feat: fcitx5 - add korean

https://github.com/noctalia-dev/noctalia-shell/issues/1281

.github/workflows/flake_evaltests.yml

@@ -25,9 +25,9 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Install nix
-        uses: cachix/install-nix-action@v24
+        uses: cachix/install-nix-action@v31
         with:
           install_url: https://nixos.org/nix/install
           extra_nix_config: |

.gitignore

@@ -8,3 +8,4 @@ logs/
 core*
 !core/
 !core.nix
+!coredns*

.typos.toml

@@ -1,10 +1,21 @@
 [files]
+# Respect .ignore files.
 ignore-dot = true
+# Respect ignore files.
 ignore-files = true
-extend-exclude = ["themes/", "data/", "static-surprises/", "resources/"]
+# Typos-specific ignore globs (gitignore syntax).
+# NOTE: This setting is ignored when you pass the path directly on the command line, as cachix/git-hooks.nix does.
+# To ignore those files, you must also exclude those directories via git-hooks.hooks.typos.settings.exclude.
+extend-exclude = [
+  "data/",
+  "rime-data/",
+]
 
 [default]
+# Check binary files as text.
 binary = false
+# Verify spelling in file names.
+check-filename = true
 # ignore some special identifiers(sha256, mac address, crypto keys, etc)
 extend-ignore-re = [
   "iterm2",

Justfile

@@ -100,7 +100,12 @@ repair-store *paths:
 # Update all Nixpkgs inputs
 [group('nix')]
 up-nix:
-  nix flake update nixpkgs nixpkgs-stable nixpkgs-unstable nixpkgs-darwin nixpkgs-ollama
+  nix flake update --commit-lock-file nixpkgs-stable nixpkgs-master nixpkgs-darwin nixpkgs-patched
+
+# override nixpkgs's commit hash
+[group('nix')]
+override-pkgs hash:
+  nix flake update --commit-lock-file nixpkgs --override-input nixpkgs github:NixOS/nixpkgs/{{hash}}
 
 ############################################################################
 #
@@ -116,14 +121,6 @@ local mode="default":
   use {{utils_nu}} *;
   nixos-switch (hostname) {{mode}}
 
-# Deploy the hyprland nixosConfiguration by hostname match
-[linux]
-[group('desktop')]
-hypr mode="default":
-  #!/usr/bin/env nu
-  use {{utils_nu}} *;
-  nixos-switch $"(hostname)-hyprland" {{mode}}
-
 # Deploy the niri nixosConfiguration by hostname match
 [linux]
 [group('desktop')]
@@ -336,6 +333,11 @@ list-systemd:
 #
 # =================================================
 
+[linux]
+[group('nixpkgs')]
+gh-login:
+  gh auth login -h github.com --skip-ssh-key --git-protocol ssh --web
+
 # Run nixpkgs-review for PR
 [linux]
 [group('nixpkgs')]

README.md

@@ -8,9 +8,9 @@
 	<a href="https://github.com/ryan4yin/nix-config/stargazers">
 		<img alt="Stargazers" src="https://img.shields.io/github/stars/ryan4yin/nix-config?style=for-the-badge&logo=starship&color=C9CBFF&logoColor=D9E0EE&labelColor=302D41"></a>
     <a href="https://nixos.org/">
-        <img src="https://img.shields.io/badge/NixOS-25.05-informational.svg?style=for-the-badge&logo=nixos&color=F2CDCD&logoColor=D9E0EE&labelColor=302D41"></a>
+        <img src="https://img.shields.io/badge/NixOS-25.11-informational.svg?style=for-the-badge&logo=nixos&color=F2CDCD&logoColor=D9E0EE&labelColor=302D41"></a>
     <a href="https://github.com/ryan4yin/nixos-and-flakes-book">
-        <img src="https://img.shields.io/static/v1?label=Nix Flakes&message=learning&style=for-the-badge&logo=nixos&color=DDB6F2&logoColor=D9E0EE&labelColor=302D41"></a>
+        <img src="https://img.shields.io/badge/Nix%20Flakes-learning-informational.svg?style=for-the-badge&logo=nixos&color=F2CDCD&logoColor=D9E0EE&labelColor=302D41"></a>
   </a>
 </p>
 
@@ -23,7 +23,7 @@
 
 This repository is home to the nix code that builds my systems:
 
-1. NixOS Desktops: NixOS with home-manager, hyprland, agenix, etc.
+1. NixOS Desktops: NixOS with home-manager, niri, agenix, etc.
 2. macOS Desktops: nix-darwin with home-manager, share the same home-manager configuration with
    NixOS Desktops.
 3. NixOS Servers: virtual machines running on Proxmox/KubeVirt, with various services, such as
@@ -54,36 +54,36 @@ You don't have to go through the pain I've experienced again! Check out my
 
 ## Components
 
-|                             | NixOS(Wayland)                                                                                                      |
-| --------------------------- | ------------------------------------------------------------------------------------------------------------------- |
-| **Window Manager**          | [Hyprland][Hyprland] / [Niri][Niri]                                                                                 |
-| **Terminal Emulator**       | [Zellij][Zellij] + [Kitty][Kitty]                                                                                   |
-| **Bar**                     | [Waybar][Waybar]                                                                                                    |
-| **Application Launcher**    | [anyrun][anyrun]                                                                                                    |
-| **Notification Daemon**     | [Mako][Mako]                                                                                                        |
-| **Display Manager**         | [GDM][GDM]                                                                                                          |
-| **Color Scheme**            | [Catppuccin][Catppuccin]                                                                                            |
-| **network management tool** | [NetworkManager][NetworkManager]                                                                                    |
-| **Input method framework**  | [Fcitx5][Fcitx5]                                                                                                    |
-| **System resource monitor** | [Btop][Btop]                                                                                                        |
-| **File Manager**            | [Yazi][Yazi] + [thunar][thunar]                                                                                     |
-| **Shell**                   | [Nushell][Nushell] + [Starship][Starship]                                                                           |
-| **Media Player**            | [mpv][mpv]                                                                                                          |
-| **Text Editor**             | [Neovim][Neovim]                                                                                                    |
-| **Fonts**                   | [Nerd fonts][Nerd fonts]                                                                                            |
-| **Image Viewer**            | [imv][imv]                                                                                                          |
-| **Screenshot Software**     | [hyprshot][hyprshot]                                                                                                |
-| **Screen Recording**        | [OBS][OBS]                                                                                                          |
-| **Filesystem & Encryption** | tmpfs on `/`, [Btrfs][Btrfs] subvolumes on a [LUKS][LUKS] encrypted partition for persistent, unlock via passphrase |
-| **Secure Boot**             | [lanzaboote][lanzaboote]                                                                                            |
+|                                                                | NixOS(Wayland)                                                                                                      |
+| -------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------- |
+| **Window Manager**                                             | [Niri][Niri]                                                                                                        |
+| **Terminal Emulator**                                          | [Zellij][Zellij] + [foot][foot]/[Kitty][Kitty]/[Alacritty][Alacritty]/[Ghostty][Ghostty]                            |
+| **Status Bar** / **Notifier** / **Launcher** / **lockscreens** | [noctalia-shell][noctalia-shell]                                                                                    |
+| **Display Manager**                                            | [tuigreet][tuigreet]                                                                                                |
+| **Color Scheme**                                               | [catppuccin-nix][catppuccin-nix]                                                                                    |
+| **network management tool**                                    | [NetworkManager][NetworkManager]                                                                                    |
+| **Input method framework**                                     | [Fcitx5][Fcitx5] + [rime][rime] + [小鹤音形 flypy][flypy]                                                           |
+| **System resource monitor**                                    | [Btop][Btop]                                                                                                        |
+| **File Manager**                                               | [Yazi][Yazi] + [thunar][thunar]                                                                                     |
+| **Shell**                                                      | [Nushell][Nushell] + [Starship][Starship]                                                                           |
+| **Media Player**                                               | [mpv][mpv]                                                                                                          |
+| **Text Editor**                                                | [Neovim][Neovim]                                                                                                    |
+| **Fonts**                                                      | [Nerd fonts][Nerd fonts]                                                                                            |
+| **Image Viewer**                                               | [imv][imv]                                                                                                          |
+| **Screenshot Software**                                        | Niri's builtin function                                                                                             |
+| **Screen Recording**                                           | [OBS][OBS]                                                                                                          |
+| **Filesystem & Encryption**                                    | tmpfs as `/`, [Btrfs][Btrfs] subvolumes on a [LUKS][LUKS] encrypted partition for persistent, unlock via passphrase |
+| **Secure Boot**                                                | [lanzaboote][lanzaboote]                                                                                            |
 
 Wallpapers: https://github.com/ryan4yin/wallpapers
 
-## Hyprland + AstroNvim
+## Screenshots
 
-![](./_img/hyprland_2023-07-29_1.webp)
+![desktop](./_img/2026-01-05_niri-noctalia_desktop.webp)
 
-![](./_img/hyprland_2023-07-29_2.webp)
+![overview](./_img/2026-01-04_niri-noctalia_overview.webp)
+
+![nvim](./_img/2026-01-04_niri-noctalia_nvim.webp)
 
 ## Neovim
 
@@ -109,18 +109,15 @@ For NixOS:
 > To deploy this flake from NixOS's official ISO image (purest installation method), please refer to
 > [./nixos-installer/](./nixos-installer/)
 
-> Need to restart the machine when switching between `wayland` and `xorg`.
-
 ```bash
 # deploy one of the configuration based on the hostname
-sudo nixos-rebuild switch --flake .#ai-hyprland
+sudo nixos-rebuild switch --flake .#ai-niri
 
-# deploy via `just`(a command runner with similar syntax to make) & Justfile
-# Deploy the hyprland nixosConfiguration by hostname match
-just hypr
+# Deploy the niri nixosConfiguration by hostname match
+just niri
 
 # or we can deploy with details
-just hypr debug
+just niri debug
 ```
 
 For macOS:
@@ -156,53 +153,43 @@ Other dotfiles that inspired me:
   - [davidtwco/veritas](https://github.com/davidtwco/veritas)
   - [gvolpe/nix-config](https://github.com/gvolpe/nix-config)
   - [Ruixi-rebirth/flakes](https://github.com/Ruixi-rebirth/flakes)
-  - [fufexan/dotfiles](https://github.com/fufexan/dotfiles): gtk theme, xdg, git, media, anyrun,
-    etc.
+  - [fufexan/dotfiles](https://github.com/fufexan/dotfiles): gtk theme, xdg, git, media, etc.
   - [nix-community/srvos](https://github.com/nix-community/srvos): a collection of opinionated and
     sharable NixOS configurations for servers
 - Modularized NixOS Configuration
   - [hlissner/dotfiles](https://github.com/hlissner/dotfiles)
   - [viperML/dotfiles](https://github.com/viperML/dotfiles)
-- Hyprland(wayland)
-  - [notwidow/hyprland](https://github.com/notwidow/hyprland): This is where I start my hyprland
-    journey.
-  - [HeinzDev/Hyprland-dotfiles](https://github.com/HeinzDev/Hyprland-dotfiles): Refer to the waybar
-    configuration here.
-  - [Zeioth/zeioth-hyprland-config](https://github.com/Zeioth/zeioth-hyprland-config)
-  - [linuxmobile/kaku](https://github.com/linuxmobile/kaku)
 - Neovim/AstroNvim
   - [maxbrunet/dotfiles](https://github.com/maxbrunet/dotfiles): astronvim with nix flakes.
 - Misc
   - [1amSimp1e/dots](https://github.com/1amSimp1e/dots)
 
-[Hyprland]: https://github.com/hyprwm/Hyprland
 [Niri]: https://github.com/YaLTeR/niri
 [Kitty]: https://github.com/kovidgoyal/kitty
+[foot]: https://codeberg.org/dnkl/foot
+[Alacritty]: https://github.com/alacritty/alacritty
+[Ghostty]: https://github.com/ghostty-org/ghostty
 [Nushell]: https://github.com/nushell/nushell
 [Starship]: https://github.com/starship/starship
-[Waybar]: https://github.com/Alexays/Waybar
-[polybar]: https://github.com/polybar/polybar
-[rofi]: https://github.com/davatorium/rofi
-[anyrun]: https://github.com/Kirottu/anyrun
-[Dunst]: https://github.com/dunst-project/dunst
 [Fcitx5]: https://github.com/fcitx/fcitx5
+[rime]: https://wiki.archlinux.org/title/Rime
+[flypy]: https://flypy.cc/
 [Btop]: https://github.com/aristocratos/btop
 [mpv]: https://github.com/mpv-player/mpv
 [Zellij]: https://github.com/zellij-org/zellij
 [Neovim]: https://github.com/neovim/neovim
 [AstroNvim]: https://github.com/AstroNvim/AstroNvim
-[Hyprshot]: https://github.com/Gustash/Hyprshot
 [imv]: https://sr.ht/~exec64/imv/
 [OBS]: https://obsproject.com
-[Mako]: https://github.com/emersion/mako
 [Nerd fonts]: https://github.com/ryanoasis/nerd-fonts
-[catppuccin]: https://github.com/catppuccin/catppuccin
+[catppuccin-nix]: https://github.com/catppuccin/nix
 [NetworkManager]: https://wiki.gnome.org/Projects/NetworkManager
 [wl-clipboard]: https://github.com/bugaevc/wl-clipboard
-[GDM]: https://wiki.archlinux.org/title/GDM
+[tuigreet]: https://github.com/apognu/tuigreet
 [thunar]: https://gitlab.xfce.org/xfce/thunar
 [Yazi]: https://github.com/sxyazi/yazi
 [Catppuccin]: https://github.com/catppuccin/catppuccin
 [Btrfs]: https://btrfs.readthedocs.io
 [LUKS]: https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system
 [lanzaboote]: https://github.com/nix-community/lanzaboote
+[noctalia-shell]: https://github.com/noctalia-dev/noctalia-shell

certs/README.md

@@ -3,5 +3,21 @@
 This is my private Private Key Infrastructure (PKI) / Certificate Authority (CA) for my personal
 use. It is used to issue certificates for my own servers and services.
 
-All the private keys are ignored by git, and will be stored in my private secrets repo
-[../secrets](../secrets/)
+## Current Structure
+
+- **ecc-ca.crt** - ECC CA certificate file
+- **ecc-ca.srl** - CA serial number file for certificate tracking
+- **ecc-csr.conf** - OpenSSL configuration file for certificate signing requests
+- **ecc-server.crt** - Server certificate signed by the ECC CA
+- **gen-certs.sh** - Shell script to generate certificates automatically
+
+## Security Notes
+
+All private keys (`.key` files) are ignored by git and stored in a private secrets repository. The
+public certificates and configuration files are committed to this repository for reference.
+
+## Usage
+
+Run `./gen-certs.sh` to generate new certificates using the ECC CA configuration.
+
+See [../secrets](../secrets/) for the corresponding private key management.

flake.nix

@@ -16,14 +16,14 @@
   nixConfig = {
     # substituers will be appended to the default substituters when fetching packages
     extra-substituters = [
-      "https://anyrun.cachix.org"
       # "https://nix-gaming.cachix.org"
       # "https://nixpkgs-wayland.cachix.org"
+      # "https://install.determinate.systems"
     ];
     extra-trusted-public-keys = [
-      "anyrun.cachix.org-1:pqBobmOjI7nKlsUMV25u9QHa9btJK65/C8vnO3p346s="
       # "nix-gaming.cachix.org-1:nbjlureqMbRAxR1gJ/f3hxemL9svXaZF/Ees8vCUUs4="
       # "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
+      # "cache.flakehub.com-3:hJuILl5sVK4iKm86JzgdXW12Y2Hwd5G07qKtHTOcDCM="
     ];
   };
 
@@ -34,15 +34,20 @@
     # which represents the GitHub repository URL + branch/commit-id/tag.
 
     # Official NixOS package source, using nixos's unstable branch by default
+    # Find git commit hash with build status here(3 jobs per day):
+    # https://hydra.nixos.org/jobset/nixpkgs/unstable
+    # update via nix flake update nixpkgs --override-input nixpkgs github:NixOS/nixpkgs/<commit-hash>
     nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
-    # nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small";
-    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
-    nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-25.05";
+    nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-25.11";
+    nixpkgs-2505.url = "github:nixos/nixpkgs/nixos-25.05";
 
-    nixpkgs-ollama.url = "github:nixos/nixpkgs/nixos-unstable";
+    # nixpkgs with some custom patches
+    nixpkgs-patched.url = "github:ryan4yin/nixpkgs/nixos-unstable-patched";
+    # get some latest packages from the master branch
+    nixpkgs-master.url = "github:nixos/nixpkgs/master";
 
     # for macos
-    # nixpkgs-darwin.url = "github:nixos/nixpkgs/nixpkgs-25.05-darwin";
+    # nixpkgs-darwin.url = "github:nixos/nixpkgs/nixpkgs-25.11-darwin";
     nixpkgs-darwin.url = "github:nixos/nixpkgs/nixpkgs-unstable";
     nix-darwin = {
       url = "github:lnl7/nix-darwin";
@@ -52,7 +57,7 @@
     # home-manager, used for managing user configuration
     home-manager = {
       url = "github:nix-community/home-manager/master";
-      # url = "github:nix-community/home-manager/release-25.05";
+      # url = "github:nix-community/home-manager/release-25.11";
 
       # The `follows` keyword in inputs is used for inheritance.
       # Here, `inputs.nixpkgs` of home-manager is kept consistent with the `inputs.nixpkgs` of the current flake,
@@ -67,7 +72,7 @@
     };
 
     lanzaboote = {
-      url = "github:nix-community/lanzaboote/v0.4.2";
+      url = "github:nix-community/lanzaboote/v0.4.3";
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
@@ -75,14 +80,6 @@
       url = "github:nix-community/preservation";
     };
 
-    # community wayland nixpkgs
-    # nixpkgs-wayland.url = "github:nix-community/nixpkgs-wayland";
-    # anyrun - a wayland launcher
-    anyrun = {
-      url = "github:Kirottu/anyrun";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-
     # generate iso/qcow2/docker/... image from nixos configuration
     nixos-generators = {
       url = "github:nix-community/nixos-generators";
@@ -97,11 +94,6 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
-    nix-gaming = {
-      url = "github:fufexan/nix-gaming";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-
     disko = {
       url = "github:nix-community/disko/v1.11.0";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -129,7 +121,7 @@
     };
 
     ghostty = {
-      url = "github:ghostty-org/ghostty";
+      url = "github:ghostty-org/ghostty/tip"; # Latest Continuous Release
     };
 
     blender-bin = {
@@ -138,17 +130,33 @@
     };
 
     nixos-apple-silicon = {
-      # 2025-07-04
-      url = "github:nix-community/nixos-apple-silicon/release-2025-08-10";
+      # asahi-6.17.7-2
+      url = "github:nix-community/nixos-apple-silicon";
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
-    niri.url = "github:sodiboo/niri-flake";
+    helix = {
+      # Helix with steel as plugin system
+      # https://github.com/helix-editor/helix/pull/8675
+      url = "github:mattwparas/helix/steel-event-system";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    # -------------- Gaming ---------------------
+
+    nix-gaming = {
+      url = "github:fufexan/nix-gaming";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    aagl = {
+      url = "github:ezKEa/aagl-gtk-on-nix/release-25.11";
+      # inputs.nixpkgs.follows = "nixpkgs";
+    };
 
     ########################  Some non-flake repositories  #########################################
 
-    polybar-themes = {
-      url = "github:adi1090x/polybar-themes";
+    nu_scripts = {
+      url = "github:ryan4yin/nu_scripts";
       flake = false;
     };
 

hardening/README.md

@@ -12,14 +12,53 @@
   1. Accessing the network when they don't need to.
   1. Accessing hardware devices they don't need.
 
-## Current Status
+## Current Structure
 
-1. **System Level**:
-   - [ ] AppArmor
-   - [ ] Kernel & System Hardening
-1. **Per-App Level**:
-   - Nixpak (Bubblewrap, running at user-level)
-   - Firejail (a SUID program, meaning it's running as root)
+### 1. **System Level**
+
+- **AppArmor** (`apparmor/`): AppArmor profiles and configuration
+- **Kernel & System Hardening** (`profiles/`): System-wide hardening profiles
+
+### 2. **Per-App Level**
+
+- **Nixpak** (`nixpaks/`): Bubblewrap-based sandboxing for applications
+  - Firefox configuration
+  - QQ (Chinese messaging app) configuration
+  - Modular system with reusable components
+- **Firejail** (legacy): SUID-based sandboxing (not used)
+- **Bubblewrap** (`bwraps/`): Direct bubblewrap configurations
+  - WeChat sandboxing configuration
+
+## Current Implementation Status
+
+| Component         | Status    | Notes                          |
+| ----------------- | --------- | ------------------------------ |
+| AppArmor Profiles | 🚧 WIP    | Basic structure in place       |
+| Nixpak Firefox    | ✅ Active | Firefox sandboxing via nixpak  |
+| Nixpak QQ         | ✅ Active | QQ application sandboxing      |
+| Bubblewrap WeChat | ✅ Active | WeChat specific sandboxing     |
+| System Profiles   | 🚧 WIP    | Hardened system configurations |
+
+## Directory Structure
+
+```
+hardening/
+├── README.md
+├── apparmor/           # AppArmor security profiles
+│   └── default.nix
+├── bwraps/            # Direct bubblewrap configurations
+│   ├── default.nix
+│   └── wechat.nix
+├── nixpaks/           # Nixpak application sandboxing
+│   ├── default.nix
+│   ├── firefox.nix
+│   ├── qq.nix
+│   └── modules/       # Reusable nixpak modules
+│       ├── gui-base.nix
+│       └── network.nix
+└── profiles/          # System hardening profiles
+    └── default.nix
+```
 
 ## Kernel Hardening
 
@@ -69,13 +108,6 @@ provide a much higher level of security.
 - [Paranoid NixOS Setup - xeiaso](https://xeiaso.net/blog/paranoid-nixos-2021-07-18/)
 - [nix-mineral](https://github.com/cynicsketch/nix-mineral): NixOS module for convenient system
   hardening.
-- nixpak configs:
-  - https://github.com/pokon548/OysterOS/tree/b97604d89953373d6316286b96f6a964af2c398d/desktop/application
-  - https://github.com/segment-tree/my-nixos/tree/ceb6041f73bd9edcb78a8818b27a28f7c629193b/hm/me/apps/nixpak
-  - https://github.com/Keksgesicht/nixos-config/tree/91cc77d8d6b598da7c4dbed143e0009c2dea6940/packages/nixpak
-  - https://github.com/bluskript/nix-config/blob/7ecb6a7254c1ac4969072f4c4febdc19f8b83b30/pkgs/nixpak/default.nix
-- firejail configs:
-  - https://github.com/stelcodes/nixos-config/blob/f8967c82a5e5f3d128eb1aaf7498b5f918f719ec/packages/overlay.nix#L261
 - apparmor configs:
   - https://github.com/zramctl/dotfiles/blob/4fe177f6984154960942bb47d5a375098ec6ed6a/modules/nixos/security/apparmor.nix#L4
   - https://git.grimmauld.de/Grimmauld/grimm-nixos-laptop/src/branch/main/hardening

hardening/bwraps/wechat.nix

@@ -16,17 +16,19 @@ let
   # https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/by-name/we/wechat/package.nix
   sources = {
     aarch64-linux = {
-      version = "4.0.1.11";
+      version = "4.1.0.13";
       src = fetchurl {
-        url = "https://web.archive.org/web/20250512112413if_/https://dldir1v6.qq.com/weixin/Universal/Linux/WeChatLinux_arm64.AppImage";
-        hash = "sha256-Rg+FWNgOPC02ILUskQqQmlz1qNb9AMdvLcRWv7NQhGk=";
+        # url = "https://web.archive.org/web/20251209092116if_/https://dldir1v6.qq.com/weixin/Universal/Linux/WeChatLinux_arm64.AppImage";
+        url = "https://dldir1v6.qq.com/weixin/Universal/Linux/WeChatLinux_arm64.AppImage";
+        hash = "sha256-/d5crM6IGd0k0fSlBSQx4TpIVX/8iib+an0VMkWMNdw=";
       };
     };
     x86_64-linux = {
-      version = "4.0.1.11";
+      version = "4.1.0.13";
       src = fetchurl {
-        url = "https://web.archive.org/web/20250512110825if_/https://dldir1v6.qq.com/weixin/Universal/Linux/WeChatLinux_x86_64.AppImage";
-        hash = "sha256-gBWcNQ1o1AZfNsmu1Vi1Kilqv3YbR+wqOod4XYAeVKo=";
+        # url = "https://web.archive.org/web/20251219062558if_/https://dldir1v6.qq.com/weixin/Universal/Linux/WeChatLinux_x86_64.AppImage";
+        url = "https://dldir1v6.qq.com/weixin/Universal/Linux/WeChatLinux_x86_64.AppImage";
+        hash = "sha256-+r5Ebu40GVGG2m2lmCFQ/JkiDsN/u7XEtnLrB98602w=";
       };
     };
   };

hardening/nixpaks/default.nix

@@ -1,5 +1,6 @@
 {
   pkgs,
+  pkgs-master,
   nixpak,
   ...
 }:
@@ -14,21 +15,16 @@ let
       (sloth.concat' sloth.homeDir mapdir)
     ];
   };
-  wrapper = _pkgs: path: (_pkgs.callPackage path callArgs).config.script;
+  wrapper = _pkgs: path: (_pkgs.callPackage path callArgs);
 in
 {
   # Add nixpaked Apps into nixpkgs, and reference them in home-manager or other nixos modules
   nixpkgs.overlays = [
     (_: super: {
       nixpaks = {
-        qq = wrapper super ./qq.nix;
-        qq-desktop-item = super.callPackage ./qq-desktop-item.nix { };
-
-        wechat = wrapper super ./wechat.nix;
-        wechat-desktop-item = super.callPackage ./wechat-desktop-item.nix { };
-
+        qq = wrapper pkgs-master ./qq.nix;
+        telegram-desktop = wrapper super ./telegram-desktop.nix;
         firefox = wrapper super ./firefox.nix;
-        firefox-desktop-item = super.callPackage ./firefox-desktop-item.nix { };
       };
     })
   ];

hardening/nixpaks/firefox-desktop-item.nix

@@ -1,11 +0,0 @@
-{ makeDesktopItem }:
-makeDesktopItem {
-  name = "firefox";
-  desktopName = "firefox";
-  exec = "firefox %U";
-  terminal = false;
-  icon = "firefox";
-  type = "Application";
-  categories = [ "Network" ];
-  comment = "firefox boxed";
-}

hardening/nixpaks/firefox.nix

@@ -5,84 +5,123 @@
 # - Firefox's flatpak manifest: https://hg.mozilla.org/mozilla-central/file/tip/taskcluster/docker/firefox-flatpak/runme.sh#l151
 {
   lib,
-  pkgs,
+  firefox,
   mkNixPak,
+  buildEnv,
+  makeDesktopItem,
   ...
 }:
-mkNixPak {
-  config =
-    {
-      config,
-      sloth,
-      ...
-    }:
-    {
-      app = {
-        package = pkgs.firefox-wayland;
-        binPath = "bin/firefox";
-      };
-      flatpak.appId = "org.mozilla.firefox";
 
-      imports = [
-        ./modules/gui-base.nix
-        ./modules/network.nix
-      ];
+let
+  appId = "org.mozilla.firefox";
+  wrapped = mkNixPak {
+    config =
+      {
+        config,
+        sloth,
+        ...
+      }:
+      {
+        app = {
+          package = firefox;
+          binPath = "bin/firefox";
+        };
+        flatpak.appId = appId;
 
-      # list all dbus services:
-      #   ls -al /run/current-system/sw/share/dbus-1/services/
-      #   ls -al /etc/profiles/per-user/ryan/share/dbus-1/services/
-      dbus.policies = {
-        "org.mozilla.firefox.*" = "own"; # firefox
-        "org.mozilla.firefox_beta.*" = "own"; # firefox beta
-        "org.mpris.MediaPlayer2.firefox.*" = "own";
-        "org.freedesktop.NetworkManager" = "talk";
-
-        "org.gnome.Shell.Screencast" = "talk";
-        # System tray icon
-        "org.freedesktop.Notifications" = "talk";
-        "org.kde.StatusNotifierWatcher" = "talk";
-        # File Manager
-        "org.freedesktop.FileManager1" = "talk";
-        # Uses legacy StatusNotifier implementation
-        "org.kde.*" = "own";
-      };
-
-      bubblewrap = {
-        # To trace all the home files QQ accesses, you can use the following nushell command:
-        #   just trace-access firefox
-        # See the Justfile in the root of this repository for more information.
-        bind.rw = [
-          # given the read write permission to the following directories.
-          # NOTE: sloth.mkdir is used to create the directory if it does not exist!
-          (sloth.mkdir (sloth.concat' sloth.homeDir "/.mozilla"))
-
-          sloth.xdgDocumentsDir
-          sloth.xdgDownloadDir
-          sloth.xdgMusicDir
-          sloth.xdgVideosDir
-        ];
-        bind.ro = [
-          "/sys/bus/pci"
-          [
-            "${config.app.package}/lib/firefox"
-            "/app/etc/firefox"
-          ]
-
-          # ================ for browserpass extension ===============================
-          "/etc/gnupg"
-          (sloth.concat' sloth.homeDir "/.gnupg") # gpg's config
-          (sloth.concat' sloth.homeDir "/.local/share/password-store") # my secrets
-          (sloth.concat' sloth.runtimeDir "/gnupg") # for access gpg-agent socket
-
-          # Unsure
-          (sloth.concat' sloth.xdgConfigHome "/dconf")
+        imports = [
+          ./modules/gui-base.nix
+          ./modules/network.nix
+          ./modules/common.nix
         ];
 
-        sockets = {
-          x11 = false;
-          wayland = true;
-          pipewire = true;
+        bubblewrap = {
+          # To trace all the home files Firefox accesses, you can use the following nushell command:
+          #   just trace-access firefox
+          # See the Justfile in the root of this repository for more information.
+          bind.rw = [
+            # given the read write permission to the following directories.
+            # NOTE: sloth.mkdir is used to create the directory if it does not exist!
+            (sloth.mkdir (sloth.concat' sloth.homeDir "/.mozilla"))
+
+            sloth.xdgDocumentsDir
+            sloth.xdgDownloadDir
+            sloth.xdgMusicDir
+            sloth.xdgVideosDir
+            sloth.xdgPicturesDir
+          ];
+          bind.ro = [
+            "/sys/bus/pci"
+            [
+              "${config.app.package}/lib/firefox"
+              "/app/etc/firefox"
+            ]
+
+            # ================ for browserpass extension ===============================
+            "/etc/gnupg"
+            (sloth.concat' sloth.homeDir "/.gnupg") # gpg's config
+            (sloth.concat' sloth.homeDir "/.local/share/password-store") # my secrets
+            (sloth.concat' sloth.runtimeDir "/gnupg") # for access gpg-agent socket
+
+            # Unsure
+            (sloth.concat' sloth.xdgConfigHome "/dconf")
+          ];
+
+          sockets = {
+            x11 = false;
+            wayland = true;
+            pipewire = true;
+          };
         };
       };
-    };
+  };
+  exePath = lib.getExe wrapped.config.script;
+in
+buildEnv {
+  inherit (wrapped.config.script) name meta passthru;
+  paths = [
+    wrapped.config.script
+    (makeDesktopItem {
+      name = appId;
+      desktopName = "Firefox";
+      genericName = "Firefox Boxed";
+      comment = "Firefox Browser";
+      exec = "${exePath} %U";
+      terminal = false;
+      icon = "firefox";
+      startupNotify = true;
+      startupWMClass = "firefox";
+      type = "Application";
+      categories = [
+        "Network"
+        "WebBrowser"
+      ];
+      mimeTypes = [
+        "text/html"
+        "text/xml"
+        "application/xhtml+xml"
+        "application/vnd.mozilla.xul+xml"
+        "x-scheme-handler/http"
+        "x-scheme-handler/https"
+      ];
+
+      actions = {
+        new-private-window = {
+          name = "New Private Window";
+          exec = "${exePath} --private-window %U";
+        };
+        new-window = {
+          name = "New Window";
+          exec = "${exePath} --new-window %U";
+        };
+        profile-manager-window = {
+          name = "Profile Manager";
+          exec = "${exePath} --ProfileManager";
+        };
+      };
+
+      extraConfig = {
+        X-Flatpak = appId;
+      };
+    })
+  ];
 }

hardening/nixpaks/modules/common.nix

@@ -0,0 +1,234 @@
+# https://github.com/mnixry/nixos-config/blob/74913c2b90d06e31170bbbaa0074f915721da224/desktop/packages/nixpaks-common.nix
+# https://github.com/Kraftland/portable/blob/09c4a4227538a3f42de208a6ecbdc938ac9c00dd/portable.sh
+# https://flatpak.github.io/xdg-desktop-portal/docs/api-reference.html
+{
+  lib,
+  sloth,
+  config,
+  ...
+}:
+let
+  inherit (config.flatpak) appId;
+in
+{
+  config = {
+    # list all dbus services:
+    #   ls -al /run/current-system/sw/share/dbus-1/services/
+    #   ls -al /etc/profiles/per-user/ryan/share/dbus-1/services/
+    dbus = {
+      # `--see`: The bus name can be enumerated by the application.
+      # `--talk`: The application can send messages to, and receive replies and signals from, the bus name.
+      # `--own`: The application can own the bus name
+      policies = {
+        "${appId}" = "own";
+        "${appId}.*" = "own";
+        "org.freedesktop.DBus" = "talk";
+        "ca.desrt.dconf" = "talk";
+        "org.freedesktop.appearance" = "talk";
+        "org.freedesktop.appearance.*" = "talk";
+      }
+      // (builtins.listToAttrs (
+        map (id: lib.nameValuePair "org.kde.StatusNotifierItem-${toString id}-1" "own") (
+          lib.lists.range 2 29
+        )
+      ))
+      // {
+        # --- MPRIS Media Control ---
+        # Allows the app to register as a media player. These are derived from the appID.
+        "org.mpris.MediaPlayer2.${appId}" = "own";
+        "org.mpris.MediaPlayer2.${appId}.*" = "own";
+        "org.mpris.MediaPlayer2.${lib.lists.last (lib.strings.splitString "." appId)}" = "own";
+        "org.mpris.MediaPlayer2.${lib.lists.last (lib.strings.splitString "." appId)}.*" = "own";
+
+        # --- General Desktop Integration ---
+        "com.canonical.AppMenu.Registrar" = "talk"; # For Ubuntu AppMenu
+        "org.freedesktop.FileManager1" = "talk";
+        "org.freedesktop.Notifications" = "talk";
+        "org.kde.StatusNotifierWatcher" = "talk";
+        "org.gnome.Shell.Screencast" = "talk";
+
+        # --- Accessibility (a11y) 无障碍服务 ---
+        "org.a11y.Bus" = "see";
+
+        # --- Portal Access ---
+        # "org.freedesktop.portal.*" = "talk";
+        "org.freedesktop.portal.Documents" = "talk";
+        "org.freedesktop.portal.FileTransfer" = "talk";
+        "org.freedesktop.portal.FileTransfer.*" = "talk";
+        "org.freedesktop.portal.Notification" = "talk";
+        "org.freedesktop.portal.OpenURI" = "talk";
+        "org.freedesktop.portal.OpenURI.OpenFile" = "talk";
+        "org.freedesktop.portal.OpenURI.OpenURI" = "talk";
+        "org.freedesktop.portal.Print" = "talk";
+        "org.freedesktop.portal.Request" = "see";
+
+        # --- Input Method Portals ---
+        "org.freedesktop.portal.Fcitx" = "talk";
+        "org.freedesktop.portal.Fcitx.*" = "talk";
+        "org.freedesktop.portal.IBus" = "talk";
+        "org.freedesktop.portal.IBus.*" = "talk";
+      };
+      # '--call' rules permit specific method calls on D-Bus interfaces.
+      rules.call = {
+        # --- Accessibility (a11y) 无障碍服务 ---
+        "org.a11y.Bus" = [
+          "org.a11y.Bus.GetAddress@/org/a11y/bus"
+          "org.freedesktop.DBus.Properties.Get@/org/a11y/bus"
+        ];
+
+        # --- General Portal Rules ---
+        "org.freedesktop.FileManager1" = [ "*" ];
+        "org.freedesktop.Notifications.*" = [ "*" ];
+        "org.freedesktop.portal.Documents" = [ "*" ];
+        "org.freedesktop.portal.FileTransfer" = [ "*" ];
+        "org.freedesktop.portal.FileTransfer.*" = [ "*" ];
+        "org.freedesktop.portal.Fcitx" = [ "*" ];
+        "org.freedesktop.portal.Fcitx.*" = [ "*" ];
+        "org.freedesktop.portal.IBus" = [ "*" ];
+        "org.freedesktop.portal.IBus.*" = [ "*" ];
+        "org.freedesktop.portal.Notification" = [ "*" ];
+        "org.freedesktop.portal.OpenURI" = [ "*" ];
+        "org.freedesktop.portal.OpenURI.OpenFile" = [ "*" ];
+        "org.freedesktop.portal.OpenURI.OpenURI" = [ "*" ];
+        "org.freedesktop.portal.Print" = [ "*" ];
+        "org.freedesktop.portal.Request" = [ "*" ];
+
+        # --- Main Desktop Portal Interface ---
+        # A comprehensive list of permissions for interacting with the desktop environment.
+        "org.freedesktop.portal.Desktop" = [
+          # Properties & Settings
+          "org.freedesktop.DBus.Properties.GetAll"
+          "org.freedesktop.DBus.Properties.Get@/org/freedesktop/portal/desktop"
+          "org.freedesktop.portal.Session.Close"
+          "org.freedesktop.portal.Settings.ReadAll"
+          "org.freedesktop.portal.Settings.Read"
+          "org.freedesktop.portal.Account.GetUserInformation"
+
+          # Network & Proxy
+          "org.freedesktop.portal.NetworkMonitor"
+          "org.freedesktop.portal.NetworkMonitor.*"
+          "org.freedesktop.portal.ProxyResolver.Lookup"
+          "org.freedesktop.portal.ProxyResolver.Lookup.*"
+
+          # Screenshot / Screen Capture & Sharing
+          "org.freedesktop.portal.ScreenCast"
+          "org.freedesktop.portal.ScreenCast.*"
+          "org.freedesktop.portal.Screenshot"
+          "org.freedesktop.portal.Screenshot.Screenshot"
+
+          # Device Access(Camera / USB)
+          "org.freedesktop.portal.Camera"
+          "org.freedesktop.portal.Camera.*"
+          "org.freedesktop.portal.Usb"
+          "org.freedesktop.portal.Usb.*"
+
+          # Remote Desktop
+          "org.freedesktop.portal.RemoteDesktop"
+          "org.freedesktop.portal.RemoteDesktop.*"
+
+          # File Operations
+          "org.freedesktop.portal.Documents"
+          "org.freedesktop.portal.Documents.*"
+          "org.freedesktop.portal.FileChooser"
+          "org.freedesktop.portal.FileChooser.*"
+          "org.freedesktop.portal.FileTransfer"
+          "org.freedesktop.portal.FileTransfer.*"
+
+          # Notifications & Printing
+          "org.freedesktop.portal.Notification"
+          "org.freedesktop.portal.Notification.*"
+          "org.freedesktop.portal.Print"
+          "org.freedesktop.portal.Print.*"
+
+          # Open/Launch Handlers
+          "org.freedesktop.portal.OpenURI"
+          "org.freedesktop.portal.OpenURI.*"
+          "org.freedesktop.portal.Email.ComposeEmail"
+
+          # Input Methods
+          "org.freedesktop.portal.Fcitx"
+          "org.freedesktop.portal.Fcitx.*"
+          "org.freedesktop.portal.IBus"
+          "org.freedesktop.portal.IBus.*"
+
+          # Secrets (Keyring)
+          "org.freedesktop.portal.Secret"
+          "org.freedesktop.portal.Secret.RetrieveSecret"
+
+          # Get/Update GlobalShortcuts
+          # "org.freedesktop.portal.GlobalShortcuts"
+          # "org.freedesktop.portal.GlobalShortcuts.*"
+
+          # -- get the user's location
+          # "org.freedesktop.portal.Location"
+          # "org.freedesktop.portal.Location.*"
+
+          # -- inhibit the user session from ending, suspending, idling or getting switched away.
+          "org.freedesktop.portal.Inhibit"
+          "org.freedesktop.portal.Inhibit.*"
+
+          # Generic Request Fallback
+          "org.freedesktop.portal.Request"
+        ];
+      };
+
+      # 'broadcast' rules permit receiving signals from D-Bus names.
+      rules.broadcast = {
+        "org.freedesktop.portal.*" = [ "@/org/freedesktop/portal/*" ];
+      };
+      args = [
+        "--filter"
+        "--sloppy-names"
+        "--log"
+      ];
+    };
+
+    etc.sslCertificates.enable = true;
+    bubblewrap = {
+      network = lib.mkDefault true;
+      sockets = {
+        wayland = true;
+        pulse = true;
+      };
+
+      bind.rw = with sloth; [
+        [
+          (mkdir appDataDir)
+          xdgDataHome
+        ]
+        [
+          (mkdir appConfigDir)
+          xdgConfigHome
+        ]
+        [
+          (mkdir appCacheDir)
+          xdgCacheHome
+        ]
+
+        (sloth.concat [
+          sloth.runtimeDir
+          "/"
+          (sloth.envOr "WAYLAND_DISPLAY" "no")
+        ])
+        (sloth.concat' sloth.runtimeDir "/at-spi/bus")
+        (sloth.concat' sloth.runtimeDir "/gvfsd")
+        (sloth.concat' sloth.runtimeDir "/dconf")
+
+        (sloth.concat' sloth.xdgCacheHome "/fontconfig")
+        (sloth.concat' sloth.xdgCacheHome "/mesa_shader_cache")
+        (sloth.concat' sloth.xdgCacheHome "/mesa_shader_cache_db")
+        (sloth.concat' sloth.xdgCacheHome "/radv_builtin_shaders")
+      ];
+      bind.ro = [
+        (sloth.concat' sloth.runtimeDir "/doc")
+        (sloth.concat' sloth.xdgConfigHome "/kdeglobals")
+        (sloth.concat' sloth.xdgConfigHome "/gtk-2.0")
+        (sloth.concat' sloth.xdgConfigHome "/gtk-3.0")
+        (sloth.concat' sloth.xdgConfigHome "/gtk-4.0")
+        (sloth.concat' sloth.xdgConfigHome "/fontconfig")
+        (sloth.concat' sloth.xdgConfigHome "/dconf")
+      ];
+      bind.dev = [ "/dev/shm" ] ++ (map (id: "/dev/video${toString id}") (lib.lists.range 0 9));
+    };
+  };
+}

hardening/nixpaks/modules/gui-base.nix

@@ -16,15 +16,7 @@ in
   config = {
     dbus.policies = {
       "${config.flatpak.appId}" = "own";
-      "org.freedesktop.DBus" = "talk";
-      "org.gtk.vfs.*" = "talk";
-      "org.gtk.vfs" = "talk";
-      "ca.desrt.dconf" = "talk";
-      "org.a11y.Bus" = "talk";
-
-      # for default portal & gtk/hyprland's portal
-      "org.freedesktop.portal.*" = "talk";
-      "org.freedesktop.impl.portal.desktop.*" = "talk";
+      # we add other policies in ./common.nix
     };
     # https://github.com/nixpak/nixpak/blob/master/modules/gpu.nix
     # 1. bind readonly - /run/opengl-driver
@@ -69,8 +61,8 @@ in
         (sloth.concat' sloth.xdgConfigHome "/fontconfig")
 
         "/etc/fonts" # for fontconfig
-        "/etc/machine-id"
-        "/etc/localtime"
+        "/etc/localtime" # this is a symlink to /etc/zoneinfo/xxx
+        "/etc/zoneinfo"
 
         # Fix: libEGL warning: egl: failed to create dri2 screen
         "/etc/egl"

hardening/nixpaks/qq-desktop-item.nix

@@ -1,17 +0,0 @@
-{
-  makeDesktopItem,
-  qq,
-}:
-makeDesktopItem {
-  name = "qq";
-  desktopName = "QQ";
-  exec = "${qq}/bin/qq %U";
-  terminal = false;
-  # To find the icon name(nushell):
-  #   let p = NIXPKGS_ALLOW_UNFREE=1 nix eval --impure nixpkgs#qq.outPath | str trim --char '"'
-  #   tree $"($p)/share/icons"
-  icon = "${qq}/share/icons/hicolor/512x512/apps/qq.png";
-  type = "Application";
-  categories = [ "Network" ];
-  comment = "QQ boxed";
-}

hardening/nixpaks/qq.nix

@@ -5,65 +5,75 @@
 # - QQ's flatpak manifest: https://github.com/flathub/com.qq.QQ/blob/master/com.qq.QQ.yaml
 {
   lib,
-  pkgs,
+  qq,
   mkNixPak,
+  buildEnv,
+  makeDesktopItem,
   ...
 }:
-mkNixPak {
-  config =
-    { sloth, ... }:
-    {
-      app = {
-        package = pkgs.qq.override {
-          # fix fcitx5 input method
-          commandLineArgs = lib.concatStringsSep " " [ "--enable-wayland-ime" ];
+
+let
+  appId = "com.qq.QQ";
+
+  wrapped = mkNixPak {
+    config =
+      { sloth, ... }:
+      {
+        app = {
+          package = qq;
+          binPath = "bin/qq";
         };
-        binPath = "bin/qq";
-      };
-      flatpak.appId = "com.tencent.qq";
+        flatpak.appId = appId;
 
-      imports = [
-        ./modules/gui-base.nix
-        ./modules/network.nix
-      ];
-
-      # list all dbus services:
-      #   ls -al /run/current-system/sw/share/dbus-1/services/
-      #   ls -al /etc/profiles/per-user/ryan/share/dbus-1/services/
-      dbus.policies = {
-        "org.gnome.Shell.Screencast" = "talk";
-        # System tray icon
-        "org.freedesktop.Notifications" = "talk";
-        "org.kde.StatusNotifierWatcher" = "talk";
-        # File Manager
-        "org.freedesktop.FileManager1" = "talk";
-        # Uses legacy StatusNotifier implementation
-        "org.kde.*" = "own";
-      };
-      bubblewrap = {
-        # To trace all the home files QQ accesses, you can use the following nushell command:
-        #   just trace-access qq
-        # See the Justfile in the root of this repository for more information.
-        bind.rw = [
-          # given the read write permission to the following directories.
-          # NOTE: sloth.mkdir is used to create the directory if it does not exist!
-          (sloth.mkdir (
-            sloth.concat [
-              sloth.xdgConfigHome
-              "/QQ"
-            ]
-          ))
-
-          sloth.xdgDocumentsDir
-          sloth.xdgDownloadDir
-          sloth.xdgMusicDir
-          sloth.xdgVideosDir
+        imports = [
+          ./modules/gui-base.nix
+          ./modules/network.nix
+          ./modules/common.nix
         ];
-        sockets = {
-          x11 = false;
-          wayland = true;
-          pipewire = true;
+
+        bubblewrap = {
+          # To trace all the home files QQ accesses, you can use the following nushell command:
+          #   just trace-access qq
+          # See the Justfile in the root of this repository for more information.
+          bind.rw = [
+            sloth.xdgDocumentsDir
+            sloth.xdgDownloadDir
+            sloth.xdgMusicDir
+            sloth.xdgVideosDir
+            sloth.xdgPicturesDir
+          ];
+          sockets = {
+            x11 = false;
+            wayland = true;
+            pipewire = true;
+          };
         };
       };
-    };
+  };
+  exePath = lib.getExe wrapped.config.script;
+in
+buildEnv {
+  inherit (wrapped.config.script) name meta passthru;
+  paths = [
+    wrapped.config.script
+    (makeDesktopItem {
+      name = appId;
+      desktopName = "QQ";
+      genericName = "QQ Boxed";
+      comment = "Tencent QQ, also known as QQ, is an instant messaging software service and web portal developed by the Chinese technology company Tencent.";
+      exec = "${exePath} %U";
+      terminal = false;
+      icon = "${qq}/share/icons/hicolor/512x512/apps/qq.png";
+      startupNotify = true;
+      startupWMClass = "QQ";
+      type = "Application";
+      categories = [
+        "InstantMessaging"
+        "Network"
+      ];
+      extraConfig = {
+        X-Flatpak = appId;
+      };
+    })
+  ];
 }

hardening/nixpaks/telegram-desktop.nix

@@ -0,0 +1,101 @@
+{
+  lib,
+  telegram-desktop,
+  buildEnv,
+  mkNixPak,
+  makeDesktopItem,
+  ...
+}:
+let
+  appId = "org.telegram.desktop";
+  wrapped = mkNixPak {
+    config =
+      { sloth, ... }:
+      {
+        imports = [
+          ./modules/gui-base.nix
+          ./modules/network.nix
+          ./modules/common.nix
+        ];
+        app.package = telegram-desktop;
+        flatpak = {
+          appId = appId;
+        };
+        dbus = {
+          enable = true;
+          policies = {
+            "com.canonical.indicator.application" = "talk";
+            "org.ayatana.indicator.application" = "talk";
+            "org.sigxcpu.Feedback" = "talk";
+          };
+        };
+
+        bubblewrap = {
+          bind.rw = [
+            sloth.xdgDocumentsDir
+            sloth.xdgDownloadDir
+            sloth.xdgMusicDir
+            sloth.xdgVideosDir
+            sloth.xdgPicturesDir
+          ];
+          sockets = {
+            x11 = false;
+            wayland = true;
+            pipewire = true;
+          };
+        };
+      };
+  };
+  exePath = lib.getExe wrapped.config.script;
+in
+buildEnv {
+  inherit (wrapped.config.script) name meta passthru;
+  paths = [
+    wrapped.config.script
+    (makeDesktopItem {
+      name = appId;
+      desktopName = "Telegram";
+      comment = "New era of messaging";
+      tryExec = "${exePath}";
+      exec = "${exePath} -- %u";
+      icon = appId;
+      startupNotify = true;
+      startupWMClass = appId;
+      terminal = false;
+      type = "Application";
+      categories = [
+        "Chat"
+        "Network"
+        "InstantMessaging"
+        "Qt"
+      ];
+      mimeTypes = [
+        "x-scheme-handler/tg"
+        "x-scheme-handler/tonsite"
+      ];
+      keywords = [
+        "tg"
+        "chat"
+        "im"
+        "messaging"
+        "messenger"
+        "sms"
+        "tdesktop"
+      ];
+      actions = {
+        quit = {
+          name = "Quit Telegram";
+          exec = "${exePath} -quit";
+          icon = "application-exit";
+        };
+      };
+      extraConfig = {
+        X-Flatpak = appId;
+        DBusActivatable = "true";
+        SingleMainWindow = "true";
+        X-GNOME-UsesNotifications = "true";
+        X-GNOME-SingleWindow = "true";
+      };
+    })
+  ];
+}

home/README.md

@@ -1,5 +1,48 @@
 # Home Manager's Submodules
 
-1. `base`: The base module that is suitable for both Linux and macOS.
-2. `linux`: Linux-specific configuration.
-3. `darwin`: macOS-specific configuration.
+This directory contains all Home Manager configurations organized by platform and functionality.
+
+## Current Structure
+
+```
+home/
+├── base/              # Cross-platform home manager configurations
+│   ├── core/          # Essential applications and settings
+│   │   ├── editors/   # Editor configurations (Neovim, Helix)
+│   │   ├── shells/    # Shell configurations (Nushell, Zellij)
+│   │   └── ...
+│   ├── gui/           # GUI applications and desktop settings
+│   │   ├── terminal/  # Terminal emulators (Kitty, Alacritty, etc.)
+│   │   └── ...
+│   ├── tui/           # Terminal/TUI applications
+│   │   ├── editors/   # TUI editors and related tools
+│   │   ├── encryption/ # GPG, password-store, etc.
+│   │   └── ...
+│   └── home.nix       # Main home manager entry point
+├── linux/             # Linux-specific home manager configurations
+│   ├── base/          # Linux base configurations
+│   ├── gui/           # Linux GUI applications
+│   │   ├── niri/      # Niri window manager
+│   │   └── ...
+│   ├── editors/       # Linux-specific editors
+│   └── ...
+└── darwin/            # macOS-specific home manager configurations
+    ├── aerospace/     # macOS window manager
+    ├── proxy/         # Proxy configurations
+    └── ...
+```
+
+## Module Overview
+
+1. **base**: The base module suitable for both Linux and macOS
+   - Cross-platform applications and settings
+   - Shared configurations for editors, shells, and essential tools
+
+2. **linux**: Linux-specific configuration
+   - Desktop environments (Noctalia Shell, Niri compositor)
+   - Linux-specific GUI applications
+   - System integration tools
+
+3. **darwin**: macOS-specific configuration
+   - macOS applications and services
+   - Platform-specific integrations (Aerospace, Squirrel, etc.)

home/base/README.md

@@ -1,5 +1,66 @@
 # Home Manager's Base Submodules
 
-1. `server`: Configuration which is suitable for both servers and desktops.
-1. `desktop`: Configuration for desktop environments, such as Hyprland, I3, etc.
-1. `core.nix`: Minimal home-manager's config
+This directory contains cross-platform base configurations that are shared between Linux and Darwin
+systems.
+
+## Configuration Structure
+
+### Core System
+
+- **core/**: Essential cross-platform configurations
+  - **core.nix**: Minimal home-manager configuration
+  - **shells/**: Shell configurations (bash, zsh, fish, nu)
+  - **editors/**: Text editor configurations
+    - **neovim/**: Neovim with custom plugins and settings
+    - **helix/**: Helix editor configuration
+  - **btop.nix**: System monitoring tools
+  - **git.nix**: Git configuration and aliases
+  - **npm.nix**: Node.js package management
+  - **pip.nix**: Python package management
+  - **starship.nix**: Cross-shell prompt configuration
+  - **theme.nix**: Color schemes and theming
+  - **yazi.nix**: Terminal file manager configuration
+  - **zellij/**: Terminal multiplexer with custom layouts
+
+### Desktop Environment
+
+- **gui/**: Cross-platform GUI applications and configurations
+  - **dev-tools.nix**: Development tools and IDEs
+  - **media.nix**: Media players and utilities
+  - **terminal/**: Terminal emulator configurations
+    - **alacritty/**: Alacritty terminal
+    - **kitty/**: Kitty terminal
+    - **foot/**: Foot terminal (Linux)
+    - **ghostty/**: Ghostty terminal
+
+### Terminal Interface
+
+- **tui/**: Terminal-based interface configurations
+  - **cloud/**: Cloud development tools (Terraform, etc.)
+  - **container.nix**: Container tools (Docker, Podman)
+  - **dev-tools.nix**: Terminal-based development tools
+  - **editors/**: Terminal editor configurations
+  - **encryption/**: Encryption and security tools
+  - **gpg/**: GPG key management
+  - **password-store/**: Password management with pass
+  - **shell.nix**: Shell environment configurations
+  - **ssh/**: SSH configuration and management
+  - **zellij/**: Terminal workspace management
+
+### System Management
+
+- **home.nix**: Main home manager configuration file
+
+## Platform Compatibility
+
+All configurations in this directory are designed to work across:
+
+- **Linux**: All distributions with Nix and Home Manager
+- **macOS**: Darwin systems with Home Manager
+- **WSL**: Windows Subsystem for Linux
+
+## Usage
+
+These base configurations provide the foundation for both Linux and Darwin systems, ensuring
+consistent environments across different platforms while allowing for platform-specific
+customizations.

home/base/core/core.nix

@@ -1,34 +1,6 @@
 { pkgs, ... }:
 {
   home.packages = with pkgs; [
-    # Misc
-    cowsay
-    gnupg
-    gnumake
-
-    # Modern cli tools, replacement of grep/sed/...
-
-    # Interactively filter its input using fuzzy searching, not limit to filenames.
-    fzf
-    # search for files by name, faster than find
-    fd
-    # search for files by its content, replacement of grep
-    (ripgrep.override { withPCRE2 = true; })
-
-    # A fast and polyglot tool for code searching, linting, rewriting at large scale
-    # supported languages: only some mainstream languages currently(do not support nix/nginx/yaml/toml/...)
-    ast-grep
-
-    sad # CLI search and replace, just like sed, but with diff preview.
-    yq-go # yaml processor https://github.com/mikefarah/yq
-    just # a command runner like make, but simpler
-    hyperfine # command-line benchmarking tool
-    gping # ping, but with a graph(TUI)
-    doggo # DNS client for humans
-    duf # Disk Usage/Free Utility - a better 'df' alternative
-    du-dust # A more intuitive version of `du` in rust
-    gdu # disk usage analyzer(replacement of `du`)
-
     # nix related
     #
     # it provides the command `nom` works just like `nix
@@ -42,10 +14,15 @@
     # https://github.com/utdemir/nix-tree
     nix-tree # A TUI to visualize the dependency graph of a nix derivation
 
-    # productivity
+    # misc
+    cowsay
+    gnupg
     caddy # A webserver with automatic HTTPS via Let's Encrypt(replacement of nginx)
-    croc # File transfer between computers securely and easily
-    ncdu # analyzer your disk usage Interactively, via TUI(replacement of `du`)
+    # A fast and polyglot tool for code searching, linting, rewriting at large scale
+    # supported languages: only some mainstream languages currently(do not support nix/nginx/yaml/toml/...)
+    ast-grep
+
+    # other core cli tools are installed at system-level
   ];
 
   # A modern replacement for ‘ls’

home/base/core/editors/README.md

@@ -1,3 +1,10 @@
 # Editors
 
-See [desktop/editors/](../../desktop/editors/) for more details.
+This directory contains editor configurations that are shared across different environments.
+
+## Available Editors
+
+- **neovim/**: Neovim configuration with AstroNvim
+- **helix/**: Helix editor configuration
+
+These configurations are designed to work across both terminal and GUI environments.

home/base/core/editors/helix/default.nix

@@ -1,6 +1,4 @@
 { pkgs, ... }:
 {
-  programs.helix = {
-    enable = true;
-  };
+  programs.helix.enable = true;
 }

home/base/core/git.nix

@@ -40,18 +40,27 @@
     enable = true;
     lfs.enable = true;
 
-    userName = myvars.userfullname;
-    userEmail = myvars.useremail;
+    # signing = {
+    #   key = "xxx";
+    #   signByDefault = true;
+    # };
 
     includes = [
       {
-        # use different email & name for work
+        # use different email & name for work:
+        #
+        # [user]
+        #   email = "xxx@xxx.com"
+        #   name = "Ryan Yin"
         path = "~/work/.gitconfig";
         condition = "gitdir:~/work/";
       }
     ];
 
-    extraConfig = {
+    settings = {
+      user.email = myvars.useremail;
+      user.name = myvars.userfullname;
+
       init.defaultBranch = "main";
       trim.bases = "develop,master,main"; # for git-trim
       push.autoSetupRemote = true;
@@ -63,58 +72,51 @@
         "ssh://git@github.com/ryan4yin" = {
           insteadOf = "https://github.com/ryan4yin";
         };
-        # "ssh://git@gitlab.com/" = {
-        #   insteadOf = "https://gitlab.com/";
-        # };
-        # "ssh://git@bitbucket.com/" = {
-        #   insteadOf = "https://bitbucket.com/";
+        # "ssh://git@bitbucket.com/ryan4yin" = {
+        #   insteadOf = "https://bitbucket.com/ryan4yin";
         # };
       };
-    };
 
-    # signing = {
-    #   key = "xxx";
-    #   signByDefault = true;
-    # };
+      alias = {
+        # common aliases
+        br = "branch";
+        co = "checkout";
+        st = "status";
+        ls = "log --pretty=format:\"%C(yellow)%h%Cred%d\\\\ %Creset%s%Cblue\\\\ [%cn]\" --decorate";
+        ll = "log --pretty=format:\"%C(yellow)%h%Cred%d\\\\ %Creset%s%Cblue\\\\ [%cn]\" --decorate --numstat";
+        cm = "commit -m"; # commit via `git cm <message>`
+        ca = "commit -am"; # commit all changes via `git ca <message>`
+        dc = "diff --cached";
 
-    # A syntax-highlighting pager for git, diff, grep, and blame output
-    delta = {
-      enable = true;
-      options = {
-        diff-so-fancy = true;
-        line-numbers = true;
-        true-color = "always";
-        # features => named groups of settings, used to keep related settings organized
-        # features = "";
+        amend = "commit --amend -m"; # amend commit message via `git amend <message>`
+        unstage = "reset HEAD --"; # unstage file via `git unstage <file>`
+        merged = "branch --merged"; # list merged(into HEAD) branches via `git merged`
+        unmerged = "branch --no-merged"; # list unmerged(into HEAD) branches via `git unmerged`
+        nonexist = "remote prune origin --dry-run"; # list non-exist(remote) branches via `git nonexist`
+
+        # delete merged branches except master & dev & staging
+        #  `!` indicates it's a shell script, not a git subcommand
+        delmerged = ''! git branch --merged | egrep -v "(^\*|main|master|dev|staging)" | xargs git branch -d'';
+        # delete non-exist(remote) branches
+        delnonexist = "remote prune origin";
+
+        # aliases for submodule
+        update = "submodule update --init --recursive";
+        foreach = "submodule foreach";
       };
     };
+  };
 
-    aliases = {
-      # common aliases
-      br = "branch";
-      co = "checkout";
-      st = "status";
-      ls = "log --pretty=format:\"%C(yellow)%h%Cred%d\\\\ %Creset%s%Cblue\\\\ [%cn]\" --decorate";
-      ll = "log --pretty=format:\"%C(yellow)%h%Cred%d\\\\ %Creset%s%Cblue\\\\ [%cn]\" --decorate --numstat";
-      cm = "commit -m"; # commit via `git cm <message>`
-      ca = "commit -am"; # commit all changes via `git ca <message>`
-      dc = "diff --cached";
-
-      amend = "commit --amend -m"; # amend commit message via `git amend <message>`
-      unstage = "reset HEAD --"; # unstage file via `git unstage <file>`
-      merged = "branch --merged"; # list merged(into HEAD) branches via `git merged`
-      unmerged = "branch --no-merged"; # list unmerged(into HEAD) branches via `git unmerged`
-      nonexist = "remote prune origin --dry-run"; # list non-exist(remote) branches via `git nonexist`
-
-      # delete merged branches except master & dev & staging
-      #  `!` indicates it's a shell script, not a git subcommand
-      delmerged = ''! git branch --merged | egrep -v "(^\*|main|master|dev|staging)" | xargs git branch -d'';
-      # delete non-exist(remote) branches
-      delnonexist = "remote prune origin";
-
-      # aliases for submodule
-      update = "submodule update --init --recursive";
-      foreach = "submodule foreach";
+  # A syntax-highlighting pager for git, diff, grep, and blame output
+  programs.delta = {
+    enable = true;
+    enableGitIntegration = true;
+    options = {
+      diff-so-fancy = true;
+      line-numbers = true;
+      true-color = "always";
+      # features => named groups of settings, used to keep related settings organized
+      # features = "";
     };
   };
 
@@ -122,5 +124,5 @@
   programs.lazygit.enable = true;
 
   # Yet another Git TUI (written in rust).
-  programs.gitui.enable = true;
+  programs.gitui.enable = false;
 }

home/base/core/shells/default.nix

@@ -27,7 +27,6 @@ in
   # NOTE: nushell will be launched in bash, so it can inherit all the eenvironment variables.
   programs.nushell = {
     enable = true;
-    # package = pkgs-unstable.nushell;
     configFile.source = ./config.nu;
     inherit shellAliases;
   };

home/base/core/starship.nix

@@ -6,20 +6,24 @@
     enableZshIntegration = true;
     enableNushellIntegration = true;
 
+    # https://starship.rs/config/
     settings = {
+      # Get editor completions based on the config schema
+      "$schema" = "https://starship.rs/config-schema.json";
       character = {
-        success_symbol = "[›](bold green)";
-        error_symbol = "[›](bold red)";
+        success_symbol = "[➜](bold green)";
+        error_symbol = "[➜](bold red)";
       };
-      aws = {
-        symbol = "🅰 ";
-      };
-      gcloud = {
-        # do not show the account/project's info
-        # to avoid the leak of sensitive information when sharing the terminal
-        format = "on [$symbol$active(\($region\))]($style) ";
-        symbol = "🅶 ️";
+      # I never rely on the defaults, so this module is useless to me—disabled.
+      # I prefer adding --project, --region to very gcloud/aws command.
+      aws.disabled = true;
+      gcloud.disabled = true;
+
+      kubernetes = {
+        symbol = "⛵";
+        disabled = false;
       };
+      os.disabled = false;
     };
   };
 }

home/base/core/yazi.nix

@@ -8,7 +8,7 @@
     enableBashIntegration = true;
     enableNushellIntegration = true;
     settings = {
-      manager = {
+      mgr = {
         show_hidden = true;
         sort_dir_first = true;
       };

home/base/gui/terminal/README.md

@@ -52,7 +52,7 @@ Error opening terminal: xterm-kitty.
 
 NixOS preserve the `TERMINFO` and `TERMINFO_DIRS` environment variables, for `root` and the `wheel`
 group:
-[nixpkgs/nixos/modules/config/terminfo.nix](https://github.com/NixOS/nixpkgs/blob/nixos-25.05/nixos/modules/config/terminfo.nix#L18)
+[nixpkgs/nixos/modules/config/terminfo.nix](https://github.com/NixOS/nixpkgs/blob/nixos-25.11/nixos/modules/config/terminfo.nix#L18)
 
 For nix-darwin, take a look at <https://github.com/LnL7/nix-darwin/wiki/Terminfo-issues>
 

home/base/gui/terminal/alacritty/default.nix

@@ -1,6 +1,5 @@
 {
   pkgs,
-  pkgs-unstable,
   ...
 }:
 ###########################################################
@@ -26,7 +25,6 @@
 {
   programs.alacritty = {
     enable = true;
-    # package = pkgs-unstable.alacritty;
     # https://alacritty.org/config-alacritty.html
     settings = {
       window = {
@@ -52,7 +50,7 @@
         bold_italic = {
           family = "Maple Mono NF CN";
         };
-        size = if pkgs.stdenv.isDarwin then 14 else 13;
+        size = 13;
       };
       terminal = {
         # Spawn a nushell in login mode via `bash`

home/base/gui/terminal/foot.nix

@@ -17,8 +17,9 @@
     settings = {
       main = {
         term = "foot"; # or "xterm-256color" for maximum compatibility
-        font = "Maple Mono NF CN:size=14";
+        font = "Maple Mono NF CN:size=13";
         dpi-aware = "no"; # scale via window manager instead
+        resize-keep-grid = "no"; # do not resize the window on font resizing
 
         # Spawn a nushell in login mode via `bash`
         shell = "${pkgs.bash}/bin/bash --login -c 'nu --login --interactive'";

home/base/gui/terminal/ghostty.nix

@@ -16,7 +16,7 @@
         pkgs.hello # pkgs.ghostty is currently broken on darwin
       else
         pkgs.ghostty; # the stable version
-    # package = ghostty.packages.${pkgs.system}.default; # the latest version
+    # package = ghostty.packages.${pkgs.stdenv.hostPlatform.system}.default; # the latest version
     enableBashIntegration = false;
     installBatSyntax = false;
     # installVimSyntax = true;

home/base/gui/terminal/kitty.nix

@@ -19,7 +19,7 @@
     font = {
       name = "Maple Mono NF CN";
       # use different font size on macOS
-      size = if pkgs.stdenv.isDarwin then 14 else 13;
+      size = 13;
     };
 
     # consistent with other terminal emulators

home/base/tui/container.nix

@@ -1,6 +1,6 @@
 {
   pkgs,
-  pkgs-unstable,
+  pkgs-2505,
   nur-ryan4yin,
   ...
 }:
@@ -14,6 +14,7 @@
 
     kubectl
     kubectx # kubectx & kubens
+    kubie # same as kubectl-ctx, but per-shell (won’t touch kubeconfig).
     kubectl-view-secret # kubectl view-secret
     kubectl-tree # kubectl tree
     kubectl-node-shell # exec into node
@@ -24,7 +25,7 @@
     istioctl
     clusterctl # for kubernetes cluster-api
     kubevirt # virtctl
-    kubernetes-helm
+    pkgs-2505.kubernetes-helm
     fluxcd
     argocd
 

home/base/tui/dev-tools.nix

@@ -1,6 +1,5 @@
 {
   pkgs,
-  pkgs-unstable,
   ...
 }:
 {
@@ -18,6 +17,8 @@
   home.packages = with pkgs; [
     colmena # nixos's remote deployment tool
 
+    tokei # count lines of code, alternative to cloc
+
     # db related
     mycli
     pgcli
@@ -34,7 +35,6 @@
     devbox
     bfg-repo-cleaner # remove large files from git history
     k6 # load testing tool
-    protobuf # protocol buffer compiler
 
     # solve coding extercises - learn by doing
     exercism

home/base/tui/editors/helix/default.nix

@@ -1,8 +1,29 @@
-{ pkgs, ... }:
 {
+  config,
+  pkgs,
+  helix,
+  ...
+}:
+
+let
+  helixPackages = helix.packages.${pkgs.stdenv.hostPlatform.system};
+in
+{
+  # to make steel work, we need to git clone this repo to your home directory.
+  home.sessionVariables.HELIX_STEEL_CONFIG = "${config.home.homeDirectory}/nix-config/home/base/tui/editors/helix/steel";
+
+  home.packages = with pkgs; [
+    steel
+  ];
+
   programs.helix = {
     enable = true;
-    package = pkgs.helix;
+    # enable steel as the plugin system
+    # https://github.com/helix-editor/helix/pull/8675
+    # https://github.com/mattwparas/helix/blob/steel-event-system/STEEL.md
+    package = helixPackages.default.overrideAttrs (prevAttrs: {
+      cargoBuildFeatures = prevAttrs.cargoBuildFeatures or [ ] ++ [ "steel" ];
+    });
     settings = {
       editor = {
         line-number = "relative";

home/base/tui/editors/helix/steel/helix.scm

@@ -0,0 +1,40 @@
+;; The helix.scm module will be loaded first before anything else, 
+;; the runtime will require this module, and any functions exported
+;; will now be available to be used as typed commands, e.g. :git-add :open-helix-scm
+
+(require "helix/editor.scm")
+(require (prefix-in helix. "helix/commands.scm"))
+(require (prefix-in helix.static. "helix/static.scm"))
+
+(provide shell git-add open-helix-scm open-init-scm)
+
+(define (current-path)
+  (let* ([focus (editor-focus)]
+         [focus-doc-id (editor->doc-id focus)])
+    (editor-document->path focus-doc-id)))
+
+;;@doc
+;; Specialized shell implementation, where % is a wildcard for the current file
+(define (shell . args)
+  (helix.run-shell-command
+    (string-join
+      ;; Replace the % with the current file
+      (map (lambda (x) (if (equal? x "%") (current-path) x)) args)
+      " ")))
+
+;;@doc
+;; Adds the current file to git	
+(define (git-add)
+  (shell "git" "add" "%"))
+
+;;@doc
+;; Open the helix.scm file
+(define (open-helix-scm)
+  (helix.open (helix.static.get-helix-scm-path)))
+
+;;@doc
+;; Opens the init.scm file
+(define (open-init-scm)
+  (helix.open (helix.static.get-init-scm-path)))
+  
+  

home/base/tui/editors/helix/steel/init.scm

@@ -0,0 +1,24 @@
+;; The init.scm file is run at the top level, immediately after the helix.scm module is required.
+;; The helix context is available here, so you can interact with the editor.
+
+;; configure the LSP for steel
+(require "helix/configuration.scm")
+(define-lsp "steel-language-server" (command "steel-language-server") (args '()))
+(define-language "scheme"
+                 (language-servers '("steel-language-server")))
+
+;; show splash screen - when you open with no argument
+(require "mattwparas-helix-package/splash.scm")
+(when (equal? (command-line) '("hx"))
+  (show-splash))
+
+;; Terminal & shell
+(require "steel-pty/term.scm")
+(set-default-shell! "nu")
+
+;; File Watcher
+(require "helix-file-watcher/file-watcher.scm")
+(spawn-watcher)
+
+;; File Tree
+(require "mattwparas-helix-package/cogs/file-tree.scm")

home/base/tui/editors/neovim/default.nix

@@ -2,7 +2,6 @@
   config,
   lib,
   pkgs,
-  pkgs-unstable,
   ...
 }:
 ###############################################################################
@@ -29,7 +28,7 @@ in
 
   programs.neovim = {
     enable = true;
-    package = pkgs-unstable.neovim-unwrapped;
+    package = pkgs.neovim-unwrapped;
 
     # defaultEditor = true; # set EDITOR at system-wide level
     viAlias = true;

home/base/tui/editors/packages.nix

@@ -1,6 +1,6 @@
 {
   pkgs,
-  pkgs-unstable,
+  pkgs-master,
   ...
 }:
 {
@@ -30,13 +30,13 @@
 
         #-- dockerfile
         hadolint # Dockerfile linter
-        nodePackages.dockerfile-language-server-nodejs
+        dockerfile-language-server
 
         #-- markdown
         marksman # language server for markdown
         glow # markdown previewer
         pandoc # document converter
-        pkgs-unstable.hugo # static site generator
+        pkgs-master.hugo # static site generator
 
         #-- sql
         sqlfluff
@@ -63,14 +63,15 @@
           vscode-extensions.vadimcn.vscode-lldb.adapter # codelldb - debugger
 
           #-- python
-          pipx # Install and Run Python Applications in Isolated Environments
-          uv # python project package manager
-          pyright # python language server
           (python313.withPackages (
             ps: with ps; [
+              # python language server
+              pyright
               ruff
+
+              pipx # Install and Run Python Applications in Isolated Environments
               black # python formatter
-              # debugpy
+              uv # python project package manager
 
               # my commonly used python packages
               jupyter
@@ -80,16 +81,20 @@
               pyquery
               pyyaml
               boto3
+
+              # misc
+              protobuf # protocol buffer compiler
+              numpy
             ]
           ))
 
           #-- rust
           # we'd better use the rust-overlays for rust development
-          pkgs-unstable.rustc
-          pkgs-unstable.rust-analyzer
-          pkgs-unstable.cargo # rust package manager
-          pkgs-unstable.rustfmt
-          pkgs-unstable.clippy # rust linter
+          pkgs-master.rustc
+          pkgs-master.rust-analyzer
+          pkgs-master.cargo # rust package manager
+          pkgs-master.rustfmt
+          pkgs-master.clippy # rust linter
 
           #-- golang
           go
@@ -136,7 +141,7 @@
       #   fnlfmt # fennel
       #   (
       #     if pkgs.stdenv.isLinux && pkgs.stdenv.isx86
-      #     then pkgs-unstable.akkuPackages.scheme-langserver
+      #     then pkgs-master.akkuPackages.scheme-langserver
       #     else pkgs.emptyDirectory
       #   )
       # ]

home/base/tui/encryption/default.nix

@@ -1,6 +1,5 @@
 {
   pkgs,
-  pkgs-unstable,
   ...
 }:
 {

home/base/tui/shell.nix

@@ -1,53 +0,0 @@
-{
-  config,
-  pkgs-unstable,
-  ...
-}:
-let
-  inherit (pkgs-unstable) nu_scripts;
-in
-{
-  programs.nushell = {
-    # load the alias file for work
-    # the file must exist, otherwise nushell will complain about it!
-    #
-    # currently, nushell does not support conditional sourcing of files
-    # https://github.com/nushell/nushell/issues/8214
-    extraConfig = ''
-      source /etc/agenix/alias-for-work.nushell
-
-      # using claude-code with kimi k2
-      $env.ANTHROPIC_BASE_URL = "https://api.moonshot.cn/anthropic/"
-      $env.ANTHROPIC_API_KEY = $env.MOONSHOT_API_KEY
-
-      # Directories in this constant are searched by the
-      # `use` and `source` commands.
-      const NU_LIB_DIRS = $NU_LIB_DIRS ++ ['${nu_scripts}/share/nu_scripts']
-
-      # completion
-      use custom-completions/cargo/cargo-completions.nu *
-      use custom-completions/curl/curl-completions.nu *
-      use custom-completions/git/git-completions.nu *
-      use custom-completions/glow/glow-completions.nu *
-      use custom-completions/just/just-completions.nu *
-      use custom-completions/make/make-completions.nu *
-      use custom-completions/man/man-completions.nu *
-      use custom-completions/nix/nix-completions.nu *
-      use custom-completions/ssh/ssh-completions.nu *
-      use custom-completions/tar/tar-completions.nu *
-      use custom-completions/tcpdump/tcpdump-completions.nu *
-      use custom-completions/zellij/zellij-completions.nu *
-      # use custom-completions/zoxide/zoxide-completions.nu *
-
-      # alias
-      # use aliases/git/git-aliases.nu *
-      use aliases/eza/eza-aliases.nu *
-      use aliases/bat/bat-aliases.nu *
-
-      # modules
-      use modules/argx *
-      use modules/lg *
-      use modules/kubernetes *
-    '';
-  };
-}

home/base/tui/shell/aliases/gcloud.nu

@@ -0,0 +1,39 @@
+# Google Cloud CLI aliases
+# Based on https://cloud.google.com/sdk/docs/configurations
+# Note: Avoided conflicts with common git aliases (gc, gca, gcl, gcs, gcu, gs, etc.)
+
+# Configuration management
+export alias gccfg = gcloud config configurations create
+export alias gcact = gcloud config configurations activate
+export alias gclist = gcloud config configurations list
+export alias gcdel = gcloud config configurations delete
+export alias gcset = gcloud config set
+export alias gcunset = gcloud config unset
+export alias gcconfig = gcloud config list
+ 
+# Authentication
+export alias gclogin = gcloud auth login
+export alias gcauth = gcloud auth list
+export alias gcapp = gcloud auth application-default login
+ 
+# Project management
+export alias gcproj = gcloud config set project
+export alias gcget = gcloud config get-value project
+ 
+# Compute Engine
+export alias gcinst = gcloud compute instances list
+export alias gccreate = gcloud compute instances create
+export alias gcdelete = gcloud compute instances delete
+export alias gcssh = gcloud compute ssh
+export alias gck8sget = gcloud container clusters get-credentials
+ 
+# Storage
+export alias gcst = gcloud storage
+export alias gcstls = gcloud storage ls
+export alias gcstcp = gcloud storage cp
+export alias gcstrm = gcloud storage rm
+ 
+# General shortcuts
+export alias gcloud = gcloud
+export alias gcinfo = gcloud info
+export alias gcver = gcloud version

home/base/tui/shell/default.nix

@@ -0,0 +1,72 @@
+{
+  nu_scripts,
+  ...
+}:
+{
+  programs.nushell = {
+    # load the alias file for work
+    # the file must exist, otherwise nushell will complain about it!
+    #
+    # currently, nushell does not support conditional sourcing of files
+    # https://github.com/nushell/nushell/issues/8214
+    extraConfig = ''
+      source /etc/agenix/alias-for-work.nushell
+
+      $env.CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC = "1"
+      # using claude-code with kimi k2
+      # https://platform.moonshot.cn/docs/guide/agent-support
+      # $env.ANTHROPIC_BASE_URL = "https://api.moonshot.cn/anthropic/"
+      # $env.ANTHROPIC_AUTH_TOKEN = $env.MOONSHOT_API_KEY
+      # $env.ANTHROPIC_MODEL = "kimi-k2-thinking"
+      # $env.ANTHROPIC_DEFAULT_HAIKU_MODEL = "kimi-k2-thinking-turbo"
+
+      # using claude-code with glm llm
+      # https://docs.bigmodel.cn/cn/coding-plan/tool/claude
+      $env.ANTHROPIC_BASE_URL = "https://open.bigmodel.cn/api/anthropic"
+      $env.ANTHROPIC_AUTH_TOKEN = $env.ZAI_API_KEY
+      $env.ANTHROPIC_MODEL = "glm-4.7"
+      $env.ANTHROPIC_DEFAULT_HAIKU_MODEL = "glm-4.5-air"
+
+      # using claude-code with qwen llm
+      # https://bailian.console.aliyun.com/?tab=doc#/doc/?type=model&url=2949529
+      # $env.ANTHROPIC_BASE_URL = "https://dashscope.aliyuncs.com/apps/anthropic"
+      # $env.ANTHROPIC_AUTH_TOKEN = $env.DASHSCOPE_API_KEY
+      # $env.ANTHROPIC_MODEL = "qwen-plus" # 千万别用 qwen-max, 价格
+      # $env.ANTHROPIC_DEFAULT_HAIKU_MODEL = "qwen-turbo"
+
+      # Directories in this constant are searched by the
+      # `use` and `source` commands.
+      const NU_LIB_DIRS = $NU_LIB_DIRS ++ ['${nu_scripts}']
+
+      # -*- completion -*-
+      use custom-completions/cargo/cargo-completions.nu *
+      use custom-completions/curl/curl-completions.nu *
+      use custom-completions/git/git-completions.nu *
+      use custom-completions/glow/glow-completions.nu *
+      use custom-completions/just/just-completions.nu *
+      use custom-completions/make/make-completions.nu *
+      use custom-completions/man/man-completions.nu *
+      use custom-completions/nix/nix-completions.nu *
+      use custom-completions/ssh/ssh-completions.nu *
+      use custom-completions/tar/tar-completions.nu *
+      use custom-completions/tcpdump/tcpdump-completions.nu *
+      use custom-completions/zellij/zellij-completions.nu *
+      use custom-completions/zoxide/zoxide-completions.nu *
+
+      # -*- alias -*-
+      use aliases/git/git-aliases.nu *
+      use aliases/eza/eza-aliases.nu *
+      use aliases/bat/bat-aliases.nu *
+      use ${./aliases/gcloud.nu} *
+
+      # -*- modules -*-
+      # argx & lg is required by the kubernetes module
+      use modules/argx *
+      use modules/lg *
+      # k8s/helm aliases, completions, 
+      use modules/kubernetes *
+      # a wrapper around the jc cli tool, convert cli outputs to nushell tables
+      # use modules/jc
+    '';
+  };
+}

home/base/tui/ssh.nix

@@ -9,8 +9,21 @@
   programs.ssh = {
     enable = true;
 
-    # "a private key that is used during authentication will be added to ssh-agent if it is running"
-    addKeysToAgent = "yes";
+    # default config
+    enableDefaultConfig = false;
+    matchBlocks."*" = {
+      forwardAgent = false;
+      # "a private key that is used during authentication will be added to ssh-agent if it is running"
+      addKeysToAgent = "yes";
+      compression = true;
+      serverAliveInterval = 0;
+      serverAliveCountMax = 3;
+      hashKnownHosts = false;
+      userKnownHostsFile = "~/.ssh/known_hosts";
+      controlMaster = "no";
+      controlPath = "~/.ssh/master-%r@%n:%p";
+      controlPersist = "no";
+    };
 
     matchBlocks = {
       "github.com" = {

home/darwin/README.md

@@ -1,6 +1,33 @@
 # Home Manager's Darwin Submodules
 
-1. `core.nix`: some basic configuration.
-2. `shell.nix`: shell related.
-3. `rime-squirrel.nix`: [rime-squirrel](https://github.com/rime/squirrel)'s configuration.
-4. `default.nix`: the entrypoint of darwin's configuration, it import all the submodules above.
+This directory contains macOS-specific Home Manager configurations for Darwin systems.
+
+## Configuration Modules
+
+### Core Configurations
+
+- **default.nix**: Entry point that imports all Darwin configurations
+- **shell.nix**: Shell configurations and environment settings
+- **rime-squirrel.nix**: [Rime Squirrel](https://github.com/rime/squirrel) input method
+  configuration
+
+### Window Management
+
+- **aerospace/**: [Aerospace](https://github.com/nikitabobko/AeroSpace) tiling window manager
+  configuration
+  - Custom keybindings and workspace management
+  - Application-specific window rules
+
+### Network Configuration
+
+- **proxy/**: Network proxy configurations
+  - `proxychains.conf`: Proxy chains configuration for network routing
+  - Proxy settings for development tools and applications
+
+## Features
+
+- macOS-specific package installations and configurations
+- Native macOS applications and utilities
+- Touch ID and system integration
+- Homebrew integration for additional packages
+- macOS-specific shell configurations and aliases

home/darwin/aerospace/aerospace.toml

@@ -130,8 +130,8 @@ alt-3 = 'workspace 3Work'
 alt-4 = 'workspace 4Firefox'
 alt-5 = 'workspace 5Chrome'
 alt-6 = 'workspace 6Chat'
-alt-7 = 'workspace 7Music'
-alt-8 = 'workspace 8Mail'
+alt-7 = 'workspace 7Work'
+alt-8 = 'workspace 8Music'
 alt-9 = 'workspace 9File'
 alt-0 = 'workspace 0Other'
 alt-a = 'workspace A'          # In your config, you can drop workspace bindings that you don't need
@@ -146,8 +146,8 @@ alt-shift-3 = 'move-node-to-workspace 3Work'
 alt-shift-4 = 'move-node-to-workspace 4Firefox'
 alt-shift-5 = 'move-node-to-workspace 5Chrome'
 alt-shift-6 = 'move-node-to-workspace 6Chat'
-alt-shift-7 = 'move-node-to-workspace 7Music'
-alt-shift-8 = 'move-node-to-workspace 8Mail'
+alt-shift-7 = 'move-node-to-workspace 7Work'
+alt-shift-8 = 'move-node-to-workspace 8Music'
 alt-shift-9 = 'move-node-to-workspace 9File'
 alt-shift-0 = 'move-node-to-workspace 0Other'
 alt-shift-a = 'move-node-to-workspace A'
@@ -246,22 +246,22 @@ run = 'move-node-to-workspace 6Chat'
 if.app-id = 'com.tencent.qq'
 run = 'move-node-to-workspace 6Chat'
 
-[[on-window-detected]]
-if.app-id = 'com.tencent.QQMusicMac'
-run = 'move-node-to-workspace 7Music'
-
-[[on-window-detected]]
-if.app-id = 'com.netease.163music'
-run = 'move-node-to-workspace 7Music'
-
 [[on-window-detected]]
 if.app-id = 'com.apple.mail'
-run = 'move-node-to-workspace 8Mail'
+run = 'move-node-to-workspace 7Work'
 
 # calendar
 [[on-window-detected]]
 if.app-id = 'com.apple.iCal'
-run = 'move-node-to-workspace 8Mail'
+run = 'move-node-to-workspace 7Work'
+
+[[on-window-detected]]
+if.app-id = 'com.tencent.QQMusicMac'
+run = 'move-node-to-workspace 8Music'
+
+[[on-window-detected]]
+if.app-id = 'com.netease.163music'
+run = 'move-node-to-workspace 8Music'
 
 [[on-window-detected]]
 if.app-id = 'com.apple.finder'
@@ -296,6 +296,11 @@ run = ['layout floating', 'move-node-to-workspace 0Other']
 if.app-id = 'ai.elementlabs.lmstudio'
 run = ['layout floating', 'move-node-to-workspace 0Other']
 
+# Clash Verge - has problem with floating
+[[on-window-detected]]
+if.app-id = 'io.github.clash-verge-rev.clash-verge-rev'
+run = ['move-node-to-workspace 0Other']
+
 [[on-window-detected]]
 if.app-id = 'us.zoom.xos'
 run = 'move-node-to-workspace 0Other'
@@ -310,11 +315,6 @@ run = ['layout floating']
 if.app-id = 'com.apple.systempreferences'
 run = ['layout floating']
 
-# Clash Verge - has problem with floating
-[[on-window-detected]]
-if.app-id = 'io.github.clash-verge-rev.clash-verge-rev'
-run = ['move-node-to-workspace 0Other']
-
 # Make all windows float by default
 [[on-window-detected]]
 check-further-callbacks = true
@@ -331,7 +331,7 @@ run = ['layout floating']
 4Firefox = ['main']
 5Chrome = ['main']
 6Chat = ['built-in']
-7Music = ['built-in']
-8Mail = ['main']
+7Work = ['main']
+8Music = ['built-in']
 9File = ['main']
 0Other = ['main']

home/darwin/terminal.nix

@@ -0,0 +1,9 @@
+{ lib, ... }:
+let
+  fontSize = 15;
+in
+{
+  programs.alacritty.settings.font.size = lib.mkForce fontSize;
+  programs.ghostty.settings.font-size = lib.mkForce fontSize;
+  programs.kitty.font.size = lib.mkForce fontSize;
+}

home/linux/README.md

@@ -1,10 +1,32 @@
 # Home Manager's Linux Submodules
 
-1. `base`: The base module that is suitable for any NixOS environment.
-2. `desktop`: Configuration for desktop environments, such as Hyprland, I3, etc.
-3. `server.nix`: Configuration which is suitable for both servers and desktops. It import only
-   `base` as its submodule.
-   1. used by all my nixos servers.
-4. `desktop.nix`: the entrypoint of desktop's configuration, it import both `base` and `desktop` as
-   its submodules.
-   1. used by all my nixos desktops.
+This directory contains Linux-specific Home Manager configurations organized for different use
+cases.
+
+## Configuration Modules
+
+### Core Configurations
+
+- **core.nix**: Essential Linux-specific configurations and settings
+- **base/**: Base Linux configurations including shell, tools, and utilities
+  - `shell.nix`: Shell configurations and aliases
+  - `tools.nix`: Essential command-line tools and utilities
+
+### Desktop Configurations
+
+- **gui/**: Desktop environment configurations
+  - **niri/**: Niri compositor configuration
+  - **base/**: Common desktop applications and services
+  - **editors/**: Text editor configurations for desktop environments
+
+### Available Entry Points
+
+- **core.nix**: Core Linux configuration, suitable for basic setups
+- **tui.nix**: Terminal-based interface configuration for lightweight environments
+- **gui.nix**: Graphical user interface configuration entry point, imports desktop environments
+
+## Usage
+
+- **Lightweight/Terminal**: Use `core.nix` or `tui.nix` for terminal-focused setups
+- **Desktops**: Use `gui.nix` for full desktop environments with Noctalia Shell and Niri compositor
+- **Custom**: Mix and match configurations as needed for your specific use case

home/linux/gui/README.md

@@ -1,17 +1,46 @@
-# Desktop Related
+# Desktop Environment Configurations
 
-3. `base`: all common configurations for all desktops.
-4. `hyprland`: Hyprland's configuration.
+This directory contains desktop environment and window manager configurations managed by Home
+Manager.
 
-## Why install I3/Hyprland in Home Manager instead of a NixOS Module?
+## Available Configurations
 
-1. I3 & Hyprland's configuration file is located in `~/.config`, which can be easily managed by Home
-   Manager.
-2. I have many user-specific systemd services, such gammastep, wallpaper-switcher, etc. Which can be
-   easily managed by Home Manager, but if we add i3/hyprland in a NixOS Module, those user-level
-   services may failed to start automatically. With i3/hyprland in a Home Manager Module, we can
-   control their systemd service's dependent order more easily, so we can avoid issues like this.
-3. By install packages as less as possible in NixOS Module, we can:
-   1. Make the NixOS system more secure and stable.
-   2. Make this flake more portable to other non-NixOS systems, as home-manager can be installed on
-      any Linux system.
+### Window Managers
+
+- **niri**: Niri compositor configuration with custom settings, keybindings, spawn-at-startup rules,
+  and window rules
+
+### Base Desktop Environment
+
+- **base**: Common desktop configurations shared across all environments, including:
+  - **Noctalia Shell**: All-in-one Wayland desktop shell (replaces gammastep, swaylock, anyrun,
+    mako, waybar, wallpaper-switcher, wlogout, and other desktop tools)
+  - Creative tools and media applications
+  - Development tools
+  - Fcitx5 input method framework
+  - Games and gaming utilities
+  - GTK theme configurations
+  - Immutable file handling
+  - Note-taking applications
+  - Wayland applications
+  - XDG desktop configurations
+
+### Editor Configurations
+
+- **editors**: Text editor configurations and integrations
+
+## Why install Desktop Environments in Home Manager instead of NixOS Module?
+
+1. **Configuration Location**: Desktop environment configuration files are located in `~/.config`,
+   which can be easily managed by Home Manager.
+
+2. **User-specific Services**: User-specific systemd services (noctalia-shell, fcitx5, hypridle,
+   etc.) can be easily managed by Home Manager. If desktop environments were configured via NixOS
+   Module, these user-level services might fail to start automatically. With Home Manager modules,
+   we can control systemd service dependency order more effectively.
+
+3. **System Benefits**: By minimizing package installation through NixOS Module:
+   - Makes the NixOS system more secure and stable
+   - Increases portability to non-NixOS systems, as Home Manager can be installed on any Linux
+     system
+   - Allows for easier switching between different window managers without system-level changes

home/linux/gui/base/README.md

@@ -0,0 +1,84 @@
+# Base Desktop Environment Configuration
+
+This directory contains base configurations for Linux desktop environments, providing essential
+components for a complete Wayland desktop experience.
+
+## Overview
+
+The configuration is organized into modular components that can be selectively enabled:
+
+- **Desktop Shell**: Noctalia Shell for unified desktop environment
+- **Applications**: Desktop tools, browsers, editors, media players, etc.
+- **Development Tools**: IDEs and development utilities
+- **System Integration**: Input methods, theming, XDG specifications, GPU settings
+
+## Noctalia Shell
+
+**Noctalia Shell** is an all-in-one Wayland desktop shell that replaces multiple separate tools with
+a single, unified solution. It provides:
+
+- **Unified Configuration**: All components configured in a single `settings.json` file
+- **Consistent Experience**: Cohesive visual design and interaction patterns
+- **Reduced Complexity**: No need to maintain multiple separate config files
+
+### Component Replacement
+
+Noctalia Shell consolidates functionality that previously required multiple tools:
+
+| Traditional Component  | Purpose              | Noctalia Replacement           |
+| ---------------------- | -------------------- | ------------------------------ |
+| **gammastep**          | Blue light filter    | `nightLight` configuration     |
+| **swaylock**           | Screen locker        | Built-in lock screen           |
+| **anyrun**             | Application launcher | `appLauncher`                  |
+| **mako**               | Notification daemon  | `notifications`                |
+| **waybar**             | Status bar           | `bar` (with widgets)           |
+| **wallpaper-switcher** | Wallpaper management | `wallpaper` (with transitions) |
+| **wlogout**            | Session menu         | `sessionMenu`                  |
+| **wl-clipboard**       | Clipboard management | Built-in clipboard manager     |
+
+## Configuration Modules
+
+### Desktop Shell
+
+- **[`noctalia/default.nix`](./noctalia/default.nix)**: Package installation and systemd service
+- **[`noctalia/settings.json`](./noctalia/settings.json)**: Main configuration with all settings
+
+  Key features: bar, control center, night light, wallpaper, session menu, system monitor,
+  audio/volume, brightness, screen recorder, calendar, color schemes, dock, notifications, OSD, and
+  more.
+
+- **[`hypridle/`](./hypridle/)**: Idle management
+
+### Desktop Environment
+
+- **[`gtk.nix`](./gtk.nix)**: GTK theme configuration
+- **[`xdg.nix`](./xdg.nix)**: XDG specifications
+- **[`nvidia.nix`](./nvidia.nix)**: NVIDIA GPU settings
+
+### Input & Localization
+
+- **[`fcitx5/`](./fcitx5/)**: Fcitx5 input method with Mozc (Japanese input)
+
+### Applications
+
+- **[`desktop-tools.nix`](./desktop-tools.nix)**: Daily GUI apps (foliate, remmina, messaging)
+- **[`browsers.nix`](./browsers.nix)**: Web browsers
+- **[`editors.nix`](./editors.nix)**: Desktop text editors
+- **[`media.nix`](./media.nix)**: Media players
+- **[`gaming.nix`](./gaming.nix)**: Gaming applications
+- **[`creative.nix`](./creative.nix)**: Creative software
+- **[`note-taking.nix`](./note-taking.nix)**: Note-taking apps
+
+### Development
+
+- **[`dev-tools.nix`](./dev-tools.nix)**: Development tools and IDEs
+
+### System Utilities
+
+- **[`misc.nix`](./misc.nix)**: Wayland tools (screenshots, screen recording, color picker, audio)
+- **[`immutable-file.nix`](./immutable-file.nix)**: Immutable file handling
+
+## Related Documentation
+
+- Noctalia Shell: https://docs.noctalia.dev/docs
+- Parent: [`../README.md`](../README.md)

home/linux/gui/base/browsers.nix

@@ -0,0 +1,15 @@
+{
+  pkgs,
+  ...
+}:
+{
+  home.packages = with pkgs; [
+    nixpaks.firefox
+  ];
+
+  # source code: https://github.com/nix-community/home-manager/blob/master/modules/programs/chromium.nix
+  programs.google-chrome = {
+    enable = true;
+    package = if pkgs.stdenv.isAarch64 then pkgs.chromium else pkgs.google-chrome;
+  };
+}

home/linux/gui/base/creative.nix

@@ -1,9 +1,6 @@
 {
   lib,
   pkgs,
-  pkgs-unstable,
-  # pkgs-stable,
-  nur-ryan4yin,
   blender-bin,
   ...
 }:
@@ -23,56 +20,52 @@
       # aseprite # Animated sprite editor & pixel art tool
 
       # this app consumes a lot of storage, so do not install it currently
-      # kicad     # 3d printing, eletrical engineering
+      # kicad     # 3d printing, electrical engineering
     ]
     ++ (lib.optionals pkgs.stdenv.isx86_64 [
       # https://github.com/edolstra/nix-warez/blob/master/blender/flake.nix
-      blender-bin.packages.${pkgs.system}.blender_4_2 # 3d modeling
+      blender-bin.packages.${pkgs.stdenv.hostPlatform.system}.blender_4_2 # 3d modeling
 
       ldtk # A modern, versatile 2D level editor
 
       # fpga
-      python313Packages.apycula # gowin fpga
-      yosys # fpga synthesis
-      nextpnr # fpga place and route
-      openfpgaloader # fpga programming
-      # nur-ryan4yin.packages.${pkgs.system}.gowin-eda-edu-ide # app: `gowin-env` => `gw_ide` / `gw_pack` / ...
+      # python313Packages.apycula # gowin fpga
+      # yosys # fpga synthesis
+      # nextpnr # fpga place and route
+      # openfpgaloader # fpga programming
+      # nur-ryan4yin.packages.${pkgs.stdenv.hostPlatform.system}.gowin-eda-edu-ide # app: `gowin-env` => `gw_ide` / `gw_pack` / ...
     ]);
 
   programs = {
     # live streaming
     obs-studio = {
       enable = pkgs.stdenv.isx86_64;
-      plugins =
-        with pkgs.obs-studio-plugins;
-        [
-          # screen capture
-          wlrobs
-          # obs-ndi
-          # obs-nvfbc
-          obs-teleport
-          # obs-hyperion
-          droidcam-obs
-          obs-vkcapture
-          obs-gstreamer
-          input-overlay
-          obs-multi-rtmp
-          obs-source-clone
-          obs-shaderfilter
-          obs-source-record
-          obs-livesplit-one
-          looking-glass-obs
-          obs-vintage-filter
-          obs-command-source
-          obs-move-transition
-          obs-backgroundremoval
-          # advanced-scene-switcher
-          obs-pipewire-audio-capture
-        ]
-        ++ (lib.optionals pkgs.stdenv.isx86_64 [
-          obs-vaapi
-          obs-3d-effect
-        ]);
+      plugins = with pkgs.obs-studio-plugins; [
+        # screen capture
+        wlrobs
+        # obs-ndi
+        # obs-nvfbc
+        obs-teleport
+        # obs-hyperion
+        droidcam-obs
+        obs-vkcapture
+        obs-gstreamer
+        input-overlay
+        obs-multi-rtmp
+        obs-source-clone
+        obs-shaderfilter
+        obs-source-record
+        obs-livesplit-one
+        looking-glass-obs
+        obs-vintage-filter
+        obs-command-source
+        obs-move-transition
+        obs-backgroundremoval
+        # advanced-scene-switcher
+        obs-pipewire-audio-capture
+        obs-vaapi
+        obs-3d-effect
+      ];
     };
   };
 }

home/linux/gui/base/desktop-tools.nix

@@ -1,14 +1,5 @@
+{ mylib, pkgs, ... }:
 {
-  config,
-  pkgs,
-  ...
-}:
-{
-  imports = [
-    ./anyrun.nix
-    ./nvidia.nix
-  ];
-
   # wayland related
   home.sessionVariables = {
     "NIXOS_OZONE_WL" = "1"; # for any ozone-based browser & electron apps to run on wayland
@@ -30,44 +21,18 @@
     wl-clipboard # copying and pasting
     hyprpicker # color picker
     brightnessctl
-    hyprshot # screen shot
-    wf-recorder # screen recording
     # audio
     alsa-utils # provides amixer/alsamixer/...
     networkmanagerapplet # provide GUI app: nm-connection-editor
+    # screenshot/screencast
+    flameshot
+    hyprshot # screen shot
+    wf-recorder # screen recording
   ];
 
-  xdg.configFile =
-    let
-      mkSymlink = config.lib.file.mkOutOfStoreSymlink;
-      confPath = "${config.home.homeDirectory}/nix-config/home/linux/gui/base/desktop/conf";
-    in
-    {
-      "mako".source = mkSymlink "${confPath}/mako";
-      "waybar".source = mkSymlink "${confPath}/waybar";
-      "wlogout".source = mkSymlink "${confPath}/wlogout";
-      "hypr/hypridle.conf".source = mkSymlink "${confPath}/hypridle.conf";
-    };
-
-  # status bar
-  programs.waybar = {
-    enable = true;
-    systemd.enable = true;
-  };
-  # Disable catppuccin to avoid conflict with my non-nix config.
-  catppuccin.waybar.enable = false;
-
   # screen locker
   programs.swaylock.enable = true;
 
   # Logout Menu
   programs.wlogout.enable = true;
-  catppuccin.wlogout.enable = false;
-
-  # Hyprland idle daemon
-  services.hypridle.enable = true;
-
-  # notification daemon, the same as dunst
-  services.mako.enable = true;
-  catppuccin.mako.enable = false;
 }

home/linux/gui/base/desktop/anyrun.nix

@@ -1,85 +0,0 @@
-{
-  pkgs,
-  anyrun,
-  ...
-}:
-{
-  programs.anyrun = {
-    enable = true;
-    config = {
-      plugins = with anyrun.packages.${pkgs.system}; [
-        applications
-        randr
-        rink
-        shell
-        symbols
-        translate
-      ];
-
-      width.fraction = 0.3;
-      y.absolute = 15;
-      hidePluginInfo = true;
-      closeOnClick = true;
-    };
-
-    # custom css for anyrun, based on catppuccin-mocha
-    extraCss = ''
-      @define-color bg-col  rgba(30, 30, 46, 0.7);
-      @define-color bg-col-light rgba(150, 220, 235, 0.7);
-      @define-color border-col rgba(30, 30, 46, 0.7);
-      @define-color selected-col rgba(150, 205, 251, 0.7);
-      @define-color fg-col #D9E0EE;
-      @define-color fg-col2 #F28FAD;
-
-      * {
-        transition: 200ms ease;
-        font-family: "Maple Mono NF CN";
-        font-size: 1.3rem;
-      }
-
-      #window {
-        background: transparent;
-      }
-
-      #plugin,
-      #main {
-        border: 3px solid @border-col;
-        color: @fg-col;
-        background-color: @bg-col;
-      }
-      /* anyrun's input window - Text */
-      #entry {
-        color: @fg-col;
-        background-color: @bg-col;
-      }
-
-      /* anyrun's output matches entries - Base */
-      #match {
-        color: @fg-col;
-        background: @bg-col;
-      }
-
-      /* anyrun's selected entry - Red */
-      #match:selected {
-        color: @fg-col2;
-        background: @selected-col;
-      }
-
-      #match {
-        padding: 3px;
-        border-radius: 16px;
-      }
-
-      #entry, #plugin:hover {
-        border-radius: 16px;
-      }
-
-      box#main {
-        background: rgba(30, 30, 46, 0.7);
-        border: 1px solid @border-col;
-        border-radius: 15px;
-        padding: 5px;
-      }
-    '';
-  };
-}

home/linux/gui/base/desktop/conf/mako/config

@@ -1,51 +0,0 @@
-## Mako configuration file
-
-# GLOBAL CONFIGURATION OPTIONS
-max-history=100
-sort=-time
-
-# BINDING OPTIONS
-on-button-left=dismiss
-on-button-middle=none
-on-button-right=dismiss-all
-on-touch=dismiss
-on-notify=exec mpv /usr/share/sounds/freedesktop/stereo/message.oga
-
-# STYLE OPTIONS
-font=Maple Mono NF CN
-width=300
-height=100
-margin=10
-padding=15
-border-size=2
-border-radius=0
-icons=1
-max-icon-size=48
-icon-location=left
-markup=1
-actions=1
-history=1
-text-alignment=left
-default-timeout=5000
-ignore-timeout=0
-max-visible=5
-layer=overlay
-anchor=top-right
-
-background-color=#1e1e2e
-text-color=#d9e0ee
-border-color=#313244
-progress-color=over #89b4fa
-
-[urgency=low]
-border-color=#313244
-default-timeout=2000
-
-[urgency=normal]
-border-color=#313244
-default-timeout=5000
-
-[urgency=high]
-border-color=#f38ba8
-text-color=#f38ba8
-default-timeout=0

home/linux/gui/base/desktop/conf/waybar/config.jsonc

@@ -1,156 +0,0 @@
-{
-  "position": "top",
-  "layer": "top",
-
-  "modules-left": ["custom/launcher", "temperature", "backlight", "hyprland/workspaces"],
-  "modules-center": ["custom/playerctl"],
-  "modules-right": [
-    "pulseaudio",
-    "memory",
-    "cpu",
-    "network",
-    "battery",
-    "clock",
-    "idle_inhibitor",
-    "custom/powermenu",
-    "tray",
-  ],
-  "hyprland/workspaces": {
-    "format": "{icon}",
-    "on-click": "activate",
-    "format-icons": {
-      "1": "",
-      "2": "",
-      "3": "",
-      "4": "",
-      "5": "",
-      "6": "",
-      "7": "",
-      "8": "",
-      "9": "",
-      "10": "〇",
-      "focused": "",
-      "default": "",
-    },
-  },
-
-  "clock": {
-    "interval": 60,
-    "align": 0,
-    "rotate": 0,
-    "tooltip-format": "<big>{:%B %Y}</big>\n<tt><small>{calendar}</small></tt>",
-    "format": " {:%H:%M}",
-    "format-alt": " {:%a %b %d, %G}",
-  },
-  "cpu": {
-    "format": "CPU {usage}%",
-    "interval": 1,
-    "on-click-middle": "foot btop",
-    "on-click-right": "foot btop",
-  },
-  "memory": {
-    "format": "MEM {percentage}%",
-    "interval": 1,
-    "states": {
-      "warning": 85,
-    },
-  },
-  "custom/launcher": {
-    "format": "\uf313 ",
-    "on-click": "anyrun",
-    "on-click-middle": "exec default_wall",
-    "on-click-right": "exec wallpaper_random",
-    "tooltip": false,
-  },
-  "custom/powermenu": {
-    "format": "\uf011",
-    "on-click": "wlogout",
-    "tooltip": false,
-  },
-  "idle_inhibitor": {
-    "format": "{icon}",
-    "format-icons": {
-      "activated": "\uf06e",
-      "deactivated": "\uf070",
-    },
-    "tooltip": false,
-  },
-  "custom/playerctl": {
-    "format": "{icon}  <span>{}</span>",
-    "return-type": "json",
-    "max-length": 55,
-    "exec": "playerctl -a metadata --format '{\"text\": \"  {{markup_escape(title)}}\", \"tooltip\": \"{{playerName}} : {{markup_escape(title)}}\", \"alt\": \"{{status}}\", \"class\": \"{{status}}\"}' -F",
-    "on-click-middle": "playerctl previous",
-    "on-click": "playerctl play-pause",
-    "on-click-right": "playerctl next",
-    "format-icons": {
-      "Paused": "<span foreground='#6dd9d9'></span>",
-      "Playing": "<span foreground='#82db97'></span>",
-    },
-  },
-  "network": {
-    "interval": 5,
-    "format": "{ifname}",
-    "format-wifi": "  {signalStrength}% Down: {bandwidthDownBytes} Up: {bandwidthUpBytes} {essid}",
-    "format-ethernet": "  {ifname} Down: {bandwidthDownBytes} Up: {bandwidthUpBytes}",
-    "format-disconnected": "Disconnected ⚠",
-    "tooltip-format": " {ifname} via {gwaddri}",
-    "tooltip-format-wifi": "  {ifname} @ {essid}\nIP: {ipaddr}\nStrength: {signalStrength}%\nFreq: {frequency}MHz\nDown: {bandwidthDownBytes} Up: {bandwidthUpBytes}",
-    "tooltip-format-ethernet": " {ifname}\nIP: {ipaddr}\n Down: {bandwidthDownBytes} Up: {bandwidthUpBytes}",
-    "tooltip-format-disconnected": "Disconnected",
-    "max-length": 50,
-    "on-click-middle": "nm-connection-editor",
-    "on-click-right": "foot nmtui",
-  },
-  "pulseaudio": {
-    //"format": "{volume}% {icon} {format_source}",
-    "format": "{icon} {volume}%",
-    "format-muted": " Mute",
-    "format-bluetooth": " {volume}% {format_source}",
-    "format-bluetooth-muted": " Mute",
-    "format-source": " {volume}%",
-    "format-source-muted": "",
-    "format-icons": {
-      "headphone": "",
-      "hands-free": "",
-      "headset": "",
-      "phone": "",
-      "portable": "",
-      "car": "",
-      "default": ["", "", ""],
-    },
-    "scroll-step": 5.0,
-    // Commands to execute on events
-    "on-click": "amixer set Master toggle",
-    "on-click-right": "GSK_RENDERER=opengl pavucontrol",
-    "smooth-scrolling-threshold": 1,
-  },
-  "temperature": {
-    "format": "\uf2c9 {temperatureC}\u00b0C",
-    "tooltip": false,
-  },
-  "backlight": {
-    "format": "{icon} {percent}%",
-    "format-icons": ["", "", "", "", "", "", "", "", ""],
-  },
-  "tray": {
-    "icon-size": 15,
-    "spacing": 5,
-  },
-  "battery": {
-    "interval": 60,
-    "states": {
-      "warning": 30,
-      "critical": 15,
-    },
-    "max-length": 20,
-    "format": "{icon} {capacity}%",
-    "format-warning": "{icon} {capacity}%",
-    "format-critical": "{icon} {capacity}%",
-    "format-charging": "<span font-family='Font Awesome 6 Free'></span> {capacity}%",
-    "format-plugged": " {capacity}%",
-    "format-alt": "{icon} {time}",
-    "format-full": " {capacity}%",
-    "format-icons": [" ", " ", " ", " ", " "],
-  },
-}

home/linux/gui/base/desktop/conf/waybar/mocha.css

@@ -1,38 +0,0 @@
-/*
-* https://github.com/catppuccin/waybar/blob/main/themes/mocha.css
-*
-* Catppuccin Mocha palette
-* Maintainer: rubyowo
-*
-*/
-
-@define-color base   #1e1e2e;
-@define-color mantle #181825;
-@define-color crust  #11111b;
-
-@define-color text     #cdd6f4;
-@define-color subtext0 #a6adc8;
-@define-color subtext1 #bac2de;
-
-@define-color surface0 #313244;
-@define-color surface1 #45475a;
-@define-color surface2 #585b70;
-
-@define-color overlay0 #6c7086;
-@define-color overlay1 #7f849c;
-@define-color overlay2 #9399b2;
-
-@define-color blue      #89b4fa;
-@define-color lavender  #b4befe;
-@define-color sapphire  #74c7ec;
-@define-color sky       #89dceb;
-@define-color teal      #94e2d5;
-@define-color green     #a6e3a1;
-@define-color yellow    #f9e2af;
-@define-color peach     #fab387;
-@define-color maroon    #eba0ac;
-@define-color red       #f38ba8;
-@define-color mauve     #cba6f7;
-@define-color pink      #f5c2e7;
-@define-color flamingo  #f2cdcd;
-@define-color rosewater #f5e0dc;

home/linux/gui/base/desktop/conf/waybar/style.css

@@ -1,151 +0,0 @@
-@import "mocha.css";
-
-* {
-  /* https://docs.gtk.org/gtk3/css-overview.html#colors */
-  color: @text;
-  font-family: "Maple Mono NF CN";
-  font-size: 12pt;
-  font-weight: bold;
-  border-radius: 8px;
-  transition-property: background-color;
-  transition-duration: 0.5s;
-}
-@keyframes blink_red {
-  to {
-    background-color: rgb(242, 143, 173);
-    color: rgb(26, 24, 38);
-  }
-}
-.warning,
-.critical,
-.urgent {
-  animation-name: blink_red;
-  animation-duration: 1s;
-  animation-timing-function: linear;
-  animation-iteration-count: infinite;
-  animation-direction: alternate;
-}
-window#waybar {
-  background-color: transparent;
-  border: 2px solid alpha(@crust, 0.3);
-}
-window > box {
-  margin-left: 5px;
-  margin-right: 5px;
-  margin-top: 5px;
-  background-color: shade(@base, 0.9);
-  padding: 3px;
-  padding-left: 8px;
-  border: 2px none #33ccff;
-}
-#workspaces {
-  padding-left: 0px;
-  padding-right: 4px;
-}
-#workspaces button {
-  padding-top: 5px;
-  padding-bottom: 5px;
-  padding-left: 6px;
-  padding-right: 6px;
-}
-#workspaces button.active {
-  background-color: rgb(181, 232, 224);
-  color: rgb(26, 24, 38);
-}
-#workspaces button.urgent {
-  color: rgb(26, 24, 38);
-}
-#workspaces button:hover {
-  background-color: rgb(248, 189, 150);
-  color: rgb(26, 24, 38);
-}
-tooltip {
-  background: rgb(48, 45, 65);
-}
-tooltip label {
-  color: rgb(217, 224, 238);
-}
-#custom-launcher {
-  font-size: 20px;
-  padding-left: 8px;
-  padding-right: 6px;
-  color: #7ebae4;
-}
-#mode,
-#clock,
-#memory,
-#temperature,
-#cpu,
-#custom-wall,
-#temperature,
-#backlight,
-#pulseaudio,
-#network,
-#battery,
-#custom-powermenu {
-  padding-left: 10px;
-  padding-right: 10px;
-}
-
-/* #mode { */
-/* 	margin-left: 10px; */
-/* 	background-color: rgb(248, 189, 150); */
-/*     color: rgb(26, 24, 38); */
-/* } */
-#memory {
-  color: rgb(181, 232, 224);
-}
-#cpu {
-  color: rgb(245, 194, 231);
-}
-#clock {
-  color: rgb(217, 224, 238);
-}
-
-#idle_inhibitor {
-  color: rgb(221, 182, 242);
-  padding-right: 8px;
-}
-#battery {
-  min-width: 55px;
-  color: rgb(126, 186, 244);
-}
-#battery.charging,
-#battery.full,
-#battery.plugged {
-  color: #26a65b;
-}
-#battery.critical:not(.charging) {
-  color: #f53c3c;
-  animation-name: blink;
-  animation-duration: 0.5s;
-  animation-timing-function: linear;
-  animation-iteration-count: infinite;
-  animation-direction: alternate;
-}
-#custom-wall {
-  color: #33ccff;
-}
-#temperature {
-  color: rgb(150, 205, 251);
-}
-#backlight {
-  color: rgb(248, 189, 150);
-}
-#pulseaudio {
-  color: rgb(245, 224, 220);
-}
-#network {
-  color: #abe9b3;
-}
-#network.disconnected {
-  color: rgb(255, 255, 255);
-}
-#custom-powermenu {
-  color: rgb(242, 143, 173);
-  padding-right: 8px;
-}
-#tray {
-  padding-right: 8px;
-  padding-left: 10px;
-}

home/linux/gui/base/desktop/conf/wlogout/layout

@@ -1,36 +0,0 @@
-{
-    "label" : "lock",
-    "action" : "~/.config/hypr/scripts/lockscreen",
-    "text" : "Lock",
-    "keybind" : "l"
-}
-{
-    "label" : "hibernate",
-    "action" : "systemctl hibernate",
-    "text" : "Hibernate",
-    "keybind" : "h"
-}
-{
-    "label" : "logout",
-    "action" : "loginctl terminate-user $USER",
-    "text" : "Logout",
-    "keybind" : "e"
-}
-{
-    "label" : "shutdown",
-    "action" : "systemctl poweroff",
-    "text" : "Shutdown",
-    "keybind" : "s"
-}
-{
-    "label" : "suspend",
-    "action" : "systemctl suspend",
-    "text" : "Suspend",
-    "keybind" : "u"
-}
-{
-    "label" : "reboot",
-    "action" : "systemctl reboot",
-    "text" : "Reboot",
-    "keybind" : "r"
-}

home/linux/gui/base/desktop/conf/wlogout/style.css

@@ -1,57 +0,0 @@
-/** ********** Fonts ********** **/
-* {
-  font-family: "Maple Mono NF CN", sans-serif;
-  font-size: 14px;
-  font-weight: bold;
-}
-
-/** ********** Main Window ********** **/
-window {
-  background-color: #1e1e2e;
-}
-
-/** ********** Buttons ********** **/
-button {
-  background-color: #242434;
-  color: #ffffff;
-  border: 2px solid #282838;
-  border-radius: 20px;
-  background-repeat: no-repeat;
-  background-position: center;
-  background-size: 35%;
-}
-
-button:focus,
-button:active,
-button:hover {
-  background-color: #89b4fa;
-  outline-style: none;
-}
-
-/** ********** Icons ********** **/
-#lock {
-  background-image: image(url("icons/lock.png"), url("/usr/share/wlogout/icons/lock.png"));
-}
-
-#logout {
-  background-image: image(url("icons/logout.png"), url("/usr/share/wlogout/icons/logout.png"));
-}
-
-#suspend {
-  background-image: image(url("icons/suspend.png"), url("/usr/share/wlogout/icons/suspend.png"));
-}
-
-#hibernate {
-  background-image: image(
-    url("icons/hibernate.png"),
-    url("/usr/share/wlogout/icons/hibernate.png")
-  );
-}
-
-#shutdown {
-  background-image: image(url("icons/shutdown.png"), url("/usr/share/wlogout/icons/shutdown.png"));
-}
-
-#reboot {
-  background-image: image(url("icons/reboot.png"), url("/usr/share/wlogout/icons/reboot.png"));
-}

home/linux/gui/base/editors.nix

@@ -0,0 +1,60 @@
+{
+  lib,
+  pkgs,
+  pkgs-master,
+  ...
+}:
+
+let
+  vscodeCliArgs = [
+    # https://code.visualstudio.com/docs/configure/settings-sync#_recommended-configure-the-keyring-to-use-with-vs-code
+    # For use with any package that implements the Secret Service API
+    # (for example gnome-keyring, kwallet5, KeepassXC)
+    "--password-store=gnome-libsecret"
+  ];
+
+  code-cursor = pkgs-master.code-cursor;
+  # (pkgs-master.code-cursor.override {
+  #   commandLineArgs = lib.concatStringsSep " " vscodeCliArgs;
+  # }).overrideAttrs
+  #   (oldAttrs: rec {
+  #     pname = "cursor";
+  #     version = "2.1.36";
+  #     src =
+  #       with pkgs-master;
+  #       appimageTools.extract {
+  #         inherit pname version;
+  #         src =
+  #           let
+  #             sources = {
+  #               x86_64-linux = fetchurl {
+  #                 # curl -s https://api2.cursor.sh/updates/api/download/stable/linux-x64/cursor | jq
+  #                 url = "https://downloads.cursor.com/production/9cd7c8b6cebcbccc1242df211dee45a4b6fe15e4/linux/x64/Cursor-2.1.36-x86_64.AppImage";
+  #                 hash = "sha256-aaprRB2BAaUCHj7m5aGacCBHisjN2pVZ+Ca3u1ifxBA=";
+  #               };
+  #               aarch64-linux = fetchurl {
+  #                 # curl -s https://api2.cursor.sh/updates/api/download/stable/linux-arm64/cursor | jq
+  #                 url = "https://downloads.cursor.com/production/9cd7c8b6cebcbccc1242df211dee45a4b6fe15e4/linux/arm64/Cursor-2.1.36-aarch64.AppImage";
+  #                 hash = "sha256-S2vFYBI6m0zjBJEDbk7gc6/zFiKWyhM73OUm1xsNx6Q=";
+  #               };
+  #             };
+  #           in
+  #           sources.${stdenv.hostPlatform.system};
+  #       };
+  #     sourceRoot = "${pname}-${version}-extracted/usr/share/cursor";
+  #   });
+in
+{
+  home.packages = [
+    pkgs.zed-editor
+    pkgs-master.code-cursor
+    pkgs-master.antigravity-fhs
+  ];
+
+  programs.vscode = {
+    enable = true;
+    package = pkgs-master.vscode.override {
+      commandLineArgs = vscodeCliArgs;
+    };
+  };
+}

home/linux/gui/base/eye-protection.nix

@@ -1,49 +0,0 @@
-{
-  pkgs,
-  lib,
-  ...
-}:
-{
-  # Adjust the color temperature(& brightness) of your screen according to
-  # your surroundings. This may help your eyes hurt less if you are
-  # working in front of the screen at night.
-  #
-  # works fine with both x11 & wayland(hyprland)
-  #
-  # https://gitlab.com/chinstrap/gammastep
-  services.gammastep = {
-    enable = true;
-    # add a gammastep icon in the system tray
-    # has problem with wayland, so disable it
-    tray = false;
-    temperature = {
-      day = 6000;
-      night = 4500;
-    };
-    # https://gitlab.com/chinstrap/gammastep/-/blob/master/gammastep.conf.sample?ref_type=heads
-    settings = {
-      general = {
-        fade = "1"; # gradually apply the new screen temperature/brightness over a couple of seconds.
-
-        # it is a fake brightness adjustment obtained by manipulating the gamma ramps,
-        # which means that it does not reduce the backlight　of the screen.
-        # Preferably only use it if your normal backlight adjustment is too coarse-grained.
-        #
-        # brightness-day = "1.3";
-        # brightness-night = "1";
-
-        location-provider = "manual";
-
-        # by default, Redshift will use the current elevation of the sun
-        # to determine whether it is daytime, night or in transition (dawn/dusk).
-        # dawn-time = "6:00-8:45";
-        # dusk-time = "18:35-20:15";
-      };
-      manual = {
-        # China, Shenzhen
-        lat = "22.5"; # latitude
-        lon = "114.1"; # longitude
-      };
-    };
-  };
-}

home/linux/gui/base/fcitx5/README.md

@@ -0,0 +1,8 @@
+# fcitx5 - IME
+
+## Available Configurations
+
+- `profile` → Symlink will be created at: `~/.config/fcitx5/profile`
+- `config1.db` (Mozc config) → Symlink will be created at: `~/.config/mozc/config1.db`
+  - Main changes from the defaults: use half-width for all alphabets, numbers, and punctuation.
+  - https://github.com/google/mozc/blob/2.30.5544.102/docs/configurations.md

home/linux/gui/base/fcitx5/default.nix

@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
 {
   xdg.configFile = {
     "fcitx5/profile" = {
@@ -7,6 +7,8 @@
       # so we need to force replace it in every rebuild to avoid file conflict.
       force = true;
     };
+    "mozc/config1.db".source =
+      config.lib.file.mkOutOfStoreSymlink "${config.home.homeDirectory}/nix-config/home/linux/gui/base/fcitx5/mozc-config1.db";
   };
 
   i18n.inputMethod = {
@@ -14,13 +16,20 @@
     type = "fcitx5";
     fcitx5.waylandFrontend = true;
     fcitx5.addons = with pkgs; [
-      # for flypy chinese input method
-      fcitx5-rime
-      # needed enable rime using configtool after installed
-      fcitx5-configtool
-      fcitx5-chinese-addons
-      # fcitx5-mozc    # japanese input method
+      qt6Packages.fcitx5-configtool # GUI for fcitx5
       fcitx5-gtk # gtk im module
+
+      # Chinese
+      fcitx5-rime # for flypy chinese input method
+      # fcitx5-chinese-addons # we use rime instead
+
+      # Japanese
+      # ctrl-i / F7 - convert to takakana
+      # ctrl-u / F6 - convert to hiragana
+      fcitx5-mozc-ut # Moze with UT dictionary
+
+      # Korean
+      fcitx5-hangul
     ];
   };
 }

home/linux/gui/base/fcitx5/profile

@@ -1,10 +1,10 @@
 [Groups/0]
 # Group Name
-Name=Default
+Name=Intl
 # Layout
 Default Layout=us
 # Default Input Method
-DefaultIM=rime
+DefaultIM=keyboard-us-altgr-intl
 
 [Groups/0/Items/0]
 # Name
@@ -14,10 +14,49 @@ Layout=
 
 [Groups/0/Items/1]
 # Name
+Name=keyboard-us-intl
+# Layout
+Layout=
+
+[Groups/0/Items/2]
+# Name
+Name=keyboard-us-altgr-intl
+# Layout
+Layout=
+
+[Groups/1]
+# Group Name
+Name=Default
+# Layout
+Default Layout=us
+# Default Input Method
+DefaultIM=rime
+
+[Groups/1/Items/0]
+# Name
+Name=keyboard-us
+# Layout
+Layout=
+
+[Groups/1/Items/1]
+# Name
 Name=rime
 # Layout
 Layout=
 
+[Groups/1/Items/2]
+# Name
+Name=mozc
+# Layout
+Layout=
+
+[Groups/1/Items/3]
+# Name
+Name=hangul
+# Layout
+Layout=
+
 [GroupOrder]
 0=Default
+1=Intl
 

home/linux/gui/base/games.nix

@@ -1,13 +0,0 @@
-{
-  pkgs,
-  nix-gaming,
-  ...
-}:
-{
-  home.packages = with pkgs; [
-    # nix-gaming.packages.${pkgs.system}.osu-laser-bin
-    gamescope # SteamOS session compositing window manager
-    prismlauncher # A free, open source launcher for Minecraft
-    winetricks # A script to install DLLs needed to work around problems in Wine
-  ];
-}

home/linux/gui/base/gaming.nix

@@ -0,0 +1,76 @@
+{
+  pkgs,
+  pkgs-x64,
+  osConfig,
+  config,
+  lib,
+  ...
+}:
+with lib;
+let
+  cfg = config.modules.desktop.gaming;
+in
+{
+  options.modules.desktop = {
+    gaming = {
+      enable = mkEnableOption "Install Game Suite(steam, lutris, etc)";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # ==========================================================================
+    # Other Optimizations
+    # Usage:
+    #  Lutris - enable advanced options, go to the System options -> Command prefix, add: `mangohud`
+    #  Steam  - add this as a launch option: `mangohud %command%` / `gamemoderun %command%`
+    # ==========================================================================
+
+    home.packages =
+      (with pkgs; [
+        # https://github.com/flightlessmango/MangoHud
+        # a simple overlay program for monitoring FPS, temperature, CPU and GPU load, and more.
+        mangohud
+
+        # GUI for installing custom Proton versions like GE_Proton
+        # proton - a Wine distribution aimed at gaming
+        protonplus
+        # Script to install various redistributable runtime libraries in Wine.
+        winetricks
+        # https://github.com/Open-Wine-Components/umu-launcher
+        # a unified launcher for Windows games on Linux
+        umu-launcher
+
+        # Sed-like editor for binary files
+        # required by some games to fix problems
+        bbe
+      ])
+      ++ (with pkgs-x64; [
+        # a game launcher - great for epic games and gog games
+        (heroic.override {
+          extraPkgs = _pkgs: [
+            pkgs.gamescope # aarch64
+          ];
+        })
+      ]);
+
+    # a GUI game launcher for Steam/GoG/Epic
+    # https://lutris.net/games?ordering=-popularity
+    programs.lutris = {
+      enable = true;
+      defaultWinePackage = pkgs-x64.proton-ge-bin;
+      steamPackage = osConfig.programs.steam.package;
+      protonPackages = [ pkgs-x64.proton-ge-bin ];
+      winePackages = with pkgs-x64; [
+        wineWow64Packages.full
+        wineWowPackages.stagingFull
+      ];
+      extraPackages = with pkgs; [
+        winetricks
+        gamescope
+        gamemode
+        mangohud
+        umu-launcher
+      ];
+    };
+  };
+}

home/linux/gui/base/hypridle/default.nix

@@ -0,0 +1,9 @@
+{
+  ...
+}:
+{
+  xdg.configFile."hypr/hypridle.conf".source = ./hypridle.conf;
+
+  # Hyprland idle daemon
+  services.hypridle.enable = true;
+}

home/linux/gui/base/hypridle/hypridle.conf

@@ -1,7 +1,7 @@
 general {
-    lock_cmd = pidof swaylock || swaylock              # avoid starting multiple instances
+    lock_cmd = noctalia-shell ipc call lockScreen lock              # avoid starting multiple instances
     before_sleep_cmd = loginctl lock-session          # lock before suspend
-    after_sleep_cmd = hyprctl dispatch dpms on        # resume dpms after suspend
+    # after_sleep_cmd = hyprctl dispatch dpms on        # resume dpms after suspend
     ignore_dbus_inhibit = false                       # whether to ignore dbus-sent idle-inhibit requests
 }
 
@@ -20,16 +20,14 @@ listener {
 # }
 
 listener {
-    timeout = 1600                                     # 20 minutes
-    on-timeout = pidof swaylock || swaylock           # lock screen
-    on-resume = hyprctl dispatch dpms on              # monitor wake up
+    timeout = 1200                                     # 20 minutes
+    on-timeout = noctalia-shell ipc call lockScreen lock           # lock screen
 }
 
-listener {
-    timeout = 1660                                             # 31 minutes
-    on-timeout = hyprctl dispatch dpms off                     # screen off
-    on-resume = hyprctl dispatch dpms on && brightnessctl -r   # monitor wake up & screen on
-}
+# listener {
+#     timeout = 1660                                             # 31 minutes
+#     on-resume = brightnessctl -r   # monitor wake up & screen on
+# }
 
 # listener {
 #     timeout = 1800                                # 30min