update root

This reverts commit b3af5b20b0.

.gitignore

@@ -6,3 +6,4 @@ build
 .vscode
 .cache
 .ccls-cache
+archive

.sops.yaml

@@ -1,14 +1,13 @@
 keys: # cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
   - &chn age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
   - &pc age1ffvr5pqd2lfj24e3fh53s92z6h76fda3du4y4k6r3yjumdwvpfgqzj033a
-  - &vps4 age1yvrl4y0r6yzcxzzkgfwshlrtsjt8uuya6rfwks09pnft7esfcyvqmrtm5q
   - &vps6 age164tyqklwhdm57tfm5u863mdt2xrzrrzac4py8a0j9y6kzqcjy9zsp073t6
   - &vps7 age137x7csalutwvfygvvzpemlsywvdxj3j4z93a50z2sjx03w6zau8q3r5902
-  - &surface age1ck5vzs0xqx0jplmuksrkh45xwmkm2t05m2wyq5k2w2mnkmn79fxs6tvl3l
   - &nas age19lhcwk37jmvn6z0v4dpdfh0k4u23f76twdjknc0p7atktf37rd7s4t4wj3
   - &xmupc1 age1hnarptkze0ujpp05dqr8uma04cxg9zqcx68qgpks5uf5l6rpk5gqhh8wxg
   - &xmupc2 age1l4stuz0vr7gs7pqwjrmezam44702jp2vmqaqyxw0l0r42kf9updq4dfhrw
   - &pi3b age1yjgswvexp0x0de0sw4u6hamruzeluxccmx2enxazl6pwhhsr2s9qlxdemq
+  - &one age1m7nrxfw22wvp7pj8y9pdl745w95x89uu8dzl9ppsaazweqf2lqms5yshsp
   - &srv1-node0 age1nzetyehldf3gl6pr6mu5d2cv387p8wjqn6wfpll7a3sl8us6n38s0ds633
   - &srv1-node1 age1wj33xt8nj7rhnsenepsf6k3lmq5vk4wn84jwr55qy9cwu05xn5cspg3h7t
   - &srv1-node2 age16e7ykphshal6qhwfvat698hl48s8yr0jvzh27ecdyfh5uk7t9u6s753jgy
@@ -19,11 +18,6 @@ creation_rules:
     - age:
       - *chn
       - *pc
-  - path_regex: devices/vps4/.*$
-    key_groups:
-    - age:
-      - *chn
-      - *vps4
   - path_regex: devices/vps6/.*$
     key_groups:
     - age:
@@ -39,11 +33,6 @@ creation_rules:
     - age:
       - *chn
       - *nas
-  - path_regex: devices/surface/.*$
-    key_groups:
-    - age:
-      - *chn
-      - *surface
   - path_regex: devices/xmupc1/.*$
     key_groups:
     - age:
@@ -59,6 +48,11 @@ creation_rules:
     - age:
       - *chn
       - *pi3b
+  - path_regex: devices/one/.*$
+    key_groups:
+    - age:
+      - *chn
+      - *one
   - path_regex: devices/srv1/node0/.*$
     key_groups:
     - age:

devices/jykang.xmuhpc/.bashrc

@@ -37,6 +37,9 @@ fi
 if [ -z "${BASHRC_SOURCED-}" ]; then
 	export PATH=$HPCSTAT_SSH_BINDIR:$PATH:$HOME/bin:$HOME/linwei/chn/software/scripts
 	export BASHRC_SOURCED=1
+	if [ "${HPCSTAT_SUBACCOUNT}" == "lyj" ]; then
+		export PATH=$HOME/wuyaping/lyj/bin:$PATH
+	fi
 fi
 
 [ -n "$CHN_LS_USE_COLOR" ] && alias ls="ls --color=auto"

devices/jykang.xmuhpc/.ssh/authorized_keys

@@ -7,6 +7,8 @@ ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCW2fx1Sim7X2i/e/RBPEl1q/XbV7wa9pmZfnRINHIv
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMRpyIU8ZuYTa0LvsVHmJZ1FA7Lbp4PObjkwo+UcpCP8 wp@xmupc1
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGRZp8xp9hVO7e/6eflQsnFZj853IRVywc97cTevnWbg hjp@xmupc1
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGwUhEAFHjkbUfOf0ng8I80YbKisbSeY4lq/byinV7lh wm
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5bg5cayOLfnfUBJz8LeyaYfP41s9pIqUgXn6w9xtvR lly
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBoDGk9HYphkngx2Ix/vef2ZntdVNK1kbS9pY8+TzI41 yxf
 
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCmJoiGO5YD3lbbIOJ99Al2xxm6QS9q+dTCTtlALjYI5f9ICGZJT8PEGlV9BBNCRQdgb3i2LBzQi90Tq1oG6/PcTV3Mto2TawLz5+2+ym29eIq1QIhVTLmZskK815FpawWqxY6+xpGU3vP1WjrFBbhGtl+CCaN+P2TWNkrR8FjG2144hdAlFfEEqfQC+TXbsyJCYoExuxGDJo8ae0JGbz9w1A1UbjnHwKnoxvirTFEbw9IHJIcTdUwuQKOrwydboCOqeaHt74+BnnCOZhpYqMDacrknHITN4GfFFzbs6FsE8NAwFk6yvkNXXzoe60iveNXtCIYuWjG517LQgHAC5BdaPgqzYNg+eqSul72e+jjRs+KDioNqvprw+TcBBO1lXZ2VQFyWyAdV2Foyaz3Wk5qYlOpX/9JLEp6H3cU0XCFR25FdXmjQ4oXN1QEe+2akV8MQ9cWhFhDcbY8Q1EiMWpBVC1xbt4FwE8VCTByZOZsQ0wPVe/vkjANOo+brS3tsR18= 00@xmuhpc
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxcIWDQxVyIRqCGR4uWtrh4tLc025+q6du2GVsox8IzmBFkjNY8Au5GIMP5BKRstxFdg3f/wam8krckUN9rv5+OHB9U8HGz77Xs0FktqRVNMaDPdptePZQJ9A9eW3kkFDfQnORJtiVcEWfUBS3pi0QFOHylnG27YyC/Vjx9tjvtJWKsQEVTFJbFHPdi+G7lHTpqIGx+/a2JN9O6uVujXXYvjSVXsd+CWB9VMZMvYCIz2Ecb6RqR3brj4FhRRl8zyCj+J4ACYFdGWL98fTab2uPHbpVeKrefFFA43JOD/4zwBx/uw7MAQAq0GunTV3FpBfIAQHWgftf2fSlbz20oPjCwdYn9ZuGJOBUroryex7AKZmnSYM3biLHcctQfZtxqVPEU3W/62MUsI/kZb9RcF24JRksMoS2XWTiv2HFf5ijQGLXXOjqiTlGncwiKf65DwkDBsSxzgbXk5Uo86viq6UITFXPx/RytU+SUiN4Wb7wcBTjt/+tyQd1uqc7+3DCDXk= 01@xmuhpc

devices/nas/default.nix

@@ -24,7 +24,7 @@ inputs:
               };
             };
           };
-          decrypt.manual =
+          luks.manual =
           {
             enable = true;
             devices =
@@ -38,10 +38,10 @@ inputs:
           swap = [ "/nix/swap/swap" ];
           rollingRootfs.waitDevices = [ "/dev/mapper/root4" ];
         };
-        initrd.sshd.enable = true;
+        initrd.sshd = {};
         nixpkgs.march = "silvermont";
         nix.substituters = [ "https://nix-store.chn.moe?priority=100" ];
-        networking.networkd = {};
+        networking = {};
       };
       hardware = { cpus = [ "intel" ]; gpu.type = "intel"; };
       services =
@@ -62,6 +62,7 @@ inputs:
           publicKey = "xCYRbZEaGloMk7Awr00UR3JcDJy4AzVp4QvGNoyEgFY=";
           wireguardIp = "192.168.83.4";
         };
+        misskey.instances.misskey = {};
       };
     };
   };

devices/nas/secrets.yaml

@@ -4,6 +4,12 @@ acme:
     token: ENC[AES256_GCM,data:OrYgBRU1VPpkpDzYMFHINfPSHsXEKABdZOcgiAiBJKcreBoaSVHUvg==,iv:XIeZPJhzmUi5ZHKBCYN5UA9HWH1K+26SvcIWVrHAYDA=,tag:3F93syLBZjcHwnRRkUEjlw==,type:str]
 wireguard:
     privateKey: ENC[AES256_GCM,data:VPlB4wSbWqSYw3rYRwfAMa39xrPcPZfz7sV2Cq3rmOhifnUPwggxnA+51do=,iv:utnyrB6Yfe5O94Oq4HDVFm/lQ9ZBoyvUT68r2G2PdwA=,tag:snm01vA+z2yKK8d2i5i2ig==,type:str]
+nginx:
+    maxmind-license: ENC[AES256_GCM,data:ezBawTyn+oPKKy6sQuj2BQXhnO4PTbxYWRpQR9URCxqD7bFlnmWU1Q==,iv:eD4yLDA209x6HFtDaqyj8kRxTImdyZCgOminHWb9vt4=,tag:mx+qPp4L9jHRvL90XH1RwA==,type:str]
+redis:
+    misskey-misskey: ENC[AES256_GCM,data:daHnurnqW0MI2uHd3gNT+ZczmytRdwBSsHGkCwNH9hJFMJW/U56HtjG5ivOQzYprWJ5uzgN98ivocbwzJEAGfg==,iv:aE9kvEErN06FNPPFQNchbmg/+SJCKT3QzCN/JTlZovk=,tag:iMo3MTssxKKT02zi8gCZPA==,type:str]
+postgresql:
+    misskey_misskey: ENC[AES256_GCM,data:QhsmKzYmAV0kGPhtRjTK7npt/Nop5JM9EFPpD8K6KfUJ48w+r+4vTORmERu7D2+fE3XDXxNZeSJg//bGxMmhfg==,iv:qkjkrqepjQ4kbwoaceQSzEP5TjLsiY7ih/ESj5RFpHw=,tag:UtZVW30xcsbGUjU2HjoUvw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -28,8 +34,8 @@ sops:
             by9Rd0U0bzNiK21BQTNxN1RuQ09DQVkKJmSlzV5ppEkZFljsS17ZWmoI++fz4tJh
             kTdoAStG1zsKASHyZTsmdm3RBDO3qV1KhQC2gC7d4EiwNZngxOOZJg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-07-24T05:14:57Z"
-    mac: ENC[AES256_GCM,data:9xKBuoVeotcZfiqsKg+iXxOc5BV9kGVvR5f9Anu6DauBceYIBxgeVCDU3dRUPz67MkOK/n2w9+gLchQxUyK8G4ECRTESL+GKpZslNVThb2j6vswLXNBHqsQCoQBlYOiKw5ZM1gpdYJPni8qpsdGvTwc5JkW+FH6v1BdZWaUhc3U=,iv:SyLiMXsQhS+8FFlSMXiD9ETD+mIsz6mePXnJzBODK5g=,tag:YpiU58lJ5Nb78EMyEmJdbw==,type:str]
+    lastmodified: "2024-10-05T02:43:05Z"
+    mac: ENC[AES256_GCM,data:NyXFwcVCCRfU+QSJVwov38SzRag1vhgfyQ0xtOheKtK/UaA+2Vqiqatp/lKWeri9ltpw5xWBYQnmE6aBHEkrj5RvoXeho3CUWiSqsB/3COn3FSfXGGJ2M642dnCtWqHfTrGNW7bhq/lBisODvtv+SAs108R5yYXhXWotUs/p+W0=,iv:Wsel2unj5X/dBCwt5sLzHmUIqm9c0uqzzpfnUkxq5cc=,tag:a5/I8GWuUOy4F4lOx9TH+w==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.9.0

devices/one/default.nix

@@ -0,0 +1,50 @@
+inputs:
+{
+  config =
+  {
+    nixos =
+    {
+      model = { type = "desktop"; private = true; };
+      system =
+      {
+        fileSystems =
+        {
+          mount =
+          {
+            vfat."/dev/disk/by-partlabel/one-boot" = "/boot";
+            btrfs."/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
+          };
+          luks.auto."/dev/disk/by-partlabel/one-root" = { mapper = "root"; ssd = true; };
+          swap = [ "/nix/swap/swap" ];
+          resume = { device = "/dev/mapper/root"; offset = 728784; };
+          rollingRootfs = {};
+        };
+        nixpkgs.march = "tigerlake";
+      };
+      hardware = { cpus = [ "intel" ]; gpu.type = "intel"; };
+      services =
+      {
+        snapper.enable = true;
+        xray.client.enable = true;
+        smartd.enable = true;
+        beesd.instances.root = { device = "/"; hashTableSizeMB = 512; };
+        wireguard =
+        {
+          enable = true;
+          peers = [ "vps6" ];
+          publicKey = "Hey9V9lleafneEJwTLPaTV11wbzCQF34Cnhr0w2ihDQ=";
+          wireguardIp = "192.168.83.5";
+        };
+        sshd = {};
+      };
+      bugs = [ "xmunet" ];
+    };
+    boot.kernelParams = [ "acpi_osi=!" ''acpi_osi="Windows 2015"'' ];
+    security =
+    {
+      pam.services.kde.rules.auth.pass =
+        { modulePath = "pam_succeed_if.so"; args = [ "user" "=" "chn" ]; control = "sufficient"; order = 0; };
+      sudo.wheelNeedsPassword = false;
+    };
+  };
+}

devices/one/secrets.yaml

@@ -0,0 +1,40 @@
+xray-client:
+    uuid: ENC[AES256_GCM,data:GmfSlDQjO4aBq3u50jnFjOR9VxamYHzokUrO9IpIGuBx0j8e,iv:++O2wBUCnHDPowRgtxPQJQePXP2Cda74WXQvlKHbHNw=,tag:XDWhiXwT718RgrBw7L5yzw==,type:str]
+acme:
+    token: ENC[AES256_GCM,data:+zy72VDj8hs1GH7E1U04WhiGq0xkIPGC8pHbAYR70OK5E6EOdkQwKA==,iv:oYNSrOH3pLhltYw2NX1d4s6jiUgMssWiIK//62i0ptQ=,tag:C5ekSVjmwSEphsTZ/DLcsg==,type:str]
+nginx:
+    maxmind-license: ENC[AES256_GCM,data:/x9HJWh4Kpp5xy4TfuC/bP4Z/gMOFgAalz91cewHj1/tPxFe5R/nQA==,iv:K696zu685ydzwFMKIrqz1GiYLMKGM1dLNDWdhH4U0L8=,tag:nFwqXc7RPIYcQxVIu6GWgw==,type:str]
+wireguard:
+    privateKey: ENC[AES256_GCM,data:NgA5rHB6GwqiNSx1mhxObywuiZWq5qpcNrlpk6HaD9hzQoL0j1IrrgMCqkU=,iv:ZZUlSJeQPN2/JxjhR08FdEZl3gCFuNpJ3M93C6JovHs=,tag:rCtWHOYCmgZKF1lRlIAReA==,type:str]
+github:
+    token: ENC[AES256_GCM,data:rGiseVhDBU+rNcz92QXHeqAQ4lC7l5dba8d7rGUIIoEcpBVGwGh/5w==,iv:lf4aMBAQxI140qJsMLqHpI3dKRw6HiV20cyn0WFWbT8=,tag:w1P9MrqgUAmPzVWkIFs1jg==,type:str]
+age: ENC[AES256_GCM,data:5QX7wYQpbKSX88bAWSRqi8Y3Pmwb1KZ6LYrHURs7N2VHjbXOaSM9lm1GRrUjUHQE/r2CUku3TnMphczBMb0qLxSliay7QB2W0+o=,iv:qCTpul0ESBN7NWznBR8546A+Is7x7+Su4yHDX1b+FNY=,tag:aVU7B5lygQrBh5l260jJLQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsOUJWMm5xT040cEoxQit5
+            ZnhhQWVyWjlnejhzQlEvVVg3ZGVJb05iL1hjCnF5bzFTUTZFYkNQR0k5U0xmOW1t
+            TXhsRHFIeVBBSXc1UURON2M4MDlTMEUKLS0tIGdSbTdZdmdjY0dmNjkrRjd0VkhK
+            eWV6SDJqT1B2MEp1MURkV0E4S3Z0Zm8KX9lEjG4u2QRe1zH+13rbedCWl1B7vvl8
+            2iMHj1qQ4JkCeq83llEH5IuDXKYnKKXSi8l3nU/l6Aw6yx/KHDFK/g==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1m7nrxfw22wvp7pj8y9pdl745w95x89uu8dzl9ppsaazweqf2lqms5yshsp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2K3VKTVJqMTl2cWxUZHhM
+            OVg5ZjN0VGNpVXQ5M1FKZHloZ0ZnWTZ2ZWowCjJIYTlhRU8wd1JienlUTHIwWXYw
+            eFY1d2MxeStBd013VmszbTUzTkF6U2cKLS0tIDdDNXp4OTdQRjN0MGdIOS9oSldU
+            ZW5PT3VYZWhDMkZUeHViZE41eUhna2sKc8J8mJ8ge9KMb5p6Xi/vRIIXZMEj6Ih+
+            LjLKsgDfMbqNqKaQXSvC3tbvI/dDoiStyCsf4rkTY9QOkyEI80MtXg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-12-09T13:35:05Z"
+    mac: ENC[AES256_GCM,data:2ILRlQddIKvJubKth/y7+UndarVUv2VQNZmaSbMc/m35qY5nln6Oy32TmCASS5EX+wWXwb/8waWlniPrDQLKdB2vE8PdqQQiYbHgmUQU7bauG8jLPNag47CNhTLMd6C1xymWS42Ie56pi0eNazCXoxIApNBXGtM/ITtBjCMDBHE=,iv:6NLogRo0ibBR+gTb52yAY9l6zrrWdC97whHe0c2tV54=,tag:CNwvVwEBbckgjUG54BhXjQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.1

devices/pc/default.nix

@@ -4,6 +4,7 @@ inputs:
   {
     nixos =
     {
+      model = { type = "desktop"; private = true; };
       system =
       {
         fileSystems =
@@ -13,7 +14,7 @@ inputs:
             vfat."/dev/disk/by-uuid/7A60-4232" = "/boot";
             btrfs."/dev/mapper/root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
           };
-          decrypt.auto =
+          luks.auto =
           {
             "/dev/disk/by-uuid/4c73288c-bcd8-4a7e-b683-693f9eed2d81" = { mapper = "root1"; ssd = true; };
             "/dev/disk/by-uuid/4be45329-a054-4c20-8965-8c5b7ee6b35d" =
@@ -23,7 +24,7 @@ inputs:
           resume = "/dev/mapper/swap";
           rollingRootfs = {};
         };
-        grub.windowsEntries."7AF0-D2F2" = "Windows";
+        grub.windowsEntries."08D3-10DE" = "Windows";
         nix =
         {
           marches =
@@ -37,24 +38,24 @@ inputs:
             "broadwell"
             # FXSR HLE LZCNT PREFETCHW RDRND SAHF SGX XSAVE
             "skylake" "cascadelake"
+            # SAHF FXSR XSAVE RDRND LZCNT HLE PREFETCHW SGX MOVDIRI MOVDIR64B AVX512VP2INTERSECT KEYLOCKER
+            "tigerlake"
             # AVX-VNNI CLDEMOTE GFNI-SSE HRESET KL LZCNT MOVDIR64B MOVDIRI PCONFIG PREFETCHW PTWRITE RDRND
             # SERIALIZE SGX WAITPKG WIDEKL XSAVE XSAVEOPT
             "alderlake"
           ];
-          remote.master = { enable = true; hosts = [ "xmupc1" "xmupc2" "srv1-node0" "srv1-node1" ]; };
-          githubToken.enable = true;
         };
         nixpkgs =
           { march = "znver4"; cuda = { enable = true; capabilities = [ "8.9" ]; forwardCompat = false; }; };
         kernel =
         {
+          # TODO: switch to cachyos-lts
           variant = "xanmod-latest";
-          patches = [ "hibernate-progress" "amdgpu" ];
+          patches = [ "hibernate-progress" ];
           modules.modprobeConfig =
             [ "options iwlwifi power_save=0" "options iwlmvm power_scheme=1" "options iwlwifi uapsd_disable=1" ];
         };
         sysctl.laptop-mode = 5;
-        gui.enable = true;
       };
       hardware =
       {
@@ -62,7 +63,7 @@ inputs:
         gpu =
         {
           type = "amd+nvidia";
-          nvidia = { prime.busId = { amd = "5:0:0"; nvidia = "1:0:0"; }; dynamicBoost = true; driver = "latest"; };
+          nvidia = { dynamicBoost = true; driver = "beta"; prime.busId = { amd = "6:0:0"; nvidia = "1:0:0"; }; };
         };
         legion = {};
       };
@@ -77,7 +78,6 @@ inputs:
         samba =
         {
           enable = true;
-          private = true;
           hostsAllowed = "192.168. 127.";
           shares =
           {
@@ -98,10 +98,7 @@ inputs:
               [ "mirism.one" "beta.mirism.one" "ng01.mirism.one" "initrd.vps6.chn.moe" ])
             ++ (builtins.map
               (name: { inherit name; value = "0.0.0.0"; })
-              [
-                "log-upload.mihoyo.com" "uspider.yuanshen.com" "ys-log-upload.mihoyo.com"
-                "dispatchcnglobal.yuanshen.com"
-              ])
+              [ "log-upload.mihoyo.com" "uspider.yuanshen.com" "ys-log-upload.mihoyo.com" ])
             ++ [{ name = "4006024680.com"; value = "192.168.199.1"; }]
           );
         };
@@ -137,58 +134,49 @@ inputs:
             gpus."4060" = 1;
           };
           partitions.localhost = [ "pc" ];
+          tui = { cpuMpiThreads = 4; cpuOpenmpThreads = 4; gpus = [ "4060" ]; };
         };
         ollama = {};
-        waydroid = {};
         docker = {};
+        ananicy = {};
+        keyd = {};
       };
       bugs = [ "xmunet" "backlight" "amdpstate" ];
-      user.users = [ "chn" "zzn" ];
+      packages = { android-studio = {}; mathematica = {}; };
     };
-    boot =
+    boot.loader.grub =
     {
-      kernelParams = [ "acpi_osi=!" ''acpi_osi="Windows 2015"'' ];
-      loader.grub =
+      extraFiles =
       {
-        extraFiles =
-        {
-          "DisplayEngine.efi" = ./bios/DisplayEngine.efi;
-          "SetupBrowser.efi" = ./bios/SetupBrowser.efi;
-          "UiApp.efi" = ./bios/UiApp.efi;
-          "EFI/Boot/Bootx64.efi" = ./bios/Bootx64.efi;
-        };
-        extraEntries = 
-        ''
-          menuentry 'Advanced UEFI Firmware Settings' {
-            insmod fat
-            insmod chain
-            chainloader @bootRoot@/EFI/Boot/Bootx64.efi
-          }
-        '';
+        "DisplayEngine.efi" = ./bios/DisplayEngine.efi;
+        "SetupBrowser.efi" = ./bios/SetupBrowser.efi;
+        "UiApp.efi" = ./bios/UiApp.efi;
+        "EFI/Boot/Bootx64.efi" = ./bios/Bootx64.efi;
+        "nixos.iso" = inputs.topInputs.self.src.iso;
       };
+      extraEntries = 
+      ''
+        menuentry 'Advanced UEFI Firmware Settings' {
+          insmod fat
+          insmod chain
+          chainloader @bootRoot@/EFI/Boot/Bootx64.efi
+        }
+        menuentry 'Live ISO' {
+          set iso_path=@bootRoot@/nixos.iso
+          export iso_path
+          search --set=root --file "$iso_path"
+          loopback loop "$iso_path"
+          root=(loop)
+          configfile /boot/grub/loopback.cfg
+          loopback --delete loop
+        }
+      '';
     };
     # 禁止鼠标等在睡眠时唤醒
     services.udev.extraRules = ''ACTION=="add", ATTR{power/wakeup}="disabled"'';
+    # 允许kvm读取物理硬盘
+    users.users.qemu-libvirtd.extraGroups = [ "disk" ];
     networking.extraHosts = "74.211.99.69 mirism.one beta.mirism.one ng01.mirism.one";
     services.colord.enable = true;
-    environment.persistence."/nix/archive" =
-    {
-      hideMounts = true;
-      users.chn.directories = builtins.map
-        (dir: { directory = "repo/${dir}"; user = "chn"; group = "chn"; mode = "0755"; })
-        [ "BPD-paper" "kurumi-asmr" "BPD-paper-old" "SiC-20240705" ];
-    };
-    specialisation =
-    {
-      nvidia.configuration =
-      {
-        nixos =
-        {
-          hardware.gpu.type = inputs.lib.mkForce "nvidia";
-          services.gamemode.drmDevice = inputs.lib.mkForce 0;
-        };
-        system.nixos.tags = [ "nvidia" ];
-      };
-    };
   };
 }

devices/pc/secrets/default.yaml

@@ -26,6 +26,8 @@ age: ENC[AES256_GCM,data:EPjip4/tz50e+blPko9NpzDamLRO6BVy64kDnGAhUJJ/bMw6V9Of8Rz
 user:
     #ENC[AES256_GCM,data:a4mHxr7bn7BV,iv:FYQk3yv3XgxNO9CnrQefo3WqhO0Sf8Mihfp+Iw4AcWM=,tag:jebxvG+xUidghf5dOlvDYA==,type:comment]
     zzn: ENC[AES256_GCM,data:xBSve41JclBYQULPN7yV/1Eyo3u+CHAewVetKHwjvl6Te0kk/+aLx6gs8EpOJGmVaiSAdt6F2ayHXUD8RXXpJIOnnEHk88kqbw==,iv:XPxMLvlVtaZvpWnau5Jwlj/5ty5Zyw4F44ix5G64Z84=,tag:uJfWb0PCebdMtxXMfueULQ==,type:str]
+wechat2tg:
+    token: ENC[AES256_GCM,data:PrZWR8WiZ7grkpTLqMxwbnkwZttl7n0e1lc1mdHJiFUWq/PqG2wNBC27C58jMg==,iv:02XHhfpN8YPix0REbJDnsBbvCwifbdwBwfuJ2glbvjo=,tag:6aWNqBfwulsjMbl+D6L9vw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -50,8 +52,8 @@ sops:
             OUlxNjdQaXdXMkZ6bnV1ek4yZ2dpbkEKpKGOAxo5Eef2jtGrg4iSzmGCeg+vTgvu
             +K8b+O19MIkGMDBm6UbYUPtc/7eqoEZRiTUzNMTmfkLVS4ul5zou9A==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-09-04T01:39:48Z"
-    mac: ENC[AES256_GCM,data:VkpF9zTWRLMriukAif6lfp8uy6+IcPDYUnXCQ5XLUtSstEyUoaVBjn+VVAoKkLX3MnyR6gyiYVWDDJmXrsyNoQpjRVQR0yu0p6p7sB3voGKiNxhw5qGwZj4IIXnHFWvktgWiawCiUkmSTUUHxe0XjAh7AWxjGqgAs/oyWGq/YfE=,iv:IQbJAhW/y18s57CAwRPeypQreBqQb0KkJAgIZ90QXJU=,tag:a0AB3l83j31Ex6PH9ziHRg==,type:str]
+    lastmodified: "2024-12-10T04:14:38Z"
+    mac: ENC[AES256_GCM,data:WLaeLyNQgw7DuRL/mAPRyHPR+i4YuYhf8TT5/5e6Hg14Fs2uvewHB7d2RLefRAg5IlCFerKioNuaAVDK079wCS95OjK5pAuq4rXIcodYSF7wD/yHfdsGp3ptr68rkdurcN1iSw4Xw+gkUjjq3irQYqtTQNGde4ez4O8KEe2tnHo=,iv:o+0siRY3emKZEDCuqya4A29h6F3oNSKGOjEshCXE+UM=,tag:77x58NANaAOsjxFKwuBmvQ==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.9.0
+    version: 3.9.1

devices/pi3b/default.nix

@@ -18,7 +18,7 @@ inputs:
           swap = [ "/nix/swap/swap" ];
           rollingRootfs = {};
         };
-        networking.networkd = {};
+        networking = {};
         nixpkgs.arch = "aarch64";
         kernel.variant = "nixos";
       };

devices/srv1/default.nix

@@ -4,11 +4,12 @@ inputs:
   {
     nixos =
     {
+      model.type = "server";
       system =
       {
         fileSystems =
         {
-          mount = let inherit (inputs.config.nixos.system.cluster) clusterName nodeName; in
+          mount = let inherit (inputs.config.nixos.model.cluster) clusterName nodeName; in
           {
             vfat."/dev/disk/by-partlabel/${clusterName}-${nodeName}-boot" = "/boot";
             btrfs."/dev/disk/by-partlabel/${clusterName}-${nodeName}-root" =
@@ -17,14 +18,12 @@ inputs:
           swap = [ "/nix/swap/swap" ];
           rollingRootfs = {};
         };
-        kernel.variant = "xanmod-lts";
-        gui.enable = true;
       };
       hardware.cpus = [ "intel" ];
       services =
       {
         snapper.enable = true;
-        sshd = {};
+        sshd.passwordAuthentication = true;
         smartd.enable = true;
         slurm =
         {
@@ -48,25 +47,27 @@ inputs:
             {
               name = "n2"; address = "192.168.178.3";
               cpu = { sockets = 4; cores = 8; threads = 2; };
-              memoryMB = 30720;
+              memoryMB = 61440;
             };
             srv1-node3 =
             {
               name = "n3"; address = "192.168.178.4";
               cpu = { sockets = 4; cores = 8; threads = 2; };
-              memoryMB = 30720;
+              memoryMB = 38912;
             };
           };
           partitions =
           {
             localhost = [ "srv1-node0" ];
-            old = [ "srv1-node1" "srv1-node2" "srv1-node3" ];
+            old = [ "srv1-node1" "srv1-node3" ];
+            fdtd = [ "srv1-node2" ];
+            all = [ "srv1-node0" "srv1-node1" "srv1-node2" "srv1-node3" ];
           };
           tui = { cpuMpiThreads = 8; cpuOpenmpThreads = 10; };
           setupFirewall = true;
         };
       };
-      user.users = [ "chn" ];
+      user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" "GROUPIII-1" "GROUPIII-2" "GROUPIII-3" ];
     };
   };
 }

devices/srv1/node0/default.nix

@@ -4,24 +4,19 @@ inputs:
   {
     nixos =
     {
+      model.cluster.nodeType = "master";
       system =
       {
-        nix = { marches = [ "cascadelake" "broadwell" ]; remote.slave.enable = true; };
         nixpkgs.march = "cascadelake";
-        networking.networkd.static =
+        networking.static =
         {
           eno145 = { ip = "192.168.1.10"; mask = 24; gateway = "192.168.1.1"; };
           eno146 = { ip = "192.168.178.1"; mask = 24; };
         };
-        cluster.nodeType = "master";
       };
       services =
       {
-        xray.client =
-        {
-          enable = true;
-          dnsmasq.extraInterfaces = [ "eno146" ];
-        };
+        xray.client = { enable = true; dnsmasq.extraInterfaces = [ "eno146" ]; };
         beesd.instances.root = { device = "/"; hashTableSizeMB = 512; threads = 4; };
         wireguard =
         {
@@ -30,31 +25,20 @@ inputs:
           publicKey = "Br+ou+t9M9kMrnNnhTvaZi2oNFRygzebA1NqcHWADWM=";
           wireguardIp = "192.168.83.9";
         };
+        nfs = { root = "/"; exports = [ "/home" ]; accessLimit = "192.168.178.0/24"; };
+        xrdp = { enable = true; hostname = [ "srv1.chn.moe" ]; };
+        samba =
+        {
+          enable = true;
+          hostsAllowed = "";
+          shares = { home.path = "/home"; root.path = "/"; };
+        };
       };
+      packages.packages._prebuildPackages =
+        [ inputs.topInputs.self.nixosConfigurations.srv1-node1.pkgs.localPackages.vasp.intel ];
     };
-    services.nfs.server =
-    {
-      enable = true;
-      exports = 
-      ''
-        / 192.168.178.0/24(rw,no_root_squash,fsid=0,sync,crossmnt)
-        /home 192.168.178.0/24(rw,no_root_squash,sync,crossmnt)
-      '';
-    };
-    networking =
-    {
-      firewall.allowedTCPPorts = [ 2049 ];
-    };
+    # allow other machine access network by this machine
     systemd.network.networks."10-eno146".networkConfig.IPMasquerade = "both";
-    services.rpcbind.enable = true;
-    fileSystems =
-    {
-      "/nix/share/home" =
-      {
-        device = "/home";
-        options = [ "rbind" ];
-      };
-    };
     # without this, tproxy does not work
     # TODO: why?
     networking.firewall.trustedInterfaces = [ "eno146" ];

devices/srv1/node0/secrets/default.yaml

@@ -4,6 +4,27 @@ xray-client:
     uuid: ENC[AES256_GCM,data:6JzTyJ+GVzLd0jWfvCc2dBdBVWz6RFH/8Gr73TNz6dNCyQjG,iv:ddGpYbIHN9PV3w6Oh65vEvv82jTChxgMdltIRPz++DY=,tag:nbFFk3S/y0hS3NFWGLPVJQ==,type:str]
 mariadb:
     slurm: ENC[AES256_GCM,data:IoRiruMV+bdf4qTSQBy9Npoyf1R0HkTdvxZShcSlvxlz7uKujWnlH4fc5eR6yytHcEZ9uPLib9XbGojUQOFERA==,iv:E0ac0DyhplaHEc2WmcXY0Fjpkt/pnY9PaATe0idqCRA=,tag:Vo/DBIUO6DBFCXQ1RLrchg==,type:str]
+acme:
+    token: ENC[AES256_GCM,data:k5QU1aHvd/hSG4yncffSwnxQvhULHd0I8wtrXD2FcOH3SWswkmzMOA==,iv:WB18Wsl0nxUQ6Om3SXP5+0BtFbNZ8fCXTyPJqj6a9Ik=,tag:dKpr52W7Wdwws87r3hQxqw==,type:str]
+users:
+    #ENC[AES256_GCM,data:rNA32tcCmriP,iv:No3Hyee58jDzZaXOD8SJYzgQXXs58oAddwC5Q9mo55E=,tag:RgZO7fgZkAr3Pawqt0dwmQ==,type:comment]
+    xll: ENC[AES256_GCM,data:kq6gpuxBRbDP7Yi16WJrrsumnSfersI2kP5pT5efn5CjbL65JaW/Bff9P4OM6b3J21ObT0uRSmParBqW4OvN/UA4KXDhibqwRg==,iv:GvpNgy8kREgxp9v0cyIobgg2ZrrxylMmwq1hRaAoNA8=,tag:RpD/1FjWVglzt8sIAjjpsg==,type:str]
+    #ENC[AES256_GCM,data:nl+uNO7GVV4r,iv:8hUmN4uWOqJE0g1aYA5dqQq+0oCpYGKe//yuECpmyBM=,tag:79XibRYMadJNE5Uy1O+4Jw==,type:comment]
+    zem: ENC[AES256_GCM,data:t6zd/9ZoJWEkPhKyfaUXWQM2Y2unpUUq79SEKSt8nmWCQxlBk4PzMX031CwNde/0A4G3ARyIoU8vcFqp8NaBMA64INccKccrGQ==,iv:QOKpu7lm6uiPACNGa0QvHP81PP/4doS3r95h8/nexcs=,tag:J85l6pYh9WT/LyMbTrw+vA==,type:str]
+    #ENC[AES256_GCM,data:7SGmLzQyXKWo,iv:lr7nM0r7eMc+sCNO8OgwwELH41zTk3W/1i+0rnTc+9s=,tag:ZOkLRhEsFXX6bODu6wUyiQ==,type:comment]
+    yjq: ENC[AES256_GCM,data:8TF316O4M3UDoSA7rjBn12vUdHOcWXtrvuhqa6K65NaMhHU9rMrPHEikr0tqe5B5ojhh8PRRe+X/Dq19L4rJXThRfzdhALZzsA==,iv:2plZ2m0JuuUMQqYnyETCPH9x5jnLtNl396zvv7ay++s=,tag:X7YSLQOE9xnC63RWCht3GA==,type:str]
+    #ENC[AES256_GCM,data:yclOn8oHwLYQ,iv:Ba7Q84z6e9/3lv43wdN+bd/aqO/y5qR5I6Z5O6o7U6E=,tag:ecaNN9MgZqDYBCbTlsOZtw==,type:comment]
+    gb: ENC[AES256_GCM,data:piD2eh5iUXnCEkEyDULPkjbEG4Uc4izoVAuscbb9TPr7Q9WhCJX3FGRYrQp/wmZQ6UETR1jTejtbT9j/kI96BcN2onlwO/lqvw==,iv:oFWeoDp3GQA8aR+/AcJnhkovOWx7MgHoCKy5xdPIJMo=,tag:n2E+zuKckNAU7mOCJW+f1Q==,type:str]
+    #ENC[AES256_GCM,data:hfcOjdrvK+YD,iv:8rUsS1exsOx+2YEgdATNcWGKqmaCNbpY1EEq1Gv1utE=,tag:Z0lq2ctHBWDtx2tyxOSIBw==,type:comment]
+    wp: ENC[AES256_GCM,data:DUfGQpSg79W8KD/SWC2B4FqoPGoCrd1miczAQR5YApD00QopMmeDR28uTmHru2KU9DsjkdnWEbgfM49CwXt5FFJennqW36oYbg==,iv:D9+3CMZlJIHm+u14rAEikQoBM3jBQN8Lnx22DN2EIg4=,tag:ZegZmI1kf7Whcw3EE9dwPQ==,type:str]
+    #ENC[AES256_GCM,data:6pwUu43Lu5/h,iv:lZQ5F8v9VZRGuUoEMH15JLvx40N08ahTEbdEoKEuvsg=,tag:zPMQy6d9/RcukBO1cyeM4A==,type:comment]
+    hjp: ENC[AES256_GCM,data:dqoQ9hUbptm0//mlcFRrqLh1NpjxFPH+4jeyMG/x9Zvkszw7d71jvkO8KEPBfKnXpPBP2lvFyEqooIMWQJPYiIszHt2f0qSC7A==,iv:5nRcsaylcx74tQR1KddEpZUhmcynMvdHCcJYA7wfJnE=,tag:bGVKD1aDZJUlFg/zagP/eg==,type:str]
+    #ENC[AES256_GCM,data:Idordi28++/e,iv:5TR6Z14yluxPhrD7ye2mXEQpD53qS9/ZJIZ+S1sTqco=,tag:IkmLWXdxDmFQxtpJxL61pg==,type:comment]
+    GROUPIII-1: ENC[AES256_GCM,data:JuNtb5SRUrxfyjWFn3Be7EU51j/HlwiOpuN0m+Picf/2Bs97kflGnqGKstVRIjWEn4WzqscSaLRsbP9uFfSBHeJ152xfyOqkww==,iv:mQvIC6v+1fziRDYHYSFMOKof1ZcoFskpQDiCAF35sa0=,tag:0IL2VvdMorgE6oziscAB8Q==,type:str]
+    #ENC[AES256_GCM,data:kyJP952K5atd,iv:TLMUPKshuWqbQ6koiZ9eTXcoDS3jLXYy/gCZbMGrRl4=,tag:M2tLLogovoG2PCojt9CJ9Q==,type:comment]
+    GROUPIII-2: ENC[AES256_GCM,data:ifWnLx1YEewdviqHK8fdesM3c1m1T4g6twnz1cGv1yc4jit68pQWLrRMivdsM4tUcyU9GKwCaElVlvh+dgyy8EZQPKCbvJX6GA==,iv:T5FWReeZ0QOkGJiNfrVrUBhAhbXxlFQJKqQV2tzw9AQ=,tag:XClXGZDWGuoGxzPW7ne2Pg==,type:str]
+    #ENC[AES256_GCM,data:t8QUVYG4v7fE,iv:N8hDAV7wulPHcfnYTXuZRhb9dQPZqKpfMKK1+ITaZTA=,tag:eKMJDOmqoWWQbv/mm3LaAw==,type:comment]
+    GROUPIII-3: ENC[AES256_GCM,data:VlAA+g7SRZyhPSl0Gd1KS7dCwNgRA/o+d8anN88A7E8bSE1ckeTSp+J4YrbbUlLasLhliOZ/nDC0rti+hckGCrjMwweMorSIWg==,iv:7u1yNrN7uxHCF1MsJ2qt1jyQ0ZYYCYKUHwRff50P9oI=,tag:3raCWjdButfmcdy8mH25Jw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -28,8 +49,8 @@ sops:
             OThDMWRsWnVTbzRGTTZqSDBkNWZJMlEKdQ/ipO7O5OvaGa81c2P7fi1ncufueSzX
             2njlHHz1gJCtjpktYaVvS6KSYtJoI9oNrF0YN5D/3kKW8TicsSGKaA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-09-15T10:53:47Z"
-    mac: ENC[AES256_GCM,data:0bZzNFEh3hRHLLImLLxYiN82QW4JAiyvuzRtE2MH8xa+VAE1kKy+ceED32zhEKl/yG/9lbGaz0bZz/+ouZyBd6ejvAbOaHZGRc+GY4VyLQfvpEx+7W19VVTGW1Wsae1zQv6WAML2cRsSbZX7FZNTGnTH8YKC9nXB+y+RTOtR7x0=,iv:+t1Agt5UmaloJ45onPWbcqu5geHNaMwF8WojmZeRiY8=,tag:IZbqzVl6LVVaJUHJSYkY4w==,type:str]
+    lastmodified: "2024-09-29T06:38:23Z"
+    mac: ENC[AES256_GCM,data:n7MVBKCUW4xpIiVO4ysBqlG89LjzpDBx9GJWQTrSenLWV/YrIGUxA6QDlRg7yhqV9ldF9Q7hDve1KHw7OxKRx5ot5OZiD3Bq3TwJfS2DarJ2vi9oc1J+CXXach8gp3m4C4RkPJ/y1i3jB2nRfSw5Z/TtdPMbvGXlHh+hhriAqxM=,iv:tyBcXMZzgeUOgYJtU1XkptPOlNoFwH+4z6xTD89aKOw=,tag:apXU989ZL+D8WhWKFTdXTg==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.0

devices/srv1/node1/default.nix

@@ -4,55 +4,25 @@ inputs:
   {
     nixos =
     {
+      model.cluster.nodeType = "worker";
       system =
       {
         nixpkgs.march = "broadwell";
-        networking.networkd.static =
-        {
-          eno1 = { ip = "192.168.1.11"; mask = 24; gateway = "192.168.1.1"; };
-          eno2 = { ip = "192.168.178.2"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; };
-        };
-        cluster.nodeType = "worker";
-        initrd.sshd.enable = true;
-        nix.remote.slave.enable = true;
+        networking.static.eno2 =
+          { ip = "192.168.178.2"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; };
+        fileSystems.mount.nfs."192.168.178.1:/home" = "/home";
       };
       services.beesd.instances.root = { device = "/"; hashTableSizeMB = 256; threads = 4; };
-      packages.packages._packages = [(inputs.pkgs.runCommand "master-system" {}
-      ''
-        mkdir -p $out/share
-        ln -s ${inputs.topInputs.self.nixosConfigurations.srv1-node0.config.system.build.toplevel} \
-          $out/share/master-system
-      '')];
+      packages.packages._prebuildPackages =
+        [ inputs.topInputs.self.nixosConfigurations.srv1-node0.config.system.build.toplevel ];
     };
-    specialisation =
+    specialisation.no-share-home.configuration =
     {
-      no-share-home.configuration =
-      {
-        nixos =
-        {
-          services.slurm.enable = inputs.lib.mkForce false;
-          system.cluster.nodeType = inputs.lib.mkForce "master";
-        };
-        system.nixos.tags = [ "no-share-home" ];
-      };
+      nixos.system.fileSystems.mount.nfs = inputs.lib.mkForce null;
+      system.nixos.tags = [ "no-share-home" ];
     };
-    fileSystems = inputs.lib.mkIf (inputs.config.nixos.system.cluster.nodeType == "worker")
-    {
-      "/home" =
-      {
-        device = "192.168.178.1:/home";
-        fsType = "nfs";
-        neededForBoot = true;
-      };
-    };
-    boot.initrd.network.enable = true; 
     boot.initrd.systemd.network.networks."10-eno2" = inputs.config.systemd.network.networks."10-eno2";
-    boot.initrd.systemd.extraBin =
-    {
-      "ifconfig" = "${inputs.pkgs.nettools}/bin/ifconfig";
-      "mount.nfs" = "${inputs.pkgs.nfs-utils}/bin/mount.nfs";
-      "mount.nfs4" = "${inputs.pkgs.nfs-utils}/bin/mount.nfs4";
-    };
-    services.rpcbind.enable = true;
+    # make slurm sub process to be able to communicate with the master
+    networking.firewall.trustedInterfaces = [ "eno2" ];
   };
 }

devices/srv1/node1/secrets/default.yaml

@@ -1,4 +1,24 @@
-hello: ENC[AES256_GCM,data:wA==,iv:kLAdTomvGSJRmZiO916Ort8crRCp05vlSamVMJ/gLbU=,tag:QTxIe+dhLWVljw9Svuu7Tg==,type:int]
+users:
+    #ENC[AES256_GCM,data:dgM035YLtZfl,iv:h7pHQ6YFa4hxcHMihQTegHmkaCMlfPtqdCqvJxSsXt8=,tag:V2v9C2TfErIOAihtTQpnSw==,type:comment]
+    xll: ENC[AES256_GCM,data:/YL4vowFLFbbYv06yaKWZH5UNBKs0L6LQ+6O0IsiUZpgW5fGfp2A5JTlH6ne7RGyyTE4GNId0MC7byQbTHHwO+5zVYWpzjDCfQ==,iv:5/VKGsIohoutZf3F4Qj8PruAXSivQ0zsg1pwLwZbCLs=,tag:/vsrCISEbgQ7HnubWOtKow==,type:str]
+    #ENC[AES256_GCM,data:oT8PFxQdwEt6,iv:eD/wF2toUAT991S0aO7NklpKSnMDH40+73IhU83H9t4=,tag:mxxAUdfHgC/hlvmLc2MlAA==,type:comment]
+    zem: ENC[AES256_GCM,data:RpmSTr2ZKfUNWg5vYbKB00AG18GNQs+kgx82E9Mg5hoc3HKmbAyIzjxloMn/Bw3MOTnof6Cf1ZzVCs53Wz8YbZFClLEVdKhMKA==,iv:NQJQOxQa/RaGzvGgarq5kWL8ojB1bejEiqJUCJLxgyU=,tag:8cFFQ5kKpZji4YvEYOyzOg==,type:str]
+    #ENC[AES256_GCM,data:keNqy5SdClQT,iv:N5LX7VJEwLHQ5HsFINs6LupP3rv/XAWFR2e/S52N+Oc=,tag:cqBh1bL1jAEk3mT0pLDd5A==,type:comment]
+    yjq: ENC[AES256_GCM,data:TagWplgUyhaEAuFpup0TRIxWXIEGwsG/V+gOo/pXSGor30B/BF7+wVozYTZ/iSN7OJJw8I7IZGvxvh0v01BGz1RQO6MEEpSj5A==,iv:TeXXYlhfae78cJFdZk0Nnm24sP43wi9UM80vHwKfXFU=,tag:lhae9Ona5OMlTBAJg3PiIA==,type:str]
+    #ENC[AES256_GCM,data:jmRMNpJLMqEo,iv:UOfzRSPDFsJ52sa2FVaQsVcU2P2bOYPzh4JLZ/8+hCg=,tag:8rCEYFELB2geXhfUjfZ18A==,type:comment]
+    gb: ENC[AES256_GCM,data:RneeGyzmdxCceKPzOHaTtS1l6NzuS07NYBxYrLICMLWHPog08FTINWEZx1JmqbAloVna3wE43kPPa9s1w3VbtPBhzRpTVZfUtA==,iv:1vu79FhPiWQ2/G5xzzBdyc790yv/aYKIQFPhaDpBmoA=,tag:vkpT1bDfVufBkDmOs7RomQ==,type:str]
+    #ENC[AES256_GCM,data:swW/4Fii+fHz,iv:9UZ8W6RY+n3XZkDCxSP/CQQn1Ji+mo2aqgmG9wTF/I4=,tag:2ifOyc0oGzM1iM3rouvvMw==,type:comment]
+    wp: ENC[AES256_GCM,data:/cIBL7orNYqu6Ybahdd1UVdTbS1SHr3GGb3ib4FDxPUlp/Xr4ARMX+01N6pOahVYwE8Hwp6nr4TdvwFpe2/AE6v2rbyclSzJgA==,iv:ZGwmAgwiC15K5NhajLCTiuW2mLT2gt0KUicDFmMY+JE=,tag:8rcoY6/weOkML90FyDfiSw==,type:str]
+    #ENC[AES256_GCM,data:6KbDgRf0Lmsh,iv:2vhLHgIzhCrdvQ7w6lCPKOmLlOVRJ5gJ+Pw5NSiMVVc=,tag:E6PwWCsUn3tZwV95zFbwhA==,type:comment]
+    hjp: ENC[AES256_GCM,data:0hzP2t4ck/0GVa2OoZxETCSQvp0QYN+0MJYl5aJ5hzSOXbwBPlTcIbjckpWDacx4iKGw+skhv1Nhz9lGrhgvddzqb/o1GWkKUw==,iv:OzKTIxDm+AgDAy4rP31kts0PKHuNqBZWc0Vsvh6X8CY=,tag:7Y/6qP+TJd1o0a96gKq5JQ==,type:str]
+    #ENC[AES256_GCM,data:PQmtt6/8T8Nm,iv:ZDUkaQts3hUQ1nncynoGw8gNV9jYvnXz9rOaqRC6yLE=,tag:jN8sUWnqoWbMlkLEqVKNkg==,type:comment]
+    zzn: ENC[AES256_GCM,data:YNB9leH/qgXpApA+bnsZiBlfbQSEiOoqhDgKCbwz33zPVc8KRShSS4kWEseiMlYLv7Kfbfy94cEKLOaWBjuRmMrODmC3HZ+rtQ==,iv:Ju02Sz0PHoBftz2W818hmXQ3J/fzLacWv+gy4eGXvjU=,tag:B6mvgWUclyHXgno07jhXQw==,type:str]
+    #ENC[AES256_GCM,data:UVi9/5NV0ySV,iv:E7ZZvvf6lNJdT4esykilJxhpTu7gqmu9w4w8rII/RSk=,tag:pnl3G0qt7ZzXlA9YWo7LiA==,type:comment]
+    GROUPIII-1: ENC[AES256_GCM,data:M4LHqgN/WYk9Nh7Pawft1tplh/FiADu6GoyImyLGBk8rbNNLT5AXuNYGj97tVYxI0Hwek+zhnmcjAWdDtmkVzE7TcD1WAZbkTA==,iv:GN/jHnEikITXkLRR/tXnhYiTE5bIDOg1d9DrYeASoY4=,tag:hkoAHHYX+q1topjXkRyK2g==,type:str]
+    #ENC[AES256_GCM,data:EVL/9hYcFl4F,iv:EZ8PMqklNEky0i940vwyQFXrgBoQRwwGDjBgRB18KGg=,tag:cnQzCU7XZ0EO6ojGaEk4Dg==,type:comment]
+    GROUPIII-2: ENC[AES256_GCM,data:7HOyyFtPjhxtvz3cG561aslZ1Ct+DmR290XOxz34sA/vyA+gjvHTWoIpKPGVzSU8vGfaLLV4ta/nOUsK/VfUj00ngwTdkEDkrg==,iv:rkDAE24gaE7MzOcIUX87oMyK6ra0Pt/vUNrIV9p7aFY=,tag:24NTkSu8Fd785uC2Lwr2XQ==,type:str]
+    #ENC[AES256_GCM,data:sa3uVs8+996Q,iv:eN3S4x/UROkZWV3U2pZpvULgoPdh42lM/Q+jZ13ohsk=,tag:IG0q/+ti4tthAejVp7MCPw==,type:comment]
+    GROUPIII-3: ENC[AES256_GCM,data:jfeQWLGUWK4xfgRtS9RjjN76D+JLqTF526SI0XeYnUXtCsKhJYE88hgVnn7m/Af9g1OCj08+UDsM8cyKOJj3+m6h+IZQzCS4bg==,iv:Syf3SYAFvOtfOy4PeA/PcYbuUnABk6f5A+OmZYtdwv8=,tag:cib1RuKxGffjB7R5GSxotA==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -23,8 +43,8 @@ sops:
             R1BkT1hoSWo1RlJnU0pCdTFYbDFoZmMKKF7cND1jSo+neTTJ+GwW4T0RTOX9mbME
             58wjAtkrKSD2vDFMQ/vtPNiohAt6RMdClLVm50yh7Oh961YmvJYnbA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-09-16T03:04:24Z"
-    mac: ENC[AES256_GCM,data:2uq4QvP4l+WvV5G1FOj9nNmC9ZRvJcLUsLU0/Wrh7b6f+30g0lkw5M/WtHFd9CjrfB1O98Cvm3Y3ABsSTue5OLuAjACc+Jz5wvRbuLkWRNRU4HNdaAJIzN5Fqd6w+SR8vzLCe+NTcDlhEjdD0zcrRGD4+aM/cnn228sCTtRw1JY=,iv:MhHsNC/VJVPI8LVN9xuY4JZFlinuDI3C3Igo/O9/gbs=,tag:4jIbeOwspn7yZCrn8xKVrA==,type:str]
+    lastmodified: "2024-09-29T06:38:35Z"
+    mac: ENC[AES256_GCM,data:UWDwXUfk4R9CfgU2gv1NZsusLq5+VTsvjGQNst99MuxLz4sox8CZuuYsDLB2dobKrJua107yqhbM8Ps42JJVHZEf3WHqP08tRbdIWNVoakYR6UJlNS3WZVR+LlheQI5PfJqPqa7VFgZeSVm7weIPCHqvHt+ak76oyJK1VsI0f+k=,iv:VL9s+LUA/TrOsJNQWC0/v0Yh+hT8uh2vitc9h1xHBEY=,tag:iA8yMpm+0ANAC+2BLN9Agw==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.0

devices/srv1/node2/default.nix

@@ -4,52 +4,41 @@ inputs:
   {
     nixos =
     {
+      model.cluster.nodeType = "worker";
       system =
       {
         nixpkgs.march = "broadwell";
-        networking.networkd.static.eno2 =
-          { ip = "192.168.178.3"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; };
-        cluster.nodeType = "worker";
-        initrd.sshd.enable = true;
-        nix.remote.slave.enable = true;
-      };
-      services.beesd.instances.root = { device = "/"; hashTableSizeMB = 256; threads = 4; };
-      packages.packages._packages = [(inputs.pkgs.runCommand "master-system" {}
-      ''
-        mkdir -p $out/share
-        ln -s ${inputs.topInputs.self.nixosConfigurations.srv1-node0.config.system.build.toplevel} \
-          $out/share/master-system
-      '')];
-    };
-    specialisation =
-    {
-      no-share-home.configuration =
-      {
-        nixos =
+        networking.static =
         {
-          services.slurm.enable = inputs.lib.mkForce false;
-          system.cluster.nodeType = inputs.lib.mkForce "master";
+          br0 = { ip = "192.168.1.12"; mask = 24; gateway = "192.168.1.1"; dns = "192.168.1.1"; };
+          eno2 = { ip = "192.168.178.3"; mask = 24; };
+        };
+        fileSystems.mount =
+        {
+          nfs."192.168.178.1:/home" = "/home";
+          btrfs."/dev/disk/by-partlabel/srv1-node2-nodatacow" =
+            { "/nix/nodatacow" = "/nix/nodatacow"; "/nix/backups" = "/nix/backups"; };
         };
-        system.nixos.tags = [ "no-share-home" ];
       };
-    };
-    fileSystems = inputs.lib.mkIf (inputs.config.nixos.system.cluster.nodeType == "worker")
-    {
-      "/home" =
+      services =
       {
-        device = "192.168.178.1:/home";
-        fsType = "nfs";
-        neededForBoot = true;
+        xray.client.enable = true;
+        beesd.instances.root = { device = "/"; hashTableSizeMB = 256; threads = 4; };
       };
+      packages.packages._prebuildPackages =
+        [ inputs.topInputs.self.nixosConfigurations.srv1-node0.config.system.build.toplevel ];
+      virtualization.kvmHost = { enable = true; gui = true; };
     };
-    boot.initrd.network.enable = true; 
-    boot.initrd.systemd.network.networks."10-eno2" = inputs.config.systemd.network.networks."10-eno2";
-    boot.initrd.systemd.extraBin =
+    specialisation.no-share-home.configuration =
     {
-      "ifconfig" = "${inputs.pkgs.nettools}/bin/ifconfig";
-      "mount.nfs" = "${inputs.pkgs.nfs-utils}/bin/mount.nfs";
-      "mount.nfs4" = "${inputs.pkgs.nfs-utils}/bin/mount.nfs4";
+      nixos.system.fileSystems.mount.nfs = inputs.lib.mkForce null;
+      system.nixos.tags = [ "no-share-home" ];
     };
-    services.rpcbind.enable = true;
+    boot.initrd.systemd.network.networks."10-eno2" = inputs.config.systemd.network.networks."10-eno2";
+    # make slurm sub process to be able to communicate with the master
+    networking.firewall.trustedInterfaces = [ "eno2" ];
+    # add a bridge for kvm
+    # 设置桥接之后，不能再给eno1配置ip，需要转而给 br0 配置ip
+    networking.bridges.br0.interfaces = [ "eno1" ];
   };
 }

devices/srv1/node2/secrets/default.yaml

@@ -1,4 +1,26 @@
-hello: ENC[AES256_GCM,data:/WGwXDnQio1BwD/zPoURTjVzTasWICOA7CBsgT5DbYIkKLt5DxzogeYWpiqjVg==,iv:BY82U/y9V8PYtn3Bre+nabGBcVgFbppIQZb7GhgY62I=,tag:JFqrezoWNJ8ZACCKQ43n5g==,type:str]
+xray-client:
+    uuid: ENC[AES256_GCM,data:U+unsiKt9vNo/EXEpLHR0Ny3DxQEwx7a40KmwZDZki7RQEuM,iv:7w90HNM5lfh2VY20AcUEVdu5X2uxqXxR0hARncmMR60=,tag:xIbKc+9SF5LP/tY/XoGYxA==,type:str]
+users:
+    #ENC[AES256_GCM,data:bAA1+Mx9xsFr,iv:5GWh+DyuRydCKm8K1kaiTJIt4ReEugHFnKYfan6RAE4=,tag:VqcWjIMIYhkSj6f/ZclTVw==,type:comment]
+    xll: ENC[AES256_GCM,data:lqzwlETuKuKa2wh+ickMFiWyprcnIBfRBjri+NWoltxib/LWzEEbyetRc4AKyVaBiDhsOTw6MazPNy2mhcAFwb6pM+QKce5ntA==,iv:VaGQux8MJNPZeHwDpM+yJ47XvOul0qRE8xVdSWjYRhY=,tag:rBWdTPmJX9YsP0l1FtVbJw==,type:str]
+    #ENC[AES256_GCM,data:AgppEXaJcXhQ,iv:gI4nUzfy7w9yqaWlT1NYk1cHdErCJsrlilwYSGxxCdw=,tag:/A6zwbvQdhX9MLfAdXIVqw==,type:comment]
+    zem: ENC[AES256_GCM,data:t0rCwed8EzXbEuwTabzSLUd/Gln3YD9IT56JNVHwlodAvFYwtTDJe3cy7K17TmIkL1Nk/hAGzQ2BIZJxaKq7A5pSNIUO1zqMUQ==,iv:jSKCoNKQ5a91kK19w5mE0lJ9lh391ACq64UtLvJ4kLI=,tag:d6+IrgLyCw05vvLcCF5+yQ==,type:str]
+    #ENC[AES256_GCM,data:s39KO3hHcrOK,iv:ICtP2r9JMjcieHZdyHpj5Z1DympJUcHq2jPpjUwSOzM=,tag:Es3YS+mEg5I3SIujfs50jQ==,type:comment]
+    yjq: ENC[AES256_GCM,data:gOc59J2eiND+qJJRwLYvTymfrjWNRWw8IwLxDdS2cSu0yTN5SWF1eEg+tYmDqqhPmXkIlenL8VyIZD2P+Qi+Vi7l1pZMnneRCw==,iv:TsWOmHlClMgpXbNsCyvs+wkTvvKViAooA36+O4eQesk=,tag:jp5ZO9tlCPNTNZXWXCUEeg==,type:str]
+    #ENC[AES256_GCM,data:JmmZl+8nta5Q,iv:qWGS5i+ntmJ9x3HFClVdfypQKqSTUx827OFu/wxx3HQ=,tag:SzvgJtIQb1Z02GDwkAhveQ==,type:comment]
+    gb: ENC[AES256_GCM,data:pgwGyp/QC+h05grD345pJrJefm4NWd0e6mQEzrsqCbjMi9Ak2nUD+K09mIKQJ39NttC+NQZezRmKUJjDBH50s0O69nBlPOJtgA==,iv:ZLm6KUzD8fTq4YpxhdYjtp7bbDjP7Sy+0fnDO0W5GY0=,tag:H2mNHIQvHe+3YzZ9ITVdOg==,type:str]
+    #ENC[AES256_GCM,data:94hwxSaMkbIB,iv:4Xjukoo7rxeu4SWjwFeLo5fwSX6a8mpkTOIpnOnR/Io=,tag:XOjY6ziyDdMNo53NFSjcJQ==,type:comment]
+    wp: ENC[AES256_GCM,data:9/aVAQskZyQrfhVFVHfpdTWDLdoP2ZO7gG6bNcRpOJEBle3V9XqVSwmLViIIysy4XxoR3cym/7WXB96O3C8feK7sbihaRpT+Dg==,iv:WPnDArVKqV7u3EIQ0CMectK1W6gXKOo37oOybyob3As=,tag:1R/0qjRzif4/sTFSs55NuQ==,type:str]
+    #ENC[AES256_GCM,data:RluXnmnn8CAI,iv:OqzKfed5CARE/KKur0GXDpLBqStEva7YVoQMQX4+FnU=,tag:prOaqWk6ARxEKvnhOnCZhw==,type:comment]
+    hjp: ENC[AES256_GCM,data:Tb9vCi68B88UZc/ZVSxEI+esKOLlFcAPAaMk9FDmkBycZmzDjHfkUKCxVcOMtqeNSluVZ/5IFgowaYbk9ncK6yoYTjXjj1Z0lA==,iv:COs+ijt0h+UygyhWDQV23NRd/xBcfeqz6CO7D+xw7t8=,tag:RaIMaGrgHkidB9vqLR6cNw==,type:str]
+    #ENC[AES256_GCM,data:pymPvP+KjTd2,iv:g5tmBMQevuzES9FVlRten8Vzy5nvgamDNPo6Vy018T4=,tag:sMYZAyyAzEyS5CsAyC7xtw==,type:comment]
+    zzn: ENC[AES256_GCM,data:CJ8cOBjblYIc0GoiPnIbbWfYDfpQW5u31R9T/P0/aVuxi6P44wYYH0posVGthR1laqHIlu8bzgeRyTbBYir/Mw1AGokAnFLEPQ==,iv:dJXFcZ9f3xe3rcPzOLd6AMFh6EyJXlv3/+uR2x9XYsw=,tag:4I1WqtloUSXNeQ6AlVPY5g==,type:str]
+    #ENC[AES256_GCM,data:r1Rl1+lfgMad,iv:9RGwiYlePcXZFDxw5uc1yEwZ4N3lStmE1cGmsj5dPls=,tag:yGChsxZtIzDjMUgIkd+PdA==,type:comment]
+    GROUPIII-1: ENC[AES256_GCM,data:IIZpTdr5jpidbxYCQ+fODOHdoWI51upPI3yxYlrAAd+RE62t6PzAvHKFmKPivbHmQS5RZrJXE7zm9JtwiodRmPl0pYLxYNBpFQ==,iv:WQc1pOungm1gEqYPk/MITbjs1l83ikcys47CARRgoFk=,tag:sS2mXDIWl32ZZzDtictv9g==,type:str]
+    #ENC[AES256_GCM,data:VtrWQKVtCHtA,iv:ap/n2HxQ7dgKOA8rIfenv9LOwwAh1na8+I9O/k/wMxs=,tag:Vl03ortuZ5OS2qcBMnc59g==,type:comment]
+    GROUPIII-2: ENC[AES256_GCM,data:fkxYmHEQnCjx/srKBgjreIR0S7mcXyl1h3H80PFsH3A/yCGnJbFCGK1GW1++Q+tziOnEWCTLZ/l9dlPuB5BFSK7iHiVXtkOfVQ==,iv:z6duWl+LFpS5RJnCGxb3yvgHp96uJYoSsAThWrbGYfg=,tag:AKWisEg506eOgdp/4tLU7g==,type:str]
+    #ENC[AES256_GCM,data:e8HuWaLrvHx5,iv:ZKvfRQtOMV6v3MSCDVoPEsxldI+ZRYJBwrKAD8YZzPc=,tag:tPL3IyjC8f+S+6MoMJSd0A==,type:comment]
+    GROUPIII-3: ENC[AES256_GCM,data:if1S/3AxNLkWvDQJom+4EPRBOpkAPNTkEcqHHLAuEJATSNLlIhVLOPgt10cM4LWx2TdG8V2TcZip9qnr4ABHMsPF5vm6Y53r9Q==,iv:Rba0So8DXJrSC88mjwT8j2AVy84TPm0R6AVf2ZmXNBg=,tag:qiSeYLrw/6QJ7vMiPEZ66A==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -23,8 +45,8 @@ sops:
             MVU1UW9lWFJnSTE2aC9ZL0huYURUK3MK5U4cLWRMm+FFo8ATE/OoAcHzYHFMpOtV
             Q5kbq5PDMdp4qvoM3T4kLsB34oU55HjFvac0pilOhNRrz4xRMQgvoQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-09-20T05:30:52Z"
-    mac: ENC[AES256_GCM,data:nSrkKUo4yB57aetzdJ1sjSKcm5STQ6jfMhvY4/tXft2P9zRYigSP4PkZj7z+knxcIx9sFdA86h8X45oUjxaAa5xDJpgmvC/EEKxm5rZtVTxYYYdy40W72qThVuKUasWpYrrGZbZEbTu3Dad1yfJTilwofRtxoo1Nmj5lMvw+HRo=,iv:UvBSF5GLEj+hTZksrIV3Ow+HQ/xjqwCUuwqkdz8g0Qg=,tag:U5wJPhmeevB2i2GBgMGBFQ==,type:str]
+    lastmodified: "2024-09-29T06:38:42Z"
+    mac: ENC[AES256_GCM,data:tb6UXalJcNqd1bCJ4pdWQ5lctAXMrwAJsGagNIjtAklVx/0vibEBTvtVdI3CSNA3OuDguyXc/ECGEqlPNpoRq/F5JINfnirEbaBL6KhNkFxaSLVP7mu1u0KH93qhzA2j4jofderpxj+FvOOMVZNuZkrcSPDoufPA/ypY+YaKuu8=,iv:KPyXi7AD6FSmoZKYUDh2zLZnArvdcHau5XZHk8CbwI4=,tag:7T1jUJ7eNkY9VYt2eP+brg==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.0

devices/srv1/node3/default.nix

@@ -4,52 +4,25 @@ inputs:
   {
     nixos =
     {
+      model.cluster.nodeType = "worker";
       system =
       {
         nixpkgs.march = "broadwell";
-        networking.networkd.static.eno2 =
+        networking.static.eno2 =
           { ip = "192.168.178.4"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; };
-        cluster.nodeType = "worker";
-        initrd.sshd.enable = true;
-        nix.remote.slave.enable = true;
+        fileSystems.mount.nfs."192.168.178.1:/home" = "/home";
       };
       services.beesd.instances.root = { device = "/"; hashTableSizeMB = 256; threads = 4; };
-      packages.packages._packages = [(inputs.pkgs.runCommand "master-system" {}
-      ''
-        mkdir -p $out/share
-        ln -s ${inputs.topInputs.self.nixosConfigurations.srv1-node0.config.system.build.toplevel} \
-          $out/share/master-system
-      '')];
+      packages.packages._prebuildPackages =
+        [ inputs.topInputs.self.nixosConfigurations.srv1-node0.config.system.build.toplevel ];
     };
-    specialisation =
+    specialisation.no-share-home.configuration =
     {
-      no-share-home.configuration =
-      {
-        nixos =
-        {
-          services.slurm.enable = inputs.lib.mkForce false;
-          system.cluster.nodeType = inputs.lib.mkForce "master";
-        };
-        system.nixos.tags = [ "no-share-home" ];
-      };
+      nixos.system.fileSystems.mount.nfs = inputs.lib.mkForce null;
+      system.nixos.tags = [ "no-share-home" ];
     };
-    fileSystems = inputs.lib.mkIf (inputs.config.nixos.system.cluster.nodeType == "worker")
-    {
-      "/home" =
-      {
-        device = "192.168.178.1:/home";
-        fsType = "nfs";
-        neededForBoot = true;
-      };
-    };
-    boot.initrd.network.enable = true; 
     boot.initrd.systemd.network.networks."10-eno2" = inputs.config.systemd.network.networks."10-eno2";
-    boot.initrd.systemd.extraBin =
-    {
-      "ifconfig" = "${inputs.pkgs.nettools}/bin/ifconfig";
-      "mount.nfs" = "${inputs.pkgs.nfs-utils}/bin/mount.nfs";
-      "mount.nfs4" = "${inputs.pkgs.nfs-utils}/bin/mount.nfs4";
-    };
-    services.rpcbind.enable = true;
+    # make slurm sub process to be able to communicate with the master
+    networking.firewall.trustedInterfaces = [ "eno2" ];
   };
 }

devices/srv1/node3/secrets/default.yaml

@@ -1,4 +1,24 @@
-hello: ENC[AES256_GCM,data:DCfr682OxZ49pR5Q/sYZxqMdmUothpOOQOiKiPc0Xoh/gJ19qA0yVrO7aKk3Bg==,iv:B01Qfkiy3/B3MYskqFAxEZNoGjb8+A5wcyjq8Bj987k=,tag:e3/VHntKiG+/8xHz/nFXYg==,type:str]
+users:
+    #ENC[AES256_GCM,data:uBjvj5Y6SIk8,iv:WxYu6Xkh2T7kb3uLqgkJJtHvCmWyvntcGfCKJfSfSmo=,tag:ueHbPNX3KOVO9RdQnw/nog==,type:comment]
+    xll: ENC[AES256_GCM,data:Cp2wBFygUBlZnf0oAAxB5L8/qD/LwKksp0YG4Ic7nay8E8kXJGSYDyTK5AdeVh8/MxLgVVY6LMWtUOzFe3WU1u71pgBGF4x+yw==,iv:wXfcHuJzqWmm++vysZW3z4TLEOkgWTUF/pqFDfgwny8=,tag:k9o2yp1AksTGOgREOLlprQ==,type:str]
+    #ENC[AES256_GCM,data:4CsCDEg/UChs,iv:ENErjaF65B1dCuD56/DCqe37WSCu1q28s2khMyF7I8E=,tag:q9mxHCAsuDGygseYU0pRDg==,type:comment]
+    zem: ENC[AES256_GCM,data:cPDlicY4vrQ5VTyfCVN0zH5EIV8kH2xqlFEUkmwO3TmKV69Qx0nE+6yiUhENKR72zY3p5w4ZFEtF7maqqklWvThkeSs059aFpA==,iv:g+nASIzOUZuyX5MCFcKOJKsKTQhcpSY4sIKArlVZh8o=,tag:WaAYcxHmFs6/EG3oy56xJA==,type:str]
+    #ENC[AES256_GCM,data:fu6KBkGEtzD/,iv:OzClxptcUbrbgmYYoQYcInG5Tl6HrjSRVrt3iIaSrqI=,tag:kc+AxJ7UI45j6eW69CiBkA==,type:comment]
+    yjq: ENC[AES256_GCM,data:QGpjtIrtio3Jc4kGam5cjqCHZJl2c0wWQAD8BXXhiWfwbQF+sQSTk2V3FbvOlHjqcT92ab8qWCCFjIqBH4DJUq+z/eleX6Y4wQ==,iv:aky2Q2kpEf2EhcR9UXIAyf+BSW9CIZCGbyZCp0l3X4c=,tag:RHLILdrK3duFA2iZDDigEw==,type:str]
+    #ENC[AES256_GCM,data:YUQ73+HZk69O,iv:wY5da+RRnPpXOD5+HdKkyYZ04ZpB3NBtRjRq5Utzlvw=,tag:BE8MhvbxTkn3rG4Pe/zitw==,type:comment]
+    gb: ENC[AES256_GCM,data:AkPFt/GGyeKdYtY/cW774Yi4rrxhTFRzXe/hf0rbwFESwf4pwgfdcr9e3bp6mfmNy86CCDMsUVPtg49q+DV+9CwHU1ETe1vIbg==,iv:L/kLfEjt3WEQmgAXjOAsnE2Sp45DQP9LLKcZe1FjnVs=,tag:HluImuMHEhiE8yAw3fjNQg==,type:str]
+    #ENC[AES256_GCM,data:WCkGncBugE2H,iv:ZN3edJuEDKrHo9OZs0jbU1ATI5+WpfVul5i7SK51ME0=,tag:rgxwqwPJcdDNMnRFlxNplA==,type:comment]
+    wp: ENC[AES256_GCM,data:n7S4got9Q/7s7rZQldnB1wJlB36uqjremc1UDeUmzs6I9Gp9YPj7dJBDAHBNzWruo83ciP6PygHcCmHzBojISgW/HdD5j9cgJw==,iv:ymjB5YWxJJXBA80a2MPYHXBV+bNxUhroPWu+1GJo4XY=,tag:GGVz7kzBrSomBityyZBdvg==,type:str]
+    #ENC[AES256_GCM,data:2aKW2wBhF2oG,iv:wXRX5ZAr5O0c/H1WvzK1+kG1NbZU92h89NgXB8lHfMk=,tag:gAW2oQxz2dUthyNvMlmxcA==,type:comment]
+    hjp: ENC[AES256_GCM,data:+9MKYP96nBdLFVcTkpSS/hiTLdTOf5+Rs3dpUus/ym7gl2+aA2rGtlGS+ozALeUV1seNlVAuyhclZG2dH9uhaudlQvQw5ntAzQ==,iv:eobXw5ahEl9I2HlXD+y3NtGFOlPulk+aKVFxuCRe2+g=,tag:zt6MveyltO2xxThG9grZqQ==,type:str]
+    #ENC[AES256_GCM,data:WLU7JBd7ZNES,iv:GkmmM1n0Squ0rundsz4Q+1dkF9BcCaV1hID8bt/gmxI=,tag:MMukyZlOeE0CcnI51VYPWg==,type:comment]
+    zzn: ENC[AES256_GCM,data:5uNrzv43K/TQlGDldxqUYscDoEduTJdRz0jgd5dBh3N3bMNHulZbD95IVAj87OkLgdOtlDPZz3DfB5oxKBVcV0XE/E7GwJKILg==,iv:SB/uOB1SdhC5zGCY/OzBRY6wgGQLwKYuFgekxZpX1Y4=,tag:ckOxmdXvhQjGMPssoLeMPQ==,type:str]
+    #ENC[AES256_GCM,data:xLPmYdIcIUz7,iv:NqaKJJgyMwfVfAYgEAMHXo1qLYfyOHhIcV++lseKcNQ=,tag:qXDuROf4A9T2H61KtrQUpQ==,type:comment]
+    GROUPIII-1: ENC[AES256_GCM,data:izqFF2JD0ZEeNlqrQ9sJcEcrnp/WmyJL46jszmR4fLwrFGcMoekSfOTkzjO8upogY5fIDsn02dwh4mLX74vA8DjeRTaDKZyyfw==,iv:lknYrGgDFQen2w8mtLNHewQXara1ikWvGdvVA8a6Fyg=,tag:EiiMBUhF6YOafD7MCIMA5A==,type:str]
+    #ENC[AES256_GCM,data:Zt6KCQ3chnLi,iv:RpMBGf2zDVWN13PpTr0Zj18ORdIZT2u34BestCjyLsU=,tag:aBuN2QGhxgnOXPC1NOoROQ==,type:comment]
+    GROUPIII-2: ENC[AES256_GCM,data:fAczfnHue47oHJm/8Hcu8iC+scxUQRNZlJWSCFnmtn8PzbOtPXGVLYaZJs3SRE0F7yYsOUZlHnEPaK5bFjCHioindbS0oimBfQ==,iv:F14TVM+UxXm0UbAgLmQpkI4v+jhQ84a4G8IuWRw1k/o=,tag:R+r0be31nLC0T6Isl9/sdA==,type:str]
+    #ENC[AES256_GCM,data:xccChTyxO80R,iv:tSxhbmVwhwD1IbXRNglS+WWMXfzUDaoJfCNqfKWqVko=,tag:XrFTahck6EKRf79NNeMRfg==,type:comment]
+    GROUPIII-3: ENC[AES256_GCM,data:LQAAYOKBVKRsVfwRJOr4jBCqnHKG60euQMngfuI82Dewwtnt4fKZ/iDg6otJIXwdMdiYI4ytr573GaAPyadt/UdDv+EqrLQ3qA==,iv:dD7djoiEBjrZCQCKkjzsVD+IK7T9sL02zxRG3b1uwQ8=,tag:sqJ0Q665aXVnPHWlTS0Rag==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -23,8 +43,8 @@ sops:
             bHQzK1EvVEhvZFI5MjVxL0Q5UVZYdGsKJl2M3eOB0lRyu2VO1qDjW1pNJ9HhwAS6
             g5yOa2fxLJn4bvmQAJYeNJ1Wi6sYaBvkbeOegjaKjW4ZvwhP5kWqRA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-09-20T06:02:54Z"
-    mac: ENC[AES256_GCM,data:OQYaHF7lMspMaXjK64fZhdd6w9EHWzvjYsJdGEEaSwj6nfgb8EPxn73hn8NMgubXnqxonqbrpwgUuI+u297ItEEsksWQGGe//UrLlAJlhPvgezOpeeBfT4iWUrbazam4Uakh457N9W0AX390D2VmDtSBMw60fqnIeSnJF6Jv5Gs=,iv:O0h2sKf4KibuP5ZfRWF8tEVnLyyZtwst66frYUC4Awo=,tag:y94K0y/nF4y1sfh+P/hWrA==,type:str]
+    lastmodified: "2024-09-29T06:38:50Z"
+    mac: ENC[AES256_GCM,data:pQDphBruG5s5trIOY1fvcCAnLDx+NcVJ6cEP48u92JRnM5cojYXbiFt6Mlq+bYLxkXb2PoKMBoohRbsNdYLRgz3BGAY//Kc5OHGWzi7r9t4/iuhcouZsV/6wHGnrJ0yECS2+LPkT+/JXnYv1ZJTpUR0TSmTvnCgJI6xpWt8HDSA=,iv:Oyn7UESWVDqh3kDFAX3opbC/XEYOa1s3wmGolc1uhTM=,tag:aasXTc9+bgLgCaLDNfbJGA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.0

devices/surface/default.nix

@@ -1,67 +0,0 @@
-inputs:
-{
-  imports = inputs.localLib.mkModules [ inputs.topInputs.nixos-hardware.nixosModules.microsoft-surface-pro-intel ];
-  config =
-  {
-    nixos =
-    {
-      system =
-      {
-        fileSystems =
-        {
-          mount =
-          {
-            vfat."/dev/disk/by-uuid/4596-D670" = "/boot";
-            btrfs."/dev/mapper/root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
-          };
-          decrypt.auto =
-          {
-            "/dev/disk/by-uuid/eda0042b-ffd5-47d1-b828-4cf99d744c9f" = { mapper = "root1"; ssd = true; };
-            "/dev/disk/by-uuid/41d83848-f3dd-4b2f-946f-de1d2ae1cbd4" = { mapper = "swap"; ssd = true; };
-          };
-          swap = [ "/dev/mapper/swap" ];
-          resume = "/dev/mapper/swap";
-          rollingRootfs = {};
-        };
-        nixpkgs.march = "skylake";
-        nix = { substituters = [ "https://nix-store.chn.moe?priority=100" ]; githubToken.enable = true; };
-        kernel = { variant = "xanmod-lts"; patches = [ "surface" "hibernate-progress" ]; };
-        gui.enable = true;
-      };
-      hardware = { cpus = [ "intel" ]; gpu.type = "intel"; };
-      services =
-      {
-        snapper.enable = true;
-        sshd = {};
-        xray.client =
-        {
-          enable = true;
-          dnsmasq.hosts = builtins.listToAttrs (builtins.map
-            (name: { inherit name; value = "0.0.0.0"; })
-            [
-              "log-upload.mihoyo.com" "uspider.yuanshen.com" "ys-log-upload.mihoyo.com"
-              "dispatchcnglobal.yuanshen.com"
-            ]);
-        };
-        wireguard =
-        {
-          enable = true;
-          peers = [ "vps6" ];
-          publicKey = "j7qEeODVMH31afKUQAmKRGLuqg8Bxd0dIPbo17LHqAo=";
-          wireguardIp = "192.168.83.5";
-        };
-        beesd.instances.root = { device = "/"; hashTableSizeMB = 512; };
-        waydroid = {};
-        docker = {};
-      };
-      bugs = [ "xmunet" "suspend-hibernate-no-platform" ];
-      packages.vasp = null;
-    };
-    powerManagement.resumeCommands = ''${inputs.pkgs.systemd}/bin/systemctl restart iptsd'';
-    services.iptsd.config =
-    {
-      Touch = { DisableOnPalm = true; DisableOnStylus = true; Overshoot = 0.5; };
-      Contacts = { Neutral = "Average"; NeutralValue = 10; };
-    };
-  };
-}

devices/surface/secrets.yaml

@@ -1,36 +0,0 @@
-xray-client:
-    uuid: ENC[AES256_GCM,data:WEBAH3PQM5ahNpH/kvTtcjcJ2GllmmRlBR2oclG6AimGenSg,iv:TMp0WTOe9fuELSZoVGenl5XSZUFoiYUBEMWMn4NFv1g=,tag:GJTE0EELcZkrnGAKLYer1g==,type:str]
-wireguard:
-    privateKey: ENC[AES256_GCM,data:P/tyZHaEAahZUBF22dJEZb6mACm/wmUunPDG0vS7SNW3sWbzxRSut0haR/g=,iv:8VMv5iotmDrYDLiszcOvJHkD8l6uE+SboPSILr6KuzU=,tag:U/FIBhvghwDTvFtUWEqr4g==,type:str]
-github:
-    token: ENC[AES256_GCM,data:SyqrpFfy+y7syReWs0Bi23651ew41Us8aqjImBTzkDanOtWQgIYC6g==,iv:H3Y/TuP3VvZv6MlRAdLOY0CiNUeoqGZRNg0s58ZSkQ8=,tag:rSf4E8Whvue/LZ+VlSqDDQ==,type:str]
-age: ENC[AES256_GCM,data:KEaMrk9eldR6oCqNqSpwhbJKj+JrN1KBkDL5p9itaszGf4tnDRidcleCQi1Ae17osYXIEh4+OxX/d6RKb9TP6JMLJe0iq6c9sC8=,iv:ztiP2Vz4AFZkd8ZG7xYlqYrV3JZYvmX07Ez6GtJ6yp0=,tag:PS8oSkkrrpgYYVfjbTtkaQ==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzV1pvWkVGSFg5TVAvRlhu
-            TnFnMEszcDRWWHlQanAyRkRpQWdqQkdhTzFvCjBqUG4xNFBiRnlSeTNQSmdkVkdD
-            UlVCQjRFVExuZHdrSnViajZGZ3c2dWsKLS0tIHlQYU5VeGpEQzllMmxLSnJZZzZx
-            N1R3Mkhxa0dOVlJiU0V2OEZVVzZVMFkKae3c1axl22uxh9wMygAHs6q1WA5ImOS8
-            uzKSthWSqtC7DMqgUFaaSjBYM2TN3l402syx71xVFyyAmCcGZbbJcg==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1ck5vzs0xqx0jplmuksrkh45xwmkm2t05m2wyq5k2w2mnkmn79fxs6tvl3l
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCSHJVRGIwQUFpVER5SWxq
-            YjJOT0lXN3dFOFpjMFlWV3JCbmZFN0hnNEJBClpQUEczK2RWTGlVTmJRbVZaUC8y
-            bEFrL1RjTTNlYVNnRVRBZlRjaTlnUEEKLS0tIE5GM01pTGFFcWVVSWEvUHE3Z08r
-            a2xybTRFUFZZN20zajZJTVNwVEpGcEEKglmFMk7z1q5IlZ+lZf9M0HtknmvcYt/P
-            2/z5e8wLN1Hy0Zsbv0yIL/NmqwxAOGJOdzz7ElJszk/Y4kUr9aRasg==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-09-01T15:22:09Z"
-    mac: ENC[AES256_GCM,data:Br2+miNeZI41QyTXdhJ5Mdwq5no/d4kJgESwiltcRZV/Pax8R+GFeLDg/AQFoh1fLHU6bTX45SN0wnIrIeCnkoXV0U2RiT7bdtBaDrGxqnFvjMVE0VaUrj9bpagta13tahsEfI17cyUq4BqwS4BXx60RXvbvs9jZ5/dfpYunGsc=,iv:FfWYfS40XcFgF8lEYK4IHypLzz7svFxPL+WuudQm3oA=,tag:0KDBdf7w6BdcQ8Qt3k1isg==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.9.0

devices/vps4/default.nix

@@ -1,47 +0,0 @@
-inputs:
-{
-  config =
-  {
-    nixos =
-    {
-      system =
-      {
-        fileSystems =
-        {
-          mount =
-          {
-            btrfs =
-            {
-              "/dev/disk/by-uuid/403fe853-8648-4c16-b2b5-3dfa88aee351"."/boot" = "/boot";
-              "/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
-            };
-          };
-          decrypt.manual =
-          {
-            enable = true;
-            devices."/dev/disk/by-uuid/bf7646f9-496c-484e-ada0-30335da57068" = { mapper = "root"; ssd = true; };
-            delayedMount = [ "/" ];
-          };
-          swap = [ "/nix/swap/swap" ];
-          rollingRootfs = {};
-        };
-        grub.installDevice = "/dev/disk/by-path/pci-0000:00:04.0";
-        nixpkgs.march = "znver2";
-        nix.substituters = [ "https://nix-store.chn.moe?priority=100" ];
-        initrd.sshd.enable = true;
-        networking.networkd = {};
-        kernel.variant = "xanmod-latest";
-        nix-ld = null;
-        binfmt = null;
-      };
-      services =
-      {
-        snapper.enable = true;
-        sshd = {};
-        fail2ban = {};
-        beesd.instances.root = { device = "/"; hashTableSizeMB = 64; };
-        xray.server = { serverName = "xserver.vps4.chn.moe"; userNumber = 4; };
-      };
-    };
-  };
-}

devices/vps4/secrets.yaml

@@ -1,51 +0,0 @@
-xray-server:
-    clients:
-        #ENC[AES256_GCM,data:d7cv,iv:RHzGIDLuuKejCTQ5YlNNITkCS3VoprsqH/kHckdpAv0=,tag:3cYw7uyUmXALo3v7SiqLJA==,type:comment]
-        user0: ENC[AES256_GCM,data:o2wxpSzoqsPxs6grgYRLtPutMVwSqtzUWBrj7+7QuWWd1a1z,iv:2/5SxXq8Iw4J/LzBeclHbkrZXHitguip0WN+MINym8s=,tag:v/3oly53ORM9XAwbOzp06g==,type:str]
-        #ENC[AES256_GCM,data:0nHZmEPPaw==,iv:BtOZ8/U0yg3fthHrwerNQX3+KD/H9+fcUylYGnZqiIM=,tag:DkFGSFfq//LmWfg6DGm1aA==,type:comment]
-        user1: ENC[AES256_GCM,data:7ev7GuKLeJbPReMy0FnX02fLv5nNCpxdzfnQyAA+/IviwDMQ,iv:YbESsyIAiEAyvrHnj9A4lITX7NtRkuRhCrTv6hoG9Qs=,tag:8uledxLXqpXXLBh+cczm4g==,type:str]
-        #ENC[AES256_GCM,data:3KN/1hzeR2I=,iv:iaqJJD6iURTUlIL8e8P7fsAzJYo+y3NGZXgWmPX+4ao=,tag:e8g/JgVrMrWJamUMpiv2pQ==,type:comment]
-        user2: ENC[AES256_GCM,data:58PnLCwDayOYinsPCYPeMvuKiF7b4tZtbmEJFWEl+2Nu6HL2,iv:hSv3jCtkLm4rrm/4+ot10CBhobGwtnK5db5wR1S/XrU=,tag:SQbynYp8pDSqj4tAK6JBMQ==,type:str]
-        #ENC[AES256_GCM,data:uTZDsA==,iv:6cxvQycfji/x+DW1CnO45r+yNTLwkhYkiJwDaSpUCwo=,tag:8pMw+sYeOyZBN1idHoM9+g==,type:comment]
-        user3: ENC[AES256_GCM,data:WCVr0ylGm2SHtOGulb8TD/cI2xJXrbvY1d6+STXGxf0d0izb,iv:vhNshb38AVpwKCFRwUVruCQ0SxhHrOmwQ+IoQZeUj1k=,tag:OfdIjRrTAuVZBOEXTtnrQQ==,type:str]
-    private-key: ENC[AES256_GCM,data:akNIeVp2bfKvnzlS6KLAdqAo7qsGfPatzCZpN1tNRLhRVXmJCcUDVSmVoA==,iv:2Rny8ioDJ2x+NR+n7/Aluv7JZ+Om3MuJKsXiwONYntg=,tag:a3xubIr7hpVjRiHjFL/q5Q==,type:str]
-acme:
-    token: ENC[AES256_GCM,data:JBeN7SVxKGOe6er0eS7/v8YrXdv0nCK/KZc8Ygq0G7FIGu4hO662kg==,iv:rf59MgUCYlAA5h18wtdWoUyb2VPB13OPuJjz1VsI2dU=,tag:ViPrwduD8aWf8i8vmBG78A==,type:str]
-nginx:
-    detectAuth:
-        chn: ENC[AES256_GCM,data:lQHDpv8/Yl5/nycHoeTnCw==,iv:ernNxRpcTOSAllDpqRFVFg3qEw/slEEPPXDFq1AhNL0=,tag:2AVALUf9cDyOgCqI9wwgQQ==,type:str]
-        led: ENC[AES256_GCM,data:zyCiiH21,iv:iEYyNClDsCpWE2oNjt2NqQZ88xOOlMr0yycjKTPdmlw=,tag:kQfbshXfTBA5PtUAgpgCcA==,type:str]
-        chat: ENC[AES256_GCM,data:pXu0WPWmvUzvl2expDpQPqWwi1A4abg72npsaYXDXRcg6aVU0Ec+tgM2+uz2hT9rh3mNoBxadYXDc/zeOL1UCg==,iv:iln5UGGBK2s5pGS03PtolWTkx6KrnYBAWCFnI0V2Bag=,tag:EahTDoPIBkgWnp4MOoTCmw==,type:str]
-    maxmind-license: ENC[AES256_GCM,data:8OioibcXQ9IZ0OQhJ/zHSBQjfdHzkoqwUx5zR8Zq0atNw6SSf7vKrg==,iv:z6WTI2yeqP0h7EqKG114nRQpFVJlNzZspgS6gIFtpt4=,tag:a0dBt9pXJnncBiSKt9dsAQ==,type:str]
-telegram:
-    token: ENC[AES256_GCM,data:Si6yTh48HpA8OkkkvgHwtJYFhF8tW3oaQbldjwBc09QJxp9AoKgASMnZtbDZYA==,iv:GrNyZXjaZMviSjy/LGHHrYTr5PFvDkCXmT3MU4+SLpc=,tag:YifB1tKFLqsgXB/YLqYK4w==,type:str]
-    chat: ENC[AES256_GCM,data:ydPky0W4ZWqn,iv:uWQrZDz2GCxiKRaijM89Npt0fQeSNHbQzDefkZCkUAE=,tag:OJQwV/889Vp2/4wjbN41JA==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNamN1TytweDd3blJsR2ZH
-            ZmlocFZjT3ZaUjlVbG1vVSt4a2s2SjJIaGtRCjRneDV6cHYwdGJOY1BDVS9DeDVC
-            cDdNbUdtSGRHNU1yZFpPc1MzRS92ME0KLS0tIFpmamNmTFYrRGRqbTFVSzBhUlNa
-            VllXdzZ3bEc3UFY0YjZRKzBUcGgyVkUKqI1ojiLbF87alAkEwyrm8wuW2fLbmj8d
-            YBIpoDCZ7AwR5uHWQAtl7BWJV1zab+rA3zvaf2BsrVA1A+RWOtYT/Q==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1yvrl4y0r6yzcxzzkgfwshlrtsjt8uuya6rfwks09pnft7esfcyvqmrtm5q
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWWitsSnRVSzJDZG9ZSE5I
-            bmt2NEFDanR3aFJyYVNnU1NlUldRb2RUVXhNClQrTkgzR1dPNWp3endZTUl5SmRs
-            dEtkSWk4aWJEc2hhbWlXZkxpNGhacFUKLS0tIGZNSG43R0NKYmdFMzdXbmJjSExJ
-            Ri9hM3NRTkM4Q1lDdmdPemEweEFBUmcKNLL5qH+JeFWX0GovkPFVVAnz+4tmfG6/
-            1jN8YqbMIxf5/L8tauXPf0iIiHa6pUcjtDZPr/OEmeXebmF6Bh9u9Q==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-25T03:19:55Z"
-    mac: ENC[AES256_GCM,data:v6yb7ZYcnPw/8SqEJnSWzmlE17PenjnBH2X8HZp+kIDXzNFyNvD19FcbCBZjwyjBLvN1ZF4M9FS7Y4+CvvMrN/4JcFufcY/V1NrOd8IZisfAT5N3WuopPee4IN9WEyPVOsbFnesZo6/wJKuqlV1UR8UZxCd3/wHXob9Lkz45cBw=,iv:XKIUiRfP0lj8V/Z1HbvhBankdcAjQqM8Way6TWjJJMY=,tag:PLYsVj6BmR132oWsxEKnfg==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.9.0

devices/vps6/default.nix

@@ -16,7 +16,7 @@ inputs:
               "/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
             };
           };
-          decrypt.manual =
+          luks.manual =
           {
             enable = true;
             devices."/dev/disk/by-uuid/4f8aca22-9ec6-4fad-b21a-fd9d8d0514e8" = { mapper = "root"; ssd = true; };
@@ -28,15 +28,15 @@ inputs:
         grub.installDevice = "/dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:0";
         nixpkgs.march = "sandybridge";
         nix.substituters = [ "https://nix-store.chn.moe?priority=100" ];
-        initrd.sshd.enable = true;
-        networking.networkd = {};
+        initrd.sshd = {};
+        networking = {};
         # do not use cachyos kernel, beesd + cachyos kernel + heavy io = system freeze, not sure why
       };
       services =
       {
         snapper.enable = true;
         sshd = {};
-        xray.server = { serverName = "vps6.xserver.chn.moe"; userNumber = 21; };
+        xray.server = { serverName = "vps6.xserver.chn.moe"; userNumber = 22; };
         frpServer = { enable = true; serverName = "frp.chn.moe"; };
         nginx =
         {
@@ -52,8 +52,13 @@ inputs:
           // (builtins.listToAttrs (builtins.map
             (site: { name = "${site}.chn.moe"; value.upstream.address = "wireguard.vps7.chn.moe"; })
             [
-              "xn--s8w913fdga" "misskey" "synapse" "syncv3.synapse" "matrix" "syncv3.matrix"
-              "send" "kkmeeting" "api" "git" "grafana" "vikunja" "write" "blog"
+              "xn--s8w913fdga" "synapse" "syncv3.synapse" "matrix" "syncv3.matrix"
+              "send" "api" "git" "grafana" "peertube"
+            ]))
+          // (builtins.listToAttrs (builtins.map
+            (site: { name = "${site}.chn.moe"; value.upstream.address = "wireguard.nas.chn.moe"; })
+            [
+              "misskey"
             ]));
           applications =
           {
@@ -62,6 +67,8 @@ inputs:
             catalog.enable = true;
             main.enable = true;
             nekomia.enable = true;
+            blog = {};
+            sticker = {};
           };
         };
         coturn = {};
@@ -71,7 +78,7 @@ inputs:
         wireguard =
         {
           enable = true;
-          peers = [ "pc" "nas" "vps7" "surface" "xmupc1" "xmupc2" "pi3b" "srv1-node0" ];
+          peers = [ "pc" "nas" "one" "vps7" "xmupc1" "xmupc2" "pi3b" "srv1-node0" ];
           publicKey = "AVOsYUKQQCvo3ctst3vNi8XSVWo1Wh15066aHh+KpF4=";
           wireguardIp = "192.168.83.1";
           listenIp = "74.211.99.69";

devices/vps6/secrets.yaml

@@ -14,7 +14,7 @@ xray-server:
         user3: ENC[AES256_GCM,data:r+6jXaIj4HJoYLnJcnjJB+WEZlGaoSy/ktc1Aw77hFtNrrGp,iv:P+YUKns1yaOZokH5WkDB0jssGyHg3ncc54tF1PyA7Oc=,tag:/pxMEr7l4ye5EDAOsllxJA==,type:str]
         #ENC[AES256_GCM,data:4gqZh391hg==,iv:No22DrD6EBs2FA4/qH8msWEjs20fc+ZpEeZep+HIv+c=,tag:aHrYNbI83POI4PRj1nd+Yw==,type:comment]
         user4: ENC[AES256_GCM,data:ujiml/r4aFiKOkSJkaD/KE8rKuBtLSnpZREBH3vRJUzDT0QM,iv:a3VFlXpMLNFihvFa7gloANtHmBLg4szTL5LTm8E2kNs=,tag:W9KZ1GAVx9IBKfda7Zedng==,type:str]
-        #ENC[AES256_GCM,data:PTYBkBHs16U=,iv:qr3u7OveM1CmTBIf9gZK4fTRuLCpcZCwf8jmnd1L3Co=,tag:w3O41NG7yCwCVqPGh/6SXA==,type:comment]
+        #ENC[AES256_GCM,data:AzzKMw==,iv:Z73ISOLhPWP40wTy8PucY3KaB9nS7WQECK3tZFYC1ao=,tag:KJuiCODhHyDl5bXInUSI5g==,type:comment]
         user5: ENC[AES256_GCM,data:iDuLRb4dhLUOjpamioMwoTYrn7Cy+Ln4SaedVXkwVD05rjJ0,iv:AqzBBvLpJuIJCUJq0IyDcHrlqb0e84nQC0c94Rj85uw=,tag:0xou1i/iwAxGngO74OIMXg==,type:str]
         #ENC[AES256_GCM,data:D5xiJW0Oyg==,iv:9a/6myiT9Crf/fff6ZkXj/obW2k95cABUNqQdPmcwcc=,tag:chs8BA8YtVkM9m3Ey9ETlA==,type:comment]
         user6: ENC[AES256_GCM,data:YzLlf37SxKmU1/QA7gUIJsGid3KZNoAGOew8xR7cmw5l8ZmX,iv:SfKubo2jfjtxKn9odDiokMEZyPFfYZ/wwyYtBrgvgmM=,tag:+hxwIU5uBhzQyrKX4r3oiw==,type:str]
@@ -46,6 +46,8 @@ xray-server:
         user19: ENC[AES256_GCM,data:+Mh15DR9xvFAwks86iuHEA9FpObKWTSuVOEzUDpBUS/h0hOz,iv:zYIkic2bibvwCBpomnJ9465mda1rbm3RERBZY9twXuc=,tag:bwdL6DAGgkGYhYFI2C4A+A==,type:str]
         #ENC[AES256_GCM,data:1g2gohLbiixMes8=,iv:E3HA6cAdv3BdLMcrrcWW4Zsc2KLtW7L8Xrk9Z57l49o=,tag:rZ7W9ckf7lzJ23u5zwQiwg==,type:comment]
         user20: ENC[AES256_GCM,data:3UbVnn9oMRc0zZR46tWxwM9VFOvMOYm690csUomEVBcS3xPm,iv:KHuPXttLAFr7WT/qa/UYLY8GRsPWYZPyKNmdUh4iFQQ=,tag:jN8rQ0Gv+qnhwOWGH+CwlA==,type:str]
+        #ENC[AES256_GCM,data:GzxXsTbEvdHV7A0=,iv:uxUG4hnYEsmJtnqbEwamwhtLt3UClt7ktmkGyAFdxsc=,tag:sF8YQ2cejAezI3Bbp9qKIw==,type:comment]
+        user21: ENC[AES256_GCM,data:hgDJ11crZaWcKrc+ZDQklXwpnvt/sMbARkx3sLZfQGZqQZeA,iv:2Re+hdJuT5yg/qTymfpN+KdU3criOmwuqqg+SHb8iAo=,tag:s16N6u5cRDaoWxnrCkamuw==,type:str]
     private-key: ENC[AES256_GCM,data:ts/LRGFAsYqvGvkvlxUI42IW1a8cGsSkpZhMDd3QVceRKvhPb1SRDaXoSw==,iv:6xX9xFIFUNlLBZ6CPBOz9JbHpvC4+QG9ZaCZcWdl12c=,tag:DYIa+QTV8vyl1l7OKKykTw==,type:str]
 nginx:
     #ENC[AES256_GCM,data:85LrqdTMIhSa,iv:mIQPYz8VPd5AxeMCQEdTGMD0Iqa5QEAa5+8JVFaj3JM=,tag:TcZd7S3WRPpEV9lHI1fzbw==,type:comment]
@@ -89,8 +91,8 @@ sops:
             ZXFTU3ZCaW1pTVh0RUJzdDdGdHlPYTgK2mlgcX2kEc8+2UDdBnhUm6IIuh8V6agW
             ooxH9OEPXUVI/4JcDo4v8ZUhAyU1ehLH0Ef7PJCChOZe2KZmWSNbhA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-09-15T03:48:21Z"
-    mac: ENC[AES256_GCM,data:kZDIr2NHVew+BsreAoYNAcP/3i2A7U1RGIiA6qok1EsXLcunO+vfjIZl3L/0CEEH4+u6PEXQ51atzufqOGpoq9XqorBMRDEdlhitZZIUZm8Cji9BJxixeTUQ+KmFEbdw8H1XDIPWOQJCmTUbkOElMzHO4BNtTpdjE4u1IZ0bUiY=,iv:cCjln5wrScDz7A5/OHVoAj671VtkBmK7H0pnpKLsjD8=,tag:rohzoGp2V1sS03W0z5hM/A==,type:str]
+    lastmodified: "2024-12-09T04:05:38Z"
+    mac: ENC[AES256_GCM,data:ViclEjB/F9dS2fdtKPlegQPdPY9GeHW6AqnBcf18RlG9V+jnyym0RgkrmOiNokbD4WZSO+o/Y//hFzSeiqINHuNs5SvoslXy23bnThrnf8pDeoowJITV3eQZgNw78qKqJxoXft4b79xetSdZasI1W4YxE/PCjdpkOtgJZ7I5oTI=,iv:se5pq320AEnRuZAA3hO7H2LarCJwnK2sTmZU+s4DYBg=,tag:g4aS5C8PWj+mzbSSK61Z3g==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.9.0
+    version: 3.9.1

devices/vps7/default.nix

@@ -16,7 +16,7 @@ inputs:
               "/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
             };
           };
-          decrypt.manual =
+          luks.manual =
           {
             enable = true;
             devices."/dev/disk/by-uuid/db48c8de-bcf7-43ae-a977-60c4f390d5c4" = { mapper = "root"; ssd = true; };
@@ -28,22 +28,19 @@ inputs:
         grub.installDevice = "/dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:0";
         nixpkgs.march = "znver2";
         nix.substituters = [ "https://nix-store.chn.moe?priority=100" ];
-        initrd.sshd.enable = true;
-        networking.networkd = {};
-        kernel.variant = "xanmod-lts";
+        initrd.sshd = {};
+        networking = {};
       };
       services =
       {
         snapper.enable = true;
         sshd = {};
         rsshub.enable = true;
-        wallabag.enable = true;
-        misskey.instances =
-          { misskey.hostname = "xn--s8w913fdga.chn.moe"; misskey-old = { port = 9727; redis.port = 3546; }; };
+        misskey.instances.misskey.hostname = "xn--s8w913fdga.chn.moe";
         synapse.instances =
         {
           synapse.matrixHostname = "synapse.chn.moe";
-          matrix = { port = 8009; redisPort = 6380; slidingSyncPort = 9001; };
+          matrix = { port = 8009; redisPort = 6380; };
         };
         vaultwarden.enable = true;
         beesd.instances.root = { device = "/"; hashTableSizeMB = 512; };
@@ -53,7 +50,6 @@ inputs:
         send.enable = true;
         huginn.enable = true;
         fz-new-order = {};
-        nginx.applications = { kkmeeting.enable = true; webdav.instances."webdav.chn.moe" = {}; blog = {}; };
         httpapi.enable = true;
         gitea = { enable = true; ssh = {}; };
         grafana.enable = true;
@@ -66,11 +62,10 @@ inputs:
           wireguardIp = "192.168.83.2";
           listenIp = "144.126.144.62";
         };
-        vikunja.enable = true;
-        chatgpt = {};
         xray.server = { serverName = "xserver.vps7.chn.moe"; userNumber = 4; };
-        writefreely = {};
         docker = {};
+        peertube = {};
+        nginx.applications.webdav.instances."webdav.chn.moe" = {};
       };
     };
     specialisation.generic.configuration =

devices/vps7/secrets.yaml

@@ -4,31 +4,24 @@ nginx:
     detectAuth:
         chn: ENC[AES256_GCM,data:Gk0TTbnFcsvIgoDcen6B8w==,iv:kvyvygw9zDwaiTQ2vPFTHQex0EWDFg8M8U22AConQFM=,tag:ewAZ/nXxmTOhDAjW/A2OnA==,type:str]
         led: ENC[AES256_GCM,data:Owax7cyp,iv:NCEKyicVCYZNgxJzlO90heUmwPjfXbZEcyXX09XQKI4=,tag:WMTCVMVCD9sJgAhRUsqvYg==,type:str]
-        chat: ENC[AES256_GCM,data:1HJiO1zU5SX4G56oWxv5zqGyUqnBWByrtSnQ01wvmZ7PmRkrV+DV6StMg5DtJR9HhkWYnbXlbnBHzP+poPUMag==,iv:sfwI62nwGSnsdj1RyADWgXvp5AY+9RQdtSooxbKFWTs=,tag:pN/LF0mo7RXWoIPPzzs8qw==,type:str]
     maxmind-license: ENC[AES256_GCM,data:9aW4QR3K6S+eTqzIjVlNEwkG0wZ4u5jgRfe7CMwRlJlK4AmcS6c45Q==,iv:cPTN1K4Aag5sohGbCQUZHYTvcwAL7AhF+rrY3OvXGPs=,tag:d9GGUMHnfzRz9Cf2U+dBfw==,type:str]
 redis:
     rsshub: ENC[AES256_GCM,data:uPnZIjbnRRoWIHlWkZNZkMpIb3Ujnnpb+AisVSVGFv4sfDAuDlAjt39pRdnWkCXJPqtXjJzQ+FeT34cqxTf8Bg==,iv:/jcyAHkxByFnbkmCAYQwda2QRmhW7L/ICoLuCgsVLCI=,tag:M5Q+dh/Bn7FiNpqQGYus4Q==,type:str]
-    wallabag: ENC[AES256_GCM,data:WkiqS9TOHxYalDp7Ssgg2x7vj4D58psQ5au4a0e3LZBecERwzUKmrhbVKRuDvNTwWbYxSds9SAca0wN+pWmrmA==,iv:QqHlzSXG1I4+p8wd58lcQs8TqAF3foxiYVdgL8L3IpA=,tag:CPtFgIeFL5W25gtd6NFkrg==,type:str]
     misskey-misskey: ENC[AES256_GCM,data:OHjt9o+m++NT5aaFbwBT/wSMdUdgf4zscd/JxjCo5HDhC3WeWMJV7z//kATI5Dg4BWAhvPlL02Vrly4RraIzLw==,iv:sQB4/D2SsOuDR3bTrmlNg7o+6ehFznDsqVc3BX9pK20=,tag:tcwTBt/JhyW8ZTAIWIkWBA==,type:str]
-    misskey-misskey-old: ENC[AES256_GCM,data:amUqMycdXUFvjg66pXKnlZqiESBYMci0k8iYzj824SaEqHl3Nq/I0TjYX++xEUg+RGYyTIcSaj96HUANTKpc1A==,iv:ND1mQLHxltRlOdpJ80ywheGo6hkl7OgRyk9TguJMuTw=,tag:dhCCwnCOnyT2iXdEMK0szg==,type:str]
     nextcloud: ENC[AES256_GCM,data:jwN/CqwkU/5Rd6w75/bV2Yej9b0CoxZaiJEcZXFx+9XUPY3Xg1tQdEr1SALG8xzOEdoL6WBVs14NvrrL25GeTQ==,iv:p5+0AB52QqScJwMhNIrM/7HAcRPdD9Z8xV6uwIDOwIg=,tag:f1XbNDDRXvGl/dkV9Wp2Ug==,type:str]
     send: ENC[AES256_GCM,data:IGxj3cgp+fQBdupfK+IgPEQSPuXdM9LRSLGSATNIkzUWC6sQw1aaKTDuRc8cU2BG6quthRwuWnK/F7k3KrUi8Q==,iv:LI9MkaF4e47FPUyL7AXZpO+CdgF91ScdiqjrE8PZjJ4=,tag:eNugln5M0AhU1xmVWFN7Aw==,type:str]
-    mastodon: ENC[AES256_GCM,data:E5aMRzqd1dqcw66uZwWoT+LDH30mg1vZjk3lhKIXKPd36MANE6z04aBPcAHyHT71jEYsect9JXagC4MUJBuSSQ==,iv:4IjTTNSTraL33fInlTkB2ZylcEaaKi5pgvugZIk24e0=,tag:32JSTNpF2cxYh/NEAS6jZQ==,type:str]
     synapse-synapse: ENC[AES256_GCM,data:8CVbcN2FG4mRT4PnlOGsS7tDfS+6ojIJFvq2EwItxn1gg2Ghd/Bmx+5tS/Do2FrYp/Xiv1EqucomM50r5bXnmg==,iv:TT7zBKQ4M10XYVCn5aeSu9IqjrIEHHazPUCOTmgRAU0=,tag:0+Q9hZMBVDj1TnHj3xoTBA==,type:str]
     synapse-matrix: ENC[AES256_GCM,data:eJ9GXDVLPg1C+Zjpj3NnWUyZxDbOZ61f+gs/bkZgdWjeu61MEMtU/Hh+p/ceAn3y0aPi0ZTcd+zSgIPIkcj+qg==,iv:uTdS4uguNJErc+DDW4H6dsRFkqlkHtaCfR8LR/d9nvY=,tag:UhY9xbe1r7FUpyid2nSt5Q==,type:str]
+    peertube: ENC[AES256_GCM,data:cN+cClNV1JD+Z1Wlp07MY7BmLr/EZYZZt04mxKKKN8RG1ZSMGykbc3hd00E14ubhCittJXSPbIWyO63lCGGEPg==,iv:3z1BR0j26LGfXwDDPYU/i8Qx/7529KKoar+xGZanirI=,tag:g/NSGDE1iEYJ1MStrV3rpg==,type:str]
 postgresql:
-    wallabag: ENC[AES256_GCM,data:ANwvEE3K/W/hU34Y7RvlbUuJNo2bOaRfeusYM9pRxXQOdG4XpwYfd/DprsrVjlkrMFuTurUR5j6UNHWh+ILDbQ==,iv:K8doqhVosz+OosMrLJXrSxairr84EeGs3EWgVQjpkS8=,tag:WjDzy7ubm/GVlBkW0O3znQ==,type:str]
     misskey_misskey: ENC[AES256_GCM,data:lRbSz7bbiWEdK/cRD41fLvFJF4WYsclKHVykFcU3LIz9vnKlR3VdczzznVqpT7JvG6OUi+TmipJii+0KzXHtdA==,iv:8sBKgVwuDJdThup0KQ6cnAV5O2liwVra1yIpDHVfpMI=,tag:DyUpaHai8ZUyllvZBUm8sg==,type:str]
-    misskey_misskey_old: ENC[AES256_GCM,data:Wwtd+hKI0s7m3PbEPHbnSyTsCkW0x8SYHUiCYuNSNCG8i4RAmiAbONNFfWN2hXnmTmRK79Tx/3GR+L0KMzmNGQ==,iv:BekTELToPQXUdZHyNtkuqKyZeez+moI6k907P7NhA3Q=,tag:A5YB0WIa1RkDCtzeBhiuyA==,type:str]
     synapse_synapse: ENC[AES256_GCM,data:lzaggyuXM1XwsRxFHslsP89r8wEcgi6LNfbcm+pFWj6WLO8y8WaQIdOkiF3D2ToKDwcw5XgSGSt/VAk6lv+GeA==,iv:8WOL3jze797Wz9kSRq7YpY8OS1TBMqHYhfgZlluJlic=,tag:utNhs1AMbGthp6M2c0x67g==,type:str]
     vaultwarden: ENC[AES256_GCM,data:Uz8GJMaLUTQ9pQbZyZLWS4bL5wmt9RvbAwNctAIDt9JrV3FaXxgKjE0MJSGklS55yj/Z/wbO6RCuCK2AWR2VKw==,iv:7hA8YcB88M1qCV8EhFYpHbfPmAZ/7xNqvTMJYZ/UcAY=,tag:mkDHJYmRoYZ/Ct0UmOp9FA==,type:str]
     nextcloud: ENC[AES256_GCM,data:5UpYSMsZgUgEJHg0ou9Z1RTE+YFFUKuXwPtc6L5XxD4GNo8Gd3CvcQSNGAol+5DtyPKF3q1+ZgtScWGrqU1RyA==,iv:Zfm+Oa4eON8WiJzYUkMFawafDwo9pOnOpWkwHYLIKkk=,tag:4ECMla1dFfCrn7lILwWFNA==,type:str]
-    mastodon: ENC[AES256_GCM,data:IQxoNjZILazu5cxkEzFAqqmGSsOffMQHoRB7AC2NqI/+CJSVsfdwiSVfxN+Jc9dmrqCjscUSxaWCMHnrZj/JyQ==,iv:d6tyj/w0uH2E3qHjEcopVhnmE/Pq0qN9PHthSArryyw=,tag:kfJsxqkErFcG11B0CmiIKw==,type:str]
     gitea: ENC[AES256_GCM,data:EAuFPlUFvtARh4wbevoIUwZ886nS+3O9Jy7q/SkaTDx7PkQKGhZcPPxY45AG0QQrjSaI3cGLzDBMutFMXP0BMA==,iv:0cLOsopAfyMLHJDowyZirVR5nqLrjSLHYtnPC8GXReE=,tag:BwG5UibGLS16rwJbH/0ZyQ==,type:str]
     grafana: ENC[AES256_GCM,data:ZLtDIZ3oKasE4r1WNllNe/rkXxqRS+QAJI7EGPKhiFF1BtAxD46UpGQnUag3yg0gP/8+3COQs6camVSxcKFL1A==,iv:wMj3keVjNpVwNMwlt4E3ds1EYjLNIZ/S3RydhOlmYWU=,tag:ZRn7NWaUPbf2rHYLoLYw+w==,type:str]
-    akkoma: ENC[AES256_GCM,data:6piRt7BbMBLVGdot+VyoJN3/S8DoPNTYHFh/1coHSLNmiA6kU/6sca4Bts1Up/Vu164oTsFAr1JsKx6tzNzAPg==,iv:qplA1GXHwzVrmjm7eagCk3PFa7DRdwaf+p7N1HLb6mw=,tag:W6WedSK3R1IgZVo/0Hr9vA==,type:str]
     synapse_matrix: ENC[AES256_GCM,data:5j+TYJ3vYUqu6CdRDYAT558DsTWbX4Rh+HuukPog5HGXlhneL3RnxVeGBR9CV1rlCP1NY99Nm8roBG+BcyPYHQ==,iv:CboB6lzqxAE/8ZlzaTU3bxw94N6OAhrq8pZ0AfxQiUc=,tag:z6cM3ufgbMn5n5PzgqdRjw==,type:str]
-    vikunja: ENC[AES256_GCM,data:syb4NYBxL3DdmZmcC+em0klmm6bkkIL/DH/gnzShYRiaezRFskT+yay9govn++SpbuvkoCJq/GYAFxNL+hcVtw==,iv:TQUgdzYQ0gqsAmux9v3BAQFNzHnCTZ+X/OC0b9Bfya8=,tag:b1AsiAW5XzA3DzGdf8J03g==,type:str]
+    peertube: ENC[AES256_GCM,data:dLzOez3dTy0NqHED1Oc43Ox2AFuH196kxwOSuR6RejUw3iJuzEQCdmA/i+70zHoveAYBdPCGpM8cz0y2M+usjw==,iv:KxDqmbNBkJ6Nw0M3060L9ESDf2qAur7umlejcDyRmwA=,tag:RScP7Cny8b1Z1/REpk+daA==,type:str]
 rsshub:
     pixiv-refreshtoken: ENC[AES256_GCM,data:EeSOTSAAh+1Dc8+a/AaPJ0aBK5DTa3pdS6DrIMQmRw/n0SRu2QoynIF76w==,iv:dnZxi8jM1I4w3C2duYielpP/8wOAdHDjcqDIrowM0dM=,tag:8irGvLEbRJHV9TB8Jibs9g==,type:str]
     youtube-key: ENC[AES256_GCM,data:OEm/ynOUPUq7ZEVzL2jgs9d+utkLTIdNq0MHE0JDujb9ndAwyJJI,iv:RRae6Cg6GdDnXAQOdtBYmcA7ZNuu70VpIg2MEezBn5k=,tag:gX4ZG345cT3Jh3ovUxtLGw==,type:str]
@@ -38,7 +31,6 @@ rsshub:
     twitter-auth-token: ENC[AES256_GCM,data:65SbHggbYtfSfaaxJxRgD6+HpOX4vIfjnVZmOAZ9illPMYOu9MIchQ==,iv:49UuC8n6AGj1skuHzQX39Q/QuKlB9IxogIfiiy1GBnw=,tag:Rq6b0H9UFVZ19tU8ZeelRg==,type:str]
     bilibili-cookie: ENC[AES256_GCM,data:58nO7ADu2oH/OgLJNYrEEzhf1J0zt8EpuygnSANkGXJju5oSmtM7WLnaMEjC96q14OTTA9QLiFVsbxiFY1eUnraA5W7g7+6CYRXVRZaxz91D/dhKzHGTMjB/LynnNqEIc6liONlcHbyjZNQ+WIqPtjVpCKMN7Mi8cv81/cFX/1GqAwncgDD2oXh1hMPOVY4dYcGKuOG0GjlY6RgOgTPqU3HawQjnoWQjPF+lq2rnWD5HP9ZTxOYa7hm2GgPrxkq1fkRrq+kKYeDh+6M7VLDcm5Fpf+biq6F8fZWzmw4NlVZT9BG0vJFa,iv:vxYXg9Yg9qIWFQXtwTYa4Ds0KSxZYg3M6xdtXKbdaig=,tag:TzCPehk9w+BL4wwgDc1CPg==,type:str]
 mail:
-    bot-encoded: ENC[AES256_GCM,data:HstqDfhKoLqDip9O+mwYGbNlNQ==,iv:CZSTfxJHhI6nG7501cQdJiZ9l3uKS7d5YsA8iVTUuoE=,tag:Rj3rvXJzDp8XzODV/gABog==,type:str]
     bot: ENC[AES256_GCM,data:j4Y5oYeVt0sd2z2Qwuqisw==,iv:wasQCTqEMAyttbn1zm9oKck6QiByom+F7ZIMDUse9Gc=,tag:92O4ka6f0I9qnlnVy2dltA==,type:str]
 synapse:
     synapse:
@@ -47,14 +39,12 @@ synapse:
         macaroon: ENC[AES256_GCM,data:2/8GuF/a+ocVtLN0PU17JDvXw/RoXX/CXFHPlI9THl5bY8lBm6tEawijnOKVoFLovfU=,iv:GPAr3ZjqLf9ixevsZoQgs4cPkv0VL4WJoFfQZOdThlw=,tag:HRt/igDEfUJ3K39mG7b9Fg==,type:str]
         form: ENC[AES256_GCM,data:Z9cYL9ibRWmOhAYtB269n0cWZSvL4zGgc03ZRag0m8cz2j0god/Fn/w6kx3cyGK1C70=,iv:Yst6WSV63IvbMF5nnicIoBj77eSwVMnAHtHrKo2UcDk=,tag:4qf6F2rdctcCf4J9vECvYg==,type:str]
         signing-key: ENC[AES256_GCM,data:BbPJiNcVTqMAL2XG3K3CIbsb8EM4r8ct/WxPK10FHRwAnqChKy3CAviYU9gewO/tNZXHvUYUAUbPww==,iv:IZB/40EE3DIxAqagdH/a4kcSmiec5l24XLCQKCQNaRo=,tag:/1t0WAPBYmYrPTx4V4wgkw==,type:str]
-        sliding-sync: ENC[AES256_GCM,data:POXExkTRRhXin4lD4MA61xsuzYXCT6U7QtQWtNnEb6kUWRrAvS9mqk+JTBn3onCzf2Azhi3WQOY/t+OiQFXI1w==,iv:GJfJSGb6t/q9KdVCr0dVVcD+e0yZUQzrJrtuhOlYJIE=,tag:ovd1ZXRkk7VoNo8KoYDViA==,type:str]
     matrix:
         coturn: ENC[AES256_GCM,data:MwZKkYMefshuk46Cne4wn9ooFH8RCDbrxp+MbLJWli9iPHuzJJzUuQNU9EDL0aNbzyYEMt/7DErw42z6KrpGww==,iv:u/SVVTgfJO2FakiYU+uLHXjA4tHU/W6ASsR3S31+pWs=,tag:VTeKNOKwm2bsiZAOVXeBOQ==,type:str]
         registration: ENC[AES256_GCM,data:+pA61vTg12lYUyXjLrHSY7y/ExfTQffLlGUI4HBOSFFPTck7bu68FrCaHOIBTtEMfjU=,iv:Ex/phkBZxglG8HiRz+m7h2HNanpq2Pxwbm08vdM3xFc=,tag:mM3YEa70FnCeYIUthK4TeA==,type:str]
         macaroon: ENC[AES256_GCM,data:/+RaayKiPPpVV7OWWdaSkSSRHMjb8d58lZcpvltN9cYkN1btvMViEgdLSlfqzRRlPUE=,iv:pg9GXgNsrVWKlUAiCKZ2pYXugRH6MsBIMpHKoYWYLik=,tag:/mj5Ak7XAX/FH7sNPEVALw==,type:str]
         form: ENC[AES256_GCM,data:7HF7HMUH1BTJgXXP6cpUiVj0jCwGW57bx9wKTJu7PnRsNuAam/+nKX7Zfg7WD+gSBlA=,iv:SYeUsuFVgAA6U6STCtKT5c5E8Kglh3x7hy6+Op4n0W8=,tag:eICmHTwwn0KcgNhdDGnusA==,type:str]
         signing-key: ENC[AES256_GCM,data:hzxxDbGp1L09O7+ueUSa5lJOY/QvF2zvHdpueEHjaPQEToQt9mr2loeTQHC7ObTegfLb9UHrI1jn4A==,iv:KngfahwYZZmDQ5LeOUPWptTMGAC8TZm1G0FWcrwCwsw=,tag:U9pW6/boBIpiswn67Ezrfw==,type:str]
-        sliding-sync: ENC[AES256_GCM,data:BeA6g98IWDP6hnLFI77QqG6esDwB6j3OPzAv3eJxWoTajAsByHSgSYP1vHN5Iok6IgvSSmkf0/HiOJy1Ca8IIA==,iv:ca+t/rYwc/fAVUcz0JTmrRQCOcbDNscbnE8BpHkx/OE=,tag:eEfhUChUt4kRnO82XqRY4g==,type:str]
 vaultwarden:
     #ENC[AES256_GCM,data:yFDD8GHjZWHN/Yh53DseevKAhDVwrHX60e8sGZnF4BUsUuPA/4S2PRzj7CtlpFzUH3kb0i+HkLKRvbchg93U3as=,iv:JGG7daEKs0oMKTNVi9GS7PrXn/8rFtVkHknACsEQR+g=,tag:RSN6fojLsI4dcuPu2eTiWA==,type:comment]
     admin_token: ENC[AES256_GCM,data:OpjREmxJSRj+aGVoP8KKRE7ClNqRtaV8va4WLVmpl1AO6D0q/GapJvhORHQb5s5ZjIAgvWTz1w+fh050Q9sPwRsNUke3FIcyeNy7k0PHgnnVIdxnU1Vn9KMz/SovjQ0/qEQ7tArvW/EXtKfwnP9lsz9m94VBvA==,iv:9AvDqMa2PeQOSrP2th3YBgA2RxPl3oKZTyUzi/yjRTM=,tag:HYFTQDgWvBsHQk8IZxWkfw==,type:str]
@@ -62,7 +52,6 @@ mariadb:
     photoprism: ENC[AES256_GCM,data:TF1SZVFnvzyE+7vrHYYUS4Juqhbiw9QcJx7p3Xj88xyBFcTqS1YjzAKs/9GQ1PuzdBrt6hXm/XtJILHiuktnSg==,iv:sd9sQEuIePL6LzUYbFtmdecJ57sMrkF0coalBf8KFqQ=,tag:P/knaKYTJ+aXu4l6IixISA==,type:str]
     freshrss: ENC[AES256_GCM,data:ydqCbj3UbsLC1e++p5ixb5Kpmk2BsYd0urcfw8T51Is5N1/gQ7P0zgR33AOteAxw2oj85WQZhxu3eAN7BCXV5A==,iv:1oiMo1wwFNXiTZLsf4UPZSJfKFIWLI3h947TC06CVy4=,tag:Otq1oeKBnWXhqNilfsywPQ==,type:str]
     huginn: ENC[AES256_GCM,data:1Tdg1WDwGgFSXdChgif8knWS24BIFYnmaiSjJXxs5uj/v/5fJ1alb4K4XHW/kFRjQbuAOFfJiJ9ogJ1KAyk17A==,iv:qLMaQpVaKrjP7g2lWzhaNLghxwiV4YJmyYY1hrpu5I8=,tag:566JCENvOxgwD7tM3aQBiw==,type:str]
-    writefreely: ENC[AES256_GCM,data:+5jsON4SpeWKWZWlbn233XuQ/6HDzaS3XxUxDbUqAp8S/XGmn/QuFK2f375QJEiyZsnrIYkbN/CiOjdTw+nNzg==,iv:8mKqWegyxrT6908P5G0olVZzpP+BwpE7SYODEry7F3A=,tag:HeYoT0RFJGzX6DWcBQy7Jg==,type:str]
 photoprism:
     adminPassword: ENC[AES256_GCM,data:gB81joOfS8h05BNy2YmD/N0cpLPa/vAduDcQBeHiY/WkcnvqSXnXsOfnvbP74KQfoP4W35oFkfyGVPUBSB83tg==,iv:AkN2NoqMXVHQA9fHTTR7xbEapEqy/D61mHn7O23hyYk=,tag:WV+siDA3VnRkOYnP4Z9Qhw==,type:str]
 nextcloud:
@@ -92,20 +81,11 @@ fz-new-order:
         username: ENC[AES256_GCM,data:xWP1cesh,iv:11KFZ/J9PScz/oW2+H5BWgw0+ETkCXlcYOMuPpgjEs0=,tag:HswEVzm6ElRjIDsZyEfZcA==,type:str]
         password: ENC[AES256_GCM,data:Da/E7ZeZ,iv:gIoheXeTErV3+CtZSEDsX7pGzRahHWlKYQ6QZ6W2eu8=,tag:0oQzQ5DJiS2hqMQfU6JRWw==,type:str]
         comment: ENC[AES256_GCM,data:etfZKwbh,iv:XqqF3D0PpCPd2Q/CCu/PAH4SrvXAOu+lIXvSht/KfKk=,tag:7jyG33foxneRK2wvI/5uBg==,type:str]
-gitlab:
-    secret: ENC[AES256_GCM,data:hBax7ClSuttBacykKw42pvrvowZW8OeTry/0rkmy5BHyLM7HllNYCOw+tupIOdhVEfgJPWQeBeGuyFHt7lPRWQ==,iv:zOM+eMW04Z9QkTchkAXWYHg2eWTQmGEs/dHtUnvNVd8=,tag:RzLyecuASl9CcmQSuabN6w==,type:str]
-    otp: ENC[AES256_GCM,data:Hgq5Tyq+BUTsexVsjFWf07fY0znPL50+qIm+fhuVljlauXBZouQjJKMhqTs9zhLECOktYUtp0wrNa++nO1Ys9A==,iv:Am51j8QjDtldtsZL8uCu0I3pr/SQ6R8KUQinznZjClg=,tag:hbtrlG0MGNL3VcbQUG/irQ==,type:str]
-    dbFile: ENC[AES256_GCM,data:AKxE/Z4jooDlkIl3WpQZIlN+MLxlZ7SEWVF12/8f9aq7LtVl5B0RDA6bZbeM0PU8h4eGcSX9feSpLIVpvBAQxQ==,iv:li6hBLw9filwVVXa01oICtvY9UJsMgB+3XYOgZyCTnY=,tag:wC18TzVMM+dcpIi8wwCcIw==,type:str]
-    root: ENC[AES256_GCM,data:nPO4MT7BWuCHnWkbHPRYygMpieGsni4+BQs6HVwxBqH5KuD0O7I3PQlcgntxb4kWbqvyWstYW+k9LdscSEzgXg==,iv:fgfW8BljGlOIQzGK+UiEFcT6Hp5ieA8C86kwT8xRlO4=,tag:eSWPda0NYBe47uVYCOUiLg==,type:str]
 grafana:
     secret: ENC[AES256_GCM,data:QYhopqGcHGr+24qYlfaTdMtnyzmIZYG4PcvS9KYqC24W3M+HmloCkPHh7Y3ZTVg8MnrDGOcbA9YPLdY7eh/u4g==,iv:dh7egVIem2bgDbmWJ1sqH9fLdIYbAIQjnjNvyuEjVq0=,tag:DbIRVHbCcpKGcNc6sDTasA==,type:str]
     chn: ENC[AES256_GCM,data:0bbjggWS1MdcUIQiQyPlBTULm+faKDpJbmZmV6vSw8k=,iv:am65WQzUE+AvQrQV+NSF5u6RCWn7EetyPsdy4Cuvyyw=,tag:lxNUM1cIYVSXVgwEnS1Hdw==,type:str]
 wireguard:
     privateKey: ENC[AES256_GCM,data:TS+toaJRgAvC78XVwTciXe2IG8++vaqXVCi/u/8Aej6qq1B9Cb6f20cp5K0=,iv:T/NkLvcYiWzIDG3jWtuhe/sH2GT4z5f0xdUGbSL901I=,tag:qN7YokFBj3Kbbx4ijHTRnw==,type:str]
-vikunja:
-    jwtsecret: ENC[AES256_GCM,data:p6e22qPJzTGB21oWhSr8AA4bfrele9ZOHVtZ8BHgX21IhoKdm58coGtSX1CGXR7J6+1/74RdLY9K88nGrM1F1w==,iv:DGUO8rhf7Lg9dTqSmzlR/Jd2K4oUjO8w9E5bihwsykI=,tag:SpX6UI0QIju/tC1fIL9CCg==,type:str]
-chatgpt:
-    key: ENC[AES256_GCM,data:bkLxKUqkjwpUeqeAZCaAgKiOse8QtZ0zOn9TQNA84+B3rxNiTFPisI8=,iv:Zd5dO5Sdt4HCvNZgS2K0FjJAzti6oE22vahYQl99TrI=,tag:E3o+X84tRsIEGU9Jfb85JQ==,type:str]
 telegram:
     token: ENC[AES256_GCM,data:Mr6KrAzYoDXA+dPT3oXqK2wm9ahTjZ5GVE/iRPsmcM+S2MABT+8ramyHz9oIFw==,iv:nIZ8rpSxz2GwMbDQFfG3xauMQjiriZ1oxFMrEQeH7sQ=,tag:y5U1T1vV/mmdE/CeaeTR8g==,type:str]
     chat: ENC[AES256_GCM,data:8w/0EI64a1dC,iv:dHu9JHcUY7QPd9YBKXnrRXQB2K6jpnLrSFs+1IJmkio=,tag:3ucN3uNnBxxRF+cbLsa1nQ==,type:str]
@@ -120,8 +100,9 @@ xray-server:
         #ENC[AES256_GCM,data:j83rYg==,iv:3oEdAoVz7aMcezcy2chTO0LQTtKpTrJJoQZx3PC03BU=,tag:ABteEIyr2Y6MbGQhmrQySQ==,type:comment]
         user3: ENC[AES256_GCM,data:Uk0Ax9FVzmmYs+ggWy7z6FEkuj2tppGlvnQdoW6PDI1VA9oI,iv:wSxigXleRUalQR1/TzKfdUVrdyEUuq+Wg42gSv1QMAI=,tag:qn6nBWv6MlGhMarCfI13BA==,type:str]
     private-key: ENC[AES256_GCM,data:TarrinCFzWkB5zCc7i7f3B3tFfxrF+cGnrg4bw9CAGKWBazSJHCviY8Imw==,iv:azHdrc6AlgS9RPwGVsYRb8bBeC/askCdut1rnv9TA3I=,tag:AT2lLraKVgbp9GmlLJiI+w==,type:str]
-writefreely:
-    chn: ENC[AES256_GCM,data:YvhPa69sVdiljm9Ix6yQh6YCEpFvC9iw5Yx72MBcGr7+swdbvWDAfMmGFY066mAPvhpwZX/IEivKvrS0t/OSnw==,iv:7s2yEb30YaCAtNeevbur0HL28nXHVIqmCx6Bngh+HWk=,tag:yx0JK8RNQMVcYLBSxNj+uw==,type:str]
+peertube:
+    secrets: ENC[AES256_GCM,data:DAlig4wYCridlfS00YOqH++/4Rkssq2bkJ1bhERrsgeqdccwwnk6ADKpN2UBGANNYiTj2VUHsHT6mIWxPRcJvQ==,iv:kOedA1gAD7el6JbP8MujSCSfkkHM6CDDMSs2LwPmsGU=,tag:ZDS+LGX2hNXHw15Js2sBkQ==,type:str]
+    password: ENC[AES256_GCM,data:jmKmQlFqHSmImfym2M3/+ItbPxx1GwgrLRZwk7KxqXGHFvqZ1ybCnfZCN8jmA1gVJLuPLTrYA9ggHwdKgVrknw==,iv:cBSb5PJsjHBAMgrxlZaVtw1aP39AXMtdk5pnnCyyZbQ=,tag:6TLoDRY6305lm4HVapT4yQ==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -146,8 +127,8 @@ sops:
             SnFHS1Z0SXUzTFdEd29KTy9DU3Y3R0UKfhh+rUmWDrf+UGjclP57dHipPLFoXSqy
             HdelmfV6q4/c7ppx2E+oZw3VNgoZCsrxxzYZfwxHJiZb+5vkE0D8iA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-09-02T23:57:33Z"
-    mac: ENC[AES256_GCM,data:Tp7uSF3G1WALzv7jPSXGyIJbwYLHz4sF73NUoAI6KPboLs3juhDiZjJfkBkIIv4BawWNTvvAQfBL6hbpPbn3bLpkTvU8TiHyP9yiY5kJkid37I2s8KOHHaxKSu4CXlkAeXdZX0I1iujAOsKYUd2GnN19V07K0qwCtZOVvZXvjsk=,iv:fcsE7qXrcoaRdTv0C4nmfNvIDXtTXiKyF7TCfnkvRPg=,tag:Dgdq4gT2lzhkXZ10uUCwwQ==,type:str]
+    lastmodified: "2024-11-13T03:06:27Z"
+    mac: ENC[AES256_GCM,data:aIgKGuyrNWt2etXCtqHXxXwLSTkGhX3wk9NcHXv4u/rkZ3wUz8iJv24whMIN+ZFhQmNV1TLuPncd/O6bYra1YmG0FXSyBkgfQdVbCAR7ys1yXpdz00zcC7zMqm3CeNui89DZH27P5z6cDtNG4Z/dLz6lpln/ummYcdcb+/7KbZQ=,iv:Gl8turVRflUOB3PWqLfwU4JPoy0k9zLKir4CKB9628s=,tag:aJ8PDOfn/XBeklIlSkC2vg==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.9.0
+    version: 3.9.1

devices/xmupc1/default.nix

@@ -4,6 +4,7 @@ inputs:
   {
     nixos =
     {
+      model.type = "server";
       system =
       {
         fileSystems =
@@ -47,7 +48,6 @@ inputs:
             forwardCompat = false;
           };
         };
-        gui = { enable = true; preferred = false; autoStart = true; };
         nix.remote.slave.enable = true;
       };
       hardware = { cpus = [ "amd" ]; gpu.type = "nvidia"; };
@@ -96,7 +96,7 @@ inputs:
         docker = {};
       };
       bugs = [ "xmunet" "amdpstate" ];
-      user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" ];
+      user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" "lly" "yxf" ];
     };
     services.hardware.bolt.enable = true;
   };

devices/xmupc1/secrets/default.yaml

@@ -21,6 +21,8 @@ users:
     hjp: ENC[AES256_GCM,data:Ii4P9ZsUOEh3cqt3AKWlgUH1CMNnmHln9QNWdTRR3vZXkkR5j5qKAIrAltml/i3xFlt4hftYNufnupog4UlAVWQJhYBlhCSE4g==,iv:eKWmUcKItjd1dsvVP1se5CAhIFqV/eVH03gPJhBau1E=,tag:ZTE0BTSoDpJGqECklGjs2g==,type:str]
     #ENC[AES256_GCM,data:hCgqHfpmeJ1Z,iv:pEKUNxhUyNAVtniTIQ2IpMPmXr2O+twq2/3Y2lIoqdw=,tag:RTqcI0XCoOymQD3r4+yS9Q==,type:comment]
     zzn: ENC[AES256_GCM,data:/CSffToFJiBotXZ5rPkz0UNgI/iC0ftusPF2Ce6Of3XckjpCcikWj6n3ahJ24XsWQjp3EvacOiBorh+Kg16LjCEl0P2RMIitTQ==,iv:u9IFdp/jw7ehTshPzQVssLeh33iBYCPjSyJSLsc5EVo=,tag:/KXgmU7dcTKG8C4Y7NcMhw==,type:str]
+    #ENC[AES256_GCM,data:TN/ycWtGSCNY,iv:pSilXx4zKs53XX/L0+QFbwv13rutQG11sU0EgVhaJEA=,tag:L+MpcYYlsMnSpS1JQdnwIQ==,type:comment]
+    lly: ENC[AES256_GCM,data:XkRaNI0SqooptH/OexBCzZ4RYvA3s7qXbpCtLVidJ4pZU/o7EHlIcvMbeRxqdujhXNQ+vbS3o7CmhwJK2JVVPCCVsd6k0gMDdw==,iv:v/2mgDuR+/lb8mtyv6sn4Z9XXnuDoXkT0DeNQ7850fU=,tag:T8xxo9C7kFSNlLDjEaZK0Q==,type:str]
 mariadb:
     slurm: ENC[AES256_GCM,data:qQMD8SKNmxb3PdScXNqppF9zkX7dV5i7rvljvZuhiI5zLnu77qYCHBW6ymh0mrY14N9NjxmQZhZWX/H8TvBlcg==,iv:J5N3LjCYW3QmuEkMBpl7qvPFW1Z9ZoPLkj45jKcIW9U=,tag:Tl+ld07+lVkmzt7f/f2MqQ==,type:str]
 hpcstat:
@@ -52,8 +54,8 @@ sops:
             ZDNHUjE2QVlCV3p0NHdKYW5IMHVBZzQKkZtfyvfroOntg3yRjMw4jQHiQj8eaB2h
             IeIHfW4y01mmVT2ofbtB0xYpjcl4gtUlQ8X3tn5iJ9P8gcVo0G598A==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-31T15:59:56Z"
-    mac: ENC[AES256_GCM,data:zd3ivzjgdbwGZpZssHeIwwkKFfHDxo/dzvb8ptw9noZ4hDVoC5RL9M/OLN6GrRM0wtpNFZJDs7Zz0i1zMascXdVu6mou/0il6/96r+FkQVBJWbrkY36Lk7ntDAcQmZKWxSUfSF0JPHx1rbkIQSVtsLQrpui9UDxaY5DP23xjLQg=,iv:+ouEpSlo0EovK0Qh27tm7NXSYncbjEc/EMWfWHIrCqE=,tag:4CHXmsJ4LhFBmbep3Wil3w==,type:str]
+    lastmodified: "2024-10-26T12:26:52Z"
+    mac: ENC[AES256_GCM,data:TiF/QAh6Y8Xn+3B1rlg+FvZFJ4fGP+szvvopbiEzO6AWBYp8dcD6MmaZstVzJL1BrRIQ3GENcq7EVyfZMWQlW8aRsVF/RrWOSpAKI1tiWDl+10Ov3zjr+Q8sFYTfblWXYH7Tq9pcWBChj1Kj88Ri5xRRfJTuelQoL0igHQBwfFM=,iv:ikzexH8P3CYu7SrRXwWd1Ar3+PEXSSjSVj5E3jwcZyQ=,tag:i5/F33/KcDJVQ4ceYtRErQ==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.9.0
+    version: 3.9.1

devices/xmupc2/default.nix

@@ -4,6 +4,7 @@ inputs:
   {
     nixos =
     {
+      model.type = "server";
       system =
       {
         fileSystems =
@@ -40,7 +41,6 @@ inputs:
             forwardCompat = false;
           };
         };
-        gui = { enable = true; preferred = false; autoStart = true; };
         nix =
         {
           marches =
@@ -89,7 +89,7 @@ inputs:
         docker = {};
       };
       bugs = [ "xmunet" ];
-      user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" ];
+      user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" "lly" "yxf" ];
     };
   };
 }

devices/xmupc2/secrets/default.yaml

@@ -19,6 +19,8 @@ users:
     wp: ENC[AES256_GCM,data:yjMDez28pJUo6riIHypQQgjGFbuLwy87eG4ek/+Li2w8b4Cm5JckRvs26o+S0blfICc8WqIqEJGakT2wVBE5O1jGfniKn3PhTA==,iv:dOA318XRd2EXxmTIlk6GhlAR/FBpbKkbPJJCXTwFCxM=,tag:9MkXNUuAoplAzE+4eJpr0w==,type:str]
     #ENC[AES256_GCM,data:YGcTkNCeu3m7,iv:jYmVrfRFwQoX1XxeSzS23wRMAD/AnzYBXQjI76Ke2FE=,tag:WJfSmjdggzPojDcJ6GzP+A==,type:comment]
     hjp: ENC[AES256_GCM,data:0R5SfBFKuLGurwINnTj31FOrwwfY9bqVS1rG/a0HqIYd+Ui8/2ffFBx0Et+tYIqcxXEJpGbvse43V0naNKmFKlLanfcy9YV/Hg==,iv:mpAUmcVHWWLoreEsG9ha09jxte8mQCLt/A7nm04iX9Y=,tag:bia9pjL0MAcs9vj1gKCVCQ==,type:str]
+    #ENC[AES256_GCM,data:Q3TFPjvcDmKh,iv:eZ1NXGQr9HogxWa46T26WL63nvqho2/KSji8Dgse76o=,tag:iSGPRMCMolp7LVFjJGPotg==,type:comment]
+    lly: ENC[AES256_GCM,data:tP/NtJcMUtZPvuAqoM6KhCMybhsTxKSq4WWW3SBzQ/O0FmUXhECQc5CQnI4J9PlalP7Ug+uUQzeBMnHN84pkKNIeHVJhqjU8Zw==,iv:7TPPuSfXypSRnnhuy8LJSXIB+KB+3vWV0G7AbCZpB6s=,tag:iSLgRxOHgUolByFyvwltNQ==,type:str]
 mariadb:
     slurm: ENC[AES256_GCM,data:9wLQ1zF/kDaiw0s3UaRpiHgmngU7u6hwyqpddSjev0+Z0v58Q2oiJtK8vn+2VlSxx5ACfqEFbzp0PZYAxd575w==,iv:q9JTkgDymOwkbZ/PaxRAAQrtO96QmGgZcQuLTFCMoS4=,tag:dwOHlOTgZqT/1jQ+oGf7UQ==,type:str]
 sops:
@@ -45,8 +47,8 @@ sops:
             M0xoL1dQR0kvMWpzN0RMNWVCTFQxNFUKj9LPjBo5NGOrGYNvu8qZ13PLYjLEWllU
             LARzEn4XgkeHckouwvxZYMCx7WxmAruRWaOvnxTIczzSNP7wIrqnkA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-30T06:31:36Z"
-    mac: ENC[AES256_GCM,data:UUzv3IewuF4rhbrL2haJ0495p1d4wXA7LHa5ogc5TSv+ZAYuN/HL3VCXQzzKQrzqD3LtgC3DrGgmMNGVyAIzqVFYYxVuAwb03ov+lOp3SHvLTCMqkETbcE525aAIVWNqBXp7RBn7tKC4AD4y7AQihSYhBXO8VF1PeccjaCnN7R8=,iv:G0s8qchlgcm5HVshTKnGyt8nk+D4QYyP7n+5R0TOb8A=,tag:DspvfLf1pBs+/ol8GzT7Xw==,type:str]
+    lastmodified: "2024-10-26T12:27:03Z"
+    mac: ENC[AES256_GCM,data:q1EihAxiS23XoKWt4ogBo34pP7J6i/yFglmmvFIdWKIgwaoXWFexKrdu1oRZBIxISW+3b/NzkuUm1anu3sGFGiirDpllg8wu8ezXJJODb8yTU0HJpZ/9vjBPm+ZBt5zFzGky7kmW+qOFfUsZkr8dCiJil/Z0HrXrY2d59ksxhto=,iv:7b6ePa4xXdjrj8O2JWAptsONz8gPApS3roYMuRyrztU=,tag:uzOcc8H2W6VvGDkrex5M6A==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.9.0
+    version: 3.9.1

flake.nix

@@ -3,18 +3,11 @@
 
   inputs =
   {
-    nixpkgs.url = "github:CHN-beta/nixpkgs/nixos-unstable";
+    nixpkgs.url = "github:CHN-beta/nixpkgs/nixos-24.11";
     "nixpkgs-23.11".url = "github:CHN-beta/nixpkgs/nixos-23.11";
     "nixpkgs-23.05".url = "github:CHN-beta/nixpkgs/nixos-23.05";
-    "nixpkgs-22.11".url = "github:NixOS/nixpkgs/nixos-22.11";
-    "nixpkgs-22.05".url = "github:NixOS/nixpkgs/nixos-22.05";
-    home-manager = { url = "github:nix-community/home-manager"; inputs.nixpkgs.follows = "nixpkgs"; };
-    sops-nix =
-    {
-      url = "github:Mic92/sops-nix";
-      inputs = { nixpkgs.follows = "nixpkgs"; nixpkgs-stable.follows = "nixpkgs"; };
-    };
-    aagl = { url = "github:ezKEa/aagl-gtk-on-nix"; inputs.nixpkgs.follows = "nixpkgs"; };
+    home-manager = { url = "github:nix-community/home-manager/release-24.11"; inputs.nixpkgs.follows = "nixpkgs"; };
+    sops-nix = { url = "github:Mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; };
     nix-index-database = { url = "github:Mic92/nix-index-database"; inputs.nixpkgs.follows = "nixpkgs"; };
     nur-xddxdd = { url = "github:xddxdd/nur-packages"; inputs.nixpkgs.follows = "nixpkgs"; };
     nix-vscode-extensions = { url = "github:nix-community/nix-vscode-extensions"; inputs.nixpkgs.follows = "nixpkgs"; };
@@ -26,9 +19,7 @@
       inputs = { nixpkgs.follows = "nixpkgs"; home-manager.follows = "home-manager"; };
     };
     nur-linyinfeng = { url = "github:linyinfeng/nur-packages"; inputs.nixpkgs.follows = "nixpkgs"; };
-    nixos-hardware.url = "github:CHN-beta/nixos-hardware";
     envfs = { url = "github:Mic92/envfs"; inputs.nixpkgs.follows = "nixpkgs"; };
-    nix-fast-build = { url = "github:/Mic92/nix-fast-build"; inputs.nixpkgs.follows = "nixpkgs"; };
     nix-flatpak.url = "github:gmodena/nix-flatpak";
     chaotic =
     {
@@ -38,7 +29,9 @@
     gricad = { url = "github:Gricad/nur-packages"; flake = false; };
     catppuccin.url = "github:catppuccin/nix";
     bscpkgs = { url = "git+https://git.chn.moe/chn/bscpkgs.git"; inputs.nixpkgs.follows = "nixpkgs"; };
-    poetry2nix = { url = "github:CHN-beta/poetry2nix"; inputs.nixpkgs.follows = "nixpkgs"; };
+    poetry2nix = { url = "github:nix-community/poetry2nix"; inputs.nixpkgs.follows = "nixpkgs"; };
+    winapps = { url = "github:winapps-org/winapps/feat-nix-packaging"; inputs.nixpkgs.follows = "nixpkgs"; };
+    aagl = { url = "github:ezKEa/aagl-gtk-on-nix/release-24.11"; inputs.nixpkgs.follows = "nixpkgs"; };
 
     misskey = { url = "git+https://github.com/CHN-beta/misskey?submodules=1"; flake = false; };
     rsshub = { url = "github:DIYgod/RSSHub"; flake = false; };
@@ -49,19 +42,14 @@
     eigen = { url = "gitlab:libeigen/eigen"; flake = false; };
     matplotplusplus = { url = "github:alandefreitas/matplotplusplus"; flake = false; };
     nameof = { url = "github:Neargye/nameof"; flake = false; };
-    nodesoup = { url = "github:olvb/nodesoup"; flake = false; };
     tgbot-cpp = { url = "github:reo7sp/tgbot-cpp"; flake = false; };
-    v-sim = { url = "gitlab:l_sim/v_sim"; flake = false; };
+    v-sim = { url = "gitlab:l_sim/v_sim/master"; flake = false; };
     rycee = { url = "gitlab:rycee/nur-expressions"; flake = false; };
     blurred-wallpaper = { url = "github:bouteillerAlan/blurredwallpaper"; flake = false; };
     slate = { url = "github:TheBigWazz/Slate"; flake = false; };
-    linux-surface = { url = "github:linux-surface/linux-surface"; flake = false; };
     lepton = { url = "github:black7375/Firefox-UI-Fix"; flake = false; };
     lmod = { url = "github:TACC/Lmod"; flake = false; };
     mumax = { url = "github:CHN-beta/mumax"; flake = false; };
-    kylin-virtual-keyboard = { url = "git+https://gitee.com/openkylin/kylin-virtual-keyboard.git"; flake = false; };
-    cjktty = { url = "github:CHN-beta/cjktty-patches"; flake = false; };
-    zxorm = { url = "github:CHN-beta/zxorm"; flake = false; };
     openxlsx = { url = "github:troldal/OpenXLSX?rev=f85f7f1bd632094b5d78d4d1f575955fc3801886"; flake = false; };
     sqlite-orm = { url = "github:fnc12/sqlite_orm"; flake = false; };
     sockpp = { url = "github:fpagliughi/sockpp"; flake = false; };
@@ -70,11 +58,14 @@
     hextra = { url = "github:imfing/hextra"; flake = false; };
     nu-scripts = { url = "github:nushell/nu_scripts"; flake = false; };
     py4vasp = { url = "github:vasp-dev/py4vasp"; flake = false; };
-    pocketfft = { url = "github:/mreineck/pocketfft"; flake = false; };
-    blog = { url = "git+https://git.chn.moe/chn/blog.git"; flake = false; };
-
-    # does not support lfs yet
-    # nixos-wallpaper = { url = "git+https://git.chn.moe/chn/nixos-wallpaper.git"; flake = false; };
+    pocketfft = { url = "github:mreineck/pocketfft"; flake = false; };
+    blog = { url = "git+https://git.chn.moe/chn/blog-public.git"; flake = false; };
+    nixos-wallpaper = { url = "git+https://git.chn.moe/chn/nixos-wallpaper.git"; flake = false; };
+    spectroscopy = { url = "github:skelton-group/Phonopy-Spectroscopy"; flake = false; };
+    vaspberry = { url = "github:Infant83/VASPBERRY"; flake = false; };
+    ufo = { url = "git+https://git.chn.moe/chn/ufo.git"; flake = false; };
+    highfive = { url = "git+https://github.com/CHN-beta/HighFive?submodules=1"; flake = false; };
+    stickerpicker = { url = "github:maunium/stickerpicker"; flake = false; };
   };
 
   outputs = inputs: let localLib = import ./flake/lib.nix inputs.nixpkgs.lib; in

flake/dev.nix

@@ -5,24 +5,28 @@
     inputsFrom = [ pkgs.localPackages.biu ];
     packages = [ pkgs.clang-tools_18 ];
     CMAKE_EXPORT_COMPILE_COMMANDS = "1";
+    hardeningDisable = [ "all" ];
   };
   hpcstat = pkgs.mkShell.override { stdenv = pkgs.clang18Stdenv; }
   {
     inputsFrom = [ (pkgs.localPackages.hpcstat.override { version = null; }) ];
     packages = [ pkgs.clang-tools_18 ];
     CMAKE_EXPORT_COMPILE_COMMANDS = "1";
+    hardeningDisable = [ "all" ];
   };
   sbatch-tui = pkgs.mkShell.override { stdenv = pkgs.clang18Stdenv; }
   {
     inputsFrom = [ pkgs.localPackages.sbatch-tui ];
     packages = [ pkgs.clang-tools_18 ];
     CMAKE_EXPORT_COMPILE_COMMANDS = "1";
+    hardeningDisable = [ "all" ];
   };
   ufo = pkgs.mkShell.override { stdenv = pkgs.clang18Stdenv; }
   {
     inputsFrom = [ pkgs.localPackages.ufo ];
     packages = [ pkgs.clang-tools_18 ];
     CMAKE_EXPORT_COMPILE_COMMANDS = "1";
+    hardeningDisable = [ "all" ];
   };
   chn-bsub = pkgs.mkShell
   {
@@ -38,4 +42,10 @@
       packages = [ clang-tools_18 ];
       CMAKE_EXPORT_COMPILE_COMMANDS = "1";
     };
+  mirism = pkgs.mkShell.override { stdenv = pkgs.clang18Stdenv; }
+  {
+    inputsFrom = [ pkgs.localPackages.mirism ];
+    packages = [ pkgs.clang-tools_18 ];
+    CMAKE_EXPORT_COMPILE_COMMANDS = "1";
+  };
 }

flake/nixos.nix

@@ -15,7 +15,7 @@ builtins.listToAttrs
             config =
             {
               nixpkgs.overlays = [ inputs.self.overlays.default ];
-              nixos.system.networking.hostname = system;
+              nixos.model.hostname = system;
             };
           }
           ../modules
@@ -23,7 +23,7 @@ builtins.listToAttrs
         ];
       };
     })
-    [ "nas" "pc" "pi3b" "surface" "vps4" "vps6" "vps7" "xmupc1" "xmupc2" ])
+    [ "nas" "pc" "pi3b" "vps6" "vps7" "xmupc1" "xmupc2" "one" ])
   ++ (builtins.map
     (node:
     {
@@ -38,7 +38,7 @@ builtins.listToAttrs
             config =
             {
               nixpkgs.overlays = [ inputs.self.overlays.default ];
-              nixos.system.cluster = { clusterName = "srv1"; nodeName = node; };
+              nixos.model.cluster = { clusterName = "srv1"; nodeName = node; };
             };
           }
           ../modules

flake/packages.nix

@@ -11,10 +11,23 @@
       openssh = (pkgs.pkgsStatic.openssh.override { withLdns = false; etcDir = null; }).overrideAttrs
         (prev: { doCheck = false; patches = prev.patches ++ [ ../packages/hpcstat/openssh.patch ];});
       duc = pkgs.pkgsStatic.duc.override { enableCairo = false; cairo = null; pango = null; };
+      # pkgsStatic.clangStdenv have a bug
+      # https://github.com/NixOS/nixpkgs/issues/177129
+      biu = pkgs.pkgsStatic.localPackages.biu.override { stdenv = pkgs.pkgsStatic.gcc14Stdenv; };
     in pkgs.pkgsStatic.localPackages.hpcstat.override
-      { inherit openssh duc; standalone = true; version = inputs.self.rev or "dirty"; };
+    {
+      inherit openssh duc biu;
+      standalone = true;
+      version = inputs.self.rev or "dirty";
+      stdenv = pkgs.pkgsStatic.gcc14Stdenv;
+    };
   chn-bsub = pkgs.pkgsStatic.localPackages.chn-bsub;
   blog = pkgs.callPackage inputs.blog { inherit (inputs) hextra; };
+  vaspberry = pkgs.pkgsStatic.localPackages.vaspberry.override
+  {
+    gfortran = pkgs.pkgsStatic.gfortran;
+    lapack = pkgs.pkgsStatic.openblas;
+  };
 }
 // (builtins.listToAttrs (builtins.map
   (system: { inherit (system) name; value = system.value.config.system.build.toplevel; })

flake/src.nix

@@ -1,10 +1,10 @@
 { inputs }: let inherit (inputs.self.packages.x86_64-linux) pkgs; in
 {
-  nixos-wallpaper = pkgs.fetchgit
+  git-lfs-transfer = "sha256-V2cnWCyzxwxlOXXTB8Kz4X4VHvu0H/SqHBzPFwlp73o=";
+  iso = pkgs.fetchurl
   {
-    url = "https://git.chn.moe/chn/nixos-wallpaper.git";
-    rev = "1ad78b20b21c9f4f7ba5f4c897f74276763317eb";
-    sha256 = "0faahbzsr44bjmwr6508wi5hg59dfb57fzh5x6jh7zwmv4pzhqlb";
-    fetchLFS = true;
+    url = "https://releases.nixos.org/nixos/24.11/nixos-24.11beta709057.0c582677378f"
+      + "/nixos-plasma6-24.11beta709057.0c582677378f-x86_64-linux.iso";
+    sha256 = "000wmfn6k5awqwsx9qldhdgahv4k09w4yzmvf0djs51qjdpha082";
   };
 }

modules/bugs/default.nix

@@ -14,32 +14,8 @@ inputs:
       # xmunet use old encryption
       xmunet.nixpkgs.config.packageOverrides = pkgs: { wpa_supplicant = pkgs.wpa_supplicant.overrideAttrs
         (attrs: { patches = attrs.patches ++ [ ./xmunet.patch ];}); };
-      suspend-hibernate-waydroid.systemd.services =
-        let
-          systemctl = "${inputs.pkgs.systemd}/bin/systemctl";
-        in
-        {
-          "waydroid-hibernate" =
-          {
-            description = "waydroid hibernate";
-            wantedBy = [ "systemd-hibernate.service" "systemd-suspend.service" ];
-            before = [ "systemd-hibernate.service" "systemd-suspend.service" ];
-            serviceConfig.Type = "oneshot";
-            script = "${systemctl} stop waydroid-container";
-          };
-          "waydroid-resume" =
-          {
-            description = "waydroid resume";
-            wantedBy = [ "systemd-hibernate.service" "systemd-suspend.service" ];
-            after = [ "systemd-hibernate.service" "systemd-suspend.service" ];
-            serviceConfig.Type = "oneshot";
-            script = "${systemctl} start waydroid-container";
-          };
-        };
       backlight.boot.kernelParams = [ "nvidia.NVreg_RegistryDwords=EnableBrightnessControl=1" ];
       amdpstate.boot.kernelParams = [ "amd_pstate=active" ];
-      hibernate-mt7921e.powerManagement.resumeCommands =
-        let modprobe = "${inputs.pkgs.kmod}/bin/modprobe"; in "${modprobe} -r -w 3000 mt7921e && ${modprobe} mt7921e";
     };
   in
     {

modules/default.nix

@@ -8,7 +8,6 @@ inputs:
     [
       topInputs.home-manager.nixosModules.home-manager
       topInputs.sops-nix.nixosModules.sops
-      topInputs.aagl.nixosModules.default
       topInputs.nix-index-database.nixosModules.nix-index
       topInputs.nur-xddxdd.nixosModules.setupOverlay
       topInputs.impermanence.nixosModules.impermanence
@@ -16,6 +15,7 @@ inputs:
       topInputs.chaotic.nixosModules.default
       { config.chaotic.nyx.overlay.onTopOf = "user-pkgs"; }
       topInputs.catppuccin.nixosModules.catppuccin
+      topInputs.aagl.nixosModules.default
       (inputs:
       {
         config =
@@ -23,9 +23,9 @@ inputs:
           nixpkgs.overlays =
           [
             topInputs.qchem.overlays.default
-            topInputs.aagl.overlays.default
             topInputs.bscpkgs.overlays.default
             topInputs.poetry2nix.overlays.default
+            topInputs.aagl.overlays.default
             (final: prev:
             {
               nix-vscode-extensions = topInputs.nix-vscode-extensions.extensions."${prev.system}";
@@ -42,6 +42,6 @@ inputs:
           ];
         };
       })
-      ./hardware ./packages ./system ./virtualization ./services ./bugs ./user
+      ./hardware ./packages ./system ./virtualization ./services ./bugs ./user ./model.nix
     ];
   }

modules/hardware/default.nix

@@ -4,18 +4,15 @@ inputs:
   options.nixos.hardware =
     let
       inherit (inputs.lib) mkOption types;
-      default = if inputs.config.nixos.system.gui.enable then {} else null;
+      default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
     in
     {
-      bluetooth = mkOption { type = types.nullOr (types.submodule {}); inherit default; };
       joystick = mkOption { type = types.nullOr (types.submodule {}); inherit default; };
       printer = mkOption { type = types.nullOr (types.submodule {}); inherit default; };
       sound = mkOption { type = types.nullOr (types.submodule {}); inherit default; };
     };
   config = let inherit (inputs.config.nixos) hardware; in inputs.lib.mkMerge
   [
-    # bluetooth
-    (inputs.lib.mkIf (hardware.bluetooth != null) { hardware.bluetooth.enable = true; })
     # joystick
     (inputs.lib.mkIf (hardware.joystick != null) { hardware = { xone.enable = true; xpadneo.enable = true; }; })
     # printer
@@ -28,6 +25,8 @@ inputs:
           {
             enable = true;
             drivers = inputs.lib.mkIf (inputs.config.nixos.system.nixpkgs.arch == "x86_64") [ inputs.pkgs.cnijfilter2 ];
+            # TODO: remove in next update
+            browsed.enable = false;
           };
           avahi = { enable = true; nssmdns4 = true; openFirewall = true; };
         };

modules/hardware/gpu.nix

@@ -46,6 +46,8 @@ inputs:
             extraPackages =
               let packages = with inputs.pkgs;
               {
+                # TODO: import from nixos-hardware instead
+                # enableHybridCodec is only needed for some old intel gpus (Atom, Nxxx, etc)
                 intel = [ intel-vaapi-driver libvdpau-va-gl intel-media-driver ];
                 nvidia = [ vaapiVdpau ];
                 amd = [];
@@ -64,10 +66,6 @@ inputs:
           };
         };
         boot.blacklistedKernelModules = [ "nouveau" ];
-        environment.variables =
-          if builtins.elem "nvidia" gpus then { VDPAU_DRIVER = "nvidia"; }
-          else if builtins.elem "intel" gpus then { VDPAU_DRIVER = "va_gl"; }
-          else {};
         services.xserver.videoDrivers =
           let driver = { intel = "modesetting"; amd = "amdgpu"; nvidia = "nvidia"; };
           in builtins.map (gpu: driver.${gpu}) gpus;

modules/model.nix

@@ -0,0 +1,32 @@
+inputs:
+{
+  options.nixos.model = let inherit (inputs.lib) mkOption types; in
+  {
+    hostname = mkOption { type = types.nonEmptyStr; };
+    type = mkOption { type = types.enum [ "minimal" "desktop" "server" ]; default = "minimal"; };
+    private = mkOption { type = types.bool; default = false; };
+    cluster = mkOption
+    {
+      type = types.nullOr (types.submodule { options =
+      {
+        clusterName = mkOption { type = types.nonEmptyStr; };
+        nodeName = mkOption { type = types.nonEmptyStr; };
+        nodeType = mkOption { type = types.enum [ "master" "worker" ]; default = "worker"; };
+      };});
+      default = null;
+    };
+  };
+  config = let inherit (inputs.config.nixos) model; in inputs.lib.mkMerge
+  [
+    { networking.hostName = model.hostname; }
+    (inputs.lib.mkIf (model.cluster != null)
+      { nixos.model.hostname = "${model.cluster.clusterName}-${model.cluster.nodeName}"; })
+    # TODO: remove it
+    {
+      systemd.services = inputs.lib.mkIf (model.cluster.nodeType or null == "worker") (builtins.listToAttrs
+        (builtins.map
+          (user: { name = "home-manager-${inputs.utils.escapeSystemdPath user}"; value.enable = false; })
+          inputs.config.nixos.user.users));
+    }
+  ];
+}

modules/packages/android-studio.nix

@@ -0,0 +1,12 @@
+inputs:
+{
+  options.nixos.packages.android-studio = let inherit (inputs.lib) mkOption types; in mkOption
+  {
+    type = types.nullOr (types.submodule {});
+    default = null;
+  };
+  config = let inherit (inputs.config.nixos.packages) android-studio; in inputs.lib.mkIf (android-studio != null)
+  {
+    nixos.packages.packages._packages = with inputs.pkgs; [ androidStudioPackages.stable.full ];
+  };
+}

modules/packages/chromium.nix

@@ -3,7 +3,7 @@ inputs:
   options.nixos.packages.chromium = let inherit (inputs.lib) mkOption types; in mkOption
   {
     type = types.nullOr (types.submodule {});
-    default = if inputs.config.nixos.system.gui.enable then {} else null;
+    default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
   };
   config = let inherit (inputs.config.nixos.packages) chromium; in inputs.lib.mkIf (chromium != null)
   {

modules/packages/default.nix

@@ -12,133 +12,25 @@ inputs:
     _packages = mkOption { type = types.listOf types.unspecified; default = []; };
     _pythonPackages = mkOption { type = types.listOf types.unspecified; default = []; };
     _prebuildPackages = mkOption { type = types.listOf types.unspecified; default = []; };
+    _pythonEnvFlags = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
+    _vscodeEnvFlags = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
   };
   config =
   {
     environment.systemPackages = with inputs.config.nixos.packages.packages;
       (inputs.lib.lists.subtractLists excludePackages (_packages ++ extraPackages))
       ++ [
-        (inputs.pkgs.python3.withPackages (pythonPackages:
-          inputs.lib.lists.subtractLists
-            (builtins.concatLists (builtins.map (packageFunction: packageFunction pythonPackages)
-              excludePythonPackages))
-            (builtins.concatLists (builtins.map (packageFunction: packageFunction pythonPackages)
-              (_pythonPackages ++ extraPythonPackages)))))
-        (inputs.pkgs.callPackage ({ stdenv }: stdenv.mkDerivation
-        {
-          name = "prebuild-packages";
-          propagateBuildInputs = inputs.lib.lists.subtractLists excludePrebuildPackages
-            (_prebuildPackages ++ extraPrebuildPackages);
-          phases = [ "installPhase" ];
-          installPhase =
-          ''
-            runHook preInstall
-            mkdir -p $out
-            runHook postInstall
-          '';
-        }) {})
+        (
+          (inputs.pkgs.python3.withPackages (pythonPackages:
+            inputs.lib.lists.subtractLists
+              (builtins.concatLists (builtins.map (packageFunction: packageFunction pythonPackages)
+                excludePythonPackages))
+              (builtins.concatLists (builtins.map (packageFunction: packageFunction pythonPackages)
+                (_pythonPackages ++ extraPythonPackages)))))
+          .override (prev: { makeWrapperArgs = prev.makeWrapperArgs or [] ++ _pythonEnvFlags; }))
+        (inputs.pkgs.writeTextDir "share/prebuild-packages"
+          (builtins.concatStringsSep "\n" (builtins.map builtins.toString
+            (inputs.lib.lists.subtractLists excludePrebuildPackages (_prebuildPackages ++ extraPrebuildPackages)))))
       ];
   };
 }
-
-    # programs.firejail =
-    # {
-    #   enable = true;
-    #   wrappedBinaries =
-    #   {
-    #     qq =
-    #     {
-    #       executable = "${inputs.pkgs.qq}/bin/qq";
-    #       profile = "${inputs.pkgs.firejail}/etc/firejail/linuxqq.profile";
-    #     };
-    #   };
-    # };
-
-# config.nixpkgs.config.replaceStdenv = { pkgs }: pkgs.ccacheStdenv;
-  # only replace stdenv for large and tested packages
-  # config.programs.ccache.packageNames = [ "webkitgtk" "libreoffice" "tensorflow" "linux" "chromium" ];
-  # config.nixpkgs.overlays = [(final: prev:
-  # {
-  #   libreoffice-qt = prev.libreoffice-qt.override (prev: { unwrapped = prev.unwrapped.override
-  #     (prev: { stdenv = final.ccacheStdenv.override { stdenv = prev.stdenv; }; }); });
-  #   python3 = prev.python3.override { packageOverrides = python-final: python-prev:
-  #     {
-  #       tensorflow = python-prev.tensorflow.override
-  #         { stdenv = final.ccacheStdenv.override { stdenv = python-prev.tensorflow.stdenv; }; };
-  #     };};
-  #   # webkitgtk = prev.webkitgtk.override (prev:
-  #   #   { stdenv = final.ccacheStdenv.override { stdenv = prev.stdenv; }; enableUnifiedBuilds = false; });
-  #   wxGTK31 = prev.wxGTK31.override { stdenv = final.ccacheStdenv.override { stdenv = prev.wxGTK31.stdenv; }; };
-  #   wxGTK32 = prev.wxGTK32.override { stdenv = final.ccacheStdenv.override { stdenv = prev.wxGTK32.stdenv; }; };
-  #   # firefox-unwrapped = prev.firefox-unwrapped.override
-  #   #   { stdenv = final.ccacheStdenv.override { stdenv = prev.firefox-unwrapped.stdenv; }; };
-  #   # chromium = prev.chromium.override
-  #   #   { stdenv = final.ccacheStdenv.override { stdenv = prev.chromium.stdenv; }; };
-  #   # linuxPackages_xanmod_latest = prev.linuxPackages_xanmod_latest.override
-  #   # {
-  #   #   kernel = prev.linuxPackages_xanmod_latest.kernel.override
-  #   #   {
-  #   #     stdenv = final.ccacheStdenv.override { stdenv = prev.linuxPackages_xanmod_latest.kernel.stdenv; };
-  #   #     buildPackages = prev.linuxPackages_xanmod_latest.kernel.buildPackages //
-  #   #       { stdenv = prev.linuxPackages_xanmod_latest.kernel.buildPackages.stdenv; };
-  #   #   };
-  #   # };
-  # })];
-  # config.programs.ccache.packageNames = [ "libreoffice-unwrapped" ];
-
-# cross-x86_64-pc-linux-musl/gcc
-# dev-cpp/cpp-httplib ? how to use
-# dev-cpp/cppcoro
-# dev-cpp/date
-# dev-cpp/nameof
-# dev-cpp/scnlib
-# dev-cpp/tgbot-cpp
-# dev-libs/pocketfft
-# dev-util/intel-hpckit
-# dev-util/nvhpc
-# kde-misc/wallpaper-engine-kde-plugin
-# media-fonts/arphicfonts
-# media-fonts/sarasa-gothic
-# media-gfx/flameshot
-# media-libs/libva-intel-driver
-# media-libs/libva-intel-media-driver
-# media-sound/netease-cloud-music
-# net-vpn/frp
-# net-wireless/bluez-tools
-# sci-libs/mkl
-# sci-libs/openblas
-# sci-libs/pfft
-# sci-libs/scalapack
-# sci-libs/wannier90
-# sci-mathematics/ginac
-# sci-mathematics/mathematica
-# sci-mathematics/octave
-# sci-physics/lammps::touchfish-os
-# sci-physics/vsim
-# sci-visualization/scidavis
-# sys-apps/flatpak
-# sys-cluster/modules
-# sys-devel/distcc
-# sys-fs/btrfs-progs
-# sys-fs/compsize
-# sys-fs/dosfstools
-# sys-fs/duperemove
-# sys-fs/exfatprogs
-# sys-fs/mdadm
-# sys-fs/ntfs3g
-# sys-kernel/dracut
-# sys-kernel/linux-firmware
-# sys-kernel/xanmod-sources
-# sys-kernel/xanmod-sources:6.1.12
-# sys-kernel/xanmod-sources::touchfish-os
-# sys-libs/libbacktrace
-# sys-libs/libselinux
-# x11-apps/xinput
-# x11-base/xorg-apps
-# x11-base/xorg-fonts
-# x11-base/xorg-server
-# x11-misc/imwheel
-# x11-misc/optimus-manager
-# x11-misc/unclutter-xfixes
-
-#   ++ ( with inputs.pkgs.pkgsCross.mingwW64.buildPackages; [ gcc ] );

modules/packages/desktop/default.nix

@@ -3,7 +3,7 @@ inputs:
   options.nixos.packages.desktop = let inherit (inputs.lib) mkOption types; in mkOption
   {
     type = types.nullOr (types.submodule {});
-    default = if inputs.config.nixos.system.gui.enable then {} else null;
+    default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
   };
   config = let inherit (inputs.config.nixos.packages) desktop; in inputs.lib.mkIf (desktop != null)
   {
@@ -16,7 +16,7 @@ inputs:
           # system management
           # TODO: module should add yubikey-touch-detector into path
           gparted wayland-utils clinfo glxinfo vulkan-tools dracut yubikey-touch-detector btrfs-assistant snapper-gui
-          kdePackages.qtstyleplugin-kvantum ventoy-full cpu-x wl-mirror # inputs.pkgs."pkgs-23.11".etcher
+          kdePackages.qtstyleplugin-kvantum ventoy-full cpu-x wl-mirror geekbench xpra
           (
             writeShellScriptBin "xclip"
             ''
@@ -33,24 +33,22 @@ inputs:
           # networking
           remmina putty mtr-gui
           # media
-          mpv nomacs spotify yesplaymusic simplescreenrecorder imagemagick gimp netease-cloud-music-gtk vlc obs-studio
-          waifu2x-converter-cpp inkscape blender whalebird paraview
+          mpv nomacs yesplaymusic simplescreenrecorder imagemagick gimp netease-cloud-music-gtk qcm
+          waifu2x-converter-cpp inkscape blender paraview vlc whalebird spotify obs-studio
           # themes
+          klassy localPackages.slate localPackages.blurred-wallpaper tela-circle-icon-theme
           catppuccin catppuccin-sddm catppuccin-cursors catppuccinifier-gui catppuccinifier-cli catppuccin-plymouth
           (catppuccin-kde.override { flavour = [ "latte" ]; }) (catppuccin-kvantum.override { variant = "latte"; })
-          klassy
-          localPackages.slate localPackages.blurred-wallpaper tela-circle-icon-theme
           # terminal
           warp-terminal
           # development
-          adb-sync scrcpy weston cage openbox krita jetbrains.clion android-studio dbeaver-bin cling fprettify
-          aircrack-ng
+          adb-sync scrcpy dbeaver-bin cling aircrack-ng
+          weston cage openbox krita jetbrains.clion fprettify
           # desktop sharing
           rustdesk-flutter
           # password and key management
-          yubikey-manager yubikey-manager-qt yubikey-personalization yubikey-personalization-gui bitwarden electrum
-          jabref
-          john crunch hashcat
+          yubikey-manager yubikey-manager-qt yubikey-personalization yubikey-personalization-gui bitwarden hashcat
+          electrum jabref john crunch
           # download
           qbittorrent nur-xddxdd.baidupcs-go wgetpaste onedrive onedrivegui rclone
           # editor
@@ -61,21 +59,22 @@ inputs:
           nixpkgs-fmt appimage-run nixd nix-serve node2nix nix-prefetch-github prefetch-npm-deps nix-prefetch-docker
           nix-template nil pnpm-lock-export bundix
           # instant messager
-          element-desktop telegram-desktop discord fluffychat zoom-us signal-desktop slack nur-linyinfeng.wemeet
-          nheko # qq nur-xddxdd.wechat-uos TODO: cinny-desktop
+          element-desktop telegram-desktop discord zoom-us slack nur-linyinfeng.wemeet nheko
+          fluffychat signal-desktop qq nur-xddxdd.wechat-uos cinny-desktop
           # browser
           google-chrome tor-browser microsoft-edge
           # office
-          crow-translate zotero pandoc ydict libreoffice-qt texstudio poppler_utils pdftk pdfchain hdfview
-          davinci-resolve texliveFull
+          crow-translate zotero pandoc libreoffice-qt texliveFull poppler_utils pdftk pdfchain davinci-resolve
+          ydict texstudio panoply pspp
           # matplot++ needs old gnuplot
           inputs.pkgs."pkgs-23.11".gnuplot
           # math, physics and chemistry
-          octaveFull root ovito localPackages.vesta localPackages.v-sim
-          (mathematica.overrideAttrs (prev: { postInstall = (prev.postInstall or "") + "ln -s ${prev.src} $out/src"; }))
-          (quantum-espresso.override { stdenv = gcc14Stdenv; gfortran = gfortran14; }) jmol mpi localPackages.ufo
+          octaveFull ovito localPackages.vesta localPackages.v-sim jmol mpi geogebra6 localPackages.ufo
+          (quantum-espresso.override { stdenv = gcc14Stdenv; gfortran = gfortran14;
+            wannier90 = inputs.pkgs.wannier90.overrideAttrs { buildFlags = [ "dynlib" ]; }; })
+          inputs.pkgs."pkgs-23.11".hdfview
           # virtualization
-          wineWowPackages.stagingFull virt-viewer bottles genymotion playonlinux
+          virt-viewer bottles wineWowPackages.stagingFull genymotion playonlinux
           # media
           nur-xddxdd.svp
           # for kdenlive auto subtitle
@@ -85,8 +84,10 @@ inputs:
             (builtins.filter inputs.lib.isDerivation (builtins.attrValues kdePackages.kdeGear)));
         _pythonPackages = [(pythonPackages: with pythonPackages;
         [
-          phonopy scipy scikit-learn jupyterlab autograd # localPackages.pix2tex
+          phonopy scipy scikit-learn jupyterlab autograd
           # TODO: broken on python 3.12 tensorflow keras
+          # for phonopy
+          inputs.pkgs.localPackages.spectroscopy numpy
         ])];
       };
       user.sharedModules =
@@ -102,7 +103,7 @@ inputs:
               baloofilerc."Basic Settings".Indexing-Enabled.value = false;
               plasmarc.Wallpapers.usersWallpapers.value =
                 let
-                  inherit (inputs.topInputs.self.src) nixos-wallpaper;
+                  inherit (inputs.topInputs) nixos-wallpaper;
                   isPicture = f: builtins.elem (inputs.lib.last (inputs.lib.splitString "." f))
                     [ "png" "jpg" "jpeg" "webp" ];
                 in builtins.concatStringsSep "," (builtins.map (f: "${nixos-wallpaper}/${f.name}")
@@ -140,10 +141,13 @@ inputs:
     };
     nixpkgs.overlays = [(final: prev:
     {
-      telegram-desktop = prev.telegram-desktop.overrideAttrs (attrs:
+      telegram-desktop = prev.telegram-desktop.override
       {
-        patches = (if (attrs ? patches) then attrs.patches else []) ++ [ ./telegram.patch ];
-      });
+        unwrapped = prev.telegram-desktop.unwrapped.overrideAttrs (prev:
+        {
+          patches = prev.patches or [] ++ [ ./telegram.patch ];
+        });
+      };
     })];
     services.pcscd.enable = true;
   };

modules/packages/desktop/telegram.patch

@@ -1,12 +1,12 @@
-diff --color -ur a/Telegram/SourceFiles/data/components/sponsored_messages.cpp b/Telegram/SourceFiles/data/components/sponsored_messages.cpp
---- a/Telegram/SourceFiles/data/components/sponsored_messages.cpp	1970-01-01 08:00:01.000000000 +0800
-+++ b/Telegram/SourceFiles/data/components/sponsored_messages.cpp	2024-05-21 20:41:12.849951324 +0800
-@@ -193,7 +193,7 @@
+diff --git a/Telegram/SourceFiles/data/components/sponsored_messages.cpp b/Telegram/SourceFiles/data/components/sponsored_messages.cpp
+index d2746ad9..f46b51fb 100644
+--- a/Telegram/SourceFiles/data/components/sponsored_messages.cpp
++++ b/Telegram/SourceFiles/data/components/sponsored_messages.cpp
+@@ -195,6 +195,7 @@ void SponsoredMessages::inject(
  }
  
  bool SponsoredMessages::canHaveFor(not_null<History*> history) const {
--	return history->peer->isChannel();
 +	return false;
- }
- 
- void SponsoredMessages::request(not_null<History*> history, Fn<void()> done) {
+ 	if (history->peer->isChannel()) {
+ 		return true;
+ 	} else if (const auto user = history->peer->asUser()) {

modules/packages/firefox.nix

@@ -3,7 +3,7 @@ inputs:
   options.nixos.packages.firefox = let inherit (inputs.lib) mkOption types; in mkOption
   {
     type = types.nullOr (types.submodule {});
-    default = if inputs.config.nixos.system.gui.enable then {} else null;
+    default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
   };
   config = let inherit (inputs.config.nixos.packages) firefox; in inputs.lib.mkIf (firefox != null)
   {
@@ -24,7 +24,8 @@ inputs:
           programs.firefox =
           {
             enable = true;
-            nativeMessagingHosts = with inputs.pkgs; [ plasma-browser-integration uget-integrator firefoxpwa ];
+            nativeMessagingHosts = with inputs.pkgs;
+              [ kdePackages.plasma-browser-integration uget-integrator firefoxpwa ];
             # TODO: use fixed-version of plugins
             policies.DefaultDownloadDirectory = "\${home}/Downloads";
             profiles.default =

modules/packages/flatpak.nix

@@ -3,7 +3,7 @@ inputs:
   options.nixos.packages.flatpak = let inherit (inputs.lib) mkOption types; in mkOption
   {
     type = types.nullOr (types.submodule {});
-    default = if inputs.config.nixos.system.gui.enable then {} else null;
+    default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
   };
   config = let inherit (inputs.config.nixos.packages) flatpak; in inputs.lib.mkIf (flatpak != null)
   {

modules/packages/helix.nix

@@ -0,0 +1,21 @@
+inputs:
+{
+  options.nixos.packages.helix = let inherit (inputs.lib) mkOption types; in mkOption
+    { type = types.nullOr (types.submodule {}); default = {}; };
+  config = let inherit (inputs.config.nixos.packages) helix; in inputs.lib.mkIf (helix != null)
+  {
+    nixos =
+    {
+      user.sharedModules =
+      [{
+        config.programs.helix =
+        {
+          enable = true;
+          defaultEditor = true;
+          settings.theme = "catppuccin_latte";
+        };
+      }];
+      packages.packages._packages = [ inputs.pkgs.helix ];
+    };
+  };
+}

modules/packages/lammps.nix

@@ -0,0 +1,22 @@
+inputs:
+{
+  options.nixos.packages.lammps = let inherit (inputs.lib) mkOption types; in mkOption
+  {
+    type = types.nullOr (types.submodule {});
+    default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
+  };
+  config = let inherit (inputs.config.nixos.packages) lammps; in inputs.lib.mkIf (lammps != null)
+  {
+    nixos.packages.packages._packages =
+      let cuda = let inherit (inputs.config.nixos.system.nixpkgs) cuda; in cuda.enable && cuda.capabilities != null;
+      in
+        if cuda then [((inputs.pkgs.lammps.override { stdenv = inputs.pkgs.cudaPackages.backendStdenv; })
+          .overrideAttrs (prev:
+          {
+            cmakeFlags = prev.cmakeFlags ++ [ "-DPKG_GPU=on" "-DGPU_API=cuda" "-DCMAKE_POLICY_DEFAULT_CMP0146=OLD" ];
+            nativeBuildInputs = prev.nativeBuildInputs ++ [ inputs.pkgs.cudaPackages.cudatoolkit ];
+            buildInputs = prev.buildInputs ++ [ inputs.pkgs.mpi ];
+          }))]
+        else [ inputs.pkgs.lammps-mpi ];
+  };
+}

modules/packages/mathematica.nix

@@ -0,0 +1,13 @@
+inputs:
+{
+  options.nixos.packages.mathematica = let inherit (inputs.lib) mkOption types; in mkOption
+  {
+    type = types.nullOr (types.submodule {});
+    default = null;
+  };
+  config = let inherit (inputs.config.nixos.packages) mathematica; in inputs.lib.mkIf (mathematica != null)
+  {
+    nixos.packages.packages._packages = [ (inputs.pkgs.mathematica.overrideAttrs
+      (prev: { postInstall = (prev.postInstall or "") + "ln -s ${prev.src} $out/src"; })) ];
+  };
+}

modules/packages/mumax.nix

@@ -4,7 +4,7 @@ inputs:
   {
     type = types.nullOr (types.submodule {});
     default =
-      if inputs.config.nixos.system.gui.enable
+      if (builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ])
         && (let inherit (inputs.config.nixos.system.nixpkgs) cuda; in cuda.enable && cuda.capabilities != null)
       then {}
       else null;

modules/packages/root.nix

@@ -0,0 +1,40 @@
+inputs:
+{
+  options.nixos.packages.root = let inherit (inputs.lib) mkOption types; in mkOption
+    { type = types.nullOr (types.submodule {}); default = {}; };
+  config = let inherit (inputs.config.nixos.packages) root; in inputs.lib.mkIf (root != null)
+  {
+    nixos.packages.packages =
+      let
+        root = inputs.pkgs.root.overrideAttrs rec
+        {
+          version = "6.34.00-rc1";
+          src = inputs.pkgs.fetchurl
+          {
+            url = "https://root.cern/download/root_v${version}.source.tar.gz";
+            sha256 = "1fx6nyv3drcb16a36np7h3vmjlm937j6y9vxkv0sny0grrxcj9lw";
+          };
+          patches = [];
+        };
+        jupyterPath = inputs.pkgs.jupyter-kernel.create { definitions.root = rec
+        {
+          displayName = "ROOT";
+          language = "c++";
+          argv = [ "/run/current-system/sw/bin/python3" "-m" "JupyROOT.kernel.rootkernel" "-f" "{connection_file}" ];
+          logo64 = "${root}/etc/root/notebook/kernels/root/logo-64x64.png";
+          logo32 = inputs.pkgs.runCommand "logo-32x32.png" {}
+            "${inputs.pkgs.imagemagick}/bin/convert ${logo64} -resize 32x32 $out";
+        };};
+      in
+      {
+        _packages = [ root ];
+        _pythonPackages = [(pythonPackages: with pythonPackages; [ metakernel notebook ])];
+        _pythonEnvFlags =
+        [
+          "--prefix JUPYTER_PATH : ${jupyterPath}"
+          "--suffix NIX_PYTHONPATH : ${root}/lib"
+        ];
+        _vscodeEnvFlags = [ "--prefix JUPYTER_PATH : ${jupyterPath}" ];
+      };
+  };
+}

modules/packages/server.nix

@@ -9,10 +9,10 @@ inputs:
       _packages = with inputs.pkgs;
       [
         # basic tools
-        beep dos2unix gnugrep pv tmux screen parallel tldr cowsay jq zellij ipfetch localPackages.pslist
+        beep dos2unix gnugrep pv tmux screen parallel tldr cowsay jq yq zellij ipfetch localPackages.pslist
         fastfetch reptyr duc ncdu progress libva-utils ksh neofetch
         # lsxx
-        pciutils usbutils lshw util-linux lsof dmidecode lm_sensors
+        pciutils usbutils lshw util-linux lsof dmidecode lm_sensors hwloc acpica-tools
         # top
         iotop iftop htop btop powertop s-tui
         # editor
@@ -32,13 +32,13 @@ inputs:
         # networking
         ipset iptables iproute2 dig nettools traceroute tcping-go whois tcpdump nmap inetutils wireguard-tools
         # nix tools
-        nix-output-monitor nix-tree ssh-to-age (callPackage "${inputs.topInputs.nix-fast-build}" {}) nix-inspect
+        nix-output-monitor nix-tree ssh-to-age nix-inspect
         # development
         gdb try inputs.topInputs.plasma-manager.packages.${inputs.pkgs.system}.rc2nix rr hexo-cli gh nix-init hugo
         # stupid things
-        toilet lolcat
+        toilet lolcat localPackages.stickerpicker graph-easy
         # office
-        todo-txt-cli pdfgrep ffmpeg-full
+        pdfgrep ffmpeg-full # todo-txt-cli 
       ]
         ++ (with inputs.config.boot.kernelPackages; [ cpupower usbip ])
         ++ (inputs.lib.optional (inputs.config.nixos.system.nixpkgs.arch == "x86_64") rar);
@@ -63,7 +63,12 @@ inputs:
     services =
     {
       udev.packages = with inputs.pkgs; [ yubikey-personalization libfido2 ];
-      fwupd.enable = true;
+      fwupd =
+      {
+        enable = true;
+        # allow fwupd install firmware from any source (e.g. manually extracted from msi)
+        daemonSettings.OnlyTrusted = false;
+      };
     };
     home-manager = { useGlobalPkgs = true; useUserPackages = true; };
     # allow everyone run compsize

modules/packages/ssh.nix

@@ -7,16 +7,6 @@ inputs:
     services.openssh.knownHosts =
       let servers =
       {
-        vps4 =
-        {
-          ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIF7Y0tjt1XLPjqJ8HEB26W9jVfJafRQ3pv5AbPaxEc/Z";
-          hostnames = [ "vps4.chn.moe" "104.234.37.61" ];
-        };
-        "initrd.vps4" =
-        {
-          ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIJkOPTFvX9f+Fn/KHOIvUgoRiJfq02T42lVGQhpMUGJq";
-          hostnames = [ "initrd.vps4.chn.moe" "104.234.37.61" ];
-        };
         vps6 =
         {
           ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIO5ZcvyRyOnUCuRtqrM/Qf+AdUe3a5bhbnfyhw2FSLDZ";
@@ -47,15 +37,15 @@ inputs:
           ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIAoMu0HEaFQsnlJL0L6isnkNZdRq0OiDXyaX3+fl3NjT";
           hostnames = [ "initrd.nas.chn.moe" "192.168.1.2" ];
         };
-        surface =
+        one =
         {
-          ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIFdm3DcfHdcLP0oSpVrWwIZ/b9lZuakBSPwCFz2BdTJ7";
-          hostnames = [ "192.168.1.4" "wireguard.surface.chn.moe" "192.168.83.5" ];
+          ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIC5i2Z/vK0D5DBRg3WBzS2ejM0U+w3ZPDJRJySdPcJ5d";
+          hostnames = [ "wireguard.one.chn.moe" "192.168.1.4" "192.168.83.5" ];
         };
         pc =
         {
           ed25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIMSfREi19OSwQnhdsE8wiNwGSFFJwNGN0M5gN+sdrrLJ";
-          hostnames = [ "wireguard.pc.chn.moe" "[office.chn.moe]:3673" "192.168.1.105" "192.168.83.3" ];
+          hostnames = [ "wireguard.pc.chn.moe" "[office.chn.moe]:3673" "192.168.1.3" "192.168.83.3" ];
         };
         hpc =
         {
@@ -111,6 +101,8 @@ inputs:
         (inputs.localLib.attrsToList servers));
     programs.ssh =
     {
+      # maybe better network performance
+      package = inputs.pkgs.openssh_hpn;
       startAgent = true;
       enableAskPassword = true;
       askPassword = "${inputs.pkgs.systemd}/bin/systemd-ask-password";
@@ -129,10 +121,10 @@ inputs:
         (
           (builtins.map
             (host: { name = host; value = { inherit host; hostname = "${host}.chn.moe"; }; })
-            [ "vps4" "vps6" "wireguard.vps6" "vps7" "wireguard.vps7" "wireguard.nas" ])
+            [ "vps6" "wireguard.vps6" "vps7" "wireguard.vps7" "wireguard.nas" "wireguard.one" ])
           ++ (builtins.map
             (host: { name = host; value = { inherit host; hostname = "${host}.chn.moe"; forwardX11 = true; }; })
-            [ "wireguard.pc" "wireguard.surface" "wireguard.xmupc1" "wireguard.xmupc2" "srv1" "wireguard.srv1" ])
+            [ "wireguard.pc" "wireguard.xmupc1" "wireguard.xmupc2" "srv1" "wireguard.srv1" ])
           ++ (builtins.map
             (host:
             {
@@ -152,7 +144,7 @@ inputs:
           xmupc2 = { host = "xmupc2"; hostname = "xmupc2.chn.moe"; port = 6394; forwardX11 = true; };
           nas = { host = "nas"; hostname = "192.168.1.2"; forwardX11 = true; };
           pc = { host = "pc"; hostname = "192.168.1.3"; forwardX11 = true; };
-          surface = { host = "surface"; hostname = "192.168.1.4"; forwardX11 = true; };
+          one = { host = "one"; hostname = "192.168.1.4"; forwardX11 = true; };
           gitea = { host = "gitea"; hostname = "ssh.git.chn.moe"; };
           jykang =
           {

modules/packages/steam.nix

@@ -3,7 +3,7 @@ inputs:
   options.nixos.packages.steam = let inherit (inputs.lib) mkOption types; in mkOption
   {
     type = types.nullOr (types.submodule {});
-    default = if inputs.config.nixos.system.gui.enable then {} else null;
+    default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
   };
   config = let inherit (inputs.config.nixos.packages) steam; in inputs.lib.mkIf (steam != null)
   {
@@ -12,7 +12,7 @@ inputs:
       enable = true;
       package = inputs.pkgs.steam.override (prev:
       {
-        steam = prev.steam.overrideAttrs (prev:
+        steam-unwrapped = prev.steam-unwrapped.overrideAttrs (prev:
         {
           postInstall = prev.postInstall +
           ''

modules/packages/vasp.nix

@@ -3,15 +3,17 @@ inputs:
   options.nixos.packages.vasp = let inherit (inputs.lib) mkOption types; in mkOption
   {
     type = types.nullOr (types.submodule {});
-    default = if inputs.config.nixos.system.gui.enable then {} else null;
+    default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
   };
   # TODO: add more options to correctly configure VASP
   config = let inherit (inputs.config.nixos.packages) vasp; in inputs.lib.mkIf (vasp != null)
   {
-    nixos.packages.packages._packages = (with inputs.pkgs.localPackages.vasp; [ intel vtstscripts ])
-      ++ (with inputs.pkgs.localPackages; [ py4vasp vaspkit ])
-      ++ (inputs.lib.optional
-        (let inherit (inputs.config.nixos.system.nixpkgs) cuda; in cuda.enable && cuda.capabilities != null)
-        inputs.pkgs.localPackages.vasp.nvidia);
+    nixos.packages.packages._packages = with inputs.pkgs;
+    (
+      [ localPackages.vasp.intel localPackages.vasp.vtstscripts localPackages.py4vasp localPackages.vaspkit wannier90 ]
+        ++ (inputs.lib.optional
+          (let inherit (inputs.config.nixos.system.nixpkgs) cuda; in cuda.enable && cuda.capabilities != null)
+          localPackages.vasp.nvidia)
+    );
   };
 }

modules/packages/vim.nix

@@ -9,7 +9,7 @@ inputs:
       config.programs.vim =
       {
         enable = true;
-        defaultEditor = true;
+        defaultEditor = false;
         packageConfigurable = inputs.config.programs.vim.package;
         settings =
         {

modules/packages/vscode.nix

@@ -3,7 +3,7 @@ inputs:
   options.nixos.packages.vscode = let inherit (inputs.lib) mkOption types; in mkOption
   {
     type = types.nullOr (types.submodule {});
-    default = if inputs.config.nixos.system.gui.enable then {} else null;
+    default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
   };
   config = let inherit (inputs.config.nixos.packages) vscode; in inputs.lib.mkIf (vscode != null)
   {
@@ -18,12 +18,15 @@ inputs:
               (set:
               {
                 name = set;
-                value = nix-vscode-extensions.vscode-marketplace.${set} // vscode-extensions.${set} or {};
+                value = vscode-extensions.${set} or {}
+                  // nix-vscode-extensions.vscode-marketplace.${set}
+                  // nix-vscode-extensions.vscode-marketplace-release.${set} or {};
               })
               (inputs.lib.unique
               (
-                (builtins.attrNames nix-vscode-extensions.vscode-marketplace)
-                ++ (builtins.attrNames vscode-extensions)
+                (builtins.attrNames vscode-extensions)
+                  ++ (builtins.attrNames nix-vscode-extensions.vscode-marketplace)
+                  ++ (builtins.attrNames nix-vscode-extensions.vscode-marketplace-release)
               )));
             in with extensions;
               (with github; [ copilot github-vscode-theme ])
@@ -51,7 +54,12 @@ inputs:
                 ms-python.python
                 # theme
                 pkief.material-icon-theme
-              ];
+              ]
+              # jupyter
+              # TODO: use last release
+              ++ (with vscode-extensions.ms-toolsai;
+                [ jupyter jupyter-keymap jupyter-renderers vscode-jupyter-cell-tags vscode-jupyter-slideshow ]);
+          extraFlags = builtins.concatStringsSep " " inputs.config.nixos.packages.packages._vscodeEnvFlags;
         }
       )];
     };

modules/packages/winapps/default.nix

@@ -0,0 +1,47 @@
+inputs:
+{
+  options.nixos.packages.winapps = let inherit (inputs.lib) mkOption types; in mkOption
+  {
+    type = types.nullOr (types.submodule {});
+    default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
+  };
+  config = let inherit (inputs.config.nixos.packages) winapps; in inputs.lib.mkIf (winapps != null)
+  {
+    nixos.packages.packages._packages =
+    [
+      (inputs.pkgs.callPackage "${inputs.topInputs.winapps}/packages/winapps" {})
+      (inputs.pkgs.runCommand "winapps-windows" {}
+      ''
+        mkdir -p $out/share/applications
+        cp ${inputs.pkgs.substituteAll { src = ./windows.desktop; path = inputs.topInputs.winapps; }} \
+          $out/share/applications/windows.desktop
+      '')
+    ]
+      ++ builtins.map
+        (p: inputs.pkgs.runCommand "winapps-${p}" {}
+        ''
+          mkdir -p $out/share/applications
+          source ${inputs.topInputs.winapps}/apps/${p}/info
+          # replace \ with \\
+          WIN_EXECUTABLE=$(echo $WIN_EXECUTABLE | sed 's/\\/\\\\/g')
+          # replace space with \s
+          WIN_EXECUTABLE=$(echo $WIN_EXECUTABLE | sed 's/ /\\s/g')
+          cat > $out/share/applications/${p}.desktop << EOF
+          [Desktop Entry]
+          Name=$NAME
+          Exec=winapps manual "$WIN_EXECUTABLE" %F
+          Terminal=false
+          Type=Application
+          Icon=${inputs.topInputs.winapps}/apps/${p}/icon.svg
+          StartupWMClass=$FULL_NAME
+          Comment=$FULL_NAME
+          Categories=$CATEGORIES
+          MimeType=$MIME_TYPES
+          EOF
+        '')
+        [
+          "access-o365" "acrobat-x-pro" "cmd" "excel-o365" "explorer" "illustrator-cc" "powerpoint-o365"
+          "visual-studio-comm" "word-o365"
+        ];
+  };
+}

modules/packages/winapps/windows.desktop

@@ -0,0 +1,9 @@
+[Desktop Entry]
+Name=Windows
+Exec=winapps windows %F
+Terminal=false
+Type=Application
+Icon=@path@/icons/windows.svg
+StartupWMClass=Micorosoft Windows
+Comment=Micorosoft Windows
+Categories=Windows

modules/services/akkoma.nix

@@ -1,51 +0,0 @@
-inputs:
-{
-  options.nixos.services.akkoma = let inherit (inputs.lib) mkOption types; in
-  {
-    enable = mkOption { type = types.bool; default = false; };
-    hostname = mkOption { type = types.str; default = "akkoma.chn.moe"; };
-  };
-  config =
-    let
-      inherit (inputs.config.nixos.services) akkoma;
-      inherit (inputs.lib) mkIf;
-    in mkIf akkoma.enable
-    {
-      services.akkoma =
-      {
-        enable = true;
-        config.":pleroma" =
-        {
-          "Pleroma.Web.Endpoint".url.host = akkoma.hostname;
-          "Pleroma.Repo" =
-          {
-            adapter = (inputs.pkgs.formats.elixirConf { }).lib.mkRaw "Ecto.Adapters.Postgres";
-            hostname = "127.0.0.1";
-            username = "akkoma";
-            password._secret = inputs.config.sops.secrets."akkoma/db".path;
-            database = "akkoma";
-          };
-          ":instance" =
-          {
-            name = "艹";
-            email = "grass@grass.squre";
-            description = "艹艹艹艹艹";
-          };
-        };
-      };
-      nixos.services =
-      {
-        nginx =
-        {
-          enable = true;
-          https."${akkoma.hostname}" =
-          {
-            global.tlsCert = "/var/lib/akkoma";
-            location."/".proxy = { upstream = "http://127.0.0.1:4000"; websocket = true; };
-          };
-        };
-        postgresql.instances.akkoma = {};
-      };
-      sops.secrets."akkoma/db" = { owner = "akkoma"; key = "postgresql/akkoma"; };
-    };
-}

modules/services/ananicy.nix

@@ -0,0 +1,15 @@
+inputs:
+{
+  options.nixos.services.ananicy = let inherit (inputs.lib) mkOption types; in mkOption
+    { type = types.nullOr (types.submodule {}); default = null; };
+  config = let inherit (inputs.config.nixos.services) ananicy; in inputs.lib.mkIf (ananicy != null)
+  {
+    services.ananicy =
+    {
+      enable = true;
+      package = inputs.pkgs.ananicy-cpp;
+      rulesProvider = inputs.pkgs.ananicy-rules-cachyos;
+      extraRules = [{ name = "YuanShen.exe"; type = "Game"; }];
+    };
+  };
+}

modules/services/chatgpt.nix

@@ -1,44 +0,0 @@
-inputs:
-{
-  options.nixos.services.chatgpt = let inherit (inputs.lib) mkOption types; in mkOption
-  {
-    type = types.nullOr (types.submodule { options =
-    {
-      hostname = mkOption { type = types.str; default = "chat.chn.moe"; };
-    };});
-    default = null;
-  };
-  config = let inherit (inputs.config.nixos.services) chatgpt; in inputs.lib.mkIf (chatgpt != null)
-  {
-    virtualisation.oci-containers.containers.chatgpt =
-    {
-      image = "yidadaa/chatgpt-next-web:v2.11.3";
-      imageFile = inputs.pkgs.dockerTools.pullImage
-      {
-        imageName = "yidadaa/chatgpt-next-web";
-        imageDigest = "sha256:622462a7958f82e128a0e1ebd07b96e837f3d457b912fb246b550fb730b538a7";
-        sha256 = "00qwh1kjdchf1nhaz18s2yly2xhvpaa83ym5x4wy3z0y3vc1zwxx";
-        finalImageName = "yidadaa/chatgpt-next-web";
-        finalImageTag = "v2.11.3";
-      };
-      ports = [ "127.0.0.1:6184:3000/tcp" ];
-      extraOptions = [ "--add-host=host.docker.internal:host-gateway" ];
-      environmentFiles = [ inputs.config.sops.templates."chatgpt/env".path ];
-    };
-    sops =
-    {
-      templates."chatgpt/env".content =
-      ''
-        OPENAI_API_KEY=${inputs.config.sops.placeholder."chatgpt/key"}
-        BASE_URL=https://oa.api2d.net
-      '';
-      secrets."chatgpt/key" = {};
-    };
-    nixos.services.nginx =
-    {
-      enable = true;
-      https."${chatgpt.hostname}".location."/".proxy =
-        { upstream = "http://127.0.0.1:6184"; detectAuth.users = [ "chat" ]; };
-    };
-  };
-}

modules/services/default.nix

@@ -4,8 +4,7 @@ inputs:
   options.nixos.services = let inherit (inputs.lib) mkOption types; in
   {
     smartd.enable = mkOption { type = types.bool; default = false; };
-    wallabag.enable = mkOption { type = types.bool; default = false; };
-    noisetorch.enable = mkOption { type = types.bool; default = inputs.config.nixos.system.gui.preferred; };
+    noisetorch.enable = mkOption { type = types.bool; default = inputs.config.nixos.model.type == "desktop"; };
   };
   config =
     let
@@ -16,61 +15,6 @@ inputs:
     in mkMerge
     [
       (mkIf services.smartd.enable { services.smartd.enable = true; })
-      (
-        mkIf services.wallabag.enable
-        {
-          virtualisation.oci-containers.containers.wallabag =
-          {
-            image = "wallabag/wallabag:2.6.2";
-            imageFile = inputs.pkgs.dockerTools.pullImage
-            {
-              imageName = "wallabag/wallabag";
-              imageDigest = "sha256:241e5c71f674ee3f383f428e8a10525cbd226d04af58a40ce9363ed47e0f1de9";
-              sha256 = "0zflrhgg502w3np7kqmxij8v44y491ar2qbk7qw981fysia5ix09";
-              finalImageName = "wallabag/wallabag";
-              finalImageTag = "2.6.2";
-            };
-            ports = [ "127.0.0.1:4398:80/tcp" ];
-            extraOptions = [ "--add-host=host.docker.internal:host-gateway" ];
-            environmentFiles = [ inputs.config.sops.templates."wallabag/env".path ];
-          };
-          sops =
-          {
-            templates."wallabag/env".content =
-              let
-                placeholder = inputs.config.sops.placeholder;
-              in
-              ''
-                SYMFONY__ENV__DATABASE_DRIVER=pdo_pgsql
-                SYMFONY__ENV__DATABASE_HOST=host.docker.internal
-                SYMFONY__ENV__DATABASE_PORT=5432
-                SYMFONY__ENV__DATABASE_NAME=wallabag
-                SYMFONY__ENV__DATABASE_USER=wallabag
-                SYMFONY__ENV__DATABASE_PASSWORD=${placeholder."postgresql/wallabag"}
-                SYMFONY__ENV__REDIS_HOST=host.docker.internal
-                SYMFONY__ENV__REDIS_PORT=8790
-                SYMFONY__ENV__REDIS_PASSWORD=${placeholder."redis/wallabag"}
-                SYMFONY__ENV__SERVER_NAME=wallabag.chn.moe
-                SYMFONY__ENV__DOMAIN_NAME=https://wallabag.chn.moe
-                SYMFONY__ENV__TWOFACTOR_AUTH=false
-              '';
-              # SYMFONY__ENV__MAILER_DSN=smtp://bot%%40chn.moe@${placeholder."mail/bot-encoded"}:mail.chn.moe
-              # SYMFONY__ENV__FROM_EMAIL=bot@chn.moe
-              # SYMFONY__ENV__TWOFACTOR_SENDER=bot@chn.moe
-            secrets."mail/bot-encoded" = {};
-          };
-          nixos.services =
-          {
-            nginx =
-            {
-              enable = true;
-              https."wallabag.chn.moe".location."/".proxy.upstream = "http://127.0.0.1:4398";
-            };
-            postgresql.instances.wallabag = {};
-            redis.instances.wallabag = { user = "root"; port = 8790; };
-          };
-        }
-      )
       (mkIf services.noisetorch.enable { programs.noisetorch.enable = true; })
     ];
 }

modules/services/docker.nix

@@ -7,19 +7,21 @@ inputs:
     (
       inputs.lib.mkIf (docker != null)
       {
-        # system-wide docker is not needed
-        # virtualisation.docker.enable = true;
-        virtualisation.docker.rootless =
+        virtualisation.docker =
         {
           enable = true;
-          setSocketVariable = true;
-          daemon.settings =
+          rootless =
           {
-            features.buildkit = true;
-            # dns 127.0.0.1 make docker not work
-            dns = [ "1.1.1.1" ];
-            # prevent create btrfs subvol
-            storage-driver = "overlay2";
+            enable = true;
+            setSocketVariable = true;
+            daemon.settings =
+            {
+              features.buildkit = true;
+              # dns 127.0.0.1 make docker not work
+              dns = [ "1.1.1.1" ];
+              # prevent create btrfs subvol
+              storage-driver = "overlay2";
+            };
           };
         };
       }

modules/services/gitea.nix

@@ -48,7 +48,27 @@ inputs:
     };
     nixos.services =
     {
-      nginx = { enable = true; https."${gitea.hostname}".location."/".proxy.upstream = "http://127.0.0.1:3002"; };
+      nginx =
+      {
+        enable = true;
+        https."${gitea.hostname}".location =
+        {
+          "/".proxy.upstream = "http://127.0.0.1:3002";
+          "/robots.txt".static.root =
+            let
+              robotsFile = inputs.pkgs.fetchurl
+              {
+                url = "https://gitea.com/robots.txt";
+                sha256 = "144c5s3la4a85c9lygcnxhbxs3w5y23bkhhqx69fbp9yiqyxdkk2";
+              };
+              robotsDir = inputs.pkgs.runCommand "robots.txt" {}
+              ''
+                mkdir -p $out
+                cp ${robotsFile} $out/robots.txt
+              '';
+            in "${robotsDir}";
+        };
+      };
       postgresql.instances.gitea = {};
     };
     sops.secrets =

modules/services/keyd.nix

@@ -0,0 +1,21 @@
+inputs:
+{
+  options.nixos.services.keyd = let inherit (inputs.lib) mkOption types; in mkOption
+    { type = types.nullOr (types.submodule {}); default = null; };
+  config = let inherit (inputs.config.nixos.services) keyd; in inputs.lib.mkIf (keyd != null)
+  {
+    services.keyd =
+    {
+      enable = true;
+      keyboards.default =
+      {
+        ids = [ "*" ];
+        settings =
+        {
+          main.rightcontrol = "overload(r_ctrl, rightcontrol)";
+          "r_ctrl:C" = { left = "home"; right = "end"; up = "pageup"; down = "pagedown"; };
+        };
+      };
+    };
+  };
+}

modules/services/kmscon.nix

@@ -1,19 +0,0 @@
-inputs:
-{
-  options.nixos.services.kmscon = let inherit (inputs.lib) mkOption types; in
-  {
-    enable = mkOption { type = types.bool; default = false; };
-  };
-  config =
-    let
-      inherit (inputs.lib) mkIf;
-      inherit (inputs.config.nixos.services) kmscon;
-    in mkIf kmscon.enable
-    {
-      services.kmscon =
-      {
-        enable = true;
-        fonts = [{ name = "FiraCode Nerd Font Mono"; package = inputs.pkgs.nerdfonts; }];
-      };
-    };
-}

modules/services/mariadb.nix

@@ -49,11 +49,7 @@ inputs:
     sops.secrets = builtins.listToAttrs (builtins.map
       (db: { name = "mariadb/${db.value.user}"; value.owner = inputs.config.users.users.mysql.name; })
       (builtins.filter (db: db.value.passwordFile == null) (inputs.localLib.attrsToList mariadb.instances)));
-    environment.persistence =
-      let inherit (inputs.config.nixos.system) impermanence; in inputs.lib.mkIf impermanence.enable
-      {
-        "${impermanence.nodatacow}".directories = let user = "mysql"; in
-          [{ directory = "/var/lib/mysql"; inherit user; group = user; mode = "0750"; }];
-      };
+    environment.persistence."/nix/nodatacow".directories =
+      [{ directory = "/var/lib/mysql"; user = "mysql"; group = "mysql"; mode = "0750"; }];
   };
 }

modules/services/mastodon.nix

@@ -1,83 +0,0 @@
-inputs:
-{
-  options.nixos.services.mastodon = let inherit (inputs.lib) mkOption types; in
-  {
-    enable = mkOption { type = types.bool; default = false; };
-    hostname = mkOption { type = types.str; default = "dudu.chn.moe"; };
-  };
-  config =
-    let
-      inherit (inputs.config.nixos.services) mastodon;
-      inherit (inputs.lib) mkIf;
-      inherit (builtins) toString;
-    in mkIf mastodon.enable
-    {
-      services.mastodon =
-      {
-        enable = true;
-        streamingProcesses = 1;
-        enableUnixSocket = false;
-        localDomain = mastodon.hostname;
-        database =
-        {
-          createLocally = false;
-          host = "127.0.0.1";
-          passwordFile = inputs.config.sops.secrets."mastodon/postgresql".path;
-        };
-        redis.createLocally = false;
-        smtp =
-        {
-          createLocally = false;
-          user = "bot@chn.moe";
-          port = 465;
-          passwordFile = inputs.config.sops.secrets."mastodon/mail".path;
-          host = "mail.chn.moe";
-          fromAddress = "bot@chn.moe";
-          authenticate = true;
-        };
-        extraEnvFiles = [ inputs.config.sops.templates."mastodon/env".path ];
-      };
-      nixos.services =
-      {
-        postgresql.instances.mastodon = {};
-        redis.instances.mastodon.port = inputs.config.services.mastodon.redis.port;
-        nginx =
-        {
-          enable = true;
-          https."${mastodon.hostname}".location =
-          {
-            "/system/".alias.path = "/var/lib/mastodon/public-system/";
-            "/".static =
-              { root = "${inputs.config.services.mastodon.package}/public"; tryFiles = [ "$uri" "@proxy" ]; };
-            "@proxy".proxy =
-              { upstream = "http://127.0.0.1:${toString inputs.config.services.mastodon.webPort}"; websocket = true; };
-            "/api/v1/streaming/".proxy =
-            {
-              upstream = "http://unix:/run/mastodon-streaming/streaming-1.socket";
-              websocket = true;
-            };
-          };
-        };
-      };
-      sops =
-      {
-        secrets =
-        {
-          "mastodon/mail" = { owner = "mastodon"; key = "mail/bot"; };
-          "mastodon/postgresql" = { owner = "mastodon"; key = "postgresql/mastodon"; };
-        };
-        templates."mastodon/env" =
-        {
-          owner = "mastodon";
-          content =
-          ''
-            REDIS_PASSWORD=${inputs.config.sops.placeholder."redis/mastodon"}
-            SMTP_SSL=true
-            SMTP_AUTH_METHOD=plain
-          '';
-        };
-      };
-      environment.systemPackages = [ inputs.config.services.mastodon.package ];
-      # sudo -u mastodon mastodon-tootctl accounts modify chn --role Owner
-    };
-}

modules/services/meilisearch.nix

@@ -1,113 +0,0 @@
-inputs:
-{
-  options.nixos.services.meilisearch = let inherit (inputs.lib) mkOption types; in
-  {
-    instances = mkOption
-    {
-      type = types.attrsOf (types.submodule (submoduleInputs: { options =
-      {
-        user = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
-        port = mkOption { type = types.ints.unsigned; };
-      };}));
-      default = {};
-    };
-    ioLimitDevice = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
-  };
-  config = let inherit (inputs.config.nixos.services) meilisearch; in
-  {
-    systemd =
-    {
-      services = builtins.listToAttrs (builtins.map
-        (instance:
-        {
-          name = "meilisearch-${instance.name}";
-          value =
-          {
-            description = "meiliSearch ${instance.name}";
-            wantedBy = [ "multi-user.target" ];
-            after = [ "network.target" ];
-            # environment.RUST_BACKTRACE = "full";
-            serviceConfig =
-            {
-              User = instance.value.user;
-              Group = inputs.config.users.users.${instance.value.user}.group;
-              ExecStart =
-                let
-                  meilisearch = inputs.pkgs.meilisearch.overrideAttrs (prev:
-                  {
-                    RUSTFLAGS = prev.RUSTFLAGS or [] ++ [ "-Clto=true" "-Cpanic=abort" "-Cembed-bitcode=yes"]
-                      ++ (
-                        let inherit (inputs.config.nixos.system.nixpkgs) march;
-                        in (if march != null then [ "-Ctarget-cpu=${march}" ] else [])
-                      );
-                  });
-                  config = inputs.config.sops.templates."meilisearch-${instance.name}.toml".path;
-                in
-                  "${meilisearch}/bin/meilisearch --config-file-path ${config}";
-              Restart = "always";
-              StartLimitBurst = 3;
-              LimitNOFILE = "infinity";
-              LimitNPROC = "infinity";
-              LimitCORE = "infinity";
-              CPUSchedulingPolicy = "idle";
-              IOSchedulingClass = "idle";
-              IOSchedulingPriority = 4;
-              IOAccounting = true;
-              IOWeight = 1;
-              Nice = 19;
-              Slice = "-.slice";
-            }
-            // (if meilisearch.ioLimitDevice != null then
-            {
-              IOReadBandwidthMax = "${meilisearch.ioLimitDevice} 20M";
-              IOWriteBandwidthMax = "${meilisearch.ioLimitDevice} 20M";
-              # iostat -dx 1
-              IOReadIOPSMax = "${meilisearch.ioLimitDevice} 100";
-              IOWriteIOPSMax = "${meilisearch.ioLimitDevice} 100";
-            } else {});
-          };
-        })
-        (inputs.localLib.attrsToList meilisearch.instances));
-      tmpfiles.rules = builtins.concatLists (builtins.map
-        (instance:
-          let
-            user = instance.value.user;
-            group = inputs.config.users.users.${instance.value.user}.group;
-            dir = "/var/lib/meilisearch/${instance.name}";
-          in
-            [ "d ${dir} 0700 ${user} ${group}" "Z ${dir} - ${user} ${group}" ])
-        (inputs.localLib.attrsToList meilisearch.instances));
-    };
-    sops =
-    {
-      templates = builtins.listToAttrs (builtins.map
-        (instance:
-        {
-          name = "meilisearch-${instance.name}.toml";
-          value =
-          {
-            content =
-            ''
-              db_path = "/var/lib/meilisearch/${instance.name}"
-              http_addr = "0.0.0.0:${builtins.toString instance.value.port}"
-              master_key = "${inputs.config.sops.placeholder."meilisearch/${instance.name}"}"
-              env = "production"
-              dump_dir = "/var/lib/meilisearch/${instance.name}/dumps"
-              log_level = "INFO"
-              max_indexing_memory = "16Gb"
-              max_indexing_threads = 1
-            '';
-            owner = instance.value.user;
-          };
-        })
-        (inputs.localLib.attrsToList meilisearch.instances));
-      secrets = builtins.listToAttrs (builtins.map
-        (instance: { name = "meilisearch/${instance.name}"; value = {}; })
-        (inputs.localLib.attrsToList meilisearch.instances));
-    };
-    environment.persistence =
-      let inherit (inputs.config.nixos.system) impermanence;
-      in inputs.lib.mkIf (impermanence.enable && meilisearch.instances != {})
-        { "${impermanence.nodatacow}".directories = [ "/var/lib/meilisearch" ]; };
-  };
-}

modules/services/mirism.nix

@@ -31,7 +31,7 @@ inputs:
               {
                 User = inputs.config.users.users.mirism.name;
                 Group = inputs.config.users.users.mirism.group;
-                ExecStart = "${inputs.pkgs.localPackages.mirism}/bin/${instance}";
+                ExecStart = "${inputs.pkgs.localPackages.mirism-old}/bin/${instance}";
                 RuntimeMaxSec = "1d";
                 Restart = "always";
               };

modules/services/misskey.nix

@@ -8,11 +8,6 @@ inputs:
       port = mkOption { type = types.ints.unsigned; default = 9726; };
       redis.port = mkOption { type = types.ints.unsigned; default = 3545; };
       hostname = mkOption { type = types.nonEmptyStr; default = "misskey.chn.moe"; };
-      meilisearch =
-      {
-        enable = mkOption { type = types.bool; default = false; };
-        port = mkOption { type = types.ints.unsigned; default = 7700; };
-      };
     };});
     default = {};
   };
@@ -31,9 +26,7 @@ inputs:
           {
             enable = instance.value.autoStart;
             description = "misskey ${instance.name}";
-            after = [ "network.target" "redis-misskey-${instance.name}.service" "postgresql.service" ]
-              ++ (if instance.value.meilisearch.enable then [ "meilisearch-misskey-${instance.name}.service" ]
-                else []);
+            after = [ "network.target" "redis-misskey-${instance.name}.service" "postgresql.service" ];
             requires = after;
             wantedBy = [ "multi-user.target" ];
             environment.MISSKEY_CONFIG_YML = inputs.config.sops.templates."misskey/${instance.name}.yml".path;
@@ -77,7 +70,6 @@ inputs:
               let
                 placeholder = inputs.config.sops.placeholder;
                 redis = inputs.config.nixos.services.redis.instances."misskey-${instance.name}";
-                meilisearch = inputs.config.nixos.services.meilisearch.instances."misskey-${instance.name}";
               in
               ''
                 url: https://${instance.value.hostname}/
@@ -105,17 +97,7 @@ inputs:
                 proxyRemoteFiles: true
                 signToActivityPubGet: true
                 maxFileSize: 1073741824
-              ''
-              + (if instance.value.meilisearch.enable then
-              ''
-                meilisearch:
-                  host: 127.0.0.1
-                  port: ${toString meilisearch.port}
-                  apiKey: ${placeholder."meilisearch/misskey-${instance.name}"}
-                  ssl: false
-                  index: misskey
-                  scope: global
-              '' else "");
+              '';
             owner = inputs.config.users.users."misskey-${instance.name}".name;
           };
         })
@@ -142,19 +124,6 @@ inputs:
         postgresql.instances = listToAttrs (map
           (instance: { name = "misskey_${replaceStrings [ "-" ] [ "_" ] instance.name}"; value = {}; })
           (attrsToList misskey.instances));
-        meilisearch.instances =
-          let instances = filter (instance: instance.value.meilisearch.enable) (attrsToList misskey.instances);
-          in listToAttrs (map
-            (instance:
-            {
-              name = "misskey-${instance.name}";
-              value =
-              {
-                user = inputs.config.users.users."misskey-${instance.name}".name;
-                port = instance.value.meilisearch.port;
-              };
-            })
-            instances);
         nginx =
         {
           enable = mkIf (misskey.instances != {}) true;

modules/services/nextcloud.nix

@@ -16,7 +16,7 @@ inputs:
       hostName = nextcloud.hostname;
       appstoreEnable = false;
       https = true;
-      package = inputs.pkgs.nextcloud29;
+      package = inputs.pkgs.nextcloud30;
       maxUploadSize = "10G";
       config =
       {

modules/services/nfs.nix

@@ -0,0 +1,29 @@
+inputs:
+{
+  options.nixos.services.nfs = let inherit (inputs.lib) mkOption types; in mkOption
+  {
+    type = types.nullOr (types.submodule { options =
+    {
+      root = mkOption { type = types.nonEmptyStr; };
+      exports = mkOption { type = types.listOf types.nonEmptyStr; };
+      accessLimit = mkOption { type = types.nonEmptyStr; };
+    };});
+    default = null;
+  };
+  config = let inherit (inputs.config.nixos.services) nfs; in inputs.lib.mkIf (nfs != null)
+  {
+    services =
+    {
+      rpcbind.enable = true;
+      nfs.server =
+      {
+        enable = true;
+        exports = "${nfs.root} ${nfs.accessLimit}(rw,no_root_squash,fsid=0,sync,crossmnt)\n"
+          + builtins.concatStringsSep "\n" (builtins.map
+            (export: "${export} ${nfs.accessLimit}(rw,no_root_squash,sync,crossmnt)")
+            nfs.exports);
+      };
+    };
+    networking.firewall.allowedTCPPorts = [ 2049 ];
+  };
+}

modules/services/nginx/applications/kkmeeting.nix

@@ -1,18 +0,0 @@
-inputs:
-{
-  options.nixos.services.nginx.applications.kkmeeting = let inherit (inputs.lib) mkOption types; in
-  {
-    enable = mkOption { type = types.bool; default = false; };
-    hostname = mkOption { type = types.nonEmptyStr; default = "kkmeeting.chn.moe"; };
-  };
-  config =
-    let
-      inherit (inputs.config.nixos.services.nginx.applications) kkmeeting;
-      inherit (inputs.lib) mkIf;
-    in mkIf kkmeeting.enable
-    {
-      nixos.services.nginx.https.${kkmeeting.hostname}.location."/".static =
-        { root = "/srv/kkmeeting"; index = "auto"; charset = "utf-8"; };
-      systemd.tmpfiles.rules = [ "d /srv/kkmeeting 0700 nginx nginx" "Z /srv/kkmeeting - nginx nginx" ];
-    };
-}

modules/services/nginx/applications/sticker/.gitignore

@@ -0,0 +1 @@
+/config.json

modules/services/nginx/applications/sticker/default.nix

@@ -0,0 +1,22 @@
+inputs:
+{
+  options.nixos.services.nginx.applications.sticker = let inherit (inputs.lib) mkOption types; in mkOption
+  {
+    type = types.nullOr (types.submodule {});
+    default = {};
+  };
+  config = let inherit (inputs.config.nixos.services.nginx.applications) sticker; in inputs.lib.mkIf (sticker != null)
+  {
+    nixos.services.nginx.https."sticker.chn.moe".location."/".static =
+    {
+      root = builtins.toString (inputs.pkgs.runCommand "web" {}
+      ''
+        mkdir -p $out
+        cp -r ${inputs.topInputs.stickerpicker}/web/* $out
+        chmod -R +w $out
+        cp -r ${./web}/* $out
+      '');
+      index = [ "index.html" ];
+    };
+  };
+}

modules/services/nginx/applications/sticker/web/packs/index.json

@@ -0,0 +1,7 @@
+{
+  "packs": [
+    "Mare_by_WuMingv2Bot.json",
+    "line_191054124446_by_moe_sticker_bot.json"
+  ],
+  "homeserver_url": "https://matrix.chn.moe"
+}

modules/services/nginx/default.nix

@@ -247,6 +247,12 @@ inputs:
               proxy_ssl_server_name on;
               proxy_ssl_session_reuse off;
               send_timeout 1d;
+              # nginx will try to redirect https://blog.chn.moe/docs to https://blog.chn.moe:3068/docs/ in default
+              # this make it redirect to /docs/ without hostname
+              absolute_redirect off;
+              # allow realip module to set ip
+              set_real_ip_from 0.0.0.0/0;
+              real_ip_header proxy_protocol;
             '';
             proxyTimeout = "1d";
             recommendedZstdSettings = true;
@@ -333,7 +339,7 @@ inputs:
           let
             ipset = "${inputs.pkgs.ipset}/bin/ipset";
             iptables = "${inputs.pkgs.iptables}/bin/iptables";
-            ip = "${inputs.pkgs.iproute}/bin/ip";
+            ip = "${inputs.pkgs.iproute2}/bin/ip";
             start = inputs.pkgs.writeShellScript "nginx-proxy.start"
             (
               ''

modules/services/nixseperatedebuginfo.nix

@@ -3,17 +3,18 @@ inputs:
   options.nixos.services.nixseparatedebuginfo = let inherit (inputs.lib) mkOption types; in mkOption
   {
     type = types.nullOr (types.submodule {});
-    default = if inputs.config.nixos.system.gui.enable then {} else null;
+    default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
   };
   config =
     let inherit (inputs.config.nixos.services) nixseparatedebuginfo; in inputs.lib.mkIf (nixseparatedebuginfo != {})
     {
       services.nixseparatedebuginfod.enable = true;
-      environment.persistence =
-        let inherit (inputs.config.nixos.system) impermanence; in inputs.lib.mkIf impermanence.enable
-        {
-          "${impermanence.nodatacow}".directories = let user = "nixseparatedebuginfod"; in
-          [{ directory = "/var/cache/nixseparatedebuginfod"; inherit user; group = user; mode = "0755"; }];
-        };
+      environment.persistence."/nix/nodatacow".directories =
+      [{
+        directory = "/var/cache/nixseparatedebuginfod";
+        user = "nixseparatedebuginfod";
+        group = "nixseparatedebuginfod";
+        mode = "0755";
+      }];
     };
 }

modules/services/peertube.nix

@@ -0,0 +1,65 @@
+inputs:
+{
+  options.nixos.services.peertube = let inherit (inputs.lib) mkOption types; in mkOption
+  {
+    type = types.nullOr (types.submodule { options =
+    {
+      hostname = mkOption { type = types.nonEmptyStr; default = "peertube.chn.moe"; };
+    };});
+    default = null;
+  };
+  config = let inherit (inputs.config.nixos.services) peertube; in inputs.lib.mkIf (peertube != null)
+  {
+    services.peertube =
+    {
+      enable = true;
+      localDomain = peertube.hostname;
+      listenHttp = 5046;
+      listenWeb = 443;
+      enableWebHttps = true;
+      serviceEnvironmentFile = inputs.config.sops.templates."peertube/env".path;
+      secrets.secretsFile = inputs.config.sops.secrets."peertube/secrets".path;
+      configureNginx = true;
+      database =
+      {
+        createLocally = true;
+        host = "127.0.0.1";
+        passwordFile = inputs.config.sops.secrets."peertube/postgresql".path;
+      };
+      redis =
+      {
+        host = "127.0.0.1";
+        port = 7599;
+        passwordFile = inputs.config.sops.secrets."redis/peertube".path;
+      };
+      smtp.passwordFile = inputs.config.sops.secrets."peertube/smtp".path;
+      settings.smtp =
+      {
+        host = "mail.chn.moe";
+        username = "bot@chn.moe";
+        from_address = "bot@chn.moe";
+      };
+    };
+    sops =
+    {
+      templates."peertube/env".content =
+      ''
+        PT_INITIAL_ROOT_PASSWORD=${inputs.config.sops.placeholder."peertube/password"}
+      '';
+      secrets =
+      {
+        "peertube/postgresql" = { owner = inputs.config.services.peertube.user; key = "postgresql/peertube"; };
+        "peertube/password" = {};
+        "peertube/secrets".owner = inputs.config.services.peertube.user;
+        "peertube/smtp" = { owner = inputs.config.services.peertube.user; key = "mail/bot"; };
+      };
+    };
+    nixos.services =
+    {
+      nginx = { enable = true; https.${peertube.hostname}.global.configName = peertube.hostname; };
+      postgresql.instances.peertube = {};
+      redis.instances.peertube.port = 7599;
+    };
+    systemd.services.peertube.after = [ "redis-peertube.service" ];
+  };
+}

modules/services/postgresql.nix

@@ -86,11 +86,7 @@ inputs:
     sops.secrets = builtins.listToAttrs (builtins.map
       (db: { name = "postgresql/${db.value.user}"; value.owner = inputs.config.users.users.postgres.name; })
       (builtins.filter (db: db.value.passwordFile == null) (inputs.localLib.attrsToList postgresql.instances)));
-    environment.persistence =
-      let inherit (inputs.config.nixos.system) impermanence; in inputs.lib.mkIf impermanence.enable
-      {
-        "${impermanence.nodatacow}".directories = let user = "postgres"; in
-          [{ directory = "/var/lib/postgresql"; inherit user; group = user; mode = "0750"; }];
-      };
+    environment.persistence."/nix/nodatacow".directories =
+      [{ directory = "/var/lib/postgresql"; user = "postgres"; group = "postgres"; mode = "0750"; }];
   };
 }

modules/services/samba.nix

@@ -33,18 +33,7 @@ inputs:
           enable = true;
           # TCP 139 445 UDP 137 138
           openFirewall = !samba.private;
-          securityType = "user";
-          extraConfig =
-          ''
-            workgroup = WORKGROUP
-            server string = Samba Server
-            server role = standalone server
-            hosts allow = ${samba.hostsAllowed}
-            dns proxy = no
-          '';
-          #  obey pam restrictions = yes
-          #  encrypt passwords = no
-          shares = listToAttrs (map
+          settings = listToAttrs (map
             (share:
             {
               name = share.name;
@@ -60,7 +49,8 @@ inputs:
                 "force directory mode" = "2755";
               };
             })
-            (attrsToList samba.shares));
+            (attrsToList samba.shares))
+            // { global."hosts allow" = "${samba.hostsAllowed}"; };
         };
       };
       nixos.services.xray.client.v2ray-forwarder =

modules/services/slurm.nix

@@ -4,7 +4,7 @@ inputs:
   {
     enable = mkOption { type = types.bool; default = false; };
     # 本机是否为控制节点，如果不是，填写控制节点的主机名
-    master = mkOption { type = types.nonEmptyStr; default = inputs.config.nixos.system.networking.hostname; };
+    master = mkOption { type = types.nonEmptyStr; default = inputs.config.nixos.model.hostname; };
     node = mkOption { type = types.attrsOf (types.submodule (submoduleInputs: { options =
     {
       # slurm 中使用的节点名称
@@ -27,7 +27,7 @@ inputs:
     {
       cpuMpiThreads = mkOption { type = types.ints.unsigned; default = 1; };
       cpuOpenmpThreads = mkOption { type = types.ints.unsigned; default = 1; };
-      gpus = mkOption { type = types.nullOr (types.attrsOf types.ints.unsigned); default = null; };
+      gpus = mkOption { type = types.nullOr (types.listOf types.nonEmptyStr); default = null; };
     };
     # 是否打开防火墙相应端口，对于多节点部署需要打开
     setupFirewall = mkOption { type = types.bool; default = false; };
@@ -52,6 +52,15 @@ inputs:
                 buildInputs = prev.buildInputs or [] ++ additionalInputs;
                 LDFLAGS = prev.LDFLAGS or [] ++ additionalFlags;
                 nativeBuildInputs = prev.nativeBuildInputs ++ [ inputs.pkgs.wrapGAppsHook ];
+                postInstall =
+                ''
+                  pushd contribs/pmi2
+                  make install
+                  popd
+                  pushd contribs/pmi
+                  make install
+                  popd
+                '' + prev.postInstall;
               }
             );
           client.enable = true;
@@ -113,9 +122,12 @@ inputs:
 
             # automatically resume node after drain
             ReturnToService=2
+
+            # enable task plugins
+            TaskPlugin=task/affinity,task/cgroup
           '';
           extraConfigPaths =
-            let gpus = slurm.node.${inputs.config.nixos.system.networking.hostname}.gpus or null;
+            let gpus = slurm.node.${inputs.config.nixos.model.hostname}.gpus or null;
             in inputs.lib.mkIf (gpus != null)
             (
               let gpuString = builtins.concatStringsSep "\n" (builtins.map
@@ -129,7 +141,7 @@ inputs:
       systemd =
       {
         services.slurmd.environment =
-          let gpus = slurm.node.${inputs.config.nixos.system.networking.hostname}.gpus or null;
+          let gpus = slurm.node.${inputs.config.nixos.model.hostname}.gpus or null;
           in inputs.lib.mkIf (gpus != null)
           {
             CUDA_PATH = "${inputs.pkgs.cudatoolkit}";
@@ -147,7 +159,7 @@ inputs:
         in { allowedTCPPorts = config; allowedUDPPorts = config; };
     }
     # master 配置
-    (inputs.lib.mkIf (slurm.master == inputs.config.nixos.system.networking.hostname)
+    (inputs.lib.mkIf (slurm.master == inputs.config.nixos.model.hostname)
     {
       services.slurm =
       {

modules/services/synapse.nix

@@ -8,18 +8,12 @@ inputs:
       autoStart = mkOption { type = types.bool; default = true; };
       port = mkOption { type = types.ints.unsigned; default = 8008; };
       redisPort = mkOption { type = types.ints.unsigned; default = 6379; };
-      slidingSyncPort = mkOption { type = types.ints.unsigned; default = 9000; };
       hostname = mkOption
       {
         type = types.nonEmptyStr;
         default = "${submoduleInputs.config._module.args.name}.chn.moe";
       };
       matrixHostname = mkOption { type = types.nonEmptyStr; default = "chn.moe"; };
-      slidingSyncHostname = mkOption
-      {
-        type = types.nonEmptyStr;
-        default = "syncv3.${submoduleInputs.config.hostname}";
-      };
       # , synapse_homeserver --config-path homeserver.yaml --generate-config --report-stats=yes --server-name xxx
     };}));
     default = {};
@@ -50,263 +44,203 @@ inputs:
       systemd = mkMerge (map
         (instance: let workdir = "/var/lib/synapse/${instance.name}"; in
         {
-          services =
-          {
-            "synapse-${instance.name}" =
-              let
-                package = inputs.pkgs.matrix-synapse.override
-                  { extras = [ "url-preview" "postgres" "redis" ]; plugins = []; };
-                config = inputs.config.sops.templates."synapse/${instance.name}/config.yaml".path;
-                homeserver = "${package}/bin/synapse_homeserver";
-              in
-              {
-                description = "synapse-${instance.name}";
-                enable = instance.value.autoStart;
-                after = [ "network-online.target" "postgresql.service" ];
-                requires = [ "network-online.target" "postgresql.service" ];
-                wantedBy = [ "multi-user.target" ];
-                serviceConfig =
-                {
-                  ExecStart = "${homeserver} --config-path ${config} --keys-directory ${workdir}";
-                  Type = "notify";
-                  User = "synapse-${instance.name}";
-                  Group = "synapse-${instance.name}";
-                  WorkingDirectory = workdir;
-                  ExecReload = "${inputs.pkgs.util-linux}/bin/kill -HUP $MAINPID";
-                  Restart = "on-failure";
-                  UMask = "0077";
-                  CapabilityBoundingSet = [ "" ];
-
-                  # hardening
-                  LockPersonality = true;
-                  NoNewPrivileges = true;
-                  PrivateDevices = true;
-                  PrivateTmp = true;
-                  PrivateUsers = true;
-                  ProcSubset = "pid";
-                  ProtectClock = true;
-                  ProtectControlGroups = true;
-                  ProtectHome = true;
-                  ProtectHostname = true;
-                  ProtectKernelLogs = true;
-                  ProtectKernelModules = true;
-                  ProtectKernelTunables = true;
-                  ProtectProc = "invisible";
-                  ProtectSystem = "strict";
-                  ReadWritePaths = [ workdir ];
-                  RemoveIPC = true;
-                  RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
-                  RestrictNamespaces = true;
-                  RestrictRealtime = true;
-                  RestrictSUIDSGID = true;
-                  SystemCallArchitectures = "native";
-                  SystemCallFilter = [ "@system-service" "~@resources" "~@privileged" ];
-                };
-              };
-            "synapse-sliding-sync-${instance.name}" =
+          services."synapse-${instance.name}" =
+            let
+              package = inputs.pkgs.matrix-synapse.override
+                { extras = [ "url-preview" "postgres" "redis" ]; plugins = []; };
+              config = inputs.config.sops.templates."synapse/${instance.name}/config.yaml".path;
+              homeserver = "${package}/bin/synapse_homeserver";
+            in
             {
-              after = [ "synapse-${instance.name}.service" ];
-              wants = [ "synapse-${instance.name}.service" ];
+              description = "synapse-${instance.name}";
+              enable = instance.value.autoStart;
+              after = [ "network-online.target" "postgresql.service" ];
+              requires = [ "network-online.target" "postgresql.service" ];
               wantedBy = [ "multi-user.target" ];
               serviceConfig =
               {
+                ExecStart = "${homeserver} --config-path ${config} --keys-directory ${workdir}";
+                Type = "notify";
                 User = "synapse-${instance.name}";
                 Group = "synapse-${instance.name}";
-                EnvironmentFile = inputs.config.sops.templates."synapse/${instance.name}-sliding-sync/env".path;
-                ExecStart = inputs.lib.getExe inputs.pkgs.matrix-sliding-sync;
-                WorkingDirectory = workdir + "-sliding-sync";
+                WorkingDirectory = workdir;
+                ExecReload = "${inputs.pkgs.util-linux}/bin/kill -HUP $MAINPID";
                 Restart = "on-failure";
-                RestartSec = "1s";
+                UMask = "0077";
+                CapabilityBoundingSet = [ "" ];
+
+                # hardening
+                LockPersonality = true;
+                NoNewPrivileges = true;
+                PrivateDevices = true;
+                PrivateTmp = true;
+                PrivateUsers = true;
+                ProcSubset = "pid";
+                ProtectClock = true;
+                ProtectControlGroups = true;
+                ProtectHome = true;
+                ProtectHostname = true;
+                ProtectKernelLogs = true;
+                ProtectKernelModules = true;
+                ProtectKernelTunables = true;
+                ProtectProc = "invisible";
+                ProtectSystem = "strict";
+                ReadWritePaths = [ workdir ];
+                RemoveIPC = true;
+                RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
+                RestrictNamespaces = true;
+                RestrictRealtime = true;
+                RestrictSUIDSGID = true;
+                SystemCallArchitectures = "native";
+                SystemCallFilter = [ "@system-service" "~@resources" "~@privileged" ];
               };
             };
-          };
           tmpfiles.rules =
           [
             "d /var/lib/synapse 0755 root root"
             "d ${workdir} 0700 synapse-${instance.name} synapse-${instance.name}"
             "Z ${workdir} - synapse-${instance.name} synapse-${instance.name}"
-            "d ${workdir}-sliding-sync 0700 synapse-${instance.name} synapse-${instance.name}"
-            "Z ${workdir}-sliding-sync - synapse-${instance.name} synapse-${instance.name}"
           ];
         })
         (attrsToList synapse.instances));
       sops = mkMerge (map
         (instance:
         {
-          templates =
+          templates."synapse/${instance.name}/config.yaml" =
           {
-            "synapse/${instance.name}/config.yaml" =
-            {
-              owner = "synapse-${instance.name}";
-              group = "synapse-${instance.name}";
-              content =
-                let
-                  inherit (inputs.config.sops) placeholder;
-                in builtins.readFile ((inputs.pkgs.formats.yaml {}).generate "${instance.name}.yaml"
+            owner = "synapse-${instance.name}";
+            group = "synapse-${instance.name}";
+            content =
+              let
+                inherit (inputs.config.sops) placeholder;
+              in builtins.readFile ((inputs.pkgs.formats.yaml {}).generate "${instance.name}.yaml"
+              {
+                server_name = instance.value.matrixHostname;
+                public_baseurl = "https://${instance.value.hostname}/";
+                listeners =
+                [{
+                  bind_addresses = [ "127.0.0.1" ];
+                  inherit (instance.value) port;
+                  resources = [{ names = [ "client" "federation" ]; compress = false; }];
+                  tls = false;
+                  type = "http";
+                  x_forwarded = true;
+                }];
+                database =
                 {
-                  server_name = instance.value.matrixHostname;
-                  public_baseurl = "https://${instance.value.hostname}/";
-                  listeners =
-                  [{
-                    bind_addresses = [ "127.0.0.1" ];
-                    inherit (instance.value) port;
-                    resources = [{ names = [ "client" "federation" ]; compress = false; }];
-                    tls = false;
-                    type = "http";
-                    x_forwarded = true;
-                  }];
-                  database =
+                  name = "psycopg2";
+                  args =
                   {
-                    name = "psycopg2";
-                    args =
-                    {
-                      user = "synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}";
-                      password = placeholder."postgresql/synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}";
-                      database = "synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}";
-                      host = "127.0.0.1";
-                      port = "5432";
-                    };
-                    allow_unsafe_locale = true;
+                    user = "synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}";
+                    password = placeholder."postgresql/synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}";
+                    database = "synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}";
+                    host = "127.0.0.1";
+                    port = "5432";
                   };
-                  redis =
-                  {
-                    enabled = true;
-                    port = instance.value.redisPort;
-                    password = placeholder."redis/synapse-${instance.name}";
-                  };
-                  turn_shared_secret = placeholder."synapse/${instance.name}/coturn";
-                  registration_shared_secret = placeholder."synapse/${instance.name}/registration";
-                  macaroon_secret_key = placeholder."synapse/${instance.name}/macaroon";
-                  form_secret = placeholder."synapse/${instance.name}/form";
-                  signing_key_path = inputs.config.sops.secrets."synapse/${instance.name}/signing-key".path;
-                  email =
-                  {
-                    smtp_host = "mail.chn.moe";
-                    smtp_port = 25;
-                    smtp_user = "bot@chn.moe";
-                    smtp_pass = placeholder."mail/bot";
-                    require_transport_security = true;
-                    notif_from = "Your Friendly %(app)s homeserver <bot@chn.moe>";
-                    app_name = "Haonan Chen's synapse";
-                  };
-                  admin_contact = "mailto:chn@chn.moe";
-                  enable_registration = true;
-                  registrations_require_3pid = [ "email" ];
-                  registration_requires_token = true;
-                  turn_uris = [ "turns:coturn.chn.moe" "turn:coturn.chn.moe" ];
-                  max_upload_size = "1024M";
-                  web_client_location = "https://element.chn.moe/";
-                  extra_well_known_client_content."org.matrix.msc3575.proxy".url =
-                    "https://${instance.value.slidingSyncHostname}";
-                  report_stats = true;
-                  trusted_key_servers =
-                  [{
-                    server_name = "matrix.org";
-                    verify_keys."ed25519:auto" = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw";
-                  }];
-                  suppress_key_server_warning = true;
-                  log_config = (inputs.pkgs.formats.yaml {}).generate "log.yaml"
-                  {
-                    version = 1;
-                    formatters.precise.format =
-                      "%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s";
-                    handlers.console = { class = "logging.StreamHandler"; formatter = "precise"; };
-                    root = { level = "INFO"; handlers = [ "console" ]; };
-                    disable_existing_loggers = true;
-                  };
-                  pid_file = "/run/synapse-${instance.name}.pid";
-                  media_store_path = "/var/lib/synapse/${instance.name}/media_store";
-                  presence.enabled = true;
-                  url_preview_enabled = true;
-                  url_preview_ip_range_blacklist =
-                  [
-                    "10.0.0.0/8" "100.64.0.0/10" "127.0.0.0/8" "169.254.0.0/16" "172.16.0.0/12" "192.0.0.0/24"
-                    "192.0.2.0/24" "192.168.0.0/16" "192.88.99.0/24" "198.18.0.0/15" "198.51.100.0/24" "2001:db8::/32"
-                    "203.0.113.0/24" "224.0.0.0/4" "::1/128" "fc00::/7" "fe80::/10" "fec0::/10" "ff00::/8"
-                  ];
-                  max_image_pixels = "32M";
-                  dynamic_thumbnails = false;
-                });
-            };
-            "synapse/${instance.name}-sliding-sync/env" =
-            {
-              owner = "synapse-${instance.name}";
-              group = "synapse-${instance.name}";
-              content =
-                let
-                  inherit (inputs.config.sops) placeholder;
-                  pgString = "postgresql://"
-                    + "synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}"
-                    + ":${placeholder."postgresql/synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}"}"
-                    + "@127.0.0.1:5432"
-                    + "/synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}_sliding_sync"
-                    + "?sslmode=disable";
-                in
-                ''
-                  SYNCV3_SERVER=https://${instance.value.hostname}
-                  SYNCV3_DB=${pgString}
-                  SYNCV3_SECRET=${placeholder."synapse/${instance.name}/sliding-sync"}
-                  SYNCV3_BINDADDR=127.0.0.1:${toString instance.value.slidingSyncPort}
-                '';
-            };
+                  allow_unsafe_locale = true;
+                };
+                redis =
+                {
+                  enabled = true;
+                  port = instance.value.redisPort;
+                  password = placeholder."redis/synapse-${instance.name}";
+                };
+                turn_shared_secret = placeholder."synapse/${instance.name}/coturn";
+                registration_shared_secret = placeholder."synapse/${instance.name}/registration";
+                macaroon_secret_key = placeholder."synapse/${instance.name}/macaroon";
+                form_secret = placeholder."synapse/${instance.name}/form";
+                signing_key_path = inputs.config.sops.secrets."synapse/${instance.name}/signing-key".path;
+                email =
+                {
+                  smtp_host = "mail.chn.moe";
+                  smtp_port = 25;
+                  smtp_user = "bot@chn.moe";
+                  smtp_pass = placeholder."mail/bot";
+                  require_transport_security = true;
+                  notif_from = "Your Friendly %(app)s homeserver <bot@chn.moe>";
+                  app_name = "Haonan Chen's synapse";
+                };
+                admin_contact = "mailto:chn@chn.moe";
+                enable_registration = true;
+                registrations_require_3pid = [ "email" ];
+                registration_requires_token = true;
+                turn_uris = [ "turns:coturn.chn.moe" "turn:coturn.chn.moe" ];
+                max_upload_size = "1024M";
+                web_client_location = "https://element.chn.moe/";
+                report_stats = true;
+                trusted_key_servers =
+                [{
+                  server_name = "matrix.org";
+                  verify_keys."ed25519:auto" = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw";
+                }];
+                suppress_key_server_warning = true;
+                log_config = (inputs.pkgs.formats.yaml {}).generate "log.yaml"
+                {
+                  version = 1;
+                  formatters.precise.format =
+                    "%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s";
+                  handlers.console = { class = "logging.StreamHandler"; formatter = "precise"; };
+                  root = { level = "INFO"; handlers = [ "console" ]; };
+                  disable_existing_loggers = true;
+                };
+                pid_file = "/run/synapse-${instance.name}.pid";
+                media_store_path = "/var/lib/synapse/${instance.name}/media_store";
+                presence.enabled = true;
+                url_preview_enabled = true;
+                url_preview_ip_range_blacklist =
+                [
+                  "10.0.0.0/8" "100.64.0.0/10" "127.0.0.0/8" "169.254.0.0/16" "172.16.0.0/12" "192.0.0.0/24"
+                  "192.0.2.0/24" "192.168.0.0/16" "192.88.99.0/24" "198.18.0.0/15" "198.51.100.0/24" "2001:db8::/32"
+                  "203.0.113.0/24" "224.0.0.0/4" "::1/128" "fc00::/7" "fe80::/10" "fec0::/10" "ff00::/8"
+                ];
+                max_image_pixels = "32M";
+                dynamic_thumbnails = false;
+              });
           };
           secrets = (listToAttrs (map
             (secret: { name = "synapse/${instance.name}/${secret}"; value = {}; })
-            [ "coturn" "registration" "macaroon" "form" "sliding-sync" ]))
+            [ "coturn" "registration" "macaroon" "form" ]))
             // { "synapse/${instance.name}/signing-key".owner = "synapse-${instance.name}"; }
             // { "mail/bot" = {}; };
         })
         (attrsToList synapse.instances));
       nixos.services =
       {
-        postgresql.instances = listToAttrs (concatLists (map
+        postgresql.instances = listToAttrs (map
           (instance:
-          [
-            {
-              name = "synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}";
-              value.initializeFlags = { TEMPLATE = "template0"; LC_CTYPE = "C"; LC_COLLATE = "C"; };
-            }
-            {
-              name = "synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}_sliding_sync";
-              value.user = "synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}";
-            }
-          ])
-          (attrsToList synapse.instances)));
+          {
+            name = "synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}";
+            value.initializeFlags = { TEMPLATE = "template0"; LC_CTYPE = "C"; LC_COLLATE = "C"; };
+          })
+          (attrsToList synapse.instances));
         redis.instances = listToAttrs (map
           (instance: { name = "synapse-${instance.name}"; value.port = instance.value.redisPort; })
           (attrsToList synapse.instances));
         nginx =
         {
           enable = mkIf (synapse.instances != {}) true;
-          https = listToAttrs (concatLists (map
+          https = listToAttrs (map
             (instance: with instance.value;
-            [
+            {
+              name = hostname;
+              value.location =
               {
-                name = hostname;
-                value.location =
+                "/".proxy = { upstream = "http://127.0.0.1:${toString port}"; websocket = true; };
+                "/.well-known/matrix/server".static =
                 {
-                  "/".proxy = { upstream = "http://127.0.0.1:${toString port}"; websocket = true; };
-                  "/.well-known/matrix/server".static =
+                  root = builtins.toString (inputs.pkgs.writeTextFile
                   {
-                    root = builtins.toString (inputs.pkgs.writeTextFile
+                    name = "server";
+                    text = builtins.toJSON
                     {
-                      name = "server";
-                      text = builtins.toJSON
-                      {
-                        "m.server" = "${hostname}:443";
-                      };
-                      destination = "/.well-known/matrix/server";
-                    });
-                  };
+                      "m.server" = "${hostname}:443";
+                    };
+                    destination = "/.well-known/matrix/server";
+                  });
                 };
-              }
-              {
-                name = slidingSyncHostname;
-                value.location."/".proxy =
-                  { upstream = "http://127.0.0.1:${toString slidingSyncPort}"; websocket = true; };
-              }
-            ])
-            (attrsToList synapse.instances)));
+              };
+            })
+            (attrsToList synapse.instances));
         };
       };
     };

modules/services/vikunja.nix

@@ -1,48 +0,0 @@
-inputs:
-{
-  options.nixos.services.vikunja = let inherit (inputs.lib) mkOption types; in
-  {
-    enable = mkOption { type = types.bool; default = false; };
-    autoStart = mkOption { type = types.bool; default = true; };
-    port = mkOption { type = types.ints.unsigned; default = 3456; };
-    hostname = mkOption { type = types.nonEmptyStr; default = "vikunja.chn.moe"; };
-  };
-  config = let inherit (inputs.config.nixos.services) vikunja; in inputs.lib.mkIf vikunja.enable
-  {
-    services.vikunja =
-    {
-      enable = true;
-      environmentFiles = [ inputs.config.sops.templates."vikunja.env".path ];
-      settings =
-      {
-        service.timezone = "Asia/Shanghai";
-        mailer = { enable = true; host = "mail.chn.moe"; username = "bot@chn.moe"; fromemail = "bot@chn.moe"; };
-        defaultsettings.discoverable_by_email = true;
-      };
-      inherit (vikunja) port;
-      frontendScheme = "https";
-      frontendHostname = vikunja.hostname;
-      database.type = "postgres";
-    };
-    sops =
-    {
-      templates."vikunja.env".content = let placeholder = inputs.config.sops.placeholder; in
-      ''
-        VIKUNJA_SERVICE_JWTSECRET=${placeholder."vikunja/jwtsecret"}
-        VIKUNJA_DATABASE_PASSWORD=${placeholder."postgresql/vikunja"}
-        VIKUNJA_MAILER_PASSWORD=${placeholder."mail/bot"}
-      '';
-      secrets = { "vikunja/jwtsecret" = {}; "mail/bot" = {}; };
-    };
-    systemd.services.vikunja-api.enable = vikunja.autoStart;
-    nixos.services =
-    {
-      postgresql.instances.vikunja = {};
-      nginx =
-      {
-        enable = true;
-        https.${vikunja.hostname}.location."/".proxy.upstream = "http://127.0.0.1:${builtins.toString vikunja.port}";
-      };
-    };
-  };
-}

modules/services/wechat2tg.nix

@@ -0,0 +1,48 @@
+inputs:
+{
+  options.nixos.services.wechat2tg = let inherit (inputs.lib) mkOption types; in mkOption
+    { type = types.nullOr (types.submodule {}); default = null; };
+  config = let inherit (inputs.config.nixos.services) wechat2tg; in inputs.lib.mkIf (wechat2tg != null)
+  {
+    virtualisation.oci-containers.containers.wechat2tg =
+    {
+      image = "finalpi/wechat2tg:v1.3.3";
+      imageFile = inputs.pkgs.dockerTools.pullImage
+      {
+        imageName = "finalpi/wechat2tg";
+        imageDigest = "sha256:48e3aff3f501847f063318b41ca34af7d83278847d2eee40d7ffbf439ee4c194";
+        sha256 = "04hq577d981mdfz0xwklhj9ifgnpbv91d6zkf37awfrbsiqfkrr6";
+        finalImageName = "finalpi/wechat2tg";
+        finalImageTag = "v1.3.3";
+      };
+      volumes = [ "wechat2tg-config:/app/storage" "wechat2tg-files:/app/save-files" ];
+      environmentFiles = [ inputs.config.sops.templates."wechat2tg/env".path ];
+    };
+    sops =
+    {
+      templates."wechat2tg/env".content = let placeholder = inputs.config.sops.placeholder; in
+      ''
+        BOT_TOKEN=${placeholder."wechat2tg/token"}
+        # PROXY_HOST: ""
+        # PROXY_PORT: ""
+        # Proxy type: socks5, http, https
+        # PROXY_PROTOCOL: 'socks5'
+        # Optional username and password
+        # PROXY_USERNAME: ""
+        # PROXY_PASSWORD: ""
+        # API_ID: ""
+        # API_HASH: ""
+        ROOM_MESSAGE='<i>🌐#[topic]</i> ---- <b>👤#[(alias)] #[name]: </b>'
+        OFFICIAL_MESSAGE='<b>📣#[name]: </b>'
+        CONTACT_MESSAGE='<b>👤#[alias_first]: </b>'
+        ROOM_MESSAGE_GROUP='<b>👤#[(alias)] #[name]: </b>'
+        OFFICIAL_MESSAGE_GROUP='<b>📣#[name]: </b>'
+        CONTACT_MESSAGE_GROUP='<b>👤#[alias_first]: </b>'
+        CREATE_ROOM_NAME='#[topic]'
+        CREATE_CONTACT_NAME='#[alias]#[[name]]'
+        MESSAGE_DISPLAY='#[identity]#[br]#[body]'
+      '';
+      secrets."wechat2tg/token" = {};
+    };
+  };
+}

modules/services/wireguard.nix

@@ -41,6 +41,7 @@ inputs:
           firewall =
           {
             allowedUDPPorts = inputs.lib.mkIf (!wireguard.behindNat) [ wireguard.listenPort ];
+            trustedInterfaces = [ "wireguard" ];
           };
           wireguard.interfaces.wireguard =
           {

modules/services/writefreely.nix

@@ -1,38 +0,0 @@
-inputs:
-{
-  options.nixos.services.writefreely = let inherit (inputs.lib) mkOption types; in mkOption
-  {
-    type = types.nullOr (types.submodule (submoduleInputs: { options =
-    {
-      hostname = mkOption { type = types.nonEmptyStr; default = "write.chn.moe"; };
-    };}));
-    default = null;
-  };
-  config = let inherit (inputs.config.nixos.services) writefreely; in inputs.lib.mkIf (writefreely != null)
-  {
-    services.writefreely =
-    {
-      enable = true;
-      settings = { server.port = 7264; app = { host = "https://${writefreely.hostname}"; federation = true; }; };
-      host = writefreely.hostname;
-      database = { type = "mysql"; passwordFile = inputs.config.sops.secrets."writefreely/mariadb".path; };
-      admin = { name = "chn"; initialPasswordFile = inputs.config.sops.secrets."writefreely/chn".path; };
-    };
-    systemd.services = { writefreely.after = [ "mysql.service" ]; writefreely-mysql-init.after = [ "mysql.service" ]; };
-    sops.secrets =
-    {
-      "writefreely/chn".owner = "writefreely";
-      "writefreely/mariadb" = { owner = "writefreely"; key = "mariadb/writefreely"; };
-    };
-    nixos.services =
-    {
-      mariadb.instances.writefreely = {};
-      nginx =
-      {
-        enable = true;
-        https.${writefreely.hostname}.location."/".proxy.upstream =
-          "http://127.0.0.1:${builtins.toString inputs.config.services.writefreely.settings.server.port}";
-      };
-    };
-  };
-}

modules/services/xray.nix

@@ -56,8 +56,6 @@ inputs:
           {
             enable = true;
             settingsFile = inputs.config.sops.templates."xray-client.json".path;
-            package = inputs.pkgs.xray.overrideAttrs
-              (prev: { patches = prev.patches or [] ++ [ ./disable-splice.patch ];});
           };
           dnsmasq =
           {
@@ -235,7 +233,7 @@ inputs:
               let
                 ipset = "${inputs.pkgs.ipset}/bin/ipset";
                 iptables = "${inputs.pkgs.iptables}/bin/iptables";
-                ip = "${inputs.pkgs.iproute}/bin/ip";
+                ip = "${inputs.pkgs.iproute2}/bin/ip";
                 autoPort = "10880";
                 xmuPort = "10881";
                 proxyPort = "10883";
@@ -347,8 +345,6 @@ inputs:
         {
           enable = true;
           settingsFile = inputs.config.sops.templates."xray-server.json".path;
-          package = inputs.pkgs.xray.overrideAttrs
-            (prev: { patches = prev.patches or [] ++ [ ./disable-splice.patch ];});
         };
         sops =
         {
@@ -497,7 +493,7 @@ inputs:
                   chat = inputs.config.sops.secrets."telegram/chat".path;
                 in
                 ''
-                  message='${inputs.config.nixos.system.networking.hostname} xray:\n'
+                  message='${inputs.config.nixos.model.hostname} xray:\n'
                   for i in {0..${toString ((builtins.length userList) - 1)}}
                   do
                     upload_bytes=$(${xray} api stats --server=127.0.0.1:6149 \

modules/services/xray/disable-splice.patch

@@ -1,14 +0,0 @@
-diff --git a/proxy/proxy.go b/proxy/proxy.go
-index db92051..54d36b4 100644
---- a/proxy/proxy.go
-+++ b/proxy/proxy.go
-@@ -504,7 +504,8 @@ func CopyRawConnIfExist(ctx context.Context, readerConn net.Conn, writerConn net
- 				splice = false
- 			}
- 		}
--		if splice {
-+		_ = splice
-+		if false {
- 			newError("CopyRawConn splice").WriteToLog(session.ExportIDToError(ctx))
- 			statWriter, _ := writer.(*dispatcher.SizeStatWriter)
- 			//runtime.Gosched() // necessary

modules/system/binfmt.nix

@@ -1,8 +1,6 @@
 inputs:
 {
-  options.nixos.system.binfmt = let inherit (inputs.lib) mkOption types; in mkOption
-    { type = types.nullOr (types.submodule {}); default = {}; };
-  config = let inherit (inputs.config.nixos.system) binfmt; in inputs.lib.mkIf (binfmt != null)
+  config =
   {
     programs.java = { enable = true; binfmt = true; };
     boot.binfmt.emulatedSystems = [ "aarch64-linux" "x86_64-windows" ];

modules/system/cluster.nix

@@ -1,21 +0,0 @@
-inputs:
-{
-  options.nixos.system.cluster = let inherit (inputs.lib) mkOption types; in mkOption
-  {
-    type = types.nullOr (types.submodule { options =
-    {
-      clusterName = mkOption { type = types.nonEmptyStr; };
-      nodeName = mkOption { type = types.nonEmptyStr; };
-      nodeType = mkOption { type = types.enum [ "master" "worker" ]; default = "worker"; };
-    };});
-    default = null;
-  };
-  config = let inherit (inputs.config.nixos.system) cluster; in inputs.lib.mkIf (cluster != null)
-  {
-    nixos.system.networking.hostname = "${cluster.clusterName}-${cluster.nodeName}";
-    # 作为从机时，home-manager 需要被禁用
-    systemd.services = inputs.lib.mkIf (cluster.nodeType == "worker") (builtins.listToAttrs (builtins.map
-      (user: { name = "home-manager-${user}"; value.enable = false; })
-      inputs.config.nixos.user.users));
-  };
-}

modules/system/default.nix

@@ -17,7 +17,7 @@ inputs:
       supportedFilesystems = [ "ntfs" "nfs" "nfsv4" ];
       # consoleLogLevel = 7;
     };
-    hardware.enableAllFirmware = true;
+    hardware = { enableAllFirmware = true; bluetooth.enable = true; sensor.iio.enable = true; };
     environment =
     {
       sessionVariables = rec