Merge branch 'production' into blas

This reverts commit 54bfa1c8ac.

.gitattributes

@@ -0,0 +1,2 @@
+*.png filter=lfs diff=lfs merge=lfs -text
+*.icm filter=lfs diff=lfs merge=lfs -text

.sops.yaml

@@ -3,45 +3,37 @@ keys: # cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
   - &pc age1ffvr5pqd2lfj24e3fh53s92z6h76fda3du4y4k6r3yjumdwvpfgqzj033a
   - &vps6 age164tyqklwhdm57tfm5u863mdt2xrzrrzac4py8a0j9y6kzqcjy9zsp073t6
   - &vps7 age137x7csalutwvfygvvzpemlsywvdxj3j4z93a50z2sjx03w6zau8q3r5902
-  - &yoga age1qrea4twxdhd7fnvlq5v45528c90qy6hp2wa55kghsxzgut6n6fxs7w6u42
-  - &pe age1cahahn9hp265dkhduaec65vugk8fct2vt9ur6y54m4mgmyx4v4fq0etjhv
+  - &surface age1ck5vzs0xqx0jplmuksrkh45xwmkm2t05m2wyq5k2w2mnkmn79fxs6tvl3l
   - &nas age19lhcwk37jmvn6z0v4dpdfh0k4u23f76twdjknc0p7atktf37rd7s4t4wj3
+  - &xmupc1 age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
 creation_rules:
-  - path_regex: secrets/pc\.yaml$
+  - path_regex: secrets/pc/.*$
     key_groups:
     - age:
       - *chn
       - *pc
-  - path_regex: secrets/vps6\.yaml$
+  - path_regex: secrets/vps6/.*$
     key_groups:
     - age:
       - *chn
       - *vps6
-  - path_regex: secrets/vps4\.yaml$
-    key_groups:
-    - age:
-      - *chn
-  - path_regex: secrets/vps7\.yaml$
+  - path_regex: secrets/vps7/.*$
     key_groups:
     - age:
       - *chn
       - *vps7
-  - path_regex: secrets/nas\.yaml$
+  - path_regex: secrets/nas/.*$
     key_groups:
     - age:
       - *chn
       - *nas
-  - path_regex: secrets/xmupc1\.yaml$
+  - path_regex: secrets/surface/.*$
     key_groups:
     - age:
       - *chn
-  - path_regex: secrets/yoga\.yaml$
+      - *surface
+  - path_regex: secrets/xmupc1/.*$
     key_groups:
     - age:
       - *chn
-      - *yoga
-  - path_regex: secrets/pe\.yaml$
-    key_groups:
-    - age:
-      - *chn
-      - *pe
+      - *xmupc1

devices/nas/default.nix

@@ -0,0 +1,101 @@
+inputs:
+{
+  config =
+  {
+    nixos =
+    {
+      system =
+      {
+        fileSystems =
+        {
+          mount =
+          {
+            vfat."/dev/disk/by-uuid/13BC-F0C9" = "/boot/efi";
+            btrfs =
+            {
+              "/dev/disk/by-uuid/0e184f3b-af6c-4f5d-926a-2559f2dc3063"."/boot" = "/boot";
+              "/dev/mapper/nix"."/nix" = "/nix";
+              "/dev/mapper/root1" =
+              {
+                "/nix/rootfs" = "/nix/rootfs";
+                "/nix/persistent" = "/nix/persistent";
+                "/nix/nodatacow" = "/nix/nodatacow";
+                "/nix/rootfs/current" = "/";
+                "/nix/backup" = "/nix/backup";
+              };
+            };
+          };
+          decrypt.manual =
+          {
+            enable = true;
+            devices =
+            {
+              "/dev/disk/by-uuid/5cf1d19d-b4a5-4e67-8e10-f63f0d5bb649".mapper = "root1";
+              "/dev/disk/by-uuid/aa684baf-fd8a-459c-99ba-11eb7636cb0d".mapper = "root2";
+              "/dev/disk/by-uuid/a779198f-cce9-4c3d-a64a-9ec45f6f5495" = { mapper = "nix"; ssd = true; };
+            };
+            delayedMount = [ "/" "/nix" ];
+          };
+          swap = [ "/nix/swap/swap" ];
+          rollingRootfs = { device = "/dev/mapper/root1"; path = "/nix/rootfs"; };
+        };
+        initrd.sshd.enable = true;
+        grub.installDevice = "efi";
+        nixpkgs.march = "silvermont";
+        nix.substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
+        kernel.patches = [ "cjktty" ];
+        networking.hostname = "nas";
+        gui.preferred = false;
+      };
+      hardware = { cpus = [ "intel" ]; gpu.type = "intel"; };
+      packages.packageSet = "desktop-fat";
+      services =
+      {
+        snapper.enable = false;
+        fontconfig.enable = true;
+        samba =
+        {
+          enable = true;
+          hostsAllowed = "192.168. 127.";
+          shares = { home.path = "/home"; root.path = "/"; };
+        };
+        sshd = { enable = true; passwordAuthentication = true; };
+        xray.client =
+        {
+          enable = true;
+          serverAddress = "74.211.99.69";
+          serverName = "vps6.xserver.chn.moe";
+          dns.extraInterfaces = [ "docker0" ];
+        };
+        xrdp = { enable = true; hostname = [ "nas.chn.moe" "office.chn.moe" ]; };
+        groupshare.enable = true;
+        smartd.enable = true;
+        beesd =
+        {
+          enable = true;
+          instances =
+          {
+            root = { device = "/"; hashTableSizeMB = 2048; };
+            nix = { device = "/nix"; hashTableSizeMB = 128; };
+          };
+        };
+        frpClient =
+        {
+          enable = true;
+          serverName = "frp.chn.moe";
+          user = "nas";
+          stcp.hpc = { localIp = "hpc.xmu.edu.cn"; localPort = 22; };
+        };
+        nginx = { enable = true; applications.webdav.instances."local.webdav.chn.moe" = {}; };
+        wireguard =
+        {
+          enable = true;
+          peers = [ "vps6" ];
+          publicKey = "xCYRbZEaGloMk7Awr00UR3JcDJy4AzVp4QvGNoyEgFY=";
+          wireguardIp = "192.168.83.4";
+        };
+      };
+      users.users = [ "chn" "xll" "zem" "yjq" "yxy" ];
+    };
+  };
+}

devices/pc/default.nix

@@ -0,0 +1,162 @@
+inputs:
+{
+  config =
+  {
+    nixos =
+    {
+      system =
+      {
+        fileSystems =
+        {
+          mount =
+          {
+            vfat."/dev/disk/by-uuid/3F57-0EBE" = "/boot/efi";
+            btrfs =
+            {
+              "/dev/disk/by-uuid/02e426ec-cfa2-4a18-b3a5-57ef04d66614"."/" = "/boot";
+              "/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
+            };
+          };
+          decrypt.auto =
+          {
+            "/dev/disk/by-uuid/55fdd19f-0f1d-4c37-bd4e-6df44fc31f26" = { mapper = "root"; ssd = true; };
+            "/dev/disk/by-uuid/4be45329-a054-4c20-8965-8c5b7ee6b35d" =
+              { mapper = "swap"; ssd = true; before = [ "root" ]; };
+          };
+          swap = [ "/dev/mapper/swap" ];
+          resume = "/dev/mapper/swap";
+          rollingRootfs = { device = "/dev/mapper/root"; path = "/nix/rootfs"; };
+        };
+        grub =
+        {
+          # TODO: install windows
+          # windowsEntries = { "7317-1DB6" = "Windows"; "7321-FA9C" = "Windows for malware"; };
+          installDevice = "efi";
+        };
+        nix =
+        {
+          marches =
+          [
+            "znver2" "znver3" "znver4"
+            # FXSR SAHF XSAVE
+            "sandybridge"
+            # FXSR PREFETCHW RDRND SAHF
+            "silvermont"
+            # FXSR HLE LZCNT PREFETCHW RDRND SAHF XSAVE
+            "broadwell"
+            # FXSR HLE LZCNT PREFETCHW RDRND SAHF SGX XSAVE
+            "skylake"
+            # AVX-VNNI CLDEMOTE GFNI-SSE HRESET KL LZCNT MOVDIR64B MOVDIRI PCONFIG PREFETCHW PTWRITE RDRND
+            # SERIALIZE SGX WAITPKG WIDEKL XSAVE XSAVEOPT
+            "alderlake"
+          ];
+        };
+        nixpkgs =
+          { march = "znver4"; cuda = { enable = true; capabilities = [ "8.9" ]; forwardCompat = false; }; };
+        kernel.patches = [ "cjktty" "lantian" "hibernate-progress" ];
+        networking.hostname = "pc";
+        sysctl.laptop-mode = 5;
+      };
+      hardware =
+      {
+        cpus = [ "amd" ];
+        gpu = { type = "amd+nvidia"; prime.busId = { amd = "8:0:0"; nvidia = "1:0:0"; }; };
+        # gpu.type = "amd";
+        bluetooth.enable = true;
+        joystick.enable = true;
+        printer.enable = true;
+        sound.enable = true;
+        legion.enable = true;
+      };
+      packages.packageSet = "workstation";
+      virtualization =
+      {
+        waydroid.enable = true;
+        docker.enable = true;
+        kvmHost = { enable = true; gui = true; autoSuspend = [ "win10" "hardconnect" ]; };
+        nspawn = [ "arch" "ubuntu-22.04" "fedora" ];
+      };
+      services =
+      {
+        snapper.enable = true;
+        fontconfig.enable = true;
+        samba =
+        {
+          enable = true;
+          private = true;
+          hostsAllowed = "192.168. 127.";
+          shares =
+          {
+            media.path = "/run/media/chn";
+            home.path = "/home/chn";
+            mnt.path = "/mnt";
+            share.path = "/home/chn/share";
+          };
+        };
+        sshd.enable = true;
+        xray.client =
+        {
+          enable = true;
+          serverAddress = "74.211.99.69";
+          serverName = "vps6.xserver.chn.moe";
+          dns =
+          {
+            extraInterfaces = [ "docker0" ];
+            hosts =
+            {
+              "mirism.one" = "74.211.99.69";
+              "beta.mirism.one" = "74.211.99.69";
+              "ng01.mirism.one" = "74.211.99.69";
+              "debug.mirism.one" = "127.0.0.1";
+              "initrd.vps6.chn.moe" = "74.211.99.69";
+              "nix-store.chn.moe" = "127.0.0.1";
+              "initrd.nas.chn.moe" = "192.168.1.185";
+            };
+          };
+        };
+        firewall.trustedInterfaces = [ "virbr0" "waydroid0" ];
+        acme = { enable = true; cert."debug.mirism.one" = {}; };
+        frpClient =
+        {
+          enable = true;
+          serverName = "frp.chn.moe";
+          user = "pc";
+          stcpVisitor."yy.vnc".localPort = 6187;
+        };
+        nix-serve = { enable = true; hostname = "nix-store.chn.moe"; };
+        smartd.enable = true;
+        misskey.instances.misskey.hostname = "xn--qbtm095lrg0bfka60z.chn.moe";
+        beesd = { enable = true; instances.root = { device = "/"; hashTableSizeMB = 2048; threads = 4; }; };
+        wireguard =
+        {
+          enable = true;
+          peers = [ "vps6" ];
+          publicKey = "l1gFSDCeBxyf/BipXNvoEvVvLqPgdil84nmr5q6+EEw=";
+          wireguardIp = "192.168.83.3";
+        };
+        gamemode = { enable = true; drmDevice = 1; };
+      };
+      bugs = [ "xmunet" "backlight" "amdpstate" ];
+    };
+    virtualisation.virtualbox.host = { enable = true; enableExtensionPack = true; };
+    home-manager.users.chn.config.programs.plasma.startup.autoStartScript.xcalib.text =
+      "${inputs.pkgs.xcalib}/bin/xcalib -d :0 ${./color/TPLCD_161B_Default.icm}";
+    nixpkgs.overlays = [(final: prev: rec
+    {
+      blas = prev.blas.override { blasProvider = final.amd-blis; };
+      lapack = prev.lapack.override { lapackProvider = final.amd-libflame; };
+    })];
+    services.xserver.displayManager.defaultSession = inputs.lib.mkForce "plasma";
+    powerManagement.resumeCommands =
+    ''
+      ${inputs.pkgs.kmod}/bin/modprobe -r mt7921e
+      ${inputs.pkgs.kmod}/bin/modprobe mt7921e
+    '';
+    specialisation.nvidia.configuration =
+    {
+      system.nixos.tags = [ "discreate-graphic" ];
+      nixos.hardware.gpu.type = inputs.lib.mkForce "nvidia";
+      hardware.nvidia.forceFullCompositionPipeline = true;
+    };
+  };
+}

devices/surface/default.nix

@@ -0,0 +1,66 @@
+inputs:
+{
+  imports = inputs.localLib.mkModules [ inputs.topInputs.nixos-hardware.nixosModules.microsoft-surface-pro-intel ];
+  config =
+  {
+    nixos =
+    {
+      system =
+      {
+        fileSystems =
+        {
+          mount =
+          {
+            vfat."/dev/disk/by-uuid/7179-9C69" = "/boot/efi";
+            btrfs =
+            {
+              "/dev/disk/by-uuid/c6d35075-85fe-4129-aaa8-f436ab85ce43"."/boot" = "/boot";
+              "/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
+            };
+          };
+          decrypt.auto =
+          {
+            "/dev/disk/by-uuid/4f7420f9-ea19-4713-b084-2ac8f0a963ac" = { mapper = "root"; ssd = true; };
+            "/dev/disk/by-uuid/88bd9d44-928b-40a2-8f3d-6dcd257c4601" =
+              { mapper = "swap"; ssd = true; before = [ "root" ]; };
+          };
+          swap = [ "/dev/mapper/swap" ];
+          resume = "/dev/mapper/swap";
+          rollingRootfs = { device = "/dev/mapper/root"; path = "/nix/rootfs"; };
+        };
+        nixpkgs.march = "skylake";
+        grub.installDevice = "efi";
+        nix.substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
+        kernel.patches = [ "cjktty" "lantian" "surface" ];
+        networking.hostname = "surface";
+      };
+      hardware =
+      {
+        cpus = [ "intel" ];
+        gpu.type = "intel";
+        bluetooth.enable = true;
+        joystick.enable = true;
+        printer.enable = true;
+        sound.enable = true;
+      };
+      packages.packageSet = "desktop-fat";
+      virtualization = { docker.enable = true; waydroid.enable = true; };
+      services =
+      {
+        snapper.enable = true;
+        fontconfig.enable = true;
+        sshd.enable = true;
+        xray.client =
+        {
+          enable = true;
+          serverAddress = "74.211.99.69";
+          serverName = "vps6.xserver.chn.moe";
+          dns.extraInterfaces = [ "docker0" ];
+        };
+        firewall.trustedInterfaces = [ "virbr0" ];
+      };
+      bugs = [ "xmunet" ];
+    };
+    environment.systemPackages = with inputs.pkgs; [ maliit-keyboard maliit-framework ];
+  };
+}

devices/vps6/default.nix

@@ -0,0 +1,83 @@
+inputs:
+{
+  config =
+  {
+    nixos =
+    {
+      system =
+      {
+        fileSystems =
+        {
+          mount =
+          {
+            btrfs =
+            {
+              "/dev/disk/by-uuid/24577c0e-d56b-45ba-8b36-95a848228600"."/boot" = "/boot";
+              "/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
+            };
+          };
+          decrypt.manual =
+          {
+            enable = true;
+            devices."/dev/disk/by-uuid/4f8aca22-9ec6-4fad-b21a-fd9d8d0514e8" = { mapper = "root"; ssd = true; };
+            delayedMount = [ "/" ];
+          };
+          swap = [ "/nix/swap/swap" ];
+          rollingRootfs = { device = "/dev/mapper/root"; path = "/nix/rootfs"; };
+        };
+        grub.installDevice = "/dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:0";
+        nixpkgs.march = "sandybridge";
+        nix.substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
+        initrd.sshd.enable = true;
+        networking.hostname = "vps6";
+      };
+      packages.packageSet = "server";
+      services =
+      {
+        snapper.enable = true;
+        sshd.enable = true;
+        xray.server = { enable = true; serverName = "vps6.xserver.chn.moe"; };
+        frpServer = { enable = true; serverName = "frp.chn.moe"; };
+        nginx =
+        {
+          streamProxy.map =
+          {
+            "anchor.fm" = { upstream = "anchor.fm:443"; proxyProtocol = false; };
+            "podcasters.spotify.com" = { upstream = "podcasters.spotify.com:443"; proxyProtocol = false; };
+            "xlog.chn.moe" = { upstream = "cname.xlog.app:443"; proxyProtocol = false; };
+          }
+          // (builtins.listToAttrs (builtins.map
+            (site: { name = "${site}.chn.moe"; value.upstream.address = "wireguard.pc.chn.moe"; })
+            [ "nix-store" "xn--qbtm095lrg0bfka60z" ]))
+          // (builtins.listToAttrs (builtins.map
+            (site: { name = "${site}.chn.moe"; value.upstream.address = "wireguard.vps7.chn.moe"; })
+            [
+              "xn--s8w913fdga" "misskey" "synapse" "syncv3.synapse" "matrix" "syncv3.matrix"
+              "send" "kkmeeting" "api" "git" "grafana"
+            ]));
+          applications =
+          {
+            element.instances."element.chn.moe" = {};
+            synapse-admin.instances."synapse-admin.chn.moe" = {};
+            catalog.enable = true;
+            blog.enable = true;
+            main.enable = true;
+          };
+        };
+        coturn.enable = true;
+        httpua.enable = true;
+        mirism.enable = true;
+        fail2ban.enable = true;
+        wireguard =
+        {
+          enable = true;
+          peers = [ "pc" "nas" "vps7" ];
+          publicKey = "AVOsYUKQQCvo3ctst3vNi8XSVWo1Wh15066aHh+KpF4=";
+          wireguardIp = "192.168.83.1";
+          listenIp = "74.211.99.69";
+          lighthouse = true;
+        };
+      };
+    };
+  };
+}

devices/vps7/default.nix

@@ -0,0 +1,78 @@
+inputs:
+{
+  config =
+  {
+    nixos =
+    {
+      system =
+      {
+        fileSystems =
+        {
+          mount =
+          {
+            btrfs =
+            {
+              "/dev/disk/by-uuid/e36287f7-7321-45fa-ba1e-d126717a65f0"."/boot" = "/boot";
+              "/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
+            };
+          };
+          decrypt.manual =
+          {
+            enable = true;
+            devices."/dev/disk/by-uuid/db48c8de-bcf7-43ae-a977-60c4f390d5c4" = { mapper = "root"; ssd = true; };
+            delayedMount = [ "/" ];
+          };
+          swap = [ "/nix/swap/swap" ];
+          rollingRootfs = { device = "/dev/mapper/root"; path = "/nix/rootfs"; };
+        };
+        grub.installDevice = "/dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:0";
+        nixpkgs.march = "broadwell";
+        nix.substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
+        initrd.sshd.enable = true;
+        networking.hostname = "vps7";
+        gui.preferred = false;
+      };
+      packages.packageSet = "desktop";
+      services =
+      {
+        snapper.enable = true;
+        fontconfig.enable = true;
+        sshd.enable = true;
+        rsshub.enable = true;
+        wallabag.enable = true;
+        misskey.instances =
+        {
+          misskey.hostname = "xn--s8w913fdga.chn.moe";
+          misskey-old = { port = 9727; redis.port = 3546; meilisearch.enable = false; };
+        };
+        synapse.instances =
+        {
+          synapse.matrixHostname = "synapse.chn.moe";
+          matrix = { port = 8009; redisPort = 6380; slidingSyncPort = 9001; };
+        };
+        xrdp = { enable = true; hostname = [ "vps7.chn.moe" ]; };
+        vaultwarden.enable = true;
+        beesd = { enable = true; instances.root = { device = "/"; hashTableSizeMB = 1024; }; };
+        photoprism.enable = true;
+        nextcloud.enable = true;
+        freshrss.enable = true;
+        send.enable = true;
+        huginn.enable = true;
+        fz-new-order.enable = true;
+        nginx.applications = { kkmeeting.enable = true; webdav.instances."webdav.chn.moe" = {}; };
+        httpapi.enable = true;
+        gitea.enable = true;
+        grafana.enable = true;
+        fail2ban.enable = true;
+        wireguard =
+        {
+          enable = true;
+          peers = [ "vps6" ];
+          publicKey = "n056ppNxC9oECcW7wEbALnw8GeW7nrMImtexKWYVUBk=";
+          wireguardIp = "192.168.83.2";
+          listenIp = "95.111.228.40";
+        };
+      };
+    };
+  };
+}

devices/xmupc1/default.nix

@@ -0,0 +1,99 @@
+inputs:
+{
+  config =
+  {
+    nixos =
+    {
+      system =
+      {
+        fileSystems =
+        {
+          mount =
+          {
+            vfat."/dev/disk/by-uuid/3F57-0EBE" = "/boot/efi";
+            btrfs =
+            {
+              "/dev/disk/by-uuid/02e426ec-cfa2-4a18-b3a5-57ef04d66614"."/" = "/boot";
+              "/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
+            };
+          };
+          swap = [ "/dev/mapper/swap" ];
+          resume = "/dev/mapper/swap";
+          rollingRootfs = { device = "/dev/mapper/root"; path = "/nix/rootfs"; };
+        };
+        grub.installDevice = "efi";
+        nixpkgs =
+        {
+          march = "znver3";
+          cuda =
+          {
+            enable = true;
+            capabilities =
+            [
+              # 2080 Ti
+              "7.5"
+              # 3090
+              "8.6"
+              # 4090
+              "8.9"
+            ];
+            forwardCompat = false;
+          };
+        };
+        gui.preferred = false;
+        kernel.patches = [ "cjktty" ];
+        networking.hostname = "xmupc1";
+      };
+      hardware =
+      {
+        cpus = [ "amd" ];
+        # gpus = [ "nvidia" ];
+        bluetooth.enable = true;
+        joystick.enable = true;
+        printer.enable = true;
+        sound.enable = true;
+        # gamemode.drmDevice = 1;
+      };
+      packages.packageSet = "workstation";
+      virtualization = { docker.enable = true; kvmHost = { enable = true; gui = true; }; };
+      services =
+      {
+        snapper.enable = true;
+        fontconfig.enable = true;
+        samba =
+        {
+          enable = true;
+          private = true;
+          hostsAllowed = "192.168. 127.";
+          shares =
+          {
+            media.path = "/run/media/chn";
+            home.path = "/home/chn";
+            mnt.path = "/mnt";
+            share.path = "/home/chn/share";
+          };
+        };
+        sshd.enable = true;
+        xray.client =
+        {
+          enable = true;
+          serverAddress = "74.211.99.69";
+          serverName = "vps6.xserver.chn.moe";
+          dns.extraInterfaces = [ "docker0" ];
+        };
+        firewall.trustedInterfaces = [ "virbr0" "waydroid0" ];
+        acme = { enable = true; cert."debug.mirism.one" = {}; };
+        smartd.enable = true;
+        beesd = { enable = true; instances.root = { device = "/nix/persistent"; hashTableSizeMB = 2048; }; };
+        wireguard =
+        {
+          enable = true;
+          peers = [ "vps6" ];
+          publicKey = "JEY7D4ANfTpevjXNvGDYO6aGwtBGRXsf/iwNwjwDRQk=";
+          wireguardIp = "192.168.83.5";
+        };
+      };
+      bugs = [ "xmunet" "firefox" ];
+    };
+  };
+}

flake.nix

@@ -3,35 +3,69 @@
 
   inputs =
   {
-    nixpkgs.url = "github:CHN-beta/nixpkgs/nixos-23.05";
-    nixpkgs-unstable.url = "github:CHN-beta/nixpkgs/nixos-unstable";
-    home-manager = { url = "github:nix-community/home-manager/release-23.05"; inputs.nixpkgs.follows = "nixpkgs"; };
+    nixpkgs.url = "github:CHN-beta/nixpkgs/nixos-23.11";
+    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
+    nixpkgs-2305.url = "github:CHN-beta/nixpkgs/nixos-23.05";
+    home-manager = { url = "github:nix-community/home-manager/release-23.11"; inputs.nixpkgs.follows = "nixpkgs"; };
     sops-nix =
     {
       url = "github:Mic92/sops-nix";
       inputs = { nixpkgs.follows = "nixpkgs"; nixpkgs-stable.follows = "nixpkgs"; };
     };
-    touchix = { url = "github:CHN-beta/touchix"; inputs.nixpkgs.follows = "nixpkgs"; };
     aagl = { url = "github:ezKEa/aagl-gtk-on-nix"; inputs.nixpkgs.follows = "nixpkgs"; };
-    nix-index-database = { url = "github:Mic92/nix-index-database"; inputs.nixpkgs.follows = "nixpkgs"; };
+    nix-index-database = { url = "github:Mic92/nix-index-database"; inputs.nixpkgs.follows = "nixpkgs-unstable"; };
     nur.url = "github:nix-community/NUR";
     nixos-cn = { url = "github:nixos-cn/flakes"; inputs.nixpkgs.follows = "nixpkgs"; };
     nur-xddxdd = { url = "github:xddxdd/nur-packages"; inputs.nixpkgs.follows = "nixpkgs"; };
-    nix-vscode-extensions =
+    nix-vscode-extensions = { url = "github:nix-community/nix-vscode-extensions"; inputs.nixpkgs.follows = "nixpkgs"; };
+    nix-alien =
     {
-      url = "github:nix-community/nix-vscode-extensions?rev=50c4bce16b93e7ca8565d51fafabc05e9f0515da";
-      inputs.nixpkgs.follows = "nixpkgs";
+      url = "github:thiagokokada/nix-alien";
+      inputs = { nixpkgs.follows = "nixpkgs"; nix-index-database.follows = "nix-index-database"; };
     };
-    nix-alien = { url = "github:thiagokokada/nix-alien"; inputs.nix-index-database.follows = "nix-index-database"; };
     impermanence.url = "github:nix-community/impermanence";
-    qchem = { url = "github:Nix-QChem/NixOS-QChem"; inputs.nixpkgs.follows = "nixpkgs"; };
+    qchem = { url = "github:Nix-QChem/NixOS-QChem/release-23.11"; inputs.nixpkgs.follows = "nixpkgs"; };
     nixd = { url = "github:nix-community/nixd"; inputs.nixpkgs.follows = "nixpkgs"; };
     napalm = { url = "github:nix-community/napalm"; inputs.nixpkgs.follows = "nixpkgs"; };
     nixpak = { url = "github:nixpak/nixpak"; inputs.nixpkgs.follows = "nixpkgs"; };
     deploy-rs = { url = "github:serokell/deploy-rs"; inputs.nixpkgs.follows = "nixpkgs"; };
     pnpm2nix-nzbr = { url = "github:CHN-beta/pnpm2nix-nzbr"; inputs.nixpkgs.follows = "nixpkgs"; };
+    # oneapi
     lmix = { url = "github:CHN-beta/lmix"; inputs.nixpkgs.follows = "nixpkgs"; };
+    # nvhpc
     dguibert-nur-packages = { url = "github:CHN-beta/dguibert-nur-packages"; inputs.nixpkgs.follows = "nixpkgs"; };
+    plasma-manager =
+    {
+      url = "github:pjones/plasma-manager";
+      inputs = { nixpkgs.follows = "nixpkgs"; home-manager.follows = "home-manager"; };
+    };
+    nix-doom-emacs = { url = "github:nix-community/nix-doom-emacs"; inputs.nixpkgs.follows = "nixpkgs"; };
+    nur-linyinfeng = { url = "github:linyinfeng/nur-packages"; inputs.nixpkgs.follows = "nixpkgs"; };
+    nixos-hardware.url = "github:CHN-beta/nixos-hardware";
+    envfs = { url = "github:Mic92/envfs"; inputs.nixpkgs.follows = "nixpkgs"; };
+    nix-fast-build = { url = "github:/Mic92/nix-fast-build"; inputs.nixpkgs.follows = "nixpkgs"; };
+
+    misskey = { url = "git+https://github.com/CHN-beta/misskey?submodules=1"; flake = false; };
+    rsshub = { url = "github:DIYgod/RSSHub"; flake = false; };
+    zpp-bits = { url = "github:eyalz800/zpp_bits"; flake = false; };
+    citation-style-language = { url = "git+https://github.com/zepinglee/citeproc-lua?submodules=1"; flake = false; };
+    concurrencpp = { url = "github:David-Haim/concurrencpp"; flake = false; };
+    cppcoro = { url = "github:Garcia6l20/cppcoro"; flake = false; };
+    date = { url = "github:HowardHinnant/date"; flake = false; };
+    eigen = { url = "gitlab:libeigen/eigen"; flake = false; };
+    matplotplusplus = { url = "github:alandefreitas/matplotplusplus"; flake = false; };
+    nameof = { url = "github:Neargye/nameof"; flake = false; };
+    nodesoup = { url = "github:olvb/nodesoup"; flake = false; };
+    tgbot-cpp = { url = "github:reo7sp/tgbot-cpp"; flake = false; };
+    v-sim = { url = "gitlab:l_sim/v_sim"; flake = false; };
+    win11os-kde = { url = "github:yeyushengfan258/Win11OS-kde"; flake = false; };
+    fluent-kde = { url = "github:vinceliuice/Fluent-kde"; flake = false; };
+    rycee = { url = "gitlab:rycee/nur-expressions"; flake = false; };
+    cascade = { url = "github:CHN-beta/cascade"; flake = false; };
+    blurred-wallpaper = { url = "github:bouteillerAlan/blurredwallpaper"; flake = false; };
+    slate = { url = "github:TheBigWazz/Slate"; flake = false; };
+    linux-surface = { url = "github:linux-surface/linux-surface"; flake = false; };
+    lepton = { url = "github:black7375/Firefox-UI-Fix"; flake = false; };
   };
 
   outputs = inputs:
@@ -44,7 +78,7 @@
         default = inputs.nixpkgs.legacyPackages.x86_64-linux.writeText "systems"
           (builtins.concatStringsSep "\n" (builtins.map
             (system: builtins.toString inputs.self.outputs.nixosConfigurations.${system}.config.system.build.toplevel)
-            [ "pc" "vps6" "vps7" "nas" "yoga" ]));
+            [ "pc" "vps6" "vps7" "nas" "surface" ]));
       }
       // (
         builtins.listToAttrs (builtins.map
@@ -53,633 +87,32 @@
             name = system;
             value = inputs.self.outputs.nixosConfigurations.${system}.config.system.build.toplevel;
           })
-          [ "pc" "vps6" "vps7" "nas" "yoga" ])
+          [ "pc" "vps6" "vps7" "nas" "surface" "xmupc1" ])
       );
+      # ssh-keygen -t rsa -C root@pe -f /mnt/nix/persistent/etc/ssh/ssh_host_rsa_key
+      # ssh-keygen -t ed25519 -C root@pe -f /mnt/nix/persistent/etc/ssh/ssh_host_ed25519_key
+      # systemd-machine-id-setup --root=/mnt/nix/persistent
       nixosConfigurations = builtins.listToAttrs (builtins.map
         (system:
         {
-          name = system.name;
+          name = system;
           value = inputs.nixpkgs.lib.nixosSystem
           {
             system = "x86_64-linux";
             specialArgs = { topInputs = inputs; inherit localLib; };
             modules = localLib.mkModules
-            (
-              [
-                (inputs: { config.nixpkgs.overlays = [(final: prev:
-                  { localPackages = (import ./local/pkgs { inherit (inputs) lib; pkgs = final; }); })]; })
-                ./modules
-              ]
-              ++ system.value
-            );
+            [
+              (moduleInputs:
+              {
+                config.nixpkgs.overlays = [(final: prev: { localPackages =
+                  import ./local/pkgs { inherit (moduleInputs) lib; pkgs = final; topInputs = inputs; };})];
+              })
+              ./modules
+              ./devices/${system}
+            ];
           };
         })
-        (localLib.attrsToList
-        {
-          "pc" =
-          [
-            (inputs: { config.nixos =
-            {
-              system =
-              {
-                fileSystems =
-                {
-                  mount =
-                  {
-                    vfat."/dev/disk/by-uuid/3F57-0EBE" = "/boot/efi";
-                    btrfs =
-                    {
-                      "/dev/disk/by-uuid/02e426ec-cfa2-4a18-b3a5-57ef04d66614"."/" = "/boot";
-                      "/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
-                    };
-                  };
-                  decrypt.auto =
-                  {
-                    "/dev/disk/by-uuid/55fdd19f-0f1d-4c37-bd4e-6df44fc31f26" = { mapper = "root"; ssd = true; };
-                    "/dev/md/swap" = { mapper = "swap"; ssd = true; before = [ "root" ]; };
-                  };
-                  mdadm =
-                    "ARRAY /dev/md/swap metadata=1.2 name=pc:swap UUID=2b546b8d:e38007c8:02990dd1:df9e23a4";
-                  swap = [ "/dev/mapper/swap" ];
-                  resume = "/dev/mapper/swap";
-                  rollingRootfs = { device = "/dev/mapper/root"; path = "/nix/rootfs"; };
-                };
-                grub =
-                {
-                  windowsEntries = { "7317-1DB6" = "Windows"; "7321-FA9C" = "Windows for malware"; };
-                  installDevice = "efi";
-                };
-                nix =
-                {
-                  marches =
-                  [
-                    "alderlake"
-                    # CX16
-                    "sandybridge"
-                    # CX16 SAHF FXSR
-                    "silvermont"
-                    # RDSEED MWAITX SHA CLZERO CX16 SSE4A ABM CLFLUSHOPT WBNOINVD
-                    "znver2" "znver3"
-                    # CX16 SAHF FXSR HLE RDSEED
-                    "broadwell"
-                  ];
-                  keepOutputs = true;
-                };
-                nixpkgs = { march = "alderlake"; cudaSupport = true; };
-                gui = { enable = true; preferred = true; };
-                kernel =
-                {
-                  useLts = true;
-                  patches = [ "cjktty" "preempt" ];
-                  modules.modprobeConfig = [ "options iwlmvm power_scheme=1" "options iwlwifi uapsd_disable=1" ];
-                };
-                impermanence.enable = true;
-                networking =
-                  { hostname = "pc"; nebula = { enable = true; lighthouse = "vps6.chn.moe"; useRelay = true; }; };
-                sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
-              };
-              hardware =
-              {
-                cpus = [ "intel" ];
-                gpus = [ "intel" "nvidia" ];
-                bluetooth.enable = true;
-                joystick.enable = true;
-                printer.enable = true;
-                sound.enable = true;
-                prime =
-                  { enable = true; mode = "offload"; busId = { intel = "PCI:0:2:0"; nvidia = "PCI:1:0:0"; };};
-                gamemode.drmDevice = 1;
-              };
-              packages =
-              {
-                packageSet = "workstation";
-                extraPrebuildPackages = with inputs.pkgs; [ llvmPackages_git.stdenv ];
-                extraPythonPackages = [(pythonPackages:
-                  [ inputs.pkgs.localPackages.upho inputs.pkgs.localPackages.spectral ])];
-              };
-              virtualization =
-              {
-                waydroid.enable = true;
-                docker.enable = true;
-                kvmHost = { enable = true; gui = true; autoSuspend = [ "win10" "hardconnect" ]; };
-                # kvmGuest.enable = true;
-                nspawn = [ "arch" "ubuntu-22.04" "fedora" ];
-              };
-              services =
-              {
-                snapper = { enable = true; configs.persistent = "/nix/persistent"; };
-                fontconfig.enable = true;
-                samba =
-                {
-                  enable = true;
-                  private = true;
-                  hostsAllowed = "192.168. 127.";
-                  shares =
-                  {
-                    media.path = "/run/media/chn";
-                    home.path = "/home/chn";
-                    mnt.path = "/mnt";
-                    share.path = "/home/chn/share";
-                  };
-                };
-                sshd.enable = true;
-                xrayClient =
-                {
-                  enable = true;
-                  serverAddress = "74.211.99.69";
-                  serverName = "vps6.xserver.chn.moe";
-                  dns =
-                  {
-                    extraInterfaces = [ "docker0" ];
-                    hosts =
-                    {
-                      "mirism.one" = "216.24.188.24";
-                      "beta.mirism.one" = "216.24.188.24";
-                      "ng01.mirism.one" = "216.24.188.24";
-                      "debug.mirism.one" = "127.0.0.1";
-                      "initrd.vps6.chn.moe" = "74.211.99.69";
-                      "nix-store.chn.moe" = "127.0.0.1";
-                      "initrd.nas.chn.moe" = "192.168.1.185";
-                    };
-                  };
-                };
-                firewall.trustedInterfaces = [ "virbr0" "waydroid0" ];
-                acme = { enable = true; certs = [ "debug.mirism.one" ]; };
-                frpClient =
-                {
-                  enable = true;
-                  serverName = "frp.chn.moe";
-                  user = "pc";
-                  tcp.store = { localPort = 443; remotePort = 7676; };
-                };
-                nix-serve = { enable = true; hostname = "nix-store.chn.moe"; };
-                smartd.enable = true;
-                nginx =
-                {
-                  enable = true;
-                  transparentProxy.externalIp = [ "192.168.82.3" ];
-                  applications.misskey.instances."xn--qbtm095lrg0bfka60z.chn.moe" = {};
-                };
-                misskey.instances.misskey.hostname = "xn--qbtm095lrg0bfka60z.chn.moe";
-                beesd = { enable = true; instances.root = { device = "/"; hashTableSizeMB = 2048; }; };
-              };
-              bugs =
-              [
-                "intel-hdmi" "suspend-hibernate-no-platform" "hibernate-iwlwifi" "suspend-lid-no-wakeup" "xmunet"
-                "suspend-hibernate-waydroid" "embree" "nvme"
-              ];
-            };})
-          ];
-          "vps6" = 
-          [
-            (inputs: { config.nixos =
-            {
-              system =
-              {
-                fileSystems =
-                {
-                  mount =
-                  {
-                    btrfs =
-                    {
-                      "/dev/disk/by-uuid/24577c0e-d56b-45ba-8b36-95a848228600"."/boot" = "/boot";
-                      "/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
-                    };
-                  };
-                  decrypt.manual =
-                  {
-                    enable = true;
-                    devices."/dev/disk/by-uuid/4f8aca22-9ec6-4fad-b21a-fd9d8d0514e8" = { mapper = "root"; ssd = true; };
-                    delayedMount = [ "/" ];
-                  };
-                  swap = [ "/nix/swap/swap" ];
-                  rollingRootfs = { device = "/dev/mapper/root"; path = "/nix/rootfs"; };
-                };
-                grub.installDevice = "/dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:0";
-                nixpkgs.march = "sandybridge";
-                nix.substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
-                initrd =
-                {
-                  network.enable = true;
-                  sshd = { enable = true; hostKeys = [ "/nix/persistent/etc/ssh/initrd_ssh_host_ed25519_key" ]; };
-                };
-                kernel.patches = [ "preempt" ];
-                impermanence.enable = true;
-                networking = { hostname = "vps6"; nebula.enable = true; };
-                sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
-              };
-              packages.packageSet = "server";
-              services =
-              {
-                snapper = { enable = true; configs.persistent = "/nix/persistent"; };
-                sshd.enable = true;
-                xrayServer = { enable = true; serverName = "vps6.xserver.chn.moe"; };
-                frpServer = { enable = true; serverName = "frp.chn.moe"; };
-                nginx =
-                {
-                  enable = true;
-                  transparentProxy =
-                  {
-                    externalIp = [ "74.211.99.69" "192.168.82.1" ];
-                    map =
-                    {
-                      "ng01.mirism.one" = 7411;
-                      "beta.mirism.one" = 9114;
-                    };
-                  };
-                  streamProxy =
-                  {
-                    enable = true;
-                    map =
-                    {
-                      "nix-store.chn.moe" = { upstream = "internal.pc.chn.moe:443"; rewriteHttps = true; };
-                      "anchor.fm" = { upstream = "anchor.fm:443"; rewriteHttps = true; };
-                      "podcasters.spotify.com" = { upstream = "podcasters.spotify.com:443"; rewriteHttps = true; };
-                      "xlog.chn.moe" = { upstream = "cname.xlog.app:443"; rewriteHttps = true; };
-                    };
-                  };
-                  applications =
-                  {
-                    misskey.instances =
-                    {
-                      "xn--qbtm095lrg0bfka60z.chn.moe".upstream.address = "internal.pc.chn.moe";
-                      "xn--s8w913fdga.chn.moe".upstream.address = "internal.vps7.chn.moe";
-                      "misskey.chn.moe".upstream = "internal.vps7.chn.moe:9727";
-                    };
-                    synapse.instances."synapse.chn.moe".upstream.address = "internal.vps7.chn.moe";
-                    vaultwarden = { enable = true; upstream.address = "internal.vps7.chn.moe"; };
-                    element.instances."element.chn.moe" = {};
-                    photoprism.instances."photoprism.chn.moe".upstream.address = "internal.vps7.chn.moe";
-                    nextcloud.proxy = { enable = true; upstream = "internal.vps7.chn.moe"; };
-                  };
-                };
-                coturn.enable = true;
-                beesd = { enable = true; instances.root = { device = "/"; hashTableSizeMB = 16; }; };
-              };
-            };})
-          ];
-          "vps7" =
-          [
-            (inputs: { config.nixos =
-            {
-              system =
-              {
-                fileSystems =
-                {
-                  mount =
-                  {
-                    btrfs =
-                    {
-                      "/dev/disk/by-uuid/e36287f7-7321-45fa-ba1e-d126717a65f0"."/boot" = "/boot";
-                      "/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
-                    };
-                  };
-                  decrypt.manual =
-                  {
-                    enable = true;
-                    devices."/dev/disk/by-uuid/db48c8de-bcf7-43ae-a977-60c4f390d5c4" = { mapper = "root"; ssd = true; };
-                    delayedMount = [ "/" ];
-                  };
-                  swap = [ "/nix/swap/swap" ];
-                  rollingRootfs = { device = "/dev/mapper/root"; path = "/nix/rootfs"; };
-                };
-                grub.installDevice = "/dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:0";
-                nixpkgs.march = "broadwell";
-                nix.substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
-                initrd =
-                {
-                  network.enable = true;
-                  sshd = { enable = true; hostKeys = [ "/nix/persistent/etc/ssh/initrd_ssh_host_ed25519_key" ]; };
-                };
-                kernel.patches = [ "preempt" ];
-                impermanence.enable = true;
-                networking = { hostname = "vps7"; nebula = { enable = true; lighthouse = "vps6.chn.moe"; }; };
-                sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
-                gui.enable = true;
-              };
-              packages =
-              {
-                packageSet = "desktop";
-              };
-              services =
-              {
-                snapper = { enable = true; configs.persistent = "/nix/persistent"; };
-                fontconfig.enable = true;
-                sshd.enable = true;
-                rsshub.enable = true;
-                nginx =
-                {
-                  enable = true;
-                  transparentProxy.externalIp = [ "95.111.228.40" "192.168.82.2" ];
-                  applications =
-                  {
-                    misskey.instances =
-                    {
-                      "xn--s8w913fdga.chn.moe" = {};
-                      "misskey.chn.moe".upstream.port = 9727;
-                    };
-                    synapse.instances."synapse.chn.moe" = {};
-                    vaultwarden.enable = true;
-                    photoprism.instances."photoprism.chn.moe" = {};
-                    nextcloud.instance.enable = true;
-                  };
-                };
-                wallabag.enable = true;
-                misskey.instances =
-                {
-                  misskey.hostname = "xn--s8w913fdga.chn.moe";
-                  misskey-old = { port = 9727; redis.port = 3546; meilisearch.enable = false; };
-                };
-                synapse.enable = true;
-                xrdp = { enable = true; hostname = "vps7.chn.moe"; };
-                vaultwarden.enable = true;
-                beesd = { enable = true; instances.root = { device = "/"; hashTableSizeMB = 1024; }; };
-                photoprism.enable = true;
-                nextcloud.enable = true;
-              };
-            };})
-          ];
-          "nas" =
-          [
-            (inputs: { config.nixos =
-            {
-              system =
-              {
-                fileSystems =
-                {
-                  mount =
-                  {
-                    vfat."/dev/disk/by-uuid/13BC-F0C9" = "/boot/efi";
-                    btrfs =
-                    {
-                      "/dev/disk/by-uuid/0e184f3b-af6c-4f5d-926a-2559f2dc3063"."/boot" = "/boot";
-                      "/dev/mapper/nix"."/nix" = "/nix";
-                      "/dev/mapper/root1" =
-                      {
-                        "/nix/rootfs" = "/nix/rootfs";
-                        "/nix/persistent" = "/nix/persistent";
-                        "/nix/nodatacow" = "/nix/nodatacow";
-                        "/nix/rootfs/current" = "/";
-                      };
-                    };
-                  };
-                  decrypt.manual =
-                  {
-                    enable = true;
-                    devices =
-                    {
-                      "/dev/disk/by-uuid/5cf1d19d-b4a5-4e67-8e10-f63f0d5bb649".mapper = "root1";
-                      "/dev/disk/by-uuid/aa684baf-fd8a-459c-99ba-11eb7636cb0d".mapper = "root2";
-                      "/dev/disk/by-uuid/a779198f-cce9-4c3d-a64a-9ec45f6f5495" = { mapper = "nix"; ssd = true; };
-                    };
-                    delayedMount = [ "/" "/nix" ];
-                  };
-                  swap = [ "/nix/swap/swap" ];
-                  rollingRootfs = { device = "/dev/mapper/root1"; path = "/nix/rootfs"; };
-                };
-                initrd =
-                {
-                  network.enable = true;
-                  sshd = { enable = true; hostKeys = [ "/nix/persistent/etc/ssh/initrd_ssh_host_ed25519_key" ]; };
-                };
-                grub.installDevice = "efi";
-                nixpkgs.march = "silvermont";
-                nix.substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
-                kernel.patches = [ "cjktty" "preempt" ];
-                impermanence.enable = true;
-                networking =
-                  { hostname = "nas"; nebula = { enable = true; lighthouse = "vps6.chn.moe"; useRelay = true; }; };
-                sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
-                gui.enable = true;
-              };
-              hardware =
-              {
-                cpus = [ "intel" ];
-                gpus = [ "intel" ];
-              };
-              packages.packageSet = "desktop";
-              services =
-              {
-                snapper = { enable = true; configs.persistent = "/nix/persistent"; };
-                fontconfig.enable = true;
-                samba =
-                {
-                  enable = true;
-                  hostsAllowed = "192.168. 127.";
-                  shares =
-                  {
-                    home.path = "/home";
-                    root.path = "/";
-                  };
-                };
-                sshd = { enable = true; passwordAuthentication = true; };
-                xrayClient =
-                {
-                  enable = true;
-                  serverAddress = "74.211.99.69";
-                  serverName = "vps6.xserver.chn.moe";
-                  dns.extraInterfaces = [ "docker0" ];
-                };
-                xrdp = { enable = true; hostname = [ "nas.chn.moe" "office.chn.moe" ]; };
-                groupshare.enable = true;
-                smartd.enable = true;
-                beesd =
-                {
-                  enable = true;
-                  instances =
-                  {
-                    root = { device = "/"; hashTableSizeMB = 2048; };
-                    nix = { device = "/nix"; hashTableSizeMB = 128; };
-                  };
-                };
-              };
-              users.users = [ "root" "chn" "xll" "zem" "yjq" "yxy" ];
-            };})
-          ];
-          "xmupc1" =
-          [
-            (inputs: { config.nixos =
-            {
-              system =
-              {
-                fileSystems =
-                {
-                  mount =
-                  {
-                    vfat."/dev/disk/by-uuid/3F57-0EBE" = "/boot/efi";
-                    btrfs =
-                    {
-                      "/dev/disk/by-uuid/02e426ec-cfa2-4a18-b3a5-57ef04d66614"."/" = "/boot";
-                      "/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
-                    };
-                  };
-                  decrypt.auto =
-                  {
-                    "/dev/disk/by-uuid/55fdd19f-0f1d-4c37-bd4e-6df44fc31f26" = { mapper = "root"; ssd = true; };
-                    "/dev/md/swap" = { mapper = "swap"; ssd = true; before = [ "root" ]; };
-                  };
-                  mdadm =
-                    "ARRAY /dev/md/swap metadata=1.2 name=pc:swap UUID=2b546b8d:e38007c8:02990dd1:df9e23a4";
-                  swap = [ "/dev/mapper/swap" ];
-                  resume = "/dev/mapper/swap";
-                  rollingRootfs = { device = "/dev/mapper/root"; path = "/nix/rootfs"; };
-                };
-                grub.installDevice = "efi";
-                nixpkgs = { march = "znver3"; cudaSupport = true; };
-                nix =
-                {
-                  marches =
-                  [
-                    "znver3" "znver2"
-                    # PREFETCHW RDRND XSAVE XSAVEOPT PTWRITE SGX GFNI-SSE MOVDIRI MOVDIR64B CLDEMOTE WAITPKG LZCNT
-                    # PCONFIG SERIALIZE HRESET KL WIDEKL AVX-VNNI
-                    "alderlake"
-                    # SAHF FXSR XSAVE
-                    "sandybridge"
-                    # SAHF FXSR PREFETCHW RDRND
-                    "silvermont"
-                  ];
-                  substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
-                };
-                gui.enable = true;
-                kernel =
-                {
-                  patches = [ "cjktty" "preempt" ];
-                  modules.modprobeConfig = [ "options iwlmvm power_scheme=1" "options iwlwifi uapsd_disable=1" ];
-                };
-                impermanence.enable = true;
-                networking.hostname = "xmupc1";
-                sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
-              };
-              hardware =
-              {
-                cpus = [ "intel" ];
-                gpus = [ "intel" "nvidia" ];
-                bluetooth.enable = true;
-                joystick.enable = true;
-                printer.enable = true;
-                sound.enable = true;
-                prime =
-                  { enable = true; mode = "offload"; busId = { intel = "PCI:0:2:0"; nvidia = "PCI:1:0:0"; };};
-              };
-              packages.packageSet = "workstation";
-              virtualization =
-              {
-                docker.enable = true;
-                kvmHost = { enable = true; gui = true; };
-              };
-              services =
-              {
-                snapper = { enable = true; configs.persistent = "/nix/persistent"; };
-                fontconfig.enable = true;
-                samba =
-                {
-                  enable = true;
-                  hostsAllowed = "192.168. 127.";
-                  shares =
-                  {
-                    media.path = "/run/media/chn";
-                    home.path = "/home/chn";
-                    mnt.path = "/mnt";
-                    share.path = "/home/chn/share";
-                  };
-                };
-                sshd.enable = true;
-                xrayClient =
-                {
-                  enable = true;
-                  serverAddress = "74.211.99.69";
-                  serverName = "vps6.xserver.chn.moe";
-                  dns =
-                  {
-                    extraInterfaces = [ "docker0" ];
-                    hosts =
-                    {
-                      "mirism.one" = "216.24.188.24";
-                      "beta.mirism.one" = "216.24.188.24";
-                      "ng01.mirism.one" = "216.24.188.24";
-                      "debug.mirism.one" = "127.0.0.1";
-                      "initrd.vps6.chn.moe" = "74.211.99.69";
-                      "nix-store.chn.moe" = "127.0.0.1";
-                    };
-                  };
-                };
-                firewall.trustedInterfaces = [ "virbr0" ];
-                frpClient =
-                {
-                  enable = true;
-                  serverName = "frp.chn.moe";
-                  user = "xmupc1";
-                  tcp.store = { localPort = 443; remotePort = 7676; };
-                };
-                smartd.enable = true;
-                nginx = { enable = true; transparentProxy.enable = false; };
-                postgresql.enable = true;
-              };
-              bugs = [ "xmunet" "firefox" "embree" ];
-            };})
-          ];
-          "yoga" =
-          [
-            (inputs: { config.nixos =
-            {
-              system =
-              {
-                fileSystems =
-                {
-                  mount =
-                  {
-                    vfat."/dev/disk/by-uuid/86B8-CF80" = "/boot/efi";
-                    btrfs =
-                    {
-                      "/dev/disk/by-uuid/e252f81d-b4b3-479f-8664-380a9b73cf83"."/boot" = "/boot";
-                      "/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
-                    };
-                  };
-                  decrypt.auto."/dev/disk/by-uuid/8186d34e-005c-4461-94c7-1003a5bd86c0" =
-                    { mapper = "root"; ssd = true; };
-                  swap = [ "/nix/swap/swap" ];
-                  rollingRootfs = { device = "/dev/mapper/root"; path = "/nix/rootfs"; };
-                };
-                nixpkgs.march = "silvermont";
-                gui.enable = true;
-                grub.installDevice = "efi";
-                nix.substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
-                kernel.patches = [ "cjktty" "preempt" ];
-                impermanence.enable = true;
-                networking.hostname = "yoga";
-                sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
-              };
-              hardware =
-              {
-                cpus = [ "intel" ];
-                gpus = [ "intel" ];
-                bluetooth.enable = true;
-                joystick.enable = true;
-                printer.enable = true;
-                sound.enable = true;
-                halo-keyboard.enable = true;
-              };
-              packages.packageSet = "desktop";
-              virtualization.docker.enable = true;
-              services =
-              {
-                snapper = { enable = true; configs.persistent = "/nix/persistent"; };
-                fontconfig.enable = true;
-                sshd.enable = true;
-                xrayClient =
-                {
-                  enable = true;
-                  serverAddress = "74.211.99.69";
-                  serverName = "vps6.xserver.chn.moe";
-                  dns.extraInterfaces = [ "docker0" ];
-                };
-                firewall.trustedInterfaces = [ "virbr0" ];
-              };
-              bugs = [ "xmunet" "firmware-unstable" ];
-            };})
-          ];
-        }));
+        [ "pc" "vps6" "vps7" "nas" "surface" "xmupc1" ]);
       # sudo HTTPS_PROXY=socks5://127.0.0.1:10884 nixos-install --flake .#bootstrap --option substituters http://127.0.0.1:5000 --option require-sigs false --option system-features gccarch-silvermont
       # nix-serve -p 5000
       # nix copy --substitute-on-destination --to ssh://server /run/current-system
@@ -712,13 +145,14 @@
             {
               hostname = node;
               profiles.system.path = inputs.self.nixosConfigurations.${node}.pkgs.deploy-rs.lib.activate.nixos
-                  inputs.self.nixosConfigurations.${node};
+                inputs.self.nixosConfigurations.${node};
             };
           })
-          [ "vps6" "vps7" "nas" "yoga" ]);
+          [ "vps6" "vps7" "nas" "surface" ]);
       };
       checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks inputs.self.deploy) inputs.deploy-rs.lib;
       overlays.default = final: prev:
         { localPackages = (import ./local/pkgs { inherit (inputs) lib; pkgs = final; }); };
+      config.archive = false;
     };
 }

local/lib/default.nix

@@ -1,6 +1,6 @@
 lib:
 {
-  attrsToList = Attrs: builtins.map ( name: { inherit name; value = Attrs.${name}; } ) ( builtins.attrNames Attrs );
+  attrsToList = attrs: builtins.map (name: { inherit name; value = attrs.${name}; }) (builtins.attrNames attrs);
   mkConditional = condition: trueResult: falseResult: let inherit (lib) mkMerge mkIf; in
     mkMerge [ ( mkIf condition trueResult ) ( mkIf (!condition) falseResult ) ];
 
@@ -32,4 +32,9 @@ lib:
     in
       # Split into lines. Strip leading tabs. Concat back to string.
       builtins.concatStringsSep "\n" (stripTabs (lib.strings.splitString "\n" text));
+  
+  # find an element in a list, return the index
+  findIndex = e: list:
+    let findIndex_ = i: list: if (builtins.elemAt list i) == e then i else findIndex_ (i + 1) list;
+    in findIndex_ 0 list;
 }

local/pkgs/12to11/default.nix

@@ -1,29 +0,0 @@
-{
-  lib, stdenv, fetchsvn, xorg, libdrm
-}:
-
-stdenv.mkDerivation rec
-{
-  pname = "12to11";
-  version = "193";
-  src = fetchsvn
-  {
-    url = "svn://svn.code.sf.net/p/twelveto11/code";
-    rev = version;
-    sha256 = "12csy55f2xxj03c5b60dvip68mz8cggic6751y3hvj22ar4ncaaj";
-  };
-  postPatch =
-  ''
-    for i in *.c
-    do
-      sed -i -e "s|#include <drm_fourcc.h>|#include <libdrm/drm_fourcc.h>|" $i
-    done
-    for i in tests/*.c
-    do
-      sed -i -e "s|#include <drm/drm_fourcc.h>|#include <libdrm/drm_fourcc.h>|" $i
-    done
-  '';
-
-  nativeBuildInputs = [  ];
-  buildInputs = [ xorg.imake libdrm.dev ];
-}

local/pkgs/blurred-wallpaper/default.nix

@@ -0,0 +1,11 @@
+{ stdenv, src }: stdenv.mkDerivation
+{
+  name = "blurred-wallpaper";
+  inherit src;
+  phases = [ "installPhase" ];
+  installPhase =
+  ''
+    mkdir -p $out/share/plasma/wallpapers/a2n.blur
+    cp -r $src/* $out/share/plasma/wallpapers/a2n.blur
+  '';
+}

local/pkgs/citation-style-language/default.nix

@@ -0,0 +1,22 @@
+{ stdenvNoCC, texlive, src }: stdenvNoCC.mkDerivation (finalAttrs:
+{
+  name = "citation-style-language";
+  inherit src;
+  passthru =
+  {
+    pkgs = [ finalAttrs.finalPackage ];
+    tlDeps = with texlive; [ latex ];
+    tlType = "run";
+  };
+
+  nativeBuildInputs = [ texlive.combined.scheme-full ];
+  dontConfigure = true;
+  dontBuild = true;
+  installPhase =
+  ''
+    runHook preInstall
+    export TEXMFHOME=$out
+    l3build install
+    runHook postInstall
+  '';
+})

local/pkgs/concurrencpp/default.nix

@@ -1,13 +1,6 @@
-{ stdenv, fetchFromGitHub, cmake }: stdenv.mkDerivation rec
+{ stdenv, cmake, src }: stdenv.mkDerivation
 {
-  pname = "concurrencpp";
-  version = "0.1.7";
-  src = fetchFromGitHub
-  {
-    owner = "David-Haim";
-    repo = "concurrencpp";
-    rev = "v.${version}";
-    sha256 = "4qT29YVjKEWcMrI5R5Ps8aD4grAAgz5VOxANjpp1oTo=";
-  };
+  name = "concurrencpp";
+  inherit src;
   nativeBuildInputs = [ cmake ];
 }

local/pkgs/cppcoro/cppcoro-include-utility.patch

@@ -0,0 +1,12 @@
+diff --git a/lib/static_thread_pool.cpp b/lib/static_thread_pool.cpp
+index 989a6a9..0b91b9c 100644
+--- a/lib/static_thread_pool.cpp
++++ b/lib/static_thread_pool.cpp
+@@ -12,6 +12,7 @@
+ #include <cassert>
+ #include <mutex>
+ #include <chrono>
++#include <utility>
+ 
+ namespace
+ {

local/pkgs/cppcoro/default.nix

@@ -0,0 +1,7 @@
+{ stdenv, cmake, src }: stdenv.mkDerivation
+{
+  name = "cppcoro";
+  inherit src;
+  nativeBuildInputs = [ cmake ];
+  patches = [ ./cppcoro-include-utility.patch ];
+}

local/pkgs/date/default.nix

@@ -0,0 +1,13 @@
+{ stdenv, src }: stdenv.mkDerivation
+{
+  name = "date";
+  inherit src;
+  phases = [ "installPhase" ];
+  installPhase =
+  ''
+    runHook preInstall
+    mkdir -p $out
+    cp -r $src/{include,src} $out
+    runHook postInstall
+  '';
+}

local/pkgs/default.nix

@@ -1,15 +1,11 @@
-{ lib, pkgs }: with pkgs; rec
+{ lib, pkgs, topInputs }: with pkgs; rec
 {
   typora = callPackage ./typora {};
-  upho = python3Packages.callPackage ./upho {};
-  spectral = python3Packages.callPackage ./spectral {};
   vesta = callPackage ./vesta {};
   oneapi = callPackage ./oneapi {};
-  send = callPackage ./send {};
-  rsshub = callPackage ./rsshub {};
-  misskey = callPackage ./misskey { vips = unstablePackages.vips; };
+  rsshub = callPackage ./rsshub { src = topInputs.rsshub; };
+  misskey = callPackage ./misskey { nodejs = nodejs_21; src = topInputs.misskey; };
   mk-meili-mgn = callPackage ./mk-meili-mgn {};
-  phonon-unfolding = callPackage ./phonon-unfolding {};
   # vasp = callPackage ./vasp
   # {
   #   stdenv = pkgs.lmix-pkgs.intel21Stdenv;
@@ -22,20 +18,35 @@
     openmpi = pkgs.openmpi.override { cudaSupport = false; };
   };
   vaspkit = callPackage ./vaspkit { attrsToList = (import ../lib lib).attrsToList; };
-  # "12to11" = callPackage ./12to11 {};
-  huginn = callPackage ./huginn {};
-  v_sim = callPackage ./v_sim {};
-  concurrencpp = callPackage ./concurrencpp { stdenv = gcc13Stdenv; };
+  v-sim = callPackage ./v-sim { src = topInputs.v-sim; };
+  concurrencpp = callPackage ./concurrencpp { stdenv = gcc13Stdenv; src = topInputs.concurrencpp; };
   eigengdb = python3Packages.callPackage ./eigengdb {};
-  nodesoup = callPackage ./nodesoup {};
-  matplotplusplus = callPackage ./matplotplusplus { inherit nodesoup glad; };
-  zpp-bits = callPackage ./zpp-bits {};
-  eigen = callPackage ./eigen {};
-  nameof = callPackage ./nameof {};
+  nodesoup = callPackage ./nodesoup { src = topInputs.nodesoup; };
+  matplotplusplus = callPackage ./matplotplusplus { inherit nodesoup glad; src = topInputs.matplotplusplus; };
+  zpp-bits = callPackage ./zpp-bits { src = topInputs.zpp-bits; };
+  eigen = callPackage ./eigen { src = topInputs.eigen; };
+  nameof = callPackage ./nameof { src = topInputs.nameof; };
   pslist = callPackage ./pslist {};
   glad = callPackage ./glad {};
   chromiumos-touch-keyboard = callPackage ./chromiumos-touch-keyboard {};
   yoga-support = callPackage ./yoga-support {};
-  tgbot-cpp = callPackage ./tgbot-cpp {};
+  tgbot-cpp = callPackage ./tgbot-cpp { src = topInputs.tgbot-cpp; };
   biu = callPackage ./biu { inherit concurrencpp tgbot-cpp nameof; stdenv = gcc13Stdenv; };
+  citation-style-language = callPackage ./citation-style-language { src = topInputs.citation-style-language; };
+  mirism = callPackage ./mirism
+  {
+    inherit cppcoro nameof tgbot-cpp date;
+    nghttp2 = nghttp2-2305.override { enableAsioLib = true; };
+  };
+  cppcoro = callPackage ./cppcoro { src = topInputs.cppcoro; };
+  date = callPackage ./date { src = topInputs.date; };
+  esbonio = python3Packages.callPackage ./esbonio {};
+  pix2tex = python3Packages.callPackage ./pix2tex {};
+  pyreadline3 = python3Packages.callPackage ./pyreadline3 {};
+  torchdata = python3Packages.callPackage ./torchdata {};
+  torchtext = python3Packages.callPackage ./torchtext { inherit torchdata; };
+  win11os-kde = callPackage ./win11os-kde { src = topInputs.win11os-kde; };
+  fluent-kde = callPackage ./fluent-kde { src = topInputs.fluent-kde; };
+  blurred-wallpaper = callPackage ./blurred-wallpaper { src = topInputs.blurred-wallpaper; };
+  slate = callPackage ./slate { src = topInputs.slate; };
 }

local/pkgs/eigen/default.nix

@@ -1,12 +1,6 @@
-{ lib, stdenv, fetchFromGitLab, cmake }: stdenv.mkDerivation rec
+{ lib, stdenv, cmake, src }: stdenv.mkDerivation
 {
   name = "eigen";
-  src = fetchFromGitLab
-  {
-    owner = "libeigen";
-    repo = name;
-    rev = "6d829e766ff1b1ab867d93631163cbc63ed5798f";
-    sha256 = "BXUnizcRPrOyiPpoyYJ4VVOjlG49aj80mgzPKmEYPKU=";
-  };
+  inherit src;
   nativeBuildInputs = [ cmake ];
 }

local/pkgs/esbonio/default.nix

@@ -0,0 +1,11 @@
+{ lib, fetchPypi, buildPythonPackage }: buildPythonPackage rec
+{
+  pname = "esbonio";
+  version = "0.16.4";
+  src = fetchPypi
+  {
+    inherit pname version;
+    sha256 = "1MBNBLCEBD6HtlxEASc4iZaXYyNdih2MIHoxK84jMdI=";
+  };
+  doCheck = false;
+}

local/pkgs/fluent-kde/default.nix

@@ -0,0 +1,22 @@
+{ lib, stdenv, src }: stdenv.mkDerivation
+{
+  name = "fluent-kde";
+  inherit src;
+  installPhase =
+  ''
+    mkdir -p $out/share/aurorae/themes
+    cp -r $src/aurorae/* $out/share/aurorae/themes
+    mkdir -p $out/share/color-schemes
+    cp -r $src/color-schemes/*.colors $out/share/color-schemes
+    mkdir -p $out/share/Kvantum
+    cp -r $src/Kvantum/Fluent* $out/share/Kvantum
+    mkdir -p $out/share/plasma/desktoptheme
+    cp -r $src/plasma/desktoptheme/* $out/share/plasma/desktoptheme
+    mkdir -p $out/share/plasma/layout-templates
+    cp -r $src/plasma/layout-templates/* $out/share/plasma/layout-templates
+    mkdir -p $out/share/plasma/look-and-feel
+    cp -r $src/plasma/look-and-feel/com.github.vinceliuice.Fluent* $out/share/plasma/look-and-feel
+    mkdir -p $out/share/wallpapers
+    cp -r $src/wallpaper/* $out/share/wallpapers
+  '';
+}

local/pkgs/huginn/default.nix

@@ -1,29 +0,0 @@
-{ lib, stdenv, bundlerEnv, fetchFromGitHub }:
-let
-  pname = "huginn";
-  version = "20230723";
-  src = fetchFromGitHub
-  {
-    owner = "CHN-beta";
-    repo = "huginn";
-    rev = "a02977ad420a01b6460634af19f714db4a8f8f36";
-    hash = "sha256-Ty2EDCIjbvcf3PzPupcV4s7ZfAFTuYEjSfy0m+Yt3j4=";
-  };
-  gems = bundlerEnv
-  {
-    name = "${pname}-${version}-gems";
-    gemdir  = "${src}";
-    gemfile = "${src}/Gemfile";
-    lockfile = "${src}/Gemfile.lock";
-    gemset  = "${src}/gemset.nix";
-    copyGemFiles = true;
-  };
-in stdenv.mkDerivation
-{
-  inherit pname version src;
-  buildInputs = [ gems gems.wrappedRuby ];
-  installPhase =
-  ''
-    false
-  '';
-}

local/pkgs/matplotplusplus/default.nix

@@ -1,17 +1,10 @@
 {
-  stdenv, fetchFromGitHub, cmake, pkg-config, substituteAll,
+  stdenv, src, cmake, pkg-config, substituteAll,
   gnuplot, libjpeg, libtiff, zlib, libpng, lapack, blas, fftw, opencv, nodesoup, cimg, glfw, libGL, python3, glad
 }: stdenv.mkDerivation
 {
-  pname = "matplotplusplus";
-  version = "1.2.0";
-  src = fetchFromGitHub
-  {
-    owner = "alandefreitas";
-    repo = "matplotplusplus";
-    rev = "a40344efa9dc5ea0c312e6e9ef4eb7238d98dc12";
-    sha256 = "6/dH/Rl2aAb8b+Ji5LwzkC+GWPOCBnYCrjy0qk8u/+I=";
-  };
+  name = "matplotplusplus";
+  inherit src;
   cmakeFlags =
   [
     "-DBUILD_SHARED_LIBS=ON" "-DMATPLOTPP_BUILD_SHARED_LIBS=ON" "-DMATPLOTPP_BUILD_EXAMPLES=OFF"

local/pkgs/mirism/default.nix

@@ -0,0 +1,29 @@
+{
+  lib, stdenv, requireFile,
+  boost, nghttp2, brotli, nameof, cppcoro, tgbot-cpp, libbacktrace, fmt, date
+}: stdenv.mkDerivation rec
+{
+  name = "mirism";
+  # nix-store --query --hash $(nix store add-path . --name 'mirism')
+  src = requireFile
+  {
+    inherit name;
+    sha256 = "0f50pvdafhlmrlbf341mkp9q50v4ld5pbx92d2w1633f18zghbzf";
+    hashMode = "recursive";
+    message = "Source file not found.";
+  };
+  buildInputs = [ boost nghttp2.dev brotli nameof cppcoro tgbot-cpp libbacktrace fmt date ];
+  buildPhase =
+  ''
+    runHook preBuild
+    make ng01 beta
+    runHook postBuild
+  '';
+  installPhase =
+  ''
+    runHook preInstall
+    mkdir -p $out/bin
+    cp build/{ng01,beta} $out/bin
+    runHook postInstall
+  '';
+}

local/pkgs/misskey/default.nix

@@ -1,95 +1,36 @@
 {
-  lib, stdenv, mkPnpmPackage, fetchFromGitHub, fetchurl, nodejs_20, writeShellScript, buildFHSEnv,
-  bash, cypress, vips, pkg-config
+  lib, stdenv, mkPnpmPackage, fetchurl, nodejs, writeShellScript, buildFHSEnv,
+  bash, cypress, vips, pkg-config, src
 }:
 let
-  pname = "misskey";
-  version = "2023.10.2";
-  src = fetchFromGitHub
-  {
-    owner = "CHN-beta";
-    repo = "misskey";
-    rev = "3f813d9808ebc1774457e02add8fe9c7a6937ff7";
-    sha256 = "63ZIil28jcMiL+c9FMj7m1OeCrLwsQZNHib+j8ar66s=";
-    fetchSubmodules = true;
-  };
+  name = "misskey";
   originalPnpmPackage = mkPnpmPackage
   {
-    inherit pname version src;
-    nodejs = nodejs_20;
+    inherit name src nodejs;
     copyPnpmStore = true;
   };
   startScript = writeShellScript "misskey"
   ''
-    export PATH=${lib.makeBinPath [ bash nodejs_20 nodejs_20.pkgs.pnpm nodejs_20.pkgs.gulp cypress ]}:$PATH
+    export PATH=${lib.makeBinPath [ bash nodejs nodejs.pkgs.pnpm nodejs.pkgs.gulp cypress ]}:$PATH
     export CYPRESS_RUN_BINARY="${cypress}/bin/Cypress"
     export NODE_ENV=production
     pnpm run migrateandstart
   '';
-  re2 = stdenv.mkDerivation rec
-  {
-    pname = "re2";
-    version = "1.20.3";
-    srcs =
-    [
-      (fetchurl
-      {
-        url = "https://github.com/uhop/node-re2/releases/download/1.20.3/linux-x64-115.br";
-        sha256 = "0g2k0bki0zm0vaqpz25ww119qcs1flv63h6s5ib3103arpnzmb6d";
-      })
-      (fetchurl
-      {
-        url = "https://github.com/uhop/node-re2/releases/download/1.20.3/linux-x64-115.gz";
-        sha256 = "1dr9zzzm67jknzvla1l5178lzmj6cfh8i1vsp5r4gkwdwbfh3ip0";
-      })
-      (fetchurl
-      {
-        url = "https://github.com/uhop/node-re2/releases/download/1.20.3/linux-x64-108.br";
-        sha256 = "0wby987byhshb20np1gglj6y9ji7m7jza5jwa4hyxfxs1pkkmg1n";
-      })
-      (fetchurl
-      {
-        url = "https://github.com/uhop/node-re2/releases/download/1.20.3/linux-x64-108.gz";
-        sha256 = "0q3dyxm63d2x0wxx23gdwym7r2gmaw4ahvmd35dgrj179ik290pi";
-      })
-      (fetchurl
-      {
-        url = "https://github.com/uhop/node-re2/releases/download/1.20.3/linux-x64-93.br";
-        sha256 = "1wjmdni24353ppwfiyrv1zl9ci4g2habk0g2nz6b0sijagcy7bv3";
-      })
-      (fetchurl
-      {
-        url = "https://github.com/uhop/node-re2/releases/download/1.20.3/linux-x64-93.gz";
-        sha256 = "0rgkryjh412g2m7rfrl2krsb9137prkk2y9ga8akn7qp1bqsbq1i";
-      })
-    ];
-    phases = [ "installPhase" ];
-    installPhase =
-    ''
-      mkdir -p $out/${version}
-      for i in $srcs
-      do
-        cp $i $out/${version}/''${i#*-}
-      done
-    '';
-  };
 in
   stdenv.mkDerivation rec
   {
-    inherit version src pname;
+    inherit src name;
     buildInputs =
     [
-      bash nodejs_20 nodejs_20.pkgs.typescript nodejs_20.pkgs.pnpm nodejs_20.pkgs.gulp cypress vips pkg-config
+      bash nodejs nodejs.pkgs.typescript nodejs.pkgs.pnpm nodejs.pkgs.gulp cypress vips pkg-config
     ];
     nativeBuildInputs = buildInputs;
     CYPRESS_RUN_BINARY = "${cypress}/bin/Cypress";
     NODE_ENV = "production";
-    RE2_DOWNLOAD_MIRROR = "${re2}";
-    RE2_DOWNLOAD_SKIP_PATH = "true";
     configurePhase =
     ''
       export HOME=$NIX_BUILD_TOP # Some packages need a writable HOME
-      export npm_config_nodedir=${nodejs_20}
+      export npm_config_nodedir=${nodejs}
 
       runHook preConfigure
 
@@ -121,6 +62,6 @@ in
     '';
     passthru =
     {
-      inherit originalPnpmPackage startScript re2;
+      inherit originalPnpmPackage startScript;
     };
   }

local/pkgs/nameof/default.nix

@@ -1,14 +1,7 @@
-{ lib, stdenv, fetchFromGitHub }: stdenv.mkDerivation rec
+{ lib, stdenv, src }: stdenv.mkDerivation
 {
-  pname = "nameof";
-  version = "0.10.3";
-  src = fetchFromGitHub
-  {
-    owner = "Neargye";
-    repo = pname;
-    rev = "v${version}";
-    sha256 = "eHG0Y/BQGbwTrBHjq9SeSiIXaVqWp7PxIq7vCIECYPk=";
-  };
+  name = "nameof";
+  inherit src;
   phases = [ "installPhase" ];
   installPhase =
   ''

local/pkgs/nodesoup/default.nix

@@ -1,13 +1,7 @@
-{ stdenv, fetchFromGitHub, cmake, pkg-config, cairo, pcre2, xorg }: stdenv.mkDerivation rec
+{ stdenv, src, cmake, pkg-config, cairo, pcre2, xorg }: stdenv.mkDerivation
 {
   name = "nodesoup";
-  src = fetchFromGitHub
-  {
-    owner = "olvb";
-    repo = "nodesoup";
-    rev = "3158ad082bb0cd1abee75418b12b35522dbca74f";
-    sha256 = "tFLq6QC3U3uvcuWsdRy2wnwcmAfH2MkI2oMcAiUBHSo=";
-  };
+  inherit src;
   buildInputs = [ cairo pcre2.dev xorg.libXdmcp.dev ];
   nativeBuildInputs = [ cmake pkg-config ];
 }

local/pkgs/phonon-unfolding/default.nix

@@ -1,28 +0,0 @@
-{
-  stdenv, fetchFromGitHub, gfortran, blas
-}:
-stdenv.mkDerivation
-{
-  pname = "phonon-unfolding";
-  version = "0";
-  src = fetchFromGitHub
-  {
-    owner = "CHN-beta";
-    repo = "phonon_unfolding";
-    rev = "ec363ef2bad0ee18a0839a1681ea9915c0b72e1d";
-    hash = "sha256-zDTbtYk5OXf//6eS4gEF7IvrpWcRAz18ue48IDZnfSk=";
-  };
-  buildInputs = [ blas ];
-  nativeBuildInputs = [ gfortran ];
-  buildPhase =
-  ''
-    gfortran PhononUnfoldingModule.f90 -o PhononUnfoldingModule.mod -c
-    gfortran PhononUnfolding.f90 -c -o PhononUnfolding.mod
-    gfortran PhononUnfolding.mod PhononUnfoldingModule.mod -o PhononUnfolding -lblas
-  '';
-  installPhase =
-  ''
-    mkdir -p $out/bin
-    cp PhononUnfolding $out/bin
-  '';
-}

local/pkgs/pix2tex/default.nix

@@ -0,0 +1,32 @@
+{
+  lib, fetchFromGitHub, buildPythonPackage,
+  # general dependencies:
+  tqdm, munch, torch, opencv, requests, einops, transformers, tokenizers, numpy, pillow, pyyaml, pandas, timm,
+  albumentations,
+  # gui
+  pyqt6, pyqt6-webengine, pyside6, pynput, screeninfo,
+  # api
+  streamlit, fastapi, uvicorn, python-multipart,
+  # training
+  # python-Levenshtein, torchtext, imagesize
+  # highlight
+  pygments
+}: buildPythonPackage
+{
+  name = "pix2tex";
+  src = fetchFromGitHub
+  {
+    owner = "lukas-blecher";
+    repo = "LaTeX-OCR";
+    rev = "1781514fb8c92ea9f94057295fdae0e683f4648e";
+    hash = "sha256-I3B8eH7zV2zIogDt9znkEzp4EeBjY6NfI4jsl+v/8aM=";
+  };
+  patches = [ ./remove-version-requires.patch ];
+  propagatedBuildInputs =
+  [
+    tqdm munch torch opencv requests einops transformers tokenizers numpy pillow pyyaml pandas timm albumentations
+    pyqt6 pyqt6-webengine pyside6 pynput screeninfo
+    streamlit fastapi uvicorn python-multipart
+    pygments
+  ];
+}

local/pkgs/pix2tex/remove-version-requires.patch

@@ -0,0 +1,13 @@
+diff --git a/setup.py b/setup.py
+index 29b26cb..511012f 100644
+--- a/setup.py
++++ b/setup.py
+@@ -64,7 +64,7 @@ setuptools.setup(
+         'Pillow>=9.1.0',
+         'PyYAML>=5.4.1',
+         'pandas>=1.0.0',
+-        'timm==0.5.4',
++        'timm>=0.5.4',
+         'albumentations>=0.5.2',
+         'pyreadline3>=3.4.1; platform_system=="Windows"',
+     ],

local/pkgs/pyreadline3/default.nix

@@ -0,0 +1,14 @@
+{
+  lib, fetchFromGitHub, buildPythonPackage
+}: buildPythonPackage rec
+{
+  pname = "pyreadline3";
+  version = "3.4.1";
+  src = fetchFromGitHub
+  {
+    owner = "pyreadline3";
+    repo = "pyreadline3";
+    rev = "v${version}";
+    hash = "sha256-02/gkx955NupVKXSu/xBQQtY4SEP4zxbNQYg1oQ/nGY=";
+  };
+}

local/pkgs/rsshub/default.nix

@@ -1,16 +1,9 @@
 {
-  lib, stdenv, mkPnpmPackage, fetchFromGitHub, nodejs, writeShellScript,
-  chromium, bash
+  lib, stdenv, mkPnpmPackage, nodejs, writeShellScript,
+  chromium, bash, src
 }:
 let
   name = "rsshub";
-  src = fetchFromGitHub
-  {
-    owner = "DIYgod";
-    repo = "RSSHub";
-    rev = "67d4a7ed3f877a8ceac6caebe874c4ce5c210bd8";
-    sha256 = "baJQWGrr1RdZoI2uAGp2uJO9epbjAUjks76knJSwVdE=";
-  };
   originalPnpmPackage = mkPnpmPackage { inherit name src nodejs; };
   nodeModules = originalPnpmPackage.nodeModules.overrideAttrs { PUPPETEER_SKIP_DOWNLOAD = true; };
   rsshub-unwrapped = stdenv.mkDerivation

local/pkgs/send/default.nix

@@ -1,15 +0,0 @@
-{ buildNpmPackage, fetchFromGitHub, nodejs-16_x }:
-buildNpmPackage.override { nodejs = nodejs-16_x; }
-{
-  pname = "send";
-  version = "3.4.23";
-  src = fetchFromGitHub
-  {
-    owner = "timvisee";
-    repo = "send";
-    rev = "6ad2885a168148fb996d3983457bc39527c7c8e5";
-    hash = "sha256-/w9KhktDVSAmp6EVIRHFM63mppsIzYSm5F7CQQd/2+E=";
-  };
-  npmDepsHash = "sha256-r1iaurKuhpP0sevB5pFdtv9j1ikM1fKL7Jgakh4FzTI=";
-  makeCacheWritable = true;
-}

local/pkgs/slate/default.nix

@@ -0,0 +1,10 @@
+{ stdenv, src }: stdenv.mkDerivation
+{
+  name = "slate";
+  src = "${src}/Slate.tar.gz";
+  installPhase =
+  ''
+    mkdir -p $out/share/yakuake/skins/Slate
+    cp -r * $out/share/yakuake/skins/Slate
+  '';
+}

local/pkgs/spectral/default.nix

@@ -1,15 +0,0 @@
-{
-  lib, fetchPypi, buildPythonPackage,
-  numpy, pillow, wxPython_4_2, matplotlib, ipython, pyopengl
-}: buildPythonPackage rec
-{
-  pname = "spectral";
-  version = "0.23.1";
-  src = fetchPypi
-  {
-    inherit pname version;
-    sha256 = "sha256-4YIic1Je81g7J6lmIm1Vr+CefSmnI2z82LwN+x+Wj8I=";
-  };
-  doCheck = false;
-  propagatedBuildInputs = [ numpy pillow wxPython_4_2 matplotlib ipython pyopengl ];
-}

local/pkgs/tgbot-cpp/default.nix

@@ -1,14 +1,7 @@
-{ stdenv, fetchFromGitHub, cmake, pkg-config, boost, openssl, zlib, curl }: stdenv.mkDerivation rec
+{ stdenv, src, cmake, pkg-config, boost, openssl, zlib, curl }: stdenv.mkDerivation rec
 {
-  pname = "tgbot-cpp";
-  version = "1.7.2";
-  src = fetchFromGitHub
-  {
-    owner = "reo7sp";
-    repo = "tgbot-cpp";
-    rev = "v${version}";
-    sha256 = "TKirSxEUqFB1WtzNEfU4EJK3p7V5xcFIvA2+QVX7TlA=";
-  };
+  name = "tgbot-cpp";
+  inherit src;
   nativeBuildInputs = [ cmake pkg-config ];
   buildInputs = [ boost openssl zlib curl.dev ];
   propagatedBuildInputs = buildInputs;

local/pkgs/torchdata/default.nix

@@ -0,0 +1,20 @@
+{
+  lib, fetchFromGitHub, buildPythonPackage,
+  torch, urllib3, requests, cmake, pkg-config, ninja
+}: buildPythonPackage rec
+{
+  pname = "torchdata";
+  version = "0.7.1";
+  src = fetchFromGitHub
+  {
+    owner = "pytorch";
+    repo = "data";
+    rev = "v${version}";
+    hash = "sha256-SOeu+mI4p2tHX0YyctrDBcrz2/zYcwH9GGJ+6ytRmjQ=";
+    fetchSubmodules = true;
+  };
+  dontUseCmakeConfigure = true;
+  pyproject = true;
+  propagatedBuildInputs = [ torch urllib3 requests ];
+  nativeBuildInputs = [ cmake pkg-config ninja ];
+}

local/pkgs/torchtext/default.nix

@@ -0,0 +1,20 @@
+{
+  lib, fetchFromGitHub, buildPythonPackage,
+  tqdm, requests, torch, numpy, torchdata, cmake
+}: buildPythonPackage rec
+{
+  pname = "torchtext";
+  version = "0.16.1";
+  src = fetchFromGitHub
+  {
+    owner = "pytorch";
+    repo = "text";
+    rev = "v${version}";
+    hash = "sha256-4a33AWdd1VZwRL5vTawo0yplpw+qcNMetbfE1h1kafE=";
+    fetchSubmodules = true;
+  };
+  dontUseCmakeConfigure = true;
+  pyproject = true;
+  propagatedBuildInputs = [ tqdm requests torch numpy torchdata ];
+  nativeBuildInputs = [ cmake ];
+}

local/pkgs/typora/default.nix

@@ -3,11 +3,11 @@ let
   typora-dist = stdenv.mkDerivation rec
   {
     pname = "typora-dist";
-    version = "1.6.6";
+    version = "1.8.2-dev";
     src = fetchurl
     {
       url = "https://download.typora.io/linux/typora_${version}_amd64.deb";
-      sha256 = "sha256-77mCgmsROLhfuOmOOyl2C5Ug2NfqEvcD+kMA3aiAQtA=";
+      sha256 = "0abi9m8h8k0228ajag26lxk756a7aqqixg608k85gnkdmibnq6mv";
     };
 
     dontFixup = true;

local/pkgs/upho/default.nix

@@ -1,14 +0,0 @@
-{ lib, fetchFromGitHub, buildPythonPackage, numpy, h5py, phonopy }: buildPythonPackage rec
-{
-  pname = "upho";
-  version = "0.6.6";
-  src = fetchFromGitHub
-  {
-    owner = "CHN-beta";
-    repo = "upho";
-    rev = "0f27ac6918e8972c70692816438e4ac37ec6b348";
-    sha256 = "sha256-NvoV+AUH9MmGT4ohrLAAvpLs8APP2DOKYlZVliHrVRM=";
-  };
-  doCheck = false;
-  propagatedBuildInputs = [ numpy h5py phonopy ];
-}

local/pkgs/v-sim/default.nix

@@ -1,19 +1,12 @@
 {
-  stdenv, lib, fetchFromGitLab,
+  stdenv, lib, src,
   wrapGAppsHook, autoreconfHook, autoconf, libtool, intltool, gettext, automake, gtk-doc, pkg-config, gfortran, libxslt,
   glib, gtk3, epoxy, libyaml
 }:
 stdenv.mkDerivation
 {
-  pname = "v_sim";
-  version = "3.8.0_p20230824";
-  src = fetchFromGitLab
-  {
-    owner = "l_sim";
-    repo = "v_sim";
-    rev = "8abc67b56795c19a8e2357d442b556c71d2441cb";
-    sha256 = "KQNd3BGvkZVsfIPVLEEMBptiFQYeCbWGR28ds2Y+w2Y=";
-  };
+  name = "v-sim";
+  inherit src;
   buildInputs = [ glib gtk3 epoxy libyaml ];
   nativeBuildInputs =
   [

local/pkgs/win11os-kde/default.nix

@@ -0,0 +1,20 @@
+{ lib, stdenv, src }: stdenv.mkDerivation
+{
+  name = "win11os-kde";
+  inherit src;
+  installPhase =
+  ''
+    mkdir -p $out/share/aurorae/themes
+    cp -r $src/aurorae/* $out/share/aurorae/themes
+    mkdir -p $out/share/color-schemes
+    cp -r $src/color-schemes/*.colors $out/share/color-schemes
+    mkdir -p $out/share/Kvantum
+    cp -r $src/Kvantum/* $out/share/Kvantum
+    mkdir -p $out/share/plasma/desktoptheme
+    cp -r $src/plasma/desktoptheme/* $out/share/plasma/desktoptheme
+    mkdir -p $out/share/plasma/look-and-feel
+    cp -r $src/plasma/look-and-feel/* $out/share/plasma/look-and-feel
+    mkdir -p $out/share/wallpapers
+    cp -r $src/wallpaper/* $out/share/wallpapers
+  '';
+}

local/pkgs/zpp-bits/default.nix

@@ -1,14 +1,7 @@
-{ stdenv, fetchFromGitHub }: stdenv.mkDerivation rec
+{ stdenv, src }: stdenv.mkDerivation
 {
-  pname = "zpp-bits";
-  version = "4.4.19";
-  src = fetchFromGitHub
-  {
-    owner = "eyalz800";
-    repo = "zpp_bits";
-    rev = "v${version}";
-    sha256 = "ejIwrvCFALuBQbQhTfzjBb11oMR/akKnboB60GWbjlQ=";
-  };
+  inherit src;
+  name = "zpp-bits";
   phases = [ "installPhase" ];
   installPhase =
   ''

modules/bugs/default.nix

@@ -5,8 +5,6 @@ inputs:
     inherit (inputs.lib) mkMerge mkIf mkOption types;
     bugs =
     {
-      # intel i915 hdmi
-      intel-hdmi.boot.kernelPatches = [{ name = "intel-hdmi"; patch = ./intel-hdmi.patch; }];
       # suspend & hibernate do not use platform
       suspend-hibernate-no-platform.systemd.sleep.extraConfig =
       ''
@@ -14,18 +12,23 @@ inputs:
         HibernateMode=shutdown
       '';
       # reload iwlwifi after resume from hibernate
-      hibernate-iwlwifi.systemd.services.reload-iwlwifi-after-hibernate =
+      hibernate-iwlwifi =
       {
-        description = "reload iwlwifi after resume from hibernate";
-        after = [ "systemd-hibernate.service" ];
-        serviceConfig.Type = "oneshot";
-        script = let modprobe = "${inputs.pkgs.kmod}/bin/modprobe"; in
-        ''
-          ${modprobe} -r iwlwifi
-          ${modprobe} iwlwifi
-          echo 0 > /sys/devices/system/cpu/intel_pstate/no_turbo
-        '';
-        wantedBy = [ "systemd-hibernate.service" ];
+        systemd.services.reload-iwlwifi-after-hibernate =
+        {
+          description = "reload iwlwifi after resume from hibernate";
+          after = [ "systemd-hibernate.service" ];
+          serviceConfig.Type = "oneshot";
+          script = let modprobe = "${inputs.pkgs.kmod}/bin/modprobe"; in
+          ''
+            ${modprobe} -r iwlwifi
+            ${modprobe} iwlwifi
+            echo 0 > /sys/devices/system/cpu/intel_pstate/no_turbo
+          '';
+          wantedBy = [ "systemd-hibernate.service" ];
+        };
+        nixos.system.kernel.modules.modprobeConfig =
+          [ "options iwlmvm power_scheme=1" "options iwlwifi uapsd_disable=1" ];
       };
       # disable wakeup on lid open
       suspend-lid-no-wakeup.systemd.services.lid-no-wakeup =
@@ -42,6 +45,10 @@ inputs:
             then
               echo LID0 > /proc/acpi/wakeup
             fi
+            if ${cat} /proc/acpi/wakeup | ${grep} XHCI | ${grep} -q enabled
+            then
+              echo XHCI > /proc/acpi/wakeup
+            fi
           '';
         wantedBy = [ "multi-user.target" ];
       };
@@ -71,11 +78,9 @@ inputs:
           };
         };
       firefox.programs.firefox.enable = inputs.lib.mkForce false;
-      embree.nixpkgs.overlays =
-        [(final: prev: { embree = prev.embree.override { stdenv = final.genericPackages.stdenv; }; })];
-      nvme.boot.kernelParams = [ "nvme_core.default_ps_max_latency_us=0" "iommu=soft" "pcie_aspm=off" ];
-      firmware-unstable.nixpkgs.overlays =
-        [ (final: prev: { linux-firmware = final.unstablePackages.linux-firmware; }) ];
+      power.boot.kernelParams = [ "cpufreq.default_governor=powersave" ];
+      backlight.boot.kernelParams = [ "nvidia.NVreg_RegistryDwords=EnableBrightnessControl=1" ];
+      amdpstate.boot.kernelParams = [ "amd_pstate=active" ];
     };
   in
     {

modules/bugs/intel-hdmi.patch

@@ -1,14 +0,0 @@
-diff --git a/drivers/gpu/drm/i915/display/intel_bios.c b/drivers/gpu/drm/i915/display/intel_bios.c
-index 55544d484318..d6f257f8fd14 100644
---- a/drivers/gpu/drm/i915/display/intel_bios.c
-+++ b/drivers/gpu/drm/i915/display/intel_bios.c
-@@ -2708,7 +2708,7 @@ static void parse_ddi_port(struct intel_bios_encoder_data *devdata)
- 	if (i915->display.vbt.ports[port]) {
- 		drm_dbg_kms(&i915->drm,
- 			    "More than one child device for port %c in VBT, using the first.\n",
- 			    port_name(port));
--		return;
-+		// return;
- 	}
- 
- 	sanitize_device_type(devdata, port);

modules/default.nix

@@ -13,24 +13,40 @@ inputs:
       topInputs.nur.nixosModules.nur
       topInputs.nur-xddxdd.nixosModules.setupOverlay
       topInputs.impermanence.nixosModules.impermanence
-      (inputs: { config.nixpkgs.overlays =
-      [
-        topInputs.qchem.overlays.default
-        topInputs.nixd.overlays.default
-        topInputs.nix-alien.overlays.default
-        topInputs.napalm.overlays.default
-        topInputs.pnpm2nix-nzbr.overlays.default
-        topInputs.lmix.overlays.default
-        (final: prev: topInputs.aagl.overlays.default {} final.unstablePackages)
-        (import "${topInputs.dguibert-nur-packages}/overlays/nvhpc-overlay")
-        (final: prev:
+      (inputs:
+      {
+        config =
         {
-          touchix = topInputs.touchix.packages."${prev.system}";
-          nix-vscode-extensions = topInputs.nix-vscode-extensions.extensions."${prev.system}";
-          nur-xddxdd = topInputs.nur-xddxdd.overlays.default final prev;
-          deploy-rs = { inherit (prev) deploy-rs; inherit ((topInputs.deploy-rs.overlay final prev).deploy-rs) lib; };
-        })
-      ];})
+          nixpkgs.overlays =
+          [
+            topInputs.qchem.overlays.default
+            topInputs.nixd.overlays.default
+            topInputs.nix-alien.overlays.default
+            topInputs.napalm.overlays.default
+            topInputs.pnpm2nix-nzbr.overlays.default
+            topInputs.lmix.overlays.default
+            topInputs.aagl.overlays.default
+            (import "${topInputs.dguibert-nur-packages}/overlays/nvhpc-overlay")
+            (final: prev:
+            {
+              nix-vscode-extensions = topInputs.nix-vscode-extensions.extensions."${prev.system}";
+              nur-xddxdd = topInputs.nur-xddxdd.overlays.default final prev;
+              nur-linyinfeng = (topInputs.nur-linyinfeng.overlays.default final prev).linyinfeng;
+              deploy-rs =
+                { inherit (prev) deploy-rs; inherit ((topInputs.deploy-rs.overlay final prev).deploy-rs) lib; };
+              # needed by mirism
+              nghttp2-2305 =
+                inputs.pkgs.callPackage "${inputs.topInputs.nixpkgs-2305}/pkgs/development/libraries/nghttp2" {};
+              firefox-addons = (import "${topInputs.rycee}" { inherit (prev) pkgs; }).firefox-addons;
+            })
+          ];
+          home-manager.sharedModules =
+          [
+            topInputs.plasma-manager.homeManagerModules.plasma-manager
+            topInputs.nix-doom-emacs.hmModule
+          ];
+        };
+      })
       ./hardware ./packages ./system ./virtualization ./services ./bugs ./users
     ];
   }

modules/hardware/default.nix

@@ -1,5 +1,6 @@
 inputs:
 {
+  imports = inputs.localLib.mkModules [ ./gpu.nix ./legion.nix ];
   options.nixos.hardware = let inherit (inputs.lib) mkOption types; in
   {
     bluetooth.enable = mkOption { type = types.bool; default = false; };
@@ -7,14 +8,6 @@ inputs:
     printer.enable = mkOption { type = types.bool; default = false; };
     sound.enable = mkOption { type = types.bool; default = false; };
     cpus = mkOption { type = types.listOf (types.enum [ "intel" "amd" ]); default = []; };
-    gpus = mkOption { type = types.listOf (types.enum [ "intel" "nvidia" ]); default = []; };
-    prime =
-    {
-      enable = mkOption { type = types.bool; default = false; };
-      mode = mkOption { type = types.enum [ "offload" "sync" ]; default = "offload"; };
-      busId = mkOption { type = types.attrsOf types.str; default = {}; };
-    };
-    gamemode.drmDevice = mkOption { type = types.int; default = 0; };
     halo-keyboard.enable = mkOption { type = types.bool; default = false; };
   };
   config =
@@ -71,78 +64,16 @@ inputs:
             let
               modules =
               {
-                intel = [ "intel_cstate" "aesni_intel" ];
+                intel =
+                [
+                  "intel_cstate" "aesni_intel" "intel_cstate" "intel_uncore" "intel_uncore_frequency" "intel_powerclamp"
+                ];
                 amd = [];
               };
             in
               concatLists (map (cpu: modules.${cpu}) hardware.cpus);
         }
       )
-      # gpus
-      (
-        mkIf (hardware.gpus != [])
-        {
-          boot.initrd.availableKernelModules =
-            let
-              modules =
-              {
-                intel = [ "i915" ];
-                nvidia = [ "nvidia" "nvidia_drm" "nvidia_modeset" "nvidia_uvm" ];
-              };
-            in
-              concatLists (map (gpu: modules.${gpu}) hardware.gpus);
-          hardware =
-          {
-            opengl =
-            {
-              enable = true;
-              driSupport = true;
-              extraPackages =
-                with inputs.pkgs;
-                let
-                  packages =
-                  {
-                    intel = [ intel-compute-runtime intel-media-driver libvdpau-va-gl ]; # intel-vaapi-driver
-                    nvidia = [ vaapiVdpau ];
-                  };
-                in
-                  concatLists (map (gpu: packages.${gpu}) hardware.gpus);
-              driSupport32Bit = true;
-            };
-            nvidia.nvidiaSettings = builtins.elem "nvidia" hardware.gpus;
-          };
-        }
-      )
-      (mkIf (builtins.elem "intel" hardware.gpus) { services.xserver.deviceSection = ''Driver "modesetting"''; })
-      # prime
-      (
-        mkIf hardware.prime.enable
-        {
-          hardware.nvidia = mkMerge
-          [
-            (
-              mkIf (hardware.prime.mode == "offload")
-              {
-                prime.offload = { enable = true; enableOffloadCmd = true; };
-                powerManagement = { finegrained = true; enable = true; };
-              }
-            )
-            (
-              mkIf (hardware.prime.mode == "sync")
-              {
-                prime = { sync.enable = true; };
-                # prime.forceFullCompositionPipeline = true;
-              }
-            )
-            {
-              prime = listToAttrs
-                (map (gpu: { inherit (gpu) value; name = "${gpu.name}BusId"; }) (attrsToList hardware.prime.busId));
-            }
-            
-          ];
-        }
-      )
-      { programs.gamemode.settings.gpu.gpu_device = "${toString hardware.gamemode.drmDevice}"; }
       # halo-keyboard
       (mkIf hardware.halo-keyboard.enable
       (
@@ -158,23 +89,13 @@ inputs:
             {
               Type = "simple";
               WorkingDirectory = "/etc/touch_keyboard";
-              # ExecStartPre = let sh = "${inputs.pkgs.bash}/bin/sh"; in
-              # [
-              #   ''-${sh} -c "echo 0 > /sys/class/pwm/pwmchip1/export"''
-              #   ''${sh} -c "echo 0 > /sys/class/pwm/pwmchip1/pwm0/enable"''
-              #   ''${sh} -c "echo 1 > /sys/class/pwm/pwmchip1/pwm0/enable"''
-              # ];
               ExecStart = "${keyboard}/bin/touch_keyboard_handler";
             };
-            yogabook-modes-handler =
+            yogabook-modes-handler.serviceConfig =
             {
-              wantedBy = [ "default.target" ];
-              serviceConfig =
-              {
-                Type = "simple";
-                ExecStart = "${support}/bin/yogabook-modes-handler";
-                StandardOutput = "journal";
-              };
+              Type = "simple";
+              ExecStart = "${support}/bin/yogabook-modes-handler";
+              StandardOutput = "journal";
             };
             monitor-sensor =
             {
@@ -187,6 +108,38 @@ inputs:
             };
           };
           environment.etc."touch_keyboard".source = "${keyboard}/etc/touch_keyboard";
+          boot.initrd =
+          {
+            services.udev.packages = [ keyboard support ];
+            systemd =
+            {
+              extraBin =
+              {
+                touch_keyboard_handler = "${keyboard}/bin/touch_keyboard_handler";
+                yogabook-modes-handler = "${support}/bin/yogabook-modes-handler";
+              };
+              services =
+              {
+                touch-keyboard-handler =
+                {
+                  serviceConfig =
+                  {
+                    Type = "simple";
+                    WorkingDirectory = "/etc/touch_keyboard";
+                    ExecStart = "${keyboard}/bin/touch_keyboard_handler";
+                  };
+                };
+                yogabook-modes-handler.serviceConfig =
+                {
+                  Type = "simple";
+                  ExecStart = "${support}/bin/yogabook-modes-handler";
+                  StandardOutput = "journal";
+                };
+              };
+
+            };
+            extraFiles."/etc/touch_keyboard".source = "${keyboard}/etc/touch_keyboard";
+          };
         }
       ))
     ];

modules/hardware/gpu.nix

@@ -0,0 +1,84 @@
+inputs:
+{
+  options.nixos.hardware.gpu = let inherit (inputs.lib) mkOption types; in
+  {
+    type = mkOption
+    {
+      type = types.nullOr (types.enum
+      [
+        # single gpu
+        "intel" "nvidia" "amd"
+        # hibrid gpu: use nvidia prime offload mode
+        "intel+nvidia" "amd+nvidia"
+      ]);
+      default = null;
+    };
+    prime.busId = mkOption { type = types.attrsOf types.nonEmptyStr; default = {}; };
+  };
+  config = let inherit (inputs.config.nixos.hardware) gpu; in inputs.lib.mkIf (gpu.type != null) (inputs.lib.mkMerge
+  [
+    # generic settings
+    (
+      let gpus = inputs.lib.strings.splitString "+" gpu.type; in
+      {
+        boot.initrd.availableKernelModules =
+          let modules =
+          {
+            intel = [ "i915" ];
+            nvidia = [ "nvidia" "nvidia_drm" "nvidia_modeset" ]; # nvidia-uvm should not be loaded
+            amd = [ "amdgpu" ];
+          };
+          in builtins.concatLists (builtins.map (gpu: modules.${gpu}) gpus);
+        hardware =
+        {
+          opengl =
+          {
+            enable = true;
+            driSupport = true;
+            driSupport32Bit = true;
+            extraPackages =
+              let packages = with inputs.pkgs;
+              {
+                intel = [ intel-vaapi-driver libvdpau-va-gl intel-media-driver ];
+                nvidia = [ vaapiVdpau ];
+                amd = [ amdvlk rocmPackages.clr rocmPackages.clr.icd ];
+              };
+              in builtins.concatLists (builtins.map (gpu: packages.${gpu}) gpus);
+            extraPackages32 =
+              let packages = { intel = []; nvidia = []; amd = [ inputs.pkgs.driversi686Linux.amdvlk ]; };
+              in builtins.concatLists (builtins.map (gpu: packages.${gpu}) gpus);
+          };
+          nvidia = inputs.lib.mkIf (builtins.elem "nvidia" gpus)
+          {
+            modesetting.enable = true;
+            powerManagement.enable = true;
+            dynamicBoost.enable = true;
+            nvidiaSettings = true;
+            # package = inputs.config.boot.kernelPackages.nvidiaPackages.production;
+          };
+        };
+        boot =
+        {
+          kernelParams = inputs.lib.mkIf (builtins.elem "amd" gpus)
+            [ "radeon.cik_support=0" "amdgpu.cik_support=1" "radeon.si_support=0" "amdgpu.si_support=1" "iommu=pt" ];
+          blacklistedKernelModules = [ "nouveau" ];
+        };
+        environment.variables.VDPAU_DRIVER = inputs.lib.mkIf (builtins.elem "intel" gpus) "va_gl";
+        services.xserver.videoDrivers =
+          let driver = { intel = "modesetting"; amd = "amdgpu"; nvidia = "nvidia"; };
+          in builtins.map (gpu: driver.${gpu}) gpus;
+      }
+    )
+    # nvidia prime offload
+    (
+      inputs.lib.mkIf (inputs.lib.strings.hasSuffix "+nvidia" gpu.type) { hardware.nvidia =
+      {
+        prime = { offload = { enable = true; enableOffloadCmd = true; }; }
+          // builtins.listToAttrs (builtins.map
+            (gpu: { name = "${if gpu.name == "amd" then "amdgpu" else gpu.name}BusId"; value = "PCI:${gpu.value}"; })
+            (inputs.localLib.attrsToList gpu.prime.busId));
+        powerManagement.finegrained = true;
+      };}
+    )
+  ]);
+}

modules/hardware/legion.nix

@@ -0,0 +1,16 @@
+inputs:
+{
+  options.nixos.hardware.legion = let inherit (inputs.lib) mkOption types; in
+  {
+    enable = mkOption { type = types.bool; default = false; };
+  };
+  config =
+    let
+      inherit (inputs.lib) mkIf;
+      inherit (inputs.config.nixos.hardware) legion;
+    in mkIf legion.enable
+    {
+      environment.systemPackages = [ inputs.pkgs.lenovo-legion ];
+      boot.extraModulePackages = [ inputs.config.boot.kernelPackages.lenovo-legion-module ];
+    };
+}

modules/packages/default.nix

@@ -1,588 +1,72 @@
 inputs:
 {
-  options.nixos.packages = let inherit (inputs.lib) mkOption types; in
-  {
-    packageSet = mkOption
-    {
-      type = types.enum
+  imports = inputs.localLib.mkModules
+  [
+    ./server
+    ./desktop
+    ./desktop-fat
+    ./workstation
+  ];
+  options.nixos.packages =
+    let
+      inherit (inputs.lib) mkOption types;
+      packageSets =
       [
         # no gui, only used for specific purpose
         "server"
         # gui, for daily use, but not install large programs such as matlab
         "desktop"
+        "desktop-fat"
         # nearly everything
         "workstation"
       ];
-      default = "server";
+    in
+    {
+      packageSet = mkOption { type = types.enum packageSets; default = "server"; };
+      extraPackages = mkOption { type = types.listOf types.unspecified; default = []; };
+      excludePackages = mkOption { type = types.listOf types.unspecified; default = []; };
+      extraPythonPackages = mkOption { type = types.listOf types.unspecified; default = []; };
+      excludePythonPackages = mkOption { type = types.listOf types.unspecified; default = []; };
+      extraPrebuildPackages = mkOption { type = types.listOf types.unspecified; default = []; };
+      excludePrebuildPackages = mkOption { type = types.listOf types.unspecified; default = []; };
+      _packageSets = mkOption
+      {
+        type = types.listOf types.nonEmptyStr;
+        readOnly = true;
+        default = builtins.genList (i: builtins.elemAt packageSets i)
+          ((inputs.localLib.findIndex inputs.config.nixos.packages.packageSet packageSets) + 1);
+      };
+      _packages = mkOption { type = types.listOf types.unspecified; default = []; };
+      _pythonPackages = mkOption { type = types.listOf types.unspecified; default = []; };
+      _prebuildPackages = mkOption { type = types.listOf types.unspecified; default = []; };
     };
-    extraPackages = mkOption { type = types.listOf types.unspecified; default = []; };
-    excludePackages = mkOption { type = types.listOf types.unspecified; default = []; };
-    extraPythonPackages = mkOption { type = types.listOf types.unspecified; default = []; };
-    excludePythonPackages = mkOption { type = types.listOf types.unspecified; default = []; };
-    extraPrebuildPackages = mkOption { type = types.listOf types.unspecified; default = []; };
-    excludePrebuildPackages = mkOption { type = types.listOf types.unspecified; default = []; };
-    _packages = mkOption { type = types.listOf types.unspecified; default = []; };
-    _pythonPackages = mkOption { type = types.listOf types.unspecified; default = []; };
-    _prebuildPackages = mkOption { type = types.listOf types.unspecified; default = []; };
-  };
   config =
     let
-      inherit (inputs.lib) mkMerge mkIf;
-      inherit (builtins) concatLists map listToAttrs;
-      inherit (inputs.localLib) attrsToList;
-    in mkMerge
-    [
-      # >= server
-      {
-        nixos =
-        {
-          packages = with inputs.pkgs;
+      inherit (builtins) concatLists map;
+    in
+    {
+      environment.systemPackages = let inherit (inputs.lib.lists) subtractLists; in with inputs.config.nixos.packages;
+        (subtractLists excludePackages (_packages ++ extraPackages))
+        ++ [
+          (inputs.pkgs.python3.withPackages (pythonPackages:
+            subtractLists
+              (concatLists (map (packageFunction: packageFunction pythonPackages) excludePythonPackages))
+              (concatLists (map (packageFunction: packageFunction pythonPackages)
+                (_pythonPackages ++ extraPythonPackages)))))
+          (inputs.pkgs.callPackage ({ stdenv }: stdenv.mkDerivation
           {
-            _packages = 
-            [
-              # shell
-              ksh
-              # basic tools
-              beep dos2unix gnugrep pv tmux screen parallel tldr cowsay jq zellij neofetch ipfetch localPackages.pslist
-              unstablePackages.fastfetch
-              # lsxx
-              pciutils usbutils lshw util-linux lsof
-              # top
-              iotop iftop htop btop powertop s-tui
-              # editor
-              nano bat
-              # downloader
-              wget aria2 curl
-              # file manager
-              tree exa trash-cli lsd broot file xdg-ninja mlocate
-              # compress
-              pigz rar upx unzip zip lzip p7zip
-              # file system management
-              sshfs e2fsprogs adb-sync duperemove compsize
-              # disk management
-              smartmontools hdparm
-              # encryption and authentication
-              apacheHttpd openssl ssh-to-age gnupg age sops pam_u2f yubico-piv-tool
-              # networking
-              ipset iptables iproute2 dig nettools traceroute tcping-go whois tcpdump nmap inetutils
-              # nix tools
-              nix-output-monitor nix-tree
-              # office
-              todo-txt-cli
-              # development
-              gdb unstablePackages.try
-            ] ++ (with inputs.config.boot.kernelPackages; [ cpupower usbip ]);
-            _pythonPackages = [(pythonPackages: with pythonPackages;
-            [
-              inquirerpy requests python-telegram-bot tqdm fastapi pypdf2 pandas matplotlib plotly gunicorn redis jinja2
-              certifi charset-normalizer idna orjson psycopg2 localPackages.eigengdb
-            ])];
-          };
-          users.sharedModules = [(home-inputs:
-          {
-            config.programs =
-            {
-              zsh =
-              {
-                enable = true;
-                initExtraBeforeCompInit =
-                ''
-                  # p10k instant prompt
-                  P10K_INSTANT_PROMPT="$XDG_CACHE_HOME/p10k-instant-prompt-''${(%):-%n}.zsh"
-                  [[ ! -r "$P10K_INSTANT_PROMPT" ]] || source "$P10K_INSTANT_PROMPT"
-                  HYPHEN_INSENSITIVE="true"
-                  export PATH=~/bin:$PATH
-                  function br
-                  {
-                    local cmd cmd_file code
-                    cmd_file=$(mktemp)
-                    if broot --outcmd "$cmd_file" "$@"; then
-                      cmd=$(<"$cmd_file")
-                      command rm -f "$cmd_file"
-                      eval "$cmd"
-                    else
-                      code=$?
-                      command rm -f "$cmd_file"
-                      return "$code"
-                    fi
-                  }
-                  alias todo="todo.sh"
-                '';
-                plugins =
-                [
-                  {
-                    file = "powerlevel10k.zsh-theme";
-                    name = "powerlevel10k";
-                    src = "${inputs.pkgs.zsh-powerlevel10k}/share/zsh-powerlevel10k";
-                  }
-                  {
-                    file = "p10k.zsh";
-                    name = "powerlevel10k-config";
-                    src = ./p10k-config;
-                  }
-                  {
-                    name = "zsh-lsd";
-                    src = inputs.pkgs.fetchFromGitHub
-                    {
-                      owner = "z-shell";
-                      repo = "zsh-lsd";
-                      rev = "029a9cb0a9b39c9eb6c5b5100dd9182813332250";
-                      sha256 = "sha256-oWjWnhiimlGBMaZlZB+OM47jd9hporKlPNwCx6524Rk=";
-                    };
-                  }
-                ];
-                history =
-                {
-                  path = "${home-inputs.config.xdg.dataHome}/zsh/zsh_history";
-                  extended = true;
-                  save = 100000000;
-                  size = 100000000;
-                  share = true;
-                };
-              };
-              direnv = { enable = true; nix-direnv.enable = true; };
-              git =
-              {
-                enable = true;
-                lfs.enable = true;
-                extraConfig =
-                {
-                  core.editor = if inputs.config.nixos.system.gui.preferred then "code --wait" else "vim";
-                  advice.detachedHead = false;
-                  merge.conflictstyle = "diff3";
-                  diff.colorMoved = "default";
-                };
-                package = inputs.pkgs.gitFull;
-                delta =
-                {
-                  enable = true;
-                  options =
-                  {
-                    side-by-side = true;
-                    navigate = true;
-                    syntax-theme = "GitHub";
-                    light = true;
-                    zero-style = "syntax white";
-                    line-numbers-zero-style = "#ffffff";
-                  };
-                };
-              };
-              ssh =
-              {
-                enable = true;
-                controlMaster = "auto";
-                controlPersist = "1m";
-                compression = true;
-              };
-              vim =
-              {
-                enable = true;
-                defaultEditor = true;
-                packageConfigurable = inputs.config.programs.vim.package;
-                settings =
-                {
-                  number = true;
-                  expandtab = false;
-                  shiftwidth = 2;
-                  tabstop = 2;
-                };
-                extraConfig =
-                ''
-                  set clipboard=unnamedplus
-                  colorscheme evening
-                '';
-              };
-            };
-          })];
-        };
-        programs =
-        {
-          nix-index-database.comma.enable = true;
-          nix-index.enable = true;
-          zsh =
-          {
-            enable = true;
-            syntaxHighlighting.enable = true;
-            autosuggestions.enable = true;
-            enableCompletion = true;
-            ohMyZsh =
-            {
-              enable = true;
-              plugins = [ "git" "colored-man-pages" "extract" "history-substring-search" "autojump" ];
-              customPkgs = with inputs.pkgs; [ zsh-nix-shell ];
-            };
-          };
-          ccache.enable = true;
-          command-not-found.enable = false;
-          adb.enable = true;
-          gnupg.agent = { enable = true; enableSSHSupport = true; };
-          autojump.enable = true;
-          git =
-          {
-            enable = true;
-            package = inputs.pkgs.gitFull;
-            lfs.enable = true;
-            config =
-            {
-              init.defaultBranch = "main";
-              core = { quotepath = false; editor = "vim"; };
-            };
-          };
-        };
-        services =
-        {
-          fwupd.enable = true;
-          udev.packages = with inputs.pkgs; [ yubikey-personalization libfido2 ];
-          openssh.knownHosts =
-            let
-              servers =
-              {
-                vps6 =
-                {
-                  ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO5ZcvyRyOnUCuRtqrM/Qf+AdUe3a5bhbnfyhw2FSLDZ";
-                  hostnames = [ "vps6.chn.moe" "74.211.99.69" "192.168.82.1" ];
-                };
-                "initrd.vps6" =
-                {
-                  ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB4DKB/zzUYco5ap6k9+UxeO04LL12eGvkmQstnYxgnS";
-                  hostnames = [ "initrd.vps6.chn.moe" "74.211.99.69" ];
-                };
-                vps7 =
-                {
-                  ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5XkdilejDAlg5hZZD0oq69k8fQpe9hIJylTo/aLRgY";
-                  hostnames = [ "vps7.chn.moe" "95.111.228.40" "192.168.82.2" ];
-                };
-                "initrd.vps7" =
-                {
-                  ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGZyQpdQmEZw3nLERFmk2tS1gpSvXwW0Eish9UfhrRxC";
-                  hostnames = [ "initrd.vps7.chn.moe" "95.111.228.40" ];
-                };
-                nas =
-                {
-                  ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIktNbEcDMKlibXg54u7QOLt0755qB/P4vfjwca8xY6V";
-                  hostnames = [ "[office.chn.moe]:5440" "192.168.82.4" ];
-                };
-                "initrd.nas" =
-                {
-                  ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAoMu0HEaFQsnlJL0L6isnkNZdRq0OiDXyaX3+fl3NjT";
-                  hostnames = [ "[office.chn.moe]:5440" ];
-                };
-                pc =
-                {
-                  ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMSfREi19OSwQnhdsE8wiNwGSFFJwNGN0M5gN+sdrrLJ";
-                  hostnames = [ "192.168.8.2.3" ];
-                };
-                hpc =
-                {
-                  ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDVpsQW3kZt5alHC6mZhay3ZEe2fRGziG4YJWCv2nn/O";
-                  hostnames = [ "hpc.xmu.edu.cn" ];
-                };
-                github =
-                {
-                  ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
-                  hostnames = [ "github.com" ];
-                };
-              };
-            in listToAttrs (concatLists (map
-              (server:
-              (
-                if builtins.pathExists ./ssh/${server.name}_rsa.pub then
-                [{
-                  name = "${server.name}-rsa";
-                  value =
-                  {
-                    publicKey = builtins.readFile ./ssh/${server.name}_rsa.pub;
-                    hostNames = server.value.hostnames;
-                  };
-                }]
-                else []
-              )
-              ++ (
-                if builtins.pathExists ./ssh/${server.name}_ecdsa.pub then
-                [{
-                  name = "${server.name}-ecdsa";
-                  value =
-                  {
-                    publicKey = builtins.readFile ./ssh/${server.name}_ecdsa.pub;
-                    hostNames = server.value.hostnames;
-                  };
-                }]
-                else []
-              )
-              ++ (
-                if server.value ? ed25519 then
-                [{
-                  name = "${server.name}-ed25519";
-                  value =
-                  {
-                    publicKey = server.value.ed25519;
-                    hostNames = server.value.hostnames;
-                  };
-                }]
-                else []
-              ))
-              (attrsToList servers)));
-        };
-        nix.settings.extra-sandbox-paths = [ inputs.config.programs.ccache.cacheDir ];
-        nixpkgs.config =
-        {
-          permittedInsecurePackages = with inputs.pkgs;
-          [
-            openssl_1_1.name electron_19.name nodejs-16_x.name python2.name electron_12.name
-          ];
-          allowUnfree = true;
-        };
-        home-manager =
-        {
-          useGlobalPkgs = true;
-          useUserPackages = true;
-        };
-      }
-      # >= desktop
-      (
-        mkIf (builtins.elem inputs.config.nixos.packages.packageSet [ "desktop" "workstation" ] )
-        {
-          nixos =
-          {
-            packages = with inputs.pkgs;
-            {
-              _packages =
-              [
-                # system management
-                gparted snapper-gui libsForQt5.qtstyleplugin-kvantum wl-clipboard-x11 kio-fuse wl-mirror
-                wayland-utils clinfo glxinfo vulkan-tools dracut etcher unstablePackages.btrfs-assistant
-                # nix tools
-                ssh-to-age deploy-rs.deploy-rs nixpkgs-fmt
-                # instant messager
-                element-desktop telegram-desktop discord inputs.config.nur.repos.linyinfeng.wemeet # native
-                cinny-desktop # nur-xddxdd.wine-wechat thunder
-                # browser
-                google-chrome
-                # networking
-                remmina putty mtr-gui
-                # password and key management
-                bitwarden yubikey-manager yubikey-manager-qt yubikey-personalization yubikey-personalization-gui
-                # download
-                qbittorrent yt-dlp nur-xddxdd.baidupcs-go wgetpaste
-                # office
-                unstablePackages.crow-translate zotero pandoc ydict
-                # development
-                scrcpy
-                # media
-                spotify yesplaymusic mpv nomacs simplescreenrecorder imagemagick gimp netease-cloud-music-gtk vlc
-                # text editor
-                localPackages.typora
-                # themes
-                orchis-theme tela-circle-icon-theme plasma-overdose-kde-theme materia-kde-theme graphite-kde-theme
-                arc-kde-theme materia-theme
-                # news
-                fluent-reader rssguard
-                # davinci-resolve playonlinux
-                weston cage openbox krita
-                genymotion hdfview electrum
-                (
-                  vscode-with-extensions.override
-                  {
-                    vscodeExtensions = with nix-vscode-extensions.vscode-marketplace;
-                      (with equinusocio; [ vsc-community-material-theme vsc-material-theme-icons ])
-                      ++ (with github; [ copilot copilot-chat copilot-labs github-vscode-theme ])
-                      ++ (with intellsmi; [ comment-translate deepl-translate ])
-                      ++ (with ms-python; [ isort python vscode-pylance ])
-                      ++ (with ms-toolsai;
-                      [
-                        jupyter jupyter-keymap jupyter-renderers vscode-jupyter-cell-tags vscode-jupyter-slideshow
-                      ])
-                      ++ (with ms-vscode;
-                      [
-                        cmake-tools cpptools cpptools-extension-pack cpptools-themes hexeditor remote-explorer
-                        test-adapter-converter
-                      ])
-                      ++ (with ms-vscode-remote; [ remote-ssh remote-containers remote-ssh-edit ])
-                      ++ [
-                        donjayamanne.githistory genieai.chatgpt-vscode fabiospampinato.vscode-diff cschlosser.doxdocgen
-                        llvm-vs-code-extensions.vscode-clangd ms-ceintl.vscode-language-pack-zh-hans
-                        oderwat.indent-rainbow
-                        twxs.cmake guyutongxue.cpp-reference znck.grammarly thfriedrich.lammps leetcode.vscode-leetcode
-                        james-yu.latex-workshop gimly81.matlab affenwiesel.matlab-formatter ckolkman.vscode-postgres
-                        yzhang.markdown-all-in-one pkief.material-icon-theme bbenoist.nix ms-ossdata.vscode-postgresql
-                        redhat.vscode-xml dotjoshjohnson.xml jnoortheen.nix-ide xdebug.php-debug
-                        hbenl.vscode-test-explorer
-                        jeff-hykin.better-cpp-syntax fredericbonnet.cmake-test-adapter mesonbuild.mesonbuild
-                        hirse.vscode-ungit fortran-lang.linter-gfortran tboox.xmake-vscode ccls-project.ccls
-                        feiskyer.chatgpt-copilot yukiuuh2936.vscode-modern-fortran-formatter wolframresearch.wolfram
-                        njpipeorgan.wolfram-language-notebook brettm12345.nixfmt-vscode webfreak.debug
-                        gruntfuggly.todo-tree
-                      ];
-                  }
-                )
-              ] ++ (with inputs.lib; filter isDerivation (attrValues plasma5Packages.kdeGear));
-            };
-            users.sharedModules =
-            [{
-              config =
-              {
-                programs =
-                {
-                  chromium =
-                  {
-                    enable = true;
-                    extensions =
-                    [
-                      { id = "mpkodccbngfoacfalldjimigbofkhgjn"; } # Aria2 Explorer
-                      { id = "nngceckbapebfimnlniiiahkandclblb"; } # Bitwarden
-                      { id = "kbfnbcaeplbcioakkpcpgfkobkghlhen"; } # Grammarly
-                      { id = "ihnfpdchjnmlehnoeffgcbakfmdjcckn"; } # Pixiv Fanbox Downloader
-                      { id = "cimiefiiaegbelhefglklhhakcgmhkai"; } # Plasma Integration
-                      { id = "dkndmhgdcmjdmkdonmbgjpijejdcilfh"; } # Powerful Pixiv Downloader
-                      { id = "padekgcemlokbadohgkifijomclgjgif"; } # Proxy SwitchyOmega
-                      { id = "kefjpfngnndepjbopdmoebkipbgkggaa"; } # RSSHub Radar
-                      { id = "abpdnfjocnmdomablahdcfnoggeeiedb"; } # Save All Resources
-                      { id = "nbokbjkabcmbfdlbddjidfmibcpneigj"; } # SmoothScroll
-                      { id = "onepmapfbjohnegdmfhndpefjkppbjkm"; } # SuperCopy 超级复制
-                      { id = "cjpalhdlnbpafiamejdnhcphjbkeiagm"; } # uBlock Origin
-                      { id = "gppongmhjkpfnbhagpmjfkannfbllamg"; } # Wappalyzer
-                      { id = "hkbdddpiemdeibjoknnofflfgbgnebcm"; } # YouTube™ 双字幕
-                      { id = "ekhagklcjbdpajgpjgmbionohlpdbjgc"; } # Zotero Connector
-                      { id = "ikhdkkncnoglghljlkmcimlnlhkeamad"; } # 划词翻译
-                      { id = "dhdgffkkebhmkfjojejmpbldmpobfkfo"; } # 篡改猴
-                      { id = "hipekcciheckooncpjeljhnekcoolahp"; } # Tabliss
-                      { id = "nkbihfbeogaeaoehlefnkodbefgpgknn"; } # MetaMask
-                    ];
-                  };
-                  obs-studio =
-                  {
-                    enable = true;
-                    plugins = with inputs.pkgs.obs-studio-plugins;
-                      [ wlrobs obs-vaapi obs-nvfbc droidcam-obs obs-vkcapture ];
-                  };
-                };
-                home.file.".config/baloofilerc".text =
-                ''
-                  [Basic Settings]
-                  Indexing-Enabled=false
-                '';
-              };
-            }];
-          };
-          programs =
-          {
-            steam.enable = true;
-            kdeconnect.enable = true;
-            wireshark = { enable = true; package = inputs.pkgs.wireshark; };
-            firefox =
-            {
-              enable = true;
-              languagePacks = [ "zh-CN" "en-US" ];
-              nativeMessagingHosts.firefoxpwa = true;
-            };
-            vim.package = inputs.pkgs.genericPackages.vim-full;
-          };
-          nixpkgs.config.packageOverrides = pkgs: 
-          {
-            telegram-desktop = pkgs.telegram-desktop.overrideAttrs (attrs:
-            {
-              patches = (if (attrs ? patches) then attrs.patches else []) ++ [ ./telegram.patch ];
-            });
-          };
-          services.pcscd.enable = true;
-        }
-      )
-      # >= workstation
-      (
-        mkIf (inputs.config.nixos.packages.packageSet == "workstation")
-        {
-          nixos.packages = with inputs.pkgs;
-          {
-            _packages =
-            [
-              # nix tools
-              nix-template appimage-run nil nixd nix-alien nix-serve node2nix nix-prefetch-github prefetch-npm-deps
-              nix-prefetch-docker pnpm-lock-export bundix
-              # instant messager
-              zoom-us signal-desktop qq nur-xddxdd.wechat-uos slack # jail
-              # office
-              libreoffice-qt texlive.combined.scheme-full texstudio poppler_utils pdftk gnuplot pdfchain
-              # development
-              jetbrains.clion android-studio dbeaver cling clang-tools_16 ccls fprettify
-              # media
-              nur-xddxdd.svp obs-studio waifu2x-converter-cpp inkscape blender
-              # virtualization
-              wineWowPackages.stagingFull virt-viewer bottles # wine64
-              # text editor
-              appflowy notion-app-enhanced joplin-desktop standardnotes
-              # math, physics and chemistry
-              mathematica octaveFull root ovito paraview localPackages.vesta qchem.quantum-espresso
-              localPackages.vasp localPackages.phonon-unfolding localPackages.vaspkit jmol localPackages.v_sim
-              # news
-              newsflash newsboat
-            ];
-            _pythonPackages = [(pythonPackages: with pythonPackages;
-            [
-              phonopy tensorflow keras openai scipy scikit-learn jupyterlab
-            ])];
-            _prebuildPackages =
-            [
-              httplib magic-enum xtensor boost cereal cxxopts ftxui yaml-cpp gfortran gcc10 python2
-              unstablePackages.gcc13Stdenv
-            ];
-          };
-          programs =
-          {
-            anime-game-launcher = { enable = true; package = inputs.pkgs.anime-game-launcher; };
-            honkers-railway-launcher = { enable = true; package = inputs.pkgs.honkers-railway-launcher; };
-            nix-ld.enable = true;
-            gamemode =
-            {
-              enable = true;
-              settings =
-              {
-                general.renice = 10;
-                gpu =
-                {
-                  apply_gpu_optimisations = "accept-responsibility";
-                  nv_powermizer_mode = 1;
-                };
-                custom = let notify-send = "${inputs.pkgs.libnotify}/bin/notify-send"; in
-                {
-                  start = "${notify-send} 'GameMode started'";
-                  end = "${notify-send} 'GameMode ended'";
-                };
-              };
-            };
-            chromium =
-            {
-              enable = true;
-              extraOpts.PasswordManagerEnabled = false;
-            };
-          };
-        }
-      )
-      # apply package configs
-      {
-        environment.systemPackages = let inherit (inputs.lib.lists) subtractLists; in with inputs.config.nixos.packages;
-          (subtractLists excludePackages (_packages ++ extraPackages))
-          ++ [
-            (inputs.pkgs.python3.withPackages (pythonPackages:
-              subtractLists
-                (builtins.concatLists (builtins.map (packageFunction: packageFunction pythonPackages)
-                  excludePythonPackages))
-                (builtins.concatLists (builtins.map (packageFunction: packageFunction pythonPackages)
-                  (_pythonPackages ++ extraPythonPackages)))))
-            (inputs.pkgs.callPackage ({ stdenv }: stdenv.mkDerivation
-            {
-              name = "prebuild-packages";
-              propagateBuildInputs = subtractLists excludePrebuildPackages (_prebuildPackages ++ extraPrebuildPackages);
-              phases = [ "installPhase" ];
-              installPhase =
-              ''
-                runHook preInstall
-                mkdir -p $out
-                runHook postInstall
-              '';
-            }) {})
-          ];
-      }
-    ];
+            name = "prebuild-packages";
+            propagateBuildInputs = subtractLists excludePrebuildPackages (_prebuildPackages ++ extraPrebuildPackages);
+            phases = [ "installPhase" ];
+            installPhase =
+            ''
+              runHook preInstall
+              mkdir -p $out
+              runHook postInstall
+            '';
+          }) {})
+        ];
+    };
 }
 
     # programs.firejail =

modules/packages/desktop-fat/chromium.nix

@@ -0,0 +1,39 @@
+inputs:
+{
+  config =
+    let
+      inherit (inputs.lib) mkIf;
+    in mkIf (builtins.elem "desktop-fat" inputs.config.nixos.packages._packageSets)
+    {
+      nixos.users.sharedModules =
+      [{
+        config.programs.chromium =
+        {
+          enable = true;
+          extensions =
+          [
+            { id = "mpkodccbngfoacfalldjimigbofkhgjn"; } # Aria2 Explorer
+            { id = "nngceckbapebfimnlniiiahkandclblb"; } # Bitwarden
+            { id = "kbfnbcaeplbcioakkpcpgfkobkghlhen"; } # Grammarly
+            { id = "ihnfpdchjnmlehnoeffgcbakfmdjcckn"; } # Pixiv Fanbox Downloader
+            { id = "cimiefiiaegbelhefglklhhakcgmhkai"; } # Plasma Integration
+            { id = "dkndmhgdcmjdmkdonmbgjpijejdcilfh"; } # Powerful Pixiv Downloader
+            { id = "padekgcemlokbadohgkifijomclgjgif"; } # Proxy SwitchyOmega
+            { id = "kefjpfngnndepjbopdmoebkipbgkggaa"; } # RSSHub Radar
+            { id = "abpdnfjocnmdomablahdcfnoggeeiedb"; } # Save All Resources
+            { id = "nbokbjkabcmbfdlbddjidfmibcpneigj"; } # SmoothScroll
+            { id = "onepmapfbjohnegdmfhndpefjkppbjkm"; } # SuperCopy 超级复制
+            { id = "cjpalhdlnbpafiamejdnhcphjbkeiagm"; } # uBlock Origin
+            { id = "gppongmhjkpfnbhagpmjfkannfbllamg"; } # Wappalyzer
+            { id = "hkbdddpiemdeibjoknnofflfgbgnebcm"; } # YouTube™ 双字幕
+            { id = "ekhagklcjbdpajgpjgmbionohlpdbjgc"; } # Zotero Connector
+            { id = "ikhdkkncnoglghljlkmcimlnlhkeamad"; } # 划词翻译
+            { id = "dhdgffkkebhmkfjojejmpbldmpobfkfo"; } # 篡改猴
+            { id = "hipekcciheckooncpjeljhnekcoolahp"; } # Tabliss
+            { id = "nkbihfbeogaeaoehlefnkodbefgpgknn"; } # MetaMask
+            { id = "bpoadfkcbjbfhfodiogcnhhhpibjhbnh"; } # 沉浸式翻译
+          ];
+        };
+      }];
+    };
+}

modules/packages/desktop-fat/default.nix

@@ -0,0 +1,53 @@
+inputs:
+{
+  imports = inputs.localLib.mkModules
+  [
+    ./chromium.nix
+    ./steam.nix
+  ];
+  config =
+    let
+      inherit (inputs.lib) mkIf;
+    in mkIf (builtins.elem "desktop-fat" inputs.config.nixos.packages._packageSets)
+    {
+      nixos =
+      {
+        packages = with inputs.pkgs;
+        {
+          _packages =
+          [
+            # system management
+            etcher btrfs-assistant snapper-gui libsForQt5.qtstyleplugin-kvantum ventoy-full
+            # password and key management
+            yubikey-manager yubikey-manager-qt yubikey-personalization yubikey-personalization-gui bitwarden
+            # download
+            qbittorrent nur-xddxdd.baidupcs-go wgetpaste
+            # development
+            scrcpy weston cage openbox krita
+            # media
+            spotify yesplaymusic simplescreenrecorder imagemagick gimp netease-cloud-music-gtk vlc obs-studio
+            waifu2x-converter-cpp inkscape blender
+            # editor
+            localPackages.typora
+            # themes
+            orchis-theme plasma-overdose-kde-theme materia-kde-theme graphite-kde-theme arc-kde-theme materia-theme
+            # news
+            fluent-reader
+            # nix tools
+            deploy-rs.deploy-rs nixpkgs-fmt appimage-run nixd nix-serve node2nix nix-prefetch-github prefetch-npm-deps
+            nix-prefetch-docker
+            # instant messager
+            element-desktop telegram-desktop discord fluffychat zoom-us signal-desktop slack nur-linyinfeng.wemeet
+            # browser
+            google-chrome
+            # office
+            crow-translate zotero pandoc ydict libreoffice-qt texstudio poppler_utils pdftk gnuplot pdfchain hdfview
+            (texlive.combine { inherit (texlive) scheme-full; inherit (localPackages) citation-style-language; })
+            # math, physics and chemistry
+            octaveFull root ovito localPackages.vesta localPackages.vaspkit localPackages.v-sim
+          ] ++ (with inputs.lib; filter isDerivation (attrValues plasma5Packages.kdeGear));
+        };
+      };
+      programs.kdeconnect.enable = true;
+    };
+}

modules/packages/desktop-fat/steam.nix

@@ -0,0 +1,23 @@
+inputs:
+{
+  config =
+    let
+      inherit (inputs.lib) mkIf;
+    in mkIf (builtins.elem "desktop-fat" inputs.config.nixos.packages._packageSets)
+    {
+      programs.steam =
+      {
+        enable = true;
+        package = inputs.pkgs.steam.override (prev:
+        {
+          steam = prev.steam.overrideAttrs (prev:
+          {
+            postInstall = prev.postInstall +
+            ''
+              sed -i 's#Comment\[zh_CN\]=.*$#Comment\[zh_CN\]=思题慕®学习平台#' $out/share/applications/steam.desktop
+            '';
+          });
+        });
+      };
+    };
+}

modules/packages/desktop/default.nix

@@ -0,0 +1,65 @@
+inputs:
+{
+  imports = inputs.localLib.mkModules [ ./vscode.nix ./firefox.nix ];
+  config =
+    let
+      inherit (inputs.lib) mkIf;
+    in mkIf (builtins.elem "desktop" inputs.config.nixos.packages._packageSets)
+    {
+      nixos =
+      {
+        packages._packages = with inputs.pkgs;
+        [
+          # system management
+          gparted kio-fuse wayland-utils clinfo glxinfo vulkan-tools dracut
+          (
+            writeShellScriptBin "xclip"
+            ''
+              #!${bash}/bin/bash
+              if [ "$XDG_SESSION_TYPE" = "x11" ]; then
+                exec ${xclip}/bin/xclip "$@"
+              else
+                exec ${wl-clipboard-x11}/bin/xclip "$@"
+              fi
+            ''
+          )
+          # color management
+          argyllcms xcalib
+          # networking
+          remmina putty mtr-gui
+          # media
+          mpv nomacs
+          # themes
+          tela-circle-icon-theme localPackages.win11os-kde localPackages.fluent-kde localPackages.blurred-wallpaper
+          localPackages.slate utterly-nord-plasma
+        ];
+        users.sharedModules =
+        [(homeInputs: {
+          config.home.file = mkIf (!homeInputs.config.programs.plasma.enable)
+          {
+            ".config/baloofilerc".text =
+            ''
+              [Basic Settings]
+              Indexing-Enabled=false
+            '';
+          };
+        })];
+      };
+      programs =
+      {
+        adb.enable = true;
+        wireshark = { enable = true; package = inputs.pkgs.wireshark; };
+        vim.package = inputs.pkgs.vim-full;
+        yubikey-touch-detector.enable = true;
+      };
+      nixpkgs.config.packageOverrides = pkgs: 
+      {
+        telegram-desktop = pkgs.telegram-desktop.overrideAttrs (attrs:
+        {
+          patches = (if (attrs ? patches) then attrs.patches else []) ++ [ ./telegram.patch ];
+        });
+      };
+      services.pcscd.enable = true;
+    };
+}
+

modules/packages/desktop/firefox.nix

@@ -0,0 +1,58 @@
+inputs:
+{
+  config = inputs.lib.mkIf (builtins.elem "desktop" inputs.config.nixos.packages._packageSets)
+  {
+    nixos.users.sharedModules = [{ config =
+    {
+      programs.firefox =
+      {
+        enable = true;
+        # TODO: switch to 24.05
+        # nativeMessagingHosts = [ inputs.pkgs.plasma-browser-integration ];
+        package = inputs.pkgs.firefox.override { nativeMessagingHosts = [ inputs.pkgs.plasma-browser-integration ]; };
+        policies.DefaultDownloadDirectory = "\${home}/Downloads";
+        profiles.default =
+        {
+          extensions = with inputs.pkgs.firefox-addons;
+          [
+            immersive-translate tampermonkey bitwarden cookies-txt dualsub firefox-color i-dont-care-about-cookies
+            metamask pakkujs switchyomega rsshub-radar rsspreview tabliss tree-style-tab ublock-origin wallabagger
+            wappalyzer grammarly
+            (
+              buildFirefoxXpiAddon
+              {
+                pname = "zotero-connector";
+                version = "5.0.114";
+                addonId = "zotero@chnm.gmu.edu";
+                url = "https://download.zotero.org/connector/firefox/release/Zotero_Connector-5.0.114.xpi";
+                sha256 = "1g9d991m4vfj5x6r86sw754bx7r4qi8g5ddlqp7rcw6wrgydhrhw";
+                meta = {};
+              }
+            )
+          ];
+          search = { default = "Google"; force = true; };
+          userChrome = builtins.readFile "${inputs.topInputs.lepton}/userChrome.css";
+          userContent = builtins.readFile "${inputs.topInputs.lepton}/userContent.css";
+          extraConfig = builtins.readFile "${inputs.topInputs.lepton}/user.js";
+          settings =
+          {
+            # general
+            "browser.search.region" = "CN";
+            "intl.locale.requested" = "zh-CN,en-US";
+            "browser.aboutConfig.showWarning" = false;
+            "browser.bookmarks.showMobileBookmarks" = true;
+            "browser.download.panel.shown" = true;
+            "browser.download.useDownloadDir" = true;
+            "browser.newtab.extensionControlled" = true;
+            "browser.toolbars.bookmarks.visibility" = "never";
+            # allow to apply userChrome.css
+            "toolkit.legacyUserProfileCustomizations.stylesheets" = true;
+          };
+        };
+      };
+      home.file.".mozilla/firefox/profiles.ini".force = true;
+    };}];
+    # still enable global firefox, to install language packs
+    programs.firefox = { enable = true; languagePacks = [ "zh-CN" "en-US" ]; };
+  };
+}

modules/packages/desktop/vscode.nix

@@ -0,0 +1,59 @@
+inputs:
+{
+  config =
+    let
+      inherit (inputs.lib) mkIf;
+    in mkIf (builtins.elem "desktop" inputs.config.nixos.packages._packageSets)
+    {
+      nixos.packages = with inputs.pkgs;
+      {
+        _packages =
+        [(
+          vscode-with-extensions.override
+          {
+            vscodeExtensions = with nix-vscode-extensions.vscode-marketplace;
+              (with equinusocio; [ vsc-community-material-theme vsc-material-theme-icons ])
+              ++ (with github; [ copilot copilot-chat github-vscode-theme ])
+              ++ (with intellsmi; [ comment-translate deepl-translate ])
+              ++ (with ms-python; [ isort python vscode-pylance ])
+              ++ (with ms-toolsai;
+              [
+                jupyter jupyter-keymap jupyter-renderers vscode-jupyter-cell-tags vscode-jupyter-slideshow
+              ])
+              ++ (with ms-vscode;
+              [
+                cmake-tools cpptools cpptools-extension-pack cpptools-themes hexeditor remote-explorer
+                test-adapter-converter
+              ])
+              ++ (with ms-vscode-remote; [ remote-ssh remote-containers remote-ssh-edit ])
+              ++ [
+                donjayamanne.githistory genieai.chatgpt-vscode fabiospampinato.vscode-diff cschlosser.doxdocgen
+                llvm-vs-code-extensions.vscode-clangd ms-ceintl.vscode-language-pack-zh-hans
+                oderwat.indent-rainbow
+                twxs.cmake guyutongxue.cpp-reference znck.grammarly thfriedrich.lammps leetcode.vscode-leetcode
+                james-yu.latex-workshop gimly81.matlab affenwiesel.matlab-formatter ckolkman.vscode-postgres
+                yzhang.markdown-all-in-one pkief.material-icon-theme bbenoist.nix ms-ossdata.vscode-postgresql
+                redhat.vscode-xml dotjoshjohnson.xml jnoortheen.nix-ide xdebug.php-debug
+                hbenl.vscode-test-explorer
+                jeff-hykin.better-cpp-syntax fredericbonnet.cmake-test-adapter mesonbuild.mesonbuild
+                hirse.vscode-ungit fortran-lang.linter-gfortran tboox.xmake-vscode ccls-project.ccls
+                feiskyer.chatgpt-copilot yukiuuh2936.vscode-modern-fortran-formatter wolframresearch.wolfram
+                njpipeorgan.wolfram-language-notebook brettm12345.nixfmt-vscode webfreak.debug
+                gruntfuggly.todo-tree
+                # restrctured text
+                lextudio.restructuredtext trond-snekvik.simple-rst
+                # markdown
+                shd101wyy.markdown-preview-enhanced
+                # vasp
+                mystery.vasp-support
+              ];
+          }
+        )];
+        _pythonPackages = [(pythonPackages: with pythonPackages;
+        [
+          # required by vscode extensions restrucuredtext
+          localPackages.esbonio
+        ])];
+      };
+    };
+}

modules/packages/server/default.nix

@@ -0,0 +1,139 @@
+inputs:
+{
+  imports = inputs.localLib.mkModules
+  [
+    ./ssh
+    ./zsh
+    ./gpg.nix
+  ];
+  config =
+    let
+      inherit (inputs.lib) mkIf;
+      inherit (builtins) concatLists map listToAttrs;
+      inherit (inputs.localLib) attrsToList;
+    in mkIf (builtins.elem "server" inputs.config.nixos.packages._packageSets)
+    {
+      nixos =
+      {
+        packages = with inputs.pkgs;
+        {
+          _packages =
+          [
+            # shell
+            ksh
+            # basic tools
+            beep dos2unix gnugrep pv tmux screen parallel tldr cowsay jq zellij neofetch ipfetch localPackages.pslist
+            fastfetch reptyr
+            # lsxx
+            pciutils usbutils lshw util-linux lsof dmidecode
+            # top
+            iotop iftop htop btop powertop s-tui
+            # editor
+            nano bat
+            # downloader
+            wget aria2 curl yt-dlp
+            # file manager
+            tree eza trash-cli lsd broot file xdg-ninja mlocate
+            # compress
+            pigz rar upx unzip zip lzip p7zip
+            # file system management
+            sshfs e2fsprogs adb-sync duperemove compsize exfatprogs
+            # disk management
+            smartmontools hdparm
+            # encryption and authentication
+            apacheHttpd openssl ssh-to-age gnupg age sops pam_u2f yubico-piv-tool
+            # networking
+            ipset iptables iproute2 dig nettools traceroute tcping-go whois tcpdump nmap inetutils wireguard-tools
+            # nix tools
+            nix-output-monitor nix-tree ssh-to-age (callPackage "${inputs.topInputs.nix-fast-build}" {})
+            # office
+            todo-txt-cli
+            # development
+            gdb try inputs.topInputs.plasma-manager.packages.x86_64-linux.rc2nix hexo-cli
+          ] ++ (with inputs.config.boot.kernelPackages; [ cpupower usbip ]);
+          _pythonPackages = [(pythonPackages: with pythonPackages;
+          [
+            openai python-telegram-bot fastapi pypdf2 pandas matplotlib plotly gunicorn redis jinja2
+            certifi charset-normalizer idna orjson psycopg2 inquirerpy requests tqdm
+          ])];
+        };
+        users.sharedModules = [(home-inputs:
+        {
+          config.programs =
+          {
+            direnv = { enable = true; nix-direnv.enable = true; };
+            git =
+            {
+              enable = true;
+              lfs.enable = true;
+              extraConfig =
+              {
+                core.editor = if inputs.config.nixos.system.gui.preferred then "code --wait" else "vim";
+                advice.detachedHead = false;
+                merge.conflictstyle = "diff3";
+                diff.colorMoved = "default";
+              };
+              package = inputs.pkgs.gitFull;
+              delta =
+              {
+                enable = true;
+                options =
+                {
+                  side-by-side = true;
+                  navigate = true;
+                  syntax-theme = "GitHub";
+                  light = true;
+                  zero-style = "syntax white";
+                  line-numbers-zero-style = "#ffffff";
+                };
+              };
+            };
+            vim =
+            {
+              enable = true;
+              defaultEditor = true;
+              packageConfigurable = inputs.config.programs.vim.package;
+              settings =
+              {
+                number = true;
+                expandtab = false;
+                shiftwidth = 2;
+                tabstop = 2;
+              };
+              extraConfig =
+              ''
+                set clipboard=unnamedplus
+                colorscheme evening
+              '';
+            };
+          };
+        })];
+      };
+      programs =
+      {
+        nix-index-database.comma.enable = true;
+        nix-index.enable = true;
+        command-not-found.enable = false;
+        autojump.enable = true;
+        git =
+        {
+          enable = true;
+          package = inputs.pkgs.gitFull;
+          lfs.enable = true;
+          config =
+          {
+            init.defaultBranch = "main";
+            core = { quotepath = false; editor = "vim"; };
+          };
+        };
+        yazi.enable = true;
+        mosh.enable = true;
+      };
+      services =
+      {
+        fwupd.enable = true;
+        udev.packages = with inputs.pkgs; [ yubikey-personalization libfido2 ];
+      };
+      home-manager = { useGlobalPkgs = true; useUserPackages = true; };
+    };
+}

modules/packages/server/gpg.nix

@@ -0,0 +1,10 @@
+inputs:
+{
+  config =
+    let
+      inherit (inputs.lib) mkIf;
+    in mkIf (builtins.elem "server" inputs.config.nixos.packages._packageSets)
+    {
+      programs.gnupg.agent = { enable = true; pinentryFlavor = "tty"; };
+    };
+}

modules/packages/server/ssh/default.nix

@@ -0,0 +1,175 @@
+inputs:
+{
+  config =
+    let
+      inherit (inputs.lib) mkIf;
+      inherit (builtins) concatLists map listToAttrs;
+      inherit (inputs.localLib) attrsToList;
+    in mkIf (builtins.elem "server" inputs.config.nixos.packages._packageSets)
+    {
+      services.openssh.knownHosts =
+        let
+          servers =
+          {
+            vps6 =
+            {
+              ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO5ZcvyRyOnUCuRtqrM/Qf+AdUe3a5bhbnfyhw2FSLDZ";
+              hostnames = [ "vps6.chn.moe" "wireguard.vps6.chn.moe" "74.211.99.69" "192.168.83.1" ];
+            };
+            "initrd.vps6" =
+            {
+              ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB4DKB/zzUYco5ap6k9+UxeO04LL12eGvkmQstnYxgnS";
+              hostnames = [ "initrd.vps6.chn.moe" "74.211.99.69" ];
+            };
+            vps7 =
+            {
+              ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5XkdilejDAlg5hZZD0oq69k8fQpe9hIJylTo/aLRgY";
+              hostnames = [ "vps7.chn.moe" "wireguard.vps7.chn.moe" "ssh.git.chn.moe" "95.111.228.40" "192.168.83.2" ];
+            };
+            "initrd.vps7" =
+            {
+              ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGZyQpdQmEZw3nLERFmk2tS1gpSvXwW0Eish9UfhrRxC";
+              hostnames = [ "initrd.vps7.chn.moe" "95.111.228.40" ];
+            };
+            nas =
+            {
+              ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIktNbEcDMKlibXg54u7QOLt0755qB/P4vfjwca8xY6V";
+              hostnames = [ "wireguard.nas.chn.moe" "[office.chn.moe]:5440" "192.168.1.185" "192.168.83.4" ];
+            };
+            "initrd.nas" =
+            {
+              ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAoMu0HEaFQsnlJL0L6isnkNZdRq0OiDXyaX3+fl3NjT";
+              hostnames = [ "initrd.nas.chn.moe" "[office.chn.moe]:5440" "192.168.1.185" ];
+            };
+            surface =
+            {
+              ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdm3DcfHdcLP0oSpVrWwIZ/b9lZuakBSPwCFz2BdTJ7";
+              hostnames = [ "192.168.1.166" ];
+            };
+            pc =
+            {
+              ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMSfREi19OSwQnhdsE8wiNwGSFFJwNGN0M5gN+sdrrLJ";
+              hostnames = [ "wireguard.pc.chn.moe" "192.168.83.3" ];
+            };
+            hpc =
+            {
+              ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDVpsQW3kZt5alHC6mZhay3ZEe2fRGziG4YJWCv2nn/O";
+              hostnames = [ "hpc.xmu.edu.cn" ];
+            };
+            github =
+            {
+              ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
+              hostnames = [ "github.com" ];
+            };
+          };
+        in listToAttrs (concatLists (map
+          (server:
+          (
+            if builtins.pathExists ./ssh/${server.name}_rsa.pub then
+            [{
+              name = "${server.name}-rsa";
+              value =
+              {
+                publicKey = builtins.readFile ./ssh/${server.name}_rsa.pub;
+                hostNames = server.value.hostnames;
+              };
+            }]
+            else []
+          )
+          ++ (
+            if builtins.pathExists ./ssh/${server.name}_ecdsa.pub then
+            [{
+              name = "${server.name}-ecdsa";
+              value =
+              {
+                publicKey = builtins.readFile ./ssh/${server.name}_ecdsa.pub;
+                hostNames = server.value.hostnames;
+              };
+            }]
+            else []
+          )
+          ++ (
+            if server.value ? ed25519 then
+            [{
+              name = "${server.name}-ed25519";
+              value =
+              {
+                publicKey = server.value.ed25519;
+                hostNames = server.value.hostnames;
+              };
+            }]
+            else []
+          ))
+          (attrsToList servers)));
+      programs.ssh =
+      {
+        startAgent = true;
+        enableAskPassword = true;
+        askPassword = "${inputs.pkgs.systemd}/bin/systemd-ask-password";
+        extraConfig = "AddKeysToAgent yes";
+      };
+      environment.sessionVariables.SSH_ASKPASS_REQUIRE = "prefer";
+      nixos.users.sharedModules =
+      [(hmInputs: {
+        config.programs.ssh =
+        {
+          enable = true;
+          controlMaster = "auto";
+          controlPersist = "1m";
+          compression = true;
+          matchBlocks = builtins.listToAttrs
+          (
+            (builtins.map
+              (host: { name = host; value = { inherit host; hostname = "${host}.chn.moe"; }; })
+              [ "vps6" "wireguard.vps6" "vps7" "wireguard.vps7" "wireguard.pc" "wireguard.nas" ])
+            ++ (builtins.map
+              (host:
+              {
+                name = host;
+                value =
+                {
+                  host = host;
+                  hostname = "hpc.xmu.edu.cn";
+                  user = host;
+                  extraOptions =
+                  {
+                    PubkeyAcceptedAlgorithms = "+ssh-rsa";
+                    HostkeyAlgorithms = "+ssh-rsa";
+                    SetEnv =
+                      let
+                        usernameMap =
+                        {
+                          chn = "linwei/chn";
+                        };
+                        cdString =
+                          if host == "jykang" && (usernameMap ? ${hmInputs.config.home.username}) then
+                            ":chn_cd:${usernameMap.${hmInputs.config.home.username}}"
+                          else "";
+                      in "TERM=chn_unset_ls_colors${cdString}:xterm-256color";
+                    # in .bash_profile:
+                    # if [[ $TERM == chn_unset_ls_colors* ]]; then
+                    #   export TERM=${TERM#*:}
+                    #   export CHN_LS_USE_COLOR=1
+                    # fi
+                    # if [[ $TERM == chn_cd* ]]; then
+                    #   export TERM=${TERM#*:}
+                    #   cd ~/${TERM%%:*}
+                    #   export TERM=${TERM#*:}
+                    # fi
+                    # in .bashrc
+                    # [ -n "$CHN_LS_USE_COLOR" ] && alias ls="ls --color=auto"
+                  };
+                };
+              })
+              [ "wlin" "jykang" "hwang" ])
+          )
+          // {
+            xmupc1 = { host = "xmupc1"; hostname = "office.chn.moe"; port = 6007; };
+            nas = { host = "nas"; hostname = "office.chn.moe"; port = 5440; };
+            surface = { host = "surface"; hostname = "192.168.1.166"; };
+            gitea = { host = "gitea"; hostname = "ssh.git.chn.moe"; };
+          };
+        };
+      })];
+    };
+}

modules/packages/server/ssh/surface_rsa.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDJAyDl52UVGFPTV/rXFERrXAMY5qZ3g+tpg9HOGdw86G4Nr8Xp/cTxZjF4kSfIkSrGblAV9Lm4US0fW3pGOQu5qQrSAENxqHxdlEyzt7izyF2CklDUeTjs3KHOIZMvSli4z014NPcswBbjwB9Lyrw0fCQ9P1vYkrUHEzL2SMxdack1EQPcMF4MxblDqc+eQhdMCkKE8T1Cb1ZqxeLVMPn9CwjG18JoxL+/xs+MjcsSXYWcoqYTfgfhguMbh0D4Eo32MHS/IzRSxnOHJxhG5xYePcyBlb/CxQuYA+RTqKNE85j7GcL2oEmeZ1b++/9qFT9grwVh+UOBRO2xiMzKDF24nXPJ+eLyd6Z/3swGT4rTVDnrXV5eZUkWLHN093IdLJCTtPVrKV9OxEKr5sU2W0edpirNrlGq7/MYkJX9EbQctDFA69XfQkZlGK9xGutqSgEaVlY54fS0Due+NDrNBPfMKJ9MTmFDOY+NYn05El2rMD39OKbGbCR5ASwSSBlcQeE=

modules/packages/server/zsh/default.nix

@@ -0,0 +1,78 @@
+inputs:
+{
+  config =
+    let
+      inherit (inputs.lib) mkIf;
+    in mkIf (builtins.elem "server" inputs.config.nixos.packages._packageSets)
+    {
+      nixos.users.sharedModules = [(home-inputs: { config.programs.zsh =
+      {
+        enable = true;
+        initExtraBeforeCompInit =
+        ''
+          # p10k instant prompt
+          P10K_INSTANT_PROMPT="$XDG_CACHE_HOME/p10k-instant-prompt-''${(%):-%n}.zsh"
+          [[ ! -r "$P10K_INSTANT_PROMPT" ]] || source "$P10K_INSTANT_PROMPT"
+          HYPHEN_INSENSITIVE="true"
+          export PATH=~/bin:$PATH
+          function br
+          {
+            local cmd cmd_file code
+            cmd_file=$(mktemp)
+            if broot --outcmd "$cmd_file" "$@"; then
+              cmd=$(<"$cmd_file")
+              command rm -f "$cmd_file"
+              eval "$cmd"
+            else
+              code=$?
+              command rm -f "$cmd_file"
+              return "$code"
+            fi
+          }
+          alias todo="todo.sh"
+        '';
+        plugins =
+        [
+          {
+            file = "powerlevel10k.zsh-theme";
+            name = "powerlevel10k";
+            src = "${inputs.pkgs.zsh-powerlevel10k}/share/zsh-powerlevel10k";
+          }
+          {
+            file = "p10k.zsh";
+            name = "powerlevel10k-config";
+            src = ./p10k-config;
+          }
+          {
+            name = "zsh-lsd";
+            src = inputs.pkgs.fetchFromGitHub
+            {
+              owner = "z-shell";
+              repo = "zsh-lsd";
+              rev = "65bb5ac49190beda263aae552a9369127961632d";
+              hash = "sha256-JSNsfpgiqWhtmGQkC3B0R1Y1QnDKp9n0Zaqzjhwt7Xk=";
+            };
+          }
+        ];
+        history =
+        {
+          path = "${home-inputs.config.xdg.dataHome}/zsh/zsh_history";
+          extended = true;
+          save = 100000000;
+          size = 100000000;
+        };
+      };})];
+      programs.zsh =
+      {
+        enable = true;
+        syntaxHighlighting.enable = true;
+        autosuggestions.enable = true;
+        enableCompletion = true;
+        ohMyZsh =
+        {
+          enable = true;
+          plugins = [ "git" "colored-man-pages" "extract" "history-substring-search" "autojump" ];
+        };
+      };
+    };
+}

modules/packages/server/zsh/p10k-config/p10k.zsh

@@ -855,7 +855,7 @@
   #
   # These variables correspond to the last line of the output of `todo.sh -p ls`:
   #
-  #   TODO: 24 of 42 tasks shown
+  #   TO DO: 24 of 42 tasks shown
   #
   # Here 24 is P9K_TODO_FILTERED_TASK_COUNT and 42 is P9K_TODO_TOTAL_TASK_COUNT.
   #

modules/packages/workstation/default.nix

@@ -0,0 +1,74 @@
+inputs:
+{
+  config =
+    let
+      inherit (inputs.lib) mkIf;
+    in mkIf (builtins.elem "workstation" inputs.config.nixos.packages._packageSets)
+    {
+      nixos =
+      {
+        packages = with inputs.pkgs;
+        {
+          _packages =
+          [
+            # password and key management
+            electrum jabref
+            # system management
+            wl-mirror
+            # nix tools
+            nix-template nil nix-alien pnpm-lock-export bundix
+            # instant messager
+            qq nur-xddxdd.wechat-uos cinny-desktop nheko
+            # development
+            jetbrains.clion android-studio dbeaver cling clang-tools_16 ccls fprettify aircrack-ng
+            # media
+            nur-xddxdd.svp
+            # virtualization
+            wineWowPackages.stagingFull virt-viewer bottles # wine64
+            # text editor
+            appflowy notion-app-enhanced joplin-desktop standardnotes logseq
+            # math, physics and chemistry
+            mathematica paraview localPackages.vasp jmol # qchem.quantum-espresso
+            # encryption and password management
+            john crunch hashcat
+            # container and vm
+            genymotion # davinci-resolve playonlinux
+            # browser
+            microsoft-edge
+            # news
+            rssguard newsflash newsboat
+            yuzu-early-access
+          ];
+          _pythonPackages = [(pythonPackages: with pythonPackages;
+          [
+            phonopy tensorflow keras scipy scikit-learn jupyterlab autograd # localPackages.pix2tex
+          ])];
+          _prebuildPackages =
+          [
+            httplib magic-enum xtensor boost cereal cxxopts ftxui yaml-cpp gfortran gcc10 python2
+            gcc13Stdenv
+          ];
+        };
+        users.sharedModules =
+        [{
+          config.programs =
+          {
+            obs-studio =
+            {
+              enable = true;
+              plugins = with inputs.pkgs.obs-studio-plugins;
+                [ wlrobs obs-vaapi obs-nvfbc droidcam-obs obs-vkcapture ];
+            };
+            doom-emacs = { enable = true; doomPrivateDir = ./doom.d; };
+          };
+        }];
+      };
+      programs =
+      {
+        anime-game-launcher = { enable = true; package = inputs.pkgs.anime-game-launcher; };
+        honkers-railway-launcher = { enable = true; package = inputs.pkgs.honkers-railway-launcher; };
+        nix-ld.enable = true;
+        chromium = { enable = true; extraOpts.PasswordManagerEnabled = false; };
+      };
+    };
+}

modules/packages/workstation/doom.d/init.el

@@ -0,0 +1,191 @@
+;;; init.el -*- lexical-binding: t; -*-
+
+;; This file controls what Doom modules are enabled and what order they load
+;; in. Remember to run 'doom sync' after modifying it!
+
+;; NOTE Press 'SPC h d h' (or 'C-h d h' for non-vim users) to access Doom's
+;;      documentation. There you'll find a "Module Index" link where you'll find
+;;      a comprehensive list of Doom's modules and what flags they support.
+
+;; NOTE Move your cursor over a module's name (or its flags) and press 'K' (or
+;;      'C-c c k' for non-vim users) to view its documentation. This works on
+;;      flags as well (those symbols that start with a plus).
+;;
+;;      Alternatively, press 'gd' (or 'C-c c d') on a module to browse its
+;;      directory (for easy access to its source code).
+
+(doom! :input
+       ;;chinese
+       ;;japanese
+       ;;layout            ; auie,ctsrnm is the superior home row
+
+       :completion
+       company           ; the ultimate code completion backend
+       ;;helm              ; the *other* search engine for love and life
+       ;;ido               ; the other *other* search engine...
+       ;;ivy               ; a search engine for love and life
+       vertico           ; the search engine of the future
+
+       :ui
+       ;;deft              ; notational velocity for Emacs
+       doom              ; what makes DOOM look the way it does
+       doom-dashboard    ; a nifty splash screen for Emacs
+       doom-quit         ; DOOM quit-message prompts when you quit Emacs
+       ;;(emoji +unicode)  ; 🙂
+       hl-todo           ; highlight TODO/FIXME/NOTE/DEPRECATED/HACK/REVIEW
+       ;;hydra
+       ;;indent-guides     ; highlighted indent columns
+       ;;ligatures         ; ligatures and symbols to make your code pretty again
+       ;;minimap           ; show a map of the code on the side
+       modeline          ; snazzy, Atom-inspired modeline, plus API
+       ;;nav-flash         ; blink cursor line after big motions
+       ;;neotree           ; a project drawer, like NERDTree for vim
+       ophints           ; highlight the region an operation acts on
+       (popup +defaults)   ; tame sudden yet inevitable temporary windows
+       ;;tabs              ; a tab bar for Emacs
+       ;;treemacs          ; a project drawer, like neotree but cooler
+       ;;unicode           ; extended unicode support for various languages
+       vc-gutter         ; vcs diff in the fringe
+       vi-tilde-fringe   ; fringe tildes to mark beyond EOB
+       ;;window-select     ; visually switch windows
+       workspaces        ; tab emulation, persistence & separate workspaces
+       ;;zen               ; distraction-free coding or writing
+
+       :editor
+       (evil +everywhere); come to the dark side, we have cookies
+       file-templates    ; auto-snippets for empty files
+       fold              ; (nigh) universal code folding
+       ;;(format +onsave)  ; automated prettiness
+       ;;god               ; run Emacs commands without modifier keys
+       ;;lispy             ; vim for lisp, for people who don't like vim
+       ;;multiple-cursors  ; editing in many places at once
+       ;;objed             ; text object editing for the innocent
+       ;;parinfer          ; turn lisp into python, sort of
+       ;;rotate-text       ; cycle region at point between text candidates
+       snippets          ; my elves. They type so I don't have to
+       ;;word-wrap         ; soft wrapping with language-aware indent
+
+       :emacs
+       dired             ; making dired pretty [functional]
+       electric          ; smarter, keyword-based electric-indent
+       ;;ibuffer         ; interactive buffer management
+       undo              ; persistent, smarter undo for your inevitable mistakes
+       vc                ; version-control and Emacs, sitting in a tree
+
+       :term
+       ;;eshell            ; the elisp shell that works everywhere
+       ;;shell             ; simple shell REPL for Emacs
+       ;;term              ; basic terminal emulator for Emacs
+       ;;vterm             ; the best terminal emulation in Emacs
+
+       :checkers
+       syntax              ; tasing you for every semicolon you forget
+       ;;(spell +flyspell) ; tasing you for misspelling mispelling
+       ;;grammar           ; tasing grammar mistake every you make
+
+       :tools
+       ;;ansible
+       ;;biblio            ; Writes a PhD for you (citation needed)
+       ;;debugger          ; FIXME stepping through code, to help you add bugs
+       ;;direnv
+       ;;docker
+       ;;editorconfig      ; let someone else argue about tabs vs spaces
+       ;;ein               ; tame Jupyter notebooks with emacs
+       (eval +overlay)     ; run code, run (also, repls)
+       ;;gist              ; interacting with github gists
+       lookup              ; navigate your code and its documentation
+       ;;lsp               ; M-x vscode
+       magit             ; a git porcelain for Emacs
+       ;;make              ; run make tasks from Emacs
+       ;;pass              ; password manager for nerds
+       ;;pdf               ; pdf enhancements
+       ;;prodigy           ; FIXME managing external services & code builders
+       ;;rgb               ; creating color strings
+       ;;taskrunner        ; taskrunner for all your projects
+       ;;terraform         ; infrastructure as code
+       ;;tmux              ; an API for interacting with tmux
+       ;;upload            ; map local to remote projects via ssh/ftp
+
+       :os
+       (:if IS-MAC macos)  ; improve compatibility with macOS
+       ;;tty               ; improve the terminal Emacs experience
+
+       :lang
+       ;;agda              ; types of types of types of types...
+       ;;beancount         ; mind the GAAP
+       ;;cc                ; C > C++ == 1
+       ;;clojure           ; java with a lisp
+       ;;common-lisp       ; if you've seen one lisp, you've seen them all
+       ;;coq               ; proofs-as-programs
+       ;;crystal           ; ruby at the speed of c
+       ;;csharp            ; unity, .NET, and mono shenanigans
+       ;;data              ; config/data formats
+       ;;(dart +flutter)   ; paint ui and not much else
+       ;;dhall
+       ;;elixir            ; erlang done right
+       ;;elm               ; care for a cup of TEA?
+       emacs-lisp        ; drown in parentheses
+       ;;erlang            ; an elegant language for a more civilized age
+       ;;ess               ; emacs speaks statistics
+       ;;factor
+       ;;faust             ; dsp, but you get to keep your soul
+       ;;fortran           ; in FORTRAN, GOD is REAL (unless declared INTEGER)
+       ;;fsharp            ; ML stands for Microsoft's Language
+       ;;fstar             ; (dependent) types and (monadic) effects and Z3
+       ;;gdscript          ; the language you waited for
+       ;;(go +lsp)         ; the hipster dialect
+       ;;(haskell +lsp)    ; a language that's lazier than I am
+       ;;hy                ; readability of scheme w/ speed of python
+       ;;idris             ; a language you can depend on
+       ;;json              ; At least it ain't XML
+       ;;(java +meghanada) ; the poster child for carpal tunnel syndrome
+       ;;javascript        ; all(hope(abandon(ye(who(enter(here))))))
+       ;;julia             ; a better, faster MATLAB
+       ;;kotlin            ; a better, slicker Java(Script)
+       ;;latex             ; writing papers in Emacs has never been so fun
+       ;;lean              ; for folks with too much to prove
+       ;;ledger            ; be audit you can be
+       ;;lua               ; one-based indices? one-based indices
+       markdown          ; writing docs for people to ignore
+       ;;nim               ; python + lisp at the speed of c
+       ;;nix               ; I hereby declare "nix geht mehr!"
+       ;;ocaml             ; an objective camel
+       org               ; organize your plain life in plain text
+       ;;php               ; perl's insecure younger brother
+       ;;plantuml          ; diagrams for confusing people more
+       ;;purescript        ; javascript, but functional
+       ;;python            ; beautiful is better than ugly
+       ;;qt                ; the 'cutest' gui framework ever
+       ;;racket            ; a DSL for DSLs
+       ;;raku              ; the artist formerly known as perl6
+       ;;rest              ; Emacs as a REST client
+       ;;rst               ; ReST in peace
+       ;;(ruby +rails)     ; 1.step {|i| p "Ruby is #{i.even? ? 'love' : 'life'}"}
+       ;;rust              ; Fe2O3.unwrap().unwrap().unwrap().unwrap()
+       ;;scala             ; java, but good
+       ;;(scheme +guile)   ; a fully conniving family of lisps
+       sh                ; she sells {ba,z,fi}sh shells on the C xor
+       ;;sml
+       ;;solidity          ; do you need a blockchain? No.
+       ;;swift             ; who asked for emoji variables?
+       ;;terra             ; Earth and Moon in alignment for performance.
+       ;;web               ; the tubes
+       ;;yaml              ; JSON, but readable
+       ;;zig               ; C, but simpler
+
+       :email
+       ;;(mu4e +org +gmail)
+       ;;notmuch
+       ;;(wanderlust +gmail)
+
+       :app
+       ;;calendar
+       ;;emms
+       ;;everywhere        ; *leave* Emacs!? You must be joking
+       ;;irc               ; how neckbeards socialize
+       ;;(rss +org)        ; emacs as an RSS reader
+       ;;twitter           ; twitter client https://twitter.com/vnought
+
+       :config
+       ;;literate
+       (default +bindings +smartparens))

modules/services/acme.nix

@@ -3,10 +3,15 @@ inputs:
   options.nixos.services.acme = let inherit (inputs.lib) mkOption types; in
   {
     enable = mkOption { type = types.bool; default = false; };
-    certs = mkOption
+    cert = mkOption
     {
-      type = types.listOf (types.oneOf [ types.nonEmptyStr (types.listOf types.nonEmptyStr) ]);
-      default = [];
+      type = types.attrsOf (types.submodule (submoduleInputs: { options =
+      {
+        domains = mkOption
+          { type = types.nonEmptyListOf types.nonEmptyStr; default = [ submoduleInputs.config._module.args.name ]; };
+        group = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
+      };}));
+      default = {};
     };
   };
   config =
@@ -14,6 +19,7 @@ inputs:
       inherit (inputs.lib) mkIf;
       inherit (inputs.config.nixos.services) acme;
       inherit (builtins) map listToAttrs;
+      inherit (inputs.localLib) attrsToList;
     in mkIf acme.enable
     {
       security.acme =
@@ -23,16 +29,17 @@ inputs:
         certs = listToAttrs (map
           (cert:
           {
-            name = if builtins.typeOf cert == "string" then cert else builtins.elemAt cert 0;
+            name = builtins.elemAt cert.value.domains 0;
             value =
             {
               dnsResolver = "8.8.8.8";
               dnsProvider = "cloudflare";
               credentialsFile = inputs.config.sops.secrets."acme/cloudflare.ini".path;
-              extraDomainNames = if builtins.typeOf cert == "string" then [] else builtins.tail cert;
+              extraDomainNames = builtins.tail cert.value.domains;
+              group = mkIf (cert.value.group != null) cert.value.group;
             };
           })
-          acme.certs);
+          (attrsToList acme.cert));
       };
       sops.secrets."acme/cloudflare.ini" = {};
     };

modules/services/akkoma.nix

@@ -0,0 +1,51 @@
+inputs:
+{
+  options.nixos.services.akkoma = let inherit (inputs.lib) mkOption types; in
+  {
+    enable = mkOption { type = types.bool; default = false; };
+    hostname = mkOption { type = types.str; default = "akkoma.chn.moe"; };
+  };
+  config =
+    let
+      inherit (inputs.config.nixos.services) akkoma;
+      inherit (inputs.lib) mkIf;
+    in mkIf akkoma.enable
+    {
+      services.akkoma =
+      {
+        enable = true;
+        config.":pleroma" =
+        {
+          "Pleroma.Web.Endpoint".url.host = akkoma.hostname;
+          "Pleroma.Repo" =
+          {
+            adapter = (inputs.pkgs.formats.elixirConf { }).lib.mkRaw "Ecto.Adapters.Postgres";
+            hostname = "127.0.0.1";
+            username = "akkoma";
+            password._secret = inputs.config.sops.secrets."akkoma/db".path;
+            database = "akkoma";
+          };
+          ":instance" =
+          {
+            name = "艹";
+            email = "grass@grass.squre";
+            description = "艹艹艹艹艹";
+          };
+        };
+      };
+      nixos.services =
+      {
+        nginx =
+        {
+          enable = true;
+          https."${akkoma.hostname}" =
+          {
+            global.tlsCert = "/var/lib/akkoma";
+            location."/".proxy = { upstream = "http://127.0.0.1:4000"; websocket = true; };
+          };
+        };
+        postgresql.instances.akkoma = {};
+      };
+      sops.secrets."akkoma/db" = { owner = "akkoma"; key = "postgresql/akkoma"; };
+    };
+}

modules/services/beesd.nix

@@ -8,11 +8,14 @@ inputs:
       type = types.attrsOf (types.oneOf
       [
         types.nonEmptyStr
-        (types.submodule { options =
+        (types.submodule
         {
-          device = mkOption { type = types.nonEmptyStr; };
-          hashTableSizeMB = mkOption { type = types.int; };
-        };})
+          options =
+          {
+            device = mkOption { type = types.nonEmptyStr; };
+            hashTableSizeMB = mkOption { type = types.ints.unsigned; default = 1024; };
+            threads = mkOption { type = types.ints.unsigned; default = 1; };
+          };})
       ]);
       default = {};
     };
@@ -33,7 +36,7 @@ inputs:
             {
               spec = instance.value.device or instance.value;
               hashTableSizeMB = instance.value.hashTableSizeMB or 1024;
-              extraOptions = [ "--thread-count" "1" "--scan-mode" "3" ];
+              extraOptions = [ "--thread-count" "${toString instance.value.threads or 1}" "--scan-mode" "3" ];
             };
           })
           (attrsToList beesd.instances));

modules/services/coturn.nix

@@ -11,22 +11,22 @@ inputs:
       inherit (inputs.lib) mkIf;
     in mkIf coturn.enable
       {
-        services.coturn =
-          let
-            keydir = inputs.config.security.acme.certs.${coturn.hostname}.directory;
-          in
-          {
-            enable = true;
-            use-auth-secret = true;
-            static-auth-secret-file = inputs.config.sops.secrets."coturn/auth-secret".path;
-            realm = coturn.hostname;
-            cert = "${keydir}/full.pem";
-            pkey = "${keydir}/key.pem";
-            no-cli = true;
-          };
+        services.coturn = let keydir = inputs.config.security.acme.certs.${coturn.hostname}.directory; in
+        {
+          enable = true;
+          use-auth-secret = true;
+          static-auth-secret-file = inputs.config.sops.secrets."coturn/auth-secret".path;
+          realm = coturn.hostname;
+          cert = "${keydir}/full.pem";
+          pkey = "${keydir}/key.pem";
+          no-cli = true;
+        };
         sops.secrets."coturn/auth-secret".owner = inputs.config.systemd.services.coturn.serviceConfig.User;
-        nixos.services.acme = { enable = true; certs = [ coturn.hostname ]; };
-        security.acme.certs.${coturn.hostname}.group = inputs.config.systemd.services.coturn.serviceConfig.Group;
+        nixos.services.acme =
+        {
+          enable = true;
+          cert.${coturn.hostname}.group = inputs.config.systemd.services.coturn.serviceConfig.Group;
+        };
         networking.firewall = with inputs.config.services.coturn;
         {
           allowedUDPPorts = [ listening-port tls-listening-port ];

modules/services/default.nix

@@ -25,20 +25,29 @@ inputs:
     ./photoprism.nix
     ./nextcloud.nix
     ./freshrss.nix
+    ./kmscon.nix
+    ./fontconfig.nix
+    ./nix-serve.nix
+    ./send.nix
+    ./huginn.nix
+    ./httpua
+    ./fz-new-order
+    ./httpapi.nix
+    ./mirism.nix
+    ./mastodon.nix
+    ./gitea.nix
+    ./grafana.nix
+    ./fail2ban.nix
+    ./wireguard.nix
+    ./akkoma.nix
+    ./gamemode.nix
   ];
   options.nixos.services = let inherit (inputs.lib) mkOption types; in
   {
-    kmscon.enable = mkOption { type = types.bool; default = false; };
-    fontconfig.enable = mkOption { type = types.bool; default = false; };
     firewall.trustedInterfaces = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
-    nix-serve =
-    {
-      enable = mkOption { type = types.bool; default = false; };
-      hostname = mkOption { type = types.nonEmptyStr; };
-    };
     smartd.enable = mkOption { type = types.bool; default = false; };
-    fileshelter.enable = mkOption { type = types.bool; default = false; };
     wallabag.enable = mkOption { type = types.bool; default = false; };
+    noisetorch.enable = mkOption { type = types.bool; default = inputs.config.nixos.system.gui.preferred; };
   };
   config =
     let
@@ -48,49 +57,7 @@ inputs:
       inherit (builtins) map listToAttrs toString;
     in mkMerge
     [
-      (
-        mkIf services.kmscon.enable
-        {
-          services.kmscon =
-          {
-            enable = true;
-            fonts = [{ name = "FiraCode Nerd Font Mono"; package = inputs.pkgs.nerdfonts; }];
-          };
-        }
-      )
-      (
-        mkIf services.fontconfig.enable
-        {
-          fonts =
-          {
-            fontDir.enable = true;
-            fonts = with inputs.pkgs;
-              [ noto-fonts source-han-sans source-han-serif source-code-pro hack-font jetbrains-mono nerdfonts ];
-            fontconfig.defaultFonts =
-            {
-              emoji = [ "Noto Color Emoji" ];
-              monospace = [ "Noto Sans Mono CJK SC" "Sarasa Mono SC" "DejaVu Sans Mono"];
-              sansSerif = [ "Noto Sans CJK SC" "Source Han Sans SC" "DejaVu Sans" ];
-              serif = [ "Noto Serif CJK SC" "Source Han Serif SC" "DejaVu Serif" ];
-            };
-          };
-        }
-      )
       { networking.firewall.trustedInterfaces = services.firewall.trustedInterfaces; }
-      (
-        mkIf services.nix-serve.enable
-        {
-          services.nix-serve =
-          {
-            enable = true;
-            openFirewall = true;
-            secretKeyFile = inputs.config.sops.secrets."store/signingKey".path;
-          };
-          sops.secrets."store/signingKey" = {};
-          nixos.services.nginx.http.${services.nix-serve.hostname} =
-            { rewriteHttps = true; locations."/".proxy.upstream = "http://127.0.0.1:5000"; };
-        }
-      )
       (mkIf services.smartd.enable { services.smartd.enable = true; })
       (
         mkIf services.wallabag.enable
@@ -110,11 +77,6 @@ inputs:
             extraOptions = [ "--add-host=host.docker.internal:host-gateway" ];
             environmentFiles = [ inputs.config.sops.templates."wallabag/env".path ];
           };
-          # systemd.services.docker-wallabag.serviceConfig =
-          # {
-          #   User = "wallabag";
-          #   Group = "wallabag";
-          # };
           sops =
           {
             templates."wallabag/env".content =
@@ -138,33 +100,7 @@ inputs:
               # SYMFONY__ENV__MAILER_DSN=smtp://bot%%40chn.moe@${placeholder."mail/bot-encoded"}:mail.chn.moe
               # SYMFONY__ENV__FROM_EMAIL=bot@chn.moe
               # SYMFONY__ENV__TWOFACTOR_SENDER=bot@chn.moe
-            secrets =
-            {
-              "redis/wallabag".owner = inputs.config.users.users.redis-wallabag.name;
-              "postgresql/wallabag" = {};
-              "mail/bot-encoded" = {};
-            };
-          };
-          services =
-          {
-            redis.servers.wallabag =
-            {
-              enable = true;
-              bind = null;
-              port = 8790;
-              requirePassFile = inputs.config.sops.secrets."redis/wallabag".path;
-            };
-            postgresql =
-            {
-              ensureDatabases = [ "wallabag" ];
-              ensureUsers =
-              [{
-                name = "wallabag";
-                ensurePermissions."DATABASE \"wallabag\"" = "ALL PRIVILEGES";
-              }];
-              # ALTER DATABASE db_name OWNER TO new_owner_name
-              # sudo docker exec -t wallabag /var/www/wallabag/bin/console wallabag:install --env=prod --no-interaction
-            };
+            secrets."mail/bot-encoded" = {};
           };
           nixos =
           {
@@ -173,22 +109,15 @@ inputs:
               nginx =
               {
                 enable = true;
-                http."wallabag.chn.moe" =
-                {
-                  rewriteHttps = true;
-                  locations."/".proxy = { upstream = "http://127.0.0.1:4398"; setHeaders.Host = "wallabag.chn.moe"; };
-                };
+                https."wallabag.chn.moe".location."/".proxy.upstream = "http://127.0.0.1:4398";
               };
-              postgresql.enable = true;
+              postgresql = { enable = true; instances.wallabag = {}; };
+              redis.instances.wallabag = { user = "root"; port = 8790; };
             };
             virtualization.docker.enable = true;
           };
-          # users =
-          # {
-          #   users.wallabag = { isSystemUser = true; group = "wallabag"; autoSubUidGidRange = true; };
-          #   groups.wallabag = {};
-          # };
         }
       )
+      (mkIf services.noisetorch.enable { programs.noisetorch.enable = true; })
     ];
 }

modules/services/fail2ban.nix

@@ -0,0 +1,19 @@
+inputs:
+{
+  options.nixos.services.fail2ban = let inherit (inputs.lib) mkOption types; in
+  {
+    enable = mkOption { type = types.bool; default = false; };
+  };
+  config =
+    let
+      inherit (inputs.config.nixos.services) fail2ban;
+      inherit (inputs.lib) mkIf;
+    in mkIf fail2ban.enable
+    {
+      services.fail2ban =
+      {
+        enable = true;
+        ignoreIP = [ "127.0.0.0/8" "192.168.0.0/16" "vps6.chn.moe" ];
+      };
+    };
+}

modules/services/fontconfig.nix

@@ -0,0 +1,28 @@
+inputs:
+{
+  options.nixos.services.fontconfig = let inherit (inputs.lib) mkOption types; in
+  {
+    enable = mkOption { type = types.bool; default = false; };
+  };
+  config =
+    let
+      inherit (inputs.lib) mkIf;
+      inherit (inputs.config.nixos.services) fontconfig;
+    in mkIf fontconfig.enable
+    {
+      fonts =
+      {
+        fontDir.enable = true;
+        packages = with inputs.pkgs;
+          [ noto-fonts source-han-sans source-han-serif source-code-pro hack-font jetbrains-mono nerdfonts ];
+        fontconfig.defaultFonts =
+        {
+          emoji = [ "Noto Color Emoji" ];
+          monospace = [ "Noto Sans Mono CJK SC" "Sarasa Mono SC" "DejaVu Sans Mono"];
+          sansSerif = [ "Noto Sans CJK SC" "Source Han Sans SC" "DejaVu Sans" ];
+          serif = [ "Noto Serif CJK SC" "Source Han Serif SC" "DejaVu Serif" ];
+        };
+      };
+      nixos.users.sharedModules = [{ config.xdg.configFile."fontconfig/conf.d/10-hm-fonts.conf".force = true; }];
+    };
+}

modules/services/freshrss.nix

@@ -17,21 +17,36 @@ inputs:
         baseUrl = "https://${freshrss.hostname}";
         defaultUser = "chn";
         passwordFile = inputs.config.sops.secrets."freshrss/chn".path;
-        database =
-        {
-          type = "mysql";
-          passFile = inputs.config.sops.secrets."freshrss/mysql".path;
-        };
+        database = { type = "mysql"; passFile = inputs.config.sops.secrets."freshrss/db".path; };
+        virtualHost = null;
       };
       sops.secrets =
       {
         "freshrss/chn".owner = inputs.config.users.users.freshrss.name;
-        "freshrss/db" =
+        "freshrss/db" = { owner = inputs.config.users.users.freshrss.name; key = "mariadb/freshrss"; };
+      };
+      systemd.services.freshrss-config.after = [ "mysql.service" ];
+      nixos.services =
+      {
+        mariadb = { enable = true; instances.freshrss = {}; };
+        nginx.https.${freshrss.hostname} =
         {
-          owner = inputs.config.users.users.freshrss.name;
-          key = "mariadb/freshrss";
+          location =
+          {
+            "/".static =
+            {
+              root = "${inputs.pkgs.freshrss}/p";
+              index = [ "index.php" ];
+              tryFiles = [ "$uri" "$uri/" "$uri/index.php" ];
+            };
+            "~ ^.+?\.php(/.*)?$".php =
+            {
+              root = "${inputs.pkgs.freshrss}/p";
+              fastcgiPass =
+                "unix:${inputs.config.services.phpfpm.pools.${inputs.config.services.freshrss.pool}.socket}";
+            };
+          };
         };
       };
-      nixos.mariadb = { enable = true; instances.freshrss = {}; };
     };
 }

modules/services/frp.nix

@@ -21,6 +21,30 @@ inputs:
         }));
         default = {};
       };
+      stcp = mkOption
+      {
+        type = types.attrsOf (types.submodule (inputs:
+        {
+          options =
+          {
+            localIp = mkOption { type = types.nonEmptyStr; default = "127.0.0.1"; };
+            localPort = mkOption { type = types.ints.unsigned; };
+          };
+        }));
+        default = {};
+      };
+      stcpVisitor = mkOption
+      {
+        type = types.attrsOf (types.submodule (inputs:
+        {
+          options =
+          {
+            localIp = mkOption { type = types.nonEmptyStr; default = "127.0.0.1"; };
+            localPort = mkOption { type = types.ints.unsigned; };
+          };
+        }));
+        default = {};
+      };
     };
     frpServer =
     {
@@ -31,6 +55,7 @@ inputs:
   config =
     let
       inherit (inputs.lib) mkMerge mkIf;
+      inherit (inputs.lib.strings) splitString;
       inherit (inputs.localLib) attrsToList;
       inherit (inputs.config.nixos.services) frpClient frpServer;
       inherit (builtins) map listToAttrs;
@@ -42,7 +67,7 @@ inputs:
           systemd.services.frpc =
             let
               frpc = "${inputs.pkgs.frp}/bin/frpc";
-              config = inputs.config.sops.templates."frpc.ini";
+              config = inputs.config.sops.templates."frpc.json";
             in
             {
               description = "Frp Client Service";
@@ -61,42 +86,65 @@ inputs:
             };
           sops =
           {
-            templates."frpc.ini" =
+            templates."frpc.json" =
             {
               owner = inputs.config.users.users.frp.name;
               group = inputs.config.users.users.frp.group;
-              content = inputs.lib.generators.toINI {}
-              (
-                {
-                  common =
-                  {
-                    server_addr = frpClient.serverName;
-                    server_port = 7000;
-                    token = inputs.config.sops.placeholder."frp/token";
-                    user = frpClient.user;
-                    tls_enable = true;
-                  };
-                }
-                // (listToAttrs (map
+              content = builtins.toJSON
+              {
+                auth.token = inputs.config.sops.placeholder."frp/token";
+                user = frpClient.user;
+                serverAddr = frpClient.serverName;
+                serverPort = 7000;
+                proxies =
+                (map
                   (tcp:
                   {
                     name = tcp.name;
-                    value =
-                    {
-                      type = "tcp";
-                      local_ip = tcp.value.localIp;
-                      local_port = tcp.value.localPort;
-                      remote_port = tcp.value.remotePort;
-                      use_compression = true;
-                    };
+                    type = "tcp";
+                    transport.useCompression = true;
+                    inherit (tcp.value) localIp localPort remotePort;
                   })
                   (attrsToList frpClient.tcp))
-                )
-              );
+                ++ (map
+                  (stcp:
+                  {
+                    name = stcp.name;
+                    type = "stcp";
+                    transport.useCompression = true;
+                    secretKey = inputs.config.sops.placeholder."frp/stcp/${stcp.name}";
+                    allowUsers = [ "*" ];
+                    inherit (stcp.value) localIp localPort;
+                  })
+                  (attrsToList frpClient.stcp));
+                visitors = map
+                  (stcp:
+                  {
+                    name = stcp.name;
+                    type = "stcp";
+                    transport = { useCompression = true; tls.enable = true; };
+                    secretKey = inputs.config.sops.placeholder."frp/stcp/${stcp.name}";
+                    serverUser = builtins.elemAt (splitString "." stcp.name) 0;
+                    serverName = builtins.elemAt (splitString "." stcp.name) 1;
+                    bindAddr = stcp.value.localIp;
+                    bindPort = stcp.value.localPort;
+                  })
+                  (attrsToList frpClient.stcpVisitor);
+              };
             };
-            secrets."frp/token" = {};
+            secrets = listToAttrs
+            (
+              [{ name = "frp/token"; value = {}; }]
+              ++ (map
+                (stcp: { name = "frp/stcp/${stcp.name}"; value = {}; })
+                (attrsToList (with frpClient; stcp // stcpVisitor)))
+            );
+          };
+          users =
+          {
+            users.frp = { uid = inputs.config.nixos.system.user.user.frp; group = "frp"; isSystemUser = true; };
+            groups.frp.gid = inputs.config.nixos.system.user.group.frp;
           };
-          users = { users.frp = { isSystemUser = true; group = "frp"; }; groups.frp = {}; };
         }
       )
       (
@@ -105,7 +153,7 @@ inputs:
           systemd.services.frps =
             let
               frps = "${inputs.pkgs.frp}/bin/frps";
-              config = inputs.config.sops.templates."frps.ini";
+              config = inputs.config.sops.templates."frps.json";
             in
             {
               description = "Frp Server Service";
@@ -124,29 +172,30 @@ inputs:
             };
           sops =
           {
-            templates."frps.ini" =
+            templates."frps.json" =
             {
               owner = inputs.config.users.users.frp.name;
               group = inputs.config.users.users.frp.group;
-              content = inputs.lib.generators.toINI {}
+              content = builtins.toJSON
               {
-                common = let cert = inputs.config.security.acme.certs.${frpServer.serverName}.directory; in
+                auth.token = inputs.config.sops.placeholder."frp/token";
+                transport.tls = let cert = inputs.config.security.acme.certs.${frpServer.serverName}.directory; in
                 {
-                  bind_port = 7000;
-                  bind_udp_port = 7000;
-                  token = inputs.config.sops.placeholder."frp/token";
-                  tls_cert_file = "${cert}/full.pem";
-                  tls_key_file = "${cert}/key.pem";
-                  tls_only = true;
-                  user_conn_timeout = 30;
+                  force = true;
+                  certFile = "${cert}/full.pem";
+                  keyFile = "${cert}/key.pem";
+                  serverName = frpServer.serverName;
                 };
               };
             };
             secrets."frp/token" = {};
           };
-          nixos.services.acme = { enable = true; certs = [ frpServer.serverName ]; };
-          security.acme.certs.${frpServer.serverName}.group = "frp";
-          users = { users.frp = { isSystemUser = true; group = "frp"; }; groups.frp = {}; };
+          nixos.services.acme = { enable = true; cert.${frpServer.serverName}.group = "frp"; };
+          users =
+          {
+            users.frp = { uid = inputs.config.nixos.system.user.user.frp; group = "frp"; isSystemUser = true; };
+            groups.frp.gid = inputs.config.nixos.system.user.group.frp;
+          };
           networking.firewall.allowedTCPPorts = [ 7000 ];
         }
       )

modules/services/fz-new-order/default.nix

@@ -0,0 +1,115 @@
+inputs:
+{
+  options.nixos.services.fz-new-order = let inherit (inputs.lib) mkOption types; in
+  {
+    enable = mkOption { type = types.bool; default = false; };
+  };
+  config =
+    let
+      inherit (inputs.config.nixos.services) fz-new-order;
+      inherit (inputs.localLib) attrsToList;
+      inherit (inputs.lib) mkIf;
+      inherit (builtins) map listToAttrs toString concatLists;
+    in mkIf fz-new-order.enable
+    {
+      users =
+      {
+        users.fz-new-order =
+        {
+          uid = inputs.config.nixos.system.user.user.fz-new-order;
+          group = "fz-new-order";
+          home = "/var/lib/fz-new-order";
+          createHome = true;
+          isSystemUser = true;
+        };
+        groups.fz-new-order.gid = inputs.config.nixos.system.user.group.fz-new-order;
+      };
+      systemd =
+      {
+        timers.fz-new-order =
+        {
+          wantedBy = [ "timers.target" ];
+          timerConfig =
+          {
+            OnBootSec = "10m";
+            OnUnitActiveSec = "10m";
+            Unit = "fz-new-order.service";
+          };
+        };
+        services.fz-new-order = rec
+        {
+          description = "fz-new-order";
+          after = [ "network.target" ];
+          requires = after;
+          serviceConfig =
+          {
+            User = inputs.config.users.users."fz-new-order".name;
+            Group = inputs.config.users.users."fz-new-order".group;
+            WorkingDirectory = "/var/lib/fz-new-order";
+            ExecStart =
+              let
+                src = inputs.pkgs.substituteAll
+                {
+                  src = ./main.cpp;
+                  config_file = inputs.config.sops.templates."fz-new-order/config.json".path;
+                };
+                binary = inputs.pkgs.stdenv.mkDerivation
+                {
+                  name = "fz-new-order";
+                  inherit src;
+                  buildInputs = with inputs.pkgs; [ jsoncpp.dev cereal fmt httplib ];
+                  dontUnpack = true;
+                  buildPhase =
+                  ''
+                    runHook preBuild
+                    g++ -std=c++20 -O2 -o fz-new-order ${src} -ljsoncpp -lfmt
+                    runHook postBuild
+                  '';
+                  installPhase =
+                  ''
+                    runHook preInstall
+                    mkdir -p $out/bin
+                    cp fz-new-order $out/bin/fz-new-order
+                    runHook postInstall
+                  '';
+                };
+              in "${binary}/bin/fz-new-order";
+          };
+        };
+        tmpfiles.rules =
+        [
+          "d /var/lib/fz-new-order 0700 fz-new-order fz-new-order"
+          "Z /var/lib/fz-new-order - fz-new-order fz-new-order"
+        ];
+      };
+      sops = let userNum = 6; configNum = 2; in
+      {
+        templates."fz-new-order/config.json" =
+        {
+          owner = inputs.config.users.users."fz-new-order".name;
+          group = inputs.config.users.users."fz-new-order".group;
+          content = let placeholder = inputs.config.sops.placeholder; in builtins.toJSON
+          {
+            manager = placeholder."fz-new-order/manager";
+            token = placeholder."fz-new-order/token";
+            uids = map (j: placeholder."fz-new-order/uids/user${toString j}") (builtins.genList (n: n) userNum);
+            config = map
+              (i: listToAttrs (map
+                (attrName: { name = attrName; value = placeholder."fz-new-order/config${toString i}/${attrName}"; })
+                [ "username" "password" "comment" ]))
+              (builtins.genList (n: n) configNum);
+          };
+        };
+        secrets =
+          { "fz-new-order/manager" = {}; "fz-new-order/token" = {}; }
+          // (listToAttrs (map
+            (i: { name = "fz-new-order/uids/user${toString i}"; value = {}; })
+            (builtins.genList (n: n) userNum)))
+          // (listToAttrs (concatLists (map
+            (i: map
+              (attrName: { name = "fz-new-order/config${toString i}/${attrName}"; value = {}; })
+              [ "username" "password" "comment" ])
+            (builtins.genList (n: n) configNum))));
+      };
+    };
+}

modules/services/fz-new-order/main.cpp

@@ -0,0 +1,254 @@
+# include <iostream>
+# include <set>
+# include <sstream>
+# include <filesystem>
+# include <cereal/types/set.hpp>
+# include <cereal/archives/json.hpp>
+# include <fmt/format.h>
+# include <fmt/ranges.h>
+# include <httplib.h>
+# include <json/json.h>
+
+std::string urlencode(std::string s)
+{
+  auto hexchar = [](unsigned char c, unsigned char &hex1, unsigned char &hex2)
+  {
+    hex1 = c / 16;
+    hex2 = c % 16;
+    hex1 += hex1 <= 9 ? '0' : 'a' - 10;
+    hex2 += hex2 <= 9 ? '0' : 'a' - 10;
+  };
+  const char *str = s.c_str();
+  std::vector<char> v(s.size());
+  v.clear();
+  for (std::size_t i = 0, l = s.size(); i < l; i++)
+  {
+    char c = str[i];
+    if
+    (
+      (c >= '0' && c <= '9')
+        || (c >= 'a' && c <= 'z')
+        || (c >= 'A' && c <= 'Z')
+        || c == '-' || c == '_' || c == '.' || c == '!' || c == '~'
+        || c == '*' || c == '\'' || c == '(' || c == ')'
+    )
+      v.push_back(c);
+    else
+    {
+      v.push_back('%');
+      unsigned char d1, d2;
+      hexchar(c, d1, d2);
+      v.push_back(d1);
+      v.push_back(d2);
+    }
+  }
+  return std::string(v.cbegin(), v.cend());
+}
+
+void oneshot
+(
+  const std::string& username, const std::string& password, const std::string& comment,
+  const std::set<std::string>& wxuser, const std::set<std::string>& manager, const std::string& token
+)
+{
+  httplib::Client fzclient("http://scmv9.fengzhansy.com:8882");
+  httplib::Client wxclient("http://wxpusher.zjiecode.com");
+  auto& log = std::clog;
+
+  try
+  {
+    // get JSESSIONID
+    auto cookie_jsessionid = [&]() -> std::string
+    {
+      log << "get /scmv9/login.jsp\n";
+      auto result = fzclient.Get("/scmv9/login.jsp");
+      if (result.error() != httplib::Error::Success)
+        throw std::runtime_error("request failed");
+      auto it = result.value().headers.find("Set-Cookie");
+      if (it == result.value().headers.end() || it->first != "Set-Cookie")
+        throw std::runtime_error("find cookie failed");
+      log << fmt::format("set_cookie JSESSIONID {}\n", it->second.substr(0, it->second.find(';')));
+      return it->second.substr(0, it->second.find(';'));
+    }();
+
+    // login
+    auto cookie_pppp = [&]() -> std::string
+    {
+      auto body = fmt::format("method=dologinajax&rand=1234&userc={}&mdid=P&passw={}", username, password);
+      httplib::Headers headers =
+      {
+        { "X-Requested-With", "XMLHttpRequest" },
+        {
+          "User-Agent",
+          "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36"
+        },
+        { "Content-Type", "application/x-www-form-urlencoded; charset=UTF-8" },
+        { "Origin", "http://scmv9.fengzhansy.com:8882" },
+        { "Referer", "http://scmv9.fengzhansy.com:8882/scmv9/login.jsp" },
+        { "Cookie", cookie_jsessionid }
+      };
+      log << "post /scmv9/data.jsp\n";
+      auto result = fzclient.Post("/scmv9/data.jsp", headers, body, "application/x-www-form-urlencoded; charset=UTF-8");
+      if (result.error() != httplib::Error::Success)
+        throw std::runtime_error("request failed");
+      log << fmt::format("set_cookie pppp {}\n", fmt::format("pppp={}%40{}", username, password));
+      return fmt::format("pppp={}%40{}", username, password);
+    }();
+
+    // get order list
+    auto order_list = [&]() -> std::map<std::string, std::pair<std::string, std::string>>
+    {
+      auto body = fmt::format("method=dgate&rand=1234&op=scmmgr_pcggl&nv%5B%5D=opmode&nv%5B%5D=dd_qry&nv%5B%5D=bill&nv%5B%5D=&nv%5B%5D=storeid&nv%5B%5D=&nv%5B%5D=vendorid&nv%5B%5D={}&nv%5B%5D=qr_status&nv%5B%5D=&nv%5B%5D=ddprt&nv%5B%5D=%25&nv%5B%5D=fdate&nv%5B%5D=&nv%5B%5D=tdate&nv%5B%5D=&nv%5B%5D=shfdate&nv%5B%5D=&nv%5B%5D=shtdate&nv%5B%5D=&nv%5B%5D=fy_pno&nv%5B%5D=1&nv%5B%5D=fy_psize&nv%5B%5D=10", username);
+      httplib::Headers headers =
+      {
+        { "X-Requested-With", "XMLHttpRequest" },
+        {
+          "User-Agent",
+          "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36"
+        },
+        { "Content-Type", "application/x-www-form-urlencoded; charset=UTF-8" },
+        { "Origin", "http://scmv9.fengzhansy.com:8882"
+        },
+        { "Referer", "http://scmv9.fengzhansy.com:8882/scmv9/SCM/cggl_po_qry.jsp" },
+        { "Cookie", fmt::format("{}; {}", cookie_jsessionid, cookie_pppp) }
+      };
+      log << "post /scmv9/data.jsp\n";
+      auto result = fzclient.Post("/scmv9/data.jsp", headers, body, "application/x-www-form-urlencoded; charset=UTF-8");
+      if (result.error() != httplib::Error::Success)
+        throw std::runtime_error("request failed");
+      log << fmt::format("get result {}\n", result.value().body);
+      std::stringstream result_body(result.value().body);
+      Json::Value root;
+      result_body >> root;
+      std::map<std::string, std::pair<std::string, std::string>> orders;
+      for (unsigned i = 0; i < root["dt"][1].size(); i++)
+      {
+        log << fmt::format
+        (
+          "insert order {} {} {}\n", root["dt"][1][i].asString(), root["dt"][2][i].asString(),
+          root["dt"][4][i].asString()
+        );
+        orders.insert({root["dt"][1][i].asString(), {root["dt"][2][i].asString(), root["dt"][4][i].asString()}});
+      }
+      return orders;
+    }();
+
+    // read order old
+    auto order_old = [&]() -> std::set<std::string>
+    {
+      if (!std::filesystem::exists("orders.json"))
+        return {};
+      else
+      {
+        std::ifstream ins("orders.json");
+        cereal::JSONInputArchive ina(ins);
+        std::set<std::string> data;
+        cereal::load(ina, data);
+        return data;
+      }
+    }();
+
+    // push new order info
+    for (const auto& order : order_list)
+      if (!order_old.contains(order.first))
+      {
+        for (const auto& user : manager)
+        {
+          auto path = fmt::format
+          (
+            "/api/send/message/?appToken={}&content={}&uid={}",
+            token, urlencode(fmt::format("push {}", order.first)), user
+          );
+          auto wxresult = wxclient.Get(path.c_str());
+        }
+
+        auto body = fmt::format
+        (
+          "method=dgate&rand=1234&op=scmmgr_pcggl&nv%5B%5D=opmode&nv%5B%5D=ddsp_qry&nv%5B%5D=bill&nv%5B%5D={}",
+          order.first
+        );
+        httplib::Headers headers =
+        {
+          { "X-Requested-With", "XMLHttpRequest" },
+          {
+            "User-Agent",
+            "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36"
+          },
+          { "Content-Type", "application/x-www-form-urlencoded; charset=UTF-8" },
+          { "Origin", "http://scmv9.fengzhansy.com:8882" },
+          { "Referer", "http://scmv9.fengzhansy.com:8882/scmv9/SCM/cggl_po_qry.jsp" },
+          { "Cookie", fmt::format("{}; {}", cookie_jsessionid, cookie_pppp) }
+        };
+        log << "post /scmv9/data.jsp\n";
+        auto result = fzclient.Post
+          ("/scmv9/data.jsp", headers, body, "application/x-www-form-urlencoded; charset=UTF-8");
+        if (result.error() != httplib::Error::Success)
+          throw std::runtime_error("request failed");
+        log << fmt::format("get result {}\n", result.value().body);
+        std::stringstream result_body(result.value().body);
+        Json::Value root;
+        result_body >> root;
+
+        std::stringstream push_body;
+        double all_cost = 0;
+        push_body << fmt::format
+        (
+          "{} {} {}店\n", comment, order.second.second.substr(order.second.second.find('-') + 1),
+          order.second.first.substr(1, 2)
+        );
+        for (unsigned i = 0; i < root["dt"][6].size(); i++)
+        {
+          push_body << fmt::format
+          (
+            "{} {}{}\n", root["dt"][6][i].asString().substr(root["dt"][6][i].asString().length() - 4),
+            root["dt"][7][i].asString(), root["dt"][5][i].asString()
+          );
+          // 订货金额 maybe empty ???
+          if (root["dt"][10][i].asString() != "")
+            all_cost += std::stod(root["dt"][10][i].asString());
+        }
+        push_body << fmt::format("共{:.2f}元\n", all_cost);
+        log << fmt::format("push to wx {}\n", push_body.str());
+        auto encoded = urlencode(push_body.str());
+            
+        for (const auto& wxu : wxuser)
+        {
+          auto path = fmt::format
+            ("/api/send/message/?appToken={}&content={}&uid={}", token, encoded, wxu);
+          auto wxresult = wxclient.Get(path.c_str());
+        }
+      }
+
+    // save data
+    {
+      for (const auto& order : order_list)
+        if (!order_old.contains(order.first))
+          order_old.insert(order.first);
+      std::ofstream os("orders.json");
+      cereal::JSONOutputArchive oa(os);
+      cereal::save(oa, order_old);
+    }
+  }
+  catch (const std::exception& ex)
+  {
+    log << ex.what() << "\n" << std::flush;
+    std::terminate();
+  }
+}
+
+int main(int argc, char** argv)
+{
+  Json::Value configs;
+  std::ifstream("@config_file@") >> configs;
+  auto config_uids = configs["uids"];
+  std::set<std::string> uids;
+  for (auto& uid : config_uids)
+    uids.insert(uid.asString());
+  for (auto& config : configs["config"])
+    oneshot
+    (
+      config["username"].asString(), config["password"].asString(), config["comment"].asString(),
+      uids, { configs["manager"].asString() }, configs["token"].asString()
+    );
+}
+

modules/services/gamemode.nix

@@ -0,0 +1,30 @@
+inputs:
+{
+  options.nixos.services.gamemode = let inherit (inputs.lib) mkOption types; in
+  {
+    enable = mkOption { type = types.bool; default = false; };
+    drmDevice = mkOption { type = types.int; };
+  };
+  config = let inherit (inputs.config.nixos.services) gamemode; in inputs.lib.mkIf gamemode.enable
+  {
+    programs.gamemode =
+    {
+      enable = true;
+      settings =
+      {
+        general.renice = 10;
+        gpu =
+        {
+          apply_gpu_optimisations = "accept-responsibility";
+          nv_powermizer_mode = 1;
+          gpu_device = builtins.toString gamemode.drmDevice;
+        };
+        custom = let notify-send = "${inputs.pkgs.libnotify}/bin/notify-send"; in
+        {
+          start = "${notify-send} 'GameMode started'";
+          end = "${notify-send} 'GameMode ended'";
+        };
+      };
+    };
+  };
+}

modules/services/gitea.nix

@@ -0,0 +1,54 @@
+inputs:
+{
+  options.nixos.services.gitea = let inherit (inputs.lib) mkOption types; in
+  {
+    enable = mkOption { type = types.bool; default = false; };
+    hostname = mkOption { type = types.str; default = "git.chn.moe"; };
+  };
+  config =
+    let
+      inherit (inputs.config.nixos.services) gitea;
+      inherit (inputs.lib) mkIf;
+    in mkIf gitea.enable
+    {
+      services.gitea =
+      {
+        enable = true;
+        lfs.enable = true;
+        mailerPasswordFile = inputs.config.sops.secrets."gitea/mail".path;
+        database =
+          { createDatabase = false; type = "postgres"; passwordFile = inputs.config.sops.secrets."gitea/db".path; };
+        settings =
+        {
+          session.COOKIE_SECURE = true;
+          server =
+          {
+            ROOT_URL = "https://${gitea.hostname}";
+            DOMAIN = gitea.hostname;
+            HTTP_PORT = 3002;
+            SSH_DOMAIN = "ssh.${gitea.hostname}";
+          };
+          mailer =
+          {
+            ENABLED = true;
+            FROM = "bot@chn.moe";
+            PROTOCOL = "smtps";
+            SMTP_ADDR = "mail.chn.moe";
+            SMTP_PORT = 465;
+            USER = "bot@chn.moe";
+          };
+        };
+      };
+      nixos.services =
+      {
+        nginx = { enable = true; https."${gitea.hostname}".location."/".proxy.upstream = "http://127.0.0.1:3002"; };
+        postgresql.instances.gitea = {};
+      };
+      sops.secrets =
+      {
+        "gitea/mail" = { owner = "gitea"; key = "mail/bot"; };
+        "gitea/db" = { owner = "gitea"; key = "postgresql/gitea"; };
+        "mail/bot" = {};
+      };
+    };
+}

modules/services/grafana.nix

@@ -0,0 +1,67 @@
+inputs:
+{
+  options.nixos.services.grafana = let inherit (inputs.lib) mkOption types; in
+  {
+    enable = mkOption { type = types.bool; default = false; };
+    hostname = mkOption { type = types.str; default = "grafana.chn.moe"; };
+  };
+  config =
+    let
+      inherit (inputs.config.nixos.services) grafana;
+      inherit (inputs.lib) mkIf;
+    in mkIf grafana.enable
+    {
+      services.grafana =
+      {
+        enable = true;
+        declarativePlugins = with inputs.pkgs.grafanaPlugins; [];
+        settings =
+        {
+          users = { verify_email_enabled = true; default_language = "zh-CN"; allow_sign_up = true; };
+          smtp =
+          {
+            enabled = true;
+            host = "mail.chn.moe";
+            user = "bot@chn.moe";
+            password = "$__file{${inputs.config.sops.secrets."grafana/mail".path}}";
+            from_address = "bot@chn.moe";
+            ehlo_identity = grafana.hostname;
+            startTLS_policy = "MandatoryStartTLS";
+          };
+          server = { root_url = "https://${grafana.hostname}"; http_port = 3001; enable_gzip = true; };
+          security =
+          {
+            secret_key = "$__file{${inputs.config.sops.secrets."grafana/secret".path}}";
+            admin_user = "chn";
+            admin_password = "$__file{${inputs.config.sops.secrets."grafana/chn".path}}";
+            admin_email = "chn@chn.moe";
+          };
+          database =
+          {
+            type = "postgres";
+            host = "127.0.0.1:5432";
+            user = "grafana";
+            password = "$__file{${inputs.config.sops.secrets."grafana/db".path}}";
+          };
+        };
+      };
+      nixos.services =
+      {
+        nginx =
+        {
+          enable = true;
+          https."${grafana.hostname}".location."/".proxy =
+            { upstream = "http://127.0.0.1:3001"; websocket = true; };
+        };
+        postgresql.instances.grafana = {};
+      };
+      sops.secrets = let owner = inputs.config.systemd.services.grafana.serviceConfig.User; in
+      {
+        "grafana/mail" = { owner = owner; key = "mail/bot"; };
+        "grafana/secret".owner = owner;
+        "grafana/chn".owner = owner;
+        "grafana/db" = { owner = owner; key = "postgresql/grafana"; };
+        "mail/bot" = {};
+      };
+    };
+}

modules/services/groupshare.nix

@@ -9,28 +9,37 @@ inputs:
   config =
     let
       inherit (inputs.lib) mkIf;
-      inherit (builtins) listToAttrs map concatLists;
+      inherit (builtins) listToAttrs map concatLists concatStringsSep;
       inherit (inputs.config.nixos.services) groupshare;
       users = inputs.config.users.groups.groupshare.members;
     in mkIf groupshare.enable
     {
-      users.groups.groupshare = {};
+      users.groups.groupshare.gid = inputs.config.nixos.system.user.group.groupshare;
       systemd.tmpfiles.rules = [ "d /var/lib/groupshare" ]
         ++ (concatLists (map
           (user:
           [
             "d /var/lib/groupshare/${user} 2750 ${user} groupshare"
-            # systemd 253 does not support 'X' bit, it should be manually set
-            # sudo setfacl -m 'xxx' dir
-            # ("a /var/lib/groupshare/${user} - - - - "
-            #   + "d:u:${user}:rwX,u:${user}:rwX,d:g:groupshare:r-X,g:groupshare:r-X,d:o::---,o::---,d:m::r-x,m::r-x")
+            "Z /var/lib/groupshare/${user} - ${user} groupshare"
+            ("A /var/lib/groupshare/${user} - - - - "
+              # d 指 default, 即目录下新创建的文件和目录的权限
+              # 大写 X 指仅给目录执行权限
+              # m 指 mask, 即对于所有者以外的用户, 该用户的权限最大为 m 指定的权限
+              + (concatStringsSep "," (concatLists (map
+                (perm: [ "d:${perm}" perm ])
+                [ "u:${user}:rwX" "g:groupshare:r-X" "o::---" "m::r-x" ]))))
           ])
           users));
       fileSystems = listToAttrs (map
         (mountPoint:
         {
           name = mountPoint;
-          value = { device = "/var/lib/groupshare"; options = [ "bind" ]; depends = [ "/home" "/var/lib" ]; };
+          value =
+          {
+            device = "/var/lib/groupshare";
+            options = [ "bind" "private" "x-gvfs-hide" "X-fstrim.notrim" ];
+            depends = [ "/home" "/var/lib" ];
+          };
         })
         groupshare.mountPoints);
     };

modules/services/httpapi.nix

@@ -0,0 +1,45 @@
+inputs:
+{
+  options.nixos.services.httpapi = let inherit (inputs.lib) mkOption types; in
+  {
+    enable = mkOption { type = types.bool; default = false; };
+    hostname = mkOption { type = types.nonEmptyStr; default = "api.chn.moe"; };
+  };
+  config =
+    let
+      inherit (inputs.config.nixos.services) httpapi;
+      inherit (inputs.lib) mkIf;
+      inherit (builtins) toString map;
+    in mkIf httpapi.enable
+    {
+      nixos.services =
+      {
+        phpfpm.instances.httpapi = {};
+        nginx.https.${httpapi.hostname}.location =
+        {
+          "/files".static.root = "/srv/api";
+          "/led".static = { root = "/srv/api"; detectAuth.users = [ "led" ]; };
+          "/notify.php".php =
+          {
+            root = builtins.dirOf inputs.config.sops.templates."httpapi/notify.php".path;
+            fastcgiPass = inputs.config.nixos.services.phpfpm.instances.httpapi.fastcgi;
+          };
+        };
+      };
+      sops =
+      {
+        templates."httpapi/notify.php" =
+        {
+          owner = inputs.config.users.users.httpapi.name;
+          group = inputs.config.users.users.httpapi.group;
+          content =
+            let
+              placeholder = inputs.config.sops.placeholder;
+              request = "https://api.telegram.org/${placeholder."httpapi/token"}/sendMessage?chat_id=861886506&text=";
+            in ''<?php print file_get_contents("${request}".urlencode($_GET["message"])); ?>'';
+        };
+        secrets."httpapi/token" = {};
+      };
+      systemd.tmpfiles.rules = [ "d /srv/api 0700 nginx nginx" "Z /srv/api - nginx nginx" ];
+    };
+}

modules/services/httpua/default.nix

@@ -0,0 +1,25 @@
+inputs:
+{
+  options.nixos.services.httpua = let inherit (inputs.lib) mkOption types; in
+  {
+    enable = mkOption { type = types.bool; default = false; };
+    hostname = mkOption { type = types.nonEmptyStr; default = "ua.chn.moe"; };
+  };
+  config =
+    let
+      inherit (inputs.config.nixos.services) httpua;
+      inherit (inputs.lib) mkIf;
+      inherit (builtins) toString;
+    in mkIf httpua.enable
+    {
+      nixos.services =
+      {
+        phpfpm.instances.httpua = {};
+        nginx.http.${httpua.hostname}.php =
+        {
+          root = toString ./.;
+          fastcgiPass = inputs.config.nixos.services.phpfpm.instances.httpua.fastcgi;
+        };
+      };
+    };
+}

modules/services/httpua/index.php

@@ -0,0 +1 @@
+<?php echo $_SERVER['HTTP_USER_AGENT']; ?>

modules/services/huginn.nix

@@ -0,0 +1,66 @@
+inputs:
+{
+  options.nixos.services.huginn = let inherit (inputs.lib) mkOption types; in
+  {
+    enable = mkOption { type = types.bool; default = false; };
+    hostname = mkOption { type = types.nonEmptyStr; default = "huginn.chn.moe"; };
+  };
+  config =
+    let
+      inherit (inputs.lib) mkIf;
+      inherit (inputs.config.nixos.services) huginn;
+    in mkIf huginn.enable
+    {
+      virtualisation.oci-containers.containers.huginn =
+      {
+        image = "huginn/huginn:2d5fcafc507da3e8c115c3479e9116a0758c5375";
+        imageFile = inputs.pkgs.dockerTools.pullImage
+        {
+          imageName = "ghcr.io/huginn/huginn";
+          imageDigest = "sha256:aa694519b196485c6c31582dde007859fc8b8bbe9b1d4d94c6db8558843d0458";
+          sha256 = "0471v20d7ilwx81kyrxjcb90nnmqyyi9mwazbpy3z4rhnzv7pz76";
+          finalImageName = "huginn/huginn";
+          finalImageTag = "2d5fcafc507da3e8c115c3479e9116a0758c5375";
+        };
+        ports = [ "127.0.0.1:3000:3000/tcp" ];
+        extraOptions = [ "--add-host=host.docker.internal:host-gateway" ];
+        environmentFiles = [ inputs.config.sops.templates."huginn/env".path ];
+      };
+      sops =
+      {
+        templates."huginn/env".content = let placeholder = inputs.config.sops.placeholder; in
+        ''
+          MYSQL_PORT_3306_TCP_ADDR=host.docker.internal
+          HUGINN_DATABASE_NAME=huginn
+          HUGINN_DATABASE_USERNAME=huginn
+          HUGINN_DATABASE_PASSWORD=${placeholder."mariadb/huginn"}
+          DOMAIN=${huginn.hostname}
+          RAILS_ENV=production
+          FORCE_SSL=true
+          INVITATION_CODE=${placeholder."huginn/invitationCode"}
+          SMTP_DOMAIN=mail.chn.moe
+          SMTP_USER_NAME=bot@chn.moe
+          SMTP_PASSWORD="${placeholder."mail/bot"}"
+          SMTP_SERVER=mail.chn.moe
+          SMTP_SSL=true
+          EMAIL_FROM_ADDRESS=bot@chn.moe
+          TIMEZONE=Beijing
+          DO_NOT_CREATE_DATABASE=true
+        '';
+        secrets = { "huginn/invitationCode" = {}; "mail/bot" = {}; };
+      };
+      nixos =
+      {
+        services =
+        {
+          nginx =
+          {
+            enable = true;
+            https."${huginn.hostname}".location."/".proxy = { upstream = "http://127.0.0.1:3000"; websocket = true; };
+          };
+          mariadb.instances.huginn = {};
+        };
+        virtualization.docker.enable = true;
+      };
+    };
+}