATI5Dg4BWAhvPlL02Vrly4RraIzLw==,iv:sQB4/D2SsOuDR3bTrmlNg7o+6ehFznDsqVc3BX9pK20=,tag:tcwTBt/JhyW8ZTAIWIkWBA==,type:str]
+    misskey-misskey-old: ENC[AES256_GCM,data:amUqMycdXUFvjg66pXKnlZqiESBYMci0k8iYzj824SaEqHl3Nq/I0TjYX++xEUg+RGYyTIcSaj96HUANTKpc1A==,iv:ND1mQLHxltRlOdpJ80ywheGo6hkl7OgRyk9TguJMuTw=,tag:dhCCwnCOnyT2iXdEMK0szg==,type:str]
     nextcloud: ENC[AES256_GCM,data:jwN/CqwkU/5Rd6w75/bV2Yej9b0CoxZaiJEcZXFx+9XUPY3Xg1tQdEr1SALG8xzOEdoL6WBVs14NvrrL25GeTQ==,iv:p5+0AB52QqScJwMhNIrM/7HAcRPdD9Z8xV6uwIDOwIg=,tag:f1XbNDDRXvGl/dkV9Wp2Ug==,type:str]
     send: ENC[AES256_GCM,data:IGxj3cgp+fQBdupfK+IgPEQSPuXdM9LRSLGSATNIkzUWC6sQw1aaKTDuRc8cU2BG6quthRwuWnK/F7k3KrUi8Q==,iv:LI9MkaF4e47FPUyL7AXZpO+CdgF91ScdiqjrE8PZjJ4=,tag:eNugln5M0AhU1xmVWFN7Aw==,type:str]
     synapse-synapse: ENC[AES256_GCM,data:8CVbcN2FG4mRT4PnlOGsS7tDfS+6ojIJFvq2EwItxn1gg2Ghd/Bmx+5tS/Do2FrYp/Xiv1EqucomM50r5bXnmg==,iv:TT7zBKQ4M10XYVCn5aeSu9IqjrIEHHazPUCOTmgRAU0=,tag:0+Q9hZMBVDj1TnHj3xoTBA==,type:str]
@@ -15,6 +16,7 @@ redis:
     peertube: ENC[AES256_GCM,data:cN+cClNV1JD+Z1Wlp07MY7BmLr/EZYZZt04mxKKKN8RG1ZSMGykbc3hd00E14ubhCittJXSPbIWyO63lCGGEPg==,iv:3z1BR0j26LGfXwDDPYU/i8Qx/7529KKoar+xGZanirI=,tag:g/NSGDE1iEYJ1MStrV3rpg==,type:str]
 postgresql:
     misskey_misskey: ENC[AES256_GCM,data:lRbSz7bbiWEdK/cRD41fLvFJF4WYsclKHVykFcU3LIz9vnKlR3VdczzznVqpT7JvG6OUi+TmipJii+0KzXHtdA==,iv:8sBKgVwuDJdThup0KQ6cnAV5O2liwVra1yIpDHVfpMI=,tag:DyUpaHai8ZUyllvZBUm8sg==,type:str]
+    misskey_misskey_old: ENC[AES256_GCM,data:Wwtd+hKI0s7m3PbEPHbnSyTsCkW0x8SYHUiCYuNSNCG8i4RAmiAbONNFfWN2hXnmTmRK79Tx/3GR+L0KMzmNGQ==,iv:BekTELToPQXUdZHyNtkuqKyZeez+moI6k907P7NhA3Q=,tag:A5YB0WIa1RkDCtzeBhiuyA==,type:str]
     synapse_synapse: ENC[AES256_GCM,data:lzaggyuXM1XwsRxFHslsP89r8wEcgi6LNfbcm+pFWj6WLO8y8WaQIdOkiF3D2ToKDwcw5XgSGSt/VAk6lv+GeA==,iv:8WOL3jze797Wz9kSRq7YpY8OS1TBMqHYhfgZlluJlic=,tag:utNhs1AMbGthp6M2c0x67g==,type:str]
     vaultwarden: ENC[AES256_GCM,data:Uz8GJMaLUTQ9pQbZyZLWS4bL5wmt9RvbAwNctAIDt9JrV3FaXxgKjE0MJSGklS55yj/Z/wbO6RCuCK2AWR2VKw==,iv:7hA8YcB88M1qCV8EhFYpHbfPmAZ/7xNqvTMJYZ/UcAY=,tag:mkDHJYmRoYZ/Ct0UmOp9FA==,type:str]
     nextcloud: ENC[AES256_GCM,data:5UpYSMsZgUgEJHg0ou9Z1RTE+YFFUKuXwPtc6L5XxD4GNo8Gd3CvcQSNGAol+5DtyPKF3q1+ZgtScWGrqU1RyA==,iv:Zfm+Oa4eON8WiJzYUkMFawafDwo9pOnOpWkwHYLIKkk=,tag:4ECMla1dFfCrn7lILwWFNA==,type:str]
@@ -30,6 +32,7 @@ rsshub:
     youtube-refresh-token: ENC[AES256_GCM,data:pnXQ1euCdix2H7IxudmUUcpxc2OUhciKT8OcGV89c/EpoXHgx1+eLxwY5rRszroWwjge9M001RGHngvD/ny3phfWAwYmIzMJxun2f7JCPe7ybMesWmPSkiqVBss1Zfic1uB8mNM/yw==,iv:8p8/vATY8F3YuGA1TtjekiuaKOMnQyTMjrwDBJaK4VU=,tag:/jVg9FDOuLMNrupgrywpBQ==,type:str]
     twitter-auth-token: ENC[AES256_GCM,data:65SbHggbYtfSfaaxJxRgD6+HpOX4vIfjnVZmOAZ9illPMYOu9MIchQ==,iv:49UuC8n6AGj1skuHzQX39Q/QuKlB9IxogIfiiy1GBnw=,tag:Rq6b0H9UFVZ19tU8ZeelRg==,type:str]
     bilibili-cookie: ENC[AES256_GCM,data:58nO7ADu2oH/OgLJNYrEEzhf1J0zt8EpuygnSANkGXJju5oSmtM7WLnaMEjC96q14OTTA9QLiFVsbxiFY1eUnraA5W7g7+6CYRXVRZaxz91D/dhKzHGTMjB/LynnNqEIc6liONlcHbyjZNQ+WIqPtjVpCKMN7Mi8cv81/cFX/1GqAwncgDD2oXh1hMPOVY4dYcGKuOG0GjlY6RgOgTPqU3HawQjnoWQjPF+lq2rnWD5HP9ZTxOYa7hm2GgPrxkq1fkRrq+kKYeDh+6M7VLDcm5Fpf+biq6F8fZWzmw4NlVZT9BG0vJFa,iv:vxYXg9Yg9qIWFQXtwTYa4Ds0KSxZYg3M6xdtXKbdaig=,tag:TzCPehk9w+BL4wwgDc1CPg==,type:str]
+    zhihu-cookies: ENC[AES256_GCM,data:DgpvRB7IuRe1KuPFqhCbtyFrC02AUlaA9UWS+d8ix0nweItXwZrkqC03lXQY7nJr54H3SfKXNhtUp4nJmV2hqNQOqekrXVsKrG++UmcAr5Ciw1lTmilqM220igJ9YwiHxtsZrWgp4sTPlTTQIFu5xrGnvlSntBjXAjzStTk1R4XRmLV427QuKbNNQ5MjPXS1PYrtN0d4/qXLx74pNd9ZsNd9F4V0E75Zt6vKE8F7aA==,iv:5Lu/HD8Iw655pg84eFs2eEQS68QqA99uMBHlgelZvrI=,tag:Pnd7VWIAgNt+1vo+vyWDpQ==,type:str]
 mail:
     bot: ENC[AES256_GCM,data:j4Y5oYeVt0sd2z2Qwuqisw==,iv:wasQCTqEMAyttbn1zm9oKck6QiByom+F7ZIMDUse9Gc=,tag:92O4ka6f0I9qnlnVy2dltA==,type:str]
 synapse:
@@ -88,7 +91,8 @@ wireguard:
     privateKey: ENC[AES256_GCM,data:TS+toaJRgAvC78XVwTciXe2IG8++vaqXVCi/u/8Aej6qq1B9Cb6f20cp5K0=,iv:T/NkLvcYiWzIDG3jWtuhe/sH2GT4z5f0xdUGbSL901I=,tag:qN7YokFBj3Kbbx4ijHTRnw==,type:str]
 telegram:
     token: ENC[AES256_GCM,data:Mr6KrAzYoDXA+dPT3oXqK2wm9ahTjZ5GVE/iRPsmcM+S2MABT+8ramyHz9oIFw==,iv:nIZ8rpSxz2GwMbDQFfG3xauMQjiriZ1oxFMrEQeH7sQ=,tag:y5U1T1vV/mmdE/CeaeTR8g==,type:str]
-    chat: ENC[AES256_GCM,data:8w/0EI64a1dC,iv:dHu9JHcUY7QPd9YBKXnrRXQB2K6jpnLrSFs+1IJmkio=,tag:3ucN3uNnBxxRF+cbLsa1nQ==,type:str]
+    user:
+        chn: ENC[AES256_GCM,data:75gj6MtpqZzq,iv:HekPpI2oJtD2UnbmQnTMXV0UwFzxdBKO5b2LpIcFSw4=,tag:bRFAeDk/YFivDAoNc5vwdA==,type:str]
 xray-server:
     clients:
         #ENC[AES256_GCM,data:aAZS,iv:Z+iJG7yC6HJeNdKCCpsZSc9Ny7kAt6GYfXUtZozMb4A=,tag:iMfwjqqmLvu5a8YpF7a0zQ==,type:comment]
@@ -127,8 +131,8 @@ sops:
             SnFHS1Z0SXUzTFdEd29KTy9DU3Y3R0UKfhh+rUmWDrf+UGjclP57dHipPLFoXSqy
             HdelmfV6q4/c7ppx2E+oZw3VNgoZCsrxxzYZfwxHJiZb+5vkE0D8iA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-10-25T08:48:30Z"
-    mac: ENC[AES256_GCM,data:VtdB55WtONC5orgSMFPuELRVtjAC9REZIscEtWLZ8Cyo+FEYmFAlj+0cg/5aOk4dr2JVUnkcWNyefM8xw7m78yU3f5KruKH0N741ngkovhJnI1V6yuY9om/NXvux6dkYKmQcAXq87rYkoDg5CFxsU9RKJncBMCA7bekebzo0aIw=,iv:7Jv8ciLxXWkCzZeU82Wv8oxBcesjb9/qzWfn9tqyta8=,tag:aEnX4E5w64oY8bbJ5Z8MRg==,type:str]
+    lastmodified: "2025-02-25T02:32:05Z"
+    mac: ENC[AES256_GCM,data:MnL2eu1sUS6RnWKJhi0Z3A/x4Qaw8Fgov1PdpkBMHuJVBvmcnT1w8AbsxbOZZMd2bp20NWIzosKXBNuoAJzQx+Mtigtw2mnAzs9zcLhHu6e7OvCDVQ3o9FUEz43V59VzLCDpyj2zvzFanPa9h/Aw6WTs2Qu16xaUB1FVFRzxYfg=,iv:FYNyF2KEWDbCDMTI5XCSeGOE4KSIFjX5VUqT20JMxCs=,tag:NcYVt8jtfAljJhs8m8gYFw==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.9.1
+    version: 3.9.2

devices/xmupc1/default.nix

@@ -1,103 +0,0 @@
-inputs:
-{
-  config =
-  {
-    nixos =
-    {
-      model.type = "server";
-      system =
-      {
-        fileSystems =
-        {
-          mount =
-          {
-            # TODO: reparition
-            vfat."/dev/disk/by-uuid/467C-02E3" = "/boot";
-            btrfs =
-            {
-              "/dev/disk/by-uuid/2f9060bc-09b5-4348-ad0f-3a43a91d158b"."/nix" = "/nix";
-              "/dev/disk/by-uuid/a04a1fb0-e4ed-4c91-9846-2f9e716f6e12" =
-              {
-                "/nix/rootfs" = "/nix/rootfs";
-                "/nix/persistent" = "/nix/persistent";
-                "/nix/nodatacow" = "/nix/nodatacow";
-                "/nix/rootfs/current" = "/";
-              };
-            };
-          };
-          swap = [ "/nix/swap/swap" ];
-          rollingRootfs = {};
-        };
-        nixpkgs =
-        {
-          march = "znver3";
-          cuda =
-          {
-            enable = true;
-            capabilities =
-            [
-              # p5000 p400
-              "6.1"
-              # 2080 Ti
-              "7.5"
-              # 3090
-              "8.6"
-              # 4090
-              "8.9"
-            ];
-            forwardCompat = false;
-          };
-        };
-        nix.remote.slave.enable = true;
-      };
-      hardware = { cpus = [ "amd" ]; gpu.type = "nvidia"; };
-      virtualization.kvmHost = { enable = true; gui = true; };
-      services =
-      {
-        snapper.enable = true;
-        sshd = { passwordAuthentication = true; groupBanner = true; };
-        xray.client.enable = true;
-        smartd.enable = true;
-        beesd.instances =
-        {
-          root = { device = "/"; hashTableSizeMB = 16384; threads = 4; };
-          nix = { device = "/nix"; hashTableSizeMB = 512; };
-        };
-        wireguard =
-        {
-          enable = true;
-          peers = [ "vps6" ];
-          publicKey = "JEY7D4ANfTpevjXNvGDYO6aGwtBGRXsf/iwNwjwDRQk=";
-          wireguardIp = "192.168.83.6";
-        };
-        slurm =
-        {
-          enable = true;
-          master = "xmupc1";
-          node.xmupc1 =
-          {
-            name = "xmupc1"; address = "127.0.0.1";
-            cpu = { cores = 16; threads = 2; };
-            memoryMB = 94208;
-            gpus = { "p5000" = 1; "3090" = 1; "4090" = 1; };
-          };
-          partitions.localhost = [ "xmupc1" ];
-          tui = { cpuMpiThreads = 3; cpuOpenmpThreads = 4; gpus = [ "p5000" "3090" "4090" ]; };
-        };
-        xrdp = { enable = true; hostname = [ "xmupc1.chn.moe" ]; };
-        samba =
-        {
-          enable = true;
-          hostsAllowed = "";
-          shares = { home.path = "/home"; root.path = "/"; };
-        };
-        groupshare = {};
-        hpcstat = {};
-        docker = {};
-      };
-      bugs = [ "xmunet" "amdpstate" ];
-      user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" "lly" ];
-    };
-    services.hardware.bolt.enable = true;
-  };
-}

devices/xmupc1/secrets/munge.key

@@ -1,24 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:tuEymMXW0f7Rui5wrz/xozphTEq6ffkYIfNIoURFNHwH2Cg+aKHz2ox0gk02BJARhPMDrxCYlChkcrEI0ma/T0eBe9sWz3tA8AOwU1lHSZ06d/JWzW7IUIyTac2mnjt3/jY/qpnR4A8wtHwD0j4zkzXgUgFwq7k/fs24acEE4Jo=,iv:iDTS0xswLrwkOYmfomE5hluVONgJYia/RjINDy7T3R0=,tag:oIYNpFCuT2D+X1QEJJiHew==,type:str]",
-	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
-		"age": [
-			{
-				"recipient": "age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3aFRRa0NsOUp5MEg3UHcx\nc3g1VFZEQS9Tci9QSnNFYnIrT3hUdVU5cWxjCnU5UXVEdTFXczJzcHVvSjF2WHdB\nYmpyQVVaUFozKzJIZThBbXUxb2k2YzAKLS0tIHE1QXVrOXo1Y3VXMzJJYitWU3Qv\neDF1cndrSi94clh1cS9NczN0UW9pOXcKtrnIj3WovMYdcg5nWnnyRhJhTGLrlwxW\nxQ6bmNrfbZedmCNdjY2lPXmudMXJ8YlWe/HGCe94x3iFlaSwCIGUsA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1hnarptkze0ujpp05dqr8uma04cxg9zqcx68qgpks5uf5l6rpk5gqhh8wxg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBocFl1SHJEemRySlBnMmNn\nVW9RS1NNdlo4M3l2WGlQaHJmbDBHcjMwaVVnCnY5WExPOXZJVEdYSlJ6UTRBMGJj\ncmlYaUNVV1hnWTNkaWVuV2VuaXN2eU0KLS0tIDBTYnd2NmVYTUJKaHZWRWo3ZlUx\nTEtPZWc2RE1XNG9WTXFOTllWVUVWeUkK+9aLz1rygGAQjpG+oMNUtrDkQaDfg+2q\nnl/CtZZrFD6NXGw6Di0X5t9fQu295NTJ/0qjXnfMigG8gDtxkE+/7g==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2024-02-26T06:04:53Z",
-		"mac": "ENC[AES256_GCM,data:y0RkPyUwwff95BFL951TxS/x5ORzMsxFJVjopSw+8iVtswD8MT1nmsbwyth4C9OnJ/IAtnZk/CjAt72a68AZpPI+2W/JqJq20ohFoquDNhTlsoyLWdO3Vjrd+Wo3hp0+iKQ3e/uYrF1sTqQO9a3OIxu2sVLM0gEDmIe2nJpLJQo=,iv:EjXTQvVdjzfClNfQ3rPxAFVWVqr7sSOz4ap+nshPEAk=,tag:DcIlf9W7NNqQ+gf8f46MwQ==,type:str]",
-		"pgp": null,
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.8.1"
-	}
-}

devices/xmupc2/README.md

@@ -1,29 +0,0 @@
-# 硬件
-
-* CPU：44 核 88 线程。
-* 内存：256 G。
-* 显卡：
-  * 4090：24 G 显存。
-  * ~~P5000：16 G 显存~~暂时拔掉了，否则 4090 供电不够。
-* 硬盘：18 T。
-
-# 支持的连接协议
-
-## SSH
-
-* 地址：xmupc2.chn.moe
-* 端口：6394
-* 用户名：自己名字的拼音首字母
-* 可以用密码登陆，也可以用证书登陆。
-
-## RDP
-
-* 地址：xmupc2.chn.moe:3390
-* 用户名：自己名字的拼音首字母
-* 密码和 ssh 一样（使用同样的验证机制）。
-
-## samba
-
-因端口冲突暂时禁用。
-
-其它内容请阅读 [xmupc1](../xmupc1) 的说明，两台机器的软件大致是一样的。

devices/xmupc2/default.nix

@@ -1,95 +0,0 @@
-inputs:
-{
-  config =
-  {
-    nixos =
-    {
-      model.type = "server";
-      system =
-      {
-        fileSystems =
-        {
-          mount =
-          {
-            vfat."/dev/disk/by-uuid/23CA-F4C4" = "/boot";
-            btrfs =
-            {
-              "/dev/disk/by-uuid/d187e03c-a2b6-455b-931a-8d35b529edac" =
-                { "/nix/rootfs/current" = "/"; "/nix" = "/nix"; };
-            };
-          };
-          swap = [ "/nix/swap/swap" ];
-          rollingRootfs = {};
-        };
-        nixpkgs =
-        {
-          march = "skylake";
-          cuda =
-          {
-            enable = true;
-            capabilities =
-            [
-              # p5000 p400
-              "6.1"
-              # 2080 Ti
-              "7.5"
-              # 3090
-              "8.6"
-              # 4090
-              "8.9"
-            ];
-            forwardCompat = false;
-          };
-        };
-        nix =
-        {
-          marches =
-          [
-            "broadwell" "skylake"
-            # AVX512F CLWB AVX512VL AVX512BW AVX512DQ AVX512CD AVX512VNNI
-            # "cascadelake"
-          ];
-          remote.slave.enable = true;
-        };
-        grub.windowsEntries."8F50-83B8" = "猿神，启动！";
-      };
-      hardware = { cpus = [ "intel" ]; gpu.type = "nvidia"; };
-      virtualization.kvmHost = { enable = true; gui = true; };
-      services =
-      {
-        snapper.enable = true;
-        sshd = { passwordAuthentication = true; groupBanner = true; };
-        xray.client.enable = true;
-        smartd.enable = true;
-        beesd.instances.root = { device = "/"; hashTableSizeMB = 16384; threads = 4; };
-        wireguard =
-        {
-          enable = true;
-          peers = [ "vps6" ];
-          publicKey = "lNTwQqaR0w/loeG3Fh5qzQevuAVXhKXgiPt6fZoBGFE=";
-          wireguardIp = "192.168.83.7";
-        };
-        slurm =
-        {
-          enable = true;
-          master = "xmupc2";
-          node.xmupc2 =
-          {
-            name = "xmupc2"; address = "127.0.0.1";
-            cpu = { sockets = 2; cores = 22; threads = 2; };
-            memoryMB = 253952;
-            gpus."4090" = 1;
-          };
-          partitions.localhost = [ "xmupc2" ];
-          tui = { cpuMpiThreads = 8; cpuOpenmpThreads = 10; gpus = [ "4090" ]; };
-        };
-        xrdp = { enable = true; hostname = [ "xmupc2.chn.moe" ]; };
-        samba = { enable = true; hostsAllowed = ""; shares = { home.path = "/home"; root.path = "/"; }; };
-        groupshare = {};
-        docker = {};
-      };
-      bugs = [ "xmunet" ];
-      user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" "lly" ];
-    };
-  };
-}

dns/config.yaml

@@ -0,0 +1,14 @@
+providers:
+  config:
+    class: octodns.provider.yaml.YamlProvider
+    directory: ./config
+  cloudflare:
+    class: octodns_cloudflare.CloudflareProvider
+    token: env/CLOUDFLARE_TOKEN
+    pagerules: false
+zones:
+  '*':
+    sources:
+      - cloudflare
+    targets:
+      - config

dns/config/chn.moe.yaml

@@ -0,0 +1,186 @@
+? ''
+: - type: A
+    value: 74.211.99.69
+  - type: MX
+    values:
+    - exchange: tuesday.mxrouting.net.
+      preference: 10
+    - exchange: tuesday-relay.mxrouting.net.
+      preference: 20
+  - type: TXT
+    value: v=spf1 include:mxlogin.com -all
+'*.vps4':
+  type: CNAME
+  value: vps4.chn.moe.
+'*.xsession':
+  type: CNAME
+  value: vps3.chn.moe.
+_xlog-challenge.xlog:
+  type: TXT
+  value: chn
+api:
+  type: CNAME
+  value: autoroute.chn.moe.
+autoroute:
+  type: NS
+  values:
+  - ns1.huaweicloud-dns.cn.
+  - ns1.huaweicloud-dns.com.
+  - ns1.huaweicloud-dns.net.
+  - ns1.huaweicloud-dns.org.
+blog:
+  type: CNAME
+  value: vps6.chn.moe.
+catalog:
+  type: CNAME
+  value: vps6.chn.moe.
+coturn:
+  type: CNAME
+  value: vps6.chn.moe.
+element:
+  type: CNAME
+  value: vps6.chn.moe.
+freshrss:
+  type: CNAME
+  value: vps7.chn.moe.
+frp:
+  type: CNAME
+  value: vps6.chn.moe.
+git:
+  type: CNAME
+  value: autoroute.chn.moe.
+grafana:
+  type: CNAME
+  value: autoroute.chn.moe.
+huginn:
+  type: CNAME
+  value: vps7.chn.moe.
+initrd.nas:
+  type: A
+  value: 192.168.1.2
+initrd.vps6:
+  type: CNAME
+  value: vps6.chn.moe.
+initrd.vps7:
+  type: CNAME
+  value: vps7.chn.moe.
+mail:
+  type: CNAME
+  value: tuesday.mxrouting.net.
+matrix:
+  type: CNAME
+  value: autoroute.chn.moe.
+misskey:
+  type: CNAME
+  value: vps6.chn.moe.
+nas:
+  type: A
+  value: 192.168.1.2
+nextcloud:
+  type: CNAME
+  value: vps7.chn.moe.
+nix-store:
+  type: CNAME
+  value: vps6.chn.moe.
+office:
+  type: A
+  value: 210.34.16.60
+peertube:
+  type: CNAME
+  value: autoroute.chn.moe.
+photoprism:
+  type: CNAME
+  value: vps7.chn.moe.
+rsshub:
+  type: CNAME
+  value: vps7.chn.moe.
+send:
+  type: CNAME
+  value: autoroute.chn.moe.
+srv1:
+  type: A
+  value: 59.77.36.250
+srv2:
+  type: CNAME
+  value: office.chn.moe.
+ssh.git:
+  type: CNAME
+  value: vps7.chn.moe.
+sticker:
+  type: CNAME
+  value: vps6.chn.moe.
+synapse:
+  type: CNAME
+  value: autoroute.chn.moe.
+synapse-admin:
+  type: CNAME
+  value: vps6.chn.moe.
+ua:
+  octodns:
+    cloudflare:
+      auto-ttl: true
+  ttl: 300
+  type: CNAME
+  value: vps6.chn.moe.
+vaultwarden:
+  octodns:
+    cloudflare:
+      auto-ttl: true
+  ttl: 300
+  type: CNAME
+  value: vps7.chn.moe.
+vps6:
+  type: A
+  value: 74.211.99.69
+vps6.xserver:
+  type: CNAME
+  value: vps6.chn.moe.
+vps7:
+  type: A
+  value: 144.126.144.62
+webdav:
+  type: CNAME
+  value: vps7.chn.moe.
+webmail:
+  type: CNAME
+  value: tuesday.mxrouting.net.
+wireguard.nas:
+  type: A
+  value: 192.168.83.4
+wireguard.one:
+  type: A
+  value: 192.168.83.5
+wireguard.pc:
+  type: A
+  value: 192.168.83.3
+wireguard.srv1:
+  type: A
+  value: 192.168.83.9
+wireguard.srv2:
+  type: A
+  value: 192.168.83.7
+wireguard.vps6:
+  type: A
+  value: 192.168.83.1
+wireguard.vps7:
+  type: A
+  value: 192.168.83.2
+www:
+  type: CNAME
+  value: vps3.chn.moe.
+x._domainkey:
+  type: TXT
+  value: v=DKIM1\; k=rsa\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv6xvkOMNYyOlY5mCjyL+Wx9PIWljb7WKLurGNnPNrKOrmSKQBAOwKOgv6SWABsuQMSZnoi33QVrqL2pFrGwAnPbhmQSesdAQW/D2ktaTp6iaRCT2eZTGz+dNdi9HCk1Uzkee8hU7L7KZISnNhvOrbBYbaICOwJWVYjk8hqSbIgyhK90IsTmrs9S4E5PSGxLjJ
+    Cpo0X0DPTtPD4ipH7kHnnD5DRO3fkxCvMAuWbnnt5+iUn/NuFQSC//dMqzs+IklBzZWdm/3n3GijkI5XK9rxnvg8V2/bk7SzJy7qeuLJPgbQgVDHCcIJKR0Ugl6CxpqQ8Jvcf0X0AtixVoVEWoyFQIDAQAB
+xlog:
+  type: CNAME
+  value: xlog.autoroute.chn.moe.
+xsession.vps7:
+  type: CNAME
+  value: vps7.chn.moe.
+铜锣湾:
+  type: CNAME
+  value: autoroute.chn.moe.
+铜锣湾实验室:
+  type: CNAME
+  value: vps6.chn.moe.

dns/config/mirism.one.yaml

@@ -0,0 +1,3 @@
+entry:
+  type: CNAME
+  value: vps6.chn.moe.

dns/config/nekomia.moe.yaml

@@ -0,0 +1,3 @@
+? ''
+: type: ALIAS
+  value: vps6.chn.moe.

flake.nix

@@ -6,16 +6,17 @@
     nixpkgs.url = "github:CHN-beta/nixpkgs/nixos-24.11";
     "nixpkgs-23.11".url = "github:CHN-beta/nixpkgs/nixos-23.11";
     "nixpkgs-23.05".url = "github:CHN-beta/nixpkgs/nixos-23.05";
-    home-manager = { url = "github:nix-community/home-manager"; inputs.nixpkgs.follows = "nixpkgs"; };
-    sops-nix =
-    {
-      url = "github:Mic92/sops-nix";
-      inputs = { nixpkgs.follows = "nixpkgs"; nixpkgs-stable.follows = "nixpkgs"; };
-    };
+    nixpkgs-unstable.url = "github:CHN-beta/nixpkgs/nixos-unstable";
+    home-manager = { url = "github:nix-community/home-manager/release-24.11"; inputs.nixpkgs.follows = "nixpkgs"; };
+    sops-nix = { url = "github:Mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; };
     nix-index-database = { url = "github:Mic92/nix-index-database"; inputs.nixpkgs.follows = "nixpkgs"; };
     nur-xddxdd = { url = "github:xddxdd/nur-packages"; inputs.nixpkgs.follows = "nixpkgs"; };
-    nix-vscode-extensions = { url = "github:nix-community/nix-vscode-extensions"; inputs.nixpkgs.follows = "nixpkgs"; };
-    impermanence.url = "github:nix-community/impermanence";
+    nix-vscode-extensions =
+    {
+      url = "github:nix-community/nix-vscode-extensions?rev=7aa26ebccf778efe880fda1290db9c1da56ffa4f";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    impermanence.url = "github:CHN-beta/impermanence";
     qchem = { url = "github:Nix-QChem/NixOS-QChem/master"; inputs.nixpkgs.follows = "nixpkgs"; };
     plasma-manager =
     {
@@ -23,7 +24,6 @@
       inputs = { nixpkgs.follows = "nixpkgs"; home-manager.follows = "home-manager"; };
     };
     nur-linyinfeng = { url = "github:linyinfeng/nur-packages"; inputs.nixpkgs.follows = "nixpkgs"; };
-    nixos-hardware.url = "github:CHN-beta/nixos-hardware";
     envfs = { url = "github:Mic92/envfs"; inputs.nixpkgs.follows = "nixpkgs"; };
     nix-flatpak.url = "github:gmodena/nix-flatpak";
     chaotic =
@@ -34,9 +34,8 @@
     gricad = { url = "github:Gricad/nur-packages"; flake = false; };
     catppuccin.url = "github:catppuccin/nix";
     bscpkgs = { url = "git+https://git.chn.moe/chn/bscpkgs.git"; inputs.nixpkgs.follows = "nixpkgs"; };
-    poetry2nix = { url = "github:nix-community/poetry2nix"; inputs.nixpkgs.follows = "nixpkgs"; };
     winapps = { url = "github:winapps-org/winapps/feat-nix-packaging"; inputs.nixpkgs.follows = "nixpkgs"; };
-    aagl = { url = "github:ezKEa/aagl-gtk-on-nix"; inputs.nixpkgs.follows = "nixpkgs"; };
+    aagl = { url = "github:ezKEa/aagl-gtk-on-nix/release-24.11"; inputs.nixpkgs.follows = "nixpkgs"; };
 
     misskey = { url = "git+https://github.com/CHN-beta/misskey?submodules=1"; flake = false; };
     rsshub = { url = "github:DIYgod/RSSHub"; flake = false; };
@@ -48,11 +47,10 @@
     matplotplusplus = { url = "github:alandefreitas/matplotplusplus"; flake = false; };
     nameof = { url = "github:Neargye/nameof"; flake = false; };
     tgbot-cpp = { url = "github:reo7sp/tgbot-cpp"; flake = false; };
-    v-sim = { url = "gitlab:l_sim/v_sim"; flake = false; };
+    v-sim = { url = "gitlab:l_sim/v_sim/master"; flake = false; };
     rycee = { url = "gitlab:rycee/nur-expressions"; flake = false; };
     blurred-wallpaper = { url = "github:bouteillerAlan/blurredwallpaper"; flake = false; };
     slate = { url = "github:TheBigWazz/Slate"; flake = false; };
-    linux-surface = { url = "github:linux-surface/linux-surface"; flake = false; };
     lepton = { url = "github:black7375/Firefox-UI-Fix"; flake = false; };
     lmod = { url = "github:TACC/Lmod"; flake = false; };
     mumax = { url = "github:CHN-beta/mumax"; flake = false; };
@@ -68,6 +66,13 @@
     blog = { url = "git+https://git.chn.moe/chn/blog-public.git"; flake = false; };
     nixos-wallpaper = { url = "git+https://git.chn.moe/chn/nixos-wallpaper.git"; flake = false; };
     spectroscopy = { url = "github:skelton-group/Phonopy-Spectroscopy"; flake = false; };
+    vaspberry = { url = "github:Infant83/VASPBERRY"; flake = false; };
+    ufo = { url = "git+https://git.chn.moe/chn/ufo.git"; flake = false; };
+    highfive = { url = "git+https://github.com/CHN-beta/HighFive?submodules=1"; flake = false; };
+    stickerpicker = { url = "github:maunium/stickerpicker"; flake = false; };
+    fancy-motd = { url = "github:CHN-beta/fancy-motd"; flake = false; };
+    octodns-cloudflare = { url = "github:octodns/octodns-cloudflare"; flake = false; };
+    mac-style = { url = "github:SergioRibera/s4rchiso-plymouth-theme"; flake = false; };
   };
 
   outputs = inputs: let localLib = import ./flake/lib.nix inputs.nixpkgs.lib; in

flake/dev.nix

@@ -5,24 +5,28 @@
     inputsFrom = [ pkgs.localPackages.biu ];
     packages = [ pkgs.clang-tools_18 ];
     CMAKE_EXPORT_COMPILE_COMMANDS = "1";
+    hardeningDisable = [ "all" ];
   };
-  hpcstat = pkgs.mkShell.override { stdenv = pkgs.clang18Stdenv; }
+  hpcstat = pkgs.mkShell.override { stdenv = pkgs.gcc14Stdenv; }
   {
     inputsFrom = [ (pkgs.localPackages.hpcstat.override { version = null; }) ];
     packages = [ pkgs.clang-tools_18 ];
     CMAKE_EXPORT_COMPILE_COMMANDS = "1";
+    hardeningDisable = [ "all" ];
   };
   sbatch-tui = pkgs.mkShell.override { stdenv = pkgs.clang18Stdenv; }
   {
     inputsFrom = [ pkgs.localPackages.sbatch-tui ];
     packages = [ pkgs.clang-tools_18 ];
     CMAKE_EXPORT_COMPILE_COMMANDS = "1";
+    hardeningDisable = [ "all" ];
   };
   ufo = pkgs.mkShell.override { stdenv = pkgs.clang18Stdenv; }
   {
     inputsFrom = [ pkgs.localPackages.ufo ];
     packages = [ pkgs.clang-tools_18 ];
     CMAKE_EXPORT_COMPILE_COMMANDS = "1";
+    hardeningDisable = [ "all" ];
   };
   chn-bsub = pkgs.mkShell
   {
@@ -44,4 +48,11 @@
     packages = [ pkgs.clang-tools_18 ];
     CMAKE_EXPORT_COMPILE_COMMANDS = "1";
   };
+  info = pkgs.mkShell.override { stdenv = pkgs.clang18Stdenv; }
+  {
+    inputsFrom = [ pkgs.localPackages.info ];
+    packages = [ pkgs.clang-tools_18 ];
+    CMAKE_EXPORT_COMPILE_COMMANDS = "1";
+    hardeningDisable = [ "all" ];
+  };
 }

flake/nixos.nix

@@ -1,51 +1,54 @@
 { inputs, localLib }:
-builtins.listToAttrs
+let
+  machine = [ "nas" "pc" "vps6" "vps7" "one" ];
+  cluster = { srv1 = 4; srv2 = 2; };
+in builtins.listToAttrs
 (
   (builtins.map
     (system:
     {
       name = system;
       value = inputs.nixpkgs.lib.nixosSystem
-      {
-        system = let arch.pi3b = "aarch64-linux"; in arch.${system} or "x86_64-linux";
-        specialArgs = { topInputs = inputs; inherit localLib; };
-        modules = localLib.mkModules
-        [
-          {
-            config =
-            {
-              nixpkgs.overlays = [ inputs.self.overlays.default ];
-              nixos.model.hostname = system;
-            };
-          }
-          ../modules
-          ../devices/${system}
-        ];
-      };
-    })
-    [ "nas" "pc" "pi3b" "surface" "vps4" "vps6" "vps7" "xmupc1" "xmupc2" ])
-  ++ (builtins.map
-    (node:
-    {
-      name = "srv1-${node}";
-      value = inputs.nixpkgs.lib.nixosSystem
       {
         system = "x86_64-linux";
         specialArgs = { topInputs = inputs; inherit localLib; };
         modules = localLib.mkModules
         [
-          {
-            config =
-            {
-              nixpkgs.overlays = [ inputs.self.overlays.default ];
-              nixos.model.cluster = { clusterName = "srv1"; nodeName = node; };
-            };
-          }
+          { config = { nixpkgs.overlays = [ inputs.self.overlays.default ]; nixos.model.hostname = system; }; }
           ../modules
-          ../devices/srv1
-          ../devices/srv1/${node}
+          ../devices/${system}
+          ../devices/cross
         ];
       };
     })
-    [ "node0" "node1" "node2" "node3" ])
+    machine)
+  ++ (builtins.concatLists (builtins.map
+    (cluster:
+      let nodes = builtins.genList (n: "node${builtins.toString n}") cluster.value;
+      in builtins.map
+        (node:
+        {
+          name = "${cluster.name}-${node}";
+          value = inputs.nixpkgs.lib.nixosSystem
+          {
+            system = "x86_64-linux";
+            specialArgs = { topInputs = inputs; inherit localLib; };
+            modules = localLib.mkModules
+            [
+              {
+                config =
+                {
+                  nixpkgs.overlays = [ inputs.self.overlays.default ];
+                  nixos.model.cluster = { clusterName = cluster.name; nodeName = node; };
+                };
+              }
+              ../modules
+              ../devices/${cluster.name}
+              ../devices/${cluster.name}/${node}
+              ../devices/cross
+            ];
+          };
+        })
+        nodes)
+    (localLib.attrsToList cluster)))
 )

flake/packages.nix

@@ -11,9 +11,11 @@
       openssh = (pkgs.pkgsStatic.openssh.override { withLdns = false; etcDir = null; }).overrideAttrs
         (prev: { doCheck = false; patches = prev.patches ++ [ ../packages/hpcstat/openssh.patch ];});
       duc = pkgs.pkgsStatic.duc.override { enableCairo = false; cairo = null; pango = null; };
+      glaze = pkgs.pkgsStatic.glaze.overrideAttrs
+        (prev: { cmakeFlags = prev.cmakeFlags ++ [ "-Dglaze_ENABLE_FUZZING=OFF" ]; });
       # pkgsStatic.clangStdenv have a bug
       # https://github.com/NixOS/nixpkgs/issues/177129
-      biu = pkgs.pkgsStatic.localPackages.biu.override { stdenv = pkgs.pkgsStatic.gcc14Stdenv; };
+      biu = pkgs.pkgsStatic.localPackages.biu.override { stdenv = pkgs.pkgsStatic.gcc14Stdenv; inherit glaze; };
     in pkgs.pkgsStatic.localPackages.hpcstat.override
     {
       inherit openssh duc biu;
@@ -22,7 +24,12 @@
       stdenv = pkgs.pkgsStatic.gcc14Stdenv;
     };
   chn-bsub = pkgs.pkgsStatic.localPackages.chn-bsub;
-  blog = pkgs.callPackage inputs.blog { inherit (inputs) hextra; };
+  blog = pkgs.localPackages.blog;
+  vaspberry = pkgs.pkgsStatic.localPackages.vaspberry.override
+  {
+    gfortran = pkgs.pkgsStatic.gfortran;
+    lapack = pkgs.pkgsStatic.openblas;
+  };
 }
 // (builtins.listToAttrs (builtins.map
   (system: { inherit (system) name; value = system.value.config.system.build.toplevel; })

flake/src.nix

@@ -1,4 +1,52 @@
 { inputs }: let inherit (inputs.self.packages.x86_64-linux) pkgs; in
 {
-  git-lfs-transfer = "sha256-1cGlhLdnU6yTqzcB3J1cq3gawncbtdgkb3LFh2ZmXbM=";
+  git-lfs-transfer = "sha256-qHQeBI2b8EmUinowixqEuR6iGwNYQy3pSc8iPVfJemE=";
+  nvhpc =
+  {
+    src = pkgs.fetchurl
+    {
+      url = "https://developer.download.nvidia.com/hpc-sdk/24.11/nvhpc_2024_2411_Linux_x86_64_cuda_12.6.tar.gz";
+      sha256 = "080rb89p2z98b75wqssvp3s8x6b5n0556d0zskh3cfapcb08lh1r";
+    };
+    version = "24.11";
+    cudaVersion = "12.6";
+  };
+  iso = pkgs.fetchurl
+  {
+    url = "https://releases.nixos.org/nixos/24.11/nixos-24.11.714826.04ef94c4c158/"
+      + "nixos-minimal-24.11.714826.04ef94c4c158-x86_64-linux.iso";
+    sha256 = "12zkmlmvvp6g3syb347q4ffhdavfs3hz2qxvvlgrim6k0kzz436k";
+  };
+  nglview = pkgs.fetchPypi
+  {
+    pname = "nglview";
+    version = "3.1.2";
+    hash = "sha256-f2cu+itsoNs03paOW1dmsUsbPa3iEtL4oIPGAKETRc4=";
+  };
+  vtst =
+  {
+    patch = pkgs.fetchzip
+    {
+      url = "http://theory.cm.utexas.edu/code/vtstcode-204.tgz";
+      sha256 = "00qpqiabl568fwqjnmwqwr0jwg7s56xd9lv9lw8q4qxqy19cpg62";
+    };
+    script = pkgs.fetchzip
+    {
+      url = "http://theory.cm.utexas.edu/code/vtstscripts.tgz";
+      sha256 = "18gsw2850ig1mg4spp39i0ygfcwx0lqnamysn5whiax22m8d5z67";
+    };
+  };
+  huginn = pkgs.dockerTools.pullImage
+  {
+    imageName = "ghcr.io/huginn/huginn";
+    imageDigest = "sha256:fdaa76b95534f3c3a799d527821681dd61b8b6fc24de0a7e109fc665b627f115";
+    sha256 = "062c18360asnzl610n11vd46621cvkj26ay21l82f16r12k4qzwy";
+    finalImageName = "huginn/huginn";
+    finalImageTag = "latest";
+  };
+  misskey =
+  {
+    "https://github.com/aiscript-dev/aiscript-languageserver/releases/download/0.1.6/aiscript-dev-aiscript-languageserver-0.1.6.tgz" = "0092d5r67bhf4xkvrdn4a2rm1drjzy7b5sw8mi7hp4pqvpc20ylr";
+    "https://github.com/misskey-dev/tabler-icons/archive/refs/tags/3.29.0-mi.1913+5921534bc.tar.gz" = "1snwwcgxwlp9jwlq6pj4q0mypzp0c7b28m49mcwvr6dzq9vlpy2s";
+  };
 }

modules/bugs/default.nix

@@ -1,28 +1,38 @@
 inputs:
-  let
-    inherit (inputs.localLib) stripeTabs;
-    inherit (builtins) map attrNames;
-    inherit (inputs.lib) mkMerge mkIf mkOption types;
-    bugs =
+let bugs =
+{
+  # suspend & hibernate do not use platform
+  suspend-hibernate-no-platform.systemd.sleep.extraConfig =
+  ''
+    SuspendState=freeze
+    HibernateMode=shutdown
+  '';
+  # xmunet use old encryption
+  xmunet.nixpkgs.config.packageOverrides = pkgs: { wpa_supplicant = pkgs.wpa_supplicant.overrideAttrs
+    (attrs: { patches = attrs.patches ++ [ ./xmunet.patch ];}); };
+  backlight.boot.kernelParams = [ "nvidia.NVreg_RegistryDwords=EnableBrightnessControl=1" ];
+  amdpstate.boot.kernelParams = [ "amd_pstate=active" ];
+  iwlwifi =
+  {
+    nixos.system.kernel.modules.modprobeConfig =
+      [ "options iwlwifi power_save=0" "options iwlmvm power_scheme=1" "options iwlwifi uapsd_disable=1" ];
+    systemd.services = let modprobe = "${inputs.pkgs.kmod}/bin/modprobe"; in
     {
-      # suspend & hibernate do not use platform
-      suspend-hibernate-no-platform.systemd.sleep.extraConfig =
-      ''
-        SuspendState=freeze
-        HibernateMode=shutdown
-      '';
-      # xmunet use old encryption
-      xmunet.nixpkgs.config.packageOverrides = pkgs: { wpa_supplicant = pkgs.wpa_supplicant.overrideAttrs
-        (attrs: { patches = attrs.patches ++ [ ./xmunet.patch ];}); };
-      backlight.boot.kernelParams = [ "nvidia.NVreg_RegistryDwords=EnableBrightnessControl=1" ];
-      amdpstate.boot.kernelParams = [ "amd_pstate=active" ];
+      load-iwlwifi = rec
+        { wantedBy = [ "hibernate.target" ]; before = wantedBy; script = "${modprobe} iwlwifi iwlmvm"; };
+      unload-iwlwifi = rec
+        { wantedBy = [ "hibernate.target" ]; after = wantedBy; script = "${modprobe} -r iwlwifi iwlmvm"; };
     };
-  in
-    {
-      options.nixos.bugs = mkOption
-      {
-        type = types.listOf (types.enum (attrNames bugs));
-        default = [];
-      };
-      config = mkMerge (map (bug: mkIf (builtins.elem bug inputs.config.nixos.bugs) bugs.${bug}) (attrNames bugs));
-    }
+  };
+};
+in
+{
+  options.nixos.bugs = inputs.lib.mkOption
+  {
+    type = inputs.lib.types.listOf (inputs.lib.types.enum (builtins.attrNames bugs));
+    default = [];
+  };
+  config = inputs.lib.mkMerge (builtins.map
+    (bug: inputs.lib.mkIf (builtins.elem bug inputs.config.nixos.bugs) bugs.${bug})
+    (builtins.attrNames bugs));
+}

modules/default.nix

@@ -1,47 +1,40 @@
-inputs:
-  let
-    inherit (inputs) topInputs;
-    inherit (inputs.localLib) mkModules;
-  in
-  {
-    imports = mkModules
-    [
-      topInputs.home-manager.nixosModules.home-manager
-      topInputs.sops-nix.nixosModules.sops
-      topInputs.nix-index-database.nixosModules.nix-index
-      topInputs.nur-xddxdd.nixosModules.setupOverlay
-      topInputs.impermanence.nixosModules.impermanence
-      topInputs.nix-flatpak.nixosModules.nix-flatpak
-      topInputs.chaotic.nixosModules.default
-      { config.chaotic.nyx.overlay.onTopOf = "user-pkgs"; }
-      topInputs.catppuccin.nixosModules.catppuccin
-      topInputs.aagl.nixosModules.default
-      (inputs:
+inputs: let inherit (inputs) topInputs; in
+{
+  imports = inputs.localLib.mkModules
+  [
+    topInputs.home-manager.nixosModules.home-manager
+    topInputs.sops-nix.nixosModules.sops
+    topInputs.nix-index-database.nixosModules.nix-index
+    topInputs.impermanence.nixosModules.impermanence
+    topInputs.nix-flatpak.nixosModules.nix-flatpak
+    topInputs.chaotic.nixosModules.default
+    { config.chaotic.nyx.overlay.onTopOf = "user-pkgs"; }
+    topInputs.catppuccin.nixosModules.catppuccin
+    topInputs.aagl.nixosModules.default
+    (inputs:
+    {
+      config =
       {
-        config =
-        {
-          nixpkgs.overlays =
-          [
-            topInputs.qchem.overlays.default
-            topInputs.bscpkgs.overlays.default
-            topInputs.poetry2nix.overlays.default
-            topInputs.aagl.overlays.default
-            (final: prev:
-            {
-              nix-vscode-extensions = topInputs.nix-vscode-extensions.extensions."${prev.system}";
-              nur-xddxdd = topInputs.nur-xddxdd.overlays.default final prev;
-              nur-linyinfeng = (topInputs.nur-linyinfeng.overlays.default final prev).linyinfeng;
-              firefox-addons = (import "${topInputs.rycee}" { inherit (prev) pkgs; }).firefox-addons;
-              inherit (import topInputs.gricad { pkgs = final; }) intel-oneapi intel-oneapi-2022;
-            })
-          ];
-          home-manager.sharedModules =
-          [
-            topInputs.plasma-manager.homeManagerModules.plasma-manager
-            topInputs.catppuccin.homeManagerModules.catppuccin
-          ];
-        };
-      })
-      ./hardware ./packages ./system ./virtualization ./services ./bugs ./user ./model.nix
-    ];
-  }
+        nixpkgs.overlays =
+        [
+          topInputs.qchem.overlays.default
+          topInputs.bscpkgs.overlays.default
+          topInputs.aagl.overlays.default
+          topInputs.nur-xddxdd.overlays.inSubTree
+          (final: prev:
+          {
+            nix-vscode-extensions = topInputs.nix-vscode-extensions.extensions.${prev.system};
+            nur-linyinfeng = (topInputs.nur-linyinfeng.overlays.default final prev).linyinfeng;
+            firefox-addons = (import "${topInputs.rycee}" { inherit (prev) pkgs; }).firefox-addons;
+            inherit (import topInputs.gricad { pkgs = final; }) intel-oneapi intel-oneapi-2022;
+          })
+        ];
+        home-manager.sharedModules =
+        [
+          topInputs.plasma-manager.homeManagerModules.plasma-manager
+          topInputs.catppuccin.homeManagerModules.catppuccin
+        ];
+      };
+    })
+  ] ++ (inputs.localLib.findModules ./.);
+}

modules/hardware/default.nix

@@ -24,7 +24,7 @@ inputs:
           printing =
           {
             enable = true;
-            drivers = inputs.lib.mkIf (inputs.config.nixos.system.nixpkgs.arch == "x86_64") [ inputs.pkgs.cnijfilter2 ];
+            drivers = [ inputs.pkgs.cnijfilter2 ];
             # TODO: remove in next update
             browsed.enable = false;
           };

modules/hardware/gpu.nix

@@ -22,6 +22,7 @@ inputs:
         busId = mkOption { type = types.attrsOf types.nonEmptyStr; default = {}; };
       };
       driver = mkOption { type = types.enum [ "production" "latest" "beta" ]; default = "production"; };
+      open = mkOption { type = types.bool; default = true; };
     };
   };
   config = let inherit (inputs.config.nixos.hardware) gpu; in inputs.lib.mkIf (gpu.type != null) (inputs.lib.mkMerge
@@ -47,8 +48,8 @@ inputs:
               let packages = with inputs.pkgs;
               {
                 # TODO: import from nixos-hardware instead
-                intel =
-                  [ (intel-vaapi-driver.override { enableHybridCodec = true; }) libvdpau-va-gl intel-media-driver ];
+                # enableHybridCodec is only needed for some old intel gpus (Atom, Nxxx, etc)
+                intel = [ intel-vaapi-driver libvdpau-va-gl intel-media-driver ];
                 nvidia = [ vaapiVdpau ];
                 amd = [];
               };
@@ -61,15 +62,11 @@ inputs:
             dynamicBoost.enable = inputs.lib.mkIf gpu.nvidia.dynamicBoost true;
             nvidiaSettings = true;
             package = inputs.config.boot.kernelPackages.nvidiaPackages.${gpu.nvidia.driver};
-            open = true; # TODO: remove when 560 is stable
+            inherit (gpu.nvidia) open;
             prime.allowExternalGpu = true;
           };
         };
         boot.blacklistedKernelModules = [ "nouveau" ];
-        environment.variables =
-          if builtins.elem "nvidia" gpus then { VDPAU_DRIVER = "nvidia"; }
-          else if builtins.elem "intel" gpus then { VDPAU_DRIVER = "va_gl"; }
-          else {};
         services.xserver.videoDrivers =
           let driver = { intel = "modesetting"; amd = "amdgpu"; nvidia = "nvidia"; };
           in builtins.map (gpu: driver.${gpu}) gpus;

modules/model.nix

@@ -3,9 +3,8 @@ inputs:
   options.nixos.model = let inherit (inputs.lib) mkOption types; in
   {
     hostname = mkOption { type = types.nonEmptyStr; };
-    type = mkOption { type = types.enum [ "minimal" "desktop" "server" ]; default = "minimal"; };
-    # not implemented yet
-    # private = mkOption { type = types.bool; };
+    type = mkOption { type = types.enum [ "vps" "desktop" "server" ]; default = "vps"; };
+    private = mkOption { type = types.bool; default = false; };
     cluster = mkOption
     {
       type = types.nullOr (types.submodule { options =
@@ -22,12 +21,5 @@ inputs:
     { networking.hostName = model.hostname; }
     (inputs.lib.mkIf (model.cluster != null)
       { nixos.model.hostname = "${model.cluster.clusterName}-${model.cluster.nodeName}"; })
-    # TODO: remove it
-    {
-      systemd.services = inputs.lib.mkIf (model.cluster.nodeType or null == "worker") (builtins.listToAttrs
-        (builtins.map
-          (user: { name = "home-manager-${inputs.utils.escapeSystemdPath user}"; value.enable = false; })
-          inputs.config.nixos.user.users));
-    }
   ];
 }

modules/packages/android-studio.nix

@@ -0,0 +1,12 @@
+inputs:
+{
+  options.nixos.packages.android-studio = let inherit (inputs.lib) mkOption types; in mkOption
+  {
+    type = types.nullOr (types.submodule {});
+    default = null;
+  };
+  config = let inherit (inputs.config.nixos.packages) android-studio; in inputs.lib.mkIf (android-studio != null)
+  {
+    nixos.packages.packages._packages = with inputs.pkgs; [ androidStudioPackages.stable.full ];
+  };
+}

modules/packages/default.nix

@@ -3,30 +3,23 @@ inputs:
   imports = inputs.localLib.findModules ./.;
   options.nixos.packages.packages = let inherit (inputs.lib) mkOption types; in
   {
-    extraPackages = mkOption { type = types.listOf types.unspecified; default = []; };
-    excludePackages = mkOption { type = types.listOf types.unspecified; default = []; };
-    extraPythonPackages = mkOption { type = types.listOf types.unspecified; default = []; };
-    excludePythonPackages = mkOption { type = types.listOf types.unspecified; default = []; };
-    extraPrebuildPackages = mkOption { type = types.listOf types.unspecified; default = []; };
-    excludePrebuildPackages = mkOption { type = types.listOf types.unspecified; default = []; };
     _packages = mkOption { type = types.listOf types.unspecified; default = []; };
     _pythonPackages = mkOption { type = types.listOf types.unspecified; default = []; };
     _prebuildPackages = mkOption { type = types.listOf types.unspecified; default = []; };
+    _pythonEnvFlags = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
+    _vscodeEnvFlags = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
   };
   config =
   {
     environment.systemPackages = with inputs.config.nixos.packages.packages;
-      (inputs.lib.lists.subtractLists excludePackages (_packages ++ extraPackages))
+      _packages
       ++ [
-        (inputs.pkgs.python3.withPackages (pythonPackages:
-          inputs.lib.lists.subtractLists
-            (builtins.concatLists (builtins.map (packageFunction: packageFunction pythonPackages)
-              excludePythonPackages))
-            (builtins.concatLists (builtins.map (packageFunction: packageFunction pythonPackages)
-              (_pythonPackages ++ extraPythonPackages)))))
+        (
+          (inputs.pkgs.python3.withPackages (pythonPackages:
+            builtins.concatLists (builtins.map (packageFunction: packageFunction pythonPackages) _pythonPackages)))
+          .override (prev: { makeWrapperArgs = prev.makeWrapperArgs or [] ++ _pythonEnvFlags; }))
         (inputs.pkgs.writeTextDir "share/prebuild-packages"
-          (builtins.concatStringsSep "\n" (builtins.map builtins.toString
-            (inputs.lib.lists.subtractLists excludePrebuildPackages (_prebuildPackages ++ extraPrebuildPackages)))))
+          (builtins.concatStringsSep "\n" (builtins.map builtins.toString _prebuildPackages)))
       ];
   };
 }

modules/packages/desktop/default.nix

@@ -16,7 +16,7 @@ inputs:
           # system management
           # TODO: module should add yubikey-touch-detector into path
           gparted wayland-utils clinfo glxinfo vulkan-tools dracut yubikey-touch-detector btrfs-assistant snapper-gui
-          kdePackages.qtstyleplugin-kvantum ventoy-full cpu-x wl-mirror
+          kdePackages.qtstyleplugin-kvantum ventoy-full cpu-x wl-mirror geekbench xpra
           (
             writeShellScriptBin "xclip"
             ''
@@ -43,7 +43,7 @@ inputs:
           warp-terminal
           # development
           adb-sync scrcpy dbeaver-bin cling aircrack-ng
-          weston cage openbox krita jetbrains.clion androidStudioPackages.stable.full fprettify
+          weston cage openbox krita jetbrains.clion fprettify
           # desktop sharing
           rustdesk-flutter
           # password and key management
@@ -52,28 +52,27 @@ inputs:
           # download
           qbittorrent nur-xddxdd.baidupcs-go wgetpaste onedrive onedrivegui rclone
           # editor
-          typora # appflowy notion-app-enhanced joplin-desktop standardnotes logseq
+          typora appflowy notion-app-enhanced joplin-desktop standardnotes logseq obsidian
           # news
-          fluent-reader rssguard newsflash newsboat
+          fluent-reader rssguard newsflash newsboat follow
           # nix tools
           nixpkgs-fmt appimage-run nixd nix-serve node2nix nix-prefetch-github prefetch-npm-deps nix-prefetch-docker
           nix-template nil pnpm-lock-export bundix
           # instant messager
           element-desktop telegram-desktop discord zoom-us slack nur-linyinfeng.wemeet nheko
-          fluffychat signal-desktop qq nur-xddxdd.wechat-uos cinny-desktop
+          fluffychat signal-desktop qq nur-xddxdd.wechat-uos-sandboxed cinny-desktop
           # browser
           google-chrome tor-browser microsoft-edge
           # office
           crow-translate zotero pandoc libreoffice-qt texliveFull poppler_utils pdftk pdfchain davinci-resolve
-          # TODO: enable in next release
-          # hdfview
-          ydict texstudio
+          ydict texstudio panoply pspp paperwork
           # matplot++ needs old gnuplot
           inputs.pkgs."pkgs-23.11".gnuplot
           # math, physics and chemistry
-          octaveFull root ovito localPackages.vesta localPackages.v-sim
-          (mathematica.overrideAttrs (prev: { postInstall = (prev.postInstall or "") + "ln -s ${prev.src} $out/src"; }))
-          (quantum-espresso.override { stdenv = gcc14Stdenv; gfortran = gfortran14; }) jmol mpi localPackages.ufo
+          octaveFull ovito localPackages.vesta localPackages.v-sim jmol mpi geogebra6 localPackages.ufo
+          (quantum-espresso.override { stdenv = gcc14Stdenv; gfortran = gfortran14;
+            wannier90 = inputs.pkgs.wannier90.overrideAttrs { buildFlags = [ "dynlib" ]; }; })
+          inputs.pkgs."pkgs-23.11".hdfview
           # virtualization
           virt-viewer bottles wineWowPackages.stagingFull genymotion playonlinux
           # media

modules/packages/lammps.nix

@@ -8,7 +8,7 @@ inputs:
   config = let inherit (inputs.config.nixos.packages) lammps; in inputs.lib.mkIf (lammps != null)
   {
     nixos.packages.packages._packages =
-      let cuda = let inherit (inputs.config.nixos.system.nixpkgs) cuda; in cuda.enable && cuda.capabilities != null;
+      let cuda = let inherit (inputs.config.nixos.system.nixpkgs) cuda; in cuda.capabilities or null != null;
       in
         if cuda then [((inputs.pkgs.lammps.override { stdenv = inputs.pkgs.cudaPackages.backendStdenv; })
           .overrideAttrs (prev:

modules/packages/mathematica.nix

@@ -0,0 +1,13 @@
+inputs:
+{
+  options.nixos.packages.mathematica = let inherit (inputs.lib) mkOption types; in mkOption
+  {
+    type = types.nullOr (types.submodule {});
+    default = null;
+  };
+  config = let inherit (inputs.config.nixos.packages) mathematica; in inputs.lib.mkIf (mathematica != null)
+  {
+    nixos.packages.packages._packages = [ (inputs.pkgs.mathematica.overrideAttrs
+      (prev: { postInstall = (prev.postInstall or "") + "ln -s ${prev.src} $out/src"; })) ];
+  };
+}

modules/packages/mumax.nix

@@ -5,7 +5,7 @@ inputs:
     type = types.nullOr (types.submodule {});
     default =
       if (builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ])
-        && (let inherit (inputs.config.nixos.system.nixpkgs) cuda; in cuda.enable && cuda.capabilities != null)
+        && (let inherit (inputs.config.nixos.system.nixpkgs) cuda; in cuda.capabilities or null != null)
       then {}
       else null;
   };

modules/packages/root/17253.patch

@@ -0,0 +1,151 @@
+From 1d2acc921853825af02059183b683c35f5075302 Mon Sep 17 00:00:00 2001
+From: chn <chn@chn.moe>
+Date: Wed, 11 Dec 2024 22:33:40 +0800
+Subject: [PATCH] add C++23 support
+
+---
+ graf3d/eve7/inc/ROOT/REveCaloData.hxx             |  4 ++--
+ graf3d/eve7/src/REveCaloData.cxx                  |  3 +++
+ interpreter/cling/lib/Interpreter/CIFactory.cpp   | 15 +++++++++++----
+ .../Interpreter/IncrementalCUDADeviceCompiler.cpp |  2 ++
+ .../cling/tools/Jupyter/kernel/clingkernel.py     |  4 ++--
+ .../inc/RooStats/HistFactory/HistRef.h            |  3 +--
+ .../inc/RooFit/Detail/NormalizationHelpers.h      |  3 +--
+ 7 files changed, 22 insertions(+), 12 deletions(-)
+
+diff --git a/graf3d/eve7/inc/ROOT/REveCaloData.hxx b/graf3d/eve7/inc/ROOT/REveCaloData.hxx
+index 79d2e7069504c..33152334730f4 100644
+--- a/graf3d/eve7/inc/ROOT/REveCaloData.hxx
++++ b/graf3d/eve7/inc/ROOT/REveCaloData.hxx
+@@ -174,7 +174,7 @@ protected:
+ 
+ public:
+    REveCaloData(const char* n="REveCaloData", const char* t="");
+-   ~REveCaloData() override {}
++   ~REveCaloData() override;
+ 
+    void    FillImpliedSelectedSet(Set_t& impSelSet, const std::set<int>& sec_idcs) override;
+ 
+@@ -220,7 +220,7 @@ public:
+    Bool_t   GetWrapTwoPi() const { return fWrapTwoPi; }
+    void     SetWrapTwoPi(Bool_t w) { fWrapTwoPi=w; }
+ 
+-   void     SetSelector(REveCaloDataSelector* iSelector) { fSelector.reset(iSelector); }
++   void     SetSelector(REveCaloDataSelector* iSelector);
+    REveCaloDataSelector* GetSelector() { return fSelector.get(); }
+ 
+    Int_t WriteCoreJson(nlohmann::json &j, Int_t rnr_offset) override;
+diff --git a/graf3d/eve7/src/REveCaloData.cxx b/graf3d/eve7/src/REveCaloData.cxx
+index a5248f3c51d39..dc19d7d1be4a4 100644
+--- a/graf3d/eve7/src/REveCaloData.cxx
++++ b/graf3d/eve7/src/REveCaloData.cxx
+@@ -129,6 +129,9 @@ REveCaloData::REveCaloData(const char* n, const char* t):
+    // Constructor.
+ }
+ 
++REveCaloData::~REveCaloData() {}
++void REveCaloData::SetSelector(REveCaloDataSelector* iSelector) { fSelector.reset(iSelector); }
++
+ ////////////////////////////////////////////////////////////////////////////////
+ /// Process newly selected cells with given select-record.
+ 
+diff --git a/interpreter/cling/lib/Interpreter/CIFactory.cpp b/interpreter/cling/lib/Interpreter/CIFactory.cpp
+index 385c03682575d..d33ce3a0039c5 100644
+--- a/interpreter/cling/lib/Interpreter/CIFactory.cpp
++++ b/interpreter/cling/lib/Interpreter/CIFactory.cpp
+@@ -61,14 +61,18 @@ using namespace cling;
+ 
+ namespace {
+   static constexpr unsigned CxxStdCompiledWith() {
++    // The value of __cplusplus in GCC < 14 is 202100L when -std=c++2b or
++    // -std=c++23 is specified, thus we relax the check to 202100L.
++#if __cplusplus >= 202100L
++    return 23;
++#elif __cplusplus >  201703L
++    return 20;
++#elif __cplusplus > 201402L
++    return 17;
+     // The value of __cplusplus in GCC < 5.0 (e.g. 4.9.3) when
+     // either -std=c++1y or -std=c++14 is specified is 201300L, which fails
+     // the test for C++14 or more (201402L) as previously specified.
+     // I would claim that the check should be relaxed to:
+-#if __cplusplus >  201703L
+-    return 20;
+-#elif __cplusplus > 201402L
+-    return 17;
+ #elif __cplusplus > 201103L || (defined(_WIN32) && _MSC_VER >= 1900)
+     return 14;
+ #elif __cplusplus >= 201103L
+@@ -941,6 +945,8 @@ namespace {
+     // Sanity check that clang delivered the language standard requested
+     if (CompilerOpts.DefaultLanguage(&LangOpts)) {
+       switch (CxxStdCompiledWith()) {
++        case 23: assert(LangOpts.CPlusPlus23 && "Language version mismatch");
++          LLVM_FALLTHROUGH;
+         case 20: assert(LangOpts.CPlusPlus20 && "Language version mismatch");
+           LLVM_FALLTHROUGH;
+         case 17: assert(LangOpts.CPlusPlus17 && "Language version mismatch");
+@@ -1343,6 +1349,7 @@ namespace {
+       // and by enforcing the std version now cling is telling clang what to
+       // do, rather than after clang has dedcuded a default.
+       switch (CxxStdCompiledWith()) {
++        case 23: argvCompile.emplace_back("-std=c++23"); break;
+         case 20: argvCompile.emplace_back("-std=c++20"); break;
+         case 17: argvCompile.emplace_back("-std=c++17"); break;
+         case 14: argvCompile.emplace_back("-std=c++14"); break;
+diff --git a/interpreter/cling/lib/Interpreter/IncrementalCUDADeviceCompiler.cpp b/interpreter/cling/lib/Interpreter/IncrementalCUDADeviceCompiler.cpp
+index ac6bd0e89444e..a492add8a01fc 100644
+--- a/interpreter/cling/lib/Interpreter/IncrementalCUDADeviceCompiler.cpp
++++ b/interpreter/cling/lib/Interpreter/IncrementalCUDADeviceCompiler.cpp
+@@ -117,6 +117,8 @@ namespace cling {
+       cppStdVersion = "-std=c++1z";
+     if (langOpts.CPlusPlus20)
+       cppStdVersion = "-std=c++20";
++    if (langOpts.CPlusPlus23)
++      cppStdVersion = "-std=c++23";
+ 
+     if (cppStdVersion.empty())
+       llvm::errs()
+diff --git a/interpreter/cling/tools/Jupyter/kernel/clingkernel.py b/interpreter/cling/tools/Jupyter/kernel/clingkernel.py
+index 17fcbd116ecc6..17b4d24f23d86 100644
+--- a/interpreter/cling/tools/Jupyter/kernel/clingkernel.py
++++ b/interpreter/cling/tools/Jupyter/kernel/clingkernel.py
+@@ -90,8 +90,8 @@ def _banner_default(self):
+     flush_interval = Float(0.25, config=True)
+ 
+     std = CaselessStrEnum(default_value='c++11',
+-            values = ['c++11', 'c++14', 'c++1z', 'c++17', 'c++20', 'c++2b'],
+-            help="C++ standard to use, either c++2b, c++20, c++17, c++1z, c++14 or c++11").tag(config=True);
++            values = ['c++11', 'c++14', 'c++1z', 'c++17', 'c++20', 'c++2b', 'c++23' ],
++            help="C++ standard to use, either c++23, c++2b, c++20, c++17, c++1z, c++14 or c++11").tag(config=True);
+ 
+     def __init__(self, **kwargs):
+         super(ClingKernel, self).__init__(**kwargs)
+diff --git a/roofit/histfactory/inc/RooStats/HistFactory/HistRef.h b/roofit/histfactory/inc/RooStats/HistFactory/HistRef.h
+index 7db9765004e0d..5b37542e6bdea 100644
+--- a/roofit/histfactory/inc/RooStats/HistFactory/HistRef.h
++++ b/roofit/histfactory/inc/RooStats/HistFactory/HistRef.h
+@@ -12,8 +12,7 @@
+ #define HISTFACTORY_HISTREF_H
+ 
+ #include <memory>
+-
+-class TH1;
++#include <TH1.h>
+ 
+ namespace RooStats{
+ namespace HistFactory {
+diff --git a/roofit/roofitcore/inc/RooFit/Detail/NormalizationHelpers.h b/roofit/roofitcore/inc/RooFit/Detail/NormalizationHelpers.h
+index c66954d0f0549..a849d7c2c8b4b 100644
+--- a/roofit/roofitcore/inc/RooFit/Detail/NormalizationHelpers.h
++++ b/roofit/roofitcore/inc/RooFit/Detail/NormalizationHelpers.h
+@@ -70,8 +70,7 @@ template <class T>
+ std::unique_ptr<T> compileForNormSet(T const &arg, RooArgSet const &normSet)
+ {
+    RooFit::Detail::CompileContext ctx{normSet};
+-   std::unique_ptr<RooAbsArg> head = arg.compileForNormSet(normSet, ctx);
+-   return std::unique_ptr<T>{static_cast<T *>(head.release())};
++   return std::unique_ptr<T>{static_cast<T *>(arg.compileForNormSet(normSet, ctx).release())};
+ }
+ 
+ } // namespace Detail

modules/packages/root/17273.patch

@@ -0,0 +1,22 @@
+From ab80270dd50f4ae08e452daa3fd0eccc7f9f96ee Mon Sep 17 00:00:00 2001
+From: Danilo Piparo <danilo.piparo@cern.ch>
+Date: Sat, 14 Dec 2024 07:45:22 +0100
+Subject: [PATCH 1/2] [CMake] Allow to process cxx23 option
+
+---
+ cmake/modules/CheckCompiler.cmake | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cmake/modules/CheckCompiler.cmake b/cmake/modules/CheckCompiler.cmake
+index 883bf0e2daed1..c2ac5df869797 100644
+--- a/cmake/modules/CheckCompiler.cmake
++++ b/cmake/modules/CheckCompiler.cmake
+@@ -161,7 +161,7 @@ set(CMAKE_CXX_STANDARD ${CXX_STANDARD_STRING} CACHE STRING "")
+ set(CMAKE_CXX_STANDARD_REQUIRED TRUE)
+ set(CMAKE_CXX_EXTENSIONS FALSE CACHE BOOL "")
+ 
+-if(NOT CMAKE_CXX_STANDARD MATCHES "17|20")
++if(NOT CMAKE_CXX_STANDARD MATCHES "17|20|23")
+   message(FATAL_ERROR "Unsupported C++ standard: ${CMAKE_CXX_STANDARD}. Supported standards are: 17, 20.")
+ endif()
+ 

modules/packages/root/default.nix

@@ -0,0 +1,31 @@
+inputs:
+{
+  options.nixos.packages.root = let inherit (inputs.lib) mkOption types; in mkOption
+    { type = types.nullOr (types.submodule {}); default = {}; };
+  config = let inherit (inputs.config.nixos.packages) root; in inputs.lib.mkIf (root != null)
+  {
+    nixos.packages.packages =
+      let
+        root = inputs.pkgs.root.overrideAttrs (prev:
+        {
+          patches = prev.patches or [] ++ [ ./17253.patch ./17273.patch ];
+          cmakeFlags = prev.cmakeFlags ++ [ "-DCMAKE_CXX_STANDARD=23" ];
+        });
+        jupyterPath = inputs.pkgs.jupyter-kernel.create { definitions.root = rec
+        {
+          displayName = "ROOT";
+          language = "c++";
+          argv = [ "/run/current-system/sw/bin/python3" "-m" "JupyROOT.kernel.rootkernel" "-f" "{connection_file}" ];
+          logo64 = "${root}/etc/root/notebook/kernels/root/logo-64x64.png";
+          logo32 = inputs.pkgs.runCommand "logo-32x32.png" {}
+            "${inputs.pkgs.imagemagick}/bin/convert ${logo64} -resize 32x32 $out";
+        };};
+      in
+      {
+        _packages = [ root ];
+        _pythonPackages = [(pythonPackages: with pythonPackages; [ metakernel notebook ])];
+        _pythonEnvFlags = [ "--prefix JUPYTER_PATH : ${jupyterPath}" "--suffix NIX_PYTHONPATH : ${root}/lib" ];
+        _vscodeEnvFlags = [ "--prefix JUPYTER_PATH : ${jupyterPath}" ];
+      };
+  };
+}

modules/packages/server.nix

@@ -9,10 +9,10 @@ inputs:
       _packages = with inputs.pkgs;
       [
         # basic tools
-        beep dos2unix gnugrep pv tmux screen parallel tldr cowsay jq zellij ipfetch localPackages.pslist
-        fastfetch reptyr duc ncdu progress libva-utils ksh neofetch
+        beep dos2unix gnugrep pv tmux screen parallel tldr cowsay jq yq zellij ipfetch localPackages.pslist
+        fastfetch reptyr duc ncdu progress libva-utils ksh neofetch dateutils kitty
         # lsxx
-        pciutils usbutils lshw util-linux lsof dmidecode lm_sensors hwloc
+        pciutils usbutils lshw util-linux lsof dmidecode lm_sensors hwloc acpica-tools
         # top
         iotop iftop htop btop powertop s-tui
         # editor
@@ -22,26 +22,26 @@ inputs:
         # file manager
         tree eza trash-cli lsd broot file xdg-ninja mlocate
         # compress
-        pigz upx unzip zip lzip p7zip
+        pigz upx unzip zip lzip p7zip rar
         # file system management
         sshfs e2fsprogs duperemove compsize exfatprogs
         # disk management
-        smartmontools hdparm megacli gptfdisk
+        smartmontools hdparm gptfdisk megacli
         # encryption and authentication
-        apacheHttpd openssl ssh-to-age gnupg age sops pam_u2f yubico-piv-tool
+        apacheHttpd openssl ssh-to-age gnupg age sops pam_u2f yubico-piv-tool libfido2
         # networking
         ipset iptables iproute2 dig nettools traceroute tcping-go whois tcpdump nmap inetutils wireguard-tools
         # nix tools
         nix-output-monitor nix-tree ssh-to-age nix-inspect
         # development
         gdb try inputs.topInputs.plasma-manager.packages.${inputs.pkgs.system}.rc2nix rr hexo-cli gh nix-init hugo
+        (octodns.withProviders (_: [ localPackages.octodns-cloudflare ]))
         # stupid things
-        toilet lolcat
+        toilet lolcat localPackages.stickerpicker graph-easy
         # office
         pdfgrep ffmpeg-full # todo-txt-cli 
       ]
-        ++ (with inputs.config.boot.kernelPackages; [ cpupower usbip ])
-        ++ (inputs.lib.optional (inputs.config.nixos.system.nixpkgs.arch == "x86_64") rar);
+        ++ (with inputs.config.boot.kernelPackages; [ cpupower usbip ]);
       _pythonPackages = [(pythonPackages: with pythonPackages;
       [
         openai python-telegram-bot fastapi-cli pypdf2 pandas matplotlib plotly gunicorn redis jinja2

modules/packages/ssh.nix

@@ -7,16 +7,6 @@ inputs:
     services.openssh.knownHosts =
       let servers =
       {
-        vps4 =
-        {
-          ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIF7Y0tjt1XLPjqJ8HEB26W9jVfJafRQ3pv5AbPaxEc/Z";
-          hostnames = [ "vps4.chn.moe" "104.234.37.61" ];
-        };
-        "initrd.vps4" =
-        {
-          ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIJkOPTFvX9f+Fn/KHOIvUgoRiJfq02T42lVGQhpMUGJq";
-          hostnames = [ "initrd.vps4.chn.moe" "104.234.37.61" ];
-        };
         vps6 =
         {
           ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIO5ZcvyRyOnUCuRtqrM/Qf+AdUe3a5bhbnfyhw2FSLDZ";
@@ -47,15 +37,15 @@ inputs:
           ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIAoMu0HEaFQsnlJL0L6isnkNZdRq0OiDXyaX3+fl3NjT";
           hostnames = [ "initrd.nas.chn.moe" "192.168.1.2" ];
         };
-        surface =
+        one =
         {
-          ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIFdm3DcfHdcLP0oSpVrWwIZ/b9lZuakBSPwCFz2BdTJ7";
-          hostnames = [ "192.168.1.4" "wireguard.surface.chn.moe" "192.168.83.5" ];
+          ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIC5i2Z/vK0D5DBRg3WBzS2ejM0U+w3ZPDJRJySdPcJ5d";
+          hostnames = [ "wireguard.one.chn.moe" "192.168.1.4" "192.168.83.5" ];
         };
         pc =
         {
           ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIMSfREi19OSwQnhdsE8wiNwGSFFJwNGN0M5gN+sdrrLJ";
-          hostnames = [ "wireguard.pc.chn.moe" "[office.chn.moe]:3673" "192.168.1.105" "192.168.83.3" ];
+          hostnames = [ "wireguard.pc.chn.moe" "[office.chn.moe]:3673" "192.168.1.3" "192.168.83.3" ];
         };
         hpc =
         {
@@ -67,20 +57,20 @@ inputs:
           ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
           hostnames = [ "github.com" ];
         };
-        xmupc1 =
-        {
-          ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAINTvfywkKRwMrVp73HfHTfjhac2Tn9qX/lRjLr09ycHp";
-          hostnames = [ "[office.chn.moe]:6007" "[xmupc1.chn.moe]:6007" "wireguard.xmupc1.chn.moe" "192.168.83.6" ];
-        };
-        xmupc2 =
+        srv2-node0 =
         {
           ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIJZ/+divGnDr0x+UlknA84Tfu6TPD+zBGmxWZY4Z38P6";
-          hostnames = [ "[xmupc2.chn.moe]:6394" "wireguard.xmupc2.chn.moe" "192.168.83.7" ];
+          hostnames = [ "srv2.chn.moe" "wireguard.srv2.chn.moe" ];
+        };
+        srv2-node1 =
+        {
+          ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAINTvfywkKRwMrVp73HfHTfjhac2Tn9qX/lRjLr09ycHp";
+          hostnames = [ "192.168.178.2" ];
         };
         srv1-node0 =
         {
           ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIDm6M1D7dBVhjjZtXYuzMj2P1fXNWN3O9wmwNssxEeDs";
-          hostnames = [ "srv1.chn.moe" "node0.srv1.chn.moe" "wireguard.node0.srv1.chn.moe" ];
+          hostnames = [ "srv1.chn.moe" "wireguard.srv1.chn.moe" ];
         };
         srv1-node1 =
         {
@@ -131,10 +121,10 @@ inputs:
         (
           (builtins.map
             (host: { name = host; value = { inherit host; hostname = "${host}.chn.moe"; }; })
-            [ "vps4" "vps6" "wireguard.vps6" "vps7" "wireguard.vps7" "wireguard.nas" ])
+            [ "vps6" "wireguard.vps6" "vps7" "wireguard.vps7" "wireguard.nas" "wireguard.one" ])
           ++ (builtins.map
             (host: { name = host; value = { inherit host; hostname = "${host}.chn.moe"; forwardX11 = true; }; })
-            [ "wireguard.pc" "wireguard.surface" "wireguard.xmupc1" "wireguard.xmupc2" "srv1" "wireguard.srv1" ])
+            [ "wireguard.pc" "srv1" "wireguard.srv1" "srv2" "wireguard.srv2" ])
           ++ (builtins.map
             (host:
             {
@@ -150,11 +140,9 @@ inputs:
             [ "wlin" "hwang" ])
         )
         // rec {
-          xmupc1 = { host = "xmupc1"; hostname = "xmupc1.chn.moe"; port = 6007; forwardX11 = true; };
-          xmupc2 = { host = "xmupc2"; hostname = "xmupc2.chn.moe"; port = 6394; forwardX11 = true; };
           nas = { host = "nas"; hostname = "192.168.1.2"; forwardX11 = true; };
           pc = { host = "pc"; hostname = "192.168.1.3"; forwardX11 = true; };
-          surface = { host = "surface"; hostname = "192.168.1.4"; forwardX11 = true; };
+          one = { host = "one"; hostname = "192.168.1.4"; forwardX11 = true; };
           gitea = { host = "gitea"; hostname = "ssh.git.chn.moe"; };
           jykang =
           {
@@ -164,10 +152,13 @@ inputs:
             forwardAgent = true;
             extraOptions.AddKeysToAgent = "yes";
           };
-          "wireguard.jykang" = jykang // { host = "wireguard.jykang"; proxyJump = "wireguard.xmupc1"; };
+          "wireguard.jykang" = jykang // { host = "wireguard.jykang"; proxyJump = "wireguard.srv2"; };
+          srv1-node0 = { host = "srv1-node0"; hostname = "srv1.chn.moe"; };
           srv1-node1 = { host = "srv1-node1"; hostname = "192.168.178.2"; proxyJump = "srv1"; };
           srv1-node2 = { host = "srv1-node2"; hostname = "192.168.178.3"; proxyJump = "srv1"; };
           srv1-node3 = { host = "srv1-node3"; hostname = "192.168.178.4"; proxyJump = "srv1"; };
+          srv2-node0 = { host = "srv2-node0"; hostname = "srv2.chn.moe"; };
+          srv2-node1 = { host = "srv2-node1"; hostname = "192.168.178.2"; proxyJump = "srv2"; };
         };
       };
     })];

modules/packages/vasp.nix

@@ -8,12 +8,16 @@ inputs:
   # TODO: add more options to correctly configure VASP
   config = let inherit (inputs.config.nixos.packages) vasp; in inputs.lib.mkIf (vasp != null)
   {
-    nixos.packages.packages._packages = with inputs.pkgs;
-    (
-      [ localPackages.vasp.intel localPackages.vasp.vtstscripts localPackages.py4vasp localPackages.vaspkit wannier90 ]
-        ++ (inputs.lib.optional
-          (let inherit (inputs.config.nixos.system.nixpkgs) cuda; in cuda.enable && cuda.capabilities != null)
-          localPackages.vasp.nvidia)
-    );
+    nixos.packages.packages = with inputs.pkgs;
+    {
+      _packages =
+      (
+        [ localPackages.vasp.intel localPackages.vasp.vtst localPackages.vaspkit wannier90 ]
+          ++ (inputs.lib.optional
+            (let inherit (inputs.config.nixos.system.nixpkgs) cuda; in cuda.capabilities or null != null)
+            localPackages.vasp.nvidia)
+      );
+      _pythonPackages = [(_: [ localPackages.py4vasp ])];
+    };
   };
 }

modules/packages/vscode.nix

@@ -18,17 +18,20 @@ inputs:
               (set:
               {
                 name = set;
-                value = nix-vscode-extensions.vscode-marketplace.${set} // vscode-extensions.${set} or {};
+                value = vscode-extensions.${set} or {}
+                  // nix-vscode-extensions.vscode-marketplace.${set}
+                  // nix-vscode-extensions.vscode-marketplace-release.${set} or {};
               })
               (inputs.lib.unique
               (
-                (builtins.attrNames nix-vscode-extensions.vscode-marketplace)
-                ++ (builtins.attrNames vscode-extensions)
+                (builtins.attrNames vscode-extensions)
+                  ++ (builtins.attrNames nix-vscode-extensions.vscode-marketplace)
+                  ++ (builtins.attrNames nix-vscode-extensions.vscode-marketplace-release)
               )));
             in with extensions;
               (with github; [ copilot github-vscode-theme ])
               ++ (with intellsmi; [ comment-translate ])
-              ++ (with ms-vscode; [ cmake-tools cpptools cpptools-extension-pack hexeditor remote-explorer ])
+              ++ (with ms-vscode; [ cmake-tools cpptools-extension-pack hexeditor remote-explorer ])
               ++ (with ms-vscode-remote; [ remote-ssh ])
               ++ [
                 donjayamanne.githistory fabiospampinato.vscode-diff
@@ -51,7 +54,14 @@ inputs:
                 ms-python.python
                 # theme
                 pkief.material-icon-theme
-              ];
+                # direnv
+                mkhl.direnv
+              ]
+              # jupyter
+              # TODO: use last release
+              ++ (with vscode-extensions.ms-toolsai;
+                [ jupyter jupyter-keymap jupyter-renderers vscode-jupyter-cell-tags vscode-jupyter-slideshow ]);
+          extraFlags = builtins.concatStringsSep " " inputs.config.nixos.packages.packages._vscodeEnvFlags;
         }
       )];
     };

modules/packages/zsh/default.nix

@@ -4,72 +4,86 @@ inputs:
     { type = types.nullOr (types.submodule {}); default = {}; };
   config = let inherit (inputs.config.nixos.packages) zsh; in inputs.lib.mkIf (zsh != null)
   {
-    nixos.user.sharedModules = [(home-inputs: { config.programs =
-    {
-      zsh =
+    nixos.user.sharedModules = [(home-inputs: { config.programs = inputs.lib.mkMerge
+    [
+      # general config
       {
-        enable = true;
-        initExtraBeforeCompInit =
-        ''
-          # p10k instant prompt
-          P10K_INSTANT_PROMPT="$XDG_CACHE_HOME/p10k-instant-prompt-''${(%):-%n}.zsh"
-          [[ ! -r "$P10K_INSTANT_PROMPT" ]] || source "$P10K_INSTANT_PROMPT"
-          HYPHEN_INSENSITIVE="true"
-          export PATH=~/bin:$PATH
-          function br
-          {
-            local cmd cmd_file code
-            cmd_file=$(mktemp)
-            if broot --outcmd "$cmd_file" "$@"; then
-              cmd=$(<"$cmd_file")
-              command rm -f "$cmd_file"
-              eval "$cmd"
-            else
-              code=$?
-              command rm -f "$cmd_file"
-              return "$code"
-            fi
-          }
-          alias todo="todo.sh"
-        '';
-        plugins =
-        [
-          {
-            file = "powerlevel10k.zsh-theme";
-            name = "powerlevel10k";
-            src = "${inputs.pkgs.zsh-powerlevel10k}/share/zsh-powerlevel10k";
-          }
-          { file = "p10k.zsh"; name = "powerlevel10k-config"; src = ./p10k-config; }
-          {
-            name = "zsh-lsd";
-            src = inputs.pkgs.fetchFromGitHub
-            {
-              owner = "z-shell";
-              repo = "zsh-lsd";
-              rev = "65bb5ac49190beda263aae552a9369127961632d";
-              hash = "sha256-JSNsfpgiqWhtmGQkC3B0R1Y1QnDKp9n0Zaqzjhwt7Xk=";
-            };
-          }
-        ];
-        history =
+        zsh =
         {
-          path = "${home-inputs.config.xdg.dataHome}/zsh/zsh_history";
-          extended = true;
-          save = 100000000;
-          size = 100000000;
+          enable = true;
+          history =
+          {
+            path = "${home-inputs.config.xdg.dataHome}/zsh/zsh_history";
+            extended = true;
+            save = 100000000;
+            size = 100000000;
+          };
+          syntaxHighlighting.enable = true;
+          autosuggestion.enable = true;
+          enableCompletion = true;
+          oh-my-zsh =
+          {
+            enable = true;
+            plugins = [ "git" "colored-man-pages" "extract" "history-substring-search" "autojump" ];
+            theme = inputs.lib.mkDefault "clean";
+          };
+          # ensure ~/.zlogin exists
+          loginExtra = " ";
         };
-      };
-      # set bash history file path, avoid overwriting zsh history
-      bash = { enable = true; historyFile =  "${home-inputs.config.xdg.dataHome}/bash/bash_history"; };
-    };})];
-    programs.zsh =
-    {
-      enable = true;
-      syntaxHighlighting.enable = true;
-      autosuggestions.enable = true;
-      enableCompletion = true;
-      ohMyZsh =
-        { enable = true; plugins = [ "git" "colored-man-pages" "extract" "history-substring-search" "autojump" ]; };
-    };
+        # set bash history file path, avoid overwriting zsh history
+        bash = { enable = true; historyFile =  "${home-inputs.config.xdg.dataHome}/bash/bash_history"; };
+      }
+      # config for root and chn
+      {
+        zsh = inputs.lib.mkIf (builtins.elem home-inputs.config.home.username [ "chn" "root" ])
+        {
+          plugins =
+          [
+            {
+              file = "powerlevel10k.zsh-theme";
+              name = "powerlevel10k";
+              src = "${inputs.pkgs.zsh-powerlevel10k}/share/zsh-powerlevel10k";
+            }
+            { file = "p10k.zsh"; name = "powerlevel10k-config"; src = ./p10k-config; }
+            {
+              name = "zsh-lsd";
+              src = inputs.pkgs.fetchFromGitHub
+              {
+                owner = "z-shell";
+                repo = "zsh-lsd";
+                rev = "65bb5ac49190beda263aae552a9369127961632d";
+                hash = "sha256-JSNsfpgiqWhtmGQkC3B0R1Y1QnDKp9n0Zaqzjhwt7Xk=";
+              };
+            }
+          ];
+          initExtraBeforeCompInit =
+          ''
+            # p10k instant prompt
+            P10K_INSTANT_PROMPT="$XDG_CACHE_HOME/p10k-instant-prompt-''${(%):-%n}.zsh"
+            [[ ! -r "$P10K_INSTANT_PROMPT" ]] || source "$P10K_INSTANT_PROMPT"
+            HYPHEN_INSENSITIVE="true"
+            export PATH=~/bin:$PATH
+            function br
+            {
+              local cmd cmd_file code
+              cmd_file=$(mktemp)
+              if broot --outcmd "$cmd_file" "$@"; then
+                cmd=$(<"$cmd_file")
+                command rm -f "$cmd_file"
+                eval "$cmd"
+              else
+                code=$?
+                command rm -f "$cmd_file"
+                return "$code"
+              fi
+            }
+            alias todo="todo.sh"
+          '';
+          oh-my-zsh.theme = "";
+        };
+      }
+    ];})];
+    environment.pathsToLink = [ "/share/zsh" ];
+    programs.zsh.enable = true;
   };
 }

modules/services/ananicy.nix

@@ -9,6 +9,11 @@ inputs:
       enable = true;
       package = inputs.pkgs.ananicy-cpp;
       rulesProvider = inputs.pkgs.ananicy-rules-cachyos;
+      extraRules =
+      [
+        { name = "YuanShen.exe"; type = "Game"; }
+        { name = "Typora"; type = "Doc-View"; }
+      ];
     };
   };
 }

modules/services/beesd.nix

@@ -55,5 +55,6 @@ inputs:
       IOWeight = 1;
       Nice = 19;
     };
+    nixos.packages.packages._packages = [ inputs.pkgs.bees ];
   };
 }

modules/services/default.nix

@@ -3,18 +3,20 @@ inputs:
   imports = inputs.localLib.findModules ./.;
   options.nixos.services = let inherit (inputs.lib) mkOption types; in
   {
-    smartd.enable = mkOption { type = types.bool; default = false; };
-    noisetorch.enable = mkOption { type = types.bool; default = inputs.config.nixos.model.type == "desktop"; };
+    smartd = mkOption
+    {
+      type = types.nullOr (types.submodule {});
+      default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
+    };
+    noisetorch = mkOption
+    {
+      type = types.nullOr (types.submodule {});
+      default = if inputs.config.nixos.model.type == "desktop" then {} else null;
+    };
   };
-  config =
-    let
-      inherit (inputs.lib) mkMerge mkIf;
-      inherit (inputs.localLib) stripeTabs attrsToList;
-      inherit (inputs.config.nixos) services;
-      inherit (builtins) map listToAttrs toString;
-    in mkMerge
-    [
-      (mkIf services.smartd.enable { services.smartd.enable = true; })
-      (mkIf services.noisetorch.enable { programs.noisetorch.enable = true; })
-    ];
+  config = let inherit (inputs.config.nixos.services) smartd noisetorch; in inputs.lib.mkMerge
+  [
+    (inputs.lib.mkIf (smartd != null) { services.smartd.enable = true; })
+    (inputs.lib.mkIf (noisetorch != null) { programs.noisetorch.enable = true; })
+  ];
 }

modules/services/docker.nix

@@ -2,37 +2,29 @@ inputs:
 {
   options.nixos.services.docker = let inherit (inputs.lib) mkOption types; in mkOption
     { type = types.nullOr (types.submodule {}); default = null; };
-  config = let inherit (inputs.config.nixos.services) docker; in inputs.lib.mkMerge
-  [
-    (
-      inputs.lib.mkIf (docker != null)
-      {
-        # system-wide docker is not needed
-        # virtualisation.docker.enable = true;
-        virtualisation.docker.rootless =
-        {
-          enable = true;
-          setSocketVariable = true;
-          daemon.settings =
-          {
-            features.buildkit = true;
-            # dns 127.0.0.1 make docker not work
-            dns = [ "1.1.1.1" ];
-            # prevent create btrfs subvol
-            storage-driver = "overlay2";
-          };
-        };
-      }
-    )
-    # some docker settings should be set unconditionally, as some services depend on them
+  config = let inherit (inputs.config.nixos.services) docker; in inputs.lib.mkIf (docker != null)
+  {
+    virtualisation.docker =
     {
-      virtualisation.docker =
+      enable = true;
+      # prevent create btrfs subvol
+      storageDriver = "overlay2";
+      daemon.settings.dns = [ "1.1.1.1" ];
+      rootless =
       {
-        enableNvidia = inputs.lib.mkIf inputs.config.nixos.system.nixpkgs.cuda.enable true;
-        # prevent create btrfs subvol
-        storageDriver = "overlay2";
-        daemon.settings.dns = [ "1.1.1.1" ];
+        enable = true;
+        setSocketVariable = true;
+        daemon.settings =
+        {
+          features.buildkit = true;
+          # dns 127.0.0.1 make docker not work
+          dns = [ "1.1.1.1" ];
+          # prevent create btrfs subvol
+          storage-driver = "overlay2";
+        };
       };
-    }
-  ];
+    };
+    hardware.nvidia-container-toolkit.enable = inputs.lib.mkIf (inputs.config.nixos.system.nixpkgs.cuda != null) true;
+    networking.firewall.trustedInterfaces = [ "docker0" ];
+  };
 }

modules/services/gitea.nix

@@ -43,7 +43,8 @@ inputs:
           SMTP_PORT = 465;
           USER = "bot@chn.moe";
         };
-        service.REGISTER_MANUAL_CONFIRM = true;
+        service.DISABLE_REGISTRATION = true;
+        security.LOGIN_REMEMBER_DAYS = 365;
       };
     };
     nixos.services =
@@ -51,22 +52,16 @@ inputs:
       nginx =
       {
         enable = true;
-        https."${gitea.hostname}".location =
+        https.${gitea.hostname}.location =
         {
           "/".proxy.upstream = "http://127.0.0.1:3002";
           "/robots.txt".static.root =
-            let
-              robotsFile = inputs.pkgs.fetchurl
-              {
-                url = "https://gitea.com/robots.txt";
-                sha256 = "144c5s3la4a85c9lygcnxhbxs3w5y23bkhhqx69fbp9yiqyxdkk2";
-              };
-              robotsDir = inputs.pkgs.runCommand "robots.txt" {}
-              ''
-                mkdir -p $out
-                cp ${robotsFile} $out/robots.txt
-              '';
-            in "${robotsDir}";
+            let robotsFile = inputs.pkgs.fetchurl
+            {
+              url = "https://gitea.com/robots.txt";
+              sha256 = "144c5s3la4a85c9lygcnxhbxs3w5y23bkhhqx69fbp9yiqyxdkk2";
+            };
+            in "${inputs.pkgs.runCommand "robots.txt" {} "mkdir -p $out; cp ${robotsFile} $out/robots.txt"}";
         };
       };
       postgresql.instances.gitea = {};

modules/services/grafana.nix

@@ -1,17 +1,18 @@
 inputs:
 {
-  options.nixos.services.grafana = let inherit (inputs.lib) mkOption types; in
+  options.nixos.services.grafana = let inherit (inputs.lib) mkOption types; in mkOption
   {
-    enable = mkOption { type = types.bool; default = false; };
-    hostname = mkOption { type = types.str; default = "grafana.chn.moe"; };
-  };
-  config =
-    let
-      inherit (inputs.config.nixos.services) grafana;
-      inherit (inputs.lib) mkIf;
-    in mkIf grafana.enable
+    type = types.nullOr (types.submodule { options =
     {
-      services.grafana =
+      hostname = mkOption { type = types.str; default = "grafana.chn.moe"; };
+    };});
+    default = null;
+  };
+  config = let inherit (inputs.config.nixos.services) grafana; in inputs.lib.mkIf (grafana != null)
+  {
+    services =
+    {
+      grafana =
       {
         enable = true;
         declarativePlugins = with inputs.pkgs.grafanaPlugins; [];
@@ -44,24 +45,58 @@ inputs:
             password = "$__file{${inputs.config.sops.secrets."grafana/db".path}}";
           };
         };
-      };
-      nixos.services =
-      {
-        nginx =
+        provision =
         {
           enable = true;
-          https."${grafana.hostname}".location."/".proxy =
-            { upstream = "http://127.0.0.1:3001"; websocket = true; };
+          datasources.settings =
+          {
+            # prune = true;
+            datasources =
+            [{
+              name = "Prometheus";
+              type = "prometheus";
+              access = "proxy";
+              url = "http://localhost:9090";
+              editable = false;
+            }];
+          };
         };
-        postgresql.instances.grafana = {};
       };
-      sops.secrets = let owner = inputs.config.systemd.services.grafana.serviceConfig.User; in
+      prometheus =
       {
-        "grafana/mail" = { owner = owner; key = "mail/bot"; };
-        "grafana/secret".owner = owner;
-        "grafana/chn".owner = owner;
-        "grafana/db" = { owner = owner; key = "postgresql/grafana"; };
-        "mail/bot" = {};
+        enable = true;
+        exporters =
+        {
+          node = { enable = true; enabledCollectors = [ "systemd" ]; };
+        };
+        scrapeConfigs =
+        [{
+          job_name = "lapetus";
+          static_configs =
+            [{ targets = [ "127.0.0.1:${toString inputs.config.services.prometheus.exporters.node.port}" ]; }];
+        }];
+        extraFlags = [ "--storage.tsdb.max-block-chunk-segment-size=16MB" ];
       };
     };
+    nixos.services =
+    {
+      nginx =
+      {
+        enable = true;
+        https.${grafana.hostname}.location."/".proxy =
+          { upstream = "http://127.0.0.1:3001"; websocket = true; };
+      };
+      postgresql.instances.grafana = {};
+    };
+    sops.secrets = let owner = inputs.config.systemd.services.grafana.serviceConfig.User; in
+    {
+      "grafana/mail" = { owner = owner; key = "mail/bot"; };
+      "grafana/secret".owner = owner;
+      "grafana/chn".owner = owner;
+      "grafana/db" = { owner = owner; key = "postgresql/grafana"; };
+      "mail/bot" = {};
+    };
+    environment.persistence."/nix/nodatacow".directories =
+      [{ directory = "/var/lib/prometheus2"; user = "prometheus"; group = "prometheus"; mode = "0700"; }];
+  };
 }

modules/services/hpcstat.nix

@@ -16,7 +16,7 @@ inputs:
             curl = "${inputs.pkgs.curl}/bin/curl";
             cat = "${inputs.pkgs.coreutils}/bin/cat";
             token = inputs.config.sops.secrets."telegram/token".path;
-            chat = inputs.config.sops.secrets."telegram/chat".path;
+            chat = inputs.config.sops.secrets."telegram/user/chn".path;
             date = "${inputs.pkgs.coreutils}/bin/date";
             hpcstat = "${inputs.pkgs.localPackages.hpcstat}/bin/hpcstat";
             ssh = "${inputs.pkgs.openssh}/bin/ssh -i ${key} -o StrictHostKeyChecking=no"
@@ -76,7 +76,7 @@ inputs:
         calenders =
         {
           finishjob = "*-*-* *:*:00";
-          backupdb = "*-*-* *:00/10:00";
+          backupdb = "*-*-* 00/8:00:00";
           diskstat = "*-*-* 03/12:00:00";
         };
       in
@@ -108,7 +108,7 @@ inputs:
     sops.secrets =
     {
       "telegram/token" = { group = "telegram"; mode = "0440"; };
-      "telegram/chat" = { group = "telegram"; mode = "0440"; };
+      "telegram/user/chn" = { group = "telegram"; mode = "0440"; };
       "hpcstat/key" = { owner = "hpcstat"; group = "hpcstat"; };
     };
     users =

modules/services/httpapi.nix

@@ -36,10 +36,10 @@ inputs:
             let
               placeholder = inputs.config.sops.placeholder;
               request = "https://api.telegram.org/bot${placeholder."telegram/token"}"
-                + "/sendMessage?chat_id=${placeholder."telegram/chat"}&text=";
+                + "/sendMessage?chat_id=${placeholder."telegram/user/chn"}&text=";
             in ''<?php print file_get_contents("${request}".urlencode($_GET["message"])); ?>'';
         };
-        secrets = { "telegram/token" = {}; "telegram/chat" = {}; };
+        secrets = { "telegram/token" = {}; "telegram/user/chn" = {}; };
       };
       systemd.tmpfiles.rules = [ "d /srv/api 0700 nginx nginx" "Z /srv/api - nginx nginx" ];
     };

modules/services/huginn.nix

@@ -1,65 +1,58 @@
 inputs:
 {
-  options.nixos.services.huginn = let inherit (inputs.lib) mkOption types; in
+  options.nixos.services.huginn = let inherit (inputs.lib) mkOption types; in mkOption
   {
-    enable = mkOption { type = types.bool; default = false; };
-    hostname = mkOption { type = types.nonEmptyStr; default = "huginn.chn.moe"; };
-  };
-  config =
-    let
-      inherit (inputs.lib) mkIf;
-      inherit (inputs.config.nixos.services) huginn;
-    in mkIf huginn.enable
+    type = types.nullOr (types.submodule { options =
     {
-      virtualisation.oci-containers.containers.huginn =
+      hostname = mkOption { type = types.str; default = "huginn.chn.moe"; };
+    };});
+    default = null;
+  };
+  config = let inherit (inputs.config.nixos.services) huginn; in inputs.lib.mkIf (huginn != null)
+  {
+    virtualisation.oci-containers.containers.huginn =
+    {
+      image = "huginn/huginn:5a1509b51188e0d16868be893c983d6fcfd232a5";
+      imageFile = inputs.topInputs.self.src.huginn;
+      ports = [ "127.0.0.1:3000:3000/tcp" ];
+      extraOptions = [ "--add-host=host.docker.internal:host-gateway" ];
+      environmentFiles = [ inputs.config.sops.templates."huginn/env".path ];
+    };
+    sops =
+    {
+      templates."huginn/env".content = let placeholder = inputs.config.sops.placeholder; in
+      ''
+        MYSQL_PORT_3306_TCP_ADDR=host.docker.internal
+        HUGINN_DATABASE_NAME=huginn
+        HUGINN_DATABASE_USERNAME=huginn
+        HUGINN_DATABASE_PASSWORD=${placeholder."mariadb/huginn"}
+        DOMAIN=${huginn.hostname}
+        RAILS_ENV=production
+        FORCE_SSL=true
+        INVITATION_CODE=${placeholder."huginn/invitationCode"}
+        SMTP_DOMAIN=mail.chn.moe
+        SMTP_USER_NAME=bot@chn.moe
+        SMTP_PASSWORD="${placeholder."mail/bot"}"
+        SMTP_SERVER=mail.chn.moe
+        SMTP_SSL=true
+        EMAIL_FROM_ADDRESS=bot@chn.moe
+        TIMEZONE=Beijing
+        DO_NOT_CREATE_DATABASE=true
+      '';
+      secrets = { "huginn/invitationCode" = {}; "mail/bot" = {}; };
+    };
+    nixos =
+    {
+      services =
       {
-        image = "huginn/huginn:5a1509b51188e0d16868be893c983d6fcfd232a5";
-        imageFile = inputs.pkgs.dockerTools.pullImage
+        nginx =
         {
-          imageName = "ghcr.io/huginn/huginn";
-          imageDigest = "sha256:6f7a5b41457b94490210221a8bd3aae32d4ebfc2652f97c14919aa8036d7294e";
-          sha256 = "1ha6c6bwdpdl98cwwxw5fan0j77ylgaziidqhnyh6anpzq35f540";
-          finalImageName = "huginn/huginn";
-          finalImageTag = "5a1509b51188e0d16868be893c983d6fcfd232a5";
-        };
-        ports = [ "127.0.0.1:3000:3000/tcp" ];
-        extraOptions = [ "--add-host=host.docker.internal:host-gateway" ];
-        environmentFiles = [ inputs.config.sops.templates."huginn/env".path ];
-      };
-      sops =
-      {
-        templates."huginn/env".content = let placeholder = inputs.config.sops.placeholder; in
-        ''
-          MYSQL_PORT_3306_TCP_ADDR=host.docker.internal
-          HUGINN_DATABASE_NAME=huginn
-          HUGINN_DATABASE_USERNAME=huginn
-          HUGINN_DATABASE_PASSWORD=${placeholder."mariadb/huginn"}
-          DOMAIN=${huginn.hostname}
-          RAILS_ENV=production
-          FORCE_SSL=true
-          INVITATION_CODE=${placeholder."huginn/invitationCode"}
-          SMTP_DOMAIN=mail.chn.moe
-          SMTP_USER_NAME=bot@chn.moe
-          SMTP_PASSWORD="${placeholder."mail/bot"}"
-          SMTP_SERVER=mail.chn.moe
-          SMTP_SSL=true
-          EMAIL_FROM_ADDRESS=bot@chn.moe
-          TIMEZONE=Beijing
-          DO_NOT_CREATE_DATABASE=true
-        '';
-        secrets = { "huginn/invitationCode" = {}; "mail/bot" = {}; };
-      };
-      nixos =
-      {
-        services =
-        {
-          nginx =
-          {
-            enable = true;
-            https."${huginn.hostname}".location."/".proxy = { upstream = "http://127.0.0.1:3000"; websocket = true; };
-          };
-          mariadb.instances.huginn = {};
+          enable = true;
+          https.${huginn.hostname}.location."/".proxy = { upstream = "http://127.0.0.1:3000"; websocket = true; };
         };
+        mariadb.instances.huginn = {};
+        docker = {};
       };
     };
+  };
 }

modules/services/misskey.nix

@@ -4,137 +4,131 @@ inputs:
   {
     type = types.attrsOf (types.submodule { options =
     {
-      autoStart = mkOption { type = types.bool; default = true; };
       port = mkOption { type = types.ints.unsigned; default = 9726; };
       redis.port = mkOption { type = types.ints.unsigned; default = 3545; };
       hostname = mkOption { type = types.nonEmptyStr; default = "misskey.chn.moe"; };
     };});
     default = {};
   };
-  config =
-    let
-      inherit (inputs.config.nixos.services) misskey;
-      inherit (inputs.localLib) attrsToList;
-      inherit (inputs.lib) mkMerge mkIf;
-      inherit (builtins) map listToAttrs toString replaceStrings filter;
-    in
-    {
-      systemd = mkMerge (map
-        (instance:
-        {
-          services."misskey-${instance.name}" = rec
-          {
-            enable = instance.value.autoStart;
-            description = "misskey ${instance.name}";
-            after = [ "network.target" "redis-misskey-${instance.name}.service" "postgresql.service" ];
-            requires = after;
-            wantedBy = [ "multi-user.target" ];
-            environment.MISSKEY_CONFIG_YML = inputs.config.sops.templates."misskey/${instance.name}.yml".path;
-            serviceConfig = rec
-            {
-              User = inputs.config.users.users."misskey-${instance.name}".name;
-              Group = inputs.config.users.users."misskey-${instance.name}".group;
-              WorkingDirectory = "/var/lib/misskey/${instance.name}/work";
-              ExecStart = "${WorkingDirectory}/bin/misskey";
-              CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
-              AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
-              Restart = "always";
-            };
-          };
-          tmpfiles.rules = let dir = "/var/lib/misskey/${instance.name}/files"; owner = "misskey-${instance.name}"; in
-            [ "d ${dir} 0700 ${owner} ${owner}" "Z ${dir} - ${owner} ${owner}" ];
-        })
-        (attrsToList misskey.instances));
-      fileSystems = mkMerge (map
-        (instance:
-        {
-          "/var/lib/misskey/${instance.name}/work" =
-          {
-            device = "${inputs.pkgs.localPackages.misskey}";
-            options = [ "bind" "private" "x-gvfs-hide" "X-fstrim.notrim" ];
-          };
-          "/var/lib/misskey/${instance.name}/work/files" =
-          {
-            device = "/var/lib/misskey/${instance.name}/files";
-            options = [ "bind" "private" "x-gvfs-hide" "X-fstrim.notrim" ];
-          };
-        })
-        (attrsToList misskey.instances));
-      sops.templates = listToAttrs (map
-        (instance:
-        {
-          name = "misskey/${instance.name}.yml";
-          value =
-          {
-            content =
-              let
-                placeholder = inputs.config.sops.placeholder;
-                redis = inputs.config.nixos.services.redis.instances."misskey-${instance.name}";
-              in
-              ''
-                url: https://${instance.value.hostname}/
-                port: ${toString instance.value.port}
-                db:
-                  host: 127.0.0.1
-                  port: 5432
-                  db: misskey_${replaceStrings [ "-" ] [ "_" ] instance.name}
-                  user: misskey_${replaceStrings [ "-" ] [ "_" ] instance.name}
-                  pass: ${placeholder."postgresql/misskey_${replaceStrings [ "-" ] [ "_" ] instance.name}"}
-                  extra:
-                    statement_timeout: 600000
-                dbReplications: false
-                redis:
-                  host: 127.0.0.1
-                  port: ${toString redis.port}
-                  pass: ${placeholder."redis/misskey-${instance.name}"}
-                id: 'aid'
-                proxyBypassHosts:
-                  - api.deepl.com
-                  - api-free.deepl.com
-                  - www.recaptcha.net
-                  - hcaptcha.com
-                  - challenges.cloudflare.com
-                proxyRemoteFiles: true
-                signToActivityPubGet: true
-                maxFileSize: 1073741824
-              '';
-            owner = inputs.config.users.users."misskey-${instance.name}".name;
-          };
-        })
-        (attrsToList misskey.instances));
-      users = mkMerge (map
-        (instance:
-        {
-          users."misskey-${instance.name}" =
-          {
-            uid = inputs.config.nixos.user.uid."misskey-${instance.name}";
-            group = "misskey-${instance.name}";
-            home = "/var/lib/misskey/${instance.name}";
-            createHome = true;
-            isSystemUser = true;
-          };
-          groups."misskey-${instance.name}".gid = inputs.config.nixos.user.gid."misskey-${instance.name}";
-        })
-        (attrsToList misskey.instances));
-      nixos.services =
+  config = let inherit (inputs.config.nixos.services) misskey; in
+  {
+    systemd = inputs.lib.mkMerge (builtins.map
+      (instance:
       {
-        redis.instances = listToAttrs (map
-          (instance: { name = "misskey-${instance.name}"; value.port = instance.value.redis.port; })
-          (attrsToList misskey.instances));
-        postgresql.instances = listToAttrs (map
-          (instance: { name = "misskey_${replaceStrings [ "-" ] [ "_" ] instance.name}"; value = {}; })
-          (attrsToList misskey.instances));
-        nginx =
+        services."misskey-${instance.name}" = rec
         {
-          enable = mkIf (misskey.instances != {}) true;
-          https = listToAttrs (map
-            (instance: with instance.value;
-            {
-              name = hostname;
-              value.location."/".proxy = { upstream = "http://127.0.0.1:${toString port}"; websocket = true; };
-            })
-            (attrsToList misskey.instances));
+          description = "misskey ${instance.name}";
+          after = [ "network.target" "redis-misskey-${instance.name}.service" "postgresql.service" ];
+          requires = after;
+          wantedBy = [ "multi-user.target" ];
+          environment.MISSKEY_CONFIG_YML = inputs.config.sops.templates."misskey/${instance.name}.yml".path;
+          serviceConfig = rec
+          {
+            User = "misskey-${instance.name}";
+            Group = "misskey-${instance.name}";
+            WorkingDirectory = "/var/lib/misskey/${instance.name}/work";
+            ExecStart = "${WorkingDirectory}/bin/misskey";
+            CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+            AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+            Restart = "always";
+          };
         };
+        tmpfiles.rules = let dir = "/var/lib/misskey/${instance.name}/files"; owner = "misskey-${instance.name}"; in
+          [ "d ${dir} 0700 ${owner} ${owner}" "Z ${dir} - ${owner} ${owner}" ];
+      })
+      (inputs.localLib.attrsToList misskey.instances));
+    fileSystems = inputs.lib.mkMerge (builtins.map
+      (instance:
+      {
+        "/var/lib/misskey/${instance.name}/work" =
+        {
+          device = "${inputs.pkgs.localPackages.misskey}";
+          options = [ "bind" "private" "x-gvfs-hide" "X-fstrim.notrim" ];
+        };
+        "/var/lib/misskey/${instance.name}/work/files" =
+        {
+          device = "/var/lib/misskey/${instance.name}/files";
+          options = [ "bind" "private" "x-gvfs-hide" "X-fstrim.notrim" ];
+        };
+      })
+      (inputs.localLib.attrsToList misskey.instances));
+    sops.templates = builtins.listToAttrs (builtins.map
+      (instance:
+      {
+        name = "misskey/${instance.name}.yml";
+        value =
+        {
+          content =
+            let
+              placeholder = inputs.config.sops.placeholder;
+              redis = inputs.config.nixos.services.redis.instances."misskey-${instance.name}";
+            in
+            ''
+              url: https://${instance.value.hostname}/
+              port: ${toString instance.value.port}
+              db:
+                host: 127.0.0.1
+                port: 5432
+                db: misskey_${builtins.replaceStrings [ "-" ] [ "_" ] instance.name}
+                user: misskey_${builtins.replaceStrings [ "-" ] [ "_" ] instance.name}
+                pass: ${placeholder."postgresql/misskey_${builtins.replaceStrings [ "-" ] [ "_" ] instance.name}"}
+                extra:
+                  statement_timeout: 600000
+              dbReplications: false
+              redis:
+                host: 127.0.0.1
+                port: ${builtins.toString redis.port}
+                pass: ${placeholder."redis/misskey-${instance.name}"}
+              id: 'aid'
+              proxyBypassHosts:
+                - api.deepl.com
+                - api-free.deepl.com
+                - www.recaptcha.net
+                - hcaptcha.com
+                - challenges.cloudflare.com
+              proxyRemoteFiles: true
+              signToActivityPubGet: true
+              maxFileSize: 1073741824
+              fulltextSearch:
+                provider: sqlPgroonga
+            '';
+          owner = "misskey-${instance.name}";
+        };
+      })
+      (inputs.localLib.attrsToList misskey.instances));
+    users = inputs.lib.mkMerge (builtins.map
+      (instance:
+      {
+        users."misskey-${instance.name}" =
+        {
+          uid = inputs.config.nixos.user.uid."misskey-${instance.name}";
+          group = "misskey-${instance.name}";
+          home = "/var/lib/misskey/${instance.name}";
+          createHome = true;
+          isSystemUser = true;
+        };
+        groups."misskey-${instance.name}".gid = inputs.config.nixos.user.gid."misskey-${instance.name}";
+      })
+      (inputs.localLib.attrsToList misskey.instances));
+    nixos.services =
+    {
+      redis.instances = builtins.listToAttrs (builtins.map
+        (instance: { name = "misskey-${instance.name}"; value.port = instance.value.redis.port; })
+        (inputs.localLib.attrsToList misskey.instances));
+      postgresql.instances = builtins.listToAttrs (builtins.map
+        (instance: { name = "misskey_${builtins.replaceStrings [ "-" ] [ "_" ] instance.name}"; value = {}; })
+        (inputs.localLib.attrsToList misskey.instances));
+      nginx =
+      {
+        enable = inputs.lib.mkIf (misskey.instances != {}) true;
+        https = builtins.listToAttrs (builtins.map
+          (instance: with instance.value;
+          {
+            name = hostname;
+            value.location."/".proxy = { upstream = "http://127.0.0.1:${toString port}"; websocket = true; };
+          })
+          (inputs.localLib.attrsToList misskey.instances));
       };
     };
+  };
 }

modules/services/nextcloud.nix

@@ -16,7 +16,7 @@ inputs:
       hostName = nextcloud.hostname;
       appstoreEnable = false;
       https = true;
-      package = inputs.pkgs.nextcloud29;
+      package = inputs.pkgs.nextcloud30;
       maxUploadSize = "10G";
       config =
       {

modules/services/nginx/applications/blog.nix

@@ -8,6 +8,6 @@ inputs:
   config = let inherit (inputs.config.nixos.services.nginx.applications) blog; in inputs.lib.mkIf (blog != null)
     {
       nixos.services.nginx.https."blog.chn.moe".location."/".static =
-        { root = builtins.toString inputs.topInputs.self.packages.x86_64-linux.blog; index = [ "index.html" ]; };
+        { root = "${inputs.pkgs.localPackages.blog}"; index = [ "index.html" ]; };
     };
 }

modules/services/nginx/applications/sticker/.gitignore

@@ -0,0 +1,2 @@
+/config.json
+/sticker-import.session

modules/services/nginx/applications/sticker/default.nix

@@ -0,0 +1,22 @@
+inputs:
+{
+  options.nixos.services.nginx.applications.sticker = let inherit (inputs.lib) mkOption types; in mkOption
+  {
+    type = types.nullOr (types.submodule {});
+    default = {};
+  };
+  config = let inherit (inputs.config.nixos.services.nginx.applications) sticker; in inputs.lib.mkIf (sticker != null)
+  {
+    nixos.services.nginx.https."sticker.chn.moe".location."/".static =
+    {
+      root = builtins.toString (inputs.pkgs.runCommand "web" {}
+      ''
+        mkdir -p $out
+        cp -r ${inputs.topInputs.stickerpicker}/web/* $out
+        chmod -R +w $out
+        cp -r ${./web}/* $out
+      '');
+      index = [ "index.html" ];
+    };
+  };
+}

modules/services/nginx/applications/sticker/web/packs/index.json

@@ -0,0 +1,19 @@
+{
+  "packs": [
+    "Mare_by_WuMingv2Bot.json",
+    "line_191054124446_by_moe_sticker_bot.json",
+    "Sakurada_Shiro.json",
+    "loli_DaiSi_by_WuMingv2Bot.json",
+    "listentoweiwei_by_WuMingv2Bot.json",
+    "csaexi.json",
+    "wechat_transfer_zhcn.json",
+    "teamtimothy_bilibili.json",
+    "line26158619ac0d_by_moe_sticker_bot.json",
+    "LINE_nachonekodayo.json",
+    "zhehelima.json",
+    "TheDonaldTrump.json",
+    "line_173195293297_by_moe_sticker_bot.json",
+    "line261586194a0d_by_moe_sticker_bot.json"
+  ],
+  "homeserver_url": "https://matrix.chn.moe"
+}