Merge branch 'edge' into rocm

This reverts commit 7dba94af81.

.gitattributes

@@ -1,6 +1 @@
-*.png filter=lfs diff=lfs merge=lfs -text
-*.icm filter=lfs diff=lfs merge=lfs -text
-*.jpg filter=lfs diff=lfs merge=lfs -text
-*.webp filter=lfs diff=lfs merge=lfs -text
-*.efi filter=lfs diff=lfs merge=lfs -text
 flake/branch.nix merge=ours

.sops.yaml

@@ -1,27 +1,26 @@
 keys: # cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
   - &chn age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
   - &pc age1ffvr5pqd2lfj24e3fh53s92z6h76fda3du4y4k6r3yjumdwvpfgqzj033a
+  - &vps4 age1yvrl4y0r6yzcxzzkgfwshlrtsjt8uuya6rfwks09pnft7esfcyvqmrtm5q
   - &vps6 age164tyqklwhdm57tfm5u863mdt2xrzrrzac4py8a0j9y6kzqcjy9zsp073t6
-  - &vps7 age137x7csalutwvfygvvzpemlsywvdxj3j4z93a50z2sjx03w6zau8q3r5902
   - &nas age19lhcwk37jmvn6z0v4dpdfh0k4u23f76twdjknc0p7atktf37rd7s4t4wj3
-  - &one age1m7nrxfw22wvp7pj8y9pdl745w95x89uu8dzl9ppsaazweqf2lqms5yshsp
   - &srv1-node0 age1nzetyehldf3gl6pr6mu5d2cv387p8wjqn6wfpll7a3sl8us6n38s0ds633
   - &srv1-node1 age1wj33xt8nj7rhnsenepsf6k3lmq5vk4wn84jwr55qy9cwu05xn5cspg3h7t
   - &srv1-node2 age16e7ykphshal6qhwfvat698hl48s8yr0jvzh27ecdyfh5uk7t9u6s753jgy
   - &srv2-node0 age1l4stuz0vr7gs7pqwjrmezam44702jp2vmqaqyxw0l0r42kf9updq4dfhrw
   - &srv2-node1 age1hnarptkze0ujpp05dqr8uma04cxg9zqcx68qgpks5uf5l6rpk5gqhh8wxg
-  - &srv3 age1n4lhfwv7g0vhx54exmwx9yv2z04m3h2lunzpa5zdzgtcvjjuf5nqc36g8a
+  - &test age1vgqvdqqe3mn0gvh0hydvu9c5f9yn5vek08cagyvwjhyta6utpvuq00g9c2
+  - &test-pc age17a8y4yr2ckuek67rt786ujuf7705gvj3vv6ezktxxmgayea9zcyqet7hgc
+  - &test-pc-vm age1wmcayhf9eyx9e9yp97850mqas9ns455crce8hfmvnupgcxd6sews5r0cln
 creation_rules:
   - path_regex: devices/pc/.*$
     key_groups: [{ age: [ *chn, *pc ] }]
+  - path_regex: devices/vps4/.*$
+    key_groups: [{ age: [ *chn, *vps4 ] }]
   - path_regex: devices/vps6/.*$
     key_groups: [{ age: [ *chn, *vps6 ] }]
-  - path_regex: devices/vps7/.*$
-    key_groups: [{ age: [ *chn, *vps7 ] }]
   - path_regex: devices/nas/.*$
     key_groups: [{ age: [ *chn, *nas ] }]
-  - path_regex: devices/one/.*$
-    key_groups: [{ age: [ *chn, *one ] }]
   - path_regex: devices/srv1/secrets/.*$
     key_groups: [{ age: [ *chn, *srv1-node0, *srv1-node1, *srv1-node2 ] }]
   - path_regex: devices/srv1/node0/.*$
@@ -36,12 +35,16 @@ creation_rules:
     key_groups: [{ age: [ *chn, *srv2-node0 ] }]
   - path_regex: devices/srv2/node1/.*$
     key_groups: [{ age: [ *chn, *srv2-node1 ] }]
-  - path_regex: devices/srv3/.*$
-    key_groups: [{ age: [ *chn, *srv3 ] }]
+  - path_regex: devices/test/.*$
+    key_groups: [{ age: [ *chn, *test ] }]
+  - path_regex: devices/test-pc/.*$
+    key_groups: [{ age: [ *chn, *test-pc ] }]
+  - path_regex: devices/test-pc-vm/.*$
+    key_groups: [{ age: [ *chn, *test-pc-vm ] }]
   - path_regex: devices/cross/secrets/default.yaml$
     key_groups:
-    - age: [ *chn, *pc, *vps6, *vps7, *nas, *one, *srv1-node0, *srv1-node1, *srv1-node2, *srv2-node0, *srv2-node1,
-        *srv3 ]
+    - age: [ *chn, *pc, *vps4, *vps6, *nas, *srv1-node0, *srv1-node1, *srv1-node2, *srv2-node0, *srv2-node1,
+      *test, *test-pc, *test-pc-vm]
   - path_regex: devices/cross/secrets/chn.yaml$
     key_groups:
-    - age: [ *chn, *pc, *one, *nas ]
+    - age: [ *chn, *pc, *nas ]

devices/cross/luks-manual/default.nix

@@ -3,17 +3,16 @@ let devices =
 {
   nas =
   {
-    "/dev/disk/by-uuid/a47f06e1-dc90-40a4-89ea-7c74226a5449".mapper = "root3";
-    "/dev/disk/by-uuid/b3408fb5-68de-405b-9587-5e6fbd459ea2".mapper = "root4";
-    "/dev/disk/by-uuid/a779198f-cce9-4c3d-a64a-9ec45f6f5495" = { mapper = "nix"; ssd = true; };
+    "/dev/disk/by-partlabel/nas-root1".mapper = "root1";
+    "/dev/disk/by-partlabel/nas-root2".mapper = "root2";
+    "/dev/disk/by-partlabel/nas-root3" = { mapper = "root3"; ssd = true; };
+    "/dev/disk/by-partlabel/nas-root4" = { mapper = "root4"; ssd = true; };
+    "/dev/disk/by-partlabel/nas-swap" = { mapper = "swap"; ssd = true; };
+    "/dev/disk/by-partlabel/nas-ssd1" = { mapper = "ssd1"; ssd = true; };
+    "/dev/disk/by-partlabel/nas-ssd2" = { mapper = "ssd2"; ssd = true; };
   };
+  vps4."/dev/disk/by-uuid/bf7646f9-496c-484e-ada0-30335da57068" = { mapper = "root"; ssd = true; };
   vps6."/dev/disk/by-uuid/961d75f0-b4ad-4591-a225-37b385131060" = { mapper = "root"; ssd = true; };
-  vps7."/dev/disk/by-uuid/db48c8de-bcf7-43ae-a977-60c4f390d5c4" = { mapper = "root"; ssd = true; };
-  srv3 =
-  {
-    "/dev/disk/by-partlabel/srv3-root1" = { mapper = "root1"; ssd = true; };
-    "/dev/disk/by-partlabel/srv3-swap" = { mapper = "swap"; ssd = true; };
-  };
 };
 in
 {

devices/cross/secrets/default.yaml

@@ -21,132 +21,155 @@ users:
     GROUPIII-3: ENC[AES256_GCM,data:c+HRdDZPugIVI2vmuOlorhjZzxS11c6CJiZ3ZEwFFHfIoIUmGsXoRPGraJ0BjI3W+XZbI6qk211yufTgXLVj7nOVi0PW/9mteg==,iv:H8DlkTjkL/f6Oa2LG3dHRsJuWkEqokUJ/mjMyDnEAc4=,tag:0QmUyfAbYnn7vs4AdwQtYw==,type:str]
     #ENC[AES256_GCM,data:F347rPlEQZyz,iv:VlbVlc/tFmmoe8lVDza7ZJgHavZ/1NM9mK3KZNVrpbk=,tag:iRdvv0ajtgrJgMe87vBFfA==,type:comment]
     zzn: ENC[AES256_GCM,data:P76cGOGJK3B7Z3nxZ9BlvvyegJ+4JX25kax7/Bj/0VKsH1cGEfyvNbPH8qYUZqm+zUvqEoFNZKWM4+IQKO7Zo9IXCJhGItL1Nw==,iv:e9lnHecgzSrHJkxumRpKGHzGlYbM5Yov4F4Dd4fIqrc=,tag:G7Cr7d1KZfldzYNRL1eSpA==,type:str]
-    aleksana: ENC[AES256_GCM,data:xRqQLPpcv0Ymz7wV0jDDz1i6eKIZKEXvqofO58VSHEC9aVSTLV7aXLw2kQ8PrAPo4FAkne2F6MYQGRwZFIHOjxfhw+ncXVDHxg==,iv:OSbT/f2LRUFY3DEyCCbWkPzwsrsNdVz6ah5ITRt+Kjc=,tag:00z36RTe76p1uxFCchGcpg==,type:str]
+    #ENC[AES256_GCM,data:cZznknXjlWF6eoEaTA==,iv:tdw/54W2evO1o5sq1syz3k0DZrm/rjflxqJpB9LZgvg=,tag:d60Ctc5YeSmhZJUURUmeSg==,type:comment]
+    zqq: ENC[AES256_GCM,data:iFtM0pxIvXPHBnLEfHdmYGVWXuroDLgUaAKF+DmuBdq1NY+pr33oXNJzckFZfWgpIOuCm4cNg5j5R6nsG+zk2VWdi2vuITT4jA==,iv:qfBC/D1gJYXOZ0Fy2DkAb+ImDgXZWU6R/Z50hbVDR98=,tag:eCr6lbSieWDCNaTYzoQ0qQ==,type:str]
+    zgq: ENC[AES256_GCM,data:cHYFToQ5ulEcb741Gg3X4lKj8ZJy1zcLHpkVQjQXt5hRAQtPsiPlegi2a1nUIAUb6sI//4ffcytlXpdK2sXewFe3ZiIXy3UVjQ==,iv:fKaPxpfh5ssOwAbmEsAPaQ45KrNtkHZb96IzWc6pD9s=,tag:Vt91B77SjxYaZ/HvWVBufA==,type:str]
 telegram:
     token: ENC[AES256_GCM,data:zfMATU2E6cwoiyfszV35vkQG6JSk00y589wmGEf4wQNncPhNsvh+NcSfnTwHTQ==,iv:Q46mUquhUZLGQsCDYitk4IPu24MpVnYmi7aHyZL/b1E=,tag:QVbrwAA9mWK/ToJfGIs9ug==,type:str]
     user:
         chn: ENC[AES256_GCM,data:mTt2D+SkvVL8,iv:L0Pk5p46E2kKBdRWCGpwOKS0BsbIhZUslpIFWvkssMY=,tag:+AjbNJ1SW/8Mx1HLpWAd2w==,type:str]
         hjp: ENC[AES256_GCM,data:ZXTQhax0gT4PKw==,iv:MerbaWWC4SLazEuuJrxAxf9e5aaX9xpq9St+h9aqvMQ=,tag:x9knShK90OKZPcn9fKzvMA==,type:str]
+maxmind: ENC[AES256_GCM,data:KfTXvxX4zzXBfNMPmZY1z5jTHTByGfH9qEo6EUAQqZ1JOtNUomOWNQ==,iv:KcexOWAXFhWfli6bAMZ+61x960trZ3iE9UYMuOtJNms=,tag:reuuIe6MkONpeT44U6yUjQ==,type:str]
 acme:
-    token: ENC[AES256_GCM,data:M8/R019chds8zr2BqnRnKP40NZxwq4fz06NaOeOOFYecLyDjIOq5mg==,iv:VPr4XD0Y+6G1P1xwMDyrWPiTvCYdiMV0nPcmqCvIA3Y=,tag:KEyCIHRmRkNviA4bMTMybg==,type:str]
-nginx:
-    maxmind-license: ENC[AES256_GCM,data:MtmNo6hHlU75N6PvzF7P5i6Q+myV4Keb1JRXVeHxTennNpKfAndsKg==,iv:DqM91JX+1WX8Zqzha2Tm3ztFaSzKYQg+b9NvUm+6jxY=,tag:XnDTBL9MA/B8XfPZqdk7Eg==,type:str]
+    token: ENC[AES256_GCM,data:DrNdcyf2tiZ5nmjYmsG13V63ZuZhNG1c/kkGM7eXQWvRvDbu37nKWA==,iv:xc4gtNvZ/BYG+KmT1XgFfG3Z17bBLURazG8tz4/laxE=,tag:khnYVQWjiiaQC9VsJyLV6A==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
     age:
         - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2RzdocjRWTTFGWVdqb2JE
-            RDBiWjVNOHBSMlFNMHZOOFYxRzlVZmhKQ2w0CkpGbHRnNTY2NGdzVGx5QmprblNZ
-            YmxCd2Q2VW1SOVZIeDk3Q09LdHdheG8KLS0tIFl5WThUOGozc0xBYVBVVEVFdU4v
-            N2NKcnAwUE8zMDJhaWhqWTljNHppSjgKp4cb4FLsULkDS1VPZT9TLe8z8IH5Jt4d
-            nCqerHvO5j8yo3tPs0BXS675i2HAnup0KQZay7NV7bztbRhWtTiF/A==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyR09MUytUL2h3cWlIanNF
+            VWd6SVNWOGVlVVpGbGtyQWxnZlk0cEx2TFJzCmhtbGRFcDdlWDAxU3NneXloSS9U
+            WXBtQmg4dFhOb3J3bThCUDliUmJ4NVUKLS0tIG1uQjdiODdHWVVrVGIwb2lPN1V1
+            QjVyWFAzQTRDWXMyMXdUNytKcy9abmsKZ6maa6DoKPkDAYXGLVoLWIi3fzzs1SVF
+            C/9y2PG/j7F8Pd4hUHl7ILWN/VNbYKQwGYp59+kKeAzeSHkJeTTKyg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1ffvr5pqd2lfj24e3fh53s92z6h76fda3du4y4k6r3yjumdwvpfgqzj033a
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlMnJuVVJjTWRIdzdiYlVS
-            RHo1OEx3Y29yL3NuVmduN1loaTgxR01kVXowCjl0ZVhVd1liUnJSWEVRNlR5MzdY
-            R29Pc0dJSXJvb2FjTDAwRW9xUCtQT2MKLS0tIFRUdHovemMvQkhUbkYzSVZyWmkv
-            ZGlKUHAySWVlKytIUThXQlNPSERadEkK8L3GpqrTiuRaFtICkQmc8RSxBz2XykMZ
-            irVZmqwE3787Ku3obqdBNPyB6w6tBGuf2g13PBpbctlYEioz9k5gKQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZaitpVkkvNEFOMEZXK2s0
+            Z1o0UTZ4NFRrd2NqNzhNVWhncmdWWDlzZ2swCkthMU50WldYajN1eEZCRVRUZ2d6
+            TU8za1R0aUdCV3hZaVlIRE01UHdYc2MKLS0tIFNWcFdVWGc5dUVtWnVVbGh1WFVU
+            UzFsYS9tL0xNeDBmQWIrTVB2MkVtdVUKjMADWap5h4NGj3ESamUHz3+8AtO2sOL6
+            wFm/sTfEuhFqO8bodtBXB/veQOrr97Dw8PhO/6CO5JdGTEyFIZ3DoQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1yvrl4y0r6yzcxzzkgfwshlrtsjt8uuya6rfwks09pnft7esfcyvqmrtm5q
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXOFprRWZQaVpMQkxJN2Vw
+            RVB6QXN6bDJPcEt3YURaby9PZm1FZHhDRmtZClBiV0JobHZRejhWVzhOZThRTTJ1
+            UE91bzdWMjJvYllIWXBmQkNReThIc00KLS0tIGRLa0V1b3ZWSVQzc01sUlBMVzBz
+            blZyM0FpelBoTE5Ia2J3S2c0WE5FcVEKKTJ5jzNLkLixv+8DlcTrR9sWs6GihPG6
+            x9w/Zu5H4DK9EVFyksTujRZZMI6o4lHzl2VIrgkTNQUwIPtsqo5KMQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age164tyqklwhdm57tfm5u863mdt2xrzrrzac4py8a0j9y6kzqcjy9zsp073t6
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSWDViT3JyRktZYldxN3Z0
-            V3RWSXlOT0JEd0xJWlk3TzUyRFpFRytSRmtzCk4vNUk0UFN3bkRaaGdzenFwK3Ez
-            WjdDVi80RGdENmp3TzBuRElFQmVwMmMKLS0tIHpsZU1XQ3p5N3FwNjJmRHMrSFVI
-            TE9odnJrWGx6UFltTjN3WHNobTlqa3cKifobNMMKnEckbPp+mfeQVDldbLzvGM4/
-            y6oSeXQzRKQwFOIH6z4nQjMiMKvpHDEcIbTzCrQ0QCxGKywH6PzmuQ==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age137x7csalutwvfygvvzpemlsywvdxj3j4z93a50z2sjx03w6zau8q3r5902
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHS1lrQmkyRVNkWFFhWEpm
-            MXhOOEVWTTZQdkp6ajlFVGEvdmd1QlVQQXlBCjc5a1RobjhOb0ZXL2ZlSFVxV2hP
-            OXVVMXpqN2hGQnZOcmVVbzBQT3QvYTQKLS0tIE1KSm5RRDBabTBTaDl4d29Fb1o3
-            Wk5MNy9hQ1E1eTdzdG1Yb3Z2NlNTZlkKivBHX1XApj7EGG4k2N/5quJ2bINNt5lF
-            DTFZfjfZY5TKMxq+/LoxMB9i/eRXxcUNUA9Bkex0HhE+VZS2AcTgAw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxQWwvbXZoNHFxM1Y3L0pO
+            cDlML1ZWWXppeWxaZjZwOFVvbHNubmxEYUI4ClB6Wm00dTRFUE8xTFNlUmdacjFU
+            VGNiMFk1SHpOVnJ6RWdyVXk3WGkxZm8KLS0tIDFnamZqa1VqdUVXWFN5YW5CNGhh
+            UHc5bCsvVFV2eDlLR2Q3STFCQXpZRzgKSVvG8HcDtBJAh8iNrQd+UKbgs/k5Yf2t
+            KqMdODturfudk8QJn3pR97essszrsK/HS4yptp71bBSj3qK50Lp/rg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age19lhcwk37jmvn6z0v4dpdfh0k4u23f76twdjknc0p7atktf37rd7s4t4wj3
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpKy8yRHphTTcwc0dhYWFV
-            SnNEZWQ4d1d6Qmx1VGJ3aVdJRms3SDZ1NkdzCjVpYUx0bW0vb1NMKzlQOWU5YWdT
-            VlhXdEk0bGMvR0hjOFNBMWJuS2NUNlEKLS0tIENQWDZROFRuODh0N3h2RzVSVDZE
-            c25adTFUVUh4NThIb0F4aStlUVJGaFkKirqc9ny+BYJgNuGlwLxdpTSPVe3V69oO
-            qGN+m/nWfoPGO1hWZ55qR08P94VcP7KW0eK9r+TdrwQp9T1rOtHWZA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5Rkc2MVhUc0tTUkNsenQ2
+            aVM1dG9MSVpwaFloU1ZRWmVsaEtYVGY3NlFnCm5PM0VpWVFKdExJbExIMnZ0Tmw1
+            eCtVdkRpVW9lcFA5bWwwbWNaYTMzejQKLS0tIHA4MTd1anM4NWtmQUx1cVlsWFVQ
+            bk5iV2xRazdoZnY1dGhKSGFFdUFWY3MKGoxBih7fDQoZFxj8JjiRAl8D3/8xWBeq
+            RS/8C6v+/V+Afnv9QN6uYt0l4YeGn8tv1TRNWXHZl0A6DFjzouwhZw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1m7nrxfw22wvp7pj8y9pdl745w95x89uu8dzl9ppsaazweqf2lqms5yshsp
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJaWpFOUV1S2lGREdZak45
-            OVhCSk40OTMwMVhKZWJibmFsY0o1aE1PQWk4Cit6emhXU1QzV0ZueWs5R3VTRUg4
-            TjZrK2RIOUN1ZU12THZqR09YeWtyMjQKLS0tIFR4SUlCYk1rd2U4SlkvRi9SODR6
-            Nk5KamEzUTJkNi9lOFN3VXlEME5LN0kKwjcReB2V8kpavQTXift2KmHm603zTzw9
-            Cx+UO+hkOQGsOLg+Q9A8t850vuqwuq28XHFQFJ7Ac5owhxCpriH9uA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzN2hsZGExRnFaclpUNEdr
+            bkJJM2gySmtzUlVmZWoxZ3pST2l2dGtCdnhnClNWeVZqWTJ1Mk1pMGZCaXppU0lY
+            RUtlT3YrQmZuVTZ3TjJYMlhGMTVMMncKLS0tIDJsaVQ3aHZIWHhXOFJ1WmpQUDNk
+            SjBSRm4wWjhpUzFmVUtwdGUvbmVIV0EKzgfa9i+VJLPvBRrFbNavZtG1hK6jazoD
+            WHkWedx4AUUJQQlp12Wetj/0yY9jF3BLv/wvEAusq6Z4dO2aHr3sRA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1nzetyehldf3gl6pr6mu5d2cv387p8wjqn6wfpll7a3sl8us6n38s0ds633
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJUm5INDhONE9hZjU5MGRn
-            ZzZLdUNPeHNSSHUrZzRxbTdjRGxhd2wyRWgwCjMzc2UrUEVOUTJqckR6WXpRR1p5
-            TlA5MUtFRXBjazBhc3Rzc3MraFl1dzQKLS0tIFpYajU3Q2hPajhFbURSaXZ3MURT
-            UXduR3Vvam54RmhoQkdrN1N2ejdEVmsKeC/robT8ijuPAQt75xnLFi+cz9i0idfU
-            xCgD6JpqaIMwalpIAuVh6KD/tE9mwWIZSeNk2InGX7/bWmMEB8Dcgw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQcWFOcXAyYjNoSEhLdEtC
+            ang3bHJ2RmtaL2RManE0K3B0elg4aHJmODB3ClZLSXA5MmhVT2ZZSm9KSUlod3BB
+            V05lT3h0a3NQZnMrNERwNk1LTHRiVlkKLS0tIElESTNEVUpZbk93WFpXNnRTYzY5
+            K2tkMlVCRnBKdVRzWk9aQy9kUUx3L1kKNO9LsaJDfF0v/XCMYV0lmHLFakbVjj+H
+            wGJZQYgu/sETDZQVMeu42fQ++IKElmpfq2/o6+gM7aI0RxLqnBryfw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1wj33xt8nj7rhnsenepsf6k3lmq5vk4wn84jwr55qy9cwu05xn5cspg3h7t
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJUENVYm1DQ2h1aUxQaE5u
-            VlBIcU8rdzNaZk5wWHpPNnhPUlVIWGtucjFFCmY4dWdSMy9WSWhBWmZUZGVnWlNP
-            K0lFK1NLcGpzSDRXSG5SaUdxamgxekkKLS0tIGJWR0dTZ3kyd0dZSVRQVE93Rytl
-            R1pKVklVbUlZZk1IaUpYVzlQUkplV1kKKN8vFbUrnsxgw5ViYoMBoyxqUOxnpmaQ
-            YqMYedsrnvWvCx9xyu3Kj/MJ88zQchJzdVfg0dUcbY6KRz51m9HE2Q==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrYnBzd1k5UEhXZ0wxSU02
+            elZkYlhDWC9CbWFkRlM2bCs2dzNTSlk4TUJnCm1WVnVxaUYwZ1QvNHJRb29ER21P
+            UWhOb2tETWRJR09Sb0l6VXRMaU5KZlkKLS0tIFA3TldTUmJ0Y0xJemJPS0wwK05D
+            SHVXTGUraDE4anJOZFFuaHBKV1lMSWMKemZfKWbI0YR4QuR5zqvGKSnU3HzwZHvo
+            DJ9u2eq7R7OwtDscn9qCwPThORxLMWdI3n+3+XVwAysqW2efrvnGgA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age16e7ykphshal6qhwfvat698hl48s8yr0jvzh27ecdyfh5uk7t9u6s753jgy
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvTmhtaXFZL1dTV1FZVktv
-            VUFMc2o3U2pubTgvbmNZMVIvcGVOZ0UrNGlrCnRwMENSUi80aWxjZ0xpQTVaU2Qr
-            OVUzYVdVTFpxWVB0WXZKTkV0akwxK0EKLS0tIEovQkZzMUFlM210MFZuMHdqVi8r
-            ZTR1VVB5akRxeWVtaUxoYUxKOEpSUzQK5sh8HyaZY1ww5vcoIktuVs/XUF88HYAO
-            tmJiqZniKeOJT4xpBCQoelJ++oVzSqEAg4h5jgCXWN6dstrc71oVrA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZOFZQZmRHVUdjTXpDbFFm
+            SGt1d2lmYXVZa21iSFhMOTUzMmRIU3BIOUI4CmFvT1BMZmE1eC9tV3dJbVJ4ME8z
+            N25hc0NyZmtMbGFxYmtPSkFkSGZ4bFEKLS0tIE5sUFBTanJONjhtR3BnYjVYdlYr
+            NVZNeDFJOGJIdFlacE9LMmFuakZYUkUKmuK+ogCs3WH9TiGiUfRZ9L98aqRli91A
+            1xHYMJOc5FwI+jaHp1m7nkn+egIOmKvyyejI2ZHQ84tItS+aoiI0bw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1l4stuz0vr7gs7pqwjrmezam44702jp2vmqaqyxw0l0r42kf9updq4dfhrw
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjSWdybjBIZ2dieFZUbXY0
-            RjNZc200SXBrMkM2b2NQY01vQ2dUQ3RYWURZCnY1bUJ5TjZkdllxRkhRc1VkbVpR
-            cU5YU2V0RUhuaVFHNXhTd0JGNzVZVk0KLS0tIEc1L1dqYkZsN2xNMnlhKzgyeXRC
-            Z0YybnhlK0tNQWw0UXNsY0hzcFVTVncKXXjQiIi4TAdDbeoL7uN0IQmjd1koP0OX
-            2CVpK81DSNGPhS9wvrwE8QHkY10q07CHPWl7qr45ksD1XNG4PoTTFA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRRHdHMFAvRFRCNmNES2R0
+            Q3ptRDVrQ3JHaXBxSUlldVd5WUNFc1ZQeDBFCnNiMFErODJhbk5LQ1VGd01oU1N2
+            eXk4Q3VRcUNNWURDUitUMWNOQlJaeWsKLS0tIDRKQ2M1Rnpla3o1NTlCeC9wbGJo
+            cGZxcDUyYzZBMXRpbi94RkcvQXc5aDAKrHpvCDpECN5HS1qeNoiOwKWpT46bLQBd
+            404XgHar20AswgDIjAMp5KJ1pkluQ9j5pVKNFjqJ+9sb3RLYM7Z06Q==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1hnarptkze0ujpp05dqr8uma04cxg9zqcx68qgpks5uf5l6rpk5gqhh8wxg
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjbi9wUEpGdjBYOE94NG1B
-            SXB5clBwdDl1OTZPcjdMMmU4ODlUQndBejI4CldtWDFlNjl6bG5IcUErZVE0OENx
-            QlBQYThrdzA5eDBMbk5acXYzb3BxVlUKLS0tIEJEc2MrejlSS0RVUkh2R2x0cjU5
-            QUVaU2I4eHc3MGxaTzd2VW5hN3RscW8KzzdxiJ2BLDUEKAq+a1dVzJp3uAD39hUV
-            gMsCnltQoWjGOFHWIXVWSOCB5HQ8MxeZpt8N/ZYKM1UnfhBFDfXRWw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvR3RhUHBORW1BNFh5M1c0
+            QlhmUDY1T0ZmN2dGaUhLOVkxN2NiUklBU1hVCjY0MXBoNmw0ekpQYlMzdFZhNFA5
+            NE9XdnlaaGdiSU1BYkRvcThaYmpVcTAKLS0tIGk4UHMwK20yQ2w0N0hoQnZYK2Fk
+            czU0M2dQbU8rMkZJbEJaZ1NhcE1yZFEKUWe5IaDuPjfQ/m76m6DdvF8HWmDiVH1k
+            IQk6sIJfbcINGOVP+JYGJPWgq6LGg1EdW4ONctosVk6kxRO30N0rVQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1n4lhfwv7g0vhx54exmwx9yv2z04m3h2lunzpa5zdzgtcvjjuf5nqc36g8a
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPdVFHbnpZWjZDRWh5Z24y
-            WmFWUGJ3bi9tbW9OYWJaOFQxdWtQYms0dUU4CmpRUnlLbTliY0FqS2JwMGpLNTgw
-            cGN4MUVJeEI4WEhYcjRDSDIxS2NKWGcKLS0tIExQc0xvd0pFK25IWml0RDgxVlpU
-            ZGsrNGpmYXFUUEEvVktjbnF5RHJ0eVkKJ6n4gnl0zcq9mHTWL+5bxJeLE1qKqAKV
-            3ycuAffiQ0Oxv1tSOXjt6ODSds7jDS3Kq2I7q4nG5eqZLiwFXCh25Q==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1YXF5aGRobkFVdFQzRFBp
+            NnhvdWtxU2dxa2s4d2FiYnBrdmMvakU1cFhvCnJ4NWVCc0t2ajFpdWVMM25XUnE4
+            a3E3N0laOEYwNDBNdTc4WjdZR2R3M1EKLS0tIC9WRGpJSUhhM0JGZVJWaHlvSkRH
+            bXErdTlYQWh3cmZITWxIeDYzaklWbmcKKG08GymtessnDUfg/AgmQh9eyJx25Y+c
+            RyhAdNl6Lu2Hv7e/oqr23SmwFuhzgPl6eL8t1Nz3s1KraShZazjpQA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-04-18T10:27:14Z"
-    mac: ENC[AES256_GCM,data:8lg6FxBT/mxCw6rbK/hm/yEnso6p81pC0BYtxrzFjVA5nXkvFYtXAsD9yxguyKavMoBOts2q48yvmwHJBR7v7werS3K3C8/pXbzO3ucDV2GKzhkXVzQqskRYOxYtE2doTTXbhbaeWlcqJ2CMnEzJKatW2G2Upxjw0EsuV/ej9SQ=,iv:NaDexdNX6JuUFAXY+pFevsLk2bizmIc2RUadayIRenU=,tag:KJR5SL1zIRKLJLf5PtEdsQ==,type:str]
-    pgp: []
+        - recipient: age1vgqvdqqe3mn0gvh0hydvu9c5f9yn5vek08cagyvwjhyta6utpvuq00g9c2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSK2tkZXZkYWZWcEFhS1h2
+            YTk2N3F4L3AzNzdmZXhLRXpOLzlRa1NNSXlnCjRNL3paejlRUTZrVEFwdWdzRzVp
+            NVFReGwrZk9IdVhQSnFzK3lVMWRPOTgKLS0tIGs2azNoQm51ZDZrOEJDbEhRVTFu
+            aVdEZ0s4SjljZFc5ZTJwK3ZON3VlRVkKB1apktkRqW0R/Epn3bZf/Aym5evUmxm+
+            TLkJxTT6TVcgjobcpFvMmI+pqRWfh5Opj9a9lSe5QvsXxdgOs0mvzg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age17a8y4yr2ckuek67rt786ujuf7705gvj3vv6ezktxxmgayea9zcyqet7hgc
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNWlhIdTdtNkpZU3Y5T1Vl
+            WjZXLzJYVDdweFpITEh6cmszOVYrZWI5eTM0CmNSTnd4T3g0dFNiTDNCM2hEOTVo
+            OS85R0VqdEZkTlhGWFNRZFpXZGlWTFEKLS0tIHQ1YWJrZERJUlZwZnU3RThucVRL
+            NHdwcGl2Wk11TFdCd25OTE1nVDNYd2MKOxa2f7bFgFE2zCR1kKtC6giQhr1P79W0
+            MKxil/x2T8rBNkK6sN0PjkphKdg9LVit86ilHPwTgnkl9oz8Cs6X5A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1wmcayhf9eyx9e9yp97850mqas9ns455crce8hfmvnupgcxd6sews5r0cln
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmL1ZjRzJNQVFNekFUVlQv
+            SmJWMDRZMXNDaTNNd093b25kSk5nTDg0K244CmVLK08xKzlleXpWblRkbGZVMENi
+            U0NGVVhycUN6OEZDNjFBUndSdnRLdE0KLS0tIHJEeTVIY2xwZWdqdG9JRVhsRENq
+            UnR5Y24rSTk3WUV1VUgvQUFCVUxPZUEKv/lTy02gZYn4jF1uGtm+LhJd0m59Xe99
+            +unmqUDh0ZqAhJU8o0jrBiWs1lXOHU7CkIom7tGEMHGUxHkS+Z/6GQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-09-06T01:03:09Z"
+    mac: ENC[AES256_GCM,data:9pJpUNzMogdijzFpjkCw4wEuOGn8B6Q/sKqzA6Pq73fp42t59BbdtK6ClTWqDRUG5MMmLVXYqdlrjPeHeRtXuQ0USNNFY6jC/p35/gB/+Gh+qqLY48YtBPjsV7aYkF8bVhC8EeDZPXvw6Hz5r+e1crVxcbOjk1uFXFVdoDGgsuQ=,iv:0QKuxk9WvCgLMJCNkX0/S/YonY/bmTvvN27DKcZGzv4=,tag:S9S/J57/GHjmVLJhtLDqDw==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.9.2
+    version: 3.10.2

devices/cross/ssh.nix

@@ -2,25 +2,23 @@ inputs:
 let
   devices =
   {
+    vps4 =
+    {
+      publicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIF7Y0tjt1XLPjqJ8HEB26W9jVfJafRQ3pv5AbPaxEc/Z";
+      initrdPublicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIJkOPTFvX9f+Fn/KHOIvUgoRiJfq02T42lVGQhpMUGJq";
+    };
     vps6 =
     {
       publicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIO5ZcvyRyOnUCuRtqrM/Qf+AdUe3a5bhbnfyhw2FSLDZ";
       # 通过 initrd.xxx.chn.moe 访问
       initrdPublicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIB4DKB/zzUYco5ap6k9+UxeO04LL12eGvkmQstnYxgnS";
     };
-    vps7 =
-    {
-      publicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIF5XkdilejDAlg5hZZD0oq69k8fQpe9hIJylTo/aLRgY";
-      initrdPublicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIGZyQpdQmEZw3nLERFmk2tS1gpSvXwW0Eish9UfhrRxC";
-      # 默认仅包括wireguard访问的域名和直接访问的域名，这里写额外的域名
-      extraAccess = [ "ssh.git" ];
-    };
     nas =
     {
       publicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIIktNbEcDMKlibXg54u7QOLt0755qB/P4vfjwca8xY6V";
       initrdPublicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIAoMu0HEaFQsnlJL0L6isnkNZdRq0OiDXyaX3+fl3NjT";
+      extraAccess = [ "ssh.git" ];
     };
-    one.publicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIC5i2Z/vK0D5DBRg3WBzS2ejM0U+w3ZPDJRJySdPcJ5d";
     pc.publicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIMSfREi19OSwQnhdsE8wiNwGSFFJwNGN0M5gN+sdrrLJ";
     srv1-node0 =
       { publicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIDm6M1D7dBVhjjZtXYuzMj2P1fXNWN3O9wmwNssxEeDs"; extraAccess = [ "srv1" ]; };
@@ -42,11 +40,6 @@ let
       publicKey = "AAAAC3NzaC1lZDI1NTE5AAAAINTvfywkKRwMrVp73HfHTfjhac2Tn9qX/lRjLr09ycHp";
       proxyJump = "srv2";
     };
-    srv3 =
-    {
-      publicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIIg2wuwWqIOWNx1kVmreF6xTrGaW7rIaXsEPfCMe+5P9";
-      initrdPublicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIPW7XPhNsIV0ZllaueVMHIRND97cHb6hE9O21oLaEdCX";
-    };
   };
 in
 {

devices/cross/wireguard.nix

@@ -2,252 +2,212 @@ inputs:
 let
   publicKey =
   {
+    vps4 = "sUB97q3lPyGkFqPmjETzDP71J69ZVfaUTWs85+HA12g=";
     vps6 = "AVOsYUKQQCvo3ctst3vNi8XSVWo1Wh15066aHh+KpF4=";
-    vps7 = "n056ppNxC9oECcW7wEbALnw8GeW7nrMImtexKWYVUBk=";
     pc = "l1gFSDCeBxyf/BipXNvoEvVvLqPgdil84nmr5q6+EEw=";
     nas = "xCYRbZEaGloMk7Awr00UR3JcDJy4AzVp4QvGNoyEgFY=";
-    one = "Hey9V9lleafneEJwTLPaTV11wbzCQF34Cnhr0w2ihDQ=";
     srv1-node0 = "Br+ou+t9M9kMrnNnhTvaZi2oNFRygzebA1NqcHWADWM=";
     srv1-node1 = "wyNONnJF2WHykaHsQIV4gNntOaCsdTfi7ysXDsR2Bww=";
     srv1-node2 = "zWvkVyJwtQhwmxM2fHwNDnK+iwYm1O0RHrwCQ/VXdEo=";
     srv2-node0 = "lNTwQqaR0w/loeG3Fh5qzQevuAVXhKXgiPt6fZoBGFE=";
     srv2-node1 = "wc+DkY/WlGkLeI8cMcoRHcCcITNqX26P1v5JlkQwWSc=";
-    srv3 = "a1pUi12SN6fIFiHA9W0N1ycuSz1fWUSpZnjz20OPaBk=";
   };
   dns = inputs.topInputs.self.config.dns.wireguard;
-  networks = # 对于每个网络，只需要设置每个设备的 listenPort，以及每个设备的每个 peer 的 publicKey endpoint allowedIPs
+  inherit (inputs.topInputs.self.config.dns."chn.moe") getAddress;
+  listenPort =
   {
-    # 星形网络，所有流量通过 vps6 中转
-    wg0 = let vps6ListenIp = "144.34.225.59"; in
-    {
-      devices =
-      {
-        vps6 =
-        {
-          listenPort = 51820;
-          peer = builtins.listToAttrs (builtins.map
-            (peerName:
-            {
-              name = peerName;
-              value =
-              {
-                publicKey = publicKey.${peerName};
-                allowedIPs = [ "192.168.${builtins.toString dns.net.wg0}.${builtins.toString dns.peer.${peerName}}" ];
-              };
-            })
-            (inputs.lib.remove "vps6" (builtins.attrNames publicKey)));
-        };
-      }
-      // (builtins.listToAttrs (builtins.map
-        (deviceName:
-        {
-          name = deviceName;
-          value.peer.vps6 =
-          {
-            publicKey = publicKey.vps6;
-            endpoint = "${vps6ListenIp}:51820";
-            allowedIPs = [ "192.168.${builtins.toString dns.net.wg0}.0/24" ];
-          };
-        })
-        (inputs.lib.remove "vps6" (builtins.attrNames publicKey))));
-    };
-    # 两两互连
+    wg0 = builtins.listToAttrs (builtins.map
+      (name: inputs.lib.nameValuePair name 51820)
+      (builtins.attrNames publicKey));
+    wg1 = builtins.listToAttrs (builtins.map
+      (name: inputs.lib.nameValuePair name (51820 + dns.peer.${name}))
+      (builtins.attrNames publicKey));
+  };
+  subnet = # 设备之间可以直接连接的子网。若一个设备可以主动接受连接，则设置它接受连接的 ip；否则设置为 null
+  {
+    wg0 =
+    [
+      # 所有设备都可以连接到公网，但只有有公网 ip 的设备可以接受连接
+      (builtins.listToAttrs
+      (
+        (builtins.map (n: inputs.lib.nameValuePair n (getAddress n)) [ "vps4" "vps6" ])
+          ++ (builtins.map
+            (n: { name = n; value = null; })
+            (inputs.lib.subtractLists [ "vps4" "vps6" ] (builtins.attrNames publicKey)))
+      ))
+    ];
     wg1 =
-      let
-        # 查询域名对应的 ip
-        getAddress = deviceName:
-          let
-            dns = inputs.topInputs.self.config.dns."chn.moe";
-            f = domain:
-              if dns.${domain}.type == "A" then dns.${domain}.value
-              else if dns.${domain}.type == "CNAME" then f (inputs.lib.removeSuffix ".chn.moe." dns.${domain}.value)
-              else throw "Not found ${domain}";
-          in f deviceName;
-        # 设备之间可以直接连接的子网
-        # 若一个设备可以主动接受连接，则设置它接受连接的 ip；否则设置为 null
-        subnet =
-        [
-          # 所有设备都可以连接到公网，但只有有公网 ip 的设备可以接受连接
-          (builtins.listToAttrs
-          (
-            (builtins.map (n: { name = n; value = getAddress n; }) [ "vps6" "vps7" "srv3" ])
-              ++ (builtins.map (n: { name = n; value = null; }) [ "pc" "nas" "one" "srv1-node0" "srv2-node0" ])
-          ))
-          # 校内网络
-          (builtins.listToAttrs
-          (
-            (builtins.map (n: { name = n; value = getAddress n; }) [ "srv1-node0" "srv2-node0" ])
-              ++ (builtins.map (n: { name = n; value = null; }) [ "pc" "nas" "one" ])
-          ))
-          # 办公室或者宿舍局域网
-          (builtins.listToAttrs (builtins.map (n: { name = n; value = getAddress n; }) [ "pc" "nas" "one" ]))
-          # 集群内部网络
-          (builtins.listToAttrs (builtins.map
-            (n: { name = "srv1-node${builtins.toString n}"; value = "192.168.178.${builtins.toString (n + 1)}"; })
-            (builtins.genList (n: n) 3)))
-          (builtins.listToAttrs (builtins.map
-            (n: { name = "srv2-node${builtins.toString n}"; value = "192.168.178.${builtins.toString (n + 1)}"; })
-            (builtins.genList (n: n) 2)))
-        ];
-        # 给定起止点，返回最短路径的第一跳的目的地
-        # 如果两个设备不能连接，返回 null; 
-        # 如果可以直接、主动连接，返回 { ip = 地址; }；如果可以直接连接但是被动连接，返回 { ip = null; }；
-        # 如果需要中转，返回 { jump = 下一跳; }
-        connection =
-          let
-            # 将给定子网翻译成一列边，返回 [{ dev1 = null or ip; dev2 = null or ip; }]
-            netToEdges = subnet:
-              let devWithAddress = builtins.filter (n: subnet.${n} != null) (builtins.attrNames subnet);
-              in inputs.lib.unique (builtins.concatLists (builtins.map
-                (dev1: builtins.map
-                  (dev2: { "${dev1}" = subnet."${dev1}"; "${dev2}" = subnet."${dev2}"; })
-                  (inputs.lib.remove dev1 (builtins.attrNames subnet)))
-                devWithAddress));
-            # 在一个图中加入一个边，current 的结构是：from.to = null or { ip = "" or null; length = l; jump = ""; }
-            addEdge = current: newEdge: builtins.mapAttrs
-              (nameFrom: valueFrom: builtins.mapAttrs
-                (nameTo: valueTo:
-                  # 忽略自己到自己的路
-                  if nameFrom == nameTo then null
-                  # 如果要加入的边包含起点
-                  else if newEdge ? "${nameFrom}" then
-                    # 如果要加入的边包含终点，那么这两个点可以直连
-                    if newEdge ? "${nameTo}" then { ip = newEdge.${nameTo}; length = 1; }
-                    else let edgePoint2 = builtins.head (inputs.lib.remove nameFrom (builtins.attrNames newEdge)); in
-                      # 如果边的另外一个点到终点可以连接
-                      if current.${edgePoint2}.${nameTo} != null then
-                        # 如果之前不能连接，则使用新的连接
-                        if current.${nameFrom}.${nameTo} == null then
-                          { jump = edgePoint2; length = 1 + current.${edgePoint2}.${nameTo}.length; }
-                        # 如果之前可以连接，且新连接更短，同样更新连接
-                        else if current.${nameFrom}.${nameTo}.length > 1 + current.${edgePoint2}.${nameTo}.length then
-                          { jump = edgePoint2; length = 1 + current.${edgePoint2}.${nameTo}.length; }
-                        # 否则，不更新连接
-                        else current.${nameFrom}.${nameTo}
-                      # 否则，不更新连接
-                      else current.${nameFrom}.${nameTo}
-                  # 如果要加入的边包不包含起点但包含终点
-                  else if newEdge ? "${nameTo}" then
-                    let edgePoint2 = builtins.head (inputs.lib.remove nameTo (builtins.attrNames newEdge)); in
-                    # 如果起点与另外一个点可以相连
-                    if current.${nameFrom}.${edgePoint2} != null then
-                      # 如果之前不能连接，则使用新的连接
-                      if current.${nameFrom}.${nameTo} == null then
-                      {
-                        jump = current.${nameFrom}.${edgePoint2}.jump or edgePoint2;
-                        length = current.${nameFrom}.${edgePoint2}.length + 1;
-                      }
-                      # 如果之前可以连接，且新连接更短，同样更新连接
-                      else if current.${nameFrom}.${nameTo}.length > current.${nameFrom}.${edgePoint2}.length + 1 then
-                      {
-                        jump = current.${nameFrom}.${edgePoint2}.jump or edgePoint2;
-                        length = current.${nameFrom}.${edgePoint2}.length + 1;
-                      }
-                      # 否则，不更新连接
-                      else current.${nameFrom}.${nameTo}
-                    # 如果起点与另外一个点不可以相连，则不改变连接
+    [
+      # 所有设备都可以连接到公网，但只有有公网 ip 的设备可以接受连接
+      (builtins.listToAttrs
+      (
+        (builtins.map (n: inputs.lib.nameValuePair n (getAddress n)) [ "vps4" "vps6" ])
+          ++ (builtins.map (n: inputs.lib.nameValuePair n null) [ "pc" "nas" "srv1-node0" "srv2-node0" ])
+      ))
+      # 校内网络
+      (builtins.listToAttrs
+      (
+        (builtins.map (n: inputs.lib.nameValuePair n (getAddress n)) [ "srv1-node0" "srv2-node0" ])
+          ++ (builtins.map (n: inputs.lib.nameValuePair n null) [ "pc" "nas" ])
+      ))
+      # 办公室或者宿舍局域网
+      (builtins.listToAttrs (builtins.map (n: inputs.lib.nameValuePair n (getAddress n)) [ "pc" "nas" ]))
+      # 集群内部网络
+      (builtins.listToAttrs (builtins.map
+        (n: inputs.lib.nameValuePair "srv1-node${builtins.toString n}" "192.168.178.${builtins.toString (n + 1)}")
+        (builtins.genList (n: n) 3)))
+      (builtins.listToAttrs (builtins.map
+        (n: inputs.lib.nameValuePair "srv2-node${builtins.toString n}" "192.168.178.${builtins.toString (n + 1)}")
+        (builtins.genList (n: n) 2)))
+    ];
+  };
+  # 给定起止点，返回最短路径的第一跳的目的地
+  # 如果两个设备不能连接，返回 null;
+  # 如果可以直接、主动连接，返回 { address = xx; port = xx; }；如果可以直接连接但是被动连接，返回 { address = null; }；
+  # 如果需要中转，返回 { jump = 下一跳; }
+  connection =
+    let
+      # 将给定子网翻译成一列边，返回 [{ dev1 = null or ip; dev2 = null or ip; }]
+      # 边中至少有一个端点是可以接受连接的
+      netToEdges = subnet:
+        let devWithAddress = builtins.filter (n: subnet.${n} != null) (builtins.attrNames subnet);
+        in inputs.lib.unique (builtins.concatLists (builtins.map
+          (dev1: builtins.map
+            (dev2: { "${dev1}" = subnet."${dev1}"; "${dev2}" = subnet."${dev2}"; })
+            (inputs.lib.remove dev1 (builtins.attrNames subnet)))
+          devWithAddress));
+      # 在一个图中加入一个边
+      # current 的结构是：from.to = null or { address = xxx or null; length = l; jump = ""; }
+      addEdge = current: newEdge: builtins.mapAttrs
+        (nameFrom: valueFrom: builtins.mapAttrs
+          (nameTo: valueTo:
+            # 不处理自己到自己的路
+            if nameFrom == nameTo then null
+            # 如果要加入的边包含起点
+            else if newEdge ? "${nameFrom}" then
+              # 如果要加入的边包含终点，那么这两个点可以直连
+              if newEdge ? "${nameTo}"
+                then { address = newEdge.${nameTo}; length = 1; }
+                else let edgePoint2 = builtins.head (inputs.lib.remove nameFrom (builtins.attrNames newEdge)); in
+                  # 如果边的另外一个点到终点可以连接
+                  if current.${edgePoint2}.${nameTo} != null then
+                    # 如果之前不能连接，则使用新的连接
+                    if current.${nameFrom}.${nameTo} == null then
+                      { jump = edgePoint2; length = 1 + current.${edgePoint2}.${nameTo}.length; }
+                    # 如果之前可以连接，且新连接更短，同样更新连接
+                    else if current.${nameFrom}.${nameTo}.length > 1 + current.${edgePoint2}.${nameTo}.length then
+                      { jump = edgePoint2; length = 1 + current.${edgePoint2}.${nameTo}.length; }
+                    # 否则，不更新连接
                     else current.${nameFrom}.${nameTo}
-                  # 如果要加入的边不包含起点和终点
-                  else
-                    let
-                      edgePoints = builtins.attrNames newEdge;
-                      p1 = builtins.elemAt edgePoints 0;
-                      p2 = builtins.elemAt edgePoints 1;
-                    in
-                      # 如果起点与边的第一个点可以连接、终点与边的第二个点可以连接
-                      if current.${nameFrom}.${p1} != null && current.${p2}.${nameTo} != null then
-                        # 如果之前不能连接，则新连接必然是唯一的连接，使用新连接
-                        if current.${nameFrom}.${nameTo} == null then
-                        {
-                          jump = current.${nameFrom}.${p1}.jump or p1;
-                          length = current.${nameFrom}.${p1}.length + 1 + current.${p2}.${nameTo}.length;
-                        }
-                        # 如果之前可以连接，那么反过来一定也能连接，选取三种连接中最短的
-                        else builtins.head (inputs.lib.sort
-                          (a: b: if a == null then false else if b == null then true else a.length < b.length)
-                          [
-                            # 原先的连接
-                            current.${nameFrom}.${nameTo}
-                            # 正着连接
-                            {
-                              jump = current.${nameFrom}.${p1}.jump or p1;
-                              length = current.${nameFrom}.${p1}.length + 1 + current.${p2}.${nameTo}.length;
-                            }
-                            # 反着连接
-                            {
-                              jump = current.${nameFrom}.${p2}.jump or p2;
-                              length = current.${nameFrom}.${p2}.length + 1 + current.${p1}.${nameTo}.length;
-                            }
-                          ])
-                      # 如果正着不能连接、反过来可以连接，那么反过来连接一定是唯一的通路，使用反向的连接
-                      else if current.${nameFrom}.${p2} != null && current.${p1}.${nameTo} != null then
+                  # 否则，不更新连接
+                  else current.${nameFrom}.${nameTo}
+            # 如果要加入的边包不包含起点但包含终点
+            else if newEdge ? "${nameTo}" then
+              let edgePoint2 = builtins.head (inputs.lib.remove nameTo (builtins.attrNames newEdge)); in
+              # 如果起点与另外一个点可以相连
+              if current.${nameFrom}.${edgePoint2} != null then
+                # 如果之前不能连接，则使用新的连接
+                if current.${nameFrom}.${nameTo} == null then
+                {
+                  jump = current.${nameFrom}.${edgePoint2}.jump or edgePoint2;
+                  length = current.${nameFrom}.${edgePoint2}.length + 1;
+                }
+                # 如果之前可以连接，且新连接更短，同样更新连接
+                else if current.${nameFrom}.${nameTo}.length > current.${nameFrom}.${edgePoint2}.length + 1 then
+                {
+                  jump = current.${nameFrom}.${edgePoint2}.jump or edgePoint2;
+                  length = current.${nameFrom}.${edgePoint2}.length + 1;
+                }
+                # 否则，不更新连接
+                else current.${nameFrom}.${nameTo}
+              # 如果起点与另外一个点不可以相连，则不改变连接
+              else current.${nameFrom}.${nameTo}
+            # 如果要加入的边不包含起点和终点
+            else
+              let
+                edgePoints = builtins.attrNames newEdge;
+                p1 = builtins.elemAt edgePoints 0;
+                p2 = builtins.elemAt edgePoints 1;
+              in
+                # 如果起点与边的第一个点可以连接、终点与边的第二个点可以连接
+                if current.${nameFrom}.${p1} != null && current.${p2}.${nameTo} != null then
+                  # 如果之前不能连接，则新连接必然是唯一的连接，使用新连接
+                  if current.${nameFrom}.${nameTo} == null then
+                  {
+                    jump = current.${nameFrom}.${p1}.jump or p1;
+                    length = current.${nameFrom}.${p1}.length + 1 + current.${p2}.${nameTo}.length;
+                  }
+                  # 如果之前可以连接，那么反过来一定也能连接，选取三种连接中最短的
+                  else builtins.head (inputs.lib.sort
+                    (a: b: if a == null then false else if b == null then true else a.length < b.length)
+                    [
+                      # 原先的连接
+                      current.${nameFrom}.${nameTo}
+                      # 正着连接
+                      {
+                        jump = current.${nameFrom}.${p1}.jump or p1;
+                        length = current.${nameFrom}.${p1}.length + 1 + current.${p2}.${nameTo}.length;
+                      }
+                      # 反着连接
                       {
                         jump = current.${nameFrom}.${p2}.jump or p2;
                         length = current.${nameFrom}.${p2}.length + 1 + current.${p1}.${nameTo}.length;
                       }
-                      # 如果正着连接、反向连接都不行，那么就不更新连接
-                      else current.${nameFrom}.${nameTo})
-                valueFrom)
-              current;
-            # 初始时，所有点之间都不连接
-            init = builtins.listToAttrs (builtins.map
-              (dev1:
-              {
-                name = dev1;
-                value = builtins.listToAttrs (builtins.map
-                  (dev2: { name = dev2; value = null; })
-                  (builtins.attrNames publicKey));
-              })
-              (builtins.attrNames publicKey));
-          in builtins.foldl' addEdge init (builtins.concatLists (builtins.map netToEdges subnet));
-      in
+                    ])
+                # 如果正着不能连接、反过来可以连接，那么反过来连接一定是唯一的通路，使用反向的连接
+                else if current.${nameFrom}.${p2} != null && current.${p1}.${nameTo} != null then
+                {
+                  jump = current.${nameFrom}.${p2}.jump or p2;
+                  length = current.${nameFrom}.${p2}.length + 1 + current.${p1}.${nameTo}.length;
+                }
+                # 如果正着连接、反向连接都不行，那么就不更新连接
+                else current.${nameFrom}.${nameTo})
+          valueFrom)
+        current;
+      # 初始时，所有点之间都不连接
+      init = builtins.listToAttrs (builtins.map
+        (dev1:
+        {
+          name = dev1;
+          value = builtins.listToAttrs (builtins.map
+            (dev2: { name = dev2; value = null; })
+            (builtins.attrNames publicKey));
+        })
+        (builtins.attrNames publicKey));
+    in builtins.mapAttrs (_: v: builtins.foldl' addEdge init (builtins.concatLists (builtins.map netToEdges v))) subnet;
+  networks = builtins.mapAttrs
+    (n: v: builtins.listToAttrs (builtins.map
+      (deviceName: inputs.lib.nameValuePair deviceName
       {
-        devices = builtins.listToAttrs (builtins.map
-          (deviceName:
-          {
-            name = deviceName;
-            value =
-            {
-              listenPort = 51820 + dns.peer.${deviceName};
-              peer = builtins.listToAttrs (builtins.concatLists (builtins.map
-                (peerName:
-                  # 如果不能直连，就不用加 peer
-                  inputs.lib.optionals (connection.${deviceName}.${peerName} ? ip)
-                  [{
-                    name = peerName;
-                    value =
-                    {
-                      publicKey = publicKey.${peerName};
-                      allowedIPs =
-                        [ "192.168.${builtins.toString dns.net.wg1}.${builtins.toString dns.peer.${peerName}}" ]
-                        ++ builtins.map
-                          (destination:
-                            "192.168.${builtins.toString dns.net.wg1}.${builtins.toString dns.peer.${destination}}")
-                          (builtins.filter
-                            (destination: connection.${deviceName}.${destination}.jump or null == peerName)
-                            (builtins.attrNames publicKey));
-                    }
-                      // inputs.lib.optionalAttrs (connection.${deviceName}.${peerName}.ip != null)
-                      {
-                        endpoint = "${connection.${deviceName}.${peerName}.ip}:"
-                          + builtins.toString (51820 + dns.peer.${peerName});
-                      };
-                  }])
-                (inputs.lib.remove deviceName (builtins.attrNames publicKey))));
-            };
-          })
-          (builtins.attrNames publicKey));
-      };
-  };
-in
-{
-  config.nixos.services.wireguard = inputs.lib.mkMerge (builtins.map
-    (network:
-      let inherit (inputs.config.nixos.model) hostname;
-      in inputs.lib.optionalAttrs (network.value.devices ? ${hostname}) { ${network.name} =
-        network.value.devices.${hostname}
-        // {
-          ip = "192.168.${builtins.toString dns.net.${network.name}}.${builtins.toString dns.peer.${hostname}}";
-        };})
-    (inputs.localLib.attrsToList networks));
-}
+        ip = "192.168.${builtins.toString dns.net.${n}}.${builtins.toString dns.peer.${deviceName}}";
+        listenPort = listenPort.${n}.${deviceName};
+        peer = builtins.listToAttrs (builtins.concatLists (builtins.map
+          (peerName:
+            # 如果不能直连，就不用加 peer
+            inputs.lib.optionals (v.${deviceName}.${peerName} ? address)
+            [{
+              name = peerName;
+              value =
+              {
+                publicKey = publicKey.${peerName};
+                allowedIPs =
+                  [ "192.168.${builtins.toString dns.net.${n}}.${builtins.toString dns.peer.${peerName}}" ]
+                  ++ builtins.map
+                    (destination:
+                      "192.168.${builtins.toString dns.net.${n}}.${builtins.toString dns.peer.${destination}}")
+                    (builtins.filter
+                      (destination: v.${deviceName}.${destination}.jump or null == peerName)
+                      (builtins.attrNames publicKey));
+              }
+                // inputs.lib.optionalAttrs (v.${deviceName}.${peerName}.address != null)
+                {
+                  endpoint = "${v.${deviceName}.${peerName}.address}:"
+                    + builtins.toString (listenPort.${n}.${peerName});
+                };
+            }])
+          (inputs.lib.remove deviceName (builtins.attrNames publicKey))));
+      })
+      (builtins.attrNames publicKey))
+    )
+    connection;
+in { config.nixos.services.wireguard = builtins.mapAttrs (_: v: v.${inputs.config.nixos.model.hostname}) networks; }

devices/jykang.xmuhpc/default.nix

@@ -1,15 +1,24 @@
-# sudo nix build --store 'local?store=/data/gpfs01/jykang/.nix/store&real=/nix/store' .#jykang
-# sudo nix-store --store 'local?store=/data/gpfs01/jykang/.nix/store&real=/nix/store' -qR ./result | sudo xargs nix-store --store 'local?store=/data/gpfs01/jykang/.nix/store&real=/nix/store' --export > data.nar
-# cat data.nar  | nix-store --import
-inputs:
-let pkgs = import inputs.nixpkgs (import ../../modules/system/nixpkgs/buildNixpkgsConfig.nix
-{
-  inputs = { inherit (inputs.nixpkgs) lib; topInputs = inputs; };
-  nixpkgs = { march = null; cuda = null; nixRoot = "/data/gpfs01/jykang/.nix"; };
-});
+# sudo nix build --store 'local?store=/data/gpfs01/jykang/.nix/store&state=/data/gpfs01/jykang/.nix/state&log=/data/gpfs01/jykang/.nix/log' .#jykang
+# sudo nix-store --store 'local?store=/data/gpfs01/jykang/.nix/store&state=/data/gpfs01/jykang/.nix/state&log=/data/gpfs01/jykang/.nix/log' -qR ./result | grep -Fxv -f <(ssh jykang find .nix/store -maxdepth 1 -exec realpath '{}' '\;') | sudo xargs nix-store --store 'local?store=/data/gpfs01/jykang/.nix/store&state=/data/gpfs01/jykang/.nix/state&log=/data/gpfs01/jykang/.nix/log' --export | xz -T0 | pv > jykang.nar.xz
+# cat data.nar | nix-store --import
+{ inputs, localLib }:
+let
+  pkgs = import inputs.nixpkgs (localLib.buildNixpkgsConfig
+  {
+    inputs = { inherit (inputs.nixpkgs) lib; topInputs = inputs; };
+    nixpkgs = { march = "haswell"; nixRoot = "/data/gpfs01/jykang/.nix"; nixos = false; };
+  });
+  python-lyj =
+    let python = pkgs.pkgs-2411.python310.withPackages (_: [ pkgs.localPackages.pybinding ]);
+    in pkgs.runCommand "python-lyj" { }
+    ''
+      mkdir -p $out/bin
+      ln -s ${python}/bin/python3 $out/bin/python-lyj
+    '';
 in pkgs.symlinkJoin
 {
   name = "jykang";
-  paths = with pkgs; [ hello iotop gnuplot ];
+  paths = with pkgs; [ gnuplot localPackages.vaspkit pv python-lyj ];
   postBuild = "echo ${inputs.self.rev or "dirty"} > $out/.version";
+  passthru = { inherit pkgs; };
 }

devices/jykang.xmuhpc/files/.bashrc

@@ -35,7 +35,7 @@ if [ -f /etc/bashrc ]; then
 fi
 
 if [ -z "${BASHRC_SOURCED-}" ]; then
-	export PATH=$HPCSTAT_SSH_BINDIR:$PATH:$HOME/bin:$HOME/linwei/chn/software/scripts:$HOME/.nix/state/gcroots/current/bin
+	export PATH=$HOME/.nix/state/gcroots/current/bin:$HPCSTAT_SSH_BINDIR:$PATH:$HOME/bin:$HOME/linwei/chn/software/scripts
 	export BASHRC_SOURCED=1
 	if [ "${HPCSTAT_SUBACCOUNT}" == "lyj" ]; then
 		export PATH=$HOME/wuyaping/lyj/bin:$PATH

devices/jykang.xmuhpc/files/.config/nix/nix.conf

@@ -0,0 +1,2 @@
+store = local?store=/data/gpfs01/jykang/.nix/store&state=/data/gpfs01/jykang/.nix/state&log=/data/gpfs01/jykang/.nix/log
+experimental-features = flakes nix-command

devices/jykang.xmuhpc/files/.ssh/authorized_keys

@@ -10,6 +10,7 @@ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGwUhEAFHjkbUfOf0ng8I80YbKisbSeY4lq/byinV7lh
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5bg5cayOLfnfUBJz8LeyaYfP41s9pIqUgXn6w9xtvR lly
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBoDGk9HYphkngx2Ix/vef2ZntdVNK1kbS9pY8+TzI41 yxf
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJi6O1Sf1BBV1dYyH1jcHiws+ntwVfV29+6Paq1CQaET hss
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFlBxisj3sU9QC8UC5gX6sakf7G03ybbkmHtD2cybuZA qmx
 
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCmJoiGO5YD3lbbIOJ99Al2xxm6QS9q+dTCTtlALjYI5f9ICGZJT8PEGlV9BBNCRQdgb3i2LBzQi90Tq1oG6/PcTV3Mto2TawLz5+2+ym29eIq1QIhVTLmZskK815FpawWqxY6+xpGU3vP1WjrFBbhGtl+CCaN+P2TWNkrR8FjG2144hdAlFfEEqfQC+TXbsyJCYoExuxGDJo8ae0JGbz9w1A1UbjnHwKnoxvirTFEbw9IHJIcTdUwuQKOrwydboCOqeaHt74+BnnCOZhpYqMDacrknHITN4GfFFzbs6FsE8NAwFk6yvkNXXzoe60iveNXtCIYuWjG517LQgHAC5BdaPgqzYNg+eqSul72e+jjRs+KDioNqvprw+TcBBO1lXZ2VQFyWyAdV2Foyaz3Wk5qYlOpX/9JLEp6H3cU0XCFR25FdXmjQ4oXN1QEe+2akV8MQ9cWhFhDcbY8Q1EiMWpBVC1xbt4FwE8VCTByZOZsQ0wPVe/vkjANOo+brS3tsR18= 00@xmuhpc
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxcIWDQxVyIRqCGR4uWtrh4tLc025+q6du2GVsox8IzmBFkjNY8Au5GIMP5BKRstxFdg3f/wam8krckUN9rv5+OHB9U8HGz77Xs0FktqRVNMaDPdptePZQJ9A9eW3kkFDfQnORJtiVcEWfUBS3pi0QFOHylnG27YyC/Vjx9tjvtJWKsQEVTFJbFHPdi+G7lHTpqIGx+/a2JN9O6uVujXXYvjSVXsd+CWB9VMZMvYCIz2Ecb6RqR3brj4FhRRl8zyCj+J4ACYFdGWL98fTab2uPHbpVeKrefFFA43JOD/4zwBx/uw7MAQAq0GunTV3FpBfIAQHWgftf2fSlbz20oPjCwdYn9ZuGJOBUroryex7AKZmnSYM3biLHcctQfZtxqVPEU3W/62MUsI/kZb9RcF24JRksMoS2XWTiv2HFf5ijQGLXXOjqiTlGncwiKf65DwkDBsSxzgbXk5Uo86viq6UITFXPx/RytU+SUiN4Wb7wcBTjt/+tyQd1uqc7+3DCDXk= 01@xmuhpc

devices/nas/default.nix

@@ -4,42 +4,77 @@ inputs:
   {
     nixos =
     {
-      model = { type = "desktop"; private = true; };
+      model = { type = "server"; private = true; };
       system =
       {
         fileSystems =
         {
           mount =
           {
-            vfat."/dev/disk/by-uuid/627D-1FAA" = "/boot";
+            vfat."/dev/disk/by-partlabel/nas-boot" = "/boot";
             btrfs =
             {
-              "/dev/mapper/nix"."/nix" = "/nix";
-              "/dev/mapper/root3" =
-              {
-                "/nix/rootfs" = "/nix/rootfs";
-                "/nix/persistent" = "/nix/persistent";
-                "/nix/nodatacow" = "/nix/nodatacow";
-                "/nix/rootfs/current" = "/";
-                "/nix/backup" = "/nix/backup";
-              };
+              "/dev/mapper/root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
+              "/dev/mapper/ssd1"."/nix/ssd" = "/nix/ssd";
             };
           };
-          swap = [ "/nix/swap/swap" ];
-          rollingRootfs.waitDevices = [ "/dev/mapper/root4" ];
+          swap = [ "/dev/mapper/swap" ];
+          # TODO: snapshot should take place just before switching root
+          rollingRootfs.waitDevices =
+            [ "/dev/mapper/root2" "/dev/mapper/root3" "/dev/mapper/root4" "/dev/mapper/ssd1" "/dev/mapper/ssd2" ];
         };
         initrd.sshd = {};
-        nixpkgs.march = "silvermont";
-        nix.substituters = [ "https://nix-store.chn.moe?priority=100" ];
-        networking = {};
+        nixpkgs.march = "alderlake";
+        network =
+        {
+          bridge.nixvirt.interfaces = [ "enp3s0" ];
+          static.nixvirt = { ip = "192.168.1.2"; mask = 24; gateway = "192.168.1.1"; dns = "192.168.1.1"; }; 
+        };
+        kernel.patches = [ "btrfs" ];
       };
-      hardware = { cpus = [ "intel" ]; gpu.type = "intel"; };
+      hardware.gpu.type = "intel";
       services =
       {
         sshd = {};
-        xray.client = { enable = true; dnsmasq.hosts."git.nas.chn.moe" = "127.0.0.1"; };
-        beesd = { "/" = { hashTableSizeMB = 10 * 128; threads = 4; }; "/nix" = {}; };
+        xray =
+        {
+          client =
+          {
+            xray.serverName = "xserver2.vps4.chn.moe";
+            dnsmasq = { extraInterfaces = [ "enp3s0" ]; hosts."git.chn.moe" = "127.0.0.1"; };
+          };
+          xmuServer = {};
+          server.serverName = "xservernas.chn.moe";
+        };
+        beesd."/" = { hashTableSizeMB = 10 * 128; threads = 4; };
+        nix-serve.hostname = "nix-store.nas.chn.moe";
+        postgresql.mountFrom = "ssd";
+        mariadb.mountFrom = "ssd";
+        rsshub = {};
+        misskey.instances =
+          { misskey.hostname = "xn--s8w913fdga.chn.moe"; misskey-old = { port = 9727; redis.port = 3546; }; };
+        synapse.instances =
+        {
+          synapse.matrixHostname = "synapse.chn.moe";
+          matrix = { port = 8009; redisPort = 6380; };
+        };
+        vaultwarden = {};
+        photoprism = {};
+        nextcloud = {};
+        freshrss = {};
+        send = {};
+        huginn = {};
+        httpapi = {};
+        gitea = {};
+        grafana = {};
+        podman = {};
+        peertube = {};
+        nginx.applications.webdav.instances."webdav.chn.moe" = {};
+        # open-webui.ollamaHost = "192.168.83.3";
+        nixvirt = {};
       };
     };
+    systemd.tmpfiles.rules =
+      [ "w /sys/class/powercap/intel-rapl/intel-rapl:0/constraint_0_power_limit_uw - - - - 10000000" ];
   };
 }

devices/nas/secrets.yaml

@@ -1,14 +1,88 @@
 xray-client:
     uuid: ENC[AES256_GCM,data:97aX07G5FPumdWcDxnYOs6fRgljXWuwyNXGg1d7zdbUUfNnb,iv:+wAC/DZXsg+evYFA4DMfLw5Ut3ExQl1RgZ/2AsNQDpo=,tag:ebD77muITHof+FQMydWobg==,type:str]
 wireguard: ENC[AES256_GCM,data:JaOSq474mGOoQQcdJ/j9fYo2e1vjXMPxJ69TOd079FrSkbzbIteWww5f8Xo=,iv:uy/NC2+tibL61XJDZK/spKjV9u0oXK4YzjFjYmCAL0k=,tag:en+c8cHaPvDqJL+EpQjr0g==,type:str]
-wireless:
-    #ENC[AES256_GCM,data:wjStmDz44D13rg==,iv:7Qdqk/3VfS6kZNMSD6P4zyuRkzgIb1PcH56rWBhuD80=,tag:RVfRu9zMAenZBk3+RFC9wg==,type:comment]
-    "457": ENC[AES256_GCM,data:at6sfLdZUj7JTkumDLzoBoM6rNH3SGXvzso2ryYEXiFzy24e8cMKql2Sw3CHqWH9+cS6+rzuRLLeLJQMDN3dHw==,iv:nHEdqAIF7WK6kPkm01LoDmypvkHOhIR+tf9cAlv+1hs=,tag:3lMuOZ4qatv1LOSMwMiEoQ==,type:str]
+xray-xmu-server: ENC[AES256_GCM,data:3O5rFi5szla70M/c62JV4nGWKPSOREImrOucjeVYf9bde6K8,iv:PGCqlmHtaNuWOtAAeJ6O+CWFpMszijozU1OpUFrftjs=,tag:iGTOoNvQhhZy2FL9jy1KIQ==,type:str]
+xray-server:
+    clients:
+        #ENC[AES256_GCM,data:gToh4rgMOQ==,iv:A14sSC7ExbSZNOzzz6mOmWalSz9K6ROoSYgCqdF7j4U=,tag:1Jr2FfVQ9L2w+bWHh/NekQ==,type:comment]
+        user4: ENC[AES256_GCM,data:/ZrgvlpwDlKhcHqkBRsdqqJsNUxtb3ZnC36mc8qlJ+HP4mY3,iv:R5QzXY0mC72TDB0OcF4fJt3bc5L1Z96Q+n9kNbZP7m4=,tag:tjWSEcsG0udvQZZJ/RMTJw==,type:str]
+    private-key: ENC[AES256_GCM,data:34FOslwr3AZNDg4YrS95S20agGXwGJRNGnpogMR7utbt1ELUxfQkiAU1qw==,iv:4fiJCi6TJM+NIlfI1qFX/eCNhcVaCWGsLA7iMjQpATw=,tag:eLz8HlQMprQNryk5saqyVQ==,type:str]
+store:
+    signingKey: ENC[AES256_GCM,data:zr02XBgQ4H5jRnjpLtp9rjcysXP9qI7McOiBwaWhdylu5GevKmxlCd4h3pEUO74k+gJT88BzJ+S59P+6DS76Y5nlKqextGMzGjdq5XPkdDkSkKZBai2kkqBSyko=,iv:hyhroaDazMLFeLMGruiFeokZ2Tz3xKj+xCsiEUJ5faQ=,tag:w3805eqo6Y1pw65mjoRgOg==,type:str]
+nginx:
+    detectAuth:
+        chn: ENC[AES256_GCM,data:5kGvlFB332xf+PQCDmJ+EA==,iv:/BQI83lMdzmycQCe0k6Y8bwqV4Ma9vqgvgPWWqVAr1g=,tag:61AhVVNUx8+b55DkIjVifQ==,type:str]
+        led: ENC[AES256_GCM,data:XFlK2jjo,iv:rTCHmoFU4S++eBywCa7NXsAmSqcSgCFXxnW0RyFA2a0=,tag:aK5IejgS060FrxQfmdxohw==,type:str]
+redis:
+    rsshub: ENC[AES256_GCM,data:r2O88tXccKZw68Jg5tvUcpwf6y8Vs1kcZ7XbAReJ7aGyGH4MH3jTO72Hs7vh7185IUygXri0M2C6Ko2CY3gaLg==,iv:ZYbSqlcnga+JnC5Dxt2cTHiGTlkndSAB550ilSO+P1U=,tag:PgrW6H276sSvYe3NA6o/vA==,type:str]
+    misskey-misskey: ENC[AES256_GCM,data:Up0Q/4MjyCdXyL1EVoXbmW0J3QJCx1PlhClXSc2WpBNwpSfgmoJceLoXRbIs009JVjhn5tt7LO6EmwKiNc6yTA==,iv:myWj8+exXtg+t7Fs+ZPOLJXWtKEu0PyhTw68i7rnuTQ=,tag:WMpj06Swj3pMbSXgM0bNuQ==,type:str]
+    misskey-misskey-old: ENC[AES256_GCM,data:yLVCQaElMWBdVnKa9hBNEnSxfOx/582SoCDpQM9QjEgWzYOmPIVoRsTAs10Gsw3PezJW54S+AUrNg1mV0f8Nwg==,iv:xYXQt2CsZyymdKMIoqKLzLeTMNff7RwGzBGDfBOoxlM=,tag:L3V+AZZyOJow/Sf1RzD38A==,type:str]
+    nextcloud: ENC[AES256_GCM,data:/wv5hG7cmHz8S3d411cGxFY87MNmo/6V/vXJsWqYr4afoVLMlqUgpf6ZkSPcj2PKBmB/X+RR1s/Mus9RIJKpzw==,iv:WMdKp63LsMyOGheurm6bM4qUUNVe3/WmkvCQ8PWxqoo=,tag:PHjeJ052LtCqerED4bgACQ==,type:str]
+    send: ENC[AES256_GCM,data:5y0GGNdmVzl1Ro4bv8rab9dgmIOgNQBPPF02HfpOn/ctbSBzi9c96TJeIbDJVS2tN4P2+hSgP/XOR+hoM9prxw==,iv:4xf0b1/1f9vyVlQtIGmX5Ea/xNPyjXmA5/vazf5sOZA=,tag:b2211wLiDTvPKqRA3IpzOA==,type:str]
+    synapse-synapse: ENC[AES256_GCM,data:3lSmLz+sO9fwomeb/NCTlSRwpbegH6g1vp0qKg4G/hnWsKCu2mK6TDhQbLCSDQEagw4oBDN68yEBQ0C0tvmd3w==,iv:9rrv3XvB4ELcZhdi2KNxnYFw+XH96U4SM0X9ZSGp0KA=,tag:Qn8FdMMOaDeB9Wb11F44xA==,type:str]
+    synapse-matrix: ENC[AES256_GCM,data:NqDKomSPI6UcRDAjqVapBlmXXFHdHYS0w3jvJ4oQCvoeqYvNalkD009A6E6Br3w0/FGEKJQeTBI2MkYLlHAWcg==,iv:o8TDqzRDQCi4+Kv82BSTRyB4Y7mKhxM3c49hEbQuQmw=,tag:6RCKWwxC5Fw5N1QD/5UktQ==,type:str]
+    peertube: ENC[AES256_GCM,data:zzRRyCbXsqVVxDvS8kpBbOyozqi24d6G9K++/ToLQyt3TumefTssNehljNsb0oqsmZBLgLhND0T4WDhMf9//Ng==,iv:yDM/LREKnBW8noRzHPIdqg0TvmWAfxmVOplZkY8MSro=,tag:19uoxbEdGPOIzcQqm31H5Q==,type:str]
+postgresql:
+    misskey_misskey: ENC[AES256_GCM,data:mcJM5hgd6Y6MjphFuH20QHU1zxPVnrd5CG3rwX3CekxpM4NzElhkD0pcWM0eTxbNQCM4V+lmjAvaQzBS8T9Mzg==,iv:eC2/GyNcZK31jxLYfRRw4l0aNhz1kcsjE/w4Y/P6ydQ=,tag:hNC2Fj327+O8/4/5/riTYw==,type:str]
+    misskey_misskey_old: ENC[AES256_GCM,data:z4C8J2dAu6OhtRzkHGLb1u3pUGeRuTF1EHzjduO45zF9cpMufIs52u8vhzwmrEXm7bJP2lomyFtQRWNPqtPkVw==,iv:QA56d2wcAseFuhI+lgR5Op0TbKrzs+1Cd5v8/0i8/gE=,tag:Df63HfuHZhDn/0SL2/6fdA==,type:str]
+    synapse_synapse: ENC[AES256_GCM,data:4Em7JbATF0Rs8pLjrVT9ZIxPaqecqxCGUtQPie69XWZIVuB/4AsmhPe4WmyJ2jPPmHBdzPHHLwQbd3ryusMzsg==,iv:49JsSMnsZzROuH5mXxMVEbkFOp0uf8gsps02vAH1Ovo=,tag:63LjUCFcnhqUsWqn/hDijQ==,type:str]
+    vaultwarden: ENC[AES256_GCM,data:qP5i100QGGHbYLbmgI29eU1vjx3S9zAAJ6SuahykqehFcowJMG/x9L4VCfw8nMmvoDZDUDvOKsE/8XH6tJ8c8g==,iv:f+yahEvIwdchADrtQsX0EllR6jGzqLA5zwnnAaUjnck=,tag:Iy5JbgktJSoUPszcinb9vQ==,type:str]
+    nextcloud: ENC[AES256_GCM,data:XBsqWgTwAMMQ+aZVf91w343yqL7a1xEswc8CeC0NWsM/ZwabQfYeToVDKlQEGnItuyBRZfhSzH+EUsF7pXDB9Q==,iv:OEoqECAOuyJ0wjsaof8GFYaftEv8z7vH64RWlGHU9XI=,tag:nFoMasHkPawFxiLvclsP6w==,type:str]
+    gitea: ENC[AES256_GCM,data:7afp3qF0jU+aGOktymlk4iDaK2EuYjLD0QcMQA2Nkxf+ac4PQFb1g4rsaPcxuNLn5ZFueq6QXCVUTPNdEeCJNA==,iv:OjNWbhRoi5fvVY8dtkoHWIPO1frXsmI8cuBxKgDHPmo=,tag:1s3+L08McDetU2BTMXWP+g==,type:str]
+    grafana: ENC[AES256_GCM,data:jsKB0+FFRGDfCG/alFwQF1fvI+TOFAUN6gc3zraMkCsRzn6SBzPsyuOiDthTCyS2dx0+arwmn93TzX1fm/vKuQ==,iv:Vl7IsQRuP8TBTDfwJSU/QrHTSowukXtGPG38fu3QcnA=,tag:L5G8sN6ZcOWyoeQgvTYGrg==,type:str]
+    synapse_matrix: ENC[AES256_GCM,data:uyV13dMgUzPLGmSGN3Hoi6u1tY9rMU186VUSl7HspZXFqhs+OmRGL86cf91o/owvz15WijIw4wuAP++T8MY4LA==,iv:TG7Fi3ETAvmrOxv8ZahnrOR7Z90Vf5YgHcOtPkzueJI=,tag:uH10mk1m0q3a0fGcDbH9HQ==,type:str]
+    peertube: ENC[AES256_GCM,data:J/qNYYuOhENTVFU+6Iz9P8Cy1FcHlD6xpPADDzdYDZuce9DEsnFq28d+tTJ7Z71IvOKvNySly7ru/R+Tu7rqpQ==,iv:sV34o2Zf7yLUovdVND7wh+rcoGglz4llc3xfSEllHNM=,tag:c9wzEAlWMINTN8TEZhDIRw==,type:str]
+rsshub:
+    pixiv-refreshtoken: ENC[AES256_GCM,data:PVWacd0SAg2n76ExpQy5Hdg2WK2IdokhnZ0PoY7rNz7pLkBjlrMjbtCenQ==,iv:wPCVw0VVL4b/9TLvGd3fU+dDr/gIlSyUOO5pKF3CuzM=,tag:HgUrPEOCZK9DYsyowi55Ag==,type:str]
+    youtube-key: ENC[AES256_GCM,data:XOPAZPIE8Hd3vKWAR8tlaXQp/FGeH2pIBmwym8h7TXUf+MGTGQko,iv:mv1csjmeKi/ZQIiuhzPIr3DPyygjWevhFGSK+URaQiA=,tag:yh4Zr9MpINU8O0eeH9+z3A==,type:str]
+    youtube-client-id: ENC[AES256_GCM,data:HEJQeFtoyXaSQqprbpGY7qvYYsq1u23CMM5kGvgGsoP1xvEMcwRa3Lza8OhL/lk0MtKH0krojDyUMzWPZtohG9U3ad/t18YQPg==,iv:vT4V3VZU4lJx2djtjIOow/xuER2LQ4reQUOgCPeW+9Y=,tag:MFvBv/3hs2H6BQWGU9eeFg==,type:str]
+    youtube-client-secret: ENC[AES256_GCM,data:7++nVoYfFxv304u9fxmk5W+38tP6Z+mMS/nh7adolhyfDXI=,iv:WlYBfwCz7//qM02ljM1prc/YnBwLOb60ATcUlnBK9ik=,tag:erwi1hRaSaUQ2cLp+S9QOw==,type:str]
+    youtube-refresh-token: ENC[AES256_GCM,data:o9KEBZ18h+taPc3WoQ4EsbR/WbFn3wRhgdvLAz7dmM05Cktf9pgZ8iI1idWQZCJ0ehYL5VyizNhHrmkocXsHzCJ6i79J3uBl5vggWZ4v6/5cUBtNZXq5DYYG/EVN2RXjOdrkzYZnQA==,iv:CQzgvwhofMljnhNXYh+t6BkPJ3OO4GRPOSFZOVXe7TY=,tag:/1i73kP+RrkP76Tho27wkA==,type:str]
+    twitter-auth-token: ENC[AES256_GCM,data:2OM7aZZYuE1A3aQMsDia5yy2cGVmaT7L3QljZ3J8IixA9zaJdFwu6w==,iv:vcc80V5PMqZk7lcvoyfl+XtoIhZ7g951OSRnXPywtao=,tag:EVL2NIiDTS5EHU8MxIZjpA==,type:str]
+    bilibili-cookie: ENC[AES256_GCM,data:PoylF8gAs3dpRSdV6ClpaV9J6jRqRIsAYPlv1NiWy43hHmvEQac1tVrQfm0WHsxV3SfEaphyVH18bgwAcWnkWHbMTzKTWtzsJ74WrihRgksPiuttUm0JkTTr16g0jUtF8kSJiajQfDKmL0pEY9k3mnGnLltjIfntnqbH6dM11FRFy0Ixg0USUPiPz+uFMpJ7x6RHp+ypfhvMYsi5uuCiloCYMV4cUcr65gGym7a72S74vPdPQRzuGoz9fsJn/aPGPlhZR9L2k98TzQjp2jz5lbbGLEH6O1AH/aW9QlDuooF1ki9SvanQ,iv:nO6Adc002Twmw4Qov+EkhVu2TBN0NUEgaCoWOaTu7hE=,tag:cHG00fvDaTR7kAYIMPsICw==,type:str]
+    zhihu-cookies: ENC[AES256_GCM,data:88obR6OzMhO07UM4Mqr928ik/LY8wjjuYRVJdFFJNwiq+q05DfKprrX0oh5barTBqWduZ/PZZzOswh8OgzyeVpRZwBLIz63AJSv+Zui6wV/KODITZs/iDC+UiEnGkh0kf93p3g/TUvxWDGwe7beydGiDXUZrvaQ2nKB7NBGAoohdsx3cXb+TPruj0U8G1GaqRscSjqoYJFhj30EJBH7Jqb687/Zms0oetgXi6KZ8Mw==,iv:tYjHMC7FVxQJ4mhst6pttxivCoSxVyv8qUPmXXDoqzs=,tag:c3UHpyGKvD48qi0rBlfyjA==,type:str]
+mail:
+    bot: ENC[AES256_GCM,data:redeWqYAJlHVivVtywOD+Q==,iv:mDZ+4K4aj+05/KRij0oH+v7/JiBxs7y/x08Nz7U1sSQ=,tag:2FRwDxmN/mIuBjE39jl/Ng==,type:str]
+synapse:
+    synapse:
+        coturn: ENC[AES256_GCM,data:IAgJ3Lni1s/AGQxz2Tt0EpFoIwRZ7Y9TtDHsm7fyCcfDLNvwhNorTod5MSgiqFtHhWLzXf/iqh3/cWitIeuxAg==,iv:QUGCkeFMO+CA3tAXbM8h4KALFic6XbnW5pCxtPtJyb8=,tag:dq6qECRfcyUvJX5EwCPDvQ==,type:str]
+        registration: ENC[AES256_GCM,data:HV4DXfW6h1Z/OaW73jXJ4oXs/FOJf4EXWrWlXsnqbOJyzhCszBOiGFAw/i+wx9sSB+k=,iv:8VIXG3Xqug8dYaw2Log9IrGpxqAXwXFk4MJ4JuzQsBY=,tag:3Ra69sIFOxtX4Wzehvz+lQ==,type:str]
+        macaroon: ENC[AES256_GCM,data:ilCgbQjqIALJd+rz0XmEo6TLqO44NCBBG2vKv8QITLntZ80bgedKACXZogfMVCv7pTI=,iv:LQG1/agu05i7kFL2vWFnSCttivD7yyDijhWFfq50Xq4=,tag:2VfNhZA5OogXI/RaWohDag==,type:str]
+        form: ENC[AES256_GCM,data:0NdGdzjSF1/Xo7jz+Y3sGK/szDlhgg6kWLCoBiqDmBSARZX8SnW9W5zlPKM4Xa0sG+o=,iv:XVxnFBK2f2tvhIshzQLqLeUMcO28MyLrrF5QZMUeUr8=,tag:5frMH5KQt1hL1u2ltDpApw==,type:str]
+        signing-key: ENC[AES256_GCM,data:JPjrh78ySJwmfL7l5C2OT6pelzMfqaWRQK7MoMv3lQ3VXcWKrVsJZlfRQaTJbaEgK+qSiHh0T99LGA==,iv:DFefjxW8U9YK3kCQUPyxOHsh+ZhUYEj5DfOlKVZePxA=,tag:u7oyKnuVDqkyvzwvsyfV/A==,type:str]
+    matrix:
+        coturn: ENC[AES256_GCM,data:ecDAOVKq9+tJklCJK3ktiWQ6Ky+O5fjr9zS3b3PjwJUyCpIADvVhWBTmFeaVy2ApfuWbugGw8d5wCscpOOy/aw==,iv:p9l9X0UBK2mDpkR9+OX/j+ETYxMdzZhjowzOvA6Uk/Q=,tag:5IC3IsfXg4JmJ+m9F4ehPA==,type:str]
+        registration: ENC[AES256_GCM,data:YnDk7rqVPi3uyzNSBvWLQPb2ZaayNzgubs4Hf0i/CN0hW4ha49AZtkcNka/hVtwTGMI=,iv:Zs7SpAecN8r2Sg7Ih190SUlbH5SLu19BDCUPX9ywYzw=,tag:RLZ6jIgOeFCDwzAu0008yA==,type:str]
+        macaroon: ENC[AES256_GCM,data:YmEJKAZ6dyjBVyvK3Xi68TZtJHUuljAQMhlR6I8vNUOxuP766XYkU/z/YaH3R2rVv9Y=,iv:1/C8Fm2CIpo6Y+YnE80EtWvHfG6cQu/mYd10XjagJdg=,tag:QmtfqZ/3as+4gdF/b2OuxA==,type:str]
+        form: ENC[AES256_GCM,data:rGLJQUMVpOBTCQEqQtiUk3SWitLL1tijBFqVDbohrUspUhTXgRmCQ/0eodhku3RiwcA=,iv:GSxZtwo4/FDRn/dA+L/NQFWcj45KEUSaV2sUL09vqe0=,tag:4dvt57c3Q73B6O/9/UsbNQ==,type:str]
+        signing-key: ENC[AES256_GCM,data:mUY9Fn7TcBPs4HhSpRkj1weFezAzr5ld1xYE8kZcjRNU05MCGLTbPa+av6pYr0HoAaSyzBXmKBBZMQ==,iv:wX092d4eAJ2jLce6Y1EfewxGZsLnwOSce5RJoikCiRg=,tag:Uegzv54CvAI8d0NTz3UesQ==,type:str]
+vaultwarden:
+    #ENC[AES256_GCM,data:wbKsGwBKrJYagX1AvY0o5FHXxOhrfjZ/+crasAh52uOFYGd0P8A7NnyF6JvNgH749dAT9H47DXRKBAclVVSqWPc=,iv:TZgJ7pwyGBpf7S4g7CL2dync2sGNzQ9369atAvLwFJ8=,tag:sxtkPHOmrjUb13zeWPBdng==,type:comment]
+    admin_token: ENC[AES256_GCM,data:TrgqQwXBoCdsLeWQYkur4zS+Z4nCoDDoePnN5vm+AIcgYXVwjxcf/0AwXQIxVNEypYysPpoHKOigwhkf5kLazAMiBZ0goAflJT/S4nOLo90s+9kDCADXWnCeHNhBUg8fUulNPBbpqdfFKCJgJCD2WTI+V5yFLQ==,iv:maKU6pcxis7Cyrx9x26cUTBzA6ZKcKJWSP23w+MDehw=,tag:GYpPHp2slC6V8aKA1FHFAg==,type:str]
+mariadb:
+    photoprism: ENC[AES256_GCM,data:h7TQh5ScGM30e42VSEg6AynwRUPHMRHddJcJotQtDbkFVgmfjHmAHTY22U5jWqjq4KXPN5ItRETLOMw9k9yOgg==,iv:jFTPaXortmiU+8m/NBTYjAXRXHCpD+UE5oeveH7/znk=,tag:3OOUUyHLQJROh5rZcX8bAg==,type:str]
+    freshrss: ENC[AES256_GCM,data:Qjg5GIX13ccZi/DuqtWK0qzr2GK0GzzUdEZWXDhUhGxFWzgosADxDCc8wfOchItaJFefnVrpPxdAPvT+4TEH0g==,iv:oGii3o6sJYVc11kdQMh0Pa3GUbWqttFgjvSVEbTycZc=,tag:8GWWwuJjQBwDFl9pJvg90g==,type:str]
+    huginn: ENC[AES256_GCM,data:/hFQdG/RGrX75qd0+WgwhnwR7p/CEVx1vPksRSudxmc1m4VO/AVzgMCWAz4310ctTEnn4GZinvD6QGFta5IOSA==,iv:mrPDZA6Bnw+SPVDDe64tivvvQtHWvCsPJbEnPqm12g4=,tag:ihXbIJwwtQ0RfaNfcaop4Q==,type:str]
+photoprism:
+    adminPassword: ENC[AES256_GCM,data:QXrDNGSKdRZxc4mfwIhR5cmmmJysGV3cThSFlng3mEviaq0p+BvOa5Thtgw0CxQXdpgjrkui+837NJ/FxPUYvg==,iv:EkutxeDDWfSOVD9p1Ari/rkgf7EwTutDymZQ1uNm6FA=,tag:r3gXuefnIQ+5pPtGZajnZg==,type:str]
+nextcloud:
+    admin: ENC[AES256_GCM,data:DJK+u19VP9cFvq4/P0+f7erXxZkRWI4NRrX9HdHO96xy9wZMtB+hEDN3zLQnkTTtmd2ZLs9+c9BsUNXZperGDQ==,iv:zX8Nxt5+O/mGVt5l1j8IojBkgxg5oDae6KWTXYz0hRE=,tag:MRyMx0OXYTCmtaySP/umNw==,type:str]
+freshrss:
+    chn: ENC[AES256_GCM,data:wwHntnMeiGZ5v8CE7CGV,iv:snIdYdFpvv5HvcR5qucD2pZXXef3dhSU+2wK5SPrDjw=,tag:2RnujKKkQSoxvSNZPLS9Pg==,type:str]
+huginn:
+    invitationCode: ENC[AES256_GCM,data:E8rEdAfUQX9oJEnvxVF5PmYFMd9PN8+K,iv:gZtUf+AkICLHD4h2beHbEfyoL4bcoOv0sivDFDB3vVY=,tag:4tlsPuED6jCXNE0iOayXsg==,type:str]
+grafana:
+    secret: ENC[AES256_GCM,data:O2L0+R9QvOMJLKa941nxn+FeuZ5nOAm1iDlKW2vvk5Dyod0XLdGL1seWuYzpx+NL16qmC1u8jydDcBfUT+PAeA==,iv:Pqsr+POPAr8djdVMK5U4PiS1zUnZXLH3q588D/jOMys=,tag:QziP0kKT5oyI/RHaYHr2mw==,type:str]
+    chn: ENC[AES256_GCM,data:xMwWBYChRIxw5KDjgCYBJWkbRRo5FUtyhZ0+SVRIgjQ=,iv:EIjECQHx3/2t+oMC16B1Xfwa8guiST2pdIKM1hNcuFA=,tag:BP8ElnMevqF6urDgBP/UAg==,type:str]
+peertube:
+    secrets: ENC[AES256_GCM,data:9pm5hD8FdbmFIRZZX5+C0NyXn8qdt0OIlecu79xjVrWd8C6H7C01Uriw5M1qifTIJLDMvJC36Trci0/eniDsEA==,iv:iZ/KiwgFm5TyZBZxo8n9k3Lr3o3Vk+c4zFn9efPtJYw=,tag:HGgoRL1C3Nm/KTHGfq2Ejg==,type:str]
+    password: ENC[AES256_GCM,data:PNrcz2PnGF6WGa7vL5PBWiM03xsA2B2imPiwHpU0IMPN/CMh77eMVtwmoxtl6QkGl1UKb12975NJsfJwJPg9gg==,iv:vjFl6SFNqZhTHmmxRckYAj8nZ1IbFtTfTAxYkdSf/lI=,tag:K2PpVnu+919MddGl5qJn+w==,type:str]
+open-webui:
+    openai: ENC[AES256_GCM,data:E8/Szd4ZFat/R4UW6F4qVEvKmq55sT7mpY6hK274JDCYJgjfQdtJ3gY=,iv:Ryxy19pQsY9pFfz/E4SbBfxYx0N5BXqZtR/Kv9E+0uM=,tag:GEd5+N/ziOncF1UhrwgngQ==,type:str]
+    webui: ENC[AES256_GCM,data:6rpvA80i+HXkDQgYCDIHbXwDfxHq/5tXQRK4piI=,iv:vVIBHf/9LnY1z4zVZGB0ZRBRwLpdXKvNhsYWySxhsiY=,tag:JmbDJKlZ2dH13+drXyXXPg==,type:str]
+nixvirt:
+    yumieko: ENC[AES256_GCM,data:tO+67mdCFH8=,iv:vl+PLSBfMDk7rGmpjuZ8TnEC1B8tni2pphC7cTmxQU0=,tag:RVW5UaUD0g0HDpoGp2/mAA==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
     age:
         - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
           enc: |
@@ -28,8 +102,7 @@ sops:
             by9Rd0U0bzNiK21BQTNxN1RuQ09DQVkKJmSlzV5ppEkZFljsS17ZWmoI++fz4tJh
             kTdoAStG1zsKASHyZTsmdm3RBDO3qV1KhQC2gC7d4EiwNZngxOOZJg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-04-10T10:43:51Z"
-    mac: ENC[AES256_GCM,data:vfsGxfHuVqPrrCYMrjuCS3jV4T5UjMkRGPskTPqbbouwG1i0wAofRHHxYmjC/oor1nllDTVkENAoxOfj56Tb1OQZl0frXhoc40vgqC3XEXouofYhDmIeEU1O/c9rBUYTaoHHgkHN38UuKXCVHhNh1LdEaExrE9XjOhNxoKz35wU=,iv:fHgbfvH2e/2iEa+dBzwhP3azFjhWep6RjXrRIUKtzG0=,tag:VjBBB3FUVgR5bFEPohBsDQ==,type:str]
-    pgp: []
+    lastmodified: "2025-09-07T00:23:06Z"
+    mac: ENC[AES256_GCM,data:Vmcv7Hof4ZR8uXOwbk8zeKSfVldCxJQ696m3mCe6ar5FKpGja0f2XbW8a7tpuYqfwNa5Z7OCovku40PZ/TSmq91hQlZ+zbXe66nPx3/ybbQUSu1rvujprv36kvp1BQwK5A2clLEX7Vo7fGsTq1jX1AFrNM7zTJABrET/7yqVdTE=,iv:IkODPE4AMMLpBNbgwbOpYLWpG7IkRPKVBiLfxKASmPs=,tag:9xfwdCvaWvVey24dLmkFSQ==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.9.2
+    version: 3.10.2

devices/one/default.nix

@@ -1,36 +0,0 @@
-inputs:
-{
-  config =
-  {
-    nixos =
-    {
-      model = { type = "desktop"; private = true; };
-      system =
-      {
-        fileSystems =
-        {
-          mount =
-          {
-            vfat."/dev/disk/by-partlabel/one-boot" = "/boot";
-            btrfs."/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
-          };
-          luks.auto."/dev/disk/by-partlabel/one-root" = { mapper = "root"; ssd = true; };
-          swap = [ "/nix/swap/swap" ];
-          resume = { device = "/dev/mapper/root"; offset = 4728064; };
-          rollingRootfs = {};
-        };
-        nixpkgs.march = "tigerlake";
-        kernel.variant = "cachyos-lts";
-      };
-      hardware = { cpus = [ "intel" ]; gpu.type = "intel"; };
-      services =
-      {
-        xray.client.enable = true;
-        beesd."/".hashTableSizeMB = 64;
-        sshd = {};
-        kvm = {};
-      };
-      bugs = [ "xmunet" ];
-    };
-  };
-}

devices/one/secrets.yaml

@@ -1,32 +0,0 @@
-xray-client:
-    uuid: ENC[AES256_GCM,data:GmfSlDQjO4aBq3u50jnFjOR9VxamYHzokUrO9IpIGuBx0j8e,iv:++O2wBUCnHDPowRgtxPQJQePXP2Cda74WXQvlKHbHNw=,tag:XDWhiXwT718RgrBw7L5yzw==,type:str]
-wireguard: ENC[AES256_GCM,data:OuduClOu9y9adCcV1+U/NLp/t1yWPkuyptproTJv4beImptrLOVGbhb5fb8=,iv:qa1jpzAlUEhPBznZw6j4CYquTCpmNZ+uNbyHjH2qGy4=,tag:+5I2CRuyCAMSy74xVtdJGA==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsOUJWMm5xT040cEoxQit5
-            ZnhhQWVyWjlnejhzQlEvVVg3ZGVJb05iL1hjCnF5bzFTUTZFYkNQR0k5U0xmOW1t
-            TXhsRHFIeVBBSXc1UURON2M4MDlTMEUKLS0tIGdSbTdZdmdjY0dmNjkrRjd0VkhK
-            eWV6SDJqT1B2MEp1MURkV0E4S3Z0Zm8KX9lEjG4u2QRe1zH+13rbedCWl1B7vvl8
-            2iMHj1qQ4JkCeq83llEH5IuDXKYnKKXSi8l3nU/l6Aw6yx/KHDFK/g==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1m7nrxfw22wvp7pj8y9pdl745w95x89uu8dzl9ppsaazweqf2lqms5yshsp
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2K3VKTVJqMTl2cWxUZHhM
-            OVg5ZjN0VGNpVXQ5M1FKZHloZ0ZnWTZ2ZWowCjJIYTlhRU8wd1JienlUTHIwWXYw
-            eFY1d2MxeStBd013VmszbTUzTkF6U2cKLS0tIDdDNXp4OTdQRjN0MGdIOS9oSldU
-            ZW5PT3VYZWhDMkZUeHViZE41eUhna2sKc8J8mJ8ge9KMb5p6Xi/vRIIXZMEj6Ih+
-            LjLKsgDfMbqNqKaQXSvC3tbvI/dDoiStyCsf4rkTY9QOkyEI80MtXg==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-04-10T10:44:01Z"
-    mac: ENC[AES256_GCM,data:Sso6g9UEH7faygbcrypsnB/4h8cIwveLdVI+YgDDfTHMC5nxXj+xtfFHhzao1pkyvF0avUVjsMVXLRcB48eDcbZdXwBvoNKg0mpL7VAeOnDuwElI6GGpRVTaOsZC9LT9d1kuGkmavMljCvmaA3sPLZsvW3Hqjdicj+suMoQJ/nE=,iv:DYf0m9PfJ1qx3gI/6T6ByxJWHrdVGgiNMCVhcBOrgBw=,tag:Ddw2HFuCmk6PFnxF4G13hQ==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.9.2

devices/pc/default.nix

@@ -11,49 +11,32 @@ inputs:
         {
           mount =
           {
-            vfat."/dev/disk/by-uuid/7A60-4232" = "/boot";
+            vfat."/dev/disk/by-partlabel/pc-boot" = "/boot";
             btrfs."/dev/mapper/root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
           };
-          luks.auto =
-          {
-            "/dev/disk/by-uuid/4c73288c-bcd8-4a7e-b683-693f9eed2d81" = { mapper = "root1"; ssd = true; };
-            "/dev/disk/by-uuid/4be45329-a054-4c20-8965-8c5b7ee6b35d" =
-              { mapper = "swap"; ssd = true; before = [ "root1" ]; };
-          };
-          swap = [ "/dev/mapper/swap" ];
-          resume = "/dev/mapper/swap";
-          rollingRootfs = {};
+          luks.auto."/dev/disk/by-partlabel/pc-root1" = { mapper = "root1"; ssd = true; };
+          swap = [ "/nix/swap/swap" ];
+          resume = { device = "/dev/mapper/root1"; offset = 131605760; };
         };
         grub.windowsEntries."08D3-10DE" = "Windows";
         nix.marches =
         [
-          "znver2" "znver3" "znver4"
-          # FXSR SAHF XSAVE
-          "sandybridge"
-          # FXSR PREFETCHW RDRND SAHF
-          "silvermont"
-          # SAHF FXSR XSAVE RDRND LZCNT HLE
-          "haswell"
+          "znver2" "znver3" "znver4" "znver5"
           # FXSR HLE LZCNT PREFETCHW RDRND SAHF XSAVE
           "broadwell"
           # FXSR HLE LZCNT PREFETCHW RDRND SAHF SGX XSAVE
           "skylake" "cascadelake"
-          # SAHF FXSR XSAVE RDRND LZCNT HLE PREFETCHW SGX MOVDIRI MOVDIR64B AVX512VP2INTERSECT KEYLOCKER
-          "tigerlake"
-          # AVX-VNNI CLDEMOTE GFNI-SSE HRESET KL LZCNT MOVDIR64B MOVDIRI PCONFIG PREFETCHW PTWRITE RDRND
+          # AVX-VNNI CLDEMOTE GFNI-SSE HRESET KL LZCNT PCONFIG PREFETCHW PTWRITE RDRND
           # SERIALIZE SGX WAITPKG WIDEKL XSAVE XSAVEOPT
           "alderlake"
+          # SAHF FXSR XSAVE RDRND LZCNT HLE PREFETCHW SGX PCONFIG
+          "icelake-server"
         ];
-        nixpkgs = { march = "znver4"; cuda.capabilities = [ "8.9" ]; };
-        kernel.variant = "cachyos-lts";
+        nixpkgs = { march = "znver5"; rocm = true; };
         sysctl.laptop-mode = 5;
+        kernel = { variant = "cachyos"; patches = [ "btusb" ]; };
       };
-      hardware =
-      {
-        cpus = [ "amd" ];
-        gpu = { type = "nvidia"; nvidia = { dynamicBoost = true; driver = "beta"; }; };
-        legion = {};
-      };
+      hardware = { gpu.type = "amd"; asus = {};};
       services =
       {
         samba =
@@ -68,39 +51,19 @@ inputs:
           };
         };
         sshd = {};
-        xray.client =
+        xray.client.dnsmasq =
         {
-          enable = true;
-          dnsmasq.hosts = builtins.listToAttrs
+          hosts = builtins.listToAttrs
           (
             (builtins.map
               (name: { inherit name; value = "144.34.225.59"; })
               [ "mirism.one" "beta.mirism.one" "ng01.mirism.one" "initrd.vps6.chn.moe" ])
-            ++ (builtins.map
-              (name: { inherit name; value = "0.0.0.0"; })
-              [ "log-upload.mihoyo.com" "uspider.yuanshen.com" "ys-log-upload.mihoyo.com" ])
-          )
-          // {
-            "4006024680.com" = "192.168.199.1";
-            "hpc.xmu.edu.cn" = "121.192.191.11";
-          };
+          );
+          extraInterfaces = [ "wlo1" ];
         };
-        acme.cert."debug.mirism.one" = {};
-        frpClient =
-        {
-          enable = true;
-          serverName = "frp.chn.moe";
-          user = "pc";
-          stcpVisitor =
-          {
-            "yy.vnc".localPort = 6187;
-            "temp.ssh".localPort = 6188;
-          };
-        };
-        nix-serve = { enable = true; hostname = "nix-store.chn.moe"; };
+        nix-serve = {};
         misskey.instances.misskey.hostname = "xn--qbtm095lrg0bfka60z.chn.moe";
         beesd."/" = { hashTableSizeMB = 4 * 128; threads = 4; };
-        gamemode = { enable = true; drmDevice = 0; };
         slurm =
         {
           enable = true;
@@ -110,60 +73,32 @@ inputs:
             name = "pc"; address = "127.0.0.1";
             cpu = { sockets = 2; cores = 8; threads = 2; };
             memoryGB = 80;
-            gpus."4060" = 1;
           };
           partitions.localhost = [ "pc" ];
-          tui =
-          {
-            cpuQueues = [{ mpiThreads = 4; openmpThreads = 4; memoryGB = 56; }];
-            gpuQueues = [{ name = "localhost"; gpuIds = [ "4060" ]; }];
-          };
+          tui.cpuQueues = [{ mpiThreads = 4; openmpThreads = 4; memoryGB = 56; }];
         };
         ollama = {};
-        docker = {};
+        podman = {};
         ananicy = {};
         keyd = {};
-        lumericalLicenseManager = {};
-        searx = {};
-        kvm = {};
-        nspawn = [ "arch" "ubuntu-22.04" "fedora" ];
+        kvm.aarch64 = true;
+        peerBanHelper = {};
+        mariadb.mountFrom = "nodatacow";
+        lumericalLicenseManager.macAddress = "10:5f:ad:10:3e:ca";
+        waydroid = {};
       };
-      bugs = [ "xmunet" "backlight" "amdpstate" "iwlwifi" ];
-      packages = { android-studio = {}; mathematica = {}; };
+      bugs = [ "xmunet" "amdpstate" "iwlwifi" ];
+      packages = { mathematica = {}; vasp = {}; lumerical = {}; };
+      user.users = [ "chn" "xly" ];
     };
-    boot.loader.grub =
-    {
-      extraFiles =
-      {
-        "DisplayEngine.efi" = ./bios/DisplayEngine.efi;
-        "SetupBrowser.efi" = ./bios/SetupBrowser.efi;
-        "UiApp.efi" = ./bios/UiApp.efi;
-        "EFI/Boot/Bootx64.efi" = ./bios/Bootx64.efi;
-        "nixos.iso" = inputs.topInputs.self.src.iso.nixos;
-      };
-      extraEntries = 
-      ''
-        menuentry 'Advanced UEFI Firmware Settings' {
-          insmod fat
-          insmod chain
-          chainloader @bootRoot@/EFI/Boot/Bootx64.efi
-        }
-        menuentry 'Live ISO' {
-          set iso_path=@bootRoot@/nixos.iso
-          export iso_path
-          search --set=root --file "$iso_path"
-          loopback loop "$iso_path"
-          root=(loop)
-          configfile /boot/grub/loopback.cfg
-          loopback --delete loop
-        }
-      '';
-    };
-    # 禁止鼠标等在睡眠时唤醒
-    services.udev.extraRules = ''ACTION=="add", ATTR{power/wakeup}="disabled"'';
     # 允许kvm读取物理硬盘
     users.users.qemu-libvirtd.extraGroups = [ "disk" ];
-    networking.extraHosts = "144.34.225.59 mirism.one beta.mirism.one ng01.mirism.one";
     services.colord.enable = true;
+     # 禁止鼠标等在睡眠时唤醒
+    services.udev.extraRules = ''ACTION=="add", ATTR{power/wakeup}="disabled"'';
+    # 解决有时蓝牙不能使用的问题
+    boot.kernelParams = [ "mt7925e.disable_aspm=1" ];
+    specialisation.niri.configuration.nixos.system.gui.implementation = "niri";
+    nixos.services.xray.client.xray.serverName = "xserver2.vps4.chn.moe";
   };
 }

devices/pc/secrets/default.yaml

@@ -1,10 +1,5 @@
 xray-client:
     uuid: ENC[AES256_GCM,data:XU7/GZ8cJmDwNsrQfoFHrquZT5QkjvTPZfnghX3BLyvPLlrX,iv:e/BQkZ5ydWD4P/qT9OUloB8/cXImfkG3YZnuIeNLoTc=,tag:EW3ZBzGnyIrUfcMeJqm4aA==,type:str]
-frp:
-    token: ENC[AES256_GCM,data:0mE8/cWqHKNquCIiqgbjcNhipKk7KEfbZ+qRYbu+iZr7AH9QjfYZQiMJNp4Aa3JWwBLYAnpf,iv:ID4cc8Tn0H9b1CimXlPamMlhlAkafhRApDHo/CCQ4BE=,tag:BUuU/BCj16R7FlKlpubawA==,type:str]
-    stcp:
-        yy.vnc: ENC[AES256_GCM,data:IsZWkNGYHrbQcgvOSURDnA==,iv:4XO8RFBdNopLKYxCACmkXLMPu0wIVx64y0C7m2bsTVA=,tag:fMHzU9aQm0bRr8pTKwpuHQ==,type:str]
-        temp.ssh: ENC[AES256_GCM,data:XG9WpTR8Bw==,iv:XiMTPN8Gx1nNssf4r+VXTvUATiUNsOYJ2jeHjhDSyTs=,tag:JS3NlA4cs/6IA19PJYrStg==,type:str]
 store:
     signingKey: ENC[AES256_GCM,data:TsB1nA0Rf2AsYyH59WpUK53pTCX2JdrGQjkJ9A9BfWLLmw3EMnPoaLHG12rv1R2/xRU7rP+iVhXb77g60I/Kn4ehun3ogMmK1oEAKyQcxudBUJFk+SeijaQLr2A=,iv:e2rdGBVOPS1nyC3pXhs5r0WyEkqxcpCnX3eAcBCj93M=,tag:HwccjH2Wms5/TevU2IuzNw==,type:str]
 postgresql:
@@ -16,15 +11,12 @@ mariadb:
     slurm: ENC[AES256_GCM,data:fGvNMmqk7Cee28VJ1QoBVrBbgIUbj/F1W0SRjdP8N4K/M8Wx4AVm1kAr0IAhPWyDLXlIjM1NUvuEV5BpYDBdjg==,iv:rFTMJ4x2kgENQUA8ftSaLjdOc25i5mWR3UYbdq54vjs=,tag:6feD0eCSv7bcHWBveLNJwg==,type:str]
 nix:
     remote: ENC[AES256_GCM,data:uosYkxTCB0wiY+Uufk//OcBZFN3EzbZoQGZ95M9eZMjQ5AobAZqosi4laE+EMcZL1CqYqlWXaSoEUOB8biUaZPseo+1AX1TlmUgZ7QpkfOX0VKZu01C6C+lVyqVqMFq6z1BFyX/oeITMIfnd4a/2KwJCHLAZ4hMkJ5p+aJwByKGa3N/2m41HH/1S3z7pYQWj7YJxunTPPG6WNSiRncQki11rvmddwnXmsBF89+jW1Phge8U295haC57T5oIGPxR645IeTK4ZUlL8eVuZ+BhsnwbkYcaxvjSwe+DOIVPupR8GW+gis7KxwE89kqvnQhinamexcPUz4lGHlqO/Xn6jrJx6T/wXF+19epAzeHapYte3dTWNsdPwPLPJihT16YT5fwrLnH3zq8kexWz1crmnCGUoaBs4S2tHWHLgv2lTv0IHLx5F6ijpDBj/Avg9YILIURzdeea+rBxdycHasUDTVlJtYKRH5J+WbAKWI+oJ5qmXjIRUYL+O9xIUfOGO+1b3xs8MYxRWuvDV2P88N8vN,iv:yQQp5wjbSVn1oia5yL7d6GF9Vo704G0iOQRGMbzQHzg=,tag:bpBag5y5n+7ojOa8QOcDvA==,type:str]
-wechat2tg:
-    token: ENC[AES256_GCM,data:PrZWR8WiZ7grkpTLqMxwbnkwZttl7n0e1lc1mdHJiFUWq/PqG2wNBC27C58jMg==,iv:02XHhfpN8YPix0REbJDnsBbvCwifbdwBwfuJ2glbvjo=,tag:6aWNqBfwulsjMbl+D6L9vw==,type:str]
 searx:
     secret-key: ENC[AES256_GCM,data:KhIP+Rz3rMfNgPEGTlKGvm6gl1/ZuPI=,iv:GcaLEJHKJO3n6IaeiFr9PaJ6eNx04/VjX3UgmBF429g=,tag:HkplyH9hTHUaEZ709TyitA==,type:str]
+xray-xmu-client:
+    uuid: ENC[AES256_GCM,data:XiUkReTJLAxZNWFVeD6EiOtUX5tsyPLFi6QyDBdHyB4v5/mD,iv:QppdtP2CFDEVhlrmDJKYBGc1zYGJvpGYxLfsBAMxDSI=,tag:jzMSFRit+aBzWMkaa3+5hA==,type:str]
+    cookie: ENC[AES256_GCM,data:0jqSEZloX2/c8Zg4WTKkLw==,iv:BKLm1KMoRrH0uO6hPMsv2a7sG0AwNRrdbpmABP4BszA=,tag:pBs+rQIhhNO4Qr6q1V3MUA==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
     age:
         - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
           enc: |
@@ -44,8 +36,7 @@ sops:
             OUlxNjdQaXdXMkZ6bnV1ek4yZ2dpbkEKpKGOAxo5Eef2jtGrg4iSzmGCeg+vTgvu
             +K8b+O19MIkGMDBm6UbYUPtc/7eqoEZRiTUzNMTmfkLVS4ul5zou9A==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-04-13T05:59:15Z"
-    mac: ENC[AES256_GCM,data:/m/cioV71s7HJ7ObIDCr69wDLn2xk/lTRqmUCx46u7tzOwMsYqU6DghBsZuaUN1r22CbMi1wtmSziDisKStOGY27pswNe7IuEo4IhVz5sJNxcWCxpYo8ttrCUeaJ7Y0vFbseIn1l1UObfubhhvVdxDsE0RoxLK7Ka8hJW5aEksM=,iv:GKmlbRXFexMegBWBVx4vusA0ceZZnwGIN2FkSpGXMdY=,tag:yoCnH94Ph0AUjkN3CTg6wA==,type:str]
-    pgp: []
+    lastmodified: "2025-08-01T07:22:50Z"
+    mac: ENC[AES256_GCM,data:f4fultak/52Gq6nn1hJJYw3AMeuR3J6gcxtPDG/WKkNV+B+gtabWp5R8J8wLWFJ4C1ZsGHDYMTvTfSUlDVdm1dGpxJtFzdfoBBdajj8s2mju6nMQUFoNFRmHDZEQBdIzfXpob1+7Rsr+bBmg7HnFvjR0ozuaQP9QHsHEZxJVbnU=,iv:xh4OIom1TFgKralXw6rrOR/1xpD5SpY2tHfJUq6v41o=,tag:0QOtWN6DcGf3/gorusbXtQ==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.9.2
+    version: 3.10.2

devices/r2s/default.nix

@@ -0,0 +1,30 @@
+inputs:
+{
+  config =
+  {
+    nixos =
+    {
+      model.arch = "aarch64";
+      system =
+      {
+        fileSystems =
+        {
+          mount.btrfs."/dev/disk/by-partlabel/r2s-root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
+          swap = [ "/nix/swap/swap" ];
+        };
+        network = {};
+        # uboot 起始位置 0x8000 字节，这个地方还在分区表内部；除此以外还需要预留一些空间，预留32M足够。
+        uboot.buildArgs =
+        {
+          defconfig = "nanopi-r2s-rk3328_defconfig";
+          filesToInstall = [ "u-boot-rockchip.bin" ];
+          env.BL31 = "${inputs.pkgs.armTrustedFirmwareRK3328}/bl31.elf";
+        };
+      };
+      services =
+      {
+        sshd = {};
+      };
+    };
+  };
+}

devices/srv1/default.nix

@@ -16,10 +16,8 @@ inputs:
               { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
           };
           swap = [ "/nix/swap/swap" ];
-          rollingRootfs = {};
         };
       };
-      hardware.cpus = [ "intel" ];
       services =
       {
         sshd.passwordAuthentication = true;
@@ -61,8 +59,10 @@ inputs:
             { name = "n1"; mpiThreads = 8; openmpThreads = 4; }
           ];
         };
+        mariadb.mountFrom = "nodatacow";
       };
-      user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" "GROUPIII-1" "GROUPIII-2" "GROUPIII-3" ];
+      packages.vasp = {};
+      user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" "GROUPIII-1" "GROUPIII-2" "GROUPIII-3" "zgq" ];
     };
   };
 }

devices/srv1/node0/default.nix

@@ -8,26 +8,31 @@ inputs:
       system =
       {
         nixpkgs.march = "cascadelake";
-        networking.static =
+        network =
         {
-          eno145 = { ip = "192.168.1.10"; mask = 24; gateway = "192.168.1.1"; };
-          eno146 = { ip = "192.168.178.1"; mask = 24; };
+          static =
+          {
+            eno145 = { ip = "192.168.1.10"; mask = 24; gateway = "192.168.1.1"; };
+            eno146 = { ip = "192.168.178.1"; mask = 24; };
+          };
+          masquerade = [ "eno146" ];
+          trust = [ "eno146" ];
         };
       };
       services =
       {
-        xray.client = { enable = true; dnsmasq.extraInterfaces = [ "eno146" ]; };
+        sshd.motd = true;
+        xray.client.dnsmasq.extraInterfaces = [ "eno146" ];
         beesd."/" = { hashTableSizeMB = 128; threads = 4; };
         xrdp = { enable = true; hostname = [ "srv1.chn.moe" ]; };
         samba = { hostsAllowed = ""; shares = { home.path = "/home"; root.path = "/"; }; };
       };
-      packages.packages._prebuildPackages =
-        [ inputs.topInputs.self.nixosConfigurations.srv1-node1.pkgs.localPackages.vasp.intel ];
+      packages =
+      {
+        desktop = {};
+        packages._prebuildPackages =
+          [ inputs.topInputs.self.nixosConfigurations.srv1-node1.pkgs.localPackages.vasp.intel ];
+      };
     };
-    # allow other machine access network by this machine
-    systemd.network.networks."10-eno146".networkConfig.IPMasquerade = "both";
-    # without this, tproxy does not work
-    # TODO: why?
-    networking.firewall.trustedInterfaces = [ "eno146" ];
   };
 }

devices/srv1/node1/default.nix

@@ -7,18 +7,14 @@ inputs:
       system =
       {
         nixpkgs.march = "broadwell";
-        networking.static.eno2 =
-          { ip = "192.168.178.2"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; };
+        network =
+        {
+          static.eno2 =
+            { ip = "192.168.178.2"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; };
+          trust = [ "eno2" ];
+        };
       };
       services.beesd."/".threads = 4;
     };
-    specialisation.no-share-home.configuration =
-    {
-      nixos.system.fileSystems.mount.nfs = inputs.lib.mkForce null;
-      system.nixos.tags = [ "no-share-home" ];
-    };
-    boot.initrd.systemd.network.networks."10-eno2" = inputs.config.systemd.network.networks."10-eno2";
-    # make slurm sub process to be able to communicate with the master
-    networking.firewall.trustedInterfaces = [ "eno2" ];
   };
 }

devices/srv1/node2/default.nix

@@ -7,31 +7,25 @@ inputs:
       system =
       {
         nixpkgs.march = "broadwell";
-        networking.static =
+        network =
         {
-          br0 = { ip = "192.168.1.12"; mask = 24; gateway = "192.168.1.1"; dns = "192.168.1.1"; };
-          eno2 = { ip = "192.168.178.3"; mask = 24; };
+          static =
+          {
+            br0 = { ip = "192.168.1.12"; mask = 24; gateway = "192.168.1.1"; dns = "192.168.1.1"; };
+            eno2 = { ip = "192.168.178.3"; mask = 24; };
+          };
+          trust = [ "eno2" ];
+          bridge.br0.interfaces = [ "eno1" ];
         };
         fileSystems.mount.btrfs."/dev/disk/by-partlabel/srv1-node2-nodatacow" =
           { "/nix/nodatacow" = "/nix/nodatacow"; "/nix/backups" = "/nix/backups"; };
       };
       services =
       {
-        xray.client.enable = true;
+        xray.client = {};
         beesd."/".threads = 4;
-        kvm = {};
+        kvm.nodatacow = true;
       };
     };
-    specialisation.no-share-home.configuration =
-    {
-      nixos.system.fileSystems.mount.nfs = inputs.lib.mkForce null;
-      system.nixos.tags = [ "no-share-home" ];
-    };
-    boot.initrd.systemd.network.networks."10-eno2" = inputs.config.systemd.network.networks."10-eno2";
-    # make slurm sub process to be able to communicate with the master
-    networking.firewall.trustedInterfaces = [ "eno2" ];
-    # add a bridge for kvm
-    # 设置桥接之后，不能再给eno1配置ip，需要转而给 br0 配置ip
-    networking.bridges.br0.interfaces = [ "eno1" ];
   };
 }

devices/srv2/default.nix

@@ -7,16 +7,11 @@ inputs:
       model.type = "server";
       system =
       {
-        fileSystems =
+        fileSystems.mount = let inherit (inputs.config.nixos.model.cluster) clusterName nodeName; in
         {
-          mount = let inherit (inputs.config.nixos.model.cluster) clusterName nodeName; in
-          {
-            vfat."/dev/disk/by-partlabel/${clusterName}-${nodeName}-boot" = "/boot";
-            btrfs."/dev/disk/by-partlabel/${clusterName}-${nodeName}-root1" =
-              { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
-          };
-          swap = [ "/nix/swap/swap" ];
-          rollingRootfs = {};
+          vfat."/dev/disk/by-partlabel/${clusterName}-${nodeName}-boot" = "/boot";
+          btrfs."/dev/disk/by-partlabel/${clusterName}-${nodeName}-root1" =
+            { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
         };
         nixpkgs.cuda.capabilities =
         [
@@ -30,10 +25,10 @@ inputs:
           "8.9"
         ];
       };
-      hardware.gpu = { type = "nvidia"; nvidia.open = false; };
+      hardware.gpu.type = "nvidia";
       services =
       {
-        sshd = { passwordAuthentication = true; groupBanner = true; };
+        sshd = {};
         slurm =
         {
           enable = true;
@@ -77,8 +72,21 @@ inputs:
             ];
           };
         };
+        mariadb.mountFrom = "nodatacow";
       };
-      user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" "lly" "yxf" "hss" "zzn" ];
+      packages = { vasp = {}; desktop = {}; lumerical = {}; };
+      user.users =
+      [
+        # 组内
+        "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" "qmx" "xly"
+        # 组外
+        "yxf" # 小芳同志
+        "hss" # 还没见到本人
+        "zzn" # 张宗南
+        "zqq" # 庄芹芹
+        "zgq" # 希望能接好班
+        "lly" # 这谁？
+      ];
     };
   };
 }

devices/srv2/node0/default.nix

@@ -5,31 +5,39 @@ inputs:
     nixos =
     {
       model.cluster.nodeType = "master";
-      hardware.cpus = [ "intel" ];
       system =
       {
         nixpkgs.march = "skylake";
-        networking =
+        network =
         {
           static.eno2 = { ip = "192.168.178.1"; mask = 24; };
-          wireless = [ "457的5G" ];
+          masquerade = [ "eno2" ];
+          trust = [ "eno2" ];
+        };
+        nix.remote.slave = {};
+        fileSystems =
+        {
+          swap = [ "/dev/disk/by-partlabel/srv2-node0-swap" ];
+          mount.btrfs."/dev/disk/by-partlabel/srv2-node0-root1" =
+          {
+            "/nix/remote/jykang.xmuhpc" = "/data/gpfs01/jykang/.nix";
+            "/nix/remote/xmuhk" = "/public/home/xmuhk/.nix";
+          };
         };
       };
       services =
       {
-        xray.client =
-          { enable = true; dnsmasq = { extraInterfaces = [ "eno2" ]; hosts."hpc.xmu.edu.cn" = "121.192.191.11"; }; };
+        xray.client.dnsmasq = { extraInterfaces = [ "eno1" "eno2" ]; hosts."hpc.xmu.edu.cn" = "121.192.191.11"; };
         beesd."/" = { hashTableSizeMB = 16 * 128; loadAverage = 8; };
         xrdp = { enable = true; hostname = [ "srv2.chn.moe" ]; };
         samba = { hostsAllowed = ""; shares = { home.path = "/home"; root.path = "/"; }; };
         groupshare = {};
         hpcstat = {};
         ollama = {};
+        sshd = { groupBanner = true; motd = true; };
+        speedtest = {};
+        lumericalLicenseManager.macAddress = "70:20:84:09:a3:52";
       };
     };
-    # allow other machine access network by this machine
-    systemd.network.networks."10-eno2".networkConfig.IPMasquerade = "both";
-    # without this, tproxy does not work
-    networking.firewall.trustedInterfaces = [ "eno2" ];
   };
 }

devices/srv2/node0/secrets.yaml

@@ -6,13 +6,9 @@ mariadb:
 hpcstat:
     key: ENC[AES256_GCM,data:+Z7MRDkLLdUqDwMrkafFKkBjeCkw+zgRoAoiVEwrr+LY0uMeW8nNYoaYrfz6Ig8CMCDgX3n/DMb0ibUeN32j3HShQIStbtUxRPGpQMyH+ealbvgskGriTFpST4VPyQxNACkUpq/e+sh2CmLbKkSxhamkjKOXwsfqrBlgVbEkp7u7HkWGuAaYL1oPGt0Q94fWXwH0UVhRYZYQ2iFA/S6SEZY8gxaTIGDKUdWU9+fOHzPQ5WfhxtKYU4p4ydyfYsAt6ffqnPSx/SI72GsUCOJ4981JX8TuvnEzx3gQLVFYheK6NibTWCy6eODbvguieVOTHSvCPTrHmoP12lHVWU2kKzLwv70Jl7sXyzKHYROG0D+/z/4DKlNeotKM/IA0q2cST08/lwSKN7WDDmrt+O6xXhvwby28ZYKEsSvvrfV+VIKzHPl84ZKbUEX5xv/GHc3THfznUvKKz5PzDiqrkjCkEt5PRMsVW9A6MU1+QEUr+sXLLtcUd2CCL87c8CpwNHJx1us6vJ4ji1gu0PGoT+60,iv:yU6j9W2Hs2D34uHMJqqPFbNy2pNEZY2kzXoNdhPMSmA=,tag:TNvEfMVrhu7HrNxY8qe5mg==,type:str]
 wireless:
-    #ENC[AES256_GCM,data:xrg3Wxj/ghbWgg==,iv:6stu7voI5no2Y3YmnMrvTS8hev3eqjoWAyD5zTgyehc=,tag:cxkS7y7S1oM+/SJmlT10fw==,type:comment]
-    457的5G: ENC[AES256_GCM,data:QjHlyGU4JIYymyh41T+c33T3EOpbqDOoD3U+v6/BzjlWLLeZQXU2hwPCVh4fi2bwn7yNkp4ygAYmFPVPZWoT1A==,iv:Tc6Guzsn5hkjWH6UWSb1KlfWCBXIi2OWdn/wttmCXnQ=,tag:FhyH6JmjSTuqSeFy+GyQhg==,type:str]
+    #ENC[AES256_GCM,data:n9OPSJsB7yNk,iv:xQzKJxqPB7uT83m/B4UoOje6NQbPLhuHR7Hp93oNz8A=,tag:gtsTx6ALnS/7fIDd7VimOg==,type:comment]
+    409的5G: ENC[AES256_GCM,data:K9wm3zedoil7jHgTcb+VmbdbkG2dgrMdr3BmDRUHDVADqLANMvnUMSecggYTO4HaiI9q6uv2/BSkluanD5K4Dw==,iv:7dGET3ULKlnaDMVmkuXDek+hQPLZ2VUbPqvEOX+5jlQ=,tag:MBGmQ0NNNqX+T9EsBiWCaw==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
     age:
         - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
           enc: |
@@ -32,8 +28,7 @@ sops:
             M0xoL1dQR0kvMWpzN0RMNWVCTFQxNFUKj9LPjBo5NGOrGYNvu8qZ13PLYjLEWllU
             LARzEn4XgkeHckouwvxZYMCx7WxmAruRWaOvnxTIczzSNP7wIrqnkA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-04-10T10:44:43Z"
-    mac: ENC[AES256_GCM,data:6EeWT8IiCGyRdR/9WDoTTM8bBuhzf2LtP1kahCgfvFpU6g5HB+qG5O0eXaL0DMKg7OQJKHIS/wZVaEierVwno0CnP1WR7y9l6Rlab2nVG4YCNkEkwqZgIWFOUi0aZrZQc7WC3rUk1gxiJK38nEa4ebk8oqAbyHyKHsFAeUcMbqA=,iv:oqRLvYsXct+OwcymXslEH4o03vLNeV2eU/4zK8R+gKs=,tag:0d1DYjCGRewUd4aHPIpFSw==,type:str]
-    pgp: []
+    lastmodified: "2025-07-12T04:13:47Z"
+    mac: ENC[AES256_GCM,data:W+e5d1scvV24AdVdl7Pisp9HxsXQ/tPjN2NV/Bd0RXZNBRB7LNQrSfk1GadboBnihW0ctAQOFk66PZsxwE2czfFL2/yzFxm9Cf11Mc822ZL3BwjnQBK4uR9LJrbjL7x1lFUk9v0AIPhjrir8F6dcX8mq6++hHNN0wjGaH3J9E0Y=,iv:RK7e4Dxog+Qsgk6gxK0f8PN8oF9bjWIrTyYK67Cdras=,tag:QSKsETYXbhnvhhjavP4UiA==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.9.2
+    version: 3.10.2

devices/srv2/node1/default.nix

@@ -4,23 +4,23 @@ inputs:
   {
     nixos =
     {
-      hardware.cpus = [ "amd" ];
       system =
       {
         nixpkgs.march = "znver3";
-        networking.static.enp58s0 =
-          { ip = "192.168.178.2"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; };
+        network =
+        {
+          static.enp58s0 =
+            { ip = "192.168.178.2"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; };
+          trust = [ "enp58s0" ];
+        };
+        fileSystems.swap = [ "/nix/swap/swap" ];
+      };
+      services =
+      {
+        beesd."/".hashTableSizeMB = 64;
+        lumericalLicenseManager.macAddress = "04:42:1a:26:0c:07";
       };
-      services.beesd."/".hashTableSizeMB = 64;
     };
     services.hardware.bolt.enable = true;
-    specialisation.no-share-home.configuration =
-    {
-      nixos.system.fileSystems.mount.nfs = inputs.lib.mkForce null;
-      system.nixos.tags = [ "no-share-home" ];
-    };
-    boot.initrd.systemd.network.networks."10-enp58s0" = inputs.config.systemd.network.networks."10-enp58s0";
-    # make slurm sub process to be able to communicate with the master
-    networking.firewall.trustedInterfaces = [ "enp58s0" ];
   };
 }

devices/srv3/default.nix

@@ -1,53 +0,0 @@
-inputs:
-{
-  config =
-  {
-    nixos =
-    {
-      model.type = "server";
-      system =
-      {
-        fileSystems =
-        {
-          mount =
-          {
-            vfat."/dev/disk/by-partlabel/srv3-boot" = "/boot";
-            btrfs."/dev/mapper/root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
-          };
-          swap = [ "/dev/mapper/swap" ];
-          rollingRootfs = {};
-        };
-        nixpkgs.march = "haswell";
-        initrd.sshd = {};
-        networking.static.eno1 =
-        {
-          ip = "23.135.236.216";
-          mask = 24;
-          gateway = "23.135.236.1";
-          dns = "8.8.8.8";
-        };
-      };
-      hardware.cpus = [ "intel" ];
-      services =
-      {
-        # 大部分空间用于存储虚拟机（nodatacow），其它内容不多
-        beesd."/".hashTableSizeMB = 32;
-        sshd = {};
-        nixvirt =
-        {
-          test =
-          {
-            uuid = "6cb275dc-19e5-4c8d-b705-5faab72aa3ee";
-            storage = "test";
-            memoryGB = 8;
-            cpus = 4;
-            vncPort = 15900;
-          };
-        };
-      };
-      user.users = [ "chn" "aleksana" ];
-    };
-    # TODO: use a generic way
-    boot.initrd.systemd.network.networks."10-eno1" = inputs.config.systemd.network.networks."10-eno1";
-  };
-}

devices/srv3/secrets.yaml

@@ -1,30 +0,0 @@
-wireguard: ENC[AES256_GCM,data:Coe4iIEnJVDb4a9KUVTRkXl4kng5Zo6x1Iyr0ErgR2b9bN287mvO6jPUPSc=,iv:fiNUUKobJjitcoxBemIah5Cl5+dSz2Q7sbiOT8bDrRM=,tag:rHfNeRGTxnyVYAu8P/2ewA==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvaURzWlFQNUpObmtvaUd2
-            bVc2UXRHajFPeXR5eTNqQnBhaWVOTXRDSEhVCjJVREN5MzF2MXhMSGIvNlM0endj
-            ZGVhTUFrTXVXRTlvYThaRVZBWmwxd2sKLS0tIDNTME1EaHFKY2J2SWxrRWFpaVJ4
-            Sm5xUlU2TXpyMUJQWVpoRUdlTnVjOFkKZErjPuX3nNFc3jFPBX462qs9hwguyxUD
-            POxmT4DMCPAaEz+lNB+Qa03P3TYFJ3LfqTsO7QXO2f9113wFqF2lFg==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1n4lhfwv7g0vhx54exmwx9yv2z04m3h2lunzpa5zdzgtcvjjuf5nqc36g8a
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxd2RzNEttTzk5cXVhc2RK
-            R3hxM1N4TmkyNGp0Z2ZwODZBL0RuMW1qNjFjCkI0N2FMUkd0eENPK0w4MWVJY2d4
-            NWlvUFdQbUh3SFIycDczZlg0ZEJMalkKLS0tIGs4dHlocTRseXRWYVFxMkdrV2x2
-            d0h3aDh5QXFZYWJFdmNVYnJxQ3pBeVUKTl0XVvtwJcz+RpSylgDPl/R8msInxvWX
-            eQGmrDHibeE1V+KSDiuNzC4MVRIrOnh1beHrhnVQ86HwPVgJqs2FoQ==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-04-18T11:50:01Z"
-    mac: ENC[AES256_GCM,data:4e0OGsOFiLg4inOdsz1CuMymQLrqPO/kiSR6iuDz2WbTs/FKjrYh1EbcqgYwwsQzM2rf4X3vwzD1+oKYe94Ld2U+93JgVBhcxU856CTA3N+kbScqHwHeAY9gQSU0L3GwL1t7gKsRdNK5AJjDEFpHYxiWMrVlWVArWzbw3d9PGRs=,iv:1Pb0FWfC/nsLsOtBJa4YoNbERtuCq2nwL5qW0tX0syY=,tag:mmd+XnyduLoAz/pXZRwToA==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.9.2

devices/vps4/default.nix

@@ -0,0 +1,40 @@
+inputs:
+{
+  config =
+  {
+    nixos =
+    {
+      system =
+      {
+        fileSystems =
+        {
+          mount =
+          {
+            btrfs =
+            {
+              "/dev/disk/by-uuid/403fe853-8648-4c16-b2b5-3dfa88aee351"."/boot" = "/boot";
+              "/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
+            };
+          };
+          swap = [ "/nix/swap/swap" ];
+        };
+        grub.installDevice = "/dev/disk/by-path/pci-0000:00:04.0";
+        nixpkgs.march = "znver2";
+        initrd.sshd = {};
+        network = {};
+      };
+      services =
+      {
+        sshd = {};
+        fail2ban = {};
+        xray.server.serverName = "xserver2.vps4.chn.moe";
+        nginx.streamProxy.map = builtins.listToAttrs (builtins.map
+          (site: { name = "${site}.chn.moe"; value.upstream.address = "wg0.nas.chn.moe"; })
+          [
+            "xn--s8w913fdga" "matrix" "send" "git" "grafana" "peertube" "rsshub" "misskey" "synapse" "vaultwarden"
+            "photoprism" "nextcloud" "freshrss" "huginn" "api" "webdav" "chat"
+          ]);
+      };
+    };
+  };
+}

devices/vps4/secrets.yaml

@@ -0,0 +1,66 @@
+xray-server:
+    clients:
+        #ENC[AES256_GCM,data:d7cv,iv:RHzGIDLuuKejCTQ5YlNNITkCS3VoprsqH/kHckdpAv0=,tag:3cYw7uyUmXALo3v7SiqLJA==,type:comment]
+        user0: ENC[AES256_GCM,data:o2wxpSzoqsPxs6grgYRLtPutMVwSqtzUWBrj7+7QuWWd1a1z,iv:2/5SxXq8Iw4J/LzBeclHbkrZXHitguip0WN+MINym8s=,tag:v/3oly53ORM9XAwbOzp06g==,type:str]
+        #ENC[AES256_GCM,data:0nHZmEPPaw==,iv:BtOZ8/U0yg3fthHrwerNQX3+KD/H9+fcUylYGnZqiIM=,tag:DkFGSFfq//LmWfg6DGm1aA==,type:comment]
+        user1: ENC[AES256_GCM,data:7ev7GuKLeJbPReMy0FnX02fLv5nNCpxdzfnQyAA+/IviwDMQ,iv:YbESsyIAiEAyvrHnj9A4lITX7NtRkuRhCrTv6hoG9Qs=,tag:8uledxLXqpXXLBh+cczm4g==,type:str]
+        #ENC[AES256_GCM,data:4Y00hDJ+8Hjq3Q==,iv:XWZYNC1T5B55B43tcuzzvOOFtHqZJ9XDuEaYQOO5cR4=,tag:5oNFsqUtSiv8CY6aHyGjNQ==,type:comment]
+        user2: ENC[AES256_GCM,data:MRMdc7LRYqgRsfKKW6LnP14g3JoFT6g7jzkXW8gIAeqypyoc,iv:tfPBD2FkIljz3xasYNJsj3vh2lEObrvSZ95FyCgWcTs=,tag:B1PQpyX24DqrPscL/pjZmQ==,type:str]
+        #ENC[AES256_GCM,data:gGd3kkNcyIwOXg4=,iv:vILDvtdvopPM8lZDDpedvtXYHpoPvPn1A8AJca41r9A=,tag:2LMImcmdyPKsQDloq7041Q==,type:comment]
+        user3: ENC[AES256_GCM,data:+KUVcqy18t6Fd+QNgB5DeZkNSA6lsjebO+xnzxzIjWuZ9UmS,iv:qugbmBv9jk1yfH2s0A0jla0DR3jkdXLVUeWGcj6v68U=,tag:4FUf/guDzPqgDcb1086WTA==,type:str]
+        #ENC[AES256_GCM,data:jCgKe0t2xQ==,iv:UE48L/JpobN6LUd6Z9RlsUGSJ1sHHgiL6xj8lPztwJc=,tag:xnwWLQm+GIUzsfBO/TXhrg==,type:comment]
+        user4: ENC[AES256_GCM,data:3yrdvbcH/ToAQpTLppSVp2FNGjatyBInKP85bAY9OrEtzhhQ,iv:4zvb1nzKjrCNWWKelOnDhsNBAC7Ak6ZpJlvQKqGJrgc=,tag:dBOTBJDJhJsKHKg/vGmpxQ==,type:str]
+        #ENC[AES256_GCM,data:2ptsDQ==,iv:dEzyk6NQcFZQPx8h/ViCqtRaQ/8dfMTVKBq+iguk6nU=,tag:11SLIAhtcHja4G9HUXr9Ng==,type:comment]
+        user5: ENC[AES256_GCM,data:NO9rpzFkySistf9++oXpo1tBaa4XtPtcCGR+2IWmhQYEH/l1,iv:OG+U0avgo9mjmU3soxRNL71ZC7Ee4ijpsJMRn3jYvhw=,tag:QuBFX2KHgNJ+f3RwqEH4+Q==,type:str]
+        #ENC[AES256_GCM,data:uTZDsA==,iv:6cxvQycfji/x+DW1CnO45r+yNTLwkhYkiJwDaSpUCwo=,tag:8pMw+sYeOyZBN1idHoM9+g==,type:comment]
+        user7: ENC[AES256_GCM,data:Ie8M385wtRx8bWIdCupnda799kL0OLBsWdk9pHTY7IxxaZbn,iv:OrRYOkaC9uI9E1Eb8GYqmYr9VAUM895oO8NSdvxUPCQ=,tag:NZTUE4KnUjhg/auoALavTA==,type:str]
+        #ENC[AES256_GCM,data:Wwq+ypJgx6OcXA==,iv:dSvFz4I5tFx+ZVClxNGKwcbIQe7OY43OzAhqRiDK2TQ=,tag:CYUs1cJ/zqc+Y0yFec7Upw==,type:comment]
+        user8: ENC[AES256_GCM,data:2GyFDXIiAN3mTobwnY4czV2Egoin3B5Ih+aet3yT+krPTkPq,iv:NwrzO//HXwKMudgD+yK1hsj9o71RG6BfBle3logvuLE=,tag:WWpioPsnhHvVSrzAmN16Sg==,type:str]
+        #ENC[AES256_GCM,data:vVz6E2juGqXS1Q==,iv:9itEkwMsW8cqSzwV2EZtgJVgaW7aJJ5fw1rLuKFwiKM=,tag:9hRADkot8kELoYAgd6Dz7Q==,type:comment]
+        user9: ENC[AES256_GCM,data:HgSVrry+nKGW9X9N6h8hsI9VETKtSEi+/ZC9QvNZW4zETQxt,iv:ERgmCDPBpboA/+Sxeq6BvWoMxsv3Kkczqb/mbXz9pOk=,tag:bklzRg9toKy//6T8xdtbRw==,type:str]
+        #ENC[AES256_GCM,data:2sHxXec=,iv:aA61+cmDw4rHab7RuRRK3eUDx5d6gpmfw4RpQ6Nd0mc=,tag:H9kovJyn3Te3ir9X234VGA==,type:comment]
+        user10: ENC[AES256_GCM,data:CqrwaZp1fHd/WEGQH3xWI8DZ2/AavCqwTtwZeHmnrct5yoD3,iv:IBOHGQlw+uQt8Ryp/mCDcglfSPNXvvHOjNnrT+7nOHQ=,tag:tEkGEtPaOBK+P3LrQzOLsQ==,type:str]
+        #ENC[AES256_GCM,data:Rw4BWXZutQ==,iv:rXe2i1G/xQkpBl0wh6VIzaNoidCc3JL4sy6v5hcOF/M=,tag:2tZyH8B0ZL7XptKHk6TcAQ==,type:comment]
+        user12: ENC[AES256_GCM,data:CsbquwEn+iOKCzda8z26FYk2i5aPk2xzqGIYORiD4lotvnFE,iv:zHPmlT4LAc6NDjXrExze23dZZFIj0c1eR4WW74cu+qs=,tag:5MDFrZNgv54mK05ImSvpkw==,type:str]
+        #ENC[AES256_GCM,data:vqYkwGVcQ8yZbA==,iv:1ckVSiAgjuT/K0MuVHe8D2hHE7X2qxCHpb+y6nrFCsI=,tag:so9oFl6bXlJT2O+prplazw==,type:comment]
+        user13: ENC[AES256_GCM,data:KUraqncs8iPr7z+COfJ1z0TLNLlgctxy8FCav95+kkVXtStx,iv:Uv90bnVmmQh6f9pKOWmEKCul5VPxF7rrQ9GYrsCGPp8=,tag:I0r5o8xIYuq5/MIXSOHT3Q==,type:str]
+        #ENC[AES256_GCM,data:F2x+2zrePYDkCA==,iv:aTMeqvGVI43xLsN9submgciiJEjY4hYypJ9RJLIBYTE=,tag:quKW+MATVzRw1bda2jGjdg==,type:comment]
+        user16: ENC[AES256_GCM,data:BjnUUnNyqUvvPbfa1CeYvcVbMOwz6/Em4YhxRgmlicOSwro+,iv:LULwzjV5PRihTHNZFJ21IrDG3rW3qX4CYwF4Xu1KdZg=,tag:pZAI4OEx24d6h/h9JyQ/hA==,type:str]
+        #ENC[AES256_GCM,data:aka1O9hn/dZX3Q==,iv:rWik4cYtHY/Z3xQ0p/i49zTXVmKEQDV4OMn12UaQr3Q=,tag:hPm4bugH9RAtsykj0BJ0Pw==,type:comment]
+        user17: ENC[AES256_GCM,data:URZqRUDtG5FDrZDsmI7CFn4ilp97GJtgaVVB+j0dRUdtVGoq,iv:iUkcr6Oo29y5PIGF/GJRltn5DD19yEcBIsJAaYs43AI=,tag:gzSsjeQxvjvfFVkDHPkfvQ==,type:str]
+        #ENC[AES256_GCM,data:JkMniTrakuonAA==,iv:V5KmQL+C5O2mb3ktlm1ITjLaa1NxToQlyToqYbGme9U=,tag:UTZm05uyb5j0Pf9vuxyIxg==,type:comment]
+        user18: ENC[AES256_GCM,data:fFtnkBnaOktHaIfk7dN2U73UkloToiLvP3Pg2VAqPzvTE49h,iv:DZrba7RWmaeOQsqh3Kq/IuFS9so5u5ItK5WwV/65FYE=,tag:v+pOozYvrJJIsj7A/a3S/g==,type:str]
+        #ENC[AES256_GCM,data:gR0WsUYdBZBWjA==,iv:rnXZQaDNu+cEzneEa6/2pO+qUXl/fut8FJ3n90A6ATs=,tag:azNGPfWv+ZgOU/B5PMCVZg==,type:comment]
+        user19: ENC[AES256_GCM,data:S8VSoBIR/RqwctgYPtyIPEK2hXLr4LZ/jJvvFHA6CGgp9/Ff,iv:8eLCZEaiquwZyswwLkLoJcl7UPWTVYmQqZ2egAGFWWM=,tag:VgJiSt8eRcRhppMXkAkmKg==,type:str]
+        #ENC[AES256_GCM,data:vWW1bNyENgcspxI=,iv:xXCrjHyxVtodkVu/wgy1OrHGGm20nEd1iyparWcycYE=,tag:FRu132btquzXkiLXlnq1Iw==,type:comment]
+        user20: ENC[AES256_GCM,data:Wux6pzwor0B1A9d1y0QEpcNnYn1pObloHxghSONHcsQ266/7,iv:jWSuswV6vTQdL764I/zxFC5gkFOa5Qwj54rggmmZX7I=,tag:4hmqBTn0T3a6Sjt9lofwbg==,type:str]
+        #ENC[AES256_GCM,data:IJWHWxbhy+gxhxk=,iv:HzMi211JiVfHUhEJm+q/K0tCjUEXDhollUf8Bm+HVA0=,tag:P22Q/h+DUhhJayZftcvVfg==,type:comment]
+        user21: ENC[AES256_GCM,data:0X5x3SATZm25kVf8cu7TGm2t95DneLAqhP16fRQCtROzyZyg,iv:dmlwRmubnRq2fNdNz3lVlAVYpPjVHkFm60IvPcajjds=,tag:eDJYYf3eRw+FxfaHiRDk5Q==,type:str]
+        #ENC[AES256_GCM,data:O3ovvRYzFrQY,iv:/Zs8e6u7wdp18AacZ3WWBvn5PDtXDnQ6ZyqLiyYmvAY=,tag:HmhKBI3aRCIR34vOEnv1iA==,type:comment]
+        user22: ENC[AES256_GCM,data:ee0naewdOjIxA0QEpmUyOSu++sUJQneEufhJBHiyOR7jAPTU,iv:09fZ0dLUZHp9wM2lCiIcTzFey2AkWBmnUCfq8W3FM6Y=,tag:dHBVo/Ok3Q9vy1pIbWC1Kw==,type:str]
+    private-key: ENC[AES256_GCM,data:akNIeVp2bfKvnzlS6KLAdqAo7qsGfPatzCZpN1tNRLhRVXmJCcUDVSmVoA==,iv:2Rny8ioDJ2x+NR+n7/Aluv7JZ+Om3MuJKsXiwONYntg=,tag:a3xubIr7hpVjRiHjFL/q5Q==,type:str]
+wireguard: ENC[AES256_GCM,data:3h+cpSHULgwlI/zOI0IL4t4diDzm7qWW1sOWZqkFRWCB0CAfGyydGNlZkqA=,iv:pVpmw0aEDssQSr724h9NvJqFMHu0NupDfCSt1RWVnUk=,tag:fonuszujTzeo2HqO1OokEw==,type:str]
+sops:
+    age:
+        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNamN1TytweDd3blJsR2ZH
+            ZmlocFZjT3ZaUjlVbG1vVSt4a2s2SjJIaGtRCjRneDV6cHYwdGJOY1BDVS9DeDVC
+            cDdNbUdtSGRHNU1yZFpPc1MzRS92ME0KLS0tIFpmamNmTFYrRGRqbTFVSzBhUlNa
+            VllXdzZ3bEc3UFY0YjZRKzBUcGgyVkUKqI1ojiLbF87alAkEwyrm8wuW2fLbmj8d
+            YBIpoDCZ7AwR5uHWQAtl7BWJV1zab+rA3zvaf2BsrVA1A+RWOtYT/Q==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1yvrl4y0r6yzcxzzkgfwshlrtsjt8uuya6rfwks09pnft7esfcyvqmrtm5q
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWWitsSnRVSzJDZG9ZSE5I
+            bmt2NEFDanR3aFJyYVNnU1NlUldRb2RUVXhNClQrTkgzR1dPNWp3endZTUl5SmRs
+            dEtkSWk4aWJEc2hhbWlXZkxpNGhacFUKLS0tIGZNSG43R0NKYmdFMzdXbmJjSExJ
+            Ri9hM3NRTkM4Q1lDdmdPemEweEFBUmcKNLL5qH+JeFWX0GovkPFVVAnz+4tmfG6/
+            1jN8YqbMIxf5/L8tauXPf0iIiHa6pUcjtDZPr/OEmeXebmF6Bh9u9Q==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-06-09T07:42:38Z"
+    mac: ENC[AES256_GCM,data:fQm8aI6KdoJVxcl4MQP7Q6EZVqmmLFo9A3Hjo/tKZA+VOYvQWFBxIKwy5Cj0SBi4pWsSjwG6pJZ7m6Wh/dDK4KlgkoaXgAYj+efHtScOH5Gkb0sTpAkHNL+/CJ/cO1doXiXRGj47fn1QB9o9WBaomtOWQbzDts4eFs9pdm8TAq4=,iv:91Ilig4j0ELHEatTY7ALKwwr8AzYnRwhKbdWDcufZF4=,tag:UfwaudQTNKu+uryCZjo3mw==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2

devices/vps6/default.nix

@@ -17,20 +17,16 @@ inputs:
             };
           };
           swap = [ "/nix/swap/swap" ];
-          rollingRootfs = {};
         };
         grub.installDevice = "/dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:0";
         nixpkgs.march = "znver2";
-        nix.substituters = [ "https://nix-store.chn.moe?priority=100" ];
         initrd.sshd = {};
-        networking = {};
-        # do not use cachyos kernel, beesd + cachyos kernel + heavy io = system freeze, not sure why
+        network = {};
       };
       services =
       {
         sshd = {};
-        xray.server.serverName = "vps6.xserver.chn.moe";
-        frpServer = { enable = true; serverName = "frp.chn.moe"; };
+        xray = { server = {}; xmuPersist = {}; };
         nginx =
         {
           streamProxy.map =
@@ -38,19 +34,17 @@ inputs:
             "anchor.fm" = { upstream = "anchor.fm:443"; proxyProtocol = false; };
             "podcasters.spotify.com" = { upstream = "podcasters.spotify.com:443"; proxyProtocol = false; };
             "xlog.chn.moe" = { upstream = "cname.xlog.app:443"; proxyProtocol = false; };
+            "xservernas.chn.moe" = { upstream = "wg0.nas.chn.moe:443"; proxyProtocol = false; };
           }
           // (builtins.listToAttrs (builtins.map
             (site: { name = "${site}.chn.moe"; value.upstream.address = "wg0.pc.chn.moe"; })
-            [ "nix-store" "xn--qbtm095lrg0bfka60z" ]))
-          // (builtins.listToAttrs (builtins.map
-            (site: { name = "${site}.chn.moe"; value.upstream.address = "wg0.vps7.chn.moe"; })
-            [ "xn--s8w913fdga" "misskey" "synapse" "matrix" "send" "api" "git" "grafana" "peertube" ]));
+            [ "xn--qbtm095lrg0bfka60z" ]));
           applications =
           {
             element.instances."element.chn.moe" = {};
             synapse-admin.instances."synapse-admin.chn.moe" = {};
             catalog.enable = true;
-            main.enable = true;
+            main = {};
             nekomia.enable = true;
             blog = {};
             sticker = {};
@@ -59,15 +53,36 @@ inputs:
         };
         coturn = {};
         httpua = {};
-        mirism.enable = true;
+        mirism = {};
         fail2ban = {};
         beesd."/" = {};
+        # bind = {};
       };
     };
-    specialisation.generic.configuration =
+    networking.nftables.tables.forward =
     {
-      nixos.system.nixpkgs.march = inputs.lib.mkForce null;
-      system.nixos.tags = [ "generic" ];
+      family = "inet";
+      content =
+        let
+          srv2 = inputs.topInputs.self.config.dns."chn.moe".getAddress "wg0.srv2-node0";
+        in
+        ''
+          chain prerouting {
+            type nat hook prerouting priority dstnat; policy accept;
+            tcp dport 7011 fib daddr type local counter meta mark set meta mark | 4 dnat ip to ${srv2}:22
+          }
+          chain output {
+            type nat hook output priority dstnat; policy accept;
+            # 需要忽略透明代理发出的流量（gid 不是 nginx）
+            meta skgid != ${builtins.toString inputs.config.users.groups.nginx.gid} \
+              tcp dport 7011 fib daddr type local \
+              counter meta mark set meta mark | 4 dnat ip to ${srv2}:22
+          }
+          chain postrouting {
+            type nat hook postrouting priority srcnat; policy accept;
+            oifname wg0 meta mark & 4 == 4 counter masquerade
+          }
+        '';
     };
   };
 }

devices/vps6/secrets.yaml

@@ -1,5 +1,3 @@
-frp:
-    token: ENC[AES256_GCM,data:T8b1ku4HNCNSJ+33QgIt1GILFA4wTu3Qd0rDqHPVgdqsGo0R90k0u8z+dElSO7q9PapTqUbZ,iv:hwnMu6JxfYLgw4TyhujX5dI2IAytgZh+Bexhgta6ATQ=,tag:lqgwvXlS/jGPxasmk5Vh3w==,type:str]
 xray-server:
     clients:
         #ENC[AES256_GCM,data:DXEC,iv:SZ1AhmK6fWQ/HGDk97kDUcRN84zQMp99eiz4SpRhig8=,tag:Fkdf28ZvB8XKCxSYdjuuHw==,type:comment]
@@ -7,58 +5,48 @@ xray-server:
         #ENC[AES256_GCM,data:OVgDU+zqcQ==,iv:8KuEqBuL5Ca6pUOFFA+vySJx/h3BhGAAC0CgnxiW46o=,tag:TY1MajSSy2RjKVI2SSAAFw==,type:comment]
         user1: ENC[AES256_GCM,data:S3IHO9FcVHTJOsRxjSohM9MgnrEwLdDpFU+efLkQaXT2jNJG,iv:KOesvPzjDfm1EDLFiegbk0wgjp7di5mUwUuuY2hwvOQ=,tag:ZsYyUyyEhO5S3weCw/gPMw==,type:str]
         #ENC[AES256_GCM,data:OQOPobpbbhajgA==,iv:4jG3bHKzWcR+JnvSlJsc0Qlv5kywqVN5UE96J31CP7Q=,tag:P+jJkRxPu99tLXyO5k6dRA==,type:comment]
-        user2: ENC[AES256_GCM,data:e7ITe2ZouKr8dXT7SYATyzbzHaVeu6AKt1OcQKk3U0nsQgoa,iv:UbOOuojy6OAFEH8lGhKe5Hs+2K6FX5MZ8Br9AB007gs=,tag:5XeB4YngzTcHZvCpXe/ZXA==,type:str]
-        #ENC[AES256_GCM,data:93BxR0AEdQ==,iv:rf69GWpuxYt7fu1Fyv55pynuQDhi+TA5CwZK3cc3yBo=,tag:/hLy6atNMxLw6G3/qgMM4g==,type:comment]
+        user2: ENC[AES256_GCM,data:+MKTpaA8hO8q0kyY0V1csedLOtIf760Vr0+WllGe9lgMJ5da,iv:5txOM3sFOhKVX4EVozb8XHWLU0fUNxCF9YAwTYaTL6c=,tag:jkgOVgiEc5phY1XNETsdpA==,type:str]
+        #ENC[AES256_GCM,data:m0iCqLI8ELaPb9g=,iv:bsh7JHILbOZJ+bgGr0U0rDanjUVGgDzYGhboezspEjE=,tag:o7A4SXoCXk5LXmZ1bidg/w==,type:comment]
         user3: ENC[AES256_GCM,data:r+6jXaIj4HJoYLnJcnjJB+WEZlGaoSy/ktc1Aw77hFtNrrGp,iv:P+YUKns1yaOZokH5WkDB0jssGyHg3ncc54tF1PyA7Oc=,tag:/pxMEr7l4ye5EDAOsllxJA==,type:str]
         #ENC[AES256_GCM,data:4gqZh391hg==,iv:No22DrD6EBs2FA4/qH8msWEjs20fc+ZpEeZep+HIv+c=,tag:aHrYNbI83POI4PRj1nd+Yw==,type:comment]
-        user4: ENC[AES256_GCM,data:ujiml/r4aFiKOkSJkaD/KE8rKuBtLSnpZREBH3vRJUzDT0QM,iv:a3VFlXpMLNFihvFa7gloANtHmBLg4szTL5LTm8E2kNs=,tag:W9KZ1GAVx9IBKfda7Zedng==,type:str]
+        user4: ENC[AES256_GCM,data:/kBaGAqbewLav+WCJPHm1py3pvb7bA/YO2DeBP2FTCZv44wA,iv:iwxV6KHu00oITH/58kBFmf43lkgTU3BHJ/kb9FPnRSE=,tag:ns+6Dvhf/D15bZc0fd6zLA==,type:str]
         #ENC[AES256_GCM,data:AzzKMw==,iv:Z73ISOLhPWP40wTy8PucY3KaB9nS7WQECK3tZFYC1ao=,tag:KJuiCODhHyDl5bXInUSI5g==,type:comment]
         user5: ENC[AES256_GCM,data:iDuLRb4dhLUOjpamioMwoTYrn7Cy+Ln4SaedVXkwVD05rjJ0,iv:AqzBBvLpJuIJCUJq0IyDcHrlqb0e84nQC0c94Rj85uw=,tag:0xou1i/iwAxGngO74OIMXg==,type:str]
-        #ENC[AES256_GCM,data:D5xiJW0Oyg==,iv:9a/6myiT9Crf/fff6ZkXj/obW2k95cABUNqQdPmcwcc=,tag:chs8BA8YtVkM9m3Ey9ETlA==,type:comment]
-        user6: ENC[AES256_GCM,data:YzLlf37SxKmU1/QA7gUIJsGid3KZNoAGOew8xR7cmw5l8ZmX,iv:SfKubo2jfjtxKn9odDiokMEZyPFfYZ/wwyYtBrgvgmM=,tag:+hxwIU5uBhzQyrKX4r3oiw==,type:str]
         #ENC[AES256_GCM,data:8FxApg==,iv:vPa5p3QVHAvw+ECusWGqx1ugTcHh42CVFDQcMhG59wM=,tag:lHiZtydcYFBQiXnWh8pCrw==,type:comment]
         user7: ENC[AES256_GCM,data:H/jje9ONEY6XuBXTZmTVGIcWUgGSMf5OB1NNRPtqGCgRP1ei,iv:xew+0BkRqz3nfOoBXTPbBv5hRczy/3tgYSKq432q4iw=,tag:da2ljcffiCVJCsMZaNPZyQ==,type:str]
         #ENC[AES256_GCM,data:QdaYYH3RGJ4qIg==,iv:79NBTEKCPtgVVv3G7wg+vdoLOWxc+bdqT1lF4HJpTC8=,tag:8mRFGjy7lBrdyGyX9vaSOQ==,type:comment]
-        user8: ENC[AES256_GCM,data:H1gPtqF8vryD0rVH7HYzpMuZ3lufOBYczKwaTr4PidQtTyQK,iv:wh7NwFc/1ogNrnTTpm5L9dBqDVkvWiIsJZelR2mtR4Q=,tag:oEFdMFZJ9UYhsSVdefJ4rg==,type:str]
+        user8: ENC[AES256_GCM,data:AnZb12dioiCamubOb6fsGWoM55zfPMeRbu+j8bRRcMfSQFJf,iv:rB+4B11JFC0oS2ExUW18f5WvhnE4EuHh3IiEyxWeY3A=,tag:jt+3yxDvhusvB8ppbdAwzw==,type:str]
         #ENC[AES256_GCM,data:aYWIiLxs1UvupQ==,iv:AisokHuAzD5B6fEF6ak8WfAe151CM3a8MsaWC4uJPnw=,tag:cdk5S4n9ulyWrqsD+jcqYg==,type:comment]
-        user9: ENC[AES256_GCM,data:HVK9KvGfOcwn1joc3VrkjBjE6hrxQPOBD5RTtQUgBPepToh6,iv:VK9aQ64L/GajpledBxC8PNB1BdNYEqwcdL3GKttgxvs=,tag:O/piztCYBARtAFxTMNXGaA==,type:str]
+        user9: ENC[AES256_GCM,data:+SA+VcZcy5ckuS/46Dn093VvuqxrIACuqMAMx6Ko5yw0DVdW,iv:TeLXb1WI7uhcPDkXYSlKIxdE6Kz+nCnlB+ZYpWcaF4I=,tag:YB0sPD9yHMARhiMJs7JKcA==,type:str]
         #ENC[AES256_GCM,data:eCl1bK4=,iv:oYA2CFW6OGGrRYx6OHRYJpbEyFh575UjztvHaXA8UG8=,tag:Pw7xsisQB2Dd0KJeWFq6bQ==,type:comment]
-        user10: ENC[AES256_GCM,data:xjVkr/wy7OxRuNZKfQagfNxdVxTEyQP1ZhnR6jHy2gjBQ0RD,iv:G6iOBCHOqlvfEENY/ega/TUm81wgT2OOdZKZ6bPfg9o=,tag:p8AMa3bGsIl0hWQ09lSzgA==,type:str]
-        #ENC[AES256_GCM,data:+s3MMeNU5Q==,iv:CUrg+nNxCpJFbHQmMNXmSE+JcZK6Dfu8cGwtznx3CFY=,tag:G5CYMtao+hz3hs0fPVPmcw==,type:comment]
-        user11: ENC[AES256_GCM,data:BIZ2zRgGv5/9AexiZZvu+m4A62YUWtAkjWWMu89GteqpWMBq,iv:13IJcDf18LjoxJk7uoKnuFZT6Ihxrxsy7DBaAaiFqus=,tag:RN7wj+uPneCkqNlMRyYrXw==,type:str]
+        user10: ENC[AES256_GCM,data:Pec0CVGia/ZIaq7WerZlr0/waJ/Ev1OKwt7V3PBxBSFMLi7p,iv:wYTdhv4Xoe58KBIwV1vk/V4IcdVzQrBgmzGaRD7qHQs=,tag:IZVt5LmjTUge8XntujJlTA==,type:str]
         #ENC[AES256_GCM,data:spyQkQIHwg==,iv:7+0DUK95MPH7lpr+GMbbLu4/5yA11/4gTuLhQKlStfE=,tag:G/gIXML8UhYoCi9FfoTvSA==,type:comment]
-        user12: ENC[AES256_GCM,data:FAF9lXOzXW9CrZgnQ1a2+E8snZj2+JHqP5Gny92k09o/Wzga,iv:/qZuAtFmUQE7A9lMzJUoCvGx+3Sv9Ioh2ahch3puaC4=,tag:urwbLwGkSX3e85NCjyPhhg==,type:str]
+        user12: ENC[AES256_GCM,data:iTZViWyKkCU1y6mvB0NzkXf3I98U/+nCs21ZD6M285YKaU6q,iv:vFgA3sv/7ENcw3gyJLiiHLwroXtVJjAxZXViqjXF3mQ=,tag:u3b9Uu6TIPPYX0TW5X5Sjg==,type:str]
         #ENC[AES256_GCM,data:HueqiREBet2bxQ==,iv:WCjTAGg2gXgBSvY3zc/YyB/1X0XjvphPduVXLsjOwH8=,tag:wC+On6lyyYQ1Dt/BHDvONw==,type:comment]
-        user13: ENC[AES256_GCM,data:ExbnvWDIBqga5+k2mpoT8AKBOXAvUNMjBTPXUKrmtWzz4l+L,iv:UI7CvSx2FHYGf6BEHS4e3iwHZZWkl2Zt5xg2WdKbLvY=,tag:ad0c7YW2Bxo+Dn+BoSZ0Ng==,type:str]
-        #ENC[AES256_GCM,data:R8lN5T0=,iv:FXLf8Vtjg+PkwNhxXWDViMKqwn7tFMaPhio9zhnudZw=,tag:34gxRH+P9lmkUxlOPKcYMg==,type:comment]
-        user14: ENC[AES256_GCM,data:dgNPPlJD5JOFPbKhlvlRHBLmUNKeDm/JAiawUVpBE7H07Box,iv:w+t9BkqYvlxVKr+x0MwtBz0/YSR/7z1OnZLIoPdW4gc=,tag:CR3GLbaO0jSQgA2HuwzRqg==,type:str]
-        #ENC[AES256_GCM,data:X80nhW5a/JQ1IQ==,iv:2UTsNLLDr4uBAEcPyvmep1fqH43JLUiHc/zqQWChfDk=,tag:DJEArs1nVnlcJgqM2uy17A==,type:comment]
-        user15: ENC[AES256_GCM,data:6AskiMLLl0HV6tm2rYpV46XW0jePQy+wme2oi3M7He7WsgVM,iv:lGfnFn69Vnjv5J3rp5sRazD5/B+8Nk8MNG7HIyf4HKA=,tag:Vbg82tdn3noOfhKVVx0Phg==,type:str]
+        user13: ENC[AES256_GCM,data:ID/A7yCWQIWRoU7Emhel2ASZfTweqXYmpC5q6Fm6ptD0XfCu,iv:YrFjIilO4pH+QxVVDTqwkufj2VSC38y9lAJfD8w522I=,tag:1v/T7vWeh0LMi0OL0FVs9g==,type:str]
         #ENC[AES256_GCM,data:4jJkbMD9Psxrag==,iv:arRtRaNrqnYcT7vE3wqgl/y8/65ORaxqTdGw55AKDP8=,tag:pRpta6mXfy0XCyzMA4+cEQ==,type:comment]
-        user16: ENC[AES256_GCM,data:fo6KJXlPDn7+FmxjEJQo9d79rDYemLFx6LanYZcJpKJR7Gxq,iv:yEUKPNZ9idrSqyVO9fhksP/7bjPMT/LzNK2VSq503/c=,tag:M87D44SIo9JzDB3ZyKu7fA==,type:str]
+        user16: ENC[AES256_GCM,data:esInSvj+a90TAl+b/n9m2iJsH7e6tlQRwSsoLBCy8KA9a0Z3,iv:U4c0pZzqS1s5H6XW3YRSCvDhtxnwCnyKR/tObefX2Rw=,tag:YtY/t4xsmZaj4lC39XQ5SA==,type:str]
         #ENC[AES256_GCM,data:/Kec+CdtnT11EA==,iv:DnmbWfgriaE6XAnMqq2UXhHhN+Rd/3YRodKVUCJo6p4=,tag:NimqZpbslKxwzoljaZqEdw==,type:comment]
-        user17: ENC[AES256_GCM,data:gQInIcNFxJuCSsMDGq4yTp5JdMMmJRy1tY3PGLoLuuIXWV0a,iv:ya4n9Z7T9/bxeHqi5QqwJprEzDMsT6X0BuEXRS67wWk=,tag:RcjQfAHv8uc3PgN5c4bySA==,type:str]
+        user17: ENC[AES256_GCM,data:6h343SreoMqz5ZHkdyDI/je4v10r5zBV7cWc6Pj4x5sI2cvE,iv:7WSikMxAZJUnv3+GPq40d8r9JkKRRH/SPW5F5fy5HHY=,tag:6h5Z7+WXT/dLNeEIrC0UGw==,type:str]
         #ENC[AES256_GCM,data:h7E4P6BiGjktYg==,iv:DhkK3NNppBqo3sXt9U7kbgfaBPYcSEX2hu6VOAesDiE=,tag:XoVbZklwCmU1EBhv0ujcSw==,type:comment]
-        user18: ENC[AES256_GCM,data:dssxPEv8srXydunolaaDAYYo+BOXhp2PoqidOWH3z6NYBpyB,iv:WCLcMMwQJiHZBwreQpaOZp2saXvjBwgYUqSf7HQhMgA=,tag:5jsAVcgAgO+7JhBINz6tzQ==,type:str]
+        user18: ENC[AES256_GCM,data:HJj0e6EHXEYmDXlZcS8UlfEQo/4y47w3sYKgb2Ojq6E4vMdE,iv:xThlGl/DDLLgoY5VkBSCx9HIvxy2ZlO5Q987vIMu0lA=,tag:gB07jP6Do4/6RmVaLB3Ecg==,type:str]
         #ENC[AES256_GCM,data:qGsMmWrUIzVdHw==,iv:DXayEA5zquwOzm+TqECYNHM98r0WSzcP3gA8zkzdPy4=,tag:OKTx12RqP9VxJQOnrBLkmw==,type:comment]
-        user19: ENC[AES256_GCM,data:+Mh15DR9xvFAwks86iuHEA9FpObKWTSuVOEzUDpBUS/h0hOz,iv:zYIkic2bibvwCBpomnJ9465mda1rbm3RERBZY9twXuc=,tag:bwdL6DAGgkGYhYFI2C4A+A==,type:str]
+        user19: ENC[AES256_GCM,data:unW8dOhNbPNLWd7X2prpD82tcqUua7msq8nX3ykFs8STsuto,iv:OLaZ9XQDFGaA1VENgsSn/3HQXp957Zf9MD9GPZ4KLE8=,tag:UK27LK+De3AzbI2mEIsQpw==,type:str]
         #ENC[AES256_GCM,data:1g2gohLbiixMes8=,iv:E3HA6cAdv3BdLMcrrcWW4Zsc2KLtW7L8Xrk9Z57l49o=,tag:rZ7W9ckf7lzJ23u5zwQiwg==,type:comment]
         user20: ENC[AES256_GCM,data:3UbVnn9oMRc0zZR46tWxwM9VFOvMOYm690csUomEVBcS3xPm,iv:KHuPXttLAFr7WT/qa/UYLY8GRsPWYZPyKNmdUh4iFQQ=,tag:jN8rQ0Gv+qnhwOWGH+CwlA==,type:str]
         #ENC[AES256_GCM,data:GzxXsTbEvdHV7A0=,iv:uxUG4hnYEsmJtnqbEwamwhtLt3UClt7ktmkGyAFdxsc=,tag:sF8YQ2cejAezI3Bbp9qKIw==,type:comment]
         user21: ENC[AES256_GCM,data:hgDJ11crZaWcKrc+ZDQklXwpnvt/sMbARkx3sLZfQGZqQZeA,iv:2Re+hdJuT5yg/qTymfpN+KdU3criOmwuqqg+SHb8iAo=,tag:s16N6u5cRDaoWxnrCkamuw==,type:str]
         #ENC[AES256_GCM,data:U0CcBBJraJj9,iv:9kuHsHkSDdDT0Gi/3Oy608RArrg+4cgeii5zWbsGuPA=,tag:EvqqMNvNcWBwie28t0+52w==,type:comment]
-        user22: ENC[AES256_GCM,data:G+Ls2+bbcP4RmeYhPF44STdbqNiw0UZVxac6GQXJUyCehgjm,iv:vXbwtGWgBINUauS4rsDj+4yoropzZ4IHOZxF9/jLPTY=,tag:SN1BZbQTOfcAF6krXEXtjA==,type:str]
+        user22: ENC[AES256_GCM,data:LClSrxtBzuJUD4J4QaYXHUr8XSi+N7Zh193j/YeBZRm9sjgf,iv:djiq3+iVnuKK2HveoCm/j8FezzrHRGnjbyoO6iGm6eA=,tag:N5hqYyvJGxnwT8wbxdnjiA==,type:str]
     private-key: ENC[AES256_GCM,data:ts/LRGFAsYqvGvkvlxUI42IW1a8cGsSkpZhMDd3QVceRKvhPb1SRDaXoSw==,iv:6xX9xFIFUNlLBZ6CPBOz9JbHpvC4+QG9ZaCZcWdl12c=,tag:DYIa+QTV8vyl1l7OKKykTw==,type:str]
 send:
     redis-password: ENC[AES256_GCM,data:6zVKw9AmKwSWvHUZhzy0F2KcJW96uFoZY/N1Zq8ilUJOLZeX,iv:viwLIgJz9v8oadr8784OgETbEsxzGsJvVoxmOwWEFxo=,tag:XEYFnoCGwlnrkqaUbgeH+Q==,type:str]
 coturn:
     auth-secret: ENC[AES256_GCM,data:50KqO4GQ1ERbCnK4IjYu6aywT+IPMtVlTzh/TE4MwWApU4pO9yqz25ENGUAKRLi4p+Ecug+Rn3InRl1b+q6bAQ==,iv:SgHkHvHg/+yA1Z5E9effgCnZMVXv5amGNUsVKErai54=,tag:PoYLV9Xr0IXXsA39n7wiTQ==,type:str]
 wireguard: ENC[AES256_GCM,data:5M7EAy/6+2UASWkjxE0Jrxwl0aNdAVZaUjQnD1wU3YvOAQ/c2DSL8hVtKf8=,iv:a2tXFf1+aP0JhdNtzP8e82KJ71m2o8nx+G0wIx4VMig=,tag:l4TS4QBz2fIkC9/GnZgHnQ==,type:str]
+xray-xmu-client:
+    cookie: ENC[AES256_GCM,data:RZ2WFnsX7s/PVqA7ZKhGqw==,iv:CknFoAcHIiIwJI1IEXkFdWXcOCAZr50pfwmQN72OI8o=,tag:w2pNU1APxlSQsGMIEdE2OA==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
     age:
         - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
           enc: |
@@ -78,8 +66,7 @@ sops:
             ZXFTU3ZCaW1pTVh0RUJzdDdGdHlPYTgK2mlgcX2kEc8+2UDdBnhUm6IIuh8V6agW
             ooxH9OEPXUVI/4JcDo4v8ZUhAyU1ehLH0Ef7PJCChOZe2KZmWSNbhA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-04-16T14:15:31Z"
-    mac: ENC[AES256_GCM,data:XOG+e115arZG1uvFoLxCfAqr2pLI2ndS6bZKRyQlWaJK0Gti8RpQt1jVZ+Q3y5Ga8tpAvd7k5MYgRL0/H400ENCleM3vsh5s3VXjlSSxq4mfdkwhUH2E0t8OQyf8VXvs0SXZKhTOljETPu1pggB6iFUfEZ5e0kKRLRYWI4Tt94Y=,iv:mt60iMiKTcQP4b/f684j2IyFSWYzmq3XGK19CfZB53c=,tag:NyhQ0Lptv2E4jHuYAxcelA==,type:str]
-    pgp: []
+    lastmodified: "2025-08-01T05:54:47Z"
+    mac: ENC[AES256_GCM,data:OtHwr58A1UOfYxQR88ay76fWmAyWPl5YtNbAiv0LXPLZPRtLGBJKuTjMaHr17AMepFZ+u5IPV2r8z1AUDj0opLXlv3Ik/DJ2PCcQTOBH+/lnSgzJKWfdCip9/wFR6N3dT0PKKLuBiURB9ZCYmtnq6E5+Guadc6ATYDSEpwbENZQ=,iv:kXsYMGjAtUlv1UqFU8Xv0zagohnpHkzSI72mq5HKY7k=,tag:KR+1A8l2VvbzDZV/00hbJg==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.9.2
+    version: 3.10.2

devices/vps7/default.nix

@@ -1,59 +0,0 @@
-inputs:
-{
-  config =
-  {
-    nixos =
-    {
-      system =
-      {
-        fileSystems =
-        {
-          mount =
-          {
-            btrfs =
-            {
-              "/dev/disk/by-uuid/e36287f7-7321-45fa-ba1e-d126717a65f0"."/boot" = "/boot";
-              "/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
-            };
-          };
-          swap = [ "/nix/swap/swap" ];
-          rollingRootfs = {};
-        };
-        grub.installDevice = "/dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:0";
-        nixpkgs.march = "znver2";
-        nix.substituters = [ "https://nix-store.chn.moe?priority=100" ];
-        initrd.sshd = {};
-        networking = {};
-      };
-      services =
-      {
-        sshd = {};
-        rsshub = {};
-        misskey.instances =
-          { misskey.hostname = "xn--s8w913fdga.chn.moe"; misskey-old = { port = 9727; redis.port = 3546; }; };
-        synapse.instances =
-        {
-          synapse.matrixHostname = "synapse.chn.moe";
-          matrix = { port = 8009; redisPort = 6380; };
-        };
-        vaultwarden.enable = true;
-        beesd."/".hashTableSizeMB = 128;
-        photoprism.enable = true;
-        nextcloud = {};
-        freshrss.enable = true;
-        send = {};
-        huginn = {};
-        fz-new-order = {};
-        httpapi.enable = true;
-        gitea = { enable = true; ssh = {}; };
-        grafana = {};
-        fail2ban = {};
-        xray.server.serverName = "xserver.vps7.chn.moe";
-        docker = {};
-        peertube = {};
-        nginx.applications.webdav.instances."webdav.chn.moe" = {};
-        open-webui.ollamaHost = "192.168.83.3";
-      };
-    };
-  };
-}

devices/vps7/secrets.yaml

@@ -1,133 +0,0 @@
-nginx:
-    detectAuth:
-        chn: ENC[AES256_GCM,data:Gk0TTbnFcsvIgoDcen6B8w==,iv:kvyvygw9zDwaiTQ2vPFTHQex0EWDFg8M8U22AConQFM=,tag:ewAZ/nXxmTOhDAjW/A2OnA==,type:str]
-        led: ENC[AES256_GCM,data:Vb2p9v7U,iv:xJcKgvbc0KAP31uTpFiYlpvPoEHMWH3VkEqqyINKcyk=,tag:X2R+CHFj4N4i7cAK88IoSA==,type:str]
-redis:
-    rsshub: ENC[AES256_GCM,data:uPnZIjbnRRoWIHlWkZNZkMpIb3Ujnnpb+AisVSVGFv4sfDAuDlAjt39pRdnWkCXJPqtXjJzQ+FeT34cqxTf8Bg==,iv:/jcyAHkxByFnbkmCAYQwda2QRmhW7L/ICoLuCgsVLCI=,tag:M5Q+dh/Bn7FiNpqQGYus4Q==,type:str]
-    misskey-misskey: ENC[AES256_GCM,data:OHjt9o+m++NT5aaFbwBT/wSMdUdgf4zscd/JxjCo5HDhC3WeWMJV7z//kATI5Dg4BWAhvPlL02Vrly4RraIzLw==,iv:sQB4/D2SsOuDR3bTrmlNg7o+6ehFznDsqVc3BX9pK20=,tag:tcwTBt/JhyW8ZTAIWIkWBA==,type:str]
-    misskey-misskey-old: ENC[AES256_GCM,data:amUqMycdXUFvjg66pXKnlZqiESBYMci0k8iYzj824SaEqHl3Nq/I0TjYX++xEUg+RGYyTIcSaj96HUANTKpc1A==,iv:ND1mQLHxltRlOdpJ80ywheGo6hkl7OgRyk9TguJMuTw=,tag:dhCCwnCOnyT2iXdEMK0szg==,type:str]
-    nextcloud: ENC[AES256_GCM,data:jwN/CqwkU/5Rd6w75/bV2Yej9b0CoxZaiJEcZXFx+9XUPY3Xg1tQdEr1SALG8xzOEdoL6WBVs14NvrrL25GeTQ==,iv:p5+0AB52QqScJwMhNIrM/7HAcRPdD9Z8xV6uwIDOwIg=,tag:f1XbNDDRXvGl/dkV9Wp2Ug==,type:str]
-    send: ENC[AES256_GCM,data:IGxj3cgp+fQBdupfK+IgPEQSPuXdM9LRSLGSATNIkzUWC6sQw1aaKTDuRc8cU2BG6quthRwuWnK/F7k3KrUi8Q==,iv:LI9MkaF4e47FPUyL7AXZpO+CdgF91ScdiqjrE8PZjJ4=,tag:eNugln5M0AhU1xmVWFN7Aw==,type:str]
-    synapse-synapse: ENC[AES256_GCM,data:8CVbcN2FG4mRT4PnlOGsS7tDfS+6ojIJFvq2EwItxn1gg2Ghd/Bmx+5tS/Do2FrYp/Xiv1EqucomM50r5bXnmg==,iv:TT7zBKQ4M10XYVCn5aeSu9IqjrIEHHazPUCOTmgRAU0=,tag:0+Q9hZMBVDj1TnHj3xoTBA==,type:str]
-    synapse-matrix: ENC[AES256_GCM,data:eJ9GXDVLPg1C+Zjpj3NnWUyZxDbOZ61f+gs/bkZgdWjeu61MEMtU/Hh+p/ceAn3y0aPi0ZTcd+zSgIPIkcj+qg==,iv:uTdS4uguNJErc+DDW4H6dsRFkqlkHtaCfR8LR/d9nvY=,tag:UhY9xbe1r7FUpyid2nSt5Q==,type:str]
-    peertube: ENC[AES256_GCM,data:cN+cClNV1JD+Z1Wlp07MY7BmLr/EZYZZt04mxKKKN8RG1ZSMGykbc3hd00E14ubhCittJXSPbIWyO63lCGGEPg==,iv:3z1BR0j26LGfXwDDPYU/i8Qx/7529KKoar+xGZanirI=,tag:g/NSGDE1iEYJ1MStrV3rpg==,type:str]
-postgresql:
-    misskey_misskey: ENC[AES256_GCM,data:lRbSz7bbiWEdK/cRD41fLvFJF4WYsclKHVykFcU3LIz9vnKlR3VdczzznVqpT7JvG6OUi+TmipJii+0KzXHtdA==,iv:8sBKgVwuDJdThup0KQ6cnAV5O2liwVra1yIpDHVfpMI=,tag:DyUpaHai8ZUyllvZBUm8sg==,type:str]
-    misskey_misskey_old: ENC[AES256_GCM,data:Wwtd+hKI0s7m3PbEPHbnSyTsCkW0x8SYHUiCYuNSNCG8i4RAmiAbONNFfWN2hXnmTmRK79Tx/3GR+L0KMzmNGQ==,iv:BekTELToPQXUdZHyNtkuqKyZeez+moI6k907P7NhA3Q=,tag:A5YB0WIa1RkDCtzeBhiuyA==,type:str]
-    synapse_synapse: ENC[AES256_GCM,data:lzaggyuXM1XwsRxFHslsP89r8wEcgi6LNfbcm+pFWj6WLO8y8WaQIdOkiF3D2ToKDwcw5XgSGSt/VAk6lv+GeA==,iv:8WOL3jze797Wz9kSRq7YpY8OS1TBMqHYhfgZlluJlic=,tag:utNhs1AMbGthp6M2c0x67g==,type:str]
-    vaultwarden: ENC[AES256_GCM,data:Uz8GJMaLUTQ9pQbZyZLWS4bL5wmt9RvbAwNctAIDt9JrV3FaXxgKjE0MJSGklS55yj/Z/wbO6RCuCK2AWR2VKw==,iv:7hA8YcB88M1qCV8EhFYpHbfPmAZ/7xNqvTMJYZ/UcAY=,tag:mkDHJYmRoYZ/Ct0UmOp9FA==,type:str]
-    nextcloud: ENC[AES256_GCM,data:5UpYSMsZgUgEJHg0ou9Z1RTE+YFFUKuXwPtc6L5XxD4GNo8Gd3CvcQSNGAol+5DtyPKF3q1+ZgtScWGrqU1RyA==,iv:Zfm+Oa4eON8WiJzYUkMFawafDwo9pOnOpWkwHYLIKkk=,tag:4ECMla1dFfCrn7lILwWFNA==,type:str]
-    gitea: ENC[AES256_GCM,data:EAuFPlUFvtARh4wbevoIUwZ886nS+3O9Jy7q/SkaTDx7PkQKGhZcPPxY45AG0QQrjSaI3cGLzDBMutFMXP0BMA==,iv:0cLOsopAfyMLHJDowyZirVR5nqLrjSLHYtnPC8GXReE=,tag:BwG5UibGLS16rwJbH/0ZyQ==,type:str]
-    grafana: ENC[AES256_GCM,data:ZLtDIZ3oKasE4r1WNllNe/rkXxqRS+QAJI7EGPKhiFF1BtAxD46UpGQnUag3yg0gP/8+3COQs6camVSxcKFL1A==,iv:wMj3keVjNpVwNMwlt4E3ds1EYjLNIZ/S3RydhOlmYWU=,tag:ZRn7NWaUPbf2rHYLoLYw+w==,type:str]
-    synapse_matrix: ENC[AES256_GCM,data:5j+TYJ3vYUqu6CdRDYAT558DsTWbX4Rh+HuukPog5HGXlhneL3RnxVeGBR9CV1rlCP1NY99Nm8roBG+BcyPYHQ==,iv:CboB6lzqxAE/8ZlzaTU3bxw94N6OAhrq8pZ0AfxQiUc=,tag:z6cM3ufgbMn5n5PzgqdRjw==,type:str]
-    peertube: ENC[AES256_GCM,data:dLzOez3dTy0NqHED1Oc43Ox2AFuH196kxwOSuR6RejUw3iJuzEQCdmA/i+70zHoveAYBdPCGpM8cz0y2M+usjw==,iv:KxDqmbNBkJ6Nw0M3060L9ESDf2qAur7umlejcDyRmwA=,tag:RScP7Cny8b1Z1/REpk+daA==,type:str]
-rsshub:
-    pixiv-refreshtoken: ENC[AES256_GCM,data:EeSOTSAAh+1Dc8+a/AaPJ0aBK5DTa3pdS6DrIMQmRw/n0SRu2QoynIF76w==,iv:dnZxi8jM1I4w3C2duYielpP/8wOAdHDjcqDIrowM0dM=,tag:8irGvLEbRJHV9TB8Jibs9g==,type:str]
-    youtube-key: ENC[AES256_GCM,data:OEm/ynOUPUq7ZEVzL2jgs9d+utkLTIdNq0MHE0JDujb9ndAwyJJI,iv:RRae6Cg6GdDnXAQOdtBYmcA7ZNuu70VpIg2MEezBn5k=,tag:gX4ZG345cT3Jh3ovUxtLGw==,type:str]
-    youtube-client-id: ENC[AES256_GCM,data:dPo4+HsfXHdxrgF9F0qJmOGcSHDCn2KIkHx3ZYZU94iv8ImiPI9dTRfoz0zq8UIN7rwIKidQu9GxCRrg9aXk34pc35SXzEh8JQ==,iv:ROVHb0QjVsNae9eJevG6qc5dc4gkrGt+Y7S2QYrzmQ4=,tag:Advoh75OKPC7CnIeL4GFbA==,type:str]
-    youtube-client-secret: ENC[AES256_GCM,data:c/ALpo/4qJdccMgYiSLg9ZgG7ddaMYxHwJYZ/ogJN2ED21k=,iv:CkrIq+Vpuq28CsRNwdKRLnBq6L8NF37y4xhhnmHQHqQ=,tag:SKtHpm/QZWnGViDtSKlUUQ==,type:str]
-    youtube-refresh-token: ENC[AES256_GCM,data:pnXQ1euCdix2H7IxudmUUcpxc2OUhciKT8OcGV89c/EpoXHgx1+eLxwY5rRszroWwjge9M001RGHngvD/ny3phfWAwYmIzMJxun2f7JCPe7ybMesWmPSkiqVBss1Zfic1uB8mNM/yw==,iv:8p8/vATY8F3YuGA1TtjekiuaKOMnQyTMjrwDBJaK4VU=,tag:/jVg9FDOuLMNrupgrywpBQ==,type:str]
-    twitter-auth-token: ENC[AES256_GCM,data:65SbHggbYtfSfaaxJxRgD6+HpOX4vIfjnVZmOAZ9illPMYOu9MIchQ==,iv:49UuC8n6AGj1skuHzQX39Q/QuKlB9IxogIfiiy1GBnw=,tag:Rq6b0H9UFVZ19tU8ZeelRg==,type:str]
-    bilibili-cookie: ENC[AES256_GCM,data:58nO7ADu2oH/OgLJNYrEEzhf1J0zt8EpuygnSANkGXJju5oSmtM7WLnaMEjC96q14OTTA9QLiFVsbxiFY1eUnraA5W7g7+6CYRXVRZaxz91D/dhKzHGTMjB/LynnNqEIc6liONlcHbyjZNQ+WIqPtjVpCKMN7Mi8cv81/cFX/1GqAwncgDD2oXh1hMPOVY4dYcGKuOG0GjlY6RgOgTPqU3HawQjnoWQjPF+lq2rnWD5HP9ZTxOYa7hm2GgPrxkq1fkRrq+kKYeDh+6M7VLDcm5Fpf+biq6F8fZWzmw4NlVZT9BG0vJFa,iv:vxYXg9Yg9qIWFQXtwTYa4Ds0KSxZYg3M6xdtXKbdaig=,tag:TzCPehk9w+BL4wwgDc1CPg==,type:str]
-    zhihu-cookies: ENC[AES256_GCM,data:DgpvRB7IuRe1KuPFqhCbtyFrC02AUlaA9UWS+d8ix0nweItXwZrkqC03lXQY7nJr54H3SfKXNhtUp4nJmV2hqNQOqekrXVsKrG++UmcAr5Ciw1lTmilqM220igJ9YwiHxtsZrWgp4sTPlTTQIFu5xrGnvlSntBjXAjzStTk1R4XRmLV427QuKbNNQ5MjPXS1PYrtN0d4/qXLx74pNd9ZsNd9F4V0E75Zt6vKE8F7aA==,iv:5Lu/HD8Iw655pg84eFs2eEQS68QqA99uMBHlgelZvrI=,tag:Pnd7VWIAgNt+1vo+vyWDpQ==,type:str]
-mail:
-    bot: ENC[AES256_GCM,data:j4Y5oYeVt0sd2z2Qwuqisw==,iv:wasQCTqEMAyttbn1zm9oKck6QiByom+F7ZIMDUse9Gc=,tag:92O4ka6f0I9qnlnVy2dltA==,type:str]
-synapse:
-    synapse:
-        coturn: ENC[AES256_GCM,data:9MDq0eXLHjJ8Cd2d1iogS1lnjI0A2+0ZK8OtLKRLqT16BVzQQJyhbkAYwkn1+9ppfrazsHFGrk7DVsA7PWjdmA==,iv:SOjwZIyzkMK9Q1fGkmBSr6nSIarNe/WeD91GPJRuZjg=,tag:1GljmXdK80NKTPSg6xJz0A==,type:str]
-        registration: ENC[AES256_GCM,data:MmRJ3el59XaTwFImuCsiAm2zXeGhgvyUyw9AIv7FvxR4N3YWnHKALcQJtG52N4bmLXU=,iv:vm2R7XGzGET0eTcD2trl3xD2I09NzYmx5NPIY4KK4xM=,tag:exm8/ehPufeqtp6j61ap0Q==,type:str]
-        macaroon: ENC[AES256_GCM,data:2/8GuF/a+ocVtLN0PU17JDvXw/RoXX/CXFHPlI9THl5bY8lBm6tEawijnOKVoFLovfU=,iv:GPAr3ZjqLf9ixevsZoQgs4cPkv0VL4WJoFfQZOdThlw=,tag:HRt/igDEfUJ3K39mG7b9Fg==,type:str]
-        form: ENC[AES256_GCM,data:Z9cYL9ibRWmOhAYtB269n0cWZSvL4zGgc03ZRag0m8cz2j0god/Fn/w6kx3cyGK1C70=,iv:Yst6WSV63IvbMF5nnicIoBj77eSwVMnAHtHrKo2UcDk=,tag:4qf6F2rdctcCf4J9vECvYg==,type:str]
-        signing-key: ENC[AES256_GCM,data:BbPJiNcVTqMAL2XG3K3CIbsb8EM4r8ct/WxPK10FHRwAnqChKy3CAviYU9gewO/tNZXHvUYUAUbPww==,iv:IZB/40EE3DIxAqagdH/a4kcSmiec5l24XLCQKCQNaRo=,tag:/1t0WAPBYmYrPTx4V4wgkw==,type:str]
-    matrix:
-        coturn: ENC[AES256_GCM,data:MwZKkYMefshuk46Cne4wn9ooFH8RCDbrxp+MbLJWli9iPHuzJJzUuQNU9EDL0aNbzyYEMt/7DErw42z6KrpGww==,iv:u/SVVTgfJO2FakiYU+uLHXjA4tHU/W6ASsR3S31+pWs=,tag:VTeKNOKwm2bsiZAOVXeBOQ==,type:str]
-        registration: ENC[AES256_GCM,data:+pA61vTg12lYUyXjLrHSY7y/ExfTQffLlGUI4HBOSFFPTck7bu68FrCaHOIBTtEMfjU=,iv:Ex/phkBZxglG8HiRz+m7h2HNanpq2Pxwbm08vdM3xFc=,tag:mM3YEa70FnCeYIUthK4TeA==,type:str]
-        macaroon: ENC[AES256_GCM,data:/+RaayKiPPpVV7OWWdaSkSSRHMjb8d58lZcpvltN9cYkN1btvMViEgdLSlfqzRRlPUE=,iv:pg9GXgNsrVWKlUAiCKZ2pYXugRH6MsBIMpHKoYWYLik=,tag:/mj5Ak7XAX/FH7sNPEVALw==,type:str]
-        form: ENC[AES256_GCM,data:7HF7HMUH1BTJgXXP6cpUiVj0jCwGW57bx9wKTJu7PnRsNuAam/+nKX7Zfg7WD+gSBlA=,iv:SYeUsuFVgAA6U6STCtKT5c5E8Kglh3x7hy6+Op4n0W8=,tag:eICmHTwwn0KcgNhdDGnusA==,type:str]
-        signing-key: ENC[AES256_GCM,data:hzxxDbGp1L09O7+ueUSa5lJOY/QvF2zvHdpueEHjaPQEToQt9mr2loeTQHC7ObTegfLb9UHrI1jn4A==,iv:KngfahwYZZmDQ5LeOUPWptTMGAC8TZm1G0FWcrwCwsw=,tag:U9pW6/boBIpiswn67Ezrfw==,type:str]
-vaultwarden:
-    #ENC[AES256_GCM,data:yFDD8GHjZWHN/Yh53DseevKAhDVwrHX60e8sGZnF4BUsUuPA/4S2PRzj7CtlpFzUH3kb0i+HkLKRvbchg93U3as=,iv:JGG7daEKs0oMKTNVi9GS7PrXn/8rFtVkHknACsEQR+g=,tag:RSN6fojLsI4dcuPu2eTiWA==,type:comment]
-    admin_token: ENC[AES256_GCM,data:OpjREmxJSRj+aGVoP8KKRE7ClNqRtaV8va4WLVmpl1AO6D0q/GapJvhORHQb5s5ZjIAgvWTz1w+fh050Q9sPwRsNUke3FIcyeNy7k0PHgnnVIdxnU1Vn9KMz/SovjQ0/qEQ7tArvW/EXtKfwnP9lsz9m94VBvA==,iv:9AvDqMa2PeQOSrP2th3YBgA2RxPl3oKZTyUzi/yjRTM=,tag:HYFTQDgWvBsHQk8IZxWkfw==,type:str]
-mariadb:
-    photoprism: ENC[AES256_GCM,data:TF1SZVFnvzyE+7vrHYYUS4Juqhbiw9QcJx7p3Xj88xyBFcTqS1YjzAKs/9GQ1PuzdBrt6hXm/XtJILHiuktnSg==,iv:sd9sQEuIePL6LzUYbFtmdecJ57sMrkF0coalBf8KFqQ=,tag:P/knaKYTJ+aXu4l6IixISA==,type:str]
-    freshrss: ENC[AES256_GCM,data:ydqCbj3UbsLC1e++p5ixb5Kpmk2BsYd0urcfw8T51Is5N1/gQ7P0zgR33AOteAxw2oj85WQZhxu3eAN7BCXV5A==,iv:1oiMo1wwFNXiTZLsf4UPZSJfKFIWLI3h947TC06CVy4=,tag:Otq1oeKBnWXhqNilfsywPQ==,type:str]
-    huginn: ENC[AES256_GCM,data:1Tdg1WDwGgFSXdChgif8knWS24BIFYnmaiSjJXxs5uj/v/5fJ1alb4K4XHW/kFRjQbuAOFfJiJ9ogJ1KAyk17A==,iv:qLMaQpVaKrjP7g2lWzhaNLghxwiV4YJmyYY1hrpu5I8=,tag:566JCENvOxgwD7tM3aQBiw==,type:str]
-photoprism:
-    adminPassword: ENC[AES256_GCM,data:gB81joOfS8h05BNy2YmD/N0cpLPa/vAduDcQBeHiY/WkcnvqSXnXsOfnvbP74KQfoP4W35oFkfyGVPUBSB83tg==,iv:AkN2NoqMXVHQA9fHTTR7xbEapEqy/D61mHn7O23hyYk=,tag:WV+siDA3VnRkOYnP4Z9Qhw==,type:str]
-nextcloud:
-    admin: ENC[AES256_GCM,data:1rglLrLtRf3yXQwfHDMZLewk8ueIbMFOC+1mtoAyLKnDmcQAoEQZ1vHw/hpKkFXJQ+QyX3sP8eUjRXuBEIVl3A==,iv:lfEGPEw9ybSdOYLDdaGCLXKgCvgRxn3k9eIy2DJHDYU=,tag:j4qRexbEAgK5HAGhr/wxfA==,type:str]
-freshrss:
-    chn: ENC[AES256_GCM,data:XGcgfuRozJ/xowtmFPSW,iv:yZ9LTuVE8dGyrtE3vxLA2jLErvmt67XC0jefl1njiOM=,tag:J5d+oGFWhfXEFwVOnsJ2iA==,type:str]
-huginn:
-    invitationCode: ENC[AES256_GCM,data:+m2AabRzUiCFy3MAKTB8d1IE05WHTcmZ,iv:ccdIPHl9N+bvPR/QCwZUwZOfWTeW6gWhhBjOpL85JRg=,tag:Ir2085K04XUGkAuoCG+7VQ==,type:str]
-fz-new-order:
-    token: ENC[AES256_GCM,data:qhwWRflJbW1QMOhiPfbTIrEdQJyVtfZ1QycCgstdKD1Nh40=,iv:GvZ8MJig64l34jkvuJbMMjyNaPT5yz0/pFCc6KEPTvA=,tag:cMXo/6F9thl8k2iAhT507Q==,type:str]
-    uids:
-        #ENC[AES256_GCM,data:O3DOE3jFCg==,iv:9shUoHCLXsJPKHELlyWdreouEcyOqhsfVI2KaqwC4CU=,tag:tYKVv+/DuesSijZwWGdrig==,type:comment]
-        user0: ENC[AES256_GCM,data:2sieulGmi7mCYrJH24djrrmHArrFbOHZ9wUuKvY4f2k=,iv:lb5ODFOeQQ+D9HZnMw48n/DGRB7L51U4frBVcPx1mvk=,tag:MwZua6u+G478uGOwtGu4fQ==,type:str]
-        #ENC[AES256_GCM,data:yeA9zF8Tug==,iv:VZuWLZnt1RBmkBWudKVvgJkYfqxIj/umEHVCfR6IG3k=,tag:1kj7HyjVT59n05VYJ1uP+w==,type:comment]
-        user1: ENC[AES256_GCM,data:Aw0ydspmf+PXKU27Pdzn4q/nY4sxXCADL1WGB7vm3eo=,iv:uTmVvGlW1HfdvoNbupSw3GyShsWTGVCoNrvVJ5BPUy0=,tag:k9KIoCWM6bSprwR8dmN+Hg==,type:str]
-        #ENC[AES256_GCM,data:4G7DyLVVgQ==,iv:Ht/exln1QtL2BxjCaOTIXHRPDiSFYP4zIa7VaeMCuhE=,tag:btVLXf+WS/YgzRFbVFoAfQ==,type:comment]
-        user2: ENC[AES256_GCM,data:P5gmhaQ+VOWVOjTrsx34zUS8dsqIkzCwOImIE8TIfUc=,iv:IoJIUcNJmaBTyr0Ut6R7BN/UqyK8p4HtiwbXUl171pE=,tag:k99PGSL1cEALTmFVWH1uSg==,type:str]
-        #ENC[AES256_GCM,data:TGrZBuCRgQ==,iv:9IOJ3Bkw9udS/y93TTtZ9o79aDq3Bb+DMEogJG77iqA=,tag:S/XcPX1f89IyfZnMoR9s/A==,type:comment]
-        user3: ENC[AES256_GCM,data:cAzf2X20rtQYyz1rLK6b4jo8utuUOdUHVYfCWdfPTDY=,iv:L5cg7aNdfnLTH2dKl4bWCqaujJ9tIvBJrJIoDIaBLwk=,tag:9Al6Wig4lz1my6hgozSsIA==,type:str]
-        #ENC[AES256_GCM,data:b4iJ73sUoQ==,iv:A2hmi7lCR15E5jVR8E71GQuHgF4TdjDuQadXOtBon6k=,tag:eopTJdjN16u7PtpZdhKymQ==,type:comment]
-        user4: ENC[AES256_GCM,data:nUJ0lPuFOUVGCtq0IRSh5dAkAna7hoow1YOtFEgSoZc=,iv:D8phoZxdbQ2/Zaeq8498eRb0a7SZD5WnVdKv+u2pBak=,tag:Obu01n34JjyAVnF0f3uKzg==,type:str]
-    config0:
-        username: ENC[AES256_GCM,data:p8+q8u1A,iv:9s52kS5yLB4vQuGVXNtA4amZqT3eHTTybsbsQZRiFnk=,tag:7SA4SEzMHpP9H/rwoE+UJQ==,type:str]
-        password: ENC[AES256_GCM,data:58+gFodT,iv:ohZlT1BwnzCYv84xHgFsLRkiPMpE8lB8QVHwr0QtDWc=,tag:XF047RnXs6IbKsTnsm0D6g==,type:str]
-        comment: ENC[AES256_GCM,data:T4XcbF1c,iv:hHdsMjU8rzPiduhT05v98pgDqxRW/Km5zmXCEZaT2AI=,tag:LWvwIEfbW2IuDELr4fEXKg==,type:str]
-    config1:
-        username: ENC[AES256_GCM,data:xWP1cesh,iv:11KFZ/J9PScz/oW2+H5BWgw0+ETkCXlcYOMuPpgjEs0=,tag:HswEVzm6ElRjIDsZyEfZcA==,type:str]
-        password: ENC[AES256_GCM,data:Da/E7ZeZ,iv:gIoheXeTErV3+CtZSEDsX7pGzRahHWlKYQ6QZ6W2eu8=,tag:0oQzQ5DJiS2hqMQfU6JRWw==,type:str]
-        comment: ENC[AES256_GCM,data:etfZKwbh,iv:XqqF3D0PpCPd2Q/CCu/PAH4SrvXAOu+lIXvSht/KfKk=,tag:7jyG33foxneRK2wvI/5uBg==,type:str]
-grafana:
-    secret: ENC[AES256_GCM,data:QYhopqGcHGr+24qYlfaTdMtnyzmIZYG4PcvS9KYqC24W3M+HmloCkPHh7Y3ZTVg8MnrDGOcbA9YPLdY7eh/u4g==,iv:dh7egVIem2bgDbmWJ1sqH9fLdIYbAIQjnjNvyuEjVq0=,tag:DbIRVHbCcpKGcNc6sDTasA==,type:str]
-    chn: ENC[AES256_GCM,data:0bbjggWS1MdcUIQiQyPlBTULm+faKDpJbmZmV6vSw8k=,iv:am65WQzUE+AvQrQV+NSF5u6RCWn7EetyPsdy4Cuvyyw=,tag:lxNUM1cIYVSXVgwEnS1Hdw==,type:str]
-wireguard: ENC[AES256_GCM,data:rPZxIQ18KILFsCsriD0z649UqWPAl8M+49GI7bsEHr0t10rlYS8RiZFeKHk=,iv:rfS/PsX7y3ZBCs9YYPM4VoK9i7S2ShGHzcpBATx8Ots=,tag:i0spG0ZxB2Jm6XZwe19VDQ==,type:str]
-xray-server:
-    clients:
-        #ENC[AES256_GCM,data:aAZS,iv:Z+iJG7yC6HJeNdKCCpsZSc9Ny7kAt6GYfXUtZozMb4A=,tag:iMfwjqqmLvu5a8YpF7a0zQ==,type:comment]
-        user0: ENC[AES256_GCM,data:Q8MFrN/3SRgzSlwTx2GmpP/gvG1vpYiVgjsESzUoomsJaigP,iv:oLsf7AX3FE0tFOkJAbqrZVrCa6UxKjp450Sl1rs2Vs0=,tag:5w+AX0p4Or1GAQsEU3NxOQ==,type:str]
-        #ENC[AES256_GCM,data:j3zVwqHmag==,iv:8+ol60wNlbV2RzMBe47VxIrZuec8aXDUNcQvHcxKuiA=,tag:1AgCMfZf9vzWiWDS6hkw2Q==,type:comment]
-        user1: ENC[AES256_GCM,data:ucCiL7uoSafFUP9IiwKOjJqgwNxNLmuHxYXsLYl0fBgbCT3F,iv:RbNPwvSWibODQqySRc+YW65nUvRwaeXT0eDh02sfrwM=,tag:iE7GGrkBxljBT9HdPzDOfA==,type:str]
-        #ENC[AES256_GCM,data:x7dwVDe22M8=,iv:+fT7VUxZGd8SgS0PnEBqHLPLDuywu4s01iWB6TA/BKQ=,tag:CxfP7xSd4L9RBulSfViHaQ==,type:comment]
-        user2: ENC[AES256_GCM,data:e6PbRg30dzOJSXNmU6TML4AaFsSWEvZwN7MHAEX6fEW2p3hW,iv:Y+YYAO6hY9e/T8LSCr34M7riGmSzFIocmWwAwWjnZQs=,tag:LTkdGcRyrx7HqvbSYSsv4A==,type:str]
-        #ENC[AES256_GCM,data:j83rYg==,iv:3oEdAoVz7aMcezcy2chTO0LQTtKpTrJJoQZx3PC03BU=,tag:ABteEIyr2Y6MbGQhmrQySQ==,type:comment]
-        user3: ENC[AES256_GCM,data:Uk0Ax9FVzmmYs+ggWy7z6FEkuj2tppGlvnQdoW6PDI1VA9oI,iv:wSxigXleRUalQR1/TzKfdUVrdyEUuq+Wg42gSv1QMAI=,tag:qn6nBWv6MlGhMarCfI13BA==,type:str]
-    private-key: ENC[AES256_GCM,data:TarrinCFzWkB5zCc7i7f3B3tFfxrF+cGnrg4bw9CAGKWBazSJHCviY8Imw==,iv:azHdrc6AlgS9RPwGVsYRb8bBeC/askCdut1rnv9TA3I=,tag:AT2lLraKVgbp9GmlLJiI+w==,type:str]
-peertube:
-    secrets: ENC[AES256_GCM,data:DAlig4wYCridlfS00YOqH++/4Rkssq2bkJ1bhERrsgeqdccwwnk6ADKpN2UBGANNYiTj2VUHsHT6mIWxPRcJvQ==,iv:kOedA1gAD7el6JbP8MujSCSfkkHM6CDDMSs2LwPmsGU=,tag:ZDS+LGX2hNXHw15Js2sBkQ==,type:str]
-    password: ENC[AES256_GCM,data:jmKmQlFqHSmImfym2M3/+ItbPxx1GwgrLRZwk7KxqXGHFvqZ1ybCnfZCN8jmA1gVJLuPLTrYA9ggHwdKgVrknw==,iv:cBSb5PJsjHBAMgrxlZaVtw1aP39AXMtdk5pnnCyyZbQ=,tag:6TLoDRY6305lm4HVapT4yQ==,type:str]
-open-webui:
-    openai: ENC[AES256_GCM,data:wMSmoEMLcjbMkEOdzCt1CGbmGZ/iMOWk7PR4m452K+/gEQy00wa6B98=,iv:2hKpB1F0a/fz85RY2YNFXrw1Njbzd2pZ68ITp6b7mzA=,tag:0xUjiHszVXv8qfzV8z3Zhg==,type:str]
-    webui: ENC[AES256_GCM,data:+oEpNIyDEA1gH+Ax5P+ujKgXF8qleepYWwIVCuk=,iv:wmGy4T//UDAR8EC1w/j2vsCqi8dHOBnENLetp9+Ii/8=,tag:8OsFLn6xizQiTVJAEGPwWg==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWb0FWUkoxeWZ4K1lOb2k5
-            cUZXQktjSTY3djFZOEJyL1dWd0dmWHV4Y3dzClMvSWNiNk9YSzFoRmhQSG9wb1NG
-            ejRUeStyKy9qYWFwWHJraXFWREdhZFkKLS0tIExMb3VCWm13ZkJ3UXcrM3IrRGQv
-            ZjhMWlAyRUpUYkVjb2lidHZPNkg4SUEKctTzocxhVXJ56sHH4BO6QkS5Rn9k/y2U
-            IrZHT9b3nyyyZxhctOArjBXohwt1asNeAe7qsTypTtAMgKTRwggX9Q==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age137x7csalutwvfygvvzpemlsywvdxj3j4z93a50z2sjx03w6zau8q3r5902
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1Vi8vRTFFTW5tNW9OdnNQ
-            MEpxeXY5MnRzTE9GUkRLMVl1cTRBcU1FSmhnCkdmY3RCcy9oS2lZOVJ0Ni9RL041
-            UWo0TkxMblRqSkZoaDVYZm9xRFBCeDgKLS0tIEFVVkl0bUdoN3FVcThVRHpmVEJk
-            SnFHS1Z0SXUzTFdEd29KTy9DU3Y3R0UKfhh+rUmWDrf+UGjclP57dHipPLFoXSqy
-            HdelmfV6q4/c7ppx2E+oZw3VNgoZCsrxxzYZfwxHJiZb+5vkE0D8iA==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-04-12T09:08:37Z"
-    mac: ENC[AES256_GCM,data:cpstZVTMKxbUmB6UbkbaE8sUGVOuqWZre488eYv/7fR5si8amQ5rZ2S+F2UZNFpl598N8EQLPcHxxZYk12cOKB8rQxQsQeBu1N3AIfd/AmTAirYBqErzRVjGuR981PP1KoKi0O+8nMl0N6hnlFCUYrKD7mBF+l3TS4Fv98XFhZk=,iv:S7Kx5TszFPEWPQ3DY/rcDVkmcgFZr9GtmmiyHc/vWOg=,tag:7LuXtywrVNTvqmy1tWFI0Q==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.9.2

devices/xmuhk/README.md

@@ -0,0 +1,13 @@
+# install nix
+
+1. Build nix using `nix build github:NixOS/nixpkgs/nixos-24.11#nixStatic`, upload, create symlink `nix-store` `nix-build` etc. pointing to it.
+2. Upload `.config/nix/nix.conf`.
+
+# install or update packages
+
+1. On nixos, make sure `/public/home/xmuhk/.nix` is mounted correctly.
+2. Build using `sudo nix build --store 'local?store=/public/home/xmuhk/.nix/store&state=/public/home/xmuhk/.nix/state&log=/public/home/xmuhk/.nix/log' .#xmuhk` .
+3. Diff store using `sudo nix-store --store 'local?store=/public/home/xmuhk/.nix/store&state=/public/home/xmuhk/.nix/state&log=/public/home/xmuhk/.nix/log' -qR ./result | grep -Fxv -f <(ssh xmuhk find .nix/store -maxdepth 1 -exec realpath '{}' '\;') | sudo xargs nix-store --store 'local?store=/public/home/xmuhk/.nix/store&state=/public/home/xmuhk/.nix/state&log=/public/home/xmuhk/.nix/log' --export | xz -T0 | pv > xmuhk.nar.xz` .
+4. Upload `xmuhk.nar.xz` to hpc.
+5. On hpc, `pv xmuhk.nar.xz | xz -d | nix-store --import` .
+6. Create gcroot using `nix build /xxx-xmuhk -o .nix/state/gcroots/current`, where `/xxx-xmuhk` is the last path printed by `nix-store --import` .

devices/xmuhk/default.nix

@@ -0,0 +1,69 @@
+{ inputs, localLib }:
+let
+  pkgs = import inputs.nixpkgs (localLib.buildNixpkgsConfig
+  {
+    inputs = { inherit (inputs.nixpkgs) lib; topInputs = inputs; };
+    nixpkgs = { march = null; nixRoot = "/public/home/xmuhk/.nix"; nixos = false; };
+  });
+  lumericalLicenseManager = 
+    let
+      ip = "${pkgs.iproute2}/bin/ip";
+      awk = "${pkgs.gawk}/bin/awk";
+      sed = "${pkgs.gnused}/bin/sed";
+      chmod = "${pkgs.coreutils}/bin/chmod";
+      sing = "/public/software/singularity/singularity-3.8.3/bin/singularity";
+    in pkgs.writeShellScriptBin "lumericalLicenseManager"
+    ''
+      echo "Cleaning up..."
+      ${sing} instance stop lumericalLicenseManager || true
+      [ -d /tmp/lumerical ] && chmod -R u+w /tmp/lumerical && rm -rf /tmp/lumerical || true
+      mkdir -p /tmp/lumerical
+      while true; do
+        if ! ss -tan | grep -q ".*TIME-WAIT .*:1084 "; then break; fi
+        sleep 10
+      done
+
+      echo "Extracting image..."
+      ${sing} build --sandbox /tmp/lumerical/lumericalLicenseManager \
+        ${inputs.self.src.lumerical.licenseManager.sifImageFile}
+      mkdir /tmp/lumerical/lumericalLicenseManager/public
+
+      echo 'Searching for en* interface...'
+      iface=$(${ip} -o link show | ${awk} -F': ' '/^[0-9]+: en/ {print $2; exit}')
+      if [ -n "$iface" ]; then
+        echo "Found interface: $iface"
+        echo 'Extracting MAC address...'
+        mac=$(${ip} link show "$iface" | ${awk} '/link\/ether/ {print $2}' | ${sed} 's/://g')
+        echo "Extracted MAC address: $mac"
+      else
+        echo "No interface starting with 'en' found." >&2
+        exit 1
+      fi
+
+      echo 'Creating license file...'
+      ${sed} -i "s|xxxxxxxxxxxxx|$mac|" \
+        /tmp/lumerical/lumericalLicenseManager/home/ansys_inc/shared_files/licensing/license_files/ansyslmd.lic
+      ${sed} -i 's|2022.1231|2035.1231|g' \
+        /tmp/lumerical/lumericalLicenseManager/home/ansys_inc/shared_files/licensing/license_files/ansyslmd.lic
+
+      echo "Starting license manager..."
+      ${sing} instance start --writable /tmp/lumerical/lumericalLicenseManager lumericalLicenseManager
+      ${sing} exec instance://lumericalLicenseManager /bin/sh -c \
+        "pushd /home/ansys_inc/shared_files/licensing; (./start_ansysli &); (./start_lmcenter &); tail -f /dev/null"
+
+      cleanup() {
+        echo "Stopping license manager..."
+        ${sing} instance stop lumericalLicenseManager
+        chmod -R u+w /tmp/lumerical && rm -rf /tmp/lumerical
+      }
+      trap cleanup SIGINT SIGTERM SIGHUP EXIT
+      tail -f /dev/null
+    '';
+in pkgs.symlinkJoin
+{
+  name = "xmuhk";
+  paths = (with pkgs; [ hello btop htop iotop pv localPackages.lumerical.lumerical.cmd ])
+    ++ [ lumericalLicenseManager ];
+  postBuild = "echo ${inputs.self.rev or "dirty"} > $out/.version";
+  passthru = { inherit pkgs; };
+}

devices/xmuhk/files/.config/nix/nix.conf

@@ -0,0 +1,2 @@
+store = local?store=/public/home/xmuhk/.nix/store&state=/public/home/xmuhk/.nix/state&log=/public/home/xmuhk/.nix/log
+experimental-features = flakes nix-command

doc/branch.md

@@ -0,0 +1,2 @@
+* archive: archive
+* one-fprint: test fingerpint on one

doc/todo.md

@@ -1,6 +1,10 @@
-* 使用 wrap 好的 intel 编译器。
-* 在挂载根目录前（创建 rootfs 时），按用户复制需要的文件
-* 挑选一个好看的主题
-* 尝试一些别的计算软件
-* 解决 vscode 中的英语语法检查插件，尝试 valentjn.vscode-ltex
-* 调整 xmupc1 xmupc2 启动分区
+* 打包 intel 编译器
+* 切换到 niri，清理 plasma
+* 调整其它用户的 zsh 配置
+* 调整 motd
+* 找到 wg1 不能稳定工作的原因；确定 persistentKeepalive 发包的协议、是否会被正确 NAT。
+* 清理 mariadb，移动到 persistent
+* 清理多余文件
+* 移动日志到 persistent
+* 准备单独一个的 archive
+* 测试透明代理代理其它机器的情况

doc/upgrade.md

@@ -0,0 +1,12 @@
+* merge upstream, update flake
+* update src
+* fix all build errors
+* update modules (synapse)
+* update postgresql nextcloud
+* update stateVersion
+* switch
+* fix disabled packages
+* upstream patches
+* merge upstream again
+* switch
+* build all

flake.nix

@@ -3,42 +3,37 @@
 
   inputs =
   {
-    self.lfs = true;
-    nixpkgs.url = "github:CHN-beta/nixpkgs/nixos-24.11";
-    "nixpkgs-23.11".url = "github:CHN-beta/nixpkgs/nixos-23.11";
-    "nixpkgs-23.05".url = "github:CHN-beta/nixpkgs/nixos-23.05";
-    nixpkgs-unstable.url = "github:CHN-beta/nixpkgs/nixos-unstable";
-    home-manager = { url = "github:CHN-beta/home-manager/release-24.11"; inputs.nixpkgs.follows = "nixpkgs"; };
+    nixpkgs.url = "github:CHN-beta/nixpkgs/nixos-unstable";
+    nixpkgs-2505.url = "github:CHN-beta/nixpkgs/nixos-25.05";
+    nixpkgs-2411.url = "github:CHN-beta/nixpkgs/nixos-24.11";
+    nixpkgs-2311.url = "github:CHN-beta/nixpkgs/nixos-23.11";
+    nixpkgs-2305.url = "github:CHN-beta/nixpkgs/nixos-23.05";
+    home-manager = { url = "github:nix-community/home-manager/master"; inputs.nixpkgs.follows = "nixpkgs"; };
     sops-nix = { url = "github:Mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; };
     nix-index-database = { url = "github:Mic92/nix-index-database"; inputs.nixpkgs.follows = "nixpkgs"; };
     nur-xddxdd = { url = "github:xddxdd/nur-packages"; inputs.nixpkgs.follows = "nixpkgs"; };
-    nix-vscode-extensions =
-    {
-      url = "github:nix-community/nix-vscode-extensions?rev=7aa26ebccf778efe880fda1290db9c1da56ffa4f";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
     impermanence.url = "github:CHN-beta/impermanence";
-    qchem = { url = "github:Nix-QChem/NixOS-QChem/master"; inputs.nixpkgs.follows = "nixpkgs"; };
     plasma-manager =
     {
       url = "github:pjones/plasma-manager";
       inputs = { nixpkgs.follows = "nixpkgs"; home-manager.follows = "home-manager"; };
     };
     nur-linyinfeng = { url = "github:linyinfeng/nur-packages"; inputs.nixpkgs.follows = "nixpkgs"; };
-    envfs = { url = "github:Mic92/envfs"; inputs.nixpkgs.follows = "nixpkgs"; };
     nix-flatpak.url = "github:gmodena/nix-flatpak";
     chaotic =
     {
       url = "github:chaotic-cx/nyx";
       inputs = { nixpkgs.follows = "nixpkgs"; home-manager.follows = "home-manager"; };
     };
-    gricad = { url = "github:Gricad/nur-packages"; flake = false; };
-    catppuccin.url = "github:catppuccin/nix";
-    bscpkgs = { url = "git+https://git.chn.moe/chn/bscpkgs.git"; inputs.nixpkgs.follows = "nixpkgs"; };
+    catppuccin = { url = "github:catppuccin/nix"; inputs.nixpkgs.follows = "nixpkgs"; };
+    bscpkgs = { url = "github:CHN-beta/bscpkgs"; inputs.nixpkgs.follows = "nixpkgs"; };
+    aagl = { url = "github:ezKEa/aagl-gtk-on-nix"; inputs.nixpkgs.follows = "nixpkgs"; };
     winapps = { url = "github:winapps-org/winapps/feat-nix-packaging"; inputs.nixpkgs.follows = "nixpkgs"; };
-    aagl = { url = "github:ezKEa/aagl-gtk-on-nix/release-24.11"; inputs.nixpkgs.follows = "nixpkgs"; };
-    cachyos-lts.url = "github:drakon64/nixos-cachyos-kernel";
     nixvirt = { url = "github:CHN-beta/NixVirt"; inputs.nixpkgs.follows = "nixpkgs"; };
+    buildproxy = { url = "github:polygon/nix-buildproxy"; inputs.nixpkgs.follows = "nixpkgs"; };
+    niri = { url = "github:sodiboo/niri-flake"; inputs.nixpkgs.follows = "nixpkgs"; };
+    nix4vscode = { url = "github:nix-community/nix4vscode"; inputs.nixpkgs.follows = "nixpkgs"; };
+    dankmaterialshell = { url = "github:AvengeMedia/DankMaterialShell"; inputs.nixpkgs.follows = "nixpkgs"; };
 
     misskey = { url = "git+https://github.com/CHN-beta/misskey?submodules=1"; flake = false; };
     rsshub = { url = "github:DIYgod/RSSHub"; flake = false; };
@@ -51,33 +46,29 @@
     tgbot-cpp = { url = "github:reo7sp/tgbot-cpp"; flake = false; };
     v-sim = { url = "gitlab:l_sim/v_sim/master"; flake = false; };
     rycee = { url = "gitlab:rycee/nur-expressions"; flake = false; };
-    blurred-wallpaper = { url = "github:bouteillerAlan/blurredwallpaper"; flake = false; };
-    slate = { url = "github:TheBigWazz/Slate"; flake = false; };
     lepton = { url = "github:black7375/Firefox-UI-Fix"; flake = false; };
-    mumax = { url = "github:CHN-beta/mumax"; flake = false; };
+    mumax = { url = "github:mumax/3"; flake = false; };
     openxlsx = { url = "github:troldal/OpenXLSX?rev=f85f7f1bd632094b5d78d4d1f575955fc3801886"; flake = false; };
     sqlite-orm = { url = "github:fnc12/sqlite_orm"; flake = false; };
-    sockpp = { url = "github:fpagliughi/sockpp"; flake = false; };
-    git-lfs-transfer = { url = "github:charmbracelet/git-lfs-transfer"; flake = false; };
     nc4nix = { url = "github:helsinki-systems/nc4nix"; flake = false; };
     hextra = { url = "github:imfing/hextra"; flake = false; };
     nu-scripts = { url = "github:nushell/nu_scripts"; flake = false; };
-    py4vasp = { url = "github:vasp-dev/py4vasp"; flake = false; };
+    py4vasp = { url = "github:vasp-dev/py4vasp?ref=v0.10.2"; flake = false; };
     pocketfft = { url = "github:mreineck/pocketfft"; flake = false; };
     blog = { url = "git+https://git.chn.moe/chn/blog-public.git?lfs=1"; flake = false; };
     nixos-wallpaper = { url = "git+https://git.chn.moe/chn/nixos-wallpaper.git?lfs=1"; flake = false; };
-    spectroscopy = { url = "github:skelton-group/Phonopy-Spectroscopy"; flake = false; };
     vaspberry = { url = "github:Infant83/VASPBERRY"; flake = false; };
     ufo = { url = "git+https://git.chn.moe/chn/ufo.git?lfs=1"; flake = false; };
-    highfive = { url = "git+https://github.com/CHN-beta/HighFive?submodules=1"; flake = false; };
     stickerpicker = { url = "github:maunium/stickerpicker"; flake = false; };
     fancy-motd = { url = "github:CHN-beta/fancy-motd"; flake = false; };
-    octodns-cloudflare = { url = "github:octodns/octodns-cloudflare"; flake = false; };
     mac-style = { url = "github:SergioRibera/s4rchiso-plymouth-theme?lfs=1"; flake = false; };
-    phono3py = { url = "github:phonopy/phono3py/v3.14.1"; flake = false; };
+    phono3py = { url = "github:phonopy/phono3py/v3.15.1"; flake = false; };
+    sticker = { url = "git+https://git.chn.moe/chn/sticker.git?lfs=1"; flake = false; };
+    speedtest = { url = "github:librespeed/speedtest"; flake = false; };
+    pybinding = { url = "git+https://github.com/dean0x7d/pybinding?submodules=1"; flake = false; };
   };
 
-  outputs = inputs: let localLib = import ./flake/lib.nix inputs.nixpkgs.lib; in
+  outputs = inputs: let localLib = import ./flake/lib inputs.nixpkgs.lib; in
   {
     packages.x86_64-linux = import ./flake/packages.nix { inherit inputs localLib; };
     nixosConfigurations = import ./flake/nixos.nix { inherit inputs localLib; };

flake/dev.nix

@@ -34,20 +34,6 @@
     packages = [ pkgs.clang-tools_18 ];
     CMAKE_EXPORT_COMPILE_COMMANDS = "1";
   };
-  winjob =
-    let inherit (pkgs) clang-tools_18; in let inherit (inputs.self.packages.x86_64-w64-mingw32) pkgs winjob;
-    in pkgs.mkShell.override { stdenv = pkgs.gcc14Stdenv; }
-    {
-      inputsFrom = [ winjob ];
-      packages = [ clang-tools_18 ];
-      CMAKE_EXPORT_COMPILE_COMMANDS = "1";
-    };
-  mirism = pkgs.mkShell.override { stdenv = pkgs.clang18Stdenv; }
-  {
-    inputsFrom = [ pkgs.localPackages.mirism ];
-    packages = [ pkgs.clang-tools_18 ];
-    CMAKE_EXPORT_COMPILE_COMMANDS = "1";
-  };
   info = pkgs.mkShell.override { stdenv = pkgs.clang18Stdenv; }
   {
     inputsFrom = [ pkgs.localPackages.info ];
@@ -55,4 +41,18 @@
     CMAKE_EXPORT_COMPILE_COMMANDS = "1";
     hardeningDisable = [ "all" ];
   };
+  vm = pkgs.mkShell.override { stdenv = pkgs.clang18Stdenv; }
+  {
+    inputsFrom = [ pkgs.localPackages.vm ];
+    packages = [ pkgs.clang-tools_18 ];
+    CMAKE_EXPORT_COMPILE_COMMANDS = "1";
+    hardeningDisable = [ "all" ];
+  };
+  xinli = pkgs.mkShell.override { stdenv = pkgs.clang18Stdenv; }
+  {
+    inputsFrom = [ pkgs.localPackages.xinli ];
+    packages = [ pkgs.clang-tools_18 ];
+    CMAKE_EXPORT_COMPILE_COMMANDS = "1";
+    hardeningDisable = [ "all" ];
+  };
 }

flake/dns/config/chn.moe.nix

@@ -2,41 +2,44 @@ localLib:
 let
   cname =
   {
-    autoroute = [ "api" "git" "grafana" "matrix" "peertube" "send" "synapse" "vikunja" "铜锣湾" "铜锣湾实验室" ];
-    pc = [ "internal.nix-store" ];
     nas = [ "initrd.nas" ];
-    office = [ "srv2-node0" ];
+    office = [ "srv2-node0" "xserverxmu" ];
+    vps4 =
+    [
+      "initrd.vps4" "xserver2.vps4"
+      # to nas
+      "git" "grafana" "matrix" "peertube" "send" "vikunja" "铜锣湾" "xservernas" "chat" "freshrss" "huginn" "nextcloud"
+      "photoprism" "rsshub" "vaultwarden" "webdav" "synapse" "misskey" "api"
+    ];
     vps6 =
     [
-      "blog" "catalog" "coturn" "element" "frp" "initrd.vps6" "misskey" "nix-store" "sticker" "synapse-admin" "tgapi"
-      "ua" "vps6.xserver"
-    ];
-    vps7 =
-    [
-      "chat" "freshrss" "huginn" "initrd.vps7" "nextcloud" "photoprism" "rsshub" "ssh.git" "vaultwarden" "webdav"
-      "xsession.vps7"
+      "blog" "catalog" "coturn" "element" "initrd.vps6" "sticker" "synapse-admin" "tgapi" "ua" "xserver2"
+      "xserver2.vps6"
+      # to pc
+      "铜锣湾实验室"
     ];
     "xlog.autoroute" = [ "xlog" ];
     "wg0.srv1-node0" = [ "wg0.srv1" ];
     "wg0.srv2-node0" = [ "wg0.srv2" ];
-    srv3 = [ "initrd.srv3" ];
     srv1-node0 = [ "srv1" ];
     srv2-node0 = [ "srv2" ];
+    "wg1.pc" = [ "nix-store" ];
+    "wg1.nas" = [ "nix-store.nas" ];
+    "wg0.nas" = [ "ssh.git" ];
   };
   a =
   {
     nas = "192.168.1.2";
     pc = "192.168.1.3";
-    one = "192.168.1.4";
-    office = "210.34.16.60";
+    office = "210.34.16.21";
     srv1-node0 = "59.77.36.250";
+    vps4 = "104.234.37.61";
     vps6 = "144.34.225.59";
-    vps7 = "144.126.144.62";
     search = "127.0.0.1";
-    srv3 = "23.135.236.216";
     srv1-node1 = "192.168.178.2";
     srv1-node2 = "192.168.178.3";
     srv2-node1 = "192.168.178.2";
+    "409test" = "192.168.1.5";
   };
   wireguard = import ./wireguard.nix;
 in
@@ -55,11 +58,7 @@ in
     { type = "TXT"; value = "v=spf1 include:mxlogin.com -all"; }
   ];
   "_xlog-challenge.xlog" = { type = "TXT"; value = "chn"; };
-  autoroute =
-  {
-    type = "NS";
-    values = builtins.map (suffix: "ns1.huaweicloud-dns.${suffix}.") [ "cn" "com" "net" "org" ];
-  };
+  autoroute = { type = "NS"; values = "vps6.chn.moe."; };
   "mail" = { type = "CNAME"; value = "tuesday.mxrouting.net."; };
   "webmail" = { type = "CNAME"; value = "tuesday.mxrouting.net."; };
   "x._domainkey" =

flake/dns/config/wireguard.nix

@@ -2,16 +2,14 @@
   net = { wg0 = 83; wg1 = 84; };
   peer =
   {
+    vps4 = 2;
     vps6 = 1;
-    vps7 = 2;
     pc = 3;
     nas = 4;
-    one = 5;
     srv1-node0 = 9;
     srv1-node1 = 6;
     srv1-node2 = 8;
     srv2-node0 = 7;
     srv2-node1 = 10;
-    srv3 = 11;
   };
 }

flake/dns/default.nix

@@ -13,7 +13,23 @@ let
       (domain: writeTextDir "${domain.name}.yaml" (builtins.toJSON (addTtl domain.value)))
       (localLib.attrsToList config);
   };
-in lib.addMetaAttrs { config = config // { wireguard = import ./config/wireguard.nix; }; } (writeShellScript "dns-push"
+  meta.config = config //
+  {
+    wireguard = import ./config/wireguard.nix;
+    "chn.moe" = config."chn.moe"
+      // {
+        # 查询域名对应的 ip
+        getAddress = deviceName:
+          let
+            dns = meta.config."chn.moe";
+            f = domain:
+              if dns.${domain}.type == "A" then dns.${domain}.value
+              else if dns.${domain}.type == "CNAME" then f (lib.removeSuffix ".chn.moe." dns.${domain}.value)
+              else throw "Not found ${domain}";
+          in f deviceName;
+      };
+  };
+in lib.addMetaAttrs meta (writeShellScript "dns-push"
 ''
   export OCTODNS_CONFIG=${configDir}
   export CLOUDFLARE_TOKEN=$(cat ${tokenPath})

flake/lib/buildNixpkgsConfig/boost188.patch

@@ -0,0 +1,13 @@
+diff --git a/boost/process/v2/stdio.hpp b/boost/process/v2/stdio.hpp
+index 01d0216..4084e46 100644
+--- a/boost/process/v2/stdio.hpp
++++ b/boost/process/v2/stdio.hpp
+@@ -184,7 +184,7 @@ struct process_io_binding
+   process_io_binding & operator=(const process_io_binding &) = delete;
+ 
+   process_io_binding(process_io_binding && other) noexcept
+-          : fd(other.fd), fd_needs_closing(other.fd), ec(other.ec)
++          : fd(other.fd), fd_needs_closing(other.fd_needs_closing), ec(other.ec)
+   {
+     other.fd = target;
+     other.fd_needs_closing = false;

flake/lib/buildNixpkgsConfig/default.nix

@@ -0,0 +1,177 @@
+# inputs = { lib, topInputs, ...}; nixpkgs = { march, cuda, nixRoot, nixos, arch, rocm };
+{ inputs, nixpkgs }:
+let
+  platformConfig =
+    if nixpkgs.march == null then { system = "${nixpkgs.arch or "x86_64"}-linux"; }
+    else
+    {
+      ${if nixpkgs.nixos then "hostPlatform" else "localSystem"} =
+        { system = "${nixpkgs.arch or "x86_64"}-linux"; gcc = { arch = nixpkgs.march; tune = nixpkgs.march; }; };
+    };
+  cudaConfig = inputs.lib.optionalAttrs (nixpkgs.cuda or null != null)
+  (
+    { cudaSupport = true; }
+    // (inputs.lib.optionalAttrs (nixpkgs.cuda.capabilities != null)
+      { cudaCapabilities = nixpkgs.cuda.capabilities; })
+    // (inputs.lib.optionalAttrs (nixpkgs.cuda.forwardCompat != null)
+      { cudaForwardCompat = nixpkgs.cuda.forwardCompat; })
+  );
+  rocmConfig = inputs.lib.optionalAttrs (nixpkgs.rocm or false) { rocmSupport = true; };
+  allowInsecurePredicate = p: inputs.lib.warn "Allowing insecure package ${p.name or "${p.pname}-${p.version}"}" true;
+  config = cudaConfig // rocmConfig
+    // {
+      inherit allowInsecurePredicate;
+      allowUnfree = true;
+      android_sdk.accept_license = true;
+      allowBroken = true;
+    }
+    // (inputs.lib.optionalAttrs (nixpkgs.march != null)
+    {
+      oneapiArch = let match.znver5 = "znver4"; in match.${nixpkgs.march} or nixpkgs.march;
+      nvhpcArch = nixpkgs.march;
+      # contentAddressedByDefault = true;
+    })
+    // (inputs.lib.optionalAttrs (nixpkgs.nixRoot or null != null)
+      { nix = { storeDir = "${nixpkgs.nixRoot}/store"; stateDir = "${nixpkgs.nixRoot}/state"; }; });
+in platformConfig //
+{
+  inherit config;
+  overlays =
+  [
+    inputs.topInputs.aagl.overlays.default
+    inputs.topInputs.nur-xddxdd.overlays.inSubTree
+    inputs.topInputs.buildproxy.overlays.default
+    inputs.topInputs.nix4vscode.overlays.default
+    inputs.topInputs.bscpkgs.overlays.default
+    (final: prev:
+    {
+      nur-linyinfeng = (inputs.topInputs.nur-linyinfeng.overlays.default final prev).linyinfeng;
+      firefox-addons = (import "${inputs.topInputs.rycee}" { inherit (prev) pkgs; }).firefox-addons;
+    })
+    inputs.topInputs.self.overlays.default
+    (final: prev:
+      let
+        inherit (final) system;
+        genericPackages = import inputs.topInputs.nixpkgs
+          { inherit system; config = { allowUnfree = true; inherit allowInsecurePredicate; }; };
+      in
+      {
+        inherit genericPackages;
+        telegram-desktop = prev.telegram-desktop.override
+        {
+          unwrapped = prev.telegram-desktop.unwrapped.overrideAttrs
+            (prev: { patches = prev.patches or [] ++ [ ./telegram.patch ]; });
+        };
+        libvirt = (prev.libvirt.override { iptables = final.nftables; }).overrideAttrs
+          (prev: { patches = prev.patches or [] ++ [ ./libvirt.patch ]; });
+        root = prev.root.overrideAttrs (prev: { cmakeFlags = prev.cmakeFlags ++ [ "-DCMAKE_CXX_STANDARD=23" ]; });
+        boost188 = prev.boost188.overrideAttrs (prev: { patches = prev.patches or [] ++ [ ./boost188.patch ]; });
+        chromium = prev.chromium.override (prev:
+          { commandLineArgs = prev.commandLineArgs or "" + " --disable-features=GlobalShortcutsPortal"; });
+        google-chrome = prev.google-chrome.override (prev:
+          { commandLineArgs = prev.commandLineArgs or "" + " --disable-features=GlobalShortcutsPortal"; });
+      }
+      // (
+        let
+          marchFilter = version:
+            # old version of nixpkgs does not recognize znver5, use znver4 instead
+            inputs.lib.optionalAttrs (inputs.lib.versionOlder version "25.05") { znver5 = "znver4"; };
+          source =
+          {
+            pkgs-2305 = "nixpkgs-2305";
+            pkgs-2311 = "nixpkgs-2311";
+            pkgs-2411 =
+            {
+              source = "nixpkgs-2411";
+              overlays =
+              [
+                (final: prev: inputs.lib.optionalAttrs (nixpkgs.march != null)
+                {
+                  pythonPackagesExtensions = prev.pythonPackagesExtensions or [] ++ [(final: prev:
+                  {
+                    sphinx = prev.sphinx.overridePythonAttrs (prev:
+                      { disabledTests = prev.disabledTests or [] ++ [ "test_xml_warnings" ]; });
+                  })];
+                })
+              ];
+            };
+            # pkgs-unstable =
+            # {
+            #   source = "nixpkgs-unstable";
+            #   overlays =
+            #   [
+            #     inputs.topInputs.self.overlays.default
+            #     (_: _:
+            #     {
+            #       genericPackages = import inputs.topInputs.nixpkgs-unstable
+            #         { inherit system; config = { allowUnfree = true; inherit allowInsecurePredicate; }; };
+            #     })
+            #   ];
+            # };
+          };
+          packages = name:
+            let flakeSource = inputs.topInputs.${source.${name}.source or source.${name}};
+            in import flakeSource
+            {
+              localSystem =
+                if nixpkgs.march == null then { system = "${nixpkgs.arch or "x86_64"}-linux"; }
+                else
+                  let march = (marchFilter flakeSource.lib.version).${nixpkgs.march} or nixpkgs.march;
+                  in { system = "${nixpkgs.arch or "x86_64"}-linux"; gcc = { arch = march; tune = march; }; };
+              inherit config;
+              overlays = source.${name}.overlays or [(_: _: {})];
+            };
+        in builtins.listToAttrs (builtins.map
+          (name: { inherit name; value = packages name; }) (builtins.attrNames source))
+      )
+      // (inputs.lib.optionalAttrs (prev.stdenv.hostPlatform.avx512Support)
+        { gsl = prev.gsl.overrideAttrs { doCheck = false; }; })
+      # // (inputs.lib.optionalAttrs (nixpkgs.march != null && !prev.stdenv.hostPlatform.avx512Support)
+      #   { libhwy = prev.libhwy.override { stdenv = final.genericPackages.stdenv; }; })
+      // (inputs.lib.optionalAttrs (nixpkgs.march != null)
+      {
+        assimp = prev.assimp.override { stdenv = final.genericPackages.stdenv; };
+        redis = prev.redis.overrideAttrs (prev: { doCheck = false; });
+        wannier90 = prev.wannier90.overrideAttrs { buildFlags = [ "dynlib" ]; };
+        xen = prev.xen.overrideAttrs (prev: { patches = prev.patches or [] ++ [ ./xen.patch ]; });
+      #   libinsane = prev.libinsane.overrideAttrs (prev:
+      #     { nativeCheckInputs = builtins.filter (p: p.pname != "valgrind") prev.nativeCheckInputs; });
+        lib2geom = prev.lib2geom.overrideAttrs (prev: { doCheck = false; });
+        libreoffice-qt6-fresh = prev.libreoffice-qt6-fresh.override (prev:
+          { unwrapped = prev.unwrapped.overrideAttrs (prev: { postPatch = prev.postPatch or "" +
+          ''
+            sed -i '/CPPUNIT_TEST.testDubiousArrayFormulasFODS/d' sc/qa/unit/functions_array.cxx
+          '';});});
+        opencolorio = prev.opencolorio.overrideAttrs (prev: { doCheck = false; });
+      #   openvswitch = prev.openvswitch.overrideAttrs (prev: { doCheck = false; });
+        rapidjson = prev.rapidjson.overrideAttrs { doCheck = false; };
+      #   valkey = prev.valkey.overrideAttrs { doCheck = false; };
+        embree = prev.embree.override { stdenv = final.genericPackages.stdenv; };
+        simde = prev.simde.override { stdenv = final.genericPackages.stdenv; };
+      #   ctranslate2 = prev.ctranslate2.overrideAttrs (prev:
+      #     { cmakeFlags = prev.cmakeFlags or [] ++ [ "-DENABLE_CPU_DISPATCH=OFF" ]; });
+        pythonPackagesExtensions = prev.pythonPackagesExtensions or [] ++ [(final: prev:
+        (
+          { picosvg = prev.picosvg.overridePythonAttrs { doCheck = false; }; }
+          # {
+          #   scipy = prev.scipy.overridePythonAttrs (prev:
+          #     { disabledTests = prev.disabledTests or [] ++ [ "test_hyp2f1" ]; });
+          #   rich = prev.rich.overridePythonAttrs (prev:
+          #     { disabledTests = prev.disabledTests or [] ++ [ "test_brokenpipeerror" ]; });
+          # }
+          # // (inputs.lib.optionalAttrs (nixpkgs.march != null && !prev.stdenv.hostPlatform.avx2Support)
+          # {
+          #   numcodecs = prev.numcodecs.overridePythonAttrs (prev:
+          #   {
+          #     disabledTests = prev.disabledTests or []
+          #       ++ [ "test_encode_decode" "test_partial_decode" "test_blosc" ];
+          #   });
+          # })
+        ))];
+      #   inherit (final.pkgs-2411) intelPackages_2023;
+      })
+      # // (inputs.lib.optionalAttrs (nixpkgs.march == "silvermont")
+      #   { c-blosc = prev.c-blosc.overrideAttrs { doCheck = false; }; })
+      # // (inputs.lib.optionalAttrs (nixpkgs.arch or null == "aarch64") { nix = final.nixVersions.nix_2_29; })
+  )];
+}

flake/lib/buildNixpkgsConfig/libvirt.patch

@@ -0,0 +1,634 @@
+diff --git a/src/network/network_iptables.c b/src/network/network_iptables.c
+index e8da15426e..7b5080ae5f 100644
+--- a/src/network/network_iptables.c
++++ b/src/network/network_iptables.c
+@@ -744,13 +744,6 @@ iptablesForwardRejectIn(virFirewall *fw,
+                         const char *iface,
+                         iptablesAction action)
+ {
+-    virFirewallAddCmd(fw, layer,
+-                      "--table", "filter",
+-                      iptablesActionTypeToString(action),
+-                      VIR_IPTABLES_FWD_IN_CHAIN,
+-                      "--out-interface", iface,
+-                      "--jump", "REJECT",
+-                      NULL);
+ }
+ 
+ /**
+diff --git a/src/network/network_nftables.c b/src/network/network_nftables.c
+index f8b5ab665d..54ed0c6f29 100644
+--- a/src/network/network_nftables.c
++++ b/src/network/network_nftables.c
+@@ -504,13 +504,6 @@ nftablesAddForwardRejectIn(virFirewall *fw,
+                            virFirewallLayer layer,
+                            const char *iface)
+ {
+-    virFirewallAddCmd(fw, layer, "insert", "rule",
+-                      nftablesLayerTypeToString(layer),
+-                      VIR_NFTABLES_PRIVATE_TABLE,
+-                      VIR_NFTABLES_FWD_IN_CHAIN,
+-                      "oif", iface,
+-                      "counter", "reject",
+-                      NULL);
+ }
+ 
+ 
+diff --git a/tests/networkxml2firewalldata/forward-dev-linux.iptables b/tests/networkxml2firewalldata/forward-dev-linux.iptables
+index bc483c4512..98be4b76ad 100644
+--- a/tests/networkxml2firewalldata/forward-dev-linux.iptables
++++ b/tests/networkxml2firewalldata/forward-dev-linux.iptables
+@@ -71,12 +71,6 @@ iptables \
+ iptables \
+ -w \
+ --table filter \
+---insert LIBVIRT_FWI \
+---out-interface virbr0 \
+---jump REJECT
+-iptables \
+--w \
+---table filter \
+ --insert LIBVIRT_FWX \
+ --in-interface virbr0 \
+ --out-interface virbr0 \
+diff --git a/tests/networkxml2firewalldata/forward-dev-linux.nftables b/tests/networkxml2firewalldata/forward-dev-linux.nftables
+index 8badb74beb..78c0110a32 100644
+--- a/tests/networkxml2firewalldata/forward-dev-linux.nftables
++++ b/tests/networkxml2firewalldata/forward-dev-linux.nftables
+@@ -13,16 +13,6 @@ nft \
+ rule \
+ ip \
+ libvirt_network \
+-guest_input \
+-oif \
+-virbr0 \
+-counter \
+-reject
+-nft \
+--ae insert \
+-rule \
+-ip \
+-libvirt_network \
+ guest_cross \
+ iif \
+ virbr0 \
+diff --git a/tests/networkxml2firewalldata/isolated-linux.iptables b/tests/networkxml2firewalldata/isolated-linux.iptables
+index 135189ce41..d2d29933aa 100644
+--- a/tests/networkxml2firewalldata/isolated-linux.iptables
++++ b/tests/networkxml2firewalldata/isolated-linux.iptables
+@@ -71,12 +71,6 @@ iptables \
+ iptables \
+ -w \
+ --table filter \
+---insert LIBVIRT_FWI \
+---out-interface virbr0 \
+---jump REJECT
+-iptables \
+--w \
+---table filter \
+ --insert LIBVIRT_FWX \
+ --in-interface virbr0 \
+ --out-interface virbr0 \
+@@ -90,12 +84,6 @@ ip6tables \
+ ip6tables \
+ -w \
+ --table filter \
+---insert LIBVIRT_FWI \
+---out-interface virbr0 \
+---jump REJECT
+-ip6tables \
+--w \
+---table filter \
+ --insert LIBVIRT_FWX \
+ --in-interface virbr0 \
+ --out-interface virbr0 \
+diff --git a/tests/networkxml2firewalldata/isolated-linux.nftables b/tests/networkxml2firewalldata/isolated-linux.nftables
+index d1b4dac178..3d72c1fb09 100644
+--- a/tests/networkxml2firewalldata/isolated-linux.nftables
++++ b/tests/networkxml2firewalldata/isolated-linux.nftables
+@@ -13,16 +13,6 @@ nft \
+ rule \
+ ip \
+ libvirt_network \
+-guest_input \
+-oif \
+-virbr0 \
+-counter \
+-reject
+-nft \
+--ae insert \
+-rule \
+-ip \
+-libvirt_network \
+ guest_cross \
+ iif \
+ virbr0 \
+@@ -45,16 +35,6 @@ nft \
+ rule \
+ ip6 \
+ libvirt_network \
+-guest_input \
+-oif \
+-virbr0 \
+-counter \
+-reject
+-nft \
+--ae insert \
+-rule \
+-ip6 \
+-libvirt_network \
+ guest_cross \
+ iif \
+ virbr0 \
+diff --git a/tests/networkxml2firewalldata/nat-default-linux.iptables b/tests/networkxml2firewalldata/nat-default-linux.iptables
+index 3cfa61333c..5f401194ed 100644
+--- a/tests/networkxml2firewalldata/nat-default-linux.iptables
++++ b/tests/networkxml2firewalldata/nat-default-linux.iptables
+@@ -71,12 +71,6 @@ iptables \
+ iptables \
+ -w \
+ --table filter \
+---insert LIBVIRT_FWI \
+---out-interface virbr0 \
+---jump REJECT
+-iptables \
+--w \
+---table filter \
+ --insert LIBVIRT_FWX \
+ --in-interface virbr0 \
+ --out-interface virbr0 \
+diff --git a/tests/networkxml2firewalldata/nat-default-linux.nftables b/tests/networkxml2firewalldata/nat-default-linux.nftables
+index 28508292f9..ef7b2b1bc8 100644
+--- a/tests/networkxml2firewalldata/nat-default-linux.nftables
++++ b/tests/networkxml2firewalldata/nat-default-linux.nftables
+@@ -13,16 +13,6 @@ nft \
+ rule \
+ ip \
+ libvirt_network \
+-guest_input \
+-oif \
+-virbr0 \
+-counter \
+-reject
+-nft \
+--ae insert \
+-rule \
+-ip \
+-libvirt_network \
+ guest_cross \
+ iif \
+ virbr0 \
+diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.iptables b/tests/networkxml2firewalldata/nat-ipv6-linux.iptables
+index ce295cbc6d..127ed35826 100644
+--- a/tests/networkxml2firewalldata/nat-ipv6-linux.iptables
++++ b/tests/networkxml2firewalldata/nat-ipv6-linux.iptables
+@@ -71,12 +71,6 @@ iptables \
+ iptables \
+ -w \
+ --table filter \
+---insert LIBVIRT_FWI \
+---out-interface virbr0 \
+---jump REJECT
+-iptables \
+--w \
+---table filter \
+ --insert LIBVIRT_FWX \
+ --in-interface virbr0 \
+ --out-interface virbr0 \
+@@ -90,12 +84,6 @@ ip6tables \
+ ip6tables \
+ -w \
+ --table filter \
+---insert LIBVIRT_FWI \
+---out-interface virbr0 \
+---jump REJECT
+-ip6tables \
+--w \
+---table filter \
+ --insert LIBVIRT_FWX \
+ --in-interface virbr0 \
+ --out-interface virbr0 \
+diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
+index d8a9ba706d..20e51e203c 100644
+--- a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
++++ b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
+@@ -13,16 +13,6 @@ nft \
+ rule \
+ ip \
+ libvirt_network \
+-guest_input \
+-oif \
+-virbr0 \
+-counter \
+-reject
+-nft \
+--ae insert \
+-rule \
+-ip \
+-libvirt_network \
+ guest_cross \
+ iif \
+ virbr0 \
+@@ -45,16 +35,6 @@ nft \
+ rule \
+ ip6 \
+ libvirt_network \
+-guest_input \
+-oif \
+-virbr0 \
+-counter \
+-reject
+-nft \
+--ae insert \
+-rule \
+-ip6 \
+-libvirt_network \
+ guest_cross \
+ iif \
+ virbr0 \
+diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.iptables b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.iptables
+index d78537dc5c..a87fe47480 100644
+--- a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.iptables
++++ b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.iptables
+@@ -71,12 +71,6 @@ iptables \
+ iptables \
+ -w \
+ --table filter \
+---insert LIBVIRT_FWI \
+---out-interface virbr0 \
+---jump REJECT
+-iptables \
+--w \
+---table filter \
+ --insert LIBVIRT_FWX \
+ --in-interface virbr0 \
+ --out-interface virbr0 \
+@@ -90,12 +84,6 @@ ip6tables \
+ ip6tables \
+ -w \
+ --table filter \
+---insert LIBVIRT_FWI \
+---out-interface virbr0 \
+---jump REJECT
+-ip6tables \
+--w \
+---table filter \
+ --insert LIBVIRT_FWX \
+ --in-interface virbr0 \
+ --out-interface virbr0 \
+diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
+index a7f09cda59..816a4a8cac 100644
+--- a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
++++ b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
+@@ -13,16 +13,6 @@ nft \
+ rule \
+ ip \
+ libvirt_network \
+-guest_input \
+-oif \
+-virbr0 \
+-counter \
+-reject
+-nft \
+--ae insert \
+-rule \
+-ip \
+-libvirt_network \
+ guest_cross \
+ iif \
+ virbr0 \
+@@ -45,16 +35,6 @@ nft \
+ rule \
+ ip6 \
+ libvirt_network \
+-guest_input \
+-oif \
+-virbr0 \
+-counter \
+-reject
+-nft \
+--ae insert \
+-rule \
+-ip6 \
+-libvirt_network \
+ guest_cross \
+ iif \
+ virbr0 \
+diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.iptables b/tests/networkxml2firewalldata/nat-many-ips-linux.iptables
+index ba7f234b82..9244705322 100644
+--- a/tests/networkxml2firewalldata/nat-many-ips-linux.iptables
++++ b/tests/networkxml2firewalldata/nat-many-ips-linux.iptables
+@@ -71,12 +71,6 @@ iptables \
+ iptables \
+ -w \
+ --table filter \
+---insert LIBVIRT_FWI \
+---out-interface virbr0 \
+---jump REJECT
+-iptables \
+--w \
+---table filter \
+ --insert LIBVIRT_FWX \
+ --in-interface virbr0 \
+ --out-interface virbr0 \
+diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
+index b826fe6134..904f515f3d 100644
+--- a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
++++ b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
+@@ -13,16 +13,6 @@ nft \
+ rule \
+ ip \
+ libvirt_network \
+-guest_input \
+-oif \
+-virbr0 \
+-counter \
+-reject
+-nft \
+--ae insert \
+-rule \
+-ip \
+-libvirt_network \
+ guest_cross \
+ iif \
+ virbr0 \
+diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.iptables b/tests/networkxml2firewalldata/nat-no-dhcp-linux.iptables
+index 1e5aa05231..b4f86a256f 100644
+--- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.iptables
++++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.iptables
+@@ -71,12 +71,6 @@ iptables \
+ iptables \
+ -w \
+ --table filter \
+---insert LIBVIRT_FWI \
+---out-interface virbr0 \
+---jump REJECT
+-iptables \
+--w \
+---table filter \
+ --insert LIBVIRT_FWX \
+ --in-interface virbr0 \
+ --out-interface virbr0 \
+@@ -90,12 +84,6 @@ ip6tables \
+ ip6tables \
+ -w \
+ --table filter \
+---insert LIBVIRT_FWI \
+---out-interface virbr0 \
+---jump REJECT
+-ip6tables \
+--w \
+---table filter \
+ --insert LIBVIRT_FWX \
+ --in-interface virbr0 \
+ --out-interface virbr0 \
+diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
+index d8a9ba706d..20e51e203c 100644
+--- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
++++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
+@@ -13,16 +13,6 @@ nft \
+ rule \
+ ip \
+ libvirt_network \
+-guest_input \
+-oif \
+-virbr0 \
+-counter \
+-reject
+-nft \
+--ae insert \
+-rule \
+-ip \
+-libvirt_network \
+ guest_cross \
+ iif \
+ virbr0 \
+@@ -45,16 +35,6 @@ nft \
+ rule \
+ ip6 \
+ libvirt_network \
+-guest_input \
+-oif \
+-virbr0 \
+-counter \
+-reject
+-nft \
+--ae insert \
+-rule \
+-ip6 \
+-libvirt_network \
+ guest_cross \
+ iif \
+ virbr0 \
+diff --git a/tests/networkxml2firewalldata/nat-port-range-ipv6-linux.iptables b/tests/networkxml2firewalldata/nat-port-range-ipv6-linux.iptables
+index c2e845cc4f..139110d068 100644
+--- a/tests/networkxml2firewalldata/nat-port-range-ipv6-linux.iptables
++++ b/tests/networkxml2firewalldata/nat-port-range-ipv6-linux.iptables
+@@ -71,12 +71,6 @@ iptables \
+ iptables \
+ -w \
+ --table filter \
+---insert LIBVIRT_FWI \
+---out-interface virbr0 \
+---jump REJECT
+-iptables \
+--w \
+---table filter \
+ --insert LIBVIRT_FWX \
+ --in-interface virbr0 \
+ --out-interface virbr0 \
+@@ -90,12 +84,6 @@ ip6tables \
+ ip6tables \
+ -w \
+ --table filter \
+---insert LIBVIRT_FWI \
+---out-interface virbr0 \
+---jump REJECT
+-ip6tables \
+--w \
+---table filter \
+ --insert LIBVIRT_FWX \
+ --in-interface virbr0 \
+ --out-interface virbr0 \
+diff --git a/tests/networkxml2firewalldata/nat-port-range-ipv6-linux.nftables b/tests/networkxml2firewalldata/nat-port-range-ipv6-linux.nftables
+index ceaed6fa40..6db8eddf6c 100644
+--- a/tests/networkxml2firewalldata/nat-port-range-ipv6-linux.nftables
++++ b/tests/networkxml2firewalldata/nat-port-range-ipv6-linux.nftables
+@@ -13,16 +13,6 @@ nft \
+ rule \
+ ip \
+ libvirt_network \
+-guest_input \
+-oif \
+-virbr0 \
+-counter \
+-reject
+-nft \
+--ae insert \
+-rule \
+-ip \
+-libvirt_network \
+ guest_cross \
+ iif \
+ virbr0 \
+@@ -45,16 +35,6 @@ nft \
+ rule \
+ ip6 \
+ libvirt_network \
+-guest_input \
+-oif \
+-virbr0 \
+-counter \
+-reject
+-nft \
+--ae insert \
+-rule \
+-ip6 \
+-libvirt_network \
+ guest_cross \
+ iif \
+ virbr0 \
+diff --git a/tests/networkxml2firewalldata/nat-port-range-linux.iptables b/tests/networkxml2firewalldata/nat-port-range-linux.iptables
+index 8e5c2c8193..0e7686359d 100644
+--- a/tests/networkxml2firewalldata/nat-port-range-linux.iptables
++++ b/tests/networkxml2firewalldata/nat-port-range-linux.iptables
+@@ -71,12 +71,6 @@ iptables \
+ iptables \
+ -w \
+ --table filter \
+---insert LIBVIRT_FWI \
+---out-interface virbr0 \
+---jump REJECT
+-iptables \
+--w \
+---table filter \
+ --insert LIBVIRT_FWX \
+ --in-interface virbr0 \
+ --out-interface virbr0 \
+@@ -90,12 +84,6 @@ ip6tables \
+ ip6tables \
+ -w \
+ --table filter \
+---insert LIBVIRT_FWI \
+---out-interface virbr0 \
+---jump REJECT
+-ip6tables \
+--w \
+---table filter \
+ --insert LIBVIRT_FWX \
+ --in-interface virbr0 \
+ --out-interface virbr0 \
+diff --git a/tests/networkxml2firewalldata/nat-port-range-linux.nftables b/tests/networkxml2firewalldata/nat-port-range-linux.nftables
+index 1dc37a26ec..1d65869876 100644
+--- a/tests/networkxml2firewalldata/nat-port-range-linux.nftables
++++ b/tests/networkxml2firewalldata/nat-port-range-linux.nftables
+@@ -13,16 +13,6 @@ nft \
+ rule \
+ ip \
+ libvirt_network \
+-guest_input \
+-oif \
+-virbr0 \
+-counter \
+-reject
+-nft \
+--ae insert \
+-rule \
+-ip \
+-libvirt_network \
+ guest_cross \
+ iif \
+ virbr0 \
+@@ -45,16 +35,6 @@ nft \
+ rule \
+ ip6 \
+ libvirt_network \
+-guest_input \
+-oif \
+-virbr0 \
+-counter \
+-reject
+-nft \
+--ae insert \
+-rule \
+-ip6 \
+-libvirt_network \
+ guest_cross \
+ iif \
+ virbr0 \
+diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.iptables b/tests/networkxml2firewalldata/nat-tftp-linux.iptables
+index 565fff737c..3f2d1ccf5a 100644
+--- a/tests/networkxml2firewalldata/nat-tftp-linux.iptables
++++ b/tests/networkxml2firewalldata/nat-tftp-linux.iptables
+@@ -87,12 +87,6 @@ iptables \
+ iptables \
+ -w \
+ --table filter \
+---insert LIBVIRT_FWI \
+---out-interface virbr0 \
+---jump REJECT
+-iptables \
+--w \
+---table filter \
+ --insert LIBVIRT_FWX \
+ --in-interface virbr0 \
+ --out-interface virbr0 \
+diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.nftables b/tests/networkxml2firewalldata/nat-tftp-linux.nftables
+index 28508292f9..ef7b2b1bc8 100644
+--- a/tests/networkxml2firewalldata/nat-tftp-linux.nftables
++++ b/tests/networkxml2firewalldata/nat-tftp-linux.nftables
+@@ -13,16 +13,6 @@ nft \
+ rule \
+ ip \
+ libvirt_network \
+-guest_input \
+-oif \
+-virbr0 \
+-counter \
+-reject
+-nft \
+--ae insert \
+-rule \
+-ip \
+-libvirt_network \
+ guest_cross \
+ iif \
+ virbr0 \
+diff --git a/tests/networkxml2firewalldata/route-default-linux.iptables b/tests/networkxml2firewalldata/route-default-linux.iptables
+index a7b969c077..866d65014e 100644
+--- a/tests/networkxml2firewalldata/route-default-linux.iptables
++++ b/tests/networkxml2firewalldata/route-default-linux.iptables
+@@ -71,12 +71,6 @@ iptables \
+ iptables \
+ -w \
+ --table filter \
+---insert LIBVIRT_FWI \
+---out-interface virbr0 \
+---jump REJECT
+-iptables \
+--w \
+---table filter \
+ --insert LIBVIRT_FWX \
+ --in-interface virbr0 \
+ --out-interface virbr0 \
+diff --git a/tests/networkxml2firewalldata/route-default-linux.nftables b/tests/networkxml2firewalldata/route-default-linux.nftables
+index 282c9542a5..fc742c9fea 100644
+--- a/tests/networkxml2firewalldata/route-default-linux.nftables
++++ b/tests/networkxml2firewalldata/route-default-linux.nftables
+@@ -13,16 +13,6 @@ nft \
+ rule \
+ ip \
+ libvirt_network \
+-guest_input \
+-oif \
+-virbr0 \
+-counter \
+-reject
+-nft \
+--ae insert \
+-rule \
+-ip \
+-libvirt_network \
+ guest_cross \
+ iif \
+ virbr0 \

flake/lib/buildNixpkgsConfig/xen.patch

@@ -0,0 +1,15 @@
+diff --git a/xen/arch/x86/boot/Makefile b/xen/arch/x86/boot/Makefile
+index d45787665907..80c32163fbbd 100644
+--- a/xen/arch/x86/boot/Makefile
++++ b/xen/arch/x86/boot/Makefile
+@@ -40,8 +40,8 @@ LD32 := $(LD) $(subst x86_64,i386,$(LDFLAGS_DIRECT))
+ # are affected by both text_diff and text_gap.  Ensure the sum of gap and diff
+ # is greater than 2^16 so that any 16bit relocations if present in the object
+ # file turns into a build-time error.
+-text_gap := 0x010200
+-text_diff := 0x408020
++text_gap := 0x010240
++text_diff := 0x608040
+ 
+ $(obj)/build32.base.lds: AFLAGS-y += -DGAP=$(text_gap) -DTEXT_DIFF=$(text_diff)
+ $(obj)/build32.offset.lds: AFLAGS-y += -DGAP=$(text_gap) -DTEXT_DIFF=$(text_diff) -DAPPLY_OFFSET

flake/lib/default.nix

@@ -1,6 +1,6 @@
 lib: rec
 {
-  attrsToList = attrs: builtins.map (name: { inherit name; value = attrs.${name}; }) (builtins.attrNames attrs);
+  inherit (lib) attrsToList;
   mkConditional = condition: trueResult: falseResult: let inherit (lib) mkMerge mkIf; in
     mkMerge [ ( mkIf condition trueResult ) ( mkIf (!condition) falseResult ) ];
 
@@ -86,4 +86,6 @@ lib: rec
       if (builtins.typeOf pattern) != "list" then throw "pattern should be a list"
       else if pattern == [] then origin
       else deepReplace (builtins.tail pattern) (replace ((builtins.head pattern) // { content = origin; }));
+  
+  buildNixpkgsConfig = import ./buildNixpkgsConfig;
 }

flake/nixos.nix

@@ -1,6 +1,6 @@
 { inputs, localLib }:
 let
-  singles = [ "nas" "pc" "vps6" "vps7" "one" "srv3" ];
+  singles = [ "nas" "pc" "vps4" "vps6" "r2s" ];
   cluster = { srv1 = 3; srv2 = 2; };
   deviceModules = builtins.listToAttrs
   (
@@ -25,9 +25,9 @@ let
       (localLib.attrsToList cluster)))
   );
 in builtins.mapAttrs
-  (_: v: inputs.nixpkgs.lib.nixosSystem
+  (n: v: inputs.nixpkgs.lib.nixosSystem
   {
-    system = "x86_64-linux";
+    system = null;
     specialArgs = { topInputs = inputs; inherit localLib; };
     modules = localLib.mkModules v;
   })

flake/packages.nix

@@ -1,17 +1,16 @@
 { inputs, localLib }: rec
 {
-  pkgs = (import inputs.nixpkgs
+  pkgs = import inputs.nixpkgs (localLib.buildNixpkgsConfig
   {
-    system = "x86_64-linux";
-    config.allowUnfree = true;
-    overlays = [ inputs.self.overlays.default ];
+    inputs = { inherit (inputs.nixpkgs) lib; topInputs = inputs; };
+    nixpkgs = { march = null; nixos = false; };
   });
   hpcstat =
     let
       openssh = (pkgs.pkgsStatic.openssh.override { withLdns = false; etcDir = null; }).overrideAttrs
         (prev: { doCheck = false; patches = prev.patches ++ [ ../packages/hpcstat/openssh.patch ];});
       duc = pkgs.pkgsStatic.duc.override { enableCairo = false; cairo = null; pango = null; };
-      glaze = pkgs.pkgsStatic.glaze.overrideAttrs
+      glaze = pkgs.pkgs-2411.pkgsStatic.glaze.overrideAttrs
         (prev: { cmakeFlags = prev.cmakeFlags ++ [ "-Dglaze_ENABLE_FUZZING=OFF" ]; });
       # pkgsStatic.clangStdenv have a bug
       # https://github.com/NixOS/nixpkgs/issues/177129
@@ -23,28 +22,31 @@
       version = inputs.self.rev or "dirty";
       stdenv = pkgs.pkgsStatic.gcc14Stdenv;
     };
-  inherit (pkgs.localPackages) blog;
   inherit (pkgs.localPackages.pkgsStatic) chn-bsub;
   vaspberry = pkgs.pkgsStatic.localPackages.vaspberry.override
   {
     gfortran = pkgs.pkgsStatic.gfortran;
     lapack = pkgs.pkgsStatic.openblas;
   };
-  jykang = import ../devices/jykang.xmuhpc inputs;
+  jykang = import ../devices/jykang.xmuhpc { inherit inputs localLib; };
+  xmuhk = import ../devices/xmuhk { inherit inputs localLib; };
   src =
     let getDrv = x:
       if pkgs.lib.isDerivation x then [ x ]
       else if builtins.isAttrs x then builtins.concatMap getDrv (builtins.attrValues x)
       else if builtins.isList x then builtins.concatMap getDrv x
       else [];
-    in pkgs.writeClosure (getDrv (inputs.self.outputs.src));
+    in pkgs.writeText "src" (builtins.concatStringsSep "\n" (getDrv inputs.self.outputs.src));
   dns-push = pkgs.callPackage ./dns
   {
     inherit localLib;
-    tokenPath = inputs.self.nixosConfigurations.pc.config.sops.secrets."acme/token".path;
-    octodns = pkgs.octodns.withProviders (_: [ pkgs.localPackages.octodns-cloudflare ]);
+    tokenPath = inputs.self.nixosConfigurations.pc.config.nixos.system.sops.secrets."acme/token".path;
+    octodns = pkgs.octodns.withProviders (_: with pkgs.octodns-providers; [ cloudflare ]);
   };
+  archive = pkgs.writeText "archive" (builtins.concatStringsSep "\n" (builtins.concatLists
+  [
+    (inputs.nixpkgs.lib.mapAttrsToList (_: v: v.config.system.build.toplevel) inputs.self.outputs.nixosConfigurations)
+    [ src ]
+  ]));
 }
-// (builtins.listToAttrs (builtins.map
-  (system: { inherit (system) name; value = system.value.config.system.build.toplevel; })
-  (localLib.attrsToList inputs.self.outputs.nixosConfigurations)))
+// (builtins.mapAttrs (_: v: v.config.system.build.toplevel) inputs.self.outputs.nixosConfigurations)

flake/src.nix

@@ -1,23 +1,22 @@
 { inputs }: let inherit (inputs.self.packages.x86_64-linux) pkgs; in
 {
-  git-lfs-transfer = "sha256-qHQeBI2b8EmUinowixqEuR6iGwNYQy3pSc8iPVfJemE=";
   nvhpc =
   {
     src = pkgs.fetchurl
     {
-      url = "https://developer.download.nvidia.com/hpc-sdk/24.11/nvhpc_2024_2411_Linux_x86_64_cuda_12.6.tar.gz";
-      sha256 = "080rb89p2z98b75wqssvp3s8x6b5n0556d0zskh3cfapcb08lh1r";
+      url = "https://developer.download.nvidia.com/hpc-sdk/25.3/nvhpc_2025_253_Linux_x86_64_cuda_12.8.tar.gz";
+      sha256 = "11gxb099yxrsxg9i6vydi7znxqiwqqkhgmg90s74qwpjyriqpbsp";
     };
     mpi = pkgs.requireFile
     {
       name = "openmpi-gitclone.tar.gz";
-      # download from https://developer.nvidia.com/networking/hpc-x/eula?mrequest=downloads&mtype=hpc&mver=hpc-x&mname=v2.22/hpcx-v2.22-gcc-doca_ofed-ubuntu24.04-cuda12-x86_64.tbz
+      # download from https://content.mellanox.com/hpc/hpc-x/v2.23/hpcx-v2.23-gcc-doca_ofed-ubuntu24.04-cuda12-x86_64.tbz
       # nix-prefetch-url file://$(pwd)/openmpi-gitclone.tar.gz
-      sha256 = "05r5x6mgw2f2kcq9vhdkfj42panchzlbpns8qy57y4jsbmabwabi";
+      sha256 = "1lx5gld4ay9p327hdlqsi72911cfm6s5v3yabjlmwr7sb27y8151";
       message = "Source file not found.";
     };
-    version = "24.11";
-    cudaVersion = "12.6";
+    version = "25.3";
+    cudaVersion = "12.8";
   };
   iso =
   {
@@ -30,15 +29,9 @@
     netboot = pkgs.fetchurl
     {
       url = "https://boot.netboot.xyz/ipxe/netboot.xyz.iso";
-      sha256 = "01hlslbi2i3jkzjwn24drhd2lriaqiwr9hb83r0nib9y1jvr3k5p";
+      sha256 = "6GeOcugqElGPoPXeaWVpjcV5bCFxNLShGgN/sjsVzuI=";
     };
   };
-  nglview = pkgs.fetchPypi
-  {
-    pname = "nglview";
-    version = "3.1.2";
-    hash = "sha256-f2cu+itsoNs03paOW1dmsUsbPa3iEtL4oIPGAKETRc4=";
-  };
   vasp =
   {
     vasp = pkgs.requireFile
@@ -58,31 +51,19 @@
       script = pkgs.fetchzip
       {
         url = "http://theory.cm.utexas.edu/code/vtstscripts.tgz";
-        sha256 = "18gsw2850ig1mg4spp39i0ygfcwx0lqnamysn5whiax22m8d5z67";
+        sha256 = "0wz9sw72w5gydvavm6sbcfssvvdiw8gh8hs0d0p0b23839dw4w6j";
       };
     };
   };
   huginn = pkgs.dockerTools.pullImage
   {
     imageName = "ghcr.io/huginn/huginn";
-    imageDigest = "sha256:fdaa76b95534f3c3a799d527821681dd61b8b6fc24de0a7e109fc665b627f115";
-    sha256 = "062c18360asnzl610n11vd46621cvkj26ay21l82f16r12k4qzwy";
-    finalImageName = "huginn/huginn";
+    imageDigest = "sha256:68e2c7082cd51d417e5ce76fe123810e9d52f4ab2018569df5b74b913ed3bc64";
+    sha256 = "0jpdysdphy1lyj6zwx2b1kbgs6bfnpkkx85mf1b9ybh3is6gaz6s";
+    finalImageName = "ghcr.io/huginn/huginn";
     finalImageTag = "latest";
   };
-  misskey =
-  {
-    "https://github.com/aiscript-dev/aiscript-languageserver/releases/download/0.1.6/aiscript-dev-aiscript-languageserver-0.1.6.tgz" = "0092d5r67bhf4xkvrdn4a2rm1drjzy7b5sw8mi7hp4pqvpc20ylr";
-    "https://github.com/misskey-dev/tabler-icons/archive/refs/tags/3.30.0-mi.1932+ab127beee.tar.gz" = "09aa34a02rdpcvrhl6xddzy173pg7pi9i551s692ggc3pq7fmdhw";
-  };
-  xmuvpn = pkgs.dockerTools.pullImage
-  {
-    imageName = "hagb/docker-easyconnect";
-    imageDigest = "sha256:1c3a86e41c1d2425a4fd555d279deaec6ff1e3c2287853eb16d23c9cb6dc3409";
-    sha256 = "1jpk2y46lnk0mi6ir7hdx0p6378p0v6qjbh6jm9a4cv5abw0mb2k";
-    finalImageName = "hagb/docker-easyconnec";
-    finalImageTag = "7.6.7";
-  };
+  misskey = {};
   lumerical =
   {
     lumerical = pkgs.requireFile
@@ -92,20 +73,50 @@
       hashMode = "recursive";
       message = "Source not found.";
     };
-    licenseManagerImage = pkgs.requireFile
+    licenseManager =
     {
-      name = "lumericalLicenseManager.tar";
-      sha256 = "VOtYMnDRUP74O2lAqMqBDLnXtNS8AhbBhyZBj/2aVoE=";
-      message = "Source not found.";
+      crack = pkgs.requireFile
+      {
+        name = "crack";
+        sha256 = "1a1k3nlaidi0kk2xxamb4pm46iiz6k3sxynhd65y8riylrkck3md";
+        hashMode = "recursive";
+        message = "Source file not found.";
+      };
+      src = pkgs.requireFile
+      {
+        name = "src";
+        sha256 = "1h93r0bb37279dzghi3k2axf0b8g0mgacw0lcww5j3sx0sqjbg4l";
+        hashMode = "recursive";
+        message = "Source file not found.";
+      };
+      image = "6803f9562b941c23db81a2eae5914561f96fa748536199a010fe6f24922b2878";
+      imageFile = pkgs.requireFile
+      {
+        name = "lumericalLicenseManager.tar";
+        sha256 = "ftEZADv8Mgo5coNKs+gxPZPl/YTV3FMMgrF3wUIBEiQ=";
+        message = "Source not found.";
+      };
+      license = pkgs.requireFile
+      {
+        name = "license";
+        sha256 = "07rwin14py6pl1brka7krz7k2g9x41h7ks7dmp1lxdassan86484";
+        message = "Source file not found.";
+      };
+      sifImageFile = pkgs.requireFile
+      {
+        name = "lumericalLicenseManager.sif";
+        sha256 = "i0HGLiRWoKuQYYx44GBkDBbyUvFLbfFShi/hx7KBSuU=";
+        message = "Source file not found.";
+      };
     };
   };
-  vesta =
+  vesta = rec
   {
-    version = "3.90.0a";
+    version = "3.5.8";
     src = pkgs.fetchurl
     {
-      url = "https://jp-minerals.org/vesta/archives/testing/VESTA-gtk3-x86_64.tar.bz2";
-      sha256 = "0bsvfr3409g2v1wgnfixpkjz1yzl2j1nlrk5a5rkdfs94rrvxzaa";
+      url = "https://jp-minerals.org/vesta/archives/${version}/VESTA-gtk3.tar.bz2";
+      sha256 = "1y4dhqhk0jy7kbkkx2c6lsrm5lirn796mq67r5j1s7xkq8jz1gkq";
     };
     desktopFile = pkgs.fetchurl
     {
@@ -117,7 +128,7 @@
   mirism-old = pkgs.requireFile
   {
     name = "mirism";
-    sha256 = "0f50pvdafhlmrlbf341mkp9q50v4ld5pbx92d2w1633f18zghbzf";
+    sha256 = "1zhhzwi325g21kqdip7zzw1i9b354h1wpzd4zhzb1ql9kjdh87q3";
     hashMode = "recursive";
     message = "Source file not found.";
   };
@@ -126,7 +137,7 @@
     version = "1.4.0";
     src = pkgs.fetchzip
     {
-      url = "https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/pslist/1.4.0-4/pslist_1.4.0.orig.tar.xz";
+      url = "https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/pslist/1.4.0-6/pslist_1.4.0.orig.tar.xz";
       sha256 = "1sp1h7ccniz658ms331npffpa9iz8llig43d9mlysll420nb3xqv";
     };
   };
@@ -147,4 +158,62 @@
     };
   };
   mathematica = pkgs.mathematica.src;
+  oneapi =
+  {
+    src = pkgs.fetchurl
+    {
+      url = "https://registrationcenter-download.intel.com/akdlm/IRC_NAS/2cf9c083-82b5-4a8f-a515-c599b09dcefc/"
+        + "intel-oneapi-hpc-toolkit-2025.1.1.40_offline.sh";
+      sha256 = "1qjy9dsnskwqsk66fm99b3cch1wp3rl9dx7y884p3x5kwiqdma2x";
+    };
+    version = "2025.1";
+    fullVersion = "2025.1.1.40";
+    components =
+    [
+      "intel.oneapi.lin.dpcpp-cpp-common,v=2025.1.1+10"
+      "intel.oneapi.lin.dpcpp-cpp-common.runtime,v=2025.1.1+10"
+      "intel.oneapi.lin.ifort-compiler,v=2025.1.1+10"
+      "intel.oneapi.lin.compilers-common.runtime,v=2025.1.1+10"
+      "intel.oneapi.lin.mpi.runtime,v=2021.15.0+493"
+      "intel.oneapi.lin.umf,v=0.10.0+355"
+      "intel.oneapi.lin.tbb.runtime,v=2022.1.0+425"
+      "intel.oneapi.lin.compilers-common,v=2025.1.1+10"
+    ];
+  };
+  rsshub = pkgs.dockerTools.pullImage
+  {
+    imageName = "diygod/rsshub";
+    imageDigest = "sha256:1f9d97263033752bf5e20c66a75e134e6045b6d69ae843c1f6610add696f8c22";
+    hash = "sha256-zN47lhQc3EX28LmGF4N3rDUPqumwmhfGn1OpvBYd2Vw=";
+    finalImageName = "rsshub";
+    finalImageTag = "latest";
+  };
+  atat = pkgs.fetchurl
+  {
+    url = "https://axelvandewalle.github.io/www-avdw/atat/atat3_50.tar.gz";
+    sha256 = "14sblzqsi5bxfhsjbq256bc2gfd7zrxyf5za0iaw77b592ppjg3m";
+  };
+  atomkit = pkgs.fetchurl
+  {
+    url = "mirror://sourceforge/atomkit/Binaries/atomkit.0.9.0.linux.x64.tar.gz";
+    sha256 = "0y9z7wva7zikh83w9q431lgn3bqkh1v5w6iz90dwc75wqwk0w5jr";
+  };
+  guix = pkgs.fetchurl
+  {
+    url = "https://ci.guix.gnu.org/download/2857";
+    name = "guix.iso";
+    sha256 = "0xqabnay8wwqc1a96db8ix1a6bhvgm84s5is1q67rr432q7gqgd4";
+  };
+  peerBanHelper =
+  {
+    image = "ghostchu/peerbanhelper:v8.0.12";
+    imageFile = pkgs.dockerTools.pullImage
+    {
+      imageName = "ghostchu/peerbanhelper";
+      imageDigest = "sha256:fce7047795fe1e6d730ea2583b390ccc336e79eb2d8dae8114f4f63f00208879";
+      hash = "sha256-7Z2ewDpGFXyvCze9HZ7KwFwn9o9R6Y4pjJDcr5Wmy1g=";
+      finalImageName = "ghostchu/peerbanhelper";
+      finalImageTag = "v8.0.12";
+    };
+  };
 }

modules/bugs/default.nix

@@ -12,8 +12,12 @@ let bugs =
     (attrs: { patches = attrs.patches ++ [ ./xmunet.patch ];}); };
   backlight.boot.kernelParams = [ "nvidia.NVreg_RegistryDwords=EnableBrightnessControl=1" ];
   amdpstate.boot.kernelParams = [ "amd_pstate=active" ];
-  iwlwifi.nixos.system.kernel.modules.modprobeConfig =
-    [ "options iwlwifi power_save=0" "options iwlmvm power_scheme=1" "options iwlwifi uapsd_disable=1" ];
+  iwlwifi.boot.extraModprobeConfig =
+  ''
+    options iwlwifi power_save=0
+    options iwlmvm power_scheme=1
+    options iwlwifi uapsd_disable=1
+  '';
 };
 in
 {

modules/default.nix

@@ -12,14 +12,17 @@ inputs: let inherit (inputs) topInputs; in
     topInputs.catppuccin.nixosModules.catppuccin
     topInputs.aagl.nixosModules.default
     topInputs.nixvirt.nixosModules.default
+    topInputs.niri.nixosModules.niri
+    { config.niri-flake.cache.enable = false; }
     (inputs:
     {
       config =
       {
         home-manager.sharedModules =
         [
-          topInputs.plasma-manager.homeManagerModules.plasma-manager
-          topInputs.catppuccin.homeManagerModules.catppuccin
+          topInputs.plasma-manager.homeModules.plasma-manager
+          topInputs.catppuccin.homeModules.catppuccin
+          topInputs.dankmaterialshell.homeModules.dankMaterialShell
         ];
       };
     })

modules/hardware/asus.nix

@@ -0,0 +1,10 @@
+inputs:
+{
+  options.nixos.hardware.asus = let inherit (inputs.lib) mkOption types; in mkOption
+    { type = types.nullOr (types.submodule {}); default = null; };
+  config = let inherit (inputs.config.nixos.hardware) asus; in inputs.lib.mkIf (asus != null)
+  {
+    services.asusd = { enable = true; enableUserService = true; };
+    programs.rog-control-center.enable = true;
+  };
+}

modules/hardware/cpu.nix

@@ -0,0 +1,29 @@
+inputs:
+{
+  options.nixos.hardware.cpu = let inherit (inputs.lib) mkOption types; in mkOption
+  {
+    type = types.nullOr (types.enum [ "intel" "amd" ]);
+    default = let inherit (inputs.config.nixos.system.nixpkgs) march; in
+      if march == null then null
+      else if inputs.lib.hasPrefix "znver" march then "amd"
+      else if (inputs.lib.hasSuffix "lake" march)
+        || (builtins.elem march [ "sandybridge" "silvermont" "haswell" "broadwell" ])
+        then "intel"
+      else null;
+  };
+  config = let inherit (inputs.config.nixos.hardware) cpu; in inputs.lib.mkIf (cpu != null) (inputs.lib.mkMerge
+  [
+    (inputs.lib.mkIf (cpu == "intel")
+    {
+      hardware.cpu.intel.updateMicrocode = true;
+      boot.initrd.availableKernelModules =
+        [ "intel_cstate" "aesni_intel" "intel_cstate" "intel_uncore" "intel_uncore_frequency" "intel_powerclamp" ];
+    })
+    (inputs.lib.mkIf (cpu == "amd")
+    {
+      hardware.cpu.amd = { updateMicrocode = true; ryzen-smu.enable = true; };
+      environment.systemPackages = with inputs.pkgs; [ zenmonitor ];
+      programs.ryzen-monitor-ng.enable = true;
+    })
+  ]);
+}

modules/hardware/cpus.nix

@@ -1,26 +0,0 @@
-inputs:
-{
-  options.nixos.hardware.cpus = let inherit (inputs.lib) mkOption types; in mkOption
-    { type = types.listOf (types.enum [ "intel" "amd" ]); default = []; };
-  config = let inherit (inputs.config.nixos.hardware) cpus; in inputs.lib.mkIf (cpus != [])
-  {
-    hardware.cpu = builtins.listToAttrs
-      (builtins.map (name: { inherit name; value = { updateMicrocode = true; }; }) cpus);
-    boot =
-    {
-      initrd.availableKernelModules =
-        let modules =
-        {
-          intel =
-          [
-            "intel_cstate" "aesni_intel" "intel_cstate" "intel_uncore" "intel_uncore_frequency" "intel_powerclamp"
-          ];
-          amd = [];
-        };
-        in builtins.concatLists (builtins.map (cpu: modules.${cpu}) cpus);
-    };
-    environment.systemPackages =
-      let packages = with inputs.pkgs; { intel = []; amd = [ zenmonitor ]; };
-      in builtins.concatLists (builtins.map (cpu: packages.${cpu}) cpus);
-  };
-}

modules/hardware/default.nix

@@ -21,13 +21,7 @@ inputs:
       {
         services =
         {
-          printing =
-          {
-            enable = true;
-            drivers = [ inputs.pkgs.cnijfilter2 ];
-            # TODO: remove in next update
-            browsed.enable = false;
-          };
+          printing = { enable = true; drivers = [ inputs.pkgs.cnijfilter2 ]; };
           avahi = { enable = true; nssmdns4 = true; openFirewall = true; };
         };
       }
@@ -36,7 +30,7 @@ inputs:
     (
       inputs.lib.mkIf (hardware.sound != null)
       {
-        hardware.pulseaudio.enable = false;
+        services.pulseaudio.enable = false;
         services.pipewire = { enable = true; alsa = { enable = true; support32Bit = true; }; pulse.enable = true; };
         security.rtkit.enable = true;
       }

modules/hardware/gpu.nix

@@ -2,25 +2,10 @@ inputs:
 {
   options.nixos.hardware.gpu = let inherit (inputs.lib) mkOption types; in
   {
-    type = mkOption
-    {
-      type = types.nullOr (types.enum
-      [
-        # single gpu
-        "intel" "nvidia" "amd"
-        # hibrid gpu: use nvidia prime offload mode
-        "intel+nvidia" "amd+nvidia"
-      ]);
-      default = null;
-    };
+    type = mkOption { type = types.nullOr (types.enum [ "intel" "nvidia" "amd" ]); default = null; };
     nvidia =
     {
       dynamicBoost = mkOption { type = types.bool; default = false; };
-      prime =
-      {
-        mode = mkOption { type = types.enum [ "offload" "sync" ]; default = "offload"; };
-        busId = mkOption { type = types.attrsOf types.nonEmptyStr; default = {}; };
-      };
       driver = mkOption { type = types.enum [ "production" "latest" "beta" ]; default = "production"; };
       open = mkOption { type = types.bool; default = true; };
     };
@@ -31,14 +16,16 @@ inputs:
     (
       let gpus = inputs.lib.strings.splitString "+" gpu.type; in
       {
-        boot.initrd.availableKernelModules =
-          let modules =
-          {
-            intel = [ "i915" ];
-            nvidia = []; # early loading breaks resume from hibernation
-            amd = [];
-          };
-          in builtins.concatLists (builtins.map (gpu: modules.${gpu}) gpus);
+        boot =
+        {
+          initrd.availableKernelModules =
+            {
+              intel = [ "i915" ];
+              nvidia = []; # early loading breaks resume from hibernation
+              amd = [];
+            }.${gpu.type};
+          blacklistedKernelModules = [ "nouveau" ];
+        };
         hardware =
         {
           graphics =
@@ -53,9 +40,9 @@ inputs:
                 nvidia = [ vaapiVdpau ];
                 amd = [];
               };
-              in builtins.concatLists (builtins.map (gpu: packages.${gpu}) gpus);
+              in packages.${gpu.type};
           };
-          nvidia = inputs.lib.mkIf (builtins.elem "nvidia" gpus)
+          nvidia = inputs.lib.mkIf (gpu.type == "nvidia")
           {
             modesetting.enable = true;
             powerManagement.enable = true;
@@ -66,10 +53,9 @@ inputs:
             prime.allowExternalGpu = true;
           };
         };
-        boot.blacklistedKernelModules = [ "nouveau" ];
         services.xserver.videoDrivers =
           let driver = { intel = "modesetting"; amd = "amdgpu"; nvidia = "nvidia"; };
-          in builtins.map (gpu: driver.${gpu}) gpus;
+          in [ driver.${gpu.type} ];
         nixos.packages.packages._packages =
           let packages = with inputs.pkgs;
           {
@@ -77,30 +63,23 @@ inputs:
             nvidia = [ nvtopPackages.full ];
             amd = [];
           };
-          in builtins.concatLists (builtins.map (gpu: packages.${gpu}) gpus);
-      }
-    )
-    # nvidia prime offload
-    (
-      inputs.lib.mkIf (inputs.lib.strings.hasSuffix "+nvidia" gpu.type) { hardware.nvidia =
-      {
-        prime =
+          in packages.${gpu.type};
+        environment.etc."nvidia/nvidia-application-profiles-rc.d/vram" = inputs.lib.mkIf (gpu.type == "nvidia")
         {
-          offload = inputs.lib.mkIf (gpu.nvidia.prime.mode == "offload") { enable = true; enableOffloadCmd = true; };
-          sync = inputs.lib.mkIf (gpu.nvidia.prime.mode == "sync") { enable = true; };
-        }
-        // builtins.listToAttrs (builtins.map
-          (gpu: { name = "${if gpu.name == "amd" then "amdgpu" else gpu.name}BusId"; value = "PCI:${gpu.value}"; })
-          (inputs.localLib.attrsToList gpu.nvidia.prime.busId));
-        powerManagement.finegrained = inputs.lib.mkIf (gpu.nvidia.prime.mode == "offload") true;
-      };}
+          source = inputs.pkgs.writeText "save-vram" (builtins.toJSON
+          {
+            rules = [{ pattern = { feature = "true"; matches = ""; }; profile = "save-vram"; }];
+            profiles = [{ name = "save-vram"; settings = [{ key = "GLVidHeapReuseRatio"; value = 0; }]; }];
+          });
+        };
+      }
     )
     # amdgpu
     (
       inputs.lib.mkIf (inputs.lib.strings.hasPrefix "amd" gpu.type) { hardware.amdgpu =
       {
         opencl.enable = true;
-        initrd.enable = true; # needed for waydroid
+        initrd.enable = true;
         legacySupport.enable = true;
         amdvlk = { enable = true; support32Bit.enable = true; supportExperimental.enable = true; };
       };}

modules/hardware/legion.nix

@@ -1,10 +0,0 @@
-inputs:
-{
-  options.nixos.hardware.legion = let inherit (inputs.lib) mkOption types; in mkOption
-    { type = types.nullOr (types.submodule {}); default = null; };
-  config = let inherit (inputs.config.nixos.hardware) legion; in inputs.lib.mkIf (legion != null)
-  {
-    environment.systemPackages = [ inputs.pkgs.lenovo-legion ];
-    boot.extraModulePackages = [ inputs.config.boot.kernelPackages.lenovo-legion-module ];
-  };
-}

modules/model.nix

@@ -3,7 +3,8 @@ inputs:
   options.nixos.model = let inherit (inputs.lib) mkOption types; in
   {
     hostname = mkOption { type = types.nonEmptyStr; };
-    type = mkOption { type = types.enum [ "vps" "desktop" "server" ]; default = "vps"; };
+    arch = mkOption { type = types.nonEmptyStr; default = "x86_64"; };
+    type = mkOption { type = types.enum [ "minimal" "desktop" "server" ]; default = "minimal"; };
     private = mkOption { type = types.bool; default = false; };
     cluster = mkOption
     {

modules/packages/android-studio.nix

@@ -1,12 +0,0 @@
-inputs:
-{
-  options.nixos.packages.android-studio = let inherit (inputs.lib) mkOption types; in mkOption
-  {
-    type = types.nullOr (types.submodule {});
-    default = null;
-  };
-  config = let inherit (inputs.config.nixos.packages) android-studio; in inputs.lib.mkIf (android-studio != null)
-  {
-    nixos.packages.packages._packages = with inputs.pkgs; [ androidStudioPackages.stable.full ];
-  };
-}

modules/packages/bash.nix

@@ -0,0 +1,17 @@
+inputs:
+{
+  options.nixos.packages.bash = let inherit (inputs.lib) mkOption types; in mkOption
+    { type = types.nullOr (types.submodule {}); default = {}; };
+  config = let inherit (inputs.config.nixos.packages) bash; in inputs.lib.mkIf (bash != null)
+  {
+    nixos.user.sharedModules = [(homeInputs:
+    {
+      config =
+      {
+        # set bash history file path, avoid overwriting zsh history
+        programs.bash = { enable = true; historyFile =  "${homeInputs.config.xdg.dataHome}/bash/bash_history"; };
+        home.shell.enableBashIntegration = true;
+      };
+    })];
+  };
+}

modules/packages/chromium.nix

@@ -3,7 +3,7 @@ inputs:
   options.nixos.packages.chromium = let inherit (inputs.lib) mkOption types; in mkOption
   {
     type = types.nullOr (types.submodule {});
-    default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
+    default = if inputs.config.nixos.model.type == "desktop" then {} else null;
   };
   config = let inherit (inputs.config.nixos.packages) chromium; in inputs.lib.mkIf (chromium != null)
   {

modules/packages/default.nix

@@ -1,25 +1,63 @@
 inputs:
 {
   imports = inputs.localLib.findModules ./.;
-  options.nixos.packages.packages = let inherit (inputs.lib) mkOption types; in
-  {
-    _packages = mkOption { type = types.listOf types.unspecified; default = []; };
-    _pythonPackages = mkOption { type = types.listOf types.unspecified; default = []; };
-    _prebuildPackages = mkOption { type = types.listOf types.unspecified; default = []; };
-    _pythonEnvFlags = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
-    _vscodeEnvFlags = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
-  };
-  config =
-  {
-    environment.systemPackages = with inputs.config.nixos.packages.packages;
-      _packages
-      ++ [
-        (
-          (inputs.pkgs.python3.withPackages (pythonPackages:
-            builtins.concatLists (builtins.map (packageFunction: packageFunction pythonPackages) _pythonPackages)))
-          .override (prev: { makeWrapperArgs = prev.makeWrapperArgs or [] ++ _pythonEnvFlags; }))
-        (inputs.pkgs.writeTextDir "share/prebuild-packages"
-          (builtins.concatStringsSep "\n" (builtins.map builtins.toString _prebuildPackages)))
-      ];
-  };
+  options.nixos.packages =
+    let
+      inherit (inputs.lib) mkOption types;
+      simpleSubmodule = mkOption { type = types.nullOr (types.submodule {}); default = null; };
+    in
+    {
+      packages =
+      {
+        _packages = mkOption { type = types.listOf types.unspecified; default = []; };
+        _pythonPackages = mkOption { type = types.listOf types.unspecified; default = []; };
+        _prebuildPackages = mkOption { type = types.listOf types.unspecified; default = []; };
+        _pythonEnvFlags = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
+        _vscodeEnvFlags = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
+      };
+    }
+    // (builtins.listToAttrs (builtins.map (n: inputs.lib.nameValuePair n simpleSubmodule)
+      [ "vasp" "mathematica" "lumerical" "flatpak" "android-studio" ]));
+  config = inputs.lib.mkMerge
+  [
+    {
+      environment.systemPackages = with inputs.config.nixos.packages.packages;
+        _packages
+        ++ [
+          (
+            (inputs.pkgs.python3.withPackages (pythonPackages:
+              builtins.concatLists (builtins.map (packageFunction: packageFunction pythonPackages) _pythonPackages)))
+            .override (prev: { makeWrapperArgs = prev.makeWrapperArgs or [] ++ _pythonEnvFlags; }))
+          (inputs.pkgs.writeTextDir "share/prebuild-packages"
+            (builtins.concatStringsSep "\n" (builtins.map builtins.toString _prebuildPackages)))
+        ];
+    }
+    (inputs.lib.mkIf (inputs.config.nixos.packages.vasp != null)
+    {
+      nixos.packages.packages = with inputs.pkgs;
+      {
+        _packages =
+        [
+          localPackages.vasp.intel localPackages.vasp.vtst localPackages.vaspkit wannier90
+          (if inputs.config.nixos.system.nixpkgs.cuda != null then localPackages.vasp.nvidia else emptyDirectory)
+          localPackages.atomkit (inputs.lib.mkAfter localPackages.atat)
+        ];
+        _pythonPackages = [(_: [ localPackages.py4vasp ])];
+      };
+    })
+    (inputs.lib.mkIf (inputs.config.nixos.packages.mathematica != null)
+      { nixos.packages.packages._packages = [ inputs.pkgs.mathematica ]; })
+    (inputs.lib.mkIf (inputs.config.nixos.packages.lumerical != null)
+    {
+      nixos =
+      {
+        packages.packages._packages = [ inputs.pkgs.localPackages.lumerical.lumerical.cmd ];
+        services.lumericalLicenseManager = {};
+      };
+    })
+    (inputs.lib.mkIf (inputs.config.nixos.packages.flatpak != null)
+      { services.flatpak = { enable = true; uninstallUnmanaged = true; }; })
+    (inputs.lib.mkIf (inputs.config.nixos.packages.android-studio != null)
+      { nixos.packages.packages._packages = with inputs.pkgs; [ androidStudioPackages.stable.full ]; })
+  ];
 }

modules/packages/desktop.nix

@@ -3,7 +3,7 @@ inputs:
   options.nixos.packages.desktop = let inherit (inputs.lib) mkOption types; in mkOption
   {
     type = types.nullOr (types.submodule {});
-    default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
+    default = if inputs.config.nixos.model.type == "desktop" then {} else null;
   };
   config = let inherit (inputs.config.nixos.packages) desktop; in inputs.lib.mkIf (desktop != null)
   {
@@ -16,7 +16,7 @@ inputs:
           # system management
           # TODO: module should add yubikey-touch-detector into path
           gparted wayland-utils clinfo glxinfo vulkan-tools dracut yubikey-touch-detector btrfs-assistant snapper-gui
-          kdePackages.qtstyleplugin-kvantum ventoy-full cpu-x wl-mirror geekbench xpra
+          kdePackages.qtstyleplugin-kvantum cpu-x wl-mirror geekbench xpra
           (
             writeShellScriptBin "xclip"
             ''
@@ -27,75 +27,59 @@ inputs:
           # color management
           argyllcms xcalib
           # networking
-          pkgs-unstable.remmina putty mtr-gui
+          remmina putty mtr-gui
           # media
-          mpv nomacs yesplaymusic simplescreenrecorder imagemagick gimp netease-cloud-music-gtk qcm
-          waifu2x-converter-cpp blender paraview vlc whalebird spotify obs-studio
+          mpv nomacs simplescreenrecorder imagemagick gimp-with-plugins netease-cloud-music-gtk qcm
+          waifu2x-converter-cpp blender paraview vlc whalebird spotify obs-studio subtitleeditor
           (inkscape-with-extensions.override { inkscapeExtensions = null; })
-          # themes
-          klassy localPackages.slate localPackages.blurred-wallpaper tela-circle-icon-theme
-          catppuccin catppuccin-sddm catppuccin-cursors catppuccinifier-gui catppuccinifier-cli catppuccin-plymouth
-          (catppuccin-kde.override { flavour = [ "latte" ]; }) (catppuccin-kvantum.override { variant = "latte"; })
-          # terminal
-          warp-terminal
           # development
           adb-sync scrcpy dbeaver-bin cling aircrack-ng
-          weston cage openbox krita jetbrains.clion fprettify
-          # desktop sharing
-          rustdesk-flutter
+          weston cage openbox krita fprettify # jetbrains.clion 
           # password and key management
-          yubikey-manager yubikey-manager-qt yubikey-personalization yubikey-personalization-gui bitwarden hashcat
-          electrum jabref john crunch
+          yubikey-manager bitwarden hashcat yubikey-personalization
           # download
-          qbittorrent nur-xddxdd.baidupcs-go wgetpaste onedrive onedrivegui rclone
+          qbittorrent
           # editor
-          typora appflowy notion-app-enhanced joplin-desktop standardnotes logseq obsidian pkgs-unstable.code-cursor
+          typora standardnotes
           # news
-          fluent-reader rssguard newsflash newsboat follow
+          fluent-reader rssguard newsflash newsboat folo
           # nix tools
           nixpkgs-fmt appimage-run nixd nix-serve node2nix nix-prefetch-github prefetch-npm-deps nix-prefetch-docker
-          nix-template nil pnpm-lock-export bundix
+          nix-template nil bundix
           # instant messager
-          element-desktop telegram-desktop discord zoom-us slack nur-linyinfeng.wemeet nheko
-          fluffychat signal-desktop qq nur-xddxdd.wechat-uos-sandboxed cinny-desktop
+          element-desktop telegram-desktop discord zoom-us slack nheko
           # browser
-          google-chrome tor-browser microsoft-edge
+          google-chrome tor-browser
           # office
-          crow-translate zotero pandoc texliveFull poppler_utils pdftk pdfchain davinci-resolve
-          ydict texstudio panoply pspp paperwork libreoffice-qt6-fresh ocrmypdf
+          crow-translate zotero pandoc texliveFull poppler_utils pdftk pdfchain
+          ydict texstudio panoply pspp libreoffice-qt6-fresh ocrmypdf typst # paperwork
+          # required by ltex-plus.vscode-ltex-plus
+          ltex-ls ltex-ls-plus
           # matplot++ needs old gnuplot
-          inputs.pkgs."pkgs-23.11".gnuplot
+          pkgs-2311.gnuplot
           # math, physics and chemistry
           octaveFull ovito localPackages.vesta localPackages.v-sim jmol mpi geogebra6 localPackages.ufo
-          (quantum-espresso.override { stdenv = gcc14Stdenv; gfortran = gfortran14;
-            wannier90 = inputs.pkgs.wannier90.overrideAttrs { buildFlags = [ "dynlib" ]; }; })
-          inputs.pkgs."pkgs-23.11".hdfview numbat qalculate-qt
+          (quantum-espresso.override { stdenv = gcc14Stdenv; gfortran = gfortran14; })
+          pkgs-2311.hdfview numbat qalculate-qt
           # virtualization
           virt-viewer bottles wineWowPackages.stagingFull genymotion playonlinux
           # media
           nur-xddxdd.svp
           # for kdenlive auto subtitle
           openai-whisper
-          # TODO: remove on next release
-          # phonopy have some bug, we use the version from nixpkgs-unstable
-          (inputs.lib.hiPrio pkgs-unstable.python3Packages.phonopy)
-          (inputs.lib.hiPrio pkgs-unstable.localPackages.phono3py)
+          # daily management
+          activitywatch
         ]
           ++ (builtins.filter (p: !((p.meta.broken or false) || (builtins.elem p.pname or null [ "falkon" "kalzium" ])))
             (builtins.filter inputs.lib.isDerivation (builtins.attrValues kdePackages.kdeGear)));
         _pythonPackages = [(pythonPackages: with pythonPackages;
-        [
-          phonopy scipy scikit-learn jupyterlab autograd
-          # TODO: broken on python 3.12 tensorflow keras
-          # for phonopy
-          inputs.pkgs.localPackages.spectroscopy numpy
-        ])];
+          [ phonopy scipy scikit-learn jupyterlab autograd inputs.pkgs.localPackages.phono3py numpy ])];
       };
       user.sharedModules =
       [{
         config.programs =
         {
-          plasma =
+          plasma = inputs.lib.mkIf (inputs.config.nixos.system.gui.implementation == "kde")
           {
             enable = true;
             configFile =
@@ -107,9 +91,15 @@ inputs:
                   inherit (inputs.topInputs) nixos-wallpaper;
                   isPicture = f: builtins.elem (inputs.lib.last (inputs.lib.splitString "." f))
                     [ "png" "jpg" "jpeg" "webp" ];
+                  listDirRecursive =
+                    let listDir = dir:
+                      if dir.value == "directory" then builtins.concatLists
+                        (builtins.map (f: listDir f) (inputs.localLib.attrsToList (builtins.readDir dir.name)))
+                      else [ dir ];
+                    in dir: listDir { name = dir; value = "directory"; };
                 in builtins.concatStringsSep "," (builtins.map (f: "${nixos-wallpaper}/${f.name}")
                   (builtins.filter (f: (isPicture f.name) && (f.value == "regular"))
-                    (inputs.localLib.attrsToList (builtins.readDir nixos-wallpaper))));
+                    (listDirRecursive nixos-wallpaper)));
             };
             powerdevil =
               let config =
@@ -125,7 +115,7 @@ inputs:
           obs-studio =
           {
             enable = true;
-            plugins = with inputs.pkgs.obs-studio-plugins; [ wlrobs obs-vaapi obs-nvfbc droidcam-obs obs-vkcapture ];
+            plugins = with inputs.pkgs.obs-studio-plugins; [ wlrobs obs-vaapi droidcam-obs obs-vkcapture ];
           };
         };
       }];
@@ -136,10 +126,16 @@ inputs:
       wireshark = { enable = true; package = inputs.pkgs.wireshark; };
       yubikey-touch-detector.enable = true;
       kdeconnect.enable = true;
-      anime-game-launcher = { enable = true; package = inputs.pkgs.anime-game-launcher; };
-      honkers-railway-launcher = { enable = true; package = inputs.pkgs.honkers-railway-launcher; };
-      sleepy-launcher = { enable = true; package = inputs.pkgs.sleepy-launcher; };
+      kde-pim = { enable = true; kmail = true; };
+      coolercontrol =
+      {
+        enable = true;
+        nvidiaSupport = if inputs.config.nixos.hardware.gpu.type == null then false
+          else inputs.lib.hasSuffix "nvidia" inputs.config.nixos.hardware.gpu.type;
+      };
+      alvr = { enable = true; openFirewall = true; };
+      localsend.enable = true;
     };
-    services.pcscd.enable = true;
+    services = { pcscd.enable = true; lact.enable = true; };
   };
 }

modules/packages/extra.nix

@@ -0,0 +1,25 @@
+inputs:
+{
+  options.nixos.packages.extra = let inherit (inputs.lib) mkOption types; in mkOption
+    { type = types.nullOr (types.submodule {}); default = null; };
+  config = let inherit (inputs.config.nixos.packages) extra; in inputs.lib.mkIf (extra != null)
+  {
+    nixos.packages.packages._packages = with inputs.pkgs;
+    [
+      ventoy-full
+      davinci-resolve
+      fluffychat signal-desktop qq nur-xddxdd.wechat-uos-sandboxed cinny-desktop hexchat halloy
+      appflowy notion-app-enhanced joplin-desktop logseq obsidian code-cursor
+      warp-terminal
+      rustdesk-flutter
+      yubikey-manager-qt yubikey-personalization-gui electrum jabref john crunch
+      nur-xddxdd.baidupcs-go wgetpaste onedrive onedrivegui rclone
+    ];
+    programs =
+    {
+      anime-game-launcher = { enable = true; package = inputs.pkgs.anime-game-launcher; };
+      honkers-railway-launcher = { enable = true; package = inputs.pkgs.honkers-railway-launcher; };
+      sleepy-launcher = { enable = true; package = inputs.pkgs.sleepy-launcher; };
+    };
+  };
+}

modules/packages/firefox.nix

@@ -12,11 +12,10 @@ inputs:
     {
       enable = true;
       languagePacks = [ "zh-CN" "en-US" ];
-      nativeMessagingHosts.packages = with inputs.pkgs; [ uget-integrator firefoxpwa ];
+      nativeMessagingHosts.packages = with inputs.pkgs; [ uget-integrator ];
     };
     nixos =
     {
-      packages.packages._packages = [ inputs.pkgs.firefoxpwa ];
       user.sharedModules =
       [{
         config =
@@ -25,18 +24,23 @@ inputs:
           {
             enable = true;
             nativeMessagingHosts = with inputs.pkgs;
-              [ kdePackages.plasma-browser-integration uget-integrator firefoxpwa ];
+            (
+              [ uget-integrator ]
+              ++ (inputs.lib.optionals (inputs.config.nixos.system.gui.implementation == "kde")
+                [ kdePackages.plasma-browser-integration ])
+            );
             # TODO: use fixed-version of plugins
             policies.DefaultDownloadDirectory = "\${home}/Downloads";
             profiles.default =
             {
-              extensions = with inputs.pkgs.firefox-addons;
+              extensions.packages = with inputs.pkgs.firefox-addons;
               [
                 tampermonkey bitwarden cookies-txt dualsub firefox-color i-dont-care-about-cookies
-                metamask pakkujs switchyomega rsshub-radar rsspreview tabliss tree-style-tab ublock-origin wallabagger
-                wappalyzer grammarly plasma-integration zotero-connector pwas-for-firefox smartproxy kiss-translator
-              ];
-              search = { default = "Google"; force = true; };
+                metamask pakkujs rsshub-radar rsspreview tabliss tree-style-tab ublock-origin
+                wappalyzer grammarly zotero-connector smartproxy kiss-translator
+              ] ++ (inputs.lib.optionals (inputs.config.nixos.system.gui.implementation == "kde")
+                [ plasma-integration ]);
+              search = { default = "google"; force = true; };
               userChrome = builtins.readFile "${inputs.topInputs.lepton}/userChrome.css";
               userContent = builtins.readFile "${inputs.topInputs.lepton}/userContent.css";
               extraConfig = builtins.readFile "${inputs.topInputs.lepton}/user.js";

modules/packages/flatpak.nix

@@ -1,12 +0,0 @@
-inputs:
-{
-  options.nixos.packages.flatpak = let inherit (inputs.lib) mkOption types; in mkOption
-  {
-    type = types.nullOr (types.submodule {});
-    default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
-  };
-  config = let inherit (inputs.config.nixos.packages) flatpak; in inputs.lib.mkIf (flatpak != null)
-  {
-    services.flatpak = { enable = true; uninstallUnmanaged = true; };
-  };
-}

modules/packages/git.nix

@@ -7,16 +7,18 @@ inputs:
     programs.git =
     {
       enable = true;
-      package = inputs.pkgs.gitFull;
-      lfs.enable = true;
+      # do not use gitFull, otherwise it will use its own ssh
+      # package = inputs.pkgs.gitFull;
+      lfs = { enable = true; enablePureSSHTransfer = true; };
       config =
       {
         init.defaultBranch = "main";
         core.quotepath = false;
         lfs.ssh.automultiplex = false; # 避免 lfs 一直要求触摸 yubikey
         receive.denyCurrentBranch = "warn"; # 允许 push 到非 bare 的仓库
+        merge.ours.driver = true; # 允许 .gitattributes 中设置的 merge=ours 生效
+        advice.addIgnoredFile = false; # 关闭 add 忽略文件时的提示
       };
     };
-    nixos.packages.packages._packages = [ inputs.pkgs.localPackages.git-lfs-transfer ]; # make pure ssh lfs work
   };
 }

modules/packages/lammps.nix

@@ -1,22 +0,0 @@
-inputs:
-{
-  options.nixos.packages.lammps = let inherit (inputs.lib) mkOption types; in mkOption
-  {
-    type = types.nullOr (types.submodule {});
-    default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
-  };
-  config = let inherit (inputs.config.nixos.packages) lammps; in inputs.lib.mkIf (lammps != null)
-  {
-    nixos.packages.packages._packages =
-      let cuda = let inherit (inputs.config.nixos.system.nixpkgs) cuda; in cuda.capabilities or null != null;
-      in
-        if cuda then [((inputs.pkgs.lammps.override { stdenv = inputs.pkgs.cudaPackages.backendStdenv; })
-          .overrideAttrs (prev:
-          {
-            cmakeFlags = prev.cmakeFlags ++ [ "-DPKG_GPU=on" "-DGPU_API=cuda" "-DCMAKE_POLICY_DEFAULT_CMP0146=OLD" ];
-            nativeBuildInputs = prev.nativeBuildInputs ++ [ inputs.pkgs.cudaPackages.cudatoolkit ];
-            buildInputs = prev.buildInputs ++ [ inputs.pkgs.mpi ];
-          }))]
-        else [ inputs.pkgs.lammps-mpi ];
-  };
-}

modules/packages/mathematica.nix

@@ -1,10 +0,0 @@
-inputs:
-{
-  options.nixos.packages.mathematica = let inherit (inputs.lib) mkOption types; in mkOption
-  {
-    type = types.nullOr (types.submodule {});
-    default = null;
-  };
-  config = let inherit (inputs.config.nixos.packages) mathematica; in inputs.lib.mkIf (mathematica != null)
-    { nixos.packages.packages._packages = [ inputs.pkgs.mathematica ]; };
-}

modules/packages/minimal.nix

@@ -1,18 +1,18 @@
 inputs:
 {
-  options.nixos.packages.server = let inherit (inputs.lib) mkOption types; in mkOption
+  options.nixos.packages.minimal = let inherit (inputs.lib) mkOption types; in mkOption
     { type = types.nullOr (types.submodule {}); default = {}; };
-  config = let inherit (inputs.config.nixos.packages) server; in inputs.lib.mkIf (server != null)
+  config = let inherit (inputs.config.nixos.packages) minimal; in inputs.lib.mkIf (minimal != null)
   {
     nixos.packages.packages =
     {
       _packages = with inputs.pkgs;
       [
         # basic tools
-        beep dos2unix gnugrep pv tmux screen parallel tldr cowsay jq yq zellij ipfetch localPackages.pslist
-        fastfetch reptyr duc ncdu progress libva-utils ksh neofetch dateutils kitty
+        beep dos2unix gnugrep pv tmux screen parallel tldr cowsay jq yq ipfetch localPackages.pslist
+        fastfetch reptyr duc ncdu progress libva-utils ksh neofetch dateutils kitty glib
         # lsxx
-        pciutils usbutils lshw util-linux lsof dmidecode lm_sensors hwloc acpica-tools
+        pciutils usbutils lshw util-linux lsof dmidecode lm_sensors hwloc acpica-tools ethtool
         # top
         iotop iftop htop btop powertop s-tui
         # editor
@@ -22,30 +22,50 @@ inputs:
         # file manager
         tree eza trash-cli lsd broot file xdg-ninja mlocate
         # compress
-        pigz upx unzip zip lzip p7zip rar
+        pigz upx unzip zip lzip p7zip
+        (if inputs.pkgs.stdenv.hostPlatform.linuxArch == "x86_64" then rar else emptyDirectory)
         # file system management
-        sshfs e2fsprogs duperemove compsize exfatprogs
+        sshfs e2fsprogs compsize exfatprogs
         # disk management
-        smartmontools hdparm gptfdisk megacli
+        smartmontools hdparm gptfdisk
+        (if inputs.pkgs.stdenv.hostPlatform.linuxArch == "x86_64" then megacli else emptyDirectory)
         # encryption and authentication
         apacheHttpd openssl ssh-to-age gnupg age sops pam_u2f yubico-piv-tool libfido2
         # networking
-        ipset iptables iproute2 dig nettools traceroute tcping-go whois tcpdump nmap inetutils wireguard-tools
+        ipset iptables iproute2 dig nettools traceroute tcping-go whois tcpdump nmap inetutils wireguard-tools openvpn
+        parted
         # nix tools
-        pkgs-unstable.nix-output-monitor nix-tree ssh-to-age nix-inspect
+        nix-output-monitor nix-tree ssh-to-age nix-inspect
         # development
-        gdb try inputs.topInputs.plasma-manager.packages.${inputs.pkgs.system}.rc2nix rr hexo-cli gh nix-init hugo
-        (octodns.withProviders (_: [ localPackages.octodns-cloudflare ]))
+        gdb try rr hexo-cli gh hugo
+        # build failed on aarch64
+        (if inputs.pkgs.stdenv.hostPlatform.linuxArch == "x86_64" then nix-init else emptyDirectory)
+        (octodns.withProviders (_: with octodns-providers; [ cloudflare ]))
         # stupid things
         toilet lolcat localPackages.stickerpicker graph-easy
         # office
-        pdfgrep ffmpeg-full hdf5 # todo-txt-cli 
+        pdfgrep ffmpeg-full hdf5
+        # scientific computing
+        (if inputs.config.nixos.system.nixpkgs.cuda != null then localPackages.mumax else emptyDirectory)
+        (if inputs.config.nixos.system.nixpkgs.cuda != null
+          then (lammps.override { stdenv = cudaPackages.backendStdenv; }).overrideAttrs (prev:
+          {
+            cmakeFlags = prev.cmakeFlags ++
+              [ "-DPKG_GPU=on" "-DGPU_API=cuda" "-DCMAKE_POLICY_DEFAULT_CMP0146=OLD" ];
+            nativeBuildInputs = prev.nativeBuildInputs ++ [ cudaPackages.cudatoolkit ];
+            buildInputs = prev.buildInputs ++ [ mpi ];
+          })
+          else lammps-mpi)
       ]
-        ++ (with inputs.config.boot.kernelPackages; [ cpupower usbip ]);
+        ++ (with inputs.config.boot.kernelPackages; [ cpupower usbip ])
+        ++ (inputs.lib.optionals (inputs.config.nixos.system.gui.implementation == "kde")
+          [ inputs.topInputs.plasma-manager.packages.${inputs.pkgs.system}.rc2nix ]);
       _pythonPackages = [(pythonPackages: with pythonPackages;
       [
-        openai python-telegram-bot fastapi-cli pypdf2 pandas matplotlib plotly gunicorn redis jinja2
-        certifi charset-normalizer idna orjson psycopg2 inquirerpy requests tqdm pydbus odfpy
+        openai python-telegram-bot fastapi-cli pypdf2 pandas matplotlib plotly gunicorn redis jinja2 certifi 
+        charset-normalizer idna orjson psycopg2 inquirerpy requests tqdm pydbus
+        # allow pandas read odf
+        odfpy
         # for vasp plot-workfunc.py
         ase
       ])];

modules/packages/mumax.nix

@@ -1,16 +0,0 @@
-inputs:
-{
-  options.nixos.packages.mumax = let inherit (inputs.lib) mkOption types; in mkOption
-  {
-    type = types.nullOr (types.submodule {});
-    default =
-      if (builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ])
-        && (let inherit (inputs.config.nixos.system.nixpkgs) cuda; in cuda.capabilities or null != null)
-      then {}
-      else null;
-  };
-  config = let inherit (inputs.config.nixos.packages) mumax; in inputs.lib.mkIf (mumax != null)
-  {
-    nixos.packages.packages._packages = [ inputs.pkgs.localPackages.mumax ];
-  };
-}

modules/packages/nushell.nix

@@ -1,10 +1,7 @@
 inputs:
 {
   options.nixos.packages.nushell = let inherit (inputs.lib) mkOption types; in mkOption
-  {
-    type = types.nullOr (types.submodule {});
-    default = {};
-  };
+    { type = types.nullOr (types.submodule {}); default = {}; };
   config = let inherit (inputs.config.nixos.packages) nushell; in inputs.lib.mkIf (nushell != null)
   {
     nixos =

modules/packages/root.nix

@@ -6,17 +6,13 @@ inputs:
   {
     nixos.packages.packages =
       let
-        root = inputs.pkgs.root.overrideAttrs (prev:
-        {
-          patches = prev.patches or [] ++ [ ./17253.patch ./17273.patch ];
-          cmakeFlags = prev.cmakeFlags ++ [ "-DCMAKE_CXX_STANDARD=23" ];
-        });
+        inherit (inputs.pkgs) root;
         jupyterPath = inputs.pkgs.jupyter-kernel.create { definitions.root = rec
         {
           displayName = "ROOT";
           language = "c++";
           argv = [ "/run/current-system/sw/bin/python3" "-m" "JupyROOT.kernel.rootkernel" "-f" "{connection_file}" ];
-          logo64 = "${root}/etc/root/notebook/kernels/root/logo-64x64.png";
+          logo64 = "${root}/etc/notebook/kernels/root/logo-64x64.png";
           logo32 = inputs.pkgs.runCommand "logo-32x32.png" {}
             "${inputs.pkgs.imagemagick}/bin/convert ${logo64} -resize 32x32 $out";
         };};

modules/packages/root/17253.patch

@@ -1,151 +0,0 @@
-From 1d2acc921853825af02059183b683c35f5075302 Mon Sep 17 00:00:00 2001
-From: chn <chn@chn.moe>
-Date: Wed, 11 Dec 2024 22:33:40 +0800
-Subject: [PATCH] add C++23 support
-
----
- graf3d/eve7/inc/ROOT/REveCaloData.hxx             |  4 ++--
- graf3d/eve7/src/REveCaloData.cxx                  |  3 +++
- interpreter/cling/lib/Interpreter/CIFactory.cpp   | 15 +++++++++++----
- .../Interpreter/IncrementalCUDADeviceCompiler.cpp |  2 ++
- .../cling/tools/Jupyter/kernel/clingkernel.py     |  4 ++--
- .../inc/RooStats/HistFactory/HistRef.h            |  3 +--
- .../inc/RooFit/Detail/NormalizationHelpers.h      |  3 +--
- 7 files changed, 22 insertions(+), 12 deletions(-)
-
-diff --git a/graf3d/eve7/inc/ROOT/REveCaloData.hxx b/graf3d/eve7/inc/ROOT/REveCaloData.hxx
-index 79d2e7069504c..33152334730f4 100644
---- a/graf3d/eve7/inc/ROOT/REveCaloData.hxx
-+++ b/graf3d/eve7/inc/ROOT/REveCaloData.hxx
-@@ -174,7 +174,7 @@ protected:
- 
- public:
-    REveCaloData(const char* n="REveCaloData", const char* t="");
--   ~REveCaloData() override {}
-+   ~REveCaloData() override;
- 
-    void    FillImpliedSelectedSet(Set_t& impSelSet, const std::set<int>& sec_idcs) override;
- 
-@@ -220,7 +220,7 @@ public:
-    Bool_t   GetWrapTwoPi() const { return fWrapTwoPi; }
-    void     SetWrapTwoPi(Bool_t w) { fWrapTwoPi=w; }
- 
--   void     SetSelector(REveCaloDataSelector* iSelector) { fSelector.reset(iSelector); }
-+   void     SetSelector(REveCaloDataSelector* iSelector);
-    REveCaloDataSelector* GetSelector() { return fSelector.get(); }
- 
-    Int_t WriteCoreJson(nlohmann::json &j, Int_t rnr_offset) override;
-diff --git a/graf3d/eve7/src/REveCaloData.cxx b/graf3d/eve7/src/REveCaloData.cxx
-index a5248f3c51d39..dc19d7d1be4a4 100644
---- a/graf3d/eve7/src/REveCaloData.cxx
-+++ b/graf3d/eve7/src/REveCaloData.cxx
-@@ -129,6 +129,9 @@ REveCaloData::REveCaloData(const char* n, const char* t):
-    // Constructor.
- }
- 
-+REveCaloData::~REveCaloData() {}
-+void REveCaloData::SetSelector(REveCaloDataSelector* iSelector) { fSelector.reset(iSelector); }
-+
- ////////////////////////////////////////////////////////////////////////////////
- /// Process newly selected cells with given select-record.
- 
-diff --git a/interpreter/cling/lib/Interpreter/CIFactory.cpp b/interpreter/cling/lib/Interpreter/CIFactory.cpp
-index 385c03682575d..d33ce3a0039c5 100644
---- a/interpreter/cling/lib/Interpreter/CIFactory.cpp
-+++ b/interpreter/cling/lib/Interpreter/CIFactory.cpp
-@@ -61,14 +61,18 @@ using namespace cling;
- 
- namespace {
-   static constexpr unsigned CxxStdCompiledWith() {
-+    // The value of __cplusplus in GCC < 14 is 202100L when -std=c++2b or
-+    // -std=c++23 is specified, thus we relax the check to 202100L.
-+#if __cplusplus >= 202100L
-+    return 23;
-+#elif __cplusplus >  201703L
-+    return 20;
-+#elif __cplusplus > 201402L
-+    return 17;
-     // The value of __cplusplus in GCC < 5.0 (e.g. 4.9.3) when
-     // either -std=c++1y or -std=c++14 is specified is 201300L, which fails
-     // the test for C++14 or more (201402L) as previously specified.
-     // I would claim that the check should be relaxed to:
--#if __cplusplus >  201703L
--    return 20;
--#elif __cplusplus > 201402L
--    return 17;
- #elif __cplusplus > 201103L || (defined(_WIN32) && _MSC_VER >= 1900)
-     return 14;
- #elif __cplusplus >= 201103L
-@@ -941,6 +945,8 @@ namespace {
-     // Sanity check that clang delivered the language standard requested
-     if (CompilerOpts.DefaultLanguage(&LangOpts)) {
-       switch (CxxStdCompiledWith()) {
-+        case 23: assert(LangOpts.CPlusPlus23 && "Language version mismatch");
-+          LLVM_FALLTHROUGH;
-         case 20: assert(LangOpts.CPlusPlus20 && "Language version mismatch");
-           LLVM_FALLTHROUGH;
-         case 17: assert(LangOpts.CPlusPlus17 && "Language version mismatch");
-@@ -1343,6 +1349,7 @@ namespace {
-       // and by enforcing the std version now cling is telling clang what to
-       // do, rather than after clang has dedcuded a default.
-       switch (CxxStdCompiledWith()) {
-+        case 23: argvCompile.emplace_back("-std=c++23"); break;
-         case 20: argvCompile.emplace_back("-std=c++20"); break;
-         case 17: argvCompile.emplace_back("-std=c++17"); break;
-         case 14: argvCompile.emplace_back("-std=c++14"); break;
-diff --git a/interpreter/cling/lib/Interpreter/IncrementalCUDADeviceCompiler.cpp b/interpreter/cling/lib/Interpreter/IncrementalCUDADeviceCompiler.cpp
-index ac6bd0e89444e..a492add8a01fc 100644
---- a/interpreter/cling/lib/Interpreter/IncrementalCUDADeviceCompiler.cpp
-+++ b/interpreter/cling/lib/Interpreter/IncrementalCUDADeviceCompiler.cpp
-@@ -117,6 +117,8 @@ namespace cling {
-       cppStdVersion = "-std=c++1z";
-     if (langOpts.CPlusPlus20)
-       cppStdVersion = "-std=c++20";
-+    if (langOpts.CPlusPlus23)
-+      cppStdVersion = "-std=c++23";
- 
-     if (cppStdVersion.empty())
-       llvm::errs()
-diff --git a/interpreter/cling/tools/Jupyter/kernel/clingkernel.py b/interpreter/cling/tools/Jupyter/kernel/clingkernel.py
-index 17fcbd116ecc6..17b4d24f23d86 100644
---- a/interpreter/cling/tools/Jupyter/kernel/clingkernel.py
-+++ b/interpreter/cling/tools/Jupyter/kernel/clingkernel.py
-@@ -90,8 +90,8 @@ def _banner_default(self):
-     flush_interval = Float(0.25, config=True)
- 
-     std = CaselessStrEnum(default_value='c++11',
--            values = ['c++11', 'c++14', 'c++1z', 'c++17', 'c++20', 'c++2b'],
--            help="C++ standard to use, either c++2b, c++20, c++17, c++1z, c++14 or c++11").tag(config=True);
-+            values = ['c++11', 'c++14', 'c++1z', 'c++17', 'c++20', 'c++2b', 'c++23' ],
-+            help="C++ standard to use, either c++23, c++2b, c++20, c++17, c++1z, c++14 or c++11").tag(config=True);
- 
-     def __init__(self, **kwargs):
-         super(ClingKernel, self).__init__(**kwargs)
-diff --git a/roofit/histfactory/inc/RooStats/HistFactory/HistRef.h b/roofit/histfactory/inc/RooStats/HistFactory/HistRef.h
-index 7db9765004e0d..5b37542e6bdea 100644
---- a/roofit/histfactory/inc/RooStats/HistFactory/HistRef.h
-+++ b/roofit/histfactory/inc/RooStats/HistFactory/HistRef.h
-@@ -12,8 +12,7 @@
- #define HISTFACTORY_HISTREF_H
- 
- #include <memory>
--
--class TH1;
-+#include <TH1.h>
- 
- namespace RooStats{
- namespace HistFactory {
-diff --git a/roofit/roofitcore/inc/RooFit/Detail/NormalizationHelpers.h b/roofit/roofitcore/inc/RooFit/Detail/NormalizationHelpers.h
-index c66954d0f0549..a849d7c2c8b4b 100644
---- a/roofit/roofitcore/inc/RooFit/Detail/NormalizationHelpers.h
-+++ b/roofit/roofitcore/inc/RooFit/Detail/NormalizationHelpers.h
-@@ -70,8 +70,7 @@ template <class T>
- std::unique_ptr<T> compileForNormSet(T const &arg, RooArgSet const &normSet)
- {
-    RooFit::Detail::CompileContext ctx{normSet};
--   std::unique_ptr<RooAbsArg> head = arg.compileForNormSet(normSet, ctx);
--   return std::unique_ptr<T>{static_cast<T *>(head.release())};
-+   return std::unique_ptr<T>{static_cast<T *>(arg.compileForNormSet(normSet, ctx).release())};
- }
- 
- } // namespace Detail

modules/packages/root/17273.patch

@@ -1,22 +0,0 @@
-From ab80270dd50f4ae08e452daa3fd0eccc7f9f96ee Mon Sep 17 00:00:00 2001
-From: Danilo Piparo <danilo.piparo@cern.ch>
-Date: Sat, 14 Dec 2024 07:45:22 +0100
-Subject: [PATCH 1/2] [CMake] Allow to process cxx23 option
-
----
- cmake/modules/CheckCompiler.cmake | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/cmake/modules/CheckCompiler.cmake b/cmake/modules/CheckCompiler.cmake
-index 883bf0e2daed1..c2ac5df869797 100644
---- a/cmake/modules/CheckCompiler.cmake
-+++ b/cmake/modules/CheckCompiler.cmake
-@@ -161,7 +161,7 @@ set(CMAKE_CXX_STANDARD ${CXX_STANDARD_STRING} CACHE STRING "")
- set(CMAKE_CXX_STANDARD_REQUIRED TRUE)
- set(CMAKE_CXX_EXTENSIONS FALSE CACHE BOOL "")
- 
--if(NOT CMAKE_CXX_STANDARD MATCHES "17|20")
-+if(NOT CMAKE_CXX_STANDARD MATCHES "17|20|23")
-   message(FATAL_ERROR "Unsupported C++ standard: ${CMAKE_CXX_STANDARD}. Supported standards are: 17, 20.")
- endif()
- 

modules/packages/ssh.nix

@@ -37,9 +37,7 @@ inputs:
       config.programs.ssh =
       {
         enable = true;
-        controlMaster = "auto";
-        controlPersist = "1m";
-        compression = true;
+        enableDefaultConfig = false;
         matchBlocks = builtins.listToAttrs (builtins.map
           (host:
           {
@@ -64,6 +62,13 @@ inputs:
             extraOptions.AddKeysToAgent = "yes";
           };
           "wg0.jykang" = jykang // { host = "wg0.jykang"; proxyJump = "wg0.srv2"; };
+          "*" =
+          {
+            controlMaster = "auto";
+            controlPersist = "1m";
+            compression = true;
+            controlPath = "~/.ssh/master-%r@%n:%p";
+          };
         };
       };
     })];

modules/packages/vasp.nix

@@ -1,23 +0,0 @@
-inputs:
-{
-  options.nixos.packages.vasp = let inherit (inputs.lib) mkOption types; in mkOption
-  {
-    type = types.nullOr (types.submodule {});
-    default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
-  };
-  # TODO: add more options to correctly configure VASP
-  config = let inherit (inputs.config.nixos.packages) vasp; in inputs.lib.mkIf (vasp != null)
-  {
-    nixos.packages.packages = with inputs.pkgs;
-    {
-      _packages =
-      (
-        [ localPackages.vasp.intel localPackages.vasp.vtst localPackages.vaspkit wannier90 ]
-          ++ (inputs.lib.optional
-            (let inherit (inputs.config.nixos.system.nixpkgs) cuda; in cuda.capabilities or null != null)
-            localPackages.vasp.nvidia)
-      );
-      _pythonPackages = [(_: [ localPackages.py4vasp ])];
-    };
-  };
-}

modules/packages/vscode.nix

@@ -3,71 +3,336 @@ inputs:
   options.nixos.packages.vscode = let inherit (inputs.lib) mkOption types; in mkOption
   {
     type = types.nullOr (types.submodule {});
-    default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
+    default = if inputs.config.nixos.model.type == "desktop" then {} else null;
   };
   config = let inherit (inputs.config.nixos.packages) vscode; in inputs.lib.mkIf (vscode != null)
   {
-    nixos.packages.packages = with inputs.pkgs;
-    {
-      _packages =
-      [(
-        vscode-with-extensions.override
+    nixos.user.sharedModules =
+    [(hmInputs: {
+      config.programs.vscode = inputs.lib.mkIf (hmInputs.config.home.username != "root")
+      {
+        enable = true;
+        package = inputs.pkgs.vscode.overrideAttrs (prev: { preFixup = prev.preFixup +
+        ''
+          gappsWrapperArgs+=(
+            ${builtins.concatStringsSep " " inputs.config.nixos.packages.packages._vscodeEnvFlags}
+          )
+        '';});
+        profiles.default =
         {
-          vscodeExtensions =
-            let extensions = builtins.listToAttrs (builtins.map
-              (set:
+          enableExtensionUpdateCheck = false;
+          enableUpdateCheck = false;
+          extensions = inputs.pkgs.nix4vscode.forVscode
+          [
+            "github.copilot" "github.copilot-chat" "github.github-vscode-theme"
+            "intellsmi.comment-translate"
+            "ms-vscode.cmake-tools" "ms-vscode.cpptools-extension-pack" "ms-vscode.hexeditor"
+            "ms-vscode.remote-explorer"
+            "ms-vscode-remote.remote-ssh"
+            "donjayamanne.githistory" "fabiospampinato.vscode-diff"
+            "llvm-vs-code-extensions.vscode-clangd" "ms-ceintl.vscode-language-pack-zh-hans"
+            "oderwat.indent-rainbow"
+            "guyutongxue.cpp-reference" "thfriedrich.lammps" "leetcode.vscode-leetcode" # "znck.grammarly"
+            "james-yu.latex-workshop" "bbenoist.nix" "jnoortheen.nix-ide" "ccls-project.ccls"
+            "brettm12345.nixfmt-vscode"
+            "gruntfuggly.todo-tree"
+            # restrctured text
+            "lextudio.restructuredtext" "trond-snekvik.simple-rst" "swyddfa.esbonio" "chrisjsewell.myst-tml-syntax"
+            # markdown
+            "yzhang.markdown-all-in-one" "shd101wyy.markdown-preview-enhanced"
+            # vasp
+            "mystery.vasp-support"
+            "yutengjing.open-in-external-app"
+            # git graph
+            "mhutchie.git-graph"
+            # python
+            "ms-python.python"
+            # theme
+            "pkief.material-icon-theme"
+            # direnv
+            "mkhl.direnv"
+            # svg viewer
+            "vitaliymaz.vscode-svg-previewer"
+            # draw
+            "pomdtr.excalidraw-editor"
+            # typst
+            "myriad-dreamin.tinymist"
+            # grammaly alternative
+            "ltex-plus.vscode-ltex-plus"
+            # jupyter
+            "ms-toolsai.jupyter" "ms-toolsai.jupyter-keymap" "ms-toolsai.jupyter-renderers"
+            "ms-toolsai.vscode-jupyter-cell-tags" "ms-toolsai.vscode-jupyter-slideshow"
+            "ms-toolsai.datawrangler"
+          ];
+          keybindings =
+          [
+            # use alt+a to complete inline suggestions, instead of tab or ctrl+enter
+            {
+              key = "alt+a";
+              command = "editor.action.inlineSuggest.commit";
+              when = "inlineSuggestionVisible";
+            }
+            {
+              key = "tab";
+              command = "-editor.action.inlineSuggest.commit";
+            }
+            {
+              key = "ctrl+enter";
+              command = "-editor.action.inlineSuggest.commit";
+            }
+            # use ctrl+j to jump to pdf in latex
+            {
+              key = "ctrl+alt+j";
+              command = "-latex-workshop.synctex";
+            }
+            {
+              key = "ctrl+j";
+              command = "-workbench.action.togglePanel";
+            }
+            {
+              key = "ctrl+j";
+              command = "latex-workshop.synctex";
+              when = "editorTextFocus && editorLangId == 'latex'";
+            }
+            {
+              key = "ctrl+l alt+j";
+              command = "-latex-workshop.synctex";
+            }
+            # use ctrl+j=b to build latex
+            {
+              key = "ctrl+b";
+              command = "-workbench.action.toggleSidebarVisibility";
+            }
+            {
+              key = "ctrl+b";
+              command = "latex-workshop.build";
+              when = "editorLangId =~ /^latex$|^latex-expl3$|^rsweave$|^jlweave$|^pweave$/";
+            }
+            {
+              key = "ctrl+l alt+b";
+              command = "-latex-workshop.build";
+            }
+            # use alt+t to cd to current dir
+            {
+              key = "alt+t";
+              command = "workbench.action.terminal.sendSequence";
+              args.text = "cd '\${fileDirname}'\n";
+            }
+          ];
+          userSettings =
+          {
+            "security.workspace.trust.enabled" = false;
+            "editor.fontFamily" = "'FiraCode Nerd Font Mono', 'Noto Sans Mono CJK SC', 'Droid Sans Mono', 'monospace', monospace, 'Droid Sans Fallback'";
+            "editor.fontLigatures" = true;
+            "workbench.iconTheme" = "material-icon-theme";
+            "cmake.configureOnOpen" = true;
+            "editor.mouseWheelZoom" = true;
+            "extensions.ignoreRecommendations" = true;
+            "editor.smoothScrolling" = true;
+            "editor.cursorSmoothCaretAnimation" = "on";
+            "workbench.list.smoothScrolling" = true;
+            "files.hotExit" = "off";
+            "editor.wordWrapColumn" = 120;
+            "window.restoreWindows" = "none";
+            "editor.inlineSuggest.enabled" = true;
+            "github.copilot.enable"."*" = true;
+            "editor.acceptSuggestionOnEnter" = "off";
+            "terminal.integrated.scrollback" = 10000;
+            "editor.rulers" = [ 120 ];
+            "indentRainbow.ignoreErrorLanguages" = [ "*" ];
+            "markdown.extension.completion.respectVscodeSearchExclude" = false;
+            "markdown.extension.print.absoluteImgPath" = false;
+            "editor.tabCompletion" = "on";
+            "workbench.colorTheme" = "GitHub Light";
+            "workbench.startupEditor" = "none";
+            "debug.toolBarLocation" = "docked";
+            "search.maxResults" = 100000;
+            "editor.action.inlineSuggest.commit" = "Ctrl+Space";
+            "window.dialogStyle" = "custom";
+            "redhat.telemetry.enabled" = true;
+            "[xml]"."editor.defaultFormatter" = "DotJoshJohnson.xml";
+            "git.ignoreLegacyWarning" = true;
+            "git.confirmSync" = false;
+            "cmake.configureArgs" = [ "-DCMAKE_VERBOSE_MAKEFILE:BOOL=ON" "-DCMAKE_EXPORT_COMPILE_COMMANDS=1" ];
+            "editor.wordWrap" = "wordWrapColumn";
+            "files.associations" = { "POSCAR" = "poscar"; "*.mod" = "lmps"; "*.vasp" = "poscar"; };
+            "editor.stickyScroll.enabled" = true;
+            "editor.minimap.showSlider" = "always";
+            "editor.unicodeHighlight.allowedLocales" = { "zh-hans" = true; "zh-hant" = true; };
+            "hexeditor.columnWidth" = 64;
+            "latex-workshop.synctex.afterBuild.enabled" = true;
+            "hexeditor.showDecodedText" = true;
+            "hexeditor.defaultEndianness" = "little";
+            "hexeditor.inspectorType" = "aside";
+            "commentTranslate.hover.concise" = true;
+            "commentTranslate.targetLanguage" = "en";
+            "[python]"."editor.formatOnType" = true;
+            "editor.minimap.renderCharacters" = false;
+            "update.mode" = "none";
+            "editor.tabSize" = 2;
+            "nix.enableLanguageServer" = true;
+            "nix.serverPath" = "nil";
+            "nix.formatterPath" = "nixpkgs-fmt";
+            "nix.serverSettings"."nil" =
+            {
+              "diagnostics"."ignored" = [ "unused_binding" "unused_with" ];
+              "formatting"."command" = [ "nixpkgs-fmt" ];
+            };
+            "xmake.envBehaviour" = "erase";
+            "git.openRepositoryInParentFolders" = "never";
+            "todo-tree.regex.regex" = "(//|#|<!--|;|/\\*|^|%|^[ \\t]*(-|\\d+.))\\s*($TAGS)";
+            "latex-workshop.latex.recipes" =
+            [
               {
-                name = set;
-                value = vscode-extensions.${set} or {}
-                  // nix-vscode-extensions.vscode-marketplace.${set}
-                  // nix-vscode-extensions.vscode-marketplace-release.${set} or {};
-              })
-              (inputs.lib.unique
-              (
-                (builtins.attrNames vscode-extensions)
-                  ++ (builtins.attrNames nix-vscode-extensions.vscode-marketplace)
-                  ++ (builtins.attrNames nix-vscode-extensions.vscode-marketplace-release)
-              )));
-            in with extensions;
-              (with github; [ copilot github-vscode-theme ])
-              ++ (with intellsmi; [ comment-translate ])
-              ++ (with ms-vscode; [ cmake-tools cpptools-extension-pack hexeditor remote-explorer ])
-              ++ (with ms-vscode-remote; [ remote-ssh ])
-              ++ [
-                donjayamanne.githistory fabiospampinato.vscode-diff
-                llvm-vs-code-extensions.vscode-clangd ms-ceintl.vscode-language-pack-zh-hans
-                oderwat.indent-rainbow
-                twxs.cmake guyutongxue.cpp-reference thfriedrich.lammps leetcode.vscode-leetcode # znck.grammarly
-                james-yu.latex-workshop bbenoist.nix jnoortheen.nix-ide ccls-project.ccls
-                brettm12345.nixfmt-vscode
-                gruntfuggly.todo-tree
-                # restrctured text
-                lextudio.restructuredtext trond-snekvik.simple-rst swyddfa.esbonio chrisjsewell.myst-tml-syntax
-                # markdown
-                yzhang.markdown-all-in-one shd101wyy.markdown-preview-enhanced
-                # vasp
-                mystery.vasp-support
-                yutengjing.open-in-external-app
-                # git graph
-                mhutchie.git-graph
-                # python
-                ms-python.python
-                # theme
-                pkief.material-icon-theme
-                # direnv
-                mkhl.direnv
-                # svg viewer
-                vitaliymaz.vscode-svg-previewer
-                # draw
-                pomdtr.excalidraw-editor
-              ]
-              # jupyter
-              # TODO: use last release
-              ++ (with vscode-extensions.ms-toolsai;
-                [ jupyter jupyter-keymap jupyter-renderers vscode-jupyter-cell-tags vscode-jupyter-slideshow ]);
-          extraFlags = builtins.concatStringsSep " " inputs.config.nixos.packages.packages._vscodeEnvFlags;
-        }
-      )];
-    };
+                name = "xelatex";
+                tools = [ "xelatex" "bibtex" "xelatex" "xelatex" ];
+              }
+              {
+                name = "latexmk";
+                tools = [ "latexmk" ];
+              }
+              {
+                name = "latexmk (latexmkrc)";
+                tools = [ "latexmk_rconly" ];
+              }
+              {
+                name = "latexmk (lualatex)";
+                tools = [ "lualatexmk" ];
+              }
+              {
+                name = "latexmk (xelatex)";
+                tools = [ "xelatexmk" ];
+              }
+              {
+                name = "pdflatex -> bibtex -> pdflatex * 2";
+                tools = [ "pdflatex" "bibtex" "pdflatex" "pdflatex" ];
+              }
+            ];
+            "latex-workshop.latex.recipe.default" = "xelatex";
+            "latex-workshop.bind.altKeymap.enabled" = true;
+            "latex-workshop.latex.autoBuild.run" = "never";
+            "cmake.showOptionsMovedNotification" = false;
+            "markdown.extension.toc.plaintext" = true;
+            "markdown.extension.katex.macros" = {};
+            "markdown-preview-enhanced.mathRenderingOption" = "MathJax";
+            "mesonbuild.downloadLanguageServer" = false;
+            "genieai.openai.model" = "gpt-3.5-turbo-instruct";
+            "codeium.enableConfig" = { "*" = true; "Log" = true; };
+            "fortran.notifications.releaseNotes" = false;
+            "markdown-preview-enhanced.enablePreviewZenMode" = true;
+            "ccls.misc.compilationDatabaseDirectory" = "build";
+            "C_Cpp.intelliSenseEngine" = "disabled";
+            "clangd.arguments" = [ "-header-insertion=never" ];
+            "cmake.ctestDefaultArgs" = [ "-T" "test" "--output-on-failure" "--verbose" ];
+            "terminal.integrated.mouseWheelZoom" = true;
+            "notebook.lineNumbers" = "on";
+            "editor.codeActionsOnSave" = {};
+            "jupyter.notebookFileRoot" = "\${workspaceFolder}";
+            "svg.preview.transparencyGrid" = false;
+            "svg.preview.boundingBox" = false;
+            "latex-workshop.latex.tools" =
+            [
+              {
+                name = "xelatex";
+                command = "xelatex";
+                args = [ "-synctex=1" "-interaction=nonstopmode" "-file-line-error" "%DOC%" ];
+                env = {};
+              }
+              {
+                name = "latexmk";
+                command = "latexmk";
+                args = [ "-synctex=1" "-interaction=nonstopmode" "-file-line-error" "-pdf" "-outdir=%OUTDIR%" "%DOC%" ];
+                env = {};
+              }
+              {
+                name = "lualatexmk";
+                command = "latexmk";
+                args =
+                  [ "-synctex=1" "-interaction=nonstopmode" "-file-line-error" "-lualatex" "-outdir=%OUTDIR%" "%DOC%" ];
+                env = {};
+              }
+              {
+                name = "xelatexmk";
+                command = "latexmk";
+                args =
+                  [ "-synctex=1" "-interaction=nonstopmode" "-file-line-error" "-xelatex" "-outdir=%OUTDIR%" "%DOC%" ];
+                env = {};
+              }
+              {
+                name = "latexmk_rconly";
+                command = "latexmk";
+                args = [ "%DOC%" ];
+                env = {};
+              }
+              {
+                name = "pdflatex";
+                command = "pdflatex";
+                args = [ "-synctex=1" "-interaction=nonstopmode" "-file-line-error" "%DOC%" ];
+                env = {};
+              }
+              {
+                name = "bibtex";
+                command = "bibtex";
+                args = [ "%DOCFILE%" ];
+                env = {};
+              }
+              {
+                name = "rnw2tex";
+                command = "Rscript";
+                args = [ "-e" "knitr::opts_knit$set(concordance = TRUE); knitr::knit('%DOCFILE_EXT%')" ];
+                env = {};
+              }
+              {
+                name = "jnw2tex";
+                command = "julia";
+                args = [ "-e" "using Weave; weave(\"%DOC_EXT%\", doctype=\"tex\")" ];
+                env = {};
+              }
+              {
+                name = "jnw2texminted";
+                command = "julia";
+                args = [ "-e" "using Weave; weave(\"%DOC_EXT%\", doctype=\"texminted\")" ];
+                env = {};
+              }
+              {
+                name = "pnw2tex";
+                command = "pweave";
+                args = [ "-f" "tex" "%DOC_EXT%" ];
+                env = {};
+              }
+              {
+                name = "pnw2texminted";
+                command = "pweave";
+                args = [ "-f" "texminted" "%DOC_EXT%" ];
+                env = {};
+              }
+              {
+                name = "tectonic";
+                command = "tectonic";
+                args = [ "--synctex" "--keep-logs" "--print" "%DOC%.tex" ];
+                env = {};
+              }
+            ];
+            "todo-tree.general.tags" = [ "BUG" "HACK" "FIXME" "TODO" ];
+            "ltex.additionalRules.motherTongue" = "zh-CN";
+            "ltex.ltex-ls.path" = "/run/current-system/sw";
+            "cmake.ignoreCMakeListsMissing" = true;
+            "[nix]"."editor.defaultFormatter" = "jnoortheen.nix-ide";
+            "todo-tree.filtering.excludedWorkspaces" = [ "/nix/remote/**" ];
+            "dataWrangler.outputRenderer.enabledTypes" =
+            {
+              "numpy.ndarray" = true;
+              "builtins.list" = true;
+              "builtins.dict" = true;
+            };
+            "ltex.language" = "auto";
+            # maybe this could fix typst preview freezing on large project
+            "tinymist.preview.partialRendering" = false;
+            "tinymist.preview.refresh" = "onSave";
+            "workbench.secondarySideBar.defaultVisibility" = "hidden";
+          };
+        };
+      };
+    })];
   };
 }

modules/packages/winapps/default.nix

@@ -1,10 +1,7 @@
 inputs:
 {
   options.nixos.packages.winapps = let inherit (inputs.lib) mkOption types; in mkOption
-  {
-    type = types.nullOr (types.submodule {});
-    default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
-  };
+    { type = types.nullOr (types.submodule {}); default = null; };
   config = let inherit (inputs.config.nixos.packages) winapps; in inputs.lib.mkIf (winapps != null)
   {
     nixos.packages.packages._packages =
@@ -13,7 +10,7 @@ inputs:
       (inputs.pkgs.runCommand "winapps-windows" {}
       ''
         mkdir -p $out/share/applications
-        cp ${inputs.pkgs.substituteAll { src = ./windows.desktop; path = inputs.topInputs.winapps; }} \
+        cp ${inputs.pkgs.replaceVars ./windows.desktop { path = inputs.topInputs.winapps; }} \
           $out/share/applications/windows.desktop
       '')
     ]

modules/packages/zellij.nix

@@ -0,0 +1,17 @@
+inputs:
+{
+  options.nixos.packages.zellij = let inherit (inputs.lib) mkOption types; in mkOption
+    { type = types.nullOr (types.submodule {}); default = {}; };
+  config = let inherit (inputs.config.nixos.packages) zellij; in inputs.lib.mkIf (zellij != null)
+  {
+    nixos =
+    {
+      packages.packages._packages = [ inputs.pkgs.zellij ];
+      user.sharedModules =
+      [{
+        config.programs.zellij =
+          { enable = true; settings = { show_startup_tips = false; show_release_notes = false; }; };
+      }];
+    };
+  };
+}

modules/packages/zsh/default.nix

@@ -4,85 +4,72 @@ inputs:
     { type = types.nullOr (types.submodule {}); default = {}; };
   config = let inherit (inputs.config.nixos.packages) zsh; in inputs.lib.mkIf (zsh != null)
   {
-    nixos.user.sharedModules = [(home-inputs: { config.programs = inputs.lib.mkMerge
-    [
-      # general config
-      {
-        zsh =
+    nixos.user.sharedModules = [(home-inputs:
+    {
+      config = inputs.lib.mkMerge
+      [
         {
-          enable = true;
-          history =
-          {
-            path = "${home-inputs.config.xdg.dataHome}/zsh/zsh_history";
-            extended = true;
-            save = 100000000;
-            size = 100000000;
-          };
-          syntaxHighlighting.enable = true;
-          autosuggestion.enable = true;
-          enableCompletion = true;
-          oh-my-zsh =
+          programs.zsh =
           {
             enable = true;
-            plugins = [ "git" "colored-man-pages" "extract" "history-substring-search" "autojump" ];
-            theme = inputs.lib.mkDefault "clean";
+            history =
+            {
+              path = "${home-inputs.config.xdg.dataHome}/zsh/zsh_history";
+              extended = true;
+              save = 100000000;
+              size = 100000000;
+            };
+            syntaxHighlighting.enable = true;
+            autosuggestion.enable = true;
+            enableCompletion = true;
+            oh-my-zsh =
+            {
+              enable = true;
+              plugins = [ "git" "colored-man-pages" "extract" "history-substring-search" "autojump" ];
+              theme = inputs.lib.mkDefault "clean";
+            };
+            # ensure ~/.zlogin exists
+            loginExtra = " ";
           };
-          # ensure ~/.zlogin exists
-          loginExtra = " ";
-        };
-        # set bash history file path, avoid overwriting zsh history
-        bash = { enable = true; historyFile =  "${home-inputs.config.xdg.dataHome}/bash/bash_history"; };
-      }
-      # config for root and chn
-      {
-        zsh = inputs.lib.mkIf (builtins.elem home-inputs.config.home.username [ "chn" "root" "aleksana" ])
+          home.shell.enableZshIntegration = true;
+        }
         {
-          plugins =
-          [
+          programs.zsh = inputs.lib.mkIf
+            (builtins.elem home-inputs.config.home.username [ "chn" "root" "aleksana" "alikia" "hjp" ])
             {
-              file = "powerlevel10k.zsh-theme";
-              name = "powerlevel10k";
-              src = "${inputs.pkgs.zsh-powerlevel10k}/share/zsh-powerlevel10k";
-            }
-            { file = "p10k.zsh"; name = "powerlevel10k-config"; src = ./p10k-config; }
-            {
-              name = "zsh-lsd";
-              src = inputs.pkgs.fetchFromGitHub
-              {
-                owner = "z-shell";
-                repo = "zsh-lsd";
-                rev = "65bb5ac49190beda263aae552a9369127961632d";
-                hash = "sha256-JSNsfpgiqWhtmGQkC3B0R1Y1QnDKp9n0Zaqzjhwt7Xk=";
-              };
-            }
-          ];
-          initExtraBeforeCompInit =
-          ''
-            # p10k instant prompt
-            P10K_INSTANT_PROMPT="$XDG_CACHE_HOME/p10k-instant-prompt-''${(%):-%n}.zsh"
-            [[ ! -r "$P10K_INSTANT_PROMPT" ]] || source "$P10K_INSTANT_PROMPT"
-            HYPHEN_INSENSITIVE="true"
-            export PATH=~/bin:$PATH
-            function br
-            {
-              local cmd cmd_file code
-              cmd_file=$(mktemp)
-              if broot --outcmd "$cmd_file" "$@"; then
-                cmd=$(<"$cmd_file")
-                command rm -f "$cmd_file"
-                eval "$cmd"
-              else
-                code=$?
-                command rm -f "$cmd_file"
-                return "$code"
-              fi
-            }
-            alias todo="todo.sh"
-          '';
-          oh-my-zsh.theme = "";
-        };
-      }
-    ];})];
+              plugins =
+              [
+                {
+                  file = "powerlevel10k.zsh-theme";
+                  name = "powerlevel10k";
+                  src = "${inputs.pkgs.zsh-powerlevel10k}/share/zsh-powerlevel10k";
+                }
+                { file = "p10k.zsh"; name = "powerlevel10k-config"; src = ./p10k-config; }
+                {
+                  name = "zsh-lsd";
+                  src = inputs.pkgs.fetchFromGitHub
+                  {
+                    owner = "z-shell";
+                    repo = "zsh-lsd";
+                    rev = "65bb5ac49190beda263aae552a9369127961632d";
+                    hash = "sha256-JSNsfpgiqWhtmGQkC3B0R1Y1QnDKp9n0Zaqzjhwt7Xk=";
+                  };
+                }
+              ];
+              initContent = inputs.lib.mkOrder 550
+              ''
+                # p10k instant prompt
+                P10K_INSTANT_PROMPT="$XDG_CACHE_HOME/p10k-instant-prompt-''${(%):-%n}.zsh"
+                [[ ! -r "$P10K_INSTANT_PROMPT" ]] || source "$P10K_INSTANT_PROMPT"
+                HYPHEN_INSENSITIVE="true"
+                export PATH=~/bin:$PATH
+                zstyle ':vcs_info:*' disable-patterns "/nix/remote/*"
+              '';
+              oh-my-zsh.theme = "";
+            };
+        }
+      ];
+    })];
     environment.pathsToLink = [ "/share/zsh" ];
     programs.zsh.enable = true;
   };

modules/services/acme.nix

@@ -34,21 +34,21 @@ inputs:
           name = builtins.elemAt cert.value.domains 0;
           value =
           {
-            credentialsFile = inputs.config.sops.templates."acme/cloudflare.ini".path;
+            credentialsFile = inputs.config.nixos.system.sops.templates."acme/cloudflare.ini".path;
             extraDomainNames = builtins.tail cert.value.domains;
             group = inputs.lib.mkIf (cert.value.group != null) cert.value.group;
           };
         })
         (inputs.localLib.attrsToList acme.cert));
     };
-    sops =
+    nixos.system.sops =
     {
       templates."acme/cloudflare.ini".content =
       ''
-        CLOUDFLARE_DNS_API_TOKEN=${inputs.config.sops.placeholder."acme/token"}
+        CLOUDFLARE_DNS_API_TOKEN=${inputs.config.nixos.system.sops.placeholder."acme/token"}
         CLOUDFLARE_PROPAGATION_TIMEOUT=300
       '';
-      secrets."acme/token".sopsFile = "${inputs.config.nixos.system.sops.crossSopsDir}/default.yaml";
+      secrets."acme/token" = {};
     };
   };
 }

modules/services/beesd.nix

@@ -15,17 +15,15 @@ inputs:
   };
   config = let inherit (inputs.config.nixos.services) beesd; in inputs.lib.mkIf (beesd != null)
   {
-    services.beesd.filesystems = builtins.mapAttrs
-      (n: v:
+    services.beesd.filesystems = inputs.lib.mapAttrs'
+      (n: v: inputs.lib.nameValuePair (inputs.utils.escapeSystemdPath n)
       {
         spec = n;
         inherit (v) hashTableSizeMB;
         extraOptions =
         [
-          "--workaround-btrfs-send"
           "--thread-count" "${builtins.toString v.threads}"
           "--loadavg-target" "${builtins.toString v.loadAverage}"
-          "--scan-mode" "3"
           "--verbose" "4"
         ];
       })

modules/services/bind.nix

@@ -0,0 +1,82 @@
+inputs:
+{
+  options.nixos.services.bind = let inherit (inputs.lib) mkOption types; in mkOption
+    { type = types.nullOr (types.submodule (submoduleInputs: {})); default = null; };
+  config = let inherit (inputs.config.nixos.services) bind; in inputs.lib.mkIf (bind != null)
+  {
+    services.bind =
+      let
+        chinaZone = inputs.pkgs.writeText "autoroute.chn.moe.china.zone"
+        ''
+          $ORIGIN autoroute.chn.moe.
+          $TTL 3600
+          @ IN SOA vps6.chn.moe. chn.chn.moe. (
+            2024071301 ; serial
+            3600       ; refresh
+            600        ; retry
+            604800     ; expire
+            300        ; minimum
+          )
+          @ IN NS vps6.chn.moe.
+          @ IN A ${inputs.topInputs.self.config.dns."chn.moe".getAddress "vps6"}
+        '';
+        globalZone = inputs.pkgs.writeText "autoroute.chn.moe.zone"
+        ''
+          $ORIGIN autoroute.chn.moe.
+          $TTL 3600
+          @ IN SOA vps6.chn.moe. chn.chn.moe. (
+            2024071301 ; serial
+            3600       ; refresh
+            600        ; retry
+            604800     ; expire
+            300        ; minimum
+          )
+          @ IN NS vps6.chn.moe.
+          @ IN A ${inputs.topInputs.self.config.dns."chn.moe".getAddress "srv3"}
+        '';
+        nullZone = inputs.pkgs.writeText "null.zone" "";
+      in
+      {
+        enable = true;
+        package = inputs.pkgs.bind.overrideAttrs
+          (prev: { buildInputs = prev.buildInputs ++ [ inputs.pkgs.libmaxminddb ]; });
+        listenOn = [(inputs.topInputs.self.config.dns."chn.moe".getAddress "vps6")];
+        extraOptions =
+        ''
+          recursion no;
+          geoip-directory "${inputs.config.services.geoipupdate.settings.DatabaseDirectory}";
+        '';
+        extraConfig =
+        ''
+          acl "china" {
+            geoip country CN;
+          };
+
+          view "china" {
+            match-clients { china; };
+            zone "autoroute.chn.moe" {
+              type master;
+              file "${chinaZone}";
+            };
+            zone "." {
+              type hint;
+              file "${nullZone}";
+            };
+          };
+          view "global" {
+            match-clients { any; };
+            zone "autoroute.chn.moe" {
+              type master;
+              file "${globalZone}";
+            };
+            zone "." {
+              type hint;
+              file "${nullZone}";
+            };
+          };
+        '';
+      };
+    nixos.services.geoipupdate = {};
+    networking.firewall.allowedUDPPorts = [ 53 ];
+  };
+}