feat: add TODO

.gitignore

@@ -1,3 +0,0 @@
-
-
-.smb_credentials

Makefile

@@ -0,0 +1,15 @@
+deploy: 
+	sudo nixos-rebuild switch --flake .
+
+debug:
+	sudo nixos-rebuild switch --flake . --show-trace --verbose
+
+update:
+	nix flake update
+
+history:
+	sudo nix-env --list-generations --profile /nix/var/nix/profiles/system
+
+gc:
+	sudo nix-collect-garbage --delete-older-than 14d
+

README.md

@@ -9,15 +9,18 @@ This repository is home to the nix code that builds my systems.
 
 ## TODO
 
-- [sops-nix](https://github.com/Mic92/sops-nix): secret management
-- [devShell](https://github.com/numtide/devshell): manage development environments
+- enable disk encryption to enhance data security
+- make fcitx5-rime work in vscode/chrome on wayland
 
 ## Why Nix?
 
 Nix allows for easy to manage, collaborative, reproducible deployments. This means that once something is setup and configured once, it works forever. If someone else shares their configuration, anyone can make use of it.
 
+Want to know Nix in details? Looking for a beginner-friendly tutorial? Check out [NixOS & Nix Flakes - A Guide for Beginners](https://thiscute.world/en/posts/nixos-and-flake-basics/)!
 
-## How to install Nix and Deploy this Flake?
+## How to Deploy this Flake?
+
+>Note: you should NOT deploy this flake directly on your machine, it contains my hardware information and personal information which is not suitable for you. You may use this repo as a reference to build your own configuration.
 
 After installed NixOS with `nix-command` & `flake` enabled, you can deploy this flake with the following command:
 
@@ -27,20 +30,40 @@ sudo nixos-rebuild switch --flake .#nixos-test
 
 
 # deploy my PC's configuration
-rm -rf ~/.config/fcitx5/profile ~/.config/mimeapps.list  # this file may be covered by fcitx5, so remove it first
 sudo nixos-rebuild switch --flake .#msi-rtx4090
+
+# or just deploy with hostname
+sudo nixos-rebuild switch
+
+# we can also deploy using make, which is defined in Makefile
+make deploy
+```
+
+## Install Apps from Flatpak
+
+We can install apps from flathub, which has a lot of apps that are not supported well in nixpkgs.
+
+```bash
+# Add the Flathub repository
+flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
+
+# install apps from flathub
+flatpak install netease-cloud-music-gtk
+
+# or you can search apps from flathub
+flatpak search <keyword>
+# search on website is also supported: https://flathub.org/
 ```
 
 ## Other Interesting Dotfiles
 
 Other configurations from where I learned and copied:
 
-- https://github.com/notwidow/hyprland
-- https://github.com/notusknot/dotfiles-nix
+- [notwidow/hyprland](https://github.com/notwidow/hyprland): hyprland configuration
+- [notusknot/dotfiles-nix](https://github.com/notusknot/dotfiles-nix)
 - [xddxdd/nixos-config](https://github.com/xddxdd/nixos-config)
 - [bobbbay/dotfiles](https://github.com/bobbbay/dotfiles)
 - [gytis-ivaskevicius/nixfiles](https://github.com/gytis-ivaskevicius/nixfiles)
 - [fufexan/dotfiles](https://github.com/fufexan/dotfiles)
-- [davidak/nixos-config](https://codeberg.org/davidak/nixos-config)
 - [davidtwco/veritas](https://github.com/davidtwco/veritas)
 - [NixOS-CN/NixOS-CN-telegram](https://github.com/NixOS-CN/NixOS-CN-telegram)

flake.lock

@@ -1,6 +1,87 @@
 {
   "nodes": {
+    "agenix": {
+      "inputs": {
+        "darwin": "darwin",
+        "home-manager": "home-manager",
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1684153753,
+        "narHash": "sha256-PVbWt3qrjYAK+T5KplFcO+h7aZWfEj1UtyoKlvcDxh0=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "db5637d10f797bb251b94ef9040b237f4702cde3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "db5637d10f797bb251b94ef9040b237f4702cde3",
+        "type": "github"
+      }
+    },
+    "darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1684343812,
+        "narHash": "sha256-ZTEjiC8PDKeP8JRchuwcFXUNlMcyQ4U+DpyVZ3pB6Q4=",
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "rev": "dfbdabbb3e797334172094d4f6c0ffca8c791281",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lnl7",
+        "ref": "master",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
+    "devenv": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "nix": "nix",
+        "nixpkgs": "nixpkgs_2",
+        "pre-commit-hooks": "pre-commit-hooks"
+      },
+      "locked": {
+        "lastModified": 1678113758,
+        "narHash": "sha256-mD3SkN43b1s5CJ8Rx3l2oK3Dqgs+6Ze0FfWrdMcrrYk=",
+        "owner": "cachix",
+        "repo": "devenv",
+        "rev": "6455f319fc90e0be2071327093c5458f9afc61bf",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "ref": "v0.6.2",
+        "repo": "devenv",
+        "type": "github"
+      }
+    },
     "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1673956053,
+        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_2": {
       "locked": {
         "lastModified": 1680531544,
         "narHash": "sha256-8qbiDTYb1kGaDADRXTItpcMKQ1TeQVkuof6oEwHUvVA=",
@@ -38,6 +119,21 @@
       }
     },
     "flake-utils": {
+      "locked": {
+        "lastModified": 1667395993,
+        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_2": {
       "inputs": {
         "systems": "systems"
       },
@@ -55,18 +151,61 @@
         "type": "github"
       }
     },
+    "gitignore": {
+      "inputs": {
+        "nixpkgs": [
+          "devenv",
+          "pre-commit-hooks",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1660459072,
+        "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
     "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1684596126,
+        "narHash": "sha256-4RZZmygeEXpuBqEXGs38ZAcWjWKGwu13Iqbxub6wuJk=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "27ef11f0218d9018ebb2948d40133df2b1de622d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "home-manager_2": {
       "inputs": {
         "nixpkgs": [
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1683459775,
-        "narHash": "sha256-Ab1pIKOj7XRZbJAv4g9937ElhaZF7Pob3hqGTDKt5w8=",
+        "lastModified": 1684484967,
+        "narHash": "sha256-P3ftCqeJmDYS9LSr2gGC4XGGcp5vv8TOasJX6fVHWsw=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "6fc82e56971523acfe1a61dbcb20f4bb969b3990",
+        "rev": "b9a52ad20e58ebd003444915e35e3dd2c18fc715",
         "type": "github"
       },
       "original": {
@@ -78,20 +217,21 @@
     "hyprland": {
       "inputs": {
         "hyprland-protocols": "hyprland-protocols",
-        "nixpkgs": "nixpkgs",
+        "nixpkgs": "nixpkgs_3",
         "wlroots": "wlroots",
         "xdph": "xdph"
       },
       "locked": {
-        "lastModified": 1683414693,
-        "narHash": "sha256-TH7iHV4mcStMk0NzySOiKcUMY5tjmOM9VbdNHEanvSs=",
+        "lastModified": 1683130508,
+        "narHash": "sha256-Npf48UUfywneFYGEc7NQ59xudwvw7EJjwweT4tHguIY=",
         "owner": "hyprwm",
         "repo": "Hyprland",
-        "rev": "a31dceb2c623c41565193328f98b50694917e0bf",
+        "rev": "f27873a6f06dc2f87600edb890f3c38298bfb55f",
         "type": "github"
       },
       "original": {
         "owner": "hyprwm",
+        "ref": "v0.25.0",
         "repo": "Hyprland",
         "type": "github"
       }
@@ -119,7 +259,7 @@
     },
     "lib-aggregate": {
       "inputs": {
-        "flake-utils": "flake-utils",
+        "flake-utils": "flake-utils_2",
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
@@ -136,10 +276,50 @@
         "type": "github"
       }
     },
+    "lowdown-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1633514407,
+        "narHash": "sha256-Dw32tiMjdK9t3ETl5fzGrutQTzh2rufgZV4A/BbxuD4=",
+        "owner": "kristapsdz",
+        "repo": "lowdown",
+        "rev": "d2c2b44ff6c27b936ec27358a2653caaef8f73b8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "kristapsdz",
+        "repo": "lowdown",
+        "type": "github"
+      }
+    },
+    "nix": {
+      "inputs": {
+        "lowdown-src": "lowdown-src",
+        "nixpkgs": [
+          "devenv",
+          "nixpkgs"
+        ],
+        "nixpkgs-regression": "nixpkgs-regression"
+      },
+      "locked": {
+        "lastModified": 1676545802,
+        "narHash": "sha256-EK4rZ+Hd5hsvXnzSzk2ikhStJnD63odF7SzsQ8CuSPU=",
+        "owner": "domenkozar",
+        "repo": "nix",
+        "rev": "7c91803598ffbcfe4a55c44ac6d49b2cf07a527f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "domenkozar",
+        "ref": "relaxed-flakes",
+        "repo": "nix",
+        "type": "github"
+      }
+    },
     "nix-eval-jobs": {
       "inputs": {
         "flake-parts": "flake-parts",
-        "nixpkgs": "nixpkgs_3"
+        "nixpkgs": "nixpkgs_5"
       },
       "locked": {
         "lastModified": 1682480188,
@@ -157,11 +337,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1683014792,
-        "narHash": "sha256-6Va9iVtmmsw4raBc3QKvQT2KT/NGRWlvUlJj46zN8B8=",
+        "lastModified": 1684570954,
+        "narHash": "sha256-FX5y4Sm87RWwfu9PI71XFvuRpZLowh00FQpIJ1WfXqE=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "1a411f23ba299db155a5b45d5e145b85a7aafc42",
+        "rev": "3005f20ce0aaa58169cdee57c8aa12e5f1b6e1b3",
         "type": "github"
       },
       "original": {
@@ -186,13 +366,45 @@
         "type": "github"
       }
     },
+    "nixpkgs-regression": {
+      "locked": {
+        "lastModified": 1643052045,
+        "narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
+        "type": "github"
+      }
+    },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1683383741,
-        "narHash": "sha256-rAQSBnFGNKNomUUyVl+7v0tnp45677t4Ovlh9f57k6Q=",
+        "lastModified": 1673800717,
+        "narHash": "sha256-SFHraUqLSu5cC6IxTprex/nTsI81ZQAtDvlBvGDWfnA=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "2f9fd351ec37f5d479556cd48be4ca340da59b8f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-22.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-stable_2": {
+      "locked": {
+        "lastModified": 1684398685,
+        "narHash": "sha256-TRE62m91iZ5ArVMgA+uj22Yda8JoQuuhc9uwZ+NoX+0=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "adc7c6f1bbaa73cda26be2323353b63a05b42f61",
+        "rev": "628d4bb6e9f4f0c30cfd9b23d3c1cdcec9d3cb5c",
         "type": "github"
       },
       "original": {
@@ -204,17 +416,17 @@
     },
     "nixpkgs-wayland": {
       "inputs": {
-        "flake-compat": "flake-compat",
+        "flake-compat": "flake-compat_2",
         "lib-aggregate": "lib-aggregate",
         "nix-eval-jobs": "nix-eval-jobs",
-        "nixpkgs": "nixpkgs_4"
+        "nixpkgs": "nixpkgs_6"
       },
       "locked": {
-        "lastModified": 1683454517,
-        "narHash": "sha256-T3ObyRj1BsR0MZfIqZ/y8dSqRBeRBulrnWYiFQaz98o=",
+        "lastModified": 1684592015,
+        "narHash": "sha256-6gFt1LE/stVQFeGI263pU6O5EAeY1TPTGee1vvbkwZo=",
         "owner": "nix-community",
         "repo": "nixpkgs-wayland",
-        "rev": "e40b5d9061325d66acb598e0ae7038ca149d626d",
+        "rev": "aeb1b88206756e867e398d18e2856b60fc803e12",
         "type": "github"
       },
       "original": {
@@ -225,11 +437,43 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1683408522,
-        "narHash": "sha256-9kcPh6Uxo17a3kK3XCHhcWiV1Yu1kYj22RHiymUhMkU=",
+        "lastModified": 1677534593,
+        "narHash": "sha256-PuZSAHeq4/9pP/uYH1FcagQ3nLm/DrDrvKi/xC9glvw=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "3ad64d9e2d5bf80c877286102355b1625891ae9a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_3": {
+      "locked": {
+        "lastModified": 1683014792,
+        "narHash": "sha256-6Va9iVtmmsw4raBc3QKvQT2KT/NGRWlvUlJj46zN8B8=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "1a411f23ba299db155a5b45d5e145b85a7aafc42",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_4": {
+      "locked": {
+        "lastModified": 1684570954,
+        "narHash": "sha256-FX5y4Sm87RWwfu9PI71XFvuRpZLowh00FQpIJ1WfXqE=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "897876e4c484f1e8f92009fd11b7d988a121a4e7",
+        "rev": "3005f20ce0aaa58169cdee57c8aa12e5f1b6e1b3",
         "type": "github"
       },
       "original": {
@@ -239,7 +483,7 @@
         "type": "github"
       }
     },
-    "nixpkgs_3": {
+    "nixpkgs_5": {
       "locked": {
         "lastModified": 1681347147,
         "narHash": "sha256-B+hTioRc3Jdf4SJyeCiO0fW5ShIznJk2OTiW2vOV+mc=",
@@ -255,13 +499,13 @@
         "type": "github"
       }
     },
-    "nixpkgs_4": {
+    "nixpkgs_6": {
       "locked": {
-        "lastModified": 1683408522,
-        "narHash": "sha256-9kcPh6Uxo17a3kK3XCHhcWiV1Yu1kYj22RHiymUhMkU=",
+        "lastModified": 1684570954,
+        "narHash": "sha256-FX5y4Sm87RWwfu9PI71XFvuRpZLowh00FQpIJ1WfXqE=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "897876e4c484f1e8f92009fd11b7d988a121a4e7",
+        "rev": "3005f20ce0aaa58169cdee57c8aa12e5f1b6e1b3",
         "type": "github"
       },
       "original": {
@@ -271,13 +515,59 @@
         "type": "github"
       }
     },
+    "nur": {
+      "locked": {
+        "lastModified": 1684585623,
+        "narHash": "sha256-28XEOYjrpzlVDt11Elz7db8R3HwY/4B6EspFscSRsfk=",
+        "owner": "nix-community",
+        "repo": "NUR",
+        "rev": "4e959da0346280293e4008150d48b82fe055a311",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "NUR",
+        "type": "github"
+      }
+    },
+    "pre-commit-hooks": {
+      "inputs": {
+        "flake-compat": [
+          "devenv",
+          "flake-compat"
+        ],
+        "flake-utils": "flake-utils",
+        "gitignore": "gitignore",
+        "nixpkgs": [
+          "devenv",
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1677160285,
+        "narHash": "sha256-tBzpCjMP+P3Y3nKLYvdBkXBg3KvTMo3gvi8tLQaqXVY=",
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "rev": "2bd861ab81469428d9c823ef72c4bb08372dd2c4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "type": "github"
+      }
+    },
     "root": {
       "inputs": {
-        "home-manager": "home-manager",
+        "agenix": "agenix",
+        "devenv": "devenv",
+        "home-manager": "home-manager_2",
         "hyprland": "hyprland",
-        "nixpkgs": "nixpkgs_2",
-        "nixpkgs-stable": "nixpkgs-stable",
-        "nixpkgs-wayland": "nixpkgs-wayland"
+        "nixpkgs": "nixpkgs_4",
+        "nixpkgs-stable": "nixpkgs-stable_2",
+        "nixpkgs-wayland": "nixpkgs-wayland",
+        "nur": "nur"
       }
     },
     "systems": {

flake.nix

@@ -19,13 +19,13 @@
     extra-substituters = [
       "https://nix-community.cachix.org"
       "https://nixpkgs-wayland.cachix.org"
-      # "https://nixos-cn.cachix.org"
+      "https://xddxdd.cachix.org"
     ];
     extra-trusted-public-keys = [
       "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
       "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
       "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
-      # "nixos-cn.cachix.org-1:L0jEaL6w7kwQOPlLoCR3ADx+E3Q8SEFEcB9Jaibl0Xg="
+      "xddxdd.cachix.org-1:ay1HJyNDYmlSwj5NXQG065C8LfoqqKaTNCyzeixGjf8=" 
     ];
   };
 
@@ -36,6 +36,11 @@
 
     nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";       # 使用 nixos-unstable 分支 for nix flakes
     nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-22.11";    # unstable branch may be broken sometimes, use stable branch when necessary
+    
+    # nix users repository
+    # used to install some packages not in nixpkgs
+    # e.g. wechat-uos/qqmusic/dingtalk
+    nur.url = github:nix-community/NUR;
 
     home-manager.url = "github:nix-community/home-manager";
     #　follows 是　inputs 中的继承语法
@@ -43,16 +48,15 @@
     home-manager.inputs.nixpkgs.follows = "nixpkgs";
 
     # modern window compositor
-    hyprland.url = "github:hyprwm/Hyprland";
+    hyprland.url = "github:hyprwm/Hyprland/v0.25.0";
     # community wayland nixpkgs
     nixpkgs-wayland.url = "github:nix-community/nixpkgs-wayland";
 
-    # # nixos-cn 提供了一些国内常用的程序包，如 qq wechat dingtalk 等
-    # nixos-cn = {
-    #   url = "github:nixos-cn/flakes";
-    #   # 强制 nixos-cn 和该 flake 使用相同版本的 nixpkgs
-    #   inputs.nixpkgs.follows = "nixpkgs";
-    # };
+    # use devenv to manage my development environment
+    devenv.url = "github:cachix/devenv/v0.6.2";
+    
+    # secrets management, lock with git commit at 2023/5/15
+    agenix.url = "github:ryantm/agenix/db5637d10f797bb251b94ef9040b237f4702cde3";
   };
 
   # outputs 的参数都是 inputs 中定义的依赖项，可以通过它们的名称来引用。
@@ -61,69 +65,14 @@
   outputs = inputs@{
       self,
       nixpkgs,
-      nixpkgs-stable,
       home-manager,
-      # nixos-cn,
       ...
   }: {
-    # 名为 nixosConfigurations 的 outputs 会在执行 `nixos-rebuild switch --flake .` 时被使用
-    # 默认情况下会使用与主机 hostname 同名的 nixosConfigurations，但是也可以通过 `--flake .#<name>` 来指定
     nixosConfigurations = {
-      # hostname 为 nixos-test 的主机会使用这个配置
-      # 这里使用了 nixpkgs.lib.nixosSystem 函数来构建配置，后面的 attributes set 是它的参数
-      # 在 nixos 上使用此命令部署配置：`nixos-rebuild switch --flake .#nixos-test`
-      nixos-test = nixpkgs.lib.nixosSystem {
-        system = "x86_64-linux";
-
-        # modules 中每个参数，都是一个 NixOS Module <https://nixos.org/manual/nixos/stable/index.html#sec-modularity>
-        # NixOS Module 可以是一个 attribute set，也可以是一个返回 attribute set 的函数
-        # 如果是函数，那么它的参数就是当前的 NixOS Module 的参数.
-        # 根据 Nix Wiki 对 NixOS modules 的描述，NixOS modules 函数的参数可以有这四个（详见本仓库中的 modules 文件）：
-        #
-        #  config: The configuration of the entire system
-        #  options: All option declarations refined with all definition and declaration references.
-        #  pkgs: The attribute set extracted from the Nix package collection and enhanced with the nixpkgs.config option.
-        #  modulesPath: The location of the module directory of NixOS.
-        #
-        # nix flake 的 modules 系统可将配置模块化，提升配置的可维护性
-        # 默认只能传上面这四个参数，如果需要传其他参数，必须使用 specialArgs
-        specialArgs = {
-          # inherit nixos-cn;
-          inherit nixpkgs-stable;
-        }; 
-        modules = [
-          ./hosts/nixos-test
-
-          # home-manager 作为 nixos 的一个 module
-          # 这样在 nixos-rebuild switch 时，home-manager 也会被自动部署，不需要额外执行 home-manager switch 命令
-          home-manager.nixosModules.home-manager
-          {
-            home-manager.useGlobalPkgs = true;
-            home-manager.useUserPackages = true;
-
-            # 使用 home-manager.extraSpecialArgs 自定义传递给 ./home 的参数
-            home-manager.extraSpecialArgs = inputs;
-            home-manager.users.ryan = import ./home;
-          }
-
-          ({pkgs, config, ... }: {
-            config = {
-              # use it as an overlay
-              nixpkgs.overlays = [ 
-                inputs.nixpkgs-wayland.overlay
-              ];
-            };
-          })
-        ];
-      };
-
       msi-rtx4090 = nixpkgs.lib.nixosSystem {
         system = "x86_64-linux";
 
-        specialArgs = {
-          # inherit nixos-cn;
-          inherit nixpkgs-stable;
-        }; 
+        specialArgs = inputs; 
         modules = [
           ./hosts/msi-rtx4090
 
@@ -142,8 +91,25 @@
       };
 
 
-      # 如果你在 x86_64-linux 平台上执行 nix build，那么默认会使用这个配置，或者也能通过 `.#<name>` 参数来指定非 default 的配置
-      # packages.x86_64-linux.default =
+      nixos-test = nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
+        specialArgs = inputs; 
+        modules = [
+          ./hosts/nixos-test
+
+          # home-manager 作为 nixos 的一个 module
+          # 这样在 nixos-rebuild switch 时，home-manager 也会被自动部署，不需要额外执行 home-manager switch 命令
+          home-manager.nixosModules.home-manager
+          {
+            home-manager.useGlobalPkgs = true;
+            home-manager.useUserPackages = true;
+
+            # 使用 home-manager.extraSpecialArgs 自定义传递给 ./home 的参数
+            home-manager.extraSpecialArgs = inputs;
+            home-manager.users.ryan = import ./home;
+          }
+        ];
+      };
     };
   };
 }

home/default.nix

@@ -3,7 +3,9 @@
 {
 
   imports = [
+    ./fcitx5
     ./hyprland
+    # ./i3
     ./programs
     ./rofi
     ./shell

home/fcitx5/default.nix

@@ -0,0 +1,34 @@
+{pkgs, config, lib, ... }: {
+
+  home.file.".config/fcitx5/profile".source = ./profile;
+  home.file.".config/fcitx5/profile-bak".source = ./profile;  # used for backup
+  # fcitx5 每次切换输入法，就会修改 ~/.config/fcitx5/profile 文件，导致我用 hm 管理的配置被覆盖
+  # 解决方法是通过如下内置，每次 rebuild 前都先删除下 profile 文件
+  home.activation.removeExistingFcitx5Profile = lib.hm.dag.entryBefore ["checkLinkTargets"] ''
+    rm -f "${config.xdg.configHome}/fcitx5/profile"
+  '';
+
+  i18n.inputMethod = {
+    enabled = "fcitx5";
+    fcitx5.addons = with pkgs; [
+        # for flypy chinese input method
+        fcitx5-rime
+        # needed enable rime using configtool after installed
+        fcitx5-configtool
+        fcitx5-chinese-addons
+        # fcitx5-mozc    # japanese input method
+        fcitx5-gtk     # gtk im module
+      ];
+  };
+
+  systemd.user.sessionVariables = {
+    # copy from  https://github.com/nix-community/home-manager/blob/master/modules/i18n/input-method/fcitx5.nix
+    GLFW_IM_MODULE = "fcitx";
+    GTK_IM_MODULE = "fcitx";
+    QT_IM_MODULE = "fcitx";
+    XMODIFIERS = "@im=fcitx";
+    INPUT_METHOD = "fcitx";
+    IMSETTINGS_MODULE  = "fcitx";
+    
+  };
+}

home/fcitx5/profile

@@ -12,11 +12,6 @@ Name=rime
 # Layout
 Layout=
 
-[Groups/0/Items/1]
-# Name
-Name=keyboard-us
-# Layout
-Layout=
-
 [GroupOrder]
-0=Other
+0=Other
+

home/hyprland/default.nix

@@ -1,6 +1,7 @@
 {
   pkgs,
   config,
+  lib,
   ...
 }: {
   # hyprland configs, based on https://github.com/notwidow/hyprland
@@ -15,10 +16,6 @@
   };
   home.file.".gtkrc-2.0".source = ./gtkrc-2.0;
   home.file.".config/hypr/wallpapers/wallpaper.png".source = ../wallpapers/wallpaper.png;
-  home.file.".config/fcitx5" = {
-    source = ./fcitx5;
-    recursive = true;
-  };
 
   # allow fontconfig to discover fonts and configurations installed through home.packages
   fonts.fontconfig.enable = true;
@@ -35,14 +32,14 @@
     "__GLX_VENDOR_LIBRARY_NAME" = "nvidia";
     "WLR_NO_HARDWARE_CURSORS" = "1";
     "WLR_EGL_NO_MODIFIRES" = "1";
-
-    # copy from  https://github.com/nix-community/home-manager/blob/master/modules/i18n/input-method/fcitx5.nix
-    GLFW_IM_MODULE = "fcitx";
-    GTK_IM_MODULE = "fcitx";
-    QT_IM_MODULE = "fcitx";
-    XMODIFIERS = "@im=fcitx";
-    INPUT_METHOD = "fcitx";
-    IMSETTINGS_MODULE  = "fcitx";
   };
+
+  # set cursor size and dpi for 4k monitor
+  # this is for xwayland
+  xresources.properties = {
+    "Xcursor.size" = 16;
+    "Xft.dpi" = 160;
+  };
+
 }
 

home/hyprland/fcitx5/conf/notifications.conf

@@ -1,3 +0,0 @@
-# Hidden Notifications
-HiddenNotifications=
-

home/hyprland/fcitx5/config

@@ -1,75 +0,0 @@
-[Hotkey]
-# Enumerate when press trigger key repeatedly
-EnumerateWithTriggerKeys=True
-# Skip first input method while enumerating
-EnumerateSkipFirst=False
-
-[Hotkey/TriggerKeys]
-0=Control+space
-1=Zenkaku_Hankaku
-2=Hangul
-
-[Hotkey/AltTriggerKeys]
-0=Shift_L
-
-[Hotkey/EnumerateForwardKeys]
-0=Control+Shift_L
-
-[Hotkey/EnumerateBackwardKeys]
-0=Control+Shift_R
-
-[Hotkey/EnumerateGroupForwardKeys]
-0=Super+space
-
-[Hotkey/EnumerateGroupBackwardKeys]
-0=Shift+Super+space
-
-[Hotkey/ActivateKeys]
-0=Hangul_Hanja
-
-[Hotkey/DeactivateKeys]
-0=Hangul_Romaja
-
-[Hotkey/PrevPage]
-0=Up
-
-[Hotkey/NextPage]
-0=Down
-
-[Hotkey/PrevCandidate]
-0=Shift+Tab
-
-[Hotkey/NextCandidate]
-0=Tab
-
-[Hotkey/TogglePreedit]
-0=Control+Alt+P
-
-[Behavior]
-# Active By Default
-ActiveByDefault=False
-# Share Input State
-ShareInputState=No
-# Show preedit in application
-PreeditEnabledByDefault=True
-# Show Input Method Information when switch input method
-ShowInputMethodInformation=True
-# Show Input Method Information when changing focus
-showInputMethodInformationWhenFocusIn=False
-# Show compact input method information
-CompactInputMethodInformation=True
-# Show first input method information
-ShowFirstInputMethodInformation=True
-# Default page size
-DefaultPageSize=5
-# Override Xkb Option
-OverrideXkbOption=False
-# Custom Xkb Option
-CustomXkbOption=
-# Force Enabled Addons
-EnabledAddons=
-# Force Disabled Addons
-DisabledAddons=
-# Preload input method to be used by default
-PreloadInputMethod=True
-

home/hyprland/hypr-conf/hyprland.conf

@@ -193,8 +193,19 @@ exec-once=~/.config/hypr/scripts/startup
 
 
 #-- Fcitx5 input method ----------------------------------------------------
-windowrule=pseudo,fcitx
-exec-once=fcitx5-remote -r
-exec-once=fcitx5 -d --replace
-exec-once=fcitx5-remote -r
-bind=ALT,E,exec,pkill fcitx5 -9;sleep 1;fcitx5 -d --replace; sleep 1;fcitx5-remote -r
+windowrule=pseudo,fcitx    # enable this will make fcitx5 works, but fcitx5-configtool will not work!
+exec-once=cp ~/.config/fcitx5/profile-bak ~/.config/fcitx5/profile    # restore fcitx5 profile manged by nixos
+exec-once=fcitx5 -d --replace     # start fcitx5 daemon
+bind=ALT,E,exec,pkill fcitx5 -9;sleep 1;fcitx5 -d --replace; sleep 1;fcitx5-remote -r
+
+
+# -- Fix input method in vscode
+exec-once = hyprctl setcursor "Bibata-Modern-Ice" 24
+# 效果是 wayland 原生窗口缩放完全正常
+# xwayland 窗口先渲染到 200% 再降到 hyprland config 里 monitor 设置的值，看上去和原生没啥区别
+# 相比较一开始的方案输入法字体大小也正确了．唯一有点问题的可能是 xwayland 窗口下的鼠标指针大小不对
+exec-once = xprop -root -f _XWAYLAND_GLOBAL_OUTPUT_SCALE 32c -set _XWAYLAND_GLOBAL_OUTPUT_SCALE 2
+exec-once = xrdb -merge ~/.Xresources
+# env = GDK_SCALE,2
+env = XCURSOR_SIZE,48
+env = XCURSOR_THEME,"Bibata-Modern-Ice"

home/i3/default.nix

@@ -1,6 +1,7 @@
 {
   pkgs,
   config,
+  lib,
   ...
 }: {
   # i3 配置，基于 https://github.com/endeavouros-team/endeavouros-i3wm-setup
@@ -18,16 +19,19 @@
     executable = true;  # make all scripts executable
   };
 
+  # allow fontconfig to discover fonts and configurations installed through home.packages
+  fonts.fontconfig.enable = true;
+
+  systemd.user.sessionVariables = {
+    "LIBVA_DRIVER_NAME" = "nvidia";
+    "GBM_BACKEND" = "nvidia-drm";
+    "__GLX_VENDOR_LIBRARY_NAME" = "nvidia";
+  };
 
   # set cursor size and dpi for 4k monitor
   xresources.properties = {
     "Xcursor.size" = 16;
-    "Xft.dpi" = 192;
+    "Xft.dpi" = 160;
   };
 
-  # 直接以 text 的方式，在 nix 配置文件中硬编码文件内容
-  # home.file.".xxx".text = ''
-  #     xxx
-  # '';
-
 }

home/programs/browsers.nix

@@ -10,18 +10,46 @@
   };
   in {
   home.packages = with pkgs-stable; [
-    firefox-wayland
-
-    # chrome wayland support was broken on nixos-unstable branch, so fallback to stable branch for now
-    # https://github.com/swaywm/sway/issues/7562
-    google-chrome
+    firefox-wayland  # firefox with wayland support
+    # firefox
   ];
 
-  programs.vscode = {
-    enable = true;
-    package = pkgs-stable.vscode;  # use the stable version
 
-    # let vscode sync and update its configuration & extensions across devices, using github account.
-    # userSettings = {};
+  # TODO vscode & chrome both have wayland support, but they don't work with fcitx5, need to fix it.
+  programs = {
+
+    # source code: https://github.com/nix-community/home-manager/blob/master/modules/programs/chromium.nix
+    google-chrome = {
+      enable = true;
+
+      # chrome wayland support was broken on nixos-unstable branch, so fallback to stable branch for now
+      # https://github.com/swaywm/sway/issues/7562
+      package = pkgs-stable.google-chrome;
+
+      commandLineArgs = [
+        # make it use GTK_IM_MODULE if it runs with Gtk4, so fcitx5 can work with it.
+        # (only supported by chromium/chrome at this time, not electron) 
+        "--gtk-version=4"
+        # make it use text-input-v1, which works for kwin 5.27 and weston
+        # "--enable-wayland-ime"
+
+        # enable hardware acceleration - vulkan api
+        # "--enable-features=Vulkan"
+      ];
+    };
+
+    vscode = {
+      enable = true;
+      # use the stable version
+      package = pkgs-stable.vscode.override {
+        commandLineArgs = [
+          # make it use text-input-v1, which works for kwin 5.27 and weston
+          # "--enable-wayland-ime"
+        ];
+      };
+
+      # let vscode sync and update its configuration & extensions across devices, using github account.
+      # userSettings = {};
+    };
   };
 }

home/programs/common.nix

@@ -1,4 +1,7 @@
-{pkgs, ...}: {
+{pkgs, config, ...}: 
+
+
+{
   home.packages = with pkgs; [
     # archives
     zip
@@ -9,6 +12,9 @@
     ripgrep
     yq-go    # https://github.com/mikefarah/yq
     htop
+    iotop
+    iftop
+    nmon
 
     ## networking tools
     wireshark
@@ -85,9 +91,19 @@
     mycli
     pgcli
 
-    # desktop
-    tdesktop
+    # instant messaging
+    telegram-desktop
     discord
+    qq      # https://github.com/NixOS/nixpkgs/tree/master/pkgs/applications/networking/instant-messengers/qq
+
+    # music
+    musescore
+
+    # system call monitoring
+    strace
+    ltrace  # library call monitoring
+    lsof
+    mtr
   ];
 
   programs = {
@@ -96,6 +112,15 @@
       enable = true;
     };
 
+    # modern vim
+    neovim = {
+      enable = true;
+      defaultEditor = true;  # set nvim as default editor
+      extraConfig = ''
+        set number relativenumber
+      '';
+    };
+
     # a cat(1) clone with syntax highlighting and Git integration.
     bat = {
       enable = true;

home/programs/default.nix

@@ -8,7 +8,6 @@
     ./common.nix
     ./git.nix
     ./media.nix
-    # ./nixos-cn.nix
     ./xdg.nix
   ];
 }

home/programs/nixos-cn.nix

@@ -1,23 +0,0 @@
-{
-  pkgs,
-  config,
-  nixos-cn,
-  ...
-}:
-{
-  imports = [
-    # 将 nixos-cn flake 提供的 registry 添加到全局 registry 列表中
-    # 可在`nixos-rebuild switch`之后通过`nix registry list`查看
-    nixos-cn.nixosModules.nixos-cn-registries
-
-    # 引入nixos-cn flake提供的NixOS模块
-    nixos-cn.nixosModules.nixos-cn
-  ];
-
-  # # 使用 nixos-cn flake 提供的包
-  home.packages = with nixos-cn.legacyPackages.${pkgs.system}; [
-      # qq
-      # wechat-uos           # TODO failed to install
-      netease-cloud-music  # TODO chinese font missing
-    ];
-}

home/programs/xdg.nix

@@ -11,7 +11,7 @@
     "application/xhtml+xml" = browser;
     "text/html" = browser;
     "x-scheme-handler/about" = browser;
-    "x-scheme-handler/chrome" = ["chromium-browser.desktop"];
+    # "x-scheme-handler/chrome" = ["chromium-browser.desktop"];
     "x-scheme-handler/ftp" = browser;
     "x-scheme-handler/http" = browser;
     "x-scheme-handler/https" = browser;

home/shell/default.nix

@@ -2,7 +2,7 @@
   d = config.xdg.dataHome;
   c = config.xdg.configHome;
   cache = config.xdg.cacheHome;
-in {
+in rec {
   imports = [
     ./nushell
     ./common.nix
@@ -13,10 +13,12 @@ in {
   programs.bash = {
     enable = true;
     enableCompletion = true;
+    bashrcExtra = ''
+      export PATH="$PATH:$HOME/bin:$HOME/.local/bin:$HOME/go/bin"
+    '';
   };
 
   # add environment variables
-  # 注意不要用 home.sessionVariables 或 home.xxx.sessionVariables，这俩参数没用
   systemd.user.sessionVariables = {
     # clean up ~
     LESSHISTFILE = cache + "/less/history";
@@ -25,7 +27,6 @@ in {
     XAUTHORITY = "$XDG_RUNTIME_DIR/Xauthority";
 
     # set default applications
-    EDITOR = "vim";
     BROWSER = "firefox";
     TERMINAL = "alacritty";
 
@@ -35,6 +36,8 @@ in {
     MANPAGER = "sh -c 'col -bx | bat -l man -p'";
   };
 
+  home.sessionVariables = systemd.user.sessionVariables;
+
   home.shellAliases = {
     k = "kubectl";
   };

hosts/msi-rtx4090/cifs-mount.nix

@@ -5,7 +5,9 @@
   fileSystems."/home/ryan/SMB-Downloads" = {
       device = "//192.168.5.194/Downloads";
       fsType = "cifs";
-      options = ["vers=3.0,uid=1000,gid=100,dir_mode=0755,file_mode=0755,mfsymlinks,credentials=/etc/nixos/.smb_credentials,nofail"];
+      options = [
+        "vers=3.0,uid=1000,gid=100,dir_mode=0755,file_mode=0755,mfsymlinks,credentials=${config.age.secrets.smb-credentials.path},nofail"
+      ];
   };
 }
 

hosts/msi-rtx4090/default.nix

@@ -2,19 +2,30 @@
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 
-{ config, pkgs, ... }:
+
+{ config, pkgs, home-manager, nur, ... } @ args:
 
 {
-  imports =
-    [
-      ./cifs-mount.nix
-      ../../modules/system.nix
-      ../../modules/hyprland.nix
-      ../../modules/fcitx5
+  imports = [
+    # This adds a nur configuration option.
+    # Use `config.nur.repos.<user>.<package-name>` in NixOS Module for packages from the NUR.
+    nur.nixosModules.nur
 
-      # Include the results of the hardware scan.
-      ./hardware-configuration.nix
-    ];
+    ./cifs-mount.nix
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+
+    ../../modules/fhs-fonts.nix
+    ../../modules/hyprland.nix
+    #../../modules/i3.nix
+    ../../modules/nur-packages.nix
+    ../../modules/system.nix
+    ../../modules/user_group.nix
+
+    ../../secrets
+  ];
+
+  nixpkgs.overlays = import ../../overlays args;
 
   # Bootloader.
   boot.loader = {

hosts/nixos-test/default.nix

@@ -2,18 +2,28 @@
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 
-{ config, pkgs, ... }:
+{ config, pkgs, home-manager, nur, ... } @args:
 
 {
-  imports =
-    [
-      ../../modules/system.nix
-      ../../modules/hyprland.nix
-      ../../modules/fcitx5
+  imports = [
+    # This adds a nur configuration option.
+    # Use `config.nur.repos.<user>.<package-name>` in NixOS Module for packages from the NUR.
+    nur.nixosModules.nur
 
-      # Include the results of the hardware scan.
-      ./hardware-configuration.nix
-    ];
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+
+    ../../modules/fhs-fonts.nix
+    ../../modules/hyprland.nix
+    #../../modules/i3.nix
+    ../../modules/nur-packages.nix
+    ../../modules/system.nix
+    ../../modules/user_group.nix
+
+    ../../secrets
+  ];
+
+  nixpkgs.overlays = import ../../overlays args;
 
   # Bootloader.
   boot.loader = {

modules/fcitx5/default.nix

@@ -1,28 +0,0 @@
-{ config, pkgs, ... }:
-
-# related issues: https://github.com/hyprwm/Hyprland/discussions/421
-{
-  # 为了不使用默认的 rime-data，改用我自定义的小鹤音形数据，这里需要 override
-  # 参考 https://github.com/NixOS/nixpkgs/blob/e4246ae1e7f78b7087dce9c9da10d28d3725025f/pkgs/tools/inputmethods/fcitx5/fcitx5-rime.nix
-  nixpkgs.overlays = [
-    (self: super: {
-      # 小鹤音形配置，配置来自 flypy.com 官方网盘的鼠须管配置压缩包「小鹤音形“鼠须管”for macOS.zip」
-      # 我仅修改了 default.yaml 文件，将其中的半角括号改为了直角括号「 与 」。
-      rime-data = ./rime-data-flypy;
-      fcitx5-rime = super.fcitx5-rime.override { rimeDataPkgs = [ ./rime-data-flypy ]; };
-    })
-  ];
-
-  i18n.inputMethod = {
-    enabled = "fcitx5";
-    fcitx5.addons = with pkgs; [
-        # for flypy chinese input method
-        fcitx5-rime
-        # needed enable rime using configtool after installed
-        fcitx5-configtool
-        fcitx5-chinese-addons
-        # fcitx5-mozc    # japanese input method
-        fcitx5-gtk     # gtk im module
-      ];
-  };
-}

modules/fhs-fonts.nix

@@ -0,0 +1,25 @@
+# copy from https://github.com/NixOS/nixpkgs/issues/119433#issuecomment-1326957279
+# mainly for flatpak
+# bindfs resolves all symlink, allowing all fonts to be accessed at /usr/share/fonts, without letting /nix into the sandbox.
+
+{ config, pkgs, ... }:
+
+{
+  system.fsPackages = [ pkgs.bindfs ];
+  fileSystems = let
+    mkRoSymBind = path: {
+      device = path;
+      fsType = "fuse.bindfs";
+      options = [ "ro" "resolve-symlinks" "x-gvfs-hide" ];
+    };
+    aggregatedFonts = pkgs.buildEnv {
+      name = "system-fonts";
+      paths = config.fonts.fonts;
+      pathsToLink = [ "/share/fonts" ];
+    };
+  in {
+    # Create an FHS mount to support flatpak host icons/fonts
+    "/usr/share/icons" = mkRoSymBind (config.system.path + "/share/icons");
+    "/usr/share/fonts" = mkRoSymBind (aggregatedFonts + "/share/fonts");
+  };
+}

modules/nur-packages.nix

@@ -0,0 +1,15 @@
+{ config, pkgs, ... }:
+
+{
+  nixpkgs.config.permittedInsecurePackages = [
+    "electron-19.0.7"  # required by wechat-uos, and it's already EOL
+    "openssl-1.1.1t"   # OpenSSL 1.1 is reaching its end of life on 2023/09/11
+  ];
+
+  environment.systemPackages = with config.nur.repos.xddxdd; [
+    # packages from nur-xddxdd
+    wechat-uos
+  ];
+
+  # flatpack is recommended to install other apps such as netease-cloud-music/qqmusic/...
+}

modules/system.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, devenv, ... }:
 
 {
   # enable flakes globally
@@ -37,10 +37,19 @@
       material-design-icons
       font-awesome
 
-      # normal fonts
-      noto-fonts
-      noto-fonts-cjk
-      noto-fonts-emoji
+      # Noto 系列字体是 Google 主导的，名字的含义是「没有豆腐」（no tofu），因为缺字时显示的方框或者方框被叫作 tofu
+      # Noto 系列字族名只支持英文，命名规则是 Noto + Sans 或 Serif + 文字名称。
+      # 其中汉字部分叫 Noto Sans/Serif CJK SC/TC/HK/JP/KR，最后一个词是地区变种。
+      noto-fonts        # 大部分文字的常见样式，不包含汉字
+      noto-fonts-cjk    # 汉字部分
+      noto-fonts-emoji  # 彩色的表情符号字体
+      noto-fonts-extra  # 提供额外的字重和宽度变种
+
+      # 思源系列字体是 Adobe 主导的。其中汉字部分被称为「思源黑体」和「思源宋体」，是由 Adobe + Google 共同开发的
+      source-sans       # 无衬线字体，不含汉字。字族名叫 Source Sans 3 和 Source Sans Pro，以及带字重的变体，加上 Source Sans 3 VF
+      source-serif      # 衬线字体，不含汉字。字族名叫 Source Code Pro，以及带字重的变体
+      source-han-sans   # 思源黑体
+      source-han-serif  # 思源宋体
 
       # nerdfonts
       (nerdfonts.override { fonts = [
@@ -94,7 +103,8 @@
     vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
     wget
     curl
-    git
+    git      # used by nix flakes
+    git-lfs  # used by huggingface models
 
     # networking tools
     ethtool
@@ -125,6 +135,9 @@
       requests
       pyquery
     ]))
+
+    # need to run `conda-install` before using it
+    # need to run `conda-shell` before using command `conda`
     conda
 
     # video/audio tools
@@ -146,13 +159,24 @@
 
     # embedded development
     minicom
+
+    # remote desktop(rdp connect)
+    remmina
+    freerdp  # required by remmina
+
+    devenv.packages."${pkgs.system}".devenv
   ];
 
+  # replace default editor with vim
+  environment.variables.EDITOR = "vim";
 
   # Enable sound with pipewire.
   sound.enable = true;
   hardware.pulseaudio.enable = false;
 
+  # https://flatpak.org/setup/NixOS
+  services.flatpak.enable = true;
+
   # security with polkit
   services.power-profiles-daemon = {
     enable = true;
@@ -190,14 +214,4 @@
   # android development tools, this will install adb/fastboot and other android tools and udev rules
   # see https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/programs/adb.nix
   programs.adb.enable = true;
-
-  # Define a user account. Don't forget to set a password with ‘passwd’.
-  users.users.ryan = {
-    isNormalUser = true;
-    description = "ryan";
-    extraGroups = [ "users" "networkmanager" "wheel" "docker" "wireshark" "adbusers" ];
-    openssh.authorizedKeys.keys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJx3Sk20pLL1b2PPKZey2oTyioODrErq83xG78YpFBoj admin@ryan-MBP"
-    ];
-  };
 }

modules/user_group.nix

@@ -0,0 +1,18 @@
+{config, pkgs, ...}:
+
+{
+  users.groups = {
+    ryan = {};
+    docker = {};
+    wireshark = {};
+  };
+  # Define a user account. Don't forget to set a password with ‘passwd’.
+  users.users.ryan = {
+    isNormalUser = true;
+    description = "ryan";
+    extraGroups = [ "ryan" "users" "networkmanager" "wheel" "docker" "wireshark" "adbusers" ];
+    openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJx3Sk20pLL1b2PPKZey2oTyioODrErq83xG78YpFBoj"
+    ];
+  };
+}

overlays/default.nix

@@ -0,0 +1,7 @@
+args:
+  # execute and import all overlay files in the current directory with the given args
+  builtins.map
+  (f: (import (./. + "/${f}") args))  # execute and import the overlay file
+  (builtins.filter          # find all overlay files in the current directory
+    (f: f != "default.nix")
+    (builtins.attrNames (builtins.readDir ./.)))

overlays/fcitx5/README.md

@@ -7,3 +7,11 @@
 1. pay attention to the `rm -rf .local/share/fcitx5/rime/`, which may contains some auto generated rime config files, which may cause flypy not the default scheme for rime
 2. manage `~/.config/fcitx5/profile` in ../home/hyprland/default.nix, which hardcode rime as the default input method, so you do not need to use fcitx-configtool to set rime as the default input method.
 3. fcitx5-rime still cannot use on vscode & chrome now... need more time to figure out why and resolve it.
+
+
+## Docs about fcitx5
+
+- [Fcitx5 - Arch Linux Wiki](https://wiki.archlinux.org/title/Fcitx5)
+- [Fcitx5 - Official Wiki](https://fcitx-im.org/wiki/Fcitx_5/zh-cn)
+- [disscussion about using fcitx5 on hyprland](https://github.com/hyprwm/Hyprland/discussions/421)
+- [hyprland issue about fcitx5](https://github.com/hyprwm/Hyprland/discussions/421)

overlays/fcitx5/default.nix

@@ -0,0 +1,10 @@
+# 为了不使用默认的 rime-data，改用我自定义的小鹤音形数据，这里需要 override
+# 参考 https://github.com/NixOS/nixpkgs/blob/e4246ae1e7f78b7087dce9c9da10d28d3725025f/pkgs/tools/inputmethods/fcitx5/fcitx5-rime.nix
+{...}: 
+
+(self: super: {
+  # 小鹤音形配置，配置来自 flypy.com 官方网盘的鼠须管配置压缩包「小鹤音形“鼠须管”for macOS.zip」
+  # 我仅修改了 default.yaml 文件，将其中的半角括号改为了直角括号「 与 」。
+  rime-data = ./rime-data-flypy;
+  fcitx5-rime = super.fcitx5-rime.override { rimeDataPkgs = [ ./rime-data-flypy ]; };
+})

secrets/REAME.md

@@ -0,0 +1,92 @@
+# secrets management
+
+This directory contains my secret files, encrypt by agenix:
+
+- my wireguard configuration files, which is used by `wg-quick`
+- github token, used by nix flakes to query and downloads flakes from github
+  - without this, you may reach out github api rate limit.
+- ssh key pairs for my homelab and other servers
+- ...
+
+## TODO
+
+- a better way to manage all these secrets, is to used a separate private github repository to store all these secrets, and use it as a flakes input this this repo.
+  - e.g. <https://github.com/xddxdd/nixos-config/blob/25ae3de/flake.nix#L82>
+
+## Add or Update Secrets
+
+This job is done by `agenix` CLI tool with the `./secrets.nix` file.
+
+Pretend you want to add a new secret file `xxx.age`, then:
+
+1. `cd` to this directory
+1. edit `secrets.nix`, add a new entry for `xxx.age`, which defines the
+   encryption keys and the secret file path, e.g.
+  ```nix
+  # This file is not imported into your NixOS configuration. It is only used for the agenix CLI.
+  # agenix use the public keys defined in this file to encrypt the secrets.
+  # and users can decrypt the secrets by any of the corresponding private keys.
+
+  let
+    # get user's ssh public key by command:
+    #     cat ~/.ssh/id_ed25519.pub
+    # if you do not have one, you can generate it by command:
+    #     ssh-keygen -t ed25519
+    ryan = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJx3Sk20pLL1b2PPKZey2oTyioODrErq83xG78YpFBoj";
+    users = [ ryan ];
+
+    # get system's ssh public key by command:
+    #    cat /etc/ssh/ssh_host_ed25519_key.pub
+    msi-rtx4090 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICGeXNCazqiqxn8TmbCRjA+pLWrxwenn+CFhizBMP6en root@msi-rtx4090";
+    systems = [ msi-rtx4090 ];
+  in
+  {
+    "./encrypt/xxx.age".publicKeys = users ++ systems;
+  }
+  ```
+2. create and edit the secret file `xxx.age` interactively by command:
+  ```shell
+  agenix -e ./encrypt/xxx.age
+  ```
+3. or you can also encrypt an existing file to `xxx.age` by command:
+  ```shell
+  agenix -e ./encrypt/xxx.age < /path/to/xxx
+  ```
+
+
+## Deploy Secrets
+
+This job is done by `nixos-rebuild` with the `./default.nix` file.
+
+An nixos module exmaple(need to set agenix as flake inputs first...):
+
+```nix
+{ config, pkgs, agenix, ... }:
+
+{
+  imports = [
+     agenix.nixosModules.default
+  ];
+
+  environment.systemPackages = [
+    agenix.packages."${pkgs.system}".default 
+  ];
+
+  age.secrets."xxx" = {
+    # wether secrets are symlinked to age.secrets.<name>.path
+    symlink = true;
+    # target path for decrypted file
+    path = "/etc/xxx/";
+    # encrypted file path
+    file = ./encrypt/xxx.age;
+    mode = "0400";
+    owner = "root";
+    group = "root";
+  };
+}
+```
+
+`nixos-rebuild` will decrypt the secrets using the private keys defined by argument `age.identityPaths`,
+And then symlink the secrets to the path defined by argument `age.secrets.<name>.path`, it defaults to `/etc/secrets`.
+
+NOTE: `age.identityPaths` it defaults to `~/.ssh/id_ed25519` and `~/.ssh/id_rsa`, so you should put your decrypt keys there. if you're deploying to the same machine as you're encrypting from, it should work out of the box.

secrets/default.nix

@@ -0,0 +1,32 @@
+{ config, pkgs, agenix, ... }:
+
+{
+  imports = [
+     agenix.nixosModules.default
+  ];
+
+  environment.systemPackages = [
+    agenix.packages."${pkgs.system}".default 
+  ];
+
+  # # wireguard config used with `wg-quick up wg-business`  
+  age.secrets."wg-business.conf" = {
+    # wether secrets are symlinked to age.secrets.<name>.path
+    symlink = true;
+    # target path for decrypted file
+    path = "/etc/wireguard/";
+    # encrypted file path
+    file = ./encrypt/wg-business.conf.age;
+    mode = "0400";
+    owner = "root";
+    group = "root";
+  };
+
+  # smb-credentials is referenced in /etc/fstab, by ../hosts/msi-rtx4090/cifs-mount.nix
+  age.secrets."smb-credentials" = {
+    # wether secrets are symlinked to age.secrets.<name>.path
+    symlink = true;
+    # encrypted file path
+    file = ./encrypt/smb-credentials.age;
+  };
+}

secrets/encrypt/smb-credentials.age

@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 YVM6Sg vO0DYm8iol7IBG6rscZq/LQpRHh54+DdOFUR01b6yR0
+gqEePw0Fvo2uDAcwEObd7PLjA2vU6e6JhGGVoGULazA
+-> ssh-ed25519 Q4ARMQ fyGN9P+rvYJ8Qk5Iiyjn++Ml/XiVMvk62EshD9JOvDA
+ikPmvDRZwhkHAZ2U8R10QgpJlTTynHI5Vm50xxQiKT8
+-> b[1(F-grease 23C oS"65TE ~50zBiB
+eMwvm36CT7qLNS6gXVezB3m8pCKyTbKfuCq3vgi/D4DQXfDq4IdAANp0o6DKuaTX
+gQOZK5zIELG4bHS9SQRW4H7eAjJBUgA
+--- 1p8fRawaLk8WpQHYAE7sD016F6bo4agn2UxDuUtZzmI
+g·ógs=k+nN½"±äóoá/=^÷Z§Ÿ<~ÑÓŽ
k˜i Gw3ó�Ñ”=(Aˆm	
+úß¼¶�êU#’à

secrets/secrets.nix

@@ -0,0 +1,20 @@
+# This file is not imported into your NixOS configuration. It is only used for the agenix CLI.
+
+let
+  # get user's ssh public key by command:
+  #     cat ~/.ssh/id_ed25519.pub
+  # if you do not have one, you can generate it by command:
+  #     ssh-keygen -t ed25519
+  ryan = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJx3Sk20pLL1b2PPKZey2oTyioODrErq83xG78YpFBoj";
+  users = [ ryan ];
+
+  # get system's ssh public key by command:
+  #    cat /etc/ssh/ssh_host_ed25519_key.pub
+  msi-rtx4090 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICGeXNCazqiqxn8TmbCRjA+pLWrxwenn+CFhizBMP6en root@msi-rtx4090";
+  systems = [ msi-rtx4090 ];
+in
+{
+  "./encrypt/wg-business.conf.age".publicKeys = users ++ systems;
+  "./encrypt/smb-credentials.age".publicKeys = users ++ systems;
+  # "./encrypt/secret123.age".publicKeys = [ user1 system1 ];
+}