add freshrss

This reverts commit 1334fe2b47.

.gitignore

@@ -1 +1,3 @@
-result
+result
+result-man
+outputs

.sops.yaml

@@ -1,15 +1,47 @@
-keys:
+keys: # cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
   - &chn age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
-  - &chn-PC age1ffvr5pqd2lfj24e3fh53s92z6h76fda3du4y4k6r3yjumdwvpfgqzj033a
-  - &chn-nixos-test age1thf94z6z4835nxsx56upa3s32vfqq2s6d67rpg7weawj2lrk25asw8smhh
+  - &pc age1ffvr5pqd2lfj24e3fh53s92z6h76fda3du4y4k6r3yjumdwvpfgqzj033a
+  - &vps6 age164tyqklwhdm57tfm5u863mdt2xrzrrzac4py8a0j9y6kzqcjy9zsp073t6
+  - &vps7 age137x7csalutwvfygvvzpemlsywvdxj3j4z93a50z2sjx03w6zau8q3r5902
+  - &yoga age1qrea4twxdhd7fnvlq5v45528c90qy6hp2wa55kghsxzgut6n6fxs7w6u42
+  - &pe age1cahahn9hp265dkhduaec65vugk8fct2vt9ur6y54m4mgmyx4v4fq0etjhv
+  - &nas age19lhcwk37jmvn6z0v4dpdfh0k4u23f76twdjknc0p7atktf37rd7s4t4wj3
 creation_rules:
-  - path_regex: secrets/chn-PC\.yaml$
+  - path_regex: secrets/pc\.yaml$
     key_groups:
     - age:
       - *chn
-      - *chn-PC
-  - path_regex: secrets/chn-nixos-test\.yaml$
+      - *pc
+  - path_regex: secrets/vps6\.yaml$
     key_groups:
     - age:
       - *chn
-      - *chn-nixos-test
+      - *vps6
+  - path_regex: secrets/vps4\.yaml$
+    key_groups:
+    - age:
+      - *chn
+  - path_regex: secrets/vps7\.yaml$
+    key_groups:
+    - age:
+      - *chn
+      - *vps7
+  - path_regex: secrets/nas\.yaml$
+    key_groups:
+    - age:
+      - *chn
+      - *nas
+  - path_regex: secrets/xmupc1\.yaml$
+    key_groups:
+    - age:
+      - *chn
+  - path_regex: secrets/yoga\.yaml$
+    key_groups:
+    - age:
+      - *chn
+      - *yoga
+  - path_regex: secrets/pe\.yaml$
+    key_groups:
+    - age:
+      - *chn
+      - *pe

flake.nix

@@ -1,153 +1,724 @@
 {
-	description = "Chn's NixOS Flake";
+  description = "CNH's NixOS Flake";
 
-	inputs =
-	{
-		nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
-		nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-23.05";
-		flake-utils.url = "github:numtide/flake-utils";
-		flake-compat = { url = "github:edolstra/flake-compat"; flake = false; };
-		nvfetcher =
-		{
-			url = "github:berberman/nvfetcher";
-			inputs =
-			{
-				nixpkgs.follows = "nixpkgs";
-				flake-utils.follows = "flake-utils";
-				flake-compat.follows = "flake-compat";
-			};
-		};
-		home-manager = { url = "github:nix-community/home-manager/master"; inputs.nixpkgs.follows = "nixpkgs"; };
-		sops-nix =
-		{
-			url = "github:Mic92/sops-nix";
-			inputs = { nixpkgs.follows = "nixpkgs"; nixpkgs-stable.follows = "nixpkgs-stable"; };
-		};
-		touchix = { url = "github:CHN-beta/touchix"; inputs.nixpkgs.follows = "nixpkgs"; };
-		aagl =
-		{
-			url = "github:ezKEa/aagl-gtk-on-nix";
-			inputs = { nixpkgs.follows = "nixpkgs"; flake-compat.follows = "flake-compat"; };
-		};
-		nix-index-database = { url = "github:Mic92/nix-index-database"; inputs.nixpkgs.follows = "nixpkgs"; };
-		nur.url = "github:nix-community/NUR";
-		nixos-cn =
-		{
-			url = "github:nixos-cn/flakes";
-			inputs = { nixpkgs.follows = "nixpkgs"; flake-utils.follows = "flake-utils"; };
-		};
-		nur-xddxdd =
-		{
-			url = "github:xddxdd/nur-packages";
-			inputs =
-			{
-				flake-utils.follows = "flake-utils";
-				nixpkgs.follows = "nixpkgs-stable";
-			};
-		};
-		nix-vscode-extensions =
-		{
-			url = "github:nix-community/nix-vscode-extensions";
-			inputs =
-			{
-				nixpkgs.follows = "nixpkgs";
-				flake-utils.follows = "flake-utils";
-				flake-compat.follows = "flake-compat";
-			};
-		};
-		nix-alien =
-		{
-			url = "github:thiagokokada/nix-alien";
-			inputs =
-			{
-				flake-compat.follows = "flake-compat";
-				flake-utils.follows = "flake-utils";
-				nix-index-database.follows = "nix-index-database";
-			};
-		};
+  inputs =
+  {
+    nixpkgs.url = "github:CHN-beta/nixpkgs/nixos-23.05";
+    nixpkgs-unstable.url = "github:CHN-beta/nixpkgs/nixos-unstable";
+    home-manager = { url = "github:nix-community/home-manager/release-23.05"; inputs.nixpkgs.follows = "nixpkgs"; };
+    sops-nix =
+    {
+      url = "github:Mic92/sops-nix";
+      inputs = { nixpkgs.follows = "nixpkgs"; nixpkgs-stable.follows = "nixpkgs"; };
     };
+    touchix = { url = "github:CHN-beta/touchix"; inputs.nixpkgs.follows = "nixpkgs"; };
+    aagl = { url = "github:ezKEa/aagl-gtk-on-nix"; inputs.nixpkgs.follows = "nixpkgs"; };
+    nix-index-database = { url = "github:Mic92/nix-index-database"; inputs.nixpkgs.follows = "nixpkgs"; };
+    nur.url = "github:nix-community/NUR";
+    nixos-cn = { url = "github:nixos-cn/flakes"; inputs.nixpkgs.follows = "nixpkgs"; };
+    nur-xddxdd = { url = "github:xddxdd/nur-packages"; inputs.nixpkgs.follows = "nixpkgs"; };
+    nix-vscode-extensions =
+    {
+      url = "github:nix-community/nix-vscode-extensions?rev=50c4bce16b93e7ca8565d51fafabc05e9f0515da";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    nix-alien = { url = "github:thiagokokada/nix-alien"; inputs.nix-index-database.follows = "nix-index-database"; };
+    impermanence.url = "github:nix-community/impermanence";
+    qchem = { url = "github:Nix-QChem/NixOS-QChem"; inputs.nixpkgs.follows = "nixpkgs"; };
+    nixd = { url = "github:nix-community/nixd"; inputs.nixpkgs.follows = "nixpkgs"; };
+    napalm = { url = "github:nix-community/napalm"; inputs.nixpkgs.follows = "nixpkgs"; };
+    nixpak = { url = "github:nixpak/nixpak"; inputs.nixpkgs.follows = "nixpkgs"; };
+    deploy-rs = { url = "github:serokell/deploy-rs"; inputs.nixpkgs.follows = "nixpkgs"; };
+    pnpm2nix-nzbr = { url = "github:CHN-beta/pnpm2nix-nzbr"; inputs.nixpkgs.follows = "nixpkgs"; };
+    lmix = { url = "github:CHN-beta/lmix"; inputs.nixpkgs.follows = "nixpkgs"; };
+    dguibert-nur-packages = { url = "github:CHN-beta/dguibert-nur-packages"; inputs.nixpkgs.follows = "nixpkgs"; };
+  };
 
-	outputs = inputs: { nixosConfigurations =
-	{
-		"chn-PC" = inputs.nixpkgs.lib.nixosSystem
-		{
-			system = "x86_64-linux";
-			specialArgs = { inherit inputs; };
-			modules =
-			[
-				inputs.home-manager.nixosModules.home-manager
-				inputs.sops-nix.nixosModules.sops
-				inputs.touchix.nixosModules.v2ray-forwarder
-				inputs.aagl.nixosModules.default
-				inputs.nix-index-database.nixosModules.nix-index
-				inputs.nur.nixosModules.nur
-				({
-					config.nixpkgs.overlays =
-					[( final: prev:
-					{
-						touchix = inputs.touchix.packages."${prev.system}";
-						nix-vscode-extensions = inputs.nix-vscode-extensions.extensions."${prev.system}";
-					} )];
-				})
-
-				( import ./modules/basic.nix { hostName = "chn-PC"; })
-				./modules/fonts.nix
-				( import ./modules/i18n.nix { fcitx = true; } )
-				./modules/kde.nix
-				./modules/sops.nix
-				( import ./modules/boot/basic.nix { efi = true; timeout = 30; })
-				./modules/boot/chn-PC.nix
-				./modules/filesystem/chn-PC.nix
-				./modules/hardware/bluetooth.nix
-				./modules/hardware/joystick.nix
-				( import ./modules/hardware/nvidia-prime.nix { intelBusId = "PCI:0:2:0"; nvidiaBusId = "PCI:1:0:0"; } )
-				./modules/hardware/printer.nix
-				./modules/hardware/sound.nix
-				./modules/hardware/chn-PC.nix
-				./modules/networking/basic.nix
-				./modules/networking/ssh.nix
-				./modules/networking/wall_client.nix
-				./modules/networking/xmunet.nix
-				./modules/networking/chn-PC.nix
-				./modules/packages/terminal.nix
-				./modules/packages/gui.nix
-				./modules/packages/gaming.nix
-				./modules/packages/hpc.nix
-				./modules/users/root.nix
-				./modules/users/chn.nix
-				./modules/virtualisation/kvm_guest.nix
-				./modules/virtualisation/kvm_host.nix
-				./modules/virtualisation/waydroid.nix
-				./modules/home/root.nix
-				./modules/home/chn.nix
-			];
-		};
-
-		"chn-nixos-test" = inputs.nixpkgs.lib.nixosSystem
-		{
-			system = "x86_64-linux";
-			specialArgs = { inherit inputs; };
-			modules =
-			[
-				inputs.home-manager.nixosModules.home-manager
-				inputs.sops-nix.nixosModules.sops
-				inputs.nix-index-database.nixosModules.nix-index
-				( import ./modules/basic.nix { hostName = "chn-nixos-test"; })
-				( import ./modules/i18n.nix { fcitx = false; } )
-				./modules/sops.nix
-				( import ./modules/boot/basic.nix { efi = true; timeout = 30; })
-				./modules/boot/chn-nixos-test.nix
-				./modules/filesystem/chn-nixos-test.nix
-				./modules/hardware/chn-nixos-test.nix
-				./modules/networking/basic.nix
-				./modules/networking/ssh.nix
-				./modules/packages/terminal.nix
-				./modules/users/root.nix
-				./modules/users/chn.nix
-				./modules/virtualisation/kvm_guest.nix
-				./modules/home/root.nix
-				./modules/home/chn.nix
-			];
-		};
-	}; };
+  outputs = inputs:
+    let
+      localLib = import ./local/lib inputs.nixpkgs.lib;
+    in
+    {
+      packages.x86_64-linux =
+      {
+        default = inputs.nixpkgs.legacyPackages.x86_64-linux.writeText "systems"
+          (builtins.concatStringsSep "\n" (builtins.map
+            (system: builtins.toString inputs.self.outputs.nixosConfigurations.${system}.config.system.build.toplevel)
+            [ "pc" "vps6" "vps7" "nas" "yoga" ]));
+      }
+      // (
+        builtins.listToAttrs (builtins.map
+          (system:
+          {
+            name = system;
+            value = inputs.self.outputs.nixosConfigurations.${system}.config.system.build.toplevel;
+          })
+          [ "pc" "vps6" "vps7" "nas" "yoga" ])
+      );
+      nixosConfigurations = builtins.listToAttrs (builtins.map
+        (system:
+        {
+          name = system.name;
+          value = inputs.nixpkgs.lib.nixosSystem
+          {
+            system = "x86_64-linux";
+            specialArgs = { topInputs = inputs; inherit localLib; };
+            modules = localLib.mkModules
+            (
+              [
+                (inputs: { config.nixpkgs.overlays = [(final: prev:
+                  { localPackages = (import ./local/pkgs { inherit (inputs) lib; pkgs = final; }); })]; })
+                ./modules
+              ]
+              ++ system.value
+            );
+          };
+        })
+        (localLib.attrsToList
+        {
+          "pc" =
+          [
+            (inputs: { config.nixos =
+            {
+              system =
+              {
+                fileSystems =
+                {
+                  mount =
+                  {
+                    vfat."/dev/disk/by-uuid/3F57-0EBE" = "/boot/efi";
+                    btrfs =
+                    {
+                      "/dev/disk/by-uuid/02e426ec-cfa2-4a18-b3a5-57ef04d66614"."/" = "/boot";
+                      "/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
+                    };
+                  };
+                  decrypt.auto =
+                  {
+                    "/dev/disk/by-uuid/55fdd19f-0f1d-4c37-bd4e-6df44fc31f26" = { mapper = "root"; ssd = true; };
+                    "/dev/md/swap" = { mapper = "swap"; ssd = true; before = [ "root" ]; };
+                  };
+                  mdadm =
+                    "ARRAY /dev/md/swap metadata=1.2 name=pc:swap UUID=2b546b8d:e38007c8:02990dd1:df9e23a4";
+                  swap = [ "/dev/mapper/swap" ];
+                  resume = "/dev/mapper/swap";
+                  rollingRootfs = { device = "/dev/mapper/root"; path = "/nix/rootfs"; };
+                };
+                grub =
+                {
+                  windowsEntries = { "7317-1DB6" = "Windows"; "7321-FA9C" = "Windows for malware"; };
+                  installDevice = "efi";
+                };
+                nix =
+                {
+                  marches =
+                  [
+                    "alderlake"
+                    # CX16
+                    "sandybridge"
+                    # CX16 SAHF FXSR
+                    "silvermont"
+                    # RDSEED MWAITX SHA CLZERO CX16 SSE4A ABM CLFLUSHOPT WBNOINVD
+                    "znver2" "znver3"
+                    # CX16 SAHF FXSR HLE RDSEED
+                    "broadwell"
+                  ];
+                  keepOutputs = true;
+                };
+                nixpkgs = { march = "alderlake"; cudaSupport = true; };
+                gui = { enable = true; preferred = true; };
+                kernel =
+                {
+                  useLts = true;
+                  patches = [ "cjktty" "preempt" ];
+                  modules.modprobeConfig = [ "options iwlmvm power_scheme=1" "options iwlwifi uapsd_disable=1" ];
+                };
+                impermanence.enable = true;
+                networking =
+                  { hostname = "pc"; nebula = { enable = true; lighthouse = "vps6.chn.moe"; useRelay = true; }; };
+                sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
+              };
+              hardware =
+              {
+                cpus = [ "intel" ];
+                gpus = [ "intel" "nvidia" ];
+                bluetooth.enable = true;
+                joystick.enable = true;
+                printer.enable = true;
+                sound.enable = true;
+                prime =
+                  { enable = true; mode = "offload"; busId = { intel = "PCI:0:2:0"; nvidia = "PCI:1:0:0"; };};
+                gamemode.drmDevice = 1;
+              };
+              packages =
+              {
+                packageSet = "workstation";
+                extraPrebuildPackages = with inputs.pkgs; [ llvmPackages_git.stdenv ];
+                extraPythonPackages = [(pythonPackages:
+                  [ inputs.pkgs.localPackages.upho inputs.pkgs.localPackages.spectral ])];
+              };
+              virtualization =
+              {
+                waydroid.enable = true;
+                docker.enable = true;
+                kvmHost = { enable = true; gui = true; autoSuspend = [ "win10" "hardconnect" ]; };
+                # kvmGuest.enable = true;
+                nspawn = [ "arch" "ubuntu-22.04" "fedora" ];
+              };
+              services =
+              {
+                snapper = { enable = true; configs.persistent = "/nix/persistent"; };
+                fontconfig.enable = true;
+                samba =
+                {
+                  enable = true;
+                  private = true;
+                  hostsAllowed = "192.168. 127.";
+                  shares =
+                  {
+                    media.path = "/run/media/chn";
+                    home.path = "/home/chn";
+                    mnt.path = "/mnt";
+                    share.path = "/home/chn/share";
+                  };
+                };
+                sshd.enable = true;
+                xrayClient =
+                {
+                  enable = true;
+                  serverAddress = "74.211.99.69";
+                  serverName = "vps6.xserver.chn.moe";
+                  dns =
+                  {
+                    extraInterfaces = [ "docker0" ];
+                    hosts =
+                    {
+                      "mirism.one" = "216.24.188.24";
+                      "beta.mirism.one" = "216.24.188.24";
+                      "ng01.mirism.one" = "216.24.188.24";
+                      "debug.mirism.one" = "127.0.0.1";
+                      "initrd.vps6.chn.moe" = "74.211.99.69";
+                      "nix-store.chn.moe" = "127.0.0.1";
+                      "initrd.nas.chn.moe" = "192.168.1.185";
+                    };
+                  };
+                };
+                firewall.trustedInterfaces = [ "virbr0" "waydroid0" ];
+                acme = { enable = true; certs = [ "debug.mirism.one" ]; };
+                frpClient =
+                {
+                  enable = true;
+                  serverName = "frp.chn.moe";
+                  user = "pc";
+                  tcp.store = { localPort = 443; remotePort = 7676; };
+                };
+                nix-serve = { enable = true; hostname = "nix-store.chn.moe"; };
+                smartd.enable = true;
+                nginx =
+                {
+                  enable = true;
+                  transparentProxy.externalIp = [ "192.168.82.3" ];
+                  applications.misskey.instances."xn--qbtm095lrg0bfka60z.chn.moe" = {};
+                };
+                misskey.instances.misskey.hostname = "xn--qbtm095lrg0bfka60z.chn.moe";
+                beesd = { enable = true; instances.root = { device = "/"; hashTableSizeMB = 2048; }; };
+              };
+              bugs =
+              [
+                "intel-hdmi" "suspend-hibernate-no-platform" "hibernate-iwlwifi" "suspend-lid-no-wakeup" "xmunet"
+                "suspend-hibernate-waydroid" "embree" "nvme"
+              ];
+            };})
+          ];
+          "vps6" = 
+          [
+            (inputs: { config.nixos =
+            {
+              system =
+              {
+                fileSystems =
+                {
+                  mount =
+                  {
+                    btrfs =
+                    {
+                      "/dev/disk/by-uuid/24577c0e-d56b-45ba-8b36-95a848228600"."/boot" = "/boot";
+                      "/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
+                    };
+                  };
+                  decrypt.manual =
+                  {
+                    enable = true;
+                    devices."/dev/disk/by-uuid/4f8aca22-9ec6-4fad-b21a-fd9d8d0514e8" = { mapper = "root"; ssd = true; };
+                    delayedMount = [ "/" ];
+                  };
+                  swap = [ "/nix/swap/swap" ];
+                  rollingRootfs = { device = "/dev/mapper/root"; path = "/nix/rootfs"; };
+                };
+                grub.installDevice = "/dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:0";
+                nixpkgs.march = "sandybridge";
+                nix.substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
+                initrd =
+                {
+                  network.enable = true;
+                  sshd = { enable = true; hostKeys = [ "/nix/persistent/etc/ssh/initrd_ssh_host_ed25519_key" ]; };
+                };
+                kernel.patches = [ "preempt" ];
+                impermanence.enable = true;
+                networking = { hostname = "vps6"; nebula.enable = true; };
+                sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
+              };
+              packages.packageSet = "server";
+              services =
+              {
+                snapper = { enable = true; configs.persistent = "/nix/persistent"; };
+                sshd.enable = true;
+                xrayServer = { enable = true; serverName = "vps6.xserver.chn.moe"; };
+                frpServer = { enable = true; serverName = "frp.chn.moe"; };
+                nginx =
+                {
+                  enable = true;
+                  transparentProxy =
+                  {
+                    externalIp = [ "74.211.99.69" "192.168.82.1" ];
+                    map =
+                    {
+                      "ng01.mirism.one" = 7411;
+                      "beta.mirism.one" = 9114;
+                    };
+                  };
+                  streamProxy =
+                  {
+                    enable = true;
+                    map =
+                    {
+                      "nix-store.chn.moe" = { upstream = "internal.pc.chn.moe:443"; rewriteHttps = true; };
+                      "anchor.fm" = { upstream = "anchor.fm:443"; rewriteHttps = true; };
+                      "podcasters.spotify.com" = { upstream = "podcasters.spotify.com:443"; rewriteHttps = true; };
+                      "xlog.chn.moe" = { upstream = "cname.xlog.app:443"; rewriteHttps = true; };
+                    };
+                  };
+                  applications =
+                  {
+                    misskey.instances =
+                    {
+                      "xn--qbtm095lrg0bfka60z.chn.moe".upstream.address = "internal.pc.chn.moe";
+                      "xn--s8w913fdga.chn.moe".upstream.address = "internal.vps7.chn.moe";
+                      "misskey.chn.moe".upstream = "internal.vps7.chn.moe:9727";
+                    };
+                    synapse.instances."synapse.chn.moe".upstream.address = "internal.vps7.chn.moe";
+                    vaultwarden = { enable = true; upstream.address = "internal.vps7.chn.moe"; };
+                    element.instances."element.chn.moe" = {};
+                    photoprism.instances."photoprism.chn.moe".upstream.address = "internal.vps7.chn.moe";
+                    nextcloud.proxy = { enable = true; upstream = "internal.vps7.chn.moe"; };
+                  };
+                };
+                coturn.enable = true;
+                beesd = { enable = true; instances.root = { device = "/"; hashTableSizeMB = 16; }; };
+              };
+            };})
+          ];
+          "vps7" =
+          [
+            (inputs: { config.nixos =
+            {
+              system =
+              {
+                fileSystems =
+                {
+                  mount =
+                  {
+                    btrfs =
+                    {
+                      "/dev/disk/by-uuid/e36287f7-7321-45fa-ba1e-d126717a65f0"."/boot" = "/boot";
+                      "/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
+                    };
+                  };
+                  decrypt.manual =
+                  {
+                    enable = true;
+                    devices."/dev/disk/by-uuid/db48c8de-bcf7-43ae-a977-60c4f390d5c4" = { mapper = "root"; ssd = true; };
+                    delayedMount = [ "/" ];
+                  };
+                  swap = [ "/nix/swap/swap" ];
+                  rollingRootfs = { device = "/dev/mapper/root"; path = "/nix/rootfs"; };
+                };
+                grub.installDevice = "/dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:0";
+                nixpkgs.march = "broadwell";
+                nix.substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
+                initrd =
+                {
+                  network.enable = true;
+                  sshd = { enable = true; hostKeys = [ "/nix/persistent/etc/ssh/initrd_ssh_host_ed25519_key" ]; };
+                };
+                kernel.patches = [ "preempt" ];
+                impermanence.enable = true;
+                networking = { hostname = "vps7"; nebula = { enable = true; lighthouse = "vps6.chn.moe"; }; };
+                sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
+                gui.enable = true;
+              };
+              packages =
+              {
+                packageSet = "desktop";
+              };
+              services =
+              {
+                snapper = { enable = true; configs.persistent = "/nix/persistent"; };
+                fontconfig.enable = true;
+                sshd.enable = true;
+                rsshub.enable = true;
+                nginx =
+                {
+                  enable = true;
+                  transparentProxy.externalIp = [ "95.111.228.40" "192.168.82.2" ];
+                  applications =
+                  {
+                    misskey.instances =
+                    {
+                      "xn--s8w913fdga.chn.moe" = {};
+                      "misskey.chn.moe".upstream.port = 9727;
+                    };
+                    synapse.instances."synapse.chn.moe" = {};
+                    vaultwarden.enable = true;
+                    photoprism.instances."photoprism.chn.moe" = {};
+                    nextcloud.instance.enable = true;
+                  };
+                };
+                wallabag.enable = true;
+                misskey.instances =
+                {
+                  misskey.hostname = "xn--s8w913fdga.chn.moe";
+                  misskey-old = { port = 9727; redis.port = 3546; meilisearch.enable = false; };
+                };
+                synapse.enable = true;
+                xrdp = { enable = true; hostname = "vps7.chn.moe"; };
+                vaultwarden.enable = true;
+                beesd = { enable = true; instances.root = { device = "/"; hashTableSizeMB = 1024; }; };
+                photoprism.enable = true;
+                nextcloud.enable = true;
+              };
+            };})
+          ];
+          "nas" =
+          [
+            (inputs: { config.nixos =
+            {
+              system =
+              {
+                fileSystems =
+                {
+                  mount =
+                  {
+                    vfat."/dev/disk/by-uuid/13BC-F0C9" = "/boot/efi";
+                    btrfs =
+                    {
+                      "/dev/disk/by-uuid/0e184f3b-af6c-4f5d-926a-2559f2dc3063"."/boot" = "/boot";
+                      "/dev/mapper/nix"."/nix" = "/nix";
+                      "/dev/mapper/root1" =
+                      {
+                        "/nix/rootfs" = "/nix/rootfs";
+                        "/nix/persistent" = "/nix/persistent";
+                        "/nix/nodatacow" = "/nix/nodatacow";
+                        "/nix/rootfs/current" = "/";
+                      };
+                    };
+                  };
+                  decrypt.manual =
+                  {
+                    enable = true;
+                    devices =
+                    {
+                      "/dev/disk/by-uuid/5cf1d19d-b4a5-4e67-8e10-f63f0d5bb649".mapper = "root1";
+                      "/dev/disk/by-uuid/aa684baf-fd8a-459c-99ba-11eb7636cb0d".mapper = "root2";
+                      "/dev/disk/by-uuid/a779198f-cce9-4c3d-a64a-9ec45f6f5495" = { mapper = "nix"; ssd = true; };
+                    };
+                    delayedMount = [ "/" "/nix" ];
+                  };
+                  swap = [ "/nix/swap/swap" ];
+                  rollingRootfs = { device = "/dev/mapper/root1"; path = "/nix/rootfs"; };
+                };
+                initrd =
+                {
+                  network.enable = true;
+                  sshd = { enable = true; hostKeys = [ "/nix/persistent/etc/ssh/initrd_ssh_host_ed25519_key" ]; };
+                };
+                grub.installDevice = "efi";
+                nixpkgs.march = "silvermont";
+                nix.substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
+                kernel.patches = [ "cjktty" "preempt" ];
+                impermanence.enable = true;
+                networking =
+                  { hostname = "nas"; nebula = { enable = true; lighthouse = "vps6.chn.moe"; useRelay = true; }; };
+                sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
+                gui.enable = true;
+              };
+              hardware =
+              {
+                cpus = [ "intel" ];
+                gpus = [ "intel" ];
+              };
+              packages.packageSet = "desktop";
+              services =
+              {
+                snapper = { enable = true; configs.persistent = "/nix/persistent"; };
+                fontconfig.enable = true;
+                samba =
+                {
+                  enable = true;
+                  hostsAllowed = "192.168. 127.";
+                  shares =
+                  {
+                    home.path = "/home";
+                    root.path = "/";
+                  };
+                };
+                sshd = { enable = true; passwordAuthentication = true; };
+                xrayClient =
+                {
+                  enable = true;
+                  serverAddress = "74.211.99.69";
+                  serverName = "vps6.xserver.chn.moe";
+                  dns.extraInterfaces = [ "docker0" ];
+                };
+                xrdp = { enable = true; hostname = [ "nas.chn.moe" "office.chn.moe" ]; };
+                groupshare.enable = true;
+                smartd.enable = true;
+                beesd =
+                {
+                  enable = true;
+                  instances =
+                  {
+                    root = { device = "/"; hashTableSizeMB = 2048; };
+                    nix = { device = "/nix"; hashTableSizeMB = 128; };
+                  };
+                };
+              };
+              users.users = [ "root" "chn" "xll" "zem" "yjq" "yxy" ];
+            };})
+          ];
+          "xmupc1" =
+          [
+            (inputs: { config.nixos =
+            {
+              system =
+              {
+                fileSystems =
+                {
+                  mount =
+                  {
+                    vfat."/dev/disk/by-uuid/3F57-0EBE" = "/boot/efi";
+                    btrfs =
+                    {
+                      "/dev/disk/by-uuid/02e426ec-cfa2-4a18-b3a5-57ef04d66614"."/" = "/boot";
+                      "/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
+                    };
+                  };
+                  decrypt.auto =
+                  {
+                    "/dev/disk/by-uuid/55fdd19f-0f1d-4c37-bd4e-6df44fc31f26" = { mapper = "root"; ssd = true; };
+                    "/dev/md/swap" = { mapper = "swap"; ssd = true; before = [ "root" ]; };
+                  };
+                  mdadm =
+                    "ARRAY /dev/md/swap metadata=1.2 name=pc:swap UUID=2b546b8d:e38007c8:02990dd1:df9e23a4";
+                  swap = [ "/dev/mapper/swap" ];
+                  resume = "/dev/mapper/swap";
+                  rollingRootfs = { device = "/dev/mapper/root"; path = "/nix/rootfs"; };
+                };
+                grub.installDevice = "efi";
+                nixpkgs = { march = "znver3"; cudaSupport = true; };
+                nix =
+                {
+                  marches =
+                  [
+                    "znver3" "znver2"
+                    # PREFETCHW RDRND XSAVE XSAVEOPT PTWRITE SGX GFNI-SSE MOVDIRI MOVDIR64B CLDEMOTE WAITPKG LZCNT
+                    # PCONFIG SERIALIZE HRESET KL WIDEKL AVX-VNNI
+                    "alderlake"
+                    # SAHF FXSR XSAVE
+                    "sandybridge"
+                    # SAHF FXSR PREFETCHW RDRND
+                    "silvermont"
+                  ];
+                  substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
+                };
+                gui.enable = true;
+                kernel =
+                {
+                  patches = [ "cjktty" "preempt" ];
+                  modules.modprobeConfig = [ "options iwlmvm power_scheme=1" "options iwlwifi uapsd_disable=1" ];
+                };
+                impermanence.enable = true;
+                networking.hostname = "xmupc1";
+                sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
+              };
+              hardware =
+              {
+                cpus = [ "intel" ];
+                gpus = [ "intel" "nvidia" ];
+                bluetooth.enable = true;
+                joystick.enable = true;
+                printer.enable = true;
+                sound.enable = true;
+                prime =
+                  { enable = true; mode = "offload"; busId = { intel = "PCI:0:2:0"; nvidia = "PCI:1:0:0"; };};
+              };
+              packages.packageSet = "workstation";
+              virtualization =
+              {
+                docker.enable = true;
+                kvmHost = { enable = true; gui = true; };
+              };
+              services =
+              {
+                snapper = { enable = true; configs.persistent = "/nix/persistent"; };
+                fontconfig.enable = true;
+                samba =
+                {
+                  enable = true;
+                  hostsAllowed = "192.168. 127.";
+                  shares =
+                  {
+                    media.path = "/run/media/chn";
+                    home.path = "/home/chn";
+                    mnt.path = "/mnt";
+                    share.path = "/home/chn/share";
+                  };
+                };
+                sshd.enable = true;
+                xrayClient =
+                {
+                  enable = true;
+                  serverAddress = "74.211.99.69";
+                  serverName = "vps6.xserver.chn.moe";
+                  dns =
+                  {
+                    extraInterfaces = [ "docker0" ];
+                    hosts =
+                    {
+                      "mirism.one" = "216.24.188.24";
+                      "beta.mirism.one" = "216.24.188.24";
+                      "ng01.mirism.one" = "216.24.188.24";
+                      "debug.mirism.one" = "127.0.0.1";
+                      "initrd.vps6.chn.moe" = "74.211.99.69";
+                      "nix-store.chn.moe" = "127.0.0.1";
+                    };
+                  };
+                };
+                firewall.trustedInterfaces = [ "virbr0" ];
+                frpClient =
+                {
+                  enable = true;
+                  serverName = "frp.chn.moe";
+                  user = "xmupc1";
+                  tcp.store = { localPort = 443; remotePort = 7676; };
+                };
+                smartd.enable = true;
+                nginx = { enable = true; transparentProxy.enable = false; };
+                postgresql.enable = true;
+              };
+              bugs = [ "xmunet" "firefox" "embree" ];
+            };})
+          ];
+          "yoga" =
+          [
+            (inputs: { config.nixos =
+            {
+              system =
+              {
+                fileSystems =
+                {
+                  mount =
+                  {
+                    vfat."/dev/disk/by-uuid/86B8-CF80" = "/boot/efi";
+                    btrfs =
+                    {
+                      "/dev/disk/by-uuid/e252f81d-b4b3-479f-8664-380a9b73cf83"."/boot" = "/boot";
+                      "/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
+                    };
+                  };
+                  decrypt.auto."/dev/disk/by-uuid/8186d34e-005c-4461-94c7-1003a5bd86c0" =
+                    { mapper = "root"; ssd = true; };
+                  swap = [ "/nix/swap/swap" ];
+                  rollingRootfs = { device = "/dev/mapper/root"; path = "/nix/rootfs"; };
+                };
+                nixpkgs.march = "silvermont";
+                gui.enable = true;
+                grub.installDevice = "efi";
+                nix.substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
+                kernel.patches = [ "cjktty" "preempt" ];
+                impermanence.enable = true;
+                networking.hostname = "yoga";
+                sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
+              };
+              hardware =
+              {
+                cpus = [ "intel" ];
+                gpus = [ "intel" ];
+                bluetooth.enable = true;
+                joystick.enable = true;
+                printer.enable = true;
+                sound.enable = true;
+                halo-keyboard.enable = true;
+              };
+              packages.packageSet = "desktop";
+              virtualization.docker.enable = true;
+              services =
+              {
+                snapper = { enable = true; configs.persistent = "/nix/persistent"; };
+                fontconfig.enable = true;
+                sshd.enable = true;
+                xrayClient =
+                {
+                  enable = true;
+                  serverAddress = "74.211.99.69";
+                  serverName = "vps6.xserver.chn.moe";
+                  dns.extraInterfaces = [ "docker0" ];
+                };
+                firewall.trustedInterfaces = [ "virbr0" ];
+              };
+              bugs = [ "xmunet" "firmware-unstable" ];
+            };})
+          ];
+        }));
+      # sudo HTTPS_PROXY=socks5://127.0.0.1:10884 nixos-install --flake .#bootstrap --option substituters http://127.0.0.1:5000 --option require-sigs false --option system-features gccarch-silvermont
+      # nix-serve -p 5000
+      # nix copy --substitute-on-destination --to ssh://server /run/current-system
+      # nix copy --to ssh://nixos@192.168.122.56 ./result
+      # sudo nixos-install --flake .#bootstrap
+      #    --option substituters http://192.168.122.1:5000 --option require-sigs false
+      # sudo chattr -i var/empty
+      # nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
+      # sudo nixos-rebuild switch --flake .#vps6 --log-format internal-json -v |& nom --json
+      # boot.shell_on_fail systemd.setenv=SYSTEMD_SULOGIN_FORCE=1
+      # sudo usbipd
+      # ssh -R 3240:127.0.0.1:3240 root@192.168.122.57
+      # modprobe vhci-hcd
+      # sudo usbip bind -b 3-6
+      # usbip attach -r 127.0.0.1 -b 3-6
+      # systemd-cryptenroll --fido2-device=auto /dev/vda2
+      # systemd-cryptsetup attach root /dev/vda2
+      deploy =
+      {
+        sshUser = "root";
+        user = "root";
+        fastConnection = true;
+        autoRollback = false;
+        magicRollback = false;
+        nodes = builtins.listToAttrs (builtins.map
+          (node:
+          {
+            name = node;
+            value =
+            {
+              hostname = node;
+              profiles.system.path = inputs.self.nixosConfigurations.${node}.pkgs.deploy-rs.lib.activate.nixos
+                  inputs.self.nixosConfigurations.${node};
+            };
+          })
+          [ "vps6" "vps7" "nas" "yoga" ]);
+      };
+      checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks inputs.self.deploy) inputs.deploy-rs.lib;
+      overlays.default = final: prev:
+        { localPackages = (import ./local/pkgs { inherit (inputs) lib; pkgs = final; }); };
+    };
 }

local/lib/default.nix

@@ -0,0 +1,35 @@
+lib:
+{
+  attrsToList = Attrs: builtins.map ( name: { inherit name; value = Attrs.${name}; } ) ( builtins.attrNames Attrs );
+  mkConditional = condition: trueResult: falseResult: let inherit (lib) mkMerge mkIf; in
+    mkMerge [ ( mkIf condition trueResult ) ( mkIf (!condition) falseResult ) ];
+
+  # Behaviors of these two NixOS modules would be different:
+  # { pkgs, ... }@inputs: { environment.systemPackages = [ pkgs.hello ]; }
+  # inputs: { environment.systemPackages = [ pkgs.hello ]; }
+  # The second one would failed to evaluate because nixpkgs would not pass pkgs to it.
+  # So that we wrote a wrapper to make it always works like the first one.
+  mkModules = moduleList:
+    (builtins.map
+      (
+        let handle = module:
+          if ( builtins.typeOf module ) == "path" then (handle (import module))
+          else if ( builtins.typeOf module ) == "lambda" then ({ pkgs, utils, ... }@inputs: (module inputs))
+          else module;
+        in handle
+      )
+      moduleList);
+
+  # from: https://github.com/NixOS/nix/issues/3759
+  stripeTabs = text:
+    let
+      # Whether all lines start with a tab (or is empty)
+      shouldStripTab = lines: builtins.all (line: (line == "") || (lib.strings.hasPrefix "  " line)) lines;
+      # Strip a leading tab from all lines
+      stripTab = lines: builtins.map (line: lib.strings.removePrefix "  " line) lines;
+      # Strip tabs recursively until there are none
+      stripTabs = lines: if (shouldStripTab lines) then (stripTabs (stripTab lines)) else lines;
+    in
+      # Split into lines. Strip leading tabs. Concat back to string.
+      builtins.concatStringsSep "\n" (stripTabs (lib.strings.splitString "\n" text));
+}

local/pkgs/12to11/default.nix

@@ -0,0 +1,29 @@
+{
+  lib, stdenv, fetchsvn, xorg, libdrm
+}:
+
+stdenv.mkDerivation rec
+{
+  pname = "12to11";
+  version = "193";
+  src = fetchsvn
+  {
+    url = "svn://svn.code.sf.net/p/twelveto11/code";
+    rev = version;
+    sha256 = "12csy55f2xxj03c5b60dvip68mz8cggic6751y3hvj22ar4ncaaj";
+  };
+  postPatch =
+  ''
+    for i in *.c
+    do
+      sed -i -e "s|#include <drm_fourcc.h>|#include <libdrm/drm_fourcc.h>|" $i
+    done
+    for i in tests/*.c
+    do
+      sed -i -e "s|#include <drm/drm_fourcc.h>|#include <libdrm/drm_fourcc.h>|" $i
+    done
+  '';
+
+  nativeBuildInputs = [  ];
+  buildInputs = [ xorg.imake libdrm.dev ];
+}

local/pkgs/biu/default.nix

@@ -0,0 +1,17 @@
+{
+  stdenv, fetchFromGitHub, cmake, pkg-config, ninja,
+  fmt, boost, magic-enum, libbacktrace, concurrencpp, tgbot-cpp, nameof, eigen, range-v3
+}: stdenv.mkDerivation rec
+{
+  name = "libbiu";
+  src = fetchFromGitHub
+  {
+    owner = "CHN-beta";
+    repo = "biu";
+    rev = "8ed2e52968f98d3a6ddbd01e86e57604ba3a7f54";
+    sha256 = "OqQ+QkjjIbpve/xn/DJA7ONw/bBg5zGNr+VJjc3o+K8=";
+  };
+  nativeBuildInputs = [ cmake pkg-config ninja ];
+  buildInputs = [ fmt boost magic-enum libbacktrace concurrencpp tgbot-cpp nameof eigen range-v3 ];
+  propagatedBuildInputs = buildInputs;
+}

local/pkgs/chromiumos-touch-keyboard/default.nix

@@ -0,0 +1,18 @@
+{ lib, stdenv, fetchFromGitHub, fetchurl, cmake }: stdenv.mkDerivation rec
+{
+  pname = "chromiumos-touch-keyboard";
+  version = "1.4.1";
+  src = fetchFromGitHub
+  {
+    owner = "CHN-beta";
+    repo = "chromiumos_touch_keyboard";
+    rev = "32b72240ccac751a1b983152f65aa5b19503ffcf";
+    sha256 = "eFesDSBS2VzTOVfepgXYGynWvkrCSdCV9C/gcG/Ocbg=";
+  };
+  cmakeFlags = [ "-DCMAKE_CXX_FLAGS=-Wno-error=stringop-truncation" ];
+  nativeBuildInputs = [ cmake ];
+  postInstall =
+  ''
+    cp $out/etc/touch_keyboard/layouts/YB1-X9x-pc105.csv $out/etc/touch_keyboard/layout.csv
+  '';
+}

local/pkgs/concurrencpp/default.nix

@@ -0,0 +1,13 @@
+{ stdenv, fetchFromGitHub, cmake }: stdenv.mkDerivation rec
+{
+  pname = "concurrencpp";
+  version = "0.1.7";
+  src = fetchFromGitHub
+  {
+    owner = "David-Haim";
+    repo = "concurrencpp";
+    rev = "v.${version}";
+    sha256 = "4qT29YVjKEWcMrI5R5Ps8aD4grAAgz5VOxANjpp1oTo=";
+  };
+  nativeBuildInputs = [ cmake ];
+}

local/pkgs/default.nix

@@ -0,0 +1,41 @@
+{ lib, pkgs }: with pkgs; rec
+{
+  typora = callPackage ./typora {};
+  upho = python3Packages.callPackage ./upho {};
+  spectral = python3Packages.callPackage ./spectral {};
+  vesta = callPackage ./vesta {};
+  oneapi = callPackage ./oneapi {};
+  send = callPackage ./send {};
+  rsshub = callPackage ./rsshub {};
+  misskey = callPackage ./misskey { vips = unstablePackages.vips; };
+  mk-meili-mgn = callPackage ./mk-meili-mgn {};
+  phonon-unfolding = callPackage ./phonon-unfolding {};
+  # vasp = callPackage ./vasp
+  # {
+  #   stdenv = pkgs.lmix-pkgs.intel21Stdenv;
+  #   intel-mpi = pkgs.lmix-pkgs.intel-oneapi-mpi_2021_9_0;
+  #   ifort = pkgs.lmix-pkgs.intel-oneapi-ifort_2021_9_0;
+  # };
+  vasp = callPackage ./vasp
+  {
+    openmp = llvmPackages.openmp;
+    openmpi = pkgs.openmpi.override { cudaSupport = false; };
+  };
+  vaspkit = callPackage ./vaspkit { attrsToList = (import ../lib lib).attrsToList; };
+  # "12to11" = callPackage ./12to11 {};
+  huginn = callPackage ./huginn {};
+  v_sim = callPackage ./v_sim {};
+  concurrencpp = callPackage ./concurrencpp { stdenv = gcc13Stdenv; };
+  eigengdb = python3Packages.callPackage ./eigengdb {};
+  nodesoup = callPackage ./nodesoup {};
+  matplotplusplus = callPackage ./matplotplusplus { inherit nodesoup glad; };
+  zpp-bits = callPackage ./zpp-bits {};
+  eigen = callPackage ./eigen {};
+  nameof = callPackage ./nameof {};
+  pslist = callPackage ./pslist {};
+  glad = callPackage ./glad {};
+  chromiumos-touch-keyboard = callPackage ./chromiumos-touch-keyboard {};
+  yoga-support = callPackage ./yoga-support {};
+  tgbot-cpp = callPackage ./tgbot-cpp {};
+  biu = callPackage ./biu { inherit concurrencpp tgbot-cpp nameof; stdenv = gcc13Stdenv; };
+}

local/pkgs/eigen/default.nix

@@ -0,0 +1,12 @@
+{ lib, stdenv, fetchFromGitLab, cmake }: stdenv.mkDerivation rec
+{
+  name = "eigen";
+  src = fetchFromGitLab
+  {
+    owner = "libeigen";
+    repo = name;
+    rev = "6d829e766ff1b1ab867d93631163cbc63ed5798f";
+    sha256 = "BXUnizcRPrOyiPpoyYJ4VVOjlG49aj80mgzPKmEYPKU=";
+  };
+  nativeBuildInputs = [ cmake ];
+}

local/pkgs/eigengdb/default.nix

@@ -0,0 +1,15 @@
+{ lib, fetchFromGitHub, buildPythonPackage, numpy, gdb }: buildPythonPackage
+{
+  name = "eigengdb";
+  src = fetchFromGitHub
+  {
+    owner = "dmillard";
+    repo = "eigengdb";
+    rev = "c741edef3f07f33429056eff48d79a62733ed494";
+    sha256 = "MTqOaWsKhWaPs3G5F/6bYZmQI5qS2hEGKGa3mwbgFaY=";
+  };
+  doCheck = false;
+  buildInputs = [ gdb ];
+  nativeBuildInputs = [ gdb ];
+  propagatedBuildInputs = [ numpy ];
+}

local/pkgs/glad/default.nix

@@ -0,0 +1,14 @@
+{ lib, stdenv, fetchFromGitHub, cmake, python3 }: stdenv.mkDerivation rec
+{
+  pname = "glad";
+  version = "0.1.36";
+  src = fetchFromGitHub
+  {
+    owner = "Dav1dde";
+    repo = "glad";
+    rev = "v${version}";
+    sha256 = "FtkPz0xchwmqE+QgS+nSJVYaAfJSTUmZsObV/IPypVQ=";
+  };
+  cmakeFlags = [ "-DGLAD_REPRODUCIBLE=ON" "-DGLAD_INSTALL=ON" ];
+  nativeBuildInputs = [ cmake python3 ];
+}

local/pkgs/huginn/default.nix

@@ -0,0 +1,29 @@
+{ lib, stdenv, bundlerEnv, fetchFromGitHub }:
+let
+  pname = "huginn";
+  version = "20230723";
+  src = fetchFromGitHub
+  {
+    owner = "CHN-beta";
+    repo = "huginn";
+    rev = "a02977ad420a01b6460634af19f714db4a8f8f36";
+    hash = "sha256-Ty2EDCIjbvcf3PzPupcV4s7ZfAFTuYEjSfy0m+Yt3j4=";
+  };
+  gems = bundlerEnv
+  {
+    name = "${pname}-${version}-gems";
+    gemdir  = "${src}";
+    gemfile = "${src}/Gemfile";
+    lockfile = "${src}/Gemfile.lock";
+    gemset  = "${src}/gemset.nix";
+    copyGemFiles = true;
+  };
+in stdenv.mkDerivation
+{
+  inherit pname version src;
+  buildInputs = [ gems gems.wrappedRuby ];
+  installPhase =
+  ''
+    false
+  '';
+}

local/pkgs/matplotplusplus/default.nix

@@ -0,0 +1,25 @@
+{
+  stdenv, fetchFromGitHub, cmake, pkg-config, substituteAll,
+  gnuplot, libjpeg, libtiff, zlib, libpng, lapack, blas, fftw, opencv, nodesoup, cimg, glfw, libGL, python3, glad
+}: stdenv.mkDerivation
+{
+  pname = "matplotplusplus";
+  version = "1.2.0";
+  src = fetchFromGitHub
+  {
+    owner = "alandefreitas";
+    repo = "matplotplusplus";
+    rev = "a40344efa9dc5ea0c312e6e9ef4eb7238d98dc12";
+    sha256 = "6/dH/Rl2aAb8b+Ji5LwzkC+GWPOCBnYCrjy0qk8u/+I=";
+  };
+  cmakeFlags =
+  [
+    "-DBUILD_SHARED_LIBS=ON" "-DMATPLOTPP_BUILD_SHARED_LIBS=ON" "-DMATPLOTPP_BUILD_EXAMPLES=OFF"
+    "-DMATPLOTPP_WITH_SYSTEM_NODESOUP=ON" "-DMATPLOTPP_WITH_SYSTEM_CIMG=ON"
+    "-DMATPLOTPP_BUILD_EXPERIMENTAL_OPENGL_BACKEND=ON" "-DGLAD_REPRODUCIBLE=ON"
+  ];
+  buildInputs = [ gnuplot libjpeg libtiff zlib libpng lapack blas fftw opencv nodesoup cimg glfw libGL glad ];
+  nativeBuildInputs = [ cmake pkg-config python3 ];
+  propagatedBuildInputs = [ libGL glad glfw ];
+  propagatedNativeBuildInputs = [ python3 ];
+}

local/pkgs/misskey/default.nix

@@ -0,0 +1,126 @@
+{
+  lib, stdenv, mkPnpmPackage, fetchFromGitHub, fetchurl, nodejs_20, writeShellScript, buildFHSEnv,
+  bash, cypress, vips, pkg-config
+}:
+let
+  pname = "misskey";
+  version = "2023.10.2";
+  src = fetchFromGitHub
+  {
+    owner = "CHN-beta";
+    repo = "misskey";
+    rev = "3f813d9808ebc1774457e02add8fe9c7a6937ff7";
+    sha256 = "63ZIil28jcMiL+c9FMj7m1OeCrLwsQZNHib+j8ar66s=";
+    fetchSubmodules = true;
+  };
+  originalPnpmPackage = mkPnpmPackage
+  {
+    inherit pname version src;
+    nodejs = nodejs_20;
+    copyPnpmStore = true;
+  };
+  startScript = writeShellScript "misskey"
+  ''
+    export PATH=${lib.makeBinPath [ bash nodejs_20 nodejs_20.pkgs.pnpm nodejs_20.pkgs.gulp cypress ]}:$PATH
+    export CYPRESS_RUN_BINARY="${cypress}/bin/Cypress"
+    export NODE_ENV=production
+    pnpm run migrateandstart
+  '';
+  re2 = stdenv.mkDerivation rec
+  {
+    pname = "re2";
+    version = "1.20.3";
+    srcs =
+    [
+      (fetchurl
+      {
+        url = "https://github.com/uhop/node-re2/releases/download/1.20.3/linux-x64-115.br";
+        sha256 = "0g2k0bki0zm0vaqpz25ww119qcs1flv63h6s5ib3103arpnzmb6d";
+      })
+      (fetchurl
+      {
+        url = "https://github.com/uhop/node-re2/releases/download/1.20.3/linux-x64-115.gz";
+        sha256 = "1dr9zzzm67jknzvla1l5178lzmj6cfh8i1vsp5r4gkwdwbfh3ip0";
+      })
+      (fetchurl
+      {
+        url = "https://github.com/uhop/node-re2/releases/download/1.20.3/linux-x64-108.br";
+        sha256 = "0wby987byhshb20np1gglj6y9ji7m7jza5jwa4hyxfxs1pkkmg1n";
+      })
+      (fetchurl
+      {
+        url = "https://github.com/uhop/node-re2/releases/download/1.20.3/linux-x64-108.gz";
+        sha256 = "0q3dyxm63d2x0wxx23gdwym7r2gmaw4ahvmd35dgrj179ik290pi";
+      })
+      (fetchurl
+      {
+        url = "https://github.com/uhop/node-re2/releases/download/1.20.3/linux-x64-93.br";
+        sha256 = "1wjmdni24353ppwfiyrv1zl9ci4g2habk0g2nz6b0sijagcy7bv3";
+      })
+      (fetchurl
+      {
+        url = "https://github.com/uhop/node-re2/releases/download/1.20.3/linux-x64-93.gz";
+        sha256 = "0rgkryjh412g2m7rfrl2krsb9137prkk2y9ga8akn7qp1bqsbq1i";
+      })
+    ];
+    phases = [ "installPhase" ];
+    installPhase =
+    ''
+      mkdir -p $out/${version}
+      for i in $srcs
+      do
+        cp $i $out/${version}/''${i#*-}
+      done
+    '';
+  };
+in
+  stdenv.mkDerivation rec
+  {
+    inherit version src pname;
+    buildInputs =
+    [
+      bash nodejs_20 nodejs_20.pkgs.typescript nodejs_20.pkgs.pnpm nodejs_20.pkgs.gulp cypress vips pkg-config
+    ];
+    nativeBuildInputs = buildInputs;
+    CYPRESS_RUN_BINARY = "${cypress}/bin/Cypress";
+    NODE_ENV = "production";
+    RE2_DOWNLOAD_MIRROR = "${re2}";
+    RE2_DOWNLOAD_SKIP_PATH = "true";
+    configurePhase =
+    ''
+      export HOME=$NIX_BUILD_TOP # Some packages need a writable HOME
+      export npm_config_nodedir=${nodejs_20}
+
+      runHook preConfigure
+
+      store=$(pnpm store path)
+      mkdir -p $(dirname $store)
+
+      cp -f ${originalPnpmPackage.passthru.patchedLockfileYaml} pnpm-lock.yaml
+      cp -RL ${originalPnpmPackage.passthru.pnpmStore} $store
+      chmod -R +w $store
+      pnpm install --frozen-lockfile --offline
+
+      runHook postConfigure
+    '';
+    buildPhase =
+    ''
+      runHook preBuild
+      pnpm run build
+      runHook postBuild
+    '';
+    installPhase =
+    ''
+      runHook preInstall
+      mkdir -p $out
+      mv * .* $out
+      mkdir -p $out/bin
+      cp ${startScript} $out/bin/misskey
+      mkdir -p $out/files
+      runHook postInstall
+    '';
+    passthru =
+    {
+      inherit originalPnpmPackage startScript re2;
+    };
+  }

local/pkgs/mk-meili-mgn/default.nix

@@ -0,0 +1,16 @@
+{ lib, fetchFromGitHub, rustPlatform, pkg-config, openssl }:
+rustPlatform.buildRustPackage rec
+{
+  pname = "mk-meili-mgn";
+  version = "20230827";
+  src = fetchFromGitHub
+  {
+    owner = "CHN-beta";
+    repo = "mk-meili-mgn";
+    rev = "53e282c992293ec735c9bc964f097b5bdbc3e48a";
+    hash = "sha256-KBSoEGfWKDXZHSzSzak1v0nxtQQGI15DQTyNAPhsIB4=";
+  };
+  cargoHash = "sha256-wNdMPPl2H2iSrNYjoij0Qg/c2S5RjTHpOMV1RfHU27g=";
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ openssl ];
+}

local/pkgs/nameof/default.nix

@@ -0,0 +1,20 @@
+{ lib, stdenv, fetchFromGitHub }: stdenv.mkDerivation rec
+{
+  pname = "nameof";
+  version = "0.10.3";
+  src = fetchFromGitHub
+  {
+    owner = "Neargye";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "eHG0Y/BQGbwTrBHjq9SeSiIXaVqWp7PxIq7vCIECYPk=";
+  };
+  phases = [ "installPhase" ];
+  installPhase =
+  ''
+    runHook preInstall
+    mkdir -p $out
+    cp -r $src/include $out
+    runHook postInstall
+  '';
+}

local/pkgs/nodesoup/default.nix

@@ -0,0 +1,13 @@
+{ stdenv, fetchFromGitHub, cmake, pkg-config, cairo, pcre2, xorg }: stdenv.mkDerivation rec
+{
+  name = "nodesoup";
+  src = fetchFromGitHub
+  {
+    owner = "olvb";
+    repo = "nodesoup";
+    rev = "3158ad082bb0cd1abee75418b12b35522dbca74f";
+    sha256 = "tFLq6QC3U3uvcuWsdRy2wnwcmAfH2MkI2oMcAiUBHSo=";
+  };
+  buildInputs = [ cairo pcre2.dev xorg.libXdmcp.dev ];
+  nativeBuildInputs = [ cmake pkg-config ];
+}

local/pkgs/phonon-unfolding/default.nix

@@ -0,0 +1,28 @@
+{
+  stdenv, fetchFromGitHub, gfortran, blas
+}:
+stdenv.mkDerivation
+{
+  pname = "phonon-unfolding";
+  version = "0";
+  src = fetchFromGitHub
+  {
+    owner = "CHN-beta";
+    repo = "phonon_unfolding";
+    rev = "ec363ef2bad0ee18a0839a1681ea9915c0b72e1d";
+    hash = "sha256-zDTbtYk5OXf//6eS4gEF7IvrpWcRAz18ue48IDZnfSk=";
+  };
+  buildInputs = [ blas ];
+  nativeBuildInputs = [ gfortran ];
+  buildPhase =
+  ''
+    gfortran PhononUnfoldingModule.f90 -o PhononUnfoldingModule.mod -c
+    gfortran PhononUnfolding.f90 -c -o PhononUnfolding.mod
+    gfortran PhononUnfolding.mod PhononUnfoldingModule.mod -o PhononUnfolding -lblas
+  '';
+  installPhase =
+  ''
+    mkdir -p $out/bin
+    cp PhononUnfolding $out/bin
+  '';
+}

local/pkgs/pslist/default.nix

@@ -0,0 +1,27 @@
+# http://launchpadlibrarian.net/632309499/pslist_1.4.0-4_all.deb
+# https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/pslist/1.4.0-4/pslist_1.4.0.orig.tar.xz
+{ lib, stdenv, fetchzip, perl, procps }: stdenv.mkDerivation
+{
+  pname = "pslist";
+  version = "1.4.0";
+  src = fetchzip
+  {
+    url = "https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/pslist/1.4.0-4/pslist_1.4.0.orig.tar.xz";
+    sha256 = "1sp1h7ccniz658ms331npffpa9iz8llig43d9mlysll420nb3xqv";
+  };
+  buildInstall = [ perl procps ];
+  installPhase =
+  ''
+    mkdir -p $out/bin
+    cp $src/pslist $out/bin
+    ln -s pslist $out/bin/rkill
+    ln -s pslist $out/bin/rrenice
+    mkdir -p $out/share/man/man1
+    cp $src/pslist.1 $out/share/man/man1
+    ln -s pslist.1 $out/share/man/man1/rkill.1
+    ln -s pslist.1 $out/share/man/man1/rrenice.1
+
+    sed -i 's|/usr/bin/perl|${perl}/bin/perl|' $out/bin/pslist
+    sed -i 's|/bin/ps|${procps}/bin/ps|' $out/bin/pslist
+  '';
+}

local/pkgs/rsshub/default.nix

@@ -0,0 +1,57 @@
+{
+  lib, stdenv, mkPnpmPackage, fetchFromGitHub, nodejs, writeShellScript,
+  chromium, bash
+}:
+let
+  name = "rsshub";
+  src = fetchFromGitHub
+  {
+    owner = "DIYgod";
+    repo = "RSSHub";
+    rev = "67d4a7ed3f877a8ceac6caebe874c4ce5c210bd8";
+    sha256 = "baJQWGrr1RdZoI2uAGp2uJO9epbjAUjks76knJSwVdE=";
+  };
+  originalPnpmPackage = mkPnpmPackage { inherit name src nodejs; };
+  nodeModules = originalPnpmPackage.nodeModules.overrideAttrs { PUPPETEER_SKIP_DOWNLOAD = true; };
+  rsshub-unwrapped = stdenv.mkDerivation
+  {
+    inherit src;
+    name = "${name}-unwrapped";
+    configurePhase = 
+    ''
+      export HOME=$NIX_BUILD_TOP # Some packages need a writable HOME
+      export npm_config_nodedir=${nodejs}
+
+      runHook preConfigure
+
+      ln -s ${nodeModules}/. node_modules
+
+      runHook postConfigure
+    '';
+    installPhase =
+    ''
+      runHook preInstall
+      mkdir -p $out
+      mv * .* $out
+      runHook postInstall
+    '';
+  };
+  startScript = writeShellScript "rsshub"
+  ''
+    cd ${rsshub-unwrapped}
+    export PATH=${lib.makeBinPath [ bash nodejs nodejs.pkgs.pnpm chromium ]}:$PATH
+    export CHROMIUM_EXECUTABLE_PATH=chromium
+    pnpm start
+  '';
+in stdenv.mkDerivation
+{
+  inherit name;
+  phases = [ "installPhase" ];
+  installPhase =
+  ''
+    runHook preInstall
+    mkdir -p $out/bin
+    cp ${startScript} $out/bin/rsshub
+    runHook postInstall
+  '';
+}

local/pkgs/send/default.nix

@@ -0,0 +1,15 @@
+{ buildNpmPackage, fetchFromGitHub, nodejs-16_x }:
+buildNpmPackage.override { nodejs = nodejs-16_x; }
+{
+  pname = "send";
+  version = "3.4.23";
+  src = fetchFromGitHub
+  {
+    owner = "timvisee";
+    repo = "send";
+    rev = "6ad2885a168148fb996d3983457bc39527c7c8e5";
+    hash = "sha256-/w9KhktDVSAmp6EVIRHFM63mppsIzYSm5F7CQQd/2+E=";
+  };
+  npmDepsHash = "sha256-r1iaurKuhpP0sevB5pFdtv9j1ikM1fKL7Jgakh4FzTI=";
+  makeCacheWritable = true;
+}

local/pkgs/spectral/default.nix

@@ -0,0 +1,15 @@
+{
+  lib, fetchPypi, buildPythonPackage,
+  numpy, pillow, wxPython_4_2, matplotlib, ipython, pyopengl
+}: buildPythonPackage rec
+{
+  pname = "spectral";
+  version = "0.23.1";
+  src = fetchPypi
+  {
+    inherit pname version;
+    sha256 = "sha256-4YIic1Je81g7J6lmIm1Vr+CefSmnI2z82LwN+x+Wj8I=";
+  };
+  doCheck = false;
+  propagatedBuildInputs = [ numpy pillow wxPython_4_2 matplotlib ipython pyopengl ];
+}

local/pkgs/tgbot-cpp/default.nix

@@ -0,0 +1,15 @@
+{ stdenv, fetchFromGitHub, cmake, pkg-config, boost, openssl, zlib, curl }: stdenv.mkDerivation rec
+{
+  pname = "tgbot-cpp";
+  version = "1.7.2";
+  src = fetchFromGitHub
+  {
+    owner = "reo7sp";
+    repo = "tgbot-cpp";
+    rev = "v${version}";
+    sha256 = "TKirSxEUqFB1WtzNEfU4EJK3p7V5xcFIvA2+QVX7TlA=";
+  };
+  nativeBuildInputs = [ cmake pkg-config ];
+  buildInputs = [ boost openssl zlib curl.dev ];
+  propagatedBuildInputs = buildInputs;
+}

local/pkgs/typora/default.nix

@@ -0,0 +1,42 @@
+{ lib, stdenv, steam-run, fetchurl, writeShellScript }:
+let
+  typora-dist = stdenv.mkDerivation rec
+  {
+    pname = "typora-dist";
+    version = "1.6.6";
+    src = fetchurl
+    {
+      url = "https://download.typora.io/linux/typora_${version}_amd64.deb";
+      sha256 = "sha256-77mCgmsROLhfuOmOOyl2C5Ug2NfqEvcD+kMA3aiAQtA=";
+    };
+
+    dontFixup = true;
+
+    unpackPhase =
+    ''
+      ar x ${src}
+      tar xf data.tar.xz
+    '';
+    installPhase =
+    ''
+      mkdir -p $out
+      mv usr/share $out
+    '';
+  };
+in stdenv.mkDerivation rec
+{
+  pname = "typora";
+  inherit (typora-dist) version;
+  BuildInputs = [ typora-dist steam-run ];
+  startScript = writeShellScript "typora" "${steam-run}/bin/steam-run ${typora-dist}/share/typora/Typora $@";
+  phases = [ "installPhase" ];
+  installPhase =
+  ''
+    mkdir -p $out/bin $out/share/applications
+    ln -s ${startScript} $out/bin/typora
+    cp ${typora-dist}/share/applications/typora.desktop $out/share/applications
+    sed -i "s|Exec=.*|Exec=${startScript} %U|g" $out/share/applications/typora.desktop
+    sed -i "s|Icon=.*|Icon=${typora-dist}/share/icons/hicolor/256x256/apps/typora.png|g" \
+      $out/share/applications/typora.desktop
+  '';
+}

local/pkgs/upho/default.nix

@@ -0,0 +1,14 @@
+{ lib, fetchFromGitHub, buildPythonPackage, numpy, h5py, phonopy }: buildPythonPackage rec
+{
+  pname = "upho";
+  version = "0.6.6";
+  src = fetchFromGitHub
+  {
+    owner = "CHN-beta";
+    repo = "upho";
+    rev = "0f27ac6918e8972c70692816438e4ac37ec6b348";
+    sha256 = "sha256-NvoV+AUH9MmGT4ohrLAAvpLs8APP2DOKYlZVliHrVRM=";
+  };
+  doCheck = false;
+  propagatedBuildInputs = [ numpy h5py phonopy ];
+}

local/pkgs/v_sim/default.nix

@@ -0,0 +1,28 @@
+{
+  stdenv, lib, fetchFromGitLab,
+  wrapGAppsHook, autoreconfHook, autoconf, libtool, intltool, gettext, automake, gtk-doc, pkg-config, gfortran, libxslt,
+  glib, gtk3, epoxy, libyaml
+}:
+stdenv.mkDerivation
+{
+  pname = "v_sim";
+  version = "3.8.0_p20230824";
+  src = fetchFromGitLab
+  {
+    owner = "l_sim";
+    repo = "v_sim";
+    rev = "8abc67b56795c19a8e2357d442b556c71d2441cb";
+    sha256 = "KQNd3BGvkZVsfIPVLEEMBptiFQYeCbWGR28ds2Y+w2Y=";
+  };
+  buildInputs = [ glib gtk3 epoxy libyaml ];
+  nativeBuildInputs =
+  [
+    autoreconfHook wrapGAppsHook autoconf libtool intltool gettext automake pkg-config
+    gtk-doc gfortran libxslt.bin
+  ];
+  enableParallelBuilding = true;
+  postPatch =
+  ''
+    ./autogen.sh
+  '';
+}

local/pkgs/vasp/default.nix

@@ -0,0 +1,77 @@
+# {
+#   stdenv, requireFile, config, rsync, intel-mpi, ifort,
+#   mkl
+# }:
+# stdenv.mkDerivation rec
+# {
+#   pname = "vasp";
+#   version = "6.4.0";
+#   # nix-store --query --hash $(nix store add-path ./vasp-6.4.0)
+#   src = requireFile
+#   {
+#     name = "${pname}-${version}";
+#     sha256 = "189i1l5q33ynmps93p2mwqf5fx7p4l50sls1krqlv8ls14s3m71f";
+#     hashMode = "recursive";
+#     message = "Source file not found.";
+#   };
+#   VASP_TARGET_CPU = if config ? oneapiArch then "-x${config.oneapiArch}" else "";
+#   MKLROOT = mkl;
+#   makeFlags = "DEPS=1";
+#   enableParallelBuilding = true;
+#   buildInputs = [ mkl intel-mpi ifort ];
+#   nativeBuildInputs = [ rsync ];
+#   configurePhase =
+#   ''
+#     cp arch/makefile.include.intel makefile.include
+#     echo "CPP_OPTIONS += -Duse_shmem -Dshmem_bcast_buffer -Dshmem_rproj" >> makefile.include
+#     echo "OBJECTS_LIB += getshmem.o" >> makefile.include
+#     mkdir -p bin
+#   '';
+#   installPhase =
+#   ''
+#     mkdir -p $out/bin
+#     for i in std gam ncl; do
+#       cp bin/vasp_$i $out/bin/vasp-cpu-${version}-$i
+#     done
+#   '';
+#   doStrip = false;
+#   doFixup = false;
+# }
+{
+  stdenvNoCC, requireFile, rsync, blas, scalapack, openmpi, openmp, gfortran, gcc, fftwMpi
+}:
+stdenvNoCC.mkDerivation rec
+{
+  pname = "vasp";
+  version = "6.4.0";
+  # nix-store --query --hash $(nix store add-path ./vasp-6.4.0)
+  src = requireFile
+  {
+    name = "${pname}-${version}";
+    sha256 = "189i1l5q33ynmps93p2mwqf5fx7p4l50sls1krqlv8ls14s3m71f";
+    hashMode = "recursive";
+    message = "Source file not found.";
+  };
+  # VASP_TARGET_CPU = if config ? oneapiArch then "-x${config.oneapiArch}" else "";
+  # MKLROOT = mkl;
+  makeFlags = "DEPS=1";
+  enableParallelBuilding = true;
+  buildInputs = [ blas scalapack openmpi openmp gfortran gfortran.cc gcc fftwMpi.dev fftwMpi ];
+  nativeBuildInputs = [ rsync ];
+  FFTW_ROOT = fftwMpi.dev;
+  configurePhase =
+  ''
+    cp ${./makefile.include/${version}-gnu} makefile.include
+    chmod +w makefile.include
+    echo "CPP_OPTIONS += -Duse_shmem -Dshmem_bcast_buffer -Dshmem_rproj" >> makefile.include
+    echo "OBJECTS_LIB += getshmem.o" >> makefile.include
+    mkdir -p bin
+  '';
+  installPhase =
+  ''
+    mkdir -p $out/bin
+    for i in std gam ncl; do
+      cp bin/vasp_$i $out/bin/vasp-gnu-${version}-$i
+    done
+  '';
+}

local/pkgs/vasp/makefile.include/6.4.0-gnu

@@ -0,0 +1,94 @@
+# Default precompiler options
+CPP_OPTIONS = -DHOST=\"LinuxGNU\" \
+              -DMPI -DMPI_BLOCK=8000 -Duse_collective \
+              -DscaLAPACK \
+              -DCACHE_SIZE=4000 \
+              -Davoidalloc \
+              -Dvasp6 \
+              -Duse_bse_te \
+              -Dtbdyn \
+              -Dfock_dblbuf \
+              -D_OPENMP
+
+CPP         = gcc -E -C -w $*$(FUFFIX) >$*$(SUFFIX) $(CPP_OPTIONS)
+
+FC          = mpif90 -fopenmp
+FCL         = mpif90 -fopenmp
+
+FREE        = -ffree-form -ffree-line-length-none
+
+FFLAGS      = -w -ffpe-summary=none
+
+OFLAG       = -O3
+OFLAG_IN    = $(OFLAG)
+DEBUG       = -O0
+
+OBJECTS     = fftmpiw.o fftmpi_map.o fftw3d.o fft3dlib.o
+OBJECTS_O1 += fftw3d.o fftmpi.o fftmpiw.o
+OBJECTS_O2 += fft3dlib.o
+
+# For what used to be vasp.5.lib
+CPP_LIB     = $(CPP)
+FC_LIB      = $(FC)
+CC_LIB      = gcc
+CFLAGS_LIB  = -O
+FFLAGS_LIB  = -O1
+FREE_LIB    = $(FREE)
+
+OBJECTS_LIB = linpack_double.o
+
+# For the parser library
+CXX_PARS    = g++
+LLIBS       = -lstdc++
+
+##
+## Customize as of this point! Of course you may change the preceding
+## part of this file as well if you like, but it should rarely be
+## necessary ...
+##
+
+# When compiling on the target machine itself, change this to the
+# relevant target when cross-compiling for another architecture
+# VASP_TARGET_CPU ?= -march=native
+# FFLAGS     += $(VASP_TARGET_CPU)
+
+# For gcc-10 and higher (comment out for older versions)
+FFLAGS     += -fallow-argument-mismatch
+
+# BLAS and LAPACK (mandatory)
+# OPENBLAS_ROOT ?= /path/to/your/openblas/installation
+# BLASPACK    = -L$(OPENBLAS_ROOT)/lib -lopenblas
+BLASPACK    = -lblas
+
+# scaLAPACK (mandatory)
+# SCALAPACK_ROOT ?= /path/to/your/scalapack/installation
+# SCALAPACK   = -L$(SCALAPACK_ROOT)/lib -lscalapack
+SCALAPACK = -lscalapack
+
+LLIBS      += $(SCALAPACK) $(BLASPACK)
+
+# FFTW (mandatory)
+# FFTW_ROOT  ?= /path/to/your/fftw/installation
+# LLIBS      += -L$(FFTW_ROOT)/lib -lfftw3 -lfftw3_omp
+LLIBS      += -lfftw3 -lfftw3_omp
+INCS       += -I$(FFTW_ROOT)/include
+
+# HDF5-support (optional but strongly recommended)
+#CPP_OPTIONS+= -DVASP_HDF5
+#HDF5_ROOT  ?= /path/to/your/hdf5/installation
+#LLIBS      += -L$(HDF5_ROOT)/lib -lhdf5_fortran
+#INCS       += -I$(HDF5_ROOT)/include
+
+# For the VASP-2-Wannier90 interface (optional)
+#CPP_OPTIONS    += -DVASP2WANNIER90
+#WANNIER90_ROOT ?= /path/to/your/wannier90/installation
+#LLIBS          += -L$(WANNIER90_ROOT)/lib -lwannier
+
+# For the fftlib library (recommended)
+CPP_OPTIONS+= -Dsysv
+FCL        += fftlib.o
+CXX_FFTLIB  = g++ -fopenmp -std=c++11 -DFFTLIB_THREADSAFE
+# INCS_FFTLIB = -I./include -I$(FFTW_ROOT)/include
+INCS_FFTLIB = -I./include
+LIBS       += fftlib
+LLIBS      += -ldl

local/pkgs/vaspkit/default.nix

@@ -0,0 +1,64 @@
+{ stdenv, fetchurl, requireFile, autoPatchelfHook, makeWrapper, python3, attrsToList, gnused }:
+let
+  potcar = requireFile
+  {
+    name = "POTCAR";
+    sha256 = "01adpp9amf27dd39m8svip3n6ax822vsyhdi6jn5agj13lis0ln3";
+    hashMode = "recursive";
+    message = "POTCAR not found.";
+  };
+  unwrapped = stdenv.mkDerivation
+  {
+    pname = "vaspkit-unwrapped";
+    version = "1.4.1";
+    buildInputs = [ autoPatchelfHook stdenv.cc.cc ];
+    src = fetchurl
+    {
+      url = "mirror://sourceforge/vaspkit/Binaries/vaspkit.1.4.1.linux.x64.tar.gz";
+      sha256 = "0i5m7nbvqk7hzxisyydjvs2l8lnvj9vsxa170783kv9zmp51lnvs";
+    };
+    installPhase =
+    ''
+      runHook preInstall
+      mkdir -p $out
+      cp -r * $out
+      runHook postInstall
+    '';
+  };
+  python = python3.withPackages (pythonPackages: with pythonPackages; [ numpy scipy matplotlib ]);
+  envirmentVariables =
+  {
+    LDA_PATH = "${potcar}/PAW_LDA";
+    PBE_PATH = "${potcar}/PAW_PBE";
+    GGA_PATH = "${potcar}/PAW_PW91";
+    VASPKIT_UTILITIES_PATH = "${unwrapped}/utilities";
+    PYTHON_BIN = "${python}/bin/python";
+    AUTO_PLOT = ".TRUE.";
+  };
+in
+  stdenv.mkDerivation rec
+  {
+    pname = "vaspkit";
+    inherit (unwrapped) version;
+    phases = [ "installPhase" ];
+    buildInputs = [ makeWrapper ];
+    nativeBuildInputs = [ gnused ];
+    replaceEnv = builtins.concatStringsSep "" (map
+      (variable: ''sed 's|\(${variable.name}\s*=\s*\)\(\S\+\)|\1${variable.value}|g' -i $out/.vaspkit'' + "\n")
+      (attrsToList envirmentVariables));
+    installPhase =
+    ''
+      runHook preInstall
+
+      # setup ~/.vaspkit
+      mkdir -p $out
+      cp ${unwrapped}/how_to_set_environment_variables $out/.vaspkit
+
+      # setup wrapper
+      makeWrapper ${unwrapped}/bin/vaspkit $out/bin/vaspkit --set HOME $out;
+    ''
+    + replaceEnv
+    + ''
+      runHook postInstall
+    '';
+  }

local/pkgs/vesta/default.nix

@@ -0,0 +1,42 @@
+{
+  lib, stdenv, fetchurl, autoPatchelfHook, wrapGAppsHook, makeWrapper,
+  glib, gtk2, xorg, libGLU, gtk3, writeShellScript, gsettings-desktop-schemas, xdg-utils
+}:
+
+stdenv.mkDerivation rec
+{
+  pname = "vesta";
+  version = "3.5.5";
+  src = fetchurl
+  {
+    url = "https://jp-minerals.org/vesta/archives/${version}/VESTA-gtk3.tar.bz2";
+    sha256 = "sRzQNJA7+hsjLWmykqe6bH0p1/aGEB8hCuxCyPzxYHs=";
+  };
+  desktopFile = fetchurl
+  {
+    url = "https://aur.archlinux.org/cgit/aur.git/plain/VESTA.desktop?h=vesta&id=4fae08afc37ee0fd88d14328cf0d6b308fea04d1";
+    sha256 = "Tq4AzQgde2KIWKA1k6JlxvdphGG9JluHMZjVw0fBUeQ=";
+  };
+
+  nativeBuildInputs = [ autoPatchelfHook wrapGAppsHook makeWrapper ];
+  buildInputs = [ glib gtk2 xorg.libXxf86vm libGLU gtk3 xorg.libXtst ];
+
+  unpackPhase = "tar -xf ${src}";
+
+  installPhase =
+  ''
+    echo $out
+    mkdir -p $out/share/applications
+    cp ${desktopFile} $out/share/applications/vesta.desktop
+    sed -i "s|Exec=.*|Exec=$out/bin/vesta|" $out/share/applications/vesta.desktop
+    sed -i "s|Icon=.*|Icon=$out/opt/VESTA-gtk3/img/logo.png|" $out/share/applications/vesta.desktop
+
+    mkdir -p $out/opt
+    cp -r VESTA-gtk3 $out/opt/VESTA-gtk3
+
+    mkdir -p $out/bin
+    makeWrapper $out/opt/VESTA-gtk3/VESTA $out/bin/vesta
+
+    patchelf --remove-needed libjawt.so $out/opt/VESTA-gtk3/PowderPlot/libswt-awt-gtk-3346.so
+  '';
+}

local/pkgs/yoga-support/default.nix

@@ -0,0 +1,24 @@
+{ lib, stdenv, fetchFromGitHub, python3 }:
+let
+  python = python3.withPackages (ps: with ps; [ evdev pyudev ]);
+in stdenv.mkDerivation
+{
+  name = "yogabook-support";
+  src = fetchFromGitHub
+  {
+    owner = "jekhor";
+    repo = "yogabook-support";
+    rev = "8ecf7861e469ba4094115fff0e81d537135e3f22";
+    sha256 = "4UtiQooCaeUDHc9YE9EQRJ2MNKvOqqCv85k0YyI2BO4=";
+  };
+  buildInputs = [ python ];
+  installPhase =
+  ''
+    mkdir -p $out/bin
+    cp pen-key-handler yogabook-modes-handler $out/bin
+    mkdir -p $out/lib/udev/rules.d
+    cp 61-sensor-yogabook.rules $out/lib/udev/rules.d
+    mkdir -p $out/lib/udev/hwdb.d
+    cp 61-sensor-yogabook.hwdb $out/lib/udev/hwdb.d
+  '';
+}

local/pkgs/zpp-bits/default.nix

@@ -0,0 +1,18 @@
+{ stdenv, fetchFromGitHub }: stdenv.mkDerivation rec
+{
+  pname = "zpp-bits";
+  version = "4.4.19";
+  src = fetchFromGitHub
+  {
+    owner = "eyalz800";
+    repo = "zpp_bits";
+    rev = "v${version}";
+    sha256 = "ejIwrvCFALuBQbQhTfzjBb11oMR/akKnboB60GWbjlQ=";
+  };
+  phases = [ "installPhase" ];
+  installPhase =
+  ''
+    mkdir -p $out/include
+    cp $src/zpp_bits.h $out/include
+  '';
+}

modules/basic.nix

@@ -1,30 +0,0 @@
-{ hostName }: { pkgs, ... }@inputs:
-{
-	config =
-	{
-		nixpkgs.hostPlatform = "x86_64-linux";
-		nix =
-		{
-			settings =
-			{
-				experimental-features = [ "nix-command" "flakes" ];
-				keep-outputs = true;
-				system-features = [ "big-parallel" ];
-				keep-failed = true;
-			};
-			daemonIOSchedClass = "idle";
-			daemonCPUSchedPolicy = "idle";
-		};
-		networking.hostName = hostName;
-		time.timeZone = "Asia/Shanghai";
-		system.stateVersion = "22.11";
-		nixpkgs.config.allowUnfree = true;
-		systemd =
-		{
-			extraConfig = "DefaultTimeoutStopSec=10s";
-			user.extraConfig = "DefaultTimeoutStopSec=10s";
-			services.nix-daemon.serviceConfig = { Slice = "-.slice"; Nice = "19"; };
-		};
-		programs.nix-ld.enable = true;
-	};
-}

modules/boot/basic.nix

@@ -1,17 +0,0 @@
-{ efi, timeout ? 5 }: { pkgs, ... }@inputs:
-{
-	config =
-	{
-		boot =
-		{
-			loader =
-			{
-				timeout = timeout;
-				systemd-boot.enable = true;
-				efi.canTouchEfiVariables = efi;
-			};
-			initrd.systemd.enable = true;
-		};
-		hardware.enableAllFirmware = true;
-	};
-}

modules/boot/chn-PC.nix

@@ -1,33 +0,0 @@
-{ pkgs, ... }@inputs:
-{
-	config =
-	{
-		boot =
-		{
-			# kernelPackages = ( inputs.inputs.nixpkgs.lib.nixosSystem
-			# {
-			# 	system = "x86_64-linux";
-			# 	modules =
-			# 	[{
-			# 		nixpkgs =
-			# 		{
-			# 			hostPlatform = { system = "x86_64-linux"; gcc = { arch = "alderlake"; tune = "alderlake"; }; };
-			# 			config.allowUnfree = true;
-			# 		};
-			# 	}];
-			# } ).pkgs.linuxPackages_zen;
-			# kernelPackages = inputs.pkgs.linuxPackages_zen;
-			kernelPackages = inputs.pkgs.linuxPackages_xanmod_latest;
-			initrd.availableKernelModules =
-			[
-				"ahci" "i915" "intel_cstate" "nvidia" "nvidia_drm" "nvidia_modeset" "nvidia_uvm" "nvme" "sr_mod"
-				"usb_storage" "virtio_blk" "virtio_pci" "xhci_pci"
-			];
-			kernelModules = [ "kvm-intel" ];
-			extraModprobeConfig = "options kvm_intel nested=1";
-			kernelParams = [ "delayacct" "acpi_osi=Linux" "resume_offset=19145984" ];
-			resumeDevice = "/dev/mapper/root";
-		};
-		hardware.cpu.intel.updateMicrocode = true;
-	};
-}

modules/boot/chn-nixos-test.nix

@@ -1,11 +0,0 @@
-{ pkgs, ... }@inputs:
-{
-	config =
-	{
-		boot =
-		{
-			kernelPackages = inputs.pkgs.linuxPackages_xanmod_latest;
-			initrd.availableKernelModules = [ "ahci" "sr_mod" "usb_storage" "virtio_blk" "virtio_pci" "xhci_pci" ];
-		};
-	};
-}

modules/bugs/default.nix

@@ -0,0 +1,88 @@
+inputs:
+  let
+    inherit (inputs.localLib) stripeTabs;
+    inherit (builtins) map attrNames;
+    inherit (inputs.lib) mkMerge mkIf mkOption types;
+    bugs =
+    {
+      # intel i915 hdmi
+      intel-hdmi.boot.kernelPatches = [{ name = "intel-hdmi"; patch = ./intel-hdmi.patch; }];
+      # suspend & hibernate do not use platform
+      suspend-hibernate-no-platform.systemd.sleep.extraConfig =
+      ''
+        SuspendState=freeze
+        HibernateMode=shutdown
+      '';
+      # reload iwlwifi after resume from hibernate
+      hibernate-iwlwifi.systemd.services.reload-iwlwifi-after-hibernate =
+      {
+        description = "reload iwlwifi after resume from hibernate";
+        after = [ "systemd-hibernate.service" ];
+        serviceConfig.Type = "oneshot";
+        script = let modprobe = "${inputs.pkgs.kmod}/bin/modprobe"; in
+        ''
+          ${modprobe} -r iwlwifi
+          ${modprobe} iwlwifi
+          echo 0 > /sys/devices/system/cpu/intel_pstate/no_turbo
+        '';
+        wantedBy = [ "systemd-hibernate.service" ];
+      };
+      # disable wakeup on lid open
+      suspend-lid-no-wakeup.systemd.services.lid-no-wakeup =
+      {
+        description = "lid no wake up";
+        serviceConfig.Type = "oneshot";
+        script =
+          let
+            cat = "${inputs.pkgs.coreutils}/bin/cat";
+            grep = "${inputs.pkgs.gnugrep}/bin/grep";
+          in
+          ''
+            if ${cat} /proc/acpi/wakeup | ${grep} LID0 | ${grep} -q enabled
+            then
+              echo LID0 > /proc/acpi/wakeup
+            fi
+          '';
+        wantedBy = [ "multi-user.target" ];
+      };
+      # xmunet use old encryption
+      xmunet.nixpkgs.config.packageOverrides = pkgs: { wpa_supplicant = pkgs.wpa_supplicant.overrideAttrs
+        (attrs: { patches = attrs.patches ++ [ ./xmunet.patch ];}); };
+      suspend-hibernate-waydroid.systemd.services =
+        let
+          systemctl = "${inputs.pkgs.systemd}/bin/systemctl";
+        in
+        {
+          "waydroid-hibernate" =
+          {
+            description = "waydroid hibernate";
+            wantedBy = [ "systemd-hibernate.service" "systemd-suspend.service" ];
+            before = [ "systemd-hibernate.service" "systemd-suspend.service" ];
+            serviceConfig.Type = "oneshot";
+            script = "${systemctl} stop waydroid-container";
+          };
+          "waydroid-resume" =
+          {
+            description = "waydroid resume";
+            wantedBy = [ "systemd-hibernate.service" "systemd-suspend.service" ];
+            after = [ "systemd-hibernate.service" "systemd-suspend.service" ];
+            serviceConfig.Type = "oneshot";
+            script = "${systemctl} start waydroid-container";
+          };
+        };
+      firefox.programs.firefox.enable = inputs.lib.mkForce false;
+      embree.nixpkgs.overlays =
+        [(final: prev: { embree = prev.embree.override { stdenv = final.genericPackages.stdenv; }; })];
+      nvme.boot.kernelParams = [ "nvme_core.default_ps_max_latency_us=0" "iommu=soft" "pcie_aspm=off" ];
+      firmware-unstable.nixpkgs.overlays =
+        [ (final: prev: { linux-firmware = final.unstablePackages.linux-firmware; }) ];
+    };
+  in
+    {
+      options.nixos.bugs = mkOption
+      {
+        type = types.listOf (types.enum (attrNames bugs));
+        default = [];
+      };
+      config = mkMerge (map (bug: mkIf (builtins.elem bug inputs.config.nixos.bugs) bugs.${bug}) (attrNames bugs));
+    }

modules/bugs/intel-hdmi.patch

@@ -0,0 +1,14 @@
+diff --git a/drivers/gpu/drm/i915/display/intel_bios.c b/drivers/gpu/drm/i915/display/intel_bios.c
+index 55544d484318..d6f257f8fd14 100644
+--- a/drivers/gpu/drm/i915/display/intel_bios.c
++++ b/drivers/gpu/drm/i915/display/intel_bios.c
+@@ -2708,7 +2708,7 @@ static void parse_ddi_port(struct intel_bios_encoder_data *devdata)
+ 	if (i915->display.vbt.ports[port]) {
+ 		drm_dbg_kms(&i915->drm,
+ 			    "More than one child device for port %c in VBT, using the first.\n",
+ 			    port_name(port));
+-		return;
++		// return;
+ 	}
+ 
+ 	sanitize_device_type(devdata, port);

modules/bugs/xmunet.patch

@@ -5,7 +5,7 @@
  	SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv2);
  	SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv3);
 -
-+        SSL_CTX_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT);
++	SSL_CTX_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT);
  	SSL_CTX_set_mode(ssl, SSL_MODE_AUTO_RETRY);
  
  #ifdef SSL_MODE_NO_AUTO_CHAIN

modules/default.nix

@@ -0,0 +1,36 @@
+inputs:
+  let
+    inherit (inputs) topInputs;
+    inherit (inputs.localLib) mkModules;
+  in
+  {
+    imports = mkModules
+    [
+      topInputs.home-manager.nixosModules.home-manager
+      topInputs.sops-nix.nixosModules.sops
+      topInputs.aagl.nixosModules.default
+      topInputs.nix-index-database.nixosModules.nix-index
+      topInputs.nur.nixosModules.nur
+      topInputs.nur-xddxdd.nixosModules.setupOverlay
+      topInputs.impermanence.nixosModules.impermanence
+      (inputs: { config.nixpkgs.overlays =
+      [
+        topInputs.qchem.overlays.default
+        topInputs.nixd.overlays.default
+        topInputs.nix-alien.overlays.default
+        topInputs.napalm.overlays.default
+        topInputs.pnpm2nix-nzbr.overlays.default
+        topInputs.lmix.overlays.default
+        (final: prev: topInputs.aagl.overlays.default {} final.unstablePackages)
+        (import "${topInputs.dguibert-nur-packages}/overlays/nvhpc-overlay")
+        (final: prev:
+        {
+          touchix = topInputs.touchix.packages."${prev.system}";
+          nix-vscode-extensions = topInputs.nix-vscode-extensions.extensions."${prev.system}";
+          nur-xddxdd = topInputs.nur-xddxdd.overlays.default final prev;
+          deploy-rs = { inherit (prev) deploy-rs; inherit ((topInputs.deploy-rs.overlay final prev).deploy-rs) lib; };
+        })
+      ];})
+      ./hardware ./packages ./system ./virtualization ./services ./bugs ./users
+    ];
+  }

modules/filesystem/chn-PC.nix

@@ -1,31 +0,0 @@
-{
-	config =
-	{
-		fileSystems =
-		{
-			"/" =
-			{
-				device = "/dev/mapper/root";
-				fsType = "btrfs";
-				options = [ "subvol=@root,compress-force=zstd:3" ];
-			};
-			"/swap" = {
-				device = "/dev/mapper/root";
-				fsType = "btrfs";
-				options = [ "subvol=@swap" ];
-			};
-			"/boot" =
-			{
-				device = "/dev/disk/by-uuid/50DE-B72A";
-				fsType = "vfat";
-			};
-		};
-		swapDevices = [ { device = "/swap/swap"; } ];
-		boot.initrd.luks.devices.root =
-		{
-			device = "/dev/disk/by-partuuid/49fe75e3-bd94-4c75-9b21-2c77a1f74c4e";
-			header = "/dev/disk/by-partuuid/c341ca23-bb14-4927-9b31-a9dcc959d0f5";
-			allowDiscards = true;
-		};
-	};
-}

modules/filesystem/chn-nixos-test.nix

@@ -1,25 +0,0 @@
-{
-	config =
-	{
-		fileSystems =
-		{
-			"/" =
-			{
-				device = "/dev/mapper/root";
-				fsType = "btrfs";
-				options = [ "subvol=@root,compress-force=zstd:3" ];
-			};
-			"/boot" =
-			{
-				device = "/dev/disk/by-uuid/18C6-B1F4";
-				fsType = "vfat";
-			};
-		};
-		boot.initrd.luks.devices.root =
-		{
-			device = "/dev/disk/by-partuuid/4f419ebd-2b49-4959-aa5f-46cfdd0cfc3e";
-			header = "/dev/disk/by-partuuid/b0255c40-fd3c-4c95-9af7-4d64ad2e450f";
-			allowDiscards = true;
-		};
-	};
-}

modules/fonts.nix

@@ -1,16 +0,0 @@
-{ pkgs, ... }@inputs:
-{
-	config.fonts =
-	{
-		fontDir.enable = true;
-		fonts = with inputs.pkgs;
-			[ noto-fonts source-han-sans source-han-serif source-code-pro hack-font jetbrains-mono nerdfonts ];
-		fontconfig.defaultFonts =
-		{
-			emoji = [ "Noto Color Emoji" ];
-			monospace = [ "Noto Sans Mono CJK SC" "Sarasa Mono SC" "DejaVu Sans Mono"];
-			sansSerif = [ "Noto Sans CJK SC" "Source Han Sans SC" "DejaVu Sans" ];
-			serif = [ "Noto Serif CJK SC" "Source Han Serif SC" "DejaVu Serif" ];
-		};
-	};
-}

modules/hardware/bluetooth.nix

@@ -1 +0,0 @@
-{ config.hardware.bluetooth.enable = true; }

modules/hardware/chn-PC.nix

@@ -1 +0,0 @@
-{ config.nix.settings.system-features = [ "gccarch-alderlake" ]; }

modules/hardware/chn-nixos-test.nix

@@ -1 +0,0 @@
-{ config.nix.settings.system-features = [ "gccarch-alderlake" ]; }

modules/hardware/default.nix

@@ -0,0 +1,193 @@
+inputs:
+{
+  options.nixos.hardware = let inherit (inputs.lib) mkOption types; in
+  {
+    bluetooth.enable = mkOption { type = types.bool; default = false; };
+    joystick.enable = mkOption { type = types.bool; default = false; };
+    printer.enable = mkOption { type = types.bool; default = false; };
+    sound.enable = mkOption { type = types.bool; default = false; };
+    cpus = mkOption { type = types.listOf (types.enum [ "intel" "amd" ]); default = []; };
+    gpus = mkOption { type = types.listOf (types.enum [ "intel" "nvidia" ]); default = []; };
+    prime =
+    {
+      enable = mkOption { type = types.bool; default = false; };
+      mode = mkOption { type = types.enum [ "offload" "sync" ]; default = "offload"; };
+      busId = mkOption { type = types.attrsOf types.str; default = {}; };
+    };
+    gamemode.drmDevice = mkOption { type = types.int; default = 0; };
+    halo-keyboard.enable = mkOption { type = types.bool; default = false; };
+  };
+  config =
+    let
+      inherit (inputs.lib) mkMerge mkIf;
+      inherit (inputs.config.nixos) hardware;
+      inherit (builtins) listToAttrs map concatLists;
+      inherit (inputs.localLib) attrsToList;
+    in mkMerge
+    [
+      # bluetooth
+      (mkIf hardware.bluetooth.enable { hardware.bluetooth.enable = true; })
+      # joystick
+      (mkIf hardware.joystick.enable { hardware = { xone.enable = true; xpadneo.enable = true; }; })
+      # printer
+      (
+        mkIf hardware.printer.enable
+        {
+          services =
+          {
+            printing = { enable = true; drivers = [ inputs.pkgs.cnijfilter2 ]; };
+            avahi = { enable = true; nssmdns = true; openFirewall = true; };
+          };
+        }
+      )
+      # sound
+      (
+        mkIf hardware.sound.enable
+        {
+          hardware.pulseaudio.enable = false;
+          services.pipewire = { enable = true; alsa = { enable = true; support32Bit = true; }; pulse.enable = true; };
+          sound.enable = true;
+          security.rtkit.enable = true;
+          environment.etc."wireplumber/main.lua.d/50-alsa-config.lua".text =
+            let
+              content = builtins.readFile
+                (inputs.pkgs.wireplumber + "/share/wireplumber/main.lua.d/50-alsa-config.lua");
+              matched = builtins.match
+                ".*\n([[:space:]]*)(--\\[\"session\\.suspend-timeout-seconds\"][^\n]*)[\n].*" content;
+              spaces = builtins.elemAt matched 0;
+              comment = builtins.elemAt matched 1;
+              config = ''["session.suspend-timeout-seconds"] = 0'';
+            in
+              builtins.replaceStrings [(spaces + comment)] [(spaces + config)] content;
+        }
+      )
+      # cpus
+      (
+        mkIf (hardware.cpus != [])
+        {
+          hardware.cpu = listToAttrs
+            (map (name: { inherit name; value = { updateMicrocode = true; }; }) hardware.cpus);
+          boot.initrd.availableKernelModules =
+            let
+              modules =
+              {
+                intel = [ "intel_cstate" "aesni_intel" ];
+                amd = [];
+              };
+            in
+              concatLists (map (cpu: modules.${cpu}) hardware.cpus);
+        }
+      )
+      # gpus
+      (
+        mkIf (hardware.gpus != [])
+        {
+          boot.initrd.availableKernelModules =
+            let
+              modules =
+              {
+                intel = [ "i915" ];
+                nvidia = [ "nvidia" "nvidia_drm" "nvidia_modeset" "nvidia_uvm" ];
+              };
+            in
+              concatLists (map (gpu: modules.${gpu}) hardware.gpus);
+          hardware =
+          {
+            opengl =
+            {
+              enable = true;
+              driSupport = true;
+              extraPackages =
+                with inputs.pkgs;
+                let
+                  packages =
+                  {
+                    intel = [ intel-compute-runtime intel-media-driver libvdpau-va-gl ]; # intel-vaapi-driver
+                    nvidia = [ vaapiVdpau ];
+                  };
+                in
+                  concatLists (map (gpu: packages.${gpu}) hardware.gpus);
+              driSupport32Bit = true;
+            };
+            nvidia.nvidiaSettings = builtins.elem "nvidia" hardware.gpus;
+          };
+        }
+      )
+      (mkIf (builtins.elem "intel" hardware.gpus) { services.xserver.deviceSection = ''Driver "modesetting"''; })
+      # prime
+      (
+        mkIf hardware.prime.enable
+        {
+          hardware.nvidia = mkMerge
+          [
+            (
+              mkIf (hardware.prime.mode == "offload")
+              {
+                prime.offload = { enable = true; enableOffloadCmd = true; };
+                powerManagement = { finegrained = true; enable = true; };
+              }
+            )
+            (
+              mkIf (hardware.prime.mode == "sync")
+              {
+                prime = { sync.enable = true; };
+                # prime.forceFullCompositionPipeline = true;
+              }
+            )
+            {
+              prime = listToAttrs
+                (map (gpu: { inherit (gpu) value; name = "${gpu.name}BusId"; }) (attrsToList hardware.prime.busId));
+            }
+            
+          ];
+        }
+      )
+      { programs.gamemode.settings.gpu.gpu_device = "${toString hardware.gamemode.drmDevice}"; }
+      # halo-keyboard
+      (mkIf hardware.halo-keyboard.enable
+      (
+        let
+          keyboard = inputs.pkgs.localPackages.chromiumos-touch-keyboard;
+          support = inputs.pkgs.localPackages.yoga-support;
+        in
+        {
+          services.udev.packages = [ keyboard support ];
+          systemd.services =
+          {
+            touch-keyboard-handler.serviceConfig =
+            {
+              Type = "simple";
+              WorkingDirectory = "/etc/touch_keyboard";
+              # ExecStartPre = let sh = "${inputs.pkgs.bash}/bin/sh"; in
+              # [
+              #   ''-${sh} -c "echo 0 > /sys/class/pwm/pwmchip1/export"''
+              #   ''${sh} -c "echo 0 > /sys/class/pwm/pwmchip1/pwm0/enable"''
+              #   ''${sh} -c "echo 1 > /sys/class/pwm/pwmchip1/pwm0/enable"''
+              # ];
+              ExecStart = "${keyboard}/bin/touch_keyboard_handler";
+            };
+            yogabook-modes-handler =
+            {
+              wantedBy = [ "default.target" ];
+              serviceConfig =
+              {
+                Type = "simple";
+                ExecStart = "${support}/bin/yogabook-modes-handler";
+                StandardOutput = "journal";
+              };
+            };
+            monitor-sensor =
+            {
+              wantedBy = [ "default.target" ];
+              serviceConfig =
+              {
+                Type = "simple";
+                ExecStart = "${inputs.pkgs.iio-sensor-proxy}/bin/monitor-sensor --hinge";
+              };
+            };
+          };
+          environment.etc."touch_keyboard".source = "${keyboard}/etc/touch_keyboard";
+        }
+      ))
+    ];
+}

modules/hardware/joystick.nix

@@ -1 +0,0 @@
-{ config.hardware = { xone.enable = true; xpadneo.enable = true; }; }

modules/hardware/nvidia-prime.nix

@@ -1,24 +0,0 @@
-{ intelBusId, nvidiaBusId }: { pkgs, ... }@inputs:
-{
-	config =
-	{
-		services.xserver.videoDrivers = inputs.lib.mkBefore [ "intel" "nvidia" ];
-		hardware.nvidia.prime =
-		{
-			offload.enable = true;
-			intelBusId = intelBusId;
-			nvidiaBusId = nvidiaBusId;
-		};
-		environment.systemPackages =
-		[(
-			inputs.pkgs.writeShellScriptBin "nvidia-offload"
-			''
-				export __NV_PRIME_RENDER_OFFLOAD=1
-				export __NV_PRIME_RENDER_OFFLOAD_PROVIDER=NVIDIA-G0
-				export __GLX_VENDOR_LIBRARY_NAME=nvidia
-				export __VK_LAYER_NV_optimus=NVIDIA_only
-				exec "$@"
-			''
-		)];
-	};
-}

modules/hardware/printer.nix

@@ -1 +0,0 @@
-{ config.services.printing.enable = true; }

modules/hardware/sound.nix

@@ -1,22 +0,0 @@
-{ pkgs, ... }@inputs:
-{
-	config =
-	{
-		sound.enable = true;
-		hardware.pulseaudio.enable = false;
-		security.rtkit.enable = true;
-		services.pipewire =
-		{
-			enable = true;
-			alsa = { enable = true; support32Bit = true; };
-			pulse.enable = true;
-		};
-		systemd.user.services.pipewire.serviceConfig.Nice = -20;
-		systemd.user.services.pipewire-pulse.serviceConfig.Nice = -20;
-		systemd.services.rtkit-daemon.serviceConfig.ExecStart =
-		[
-			""
-			"${inputs.pkgs.rtkit.outPath}/libexec/rtkit-daemon --our-realtime-priority=90 --max-realtime-priority=89 --min-nice-level=-19 --scheduling-policy=RR --rttime-usec-max=2000000 --users-max=100 --processes-per-user-max=1000 --threads-per-user-max=10000 --actions-burst-sec=10 --actions-per-burst-max=1000 --canary-cheep-msec=30000 --canary-watchdog-msec=60000"
-		];
-	};
-}

modules/home/chn.nix

@@ -1,7 +0,0 @@
-{
-	config.home-manager.users.chn = { pkgs, ... }:
-	{
-		home.stateVersion = "22.11";
-		programs.zsh = import ./zsh.nix { inherit pkgs; };
-	};
-}

modules/home/root.nix

@@ -1,12 +0,0 @@
-{
-	config.home-manager =
-	{
-		useGlobalPkgs = true;
-		useUserPackages = true;
-		users.root = { pkgs, ... }:
-		{
-			home.stateVersion = "22.11";
-			programs.zsh = import ./zsh.nix { inherit pkgs; };
-		};
-	};
-}

modules/home/zsh.nix

@@ -1,35 +0,0 @@
-{ pkgs }:
-{
-	enable = true;
-	initExtraBeforeCompInit =
-	''
-		# p10k instant prompt
-		P10K_INSTANT_PROMPT="$XDG_CACHE_HOME/p10k-instant-prompt-''${(%):-%n}.zsh"
-		[[ ! -r "$P10K_INSTANT_PROMPT" ]] || source "$P10K_INSTANT_PROMPT"
-
-		HYPHEN_INSENSITIVE="true"
-	'';
-	plugins =
-	[
-		{
-			file = "powerlevel10k.zsh-theme";
-			name = "powerlevel10k";
-			src = "${pkgs.zsh-powerlevel10k}/share/zsh-powerlevel10k";
-		}
-		{
-			file = "p10k.zsh";
-			name = "powerlevel10k-config";
-			src = ./p10k-config;
-		}
-		{
-			name = "zsh-exa";
-			src = pkgs.fetchFromGitHub
-			{
-				owner = "ptavares";
-				repo = "zsh-exa";
-				rev = "0.2.3";
-				sha256 = "0vn3iv9d3c1a4rigq2xm52x8zjaxlza1pd90bw9mbbkl9iq8766r";
-			};
-		}
-	];
-}

modules/i18n.nix

@@ -1,20 +0,0 @@
-{ fcitx }: { pkgs, ... }@inputs:
-{
-	config.i18n =
-	{
-		defaultLocale = "zh_CN.UTF-8";
-		supportedLocales = ["zh_CN.UTF-8/UTF-8" "en_US.UTF-8/UTF-8" "C.UTF-8/UTF-8"];
-	}
-	//
-	(
-		if fcitx then
-		{
-			inputMethod =
-			{
-				enabled = "fcitx5";
-				fcitx5.addons = with inputs.pkgs; [ fcitx5-rime fcitx5-chinese-addons fcitx5-mozc ];
-			};
-		}
-		else {}
-	);
-}

modules/kde.nix

@@ -1,19 +0,0 @@
-{ pkgs, ... }@inputs:
-{
-	config =
-	{
-		services.xserver =
-		{
-			enable = true;
-			displayManager.sddm.enable = true;
-			desktopManager.plasma5.enable = true;
-		};
-		environment =
-		{
-			sessionVariables."GTK_USE_PORTAL" = "1";
-			systemPackages = [ inputs.pkgs.libsForQt5.qtstyleplugin-kvantum ];
-		};
-		xdg.portal.extraPortals = with inputs.pkgs; [ xdg-desktop-portal-gtk xdg-desktop-portal-wlr ];
-		programs.xwayland.enable = true;
-	};
-}

modules/networking/basic.nix

@@ -1 +0,0 @@
-{ config.networking.networkmanager.enable = true; }

modules/networking/chn-PC.nix

@@ -1,9 +0,0 @@
-{
-	config.services.dnsmasq.settings.address =
-	[
-		"/mirism.one/216.24.188.24"
-		"/beta.mirism.one/216.24.188.24"
-		"/ng01.mirism.one/216.24.188.24"
-		"/debug.mirism.one/127.0.0.1"
-	];
-}

modules/networking/ssh.nix

@@ -1 +0,0 @@
-{ config.services.openssh.enable = true; }

modules/networking/wall_client.nix

@@ -1,49 +0,0 @@
-inputs:
-{
-	config =
-	{
-		services =
-		{
-			dnsmasq =
-			{
-				enable = true;
-				settings =
-				{
-					no-poll = true;
-					server = [ "127.0.0.1#10853" ];
-					listen-address = "127.0.0.1";
-					bind-interfaces = true;
-					ipset =
-					[
-						"/developer.download.nvidia.com/noproxy_net"
-						"/yuanshen.com/noproxy_net"
-						"/zoom.us/noproxy_net"
-					];	
-				};
-			};
-			xray = { enable = true; settingsFile = inputs.config.sops.secrets."xray.json".path; };
-			v2ray-forwarder = { enable = true; proxyPort = 10880; xmuPort = 10881; };
-		};
-		sops.secrets."xray.json" =
-			{ mode = "0440"; owner = "v2ray"; group = "v2ray"; restartUnits = [ "xray.service" ]; };
-		systemd.services.xray.serviceConfig =
-		{
-			DynamicUser = inputs.lib.mkForce false;
-			User = "v2ray";
-			Group = "v2ray";
-			CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
-			AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
-		};
-		users = { users.v2ray = { isSystemUser = true; group = "v2ray"; }; groups.v2ray = {}; };
-		boot.kernel.sysctl =
-		{
-			"net.ipv4.conf.all.route_localnet" = true;
-			"net.ipv4.conf.default.route_localnet" = true;
-			"net.ipv4.conf.all.accept_local" = true;
-			"net.ipv4.conf.default.accept_local" = true;
-			"net.ipv4.ip_forward" = true;
-			"net.ipv4.ip_nonlocal_bind" = true;
-		};
-		environment.etc."resolv.conf".text = "nameserver 127.0.0.1";
-	};
-}

modules/networking/xmunet.nix

@@ -1,7 +0,0 @@
-{
-	config.nixpkgs.config.packageOverrides = pkgs: 
-	{
-		wpa_supplicant = pkgs.wpa_supplicant.overrideAttrs ( attrs:
-			{ patches = attrs.patches ++ [ ./xmunet.patch ]; });
-	};
-}

modules/packages/default.nix

@@ -0,0 +1,688 @@
+inputs:
+{
+  options.nixos.packages = let inherit (inputs.lib) mkOption types; in
+  {
+    packageSet = mkOption
+    {
+      type = types.enum
+      [
+        # no gui, only used for specific purpose
+        "server"
+        # gui, for daily use, but not install large programs such as matlab
+        "desktop"
+        # nearly everything
+        "workstation"
+      ];
+      default = "server";
+    };
+    extraPackages = mkOption { type = types.listOf types.unspecified; default = []; };
+    excludePackages = mkOption { type = types.listOf types.unspecified; default = []; };
+    extraPythonPackages = mkOption { type = types.listOf types.unspecified; default = []; };
+    excludePythonPackages = mkOption { type = types.listOf types.unspecified; default = []; };
+    extraPrebuildPackages = mkOption { type = types.listOf types.unspecified; default = []; };
+    excludePrebuildPackages = mkOption { type = types.listOf types.unspecified; default = []; };
+    _packages = mkOption { type = types.listOf types.unspecified; default = []; };
+    _pythonPackages = mkOption { type = types.listOf types.unspecified; default = []; };
+    _prebuildPackages = mkOption { type = types.listOf types.unspecified; default = []; };
+  };
+  config =
+    let
+      inherit (inputs.lib) mkMerge mkIf;
+      inherit (builtins) concatLists map listToAttrs;
+      inherit (inputs.localLib) attrsToList;
+    in mkMerge
+    [
+      # >= server
+      {
+        nixos =
+        {
+          packages = with inputs.pkgs;
+          {
+            _packages = 
+            [
+              # shell
+              ksh
+              # basic tools
+              beep dos2unix gnugrep pv tmux screen parallel tldr cowsay jq zellij neofetch ipfetch localPackages.pslist
+              unstablePackages.fastfetch
+              # lsxx
+              pciutils usbutils lshw util-linux lsof
+              # top
+              iotop iftop htop btop powertop s-tui
+              # editor
+              nano bat
+              # downloader
+              wget aria2 curl
+              # file manager
+              tree exa trash-cli lsd broot file xdg-ninja mlocate
+              # compress
+              pigz rar upx unzip zip lzip p7zip
+              # file system management
+              sshfs e2fsprogs adb-sync duperemove compsize
+              # disk management
+              smartmontools hdparm
+              # encryption and authentication
+              apacheHttpd openssl ssh-to-age gnupg age sops pam_u2f yubico-piv-tool
+              # networking
+              ipset iptables iproute2 dig nettools traceroute tcping-go whois tcpdump nmap inetutils
+              # nix tools
+              nix-output-monitor nix-tree
+              # office
+              todo-txt-cli
+              # development
+              gdb unstablePackages.try
+            ] ++ (with inputs.config.boot.kernelPackages; [ cpupower usbip ]);
+            _pythonPackages = [(pythonPackages: with pythonPackages;
+            [
+              inquirerpy requests python-telegram-bot tqdm fastapi pypdf2 pandas matplotlib plotly gunicorn redis jinja2
+              certifi charset-normalizer idna orjson psycopg2 localPackages.eigengdb
+            ])];
+          };
+          users.sharedModules = [(home-inputs:
+          {
+            config.programs =
+            {
+              zsh =
+              {
+                enable = true;
+                initExtraBeforeCompInit =
+                ''
+                  # p10k instant prompt
+                  P10K_INSTANT_PROMPT="$XDG_CACHE_HOME/p10k-instant-prompt-''${(%):-%n}.zsh"
+                  [[ ! -r "$P10K_INSTANT_PROMPT" ]] || source "$P10K_INSTANT_PROMPT"
+                  HYPHEN_INSENSITIVE="true"
+                  export PATH=~/bin:$PATH
+                  function br
+                  {
+                    local cmd cmd_file code
+                    cmd_file=$(mktemp)
+                    if broot --outcmd "$cmd_file" "$@"; then
+                      cmd=$(<"$cmd_file")
+                      command rm -f "$cmd_file"
+                      eval "$cmd"
+                    else
+                      code=$?
+                      command rm -f "$cmd_file"
+                      return "$code"
+                    fi
+                  }
+                  alias todo="todo.sh"
+                '';
+                plugins =
+                [
+                  {
+                    file = "powerlevel10k.zsh-theme";
+                    name = "powerlevel10k";
+                    src = "${inputs.pkgs.zsh-powerlevel10k}/share/zsh-powerlevel10k";
+                  }
+                  {
+                    file = "p10k.zsh";
+                    name = "powerlevel10k-config";
+                    src = ./p10k-config;
+                  }
+                  {
+                    name = "zsh-lsd";
+                    src = inputs.pkgs.fetchFromGitHub
+                    {
+                      owner = "z-shell";
+                      repo = "zsh-lsd";
+                      rev = "029a9cb0a9b39c9eb6c5b5100dd9182813332250";
+                      sha256 = "sha256-oWjWnhiimlGBMaZlZB+OM47jd9hporKlPNwCx6524Rk=";
+                    };
+                  }
+                ];
+                history =
+                {
+                  path = "${home-inputs.config.xdg.dataHome}/zsh/zsh_history";
+                  extended = true;
+                  save = 100000000;
+                  size = 100000000;
+                  share = true;
+                };
+              };
+              direnv = { enable = true; nix-direnv.enable = true; };
+              git =
+              {
+                enable = true;
+                lfs.enable = true;
+                extraConfig =
+                {
+                  core.editor = if inputs.config.nixos.system.gui.preferred then "code --wait" else "vim";
+                  advice.detachedHead = false;
+                  merge.conflictstyle = "diff3";
+                  diff.colorMoved = "default";
+                };
+                package = inputs.pkgs.gitFull;
+                delta =
+                {
+                  enable = true;
+                  options =
+                  {
+                    side-by-side = true;
+                    navigate = true;
+                    syntax-theme = "GitHub";
+                    light = true;
+                    zero-style = "syntax white";
+                    line-numbers-zero-style = "#ffffff";
+                  };
+                };
+              };
+              ssh =
+              {
+                enable = true;
+                controlMaster = "auto";
+                controlPersist = "1m";
+                compression = true;
+              };
+              vim =
+              {
+                enable = true;
+                defaultEditor = true;
+                packageConfigurable = inputs.config.programs.vim.package;
+                settings =
+                {
+                  number = true;
+                  expandtab = false;
+                  shiftwidth = 2;
+                  tabstop = 2;
+                };
+                extraConfig =
+                ''
+                  set clipboard=unnamedplus
+                  colorscheme evening
+                '';
+              };
+            };
+          })];
+        };
+        programs =
+        {
+          nix-index-database.comma.enable = true;
+          nix-index.enable = true;
+          zsh =
+          {
+            enable = true;
+            syntaxHighlighting.enable = true;
+            autosuggestions.enable = true;
+            enableCompletion = true;
+            ohMyZsh =
+            {
+              enable = true;
+              plugins = [ "git" "colored-man-pages" "extract" "history-substring-search" "autojump" ];
+              customPkgs = with inputs.pkgs; [ zsh-nix-shell ];
+            };
+          };
+          ccache.enable = true;
+          command-not-found.enable = false;
+          adb.enable = true;
+          gnupg.agent = { enable = true; enableSSHSupport = true; };
+          autojump.enable = true;
+          git =
+          {
+            enable = true;
+            package = inputs.pkgs.gitFull;
+            lfs.enable = true;
+            config =
+            {
+              init.defaultBranch = "main";
+              core = { quotepath = false; editor = "vim"; };
+            };
+          };
+        };
+        services =
+        {
+          fwupd.enable = true;
+          udev.packages = with inputs.pkgs; [ yubikey-personalization libfido2 ];
+          openssh.knownHosts =
+            let
+              servers =
+              {
+                vps6 =
+                {
+                  ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO5ZcvyRyOnUCuRtqrM/Qf+AdUe3a5bhbnfyhw2FSLDZ";
+                  hostnames = [ "vps6.chn.moe" "74.211.99.69" "192.168.82.1" ];
+                };
+                "initrd.vps6" =
+                {
+                  ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB4DKB/zzUYco5ap6k9+UxeO04LL12eGvkmQstnYxgnS";
+                  hostnames = [ "initrd.vps6.chn.moe" "74.211.99.69" ];
+                };
+                vps7 =
+                {
+                  ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5XkdilejDAlg5hZZD0oq69k8fQpe9hIJylTo/aLRgY";
+                  hostnames = [ "vps7.chn.moe" "95.111.228.40" "192.168.82.2" ];
+                };
+                "initrd.vps7" =
+                {
+                  ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGZyQpdQmEZw3nLERFmk2tS1gpSvXwW0Eish9UfhrRxC";
+                  hostnames = [ "initrd.vps7.chn.moe" "95.111.228.40" ];
+                };
+                nas =
+                {
+                  ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIktNbEcDMKlibXg54u7QOLt0755qB/P4vfjwca8xY6V";
+                  hostnames = [ "[office.chn.moe]:5440" "192.168.82.4" ];
+                };
+                "initrd.nas" =
+                {
+                  ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAoMu0HEaFQsnlJL0L6isnkNZdRq0OiDXyaX3+fl3NjT";
+                  hostnames = [ "[office.chn.moe]:5440" ];
+                };
+                pc =
+                {
+                  ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMSfREi19OSwQnhdsE8wiNwGSFFJwNGN0M5gN+sdrrLJ";
+                  hostnames = [ "192.168.8.2.3" ];
+                };
+                hpc =
+                {
+                  ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDVpsQW3kZt5alHC6mZhay3ZEe2fRGziG4YJWCv2nn/O";
+                  hostnames = [ "hpc.xmu.edu.cn" ];
+                };
+                github =
+                {
+                  ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
+                  hostnames = [ "github.com" ];
+                };
+              };
+            in listToAttrs (concatLists (map
+              (server:
+              (
+                if builtins.pathExists ./ssh/${server.name}_rsa.pub then
+                [{
+                  name = "${server.name}-rsa";
+                  value =
+                  {
+                    publicKey = builtins.readFile ./ssh/${server.name}_rsa.pub;
+                    hostNames = server.value.hostnames;
+                  };
+                }]
+                else []
+              )
+              ++ (
+                if builtins.pathExists ./ssh/${server.name}_ecdsa.pub then
+                [{
+                  name = "${server.name}-ecdsa";
+                  value =
+                  {
+                    publicKey = builtins.readFile ./ssh/${server.name}_ecdsa.pub;
+                    hostNames = server.value.hostnames;
+                  };
+                }]
+                else []
+              )
+              ++ (
+                if server.value ? ed25519 then
+                [{
+                  name = "${server.name}-ed25519";
+                  value =
+                  {
+                    publicKey = server.value.ed25519;
+                    hostNames = server.value.hostnames;
+                  };
+                }]
+                else []
+              ))
+              (attrsToList servers)));
+        };
+        nix.settings.extra-sandbox-paths = [ inputs.config.programs.ccache.cacheDir ];
+        nixpkgs.config =
+        {
+          permittedInsecurePackages = with inputs.pkgs;
+          [
+            openssl_1_1.name electron_19.name nodejs-16_x.name python2.name electron_12.name
+          ];
+          allowUnfree = true;
+        };
+        home-manager =
+        {
+          useGlobalPkgs = true;
+          useUserPackages = true;
+        };
+      }
+      # >= desktop
+      (
+        mkIf (builtins.elem inputs.config.nixos.packages.packageSet [ "desktop" "workstation" ] )
+        {
+          nixos =
+          {
+            packages = with inputs.pkgs;
+            {
+              _packages =
+              [
+                # system management
+                gparted snapper-gui libsForQt5.qtstyleplugin-kvantum wl-clipboard-x11 kio-fuse wl-mirror
+                wayland-utils clinfo glxinfo vulkan-tools dracut etcher unstablePackages.btrfs-assistant
+                # nix tools
+                ssh-to-age deploy-rs.deploy-rs nixpkgs-fmt
+                # instant messager
+                element-desktop telegram-desktop discord inputs.config.nur.repos.linyinfeng.wemeet # native
+                cinny-desktop # nur-xddxdd.wine-wechat thunder
+                # browser
+                google-chrome
+                # networking
+                remmina putty mtr-gui
+                # password and key management
+                bitwarden yubikey-manager yubikey-manager-qt yubikey-personalization yubikey-personalization-gui
+                # download
+                qbittorrent yt-dlp nur-xddxdd.baidupcs-go wgetpaste
+                # office
+                unstablePackages.crow-translate zotero pandoc ydict
+                # development
+                scrcpy
+                # media
+                spotify yesplaymusic mpv nomacs simplescreenrecorder imagemagick gimp netease-cloud-music-gtk vlc
+                # text editor
+                localPackages.typora
+                # themes
+                orchis-theme tela-circle-icon-theme plasma-overdose-kde-theme materia-kde-theme graphite-kde-theme
+                arc-kde-theme materia-theme
+                # news
+                fluent-reader rssguard
+                # davinci-resolve playonlinux
+                weston cage openbox krita
+                genymotion hdfview electrum
+                (
+                  vscode-with-extensions.override
+                  {
+                    vscodeExtensions = with nix-vscode-extensions.vscode-marketplace;
+                      (with equinusocio; [ vsc-community-material-theme vsc-material-theme-icons ])
+                      ++ (with github; [ copilot copilot-chat copilot-labs github-vscode-theme ])
+                      ++ (with intellsmi; [ comment-translate deepl-translate ])
+                      ++ (with ms-python; [ isort python vscode-pylance ])
+                      ++ (with ms-toolsai;
+                      [
+                        jupyter jupyter-keymap jupyter-renderers vscode-jupyter-cell-tags vscode-jupyter-slideshow
+                      ])
+                      ++ (with ms-vscode;
+                      [
+                        cmake-tools cpptools cpptools-extension-pack cpptools-themes hexeditor remote-explorer
+                        test-adapter-converter
+                      ])
+                      ++ (with ms-vscode-remote; [ remote-ssh remote-containers remote-ssh-edit ])
+                      ++ [
+                        donjayamanne.githistory genieai.chatgpt-vscode fabiospampinato.vscode-diff cschlosser.doxdocgen
+                        llvm-vs-code-extensions.vscode-clangd ms-ceintl.vscode-language-pack-zh-hans
+                        oderwat.indent-rainbow
+                        twxs.cmake guyutongxue.cpp-reference znck.grammarly thfriedrich.lammps leetcode.vscode-leetcode
+                        james-yu.latex-workshop gimly81.matlab affenwiesel.matlab-formatter ckolkman.vscode-postgres
+                        yzhang.markdown-all-in-one pkief.material-icon-theme bbenoist.nix ms-ossdata.vscode-postgresql
+                        redhat.vscode-xml dotjoshjohnson.xml jnoortheen.nix-ide xdebug.php-debug
+                        hbenl.vscode-test-explorer
+                        jeff-hykin.better-cpp-syntax fredericbonnet.cmake-test-adapter mesonbuild.mesonbuild
+                        hirse.vscode-ungit fortran-lang.linter-gfortran tboox.xmake-vscode ccls-project.ccls
+                        feiskyer.chatgpt-copilot yukiuuh2936.vscode-modern-fortran-formatter wolframresearch.wolfram
+                        njpipeorgan.wolfram-language-notebook brettm12345.nixfmt-vscode webfreak.debug
+                        gruntfuggly.todo-tree
+                      ];
+                  }
+                )
+              ] ++ (with inputs.lib; filter isDerivation (attrValues plasma5Packages.kdeGear));
+            };
+            users.sharedModules =
+            [{
+              config =
+              {
+                programs =
+                {
+                  chromium =
+                  {
+                    enable = true;
+                    extensions =
+                    [
+                      { id = "mpkodccbngfoacfalldjimigbofkhgjn"; } # Aria2 Explorer
+                      { id = "nngceckbapebfimnlniiiahkandclblb"; } # Bitwarden
+                      { id = "kbfnbcaeplbcioakkpcpgfkobkghlhen"; } # Grammarly
+                      { id = "ihnfpdchjnmlehnoeffgcbakfmdjcckn"; } # Pixiv Fanbox Downloader
+                      { id = "cimiefiiaegbelhefglklhhakcgmhkai"; } # Plasma Integration
+                      { id = "dkndmhgdcmjdmkdonmbgjpijejdcilfh"; } # Powerful Pixiv Downloader
+                      { id = "padekgcemlokbadohgkifijomclgjgif"; } # Proxy SwitchyOmega
+                      { id = "kefjpfngnndepjbopdmoebkipbgkggaa"; } # RSSHub Radar
+                      { id = "abpdnfjocnmdomablahdcfnoggeeiedb"; } # Save All Resources
+                      { id = "nbokbjkabcmbfdlbddjidfmibcpneigj"; } # SmoothScroll
+                      { id = "onepmapfbjohnegdmfhndpefjkppbjkm"; } # SuperCopy 超级复制
+                      { id = "cjpalhdlnbpafiamejdnhcphjbkeiagm"; } # uBlock Origin
+                      { id = "gppongmhjkpfnbhagpmjfkannfbllamg"; } # Wappalyzer
+                      { id = "hkbdddpiemdeibjoknnofflfgbgnebcm"; } # YouTube™ 双字幕
+                      { id = "ekhagklcjbdpajgpjgmbionohlpdbjgc"; } # Zotero Connector
+                      { id = "ikhdkkncnoglghljlkmcimlnlhkeamad"; } # 划词翻译
+                      { id = "dhdgffkkebhmkfjojejmpbldmpobfkfo"; } # 篡改猴
+                      { id = "hipekcciheckooncpjeljhnekcoolahp"; } # Tabliss
+                      { id = "nkbihfbeogaeaoehlefnkodbefgpgknn"; } # MetaMask
+                    ];
+                  };
+                  obs-studio =
+                  {
+                    enable = true;
+                    plugins = with inputs.pkgs.obs-studio-plugins;
+                      [ wlrobs obs-vaapi obs-nvfbc droidcam-obs obs-vkcapture ];
+                  };
+                };
+                home.file.".config/baloofilerc".text =
+                ''
+                  [Basic Settings]
+                  Indexing-Enabled=false
+                '';
+              };
+            }];
+          };
+          programs =
+          {
+            steam.enable = true;
+            kdeconnect.enable = true;
+            wireshark = { enable = true; package = inputs.pkgs.wireshark; };
+            firefox =
+            {
+              enable = true;
+              languagePacks = [ "zh-CN" "en-US" ];
+              nativeMessagingHosts.firefoxpwa = true;
+            };
+            vim.package = inputs.pkgs.genericPackages.vim-full;
+          };
+          nixpkgs.config.packageOverrides = pkgs: 
+          {
+            telegram-desktop = pkgs.telegram-desktop.overrideAttrs (attrs:
+            {
+              patches = (if (attrs ? patches) then attrs.patches else []) ++ [ ./telegram.patch ];
+            });
+          };
+          services.pcscd.enable = true;
+        }
+      )
+      # >= workstation
+      (
+        mkIf (inputs.config.nixos.packages.packageSet == "workstation")
+        {
+          nixos.packages = with inputs.pkgs;
+          {
+            _packages =
+            [
+              # nix tools
+              nix-template appimage-run nil nixd nix-alien nix-serve node2nix nix-prefetch-github prefetch-npm-deps
+              nix-prefetch-docker pnpm-lock-export bundix
+              # instant messager
+              zoom-us signal-desktop qq nur-xddxdd.wechat-uos slack # jail
+              # office
+              libreoffice-qt texlive.combined.scheme-full texstudio poppler_utils pdftk gnuplot pdfchain
+              # development
+              jetbrains.clion android-studio dbeaver cling clang-tools_16 ccls fprettify
+              # media
+              nur-xddxdd.svp obs-studio waifu2x-converter-cpp inkscape blender
+              # virtualization
+              wineWowPackages.stagingFull virt-viewer bottles # wine64
+              # text editor
+              appflowy notion-app-enhanced joplin-desktop standardnotes
+              # math, physics and chemistry
+              mathematica octaveFull root ovito paraview localPackages.vesta qchem.quantum-espresso
+              localPackages.vasp localPackages.phonon-unfolding localPackages.vaspkit jmol localPackages.v_sim
+              # news
+              newsflash newsboat
+            ];
+            _pythonPackages = [(pythonPackages: with pythonPackages;
+            [
+              phonopy tensorflow keras openai scipy scikit-learn jupyterlab
+            ])];
+            _prebuildPackages =
+            [
+              httplib magic-enum xtensor boost cereal cxxopts ftxui yaml-cpp gfortran gcc10 python2
+              unstablePackages.gcc13Stdenv
+            ];
+          };
+          programs =
+          {
+            anime-game-launcher = { enable = true; package = inputs.pkgs.anime-game-launcher; };
+            honkers-railway-launcher = { enable = true; package = inputs.pkgs.honkers-railway-launcher; };
+            nix-ld.enable = true;
+            gamemode =
+            {
+              enable = true;
+              settings =
+              {
+                general.renice = 10;
+                gpu =
+                {
+                  apply_gpu_optimisations = "accept-responsibility";
+                  nv_powermizer_mode = 1;
+                };
+                custom = let notify-send = "${inputs.pkgs.libnotify}/bin/notify-send"; in
+                {
+                  start = "${notify-send} 'GameMode started'";
+                  end = "${notify-send} 'GameMode ended'";
+                };
+              };
+            };
+            chromium =
+            {
+              enable = true;
+              extraOpts.PasswordManagerEnabled = false;
+            };
+          };
+        }
+      )
+      # apply package configs
+      {
+        environment.systemPackages = let inherit (inputs.lib.lists) subtractLists; in with inputs.config.nixos.packages;
+          (subtractLists excludePackages (_packages ++ extraPackages))
+          ++ [
+            (inputs.pkgs.python3.withPackages (pythonPackages:
+              subtractLists
+                (builtins.concatLists (builtins.map (packageFunction: packageFunction pythonPackages)
+                  excludePythonPackages))
+                (builtins.concatLists (builtins.map (packageFunction: packageFunction pythonPackages)
+                  (_pythonPackages ++ extraPythonPackages)))))
+            (inputs.pkgs.callPackage ({ stdenv }: stdenv.mkDerivation
+            {
+              name = "prebuild-packages";
+              propagateBuildInputs = subtractLists excludePrebuildPackages (_prebuildPackages ++ extraPrebuildPackages);
+              phases = [ "installPhase" ];
+              installPhase =
+              ''
+                runHook preInstall
+                mkdir -p $out
+                runHook postInstall
+              '';
+            }) {})
+          ];
+      }
+    ];
+}
+
+    # programs.firejail =
+    # {
+    #   enable = true;
+    #   wrappedBinaries =
+    #   {
+    #     qq =
+    #     {
+    #       executable = "${inputs.pkgs.qq}/bin/qq";
+    #       profile = "${inputs.pkgs.firejail}/etc/firejail/linuxqq.profile";
+    #     };
+    #   };
+    # };
+
+# config.nixpkgs.config.replaceStdenv = { pkgs }: pkgs.ccacheStdenv;
+  # only replace stdenv for large and tested packages
+  # config.programs.ccache.packageNames = [ "webkitgtk" "libreoffice" "tensorflow" "linux" "chromium" ];
+  # config.nixpkgs.overlays = [(final: prev:
+  # {
+  #   libreoffice-qt = prev.libreoffice-qt.override (prev: { unwrapped = prev.unwrapped.override
+  #     (prev: { stdenv = final.ccacheStdenv.override { stdenv = prev.stdenv; }; }); });
+  #   python3 = prev.python3.override { packageOverrides = python-final: python-prev:
+  #     {
+  #       tensorflow = python-prev.tensorflow.override
+  #         { stdenv = final.ccacheStdenv.override { stdenv = python-prev.tensorflow.stdenv; }; };
+  #     };};
+  #   # webkitgtk = prev.webkitgtk.override (prev:
+  #   #   { stdenv = final.ccacheStdenv.override { stdenv = prev.stdenv; }; enableUnifiedBuilds = false; });
+  #   wxGTK31 = prev.wxGTK31.override { stdenv = final.ccacheStdenv.override { stdenv = prev.wxGTK31.stdenv; }; };
+  #   wxGTK32 = prev.wxGTK32.override { stdenv = final.ccacheStdenv.override { stdenv = prev.wxGTK32.stdenv; }; };
+  #   # firefox-unwrapped = prev.firefox-unwrapped.override
+  #   #   { stdenv = final.ccacheStdenv.override { stdenv = prev.firefox-unwrapped.stdenv; }; };
+  #   # chromium = prev.chromium.override
+  #   #   { stdenv = final.ccacheStdenv.override { stdenv = prev.chromium.stdenv; }; };
+  #   # linuxPackages_xanmod_latest = prev.linuxPackages_xanmod_latest.override
+  #   # {
+  #   #   kernel = prev.linuxPackages_xanmod_latest.kernel.override
+  #   #   {
+  #   #     stdenv = final.ccacheStdenv.override { stdenv = prev.linuxPackages_xanmod_latest.kernel.stdenv; };
+  #   #     buildPackages = prev.linuxPackages_xanmod_latest.kernel.buildPackages //
+  #   #       { stdenv = prev.linuxPackages_xanmod_latest.kernel.buildPackages.stdenv; };
+  #   #   };
+  #   # };
+  # })];
+  # config.programs.ccache.packageNames = [ "libreoffice-unwrapped" ];
+
+# cross-x86_64-pc-linux-musl/gcc
+# dev-cpp/cpp-httplib ? how to use
+# dev-cpp/cppcoro
+# dev-cpp/date
+# dev-cpp/nameof
+# dev-cpp/scnlib
+# dev-cpp/tgbot-cpp
+# dev-libs/pocketfft
+# dev-util/intel-hpckit
+# dev-util/nvhpc
+# kde-misc/wallpaper-engine-kde-plugin
+# media-fonts/arphicfonts
+# media-fonts/sarasa-gothic
+# media-gfx/flameshot
+# media-libs/libva-intel-driver
+# media-libs/libva-intel-media-driver
+# media-sound/netease-cloud-music
+# net-vpn/frp
+# net-wireless/bluez-tools
+# sci-libs/mkl
+# sci-libs/openblas
+# sci-libs/pfft
+# sci-libs/scalapack
+# sci-libs/wannier90
+# sci-mathematics/ginac
+# sci-mathematics/mathematica
+# sci-mathematics/octave
+# sci-physics/lammps::touchfish-os
+# sci-physics/vsim
+# sci-visualization/scidavis
+# sys-apps/flatpak
+# sys-cluster/modules
+# sys-devel/distcc
+# sys-fs/btrfs-progs
+# sys-fs/compsize
+# sys-fs/dosfstools
+# sys-fs/duperemove
+# sys-fs/exfatprogs
+# sys-fs/mdadm
+# sys-fs/ntfs3g
+# sys-kernel/dracut
+# sys-kernel/linux-firmware
+# sys-kernel/xanmod-sources
+# sys-kernel/xanmod-sources:6.1.12
+# sys-kernel/xanmod-sources::touchfish-os
+# sys-libs/libbacktrace
+# sys-libs/libselinux
+# x11-apps/xinput
+# x11-base/xorg-apps
+# x11-base/xorg-fonts
+# x11-base/xorg-server
+# x11-misc/imwheel
+# x11-misc/optimus-manager
+# x11-misc/unclutter-xfixes
+
+#   ++ ( with inputs.pkgs.pkgsCross.mingwW64.buildPackages; [ gcc ] );

modules/packages/gaming.nix

@@ -1,13 +0,0 @@
-{ pkgs, ... }@inputs:
-{
-	config =
-	{
-		environment.systemPackages = [ inputs.config.nur.repos.ataraxiasjel.proton-ge ];
-		programs =
-		{
-			anime-game-launcher.enable = true;
-			honkers-railway-launcher.enable = true;
-			steam.enable = true;
-		};
-	};
-}

modules/packages/gui.nix

@@ -1,87 +0,0 @@
-{ pkgs, ... }@inputs:
-{
-	config =
-	{
-		environment.systemPackages = with inputs.pkgs;
-		[
-			( vscode-with-extensions.override
-			{
-				vscodeExtensions = (with vscode-extensions;
-				[
-					ms-vscode.cpptools
-					genieai.chatgpt-vscode
-					ms-ceintl.vscode-language-pack-zh-hans
-					llvm-vs-code-extensions.vscode-clangd
-					twxs.cmake
-					ms-vscode.cmake-tools
-					donjayamanne.githistory
-					github.copilot
-					github.github-vscode-theme
-					ms-vscode.hexeditor
-					oderwat.indent-rainbow
-					ms-toolsai.jupyter
-					ms-toolsai.vscode-jupyter-cell-tags
-					ms-toolsai.jupyter-keymap
-					ms-toolsai.jupyter-renderers
-					ms-toolsai.vscode-jupyter-slideshow
-					james-yu.latex-workshop
-					yzhang.markdown-all-in-one
-					pkief.material-icon-theme
-					equinusocio.vsc-material-theme
-					bbenoist.nix
-					ms-python.vscode-pylance
-					ms-python.python
-					ms-vscode-remote.remote-ssh
-					redhat.vscode-xml
-					dotjoshjohnson.xml
-				])
-				++ (with nix-vscode-extensions.vscode-marketplace;
-				[
-					jeff-hykin.better-cpp-syntax
-					ms-vscode.cpptools-extension-pack
-					ms-vscode.cpptools-themes
-					josetr.cmake-language-support-vscode
-					fredericbonnet.cmake-test-adapter
-					equinusocio.vsc-community-material-theme
-					guyutongxue.cpp-reference
-					intellsmi.comment-translate
-					intellsmi.deepl-translate
-					ms-vscode-remote.remote-containers
-					fabiospampinato.vscode-diff
-					cschlosser.doxdocgen
-					znck.grammarly
-					ms-python.isort
-					thfriedrich.lammps
-					leetcode.vscode-leetcode
-					equinusocio.vsc-material-theme-icons
-					gimly81.matlab
-					affenwiesel.matlab-formatter
-					xdebug.php-debug
-					ckolkman.vscode-postgres
-					ms-ossdata.vscode-postgresql
-					ms-vscode-remote.remote-ssh-edit
-					ms-vscode.remote-explorer
-					ms-vscode.test-adapter-converter
-					hbenl.vscode-test-explorer
-					hirse.vscode-ungit
-				]);
-			} )
-			qbittorrent # tunder
-			gparted snapper-gui
-			firefox google-chrome
-			zotero texlive.combined.scheme-full libreoffice-qt
-			element-desktop tdesktop discord
-			# jail
-			qq inputs.config.nur.repos.xddxdd.wechat-uos inputs.config.nur.repos.linyinfeng.wemeet
-			remmina
-			bitwarden
-			spotify yesplaymusic
-			crow-translate
-			scrcpy
-			mpv inputs.config.nur.repos.xddxdd.svp
-		]
-		++ (with inputs.lib; filter isDerivation (attrValues pkgs.plasma5Packages.kdeGear));
-		programs.wireshark.enable = true;
-		nixpkgs.config.permittedInsecurePackages = [ "openssl-1.1.1u" "electron-19.0.7" ];
-	};
-}

modules/packages/hpc.nix

@@ -1,9 +0,0 @@
-{ pkgs, ... }@inputs:
-{
-	config.environment.systemPackages = with inputs.pkgs;
-	[
-		ovito paraview # vsim vesta
-		(python3.withPackages (ps: with ps; [ phonopy ]))
-		mathematica octave root
-	];
-}

modules/packages/p10k-config/p10k.zsh

@@ -33,6 +33,7 @@
   typeset -g POWERLEVEL9K_LEFT_PROMPT_ELEMENTS=(
     # =========================[ Line #1 ]=========================
     os_icon                 # os identifier
+    context                 # user@hostname
     dir                     # current directory
     vcs                     # git status
     # =========================[ Line #2 ]=========================
@@ -82,7 +83,6 @@
     azure                   # azure account name (https://docs.microsoft.com/en-us/cli/azure)
     gcloud                  # google cloud cli account and project (https://cloud.google.com/)
     google_app_cred         # google application credentials (https://cloud.google.com/docs/authentication/production)
-    context                 # user@hostname
     nordvpn                 # nordvpn connection status, linux only (https://nordvpn.com/)
     ranger                  # ranger shell (https://github.com/ranger/ranger)
     nnn                     # nnn shell (https://github.com/jarun/nnn)
@@ -1686,7 +1686,7 @@
   #   - verbose: Enable instant prompt and print a warning when detecting console output during
   #              zsh initialization. Choose this if you've never tried instant prompt, haven't
   #              seen the warning, or if you are unsure what this all means.
-  typeset -g POWERLEVEL9K_INSTANT_PROMPT=verbose
+  typeset -g POWERLEVEL9K_INSTANT_PROMPT=quiet
 
   # Hot reload allows you to change POWERLEVEL9K options after Powerlevel10k has been initialized.
   # For example, you can type POWERLEVEL9K_BACKGROUND=red and see your prompt turn red. Hot reload

modules/packages/ssh/github_ecdsa.pub

@@ -0,0 +1 @@
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=

modules/packages/ssh/github_rsa.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk=

modules/packages/ssh/hpc_ecdsa.pub

@@ -0,0 +1 @@
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDkkl7A9kWWBoi4b5g6Vus70ja1KhPfcZZjeU1/QbYdN8PRRw/hsGklrhefslKRbym/TMFS0ko0g5WUi9G5vbGw=

modules/packages/ssh/hpc_rsa.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDgs8MvV2nczjGMZ548tuAhgvCEd4uHu0VhLDSwQG7Nh/UR4Pgc5T9Nf7Vfwg96Lah/pwD5my4RaWis6bLMmlkYyDBKFBOsGYQUe5J5XfZdxk8pz+7L0Hq6gPfAZAdNlUiuFVKsvkE+NF42NgJyXSYQicPbu5LQiFwZGXlW20+LO8uBQ1y1xabKVpg8XGwordduL99VepwEzeLK/st+UVfW+mKgxkf9TuxvD2fuYIDZM7y2rXqcjf4/6OXA5kACsYK1MgZSFxgO/m6+1uCC1qBDseMTA3D+Tsjf9VtcqUE9dMd/dJ/uuILHJ0+oIqkykTCecPLgJY3Vh8rAtln/lbId

modules/packages/ssh/nas_rsa.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC0+xafJMnOGCHv6OLljaq8iJ3ZBaIezv7AJ9rVWJXFg/QJRYBwct35c4zaVom7If8F+Ss+BTLMp33HZ8gLpoat6LkjARjy65Ycog3NOnEposX2JjZEYXDbovxEmcJkDXAIVmnaBUi3r22z4UI8OqsHPeRXj017O0yQrQQYEAw/IO/tSNQZt2k8JHxAX50UTqGFdgkriO1fYHBocq48m0nn3sXrMuM3yBe5zy3NngOHxMn7UxjECmAElsuu/nu1x083pRnv5NSa+JxDGJ+S6Zhj3nGGNwZesa51I4cJjsYLxgmO/NxL1J86bDp6HhK9C9799ruG60pGTw6HcvbKTgx7klUgn4936wsy7qukWqp53MvqrLSJkRb/HHU9zZqvzcjbwet+Iv1OAAok5QC88j7Jgenk3nbZw4BNFd2r/8rOZuXheDnMKOa61dXxnvoAO3Euk0RPdZqW1slT/DDyD/kB6TPY7yOywNURNnrwzfSsmravKi6bGA5t2Ehhpf2LETM=

modules/packages/ssh/pc_rsa.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDOyU7VvusseL2tDp7JkIXKGxRGQNHpYWVAPraUj17Xls7Z9e7HO6+GBiGP+bB9tZbzsoTNGHdXg8VaJmf98QAhhg0FcUb6IvWmfmPWzQ0MC8L+USqdDpaH7s9SOZF/yveNYCR5GOMmFdSW4OPVYIOrjPltDIe5S1SN2nOXvjxbLmuoMjg+5U4F0ii0ZaCRuMVDskeift+Amxe7iRnSzeDbECd0rJhaUb8gf3shz0Hp9lRUMej7cJH8LLP3m0s3Vk+kasKntz18MpJ6/3n+fR2aK75qkcq9FZaFA4tSIabh9eKoxlRCy7g8Qj6nNStW+ys/a1UYBFgAoTyE7e47o3dpcxR5oMLbeDwhOstWL0YOjEH1K5Wyj3eEOT71C6kuQBPcCJQ9q9hknRpW0mWe9Q6qaAzTgE9LLssijr/yTfYQk7zKEyo0i4f6buOfmyYZfnzfnCB3LiJKa98TVEEzrKYHIO44LwIkNf/YHOMDknzjYpav6HfDy+AebRHZFYhGax1YP/tP0Ve/FSq5rh6Vwuqa/zyfFUPZmZVf+EYXK7DdyuBhEZhBEu6QrjY60NRMTMLpnUZMcZXRAz9byMpAGcCYQv6gjU99ps8AkRjZNkn+FpAtDGT+oJxixQwyZMSxZ+ZuzkZGyBMeMplZXMMLICGZ2LRAgT0bxXLZUxHJBLwwnw==

modules/packages/ssh/vps6_rsa.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDYiP+ELuG5KTmafVjBkY0ZSggJg+mDkvZpF8d7NljMst0YwKWV3IgHnkAGXdTd7jlRgm9HH6oc8rP2R6Q8EJmfr+xcL1IQIWKuYAoddHlpe2Ds4EE74xbgm5Elf7FpdYNHUH9XyVmMmIhVSpLw2N10jUhvYqw+h+xC2nObEKZuBOt/lqrTGbC/EMv3+sDv0ApBh8lKt2yfjt88pnAj1LKPANDgIYSyQOllHQWeUY/eD/5Qc9XWR3uWclslVaxriRmEA0sNZlOFCeRIyDbYpSzQBdcnojkwt7Z5kjhaqGlT9g00fdiqO0OMaeY/G8ki3QxqjONqTEDqK+DpEZFO6jyZARcY6ki0ANc0AO4qosEC3gEbAvVwyPwDFtyDggMTHlTzaw8iakMGSDEk10zKaUOgZYLzC2yCWYYQS5mae9wC1gkXIGD51/laeq2E7NpM+nha6kp9weLVyvwf0DLfwsiP+0qlCLrxBLTSRa0HQ+BnQMi4r16Ss7YJwLf/oXrbOVk=

modules/packages/ssh/vps7_rsa.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDFwb7qi9/DvhpMvu43LRlTEC+3kPAA0KNeyk4FT4HlpRE/yxMxN6tgrP9vcx2c6TMfkRwIJKDcBuVVtKOVx+SDZo+nQBxpSz73v1qSmqlsy8D4gCk0a7cLgStb3Cvh0UZjJ5nVnxjzqY2CFnpnKYGmxL+a3qTj1KYPuA2wSsxkYVcHUfDj/uTtEDdRPaNTACsUxe1a57T/Tsjp+321+zKldYreozaABEBsexf9Z34+3vZvyQcfDB3QuxlBRPJBLik80QllpNpE1bqol8swoGEPbl/Ac7tNy+GtlwTG9SH1povmoT9K+8tjJaG2pD+z+vvgZQtJQh+aczYmEBJRZp3ksw1JH4eGqTWG/SDat9Isnx2NDhJe12b9izniDciuBScNySAazIDPidsCMUYjc9kgWdSOiODOtodj5IB+KazFVJgfpmzPv97LHVdjvR74usrgbFw2mYCw2YEiL3xjDYpQGmXSNklsQLwJiBe59oyS4QNpNYQzYD9StjgRIdvtmiM=

modules/packages/telegram.patch

@@ -0,0 +1,13 @@
+diff --git a/Telegram/SourceFiles/data/data_sponsored_messages.cpp b/Telegram/SourceFiles/data/data_sponsored_messages.cpp
+index fa21af4..211f3bf 100644
+--- a/Telegram/SourceFiles/data/data_sponsored_messages.cpp
++++ b/Telegram/SourceFiles/data/data_sponsored_messages.cpp
+@@ -175,7 +175,7 @@ void SponsoredMessages::inject(
+ }
+ 
+ bool SponsoredMessages::canHaveFor(not_null<History*> history) const {
+-	return history->peer->isChannel();
++	return false;
+ }
+ 
+ void SponsoredMessages::request(not_null<History*> history, Fn<void()> done) {

modules/packages/terminal.nix

@@ -1,41 +0,0 @@
-{ pkgs, ... }@inputs:
-{
-	config =
-	{
-		environment.systemPackages = with inputs.pkgs;
-		[
-			beep neofetch screen dos2unix tldr gnugrep
-			pciutils usbutils lshw powertop
-			ksh
-			vim nano
-			wget aria2 curl yt-dlp
-			tree git autojump exa
-			nix-output-monitor inputs.inputs.nix-alien.packages.x86_64-linux.nix-alien
-			apacheHttpd certbot-full
-			pigz rar unrar upx unzip zip
-			util-linux snapper
-			ocrmypdf pdfgrep
-			openssl ssh-to-age gnupg age sops
-			ipset iptables iproute2 dig nettools
-			gcc clang-tools
-		];
-		programs =
-		{
-			nix-index-database.comma.enable = true;
-			nix-index.enable = true;
-			command-not-found.enable = false;
-			zsh =
-			{
-				enable = true;
-				syntaxHighlighting.enable = true;
-				autosuggestions.enable = true;
-				enableCompletion = true;
-				ohMyZsh =
-				{
-					enable = true;
-					plugins = [ "git" "colored-man-pages" "extract" "history-substring-search" "autojump" ];
-				};
-			};
-		};
-	};
-}

modules/services/acme.nix

@@ -0,0 +1,39 @@
+inputs:
+{
+  options.nixos.services.acme = let inherit (inputs.lib) mkOption types; in
+  {
+    enable = mkOption { type = types.bool; default = false; };
+    certs = mkOption
+    {
+      type = types.listOf (types.oneOf [ types.nonEmptyStr (types.listOf types.nonEmptyStr) ]);
+      default = [];
+    };
+  };
+  config =
+    let
+      inherit (inputs.lib) mkIf;
+      inherit (inputs.config.nixos.services) acme;
+      inherit (builtins) map listToAttrs;
+    in mkIf acme.enable
+    {
+      security.acme =
+      {
+        acceptTerms = true;
+        defaults.email = "chn@chn.moe";
+        certs = listToAttrs (map
+          (cert:
+          {
+            name = if builtins.typeOf cert == "string" then cert else builtins.elemAt cert 0;
+            value =
+            {
+              dnsResolver = "8.8.8.8";
+              dnsProvider = "cloudflare";
+              credentialsFile = inputs.config.sops.secrets."acme/cloudflare.ini".path;
+              extraDomainNames = if builtins.typeOf cert == "string" then [] else builtins.tail cert;
+            };
+          })
+          acme.certs);
+      };
+      sops.secrets."acme/cloudflare.ini" = {};
+    };
+}

modules/services/beesd.nix

@@ -0,0 +1,50 @@
+inputs:
+{
+  options.nixos.services.beesd = let inherit (inputs.lib) mkOption types; in
+  {
+    enable = mkOption { type = types.bool; default = false; };
+    instances = mkOption
+    {
+      type = types.attrsOf (types.oneOf
+      [
+        types.nonEmptyStr
+        (types.submodule { options =
+        {
+          device = mkOption { type = types.nonEmptyStr; };
+          hashTableSizeMB = mkOption { type = types.int; };
+        };})
+      ]);
+      default = {};
+    };
+  };
+  config =
+    let
+      inherit (inputs.config.nixos.services) beesd;
+      inherit (inputs.lib) mkIf;
+      inherit (builtins) map listToAttrs;
+      inherit (inputs.localLib) attrsToList;
+    in mkIf beesd.enable
+      {
+        services.beesd.filesystems = listToAttrs (map
+          (instance:
+          {
+            inherit (instance) name;
+            value =
+            {
+              spec = instance.value.device or instance.value;
+              hashTableSizeMB = instance.value.hashTableSizeMB or 1024;
+              extraOptions = [ "--thread-count" "1" "--scan-mode" "3" ];
+            };
+          })
+          (attrsToList beesd.instances));
+        systemd.slices.system-beesd.sliceConfig =
+        {
+          CPUSchedulingPolicy = "idle";
+          IOSchedulingClass = "idle";
+          IOSchedulingPriority = 4;
+          IOAccounting = true;
+          IOWeight = 1;
+          Nice = 19;
+        };
+      };
+}

modules/services/coturn.nix

@@ -0,0 +1,37 @@
+inputs:
+{
+  options.nixos.services.coturn = let inherit (inputs.lib) mkOption types; in
+  {
+    enable = mkOption { type = types.bool; default = false; };
+    hostname = mkOption { type = types.str; default = "coturn.chn.moe"; };
+  };
+  config =
+    let
+      inherit (inputs.config.nixos.services) coturn;
+      inherit (inputs.lib) mkIf;
+    in mkIf coturn.enable
+      {
+        services.coturn =
+          let
+            keydir = inputs.config.security.acme.certs.${coturn.hostname}.directory;
+          in
+          {
+            enable = true;
+            use-auth-secret = true;
+            static-auth-secret-file = inputs.config.sops.secrets."coturn/auth-secret".path;
+            realm = coturn.hostname;
+            cert = "${keydir}/full.pem";
+            pkey = "${keydir}/key.pem";
+            no-cli = true;
+          };
+        sops.secrets."coturn/auth-secret".owner = inputs.config.systemd.services.coturn.serviceConfig.User;
+        nixos.services.acme = { enable = true; certs = [ coturn.hostname ]; };
+        security.acme.certs.${coturn.hostname}.group = inputs.config.systemd.services.coturn.serviceConfig.Group;
+        networking.firewall = with inputs.config.services.coturn;
+        {
+          allowedUDPPorts = [ listening-port tls-listening-port ];
+          allowedTCPPorts = [ listening-port tls-listening-port ];
+          allowedUDPPortRanges = [ { from = min-port; to = max-port; } ];
+        };
+      };
+}

modules/services/default.nix

@@ -0,0 +1,194 @@
+inputs:
+{
+  imports = inputs.localLib.mkModules
+  [
+    ./postgresql.nix
+    ./redis.nix
+    ./rsshub.nix
+    ./misskey.nix
+    ./nginx
+    ./meilisearch.nix
+    ./xray.nix
+    ./coturn.nix
+    ./synapse.nix
+    ./phpfpm.nix
+    ./xrdp.nix
+    ./groupshare.nix
+    ./acme.nix
+    ./samba.nix
+    ./sshd.nix
+    ./vaultwarden.nix
+    ./frp.nix
+    ./beesd.nix
+    ./snapper.nix
+    ./mariadb.nix
+    ./photoprism.nix
+    ./nextcloud.nix
+    ./freshrss.nix
+  ];
+  options.nixos.services = let inherit (inputs.lib) mkOption types; in
+  {
+    kmscon.enable = mkOption { type = types.bool; default = false; };
+    fontconfig.enable = mkOption { type = types.bool; default = false; };
+    firewall.trustedInterfaces = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
+    nix-serve =
+    {
+      enable = mkOption { type = types.bool; default = false; };
+      hostname = mkOption { type = types.nonEmptyStr; };
+    };
+    smartd.enable = mkOption { type = types.bool; default = false; };
+    fileshelter.enable = mkOption { type = types.bool; default = false; };
+    wallabag.enable = mkOption { type = types.bool; default = false; };
+  };
+  config =
+    let
+      inherit (inputs.lib) mkMerge mkIf;
+      inherit (inputs.localLib) stripeTabs attrsToList;
+      inherit (inputs.config.nixos) services;
+      inherit (builtins) map listToAttrs toString;
+    in mkMerge
+    [
+      (
+        mkIf services.kmscon.enable
+        {
+          services.kmscon =
+          {
+            enable = true;
+            fonts = [{ name = "FiraCode Nerd Font Mono"; package = inputs.pkgs.nerdfonts; }];
+          };
+        }
+      )
+      (
+        mkIf services.fontconfig.enable
+        {
+          fonts =
+          {
+            fontDir.enable = true;
+            fonts = with inputs.pkgs;
+              [ noto-fonts source-han-sans source-han-serif source-code-pro hack-font jetbrains-mono nerdfonts ];
+            fontconfig.defaultFonts =
+            {
+              emoji = [ "Noto Color Emoji" ];
+              monospace = [ "Noto Sans Mono CJK SC" "Sarasa Mono SC" "DejaVu Sans Mono"];
+              sansSerif = [ "Noto Sans CJK SC" "Source Han Sans SC" "DejaVu Sans" ];
+              serif = [ "Noto Serif CJK SC" "Source Han Serif SC" "DejaVu Serif" ];
+            };
+          };
+        }
+      )
+      { networking.firewall.trustedInterfaces = services.firewall.trustedInterfaces; }
+      (
+        mkIf services.nix-serve.enable
+        {
+          services.nix-serve =
+          {
+            enable = true;
+            openFirewall = true;
+            secretKeyFile = inputs.config.sops.secrets."store/signingKey".path;
+          };
+          sops.secrets."store/signingKey" = {};
+          nixos.services.nginx.http.${services.nix-serve.hostname} =
+            { rewriteHttps = true; locations."/".proxy.upstream = "http://127.0.0.1:5000"; };
+        }
+      )
+      (mkIf services.smartd.enable { services.smartd.enable = true; })
+      (
+        mkIf services.wallabag.enable
+        {
+          virtualisation.oci-containers.containers.wallabag =
+          {
+            image = "wallabag/wallabag:2.6.2";
+            imageFile = inputs.pkgs.dockerTools.pullImage
+            {
+              imageName = "wallabag/wallabag";
+              imageDigest = "sha256:241e5c71f674ee3f383f428e8a10525cbd226d04af58a40ce9363ed47e0f1de9";
+              sha256 = "0zflrhgg502w3np7kqmxij8v44y491ar2qbk7qw981fysia5ix09";
+              finalImageName = "wallabag/wallabag";
+              finalImageTag = "2.6.2";
+            };
+            ports = [ "127.0.0.1:4398:80/tcp" ];
+            extraOptions = [ "--add-host=host.docker.internal:host-gateway" ];
+            environmentFiles = [ inputs.config.sops.templates."wallabag/env".path ];
+          };
+          # systemd.services.docker-wallabag.serviceConfig =
+          # {
+          #   User = "wallabag";
+          #   Group = "wallabag";
+          # };
+          sops =
+          {
+            templates."wallabag/env".content =
+              let
+                placeholder = inputs.config.sops.placeholder;
+              in
+              ''
+                SYMFONY__ENV__DATABASE_DRIVER=pdo_pgsql
+                SYMFONY__ENV__DATABASE_HOST=host.docker.internal
+                SYMFONY__ENV__DATABASE_PORT=5432
+                SYMFONY__ENV__DATABASE_NAME=wallabag
+                SYMFONY__ENV__DATABASE_USER=wallabag
+                SYMFONY__ENV__DATABASE_PASSWORD=${placeholder."postgresql/wallabag"}
+                SYMFONY__ENV__REDIS_HOST=host.docker.internal
+                SYMFONY__ENV__REDIS_PORT=8790
+                SYMFONY__ENV__REDIS_PASSWORD=${placeholder."redis/wallabag"}
+                SYMFONY__ENV__SERVER_NAME=wallabag.chn.moe
+                SYMFONY__ENV__DOMAIN_NAME=https://wallabag.chn.moe
+                SYMFONY__ENV__TWOFACTOR_AUTH=false
+              '';
+              # SYMFONY__ENV__MAILER_DSN=smtp://bot%%40chn.moe@${placeholder."mail/bot-encoded"}:mail.chn.moe
+              # SYMFONY__ENV__FROM_EMAIL=bot@chn.moe
+              # SYMFONY__ENV__TWOFACTOR_SENDER=bot@chn.moe
+            secrets =
+            {
+              "redis/wallabag".owner = inputs.config.users.users.redis-wallabag.name;
+              "postgresql/wallabag" = {};
+              "mail/bot-encoded" = {};
+            };
+          };
+          services =
+          {
+            redis.servers.wallabag =
+            {
+              enable = true;
+              bind = null;
+              port = 8790;
+              requirePassFile = inputs.config.sops.secrets."redis/wallabag".path;
+            };
+            postgresql =
+            {
+              ensureDatabases = [ "wallabag" ];
+              ensureUsers =
+              [{
+                name = "wallabag";
+                ensurePermissions."DATABASE \"wallabag\"" = "ALL PRIVILEGES";
+              }];
+              # ALTER DATABASE db_name OWNER TO new_owner_name
+              # sudo docker exec -t wallabag /var/www/wallabag/bin/console wallabag:install --env=prod --no-interaction
+            };
+          };
+          nixos =
+          {
+            services =
+            {
+              nginx =
+              {
+                enable = true;
+                http."wallabag.chn.moe" =
+                {
+                  rewriteHttps = true;
+                  locations."/".proxy = { upstream = "http://127.0.0.1:4398"; setHeaders.Host = "wallabag.chn.moe"; };
+                };
+              };
+              postgresql.enable = true;
+            };
+            virtualization.docker.enable = true;
+          };
+          # users =
+          # {
+          #   users.wallabag = { isSystemUser = true; group = "wallabag"; autoSubUidGidRange = true; };
+          #   groups.wallabag = {};
+          # };
+        }
+      )
+    ];
+}

modules/services/freshrss.nix

@@ -0,0 +1,37 @@
+inputs:
+{
+  options.nixos.services.freshrss = let inherit (inputs.lib) mkOption types; in
+  {
+    enable = mkOption { type = types.bool; default = false; };
+    hostname = mkOption { type = types.str; default = "freshrss.chn.moe"; };
+  };
+  config =
+    let
+      inherit (inputs.config.nixos.services) freshrss;
+      inherit (inputs.lib) mkIf;
+    in mkIf freshrss.enable
+    {
+      services.freshrss =
+      {
+        enable = true;
+        baseUrl = "https://${freshrss.hostname}";
+        defaultUser = "chn";
+        passwordFile = inputs.config.sops.secrets."freshrss/chn".path;
+        database =
+        {
+          type = "mysql";
+          passFile = inputs.config.sops.secrets."freshrss/mysql".path;
+        };
+      };
+      sops.secrets =
+      {
+        "freshrss/chn".owner = inputs.config.users.users.freshrss.name;
+        "freshrss/db" =
+        {
+          owner = inputs.config.users.users.freshrss.name;
+          key = "mariadb/freshrss";
+        };
+      };
+      nixos.mariadb = { enable = true; instances.freshrss = {}; };
+    };
+}

modules/services/frp.nix

@@ -0,0 +1,154 @@
+inputs:
+{
+  options.nixos.services = let inherit (inputs.lib) mkOption types; in
+  {
+    frpClient =
+    {
+      enable = mkOption { type = types.bool; default = false; };
+      serverName = mkOption { type = types.nonEmptyStr; };
+      user = mkOption { type = types.nonEmptyStr; };
+      tcp = mkOption
+      {
+        type = types.attrsOf (types.submodule (inputs:
+        {
+          options =
+          {
+            localIp = mkOption { type = types.nonEmptyStr; default = "127.0.0.1"; };
+            localPort = mkOption { type = types.ints.unsigned; };
+            remoteIp = mkOption { type = types.nonEmptyStr; default = "127.0.0.1"; };
+            remotePort = mkOption { type = types.ints.unsigned; default = inputs.config.localPort; };
+          };
+        }));
+        default = {};
+      };
+    };
+    frpServer =
+    {
+      enable = mkOption { type = types.bool; default = false; };
+      serverName = mkOption { type = types.nonEmptyStr; };
+    };
+  };
+  config =
+    let
+      inherit (inputs.lib) mkMerge mkIf;
+      inherit (inputs.localLib) attrsToList;
+      inherit (inputs.config.nixos.services) frpClient frpServer;
+      inherit (builtins) map listToAttrs;
+    in mkMerge
+    [
+      (
+        mkIf frpClient.enable
+        {
+          systemd.services.frpc =
+            let
+              frpc = "${inputs.pkgs.frp}/bin/frpc";
+              config = inputs.config.sops.templates."frpc.ini";
+            in
+            {
+              description = "Frp Client Service";
+              after = [ "network.target" ];
+              serviceConfig =
+              {
+                Type = "simple";
+                User = "frp";
+                Restart = "always";
+                RestartSec = "5s";
+                ExecStart = "${frpc} -c ${config.path}";
+                LimitNOFILE = 1048576;
+              };
+              wantedBy= [ "multi-user.target" ];
+              restartTriggers = [ config.file ];
+            };
+          sops =
+          {
+            templates."frpc.ini" =
+            {
+              owner = inputs.config.users.users.frp.name;
+              group = inputs.config.users.users.frp.group;
+              content = inputs.lib.generators.toINI {}
+              (
+                {
+                  common =
+                  {
+                    server_addr = frpClient.serverName;
+                    server_port = 7000;
+                    token = inputs.config.sops.placeholder."frp/token";
+                    user = frpClient.user;
+                    tls_enable = true;
+                  };
+                }
+                // (listToAttrs (map
+                  (tcp:
+                  {
+                    name = tcp.name;
+                    value =
+                    {
+                      type = "tcp";
+                      local_ip = tcp.value.localIp;
+                      local_port = tcp.value.localPort;
+                      remote_port = tcp.value.remotePort;
+                      use_compression = true;
+                    };
+                  })
+                  (attrsToList frpClient.tcp))
+                )
+              );
+            };
+            secrets."frp/token" = {};
+          };
+          users = { users.frp = { isSystemUser = true; group = "frp"; }; groups.frp = {}; };
+        }
+      )
+      (
+        mkIf frpServer.enable
+        {
+          systemd.services.frps =
+            let
+              frps = "${inputs.pkgs.frp}/bin/frps";
+              config = inputs.config.sops.templates."frps.ini";
+            in
+            {
+              description = "Frp Server Service";
+              after = [ "network.target" ];
+              serviceConfig =
+              {
+                Type = "simple";
+                User = "frp";
+                Restart = "on-failure";
+                RestartSec = "5s";
+                ExecStart = "${frps} -c ${config.path}";
+                LimitNOFILE = 1048576;
+              };
+              wantedBy= [ "multi-user.target" ];
+              restartTriggers = [ config.file ];
+            };
+          sops =
+          {
+            templates."frps.ini" =
+            {
+              owner = inputs.config.users.users.frp.name;
+              group = inputs.config.users.users.frp.group;
+              content = inputs.lib.generators.toINI {}
+              {
+                common = let cert = inputs.config.security.acme.certs.${frpServer.serverName}.directory; in
+                {
+                  bind_port = 7000;
+                  bind_udp_port = 7000;
+                  token = inputs.config.sops.placeholder."frp/token";
+                  tls_cert_file = "${cert}/full.pem";
+                  tls_key_file = "${cert}/key.pem";
+                  tls_only = true;
+                  user_conn_timeout = 30;
+                };
+              };
+            };
+            secrets."frp/token" = {};
+          };
+          nixos.services.acme = { enable = true; certs = [ frpServer.serverName ]; };
+          security.acme.certs.${frpServer.serverName}.group = "frp";
+          users = { users.frp = { isSystemUser = true; group = "frp"; }; groups.frp = {}; };
+          networking.firewall.allowedTCPPorts = [ 7000 ];
+        }
+      )
+    ];
+}

modules/services/groupshare.nix

@@ -0,0 +1,37 @@
+inputs:
+{
+  options.nixos.services.groupshare = let inherit (inputs.lib) mkOption types; in
+  {
+    enable = mkOption { type = types.bool; default = false; };
+    # hard to read value from inputs.config.users.users.xxx.home, causing infinite recursion
+    mountPoints = mkOption { type = types.listOf types.str; default = []; };
+  };
+  config =
+    let
+      inherit (inputs.lib) mkIf;
+      inherit (builtins) listToAttrs map concatLists;
+      inherit (inputs.config.nixos.services) groupshare;
+      users = inputs.config.users.groups.groupshare.members;
+    in mkIf groupshare.enable
+    {
+      users.groups.groupshare = {};
+      systemd.tmpfiles.rules = [ "d /var/lib/groupshare" ]
+        ++ (concatLists (map
+          (user:
+          [
+            "d /var/lib/groupshare/${user} 2750 ${user} groupshare"
+            # systemd 253 does not support 'X' bit, it should be manually set
+            # sudo setfacl -m 'xxx' dir
+            # ("a /var/lib/groupshare/${user} - - - - "
+            #   + "d:u:${user}:rwX,u:${user}:rwX,d:g:groupshare:r-X,g:groupshare:r-X,d:o::---,o::---,d:m::r-x,m::r-x")
+          ])
+          users));
+      fileSystems = listToAttrs (map
+        (mountPoint:
+        {
+          name = mountPoint;
+          value = { device = "/var/lib/groupshare"; options = [ "bind" ]; depends = [ "/home" "/var/lib" ]; };
+        })
+        groupshare.mountPoints);
+    };
+}

modules/services/mariadb.nix

@@ -0,0 +1,62 @@
+inputs:
+{
+  options.nixos.services.mariadb = let inherit (inputs.lib) mkOption types; in
+  {
+    enable = mkOption { type = types.bool; default = false; };
+    instances = mkOption
+    {
+      type = types.attrsOf (types.submodule (submoduleInputs: { options =
+      {
+        database = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
+        user = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
+        passwordFile = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
+      };}));
+      default = {};
+    };
+  };
+  config =
+    let
+      inherit (inputs.config.nixos.services) mariadb;
+      inherit (inputs.lib) mkAfter mkIf;
+      inherit (inputs.localLib) attrsToList;
+      inherit (builtins) map listToAttrs concatStringsSep filter;
+    in mkIf mariadb.enable
+    {
+      services =
+      {
+        mysql =
+        {
+          enable = true;
+          package = inputs.pkgs.mariadb;
+          ensureDatabases = map (db: db.value.database) (attrsToList mariadb.instances);
+          ensureUsers = map
+            (db:
+            {
+              name = db.value.user;
+              ensurePermissions."${db.value.database}.*" = "ALL PRIVILEGES";
+            })
+            (attrsToList mariadb.instances);
+        };
+        mysqlBackup =
+        {
+          enable = true;
+          databases = map (db: db.value.database) (attrsToList mariadb.instances);
+        };
+      };
+      systemd.services.mysql.postStart = mkAfter (concatStringsSep "\n" (map
+        (db:
+          let
+            passwordFile =
+              if db.value.passwordFile or null != null then db.value.passwordFile
+              else inputs.config.sops.secrets."mariadb/${db.value.user}".path;
+            mysql = "${inputs.config.services.mysql.package}/bin/mysql";
+          in
+            # set user password
+            ''echo "ALTER USER '${db.value.user}'@'localhost' IDENTIFIED VIA unix_socket OR mysql_native_password ''
+              + ''USING PASSWORD('$(cat ${passwordFile})');" | ${mysql} -N'')
+        (attrsToList mariadb.instances)));
+      sops.secrets = listToAttrs (map
+        (db: { name = "mariadb/${db.value.user}"; value.owner = inputs.config.users.users.mysql.name; })
+        (filter (db: db.value.passwordFile == null) (attrsToList mariadb.instances)));
+    };
+}

modules/services/meilisearch.nix

@@ -0,0 +1,113 @@
+inputs:
+{
+  options.nixos.services.meilisearch = let inherit (inputs.lib) mkOption types; in
+  {
+    instances = mkOption
+    {
+      type = types.attrsOf (types.submodule (submoduleInputs: { options =
+      {
+        user = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
+        port = mkOption { type = types.ints.unsigned; };
+      };}));
+      default = {};
+    };
+    ioLimitDevice = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
+  };
+  config =
+    let
+      inherit (inputs.config.nixos.services) meilisearch;
+      inherit (inputs.localLib) stripeTabs attrsToList;
+      inherit (builtins) map listToAttrs;
+    in
+    {
+      systemd =
+      {
+        services = listToAttrs (map
+          (instance:
+          {
+            name = "meilisearch-${instance.name}";
+            value =
+            {
+              description = "meiliSearch ${instance.name}";
+              wantedBy = [ "multi-user.target" ];
+              after = [ "network.target" ];
+              # environment.RUST_BACKTRACE = "full";
+              serviceConfig =
+              {
+                User = instance.value.user;
+                Group = inputs.config.users.users.${instance.value.user}.group;
+                ExecStart =
+                  let
+                    meilisearch = inputs.pkgs.unstablePackages.meilisearch.overrideAttrs (prev:
+                    {
+                      RUSTFLAGS = prev.RUSTFLAGS or [] ++ [ "-Clto=true" "-Cpanic=abort" "-Cembed-bitcode=yes"]
+                        ++ (
+                          let inherit (inputs.config.nixos.system.nixpkgs) march;
+                          in (if march != null then [ "-Ctarget-cpu=${march}" ] else [])
+                        );
+                    });
+                    config = inputs.config.sops.templates."meilisearch-${instance.name}.toml".path;
+                  in
+                    "${meilisearch}/bin/meilisearch --config-file-path ${config}";
+                Restart = "always";
+                StartLimitBurst = 3;
+                LimitNOFILE = "infinity";
+                LimitNPROC = "infinity";
+                LimitCORE = "infinity";
+                CPUSchedulingPolicy = "idle";
+                IOSchedulingClass = "idle";
+                IOSchedulingPriority = 4;
+                IOAccounting = true;
+                IOWeight = 1;
+                Nice = 19;
+                Slice = "-.slice";
+              }
+              // (if meilisearch.ioLimitDevice != null then
+              {
+                IOReadBandwidthMax = "${meilisearch.ioLimitDevice} 20M";
+                IOWriteBandwidthMax = "${meilisearch.ioLimitDevice} 20M";
+                # iostat -dx 1
+                IOReadIOPSMax = "${meilisearch.ioLimitDevice} 100";
+                IOWriteIOPSMax = "${meilisearch.ioLimitDevice} 100";
+              } else {});
+            };
+          })
+          (attrsToList meilisearch.instances));
+        tmpfiles.rules = map
+          (instance:
+            let
+              user = instance.value.user;
+              group = inputs.config.users.users.${instance.value.user}.group;
+            in
+              "d /var/lib/meilisearch/${instance.name} 0700 ${user} ${group}")
+          (attrsToList meilisearch.instances);
+      };
+      sops =
+      {
+        templates = listToAttrs (map
+          (instance:
+          {
+            name = "meilisearch-${instance.name}.toml";
+            value =
+            {
+              content =
+              ''
+                db_path = "/var/lib/meilisearch/${instance.name}"
+                http_addr = "0.0.0.0:${toString instance.value.port}"
+                master_key = "${inputs.config.sops.placeholder."meilisearch/${instance.name}"}"
+                env = "production"
+                dump_dir = "/var/lib/meilisearch/${instance.name}/dumps"
+                log_level = "INFO"
+                max_indexing_memory = "16Gb"
+                max_indexing_threads = 1
+              '';
+              owner = instance.value.user;
+            };
+          })
+          (attrsToList meilisearch.instances));
+        secrets = listToAttrs (map
+          (instance: { name = "meilisearch/${instance.name}"; value = {}; })
+          (attrsToList meilisearch.instances));
+      };
+    };
+}

modules/services/misskey.nix

@@ -0,0 +1,165 @@
+inputs:
+{
+  options.nixos.services.misskey.instances = let inherit (inputs.lib) mkOption types; in mkOption
+  {
+    type = types.attrsOf (types.submodule { options =
+    {
+      autoStart = mkOption { type = types.bool; default = true; };
+      port = mkOption { type = types.ints.unsigned; default = 9726; };
+      redis.port = mkOption { type = types.ints.unsigned; default = 3545; };
+      hostname = mkOption { type = types.str; default = "misskey.chn.moe"; };
+      meilisearch =
+      {
+        enable = mkOption { type = types.bool; default = true; };
+        port = mkOption { type = types.ints.unsigned; default = 7700; };
+      };
+    };});
+    default = {};
+  };
+  config =
+    let
+      inherit (inputs.config.nixos.services) misskey;
+      inherit (inputs.localLib) attrsToList;
+      inherit (inputs.lib) mkMerge mkIf;
+      inherit (builtins) map listToAttrs toString replaceStrings filter;
+    in
+    {
+      systemd = mkMerge (map
+        (instance:
+        {
+          services."misskey-${instance.name}" = rec
+          {
+            enable = instance.value.autoStart;
+            description = "misskey ${instance.name}";
+            after = [ "network.target" "redis-misskey-${instance.name}.service" "postgresql.service" ]
+              ++ (if instance.value.meilisearch.enable then [ "meilisearch-misskey-${instance.name}.service" ]
+                else []);
+            requires = after;
+            wantedBy = [ "multi-user.target" ];
+            environment.MISSKEY_CONFIG_YML = inputs.config.sops.templates."misskey/${instance.name}.yml".path;
+            serviceConfig = rec
+            {
+              User = inputs.config.users.users."misskey-${instance.name}".name;
+              Group = inputs.config.users.users."misskey-${instance.name}".group;
+              WorkingDirectory = "/var/lib/misskey/${instance.name}/work";
+              ExecStart = "${WorkingDirectory}/bin/misskey";
+              CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+              AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+              Restart = "always";
+            };
+          };
+          tmpfiles.rules =
+            [ "d /var/lib/misskey/${instance.name}/files 0700 misskey-${instance.name} misskey-${instance.name}" ];
+        })
+        (attrsToList misskey.instances));
+      fileSystems = mkMerge (map
+        (instance:
+        {
+          "/var/lib/misskey/${instance.name}/work" =
+          {
+            device = "${inputs.pkgs.localPackages.misskey}";
+            options = [ "bind" "private" "x-gvfs-hide" ];
+          };
+          "/var/lib/misskey/${instance.name}/work/files" =
+          {
+            device = "/var/lib/misskey/${instance.name}/files";
+            options = [ "bind" "private" "x-gvfs-hide" ];
+          };
+        })
+        (attrsToList misskey.instances));
+      sops.templates = listToAttrs (map
+        (instance:
+        {
+          name = "misskey/${instance.name}.yml";
+          value =
+          {
+            content =
+              let
+                placeholder = inputs.config.sops.placeholder;
+                redis = inputs.config.nixos.services.redis.instances."misskey-${instance.name}";
+                meilisearch = inputs.config.nixos.services.meilisearch.instances."misskey-${instance.name}";
+              in
+              ''
+                url: https://${instance.value.hostname}/
+                port: ${toString instance.value.port}
+                db:
+                  host: 127.0.0.1
+                  port: 5432
+                  db: misskey_${replaceStrings [ "-" ] [ "_" ] instance.name}
+                  user: misskey_${replaceStrings [ "-" ] [ "_" ] instance.name}
+                  pass: ${placeholder."postgresql/misskey_${replaceStrings [ "-" ] [ "_" ] instance.name}"}
+                  extra:
+                    statement_timeout: 60000
+                dbReplications: false
+                redis:
+                  host: 127.0.0.1
+                  port: ${toString redis.port}
+                  pass: ${placeholder."redis/misskey-${instance.name}"}
+                id: 'aid'
+                proxyBypassHosts:
+                  - api.deepl.com
+                  - api-free.deepl.com
+                  - www.recaptcha.net
+                  - hcaptcha.com
+                  - challenges.cloudflare.com
+                proxyRemoteFiles: true
+                signToActivityPubGet: true
+                maxFileSize: 1073741824
+              ''
+              + (if instance.value.meilisearch.enable then
+              ''
+                meilisearch:
+                  host: 127.0.0.1
+                  port: ${toString meilisearch.port}
+                  apiKey: ${placeholder."meilisearch/misskey-${instance.name}"}
+                  ssl: false
+                  index: misskey
+                  scope: globa
+              '' else "");
+            owner = inputs.config.users.users."misskey-${instance.name}".name;
+          };
+        })
+        (attrsToList misskey.instances));
+      users = mkMerge (map
+        (instance:
+        {
+          users."misskey-${instance.name}" =
+          {
+            isSystemUser = true;
+            group = "misskey-${instance.name}";
+            home = "/var/lib/misskey/${instance.name}";
+            createHome = true;
+          };
+          groups."misskey-${instance.name}" = {};
+        })
+        (attrsToList misskey.instances));
+      nixos.services =
+      {
+        redis.instances = listToAttrs (map
+          (instance:
+          {
+            name = "misskey-${instance.name}";
+            value.port = instance.value.redis.port;
+          })
+          (attrsToList misskey.instances));
+        postgresql =
+        {
+          enable = mkIf (misskey.instances != {}) true;
+          instances = listToAttrs (map
+            (instance: { name = "misskey_${replaceStrings [ "-" ] [ "_" ] instance.name}"; value = {}; })
+            (attrsToList misskey.instances));
+        };
+        meilisearch.instances = listToAttrs (map
+          (instance:
+          {
+            name = "misskey-${instance.name}";
+            value =
+            {
+              user = inputs.config.users.users."misskey-${instance.name}".name;
+              port = instance.value.meilisearch.port;
+            };
+          })
+          (filter (instance: instance.value.meilisearch.enable) (attrsToList misskey.instances)));
+      };
+    };
+}

modules/services/nextcloud.nix

@@ -0,0 +1,89 @@
+inputs:
+{
+  options.nixos.services.nextcloud = let inherit (inputs.lib) mkOption types; in
+  {
+    enable = mkOption { type = types.bool; default = false; };
+    hostname = mkOption { type = types.str; default = "nextcloud.chn.moe"; };
+  };
+  config =
+    let
+      inherit (inputs.config.nixos.services) nextcloud;
+      inherit (inputs.localLib) attrsToList;
+      inherit (inputs.lib) mkIf mkMerge;
+      inherit (builtins) map listToAttrs toString replaceStrings filter toJSON;
+    in mkIf nextcloud.enable
+    {
+      services.nextcloud =
+      {
+        enable = true;
+        hostName = nextcloud.hostname;
+        appstoreEnable = false;
+        https = true;
+        package = inputs.pkgs.nextcloud27;
+        maxUploadSize = "10G";
+        config =
+        {
+          dbtype = "pgsql";
+          dbpassFile = inputs.config.sops.secrets."nextcloud/postgresql".path;
+          dbport = 5432;
+          adminuser = "admin";
+          adminpassFile = inputs.config.sops.secrets."nextcloud/admin".path;
+          overwriteProtocol = "https";
+          defaultPhoneRegion = "CN";
+        };
+        configureRedis = true;
+        extraOptions =
+        {
+          mail_domain = "chn.moe";
+          mail_from_address = "bot";
+          mail_smtphost = "mail.chn.moe";
+          mail_smtpport = 465;
+          mail_smtpsecure = "ssl";
+          mail_smtpauth = true;
+          mail_smtpname = "bot@chn.moe";
+          updatechecker = false;
+        };
+        secretFile = inputs.config.sops.templates."nextcloud/secret".path;
+        extraApps =
+        {
+          maps = inputs.pkgs.fetchNextcloudApp
+          {
+            url = "https://github.com/nextcloud/maps/releases/download/v1.1.1/maps-1.1.1.tar.gz";
+            sha256 = "1rcmqnm5364h5gaq1yy6b6d7k17napgn0yc9ymrnn75bps9s71v9";
+          };
+          phonetrack = inputs.pkgs.fetchNextcloudApp
+          {
+            url = "https://github.com/julien-nc/phonetrack/releases/download/v0.7.6/phonetrack-0.7.6.tar.gz";
+            sha256 = "1p15vw7c5c1h08czyxi1r6svjd5hjmnc0i6is4vl3xq2kfjmcyyx";
+          };
+          twofactor_webauthn = inputs.pkgs.fetchNextcloudApp
+          {
+            url = "https://github.com/nextcloud-releases/twofactor_webauthn/releases/download/v1.2.0/twofactor_webauthn-v1.2.0.tar.gz";
+            sha256 = "1lqcw74rsnl8c4sirw9208ra3c8zl8zp93scs7y8fv2n4n60l465";
+          };
+        };
+      };
+      nixos.services =
+      {
+        postgresql = { enable = true; instances.nextcloud = {}; };
+        redis.instances.nextcloud.port = 3499;
+      };
+      sops =
+      {
+        templates."nextcloud/secret" =
+        {
+          content = toJSON
+          {
+            redis.password = inputs.config.sops.placeholder."redis/nextcloud";
+            mail_smtppassword = inputs.config.sops.placeholder."mail/bot";
+          };
+          owner = inputs.config.users.users.nextcloud.name;
+        };
+        secrets =
+        {
+          "nextcloud/postgresql" = { key = "postgresql/nextcloud"; owner = inputs.config.users.users.nextcloud.name; };
+          "nextcloud/admin".owner = inputs.config.users.users.nextcloud.name;
+        };
+      };
+    };
+}

modules/services/nginx/applications/default.nix

@@ -0,0 +1,12 @@
+inputs:
+{
+  imports = inputs.localLib.mkModules
+  [
+    ./misskey.nix
+    ./synapse.nix
+    ./vaultwarden.nix
+    ./element.nix
+    ./photoprism.nix
+    ./nextcloud.nix
+  ];
+}

modules/services/nginx/applications/element.nix

@@ -0,0 +1,41 @@
+inputs:
+{
+  options.nixos.services.nginx.applications.element.instances = let inherit (inputs.lib) mkOption types; in mkOption
+  {
+    type = types.attrsOf (types.submodule (submoduleInputs: { options =
+    {
+      hostname = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
+      defaultServer = mkOption { type = types.nullOr types.nonEmptyStr; default = "element.chn.moe"; };
+    };}));
+    default = {};
+  };
+  config =
+    let
+      inherit (inputs.config.nixos.services.nginx.applications.element) instances;
+      inherit (inputs.localLib) attrsToList;
+      inherit (builtins) map listToAttrs toString;
+    in
+    {
+      nixos.services.nginx.http = listToAttrs (map
+        (instance: with instance.value;
+        {
+          name = hostname;
+          value =
+          {
+            rewriteHttps = true;
+            locations."/".static.root =
+              if defaultServer == null then toString inputs.pkgs.element-web
+              else toString (inputs.pkgs.element-web.override { conf =
+              {
+                default_server_config."m.homeserver" =
+                {
+                  base_url = "https://${defaultServer}";
+                  server_name = defaultServer;
+                };
+                disable_guests = false;
+              };});
+          };
+        })
+        (attrsToList instances));
+    };
+}

modules/services/nginx/applications/misskey.nix

@@ -0,0 +1,45 @@
+inputs:
+{
+  options.nixos.services.nginx.applications.misskey.instances = let inherit (inputs.lib) mkOption types; in mkOption
+  {
+    type = types.attrsOf (types.submodule (submoduleInputs: { options =
+    {
+      hostname = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
+      upstream = mkOption
+      {
+        type = types.oneOf [ types.nonEmptyStr (types.submodule { options =
+        {
+          address = mkOption { type = types.nonEmptyStr; default = "127.0.0.1"; };
+          port = mkOption { type = types.ints.unsigned; default = 9726; };
+        };})];
+        default = "127.0.0.1:9726";
+      };
+    };}));
+    default = {};
+  };
+  config =
+    let
+      inherit (inputs.config.nixos.services.nginx.applications.misskey) instances;
+      inherit (inputs.localLib) attrsToList;
+      inherit (builtins) map listToAttrs toString;
+    in
+    {
+      nixos.services.nginx.http = listToAttrs (map
+        (proxy: with proxy.value;
+        {
+          name = hostname;
+          value =
+          {
+            rewriteHttps = true;
+            locations."/".proxy =
+            {
+              upstream = if builtins.typeOf upstream == "string" then "http://${upstream}"
+                else "http://${upstream.address}:${toString upstream.port}";
+              websocket = true;
+              setHeaders.Host = hostname;
+            };
+          };
+        })
+        (attrsToList instances));
+    };
+}

modules/services/nginx/applications/nextcloud.nix

@@ -0,0 +1,48 @@
+inputs:
+{
+  options.nixos.services.nginx.applications.nextcloud = let inherit (inputs.lib) mkOption types; in
+  {
+    instance.enable = mkOption
+    {
+      type = types.addCheck types.bool (value: value -> inputs.config.nixos.services.nextcloud.enable);
+      default = false;
+    };
+    proxy =
+    {
+      enable = mkOption
+      {
+        type = types.addCheck types.bool
+          (value: value -> !inputs.config.nixos.services.nginx.applications.nextcloud.instance.enable);
+        default = false;
+      };
+      upstream = mkOption { type = types.nonEmptyStr; };
+    };
+  };
+  config =
+    let
+      inherit (inputs.config.nixos.services.nginx.applications) nextcloud;
+      inherit (inputs.lib) mkIf mkMerge;
+      inherit (inputs.localLib) attrsToList;
+      inherit (builtins) map listToAttrs;
+    in mkMerge
+    [
+      (mkIf (nextcloud.instance.enable)
+      {
+        nixos.services.nginx.http.${inputs.config.nixos.services.nextcloud.hostname}.rewriteHttps = true;
+        services.nginx.virtualHosts.${inputs.config.nixos.services.nextcloud.hostname} = mkMerge
+        [
+          (inputs.config.services.nextcloud.nginx.recommendedConfig { upstream = "127.0.0.1"; })
+          { listen = [ { addr = "0.0.0.0"; port = 8417; ssl = true; extraParameters = [ "proxy_protocol" ]; } ]; }
+        ];
+      })
+      (mkIf (nextcloud.proxy.enable)
+      {
+        nixos.services.nginx.streamProxy.map.${inputs.config.nixos.services.nextcloud.hostname} =
+        {
+          upstream = "${nextcloud.proxy.upstream}:8417";
+          rewriteHttps = true;
+          proxyProtocol = true;
+        };
+      })
+    ];
+}

modules/services/nginx/applications/photoprism.nix

@@ -0,0 +1,45 @@
+inputs:
+{
+  options.nixos.services.nginx.applications.photoprism.instances = let inherit (inputs.lib) mkOption types; in mkOption
+  {
+    type = types.attrsOf (types.submodule (submoduleInputs: { options =
+    {
+      hostname = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
+      upstream = mkOption
+      {
+        type = types.oneOf [ types.nonEmptyStr (types.submodule { options =
+        {
+          address = mkOption { type = types.nonEmptyStr; default = "127.0.0.1"; };
+          port = mkOption { type = types.ints.unsigned; default = 2342; };
+        };})];
+        default = "127.0.0.1:2342";
+      };
+    };}));
+    default = {};
+  };
+  config =
+    let
+      inherit (inputs.config.nixos.services.nginx.applications.photoprism) instances;
+      inherit (inputs.localLib) attrsToList;
+      inherit (builtins) map listToAttrs toString;
+    in
+    {
+      nixos.services.nginx.http = listToAttrs (map
+        (proxy: with proxy.value;
+        {
+          name = hostname;
+          value =
+          {
+            rewriteHttps = true;
+            locations."/".proxy =
+            {
+              upstream = if builtins.typeOf upstream == "string" then "http://${upstream}"
+                else "http://${upstream.address}:${toString upstream.port}";
+              websocket = true;
+              setHeaders.Host = hostname;
+            };
+          };
+        })
+        (attrsToList instances));
+    };
+}

modules/services/nginx/applications/synapse.nix

@@ -0,0 +1,46 @@
+inputs:
+{
+  options.nixos.services.nginx.applications.synapse.instances = let inherit (inputs.lib) mkOption types; in mkOption
+  {
+    type = types.attrsOf (types.submodule (submoduleInputs: { options =
+    {
+      hostname = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
+      upstream = mkOption
+      {
+        type = types.oneOf [ types.nonEmptyStr (types.submodule { options =
+        {
+          address = mkOption { type = types.nonEmptyStr; default = "127.0.0.1"; };
+          port = mkOption { type = types.ints.unsigned; default = 8008; };
+        };})];
+        default = "127.0.0.1:8008";
+      };
+    };}));
+    default = {};
+  };
+  config =
+    let
+      inherit (inputs.config.nixos.services.nginx.applications.synapse) instances;
+      inherit (inputs.localLib) attrsToList;
+      inherit (inputs.lib) mkIf mkMerge;
+      inherit (builtins) map listToAttrs;
+    in
+    {
+      nixos.services.nginx.http = listToAttrs (map
+        (proxy: with proxy.value;
+        {
+          name = hostname;
+          value =
+          {
+            rewriteHttps = true;
+            locations."/".proxy =
+            {
+              upstream = if builtins.typeOf upstream == "string" then "http://${upstream}"
+                else "http://${upstream.address}:${toString upstream.port}";
+              websocket = true;
+              setHeaders.Host = hostname;
+            };
+          };
+        })
+        (attrsToList instances));
+    };
+}

modules/services/nginx/applications/vaultwarden.nix

@@ -0,0 +1,44 @@
+inputs:
+{
+  options.nixos.services.nginx.applications.vaultwarden = let inherit (inputs.lib) mkOption types; in
+  {
+    enable = mkOption { type = types.bool; default = false; };
+    hostname = mkOption { type = types.nonEmptyStr; default = "vaultwarden.chn.moe"; };
+    upstream = mkOption
+    {
+      type = types.oneOf [ types.nonEmptyStr (types.submodule { options =
+      {
+        address = mkOption { type = types.nonEmptyStr; default = "127.0.0.1"; };
+        port = mkOption { type = types.ints.unsigned; default = 8000; };
+        websocketPort = mkOption { type = types.ints.unsigned; default = 3012; };
+      };})];
+      default = {};
+    };
+  };
+  config =
+    let
+      inherit (inputs.config.nixos.services.nginx.applications) vaultwarden;
+      inherit (builtins) listToAttrs;
+      inherit (inputs.lib) mkIf;
+    in mkIf vaultwarden.enable
+    {
+      nixos.services.nginx.http."${vaultwarden.hostname}" =
+      {
+        rewriteHttps = true;
+        locations = let upstream = vaultwarden.upstream; in (listToAttrs (map
+          (location: { name = location; value.proxy =
+          {
+            upstream = "http://${upstream.address or upstream}:${builtins.toString upstream.port or 8000}";
+            setHeaders = { Host = vaultwarden.hostname; Connection = ""; };
+          };})
+          [ "/" "/notifications/hub/negotiate" ]))
+          // { "/notifications/hub".proxy =
+          {
+            upstream =
+              "http://${upstream.address or upstream}:${builtins.toString upstream.websocketPort or 3012}";
+            websocket = true;
+            setHeaders.Host = vaultwarden.hostname;
+          };};
+      };
+    };
+}

modules/services/nginx/default.nix

@@ -0,0 +1,387 @@
+inputs:
+{
+  imports = inputs.localLib.mkModules
+  [
+    ./applications
+  ];
+  options.nixos.services.nginx = let inherit (inputs.lib) mkOption types; in
+  {
+    enable = mkOption { type = types.bool; default = false; };
+    transparentProxy =
+    {
+      enable = mkOption { type = types.bool; default = true; };
+      externalIp = mkOption { type = types.listOf types.nonEmptyStr; };
+      map = mkOption { type = types.attrsOf types.ints.unsigned; default = {};};
+    };
+    http = mkOption
+    {
+      type = types.attrsOf (types.submodule { options =
+      {
+        rewriteHttps = mkOption { type = types.bool; default = false; };
+        http2 = mkOption { type = types.bool; default = true; };
+        addAuth = mkOption { type = types.bool; default = false; };
+        detectAuth = mkOption { type = types.bool; default = false; };
+        locations = mkOption
+        {
+          type = types.attrsOf (types.addCheck
+            (types.submodule { options =
+            {
+              proxy = mkOption
+              {
+                type = types.nullOr (types.submodule { options =
+                {
+                  upstream = mkOption { type = types.nonEmptyStr; };
+                  websocket = mkOption { type = types.bool; default = false; };
+                  setHeaders = mkOption { type = types.attrsOf types.str; default = {}; };
+                };});
+                default = null;
+              };
+              static = mkOption
+              {
+                type = types.nullOr (types.submodule { options =
+                {
+                  root = mkOption { type = types.nonEmptyStr; };
+                  index = mkOption { type = types.nonEmptyStr; default = "index.html"; };
+                };});
+                default = null;
+              };
+            };})
+            (value: (inputs.lib.count (value: value != null) (builtins.attrValues value)) == 1));
+          default = {};
+        };
+      };});
+      default = {};
+    };
+    streamProxy =
+    {
+      enable = mkOption { type = types.bool; default = false; };
+      port = mkOption { type = types.ints.unsigned; default = 5575; };
+      portWithProxyProtocol = mkOption { type = types.ints.unsigned; default = 5576; };
+      map = mkOption
+      {
+        type = types.attrsOf (types.oneOf
+        [
+          types.nonEmptyStr
+          (types.submodule { options =
+          {
+            upstream = mkOption { type = types.nonEmptyStr; };
+            rewriteHttps = mkOption { type = types.bool; default = false; };
+            proxyProtocol = mkOption { type = types.bool; default = false; };
+          };})
+        ]);
+        default = {};
+      };
+    };
+  };
+  config =
+    let
+      inherit (inputs.lib) mkMerge mkIf;
+      inherit (inputs.localLib) stripeTabs attrsToList;
+      inherit (inputs.config.nixos.services) nginx;
+      inherit (builtins) map listToAttrs concatStringsSep toString filter attrValues;
+    in mkMerge
+    [
+      (mkIf nginx.enable
+      {
+        services =
+        {
+          nginx =
+          {
+            enable = true;
+            enableReload = true;
+            eventsConfig =
+            ''
+              worker_connections 524288;
+              use epoll;
+            '';
+            commonHttpConfig =
+            ''
+              geoip2 ${inputs.config.services.geoipupdate.settings.DatabaseDirectory}/GeoLite2-Country.mmdb {
+                $geoip2_data_country_code country iso_code;
+              }
+              log_format http '[$time_local] $remote_addr-$geoip2_data_country_code "$host"'
+                ' $request_length $bytes_sent $status "$request" referer: "$http_referer" ua: "$http_user_agent"';
+              access_log syslog:server=unix:/dev/log http;
+              proxy_ssl_server_name on;
+              proxy_ssl_session_reuse off;
+              send_timeout 10m;
+            '';
+            proxyTimeout = "10m";
+            virtualHosts = listToAttrs (map
+              (site:
+              {
+                inherit (site) name;
+                value =
+                {
+                  serverName = site.name;
+                  listen = [ { addr = "127.0.0.1"; port = (if site.value.http2 then 443 else 3065); ssl = true; } ]
+                    ++ (if site.value.rewriteHttps then [ { addr = "0.0.0.0"; port = 80; } ] else []);
+                  useACMEHost = site.name;
+                  locations = listToAttrs (map
+                    (location:
+                    {
+                      inherit (location) name;
+                      value =
+                        if (location.value.proxy != null) then
+                        {
+                          proxyPass = location.value.proxy.upstream;
+                          proxyWebsockets = location.value.proxy.websocket;
+                          recommendedProxySettings = false;
+                          recommendedProxySettingsNoHost = true;
+                          extraConfig = concatStringsSep "\n"
+                          (
+                            (map
+                              (header: ''proxy_set_header ${header.name} "${header.value}";'')
+                              (attrsToList location.value.proxy.setHeaders))
+                            ++ (if site.value.detectAuth then ["proxy_hide_header Authorization;"] else [])
+                            ++ (
+                              if site.value.addAuth then
+                                ["include ${inputs.config.sops.templates."nginx/addAuth/${site.name}-template".path};"]
+                              else [])
+                          );
+                        }
+                        else if (location.value.static != null) then
+                        {
+                          root = location.value.static.root;
+                          index = location.value.static.index;
+                        }
+                        else {};
+                    })
+                    (attrsToList site.value.locations));
+                  forceSSL = site.value.rewriteHttps;
+                  http2 = site.value.http2;
+                  basicAuthFile =
+                    if site.value.detectAuth then inputs.config.sops.secrets."nginx/detectAuth/${site.name}".path
+                    else null;
+                };
+              })
+              (attrsToList nginx.http));
+            recommendedZstdSettings = true;
+            recommendedTlsSettings = true;
+            recommendedProxySettings = true;
+            recommendedOptimisation = true;
+            recommendedGzipSettings = true;
+            recommendedBrotliSettings = true;
+            clientMaxBodySize = "0";
+            package =
+              let
+                nginx-geoip2 =
+                {
+                  name = "ngx_http_geoip2_module";
+                  src = inputs.pkgs.fetchFromGitHub
+                  {
+                    owner = "leev";
+                    repo = "ngx_http_geoip2_module";
+                    rev = "a607a41a8115fecfc05b5c283c81532a3d605425";
+                    hash = "sha256-CkmaeEa1iEAabJEDu3FhBUR7QF38koGYlyx+pyKZV9Y=";
+                  };
+                  meta.license = [];
+                };
+              in
+                (inputs.pkgs.nginxMainline.override (prev: { modules = prev.modules ++ [ nginx-geoip2 ]; }))
+                  .overrideAttrs (prev: { buildInputs = prev.buildInputs ++ [ inputs.pkgs.libmaxminddb ]; });
+            streamConfig =
+            ''
+              geoip2 ${inputs.config.services.geoipupdate.settings.DatabaseDirectory}/GeoLite2-Country.mmdb
+              {
+                $geoip2_data_country_code country iso_code;
+              }
+              resolver 8.8.8.8;
+            '';
+            # todo: use host dns
+            resolver.addresses = [ "8.8.8.8" ];
+          };
+          geoipupdate =
+          {
+            enable = true;
+            settings =
+            {
+              AccountID = 901296;
+              LicenseKey = inputs.config.sops.secrets."nginx/maxmind-license".path;
+              EditionIDs = [ "GeoLite2-ASN" "GeoLite2-City" "GeoLite2-Country" ];
+            };
+          };
+        };
+        sops =
+        {
+          templates = listToAttrs (map
+            (site:
+            {
+              name = "nginx/addAuth/${site.name}-template";
+              value =
+              {
+                content =
+                  let placeholder = inputs.config.sops.placeholder."nginx/addAuth/${site.name}";
+                  in ''proxy_set_header Authorization "Basic ${placeholder}";'';
+                owner = inputs.config.users.users.nginx.name;
+              };
+            })
+            (filter (site: site.value.addAuth) (attrsToList nginx.http)));
+          secrets = { "nginx/maxmind-license".owner = inputs.config.users.users.nginx.name; }
+            // (listToAttrs (map
+              (site: { name = "nginx/detectAuth/${site.name}"; value.owner = inputs.config.users.users.nginx.name; })
+              (filter (site: site.value.detectAuth) (attrsToList nginx.http))))
+            // (listToAttrs (map
+              (site: { name = "nginx/addAuth/${site.name}"; value = {}; })
+              (filter (site: site.value.addAuth) (attrsToList nginx.http))));
+        };
+        systemd.services.nginx.serviceConfig =
+        {
+          CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];
+          AmbientCapabilities = [ "CAP_NET_ADMIN" ];
+          LimitNPROC = 65536;
+          LimitNOFILE = 524288;
+        };
+        nixos.services.acme =
+        {
+          enable = true;
+          certs = map (cert: cert.name) (attrsToList nginx.http);
+        };
+        security.acme.certs = listToAttrs (map
+          (cert: { inherit (cert) name; value.group = inputs.config.services.nginx.group; })
+          (attrsToList nginx.http));
+      })
+      (mkIf nginx.transparentProxy.enable
+      {
+        services.nginx.streamConfig =
+        ''
+          log_format transparent_proxy '[$time_local] $remote_addr-$geoip2_data_country_code '
+            '"$ssl_preread_server_name"->$transparent_proxy_backend $bytes_sent $bytes_received';
+          map $ssl_preread_server_name $transparent_proxy_backend
+          {
+            ${concatStringsSep "\n" (map
+              (x: ''                  "${x.name}" 127.0.0.1:${toString x.value};'')
+              (
+                (attrsToList nginx.transparentProxy.map)
+                ++ (map
+                  (site: { name = site.name; value = (if site.value.http2 then 443 else 3065); })
+                  (attrsToList nginx.http)
+                )
+              ))}
+            default 127.0.0.1:443;
+          }
+          server
+          {
+            ${concatStringsSep "\n            " (map (ip: "listen ${ip}:443;") nginx.transparentProxy.externalIp)}
+            ssl_preread on;
+            proxy_bind $remote_addr transparent;
+            proxy_pass $transparent_proxy_backend;
+            proxy_connect_timeout 1s;
+            proxy_socket_keepalive on;
+            proxy_buffer_size 128k;
+            access_log syslog:server=unix:/dev/log transparent_proxy;
+          }
+        '';
+        networking.firewall.allowedTCPPorts = [ 80 443 ];
+        systemd.services.nginx-proxy =
+          let
+            ipset = "${inputs.pkgs.ipset}/bin/ipset";
+            iptables = "${inputs.pkgs.iptables}/bin/iptables";
+            ip = "${inputs.pkgs.iproute}/bin/ip";
+            start = inputs.pkgs.writeShellScript "nginx-proxy.start"
+            (
+              ''
+                ${ipset} create nginx_proxy_port bitmap:port range 0-65535
+                ${iptables} -t mangle -N nginx_proxy_mark
+                ${iptables} -t mangle -A OUTPUT -j nginx_proxy_mark
+                ${iptables} -t mangle -A nginx_proxy_mark -s 127.0.0.1 -p tcp \
+                  -m set --match-set nginx_proxy_port src -j MARK --set-mark 2/2
+                ${iptables} -t mangle -N nginx_proxy
+                ${iptables} -t mangle -A PREROUTING -j nginx_proxy
+                ${iptables} -t mangle -A nginx_proxy -s 127.0.0.1 -p tcp \
+                  -m set --match-set nginx_proxy_port src -j MARK --set-mark 2/2
+                ${ip} rule add fwmark 2/2 table 200
+                ${ip} route add local 0.0.0.0/0 dev lo table 200
+              ''
+              + concatStringsSep "\n" (map
+                (port: ''${ipset} add nginx_proxy_port ${toString port}'')
+                (inputs.lib.unique ((attrValues nginx.transparentProxy.map) ++ [ 443 3065 ])))
+            );
+            stop = inputs.pkgs.writeShellScript "nginx-proxy.stop"
+            ''
+              ${iptables} -t mangle -F nginx_proxy_mark
+              ${iptables} -t mangle -D OUTPUT -j nginx_proxy_mark
+              ${iptables} -t mangle -X nginx_proxy_mark
+              ${iptables} -t mangle -F nginx_proxy
+              ${iptables} -t mangle -D PREROUTING -j nginx_proxy
+              ${iptables} -t mangle -X nginx_proxy
+              ${ip} rule del fwmark 2/2 table 200
+              ${ip} route del local 0.0.0.0/0 dev lo table 200
+              ${ipset} destroy nginx_proxy_port
+            '';
+          in
+          {
+            description = "nginx transparent proxy";
+            after = [ "network.target" ];
+            serviceConfig =
+            {
+              Type = "simple";
+              RemainAfterExit = true;
+              ExecStart = start;
+              ExecStop = stop;
+            };
+            wants = [ "network.target" ];
+            wantedBy= [ "multi-user.target" ];
+          };
+      })
+      (mkIf nginx.streamProxy.enable
+      {
+        services.nginx =
+        {
+          streamConfig =
+          ''
+            log_format stream_proxy '[$time_local] $remote_addr-$geoip2_data_country_code '
+              '"$ssl_preread_server_name"->$stream_proxy_backend $bytes_sent $bytes_received';
+            map $ssl_preread_server_name $stream_proxy_backend
+            {
+              ${concatStringsSep "\n" (map
+                (x: ''                  "${x.name}" "${x.value.upstream or x.value}";'')
+                (attrsToList nginx.streamProxy.map))}
+            }
+            server
+            {
+              listen 127.0.0.1:${toString nginx.streamProxy.port};
+              ssl_preread on;
+              proxy_pass $stream_proxy_backend;
+              proxy_connect_timeout 10s;
+              proxy_socket_keepalive on;
+              proxy_buffer_size 128k;
+              access_log syslog:server=unix:/dev/log stream_proxy;
+            }
+            server
+            {
+              listen 127.0.0.1:${toString nginx.streamProxy.portWithProxyProtocol};
+              proxy_protocol on;
+              ssl_preread on;
+              proxy_pass $stream_proxy_backend;
+              proxy_connect_timeout 10s;
+              proxy_socket_keepalive on;
+              proxy_buffer_size 128k;
+              access_log syslog:server=unix:/dev/log stream_proxy;
+            }
+          '';
+          virtualHosts = listToAttrs (map
+            (site:
+            {
+              inherit (site) name;
+              value =
+              {
+                serverName = site.name;
+                listen = [ { addr = "0.0.0.0"; port = 80; } ];
+                locations."/".return = "301 https://${site.name}$request_uri";
+              };
+            })
+            (filter (site: site.value.rewriteHttps or false) (attrsToList nginx.streamProxy.map)));
+        };
+        nixos.services.nginx.transparentProxy.map = listToAttrs
+        (
+          (map
+            (site: { name = site.name; value = nginx.streamProxy.port; })
+            (filter (site: !(site.value.proxyProtocol or false)) (attrsToList nginx.streamProxy.map)))
+          ++ (map
+            (site: { name = site.name; value = nginx.streamProxy.portWithProxyProtocol; })
+            (filter (site: site.value.proxyProtocol or false) (attrsToList nginx.streamProxy.map)))
+        );
+      })
+    ];
+}

modules/services/photoprism.nix

@@ -0,0 +1,47 @@
+inputs:
+{
+  options.nixos.services.photoprism = let inherit (inputs.lib) mkOption types; in
+  {
+    enable = mkOption { type = types.bool; default = false; };
+    hostname = mkOption { type = types.str; default = "photoprism.chn.moe"; };
+    port = mkOption { type = types.ints.unsigned; default = 2342; };
+  };
+  config =
+    let
+      inherit (inputs.lib) mkIf;
+      inherit (inputs.config.nixos.services) photoprism;
+    in mkIf photoprism.enable
+    {
+      services.photoprism =
+      {
+        enable = true;
+        originalsPath = inputs.config.services.photoprism.storagePath + "/originals";
+        settings =
+        {
+          PHOTOPRISM_SITE_URL = "https://${photoprism.hostname}";
+          PHOTOPRISM_HTTP_PORT = "${toString photoprism.port}";
+          PHOTOPRISM_DISABLE_TLS = "true";
+          PHOTOPRISM_DETECT_NSFW = "true";
+          PHOTOPRISM_UPLOAD_NSFW = "true";
+          PHOTOPRISM_DATABASE_DRIVER = "mysql";
+          PHOTOPRISM_DATABASE_SERVER = "127.0.0.1:3306";
+        };
+      };
+      systemd.services.photoprism =
+      {
+        after = [ "mariadb.service" ];
+        requires = [ "mariadb.service" ];
+        serviceConfig.EnvironmentFile = inputs.config.sops.templates."photoprism/env".path; 
+      };
+      sops =
+      {
+        templates."photoprism/env".content = let placeholder = inputs.config.sops.placeholder; in
+        ''
+          PHOTOPRISM_ADMIN_PASSWORD=${placeholder."photoprism/adminPassword"}
+          PHOTOPRISM_DATABASE_PASSWORD=${placeholder."mariadb/photoprism"}
+        '';
+        secrets."photoprism/adminPassword" = {}; 
+      };
+      nixos.services.mariadb = { enable = true; instances.photoprism = {}; };
+    };
+}

modules/services/phpfpm.nix

@@ -0,0 +1,60 @@
+inputs:
+{
+  options.nixos.services.phpfpm = let inherit (inputs.lib) mkOption types; in
+  {
+    instances = mkOption
+    {
+      type = types.attrsOf (types.submodule (submoduleInputs: { options =
+      {
+        user = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
+        group = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
+        package = mkOption { type = types.nullOr types.package; default = null; };
+      };}));
+      default = {};
+    };
+  };
+  config =
+  let
+    inherit (builtins) map listToAttrs filter;
+    inherit (inputs.localLib) attrsToList;
+    inherit (inputs.config.nixos.services) phpfpm;
+  in
+  {
+    services.phpfpm.pools = listToAttrs (map
+      (pool:
+      {
+        inherit (pool) name;
+        value = rec
+        {
+          user = if pool.value.user == null then pool.name else pool.value.user;
+          group = if pool.value.group == null then inputs.config.users.users.${user}.group else pool.value.group;
+          phpPackage = if pool.value.package == null then inputs.pkgs.php else pool.value.package;
+          settings =
+          {
+            "pm" = "ondemand";
+            "pm.max_children" = 4;
+            "pm.process_idle_timeout" = "60s";
+            "pm.max_requests" = 128;
+          };
+        };
+      })
+      (attrsToList phpfpm.instances));
+    users =
+    {
+      users = listToAttrs (map
+        (pool:
+        {
+          inherit (pool) name;
+          value = { isSystemUser = true; group = pool.name; };
+        })
+        (filter (pool: pool.value.user == null) (attrsToList phpfpm.instances)));
+      groups = listToAttrs (map
+        (pool:
+        {
+          inherit (pool) name;
+          value = {};
+        })
+        (filter (pool: pool.value.user == null) (attrsToList phpfpm.instances)));
+    };
+  };
+}

modules/services/postgresql.nix

@@ -0,0 +1,91 @@
+inputs:
+{
+  options.nixos.services.postgresql = let inherit (inputs.lib) mkOption types; in
+  {
+    enable = mkOption { type = types.bool; default = false; };
+    instances = mkOption
+    {
+      type = types.attrsOf (types.submodule (submoduleInputs: { options =
+      {
+        database = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
+        user = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
+        passwordFile = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
+      };}));
+      default = {};
+    };
+  };
+  config =
+    let
+      inherit (inputs.config.nixos.services) postgresql;
+      inherit (inputs.lib) mkAfter concatStringsSep mkIf;
+      inherit (inputs.localLib) attrsToList;
+      inherit (builtins) map listToAttrs filter;
+    in mkIf postgresql.enable
+    {
+      services =
+      {
+        postgresql =
+        {
+          enable = true;
+          package = inputs.pkgs.postgresql_15;
+          enableTCPIP = true;
+          authentication = "host all all 0.0.0.0/0 md5";
+          settings =
+          {
+            unix_socket_permissions = "0700";
+            shared_buffers = "8192MB";
+            work_mem = "512MB";
+            autovacuum = "on";
+          };
+          # log_timezone = 'Asia/Shanghai'
+          # datestyle = 'iso, mdy'
+          # timezone = 'Asia/Shanghai'
+          # lc_messages = 'en_US.utf8'
+          # lc_monetary = 'en_US.utf8'
+          # lc_numeric = 'en_US.utf8'
+          # lc_time = 'en_US.utf8'
+          # default_text_search_config = 'pg_catalog.english'
+          # plperl.on_init = 'use utf8; use re; package utf8; require "utf8_heavy.pl";'
+          # mv /path/to/dir /path/to/dir_old
+          # mkdir /path/to/dir
+          # chattr +C /path/to/dir
+          # cp -a --reflink=never /path/to/dir_old/. /path/to/dir
+          # rm -rf /path/to/dir_old
+          ensureDatabases = map (db: db.value.database) (attrsToList postgresql.instances);
+          ensureUsers = map (db: { name = db.value.user; }) (attrsToList postgresql.instances);
+        };
+        postgresqlBackup =
+        {
+          enable = true;
+          pgdumpOptions = "-Fc";
+          compression = "none";
+          databases = map (db: db.value.database) (attrsToList postgresql.instances);
+        };
+      };
+      systemd.services.postgresql.postStart = mkAfter (concatStringsSep "\n" (map
+        (db:
+          let
+            passwordFile =
+              if db.value.passwordFile or null != null then db.value.passwordFile
+              else inputs.config.sops.secrets."postgresql/${db.value.user}".path;
+            in
+            # set user password
+            "$PSQL -tAc \"ALTER USER ${db.value.user} with encrypted password '$(cat ${passwordFile})'\""
+            # set db owner
+              + "\n"
+              + "$PSQL -tAc \"select pg_catalog.pg_get_userbyid(d.datdba) FROM pg_catalog.pg_database d"
+              + " WHERE d.datname = '${db.value.database}' ORDER BY 1\""
+              + " | grep -E '^${db.value.user}$' -q"
+              + " || $PSQL -tAc \"ALTER DATABASE ${db.value.database} OWNER TO ${db.value.user}\"")
+        (attrsToList postgresql.instances)));
+      sops.secrets = listToAttrs (map
+        (db: { name = "postgresql/${db.value.user}"; value.owner = inputs.config.users.users.postgres.name; })
+        (filter (db: db.value.passwordFile == null) (attrsToList postgresql.instances)));
+    };
+}
+  # sops.secrets.drone-agent = {
+  #   owner = config.systemd.services.drone-agent.serviceConfig.User;
+  #   key = "drone";
+  # };
+# pg_dump -h 127.0.0.1 -U synapse -Fc -f synaps.dump synapse
+# pg_restore -h 127.0.0.1 -U misskey -d misskey --data-only --jobs=4 misskey.dump