24 changed files with 485 additions and 432 deletions
--- a/flake.lock
+++ b/flake.lock
@ -1,20 +1,5 @@
 {
  "nodes": {
    "catppuccin": {
      "locked": {
        "lastModified": 1717070887,
        "narHash": "sha256-ZTEMINFqQL+m55kmoDYIKf3i2NGitSkjBnnLu99ezh0=",
        "owner": "catppuccin",
        "repo": "nix",
        "rev": "2c7661c9fa26a920b8088300ef87d14179c71a27",
        "type": "github"
      },
      "original": {
        "owner": "catppuccin",
        "repo": "nix",
        "type": "github"
      }
    },
    "colmena": {
      "inputs": {
        "flake-compat": "flake-compat",
@ -29,11 +14,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1711386353,
+        "lastModified": 1706509311,
-        "narHash": "sha256-gWEpb8Hybnoqb4O4tmpohGZk6+aerAbJpywKcFIiMlg=",
+        "narHash": "sha256-QQKQ6r3CID8aXn2ZXZ79ZJxdCOeVP+JTnOctDALErOw=",
        "owner": "zhaofengli",
        "repo": "colmena",
-        "rev": "cd65ef7a25cdc75052fbd04b120aeb066c3881db",
+        "rev": "c84ccd0a7a712475e861c2b111574472b1a8d0cd",
        "type": "github"
      },
      "original": {
@ -61,11 +46,11 @@
    "flake-compat_2": {
      "flake": false,
      "locked": {
-        "lastModified": 1696426674,
+        "lastModified": 1673956053,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
        "owner": "edolstra",
        "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
        "type": "github"
      },
      "original": {
@ -79,11 +64,11 @@
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1710146030,
+        "lastModified": 1709126324,
-        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "rev": "d465f4819400de7c8d874d50b982301f28a84605",
        "type": "github"
      },
      "original": {
@ -99,11 +84,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1717052710,
+        "lastModified": 1709764752,
-        "narHash": "sha256-LRhOxzXmOza5SymhOgnEzA8EAQp+94kkeUYWKKpLJ/U=",
+        "narHash": "sha256-+lM4J4JoJeiN8V+3WSWndPHj1pJ9Jc1UMikGbXLqCTk=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "29c69d9a466e41d46fd3a7a9d0591ef9c113c2ae",
+        "rev": "cf111d1a849ddfc38e9155be029519b0e2329615",
        "type": "github"
      },
      "original": {
@ -119,11 +104,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1716772633,
+        "lastModified": 1709708644,
-        "narHash": "sha256-Idcye44UW+EgjbjCoklf2IDF+XrehV6CVYvxR1omst4=",
+        "narHash": "sha256-XAFOkZ6yexsqeJrCXWoHxopq0i+7ZqbwATXomMnGmr4=",
        "owner": "Mic92",
        "repo": "nix-index-database",
-        "rev": "ff80cb4a11bb87f3ce8459be6f16a25ac86eb2ac",
+        "rev": "94a1e46434736a40f976a454f8bd3ea2144f349b",
        "type": "github"
      },
      "original": {
@ -143,11 +128,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1717032429,
+        "lastModified": 1709773506,
-        "narHash": "sha256-1+87CE8xOUsJChiq9aNQqWPKoWMuyurW+aXrGbMWH7I=",
+        "narHash": "sha256-RK9D2rbN7usqlxogWSBA0EsKDScSF/Uyb8ATntC4juA=",
        "owner": "nix-community",
        "repo": "nix-vscode-extensions",
-        "rev": "0309d806a5431a46fb7fd81e20d7133ac8b1de55",
+        "rev": "a17ea69caec11561e73c985360fb596c25f74131",
        "type": "github"
      },
      "original": {
@ -156,13 +141,36 @@
        "type": "github"
      }
    },
    "nixos-cn": {
      "inputs": {
        "flake-utils": [
          "flake-utils"
        ],
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1682818384,
        "narHash": "sha256-l8jh9BQj6nfjPDYGyrZkZwX1GaOqBX+pBHU+7fFZU3w=",
        "owner": "nixos-cn",
        "repo": "flakes",
        "rev": "2d475ec68cca251ef6c6c69a9224db5c264c5e5b",
        "type": "github"
      },
      "original": {
        "owner": "nixos-cn",
        "repo": "flakes",
        "type": "github"
      }
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1716987116,
+        "lastModified": 1709410583,
-        "narHash": "sha256-uuEkErFVsFdg2K0cKbNQ9JlFSAm/xYqPr4rbPLI91Y8=",
+        "narHash": "sha256-esOSUoQ7mblwcsSea0K17McZuwAIjoS6dq/4b83+lvw=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "8251761f93d6f5b91cee45ac09edb6e382641009",
+        "rev": "59e37017b9ed31dee303dbbd4531c594df95cfbc",
        "type": "github"
      },
      "original": {
@ -174,11 +182,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1716948383,
+        "lastModified": 1709479366,
-        "narHash": "sha256-SzDKxseEcHR5KzPXLwsemyTR/kaM9whxeiJohbL04rs=",
+        "narHash": "sha256-n6F0n8UV6lnTZbYPl1A9q1BS0p4hduAv1mGAP17CVd0=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "ad57eef4ef0659193044870c731987a6df5cf56b",
+        "rev": "b8697e57f10292a6165a20f03d2f42920dfaf973",
        "type": "github"
      },
      "original": {
@ -206,11 +214,11 @@
    },
    "nixpkgs-stable_2": {
      "locked": {
-        "lastModified": 1716655032,
+        "lastModified": 1709428628,
-        "narHash": "sha256-kQ25DAiCGigsNR/Quxm3v+JGXAEXZ8I7RAF4U94bGzE=",
+        "narHash": "sha256-//ZCCnpVai/ShtO2vPjh3AWgo8riXCaret6V9s7Hew4=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "59a450646ec8ee0397f5fa54a08573e8240eb91f",
+        "rev": "66d65cb00b82ffa04ee03347595aa20e41fe3555",
        "type": "github"
      },
      "original": {
@ -222,11 +230,11 @@
    },
    "nur": {
      "locked": {
-        "lastModified": 1717079713,
+        "lastModified": 1709780742,
-        "narHash": "sha256-mvTQgi86WwALm6NGi9tvCx92zrNjSr8Mz+nCqbG0ZhE=",
+        "narHash": "sha256-mJXQZLSI/zgQ98nHMSdmJ0l0YL3n38FWsdE9OiKPcWk=",
        "owner": "nix-community",
        "repo": "NUR",
-        "rev": "1a7bbb238afcada295aabc758941ce82e6b1d292",
+        "rev": "3428e6cf4521df6254ff5b8bcf31df84fc1dd0d2",
        "type": "github"
      },
      "original": {
@ -237,12 +245,12 @@
    },
    "root": {
      "inputs": {
        "catppuccin": "catppuccin",
        "colmena": "colmena",
        "flake-utils": "flake-utils",
        "home-manager": "home-manager",
        "nix-index-database": "nix-index-database",
        "nix-vscode-extensions": "nix-vscode-extensions",
        "nixos-cn": "nixos-cn",
        "nixos-hardware": "nixos-hardware",
        "nixpkgs": "nixpkgs",
        "nixpkgs-stable": "nixpkgs-stable",
@ -258,11 +266,11 @@
        "nixpkgs-stable": "nixpkgs-stable_2"
      },
      "locked": {
-        "lastModified": 1716692524,
+        "lastModified": 1709711091,
-        "narHash": "sha256-sALodaA7Zkp/JD6ehgwc0UCBrSBfB4cX66uFGTsqeFU=",
+        "narHash": "sha256-L0rSIU9IguTG4YqSj4B/02SyTEz55ACq5t8gXpzteYc=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "962797a8d7f15ed7033031731d0bb77244839960",
+        "rev": "25dd60fdd08fcacee2567a26ba6b91fe098941dc",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -15,6 +15,12 @@
      inputs.flake-utils.follows = "flake-utils";
    };
    nixos-cn = {
      url = "github:nixos-cn/flakes";
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.flake-utils.follows = "flake-utils";
    };
    nur = {
      url = "github:nix-community/NUR";
    };
@ -43,47 +49,38 @@
      url = "github:Mic92/nix-index-database";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    catppuccin.url = "github:catppuccin/nix";
  };
-  outputs =
+  outputs = { self, ... }@inputs:
-    { self
+    with inputs;
    , home-manager
    , nixpkgs
    , nixos-hardware
    , flake-utils
    , nur
    , catppuccin
    , ... }@inputs:
    let
-      sharedHmModules = [
+      homeConfigurations = import ./home;
-        inputs.nix-index-database.hmModules.nix-index
+      sharedModules = [
        catppuccin.homeManagerModules.catppuccin
        self.homeManagerModules
        inputs.nix-index-database.hmModules.nix-index
      ];
-      mkHome = user: host: { ... }: {
+      mkHome = user: host: { config, system, ... }: {
        imports = [
          home-manager.nixosModules.home-manager
          {
            home-manager = {
-              sharedModules = sharedHmModules;
+              inherit sharedModules;
              useGlobalPkgs = true;
              useUserPackages = true;
              extraSpecialArgs = { inherit inputs; };
            };
-            home-manager.users.${user} = (import ./home).${user}.${host};
+            home-manager.users.${user} = homeConfigurations.${user}.${host};
          }
        ];
      };
-      mkHomeConfiguration = user: host: {
+      mkHomeConfiguration = user: settings: {
        name = user;
        value = home-manager.lib.homeManagerConfiguration {
          pkgs = import nixpkgs { system = "x86_64-linux"; };
          modules = [
-            (import ./home).${user}.${host}
+            self.homeManagerModules
-          ] ++ sharedHmModules;
+          ] ++ sharedModules;
          extraSpecialArgs = {
            inherit inputs;
          };
@ -95,9 +92,9 @@
        modules = [
          self.nixosModules.default
          nur.nixosModules.nur
          ./overlays
        ] ++ modules;
      };
      evalSecrets = import ./eval_secrets.nix;
    in
    {
      nixosModules.default = import ./modules/nixos;
@ -110,12 +107,12 @@
          deploymentModule = {
            deployment.targetUser = "xin";
          };
-          sharedColmenaModules = [
+          sharedModules = [
            self.nixosModules.default
            deploymentModule
          ];
        in
-        inputs.colmena.lib.makeHive {
+        colmena.lib.makeHive {
          meta = {
            nixpkgs = import nixpkgs {
              system = "x86_64-linux";
@ -126,20 +123,34 @@
            };
          };
-          massicot = { ... }: {
+          massicot = { name, nodes, pkgs, ... }: with inputs; {
            deployment.targetHost = "49.13.13.122";
            deployment.buildOnTarget = true;
            imports = [
              { nixpkgs.system = "aarch64-linux"; }
              machines/massicot
-            ] ++ sharedColmenaModules;
+            ] ++ sharedModules;
          };
-          tok-00 = { ... }: {
+          sgp-00 = { name, nodes, pkgs, ... }: with inputs; {
            imports = [
              machines/dolomite
-            ] ++ sharedColmenaModules;
+            ] ++ sharedModules;
            nixpkgs.system = "x86_64-linux";
            networking.hostName = "sgp-00";
            system.stateVersion = "23.11";
            deployment = {
              targetHost = "video.namely.icu";
              buildOnTarget = false;
              tags = [ "proxy" ];
            };
          };
          tok-00 = { name, nodes, pkgs, ... }: with inputs; {
            imports = [
              machines/dolomite
            ] ++ sharedModules;
            nixpkgs.system = "x86_64-linux";
            networking.hostName = "tok-00";
            system.stateVersion = "23.11";
@ -149,33 +160,6 @@
              tags = [ "proxy" ];
            };
          };
          la-00 = { ... }: {
            imports = [
              machines/dolomite
            ] ++ sharedColmenaModules;
            nixpkgs.system = "x86_64-linux";
            networking.hostName = "la-00";
            system.stateVersion = "21.05";
            deployment = {
              targetHost = "la-00.video.namely.icu";
              buildOnTarget = false;
              tags = [ "proxy" ];
            };
          };
          raspite = { ... }: {
            deployment = {
              targetHost = "raspite.local";
              buildOnTarget = false;
            };
            nixpkgs.system = "aarch64-linux";
            imports = [
              "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"
              nixos-hardware.nixosModules.raspberry-pi-4
              machines/raspite/configuration.nix
            ] ++ sharedColmenaModules;
          };
        };
      nixosConfigurations = {
@ -185,16 +169,38 @@
            nixos-hardware.nixosModules.asus-zephyrus-ga401
            machines/calcite/configuration.nix
            (mkHome "xin" "calcite")
            (./overlays)
          ];
        };
        raspite = mkNixos {
          system = "aarch64-linux";
          modules = [
            nixos-hardware.nixosModules.raspberry-pi-4
            machines/raspite/configuration.nix
            (mkHome "xin" "raspite")
          ];
        };
      } // self.colmenaHive.nodes;
      images.raspite = (mkNixos {
        system = "aarch64-linux";
        modules = [
          "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"
          nixos-hardware.nixosModules.raspberry-pi-4
          machines/raspite/configuration.nix
          {
            nixpkgs.config.allowUnsupportedSystem = true;
            nixpkgs.hostPlatform.system = "aarch64-linux";
            nixpkgs.buildPlatform.system = "x86_64-linux";
          }
        ];
      }).config.system.build.sdImage;
    } // flake-utils.lib.eachDefaultSystem (system:
      let pkgs = nixpkgs.legacyPackages.${system}; in
      {
        devShells = {
          default = pkgs.mkShell {
-            packages = with pkgs; [ git colmena sops nix-output-monitor nil nvd ];
+            packages = with pkgs; [ git colmena sops nix-output-monitor rnix-lsp nvd ];
          };
        };
      }
--- a/home/xin/calcite.nix
+++ b/home/xin/calcite.nix
@ -1,4 +1,4 @@
-{ config, pkgs, ... }@inputs:
+{ config, pkgs, ... }:
 {
  imports = [
    ./common
@ -17,7 +17,6 @@
    primary = true;
    address = "lixinyang411@gmail.com";
    flavor = "gmail.com";
    realName = "Xinyang Li";
  };
  accounts.email.accounts.whu = {
@ -33,25 +32,13 @@
    remmina
  ];
  # Theme
  catppuccin = {
    enable = true;
    flavor = "mocha";
  };
  xdg.enable = true;
  i18n.inputMethod = {
    enabled = "fcitx5";
    fcitx5.addons = with pkgs; [ fcitx5-rime ];
  };
  custom-hm = {
    alacritty = { enable = true; };
    direnv = { enable = true; };
    fish = { enable = true; };
    git = { enable = true; signing.enable = true; };
    neovim = { enable = true; };
-    vscode = { enable = true; languages = { cxx = true; python = true; scala = true; latex = true; }; };
+    vscode = { enable = true; };
    zellij = { enable = true; };
  };
 }
--- a/home/xin/common/default.nix
+++ b/home/xin/common/default.nix
@ -19,8 +19,4 @@
    inetutils
  ];
  nix.extraOptions = ''
    extra-substituters = https://nix-community.cachix.org
    extra-trusted-public-keys = nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=
  '';
 }
--- a/machines/calcite/configuration.nix
+++ b/machines/calcite/configuration.nix
@ -66,6 +66,11 @@
    LC_TIME = "en_US.utf8";
  };
  i18n.inputMethod = {
    enabled = "fcitx5";
    fcitx5.addons = with pkgs; [ fcitx5-rime ];
  };
  # Enable the X11 windowing system.
  services.xserver.enable = true;
@ -73,7 +78,6 @@
  services.xserver.displayManager.gdm.enable = true;
  services.xserver.desktopManager.gnome.enable = true;
  # Configure keymap in X11
  services.xserver = {
    xkb.layout = "us";
@ -128,8 +132,8 @@
  };
  # Enable automatic login for the user.
-  services.displayManager.autoLogin.enable = true;
+  services.xserver.displayManager.autoLogin.enable = true;
-  services.displayManager.autoLogin.user = "xin";
+  services.xserver.displayManager.autoLogin.user = "xin";
  # Smart services
  services.smartd.enable = true;
@ -141,6 +145,10 @@
  # Allow unfree packages
  nixpkgs.config.allowUnfree = true;
  nixpkgs.config.permittedInsecurePackages = [
    "openssl-1.1.1w"
    # For wechat-uos
    "electron-19.1.9"
    "electron-25.9.0"
  ];
  # List packages installed in system profile. To search, run:
  # $ nix search wget
@ -149,6 +157,10 @@
    owncloud-client
    nfs-utils
    winetricks
    wineWowPackages.waylandFull
    faudio
    # tesseract5 # ocr
    ocrmypdf # pdfocr
@ -162,7 +174,6 @@
          requests
          numpy
          pyyaml
          setuptools
        ];
        python-with-my-packages = python3.withPackages my-python-packages;
      in
@ -174,11 +185,9 @@
    # Gnome tweaks
    gnomeExtensions.paperwm
    gnomeExtensions.search-light
-    gnomeExtensions.appindicator
+    gnomeExtensions.tray-icons-reloaded
    gnome.gnome-tweaks
    gnome.gnome-themes-extra
    gnome.gnome-remote-desktop
    bibata-cursors
    gthumb
    oculante
@ -186,29 +195,29 @@
    vlc
    obs-studio
    spotify
    rawtherapee
    digikam
    # IM
    element-desktop
    tdesktop
    qq
    wechat-uos
    # Password manager
    bitwarden
    # Browser
    firefox
-    (chromium.override {
+    chromium
      commandLineArgs = [
        "--ozone-platform-hint=auto"
        "--enable-wayland-ime"
      ];
    })
    brave
    # Writting
    obsidian
    zotero
-    # onlyoffice-bin
+    onlyoffice-bin
    wpsoffice
    zed-editor
    config.nur.repos.linyinfeng.wemeet
--- a/machines/calcite/hardware-configuration.nix
+++ b/machines/calcite/hardware-configuration.nix
@ -10,16 +10,12 @@
  boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "ahci" "usbhid" ];
  boot.initrd.kernelModules = [ ];
  boot.initrd.luks.devices.cryptroot = {
    device = "/dev/disk/by-uuid/5a51f623-6fbd-4843-9f83-c895067e8e7d";
  };
  boot.kernelModules = [ "kvm-amd" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
-    { # device = "/dev/disk/by-label/NIXROOT";
+    { device = "/dev/disk/by-label/NIXROOT";
-      device = "/dev/mapper/cryptroot";
+      fsType = "ext4";
      fsType = "btrfs";
    };
  fileSystems."/boot/efi" =
--- a/machines/calcite/network.nix
+++ b/machines/calcite/network.nix
@ -19,11 +19,8 @@
  services.tailscale.enable = true;
  # services.tailscale.useRoutingFeatures = "both";
  services.dae.enable = true;
  services.dae.configFile = "/var/lib/dae/config.dae";
  custom.sing-box = {
-    enable = false;
+    enable = true;
    configFile = {
      urlFile = config.sops.secrets.sing_box_url.path;
      hash = "6ca5bc8a16f8c413227690aceeee2c12c02cab09473c216b849af1e854b98588";
--- a/machines/calcite/secrets.yaml
+++ b/machines/calcite/secrets.yaml
@ -1,7 +1,7 @@
 restic_repo_calcite_password: ENC[AES256_GCM,data:9ALTQULAMyLY4FIxuVztf9r3,iv:fObBBeqpHAVYl8YUopz9fZd3YWB+0sc8l+sR12rmxb4=,tag:l3xDc2/cpQr38X/cd7qMXA==,type:str]
 restic_repo_calcite: ENC[AES256_GCM,data:+m9cjMXrZoCPg/S+/wV4WFBmg6pbFpqJ7JOdwOX0Z37bgoQXh4wcVPKK3CLd7G/iQjpO8SXaqJ1/d8r4Ydk21Gp1WqkB8g==,iv:DweDUujXp6i5XwwxeFjUsLDOJQJlRIT6GKPPxABNWiY=,tag:hdBHIjAcDQ1Ky/8hIv3+Ow==,type:str]
 sing_box_url: ENC[AES256_GCM,data:2z2bDKdn51o1eaqhgE0pTg4FWcO8wcLNlnBZ69Q3Jm5GCxkXxsxN7DgqQvRVeakOHvaenQotF+nc6tlhKPsyzdQeG0yl3YYhGb9o3DkmpUjC6lalMSoiw1rSMVyBg4KYCWxmhR9iRurun62+5INGZwwHVqAjgWJhy/9+pdIFtgKyd/t0JhSU,iv:gIGbvRd88vZu3cVW7e4emZmmNO8QcubLrxS1sCwi4Co=,tag:AzLLtcA9jAbeuo6eWU6ilw==,type:str]
-gitea_env: ENC[AES256_GCM,data:ShKKQWSiIkQ4uaWBhN5uB3xSu/8u8LkDjZeFi3G5BZUj7Vy4hoMweyUXyMf7w9A=,iv:JK6NgIJlU8G7G/LrZtNyGC4K9jblImFXnzhUMdkFbUw=,tag:PYeafqgXaSpDNJ0oIENW4A==,type:str]
+gitea_env: ENC[AES256_GCM,data:hENSYBo2Zp9s+dVv9CHkf1kDqa+AU5XQFUWfww/rwGqFeZW0aouHMSxdW7ORU2o=,iv:KmqU1VnZ6LeIflBJ2hyTvLDPN/CSdqyBd2600xIVSNQ=,tag:DkwVTLuYJG6kEzl5dyV8pw==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -26,8 +26,8 @@ sops:
            WGlLdXVoZlp3bEFXZjlMdG1VOUZDNUkKQ2NNTE3OsNUr2pOI7qeNFSCVkUIVRS+g
            FG5FbJJcFihXqr+Qo0nZkq+xq07vIia7mKoqyoIfkKwweiVzDKyrkQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-04-05T04:32:32Z"
+    lastmodified: "2024-03-25T13:44:27Z"
-    mac: ENC[AES256_GCM,data:esdTvjxnVP5t721ROLvMCvHMAkcpEFgTzHIQNyEkEaL1DKYDOJKFjufPPXDiEBX8+ni9RGYL4QHuDxlh89p0HAFHb3XCkE639NyHr6MD/DzFHbenaMJXEcWy/RSoWqroyHJA8XL7ymBGeDH7ERqyQaxc3oG653V/Uq5+/a++HQI=,iv:QvSee/Wes5RygpoCOJpVuatj+xij8EPUBayE1yUWM3g=,tag:8Un2qrflqAFB0iWz2Evi5Q==,type:str]
+    mac: ENC[AES256_GCM,data:RPm7Y6R19Ygs2tptgQNap4AMZ2PgRwigGXVMpNcBT94L1YJoSGaJUDwukqHuzHGPvOqMZaEMIlorWQ5Ou7MSVhWZE2V8IsRCC5IWqcFI1FQjKc9WcImuIXPILKwCX+ScWrzbSmV0iYWxbeXTPU77pW4kAB7n4w/9CZfMP8BJcOw=,iv:sS0ttKYmaulWAY99awyBGCNpGxg8F0QCxeVmI2LbvP8=,tag:Av8VRPEmyeVV31S59sfPYA==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/machines/dolomite/bandwagon.nix
+++ b/machines/dolomite/bandwagon.nix
@ -10,7 +10,7 @@ in
    isBandwagon = lib.mkEnableOption "Bandwagon instance";
  };
-  config = lib.mkIf cfg {
+  config = lib.mkIf cfg.isBandwagon {
    boot.initrd.availableKernelModules = [ "ata_piix" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
    boot.initrd.kernelModules = [ ];
    boot.kernelModules = [ ];
@ -28,8 +28,9 @@ in
    swapDevices = [ ];
-    boot.loader.grub.enable = true;
+    boot.loader.grub.enable = lib.mkForce true;
-    boot.loader.grub.device = "/dev/sda";
+    boot.loader.grub.version = lib.mkForce 2;
    boot.loader.grub.device = lib.mkForce "/dev/sda";
    networking.useDHCP = false;
    networking.interfaces.ens18.useDHCP = true;
    networking.interfaces.ens19.useDHCP = true;
--- a/machines/dolomite/default.nix
+++ b/machines/dolomite/default.nix
@ -1,13 +1,13 @@
-{ config, lib, ... }:
+{ inputs, config, pkgs, lib, modulesPath, ... }:
 let
-  awsHosts = [ "tok-00 "];
+  awsHosts = [ "sgp-00" "tok-00 "];
  bwgHosts = [ "la-00" ];
 in
 {
  imports = [
    ../sops.nix
-    ./bandwagon.nix
+   ./bandwagon.nix
-    ./lightsail.nix
+   ./lightsail.nix
  ];
--- a/machines/dolomite/lightsail.nix
+++ b/machines/dolomite/lightsail.nix
@ -1,106 +1,13 @@
 { config, lib, pkgs, modulesPath, ... }:
 with lib;
 let
-  cfg = config.ec2;
+  cfg = config.isLightsail;
 in
 {
-  imports = [ 
+  imports = [ "${modulesPath}/virtualisation/amazon-image.nix" ];
    "${modulesPath}/profiles/headless.nix"
    # Note: While we do use the headless profile, we also explicitly
    # turn on the serial console on ttyS0 below. This is because
    # AWS does support accessing the serial console:
    # https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configure-access-to-serial-console.html
    "${modulesPath}/virtualisation/ec2-data.nix"
    "${modulesPath}/virtualisation/amazon-init.nix"
  ];
  options = {
-    isLightsail = mkEnableOption "Lightsail instance";
+    isLightsail = lib.mkEnableOption "Lightsail instance";
  };
-
+  config = lib.mkIf cfg.isLightsail{
-  config = mkIf config.isLightsail {
+    boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";
    boot.loader.grub.device = "/dev/nvme0n1";
    # from nixpkgs amazon-image.nix
    assertions = [ ];
    boot.growPartition = true;
    fileSystems."/" = mkIf (!cfg.zfs.enable) {
      device = "/dev/disk/by-label/nixos";
      fsType = "ext4";
      autoResize = true;
    };
    fileSystems."/boot" = mkIf (cfg.efi || cfg.zfs.enable) {
      # The ZFS image uses a partition labeled ESP whether or not we're
      # booting with EFI.
      device = "/dev/disk/by-label/ESP";
      fsType = "vfat";
    };
    services.zfs.expandOnBoot = mkIf cfg.zfs.enable "all";
    boot.zfs.devNodes = mkIf cfg.zfs.enable "/dev/";
    boot.extraModulePackages = [
      config.boot.kernelPackages.ena
    ];
    boot.initrd.kernelModules = [ "xen-blkfront" ];
    boot.initrd.availableKernelModules = [ "nvme" ];
    boot.kernelParams = [ "console=ttyS0,115200n8" "random.trust_cpu=on" ];
    # Prevent the nouveau kernel module from being loaded, as it
    # interferes with the nvidia/nvidia-uvm modules needed for CUDA.
    # Also blacklist xen_fbfront to prevent a 30 second delay during
    # boot.
    boot.blacklistedKernelModules = [ "nouveau" "xen_fbfront" ];
    boot.loader.grub.efiSupport = cfg.efi;
    boot.loader.grub.efiInstallAsRemovable = cfg.efi;
    boot.loader.timeout = 1;
    boot.loader.grub.extraConfig = ''
      serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1
      terminal_output console serial
      terminal_input console serial
    '';
    systemd.services.fetch-ec2-metadata = {
      wantedBy = [ "multi-user.target" ];
      wants = [ "network-online.target" ];
      after = ["network-online.target"];
      path = [ pkgs.curl ];
      script = builtins.readFile ./ec2-metadata-fetcher.sh;
      serviceConfig.Type = "oneshot";
      serviceConfig.StandardOutput = "journal+console";
    };
    # Amazon-issued AMIs include the SSM Agent by default, so we do the same.
    # https://docs.aws.amazon.com/systems-manager/latest/userguide/ami-preinstalled-agent.html
    services.amazon-ssm-agent.enable = true;
    # Allow root logins only using the SSH key that the user specified
    # at instance creation time.
    services.openssh.enable = true;
    services.openssh.settings.PermitRootLogin = "prohibit-password";
    # Enable the serial console on ttyS0
    systemd.services."serial-getty@ttyS0".enable = true;
    # Creates symlinks for block device names.
    services.udev.packages = [ pkgs.amazon-ec2-utils ];
    # Force getting the hostname from EC2.
    # networking.hostName = mkDefault "";
    # Always include cryptsetup so that Charon can use it.
    environment.systemPackages = [ pkgs.cryptsetup ];
    # EC2 has its own NTP server provided by the hypervisor
    networking.timeServers = [ "169.254.169.123" ];
    # udisks has become too bloated to have in a headless system
    # (e.g. it depends on GTK).
    services.udisks2.enable = false;
  };
 }
--- a/machines/massicot/services.nix
+++ b/machines/massicot/services.nix
@ -35,23 +35,18 @@ in
    };
  };
-  systemd.mounts = map (share: {
+  fileSystems = builtins.listToAttrs (map (share: {
-    what = "//u380335-sub1.your-storagebox.de/u380335-sub1/${share}";
+    name = "/mnt/storage/${share}";
-    where = "/mnt/storage/${share}";
+    value = { 
-    type = "cifs";
+      device = "//u380335-sub1.your-storagebox.de/u380335-sub1/${share}";
-    options = "rw,uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path},_netdev,fsc";
+      fsType = "cifs";
-    before = [ "${share}.service" ];
+      options = ["uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path},rw,x-systemd.automount"];
-    after = [ "cachefilesd.service" ];
+    };
-    wantedBy = [ "${share}.service" ];
+  }) [ "forgejo" "gotosocial" "conduit" "hedgedoc" ] );
  }) [ "forgejo" "gotosocial" "conduit" "hedgedoc" ];
  services.cachefilesd.enable = true;
  system.activationScripts = {
    conduit-media-link.text = ''
-      mkdir -m 700 -p /var/lib/private/matrix-conduit/media
+      ln -snf /mnt/storage/conduit/media /var/lib/private/matrix-conduit/media
      chown conduit:conduit /var/lib/private/matrix-conduit/media
      mount --bind --verbose /mnt/storage/conduit/media /var/lib/private/matrix-conduit/media
    '';
  };
  security.acme = {
@ -81,8 +76,6 @@ in
      server_name = "xinyang.life";
      port = 6167;
      # database_path = "/var/lib/matrix-conduit/";
      max_concurrent_requests = 100;
      log = "info";
      database_backend = "rocksdb";
      allow_registration = false;
    };
@ -160,24 +153,22 @@ in
    virtualHosts."xinyang.life:443".extraConfig = ''
      tls internal
      encode zstd gzip
      reverse_proxy /_matrix/* localhost:6167
      handle_path /.well-known/matrix/client {
          header Content-Type "application/json"
          header Access-Control-Allow-Origin "*"
          header Content-Disposition attachment; filename="client"
-          respond `{"m.homeserver":{"base_url":"https://msg.xinyang.life/"}, "org.matrix.msc3575.proxy":{"url":"https://msg.xinyang.life/"}}`
+          respond `{"m.homeserver":{"base_url":"https://xinyang.life/"}, "org.matrix.msc3575.proxy":{"url":"https://xinyang.life/"}}`
      }
      handle_path /.well-known/matrix/server {
          header Content-Type "application/json"
          header Access-Control-Allow-Origin "*"
-          respond `{"m.server": "msg.xinyang.life:443"}`
+          respond `{"m.server": "xinyang.life:443"}`
      }
      reverse_proxy * http://localhost:8080 {
          flush_interval -1
      }
    '';
    virtualHosts."https://msg.xinyang.life:443".extraConfig = ''
      reverse_proxy /_matrix/* localhost:6167
    '';
    virtualHosts."https://git.xinyang.life:443".extraConfig = ''
      reverse_proxy http://${config.services.gitea.settings.server.DOMAIN}:${toString config.services.gitea.settings.server.HTTP_PORT}
    '';
--- a/machines/raspite/configuration.nix
+++ b/machines/raspite/configuration.nix
@ -1,9 +1,6 @@
-{ config, lib, pkgs, ... }:
+{ config, libs, pkgs, ... }:
 {
  imports = [
    ./hass.nix
  ];
  nixpkgs.overlays = [
    # Workaround https://github.com/NixOS/nixpkgs/issues/126755#issuecomment-869149243
    (final: super: {
@ -12,20 +9,28 @@
    })
  ];
  imports = [
    ../sops.nix
  ];
  environment.systemPackages = with pkgs; [
    git
    libraspberrypi
    raspberrypi-eeprom
  ];
  # Use mirror for binary cache
  nix.settings.substituters = [
    "https://mirrors.bfsu.edu.cn/nix-channels/store"
    "https://mirrors.ustc.edu.cn/nix-channels/store"
    "https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store"
  ];
  nix.settings.experimental-features = [ "nix-command" "flakes" ];
-  system.stateVersion = "24.05";
+  sops = {
    secrets.password = {
      sopsFile = ./secrets.yaml;
    };
  };
  system.stateVersion = "22.11";
  networking = {
    hostName = "raspite";
@ -33,31 +38,23 @@
    interfaces.eth0.useDHCP = true;
  };
-  # boot.kernelPackages = pkgs.linuxPackages_stable;
+  networking.proxy = {
    default = "http://127.0.0.1:7890/";
    noProxy = "127.0.0.1,localhost,internal.domain,.coho-tet.ts.net";
  };
-  custom.kanidm-client = {
+  services.openssh = {
    enable = true;
    uri = "https://auth.xinyang.life";
    asSSHAuth = {
      enable = true;
      allowedGroups = [ "linux_users" ];
      hardening = true;
    };
    sudoers = [ "xin@auth.xinyang.life" ];
  };
-  security.sudo = {
+  systemd.services.sshd.wantedBy = pkgs.lib.mkForce [ "multi-user.target" ];
-    execWheelOnly = true;
+  
-    wheelNeedsPassword = false;
+  users.users.xin = {
    isNormalUser = true;
    extraGroups = [ "wheel" "networkmanager" ];
    openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIInPn+7cMbH7zCEPJArU/Ot6oq8NHo8a2rYaCfTp7zgd xin@nixos" ];
    # passwordFile = config.sops.secrets.password.path;
    hashedPassword = "$y$j9T$KEOMZBlXtudOYWq/elAdI.$Vd3X8rjEplbuRBeZPp.8/gpL3zthpBNjhBR47wFc8D4";
  };
  nix.settings = {
    trusted-users = [ "@wheel" ];
  };
  # fileSystems."/".fsType = lib.mkForce "btrfs";
  boot.supportedFilesystems.zfs = lib.mkForce false;
  services.dae.enable = false;
  services.dae.configFile = "/var/lib/dae/config.dae";
 }
--- a/machines/raspite/hass.nix
+++ b/machines/raspite/hass.nix
@ -1,50 +0,0 @@
 { config, pkgs, ... }: {
  services.home-assistant = {
    enable = true;
    extraComponents = [
      "default_config"
      "esphome"
      "met"
      "radio_browser"
    ];
    openFirewall = false;
    config = {
      default_config = {};
      http = {
        server_host = "::1";
        base_url = "raspite.local:1000";
        use_x_forward_for = true;
        trusted_proxies = [
          "::1"
        ];
      };
    };
  };
  services.esphome = {
    enable = true;
    openFirewall = false;
  };
  users.groups.dialout.members = config.users.groups.wheel.members;
  environment.systemPackages = with pkgs; [
    zigbee2mqtt
  ];
  networking.firewall.allowedTCPPorts = [ 1000 1001 ];
  services.caddy = {
    enable = true; 
    virtualHosts = {
        # reverse_proxy ${config.services.home-assistant.config.http.server_host}:${toString config.services.home-assistant.config.http.server_port}
      "raspite.local:1000".extraConfig = ''
        reverse_proxy http://[::1]:8123
      '';
      "raspite.local:1001".extraConfig = ''
        reverse_proxy ${config.services.esphome.address}:${toString config.services.esphome.port}
      '';
    };
  };
 }
--- a/machines/secrets.yaml
+++ b/machines/secrets.yaml
@ -17,65 +17,56 @@ sops:
        - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMdjlhNVZpUjYzRTVXNG9Y
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0MUxIZHJTYk9YS0lPOGZK
-            S0lEUVdoM003YVZoeXYyOXdwY3Rla3VJSkZvCkl0a3FPeVpMY1JTWkdCb3NaeVBQ
+            VUJhQ1liNEtXZ3ZYaCtqQWVBTGVJclVVRER3CmJUcS9yY2x1TFFYMkpZOWxZeW5w
-            dHVSVzg1cDNIS3JnMmYxbUlzbjFicG8KLS0tIHFENDNaZENzSzJQZDVLSVJ5VHBP
+            WFk0WTNoWmphdG12dTdHaW9tYVRjS1UKLS0tIHd4enVwalRDaHQwK0U1RFNHOEVI
-            aVpJN1dkbEQ2djQyWVdRTUx4NGdaaTgKgfcGovmMgVFHkPLHT7C5bg75LXg8MFK0
+            N0UrRjRxTWJRanI4VnRjWlhzQS8zSGsKSJJnFuEp7yO8bIh2LpSvgjsYAK05u2TE
-            s8IL8qhHif4uzMuFjdw9MzyuQc1bqGzazX5YC1MYLYCOWHRlLq9mXw==
+            a+UBiu6xQQaUnL02CAau4xHqBn9GZxeqlVAjVSJITArLR/uQkkUM6g==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWQXdMdzMxNzE3SHpZR09w
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZT3ZES3BHWWpDekt0VEYz
-            OTFtNzJLdVk5bWlyNGl4RzA4NWFUQTlvbUQ4ClhGZHI3ekJWYnNwamJXWWVtc3do
+            emUvUTQ3WUFWd0w2VlVSWHMrd3ZvZjYvYlJZCkcyRjBZWEdGTXJZVENyZ1U2YTV2
-            TXpoWERqT24rMjRtQUJUb2RKSm9BUjQKLS0tIHd6QXUrWVJ5aU52VEtDL01Kd2d2
+            eU1MS3NCQzZ3Y3ZhOG4rRVByU1ZlRU0KLS0tIFdGVTliOFpSTWl0YlV6OTVUbk9O
-            V3U4cTNoVzYzdmt5YkpNUmsyUWtCaEkKhxEQVVt2zvVGFGtlfPr0sQ7b0yUDRDOV
+            SjBoUnNOVTB1QWFDYnVwWkhaN3d0VGMKjNiW597mLAogPyDBUhEDYd/VyePXesL7
-            CN8nxyO0NiuvEKSkw+KCkcNWNQZDnHTQ3pwWyAohRZk3vB/RSuApCg==
+            kzyV/e8t/5zHs3/I17ZUd8bxdCjbrrXI1g4Swx31yCgZOk8uKAuLRQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1nugzw24upk8pz5lyz2z89qk8se4gpcsg3ypcs58nykncr56sevrsm8qpvj
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsdlh1Kyt4KzlFR2RkTmFo
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQaTlNTjVXTHFzNS9GUk1S
-            S00zK1RDNnJwVzQ4Um93TDBEcnJZUjJLUG00CjloMFdaNm5LU2lRRVpnM0RpN3BR
+            bVMxeWdwSUlmN3B6QlovejI3SlNuc2dJMjFVClF2VFRVNjFrQldRcHNLeWhpWFE1
-            Ly9pUkxuZHd3NHJRSG1Ha3ZVcE50RkUKLS0tIDN1K0xnb01EL2Q3aG5RV0grdmdl
+            UDRvY3RTZHZCa2RDZ1RmVWRHb2ttUVUKLS0tIEI0QS9SL3lTeXVITVgvcHVCNmdW
-            TWh3ZStZQ3lNYkh2cjJ1RWhLRDJ0KzQK/+R6hFg8ErtT/rkSOCwRdArTPIE/J9Yv
+            cVl6T3NWWEVkWExuTldqQU5CUzFTM1UKFYD1jdEQfFRNBkRyL+1gZzCdpJHN7QqU
-            2qZmREM7q99L5w6lEBTn9SRekowk0ncwIoTxRfn576wyl++b8gBv9Q==
+            4CVOsIeVl6ufWG4D2FfP4Zow5uhnvDXmWqBCmpJ/iVKnu3klihlndA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJelptN09Oa0NRdTFER2du
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxRGZ5WVFJQzFSWlR6dDMv
-            clZGM09uMlhpMlZDQ2VvTTZOZ09VWGNwaWpjCmRuMjM3VTRpT3hRaWpEYW5HaWRr
+            bXJsNlZLeVVpK1RuaVpySkcreHE1SkNMSjA4CkxGMzVvZHZ4ZTdRdzh6K3V6OVQ0
-            K2pEM3dLYjhSS25hSUtrYkRvYXpCd2MKLS0tIHU2eDlXdVBlZUFTMjYxRTladVJV
+            RkI3bWg5ZUw5RFlQN05zdC9HVkdjYlUKLS0tIGdibTdwbnRhMmZEZ2VPelF6a3Aw
-            cjZ0dGtmM29YdXI5Z1RpVVdRSktBU2MKdR5d6fb2EHX5j51qE5gg0GXKjy4fCpT0
+            U1dGQmxOTklFTmFaMTc1MGQvRVB1TzgKkhxjImoj1lxpvBMjKJJOiM2eC2bQ73Ay
-            Q+fZslCPDZqaOX/9kGT874TuW4CC1wttpsCDNIEzrX54SvIGfsVPgg==
+            Rket8CjZnfRhYDD9YoOWBNswONQoVY8/dSXgLDObtfFxbnjZ1pj63A==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmRUhOaVhSMFJFcC9qYytK
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3RWRsdXNTQkNJWXFTODY4
-            dHJ1ZUg1SWRBeTVSeFhDRW1VbG1HWUJaUEhvCnBOaENFUXlJWHAxQ0ZGVGFxQkpC
+            WVNYb2xKZHJWWTUvZmlMS3VkYnhWQkVaZHpFCjJjY2JzeFQza3llNHZFYWVVK0Ri
-            b3dwb0VJVTR1MUNDT3VQR0tsNE5vUDQKLS0tIEJkbWN5MWRtKzRveldvT2dMR2k1
+            K2ZJNUlZMWxFbGdhQ2pxRlh4VjVITFkKLS0tIGFHSDI5aW5aTUdFTEJOMnNjVXlm
-            djdBQzNvSFNPRDZwN1B1dG5sUzlRdzgK35bNxRGDQw+dtnXcXSXk67kJFce52vqn
+            SVlDVk9Xdnc0WVpFN2VmSlZIajJielkKz8xnfxIArN9PLjUorYPzakmLx7/bsoq0
-            srABR9FOYmSfesLKXOdKItLAGffkfB7kuiXO7CvyVTkgJOjBgK6Tnw==
+            EfoiB6ZpuWMeNEmfHygTEUPTC7eWw42EIYk964vI6LySFQyO3Z8p5g==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1fw2sqaa5s9c8ml6ncsexkj8ar4288387ju92ytjys4awf9aw6smqqz94dh
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNb2JOOUlGL1pCVXVYZk1j
            cWg0NE13WnBUWDA4VTNRdlNmWktRN0lJbkVBCkpHTklwbnFsd0NBOTY5V0JCTVJN
            alVFeW41ajlZR2dHZDlrL2FtazB6QU0KLS0tIDhoTXppS0lnZmFJY1lhSDBudVB4
            NHFLdnorOUtJSzVPWldYakppZFJwdlEKbZnT7m6R7H/yLG+tDbQECgQVGX0xT4jC
            67z8k6xbnsT2srhhXk/NHi+/j7AcHhPG6cTO1z8MrxkMikk8ihU1Iw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1jle2auermhswqtehww9gqada8car5aczrx43ztzqf9wtcld0sfmqzaecta
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIaHFOa1ArRW5xWFAyWXlh
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2WFIzVEZPUmFBclpweDZR
-            enpQUzZKbFFFUzN1cisrd2JGelpXSWppRnhvCmY5VDlSTFhJakt3aU8zYjRrZXVQ
+            WXZFb0FjcWxDRTNpQmFRaU9BY0lPTzAxNWhvClk5UmxFQllGQ29VOGIxeS9xMmV2
-            b3o2NlpCeGZZU1ROeW5XOFVpdEZnZXcKLS0tIGZ5M2IxNHp0Qm8rckROdy96a0pG
+            SUdEaFJ3bFZPSjVjQ1JnVS9jSWxXaWcKLS0tIGs0ZE0wMUZDeGNWNlhoN3JOMmlG
-            NjVEaWN3cU1rRjQ2a29wV1g1NzE0UTAKNefzj+p+U735LHqm5lnWGHCARuqvFmgA
+            c1E1Sld1ejZhTStKTU5teEJKT2JwVXcKuEQnA6b1WJ+RNqmrZ8t3joiEZ57Oq9M1
-            6bxJN9frAMZQIXZSwOTrfpYrTmKcBLcfWxq7LUPluw9HinQnkFpWqg==
+            P4tMGerB12A1myTJlt5Ss2OCTBUV7ooVRNsyPjyvJy/YTyjqZ5xmxg==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-01-07T13:13:50Z"
    mac: ENC[AES256_GCM,data:cAc3Wp5KjuaKWv0e2ciPVzvsK2L6BgupYS2+5Vlr+Wn0RBsuLA0OEW2pQbm5hpUJaWO65qQk5IeMvK/h8otYLgGHGzz23NiZTNeAknw6z2mL5y+GgP22mBOMzPU2PtaJKXkt624T1sZzW4QTMo8TqBlzy7D10odyjkVn6Wd+OGE=,iv:zucnHwHjY4DX3jIKuuIGpa2no9svOEordGN0LsPKDuc=,tag:JQZMyBO3yZIW+ZTIKDUPCQ==,type:str]
--- a/modules/home-manager/alacritty.nix
+++ b/modules/home-manager/alacritty.nix
@ -18,7 +18,6 @@ in
          args = [
            "attach"
            "-c"
            "alacritty-zellij"
          ];
        };
        font.size = 10.0;
@ -26,7 +25,14 @@ in
          resize_increments = true;
          dynamic_padding = true;
        };
        import = [
          "${config.xdg.configHome}/alacritty/catppuccin-macchiato.toml"
        ];
      };
    };
    xdg.configFile."alacritty/catppuccin-macchiato.toml".source = builtins.fetchurl {
      url = "https://raw.githubusercontent.com/catppuccin/alacritty/main/catppuccin-macchiato.toml";
      sha256 = "sha256:1iq187vg64h4rd15b8fv210liqkbzkh8sw04ykq0hgpx20w3qilv";
    };
  };
 }
--- a/modules/home-manager/git.nix
+++ b/modules/home-manager/git.nix
@ -36,6 +36,7 @@ in
        signByDefault = true;
        key = cfg.signing.keyFile;
      };
      extraConfig.user = mkIf cfg.signing.enable {
        signingkey = cfg.signing.keyFile;
      };
--- a/modules/home-manager/vscode.nix
+++ b/modules/home-manager/vscode.nix
@ -22,13 +22,11 @@ let
        llvm-vs-code-extensions.vscode-clangd
        (ms-vscode.cmake-tools.overrideAttrs (_: { sourceRoot = "extension"; }))
        twxs.cmake
        ms-vscode.cpptools
      ];
      settings = {
        "cmake.configureOnEdit" = false;
        "cmake.showOptionsMovedNotification" = false;
        "cmake.showNotAllDocumentsSavedQuestion" = false;
        "C_Cpp.intelliSenseEngine" = "Disabled";
      };
    };
    pythonPackages = {
@ -39,7 +37,7 @@ let
      settings = { };
    };
    scalaPackages = {
-      systemPackages = with pkgs; [ coursier ];
+      systemPackages = with pkgs; [ ];
      extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [
        scala-lang.scala
        scalameta.metals
@ -56,7 +54,7 @@ let
        "latex-workshop.latex.tools" = [
          { "name" = "xelatex";
            "command" = "xelatex";
-            "args" = [ "-synctex=1" "-interaction=nonstopmode" "-file-line-error" "%DOCFILE%" ];
+            "args" = [ "-synctex=1" "-interaction=nonstopmode" "-file-line-error" "-pdf" "%DOCFILE%" ];
          }
          { "name" = "pdflatex";
            "command" = "pdflatex";
@ -106,7 +104,6 @@ in
    ] ++ zipAttrsWithLanguageOption "systemPackages");
    programs.vscode = {
      enable = true;
      package = pkgs.vscode.override { commandLineArgs = "--enable-wayland-ime"; };
      enableUpdateCheck = false;
      enableExtensionUpdateCheck = false;
      mutableExtensionsDir = false;
@ -134,6 +131,7 @@ in
          catppuccin.catppuccin-vsc
          # Rust
          rust-lang.rust-analyzer
        # ]) ++ ;
        ])
      ] ++ zipAttrsWithLanguageOption "extension");
      userSettings = lib.mkMerge ([
--- a/modules/home-manager/zellij.nix
+++ b/modules/home-manager/zellij.nix
@ -20,6 +20,7 @@ in
            "Ctrl n"
          ];
        };
        theme = "catppuccin-macchiato";
      };
    };
  };
--- a/modules/nixos/kanidm-client.nix
+++ b/modules/nixos/kanidm-client.nix
@ -16,10 +16,6 @@ in
              type = types.listOf types.str;
              example = [ "linux_users" ];
            };
            hardening = mkOption {
              type = types.bool;
              default = false;
            };
          };
        };
      };
@ -52,15 +48,7 @@ in
      enable = true;
      authorizedKeysCommand = "/etc/ssh/auth %u";
      authorizedKeysCommandUser = "kanidm-ssh-runner"; 
      settings = mkIf cfg.asSSHAuth.enable {
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
        PermitRootLogin = lib.mkForce "no";
        GSSAPIAuthentication = "no";
        KerberosAuthentication = "no";
      };
    };
    environment.etc."ssh/auth" = mkIf cfg.asSSHAuth.enable {
      mode = "0555";
      text = ''
@ -71,7 +59,6 @@ in
    users.groups.wheel.members = cfg.sudoers;
    users.groups.kanidm-ssh-runner = { };
    users.users.kanidm-ssh-runner = { isSystemUser = true; group = "kanidm-ssh-runner"; };
  };
 }
--- a/oci-images/nix-ci-base/flake.nix
+++ b/oci-images/nix-ci-base/flake.nix
@ -29,13 +29,6 @@
          extraPkgs = with pkgs; [
            nodejs_20 # nodejs is needed for running most 3rdparty actions
            # add any other pre-installed packages here
            curl
            xz
            openssl
            coreutils-full
            cmake
            gnumake
            gcc
          ];
          # change this is you want 
          channelURL = "https://nixos.org/channels/nixpkgs-23.11";
--- a/overlays/add-ime-electron.nix
+++ b/overlays/add-ime-electron.nix
@ -1,9 +0,0 @@
 { config, pkgs, lib, ... }:
 {
  nixpkgs.overlays = [
    (self: super: { 
      element-desktop = super.element-desktop.override { commandLineArgs = "--enable-wayland-ime"; };
    })
  ];
 }
--- a/overlays/add-pkgs.nix
+++ b/overlays/add-pkgs.nix
@ -4,6 +4,7 @@
  nixpkgs.overlays = [
    (self: super: { 
      ssh-tpm-agent = pkgs.callPackage ./pkgs/ssh-tpm-agent.nix { };
      wechat-uos = pkgs.callPackage ./pkgs/wechat-uos.nix { };
    })
  ];
 }
--- a/overlays/pkgs/wechat-uos.nix
+++ b/overlays/pkgs/wechat-uos.nix
@ -0,0 +1,239 @@
 { stdenvNoCC
 , stdenv
 , lib
 , fetchurl
 , requireFile
 , dpkg
 , nss
 , nspr
 , xorg
 , pango
 , zlib
 , atkmm
 , libdrm
 , libxkbcommon
 , xcbutilwm
 , xcbutilimage
 , xcbutilkeysyms
 , xcbutilrenderutil
 , mesa
 , alsa-lib
 , wayland
 , openssl_1_1
 , atk
 , qt6
 , at-spi2-atk
 , at-spi2-core
 , dbus
 , cups
 , gtk3
 , libxml2
 , cairo
 , freetype
 , fontconfig
 , vulkan-loader
 , gdk-pixbuf
 , libexif
 , ffmpeg
 , pulseaudio
 , systemd
 , libuuid
 , expat
 , bzip2
 , glib
 , libva
 , libGL
 , libnotify
 , buildFHSEnv
 , writeShellScript
 , /**
  License for wechat-uos, packed in a gz archive named "license.tar.gz".
  It should have the following files:
  license.tar.gz
  ├── etc
  │   ├── lsb-release
  │   └── os-release
  └── var
      ├── lib
      │   └── uos-license
      │       └── .license.json
      └── uos
          └── .license.key
  */
  uosLicense ? requireFile {
    name = "license.tar.gz";
    url = "https://www.uniontech.com";
    sha256 = "53760079c1a5b58f2fa3d5effe1ed35239590b288841d812229ef4e55b2dbd69";
  }
 }:
 let
  wechat-uos-env = stdenvNoCC.mkDerivation {
    meta.priority = 1;
    name = "wechat-uos-env";
    buildCommand = ''
      mkdir -p $out/etc
      mkdir -p $out/lib/license
      mkdir -p $out/usr/bin
      mkdir -p $out/usr/share
      mkdir -p $out/opt
      mkdir -p $out/var
      ln -s ${wechat}/opt/* $out/opt/
      ln -s ${wechat}/usr/lib/wechat-uos/license/etc/os-release  $out/etc/os-release
      ln -s ${wechat}/usr/lib/wechat-uos/license/etc/lsb-release  $out/etc/lsb-release
      ln -s ${wechat}/usr/lib/wechat-uos/license/var/*  $out/var/
      ln -s ${wechat}/usr/lib/wechat-uos/license/libuosdevicea.so $out/lib/license/
    '';
    preferLocalBuild = true;
  };
  wechat-uos-runtime = with xorg; [
    stdenv.cc.cc
    stdenv.cc.libc
    pango
    zlib
    xcbutilwm
    xcbutilimage
    xcbutilkeysyms
    xcbutilrenderutil
    libX11
    libXt
    libXext
    libSM
    libICE
    libxcb
    libxkbcommon
    libxshmfence
    libXi
    libXft
    libXcursor
    libXfixes
    libXScrnSaver
    libXcomposite
    libXdamage
    libXtst
    libXrandr
    libnotify
    atk
    atkmm
    cairo
    at-spi2-atk
    at-spi2-core
    alsa-lib
    dbus
    cups
    gtk3
    gdk-pixbuf
    libexif
    ffmpeg
    libva
    freetype
    fontconfig
    libXrender
    libuuid
    expat
    glib
    nss
    nspr
    libGL
    libxml2
    pango
    libdrm
    mesa
    vulkan-loader
    systemd
    wayland
    pulseaudio
    qt6.qt5compat
    openssl_1_1
    bzip2
  ];
  wechat = stdenvNoCC.mkDerivation
    rec {
      pname = "wechat-uos";
      version = "1.0.0.238";
      src = {
        x86_64-linux = fetchurl {
          url = "https://pro-store-packages.uniontech.com/appstore/pool/appstore/c/com.tencent.wechat/com.tencent.wechat_${version}_amd64.deb";
          hash = "sha256-NxAmZ526JaAzAjtAd9xScFnZBuwD6i2wX2/AEqtAyWs=";
        };
        aarch64-linux = fetchurl {
          url = "https://pro-store-packages.uniontech.com/appstore/pool/appstore/c/com.tencent.wechat/com.tencent.wechat_${version}_arm64.deb";
          hash = "sha256-3ru6KyBYXiuAlZuWhyyvtQCWbOJhGYzker3FS0788RE=";
        };
        loongarch64-linux = fetchurl {
          url = "https://pro-store-packages.uniontech.com/appstore/pool/appstore/c/com.tencent.wechat/com.tencent.wechat_${version}_loongarch64.deb";
          hash = "sha256-iuJeLMKD6v8J8iKw3+cyODN7PZQrLpi9p0//mkI0ujE=";
        };
      }.${stdenv.system} or (throw "${pname}-${version}: ${stdenv.system} is unsupported.");
      # Don't blame about this. WeChat requires some binary from here to work properly
      uosSrc = {
        x86_64-linux = fetchurl {
          url = "https://pro-store-packages.uniontech.com/appstore/pool/appstore/c/com.tencent.weixin/com.tencent.weixin_2.1.5_amd64.deb";
          hash = "sha256-vVN7w+oPXNTMJ/g1Rpw/AVLIytMXI+gLieNuddyyIYE=";
        };
        aarch64-linux = fetchurl {
          url = "https://pro-store-packages.uniontech.com/appstore/pool/appstore/c/com.tencent.weixin/com.tencent.weixin_2.1.5_arm64.deb";
          hash = "sha256-XvGFPYJlsYPqRyDycrBGzQdXn/5Da1AJP5LgRVY1pzI=";
        };
        loongarch64-linux = fetchurl {
          url = "https://pro-store-packages.uniontech.com/appstore/pool/appstore/c/com.tencent.weixin/com.tencent.weixin_2.1.5_loongarch64.deb";
          hash = "sha256-oa6rLE6QXMCPlbebto9Tv7xT3fFqYIlXL6WHpB2U35s=";
        };
      }.${stdenv.system} or (throw "${pname}-${version}: ${stdenv.system} is unsupported.");
      inherit uosLicense;
      nativeBuildInputs = [ dpkg ];
      unpackPhase = ''
        runHook preUnpack
        dpkg -x $src ./wechat-uos
        dpkg -x $uosSrc ./wechat-uos-old-source
        tar -xvf $uosLicense
        runHook postUnpack
      '';
      installPhase = ''
        runHook preInstall
        mkdir -p $out
        cp -r wechat-uos/* $out
        mkdir -pv $out/usr/lib/wechat-uos/license
        cp -r license/* $out/usr/lib/wechat-uos/license
        cp -r wechat-uos-old-source/usr/lib/license/libuosdevicea.so $out/usr/lib/wechat-uos/license/
        runHook postInstall
      '';
      meta = with lib; {
        description = "Messaging app";
        homepage = "https://weixin.qq.com/";
        license = licenses.unfree;
        platforms = [ "x86_64-linux" "aarch64-linux" "loongarch64-linux" ];
        sourceProvenance = with sourceTypes; [ binaryNativeCode ];
        maintainers = with maintainers; [ pokon548 ];
        mainProgram = "wechat-uos";
      };
    };
 in
 buildFHSEnv {
  inherit (wechat) name meta;
  runScript = writeShellScript "wechat-uos-launcher" ''
    export QT_QPA_PLATFORM=xcb
    export LD_LIBRARY_PATH=${lib.makeLibraryPath wechat-uos-runtime}
    ${wechat.outPath}/opt/apps/com.tencent.wechat/files/wechat
  '';
  extraInstallCommands = ''
    mkdir -p $out/share/applications
    mkdir -p $out/share/icons
    cp -r ${wechat.outPath}/opt/apps/com.tencent.wechat/entries/applications/com.tencent.wechat.desktop $out/share/applications
    cp -r ${wechat.outPath}/opt/apps/com.tencent.wechat/entries/icons/* $out/share/icons/
    mv $out/bin/$name $out/bin/wechat-uos
    substituteInPlace $out/share/applications/com.tencent.wechat.desktop \
      --replace-quiet 'Exec=/usr/bin/wechat' "Exec=$out/bin/wechat-uos --"
  '';
  targetPkgs = pkgs: [ wechat-uos-env ];
  extraOutputsToInstall = [ "usr" "var/lib/uos" "var/uos" "etc" ];
 }