feat: install nixos on orange pi 5 plus with edk2-rk3588(uefi)

2026-04-24 17:58:30 +02:00 · 2024-03-05 20:38:31 +08:00
parent efcee11839
commit 4d0741c841
20 changed files with 560 additions and 29 deletions
--- a/14
+++ b/14
@@ -202,10 +202,18 @@ aarch:
  colmena apply --on '@aarch' --verbose --show-trace
 suzu:
-  colmena apply --on '@suzu' --verbose --show-trace
+  colmena apply --on '@suzu' --build-on-target --verbose --show-trace
-suzu-debug:
+suzu-local mode="default":
-  colmena apply --on '@suzu' --verbose --show-trace
+  use utils.nu *; \
  nixos-switch suzu {{mode}}
 rakushun:
  colmena apply --on '@rakushun' --build-on-target --verbose --show-trace
 rakushun-local mode="default":
  use utils.nu *; \
  nixos-switch rakushun {{mode}}
 ############################################################################
 #
--- a/flake.lock
+++ b/flake.lock
@@ -773,6 +773,21 @@
        "type": "github"
      }
    },
    "nixlib_2": {
      "locked": {
        "lastModified": 1709426687,
        "narHash": "sha256-jLBZmwXf0WYHzLkmEMq33bqhX55YtT5edvluFr0RcSA=",
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
        "rev": "7873d84a89ae6e4841528ff7f5697ddcb5bdfe6c",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
        "type": "github"
      }
    },
    "nixos-generators": {
      "inputs": {
        "nixlib": "nixlib",
@@ -794,6 +809,28 @@
        "type": "github"
      }
    },
    "nixos-generators_2": {
      "inputs": {
        "nixlib": "nixlib_2",
        "nixpkgs": [
          "nixos-rk3588",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1709557527,
        "narHash": "sha256-PV8oYqhTHX6FGZMQ1m5dhRuS914AhofPwgnAMhUZtwE=",
        "owner": "nix-community",
        "repo": "nixos-generators",
        "rev": "d048d6fc4bada612ff08d4b9d5edc48d45389431",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "nixos-generators",
        "type": "github"
      }
    },
    "nixos-hardware": {
      "locked": {
        "lastModified": 1707842204,
@@ -831,15 +868,16 @@
    "nixos-rk3588": {
      "inputs": {
        "flake-utils": "flake-utils_5",
        "nixos-generators": "nixos-generators_2",
        "nixpkgs": "nixpkgs_5",
        "pre-commit-hooks": "pre-commit-hooks_2"
      },
      "locked": {
-        "lastModified": 1709478567,
+        "lastModified": 1709742375,
-        "narHash": "sha256-cfY5vuB9B5KdiVIzdHelldxfOcag/wPPTcbERQpzULs=",
+        "narHash": "sha256-UxXWq1k5KLKZJjCz34yMZt69Tlpz41fIxLTHLL1GVN4=",
        "owner": "ryan4yin",
        "repo": "nixos-rk3588",
-        "rev": "0eea4e4cf05f997833e5cd7c48847c83e0c5b193",
+        "rev": "3a492b825532656b5f1b9f26cc9668ecd64c0189",
        "type": "github"
      },
      "original": {
--- a/hosts/12kingdoms_rakushun/README.md
+++ b/hosts/12kingdoms_rakushun/README.md
@@ -0,0 +1,54 @@
 # Rakushun - Orange Pi 5 Plus
 LUKS encrypted SSD for NixOS, on Orange Pi 5 Plus.
 ## How to install NixOS on Orange Pi 5 Plus
 ### 1. Prepare a USB LUKS key
 Generate LUKS keyfile to encrypt the root partition, it's used by disko.
 ```bash
 # partition the usb stick
 DEV=/dev/sdX
 parted ${DEV} -- mklabel gpt
 parted ${DEV} -- mkpart OPI5P_DSC fat32 0% 512MB
 mkfs.fat -F 32 -n OPI5P_DSC ${DEV}1
 # Generate a keyfile from the true random number generator
 KEYFILE=./orangepi5plus-luks-keyfile
 dd bs=512 count=64 iflag=fullblock if=/dev/random of=$KEYFILE
 # copy the keyfile and token to the usb stick
 KEYFILE=./orangepi5plus-luks-keyfile
 DEVICE=/dev/disk/by-label/OPI5P_DSC
 # seek=128 skip N obs-sized output blocks to avoid overwriting the filesystem header
 dd bs=512 count=64 iflag=fullblock seek=128 if=$KEYFILE of=$DEVICE
 ```
 ### 2. Partition the SSD & install NixOS via disko
 First, follow [UEFI - ryan4yin/nixos-rk3588](https://github.com/ryan4yin/nixos-rk3588/blob/main/UEFI.md) to install UEFI bootloader and boot into NixOS live environment via a USB stick.
 Then, run the following commands:
 ```bash
 # transfer the nix-config to the target machine
 rsync -avzP ~/nix-config rk@<ip-addr>:/home/rk/
 # login via ssh
 ssh rk@<ip-addr>
 cd ~/nix-config/hosts/12kingdoms_rakushun
 # 1. change the disk device path in ./disko-fs.nix to the disk you want to use
 # 2. partition & format the disk via disko
 sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko -- --mode disko ./disko-fs.nix
 cd ~/nix-config
 # install nixos
 # NOTE: the root password you set here will be discarded when reboot
 sudo nixos-install --root /mnt --flake .#rakushun --no-root-password --show-trace --verbose
 ```
--- a/hosts/12kingdoms_rakushun/default.nix
+++ b/hosts/12kingdoms_rakushun/default.nix
@@ -0,0 +1,48 @@
 {
  disko,
  nixos-rk3588,
  vars_networking,
  ...
 }:
 #############################################################
 #
 #  Suzu - Orange Pi 5 Plus, RK3588 + 16GB RAM
 #
 #############################################################
 let
  hostName = "rakushun"; # Define your hostname.
  hostAddress = vars_networking.hostAddress.${hostName};
 in {
  imports = [
    # import the rk3588 module, which contains the configuration for bootloader/kernel/firmware
    nixos-rk3588.nixosModules.orangepi5plus.core
    disko.nixosModules.default
    ./disko-fs.nix
    ./hardware-configuration.nix
  ];
  networking = {
    inherit hostName;
    inherit (vars_networking) defaultGateway nameservers;
    networkmanager.enable = false;
    # RJ45 port 1
    interfaces.enP4p65s0 = {
      useDHCP = false;
      ipv4.addresses = [hostAddress];
    };
    # RJ45 port 2
    # interfaces.enP3p49s0 = {
    # useDHCP = false;
    # ipv4.addresses = [hostAddress];
    # };
  };
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "23.11"; # Did you read the comment?
 }
--- a/hosts/12kingdoms_rakushun/disko-fs.nix
+++ b/hosts/12kingdoms_rakushun/disko-fs.nix
@@ -0,0 +1,98 @@
 {
  disko.devices = {
    # TODO: rename to nvme0n1
    disk.sda = {
      type = "disk";
      # When using disko-install, we will overwrite this value from the commandline
      device = "/dev/nvme0n1"; # The device to partition
      content = {
        type = "gpt";
        partitions = {
          # The EFI & Boot partition
          ESP = {
            size = "630M";
            type = "EF00";
            content = {
              type = "filesystem";
              format = "vfat";
              mountpoint = "/boot";
              mountOptions = [
                "defaults"
              ];
            };
          };
          # The root partition
          luks = {
            size = "100%";
            content = {
              type = "luks";
              name = "crypted";
              settings = {
                keyFile = "/dev/disk/by-label/OPI5P_DSC"; # The keyfile is stored on a USB stick
                # The maxium size of the keyfile is 8192 bytes
                keyFileSize = 512 * 64; # match the `bs * count` of the `dd` command
                keyFileOffset = 512 * 128; # match the `bs * skip` of the `dd` command
                fallbackToPassword = true;
                allowDiscards = true;
              };
              # Whether to add a boot.initrd.luks.devices entry for the specified disk.
              initrdUnlock = true;
              # encrypt the root partition with luks2 and argon2id, will prompt for a passphrase, which will be used to unlock the partition.
              # cryptsetup luksFormat
              extraFormatArgs = [
                "--type luks2"
                "--cipher aes-xts-plain64"
                "--hash sha512"
                "--iter-time 5000"
                "--key-size 256"
                "--pbkdf argon2id"
                # use true random data from /dev/random, will block until enough entropy is available
                "--use-random"
              ];
              extraOpenArgs = [
                "--timeout 10"
              ];
              content = {
                type = "btrfs";
                extraArgs = ["-f"];
                subvolumes = {
                  # TODO: tmpfs on root
                  "@root" = {
                    mountpoint = "/";
                    mountOptions = ["compress-force=zstd:1" "noatime"];
                  };
                  "@home" = {
                    mountpoint = "/home";
                    mountOptions = ["compress-force=zstd:1"];
                  };
                  "@lib" = {
                    mountpoint = "/var/lib";
                    mountOptions = ["compress-force=zstd:1"];
                  };
                  "@nix" = {
                    mountpoint = "/nix";
                    mountOptions = ["compress-force=zstd:1" "noatime"];
                  };
                  "@tmp" = {
                    mountpoint = "/tmp";
                    mountOptions = ["compress-force=zstd:1" "noatime"];
                  };
                  "@snapshots" = {
                    mountpoint = "/snapshots";
                    mountOptions = ["compress-force=zstd:1" "noatime"];
                  };
                  "@swap" = {
                    mountpoint = "/swap";
                    swap.swapfile.size = "16384M";
                  };
                };
              };
            };
          };
        };
      };
    };
  };
 }
--- a/hosts/12kingdoms_rakushun/hardware-configuration.nix
+++ b/hosts/12kingdoms_rakushun/hardware-configuration.nix
@@ -0,0 +1,39 @@
 {
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }: {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];
  boot.loader = {
    # depending on how you configured your disk mounts, change this to /boot or /boot/efi.
    efi.efiSysMountPoint = "/boot/";
    efi.canTouchEfiVariables = true;
    # do not use systemd-boot here, it has problems when running `nixos-install`
    grub = {
      device = "nodev";
      efiSupport = true;
    };
  };
  # clear /tmp on boot to get a stateless /tmp directory.
  boot.tmp.cleanOnBoot = true;
  boot.initrd.availableKernelModules = ["nvme" "usbhid" "usb_storage"];
  boot.initrd.kernelModules = [];
  boot.kernelModules = [];
  boot.extraModulePackages = [];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enP3p49s0.useDHCP = lib.mkDefault true;
  # networking.interfaces.enP4p65s0.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
 }
--- a/hosts/12kingdoms_suzu/README.md
+++ b/hosts/12kingdoms_suzu/README.md
@@ -0,0 +1,54 @@
 # Suzu - Orange Pi 5
 LUKS encrypted SSD for NixOS, on Orange Pi 5.
 ## How to install NixOS on Orange Pi 5 
 ### 1. Prepare a USB LUKS key
 Generate LUKS keyfile to encrypt the root partition, it's used by disko.
 ```bash
 # partition the usb stick
 DEV=/dev/sdX
 parted ${DEV} -- mklabel gpt
 parted ${DEV} -- mkpart primary 2M 512MB
 mkfs.fat -F 32 -n OPI5_DSC ${DEV}1
 # Generate a keyfile from the true random number generator
 KEYFILE=./orangepi5-luks-keyfile
 dd bs=512 count=64 iflag=fullblock if=/dev/random of=$KEYFILE
 # copy the keyfile and token to the usb stick
 KEYFILE=./orangepi5-luks-keyfile
 DEVICE=/dev/disk/by-label/OPI5_DSC
 # seek=128 skip N obs-sized output blocks to avoid overwriting the filesystem header
 dd bs=512 count=64 iflag=fullblock seek=128 if=$KEYFILE of=$DEVICE
 ```
 ### 2. Partition the SSD & install NixOS via disko
 First, follow [UEFI - ryan4yin/nixos-rk3588](https://github.com/ryan4yin/nixos-rk3588/blob/main/UEFI.md) to install UEFI bootloader and boot into NixOS live environment via a USB stick.
 Then, run the following commands:
 ```bash
 # login via ssh
 ssh rk@<ip-addr>
 git clone https://github.com/ryan4yin/nix-config.git
 cd ~/nix-config/hosts/12kingdoms_suzu
 # 1. change the disk device path in ./disko-fs.nix to the disk you want to use
 # 2. partition & format the disk via disko
 sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko -- --mode disko ./disko-fs.nix
 cd ~/nix-config
 # install nixos
 # NOTE: the root password you set here will be discarded when reboot
 sudo nixos-install --root /mnt --flake .#suzu --no-root-password --show-trace --verbose
 ```
--- a/hosts/12kingdoms_suzu/default.nix
+++ b/hosts/12kingdoms_suzu/default.nix
@@ -1,11 +1,12 @@
 {
  disko,
  nixos-rk3588,
  vars_networking,
  ...
 }:
 #############################################################
 #
-#  Suzu - Orange Pi 5, RK3588s
+#  Suzu - Orange Pi 5 Plus, RK3588 + 16GB RAM
 #
 #############################################################
 let
@@ -14,7 +15,10 @@ let
 in {
  imports = [
    # import the rk3588 module, which contains the configuration for bootloader/kernel/firmware
-    nixos-rk3588.nixosModules.orangepi5
+    nixos-rk3588.nixosModules.orangepi5plus.core
    disko.nixosModules.default
    ./disko-fs.nix
    ./hardware-configuration.nix
  ];
  networking = {
--- a/hosts/12kingdoms_suzu/disko-fs.nix
+++ b/hosts/12kingdoms_suzu/disko-fs.nix
@@ -0,0 +1,98 @@
 {
  disko.devices = {
    # TODO: rename to nvme0n1
    disk.sda = {
      type = "disk";
      # When using disko-install, we will overwrite this value from the commandline
      device = "/dev/nvme0n1"; # The device to partition
      content = {
        type = "gpt";
        partitions = {
          # The EFI & Boot partition
          ESP = {
            size = "630M";
            type = "EF00";
            content = {
              type = "filesystem";
              format = "vfat";
              mountpoint = "/boot";
              mountOptions = [
                "defaults"
              ];
            };
          };
          # The root partition
          luks = {
            size = "100%";
            content = {
              type = "luks";
              name = "crypted";
              settings = {
                keyFile = "/dev/disk/by-label/OPI5_DSC"; # The keyfile is stored on a USB stick
                # The maxium size of the keyfile is 8192 bytes
                keyFileSize = 512 * 64; # match the `bs * count` of the `dd` command
                keyFileOffset = 512 * 128; # match the `bs * skip` of the `dd` command
                fallbackToPassword = true;
                allowDiscards = true;
              };
              # Whether to add a boot.initrd.luks.devices entry for the specified disk.
              initrdUnlock = true;
              # encrypt the root partition with luks2 and argon2id, will prompt for a passphrase, which will be used to unlock the partition.
              # cryptsetup luksFormat
              extraFormatArgs = [
                "--type luks2"
                "--cipher aes-xts-plain64"
                "--hash sha512"
                "--iter-time 5000"
                "--key-size 256"
                "--pbkdf argon2id"
                # use true random data from /dev/random, will block until enough entropy is available
                "--use-random"
              ];
              extraOpenArgs = [
                "--timeout 10"
              ];
              content = {
                type = "btrfs";
                extraArgs = ["-f"];
                subvolumes = {
                  # TODO: tmpfs on root
                  "@root" = {
                    mountpoint = "/";
                    mountOptions = ["compress-force=zstd:1" "noatime"];
                  };
                  "@home" = {
                    mountpoint = "/home";
                    mountOptions = ["compress-force=zstd:1"];
                  };
                  "@lib" = {
                    mountpoint = "/var/lib";
                    mountOptions = ["compress-force=zstd:1"];
                  };
                  "@nix" = {
                    mountpoint = "/nix";
                    mountOptions = ["compress-force=zstd:1" "noatime"];
                  };
                  "@tmp" = {
                    mountpoint = "/tmp";
                    mountOptions = ["compress-force=zstd:1" "noatime"];
                  };
                  "@snapshots" = {
                    mountpoint = "/snapshots";
                    mountOptions = ["compress-force=zstd:1" "noatime"];
                  };
                  "@swap" = {
                    mountpoint = "/swap";
                    swap.swapfile.size = "8192M";
                  };
                };
              };
            };
          };
        };
      };
    };
  };
 }
--- a/hosts/12kingdoms_suzu/hardware-configuration.nix
+++ b/hosts/12kingdoms_suzu/hardware-configuration.nix
@@ -0,0 +1,39 @@
 {
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }: {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];
  boot.loader = {
    # depending on how you configured your disk mounts, change this to /boot or /boot/efi.
    efi.efiSysMountPoint = "/boot/";
    efi.canTouchEfiVariables = true;
    # do not use systemd-boot here, it has problems when running `nixos-install`
    grub = {
      device = "nodev";
      efiSupport = true;
    };
  };
  # clear /tmp on boot to get a stateless /tmp directory.
  boot.tmp.cleanOnBoot = true;
  boot.initrd.availableKernelModules = ["nvme" "usbhid" "usb_storage"];
  boot.initrd.kernelModules = [];
  boot.kernelModules = [];
  boot.extraModulePackages = [];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enP3p49s0.useDHCP = lib.mkDefault true;
  # networking.interfaces.enP4p65s0.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
 }
--- a/hosts/README.md
+++ b/hosts/README.md
@@ -6,17 +6,18 @@
 2. `idols`
   1. `ai`: My main computer, with NixOS + I5-13600KF + RTX 4090 GPU, for gaming & daily use.
   2. `aquamarine`: My NixOS virtual machine as a router(IPv4 only) with a tranparent proxy to bypass the G|F|W.
-   4. `ruby`: Another NixOS VM running operation and maintenance related services, such as prometheus, grafana, restic, etc.
+   3. `ruby`: Another NixOS VM running operation and maintenance related services, such as prometheus, grafana, restic, etc.
-   3. `kana`: Yet another NixOS VM running some common applications, such as hompage, file browser, torrent downloader, etc.
+   4. `kana`: Yet another NixOS VM running some common applications, such as hompage, file browser, torrent downloader, etc.
 3. Homelab:
   1. `tailscale_gw`: A tailscale subnet router(gateway) for accessing my homelab remotely. NixOS VM running on Proxmox.
 4. `rolling_girls`: My RISCV64 hosts.
   1. `nozomi`: Lichee Pi 4A, TH1520(4xC910@2.0G), 8GB RAM + 32G eMMC + 64G SD Card.
   2. `yukina`: Lichee Pi 4A(Internal Test Version), TH1520(4xC910@2.0G), 8GB RAM + 8G eMMC + 128G SD Card.
   3. `chiaya`: Milk-V Mars, JH7110(4xU74@1.5 GHz), 4G RAM + No eMMC + 64G SD Card.
-5. `12kingdoms`: 
+5. `12kingdoms`:
   1. `shoukei`: NixOS on Macbook Pro 2020 Intel i5, 13.3-inch, 16G RAM + 512G SSD.
   1. `suzu`: Orange Pi 5, RK3588s(4xA76 + 4xA55), GPU(4Cores, Mail-G610), NPU(6Tops@int8), 8G RAM + 256G SSD.
   1. `rakushun`: Orange Pi 5 Plus, RK3588(4xA76 + 4xA55), GPU(4Cores, Mail-G610), NPU(6Tops@int8), 16G RAM + 2T SSD.
 6. `kubernetes`: My Kubernetes Cluster
 ## idols - Oshi no Ko
@@ -29,7 +30,6 @@ My All RISCV64 hosts.
 ![](/_img/nixos-riscv-cluster.webp)
 ## Distributed Building
 I usually run the build command on `Ai` and nix will distribute the build to other NixOS machines, which is convenient and fast.
@@ -40,7 +40,6 @@ When building some packages for riscv64 or aarch64, I often have no cache availa
 ![](/_img/nix-distributed-building-log.webp)
 ## References
 [Oshi no Ko 【推しの子】 - Wikipedia](https://en.wikipedia.org/wiki/Oshi_no_Ko):
--- a/modules/nixos/base/packages.nix
+++ b/modules/nixos/base/packages.nix
@@ -18,6 +18,7 @@
    iftop
    btop
    nmon
    sysbench
    # system tools
    psmisc # killall/pstree/prtstat/fuser/...
--- a/modules/nixos/server/server-aarch64.nix
+++ b/modules/nixos/server/server-aarch64.nix
@@ -15,6 +15,7 @@
    ../../base.nix
  ];
  boot.loader.timeout = lib.mkForce 3; # wait for 3 seconds to select the boot entry
  # Fix: jasper is marked as broken, refusing to evaluate.
  environment.enableAllTerminfo = lib.mkForce false;
 }
--- a/modules/nixos/server/server-riscv64.nix
+++ b/modules/nixos/server/server-riscv64.nix
@@ -1,4 +1,4 @@
-{pkgs, ...}: {
+{lib, ...}: {
  # =========================================================================
  #      Base NixOS Configuration
  # =========================================================================
@@ -14,4 +14,6 @@
    ../../base.nix
  ];
  boot.loader.timeout = lib.mkForce 3; # wait for 3 seconds to select the boot entry
 }
--- a/nixos-installer/README.md
+++ b/nixos-installer/README.md
@@ -200,11 +200,11 @@ rm -rf /mnt/etc
 # install nixos
 # NOTE: the root password you set here will be discarded when reboot
-nixos-install --root /mnt --flake .#ai --no-root-password --show-trace # instlall-1
+nixos-install --root /mnt --flake .#ai --no-root-password --show-trace --verbose # instlall-1
 # if you want to use a cache mirror, run this command instead
 # replace the mirror url with your own
-nixos-install --root /mnt --flake .#ai --no-root-password --show-trace --option substituters "https://mirror.sjtu.edu.cn/nix-channels/store"  # install-2
+nixos-install --root /mnt --flake .#ai --no-root-password --show-trace --verbose --option substituters "https://mirror.sjtu.edu.cn/nix-channels/store"  # install-2
 # enter into the installed system, check password & users
 # `su ryan` => `sudo -i` => enter ryan's password => successfully login
--- a/nixos-installer/README.shoukei.md
+++ b/nixos-installer/README.shoukei.md
@@ -180,11 +180,11 @@ rm -rf /mnt/etc
 # install nixos
 # NOTE: the root password you set here will be discarded when reboot
-nixos-install --root /mnt --flake .#shoukei --no-root-password --show-trace # install-1
+nixos-install --root /mnt --flake .#shoukei --no-root-password --show-trace --verbose # install-1
 # if you want to use a cache mirror, run this command instead
 # replace the mirror url with your own
-nixos-install --root /mnt --flake .#shoukei --no-root-password --show-trace --option substituters "https://mirror.sjtu.edu.cn/nix-channels/store" # install-2
+nixos-install --root /mnt --flake .#shoukei --no-root-password --show-trace --verbose --option substituters "https://mirror.ustc.edu.cn/nix-channels/store" # install-2
 # enter into the installed system, check password & users
 # `su ryan` => `sudo -i` => enter ryan's password => successfully login
--- a/systems/colmena.nix
+++ b/systems/colmena.nix
@@ -27,14 +27,22 @@ with allSystemAttrs; let
  };
  # aarch64 related
-  # using the same nixpkgs as nixos-rk3588 to utilize the cross-compilation cache.
+  rk3588_pkgs = import nixos-rk3588.inputs.nixpkgs {system = aarch64_system;};
-  rk3588_pkgs = import nixos-rk3588.inputs.nixpkgs {system = x64_system;};
+  # aarch64 related
-  rk3588_specialArgs = {
+  rk3588_specialArgs = let
-    inherit username userfullname useremail;
+    # using the same nixpkgs as nixos-rk3588
    inherit (nixos-rk3588.inputs) nixpkgs;
-    # Provide rk3588 inputs as special argument
+    # use aarch64-linux's native toolchain
-    rk3588 = nixos-rk3588.inputs;
+    pkgsKernel = import nixpkgs {
-  };
+      system = aarch64_system;
    };
  in
    allSystemSpecialArgs.aarch64_system
    // {
      inherit nixpkgs;
      # Provide rk3588 inputs as special argument
      rk3588 = {inherit nixpkgs pkgsKernel;};
    };
  rk3588_base_args = {
    inherit home-manager;
    inherit (nixos-rk3588.inputs) nixpkgs; # or nixpkgs-unstable
@@ -55,6 +63,7 @@ in {
        # aarch64 SBCs
        suzu = rk3588_specialArgs;
        rakushun = rk3588_specialArgs;
      };
      nodeNixpkgs = {
        nozomi = lpi4a_pkgs;
@@ -62,6 +71,7 @@ in {
        # aarch64 SBCs
        suzu = rk3588_pkgs;
        rakushun = rk3588_pkgs;
      };
    };
@@ -137,5 +147,10 @@ in {
      _12kingdoms_suzu_modules
      {host_tags = _12kingdoms_suzu_tags;}
    ]);
    rakushun = colmenaSystem (attrs.mergeAttrsList [
      rk3588_base_args
      _12kingdoms_rakushun_modules
      {host_tags = _12kingdoms_rakushun_tags;}
    ]);
  };
 }
--- a/systems/nixos.nix
+++ b/systems/nixos.nix
@@ -8,6 +8,28 @@ with allSystemAttrs; let
    system = x64_system;
    specialArgs = allSystemSpecialArgs.x64_system;
  };
  # aarch64 related
  rk3588_specialArgs = let
    # using the same nixpkgs as nixos-rk3588
    inherit (nixos-rk3588.inputs) nixpkgs;
    # use aarch64-linux's native toolchain
    pkgsKernel = import nixpkgs {
      system = aarch64_system;
    };
  in
    allSystemSpecialArgs.aarch64_system
    // {
      inherit nixpkgs;
      # Provide rk3588 inputs as special argument
      rk3588 = {inherit nixpkgs pkgsKernel;};
    };
  rk3588_base_args = {
    inherit home-manager nixos-generators;
    inherit (nixos-rk3588.inputs) nixpkgs; # or nixpkgs-unstable
    system = aarch64_system;
    specialArgs = rk3588_specialArgs;
  };
 in {
  nixosConfigurations = {
    # ai with i3 window manager
@@ -32,9 +54,12 @@ in {
    k3s_prod_1_worker_3 = nixosSystem (k3s_prod_1_worker_3_modules // base_args);
    tailscale_gw = nixosSystem (homelab_tailscale_gw_modules // base_args);
    # aarch64 hosts
    suzu = nixosSystem (_12kingdoms_suzu_modules // rk3588_base_args);
    rakushun = nixosSystem (_12kingdoms_rakushun_modules // rk3588_base_args);
  };
  # take system images for idols
  # https://github.com/nix-community/nixos-generators
  packages."${x64_system}" = attrs.mergeAttrsList [
    (
--- a/systems/vars.nix
+++ b/systems/vars.nix
@@ -246,14 +246,21 @@ in {
    nixos-modules = [
      ../hosts/12kingdoms_suzu
      ../modules/nixos/server/server-aarch64.nix
      # cross-compilation this flake.
      {nixpkgs.crossSystem.config = "aarch64-unknown-linux-gnu";}
    ];
    # home-module.imports = [];
  };
  _12kingdoms_suzu_tags = ["aarch" "suzu"];
  # 楽俊, Rakushun
  _12kingdoms_rakushun_modules = {
    nixos-modules = [
      ../hosts/12kingdoms_rakushun
      ../modules/nixos/server/server-aarch64.nix
    ];
    # home-module.imports = [];
  };
  _12kingdoms_rakushun_tags = ["aarch" "rakushun"];
  # Shoukei (祥瓊, Shōkei)
  _12kingdoms_shoukei_modules_i3 = {
    nixos-modules =
--- a/systems/vars_networking.nix
+++ b/systems/vars_networking.nix
@@ -28,6 +28,7 @@
      "kubevirt-shoryu" = "192.168.5.176";
      "kubevirt-shushou" = "192.168.5.177";
      "kubevirt-youko" = "192.168.5.178";
      "rakushun" = "192.168.5.179";
      "tailscale-gw" = "192.168.5.192";
    };