chore: clean up flake.nix, remove inputs from specialArgs

flake.lock

@@ -513,11 +513,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1731815985,
+        "lastModified": 1731819057,
-        "narHash": "sha256-PgX3UFz1YESfEeGmp2HYYBc/3Vp59bPbBLtNN4VMIgI=",
+        "narHash": "sha256-nfqKsQhFCakM+eIKGf/JWu/g56rOPoGny10EZN8q7R0=",
         "owner": "xinyangli",
         "repo": "nixpkgs",
-        "rev": "5ddf4ef59567ff1e43adacde9f677f2cbd958287",
+        "rev": "b2644ed7258502987ad4a70cf8959bf5a26ce26d",
         "type": "github"
       },
       "original": {
@@ -555,11 +555,11 @@
     },
     "nur": {
       "locked": {
-        "lastModified": 1731815686,
+        "lastModified": 1731819675,
-        "narHash": "sha256-6HPZVrwQOZzeaW5QseyXnghK76a3aDnRoQf+L+cpNms=",
+        "narHash": "sha256-GGp/rEfxRdi1BD9TlHoXxp2g9IuKDp0Jk7wYh1LacP8=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "4cde5b2ea07d8c05570d7305738a9870b1a14700",
+        "rev": "59740d792bea5caa547c9bc7ce366802ecfafb7f",
         "type": "github"
       },
       "original": {

flake.nix

@@ -58,35 +58,56 @@
       home-manager,
       nixpkgs,
       nixos-hardware,
+      sops-nix,
       flake-utils,
       nur,
       catppuccin,
       my-nixvim,
+      nix-vscode-extensions,
+      colmena,
+      nix-index-database,
       ...
-    }@inputs:
+    }:
     let
-      nixvimOverlay = (final: prev: { nixvim = self.packages.${prev.stdenv.system}.nixvim; });
+      editorOverlay = (
+        final: prev: {
+          inherit (nix-vscode-extensions.extensions.${prev.stdenv.system}) vscode-marketplace;
+          inherit (self.packages.${prev.stdenv.system}) nixvim;
+        }
+      );
       overlayModule =
         { ... }:
         {
           nixpkgs.overlays = [
-            nixvimOverlay
+            editorOverlay
             (import ./overlays/add-pkgs.nix)
           ];
         };
       deploymentModule = {
         deployment.targetUser = "xin";
       };
-      sharedColmenaModules = [
-        self.nixosModules.default
-        deploymentModule
-      ];
       sharedHmModules = [
-        inputs.sops-nix.homeManagerModules.sops
+        self.homeManagerModules.default
-        inputs.nix-index-database.hmModules.nix-index
+        sops-nix.homeManagerModules.sops
+        nix-index-database.hmModules.nix-index
         catppuccin.homeManagerModules.catppuccin
-        self.homeManagerModules
       ];
+      sharedNixosModules = [
+        self.nixosModules.default
+        sops-nix.nixosModules.sops
+      ];
+      nodeNixosModules = {
+        calcite = [
+          nixos-hardware.nixosModules.asus-zephyrus-ga401
+          nur.nixosModules.nur
+          catppuccin.nixosModules.catppuccin
+          machines/calcite/configuration.nix
+          (mkHome "xin" "calcite")
+        ];
+      };
+      sharedColmenaModules = [
+        deploymentModule
+      ] ++ sharedNixosModules;
       mkHome =
         user: host:
         { ... }:
@@ -98,43 +119,29 @@
                 sharedModules = sharedHmModules;
                 useGlobalPkgs = true;
                 useUserPackages = true;
-                extraSpecialArgs = {
-                  inherit inputs;
-                };
               };
               home-manager.users.${user} = (import ./home).${user}.${host};
             }
           ];
         };
-      mkHomeConfiguration = user: host: {
-        name = user;
-        value = home-manager.lib.homeManagerConfiguration {
-          pkgs = import nixpkgs { system = "x86_64-linux"; };
-          modules = [
-            (import ./home).${user}.${host}
-            overlayModule
-          ] ++ sharedHmModules;
-          extraSpecialArgs = {
-            inherit inputs;
-          };
-        };
-      };
       mkNixos =
         {
-          system,
+          hostname,
-          modules,
+          system ? null,
-          specialArgs ? { },
         }:
         nixpkgs.lib.nixosSystem {
-          inherit system;
+          modules = sharedNixosModules ++ nodeNixosModules.${hostname};
-          specialArgs = specialArgs // {
+        };
-            inherit inputs system;
+      # TODO:
+      mkColmenaHive =
+        {
+          hostname,
+        }:
+        colmena.lib.makeHive {
+          meta = {
+            # FIXME:
+            nixpkgs = import nixpkgs { system = "x86_64-linux"; };
           };
-          modules = [
-            self.nixosModules.default
-            nur.nixosModules.nur
-            catppuccin.nixosModules.catppuccin
-          ] ++ modules;
         };
     in
     {
@@ -145,16 +152,12 @@
           overlayModule
         ];
       };
-      homeManagerModules = import ./modules/home-manager;
+      homeManagerModules.default = import ./modules/home-manager;
 
-      homeConfigurations = builtins.listToAttrs [ (mkHomeConfiguration "xin" "calcite") ];
+      colmenaHive = colmena.lib.makeHive {
-
-      colmenaHive = inputs.colmena.lib.makeHive {
         meta = {
+          # FIXME:
           nixpkgs = import nixpkgs { system = "x86_64-linux"; };
-          specialArgs = {
-            inherit inputs;
-          };
         };
 
         massicot =
@@ -241,12 +244,7 @@
 
       nixosConfigurations = {
         calcite = mkNixos {
-          system = "x86_64-linux";
+          hostname = "calcite";
-          modules = [
-            nixos-hardware.nixosModules.asus-zephyrus-ga401
-            machines/calcite/configuration.nix
-            (mkHome "xin" "calcite")
-          ];
         };
       } // self.colmenaHive.nodes;
 
@@ -255,6 +253,17 @@
       system:
       let
         pkgs = nixpkgs.legacyPackages.${system};
+
+        mkHomeConfiguration = user: host: {
+          name = user;
+          value = home-manager.lib.homeManagerConfiguration {
+            inherit pkgs;
+            modules = [
+              (import ./home).${user}.${host}
+              overlayModule
+            ] ++ sharedHmModules;
+          };
+        };
       in
       {
         devShells = {
@@ -262,16 +271,19 @@
             packages = with pkgs; [
               nix
               git
-              inputs.colmena.packages.${system}.colmena
+              colmena.packages.${system}.colmena
               sops
               nix-output-monitor
               nil
               nvd
               nh
+              (python3.withPackages (ps: with ps; [ requests ]))
             ];
           };
         };
 
+        homeConfigurations = builtins.listToAttrs [ (mkHomeConfiguration "xin" "calcite") ];
+
         packages = {
           nixvim = my-nixvim.packages.${system}.default;
         };

home/xin/calcite.nix

@@ -38,6 +38,8 @@ in
     remmina
     qq
     wechat-uos
+    wpsoffice
+    ttf-wps-fonts
   ];
 
   # Theme

machines/calcite/configuration.nix

@@ -16,6 +16,7 @@ in
   ];
 
   commonSettings = {
+    auth.enable = true;
     nix = {
       enableMirrors = true;
       signing.enable = true;
@@ -35,6 +36,11 @@ in
   boot.supportedFilesystems = [ "ntfs" ];
   boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
 
+  documentation = {
+    nixos.enable = false;
+    man.enable = false;
+  };
+
   security.tpm2 = {
     enable = true;
     # expose /run/current-system/sw/lib/libtpm2_pkcs11.so
@@ -114,13 +120,15 @@ in
   xdg.portal = {
     enable = true;
     extraPortals = [
-      pkgs.xdg-desktop-portal-gtk
       pkgs.xdg-desktop-portal-gnome
+      pkgs.xdg-desktop-portal-gtk
     ];
     configPackages = [ pkgs.niri ];
   };
 
   systemd.user.services.xdg-desktop-portal-gtk.after = [ "graphical-session.target" ];
+  systemd.user.services.xdg-desktop-portal-gnome.after = [ "graphical-session.target" ];
+  systemd.user.services.xdg-desktop-portal-gnome.wantedBy = [ "graphical-session.target" ];
 
   services.greetd =
     let
@@ -156,6 +164,15 @@ in
           };
         };
       };
+      "logiM720" = {
+        ids = [ "046d:b015" ];
+        settings = {
+          main = {
+            mouse2 = "leftmeta";
+            # leftalt = "mouse1";
+          };
+        };
+      };
     };
   };
 
@@ -202,6 +219,7 @@ in
   services.smartd.enable = true;
 
   # Allow unfree packages
+  nixpkgs.system = "x86_64-linux";
   nixpkgs.config.allowUnfree = true;
   nixpkgs.config.permittedInsecurePackages = [
     "openssl-1.1.1w"
@@ -281,7 +299,6 @@ in
     # Writting
     zotero
     # onlyoffice-bin
-    wpsoffice
 
     config.nur.repos.linyinfeng.wemeet
 

machines/dolomite/default.nix

@@ -58,31 +58,8 @@ in
       exporters.blackbox.enable = true;
     };
 
-    custom.kanidm-client = {
+    custom.commonSettings = {
-      enable = true;
+      auth.enable = true;
-      uri = "https://auth.xinyang.life/";
-      asSSHAuth = {
-        enable = true;
-        allowedGroups = [ "linux_users" ];
-      };
-      sudoers = [ "xin@auth.xinyang.life" ];
-    };
-
-    services.openssh = {
-      settings = {
-        PasswordAuthentication = false;
-        KbdInteractiveAuthentication = false;
-        PermitRootLogin = lib.mkForce "no";
-        GSSAPIAuthentication = "no";
-        KerberosAuthentication = "no";
-      };
-    };
-    services.fail2ban.enable = true;
-    programs.mosh.enable = true;
-
-    security.sudo = {
-      execWheelOnly = true;
-      wheelNeedsPassword = false;
     };
 
     services.sing-box =

machines/massicot/default.nix

@@ -1,12 +1,10 @@
 {
-  inputs,
   pkgs,
   ...
 }:
 
 {
   imports = [
-    inputs.sops-nix.nixosModules.sops
     ./hardware-configuration.nix
     ./networking.nix
     ./services.nix

machines/massicot/services.nix

@@ -101,7 +101,6 @@ in
 
   services.matrix-conduit = {
     enable = true;
-    # package = inputs.conduit.packages.${pkgs.system}.default;
     package = pkgs.matrix-conduit;
     settings.global = {
       server_name = "xinyang.life";

machines/sops.nix

@@ -1,11 +1,9 @@
 {
-  inputs,
   config,
   lib,
   ...
 }:
 {
-  imports = [ inputs.sops-nix.nixosModules.sops ];
   config = {
     sops = {
       defaultSopsFile = ./secrets.yaml;

machines/weilite/default.nix

@@ -1,14 +1,13 @@
 {
-  inputs,
   config,
   pkgs,
+  lib,
   modulesPath,
   ...
 }:
 
 {
   imports = [
-    inputs.sops-nix.nixosModules.sops
     (modulesPath + "/profiles/qemu-guest.nix")
     ./services
   ];
@@ -150,6 +149,15 @@
       permitCertUid = "caddy";
     };
 
+    services.tailscale.derper = {
+      enable = true;
+      domain = "derper00.namely.icu";
+      openFirewall = true;
+      verifyClients = true;
+    };
+    # tailscale derper module use nginx for reverse proxy
+    services.nginx.enable = lib.mkForce false;
+
     services.caddy = {
       enable = true;
       package = pkgs.caddy.withPlugins {
@@ -165,6 +173,9 @@
         ];
         vendorHash = "sha256-OhOeU2+JiJyIW9WdCYq98OKckXQZ9Fn5zULz0aLsXMI=";
       };
+      virtualHosts."derper00.namely.icu:8443".extraConfig = ''
+        reverse_proxy 127.0.0.1:${toString config.services.tailscale.derper.port}
+      '';
       virtualHosts."weilite.coho-tet.ts.net:8080".extraConfig = ''
         reverse_proxy 127.0.0.1:${toString config.services.immich.port}
       '';

machines/weilite/services/default.nix

@@ -2,5 +2,6 @@
   imports = [
     ./ocis.nix
     ./restic.nix
+    ./media-download.nix
   ];
 }

machines/weilite/services/media-download.nix

@@ -0,0 +1,6 @@
+{
+  services.jackett = {
+    enable = true;
+    openFirewall = false;
+  };
+}

modules/home-manager/gui/niri.nix

@@ -84,8 +84,12 @@ in
         enable = true;
         timeouts = [
           {
-            timeout = 900;
+            timeout = 600;
-            command = "/run/current-system/systemd/bin/systemctl suspend";
+            command = ''[ "$(${pkgs.tlp}/bin/tlp-stat -m)" == "battery" ] && /run/current-system/systemd/bin/systemctl suspend'';
+          }
+          {
+            timeout = 1200;
+            command = ''${getExe pkgs.niri} msg action power-off-monitors'';
           }
         ];
         events = [

modules/home-manager/vscode.nix

@@ -1,5 +1,4 @@
 {
-  inputs,
   config,
   lib,
   pkgs,
@@ -16,7 +15,7 @@ let
         nixd
         nixpkgs-fmt
       ];
-      extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [
+      extension = with pkgs.vscode-marketplace; [
         jnoortheen.nix-ide
       ];
       settings = {
@@ -30,13 +29,16 @@ let
         clang-tools
         cmake-format
       ];
-      extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [
+      extension =
-        llvm-vs-code-extensions.vscode-clangd
+        with pkgs.vscode-marketplace;
-        (ms-vscode.cmake-tools.overrideAttrs (_: {
+        [
-          sourceRoot = "extension";
+          llvm-vs-code-extensions.vscode-clangd
-        }))
+          (ms-vscode.cmake-tools.overrideAttrs (_: {
-        twxs.cmake
+            sourceRoot = "extension";
-      ] ++ (with pkgs.vscode-extensions; [ ms-vscode.cpptools ]);
+          }))
+          twxs.cmake
+        ]
+        ++ (with pkgs.vscode-extensions; [ ms-vscode.cpptools ]);
       settings = {
         "cmake.configureOnEdit" = false;
         "cmake.showOptionsMovedNotification" = false;
@@ -50,7 +52,7 @@ let
     };
     pythonPackages = {
       systemPackages = with pkgs; [ ];
-      extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [
+      extension = with pkgs.vscode-marketplace; [
         ms-python.python
       ];
       settings = { };
@@ -60,7 +62,7 @@ let
         coursier
         metals
       ];
-      extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [
+      extension = with pkgs.vscode-marketplace; [
         scala-lang.scala
         scalameta.metals
       ];
@@ -68,7 +70,7 @@ let
     };
     latexPackages = {
       systemPackages = with pkgs; [ texliveSmall ];
-      extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [
+      extension = with pkgs.vscode-marketplace; [
         james-yu.latex-workshop
       ];
       settings = {
@@ -184,7 +186,7 @@ in
       mutableExtensionsDir = false;
       extensions = lib.mkMerge (
         [
-          (with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [
+          (with pkgs.vscode-marketplace; [
             mkhl.direnv
 
             ms-azuretools.vscode-docker

modules/home-manager/xdg-autostart.nix

@@ -0,0 +1,96 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  cfg = config.xdg.autoStart;
+  inherit (lib) hm types;
+in
+{
+
+  options.xdg.autoStart = {
+
+    packages = lib.mkOption {
+      description = ''
+        List of packages which should be autostarted.
+
+        This module tries to select the package’s default desktop file,
+        which is either described by its .desktopItem attribute
+        or by its first entry of its .desktopItems attribute.
+
+        Users who want to specifically select a certain desktop file
+        or who want to write their own
+        can make use of the {option}`xdg.autoStart.desktopItems` option.
+      '';
+
+      type = types.listOf types.package;
+      default = [ ];
+      example = lib.literalExpression ''
+        with pkgs; [
+          pkgs.trilium-desktop
+        ]
+      '';
+    };
+
+    desktopItems = lib.mkOption {
+      description = ''
+        List of desktop files which should be autostarted.
+
+        Users should prefer to use {option}`xdg.autoStart.packages`
+        and only use this option in case
+        they want to specifically
+        select a package’s desktop item
+        or want to create their own desktop item.
+
+        Be warned, this may shadow entries of {option}`xdg.autoStart.packages`.
+      '';
+
+      type = types.attrsOf (types.unspecified); # TODO replace unspecified
+      default = { };
+      # TODO improve example, take one where it would make sense to use this option
+      example = lib.literalExpression ''
+        {
+          discord = pkgs.discord.desktopItem
+          firefox-custom = makeDesktopItem {
+            exec = "firefox -P custom";
+          };
+        }
+      '';
+    };
+
+  };
+
+  config =
+    let
+      # helpers
+      retrieveDesktopItem = (
+        pkg:
+        if pkg ? desktopItem then
+          pkg.desktopItem
+        else if pkg ? desktopItems && pkg.desktopItems != [ ] then
+          builtins.head pkg.desktopItems
+        else
+          abort "package '${pkg.pname}' is missing a desktop file"
+      );
+      emulateDesktopItem = (pkg: lib.nameValuePair pkg.pname (retrieveDesktopItem pkg));
+      embedDesktopItem = (
+        name: deskItem:
+        lib.nameValuePair "autostart/${name}.desktop" {
+          source = "${deskItem}/share/applications/${deskItem.name}";
+        }
+      );
+      # parse opts
+      desktopItemsPackages = builtins.listToAttrs (map emulateDesktopItem cfg.packages);
+      desktopItems = desktopItemsPackages // cfg.desktopItems;
+    in
+    {
+      assertions = [
+        (hm.assertions.assertPlatform "xdg.autoStart" pkgs lib.platforms.linux)
+      ];
+
+      xdg.configFile = lib.attrsets.mapAttrs' embedDesktopItem desktopItems;
+    };
+
+}

modules/home-manager/zellij.nix

@@ -26,10 +26,9 @@ in
             bind "Ctrl l" { MoveFocusOrTab "Right"; }
             bind "Ctrl j" { MoveFocus "Down"; }
             bind "Ctrl k" { MoveFocus "Up"; }
-            unbind "Alt h" "Alt l" "Alt j" "Alt k"
+            unbind "Alt h" "Alt l" "Alt j" "Alt k" "Alt f"
           }
           unbind "Ctrl p" "Ctrl n"
-          unbind "Alt f"
       }
     '';
   };

modules/nixos/common-settings/proxy-server.nix

@@ -0,0 +1,165 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  inherit (lib)
+    mkIf
+    mkEnableOption
+    mkOption
+    types
+    ;
+
+  cfg = config.commonSettings.proxyServer;
+
+  singTls = {
+    enabled = true;
+    server_name = config.deployment.targetHost;
+    key_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/key.pem";
+    certificate_path =
+      config.security.acme.certs.${config.deployment.targetHost}.directory + "/cert.pem";
+  };
+
+  mkSingConfig =
+    { uuid, password, ... }:
+    {
+      inbounds =
+        [
+          {
+            tag = "sg0";
+            type = "trojan";
+            listen = "::";
+            listen_port = 8080;
+            users = [
+              {
+                name = "proxy";
+                password = password;
+              }
+            ];
+            tls = singTls;
+          }
+        ]
+        ++ lib.forEach (lib.range 6311 6314) (port: {
+          tag = "sg" + toString (port - 6310);
+          type = "tuic";
+          listen = "::";
+          listen_port = port;
+          congestion_control = "bbr";
+          users = [
+            {
+              name = "proxy";
+              uuid = uuid;
+              password = password;
+            }
+          ];
+          tls = singTls;
+        });
+      outbounds = [
+        {
+          type = "wireguard";
+          tag = "wg-out";
+          private_key = {
+            _secret = config.sops.secrets.wg_private_key.path;
+          };
+          local_address = [
+            "172.16.0.2/32"
+            { _secret = config.sops.secrets.wg_ipv6_local_addr.path; }
+          ];
+          peers = [
+            {
+              public_key = "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=";
+              allowed_ips = [
+                "0.0.0.0/0"
+                "::/0"
+              ];
+              server = "162.159.192.1";
+              server_port = 500;
+            }
+          ];
+        }
+        {
+          type = "direct";
+          tag = "direct";
+        }
+      ];
+      route = {
+        rules = [
+          {
+            inbound = "sg0";
+            outbound = "direct";
+          }
+          {
+            inbound = "sg4";
+            outbound = "direct";
+          }
+        ];
+      };
+    };
+in
+{
+  options.commonSettings.proxyServer = {
+    enable = mkEnableOption "sing-box as a server";
+    uuidFile = mkOption {
+      type = types.path;
+    };
+    passwordFile = mkOption {
+      type = types.path;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    boot.kernel.sysctl = {
+      "net.core.default_qdisc" = "fq";
+      "net.ipv4.tcp_congestion_control" = "bbr";
+    };
+
+    networking.firewall.trustedInterfaces = [ "tun0" ];
+
+    sops = {
+      secrets = {
+        wg_private_key = {
+          owner = "root";
+          sopsFile = ./secrets + "/${config.networking.hostName}.yaml";
+        };
+        wg_ipv6_local_addr = {
+          owner = "root";
+          sopsFile = ./secrets + "/${config.networking.hostName}.yaml";
+        };
+      };
+    };
+
+    security.acme = {
+      acceptTerms = true;
+      certs.${config.deployment.targetHost} = {
+        email = "me@namely.icu";
+        # Avoid port conflict
+        listenHTTP = if config.services.caddy.enable then ":30310" else ":80";
+      };
+    };
+    services.caddy.virtualHosts."http://${config.deployment.targetHost}:80".extraConfig = ''
+      reverse_proxy 127.0.0.1:30310
+    '';
+
+    networking.firewall.allowedTCPPorts = [
+      80
+      8080
+    ];
+    networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314);
+
+    custom.prometheus = {
+      enable = true;
+      exporters.blackbox.enable = true;
+    };
+
+    services.sing-box = {
+      enable = true;
+      settings = mkSingConfig {
+        uuid = cfg.uuidFile;
+        password = cfg.passwordFile;
+      };
+    };
+  };
+}

overlays/add-pkgs.nix

@@ -1,3 +1,5 @@
-(final: prev: {
+(
-  oidc-agent = prev.callPackage ./pkgs/oidc-agent { };
+  final: prev:
-})
+  {
+  }
+)