debug

modules.services.xray: add debug info
modules.services.xray: revert version
2026-01-12 09:49:22 +08:00 · 2025-06-25 21:19:29 +08:00 · 2025-06-25 21:16:04 +08:00 · 2025-06-25 21:03:49 +08:00 · 2025-06-25 20:52:19 +08:00 · 2025-06-25 13:04:46 +08:00
432 changed files with 10563 additions and 11839 deletions
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,5 +1 @@
-*.png filter=lfs diff=lfs merge=lfs -text
-*.icm filter=lfs diff=lfs merge=lfs -text
-*.jpg filter=lfs diff=lfs merge=lfs -text
-*.webp filter=lfs diff=lfs merge=lfs -text
-*.efi filter=lfs diff=lfs merge=lfs -text
+flake/branch.nix merge=ours
--- a/.gitignore
+++ b/.gitignore
@@ -6,3 +6,4 @@ build
 .vscode
 .cache
 .ccls-cache
+archive
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -3,61 +3,57 @@ keys: # cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
  - &pc age1ffvr5pqd2lfj24e3fh53s92z6h76fda3du4y4k6r3yjumdwvpfgqzj033a
  - &vps4 age1yvrl4y0r6yzcxzzkgfwshlrtsjt8uuya6rfwks09pnft7esfcyvqmrtm5q
  - &vps6 age164tyqklwhdm57tfm5u863mdt2xrzrrzac4py8a0j9y6kzqcjy9zsp073t6
-  - &vps7 age137x7csalutwvfygvvzpemlsywvdxj3j4z93a50z2sjx03w6zau8q3r5902
-  - &surface age1ck5vzs0xqx0jplmuksrkh45xwmkm2t05m2wyq5k2w2mnkmn79fxs6tvl3l
  - &nas age19lhcwk37jmvn6z0v4dpdfh0k4u23f76twdjknc0p7atktf37rd7s4t4wj3
-  - &xmupc1 age1hnarptkze0ujpp05dqr8uma04cxg9zqcx68qgpks5uf5l6rpk5gqhh8wxg
-  - &xmupc2 age1l4stuz0vr7gs7pqwjrmezam44702jp2vmqaqyxw0l0r42kf9updq4dfhrw
-  - &pi3b age1yjgswvexp0x0de0sw4u6hamruzeluxccmx2enxazl6pwhhsr2s9qlxdemq
-  - &pcvm age1jmu4jym0e0xkq5shx2g7ef4xzre94vaxy2n4fcn0kp94dtlupdxqkzyyp7
+  - &one age1m7nrxfw22wvp7pj8y9pdl745w95x89uu8dzl9ppsaazweqf2lqms5yshsp
+  - &srv1-node0 age1nzetyehldf3gl6pr6mu5d2cv387p8wjqn6wfpll7a3sl8us6n38s0ds633
+  - &srv1-node1 age1wj33xt8nj7rhnsenepsf6k3lmq5vk4wn84jwr55qy9cwu05xn5cspg3h7t
+  - &srv1-node2 age16e7ykphshal6qhwfvat698hl48s8yr0jvzh27ecdyfh5uk7t9u6s753jgy
+  - &srv2-node0 age1l4stuz0vr7gs7pqwjrmezam44702jp2vmqaqyxw0l0r42kf9updq4dfhrw
+  - &srv2-node1 age1hnarptkze0ujpp05dqr8uma04cxg9zqcx68qgpks5uf5l6rpk5gqhh8wxg
+  - &srv3 age1n4lhfwv7g0vhx54exmwx9yv2z04m3h2lunzpa5zdzgtcvjjuf5nqc36g8a
+  - &test age1vgqvdqqe3mn0gvh0hydvu9c5f9yn5vek08cagyvwjhyta6utpvuq00g9c2
+  - &test-pc age17a8y4yr2ckuek67rt786ujuf7705gvj3vv6ezktxxmgayea9zcyqet7hgc
+  - &test-pc-vm age1wmcayhf9eyx9e9yp97850mqas9ns455crce8hfmvnupgcxd6sews5r0cln
 creation_rules:
  - path_regex: devices/pc/.*$
-    key_groups:
-    - age:
-      - *chn
-      - *pc
+    key_groups: [{ age: [ *chn, *pc ] }]
  - path_regex: devices/vps4/.*$
-    key_groups:
-    - age:
-      - *chn
-      - *vps4
+    key_groups: [{ age: [ *chn, *vps4 ] }]
  - path_regex: devices/vps6/.*$
-    key_groups:
-    - age:
-      - *chn
-      - *vps6
-  - path_regex: devices/vps7/.*$
-    key_groups:
-    - age:
-      - *chn
-      - *vps7
+    key_groups: [{ age: [ *chn, *vps6 ] }]
  - path_regex: devices/nas/.*$
+    key_groups: [{ age: [ *chn, *nas ] }]
+  - path_regex: devices/one/.*$
+    key_groups: [{ age: [ *chn, *one ] }]
+  - path_regex: devices/srv1/secrets/.*$
+    key_groups: [{ age: [ *chn, *srv1-node0, *srv1-node1, *srv1-node2 ] }]
+  - path_regex: devices/srv1/node0/.*$
+    key_groups: [{ age: [ *chn, *srv1-node0 ] }]
+  - path_regex: devices/srv1/node1/.*$
+    key_groups: [{ age: [ *chn, *srv1-node1 ] }]
+  - path_regex: devices/srv1/node2/.*$
+    key_groups: [{ age: [ *chn, *srv1-node2 ] }]
+  - path_regex: devices/srv2/secrets/.*$
+    key_groups: [{ age: [ *chn, *srv2-node0, *srv2-node1 ] }]
+  - path_regex: devices/srv2/node0/.*$
+    key_groups: [{ age: [ *chn, *srv2-node0 ] }]
+  - path_regex: devices/srv2/node1/.*$
+    key_groups: [{ age: [ *chn, *srv2-node1 ] }]
+  - path_regex: devices/srv3/.*$
+    key_groups: [{ age: [ *chn, *srv3 ] }]
+  - path_regex: devices/test/.*$
+    key_groups: [{ age: [ *chn, *test ] }]
+  - path_regex: devices/test-pc/.*$
+    key_groups: [{ age: [ *chn, *test-pc ] }]
+  - path_regex: devices/test-pc-vm/.*$
+    key_groups: [{ age: [ *chn, *test-pc-vm ] }]
+  - path_regex: devices/cross/secrets/default.yaml$
    key_groups:
-    - age:
-      - *chn
-      - *nas
-  - path_regex: devices/surface/.*$
+    - age: [ *chn, *pc, *vps4, *vps6, *nas, *one, *srv1-node0, *srv1-node1, *srv1-node2, *srv2-node0, *srv2-node1,
+      *srv3, *test, *test-pc, *test-pc-vm]
+  - path_regex: devices/cross/secrets/chn.yaml$
    key_groups:
-    - age:
-      - *chn
-      - *surface
-  - path_regex: devices/xmupc1/.*$
+    - age: [ *chn, *pc, *one, *nas ]
+  - path_regex: devices/cross/secrets/acme.yaml$
    key_groups:
-    - age:
-      - *chn
-      - *xmupc1
-  - path_regex: devices/xmupc2/.*$
-    key_groups:
-    - age:
-      - *chn
-      - *xmupc2
-  - path_regex: devices/pi3b/.*$
-    key_groups:
-    - age:
-      - *chn
-      - *pi3b
-  - path_regex: devices/pcvm/.*$
-    key_groups:
-    - age:
-      - *chn
-      - *pcvm
+    - age: [ *chn, *nas, *pc, *srv3, *vps4, *vps6 ]
--- a/README.md
+++ b/README.md
@@ -0,0 +1,26 @@
+This is my NixOS configuration. I use it to manage:
+* some vps serving some websites and services (misskey, synapse), etc.
+* my laptop (Lenovo R9000P 2023), and my tablet (One Netbook One Mix 4).
+* some cluster for scientific computing (vasp, lammps, etc).
+With the following highlights:
+* All binary is compiled for specific CPU (`-march=xxx`, like that on Gentoo). 
+* All packages and configurations are managed by Nix, as much reproducible as possible.
+
+## Using overlay
+
+An overlay is provided through `outputs.overlays.default`, you could use it in your `configuration.nix` like this:
+
+```nix
+{
+  inputs.chn-nixos.url = "github:CHN-beta/nixos";
+  outputs.nixosConfigurations.my-host = inputs.nixpkgs.lib.nixosSystem
+  {
+    modules = [({pkgs, ...}: { config =
+    {
+      nixpkgs.overlays = [ inputs.chn-nixos.overlays.default ];
+      environment.systemPackages = [ pkgs.localPackages.vasp.intel ];
+    };})];
+  };
+}
+```
+
--- a/blog/.gitignore
+++ b/blog/.gitignore
@@ -1,4 +0,0 @@
-/themes
-/public
-/.hugo_build.lock
-/resources/_gen
--- a/blog/archetypes/default.md
+++ b/blog/archetypes/default.md
@@ -1,5 +0,0 @@
-+++
-title = '{{ replace .File.ContentBaseName "-" " " | title }}'
-date = {{ .Date }}
-draft = true
-+++
--- a/blog/content/_index.md
+++ b/blog/content/_index.md
@@ -1,19 +0,0 @@
---
-type: docs
---
-
-嗨，我的朋友，欢迎你！我想我会喜欢你的（如果我们之前没有仇的话）。
-
-左侧是这个网站的目录，你可以看到这个网站上有哪些文章。
-点进某一篇文章后，右侧会出现当前文章的目录。
-上方还有搜索框和一些外部网站的链接。
-
-本站的主要内容被分为“文档”和“博客”两个部分。
-文档部分是一些比较系统化的内容，比如某些教程，
-  会随着时间的推移而更新，并会翻译成英语（如果我觉得有必要的话）。
-博客部分是一些随手写的东西，大概写好之后就再也不会更新，其中的技术性内容也不保证完全正确，
-  往往充满了我自己的主观猜测。
-
-{{< callout emoji="🏗️" >}}
-  早期施工中，请戴好安全帽小心前行，谨防突然出现的 404。
-{{< /callout >}}
--- a/blog/content/about.md
+++ b/blog/content/about.md
@@ -1,19 +0,0 @@
---
-title: 关于本站
---
-
-嗨，我的朋友，欢迎你！我想我会喜欢你的（如果我们之前没有仇的话）。
-
-左侧是这个网站的目录，你可以看到这个网站上有哪些文章。
-点进某一篇文章后，右侧会出现当前文章的目录。
-上方还有搜索框和一些外部网站的链接。
-
-本站的主要内容被分为“文档”和“博客”两个部分。
-文档部分是一些比较系统化的内容，比如某些教程，
-  会随着时间的推移而更新，并会翻译成英语（如果我觉得有必要的话）。
-博客部分是一些随手写的东西，大概写好之后就再也不会更新，其中的技术性内容也不保证完全正确，
-  往往充满了我自己的主观猜测。
-
-{{< callout emoji="🏗️" >}}
-  早期施工中，请戴好安全帽小心前行，谨防突然出现的 404。
-{{< /callout >}}
--- a/blog/content/docs/example/_index.md
+++ b/blog/content/docs/example/_index.md
@@ -1,7 +0,0 @@
---
-weight: 1
-bookFlatSection: true
-title: "Example Site"
---
-
-{{< callout emoji="🏗️" >}} 施工中 {{< /callout >}}
--- a/blog/content/posts/_index.md
+++ b/blog/content/posts/_index.md
@@ -1,5 +0,0 @@
---
-title: Blog
---
-
-我得在这里写点什么
--- a/blog/content/posts/helloworld.md
+++ b/blog/content/posts/helloworld.md
@@ -1,49 +0,0 @@
---
-title: Helloworld
-date: 2024-08-24T20:13:59+08:00
-draft: false
-summary: 为什么不问问神奇海螺呢？
-math: true
---
-
-# 一级标题
-
-## 二级标题
-
-### 三级标题
-
-hello world!
-
-* 无序列表1
-* 无序列表2
-* 无序列表3
-
-1. 有序列表1
-2. 有序列表2
-3. 有序列表3
-
-> 这是一个引用
-> 写了两行
-
-如果段与段之间
-没有空行
-会怎样？
-
-```c++
-#include <iostream>
-using namespace std;
-int main() {
-    cout << "Hello, World!" << endl;
-    return 0;
-}
-```
-
-这是一个行内代码`printf("Hello, World!\n");`，和行内公式 $E=mc^2$。
-
-$$
-\int_{-\infty}^{+\infty} e^{-x^2} \dd x = \sqrt{\pi}
-$$
-
-**这是粗体文本**，*这是斜体文本*。
-
-[这是一个链接](https://www.example.com)
--- a/blog/data/icons.yaml
+++ b/blog/data/icons.yaml
@@ -1,6 +0,0 @@
-misskey: <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 1 24 22"><path fill="currentColor" d="M8.91 16.892c-1.039.003-1.931-.63-2.352-1.366c-.225-.322-.67-.437-.676 0v2.014q0 1.215-.876 2.1q-.85.86-2.078.86q-1.2 0-2.077-.86A2.93 2.93 0 0 1 0 17.54V6.46q0-.936.526-1.695a2.86 2.86 0 0 1 1.402-1.088a2.9 2.9 0 0 1 1-.177q1.353 0 2.253 1.063l2.997 3.515c.067.05.263.437.732.437c.47 0 .692-.386.758-.437l2.972-3.515Q13.567 3.5 14.918 3.5q.501 0 1.001.177a2.73 2.73 0 0 1 1.377 1.088q.55.758.55 1.695v11.08q0 1.215-.875 2.1q-.852.86-2.078.86q-1.201 0-2.078-.86a2.93 2.93 0 0 1-.85-2.1v-2.014c-.05-.55-.531-.204-.702 0c-.45.843-1.313 1.361-2.352 1.366M21.448 8.61q-1.05 0-1.802-.733q-.726-.759-.726-1.822c0-1.063.242-1.307.726-1.796a2.44 2.44 0 0 1 1.802-.758q1.05 0 1.803.758q.75.735.75 1.796q0 1.063-.75 1.822q-.751.732-1.803.733m.025.507q1.05 0 1.777.758q.75.759.751 1.822v6.248q0 1.064-.75 1.821a2.4 2.4 0 0 1-1.778.734q-1.05 0-1.802-.733a2.5 2.5 0 0 1-.75-1.822v-6.248a2.5 2.5 0 0 1 .75-1.822a2.44 2.44 0 0 1 1.802-.758"/></svg>
-fediverse: <svg xmlns="http://www.w3.org/2000/svg" viewBox="20 20 216 216"><g fill="none"><path fill="#a730b8" d="M61.39 100.77a22.47 22.47 0 0 1-9.605 9.569l52.727 52.981l12.712-6.448zm69.548 69.882l-12.712 6.448l26.717 26.846a22.47 22.47 0 0 1 9.606-9.57z"/><path fill="#5496be" d="m191.943 121.734l-29.851 15.142l2.201 14.091l33.775-17.133a22.5 22.5 0 0 1-6.125-12.1m-47.18 23.932l-70.579 35.802a22.5 22.5 0 0 1 6.127 12.101l66.653-33.812z"/><path fill="#ce3d1a" d="m122.066 57.476l-34.057 66.548l10.055 10.103l36.059-70.459a22.45 22.45 0 0 1-12.057-6.192m-42.915 83.856l-17.25 33.708c4.56.772 8.77 2.934 12.056 6.192l15.249-29.797z"/><path fill="#d0188f" d="M51.492 110.487a22.44 22.44 0 0 1-11.218 2.347a23 23 0 0 1-2.168-.226l10.073 64.489a22.44 22.44 0 0 1 11.218-2.347q1.09.06 2.167.227z"/><path fill="#5b36e9" d="M80.364 193.888c.23 1.498.31 3.014.235 4.528a22.5 22.5 0 0 1-2.369 8.867l64.42 10.347a22.5 22.5 0 0 1-.236-4.528a22.5 22.5 0 0 1 2.37-8.867z"/><path fill="#30b873" d="m198.294 134.069l-29.733 58.102a22.45 22.45 0 0 1 12.058 6.193l29.734-58.101a22.45 22.45 0 0 1-12.059-6.194"/><path fill="#ebe305" d="M157.741 51.894a22.47 22.47 0 0 1-9.606 9.57l46.047 46.267a22.47 22.47 0 0 1 9.606-9.57z"/><path fill="#f47601" d="m115.713 45.14l-58.21 29.527a22.5 22.5 0 0 1 6.127 12.1l58.208-29.528a22.5 22.5 0 0 1-6.125-12.098"/><path fill="#57c115" d="M148.029 61.518a22.44 22.44 0 0 1-11.403 2.44a22 22 0 0 1-1.966-.206l5.157 33.048l14.069 2.26zm-5.216 54.494l12.191 78.134a22.45 22.45 0 0 1 11.055-2.265a23 23 0 0 1 2.349.258l-11.525-73.868z"/><path fill="#dbb210" d="M63.671 87.014a22.5 22.5 0 0 1 .247 4.6a22.5 22.5 0 0 1-2.334 8.803l33.043 5.312l6.494-12.695zm56.632 9.103l-6.495 12.696l78.072 12.55c-.224-1.481-.3-2.98-.226-4.476a22.5 22.5 0 0 1 2.395-8.915z"/><path fill="#ffca00" fill-opacity="0.996" d="M136.737 61.918c11.258.614 20.881-8.023 21.495-19.292c.613-11.268-8.016-20.9-19.275-21.515c-11.258-.613-20.881 8.024-21.495 19.292c-.613 11.269 8.017 20.901 19.275 21.515"/><path fill="#64ff00" fill-opacity="0.996" d="M212.966 138.513c11.259.614 20.882-8.023 21.495-19.292c.614-11.268-8.016-20.9-19.274-21.514s-20.882 8.023-21.495 19.292c-.613 11.268 8.016 20.901 19.274 21.514"/><path fill="#00a3ff" fill-opacity="0.996" d="M163.727 234.728c11.258.614 20.882-8.024 21.495-19.292s-8.016-20.901-19.274-21.515s-20.882 8.024-21.495 19.292c-.614 11.269 8.016 20.901 19.274 21.515"/><path fill="#9500ff" fill-opacity="0.996" d="M57.066 217.597c11.258.613 20.881-8.024 21.495-19.292c.613-11.269-8.017-20.901-19.275-21.515s-20.882 8.023-21.495 19.292c-.613 11.268 8.016 20.901 19.275 21.515"/><path fill="#f00" fill-opacity="0.996" d="M40.385 110.794c11.258.614 20.881-8.023 21.495-19.292c.613-11.268-8.017-20.9-19.275-21.514S21.724 78.01 21.11 89.28c-.613 11.268 8.017 20.901 19.275 21.514"/></g></svg>
-matrix: <svg xmlns="http://www.w3.org/2000/svg" viewBox="30 20 196 216"><path fill="currentColor" d="M72 216a8 8 0 0 1-8 8H40a8 8 0 0 1-8-8V40a8 8 0 0 1 8-8h24a8 8 0 0 1 0 16H48v160h16a8 8 0 0 1 8 8M216 32h-24a8 8 0 0 0 0 16h16v160h-16a8 8 0 0 0 0 16h24a8 8 0 0 0 8-8V40a8 8 0 0 0-8-8m-32 88a32 32 0 0 0-56-21.13a31.93 31.93 0 0 0-40.71-6.15A8 8 0 0 0 72 96v64a8 8 0 0 0 16 0v-40a16 16 0 0 1 32 0v40a8 8 0 0 0 16 0v-40a16 16 0 0 1 32 0v40a8 8 0 0 0 16 0Z"/></svg>
-wechat: <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path fill="currentColor" d="M15.85 8.14c.39 0 .77.03 1.14.08C16.31 5.25 13.19 3 9.44 3c-4.25 0-7.7 2.88-7.7 6.43c0 2.05 1.15 3.86 2.94 5.04L3.67 16.5l2.76-1.19c.59.21 1.21.38 1.87.47c-.09-.39-.14-.79-.14-1.21c-.01-3.54 3.44-6.43 7.69-6.43M12 5.89a.96.96 0 1 1 0 1.92a.96.96 0 0 1 0-1.92M6.87 7.82a.96.96 0 1 1 0-1.92a.96.96 0 0 1 0 1.92"/><path fill="currentColor" d="M22.26 14.57c0-2.84-2.87-5.14-6.41-5.14s-6.41 2.3-6.41 5.14s2.87 5.14 6.41 5.14c.58 0 1.14-.08 1.67-.2L20.98 21l-1.2-2.4c1.5-.94 2.48-2.38 2.48-4.03m-8.34-.32a.96.96 0 1 1 .96-.96c.01.53-.43.96-.96.96m3.85 0a.96.96 0 1 1 0-1.92a.96.96 0 0 1 0 1.92"/></svg>
-qq: <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><g fill="none"><path d="m12.593 23.258l-.011.002l-.071.035l-.02.004l-.014-.004l-.071-.035q-.016-.005-.024.005l-.004.01l-.017.428l.005.02l.01.013l.104.074l.015.004l.012-.004l.104-.074l.012-.016l.004-.017l-.017-.427q-.004-.016-.017-.018m.265-.113l-.013.002l-.185.093l-.01.01l-.003.011l.018.43l.005.012l.008.007l.201.093q.019.005.029-.008l.004-.014l-.034-.614q-.005-.018-.02-.022m-.715.002a.02.02 0 0 0-.027.006l-.006.014l-.034.614q.001.018.017.024l.015-.002l.201-.093l.01-.008l.004-.011l.017-.43l-.003-.012l-.01-.01z"/><path fill="currentColor" d="M12 2a6.285 6.285 0 0 0-6.276 5.937l-.146 2.63a28 28 0 0 0-.615 1.41c-1.24 3.073-1.728 5.773-1.088 6.032c.335.135.913-.426 1.566-1.432a6.67 6.67 0 0 0 1.968 3.593c-1.027.35-1.91.828-1.91 1.33c0 .509 2.48.503 4.239.5h.001c.549-.002 1.01-.008 1.38-.057a6.7 6.7 0 0 0 1.76 0c.37.05.833.055 1.382.056c1.76.004 4.239.01 4.239-.499c0-.502-.883-.979-1.909-1.33a6.67 6.67 0 0 0 1.967-3.586c.65 1.002 1.227 1.56 1.56 1.425c.64-.259.154-2.96-1.088-6.032a28 28 0 0 0-.607-1.395l-.147-2.645A6.285 6.285 0 0 0 12 2"/></g></svg>
-gitea: <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16"><path fill="currentColor" fill-rule="evenodd" d="M15.46 3.206s.14-.003.245.102l.01.01c.064.06.258.244.285 1.074c0 2.902-1.405 5.882-1.405 5.882a9 9 0 0 1-.359.713c-.458.802-.786 1.153-.786 1.153s-.318.379-.675.595c-.415.265-.72.263-.72.263L7.247 13c-.636-.079-1.29-.736-1.927-1.578c-.47-.677-.779-1.413-.779-1.413s-2.51.034-3.675-1.394C.235 7.895.103 7.067.06 6.769q0-.012-.004-.029c-.05-.324-.285-1.873.821-2.86c.517-.496 1.148-.638 1.37-.684c.371-.081.667-.06.903-.044l.09.006c.391.035 3.99.216 3.99.216s1.532.066 2.27.056c0 0 .003 1.853.003 2.78q.105.048.211.1l.212.1V3.427q.494-.005.996-.017h.011c1.545-.036 4.528-.204 4.528-.204ZM2.113 8.026s.28.26.94.477c.43.152 1.094.231 1.094.231S3.699 7.5 3.516 6.757c-.22-.886-.4-2.398-.4-2.398s-.438-.015-.789.079c-.766.19-.98.763-.98.763s-.384.688.036 1.813c.244.672.73 1.013.73 1.013Zm8.084 3.607c.344-.023.499-.392.499-.392s1.24-2.486 1.4-2.878a.7.7 0 0 0 .046-.438c-.07-.267-.39-.412-.39-.412l-1.926-.935l-.165.339l-.18.369a.46.46 0 0 1 .128.341s.433.186.743.387c0 0 .257.135.32.425c.075.273-.04.488-.066.539l-.002.003s-.216.51-.343.774l-.004.007q-.07.144-.139.28a.454.454 0 1 1-.32-.15s.41-.84.468-1.033c0 0 .096-.24.048-.38a.47.47 0 0 0-.19-.188a6 6 0 0 0-.678-.34s-.076.068-.18.09a.5.5 0 0 1-.158.014l-.611 1.25a.46.46 0 0 1 .046.587a.46.46 0 0 1-.578.138a.46.46 0 0 1-.232-.51a.46.46 0 0 1 .44-.35L8.8 7.886a.457.457 0 0 1 .361-.744l.185-.375l.167-.341l-.579-.281s-.251-.125-.458-.072a.6.6 0 0 0-.114.039c-.189.084-.31.33-.31.33L6.668 9.293s-.124.254-.068.46c.048.252.325.397.325.397l2.874 1.4l.135.054s.114.04.262.03Z" clip-rule="evenodd"/></svg>
--- a/blog/default.nix
+++ b/blog/default.nix
@@ -1,13 +0,0 @@
-{ stdenv, hextra, hugo }: stdenv.mkDerivation
-{
-  name = "blog";
-  src = ./.;
-  nativeBuildInputs = [ hugo ];
-  configurePhase =
-  ''
-    mkdir themes
-    ln -s ${hextra} themes/hextra
-  '';
-  buildPhase = "hugo";
-  installPhase = "cp -r public $out";
-}
--- a/blog/hugo.yaml
+++ b/blog/hugo.yaml
@@ -1,132 +0,0 @@
-baseURL: https://blog.chn.moe/
-theme: hextra
-
-enableRobotsTXT: true
-enableGitInfo: false
-enableEmoji: true
-hasCJKLanguage: true
-
-# services:
-#   googleAnalytics:
-#     ID: G-MEASUREMENT_ID
-
-outputs:
-  home: [ html ]
-  page: [ html ]
-  section: [ html, rss ]
-
-defaultContentLanguage: zh-cn
-languages:
-  zh-cn:
-    languageName: 简体中文
-    languageCode: zh-CN
-    weight: 1
-    title: My New Hugo Site
-  en:
-    languageName: English
-    weight: 2
-    title: My New Hugo Site
-    contentDir: content/en
-
-# Needed for mermaid/katex shortcodes
-markup:
-  goldmark:
-    renderer:
-      unsafe: true
-  highlight:
-    noClasses: false
-
-enableInlineShortcodes: true
-
-menu:
-  main:
-    - name: Search
-      weight: 1
-      params:
-        type: search
-
-  sidebar:
-    - identifier: more
-      name: More
-      params:
-        type: separator
-      weight: 1
-    - identifier: welcome
-      name: 欢迎页
-      pageRef: /
-      weight: 2
-    - identifier: about
-      name: 关于本站
-      pageRef: /about
-      weight: 3
-    - identifier: contact
-      name: 联系我
-      pageRef: /contact
-      weight: 4
-
-params:
-  description: Modern, responsive, batteries-included Hugo theme for creating beautiful static websites.
-  navbar:
-    displayTitle: true
-    displayLogo: true
-    logo:
-      path: images/logo.svg
-      dark: images/logo-dark.svg
-      # width: 40
-      # height: 20
-      # link: /
-    width: wide
-  page:
-    # full (100%), wide (90rem), normal (1280px)
-    width: normal
-  theme:
-    # light | dark | system
-    default: system
-    displayToggle: true
-  footer:
-    enable: true
-    displayCopyright: true
-    displayPoweredBy: true
-    width: normal
-  displayUpdatedDate: true
-  dateFormat: "January 2, 2006"
-  search:
-    enable: true
-    type: flexsearch
-    flexsearch:
-      # index page by: content | summary | heading | title
-      index: content
-      # full | forward | reverse | strict
-      # https://github.com/nextapps-de/flexsearch/#tokenizer-prefix-search
-      tokenize: forward
-  editURL:
-    enable: true
-    base: "https://github.com/imfing/hextra/edit/main/exampleSite/content"
-  blog:
-    list:
-      displayTags: true
-      # date | lastmod | publishDate | title | weight
-      sortBy: date
-      sortOrder: desc # or "asc"
-  highlight:
-    copy:
-      enable: true
-      # hover | always
-      display: hover
-  comments:
-    # TODO: enable cusdis
-    enable: false
-    type: giscus
-    # https://giscus.app/
-    giscus:
-      repo: imfing/hextra
-      repoId: R_kgDOJ9fJag
-      category: General
-      categoryId: DIC_kwDOJ9fJas4CY7gW
-      # mapping: pathname
-      # strict: 0
-      # reactionsEnabled: 1
-      # emitMetadata: 0
-      # inputPosition: top
-      # lang: en
-  math: true
--- a/devices/cross/default.nix
+++ b/devices/cross/default.nix
@@ -0,0 +1 @@
+inputs: { imports = inputs.localLib.findModules ./.; }
--- a/devices/cross/luks-manual/default.nix
+++ b/devices/cross/luks-manual/default.nix
@@ -0,0 +1,27 @@
+inputs:
+let devices =
+{
+  nas =
+  {
+    "/dev/disk/by-partlabel/nas-root3".mapper = "root3";
+    "/dev/disk/by-partlabel/nas-root4".mapper = "root4";
+    "/dev/disk/by-partlabel/nas-swap" = { mapper = "swap"; ssd = true; };
+  };
+  vps4."/dev/disk/by-uuid/bf7646f9-496c-484e-ada0-30335da57068" = { mapper = "root"; ssd = true; };
+  vps6."/dev/disk/by-uuid/961d75f0-b4ad-4591-a225-37b385131060" = { mapper = "root"; ssd = true; };
+  srv3 =
+  {
+    "/dev/disk/by-partlabel/srv3-root1" = { mapper = "root1"; ssd = true; };
+    "/dev/disk/by-partlabel/srv3-swap" = { mapper = "swap"; ssd = true; };
+  };
+};
+in
+{
+  config =
+  {
+    nixos.system.fileSystems.luks.manual =
+      let inherit (inputs.config.nixos.model) hostname;
+      in if devices ? ${hostname} then devices.${hostname} else inputs.lib.mkOptionDefault null;
+    home-manager.users.chn.config.nixos.decrypt = devices;
+  };
+}
--- a/modules/system/fileSystems/nas.key
+++ b/modules/system/fileSystems/nas.key
--- a/devices/cross/luks-manual/srv3.key
+++ b/devices/cross/luks-manual/srv3.key
--- a/modules/system/fileSystems/vps4.key
+++ b/modules/system/fileSystems/vps4.key
--- a/modules/system/fileSystems/vps6.key
+++ b/modules/system/fileSystems/vps6.key
--- a/devices/cross/secrets/acme.yaml
+++ b/devices/cross/secrets/acme.yaml
@@ -0,0 +1,62 @@
+acme:
+    token: ENC[AES256_GCM,data:Zm4vCgYbrm8wtYMYqtRkMF7hm8feTcZXITKbJgWsgagWbbHE5Z8zoA==,iv:RSRw188gjoAdhTErApuF8tBSsD+aT3LGhifcy417Qzw=,tag:4ZHfkW8aCJ6BW8mtL261yQ==,type:str]
+sops:
+    age:
+        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwOFEwcjQyUmlpRDJ1WVFt
+            WUJVM29wdTFwZmNWTHNkMFpjeThCaGt0VkJjCjZ1bnNGVnF0dmdKVE1VdzJoeXJk
+            ZXM0b0NZeENMY2g0R203Rnc4Y2x3QTQKLS0tIHVPc1NuaGx5ZE92R3VTenpiRGNI
+            UWhxZVBpL1VSMVFabVJ3WWUrMjlrRTAKpya6EFm4EQ3o35C5Bdyyaw4Qys8IM2fe
+            OrA5b9xElsEhfGzkpRXkEtsbMhbbpNu0zvDBpylU8rU70tffcWh1sA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age19lhcwk37jmvn6z0v4dpdfh0k4u23f76twdjknc0p7atktf37rd7s4t4wj3
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvdUowREVqOXBiZE02RUU2
+            RVU3MkxNVFRiaUFHQzlzdXpQNFRvanhDMGdjCm1qUytTNzAyY3g1OXI4L0hmK2Va
+            a0hJem5FNkFYTnBxbnhJT0QrbVBzdk0KLS0tIDkxeGYwTnNaUVVBa2NxT1dGWVRF
+            UE9uY2tjdE1ZTVFXSWI5czE1ZHVBV0UKYHyDTeejdMwfYW2u6r9MWZ9qJU2mTYJx
+            qK2/91+T5/paq23+gEpMJeCbCMfcws9xeaf4KgWdBr/JNgjNQ3mhyQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ffvr5pqd2lfj24e3fh53s92z6h76fda3du4y4k6r3yjumdwvpfgqzj033a
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIbjBLelBWR0ZpZEFrL3A2
+            UExIamd3aElvZUNCK2VwZVJrdHMyWGZNYnhJCnBoUlF4ZWtKMDVIYzhqUlpxZXpr
+            UlY4VnVwcFkxMzc0Q0VoQW03QU9BODQKLS0tIGtoRStxL3BFd09CMi9zT0pwZEwr
+            d0hRWnVQOWVxdGRxRXpBZGtMQ24xbm8KtlIU+T++8IQRDLXAH1pBXa6hNqHD19ti
+            AIZGn7+Eh/b6wOkndNpzLCWGVVm9yo7qMY7AzYNIz7SU/9a0JPGuGQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1n4lhfwv7g0vhx54exmwx9yv2z04m3h2lunzpa5zdzgtcvjjuf5nqc36g8a
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxbFVkbjdHWm9xTlEwbzBE
+            Ky9KcjVvc0l2ZkJnOVdxVzFpUDMydDRuNWtVCmpkYXl1dG91TG84em16cFlRcG5y
+            WTBKM1VuWmV3dUlpcE1ka093aHh6REEKLS0tIC91OHF0TnhDUjlqVWcvMjl1czlm
+            YVRXZS9PRVpwNmFaY3pNT0JZNzB3R2MKHClUpTySdpU8AFNYoqT37KWkJbPgmd2+
+            UhtufEWWgSL6j/npU0yxHNcsmU5gfd45TnTxp4sSOupJUDM0B4FKlQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1yvrl4y0r6yzcxzzkgfwshlrtsjt8uuya6rfwks09pnft7esfcyvqmrtm5q
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBObkt4a25UcGo4MnoxOVJQ
+            WkF6elVWODYvSWw1QWtPYTJKS1gxUXRDVjNJCndNcU5GUHhMZW5uTzNpV2NtYUVh
+            K0dYNGlmRzd5ZkZVaGd3cjJFVEFSMXMKLS0tIEVRQWtaY0d3TERsV0ZNcVc0Vyty
+            WnZxTGxOY0NROU4vYTl1WWREemptaDAKhzzRPyr370b7ccTM5DE+jOczmXDqZBt5
+            fYQ04+yLjcULNhqlu52mJRH1X5Se2pXbCzEG6JFiKCEra0wiYhoo5Q==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age164tyqklwhdm57tfm5u863mdt2xrzrrzac4py8a0j9y6kzqcjy9zsp073t6
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzbjRpMWZ6eXZubjVUUlNL
+            Z0N3ZkhoeVoxVzVwMHJzQzhJVjZ5MFhTU3dFCllwVWVWbm1KMTlUcEd0empxS1J2
+            NzRSbkE5cEJLMmZCcjZBMTF0TUF2SEUKLS0tIFN6TVNEMU4rVVl1OEdzWGJSRmdl
+            cndmbU16NkRmMHo5ZlJYMUFBUmlIZDQKNVXn3/twQKZC+74tRlpG2wx0hLEZuuka
+            DKtNg6nnhd/UsVNF6/MSTwjnwXeilNemV7ffAbSE4tixcfBV3niILg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-06-09T13:04:33Z"
+    mac: ENC[AES256_GCM,data:xKqvMTW+TTKPtuHh/pSGvxXXIpeKtzVWgwKPibGX9UTIpnDNzfylmkT6OouqQyI/HTQmiL67ch6gaFSMAbXfpw7JA9YpKif6p84rs3RelKzRLKinDpUtcvWhY1DEA2nsNWOdFHxu7EZhHRbXttRoB372kdV5063MJRvwuqslMpo=,iv:T4ff9w1AYGO9JIzuJz6VbPoS19OcIy9zFvOMLp3F2LE=,tag:x5Yk7tVSilKK68ZRhAnsIw==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2
--- a/devices/cross/secrets/chn.yaml
+++ b/devices/cross/secrets/chn.yaml
@@ -0,0 +1,56 @@
+chn:
+    age: ENC[AES256_GCM,data:MSJe0mI4PUkl4B/R6no/Zsb7STRZcZBKz7+CckMnEuSrjNx/5Jxv6IugUEAREXEUxmpNi7Sx6aR8SYDqJO5UaaGYbCp+PN8DrBg=,iv:185PoGeQ3+D6rYI1xdfrciKu9nj/8d2yya//U39vS6s=,tag:mhP0Ix2iX3uaAqPAnin3Jg==,type:str]
+    rsa: ENC[AES256_GCM,data:yHnveqSfwd2sLYLOm4tkXoHj08zFRQsaSEL0NJz76dFCO/ZnyIbFh8WnW1y6bUUKzWl4AZxcLIBL0GCf+5R+gDRcXLLGCY6TziRb5fo/6ryJ9EbqntVI5V7oXUPSmGMPuhWcVFB2YurgdvFgXMAki7HMmXLD3xMzFp2/my1mBTOqksJiHL1Bq56bBOQihQ8FEpESc6E/lS7hA6oq8u2RIKKLDCDScdLTmbl1XmzO2xqoPoWJNGkW1PBVUzMMSfmfpswfUK4Tt09o7AwnCUsb5u4PC9aGLUdhjS/Q+zdDpXLZpU1VuX4Nypqmyx0v1KgMIDVu2FNl2OUbTvHCDW3OwMkCA2ww4OlD4p9BFTszAzs8eFxSyCZkiWNp+SfI9WgjsZV4S1nJJfIIlkZYqja7DYOQEyeS0IZ7jyuGsTBhy5iTjekiCUa9iEBXmHHw5I80H/mhDeLyYKnnSttPi4xNt8flO9k3TDURFNW4L/2sEexoL0BLCkt/nGolEcyHCvWKm+UOnfYEJ5G1/NwufFrQybzP+TuiqSauGk5oIEi/vvcX2/luwdPyOONeY2SrHoLehh6lhbM9WExdpSfawWAWB43NabKZf7Wp6JLsadZCUvlfQSvM7YE+Z9ZZPffsiPIiKkkABR5FnKVmO52AfX73r17VJgK2fMeabW4o1ktVzMX12tW2+GpzlOTDXcdKnzjdDQMv+u1Hyn9H/K1S1HmB9RZkyTXzUMR3iC5A4VSy+iFqIgA/kTvwKxjYfTBOvaME9kqqF40E+s7Vx2lM9gvfwYXm/OHSIKJkpo8m+DdGShyMD/iopZPW+QayavXdw1ilVWlJxwwCn+KDq/nsQhWMXH5A+7f0d/P+I2kKQWNNhAFm7Bq6+FrIa7FOT+u85Bl6r9rdnmfkz3rKYlvXFkvlr2fYA7UIzc3vFJadxLL1gvIeedmiuTgyY2JzljvWxAxOKbD9H/EAkl1dKMx2xc6IalXj1ERUcZSl90ijaUfkmxqFjZWXDkFLOipPFoNF4RXF0Bf7H8uWBajvrZOifwXoiYFygnl4vHbLQmdzgjs+lBEsEjTflCxaeRfGNUrqYdIN1MOOMXaaTBk4AkHHVxi6EplJS6Z31qnaecNGSlT2SdoGmKPy5IiS0E9gtOq9w81OBh85zoTh0I2XGWyJmhvOpJIReQEUiFb5vlXc1ryPp6etlitECxBTDGqu1BIqYroivwpWSLFYihOsZtmSUuRRRKlWMq19CFZ2KkmrT+APWMVBv4F/6uaapEQaLFrmDys2G4kCR7Arc04OvVizPUhwGPfcceG9VjsR/CJY/VUq1wFTyjrjCffyIOIXtYr+kYNFtYj5SekpopDxUCTAcuTdtAZlegfrqSss6nsBCFvMQUO30ng0rzRpTXnTt9iHkPnfXU1KLcv6lXU4+5nvHatICyaY0pYLNYWBzpFgp6sOiWWJCZi28jgE91HcaaGnleSoNw/ouTasgF23anqvcABKWuUMSRCsIsSBLQWDTPUo+jfm9NuzduDhIdYKhN0HMCCrHVJdWbYBmG23qqqHoHmEu926ClaP5VDo3PNci2yFKg9gcbjeWD4gCXoVE9tm1OwYucQyMyX/SVb0w+M+k2+yVX+Vx/LBqUkXtbWGfDmwHW3b7j3AZr1pHMx+Trv26p4V4cyOaf6nBezbawYF0M7pRHQQLXpjTru9c/dEEZCOefmDyzTLyShDhfCBiBky8hF0bf5NfF6NfL12fcMlAvtk8OaQC+gd4VL3umQpwmLO8pupnv/5tQAR3R37rfgkLv/N/D4Bbz84TvviEa9aPsY+1XlXsunYIkF1xJVunv+YAR4aexDfd6aapfdV1YXxhrvCMZNDF+kxQJ93i5o2+nyUvXBNrrqlWTTX3HSmTYfOZ5npSUMQRYUG2UduU56NHk8QmUi/mwZJX0mCrpHg2lH9+EIwdgMO8V21rZnE9Yj/ujn29lTvqEWOV1uHgbAS9fGbH9LsS4VhC7V1B4uWyzGEvj8g4hl+rC2c85v6rblgn409JTDCioffFlSS35+6AsKKO6u8Xh7neo8c5SxvYsEOW4EAfnemVns8TOdJViy07bB8XtZU4v2/MHhgA24TKr7wlPfrTvF9UFNx2OK8c3aYP78Xp8cb3j60z3HjqCFFEZyHDD4Ync5BFB36sBbqHHcah+kFl3ZtQnUI5LGZvG6mvSGFMmAhiEzTnsVN/TJglll2uXMIcZpJSwxKIw==,iv:Ks1ESu5QeD5a6dmk+0MHD8mrM0QejBSZwQ1fKjTQiuY=,tag:uLDGeiQHHUUUY00n4jlf8A==,type:str]
+    ed25519: ENC[AES256_GCM,data:/2Iqm2LOPkjQk0tEJpdICkiUOZ4fT/+tiEgpkCb02/YT+6l4W6cAY4mv3nQZOROaYg2gafzLT+e2UDSyX/fIbh3jA+OKnbUlWQVnzRUoz1QxdoqLjYTVCB5DkECYQveeWdt8Er1sGMzkdlvIkPdfj99RLmKKwwtHI1AXkR741V6t8X3LVRVFJrCBpudczA78Rr6CaTR5BXsEKxbXmD5kGJlYD70yHkrLA9MgWQa+/oIO/2CzjkQx5ULQ9fr/VwlIWXfLiCvHmKyVEtweqSSH3bSn1qC3usVAZaJSnOObAJGeQuS+FcxizbKDXjgc69Jg67mDf5k6VBxTF/xP0YegQpZlVxnwggSN6yyPHJ9zjk27NmsqHfE3fq/TQf2Pk91wIgfV0zN020vmidRKiP5z54aaEO6lnPHPELl7BZQ51NUyYKmh5SL6IX05x64GqRrbPtxhzWSj+WVeWmbVJcoxbohzugjTG1Uj+cxcEfqe7Th50pFjHbyCEIWxhk8toQ7r8VxkuYREkXwSYTm/mx43FZnwDhLkFuIYOh/v+7ln/Cxg+xATUbwZS6RwuN+pIRz75eq7VjwD9sb+pj2K,iv:FTrh8tnL8OlD6PkdXWnqFTkZ5VdxMJL5CncfjK1J/C0=,tag:+cWIwl0CZFERXZoegTpSDg==,type:str]
+    ed25519_sk: ENC[AES256_GCM,data:NFTheH+JMIu0bdyKOVgFjGIfgKE9o404S6EvK9yelSiYY5/WFRbzRwhSLZC9senT4rMUl9sErjix1nJMesV1DByTvdZqljPGChxac5/JglgZr9NgvhDYLjSnrT0GYlGAgxmDrnSHj2CyPm+5Ael27325QDMLjKnmluvSZaNB7qB+4BNQBEytx5NfLiA26EAxKPqMSDoFFZp/y6FdWFH4sEWz5WAp03shXs+EPmcnSu/9wykjwg7gKvbQJqoB3MJ5N4MsLr7EBPcpOdWvx0E5xZ8GgmuWYxRJNZDILfS5pgaD74uPEj1nODfGd3N0kBBCeKq/clq9hPDfjyrAmTd9EEDJu+q3nf7P6zTIZ0WJ1ZN/hnC7WcpL/p5Y4nDr99u1rd5x+hhk9TI07SPTJBqjpg6oAgM+Dq02jJvCn4VuoxlCTx/dkXyofReU0bjovUXOMEwCfxHwMDa5/QxQ2qYQhNC8x4O+DwxjnhNg1BNVFAVT4mBVxCshKyhQ1C/w8tBTJzD8YkigAKlokI5VoxCINex3SQs2+6NQpCOyiw6TMtH+M54zVlUQeKypOSNmS91crC52/6b9XMA=,iv:xDaelebavplMYLG9c2JUv1ceXJxejTuhjZ/AGHfklrw=,tag:x4zjZasKadbVDf8Zsg+wiA==,type:str]
+    rsa.ppk: ENC[AES256_GCM,data:9njXWqYEZ7jd0u0lvtmIarEka6n6oHmMeLFvBGejAt2cXZdrZzn5hdotT1+yGrPQYH5n5+f5R8E9wSAZK9Xwn5qfLxXkjmOOVd+L+UFr8fNwlac2GK8Z2OpYKSKg8JbNRw7kgl3ktu8xE6IWqTdL75idvW5JI9iXSSLT9o86oV25HN5Ku/JzRRc9ZlrSugxza/w2yUv7ICT4wGw600aXWhF4R9c2vf6+vZyxaBt7BzaT2+IPPrxDxoW6jx+1fATlwTSiqcKD/0ymy0Hk4ryhI6Vk7BaK5ePC405pdghXA3zwHvRKoFtZGPLy7+iQe4GLE1GEOLN+3MSSAlJEnGMKnwP93IqcAghIXAFXHaJzY1a/492waYqXCc3H/SOlI52oKjZY/SUKoSkDxRoY0wr3OdseFgV/BEWgrunN0MakTiqY6Q8okMX3LXeaUHwnIK9t01eLpvIUA2Y1wI7Olx2Ez1Tp1yPjACTZlQrOPOiCeumlRey15bGNywV3p+DY5wM3zqBn+529MauJv7W2NYIJ6do26hAVpe5FMYb0l/G8AYg0E+AJ2nfVRb8Gu5MxprSNQQEMca+PxKSsmCvicBeNuDreZwt7vpMAb8ndv8O96k8cz2G126Rpe6dgsf3XND3VLWJpYIJYG+KA2AaVCvayAcHRUfIZdZ+wMDJFP+nQHk8wH8/Zu6mWL0nkgFMIj7C/xymdIO1Ugc2CjUlZZtSkgZ6JnAQ+rs94B7QBSCcEnkd4kOU4CvrH1eIyxXS1YH6KhYVhOIXeZFvtI38ergae/ruHfruU4tYk9sj+MmiK7tQDVfiu+XY56mrYt46sDOe36nUDAw1xMLV18Wu7P3wh2zwLrHzRcpTljlcilEh6NQTbIZBm5oQUCJhtYkfPtfsOUs6EKR6Zte1xQE6jdMES6Nnki4OAyv6ZC847jZGkGVg2nFkg8K0d3HoLqsIb3AJMgSNoZtImsGdo4I/jgiBdt9GEjXj5o6zYAvt+F/fea8Lvz/JveU4eL+HA5++pSuuFH33eYntPsPeoi3aXMt3HgHpan9hUAYNSTn0IBrEbsFPkxdaPVhyVygZo7nVzMc1z8xRhMuDv/0DlRpSzd0CM/5nFsaexX03W2ByKUatEP+DXxWswXXV0pod1Q65Jp8X6jr3KrGdzgQ+xqT7yCLDInMP08ug8d3MV8cPvdTLKRy3H789WyBKKH9LE6L36ron3571L2C1YRqnSaCtLF4PZWcYhR8QW8DWhU/tQVPc39ny0PazwEKJK4vAuFc9voYTHMgYJ9fvM+TCRQVRi92yECtHO0XsS08UVz4aJpiBnpCf6k26e9Fv5nZkpjeG8l6j1/FLSbUUzM8Ig8JVJZXOV2mkZxB+UVGAaIAaIFuxHJ0u8EVqNGW/yRneZiFop/j+4/rUmR5QaXsqlp6dIjqGiGQxkAsNVc5TiRG4ChQJn50UyqUFWNT/YIFZyJnE051ztZzl0DXoqLdfjn63HJZ0E7OLVwpe6xYQ3DGvwmH+siq5mdjbhF8477C1oes7q+Pc8L8vlYRTIKeLGm5asN2ZyPDigpAnDcPsZUh4Z1EY9/uu1CTG4A2yUdx1Wk9+1ZZf+X8SGK5YyQofuA1WJR3Nxvxr0K2ThUJc2X4jy1x5FCWqINotiHWEj1VLKUEU/eqWcchp99/r6Ai9DBrsuwd7zLq1/EzWyGRFL04aoaHWkzq/2uxs5mBwJYAoRBhXS544JbWgl3k9gnhiTdwzmHxuJqGLQGGLT4kc7va/ym81dPQE5QlMlEsmf0ecHyT9X67GYIsxQtxi8tepM9ycWVRkH2skYVSodOdNvwRZkmtJIzw2lECdx3Sx3u1RAudXMUdGzviUas1+4V7L5w95QF8mQCS5gkHwu11mH6T6aRGLFRUfKNkbOGoiCzOeGsnoQr0IzkwWZ6Kpk/1z8txKIxNfdM3woxAGKbQ==,iv:rU+t8OnwA5yGRQZYSI9GQcfaZY2EjCPxrsoSzlCy1Ok=,tag:5H2oYeXpEkwIhtnAz6uywQ==,type:str]
+    xmuhk: ENC[AES256_GCM,data:I87DH/L3FE/qmYNJ4GPbvuEZ0BU3ljoxjVO+C4UUSGiFq+d0SwqteH8X36SZHsPVOJLtbw+HDxvHuu8avCdPgyg+utYQ902PnU6ldvxpPak2eK/mZQo9KOKNQa6U2QPL7Yq3odemlAHTTp8BD5yOc4gnxGP5/TZZt3jcSAza17tqXwO1dDE0o0ilQ4v5SW4AtBF9Tph5sTyYy9+RlGagvUc35hgl00gDzoTd8ydvFGWSVKO5nTRMQQUfJ1/t5L9ruH4+5+W7Ic6bRXGCSSJ+iKUUcR/N2Bjizcae7TOXZ4VmqkCBHUYDcRnI7kLI3An2dliuPsgyIGVBOzmayNFn8MXjJritptbbm1zC60xzJFaamkQdSTTwUBXNVY5Y/0m/W20/AxyMOvpyxWCDx9XKYK9J6BxqI/uSkJ+IIxHZuiDmY8pF4l6THOd37anRxP2u3S2+yv1sVxqu1cVKR4fmtKqry27KcGkRFwU78qm5QQlSOcxXNSp6gsX5BOb7y0f6rWekRmHLN3gcXJPpEF3AYRXhQZs81J9Tij7F/jemXSG8282PHkvZOnnJQZjb02uVu5NxF+8couaYF18oFjncPlPDrJXEtT2tSabma0fneiLDXnlZ05oPXyWbn81b/KvNxgsDnUAOf3p1sdmIcMG2FLSc2jmaeAF2dCnn7EMjWHwpoR9OeTt5Iq2XIvBzqLsq0dfX22OFCxdO+MX3yWEwZQsU/78n45jiIMOFHZq7GuUsMEd6/p1A9yyuEpkhgqxKRPCIzbmJEaLDAiFSeKw5Q8y5u3sE6NWCJouRsyYaBVtjBYuPCxRA/C5MwiJNL8GCxC++GYWn0OTiAmLMbFyFWVMtwcfVD+SRaOdjzL6v2VvtQpAmNnz4FXdQUb2PpImN/s6Rdg1ca9hPMVkqqgfdc5OC1KvwJP6M3s6g7xzarzTz0whJ0mhNthAHWa0rrnnIEdXa1bdxMEHafkv0VTsUayqfU8kA6pILUFz7d7pot1xrs7ucgw+eqT193kc4XyqxJQK26eWuUVyP1Qd5MnBTQnFXplqIY2sTjisICpvhEAdDeWNN0ouXLFEuQfvfINTydGgITMfQgZbdUuqC4PtdnatZGnwEsuXjRpQ2SA6y1mP3gG3AEvfYnhgg+S1F0pcpN4sa9B1DHvs6ILRaNSnHTHWklD1sMD2YXTgpuFHKtxZMa7dc+pCh4vyGViSgauNaACK/91+OlLPoeIPeQoREvzkOhz+VYXRtG6N5lTMLuubhgOdicBKz8Qt9S9BZTOiJ1hEb4uXXTXwkgulUa77Rd5HEnr31l3BvsNrCt3fDNT8Ec46ICeoRnDjPEIZpXTTUZc7C/J1UUuDCQ1dzVmGrZaM6vyRCFzVa6rgj138CkAp2zF5QzJPyHtyrciPCQfgLweAoT6+tUBOngZNcZ+gSZYrA4uRmwlob9Af6uZEL/GA4zRcSCj73h/7VDhjI4IgaxtiTGsMEmHtGBdryVIPuT8eRcdx6tDkulgQvFi0ku9iqKuBCYpveK+y6OO+5V7GIow7gMfU5AGDNYTNkrVIkhV+Bm5Y3s43eHhda6xxVFR948QvrbYIf3PFMcla2tc0LTOk7r/Fyt/3ij77aVjblq+gfoPtFrbEhvg9Yp8NDnlnuqYel+D24eV+Gd6vY79Gu+JGMgZvFlvEhqJSrKVQ8r4lXl8FMP+S8P5XxXkzf6SNbj1Qm0cwTEtg8p00vt4vH8MaYbSFSSwUeJkOEolDMFSW8FPvqenz1tFq8ShFXB7fuNaU1iqyldnSU3xpswjP8RyrSkZPMClSr2esuLx21+YYSJ90zHtB9kLGdTmp9D5hkGa4IpsbvGVlEvB+yfU9AoFwOi+PoajlxabMHFqIwlyGbl5pXd8Da7PFI1PGfkUa9rPBiusk2IDhXGJn7M00HcWzSjfepkE5EbxzXH0NlsXsqCpGlP1KvDIx4NCYMWJgf7iWebytUqO+AR8nAZlIV95b22EzcsGjAzo0SfqBQnyE9D3y4x/JdKKVy8rW8w/++DeAqQw00VE1JfFubi9NLCzqUQV3zgrEb3SC0yswCMowydXV8Ahl+79Km3Hdnm9H2s94iOlIWMCOV/RKWI/qZujq4ccQdvl77GC+5vXEY6bccNfkIMNPCby9O2383EmS2PzLzMdV0rEBoKkotib+i9IRVKIWJ+pwJwWF/ZPdO/ZcX5ds6oT/U9+RLk+Bq2eLAUwHEVd5mhw2V8Ngj9mp0O9P5vcWQhovnYQRh0WJwJUM1mWfiVLS1IZktndP1efTWR+SPw47tuVcuMcX3vxfReERMAIiO1EcR8+9WYzoSasB16sm9sN1nJUx/LgThjzRTszfy+GFJJZ4dIY/noYyH9LvIz5rHKAAbja5c0PjB22DXOdEjARoXIWHTTH1Ab7/eVk/ixbHOx9sOET9C/koI/URX1XtTRIuM1UXt4OJbIn3fvuPOywHTkWeF5WV/19ZrMHSIM/JHGYc4au/sD06C+wJZseXLPXSIJF2LgabEXJjvHsb++gccqD0GofcJVJzgYuOaJ0ZydbJn670xa/qludJ1nMuSEc3Py4jTOs0vyfrMkDQHWUScT1C/HsQH1YcCKeyAZMSh4hphM7MtAY9v60cnhsyOAwmBhVaZGZSaFIWyf1+ea2eTLnF6HEF0HSYl7L0hd1i8bPBxoyjB2DIbxbzR7TiaMuPQ/HPNhZhXuFfZK6iBjrGDlhGCn/vlFgsSCGCdcLwKBdC8dpfgpyf65ccvtIXMQGFZMQynIDNCBnALF5dtTQprXf/O1WRuZSLAF/H7q+2gXl9hMKeCLWfGbGE/cWvrRw81efgjUQ8AuFUttR2wUL2u26JgrDuoCG9+vhs4S4x2tXDooucqIRQDAUEIE6gF6NsWDi33K5baQ3RA5Z6btNPNQkqXtz4yQE0Zlh9mFT/jkXGRfZ6RtJbT5jWdHQONXaTHTFK43eZlViM1VydoEwiCrclyWYHWswKyLNjQWATICe7X9NYyU/S/Rj9dIRUUzm2KjLfMEfjyiLS5MLDu9lmKUdXAcz4nFcCWIc4VRR5fMsMh6Zvk8eh/vn176Ic58byvfjsAAflZ2QQyZLaA+Utr8YbpxwbRp8WYg0Ktt7q3rlh2WegEa6wKdESqcb53dlK8qw3ICPW4XhFAA37Ru4zlZ5O+ayDoCvrsWE924VXe+1ctjGQ5via4ctDTXXl+GALQPbLmEfwSyvaC332fbZ6YRM1fY6GmnliWCfgHh0cPwuGNmXbhn/Bftsy+jL6ljma//pnkHfQrynho8XeW0edyrXY91CJtkHKhF4h4SVq4tLQ4cRFEjFfkwy4UXZ7m6AnY1cr83iGqbuU1TnKn91mxiBoPWx0arRHeTSCK/xRcBOF7NqBdmEMMefeq2lLuv+8VVKFBFUKCL5e0rKcQ1N2G2ALtrgWVjsaI0eJSyD9aGSADnlMWu14g/msECa5Clvzw2Q==,iv:cv9sYcivQZc/hz+Sri9iLkRHV3uStIvwT2/083DsUtQ=,tag:re/iwRtY/mlnxibqXBnkPg==,type:str]
+github:
+    token: ENC[AES256_GCM,data:t95+VgTEkcpsYGty95nKg+4QU86rVnJjw/LZEAk6PHc3ZR3GjPLBtg==,iv:1d/tXqknfEh+GFYj22TRtr7Sq9GpE8NujfAKDwJttD8=,tag:LNyI9Tul7g5mm1gM9ijWMw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6S0QycmIralcxUVc2TFZU
+            SjVWZHpJT2tZQzByRUtvbzk5OGFHVzY2UlFFClRMSlIxTmk1ZGZsazdkRDRzOEJ5
+            NVZYZGhTdFJIaHBxT1BlN0NDdkEzNEkKLS0tIFBzYWtVMnN2YzRLdW80WTUxS2xZ
+            QnRDZEpyanBZRmVuS1ZjUHNTbWdpb28KWO91rInbh3dvKgVAICB/GAePL9XfsKK8
+            VDbUUst0RgI/z4xKftw+49HJWvzFpo+pzEzvsU5jZiQwIH19ufGcZg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ffvr5pqd2lfj24e3fh53s92z6h76fda3du4y4k6r3yjumdwvpfgqzj033a
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2a2V0Q09VYW5NbGpkZVBa
+            Wi81c2lTVHZLeEpaeTB3UFh5ajNWZno5akRrCmdHS0pDdnVqMExkR1V0aEg0OHRn
+            UzA0YkwyMHZESHNtbm45MEdsdjF5NTAKLS0tIHBIbFdndk1kRU5nQ0pBVFZhZ3JE
+            TStEQzdYL3VCbU1yUmdmd1RKQVYvbzQKx7fkginIVesbwrM9/9JPKpJMcHhxqJS7
+            lOa4aN7TlcTo2QswOABJCKXyZwb3LpWoZioQ/jvBPkSFxKarTBC2LQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1m7nrxfw22wvp7pj8y9pdl745w95x89uu8dzl9ppsaazweqf2lqms5yshsp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDcWN4b1NnQ3VoUC94elFm
+            VUUwWGlveWUreTk2VG4yMmhzdVd6VEJaUmo4CnNhcVdRRVRoTUFpUjJlVDNaWlZ1
+            QXVSVWZDNTlUdWZpVXpqQWl2RXFzUkEKLS0tIGdMbUVLTkJzUmpxUWZieEVWb2Zr
+            Zk1hSFZFaXQ1ZVcyYnFhUHVaWFM2eEEKMAhn8H7rIt82esqOEwL+19zKxyB/0KjI
+            x5S/tAzJIqRY5qilkEXBDekgWKFXj7fLKRfifuWAYT7tMC8E2bODVQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age19lhcwk37jmvn6z0v4dpdfh0k4u23f76twdjknc0p7atktf37rd7s4t4wj3
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQbjVoUHA4RnBVdUZVV0Ft
+            bUQ4YmJJNVB1Ni9RWW5SSWpzaG1ZVGYzUWpFCmJvZnFZYW9sWEo5amhjYkNZVWpm
+            SE1xb1c3cjFaUnBITDIyOFhVRFdPS0UKLS0tIFQ5M29rRDRIYmxPeTNHYWVubkMv
+            UjFLR3hxSVZVajY0WURiUklveHpzVVkKUwCaBC10Iq931J1umHA3xCWfi1mrmTAx
+            vaJiadYqmMSwYk8g5thQ4jjweh133nL1AdxjmAZOVPgYUr6rmcRfXA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-03-10T22:08:33Z"
+    mac: ENC[AES256_GCM,data:s0GsJysfnqxdLi99gBsTlE7kZ3prTrhCuCtgp3HD3d41r1mMxQ7F8NqBm1jBc5vhYHcHQgS/YfSQ1kM6+RDXN2dZ5NMzchyXtcq9h7smEKxizRbIx0PSoBZfnxR4LTZfBDi4LUBPVVSjb6A+7FDcfXAp+pM/ciuxmvNH9965Xws=,iv:zHiROdgHavc/sCH7oV1cm0JpSBRjxj8QR6yUZzK/fAo=,tag:2TeMi2a71YOawddL/EeJSQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2
--- a/devices/cross/secrets/default.yaml
+++ b/devices/cross/secrets/default.yaml
@@ -0,0 +1,180 @@
+users:
+    #ENC[AES256_GCM,data:2KeaiyOl51RB,iv:BGqlx1jzOWgG1zaxGfDtWfpbrgFCgAiTbPPMHoRP6KM=,tag:VhbvcwxV561iB03zIhvPQg==,type:comment]
+    xll: ENC[AES256_GCM,data:Y9jk/9yKwYiUeC9h7NkNNRYllyakXco108J8ZPLYQT+u7NsIMZ4kw27IjV4ytwH3k5Xid4jLKEsmKayNAW7kPNdbFfACcugL7w==,iv:cDtPmsHefigsqJZMPqOReVj9YOOgDXQhmulUHYUqYfo=,tag:8SS8dstzuon6f3y4pVA+wQ==,type:str]
+    #ENC[AES256_GCM,data:fptM8gt/IHBZ,iv:gX09x6/ZRXIXG0wOFBUCj6ZtMaTXebcSzvFMsS8vxcY=,tag:M5KFPF8Gmsd87lQ/hqhXnA==,type:comment]
+    zem: ENC[AES256_GCM,data:w0797tV3yFqXbZmhB48kvxK1SJCAFpIjgja2sai2YQB2Z3ELJaQMTIsmgI6p85m/Q15nzFVPdEAsxz6ts3eskRttOSw9mXeNyA==,iv:D3yesKHqbhab1Zk5ZKAm9sKi5KXVt+0JD0pOO5VgptY=,tag:ySURHTqQc0Rxd2u1igZ8Kg==,type:str]
+    #ENC[AES256_GCM,data:XwSZ0w8UgIgR,iv:i4tBBEC/lagRmk7AbzFFjDEnKOzxObkTul/wc+tyyXA=,tag:EKrU4YZ4iOaXpbn/lrZJlw==,type:comment]
+    yjq: ENC[AES256_GCM,data:Oy6b2sl59z2WA5/ifzJoq1KHzvbo+Izwac7yInRPGURxymUU/KvwW8p/XXIJsKkd2BjNaYkdELjNVrhTFd/tRhK+mCy8GSK4Lg==,iv:AGVSFIyqI5HNA+5e+ME3FKKoYMS4MCi4gjaxknord1A=,tag:ayLj6n98F2r62WdDqIaE3w==,type:str]
+    #ENC[AES256_GCM,data:H1WyypgcuhcF,iv:mw2bcXzisgxeUIw6zC4nwHPhsrz5XNIsL72aGyEwyX0=,tag:A2Cb+DuX0BM61TK6/nWEgw==,type:comment]
+    gb: ENC[AES256_GCM,data:ZfcJtiEmdZux90Vqn/L8oq16C10rfRPhxX+FnskJ/+OfdAVheEt9IeIdXpkVfIXU68rIBhDFI60Andm9gmddqoQqHhBj/W9gAA==,iv:fyCkc92YxeIumHODfOU2PWpVfeDJ8RKxKHRfFUYGF0g=,tag:cIn5rZSN8fONNz2GNSUOow==,type:str]
+    #ENC[AES256_GCM,data:5q0u/KpWah5X,iv:FiMDektaHAFHenCT89skQ7gQgoMHdY8BtoyEv0L3npA=,tag:tNtRbpY2bYIUVjLx+IwGvg==,type:comment]
+    wp: ENC[AES256_GCM,data:EcAOCjsqNFzRQtgjgtLn4X7G05cTN/SCmEGCtV/DRISj20Y3kMzbOSmtJoeII7mVA1WITxjhyBXX7abFjD80sZMGF4Th87kXiA==,iv:er9mbrz3F81vHLGPNYiyVO80hOXI3ZjFUuJbMaYWNeE=,tag:le7Fw45V0pdkHoXywdjFsA==,type:str]
+    #ENC[AES256_GCM,data:bh0mHOovPAba,iv:doFuGvLagS17tgNm28J+T1qTvXAzPsenVN3heTDkNts=,tag:e0lsqlvXVk6lDqe1xGkemQ==,type:comment]
+    hjp: ENC[AES256_GCM,data:agAmi5i8cdAC5B75E92PbDGG399AJyI87zbgErtYxM5CHLTBxPjAfqLLEAHTdRbfo53wHQEbG4/fFkunwrHrCdspKtsuFrK4xg==,iv:m+MregSzL5EsuNW/oiJXJIFeq4n1CAaQQV9AKId7rxg=,tag:nOI//Z/4gBfB7F2jwX7cWA==,type:str]
+    #ENC[AES256_GCM,data:jHalo04u3gd+,iv:RjIwI0Kqmy0uVTxRRu1gNG/2eZXnl7iiuC9KOSV1RfU=,tag:Jvza//JVEtLwdtYk5+sY+Q==,type:comment]
+    lly: ENC[AES256_GCM,data:5ZHy3nXe4SoGi+hu+woQwB/h7HyLdDlE6fkO6FXttEW4ZaBjIqiXOz2M9XMTmcMih9S7fGJPXDBD76oHGVY5W5ytyi3i1wyaFg==,iv:RWhQFYAIs5AELumViQRTsVPNfsV59zQYDFVX+DZpPrc=,tag:R3E1IBUAN7XOjrwNEwjZ5A==,type:str]
+    #ENC[AES256_GCM,data:fz4CpQWCXmHX,iv:8UexUxCvtcmk7S8qPdKd3jxro7PspCYX6G7ujAEQ7HM=,tag:LgyieyMQ0zZLD0EW+POeoQ==,type:comment]
+    GROUPIII-1: ENC[AES256_GCM,data:WfdbkyWIDl+lD3xPC5TMBQ+U2hIjHYyhNhnZ1PH9uowSdRCqoPAJ2GS7X35WrlrgTl67ByaTwhXP8r9LR7eL0YwdivTL/wxOXw==,iv:OBaEPQVBeShs+UH2BBIBLGT44tPiVyQ8G1ReZ4jALH0=,tag:SnwGrb3eI57rJUoqE6HR0g==,type:str]
+    #ENC[AES256_GCM,data:OWTTbVhXIxSp,iv:GP6a2S9XdQ0xzTBQ91zkEgrNMtY1WVodTH/F/wh/mqU=,tag:6nzpvk9RFsAJxaL0Qiau0A==,type:comment]
+    GROUPIII-2: ENC[AES256_GCM,data:NMnWdKTGyK9AhrmzdDaxgzeFbbc0TGPlfYzOr7g0zexxBTjyJiwox9thEglkkyA23e5GgNs6zObqUknZT3M7/epzbQDoSQYCmQ==,iv:+nSj1P2LlME48VjSF1t2ziPkhgKiDlLkAaL+PBCV/hU=,tag:41YqBFHAbfrmbf3kVC45CQ==,type:str]
+    #ENC[AES256_GCM,data:0QMjEtxrhSj8,iv:YyMHdZTx/OViWBZ+1CGGAwaOLlqR6WdrKG1g44sZGYE=,tag:N5uMwbWJJF+DGiopdYm2Mw==,type:comment]
+    GROUPIII-3: ENC[AES256_GCM,data:c+HRdDZPugIVI2vmuOlorhjZzxS11c6CJiZ3ZEwFFHfIoIUmGsXoRPGraJ0BjI3W+XZbI6qk211yufTgXLVj7nOVi0PW/9mteg==,iv:H8DlkTjkL/f6Oa2LG3dHRsJuWkEqokUJ/mjMyDnEAc4=,tag:0QmUyfAbYnn7vs4AdwQtYw==,type:str]
+    #ENC[AES256_GCM,data:F347rPlEQZyz,iv:VlbVlc/tFmmoe8lVDza7ZJgHavZ/1NM9mK3KZNVrpbk=,tag:iRdvv0ajtgrJgMe87vBFfA==,type:comment]
+    zzn: ENC[AES256_GCM,data:P76cGOGJK3B7Z3nxZ9BlvvyegJ+4JX25kax7/Bj/0VKsH1cGEfyvNbPH8qYUZqm+zUvqEoFNZKWM4+IQKO7Zo9IXCJhGItL1Nw==,iv:e9lnHecgzSrHJkxumRpKGHzGlYbM5Yov4F4Dd4fIqrc=,tag:G7Cr7d1KZfldzYNRL1eSpA==,type:str]
+    aleksana: ENC[AES256_GCM,data:xRqQLPpcv0Ymz7wV0jDDz1i6eKIZKEXvqofO58VSHEC9aVSTLV7aXLw2kQ8PrAPo4FAkne2F6MYQGRwZFIHOjxfhw+ncXVDHxg==,iv:OSbT/f2LRUFY3DEyCCbWkPzwsrsNdVz6ah5ITRt+Kjc=,tag:00z36RTe76p1uxFCchGcpg==,type:str]
+    #ENC[AES256_GCM,data:xAGWajpTpg2keMthwQ==,iv:sQreB2mExZlWgVsig7885zf4LI6RFSitYUnD4ngvhfQ=,tag:viEY1wUVlDCqKm5ucQWzsA==,type:comment]
+    alikia: ENC[AES256_GCM,data:N4lyS8XZSxP3su+Frz00BPU+II+N6nosu4yOLPSG7zxefcJoG7i5bG3bzb1OQLc/x4fTuD2Wd6mEy6q66cizBkGn3xQHZIaW2w==,iv:FO64ACjOS6+UzWKP5WdcFOGZTzslfetX/VAxyUPZ3ds=,tag:6Kf0MCRUj9cbxyk4TsH8iA==,type:str]
+    #ENC[AES256_GCM,data:1br5bc3q0jBn4WrJzQ==,iv:YmIFhDd9Wl4dcKJLBC6A3v7oUXhBin6ZOuJknSiaYfw=,tag:8gtEBug4vHQkxN/9tLjqSw==,type:comment]
+    pen: ENC[AES256_GCM,data:XOKXV0YSFbHC3I3xO8fpWvYerNfVFg2afs+CUp2MZB+yt9KR5bTJdVOfUGldLbWH5CR4v5FxTrTujv24wJ710Rfyugxh9aFJ/w==,iv:tHLoO+XpdUk8S56QUiJQOpVO9C5epam9PMubMN+8fHw=,tag:H0srWRigNUedQMIAfJlfjg==,type:str]
+    #ENC[AES256_GCM,data:K6O0TIYYGZmM8iOwsQ==,iv:xtT8Psnoy51V9gsRo335+VT56FXTcMQ3d4/tnuWouew=,tag:k8irtZ33G3UFK++rzcmyiw==,type:comment]
+    reonokiy: ENC[AES256_GCM,data:fPKdOPAKbXUvK5Jj08T0iSD23mhhkTXCexgB5q3v5JS4c6V4S+W14WOkS4UHrMQls/rHslw0NyMzS5G27A+5vN+EN+xJZfuRGg==,iv:tSdNOgs61tyt7/hUKt8bfKvpq9qOQU14ligdxBs/ATs=,tag:6IoS/p2StKtFREIpxsWkdg==,type:str]
+    #ENC[AES256_GCM,data:cZznknXjlWF6eoEaTA==,iv:tdw/54W2evO1o5sq1syz3k0DZrm/rjflxqJpB9LZgvg=,tag:d60Ctc5YeSmhZJUURUmeSg==,type:comment]
+    zqq: ENC[AES256_GCM,data:iFtM0pxIvXPHBnLEfHdmYGVWXuroDLgUaAKF+DmuBdq1NY+pr33oXNJzckFZfWgpIOuCm4cNg5j5R6nsG+zk2VWdi2vuITT4jA==,iv:qfBC/D1gJYXOZ0Fy2DkAb+ImDgXZWU6R/Z50hbVDR98=,tag:eCr6lbSieWDCNaTYzoQ0qQ==,type:str]
+telegram:
+    token: ENC[AES256_GCM,data:zfMATU2E6cwoiyfszV35vkQG6JSk00y589wmGEf4wQNncPhNsvh+NcSfnTwHTQ==,iv:Q46mUquhUZLGQsCDYitk4IPu24MpVnYmi7aHyZL/b1E=,tag:QVbrwAA9mWK/ToJfGIs9ug==,type:str]
+    user:
+        chn: ENC[AES256_GCM,data:mTt2D+SkvVL8,iv:L0Pk5p46E2kKBdRWCGpwOKS0BsbIhZUslpIFWvkssMY=,tag:+AjbNJ1SW/8Mx1HLpWAd2w==,type:str]
+        hjp: ENC[AES256_GCM,data:ZXTQhax0gT4PKw==,iv:MerbaWWC4SLazEuuJrxAxf9e5aaX9xpq9St+h9aqvMQ=,tag:x9knShK90OKZPcn9fKzvMA==,type:str]
+nginx:
+    maxmind-license: ENC[AES256_GCM,data:MtmNo6hHlU75N6PvzF7P5i6Q+myV4Keb1JRXVeHxTennNpKfAndsKg==,iv:DqM91JX+1WX8Zqzha2Tm3ztFaSzKYQg+b9NvUm+6jxY=,tag:XnDTBL9MA/B8XfPZqdk7Eg==,type:str]
+sops:
+    age:
+        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyR09MUytUL2h3cWlIanNF
+            VWd6SVNWOGVlVVpGbGtyQWxnZlk0cEx2TFJzCmhtbGRFcDdlWDAxU3NneXloSS9U
+            WXBtQmg4dFhOb3J3bThCUDliUmJ4NVUKLS0tIG1uQjdiODdHWVVrVGIwb2lPN1V1
+            QjVyWFAzQTRDWXMyMXdUNytKcy9abmsKZ6maa6DoKPkDAYXGLVoLWIi3fzzs1SVF
+            C/9y2PG/j7F8Pd4hUHl7ILWN/VNbYKQwGYp59+kKeAzeSHkJeTTKyg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ffvr5pqd2lfj24e3fh53s92z6h76fda3du4y4k6r3yjumdwvpfgqzj033a
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZaitpVkkvNEFOMEZXK2s0
+            Z1o0UTZ4NFRrd2NqNzhNVWhncmdWWDlzZ2swCkthMU50WldYajN1eEZCRVRUZ2d6
+            TU8za1R0aUdCV3hZaVlIRE01UHdYc2MKLS0tIFNWcFdVWGc5dUVtWnVVbGh1WFVU
+            UzFsYS9tL0xNeDBmQWIrTVB2MkVtdVUKjMADWap5h4NGj3ESamUHz3+8AtO2sOL6
+            wFm/sTfEuhFqO8bodtBXB/veQOrr97Dw8PhO/6CO5JdGTEyFIZ3DoQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1yvrl4y0r6yzcxzzkgfwshlrtsjt8uuya6rfwks09pnft7esfcyvqmrtm5q
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXOFprRWZQaVpMQkxJN2Vw
+            RVB6QXN6bDJPcEt3YURaby9PZm1FZHhDRmtZClBiV0JobHZRejhWVzhOZThRTTJ1
+            UE91bzdWMjJvYllIWXBmQkNReThIc00KLS0tIGRLa0V1b3ZWSVQzc01sUlBMVzBz
+            blZyM0FpelBoTE5Ia2J3S2c0WE5FcVEKKTJ5jzNLkLixv+8DlcTrR9sWs6GihPG6
+            x9w/Zu5H4DK9EVFyksTujRZZMI6o4lHzl2VIrgkTNQUwIPtsqo5KMQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age164tyqklwhdm57tfm5u863mdt2xrzrrzac4py8a0j9y6kzqcjy9zsp073t6
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxQWwvbXZoNHFxM1Y3L0pO
+            cDlML1ZWWXppeWxaZjZwOFVvbHNubmxEYUI4ClB6Wm00dTRFUE8xTFNlUmdacjFU
+            VGNiMFk1SHpOVnJ6RWdyVXk3WGkxZm8KLS0tIDFnamZqa1VqdUVXWFN5YW5CNGhh
+            UHc5bCsvVFV2eDlLR2Q3STFCQXpZRzgKSVvG8HcDtBJAh8iNrQd+UKbgs/k5Yf2t
+            KqMdODturfudk8QJn3pR97essszrsK/HS4yptp71bBSj3qK50Lp/rg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age19lhcwk37jmvn6z0v4dpdfh0k4u23f76twdjknc0p7atktf37rd7s4t4wj3
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5Rkc2MVhUc0tTUkNsenQ2
+            aVM1dG9MSVpwaFloU1ZRWmVsaEtYVGY3NlFnCm5PM0VpWVFKdExJbExIMnZ0Tmw1
+            eCtVdkRpVW9lcFA5bWwwbWNaYTMzejQKLS0tIHA4MTd1anM4NWtmQUx1cVlsWFVQ
+            bk5iV2xRazdoZnY1dGhKSGFFdUFWY3MKGoxBih7fDQoZFxj8JjiRAl8D3/8xWBeq
+            RS/8C6v+/V+Afnv9QN6uYt0l4YeGn8tv1TRNWXHZl0A6DFjzouwhZw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1m7nrxfw22wvp7pj8y9pdl745w95x89uu8dzl9ppsaazweqf2lqms5yshsp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzN2hsZGExRnFaclpUNEdr
+            bkJJM2gySmtzUlVmZWoxZ3pST2l2dGtCdnhnClNWeVZqWTJ1Mk1pMGZCaXppU0lY
+            RUtlT3YrQmZuVTZ3TjJYMlhGMTVMMncKLS0tIDJsaVQ3aHZIWHhXOFJ1WmpQUDNk
+            SjBSRm4wWjhpUzFmVUtwdGUvbmVIV0EKzgfa9i+VJLPvBRrFbNavZtG1hK6jazoD
+            WHkWedx4AUUJQQlp12Wetj/0yY9jF3BLv/wvEAusq6Z4dO2aHr3sRA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1nzetyehldf3gl6pr6mu5d2cv387p8wjqn6wfpll7a3sl8us6n38s0ds633
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQcWFOcXAyYjNoSEhLdEtC
+            ang3bHJ2RmtaL2RManE0K3B0elg4aHJmODB3ClZLSXA5MmhVT2ZZSm9KSUlod3BB
+            V05lT3h0a3NQZnMrNERwNk1LTHRiVlkKLS0tIElESTNEVUpZbk93WFpXNnRTYzY5
+            K2tkMlVCRnBKdVRzWk9aQy9kUUx3L1kKNO9LsaJDfF0v/XCMYV0lmHLFakbVjj+H
+            wGJZQYgu/sETDZQVMeu42fQ++IKElmpfq2/o6+gM7aI0RxLqnBryfw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1wj33xt8nj7rhnsenepsf6k3lmq5vk4wn84jwr55qy9cwu05xn5cspg3h7t
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrYnBzd1k5UEhXZ0wxSU02
+            elZkYlhDWC9CbWFkRlM2bCs2dzNTSlk4TUJnCm1WVnVxaUYwZ1QvNHJRb29ER21P
+            UWhOb2tETWRJR09Sb0l6VXRMaU5KZlkKLS0tIFA3TldTUmJ0Y0xJemJPS0wwK05D
+            SHVXTGUraDE4anJOZFFuaHBKV1lMSWMKemZfKWbI0YR4QuR5zqvGKSnU3HzwZHvo
+            DJ9u2eq7R7OwtDscn9qCwPThORxLMWdI3n+3+XVwAysqW2efrvnGgA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age16e7ykphshal6qhwfvat698hl48s8yr0jvzh27ecdyfh5uk7t9u6s753jgy
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZOFZQZmRHVUdjTXpDbFFm
+            SGt1d2lmYXVZa21iSFhMOTUzMmRIU3BIOUI4CmFvT1BMZmE1eC9tV3dJbVJ4ME8z
+            N25hc0NyZmtMbGFxYmtPSkFkSGZ4bFEKLS0tIE5sUFBTanJONjhtR3BnYjVYdlYr
+            NVZNeDFJOGJIdFlacE9LMmFuakZYUkUKmuK+ogCs3WH9TiGiUfRZ9L98aqRli91A
+            1xHYMJOc5FwI+jaHp1m7nkn+egIOmKvyyejI2ZHQ84tItS+aoiI0bw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1l4stuz0vr7gs7pqwjrmezam44702jp2vmqaqyxw0l0r42kf9updq4dfhrw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRRHdHMFAvRFRCNmNES2R0
+            Q3ptRDVrQ3JHaXBxSUlldVd5WUNFc1ZQeDBFCnNiMFErODJhbk5LQ1VGd01oU1N2
+            eXk4Q3VRcUNNWURDUitUMWNOQlJaeWsKLS0tIDRKQ2M1Rnpla3o1NTlCeC9wbGJo
+            cGZxcDUyYzZBMXRpbi94RkcvQXc5aDAKrHpvCDpECN5HS1qeNoiOwKWpT46bLQBd
+            404XgHar20AswgDIjAMp5KJ1pkluQ9j5pVKNFjqJ+9sb3RLYM7Z06Q==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1hnarptkze0ujpp05dqr8uma04cxg9zqcx68qgpks5uf5l6rpk5gqhh8wxg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvR3RhUHBORW1BNFh5M1c0
+            QlhmUDY1T0ZmN2dGaUhLOVkxN2NiUklBU1hVCjY0MXBoNmw0ekpQYlMzdFZhNFA5
+            NE9XdnlaaGdiSU1BYkRvcThaYmpVcTAKLS0tIGk4UHMwK20yQ2w0N0hoQnZYK2Fk
+            czU0M2dQbU8rMkZJbEJaZ1NhcE1yZFEKUWe5IaDuPjfQ/m76m6DdvF8HWmDiVH1k
+            IQk6sIJfbcINGOVP+JYGJPWgq6LGg1EdW4ONctosVk6kxRO30N0rVQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1n4lhfwv7g0vhx54exmwx9yv2z04m3h2lunzpa5zdzgtcvjjuf5nqc36g8a
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1YXF5aGRobkFVdFQzRFBp
+            NnhvdWtxU2dxa2s4d2FiYnBrdmMvakU1cFhvCnJ4NWVCc0t2ajFpdWVMM25XUnE4
+            a3E3N0laOEYwNDBNdTc4WjdZR2R3M1EKLS0tIC9WRGpJSUhhM0JGZVJWaHlvSkRH
+            bXErdTlYQWh3cmZITWxIeDYzaklWbmcKKG08GymtessnDUfg/AgmQh9eyJx25Y+c
+            RyhAdNl6Lu2Hv7e/oqr23SmwFuhzgPl6eL8t1Nz3s1KraShZazjpQA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1vgqvdqqe3mn0gvh0hydvu9c5f9yn5vek08cagyvwjhyta6utpvuq00g9c2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSK2tkZXZkYWZWcEFhS1h2
+            YTk2N3F4L3AzNzdmZXhLRXpOLzlRa1NNSXlnCjRNL3paejlRUTZrVEFwdWdzRzVp
+            NVFReGwrZk9IdVhQSnFzK3lVMWRPOTgKLS0tIGs2azNoQm51ZDZrOEJDbEhRVTFu
+            aVdEZ0s4SjljZFc5ZTJwK3ZON3VlRVkKB1apktkRqW0R/Epn3bZf/Aym5evUmxm+
+            TLkJxTT6TVcgjobcpFvMmI+pqRWfh5Opj9a9lSe5QvsXxdgOs0mvzg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age17a8y4yr2ckuek67rt786ujuf7705gvj3vv6ezktxxmgayea9zcyqet7hgc
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNWlhIdTdtNkpZU3Y5T1Vl
+            WjZXLzJYVDdweFpITEh6cmszOVYrZWI5eTM0CmNSTnd4T3g0dFNiTDNCM2hEOTVo
+            OS85R0VqdEZkTlhGWFNRZFpXZGlWTFEKLS0tIHQ1YWJrZERJUlZwZnU3RThucVRL
+            NHdwcGl2Wk11TFdCd25OTE1nVDNYd2MKOxa2f7bFgFE2zCR1kKtC6giQhr1P79W0
+            MKxil/x2T8rBNkK6sN0PjkphKdg9LVit86ilHPwTgnkl9oz8Cs6X5A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1wmcayhf9eyx9e9yp97850mqas9ns455crce8hfmvnupgcxd6sews5r0cln
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmL1ZjRzJNQVFNekFUVlQv
+            SmJWMDRZMXNDaTNNd093b25kSk5nTDg0K244CmVLK08xKzlleXpWblRkbGZVMENi
+            U0NGVVhycUN6OEZDNjFBUndSdnRLdE0KLS0tIHJEeTVIY2xwZWdqdG9JRVhsRENq
+            UnR5Y24rSTk3WUV1VUgvQUFCVUxPZUEKv/lTy02gZYn4jF1uGtm+LhJd0m59Xe99
+            +unmqUDh0ZqAhJU8o0jrBiWs1lXOHU7CkIom7tGEMHGUxHkS+Z/6GQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-06-09T12:54:56Z"
+    mac: ENC[AES256_GCM,data:pAJ1mr02yp41jTcvy56OCUvJZh0NJXqAj582F85eevOIVy/GKQyvBonSkT0vN85q8UXw6tsNBpSqLi5MEoP2QhSP6x6mMZ6fHHGtkhw2ROmuTcfGdHDIq0SMU6arukEVDFlVsoneNXUUmdvwDjxAGv4qf7sI4ynPwu0V9xurYiI=,iv:ZuCObomHvfEPEKnepRyTOiojOEh6mfWW+bF/ytsTqiU=,tag:k0WuI8eewWeCQkiXDisjZw==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2
--- a/devices/cross/ssh.nix
+++ b/devices/cross/ssh.nix
@@ -0,0 +1,113 @@
+inputs:
+let
+  devices =
+  {
+    vps4 =
+    {
+      publicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIF7Y0tjt1XLPjqJ8HEB26W9jVfJafRQ3pv5AbPaxEc/Z";
+      initrdPublicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIJkOPTFvX9f+Fn/KHOIvUgoRiJfq02T42lVGQhpMUGJq";
+    };
+    vps6 =
+    {
+      publicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIO5ZcvyRyOnUCuRtqrM/Qf+AdUe3a5bhbnfyhw2FSLDZ";
+      # 通过 initrd.xxx.chn.moe 访问
+      initrdPublicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIB4DKB/zzUYco5ap6k9+UxeO04LL12eGvkmQstnYxgnS";
+    };
+    nas =
+    {
+      publicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIIktNbEcDMKlibXg54u7QOLt0755qB/P4vfjwca8xY6V";
+      initrdPublicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIAoMu0HEaFQsnlJL0L6isnkNZdRq0OiDXyaX3+fl3NjT";
+    };
+    one.publicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIC5i2Z/vK0D5DBRg3WBzS2ejM0U+w3ZPDJRJySdPcJ5d";
+    pc.publicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIMSfREi19OSwQnhdsE8wiNwGSFFJwNGN0M5gN+sdrrLJ";
+    srv1-node0 =
+      { publicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIDm6M1D7dBVhjjZtXYuzMj2P1fXNWN3O9wmwNssxEeDs"; extraAccess = [ "srv1" ]; };
+    srv1-node1 =
+    {
+      publicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIIFmG/ZzLDm23NeYa3SSI0a0uEyQWRFkaNRE9nB8egl7";
+      # 不能直接访问，需要通过哪个机器跳转
+      proxyJump = "srv1";
+    };
+    srv1-node2 =
+    {
+      publicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIDhgEApzHhVPDvdVFPRuJ/zCDiR1K+rD4sZzH77imKPE";
+      proxyJump = "srv1";
+    };
+    srv2-node0 =
+      { publicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIJZ/+divGnDr0x+UlknA84Tfu6TPD+zBGmxWZY4Z38P6"; extraAccess = [ "srv2" ]; };
+    srv2-node1 =
+    {
+      publicKey = "AAAAC3NzaC1lZDI1NTE5AAAAINTvfywkKRwMrVp73HfHTfjhac2Tn9qX/lRjLr09ycHp";
+      proxyJump = "srv2";
+    };
+    srv3 =
+    {
+      publicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIIg2wuwWqIOWNx1kVmreF6xTrGaW7rIaXsEPfCMe+5P9";
+      initrdPublicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIPW7XPhNsIV0ZllaueVMHIRND97cHb6hE9O21oLaEdCX";
+      # 默认仅包括wireguard访问的域名和直接访问的域名，这里写额外的域名
+      extraAccess = [ "ssh.git" ];
+    };
+  };
+in
+{
+  config =
+  {
+    programs.ssh.knownHosts = builtins.listToAttrs (builtins.concatLists (builtins.map
+      (device:
+      [{
+        inherit (device) name;
+        value =
+        {
+          publicKey = "ssh-ed25519 ${device.value.publicKey}";
+          hostNames =
+            # 直接访问
+            [ "${device.name}.chn.moe" ]
+            # 通过 wirewireguard 访问
+            ++ (builtins.map (net: "${net}.${device.name}.chn.moe")
+              (builtins.attrNames inputs.topInputs.self.config.dns.wireguard.net))
+            # 额外的域名
+            ++ (builtins.map (domain: "${domain}.chn.moe") device.value.extraAccess or []);
+        };
+      }]
+        ++ inputs.lib.optionals (device.value ? initrdPublicKey)
+        [{
+          name = "initrd.${device.name}";
+          value =
+          {
+            publicKey = "ssh-ed25519 ${device.value.initrdPublicKey}";
+            hostNames = [ "initrd.${device.name}.chn.moe" ];
+          };
+        }])
+      (inputs.localLib.attrsToList devices)));
+    nixos.user.sharedModules = [{ config.programs.ssh.matchBlocks =
+      let genericConfig =
+        { forwardX11 = true; forwardX11Trusted = true; forwardAgent = true; extraOptions.AddKeysToAgent = "yes"; };
+      in builtins.listToAttrs (builtins.concatLists (builtins.concatLists
+      [
+        # 直接访问
+        (builtins.map
+          (device: builtins.map
+            (name:
+            {
+              inherit name;
+              value = genericConfig //
+                { host = name; hostname = "${name}.chn.moe"; proxyJump = device.value.proxyJump or null; };
+            })
+            ((device.value.extraAccess or []) ++ [ device.name ]))
+          (inputs.localLib.attrsToList devices))
+        # 通过 wireguard 访问
+        (builtins.concatLists (builtins.map
+          (net: builtins.map
+            (device: builtins.map
+              (name:
+              {
+                name = "${net}.${name}";
+                value = genericConfig // { host = "${net}.${name}"; hostname = "${net}.${name}.chn.moe"; };
+              })
+              ((device.value.extraAccess or []) ++ [ device.name ]))
+            (inputs.localLib.attrsToList devices))
+          (builtins.attrNames inputs.topInputs.self.config.dns.wireguard.net)))
+      ]));
+    }];
+  };
+}
--- a/devices/cross/wireguard.nix
+++ b/devices/cross/wireguard.nix
@@ -0,0 +1,245 @@
+inputs:
+let
+  publicKey =
+  {
+    vps4 = "sUB97q3lPyGkFqPmjETzDP71J69ZVfaUTWs85+HA12g=";
+    vps6 = "AVOsYUKQQCvo3ctst3vNi8XSVWo1Wh15066aHh+KpF4=";
+    pc = "l1gFSDCeBxyf/BipXNvoEvVvLqPgdil84nmr5q6+EEw=";
+    nas = "xCYRbZEaGloMk7Awr00UR3JcDJy4AzVp4QvGNoyEgFY=";
+    one = "Hey9V9lleafneEJwTLPaTV11wbzCQF34Cnhr0w2ihDQ=";
+    srv1-node0 = "Br+ou+t9M9kMrnNnhTvaZi2oNFRygzebA1NqcHWADWM=";
+    srv1-node1 = "wyNONnJF2WHykaHsQIV4gNntOaCsdTfi7ysXDsR2Bww=";
+    srv1-node2 = "zWvkVyJwtQhwmxM2fHwNDnK+iwYm1O0RHrwCQ/VXdEo=";
+    srv2-node0 = "lNTwQqaR0w/loeG3Fh5qzQevuAVXhKXgiPt6fZoBGFE=";
+    srv2-node1 = "wc+DkY/WlGkLeI8cMcoRHcCcITNqX26P1v5JlkQwWSc=";
+    srv3 = "a1pUi12SN6fIFiHA9W0N1ycuSz1fWUSpZnjz20OPaBk=";
+  };
+  dns = inputs.topInputs.self.config.dns.wireguard;
+  networks = # 对于每个网络，只需要设置每个设备的 listenPort，以及每个设备的每个 peer 的 publicKey endpoint allowedIPs
+  {
+    # 星形网络，所有流量通过 vps6 中转
+    wg0 = let vps6ListenIp = "144.34.225.59"; in
+    {
+      devices =
+      {
+        vps6 =
+        {
+          listenPort = 51820;
+          peer = builtins.listToAttrs (builtins.map
+            (peerName:
+            {
+              name = peerName;
+              value =
+              {
+                publicKey = publicKey.${peerName};
+                allowedIPs = [ "192.168.${builtins.toString dns.net.wg0}.${builtins.toString dns.peer.${peerName}}" ];
+              };
+            })
+            (inputs.lib.remove "vps6" (builtins.attrNames publicKey)));
+        };
+      }
+      // (builtins.listToAttrs (builtins.map
+        (deviceName:
+        {
+          name = deviceName;
+          value.peer.vps6 =
+          {
+            publicKey = publicKey.vps6;
+            endpoint = "${vps6ListenIp}:51820";
+            allowedIPs = [ "192.168.${builtins.toString dns.net.wg0}.0/24" ];
+          };
+        })
+        (inputs.lib.remove "vps6" (builtins.attrNames publicKey))));
+    };
+    # 两两互连
+    wg1 =
+      let
+        inherit (inputs.topInputs.self.config.dns."chn.moe") getAddress;
+        # 设备之间可以直接连接的子网
+        # 若一个设备可以主动接受连接，则设置它接受连接的 ip；否则设置为 null
+        subnet =
+        [
+          # 所有设备都可以连接到公网，但只有有公网 ip 的设备可以接受连接
+          (builtins.listToAttrs
+          (
+            (builtins.map (n: { name = n; value = getAddress n; }) [ "vps4" "vps6" "srv3" ])
+              ++ (builtins.map (n: { name = n; value = null; }) [ "pc" "nas" "one" "srv1-node0" "srv2-node0" ])
+          ))
+          # 校内网络
+          (builtins.listToAttrs
+          (
+            (builtins.map (n: { name = n; value = getAddress n; }) [ "srv1-node0" "srv2-node0" ])
+              ++ (builtins.map (n: { name = n; value = null; }) [ "pc" "nas" "one" ])
+          ))
+          # 办公室或者宿舍局域网
+          (builtins.listToAttrs (builtins.map (n: { name = n; value = getAddress n; }) [ "pc" "nas" "one" ]))
+          # 集群内部网络
+          (builtins.listToAttrs (builtins.map
+            (n: { name = "srv1-node${builtins.toString n}"; value = "192.168.178.${builtins.toString (n + 1)}"; })
+            (builtins.genList (n: n) 3)))
+          (builtins.listToAttrs (builtins.map
+            (n: { name = "srv2-node${builtins.toString n}"; value = "192.168.178.${builtins.toString (n + 1)}"; })
+            (builtins.genList (n: n) 2)))
+        ];
+        # 给定起止点，返回最短路径的第一跳的目的地
+        # 如果两个设备不能连接，返回 null; 
+        # 如果可以直接、主动连接，返回 { ip = 地址; }；如果可以直接连接但是被动连接，返回 { ip = null; }；
+        # 如果需要中转，返回 { jump = 下一跳; }
+        connection =
+          let
+            # 将给定子网翻译成一列边，返回 [{ dev1 = null or ip; dev2 = null or ip; }]
+            netToEdges = subnet:
+              let devWithAddress = builtins.filter (n: subnet.${n} != null) (builtins.attrNames subnet);
+              in inputs.lib.unique (builtins.concatLists (builtins.map
+                (dev1: builtins.map
+                  (dev2: { "${dev1}" = subnet."${dev1}"; "${dev2}" = subnet."${dev2}"; })
+                  (inputs.lib.remove dev1 (builtins.attrNames subnet)))
+                devWithAddress));
+            # 在一个图中加入一个边，current 的结构是：from.to = null or { ip = "" or null; length = l; jump = ""; }
+            addEdge = current: newEdge: builtins.mapAttrs
+              (nameFrom: valueFrom: builtins.mapAttrs
+                (nameTo: valueTo:
+                  # 忽略自己到自己的路
+                  if nameFrom == nameTo then null
+                  # 如果要加入的边包含起点
+                  else if newEdge ? "${nameFrom}" then
+                    # 如果要加入的边包含终点，那么这两个点可以直连
+                    if newEdge ? "${nameTo}" then { ip = newEdge.${nameTo}; length = 1; }
+                    else let edgePoint2 = builtins.head (inputs.lib.remove nameFrom (builtins.attrNames newEdge)); in
+                      # 如果边的另外一个点到终点可以连接
+                      if current.${edgePoint2}.${nameTo} != null then
+                        # 如果之前不能连接，则使用新的连接
+                        if current.${nameFrom}.${nameTo} == null then
+                          { jump = edgePoint2; length = 1 + current.${edgePoint2}.${nameTo}.length; }
+                        # 如果之前可以连接，且新连接更短，同样更新连接
+                        else if current.${nameFrom}.${nameTo}.length > 1 + current.${edgePoint2}.${nameTo}.length then
+                          { jump = edgePoint2; length = 1 + current.${edgePoint2}.${nameTo}.length; }
+                        # 否则，不更新连接
+                        else current.${nameFrom}.${nameTo}
+                      # 否则，不更新连接
+                      else current.${nameFrom}.${nameTo}
+                  # 如果要加入的边包不包含起点但包含终点
+                  else if newEdge ? "${nameTo}" then
+                    let edgePoint2 = builtins.head (inputs.lib.remove nameTo (builtins.attrNames newEdge)); in
+                    # 如果起点与另外一个点可以相连
+                    if current.${nameFrom}.${edgePoint2} != null then
+                      # 如果之前不能连接，则使用新的连接
+                      if current.${nameFrom}.${nameTo} == null then
+                      {
+                        jump = current.${nameFrom}.${edgePoint2}.jump or edgePoint2;
+                        length = current.${nameFrom}.${edgePoint2}.length + 1;
+                      }
+                      # 如果之前可以连接，且新连接更短，同样更新连接
+                      else if current.${nameFrom}.${nameTo}.length > current.${nameFrom}.${edgePoint2}.length + 1 then
+                      {
+                        jump = current.${nameFrom}.${edgePoint2}.jump or edgePoint2;
+                        length = current.${nameFrom}.${edgePoint2}.length + 1;
+                      }
+                      # 否则，不更新连接
+                      else current.${nameFrom}.${nameTo}
+                    # 如果起点与另外一个点不可以相连，则不改变连接
+                    else current.${nameFrom}.${nameTo}
+                  # 如果要加入的边不包含起点和终点
+                  else
+                    let
+                      edgePoints = builtins.attrNames newEdge;
+                      p1 = builtins.elemAt edgePoints 0;
+                      p2 = builtins.elemAt edgePoints 1;
+                    in
+                      # 如果起点与边的第一个点可以连接、终点与边的第二个点可以连接
+                      if current.${nameFrom}.${p1} != null && current.${p2}.${nameTo} != null then
+                        # 如果之前不能连接，则新连接必然是唯一的连接，使用新连接
+                        if current.${nameFrom}.${nameTo} == null then
+                        {
+                          jump = current.${nameFrom}.${p1}.jump or p1;
+                          length = current.${nameFrom}.${p1}.length + 1 + current.${p2}.${nameTo}.length;
+                        }
+                        # 如果之前可以连接，那么反过来一定也能连接，选取三种连接中最短的
+                        else builtins.head (inputs.lib.sort
+                          (a: b: if a == null then false else if b == null then true else a.length < b.length)
+                          [
+                            # 原先的连接
+                            current.${nameFrom}.${nameTo}
+                            # 正着连接
+                            {
+                              jump = current.${nameFrom}.${p1}.jump or p1;
+                              length = current.${nameFrom}.${p1}.length + 1 + current.${p2}.${nameTo}.length;
+                            }
+                            # 反着连接
+                            {
+                              jump = current.${nameFrom}.${p2}.jump or p2;
+                              length = current.${nameFrom}.${p2}.length + 1 + current.${p1}.${nameTo}.length;
+                            }
+                          ])
+                      # 如果正着不能连接、反过来可以连接，那么反过来连接一定是唯一的通路，使用反向的连接
+                      else if current.${nameFrom}.${p2} != null && current.${p1}.${nameTo} != null then
+                      {
+                        jump = current.${nameFrom}.${p2}.jump or p2;
+                        length = current.${nameFrom}.${p2}.length + 1 + current.${p1}.${nameTo}.length;
+                      }
+                      # 如果正着连接、反向连接都不行，那么就不更新连接
+                      else current.${nameFrom}.${nameTo})
+                valueFrom)
+              current;
+            # 初始时，所有点之间都不连接
+            init = builtins.listToAttrs (builtins.map
+              (dev1:
+              {
+                name = dev1;
+                value = builtins.listToAttrs (builtins.map
+                  (dev2: { name = dev2; value = null; })
+                  (builtins.attrNames publicKey));
+              })
+              (builtins.attrNames publicKey));
+          in builtins.foldl' addEdge init (builtins.concatLists (builtins.map netToEdges subnet));
+      in
+      {
+        devices = builtins.listToAttrs (builtins.map
+          (deviceName:
+          {
+            name = deviceName;
+            value =
+            {
+              listenPort = 51820 + dns.peer.${deviceName};
+              peer = builtins.listToAttrs (builtins.concatLists (builtins.map
+                (peerName:
+                  # 如果不能直连，就不用加 peer
+                  inputs.lib.optionals (connection.${deviceName}.${peerName} ? ip)
+                  [{
+                    name = peerName;
+                    value =
+                    {
+                      publicKey = publicKey.${peerName};
+                      allowedIPs =
+                        [ "192.168.${builtins.toString dns.net.wg1}.${builtins.toString dns.peer.${peerName}}" ]
+                        ++ builtins.map
+                          (destination:
+                            "192.168.${builtins.toString dns.net.wg1}.${builtins.toString dns.peer.${destination}}")
+                          (builtins.filter
+                            (destination: connection.${deviceName}.${destination}.jump or null == peerName)
+                            (builtins.attrNames publicKey));
+                    }
+                      // inputs.lib.optionalAttrs (connection.${deviceName}.${peerName}.ip != null)
+                      {
+                        endpoint = "${connection.${deviceName}.${peerName}.ip}:"
+                          + builtins.toString (51820 + dns.peer.${peerName});
+                      };
+                  }])
+                (inputs.lib.remove deviceName (builtins.attrNames publicKey))));
+            };
+          })
+          (builtins.attrNames publicKey));
+      };
+  };
+in
+{
+  config.nixos.services.wireguard = inputs.lib.mkMerge (builtins.map
+    (network:
+      let inherit (inputs.config.nixos.model) hostname;
+      in inputs.lib.optionalAttrs (network.value.devices ? ${hostname}) { ${network.name} =
+        network.value.devices.${hostname}
+        // {
+          ip = "192.168.${builtins.toString dns.net.${network.name}}.${builtins.toString dns.peer.${hostname}}";
+        };})
+    (inputs.localLib.attrsToList networks));
+}
--- a/devices/jykang.xmuhpc/default.nix
+++ b/devices/jykang.xmuhpc/default.nix
@@ -0,0 +1,16 @@
+# sudo nix build --store 'local?store=/data/gpfs01/jykang/.nix/store&state=/data/gpfs01/jykang/.nix/state&log=/data/gpfs01/jykang/.nix/log' .#jykang
+# sudo nix-store --store 'local?store=/data/gpfs01/jykang/.nix/store&state=/data/gpfs01/jykang/.nix/state&log=/data/gpfs01/jykang/.nix/log' -qR ./result | sudo xargs nix-store --store --store 'local?store=/data/gpfs01/jykang/.nix/store&state=/data/gpfs01/jykang/.nix/state&log=/data/gpfs01/jykang/.nix/log' --export > data.nar
+# cat data.nar | nix-store --import
+{ inputs, localLib }:
+let pkgs = import inputs.nixpkgs (localLib.buildNixpkgsConfig
+{
+  inputs = { inherit (inputs.nixpkgs) lib; topInputs = inputs; };
+  nixpkgs = { march = null; cuda = null; nixRoot = "/data/gpfs01/jykang/.nix"; };
+});
+in pkgs.symlinkJoin
+{
+  name = "jykang";
+  paths = with pkgs; [ hello iotop gnuplot localPackages.vaspkit ];
+  postBuild = "echo ${inputs.self.rev or "dirty"} > $out/.version";
+  passthru = { inherit pkgs; };
+}
--- a/devices/jykang.xmuhpc/files/.bash_logout
+++ b/devices/jykang.xmuhpc/files/.bash_logout
--- a/devices/jykang.xmuhpc/files/.bash_profile
+++ b/devices/jykang.xmuhpc/files/.bash_profile
--- a/devices/jykang.xmuhpc/files/.bashrc
+++ b/devices/jykang.xmuhpc/files/.bashrc
@@ -35,8 +35,11 @@ if [ -f /etc/bashrc ]; then
 fi

 if [ -z "${BASHRC_SOURCED-}" ]; then
-	export PATH=$HPCSTAT_SSH_BINDIR:$PATH:$HOME/bin:$HOME/linwei/chn/software/scripts
+	export PATH=$HPCSTAT_SSH_BINDIR:$PATH:$HOME/bin:$HOME/linwei/chn/software/scripts:$HOME/.nix/state/gcroots/current/bin
 	export BASHRC_SOURCED=1
+	if [ "${HPCSTAT_SUBACCOUNT}" == "lyj" ]; then
+		export PATH=$HOME/wuyaping/lyj/bin:$PATH
+	fi
 fi

 [ -n "$CHN_LS_USE_COLOR" ] && alias ls="ls --color=auto"
--- a/devices/jykang.xmuhpc/files/.config/nix/nix.conf
+++ b/devices/jykang.xmuhpc/files/.config/nix/nix.conf
@@ -0,0 +1 @@
+store = local?store=/data/gpfs01/jykang/.nix/store&state=/data/gpfs01/jykang/.nix/state&log=/data/gpfs01/jykang/.nix/log
--- a/devices/jykang.xmuhpc/files/.ssh/authorized_keys
+++ b/devices/jykang.xmuhpc/files/.ssh/authorized_keys
@@ -6,6 +6,10 @@ ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDn1pfGen7kjPTHsbb8AgrUJWOeFPHK5S4M97Lcj3tv
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCW2fx1Sim7X2i/e/RBPEl1q/XbV7wa9pmZfnRINHIv24MCUgtNZ5GHEEW7dvzrQBeRj3I7CAyK8fbuhv/l8HuDtjxJJ1fmcBp9UG5vfpb/UTxayJxHBRrwokp2JL7HKVviI6d8FcNa/T0CMoUNYXnel6dE3B78k9Q0dDxlOGS1MzgsP3Pn66lm0ww9FRAVHe+KkhFmwyQ1VHUxHgK4QjCIt7+9+PJE7fK0aVWBsR309pui7Pbm6mgd4d6mwiBeVvxsNGnI4DsO1hz4N2GapuQy19PDiG7A4H41Z5RYQnv/3XTy4TBXOFQm77v6pyGkCmG6BGnRdvMB6C0hWPJvudbsA/BNp4ApL7/CrwTdLp1z6ToAOLvKrUQAM+hcbJimnFVMXqz7iSYg99XTnzue7ncecp19XiaDJbM47bGXcT4nTO5XaiMYi2xGAHIrij5GIuFF5ymKYSp5ejb1VucMdKlaaAmS10+wdUcuT7tzX/IuVr5aqg2dsxT5aJCRhZ1k2V0= xly@xmuhpc
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMRpyIU8ZuYTa0LvsVHmJZ1FA7Lbp4PObjkwo+UcpCP8 wp@xmupc1
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGRZp8xp9hVO7e/6eflQsnFZj853IRVywc97cTevnWbg hjp@xmupc1
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGwUhEAFHjkbUfOf0ng8I80YbKisbSeY4lq/byinV7lh wm
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5bg5cayOLfnfUBJz8LeyaYfP41s9pIqUgXn6w9xtvR lly
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBoDGk9HYphkngx2Ix/vef2ZntdVNK1kbS9pY8+TzI41 yxf
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJi6O1Sf1BBV1dYyH1jcHiws+ntwVfV29+6Paq1CQaET hss

 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCmJoiGO5YD3lbbIOJ99Al2xxm6QS9q+dTCTtlALjYI5f9ICGZJT8PEGlV9BBNCRQdgb3i2LBzQi90Tq1oG6/PcTV3Mto2TawLz5+2+ym29eIq1QIhVTLmZskK815FpawWqxY6+xpGU3vP1WjrFBbhGtl+CCaN+P2TWNkrR8FjG2144hdAlFfEEqfQC+TXbsyJCYoExuxGDJo8ae0JGbz9w1A1UbjnHwKnoxvirTFEbw9IHJIcTdUwuQKOrwydboCOqeaHt74+BnnCOZhpYqMDacrknHITN4GfFFzbs6FsE8NAwFk6yvkNXXzoe60iveNXtCIYuWjG517LQgHAC5BdaPgqzYNg+eqSul72e+jjRs+KDioNqvprw+TcBBO1lXZ2VQFyWyAdV2Foyaz3Wk5qYlOpX/9JLEp6H3cU0XCFR25FdXmjQ4oXN1QEe+2akV8MQ9cWhFhDcbY8Q1EiMWpBVC1xbt4FwE8VCTByZOZsQ0wPVe/vkjANOo+brS3tsR18= 00@xmuhpc
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxcIWDQxVyIRqCGR4uWtrh4tLc025+q6du2GVsox8IzmBFkjNY8Au5GIMP5BKRstxFdg3f/wam8krckUN9rv5+OHB9U8HGz77Xs0FktqRVNMaDPdptePZQJ9A9eW3kkFDfQnORJtiVcEWfUBS3pi0QFOHylnG27YyC/Vjx9tjvtJWKsQEVTFJbFHPdi+G7lHTpqIGx+/a2JN9O6uVujXXYvjSVXsd+CWB9VMZMvYCIz2Ecb6RqR3brj4FhRRl8zyCj+J4ACYFdGWL98fTab2uPHbpVeKrefFFA43JOD/4zwBx/uw7MAQAq0GunTV3FpBfIAQHWgftf2fSlbz20oPjCwdYn9ZuGJOBUroryex7AKZmnSYM3biLHcctQfZtxqVPEU3W/62MUsI/kZb9RcF24JRksMoS2XWTiv2HFf5ijQGLXXOjqiTlGncwiKf65DwkDBsSxzgbXk5Uo86viq6UITFXPx/RytU+SUiN4Wb7wcBTjt/+tyQd1uqc7+3DCDXk= 01@xmuhpc
--- a/devices/jykang.xmuhpc/files/.vaspkit
+++ b/devices/jykang.xmuhpc/files/.vaspkit
--- a/devices/jykang.xmuhpc/files/linwei/chn/software/hpcstat/bin/bsub
+++ b/devices/jykang.xmuhpc/files/linwei/chn/software/hpcstat/bin/bsub
--- a/devices/nas/default.nix
+++ b/devices/nas/default.nix
@@ -4,6 +4,7 @@ inputs:
  {
    nixos =
    {
+      model.private = true;
      system =
      {
        fileSystems =
@@ -11,57 +12,22 @@ inputs:
          mount =
          {
            vfat."/dev/disk/by-uuid/627D-1FAA" = "/boot";
-            btrfs =
-            {
-              "/dev/mapper/nix"."/nix" = "/nix";
-              "/dev/mapper/root3" =
-              {
-                "/nix/rootfs" = "/nix/rootfs";
-                "/nix/persistent" = "/nix/persistent";
-                "/nix/nodatacow" = "/nix/nodatacow";
-                "/nix/rootfs/current" = "/";
-                "/nix/backup" = "/nix/backup";
-              };
-            };
+            btrfs."/dev/mapper/root3" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
          };
-          decrypt.manual =
-          {
-            enable = true;
-            devices =
-            {
-              "/dev/disk/by-uuid/a47f06e1-dc90-40a4-89ea-7c74226a5449".mapper = "root3";
-              "/dev/disk/by-uuid/b3408fb5-68de-405b-9587-5e6fbd459ea2".mapper = "root4";
-              "/dev/disk/by-uuid/a779198f-cce9-4c3d-a64a-9ec45f6f5495" = { mapper = "nix"; ssd = true; };
-            };
-            delayedMount = [ "/" "/nix" ];
-          };
-          swap = [ "/nix/swap/swap" ];
+          swap = [ "/dev/mapper/swap" ];
          rollingRootfs.waitDevices = [ "/dev/mapper/root4" ];
        };
-        initrd.sshd.enable = true;
+        initrd.sshd = {};
        nixpkgs.march = "silvermont";
-        nix.substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
-        networking = { hostname = "nas"; networkd = {}; };
+        network = {};
      };
-      hardware = { cpus = [ "intel" ]; gpu.type = "intel"; };
+      hardware.gpu.type = "intel";
      services =
      {
-        snapper.enable = true;
        sshd = {};
-        xray.client = { enable = true; dnsmasq.hosts."git.nas.chn.moe" = "127.0.0.1"; };
-        smartd.enable = true;
-        beesd.instances =
-        {
-          root = { device = "/"; hashTableSizeMB = 4096; threads = 4; };
-          nix = { device = "/nix"; hashTableSizeMB = 128; };
-        };
-        wireguard =
-        {
-          enable = true;
-          peers = [ "vps6" ];
-          publicKey = "xCYRbZEaGloMk7Awr00UR3JcDJy4AzVp4QvGNoyEgFY=";
-          wireguardIp = "192.168.83.4";
-        };
+        xray.client.dnsmasq.hosts."git.nas.chn.moe" = "127.0.0.1";
+        beesd."/".hashTableSizeMB = 10 * 128;
+        nfs."/" = [(inputs.topInputs.self.config.dns."chn.moe".getAddress "wg1.pc")];
      };
    };
  };
--- a/devices/nas/secrets.yaml
+++ b/devices/nas/secrets.yaml
@@ -1,14 +1,7 @@
 xray-client:
    uuid: ENC[AES256_GCM,data:97aX07G5FPumdWcDxnYOs6fRgljXWuwyNXGg1d7zdbUUfNnb,iv:+wAC/DZXsg+evYFA4DMfLw5Ut3ExQl1RgZ/2AsNQDpo=,tag:ebD77muITHof+FQMydWobg==,type:str]
-acme:
-    token: ENC[AES256_GCM,data:OrYgBRU1VPpkpDzYMFHINfPSHsXEKABdZOcgiAiBJKcreBoaSVHUvg==,iv:XIeZPJhzmUi5ZHKBCYN5UA9HWH1K+26SvcIWVrHAYDA=,tag:3F93syLBZjcHwnRRkUEjlw==,type:str]
-wireguard:
-    privateKey: ENC[AES256_GCM,data:VPlB4wSbWqSYw3rYRwfAMa39xrPcPZfz7sV2Cq3rmOhifnUPwggxnA+51do=,iv:utnyrB6Yfe5O94Oq4HDVFm/lQ9ZBoyvUT68r2G2PdwA=,tag:snm01vA+z2yKK8d2i5i2ig==,type:str]
+wireguard: ENC[AES256_GCM,data:JaOSq474mGOoQQcdJ/j9fYo2e1vjXMPxJ69TOd079FrSkbzbIteWww5f8Xo=,iv:uy/NC2+tibL61XJDZK/spKjV9u0oXK4YzjFjYmCAL0k=,tag:en+c8cHaPvDqJL+EpQjr0g==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
    age:
        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
          enc: |
@@ -28,8 +21,7 @@ sops:
            by9Rd0U0bzNiK21BQTNxN1RuQ09DQVkKJmSlzV5ppEkZFljsS17ZWmoI++fz4tJh
            kTdoAStG1zsKASHyZTsmdm3RBDO3qV1KhQC2gC7d4EiwNZngxOOZJg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-07-24T05:14:57Z"
-    mac: ENC[AES256_GCM,data:9xKBuoVeotcZfiqsKg+iXxOc5BV9kGVvR5f9Anu6DauBceYIBxgeVCDU3dRUPz67MkOK/n2w9+gLchQxUyK8G4ECRTESL+GKpZslNVThb2j6vswLXNBHqsQCoQBlYOiKw5ZM1gpdYJPni8qpsdGvTwc5JkW+FH6v1BdZWaUhc3U=,iv:SyLiMXsQhS+8FFlSMXiD9ETD+mIsz6mePXnJzBODK5g=,tag:YpiU58lJ5Nb78EMyEmJdbw==,type:str]
-    pgp: []
+    lastmodified: "2025-06-09T01:22:01Z"
+    mac: ENC[AES256_GCM,data:OxRUW3e2SXTTdb7Iwvsf/UaHsTIVxohJwRIFExh5N/dJhU9Ui8omKBjkooiGaysrZEVEZNAWSp2zvTPXUdZrtW2fikyhF6Fsg7jUFFTqhV/sjYMy7gISbfkcGF9SuYGByuuySyXPqsfg+ESeBmMVZiqDSEPYJWu+q8OwThdhsAM=,iv:UnSfmuxcV+tr7wd59Xg0MG2QbP2uOshVhN5C++9ZSzA=,tag:cWiG85xv2OuiBOoAlvVBGw==,type:str]
    unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.10.2
--- a/devices/one/default.nix
+++ b/devices/one/default.nix
@@ -0,0 +1,33 @@
+inputs:
+{
+  config =
+  {
+    nixos =
+    {
+      model = { type = "desktop"; private = true; };
+      system =
+      {
+        fileSystems =
+        {
+          mount =
+          {
+            vfat."/dev/disk/by-partlabel/one-boot" = "/boot";
+            btrfs."/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
+          };
+          luks.auto."/dev/disk/by-partlabel/one-root" = { mapper = "root"; ssd = true; };
+          swap = [ "/nix/swap/swap" ];
+          resume = { device = "/dev/mapper/root"; offset = 4728064; };
+        };
+        nixpkgs.march = "tigerlake";
+      };
+      hardware.gpu.type = "intel";
+      services =
+      {
+        xray.client = {};
+        beesd."/".hashTableSizeMB = 64;
+        sshd = {};
+      };
+      bugs = [ "xmunet" ];
+    };
+  };
+}
--- a/devices/one/secrets.yaml
+++ b/devices/one/secrets.yaml
@@ -0,0 +1,32 @@
+xray-client:
+    uuid: ENC[AES256_GCM,data:GmfSlDQjO4aBq3u50jnFjOR9VxamYHzokUrO9IpIGuBx0j8e,iv:++O2wBUCnHDPowRgtxPQJQePXP2Cda74WXQvlKHbHNw=,tag:XDWhiXwT718RgrBw7L5yzw==,type:str]
+wireguard: ENC[AES256_GCM,data:OuduClOu9y9adCcV1+U/NLp/t1yWPkuyptproTJv4beImptrLOVGbhb5fb8=,iv:qa1jpzAlUEhPBznZw6j4CYquTCpmNZ+uNbyHjH2qGy4=,tag:+5I2CRuyCAMSy74xVtdJGA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsOUJWMm5xT040cEoxQit5
+            ZnhhQWVyWjlnejhzQlEvVVg3ZGVJb05iL1hjCnF5bzFTUTZFYkNQR0k5U0xmOW1t
+            TXhsRHFIeVBBSXc1UURON2M4MDlTMEUKLS0tIGdSbTdZdmdjY0dmNjkrRjd0VkhK
+            eWV6SDJqT1B2MEp1MURkV0E4S3Z0Zm8KX9lEjG4u2QRe1zH+13rbedCWl1B7vvl8
+            2iMHj1qQ4JkCeq83llEH5IuDXKYnKKXSi8l3nU/l6Aw6yx/KHDFK/g==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1m7nrxfw22wvp7pj8y9pdl745w95x89uu8dzl9ppsaazweqf2lqms5yshsp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2K3VKTVJqMTl2cWxUZHhM
+            OVg5ZjN0VGNpVXQ5M1FKZHloZ0ZnWTZ2ZWowCjJIYTlhRU8wd1JienlUTHIwWXYw
+            eFY1d2MxeStBd013VmszbTUzTkF6U2cKLS0tIDdDNXp4OTdQRjN0MGdIOS9oSldU
+            ZW5PT3VYZWhDMkZUeHViZE41eUhna2sKc8J8mJ8ge9KMb5p6Xi/vRIIXZMEj6Ih+
+            LjLKsgDfMbqNqKaQXSvC3tbvI/dDoiStyCsf4rkTY9QOkyEI80MtXg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-04-10T10:44:01Z"
+    mac: ENC[AES256_GCM,data:Sso6g9UEH7faygbcrypsnB/4h8cIwveLdVI+YgDDfTHMC5nxXj+xtfFHhzao1pkyvF0avUVjsMVXLRcB48eDcbZdXwBvoNKg0mpL7VAeOnDuwElI6GGpRVTaOsZC9LT9d1kuGkmavMljCvmaA3sPLZsvW3Hqjdicj+suMoQJ/nE=,iv:DYf0m9PfJ1qx3gI/6T6ByxJWHrdVGgiNMCVhcBOrgBw=,tag:Ddw2HFuCmk6PFnxF4G13hQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2
--- a/devices/pc/bios/Bootx64.efi
+++ b/devices/pc/bios/Bootx64.efi
--- a/devices/pc/bios/DisplayEngine.efi
+++ b/devices/pc/bios/DisplayEngine.efi
--- a/devices/pc/bios/SetupBrowser.efi
+++ b/devices/pc/bios/SetupBrowser.efi
--- a/devices/pc/bios/UiApp.efi
+++ b/devices/pc/bios/UiApp.efi
--- a/devices/pc/color/TPLCD_161B_Default.icm
+++ b/devices/pc/color/TPLCD_161B_Default.icm
--- a/devices/pc/color/TPLCD_161B_Native.icm
+++ b/devices/pc/color/TPLCD_161B_Native.icm
--- a/devices/pc/color/TPLCD_161B_Native_HDR.icm
+++ b/devices/pc/color/TPLCD_161B_Native_HDR.icm
--- a/devices/pc/color/TPLCD_161B_REC709.icm
+++ b/devices/pc/color/TPLCD_161B_REC709.icm
--- a/devices/pc/color/TPLCD_161B_sRGB.icm
+++ b/devices/pc/color/TPLCD_161B_sRGB.icm
--- a/devices/pc/default.nix
+++ b/devices/pc/default.nix
@@ -4,6 +4,7 @@ inputs:
  {
    nixos =
    {
+      model = { type = "desktop"; private = true; };
      system =
      {
        fileSystems =
@@ -11,19 +12,25 @@ inputs:
          mount =
          {
            vfat."/dev/disk/by-uuid/7A60-4232" = "/boot";
-            btrfs."/dev/mapper/root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
+            btrfs."/dev/mapper/root1" =
+            {
+              "/nix" = "/nix";
+              "/nix/rootfs/current" = "/";
+              "/nix/remote/jykang.xmuhpc" = "/data/gpfs01/jykang/.nix";
+              "/nix/remote/xmuhk" = "/public/home/xmuhk/.nix";
+            };
+            nfs."${inputs.topInputs.self.config.dns."chn.moe".getAddress "wg1.nas"}:/" =
+              { mountPoint = "/nix/remote/nas"; hard = false; };
          };
-          decrypt.auto =
+          luks.auto =
          {
            "/dev/disk/by-uuid/4c73288c-bcd8-4a7e-b683-693f9eed2d81" = { mapper = "root1"; ssd = true; };
            "/dev/disk/by-uuid/4be45329-a054-4c20-8965-8c5b7ee6b35d" =
              { mapper = "swap"; ssd = true; before = [ "root1" ]; };
          };
          swap = [ "/dev/mapper/swap" ];
-          resume = "/dev/mapper/swap";
-          rollingRootfs = {};
        };
-        grub.windowsEntries."7AF0-D2F2" = "Windows";
+        grub.windowsEntries."08D3-10DE" = "Windows";
        nix =
        {
          marches =
@@ -33,54 +40,28 @@ inputs:
            "sandybridge"
            # FXSR PREFETCHW RDRND SAHF
            "silvermont"
+            # SAHF FXSR XSAVE RDRND LZCNT HLE
+            "haswell"
            # FXSR HLE LZCNT PREFETCHW RDRND SAHF XSAVE
            "broadwell"
            # FXSR HLE LZCNT PREFETCHW RDRND SAHF SGX XSAVE
-            "skylake"
+            "skylake" "cascadelake"
+            # SAHF FXSR XSAVE RDRND LZCNT HLE PREFETCHW SGX MOVDIRI MOVDIR64B AVX512VP2INTERSECT KEYLOCKER
+            "tigerlake"
            # AVX-VNNI CLDEMOTE GFNI-SSE HRESET KL LZCNT MOVDIR64B MOVDIRI PCONFIG PREFETCHW PTWRITE RDRND
            # SERIALIZE SGX WAITPKG WIDEKL XSAVE XSAVEOPT
            "alderlake"
          ];
-          remote.master = { enable = true; hosts = [ "xmupc1" "xmupc2" ]; };
-          githubToken.enable = true;
+          remote.master.host.srv2-node0 = [ "skylake" ];
        };
-        nixpkgs =
-          { march = "znver4"; cuda = { enable = true; capabilities = [ "8.9" ]; forwardCompat = false; }; };
-        kernel =
-        {
-          variant = "xanmod-latest";
-          patches = [ "hibernate-progress" "amdgpu" ];
-          modules.modprobeConfig =
-            [ "options iwlwifi power_save=0" "options iwlmvm power_scheme=1" "options iwlwifi uapsd_disable=1" ];
-        };
-        networking.hostname = "pc";
+        nixpkgs = { march = "znver4"; cuda.capabilities = [ "8.9" ]; };
        sysctl.laptop-mode = 5;
-        gui.enable = true;
-      };
-      hardware =
-      {
-        cpus = [ "amd" ];
-        gpu =
-        {
-          type = "amd+nvidia";
-          nvidia = { prime.busId = { amd = "5:0:0"; nvidia = "1:0:0"; }; dynamicBoost = true; driver = "latest"; };
-        };
-        legion = {};
-      };
-      virtualization =
-      {
-        waydroid.enable = true;
-        docker.enable = true;
-        kvmHost = { enable = true; gui = true; };
-        nspawn = [ "arch" "ubuntu-22.04" "fedora" ];
      };
+      hardware = { gpu = { type = "nvidia"; nvidia.dynamicBoost = true; }; legion = {}; };
      services =
      {
-        snapper.enable = true;
        samba =
        {
-          enable = true;
-          private = true;
          hostsAllowed = "192.168. 127.";
          shares =
          {
@@ -91,98 +72,79 @@ inputs:
          };
        };
        sshd = {};
-        xray.client =
-        {
-          enable = true;
-          dnsmasq.hosts = builtins.listToAttrs
-          (
-            (builtins.map
-              (name: { inherit name; value = "74.211.99.69"; })
-              [ "mirism.one" "beta.mirism.one" "ng01.mirism.one" "initrd.vps6.chn.moe" ])
-            ++ (builtins.map
-              (name: { inherit name; value = "0.0.0.0"; })
-              [
-                "log-upload.mihoyo.com" "uspider.yuanshen.com" "ys-log-upload.mihoyo.com"
-                "dispatchcnglobal.yuanshen.com"
-              ])
-          );
-        };
-        firewall.trustedInterfaces = [ "virbr0" "waydroid0" ];
-        acme.cert."debug.mirism.one" = {};
-        frpClient =
-        {
-          enable = true;
-          serverName = "frp.chn.moe";
-          user = "pc";
-          stcpVisitor."yy.vnc".localPort = 6187;
-        };
-        nix-serve = { enable = true; hostname = "nix-store.chn.moe"; };
-        smartd.enable = true;
+        xray.client.dnsmasq.hosts = builtins.listToAttrs
+        (
+          (builtins.map
+            (name: { inherit name; value = "144.34.225.59"; })
+            [ "mirism.one" "beta.mirism.one" "ng01.mirism.one" "initrd.vps6.chn.moe" ])
+        )
+        // { "4006024680.com" = "192.168.199.1"; };
+        nix-serve = {};
        misskey.instances.misskey.hostname = "xn--qbtm095lrg0bfka60z.chn.moe";
-        beesd.instances.root = { device = "/"; hashTableSizeMB = 4096; threads = 4; };
-        wireguard =
-        {
-          enable = true;
-          peers = [ "vps6" ];
-          publicKey = "l1gFSDCeBxyf/BipXNvoEvVvLqPgdil84nmr5q6+EEw=";
-          wireguardIp = "192.168.83.3";
-        };
-        gamemode = { enable = true; drmDevice = 1; };
+        beesd."/" = { hashTableSizeMB = 4 * 128; threads = 4; };
        slurm =
        {
          enable = true;
-          cpu = { cores = 16; threads = 2; mpiThreads = 2; openmpThreads = 4; };
-          memoryMB = 90112;
-          gpus."4060" = 1;
+          master = "pc";
+          node.pc =
+          {
+            name = "pc"; address = "127.0.0.1";
+            cpu = { sockets = 2; cores = 8; threads = 2; };
+            memoryGB = 80;
+            gpus."4060" = 1;
+          };
+          partitions.localhost = [ "pc" ];
+          tui =
+          {
+            cpuQueues = [{ mpiThreads = 4; openmpThreads = 4; memoryGB = 56; }];
+            gpuQueues = [{ name = "localhost"; gpuIds = [ "4060" ]; }];
+          };
        };
        ollama = {};
+        podman = {};
+        ananicy = {};
+        keyd = {};
+        lumericalLicenseManager.macAddress = "745d22c7d297";
+        searx = {};
+        kvm.aarch64 = true;
+        nspawn = [ "arch" "ubuntu-22.04" "fedora" ];
+        nfs."/" = [ "192.168.84.0/24" ];
      };
-      bugs = [ "xmunet" "backlight" "amdpstate" ];
+      bugs = [ "xmunet" "backlight" "amdpstate" "iwlwifi" ];
+      packages = { mathematica = {}; vasp = {}; lammps = {}; };
    };
-    boot =
+    boot.loader.grub =
    {
-      kernelParams = [ "acpi_osi=!" ''acpi_osi="Windows 2015"'' ];
-      loader.grub =
+      extraFiles =
      {
-        extraFiles =
-        {
-          "DisplayEngine.efi" = ./bios/DisplayEngine.efi;
-          "SetupBrowser.efi" = ./bios/SetupBrowser.efi;
-          "UiApp.efi" = ./bios/UiApp.efi;
-          "EFI/Boot/Bootx64.efi" = ./bios/Bootx64.efi;
-        };
-        extraEntries = 
-        ''
-          menuentry 'Advanced UEFI Firmware Settings' {
-            insmod fat
-            insmod chain
-            chainloader @bootRoot@/EFI/Boot/Bootx64.efi
-          }
-        '';
+        "DisplayEngine.efi" = ./bios/DisplayEngine.efi;
+        "SetupBrowser.efi" = ./bios/SetupBrowser.efi;
+        "UiApp.efi" = ./bios/UiApp.efi;
+        "EFI/Boot/Bootx64.efi" = ./bios/Bootx64.efi;
+        "nixos.iso" = inputs.topInputs.self.src.iso.nixos;
      };
+      extraEntries = 
+      ''
+        menuentry 'Advanced UEFI Firmware Settings' {
+          insmod fat
+          insmod chain
+          chainloader @bootRoot@/EFI/Boot/Bootx64.efi
+        }
+        menuentry 'Live ISO' {
+          set iso_path=@bootRoot@/nixos.iso
+          export iso_path
+          search --set=root --file "$iso_path"
+          loopback loop "$iso_path"
+          root=(loop)
+          configfile /boot/grub/loopback.cfg
+          loopback --delete loop
+        }
+      '';
    };
    # 禁止鼠标等在睡眠时唤醒
    services.udev.extraRules = ''ACTION=="add", ATTR{power/wakeup}="disabled"'';
-    networking.extraHosts = "74.211.99.69 mirism.one beta.mirism.one ng01.mirism.one";
+    # 允许kvm读取物理硬盘
+    users.users.qemu-libvirtd.extraGroups = [ "disk" ];
    services.colord.enable = true;
-    environment.persistence."/nix/archive" =
-    {
-      hideMounts = true;
-      users.chn.directories = builtins.map
-        (dir: { directory = "repo/${dir}"; user = "chn"; group = "chn"; mode = "0755"; })
-        [ "BPD-paper" "kurumi-asmr" "BPD-paper-old" "SiC-20240705" ];
-    };
-    specialisation =
-    {
-      nvidia.configuration =
-      {
-        nixos =
-        {
-          hardware.gpu.type = inputs.lib.mkForce "nvidia";
-          services.gamemode.drmDevice = inputs.lib.mkForce 0;
-        };
-        system.nixos.tags = [ "nvidia" ];
-      };
-    };
  };
 }
--- a/devices/pc/secrets/default.yaml
+++ b/devices/pc/secrets/default.yaml
@@ -1,28 +1,18 @@
 xray-client:
    uuid: ENC[AES256_GCM,data:XU7/GZ8cJmDwNsrQfoFHrquZT5QkjvTPZfnghX3BLyvPLlrX,iv:e/BQkZ5ydWD4P/qT9OUloB8/cXImfkG3YZnuIeNLoTc=,tag:EW3ZBzGnyIrUfcMeJqm4aA==,type:str]
-acme:
-    token: ENC[AES256_GCM,data:e+ZPOwOobbShxm5zZqmIeM4cmP4JQT8kDQ0goKsSwpIKmJAzi8WutQ==,iv:ZKOzKa98yWTM2LkC4+rzA6rTW4afm3oAG4nc/2vk7Bg=,tag:Qctw1sk1SC/a6Xv5Fju8EA==,type:str]
-frp:
-    token: ENC[AES256_GCM,data:0mE8/cWqHKNquCIiqgbjcNhipKk7KEfbZ+qRYbu+iZr7AH9QjfYZQiMJNp4Aa3JWwBLYAnpf,iv:ID4cc8Tn0H9b1CimXlPamMlhlAkafhRApDHo/CCQ4BE=,tag:BUuU/BCj16R7FlKlpubawA==,type:str]
-    stcp:
-        yy.vnc: ENC[AES256_GCM,data:IsZWkNGYHrbQcgvOSURDnA==,iv:4XO8RFBdNopLKYxCACmkXLMPu0wIVx64y0C7m2bsTVA=,tag:fMHzU9aQm0bRr8pTKwpuHQ==,type:str]
 store:
    signingKey: ENC[AES256_GCM,data:TsB1nA0Rf2AsYyH59WpUK53pTCX2JdrGQjkJ9A9BfWLLmw3EMnPoaLHG12rv1R2/xRU7rP+iVhXb77g60I/Kn4ehun3ogMmK1oEAKyQcxudBUJFk+SeijaQLr2A=,iv:e2rdGBVOPS1nyC3pXhs5r0WyEkqxcpCnX3eAcBCj93M=,tag:HwccjH2Wms5/TevU2IuzNw==,type:str]
-nginx:
-    maxmind-license: ENC[AES256_GCM,data:PVV4VAvB22KoA8EM8Honb+KWYhydXdmTAVlDw/XnTcbaIY+5Km2gGA==,iv:7PfytRbpW4G2iDNqysvZnB0YsQFVUL5Kr1DNsBzuhCA=,tag:z2J14fdD7AUNabN+6kUojA==,type:str]
 postgresql:
    misskey_misskey: ENC[AES256_GCM,data:MSDbQffk/WjZ6EYiwVuUMdhdv9VE59ZM7t4XldOKRO0=,iv:J/x9t4Pk5zi7Av9fbzxgAbbtbEUZttSx/JGRmmgmvE4=,tag:CwFR9K++T7YqYR932z3IAg==,type:str]
 redis:
    misskey-misskey: ENC[AES256_GCM,data:vcvQ/hs/F3BZd1sfvWwfEeB8vVoqdnprxobcmL6xsmg=,iv:S32yrjrjj56HbxTlfFGjOb+sO2M9KKEDEazCrpQWj6Q=,tag:iwnvqwQEdd6jicx9jJBdbg==,type:str]
-wireguard:
-    privateKey: ENC[AES256_GCM,data:oIpiXJvEoyryS4eEutoe85Af0L5a5iNuOsCWCat9KEhr2ecY/vRimk/1fbA=,iv:dm2hTSNX7Q38yASon5o1jxEJZbWPXUWYydXYMBHF/sE=,tag:yrANhwIF/wHQGHGA1bfPgw==,type:str]
+wireguard: ENC[AES256_GCM,data:9QoVM69efr3+UGEo/GPY6IBBxfcqE+3erRTrqSdeTf4XziVMlzWTMdhV9jU=,iv:3abQtZ8cpejqXsJPx6SvSS2cXAKMDkEKEhl9LE319RQ=,tag:1uBPK/0VLPPMzj4rl+iQMQ==,type:str]
 mariadb:
    slurm: ENC[AES256_GCM,data:fGvNMmqk7Cee28VJ1QoBVrBbgIUbj/F1W0SRjdP8N4K/M8Wx4AVm1kAr0IAhPWyDLXlIjM1NUvuEV5BpYDBdjg==,iv:rFTMJ4x2kgENQUA8ftSaLjdOc25i5mWR3UYbdq54vjs=,tag:6feD0eCSv7bcHWBveLNJwg==,type:str]
 nix:
    remote: ENC[AES256_GCM,data:uosYkxTCB0wiY+Uufk//OcBZFN3EzbZoQGZ95M9eZMjQ5AobAZqosi4laE+EMcZL1CqYqlWXaSoEUOB8biUaZPseo+1AX1TlmUgZ7QpkfOX0VKZu01C6C+lVyqVqMFq6z1BFyX/oeITMIfnd4a/2KwJCHLAZ4hMkJ5p+aJwByKGa3N/2m41HH/1S3z7pYQWj7YJxunTPPG6WNSiRncQki11rvmddwnXmsBF89+jW1Phge8U295haC57T5oIGPxR645IeTK4ZUlL8eVuZ+BhsnwbkYcaxvjSwe+DOIVPupR8GW+gis7KxwE89kqvnQhinamexcPUz4lGHlqO/Xn6jrJx6T/wXF+19epAzeHapYte3dTWNsdPwPLPJihT16YT5fwrLnH3zq8kexWz1crmnCGUoaBs4S2tHWHLgv2lTv0IHLx5F6ijpDBj/Avg9YILIURzdeea+rBxdycHasUDTVlJtYKRH5J+WbAKWI+oJ5qmXjIRUYL+O9xIUfOGO+1b3xs8MYxRWuvDV2P88N8vN,iv:yQQp5wjbSVn1oia5yL7d6GF9Vo704G0iOQRGMbzQHzg=,tag:bpBag5y5n+7ojOa8QOcDvA==,type:str]
-github:
-    token: ENC[AES256_GCM,data:59z1zSofzUyv2Qfn8oS7dZplzJDtOD/zxhPm07MLbVLHt8mE57IGcw==,iv:nZ4JmIE1h496RN6BChvqo7XWHjur76jP4HMgqGBbMJQ=,tag:pUSGsofG7hvkvJxCRwkg1Q==,type:str]
-age: ENC[AES256_GCM,data:EPjip4/tz50e+blPko9NpzDamLRO6BVy64kDnGAhUJJ/bMw6V9Of8RzuiqUupIjEmFiUcgWf9ZsV5RZO3Ai9udq0W7mYS1Y/zn4=,iv:TBs/o6mp8t+S3Ma5/QhnLhzgl852HB3sEzKy9SvKJjU=,tag:2yMUVWPua2g0VOkaXpJzKQ==,type:str]
+searx:
+    secret-key: ENC[AES256_GCM,data:KhIP+Rz3rMfNgPEGTlKGvm6gl1/ZuPI=,iv:GcaLEJHKJO3n6IaeiFr9PaJ6eNx04/VjX3UgmBF429g=,tag:HkplyH9hTHUaEZ709TyitA==,type:str]
 sops:
    kms: []
    gcp_kms: []
@@ -47,8 +37,8 @@ sops:
            OUlxNjdQaXdXMkZ6bnV1ek4yZ2dpbkEKpKGOAxo5Eef2jtGrg4iSzmGCeg+vTgvu
            +K8b+O19MIkGMDBm6UbYUPtc/7eqoEZRiTUzNMTmfkLVS4ul5zou9A==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-09-01T15:21:26Z"
-    mac: ENC[AES256_GCM,data:eigkz85LgrpqqKTw5obgc14e9jtnmZJnjkD1iTOdXkluaqQyHC8qO2mgOfzKTM3dqusDA/hij+DR8nQbFzsBCFtvVdwb9chCqZLGo/fiJKvN8xt7Ccev8K5gS9nDnVmA7aUDgu1YWjZd3f/JpILlp2rsc5cozfcEAJoGFoSeWh0=,iv:FdzSdD6K8/6X39KcpcX+FEjkoiDWp7K4LWIN2ZdqXGM=,tag:vN1VD238pLcFm4s8KJsakA==,type:str]
+    lastmodified: "2025-05-24T11:27:02Z"
+    mac: ENC[AES256_GCM,data:uNkThOX3NEUeiaJVavZ0rCpQRT+GbRXADiMuAwb/tg38fBrKQeUO9ohicl/UfiDFRTfCaiuH3T757jX2b51go2s0B6n7DOvPYYZ5EWGnM69RFxrdDfWfge8n8/SHmuKR9dPJb/eSa8HAs8uDnqBPoR5SqG5lnyZs3a7P/kjK2T4=,iv:snmnuYmcuyhGs4YrIGFLmDffFE9yecB/vsM0MvxBR4k=,tag:vbqA7jvVCFHvLoLmKbfO4g==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
-    version: 3.9.0
+    version: 3.10.2
--- a/devices/pcarm/default.nix
+++ b/devices/pcarm/default.nix
@@ -1,28 +0,0 @@
-inputs:
-{
-  config =
-  {
-    nixos =
-    {
-      system =
-      {
-        fileSystems =
-        {
-          mount =
-          {
-            # TODO: reparition
-            vfat."/dev/disk/by-uuid/CE84-E0D8" = "/boot";
-            btrfs."/dev/disk/by-uuid/61f51d93-d3e5-4028-a903-332fafbfd365" =
-              { "/nix/rootfs/current" = "/"; "/nix" = "/nix"; };
-          };
-          rollingRootfs = {};
-        };
-        networking = { hostname = "pcarm"; networkd = {}; };
-        nixpkgs.arch = "aarch64";
-        kernel.variant = "nixos";
-        sops.enable = false;
-      };
-      services.sshd = {};
-    };
-  };
-}
--- a/devices/pcvm/default.nix
+++ b/devices/pcvm/default.nix
@@ -1,28 +0,0 @@
-inputs:
-{
-  config =
-  {
-    nixos =
-    {
-      system =
-      {
-        fileSystems =
-        {
-          mount =
-          {
-            # TODO: reparition
-            vfat."/dev/disk/by-uuid/AE90-1DD1" = "/boot";
-            btrfs."/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
-          };
-          decrypt.auto."/dev/disk/by-uuid/a9e4a508-3f0b-492e-b932-e2019be28615" = { mapper = "root"; ssd = true; };
-          rollingRootfs = {};
-        };
-        kernel.variant = "xanmod-latest";
-        networking.hostname = "pcvm";
-        initrd.sshd.enable = true;
-      };
-      hardware.cpus = [ "amd" ];
-      services.sshd = {};
-    };
-  };
-}
--- a/devices/pcvm/secrets.yaml
+++ b/devices/pcvm/secrets.yaml
@@ -1,39 +0,0 @@
-hello: ENC[AES256_GCM,data:7xCy5PqPVdUNIdzqaGQLsPA88mAfRt6T57LjFDwOaTlhdejLPrBdyN4=,iv:dM0QWDpylPjnbtdNrjV8LHISNi/U718+xooFm0qTcbI=,tag:d5HbLG7yF3QRz7nP+4aeiA==,type:str]
-example_key: ENC[AES256_GCM,data:K5SD4k9jL5r4ZSUwNQ==,iv:mJrZshT0PKmT7OJE/ZBUWzq1Gc6xXymFbypxwQtQJq8=,tag:I4+AyMh+AVpmWa1fdIJpyA==,type:str]
-#ENC[AES256_GCM,data:vHj6+kNand8d1AzgXTaOMQ==,iv:j6b3SDqzVgY8U/puEm9UcpJYGK84gF/YIXzRbG0radQ=,tag:yzfXKHReJ0++3fhk2ztbBA==,type:comment]
-example_array:
-    - ENC[AES256_GCM,data:vRjjfVSy8g5mBZVM/oU=,iv:C+HE4Q157eNhEmcDJSMJINfMgztf6XfELCjotg8q3XU=,tag:JSQDItdYbCCs65tmbeR6tg==,type:str]
-    - ENC[AES256_GCM,data:xzfN6WiT8r8YcWtS+H4=,iv:btlOvqrn0pITT3rCTIjgS2b5TrfNKym0yPEnE7bJDqg=,tag:Wf40b8zBhrv452OKodkU+w==,type:str]
-example_number: ENC[AES256_GCM,data:akqZ12u1wl4Zww==,iv:hS3NBWI7o6dZLtsIsoVHYdtyqpUmbQrpMHPhRRzEd18=,tag:1voFm4LuupWJMGP3xd0k4A==,type:float]
-example_booleans:
-    - ENC[AES256_GCM,data:wWEU8w==,iv:rf8uwo+sP9YFyPmoxROVVmrx+q6Yr0PIOWznM96w9XY=,tag:nVJdD1Z7U8zVRBxs8gLvQQ==,type:bool]
-    - ENC[AES256_GCM,data:gVe51tg=,iv:eOJ2TOWStHpckNyYx2UdLcipshFpjcWtEids5c+Q8bs=,tag:0iSjlC/TgNfl7ZtXmttgaQ==,type:bool]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyTGliaUlvOVlxejZhSDZi
-            YU96S0VPOE5Ldk56WlJjTzBSRm9oYnBoQ0NBCnhJWmg3KzUrT1VyemRiSWtQeklS
-            UFFFTjdod0g1d1EvYWJoOElJSjIrWTgKLS0tIDlaQnJOMTZRUms4am1mQjV5MzFJ
-            QlhKL1ltY2lGZGU0clhIRTRsSW5BOTgK4gKbhvF1bV/YdKOxzqrecHPDAKPOd81V
-            YnWgLpP6h+zycx80iqwsfqiQJdPyDrfhB43ksn2oxsX0qXtLI9j9TQ==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1jmu4jym0e0xkq5shx2g7ef4xzre94vaxy2n4fcn0kp94dtlupdxqkzyyp7
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzRU1IRXZkbFQ4elgydTlv
-            VlRVKzJIWDVCZk5xaTd0Y2JXS2l0Mi85Zm1jCnNkS0NETm5SaG9WUE9Mb3RtbE5B
-            YTRmWHNXTk9hZHNBT0FxT1RNNnFMNEkKLS0tIGRWNWpLcDVtOEdGZHFPT3paeVo2
-            QWsreTlaVW5Bd2lZb3JZeTdjcG9WQlEKy3p4QnjPrJtfaueLKBzMz7VZ9QfrTer1
-            lEP8mInFprR65LtpoKabsTWQwkzURzB/OdbKSYG2o6Rlqy9L3d5eBw==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-07-02T23:46:35Z"
-    mac: ENC[AES256_GCM,data:OncqYSgPSoge5Nw6eh0A4cm0KXSQhmSpGIu5WSv38LdMto5fNLIK2VRIwaXfq9nyf10bxNN7xSADj2GPhMiwlHM8nIQXtxdlWsZfEOc/qOWM8nz+9DPKtKGD6RZcDLDRhNTDxzPXGWIuY1tDKQpUlt/iDlymSskcqSrdTfBqCGk=,iv:NesxRr6FXXApE8aafnAV3x6hwCoAxoEly/QkcyAQ8Pw=,tag:3o37dr4vKLqEENIdj8RHXw==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.8.1
--- a/devices/pi3b/default.nix
+++ b/devices/pi3b/default.nix
@@ -1,42 +0,0 @@
-inputs:
-{
-  config =
-  {
-    nixos =
-    {
-      system =
-      {
-        fileSystems =
-        {
-          mount =
-          {
-            # TODO: reparition
-            vfat."/dev/disk/by-uuid/ABC6-6B3E" = "/boot";
-            btrfs."/dev/disk/by-uuid/c459c6c0-23a6-4ef2-945a-0bfafa9a45b6" =
-              { "/nix/rootfs/current" = "/"; "/nix" = "/nix"; };
-          };
-          swap = [ "/nix/swap/swap" ];
-          rollingRootfs = {};
-        };
-        networking = { hostname = "pi3b"; networkd = {}; };
-        nixpkgs.arch = "aarch64";
-        kernel.variant = "nixos";
-      };
-      services =
-      {
-        # snapper.enable = true;
-        sshd = {};
-        xray.client.enable = true;
-        fail2ban = {};
-        wireguard =
-        {
-          enable = true;
-          peers = [ "vps6" ];
-          publicKey = "X5SwWQk3JDT8BDxd04PYXTJi5E20mZKP6PplQ+GDnhI=";
-          wireguardIp = "192.168.83.8";
-        };
-        beesd.instances.root = { device = "/"; hashTableSizeMB = 32; };
-      };
-    };
-  };
-}
--- a/devices/pi3b/secrets.yaml
+++ b/devices/pi3b/secrets.yaml
@@ -1,33 +0,0 @@
-xray-client:
-    uuid: ENC[AES256_GCM,data:82Xg9VkmkLrKKcZfojA7dHqqMZh45n+eL4T5qZ1z/xy9k0q5,iv:/2j9flBDwjY6JW2mHYo1S2VE+ruu6gxrw8BzSyoiPcc=,tag:iq8wzfIRyq1T18k3vStVGw==,type:str]
-wireguard:
-    privateKey: ENC[AES256_GCM,data:8whySpY/4WPWx2+t7IOgn+qjKCsv+BgRtaAFLrP8L0fV3TJdLob5vwDplHk=,iv:kXTDwOyJNzbjPtlzQqNsXtuk3EXFdF9CAsYkvImbyDE=,tag:tsK9nCMmwEb0c08rJ3Iwyg==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6TzU0U2Facm5yWkYrREgw
-            a1Fxc1MxaHYwRWUzUHpsbDBHYVoxb1NKVDAwCjNuUFlabzJ0aWtGMFBQb05nSlRP
-            akwrWDI0QnZBYkFmSUpWZFFnYmQ2aDQKLS0tIGlIQ3lTREN4WXgxV3pNdjdaakF6
-            ZnppV1ZRZzZ5Smt2NGsyRndjTFdnV00KaWVPGLWPnqINH6AHKS/84kuYy/v1v4Tb
-            QdehcMiq5ZF5XLqOX5sMDLu8h96FIklqOSTZNFkzr+s9VYv/UO58rg==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1yjgswvexp0x0de0sw4u6hamruzeluxccmx2enxazl6pwhhsr2s9qlxdemq
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyTEZERkRSZUdSN2dySnlI
-            aDFjdXFCWnlJZlpYQmR1WEE2RzdCaVp1WFEwCjd1N1ZpMUExZ0ZBWmFwSHg3RUs4
-            RkRYTjRMWmE5cTA4Z2JJUGgyN05HSmMKLS0tIFpKZmd2Q2k2bnNYK1V2ZnNQNUxH
-            aDU3Vm95ZkpvSTJDMjJEOFY1ZjhrQlUKLdMYiOj6tlzwLpwZsTQVSQ8hHart0ba3
-            NS7+SprzJRb0hQXrvyU6s9zho8dPOw8wiGbscmMXSVS/Kar3eQigmg==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-03-28T13:31:33Z"
-    mac: ENC[AES256_GCM,data:fuppF9gFh3O6ZqJRTcVxNqVlz2y5f4xR39JIeInKblh4hNhrdnQg7oh8repoZeXHVRewGeGyxSqzUg+Twy8J+q+d6TSmiDVViD/SHse5rPns2Egt671geF7JmGEB/yKSCbECjGCp0QFgYYEg/vUOaV3v1a0s7LLTE/t2haPIaYc=,iv:f4T7JGxKB3WmEtETuSH7ApKRJ8ptPwZPfspyqc8+vmM=,tag:GF5br+e/p6qHsNCTjfIBCA==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.8.1
--- a/devices/srv1/default.nix
+++ b/devices/srv1/default.nix
@@ -0,0 +1,67 @@
+inputs:
+{
+  config =
+  {
+    nixos =
+    {
+      model.type = "server";
+      system =
+      {
+        fileSystems =
+        {
+          mount = let inherit (inputs.config.nixos.model.cluster) clusterName nodeName; in
+          {
+            vfat."/dev/disk/by-partlabel/${clusterName}-${nodeName}-boot" = "/boot";
+            btrfs."/dev/disk/by-partlabel/${clusterName}-${nodeName}-root" =
+              { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
+          };
+          swap = [ "/nix/swap/swap" ];
+        };
+      };
+      services =
+      {
+        sshd.passwordAuthentication = true;
+        slurm =
+        {
+          enable = true;
+          master = "srv1-node0";
+          node =
+          {
+            srv1-node0 =
+            {
+              name = "n0"; address = "192.168.178.1";
+              cpu = { sockets = 4; cores = 20; threads = 2; };
+              memoryGB = 112;
+            };
+            srv1-node1 =
+            {
+              name = "n1"; address = "192.168.178.2";
+              cpu = { sockets = 4; cores = 8; threads = 2; };
+              memoryGB = 112;
+            };
+            srv1-node2 =
+            {
+              name = "n2"; address = "192.168.178.3";
+              cpu = { sockets = 4; cores = 8; threads = 2; };
+              memoryGB = 56;
+            };
+          };
+          partitions =
+          {
+            n0 = [ "srv1-node0" ];
+            n1 = [ "srv1-node1" ];
+            n2 = [ "srv1-node2" ];
+            all = [ "srv1-node0" "srv1-node1" "srv1-node2" ];
+          };
+          tui.cpuQueues =
+          [
+            { name = "n0"; mpiThreads = 8; openmpThreads = 10; }
+            { name = "n1"; mpiThreads = 8; openmpThreads = 4; }
+          ];
+        };
+      };
+      packages.vasp = {};
+      user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" "GROUPIII-1" "GROUPIII-2" "GROUPIII-3" ];
+    };
+  };
+}
--- a/devices/srv1/node0/default.nix
+++ b/devices/srv1/node0/default.nix
@@ -0,0 +1,33 @@
+inputs:
+{
+  config =
+  {
+    nixos =
+    {
+      model.cluster.nodeType = "master";
+      system =
+      {
+        nixpkgs.march = "cascadelake";
+        network =
+        {
+          static =
+          {
+            eno145 = { ip = "192.168.1.10"; mask = 24; gateway = "192.168.1.1"; };
+            eno146 = { ip = "192.168.178.1"; mask = 24; };
+          };
+          masquerade = [ "eno146" ];
+          trust = [ "eno146" ];
+        };
+      };
+      services =
+      {
+        sshd.motd = true;
+        xray.client.dnsmasq.extraInterfaces = [ "eno146" ];
+        beesd."/" = { hashTableSizeMB = 128; threads = 4; };
+        samba = { hostsAllowed = ""; shares = { home.path = "/home"; root.path = "/"; }; };
+      };
+      packages.packages._prebuildPackages =
+        [ inputs.topInputs.self.nixosConfigurations.srv1-node1.pkgs.localPackages.vasp.intel ];
+    };
+  };
+}
--- a/devices/srv1/node0/secrets.yaml
+++ b/devices/srv1/node0/secrets.yaml
@@ -0,0 +1,34 @@
+wireguard: ENC[AES256_GCM,data:B5YdOhpXruQY1Hqb7hpIyPZinSNG+Ub/jE2/hiwZT2WCHjT6Ujz/W8eKbuk=,iv:XcfZb34SjYEsxvo6HEGCd7wy0dsrNIEJ0bORznZZceA=,tag:uFlbepSwch2wJCRITlVNTA==,type:str]
+xray-client:
+    uuid: ENC[AES256_GCM,data:6JzTyJ+GVzLd0jWfvCc2dBdBVWz6RFH/8Gr73TNz6dNCyQjG,iv:ddGpYbIHN9PV3w6Oh65vEvv82jTChxgMdltIRPz++DY=,tag:nbFFk3S/y0hS3NFWGLPVJQ==,type:str]
+mariadb:
+    slurm: ENC[AES256_GCM,data:IoRiruMV+bdf4qTSQBy9Npoyf1R0HkTdvxZShcSlvxlz7uKujWnlH4fc5eR6yytHcEZ9uPLib9XbGojUQOFERA==,iv:E0ac0DyhplaHEc2WmcXY0Fjpkt/pnY9PaATe0idqCRA=,tag:Vo/DBIUO6DBFCXQ1RLrchg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZQUpac093NWh3bnZqWkFY
+            WGorTlk3WWJRb0RYVWVQc1JacU9GZDhFN0RnCkJkQnJoTkZtYkFEQ1JDZXA1Qzdp
+            dWxtc3RFbUd4TEZobXBQVWVlL3VETVEKLS0tIExoMUNidEZob2dtTWhmS0VHbDJn
+            RFNiU0xMOG1UNVY5TTYrcW1GTnIwb0kKyCl+eqpGtqN047+t1C/c1prIaP3tm1jk
+            1ObtsmGwCxDyIkayqB3WF9DWhNHipXHZXrWT+JQJTD30BABBex+ufg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1nzetyehldf3gl6pr6mu5d2cv387p8wjqn6wfpll7a3sl8us6n38s0ds633
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3WXJ0dmh3RTBMci9pVVh6
+            cWsyNHVub2U1RFhLSnJPSFI1S2lGV21nYm1ZCll2TUQybmtaaTdYd0dGSXVNV1Y3
+            TC9zbWJQOENsQm1Nc1ZwUTMvczJGK0UKLS0tIHJRemNhdWpRa1pkRnhTZjhCODNM
+            OThDMWRsWnVTbzRGTTZqSDBkNWZJMlEKdQ/ipO7O5OvaGa81c2P7fi1ncufueSzX
+            2njlHHz1gJCtjpktYaVvS6KSYtJoI9oNrF0YN5D/3kKW8TicsSGKaA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-04-10T10:44:35Z"
+    mac: ENC[AES256_GCM,data:lfckL0SJXq+eY3d9SUHihE4Alp6VAI7ugoQygMsphi91yvmAZ1YBbrTVxjzQpL1dT+7zhOhzE2dTqCLXUl1gjbYYo1S6zco73EdU4k/AX3LEAhCJCxG1LVvN/Kf+XoMSauFM7z+E8zZJCvT9/Jijxy/Ty/XBoP9z7gmpQSuRntI=,iv:5hVa0bsv3B9/I+BSxNYOYHFRnM3BfP8GvhlM65lWLFo=,tag:gs2NOe7h6AqYbmCBUMd9FA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2
--- a/devices/srv1/node1/default.nix
+++ b/devices/srv1/node1/default.nix
@@ -0,0 +1,20 @@
+inputs:
+{
+  config =
+  {
+    nixos =
+    {
+      system =
+      {
+        nixpkgs.march = "broadwell";
+        network =
+        {
+          static.eno2 =
+            { ip = "192.168.178.2"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; };
+          trust = [ "eno2" ];
+        };
+      };
+      services.beesd."/".threads = 4;
+    };
+  };
+}
--- a/devices/srv1/node1/secrets.yaml
+++ b/devices/srv1/node1/secrets.yaml
@@ -0,0 +1,30 @@
+wireguard: ENC[AES256_GCM,data:D4ukKVu4yn3hS3AZJqt3XTgZNbt44Vyiu6I5lCNw9c/VEqXBx3GDlKdcVPY=,iv:S1S0sU0vQcTahFI+GyBz1n/0LVsK3ImFDuLtuQxmgik=,tag:oZ1NWOCcsRb+kjfq/LcL2w==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyRXgwcllHZmZHcHZmZllq
+            c2NrbnFSaVVBTnhSNk9Pb1ZSWGp6UlVaanlVCkNObzcwUlYwZDdyOTByOXA5M0lz
+            QTJQMFcvWGY2VmZFS1kydjJSWmgyazQKLS0tIEs0VHZJckcyZUZaWURqZjdoQkVI
+            Zzl2RUFBRCtuMkpidWU1cmZlZWU0OEEKyMO8I43PiG+1Eu/8aKuNPKeA50P1bSyD
+            Nv5xyKaqcs6737Gw/zk0tY7EkeeruDfemxgsb527g3hYogHNXr9oOw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1wj33xt8nj7rhnsenepsf6k3lmq5vk4wn84jwr55qy9cwu05xn5cspg3h7t
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEcEo5a2srUTlhWXFQd2FJ
+            YmtBMzJqZE53R0J6TG80UWxMQ1A1WEpFNzJFCkJBSWQ3S2pTVnpGZ2JlRnpBYU1J
+            UWRKdEduQ1JMQ05GejVaakZYNzh4STgKLS0tIFBMVTN1MDcwVERucmoyWm5MQWcz
+            cWpEMWU1TjZKbnFTWm4xY2QwdWx3aFkK0O6p2piq8RKOcSTT49i0pnlt+gOk+QMF
+            r+EJU0zobWwe3PrDg8jjw5HpMxrpDzHcD0XMnVQW0Fd9pn6n4VfpUw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-04-16T05:03:27Z"
+    mac: ENC[AES256_GCM,data:13eXFmTRo9lZvQ3+iApHuei5r/OCSCs2gxqEe3nmavQgq1kQXKcD+4ciS/Shd9CJFZrjAu9oRByu5ZeZOnj11u6z3EmnXIwHptMEZe+N6r+Z2uKcBUa/TSJBnYcCrMQ1NM16GXRTi1bwpx4iT4v377lgd1orCa5C10iD6W3/9b0=,iv:FBGi1hSAu0Bz5NKz4mixfbUXbjI725RHccmEO4/jumo=,tag:vCHzTsTV7kJKNapFTxS55A==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2
--- a/devices/srv1/node2/default.nix
+++ b/devices/srv1/node2/default.nix
@@ -0,0 +1,31 @@
+inputs:
+{
+  config =
+  {
+    nixos =
+    {
+      system =
+      {
+        nixpkgs.march = "broadwell";
+        network =
+        {
+          static =
+          {
+            br0 = { ip = "192.168.1.12"; mask = 24; gateway = "192.168.1.1"; dns = "192.168.1.1"; };
+            eno2 = { ip = "192.168.178.3"; mask = 24; };
+          };
+          trust = [ "eno2" ];
+          bridge.br0.interfaces = [ "eno1" ];
+        };
+        fileSystems.mount.btrfs."/dev/disk/by-partlabel/srv1-node2-nodatacow" =
+          { "/nix/nodatacow" = "/nix/nodatacow"; "/nix/backups" = "/nix/backups"; };
+      };
+      services =
+      {
+        xray.client = {};
+        beesd."/".threads = 4;
+        kvm.nodatacow = true;
+      };
+    };
+  };
+}
--- a/devices/srv1/node2/secrets.yaml
+++ b/devices/srv1/node2/secrets.yaml
@@ -0,0 +1,32 @@
+xray-client:
+    uuid: ENC[AES256_GCM,data:U+unsiKt9vNo/EXEpLHR0Ny3DxQEwx7a40KmwZDZki7RQEuM,iv:7w90HNM5lfh2VY20AcUEVdu5X2uxqXxR0hARncmMR60=,tag:xIbKc+9SF5LP/tY/XoGYxA==,type:str]
+wireguard: ENC[AES256_GCM,data:xoIm26btEBuHjgcIrB8gRHAaEdBq3/E5XtoF0YPxnSHB7k3GWJfAxeL4vrw=,iv:HuOFNUgGROF97beF6C4amspd+NV/2uO6OihNMz23hSY=,tag:YJjFM8mqYOuJEulpVHt8FA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3WlJNWmp2VUxpcXR3NE92
+            TnNuLzg0SVZKdmt1cEVZU2FodXZPdmt6Rm5rClhrbDh3SzFlMU9LVFpEZDFLUGZZ
+            d2RBTVNCamNBWFVEVW9FMjYxcUE4Rm8KLS0tIHBwYjlMU2tnUTZweDBYcmZXUC9l
+            OWFUeE9xdldpTUQ3cDFENjU4YUVwSkUKp7yZGpvKMSm6rvsoPbcaqVznL3wzGEXB
+            OGzrmgY083Gyjb5P/0wPY0ShGMWfWQW6vGchoqVuwr4oHKT3APcrIg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age16e7ykphshal6qhwfvat698hl48s8yr0jvzh27ecdyfh5uk7t9u6s753jgy
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWRjBjdGFEMjR6QnQ0a3Nz
+            c2lmVWE0bFh3amRULytZOVhYS3dkL2JmRVhVClVQalh1WjJqcWcxT3ZXMWduN3Nl
+            UzdFNXNQUmtaaTVIVVFVYXkyZEFPUncKLS0tIExrTDA0OEJzQklQOHNJZzBJdzJP
+            MVU1UW9lWFJnSTE2aC9ZL0huYURUK3MK5U4cLWRMm+FFo8ATE/OoAcHzYHFMpOtV
+            Q5kbq5PDMdp4qvoM3T4kLsB34oU55HjFvac0pilOhNRrz4xRMQgvoQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-04-16T05:04:26Z"
+    mac: ENC[AES256_GCM,data:JlAgVoTpT6NRT1gvYQre6N8PzHLxbC9z1E42OM40Qs/nhcjYnsRNPiUEvSUClgx+B2G99S/b9R/wQqovBQFtdRDdlCMhz0ZVgLe48ak74EOYn6fwXy37amXP6doW86wS/N2fQeKhyMiJPHurRGamm+jsUUALohx6p1zm47NWL0c=,iv:oQV5be92oyOj0h6IrEY70VfoJYqEFVMtI0PYEALIXfo=,tag:WlH+fTUlPynhupXpBvdl+g==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2
--- a/devices/srv1/secrets/munge.key
+++ b/devices/srv1/secrets/munge.key
@@ -0,0 +1,32 @@
+{
+	"data": "ENC[AES256_GCM,data:ul1xMmQ5FZVIKct4KbgnTStsT5cH3sRvmaApZez4WZ36zF3q3M4o0dcwuWXxl9Ay8+Kd1zzUCZy26FRj85IwAel6POkmIlXl51Awou3iWuGBqUlS6IL9MIERMR6lTlisOK2l2PJ7IJBichFwwDrxImnt06B68Z7JWOyrLMfQhwg=,iv:nHePsGpRWMj4CdZ8wxr4xCJAcSndHsRju+AMyK54vNw=,tag:+CC0EJbTmIjRijr1SZpF3g==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2c0lOZnZXY0ljWCs2aFoz\ncHVQNVJJK3loVEI1amIzYWU3YUJjbWtUa0I0CmJnaUhhT2pEeG1ySGxHOU1LMk5z\nak9RNkxXRkxBelVTYks1TXJuazNjRVEKLS0tIE9JbktPcGFvYWk2NWV1K2J1SXhT\nQVpubWhsUTJ4SWNXTFNvRjQ3aE1kUFEKeuatL0NX6KbvZL3hafjbNPeBFDFBxSOv\no6Jvm9s4/Lp5m6YRVcQyInAoycC+O7GYwfCKVbPNMAamOhDraIoE4w==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1nzetyehldf3gl6pr6mu5d2cv387p8wjqn6wfpll7a3sl8us6n38s0ds633",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLOEFXV01sRXM5bTc2TGdE\nMWZraktqOUpTSWk0Vk1KNUdqNnVVNWptZkJJCktYMk5jL2ExTTMyY2NOUXdybUNi\nZ2hhTlBtaVZlZ3BDd0xBWTRoKzBJbmcKLS0tIEQyQlByNmtxdUFuQVZ6N3I3Rjdk\ndW1ldlIrZ0lxenZPMVNBcFJDMDM5QncK7p/F1Usnp2OQZ0Mp+cpQBY+ELu5n3UrD\nZN14dzPqnPpoC5nKOzGp7veg8ssH5VCX0xxI8ZJCihKwyJG/FP3pBQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1wj33xt8nj7rhnsenepsf6k3lmq5vk4wn84jwr55qy9cwu05xn5cspg3h7t",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpeDhuTkJFclM3dS9wV3Nz\naFdrVS9KSENEMklhdVgxcFpEU2N2ZWVKL0VFCmFVSHhybW9YNU5HVHliL1VVcmNk\nWHpsQTFGMWYvc1loNGVGUm54K0VwYzAKLS0tIEhYOE9nMnk2OFl2dFZRWlNTVTZt\nM2VBaGpTMSs5bzJwMHdJREV5ZzVzbGsKu0al3a6aJ40GbcCH4tF0Va6XgNxXOZmM\n7HXqH6s25dqbKTa8iNpGeaJhjRBzkyLjq1uRtQ9X4vXg9RuRhNYPxQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age16e7ykphshal6qhwfvat698hl48s8yr0jvzh27ecdyfh5uk7t9u6s753jgy",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOaHJ6U0hlZGVkWHptby9T\nVk1ONHovUTZKZUFZaW9XZVVoRk9UVWMxUldRCkNacG5FelBQbVZCbWhvSkx2TFJi\nZmd1VXFRODZNWmlGT1hJcUszbTM1Y1kKLS0tIElXRzRsTldKbTV1ZlZLNUJhVWdn\ndnRTMnc0cHpKaC82Z05VYlJ3a3luTm8KNBEKH7yeyzSyCh5D6YYc3Oayie6xDWEl\nyJVZHVmk87fzDtmVSP07KbiWeGur9epHCEjA0et/76+RXObIQQ6XGQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-09-15T11:11:36Z",
+		"mac": "ENC[AES256_GCM,data:bV7T1HfvM2n8+Vus9oDO5yoWDGtWYOd6d/zJ86/sXB4psg7aXVNedYSn+98SJdpYKHRcSuMJ9D4h62nAawERB6u8EmW8kxh8fuVLb6tj+9fWF1iVqinL4LE3916+XzMqGzGVZZEXaVtPHqOue/D1sYtBrBCOEMMyq0cmLFY2JrE=,iv:eSrtmJLARmwuAQ1//x4XqCKDZybJmMtyefWyLPk+1j0=,tag:M5W+vO4RjVwS18C9wTIe2w==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.0"
+	}
+}
--- a/devices/srv2/default.nix
+++ b/devices/srv2/default.nix
@@ -0,0 +1,86 @@
+inputs:
+{
+  config =
+  {
+    nixos =
+    {
+      model.type = "server";
+      system =
+      {
+        fileSystems =
+        {
+          mount = let inherit (inputs.config.nixos.model.cluster) clusterName nodeName; in
+          {
+            vfat."/dev/disk/by-partlabel/${clusterName}-${nodeName}-boot" = "/boot";
+            btrfs."/dev/disk/by-partlabel/${clusterName}-${nodeName}-root1" =
+              { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
+            nfs."${inputs.topInputs.self.config.dns."chn.moe".getAddress "wg1.pc"}:/" =
+              { mountPoint = "/nix/remote/pc"; hard = false; };
+          };
+          swap = [ "/nix/swap/swap" ];
+        };
+        nixpkgs.cuda.capabilities =
+        [
+          # p5000 p400
+          "6.1"
+          # 2080 Ti
+          "7.5"
+          # 3090
+          "8.6"
+          # 4090
+          "8.9"
+        ];
+      };
+      hardware.gpu.type = "nvidia";
+      services =
+      {
+        sshd = {};
+        slurm =
+        {
+          enable = true;
+          master = "srv2-node0";
+          node =
+          {
+            srv2-node0 =
+            {
+              name = "n0"; address = "192.168.178.1";
+              cpu = { sockets = 2; cores = 22; threads = 2; };
+              memoryGB = 240;
+              gpus."4090" = 1;
+            };
+            srv2-node1 =
+            {
+              name = "n1"; address = "192.168.178.2";
+              cpu = { sockets = 2; cores = 8; threads = 2; };
+              memoryGB = 80;
+              gpus = { "3090" = 1; "4090" = 1; };
+            };
+          };
+          partitions =
+          {
+            all = [ "srv2-node0" "srv2-node1" ];
+            n0 = [ "srv2-node0" ];
+            n1 = [ "srv2-node1" ];
+          };
+          defaultPartition = "all";
+          tui =
+          {
+            cpuQueues =
+            [
+              { name = "n0"; mpiThreads = 8; openmpThreads = 5; memoryGB = 216; allocateCpus = 43; }
+              { name = "n1"; mpiThreads = 4; openmpThreads = 3; memoryGB = 32; allocateCpus = 12; }
+            ];
+            gpuQueues =
+            [
+              { name = "all"; gpuIds = [ "4090" "3090" ]; }
+              { name = "n0"; gpuIds = [ "4090" ]; }
+              { name = "n1"; gpuIds = [ "3090" "4090" ]; }
+            ];
+          };
+        };
+      };
+      packages = { vasp = {}; mumax = {}; lammps = {}; };
+      user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" "lly" "yxf" "hss" "zzn" "zqq" ];
+    };
+  };
+}
--- a/devices/srv2/node0/default.nix
+++ b/devices/srv2/node0/default.nix
@@ -0,0 +1,32 @@
+inputs:
+{
+  config =
+  {
+    nixos =
+    {
+      model.cluster.nodeType = "master";
+      system =
+      {
+        nixpkgs.march = "skylake";
+        network =
+        {
+          static.eno2 = { ip = "192.168.178.1"; mask = 24; };
+          wireless = [ "457的5G" ];
+          masquerade = [ "eno2" ];
+          trust = [ "eno2" ];
+        };
+        nix.remote.slave = {};
+      };
+      services =
+      {
+        xray.client = { dnsmasq = { extraInterfaces = [ "eno2" ]; hosts."hpc.xmu.edu.cn" = "121.192.191.11"; }; };
+        beesd."/" = { hashTableSizeMB = 16 * 128; loadAverage = 8; };
+        samba = { hostsAllowed = ""; shares = { home.path = "/home"; root.path = "/"; }; };
+        groupshare = {};
+        hpcstat = {};
+        ollama = {};
+        sshd = { groupBanner = true; motd = true; };
+      };
+    };
+  };
+}
--- a/devices/srv2/node0/secrets.yaml
+++ b/devices/srv2/node0/secrets.yaml
@@ -0,0 +1,39 @@
+xray-client:
+    uuid: ENC[AES256_GCM,data:j2R0UtfS/es2A+Ic+Kq6FZJSqXlA/Q8tGkuAIX0ZdTsV4hGk,iv:Ovpr49isIJRdUyM3jxgiT+9Sc+qTF6ZnkKUwxIq6KUs=,tag:2VRSkiPNWaOmCqLJti8Bzw==,type:str]
+wireguard: ENC[AES256_GCM,data:TEi3LAZA0BaPxeXA1yFMD6fQPRKSndVyAzNycCD/5CYXmNVyO7zv4o23ahg=,iv:tEKFPyuqmpsWf0vDoSaw4Ai6S5DzacZFA4otNgnknxY=,tag:qZJzr/Yyoex2hDfVtT6nYA==,type:str]
+mariadb:
+    slurm: ENC[AES256_GCM,data:9wLQ1zF/kDaiw0s3UaRpiHgmngU7u6hwyqpddSjev0+Z0v58Q2oiJtK8vn+2VlSxx5ACfqEFbzp0PZYAxd575w==,iv:q9JTkgDymOwkbZ/PaxRAAQrtO96QmGgZcQuLTFCMoS4=,tag:dwOHlOTgZqT/1jQ+oGf7UQ==,type:str]
+hpcstat:
+    key: ENC[AES256_GCM,data:+Z7MRDkLLdUqDwMrkafFKkBjeCkw+zgRoAoiVEwrr+LY0uMeW8nNYoaYrfz6Ig8CMCDgX3n/DMb0ibUeN32j3HShQIStbtUxRPGpQMyH+ealbvgskGriTFpST4VPyQxNACkUpq/e+sh2CmLbKkSxhamkjKOXwsfqrBlgVbEkp7u7HkWGuAaYL1oPGt0Q94fWXwH0UVhRYZYQ2iFA/S6SEZY8gxaTIGDKUdWU9+fOHzPQ5WfhxtKYU4p4ydyfYsAt6ffqnPSx/SI72GsUCOJ4981JX8TuvnEzx3gQLVFYheK6NibTWCy6eODbvguieVOTHSvCPTrHmoP12lHVWU2kKzLwv70Jl7sXyzKHYROG0D+/z/4DKlNeotKM/IA0q2cST08/lwSKN7WDDmrt+O6xXhvwby28ZYKEsSvvrfV+VIKzHPl84ZKbUEX5xv/GHc3THfznUvKKz5PzDiqrkjCkEt5PRMsVW9A6MU1+QEUr+sXLLtcUd2CCL87c8CpwNHJx1us6vJ4ji1gu0PGoT+60,iv:yU6j9W2Hs2D34uHMJqqPFbNy2pNEZY2kzXoNdhPMSmA=,tag:TNvEfMVrhu7HrNxY8qe5mg==,type:str]
+wireless:
+    #ENC[AES256_GCM,data:xrg3Wxj/ghbWgg==,iv:6stu7voI5no2Y3YmnMrvTS8hev3eqjoWAyD5zTgyehc=,tag:cxkS7y7S1oM+/SJmlT10fw==,type:comment]
+    457的5G: ENC[AES256_GCM,data:QjHlyGU4JIYymyh41T+c33T3EOpbqDOoD3U+v6/BzjlWLLeZQXU2hwPCVh4fi2bwn7yNkp4ygAYmFPVPZWoT1A==,iv:Tc6Guzsn5hkjWH6UWSb1KlfWCBXIi2OWdn/wttmCXnQ=,tag:FhyH6JmjSTuqSeFy+GyQhg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0Rmc2Ull1WFB4Smh3c0Zl
+            emlTNGJKZkpIK2JFeUNVeUcrR2FzRXRQZHlvCkhzMHpzYmZRZ0M0cXdRVi8wZmp6
+            ZDRZQ2FkOWt6M0lrdjBHa3VTWXBDKzgKLS0tIGtJbTRRelg1VVk2QStwdzlFM1g4
+            M1JOd1g3cVdjUFRhZ0FxcWphZXZJbkkKFXDtJVoi+qIrXp6cznevuZ+peBiRRITP
+            rrplqLiYsNIGKmKYtRIUu8WXDZ2q2CJ8Z+pka3W3H/U+m957hBDWyw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1l4stuz0vr7gs7pqwjrmezam44702jp2vmqaqyxw0l0r42kf9updq4dfhrw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsSHdka3FPQUYrcXQzcTFo
+            a000TUllT0MvUzk5ZzVFbXZheG9ZVTM2S253CkE5VW9tQktvL2pMWFoxcnFjTGpr
+            Z0p1RjZWRGpSZ01TdTZRcEJXM2NOUkUKLS0tIC9rNmNzWitMdEd5dXQvdWlELzhM
+            M0xoL1dQR0kvMWpzN0RMNWVCTFQxNFUKj9LPjBo5NGOrGYNvu8qZ13PLYjLEWllU
+            LARzEn4XgkeHckouwvxZYMCx7WxmAruRWaOvnxTIczzSNP7wIrqnkA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-04-10T10:44:43Z"
+    mac: ENC[AES256_GCM,data:6EeWT8IiCGyRdR/9WDoTTM8bBuhzf2LtP1kahCgfvFpU6g5HB+qG5O0eXaL0DMKg7OQJKHIS/wZVaEierVwno0CnP1WR7y9l6Rlab2nVG4YCNkEkwqZgIWFOUi0aZrZQc7WC3rUk1gxiJK38nEa4ebk8oqAbyHyKHsFAeUcMbqA=,iv:oqRLvYsXct+OwcymXslEH4o03vLNeV2eU/4zK8R+gKs=,tag:0d1DYjCGRewUd4aHPIpFSw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2
--- a/devices/srv2/node1/default.nix
+++ b/devices/srv2/node1/default.nix
@@ -0,0 +1,21 @@
+inputs:
+{
+  config =
+  {
+    nixos =
+    {
+      system =
+      {
+        nixpkgs.march = "znver3";
+        network =
+        {
+          static.enp58s0 =
+            { ip = "192.168.178.2"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; };
+          trust = [ "enp58s0" ];
+        };
+      };
+      services.beesd."/".hashTableSizeMB = 64;
+    };
+    services.hardware.bolt.enable = true;
+  };
+}
--- a/devices/srv2/node1/secrets.yaml
+++ b/devices/srv2/node1/secrets.yaml
@@ -0,0 +1,30 @@
+wireguard: ENC[AES256_GCM,data:zfyNpCZ2EhQdsz+/vknjtbT1vMLebil1tarIcxLoUQ3J5XOKTCQBay4jBL8=,iv:tF6I5HHhDMfoGAfrtkmvrlqsSpX9YZL8dtzxAgBCp5c=,tag:DeOFwrIGbwVtf42iO1dm6g==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBndWFBbXpxRlI3bmc2VFJD
+            Y2hLK1RobnBYVEd1SXpiYXc5Wk1Ia09UUWgwCjE2WVZySnhXNzBtNGdJak9lbjE4
+            dEp6NnNQc0dNNDZsb3Z4ek9zVk4xeDAKLS0tIGVLdDBxOVZ2ek1MN0MwTTlwZTh4
+            T2VSaWx3UkxpZ2d6NC84djNpbGZUYUUKJHx6GZcnJpSoPE0HFvU+B4CsNtrcg8lx
+            LGaLYmciM87kXY1enOEzDk6px9GX9hFy6/73XBJVrIU0OC/w671vHw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1hnarptkze0ujpp05dqr8uma04cxg9zqcx68qgpks5uf5l6rpk5gqhh8wxg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiUHUrcnoySm9CcVJCdXRk
+            YmRzQ25mOFJBQjFtS01VWkxUTUU5WUI5WUdJCktLSFM3ZWl6N3ZUaTVpdWdNU09y
+            RTFCczNTeHNhYzNmbWtjNTdOMW9ITnMKLS0tIHFNT3JCbFB6K0FodTJrS3FtRGVq
+            c0I4VUdiZytoQWRsUUhBVStDR2VPT3MKDkDQ3sKJjotYUfoBWF85t3LYtz1OVFws
+            2IdtJBHISb5j3xnAs/UUHDPzjUUsgb+sTHm9krQy3LDuELNY6KGMPw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-04-16T05:05:21Z"
+    mac: ENC[AES256_GCM,data:aPNsWBi4sm4UhX1qpk412eYNCZltKkRMWWgopZw6mjMLSOSb6E1yi8NjRJMj04RpE2XoVCkKP6R5Qo0I95wxY5qZHJuUp/5srqjAf/fHWz1QmXThogaMzM2jue7+NHUSQXrPnh0ZspXD47HyxMUOhlnewZ3EfOw7B5qKAYR1f6I=,iv:mnwtf0B7x5AbMzivg27zqIkhBdkDb5qq8eDBCGMdK0c=,tag:PCtirta++gCSsQsQo+bSmA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2
--- a/devices/xmupc2/secrets/munge.key
+++ b/devices/xmupc2/secrets/munge.key
@@ -8,11 +8,15 @@
 		"age": [
 			{
 				"recipient": "age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWYmNFOFlnbm1FdXdGWUNr\nOGN3THhDUyt4SDVzcHY5dEYrSWsrQm1UOFJvCmhXaWFlcC8wazROaXZzcm9tUnFM\nQlphZ0x6c0RhbzY0aGVFbXdOa1BHbG8KLS0tIHF2YUNTVnZ3Z25FSnFlTEdmdXhE\nb3Z2UEp1c2UrOUp3NEdNcE5HSFptbzAKWGSTwv6xUNs/f+p0Bhpzg8zZ7EVK8kMm\no13fru2Cnqrw8Cj0zfx+7LODpBVzo03fLYKqZ6kbPZGa12ihk+fD4g==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDeDlnOGlTYlY5a2wyaUxo\nSk5uaFVQWTY1Q25ad0NkSTQ2bTZEYU5ibWg4ClpnM1NLbFArUEtndjFGamgwdDBF\nWnNMalNRWWhLL2V3S1RWRHh3MGErUUUKLS0tIGt0MGJ4SzNDTWZNUHM0djFDSjdo\nbDMvbWRDVURzQmVWdGFQeDVWQmN5Q2MKBpbH7QXL1sf0c7ix9yd2r7vEBScixvBM\nom1tHgJmwxhep7DSyvjg/xslag7U2vF69gPrcAlnAndZsLCtsYdvyw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1l4stuz0vr7gs7pqwjrmezam44702jp2vmqaqyxw0l0r42kf9updq4dfhrw",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKRVMrenM2Q1ZheFVPc2Rz\nYVd6UGoxbkpSQlZsNFN1dmIzSkl6SERwaTBRCjlHV3MvTEpxbDY4OHZjeUd5NmRF\nRmc1NzVCMTA0bDhwajNlMWZKTlNKK2cKLS0tIHRZZ0cxY2dwV21iRDlmeE5UZkM4\nK1dKV24yY3FKV2J3U2VzZWt2QnBSTHcKn8mq+1RnJG/nBbH2mAFpSFSTHDWvMqJj\nsziW9lK0cH6bPxhcpDO4oG8K08bdGHUVGtx2Zk81CDqzfamlMzzG2Q==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwa2Z5V0VPRWhYaXZ3STBa\nMWVsS01CYVBzeHM0T29pUWtQYlVyWCtheFRzCk5JYUpqN1cwWDFwUkZ2Q2xkL3U5\nRlNpMTQ2QTBQZFdYMmJIZjdnOWNjalEKLS0tIEZZREZPVmQxZ25MaHlMZ0VuWExT\nR2dJZ1lWdGt5dWNIM1FyQ2dZV0dlTTQKhUnA3pnoXb18/b/Jzyk0fC6GnmIMmYfl\nVgzCoCDSHNSvW/qUoT22hJfZCMFvIzOHEpmufMHCecZdisUozfWFuQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1hnarptkze0ujpp05dqr8uma04cxg9zqcx68qgpks5uf5l6rpk5gqhh8wxg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlYnBaYmprYTIySWFnOVhk\nTThHNEptc2luWTFxSTBBMnY1Q1FkQjNBaWlBClFRbWlIdmRRVnZ0TGJVTlhNRHN0\nS1JZZnJLU2xCS3Q4ZTBDWU9ScnBtOEEKLS0tIFNCMmtDd0VJR0JucUJSZHo3dHZl\nWm9ZQ0dOamZvSTNQNW1uWW85TGxRTWMKKm7NdN69Q7F+KcR7u3kTxhQuzikGUdEZ\n8AkowBgHRndxNgdC6wYV1VeqEkDxXqR/430+EQS0jQQrIXpuXkCDkQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2024-03-09T07:59:38Z",
--- a/devices/srv3/README.md
+++ b/devices/srv3/README.md
@@ -0,0 +1,101 @@
+# 定价与配置
+
+售卖两类 kvm 虚拟机。它们都按照需求的内存和硬盘定价。
+
+## 普通虚拟机
+
+* 硬盘每 10 GB 0.056 美元每月；内存每 128 MB 0.044 美元每月。每 1G 内存附带 1 核心 CPU，内存不够 1G 的给 1 核心 CPU。
+  * 例如，4C4G/100G 的配置，每月 2 美元。
+  * 这个价格相当于母鸡价格的 70% 。
+* 适合绝大多数轻度负载。不适合的情况包括：
+  * 硬盘需要禁用 CoW 以获得尽可能高的 IOPS，例如较大的、繁忙的数据库（例如大型 mastodon/misskey 实例）。
+  * 希望内存中的数据一直驻留在内存中（而不是被交换到 swap 中）。
+* **可能会超售**，但我凭良心保证，当你需要时，仍然可以占满内存和硬盘；长期占满硬盘和内存不算滥用。
+  * 前期肯定不会超售（笑死，根本没有那么多用户）。
+  * 永远不会滥售；但后期可能会视情况调整价格。如果涨价，会延迟三个月生效。如果降价则立即生效。
+  * 万一出现卖超太多了、不够用的情况，我会自掏腰包增加母鸡配置。
+* 实现细节：
+  * 硬盘会使用 raw 格式，放置在启用 CoW 的 btrfs 子卷中；不预先分配，用到时再分配。
+  * 内存会允许交换到 swap 中，并开启 KSM。
+* 限购：
+  * 每台内存不能超过 8 GB，硬盘不能超过 200 GB。有更大的需求请买下一个配置。
+  * 每个用户只能购买一台。
+  * 这个限购措施是为了防止有人和我抬杠，花 70% 的价格把整个母鸡买下来。并不是营销手段。合理需求的情况都可以谈。
+* 宿主机会自动创建快照，需要时可以回滚到几个小时或几天前的状态。
+
+## 独立虚拟机（资源独立分配）
+
+* 按照母鸡价格的 1 倍定价。也就是：硬盘每 100 GB 0.8 美元每月；每 5G 内存/2 CPU 2.5 美元每月。
+* 实现细节：
+  * 硬盘会使用 raw 格式，放置在禁用 CoW 的 btrfs 子卷中；预先分配所有容量。
+  * 内存会锁定在物理内存中。
+  * CPU 会隔离/锁定在物理 CPU 上。
+* 宿主机不会创建硬盘的快照。
+* 两类资源可以混合购买。比如可以硬盘按照独立虚拟机的价格购买，内存/CPU 按照普通虚拟机的价格购买。
+
+## 其它细节
+
+* 无论哪个方案，硬盘/内存长时间占满都不算滥用。对于第一个方案，CPU 是共享的，请不要长时间占满。
+* 暂不限制带宽，合理使用即可。
+* 默认共享 IPv4，支持端口转发（详见下文说明）。独立的 IPv4 每个每月 2 美元。
+  独立的 IPv6 免费，但暂不支持（技术上没有准备好，如果有人有需要我就去准备）。
+* 只卖朋友和朋友的朋友（总之得有人保证别拿去做坏事）。
+  若此定价对您来说仍然难以接受，可以联系我，打五折或者免费。
+* 此价格 2025 年 9 月 17 日前有效。之后大概率也不会调整，但保留调整的权利。
+* 预计收入无法覆盖成本。如果某个月的收入高于成本，承诺会将多出的部分捐出去。
+* 非 kvm 虚拟机的服务（例如，只跑一个 podman 容器，只跑某一个服务）定价私聊，大致上是上方价格再加上我的工作成本（事少的免费，事多的就要实收了）。
+* 配置随时可以调整。所以按照自己这个月够用的来就行，不需要为未来留余量。但每次调整都需要重启虚拟机。
+* 母鸡价格 40 美元每月，配置在下方列出。
+  * 机房: LAX3 （IP：srv3.chn.moe）
+  * CPU: Intel® Xeon E5-2650L v3 (12 Cores 24 Threads)
+  * Memory: 64GB ECC DDR4
+  * Storage: 1TB NVMe (可加，8 美元/TB，另有 NFS 3 美元/TB)
+  * Network: 1Gbps, 1x IPv4 (可加，2 美元/IPv4), 8TB/month
+
+# 操作
+
+我不提供网页端的控制面板（因为懒得搞，要是有人想替我搞的话那就提供）。
+
+在确认购买后，我会给你一个 VNC 端口和密码。虚拟机会首先启动到 netboot.xyz，你需要登陆 VNC 选择自己喜欢的发行版并安装。
+安装好系统之后，VNC 连接仍然可以使用，你可以使用它来重装系统等。如果你担心安全性，也可以告知我，将它关闭。
+
+此外，我还可以提供一个宿主机的账户（SSH 连接），用于强制重启虚拟机等（会做好权限的分隔的）。若有需要请告知我。
+
+# 共享 IP
+
+支持多种转发策略。
+
+* TCP/UDP 端口转发，就是最普通的转发。
+  这个方法只有一个坏处，就是多个虚拟机不能共享同一个公网 IP 的同一个端口。
+  这导致用户在访问时往往需要明确端口号而不能使用默认端口（因为默认端口已经被占用了），
+    例如需要使用 https://srv3.chn.moe:4321 而不是 https://srv3.chn.moe。
+  建议不面向普通用户的服务使用这个方法（例如，ssh，coturn，等）。
+* 利用 Nginx，根据一些信息分流再转发给虚拟机。这可以做到多个虚拟机共享同一个端口，但也有缺陷。具体来说，它有很多种方法：
+  * 依据 SNI 分流，并透明代理到虚拟机。
+    这个办法的缺点是，只支持 TLS 连接（例如 https），同时服务端看到的用户侧端口会变化（通常情况下不影响什么）。
+    只要这两个缺点不是问题，就建议用这个方法。
+  * 依据 SNI 分流，并使用代理协议（proxy protocol）转发给虚拟机。
+    相比于上一个方法，这个方法可以正确传递用户侧端口号，但需要虚拟机的服务端支持 proxy protocol。
+  * Nginx 依据 http 的 host 头分流，再发给虚拟机。
+    这个方法的缺点有很多，例如我需要修改你的域名的 DNS（用来申请证书），母鸡到虚拟机的连接不加密，只支持 http/https，等。
+    这个方法唯一的好处是，如果你不会配置 nginx，可以在宿主机上配置好，虚拟机只要跑后端的服务就行了。
+* 别转发了，直接在宿主机上处理。例如 80 到 443 的跳转。以及如果你想要 host 一个小的、不常改动的静态网站，等。
+
+# 杂项
+
+**如何调整虚拟机启动顺序（重启到 iso 而不是硬盘）？**
+
+先重启虚拟机，然后马上连接 VNC，可以看到“Tiano Core”的提示。这个提示只会停留 15 秒，所以重启虚拟机后要迅速连接 VNC。
+在这个界面按 ESC 就可以进入虚拟机的 BIOS，在这里可以修改虚拟机的一些设置（就像实体机的 BIOS 那样）。
+如果只是想临时从 ISO 启动，可以在这里选择“Boot Manager”，然后选择带 “CDROM” 那一项就可以了。
+
+**如何调整硬盘大小？**
+
+* 扩容：你需要在扩容**后**将分区和文件系统调整大（占用虚拟磁盘在末尾新增的空间）。
+* 缩容：你需要在缩容**前**将分区和文件系统调整小（在虚拟磁盘的末尾预留出要缩容的空间）。
+
+这些事情都最好你自己来做。我可以尝试帮忙，但不保证数据安全。
+
+**如何强制重启虚拟机/关机后如何开机？**
+
+登陆宿主机后，使用 `vm` 命令，不加任何参数，即可看到提示，按提示操作。
--- a/devices/srv3/default.nix
+++ b/devices/srv3/default.nix
@@ -0,0 +1,112 @@
+inputs:
+{
+  config =
+  {
+    nixos =
+    {
+      model.type = "server";
+      system =
+      {
+        fileSystems =
+        {
+          mount =
+          {
+            vfat."/dev/disk/by-partlabel/srv3-boot" = "/boot";
+            btrfs."/dev/mapper/root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
+          };
+          swap = [ "/dev/mapper/swap" ];
+        };
+        nixpkgs.march = "haswell";
+        initrd.sshd = {};
+        network =
+        {
+          bridge.nixvirt.interfaces = [ "eno1" ];
+          static.nixvirt =
+          {
+            ip = "23.135.236.216";
+            mask = 24;
+            gateway = "23.135.236.1";
+            dns = "8.8.8.8";
+          };
+        };
+      };
+      services =
+      {
+        beesd."/" = { hashTableSizeMB = 128; threads = 4;};
+        sshd = {};
+        nixvirt.instance =
+        {
+          alikia =
+          {
+            memory.sizeMB = 1024;
+            cpu.count = 1;
+            network = { address = 2; portForward.tcp = [{ host = 5689; guest = 22; }]; };
+          };
+          pen =
+          {
+            memory.sizeMB = 512;
+            cpu.count = 1;
+            network =
+            {
+              address = 3;
+              portForward =
+              {
+                tcp =
+                [
+                  { host = 5690; guest = 22; }
+                  { host = 5691; guest = 80; }
+                  { host = 5692; guest = 443; }
+                  { host = 22000; guest = 22000; }
+                ];
+                udp = [{ host = 22000; guest = 22000; }];
+                web = [ "natsume.nohost.me" ];
+              };
+            };
+          };
+          test =
+          {
+            owner = "chn";
+            memory.sizeMB = 4096;
+            cpu.count = 4;
+            network =
+            {
+              address = 4;
+              vnc.openFirewall = false;
+              portForward = { tcp = [{ host = 5693; guest = 22; }]; web = [ "example.chn.moe" ]; };
+            };
+          };
+          reonokiy =
+          {
+            memory.sizeMB = 4 * 1024;
+            cpu.count = 4;
+            network = { address = 5; portForward.tcp = [{ host = 5694; guest = 22; }]; };
+          };
+        };
+        rsshub = {};
+        misskey.instances =
+          { misskey.hostname = "xn--s8w913fdga.chn.moe"; misskey-old = { port = 9727; redis.port = 3546; }; };
+        synapse.instances =
+        {
+          synapse.matrixHostname = "synapse.chn.moe";
+          matrix = { port = 8009; redisPort = 6380; };
+        };
+        vaultwarden = {};
+        photoprism.enable = true;
+        nextcloud = {};
+        freshrss = {};
+        send = {};
+        huginn = {};
+        httpapi = {};
+        gitea = {};
+        grafana = {};
+        fail2ban = {};
+        xray.server = {};
+        podman = {};
+        peertube = {};
+        nginx.applications.webdav.instances."webdav.chn.moe" = {};
+        open-webui.ollamaHost = "192.168.83.3";
+      };
+      user.users = [ "chn" "aleksana" "alikia" "pen" "reonokiy" ];
+    };
+  };
+}
--- a/devices/srv3/secrets.yaml
+++ b/devices/srv3/secrets.yaml
@@ -0,0 +1,110 @@
+wireguard: ENC[AES256_GCM,data:Coe4iIEnJVDb4a9KUVTRkXl4kng5Zo6x1Iyr0ErgR2b9bN287mvO6jPUPSc=,iv:fiNUUKobJjitcoxBemIah5Cl5+dSz2Q7sbiOT8bDrRM=,tag:rHfNeRGTxnyVYAu8P/2ewA==,type:str]
+nixvirt:
+    alikia: ENC[AES256_GCM,data:sP3sWN0RrBU=,iv:TetUcaxsRXl0QsGAyXbVUAW12AXjChVN1/X+ku+3nO4=,tag:kBupoPqVlwHuCnwVdBJBKQ==,type:str]
+    pen: ENC[AES256_GCM,data:okvzUul3UXk=,iv:hcBhsUMP8jdhhKuKdHD1lZi8ixNAC729HfMQ79UzyNk=,tag:SRRav39ScHn0O/sf86CIOw==,type:str]
+    test: ENC[AES256_GCM,data:MYlMmzgbW9c=,iv:q1qPAwFTh0fj2IHBIlnrOMbTU2BnwIYzOFUHVqWCY/Q=,tag:Mb2bJJemg/LxpKI5whNvQw==,type:str]
+    reonokiy: ENC[AES256_GCM,data:J/ZM0Vavmnk=,iv:ZT1cMF/JWLWmXyBx331XkBQerOhLJeOd0a53jcSC4S4=,tag:/WCwzOg5LlAS5ZaiI5DSIw==,type:str]
+nginx:
+    detectAuth:
+        chn: ENC[AES256_GCM,data:cek6iIlJXgU191uzq44rTw==,iv:r7aMj5UzH1sbKkxvS8oyw6kpIcpRygD4ype8qkmnNa0=,tag:x2jWZnnFCO0sHj/OS2BQbA==,type:str]
+        led: ENC[AES256_GCM,data:JiCmbknE,iv:Z2RFOWIPUk2jaR6qd4PgRb7LwwHSKNapPQq996Mx+yI=,tag:mq6Vtwjw31DKig3Dl4xU+w==,type:str]
+redis:
+    rsshub: ENC[AES256_GCM,data:+wEclSJGMLBMt7Ss2fMlUgq5kRyNiOheQnRvVtbW47eG2mFODBaw04Qftb80aaSE6YpCTNslBGdIjcpIC7FTUA==,iv:6Caod/1AnUxEEC7ZwVrtDZ1kP6Qu50R+9I3eda/p0pk=,tag:/EYXZ6yl3QupVrzIHQMdbA==,type:str]
+    misskey-misskey: ENC[AES256_GCM,data:nCrH0B3A5B6yMAgTd5TA56PKqJUxwtHeS6BvuUseyKAVbqH581TGsO80mNQ0AJRjviw5o3ftTay79nJnmGld6Q==,iv:fhGcgbpNBo9yUpFDWtuzMos2iPhMdWyc88S0fZDxGao=,tag:QIZ72z5VBqd5pFgaEvMTZg==,type:str]
+    misskey-misskey-old: ENC[AES256_GCM,data:WS+SVmxYs3cNc/+sJQLNYDO0ZkZvmqzW9hCGdDae/N06KGicgiGOKV8LDe1UviGGGzXzB5VG0YvAprEGhUURcQ==,iv:6Ur9FL2+RzU4tfK2V4TaaCpempS1JSSMHz6ebg3mp7c=,tag:qCNqJ3SauPdpxo3f4NVg2g==,type:str]
+    nextcloud: ENC[AES256_GCM,data:pwxtefU7CjTxyogcpPpvQxvdnYIpggaBHZ+/PaT9lhVfvFcNtBBZ1eeOGbUXMZc7BnkFAUDVTVjr5KV75CeX6Q==,iv:65K3PsNfesaAJ7rSRI66o5UEM3SW5KdUnGc4h9WMkUE=,tag:e2nx9vTlkGekvhm8lYsMkg==,type:str]
+    send: ENC[AES256_GCM,data:QCfqbGYuBrlwfuHiSsZIZ1OBVnSO9QjhlPWGVRysKbQK+As/RGbJ5QYtPOyKfRg2L1d5Irfu1aGRoVrzpA8O1Q==,iv:MWzJP+JBwf131X030MnzNKMJ3d4Fq/GtbHpuan4N53Y=,tag:z29HS/FQXTvgN1e1HZFJkg==,type:str]
+    synapse-synapse: ENC[AES256_GCM,data:C6eXXK6SvMmvIa8dVjttorYBScC1SfILqXPMYDCpewVyJCUFzQK3NB8KUz9TMov4P5n+Lm5YItjrUgnhNJA5jQ==,iv:ziJ5JK/+M9d+R6/O/4hQy5DPBw/4XSZVQvIcy55aHRY=,tag:nv0rre2/kyhKu4C5JSE5dg==,type:str]
+    synapse-matrix: ENC[AES256_GCM,data:E72t568kxMjz+x+nC0kIJJFfgt6njlW8Wx6RuqnI736vW7IaA7scNVQ03lXpqZlKS1M7wUhb1QRPowJxNjSK7A==,iv:5qGHIWb7XXrnbjPQVWt+EcX/yDEV4Ny+TIo5OaRHwOk=,tag:O+SQBmZ7xpToSJYmcSCRWA==,type:str]
+    peertube: ENC[AES256_GCM,data:lxf5JtlGfDsYY2kzqaas8zPmS3u7Xch6onLVe2yoQZL6Eeb94V8yncqezGFcsGv1k3Xfr4ncoEraupO3RtKYSw==,iv:VM3SAORs2Ol/WKYCffLlHNPAzA37Kp2fgToM1faS7Ew=,tag:gwI80Kn00QOU+9vRsUKchQ==,type:str]
+postgresql:
+    misskey_misskey: ENC[AES256_GCM,data:BUHwrGGcniD/7+hSHkXegopgG1bRGSt+OXJxKdMOEyeawAkG96af+njJ+WgcZ6KAzQdWtqJATdiTOxpznkvKfA==,iv:9hF/jcGyWFNPzzqVyaVXEabeaGDE92bpVYq1oxvQGOY=,tag:nZObCyAfuMr+B+rlUhCMMA==,type:str]
+    misskey_misskey_old: ENC[AES256_GCM,data:saLuu3wFcqRW2yNF9aZZ4zc6njm6pqqcUUqRTbijXELvZwMy+G+OMKuvgsh71NLDJiNDZdOBAOdUUXlC+okBFQ==,iv:kcHjlpndXENhASkenLN8fNLJjHmcuLN+i7+a+fLjxyU=,tag:Sbr74hl4GsCts2Diw8veRw==,type:str]
+    synapse_synapse: ENC[AES256_GCM,data:NfXD6BHV9za79NW1kLvJjdOLeHjtcrzx9O9W65jgHYneEmUNKO1nuBgs3PrI8tkBPkmn55UdC+4v2WFjHWXrkQ==,iv:YdF0liKfIBT3CHCr1ufguu9qqYpfXfjOhJY5BO79orE=,tag:OWyN3Zh6uvm10LmCBipJ4w==,type:str]
+    vaultwarden: ENC[AES256_GCM,data:4thZ0nGnbprVntYH2wG2PAgAJcAYuexQPOJBSpC1ivQgNbmn89L5pSANx5fvYewa834mlqSWHWeSqIw/81tDqg==,iv:d6gARu6yGzALNZrgpvaxWqM1cdkalA17GZ4EVWHqYUc=,tag:guYaW+Ds1TylCLw/naD2mA==,type:str]
+    nextcloud: ENC[AES256_GCM,data:jeJSAF+oeEXL2BqKbzngnSVvpxE5yuzRq2LLu6EyKT76xHP/whP7QuRxns23dsJnUr55qaRUzDunvoFco8MCZw==,iv:0lxolTDXskNvrVEAC4dV/mIgCMi3B0xH+xVT40Brii0=,tag:YvUtW172rmKK6pY/+4WhXQ==,type:str]
+    gitea: ENC[AES256_GCM,data:D+WDCVPTAcOg/gpxlcaNHFVHBC8uKOs5VZKQYuF0qNZQn0H0dWQS89K3DsgjBKck7ugiZOyXKUHISBVrfBn+VQ==,iv:qkahWBx8q1g6wlzXKM5Bl1PqxwkprCZzzCq1vGWaj7E=,tag:hWX9jF2qx60QrOForU7LLw==,type:str]
+    grafana: ENC[AES256_GCM,data:Hm92Qnz5QVWwk6P61vrnnxDFLtdVx2vOMKwy3sRSv+KDnNSYvRNyLQUkyuf7Nh0S167XgAxDPTZQb9k6AjO36g==,iv:oXmfVDr63NGv4rRBb12V9l9dNXxQK7Se/2fbK40d2a0=,tag:DNeeRwEShxUhowkIfr1feg==,type:str]
+    synapse_matrix: ENC[AES256_GCM,data:HdhB5WAxBa+BaFBVoIo6RwhOxhN5WrTLR11kah9H1sBS5GDPldDw0H274faWFwE/UwXO2ggBEAYvACXr/rXkvQ==,iv:NxOsZqxsP9BSgdlW43AuQGw0VjSGx77wygjdDcINf8s=,tag:CtbG4zcXG2QFFP4dGgOxzg==,type:str]
+    peertube: ENC[AES256_GCM,data:6P8muSWzJ+A71nZZKlCXRCRwr1HWu7yrSw5bkeHg5As917frrbOMmDCpf21H0q+eagx/ZrRIWod2JXc2YGKCfg==,iv:G/zZeYbDCHffACCvhJlKlJ1cUCkw0+raq5G1ubqIRAg=,tag:HeQA3ueNo/t+8JR9jVUUPQ==,type:str]
+rsshub:
+    pixiv-refreshtoken: ENC[AES256_GCM,data:3nQdmn5RAaeqeI7S/0gPUGOzt7rkizpk3Ouz+pXwbqKBpikXKm4amvwg1Q==,iv:sze0u8un0xyumqHj0YeKcBD9xKZRW77rQdQn7auIf8I=,tag:bWqg+/pBaQJ2J3hjx05hlw==,type:str]
+    youtube-key: ENC[AES256_GCM,data:NZPG5iYrkOof+L3SKp9SqXmXOt37hvqCxTTibkzXv5TBPcCjPhCe,iv:Re6966w0oRtvHDCt9eYvswDMLNKcM+stIAA+P1qpWbg=,tag:0jNqPlGoXr0bHGMgHUZXCA==,type:str]
+    youtube-client-id: ENC[AES256_GCM,data:7BOIrxA5FIUo/31p3yqrLJKJhV9IUB25//w343eBoAnr3uD6J9zeLO3nIQv99vItioqFA1RmygCeer9pG7j/FI/MmmT8nGzPcw==,iv:mzKY2XghoXhKTTkO6EiG+ZJFsM39TX6UXJbzh0UA7vc=,tag:w7oiCvURV8yFxxoFR2P/jw==,type:str]
+    youtube-client-secret: ENC[AES256_GCM,data:JCyNb9biROLSx0RHkr0FqZ26nhU/LRBEnzfx91mmq+Ux0/A=,iv:fEMmanWtWaKBVUJVIeMSu+XV3v8xeccDY3DTJr4LOsk=,tag:bT+XedAZu94h053/1zr7Ow==,type:str]
+    youtube-refresh-token: ENC[AES256_GCM,data:TXNvLTfF4K5RT4D0anzXds/fcdPy3FXddGt5xxLIaxbKIqCAtsQyLEhA+SfQXaBk6T/yKIhtd/H/BLu1jOkiZsFL/8i5GSRSIXyagFrCfh/7tEqhCB0u52Hz5Xy4pkZiqd/AXx84Og==,iv:s+q2ffpJP/rcKu/Pw4KosM5/7boFPArJxgbqL0f1ZkI=,tag:chUtPpJbYuhjv09lRdXHMw==,type:str]
+    twitter-auth-token: ENC[AES256_GCM,data:scLoap0kDJW8Q9+h9S/JKYafyCUgx75RV7akHY/BYEmFhRNRq5Z2Lg==,iv:GhP3nyaK18PDcoHc18zhuuPAPnfEWgUagBrZNDY3toQ=,tag:qsE2rIgrmlxBW8D3i10KUw==,type:str]
+    bilibili-cookie: ENC[AES256_GCM,data:fdAX5CpbJZv3fxRdA5SpFwNUZ0jYgYuv8SyKfbJzm5toQ8S5TrQ9WnQk6Jwweqmg3VDRD5l6l/irGsRlLdjt3p7fyAJy0wtzY0jD1xGw8XhdKWevMTysg1YQcMijkJSI0oHpofis975M6EDjcURPWwlR6GqW6POOpMep97siOxiNyBi32TbZHqvIWa1YfyuMcngYMEsShpzWAZCCvLYXoBINXebG1JPHU2xua7EHMO+VH7UFNVCyBYmOw4iXBJ4YFaXqxjQTBza4GDDZ/RVBvO5Egdjovjpj1DR/hOEG4xJHpg6xTsFw,iv:WQTVuovkZjzuu5w743GkMcWqu2p7dmPr9sKHemkbxG4=,tag:eszbpreVfC4LtxnRte241Q==,type:str]
+    zhihu-cookies: ENC[AES256_GCM,data:ssemzXs7ub4z7pw4hWGSfzBfKH/xzv8bhtqC1dDbZJCnwZ4D4/U9ES9QDrPeKT5AjbdLV/WBvJqWKcwTQjGnRhMrgK2MU2/8Et61mur5WE5GPQjwhWV5JaTMhSxKS3pZtpyvIgy+0iwOj8QQS6mbujHnpb/y0fhszlmUQPBL4eIxm269/FyjBLeRivrJvSmMpLQxxwh2/GTojMPH2F3bclsdMHgZhvYGdJ65hSWn2Q==,iv:PffeWFhC+dYkLSDQKuIHRRDjqE7By/ZIuZIhkjCGDig=,tag:p4iJwqLfqkiKOi/KnoyfQA==,type:str]
+mail:
+    bot: ENC[AES256_GCM,data:XngvO9b98ccRoW9WgfX/Pg==,iv:SE8SK49zhYhDxl6f2UonCzTPcKg23CzbI5V/fOh5zOA=,tag:IXGwnSU+Vx0BQxjgvyBnCQ==,type:str]
+synapse:
+    synapse:
+        coturn: ENC[AES256_GCM,data:TQqNzjJV8iM46JZQOKqkydkSrDFH2El4EE1ZCjUPpZ6EM7UHfjjxP536sm7c7adxIZzrj2TlzKufhlGFYfZ8xQ==,iv:OVguyW8sQzfczVHMaMTg6+J0wzTzeTb2zZkXnMEZ4Jk=,tag:dYLMU2bHyg/IR1oyujsoRQ==,type:str]
+        registration: ENC[AES256_GCM,data:MXlRld2ugF3qDVPbrd3TGiwdFhJEcxKDsvmEV4P9Qap/zp1WcMzfo+wAeXtq18MV7Fw=,iv:ztN6q+1ql9b4NMiyuDEmWbnpWeOPmbEftymMDQ3C53M=,tag:+BI9t1jSNNcfrIU6AaDOXw==,type:str]
+        macaroon: ENC[AES256_GCM,data:hVkFqtfaOL64qNGjIfmSORm0D8lOvA/H3Mrm11Glrgy11ACjh+zI1CSglQC0SmaKSP0=,iv:ydNz3kXOelPxSFKshjH9+iYw4OItm6QoNGuks8kSDow=,tag:TCHyMXc+gT+fxVyd7HexMQ==,type:str]
+        form: ENC[AES256_GCM,data:lykxrVPMWz1sBk5GoMRHfHhsVxcT7txvLJ9GM48Jyff5HXh1z4IWuZzOu8HkrELkJrA=,iv:QGV8vqor+wByS9z37sF/iPfrNaL/0jU/yUGiphEl4Fw=,tag:Mg/Oz5hI+oDnp58aQF6Rew==,type:str]
+        signing-key: ENC[AES256_GCM,data:Ov+ly2t3abRunse65ccPpQgqKzDrF8B2wMaCJt3Bxa+QDu6WwD8DD4E+pcQK5/HaTdsQte8Z/3f2Kw==,iv:SSMjSTrhgHt6iz+oyHe0sHm3Eb82ks5z8DR1Puc1raE=,tag:9X+T4n/6Vl4tUbVM0LJySA==,type:str]
+    matrix:
+        coturn: ENC[AES256_GCM,data:BmnF4oyUdbESzOwlqQ5SXYgeUnWgyFE0pdBox33JmaMcOvRPtckD9p38UeMTxp8Pccarmx6f83rdHsifeoiWaw==,iv:1bb3Tn67HTHVNR9ohH1HtqS8wh6t7qtTEl5MNbwn7h8=,tag:xlxMZtqew4pTc9ztY74cHg==,type:str]
+        registration: ENC[AES256_GCM,data:LB5tWjoAsftqszYZGOXtqLFXa0HyU1b6lVUrBup5SJJdB2ZOnPsNtcgEkZLtMUlQ//M=,iv:jvLEwPv4iKuKfOPV08sPb9Z2XMnN+074DCQX+ARDPf4=,tag:4QxCLcOSQ30dU2Z+0OzGYg==,type:str]
+        macaroon: ENC[AES256_GCM,data:JSlovYowIe0C2jEFsIJci6+M1GYgbINdp0XkY58oOk1/ztyMnABSXcgZ73pEpLeUCvY=,iv:r2d5COTXL3gz9pb4GxuFQjM5DHsmwAfDy/eqlZyZJoM=,tag:yRn/OBcy1IqMvJQYD9sA6Q==,type:str]
+        form: ENC[AES256_GCM,data:sN24Yj5miXmUsvEmeSDOxFJxAetQdEJw+kEPNq+iMXyEexqEgoYBseH6kbFZwZAVrBo=,iv:ZtRkme3U1ofUBzT2J9SeRov1+rN5CrSi/ExKX7S5DNY=,tag:gGj8l5JXlzX+2sdHsLfQAg==,type:str]
+        signing-key: ENC[AES256_GCM,data:nmP8lwTAYGHc0LYcEj2AJE1XwSJBfA/NK+K6/0KGsufxwS1VhCXUWX9s3oEUPwuteTGZesaDVep1Qg==,iv:NcJEhlz6WgorViN2oiUG7kLy8N5kUzr5cD7Z4PRGdTg=,tag:WiWhIKaE5UQwEXunUokaNQ==,type:str]
+vaultwarden:
+    #ENC[AES256_GCM,data:rD0YOnSNf23ZjJhRWWia3+Zbpl6/cynCKlQQFhzaWIclHBk7YU3Z4E9J+YuWzlO8BM0bbp+zMxFGEFvbMrSHEHQ=,iv:PzQOCpSrjFb/aYn70oKrpb3jDy8rtZKPkLQ8qv0GMyE=,tag:wRfa4oHzAKD3BNYghIjZKA==,type:comment]
+    admin_token: ENC[AES256_GCM,data:oEIaHRqRIVQh+lSv+4p6G26bIKCtAQiw3t/C24C465THrwVa05D2Sax1IZ1JaHKgOmLzo8vxteBmJarARyC4kAnw2vb5bDPT1KCO/6u99mXhQyF3NY3FjmDwWHqTHHZT29dwAmtdFRz7rJQowLVqhBVQzNePdQ==,iv:QVAZ9JwwebqD7zxS8+Ai3K5V60bQbe+ewDc+JBXDMuM=,tag:vUYNlVf7ccooiBIXQWQC0g==,type:str]
+mariadb:
+    photoprism: ENC[AES256_GCM,data:JWeUPE1mb79IzyIsJime2yaBH+/yno2vbXAXO5E6Tx+al7bUlEH5JzYqz8+g8Jkiz3HhRNI4tcGUcVE7kkLgfA==,iv:ZJlIUGbEL/mGLWzjNEwgvzuzZZZrTy5D7e0eZ5+Ouvg=,tag:WY7/sUd2p2viKKDKsj1TLg==,type:str]
+    freshrss: ENC[AES256_GCM,data:/qt890Ly7zvuZB4Zn5xHLflc3L6Ex9JDa1BAinbG7OOkPGpnC83g8ivaQA3xL/CU1FRsm9V1OW4Bv2eN7VDhrQ==,iv:xQG5j3e4C7HWGct6gAET9uVUhGFv0BYVMLdL/1sj664=,tag:YaqjUNk7ybjfitrRpreQwQ==,type:str]
+    huginn: ENC[AES256_GCM,data:vbXI6k3IvTDgQNtKNX9VVJmanO6l+mLoOTq6djEuKfSQAO5UKMq9Xec2rsAibq4reKh503C4too3n2GU1Wo+FA==,iv:rSHmytVa2QWiZ1HH+8AOTOgimYcmPwo4fXgSSq7o+fQ=,tag:5DkdG0TarAs3cSsgPfFNJw==,type:str]
+photoprism:
+    adminPassword: ENC[AES256_GCM,data:X9af31Z4xGu8XJjMfsf3+whEdx96KHMyfJKO+5Q4q1nlnZD+cLjO8Lza2soO1fFndXcowRYsReUAzmXjH8Ffvg==,iv:LmH+JDA3YwydSNr8KbePPDga5ukGFol/BGrHNOZUxPg=,tag:T2HbUNcHnYD5c3GR5rnRmA==,type:str]
+nextcloud:
+    admin: ENC[AES256_GCM,data:mhTb6UPo3fIGlKPpER+Lcr2Jyv1nMk5jbQtxoN4txGJAFaJIhK+iAiZDZXBtOiysYqatcC2orJdgt9je8BAVWQ==,iv:G/uDlOGUt/F1GgxpIMGvVuFjcagVnHBudSGXZi3rrXY=,tag:hdE3Pf3G/xrnKaUkYO1WsA==,type:str]
+freshrss:
+    chn: ENC[AES256_GCM,data:Z4UmsXv1KiVfZMIQOEHH,iv:pF5lQLggkxm9y7taDVcp366JKp8U+8akNEdPA+Nf9Uo=,tag:0TajgUI/VgM3FxG1j6c/jA==,type:str]
+huginn:
+    invitationCode: ENC[AES256_GCM,data:JDN913i+zf6+obWxrNAbgx1NJGPyewRm,iv:lqnjbSk46J0ZJN6ccbbiCiOK92W8fj2mWRwQHKqy2dc=,tag:UYZesryRlfAMo7xhKQ7zgw==,type:str]
+grafana:
+    secret: ENC[AES256_GCM,data:1Wfq8QmhzKBObdktheFPySzXYlOJzHWbYYQXgn3beLOwSlW9f7bUn+wIrRoj1e8WlFJkAU2xywzjzzy/UwpSYA==,iv:/0YoHTs54O+cT6VVt1U5CYXr2qEdY2kijOlnMZMW4d0=,tag:SD/IELlcgfS7p9NBEa6D/g==,type:str]
+    chn: ENC[AES256_GCM,data:8R92k7RH1491u6lfQdM0U3SG8TPi3vWhZyj810XSjnA=,iv:8v6ijLHgoTPT6MGoP/lWB+UEZCCgOpvfskWCJJ63Udo=,tag:k9SHzJ9d54Rny3n8EbksOw==,type:str]
+xray-server:
+    clients:
+        #ENC[AES256_GCM,data:RIih,iv:1KQsPDpbG1A0NFT72tO6sSuQ84vfW07DST+/XzpNZvY=,tag:D3AHUPlCJGyVBbDalTHobQ==,type:comment]
+        user0: ENC[AES256_GCM,data:n6gIZGYdT6wEfKgizFvIE802AkpR8BpSPSZrQ5WP/aZWzLUL,iv:AxnwFOzmIRm3nTLpi8/4lkv+TjO4y4RZQtHO0GriD8o=,tag:nllDCaLZd6JNS2JqwvgVyg==,type:str]
+        #ENC[AES256_GCM,data:uhAauqQ1oQ==,iv:0Sr6YjarjkLmBq5H1ELb3SYBzrTVhqIE6qPxc9HYeKY=,tag:NvGGSY99Y7d3OTnpOr2p2g==,type:comment]
+        user1: ENC[AES256_GCM,data:EcEySx/n52rN5REPEWNjCuWywokvOetadbljqPpDPADTeeSk,iv:7r3CdvHJT1iZvx1Xn53It1ZxIkdLVIeQ+Q03zISm94k=,tag:8cIGZUlIhVgRc2FeU931kQ==,type:str]
+        #ENC[AES256_GCM,data:KuuPQQ==,iv:LGGqLFV4CnUMLWaNbHj6bRseetvdMdSOefV1FeYlJSA=,tag:wXlqKM2BuoMRZAwYbv5eOg==,type:comment]
+        user5: ENC[AES256_GCM,data:T5p0POx9Cnqdlp0blEYvAnRNIDOCNVdpOBR4rVQ1/07/rOCX,iv:EZx6ToeORzHoG+aEPi9oiTcwp4bOIAJpPUvemhYM96Q=,tag:aSS+RY5rEzr62mbE+JDanw==,type:str]
+    private-key: ENC[AES256_GCM,data:xz7xFt/g++E79bIl6AeBWATHDB+gHBIoXo5vdWTeyrAT1RtllgYie9k3Fg==,iv:x7fdmSINQA+F7a08jpuvCAg7vIZpsYaoX+EnitJMUCk=,tag:GAb/RRdAOlteIQPxeIMAXQ==,type:str]
+peertube:
+    secrets: ENC[AES256_GCM,data:OR3OA8qJsq1gAYiv1rShNa8eODzIxPOpVbqbnseSCMUNx4+FeOgReTLl7cXHPxbBkrJbsfEq5XYm1QtRtxotdw==,iv:6vz0ezsFuCNsBduNhm4VQ+it6oEJF/eMxktVFhdXgug=,tag:hmW7BwF9C53SAHhu2HBLYg==,type:str]
+    password: ENC[AES256_GCM,data:OaoqvUzWZz4LvVwZMbOSeq0mZyTqWT/E1Dt/N0XwEGwn9LLtarG/LrzV24BMS503N7NIxePVBK0jJCdbO7sI3Q==,iv:aaInNy3UmdF+aOu+Lzo7F0FvEVRbsn2XDwmYLNtYaFE=,tag:l/ONyeZJtZjS6IqwQgMs7A==,type:str]
+open-webui:
+    openai: ENC[AES256_GCM,data:5B1wPAOx3GsLDoYBKHWFzoyXFmn93fdcq6UC2rCt/P5zYLA4VNzfsp0=,iv:Y2gTLCmwB5wY4dhN73HRvTqSMVXbAEd+RjRbgUEuTeE=,tag:vcfNhXpG0C3twFBsm7PHwA==,type:str]
+    webui: ENC[AES256_GCM,data:Lg32DZ5GC+AYzWc4WloNMQlnpsqW67s5/kXzYwE=,iv:ECncgdYoLkX9GUOX26MXFSO8JOZahUDjTdKV87IRNJ8=,tag:J/5tTR3MI0iGIVDrlacYEg==,type:str]
+sops:
+    age:
+        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvaURzWlFQNUpObmtvaUd2
+            bVc2UXRHajFPeXR5eTNqQnBhaWVOTXRDSEhVCjJVREN5MzF2MXhMSGIvNlM0endj
+            ZGVhTUFrTXVXRTlvYThaRVZBWmwxd2sKLS0tIDNTME1EaHFKY2J2SWxrRWFpaVJ4
+            Sm5xUlU2TXpyMUJQWVpoRUdlTnVjOFkKZErjPuX3nNFc3jFPBX462qs9hwguyxUD
+            POxmT4DMCPAaEz+lNB+Qa03P3TYFJ3LfqTsO7QXO2f9113wFqF2lFg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1n4lhfwv7g0vhx54exmwx9yv2z04m3h2lunzpa5zdzgtcvjjuf5nqc36g8a
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxd2RzNEttTzk5cXVhc2RK
+            R3hxM1N4TmkyNGp0Z2ZwODZBL0RuMW1qNjFjCkI0N2FMUkd0eENPK0w4MWVJY2d4
+            NWlvUFdQbUh3SFIycDczZlg0ZEJMalkKLS0tIGs4dHlocTRseXRWYVFxMkdrV2x2
+            d0h3aDh5QXFZYWJFdmNVYnJxQ3pBeVUKTl0XVvtwJcz+RpSylgDPl/R8msInxvWX
+            eQGmrDHibeE1V+KSDiuNzC4MVRIrOnh1beHrhnVQ86HwPVgJqs2FoQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-06-09T01:35:04Z"
+    mac: ENC[AES256_GCM,data:q2BolEBB6Ik8yx6NHnnE3Wcl2rGVZN86dpfLJrrFOxWd8fZyfBQ/00v4dUZSZw0aQoMj1V2RBDyVtScuRiH0NVb6+RfX+0t3zTEf6guuJdurczLBz9+D51+Th3KE1uk+UjI7J+Q/TOWTvoGMj8P4XZCXQsCDIct/vbLGqNB9CgM=,iv:/6xR7KXXLejm9Iuqcxc/7IqLEckNhmaJTKzJGonSrng=,tag:XdeCoEkHefw2HqTGSchUJA==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2
--- a/devices/surface/default.nix
+++ b/devices/surface/default.nix
@@ -1,68 +0,0 @@
-inputs:
-{
-  imports = inputs.localLib.mkModules [ inputs.topInputs.nixos-hardware.nixosModules.microsoft-surface-pro-intel ];
-  config =
-  {
-    nixos =
-    {
-      system =
-      {
-        fileSystems =
-        {
-          mount =
-          {
-            vfat."/dev/disk/by-uuid/4596-D670" = "/boot";
-            btrfs."/dev/mapper/root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
-          };
-          decrypt.auto =
-          {
-            "/dev/disk/by-uuid/eda0042b-ffd5-47d1-b828-4cf99d744c9f" = { mapper = "root1"; ssd = true; };
-            "/dev/disk/by-uuid/41d83848-f3dd-4b2f-946f-de1d2ae1cbd4" = { mapper = "swap"; ssd = true; };
-          };
-          swap = [ "/dev/mapper/swap" ];
-          resume = "/dev/mapper/swap";
-          rollingRootfs = {};
-        };
-        nixpkgs.march = "skylake";
-        nix = { substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ]; githubToken.enable = true; };
-        kernel = { variant = "xanmod-lts"; patches = [ "surface" "hibernate-progress" ]; };
-        networking.hostname = "surface";
-        gui.enable = true;
-      };
-      hardware = { cpus = [ "intel" ]; gpu.type = "intel"; };
-      virtualization = { docker.enable = true; waydroid.enable = true; };
-      services =
-      {
-        snapper.enable = true;
-        sshd = {};
-        xray.client =
-        {
-          enable = true;
-          dnsmasq.hosts = builtins.listToAttrs (builtins.map
-            (name: { inherit name; value = "0.0.0.0"; })
-            [
-              "log-upload.mihoyo.com" "uspider.yuanshen.com" "ys-log-upload.mihoyo.com"
-              "dispatchcnglobal.yuanshen.com"
-            ]);
-        };
-        firewall.trustedInterfaces = [ "virbr0" ];
-        wireguard =
-        {
-          enable = true;
-          peers = [ "vps6" ];
-          publicKey = "j7qEeODVMH31afKUQAmKRGLuqg8Bxd0dIPbo17LHqAo=";
-          wireguardIp = "192.168.83.5";
-        };
-        beesd.instances.root = { device = "/"; hashTableSizeMB = 512; };
-      };
-      bugs = [ "xmunet" "suspend-hibernate-no-platform" ];
-      packages.vasp = null;
-    };
-    powerManagement.resumeCommands = ''${inputs.pkgs.systemd}/bin/systemctl restart iptsd'';
-    services.iptsd.config =
-    {
-      Touch = { DisableOnPalm = true; DisableOnStylus = true; Overshoot = 0.5; };
-      Contacts = { Neutral = "Average"; NeutralValue = 10; };
-    };
-  };
-}
--- a/devices/surface/secrets.yaml
+++ b/devices/surface/secrets.yaml
@@ -1,36 +0,0 @@
-xray-client:
-    uuid: ENC[AES256_GCM,data:WEBAH3PQM5ahNpH/kvTtcjcJ2GllmmRlBR2oclG6AimGenSg,iv:TMp0WTOe9fuELSZoVGenl5XSZUFoiYUBEMWMn4NFv1g=,tag:GJTE0EELcZkrnGAKLYer1g==,type:str]
-wireguard:
-    privateKey: ENC[AES256_GCM,data:P/tyZHaEAahZUBF22dJEZb6mACm/wmUunPDG0vS7SNW3sWbzxRSut0haR/g=,iv:8VMv5iotmDrYDLiszcOvJHkD8l6uE+SboPSILr6KuzU=,tag:U/FIBhvghwDTvFtUWEqr4g==,type:str]
-github:
-    token: ENC[AES256_GCM,data:SyqrpFfy+y7syReWs0Bi23651ew41Us8aqjImBTzkDanOtWQgIYC6g==,iv:H3Y/TuP3VvZv6MlRAdLOY0CiNUeoqGZRNg0s58ZSkQ8=,tag:rSf4E8Whvue/LZ+VlSqDDQ==,type:str]
-age: ENC[AES256_GCM,data:KEaMrk9eldR6oCqNqSpwhbJKj+JrN1KBkDL5p9itaszGf4tnDRidcleCQi1Ae17osYXIEh4+OxX/d6RKb9TP6JMLJe0iq6c9sC8=,iv:ztiP2Vz4AFZkd8ZG7xYlqYrV3JZYvmX07Ez6GtJ6yp0=,tag:PS8oSkkrrpgYYVfjbTtkaQ==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzV1pvWkVGSFg5TVAvRlhu
-            TnFnMEszcDRWWHlQanAyRkRpQWdqQkdhTzFvCjBqUG4xNFBiRnlSeTNQSmdkVkdD
-            UlVCQjRFVExuZHdrSnViajZGZ3c2dWsKLS0tIHlQYU5VeGpEQzllMmxLSnJZZzZx
-            N1R3Mkhxa0dOVlJiU0V2OEZVVzZVMFkKae3c1axl22uxh9wMygAHs6q1WA5ImOS8
-            uzKSthWSqtC7DMqgUFaaSjBYM2TN3l402syx71xVFyyAmCcGZbbJcg==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1ck5vzs0xqx0jplmuksrkh45xwmkm2t05m2wyq5k2w2mnkmn79fxs6tvl3l
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCSHJVRGIwQUFpVER5SWxq
-            YjJOT0lXN3dFOFpjMFlWV3JCbmZFN0hnNEJBClpQUEczK2RWTGlVTmJRbVZaUC8y
-            bEFrL1RjTTNlYVNnRVRBZlRjaTlnUEEKLS0tIE5GM01pTGFFcWVVSWEvUHE3Z08r
-            a2xybTRFUFZZN20zajZJTVNwVEpGcEEKglmFMk7z1q5IlZ+lZf9M0HtknmvcYt/P
-            2/z5e8wLN1Hy0Zsbv0yIL/NmqwxAOGJOdzz7ElJszk/Y4kUr9aRasg==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-09-01T15:22:09Z"
-    mac: ENC[AES256_GCM,data:Br2+miNeZI41QyTXdhJ5Mdwq5no/d4kJgESwiltcRZV/Pax8R+GFeLDg/AQFoh1fLHU6bTX45SN0wnIrIeCnkoXV0U2RiT7bdtBaDrGxqnFvjMVE0VaUrj9bpagta13tahsEfI17cyUq4BqwS4BXx60RXvbvs9jZ5/dfpYunGsc=,iv:FfWYfS40XcFgF8lEYK4IHypLzz7svFxPL+WuudQm3oA=,tag:0KDBdf7w6BdcQ8Qt3k1isg==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.9.0
--- a/devices/test-pc-vm/default.nix
+++ b/devices/test-pc-vm/default.nix
@@ -0,0 +1,23 @@
+inputs:
+{
+  config =
+  {
+    nixos =
+    {
+      system =
+      {
+        fileSystems =
+        {
+          mount =
+          {
+            vfat."/dev/disk/by-partlabel/test-boot" = "/boot";
+            btrfs."/dev/disk/by-partlabel/test-root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
+          };
+        };
+        nixpkgs.march = "znver4";
+        network = {};
+      };
+      services.sshd = {};
+    };
+  };
+}
--- a/devices/test-pc-vm/secrets.yaml
+++ b/devices/test-pc-vm/secrets.yaml
@@ -0,0 +1,26 @@
+nixvirt:
+    chn: ENC[AES256_GCM,data:0llBtdnPLl8=,iv:0w0huoNCvIiaL77Thj1iAwRY5edDlN7I4mMwiNKCzOc=,tag:Eh1b7dymn7jQtL5/rsxC1Q==,type:str]
+sops:
+    age:
+        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTcldLRERrOHdadVA4RXdQ
+            dmsxL1o5aDdJTitqdXBzRWxqVmZKUzFtTlUwCnc2a1N4WUNEVUhsSlFuSExjR0Rl
+            TlFnNjVpUkpmbWdxYW5oblk5dGQ0THMKLS0tIDFBa0FKQXBPYThFTUwvd2tIaU9p
+            TERYVkp3dkUxU2ZaTnFRamRKclRRa1EKosUuvJXekUIxIHL8s/QuZf+hCXQS5dMC
+            HqZ74f/jvIW8i/Etu29VtK3n8MD8W1EenhJjfxOvhpRpLpzQP2GImg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1vgqvdqqe3mn0gvh0hydvu9c5f9yn5vek08cagyvwjhyta6utpvuq00g9c2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMK2F0R1JRR2t6NDhXVnVD
+            Unh5QmxDaGJtWmhsb1ZDRkMzUlpSeU9GL3lNCkU0ZVYxaWs3MHZDQlNHS25WMTl3
+            VVVtQUlxeXNQNVQrSTdSbWYzSmlPVGMKLS0tIDlyRm1tYlR3WU9ISjc2T3BSY2FP
+            Z3h2QWh6eDB6L1krbU9SS050dUhEamMKHnvdCmLuhuIfeBRs3LJ6IEatqrlMJNnc
+            vhPTVgfn+M8dGo+odTTwlvr5XGzE5cMSxGtdSE33JsbBFfVyaPCFjQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-05-16T05:29:11Z"
+    mac: ENC[AES256_GCM,data:s1HBVQUDbYP63EntEXe/+9mqFj2zGEtx3ibFauBYmjJvtvw2hs44ODNebMxjasT8zTYICJWWZJxwMvpUs/CbcmSjPAXTV8379lzlOmG2wZLezF+9jWdJi3ZDvM9Y1D0/4GnaIRHof/+kPn/ykFE/gQhP5PQ4OtoV+VTR2fuwDaA=,iv:TUTM8tyZxiAjU3afazfmse+LL53hrSFSCIX4KIDyQq8=,tag:Vx4GsOPAXaZz0rEjsJS8sw==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2
--- a/devices/test-pc/default.nix
+++ b/devices/test-pc/default.nix
@@ -0,0 +1,50 @@
+inputs:
+{
+  config =
+  {
+    nixos =
+    {
+      system =
+      {
+        fileSystems =
+        {
+          mount =
+          {
+            vfat."/dev/disk/by-partlabel/test-boot" = "/boot";
+            btrfs."/dev/disk/by-partlabel/test-root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
+          };
+        };
+        nixpkgs.march = "znver4";
+        network = { dhcp = [ "nixvirt" ]; bridge.nixvirt.interfaces = [ "enp1s0" ]; };
+      };
+      services =
+      {
+        sshd = {};
+        nixvirt =
+        {
+          subnet = 123;
+          instance =
+          {
+            chn =
+            {
+              memory = { sizeMB = 2048; dedicated = true; };
+              cpu = { count = 4; set = builtins.genList builtins.toString 4; };
+              network =
+              {
+                bridge = true;
+                vnc.port = 15901;
+              };
+            };
+            chn2 =
+            {
+              owner = "chn";
+              memory.sizeMB = 2048;
+              cpu.count = 4;
+              network = { address = 3; portForward.tcp = [{ host = 5694; guest = 22; }]; };
+            };
+          };
+        };
+      };
+    };
+  };
+}
--- a/devices/test-pc/secrets.yaml
+++ b/devices/test-pc/secrets.yaml
@@ -0,0 +1,27 @@
+nixvirt:
+    chn: ENC[AES256_GCM,data:0llBtdnPLl8=,iv:0w0huoNCvIiaL77Thj1iAwRY5edDlN7I4mMwiNKCzOc=,tag:Eh1b7dymn7jQtL5/rsxC1Q==,type:str]
+    chn2: ENC[AES256_GCM,data:vlvFNwMfTMg=,iv:DKgX3DCvkfADF/Pj31bRTx/dfTiMxv/JaeN76Kppob8=,tag:SOioaCz/CvvLn2jB+08THQ==,type:str]
+sops:
+    age:
+        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2SGQ0R20zci9aU1l4d2Fs
+            YkRZQ1FGUW1vSEd3S3FBdGlSTXB4dW54UVJJCk5MMEFZSzdYTFRQL1FRZUFWTXFh
+            cC90bUx2dkdHUFVoMkhyNjR6U0w1QTAKLS0tIDZHZE4yNlV4cFBTVGN4c3VYZXZ5
+            enZoU21MQ2VJbHlhSnhwUkNXZjV6OXcKzvdz1TNs/PDISx+QSi6cJ8vWNtZo4jfD
+            qsrwpxvHou/wptLzYg5gXQuXB0izpOW/AtqA1XqLcTUbLzcRhqFvMg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age17a8y4yr2ckuek67rt786ujuf7705gvj3vv6ezktxxmgayea9zcyqet7hgc
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtWUJVZmdVbWxXck5EY0tR
+            cFRwZTlWVVpObjFneE95bXNPSUxjNE1DTlg0ClNQRy8yVmF6QWxuY3RGLzdJVEE4
+            WXEwb1NGVUlJWFRqeWlyN1J0eE15QnMKLS0tIENRQWJ0VXlzNHV6MXh0QUVRZlJu
+            RFFteDMzeGltVER3QjlpdUllZVNJS3MKyOMAu5xYr1z0YlNDFvaE4l4bposMTPUJ
+            K13yerfRBxDlOrMhG/lSovusBPkmS3HejDedGgYi1WMvgLuOkNWZ2A==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-05-18T01:55:44Z"
+    mac: ENC[AES256_GCM,data:wGHagytOT30EgjPezkaLXrqml/tn8oMzplYgThb9JbnXJzpCMnZnXeAlnRW/zdXY+Vt+kRfGCm2W/3sif5wB+gu5DCIeGC6OZy9brMVIQLceQ6Wp7IwPTDjMIGYtqe+T3QX6LFAMPUVZOHNBL9eRdO27G2TGP1ojH69MwNt4aQo=,iv:Rn26bQ8crsVFbLAxPcvLeQWwRP484rS/UFnmg8xeTwc=,tag:zs4S6VPNKFUZU6xxC2rIuQ==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2
--- a/devices/test/default.nix
+++ b/devices/test/default.nix
@@ -0,0 +1,27 @@
+inputs:
+{
+  config =
+  {
+    nixos =
+    {
+      system =
+      {
+        fileSystems =
+        {
+          mount =
+          {
+            vfat."/dev/disk/by-partlabel/test-boot" = "/boot";
+            btrfs."/dev/disk/by-partlabel/test-root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
+          };
+        };
+        nixpkgs.march = "haswell";
+        network = {};
+      };
+      services =
+      {
+        sshd = {};
+        nginx = { enable = true; applications.example = {}; };
+      };
+    };
+  };
+}
--- a/devices/test/secrets.yaml
+++ b/devices/test/secrets.yaml
@@ -0,0 +1,30 @@
+hello: ENC[AES256_GCM,data:y6Kl7kHqgft7T1eiFEeIppvosCACIcVWIQm6TzjS6RgUkJEg17GEZFRy2zTvVg==,iv:wChah8rTtEkkR8pRHO9NdhaGBwsTrrP+tPp7k2SOdn0=,tag:jRdYgJoKz+Q+/m8l/03JoQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTcldLRERrOHdadVA4RXdQ
+            dmsxL1o5aDdJTitqdXBzRWxqVmZKUzFtTlUwCnc2a1N4WUNEVUhsSlFuSExjR0Rl
+            TlFnNjVpUkpmbWdxYW5oblk5dGQ0THMKLS0tIDFBa0FKQXBPYThFTUwvd2tIaU9p
+            TERYVkp3dkUxU2ZaTnFRamRKclRRa1EKosUuvJXekUIxIHL8s/QuZf+hCXQS5dMC
+            HqZ74f/jvIW8i/Etu29VtK3n8MD8W1EenhJjfxOvhpRpLpzQP2GImg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1vgqvdqqe3mn0gvh0hydvu9c5f9yn5vek08cagyvwjhyta6utpvuq00g9c2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMK2F0R1JRR2t6NDhXVnVD
+            Unh5QmxDaGJtWmhsb1ZDRkMzUlpSeU9GL3lNCkU0ZVYxaWs3MHZDQlNHS25WMTl3
+            VVVtQUlxeXNQNVQrSTdSbWYzSmlPVGMKLS0tIDlyRm1tYlR3WU9ISjc2T3BSY2FP
+            Z3h2QWh6eDB6L1krbU9SS050dUhEamMKHnvdCmLuhuIfeBRs3LJ6IEatqrlMJNnc
+            vhPTVgfn+M8dGo+odTTwlvr5XGzE5cMSxGtdSE33JsbBFfVyaPCFjQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-05-10T03:54:30Z"
+    mac: ENC[AES256_GCM,data:JMr6ybbOk7tDZKUo11bd0xwUfLUuE4DIB5sYOCEVuaXLpDirgMgNSQgayqnnYDLOC7kGA7wDbbcxWhdaT8TcyYwdeha3SgA9mjkruPtOZ4R+ozfLDeqa59h2P+xronaOCDdl9G2JbhLA+k/S2ImBP43iPbcycJViSQs0RrntMxY=,iv:3ZILO4L01r4I2SJWOxe4pp9XLWo6KPPl3t/IbIf07+8=,tag:jhf73Y42fOYmeQS2oA0qSA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2
--- a/devices/vps4/default.nix
+++ b/devices/vps4/default.nix
@@ -16,29 +16,18 @@ inputs:
              "/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
            };
          };
-          decrypt.manual =
-          {
-            enable = true;
-            devices."/dev/disk/by-uuid/bf7646f9-496c-484e-ada0-30335da57068" = { mapper = "root"; ssd = true; };
-            delayedMount = [ "/" ];
-          };
          swap = [ "/nix/swap/swap" ];
-          rollingRootfs = {};
        };
        grub.installDevice = "/dev/disk/by-path/pci-0000:00:04.0";
        nixpkgs.march = "znver2";
-        nix.substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
-        initrd.sshd.enable = true;
-        networking = { hostname = "vps4"; networkd = {}; };
-        kernel.variant = "xanmod-latest";
+        initrd.sshd = {};
+        network = {};
      };
      services =
      {
-        snapper.enable = true;
        sshd = {};
        fail2ban = {};
-        beesd.instances.root = { device = "/"; hashTableSizeMB = 64; };
-        xray.server = { serverName = "xserver.vps4.chn.moe"; userNumber = 4; };
+        xray.server = {};
      };
    };
  };
--- a/devices/vps4/secrets.yaml
+++ b/devices/vps4/secrets.yaml
@@ -4,27 +4,43 @@ xray-server:
        user0: ENC[AES256_GCM,data:o2wxpSzoqsPxs6grgYRLtPutMVwSqtzUWBrj7+7QuWWd1a1z,iv:2/5SxXq8Iw4J/LzBeclHbkrZXHitguip0WN+MINym8s=,tag:v/3oly53ORM9XAwbOzp06g==,type:str]
        #ENC[AES256_GCM,data:0nHZmEPPaw==,iv:BtOZ8/U0yg3fthHrwerNQX3+KD/H9+fcUylYGnZqiIM=,tag:DkFGSFfq//LmWfg6DGm1aA==,type:comment]
        user1: ENC[AES256_GCM,data:7ev7GuKLeJbPReMy0FnX02fLv5nNCpxdzfnQyAA+/IviwDMQ,iv:YbESsyIAiEAyvrHnj9A4lITX7NtRkuRhCrTv6hoG9Qs=,tag:8uledxLXqpXXLBh+cczm4g==,type:str]
-        #ENC[AES256_GCM,data:3KN/1hzeR2I=,iv:iaqJJD6iURTUlIL8e8P7fsAzJYo+y3NGZXgWmPX+4ao=,tag:e8g/JgVrMrWJamUMpiv2pQ==,type:comment]
-        user2: ENC[AES256_GCM,data:58PnLCwDayOYinsPCYPeMvuKiF7b4tZtbmEJFWEl+2Nu6HL2,iv:hSv3jCtkLm4rrm/4+ot10CBhobGwtnK5db5wR1S/XrU=,tag:SQbynYp8pDSqj4tAK6JBMQ==,type:str]
+        #ENC[AES256_GCM,data:4Y00hDJ+8Hjq3Q==,iv:XWZYNC1T5B55B43tcuzzvOOFtHqZJ9XDuEaYQOO5cR4=,tag:5oNFsqUtSiv8CY6aHyGjNQ==,type:comment]
+        user2: ENC[AES256_GCM,data:MRMdc7LRYqgRsfKKW6LnP14g3JoFT6g7jzkXW8gIAeqypyoc,iv:tfPBD2FkIljz3xasYNJsj3vh2lEObrvSZ95FyCgWcTs=,tag:B1PQpyX24DqrPscL/pjZmQ==,type:str]
+        #ENC[AES256_GCM,data:gGd3kkNcyIwOXg4=,iv:vILDvtdvopPM8lZDDpedvtXYHpoPvPn1A8AJca41r9A=,tag:2LMImcmdyPKsQDloq7041Q==,type:comment]
+        user3: ENC[AES256_GCM,data:+KUVcqy18t6Fd+QNgB5DeZkNSA6lsjebO+xnzxzIjWuZ9UmS,iv:qugbmBv9jk1yfH2s0A0jla0DR3jkdXLVUeWGcj6v68U=,tag:4FUf/guDzPqgDcb1086WTA==,type:str]
+        #ENC[AES256_GCM,data:jCgKe0t2xQ==,iv:UE48L/JpobN6LUd6Z9RlsUGSJ1sHHgiL6xj8lPztwJc=,tag:xnwWLQm+GIUzsfBO/TXhrg==,type:comment]
+        user4: ENC[AES256_GCM,data:3yrdvbcH/ToAQpTLppSVp2FNGjatyBInKP85bAY9OrEtzhhQ,iv:4zvb1nzKjrCNWWKelOnDhsNBAC7Ak6ZpJlvQKqGJrgc=,tag:dBOTBJDJhJsKHKg/vGmpxQ==,type:str]
+        #ENC[AES256_GCM,data:2ptsDQ==,iv:dEzyk6NQcFZQPx8h/ViCqtRaQ/8dfMTVKBq+iguk6nU=,tag:11SLIAhtcHja4G9HUXr9Ng==,type:comment]
+        user5: ENC[AES256_GCM,data:NO9rpzFkySistf9++oXpo1tBaa4XtPtcCGR+2IWmhQYEH/l1,iv:OG+U0avgo9mjmU3soxRNL71ZC7Ee4ijpsJMRn3jYvhw=,tag:QuBFX2KHgNJ+f3RwqEH4+Q==,type:str]
        #ENC[AES256_GCM,data:uTZDsA==,iv:6cxvQycfji/x+DW1CnO45r+yNTLwkhYkiJwDaSpUCwo=,tag:8pMw+sYeOyZBN1idHoM9+g==,type:comment]
-        user3: ENC[AES256_GCM,data:WCVr0ylGm2SHtOGulb8TD/cI2xJXrbvY1d6+STXGxf0d0izb,iv:vhNshb38AVpwKCFRwUVruCQ0SxhHrOmwQ+IoQZeUj1k=,tag:OfdIjRrTAuVZBOEXTtnrQQ==,type:str]
+        user7: ENC[AES256_GCM,data:Ie8M385wtRx8bWIdCupnda799kL0OLBsWdk9pHTY7IxxaZbn,iv:OrRYOkaC9uI9E1Eb8GYqmYr9VAUM895oO8NSdvxUPCQ=,tag:NZTUE4KnUjhg/auoALavTA==,type:str]
+        #ENC[AES256_GCM,data:Wwq+ypJgx6OcXA==,iv:dSvFz4I5tFx+ZVClxNGKwcbIQe7OY43OzAhqRiDK2TQ=,tag:CYUs1cJ/zqc+Y0yFec7Upw==,type:comment]
+        user8: ENC[AES256_GCM,data:2GyFDXIiAN3mTobwnY4czV2Egoin3B5Ih+aet3yT+krPTkPq,iv:NwrzO//HXwKMudgD+yK1hsj9o71RG6BfBle3logvuLE=,tag:WWpioPsnhHvVSrzAmN16Sg==,type:str]
+        #ENC[AES256_GCM,data:vVz6E2juGqXS1Q==,iv:9itEkwMsW8cqSzwV2EZtgJVgaW7aJJ5fw1rLuKFwiKM=,tag:9hRADkot8kELoYAgd6Dz7Q==,type:comment]
+        user9: ENC[AES256_GCM,data:HgSVrry+nKGW9X9N6h8hsI9VETKtSEi+/ZC9QvNZW4zETQxt,iv:ERgmCDPBpboA/+Sxeq6BvWoMxsv3Kkczqb/mbXz9pOk=,tag:bklzRg9toKy//6T8xdtbRw==,type:str]
+        #ENC[AES256_GCM,data:2sHxXec=,iv:aA61+cmDw4rHab7RuRRK3eUDx5d6gpmfw4RpQ6Nd0mc=,tag:H9kovJyn3Te3ir9X234VGA==,type:comment]
+        user10: ENC[AES256_GCM,data:CqrwaZp1fHd/WEGQH3xWI8DZ2/AavCqwTtwZeHmnrct5yoD3,iv:IBOHGQlw+uQt8Ryp/mCDcglfSPNXvvHOjNnrT+7nOHQ=,tag:tEkGEtPaOBK+P3LrQzOLsQ==,type:str]
+        #ENC[AES256_GCM,data:Rw4BWXZutQ==,iv:rXe2i1G/xQkpBl0wh6VIzaNoidCc3JL4sy6v5hcOF/M=,tag:2tZyH8B0ZL7XptKHk6TcAQ==,type:comment]
+        user12: ENC[AES256_GCM,data:CsbquwEn+iOKCzda8z26FYk2i5aPk2xzqGIYORiD4lotvnFE,iv:zHPmlT4LAc6NDjXrExze23dZZFIj0c1eR4WW74cu+qs=,tag:5MDFrZNgv54mK05ImSvpkw==,type:str]
+        #ENC[AES256_GCM,data:vqYkwGVcQ8yZbA==,iv:1ckVSiAgjuT/K0MuVHe8D2hHE7X2qxCHpb+y6nrFCsI=,tag:so9oFl6bXlJT2O+prplazw==,type:comment]
+        user13: ENC[AES256_GCM,data:KUraqncs8iPr7z+COfJ1z0TLNLlgctxy8FCav95+kkVXtStx,iv:Uv90bnVmmQh6f9pKOWmEKCul5VPxF7rrQ9GYrsCGPp8=,tag:I0r5o8xIYuq5/MIXSOHT3Q==,type:str]
+        #ENC[AES256_GCM,data:F2x+2zrePYDkCA==,iv:aTMeqvGVI43xLsN9submgciiJEjY4hYypJ9RJLIBYTE=,tag:quKW+MATVzRw1bda2jGjdg==,type:comment]
+        user16: ENC[AES256_GCM,data:BjnUUnNyqUvvPbfa1CeYvcVbMOwz6/Em4YhxRgmlicOSwro+,iv:LULwzjV5PRihTHNZFJ21IrDG3rW3qX4CYwF4Xu1KdZg=,tag:pZAI4OEx24d6h/h9JyQ/hA==,type:str]
+        #ENC[AES256_GCM,data:aka1O9hn/dZX3Q==,iv:rWik4cYtHY/Z3xQ0p/i49zTXVmKEQDV4OMn12UaQr3Q=,tag:hPm4bugH9RAtsykj0BJ0Pw==,type:comment]
+        user17: ENC[AES256_GCM,data:URZqRUDtG5FDrZDsmI7CFn4ilp97GJtgaVVB+j0dRUdtVGoq,iv:iUkcr6Oo29y5PIGF/GJRltn5DD19yEcBIsJAaYs43AI=,tag:gzSsjeQxvjvfFVkDHPkfvQ==,type:str]
+        #ENC[AES256_GCM,data:JkMniTrakuonAA==,iv:V5KmQL+C5O2mb3ktlm1ITjLaa1NxToQlyToqYbGme9U=,tag:UTZm05uyb5j0Pf9vuxyIxg==,type:comment]
+        user18: ENC[AES256_GCM,data:fFtnkBnaOktHaIfk7dN2U73UkloToiLvP3Pg2VAqPzvTE49h,iv:DZrba7RWmaeOQsqh3Kq/IuFS9so5u5ItK5WwV/65FYE=,tag:v+pOozYvrJJIsj7A/a3S/g==,type:str]
+        #ENC[AES256_GCM,data:gR0WsUYdBZBWjA==,iv:rnXZQaDNu+cEzneEa6/2pO+qUXl/fut8FJ3n90A6ATs=,tag:azNGPfWv+ZgOU/B5PMCVZg==,type:comment]
+        user19: ENC[AES256_GCM,data:S8VSoBIR/RqwctgYPtyIPEK2hXLr4LZ/jJvvFHA6CGgp9/Ff,iv:8eLCZEaiquwZyswwLkLoJcl7UPWTVYmQqZ2egAGFWWM=,tag:VgJiSt8eRcRhppMXkAkmKg==,type:str]
+        #ENC[AES256_GCM,data:vWW1bNyENgcspxI=,iv:xXCrjHyxVtodkVu/wgy1OrHGGm20nEd1iyparWcycYE=,tag:FRu132btquzXkiLXlnq1Iw==,type:comment]
+        user20: ENC[AES256_GCM,data:Wux6pzwor0B1A9d1y0QEpcNnYn1pObloHxghSONHcsQ266/7,iv:jWSuswV6vTQdL764I/zxFC5gkFOa5Qwj54rggmmZX7I=,tag:4hmqBTn0T3a6Sjt9lofwbg==,type:str]
+        #ENC[AES256_GCM,data:IJWHWxbhy+gxhxk=,iv:HzMi211JiVfHUhEJm+q/K0tCjUEXDhollUf8Bm+HVA0=,tag:P22Q/h+DUhhJayZftcvVfg==,type:comment]
+        user21: ENC[AES256_GCM,data:0X5x3SATZm25kVf8cu7TGm2t95DneLAqhP16fRQCtROzyZyg,iv:dmlwRmubnRq2fNdNz3lVlAVYpPjVHkFm60IvPcajjds=,tag:eDJYYf3eRw+FxfaHiRDk5Q==,type:str]
+        #ENC[AES256_GCM,data:O3ovvRYzFrQY,iv:/Zs8e6u7wdp18AacZ3WWBvn5PDtXDnQ6ZyqLiyYmvAY=,tag:HmhKBI3aRCIR34vOEnv1iA==,type:comment]
+        user22: ENC[AES256_GCM,data:ee0naewdOjIxA0QEpmUyOSu++sUJQneEufhJBHiyOR7jAPTU,iv:09fZ0dLUZHp9wM2lCiIcTzFey2AkWBmnUCfq8W3FM6Y=,tag:dHBVo/Ok3Q9vy1pIbWC1Kw==,type:str]
    private-key: ENC[AES256_GCM,data:akNIeVp2bfKvnzlS6KLAdqAo7qsGfPatzCZpN1tNRLhRVXmJCcUDVSmVoA==,iv:2Rny8ioDJ2x+NR+n7/Aluv7JZ+Om3MuJKsXiwONYntg=,tag:a3xubIr7hpVjRiHjFL/q5Q==,type:str]
-acme:
-    token: ENC[AES256_GCM,data:JBeN7SVxKGOe6er0eS7/v8YrXdv0nCK/KZc8Ygq0G7FIGu4hO662kg==,iv:rf59MgUCYlAA5h18wtdWoUyb2VPB13OPuJjz1VsI2dU=,tag:ViPrwduD8aWf8i8vmBG78A==,type:str]
-nginx:
-    detectAuth:
-        chn: ENC[AES256_GCM,data:lQHDpv8/Yl5/nycHoeTnCw==,iv:ernNxRpcTOSAllDpqRFVFg3qEw/slEEPPXDFq1AhNL0=,tag:2AVALUf9cDyOgCqI9wwgQQ==,type:str]
-        led: ENC[AES256_GCM,data:zyCiiH21,iv:iEYyNClDsCpWE2oNjt2NqQZ88xOOlMr0yycjKTPdmlw=,tag:kQfbshXfTBA5PtUAgpgCcA==,type:str]
-        chat: ENC[AES256_GCM,data:pXu0WPWmvUzvl2expDpQPqWwi1A4abg72npsaYXDXRcg6aVU0Ec+tgM2+uz2hT9rh3mNoBxadYXDc/zeOL1UCg==,iv:iln5UGGBK2s5pGS03PtolWTkx6KrnYBAWCFnI0V2Bag=,tag:EahTDoPIBkgWnp4MOoTCmw==,type:str]
-    maxmind-license: ENC[AES256_GCM,data:8OioibcXQ9IZ0OQhJ/zHSBQjfdHzkoqwUx5zR8Zq0atNw6SSf7vKrg==,iv:z6WTI2yeqP0h7EqKG114nRQpFVJlNzZspgS6gIFtpt4=,tag:a0dBt9pXJnncBiSKt9dsAQ==,type:str]
-telegram:
-    token: ENC[AES256_GCM,data:Si6yTh48HpA8OkkkvgHwtJYFhF8tW3oaQbldjwBc09QJxp9AoKgASMnZtbDZYA==,iv:GrNyZXjaZMviSjy/LGHHrYTr5PFvDkCXmT3MU4+SLpc=,tag:YifB1tKFLqsgXB/YLqYK4w==,type:str]
-    chat: ENC[AES256_GCM,data:ydPky0W4ZWqn,iv:uWQrZDz2GCxiKRaijM89Npt0fQeSNHbQzDefkZCkUAE=,tag:OJQwV/889Vp2/4wjbN41JA==,type:str]
+wireguard: ENC[AES256_GCM,data:3h+cpSHULgwlI/zOI0IL4t4diDzm7qWW1sOWZqkFRWCB0CAfGyydGNlZkqA=,iv:pVpmw0aEDssQSr724h9NvJqFMHu0NupDfCSt1RWVnUk=,tag:fonuszujTzeo2HqO1OokEw==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
    age:
        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
          enc: |
@@ -44,8 +60,7 @@ sops:
            Ri9hM3NRTkM4Q1lDdmdPemEweEFBUmcKNLL5qH+JeFWX0GovkPFVVAnz+4tmfG6/
            1jN8YqbMIxf5/L8tauXPf0iIiHa6pUcjtDZPr/OEmeXebmF6Bh9u9Q==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-25T03:19:55Z"
-    mac: ENC[AES256_GCM,data:v6yb7ZYcnPw/8SqEJnSWzmlE17PenjnBH2X8HZp+kIDXzNFyNvD19FcbCBZjwyjBLvN1ZF4M9FS7Y4+CvvMrN/4JcFufcY/V1NrOd8IZisfAT5N3WuopPee4IN9WEyPVOsbFnesZo6/wJKuqlV1UR8UZxCd3/wHXob9Lkz45cBw=,iv:XKIUiRfP0lj8V/Z1HbvhBankdcAjQqM8Way6TWjJJMY=,tag:PLYsVj6BmR132oWsxEKnfg==,type:str]
-    pgp: []
+    lastmodified: "2025-06-09T07:42:38Z"
+    mac: ENC[AES256_GCM,data:fQm8aI6KdoJVxcl4MQP7Q6EZVqmmLFo9A3Hjo/tKZA+VOYvQWFBxIKwy5Cj0SBi4pWsSjwG6pJZ7m6Wh/dDK4KlgkoaXgAYj+efHtScOH5Gkb0sTpAkHNL+/CJ/cO1doXiXRGj47fn1QB9o9WBaomtOWQbzDts4eFs9pdm8TAq4=,iv:91Ilig4j0ELHEatTY7ALKwwr8AzYnRwhKbdWDcufZF4=,tag:UfwaudQTNKu+uryCZjo3mw==,type:str]
    unencrypted_suffix: _unencrypted
-    version: 3.9.0
+    version: 3.10.2
--- a/devices/vps6/default.nix
+++ b/devices/vps6/default.nix
@@ -12,32 +12,21 @@ inputs:
          {
            btrfs =
            {
-              "/dev/disk/by-uuid/24577c0e-d56b-45ba-8b36-95a848228600"."/boot" = "/boot";
+              "/dev/disk/by-uuid/0067ef91-06f7-416e-88cb-4880ce04afa4"."/boot" = "/boot";
              "/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
            };
          };
-          decrypt.manual =
-          {
-            enable = true;
-            devices."/dev/disk/by-uuid/4f8aca22-9ec6-4fad-b21a-fd9d8d0514e8" = { mapper = "root"; ssd = true; };
-            delayedMount = [ "/" ];
-          };
          swap = [ "/nix/swap/swap" ];
-          rollingRootfs = {};
        };
        grub.installDevice = "/dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:0";
-        nixpkgs.march = "sandybridge";
-        nix.substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
-        initrd.sshd.enable = true;
-        networking = { hostname = "vps6"; networkd = {}; };
-        # do not use cachyos kernel, beesd + cachyos kernel + heavy io = system freeze, not sure why
+        nixpkgs.march = "znver2";
+        initrd.sshd = {};
+        network = {};
      };
      services =
      {
-        snapper.enable = true;
        sshd = {};
-        xray.server = { serverName = "vps6.xserver.chn.moe"; userNumber = 20; };
-        frpServer = { enable = true; serverName = "frp.chn.moe"; };
+        xray.server = {};
        nginx =
        {
          streamProxy.map =
@@ -47,14 +36,11 @@ inputs:
            "xlog.chn.moe" = { upstream = "cname.xlog.app:443"; proxyProtocol = false; };
          }
          // (builtins.listToAttrs (builtins.map
-            (site: { name = "${site}.chn.moe"; value.upstream.address = "wireguard.pc.chn.moe"; })
-            [ "nix-store" "xn--qbtm095lrg0bfka60z" ]))
+            (site: { name = "${site}.chn.moe"; value.upstream.address = "wg0.pc.chn.moe"; })
+            [ "xn--qbtm095lrg0bfka60z" ]))
          // (builtins.listToAttrs (builtins.map
-            (site: { name = "${site}.chn.moe"; value.upstream.address = "wireguard.vps7.chn.moe"; })
-            [
-              "xn--s8w913fdga" "misskey" "synapse" "syncv3.synapse" "matrix" "syncv3.matrix"
-              "send" "kkmeeting" "api" "git" "grafana" "vikunja" "write" "blog"
-            ]));
+            (site: { name = "${site}.chn.moe"; value.upstream.address = "wg0.srv3.chn.moe"; })
+            [ "xn--s8w913fdga" "misskey" "synapse" "matrix" "send" "api" "git" "grafana" "peertube" ]));
          applications =
          {
            element.instances."element.chn.moe" = {};
@@ -62,28 +48,38 @@ inputs:
            catalog.enable = true;
            main.enable = true;
            nekomia.enable = true;
+            blog = {};
+            sticker = {};
+            tgapi = {};
          };
        };
        coturn = {};
        httpua = {};
        mirism.enable = true;
        fail2ban = {};
-        wireguard =
-        {
-          enable = true;
-          peers = [ "pc" "nas" "vps7" "surface" "xmupc1" "xmupc2" "pi3b" ];
-          publicKey = "AVOsYUKQQCvo3ctst3vNi8XSVWo1Wh15066aHh+KpF4=";
-          wireguardIp = "192.168.83.1";
-          listenIp = "74.211.99.69";
-          lighthouse = true;
-        };
-        beesd.instances.root = { device = "/"; hashTableSizeMB = 64; };
+        beesd."/" = {};
      };
    };
-    specialisation.generic.configuration =
+    networking.nftables.tables.forward =
    {
-      nixos.system.nixpkgs.march = inputs.lib.mkForce null;
-      system.nixos.tags = [ "generic" ];
+      family = "inet";
+      content = let srv2 = inputs.topInputs.self.config.dns."chn.moe".getAddress "wg0.srv2-node0"; in
+      ''
+        chain prerouting {
+          type nat hook prerouting priority dstnat; policy accept;
+          tcp dport 7011 fib daddr type local counter meta mark set meta mark | 4 dnat ip to ${srv2}:22
+        }
+        chain output {
+          type nat hook output priority dstnat; policy accept;
+          # 需要忽略透明代理发出的流量（gid 不是 nginx）
+          meta skgid != ${builtins.toString inputs.config.users.groups.nginx.gid} tcp dport 7011 fib daddr type local \
+            counter meta mark set meta mark | 4 dnat ip to ${srv2}:22
+        }
+        chain postrouting {
+          type nat hook postrouting priority srcnat; policy accept;
+          oifname wg0 meta mark & 4 == 4 counter masquerade
+        }
+      '';
    };
  };
 }
--- a/devices/vps6/secrets.yaml
+++ b/devices/vps6/secrets.yaml
@@ -1,7 +1,3 @@
-acme:
-    token: ENC[AES256_GCM,data:lJc2A1Q5vxWQsSchA5pvXSYW+DjBCkdSbWVD7+Py+lG/6nGUmEAHVw==,iv:ZcysHsiLQzD/7vMn1wTCE5lw7/IgkH3oLem5xCjnf7Q=,tag:7EC+S79HRCG/Q+bqVcGVDw==,type:str]
-frp:
-    token: ENC[AES256_GCM,data:T8b1ku4HNCNSJ+33QgIt1GILFA4wTu3Qd0rDqHPVgdqsGo0R90k0u8z+dElSO7q9PapTqUbZ,iv:hwnMu6JxfYLgw4TyhujX5dI2IAytgZh+Bexhgta6ATQ=,tag:lqgwvXlS/jGPxasmk5Vh3w==,type:str]
 xray-server:
    clients:
        #ENC[AES256_GCM,data:DXEC,iv:SZ1AhmK6fWQ/HGDk97kDUcRN84zQMp99eiz4SpRhig8=,tag:Fkdf28ZvB8XKCxSYdjuuHw==,type:comment]
@@ -9,65 +5,46 @@ xray-server:
        #ENC[AES256_GCM,data:OVgDU+zqcQ==,iv:8KuEqBuL5Ca6pUOFFA+vySJx/h3BhGAAC0CgnxiW46o=,tag:TY1MajSSy2RjKVI2SSAAFw==,type:comment]
        user1: ENC[AES256_GCM,data:S3IHO9FcVHTJOsRxjSohM9MgnrEwLdDpFU+efLkQaXT2jNJG,iv:KOesvPzjDfm1EDLFiegbk0wgjp7di5mUwUuuY2hwvOQ=,tag:ZsYyUyyEhO5S3weCw/gPMw==,type:str]
        #ENC[AES256_GCM,data:OQOPobpbbhajgA==,iv:4jG3bHKzWcR+JnvSlJsc0Qlv5kywqVN5UE96J31CP7Q=,tag:P+jJkRxPu99tLXyO5k6dRA==,type:comment]
-        user2: ENC[AES256_GCM,data:e7ITe2ZouKr8dXT7SYATyzbzHaVeu6AKt1OcQKk3U0nsQgoa,iv:UbOOuojy6OAFEH8lGhKe5Hs+2K6FX5MZ8Br9AB007gs=,tag:5XeB4YngzTcHZvCpXe/ZXA==,type:str]
-        #ENC[AES256_GCM,data:93BxR0AEdQ==,iv:rf69GWpuxYt7fu1Fyv55pynuQDhi+TA5CwZK3cc3yBo=,tag:/hLy6atNMxLw6G3/qgMM4g==,type:comment]
+        user2: ENC[AES256_GCM,data:+MKTpaA8hO8q0kyY0V1csedLOtIf760Vr0+WllGe9lgMJ5da,iv:5txOM3sFOhKVX4EVozb8XHWLU0fUNxCF9YAwTYaTL6c=,tag:jkgOVgiEc5phY1XNETsdpA==,type:str]
+        #ENC[AES256_GCM,data:m0iCqLI8ELaPb9g=,iv:bsh7JHILbOZJ+bgGr0U0rDanjUVGgDzYGhboezspEjE=,tag:o7A4SXoCXk5LXmZ1bidg/w==,type:comment]
        user3: ENC[AES256_GCM,data:r+6jXaIj4HJoYLnJcnjJB+WEZlGaoSy/ktc1Aw77hFtNrrGp,iv:P+YUKns1yaOZokH5WkDB0jssGyHg3ncc54tF1PyA7Oc=,tag:/pxMEr7l4ye5EDAOsllxJA==,type:str]
        #ENC[AES256_GCM,data:4gqZh391hg==,iv:No22DrD6EBs2FA4/qH8msWEjs20fc+ZpEeZep+HIv+c=,tag:aHrYNbI83POI4PRj1nd+Yw==,type:comment]
-        user4: ENC[AES256_GCM,data:ujiml/r4aFiKOkSJkaD/KE8rKuBtLSnpZREBH3vRJUzDT0QM,iv:a3VFlXpMLNFihvFa7gloANtHmBLg4szTL5LTm8E2kNs=,tag:W9KZ1GAVx9IBKfda7Zedng==,type:str]
-        #ENC[AES256_GCM,data:PTYBkBHs16U=,iv:qr3u7OveM1CmTBIf9gZK4fTRuLCpcZCwf8jmnd1L3Co=,tag:w3O41NG7yCwCVqPGh/6SXA==,type:comment]
+        user4: ENC[AES256_GCM,data:/kBaGAqbewLav+WCJPHm1py3pvb7bA/YO2DeBP2FTCZv44wA,iv:iwxV6KHu00oITH/58kBFmf43lkgTU3BHJ/kb9FPnRSE=,tag:ns+6Dvhf/D15bZc0fd6zLA==,type:str]
+        #ENC[AES256_GCM,data:AzzKMw==,iv:Z73ISOLhPWP40wTy8PucY3KaB9nS7WQECK3tZFYC1ao=,tag:KJuiCODhHyDl5bXInUSI5g==,type:comment]
        user5: ENC[AES256_GCM,data:iDuLRb4dhLUOjpamioMwoTYrn7Cy+Ln4SaedVXkwVD05rjJ0,iv:AqzBBvLpJuIJCUJq0IyDcHrlqb0e84nQC0c94Rj85uw=,tag:0xou1i/iwAxGngO74OIMXg==,type:str]
-        #ENC[AES256_GCM,data:D5xiJW0Oyg==,iv:9a/6myiT9Crf/fff6ZkXj/obW2k95cABUNqQdPmcwcc=,tag:chs8BA8YtVkM9m3Ey9ETlA==,type:comment]
-        user6: ENC[AES256_GCM,data:YzLlf37SxKmU1/QA7gUIJsGid3KZNoAGOew8xR7cmw5l8ZmX,iv:SfKubo2jfjtxKn9odDiokMEZyPFfYZ/wwyYtBrgvgmM=,tag:+hxwIU5uBhzQyrKX4r3oiw==,type:str]
        #ENC[AES256_GCM,data:8FxApg==,iv:vPa5p3QVHAvw+ECusWGqx1ugTcHh42CVFDQcMhG59wM=,tag:lHiZtydcYFBQiXnWh8pCrw==,type:comment]
        user7: ENC[AES256_GCM,data:H/jje9ONEY6XuBXTZmTVGIcWUgGSMf5OB1NNRPtqGCgRP1ei,iv:xew+0BkRqz3nfOoBXTPbBv5hRczy/3tgYSKq432q4iw=,tag:da2ljcffiCVJCsMZaNPZyQ==,type:str]
        #ENC[AES256_GCM,data:QdaYYH3RGJ4qIg==,iv:79NBTEKCPtgVVv3G7wg+vdoLOWxc+bdqT1lF4HJpTC8=,tag:8mRFGjy7lBrdyGyX9vaSOQ==,type:comment]
-        user8: ENC[AES256_GCM,data:H1gPtqF8vryD0rVH7HYzpMuZ3lufOBYczKwaTr4PidQtTyQK,iv:wh7NwFc/1ogNrnTTpm5L9dBqDVkvWiIsJZelR2mtR4Q=,tag:oEFdMFZJ9UYhsSVdefJ4rg==,type:str]
+        user8: ENC[AES256_GCM,data:AnZb12dioiCamubOb6fsGWoM55zfPMeRbu+j8bRRcMfSQFJf,iv:rB+4B11JFC0oS2ExUW18f5WvhnE4EuHh3IiEyxWeY3A=,tag:jt+3yxDvhusvB8ppbdAwzw==,type:str]
        #ENC[AES256_GCM,data:aYWIiLxs1UvupQ==,iv:AisokHuAzD5B6fEF6ak8WfAe151CM3a8MsaWC4uJPnw=,tag:cdk5S4n9ulyWrqsD+jcqYg==,type:comment]
-        user9: ENC[AES256_GCM,data:HVK9KvGfOcwn1joc3VrkjBjE6hrxQPOBD5RTtQUgBPepToh6,iv:VK9aQ64L/GajpledBxC8PNB1BdNYEqwcdL3GKttgxvs=,tag:O/piztCYBARtAFxTMNXGaA==,type:str]
-        #ENC[AES256_GCM,data:b839t/OihMOmz0gIcTo43r2MIw==,iv:8kaAFG7DhFOoitcvbFaAvE1NUSLFrFhy1KiMrqs4r/c=,tag:G4vSADa52ZfN5y5ytoFJoQ==,type:comment]
-        user10: ENC[AES256_GCM,data:xjVkr/wy7OxRuNZKfQagfNxdVxTEyQP1ZhnR6jHy2gjBQ0RD,iv:G6iOBCHOqlvfEENY/ega/TUm81wgT2OOdZKZ6bPfg9o=,tag:p8AMa3bGsIl0hWQ09lSzgA==,type:str]
-        #ENC[AES256_GCM,data:+s3MMeNU5Q==,iv:CUrg+nNxCpJFbHQmMNXmSE+JcZK6Dfu8cGwtznx3CFY=,tag:G5CYMtao+hz3hs0fPVPmcw==,type:comment]
-        user11: ENC[AES256_GCM,data:BIZ2zRgGv5/9AexiZZvu+m4A62YUWtAkjWWMu89GteqpWMBq,iv:13IJcDf18LjoxJk7uoKnuFZT6Ihxrxsy7DBaAaiFqus=,tag:RN7wj+uPneCkqNlMRyYrXw==,type:str]
+        user9: ENC[AES256_GCM,data:+SA+VcZcy5ckuS/46Dn093VvuqxrIACuqMAMx6Ko5yw0DVdW,iv:TeLXb1WI7uhcPDkXYSlKIxdE6Kz+nCnlB+ZYpWcaF4I=,tag:YB0sPD9yHMARhiMJs7JKcA==,type:str]
+        #ENC[AES256_GCM,data:eCl1bK4=,iv:oYA2CFW6OGGrRYx6OHRYJpbEyFh575UjztvHaXA8UG8=,tag:Pw7xsisQB2Dd0KJeWFq6bQ==,type:comment]
+        user10: ENC[AES256_GCM,data:Pec0CVGia/ZIaq7WerZlr0/waJ/Ev1OKwt7V3PBxBSFMLi7p,iv:wYTdhv4Xoe58KBIwV1vk/V4IcdVzQrBgmzGaRD7qHQs=,tag:IZVt5LmjTUge8XntujJlTA==,type:str]
        #ENC[AES256_GCM,data:spyQkQIHwg==,iv:7+0DUK95MPH7lpr+GMbbLu4/5yA11/4gTuLhQKlStfE=,tag:G/gIXML8UhYoCi9FfoTvSA==,type:comment]
-        user12: ENC[AES256_GCM,data:FAF9lXOzXW9CrZgnQ1a2+E8snZj2+JHqP5Gny92k09o/Wzga,iv:/qZuAtFmUQE7A9lMzJUoCvGx+3Sv9Ioh2ahch3puaC4=,tag:urwbLwGkSX3e85NCjyPhhg==,type:str]
+        user12: ENC[AES256_GCM,data:iTZViWyKkCU1y6mvB0NzkXf3I98U/+nCs21ZD6M285YKaU6q,iv:vFgA3sv/7ENcw3gyJLiiHLwroXtVJjAxZXViqjXF3mQ=,tag:u3b9Uu6TIPPYX0TW5X5Sjg==,type:str]
        #ENC[AES256_GCM,data:HueqiREBet2bxQ==,iv:WCjTAGg2gXgBSvY3zc/YyB/1X0XjvphPduVXLsjOwH8=,tag:wC+On6lyyYQ1Dt/BHDvONw==,type:comment]
-        user13: ENC[AES256_GCM,data:ExbnvWDIBqga5+k2mpoT8AKBOXAvUNMjBTPXUKrmtWzz4l+L,iv:UI7CvSx2FHYGf6BEHS4e3iwHZZWkl2Zt5xg2WdKbLvY=,tag:ad0c7YW2Bxo+Dn+BoSZ0Ng==,type:str]
-        #ENC[AES256_GCM,data:R8lN5T0=,iv:FXLf8Vtjg+PkwNhxXWDViMKqwn7tFMaPhio9zhnudZw=,tag:34gxRH+P9lmkUxlOPKcYMg==,type:comment]
-        user14: ENC[AES256_GCM,data:dgNPPlJD5JOFPbKhlvlRHBLmUNKeDm/JAiawUVpBE7H07Box,iv:w+t9BkqYvlxVKr+x0MwtBz0/YSR/7z1OnZLIoPdW4gc=,tag:CR3GLbaO0jSQgA2HuwzRqg==,type:str]
-        #ENC[AES256_GCM,data:X80nhW5a/JQ1IQ==,iv:2UTsNLLDr4uBAEcPyvmep1fqH43JLUiHc/zqQWChfDk=,tag:DJEArs1nVnlcJgqM2uy17A==,type:comment]
-        user15: ENC[AES256_GCM,data:6AskiMLLl0HV6tm2rYpV46XW0jePQy+wme2oi3M7He7WsgVM,iv:lGfnFn69Vnjv5J3rp5sRazD5/B+8Nk8MNG7HIyf4HKA=,tag:Vbg82tdn3noOfhKVVx0Phg==,type:str]
+        user13: ENC[AES256_GCM,data:ID/A7yCWQIWRoU7Emhel2ASZfTweqXYmpC5q6Fm6ptD0XfCu,iv:YrFjIilO4pH+QxVVDTqwkufj2VSC38y9lAJfD8w522I=,tag:1v/T7vWeh0LMi0OL0FVs9g==,type:str]
        #ENC[AES256_GCM,data:4jJkbMD9Psxrag==,iv:arRtRaNrqnYcT7vE3wqgl/y8/65ORaxqTdGw55AKDP8=,tag:pRpta6mXfy0XCyzMA4+cEQ==,type:comment]
-        user16: ENC[AES256_GCM,data:fo6KJXlPDn7+FmxjEJQo9d79rDYemLFx6LanYZcJpKJR7Gxq,iv:yEUKPNZ9idrSqyVO9fhksP/7bjPMT/LzNK2VSq503/c=,tag:M87D44SIo9JzDB3ZyKu7fA==,type:str]
+        user16: ENC[AES256_GCM,data:esInSvj+a90TAl+b/n9m2iJsH7e6tlQRwSsoLBCy8KA9a0Z3,iv:U4c0pZzqS1s5H6XW3YRSCvDhtxnwCnyKR/tObefX2Rw=,tag:YtY/t4xsmZaj4lC39XQ5SA==,type:str]
        #ENC[AES256_GCM,data:/Kec+CdtnT11EA==,iv:DnmbWfgriaE6XAnMqq2UXhHhN+Rd/3YRodKVUCJo6p4=,tag:NimqZpbslKxwzoljaZqEdw==,type:comment]
-        user17: ENC[AES256_GCM,data:gQInIcNFxJuCSsMDGq4yTp5JdMMmJRy1tY3PGLoLuuIXWV0a,iv:ya4n9Z7T9/bxeHqi5QqwJprEzDMsT6X0BuEXRS67wWk=,tag:RcjQfAHv8uc3PgN5c4bySA==,type:str]
+        user17: ENC[AES256_GCM,data:6h343SreoMqz5ZHkdyDI/je4v10r5zBV7cWc6Pj4x5sI2cvE,iv:7WSikMxAZJUnv3+GPq40d8r9JkKRRH/SPW5F5fy5HHY=,tag:6h5Z7+WXT/dLNeEIrC0UGw==,type:str]
        #ENC[AES256_GCM,data:h7E4P6BiGjktYg==,iv:DhkK3NNppBqo3sXt9U7kbgfaBPYcSEX2hu6VOAesDiE=,tag:XoVbZklwCmU1EBhv0ujcSw==,type:comment]
-        user18: ENC[AES256_GCM,data:dssxPEv8srXydunolaaDAYYo+BOXhp2PoqidOWH3z6NYBpyB,iv:WCLcMMwQJiHZBwreQpaOZp2saXvjBwgYUqSf7HQhMgA=,tag:5jsAVcgAgO+7JhBINz6tzQ==,type:str]
+        user18: ENC[AES256_GCM,data:HJj0e6EHXEYmDXlZcS8UlfEQo/4y47w3sYKgb2Ojq6E4vMdE,iv:xThlGl/DDLLgoY5VkBSCx9HIvxy2ZlO5Q987vIMu0lA=,tag:gB07jP6Do4/6RmVaLB3Ecg==,type:str]
        #ENC[AES256_GCM,data:qGsMmWrUIzVdHw==,iv:DXayEA5zquwOzm+TqECYNHM98r0WSzcP3gA8zkzdPy4=,tag:OKTx12RqP9VxJQOnrBLkmw==,type:comment]
-        user19: ENC[AES256_GCM,data:+Mh15DR9xvFAwks86iuHEA9FpObKWTSuVOEzUDpBUS/h0hOz,iv:zYIkic2bibvwCBpomnJ9465mda1rbm3RERBZY9twXuc=,tag:bwdL6DAGgkGYhYFI2C4A+A==,type:str]
+        user19: ENC[AES256_GCM,data:unW8dOhNbPNLWd7X2prpD82tcqUua7msq8nX3ykFs8STsuto,iv:OLaZ9XQDFGaA1VENgsSn/3HQXp957Zf9MD9GPZ4KLE8=,tag:UK27LK+De3AzbI2mEIsQpw==,type:str]
+        #ENC[AES256_GCM,data:1g2gohLbiixMes8=,iv:E3HA6cAdv3BdLMcrrcWW4Zsc2KLtW7L8Xrk9Z57l49o=,tag:rZ7W9ckf7lzJ23u5zwQiwg==,type:comment]
+        user20: ENC[AES256_GCM,data:3UbVnn9oMRc0zZR46tWxwM9VFOvMOYm690csUomEVBcS3xPm,iv:KHuPXttLAFr7WT/qa/UYLY8GRsPWYZPyKNmdUh4iFQQ=,tag:jN8rQ0Gv+qnhwOWGH+CwlA==,type:str]
+        #ENC[AES256_GCM,data:GzxXsTbEvdHV7A0=,iv:uxUG4hnYEsmJtnqbEwamwhtLt3UClt7ktmkGyAFdxsc=,tag:sF8YQ2cejAezI3Bbp9qKIw==,type:comment]
+        user21: ENC[AES256_GCM,data:hgDJ11crZaWcKrc+ZDQklXwpnvt/sMbARkx3sLZfQGZqQZeA,iv:2Re+hdJuT5yg/qTymfpN+KdU3criOmwuqqg+SHb8iAo=,tag:s16N6u5cRDaoWxnrCkamuw==,type:str]
+        #ENC[AES256_GCM,data:U0CcBBJraJj9,iv:9kuHsHkSDdDT0Gi/3Oy608RArrg+4cgeii5zWbsGuPA=,tag:EvqqMNvNcWBwie28t0+52w==,type:comment]
+        user22: ENC[AES256_GCM,data:LClSrxtBzuJUD4J4QaYXHUr8XSi+N7Zh193j/YeBZRm9sjgf,iv:djiq3+iVnuKK2HveoCm/j8FezzrHRGnjbyoO6iGm6eA=,tag:N5hqYyvJGxnwT8wbxdnjiA==,type:str]
    private-key: ENC[AES256_GCM,data:ts/LRGFAsYqvGvkvlxUI42IW1a8cGsSkpZhMDd3QVceRKvhPb1SRDaXoSw==,iv:6xX9xFIFUNlLBZ6CPBOz9JbHpvC4+QG9ZaCZcWdl12c=,tag:DYIa+QTV8vyl1l7OKKykTw==,type:str]
-nginx:
-    #ENC[AES256_GCM,data:85LrqdTMIhSa,iv:mIQPYz8VPd5AxeMCQEdTGMD0Iqa5QEAa5+8JVFaj3JM=,tag:TcZd7S3WRPpEV9lHI1fzbw==,type:comment]
-    #ENC[AES256_GCM,data:rVTLpe3uIQ5LArPnEY8N8kjtHq8kZddbqR+nyUaia72Y7PWEfHzy6wgx3Q==,iv:AZEufH3zfVL0XbUh3CQZGYcx6zIMFV4tF+jHf73IplU=,tag:B/UbtQh5dGrctNih2uoO8w==,type:comment]
-    #ENC[AES256_GCM,data:InzwjKl3R4SJSXTz5u1Pt0kf2HYEtKfSkJO0cbPhhXADNp2/Tn0nwQJFy9EzpMvK9mw8+l5LadbY0tIwmTVvV5yxUQo78HcgXWInfp/zJ+GG1L/RQOHck74lEA==,iv:UBMRYPd0loOQBs3mNyndiKPu72aRA8HbOKWDfUWPQg8=,tag:t/ONqdwpWcbo/2vy5TOjlA==,type:comment]
-    #ENC[AES256_GCM,data:HTinhnsAbVujUOuLIVT/CkvdtTN9Nk7wZKZ5SyrPC+vZ/cB9E10FffMYLQ==,iv:Clby9A7MIUSknNFkzKuWEDL0yUW/ctd6KShCIEYrDZA=,tag:CJKORoXrspDjRmaSHUnlqw==,type:comment]
-    #ENC[AES256_GCM,data:cwAb68VgebTwCCeAFUbOG0CUAuggfRnLNv9NWldJN+E9NY4WKxs12Nz7yX/vtelcqqJ2TOUL78uAR88Nzavv7VtCTZRivWjRG6GvAUyRdv8lAZo=,iv:PScTSTCuVnsoZlvyTVL+ZgqqEm4m2/fUqWzPwE+PvuY=,tag:1jeRsHqgMheXbcnhRicsnw==,type:comment]
-    #ENC[AES256_GCM,data:V5XRrTvyeezkcJqw1/BhhZz5K/egpl+PtNwjAGELjWRp7IqDfRsInxBKEg==,iv:LdOTkL22HvaNbiUi6hG8o0ownfZ22OKFGxCuGPqG8xU=,tag:/06I/mLzBlgS489iuwFTuw==,type:comment]
-    #ENC[AES256_GCM,data:i9PXzaO1od7HimP/6vxYfh30SxFbdXRDcnXujH3VrvngFcWaVcXgigncp3cboi6RoERSZ6yakxviVyEBIS4v0qRfombj2UtJg8N3Kg==,iv:aohIMhAYfZhlGDrcEvi+Qc16nF8ZgrPUGhWj/7nl8Fs=,tag:o70qsk/2cAbZgbVBwfl3Ew==,type:comment]
-    maxmind-license: ENC[AES256_GCM,data:sESU6uK9EYLido9/0sXO2Zw1SjuKmxPh4r3giJcaG7068gn1kByjsA==,iv:htnFgnLrH35zSvmlRAdoRDLFIpKroKO5dW9TNK9soUc=,tag:6pJuc54SrKP5n0kJJ7fGyA==,type:str]
 send:
    redis-password: ENC[AES256_GCM,data:6zVKw9AmKwSWvHUZhzy0F2KcJW96uFoZY/N1Zq8ilUJOLZeX,iv:viwLIgJz9v8oadr8784OgETbEsxzGsJvVoxmOwWEFxo=,tag:XEYFnoCGwlnrkqaUbgeH+Q==,type:str]
 coturn:
    auth-secret: ENC[AES256_GCM,data:50KqO4GQ1ERbCnK4IjYu6aywT+IPMtVlTzh/TE4MwWApU4pO9yqz25ENGUAKRLi4p+Ecug+Rn3InRl1b+q6bAQ==,iv:SgHkHvHg/+yA1Z5E9effgCnZMVXv5amGNUsVKErai54=,tag:PoYLV9Xr0IXXsA39n7wiTQ==,type:str]
-wireguard:
-    privateKey: ENC[AES256_GCM,data:4DKPPqQkjb33rQzFIz863A2arDRQA9AivWFBaWTf0xXDX4hWvJFiIlJQfvE=,iv:0R2TH3CMxHgwVjojzjE2Gnp8SXonmBDLWF7hB33NiX0=,tag:vgtV8JkuCdspleN/SvgIqQ==,type:str]
-telegram:
-    token: ENC[AES256_GCM,data:LskBPmXZk3hRZ2bChXZjmRzzGd2A2GKrUZMknCDXTpTzOdP/RDibRvgI75HLWg==,iv:9lJKuGLD5HuQinWvvAvwWFAvEJofUGkJsxKNpqZrGmI=,tag:pTmTOlsYIY6Uqd69AtrnBA==,type:str]
-    chat: ENC[AES256_GCM,data:0ehCIvd7sBFc,iv:OwdiIoPrt/e1YgsCrYcqqMYhsJuEtKW2pSKNVxahMV4=,tag:ig2CfQxwzv2ppIutU6371w==,type:str]
+wireguard: ENC[AES256_GCM,data:5M7EAy/6+2UASWkjxE0Jrxwl0aNdAVZaUjQnD1wU3YvOAQ/c2DSL8hVtKf8=,iv:a2tXFf1+aP0JhdNtzP8e82KJ71m2o8nx+G0wIx4VMig=,tag:l4TS4QBz2fIkC9/GnZgHnQ==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
    age:
        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
          enc: |
@@ -87,8 +64,7 @@ sops:
            ZXFTU3ZCaW1pTVh0RUJzdDdGdHlPYTgK2mlgcX2kEc8+2UDdBnhUm6IIuh8V6agW
            ooxH9OEPXUVI/4JcDo4v8ZUhAyU1ehLH0Ef7PJCChOZe2KZmWSNbhA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-06-30T10:43:57Z"
-    mac: ENC[AES256_GCM,data:Mg/DZghIkaWM5KEjk5zg3S0L5qPa8/rkc2ooSjA1ewzbDhTKls2tzv7fQqLx2WQtcJiKkoVx22UkiL0AzBwJdCr3473vx93ajTVK9HNu3jqXmuzSiv2iVS21EX9tyBNiL6uWlVAtlVfMMs69PEUF+EJIYY5TkVVPaQjzEebwo5w=,iv:tFON7RVSnNNHo5U4dRuMGDhH5iPGShW9uoda+apiIjI=,tag:3nG/u7vaChFBHoDsLLb23w==,type:str]
-    pgp: []
+    lastmodified: "2025-06-12T23:51:02Z"
+    mac: ENC[AES256_GCM,data:3QxWxinb3a7jvmHJO1kcePNwd/igurjFWVJw/sGKBuZpo47LU+W8132b9GpKs79AedDa5BM5yu0XN+CPrkviMcNuX5a3lLy8oI22a1N8fuKjEehld1Jq/boitGIsgJgb/M0Hn6yIq1ytuWuxoj2cOvmkEfNuyWRew+htI4DhJ/E=,iv:OyCWfcn218oaA970T9miIWIGSwOFeUbtWI0xO/02Hrw=,tag:c8riJplInFN1ZSPH3ze0QQ==,type:str]
    unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.10.2
--- a/devices/vps7/default.nix
+++ b/devices/vps7/default.nix
@@ -1,80 +0,0 @@
-inputs:
-{
-  config =
-  {
-    nixos =
-    {
-      system =
-      {
-        fileSystems =
-        {
-          mount =
-          {
-            btrfs =
-            {
-              "/dev/disk/by-uuid/e36287f7-7321-45fa-ba1e-d126717a65f0"."/boot" = "/boot";
-              "/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
-            };
-          };
-          decrypt.manual =
-          {
-            enable = true;
-            devices."/dev/disk/by-uuid/db48c8de-bcf7-43ae-a977-60c4f390d5c4" = { mapper = "root"; ssd = true; };
-            delayedMount = [ "/" ];
-          };
-          swap = [ "/nix/swap/swap" ];
-          rollingRootfs = {};
-        };
-        grub.installDevice = "/dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:0";
-        nixpkgs.march = "znver2";
-        nix.substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
-        initrd.sshd.enable = true;
-        networking = { hostname = "vps7"; networkd = {}; };
-      };
-      services =
-      {
-        snapper.enable = true;
-        sshd = {};
-        rsshub.enable = true;
-        wallabag.enable = true;
-        misskey.instances =
-          { misskey.hostname = "xn--s8w913fdga.chn.moe"; misskey-old = { port = 9727; redis.port = 3546; }; };
-        synapse.instances =
-        {
-          synapse.matrixHostname = "synapse.chn.moe";
-          matrix = { port = 8009; redisPort = 6380; slidingSyncPort = 9001; };
-        };
-        vaultwarden.enable = true;
-        beesd.instances.root = { device = "/"; hashTableSizeMB = 512; };
-        photoprism.enable = true;
-        nextcloud = {};
-        freshrss.enable = true;
-        send.enable = true;
-        huginn.enable = true;
-        fz-new-order = {};
-        nginx.applications = { kkmeeting.enable = true; webdav.instances."webdav.chn.moe" = {}; blog = {}; };
-        httpapi.enable = true;
-        gitea = { enable = true; ssh = {}; };
-        grafana.enable = true;
-        fail2ban = {};
-        wireguard =
-        {
-          enable = true;
-          peers = [ "vps6" ];
-          publicKey = "n056ppNxC9oECcW7wEbALnw8GeW7nrMImtexKWYVUBk=";
-          wireguardIp = "192.168.83.2";
-          listenIp = "144.126.144.62";
-        };
-        vikunja.enable = true;
-        chatgpt = {};
-        xray.server = { serverName = "xserver.vps7.chn.moe"; userNumber = 4; };
-        writefreely = {};
-      };
-    };
-    specialisation.generic.configuration =
-    {
-      nixos.system.nixpkgs.march = inputs.lib.mkForce null;
-      system.nixos.tags = [ "generic" ];
-    };
-  };
-}
--- a/devices/vps7/secrets.yaml
+++ b/devices/vps7/secrets.yaml
@@ -1,153 +0,0 @@
-acme:
-    token: ENC[AES256_GCM,data:D5D9Voteggfoc7Hj/xdhGEHmFIkG2H0Y0t2AfSY7hjRlsQhUoAzCRg==,iv:JLUjY/6DJrNsG0YZ0WD/Dmjgjsbx26VANAQvZnyj6l4=,tag:WBQv8AvPW5+XK8FAzppnNw==,type:str]
-nginx:
-    detectAuth:
-        chn: ENC[AES256_GCM,data:Gk0TTbnFcsvIgoDcen6B8w==,iv:kvyvygw9zDwaiTQ2vPFTHQex0EWDFg8M8U22AConQFM=,tag:ewAZ/nXxmTOhDAjW/A2OnA==,type:str]
-        led: ENC[AES256_GCM,data:Owax7cyp,iv:NCEKyicVCYZNgxJzlO90heUmwPjfXbZEcyXX09XQKI4=,tag:WMTCVMVCD9sJgAhRUsqvYg==,type:str]
-        chat: ENC[AES256_GCM,data:1HJiO1zU5SX4G56oWxv5zqGyUqnBWByrtSnQ01wvmZ7PmRkrV+DV6StMg5DtJR9HhkWYnbXlbnBHzP+poPUMag==,iv:sfwI62nwGSnsdj1RyADWgXvp5AY+9RQdtSooxbKFWTs=,tag:pN/LF0mo7RXWoIPPzzs8qw==,type:str]
-    maxmind-license: ENC[AES256_GCM,data:9aW4QR3K6S+eTqzIjVlNEwkG0wZ4u5jgRfe7CMwRlJlK4AmcS6c45Q==,iv:cPTN1K4Aag5sohGbCQUZHYTvcwAL7AhF+rrY3OvXGPs=,tag:d9GGUMHnfzRz9Cf2U+dBfw==,type:str]
-redis:
-    rsshub: ENC[AES256_GCM,data:uPnZIjbnRRoWIHlWkZNZkMpIb3Ujnnpb+AisVSVGFv4sfDAuDlAjt39pRdnWkCXJPqtXjJzQ+FeT34cqxTf8Bg==,iv:/jcyAHkxByFnbkmCAYQwda2QRmhW7L/ICoLuCgsVLCI=,tag:M5Q+dh/Bn7FiNpqQGYus4Q==,type:str]
-    wallabag: ENC[AES256_GCM,data:WkiqS9TOHxYalDp7Ssgg2x7vj4D58psQ5au4a0e3LZBecERwzUKmrhbVKRuDvNTwWbYxSds9SAca0wN+pWmrmA==,iv:QqHlzSXG1I4+p8wd58lcQs8TqAF3foxiYVdgL8L3IpA=,tag:CPtFgIeFL5W25gtd6NFkrg==,type:str]
-    misskey-misskey: ENC[AES256_GCM,data:OHjt9o+m++NT5aaFbwBT/wSMdUdgf4zscd/JxjCo5HDhC3WeWMJV7z//kATI5Dg4BWAhvPlL02Vrly4RraIzLw==,iv:sQB4/D2SsOuDR3bTrmlNg7o+6ehFznDsqVc3BX9pK20=,tag:tcwTBt/JhyW8ZTAIWIkWBA==,type:str]
-    misskey-misskey-old: ENC[AES256_GCM,data:amUqMycdXUFvjg66pXKnlZqiESBYMci0k8iYzj824SaEqHl3Nq/I0TjYX++xEUg+RGYyTIcSaj96HUANTKpc1A==,iv:ND1mQLHxltRlOdpJ80ywheGo6hkl7OgRyk9TguJMuTw=,tag:dhCCwnCOnyT2iXdEMK0szg==,type:str]
-    nextcloud: ENC[AES256_GCM,data:jwN/CqwkU/5Rd6w75/bV2Yej9b0CoxZaiJEcZXFx+9XUPY3Xg1tQdEr1SALG8xzOEdoL6WBVs14NvrrL25GeTQ==,iv:p5+0AB52QqScJwMhNIrM/7HAcRPdD9Z8xV6uwIDOwIg=,tag:f1XbNDDRXvGl/dkV9Wp2Ug==,type:str]
-    send: ENC[AES256_GCM,data:IGxj3cgp+fQBdupfK+IgPEQSPuXdM9LRSLGSATNIkzUWC6sQw1aaKTDuRc8cU2BG6quthRwuWnK/F7k3KrUi8Q==,iv:LI9MkaF4e47FPUyL7AXZpO+CdgF91ScdiqjrE8PZjJ4=,tag:eNugln5M0AhU1xmVWFN7Aw==,type:str]
-    mastodon: ENC[AES256_GCM,data:E5aMRzqd1dqcw66uZwWoT+LDH30mg1vZjk3lhKIXKPd36MANE6z04aBPcAHyHT71jEYsect9JXagC4MUJBuSSQ==,iv:4IjTTNSTraL33fInlTkB2ZylcEaaKi5pgvugZIk24e0=,tag:32JSTNpF2cxYh/NEAS6jZQ==,type:str]
-    synapse-synapse: ENC[AES256_GCM,data:8CVbcN2FG4mRT4PnlOGsS7tDfS+6ojIJFvq2EwItxn1gg2Ghd/Bmx+5tS/Do2FrYp/Xiv1EqucomM50r5bXnmg==,iv:TT7zBKQ4M10XYVCn5aeSu9IqjrIEHHazPUCOTmgRAU0=,tag:0+Q9hZMBVDj1TnHj3xoTBA==,type:str]
-    synapse-matrix: ENC[AES256_GCM,data:eJ9GXDVLPg1C+Zjpj3NnWUyZxDbOZ61f+gs/bkZgdWjeu61MEMtU/Hh+p/ceAn3y0aPi0ZTcd+zSgIPIkcj+qg==,iv:uTdS4uguNJErc+DDW4H6dsRFkqlkHtaCfR8LR/d9nvY=,tag:UhY9xbe1r7FUpyid2nSt5Q==,type:str]
-postgresql:
-    wallabag: ENC[AES256_GCM,data:ANwvEE3K/W/hU34Y7RvlbUuJNo2bOaRfeusYM9pRxXQOdG4XpwYfd/DprsrVjlkrMFuTurUR5j6UNHWh+ILDbQ==,iv:K8doqhVosz+OosMrLJXrSxairr84EeGs3EWgVQjpkS8=,tag:WjDzy7ubm/GVlBkW0O3znQ==,type:str]
-    misskey_misskey: ENC[AES256_GCM,data:lRbSz7bbiWEdK/cRD41fLvFJF4WYsclKHVykFcU3LIz9vnKlR3VdczzznVqpT7JvG6OUi+TmipJii+0KzXHtdA==,iv:8sBKgVwuDJdThup0KQ6cnAV5O2liwVra1yIpDHVfpMI=,tag:DyUpaHai8ZUyllvZBUm8sg==,type:str]
-    misskey_misskey_old: ENC[AES256_GCM,data:Wwtd+hKI0s7m3PbEPHbnSyTsCkW0x8SYHUiCYuNSNCG8i4RAmiAbONNFfWN2hXnmTmRK79Tx/3GR+L0KMzmNGQ==,iv:BekTELToPQXUdZHyNtkuqKyZeez+moI6k907P7NhA3Q=,tag:A5YB0WIa1RkDCtzeBhiuyA==,type:str]
-    synapse_synapse: ENC[AES256_GCM,data:lzaggyuXM1XwsRxFHslsP89r8wEcgi6LNfbcm+pFWj6WLO8y8WaQIdOkiF3D2ToKDwcw5XgSGSt/VAk6lv+GeA==,iv:8WOL3jze797Wz9kSRq7YpY8OS1TBMqHYhfgZlluJlic=,tag:utNhs1AMbGthp6M2c0x67g==,type:str]
-    vaultwarden: ENC[AES256_GCM,data:Uz8GJMaLUTQ9pQbZyZLWS4bL5wmt9RvbAwNctAIDt9JrV3FaXxgKjE0MJSGklS55yj/Z/wbO6RCuCK2AWR2VKw==,iv:7hA8YcB88M1qCV8EhFYpHbfPmAZ/7xNqvTMJYZ/UcAY=,tag:mkDHJYmRoYZ/Ct0UmOp9FA==,type:str]
-    nextcloud: ENC[AES256_GCM,data:5UpYSMsZgUgEJHg0ou9Z1RTE+YFFUKuXwPtc6L5XxD4GNo8Gd3CvcQSNGAol+5DtyPKF3q1+ZgtScWGrqU1RyA==,iv:Zfm+Oa4eON8WiJzYUkMFawafDwo9pOnOpWkwHYLIKkk=,tag:4ECMla1dFfCrn7lILwWFNA==,type:str]
-    mastodon: ENC[AES256_GCM,data:IQxoNjZILazu5cxkEzFAqqmGSsOffMQHoRB7AC2NqI/+CJSVsfdwiSVfxN+Jc9dmrqCjscUSxaWCMHnrZj/JyQ==,iv:d6tyj/w0uH2E3qHjEcopVhnmE/Pq0qN9PHthSArryyw=,tag:kfJsxqkErFcG11B0CmiIKw==,type:str]
-    gitea: ENC[AES256_GCM,data:EAuFPlUFvtARh4wbevoIUwZ886nS+3O9Jy7q/SkaTDx7PkQKGhZcPPxY45AG0QQrjSaI3cGLzDBMutFMXP0BMA==,iv:0cLOsopAfyMLHJDowyZirVR5nqLrjSLHYtnPC8GXReE=,tag:BwG5UibGLS16rwJbH/0ZyQ==,type:str]
-    grafana: ENC[AES256_GCM,data:ZLtDIZ3oKasE4r1WNllNe/rkXxqRS+QAJI7EGPKhiFF1BtAxD46UpGQnUag3yg0gP/8+3COQs6camVSxcKFL1A==,iv:wMj3keVjNpVwNMwlt4E3ds1EYjLNIZ/S3RydhOlmYWU=,tag:ZRn7NWaUPbf2rHYLoLYw+w==,type:str]
-    akkoma: ENC[AES256_GCM,data:6piRt7BbMBLVGdot+VyoJN3/S8DoPNTYHFh/1coHSLNmiA6kU/6sca4Bts1Up/Vu164oTsFAr1JsKx6tzNzAPg==,iv:qplA1GXHwzVrmjm7eagCk3PFa7DRdwaf+p7N1HLb6mw=,tag:W6WedSK3R1IgZVo/0Hr9vA==,type:str]
-    synapse_matrix: ENC[AES256_GCM,data:5j+TYJ3vYUqu6CdRDYAT558DsTWbX4Rh+HuukPog5HGXlhneL3RnxVeGBR9CV1rlCP1NY99Nm8roBG+BcyPYHQ==,iv:CboB6lzqxAE/8ZlzaTU3bxw94N6OAhrq8pZ0AfxQiUc=,tag:z6cM3ufgbMn5n5PzgqdRjw==,type:str]
-    vikunja: ENC[AES256_GCM,data:syb4NYBxL3DdmZmcC+em0klmm6bkkIL/DH/gnzShYRiaezRFskT+yay9govn++SpbuvkoCJq/GYAFxNL+hcVtw==,iv:TQUgdzYQ0gqsAmux9v3BAQFNzHnCTZ+X/OC0b9Bfya8=,tag:b1AsiAW5XzA3DzGdf8J03g==,type:str]
-rsshub:
-    pixiv-refreshtoken: ENC[AES256_GCM,data:EeSOTSAAh+1Dc8+a/AaPJ0aBK5DTa3pdS6DrIMQmRw/n0SRu2QoynIF76w==,iv:dnZxi8jM1I4w3C2duYielpP/8wOAdHDjcqDIrowM0dM=,tag:8irGvLEbRJHV9TB8Jibs9g==,type:str]
-    youtube-key: ENC[AES256_GCM,data:OEm/ynOUPUq7ZEVzL2jgs9d+utkLTIdNq0MHE0JDujb9ndAwyJJI,iv:RRae6Cg6GdDnXAQOdtBYmcA7ZNuu70VpIg2MEezBn5k=,tag:gX4ZG345cT3Jh3ovUxtLGw==,type:str]
-    youtube-client-id: ENC[AES256_GCM,data:dPo4+HsfXHdxrgF9F0qJmOGcSHDCn2KIkHx3ZYZU94iv8ImiPI9dTRfoz0zq8UIN7rwIKidQu9GxCRrg9aXk34pc35SXzEh8JQ==,iv:ROVHb0QjVsNae9eJevG6qc5dc4gkrGt+Y7S2QYrzmQ4=,tag:Advoh75OKPC7CnIeL4GFbA==,type:str]
-    youtube-client-secret: ENC[AES256_GCM,data:c/ALpo/4qJdccMgYiSLg9ZgG7ddaMYxHwJYZ/ogJN2ED21k=,iv:CkrIq+Vpuq28CsRNwdKRLnBq6L8NF37y4xhhnmHQHqQ=,tag:SKtHpm/QZWnGViDtSKlUUQ==,type:str]
-    youtube-refresh-token: ENC[AES256_GCM,data:pnXQ1euCdix2H7IxudmUUcpxc2OUhciKT8OcGV89c/EpoXHgx1+eLxwY5rRszroWwjge9M001RGHngvD/ny3phfWAwYmIzMJxun2f7JCPe7ybMesWmPSkiqVBss1Zfic1uB8mNM/yw==,iv:8p8/vATY8F3YuGA1TtjekiuaKOMnQyTMjrwDBJaK4VU=,tag:/jVg9FDOuLMNrupgrywpBQ==,type:str]
-    twitter-auth-token: ENC[AES256_GCM,data:65SbHggbYtfSfaaxJxRgD6+HpOX4vIfjnVZmOAZ9illPMYOu9MIchQ==,iv:49UuC8n6AGj1skuHzQX39Q/QuKlB9IxogIfiiy1GBnw=,tag:Rq6b0H9UFVZ19tU8ZeelRg==,type:str]
-    bilibili-cookie: ENC[AES256_GCM,data:58nO7ADu2oH/OgLJNYrEEzhf1J0zt8EpuygnSANkGXJju5oSmtM7WLnaMEjC96q14OTTA9QLiFVsbxiFY1eUnraA5W7g7+6CYRXVRZaxz91D/dhKzHGTMjB/LynnNqEIc6liONlcHbyjZNQ+WIqPtjVpCKMN7Mi8cv81/cFX/1GqAwncgDD2oXh1hMPOVY4dYcGKuOG0GjlY6RgOgTPqU3HawQjnoWQjPF+lq2rnWD5HP9ZTxOYa7hm2GgPrxkq1fkRrq+kKYeDh+6M7VLDcm5Fpf+biq6F8fZWzmw4NlVZT9BG0vJFa,iv:vxYXg9Yg9qIWFQXtwTYa4Ds0KSxZYg3M6xdtXKbdaig=,tag:TzCPehk9w+BL4wwgDc1CPg==,type:str]
-mail:
-    bot-encoded: ENC[AES256_GCM,data:HstqDfhKoLqDip9O+mwYGbNlNQ==,iv:CZSTfxJHhI6nG7501cQdJiZ9l3uKS7d5YsA8iVTUuoE=,tag:Rj3rvXJzDp8XzODV/gABog==,type:str]
-    bot: ENC[AES256_GCM,data:j4Y5oYeVt0sd2z2Qwuqisw==,iv:wasQCTqEMAyttbn1zm9oKck6QiByom+F7ZIMDUse9Gc=,tag:92O4ka6f0I9qnlnVy2dltA==,type:str]
-synapse:
-    synapse:
-        coturn: ENC[AES256_GCM,data:9MDq0eXLHjJ8Cd2d1iogS1lnjI0A2+0ZK8OtLKRLqT16BVzQQJyhbkAYwkn1+9ppfrazsHFGrk7DVsA7PWjdmA==,iv:SOjwZIyzkMK9Q1fGkmBSr6nSIarNe/WeD91GPJRuZjg=,tag:1GljmXdK80NKTPSg6xJz0A==,type:str]
-        registration: ENC[AES256_GCM,data:MmRJ3el59XaTwFImuCsiAm2zXeGhgvyUyw9AIv7FvxR4N3YWnHKALcQJtG52N4bmLXU=,iv:vm2R7XGzGET0eTcD2trl3xD2I09NzYmx5NPIY4KK4xM=,tag:exm8/ehPufeqtp6j61ap0Q==,type:str]
-        macaroon: ENC[AES256_GCM,data:2/8GuF/a+ocVtLN0PU17JDvXw/RoXX/CXFHPlI9THl5bY8lBm6tEawijnOKVoFLovfU=,iv:GPAr3ZjqLf9ixevsZoQgs4cPkv0VL4WJoFfQZOdThlw=,tag:HRt/igDEfUJ3K39mG7b9Fg==,type:str]
-        form: ENC[AES256_GCM,data:Z9cYL9ibRWmOhAYtB269n0cWZSvL4zGgc03ZRag0m8cz2j0god/Fn/w6kx3cyGK1C70=,iv:Yst6WSV63IvbMF5nnicIoBj77eSwVMnAHtHrKo2UcDk=,tag:4qf6F2rdctcCf4J9vECvYg==,type:str]
-        signing-key: ENC[AES256_GCM,data:BbPJiNcVTqMAL2XG3K3CIbsb8EM4r8ct/WxPK10FHRwAnqChKy3CAviYU9gewO/tNZXHvUYUAUbPww==,iv:IZB/40EE3DIxAqagdH/a4kcSmiec5l24XLCQKCQNaRo=,tag:/1t0WAPBYmYrPTx4V4wgkw==,type:str]
-        sliding-sync: ENC[AES256_GCM,data:POXExkTRRhXin4lD4MA61xsuzYXCT6U7QtQWtNnEb6kUWRrAvS9mqk+JTBn3onCzf2Azhi3WQOY/t+OiQFXI1w==,iv:GJfJSGb6t/q9KdVCr0dVVcD+e0yZUQzrJrtuhOlYJIE=,tag:ovd1ZXRkk7VoNo8KoYDViA==,type:str]
-    matrix:
-        coturn: ENC[AES256_GCM,data:MwZKkYMefshuk46Cne4wn9ooFH8RCDbrxp+MbLJWli9iPHuzJJzUuQNU9EDL0aNbzyYEMt/7DErw42z6KrpGww==,iv:u/SVVTgfJO2FakiYU+uLHXjA4tHU/W6ASsR3S31+pWs=,tag:VTeKNOKwm2bsiZAOVXeBOQ==,type:str]
-        registration: ENC[AES256_GCM,data:+pA61vTg12lYUyXjLrHSY7y/ExfTQffLlGUI4HBOSFFPTck7bu68FrCaHOIBTtEMfjU=,iv:Ex/phkBZxglG8HiRz+m7h2HNanpq2Pxwbm08vdM3xFc=,tag:mM3YEa70FnCeYIUthK4TeA==,type:str]
-        macaroon: ENC[AES256_GCM,data:/+RaayKiPPpVV7OWWdaSkSSRHMjb8d58lZcpvltN9cYkN1btvMViEgdLSlfqzRRlPUE=,iv:pg9GXgNsrVWKlUAiCKZ2pYXugRH6MsBIMpHKoYWYLik=,tag:/mj5Ak7XAX/FH7sNPEVALw==,type:str]
-        form: ENC[AES256_GCM,data:7HF7HMUH1BTJgXXP6cpUiVj0jCwGW57bx9wKTJu7PnRsNuAam/+nKX7Zfg7WD+gSBlA=,iv:SYeUsuFVgAA6U6STCtKT5c5E8Kglh3x7hy6+Op4n0W8=,tag:eICmHTwwn0KcgNhdDGnusA==,type:str]
-        signing-key: ENC[AES256_GCM,data:hzxxDbGp1L09O7+ueUSa5lJOY/QvF2zvHdpueEHjaPQEToQt9mr2loeTQHC7ObTegfLb9UHrI1jn4A==,iv:KngfahwYZZmDQ5LeOUPWptTMGAC8TZm1G0FWcrwCwsw=,tag:U9pW6/boBIpiswn67Ezrfw==,type:str]
-        sliding-sync: ENC[AES256_GCM,data:BeA6g98IWDP6hnLFI77QqG6esDwB6j3OPzAv3eJxWoTajAsByHSgSYP1vHN5Iok6IgvSSmkf0/HiOJy1Ca8IIA==,iv:ca+t/rYwc/fAVUcz0JTmrRQCOcbDNscbnE8BpHkx/OE=,tag:eEfhUChUt4kRnO82XqRY4g==,type:str]
-vaultwarden:
-    #ENC[AES256_GCM,data:yFDD8GHjZWHN/Yh53DseevKAhDVwrHX60e8sGZnF4BUsUuPA/4S2PRzj7CtlpFzUH3kb0i+HkLKRvbchg93U3as=,iv:JGG7daEKs0oMKTNVi9GS7PrXn/8rFtVkHknACsEQR+g=,tag:RSN6fojLsI4dcuPu2eTiWA==,type:comment]
-    admin_token: ENC[AES256_GCM,data:OpjREmxJSRj+aGVoP8KKRE7ClNqRtaV8va4WLVmpl1AO6D0q/GapJvhORHQb5s5ZjIAgvWTz1w+fh050Q9sPwRsNUke3FIcyeNy7k0PHgnnVIdxnU1Vn9KMz/SovjQ0/qEQ7tArvW/EXtKfwnP9lsz9m94VBvA==,iv:9AvDqMa2PeQOSrP2th3YBgA2RxPl3oKZTyUzi/yjRTM=,tag:HYFTQDgWvBsHQk8IZxWkfw==,type:str]
-mariadb:
-    photoprism: ENC[AES256_GCM,data:TF1SZVFnvzyE+7vrHYYUS4Juqhbiw9QcJx7p3Xj88xyBFcTqS1YjzAKs/9GQ1PuzdBrt6hXm/XtJILHiuktnSg==,iv:sd9sQEuIePL6LzUYbFtmdecJ57sMrkF0coalBf8KFqQ=,tag:P/knaKYTJ+aXu4l6IixISA==,type:str]
-    freshrss: ENC[AES256_GCM,data:ydqCbj3UbsLC1e++p5ixb5Kpmk2BsYd0urcfw8T51Is5N1/gQ7P0zgR33AOteAxw2oj85WQZhxu3eAN7BCXV5A==,iv:1oiMo1wwFNXiTZLsf4UPZSJfKFIWLI3h947TC06CVy4=,tag:Otq1oeKBnWXhqNilfsywPQ==,type:str]
-    huginn: ENC[AES256_GCM,data:1Tdg1WDwGgFSXdChgif8knWS24BIFYnmaiSjJXxs5uj/v/5fJ1alb4K4XHW/kFRjQbuAOFfJiJ9ogJ1KAyk17A==,iv:qLMaQpVaKrjP7g2lWzhaNLghxwiV4YJmyYY1hrpu5I8=,tag:566JCENvOxgwD7tM3aQBiw==,type:str]
-    writefreely: ENC[AES256_GCM,data:+5jsON4SpeWKWZWlbn233XuQ/6HDzaS3XxUxDbUqAp8S/XGmn/QuFK2f375QJEiyZsnrIYkbN/CiOjdTw+nNzg==,iv:8mKqWegyxrT6908P5G0olVZzpP+BwpE7SYODEry7F3A=,tag:HeYoT0RFJGzX6DWcBQy7Jg==,type:str]
-photoprism:
-    adminPassword: ENC[AES256_GCM,data:gB81joOfS8h05BNy2YmD/N0cpLPa/vAduDcQBeHiY/WkcnvqSXnXsOfnvbP74KQfoP4W35oFkfyGVPUBSB83tg==,iv:AkN2NoqMXVHQA9fHTTR7xbEapEqy/D61mHn7O23hyYk=,tag:WV+siDA3VnRkOYnP4Z9Qhw==,type:str]
-nextcloud:
-    admin: ENC[AES256_GCM,data:1rglLrLtRf3yXQwfHDMZLewk8ueIbMFOC+1mtoAyLKnDmcQAoEQZ1vHw/hpKkFXJQ+QyX3sP8eUjRXuBEIVl3A==,iv:lfEGPEw9ybSdOYLDdaGCLXKgCvgRxn3k9eIy2DJHDYU=,tag:j4qRexbEAgK5HAGhr/wxfA==,type:str]
-freshrss:
-    chn: ENC[AES256_GCM,data:XGcgfuRozJ/xowtmFPSW,iv:yZ9LTuVE8dGyrtE3vxLA2jLErvmt67XC0jefl1njiOM=,tag:J5d+oGFWhfXEFwVOnsJ2iA==,type:str]
-huginn:
-    invitationCode: ENC[AES256_GCM,data:+m2AabRzUiCFy3MAKTB8d1IE05WHTcmZ,iv:ccdIPHl9N+bvPR/QCwZUwZOfWTeW6gWhhBjOpL85JRg=,tag:Ir2085K04XUGkAuoCG+7VQ==,type:str]
-fz-new-order:
-    token: ENC[AES256_GCM,data:qhwWRflJbW1QMOhiPfbTIrEdQJyVtfZ1QycCgstdKD1Nh40=,iv:GvZ8MJig64l34jkvuJbMMjyNaPT5yz0/pFCc6KEPTvA=,tag:cMXo/6F9thl8k2iAhT507Q==,type:str]
-    uids:
-        #ENC[AES256_GCM,data:O3DOE3jFCg==,iv:9shUoHCLXsJPKHELlyWdreouEcyOqhsfVI2KaqwC4CU=,tag:tYKVv+/DuesSijZwWGdrig==,type:comment]
-        user0: ENC[AES256_GCM,data:2sieulGmi7mCYrJH24djrrmHArrFbOHZ9wUuKvY4f2k=,iv:lb5ODFOeQQ+D9HZnMw48n/DGRB7L51U4frBVcPx1mvk=,tag:MwZua6u+G478uGOwtGu4fQ==,type:str]
-        #ENC[AES256_GCM,data:yeA9zF8Tug==,iv:VZuWLZnt1RBmkBWudKVvgJkYfqxIj/umEHVCfR6IG3k=,tag:1kj7HyjVT59n05VYJ1uP+w==,type:comment]
-        user1: ENC[AES256_GCM,data:Aw0ydspmf+PXKU27Pdzn4q/nY4sxXCADL1WGB7vm3eo=,iv:uTmVvGlW1HfdvoNbupSw3GyShsWTGVCoNrvVJ5BPUy0=,tag:k9KIoCWM6bSprwR8dmN+Hg==,type:str]
-        #ENC[AES256_GCM,data:4G7DyLVVgQ==,iv:Ht/exln1QtL2BxjCaOTIXHRPDiSFYP4zIa7VaeMCuhE=,tag:btVLXf+WS/YgzRFbVFoAfQ==,type:comment]
-        user2: ENC[AES256_GCM,data:P5gmhaQ+VOWVOjTrsx34zUS8dsqIkzCwOImIE8TIfUc=,iv:IoJIUcNJmaBTyr0Ut6R7BN/UqyK8p4HtiwbXUl171pE=,tag:k99PGSL1cEALTmFVWH1uSg==,type:str]
-        #ENC[AES256_GCM,data:TGrZBuCRgQ==,iv:9IOJ3Bkw9udS/y93TTtZ9o79aDq3Bb+DMEogJG77iqA=,tag:S/XcPX1f89IyfZnMoR9s/A==,type:comment]
-        user3: ENC[AES256_GCM,data:cAzf2X20rtQYyz1rLK6b4jo8utuUOdUHVYfCWdfPTDY=,iv:L5cg7aNdfnLTH2dKl4bWCqaujJ9tIvBJrJIoDIaBLwk=,tag:9Al6Wig4lz1my6hgozSsIA==,type:str]
-        #ENC[AES256_GCM,data:b4iJ73sUoQ==,iv:A2hmi7lCR15E5jVR8E71GQuHgF4TdjDuQadXOtBon6k=,tag:eopTJdjN16u7PtpZdhKymQ==,type:comment]
-        user4: ENC[AES256_GCM,data:nUJ0lPuFOUVGCtq0IRSh5dAkAna7hoow1YOtFEgSoZc=,iv:D8phoZxdbQ2/Zaeq8498eRb0a7SZD5WnVdKv+u2pBak=,tag:Obu01n34JjyAVnF0f3uKzg==,type:str]
-    config0:
-        username: ENC[AES256_GCM,data:p8+q8u1A,iv:9s52kS5yLB4vQuGVXNtA4amZqT3eHTTybsbsQZRiFnk=,tag:7SA4SEzMHpP9H/rwoE+UJQ==,type:str]
-        password: ENC[AES256_GCM,data:58+gFodT,iv:ohZlT1BwnzCYv84xHgFsLRkiPMpE8lB8QVHwr0QtDWc=,tag:XF047RnXs6IbKsTnsm0D6g==,type:str]
-        comment: ENC[AES256_GCM,data:T4XcbF1c,iv:hHdsMjU8rzPiduhT05v98pgDqxRW/Km5zmXCEZaT2AI=,tag:LWvwIEfbW2IuDELr4fEXKg==,type:str]
-    config1:
-        username: ENC[AES256_GCM,data:xWP1cesh,iv:11KFZ/J9PScz/oW2+H5BWgw0+ETkCXlcYOMuPpgjEs0=,tag:HswEVzm6ElRjIDsZyEfZcA==,type:str]
-        password: ENC[AES256_GCM,data:Da/E7ZeZ,iv:gIoheXeTErV3+CtZSEDsX7pGzRahHWlKYQ6QZ6W2eu8=,tag:0oQzQ5DJiS2hqMQfU6JRWw==,type:str]
-        comment: ENC[AES256_GCM,data:etfZKwbh,iv:XqqF3D0PpCPd2Q/CCu/PAH4SrvXAOu+lIXvSht/KfKk=,tag:7jyG33foxneRK2wvI/5uBg==,type:str]
-gitlab:
-    secret: ENC[AES256_GCM,data:hBax7ClSuttBacykKw42pvrvowZW8OeTry/0rkmy5BHyLM7HllNYCOw+tupIOdhVEfgJPWQeBeGuyFHt7lPRWQ==,iv:zOM+eMW04Z9QkTchkAXWYHg2eWTQmGEs/dHtUnvNVd8=,tag:RzLyecuASl9CcmQSuabN6w==,type:str]
-    otp: ENC[AES256_GCM,data:Hgq5Tyq+BUTsexVsjFWf07fY0znPL50+qIm+fhuVljlauXBZouQjJKMhqTs9zhLECOktYUtp0wrNa++nO1Ys9A==,iv:Am51j8QjDtldtsZL8uCu0I3pr/SQ6R8KUQinznZjClg=,tag:hbtrlG0MGNL3VcbQUG/irQ==,type:str]
-    dbFile: ENC[AES256_GCM,data:AKxE/Z4jooDlkIl3WpQZIlN+MLxlZ7SEWVF12/8f9aq7LtVl5B0RDA6bZbeM0PU8h4eGcSX9feSpLIVpvBAQxQ==,iv:li6hBLw9filwVVXa01oICtvY9UJsMgB+3XYOgZyCTnY=,tag:wC18TzVMM+dcpIi8wwCcIw==,type:str]
-    root: ENC[AES256_GCM,data:nPO4MT7BWuCHnWkbHPRYygMpieGsni4+BQs6HVwxBqH5KuD0O7I3PQlcgntxb4kWbqvyWstYW+k9LdscSEzgXg==,iv:fgfW8BljGlOIQzGK+UiEFcT6Hp5ieA8C86kwT8xRlO4=,tag:eSWPda0NYBe47uVYCOUiLg==,type:str]
-grafana:
-    secret: ENC[AES256_GCM,data:QYhopqGcHGr+24qYlfaTdMtnyzmIZYG4PcvS9KYqC24W3M+HmloCkPHh7Y3ZTVg8MnrDGOcbA9YPLdY7eh/u4g==,iv:dh7egVIem2bgDbmWJ1sqH9fLdIYbAIQjnjNvyuEjVq0=,tag:DbIRVHbCcpKGcNc6sDTasA==,type:str]
-    chn: ENC[AES256_GCM,data:0bbjggWS1MdcUIQiQyPlBTULm+faKDpJbmZmV6vSw8k=,iv:am65WQzUE+AvQrQV+NSF5u6RCWn7EetyPsdy4Cuvyyw=,tag:lxNUM1cIYVSXVgwEnS1Hdw==,type:str]
-wireguard:
-    privateKey: ENC[AES256_GCM,data:TS+toaJRgAvC78XVwTciXe2IG8++vaqXVCi/u/8Aej6qq1B9Cb6f20cp5K0=,iv:T/NkLvcYiWzIDG3jWtuhe/sH2GT4z5f0xdUGbSL901I=,tag:qN7YokFBj3Kbbx4ijHTRnw==,type:str]
-vikunja:
-    jwtsecret: ENC[AES256_GCM,data:p6e22qPJzTGB21oWhSr8AA4bfrele9ZOHVtZ8BHgX21IhoKdm58coGtSX1CGXR7J6+1/74RdLY9K88nGrM1F1w==,iv:DGUO8rhf7Lg9dTqSmzlR/Jd2K4oUjO8w9E5bihwsykI=,tag:SpX6UI0QIju/tC1fIL9CCg==,type:str]
-chatgpt:
-    key: ENC[AES256_GCM,data:bkLxKUqkjwpUeqeAZCaAgKiOse8QtZ0zOn9TQNA84+B3rxNiTFPisI8=,iv:Zd5dO5Sdt4HCvNZgS2K0FjJAzti6oE22vahYQl99TrI=,tag:E3o+X84tRsIEGU9Jfb85JQ==,type:str]
-telegram:
-    token: ENC[AES256_GCM,data:Mr6KrAzYoDXA+dPT3oXqK2wm9ahTjZ5GVE/iRPsmcM+S2MABT+8ramyHz9oIFw==,iv:nIZ8rpSxz2GwMbDQFfG3xauMQjiriZ1oxFMrEQeH7sQ=,tag:y5U1T1vV/mmdE/CeaeTR8g==,type:str]
-    chat: ENC[AES256_GCM,data:8w/0EI64a1dC,iv:dHu9JHcUY7QPd9YBKXnrRXQB2K6jpnLrSFs+1IJmkio=,tag:3ucN3uNnBxxRF+cbLsa1nQ==,type:str]
-xray-server:
-    clients:
-        #ENC[AES256_GCM,data:aAZS,iv:Z+iJG7yC6HJeNdKCCpsZSc9Ny7kAt6GYfXUtZozMb4A=,tag:iMfwjqqmLvu5a8YpF7a0zQ==,type:comment]
-        user0: ENC[AES256_GCM,data:Q8MFrN/3SRgzSlwTx2GmpP/gvG1vpYiVgjsESzUoomsJaigP,iv:oLsf7AX3FE0tFOkJAbqrZVrCa6UxKjp450Sl1rs2Vs0=,tag:5w+AX0p4Or1GAQsEU3NxOQ==,type:str]
-        #ENC[AES256_GCM,data:j3zVwqHmag==,iv:8+ol60wNlbV2RzMBe47VxIrZuec8aXDUNcQvHcxKuiA=,tag:1AgCMfZf9vzWiWDS6hkw2Q==,type:comment]
-        user1: ENC[AES256_GCM,data:ucCiL7uoSafFUP9IiwKOjJqgwNxNLmuHxYXsLYl0fBgbCT3F,iv:RbNPwvSWibODQqySRc+YW65nUvRwaeXT0eDh02sfrwM=,tag:iE7GGrkBxljBT9HdPzDOfA==,type:str]
-        #ENC[AES256_GCM,data:x7dwVDe22M8=,iv:+fT7VUxZGd8SgS0PnEBqHLPLDuywu4s01iWB6TA/BKQ=,tag:CxfP7xSd4L9RBulSfViHaQ==,type:comment]
-        user2: ENC[AES256_GCM,data:e6PbRg30dzOJSXNmU6TML4AaFsSWEvZwN7MHAEX6fEW2p3hW,iv:Y+YYAO6hY9e/T8LSCr34M7riGmSzFIocmWwAwWjnZQs=,tag:LTkdGcRyrx7HqvbSYSsv4A==,type:str]
-        #ENC[AES256_GCM,data:j83rYg==,iv:3oEdAoVz7aMcezcy2chTO0LQTtKpTrJJoQZx3PC03BU=,tag:ABteEIyr2Y6MbGQhmrQySQ==,type:comment]
-        user3: ENC[AES256_GCM,data:Uk0Ax9FVzmmYs+ggWy7z6FEkuj2tppGlvnQdoW6PDI1VA9oI,iv:wSxigXleRUalQR1/TzKfdUVrdyEUuq+Wg42gSv1QMAI=,tag:qn6nBWv6MlGhMarCfI13BA==,type:str]
-    private-key: ENC[AES256_GCM,data:TarrinCFzWkB5zCc7i7f3B3tFfxrF+cGnrg4bw9CAGKWBazSJHCviY8Imw==,iv:azHdrc6AlgS9RPwGVsYRb8bBeC/askCdut1rnv9TA3I=,tag:AT2lLraKVgbp9GmlLJiI+w==,type:str]
-writefreely:
-    chn: ENC[AES256_GCM,data:YvhPa69sVdiljm9Ix6yQh6YCEpFvC9iw5Yx72MBcGr7+swdbvWDAfMmGFY066mAPvhpwZX/IEivKvrS0t/OSnw==,iv:7s2yEb30YaCAtNeevbur0HL28nXHVIqmCx6Bngh+HWk=,tag:yx0JK8RNQMVcYLBSxNj+uw==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWb0FWUkoxeWZ4K1lOb2k5
-            cUZXQktjSTY3djFZOEJyL1dWd0dmWHV4Y3dzClMvSWNiNk9YSzFoRmhQSG9wb1NG
-            ejRUeStyKy9qYWFwWHJraXFWREdhZFkKLS0tIExMb3VCWm13ZkJ3UXcrM3IrRGQv
-            ZjhMWlAyRUpUYkVjb2lidHZPNkg4SUEKctTzocxhVXJ56sHH4BO6QkS5Rn9k/y2U
-            IrZHT9b3nyyyZxhctOArjBXohwt1asNeAe7qsTypTtAMgKTRwggX9Q==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age137x7csalutwvfygvvzpemlsywvdxj3j4z93a50z2sjx03w6zau8q3r5902
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1Vi8vRTFFTW5tNW9OdnNQ
-            MEpxeXY5MnRzTE9GUkRLMVl1cTRBcU1FSmhnCkdmY3RCcy9oS2lZOVJ0Ni9RL041
-            UWo0TkxMblRqSkZoaDVYZm9xRFBCeDgKLS0tIEFVVkl0bUdoN3FVcThVRHpmVEJk
-            SnFHS1Z0SXUzTFdEd29KTy9DU3Y3R0UKfhh+rUmWDrf+UGjclP57dHipPLFoXSqy
-            HdelmfV6q4/c7ppx2E+oZw3VNgoZCsrxxzYZfwxHJiZb+5vkE0D8iA==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-09-02T23:57:33Z"
-    mac: ENC[AES256_GCM,data:Tp7uSF3G1WALzv7jPSXGyIJbwYLHz4sF73NUoAI6KPboLs3juhDiZjJfkBkIIv4BawWNTvvAQfBL6hbpPbn3bLpkTvU8TiHyP9yiY5kJkid37I2s8KOHHaxKSu4CXlkAeXdZX0I1iujAOsKYUd2GnN19V07K0qwCtZOVvZXvjsk=,iv:fcsE7qXrcoaRdTv0C4nmfNvIDXtTXiKyF7TCfnkvRPg=,tag:Dgdq4gT2lzhkXZ10uUCwwQ==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.9.0
--- a/devices/xmuhk/README.md
+++ b/devices/xmuhk/README.md
@@ -0,0 +1,21 @@
+# install nix
+
+1. download [nix-portable](https://github.com/DavHau/nix-portable),
+  move the executable file to `$PATH`, rename it to `nix-portable` and make it executable.
+2. create several symlinks (including `nix` `nix-store` etc.) to it.
+3. create file `~/.config/nix/nix.conf` with the following content: `ignored-acls = lustre.lov`
+4. run `nix --version`, wait for it to initialize and print the version.
+
+# install or update packages
+
+1. run `nix build github:CHN-beta/nixos#xmuhk` elsewhere (on NixOS is better, to avoid impure from FHS envs)
+2. `nix-store --export $(nix-store -qR ./result) | xz -T0 | pv > xmuhk.nar.xz`
+3. copy `xmuhk.nar.xz` to hpc, import it with `cat xmuhk.nar.xz | nix-store --import`
+4. create gcroot symlink: `ln -s /nix/store/xxxx-xmuhk ~/.nix-portable/nix/var/nix/gcroots/current`
+5. optionally `nix gc`
+6. create `nix-exec` in `$PATH` with the following content, make it executable:
+   ```sh
+   #!/usr/bin/env sh
+   nix shell ~/.nix-portable/nix/var/nix/gcroots/current -c "$(basename "$0")" "$@"
+   ```
+7. make symlinks to `nix-exec` for needed commands, e.g. `ln -s singularity nix-exec`
--- a/devices/xmuhk/default.nix
+++ b/devices/xmuhk/default.nix
@@ -0,0 +1,71 @@
+# sudo nix build --store 'local?store=/public/home/xmuhk/.nix/store&state=/public/home/xmuhk/.nix/state&log=/public/home/xmuhk/.nix/log' .#xmuhk
+# sudo nix-store --store 'local?store=/public/home/xmuhk/.nix/store&state=/public/home/xmuhk/.nix/state&log=/public/home/xmuhk/.nix/log' -qR ./result | sudo xargs nix-store --store --store 'local?store=/public/home/xmuhk/.nix/store&state=/public/home/xmuhk/.nix/state&log=/public/home/xmuhk/.nix/log' --export > data.nar
+# cat data.nar | nix-store --import
+{ inputs, localLib }:
+let
+  pkgs = import inputs.nixpkgs (localLib.buildNixpkgsConfig
+  {
+    inputs = { inherit (inputs.nixpkgs) lib; topInputs = inputs; };
+    nixpkgs = { march = null; cuda = null; nixRoot = "/public/home/xmuhk/.nix"; };
+  });
+  # go = pkgs.go.overrideAttrs (prev:
+  # {
+  #   buildInputs = builtins.filter (x: x != pkgs.glibc.static) prev.buildInputs;
+  # });
+  # buildGoModule = pkgs.buildGoModule.override { inherit go; };
+  # singularity = (pkgs.singularity.override { inherit buildGoModule; }).overrideAttrs (prev:
+  # {
+  #   configureFlags = builtins.filter (x: x != "--without-libsubid") prev.configureFlags;
+  #   buildInputs = prev.buildInputs ++ [ pkgs.shadow ];
+  #   # env.CGO_ENABLED = "1";
+  #   # autoPatchelfFlags = [ "--keep-libc" ];
+  # });
+  singularity = pkgs.singularity.overrideAttrs (prev:
+  {
+    configureFlags = builtins.filter (x: x != "--without-libsubid") prev.configureFlags;
+    buildInputs = prev.buildInputs ++ [ pkgs.shadow ];
+    # env.CGO_ENABLED = "1";
+    # autoPatchelfFlags = [ "--keep-libc" ];
+  });
+  lumericalLicenseManager = 
+    let
+      ip = "${pkgs.iproute2}/bin/ip";
+      awk = "${pkgs.gawk}/bin/awk";
+      sed = "${pkgs.gnused}/bin/sed";
+      chmod = "${pkgs.coreutils}/bin/chmod";
+      sing = "${singularity}/bin/singularity";
+    in pkgs.writeShellScriptBin "lumericalLicenseManager"
+    ''
+      echo "Cleaning up..."
+      rm -rf /tmp/lumerical
+      mkdir -p /tmp/lumerical
+
+      echo 'Searching for en* interface...'
+      iface=$(${ip} -o link show | ${awk} -F': ' '/^[0-9]+: en/ {print $2; exit}')
+      if [ -n "$iface" ]; then
+        echo "Found interface: $iface"
+        echo 'Extracting MAC address...'
+        mac=$(${ip} link show "$iface" | ${awk} '/link\/ether/ {print $2}' | ${sed} 's/://g')
+        echo "Extracted MAC address: $mac"
+      else
+        echo "No interface starting with 'en' found." >&2
+        exit 1
+      fi
+
+      echo 'Creating license file...'
+      cp ${inputs.self.src.lumerical.licenseManager.sifImageFile} /tmp/lumerical/license.txt
+      ${chmod} +w /tmp/lumerical/license.txt
+      ${sed} -i "s|xxxxxxxxxxxxx|$mac|" /tmp/lumerical/license.txt
+      ${sed} -i 's|2022.1231|2035.1231|g' /tmp/lumerical/license.txt
+
+      echo "Starting license manager..."
+      ${sing} run --pwd /home/ansys_inc/shared_files/licensing --writable-tmpfs \
+        ${inputs.self.src.lumerical.licenseManager.sifImageFile}
+    '';
+in pkgs.symlinkJoin
+{
+  name = "xmuhk";
+  paths = (with pkgs; [ hello ]) ++ [ lumericalLicenseManager ];
+  postBuild = "echo ${inputs.self.rev or "dirty"} > $out/.version";
+  passthru = { inherit pkgs singularity; };
+}
--- a/devices/xmuhk/files/.config/nix/nix.conf
+++ b/devices/xmuhk/files/.config/nix/nix.conf
@@ -0,0 +1 @@
+store = local?store=/public/home/xmuhk/.nix/store&state=/public/home/xmuhk/.nix/state&log=/public/home/xmuhk/.nix/log
--- a/devices/xmupc1/README.md
+++ b/devices/xmupc1/README.md
@@ -1,298 +0,0 @@
-# 硬件
-
-* CPU：16 核 32 线程。
-* 内存：96 G。
-* 显卡：
-  * 4090：24 G 显存。
-  * 3090：24 G 显存。
-  * 2080Ti: 12 G 显存。
-* 硬盘：2 T。
-
-# 队列系统（SLURM）
-
-## 基本概念
-
-SLURM 是一个用来对任务排队的系统，轮到某个任务时，再调用其它程序来执行这个任务。
-
-## 常用命令
-
-我做了一个 TUI 界面，用起来比较简单，大多情况下可以满足需求。命令为：
-
-```bash
-sbatch-tui
-```
-
-或
-
-```bash
-sbatch
-```
-
-如果需要在提交任务时指定更详细的细节，或者要编写脚本批量提交任务，则在 `sbatch` 后面加上参数，这时是直接调用来自 SLURM 的 `sbatch` 命令。
-常用的参数见下文。更详细的内容见 SLURM 的官方文档。
-
-提交一个 VASP GPU 任务的例子：
-
-```bash
-sbatch --gpus=1 --ntasks-per-gpu=1 --job-name="my great job" --output=output.txt vasp-nvidia
-```
-
-* `--gpus` 指定使用GPU 的情况：
-  * 要占用任意一个 GPU（排到这个任务时哪个空闲就使用哪个），写 `--gpus=1`。要占用任意两个就写 `--gpus=2`，以此类推。
-    但一般来说，**单个任务不要占用超过一个 GPU**，多个显卡的速度会比单个更慢。
-  * 要指定具体使用哪个 GPU 时，写 `--gpus=4090:1`。2080 Ti 需要写为 `2080_ti`，P5000 需要写为 `p5000`。
-  * 当需要使用多个不同类型的显卡（例如，指定使用一个 3090 和一个 4090）时，写 `--gres=gpu:3090:1,gpu:4090:1`。
-* `--ntasks-per-gpu=1` 对于 VASP 来说一定要写。
-* `--job-name=xxx` 指定任务的名字。可以简写为 `-J`。也可以不指定。
-* 默认情况下，一个 task 会搭配分配一个 CPU 核（一个线程），一般已经够用。如果一定要修改，用 `--cpus-per-task`。
-* `vasp-nvidia` 指调用 std 版本，要使用 gam 或 ncl 版本时，写为例如 `vasp-nvidia-gam`。
-
-提交一个 VASP CPU 任务的例子：
-
-```bash
-sbatch --ntasks=4 --cpus-per-task=4 --hint=nomultithread --job-name="my great job" --output=output.txt vasp-intel
-```
-
-* `--ntasks=4 --cpus-per-task=4` 指定使用占用多少核。
-  * CPU 的调度是个非常复杂的问题，而且 slurm 和 Intel MPI 之间的兼容性也不算好，因此**推荐照抄下面的设置**。
-    也可以自己测试一下怎样分配更好，但不要随意地设置。不同的设置会成倍地影响性能。
-    * 对于 xmupc1：`--ntasks=3 --cpus-per-task=4`。
-    * 对于 xmupc2：`--ntasks=4 --cpus-per-task=10`。
-* `--hint=nomultithread` 记得写。
-* `--job-name=xxx` 指定任务的名字。可以简写为 `-J`。也可以不指定。
-* `vasp-intel` 指调用 std 版本，要使用 gam 或 ncl 版本时，写为例如 `vasp-intel-gam`。
-
-要把其它程序提交到队列里，也是类似的写法。请自行举一反三。
-
-要列出已经提交（包括已经完成、取消、失败）的任务：
-
-```bash
-squeue -t all -l
-```
-
-取消一个任务：
-
-```bash
-# 按任务的 id 取消
-scancel 114514
-# 按任务的名字取消
-scancel -n my_great_job
-# 取消一个用户的所有任务
-scancel -u chn
-```
-
-要将自己已经提交的一个任务优先级提到最高（相应降低其它任务的优先级，使得总体来说不影响别人的任务）：
-
-```bash
-scontrol top 114514
-sudo scontrol update JobId=3337 Nice=-2147483645
-```
-
-要显示一个任务的详细信息（不包括服务器重启之前算过的任务）：
-
-```bash
-scontrol show job 114514
-```
-
-要显示一个任务的详细信息（包括服务器重启之前算过的任务）：
-
-```bash
-sacct --units M --format=ALL -j 114514 | bat -S
-```
-
-## `sbatch` 的更多参数
-
-```bash
-# 提交一个新任务，但是礼让后面的任务（推迟到指定时间再开始排队）
--begin=16:00 --begin=now+1hour
-# 指定工作目录
--chdir=/path/to/your/workdir
-# 指定备注
--comment="my great job"
-# 指定任务的 ddl，算不完就杀掉
--deadline=now+1hour
-# 标准错误输出写到别的文件里
--error=error.log
-# 将一些环境变量传递给任务（=ALL是默认行为）
--export=ALL,MY_ENV_VAR=my_value
-# 不传递现在的环境变量
--export=NONE
-# 打开一个文件作为标准输入
--input=
-# 发生一些事件（任务完成等）时发邮件
--mail-type=NONE,BEGIN,END,FAIL,REQUEUE,ALL --mail-user=chn@chn.moe
-# 要求分配内存（不会真的限制内存使用，只是在分配资源时会考虑）
--mem=20G --mem-per-cpu --mem-per-gpu
-# 输出文件是否覆盖
--open-mode={append|truncate}
-# 指定输出文件
-o, --output=<filename_pattern>
-# 不排队，直接跑（超额分配）
-s, --oversubscribe
-# 包裹一个二进制程序
--wrap=
-# 设置为最低优先级
--nice=10000
-```
-
-# 支持的连接协议
-
-## SSH
-
-ssh 就是 putty winscp 之类的工具使用的那个协议。
-
-* 地址：xmupc1.chn.moe
-* 端口：6007
-* 用户名：自己名字的拼音首字母
-* 可以用密码登陆，也可以用证书登陆。
-
-从一台服务器登陆到其它服务器，只需要使用 `ssh`` 命令：
-
-```bash
-ssh jykang
-ssh xmupc1
-ssh xmupc2
-ssh user@host
-```
-
-直接从另外一台服务器下载文件，可以使用 `rsync` 命令：
-
-```bash
-rsync -avzP jykang:/path/to/remote/directory_or_file /path/to/local/directory
-```
-
-将另外一个服务器的某个目录挂载到这个服务器，可以使用 `sshfs` 命令：
-
-```bash
-sshfs jykang:/path/to/remote/directory /path/to/local/directory
-```
-
-用完之后记得卸载（不卸载也不会有什么后果，只是怕之后忘记了以为这是本地的目录，以及如果网络不稳定的话，运行在这里的软件可能会卡住）：
-
-```bash
-umount /path/to/local/directory
-```
-
-如果不喜欢敲命令来挂载/卸载远程目录，也可以 RDP 登陆后用 dolphin。
-
-## RDP
-
-就是 windows 那个远程桌面。
-
-* 地址：xmupc1.chn.moe
-* 用户名：自己名字的拼音首字母
-* 密码和 ssh 一样（使用同样的验证机制）。
-
-RDP 暂时没有硬件加速（主要是毛玻璃之类的特效会有点卡）。
-
-记得在连接时，点击“显示选项”，将“体验”中的连接速度改为“LAN（10 Mbps 或更高）”，不然会很卡。
-
-## samba
-
-samba 就是 windows 共享文件夹的那个协议。
-
-* 地址：因为懒得管理暂时禁用。
-
-在 windows 上，可以直接在资源管理器中输入 `\\xmupc1.chn.moe` 访问。
-也可以将它作为一个网络驱动器添加（地址同样是 `\\xmupc1.chn.moe`）。
-
-# 计算软件
-
-## VASP
-
-VASP 有很多很多个版本，具体来说：
-
-* VASP 可以用不同的编译器编译。目前安装的有：nvidia、intel。nvidia 使用 GPU 计算，intel 能用 CPU 计算。其它版本性能不佳，没有安装。
-* VASP 的 std/gam/ncl 版本有一点区别，一般用 std，只有一个 gamma 点的时候用 gam 会快一点，系统中存在方向不平行的磁矩时必须用 ncl。
-* 无论哪个版本，都集成了下面这些补丁：
-  * HDF5：用于生成 hdf5 格式的输出文件。
-  * wannier90：我也不知道干啥的，随手加上的。
-  * OPTCELL：如果存在一个 `OPTCELL` 文件，VASP 会据此决定弛豫时仅优化哪几个晶胞参数。
-  * MPI shared memory：用来减小内存占用。
-  * VTST tools：用来计算 neb。
-
-如何提交 VASP 到队列系统已经在上面介绍过了。下面的例子是，如果要直接运行一个任务的写法：
-
-```bash
-vasp-nvidia-env mpirun -np 1 -x CUDA_DEVICE_ORDER=PCI_BUS_ID -x CUDA_VISIBLE_DEVICES=0 -x OMP_NUM_THREADS=4 vasp-std
-vasp-intel-env mpirun -n 2 -genv OMP_NUM_THREADS=4 vasp-std
-```
-
-其中 `CUDA_VISIBLE_DEVICES` 用于指定用哪几个显卡计算（多个显卡用逗号分隔）。
-要查看显卡的编号，可以用 `CUDA_DEVICE_ORDER=PCI_BUS_ID vasp-nvidia-env nvaccelinfo` 命令。
-
-这里 `vasp-xxx-env` 命令的作用是，进入一个安装了对应版本的 VASP 的环境，实际上和 VASP 关系不大；
-  后面的 `mpirun xxx` 才是真的调用 VASP。
-所以实际上你也可以在这个环境里做别的事情，例如执行上面的 `nvaccelinfo` 命令。
-
-要使用 VTST tools 里带的脚本，需要在命令前加上 `vtstscripts` 。例如：
-
-```bash
-vtstscripts dist.pl POSCAR.init POSCAR.final
-```
-
-## mumax
-
-问龚斌，我没用过。
-
-## lammps
-
-除了我应该没人用，就不写了。
-
-## quantum espresso
-
-我也只用过一次。大规模用到了再说吧。
-
-# 其它软件
-
-我自己电脑上有的软件，服务器都有装，用于科研的比如 VESTA 什么的。可以自己去菜单里翻一翻。
-
-## 操作系统
-
-操作系统是 NixOS，是一个相对来说比较小众的系统。
-它是一个所谓“函数式”的系统。
-也就说，理想情况下，系统的状态（包括装了什么软件、每个软件和服务的设置等等）是由一组配置文件唯一决定的（这组配置文件放在 `/etc/nixos` 中）。
-要修改系统的状态（新增软件、修改设置等等），只需要修改这组配置文件，然后要求系统应用这组配置文件就可以了，
-  系统会自动计算出应该怎么做（增加、删除、修改哪些文件，重启哪些服务等等）。
-这样设计有许多好处，例如可以方便地回滚到之前任意一个时刻的状态（方便在调试时试错）；
-  一份配置文件可以描述多台机器的系统，在一台上调试好后在其它机器上直接部署；
-  以及适合抄或者引用别人写好的配置文件。
-
-以上都是对于管理员来说的好处。对于用户来说的好处不是太多，但是也有一些。
-举个例子，如果用户需要使用一个没有安装的软件（例如 `phonopy`，当然实际上这个已经装了），只需要在要执行的命令前加一个逗号：
-
-```bash
-, phonopy --dim 2 2 2
-```
-
-系统就会帮你下载所有的依赖，并在一个隔离的环境中运行这个命令（不会影响这之后系统的状态）。
-
-还有一个命令可能也有用，叫 `try`。
-它会在当前的文件系统上添加一个 overlay，之后执行的命令对文件的修改只会发生在这个 overlay 上；
-  命令执行完成后，它会告诉你哪些文件发生了改变，然后可以选择实际应用这些改变还是丢弃这些改变。
-例如：
-
-```bash
-try phonopy --dim 2 2 2
-```
-
-这个命令和 NixOS 无关，只是突然想起来了。
-
-## 文件系统
-
-文件系统是 BtrFS。它的好处有：
-
-* 同样的内容只占用一份空间；以及内容会被压缩存储（在读取时自动解压）。这样大致可以节省一半左右的空间。
-  例如现在 xll 目录里放了 213 G 文件，但只占用了 137 G 空间。
-* 每小时自动备份，放置在 `/nix/persistent/.snapshots` 中，大致上会保留最近一周的备份。如果你误删了什么文件，可以去里面找回。
-
-## ZSH
-
-所谓 “shell” 就是将敲击的一行行命令转换成操作系统能理解的系统调用（C 语言的函数）的那个东西，也就是负责解释敲进去的命令的意思的那个程序。
-
-大多情况下默认的 shell 是 bash，但我装的服务器上用 zsh。
-zsh 几乎完全兼容 bash 的语法，除此以外有一些顺手的功能：
-* 如果忘记了曾经输入过的一个命令，输入其中的几个连续的字母或者单词（不一定是开头的几个字母），然后按 `↑` 键，就会自动在历史命令中依次搜索。
-  例如我输入 `install` 按几下 `↑` 键，就可以找到 `sudo nixos-rebuild boot --flake . --install-bootloader --option substituters https://nix-store.chn.moe` 这个东西。
-* 如果从头开始输入一个曾经输入过的命令，会用浅灰色提示这个命令。要直接补全全部命令，按 `→` 键。要补全一个单词，按 `Ctrl` + `→` 键。
-* 常用的命令，以及常用命令的常用选项，按几下 `tab` 键，会自动补全或者弹出提示。
--- a/devices/xmupc1/default.nix
+++ b/devices/xmupc1/default.nix
@@ -1,97 +0,0 @@
-inputs:
-{
-  config =
-  {
-    nixos =
-    {
-      system =
-      {
-        fileSystems =
-        {
-          mount =
-          {
-            # TODO: reparition
-            vfat."/dev/disk/by-uuid/467C-02E3" = "/boot";
-            btrfs =
-            {
-              "/dev/disk/by-uuid/2f9060bc-09b5-4348-ad0f-3a43a91d158b"."/nix" = "/nix";
-              "/dev/disk/by-uuid/a04a1fb0-e4ed-4c91-9846-2f9e716f6e12" =
-              {
-                "/nix/rootfs" = "/nix/rootfs";
-                "/nix/persistent" = "/nix/persistent";
-                "/nix/nodatacow" = "/nix/nodatacow";
-                "/nix/rootfs/current" = "/";
-              };
-            };
-          };
-          swap = [ "/nix/swap/swap" ];
-          rollingRootfs = {};
-        };
-        nixpkgs =
-        {
-          march = "znver3";
-          cuda =
-          {
-            enable = true;
-            capabilities =
-            [
-              # p5000 p400
-              "6.1"
-              # 2080 Ti
-              "7.5"
-              # 3090
-              "8.6"
-              # 4090
-              "8.9"
-            ];
-            forwardCompat = false;
-          };
-        };
-        gui = { enable = true; preferred = false; autoStart = true; };
-        networking.hostname = "xmupc1";
-        nix.remote.slave.enable = true;
-      };
-      hardware = { cpus = [ "amd" ]; gpu.type = "nvidia"; };
-      virtualization = { waydroid.enable = true; docker.enable = true; kvmHost = { enable = true; gui = true; }; };
-      services =
-      {
-        snapper.enable = true;
-        sshd = { passwordAuthentication = true; groupBanner = true; };
-        xray.client.enable = true;
-        firewall.trustedInterfaces = [ "virbr0" "waydroid0" ];
-        smartd.enable = true;
-        beesd.instances =
-        {
-          root = { device = "/"; hashTableSizeMB = 16384; threads = 4; };
-          nix = { device = "/nix"; hashTableSizeMB = 512; };
-        };
-        wireguard =
-        {
-          enable = true;
-          peers = [ "vps6" ];
-          publicKey = "JEY7D4ANfTpevjXNvGDYO6aGwtBGRXsf/iwNwjwDRQk=";
-          wireguardIp = "192.168.83.6";
-        };
-        slurm =
-        {
-          enable = true;
-          cpu = { cores = 16; threads = 2; mpiThreads = 3; openmpThreads = 4; };
-          memoryMB = 94208;
-          gpus = { "2080_ti" = 1; "3090" = 1; "4090" = 1; };
-        };
-        xrdp = { enable = true; hostname = [ "xmupc1.chn.moe" ]; };
-        samba =
-        {
-          enable = true;
-          hostsAllowed = "";
-          shares = { home.path = "/home"; root.path = "/"; };
-        };
-        groupshare = {};
-        hpcstat = {};
-      };
-      bugs = [ "xmunet" "amdpstate" ];
-      user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "zzn" ];
-    };
-    services.hardware.bolt.enable = true;
-  };
-}
--- a/devices/xmupc1/secrets/default.yaml
+++ b/devices/xmupc1/secrets/default.yaml
@@ -1,59 +0,0 @@
-acme:
-    token: ENC[AES256_GCM,data:KKMdZgzciiM+n0Hdsb8vivjmCw6SiqJMbEAmvFwFQgvS9zpCNSyh+g==,iv:GbNJrVLmFudVzgoLdf+j8JsEPRvrQhBu3+2585grReQ=,tag:3tNL+2hoz2R9aOz0TUTjVQ==,type:str]
-nginx:
-    maxmind-license: ENC[AES256_GCM,data:/7R7w+fiMw54Cmd7y/wT/s8RMqFMf3Fc0Mph0ZhURmCzowkmLEhtmw==,iv:i+Z+2NbssI864Edwf73SQfaeFuWoqr+U8eQ/8R23FOk=,tag:8ITlkS97vlsmHM1HDk6/3A==,type:str]
-xray-client:
-    uuid: ENC[AES256_GCM,data:4PM/d263HgBseIgRplgo5ahJ8u8HuPznXt2hW5O+VawS6WjP,iv:98Ymj4eiCGQPMcaHBI9zJAaRagm82mF0LY2c9bzA+/s=,tag:8imXq/hxAxS5XKy0uWIBPw==,type:str]
-wireguard:
-    privateKey: ENC[AES256_GCM,data:Azaqung7llErB7/IdnOnEkwjQ39yQHKcO7VgvMDCDTExM7nS0zx+yMYX4ls=,iv:FX8oLHMBVEnKkYOg8q2A9vFmtRZDws5T87+lEl7+2G8=,tag:DdOQUbNKB6JK7Tp6McQ0Og==,type:str]
-users:
-    #ENC[AES256_GCM,data:1RG/IM/UrLCk,iv:LY2QCBN0gYwuhVwS/WIrjt4MEHhjPPQG+cjTZJhU6Zc=,tag:AEL+smmitSqW+D70K74LbQ==,type:comment]
-    xll: ENC[AES256_GCM,data:YauaeGHDVAnMXp9hSz4r4jNsioF79Q+WplfsYGpl4g5FxoakhfjRlnfzrLmMO3mWEIBOmDqeShbDEulyV5O47CIBGaMUUHe+Gg==,iv:RNwRfghJBb0PO4A/T5d5J1U0NsXdygXlWq/FfF8MO4U=,tag:BOh666TYGbCCHcgB/uBhTw==,type:str]
-    #ENC[AES256_GCM,data:zxOQcoOzJNBK,iv:YJQB8lV+nhwm5XYMpDIyt0IDHBlHTiHO8cpgXkXe/dQ=,tag:re5ekGkYRewPdxv83mtLUQ==,type:comment]
-    zem: ENC[AES256_GCM,data:bIxVN4T3Gh3aSa1gylkPmW3/uT5xQAlruC+L3zk0Tc3KvwBCQA5DpxXU8ZxjeK0P0xGi02U7gFWgm+yxp6otdCsUEmWed4EHHw==,iv:vpKpY0nRUwuI5mCcYTOD3zN/E21wHl4ZbRDUPoFmdhQ=,tag:m5WTzCgOTC7oqU4yfV9gkQ==,type:str]
-    #ENC[AES256_GCM,data:ZnMFN0WzjKDd,iv:t1YHrNoHOohYsdBOqoV6OtfS5ig6CTS8jW5mKy0oSQA=,tag:WkgrH1ZXcbHruxJY/hVsmg==,type:comment]
-    yjq: ENC[AES256_GCM,data:ua0DINHutjt2Pk+SfHRQRV99mT3Cnw6rRKO8VRIAlP0dY6QhK9wkNdyRYWYRBKVrWgyFQMGNFYAxIpymjF/X7mBOVI2sOHLgkw==,iv:PUZ6S0KICuqoSA2sDLxdL4gtAOQnQXOUY+5f3qDZgpc=,tag:f39P34vAUOrV23BsKkRarA==,type:str]
-    #ENC[AES256_GCM,data:6qNjSdjck4Vz,iv:c/GNqCNgRgwgL+2f6Vumtjb/ub9WCBSy8R02NRCDqk8=,tag:b/tucJsHTjSfcK0vgHtE8A==,type:comment]
-    gb: ENC[AES256_GCM,data:3eAKBiJoC1owCHTFd3Xq8vI8VK980evePc92xCXJJ21M9D1MdbwN8ySZ3Ovjk7VfQmEo8oRv1Ll1sftyrXYoeTHmJsNDxCpR6A==,iv:Ju/ERNuGrgO5kYlbvmkbLJkgiW3Elou34AsJTFITCUg=,tag:POVlxYh9kZ1BMSbt97IVOQ==,type:str]
-    #ENC[AES256_GCM,data:/2y613pek/CO,iv:gqSh74Ac0BxPdO+fOsQ0K8t2YduwyTVOjMq/A5Wmoz0=,tag:jLUYXu7f27FruwH5rUUZSA==,type:comment]
-    wp: ENC[AES256_GCM,data:3jeHpeu1YlFhK2+o19q2/JyJPhZFivPbUQzJJbJZ15GzAVh7i1VsTSN31LufXAgsC8KjZHAPhEZlGYvnGpCvPzoISQa5NVAJdQ==,iv:bL3ohgbjA2agFKDwgw0H3LgiHTWB4Y5KlQAtHfEMr+w=,tag:SfLtj7iDcmV3dgOlITFvxA==,type:str]
-    #ENC[AES256_GCM,data:YIlY7n5pcJTp,iv:Y/+ogxaMgSl0vcMPRr3qdSHjjnnhY+N2Q6jFojzIDyQ=,tag:zat02jxJ8jI2uk8noslmHQ==,type:comment]
-    hjp: ENC[AES256_GCM,data:Ii4P9ZsUOEh3cqt3AKWlgUH1CMNnmHln9QNWdTRR3vZXkkR5j5qKAIrAltml/i3xFlt4hftYNufnupog4UlAVWQJhYBlhCSE4g==,iv:eKWmUcKItjd1dsvVP1se5CAhIFqV/eVH03gPJhBau1E=,tag:ZTE0BTSoDpJGqECklGjs2g==,type:str]
-    #ENC[AES256_GCM,data:hCgqHfpmeJ1Z,iv:pEKUNxhUyNAVtniTIQ2IpMPmXr2O+twq2/3Y2lIoqdw=,tag:RTqcI0XCoOymQD3r4+yS9Q==,type:comment]
-    zzn: ENC[AES256_GCM,data:/CSffToFJiBotXZ5rPkz0UNgI/iC0ftusPF2Ce6Of3XckjpCcikWj6n3ahJ24XsWQjp3EvacOiBorh+Kg16LjCEl0P2RMIitTQ==,iv:u9IFdp/jw7ehTshPzQVssLeh33iBYCPjSyJSLsc5EVo=,tag:/KXgmU7dcTKG8C4Y7NcMhw==,type:str]
-mariadb:
-    slurm: ENC[AES256_GCM,data:qQMD8SKNmxb3PdScXNqppF9zkX7dV5i7rvljvZuhiI5zLnu77qYCHBW6ymh0mrY14N9NjxmQZhZWX/H8TvBlcg==,iv:J5N3LjCYW3QmuEkMBpl7qvPFW1Z9ZoPLkj45jKcIW9U=,tag:Tl+ld07+lVkmzt7f/f2MqQ==,type:str]
-hpcstat:
-    key: ENC[AES256_GCM,data:POK329h/joF7WdSBwSE1EkYH/pZ9X+wiTKcVWLZjmh7gM9d7HONbN/PqsYNFTHJVR0GgysqpLEcPN2OFGs/SSeH86o04cAdjAVznKZgt1Q34QGYy6b+io15P3lbmK0kTKmeGt5qEhGkBh6BVBoSyqbKAknvUqJ17ZkL17kyRaKffm3Zais7keEJCFdyRF6oSz2kl2CvEmKNWPWDdO9EpgqgYlm9mwu95/k9Hx5eyUjiFpxc3fdFTESGbe0ZYAqKQ0eLFfLLorQp0pAzxCbbxIzZEgyxjzkICXKa1n7Zz6h1ON2Rsqq0Q4hEYJdWGLtvOH/VLVxvNWjW4Er6i3lWGhZRiDDrxLErQGONI+X7QqbneFCnMCZGln3pAfNtOr+KX58ij/egyzmb7bKZrARqnm+X+/I/L0+VS1PfDdLP53GaX7mfKYpcH6z7O2F/zjpuXQTV8njs64YlvgyYXsCaghEUBzehsruwRsBEkTIb4R2AlqItpbesMnNNUJ4Cr/B7Bw6O+gHeJ+oK4ZPBYbgso,iv:B2eWjydl8m8nbcPw2fZfxCnj57utWM9ABj2eJ1pRKWQ=,tag:5W9ZwVSJvm1KvZnf/E5Tug==,type:str]
-telegram:
-    token: ENC[AES256_GCM,data:Mu7guAFUu+UoHvo/h1blcI6Kg3mvng6zNc/HKXuCdf73ujziK0mXwPcf7t7d/w==,iv:BkA4d0OJ4lTD7csZJQHcDnYe7SYcFbwRVYOQAWOQ2lQ=,tag:GuJ4z5pe2znTY3xNT2WF+w==,type:str]
-    chat: ENC[AES256_GCM,data:OC8ElUPmfsVL,iv:WgZMJP2ugZbqZyihdNtL1xMH8u9VpLNzO8DGpDL4w4k=,tag:u4cKABikuMUbCIm5zCnk6A==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5RWIreCtMeTZ0UE9Zd2di
-            VE9tR0x6SUNyWjlPV1BqMU5Tb0RTSXNGN2hNCkxuVjFFb0xJZTBMekxqdE96RlRh
-            czF0dHQxdVhsNE5tVWg0Q2RmYktsWDgKLS0tIFY3dHRlbFpsWUsyTzA3RVR1Qyts
-            UUJHMU13cm1lOXhRYzhSWlFyTFltYWcKDUxABRGskWWpHEFL44gHYzAqaQ3AmBDt
-            LcL/4IiEs3TwOpuY+WTVx8JKZBOsxcSlNahiDuCnoTbL4gZTPnd0pA==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1hnarptkze0ujpp05dqr8uma04cxg9zqcx68qgpks5uf5l6rpk5gqhh8wxg
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwbHd4ZHhsTk5leDlreC9E
-            TVAzRXVuS0Judk5zTGVWRVhWSUhpMFdscEg0ClVFYzZYZG9hNjJKTlRVZ1I3eXVq
-            M2Y5by85dE1QM25yQ3g3bFVSL2tsVlkKLS0tIHVYbGxrT0hOQkZ5SHBsQ3UyaVly
-            ZDNHUjE2QVlCV3p0NHdKYW5IMHVBZzQKkZtfyvfroOntg3yRjMw4jQHiQj8eaB2h
-            IeIHfW4y01mmVT2ofbtB0xYpjcl4gtUlQ8X3tn5iJ9P8gcVo0G598A==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-31T15:59:56Z"
-    mac: ENC[AES256_GCM,data:zd3ivzjgdbwGZpZssHeIwwkKFfHDxo/dzvb8ptw9noZ4hDVoC5RL9M/OLN6GrRM0wtpNFZJDs7Zz0i1zMascXdVu6mou/0il6/96r+FkQVBJWbrkY36Lk7ntDAcQmZKWxSUfSF0JPHx1rbkIQSVtsLQrpui9UDxaY5DP23xjLQg=,iv:+ouEpSlo0EovK0Qh27tm7NXSYncbjEc/EMWfWHIrCqE=,tag:4CHXmsJ4LhFBmbep3Wil3w==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.9.0
--- a/devices/xmupc1/secrets/munge.key
+++ b/devices/xmupc1/secrets/munge.key
@@ -1,24 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:tuEymMXW0f7Rui5wrz/xozphTEq6ffkYIfNIoURFNHwH2Cg+aKHz2ox0gk02BJARhPMDrxCYlChkcrEI0ma/T0eBe9sWz3tA8AOwU1lHSZ06d/JWzW7IUIyTac2mnjt3/jY/qpnR4A8wtHwD0j4zkzXgUgFwq7k/fs24acEE4Jo=,iv:iDTS0xswLrwkOYmfomE5hluVONgJYia/RjINDy7T3R0=,tag:oIYNpFCuT2D+X1QEJJiHew==,type:str]",
-	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
-		"age": [
-			{
-				"recipient": "age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3aFRRa0NsOUp5MEg3UHcx\nc3g1VFZEQS9Tci9QSnNFYnIrT3hUdVU5cWxjCnU5UXVEdTFXczJzcHVvSjF2WHdB\nYmpyQVVaUFozKzJIZThBbXUxb2k2YzAKLS0tIHE1QXVrOXo1Y3VXMzJJYitWU3Qv\neDF1cndrSi94clh1cS9NczN0UW9pOXcKtrnIj3WovMYdcg5nWnnyRhJhTGLrlwxW\nxQ6bmNrfbZedmCNdjY2lPXmudMXJ8YlWe/HGCe94x3iFlaSwCIGUsA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1hnarptkze0ujpp05dqr8uma04cxg9zqcx68qgpks5uf5l6rpk5gqhh8wxg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBocFl1SHJEemRySlBnMmNn\nVW9RS1NNdlo4M3l2WGlQaHJmbDBHcjMwaVVnCnY5WExPOXZJVEdYSlJ6UTRBMGJj\ncmlYaUNVV1hnWTNkaWVuV2VuaXN2eU0KLS0tIDBTYnd2NmVYTUJKaHZWRWo3ZlUx\nTEtPZWc2RE1XNG9WTXFOTllWVUVWeUkK+9aLz1rygGAQjpG+oMNUtrDkQaDfg+2q\nnl/CtZZrFD6NXGw6Di0X5t9fQu295NTJ/0qjXnfMigG8gDtxkE+/7g==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2024-02-26T06:04:53Z",
-		"mac": "ENC[AES256_GCM,data:y0RkPyUwwff95BFL951TxS/x5ORzMsxFJVjopSw+8iVtswD8MT1nmsbwyth4C9OnJ/IAtnZk/CjAt72a68AZpPI+2W/JqJq20ohFoquDNhTlsoyLWdO3Vjrd+Wo3hp0+iKQ3e/uYrF1sTqQO9a3OIxu2sVLM0gEDmIe2nJpLJQo=,iv:EjXTQvVdjzfClNfQ3rPxAFVWVqr7sSOz4ap+nshPEAk=,tag:DcIlf9W7NNqQ+gf8f46MwQ==,type:str]",
-		"pgp": null,
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.8.1"
-	}
-}
--- a/devices/xmupc1/tunnel.md
+++ b/devices/xmupc1/tunnel.md
@@ -1,39 +0,0 @@
-# 使用 SSH 隧道连接
-
-在学校外且不使用厦大 VPN 时，无法直接连接到学校的服务器，可以通过下面的方法连接到：
-  首先连接到 vps6.chn.moe。这个服务器在校外（洛杉矶），因此可以直接连接到。
-  同时，它通过别的方式与学校的服务器保持着连接，利用这个保持着的连接，跳回到学校的服务器。
-
-这个跳转的过程不需要手动操作，只需要将软件设置好即可。
-
-## PuTTY
-
-1. 首先设置一个名为 `vps6` 的会话。
-   1. 在 Session 页，填入 `vps6.chn.moe` 作为 Host Name。
-   2. 在 Connection -> SSH -> Auth -> Credentials 页，在 “Private key file for authentication“ 选择密钥文件。
-   3. 在 Connection -> Data 页，在 “Auto-login username” 填写用户名。
-   4. 回到 Session 页，在 “Saved Sessions” 填入 `vps6` 并点击 “Save” 保存配置。
-2. 再设置一个名为 `wireguard.xmupc1` 的会话。
-   1. 在 Session 页，填入 `wireguard.xmupc1.chn.moe` 作为 Host Name。
-   2. 在 Connection -> SSH -> Auth -> Credentials 页和 Connection -> Data 页，需要修改的设置与在 `vps6` 会话中相同。
-   3. 在 Connection -> Proxy 页，设置 Proxy type 为 `SSH to proxy and use port forwarding`，Proxy hostname 为 `vps6`。
-   4. 回到 Session 页，在 “Saved Sessions” 填入 `wireguard.xmupc1` 并点击 “Save” 保存配置。
-
-之后双击双击 `wireguard.xmupc1` 会话即可连接到学校的服务器。
-
-## WinSCP
-
-1. 在登陆界面，点击 “新建站点”。
-   1. 设置 “文件协议” 为 `SCP`，“主机名” 为 `wireguard.xmupc1.chn.moe`，并输入用户名。
-   2. 然后点击右下角 “高级” 继续修改设置。
-   3. 在 连接 -> 隧道 页，勾选 “通过 SSH 隧道进行连接”，主机名填写 `vps6.chn.moe`，选择密钥文件，并填写用户名。
-   4. 在 SSH -> 验证 页，选择密钥文件。
-   5. 点击 “确定”，再点击 “保存”。
-
-## OpenSSH
-
-下面是一个命令的示例：
-
-```bash
-ssh -J username@vps6.chn.moe username@wireguard.xmupc1.chn.moe
-```
--- a/devices/xmupc2/README.md
+++ b/devices/xmupc2/README.md
@@ -1,29 +0,0 @@
-# 硬件
-
-* CPU：44 核 88 线程。
-* 内存：256 G。
-* 显卡：
-  * 4090：24 G 显存。
-  * ~~P5000：16 G 显存~~暂时拔掉了，否则 4090 供电不够。
-* 硬盘：18 T。
-
-# 支持的连接协议
-
-## SSH
-
-* 地址：xmupc2.chn.moe
-* 端口：6394
-* 用户名：自己名字的拼音首字母
-* 可以用密码登陆，也可以用证书登陆。
-
-## RDP
-
-* 地址：xmupc2.chn.moe:3390
-* 用户名：自己名字的拼音首字母
-* 密码和 ssh 一样（使用同样的验证机制）。
-
-## samba
-
-因端口冲突暂时禁用。
-
-其它内容请阅读 [xmupc1](../xmupc1) 的说明，两台机器的软件大致是一样的。
--- a/devices/xmupc2/default.nix
+++ b/devices/xmupc2/default.nix
@@ -1,79 +0,0 @@
-inputs:
-{
-  config =
-  {
-    nixos =
-    {
-      system =
-      {
-        fileSystems =
-        {
-          mount =
-          {
-            vfat."/dev/disk/by-uuid/23CA-F4C4" = "/boot";
-            btrfs =
-            {
-              "/dev/disk/by-uuid/d187e03c-a2b6-455b-931a-8d35b529edac" =
-                { "/nix/rootfs/current" = "/"; "/nix" = "/nix"; };
-            };
-          };
-          swap = [ "/nix/swap/swap" ];
-          rollingRootfs = {};
-        };
-        nixpkgs =
-        {
-          march = "skylake";
-          cuda =
-          {
-            enable = true;
-            capabilities =
-            [
-              # p5000 p400
-              "6.1"
-              # 2080 Ti
-              "7.5"
-              # 3090
-              "8.6"
-              # 4090
-              "8.9"
-            ];
-            forwardCompat = false;
-          };
-        };
-        gui = { enable = true; preferred = false; autoStart = true; };
-        networking.hostname = "xmupc2";
-        nix.remote.slave.enable = true;
-      };
-      hardware = { cpus = [ "intel" ]; gpu.type = "nvidia"; };
-      virtualization = { waydroid.enable = true; docker.enable = true; kvmHost = { enable = true; gui = true; }; };
-      services =
-      {
-        snapper.enable = true;
-        sshd = { passwordAuthentication = true; groupBanner = true; };
-        xray.client.enable = true;
-        firewall.trustedInterfaces = [ "virbr0" "waydroid0" ];
-        smartd.enable = true;
-        beesd.instances.root = { device = "/"; hashTableSizeMB = 16384; threads = 4; };
-        wireguard =
-        {
-          enable = true;
-          peers = [ "vps6" ];
-          publicKey = "lNTwQqaR0w/loeG3Fh5qzQevuAVXhKXgiPt6fZoBGFE=";
-          wireguardIp = "192.168.83.7";
-        };
-        slurm =
-        {
-          enable = true;
-          cpu = { sockets = 2; cores = 22; threads = 2; mpiThreads = 4; openmpThreads = 10; };
-          memoryMB = 253952;
-          gpus."4090" = 1;
-        };
-        xrdp = { enable = true; hostname = [ "xmupc2.chn.moe" ]; };
-        samba = { enable = true; hostsAllowed = ""; shares = { home.path = "/home"; root.path = "/"; }; };
-        groupshare = {};
-      };
-      bugs = [ "xmunet" ];
-      user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" ];
-    };
-  };
-}
--- a/devices/xmupc2/secrets/default.yaml
+++ b/devices/xmupc2/secrets/default.yaml
@@ -1,52 +0,0 @@
-acme:
-    token: ENC[AES256_GCM,data:Wb7Gons3HCMK5WGIZpG4XrrqZ5G6bymjuKMW6IUjLiK0CIXFz/ARNg==,iv:zc4BgHcc+O7SHQbJkff11fBwgsd+TFtvSEGJ/qrzVo4=,tag:K+Nu9kenTtTnin4+hDCdWA==,type:str]
-nginx:
-    maxmind-license: ENC[AES256_GCM,data:FPVSD8otQMNpbESNEHXCfQjB/zi3OVwZoyLijUtnHQlQzec7KVSiGw==,iv:DkkwCqvRmcFHQIXseh2fycCxZboJMYhHPu67GddenY4=,tag:iHEC8r5GcuB1QcZ5Uf8Skw==,type:str]
-xray-client:
-    uuid: ENC[AES256_GCM,data:j2R0UtfS/es2A+Ic+Kq6FZJSqXlA/Q8tGkuAIX0ZdTsV4hGk,iv:Ovpr49isIJRdUyM3jxgiT+9Sc+qTF6ZnkKUwxIq6KUs=,tag:2VRSkiPNWaOmCqLJti8Bzw==,type:str]
-wireguard:
-    privateKey: ENC[AES256_GCM,data:0Vw9NVs/Kxc52zUlmeAPFeOG8msdL0YopjhzFKRWhv6+kfb+SFObOP8EJ2M=,iv:KgIZIawbnN+1sIcMjNECkdtujPbg7yQktKVc25SXavI=,tag:b79oZP+GZKmM3OVFshvFhg==,type:str]
-users:
-    #ENC[AES256_GCM,data:FP1Mr1TmRI4L,iv:3K4LMbOQPvF1ORWNyaXDoC5MXn3yColR4eKs9sm9y5s=,tag:f3guTegVXw1A6aqolKQnqA==,type:comment]
-    xll: ENC[AES256_GCM,data:CAEd+usnLKoQZ+0PLEiJfbZpz2pyn+I/edC2KbNXBXZPAgT7IDENMnSQyxme899KqRVL4nLrtHs82aA8+kl/dE+QYSTCFVVuHg==,iv:Hs8rb0Iu5Xw74p9/cL2gWfPLh61VaLzIltKUSjRFZjc=,tag:/u5vI0oTMQbNoCEzhcWqOw==,type:str]
-    #ENC[AES256_GCM,data:UIns0CnC/QmJ,iv:Gn4XDPcdTyDLXAgGq7qwayrN206Gx7JsJ3V9G+4bTyA=,tag:FITVs8Tgkiq1XoS8joXM1Q==,type:comment]
-    zem: ENC[AES256_GCM,data:znpGuS8LVxaztnwQlIwu3hykWRBUtQvOsniLaOasXDbw9lHGX8lwwYJuCE+0I14HmiZK/RrrouIwfAfcjZQzPyjJ/SRoOG1Vyg==,iv:YXHX43y99/w9102vhsvFLVOUtJmuRnLVLu+ywfn9URY=,tag:AzsmkXOyX7y/D+ndteuMmA==,type:str]
-    #ENC[AES256_GCM,data:6vMItERptBsX,iv:G0sDjEfLciheMxTZbeLIbWKlimPD1ANIk/VVdhQifXA=,tag:oR9FEdVx6W+0uDeKfb37iw==,type:comment]
-    yjq: ENC[AES256_GCM,data:sGPQ0xALULREnhzl9g/V91M5osMglsSps6R4gYn5OZc/4xVC1phF3qajVN3YMOr7kKgkHbF2Rjm6/2vuK0k1iYZnFswUAmFlmw==,iv:5vG1hn7SlX6HCpas2BgxBSwWqLby8OCxcH3EKNvceIc=,tag:TVwFBAuosKnEOZecq1phXw==,type:str]
-    #ENC[AES256_GCM,data:ALHxkRABA+ll,iv:r1IDiHLFcTdLID3q16zrLTavAwQfddC7bXMKcFZFveI=,tag:4Pd0/Q1BmH4gJjaM4hbqqQ==,type:comment]
-    gb: ENC[AES256_GCM,data:z4CrtdmdLJJ0qZzr7qvihnluJQgjtciX56KdEmtemiRu0llEJk9qz6a23aJ7m40Sfc38elF1/LsvjOuBOC87+BVkKDCj76phag==,iv:WrFVxkr3snmqDXZx5kAYCLp7ixEIzxoT7El3rV7Ovqg=,tag:iExf2Y/HObHQrKMTRvqn7A==,type:str]
-    #ENC[AES256_GCM,data:XfNExliq7noL,iv:K+rFlZHF1oY5rsTzaO0mgxiE1VlKdtPTifAaesg321k=,tag:Dja8NmPWZdJkf/J/96/wAw==,type:comment]
-    wp: ENC[AES256_GCM,data:yjMDez28pJUo6riIHypQQgjGFbuLwy87eG4ek/+Li2w8b4Cm5JckRvs26o+S0blfICc8WqIqEJGakT2wVBE5O1jGfniKn3PhTA==,iv:dOA318XRd2EXxmTIlk6GhlAR/FBpbKkbPJJCXTwFCxM=,tag:9MkXNUuAoplAzE+4eJpr0w==,type:str]
-    #ENC[AES256_GCM,data:YGcTkNCeu3m7,iv:jYmVrfRFwQoX1XxeSzS23wRMAD/AnzYBXQjI76Ke2FE=,tag:WJfSmjdggzPojDcJ6GzP+A==,type:comment]
-    hjp: ENC[AES256_GCM,data:0R5SfBFKuLGurwINnTj31FOrwwfY9bqVS1rG/a0HqIYd+Ui8/2ffFBx0Et+tYIqcxXEJpGbvse43V0naNKmFKlLanfcy9YV/Hg==,iv:mpAUmcVHWWLoreEsG9ha09jxte8mQCLt/A7nm04iX9Y=,tag:bia9pjL0MAcs9vj1gKCVCQ==,type:str]
-mariadb:
-    slurm: ENC[AES256_GCM,data:9wLQ1zF/kDaiw0s3UaRpiHgmngU7u6hwyqpddSjev0+Z0v58Q2oiJtK8vn+2VlSxx5ACfqEFbzp0PZYAxd575w==,iv:q9JTkgDymOwkbZ/PaxRAAQrtO96QmGgZcQuLTFCMoS4=,tag:dwOHlOTgZqT/1jQ+oGf7UQ==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0Rmc2Ull1WFB4Smh3c0Zl
-            emlTNGJKZkpIK2JFeUNVeUcrR2FzRXRQZHlvCkhzMHpzYmZRZ0M0cXdRVi8wZmp6
-            ZDRZQ2FkOWt6M0lrdjBHa3VTWXBDKzgKLS0tIGtJbTRRelg1VVk2QStwdzlFM1g4
-            M1JOd1g3cVdjUFRhZ0FxcWphZXZJbkkKFXDtJVoi+qIrXp6cznevuZ+peBiRRITP
-            rrplqLiYsNIGKmKYtRIUu8WXDZ2q2CJ8Z+pka3W3H/U+m957hBDWyw==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1l4stuz0vr7gs7pqwjrmezam44702jp2vmqaqyxw0l0r42kf9updq4dfhrw
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsSHdka3FPQUYrcXQzcTFo
-            a000TUllT0MvUzk5ZzVFbXZheG9ZVTM2S253CkE5VW9tQktvL2pMWFoxcnFjTGpr
-            Z0p1RjZWRGpSZ01TdTZRcEJXM2NOUkUKLS0tIC9rNmNzWitMdEd5dXQvdWlELzhM
-            M0xoL1dQR0kvMWpzN0RMNWVCTFQxNFUKj9LPjBo5NGOrGYNvu8qZ13PLYjLEWllU
-            LARzEn4XgkeHckouwvxZYMCx7WxmAruRWaOvnxTIczzSNP7wIrqnkA==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-30T06:31:36Z"
-    mac: ENC[AES256_GCM,data:UUzv3IewuF4rhbrL2haJ0495p1d4wXA7LHa5ogc5TSv+ZAYuN/HL3VCXQzzKQrzqD3LtgC3DrGgmMNGVyAIzqVFYYxVuAwb03ov+lOp3SHvLTCMqkETbcE525aAIVWNqBXp7RBn7tKC4AD4y7AQihSYhBXO8VF1PeccjaCnN7R8=,iv:G0s8qchlgcm5HVshTKnGyt8nk+D4QYyP7n+5R0TOb8A=,tag:DspvfLf1pBs+/ol8GzT7Xw==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.9.0
--- a/doc/setup.md
+++ b/doc/setup.md
@@ -23,4 +23,9 @@ systemd-machine-id-setup --root=/mnt/nix/persistent
 pg_dump -h 127.0.0.1 -U synapse -Fc -f synaps.dump synapse
 pg_restore -h 127.0.0.1 -U misskey -d misskey --data-only --jobs=4 misskey.dump
 cryptsetup luksUUID --uuid=<the new UUID> /dev/sda1
+mungekey -k munge.key
+mv munge.key munge.key.orig
+sops -e --input-type binary --output-type binary munge.key.orig > munge.key
+rm munge.key.orig
+sudo nix build --store 'local?root=/mnt' --option substituters https://nix-store.chn.moe --option require-sigs false  /nix/store/khhqmly5295ns33dz1s3m3sb79icj6bi-nixos-system-srv3-production-24.11
 ```
--- a/doc/todo.md
+++ b/doc/todo.md
@@ -0,0 +1,14 @@
+* 测试 huggin rsshub
+* 打包 intel 编译器
+* 切换到 niri，清理 plasma
+* 调整其它用户的 zsh 配置
+* 调整 motd
+* 找到 wg1 不能稳定工作的原因；确定 persistentKeepalive 发包的协议、是否会被正确 NAT。
+* 备份系统
+* 备份数据
+* 清理 mariadb，移动到 persistent
+* 清理多余文件
+* 移动日志到 persistent
+* 更新 srv1
+* 告知将代理改到 xserver2
+* 准备单独一个的 archive
--- a/doc/upgrade.md
+++ b/doc/upgrade.md
@@ -0,0 +1,12 @@
+* merge upstream, update flake
+* update src
+* fix all build errors
+* update modules (synapse)
+* update postgresql nextcloud
+* update stateVersion
+* switch
+* fix disabled packages
+* upstream patches
+* merge upstream again
+* switch
+* build all
--- a/doc/迁移服务器.md
+++ b/doc/迁移服务器.md
@@ -0,0 +1,9 @@
+1. 调整代码，编译。
+2. 将系统上传到新机。不要 rebuild。
+3. 如果原机数据比较多，则先传输一个快照过去。
+4. 将原机停机，修改 dns。
+5. 传输原机的数据到新机，但不要替换子卷。
+6. 替换 initrd ssh key，rebuild。
+7. 替换子卷。
+8. 替换 luks 密钥。
+9. 重启。
--- a/flake.lock
+++ b/flake.lock
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				`inputs: { imports = inputs.localLib.findModules ./.; }`
				`@@ -0,0 +1 @@`
				`store = local?store=/data/gpfs01/jykang/.nix/store&state=/data/gpfs01/jykang/.nix/state&log=/data/gpfs01/jykang/.nix/log`
				`@@ -0,0 +1 @@`
				`store = local?store=/public/home/xmuhk/.nix/store&state=/public/home/xmuhk/.nix/state&log=/public/home/xmuhk/.nix/log`