Merge pull request #195 from ryan4yin/apple-silicon

feat: remove x86_64-darwin, add new nixos host on macbook pro m2
2026-04-25 02:08:29 +02:00 · 2025-07-13 10:53:43 +08:00
parent 77a792710a bccf7db486
commit 20685f8927
60 changed files with 565 additions and 518 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -179,6 +179,21 @@
      }
    },
    "flake-compat_3": {
      "locked": {
        "lastModified": 1688025799,
        "narHash": "sha256-ktpB4dRtnksm9F5WawoIkEneh1nrEvuxb5lJFt1iOyw=",
        "owner": "nix-community",
        "repo": "flake-compat",
        "rev": "8bf105319d44f6b9f0d764efa4fdef9f1cc9ba1c",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "flake-compat",
        "type": "github"
      }
    },
    "flake-compat_4": {
      "flake": false,
      "locked": {
        "lastModified": 1696426674,
@@ -490,13 +505,30 @@
        "type": "github"
      }
    },
    "my-asahi-firmware": {
      "flake": false,
      "locked": {
        "lastModified": 1752336609,
        "narHash": "sha256-PeJXDQgKwmu6PEjEA+68I7nIOTTpwUUyO1b5PpQg4gc=",
        "ref": "refs/heads/main",
        "rev": "981583c8e101967ef6a66388ade54cab751f3a02",
        "shallow": true,
        "type": "git",
        "url": "ssh://git@github.com/ryan4yin/asahi-firmware.git"
      },
      "original": {
        "shallow": true,
        "type": "git",
        "url": "ssh://git@github.com/ryan4yin/asahi-firmware.git"
      }
    },
    "mysecrets": {
      "flake": false,
      "locked": {
-        "lastModified": 1749276041,
+        "lastModified": 1752342599,
-        "narHash": "sha256-K7+0mEQidqSilW9Q2vgZpEoK+a+oVlVP21aTui8GDjw=",
+        "narHash": "sha256-T447GS/UoNgqTsm286Fv3X5mpLFcx6SocoUn2OMOW08=",
        "ref": "refs/heads/main",
-        "rev": "6339faf0195d803c9ff4a2df6f6810be8101bf96",
+        "rev": "a914c8281a8ad1df332cfcaf9a1024ecb7ccd9d3",
        "shallow": true,
        "type": "git",
        "url": "ssh://git@github.com/ryan4yin/nix-secrets.git"
@@ -563,6 +595,28 @@
        "type": "github"
      }
    },
    "nixos-apple-silicon": {
      "inputs": {
        "flake-compat": "flake-compat_3",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1751622568,
        "narHash": "sha256-EE3NBsej517VRa1x+ylAghrvngftxf1KgfHlE9OYyXE=",
        "owner": "nix-community",
        "repo": "nixos-apple-silicon",
        "rev": "eba4b40c816e5aff8951ae231ac237e8aab8ec1d",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "nixos-apple-silicon",
        "rev": "eba4b40c816e5aff8951ae231ac237e8aab8ec1d",
        "type": "github"
      }
    },
    "nixos-generators": {
      "inputs": {
        "nixlib": "nixlib",
@@ -584,22 +638,6 @@
        "type": "github"
      }
    },
    "nixos-hardware": {
      "locked": {
        "lastModified": 1752048960,
        "narHash": "sha256-gATnkOe37eeVwKKYCsL+OnS2gU4MmLuZFzzWCtaKLI8=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
        "rev": "7ced9122cff2163c6a0212b8d1ec8c33a1660806",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "master",
        "repo": "nixos-hardware",
        "type": "github"
      }
    },
    "nixpak": {
      "inputs": {
        "flake-parts": "flake-parts_4",
@@ -805,7 +843,7 @@
    },
    "pre-commit-hooks": {
      "inputs": {
-        "flake-compat": "flake-compat_3",
+        "flake-compat": "flake-compat_4",
        "gitignore": "gitignore_2",
        "nixpkgs": [
          "nixpkgs"
@@ -878,11 +916,12 @@
        "haumea": "haumea",
        "home-manager": "home-manager_2",
        "lanzaboote": "lanzaboote",
        "my-asahi-firmware": "my-asahi-firmware",
        "mysecrets": "mysecrets",
        "nix-darwin": "nix-darwin",
        "nix-gaming": "nix-gaming",
        "nixos-apple-silicon": "nixos-apple-silicon",
        "nixos-generators": "nixos-generators",
        "nixos-hardware": "nixos-hardware",
        "nixpak": "nixpak",
        "nixpkgs": "nixpkgs_2",
        "nixpkgs-darwin": "nixpkgs-darwin",
--- a/flake.nix
+++ b/flake.nix
@@ -48,7 +48,6 @@
      url = "github:lnl7/nix-darwin";
      inputs.nixpkgs.follows = "nixpkgs-darwin";
    };
    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
    # home-manager, used for managing user configuration
    home-manager = {
@@ -138,6 +137,12 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nixos-apple-silicon = {
      # 2025-07-04
      url = "github:nix-community/nixos-apple-silicon/eba4b40c816e5aff8951ae231ac237e8aab8ec1d";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    ########################  Some non-flake repositories  #########################################
    polybar-themes = {
@@ -154,6 +159,11 @@
      flake = false;
    };
    my-asahi-firmware = {
      url = "git+ssh://git@github.com/ryan4yin/asahi-firmware.git?shallow=1";
      flake = false;
    };
    # my wallpapers
    wallpapers = {
      url = "github:ryan4yin/wallpapers";
--- a/hardening/bwraps/wechat.nix
+++ b/hardening/bwraps/wechat.nix
@@ -9,14 +9,30 @@
 {
  appimageTools,
  fetchurl,
  stdenvNoCC,
 }: let
  pname = "wechat";
  # https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/by-name/we/wechat/package.nix
-  version = "4.0.1.11";
+  sources = {
-  src = fetchurl {
+    aarch64-linux = {
-    url = "https://web.archive.org/web/20250512110825if_/https://dldir1v6.qq.com/weixin/Universal/Linux/WeChatLinux_x86_64.AppImage";
+      version = "4.0.1.11";
-    hash = "sha256-gBWcNQ1o1AZfNsmu1Vi1Kilqv3YbR+wqOod4XYAeVKo=";
+      src = fetchurl {
        url = "https://web.archive.org/web/20250512112413if_/https://dldir1v6.qq.com/weixin/Universal/Linux/WeChatLinux_arm64.AppImage";
        hash = "sha256-Rg+FWNgOPC02ILUskQqQmlz1qNb9AMdvLcRWv7NQhGk=";
      };
    };
    x86_64-linux = {
      version = "4.0.1.11";
      src = fetchurl {
        url = "https://web.archive.org/web/20250512110825if_/https://dldir1v6.qq.com/weixin/Universal/Linux/WeChatLinux_x86_64.AppImage";
        hash = "sha256-gBWcNQ1o1AZfNsmu1Vi1Kilqv3YbR+wqOod4XYAeVKo=";
      };
    };
  };
  inherit (stdenvNoCC.hostPlatform) system;
  inherit (sources.${system} or (throw "Unsupported system: ${system}")) version src;
  # https://github.com/NixOS/nixpkgs/blob/master/pkgs/by-name/we/wechat/linux.nix
  appimageContents = appimageTools.extract {
    inherit pname version src;
--- a/home/base/core/shells/default.nix
+++ b/home/base/core/shells/default.nix
@@ -19,7 +19,7 @@ in {
  programs.nushell = {
    enable = true;
-    package = pkgs-unstable.nushell;
+    # package = pkgs-unstable.nushell;
    configFile.source = ./config.nu;
    inherit shellAliases;
  };
--- a/home/base/gui/dev-tools.nix
+++ b/home/base/gui/dev-tools.nix
@@ -3,17 +3,20 @@
  nur-ryan4yin,
  ...
 }: {
-  home.packages = with pkgs; [
+  home.packages = with pkgs;
-    mitmproxy # http/https proxy tool
+    [
-    insomnia # REST client
+      mitmproxy # http/https proxy tool
-    wireshark # network analyzer
+      wireshark # network analyzer
-    # IDEs
+      # IDEs
-    # jetbrains.idea-community
+      # jetbrains.idea-community
-    # AI cli tools
+      # AI cli tools
-    nur-ryan4yin.packages.${pkgs.system}.gemini-cli
+      nur-ryan4yin.packages.${pkgs.system}.gemini-cli
-    k8sgpt
+      k8sgpt
-    kubectl-ai # an ai helper opensourced by google
+      kubectl-ai # an ai helper opensourced by google
-  ];
+    ]
    ++ (lib.optionals pkgs.stdenv.isx86_64 [
      insomnia # REST client
    ]);
 }
--- a/home/base/gui/terminal/alacritty/default.nix
+++ b/home/base/gui/terminal/alacritty/default.nix
@@ -26,7 +26,7 @@
 {
  programs.alacritty = {
    enable = true;
-    package = pkgs-unstable.alacritty;
+    # package = pkgs-unstable.alacritty;
    # https://alacritty.org/config-alacritty.html
    settings = {
      window = {
--- a/home/base/gui/terminal/foot.nix
+++ b/home/base/gui/terminal/foot.nix
@@ -17,7 +17,7 @@
      main = {
        term = "foot"; # or "xterm-256color" for maximum compatibility
        font = "Maple Mono NF CN:size=14";
-        dpi-aware = "yes";
+        dpi-aware = "no"; # scale via window manager instead
        # Spawn a nushell in login mode via `bash`
        shell = "${pkgs.bash}/bin/bash --login -c 'nu --login --interactive'";
--- a/home/base/tui/dev-tools.nix
+++ b/home/base/tui/dev-tools.nix
@@ -18,8 +18,8 @@
    colmena # nixos's remote deployment tool
    # db related
-    pkgs-unstable.mycli
+    mycli
-    pkgs-unstable.pgcli
+    pgcli
    mongosh
    sqlite
@@ -27,10 +27,10 @@
    minicom
    # ai related
-    pkgs-unstable.python313Packages.huggingface-hub # huggingface-cli
+    python313Packages.huggingface-hub # huggingface-cli
    # misc
-    pkgs-unstable.devbox
+    devbox
    bfg-repo-cleaner # remove large files from git history
    k6 # load testing tool
    protobuf # protocol buffer compiler
--- a/home/base/tui/encryption/default.nix
+++ b/home/base/tui/encryption/default.nix
@@ -5,7 +5,7 @@
 }: {
  home.packages = with pkgs; [
    age
-    pkgs-unstable.sops
+    sops
    rclone
  ];
 }
--- a/home/linux/gui/base/creative.nix
+++ b/home/linux/gui/base/creative.nix
@@ -1,4 +1,5 @@
 {
  lib,
  pkgs,
  pkgs-unstable,
  # pkgs-stable,
@@ -6,62 +7,69 @@
  blender-bin,
  ...
 }: {
-  home.packages = with pkgs; [
+  home.packages = with pkgs;
-    # creative
+    [
-    # https://github.com/edolstra/nix-warez/blob/master/blender/flake.nix
+      # creative
-    blender-bin.packages.${pkgs.system}.blender_4_2 # 3d modeling
+      # gimp      # image editing, I prefer using figma in browser instead of this one
-    # gimp      # image editing, I prefer using figma in browser instead of this one
+      inkscape # vector graphics
-    inkscape # vector graphics
+      krita # digital painting
-    krita # digital painting
+      musescore # music notation
-    musescore # music notation
+      # reaper # audio production
-    # reaper # audio production
+      # sonic-pi # music programming
    # sonic-pi # music programming
-    # 2d game design
+      # 2d game design
-    ldtk # A modern, versatile 2D level editor
+      # aseprite # Animated sprite editor & pixel art tool
    # aseprite # Animated sprite editor & pixel art tool
-    # this app consumes a lot of storage, so do not install it currently
+      # this app consumes a lot of storage, so do not install it currently
-    # kicad     # 3d printing, eletrical engineering
+      # kicad     # 3d printing, eletrical engineering
    ]
    ++ (lib.optionals pkgs.stdenv.isx86_64 [
      # https://github.com/edolstra/nix-warez/blob/master/blender/flake.nix
      blender-bin.packages.${pkgs.system}.blender_4_2 # 3d modeling
-    # fpga
+      ldtk # A modern, versatile 2D level editor
-    pkgs-unstable.python313Packages.apycula # gowin fpga
+
-    pkgs-unstable.yosys # fpga synthesis
+      # fpga
-    pkgs-unstable.nextpnr # fpga place and route
+      python313Packages.apycula # gowin fpga
-    pkgs-unstable.openfpgaloader # fpga programming
+      yosys # fpga synthesis
-    # nur-ryan4yin.packages.${pkgs.system}.gowin-eda-edu-ide # app: `gowin-env` => `gw_ide` / `gw_pack` / ...
+      nextpnr # fpga place and route
-  ];
+      openfpgaloader # fpga programming
      # nur-ryan4yin.packages.${pkgs.system}.gowin-eda-edu-ide # app: `gowin-env` => `gw_ide` / `gw_pack` / ...
    ]);
  programs = {
    # live streaming
    obs-studio = {
-      enable = true;
+      enable = pkgs.stdenv.isx86_64;
-      plugins = with pkgs.obs-studio-plugins; [
+      plugins = with pkgs.obs-studio-plugins;
-        # screen capture
+        [
-        wlrobs
+          # screen capture
-        # obs-ndi
+          wlrobs
-        obs-vaapi
+          # obs-ndi
-        # obs-nvfbc
+          # obs-nvfbc
-        obs-teleport
+          obs-teleport
-        # obs-hyperion
+          # obs-hyperion
-        droidcam-obs
+          droidcam-obs
-        obs-vkcapture
+          obs-vkcapture
-        obs-gstreamer
+          obs-gstreamer
-        obs-3d-effect
+          input-overlay
-        input-overlay
+          obs-multi-rtmp
-        obs-multi-rtmp
+          obs-source-clone
-        obs-source-clone
+          obs-shaderfilter
-        obs-shaderfilter
+          obs-source-record
-        obs-source-record
+          obs-livesplit-one
-        obs-livesplit-one
+          looking-glass-obs
-        looking-glass-obs
+          obs-vintage-filter
-        obs-vintage-filter
+          obs-command-source
-        obs-command-source
+          obs-move-transition
-        obs-move-transition
+          obs-backgroundremoval
-        obs-backgroundremoval
+          # advanced-scene-switcher
-        # advanced-scene-switcher
+          obs-pipewire-audio-capture
-        obs-pipewire-audio-capture
+        ]
-      ];
+        ++ (lib.optionals pkgs.stdenv.isx86_64 [
          obs-vaapi
          obs-3d-effect
        ]);
    };
  };
 }
--- a/home/linux/gui/base/media.nix
+++ b/home/linux/gui/base/media.nix
@@ -6,22 +6,24 @@
 }:
 # media - control and enjoy audio/video
 {
-  home.packages = with pkgs; [
+  home.packages = with pkgs;
-    # audio control
+    [
-    pavucontrol
+      # audio control
-    playerctl
+      pavucontrol
-    pulsemixer
+      playerctl
-    imv # simple image viewer
+      pulsemixer
      imv # simple image viewer
-    # video/audio tools
+      # video/audio tools
-    libva-utils
+      libva-utils
-    vdpauinfo
+      vdpauinfo
-    vulkan-tools
+      vulkan-tools
-    glxinfo
+      glxinfo
-    nvitop
+      nvitop
-
+    ]
-    (zoom-us.override {hyprlandXdgDesktopPortalSupport = true;})
+    ++ (lib.optionals pkgs.stdenv.isx86_64 [
-  ];
+      (zoom-us.override {hyprlandXdgDesktopPortalSupport = true;})
    ]);
  programs.mpv = {
    enable = true;
--- a/home/linux/gui/base/note-taking.nix
+++ b/home/linux/gui/base/note-taking.nix
@@ -1,7 +1,7 @@
-{pkgs-stable, ...}: {
+{pkgs, ...}: {
-  home.packages = with pkgs-stable; [
+  home.packages = with pkgs; (lib.optionals pkgs.stdenv.isx86_64 [
    # https://joplinapp.org/help/
    joplin # joplin-cli
    joplin-desktop
-  ];
+  ]);
 }
--- a/home/linux/gui/hyprland/values/wayland-apps.nix
+++ b/home/linux/gui/hyprland/values/wayland-apps.nix
@@ -12,7 +12,7 @@
  programs = {
    # source code: https://github.com/nix-community/home-manager/blob/master/modules/programs/chromium.nix
    google-chrome = {
-      enable = true;
+      enable = pkgs.stdenv.isx86_64;
      package = pkgs-stable.google-chrome;
      # https://wiki.archlinux.org/title/Chromium#Native_Wayland_support
--- a/hosts/12kingdoms-shoukei/README.md
+++ b/hosts/12kingdoms-shoukei/README.md
@@ -1,16 +1,8 @@
 # Host - Shoukei
-This is NixOS's configuration for my Macbook Pro 2022 Intel i5, 13.3-inch, 16G RAM + 512G SSD.
+This is NixOS's configuration for my Macbook Pro 2022 M2, 16G RAM.
 Related:
 - [/nixos-installer/README.shoukei.md](/nixos-installer/README.shoukei.md)
- <https://github.com/NixOS/nixos-hardware/tree/master/apple/t2>
+- https://github.com/nix-community/nixos-apple-silicon/blob/main/docs/uefi-standalone.md
 - <https://wiki.t2linux.org/distributions/nixos/installation/>
 TODOs:
 - [ ] Resume from suspend(close the lid) doesn't work
 - [ ] Show battery percentage in i3blocks/waybar
 - [ ] Touchbar unusable some times
  - It works on boot, but after a while it stops working
--- a/hosts/12kingdoms-shoukei/apple-set-os-loader.nix
+++ b/hosts/12kingdoms-shoukei/apple-set-os-loader.nix
@@ -1,61 +0,0 @@
 {
  pkgs,
  config,
  lib,
  ...
 }: let
  t2Cfg = config.hardware.myapple-t2;
  efiPrefix = config.boot.loader.efi.efiSysMountPoint;
  apple-set-os-loader-installer = pkgs.stdenv.mkDerivation rec {
    name = "apple-set-os-loader-installer-1.0";
    src = pkgs.fetchFromGitHub {
      owner = "Redecorating";
      repo = "apple_set_os-loader";
      rev = "r33.9856dc4";
      sha256 = "hvwqfoF989PfDRrwU0BMi69nFjPeOmSaD6vR6jIRK2Y=";
    };
    buildInputs = [pkgs.gnu-efi];
    buildPhase = ''
      substituteInPlace Makefile --replace "/usr" '$(GNU_EFI)'
      export GNU_EFI=${pkgs.gnu-efi}
      make
    '';
    installPhase = ''
      install -D bootx64_silent.efi $out/bootx64.efi
    '';
  };
 in {
  options = {
    hardware.myapple-t2.enableAppleSetOsLoader = lib.mkOption {
      default = false;
      type = lib.types.bool;
      description = "Whether to enable the appleSetOsLoader activation script.";
    };
  };
  config = {
    # Activation script to install apple-set-os-loader in order to unlock the iGPU
    system.activationScripts.myappleSetOsLoader = lib.optionalString t2Cfg.enableAppleSetOsLoader ''
      if [[ -e ${efiPrefix}/efi/boot/bootx64_original.efi ]]; then
        true # It's already installed, no action required
      elif [[ -e ${efiPrefix}/efi/boot/bootx64.efi ]]; then
        # Copy the new bootloader to a temporary location
        cp ${apple-set-os-loader-installer}/bootx64.efi ${efiPrefix}/efi/boot/bootx64_temp.efi
        # Rename the original bootloader
        mv ${efiPrefix}/efi/boot/bootx64.efi ${efiPrefix}/efi/boot/bootx64_original.efi
        # Move the new bootloader to the final destination
        mv ${efiPrefix}/efi/boot/bootx64_temp.efi ${efiPrefix}/efi/boot/bootx64.efi
      else
        echo "Error: ${efiPrefix}/efi/boot/bootx64.efi is missing" >&2
      fi
    '';
    # Enable the iGPU by default if present
    environment.etc."modprobe.d/apple-gmux.conf".text = lib.optionalString t2Cfg.enableAppleSetOsLoader ''
      options apple-gmux force_igd=y
    '';
  };
 }
--- a/hosts/12kingdoms-shoukei/brcm-firmware/default.nix
+++ b/hosts/12kingdoms-shoukei/brcm-firmware/default.nix
@@ -1,10 +0,0 @@
 {pkgs, ...}:
 pkgs.stdenvNoCC.mkDerivation {
  name = "brcm-firmware";
  nativeBuildInputs = with pkgs; [gnutar xz];
  buildCommand = ''
    dir="$out/lib/"
    mkdir -p "$dir"
    tar -axvf ${./firmware.tar.xz} -C "$dir"
  '';
 }
--- a/hosts/12kingdoms-shoukei/brcm-firmware/firmware.tar.xz
+++ b/hosts/12kingdoms-shoukei/brcm-firmware/firmware.tar.xz
--- a/hosts/12kingdoms-shoukei/brcm-firmware/flake.lock
+++ b/hosts/12kingdoms-shoukei/brcm-firmware/flake.lock
@@ -1,27 +0,0 @@
 {
  "nodes": {
    "nixpkgs": {
      "locked": {
        "lastModified": 1703068421,
        "narHash": "sha256-WSw5Faqlw75McIflnl5v7qVD/B3S2sLh+968bpOGrWA=",
        "owner": "nixos",
        "repo": "nixpkgs",
        "rev": "d65bceaee0fb1e64363f7871bc43dc1c6ecad99f",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
        "ref": "nixos-25.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "nixpkgs": "nixpkgs"
      }
    }
  },
  "root": "root",
  "version": 7
 }
--- a/hosts/12kingdoms-shoukei/brcm-firmware/flake.nix
+++ b/hosts/12kingdoms-shoukei/brcm-firmware/flake.nix
@@ -1,10 +0,0 @@
 {
  # a flake for testing
  inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
  outputs = {nixpkgs, ...}: let
    system = "x86_64-linux";
    pkgs = import nixpkgs {inherit system;};
  in {
    packages."${system}".default = pkgs.callPackage ./default.nix {};
  };
 }
--- a/hosts/12kingdoms-shoukei/default.nix
+++ b/hosts/12kingdoms-shoukei/default.nix
@@ -1,32 +1,20 @@
-{
+{myvars, ...}:
  nixos-hardware,
  myvars,
  ...
 }:
 #############################################################
 #
-#  Shoukei - NixOS running on Macbook Pro 2020 I5 16G
+#  Shoukei - NixOS running on Macbook Pro 2022 M2 16G
 #   https://github.com/NixOS/nixos-hardware/tree/master/apple/t2
 #
 #############################################################
 let
  hostName = "shoukei"; # Define your hostname.
 in {
  imports = [
    nixos-hardware.nixosModules.apple-t2
    ./apple-set-os-loader.nix
    {hardware.myapple-t2.enableAppleSetOsLoader = true;}
    ./hardware-configuration.nix
    ../idols-ai/preservation.nix
  ];
  boot.kernelModules = ["kvm-amd"];
  boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu
  networking = {
    inherit hostName;
-    inherit (myvars.networking) defaultGateway nameservers;
+    inherit (myvars.networking) nameservers;
    # configures the network interface(include wireless) via `nmcli` & `nmtui`
    networkmanager.enable = true;
@@ -38,5 +26,5 @@ in {
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "25.05"; # Did you read the comment?
+  system.stateVersion = "25.11"; # Did you read the comment?
 }
--- a/hosts/12kingdoms-shoukei/hardware-configuration.nix
+++ b/hosts/12kingdoms-shoukei/hardware-configuration.nix
@@ -6,29 +6,36 @@
  lib,
  pkgs,
  modulesPath,
  nixos-apple-silicon,
  my-asahi-firmware,
  ...
-}: {
+}: let
  device = "/dev/disk/by-uuid/c2e8b249-240e-4eef-bf4e-81e7dbbf4887";
 in {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
    nixos-apple-silicon.nixosModules.default
  ];
-  hardware.firmware = [
+  # Specify path to peripheral firmware files.
-    (import ./brcm-firmware {inherit pkgs;})
+  hardware.asahi.peripheralFirmwareDirectory = "${my-asahi-firmware}/macbook-pro-m2-a2338";
  ];
-  boot.initrd.availableKernelModules = ["xhci_pci" "nvme" "usbhid" "usb_storage" "sd_mod"];
+  networking.wireless.iwd = {
-  boot.initrd.kernelModules = [];
+    enable = true;
-  boot.kernelModules = ["kvm-intel"];
+    settings.General.EnableNetworkConfiguration = true;
-  boot.extraModulePackages = [];
+  };
-  # Use the EFI boot loader.
+  # Use the systemd-boot EFI boot loader.
-  boot.loader.efi.canTouchEfiVariables = true;
+  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = false;
  # depending on how you configured your disk mounts, change this to /boot or /boot/efi.
  boot.loader.efi.efiSysMountPoint = "/boot";
  boot.loader.systemd-boot.enable = true;
-  # Enable binfmt emulation of aarch64-linux, this is required for cross compilation.
+  # For ` to < and ~ to > (for those with US keyboards)
-  boot.binfmt.emulatedSystems = ["aarch64-linux" "riscv64-linux"];
+  # boot.extraModprobeConfig = ''
  #   options hid_apple iso_layout=0
  # '';
  # supported file systems, so we can mount any removable disks with these filesystems
  boot.supportedFilesystems = lib.mkForce [
    "ext4"
@@ -45,7 +52,7 @@
  boot.initrd = {
    # unlocked luks devices via a keyfile or prompt a passphrase.
    luks.devices."crypted-nixos" = {
-      device = "/dev/nvme0n1p4";
+      device = "/dev/disk/by-uuid/1c37820e-2501-46e4-bec4-27c28691a5b4";
      # the keyfile(or device partition) that should be used as the decryption key for the encrypted device.
      # if not specified, you will be prompted for a passphrase instead.
      #keyFile = "/root-part.key";
@@ -60,51 +67,77 @@
    };
  };
  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/01CE-1DFD";
    fsType = "vfat";
    options = [
      "fmask=0022"
      "dmask=0022"
    ];
  };
  # equal to `mount -t tmpfs tmpfs /`
  fileSystems."/" = {
    device = "tmpfs";
    fsType = "tmpfs";
    # set mode to 755, otherwise systemd will set it to 777, which cause problems.
    # relatime: Update inode access times relative to modify or change time.
-    options = ["relatime" "mode=755"];
+    options = [
-  };
+      "relatime"
-
+      "mode=755"
-  fileSystems."/boot" = {
+    ];
    device = "/dev/nvme0n1p1";
    fsType = "vfat";
  };
  fileSystems."/nix" = {
-    device = "/dev/disk/by-uuid/2f4db246-e65d-4808-8ab4-5365f9dea1ef";
+    inherit device;
    fsType = "btrfs";
-    options = ["subvol=@nix" "noatime" "compress-force=zstd:1"];
+    options = [
      "subvol=@nix"
      "noatime"
      "compress-force=zstd:1"
    ];
  };
  fileSystems."/tmp" = {
-    device = "/dev/disk/by-uuid/2f4db246-e65d-4808-8ab4-5365f9dea1ef";
+    inherit device;
    fsType = "btrfs";
-    options = ["subvol=@tmp" "noatime" "compress-force=zstd:1"];
+    options = [
      "subvol=@tmp"
      "noatime"
      "compress-force=zstd:1"
    ];
  };
  fileSystems."/persistent" = {
-    device = "/dev/disk/by-uuid/2f4db246-e65d-4808-8ab4-5365f9dea1ef";
+    inherit device;
    fsType = "btrfs";
-    options = ["subvol=@persistent" "noatime" "compress-force=zstd:1"];
+    options = [
      "subvol=@persistent"
      "noatime"
      "compress-force=zstd:1"
    ];
    # preservation's data is required for booting.
    neededForBoot = true;
  };
  fileSystems."/snapshots" = {
-    device = "/dev/disk/by-uuid/2f4db246-e65d-4808-8ab4-5365f9dea1ef";
+    inherit device;
    fsType = "btrfs";
-    options = ["subvol=@snapshots" "noatime" "compress-force=zstd:1"];
+    options = [
      "subvol=@snapshots"
      "noatime"
      "compress-force=zstd:1"
    ];
  };
  # mount swap subvolume in readonly mode.
  fileSystems."/swap" = {
-    device = "/dev/disk/by-uuid/2f4db246-e65d-4808-8ab4-5365f9dea1ef";
+    inherit device;
    fsType = "btrfs";
-    options = ["subvol=@swap" "ro"];
+    options = [
      "subvol=@swap"
      "ro"
    ];
  };
  # remount swapfile in read-write mode
@@ -114,7 +147,10 @@
    device = "/swap/swapfile";
    fsType = "none";
-    options = ["bind" "rw"];
+    options = [
      "bind"
      "rw"
    ];
  };
  swapDevices = [
@@ -126,9 +162,7 @@
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp230s0f1u1.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
  # networking.interfaces.wlp229s0.useDHCP = lib.mkDefault true;
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/12kingdoms-shoukei/home.nix
+++ b/hosts/12kingdoms-shoukei/home.nix
@@ -1,17 +1,15 @@
-{config, ...}: let
+{ config, ... }:
 let
  hostName = "shoukei"; # Define your hostname.
-in {
+in
 {
  modules.desktop.hyprland = {
    nvidia = false;
-    settings = {
+    settings.source = [
-      # Configure your Display resolution, offset, scale and Monitors here, use `hyprctl monitors` to get the info.
+      "${config.home.homeDirectory}/nix-config/hosts/12kingdoms-shoukei/hypr-hardware.conf"
-      #   highres:      get the best possible resolution
+    ];
      #   auto:         position automatically
      #   1.5:          scale to 1.5 times
      #   bitdepth,10:  enable 10 bit support
      monitor = "eDP-1,highres,auto,1.5,bitdepth,10";
    };
  };
-  programs.ssh.matchBlocks."github.com".identityFile = "${config.home.homeDirectory}/.ssh/${hostName}";
+  programs.ssh.matchBlocks."github.com".identityFile =
    "${config.home.homeDirectory}/.ssh/${hostName}";
 }
--- a/hosts/12kingdoms-shoukei/hypr-hardware.conf
+++ b/hosts/12kingdoms-shoukei/hypr-hardware.conf
@@ -0,0 +1,9 @@
 # https://wiki.hyprland.org/Configuring/Monitors/
 #
 # Configure your Display resolution, offset, scale and Monitors here, use `hyprctl monitors` to get the info.
 #   highres:      get the best possible resolution
 #   auto:         position automatically
 #   1.25:          scale to 1.25 times
 #   bitdepth,10:  enable 10 bit support
 monitor=eDP-1,      highres@highrr,  0x0,         1.25,  bitdepth,10
--- a/hosts/darwin-harmonica/default.nix
+++ b/hosts/darwin-harmonica/default.nix
@@ -1,13 +0,0 @@
 _:
 #############################################################
 #
 #  Harmonica - MacBook Pro 2020 13-inch i5 16G, mainly for personal use
 #
 #############################################################
 let
  hostname = "harmonica";
 in {
  networking.hostName = hostname;
  networking.computerName = hostname;
  system.defaults.smb.NetBIOSName = hostname;
 }
--- a/hosts/darwin-harmonica/home.nix
+++ b/hosts/darwin-harmonica/home.nix
@@ -1,2 +0,0 @@
 _: {
 }
--- a/hosts/idols-ai/preservation.nix
+++ b/hosts/idols-ai/preservation.nix
@@ -72,6 +72,7 @@ in {
      "/var/lib/tailscale"
      "/var/lib/bluetooth"
      "/var/lib/NetworkManager"
      "/var/lib/iwd"
    ];
    files = [
      # auto-generated machine ID
--- a/modules/base/nix.nix
+++ b/modules/base/nix.nix
@@ -39,8 +39,4 @@
    ];
    builders-use-substitutes = true;
  };
  nix.extraOptions = ''
    !include ${config.age.secrets.nix-access-tokens.path}
  '';
 }
--- a/modules/darwin/nix-core.nix
+++ b/modules/darwin/nix-core.nix
@@ -1,4 +1,4 @@
-{
+{config, ...}: {
  ###################################################################################
  #
  #  Core configuration for nix-darwin
@@ -24,4 +24,8 @@
  nix.gc.automatic = false;
  system.stateVersion = 5;
  nix.extraOptions = ''
    !include ${config.age.secrets.nix-access-tokens.path}
  '';
 }
--- a/modules/nixos/base/nix.nix
+++ b/modules/nixos/base/nix.nix
@@ -1,6 +1,6 @@
 {
  config,
  lib,
  nixpkgs,
  ...
 }: {
  # to install chrome, you need to enable unfree packages
@@ -18,4 +18,8 @@
  nix.settings.auto-optimise-store = true;
  nix.channel.enable = false; # remove nix-channel related tools & configs, we use flakes instead.
  nix.extraOptions = ''
    !include ${config.age.secrets.nix-access-tokens.path}
  '';
 }
--- a/modules/nixos/desktop/game/gamemode.nix
+++ b/modules/nixos/desktop/game/gamemode.nix
@@ -37,7 +37,7 @@ in {
  #   2. For others, launching the game through gamemoderun: `gamemoderun ./game`
  #   3. For steam: `gamemoderun steam-runtime`
  programs.gamemode = {
-    enable = true;
+    enable = pkgs.stdenv.isx86_64;
    settings = {
      general = {
        softrealtime = "auto";
--- a/modules/nixos/desktop/game/steam.nix
+++ b/modules/nixos/desktop/game/steam.nix
@@ -8,7 +8,7 @@
    #   ~/.local/share/Steam/steamapps/common - The default Game install location
    #   ~/.steam/root        - A symlink to ~/.local/share/Steam
    #   ~/.steam             - Some Symlinks & user info
-    enable = true;
+    enable = pkgs.stdenv.isx86_64;
    # https://github.com/ValveSoftware/gamescope
    # enables features such as resolution upscaling and stretched aspect ratios (such as 4:3)
    gamescopeSession.enable = true;
--- a/modules/nixos/desktop/misc.nix
+++ b/modules/nixos/desktop/misc.nix
@@ -10,7 +10,7 @@
  # add user's shell into /etc/shells
  environment.shells = with pkgs; [
    bashInteractive
-    pkgs-unstable.nushell
+    nushell
  ];
  # set user's default shell system-wide
  users.defaultUserShell = pkgs.bashInteractive;
--- a/modules/nixos/desktop/remote-desktop/default.nix
+++ b/modules/nixos/desktop/remote-desktop/default.nix
@@ -8,6 +8,5 @@
  environment.systemPackages = with pkgs; [
    waypipe
    moonlight-qt # moonlight client, for streaming games/desktop from a PC
    rustdesk # p2p remote desktop
  ];
 }
--- a/nixos-installer/.gitignore
+++ b/nixos-installer/.gitignore
@@ -1,2 +1,2 @@
-# generate lock file every time
+# ignore flake.lock here, generate a new one every time install a new host
 flake.lock
--- a/nixos-installer/README.md
+++ b/nixos-installer/README.md
@@ -179,8 +179,8 @@ Filename				Type		Size		Used		Priority
 Clone this repository:
 ```bash
-# enter an shell with git/vim/ssh-agent/gnumake available
+# enter an shell with git/vim/ssh-agent available
-nix-shell -p git vim gnumake
+nix-shell -p git vim just
 # clone this repository
 git clone https://github.com/ryan4yin/nix-config.git
@@ -211,7 +211,7 @@ nixos-install --root /mnt --flake .#ai --no-root-password --show-trace --verbose
 # if you want to use a cache mirror, run this command instead
 # replace the mirror url with your own
-nixos-install --root /mnt --flake .#ai --no-root-password --show-trace --verbose --option substituters "https://mirror.sjtu.edu.cn/nix-channels/store"  # install-2
+nixos-install --root /mnt --flake .#shoukei --no-root-password --show-trace --verbose --option substituters "https://mirrors.ustc.edu.cn/nix-channels/store  https://cache.nixos.org/" # install-2
 # enter into the installed system, check password & users
 # `su ryan` => `sudo -i` => enter ryan's password => successfully login
--- a/nixos-installer/README.shoukei.md
+++ b/nixos-installer/README.shoukei.md
@@ -4,67 +4,118 @@
 > machine :exclamation: Please write your own configuration from scratch, and use my configuration
 > and documentation for reference only.**
 > https://wiki.t2linux.org/distributions/nixos/installation/
 > https://github.com/NixOS/nixos-hardware/tree/master/apple/t2
 This flake prepares a Nix environment for setting my desktop
-[/hosts/12kingdoms_shoukei](/hosts/12kingdoms_shoukei)(in main flake) up on a new machine.
+[/hosts/12kingdoms-shoukei](/hosts/12kingdoms-shoukei)(in main flake) up on a new machine.
 ## Steps to Deploying
-First, create a USB install medium from Apple T2's NixOS installer image:
+### 1. Prepare & boot into the nixos installer
 https://github.com/t2linux/nixos-t2-iso.git
-### 2. Connecting to the Internet
+Just follow this Guide:
-1. configure wifi: <https://wiki.t2linux.org/guides/wifi-bluetooth/#on-macos>
+- https://github.com/nix-community/nixos-apple-silicon/blob/main/docs/uefi-standalone.md
-2. copy wifi firmware to the NixOS installer:
+
 ### 2. Connect to WiFi & SSH
 If you have another machine, configure the new host through a SSH connection will be much
 comfortable than using the raw terminal of the nixos installer. So after booting into the nixos
 installer, let's configure WiFi in the installer using `iwctl` first:
 > This is copied from
 > <https://github.com/nix-community/nixos-apple-silicon/blob/main/docs/uefi-standalone.md#nixos-installation>
 ```bash
-sudo mkdir -p /lib
+nixos# iwctl
-sudo tar -axvf ../hosts/12kingdoms_shoukei/brcm-firmware/firmware.tar.gz -C /lib/
+NetworkConfigurationEnabled: enabled
-sudo modprobe -r brcmfmac && sudo modprobe brcmfmac
+StateDirectory: /var/lib/iwd
-
+Version: 2.4
-# check whether the wifi firmware is loaded
+[iwd]# station wlan0 scan
-dmesg | tail
+[iwd]# station wlan0 connect <SSID>
-
+Type the network passphrase for <SSID> psk.
-# now start wpa_supplicant
+Passphrase: <your passphrase>
-sudo systemctl start wpa_supplicant
+[iwd]# station wlan0 show
 [...]
 [iwd] exit
 ```
-connect to wifi via `wpa_cli`:
+And then set a password for the `root` user:
 ```bash
-wpa_cli -i wlan0
+# Switch to root
-> scan
+[nixos@nixos:~]$ sudo su
-> scan_results
+
-# add a new network, this command returns a network ID, which is 0 in this case.
+# Change the password
-> add_network
+[root@nixos:~]# passwd
-# associate the network with the network ID we just got
+New password:
-# NOTE: the quotes are required!
+Retype new password:
-> set_network 0 ssid "<wifi_name>"
+passwd: password updated successfully
-# for a WPA2 network, set the passphrase
+
-# NOTE: the quotes are required!
+# Get the IP address
-> set_network 0 psk "xxx"
+[root@nixos:~]# ip addr show wlan0
-# enable the network
+2: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
-> enable_network 0
+    link/ether 9c:3e:53:6e:ef:8d brd ff:ff:ff:ff:ff:ff
-# save the configuration file
+    inet 192.168.5.13/24 brd 192.168.5.255 scope global dynamic noprefixroute wlan0
-> save_config
+
-# show the status
+# Change default router(if need)
-> status
+ip route del default via 192.168.5.1
 ip route add default via 192.168.5.178
 ```
-### 2. Encrypting with LUKS(everything except ESP)
+The nixos installer has sshd service enabled by default, so we can now connect to it via ssh
 directly.
 ### 3. Encrypting with LUKS(everything except ESP)
 Disk layout before installation:
-1. `/dev/nvme0n1p1`: EFI system partition, 300MB, contains macOS's bootloader.
+```bash
-2. `/dev/nvme0n1p2`: macOS's root partition.
+[root@nixos:~]# sudo parted /dev/nvme0n1 print free
-3. `/dev/nvme0n1p3`: transfer area, 10GB, used to transfer files between macOS and NixOS.
+Model: APPLE SSD AP0256Z (nvme)
-4. `/dev/nvme0n1p4`: Empty partition, used to install NixOS.
+Disk /dev/nvme0n1: 251GB
 Sector size (logical/physical): 4096B/4096B
 Partition Table: gpt
 Disk Flags:
-Now let's recreate the 4th partition via `fdisk`, and then encrypting the root partition:
+Number  Start   End     Size    File system  Name                  Flags
 1      24.6kB  524MB   524MB                iBootSystemContainer
 2      524MB   66.2GB  65.7GB
 3      66.2GB  68.7GB  2500MB
 4      68.7GB  69.2GB  500MB   fat32                              boot, esp
        69.2GB  246GB   176GB   Free Space
 5      246GB   251GB   5369MB               RecoveryOSContainer
 ```
 1. `/dev/nvme0n1p1`: "iBootSystemContainer" - system-wide boot data
 2. `/dev/nvme0n1p2`: macOS's root partition.
 3. `/dev/nvme0n1p4`: The EFI partition for NixOS.
 4. `/dev/nvme0n1p5`: "RecoveryOSContainer" - System RecoveryOS
 Now let's recreate the root partition via `sgdisk`:
 ```bash
 # Create the root partition to fill up the free space
 # --new=partnum:start:end - 0 means calculate it automatically
 [root@nixos:~]# sgdisk /dev/nvme0n1 --new=0:0:0 --change-name=0:"NixOS rootfs"
 The operation has completed successfully.
 [root@nixos:~]# sudo parted /dev/nvme0n1 print free
 Model: APPLE SSD AP0256Z (nvme)
 Disk /dev/nvme0n1: 251GB
 Sector size (logical/physical): 4096B/4096B
 Partition Table: gpt
 Disk Flags:
 Number  Start   End     Size    File system  Name                  Flags
 1      24.6kB  524MB   524MB                iBootSystemContainer
 2      524MB   66.2GB  65.7GB
 3      66.2GB  68.7GB  2500MB
 4      68.7GB  69.2GB  500MB   fat32                              boot, esp
 6      69.2GB  246GB   176GB                NixOS rootfs
 5      246GB   251GB   5369MB               RecoveryOSContainer
 ```
 And then encrypting the new partition via LUKS:
 ```bash
 lsblk
@@ -73,13 +124,13 @@ cryptsetup --help
 # NOTE: `cat shoukei.md | grep luks > format.sh` to generate this script
 # encrypt the root partition with luks2 and argon2id, will prompt for a passphrase, which will be used to unlock the partition.
-cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --hash sha512 --iter-time 5000 --key-size 256 --pbkdf argon2id --use-random --verify-passphrase /dev/nvme0n1p4
+cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --hash sha512 --iter-time 5000 --key-size 256 --pbkdf argon2id --use-random --verify-passphrase /dev/nvme0n1p6
 # show status
-cryptsetup luksDump /dev/nvme0n1p4
+cryptsetup luksDump /dev/nvme0n1p6
 # open(unlock) the device with the passphrase you just set
-cryptsetup luksOpen /dev/nvme0n1p4 crypted-nixos
+cryptsetup luksOpen /dev/nvme0n1p6 crypted-nixos
 # show disk status
 lsblk
@@ -88,9 +139,13 @@ lsblk
 Formatting the root partition:
 ```bash
 # If btrfs is not included in the liveos, run this before formatting
 nix-shell -p btrfs-progs
 # NOTE: `cat shoukei.md | egrep "create-btrfs"  > create-btrfs.sh` to generate this script
 # format the root partition with btrfs and label it
-mkfs.btrfs -L crypted-nixos /dev/mapper/crypted-nixos  # create-btrfs
+# set sectorsize to match the CPU page size
 mkfs.btrfs --sectorsize 16384 -L crypted-nixos /dev/mapper/crypted-nixos  # create-btrfs
 # mount the root partition and create subvolumes
 mount /dev/mapper/crypted-nixos /mnt  # create-btrfs
 btrfs subvolume create /mnt/@nix  # create-btrfs
@@ -114,12 +169,13 @@ mount -o compress-force=zstd:1,subvol=@tmp /dev/mapper/crypted-nixos /mnt/tmp
 mount -o subvol=@swap /dev/mapper/crypted-nixos /mnt/swap  # mount-1
 mount -o compress-force=zstd:1,noatime,subvol=@persistent /dev/mapper/crypted-nixos /mnt/persistent   # mount-1
 mount -o compress-force=zstd:1,noatime,subvol=@snapshots /dev/mapper/crypted-nixos /mnt/snapshots     # mount-1
-mount /dev/nvme0n1p1 /mnt/boot  # mount-1
+
 mount /dev/nvme0n1p4 /mnt/boot  # mount-1
 # create a swapfile on btrfs file system
 # This command will disable CoW / compression on the swap subvolume and then create a swapfile.
 # because the linux kernel requires that swapfile must not be compressed or have copy-on-write(CoW) enabled.
-btrfs filesystem mkswapfile --size 96g --uuid clear /mnt/swap/swapfile  # mount-1
+btrfs filesystem mkswapfile --size 16g --uuid clear /mnt/swap/swapfile  # mount-1
 # check whether the swap subvolume has CoW disabled
 # the output of `lsattr` for the swap subvolume should be:
@@ -128,27 +184,37 @@ btrfs filesystem mkswapfile --size 96g --uuid clear /mnt/swap/swapfile  # mount-
 lsattr /mnt/swap
 # mount the swapfile as swap area
-swapon /mnt/swap/swapfile  # mount-1
+swapon /mnt/swap/swapfile --fixpgsz  # mount-1
 ```
 Now, the disk status should be:
 ```bash
 # show disk status
-$ lsblk
+[nix-shell:~]# lsblk
-nvme0n1           259:0    0   1.8T  0 disk
+NAME              MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
-├─nvme0n1p1       259:2    0   600M  0 part  /mnt/boot
+loop0               7:0    0 302.1M  1 loop  /nix/.ro-store
-└─nvme0n1p4       259:3    0   1.8T  0 part
+sda                 8:0    1     0B  0 disk
-  └─crypted-nixos 254:0    0   1.8T  0 crypt /mnt/swap
+sdb                 8:16   1  58.2G  0 disk  /iso
 nvme0n1           259:0    0 233.8G  0 disk
 ├─nvme0n1p1       259:1    0   500M  0 part
 ├─nvme0n1p2       259:2    0  61.2G  0 part
 ├─nvme0n1p3       259:3    0   2.3G  0 part
 ├─nvme0n1p4       259:4    0   477M  0 part  /mnt/boot
 ├─nvme0n1p5       259:5    0     5G  0 part
 └─nvme0n1p6       259:14   0 164.3G  0 part
  └─crypted-nixos 252:0    0 164.3G  0 crypt /mnt/snapshots
                                             /mnt/persistent
-                                             /mnt/snapshots
+                                             /mnt/swap
                                             /mnt/nix
                                             /mnt/tmp
                                             /mnt/nix
 nvme0n2           259:6    0     3M  0 disk
 nvme0n3           259:7    0   128M  0 disk
 # show swap status
-$ swapon -s
+[nix-shell:~]# swapon -s
-Filename				Type		Size		Used		Priority
+Filename                                Type            Size            Used            Priority
-/swap/swapfile                          file		100663292	0		-2
+/mnt/swap/swapfile                      file            16777200        0               -2
 ```
 ### 3. Generating the NixOS Configuration and Installing NixOS
@@ -157,7 +223,7 @@ Clone this repository:
 ```bash
 # enter an shell with git/vim/ssh-agent/gnumake available
-nix-shell -p git vim gnumake
+nix-shell -p git neovim --option substituters "https://mirrors.ustc.edu.cn/nix-channels/store"
 # clone this repository
 git clone https://github.com/ryan4yin/nix-config.git
@@ -171,13 +237,13 @@ nixos-generate-config --root /mnt
 # we need to update our filesystem configs in old hardware-configuration.nix according to the generated one.
 cp /etc/nixos/hardware-configuration.nix ./nix-config/hosts/12kingdoms_shoukei/hardware-configuration-new.nix
-vim .
+vim ./nix-config
 ```
 Then, Install NixOS:
 ```bash
-cd ~/nix-config/hosts/12kingdoms_shoukei/nixos-installer/
+cd ~/nix-config/nixos-installer/
 # run this command if you're retrying to run nixos-install
 rm -rf /mnt/etc
@@ -188,7 +254,7 @@ nixos-install --root /mnt --flake .#shoukei --no-root-password --show-trace --ve
 # if you want to use a cache mirror, run this command instead
 # replace the mirror url with your own
-nixos-install --root /mnt --flake .#shoukei --no-root-password --show-trace --verbose --option substituters "https://mirror.ustc.edu.cn/nix-channels/store" # install-2
+nixos-install --root /mnt --flake .#shoukei --no-root-password --show-trace --verbose --option substituters "https://mirrors.ustc.edu.cn/nix-channels/store  https://cache.nixos.org/" # install-2
 # enter into the installed system, check password & users
 # `su ryan` => `sudo -i` => enter ryan's password => successfully login
@@ -221,7 +287,7 @@ cp -r ../nix-config /mnt/etc/nixos
 # sync the disk, unmount the partitions, and close the encrypted device
 sync
 swapoff /mnt/swap/swapfile
-umount -R /mnt
+umount -R /mnt/{nix,tmp,swap,persistent,snapshots,boot}
 cryptsetup close /dev/mapper/crypted-nixos
 reboot
 ```
@@ -235,7 +301,7 @@ that the new machine can pull my private secrets repo:
 ```bash
 # 1. Generate a new SSH key with a strong passphrase
-ssh-keygen -t ed25519 -a 256 -C "ryan@idols-ai" -f ~/.ssh/shoukei
+ssh-keygen -t ed25519 -a 256 -C "ryan@shoukei" -f ~/.ssh/shoukei
 # 2. Add the ssh key to the ssh-agent, so that nixos-rebuild can use it to pull my private secrets repo.
 ssh-add ~/.ssh/shoukei
 ```
--- a/nixos-installer/configuration.nix
+++ b/nixos-installer/configuration.nix
@@ -16,7 +16,6 @@
  networking = {
    # configures the network interface(include wireless) via `nmcli` & `nmtui`
    networkmanager.enable = true;
    defaultGateway = "192.168.5.101";
  };
-  system.stateVersion = "25.05";
+  system.stateVersion = "25.11";
 }
--- a/nixos-installer/flake.nix
+++ b/nixos-installer/flake.nix
@@ -4,25 +4,38 @@
  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
    preservation.url = "github:nix-community/preservation";
    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
    nuenv.url = "github:DeterminateSystems/nuenv";
    nixos-apple-silicon = {
      url = "github:nix-community/nixos-apple-silicon/release-2025-05-30";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    my-asahi-firmware = {
      url = "git+ssh://git@github.com/ryan4yin/asahi-firmware.git?shallow=1";
      flake = false;
    };
  };
  outputs = inputs @ {
    nixpkgs,
-    nixos-hardware,
+    nixos-apple-silicon,
-    nuenv,
+    my-asahi-firmware,
    ...
-  }: {
+  }: let
    inherit (inputs.nixpkgs) lib;
    mylib = import ../lib {inherit lib;};
    myvars = import ../vars {inherit lib;};
  in {
    nixosConfigurations = {
      ai = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        specialArgs =
          inputs
          // {
-            myvars.username = "ryan";
+            inherit mylib myvars;
            myvars.userfullname = "Ryan Yin";
          };
        modules = [
          {networking.hostName = "ai";}
@@ -31,7 +44,7 @@
          ../modules/base
          ../modules/nixos/base/i18n.nix
          ../modules/nixos/base/user-group.nix
-          ../modules/nixos/base/networking.nix
+          ../modules/nixos/base/ssh.nix
          ../hosts/idols-ai/hardware-configuration.nix
          ../hosts/idols-ai/preservation.nix
@@ -39,29 +52,22 @@
      };
      shoukei = nixpkgs.lib.nixosSystem {
-        system = "x86_64-linux";
+        system = "aarch64-linux";
        specialArgs =
          inputs
          // {
-            myvars.username = "ryan";
+            inherit mylib myvars my-asahi-firmware;
            myvars.userfullname = "Ryan Yin";
          };
        modules = [
-          # Building on a USB installer is buggy, lack of disk space, memory, trublesome to setup substituteers, etc.
+          {networking.hostName = "shoukei";}
          # so we disable apple-t2 module here to avoid build kernel during the initial installation, and enable it after the first boot.
          # nixos-hardware.nixosModules.apple-t2
          ({pkgs, ...}: {
            networking.hostName = "shoukei";
            boot.kernelPackages = pkgs.linuxPackages_latest; # Use latest kernel for the initial installation.
            # hardware.apple-t2.enableAppleSetOsLoader = true;
          })
          nixos-apple-silicon.nixosModules.default
          ./configuration.nix
          ../modules/base
          ../modules/nixos/base/i18n.nix
          ../modules/nixos/base/user-group.nix
-          ../modules/nixos/base/networking.nix
+          ../modules/nixos/base/ssh.nix
          ../hosts/12kingdoms-shoukei/hardware-configuration.nix
          ../hosts/idols-ai/preservation.nix
--- a/outputs/aarch64-darwin/tests/home-manager/expected.nix
+++ b/outputs/aarch64-darwin/tests/home-manager/expected.nix
@@ -5,6 +5,7 @@
  username = myvars.username;
  hosts = [
    "fern"
    "frieren"
  ];
 in
  lib.genAttrs hosts (_: "/Users/${username}")
--- a/outputs/aarch64-darwin/tests/home-manager/expr.nix
+++ b/outputs/aarch64-darwin/tests/home-manager/expr.nix
@@ -6,6 +6,7 @@
  username = myvars.username;
  hosts = [
    "fern"
    "frieren"
  ];
 in
  lib.genAttrs
--- a/outputs/aarch64-linux/default.nix
+++ b/outputs/aarch64-linux/default.nix
@@ -0,0 +1,37 @@
 {
  lib,
  inputs,
  ...
 } @ args: let
  inherit (inputs) haumea;
  # Contains all the flake outputs of this system architecture.
  data = haumea.lib.load {
    src = ./src;
    inputs = args;
  };
  # nix file names is redundant, so we remove it.
  dataWithoutPaths = builtins.attrValues data;
  # Merge all the machine's data into a single attribute set.
  outputs = {
    nixosConfigurations = lib.attrsets.mergeAttrsList (map (it: it.nixosConfigurations or {}) dataWithoutPaths);
    packages = lib.attrsets.mergeAttrsList (map (it: it.packages or {}) dataWithoutPaths);
    # colmena contains some meta info, which need to be merged carefully.
    colmenaMeta = {
      nodeNixpkgs = lib.attrsets.mergeAttrsList (map (it: it.colmenaMeta.nodeNixpkgs or {}) dataWithoutPaths);
      nodeSpecialArgs = lib.attrsets.mergeAttrsList (map (it: it.colmenaMeta.nodeSpecialArgs or {}) dataWithoutPaths);
    };
    colmena = lib.attrsets.mergeAttrsList (map (it: it.colmena or {}) dataWithoutPaths);
  };
 in
  outputs
  // {
    inherit data; # for debugging purposes
    # NixOS's unit tests.
    evalTests = haumea.lib.loadEvalTests {
      src = ./tests;
      inputs = args // {inherit outputs;};
    };
  }
--- a/outputs/aarch64-linux/src/12kingdoms-shoukei.nix
+++ b/outputs/aarch64-linux/src/12kingdoms-shoukei.nix
@@ -19,6 +19,10 @@
      "modules/nixos/desktop.nix"
      # host specific
      "hosts/12kingdoms-${name}"
      # nixos hardening
      # "hardening/profiles/default.nix"
      "hardening/nixpaks"
      "hardening/bwraps"
    ];
    home-modules = map mylib.relativeToRoot [
      # common
@@ -35,6 +39,9 @@
          modules.desktop.wayland.enable = true;
          modules.secrets.desktop.enable = true;
          modules.secrets.preservation.enable = true;
          # TODO: remove this option
          nixpkgs.config.allowUnsupportedSstem = true;
        }
      ]
      ++ base-modules.nixos-modules;
--- a/outputs/aarch64-linux/tests/home-manager/expected.nix
+++ b/outputs/aarch64-linux/tests/home-manager/expected.nix
@@ -4,7 +4,7 @@
 }: let
  username = myvars.username;
  hosts = [
-    "harmonica"
+    "shoukei-hyprland"
  ];
 in
-  lib.genAttrs hosts (_: "/Users/${username}")
+  lib.genAttrs hosts (_: "/home/${username}")
--- a/outputs/aarch64-linux/tests/home-manager/expr.nix
+++ b/outputs/aarch64-linux/tests/home-manager/expr.nix
@@ -0,0 +1,15 @@
 {
  myvars,
  lib,
  outputs,
 }: let
  username = myvars.username;
  hosts = [
    "shoukei-hyprland"
  ];
 in
  lib.genAttrs
  hosts
  (
    name: outputs.nixosConfigurations.${name}.config.home-manager.users.${username}.home.homeDirectory
  )
--- a/outputs/aarch64-linux/tests/hostname/expected.nix
+++ b/outputs/aarch64-linux/tests/hostname/expected.nix
@@ -0,0 +1,14 @@
 {
  lib,
  outputs,
 }: let
  specialExpected = {
    "shoukei-hyprland" = "shoukei";
  };
  specialHostNames = builtins.attrNames specialExpected;
  otherHosts = builtins.removeAttrs outputs.nixosConfigurations specialHostNames;
  otherHostsNames = builtins.attrNames otherHosts;
  # other hosts's hostName is the same as the nixosConfigurations name
  otherExpected = lib.genAttrs otherHostsNames (name: name);
 in (specialExpected // otherExpected)
--- a/outputs/aarch64-linux/tests/hostname/expr.nix
+++ b/outputs/aarch64-linux/tests/hostname/expr.nix
@@ -0,0 +1,9 @@
 {
  lib,
  outputs,
 }:
 lib.genAttrs
 (builtins.attrNames outputs.nixosConfigurations)
 (
  name: outputs.nixosConfigurations.${name}.config.networking.hostName
 )
--- a/outputs/aarch64-linux/tests/kernel/expected.nix
+++ b/outputs/aarch64-linux/tests/kernel/expected.nix
@@ -0,0 +1,8 @@
 {
  lib,
  outputs,
 }: let
  hostsNames = builtins.attrNames outputs.nixosConfigurations;
  expected = lib.genAttrs hostsNames (_: "aarch64-linux");
 in
  expected
--- a/outputs/aarch64-linux/tests/kernel/expr.nix
+++ b/outputs/aarch64-linux/tests/kernel/expr.nix
@@ -0,0 +1,9 @@
 {
  lib,
  outputs,
 }:
 lib.genAttrs
 (builtins.attrNames outputs.nixosConfigurations)
 (
  name: outputs.nixosConfigurations.${name}.config.boot.kernelPackages.kernel.system
 )
--- a/outputs/default.nix
+++ b/outputs/default.nix
@@ -34,12 +34,11 @@
  # modules for each supported system
  nixosSystems = {
    x86_64-linux = import ./x86_64-linux (args // {system = "x86_64-linux";});
-    # aarch64-linux = import ./aarch64-linux (args // {system = "aarch64-linux";});
+    aarch64-linux = import ./aarch64-linux (args // {system = "aarch64-linux";});
    # riscv64-linux = import ./riscv64-linux (args // {system = "riscv64-linux";});
  };
  darwinSystems = {
    aarch64-darwin = import ./aarch64-darwin (args // {system = "aarch64-darwin";});
    x86_64-darwin = import ./x86_64-darwin (args // {system = "x86_64-darwin";});
  };
  allSystems = nixosSystems // darwinSystems;
  allSystemNames = builtins.attrNames allSystems;
--- a/outputs/x86_64-darwin/default.nix
+++ b/outputs/x86_64-darwin/default.nix
@@ -1,30 +0,0 @@
 {
  lib,
  inputs,
  ...
 } @ args: let
  inherit (inputs) haumea;
  # Contains all the flake outputs of this system architecture.
  data = haumea.lib.load {
    src = ./src;
    inputs = args;
  };
  # nix file names is redundant, so we remove it.
  dataWithoutPaths = builtins.attrValues data;
  # Merge all the machine's data into a single attribute set.
  outputs = {
    darwinConfigurations = lib.attrsets.mergeAttrsList (map (it: it.darwinConfigurations or {}) dataWithoutPaths);
  };
 in
  outputs
  // {
    inherit data; # for debugging purposes
    # NixOS's unit tests.
    evalTests = haumea.lib.loadEvalTests {
      src = ./tests;
      inputs = args // {inherit outputs;};
    };
  }
--- a/outputs/x86_64-darwin/src/harnomica.nix
+++ b/outputs/x86_64-darwin/src/harnomica.nix
@@ -1,36 +0,0 @@
 {
  # NOTE: the args not used in this file CAN NOT be removed!
  # because haumea pass argument lazily,
  # and these arguments are used in the functions like `mylib.nixosSystem`, `mylib.colmenaSystem`, etc.
  inputs,
  lib,
  mylib,
  myvars,
  system,
  genSpecialArgs,
  ...
 } @ args: let
  name = "harmonica";
  modules = {
    darwin-modules =
      (map mylib.relativeToRoot [
        # common
        "secrets/darwin.nix"
        "modules/darwin"
        # host specific
        "hosts/darwin-${name}"
      ])
      ++ [];
    home-modules = map mylib.relativeToRoot [
      "hosts/darwin-${name}/home.nix"
      "home/darwin"
    ];
  };
  systemArgs = modules // args;
 in {
  # macOS's configuration
  darwinConfigurations.${name} = mylib.macosSystem systemArgs;
 }
--- a/outputs/x86_64-darwin/tests/home-manager/expr.nix
+++ b/outputs/x86_64-darwin/tests/home-manager/expr.nix
@@ -1,15 +0,0 @@
 {
  myvars,
  lib,
  outputs,
 }: let
  username = myvars.username;
  hosts = [
    "harmonica"
  ];
 in
  lib.genAttrs
  hosts
  (
    name: outputs.darwinConfigurations.${name}.config.home-manager.users.${username}.home.homeDirectory
  )
--- a/outputs/x86_64-darwin/tests/hostname/expected.nix
+++ b/outputs/x86_64-darwin/tests/hostname/expected.nix
@@ -1,8 +0,0 @@
 {
  lib,
  outputs,
 }: let
  hostsNames = builtins.attrNames outputs.darwinConfigurations;
  expected = lib.genAttrs hostsNames (name: name);
 in
  expected
--- a/outputs/x86_64-darwin/tests/hostname/expr.nix
+++ b/outputs/x86_64-darwin/tests/hostname/expr.nix
@@ -1,9 +0,0 @@
 {
  lib,
  outputs,
 }:
 lib.genAttrs
 (builtins.attrNames outputs.darwinConfigurations)
 (
  name: outputs.darwinConfigurations.${name}.config.networking.hostName
 )
--- a/outputs/x86_64-linux/tests/home-manager/expected.nix
+++ b/outputs/x86_64-linux/tests/home-manager/expected.nix
@@ -5,7 +5,6 @@
  username = myvars.username;
  hosts = [
    "ai-hyprland"
    "shoukei-hyprland"
    "ruby"
    "k3s-prod-1-master-1"
  ];
--- a/outputs/x86_64-linux/tests/home-manager/expr.nix
+++ b/outputs/x86_64-linux/tests/home-manager/expr.nix
@@ -6,7 +6,6 @@
  username = myvars.username;
  hosts = [
    "ai-hyprland"
    "shoukei-hyprland"
    "ruby"
    "k3s-prod-1-master-1"
  ];
--- a/outputs/x86_64-linux/tests/hostname/expected.nix
+++ b/outputs/x86_64-linux/tests/hostname/expected.nix
@@ -4,7 +4,6 @@
 }: let
  specialExpected = {
    "ai-hyprland" = "ai";
    "shoukei-hyprland" = "shoukei";
  };
  specialHostNames = builtins.attrNames specialExpected;
--- a/secrets/README.md
+++ b/secrets/README.md
@@ -56,7 +56,6 @@ let
  # If you do not have this file, you can generate all the host keys by command:
  #    sudo ssh-keygen -A
  idol_ai = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINHZtzeaQyXwuRMLzoOAuTu8P9bu5yc5MBwo5LI3iWBV root@ai";
  fern = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMokXUYcUy7tysH4tRR6pevFjyOP4cXMjpBSgBZggm9X root@fern";
  # A key for recovery purpose, generated by `ssh-keygen -t ed25519 -a 256 -C "ryan@agenix-recovery"` with a strong passphrase
  # and keeped it offline in a safe place.
--- a/templates/bevy/flake.nix
+++ b/templates/bevy/flake.nix
@@ -18,7 +18,6 @@
    systems = [
      "x86_64-linux"
      "aarch64-linux"
      "x86_64-darwin"
      "aarch64-darwin"
    ];
    # Helper function to generate a set of attributes for each system
--- a/vars/default.nix
+++ b/vars/default.nix
@@ -13,13 +13,12 @@
  #      ```bash
  #      # KDF: bcrypt with 256 rounds, takes 2s on Apple M2):
  #      # Passphrase: digits + letters + symbols, 12+ chars
-  #      ssh-keygen -t ed25519 -a 256 -C "ryan@xxx" -f ~/.ssh/xxx`
+  #      ssh-keygen -t ed25519 -a 256 -C "ryan@xxx" -f ~/.ssh/xxx
  #      ```
  #    2. Never leave the device and never sent over the network.
  # 2. Or just use hardware security keys like Yubikey/CanoKey.
  mainSshAuthorizedKeys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIKlN+Q/GxvwxDX/OAjJHaNFEznEN4Tw4E4TwqQu/eD6 ryan@idols-ai"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFIznBmtZlMcVUL+uPFltLTNa8Y1J0aT1E36AXQV07su ryan@fern"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDc1PNTXzzvd93E+e9LXvnEzqgUI5gMTEF/IitvzgmL+ ryan@frieren"
  ];
  secondaryAuthorizedKeys = [
`@@ -1,2 +1,2 @@`
	`# generate lock file every time`	`# ignore flake.lock here, generate a new one every time install a new host`
	`flake.lock`	`flake.lock`