services.kvm: add nodatacow option

This reverts commit e3b1b749b0.

.gitattributes

@@ -3,3 +3,4 @@
 *.jpg filter=lfs diff=lfs merge=lfs -text
 *.webp filter=lfs diff=lfs merge=lfs -text
 *.efi filter=lfs diff=lfs merge=lfs -text
+flake/branch.nix merge=ours

.sops.yaml

@@ -4,72 +4,44 @@ keys: # cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
   - &vps6 age164tyqklwhdm57tfm5u863mdt2xrzrrzac4py8a0j9y6kzqcjy9zsp073t6
   - &vps7 age137x7csalutwvfygvvzpemlsywvdxj3j4z93a50z2sjx03w6zau8q3r5902
   - &nas age19lhcwk37jmvn6z0v4dpdfh0k4u23f76twdjknc0p7atktf37rd7s4t4wj3
-  - &xmupc1 age1hnarptkze0ujpp05dqr8uma04cxg9zqcx68qgpks5uf5l6rpk5gqhh8wxg
-  - &xmupc2 age1l4stuz0vr7gs7pqwjrmezam44702jp2vmqaqyxw0l0r42kf9updq4dfhrw
-  - &pi3b age1yjgswvexp0x0de0sw4u6hamruzeluxccmx2enxazl6pwhhsr2s9qlxdemq
   - &one age1m7nrxfw22wvp7pj8y9pdl745w95x89uu8dzl9ppsaazweqf2lqms5yshsp
   - &srv1-node0 age1nzetyehldf3gl6pr6mu5d2cv387p8wjqn6wfpll7a3sl8us6n38s0ds633
   - &srv1-node1 age1wj33xt8nj7rhnsenepsf6k3lmq5vk4wn84jwr55qy9cwu05xn5cspg3h7t
   - &srv1-node2 age16e7ykphshal6qhwfvat698hl48s8yr0jvzh27ecdyfh5uk7t9u6s753jgy
-  - &srv1-node3 age1lee0kl24f0ntss6m69zu2s2e7njdpkv9nl7rlf4nn7rvv0mlgvfqrte2y5
+  - &srv2-node0 age1l4stuz0vr7gs7pqwjrmezam44702jp2vmqaqyxw0l0r42kf9updq4dfhrw
+  - &srv2-node1 age1hnarptkze0ujpp05dqr8uma04cxg9zqcx68qgpks5uf5l6rpk5gqhh8wxg
+  - &srv3 age1n4lhfwv7g0vhx54exmwx9yv2z04m3h2lunzpa5zdzgtcvjjuf5nqc36g8a
 creation_rules:
   - path_regex: devices/pc/.*$
-    key_groups:
-    - age:
-      - *chn
-      - *pc
+    key_groups: [{ age: [ *chn, *pc ] }]
   - path_regex: devices/vps6/.*$
-    key_groups:
-    - age:
-      - *chn
-      - *vps6
+    key_groups: [{ age: [ *chn, *vps6 ] }]
   - path_regex: devices/vps7/.*$
-    key_groups:
-    - age:
-      - *chn
-      - *vps7
+    key_groups: [{ age: [ *chn, *vps7 ] }]
   - path_regex: devices/nas/.*$
-    key_groups:
-    - age:
-      - *chn
-      - *nas
-  - path_regex: devices/xmupc1/.*$
-    key_groups:
-    - age:
-      - *chn
-      - *xmupc1
-  - path_regex: devices/xmupc2/.*$
-    key_groups:
-    - age:
-      - *chn
-      - *xmupc2
-  - path_regex: devices/pi3b/.*$
-    key_groups:
-    - age:
-      - *chn
-      - *pi3b
+    key_groups: [{ age: [ *chn, *nas ] }]
   - path_regex: devices/one/.*$
-    key_groups:
-    - age:
-      - *chn
-      - *one
+    key_groups: [{ age: [ *chn, *one ] }]
+  - path_regex: devices/srv1/secrets/.*$
+    key_groups: [{ age: [ *chn, *srv1-node0, *srv1-node1, *srv1-node2 ] }]
   - path_regex: devices/srv1/node0/.*$
-    key_groups:
-    - age:
-      - *chn
-      - *srv1-node0
+    key_groups: [{ age: [ *chn, *srv1-node0 ] }]
   - path_regex: devices/srv1/node1/.*$
-    key_groups:
-    - age:
-      - *chn
-      - *srv1-node1
+    key_groups: [{ age: [ *chn, *srv1-node1 ] }]
   - path_regex: devices/srv1/node2/.*$
+    key_groups: [{ age: [ *chn, *srv1-node2 ] }]
+  - path_regex: devices/srv2/secrets/.*$
+    key_groups: [{ age: [ *chn, *srv2-node0, *srv2-node1 ] }]
+  - path_regex: devices/srv2/node0/.*$
+    key_groups: [{ age: [ *chn, *srv2-node0 ] }]
+  - path_regex: devices/srv2/node1/.*$
+    key_groups: [{ age: [ *chn, *srv2-node1 ] }]
+  - path_regex: devices/srv3/.*$
+    key_groups: [{ age: [ *chn, *srv3 ] }]
+  - path_regex: devices/cross/secrets/default.yaml$
     key_groups:
-    - age:
-      - *chn
-      - *srv1-node2
-  - path_regex: devices/srv1/node3/.*$
+    - age: [ *chn, *pc, *vps6, *vps7, *nas, *one, *srv1-node0, *srv1-node1, *srv1-node2, *srv2-node0, *srv2-node1,
+        *srv3 ]
+  - path_regex: devices/cross/secrets/chn.yaml$
     key_groups:
-    - age:
-      - *chn
-      - *srv1-node3
+    - age: [ *chn, *pc, *one, *nas ]

README.md

@@ -0,0 +1,26 @@
+This is my NixOS configuration. I use it to manage:
+* some vps serving some websites and services (misskey, synapse), etc.
+* my laptop (Lenovo R9000P 2023), and my tablet (One Netbook One Mix 4).
+* some cluster for scientific computing (vasp, lammps, etc).
+With the following highlights:
+* All binary is compiled for specific CPU (`-march=xxx`, like that on Gentoo). 
+* All packages and configurations are managed by Nix, as much reproducible as possible.
+
+## Using overlay
+
+An overlay is provided through `outputs.overlays.default`, you could use it in your `configuration.nix` like this:
+
+```nix
+{
+  inputs.chn-nixos.url = "github:CHN-beta/nixos";
+  outputs.nixosConfigurations.my-host = inputs.nixpkgs.lib.nixosSystem
+  {
+    modules = [({pkgs, ...}: { config =
+    {
+      nixpkgs.overlays = [ inputs.chn-nixos.overlays.default ];
+      environment.systemPackages = [ pkgs.localPackages.vasp.intel ];
+    };})];
+  };
+}
+```
+

devices/cross/default.nix

@@ -0,0 +1 @@
+inputs: { imports = inputs.localLib.findModules ./.; }

devices/cross/luks-manual/default.nix

@@ -0,0 +1,27 @@
+inputs:
+let devices =
+{
+  nas =
+  {
+    "/dev/disk/by-partlabel/nas-root3".mapper = "root3";
+    "/dev/disk/by-partlabel/nas-root4".mapper = "root4";
+    "/dev/disk/by-partlabel/nas-swap" = { mapper = "swap"; ssd = true; };
+  };
+  vps6."/dev/disk/by-uuid/961d75f0-b4ad-4591-a225-37b385131060" = { mapper = "root"; ssd = true; };
+  vps7."/dev/disk/by-uuid/db48c8de-bcf7-43ae-a977-60c4f390d5c4" = { mapper = "root"; ssd = true; };
+  srv3 =
+  {
+    "/dev/disk/by-partlabel/srv3-root1" = { mapper = "root1"; ssd = true; };
+    "/dev/disk/by-partlabel/srv3-swap" = { mapper = "swap"; ssd = true; };
+  };
+};
+in
+{
+  config =
+  {
+    nixos.system.fileSystems.luks.manual =
+      let inherit (inputs.config.nixos.model) hostname;
+      in if devices ? ${hostname} then devices.${hostname} else inputs.lib.mkOptionDefault null;
+    home-manager.users.chn.config.nixos.decrypt = devices;
+  };
+}

devices/cross/secrets/chn.yaml

@@ -0,0 +1,56 @@
+chn:
+    age: ENC[AES256_GCM,data:MSJe0mI4PUkl4B/R6no/Zsb7STRZcZBKz7+CckMnEuSrjNx/5Jxv6IugUEAREXEUxmpNi7Sx6aR8SYDqJO5UaaGYbCp+PN8DrBg=,iv:185PoGeQ3+D6rYI1xdfrciKu9nj/8d2yya//U39vS6s=,tag:mhP0Ix2iX3uaAqPAnin3Jg==,type:str]
+    rsa: ENC[AES256_GCM,data:yHnveqSfwd2sLYLOm4tkXoHj08zFRQsaSEL0NJz76dFCO/ZnyIbFh8WnW1y6bUUKzWl4AZxcLIBL0GCf+5R+gDRcXLLGCY6TziRb5fo/6ryJ9EbqntVI5V7oXUPSmGMPuhWcVFB2YurgdvFgXMAki7HMmXLD3xMzFp2/my1mBTOqksJiHL1Bq56bBOQihQ8FEpESc6E/lS7hA6oq8u2RIKKLDCDScdLTmbl1XmzO2xqoPoWJNGkW1PBVUzMMSfmfpswfUK4Tt09o7AwnCUsb5u4PC9aGLUdhjS/Q+zdDpXLZpU1VuX4Nypqmyx0v1KgMIDVu2FNl2OUbTvHCDW3OwMkCA2ww4OlD4p9BFTszAzs8eFxSyCZkiWNp+SfI9WgjsZV4S1nJJfIIlkZYqja7DYOQEyeS0IZ7jyuGsTBhy5iTjekiCUa9iEBXmHHw5I80H/mhDeLyYKnnSttPi4xNt8flO9k3TDURFNW4L/2sEexoL0BLCkt/nGolEcyHCvWKm+UOnfYEJ5G1/NwufFrQybzP+TuiqSauGk5oIEi/vvcX2/luwdPyOONeY2SrHoLehh6lhbM9WExdpSfawWAWB43NabKZf7Wp6JLsadZCUvlfQSvM7YE+Z9ZZPffsiPIiKkkABR5FnKVmO52AfX73r17VJgK2fMeabW4o1ktVzMX12tW2+GpzlOTDXcdKnzjdDQMv+u1Hyn9H/K1S1HmB9RZkyTXzUMR3iC5A4VSy+iFqIgA/kTvwKxjYfTBOvaME9kqqF40E+s7Vx2lM9gvfwYXm/OHSIKJkpo8m+DdGShyMD/iopZPW+QayavXdw1ilVWlJxwwCn+KDq/nsQhWMXH5A+7f0d/P+I2kKQWNNhAFm7Bq6+FrIa7FOT+u85Bl6r9rdnmfkz3rKYlvXFkvlr2fYA7UIzc3vFJadxLL1gvIeedmiuTgyY2JzljvWxAxOKbD9H/EAkl1dKMx2xc6IalXj1ERUcZSl90ijaUfkmxqFjZWXDkFLOipPFoNF4RXF0Bf7H8uWBajvrZOifwXoiYFygnl4vHbLQmdzgjs+lBEsEjTflCxaeRfGNUrqYdIN1MOOMXaaTBk4AkHHVxi6EplJS6Z31qnaecNGSlT2SdoGmKPy5IiS0E9gtOq9w81OBh85zoTh0I2XGWyJmhvOpJIReQEUiFb5vlXc1ryPp6etlitECxBTDGqu1BIqYroivwpWSLFYihOsZtmSUuRRRKlWMq19CFZ2KkmrT+APWMVBv4F/6uaapEQaLFrmDys2G4kCR7Arc04OvVizPUhwGPfcceG9VjsR/CJY/VUq1wFTyjrjCffyIOIXtYr+kYNFtYj5SekpopDxUCTAcuTdtAZlegfrqSss6nsBCFvMQUO30ng0rzRpTXnTt9iHkPnfXU1KLcv6lXU4+5nvHatICyaY0pYLNYWBzpFgp6sOiWWJCZi28jgE91HcaaGnleSoNw/ouTasgF23anqvcABKWuUMSRCsIsSBLQWDTPUo+jfm9NuzduDhIdYKhN0HMCCrHVJdWbYBmG23qqqHoHmEu926ClaP5VDo3PNci2yFKg9gcbjeWD4gCXoVE9tm1OwYucQyMyX/SVb0w+M+k2+yVX+Vx/LBqUkXtbWGfDmwHW3b7j3AZr1pHMx+Trv26p4V4cyOaf6nBezbawYF0M7pRHQQLXpjTru9c/dEEZCOefmDyzTLyShDhfCBiBky8hF0bf5NfF6NfL12fcMlAvtk8OaQC+gd4VL3umQpwmLO8pupnv/5tQAR3R37rfgkLv/N/D4Bbz84TvviEa9aPsY+1XlXsunYIkF1xJVunv+YAR4aexDfd6aapfdV1YXxhrvCMZNDF+kxQJ93i5o2+nyUvXBNrrqlWTTX3HSmTYfOZ5npSUMQRYUG2UduU56NHk8QmUi/mwZJX0mCrpHg2lH9+EIwdgMO8V21rZnE9Yj/ujn29lTvqEWOV1uHgbAS9fGbH9LsS4VhC7V1B4uWyzGEvj8g4hl+rC2c85v6rblgn409JTDCioffFlSS35+6AsKKO6u8Xh7neo8c5SxvYsEOW4EAfnemVns8TOdJViy07bB8XtZU4v2/MHhgA24TKr7wlPfrTvF9UFNx2OK8c3aYP78Xp8cb3j60z3HjqCFFEZyHDD4Ync5BFB36sBbqHHcah+kFl3ZtQnUI5LGZvG6mvSGFMmAhiEzTnsVN/TJglll2uXMIcZpJSwxKIw==,iv:Ks1ESu5QeD5a6dmk+0MHD8mrM0QejBSZwQ1fKjTQiuY=,tag:uLDGeiQHHUUUY00n4jlf8A==,type:str]
+    ed25519: ENC[AES256_GCM,data:/2Iqm2LOPkjQk0tEJpdICkiUOZ4fT/+tiEgpkCb02/YT+6l4W6cAY4mv3nQZOROaYg2gafzLT+e2UDSyX/fIbh3jA+OKnbUlWQVnzRUoz1QxdoqLjYTVCB5DkECYQveeWdt8Er1sGMzkdlvIkPdfj99RLmKKwwtHI1AXkR741V6t8X3LVRVFJrCBpudczA78Rr6CaTR5BXsEKxbXmD5kGJlYD70yHkrLA9MgWQa+/oIO/2CzjkQx5ULQ9fr/VwlIWXfLiCvHmKyVEtweqSSH3bSn1qC3usVAZaJSnOObAJGeQuS+FcxizbKDXjgc69Jg67mDf5k6VBxTF/xP0YegQpZlVxnwggSN6yyPHJ9zjk27NmsqHfE3fq/TQf2Pk91wIgfV0zN020vmidRKiP5z54aaEO6lnPHPELl7BZQ51NUyYKmh5SL6IX05x64GqRrbPtxhzWSj+WVeWmbVJcoxbohzugjTG1Uj+cxcEfqe7Th50pFjHbyCEIWxhk8toQ7r8VxkuYREkXwSYTm/mx43FZnwDhLkFuIYOh/v+7ln/Cxg+xATUbwZS6RwuN+pIRz75eq7VjwD9sb+pj2K,iv:FTrh8tnL8OlD6PkdXWnqFTkZ5VdxMJL5CncfjK1J/C0=,tag:+cWIwl0CZFERXZoegTpSDg==,type:str]
+    ed25519_sk: ENC[AES256_GCM,data:NFTheH+JMIu0bdyKOVgFjGIfgKE9o404S6EvK9yelSiYY5/WFRbzRwhSLZC9senT4rMUl9sErjix1nJMesV1DByTvdZqljPGChxac5/JglgZr9NgvhDYLjSnrT0GYlGAgxmDrnSHj2CyPm+5Ael27325QDMLjKnmluvSZaNB7qB+4BNQBEytx5NfLiA26EAxKPqMSDoFFZp/y6FdWFH4sEWz5WAp03shXs+EPmcnSu/9wykjwg7gKvbQJqoB3MJ5N4MsLr7EBPcpOdWvx0E5xZ8GgmuWYxRJNZDILfS5pgaD74uPEj1nODfGd3N0kBBCeKq/clq9hPDfjyrAmTd9EEDJu+q3nf7P6zTIZ0WJ1ZN/hnC7WcpL/p5Y4nDr99u1rd5x+hhk9TI07SPTJBqjpg6oAgM+Dq02jJvCn4VuoxlCTx/dkXyofReU0bjovUXOMEwCfxHwMDa5/QxQ2qYQhNC8x4O+DwxjnhNg1BNVFAVT4mBVxCshKyhQ1C/w8tBTJzD8YkigAKlokI5VoxCINex3SQs2+6NQpCOyiw6TMtH+M54zVlUQeKypOSNmS91crC52/6b9XMA=,iv:xDaelebavplMYLG9c2JUv1ceXJxejTuhjZ/AGHfklrw=,tag:x4zjZasKadbVDf8Zsg+wiA==,type:str]
+    rsa.ppk: ENC[AES256_GCM,data:9njXWqYEZ7jd0u0lvtmIarEka6n6oHmMeLFvBGejAt2cXZdrZzn5hdotT1+yGrPQYH5n5+f5R8E9wSAZK9Xwn5qfLxXkjmOOVd+L+UFr8fNwlac2GK8Z2OpYKSKg8JbNRw7kgl3ktu8xE6IWqTdL75idvW5JI9iXSSLT9o86oV25HN5Ku/JzRRc9ZlrSugxza/w2yUv7ICT4wGw600aXWhF4R9c2vf6+vZyxaBt7BzaT2+IPPrxDxoW6jx+1fATlwTSiqcKD/0ymy0Hk4ryhI6Vk7BaK5ePC405pdghXA3zwHvRKoFtZGPLy7+iQe4GLE1GEOLN+3MSSAlJEnGMKnwP93IqcAghIXAFXHaJzY1a/492waYqXCc3H/SOlI52oKjZY/SUKoSkDxRoY0wr3OdseFgV/BEWgrunN0MakTiqY6Q8okMX3LXeaUHwnIK9t01eLpvIUA2Y1wI7Olx2Ez1Tp1yPjACTZlQrOPOiCeumlRey15bGNywV3p+DY5wM3zqBn+529MauJv7W2NYIJ6do26hAVpe5FMYb0l/G8AYg0E+AJ2nfVRb8Gu5MxprSNQQEMca+PxKSsmCvicBeNuDreZwt7vpMAb8ndv8O96k8cz2G126Rpe6dgsf3XND3VLWJpYIJYG+KA2AaVCvayAcHRUfIZdZ+wMDJFP+nQHk8wH8/Zu6mWL0nkgFMIj7C/xymdIO1Ugc2CjUlZZtSkgZ6JnAQ+rs94B7QBSCcEnkd4kOU4CvrH1eIyxXS1YH6KhYVhOIXeZFvtI38ergae/ruHfruU4tYk9sj+MmiK7tQDVfiu+XY56mrYt46sDOe36nUDAw1xMLV18Wu7P3wh2zwLrHzRcpTljlcilEh6NQTbIZBm5oQUCJhtYkfPtfsOUs6EKR6Zte1xQE6jdMES6Nnki4OAyv6ZC847jZGkGVg2nFkg8K0d3HoLqsIb3AJMgSNoZtImsGdo4I/jgiBdt9GEjXj5o6zYAvt+F/fea8Lvz/JveU4eL+HA5++pSuuFH33eYntPsPeoi3aXMt3HgHpan9hUAYNSTn0IBrEbsFPkxdaPVhyVygZo7nVzMc1z8xRhMuDv/0DlRpSzd0CM/5nFsaexX03W2ByKUatEP+DXxWswXXV0pod1Q65Jp8X6jr3KrGdzgQ+xqT7yCLDInMP08ug8d3MV8cPvdTLKRy3H789WyBKKH9LE6L36ron3571L2C1YRqnSaCtLF4PZWcYhR8QW8DWhU/tQVPc39ny0PazwEKJK4vAuFc9voYTHMgYJ9fvM+TCRQVRi92yECtHO0XsS08UVz4aJpiBnpCf6k26e9Fv5nZkpjeG8l6j1/FLSbUUzM8Ig8JVJZXOV2mkZxB+UVGAaIAaIFuxHJ0u8EVqNGW/yRneZiFop/j+4/rUmR5QaXsqlp6dIjqGiGQxkAsNVc5TiRG4ChQJn50UyqUFWNT/YIFZyJnE051ztZzl0DXoqLdfjn63HJZ0E7OLVwpe6xYQ3DGvwmH+siq5mdjbhF8477C1oes7q+Pc8L8vlYRTIKeLGm5asN2ZyPDigpAnDcPsZUh4Z1EY9/uu1CTG4A2yUdx1Wk9+1ZZf+X8SGK5YyQofuA1WJR3Nxvxr0K2ThUJc2X4jy1x5FCWqINotiHWEj1VLKUEU/eqWcchp99/r6Ai9DBrsuwd7zLq1/EzWyGRFL04aoaHWkzq/2uxs5mBwJYAoRBhXS544JbWgl3k9gnhiTdwzmHxuJqGLQGGLT4kc7va/ym81dPQE5QlMlEsmf0ecHyT9X67GYIsxQtxi8tepM9ycWVRkH2skYVSodOdNvwRZkmtJIzw2lECdx3Sx3u1RAudXMUdGzviUas1+4V7L5w95QF8mQCS5gkHwu11mH6T6aRGLFRUfKNkbOGoiCzOeGsnoQr0IzkwWZ6Kpk/1z8txKIxNfdM3woxAGKbQ==,iv:rU+t8OnwA5yGRQZYSI9GQcfaZY2EjCPxrsoSzlCy1Ok=,tag:5H2oYeXpEkwIhtnAz6uywQ==,type:str]
+    xmuhk: ENC[AES256_GCM,data:I87DH/L3FE/qmYNJ4GPbvuEZ0BU3ljoxjVO+C4UUSGiFq+d0SwqteH8X36SZHsPVOJLtbw+HDxvHuu8avCdPgyg+utYQ902PnU6ldvxpPak2eK/mZQo9KOKNQa6U2QPL7Yq3odemlAHTTp8BD5yOc4gnxGP5/TZZt3jcSAza17tqXwO1dDE0o0ilQ4v5SW4AtBF9Tph5sTyYy9+RlGagvUc35hgl00gDzoTd8ydvFGWSVKO5nTRMQQUfJ1/t5L9ruH4+5+W7Ic6bRXGCSSJ+iKUUcR/N2Bjizcae7TOXZ4VmqkCBHUYDcRnI7kLI3An2dliuPsgyIGVBOzmayNFn8MXjJritptbbm1zC60xzJFaamkQdSTTwUBXNVY5Y/0m/W20/AxyMOvpyxWCDx9XKYK9J6BxqI/uSkJ+IIxHZuiDmY8pF4l6THOd37anRxP2u3S2+yv1sVxqu1cVKR4fmtKqry27KcGkRFwU78qm5QQlSOcxXNSp6gsX5BOb7y0f6rWekRmHLN3gcXJPpEF3AYRXhQZs81J9Tij7F/jemXSG8282PHkvZOnnJQZjb02uVu5NxF+8couaYF18oFjncPlPDrJXEtT2tSabma0fneiLDXnlZ05oPXyWbn81b/KvNxgsDnUAOf3p1sdmIcMG2FLSc2jmaeAF2dCnn7EMjWHwpoR9OeTt5Iq2XIvBzqLsq0dfX22OFCxdO+MX3yWEwZQsU/78n45jiIMOFHZq7GuUsMEd6/p1A9yyuEpkhgqxKRPCIzbmJEaLDAiFSeKw5Q8y5u3sE6NWCJouRsyYaBVtjBYuPCxRA/C5MwiJNL8GCxC++GYWn0OTiAmLMbFyFWVMtwcfVD+SRaOdjzL6v2VvtQpAmNnz4FXdQUb2PpImN/s6Rdg1ca9hPMVkqqgfdc5OC1KvwJP6M3s6g7xzarzTz0whJ0mhNthAHWa0rrnnIEdXa1bdxMEHafkv0VTsUayqfU8kA6pILUFz7d7pot1xrs7ucgw+eqT193kc4XyqxJQK26eWuUVyP1Qd5MnBTQnFXplqIY2sTjisICpvhEAdDeWNN0ouXLFEuQfvfINTydGgITMfQgZbdUuqC4PtdnatZGnwEsuXjRpQ2SA6y1mP3gG3AEvfYnhgg+S1F0pcpN4sa9B1DHvs6ILRaNSnHTHWklD1sMD2YXTgpuFHKtxZMa7dc+pCh4vyGViSgauNaACK/91+OlLPoeIPeQoREvzkOhz+VYXRtG6N5lTMLuubhgOdicBKz8Qt9S9BZTOiJ1hEb4uXXTXwkgulUa77Rd5HEnr31l3BvsNrCt3fDNT8Ec46ICeoRnDjPEIZpXTTUZc7C/J1UUuDCQ1dzVmGrZaM6vyRCFzVa6rgj138CkAp2zF5QzJPyHtyrciPCQfgLweAoT6+tUBOngZNcZ+gSZYrA4uRmwlob9Af6uZEL/GA4zRcSCj73h/7VDhjI4IgaxtiTGsMEmHtGBdryVIPuT8eRcdx6tDkulgQvFi0ku9iqKuBCYpveK+y6OO+5V7GIow7gMfU5AGDNYTNkrVIkhV+Bm5Y3s43eHhda6xxVFR948QvrbYIf3PFMcla2tc0LTOk7r/Fyt/3ij77aVjblq+gfoPtFrbEhvg9Yp8NDnlnuqYel+D24eV+Gd6vY79Gu+JGMgZvFlvEhqJSrKVQ8r4lXl8FMP+S8P5XxXkzf6SNbj1Qm0cwTEtg8p00vt4vH8MaYbSFSSwUeJkOEolDMFSW8FPvqenz1tFq8ShFXB7fuNaU1iqyldnSU3xpswjP8RyrSkZPMClSr2esuLx21+YYSJ90zHtB9kLGdTmp9D5hkGa4IpsbvGVlEvB+yfU9AoFwOi+PoajlxabMHFqIwlyGbl5pXd8Da7PFI1PGfkUa9rPBiusk2IDhXGJn7M00HcWzSjfepkE5EbxzXH0NlsXsqCpGlP1KvDIx4NCYMWJgf7iWebytUqO+AR8nAZlIV95b22EzcsGjAzo0SfqBQnyE9D3y4x/JdKKVy8rW8w/++DeAqQw00VE1JfFubi9NLCzqUQV3zgrEb3SC0yswCMowydXV8Ahl+79Km3Hdnm9H2s94iOlIWMCOV/RKWI/qZujq4ccQdvl77GC+5vXEY6bccNfkIMNPCby9O2383EmS2PzLzMdV0rEBoKkotib+i9IRVKIWJ+pwJwWF/ZPdO/ZcX5ds6oT/U9+RLk+Bq2eLAUwHEVd5mhw2V8Ngj9mp0O9P5vcWQhovnYQRh0WJwJUM1mWfiVLS1IZktndP1efTWR+SPw47tuVcuMcX3vxfReERMAIiO1EcR8+9WYzoSasB16sm9sN1nJUx/LgThjzRTszfy+GFJJZ4dIY/noYyH9LvIz5rHKAAbja5c0PjB22DXOdEjARoXIWHTTH1Ab7/eVk/ixbHOx9sOET9C/koI/URX1XtTRIuM1UXt4OJbIn3fvuPOywHTkWeF5WV/19ZrMHSIM/JHGYc4au/sD06C+wJZseXLPXSIJF2LgabEXJjvHsb++gccqD0GofcJVJzgYuOaJ0ZydbJn670xa/qludJ1nMuSEc3Py4jTOs0vyfrMkDQHWUScT1C/HsQH1YcCKeyAZMSh4hphM7MtAY9v60cnhsyOAwmBhVaZGZSaFIWyf1+ea2eTLnF6HEF0HSYl7L0hd1i8bPBxoyjB2DIbxbzR7TiaMuPQ/HPNhZhXuFfZK6iBjrGDlhGCn/vlFgsSCGCdcLwKBdC8dpfgpyf65ccvtIXMQGFZMQynIDNCBnALF5dtTQprXf/O1WRuZSLAF/H7q+2gXl9hMKeCLWfGbGE/cWvrRw81efgjUQ8AuFUttR2wUL2u26JgrDuoCG9+vhs4S4x2tXDooucqIRQDAUEIE6gF6NsWDi33K5baQ3RA5Z6btNPNQkqXtz4yQE0Zlh9mFT/jkXGRfZ6RtJbT5jWdHQONXaTHTFK43eZlViM1VydoEwiCrclyWYHWswKyLNjQWATICe7X9NYyU/S/Rj9dIRUUzm2KjLfMEfjyiLS5MLDu9lmKUdXAcz4nFcCWIc4VRR5fMsMh6Zvk8eh/vn176Ic58byvfjsAAflZ2QQyZLaA+Utr8YbpxwbRp8WYg0Ktt7q3rlh2WegEa6wKdESqcb53dlK8qw3ICPW4XhFAA37Ru4zlZ5O+ayDoCvrsWE924VXe+1ctjGQ5via4ctDTXXl+GALQPbLmEfwSyvaC332fbZ6YRM1fY6GmnliWCfgHh0cPwuGNmXbhn/Bftsy+jL6ljma//pnkHfQrynho8XeW0edyrXY91CJtkHKhF4h4SVq4tLQ4cRFEjFfkwy4UXZ7m6AnY1cr83iGqbuU1TnKn91mxiBoPWx0arRHeTSCK/xRcBOF7NqBdmEMMefeq2lLuv+8VVKFBFUKCL5e0rKcQ1N2G2ALtrgWVjsaI0eJSyD9aGSADnlMWu14g/msECa5Clvzw2Q==,iv:cv9sYcivQZc/hz+Sri9iLkRHV3uStIvwT2/083DsUtQ=,tag:re/iwRtY/mlnxibqXBnkPg==,type:str]
+github:
+    token: ENC[AES256_GCM,data:t95+VgTEkcpsYGty95nKg+4QU86rVnJjw/LZEAk6PHc3ZR3GjPLBtg==,iv:1d/tXqknfEh+GFYj22TRtr7Sq9GpE8NujfAKDwJttD8=,tag:LNyI9Tul7g5mm1gM9ijWMw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6S0QycmIralcxUVc2TFZU
+            SjVWZHpJT2tZQzByRUtvbzk5OGFHVzY2UlFFClRMSlIxTmk1ZGZsazdkRDRzOEJ5
+            NVZYZGhTdFJIaHBxT1BlN0NDdkEzNEkKLS0tIFBzYWtVMnN2YzRLdW80WTUxS2xZ
+            QnRDZEpyanBZRmVuS1ZjUHNTbWdpb28KWO91rInbh3dvKgVAICB/GAePL9XfsKK8
+            VDbUUst0RgI/z4xKftw+49HJWvzFpo+pzEzvsU5jZiQwIH19ufGcZg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ffvr5pqd2lfj24e3fh53s92z6h76fda3du4y4k6r3yjumdwvpfgqzj033a
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2a2V0Q09VYW5NbGpkZVBa
+            Wi81c2lTVHZLeEpaeTB3UFh5ajNWZno5akRrCmdHS0pDdnVqMExkR1V0aEg0OHRn
+            UzA0YkwyMHZESHNtbm45MEdsdjF5NTAKLS0tIHBIbFdndk1kRU5nQ0pBVFZhZ3JE
+            TStEQzdYL3VCbU1yUmdmd1RKQVYvbzQKx7fkginIVesbwrM9/9JPKpJMcHhxqJS7
+            lOa4aN7TlcTo2QswOABJCKXyZwb3LpWoZioQ/jvBPkSFxKarTBC2LQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1m7nrxfw22wvp7pj8y9pdl745w95x89uu8dzl9ppsaazweqf2lqms5yshsp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDcWN4b1NnQ3VoUC94elFm
+            VUUwWGlveWUreTk2VG4yMmhzdVd6VEJaUmo4CnNhcVdRRVRoTUFpUjJlVDNaWlZ1
+            QXVSVWZDNTlUdWZpVXpqQWl2RXFzUkEKLS0tIGdMbUVLTkJzUmpxUWZieEVWb2Zr
+            Zk1hSFZFaXQ1ZVcyYnFhUHVaWFM2eEEKMAhn8H7rIt82esqOEwL+19zKxyB/0KjI
+            x5S/tAzJIqRY5qilkEXBDekgWKFXj7fLKRfifuWAYT7tMC8E2bODVQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age19lhcwk37jmvn6z0v4dpdfh0k4u23f76twdjknc0p7atktf37rd7s4t4wj3
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQbjVoUHA4RnBVdUZVV0Ft
+            bUQ4YmJJNVB1Ni9RWW5SSWpzaG1ZVGYzUWpFCmJvZnFZYW9sWEo5amhjYkNZVWpm
+            SE1xb1c3cjFaUnBITDIyOFhVRFdPS0UKLS0tIFQ5M29rRDRIYmxPeTNHYWVubkMv
+            UjFLR3hxSVZVajY0WURiUklveHpzVVkKUwCaBC10Iq931J1umHA3xCWfi1mrmTAx
+            vaJiadYqmMSwYk8g5thQ4jjweh133nL1AdxjmAZOVPgYUr6rmcRfXA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-03-10T22:08:33Z"
+    mac: ENC[AES256_GCM,data:s0GsJysfnqxdLi99gBsTlE7kZ3prTrhCuCtgp3HD3d41r1mMxQ7F8NqBm1jBc5vhYHcHQgS/YfSQ1kM6+RDXN2dZ5NMzchyXtcq9h7smEKxizRbIx0PSoBZfnxR4LTZfBDi4LUBPVVSjb6A+7FDcfXAp+pM/ciuxmvNH9965Xws=,iv:zHiROdgHavc/sCH7oV1cm0JpSBRjxj8QR6yUZzK/fAo=,tag:2TeMi2a71YOawddL/EeJSQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2

devices/cross/secrets/default.yaml

@@ -0,0 +1,154 @@
+users:
+    #ENC[AES256_GCM,data:2KeaiyOl51RB,iv:BGqlx1jzOWgG1zaxGfDtWfpbrgFCgAiTbPPMHoRP6KM=,tag:VhbvcwxV561iB03zIhvPQg==,type:comment]
+    xll: ENC[AES256_GCM,data:Y9jk/9yKwYiUeC9h7NkNNRYllyakXco108J8ZPLYQT+u7NsIMZ4kw27IjV4ytwH3k5Xid4jLKEsmKayNAW7kPNdbFfACcugL7w==,iv:cDtPmsHefigsqJZMPqOReVj9YOOgDXQhmulUHYUqYfo=,tag:8SS8dstzuon6f3y4pVA+wQ==,type:str]
+    #ENC[AES256_GCM,data:fptM8gt/IHBZ,iv:gX09x6/ZRXIXG0wOFBUCj6ZtMaTXebcSzvFMsS8vxcY=,tag:M5KFPF8Gmsd87lQ/hqhXnA==,type:comment]
+    zem: ENC[AES256_GCM,data:w0797tV3yFqXbZmhB48kvxK1SJCAFpIjgja2sai2YQB2Z3ELJaQMTIsmgI6p85m/Q15nzFVPdEAsxz6ts3eskRttOSw9mXeNyA==,iv:D3yesKHqbhab1Zk5ZKAm9sKi5KXVt+0JD0pOO5VgptY=,tag:ySURHTqQc0Rxd2u1igZ8Kg==,type:str]
+    #ENC[AES256_GCM,data:XwSZ0w8UgIgR,iv:i4tBBEC/lagRmk7AbzFFjDEnKOzxObkTul/wc+tyyXA=,tag:EKrU4YZ4iOaXpbn/lrZJlw==,type:comment]
+    yjq: ENC[AES256_GCM,data:Oy6b2sl59z2WA5/ifzJoq1KHzvbo+Izwac7yInRPGURxymUU/KvwW8p/XXIJsKkd2BjNaYkdELjNVrhTFd/tRhK+mCy8GSK4Lg==,iv:AGVSFIyqI5HNA+5e+ME3FKKoYMS4MCi4gjaxknord1A=,tag:ayLj6n98F2r62WdDqIaE3w==,type:str]
+    #ENC[AES256_GCM,data:H1WyypgcuhcF,iv:mw2bcXzisgxeUIw6zC4nwHPhsrz5XNIsL72aGyEwyX0=,tag:A2Cb+DuX0BM61TK6/nWEgw==,type:comment]
+    gb: ENC[AES256_GCM,data:ZfcJtiEmdZux90Vqn/L8oq16C10rfRPhxX+FnskJ/+OfdAVheEt9IeIdXpkVfIXU68rIBhDFI60Andm9gmddqoQqHhBj/W9gAA==,iv:fyCkc92YxeIumHODfOU2PWpVfeDJ8RKxKHRfFUYGF0g=,tag:cIn5rZSN8fONNz2GNSUOow==,type:str]
+    #ENC[AES256_GCM,data:5q0u/KpWah5X,iv:FiMDektaHAFHenCT89skQ7gQgoMHdY8BtoyEv0L3npA=,tag:tNtRbpY2bYIUVjLx+IwGvg==,type:comment]
+    wp: ENC[AES256_GCM,data:EcAOCjsqNFzRQtgjgtLn4X7G05cTN/SCmEGCtV/DRISj20Y3kMzbOSmtJoeII7mVA1WITxjhyBXX7abFjD80sZMGF4Th87kXiA==,iv:er9mbrz3F81vHLGPNYiyVO80hOXI3ZjFUuJbMaYWNeE=,tag:le7Fw45V0pdkHoXywdjFsA==,type:str]
+    #ENC[AES256_GCM,data:bh0mHOovPAba,iv:doFuGvLagS17tgNm28J+T1qTvXAzPsenVN3heTDkNts=,tag:e0lsqlvXVk6lDqe1xGkemQ==,type:comment]
+    hjp: ENC[AES256_GCM,data:agAmi5i8cdAC5B75E92PbDGG399AJyI87zbgErtYxM5CHLTBxPjAfqLLEAHTdRbfo53wHQEbG4/fFkunwrHrCdspKtsuFrK4xg==,iv:m+MregSzL5EsuNW/oiJXJIFeq4n1CAaQQV9AKId7rxg=,tag:nOI//Z/4gBfB7F2jwX7cWA==,type:str]
+    #ENC[AES256_GCM,data:jHalo04u3gd+,iv:RjIwI0Kqmy0uVTxRRu1gNG/2eZXnl7iiuC9KOSV1RfU=,tag:Jvza//JVEtLwdtYk5+sY+Q==,type:comment]
+    lly: ENC[AES256_GCM,data:5ZHy3nXe4SoGi+hu+woQwB/h7HyLdDlE6fkO6FXttEW4ZaBjIqiXOz2M9XMTmcMih9S7fGJPXDBD76oHGVY5W5ytyi3i1wyaFg==,iv:RWhQFYAIs5AELumViQRTsVPNfsV59zQYDFVX+DZpPrc=,tag:R3E1IBUAN7XOjrwNEwjZ5A==,type:str]
+    #ENC[AES256_GCM,data:fz4CpQWCXmHX,iv:8UexUxCvtcmk7S8qPdKd3jxro7PspCYX6G7ujAEQ7HM=,tag:LgyieyMQ0zZLD0EW+POeoQ==,type:comment]
+    GROUPIII-1: ENC[AES256_GCM,data:WfdbkyWIDl+lD3xPC5TMBQ+U2hIjHYyhNhnZ1PH9uowSdRCqoPAJ2GS7X35WrlrgTl67ByaTwhXP8r9LR7eL0YwdivTL/wxOXw==,iv:OBaEPQVBeShs+UH2BBIBLGT44tPiVyQ8G1ReZ4jALH0=,tag:SnwGrb3eI57rJUoqE6HR0g==,type:str]
+    #ENC[AES256_GCM,data:OWTTbVhXIxSp,iv:GP6a2S9XdQ0xzTBQ91zkEgrNMtY1WVodTH/F/wh/mqU=,tag:6nzpvk9RFsAJxaL0Qiau0A==,type:comment]
+    GROUPIII-2: ENC[AES256_GCM,data:NMnWdKTGyK9AhrmzdDaxgzeFbbc0TGPlfYzOr7g0zexxBTjyJiwox9thEglkkyA23e5GgNs6zObqUknZT3M7/epzbQDoSQYCmQ==,iv:+nSj1P2LlME48VjSF1t2ziPkhgKiDlLkAaL+PBCV/hU=,tag:41YqBFHAbfrmbf3kVC45CQ==,type:str]
+    #ENC[AES256_GCM,data:0QMjEtxrhSj8,iv:YyMHdZTx/OViWBZ+1CGGAwaOLlqR6WdrKG1g44sZGYE=,tag:N5uMwbWJJF+DGiopdYm2Mw==,type:comment]
+    GROUPIII-3: ENC[AES256_GCM,data:c+HRdDZPugIVI2vmuOlorhjZzxS11c6CJiZ3ZEwFFHfIoIUmGsXoRPGraJ0BjI3W+XZbI6qk211yufTgXLVj7nOVi0PW/9mteg==,iv:H8DlkTjkL/f6Oa2LG3dHRsJuWkEqokUJ/mjMyDnEAc4=,tag:0QmUyfAbYnn7vs4AdwQtYw==,type:str]
+    #ENC[AES256_GCM,data:F347rPlEQZyz,iv:VlbVlc/tFmmoe8lVDza7ZJgHavZ/1NM9mK3KZNVrpbk=,tag:iRdvv0ajtgrJgMe87vBFfA==,type:comment]
+    zzn: ENC[AES256_GCM,data:P76cGOGJK3B7Z3nxZ9BlvvyegJ+4JX25kax7/Bj/0VKsH1cGEfyvNbPH8qYUZqm+zUvqEoFNZKWM4+IQKO7Zo9IXCJhGItL1Nw==,iv:e9lnHecgzSrHJkxumRpKGHzGlYbM5Yov4F4Dd4fIqrc=,tag:G7Cr7d1KZfldzYNRL1eSpA==,type:str]
+    aleksana: ENC[AES256_GCM,data:xRqQLPpcv0Ymz7wV0jDDz1i6eKIZKEXvqofO58VSHEC9aVSTLV7aXLw2kQ8PrAPo4FAkne2F6MYQGRwZFIHOjxfhw+ncXVDHxg==,iv:OSbT/f2LRUFY3DEyCCbWkPzwsrsNdVz6ah5ITRt+Kjc=,tag:00z36RTe76p1uxFCchGcpg==,type:str]
+    #ENC[AES256_GCM,data:xAGWajpTpg2keMthwQ==,iv:sQreB2mExZlWgVsig7885zf4LI6RFSitYUnD4ngvhfQ=,tag:viEY1wUVlDCqKm5ucQWzsA==,type:comment]
+    alikia: ENC[AES256_GCM,data:N4lyS8XZSxP3su+Frz00BPU+II+N6nosu4yOLPSG7zxefcJoG7i5bG3bzb1OQLc/x4fTuD2Wd6mEy6q66cizBkGn3xQHZIaW2w==,iv:FO64ACjOS6+UzWKP5WdcFOGZTzslfetX/VAxyUPZ3ds=,tag:6Kf0MCRUj9cbxyk4TsH8iA==,type:str]
+telegram:
+    token: ENC[AES256_GCM,data:zfMATU2E6cwoiyfszV35vkQG6JSk00y589wmGEf4wQNncPhNsvh+NcSfnTwHTQ==,iv:Q46mUquhUZLGQsCDYitk4IPu24MpVnYmi7aHyZL/b1E=,tag:QVbrwAA9mWK/ToJfGIs9ug==,type:str]
+    user:
+        chn: ENC[AES256_GCM,data:mTt2D+SkvVL8,iv:L0Pk5p46E2kKBdRWCGpwOKS0BsbIhZUslpIFWvkssMY=,tag:+AjbNJ1SW/8Mx1HLpWAd2w==,type:str]
+        hjp: ENC[AES256_GCM,data:ZXTQhax0gT4PKw==,iv:MerbaWWC4SLazEuuJrxAxf9e5aaX9xpq9St+h9aqvMQ=,tag:x9knShK90OKZPcn9fKzvMA==,type:str]
+acme:
+    token: ENC[AES256_GCM,data:M8/R019chds8zr2BqnRnKP40NZxwq4fz06NaOeOOFYecLyDjIOq5mg==,iv:VPr4XD0Y+6G1P1xwMDyrWPiTvCYdiMV0nPcmqCvIA3Y=,tag:KEyCIHRmRkNviA4bMTMybg==,type:str]
+nginx:
+    maxmind-license: ENC[AES256_GCM,data:MtmNo6hHlU75N6PvzF7P5i6Q+myV4Keb1JRXVeHxTennNpKfAndsKg==,iv:DqM91JX+1WX8Zqzha2Tm3ztFaSzKYQg+b9NvUm+6jxY=,tag:XnDTBL9MA/B8XfPZqdk7Eg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2RzdocjRWTTFGWVdqb2JE
+            RDBiWjVNOHBSMlFNMHZOOFYxRzlVZmhKQ2w0CkpGbHRnNTY2NGdzVGx5QmprblNZ
+            YmxCd2Q2VW1SOVZIeDk3Q09LdHdheG8KLS0tIFl5WThUOGozc0xBYVBVVEVFdU4v
+            N2NKcnAwUE8zMDJhaWhqWTljNHppSjgKp4cb4FLsULkDS1VPZT9TLe8z8IH5Jt4d
+            nCqerHvO5j8yo3tPs0BXS675i2HAnup0KQZay7NV7bztbRhWtTiF/A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ffvr5pqd2lfj24e3fh53s92z6h76fda3du4y4k6r3yjumdwvpfgqzj033a
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlMnJuVVJjTWRIdzdiYlVS
+            RHo1OEx3Y29yL3NuVmduN1loaTgxR01kVXowCjl0ZVhVd1liUnJSWEVRNlR5MzdY
+            R29Pc0dJSXJvb2FjTDAwRW9xUCtQT2MKLS0tIFRUdHovemMvQkhUbkYzSVZyWmkv
+            ZGlKUHAySWVlKytIUThXQlNPSERadEkK8L3GpqrTiuRaFtICkQmc8RSxBz2XykMZ
+            irVZmqwE3787Ku3obqdBNPyB6w6tBGuf2g13PBpbctlYEioz9k5gKQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age164tyqklwhdm57tfm5u863mdt2xrzrrzac4py8a0j9y6kzqcjy9zsp073t6
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSWDViT3JyRktZYldxN3Z0
+            V3RWSXlOT0JEd0xJWlk3TzUyRFpFRytSRmtzCk4vNUk0UFN3bkRaaGdzenFwK3Ez
+            WjdDVi80RGdENmp3TzBuRElFQmVwMmMKLS0tIHpsZU1XQ3p5N3FwNjJmRHMrSFVI
+            TE9odnJrWGx6UFltTjN3WHNobTlqa3cKifobNMMKnEckbPp+mfeQVDldbLzvGM4/
+            y6oSeXQzRKQwFOIH6z4nQjMiMKvpHDEcIbTzCrQ0QCxGKywH6PzmuQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age137x7csalutwvfygvvzpemlsywvdxj3j4z93a50z2sjx03w6zau8q3r5902
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHS1lrQmkyRVNkWFFhWEpm
+            MXhOOEVWTTZQdkp6ajlFVGEvdmd1QlVQQXlBCjc5a1RobjhOb0ZXL2ZlSFVxV2hP
+            OXVVMXpqN2hGQnZOcmVVbzBQT3QvYTQKLS0tIE1KSm5RRDBabTBTaDl4d29Fb1o3
+            Wk5MNy9hQ1E1eTdzdG1Yb3Z2NlNTZlkKivBHX1XApj7EGG4k2N/5quJ2bINNt5lF
+            DTFZfjfZY5TKMxq+/LoxMB9i/eRXxcUNUA9Bkex0HhE+VZS2AcTgAw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age19lhcwk37jmvn6z0v4dpdfh0k4u23f76twdjknc0p7atktf37rd7s4t4wj3
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpKy8yRHphTTcwc0dhYWFV
+            SnNEZWQ4d1d6Qmx1VGJ3aVdJRms3SDZ1NkdzCjVpYUx0bW0vb1NMKzlQOWU5YWdT
+            VlhXdEk0bGMvR0hjOFNBMWJuS2NUNlEKLS0tIENQWDZROFRuODh0N3h2RzVSVDZE
+            c25adTFUVUh4NThIb0F4aStlUVJGaFkKirqc9ny+BYJgNuGlwLxdpTSPVe3V69oO
+            qGN+m/nWfoPGO1hWZ55qR08P94VcP7KW0eK9r+TdrwQp9T1rOtHWZA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1m7nrxfw22wvp7pj8y9pdl745w95x89uu8dzl9ppsaazweqf2lqms5yshsp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJaWpFOUV1S2lGREdZak45
+            OVhCSk40OTMwMVhKZWJibmFsY0o1aE1PQWk4Cit6emhXU1QzV0ZueWs5R3VTRUg4
+            TjZrK2RIOUN1ZU12THZqR09YeWtyMjQKLS0tIFR4SUlCYk1rd2U4SlkvRi9SODR6
+            Nk5KamEzUTJkNi9lOFN3VXlEME5LN0kKwjcReB2V8kpavQTXift2KmHm603zTzw9
+            Cx+UO+hkOQGsOLg+Q9A8t850vuqwuq28XHFQFJ7Ac5owhxCpriH9uA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1nzetyehldf3gl6pr6mu5d2cv387p8wjqn6wfpll7a3sl8us6n38s0ds633
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJUm5INDhONE9hZjU5MGRn
+            ZzZLdUNPeHNSSHUrZzRxbTdjRGxhd2wyRWgwCjMzc2UrUEVOUTJqckR6WXpRR1p5
+            TlA5MUtFRXBjazBhc3Rzc3MraFl1dzQKLS0tIFpYajU3Q2hPajhFbURSaXZ3MURT
+            UXduR3Vvam54RmhoQkdrN1N2ejdEVmsKeC/robT8ijuPAQt75xnLFi+cz9i0idfU
+            xCgD6JpqaIMwalpIAuVh6KD/tE9mwWIZSeNk2InGX7/bWmMEB8Dcgw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1wj33xt8nj7rhnsenepsf6k3lmq5vk4wn84jwr55qy9cwu05xn5cspg3h7t
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJUENVYm1DQ2h1aUxQaE5u
+            VlBIcU8rdzNaZk5wWHpPNnhPUlVIWGtucjFFCmY4dWdSMy9WSWhBWmZUZGVnWlNP
+            K0lFK1NLcGpzSDRXSG5SaUdxamgxekkKLS0tIGJWR0dTZ3kyd0dZSVRQVE93Rytl
+            R1pKVklVbUlZZk1IaUpYVzlQUkplV1kKKN8vFbUrnsxgw5ViYoMBoyxqUOxnpmaQ
+            YqMYedsrnvWvCx9xyu3Kj/MJ88zQchJzdVfg0dUcbY6KRz51m9HE2Q==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age16e7ykphshal6qhwfvat698hl48s8yr0jvzh27ecdyfh5uk7t9u6s753jgy
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvTmhtaXFZL1dTV1FZVktv
+            VUFMc2o3U2pubTgvbmNZMVIvcGVOZ0UrNGlrCnRwMENSUi80aWxjZ0xpQTVaU2Qr
+            OVUzYVdVTFpxWVB0WXZKTkV0akwxK0EKLS0tIEovQkZzMUFlM210MFZuMHdqVi8r
+            ZTR1VVB5akRxeWVtaUxoYUxKOEpSUzQK5sh8HyaZY1ww5vcoIktuVs/XUF88HYAO
+            tmJiqZniKeOJT4xpBCQoelJ++oVzSqEAg4h5jgCXWN6dstrc71oVrA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1l4stuz0vr7gs7pqwjrmezam44702jp2vmqaqyxw0l0r42kf9updq4dfhrw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjSWdybjBIZ2dieFZUbXY0
+            RjNZc200SXBrMkM2b2NQY01vQ2dUQ3RYWURZCnY1bUJ5TjZkdllxRkhRc1VkbVpR
+            cU5YU2V0RUhuaVFHNXhTd0JGNzVZVk0KLS0tIEc1L1dqYkZsN2xNMnlhKzgyeXRC
+            Z0YybnhlK0tNQWw0UXNsY0hzcFVTVncKXXjQiIi4TAdDbeoL7uN0IQmjd1koP0OX
+            2CVpK81DSNGPhS9wvrwE8QHkY10q07CHPWl7qr45ksD1XNG4PoTTFA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1hnarptkze0ujpp05dqr8uma04cxg9zqcx68qgpks5uf5l6rpk5gqhh8wxg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjbi9wUEpGdjBYOE94NG1B
+            SXB5clBwdDl1OTZPcjdMMmU4ODlUQndBejI4CldtWDFlNjl6bG5IcUErZVE0OENx
+            QlBQYThrdzA5eDBMbk5acXYzb3BxVlUKLS0tIEJEc2MrejlSS0RVUkh2R2x0cjU5
+            QUVaU2I4eHc3MGxaTzd2VW5hN3RscW8KzzdxiJ2BLDUEKAq+a1dVzJp3uAD39hUV
+            gMsCnltQoWjGOFHWIXVWSOCB5HQ8MxeZpt8N/ZYKM1UnfhBFDfXRWw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1n4lhfwv7g0vhx54exmwx9yv2z04m3h2lunzpa5zdzgtcvjjuf5nqc36g8a
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPdVFHbnpZWjZDRWh5Z24y
+            WmFWUGJ3bi9tbW9OYWJaOFQxdWtQYms0dUU4CmpRUnlLbTliY0FqS2JwMGpLNTgw
+            cGN4MUVJeEI4WEhYcjRDSDIxS2NKWGcKLS0tIExQc0xvd0pFK25IWml0RDgxVlpU
+            ZGsrNGpmYXFUUEEvVktjbnF5RHJ0eVkKJ6n4gnl0zcq9mHTWL+5bxJeLE1qKqAKV
+            3ycuAffiQ0Oxv1tSOXjt6ODSds7jDS3Kq2I7q4nG5eqZLiwFXCh25Q==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-05-03T10:05:18Z"
+    mac: ENC[AES256_GCM,data:E2Z+aQnvSmUcB26NCE1muh7dUdiSdLqwvZ7QQOV16VsazMNAFPv7WcXfxmRihfA3KZN6aI3xUl2IbIGbe3n1ulGeg6KivjsBA6od7fSenKj/JhdZCE2T0L/nJTQcqX9cnlKfcMovBqDcTWuSe3jEu+G9d9OoetIXJm44cpVeYvo=,iv:WHIogHg4gUImd2ELOCqZL3U8/4u64GUWVdLtY3o0Cts=,tag:fyFUzQJZRyUxeGfeSgtbkg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2

devices/cross/ssh.nix

@@ -0,0 +1,113 @@
+inputs:
+let
+  devices =
+  {
+    vps6 =
+    {
+      publicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIO5ZcvyRyOnUCuRtqrM/Qf+AdUe3a5bhbnfyhw2FSLDZ";
+      # 通过 initrd.xxx.chn.moe 访问
+      initrdPublicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIB4DKB/zzUYco5ap6k9+UxeO04LL12eGvkmQstnYxgnS";
+    };
+    vps7 =
+    {
+      publicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIF5XkdilejDAlg5hZZD0oq69k8fQpe9hIJylTo/aLRgY";
+      initrdPublicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIGZyQpdQmEZw3nLERFmk2tS1gpSvXwW0Eish9UfhrRxC";
+      # 默认仅包括wireguard访问的域名和直接访问的域名，这里写额外的域名
+      extraAccess = [ "ssh.git" ];
+    };
+    nas =
+    {
+      publicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIIktNbEcDMKlibXg54u7QOLt0755qB/P4vfjwca8xY6V";
+      initrdPublicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIAoMu0HEaFQsnlJL0L6isnkNZdRq0OiDXyaX3+fl3NjT";
+    };
+    one.publicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIC5i2Z/vK0D5DBRg3WBzS2ejM0U+w3ZPDJRJySdPcJ5d";
+    pc.publicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIMSfREi19OSwQnhdsE8wiNwGSFFJwNGN0M5gN+sdrrLJ";
+    srv1-node0 =
+      { publicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIDm6M1D7dBVhjjZtXYuzMj2P1fXNWN3O9wmwNssxEeDs"; extraAccess = [ "srv1" ]; };
+    srv1-node1 =
+    {
+      publicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIIFmG/ZzLDm23NeYa3SSI0a0uEyQWRFkaNRE9nB8egl7";
+      # 不能直接访问，需要通过哪个机器跳转
+      proxyJump = "srv1";
+    };
+    srv1-node2 =
+    {
+      publicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIDhgEApzHhVPDvdVFPRuJ/zCDiR1K+rD4sZzH77imKPE";
+      proxyJump = "srv1";
+    };
+    srv2-node0 =
+      { publicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIJZ/+divGnDr0x+UlknA84Tfu6TPD+zBGmxWZY4Z38P6"; extraAccess = [ "srv2" ]; };
+    srv2-node1 =
+    {
+      publicKey = "AAAAC3NzaC1lZDI1NTE5AAAAINTvfywkKRwMrVp73HfHTfjhac2Tn9qX/lRjLr09ycHp";
+      proxyJump = "srv2";
+    };
+    srv3 =
+    {
+      publicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIIg2wuwWqIOWNx1kVmreF6xTrGaW7rIaXsEPfCMe+5P9";
+      initrdPublicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIPW7XPhNsIV0ZllaueVMHIRND97cHb6hE9O21oLaEdCX";
+    };
+  };
+in
+{
+  config =
+  {
+    programs.ssh.knownHosts = builtins.listToAttrs (builtins.concatLists (builtins.map
+      (device:
+      [{
+        inherit (device) name;
+        value =
+        {
+          publicKey = "ssh-ed25519 ${device.value.publicKey}";
+          hostNames =
+            # 直接访问
+            [ "${device.name}.chn.moe" ]
+            # 通过 wirewireguard 访问
+            ++ (builtins.map (net: "${net}.${device.name}.chn.moe")
+              (builtins.attrNames inputs.topInputs.self.config.dns.wireguard.net))
+            # 额外的域名
+            ++ (builtins.map (domain: "${domain}.chn.moe") device.value.extraAccess or []);
+        };
+      }]
+        ++ inputs.lib.optionals (device.value ? initrdPublicKey)
+        [{
+          name = "initrd.${device.name}";
+          value =
+          {
+            publicKey = "ssh-ed25519 ${device.value.initrdPublicKey}";
+            hostNames = [ "initrd.${device.name}.chn.moe" ];
+          };
+        }])
+      (inputs.localLib.attrsToList devices)));
+    nixos.user.sharedModules = [{ config.programs.ssh.matchBlocks =
+      let genericConfig =
+        { forwardX11 = true; forwardX11Trusted = true; forwardAgent = true; extraOptions.AddKeysToAgent = "yes"; };
+      in builtins.listToAttrs (builtins.concatLists (builtins.concatLists
+      [
+        # 直接访问
+        (builtins.map
+          (device: builtins.map
+            (name:
+            {
+              inherit name;
+              value = genericConfig //
+                { host = name; hostname = "${name}.chn.moe"; proxyJump = device.value.proxyJump or null; };
+            })
+            ((device.value.extraAccess or []) ++ [ device.name ]))
+          (inputs.localLib.attrsToList devices))
+        # 通过 wireguard 访问
+        (builtins.concatLists (builtins.map
+          (net: builtins.map
+            (device: builtins.map
+              (name:
+              {
+                name = "${net}.${name}";
+                value = genericConfig // { host = "${net}.${name}"; hostname = "${net}.${name}.chn.moe"; };
+              })
+              ((device.value.extraAccess or []) ++ [ device.name ]))
+            (inputs.localLib.attrsToList devices))
+          (builtins.attrNames inputs.topInputs.self.config.dns.wireguard.net)))
+      ]));
+    }];
+  };
+}

devices/cross/wireguard.nix

@@ -0,0 +1,245 @@
+inputs:
+let
+  publicKey =
+  {
+    vps6 = "AVOsYUKQQCvo3ctst3vNi8XSVWo1Wh15066aHh+KpF4=";
+    vps7 = "n056ppNxC9oECcW7wEbALnw8GeW7nrMImtexKWYVUBk=";
+    pc = "l1gFSDCeBxyf/BipXNvoEvVvLqPgdil84nmr5q6+EEw=";
+    nas = "xCYRbZEaGloMk7Awr00UR3JcDJy4AzVp4QvGNoyEgFY=";
+    one = "Hey9V9lleafneEJwTLPaTV11wbzCQF34Cnhr0w2ihDQ=";
+    srv1-node0 = "Br+ou+t9M9kMrnNnhTvaZi2oNFRygzebA1NqcHWADWM=";
+    srv1-node1 = "wyNONnJF2WHykaHsQIV4gNntOaCsdTfi7ysXDsR2Bww=";
+    srv1-node2 = "zWvkVyJwtQhwmxM2fHwNDnK+iwYm1O0RHrwCQ/VXdEo=";
+    srv2-node0 = "lNTwQqaR0w/loeG3Fh5qzQevuAVXhKXgiPt6fZoBGFE=";
+    srv2-node1 = "wc+DkY/WlGkLeI8cMcoRHcCcITNqX26P1v5JlkQwWSc=";
+    srv3 = "a1pUi12SN6fIFiHA9W0N1ycuSz1fWUSpZnjz20OPaBk=";
+  };
+  dns = inputs.topInputs.self.config.dns.wireguard;
+  networks = # 对于每个网络，只需要设置每个设备的 listenPort，以及每个设备的每个 peer 的 publicKey endpoint allowedIPs
+  {
+    # 星形网络，所有流量通过 vps6 中转
+    wg0 = let vps6ListenIp = "144.34.225.59"; in
+    {
+      devices =
+      {
+        vps6 =
+        {
+          listenPort = 51820;
+          peer = builtins.listToAttrs (builtins.map
+            (peerName:
+            {
+              name = peerName;
+              value =
+              {
+                publicKey = publicKey.${peerName};
+                allowedIPs = [ "192.168.${builtins.toString dns.net.wg0}.${builtins.toString dns.peer.${peerName}}" ];
+              };
+            })
+            (inputs.lib.remove "vps6" (builtins.attrNames publicKey)));
+        };
+      }
+      // (builtins.listToAttrs (builtins.map
+        (deviceName:
+        {
+          name = deviceName;
+          value.peer.vps6 =
+          {
+            publicKey = publicKey.vps6;
+            endpoint = "${vps6ListenIp}:51820";
+            allowedIPs = [ "192.168.${builtins.toString dns.net.wg0}.0/24" ];
+          };
+        })
+        (inputs.lib.remove "vps6" (builtins.attrNames publicKey))));
+    };
+    # 两两互连
+    wg1 =
+      let
+        inherit (inputs.topInputs.self.config.dns."chn.moe") getAddress;
+        # 设备之间可以直接连接的子网
+        # 若一个设备可以主动接受连接，则设置它接受连接的 ip；否则设置为 null
+        subnet =
+        [
+          # 所有设备都可以连接到公网，但只有有公网 ip 的设备可以接受连接
+          (builtins.listToAttrs
+          (
+            (builtins.map (n: { name = n; value = getAddress n; }) [ "vps6" "vps7" "srv3" ])
+              ++ (builtins.map (n: { name = n; value = null; }) [ "pc" "nas" "one" "srv1-node0" "srv2-node0" ])
+          ))
+          # 校内网络
+          (builtins.listToAttrs
+          (
+            (builtins.map (n: { name = n; value = getAddress n; }) [ "srv1-node0" "srv2-node0" ])
+              ++ (builtins.map (n: { name = n; value = null; }) [ "pc" "nas" "one" ])
+          ))
+          # 办公室或者宿舍局域网
+          (builtins.listToAttrs (builtins.map (n: { name = n; value = getAddress n; }) [ "pc" "nas" "one" ]))
+          # 集群内部网络
+          (builtins.listToAttrs (builtins.map
+            (n: { name = "srv1-node${builtins.toString n}"; value = "192.168.178.${builtins.toString (n + 1)}"; })
+            (builtins.genList (n: n) 3)))
+          (builtins.listToAttrs (builtins.map
+            (n: { name = "srv2-node${builtins.toString n}"; value = "192.168.178.${builtins.toString (n + 1)}"; })
+            (builtins.genList (n: n) 2)))
+        ];
+        # 给定起止点，返回最短路径的第一跳的目的地
+        # 如果两个设备不能连接，返回 null; 
+        # 如果可以直接、主动连接，返回 { ip = 地址; }；如果可以直接连接但是被动连接，返回 { ip = null; }；
+        # 如果需要中转，返回 { jump = 下一跳; }
+        connection =
+          let
+            # 将给定子网翻译成一列边，返回 [{ dev1 = null or ip; dev2 = null or ip; }]
+            netToEdges = subnet:
+              let devWithAddress = builtins.filter (n: subnet.${n} != null) (builtins.attrNames subnet);
+              in inputs.lib.unique (builtins.concatLists (builtins.map
+                (dev1: builtins.map
+                  (dev2: { "${dev1}" = subnet."${dev1}"; "${dev2}" = subnet."${dev2}"; })
+                  (inputs.lib.remove dev1 (builtins.attrNames subnet)))
+                devWithAddress));
+            # 在一个图中加入一个边，current 的结构是：from.to = null or { ip = "" or null; length = l; jump = ""; }
+            addEdge = current: newEdge: builtins.mapAttrs
+              (nameFrom: valueFrom: builtins.mapAttrs
+                (nameTo: valueTo:
+                  # 忽略自己到自己的路
+                  if nameFrom == nameTo then null
+                  # 如果要加入的边包含起点
+                  else if newEdge ? "${nameFrom}" then
+                    # 如果要加入的边包含终点，那么这两个点可以直连
+                    if newEdge ? "${nameTo}" then { ip = newEdge.${nameTo}; length = 1; }
+                    else let edgePoint2 = builtins.head (inputs.lib.remove nameFrom (builtins.attrNames newEdge)); in
+                      # 如果边的另外一个点到终点可以连接
+                      if current.${edgePoint2}.${nameTo} != null then
+                        # 如果之前不能连接，则使用新的连接
+                        if current.${nameFrom}.${nameTo} == null then
+                          { jump = edgePoint2; length = 1 + current.${edgePoint2}.${nameTo}.length; }
+                        # 如果之前可以连接，且新连接更短，同样更新连接
+                        else if current.${nameFrom}.${nameTo}.length > 1 + current.${edgePoint2}.${nameTo}.length then
+                          { jump = edgePoint2; length = 1 + current.${edgePoint2}.${nameTo}.length; }
+                        # 否则，不更新连接
+                        else current.${nameFrom}.${nameTo}
+                      # 否则，不更新连接
+                      else current.${nameFrom}.${nameTo}
+                  # 如果要加入的边包不包含起点但包含终点
+                  else if newEdge ? "${nameTo}" then
+                    let edgePoint2 = builtins.head (inputs.lib.remove nameTo (builtins.attrNames newEdge)); in
+                    # 如果起点与另外一个点可以相连
+                    if current.${nameFrom}.${edgePoint2} != null then
+                      # 如果之前不能连接，则使用新的连接
+                      if current.${nameFrom}.${nameTo} == null then
+                      {
+                        jump = current.${nameFrom}.${edgePoint2}.jump or edgePoint2;
+                        length = current.${nameFrom}.${edgePoint2}.length + 1;
+                      }
+                      # 如果之前可以连接，且新连接更短，同样更新连接
+                      else if current.${nameFrom}.${nameTo}.length > current.${nameFrom}.${edgePoint2}.length + 1 then
+                      {
+                        jump = current.${nameFrom}.${edgePoint2}.jump or edgePoint2;
+                        length = current.${nameFrom}.${edgePoint2}.length + 1;
+                      }
+                      # 否则，不更新连接
+                      else current.${nameFrom}.${nameTo}
+                    # 如果起点与另外一个点不可以相连，则不改变连接
+                    else current.${nameFrom}.${nameTo}
+                  # 如果要加入的边不包含起点和终点
+                  else
+                    let
+                      edgePoints = builtins.attrNames newEdge;
+                      p1 = builtins.elemAt edgePoints 0;
+                      p2 = builtins.elemAt edgePoints 1;
+                    in
+                      # 如果起点与边的第一个点可以连接、终点与边的第二个点可以连接
+                      if current.${nameFrom}.${p1} != null && current.${p2}.${nameTo} != null then
+                        # 如果之前不能连接，则新连接必然是唯一的连接，使用新连接
+                        if current.${nameFrom}.${nameTo} == null then
+                        {
+                          jump = current.${nameFrom}.${p1}.jump or p1;
+                          length = current.${nameFrom}.${p1}.length + 1 + current.${p2}.${nameTo}.length;
+                        }
+                        # 如果之前可以连接，那么反过来一定也能连接，选取三种连接中最短的
+                        else builtins.head (inputs.lib.sort
+                          (a: b: if a == null then false else if b == null then true else a.length < b.length)
+                          [
+                            # 原先的连接
+                            current.${nameFrom}.${nameTo}
+                            # 正着连接
+                            {
+                              jump = current.${nameFrom}.${p1}.jump or p1;
+                              length = current.${nameFrom}.${p1}.length + 1 + current.${p2}.${nameTo}.length;
+                            }
+                            # 反着连接
+                            {
+                              jump = current.${nameFrom}.${p2}.jump or p2;
+                              length = current.${nameFrom}.${p2}.length + 1 + current.${p1}.${nameTo}.length;
+                            }
+                          ])
+                      # 如果正着不能连接、反过来可以连接，那么反过来连接一定是唯一的通路，使用反向的连接
+                      else if current.${nameFrom}.${p2} != null && current.${p1}.${nameTo} != null then
+                      {
+                        jump = current.${nameFrom}.${p2}.jump or p2;
+                        length = current.${nameFrom}.${p2}.length + 1 + current.${p1}.${nameTo}.length;
+                      }
+                      # 如果正着连接、反向连接都不行，那么就不更新连接
+                      else current.${nameFrom}.${nameTo})
+                valueFrom)
+              current;
+            # 初始时，所有点之间都不连接
+            init = builtins.listToAttrs (builtins.map
+              (dev1:
+              {
+                name = dev1;
+                value = builtins.listToAttrs (builtins.map
+                  (dev2: { name = dev2; value = null; })
+                  (builtins.attrNames publicKey));
+              })
+              (builtins.attrNames publicKey));
+          in builtins.foldl' addEdge init (builtins.concatLists (builtins.map netToEdges subnet));
+      in
+      {
+        devices = builtins.listToAttrs (builtins.map
+          (deviceName:
+          {
+            name = deviceName;
+            value =
+            {
+              listenPort = 51820 + dns.peer.${deviceName};
+              peer = builtins.listToAttrs (builtins.concatLists (builtins.map
+                (peerName:
+                  # 如果不能直连，就不用加 peer
+                  inputs.lib.optionals (connection.${deviceName}.${peerName} ? ip)
+                  [{
+                    name = peerName;
+                    value =
+                    {
+                      publicKey = publicKey.${peerName};
+                      allowedIPs =
+                        [ "192.168.${builtins.toString dns.net.wg1}.${builtins.toString dns.peer.${peerName}}" ]
+                        ++ builtins.map
+                          (destination:
+                            "192.168.${builtins.toString dns.net.wg1}.${builtins.toString dns.peer.${destination}}")
+                          (builtins.filter
+                            (destination: connection.${deviceName}.${destination}.jump or null == peerName)
+                            (builtins.attrNames publicKey));
+                    }
+                      // inputs.lib.optionalAttrs (connection.${deviceName}.${peerName}.ip != null)
+                      {
+                        endpoint = "${connection.${deviceName}.${peerName}.ip}:"
+                          + builtins.toString (51820 + dns.peer.${peerName});
+                      };
+                  }])
+                (inputs.lib.remove deviceName (builtins.attrNames publicKey))));
+            };
+          })
+          (builtins.attrNames publicKey));
+      };
+  };
+in
+{
+  config.nixos.services.wireguard = inputs.lib.mkMerge (builtins.map
+    (network:
+      let inherit (inputs.config.nixos.model) hostname;
+      in inputs.lib.optionalAttrs (network.value.devices ? ${hostname}) { ${network.name} =
+        network.value.devices.${hostname}
+        // {
+          ip = "192.168.${builtins.toString dns.net.${network.name}}.${builtins.toString dns.peer.${hostname}}";
+        };})
+    (inputs.localLib.attrsToList networks));
+}

devices/jykang.xmuhpc/default.nix

@@ -0,0 +1,15 @@
+# sudo nix build --store 'local?store=/data/gpfs01/jykang/.nix/store&real=/nix/store' .#jykang
+# sudo nix-store --store 'local?store=/data/gpfs01/jykang/.nix/store&real=/nix/store' -qR ./result | sudo xargs nix-store --store 'local?store=/data/gpfs01/jykang/.nix/store&real=/nix/store' --export > data.nar
+# cat data.nar  | nix-store --import
+inputs:
+let pkgs = import inputs.nixpkgs (import ../../modules/system/nixpkgs/buildNixpkgsConfig.nix
+{
+  inputs = { inherit (inputs.nixpkgs) lib; topInputs = inputs; };
+  nixpkgs = { march = null; cuda = null; nixRoot = "/data/gpfs01/jykang/.nix"; };
+});
+in pkgs.symlinkJoin
+{
+  name = "jykang";
+  paths = with pkgs; [ hello iotop gnuplot ];
+  postBuild = "echo ${inputs.self.rev or "dirty"} > $out/.version";
+}

devices/jykang.xmuhpc/files/.bashrc

@@ -35,7 +35,7 @@ if [ -f /etc/bashrc ]; then
 fi
 
 if [ -z "${BASHRC_SOURCED-}" ]; then
-	export PATH=$HPCSTAT_SSH_BINDIR:$PATH:$HOME/bin:$HOME/linwei/chn/software/scripts
+	export PATH=$HPCSTAT_SSH_BINDIR:$PATH:$HOME/bin:$HOME/linwei/chn/software/scripts:$HOME/.nix/state/gcroots/current/bin
 	export BASHRC_SOURCED=1
 	if [ "${HPCSTAT_SUBACCOUNT}" == "lyj" ]; then
 		export PATH=$HOME/wuyaping/lyj/bin:$PATH

devices/nas/default.nix

@@ -4,6 +4,7 @@ inputs:
   {
     nixos =
     {
+      model = { type = "desktop"; private = true; };
       system =
       {
         fileSystems =
@@ -11,58 +12,22 @@ inputs:
           mount =
           {
             vfat."/dev/disk/by-uuid/627D-1FAA" = "/boot";
-            btrfs =
-            {
-              "/dev/mapper/nix"."/nix" = "/nix";
-              "/dev/mapper/root3" =
-              {
-                "/nix/rootfs" = "/nix/rootfs";
-                "/nix/persistent" = "/nix/persistent";
-                "/nix/nodatacow" = "/nix/nodatacow";
-                "/nix/rootfs/current" = "/";
-                "/nix/backup" = "/nix/backup";
-              };
-            };
+            btrfs."/dev/mapper/root3" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
           };
-          luks.manual =
-          {
-            enable = true;
-            devices =
-            {
-              "/dev/disk/by-uuid/a47f06e1-dc90-40a4-89ea-7c74226a5449".mapper = "root3";
-              "/dev/disk/by-uuid/b3408fb5-68de-405b-9587-5e6fbd459ea2".mapper = "root4";
-              "/dev/disk/by-uuid/a779198f-cce9-4c3d-a64a-9ec45f6f5495" = { mapper = "nix"; ssd = true; };
-            };
-            delayedMount = [ "/" "/nix" ];
-          };
-          swap = [ "/nix/swap/swap" ];
+          swap = [ "/dev/mapper/swap" ];
           rollingRootfs.waitDevices = [ "/dev/mapper/root4" ];
         };
         initrd.sshd = {};
         nixpkgs.march = "silvermont";
-        nix.substituters = [ "https://nix-store.chn.moe?priority=100" ];
         networking = {};
       };
       hardware = { cpus = [ "intel" ]; gpu.type = "intel"; };
       services =
       {
-        snapper.enable = true;
         sshd = {};
         xray.client = { enable = true; dnsmasq.hosts."git.nas.chn.moe" = "127.0.0.1"; };
-        smartd.enable = true;
-        beesd.instances =
-        {
-          root = { device = "/"; hashTableSizeMB = 4096; threads = 4; };
-          nix = { device = "/nix"; hashTableSizeMB = 128; };
-        };
-        wireguard =
-        {
-          enable = true;
-          peers = [ "vps6" ];
-          publicKey = "xCYRbZEaGloMk7Awr00UR3JcDJy4AzVp4QvGNoyEgFY=";
-          wireguardIp = "192.168.83.4";
-        };
-        misskey.instances.misskey = {};
+        beesd = { "/" = { hashTableSizeMB = 10 * 128; threads = 4; }; "/nix" = {}; };
+        nfs."/" = inputs.topInputs.self.config.dns."chn.moe".getAddress "wg1.pc";
       };
     };
   };

devices/nas/secrets.yaml

@@ -1,15 +1,11 @@
 xray-client:
     uuid: ENC[AES256_GCM,data:97aX07G5FPumdWcDxnYOs6fRgljXWuwyNXGg1d7zdbUUfNnb,iv:+wAC/DZXsg+evYFA4DMfLw5Ut3ExQl1RgZ/2AsNQDpo=,tag:ebD77muITHof+FQMydWobg==,type:str]
-acme:
-    token: ENC[AES256_GCM,data:OrYgBRU1VPpkpDzYMFHINfPSHsXEKABdZOcgiAiBJKcreBoaSVHUvg==,iv:XIeZPJhzmUi5ZHKBCYN5UA9HWH1K+26SvcIWVrHAYDA=,tag:3F93syLBZjcHwnRRkUEjlw==,type:str]
-wireguard:
-    privateKey: ENC[AES256_GCM,data:VPlB4wSbWqSYw3rYRwfAMa39xrPcPZfz7sV2Cq3rmOhifnUPwggxnA+51do=,iv:utnyrB6Yfe5O94Oq4HDVFm/lQ9ZBoyvUT68r2G2PdwA=,tag:snm01vA+z2yKK8d2i5i2ig==,type:str]
-nginx:
-    maxmind-license: ENC[AES256_GCM,data:ezBawTyn+oPKKy6sQuj2BQXhnO4PTbxYWRpQR9URCxqD7bFlnmWU1Q==,iv:eD4yLDA209x6HFtDaqyj8kRxTImdyZCgOminHWb9vt4=,tag:mx+qPp4L9jHRvL90XH1RwA==,type:str]
-redis:
-    misskey-misskey: ENC[AES256_GCM,data:daHnurnqW0MI2uHd3gNT+ZczmytRdwBSsHGkCwNH9hJFMJW/U56HtjG5ivOQzYprWJ5uzgN98ivocbwzJEAGfg==,iv:aE9kvEErN06FNPPFQNchbmg/+SJCKT3QzCN/JTlZovk=,tag:iMo3MTssxKKT02zi8gCZPA==,type:str]
-postgresql:
-    misskey_misskey: ENC[AES256_GCM,data:QhsmKzYmAV0kGPhtRjTK7npt/Nop5JM9EFPpD8K6KfUJ48w+r+4vTORmERu7D2+fE3XDXxNZeSJg//bGxMmhfg==,iv:qkjkrqepjQ4kbwoaceQSzEP5TjLsiY7ih/ESj5RFpHw=,tag:UtZVW30xcsbGUjU2HjoUvw==,type:str]
+wireguard: ENC[AES256_GCM,data:JaOSq474mGOoQQcdJ/j9fYo2e1vjXMPxJ69TOd079FrSkbzbIteWww5f8Xo=,iv:uy/NC2+tibL61XJDZK/spKjV9u0oXK4YzjFjYmCAL0k=,tag:en+c8cHaPvDqJL+EpQjr0g==,type:str]
+wireless:
+    #ENC[AES256_GCM,data:wjStmDz44D13rg==,iv:7Qdqk/3VfS6kZNMSD6P4zyuRkzgIb1PcH56rWBhuD80=,tag:RVfRu9zMAenZBk3+RFC9wg==,type:comment]
+    "457": ENC[AES256_GCM,data:at6sfLdZUj7JTkumDLzoBoM6rNH3SGXvzso2ryYEXiFzy24e8cMKql2Sw3CHqWH9+cS6+rzuRLLeLJQMDN3dHw==,iv:nHEdqAIF7WK6kPkm01LoDmypvkHOhIR+tf9cAlv+1hs=,tag:3lMuOZ4qatv1LOSMwMiEoQ==,type:str]
+store:
+    signingKey: ENC[AES256_GCM,data:Y1nbOt2boQQ94oBjQDoH7J7tkCIVx4f7Nrq0AC5Bqq/uGZnd7UCPv8hLnbjVcPTPHLMwnwzD9yvdYrLv+Q2HZJJQfQjO+sXkVZI4TpFJkqTofvrmDk4PL5tkh/4=,iv:eOM6wCO/qQaf5MMXWLROKFkfo6avm6IWWpgK1mNx6VY=,tag:ZC5xsTDdyCe1VxaBIC0ozQ==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -34,8 +30,8 @@ sops:
             by9Rd0U0bzNiK21BQTNxN1RuQ09DQVkKJmSlzV5ppEkZFljsS17ZWmoI++fz4tJh
             kTdoAStG1zsKASHyZTsmdm3RBDO3qV1KhQC2gC7d4EiwNZngxOOZJg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-10-05T02:43:05Z"
-    mac: ENC[AES256_GCM,data:NyXFwcVCCRfU+QSJVwov38SzRag1vhgfyQ0xtOheKtK/UaA+2Vqiqatp/lKWeri9ltpw5xWBYQnmE6aBHEkrj5RvoXeho3CUWiSqsB/3COn3FSfXGGJ2M642dnCtWqHfTrGNW7bhq/lBisODvtv+SAs108R5yYXhXWotUs/p+W0=,iv:Wsel2unj5X/dBCwt5sLzHmUIqm9c0uqzzpfnUkxq5cc=,tag:a5/I8GWuUOy4F4lOx9TH+w==,type:str]
+    lastmodified: "2025-04-23T07:15:56Z"
+    mac: ENC[AES256_GCM,data:Ex0JCgpvxHoEOVB+O+cXLIU5S3IWMgznUMDM6G3JhE+KuVyGyze+Cf0BRHLAtko2aszyIIMOx3NH2DoCl6m7gR9UbPRwzIwwnuaGGZ0Va8hTjosB/76LtDT6w3xkLdV4AjmYCu/Q1I01CvjL3OVQO1JLYn3V8JaU8WImy2wfhoQ=,iv:81aBMh8ls1MH/VybwEvr3aQtETnIHLv45i57Q5j8yt8=,tag:BBeuyAbajgsNQSq/7Un79Q==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.9.0
+    version: 3.9.2

devices/one/default.nix

@@ -24,18 +24,10 @@ inputs:
       hardware = { cpus = [ "intel" ]; gpu.type = "intel"; };
       services =
       {
-        snapper.enable = true;
         xray.client.enable = true;
-        smartd.enable = true;
-        beesd.instances.root = { device = "/"; hashTableSizeMB = 512; };
-        wireguard =
-        {
-          enable = true;
-          peers = [ "vps6" ];
-          publicKey = "Hey9V9lleafneEJwTLPaTV11wbzCQF34Cnhr0w2ihDQ=";
-          wireguardIp = "192.168.83.5";
-        };
+        beesd."/".hashTableSizeMB = 64;
         sshd = {};
+        kvm = {};
       };
       bugs = [ "xmunet" ];
     };

devices/one/secrets.yaml

@@ -1,20 +1,6 @@
 xray-client:
     uuid: ENC[AES256_GCM,data:GmfSlDQjO4aBq3u50jnFjOR9VxamYHzokUrO9IpIGuBx0j8e,iv:++O2wBUCnHDPowRgtxPQJQePXP2Cda74WXQvlKHbHNw=,tag:XDWhiXwT718RgrBw7L5yzw==,type:str]
-acme:
-    token: ENC[AES256_GCM,data:+zy72VDj8hs1GH7E1U04WhiGq0xkIPGC8pHbAYR70OK5E6EOdkQwKA==,iv:oYNSrOH3pLhltYw2NX1d4s6jiUgMssWiIK//62i0ptQ=,tag:C5ekSVjmwSEphsTZ/DLcsg==,type:str]
-nginx:
-    maxmind-license: ENC[AES256_GCM,data:/x9HJWh4Kpp5xy4TfuC/bP4Z/gMOFgAalz91cewHj1/tPxFe5R/nQA==,iv:K696zu685ydzwFMKIrqz1GiYLMKGM1dLNDWdhH4U0L8=,tag:nFwqXc7RPIYcQxVIu6GWgw==,type:str]
-wireguard:
-    privateKey: ENC[AES256_GCM,data:NgA5rHB6GwqiNSx1mhxObywuiZWq5qpcNrlpk6HaD9hzQoL0j1IrrgMCqkU=,iv:ZZUlSJeQPN2/JxjhR08FdEZl3gCFuNpJ3M93C6JovHs=,tag:rCtWHOYCmgZKF1lRlIAReA==,type:str]
-github:
-    token: ENC[AES256_GCM,data:rGiseVhDBU+rNcz92QXHeqAQ4lC7l5dba8d7rGUIIoEcpBVGwGh/5w==,iv:lf4aMBAQxI140qJsMLqHpI3dKRw6HiV20cyn0WFWbT8=,tag:w1P9MrqgUAmPzVWkIFs1jg==,type:str]
-chn:
-    age: ENC[AES256_GCM,data:eI7ZtgOdcI0sWrD0MmbPEOnImVaacTrR/rDtZcUKSlUIMlpFga7HYOKUZbgMvqaxZK9YLuddB4setggrPvEx+rXpTU4fx0s5Ce4=,iv:5aYVpf5/nr/ssGAZDiSs4/5HP4aPDya0DZ8OfrhHowg=,tag:ImzDxw/1GB4/krCnNAxJ8Q==,type:str]
-    rsa: ENC[AES256_GCM,data:TirRkEaW0sTstTp3JoHz1KCTo3F1zozjsUUHVxJ9v+rmZRfH3DjwOKeGHsiKtJWo16yqHpQjcBmInWzgnFUZtM87lzW5YaKOPDwBwsbLtP9NxaFTU74kU05Y8E2Aireg1LlmLvu8sRHy/SwVHdML1AUZ4g9sLCLcb/eQcWQmawdsl7Y2xkPQlBfKiophu7dkEPw51vUoKvYzM47R9RI5cRFCNZtUfr4hOk23L7XoVL0Aejqd6pBoENCJ+nCXp4kUTYqrSPqHuQuuYwb0thsrd++g4vmSQQWCN/KkYAg8UPvAN3hMGF+4f0S5Zdr+g0Lb2KHQkpBofOlBZ3P1uTmm/2s9R6brqFrz38OGWK8ZouNZyDPC+FwJfMywm3GRf87rCzEjF0bAix3J779YDG31uaJJhTjRa4q/2Uvk8YXbebTZEuQ5dK1bav+730dOeGF7oa8oBVVQjB2KYzInuuVGdLoVMeaiRlpJpK4ZU3SnzjUheiq7fAdJcqM3QxgK2vIy4kL6LcniSm4J/b7IZjsbxAdkFRN0VZOgHQiO+IICbbhNftSXCCFgFvG3Yl5dzCtqUGYoYEpZwMwJQZJuFJqfCzRFb83jAAjGSN9OByGbu7flsaqRR1YjKNs6BgJOnyhbQ2YJrozOuzw8ZquuDURP+WmP4NnKOAZ6J06Imupkd3Q/pfYxSzSuNrfXYqSHeczDgb8IOc37rfPWGXLgEvDVuSYvYNf+jgSap0aGhHRJ65dvRsZE/GXVuRhTnpzF0vuoVJpifrzkgHehklUGPOLhvnzTwLryHvnO2VJpZ7hhlreeVGf6iZ7fDYJW91OvNX9b3WvtWV985n892jeFCW6/OHfNhv6VBjj/YeNMrZVy9JLwDe5DmxQBH9GIc5S1AGVuTzZBLsd9L+ZFonGfxbwpPtATFCvaftaTed55cXkZvj499rfu6KkGzCPP79tNQSyCRGPrq2pLGyAAMh40+8gkCgKmrw7ZrdhoUvBllKrAMGb8kd9FQ74OPD6vhb/IXMBc4+N1i5d+XiONOOKyVHpz8y/XS1rHnQO1sSN0Wkhgoc48m0zN/frmZzBw2xiYnG19rd5CHSRRbK50JgI4unMNiJKWNQjqnDxsKJu/WSOKeOFK7g5lcKl1D/XPYOeFUm0ZWmqhb9XrF0f045RHKNEMwkYbRJZaJcPQ36H7+99pYGjjZzY7KVUVlc+7ttQiUoOIkGKI8A06Q7fSXxBWA9x8Om9CdKPT3g/MnELl9Bg8kf7Pc+McWmGxdKzjhzEL1ElMTWfuM/a8hU7SMDjHtCHdxwngLn8+krt0HJ5SwEcDs0KUYEBRDwDpooDVNEUTHL8zEKE8zVl49lkN0NX/Wu0LvnQeJ0NjrFkF3eDpGyPbkXKgqzTMSaA45gK48UsCzKkMaqmTpCyfISyhMeEQm3danslHL01P20GoY/zWLsvOgO96p7X/j6nRv8RCHNH8pu2ve9d8V3Zu5DuHW6+ODOfaCihxkkSqD4jv5OFgISD6afLiBShVMcH8tKkEFph+Zd8COYmuUBZ5ez+BvXmMG1DsVs0/RNY9G8PG7GOoyWVU52JaJw3Awl56o47vDviBGjHi9bF5+5Je/il9csvcuokvyhsRxJ4vBwGJUNI0xtBK0/6wX2GTd10CisYw/fKOyGPgKyquGJlsODLV5JzmWY7GmI8MmVKYrPyVjPmegClnDdkxjknQGnGmEuyPLSTR03OmzR5YQ5e8Nl97mQWAr8kX/vxiQmCfufAZCJOfxoy5RRkDMuvVYlnpl5DtSPMUg+DXO9243gxqYSNCopbcAdkMH2ylkAAIzrmZym3E0EWFz98JLl9RkD1/jI80QUmZwsf3JU8pbtfV8yLs+xOrvZ0MQZc+uDvvDsi/2ZYQKfwWqmx64oK00vncyDHH9zhvwxauSfiqkA7K98ZgajrcEbU3nSfGPgdXxTlVpIufhK8k5QVM80DoMEvq+1i78ZsOd/zHFH90tyzZ1ploIY+mptGWMHJNpdBnXgy5KlUkmSuf5PUQ/xoD7UybxuamriO18IrjiQOE3pDhA1GTXz0iM+UOSceysEgNnINh+gRUbGX97YAoTS4pXGyzjYfoY8vMFmkD3DzTNClV2MSVtjuBR+dDwa58SvAAwyw55oQdILw+dogh/qGmL7MSvmssw3mxM7hsEfDu7Kea5FFVZJbgPh5VDZ/hHTWHU6gapgt1QvQQ4kNQuXJnNfooIaMWRg==,iv:9FUcJX6puazsRTBtKfuhvbY8jA5pdVHD4PfChtSX314=,tag:bxLTovW44jFhGkzGzwCHiQ==,type:str]
-    ed25519: ENC[AES256_GCM,data:KLBlDuxOdHnqmVU1KtDrd1r44VzuCYhQW8+7KDAXLD5XGKBP9ip41ZByuRxVUnhVtTP9LRlUt7qvEjPen4hn7HxH+Ic5tghN400JFKpnmxmnjZGbelIheAuRYU0t6BKFvTvcaKD5sNhpoYX9P29L+Yobt59Lo9dc96dF8xy6iWE4X+FPYBsxtheGOMDW/I0CLKF82pv+yy01EFDKLBLciPkweUcCf4642Xv/Lv1knCIhxnCGa5fD7XpqNbz/VfTiqgIDUScISIo5cXJQIp4Dho2SIaf3nMg8BQB5iNRDcyU45m01M36SaYKU7xBuJN7pRP+vtPySavtjbmqLbowFM9iQArpHCV+VT7cF6D35lPcn6hsZ9xEIP6XIpQU+cl6RrNmV+Rbxlzi/wGTYB6pWrfmrJaJpDPkYvyO9uy76yaljkbL03LgAsc7ittNkCEJ3xXznr9AHKH382JTHlQtMbKZPBUCAa8T7kJmu9gdfpj3yqJtvdHkOi+RIjls84l7X2OO3vhUzuRqx5FAboxKfDcPgifXV2t3d9wfMTlH8ziJGHiz8RKZJife6tdP2G7nKtSchjTyv9JqFQhTF,iv:C5KL23GV5Cs2vzHix8UNBcDSOvQgNvhewd96BMGpjj8=,tag:0zwTPg+AJyb/pCKV0zEQqA==,type:str]
-    ed25519_sk: ENC[AES256_GCM,data:v8pEsJ2p9cBr+wFIvcVwtHMVfuYUtFOtjbr/SuusDfAzlJJNQ6jIQxrynFwiPGf+zKRKgOmQ55XdlTHnCMztK0stDzPSs15IzgIXf1xTKNsEZVh077VM4a+DAnQMWJVjslcf/ljU0Ec5yoEGuerO03Q7Ud3ffCdObdWCwYYN++QEJ63eKSQhzMZ1LFH0YLizhvIEeqe/NYsYncA+js8uL92/97e7W1Ui2iGwC1kB4gDe0QijmaVKv4yThaw2SlcHiBuKlenkuXZu1h26Z23oa3d/GpEscuNjgY6EKFBHwg9bZIDDH2V+Gt0sWe7lWfAUR6g9DlvXZQ5J2PR+eMaQmKIYKQJRfIogAzA4sh25ecazPDgU5MtJX8W2QO4yDDvbM6TclCFPjnqSPZFpqPu5Dmess2dKMFxq8F+BEJ9typonLcX2YsFizeIZ+y4cbmyINTV3WlMd/hVCOTIadmsTshEIwquKMkKpsxzlu0DRNt1IIj9InqcQmUDfXDJlOYQlE0YPjZnUZmHEq+s+yIhkR21a1dtJ7f5T7YU5de12OiTjn3ekMhw6fSncGIWobwLvezXplLJ0+JM=,iv:QSO+YZLxSwQ69K20+qp5J7R70C6yqZ76LjhXkbfnM98=,tag:TKGQeFJdkBGmj7KO37XOjA==,type:str]
-    rsa.ppk: ENC[AES256_GCM,data:XBM/HD3mv2BD3Dp1LP0i+mSSSyUBrA38RzAQIIQlraFhID9oZBUTzqdSqXDeLtS1p6y2xAOxBVkH/D4WR1kOpXgw3LgNuvb1YFvZkYjCf5QgH9sxMSjiaXRdRHSAuF1b3MpGkgH7gmZRFTc5WkKvia7qzJgwGF0qNwS5j+lB1g0U0oXR6vguqb0gYcA2dKH2tpj/CqGJVAzkZCd1BxQygTpewcb2cbnVG+lb1kixD/r3q2PBoviS56BRCHbwoLhHLSn/y6XOnWqcaBgpBzwE7aZqTWa1QnRtv0OtUkGilrB+SBcXvMDNc0Xts2hhsHuc1DCB4CsAaEY37SEHKJhdZEVHoAZ9dJzScMntcRTES4AjhHXoBUpNy6wvTTLwdw58dXLkxfMdVl4LZ9Lcoc+mFfgPrNpvkvYVh8X0HiDC1FLgoEU8IQXPPW1HJCTGRbPAMRwXXtwxpmDN0byEnLH81JfxvSxnNZkvLu9qRyWC+IRknUALh3KkqzalzpuA3btDkyGBFDSX5phITtTmm0R1eSJg0R/BbFAogHz6NA/2KPoz9TtNH0nkQfDqiYfYub2J+8w9QsAr1k+0Wew9DeAF9eLaNTJSUeDlvz/Rq/DJLyUfOGIpCiY4cecJ5nbHPvdIia7qM3NBeGE0ImQspjjXaZH9WSaUZ/sjJu26LRNj7qJP9DWv8VfxkJ4BuRuYqP0qlWYFd36b38EQbgTiPoDHZoiIXG+1/cfqTf00bKskMl/gmEdoyoa2OZRO9K78iZLu7JFmqL7MoEaOUiLbNHymp7U6QgBdvbqeZxYmcIiMfvWK9Pudxrt5ts6rUDeZgJ02IdZy3BpDIjFBu8OXBHf5U4f+EIjuWDI39S8FOFy7Nv/XVcz9LIqPfR5j1hO+5Gdgqmx30xiccJRM2QZUxh5vC4m9wIFyg0HRrXYF/m7FRiTt3m5VXut4jWMyUbxSNaZMHlq8Lof+Wb/nbEv4HiQxywKCmDQ2YWotJita1fRgXNFCiV+BaEO3MTozUF+aGugBT7YvnufheVrAEVtxRnzD84kTsfvg1uDybvxGOJsj41HfDNOyEkHpsagCj8dcaqtIOPmg42oGEeoGO8sLeVQieVA/OzwDoBk+fC0gwa76t99VANrqdg+rVmHI5rF532j0jXJR9Nr59mZF9yzj0ECHOyRHEj7OkBRFKS9hLshifGJ6GvSNjEm59ohrf4S3ZIfkLx0fZUjmIovXDc6nxaazTd2ww5ZH1P+pkPtFLaGTqvlEKEQJ1zekzBYKH+gze6WP/LK6q/8RianwKB/5kuMbRkk3dsUF7fh017ir2DA7+nedU3Kk7d7/mM01eQHNcIED/BprFGQenuCUl64rn6V7XTdAKWlhusF5fQruU2bXdjO1ojGh8topWyz8Wp7TxN7cRSlU7SLLnXcLuNP2DfrfwDEAL8HNn4K4LJLJAB0gZiPi5Hz9nT1J54mWdifDgaeHbijsWmqrDZwpE/D6hYpXTMU8YWOM0RRf/5ECRCCmh0C+BZvx1CKncsd6BBAa3uMoB4hXMGtMSSpT5ZkDhcoU5h2XNoBSjRLmmbDYraUk9VqByRanZ9zpRGpvb5SFF0OFzuELl3bDxlw0NjYEKSh1lMWSSpVaTDm1XdNcpajXqFmBTN8x2oP77tnLlPPrFbcoXdn6k3jmvTzYpBk0FRv582ZYaHhH0iXkrp8/R4GtWA5VjqfZ7pGSZSBIu4OjzjdxXvee0ZK5Z1kR7MfR4G0S0BGgYbTPdoy5exm6Xfwy3qzKlfKI0vni8ttjbiACq+/ImMPUmvCSgtqnGTUejF4rEDrvJLZHrybQQ83X7/QoXrt9MzJB5gR7xCr80FdsEgT7ZnPd+arZJRJfryYHaMsZ83FTikc+eM62gRm1Hj5TdCUtHgmgwQraH3+GGgIWRQVZRxZoPf1RlAYRH+9i1+BiqdLxqdBECA==,iv:vaQNKRMYwXIFl+8Q1IKgpEHGd+pAAGzn27sLNlqS5sk=,tag:DQrSrQ06amQRcFhHJvy9xw==,type:str]
-    xmuhk: ENC[AES256_GCM,data:7Si22B70Q/tM8iiUwhNKeMvCOXcDeRQRJsLNfmi+IxTRL1Xgj7nCYRihRoqk/kNqGlW7EiLGp/D30tbnd4V0TOOd25je4bVF3DFKOkvD8x9iJX5GwT5KA0Kc0uVOLawYT55OxxsdsjDvYUENSobdqgHNw+uBQM3cXc1mkKSarzhq+ZaRJpuPPFApORCL96sLFBTYyChgQDPSKz8zU2YMjurC5gQAgZVMXHw5WJdrd2m9fl/asUJlbJprISqJ61zKALYC/fYosAPZVvQfVnzp3gmhJuZQrhoLsGELSFFc8t4/urlIjGhi7BM8sAT+6ZYxGSKGcgqP3K6cavzLr8eIvuG3nnZxZJzelS3LscVtjLI5Ddv6Luyjn59Pc+NLDHTEbAM9aIRsL4TPLtW1ebqqCk+rkqxvP0zhLKnA25DKKYjOGlAydbCbxcCX8/l0gjtiu6MJkaw2mC1Ppw9OrO5f+GQRiUFIsmFTAMViiQ44gZxCVPCPa08hxgmkwRp/PvdH0+nzxK6IuBWZIZV/M712LGPT9lrhaEDT0PSyGwcHMWcVu+ziZHGbG+vbeSk3pyv5Ou+uvG1DUxAh/7cp9YLL5U90UkI3WSBsge2bBtURQLnQIrGyQO9xk+3heXzcfxYl3kL2ARA7BIvyXrwpd/77WmRPhdL8YCax1z2+cK7kP4HWOhhpXNcIPRN5qwuPVRJCBcSBacahJO6PLpbEJ0nXM5D5XY0s9COkWfIPyUNA0b78LHB5pGMP+rRF6w7OYNbniNM3zHZnNyw3DyMT+V8PBfcmj8p3KF0rgdD0USvm4C4B1zvKVFK2P3ZMw0K/L78Xp4bTx1q1eA9qiqe0SPPc1BvgyRksS49VYtL47bA380MOmvgj+xwW+qTEozBW1HxaCJuqJBLxIX8i7LXSkSSGL64QOj+j2Eulbc6Sgg1g82XKpQZivkq/yGR77zODEshlaVUWkzSFSVOFF3aQGK28jl1U3HZpfPCCx7uaXZoaNTwwR9dsZh+t5YJJb1oKRlzgIWo7DB8CJufxX64uSFT2prY3sITfAuH12C4TrmjwP7tt0ZbTVgtvych1MGa1PY2225Bs1BgxLRVSSn6MRYz68NiE8xahRqwkK1306+r1jPjuEIjBdkoG46MR/eo/OF2n1xXkyLkwQAFlsk0+CGuGFzAj+f/++s85N8/ctPINJXGt31uEooD8fcBNnDGBSc4YQYtpVWCviJaaE/fRXzldfKB73V4Tidyg60fDJCNfJI8r/Ic3YFBGiQGTH6beitg72mQuLp5vlrxBhCqGYsEZkW5x/wcoJoEot5rirQKq3trIrL2nTF12AYQbNPjbJBavnpPds2UctkiUM+JP3CIiolAvqLMML79fRNeCsvUtDqbHTGU53/qbx3NlkIIqF4JHbK8Ckr9WHnTGAugbMgiNKQ3PKlSdV+vG1clb3fbHgMWRbv4xZq2KdJq7iibGUEBvO5rqr9YngqdOxhsQmyAh1ibkIbtJh3TcXkNUcw2h/tAalxV1xmbT0Glp42GU0pgUr0aGkjepoCH8jYkmmft4l9qy8t8Gi4EdAe3ImdTqKxwpp1CG+hoR2Laqp7z7UpXkILYfZxHwQa7NZSok2WZXEHeZJbCciREqZAUOW7EtdZGG619XJ0YTWxeZl6/+1oOA6TUb/r1HnSGo+xfNhzUeQcDsyf4SWpr2X6IUP+qUnOciCsSFRklJgj/JCteIK8GKIij34ODehPKZB0BZC1fqx3mZbqbTN2RA3adJV4asKam6kAtExqhuVyv8Mn2LTSMKwMkCi8DLPtvFSqpicffSUkkAs/X6HNSVrUTpA4sjkqLz3aoRLAMrijMYz19dvgb4MM8vv0zYaip2RYxkLnl0VrBrrIaNWiHRsiCR7pTPJaE+0k7QRWh3Hk9yX3UADTMOy7SIrqGlz1uihPodz9DeWGZ7ddMXeabWrRIh+In2Hyvs0HdhlEWgYyIefVIWZpCWVheDNCPb40RcEKB7WVDrbXrn3zWqM4DFCeemvd705OTzF5LUQ0Ql8prYKw2N30fC4l2OT3LWr0fhdsgsLBfKojoVSxFPG0WLxfS2Hhu4Qb94nSJlvjFtsiNAcTooXZKd64+WeJTdfDEE7Z7VoGgU2c6LsIUpWjY69KZy9BscY2hZUZFBgM/4iznyOvtyiWYJP1cUy3pDg4aAcoF8xTB5oqpCjI97jxAOYIKWIJj7aOoy9dpoT8BWu0fS0GobBSZAyZ37rGIomPni2jQUmaBPSvmRTQhyq2qHpgTIUYzphpZ5pva9jQbYp8ejR+sUMVf/EKVUzFTG/YhjAzIfTjZePnoxw10JkFS+n0Nq5Qqz1aMK/ie7sHg2DON4z4sJZ9z6jR8KOKOVfBlrwOFYQ2ViG4ut3EHDBIu7qWpSrtWza4cnGnADhPTLh3wjqFTD/j0wRkR9Bs9fzSShuoG8Kgm6zlBUX2bVwb0SLSqFNRSyReXjPq2gjma8iJPT6o+aSWpIfsYf1FsQsG6rJFaw5JxSz2oyi8TSIYStJInjjNDgw4sk4/Xk99pwEnHe+sOUNNhu6BPPm3KpAKIKm6HNwZJK836qvqAqwtL/d5QJYwpc8EBuxpCvijJe4nBR4HZnFJfDH+llhn/tDe+GOVLs6OHtdU/N5UbpBu7k2O4mq1kQhc1uRU+H9l6KxPQ0vjnAvRhUjcqVTtJzzpnZ1wfFDWlRqwoCshT5Ohc3PhS204au3OUZWtbXEcWSG5Lh9Gs5W6Rw5mPplFFYZVisoGvv/KnoSpm6opYjoMSBobNWgi7Zu9IgtrjZ63ddmJs22zvE6UjaUpHOF91QOOwlNCVdwJ7SQXv6gEL5mXC4GdgUW7oDyprHysSbL2ec6KxsP+qXgPa/S9KYo5uriJ1MQxRDbhjQjkjq0augD7zgiX95aUDvTjG8GP8JNs1U1QMi1Xg1TSLyE45kbRIZ5WWuT5iJOS+SHr66Qpvg05ymHwX/Mt7aHLe27XXOSGmZoQPcr/6rF851No+o9qSdaeVAK4lvrcmE6KeQWsQ3pW6TytE6qdGWgW3f/SuPTKVIgNk8aPWH6lbTZc4RbZpwlxpMeFP98xcwfkV0dzmTVax3UAUdVCH/LH+LLT/tgTiHh9H29rI/nvvOP6+lSj3O6xUvArl9wFLo7txQtFc/BAmeUicVdHCF78Fv7E3hlGkL1PhURuf7DO4m8pTkA9NKN7cZUUGVF9DI4PVmGJSmvF36ees63CqDSb4ZTnRdcPt/chXLmIamFlugG046eKPKsQ17dk05UZqQ2Mw8A9V7jMeJIiE27ZnjB4mnn3aO4g8mGyuUDysWlRxTbBlW57whOXEFMdczp1Hvsn37+3GJgduYifrC4iI3PwrBM7ZClL8t6z5QecRLnRsRZDdLhpB2nePP4VU/JSYYy/Rq/vqoM/MfFLeJr+YMijAKO49Jdd4RSDDStrnbBq6snW9cyPlgUko44w==,iv:/FD0wfUdv26ZDkSneTnAkHoei6+I/YgyNrOfsDTP2Fs=,tag:rKPUUlSmCrD9iEKhZR0+GQ==,type:str]
+wireguard: ENC[AES256_GCM,data:OuduClOu9y9adCcV1+U/NLp/t1yWPkuyptproTJv4beImptrLOVGbhb5fb8=,iv:qa1jpzAlUEhPBznZw6j4CYquTCpmNZ+uNbyHjH2qGy4=,tag:+5I2CRuyCAMSy74xVtdJGA==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -39,8 +25,8 @@ sops:
             ZW5PT3VYZWhDMkZUeHViZE41eUhna2sKc8J8mJ8ge9KMb5p6Xi/vRIIXZMEj6Ih+
             LjLKsgDfMbqNqKaQXSvC3tbvI/dDoiStyCsf4rkTY9QOkyEI80MtXg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-12T06:44:16Z"
-    mac: ENC[AES256_GCM,data:/uuP0StTdBz+Z2FddjGDP7i5lZhT0z4vCd22twm6lzp4WkpSklX+YMPRddqvwT/zsJpJIFf1+vK9VtPZBW721SB7AZx4oC1f42adFHjBtSXO3QJPI8cfUx6wdvcjwN3ySXYIcf/qi34ePmFm9amr4xU9jzN1OaZhKUt5Y7kq2LY=,iv:RJUr4u5UKJh9X0xh1lvdE6HWKxnaxKoDi95V3Pj80f8=,tag:D71HJ8LgJrGIu31WV8KaCg==,type:str]
+    lastmodified: "2025-04-10T10:44:01Z"
+    mac: ENC[AES256_GCM,data:Sso6g9UEH7faygbcrypsnB/4h8cIwveLdVI+YgDDfTHMC5nxXj+xtfFHhzao1pkyvF0avUVjsMVXLRcB48eDcbZdXwBvoNKg0mpL7VAeOnDuwElI6GGpRVTaOsZC9LT9d1kuGkmavMljCvmaA3sPLZsvW3Hqjdicj+suMoQJ/nE=,iv:DYf0m9PfJ1qx3gI/6T6ByxJWHrdVGgiNMCVhcBOrgBw=,tag:Ddw2HFuCmk6PFnxF4G13hQ==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.9.1
+    version: 3.9.2

devices/pc/default.nix

@@ -13,6 +13,8 @@ inputs:
           {
             vfat."/dev/disk/by-uuid/7A60-4232" = "/boot";
             btrfs."/dev/mapper/root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
+            nfs."${inputs.topInputs.self.config.dns."chn.moe".getAddress "wg1.nas"}:/" =
+              { mountPoint = "/nix/nas"; hard = false; };
           };
           luks.auto =
           {
@@ -25,36 +27,27 @@ inputs:
           rollingRootfs = {};
         };
         grub.windowsEntries."08D3-10DE" = "Windows";
-        nix =
-        {
-          marches =
-          [
-            "znver2" "znver3" "znver4"
-            # FXSR SAHF XSAVE
-            "sandybridge"
-            # FXSR PREFETCHW RDRND SAHF
-            "silvermont"
-            # FXSR HLE LZCNT PREFETCHW RDRND SAHF XSAVE
-            "broadwell"
-            # FXSR HLE LZCNT PREFETCHW RDRND SAHF SGX XSAVE
-            "skylake" "cascadelake"
-            # SAHF FXSR XSAVE RDRND LZCNT HLE PREFETCHW SGX MOVDIRI MOVDIR64B AVX512VP2INTERSECT KEYLOCKER
-            "tigerlake"
-            # AVX-VNNI CLDEMOTE GFNI-SSE HRESET KL LZCNT MOVDIR64B MOVDIRI PCONFIG PREFETCHW PTWRITE RDRND
-            # SERIALIZE SGX WAITPKG WIDEKL XSAVE XSAVEOPT
-            "alderlake"
-          ];
-        };
-        nixpkgs =
-          { march = "znver4"; cuda = { enable = true; capabilities = [ "8.9" ]; forwardCompat = false; }; };
-        kernel =
-        {
-          # TODO: switch to cachyos-lts
-          variant = "cachyos";
-          patches = [ "hibernate-progress" ];
-          modules.modprobeConfig =
-            [ "options iwlwifi power_save=0" "options iwlmvm power_scheme=1" "options iwlwifi uapsd_disable=1" ];
-        };
+        nix.marches =
+        [
+          "znver2" "znver3" "znver4"
+          # FXSR SAHF XSAVE
+          "sandybridge"
+          # FXSR PREFETCHW RDRND SAHF
+          "silvermont"
+          # SAHF FXSR XSAVE RDRND LZCNT HLE
+          "haswell"
+          # FXSR HLE LZCNT PREFETCHW RDRND SAHF XSAVE
+          "broadwell"
+          # FXSR HLE LZCNT PREFETCHW RDRND SAHF SGX XSAVE
+          "skylake" "cascadelake"
+          # SAHF FXSR XSAVE RDRND LZCNT HLE PREFETCHW SGX MOVDIRI MOVDIR64B AVX512VP2INTERSECT KEYLOCKER
+          "tigerlake"
+          # AVX-VNNI CLDEMOTE GFNI-SSE HRESET KL LZCNT MOVDIR64B MOVDIRI PCONFIG PREFETCHW PTWRITE RDRND
+          # SERIALIZE SGX WAITPKG WIDEKL XSAVE XSAVEOPT
+          "alderlake"
+        ];
+        nixpkgs = { march = "znver4"; cuda.capabilities = [ "8.9" ]; };
+        kernel.variant = "cachyos-lts";
         sysctl.laptop-mode = 5;
       };
       hardware =
@@ -63,17 +56,10 @@ inputs:
         gpu = { type = "nvidia"; nvidia = { dynamicBoost = true; driver = "beta"; }; };
         legion = {};
       };
-      virtualization =
-      {
-        kvmHost = { enable = true; gui = true; };
-        nspawn = [ "arch" "ubuntu-22.04" "fedora" ];
-      };
       services =
       {
-        snapper.enable = true;
         samba =
         {
-          enable = true;
           hostsAllowed = "192.168. 127.";
           shares =
           {
@@ -90,13 +76,16 @@ inputs:
           dnsmasq.hosts = builtins.listToAttrs
           (
             (builtins.map
-              (name: { inherit name; value = "74.211.99.69"; })
+              (name: { inherit name; value = "144.34.225.59"; })
               [ "mirism.one" "beta.mirism.one" "ng01.mirism.one" "initrd.vps6.chn.moe" ])
             ++ (builtins.map
               (name: { inherit name; value = "0.0.0.0"; })
               [ "log-upload.mihoyo.com" "uspider.yuanshen.com" "ys-log-upload.mihoyo.com" ])
-            ++ [{ name = "4006024680.com"; value = "192.168.199.1"; }]
-          );
+          )
+          // {
+            "4006024680.com" = "192.168.199.1";
+            "hpc.xmu.edu.cn" = "121.192.191.11";
+          };
         };
         acme.cert."debug.mirism.one" = {};
         frpClient =
@@ -110,17 +99,9 @@ inputs:
             "temp.ssh".localPort = 6188;
           };
         };
-        nix-serve = { enable = true; hostname = "nix-store.chn.moe"; };
-        smartd.enable = true;
+        nix-serve = {};
         misskey.instances.misskey.hostname = "xn--qbtm095lrg0bfka60z.chn.moe";
-        beesd.instances.root = { device = "/"; hashTableSizeMB = 4096; threads = 4; };
-        wireguard =
-        {
-          enable = true;
-          peers = [ "vps6" ];
-          publicKey = "l1gFSDCeBxyf/BipXNvoEvVvLqPgdil84nmr5q6+EEw=";
-          wireguardIp = "192.168.83.3";
-        };
+        beesd."/" = { hashTableSizeMB = 4 * 128; threads = 4; };
         gamemode = { enable = true; drmDevice = 0; };
         slurm =
         {
@@ -129,19 +110,28 @@ inputs:
           node.pc =
           {
             name = "pc"; address = "127.0.0.1";
-            cpu = { cores = 16; threads = 2; };
-            memoryMB = 90112;
+            cpu = { sockets = 2; cores = 8; threads = 2; };
+            memoryGB = 80;
             gpus."4060" = 1;
           };
           partitions.localhost = [ "pc" ];
-          tui = { cpuQueues = [{ mpiThreads = 4; openmpThreads = 4; }]; gpuIds = [ "4060" ]; };
+          tui =
+          {
+            cpuQueues = [{ mpiThreads = 4; openmpThreads = 4; memoryGB = 56; }];
+            gpuQueues = [{ name = "localhost"; gpuIds = [ "4060" ]; }];
+          };
         };
         ollama = {};
         docker = {};
         ananicy = {};
         keyd = {};
+        lumericalLicenseManager = {};
+        searx = {};
+        kvm = {};
+        nspawn = [ "arch" "ubuntu-22.04" "fedora" ];
+        nfs."/" = "192.168.84.0/24";
       };
-      bugs = [ "xmunet" "backlight" "amdpstate" ];
+      bugs = [ "xmunet" "backlight" "amdpstate" "iwlwifi" ];
       packages = { android-studio = {}; mathematica = {}; };
     };
     boot.loader.grub =
@@ -152,7 +142,7 @@ inputs:
         "SetupBrowser.efi" = ./bios/SetupBrowser.efi;
         "UiApp.efi" = ./bios/UiApp.efi;
         "EFI/Boot/Bootx64.efi" = ./bios/Bootx64.efi;
-        "nixos.iso" = inputs.topInputs.self.src.iso;
+        "nixos.iso" = inputs.topInputs.self.src.iso.nixos;
       };
       extraEntries = 
       ''
@@ -176,7 +166,7 @@ inputs:
     services.udev.extraRules = ''ACTION=="add", ATTR{power/wakeup}="disabled"'';
     # 允许kvm读取物理硬盘
     users.users.qemu-libvirtd.extraGroups = [ "disk" ];
-    networking.extraHosts = "74.211.99.69 mirism.one beta.mirism.one ng01.mirism.one";
+    networking.extraHosts = "144.34.225.59 mirism.one beta.mirism.one ng01.mirism.one";
     services.colord.enable = true;
   };
 }

devices/pc/secrets/default.yaml

@@ -1,7 +1,5 @@
 xray-client:
     uuid: ENC[AES256_GCM,data:XU7/GZ8cJmDwNsrQfoFHrquZT5QkjvTPZfnghX3BLyvPLlrX,iv:e/BQkZ5ydWD4P/qT9OUloB8/cXImfkG3YZnuIeNLoTc=,tag:EW3ZBzGnyIrUfcMeJqm4aA==,type:str]
-acme:
-    token: ENC[AES256_GCM,data:e+ZPOwOobbShxm5zZqmIeM4cmP4JQT8kDQ0goKsSwpIKmJAzi8WutQ==,iv:ZKOzKa98yWTM2LkC4+rzA6rTW4afm3oAG4nc/2vk7Bg=,tag:Qctw1sk1SC/a6Xv5Fju8EA==,type:str]
 frp:
     token: ENC[AES256_GCM,data:0mE8/cWqHKNquCIiqgbjcNhipKk7KEfbZ+qRYbu+iZr7AH9QjfYZQiMJNp4Aa3JWwBLYAnpf,iv:ID4cc8Tn0H9b1CimXlPamMlhlAkafhRApDHo/CCQ4BE=,tag:BUuU/BCj16R7FlKlpubawA==,type:str]
     stcp:
@@ -9,32 +7,19 @@ frp:
         temp.ssh: ENC[AES256_GCM,data:XG9WpTR8Bw==,iv:XiMTPN8Gx1nNssf4r+VXTvUATiUNsOYJ2jeHjhDSyTs=,tag:JS3NlA4cs/6IA19PJYrStg==,type:str]
 store:
     signingKey: ENC[AES256_GCM,data:TsB1nA0Rf2AsYyH59WpUK53pTCX2JdrGQjkJ9A9BfWLLmw3EMnPoaLHG12rv1R2/xRU7rP+iVhXb77g60I/Kn4ehun3ogMmK1oEAKyQcxudBUJFk+SeijaQLr2A=,iv:e2rdGBVOPS1nyC3pXhs5r0WyEkqxcpCnX3eAcBCj93M=,tag:HwccjH2Wms5/TevU2IuzNw==,type:str]
-nginx:
-    maxmind-license: ENC[AES256_GCM,data:PVV4VAvB22KoA8EM8Honb+KWYhydXdmTAVlDw/XnTcbaIY+5Km2gGA==,iv:7PfytRbpW4G2iDNqysvZnB0YsQFVUL5Kr1DNsBzuhCA=,tag:z2J14fdD7AUNabN+6kUojA==,type:str]
 postgresql:
     misskey_misskey: ENC[AES256_GCM,data:MSDbQffk/WjZ6EYiwVuUMdhdv9VE59ZM7t4XldOKRO0=,iv:J/x9t4Pk5zi7Av9fbzxgAbbtbEUZttSx/JGRmmgmvE4=,tag:CwFR9K++T7YqYR932z3IAg==,type:str]
 redis:
     misskey-misskey: ENC[AES256_GCM,data:vcvQ/hs/F3BZd1sfvWwfEeB8vVoqdnprxobcmL6xsmg=,iv:S32yrjrjj56HbxTlfFGjOb+sO2M9KKEDEazCrpQWj6Q=,tag:iwnvqwQEdd6jicx9jJBdbg==,type:str]
-wireguard:
-    privateKey: ENC[AES256_GCM,data:oIpiXJvEoyryS4eEutoe85Af0L5a5iNuOsCWCat9KEhr2ecY/vRimk/1fbA=,iv:dm2hTSNX7Q38yASon5o1jxEJZbWPXUWYydXYMBHF/sE=,tag:yrANhwIF/wHQGHGA1bfPgw==,type:str]
+wireguard: ENC[AES256_GCM,data:9QoVM69efr3+UGEo/GPY6IBBxfcqE+3erRTrqSdeTf4XziVMlzWTMdhV9jU=,iv:3abQtZ8cpejqXsJPx6SvSS2cXAKMDkEKEhl9LE319RQ=,tag:1uBPK/0VLPPMzj4rl+iQMQ==,type:str]
 mariadb:
     slurm: ENC[AES256_GCM,data:fGvNMmqk7Cee28VJ1QoBVrBbgIUbj/F1W0SRjdP8N4K/M8Wx4AVm1kAr0IAhPWyDLXlIjM1NUvuEV5BpYDBdjg==,iv:rFTMJ4x2kgENQUA8ftSaLjdOc25i5mWR3UYbdq54vjs=,tag:6feD0eCSv7bcHWBveLNJwg==,type:str]
 nix:
     remote: ENC[AES256_GCM,data:uosYkxTCB0wiY+Uufk//OcBZFN3EzbZoQGZ95M9eZMjQ5AobAZqosi4laE+EMcZL1CqYqlWXaSoEUOB8biUaZPseo+1AX1TlmUgZ7QpkfOX0VKZu01C6C+lVyqVqMFq6z1BFyX/oeITMIfnd4a/2KwJCHLAZ4hMkJ5p+aJwByKGa3N/2m41HH/1S3z7pYQWj7YJxunTPPG6WNSiRncQki11rvmddwnXmsBF89+jW1Phge8U295haC57T5oIGPxR645IeTK4ZUlL8eVuZ+BhsnwbkYcaxvjSwe+DOIVPupR8GW+gis7KxwE89kqvnQhinamexcPUz4lGHlqO/Xn6jrJx6T/wXF+19epAzeHapYte3dTWNsdPwPLPJihT16YT5fwrLnH3zq8kexWz1crmnCGUoaBs4S2tHWHLgv2lTv0IHLx5F6ijpDBj/Avg9YILIURzdeea+rBxdycHasUDTVlJtYKRH5J+WbAKWI+oJ5qmXjIRUYL+O9xIUfOGO+1b3xs8MYxRWuvDV2P88N8vN,iv:yQQp5wjbSVn1oia5yL7d6GF9Vo704G0iOQRGMbzQHzg=,tag:bpBag5y5n+7ojOa8QOcDvA==,type:str]
-github:
-    token: ENC[AES256_GCM,data:59z1zSofzUyv2Qfn8oS7dZplzJDtOD/zxhPm07MLbVLHt8mE57IGcw==,iv:nZ4JmIE1h496RN6BChvqo7XWHjur76jP4HMgqGBbMJQ=,tag:pUSGsofG7hvkvJxCRwkg1Q==,type:str]
-chn:
-    age: ENC[AES256_GCM,data:bxmGYdxcF0OTe8LIVuBUEIs1014k4l/UoN+k90B85FOcTSzeVuSbjpFTRgNDj68MQiqoERGy8mFkKC6pbDFhnlXyns3AsxCnoZw=,iv:U93Lo5JAxJzIdTTuVtMhfirbMA3VSCtP/SoZikDWLyo=,tag:Ld0wZK06PNuvEeXu6PysZQ==,type:str]
-    rsa: ENC[AES256_GCM,data:asERfFj4Wx2dIJr9rnZ9i2fUxYnMY8RoIB/6mOOmeBE4yZPc1zMbhUX2aFftTgCsqH6ZC6qi15k1YWlRHrJqqyLyIGCukIbRwPMtlowU9Gr36YSok0NFrkQbUT9zjlns8NGqiHJAPKYhFed20hjN+IhgnDuFxtDEjA711b88z5prlm+NpKQ8Ohj6fKLWR+xEj/+KHWgF4K4WJMIZxu+jfRagHg6nwJBvWJDPZJQin/ZeCMqvH2XZkgujuUjXNfNhBhOENgaFtkW8/o6oZCySBctsCFXkgRK/7YbTO+Szzn3rJ878QGPMQJLqSONP62YlzCPO50B8Gsd9wBz1f6RKZrmXIElOdTNgTyPp1jL8zOWlSb14n0gVNoEi32JtkU5PNXYr86rHUX6zHbjdSimqqmhZl6tvBc/cKNQ9UoJ1syIe4xzN61je9Va6bJJt+WBipfn72z3KGAgR6yucKh7RX7Up7iiVTaxpq8BTsfUWvd/1Ar7jQb3YojOVRcX7CE4Iil7L8v2vj7pP8ecmo/ejggQiK9iGqWbeoQGh/j7ZhAYdx0ZY4lAk/HUc8z9yMfTxv64WQbCkHIeAnrstfHFXjzkX8zKYiKxvQr4mSCuHTusZFJ58hXOtSwFmE9tg1EESojoFP08kE+CuSCEjGCHT8V0snCFDMTEBZzGQzXpNfPNPILUEWpDSZj+ec+fM5jP1LEBErtg4JXeCqWD42SpR9wJxE2vs+D/Yt5a4OohbbzyxvWJLYAOuNflIguEIthdJEIN69fGmOBuxNU5witRXKx2rGbsdnIqzEloij5Utxy6uDrh3qqSHvqApd6+r+mAHZRtEUqRkvB1DOMNm/5iDEzOjrw0GEF2meHMRDGP8EEuEvXiaMevyPL3RIWuxxlVZBDlr0a8FwTmNlaGas4HHtLKsAH17wjolTJ6Uz3xFT2+WhsyvD7cARWETZSUd+9UBgylamsebDERhiDOo3t6VuHNuNwp5xwxtNVje3dmHRTzkI1WLaDxYbxPq7J2eGCpSYb4hKoexuWZCs7ian3UTBnvLig5w13eXJmhsbpSjt8p7hnEohL/f5v6PmxrH/+OKA1IE9PApJ3gaptaDeLOWa3uKtGxKJMSqsZprpb7D3kma+Zy1H2txvmKSmTGwT8wCQymWo90OF2NZCKtcXxAlj//cl7OBF0BbEqY3XMngZnpRiQX/VSzddvjwAjtnhf3VsE1V5vXk5j6ECExshjPqQ5kOuzUY62hiOT0V0X81uVRhdx6QVUDpWL3fumuipc+fEm/f9mwuhgv0mGvrpVyFF16GY5ne6W/N1HWEBBuBbJUtxjUEttZDAZxtKLyKjZtC6qJe9GoHaDtHBba1f7aloVDMU18tEyqO/EyPxDDUn55ToiGuk6lSQPy/las8V7YMCxDbBaVeRczCZRkEKbRPyI+hTN3yF+bw0HDDOJc8s1DO+h6xYauLhCS9V9f/QKgrXNWpJKm+JDGRO+ZAr/r/AARSE8nKvNOn7ML0VCWw8pWSHNL7iDcsngpk82W+b/a1maVN0ujub6mKyWhtJOkqxFFirKvFJLx78SRDYTVdiENE3YKgXYKB7r0RltjXACbAMCGcqXYudoDShopN0+oRu6mDAIpnrFOJykr7KaZZuu9DjxtxMRXu9OX0IuXnJ6kthHL8i6IQQNPj+Ky0Gfoh0I0+BbyTPigN2c+LJVe823VXgR9oVc/kpnjZF0BSCJQePR68MTKspwzE1NMvVF+ofRPkR3uXJs46w3eW1NIcds+AkmaonyUOa9Nlt/wRbGzZhboV86n2zn8qHEvZZjYX/oMfrVezuCsuyYSnyCzBrZMz+oHf4m/poa0K7wZWczatT9tVaUIFGgfwG6N/PutyKx/kbaJEIWefZgMqqwJNLDByP0IhFEJQk6yGr1kMJOBoD5qWI2WLObYUZ7mlOvtaa9iJAwdlQTEPjCB6mSL0kcXmR47DdDi/v1fiJ3dBmNskUwoNYPmdAowRe+pTj7fTsm4aDZJV533g4BWG2HgHmaEpAso78V6ScApgNiirqe5QuBxFnGrbPeNyiT72X0PFht5ovD9HbaHCYkt10lzlkW9i0whu2YPUtiVtecijS2AndST61YLVEXyj2NDlngFoCOGK10yCPqon7n5QPjv3unuvArTUD4lIjg28gn4fQmhwN53KqhLgYOQ3lRQLIWGbR1DT9pPQtYtDtFTv5SpiFTelUZcN7MIOD8jP3g==,iv:Hy9rTArntNBlYLShRbs7gWL5kcabBd30oH/Ib0vO2LI=,tag:GeibYKs+2b91rA6On6KrcA==,type:str]
-    ed25519: ENC[AES256_GCM,data:zHHSiY9cQ8odPTu9v0kiLQ80ssBrzTLkihVboYdhO04fnH1VakzKNISj1mUZIsixdHGPR1Fd1gBr1sSA8I5tES0QsOjqF777Wwjg8en5foIwgr0Ue5jMFlIdM4VkFZVNQBOV1z8rsc75nEpP+4XiQ57/ca6Nlaye0zIe+8uU+06YO9vfRVE5II67DRAN8aoUeGKW0uiBGIggkxzgPd2+pvQuC1QPbEWwCuNP18azSRqrZW0XnE65tJn4wQhoUQBQIIYWk81CMSBRn5VO0KIaYyVI7VY+Mi+XqgU2223tqaaivt1bDHfhMCsbqXtyWcT8kwZF5s4LyTdK8mKaREwHqen0jRSsaEV0Yfy4Wgq74fSm4oaqAeZLLj0O3/SEDjsWSwdRW2IU6WpT4b9Nh14dBi670Ke2tcwgF3Q4fh7+nPN6nAUPQPtzxPIVrW4FCbB9BV79A4IPLr/dItjC5wrMpw6ibhMe5WF0FAxA0Vuhz3Ob6lqWsai5f+XvrIgObCnyb05Ing40u522dMLYRJt+bP2Xx27cKrgKZTQdZnzSmXdEQGzFH0so4rgMyhNl4DEhr1b2FlnqPbTTLZul,iv:B7lfJnud2IYPtoMPny4jr6xVsLUyIiKC+Q7ztVHuqvs=,tag:ShnpzJBtG5B4xJkPJqATKQ==,type:str]
-    ed25519_sk: ENC[AES256_GCM,data:Zx271cuqIw+rj13VDR/JRY0vSWMwg+mXaxfpePol+vbCmV3LhSa61OSMy2iWIg05Lz3jwf9XE8lUWIAiajNgcLRg3k7ftwpbTCpyxoLE0U0l3DknbccaqM9riSyHX1UxXV0HYIsK5jb+vBjaDTvBqmCTmd91cG9Sn5Zo9GxdklebUeGLVmNe/9ldIaZU1XW8UHWvc2murzjF2HSkYDAMp6eKcnUPSo5u0QVrPVbo6g3iziw7Gwag0Xr/bVfoP7XZHrTobRcse8Sd+apRTinU1bHqcuHFaPwwfHsj/w9VRZJMCpwgg2V4DWyMTKZRjTohN6PUEqBmPc93Ep1DH/E7GmrGvAtBZ2yB9TLhjVoN+xH3ITbur2NtIIN9a3JPnEMoFtJgX4f1YQhUH9c3h6URDxdWtmBe78RxQCMk7OtHZ4UmhKxoUZUJoZuxvnccfQ0QcjtF3RN9rzP/ZPST3Cxvu2yUOPySl27Yp+eKjIOJ3rdorC9D3UhKbbb57O1/ABwPAiRfZjr45+wvgCGnZkOJZiXCiNoYeyw8UHMgvsICZuRM2HHPlh9GX577Np7QSwoFkYiEBFGJBO8=,iv:WWEwRDersTZYC3fEYLjWMtUtcyWXh9gLKyJVpaj73Vw=,tag:bqIFY6oaUMWIqMVfFwe4dw==,type:str]
-    rsa.ppk: ENC[AES256_GCM,data:wCFbvosUbnbikayf/h0Z7gelFGs4quD2WQlZJcBjp4MiXTGYVxj8oNr3y6aqkmpfyoKd2J/vNJeMFEzqXkGVyH4JyvQaiR8zoedFVSWqusD+sq0DuWDzMpdPmosTdM2frqo+w5MHJ87ybCJxynFH5xVC08jbTABFdkLPf+LULmxtipy0Np6UQuO50+XFyT12r1ZxPxj8eXGLg5z0sRSM+97EdJuoA4gpL2butioiIfDJ8RiudnyfhPzoh4V96zZsK8eQ+33HcFQYhKbaPtOcIswK6FkBUyaKCg2odCMFaRtzgFWIKqAuvcMVooEPz8epb0OPajn58rMCwjEfNK0jFaD0yKmdd9ExogDD0cJfp3jK+uuV/UpLUczkk10c2lbNHZ4DHCsNRPgll6DxcOx3zJbF/0ua2Wmbv1VV6JoT58Rzq/Ri8DeeIBuF9tlItFGJpRLnUN0MaHD/V6myggQuo9aAuI9p6VNSJ1aV5noPONi8efeG7kOGe09jQcOmmltHM915khZ7Veu/Oby9ZDCI0TErLzsQiO40Y4NW5B4Gd801CaDPKSxxCdsVgaEWiZU053KzH0qa+0YwXt+ffanRGrY4TtLsrJdEmiF0AnOaWYs/znPkWZXMTSLPTk6Be3yoTfxxq1ggT6AWF9p9/nlMPdhkfLUrOnAV6uQq3fStKFq3gTCyHxNZ5dx/XyrN96Kd3OTCgflJbD8lCqABSH9jZwfdh06HZ74pB15yNGFLvhOIhJwn5E0H+WW26MkFUnDSWHz1R0vIJEKnyy3lSPRweFM2MxAtEMOBOjqvlN0C32oCEoKknM6t/S3s4lwlMtUrqsAme4uYlUzPbEVPmzzMRpYhr+UM+MoG4nmovtRrIOL0ELunU6nsEaxxiHymCwGWJDyD/7W9lh93lV3dGP7X87IcfTt9rTUj6+YJS2pqkycZRtnPWkVDlzkS/I8MOL90jIEk0/YkTRWbB5GDcJ8a878mKW0/YPcpfC6MbRsYPo6eDz4KIGKxHDPezRfnOJC/gs72rIrEiC6h7bfW+XGye5VwvMtZefXFjCVyh+ZVco45UPertfLqT9Ewr1mfo5SfgaBJHSs58IuV2vXyfIJeIdO8BXS/YEUxcmWAI9PG1gOJz9lSHbyrm8RtnXZ+f8NJNOT2m7zyF1cYfscGaQ0gTTSP6+0uSTWsZOYuc8rObFP5OU/99yIkDXZv8gVG9YrlAjP1RtwXSlsbzj9EYlUUNQyKYoMnZDwTQL9qlqQVuP2ndL7QpRg8lusnFHZGivgyNWZ6bae3QWe2yTgD5BaXH00u4sktdZsPHAVa6p3XMppmoSuVX63FVsimJ5qzDJp+yRhIbUAPD8KwHYrGLkV/q6SBV8Der184m/MbACv3dCGf3RHzrx4LWWtrpaqntTTbUrQo/BJagY6Vyb22kmFs2gpBB6VJJc4Srq+6RbuQq7Oo2PNaHjbLxkhFIqTRX7Z1/m0nvbuLIN3HIqtxzBEAod0vDUAhEF+Vw92tSTJmirEM4pEDrQn7v1klp67f+40Hlxt5dTXiOZO9fXr0jTF7Or5pnRxSQ9FvlzPDcMuaaiDuBBzVQABZC9wBNCWzUIhAF/RGXqv4Xs1oIpLrWzeg7Vo2QVHRTXEZn1mxnX4LOVFAfkvV6U09NW8T35qU7QyTqzl06jHqAutEPTU4Se6w9FqMEDZ2lMUZ83iO1u6Yj859mFLFRIguhK+cIFzIUOfcwUFKEH5RV741zx1wN2UMac3jgQwzkV70gz6h1Kwbb5B02FZCEaW0222A7A7oSkzuYFD7qZNrQTlsdeqsrsjp9XC95TZBBw/mEE62xp4sLV9UTgKOGSyERigawFfoUAlE8XGrbMIaHUgKBJKTMXAe7Ljc3HIaHczwUJAnYDsu48Pan1KZpF4CsiBO6H2lDVXfKl8GuePd9QkVgi9GFqulA9rWypk4hg==,iv:/O35CB1rNDim/CKsot0sWMM+qEN96vqr9Z4fVG1A3Dg=,tag:pKbid3MCW2I5XouRNXSk8Q==,type:str]
-    xmuhk: ENC[AES256_GCM,data:z51um3KAQodAHZqeLAd53wRuQ+s/vFISxNKu0uZQSdUAtrL4BAj8LBJ743CV/HkrqpaCjClK0Vnn7yhFY3+NFq4fFCIAjVRWdvsfHARKbWEufJtNk5JVn5dLahPCMq0A0ZEZwghJ17opHOVMY4o/QiTyyAEeuD+4zSAh6ofko159WVtK4gDwexgg+bb74EtOxJPxnyV7jdZczH72aD1gwd29WhzSuMiCIAb7SiRhA+QEpvrzKLcT6C2ZPqrMoPbiXD4z/UTfOSEtOFZMfdUFPuExPCCVnHcqSbTlXRRWUMFX8rxFLyWaUjOB4+rvTVDYLGZCS+rtPlgfFEhGs5LGNLQvzvXTiftyfi2xMfg2uhm+0RLUPQQvajbU+akfQbUQVkGi3BklNEQquuxTzedUws7B6OU7WCpgpLCGcg2jyT6AtCF54k3VOVdu0eOjlja3dI3knMixUaHu8bZ+g0xwJCbiab2eaZiDqhoDnCxeuOXBZTdCF8OvGiD5rneDf0r0H8q/7d+jwOvW3d+Pw64ObDUUsa5gzfqOaHNH3ktaRB52dJfg3iBCwj96CNPTY3vEvmNKJ4ruGpP5x5AZ57SfprHeoqXHp7cBMjypgEG+NrJlAFyUdeaO39mHKn9V/jq3bX6SQkNrv8oFPAlbULNyZbOkwEE4g+34H4uV14sEXn3k36tdVb/vX+YfF/FDWjg7Y/kZhvDUOek6Kbd/ps2peavVK0War4RjnJ1GKSUZivj482GnJ6T9exuNnnHwBa+VmONr+OYcrcTTcKwQ8TGWjewA1GT5Dtyphlpk7MJvoUw/i+JCSNbfTZwIDb6J5s89yEd9ES6KfGFMb3KMRRSnM+ozLK85EvFeyHSxhl2XQJQwEz/S7Q6eTKlOQESSIxLDqifOnhKdN/xVdEpXpy51v/x5dqaOYKgYnI8gx1UpsMR5AJKkF5ft0n0yHjz1UQc6ZSDdaj7t5u2EoYB9/lLBjC338Rtq2UPAPhETHA4IPvp3Vg34Z5UO8L1L0Uo6c7cbrTpVAAmbCwzkKbfGsAh2Zhz0u8Y31rMO8W2kqveaaSt1P71EVA1eYaxUUtaq50dn6miWuIVPTbY8AJ9lZVXOlbOoNLrh/wP3Rp43RClVeiEnxLD/EgRp8Vw3P4E6rbVpnP2pZCetD+WyTlnGx8QoC1dpiosCMlcy/M8BNwvqgphgQZrZhu2OT7WqVt/ie4QcKBg+Fje2lwU6TGjGEwwsS/taCWBjMrOBWktI/ZOW4IqV4/FdzuvYDsfDfplIQeFSaFOwFCX3Q0PLNhtL3fRYeUsK76eTCAQxXB+LhE6wJpxznz1cAUqZG9/lYmqe19rIh1P1UWdlnCQI/35ar7dInH+/D38a6PbtcmunHfuqSdXqK7KF03CFQCTLjhmy9DHo+15mAhP8m/AjvGNNnF4X+POc+1hnNSML5ZNS52dRJ4zaHgPmiXWpcUdF4YNPb92IWelyOD1kmzylXl4NFGeVA4D0yVWaOANAzoYrgydoyeq2pOGYEwmVRmJPj2BnUWr3k/t47cyZthRzZZsIYNoTvBCSgy8l0t+YuKiIZh6goQFRR6lpo7aTpEDDRUcNoq0Vq6fyClbtEvl0KZbFwhQy+/3uIiaEYvhUDcDKqOqoHqd1HE8Vs2ETsBbIeTe1IL9J35a+WJuUgkl9iUUrMoRLr7apVsypGBQ8a9mUe/YA9S6UH/+lFVk4aXczYMG2/d1BSAJcvroDbka2NntHZeYI4700wlhmMK6TkOxQi7w3BcNv2N164wf7l3FgtRGpo7Md+ryJF7y/50cyljl1DX9NULM/9Qw291A18TL5ZKRvJjGhQgBJOo67IV8itKYoSxsitE7cudKBT6pqDGsFhvbBusEBP0VpPIRIziwH58SkiJ1M1WHpgmp9pnIjRhiw0Nl/j0SMEGtzjlfaZsKwk3uGjLHkC757WU5mIcCiuPPl87QDTqc6/PDcU4r6CVN10Ppx7OsViCg5sH5A0+/Zj67NJTrdNO5iawTozo4alnMMhfhl5xpuFO8oXviiy4mAez8AFIjaYoujhlPww03w7/u52iIbiHFiNyIzMoo0nqlHKJ9MfI9fmTsxpD+2zF8bnatDkdiDRg+Gn6H1pfHGH/XxT9yIqVlMpzSs3WXEjgTcYzLwYDDHTdnkbd4pAPBkX5vXfptRLWF8wNessEvfOhm6IGxjyXiNipbhWNjRzvs8WohB8c5dfpqnPWEz3GopA7a/vTFI7elDZ5VoJYclaoAQpESnEXNupT/DiZcOGvyk9kupmwgeoE7kWxMy9Wc2mg8Do4sxw4yV6pvqm94Ne8Bu0OEd7DkHDCxuJQfXLL387HoXWgn+on603FGEIaTSrkWUx4T7AxGjQgd5q3t8RsSXsWVACEodx0AcqzqS98f8qOmZ4Ivqq8W2UCqVmY/GYnemoxfRGRN+mW9znfYTO57ywQA9HLJ9V8XYX1AYdeaWu59WUcQ1oNzNB3ZB5QQ50AmHrkJj0Zn92fgL8olp5rGoOtjHqQCewJlBCQKoWVUzsUZMAM6GQrXxvf3ORytTXYUW+zXOiKxuyZHg4RZ5cs+Py9hvquEFE3D92UI/iwkNvOLW38eeVdR4U1/qKc1U1oFkgZuB5EC+NyXekYgyAaqWlS4K6x0Q77UvXcsKxSOghDbKoFUw0kxXlxI1+MhAUECKopvQoXsADw6Yy/3VgzpoFvaj9lFttwSb2IIScgaxxciOwRaQIbSh6joWbWQWtEowK9BUObRKJ3ED4jS4Te+Pp43dI38fZ/+Ng3y4nYj/jdAqRhTE7jhSzdK8LYGcUrxOodTa28q3pHBvJJiBgQDEnEoJUKl7PJcggUdPbAhi5ywy28SxZ3i1qTeMu8TVjMwdkjQ/1hCeqWGX1PldSqw1cOTub71zkrj1m0rLY/noaWCOwjjaorz87UjcV1+k2NH2oZ1o4EXgybBrAlahAxD3AFKumkvViTe/lprYpbaecse6393K/9SpD0+Qb+WbDgq/eZ0FwsdFblAG4xLZUOpwwqCa3F44n9el+Cuzpxzaap7HUjyFxwSz2MsLGAC1e4tX9GD9e+g4f7XozPSxgMunNAuFsIbD680Y7q/cgpIGCba6oIWlpe6TJQD7EOh4/nAw4FTWuljUHp/1ZROpnLRG5oEOxIm8Wi8GmoRyhNMCnvZEo7LPfNJP4cJmiWFmtIhHRFzefr2o6roWM5mhZsZkxuMK5rFQU39TNo3bj03CT0OlrIqeEMFVxj1wjaPo/4eBcHC4hJKeUzdSp1cNlW+u0l+C1SpMsfhQvDGaD254i0LwDaYSSAJymG3B72UfqlsCOT9GEH9FUj3lNskX2FR3NXvT9et15X57LHjXOSmYjn9EuQcYRv2/476WjQqX/d2v57vGqfRQxWmFdMBTo5747pDo6eaXCxbql8jzgFncGxMqcp+R7k4j8T0Fl4kuSbYpQo2wunJp7iACAQ==,iv:gdfp0dUqeJegQuoExquRV9GTtMo3eL1LWFKYOm5REkw=,tag:jsSkfWALdHsoNevaYkJyhA==,type:str]
-user:
-    #ENC[AES256_GCM,data:a4mHxr7bn7BV,iv:FYQk3yv3XgxNO9CnrQefo3WqhO0Sf8Mihfp+Iw4AcWM=,tag:jebxvG+xUidghf5dOlvDYA==,type:comment]
-    zzn: ENC[AES256_GCM,data:xBSve41JclBYQULPN7yV/1Eyo3u+CHAewVetKHwjvl6Te0kk/+aLx6gs8EpOJGmVaiSAdt6F2ayHXUD8RXXpJIOnnEHk88kqbw==,iv:XPxMLvlVtaZvpWnau5Jwlj/5ty5Zyw4F44ix5G64Z84=,tag:uJfWb0PCebdMtxXMfueULQ==,type:str]
 wechat2tg:
     token: ENC[AES256_GCM,data:PrZWR8WiZ7grkpTLqMxwbnkwZttl7n0e1lc1mdHJiFUWq/PqG2wNBC27C58jMg==,iv:02XHhfpN8YPix0REbJDnsBbvCwifbdwBwfuJ2glbvjo=,tag:6aWNqBfwulsjMbl+D6L9vw==,type:str]
+searx:
+    secret-key: ENC[AES256_GCM,data:KhIP+Rz3rMfNgPEGTlKGvm6gl1/ZuPI=,iv:GcaLEJHKJO3n6IaeiFr9PaJ6eNx04/VjX3UgmBF429g=,tag:HkplyH9hTHUaEZ709TyitA==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -59,8 +44,8 @@ sops:
             OUlxNjdQaXdXMkZ6bnV1ek4yZ2dpbkEKpKGOAxo5Eef2jtGrg4iSzmGCeg+vTgvu
             +K8b+O19MIkGMDBm6UbYUPtc/7eqoEZRiTUzNMTmfkLVS4ul5zou9A==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-14T01:12:53Z"
-    mac: ENC[AES256_GCM,data:Ak+LR+PkQG1g9wwlfLtDN2Dm8GdGfbb0qA9Spb3X0LkdCSFLBWqW0Jf88gHB0j/4HszYVaCAUFs+OlTvTjOtboOCTM7tH6z3dd0sU+EMHeK9cPz9kmDlF1LFFhD8dyqytEwq8/xN2MlTmbVoYQvVoGsrD8tP0B9NBPaQiLMPcrQ=,iv:9DthG+HGB3lCxb85YpfitNw2PWYwpdqWTo660gTOUew=,tag:yAH6o3LkGfvKF1UOdgWyyQ==,type:str]
+    lastmodified: "2025-04-13T05:59:15Z"
+    mac: ENC[AES256_GCM,data:/m/cioV71s7HJ7ObIDCr69wDLn2xk/lTRqmUCx46u7tzOwMsYqU6DghBsZuaUN1r22CbMi1wtmSziDisKStOGY27pswNe7IuEo4IhVz5sJNxcWCxpYo8ttrCUeaJ7Y0vFbseIn1l1UObfubhhvVdxDsE0RoxLK7Ka8hJW5aEksM=,iv:GKmlbRXFexMegBWBVx4vusA0ceZZnwGIN2FkSpGXMdY=,tag:yoCnH94Ph0AUjkN3CTg6wA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.9.1
+    version: 3.9.2

devices/pi3b/default.nix

@@ -1,42 +0,0 @@
-inputs:
-{
-  config =
-  {
-    nixos =
-    {
-      system =
-      {
-        fileSystems =
-        {
-          mount =
-          {
-            # TODO: reparition
-            vfat."/dev/disk/by-uuid/ABC6-6B3E" = "/boot";
-            btrfs."/dev/disk/by-uuid/c459c6c0-23a6-4ef2-945a-0bfafa9a45b6" =
-              { "/nix/rootfs/current" = "/"; "/nix" = "/nix"; };
-          };
-          swap = [ "/nix/swap/swap" ];
-          rollingRootfs = {};
-        };
-        networking = {};
-        nixpkgs.arch = "aarch64";
-        kernel.variant = "nixos";
-      };
-      services =
-      {
-        # snapper.enable = true;
-        sshd = {};
-        xray.client.enable = true;
-        fail2ban = {};
-        wireguard =
-        {
-          enable = true;
-          peers = [ "vps6" ];
-          publicKey = "X5SwWQk3JDT8BDxd04PYXTJi5E20mZKP6PplQ+GDnhI=";
-          wireguardIp = "192.168.83.8";
-        };
-        beesd.instances.root = { device = "/"; hashTableSizeMB = 32; };
-      };
-    };
-  };
-}

devices/pi3b/secrets.yaml

@@ -1,33 +0,0 @@
-xray-client:
-    uuid: ENC[AES256_GCM,data:82Xg9VkmkLrKKcZfojA7dHqqMZh45n+eL4T5qZ1z/xy9k0q5,iv:/2j9flBDwjY6JW2mHYo1S2VE+ruu6gxrw8BzSyoiPcc=,tag:iq8wzfIRyq1T18k3vStVGw==,type:str]
-wireguard:
-    privateKey: ENC[AES256_GCM,data:8whySpY/4WPWx2+t7IOgn+qjKCsv+BgRtaAFLrP8L0fV3TJdLob5vwDplHk=,iv:kXTDwOyJNzbjPtlzQqNsXtuk3EXFdF9CAsYkvImbyDE=,tag:tsK9nCMmwEb0c08rJ3Iwyg==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6TzU0U2Facm5yWkYrREgw
-            a1Fxc1MxaHYwRWUzUHpsbDBHYVoxb1NKVDAwCjNuUFlabzJ0aWtGMFBQb05nSlRP
-            akwrWDI0QnZBYkFmSUpWZFFnYmQ2aDQKLS0tIGlIQ3lTREN4WXgxV3pNdjdaakF6
-            ZnppV1ZRZzZ5Smt2NGsyRndjTFdnV00KaWVPGLWPnqINH6AHKS/84kuYy/v1v4Tb
-            QdehcMiq5ZF5XLqOX5sMDLu8h96FIklqOSTZNFkzr+s9VYv/UO58rg==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1yjgswvexp0x0de0sw4u6hamruzeluxccmx2enxazl6pwhhsr2s9qlxdemq
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyTEZERkRSZUdSN2dySnlI
-            aDFjdXFCWnlJZlpYQmR1WEE2RzdCaVp1WFEwCjd1N1ZpMUExZ0ZBWmFwSHg3RUs4
-            RkRYTjRMWmE5cTA4Z2JJUGgyN05HSmMKLS0tIFpKZmd2Q2k2bnNYK1V2ZnNQNUxH
-            aDU3Vm95ZkpvSTJDMjJEOFY1ZjhrQlUKLdMYiOj6tlzwLpwZsTQVSQ8hHart0ba3
-            NS7+SprzJRb0hQXrvyU6s9zho8dPOw8wiGbscmMXSVS/Kar3eQigmg==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-03-28T13:31:33Z"
-    mac: ENC[AES256_GCM,data:fuppF9gFh3O6ZqJRTcVxNqVlz2y5f4xR39JIeInKblh4hNhrdnQg7oh8repoZeXHVRewGeGyxSqzUg+Twy8J+q+d6TSmiDVViD/SHse5rPns2Egt671geF7JmGEB/yKSCbECjGCp0QFgYYEg/vUOaV3v1a0s7LLTE/t2haPIaYc=,iv:f4T7JGxKB3WmEtETuSH7ApKRJ8ptPwZPfspyqc8+vmM=,tag:GF5br+e/p6qHsNCTjfIBCA==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.8.1

devices/srv1/default.nix

@@ -22,9 +22,7 @@ inputs:
       hardware.cpus = [ "intel" ];
       services =
       {
-        snapper.enable = true;
         sshd.passwordAuthentication = true;
-        smartd.enable = true;
         slurm =
         {
           enable = true;
@@ -35,40 +33,33 @@ inputs:
             {
               name = "n0"; address = "192.168.178.1";
               cpu = { sockets = 4; cores = 20; threads = 2; };
-              memoryMB = 122880;
+              memoryGB = 112;
             };
             srv1-node1 =
             {
               name = "n1"; address = "192.168.178.2";
               cpu = { sockets = 4; cores = 8; threads = 2; };
-              memoryMB = 30720;
+              memoryGB = 112;
             };
             srv1-node2 =
             {
               name = "n2"; address = "192.168.178.3";
               cpu = { sockets = 4; cores = 8; threads = 2; };
-              memoryMB = 61440;
-            };
-            srv1-node3 =
-            {
-              name = "n3"; address = "192.168.178.4";
-              cpu = { sockets = 4; cores = 8; threads = 2; };
-              memoryMB = 38912;
+              memoryGB = 56;
             };
           };
           partitions =
           {
-            localhost = [ "srv1-node0" ];
-            old = [ "srv1-node1" "srv1-node3" ];
-            fdtd = [ "srv1-node2" ];
-            all = [ "srv1-node0" "srv1-node1" "srv1-node2" "srv1-node3" ];
+            n0 = [ "srv1-node0" ];
+            n1 = [ "srv1-node1" ];
+            n2 = [ "srv1-node2" ];
+            all = [ "srv1-node0" "srv1-node1" "srv1-node2" ];
           };
           tui.cpuQueues =
           [
-            { mpiThreads = 8; openmpThreads = 10; }
-            { name = "old"; mpiThreads = 8; openmpThreads = 4; }
+            { name = "n0"; mpiThreads = 8; openmpThreads = 10; }
+            { name = "n1"; mpiThreads = 8; openmpThreads = 4; }
           ];
-          setupFirewall = true;
         };
       };
       user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" "GROUPIII-1" "GROUPIII-2" "GROUPIII-3" ];

devices/srv1/node0/default.nix

@@ -17,22 +17,9 @@ inputs:
       services =
       {
         xray.client = { enable = true; dnsmasq.extraInterfaces = [ "eno146" ]; };
-        beesd.instances.root = { device = "/"; hashTableSizeMB = 512; threads = 4; };
-        wireguard =
-        {
-          enable = true;
-          peers = [ "vps6" ];
-          publicKey = "Br+ou+t9M9kMrnNnhTvaZi2oNFRygzebA1NqcHWADWM=";
-          wireguardIp = "192.168.83.9";
-        };
-        nfs = { root = "/"; exports = [ "/home" ]; accessLimit = "192.168.178.0/24"; };
+        beesd."/" = { hashTableSizeMB = 128; threads = 4; };
         xrdp = { enable = true; hostname = [ "srv1.chn.moe" ]; };
-        samba =
-        {
-          enable = true;
-          hostsAllowed = "";
-          shares = { home.path = "/home"; root.path = "/"; };
-        };
+        samba = { hostsAllowed = ""; shares = { home.path = "/home"; root.path = "/"; }; };
       };
       packages.packages._prebuildPackages =
         [ inputs.topInputs.self.nixosConfigurations.srv1-node1.pkgs.localPackages.vasp.intel ];

devices/srv1/node0/secrets.yaml

@@ -0,0 +1,34 @@
+wireguard: ENC[AES256_GCM,data:B5YdOhpXruQY1Hqb7hpIyPZinSNG+Ub/jE2/hiwZT2WCHjT6Ujz/W8eKbuk=,iv:XcfZb34SjYEsxvo6HEGCd7wy0dsrNIEJ0bORznZZceA=,tag:uFlbepSwch2wJCRITlVNTA==,type:str]
+xray-client:
+    uuid: ENC[AES256_GCM,data:6JzTyJ+GVzLd0jWfvCc2dBdBVWz6RFH/8Gr73TNz6dNCyQjG,iv:ddGpYbIHN9PV3w6Oh65vEvv82jTChxgMdltIRPz++DY=,tag:nbFFk3S/y0hS3NFWGLPVJQ==,type:str]
+mariadb:
+    slurm: ENC[AES256_GCM,data:IoRiruMV+bdf4qTSQBy9Npoyf1R0HkTdvxZShcSlvxlz7uKujWnlH4fc5eR6yytHcEZ9uPLib9XbGojUQOFERA==,iv:E0ac0DyhplaHEc2WmcXY0Fjpkt/pnY9PaATe0idqCRA=,tag:Vo/DBIUO6DBFCXQ1RLrchg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZQUpac093NWh3bnZqWkFY
+            WGorTlk3WWJRb0RYVWVQc1JacU9GZDhFN0RnCkJkQnJoTkZtYkFEQ1JDZXA1Qzdp
+            dWxtc3RFbUd4TEZobXBQVWVlL3VETVEKLS0tIExoMUNidEZob2dtTWhmS0VHbDJn
+            RFNiU0xMOG1UNVY5TTYrcW1GTnIwb0kKyCl+eqpGtqN047+t1C/c1prIaP3tm1jk
+            1ObtsmGwCxDyIkayqB3WF9DWhNHipXHZXrWT+JQJTD30BABBex+ufg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1nzetyehldf3gl6pr6mu5d2cv387p8wjqn6wfpll7a3sl8us6n38s0ds633
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3WXJ0dmh3RTBMci9pVVh6
+            cWsyNHVub2U1RFhLSnJPSFI1S2lGV21nYm1ZCll2TUQybmtaaTdYd0dGSXVNV1Y3
+            TC9zbWJQOENsQm1Nc1ZwUTMvczJGK0UKLS0tIHJRemNhdWpRa1pkRnhTZjhCODNM
+            OThDMWRsWnVTbzRGTTZqSDBkNWZJMlEKdQ/ipO7O5OvaGa81c2P7fi1ncufueSzX
+            2njlHHz1gJCtjpktYaVvS6KSYtJoI9oNrF0YN5D/3kKW8TicsSGKaA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-04-10T10:44:35Z"
+    mac: ENC[AES256_GCM,data:lfckL0SJXq+eY3d9SUHihE4Alp6VAI7ugoQygMsphi91yvmAZ1YBbrTVxjzQpL1dT+7zhOhzE2dTqCLXUl1gjbYYo1S6zco73EdU4k/AX3LEAhCJCxG1LVvN/Kf+XoMSauFM7z+E8zZJCvT9/Jijxy/Ty/XBoP9z7gmpQSuRntI=,iv:5hVa0bsv3B9/I+BSxNYOYHFRnM3BfP8GvhlM65lWLFo=,tag:gs2NOe7h6AqYbmCBUMd9FA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2

devices/srv1/node0/secrets/default.yaml

@@ -1,56 +0,0 @@
-wireguard:
-    privateKey: ENC[AES256_GCM,data:egNwovz+DTKoaGs/QQXR3MD7AImGlMlBnYsAZ1nuYnlgTVPM28aiLJ4iLGM=,iv:cFcf/sjqTmGqceNwHnzrhs1IvhDPRJi5YkyFVpjrsrs=,tag:yUwvNYCHjK+7+xkM2cuQNQ==,type:str]
-xray-client:
-    uuid: ENC[AES256_GCM,data:6JzTyJ+GVzLd0jWfvCc2dBdBVWz6RFH/8Gr73TNz6dNCyQjG,iv:ddGpYbIHN9PV3w6Oh65vEvv82jTChxgMdltIRPz++DY=,tag:nbFFk3S/y0hS3NFWGLPVJQ==,type:str]
-mariadb:
-    slurm: ENC[AES256_GCM,data:IoRiruMV+bdf4qTSQBy9Npoyf1R0HkTdvxZShcSlvxlz7uKujWnlH4fc5eR6yytHcEZ9uPLib9XbGojUQOFERA==,iv:E0ac0DyhplaHEc2WmcXY0Fjpkt/pnY9PaATe0idqCRA=,tag:Vo/DBIUO6DBFCXQ1RLrchg==,type:str]
-acme:
-    token: ENC[AES256_GCM,data:k5QU1aHvd/hSG4yncffSwnxQvhULHd0I8wtrXD2FcOH3SWswkmzMOA==,iv:WB18Wsl0nxUQ6Om3SXP5+0BtFbNZ8fCXTyPJqj6a9Ik=,tag:dKpr52W7Wdwws87r3hQxqw==,type:str]
-users:
-    #ENC[AES256_GCM,data:rNA32tcCmriP,iv:No3Hyee58jDzZaXOD8SJYzgQXXs58oAddwC5Q9mo55E=,tag:RgZO7fgZkAr3Pawqt0dwmQ==,type:comment]
-    xll: ENC[AES256_GCM,data:kq6gpuxBRbDP7Yi16WJrrsumnSfersI2kP5pT5efn5CjbL65JaW/Bff9P4OM6b3J21ObT0uRSmParBqW4OvN/UA4KXDhibqwRg==,iv:GvpNgy8kREgxp9v0cyIobgg2ZrrxylMmwq1hRaAoNA8=,tag:RpD/1FjWVglzt8sIAjjpsg==,type:str]
-    #ENC[AES256_GCM,data:nl+uNO7GVV4r,iv:8hUmN4uWOqJE0g1aYA5dqQq+0oCpYGKe//yuECpmyBM=,tag:79XibRYMadJNE5Uy1O+4Jw==,type:comment]
-    zem: ENC[AES256_GCM,data:t6zd/9ZoJWEkPhKyfaUXWQM2Y2unpUUq79SEKSt8nmWCQxlBk4PzMX031CwNde/0A4G3ARyIoU8vcFqp8NaBMA64INccKccrGQ==,iv:QOKpu7lm6uiPACNGa0QvHP81PP/4doS3r95h8/nexcs=,tag:J85l6pYh9WT/LyMbTrw+vA==,type:str]
-    #ENC[AES256_GCM,data:7SGmLzQyXKWo,iv:lr7nM0r7eMc+sCNO8OgwwELH41zTk3W/1i+0rnTc+9s=,tag:ZOkLRhEsFXX6bODu6wUyiQ==,type:comment]
-    yjq: ENC[AES256_GCM,data:8TF316O4M3UDoSA7rjBn12vUdHOcWXtrvuhqa6K65NaMhHU9rMrPHEikr0tqe5B5ojhh8PRRe+X/Dq19L4rJXThRfzdhALZzsA==,iv:2plZ2m0JuuUMQqYnyETCPH9x5jnLtNl396zvv7ay++s=,tag:X7YSLQOE9xnC63RWCht3GA==,type:str]
-    #ENC[AES256_GCM,data:yclOn8oHwLYQ,iv:Ba7Q84z6e9/3lv43wdN+bd/aqO/y5qR5I6Z5O6o7U6E=,tag:ecaNN9MgZqDYBCbTlsOZtw==,type:comment]
-    gb: ENC[AES256_GCM,data:piD2eh5iUXnCEkEyDULPkjbEG4Uc4izoVAuscbb9TPr7Q9WhCJX3FGRYrQp/wmZQ6UETR1jTejtbT9j/kI96BcN2onlwO/lqvw==,iv:oFWeoDp3GQA8aR+/AcJnhkovOWx7MgHoCKy5xdPIJMo=,tag:n2E+zuKckNAU7mOCJW+f1Q==,type:str]
-    #ENC[AES256_GCM,data:hfcOjdrvK+YD,iv:8rUsS1exsOx+2YEgdATNcWGKqmaCNbpY1EEq1Gv1utE=,tag:Z0lq2ctHBWDtx2tyxOSIBw==,type:comment]
-    wp: ENC[AES256_GCM,data:DUfGQpSg79W8KD/SWC2B4FqoPGoCrd1miczAQR5YApD00QopMmeDR28uTmHru2KU9DsjkdnWEbgfM49CwXt5FFJennqW36oYbg==,iv:D9+3CMZlJIHm+u14rAEikQoBM3jBQN8Lnx22DN2EIg4=,tag:ZegZmI1kf7Whcw3EE9dwPQ==,type:str]
-    #ENC[AES256_GCM,data:6pwUu43Lu5/h,iv:lZQ5F8v9VZRGuUoEMH15JLvx40N08ahTEbdEoKEuvsg=,tag:zPMQy6d9/RcukBO1cyeM4A==,type:comment]
-    hjp: ENC[AES256_GCM,data:dqoQ9hUbptm0//mlcFRrqLh1NpjxFPH+4jeyMG/x9Zvkszw7d71jvkO8KEPBfKnXpPBP2lvFyEqooIMWQJPYiIszHt2f0qSC7A==,iv:5nRcsaylcx74tQR1KddEpZUhmcynMvdHCcJYA7wfJnE=,tag:bGVKD1aDZJUlFg/zagP/eg==,type:str]
-    #ENC[AES256_GCM,data:Idordi28++/e,iv:5TR6Z14yluxPhrD7ye2mXEQpD53qS9/ZJIZ+S1sTqco=,tag:IkmLWXdxDmFQxtpJxL61pg==,type:comment]
-    GROUPIII-1: ENC[AES256_GCM,data:JuNtb5SRUrxfyjWFn3Be7EU51j/HlwiOpuN0m+Picf/2Bs97kflGnqGKstVRIjWEn4WzqscSaLRsbP9uFfSBHeJ152xfyOqkww==,iv:mQvIC6v+1fziRDYHYSFMOKof1ZcoFskpQDiCAF35sa0=,tag:0IL2VvdMorgE6oziscAB8Q==,type:str]
-    #ENC[AES256_GCM,data:kyJP952K5atd,iv:TLMUPKshuWqbQ6koiZ9eTXcoDS3jLXYy/gCZbMGrRl4=,tag:M2tLLogovoG2PCojt9CJ9Q==,type:comment]
-    GROUPIII-2: ENC[AES256_GCM,data:ifWnLx1YEewdviqHK8fdesM3c1m1T4g6twnz1cGv1yc4jit68pQWLrRMivdsM4tUcyU9GKwCaElVlvh+dgyy8EZQPKCbvJX6GA==,iv:T5FWReeZ0QOkGJiNfrVrUBhAhbXxlFQJKqQV2tzw9AQ=,tag:XClXGZDWGuoGxzPW7ne2Pg==,type:str]
-    #ENC[AES256_GCM,data:t8QUVYG4v7fE,iv:N8hDAV7wulPHcfnYTXuZRhb9dQPZqKpfMKK1+ITaZTA=,tag:eKMJDOmqoWWQbv/mm3LaAw==,type:comment]
-    GROUPIII-3: ENC[AES256_GCM,data:VlAA+g7SRZyhPSl0Gd1KS7dCwNgRA/o+d8anN88A7E8bSE1ckeTSp+J4YrbbUlLasLhliOZ/nDC0rti+hckGCrjMwweMorSIWg==,iv:7u1yNrN7uxHCF1MsJ2qt1jyQ0ZYYCYKUHwRff50P9oI=,tag:3raCWjdButfmcdy8mH25Jw==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZQUpac093NWh3bnZqWkFY
-            WGorTlk3WWJRb0RYVWVQc1JacU9GZDhFN0RnCkJkQnJoTkZtYkFEQ1JDZXA1Qzdp
-            dWxtc3RFbUd4TEZobXBQVWVlL3VETVEKLS0tIExoMUNidEZob2dtTWhmS0VHbDJn
-            RFNiU0xMOG1UNVY5TTYrcW1GTnIwb0kKyCl+eqpGtqN047+t1C/c1prIaP3tm1jk
-            1ObtsmGwCxDyIkayqB3WF9DWhNHipXHZXrWT+JQJTD30BABBex+ufg==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1nzetyehldf3gl6pr6mu5d2cv387p8wjqn6wfpll7a3sl8us6n38s0ds633
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3WXJ0dmh3RTBMci9pVVh6
-            cWsyNHVub2U1RFhLSnJPSFI1S2lGV21nYm1ZCll2TUQybmtaaTdYd0dGSXVNV1Y3
-            TC9zbWJQOENsQm1Nc1ZwUTMvczJGK0UKLS0tIHJRemNhdWpRa1pkRnhTZjhCODNM
-            OThDMWRsWnVTbzRGTTZqSDBkNWZJMlEKdQ/ipO7O5OvaGa81c2P7fi1ncufueSzX
-            2njlHHz1gJCtjpktYaVvS6KSYtJoI9oNrF0YN5D/3kKW8TicsSGKaA==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-09-29T06:38:23Z"
-    mac: ENC[AES256_GCM,data:n7MVBKCUW4xpIiVO4ysBqlG89LjzpDBx9GJWQTrSenLWV/YrIGUxA6QDlRg7yhqV9ldF9Q7hDve1KHw7OxKRx5ot5OZiD3Bq3TwJfS2DarJ2vi9oc1J+CXXach8gp3m4C4RkPJ/y1i3jB2nRfSw5Z/TtdPMbvGXlHh+hhriAqxM=,iv:tyBcXMZzgeUOgYJtU1XkptPOlNoFwH+4z6xTD89aKOw=,tag:apXU989ZL+D8WhWKFTdXTg==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.9.0

devices/srv1/node0/secrets/munge.key

@@ -1,24 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:ul1xMmQ5FZVIKct4KbgnTStsT5cH3sRvmaApZez4WZ36zF3q3M4o0dcwuWXxl9Ay8+Kd1zzUCZy26FRj85IwAel6POkmIlXl51Awou3iWuGBqUlS6IL9MIERMR6lTlisOK2l2PJ7IJBichFwwDrxImnt06B68Z7JWOyrLMfQhwg=,iv:nHePsGpRWMj4CdZ8wxr4xCJAcSndHsRju+AMyK54vNw=,tag:+CC0EJbTmIjRijr1SZpF3g==,type:str]",
-	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
-		"age": [
-			{
-				"recipient": "age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqRTJCOTJqclZqV2ZTb3NG\nSUV1VVNnUVpqZGVCc2hlTVBkQUVtVGlQdEhVCk1aNjhhbDZuajhQL1l1allHOXV1\naGRoWEpTZ2haTFFqRDhlclEySjVmMXMKLS0tIFpPdHZvekhDaS9yam5GSEVhZFlw\nZGN1QTVYQjZuUXd0NklqdytYRjRSNWcKC+AmUlZiefdfnP1l/sbQHBUaZGN6ciT8\n/yI2ed25uFGwCo0h+yLywbuNQTv7AiBFM3R+KBSjNDkFSgiGfblVNQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1nzetyehldf3gl6pr6mu5d2cv387p8wjqn6wfpll7a3sl8us6n38s0ds633",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0VHhFMi9RZ2VjeUxqTHAz\nZklRbkRGVkg3NDR2elYwbXRHZ1dSQTEwNXl3CkdidmwwVUZJWDllRVdYRWM0WEtX\ncXlHbnlZd1h1Ni9UTEtHK0Z2YzNHcWMKLS0tIHl5ME9UaDBFSkRXeEh4OWNRajZu\nOUdGcHA4Q1I4dS9RMUV0YUZBYmZyK3cKSxvVdG+P9+esK3miJdW9BqgJdEMEq4iS\njWgh5lmSQaat3UzjkOVPPp9Xu3DRpzTFq+dM8bdGDTbzAdrUhxj87w==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2024-09-15T11:11:36Z",
-		"mac": "ENC[AES256_GCM,data:bV7T1HfvM2n8+Vus9oDO5yoWDGtWYOd6d/zJ86/sXB4psg7aXVNedYSn+98SJdpYKHRcSuMJ9D4h62nAawERB6u8EmW8kxh8fuVLb6tj+9fWF1iVqinL4LE3916+XzMqGzGVZZEXaVtPHqOue/D1sYtBrBCOEMMyq0cmLFY2JrE=,iv:eSrtmJLARmwuAQ1//x4XqCKDZybJmMtyefWyLPk+1j0=,tag:M5W+vO4RjVwS18C9wTIe2w==,type:str]",
-		"pgp": null,
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.9.0"
-	}
-}

devices/srv1/node1/default.nix

@@ -4,22 +4,13 @@ inputs:
   {
     nixos =
     {
-      model.cluster.nodeType = "worker";
       system =
       {
         nixpkgs.march = "broadwell";
         networking.static.eno2 =
           { ip = "192.168.178.2"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; };
-        fileSystems.mount.nfs."192.168.178.1:/home" = "/home";
       };
-      services.beesd.instances.root = { device = "/"; hashTableSizeMB = 256; threads = 4; };
-      packages.packages._prebuildPackages =
-        [ inputs.topInputs.self.nixosConfigurations.srv1-node0.config.system.build.toplevel ];
-    };
-    specialisation.no-share-home.configuration =
-    {
-      nixos.system.fileSystems.mount.nfs = inputs.lib.mkForce null;
-      system.nixos.tags = [ "no-share-home" ];
+      services.beesd."/".threads = 4;
     };
     boot.initrd.systemd.network.networks."10-eno2" = inputs.config.systemd.network.networks."10-eno2";
     # make slurm sub process to be able to communicate with the master

devices/srv1/node1/secrets.yaml

@@ -0,0 +1,30 @@
+wireguard: ENC[AES256_GCM,data:D4ukKVu4yn3hS3AZJqt3XTgZNbt44Vyiu6I5lCNw9c/VEqXBx3GDlKdcVPY=,iv:S1S0sU0vQcTahFI+GyBz1n/0LVsK3ImFDuLtuQxmgik=,tag:oZ1NWOCcsRb+kjfq/LcL2w==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyRXgwcllHZmZHcHZmZllq
+            c2NrbnFSaVVBTnhSNk9Pb1ZSWGp6UlVaanlVCkNObzcwUlYwZDdyOTByOXA5M0lz
+            QTJQMFcvWGY2VmZFS1kydjJSWmgyazQKLS0tIEs0VHZJckcyZUZaWURqZjdoQkVI
+            Zzl2RUFBRCtuMkpidWU1cmZlZWU0OEEKyMO8I43PiG+1Eu/8aKuNPKeA50P1bSyD
+            Nv5xyKaqcs6737Gw/zk0tY7EkeeruDfemxgsb527g3hYogHNXr9oOw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1wj33xt8nj7rhnsenepsf6k3lmq5vk4wn84jwr55qy9cwu05xn5cspg3h7t
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEcEo5a2srUTlhWXFQd2FJ
+            YmtBMzJqZE53R0J6TG80UWxMQ1A1WEpFNzJFCkJBSWQ3S2pTVnpGZ2JlRnpBYU1J
+            UWRKdEduQ1JMQ05GejVaakZYNzh4STgKLS0tIFBMVTN1MDcwVERucmoyWm5MQWcz
+            cWpEMWU1TjZKbnFTWm4xY2QwdWx3aFkK0O6p2piq8RKOcSTT49i0pnlt+gOk+QMF
+            r+EJU0zobWwe3PrDg8jjw5HpMxrpDzHcD0XMnVQW0Fd9pn6n4VfpUw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-04-16T05:03:27Z"
+    mac: ENC[AES256_GCM,data:13eXFmTRo9lZvQ3+iApHuei5r/OCSCs2gxqEe3nmavQgq1kQXKcD+4ciS/Shd9CJFZrjAu9oRByu5ZeZOnj11u6z3EmnXIwHptMEZe+N6r+Z2uKcBUa/TSJBnYcCrMQ1NM16GXRTi1bwpx4iT4v377lgd1orCa5C10iD6W3/9b0=,iv:FBGi1hSAu0Bz5NKz4mixfbUXbjI725RHccmEO4/jumo=,tag:vCHzTsTV7kJKNapFTxS55A==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2

devices/srv1/node1/secrets/default.yaml

@@ -1,50 +0,0 @@
-users:
-    #ENC[AES256_GCM,data:dgM035YLtZfl,iv:h7pHQ6YFa4hxcHMihQTegHmkaCMlfPtqdCqvJxSsXt8=,tag:V2v9C2TfErIOAihtTQpnSw==,type:comment]
-    xll: ENC[AES256_GCM,data:/YL4vowFLFbbYv06yaKWZH5UNBKs0L6LQ+6O0IsiUZpgW5fGfp2A5JTlH6ne7RGyyTE4GNId0MC7byQbTHHwO+5zVYWpzjDCfQ==,iv:5/VKGsIohoutZf3F4Qj8PruAXSivQ0zsg1pwLwZbCLs=,tag:/vsrCISEbgQ7HnubWOtKow==,type:str]
-    #ENC[AES256_GCM,data:oT8PFxQdwEt6,iv:eD/wF2toUAT991S0aO7NklpKSnMDH40+73IhU83H9t4=,tag:mxxAUdfHgC/hlvmLc2MlAA==,type:comment]
-    zem: ENC[AES256_GCM,data:RpmSTr2ZKfUNWg5vYbKB00AG18GNQs+kgx82E9Mg5hoc3HKmbAyIzjxloMn/Bw3MOTnof6Cf1ZzVCs53Wz8YbZFClLEVdKhMKA==,iv:NQJQOxQa/RaGzvGgarq5kWL8ojB1bejEiqJUCJLxgyU=,tag:8cFFQ5kKpZji4YvEYOyzOg==,type:str]
-    #ENC[AES256_GCM,data:keNqy5SdClQT,iv:N5LX7VJEwLHQ5HsFINs6LupP3rv/XAWFR2e/S52N+Oc=,tag:cqBh1bL1jAEk3mT0pLDd5A==,type:comment]
-    yjq: ENC[AES256_GCM,data:TagWplgUyhaEAuFpup0TRIxWXIEGwsG/V+gOo/pXSGor30B/BF7+wVozYTZ/iSN7OJJw8I7IZGvxvh0v01BGz1RQO6MEEpSj5A==,iv:TeXXYlhfae78cJFdZk0Nnm24sP43wi9UM80vHwKfXFU=,tag:lhae9Ona5OMlTBAJg3PiIA==,type:str]
-    #ENC[AES256_GCM,data:jmRMNpJLMqEo,iv:UOfzRSPDFsJ52sa2FVaQsVcU2P2bOYPzh4JLZ/8+hCg=,tag:8rCEYFELB2geXhfUjfZ18A==,type:comment]
-    gb: ENC[AES256_GCM,data:RneeGyzmdxCceKPzOHaTtS1l6NzuS07NYBxYrLICMLWHPog08FTINWEZx1JmqbAloVna3wE43kPPa9s1w3VbtPBhzRpTVZfUtA==,iv:1vu79FhPiWQ2/G5xzzBdyc790yv/aYKIQFPhaDpBmoA=,tag:vkpT1bDfVufBkDmOs7RomQ==,type:str]
-    #ENC[AES256_GCM,data:swW/4Fii+fHz,iv:9UZ8W6RY+n3XZkDCxSP/CQQn1Ji+mo2aqgmG9wTF/I4=,tag:2ifOyc0oGzM1iM3rouvvMw==,type:comment]
-    wp: ENC[AES256_GCM,data:/cIBL7orNYqu6Ybahdd1UVdTbS1SHr3GGb3ib4FDxPUlp/Xr4ARMX+01N6pOahVYwE8Hwp6nr4TdvwFpe2/AE6v2rbyclSzJgA==,iv:ZGwmAgwiC15K5NhajLCTiuW2mLT2gt0KUicDFmMY+JE=,tag:8rcoY6/weOkML90FyDfiSw==,type:str]
-    #ENC[AES256_GCM,data:6KbDgRf0Lmsh,iv:2vhLHgIzhCrdvQ7w6lCPKOmLlOVRJ5gJ+Pw5NSiMVVc=,tag:E6PwWCsUn3tZwV95zFbwhA==,type:comment]
-    hjp: ENC[AES256_GCM,data:0hzP2t4ck/0GVa2OoZxETCSQvp0QYN+0MJYl5aJ5hzSOXbwBPlTcIbjckpWDacx4iKGw+skhv1Nhz9lGrhgvddzqb/o1GWkKUw==,iv:OzKTIxDm+AgDAy4rP31kts0PKHuNqBZWc0Vsvh6X8CY=,tag:7Y/6qP+TJd1o0a96gKq5JQ==,type:str]
-    #ENC[AES256_GCM,data:PQmtt6/8T8Nm,iv:ZDUkaQts3hUQ1nncynoGw8gNV9jYvnXz9rOaqRC6yLE=,tag:jN8sUWnqoWbMlkLEqVKNkg==,type:comment]
-    zzn: ENC[AES256_GCM,data:YNB9leH/qgXpApA+bnsZiBlfbQSEiOoqhDgKCbwz33zPVc8KRShSS4kWEseiMlYLv7Kfbfy94cEKLOaWBjuRmMrODmC3HZ+rtQ==,iv:Ju02Sz0PHoBftz2W818hmXQ3J/fzLacWv+gy4eGXvjU=,tag:B6mvgWUclyHXgno07jhXQw==,type:str]
-    #ENC[AES256_GCM,data:UVi9/5NV0ySV,iv:E7ZZvvf6lNJdT4esykilJxhpTu7gqmu9w4w8rII/RSk=,tag:pnl3G0qt7ZzXlA9YWo7LiA==,type:comment]
-    GROUPIII-1: ENC[AES256_GCM,data:M4LHqgN/WYk9Nh7Pawft1tplh/FiADu6GoyImyLGBk8rbNNLT5AXuNYGj97tVYxI0Hwek+zhnmcjAWdDtmkVzE7TcD1WAZbkTA==,iv:GN/jHnEikITXkLRR/tXnhYiTE5bIDOg1d9DrYeASoY4=,tag:hkoAHHYX+q1topjXkRyK2g==,type:str]
-    #ENC[AES256_GCM,data:EVL/9hYcFl4F,iv:EZ8PMqklNEky0i940vwyQFXrgBoQRwwGDjBgRB18KGg=,tag:cnQzCU7XZ0EO6ojGaEk4Dg==,type:comment]
-    GROUPIII-2: ENC[AES256_GCM,data:7HOyyFtPjhxtvz3cG561aslZ1Ct+DmR290XOxz34sA/vyA+gjvHTWoIpKPGVzSU8vGfaLLV4ta/nOUsK/VfUj00ngwTdkEDkrg==,iv:rkDAE24gaE7MzOcIUX87oMyK6ra0Pt/vUNrIV9p7aFY=,tag:24NTkSu8Fd785uC2Lwr2XQ==,type:str]
-    #ENC[AES256_GCM,data:sa3uVs8+996Q,iv:eN3S4x/UROkZWV3U2pZpvULgoPdh42lM/Q+jZ13ohsk=,tag:IG0q/+ti4tthAejVp7MCPw==,type:comment]
-    GROUPIII-3: ENC[AES256_GCM,data:jfeQWLGUWK4xfgRtS9RjjN76D+JLqTF526SI0XeYnUXtCsKhJYE88hgVnn7m/Af9g1OCj08+UDsM8cyKOJj3+m6h+IZQzCS4bg==,iv:Syf3SYAFvOtfOy4PeA/PcYbuUnABk6f5A+OmZYtdwv8=,tag:cib1RuKxGffjB7R5GSxotA==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvaHcyMnpWRTAwRzJ0MTFi
-            elk3QXNqdXQ2MEttNXhBOGF1Vlk5cW12YTM4ClRkUm5zUUo5NjVrNnBlSFFPOVVR
-            V3VxVWZQQ0VvTm9KZ2Y1L3BpRkFDTjgKLS0tIDJadStsQ1Vya0FMa21Da3ZhUDVN
-            RVVTQXY2NkdzbVFLY1pYYTRLSGM5WDgKbFabN/iH2YDJaSXdm+7EebKS/As1zH43
-            HjUp2LHN85/WQEx3VheZRGJBwpNn/Tdunhm0yTdNA1jpzQnO9bIMXg==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1wj33xt8nj7rhnsenepsf6k3lmq5vk4wn84jwr55qy9cwu05xn5cspg3h7t
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1TTlxNWhMS0dJbkZRSWsv
-            MitoM1NicmJzbVJBZnhUbnlJejBWVzU1TmpnCkxrVEs2eEE5VnVDN0NNaFZ0b3M0
-            SXFmc2JxblAvN29Eb2ZrR1llZkp6cmMKLS0tIGdQMjNIRXY2UGIxdGk2Q2V1MXJO
-            R1BkT1hoSWo1RlJnU0pCdTFYbDFoZmMKKF7cND1jSo+neTTJ+GwW4T0RTOX9mbME
-            58wjAtkrKSD2vDFMQ/vtPNiohAt6RMdClLVm50yh7Oh961YmvJYnbA==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-09-29T06:38:35Z"
-    mac: ENC[AES256_GCM,data:UWDwXUfk4R9CfgU2gv1NZsusLq5+VTsvjGQNst99MuxLz4sox8CZuuYsDLB2dobKrJua107yqhbM8Ps42JJVHZEf3WHqP08tRbdIWNVoakYR6UJlNS3WZVR+LlheQI5PfJqPqa7VFgZeSVm7weIPCHqvHt+ak76oyJK1VsI0f+k=,iv:VL9s+LUA/TrOsJNQWC0/v0Yh+hT8uh2vitc9h1xHBEY=,tag:iA8yMpm+0ANAC+2BLN9Agw==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.9.0

devices/srv1/node1/secrets/munge.key

@@ -1,24 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:GHsftJ/b50XSTy3wCX/ms8iGhs7oQMrqw5R+7PxrjAm/VzcYJbAQjYButIeNYB2/r87IGKDEMAskowocqyuhamTZS9n6eElDBZrEoUXc9J/lZvXrNqBa2pDsR5a58X6Paj2kMn8Ke9M3vwHcgniEgZtC2h5u6VwbgPMZniqYT5w=,iv:KhGKrf0tXdLb0sWc6kB9lXjj9jOU+wsy76xGFRmwdz8=,tag:s+NBphi1n00GflKqujZcfA==,type:str]",
-	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
-		"age": [
-			{
-				"recipient": "age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPYWdxSzIrQzRaVnh3K292\nVGkwdWUxanpQbEllWlNvaHBoQ2VYR2pXcVZVCk14ZmxlK1pSWnpCZC8yaE84b1Ew\nNTJUTDErTUVxZzBqdGFORDc1TEo0REkKLS0tIFZJeFIvd3BDOGkwenMrWlAyVHdh\nTzRHNU02RWY4clJ4dk1IV3R4c0VTd2cKeX/tLKOnkbcAhkgCY+T4XWBgc7eUFecn\nfqd6Kxfg6P75OT6Z4ACKsHDGznGk8fYk+Ms67MSCGzr1HXaR14/eVQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1wj33xt8nj7rhnsenepsf6k3lmq5vk4wn84jwr55qy9cwu05xn5cspg3h7t",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxODlXSGpsYk5BZ1piSUhX\nUnlTQXpycmV3YlhLM01SMXZ2ZzFXWEU5MVNZCnVUNFRUTTVNaWVUZWY4dklFMmhW\nWUc1azJFNGJTZFVlRkdSZEd0eUozbk0KLS0tIDhUTFE3cHpFblZTa056R0lscHR4\nSXpoT2QrOU9mcDV2ZjR1bjV4cHZCdXMKyVyxBRY9oyhfj0ZMVRtjf8TT0qRJULwN\nosghj6bPqOFl3C9zBne1Xn/2mOj5lkMZP6MAMPtaW8nvsf/LkZx/Hg==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2024-09-16T03:08:59Z",
-		"mac": "ENC[AES256_GCM,data:SjmuJVeJsamHE7Yv5Lvoyjp0CysTo3K1nyJgPI7KKp21H8Xq59g9/zbth4pCdIMHyt43MNUXFkhYD/Ox9ySoDEi2pr7H2kM9fcFM0W/ObM/gm/lt5jTLzzS+OkKys+Yw/WA2nIStSNq7rAb/SKFbHvj1P9YBsJxlOnBzTW7uu8g=,iv:tNjnqRX1D+vY8w7RxZzo+HdfjK9pXJpB5MKnb7EyUXk=,tag:PuLU5zmUH14ZxuTUPIz20Q==,type:str]",
-		"pgp": null,
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.9.0"
-	}
-}

devices/srv1/node2/default.nix

@@ -4,7 +4,6 @@ inputs:
   {
     nixos =
     {
-      model.cluster.nodeType = "worker";
       system =
       {
         nixpkgs.march = "broadwell";
@@ -13,26 +12,15 @@ inputs:
           br0 = { ip = "192.168.1.12"; mask = 24; gateway = "192.168.1.1"; dns = "192.168.1.1"; };
           eno2 = { ip = "192.168.178.3"; mask = 24; };
         };
-        fileSystems.mount =
-        {
-          nfs."192.168.178.1:/home" = "/home";
-          btrfs."/dev/disk/by-partlabel/srv1-node2-nodatacow" =
-            { "/nix/nodatacow" = "/nix/nodatacow"; "/nix/backups" = "/nix/backups"; };
-        };
+        fileSystems.mount.btrfs."/dev/disk/by-partlabel/srv1-node2-nodatacow" =
+          { "/nix/nodatacow" = "/nix/nodatacow"; "/nix/backups" = "/nix/backups"; };
       };
       services =
       {
         xray.client.enable = true;
-        beesd.instances.root = { device = "/"; hashTableSizeMB = 256; threads = 4; };
+        beesd."/".threads = 4;
+        kvm.nodatacow = true;
       };
-      packages.packages._prebuildPackages =
-        [ inputs.topInputs.self.nixosConfigurations.srv1-node0.config.system.build.toplevel ];
-      virtualization.kvmHost = { enable = true; gui = true; };
-    };
-    specialisation.no-share-home.configuration =
-    {
-      nixos.system.fileSystems.mount.nfs = inputs.lib.mkForce null;
-      system.nixos.tags = [ "no-share-home" ];
     };
     boot.initrd.systemd.network.networks."10-eno2" = inputs.config.systemd.network.networks."10-eno2";
     # make slurm sub process to be able to communicate with the master

devices/srv1/node2/secrets.yaml

@@ -0,0 +1,32 @@
+xray-client:
+    uuid: ENC[AES256_GCM,data:U+unsiKt9vNo/EXEpLHR0Ny3DxQEwx7a40KmwZDZki7RQEuM,iv:7w90HNM5lfh2VY20AcUEVdu5X2uxqXxR0hARncmMR60=,tag:xIbKc+9SF5LP/tY/XoGYxA==,type:str]
+wireguard: ENC[AES256_GCM,data:xoIm26btEBuHjgcIrB8gRHAaEdBq3/E5XtoF0YPxnSHB7k3GWJfAxeL4vrw=,iv:HuOFNUgGROF97beF6C4amspd+NV/2uO6OihNMz23hSY=,tag:YJjFM8mqYOuJEulpVHt8FA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3WlJNWmp2VUxpcXR3NE92
+            TnNuLzg0SVZKdmt1cEVZU2FodXZPdmt6Rm5rClhrbDh3SzFlMU9LVFpEZDFLUGZZ
+            d2RBTVNCamNBWFVEVW9FMjYxcUE4Rm8KLS0tIHBwYjlMU2tnUTZweDBYcmZXUC9l
+            OWFUeE9xdldpTUQ3cDFENjU4YUVwSkUKp7yZGpvKMSm6rvsoPbcaqVznL3wzGEXB
+            OGzrmgY083Gyjb5P/0wPY0ShGMWfWQW6vGchoqVuwr4oHKT3APcrIg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age16e7ykphshal6qhwfvat698hl48s8yr0jvzh27ecdyfh5uk7t9u6s753jgy
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWRjBjdGFEMjR6QnQ0a3Nz
+            c2lmVWE0bFh3amRULytZOVhYS3dkL2JmRVhVClVQalh1WjJqcWcxT3ZXMWduN3Nl
+            UzdFNXNQUmtaaTVIVVFVYXkyZEFPUncKLS0tIExrTDA0OEJzQklQOHNJZzBJdzJP
+            MVU1UW9lWFJnSTE2aC9ZL0huYURUK3MK5U4cLWRMm+FFo8ATE/OoAcHzYHFMpOtV
+            Q5kbq5PDMdp4qvoM3T4kLsB34oU55HjFvac0pilOhNRrz4xRMQgvoQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-04-16T05:04:26Z"
+    mac: ENC[AES256_GCM,data:JlAgVoTpT6NRT1gvYQre6N8PzHLxbC9z1E42OM40Qs/nhcjYnsRNPiUEvSUClgx+B2G99S/b9R/wQqovBQFtdRDdlCMhz0ZVgLe48ak74EOYn6fwXy37amXP6doW86wS/N2fQeKhyMiJPHurRGamm+jsUUALohx6p1zm47NWL0c=,iv:oQV5be92oyOj0h6IrEY70VfoJYqEFVMtI0PYEALIXfo=,tag:WlH+fTUlPynhupXpBvdl+g==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2

devices/srv1/node2/secrets/default.yaml

@@ -1,52 +0,0 @@
-xray-client:
-    uuid: ENC[AES256_GCM,data:U+unsiKt9vNo/EXEpLHR0Ny3DxQEwx7a40KmwZDZki7RQEuM,iv:7w90HNM5lfh2VY20AcUEVdu5X2uxqXxR0hARncmMR60=,tag:xIbKc+9SF5LP/tY/XoGYxA==,type:str]
-users:
-    #ENC[AES256_GCM,data:bAA1+Mx9xsFr,iv:5GWh+DyuRydCKm8K1kaiTJIt4ReEugHFnKYfan6RAE4=,tag:VqcWjIMIYhkSj6f/ZclTVw==,type:comment]
-    xll: ENC[AES256_GCM,data:lqzwlETuKuKa2wh+ickMFiWyprcnIBfRBjri+NWoltxib/LWzEEbyetRc4AKyVaBiDhsOTw6MazPNy2mhcAFwb6pM+QKce5ntA==,iv:VaGQux8MJNPZeHwDpM+yJ47XvOul0qRE8xVdSWjYRhY=,tag:rBWdTPmJX9YsP0l1FtVbJw==,type:str]
-    #ENC[AES256_GCM,data:AgppEXaJcXhQ,iv:gI4nUzfy7w9yqaWlT1NYk1cHdErCJsrlilwYSGxxCdw=,tag:/A6zwbvQdhX9MLfAdXIVqw==,type:comment]
-    zem: ENC[AES256_GCM,data:t0rCwed8EzXbEuwTabzSLUd/Gln3YD9IT56JNVHwlodAvFYwtTDJe3cy7K17TmIkL1Nk/hAGzQ2BIZJxaKq7A5pSNIUO1zqMUQ==,iv:jSKCoNKQ5a91kK19w5mE0lJ9lh391ACq64UtLvJ4kLI=,tag:d6+IrgLyCw05vvLcCF5+yQ==,type:str]
-    #ENC[AES256_GCM,data:s39KO3hHcrOK,iv:ICtP2r9JMjcieHZdyHpj5Z1DympJUcHq2jPpjUwSOzM=,tag:Es3YS+mEg5I3SIujfs50jQ==,type:comment]
-    yjq: ENC[AES256_GCM,data:gOc59J2eiND+qJJRwLYvTymfrjWNRWw8IwLxDdS2cSu0yTN5SWF1eEg+tYmDqqhPmXkIlenL8VyIZD2P+Qi+Vi7l1pZMnneRCw==,iv:TsWOmHlClMgpXbNsCyvs+wkTvvKViAooA36+O4eQesk=,tag:jp5ZO9tlCPNTNZXWXCUEeg==,type:str]
-    #ENC[AES256_GCM,data:JmmZl+8nta5Q,iv:qWGS5i+ntmJ9x3HFClVdfypQKqSTUx827OFu/wxx3HQ=,tag:SzvgJtIQb1Z02GDwkAhveQ==,type:comment]
-    gb: ENC[AES256_GCM,data:pgwGyp/QC+h05grD345pJrJefm4NWd0e6mQEzrsqCbjMi9Ak2nUD+K09mIKQJ39NttC+NQZezRmKUJjDBH50s0O69nBlPOJtgA==,iv:ZLm6KUzD8fTq4YpxhdYjtp7bbDjP7Sy+0fnDO0W5GY0=,tag:H2mNHIQvHe+3YzZ9ITVdOg==,type:str]
-    #ENC[AES256_GCM,data:94hwxSaMkbIB,iv:4Xjukoo7rxeu4SWjwFeLo5fwSX6a8mpkTOIpnOnR/Io=,tag:XOjY6ziyDdMNo53NFSjcJQ==,type:comment]
-    wp: ENC[AES256_GCM,data:9/aVAQskZyQrfhVFVHfpdTWDLdoP2ZO7gG6bNcRpOJEBle3V9XqVSwmLViIIysy4XxoR3cym/7WXB96O3C8feK7sbihaRpT+Dg==,iv:WPnDArVKqV7u3EIQ0CMectK1W6gXKOo37oOybyob3As=,tag:1R/0qjRzif4/sTFSs55NuQ==,type:str]
-    #ENC[AES256_GCM,data:RluXnmnn8CAI,iv:OqzKfed5CARE/KKur0GXDpLBqStEva7YVoQMQX4+FnU=,tag:prOaqWk6ARxEKvnhOnCZhw==,type:comment]
-    hjp: ENC[AES256_GCM,data:Tb9vCi68B88UZc/ZVSxEI+esKOLlFcAPAaMk9FDmkBycZmzDjHfkUKCxVcOMtqeNSluVZ/5IFgowaYbk9ncK6yoYTjXjj1Z0lA==,iv:COs+ijt0h+UygyhWDQV23NRd/xBcfeqz6CO7D+xw7t8=,tag:RaIMaGrgHkidB9vqLR6cNw==,type:str]
-    #ENC[AES256_GCM,data:pymPvP+KjTd2,iv:g5tmBMQevuzES9FVlRten8Vzy5nvgamDNPo6Vy018T4=,tag:sMYZAyyAzEyS5CsAyC7xtw==,type:comment]
-    zzn: ENC[AES256_GCM,data:CJ8cOBjblYIc0GoiPnIbbWfYDfpQW5u31R9T/P0/aVuxi6P44wYYH0posVGthR1laqHIlu8bzgeRyTbBYir/Mw1AGokAnFLEPQ==,iv:dJXFcZ9f3xe3rcPzOLd6AMFh6EyJXlv3/+uR2x9XYsw=,tag:4I1WqtloUSXNeQ6AlVPY5g==,type:str]
-    #ENC[AES256_GCM,data:r1Rl1+lfgMad,iv:9RGwiYlePcXZFDxw5uc1yEwZ4N3lStmE1cGmsj5dPls=,tag:yGChsxZtIzDjMUgIkd+PdA==,type:comment]
-    GROUPIII-1: ENC[AES256_GCM,data:IIZpTdr5jpidbxYCQ+fODOHdoWI51upPI3yxYlrAAd+RE62t6PzAvHKFmKPivbHmQS5RZrJXE7zm9JtwiodRmPl0pYLxYNBpFQ==,iv:WQc1pOungm1gEqYPk/MITbjs1l83ikcys47CARRgoFk=,tag:sS2mXDIWl32ZZzDtictv9g==,type:str]
-    #ENC[AES256_GCM,data:VtrWQKVtCHtA,iv:ap/n2HxQ7dgKOA8rIfenv9LOwwAh1na8+I9O/k/wMxs=,tag:Vl03ortuZ5OS2qcBMnc59g==,type:comment]
-    GROUPIII-2: ENC[AES256_GCM,data:fkxYmHEQnCjx/srKBgjreIR0S7mcXyl1h3H80PFsH3A/yCGnJbFCGK1GW1++Q+tziOnEWCTLZ/l9dlPuB5BFSK7iHiVXtkOfVQ==,iv:z6duWl+LFpS5RJnCGxb3yvgHp96uJYoSsAThWrbGYfg=,tag:AKWisEg506eOgdp/4tLU7g==,type:str]
-    #ENC[AES256_GCM,data:e8HuWaLrvHx5,iv:ZKvfRQtOMV6v3MSCDVoPEsxldI+ZRYJBwrKAD8YZzPc=,tag:tPL3IyjC8f+S+6MoMJSd0A==,type:comment]
-    GROUPIII-3: ENC[AES256_GCM,data:if1S/3AxNLkWvDQJom+4EPRBOpkAPNTkEcqHHLAuEJATSNLlIhVLOPgt10cM4LWx2TdG8V2TcZip9qnr4ABHMsPF5vm6Y53r9Q==,iv:Rba0So8DXJrSC88mjwT8j2AVy84TPm0R6AVf2ZmXNBg=,tag:qiSeYLrw/6QJ7vMiPEZ66A==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3WlJNWmp2VUxpcXR3NE92
-            TnNuLzg0SVZKdmt1cEVZU2FodXZPdmt6Rm5rClhrbDh3SzFlMU9LVFpEZDFLUGZZ
-            d2RBTVNCamNBWFVEVW9FMjYxcUE4Rm8KLS0tIHBwYjlMU2tnUTZweDBYcmZXUC9l
-            OWFUeE9xdldpTUQ3cDFENjU4YUVwSkUKp7yZGpvKMSm6rvsoPbcaqVznL3wzGEXB
-            OGzrmgY083Gyjb5P/0wPY0ShGMWfWQW6vGchoqVuwr4oHKT3APcrIg==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age16e7ykphshal6qhwfvat698hl48s8yr0jvzh27ecdyfh5uk7t9u6s753jgy
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWRjBjdGFEMjR6QnQ0a3Nz
-            c2lmVWE0bFh3amRULytZOVhYS3dkL2JmRVhVClVQalh1WjJqcWcxT3ZXMWduN3Nl
-            UzdFNXNQUmtaaTVIVVFVYXkyZEFPUncKLS0tIExrTDA0OEJzQklQOHNJZzBJdzJP
-            MVU1UW9lWFJnSTE2aC9ZL0huYURUK3MK5U4cLWRMm+FFo8ATE/OoAcHzYHFMpOtV
-            Q5kbq5PDMdp4qvoM3T4kLsB34oU55HjFvac0pilOhNRrz4xRMQgvoQ==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-09-29T06:38:42Z"
-    mac: ENC[AES256_GCM,data:tb6UXalJcNqd1bCJ4pdWQ5lctAXMrwAJsGagNIjtAklVx/0vibEBTvtVdI3CSNA3OuDguyXc/ECGEqlPNpoRq/F5JINfnirEbaBL6KhNkFxaSLVP7mu1u0KH93qhzA2j4jofderpxj+FvOOMVZNuZkrcSPDoufPA/ypY+YaKuu8=,iv:KPyXi7AD6FSmoZKYUDh2zLZnArvdcHau5XZHk8CbwI4=,tag:7T1jUJ7eNkY9VYt2eP+brg==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.9.0

devices/srv1/node2/secrets/munge.key

@@ -1,24 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:04fSLZEkne1LqLZNYpy1tFlKTVUgQNuX9L3cL66FVHD+LqGAyWJGlAnduY+fQMZdDhbBdeEnJKXjyQ2jdDCttuqbPRiJQChtD7ztf+oiP877N143iSY2G245aCjIrAzmFORkGZaQT7nD5oxgCPiLqJzkNPzgjN4HIDsVoYz6jtw=,iv:gTbiJmdXN/62/t53ddfDrYlNLe3AoujT4G03eFQXyZs=,tag:eAYfhXPERqsVKFSkcm+Abw==,type:str]",
-	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
-		"age": [
-			{
-				"recipient": "age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBb3JtVi92M2JUc3dKVzRt\na1kzNU8ycE1LTmdVZVNFNDNJZmpsTEdCK3hZCjNXajNpcGxXMDJxRjhPMmhFd2la\nZy8xUFZNZXhiVHFtbG9xVmJ3Q2d0NE0KLS0tIDlNWEJqcSsvQTFzc2FxL2F2bVVs\neS9UenMrYXNKbGJVTnZzN3VscWlrRk0K24RHbcTz56GV6AbQt7Yy9+1NClMpQFtk\nf/NO2RYuS0ciHwkJQEw7M48iJuwTSiv1pflXXkNvkl6/I7wPgS/eXw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age16e7ykphshal6qhwfvat698hl48s8yr0jvzh27ecdyfh5uk7t9u6s753jgy",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxSjFQbWd4SUhoOExTdnFk\nd3dVVytZaDAyc1F2eUowdmY0azFKbWJ2Z2pZCnhYQWJtVXVjTTRvTlI4SlVyVHh1\nZlBZTlFheVNKdzN5a0RHM3RkTDhzQncKLS0tIFlpbjRUSzdzS3ZuMW8welNRODdR\nWis0ajQrdUNqVWcwMWF4bVlUaWsrc00KfL/zF2RiAanljrNhRT99i2jPvLySMWXx\nEyzYRuTH8ZGXsX4T2VAPjreBt1ahJ/EgBWmCLibEVK62zWfdquAZKg==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2024-09-20T05:31:41Z",
-		"mac": "ENC[AES256_GCM,data:7kp2KNU4O1yuBdu7cxzg8BytPWiP8hQ0/mWVKPPn4BXjFleyo8KzLC3XZn9Ovt2fHWiF/4hMreOPIDW1W+8n/DedLa2G+zkHiQDVBCyiLJ+FCELvNPdDwR37RvOJ0Oo3RtQaSK2xBhNwS2Qs1G7DemEGFrWXrZ/SeCG5H6bI4X4=,iv:zGG9jcC3McICjeYZd1aGud+VaUhLXg3J/demAqM4vUM=,tag:RINzMA36WfaTRuEy0cTQKQ==,type:str]",
-		"pgp": null,
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.9.0"
-	}
-}

devices/srv1/node3/default.nix

@@ -1,28 +0,0 @@
-inputs:
-{
-  config =
-  {
-    nixos =
-    {
-      model.cluster.nodeType = "worker";
-      system =
-      {
-        nixpkgs.march = "broadwell";
-        networking.static.eno2 =
-          { ip = "192.168.178.4"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; };
-        fileSystems.mount.nfs."192.168.178.1:/home" = "/home";
-      };
-      services.beesd.instances.root = { device = "/"; hashTableSizeMB = 256; threads = 4; };
-      packages.packages._prebuildPackages =
-        [ inputs.topInputs.self.nixosConfigurations.srv1-node0.config.system.build.toplevel ];
-    };
-    specialisation.no-share-home.configuration =
-    {
-      nixos.system.fileSystems.mount.nfs = inputs.lib.mkForce null;
-      system.nixos.tags = [ "no-share-home" ];
-    };
-    boot.initrd.systemd.network.networks."10-eno2" = inputs.config.systemd.network.networks."10-eno2";
-    # make slurm sub process to be able to communicate with the master
-    networking.firewall.trustedInterfaces = [ "eno2" ];
-  };
-}

devices/srv1/node3/secrets/default.yaml

@@ -1,50 +0,0 @@
-users:
-    #ENC[AES256_GCM,data:uBjvj5Y6SIk8,iv:WxYu6Xkh2T7kb3uLqgkJJtHvCmWyvntcGfCKJfSfSmo=,tag:ueHbPNX3KOVO9RdQnw/nog==,type:comment]
-    xll: ENC[AES256_GCM,data:Cp2wBFygUBlZnf0oAAxB5L8/qD/LwKksp0YG4Ic7nay8E8kXJGSYDyTK5AdeVh8/MxLgVVY6LMWtUOzFe3WU1u71pgBGF4x+yw==,iv:wXfcHuJzqWmm++vysZW3z4TLEOkgWTUF/pqFDfgwny8=,tag:k9o2yp1AksTGOgREOLlprQ==,type:str]
-    #ENC[AES256_GCM,data:4CsCDEg/UChs,iv:ENErjaF65B1dCuD56/DCqe37WSCu1q28s2khMyF7I8E=,tag:q9mxHCAsuDGygseYU0pRDg==,type:comment]
-    zem: ENC[AES256_GCM,data:cPDlicY4vrQ5VTyfCVN0zH5EIV8kH2xqlFEUkmwO3TmKV69Qx0nE+6yiUhENKR72zY3p5w4ZFEtF7maqqklWvThkeSs059aFpA==,iv:g+nASIzOUZuyX5MCFcKOJKsKTQhcpSY4sIKArlVZh8o=,tag:WaAYcxHmFs6/EG3oy56xJA==,type:str]
-    #ENC[AES256_GCM,data:fu6KBkGEtzD/,iv:OzClxptcUbrbgmYYoQYcInG5Tl6HrjSRVrt3iIaSrqI=,tag:kc+AxJ7UI45j6eW69CiBkA==,type:comment]
-    yjq: ENC[AES256_GCM,data:QGpjtIrtio3Jc4kGam5cjqCHZJl2c0wWQAD8BXXhiWfwbQF+sQSTk2V3FbvOlHjqcT92ab8qWCCFjIqBH4DJUq+z/eleX6Y4wQ==,iv:aky2Q2kpEf2EhcR9UXIAyf+BSW9CIZCGbyZCp0l3X4c=,tag:RHLILdrK3duFA2iZDDigEw==,type:str]
-    #ENC[AES256_GCM,data:YUQ73+HZk69O,iv:wY5da+RRnPpXOD5+HdKkyYZ04ZpB3NBtRjRq5Utzlvw=,tag:BE8MhvbxTkn3rG4Pe/zitw==,type:comment]
-    gb: ENC[AES256_GCM,data:AkPFt/GGyeKdYtY/cW774Yi4rrxhTFRzXe/hf0rbwFESwf4pwgfdcr9e3bp6mfmNy86CCDMsUVPtg49q+DV+9CwHU1ETe1vIbg==,iv:L/kLfEjt3WEQmgAXjOAsnE2Sp45DQP9LLKcZe1FjnVs=,tag:HluImuMHEhiE8yAw3fjNQg==,type:str]
-    #ENC[AES256_GCM,data:WCkGncBugE2H,iv:ZN3edJuEDKrHo9OZs0jbU1ATI5+WpfVul5i7SK51ME0=,tag:rgxwqwPJcdDNMnRFlxNplA==,type:comment]
-    wp: ENC[AES256_GCM,data:n7S4got9Q/7s7rZQldnB1wJlB36uqjremc1UDeUmzs6I9Gp9YPj7dJBDAHBNzWruo83ciP6PygHcCmHzBojISgW/HdD5j9cgJw==,iv:ymjB5YWxJJXBA80a2MPYHXBV+bNxUhroPWu+1GJo4XY=,tag:GGVz7kzBrSomBityyZBdvg==,type:str]
-    #ENC[AES256_GCM,data:2aKW2wBhF2oG,iv:wXRX5ZAr5O0c/H1WvzK1+kG1NbZU92h89NgXB8lHfMk=,tag:gAW2oQxz2dUthyNvMlmxcA==,type:comment]
-    hjp: ENC[AES256_GCM,data:+9MKYP96nBdLFVcTkpSS/hiTLdTOf5+Rs3dpUus/ym7gl2+aA2rGtlGS+ozALeUV1seNlVAuyhclZG2dH9uhaudlQvQw5ntAzQ==,iv:eobXw5ahEl9I2HlXD+y3NtGFOlPulk+aKVFxuCRe2+g=,tag:zt6MveyltO2xxThG9grZqQ==,type:str]
-    #ENC[AES256_GCM,data:WLU7JBd7ZNES,iv:GkmmM1n0Squ0rundsz4Q+1dkF9BcCaV1hID8bt/gmxI=,tag:MMukyZlOeE0CcnI51VYPWg==,type:comment]
-    zzn: ENC[AES256_GCM,data:5uNrzv43K/TQlGDldxqUYscDoEduTJdRz0jgd5dBh3N3bMNHulZbD95IVAj87OkLgdOtlDPZz3DfB5oxKBVcV0XE/E7GwJKILg==,iv:SB/uOB1SdhC5zGCY/OzBRY6wgGQLwKYuFgekxZpX1Y4=,tag:ckOxmdXvhQjGMPssoLeMPQ==,type:str]
-    #ENC[AES256_GCM,data:xLPmYdIcIUz7,iv:NqaKJJgyMwfVfAYgEAMHXo1qLYfyOHhIcV++lseKcNQ=,tag:qXDuROf4A9T2H61KtrQUpQ==,type:comment]
-    GROUPIII-1: ENC[AES256_GCM,data:izqFF2JD0ZEeNlqrQ9sJcEcrnp/WmyJL46jszmR4fLwrFGcMoekSfOTkzjO8upogY5fIDsn02dwh4mLX74vA8DjeRTaDKZyyfw==,iv:lknYrGgDFQen2w8mtLNHewQXara1ikWvGdvVA8a6Fyg=,tag:EiiMBUhF6YOafD7MCIMA5A==,type:str]
-    #ENC[AES256_GCM,data:Zt6KCQ3chnLi,iv:RpMBGf2zDVWN13PpTr0Zj18ORdIZT2u34BestCjyLsU=,tag:aBuN2QGhxgnOXPC1NOoROQ==,type:comment]
-    GROUPIII-2: ENC[AES256_GCM,data:fAczfnHue47oHJm/8Hcu8iC+scxUQRNZlJWSCFnmtn8PzbOtPXGVLYaZJs3SRE0F7yYsOUZlHnEPaK5bFjCHioindbS0oimBfQ==,iv:F14TVM+UxXm0UbAgLmQpkI4v+jhQ84a4G8IuWRw1k/o=,tag:R+r0be31nLC0T6Isl9/sdA==,type:str]
-    #ENC[AES256_GCM,data:xccChTyxO80R,iv:tSxhbmVwhwD1IbXRNglS+WWMXfzUDaoJfCNqfKWqVko=,tag:XrFTahck6EKRf79NNeMRfg==,type:comment]
-    GROUPIII-3: ENC[AES256_GCM,data:LQAAYOKBVKRsVfwRJOr4jBCqnHKG60euQMngfuI82Dewwtnt4fKZ/iDg6otJIXwdMdiYI4ytr573GaAPyadt/UdDv+EqrLQ3qA==,iv:dD7djoiEBjrZCQCKkjzsVD+IK7T9sL02zxRG3b1uwQ8=,tag:sqJ0Q665aXVnPHWlTS0Rag==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyQy8reUxHUm5leVk4dzhx
-            L0h2ZVVONnlEWlBXWlhKa082aXJGRlhIaUhZCkQxSFV3SHcyQjNCN3NyK3h0V1hN
-            SHVZYXJjenlPR2lrL1J0ZkpoTlQ3S1kKLS0tIEZPU2c4VHpzdEwzWTVTUk9OdDFI
-            em9JMjA0VFk3Q0NKSWt4YllkWHpYNWMKJxCl3tXFHSUfawt8pB21WLKvUWwTn+Jl
-            gz52soH0P/k7bg6Lx4gs5WywIIIOWnHg7p0BJS9BCmFWvXR442c2XQ==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1lee0kl24f0ntss6m69zu2s2e7njdpkv9nl7rlf4nn7rvv0mlgvfqrte2y5
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIaG1ZdERieVMzM2JjY3Zt
-            KzRTVCt6eVRsSmJXT3FKL0pSVHF0L25SSGlRCkg5bGVHcEhBam56bHdBcUZHRWF0
-            ODVkamc0RlJxNk5hRjMzTVRkYVNsam8KLS0tICsrTXdGMzZ2UmE1VmNyK3pwME1u
-            bHQzK1EvVEhvZFI5MjVxL0Q5UVZYdGsKJl2M3eOB0lRyu2VO1qDjW1pNJ9HhwAS6
-            g5yOa2fxLJn4bvmQAJYeNJ1Wi6sYaBvkbeOegjaKjW4ZvwhP5kWqRA==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-09-29T06:38:50Z"
-    mac: ENC[AES256_GCM,data:pQDphBruG5s5trIOY1fvcCAnLDx+NcVJ6cEP48u92JRnM5cojYXbiFt6Mlq+bYLxkXb2PoKMBoohRbsNdYLRgz3BGAY//Kc5OHGWzi7r9t4/iuhcouZsV/6wHGnrJ0yECS2+LPkT+/JXnYv1ZJTpUR0TSmTvnCgJI6xpWt8HDSA=,iv:Oyn7UESWVDqh3kDFAX3opbC/XEYOa1s3wmGolc1uhTM=,tag:aasXTc9+bgLgCaLDNfbJGA==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.9.0

devices/srv1/node3/secrets/munge.key

@@ -1,24 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:9uBZv+GmpEqEbpE1E4szW3EPA6AJPUprWMQs2XwXq/VfrOfVG+Dz6PsAfPgOgii9KMPZb+358lfdhXbKF2cjflMw9Iz1wc2eU8vrbbU7toisLnuYBm2676wKzatQVbL0SHvlyScVIEwNphTJdIPJuMD0JrFMfDV7J/jdgwdpPRE=,iv:fk1YA7IXX/9/jU9jqAg4YrFZrprm9zoBw5avnKtvBnw=,tag:rfsCsir2C4UsUTgfvbRCVg==,type:str]",
-	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
-		"age": [
-			{
-				"recipient": "age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzRm9wakd5Z2cwblM4a3c3\nVURGS3prTHJ5R1RzOGpXaXFOcFlNWGJCTGtjCmt3Q2M1Z0FaTGRscDlOamI2L2Yy\nQUlaNWJMcHdEVVIzMzdYVXdVZVpHd3MKLS0tIGlscllCSnJCS1JDNEVXWXhJVUNa\naFlPSU9lZnpPbFY3VkI3NkNtVlNTWHcKfRcjJroaUVDePl+mg22NndJfFciAuolg\nsOEaEZCH/cIJg0XTXfM18ZRUl4IuMmR3D2L4KAhzbfADNmC81mpMLw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1lee0kl24f0ntss6m69zu2s2e7njdpkv9nl7rlf4nn7rvv0mlgvfqrte2y5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZeDBPMWZnRXRPbkRXQVpm\nL0pwWDE4blRuYUV6QVJyOHBITUJjU1ViR25rCjRJTmF0MDhjNEhFQVNHZ3M4QUJ4\nQ05DbTlVbjhMMDhTdGlZN01tRUxOZE0KLS0tIEExMXZTSzJjeEdqcHBNWjhGSFIx\nQmJaSHh4dHdUTjRmWUZIUFdmVkI3YncKvCunmgurC7YO0Y5FssulaJ/VDvuiR5Y+\nOxfMe34ilsF+k8bTBAuYLlDCl8uQ14cPiOLAhAw1vdFgs9o8cs9MUg==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2024-09-20T06:03:27Z",
-		"mac": "ENC[AES256_GCM,data:sEMEYJDZhhza1HvtmQ9maK9gXgBNfNGDhvSySoz/GuiTrs2Hhae/YI+o6DvYHPDUoOJGVwLjHVhfoIYw9CvoCZNm8Gn3fUSeP372x2kRAjFJYJ56qovU5hz7H/m1Mm9CQ38PvnsWMgc+dB1q0h01g4x7/URfjJDlU+Rq4n3f6B4=,iv:v/P0xSTBjGrmhzeAiS0eaQ4Y7pls9xCKPq9gysLuINY=,tag:SsCPc1av/pGpZS5AqzJdxA==,type:str]",
-		"pgp": null,
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.9.0"
-	}
-}

devices/srv1/secrets/munge.key

@@ -0,0 +1,32 @@
+{
+	"data": "ENC[AES256_GCM,data:ul1xMmQ5FZVIKct4KbgnTStsT5cH3sRvmaApZez4WZ36zF3q3M4o0dcwuWXxl9Ay8+Kd1zzUCZy26FRj85IwAel6POkmIlXl51Awou3iWuGBqUlS6IL9MIERMR6lTlisOK2l2PJ7IJBichFwwDrxImnt06B68Z7JWOyrLMfQhwg=,iv:nHePsGpRWMj4CdZ8wxr4xCJAcSndHsRju+AMyK54vNw=,tag:+CC0EJbTmIjRijr1SZpF3g==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2c0lOZnZXY0ljWCs2aFoz\ncHVQNVJJK3loVEI1amIzYWU3YUJjbWtUa0I0CmJnaUhhT2pEeG1ySGxHOU1LMk5z\nak9RNkxXRkxBelVTYks1TXJuazNjRVEKLS0tIE9JbktPcGFvYWk2NWV1K2J1SXhT\nQVpubWhsUTJ4SWNXTFNvRjQ3aE1kUFEKeuatL0NX6KbvZL3hafjbNPeBFDFBxSOv\no6Jvm9s4/Lp5m6YRVcQyInAoycC+O7GYwfCKVbPNMAamOhDraIoE4w==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1nzetyehldf3gl6pr6mu5d2cv387p8wjqn6wfpll7a3sl8us6n38s0ds633",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLOEFXV01sRXM5bTc2TGdE\nMWZraktqOUpTSWk0Vk1KNUdqNnVVNWptZkJJCktYMk5jL2ExTTMyY2NOUXdybUNi\nZ2hhTlBtaVZlZ3BDd0xBWTRoKzBJbmcKLS0tIEQyQlByNmtxdUFuQVZ6N3I3Rjdk\ndW1ldlIrZ0lxenZPMVNBcFJDMDM5QncK7p/F1Usnp2OQZ0Mp+cpQBY+ELu5n3UrD\nZN14dzPqnPpoC5nKOzGp7veg8ssH5VCX0xxI8ZJCihKwyJG/FP3pBQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1wj33xt8nj7rhnsenepsf6k3lmq5vk4wn84jwr55qy9cwu05xn5cspg3h7t",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpeDhuTkJFclM3dS9wV3Nz\naFdrVS9KSENEMklhdVgxcFpEU2N2ZWVKL0VFCmFVSHhybW9YNU5HVHliL1VVcmNk\nWHpsQTFGMWYvc1loNGVGUm54K0VwYzAKLS0tIEhYOE9nMnk2OFl2dFZRWlNTVTZt\nM2VBaGpTMSs5bzJwMHdJREV5ZzVzbGsKu0al3a6aJ40GbcCH4tF0Va6XgNxXOZmM\n7HXqH6s25dqbKTa8iNpGeaJhjRBzkyLjq1uRtQ9X4vXg9RuRhNYPxQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age16e7ykphshal6qhwfvat698hl48s8yr0jvzh27ecdyfh5uk7t9u6s753jgy",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOaHJ6U0hlZGVkWHptby9T\nVk1ONHovUTZKZUFZaW9XZVVoRk9UVWMxUldRCkNacG5FelBQbVZCbWhvSkx2TFJi\nZmd1VXFRODZNWmlGT1hJcUszbTM1Y1kKLS0tIElXRzRsTldKbTV1ZlZLNUJhVWdn\ndnRTMnc0cHpKaC82Z05VYlJ3a3luTm8KNBEKH7yeyzSyCh5D6YYc3Oayie6xDWEl\nyJVZHVmk87fzDtmVSP07KbiWeGur9epHCEjA0et/76+RXObIQQ6XGQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-09-15T11:11:36Z",
+		"mac": "ENC[AES256_GCM,data:bV7T1HfvM2n8+Vus9oDO5yoWDGtWYOd6d/zJ86/sXB4psg7aXVNedYSn+98SJdpYKHRcSuMJ9D4h62nAawERB6u8EmW8kxh8fuVLb6tj+9fWF1iVqinL4LE3916+XzMqGzGVZZEXaVtPHqOue/D1sYtBrBCOEMMyq0cmLFY2JrE=,iv:eSrtmJLARmwuAQ1//x4XqCKDZybJmMtyefWyLPk+1j0=,tag:M5W+vO4RjVwS18C9wTIe2w==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.0"
+	}
+}

devices/srv2/default.nix

@@ -0,0 +1,86 @@
+inputs:
+{
+  config =
+  {
+    nixos =
+    {
+      model.type = "server";
+      system =
+      {
+        fileSystems =
+        {
+          mount = let inherit (inputs.config.nixos.model.cluster) clusterName nodeName; in
+          {
+            vfat."/dev/disk/by-partlabel/${clusterName}-${nodeName}-boot" = "/boot";
+            btrfs."/dev/disk/by-partlabel/${clusterName}-${nodeName}-root1" =
+              { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
+            nfs."${inputs.topInputs.self.config.dns."chn.moe".getAddress "wg1.pc"}:/" =
+              { mountPoint = "/nix/pc"; hard = false; };
+          };
+          swap = [ "/nix/swap/swap" ];
+          rollingRootfs = {};
+        };
+        nixpkgs.cuda.capabilities =
+        [
+          # p5000 p400
+          "6.1"
+          # 2080 Ti
+          "7.5"
+          # 3090
+          "8.6"
+          # 4090
+          "8.9"
+        ];
+      };
+      hardware.gpu = { type = "nvidia"; nvidia.open = false; };
+      services =
+      {
+        sshd = { passwordAuthentication = true; groupBanner = true; };
+        slurm =
+        {
+          enable = true;
+          master = "srv2-node0";
+          node =
+          {
+            srv2-node0 =
+            {
+              name = "n0"; address = "192.168.178.1";
+              cpu = { sockets = 2; cores = 22; threads = 2; };
+              memoryGB = 240;
+              gpus."4090" = 1;
+            };
+            srv2-node1 =
+            {
+              name = "n1"; address = "192.168.178.2";
+              cpu = { sockets = 2; cores = 8; threads = 2; };
+              memoryGB = 80;
+              gpus = { "3090" = 1; "4090" = 1; };
+            };
+          };
+          partitions =
+          {
+            all = [ "srv2-node0" "srv2-node1" ];
+            n0 = [ "srv2-node0" ];
+            n1 = [ "srv2-node1" ];
+          };
+          defaultPartition = "all";
+          tui =
+          {
+            cpuQueues =
+            [
+              { name = "n0"; mpiThreads = 8; openmpThreads = 5; memoryGB = 216; allocateCpus = 43; }
+              { name = "n1"; mpiThreads = 4; openmpThreads = 3; memoryGB = 32; allocateCpus = 12; }
+            ];
+            gpuQueues =
+            [
+              { name = "all"; gpuIds = [ "4090" "3090" ]; }
+              { name = "n0"; gpuIds = [ "4090" ]; }
+              { name = "n1"; gpuIds = [ "3090" "4090" ]; }
+            ];
+          };
+        };
+      };
+      user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" "lly" "yxf" "hss" "zzn" ];
+    };
+  };
+}

devices/srv2/node0/default.nix

@@ -0,0 +1,38 @@
+inputs:
+{
+  config =
+  {
+    nixos =
+    {
+      model.cluster.nodeType = "master";
+      hardware.cpus = [ "intel" ];
+      system =
+      {
+        nixpkgs.march = "skylake";
+        networking =
+        {
+          static.eno2 = { ip = "192.168.178.1"; mask = 24; };
+          wireless = [ "457的5G" ];
+        };
+      };
+      services =
+      {
+        xray.client =
+        {
+          enable = true;
+          dnsmasq = { extraInterfaces = [ "eno2" ]; hosts."hpc.xmu.edu.cn" = "121.192.191.11"; };
+        };
+        beesd."/" = { hashTableSizeMB = 16 * 128; loadAverage = 8; };
+        xrdp = { enable = true; hostname = [ "srv2.chn.moe" ]; };
+        samba = { hostsAllowed = ""; shares = { home.path = "/home"; root.path = "/"; }; };
+        groupshare = {};
+        hpcstat = {};
+        ollama = {};
+      };
+    };
+    # allow other machine access network by this machine
+    systemd.network.networks."10-eno2".networkConfig.IPMasquerade = "both";
+    # without this, tproxy does not work
+    networking.firewall.trustedInterfaces = [ "eno2" ];
+  };
+}

devices/srv2/node0/secrets.yaml

@@ -0,0 +1,39 @@
+xray-client:
+    uuid: ENC[AES256_GCM,data:j2R0UtfS/es2A+Ic+Kq6FZJSqXlA/Q8tGkuAIX0ZdTsV4hGk,iv:Ovpr49isIJRdUyM3jxgiT+9Sc+qTF6ZnkKUwxIq6KUs=,tag:2VRSkiPNWaOmCqLJti8Bzw==,type:str]
+wireguard: ENC[AES256_GCM,data:TEi3LAZA0BaPxeXA1yFMD6fQPRKSndVyAzNycCD/5CYXmNVyO7zv4o23ahg=,iv:tEKFPyuqmpsWf0vDoSaw4Ai6S5DzacZFA4otNgnknxY=,tag:qZJzr/Yyoex2hDfVtT6nYA==,type:str]
+mariadb:
+    slurm: ENC[AES256_GCM,data:9wLQ1zF/kDaiw0s3UaRpiHgmngU7u6hwyqpddSjev0+Z0v58Q2oiJtK8vn+2VlSxx5ACfqEFbzp0PZYAxd575w==,iv:q9JTkgDymOwkbZ/PaxRAAQrtO96QmGgZcQuLTFCMoS4=,tag:dwOHlOTgZqT/1jQ+oGf7UQ==,type:str]
+hpcstat:
+    key: ENC[AES256_GCM,data:+Z7MRDkLLdUqDwMrkafFKkBjeCkw+zgRoAoiVEwrr+LY0uMeW8nNYoaYrfz6Ig8CMCDgX3n/DMb0ibUeN32j3HShQIStbtUxRPGpQMyH+ealbvgskGriTFpST4VPyQxNACkUpq/e+sh2CmLbKkSxhamkjKOXwsfqrBlgVbEkp7u7HkWGuAaYL1oPGt0Q94fWXwH0UVhRYZYQ2iFA/S6SEZY8gxaTIGDKUdWU9+fOHzPQ5WfhxtKYU4p4ydyfYsAt6ffqnPSx/SI72GsUCOJ4981JX8TuvnEzx3gQLVFYheK6NibTWCy6eODbvguieVOTHSvCPTrHmoP12lHVWU2kKzLwv70Jl7sXyzKHYROG0D+/z/4DKlNeotKM/IA0q2cST08/lwSKN7WDDmrt+O6xXhvwby28ZYKEsSvvrfV+VIKzHPl84ZKbUEX5xv/GHc3THfznUvKKz5PzDiqrkjCkEt5PRMsVW9A6MU1+QEUr+sXLLtcUd2CCL87c8CpwNHJx1us6vJ4ji1gu0PGoT+60,iv:yU6j9W2Hs2D34uHMJqqPFbNy2pNEZY2kzXoNdhPMSmA=,tag:TNvEfMVrhu7HrNxY8qe5mg==,type:str]
+wireless:
+    #ENC[AES256_GCM,data:xrg3Wxj/ghbWgg==,iv:6stu7voI5no2Y3YmnMrvTS8hev3eqjoWAyD5zTgyehc=,tag:cxkS7y7S1oM+/SJmlT10fw==,type:comment]
+    457的5G: ENC[AES256_GCM,data:QjHlyGU4JIYymyh41T+c33T3EOpbqDOoD3U+v6/BzjlWLLeZQXU2hwPCVh4fi2bwn7yNkp4ygAYmFPVPZWoT1A==,iv:Tc6Guzsn5hkjWH6UWSb1KlfWCBXIi2OWdn/wttmCXnQ=,tag:FhyH6JmjSTuqSeFy+GyQhg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0Rmc2Ull1WFB4Smh3c0Zl
+            emlTNGJKZkpIK2JFeUNVeUcrR2FzRXRQZHlvCkhzMHpzYmZRZ0M0cXdRVi8wZmp6
+            ZDRZQ2FkOWt6M0lrdjBHa3VTWXBDKzgKLS0tIGtJbTRRelg1VVk2QStwdzlFM1g4
+            M1JOd1g3cVdjUFRhZ0FxcWphZXZJbkkKFXDtJVoi+qIrXp6cznevuZ+peBiRRITP
+            rrplqLiYsNIGKmKYtRIUu8WXDZ2q2CJ8Z+pka3W3H/U+m957hBDWyw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1l4stuz0vr7gs7pqwjrmezam44702jp2vmqaqyxw0l0r42kf9updq4dfhrw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsSHdka3FPQUYrcXQzcTFo
+            a000TUllT0MvUzk5ZzVFbXZheG9ZVTM2S253CkE5VW9tQktvL2pMWFoxcnFjTGpr
+            Z0p1RjZWRGpSZ01TdTZRcEJXM2NOUkUKLS0tIC9rNmNzWitMdEd5dXQvdWlELzhM
+            M0xoL1dQR0kvMWpzN0RMNWVCTFQxNFUKj9LPjBo5NGOrGYNvu8qZ13PLYjLEWllU
+            LARzEn4XgkeHckouwvxZYMCx7WxmAruRWaOvnxTIczzSNP7wIrqnkA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-04-10T10:44:43Z"
+    mac: ENC[AES256_GCM,data:6EeWT8IiCGyRdR/9WDoTTM8bBuhzf2LtP1kahCgfvFpU6g5HB+qG5O0eXaL0DMKg7OQJKHIS/wZVaEierVwno0CnP1WR7y9l6Rlab2nVG4YCNkEkwqZgIWFOUi0aZrZQc7WC3rUk1gxiJK38nEa4ebk8oqAbyHyKHsFAeUcMbqA=,iv:oqRLvYsXct+OwcymXslEH4o03vLNeV2eU/4zK8R+gKs=,tag:0d1DYjCGRewUd4aHPIpFSw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2

devices/srv2/node1/default.nix

@@ -0,0 +1,21 @@
+inputs:
+{
+  config =
+  {
+    nixos =
+    {
+      hardware.cpus = [ "amd" ];
+      system =
+      {
+        nixpkgs.march = "znver3";
+        networking.static.enp58s0 =
+          { ip = "192.168.178.2"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; };
+      };
+      services.beesd."/".hashTableSizeMB = 64;
+    };
+    services.hardware.bolt.enable = true;
+    boot.initrd.systemd.network.networks."10-enp58s0" = inputs.config.systemd.network.networks."10-enp58s0";
+    # make slurm sub process to be able to communicate with the master
+    networking.firewall.trustedInterfaces = [ "enp58s0" ];
+  };
+}

devices/srv2/node1/secrets.yaml

@@ -0,0 +1,30 @@
+wireguard: ENC[AES256_GCM,data:zfyNpCZ2EhQdsz+/vknjtbT1vMLebil1tarIcxLoUQ3J5XOKTCQBay4jBL8=,iv:tF6I5HHhDMfoGAfrtkmvrlqsSpX9YZL8dtzxAgBCp5c=,tag:DeOFwrIGbwVtf42iO1dm6g==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBndWFBbXpxRlI3bmc2VFJD
+            Y2hLK1RobnBYVEd1SXpiYXc5Wk1Ia09UUWgwCjE2WVZySnhXNzBtNGdJak9lbjE4
+            dEp6NnNQc0dNNDZsb3Z4ek9zVk4xeDAKLS0tIGVLdDBxOVZ2ek1MN0MwTTlwZTh4
+            T2VSaWx3UkxpZ2d6NC84djNpbGZUYUUKJHx6GZcnJpSoPE0HFvU+B4CsNtrcg8lx
+            LGaLYmciM87kXY1enOEzDk6px9GX9hFy6/73XBJVrIU0OC/w671vHw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1hnarptkze0ujpp05dqr8uma04cxg9zqcx68qgpks5uf5l6rpk5gqhh8wxg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiUHUrcnoySm9CcVJCdXRk
+            YmRzQ25mOFJBQjFtS01VWkxUTUU5WUI5WUdJCktLSFM3ZWl6N3ZUaTVpdWdNU09y
+            RTFCczNTeHNhYzNmbWtjNTdOMW9ITnMKLS0tIHFNT3JCbFB6K0FodTJrS3FtRGVq
+            c0I4VUdiZytoQWRsUUhBVStDR2VPT3MKDkDQ3sKJjotYUfoBWF85t3LYtz1OVFws
+            2IdtJBHISb5j3xnAs/UUHDPzjUUsgb+sTHm9krQy3LDuELNY6KGMPw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-04-16T05:05:21Z"
+    mac: ENC[AES256_GCM,data:aPNsWBi4sm4UhX1qpk412eYNCZltKkRMWWgopZw6mjMLSOSb6E1yi8NjRJMj04RpE2XoVCkKP6R5Qo0I95wxY5qZHJuUp/5srqjAf/fHWz1QmXThogaMzM2jue7+NHUSQXrPnh0ZspXD47HyxMUOhlnewZ3EfOw7B5qKAYR1f6I=,iv:mnwtf0B7x5AbMzivg27zqIkhBdkDb5qq8eDBCGMdK0c=,tag:PCtirta++gCSsQsQo+bSmA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2

devices/srv2/secrets/munge.key

@@ -8,11 +8,15 @@
 		"age": [
 			{
 				"recipient": "age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWYmNFOFlnbm1FdXdGWUNr\nOGN3THhDUyt4SDVzcHY5dEYrSWsrQm1UOFJvCmhXaWFlcC8wazROaXZzcm9tUnFM\nQlphZ0x6c0RhbzY0aGVFbXdOa1BHbG8KLS0tIHF2YUNTVnZ3Z25FSnFlTEdmdXhE\nb3Z2UEp1c2UrOUp3NEdNcE5HSFptbzAKWGSTwv6xUNs/f+p0Bhpzg8zZ7EVK8kMm\no13fru2Cnqrw8Cj0zfx+7LODpBVzo03fLYKqZ6kbPZGa12ihk+fD4g==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDeDlnOGlTYlY5a2wyaUxo\nSk5uaFVQWTY1Q25ad0NkSTQ2bTZEYU5ibWg4ClpnM1NLbFArUEtndjFGamgwdDBF\nWnNMalNRWWhLL2V3S1RWRHh3MGErUUUKLS0tIGt0MGJ4SzNDTWZNUHM0djFDSjdo\nbDMvbWRDVURzQmVWdGFQeDVWQmN5Q2MKBpbH7QXL1sf0c7ix9yd2r7vEBScixvBM\nom1tHgJmwxhep7DSyvjg/xslag7U2vF69gPrcAlnAndZsLCtsYdvyw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1l4stuz0vr7gs7pqwjrmezam44702jp2vmqaqyxw0l0r42kf9updq4dfhrw",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKRVMrenM2Q1ZheFVPc2Rz\nYVd6UGoxbkpSQlZsNFN1dmIzSkl6SERwaTBRCjlHV3MvTEpxbDY4OHZjeUd5NmRF\nRmc1NzVCMTA0bDhwajNlMWZKTlNKK2cKLS0tIHRZZ0cxY2dwV21iRDlmeE5UZkM4\nK1dKV24yY3FKV2J3U2VzZWt2QnBSTHcKn8mq+1RnJG/nBbH2mAFpSFSTHDWvMqJj\nsziW9lK0cH6bPxhcpDO4oG8K08bdGHUVGtx2Zk81CDqzfamlMzzG2Q==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwa2Z5V0VPRWhYaXZ3STBa\nMWVsS01CYVBzeHM0T29pUWtQYlVyWCtheFRzCk5JYUpqN1cwWDFwUkZ2Q2xkL3U5\nRlNpMTQ2QTBQZFdYMmJIZjdnOWNjalEKLS0tIEZZREZPVmQxZ25MaHlMZ0VuWExT\nR2dJZ1lWdGt5dWNIM1FyQ2dZV0dlTTQKhUnA3pnoXb18/b/Jzyk0fC6GnmIMmYfl\nVgzCoCDSHNSvW/qUoT22hJfZCMFvIzOHEpmufMHCecZdisUozfWFuQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1hnarptkze0ujpp05dqr8uma04cxg9zqcx68qgpks5uf5l6rpk5gqhh8wxg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlYnBaYmprYTIySWFnOVhk\nTThHNEptc2luWTFxSTBBMnY1Q1FkQjNBaWlBClFRbWlIdmRRVnZ0TGJVTlhNRHN0\nS1JZZnJLU2xCS3Q4ZTBDWU9ScnBtOEEKLS0tIFNCMmtDd0VJR0JucUJSZHo3dHZl\nWm9ZQ0dOamZvSTNQNW1uWW85TGxRTWMKKm7NdN69Q7F+KcR7u3kTxhQuzikGUdEZ\n8AkowBgHRndxNgdC6wYV1VeqEkDxXqR/430+EQS0jQQrIXpuXkCDkQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2024-03-09T07:59:38Z",

devices/srv3/README.md

@@ -0,0 +1,102 @@
+# 定价与配置
+
+售卖两类 kvm 虚拟机。它们都按照需求的内存和硬盘定价。
+
+## 普通虚拟机
+
+* 硬盘每 10 GB 0.056 美元每月；内存每 128 MB 0.044 美元每月。每 1G 内存附带 1 核心 CPU，内存不够 1G 的给 1 核心 CPU。
+  * 例如，4C4G/100G 的配置，每月 2 美元。
+  * 这个价格相当于母鸡价格的 70% 。
+* 适合绝大多数轻度负载。不适合的情况包括：
+  * 硬盘需要禁用 CoW 以获得尽可能高的 IOPS，例如较大的、繁忙的数据库（例如大型 mastodon/misskey 实例）。
+  * 希望内存中的数据一直驻留在内存中（而不是被交换到 swap 中）。
+* **可能会超售**，但我凭良心保证，当你需要时，仍然可以占满内存和硬盘；长期占满硬盘和内存不算滥用。
+  * 前期肯定不会超售（笑死，根本没有那么多用户）。
+  * 永远不会滥售；但后期可能会视情况调整价格。
+  * 万一出现卖超太多了、不够用的情况，我会自掏腰包增加母鸡配置。
+* 实现细节：
+  * 硬盘会使用 raw 格式，放置在启用 CoW 的 btrfs 子卷中；不预先分配，用到时再分配。
+  * 内存会允许交换到 swap 中，并开启 KSM。
+* 限购：
+  * 每台内存不能超过 8 GB，硬盘不能超过 200 GB。有更大的需求请买下一个配置。
+  * 每个用户只能购买一台。
+  * 这个限购措施是为了防止有人和我抬杠，花 70% 的价格把整个母鸡买下来。并不是营销手段。合理需求的情况都可以谈。
+* 宿主机会自动创建快照，需要时可以回滚到几个小时或几天前的状态。
+
+## 独立虚拟机（资源独立分配）
+
+* 按照母鸡价格的 1 倍定价。也就是：硬盘每 100 GB 0.8 美元每月；每 5G 内存/2 CPU 2.5 美元每月。
+* 实现细节：
+  * 硬盘会使用 raw 格式，放置在禁用 CoW 的 btrfs 子卷中；预先分配所有容量。
+  * 内存会锁定在物理内存中。
+  * CPU 会隔离/锁定在物理 CPU 上。
+* 宿主机不会创建硬盘的快照。
+* 两类资源可以混合购买。比如可以硬盘按照独立虚拟机的价格购买，内存/CPU 按照普通虚拟机的价格购买。
+
+## 其它细节
+
+* 无论哪个方案，硬盘/内存长时间占满都不算滥用。对于第一个方案，CPU 是共享的，请不要长时间占满。
+* 暂不限制带宽，合理使用即可。
+* 默认共享 IPv4，支持端口转发（详见下文说明）。独立的 IPv4 每个每月 2 美元。
+  独立的 IPv6 免费，但暂不支持（技术上没有准备好，如果有人有需要我就去准备）。
+* 只卖朋友和朋友的朋友（总之得有人保证别拿去做坏事）。
+  若此定价对您来说仍然难以接受，可以联系我，打五折或者免费。
+* 此价格有效期三个月（2025-05-17 至 2025-08-17）。
+  05-17 前免费，08-17 后定价会视情况调整（例如将流量计入收费项目，内存部分相应降价），在那之前会公布新的定价。
+* 预计收入无法覆盖成本。如果某个月的收入高于成本，承诺会将多出的部分捐出去。
+* 非 kvm 虚拟机的服务（例如，只跑一个 docker 容器，只跑某一个服务）定价私聊，大致上是上方价格再加上我的工作成本（事少的免费，事多的就要实收了）。
+* 配置随时可以调整。所以按照自己这个月够用的来就行，不需要为未来留余量。但每次调整都需要重启虚拟机。
+* 母鸡价格 40 美元每月，配置在下方列出。
+  * 机房: LAX3 （IP：srv3.chn.moe）
+  * CPU: Intel® Xeon E5-2650L v3 (12 Cores 24 Threads)
+  * Memory: 64GB ECC DDR4
+  * Storage: 1TB NVMe (可加，8 美元/TB，另有 NFS 3 美元/TB)
+  * Network: 1Gbps, 1x IPv4 (可加，2 美元/IPv4), 8TB/month
+
+# 操作
+
+我不提供网页端的控制面板（因为懒得搞，要是有人想替我搞的话那就提供）。
+
+在确认购买后，我会给你一个 VNC 端口和密码。虚拟机会首先启动到 netboot.xyz，你需要登陆 VNC 选择自己喜欢的发行版并安装。
+安装好系统之后，VNC 连接仍然可以使用，你可以使用它来重装系统等。如果你担心安全性，也可以告知我，将它关闭。
+
+此外，我还可以提供一个宿主机的账户（SSH 连接），用于强制重启虚拟机等（会做好权限的分隔的）。若有需要请告知我。
+
+# 共享 IP
+
+支持多种转发策略。
+
+* TCP/UDP 端口转发，就是最普通的转发。
+  这个方法只有一个坏处，就是多个虚拟机不能共享同一个公网 IP 的同一个端口。
+  这导致用户在访问时往往需要明确端口号而不能使用默认端口（因为默认端口已经被占用了），
+    例如需要使用 https://srv3.chn.moe:4321 而不是 https://srv3.chn.moe。
+  建议不面向普通用户的服务使用这个方法（例如，ssh，coturn，等）。
+* 利用 Nginx，根据一些信息分流再转发给虚拟机。这可以做到多个虚拟机共享同一个端口，但也有缺陷。具体来说，它有很多种方法：
+  * 依据 SNI 分流，并透明代理到虚拟机。
+    这个办法的缺点是，只支持 TLS 连接（例如 https），同时服务端看到的用户侧端口会变化（通常情况下不影响什么）。
+    只要这两个缺点不是问题，就建议用这个方法。
+  * 依据 SNI 分流，并使用代理协议（proxy protocol）转发给虚拟机。
+    相比于上一个方法，这个方法可以正确传递用户侧端口号，但需要虚拟机的服务端支持 proxy protocol。
+  * Nginx 依据 http 的 host 头分流，再发给虚拟机。
+    这个方法的缺点有很多，例如我需要修改你的域名的 DNS（用来申请证书），母鸡到虚拟机的连接不加密，只支持 http/https，等。
+    这个方法唯一的好处是，如果你不会配置 nginx，可以在宿主机上配置好，虚拟机只要跑后端的服务就行了。
+* 别转发了，直接在宿主机上处理。例如 80 到 443 的跳转。以及如果你想要 host 一个小的、不常改动的静态网站，等。
+
+# 杂项
+
+**如何调整虚拟机启动顺序（重启到 iso 而不是硬盘）？**
+
+先重启虚拟机，然后马上连接 VNC，就可以看到“按 ESC 选择启动菜单”或者“Tina Core”的提示。在这个界面按 F2 或者 ESC 就可以临时调整启动顺序。
+
+这个界面只会停留 15 秒，所以重启虚拟机后要迅速连接 VNC。
+
+**如何调整硬盘大小？**
+
+* 扩容：你需要在扩容**后**将分区和文件系统调整大（占用虚拟磁盘在末尾新增的空间）。
+* 缩容：你需要在缩容**前**将分区和文件系统调整小（在虚拟磁盘的末尾预留出要缩容的空间）。
+
+这些事情都最好你自己来做。我可以尝试帮忙，但不保证数据安全。
+
+**如何强制重启虚拟机/关机后如何开机？**
+
+登陆宿主机后，使用 `vm` 命令，不加任何参数，即可看到提示，按提示操作。

devices/srv3/default.nix

@@ -0,0 +1,46 @@
+inputs:
+{
+  config =
+  {
+    nixos =
+    {
+      model.type = "server";
+      system =
+      {
+        fileSystems =
+        {
+          mount =
+          {
+            vfat."/dev/disk/by-partlabel/srv3-boot" = "/boot";
+            btrfs."/dev/mapper/root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
+          };
+          swap = [ "/dev/mapper/swap" ];
+          rollingRootfs = {};
+        };
+        nixpkgs.march = "haswell";
+        initrd.sshd = {};
+        networking.static.eno1 =
+        {
+          ip = "23.135.236.216";
+          mask = 24;
+          gateway = "23.135.236.1";
+          dns = "8.8.8.8";
+        };
+      };
+      hardware.cpus = [ "intel" ];
+      services =
+      {
+        # 大部分空间用于存储虚拟机（nodatacow），其它内容不多
+        beesd."/".hashTableSizeMB = 32;
+        sshd = {};
+        nixvirt =
+        {
+          alikia = { memoryGB = 1; cpus = 1; address = 2; portForward.tcp = [{ host = 5689; guest = 22; }]; };
+        };
+      };
+      user.users = [ "chn" "aleksana" "alikia" ];
+    };
+    # TODO: use a generic way
+    boot.initrd.systemd.network.networks."10-eno1" = inputs.config.systemd.network.networks."10-eno1";
+  };
+}

devices/srv3/secrets.yaml

@@ -0,0 +1,33 @@
+wireguard: ENC[AES256_GCM,data:Coe4iIEnJVDb4a9KUVTRkXl4kng5Zo6x1Iyr0ErgR2b9bN287mvO6jPUPSc=,iv:fiNUUKobJjitcoxBemIah5Cl5+dSz2Q7sbiOT8bDrRM=,tag:rHfNeRGTxnyVYAu8P/2ewA==,type:str]
+nixvirt:
+    test: ENC[AES256_GCM,data:n2YTRQhm,iv:Ix2QI65W+ErkmatchCbLwczA885v799zS56cEdHkYAc=,tag:B7U/vm2PtNjIyVv4Ujrccg==,type:str]
+    alikia: ENC[AES256_GCM,data:sP3sWN0RrBU=,iv:TetUcaxsRXl0QsGAyXbVUAW12AXjChVN1/X+ku+3nO4=,tag:kBupoPqVlwHuCnwVdBJBKQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvaURzWlFQNUpObmtvaUd2
+            bVc2UXRHajFPeXR5eTNqQnBhaWVOTXRDSEhVCjJVREN5MzF2MXhMSGIvNlM0endj
+            ZGVhTUFrTXVXRTlvYThaRVZBWmwxd2sKLS0tIDNTME1EaHFKY2J2SWxrRWFpaVJ4
+            Sm5xUlU2TXpyMUJQWVpoRUdlTnVjOFkKZErjPuX3nNFc3jFPBX462qs9hwguyxUD
+            POxmT4DMCPAaEz+lNB+Qa03P3TYFJ3LfqTsO7QXO2f9113wFqF2lFg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1n4lhfwv7g0vhx54exmwx9yv2z04m3h2lunzpa5zdzgtcvjjuf5nqc36g8a
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxd2RzNEttTzk5cXVhc2RK
+            R3hxM1N4TmkyNGp0Z2ZwODZBL0RuMW1qNjFjCkI0N2FMUkd0eENPK0w4MWVJY2d4
+            NWlvUFdQbUh3SFIycDczZlg0ZEJMalkKLS0tIGs4dHlocTRseXRWYVFxMkdrV2x2
+            d0h3aDh5QXFZYWJFdmNVYnJxQ3pBeVUKTl0XVvtwJcz+RpSylgDPl/R8msInxvWX
+            eQGmrDHibeE1V+KSDiuNzC4MVRIrOnh1beHrhnVQ86HwPVgJqs2FoQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-05-03T10:21:54Z"
+    mac: ENC[AES256_GCM,data:PVRdAhUKoNsFjPrSFZTFUKrb4qJK9nh1m+7IlJqiIbV55pSUHfjVjHkUjF03tGX4IhtmUlgjzKiF8m8uIEEc2VB3OyCRN/0Ao7OqUkPdoxMjCM10R/1LUqS4rGJ7kM5r5pAJPEnOzu/vhROqUO8sg7W52XxYd7C6pChmMKAo1/Y=,iv:BjldNYQ0MsLWGt9NEEg9r1wYhW2W/Tn4FqZP1DcgZLI=,tag:c07hlN/ZY3gvyF6EOPnSPA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2

devices/vps6/default.nix

@@ -12,31 +12,23 @@ inputs:
           {
             btrfs =
             {
-              "/dev/disk/by-uuid/24577c0e-d56b-45ba-8b36-95a848228600"."/boot" = "/boot";
+              "/dev/disk/by-uuid/0067ef91-06f7-416e-88cb-4880ce04afa4"."/boot" = "/boot";
               "/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
             };
           };
-          luks.manual =
-          {
-            enable = true;
-            devices."/dev/disk/by-uuid/4f8aca22-9ec6-4fad-b21a-fd9d8d0514e8" = { mapper = "root"; ssd = true; };
-            delayedMount = [ "/" ];
-          };
           swap = [ "/nix/swap/swap" ];
           rollingRootfs = {};
         };
         grub.installDevice = "/dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:0";
-        nixpkgs.march = "sandybridge";
-        nix.substituters = [ "https://nix-store.chn.moe?priority=100" ];
+        nixpkgs.march = "znver2";
         initrd.sshd = {};
         networking = {};
         # do not use cachyos kernel, beesd + cachyos kernel + heavy io = system freeze, not sure why
       };
       services =
       {
-        snapper.enable = true;
         sshd = {};
-        xray.server = { serverName = "vps6.xserver.chn.moe"; userNumber = 22; };
+        xray.server.serverName = "vps6.xserver.chn.moe";
         frpServer = { enable = true; serverName = "frp.chn.moe"; };
         nginx =
         {
@@ -47,19 +39,11 @@ inputs:
             "xlog.chn.moe" = { upstream = "cname.xlog.app:443"; proxyProtocol = false; };
           }
           // (builtins.listToAttrs (builtins.map
-            (site: { name = "${site}.chn.moe"; value.upstream.address = "wireguard.pc.chn.moe"; })
-            [ "nix-store" "xn--qbtm095lrg0bfka60z" ]))
+            (site: { name = "${site}.chn.moe"; value.upstream.address = "wg0.pc.chn.moe"; })
+            [ "xn--qbtm095lrg0bfka60z" ]))
           // (builtins.listToAttrs (builtins.map
-            (site: { name = "${site}.chn.moe"; value.upstream.address = "wireguard.vps7.chn.moe"; })
-            [
-              "xn--s8w913fdga" "synapse" "syncv3.synapse" "matrix" "syncv3.matrix"
-              "send" "api" "git" "grafana" "peertube"
-            ]))
-          // (builtins.listToAttrs (builtins.map
-            (site: { name = "${site}.chn.moe"; value.upstream.address = "wireguard.nas.chn.moe"; })
-            [
-              "misskey"
-            ]));
+            (site: { name = "${site}.chn.moe"; value.upstream.address = "wg0.vps7.chn.moe"; })
+            [ "xn--s8w913fdga" "misskey" "synapse" "matrix" "send" "api" "git" "grafana" "peertube" ]));
           applications =
           {
             element.instances."element.chn.moe" = {};
@@ -69,22 +53,14 @@ inputs:
             nekomia.enable = true;
             blog = {};
             sticker = {};
+            tgapi = {};
           };
         };
         coturn = {};
         httpua = {};
         mirism.enable = true;
         fail2ban = {};
-        wireguard =
-        {
-          enable = true;
-          peers = [ "pc" "nas" "one" "vps7" "xmupc1" "xmupc2" "pi3b" "srv1-node0" ];
-          publicKey = "AVOsYUKQQCvo3ctst3vNi8XSVWo1Wh15066aHh+KpF4=";
-          wireguardIp = "192.168.83.1";
-          listenIp = "74.211.99.69";
-          lighthouse = true;
-        };
-        beesd.instances.root = { device = "/"; hashTableSizeMB = 64; };
+        beesd."/" = {};
       };
     };
     specialisation.generic.configuration =

devices/vps6/secrets.yaml

@@ -1,5 +1,3 @@
-acme:
-    token: ENC[AES256_GCM,data:lJc2A1Q5vxWQsSchA5pvXSYW+DjBCkdSbWVD7+Py+lG/6nGUmEAHVw==,iv:ZcysHsiLQzD/7vMn1wTCE5lw7/IgkH3oLem5xCjnf7Q=,tag:7EC+S79HRCG/Q+bqVcGVDw==,type:str]
 frp:
     token: ENC[AES256_GCM,data:T8b1ku4HNCNSJ+33QgIt1GILFA4wTu3Qd0rDqHPVgdqsGo0R90k0u8z+dElSO7q9PapTqUbZ,iv:hwnMu6JxfYLgw4TyhujX5dI2IAytgZh+Bexhgta6ATQ=,tag:lqgwvXlS/jGPxasmk5Vh3w==,type:str]
 xray-server:
@@ -48,25 +46,14 @@ xray-server:
         user20: ENC[AES256_GCM,data:3UbVnn9oMRc0zZR46tWxwM9VFOvMOYm690csUomEVBcS3xPm,iv:KHuPXttLAFr7WT/qa/UYLY8GRsPWYZPyKNmdUh4iFQQ=,tag:jN8rQ0Gv+qnhwOWGH+CwlA==,type:str]
         #ENC[AES256_GCM,data:GzxXsTbEvdHV7A0=,iv:uxUG4hnYEsmJtnqbEwamwhtLt3UClt7ktmkGyAFdxsc=,tag:sF8YQ2cejAezI3Bbp9qKIw==,type:comment]
         user21: ENC[AES256_GCM,data:hgDJ11crZaWcKrc+ZDQklXwpnvt/sMbARkx3sLZfQGZqQZeA,iv:2Re+hdJuT5yg/qTymfpN+KdU3criOmwuqqg+SHb8iAo=,tag:s16N6u5cRDaoWxnrCkamuw==,type:str]
+        #ENC[AES256_GCM,data:U0CcBBJraJj9,iv:9kuHsHkSDdDT0Gi/3Oy608RArrg+4cgeii5zWbsGuPA=,tag:EvqqMNvNcWBwie28t0+52w==,type:comment]
+        user22: ENC[AES256_GCM,data:G+Ls2+bbcP4RmeYhPF44STdbqNiw0UZVxac6GQXJUyCehgjm,iv:vXbwtGWgBINUauS4rsDj+4yoropzZ4IHOZxF9/jLPTY=,tag:SN1BZbQTOfcAF6krXEXtjA==,type:str]
     private-key: ENC[AES256_GCM,data:ts/LRGFAsYqvGvkvlxUI42IW1a8cGsSkpZhMDd3QVceRKvhPb1SRDaXoSw==,iv:6xX9xFIFUNlLBZ6CPBOz9JbHpvC4+QG9ZaCZcWdl12c=,tag:DYIa+QTV8vyl1l7OKKykTw==,type:str]
-nginx:
-    #ENC[AES256_GCM,data:85LrqdTMIhSa,iv:mIQPYz8VPd5AxeMCQEdTGMD0Iqa5QEAa5+8JVFaj3JM=,tag:TcZd7S3WRPpEV9lHI1fzbw==,type:comment]
-    #ENC[AES256_GCM,data:rVTLpe3uIQ5LArPnEY8N8kjtHq8kZddbqR+nyUaia72Y7PWEfHzy6wgx3Q==,iv:AZEufH3zfVL0XbUh3CQZGYcx6zIMFV4tF+jHf73IplU=,tag:B/UbtQh5dGrctNih2uoO8w==,type:comment]
-    #ENC[AES256_GCM,data:InzwjKl3R4SJSXTz5u1Pt0kf2HYEtKfSkJO0cbPhhXADNp2/Tn0nwQJFy9EzpMvK9mw8+l5LadbY0tIwmTVvV5yxUQo78HcgXWInfp/zJ+GG1L/RQOHck74lEA==,iv:UBMRYPd0loOQBs3mNyndiKPu72aRA8HbOKWDfUWPQg8=,tag:t/ONqdwpWcbo/2vy5TOjlA==,type:comment]
-    #ENC[AES256_GCM,data:HTinhnsAbVujUOuLIVT/CkvdtTN9Nk7wZKZ5SyrPC+vZ/cB9E10FffMYLQ==,iv:Clby9A7MIUSknNFkzKuWEDL0yUW/ctd6KShCIEYrDZA=,tag:CJKORoXrspDjRmaSHUnlqw==,type:comment]
-    #ENC[AES256_GCM,data:cwAb68VgebTwCCeAFUbOG0CUAuggfRnLNv9NWldJN+E9NY4WKxs12Nz7yX/vtelcqqJ2TOUL78uAR88Nzavv7VtCTZRivWjRG6GvAUyRdv8lAZo=,iv:PScTSTCuVnsoZlvyTVL+ZgqqEm4m2/fUqWzPwE+PvuY=,tag:1jeRsHqgMheXbcnhRicsnw==,type:comment]
-    #ENC[AES256_GCM,data:V5XRrTvyeezkcJqw1/BhhZz5K/egpl+PtNwjAGELjWRp7IqDfRsInxBKEg==,iv:LdOTkL22HvaNbiUi6hG8o0ownfZ22OKFGxCuGPqG8xU=,tag:/06I/mLzBlgS489iuwFTuw==,type:comment]
-    #ENC[AES256_GCM,data:i9PXzaO1od7HimP/6vxYfh30SxFbdXRDcnXujH3VrvngFcWaVcXgigncp3cboi6RoERSZ6yakxviVyEBIS4v0qRfombj2UtJg8N3Kg==,iv:aohIMhAYfZhlGDrcEvi+Qc16nF8ZgrPUGhWj/7nl8Fs=,tag:o70qsk/2cAbZgbVBwfl3Ew==,type:comment]
-    maxmind-license: ENC[AES256_GCM,data:sESU6uK9EYLido9/0sXO2Zw1SjuKmxPh4r3giJcaG7068gn1kByjsA==,iv:htnFgnLrH35zSvmlRAdoRDLFIpKroKO5dW9TNK9soUc=,tag:6pJuc54SrKP5n0kJJ7fGyA==,type:str]
 send:
     redis-password: ENC[AES256_GCM,data:6zVKw9AmKwSWvHUZhzy0F2KcJW96uFoZY/N1Zq8ilUJOLZeX,iv:viwLIgJz9v8oadr8784OgETbEsxzGsJvVoxmOwWEFxo=,tag:XEYFnoCGwlnrkqaUbgeH+Q==,type:str]
 coturn:
     auth-secret: ENC[AES256_GCM,data:50KqO4GQ1ERbCnK4IjYu6aywT+IPMtVlTzh/TE4MwWApU4pO9yqz25ENGUAKRLi4p+Ecug+Rn3InRl1b+q6bAQ==,iv:SgHkHvHg/+yA1Z5E9effgCnZMVXv5amGNUsVKErai54=,tag:PoYLV9Xr0IXXsA39n7wiTQ==,type:str]
-wireguard:
-    privateKey: ENC[AES256_GCM,data:4DKPPqQkjb33rQzFIz863A2arDRQA9AivWFBaWTf0xXDX4hWvJFiIlJQfvE=,iv:0R2TH3CMxHgwVjojzjE2Gnp8SXonmBDLWF7hB33NiX0=,tag:vgtV8JkuCdspleN/SvgIqQ==,type:str]
-telegram:
-    token: ENC[AES256_GCM,data:LskBPmXZk3hRZ2bChXZjmRzzGd2A2GKrUZMknCDXTpTzOdP/RDibRvgI75HLWg==,iv:9lJKuGLD5HuQinWvvAvwWFAvEJofUGkJsxKNpqZrGmI=,tag:pTmTOlsYIY6Uqd69AtrnBA==,type:str]
-    chat: ENC[AES256_GCM,data:0ehCIvd7sBFc,iv:OwdiIoPrt/e1YgsCrYcqqMYhsJuEtKW2pSKNVxahMV4=,tag:ig2CfQxwzv2ppIutU6371w==,type:str]
+wireguard: ENC[AES256_GCM,data:5M7EAy/6+2UASWkjxE0Jrxwl0aNdAVZaUjQnD1wU3YvOAQ/c2DSL8hVtKf8=,iv:a2tXFf1+aP0JhdNtzP8e82KJ71m2o8nx+G0wIx4VMig=,tag:l4TS4QBz2fIkC9/GnZgHnQ==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -91,8 +78,8 @@ sops:
             ZXFTU3ZCaW1pTVh0RUJzdDdGdHlPYTgK2mlgcX2kEc8+2UDdBnhUm6IIuh8V6agW
             ooxH9OEPXUVI/4JcDo4v8ZUhAyU1ehLH0Ef7PJCChOZe2KZmWSNbhA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-14T12:02:33Z"
-    mac: ENC[AES256_GCM,data:2iQLMkj/qg+TQodFXqCaSOhj1G2NGGr1ZEDewDm/6H2zteppgEw4vRls5GPUrxTQnC22NHKqih7REWa0Xv7L4eALkxrVYqWkPVcxvlt1RauW8XrW1JJhhLj+E/52AKqOxGd1CviuyyQS2M2cZzk1t3gNDpSZ8YdmhjYPUHk2SCA=,iv:imFhB5A4LZYhE3NqIbQazMqBzEtdv/c6r7DcY9yJqKE=,tag:eRTl/1vbmI3YsLLEyFyIAg==,type:str]
+    lastmodified: "2025-04-16T14:15:31Z"
+    mac: ENC[AES256_GCM,data:XOG+e115arZG1uvFoLxCfAqr2pLI2ndS6bZKRyQlWaJK0Gti8RpQt1jVZ+Q3y5Ga8tpAvd7k5MYgRL0/H400ENCleM3vsh5s3VXjlSSxq4mfdkwhUH2E0t8OQyf8VXvs0SXZKhTOljETPu1pggB6iFUfEZ5e0kKRLRYWI4Tt94Y=,iv:mt60iMiKTcQP4b/f684j2IyFSWYzmq3XGK19CfZB53c=,tag:NyhQ0Lptv2E4jHuYAxcelA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.9.1
+    version: 3.9.2

devices/vps7/default.nix

@@ -16,62 +16,43 @@ inputs:
               "/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
             };
           };
-          luks.manual =
-          {
-            enable = true;
-            devices."/dev/disk/by-uuid/db48c8de-bcf7-43ae-a977-60c4f390d5c4" = { mapper = "root"; ssd = true; };
-            delayedMount = [ "/" ];
-          };
           swap = [ "/nix/swap/swap" ];
           rollingRootfs = {};
         };
         grub.installDevice = "/dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:0";
         nixpkgs.march = "znver2";
-        nix.substituters = [ "https://nix-store.chn.moe?priority=100" ];
         initrd.sshd = {};
         networking = {};
       };
       services =
       {
-        snapper.enable = true;
         sshd = {};
-        rsshub.enable = true;
-        misskey.instances.misskey.hostname = "xn--s8w913fdga.chn.moe";
+        rsshub = {};
+        misskey.instances =
+          { misskey.hostname = "xn--s8w913fdga.chn.moe"; misskey-old = { port = 9727; redis.port = 3546; }; };
         synapse.instances =
         {
           synapse.matrixHostname = "synapse.chn.moe";
           matrix = { port = 8009; redisPort = 6380; };
         };
         vaultwarden.enable = true;
-        beesd.instances.root = { device = "/"; hashTableSizeMB = 512; };
+        beesd."/".hashTableSizeMB = 128;
         photoprism.enable = true;
         nextcloud = {};
         freshrss.enable = true;
         send = {};
-        huginn.enable = true;
+        huginn = {};
         fz-new-order = {};
         httpapi.enable = true;
         gitea = { enable = true; ssh = {}; };
-        grafana.enable = true;
+        grafana = {};
         fail2ban = {};
-        wireguard =
-        {
-          enable = true;
-          peers = [ "vps6" ];
-          publicKey = "n056ppNxC9oECcW7wEbALnw8GeW7nrMImtexKWYVUBk=";
-          wireguardIp = "192.168.83.2";
-          listenIp = "144.126.144.62";
-        };
-        xray.server = { serverName = "xserver.vps7.chn.moe"; userNumber = 4; };
+        xray.server.serverName = "xserver.vps7.chn.moe";
         docker = {};
         peertube = {};
         nginx.applications.webdav.instances."webdav.chn.moe" = {};
+        open-webui.ollamaHost = "192.168.83.3";
       };
     };
-    specialisation.generic.configuration =
-    {
-      nixos.system.nixpkgs.march = inputs.lib.mkForce null;
-      system.nixos.tags = [ "generic" ];
-    };
   };
 }

devices/vps7/secrets.yaml

@@ -1,13 +1,11 @@
-acme:
-    token: ENC[AES256_GCM,data:D5D9Voteggfoc7Hj/xdhGEHmFIkG2H0Y0t2AfSY7hjRlsQhUoAzCRg==,iv:JLUjY/6DJrNsG0YZ0WD/Dmjgjsbx26VANAQvZnyj6l4=,tag:WBQv8AvPW5+XK8FAzppnNw==,type:str]
 nginx:
     detectAuth:
         chn: ENC[AES256_GCM,data:Gk0TTbnFcsvIgoDcen6B8w==,iv:kvyvygw9zDwaiTQ2vPFTHQex0EWDFg8M8U22AConQFM=,tag:ewAZ/nXxmTOhDAjW/A2OnA==,type:str]
-        led: ENC[AES256_GCM,data:Owax7cyp,iv:NCEKyicVCYZNgxJzlO90heUmwPjfXbZEcyXX09XQKI4=,tag:WMTCVMVCD9sJgAhRUsqvYg==,type:str]
-    maxmind-license: ENC[AES256_GCM,data:9aW4QR3K6S+eTqzIjVlNEwkG0wZ4u5jgRfe7CMwRlJlK4AmcS6c45Q==,iv:cPTN1K4Aag5sohGbCQUZHYTvcwAL7AhF+rrY3OvXGPs=,tag:d9GGUMHnfzRz9Cf2U+dBfw==,type:str]
+        led: ENC[AES256_GCM,data:Vb2p9v7U,iv:xJcKgvbc0KAP31uTpFiYlpvPoEHMWH3VkEqqyINKcyk=,tag:X2R+CHFj4N4i7cAK88IoSA==,type:str]
 redis:
     rsshub: ENC[AES256_GCM,data:uPnZIjbnRRoWIHlWkZNZkMpIb3Ujnnpb+AisVSVGFv4sfDAuDlAjt39pRdnWkCXJPqtXjJzQ+FeT34cqxTf8Bg==,iv:/jcyAHkxByFnbkmCAYQwda2QRmhW7L/ICoLuCgsVLCI=,tag:M5Q+dh/Bn7FiNpqQGYus4Q==,type:str]
     misskey-misskey: ENC[AES256_GCM,data:OHjt9o+m++NT5aaFbwBT/wSMdUdgf4zscd/JxjCo5HDhC3WeWMJV7z//kATI5Dg4BWAhvPlL02Vrly4RraIzLw==,iv:sQB4/D2SsOuDR3bTrmlNg7o+6ehFznDsqVc3BX9pK20=,tag:tcwTBt/JhyW8ZTAIWIkWBA==,type:str]
+    misskey-misskey-old: ENC[AES256_GCM,data:amUqMycdXUFvjg66pXKnlZqiESBYMci0k8iYzj824SaEqHl3Nq/I0TjYX++xEUg+RGYyTIcSaj96HUANTKpc1A==,iv:ND1mQLHxltRlOdpJ80ywheGo6hkl7OgRyk9TguJMuTw=,tag:dhCCwnCOnyT2iXdEMK0szg==,type:str]
     nextcloud: ENC[AES256_GCM,data:jwN/CqwkU/5Rd6w75/bV2Yej9b0CoxZaiJEcZXFx+9XUPY3Xg1tQdEr1SALG8xzOEdoL6WBVs14NvrrL25GeTQ==,iv:p5+0AB52QqScJwMhNIrM/7HAcRPdD9Z8xV6uwIDOwIg=,tag:f1XbNDDRXvGl/dkV9Wp2Ug==,type:str]
     send: ENC[AES256_GCM,data:IGxj3cgp+fQBdupfK+IgPEQSPuXdM9LRSLGSATNIkzUWC6sQw1aaKTDuRc8cU2BG6quthRwuWnK/F7k3KrUi8Q==,iv:LI9MkaF4e47FPUyL7AXZpO+CdgF91ScdiqjrE8PZjJ4=,tag:eNugln5M0AhU1xmVWFN7Aw==,type:str]
     synapse-synapse: ENC[AES256_GCM,data:8CVbcN2FG4mRT4PnlOGsS7tDfS+6ojIJFvq2EwItxn1gg2Ghd/Bmx+5tS/Do2FrYp/Xiv1EqucomM50r5bXnmg==,iv:TT7zBKQ4M10XYVCn5aeSu9IqjrIEHHazPUCOTmgRAU0=,tag:0+Q9hZMBVDj1TnHj3xoTBA==,type:str]
@@ -15,6 +13,7 @@ redis:
     peertube: ENC[AES256_GCM,data:cN+cClNV1JD+Z1Wlp07MY7BmLr/EZYZZt04mxKKKN8RG1ZSMGykbc3hd00E14ubhCittJXSPbIWyO63lCGGEPg==,iv:3z1BR0j26LGfXwDDPYU/i8Qx/7529KKoar+xGZanirI=,tag:g/NSGDE1iEYJ1MStrV3rpg==,type:str]
 postgresql:
     misskey_misskey: ENC[AES256_GCM,data:lRbSz7bbiWEdK/cRD41fLvFJF4WYsclKHVykFcU3LIz9vnKlR3VdczzznVqpT7JvG6OUi+TmipJii+0KzXHtdA==,iv:8sBKgVwuDJdThup0KQ6cnAV5O2liwVra1yIpDHVfpMI=,tag:DyUpaHai8ZUyllvZBUm8sg==,type:str]
+    misskey_misskey_old: ENC[AES256_GCM,data:Wwtd+hKI0s7m3PbEPHbnSyTsCkW0x8SYHUiCYuNSNCG8i4RAmiAbONNFfWN2hXnmTmRK79Tx/3GR+L0KMzmNGQ==,iv:BekTELToPQXUdZHyNtkuqKyZeez+moI6k907P7NhA3Q=,tag:A5YB0WIa1RkDCtzeBhiuyA==,type:str]
     synapse_synapse: ENC[AES256_GCM,data:lzaggyuXM1XwsRxFHslsP89r8wEcgi6LNfbcm+pFWj6WLO8y8WaQIdOkiF3D2ToKDwcw5XgSGSt/VAk6lv+GeA==,iv:8WOL3jze797Wz9kSRq7YpY8OS1TBMqHYhfgZlluJlic=,tag:utNhs1AMbGthp6M2c0x67g==,type:str]
     vaultwarden: ENC[AES256_GCM,data:Uz8GJMaLUTQ9pQbZyZLWS4bL5wmt9RvbAwNctAIDt9JrV3FaXxgKjE0MJSGklS55yj/Z/wbO6RCuCK2AWR2VKw==,iv:7hA8YcB88M1qCV8EhFYpHbfPmAZ/7xNqvTMJYZ/UcAY=,tag:mkDHJYmRoYZ/Ct0UmOp9FA==,type:str]
     nextcloud: ENC[AES256_GCM,data:5UpYSMsZgUgEJHg0ou9Z1RTE+YFFUKuXwPtc6L5XxD4GNo8Gd3CvcQSNGAol+5DtyPKF3q1+ZgtScWGrqU1RyA==,iv:Zfm+Oa4eON8WiJzYUkMFawafDwo9pOnOpWkwHYLIKkk=,tag:4ECMla1dFfCrn7lILwWFNA==,type:str]
@@ -30,6 +29,7 @@ rsshub:
     youtube-refresh-token: ENC[AES256_GCM,data:pnXQ1euCdix2H7IxudmUUcpxc2OUhciKT8OcGV89c/EpoXHgx1+eLxwY5rRszroWwjge9M001RGHngvD/ny3phfWAwYmIzMJxun2f7JCPe7ybMesWmPSkiqVBss1Zfic1uB8mNM/yw==,iv:8p8/vATY8F3YuGA1TtjekiuaKOMnQyTMjrwDBJaK4VU=,tag:/jVg9FDOuLMNrupgrywpBQ==,type:str]
     twitter-auth-token: ENC[AES256_GCM,data:65SbHggbYtfSfaaxJxRgD6+HpOX4vIfjnVZmOAZ9illPMYOu9MIchQ==,iv:49UuC8n6AGj1skuHzQX39Q/QuKlB9IxogIfiiy1GBnw=,tag:Rq6b0H9UFVZ19tU8ZeelRg==,type:str]
     bilibili-cookie: ENC[AES256_GCM,data:58nO7ADu2oH/OgLJNYrEEzhf1J0zt8EpuygnSANkGXJju5oSmtM7WLnaMEjC96q14OTTA9QLiFVsbxiFY1eUnraA5W7g7+6CYRXVRZaxz91D/dhKzHGTMjB/LynnNqEIc6liONlcHbyjZNQ+WIqPtjVpCKMN7Mi8cv81/cFX/1GqAwncgDD2oXh1hMPOVY4dYcGKuOG0GjlY6RgOgTPqU3HawQjnoWQjPF+lq2rnWD5HP9ZTxOYa7hm2GgPrxkq1fkRrq+kKYeDh+6M7VLDcm5Fpf+biq6F8fZWzmw4NlVZT9BG0vJFa,iv:vxYXg9Yg9qIWFQXtwTYa4Ds0KSxZYg3M6xdtXKbdaig=,tag:TzCPehk9w+BL4wwgDc1CPg==,type:str]
+    zhihu-cookies: ENC[AES256_GCM,data:DgpvRB7IuRe1KuPFqhCbtyFrC02AUlaA9UWS+d8ix0nweItXwZrkqC03lXQY7nJr54H3SfKXNhtUp4nJmV2hqNQOqekrXVsKrG++UmcAr5Ciw1lTmilqM220igJ9YwiHxtsZrWgp4sTPlTTQIFu5xrGnvlSntBjXAjzStTk1R4XRmLV427QuKbNNQ5MjPXS1PYrtN0d4/qXLx74pNd9ZsNd9F4V0E75Zt6vKE8F7aA==,iv:5Lu/HD8Iw655pg84eFs2eEQS68QqA99uMBHlgelZvrI=,tag:Pnd7VWIAgNt+1vo+vyWDpQ==,type:str]
 mail:
     bot: ENC[AES256_GCM,data:j4Y5oYeVt0sd2z2Qwuqisw==,iv:wasQCTqEMAyttbn1zm9oKck6QiByom+F7ZIMDUse9Gc=,tag:92O4ka6f0I9qnlnVy2dltA==,type:str]
 synapse:
@@ -84,11 +84,7 @@ fz-new-order:
 grafana:
     secret: ENC[AES256_GCM,data:QYhopqGcHGr+24qYlfaTdMtnyzmIZYG4PcvS9KYqC24W3M+HmloCkPHh7Y3ZTVg8MnrDGOcbA9YPLdY7eh/u4g==,iv:dh7egVIem2bgDbmWJ1sqH9fLdIYbAIQjnjNvyuEjVq0=,tag:DbIRVHbCcpKGcNc6sDTasA==,type:str]
     chn: ENC[AES256_GCM,data:0bbjggWS1MdcUIQiQyPlBTULm+faKDpJbmZmV6vSw8k=,iv:am65WQzUE+AvQrQV+NSF5u6RCWn7EetyPsdy4Cuvyyw=,tag:lxNUM1cIYVSXVgwEnS1Hdw==,type:str]
-wireguard:
-    privateKey: ENC[AES256_GCM,data:TS+toaJRgAvC78XVwTciXe2IG8++vaqXVCi/u/8Aej6qq1B9Cb6f20cp5K0=,iv:T/NkLvcYiWzIDG3jWtuhe/sH2GT4z5f0xdUGbSL901I=,tag:qN7YokFBj3Kbbx4ijHTRnw==,type:str]
-telegram:
-    token: ENC[AES256_GCM,data:Mr6KrAzYoDXA+dPT3oXqK2wm9ahTjZ5GVE/iRPsmcM+S2MABT+8ramyHz9oIFw==,iv:nIZ8rpSxz2GwMbDQFfG3xauMQjiriZ1oxFMrEQeH7sQ=,tag:y5U1T1vV/mmdE/CeaeTR8g==,type:str]
-    chat: ENC[AES256_GCM,data:8w/0EI64a1dC,iv:dHu9JHcUY7QPd9YBKXnrRXQB2K6jpnLrSFs+1IJmkio=,tag:3ucN3uNnBxxRF+cbLsa1nQ==,type:str]
+wireguard: ENC[AES256_GCM,data:rPZxIQ18KILFsCsriD0z649UqWPAl8M+49GI7bsEHr0t10rlYS8RiZFeKHk=,iv:rfS/PsX7y3ZBCs9YYPM4VoK9i7S2ShGHzcpBATx8Ots=,tag:i0spG0ZxB2Jm6XZwe19VDQ==,type:str]
 xray-server:
     clients:
         #ENC[AES256_GCM,data:aAZS,iv:Z+iJG7yC6HJeNdKCCpsZSc9Ny7kAt6GYfXUtZozMb4A=,tag:iMfwjqqmLvu5a8YpF7a0zQ==,type:comment]
@@ -103,6 +99,9 @@ xray-server:
 peertube:
     secrets: ENC[AES256_GCM,data:DAlig4wYCridlfS00YOqH++/4Rkssq2bkJ1bhERrsgeqdccwwnk6ADKpN2UBGANNYiTj2VUHsHT6mIWxPRcJvQ==,iv:kOedA1gAD7el6JbP8MujSCSfkkHM6CDDMSs2LwPmsGU=,tag:ZDS+LGX2hNXHw15Js2sBkQ==,type:str]
     password: ENC[AES256_GCM,data:jmKmQlFqHSmImfym2M3/+ItbPxx1GwgrLRZwk7KxqXGHFvqZ1ybCnfZCN8jmA1gVJLuPLTrYA9ggHwdKgVrknw==,iv:cBSb5PJsjHBAMgrxlZaVtw1aP39AXMtdk5pnnCyyZbQ=,tag:6TLoDRY6305lm4HVapT4yQ==,type:str]
+open-webui:
+    openai: ENC[AES256_GCM,data:wMSmoEMLcjbMkEOdzCt1CGbmGZ/iMOWk7PR4m452K+/gEQy00wa6B98=,iv:2hKpB1F0a/fz85RY2YNFXrw1Njbzd2pZ68ITp6b7mzA=,tag:0xUjiHszVXv8qfzV8z3Zhg==,type:str]
+    webui: ENC[AES256_GCM,data:+oEpNIyDEA1gH+Ax5P+ujKgXF8qleepYWwIVCuk=,iv:wmGy4T//UDAR8EC1w/j2vsCqi8dHOBnENLetp9+Ii/8=,tag:8OsFLn6xizQiTVJAEGPwWg==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -127,8 +126,8 @@ sops:
             SnFHS1Z0SXUzTFdEd29KTy9DU3Y3R0UKfhh+rUmWDrf+UGjclP57dHipPLFoXSqy
             HdelmfV6q4/c7ppx2E+oZw3VNgoZCsrxxzYZfwxHJiZb+5vkE0D8iA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-11-13T03:06:27Z"
-    mac: ENC[AES256_GCM,data:aIgKGuyrNWt2etXCtqHXxXwLSTkGhX3wk9NcHXv4u/rkZ3wUz8iJv24whMIN+ZFhQmNV1TLuPncd/O6bYra1YmG0FXSyBkgfQdVbCAR7ys1yXpdz00zcC7zMqm3CeNui89DZH27P5z6cDtNG4Z/dLz6lpln/ummYcdcb+/7KbZQ=,iv:Gl8turVRflUOB3PWqLfwU4JPoy0k9zLKir4CKB9628s=,tag:aJ8PDOfn/XBeklIlSkC2vg==,type:str]
+    lastmodified: "2025-04-12T09:08:37Z"
+    mac: ENC[AES256_GCM,data:cpstZVTMKxbUmB6UbkbaE8sUGVOuqWZre488eYv/7fR5si8amQ5rZ2S+F2UZNFpl598N8EQLPcHxxZYk12cOKB8rQxQsQeBu1N3AIfd/AmTAirYBqErzRVjGuR981PP1KoKi0O+8nMl0N6hnlFCUYrKD7mBF+l3TS4Fv98XFhZk=,iv:S7Kx5TszFPEWPQ3DY/rcDVkmcgFZr9GtmmiyHc/vWOg=,tag:7LuXtywrVNTvqmy1tWFI0Q==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.9.1
+    version: 3.9.2

devices/xmupc1/README.md

@@ -1,298 +0,0 @@
-# 硬件
-
-* CPU：16 核 32 线程。
-* 内存：96 G。
-* 显卡：
-  * 4090：24 G 显存。
-  * 3090：24 G 显存。
-  * P5000: 16 G 显存。
-* 硬盘：2 T。
-
-# 队列系统（SLURM）
-
-## 基本概念
-
-SLURM 是一个用来对任务排队的系统，轮到某个任务时，再调用其它程序来执行这个任务。
-
-## 常用命令
-
-我做了一个 TUI 界面，用起来比较简单，大多情况下可以满足需求。命令为：
-
-```bash
-sbatch-tui
-```
-
-或
-
-```bash
-sbatch
-```
-
-如果需要在提交任务时指定更详细的细节，或者要编写脚本批量提交任务，则在 `sbatch` 后面加上参数，这时是直接调用来自 SLURM 的 `sbatch` 命令。
-常用的参数见下文。更详细的内容见 SLURM 的官方文档。
-
-提交一个 VASP GPU 任务的例子：
-
-```bash
-sbatch --gpus=1 --ntasks-per-gpu=1 --job-name="my great job" --output=output.txt vasp-nvidia
-```
-
-* `--gpus` 指定使用GPU 的情况：
-  * 要占用任意一个 GPU（排到这个任务时哪个空闲就使用哪个），写 `--gpus=1`。要占用任意两个就写 `--gpus=2`，以此类推。
-    但一般来说，**单个任务不要占用超过一个 GPU**，多个显卡的速度会比单个更慢。
-  * 要指定具体使用哪个 GPU 时，写 `--gpus=4090:1`。2080 Ti 需要写为 `2080_ti`，P5000 需要写为 `p5000`。
-  * 当需要使用多个不同类型的显卡（例如，指定使用一个 3090 和一个 4090）时，写 `--gres=gpu:3090:1,gpu:4090:1`。
-* `--ntasks-per-gpu=1` 对于 VASP 来说一定要写。
-* `--job-name=xxx` 指定任务的名字。可以简写为 `-J`。也可以不指定。
-* 默认情况下，一个 task 会搭配分配一个 CPU 核（一个线程），一般已经够用。如果一定要修改，用 `--cpus-per-task`。
-* `vasp-nvidia` 指调用 std 版本，要使用 gam 或 ncl 版本时，写为例如 `vasp-nvidia-gam`。
-
-提交一个 VASP CPU 任务的例子：
-
-```bash
-sbatch --ntasks=4 --cpus-per-task=4 --hint=nomultithread --job-name="my great job" --output=output.txt vasp-intel
-```
-
-* `--ntasks=4 --cpus-per-task=4` 指定使用占用多少核。
-  * CPU 的调度是个非常复杂的问题，而且 slurm 和 Intel MPI 之间的兼容性也不算好，因此**推荐照抄下面的设置**。
-    也可以自己测试一下怎样分配更好，但不要随意地设置。不同的设置会成倍地影响性能。
-    * 对于 xmupc1：`--ntasks=3 --cpus-per-task=4`。
-    * 对于 xmupc2：`--ntasks=4 --cpus-per-task=10`。
-* `--hint=nomultithread` 记得写。
-* `--job-name=xxx` 指定任务的名字。可以简写为 `-J`。也可以不指定。
-* `vasp-intel` 指调用 std 版本，要使用 gam 或 ncl 版本时，写为例如 `vasp-intel-gam`。
-
-要把其它程序提交到队列里，也是类似的写法。请自行举一反三。
-
-要列出已经提交（包括已经完成、取消、失败）的任务：
-
-```bash
-squeue -t all -l
-```
-
-取消一个任务：
-
-```bash
-# 按任务的 id 取消
-scancel 114514
-# 按任务的名字取消
-scancel -n my_great_job
-# 取消一个用户的所有任务
-scancel -u chn
-```
-
-要将自己已经提交的一个任务优先级提到最高（相应降低其它任务的优先级，使得总体来说不影响别人的任务）：
-
-```bash
-scontrol top 114514
-sudo scontrol update JobId=3337 Nice=-2147483645
-```
-
-要显示一个任务的详细信息（不包括服务器重启之前算过的任务）：
-
-```bash
-scontrol show job 114514
-```
-
-要显示一个任务的详细信息（包括服务器重启之前算过的任务）：
-
-```bash
-sacct --units M --format=ALL -j 114514 | bat -S
-```
-
-## `sbatch` 的更多参数
-
-```bash
-# 提交一个新任务，但是礼让后面的任务（推迟到指定时间再开始排队）
---begin=16:00 --begin=now+1hour
-# 指定工作目录
---chdir=/path/to/your/workdir
-# 指定备注
---comment="my great job"
-# 指定任务的 ddl，算不完就杀掉
---deadline=now+1hour
-# 标准错误输出写到别的文件里
---error=error.log
-# 将一些环境变量传递给任务（=ALL是默认行为）
---export=ALL,MY_ENV_VAR=my_value
-# 不传递现在的环境变量
---export=NONE
-# 打开一个文件作为标准输入
---input=
-# 发生一些事件（任务完成等）时发邮件
---mail-type=NONE,BEGIN,END,FAIL,REQUEUE,ALL --mail-user=chn@chn.moe
-# 要求分配内存（不会真的限制内存使用，只是在分配资源时会考虑）
---mem=20G --mem-per-cpu --mem-per-gpu
-# 输出文件是否覆盖
---open-mode={append|truncate}
-# 指定输出文件
--o, --output=<filename_pattern>
-# 不排队，直接跑（超额分配）
--s, --oversubscribe
-# 包裹一个二进制程序
---wrap=
-# 设置为最低优先级
---nice=10000
-```
-
-# 支持的连接协议
-
-## SSH
-
-ssh 就是 putty winscp 之类的工具使用的那个协议。
-
-* 地址：xmupc1.chn.moe
-* 端口：6007
-* 用户名：自己名字的拼音首字母
-* 可以用密码登陆，也可以用证书登陆。
-
-从一台服务器登陆到其它服务器，只需要使用 `ssh`` 命令：
-
-```bash
-ssh jykang
-ssh xmupc1
-ssh xmupc2
-ssh user@host
-```
-
-直接从另外一台服务器下载文件，可以使用 `rsync` 命令：
-
-```bash
-rsync -avzP jykang:/path/to/remote/directory_or_file /path/to/local/directory
-```
-
-将另外一个服务器的某个目录挂载到这个服务器，可以使用 `sshfs` 命令：
-
-```bash
-sshfs jykang:/path/to/remote/directory /path/to/local/directory
-```
-
-用完之后记得卸载（不卸载也不会有什么后果，只是怕之后忘记了以为这是本地的目录，以及如果网络不稳定的话，运行在这里的软件可能会卡住）：
-
-```bash
-umount /path/to/local/directory
-```
-
-如果不喜欢敲命令来挂载/卸载远程目录，也可以 RDP 登陆后用 dolphin。
-
-## RDP
-
-就是 windows 那个远程桌面。
-
-* 地址：xmupc1.chn.moe
-* 用户名：自己名字的拼音首字母
-* 密码和 ssh 一样（使用同样的验证机制）。
-
-RDP 暂时没有硬件加速（主要是毛玻璃之类的特效会有点卡）。
-
-记得在连接时，点击“显示选项”，将“体验”中的连接速度改为“LAN（10 Mbps 或更高）”，不然会很卡。
-
-## samba
-
-samba 就是 windows 共享文件夹的那个协议。
-
-* 地址：因为懒得管理暂时禁用。
-
-在 windows 上，可以直接在资源管理器中输入 `\\xmupc1.chn.moe` 访问。
-也可以将它作为一个网络驱动器添加（地址同样是 `\\xmupc1.chn.moe`）。
-
-# 计算软件
-
-## VASP
-
-VASP 有很多很多个版本，具体来说：
-
-* VASP 可以用不同的编译器编译。目前安装的有：nvidia、intel。nvidia 使用 GPU 计算，intel 能用 CPU 计算。其它版本性能不佳，没有安装。
-* VASP 的 std/gam/ncl 版本有一点区别，一般用 std，只有一个 gamma 点的时候用 gam 会快一点，系统中存在方向不平行的磁矩时必须用 ncl。
-* 无论哪个版本，都集成了下面这些补丁：
-  * HDF5：用于生成 hdf5 格式的输出文件。
-  * wannier90：我也不知道干啥的，随手加上的。
-  * OPTCELL：如果存在一个 `OPTCELL` 文件，VASP 会据此决定弛豫时仅优化哪几个晶胞参数。
-  * MPI shared memory：用来减小内存占用。
-  * VTST tools：用来计算 neb。
-
-如何提交 VASP 到队列系统已经在上面介绍过了。下面的例子是，如果要直接运行一个任务的写法：
-
-```bash
-vasp-nvidia-env mpirun -np 1 -x CUDA_DEVICE_ORDER=PCI_BUS_ID -x CUDA_VISIBLE_DEVICES=0 -x OMP_NUM_THREADS=4 vasp-std
-vasp-intel-env mpirun -n 2 -genv OMP_NUM_THREADS=4 vasp-std
-```
-
-其中 `CUDA_VISIBLE_DEVICES` 用于指定用哪几个显卡计算（多个显卡用逗号分隔）。
-要查看显卡的编号，可以用 `CUDA_DEVICE_ORDER=PCI_BUS_ID vasp-nvidia-env nvaccelinfo` 命令。
-
-这里 `vasp-xxx-env` 命令的作用是，进入一个安装了对应版本的 VASP 的环境，实际上和 VASP 关系不大；
-  后面的 `mpirun xxx` 才是真的调用 VASP。
-所以实际上你也可以在这个环境里做别的事情，例如执行上面的 `nvaccelinfo` 命令。
-
-要使用 VTST tools 里带的脚本，需要在命令前加上 `vtstscripts` 。例如：
-
-```bash
-vtstscripts dist.pl POSCAR.init POSCAR.final
-```
-
-## mumax
-
-问龚斌，我没用过。
-
-## lammps
-
-除了我应该没人用，就不写了。
-
-## quantum espresso
-
-我也只用过一次。大规模用到了再说吧。
-
-# 其它软件
-
-我自己电脑上有的软件，服务器都有装，用于科研的比如 VESTA 什么的。可以自己去菜单里翻一翻。
-
-## 操作系统
-
-操作系统是 NixOS，是一个相对来说比较小众的系统。
-它是一个所谓“函数式”的系统。
-也就说，理想情况下，系统的状态（包括装了什么软件、每个软件和服务的设置等等）是由一组配置文件唯一决定的（这组配置文件放在 `/etc/nixos` 中）。
-要修改系统的状态（新增软件、修改设置等等），只需要修改这组配置文件，然后要求系统应用这组配置文件就可以了，
-  系统会自动计算出应该怎么做（增加、删除、修改哪些文件，重启哪些服务等等）。
-这样设计有许多好处，例如可以方便地回滚到之前任意一个时刻的状态（方便在调试时试错）；
-  一份配置文件可以描述多台机器的系统，在一台上调试好后在其它机器上直接部署；
-  以及适合抄或者引用别人写好的配置文件。
-
-以上都是对于管理员来说的好处。对于用户来说的好处不是太多，但是也有一些。
-举个例子，如果用户需要使用一个没有安装的软件（例如 `phonopy`，当然实际上这个已经装了），只需要在要执行的命令前加一个逗号：
-
-```bash
-, phonopy --dim 2 2 2
-```
-
-系统就会帮你下载所有的依赖，并在一个隔离的环境中运行这个命令（不会影响这之后系统的状态）。
-
-还有一个命令可能也有用，叫 `try`。
-它会在当前的文件系统上添加一个 overlay，之后执行的命令对文件的修改只会发生在这个 overlay 上；
-  命令执行完成后，它会告诉你哪些文件发生了改变，然后可以选择实际应用这些改变还是丢弃这些改变。
-例如：
-
-```bash
-try phonopy --dim 2 2 2
-```
-
-这个命令和 NixOS 无关，只是突然想起来了。
-
-## 文件系统
-
-文件系统是 BtrFS。它的好处有：
-
-* 同样的内容只占用一份空间；以及内容会被压缩存储（在读取时自动解压）。这样大致可以节省一半左右的空间。
-  例如现在 xll 目录里放了 213 G 文件，但只占用了 137 G 空间。
-* 每小时自动备份，放置在 `/nix/persistent/.snapshots` 中，大致上会保留最近一周的备份。如果你误删了什么文件，可以去里面找回。
-
-## ZSH
-
-所谓 “shell” 就是将敲击的一行行命令转换成操作系统能理解的系统调用（C 语言的函数）的那个东西，也就是负责解释敲进去的命令的意思的那个程序。
-
-大多情况下默认的 shell 是 bash，但我装的服务器上用 zsh。
-zsh 几乎完全兼容 bash 的语法，除此以外有一些顺手的功能：
-* 如果忘记了曾经输入过的一个命令，输入其中的几个连续的字母或者单词（不一定是开头的几个字母），然后按 `↑` 键，就会自动在历史命令中依次搜索。
-  例如我输入 `install` 按几下 `↑` 键，就可以找到 `sudo nixos-rebuild boot --flake . --install-bootloader --option substituters https://nix-store.chn.moe` 这个东西。
-* 如果从头开始输入一个曾经输入过的命令，会用浅灰色提示这个命令。要直接补全全部命令，按 `→` 键。要补全一个单词，按 `Ctrl` + `→` 键。
-* 常用的命令，以及常用命令的常用选项，按几下 `tab` 键，会自动补全或者弹出提示。

devices/xmupc1/default.nix

@@ -1,103 +0,0 @@
-inputs:
-{
-  config =
-  {
-    nixos =
-    {
-      model.type = "server";
-      system =
-      {
-        fileSystems =
-        {
-          mount =
-          {
-            # TODO: reparition
-            vfat."/dev/disk/by-uuid/467C-02E3" = "/boot";
-            btrfs =
-            {
-              "/dev/disk/by-uuid/2f9060bc-09b5-4348-ad0f-3a43a91d158b"."/nix" = "/nix";
-              "/dev/disk/by-uuid/a04a1fb0-e4ed-4c91-9846-2f9e716f6e12" =
-              {
-                "/nix/rootfs" = "/nix/rootfs";
-                "/nix/persistent" = "/nix/persistent";
-                "/nix/nodatacow" = "/nix/nodatacow";
-                "/nix/rootfs/current" = "/";
-              };
-            };
-          };
-          swap = [ "/nix/swap/swap" ];
-          rollingRootfs = {};
-        };
-        nixpkgs =
-        {
-          march = "znver3";
-          cuda =
-          {
-            enable = true;
-            capabilities =
-            [
-              # p5000 p400
-              "6.1"
-              # 2080 Ti
-              "7.5"
-              # 3090
-              "8.6"
-              # 4090
-              "8.9"
-            ];
-            forwardCompat = false;
-          };
-        };
-        nix.remote.slave.enable = true;
-      };
-      hardware = { cpus = [ "amd" ]; gpu.type = "nvidia"; };
-      virtualization.kvmHost = { enable = true; gui = true; };
-      services =
-      {
-        snapper.enable = true;
-        sshd = { passwordAuthentication = true; groupBanner = true; };
-        xray.client.enable = true;
-        smartd.enable = true;
-        beesd.instances =
-        {
-          root = { device = "/"; hashTableSizeMB = 16384; threads = 4; };
-          nix = { device = "/nix"; hashTableSizeMB = 512; };
-        };
-        wireguard =
-        {
-          enable = true;
-          peers = [ "vps6" ];
-          publicKey = "JEY7D4ANfTpevjXNvGDYO6aGwtBGRXsf/iwNwjwDRQk=";
-          wireguardIp = "192.168.83.6";
-        };
-        slurm =
-        {
-          enable = true;
-          master = "xmupc1";
-          node.xmupc1 =
-          {
-            name = "xmupc1"; address = "127.0.0.1";
-            cpu = { cores = 16; threads = 2; };
-            memoryMB = 94208;
-            gpus = { "p5000" = 1; "3090" = 1; "4090" = 1; };
-          };
-          partitions.localhost = [ "xmupc1" ];
-          tui = { cpuQueues = [{ mpiThreads = 3; openmpThreads = 4; }]; gpuIds = [ "p5000" "3090" "4090" ]; };
-        };
-        xrdp = { enable = true; hostname = [ "xmupc1.chn.moe" ]; };
-        samba =
-        {
-          enable = true;
-          hostsAllowed = "";
-          shares = { home.path = "/home"; root.path = "/"; };
-        };
-        groupshare = {};
-        hpcstat = {};
-        docker = {};
-      };
-      bugs = [ "xmunet" "amdpstate" ];
-      user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" "lly" "yxf" "hss" ];
-    };
-    services.hardware.bolt.enable = true;
-  };
-}

devices/xmupc1/secrets/default.yaml

@@ -1,61 +0,0 @@
-acme:
-    token: ENC[AES256_GCM,data:KKMdZgzciiM+n0Hdsb8vivjmCw6SiqJMbEAmvFwFQgvS9zpCNSyh+g==,iv:GbNJrVLmFudVzgoLdf+j8JsEPRvrQhBu3+2585grReQ=,tag:3tNL+2hoz2R9aOz0TUTjVQ==,type:str]
-nginx:
-    maxmind-license: ENC[AES256_GCM,data:/7R7w+fiMw54Cmd7y/wT/s8RMqFMf3Fc0Mph0ZhURmCzowkmLEhtmw==,iv:i+Z+2NbssI864Edwf73SQfaeFuWoqr+U8eQ/8R23FOk=,tag:8ITlkS97vlsmHM1HDk6/3A==,type:str]
-xray-client:
-    uuid: ENC[AES256_GCM,data:4PM/d263HgBseIgRplgo5ahJ8u8HuPznXt2hW5O+VawS6WjP,iv:98Ymj4eiCGQPMcaHBI9zJAaRagm82mF0LY2c9bzA+/s=,tag:8imXq/hxAxS5XKy0uWIBPw==,type:str]
-wireguard:
-    privateKey: ENC[AES256_GCM,data:Azaqung7llErB7/IdnOnEkwjQ39yQHKcO7VgvMDCDTExM7nS0zx+yMYX4ls=,iv:FX8oLHMBVEnKkYOg8q2A9vFmtRZDws5T87+lEl7+2G8=,tag:DdOQUbNKB6JK7Tp6McQ0Og==,type:str]
-users:
-    #ENC[AES256_GCM,data:1RG/IM/UrLCk,iv:LY2QCBN0gYwuhVwS/WIrjt4MEHhjPPQG+cjTZJhU6Zc=,tag:AEL+smmitSqW+D70K74LbQ==,type:comment]
-    xll: ENC[AES256_GCM,data:YauaeGHDVAnMXp9hSz4r4jNsioF79Q+WplfsYGpl4g5FxoakhfjRlnfzrLmMO3mWEIBOmDqeShbDEulyV5O47CIBGaMUUHe+Gg==,iv:RNwRfghJBb0PO4A/T5d5J1U0NsXdygXlWq/FfF8MO4U=,tag:BOh666TYGbCCHcgB/uBhTw==,type:str]
-    #ENC[AES256_GCM,data:zxOQcoOzJNBK,iv:YJQB8lV+nhwm5XYMpDIyt0IDHBlHTiHO8cpgXkXe/dQ=,tag:re5ekGkYRewPdxv83mtLUQ==,type:comment]
-    zem: ENC[AES256_GCM,data:bIxVN4T3Gh3aSa1gylkPmW3/uT5xQAlruC+L3zk0Tc3KvwBCQA5DpxXU8ZxjeK0P0xGi02U7gFWgm+yxp6otdCsUEmWed4EHHw==,iv:vpKpY0nRUwuI5mCcYTOD3zN/E21wHl4ZbRDUPoFmdhQ=,tag:m5WTzCgOTC7oqU4yfV9gkQ==,type:str]
-    #ENC[AES256_GCM,data:ZnMFN0WzjKDd,iv:t1YHrNoHOohYsdBOqoV6OtfS5ig6CTS8jW5mKy0oSQA=,tag:WkgrH1ZXcbHruxJY/hVsmg==,type:comment]
-    yjq: ENC[AES256_GCM,data:ua0DINHutjt2Pk+SfHRQRV99mT3Cnw6rRKO8VRIAlP0dY6QhK9wkNdyRYWYRBKVrWgyFQMGNFYAxIpymjF/X7mBOVI2sOHLgkw==,iv:PUZ6S0KICuqoSA2sDLxdL4gtAOQnQXOUY+5f3qDZgpc=,tag:f39P34vAUOrV23BsKkRarA==,type:str]
-    #ENC[AES256_GCM,data:6qNjSdjck4Vz,iv:c/GNqCNgRgwgL+2f6Vumtjb/ub9WCBSy8R02NRCDqk8=,tag:b/tucJsHTjSfcK0vgHtE8A==,type:comment]
-    gb: ENC[AES256_GCM,data:3eAKBiJoC1owCHTFd3Xq8vI8VK980evePc92xCXJJ21M9D1MdbwN8ySZ3Ovjk7VfQmEo8oRv1Ll1sftyrXYoeTHmJsNDxCpR6A==,iv:Ju/ERNuGrgO5kYlbvmkbLJkgiW3Elou34AsJTFITCUg=,tag:POVlxYh9kZ1BMSbt97IVOQ==,type:str]
-    #ENC[AES256_GCM,data:/2y613pek/CO,iv:gqSh74Ac0BxPdO+fOsQ0K8t2YduwyTVOjMq/A5Wmoz0=,tag:jLUYXu7f27FruwH5rUUZSA==,type:comment]
-    wp: ENC[AES256_GCM,data:3jeHpeu1YlFhK2+o19q2/JyJPhZFivPbUQzJJbJZ15GzAVh7i1VsTSN31LufXAgsC8KjZHAPhEZlGYvnGpCvPzoISQa5NVAJdQ==,iv:bL3ohgbjA2agFKDwgw0H3LgiHTWB4Y5KlQAtHfEMr+w=,tag:SfLtj7iDcmV3dgOlITFvxA==,type:str]
-    #ENC[AES256_GCM,data:YIlY7n5pcJTp,iv:Y/+ogxaMgSl0vcMPRr3qdSHjjnnhY+N2Q6jFojzIDyQ=,tag:zat02jxJ8jI2uk8noslmHQ==,type:comment]
-    hjp: ENC[AES256_GCM,data:Ii4P9ZsUOEh3cqt3AKWlgUH1CMNnmHln9QNWdTRR3vZXkkR5j5qKAIrAltml/i3xFlt4hftYNufnupog4UlAVWQJhYBlhCSE4g==,iv:eKWmUcKItjd1dsvVP1se5CAhIFqV/eVH03gPJhBau1E=,tag:ZTE0BTSoDpJGqECklGjs2g==,type:str]
-    #ENC[AES256_GCM,data:hCgqHfpmeJ1Z,iv:pEKUNxhUyNAVtniTIQ2IpMPmXr2O+twq2/3Y2lIoqdw=,tag:RTqcI0XCoOymQD3r4+yS9Q==,type:comment]
-    zzn: ENC[AES256_GCM,data:/CSffToFJiBotXZ5rPkz0UNgI/iC0ftusPF2Ce6Of3XckjpCcikWj6n3ahJ24XsWQjp3EvacOiBorh+Kg16LjCEl0P2RMIitTQ==,iv:u9IFdp/jw7ehTshPzQVssLeh33iBYCPjSyJSLsc5EVo=,tag:/KXgmU7dcTKG8C4Y7NcMhw==,type:str]
-    #ENC[AES256_GCM,data:TN/ycWtGSCNY,iv:pSilXx4zKs53XX/L0+QFbwv13rutQG11sU0EgVhaJEA=,tag:L+MpcYYlsMnSpS1JQdnwIQ==,type:comment]
-    lly: ENC[AES256_GCM,data:XkRaNI0SqooptH/OexBCzZ4RYvA3s7qXbpCtLVidJ4pZU/o7EHlIcvMbeRxqdujhXNQ+vbS3o7CmhwJK2JVVPCCVsd6k0gMDdw==,iv:v/2mgDuR+/lb8mtyv6sn4Z9XXnuDoXkT0DeNQ7850fU=,tag:T8xxo9C7kFSNlLDjEaZK0Q==,type:str]
-mariadb:
-    slurm: ENC[AES256_GCM,data:qQMD8SKNmxb3PdScXNqppF9zkX7dV5i7rvljvZuhiI5zLnu77qYCHBW6ymh0mrY14N9NjxmQZhZWX/H8TvBlcg==,iv:J5N3LjCYW3QmuEkMBpl7qvPFW1Z9ZoPLkj45jKcIW9U=,tag:Tl+ld07+lVkmzt7f/f2MqQ==,type:str]
-hpcstat:
-    key: ENC[AES256_GCM,data:POK329h/joF7WdSBwSE1EkYH/pZ9X+wiTKcVWLZjmh7gM9d7HONbN/PqsYNFTHJVR0GgysqpLEcPN2OFGs/SSeH86o04cAdjAVznKZgt1Q34QGYy6b+io15P3lbmK0kTKmeGt5qEhGkBh6BVBoSyqbKAknvUqJ17ZkL17kyRaKffm3Zais7keEJCFdyRF6oSz2kl2CvEmKNWPWDdO9EpgqgYlm9mwu95/k9Hx5eyUjiFpxc3fdFTESGbe0ZYAqKQ0eLFfLLorQp0pAzxCbbxIzZEgyxjzkICXKa1n7Zz6h1ON2Rsqq0Q4hEYJdWGLtvOH/VLVxvNWjW4Er6i3lWGhZRiDDrxLErQGONI+X7QqbneFCnMCZGln3pAfNtOr+KX58ij/egyzmb7bKZrARqnm+X+/I/L0+VS1PfDdLP53GaX7mfKYpcH6z7O2F/zjpuXQTV8njs64YlvgyYXsCaghEUBzehsruwRsBEkTIb4R2AlqItpbesMnNNUJ4Cr/B7Bw6O+gHeJ+oK4ZPBYbgso,iv:B2eWjydl8m8nbcPw2fZfxCnj57utWM9ABj2eJ1pRKWQ=,tag:5W9ZwVSJvm1KvZnf/E5Tug==,type:str]
-telegram:
-    token: ENC[AES256_GCM,data:Mu7guAFUu+UoHvo/h1blcI6Kg3mvng6zNc/HKXuCdf73ujziK0mXwPcf7t7d/w==,iv:BkA4d0OJ4lTD7csZJQHcDnYe7SYcFbwRVYOQAWOQ2lQ=,tag:GuJ4z5pe2znTY3xNT2WF+w==,type:str]
-    chat: ENC[AES256_GCM,data:OC8ElUPmfsVL,iv:WgZMJP2ugZbqZyihdNtL1xMH8u9VpLNzO8DGpDL4w4k=,tag:u4cKABikuMUbCIm5zCnk6A==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5RWIreCtMeTZ0UE9Zd2di
-            VE9tR0x6SUNyWjlPV1BqMU5Tb0RTSXNGN2hNCkxuVjFFb0xJZTBMekxqdE96RlRh
-            czF0dHQxdVhsNE5tVWg0Q2RmYktsWDgKLS0tIFY3dHRlbFpsWUsyTzA3RVR1Qyts
-            UUJHMU13cm1lOXhRYzhSWlFyTFltYWcKDUxABRGskWWpHEFL44gHYzAqaQ3AmBDt
-            LcL/4IiEs3TwOpuY+WTVx8JKZBOsxcSlNahiDuCnoTbL4gZTPnd0pA==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1hnarptkze0ujpp05dqr8uma04cxg9zqcx68qgpks5uf5l6rpk5gqhh8wxg
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwbHd4ZHhsTk5leDlreC9E
-            TVAzRXVuS0Judk5zTGVWRVhWSUhpMFdscEg0ClVFYzZYZG9hNjJKTlRVZ1I3eXVq
-            M2Y5by85dE1QM25yQ3g3bFVSL2tsVlkKLS0tIHVYbGxrT0hOQkZ5SHBsQ3UyaVly
-            ZDNHUjE2QVlCV3p0NHdKYW5IMHVBZzQKkZtfyvfroOntg3yRjMw4jQHiQj8eaB2h
-            IeIHfW4y01mmVT2ofbtB0xYpjcl4gtUlQ8X3tn5iJ9P8gcVo0G598A==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-10-26T12:26:52Z"
-    mac: ENC[AES256_GCM,data:TiF/QAh6Y8Xn+3B1rlg+FvZFJ4fGP+szvvopbiEzO6AWBYp8dcD6MmaZstVzJL1BrRIQ3GENcq7EVyfZMWQlW8aRsVF/RrWOSpAKI1tiWDl+10Ov3zjr+Q8sFYTfblWXYH7Tq9pcWBChj1Kj88Ri5xRRfJTuelQoL0igHQBwfFM=,iv:ikzexH8P3CYu7SrRXwWd1Ar3+PEXSSjSVj5E3jwcZyQ=,tag:i5/F33/KcDJVQ4ceYtRErQ==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.9.1

devices/xmupc1/secrets/munge.key

@@ -1,24 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:tuEymMXW0f7Rui5wrz/xozphTEq6ffkYIfNIoURFNHwH2Cg+aKHz2ox0gk02BJARhPMDrxCYlChkcrEI0ma/T0eBe9sWz3tA8AOwU1lHSZ06d/JWzW7IUIyTac2mnjt3/jY/qpnR4A8wtHwD0j4zkzXgUgFwq7k/fs24acEE4Jo=,iv:iDTS0xswLrwkOYmfomE5hluVONgJYia/RjINDy7T3R0=,tag:oIYNpFCuT2D+X1QEJJiHew==,type:str]",
-	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
-		"age": [
-			{
-				"recipient": "age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3aFRRa0NsOUp5MEg3UHcx\nc3g1VFZEQS9Tci9QSnNFYnIrT3hUdVU5cWxjCnU5UXVEdTFXczJzcHVvSjF2WHdB\nYmpyQVVaUFozKzJIZThBbXUxb2k2YzAKLS0tIHE1QXVrOXo1Y3VXMzJJYitWU3Qv\neDF1cndrSi94clh1cS9NczN0UW9pOXcKtrnIj3WovMYdcg5nWnnyRhJhTGLrlwxW\nxQ6bmNrfbZedmCNdjY2lPXmudMXJ8YlWe/HGCe94x3iFlaSwCIGUsA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1hnarptkze0ujpp05dqr8uma04cxg9zqcx68qgpks5uf5l6rpk5gqhh8wxg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBocFl1SHJEemRySlBnMmNn\nVW9RS1NNdlo4M3l2WGlQaHJmbDBHcjMwaVVnCnY5WExPOXZJVEdYSlJ6UTRBMGJj\ncmlYaUNVV1hnWTNkaWVuV2VuaXN2eU0KLS0tIDBTYnd2NmVYTUJKaHZWRWo3ZlUx\nTEtPZWc2RE1XNG9WTXFOTllWVUVWeUkK+9aLz1rygGAQjpG+oMNUtrDkQaDfg+2q\nnl/CtZZrFD6NXGw6Di0X5t9fQu295NTJ/0qjXnfMigG8gDtxkE+/7g==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2024-02-26T06:04:53Z",
-		"mac": "ENC[AES256_GCM,data:y0RkPyUwwff95BFL951TxS/x5ORzMsxFJVjopSw+8iVtswD8MT1nmsbwyth4C9OnJ/IAtnZk/CjAt72a68AZpPI+2W/JqJq20ohFoquDNhTlsoyLWdO3Vjrd+Wo3hp0+iKQ3e/uYrF1sTqQO9a3OIxu2sVLM0gEDmIe2nJpLJQo=,iv:EjXTQvVdjzfClNfQ3rPxAFVWVqr7sSOz4ap+nshPEAk=,tag:DcIlf9W7NNqQ+gf8f46MwQ==,type:str]",
-		"pgp": null,
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.8.1"
-	}
-}

devices/xmupc1/tunnel.md

@@ -1,39 +0,0 @@
-# 使用 SSH 隧道连接
-
-在学校外且不使用厦大 VPN 时，无法直接连接到学校的服务器，可以通过下面的方法连接到：
-  首先连接到 vps6.chn.moe。这个服务器在校外（洛杉矶），因此可以直接连接到。
-  同时，它通过别的方式与学校的服务器保持着连接，利用这个保持着的连接，跳回到学校的服务器。
-
-这个跳转的过程不需要手动操作，只需要将软件设置好即可。
-
-## PuTTY
-
-1. 首先设置一个名为 `vps6` 的会话。
-   1. 在 Session 页，填入 `vps6.chn.moe` 作为 Host Name。
-   2. 在 Connection -> SSH -> Auth -> Credentials 页，在 “Private key file for authentication“ 选择密钥文件。
-   3. 在 Connection -> Data 页，在 “Auto-login username” 填写用户名。
-   4. 回到 Session 页，在 “Saved Sessions” 填入 `vps6` 并点击 “Save” 保存配置。
-2. 再设置一个名为 `wireguard.xmupc1` 的会话。
-   1. 在 Session 页，填入 `wireguard.xmupc1.chn.moe` 作为 Host Name。
-   2. 在 Connection -> SSH -> Auth -> Credentials 页和 Connection -> Data 页，需要修改的设置与在 `vps6` 会话中相同。
-   3. 在 Connection -> Proxy 页，设置 Proxy type 为 `SSH to proxy and use port forwarding`，Proxy hostname 为 `vps6`。
-   4. 回到 Session 页，在 “Saved Sessions” 填入 `wireguard.xmupc1` 并点击 “Save” 保存配置。
-
-之后双击双击 `wireguard.xmupc1` 会话即可连接到学校的服务器。
-
-## WinSCP
-
-1. 在登陆界面，点击 “新建站点”。
-   1. 设置 “文件协议” 为 `SCP`，“主机名” 为 `wireguard.xmupc1.chn.moe`，并输入用户名。
-   2. 然后点击右下角 “高级” 继续修改设置。
-   3. 在 连接 -> 隧道 页，勾选 “通过 SSH 隧道进行连接”，主机名填写 `vps6.chn.moe`，选择密钥文件，并填写用户名。
-   4. 在 SSH -> 验证 页，选择密钥文件。
-   5. 点击 “确定”，再点击 “保存”。
-
-## OpenSSH
-
-下面是一个命令的示例：
-
-```bash
-ssh -J username@vps6.chn.moe username@wireguard.xmupc1.chn.moe
-```

devices/xmupc2/README.md

@@ -1,29 +0,0 @@
-# 硬件
-
-* CPU：44 核 88 线程。
-* 内存：256 G。
-* 显卡：
-  * 4090：24 G 显存。
-  * ~~P5000：16 G 显存~~暂时拔掉了，否则 4090 供电不够。
-* 硬盘：18 T。
-
-# 支持的连接协议
-
-## SSH
-
-* 地址：xmupc2.chn.moe
-* 端口：6394
-* 用户名：自己名字的拼音首字母
-* 可以用密码登陆，也可以用证书登陆。
-
-## RDP
-
-* 地址：xmupc2.chn.moe:3390
-* 用户名：自己名字的拼音首字母
-* 密码和 ssh 一样（使用同样的验证机制）。
-
-## samba
-
-因端口冲突暂时禁用。
-
-其它内容请阅读 [xmupc1](../xmupc1) 的说明，两台机器的软件大致是一样的。

devices/xmupc2/default.nix

@@ -1,95 +0,0 @@
-inputs:
-{
-  config =
-  {
-    nixos =
-    {
-      model.type = "server";
-      system =
-      {
-        fileSystems =
-        {
-          mount =
-          {
-            vfat."/dev/disk/by-uuid/23CA-F4C4" = "/boot";
-            btrfs =
-            {
-              "/dev/disk/by-uuid/d187e03c-a2b6-455b-931a-8d35b529edac" =
-                { "/nix/rootfs/current" = "/"; "/nix" = "/nix"; };
-            };
-          };
-          swap = [ "/nix/swap/swap" ];
-          rollingRootfs = {};
-        };
-        nixpkgs =
-        {
-          march = "skylake";
-          cuda =
-          {
-            enable = true;
-            capabilities =
-            [
-              # p5000 p400
-              "6.1"
-              # 2080 Ti
-              "7.5"
-              # 3090
-              "8.6"
-              # 4090
-              "8.9"
-            ];
-            forwardCompat = false;
-          };
-        };
-        nix =
-        {
-          marches =
-          [
-            "broadwell" "skylake"
-            # AVX512F CLWB AVX512VL AVX512BW AVX512DQ AVX512CD AVX512VNNI
-            # "cascadelake"
-          ];
-          remote.slave.enable = true;
-        };
-        grub.windowsEntries."8F50-83B8" = "猿神，启动！";
-      };
-      hardware = { cpus = [ "intel" ]; gpu.type = "nvidia"; };
-      virtualization.kvmHost = { enable = true; gui = true; };
-      services =
-      {
-        snapper.enable = true;
-        sshd = { passwordAuthentication = true; groupBanner = true; };
-        xray.client.enable = true;
-        smartd.enable = true;
-        beesd.instances.root = { device = "/"; hashTableSizeMB = 16384; threads = 4; };
-        wireguard =
-        {
-          enable = true;
-          peers = [ "vps6" ];
-          publicKey = "lNTwQqaR0w/loeG3Fh5qzQevuAVXhKXgiPt6fZoBGFE=";
-          wireguardIp = "192.168.83.7";
-        };
-        slurm =
-        {
-          enable = true;
-          master = "xmupc2";
-          node.xmupc2 =
-          {
-            name = "xmupc2"; address = "127.0.0.1";
-            cpu = { sockets = 2; cores = 22; threads = 2; };
-            memoryMB = 253952;
-            gpus."4090" = 1;
-          };
-          partitions.localhost = [ "xmupc2" ];
-          tui = { cpuQueues = [{ mpiThreads = 8; openmpThreads = 10; }]; gpuIds = [ "4090" ]; };
-        };
-        xrdp = { enable = true; hostname = [ "xmupc2.chn.moe" ]; };
-        samba = { enable = true; hostsAllowed = ""; shares = { home.path = "/home"; root.path = "/"; }; };
-        groupshare = {};
-        docker = {};
-      };
-      bugs = [ "xmunet" ];
-      user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" "lly" "yxf" "hss" ];
-    };
-  };
-}

devices/xmupc2/secrets/default.yaml

@@ -1,54 +0,0 @@
-acme:
-    token: ENC[AES256_GCM,data:Wb7Gons3HCMK5WGIZpG4XrrqZ5G6bymjuKMW6IUjLiK0CIXFz/ARNg==,iv:zc4BgHcc+O7SHQbJkff11fBwgsd+TFtvSEGJ/qrzVo4=,tag:K+Nu9kenTtTnin4+hDCdWA==,type:str]
-nginx:
-    maxmind-license: ENC[AES256_GCM,data:FPVSD8otQMNpbESNEHXCfQjB/zi3OVwZoyLijUtnHQlQzec7KVSiGw==,iv:DkkwCqvRmcFHQIXseh2fycCxZboJMYhHPu67GddenY4=,tag:iHEC8r5GcuB1QcZ5Uf8Skw==,type:str]
-xray-client:
-    uuid: ENC[AES256_GCM,data:j2R0UtfS/es2A+Ic+Kq6FZJSqXlA/Q8tGkuAIX0ZdTsV4hGk,iv:Ovpr49isIJRdUyM3jxgiT+9Sc+qTF6ZnkKUwxIq6KUs=,tag:2VRSkiPNWaOmCqLJti8Bzw==,type:str]
-wireguard:
-    privateKey: ENC[AES256_GCM,data:0Vw9NVs/Kxc52zUlmeAPFeOG8msdL0YopjhzFKRWhv6+kfb+SFObOP8EJ2M=,iv:KgIZIawbnN+1sIcMjNECkdtujPbg7yQktKVc25SXavI=,tag:b79oZP+GZKmM3OVFshvFhg==,type:str]
-users:
-    #ENC[AES256_GCM,data:FP1Mr1TmRI4L,iv:3K4LMbOQPvF1ORWNyaXDoC5MXn3yColR4eKs9sm9y5s=,tag:f3guTegVXw1A6aqolKQnqA==,type:comment]
-    xll: ENC[AES256_GCM,data:CAEd+usnLKoQZ+0PLEiJfbZpz2pyn+I/edC2KbNXBXZPAgT7IDENMnSQyxme899KqRVL4nLrtHs82aA8+kl/dE+QYSTCFVVuHg==,iv:Hs8rb0Iu5Xw74p9/cL2gWfPLh61VaLzIltKUSjRFZjc=,tag:/u5vI0oTMQbNoCEzhcWqOw==,type:str]
-    #ENC[AES256_GCM,data:UIns0CnC/QmJ,iv:Gn4XDPcdTyDLXAgGq7qwayrN206Gx7JsJ3V9G+4bTyA=,tag:FITVs8Tgkiq1XoS8joXM1Q==,type:comment]
-    zem: ENC[AES256_GCM,data:znpGuS8LVxaztnwQlIwu3hykWRBUtQvOsniLaOasXDbw9lHGX8lwwYJuCE+0I14HmiZK/RrrouIwfAfcjZQzPyjJ/SRoOG1Vyg==,iv:YXHX43y99/w9102vhsvFLVOUtJmuRnLVLu+ywfn9URY=,tag:AzsmkXOyX7y/D+ndteuMmA==,type:str]
-    #ENC[AES256_GCM,data:6vMItERptBsX,iv:G0sDjEfLciheMxTZbeLIbWKlimPD1ANIk/VVdhQifXA=,tag:oR9FEdVx6W+0uDeKfb37iw==,type:comment]
-    yjq: ENC[AES256_GCM,data:sGPQ0xALULREnhzl9g/V91M5osMglsSps6R4gYn5OZc/4xVC1phF3qajVN3YMOr7kKgkHbF2Rjm6/2vuK0k1iYZnFswUAmFlmw==,iv:5vG1hn7SlX6HCpas2BgxBSwWqLby8OCxcH3EKNvceIc=,tag:TVwFBAuosKnEOZecq1phXw==,type:str]
-    #ENC[AES256_GCM,data:ALHxkRABA+ll,iv:r1IDiHLFcTdLID3q16zrLTavAwQfddC7bXMKcFZFveI=,tag:4Pd0/Q1BmH4gJjaM4hbqqQ==,type:comment]
-    gb: ENC[AES256_GCM,data:z4CrtdmdLJJ0qZzr7qvihnluJQgjtciX56KdEmtemiRu0llEJk9qz6a23aJ7m40Sfc38elF1/LsvjOuBOC87+BVkKDCj76phag==,iv:WrFVxkr3snmqDXZx5kAYCLp7ixEIzxoT7El3rV7Ovqg=,tag:iExf2Y/HObHQrKMTRvqn7A==,type:str]
-    #ENC[AES256_GCM,data:XfNExliq7noL,iv:K+rFlZHF1oY5rsTzaO0mgxiE1VlKdtPTifAaesg321k=,tag:Dja8NmPWZdJkf/J/96/wAw==,type:comment]
-    wp: ENC[AES256_GCM,data:yjMDez28pJUo6riIHypQQgjGFbuLwy87eG4ek/+Li2w8b4Cm5JckRvs26o+S0blfICc8WqIqEJGakT2wVBE5O1jGfniKn3PhTA==,iv:dOA318XRd2EXxmTIlk6GhlAR/FBpbKkbPJJCXTwFCxM=,tag:9MkXNUuAoplAzE+4eJpr0w==,type:str]
-    #ENC[AES256_GCM,data:YGcTkNCeu3m7,iv:jYmVrfRFwQoX1XxeSzS23wRMAD/AnzYBXQjI76Ke2FE=,tag:WJfSmjdggzPojDcJ6GzP+A==,type:comment]
-    hjp: ENC[AES256_GCM,data:0R5SfBFKuLGurwINnTj31FOrwwfY9bqVS1rG/a0HqIYd+Ui8/2ffFBx0Et+tYIqcxXEJpGbvse43V0naNKmFKlLanfcy9YV/Hg==,iv:mpAUmcVHWWLoreEsG9ha09jxte8mQCLt/A7nm04iX9Y=,tag:bia9pjL0MAcs9vj1gKCVCQ==,type:str]
-    #ENC[AES256_GCM,data:Q3TFPjvcDmKh,iv:eZ1NXGQr9HogxWa46T26WL63nvqho2/KSji8Dgse76o=,tag:iSGPRMCMolp7LVFjJGPotg==,type:comment]
-    lly: ENC[AES256_GCM,data:tP/NtJcMUtZPvuAqoM6KhCMybhsTxKSq4WWW3SBzQ/O0FmUXhECQc5CQnI4J9PlalP7Ug+uUQzeBMnHN84pkKNIeHVJhqjU8Zw==,iv:7TPPuSfXypSRnnhuy8LJSXIB+KB+3vWV0G7AbCZpB6s=,tag:iSLgRxOHgUolByFyvwltNQ==,type:str]
-mariadb:
-    slurm: ENC[AES256_GCM,data:9wLQ1zF/kDaiw0s3UaRpiHgmngU7u6hwyqpddSjev0+Z0v58Q2oiJtK8vn+2VlSxx5ACfqEFbzp0PZYAxd575w==,iv:q9JTkgDymOwkbZ/PaxRAAQrtO96QmGgZcQuLTFCMoS4=,tag:dwOHlOTgZqT/1jQ+oGf7UQ==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0Rmc2Ull1WFB4Smh3c0Zl
-            emlTNGJKZkpIK2JFeUNVeUcrR2FzRXRQZHlvCkhzMHpzYmZRZ0M0cXdRVi8wZmp6
-            ZDRZQ2FkOWt6M0lrdjBHa3VTWXBDKzgKLS0tIGtJbTRRelg1VVk2QStwdzlFM1g4
-            M1JOd1g3cVdjUFRhZ0FxcWphZXZJbkkKFXDtJVoi+qIrXp6cznevuZ+peBiRRITP
-            rrplqLiYsNIGKmKYtRIUu8WXDZ2q2CJ8Z+pka3W3H/U+m957hBDWyw==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1l4stuz0vr7gs7pqwjrmezam44702jp2vmqaqyxw0l0r42kf9updq4dfhrw
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsSHdka3FPQUYrcXQzcTFo
-            a000TUllT0MvUzk5ZzVFbXZheG9ZVTM2S253CkE5VW9tQktvL2pMWFoxcnFjTGpr
-            Z0p1RjZWRGpSZ01TdTZRcEJXM2NOUkUKLS0tIC9rNmNzWitMdEd5dXQvdWlELzhM
-            M0xoL1dQR0kvMWpzN0RMNWVCTFQxNFUKj9LPjBo5NGOrGYNvu8qZ13PLYjLEWllU
-            LARzEn4XgkeHckouwvxZYMCx7WxmAruRWaOvnxTIczzSNP7wIrqnkA==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-10-26T12:27:03Z"
-    mac: ENC[AES256_GCM,data:q1EihAxiS23XoKWt4ogBo34pP7J6i/yFglmmvFIdWKIgwaoXWFexKrdu1oRZBIxISW+3b/NzkuUm1anu3sGFGiirDpllg8wu8ezXJJODb8yTU0HJpZ/9vjBPm+ZBt5zFzGky7kmW+qOFfUsZkr8dCiJil/Z0HrXrY2d59ksxhto=,iv:7b6ePa4xXdjrj8O2JWAptsONz8gPApS3roYMuRyrztU=,tag:uzOcc8H2W6VvGDkrex5M6A==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.9.1

doc/setup.md

@@ -27,4 +27,5 @@ mungekey -k munge.key
 mv munge.key munge.key.orig
 sops -e --input-type binary --output-type binary munge.key.orig > munge.key
 rm munge.key.orig
+sudo nix build --store 'local?root=/mnt' --option substituters https://nix-store.chn.moe --option require-sigs false  /nix/store/khhqmly5295ns33dz1s3m3sb79icj6bi-nixos-system-srv3-production-24.11
 ```

doc/迁移服务器.md

@@ -0,0 +1,9 @@
+1. 调整代码，编译。
+2. 将系统上传到新机。不要 rebuild。
+3. 如果原机数据比较多，则先传输一个快照过去。
+4. 将原机停机，修改 dns。
+5. 传输原机的数据到新机，但不要替换子卷。
+6. 替换 initrd ssh key，rebuild。
+7. 替换子卷。
+8. 替换 luks 密钥。
+9. 重启。

flake.lock

@@ -25,15 +25,17 @@
     "blog": {
       "flake": false,
       "locked": {
-        "lastModified": 1733321482,
-        "narHash": "sha256-xSEMEFZQFdyYEQi9cK6wNqvqSSMbsGvqEA+mtyUC7QQ=",
+        "lastModified": 1742891194,
+        "lfs": true,
+        "narHash": "sha256-MTP/2zAh8VUft3mlgLOWYRuYslDKDu+YRM6BM8r9L9w=",
         "ref": "refs/heads/public",
-        "rev": "91de30ed2cedf45ba1dc1962f853994e4bb8f5d2",
-        "revCount": 10,
+        "rev": "99ec653eac9f8452500ee3a2d553728dd60a1a11",
+        "revCount": 27,
         "type": "git",
         "url": "https://git.chn.moe/chn/blog-public.git"
       },
       "original": {
+        "lfs": true,
         "type": "git",
         "url": "https://git.chn.moe/chn/blog-public.git"
       }
@@ -74,6 +76,21 @@
         "url": "https://git.chn.moe/chn/bscpkgs.git"
       }
     },
+    "cachyos-lts": {
+      "locked": {
+        "lastModified": 1742394059,
+        "narHash": "sha256-knN9uM2TZX0NvH9mKnpY8ukk4zuTfhljmTYnEAmxfHI=",
+        "owner": "drakon64",
+        "repo": "nixos-cachyos-kernel",
+        "rev": "e585b7a3fca1e7af76da44c4205c87fb53637b70",
+        "type": "github"
+      },
+      "original": {
+        "owner": "drakon64",
+        "repo": "nixos-cachyos-kernel",
+        "type": "github"
+      }
+    },
     "catppuccin": {
       "locked": {
         "lastModified": 1734057772,
@@ -183,22 +200,6 @@
         "type": "github"
       }
     },
-    "eigen": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1733870909,
-        "narHash": "sha256-hUVxiyRX4ctyYPS+yDsuQ8D/Uby9ocZV2u0fRQZc2Y4=",
-        "owner": "libeigen",
-        "repo": "eigen",
-        "rev": "af59ada0accc722ebd930ec65340156dbe62ffa1",
-        "type": "gitlab"
-      },
-      "original": {
-        "owner": "libeigen",
-        "repo": "eigen",
-        "type": "gitlab"
-      }
-    },
     "envfs": {
       "inputs": {
         "flake-parts": "flake-parts",
@@ -221,6 +222,22 @@
         "type": "github"
       }
     },
+    "fancy-motd": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1736588104,
+        "narHash": "sha256-+gMuluff5fySXAPz1V8f2IfRsOvJY4QOf58Bsn8O+UE=",
+        "owner": "CHN-beta",
+        "repo": "fancy-motd",
+        "rev": "9b01e6f007538a80c66d24a765df052984b88e95",
+        "type": "github"
+      },
+      "original": {
+        "owner": "CHN-beta",
+        "repo": "fancy-motd",
+        "type": "github"
+      }
+    },
     "flake-compat": {
       "flake": false,
       "locked": {
@@ -556,15 +573,15 @@
         ]
       },
       "locked": {
-        "lastModified": 1733951536,
-        "narHash": "sha256-Zb5ZCa7Xj+0gy5XVXINTSr71fCfAv+IKtmIXNrykT54=",
-        "owner": "nix-community",
+        "lastModified": 1744526849,
+        "narHash": "sha256-dSV9W6he2Qs3Oq3XwKTUvXRLLra7JkOjAA8Gf4oXxBk=",
+        "owner": "CHN-beta",
         "repo": "home-manager",
-        "rev": "1318c3f3b068cdcea922fa7c1a0a1f0c96c22f5f",
+        "rev": "f23a198156137477251f35db8282d74299dba15c",
         "type": "github"
       },
       "original": {
-        "owner": "nix-community",
+        "owner": "CHN-beta",
         "ref": "release-24.11",
         "repo": "home-manager",
         "type": "github"
@@ -572,15 +589,15 @@
     },
     "impermanence": {
       "locked": {
-        "lastModified": 1731242966,
-        "narHash": "sha256-B3C3JLbGw0FtLSWCjBxU961gLNv+BOOBC6WvstKLYMw=",
-        "owner": "nix-community",
+        "lastModified": 1736844146,
+        "narHash": "sha256-6eS83yDdY/Rwebm0ViqfWXtVgnNW6xk4EbEmf3uCZb8=",
+        "owner": "CHN-beta",
         "repo": "impermanence",
-        "rev": "3ed3f0eaae9fcc0a8331e77e9319c8a4abd8a71a",
+        "rev": "6436d81394a3b83ff32e57de08d5adab2177ce7f",
         "type": "github"
       },
       "original": {
-        "owner": "nix-community",
+        "owner": "CHN-beta",
         "repo": "impermanence",
         "type": "github"
       }
@@ -623,19 +640,19 @@
         "type": "github"
       }
     },
-    "lmod": {
+    "mac-style": {
       "flake": false,
       "locked": {
-        "lastModified": 1734125811,
-        "narHash": "sha256-eytDTLzRIbQ2M0wn4IVJkmOetoljX/SsdSnDU00i1GE=",
-        "owner": "TACC",
-        "repo": "Lmod",
-        "rev": "1dce13ccf52af75d952e3eb3268716af6e2d7882",
+        "lastModified": 1717900224,
+        "narHash": "sha256-tYB4fJ87UnYczaW8/w32cBzbwCw1+IDHp8BnHSyqNNg=",
+        "owner": "SergioRibera",
+        "repo": "s4rchiso-plymouth-theme",
+        "rev": "856bf3b7d239f995e4e9dde8458b9823cf0e96e4",
         "type": "github"
       },
       "original": {
-        "owner": "TACC",
-        "repo": "Lmod",
+        "owner": "SergioRibera",
+        "repo": "s4rchiso-plymouth-theme",
         "type": "github"
       }
     },
@@ -658,11 +675,11 @@
     "misskey": {
       "flake": false,
       "locked": {
-        "lastModified": 1732375939,
-        "narHash": "sha256-ZlyBBJniDJ8yS3ALMQ9gfsVUDTzp/U4Pr3SOtE5FttY=",
+        "lastModified": 1741081524,
+        "narHash": "sha256-nQeFtBJszv+cQS/AmH4b3dUrTghsJ1HV+IzI7FKwohM=",
         "ref": "refs/heads/chn-mod",
-        "rev": "bb3ae0b9c84126dada9ce7e13a42962a8889eba8",
-        "revCount": 26357,
+        "rev": "4257feb1a420f86767d021eb0b040e5cfb70eb0c",
+        "revCount": 26581,
         "submodules": true,
         "type": "git",
         "url": "https://github.com/CHN-beta/misskey"
@@ -842,26 +859,28 @@
     "nixos-wallpaper": {
       "flake": false,
       "locked": {
-        "lastModified": 1715952274,
-        "narHash": "sha256-i2L4L9mV/wOl6QV+d8pyLZUHS+QIFJN5lYuQrP+CSjk=",
+        "lastModified": 1744538666,
+        "lfs": true,
+        "narHash": "sha256-zCwEdAOMllhrdUwpSfy8rqWzBjNjeNfCnqxDDYUEvZ4=",
         "ref": "refs/heads/main",
-        "rev": "1ad78b20b21c9f4f7ba5f4c897f74276763317eb",
-        "revCount": 1,
+        "rev": "7d2443415102cced84dfec8df7011d452fe3af7b",
+        "revCount": 5,
         "type": "git",
         "url": "https://git.chn.moe/chn/nixos-wallpaper.git"
       },
       "original": {
+        "lfs": true,
         "type": "git",
         "url": "https://git.chn.moe/chn/nixos-wallpaper.git"
       }
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1734506497,
-        "narHash": "sha256-QUO9YrOn10xSfc4Ov84GqbQclQPZwi4SPZC644HdNDc=",
+        "lastModified": 1743565176,
+        "narHash": "sha256-4ZWM5Y8FMuiGb3P7mh9gMPAR5gyJ+z93bAVd4h/JvoA=",
         "owner": "CHN-beta",
         "repo": "nixpkgs",
-        "rev": "94a86525c9e4fe0221191f6d6aa01d6186e0628b",
+        "rev": "6ff3bce5cee44d6ea68c8d5b38387f5b8e117658",
         "type": "github"
       },
       "original": {
@@ -947,6 +966,42 @@
         "type": "github"
       }
     },
+    "nixpkgs-unstable": {
+      "locked": {
+        "lastModified": 1745632361,
+        "narHash": "sha256-8passzXtSBJzX3gX3Ifur1VsKJrO+3czaqSvwk37VhE=",
+        "owner": "CHN-beta",
+        "repo": "nixpkgs",
+        "rev": "cf2bbd1c49e1d9c7d9be4b02561e4a490a64aa48",
+        "type": "github"
+      },
+      "original": {
+        "owner": "CHN-beta",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixvirt": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1746422433,
+        "narHash": "sha256-nW0RYiwihHIqVOQZvBbeNmg68w95c4GBHPeZwAjCJeU=",
+        "owner": "CHN-beta",
+        "repo": "NixVirt",
+        "rev": "648bd88b426289728f54c0c3c19a861596c725bd",
+        "type": "github"
+      },
+      "original": {
+        "owner": "CHN-beta",
+        "repo": "NixVirt",
+        "type": "github"
+      }
+    },
     "nu-scripts": {
       "flake": false,
       "locked": {
@@ -1068,6 +1123,22 @@
         "type": "github"
       }
     },
+    "octodns-cloudflare": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1743461547,
+        "narHash": "sha256-XYZRiUZC7HtUrSo7fnJyL6gGPi/Npi8C+8msm7sVifE=",
+        "owner": "octodns",
+        "repo": "octodns-cloudflare",
+        "rev": "a306f9a83c1b1a89c7a7fca545618644ed50f869",
+        "type": "github"
+      },
+      "original": {
+        "owner": "octodns",
+        "repo": "octodns-cloudflare",
+        "type": "github"
+      }
+    },
     "openxlsx": {
       "flake": false,
       "locked": {
@@ -1085,6 +1156,23 @@
         "type": "github"
       }
     },
+    "phono3py": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1740821378,
+        "narHash": "sha256-B9Q0AqINtyoiT+V00VHpBPDzXCqie6lGYeBiLl6UgRM=",
+        "owner": "phonopy",
+        "repo": "phono3py",
+        "rev": "7a2b54faa7993b6f24080783b85bd6d6dadb2ccc",
+        "type": "github"
+      },
+      "original": {
+        "owner": "phonopy",
+        "ref": "v3.14.1",
+        "repo": "phono3py",
+        "type": "github"
+      }
+    },
     "plasma-manager": {
       "inputs": {
         "home-manager": [
@@ -1185,35 +1273,20 @@
         "type": "github"
       }
     },
-    "qd": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1452446912,
-        "narHash": "sha256-ftU28BMGUCq0or0nVkf9fryaLfqGnMonmHu7UuyjMTQ=",
-        "owner": "scibuilder",
-        "repo": "QD",
-        "rev": "a5dbb6136ac1739e7e6955bf7b0c0fa05f3b2cbd",
-        "type": "github"
-      },
-      "original": {
-        "owner": "scibuilder",
-        "repo": "QD",
-        "type": "github"
-      }
-    },
     "root": {
       "inputs": {
         "aagl": "aagl",
         "blog": "blog",
         "blurred-wallpaper": "blurred-wallpaper",
         "bscpkgs": "bscpkgs",
+        "cachyos-lts": "cachyos-lts",
         "catppuccin": "catppuccin",
         "chaotic": "chaotic",
         "concurrencpp": "concurrencpp",
         "cppcoro": "cppcoro",
         "date": "date",
-        "eigen": "eigen",
         "envfs": "envfs",
+        "fancy-motd": "fancy-motd",
         "git-lfs-transfer": "git-lfs-transfer",
         "gricad": "gricad",
         "hextra": "hextra",
@@ -1221,7 +1294,7 @@
         "home-manager": "home-manager",
         "impermanence": "impermanence",
         "lepton": "lepton",
-        "lmod": "lmod",
+        "mac-style": "mac-style",
         "matplotplusplus": "matplotplusplus",
         "misskey": "misskey",
         "mumax": "mumax",
@@ -1234,15 +1307,18 @@
         "nixpkgs": "nixpkgs",
         "nixpkgs-23.05": "nixpkgs-23.05",
         "nixpkgs-23.11": "nixpkgs-23.11",
+        "nixpkgs-unstable": "nixpkgs-unstable",
+        "nixvirt": "nixvirt",
         "nu-scripts": "nu-scripts",
         "nur-linyinfeng": "nur-linyinfeng",
         "nur-xddxdd": "nur-xddxdd",
+        "octodns-cloudflare": "octodns-cloudflare",
         "openxlsx": "openxlsx",
+        "phono3py": "phono3py",
         "plasma-manager": "plasma-manager",
         "pocketfft": "pocketfft",
         "py4vasp": "py4vasp",
         "qchem": "qchem",
-        "qd": "qd",
         "rsshub": "rsshub",
         "rycee": "rycee",
         "slate": "slate",
@@ -1262,11 +1338,11 @@
     "rsshub": {
       "flake": false,
       "locked": {
-        "lastModified": 1734135595,
-        "narHash": "sha256-D0mAiHuAFLMBZvBzspbqAlqXXdhYG45fhrYVkCdmA48=",
+        "lastModified": 1737621586,
+        "narHash": "sha256-3rlojj//tAVCdPz9NkkgsSQqxe9478ExOL1LyH4spPM=",
         "owner": "DIYgod",
         "repo": "RSSHub",
-        "rev": "3a8d34ee3f8cc38907296e74e923754297e249d4",
+        "rev": "62a61e5e7945d539bf89175c96bac2b4ab148bba",
         "type": "github"
       },
       "original": {
@@ -1533,15 +1609,17 @@
     "ufo": {
       "flake": false,
       "locked": {
-        "lastModified": 1735033622,
-        "narHash": "sha256-9/stVpqNKMUXEQHQWuU1mKVe8ODVpOjL5BYIdfY0P8A=",
+        "lastModified": 1743502543,
+        "lfs": true,
+        "narHash": "sha256-8ltPlFW1IRECUE2iaS5S5lLqKSDcF/k4RNH6NuAAPig=",
         "ref": "refs/heads/main",
-        "rev": "d4578c7991e48140b6f885b2acb110776b56040c",
-        "revCount": 76,
+        "rev": "745353d0896b31bb239abf6dd909dec29bfc866a",
+        "revCount": 79,
         "type": "git",
         "url": "https://git.chn.moe/chn/ufo.git"
       },
       "original": {
+        "lfs": true,
         "type": "git",
         "url": "https://git.chn.moe/chn/ufo.git"
       }

flake.nix

@@ -3,10 +3,12 @@
 
   inputs =
   {
+    self.lfs = true;
     nixpkgs.url = "github:CHN-beta/nixpkgs/nixos-24.11";
     "nixpkgs-23.11".url = "github:CHN-beta/nixpkgs/nixos-23.11";
     "nixpkgs-23.05".url = "github:CHN-beta/nixpkgs/nixos-23.05";
-    home-manager = { url = "github:nix-community/home-manager/release-24.11"; inputs.nixpkgs.follows = "nixpkgs"; };
+    nixpkgs-unstable.url = "github:CHN-beta/nixpkgs/nixos-unstable";
+    home-manager = { url = "github:CHN-beta/home-manager/release-24.11"; inputs.nixpkgs.follows = "nixpkgs"; };
     sops-nix = { url = "github:Mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; };
     nix-index-database = { url = "github:Mic92/nix-index-database"; inputs.nixpkgs.follows = "nixpkgs"; };
     nur-xddxdd = { url = "github:xddxdd/nur-packages"; inputs.nixpkgs.follows = "nixpkgs"; };
@@ -15,7 +17,7 @@
       url = "github:nix-community/nix-vscode-extensions?rev=7aa26ebccf778efe880fda1290db9c1da56ffa4f";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    impermanence.url = "github:nix-community/impermanence";
+    impermanence.url = "github:CHN-beta/impermanence";
     qchem = { url = "github:Nix-QChem/NixOS-QChem/master"; inputs.nixpkgs.follows = "nixpkgs"; };
     plasma-manager =
     {
@@ -35,6 +37,8 @@
     bscpkgs = { url = "git+https://git.chn.moe/chn/bscpkgs.git"; inputs.nixpkgs.follows = "nixpkgs"; };
     winapps = { url = "github:winapps-org/winapps/feat-nix-packaging"; inputs.nixpkgs.follows = "nixpkgs"; };
     aagl = { url = "github:ezKEa/aagl-gtk-on-nix/release-24.11"; inputs.nixpkgs.follows = "nixpkgs"; };
+    cachyos-lts.url = "github:drakon64/nixos-cachyos-kernel";
+    nixvirt = { url = "github:CHN-beta/NixVirt"; inputs.nixpkgs.follows = "nixpkgs"; };
 
     misskey = { url = "git+https://github.com/CHN-beta/misskey?submodules=1"; flake = false; };
     rsshub = { url = "github:DIYgod/RSSHub"; flake = false; };
@@ -42,7 +46,6 @@
     concurrencpp = { url = "github:David-Haim/concurrencpp"; flake = false; };
     cppcoro = { url = "github:Garcia6l20/cppcoro"; flake = false; };
     date = { url = "github:HowardHinnant/date"; flake = false; };
-    eigen = { url = "gitlab:libeigen/eigen"; flake = false; };
     matplotplusplus = { url = "github:alandefreitas/matplotplusplus"; flake = false; };
     nameof = { url = "github:Neargye/nameof"; flake = false; };
     tgbot-cpp = { url = "github:reo7sp/tgbot-cpp"; flake = false; };
@@ -51,7 +54,6 @@
     blurred-wallpaper = { url = "github:bouteillerAlan/blurredwallpaper"; flake = false; };
     slate = { url = "github:TheBigWazz/Slate"; flake = false; };
     lepton = { url = "github:black7375/Firefox-UI-Fix"; flake = false; };
-    lmod = { url = "github:TACC/Lmod"; flake = false; };
     mumax = { url = "github:CHN-beta/mumax"; flake = false; };
     openxlsx = { url = "github:troldal/OpenXLSX?rev=f85f7f1bd632094b5d78d4d1f575955fc3801886"; flake = false; };
     sqlite-orm = { url = "github:fnc12/sqlite_orm"; flake = false; };
@@ -62,14 +64,17 @@
     nu-scripts = { url = "github:nushell/nu_scripts"; flake = false; };
     py4vasp = { url = "github:vasp-dev/py4vasp"; flake = false; };
     pocketfft = { url = "github:mreineck/pocketfft"; flake = false; };
-    blog = { url = "git+https://git.chn.moe/chn/blog-public.git"; flake = false; };
-    nixos-wallpaper = { url = "git+https://git.chn.moe/chn/nixos-wallpaper.git"; flake = false; };
+    blog = { url = "git+https://git.chn.moe/chn/blog-public.git?lfs=1"; flake = false; };
+    nixos-wallpaper = { url = "git+https://git.chn.moe/chn/nixos-wallpaper.git?lfs=1"; flake = false; };
     spectroscopy = { url = "github:skelton-group/Phonopy-Spectroscopy"; flake = false; };
     vaspberry = { url = "github:Infant83/VASPBERRY"; flake = false; };
-    ufo = { url = "git+https://git.chn.moe/chn/ufo.git"; flake = false; };
+    ufo = { url = "git+https://git.chn.moe/chn/ufo.git?lfs=1"; flake = false; };
     highfive = { url = "git+https://github.com/CHN-beta/HighFive?submodules=1"; flake = false; };
     stickerpicker = { url = "github:maunium/stickerpicker"; flake = false; };
-    qd = { url = "github:scibuilder/QD"; flake = false; };
+    fancy-motd = { url = "github:CHN-beta/fancy-motd"; flake = false; };
+    octodns-cloudflare = { url = "github:octodns/octodns-cloudflare"; flake = false; };
+    mac-style = { url = "github:SergioRibera/s4rchiso-plymouth-theme?lfs=1"; flake = false; };
+    phono3py = { url = "github:phonopy/phono3py/v3.14.1"; flake = false; };
   };
 
   outputs = inputs: let localLib = import ./flake/lib.nix inputs.nixpkgs.lib; in
@@ -78,8 +83,13 @@
     nixosConfigurations = import ./flake/nixos.nix { inherit inputs localLib; };
     overlays.default = final: prev:
       { localPackages = (import ./packages { inherit localLib; pkgs = final; topInputs = inputs; }); };
-    config = { archive = false; branch = "production"; };
+    config =
+    {
+      branch = import ./flake/branch.nix;
+      dns = inputs.self.packages.x86_64-linux.dns-push.meta.config;
+    };
     devShells.x86_64-linux = import ./flake/dev.nix { inherit inputs; };
     src = import ./flake/src.nix { inherit inputs; };
+    apps.x86_64-linux.dns-push = { type = "app"; program = "${inputs.self.packages.x86_64-linux.dns-push}"; };
   };
 }

flake/branch.nix

@@ -0,0 +1 @@
+"production"

flake/dev.nix

@@ -7,7 +7,7 @@
     CMAKE_EXPORT_COMPILE_COMMANDS = "1";
     hardeningDisable = [ "all" ];
   };
-  hpcstat = pkgs.mkShell.override { stdenv = pkgs.clang18Stdenv; }
+  hpcstat = pkgs.mkShell.override { stdenv = pkgs.gcc14Stdenv; }
   {
     inputsFrom = [ (pkgs.localPackages.hpcstat.override { version = null; }) ];
     packages = [ pkgs.clang-tools_18 ];
@@ -48,4 +48,18 @@
     packages = [ pkgs.clang-tools_18 ];
     CMAKE_EXPORT_COMPILE_COMMANDS = "1";
   };
+  info = pkgs.mkShell.override { stdenv = pkgs.clang18Stdenv; }
+  {
+    inputsFrom = [ pkgs.localPackages.info ];
+    packages = [ pkgs.clang-tools_18 ];
+    CMAKE_EXPORT_COMPILE_COMMANDS = "1";
+    hardeningDisable = [ "all" ];
+  };
+  vm = pkgs.mkShell.override { stdenv = pkgs.clang18Stdenv; }
+  {
+    inputsFrom = [ pkgs.localPackages.vm ];
+    packages = [ pkgs.clang-tools_18 ];
+    CMAKE_EXPORT_COMPILE_COMMANDS = "1";
+    hardeningDisable = [ "all" ];
+  };
 }

flake/dns/config.yaml

@@ -0,0 +1,14 @@
+providers:
+  config:
+    class: octodns.provider.yaml.YamlProvider
+    directory: env/OCTODNS_CONFIG
+  cloudflare:
+    class: octodns_cloudflare.CloudflareProvider
+    token: env/CLOUDFLARE_TOKEN
+    pagerules: false
+zones:
+  '*':
+    sources:
+      - config
+    targets:
+      - cloudflare

flake/dns/config/chn.moe.nix

@@ -0,0 +1,87 @@
+localLib:
+let
+  cname =
+  {
+    autoroute = [ "api" "git" "grafana" "matrix" "peertube" "send" "synapse" "vikunja" "铜锣湾" "铜锣湾实验室" ];
+    nas = [ "initrd.nas" ];
+    office = [ "srv2-node0" ];
+    vps6 =
+    [
+      "blog" "catalog" "coturn" "element" "frp" "initrd.vps6" "misskey" "sticker" "synapse-admin" "tgapi"
+      "ua" "vps6.xserver"
+    ];
+    vps7 =
+    [
+      "chat" "freshrss" "huginn" "initrd.vps7" "nextcloud" "photoprism" "rsshub" "ssh.git" "vaultwarden" "webdav"
+      "xsession.vps7"
+    ];
+    "xlog.autoroute" = [ "xlog" ];
+    "wg0.srv1-node0" = [ "wg0.srv1" ];
+    "wg0.srv2-node0" = [ "wg0.srv2" ];
+    srv3 = [ "initrd.srv3" ];
+    srv1-node0 = [ "srv1" ];
+    srv2-node0 = [ "srv2" ];
+    "wg1.pc" = [ "nix-store" ];
+  };
+  a =
+  {
+    nas = "192.168.1.2";
+    pc = "192.168.1.3";
+    one = "192.168.1.4";
+    office = "210.34.16.60";
+    srv1-node0 = "59.77.36.250";
+    vps6 = "144.34.225.59";
+    vps7 = "144.126.144.62";
+    search = "127.0.0.1";
+    srv3 = "23.135.236.216";
+    srv1-node1 = "192.168.178.2";
+    srv1-node2 = "192.168.178.3";
+    srv2-node1 = "192.168.178.2";
+  };
+  wireguard = import ./wireguard.nix;
+in
+{
+  "" =
+  [
+    { type = "ALIAS"; value = "vps6.chn.moe."; }
+    {
+      type = "MX";
+      values =
+      [
+        { exchange = "tuesday.mxrouting.net."; preference = 10; }
+        { exchange = "tuesday-relay.mxrouting.net."; preference = 20; }
+      ];
+    }
+    { type = "TXT"; value = "v=spf1 include:mxlogin.com -all"; }
+  ];
+  "_xlog-challenge.xlog" = { type = "TXT"; value = "chn"; };
+  autoroute =
+  {
+    type = "NS";
+    values = builtins.map (suffix: "ns1.huaweicloud-dns.${suffix}.") [ "cn" "com" "net" "org" ];
+  };
+  "mail" = { type = "CNAME"; value = "tuesday.mxrouting.net."; };
+  "webmail" = { type = "CNAME"; value = "tuesday.mxrouting.net."; };
+  "x._domainkey" =
+  {
+    type = "TXT";
+    value = ''v=DKIM1\; k=rsa\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0CjW96ffx1tVrJkt630lSRrdEF495OAkFbUxwgZm+EjMhdQtG3erl+AzcyjK3gJpg2ylqOYxCFElerqiN9IiggYy4z6tJwVqoh7bucMbO5J4EJQvFdbyRveq7LVm+n5Qgr/CRi6105zfpzX0NbQZoLINSJMCGOmWcYPZZYv7T260ghVFkn4qVpAkFqvvc+RBtY9P96nPZ+omYvpKDV+JReNanxBZRoxuKQDpYPZhV7E6mLulzHzFyuwDLg7THBCcmEr3DlAAeZcLdm6cTdwYTG2cMv2CUiocSdxmrZeBaWa1Xef+70ddrr823o105l6PP437L4337JIMH19g9iTT+QIDAQAB'';
+  };
+}
+// builtins.listToAttrs (builtins.concatLists (builtins.map
+  (cname: builtins.map
+    (name: { inherit name; value = { type = "CNAME"; value = "${cname.name}.chn.moe."; }; })
+    cname.value)
+  (localLib.attrsToList cname)))
+// builtins.listToAttrs (builtins.map
+  (a: {inherit (a) name; value = { inherit (a) value; type = "A"; }; })
+  (localLib.attrsToList a))
+// builtins.listToAttrs (builtins.concatLists (builtins.map
+  (net: builtins.map
+    (peer:
+    {
+      name = "${net.name}.${peer.name}";
+      value = { type = "A"; value = "192.168.${builtins.toString net.value}.${builtins.toString peer.value}"; };
+    })
+    (localLib.attrsToList wireguard.peer))
+  (localLib.attrsToList wireguard.net)))

flake/dns/config/mirism.one.nix

@@ -0,0 +1 @@
+_: { entry = { type = "CNAME"; value = "vps6.chn.moe."; }; }

flake/dns/config/nekomia.moe.nix

@@ -0,0 +1 @@
+_: { "" = { type = "ALIAS"; value = "vps6.chn.moe."; }; }

flake/dns/config/wireguard.nix

@@ -0,0 +1,17 @@
+{
+  net = { wg0 = 83; wg1 = 84; };
+  peer =
+  {
+    vps6 = 1;
+    vps7 = 2;
+    pc = 3;
+    nas = 4;
+    one = 5;
+    srv1-node0 = 9;
+    srv1-node1 = 6;
+    srv1-node2 = 8;
+    srv2-node0 = 7;
+    srv2-node1 = 10;
+    srv3 = 11;
+  };
+}

flake/dns/default.nix

@@ -0,0 +1,37 @@
+{ writeShellScript, writeTextDir, symlinkJoin, octodns, tokenPath, localLib, lib }:
+let
+  addTtl = config:
+    let addTtl' = attrs: attrs // { octodns.cloudflare.auto-ttl = true; };
+    in builtins.mapAttrs (n: v: if builtins.isList v then builtins.map addTtl' v else addTtl' v) config;
+  config = builtins.listToAttrs (builtins.map
+    (domain: { name = domain; value = import ./config/${domain}.nix localLib; })
+    [ "chn.moe" "nekomia.moe" "mirism.one" ]);
+  configDir = symlinkJoin
+  {
+    name = "config";
+    paths = builtins.map
+      (domain: writeTextDir "${domain.name}.yaml" (builtins.toJSON (addTtl domain.value)))
+      (localLib.attrsToList config);
+  };
+  meta.config = config //
+  {
+    wireguard = import ./config/wireguard.nix;
+    "chn.moe" = config."chn.moe"
+      // {
+        # 查询域名对应的 ip
+        getAddress = deviceName:
+          let
+            dns = meta.config."chn.moe";
+            f = domain:
+              if dns.${domain}.type == "A" then dns.${domain}.value
+              else if dns.${domain}.type == "CNAME" then f (lib.removeSuffix ".chn.moe." dns.${domain}.value)
+              else throw "Not found ${domain}";
+          in f deviceName;
+      };
+  };
+in lib.addMetaAttrs meta (writeShellScript "dns-push"
+''
+  export OCTODNS_CONFIG=${configDir}
+  export CLOUDFLARE_TOKEN=$(cat ${tokenPath})
+  ${octodns}/bin/octodns-sync --config-file ${./config.yaml} --doit --force
+'')

flake/nixos.nix

@@ -1,51 +1,34 @@
 { inputs, localLib }:
-builtins.listToAttrs
-(
-  (builtins.map
-    (system:
-    {
-      name = system;
-      value = inputs.nixpkgs.lib.nixosSystem
-      {
-        system = let arch.pi3b = "aarch64-linux"; in arch.${system} or "x86_64-linux";
-        specialArgs = { topInputs = inputs; inherit localLib; };
-        modules = localLib.mkModules
-        [
-          {
-            config =
-            {
-              nixpkgs.overlays = [ inputs.self.overlays.default ];
-              nixos.model.hostname = system;
-            };
-          }
-          ../modules
-          ../devices/${system}
-        ];
-      };
-    })
-    [ "nas" "pc" "pi3b" "vps6" "vps7" "xmupc1" "xmupc2" "one" ])
-  ++ (builtins.map
-    (node:
-    {
-      name = "srv1-${node}";
-      value = inputs.nixpkgs.lib.nixosSystem
-      {
-        system = "x86_64-linux";
-        specialArgs = { topInputs = inputs; inherit localLib; };
-        modules = localLib.mkModules
-        [
-          {
-            config =
-            {
-              nixpkgs.overlays = [ inputs.self.overlays.default ];
-              nixos.model.cluster = { clusterName = "srv1"; nodeName = node; };
-            };
-          }
-          ../modules
-          ../devices/srv1
-          ../devices/srv1/${node}
-        ];
-      };
-    })
-    [ "node0" "node1" "node2" "node3" ])
-)
+let
+  singles = [ "nas" "pc" "vps6" "vps7" "one" "srv3" ];
+  cluster = { srv1 = 3; srv2 = 2; };
+  deviceModules = builtins.listToAttrs
+  (
+    (builtins.map
+      (n: { name = n; value = [ { config.nixos.model.hostname = n; } ../modules ../devices/${n} ../devices/cross ]; })
+      singles)
+    ++ (builtins.concatLists (builtins.map
+      (cluster: builtins.map
+        (node:
+        {
+          name = "${cluster.name}-${node}";
+          value =
+          [
+            { config.nixos.model.cluster = { clusterName = cluster.name; nodeName = node; }; }
+            ../modules
+            ../devices/${cluster.name}
+            ../devices/${cluster.name}/${node}
+            ../devices/cross
+          ];
+        })
+        (builtins.genList (n: "node${builtins.toString n}") cluster.value))
+      (localLib.attrsToList cluster)))
+  );
+in builtins.mapAttrs
+  (_: v: inputs.nixpkgs.lib.nixosSystem
+  {
+    system = "x86_64-linux";
+    specialArgs = { topInputs = inputs; inherit localLib; };
+    modules = localLib.mkModules v;
+  })
+  deviceModules

flake/packages.nix

@@ -23,13 +23,27 @@
       version = inputs.self.rev or "dirty";
       stdenv = pkgs.pkgsStatic.gcc14Stdenv;
     };
-  chn-bsub = pkgs.pkgsStatic.localPackages.chn-bsub;
-  blog = pkgs.callPackage inputs.blog { inherit (inputs) hextra; };
+  inherit (pkgs.localPackages) blog;
+  inherit (pkgs.localPackages.pkgsStatic) chn-bsub;
   vaspberry = pkgs.pkgsStatic.localPackages.vaspberry.override
   {
     gfortran = pkgs.pkgsStatic.gfortran;
     lapack = pkgs.pkgsStatic.openblas;
   };
+  jykang = import ../devices/jykang.xmuhpc inputs;
+  src =
+    let getDrv = x:
+      if pkgs.lib.isDerivation x then [ x ]
+      else if builtins.isAttrs x then builtins.concatMap getDrv (builtins.attrValues x)
+      else if builtins.isList x then builtins.concatMap getDrv x
+      else [];
+    in pkgs.writeClosure (getDrv (inputs.self.outputs.src));
+  dns-push = pkgs.callPackage ./dns
+  {
+    inherit localLib;
+    tokenPath = inputs.self.nixosConfigurations.pc.config.sops.secrets."acme/token".path;
+    octodns = pkgs.octodns.withProviders (_: [ pkgs.localPackages.octodns-cloudflare ]);
+  };
 }
 // (builtins.listToAttrs (builtins.map
   (system: { inherit (system) name; value = system.value.config.system.build.toplevel; })

flake/src.nix

@@ -8,14 +8,30 @@
       url = "https://developer.download.nvidia.com/hpc-sdk/24.11/nvhpc_2024_2411_Linux_x86_64_cuda_12.6.tar.gz";
       sha256 = "080rb89p2z98b75wqssvp3s8x6b5n0556d0zskh3cfapcb08lh1r";
     };
+    mpi = pkgs.requireFile
+    {
+      name = "openmpi-gitclone.tar.gz";
+      # download from https://developer.nvidia.com/networking/hpc-x/eula?mrequest=downloads&mtype=hpc&mver=hpc-x&mname=v2.22/hpcx-v2.22-gcc-doca_ofed-ubuntu24.04-cuda12-x86_64.tbz
+      # nix-prefetch-url file://$(pwd)/openmpi-gitclone.tar.gz
+      sha256 = "05r5x6mgw2f2kcq9vhdkfj42panchzlbpns8qy57y4jsbmabwabi";
+      message = "Source file not found.";
+    };
     version = "24.11";
     cudaVersion = "12.6";
   };
-  iso = pkgs.fetchurl
+  iso =
   {
-    url = "https://releases.nixos.org/nixos/24.11/nixos-24.11beta709057.0c582677378f"
-      + "/nixos-plasma6-24.11beta709057.0c582677378f-x86_64-linux.iso";
-    sha256 = "000wmfn6k5awqwsx9qldhdgahv4k09w4yzmvf0djs51qjdpha082";
+    nixos = pkgs.fetchurl
+    {
+      url = "https://releases.nixos.org/nixos/24.11/nixos-24.11.714826.04ef94c4c158/"
+        + "nixos-minimal-24.11.714826.04ef94c4c158-x86_64-linux.iso";
+      sha256 = "12zkmlmvvp6g3syb347q4ffhdavfs3hz2qxvvlgrim6k0kzz436k";
+    };
+    netboot = pkgs.fetchurl
+    {
+      url = "https://boot.netboot.xyz/ipxe/netboot.xyz.iso";
+      sha256 = "01hlslbi2i3jkzjwn24drhd2lriaqiwr9hb83r0nib9y1jvr3k5p";
+    };
   };
   nglview = pkgs.fetchPypi
   {
@@ -23,17 +39,112 @@
     version = "3.1.2";
     hash = "sha256-f2cu+itsoNs03paOW1dmsUsbPa3iEtL4oIPGAKETRc4=";
   };
-  vtst =
+  vasp =
   {
-    patch = pkgs.fetchzip
+    vasp = pkgs.requireFile
     {
-      url = "http://theory.cm.utexas.edu/code/vtstcode-204.tgz";
-      sha256 = "00qpqiabl568fwqjnmwqwr0jwg7s56xd9lv9lw8q4qxqy19cpg62";
+      name = "vasp.6.4.3.tgz";
+      # nix-prefetch-url file://$(pwd)/vasp.6.4.3.tgz
+      sha256 = "1x14dixils77rr4c6yqmxkvyzgfz6906badsw2shksd3y9ryfc7y";
+      message = "Source file not found.";
     };
-    script = pkgs.fetchzip
+    vtst =
     {
-      url = "http://theory.cm.utexas.edu/code/vtstscripts.tgz";
-      sha256 = "18gsw2850ig1mg4spp39i0ygfcwx0lqnamysn5whiax22m8d5z67";
+      patch = pkgs.fetchzip
+      {
+        url = "http://theory.cm.utexas.edu/code/vtstcode-204.tgz";
+        sha256 = "00qpqiabl568fwqjnmwqwr0jwg7s56xd9lv9lw8q4qxqy19cpg62";
+      };
+      script = pkgs.fetchzip
+      {
+        url = "http://theory.cm.utexas.edu/code/vtstscripts.tgz";
+        sha256 = "18gsw2850ig1mg4spp39i0ygfcwx0lqnamysn5whiax22m8d5z67";
+      };
     };
   };
+  huginn = pkgs.dockerTools.pullImage
+  {
+    imageName = "ghcr.io/huginn/huginn";
+    imageDigest = "sha256:68e2c7082cd51d417e5ce76fe123810e9d52f4ab2018569df5b74b913ed3bc64";
+    sha256 = "0jpdysdphy1lyj6zwx2b1kbgs6bfnpkkx85mf1b9ybh3is6gaz6s";
+    finalImageName = "ghcr.io/huginn/huginn";
+    finalImageTag = "latest";
+  };
+  misskey =
+  {
+    "https://github.com/aiscript-dev/aiscript-languageserver/releases/download/0.1.6/aiscript-dev-aiscript-languageserver-0.1.6.tgz" = "0092d5r67bhf4xkvrdn4a2rm1drjzy7b5sw8mi7hp4pqvpc20ylr";
+    "https://github.com/misskey-dev/tabler-icons/archive/refs/tags/3.30.0-mi.1932+ab127beee.tar.gz" = "09aa34a02rdpcvrhl6xddzy173pg7pi9i551s692ggc3pq7fmdhw";
+  };
+  xmuvpn = pkgs.dockerTools.pullImage
+  {
+    imageName = "hagb/docker-easyconnect";
+    imageDigest = "sha256:1c3a86e41c1d2425a4fd555d279deaec6ff1e3c2287853eb16d23c9cb6dc3409";
+    sha256 = "1jpk2y46lnk0mi6ir7hdx0p6378p0v6qjbh6jm9a4cv5abw0mb2k";
+    finalImageName = "hagb/docker-easyconnec";
+    finalImageTag = "7.6.7";
+  };
+  lumerical =
+  {
+    lumerical = pkgs.requireFile
+    {
+      name = "lumerical.zip";
+      sha256 = "03nfacykfzal29jdmygrgkl0fqsc3yqp4ig86h1h9sirci87k94c";
+      hashMode = "recursive";
+      message = "Source not found.";
+    };
+    licenseManagerImage = pkgs.requireFile
+    {
+      name = "lumericalLicenseManager.tar";
+      sha256 = "VOtYMnDRUP74O2lAqMqBDLnXtNS8AhbBhyZBj/2aVoE=";
+      message = "Source not found.";
+    };
+  };
+  vesta =
+  {
+    version = "3.90.0a";
+    src = pkgs.fetchurl
+    {
+      url = "https://jp-minerals.org/vesta/archives/testing/VESTA-gtk3-x86_64.tar.bz2";
+      sha256 = "0bsvfr3409g2v1wgnfixpkjz1yzl2j1nlrk5a5rkdfs94rrvxzaa";
+    };
+    desktopFile = pkgs.fetchurl
+    {
+      url = "https://aur.archlinux.org/cgit/aur.git/plain/VESTA.desktop?h=vesta&id=4fae08afc37ee0fd88d14328cf0d6b308fea04d1";
+      sha256 = "Tq4AzQgde2KIWKA1k6JlxvdphGG9JluHMZjVw0fBUeQ=";
+    };
+  };
+  # nix-store --query --hash $(nix store add-path . --name 'mirism')
+  mirism-old = pkgs.requireFile
+  {
+    name = "mirism";
+    sha256 = "0f50pvdafhlmrlbf341mkp9q50v4ld5pbx92d2w1633f18zghbzf";
+    hashMode = "recursive";
+    message = "Source file not found.";
+  };
+  pslist =
+  {
+    version = "1.4.0";
+    src = pkgs.fetchzip
+    {
+      url = "https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/pslist/1.4.0-4/pslist_1.4.0.orig.tar.xz";
+      sha256 = "1sp1h7ccniz658ms331npffpa9iz8llig43d9mlysll420nb3xqv";
+    };
+  };
+  vaspkit = rec
+  {
+    version = "1.5.1";
+    potcar = pkgs.requireFile
+    {
+      name = "POTCAR";
+      sha256 = "01adpp9amf27dd39m8svip3n6ax822vsyhdi6jn5agj13lis0ln3";
+      hashMode = "recursive";
+      message = "POTCAR not found.";
+    };
+    vaspkit = pkgs.fetchurl
+    {
+      url = "mirror://sourceforge/vaspkit/Binaries/vaspkit.${version}.linux.x64.tar.gz";
+      sha256 = "1cbj1mv7vx18icwlk9d2vfavsfd653943xg2ywzd8b7pb43xrfs1";
+    };
+  };
+  mathematica = pkgs.mathematica.src;
 }

local/pkgs/hpcstat/doc/setup.md

@@ -1 +0,0 @@
-Moved to [../../../../packages/hpcstat/doc/setup.md](../../../../packages/hpcstat/doc/setup.md)

modules/bugs/default.nix

@@ -1,28 +1,28 @@
 inputs:
-  let
-    inherit (inputs.localLib) stripeTabs;
-    inherit (builtins) map attrNames;
-    inherit (inputs.lib) mkMerge mkIf mkOption types;
-    bugs =
-    {
-      # suspend & hibernate do not use platform
-      suspend-hibernate-no-platform.systemd.sleep.extraConfig =
-      ''
-        SuspendState=freeze
-        HibernateMode=shutdown
-      '';
-      # xmunet use old encryption
-      xmunet.nixpkgs.config.packageOverrides = pkgs: { wpa_supplicant = pkgs.wpa_supplicant.overrideAttrs
-        (attrs: { patches = attrs.patches ++ [ ./xmunet.patch ];}); };
-      backlight.boot.kernelParams = [ "nvidia.NVreg_RegistryDwords=EnableBrightnessControl=1" ];
-      amdpstate.boot.kernelParams = [ "amd_pstate=active" ];
-    };
-  in
-    {
-      options.nixos.bugs = mkOption
-      {
-        type = types.listOf (types.enum (attrNames bugs));
-        default = [];
-      };
-      config = mkMerge (map (bug: mkIf (builtins.elem bug inputs.config.nixos.bugs) bugs.${bug}) (attrNames bugs));
-    }
+let bugs =
+{
+  # suspend & hibernate do not use platform
+  suspend-hibernate-no-platform.systemd.sleep.extraConfig =
+  ''
+    SuspendState=freeze
+    HibernateMode=shutdown
+  '';
+  # xmunet use old encryption
+  xmunet.nixpkgs.config.packageOverrides = pkgs: { wpa_supplicant = pkgs.wpa_supplicant.overrideAttrs
+    (attrs: { patches = attrs.patches ++ [ ./xmunet.patch ];}); };
+  backlight.boot.kernelParams = [ "nvidia.NVreg_RegistryDwords=EnableBrightnessControl=1" ];
+  amdpstate.boot.kernelParams = [ "amd_pstate=active" ];
+  iwlwifi.nixos.system.kernel.modules.modprobeConfig =
+    [ "options iwlwifi power_save=0" "options iwlmvm power_scheme=1" "options iwlwifi uapsd_disable=1" ];
+};
+in
+{
+  options.nixos.bugs = inputs.lib.mkOption
+  {
+    type = inputs.lib.types.listOf (inputs.lib.types.enum (builtins.attrNames bugs));
+    default = [];
+  };
+  config = inputs.lib.mkMerge (builtins.map
+    (bug: inputs.lib.mkIf (builtins.elem bug inputs.config.nixos.bugs) bugs.${bug})
+    (builtins.attrNames bugs));
+}

modules/default.nix

@@ -1,46 +1,27 @@
-inputs:
-  let
-    inherit (inputs) topInputs;
-    inherit (inputs.localLib) mkModules;
-  in
-  {
-    imports = mkModules
-    [
-      topInputs.home-manager.nixosModules.home-manager
-      topInputs.sops-nix.nixosModules.sops
-      topInputs.nix-index-database.nixosModules.nix-index
-      topInputs.nur-xddxdd.nixosModules.setupOverlay
-      topInputs.impermanence.nixosModules.impermanence
-      topInputs.nix-flatpak.nixosModules.nix-flatpak
-      topInputs.chaotic.nixosModules.default
-      { config.chaotic.nyx.overlay.onTopOf = "user-pkgs"; }
-      topInputs.catppuccin.nixosModules.catppuccin
-      topInputs.aagl.nixosModules.default
-      (inputs:
+inputs: let inherit (inputs) topInputs; in
+{
+  imports = inputs.localLib.mkModules
+  [
+    topInputs.home-manager.nixosModules.home-manager
+    topInputs.sops-nix.nixosModules.sops
+    topInputs.nix-index-database.nixosModules.nix-index
+    topInputs.impermanence.nixosModules.impermanence
+    topInputs.nix-flatpak.nixosModules.nix-flatpak
+    topInputs.chaotic.nixosModules.default
+    { config.chaotic.nyx.overlay.onTopOf = "user-pkgs"; }
+    topInputs.catppuccin.nixosModules.catppuccin
+    topInputs.aagl.nixosModules.default
+    topInputs.nixvirt.nixosModules.default
+    (inputs:
+    {
+      config =
       {
-        config =
-        {
-          nixpkgs.overlays =
-          [
-            topInputs.qchem.overlays.default
-            topInputs.bscpkgs.overlays.default
-            topInputs.aagl.overlays.default
-            (final: prev:
-            {
-              nix-vscode-extensions = topInputs.nix-vscode-extensions.extensions."${prev.system}";
-              nur-xddxdd = topInputs.nur-xddxdd.overlays.default final prev;
-              nur-linyinfeng = (topInputs.nur-linyinfeng.overlays.default final prev).linyinfeng;
-              firefox-addons = (import "${topInputs.rycee}" { inherit (prev) pkgs; }).firefox-addons;
-              inherit (import topInputs.gricad { pkgs = final; }) intel-oneapi intel-oneapi-2022;
-            })
-          ];
-          home-manager.sharedModules =
-          [
-            topInputs.plasma-manager.homeManagerModules.plasma-manager
-            topInputs.catppuccin.homeManagerModules.catppuccin
-          ];
-        };
-      })
-      ./hardware ./packages ./system ./virtualization ./services ./bugs ./user ./model.nix
-    ];
-  }
+        home-manager.sharedModules =
+        [
+          topInputs.plasma-manager.homeManagerModules.plasma-manager
+          topInputs.catppuccin.homeManagerModules.catppuccin
+        ];
+      };
+    })
+  ] ++ (inputs.localLib.findModules ./.);
+}

modules/hardware/default.nix

@@ -24,7 +24,7 @@ inputs:
           printing =
           {
             enable = true;
-            drivers = inputs.lib.mkIf (inputs.config.nixos.system.nixpkgs.arch == "x86_64") [ inputs.pkgs.cnijfilter2 ];
+            drivers = [ inputs.pkgs.cnijfilter2 ];
             # TODO: remove in next update
             browsed.enable = false;
           };

modules/hardware/gpu.nix

@@ -22,6 +22,7 @@ inputs:
         busId = mkOption { type = types.attrsOf types.nonEmptyStr; default = {}; };
       };
       driver = mkOption { type = types.enum [ "production" "latest" "beta" ]; default = "production"; };
+      open = mkOption { type = types.bool; default = true; };
     };
   };
   config = let inherit (inputs.config.nixos.hardware) gpu; in inputs.lib.mkIf (gpu.type != null) (inputs.lib.mkMerge
@@ -61,7 +62,7 @@ inputs:
             dynamicBoost.enable = inputs.lib.mkIf gpu.nvidia.dynamicBoost true;
             nvidiaSettings = true;
             package = inputs.config.boot.kernelPackages.nvidiaPackages.${gpu.nvidia.driver};
-            open = true; # TODO: remove when 560 is stable
+            inherit (gpu.nvidia) open;
             prime.allowExternalGpu = true;
           };
         };

modules/model.nix

@@ -3,7 +3,7 @@ inputs:
   options.nixos.model = let inherit (inputs.lib) mkOption types; in
   {
     hostname = mkOption { type = types.nonEmptyStr; };
-    type = mkOption { type = types.enum [ "minimal" "desktop" "server" ]; default = "minimal"; };
+    type = mkOption { type = types.enum [ "vps" "desktop" "server" ]; default = "vps"; };
     private = mkOption { type = types.bool; default = false; };
     cluster = mkOption
     {
@@ -21,12 +21,5 @@ inputs:
     { networking.hostName = model.hostname; }
     (inputs.lib.mkIf (model.cluster != null)
       { nixos.model.hostname = "${model.cluster.clusterName}-${model.cluster.nodeName}"; })
-    # TODO: remove it
-    {
-      systemd.services = inputs.lib.mkIf (model.cluster.nodeType or null == "worker") (builtins.listToAttrs
-        (builtins.map
-          (user: { name = "home-manager-${inputs.utils.escapeSystemdPath user}"; value.enable = false; })
-          inputs.config.nixos.user.users));
-    }
   ];
 }

modules/packages/desktop.nix

@@ -20,21 +20,18 @@ inputs:
           (
             writeShellScriptBin "xclip"
             ''
-              #!${bash}/bin/bash
-              if [ "$XDG_SESSION_TYPE" = "x11" ]; then
-                exec ${xclip}/bin/xclip -sel clip "$@"
-              else
-                exec ${wl-clipboard-x11}/bin/xclip "$@"
-              fi
+              if [ "$XDG_SESSION_TYPE" = "x11" ]; then exec ${xclip}/bin/xclip -sel clip "$@"
+              else exec ${wl-clipboard-x11}/bin/xclip "$@"; fi
             ''
           )
           # color management
           argyllcms xcalib
           # networking
-          remmina putty mtr-gui
+          pkgs-unstable.remmina putty mtr-gui
           # media
-          mpv nomacs yesplaymusic simplescreenrecorder imagemagick gimp netease-cloud-music-gtk qcm
-          waifu2x-converter-cpp inkscape blender paraview vlc whalebird spotify obs-studio
+          mpv nomacs yesplaymusic simplescreenrecorder imagemagick gimp-with-plugins netease-cloud-music-gtk qcm
+          waifu2x-converter-cpp blender paraview vlc whalebird spotify obs-studio
+          (inkscape-with-extensions.override { inkscapeExtensions = null; })
           # themes
           klassy localPackages.slate localPackages.blurred-wallpaper tela-circle-icon-theme
           catppuccin catppuccin-sddm catppuccin-cursors catppuccinifier-gui catppuccinifier-cli catppuccin-plymouth
@@ -52,33 +49,39 @@ inputs:
           # download
           qbittorrent nur-xddxdd.baidupcs-go wgetpaste onedrive onedrivegui rclone
           # editor
-          typora appflowy notion-app-enhanced joplin-desktop standardnotes logseq
+          typora appflowy notion-app-enhanced joplin-desktop standardnotes logseq obsidian pkgs-unstable.code-cursor
           # news
-          fluent-reader rssguard newsflash newsboat
+          fluent-reader rssguard newsflash newsboat follow
           # nix tools
           nixpkgs-fmt appimage-run nixd nix-serve node2nix nix-prefetch-github prefetch-npm-deps nix-prefetch-docker
           nix-template nil pnpm-lock-export bundix
           # instant messager
           element-desktop telegram-desktop discord zoom-us slack nur-linyinfeng.wemeet nheko
-          fluffychat signal-desktop qq nur-xddxdd.wechat-uos cinny-desktop
+          fluffychat signal-desktop qq nur-xddxdd.wechat-uos-sandboxed cinny-desktop
           # browser
           google-chrome tor-browser microsoft-edge
           # office
-          crow-translate zotero pandoc libreoffice-qt texliveFull poppler_utils pdftk pdfchain davinci-resolve
-          ydict texstudio panoply pspp
+          crow-translate zotero pandoc texliveFull poppler_utils pdftk pdfchain davinci-resolve
+          ydict texstudio panoply pspp paperwork libreoffice-qt6-fresh ocrmypdf typst
+          # required by ltex-plus.vscode-ltex-plus
+          pkgs-unstable.ltex-ls pkgs-unstable.ltex-ls-plus
           # matplot++ needs old gnuplot
           inputs.pkgs."pkgs-23.11".gnuplot
           # math, physics and chemistry
           octaveFull ovito localPackages.vesta localPackages.v-sim jmol mpi geogebra6 localPackages.ufo
           (quantum-espresso.override { stdenv = gcc14Stdenv; gfortran = gfortran14;
             wannier90 = inputs.pkgs.wannier90.overrideAttrs { buildFlags = [ "dynlib" ]; }; })
-          inputs.pkgs."pkgs-23.11".hdfview
+          inputs.pkgs."pkgs-23.11".hdfview numbat qalculate-qt
           # virtualization
           virt-viewer bottles wineWowPackages.stagingFull genymotion playonlinux
           # media
           nur-xddxdd.svp
           # for kdenlive auto subtitle
           openai-whisper
+          # TODO: remove on next release
+          # phonopy have some bug, we use the version from nixpkgs-unstable
+          (inputs.lib.hiPrio pkgs-unstable.python3Packages.phonopy)
+          (inputs.lib.hiPrio pkgs-unstable.localPackages.phono3py)
         ]
           ++ (builtins.filter (p: !((p.meta.broken or false) || (builtins.elem p.pname or null [ "falkon" "kalzium" ])))
             (builtins.filter inputs.lib.isDerivation (builtins.attrValues kdePackages.kdeGear)));
@@ -139,16 +142,6 @@ inputs:
       honkers-railway-launcher = { enable = true; package = inputs.pkgs.honkers-railway-launcher; };
       sleepy-launcher = { enable = true; package = inputs.pkgs.sleepy-launcher; };
     };
-    nixpkgs.overlays = [(final: prev:
-    {
-      telegram-desktop = prev.telegram-desktop.override
-      {
-        unwrapped = prev.telegram-desktop.unwrapped.overrideAttrs (prev:
-        {
-          patches = prev.patches or [] ++ [ ./telegram.patch ];
-        });
-      };
-    })];
     services.pcscd.enable = true;
   };
 }

modules/packages/git.nix

@@ -15,6 +15,7 @@ inputs:
         core.quotepath = false;
         lfs.ssh.automultiplex = false; # 避免 lfs 一直要求触摸 yubikey
         receive.denyCurrentBranch = "warn"; # 允许 push 到非 bare 的仓库
+        merge.ours.driver = true; # 允许 .gitattributes 中设置的 merge=ours 生效
       };
     };
     nixos.packages.packages._packages = [ inputs.pkgs.localPackages.git-lfs-transfer ]; # make pure ssh lfs work

modules/packages/lammps.nix

@@ -8,7 +8,7 @@ inputs:
   config = let inherit (inputs.config.nixos.packages) lammps; in inputs.lib.mkIf (lammps != null)
   {
     nixos.packages.packages._packages =
-      let cuda = let inherit (inputs.config.nixos.system.nixpkgs) cuda; in cuda.enable && cuda.capabilities != null;
+      let cuda = let inherit (inputs.config.nixos.system.nixpkgs) cuda; in cuda.capabilities or null != null;
       in
         if cuda then [((inputs.pkgs.lammps.override { stdenv = inputs.pkgs.cudaPackages.backendStdenv; })
           .overrideAttrs (prev:

modules/packages/mathematica.nix

@@ -6,8 +6,5 @@ inputs:
     default = null;
   };
   config = let inherit (inputs.config.nixos.packages) mathematica; in inputs.lib.mkIf (mathematica != null)
-  {
-    nixos.packages.packages._packages = [ (inputs.pkgs.mathematica.overrideAttrs
-      (prev: { postInstall = (prev.postInstall or "") + "ln -s ${prev.src} $out/src"; })) ];
-  };
+    { nixos.packages.packages._packages = [ inputs.pkgs.mathematica ]; };
 }

modules/packages/mumax.nix

@@ -5,7 +5,7 @@ inputs:
     type = types.nullOr (types.submodule {});
     default =
       if (builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ])
-        && (let inherit (inputs.config.nixos.system.nixpkgs) cuda; in cuda.enable && cuda.capabilities != null)
+        && (let inherit (inputs.config.nixos.system.nixpkgs) cuda; in cuda.capabilities or null != null)
       then {}
       else null;
   };

modules/packages/server.nix

@@ -10,7 +10,7 @@ inputs:
       [
         # basic tools
         beep dos2unix gnugrep pv tmux screen parallel tldr cowsay jq yq zellij ipfetch localPackages.pslist
-        fastfetch reptyr duc ncdu progress libva-utils ksh neofetch
+        fastfetch reptyr duc ncdu progress libva-utils ksh neofetch dateutils kitty
         # lsxx
         pciutils usbutils lshw util-linux lsof dmidecode lm_sensors hwloc acpica-tools
         # top
@@ -22,30 +22,30 @@ inputs:
         # file manager
         tree eza trash-cli lsd broot file xdg-ninja mlocate
         # compress
-        pigz upx unzip zip lzip p7zip
+        pigz upx unzip zip lzip p7zip rar
         # file system management
         sshfs e2fsprogs duperemove compsize exfatprogs
         # disk management
-        smartmontools hdparm megacli gptfdisk
+        smartmontools hdparm gptfdisk megacli
         # encryption and authentication
-        apacheHttpd openssl ssh-to-age gnupg age sops pam_u2f yubico-piv-tool
+        apacheHttpd openssl ssh-to-age gnupg age sops pam_u2f yubico-piv-tool libfido2
         # networking
         ipset iptables iproute2 dig nettools traceroute tcping-go whois tcpdump nmap inetutils wireguard-tools
         # nix tools
-        nix-output-monitor nix-tree ssh-to-age nix-inspect
+        pkgs-unstable.nix-output-monitor nix-tree ssh-to-age nix-inspect
         # development
         gdb try inputs.topInputs.plasma-manager.packages.${inputs.pkgs.system}.rc2nix rr hexo-cli gh nix-init hugo
+        (octodns.withProviders (_: [ localPackages.octodns-cloudflare ]))
         # stupid things
         toilet lolcat localPackages.stickerpicker graph-easy
         # office
-        pdfgrep ffmpeg-full # todo-txt-cli 
+        pdfgrep ffmpeg-full hdf5 # todo-txt-cli 
       ]
-        ++ (with inputs.config.boot.kernelPackages; [ cpupower usbip ])
-        ++ (inputs.lib.optional (inputs.config.nixos.system.nixpkgs.arch == "x86_64") rar);
+        ++ (with inputs.config.boot.kernelPackages; [ cpupower usbip ]);
       _pythonPackages = [(pythonPackages: with pythonPackages;
       [
         openai python-telegram-bot fastapi-cli pypdf2 pandas matplotlib plotly gunicorn redis jinja2
-        certifi charset-normalizer idna orjson psycopg2 inquirerpy requests tqdm pydbus
+        certifi charset-normalizer idna orjson psycopg2 inquirerpy requests tqdm pydbus odfpy
         # for vasp plot-workfunc.py
         ase
       ])];

modules/packages/ssh.nix

@@ -1,104 +1,7 @@
 inputs:
 {
-  options.nixos.packages.ssh = let inherit (inputs.lib) mkOption types; in mkOption
-    { type = types.nullOr (types.submodule {}); default = {}; };
-  config = let inherit (inputs.config.nixos.packages) ssh; in inputs.lib.mkIf (ssh != null)
+  config =
   {
-    services.openssh.knownHosts =
-      let servers =
-      {
-        vps6 =
-        {
-          ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIO5ZcvyRyOnUCuRtqrM/Qf+AdUe3a5bhbnfyhw2FSLDZ";
-          hostnames = [ "vps6.chn.moe" "wireguard.vps6.chn.moe" "74.211.99.69" "192.168.83.1" ];
-        };
-        "initrd.vps6" =
-        {
-          ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIB4DKB/zzUYco5ap6k9+UxeO04LL12eGvkmQstnYxgnS";
-          hostnames = [ "initrd.vps6.chn.moe" "74.211.99.69" ];
-        };
-        vps7 =
-        {
-          ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIF5XkdilejDAlg5hZZD0oq69k8fQpe9hIJylTo/aLRgY";
-          hostnames = [ "vps7.chn.moe" "wireguard.vps7.chn.moe" "ssh.git.chn.moe" "144.126.144.62" "192.168.83.2" ];
-        };
-        "initrd.vps7" =
-        {
-          ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIGZyQpdQmEZw3nLERFmk2tS1gpSvXwW0Eish9UfhrRxC";
-          hostnames = [ "initrd.vps7.chn.moe" "144.126.144.62" ];
-        };
-        nas =
-        {
-          ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIIktNbEcDMKlibXg54u7QOLt0755qB/P4vfjwca8xY6V";
-          hostnames = [ "wireguard.nas.chn.moe" "192.168.1.2" "192.168.83.4" ];
-        };
-        "initrd.nas" =
-        {
-          ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIAoMu0HEaFQsnlJL0L6isnkNZdRq0OiDXyaX3+fl3NjT";
-          hostnames = [ "initrd.nas.chn.moe" "192.168.1.2" ];
-        };
-        one =
-        {
-          ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIC5i2Z/vK0D5DBRg3WBzS2ejM0U+w3ZPDJRJySdPcJ5d";
-          hostnames = [ "wireguard.one.chn.moe" "192.168.1.4" "192.168.83.5" ];
-        };
-        pc =
-        {
-          ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIMSfREi19OSwQnhdsE8wiNwGSFFJwNGN0M5gN+sdrrLJ";
-          hostnames = [ "wireguard.pc.chn.moe" "[office.chn.moe]:3673" "192.168.1.3" "192.168.83.3" ];
-        };
-        hpc =
-        {
-          ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIDVpsQW3kZt5alHC6mZhay3ZEe2fRGziG4YJWCv2nn/O";
-          hostnames = [ "hpc.xmu.edu.cn" ];
-        };
-        github =
-        {
-          ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
-          hostnames = [ "github.com" ];
-        };
-        xmupc1 =
-        {
-          ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAINTvfywkKRwMrVp73HfHTfjhac2Tn9qX/lRjLr09ycHp";
-          hostnames = [ "[office.chn.moe]:6007" "[xmupc1.chn.moe]:6007" "wireguard.xmupc1.chn.moe" "192.168.83.6" ];
-        };
-        xmupc2 =
-        {
-          ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIJZ/+divGnDr0x+UlknA84Tfu6TPD+zBGmxWZY4Z38P6";
-          hostnames = [ "[xmupc2.chn.moe]:6394" "wireguard.xmupc2.chn.moe" "192.168.83.7" ];
-        };
-        srv1-node0 =
-        {
-          ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIDm6M1D7dBVhjjZtXYuzMj2P1fXNWN3O9wmwNssxEeDs";
-          hostnames = [ "srv1.chn.moe" "node0.srv1.chn.moe" "wireguard.node0.srv1.chn.moe" ];
-        };
-        srv1-node1 =
-        {
-          ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIIFmG/ZzLDm23NeYa3SSI0a0uEyQWRFkaNRE9nB8egl7";
-          hostnames = [ "192.168.178.2" ];
-        };
-        srv1-node2 =
-        {
-          ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIDhgEApzHhVPDvdVFPRuJ/zCDiR1K+rD4sZzH77imKPE";
-          hostnames = [ "192.168.178.3" ];
-        };
-        srv1-node3 =
-        {
-          ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIO/4xbQNz6KNcEdjtBMGY8wUoFK1sCgamKl/r+kVjd7O";
-          hostnames = [ "192.168.178.4" ];
-        };
-      };
-      in builtins.listToAttrs (builtins.map
-        (server:
-        {
-          inherit (server) name;
-          value =
-          {
-            publicKey = "ssh-ed25519 ${server.value.ed25519}";
-            hostNames = server.value.hostnames;
-          };
-        })
-        (inputs.localLib.attrsToList servers));
     programs.ssh =
     {
       # maybe better network performance
@@ -107,6 +10,26 @@ inputs:
       enableAskPassword = true;
       askPassword = "${inputs.pkgs.systemd}/bin/systemd-ask-password";
       extraConfig = "AddKeysToAgent yes";
+      knownHosts =
+        let servers =
+        {
+          hpc =
+          {
+            ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIDVpsQW3kZt5alHC6mZhay3ZEe2fRGziG4YJWCv2nn/O";
+            hostnames = [ "hpc.xmu.edu.cn" ];
+          };
+          hpc2 =
+          {
+            ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIMv22sVyZ0RgFrdrHKbqOvdhq7TKZKImKwbbTbtO5jqy";
+            hostnames = [ "hpc.xmu.edu.cn" ];
+          };
+          github =
+          {
+            ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
+            hostnames = [ "github.com" ];
+          };
+        };
+        in builtins.mapAttrs (_: v: { publicKey = "ssh-ed25519 ${v.ed25519}"; hostNames = v.hostnames; }) servers;
     };
     environment.sessionVariables.SSH_ASKPASS_REQUIRE = "prefer";
     nixos.user.sharedModules =
@@ -117,34 +40,20 @@ inputs:
         controlMaster = "auto";
         controlPersist = "1m";
         compression = true;
-        matchBlocks = builtins.listToAttrs
-        (
-          (builtins.map
-            (host: { name = host; value = { inherit host; hostname = "${host}.chn.moe"; }; })
-            [ "vps6" "wireguard.vps6" "vps7" "wireguard.vps7" "wireguard.nas" "wireguard.one" ])
-          ++ (builtins.map
-            (host: { name = host; value = { inherit host; hostname = "${host}.chn.moe"; forwardX11 = true; }; })
-            [ "wireguard.pc" "wireguard.xmupc1" "wireguard.xmupc2" "srv1" "wireguard.srv1" ])
-          ++ (builtins.map
-            (host:
+        matchBlocks = builtins.listToAttrs (builtins.map
+          (host:
+          {
+            name = host;
+            value =
             {
-              name = host;
-              value =
-              {
-                host = host;
-                hostname = "hpc.xmu.edu.cn";
-                user = host;
-                setEnv.TERM = "chn_unset_ls_colors:xterm-256color";
-              };
-            })
-            [ "wlin" "hwang" ])
-        )
+              host = host;
+              hostname = "hpc.xmu.edu.cn";
+              user = host;
+              setEnv.TERM = "chn_unset_ls_colors:xterm-256color";
+            };
+          })
+          [ "wlin" "hwang" ])
         // rec {
-          xmupc1 = { host = "xmupc1"; hostname = "xmupc1.chn.moe"; port = 6007; forwardX11 = true; };
-          xmupc2 = { host = "xmupc2"; hostname = "xmupc2.chn.moe"; port = 6394; forwardX11 = true; };
-          nas = { host = "nas"; hostname = "192.168.1.2"; forwardX11 = true; };
-          pc = { host = "pc"; hostname = "192.168.1.3"; forwardX11 = true; };
-          one = { host = "one"; hostname = "192.168.1.4"; forwardX11 = true; };
           gitea = { host = "gitea"; hostname = "ssh.git.chn.moe"; };
           jykang =
           {
@@ -154,10 +63,7 @@ inputs:
             forwardAgent = true;
             extraOptions.AddKeysToAgent = "yes";
           };
-          "wireguard.jykang" = jykang // { host = "wireguard.jykang"; proxyJump = "wireguard.xmupc1"; };
-          srv1-node1 = { host = "srv1-node1"; hostname = "192.168.178.2"; proxyJump = "srv1"; };
-          srv1-node2 = { host = "srv1-node2"; hostname = "192.168.178.3"; proxyJump = "srv1"; };
-          srv1-node3 = { host = "srv1-node3"; hostname = "192.168.178.4"; proxyJump = "srv1"; };
+          "wg0.jykang" = jykang // { host = "wg0.jykang"; proxyJump = "wg0.srv2"; };
         };
       };
     })];

modules/packages/vasp.nix

@@ -14,7 +14,7 @@ inputs:
       (
         [ localPackages.vasp.intel localPackages.vasp.vtst localPackages.vaspkit wannier90 ]
           ++ (inputs.lib.optional
-            (let inherit (inputs.config.nixos.system.nixpkgs) cuda; in cuda.enable && cuda.capabilities != null)
+            (let inherit (inputs.config.nixos.system.nixpkgs) cuda; in cuda.capabilities or null != null)
             localPackages.vasp.nvidia)
       );
       _pythonPackages = [(_: [ localPackages.py4vasp ])];

modules/packages/vscode.nix

@@ -56,6 +56,14 @@ inputs:
                 pkief.material-icon-theme
                 # direnv
                 mkhl.direnv
+                # svg viewer
+                vitaliymaz.vscode-svg-previewer
+                # draw
+                pomdtr.excalidraw-editor
+                # typst
+                myriad-dreamin.tinymist
+                # grammaly alternative
+                pkgs-unstable.vscode-extensions.ltex-plus.vscode-ltex-plus
               ]
               # jupyter
               # TODO: use last release

modules/packages/zsh/default.nix

@@ -4,72 +4,86 @@ inputs:
     { type = types.nullOr (types.submodule {}); default = {}; };
   config = let inherit (inputs.config.nixos.packages) zsh; in inputs.lib.mkIf (zsh != null)
   {
-    nixos.user.sharedModules = [(home-inputs: { config.programs =
-    {
-      zsh =
+    nixos.user.sharedModules = [(home-inputs: { config.programs = inputs.lib.mkMerge
+    [
+      # general config
       {
-        enable = true;
-        initExtraBeforeCompInit =
-        ''
-          # p10k instant prompt
-          P10K_INSTANT_PROMPT="$XDG_CACHE_HOME/p10k-instant-prompt-''${(%):-%n}.zsh"
-          [[ ! -r "$P10K_INSTANT_PROMPT" ]] || source "$P10K_INSTANT_PROMPT"
-          HYPHEN_INSENSITIVE="true"
-          export PATH=~/bin:$PATH
-          function br
-          {
-            local cmd cmd_file code
-            cmd_file=$(mktemp)
-            if broot --outcmd "$cmd_file" "$@"; then
-              cmd=$(<"$cmd_file")
-              command rm -f "$cmd_file"
-              eval "$cmd"
-            else
-              code=$?
-              command rm -f "$cmd_file"
-              return "$code"
-            fi
-          }
-          alias todo="todo.sh"
-        '';
-        plugins =
-        [
-          {
-            file = "powerlevel10k.zsh-theme";
-            name = "powerlevel10k";
-            src = "${inputs.pkgs.zsh-powerlevel10k}/share/zsh-powerlevel10k";
-          }
-          { file = "p10k.zsh"; name = "powerlevel10k-config"; src = ./p10k-config; }
-          {
-            name = "zsh-lsd";
-            src = inputs.pkgs.fetchFromGitHub
-            {
-              owner = "z-shell";
-              repo = "zsh-lsd";
-              rev = "65bb5ac49190beda263aae552a9369127961632d";
-              hash = "sha256-JSNsfpgiqWhtmGQkC3B0R1Y1QnDKp9n0Zaqzjhwt7Xk=";
-            };
-          }
-        ];
-        history =
+        zsh =
         {
-          path = "${home-inputs.config.xdg.dataHome}/zsh/zsh_history";
-          extended = true;
-          save = 100000000;
-          size = 100000000;
+          enable = true;
+          history =
+          {
+            path = "${home-inputs.config.xdg.dataHome}/zsh/zsh_history";
+            extended = true;
+            save = 100000000;
+            size = 100000000;
+          };
+          syntaxHighlighting.enable = true;
+          autosuggestion.enable = true;
+          enableCompletion = true;
+          oh-my-zsh =
+          {
+            enable = true;
+            plugins = [ "git" "colored-man-pages" "extract" "history-substring-search" "autojump" ];
+            theme = inputs.lib.mkDefault "clean";
+          };
+          # ensure ~/.zlogin exists
+          loginExtra = " ";
         };
-      };
-      # set bash history file path, avoid overwriting zsh history
-      bash = { enable = true; historyFile =  "${home-inputs.config.xdg.dataHome}/bash/bash_history"; };
-    };})];
-    programs.zsh =
-    {
-      enable = true;
-      syntaxHighlighting.enable = true;
-      autosuggestions.enable = true;
-      enableCompletion = true;
-      ohMyZsh =
-        { enable = true; plugins = [ "git" "colored-man-pages" "extract" "history-substring-search" "autojump" ]; };
-    };
+        # set bash history file path, avoid overwriting zsh history
+        bash = { enable = true; historyFile =  "${home-inputs.config.xdg.dataHome}/bash/bash_history"; };
+      }
+      # config for root and chn
+      {
+        zsh = inputs.lib.mkIf (builtins.elem home-inputs.config.home.username [ "chn" "root" "aleksana" "alikia" ])
+        {
+          plugins =
+          [
+            {
+              file = "powerlevel10k.zsh-theme";
+              name = "powerlevel10k";
+              src = "${inputs.pkgs.zsh-powerlevel10k}/share/zsh-powerlevel10k";
+            }
+            { file = "p10k.zsh"; name = "powerlevel10k-config"; src = ./p10k-config; }
+            {
+              name = "zsh-lsd";
+              src = inputs.pkgs.fetchFromGitHub
+              {
+                owner = "z-shell";
+                repo = "zsh-lsd";
+                rev = "65bb5ac49190beda263aae552a9369127961632d";
+                hash = "sha256-JSNsfpgiqWhtmGQkC3B0R1Y1QnDKp9n0Zaqzjhwt7Xk=";
+              };
+            }
+          ];
+          initExtraBeforeCompInit =
+          ''
+            # p10k instant prompt
+            P10K_INSTANT_PROMPT="$XDG_CACHE_HOME/p10k-instant-prompt-''${(%):-%n}.zsh"
+            [[ ! -r "$P10K_INSTANT_PROMPT" ]] || source "$P10K_INSTANT_PROMPT"
+            HYPHEN_INSENSITIVE="true"
+            export PATH=~/bin:$PATH
+            function br
+            {
+              local cmd cmd_file code
+              cmd_file=$(mktemp)
+              if broot --outcmd "$cmd_file" "$@"; then
+                cmd=$(<"$cmd_file")
+                command rm -f "$cmd_file"
+                eval "$cmd"
+              else
+                code=$?
+                command rm -f "$cmd_file"
+                return "$code"
+              fi
+            }
+            alias todo="todo.sh"
+          '';
+          oh-my-zsh.theme = "";
+        };
+      }
+    ];})];
+    environment.pathsToLink = [ "/share/zsh" ];
+    programs.zsh.enable = true;
   };
 }

modules/services/acme.nix

@@ -48,7 +48,7 @@ inputs:
         CLOUDFLARE_DNS_API_TOKEN=${inputs.config.sops.placeholder."acme/token"}
         CLOUDFLARE_PROPAGATION_TIMEOUT=300
       '';
-      secrets."acme/token" = {};
+      secrets."acme/token".sopsFile = "${inputs.config.nixos.system.sops.crossSopsDir}/default.yaml";
     };
   };
 }

modules/services/beesd.nix

@@ -2,58 +2,34 @@ inputs:
 {
   options.nixos.services.beesd = let inherit (inputs.lib) mkOption types; in mkOption
   {
-    type = types.nullOr (types.submodule { options =
+    type = types.nullOr (types.attrsOf (types.submodule (submoduleInputs:
     {
-      instances = mkOption
+      options =
       {
-        type = types.attrsOf (types.oneOf
-        [
-          types.nonEmptyStr
-          (types.submodule (submoduleInputs:
-          {
-            options =
-            {
-              device = mkOption { type = types.nonEmptyStr; };
-              hashTableSizeMB = mkOption { type = types.ints.unsigned; default = 1024; };
-              threads = mkOption { type = types.ints.unsigned; default = 1; };
-              loadAverage = mkOption { type = types.ints.unsigned; default = submoduleInputs.config.threads; };
-            };
-          }))
-        ]);
-        default = {};
+        hashTableSizeMB = mkOption { type = types.ints.unsigned; default = 16; };
+        threads = mkOption { type = types.ints.unsigned; default = 1; };
+        loadAverage = mkOption { type = types.ints.unsigned; default = submoduleInputs.config.threads; };
       };
-    };});
+    })));
     default = null;
   };
   config = let inherit (inputs.config.nixos.services) beesd; in inputs.lib.mkIf (beesd != null)
   {
-    services.beesd.filesystems = builtins.listToAttrs (map
-      (instance:
+    services.beesd.filesystems = builtins.mapAttrs
+      (n: v:
       {
-        inherit (instance) name;
-        value =
-        {
-          spec = instance.value.device or instance.value;
-          hashTableSizeMB = instance.value.hashTableSizeMB or 1024;
-          extraOptions =
-          [
-            "--workaround-btrfs-send"
-            "--thread-count" "${builtins.toString instance.value.threads or 1}"
-            "--loadavg-target" "${builtins.toString instance.value.loadAverage or 1}"
-            "--scan-mode" "3"
-            "--verbose" "6"
-          ];
-        };
+        spec = n;
+        inherit (v) hashTableSizeMB;
+        extraOptions =
+        [
+          "--workaround-btrfs-send"
+          "--thread-count" "${builtins.toString v.threads}"
+          "--loadavg-target" "${builtins.toString v.loadAverage}"
+          "--scan-mode" "3"
+          "--verbose" "4"
+        ];
       })
-      (inputs.localLib.attrsToList beesd.instances));
-    systemd.slices.system-beesd.sliceConfig =
-    {
-      CPUSchedulingPolicy = "idle";
-      IOSchedulingClass = "idle";
-      IOSchedulingPriority = 4;
-      IOAccounting = true;
-      IOWeight = 1;
-      Nice = 19;
-    };
+      beesd;
+    nixos.packages.packages._packages = [ inputs.pkgs.bees ];
   };
 }