chore: remove mihomo-party

feat: add netbird for homelab, keep tailscale for work (#225 )
refactor: grafana - add more datasources, rewrite in nix
2026-05-28 18:39:31 +02:00 · 2025-10-02 11:50:46 +08:00 · 2025-10-02 11:49:05 +08:00 · 2025-09-26 23:46:54 +08:00 · 2025-09-26 21:37:23 +08:00 · 2025-09-26 19:12:45 +08:00
136 changed files with 11806 additions and 5814 deletions
@@ -25,9 +25,9 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Install nix
-        uses: cachix/install-nix-action@v24
+        uses: cachix/install-nix-action@v31
        with:
          install_url: https://nixos.org/nix/install
          extra_nix_config: |
@@ -8,3 +8,4 @@ logs/
 core*
 !core/
 !core.nix
+!coredns*
@@ -1,10 +1,21 @@
 [files]
+# Respect .ignore files.
 ignore-dot = true
+# Respect ignore files.
 ignore-files = true
-extend-exclude = ["themes/", "data/", "static-surprises/", "resources/"]
+# Typos-specific ignore globs (gitignore syntax).
+# NOTE: This setting is ignored when you pass the path directly on the command line, as cachix/git-hooks.nix does.
+# To ignore those files, you must also exclude those directories via git-hooks.hooks.typos.settings.exclude.
+extend-exclude = [
+  "data/",
+  "rime-data/",
+]

 [default]
+# Check binary files as text.
 binary = false
+# Verify spelling in file names.
+check-filename = true
 # ignore some special identifiers(sha256, mac address, crypto keys, etc)
 extend-ignore-re = [
  "iterm2",
@@ -57,14 +57,14 @@ You don't have to go through the pain I've experienced again! Check out my
 |                             | NixOS(Wayland)                                                                                                      |
 | --------------------------- | ------------------------------------------------------------------------------------------------------------------- |
 | **Window Manager**          | [Hyprland][Hyprland] / [Niri][Niri]                                                                                 |
-| **Terminal Emulator**       | [Zellij][Zellij] + [Kitty][Kitty]                                                                                   |
+| **Terminal Emulator**       | [Zellij][Zellij] + [foot][foot]/[Kitty][Kitty]/[Alacritty][Alacritty]/[Ghostty][Ghostty]                            |
 | **Bar**                     | [Waybar][Waybar]                                                                                                    |
 | **Application Launcher**    | [anyrun][anyrun]                                                                                                    |
 | **Notification Daemon**     | [Mako][Mako]                                                                                                        |
-| **Display Manager**         | [GDM][GDM]                                                                                                          |
-| **Color Scheme**            | [Catppuccin][Catppuccin]                                                                                            |
+| **Display Manager**         | [tuigreet][tuigreet]                                                                                                |
+| **Color Scheme**            | [catppuccin-nix][catppuccin-nix]                                                                                    |
 | **network management tool** | [NetworkManager][NetworkManager]                                                                                    |
-| **Input method framework**  | [Fcitx5][Fcitx5]                                                                                                    |
+| **Input method framework**  | [Fcitx5][Fcitx5] + [rime][rime] + [小鹤音形 flypy][flypy]                                                           |
 | **System resource monitor** | [Btop][Btop]                                                                                                        |
 | **File Manager**            | [Yazi][Yazi] + [thunar][thunar]                                                                                     |
 | **Shell**                   | [Nushell][Nushell] + [Starship][Starship]                                                                           |
@@ -74,7 +74,7 @@ You don't have to go through the pain I've experienced again! Check out my
 | **Image Viewer**            | [imv][imv]                                                                                                          |
 | **Screenshot Software**     | [hyprshot][hyprshot]                                                                                                |
 | **Screen Recording**        | [OBS][OBS]                                                                                                          |
-| **Filesystem & Encryption** | tmpfs on `/`, [Btrfs][Btrfs] subvolumes on a [LUKS][LUKS] encrypted partition for persistent, unlock via passphrase |
+| **Filesystem & Encryption** | tmpfs as `/`, [Btrfs][Btrfs] subvolumes on a [LUKS][LUKS] encrypted partition for persistent, unlock via passphrase |
 | **Secure Boot**             | [lanzaboote][lanzaboote]                                                                                            |

 Wallpapers: https://github.com/ryan4yin/wallpapers
@@ -109,8 +109,6 @@ For NixOS:
 > To deploy this flake from NixOS's official ISO image (purest installation method), please refer to
 > [./nixos-installer/](./nixos-installer/)

-> Need to restart the machine when switching between `wayland` and `xorg`.
-
 ```bash
 # deploy one of the configuration based on the hostname
 sudo nixos-rebuild switch --flake .#ai-hyprland
@@ -119,6 +117,9 @@ sudo nixos-rebuild switch --flake .#ai-hyprland
 # Deploy the hyprland nixosConfiguration by hostname match
 just hypr

+# Deploy the niri nixosConfiguration by hostname match
+just niri
+
 # or we can deploy with details
 just hypr debug
 ```
@@ -178,6 +179,9 @@ Other dotfiles that inspired me:
 [Hyprland]: https://github.com/hyprwm/Hyprland
 [Niri]: https://github.com/YaLTeR/niri
 [Kitty]: https://github.com/kovidgoyal/kitty
+[foot]: https://codeberg.org/dnkl/foot
+[Alacritty]: https://github.com/alacritty/alacritty
+[Ghostty]: https://github.com/ghostty-org/ghostty
 [Nushell]: https://github.com/nushell/nushell
 [Starship]: https://github.com/starship/starship
 [Waybar]: https://github.com/Alexays/Waybar
@@ -186,6 +190,8 @@ Other dotfiles that inspired me:
 [anyrun]: https://github.com/Kirottu/anyrun
 [Dunst]: https://github.com/dunst-project/dunst
 [Fcitx5]: https://github.com/fcitx/fcitx5
+[rime]: https://wiki.archlinux.org/title/Rime
+[flypy]: https://flypy.cc/
 [Btop]: https://github.com/aristocratos/btop
 [mpv]: https://github.com/mpv-player/mpv
 [Zellij]: https://github.com/zellij-org/zellij
@@ -196,10 +202,10 @@ Other dotfiles that inspired me:
 [OBS]: https://obsproject.com
 [Mako]: https://github.com/emersion/mako
 [Nerd fonts]: https://github.com/ryanoasis/nerd-fonts
-[catppuccin]: https://github.com/catppuccin/catppuccin
+[catppuccin-nix]: https://github.com/catppuccin/nix
 [NetworkManager]: https://wiki.gnome.org/Projects/NetworkManager
 [wl-clipboard]: https://github.com/bugaevc/wl-clipboard
-[GDM]: https://wiki.archlinux.org/title/GDM
+[tuigreet]: https://github.com/apognu/tuigreet
 [thunar]: https://gitlab.xfce.org/xfce/thunar
 [Yazi]: https://github.com/sxyazi/yazi
 [Catppuccin]: https://github.com/catppuccin/catppuccin
@@ -3,5 +3,21 @@
 This is my private Private Key Infrastructure (PKI) / Certificate Authority (CA) for my personal
 use. It is used to issue certificates for my own servers and services.

-All the private keys are ignored by git, and will be stored in my private secrets repo
-[../secrets](../secrets/)
+## Current Structure
+
+- **ecc-ca.crt** - ECC CA certificate file
+- **ecc-ca.srl** - CA serial number file for certificate tracking
+- **ecc-csr.conf** - OpenSSL configuration file for certificate signing requests
+- **ecc-server.crt** - Server certificate signed by the ECC CA
+- **gen-certs.sh** - Shell script to generate certificates automatically
+
+## Security Notes
+
+All private keys (`.key` files) are ignored by git and stored in a private secrets repository. The
+public certificates and configuration files are committed to this repository for reference.
+
+## Usage
+
+Run `./gen-certs.sh` to generate new certificates using the ECC CA configuration.
+
+See [../secrets](../secrets/) for the corresponding private key management.
@@ -1,5 +1,27 @@
 {
  "nodes": {
+    "aagl": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "rust-overlay": "rust-overlay"
+      },
+      "locked": {
+        "lastModified": 1758557465,
+        "narHash": "sha256-SeDqOZQoARl/xxEMdej09IScCf77SEQfRAjED7lBgMY=",
+        "owner": "ezKEa",
+        "repo": "aagl-gtk-on-nix",
+        "rev": "944f9903859ad16db762fbe573fb6f05f7367e16",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ezKEa",
+        "repo": "aagl-gtk-on-nix",
+        "type": "github"
+      }
+    },
    "agenix": {
      "inputs": {
        "darwin": "darwin",
@@ -33,15 +55,16 @@
        "systems": "systems_2"
      },
      "locked": {
-        "lastModified": 1755411828,
-        "narHash": "sha256-TJhktHx79CMN6dCvFMST9PECDS9zW5iWEDyiMleXUSo=",
-        "owner": "Kirottu",
+        "lastModified": 1756708978,
+        "narHash": "sha256-01XBO8U2PyhhYXo3oZAu7dghqXkxdemeG82MqnNp4wE=",
+        "owner": "anyrun-org",
        "repo": "anyrun",
-        "rev": "0c3fa788227d29cf8b0184e553c83021bcebad7c",
+        "rev": "b6d08eea668feb8c183ee2a1822f909949792676",
        "type": "github"
      },
      "original": {
-        "owner": "Kirottu",
+        "owner": "anyrun-org",
+        "ref": "v25.9.0",
        "repo": "anyrun",
        "type": "github"
      }
@@ -54,11 +77,11 @@
      },
      "locked": {
        "dir": "blender",
-        "lastModified": 1754037902,
-        "narHash": "sha256-d9hAFy/R8o5UM/mrgCBm+xE8NbtgkXYPHLVza07xGgE=",
+        "lastModified": 1758185131,
+        "narHash": "sha256-GlScQnoFgaFLQ9cd4llbJSisR0LjafjMAkBZQV7m4uk=",
        "owner": "edolstra",
        "repo": "nix-warez",
-        "rev": "e8b2b3214f07970e45ec3fc98d957b0507a3564a",
+        "rev": "f49a87422539d748a34b9f3b07a7b8ced7242dff",
        "type": "github"
      },
      "original": {
@@ -75,11 +98,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1755334713,
-        "narHash": "sha256-Nxq+mi6aqEbJA4R7i4TLr68ANuIgnEo2aKzJKRYd11s=",
+        "lastModified": 1758270360,
+        "narHash": "sha256-yqh6EEhlpVWRoKl85o1s+QZ72UHWTvornnc3C0Ls484=",
        "owner": "catppuccin",
        "repo": "nix",
-        "rev": "a2ef20ed6fb921073c2d1b1929447c3bd88f595e",
+        "rev": "2e0aacdd6abbecd1b1c0511a2fcd1460a6bc6645",
        "type": "github"
      },
      "original": {
@@ -125,6 +148,67 @@
        "type": "github"
      }
    },
+    "determinate": {
+      "inputs": {
+        "determinate-nixd-aarch64-darwin": "determinate-nixd-aarch64-darwin",
+        "determinate-nixd-aarch64-linux": "determinate-nixd-aarch64-linux",
+        "determinate-nixd-x86_64-darwin": [
+          "determinate",
+          "determinate-nixd-aarch64-darwin"
+        ],
+        "determinate-nixd-x86_64-linux": "determinate-nixd-x86_64-linux",
+        "nix": "nix",
+        "nixpkgs": "nixpkgs_3"
+      },
+      "locked": {
+        "lastModified": 1757699119,
+        "narHash": "sha256-iOOoVdrkcyk95Xg68TuPeAwpz+v80mgZCqil0jpPZuY=",
+        "rev": "1e16c8f8a44573bb0648c76b6c98352436f5171e",
+        "revCount": 304,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/determinate/3.11.2/01993f0b-1215-7072-ac1a-f2b27b566115/source.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://flakehub.com/f/DeterminateSystems/determinate/%2A"
+      }
+    },
+    "determinate-nixd-aarch64-darwin": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-q1tqDvmfjDgLk/wbYf4pRhyHDS94iY85Q79FPBtcv7g=",
+        "type": "file",
+        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.11.2/macOS"
+      },
+      "original": {
+        "type": "file",
+        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.11.2/macOS"
+      }
+    },
+    "determinate-nixd-aarch64-linux": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-E1vGfcQ5dqtRG9EDP6eOQWCnCIRB2XFkFBp2C4FgQ8c=",
+        "type": "file",
+        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.11.2/aarch64-linux"
+      },
+      "original": {
+        "type": "file",
+        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.11.2/aarch64-linux"
+      }
+    },
+    "determinate-nixd-x86_64-linux": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-GtxtkI0cOC2A30Xw6gCDTN7JxN1zJGh7/eIXr6AlTSA=",
+        "type": "file",
+        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.11.2/x86_64-linux"
+      },
+      "original": {
+        "type": "file",
+        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.11.2/x86_64-linux"
+      }
+    },
    "disko": {
      "inputs": {
        "nixpkgs": [
@@ -179,12 +263,44 @@
      }
    },
    "flake-compat_3": {
+      "flake": false,
      "locked": {
-        "lastModified": 1688025799,
-        "narHash": "sha256-ktpB4dRtnksm9F5WawoIkEneh1nrEvuxb5lJFt1iOyw=",
+        "lastModified": 1747046372,
+        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_4": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_5": {
+      "locked": {
+        "lastModified": 1746162366,
+        "narHash": "sha256-5SSSZ/oQkwfcAz/o/6TlejlVGqeK08wyREBQ5qFFPhM=",
        "owner": "nix-community",
        "repo": "flake-compat",
-        "rev": "8bf105319d44f6b9f0d764efa4fdef9f1cc9ba1c",
+        "rev": "0f158086a2ecdbb138cd0429410e44994f1b7e4b",
        "type": "github"
      },
      "original": {
@@ -193,7 +309,7 @@
        "type": "github"
      }
    },
-    "flake-compat_4": {
+    "flake-compat_6": {
      "flake": false,
      "locked": {
        "lastModified": 1747046372,
@@ -217,11 +333,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1743550720,
-        "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=",
+        "lastModified": 1754487366,
+        "narHash": "sha256-pHYj8gUBapuUzKV/kN/tR3Zvqc7o6gdFB9XKXIp1SQ8=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "c621e8422220273271f52058f618c94e405bb0f5",
+        "rev": "af66ad14b28a127c5c0f3bbb298218fc63528a18",
        "type": "github"
      },
      "original": {
@@ -231,6 +347,27 @@
      }
    },
    "flake-parts_2": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "determinate",
+          "nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1748821116,
+        "narHash": "sha256-F82+gS044J1APL0n4hH50GYdPRv/5JWm34oCJYmVKdE=",
+        "rev": "49f0870db23e8c1ca0b5259734a02cd9e1e371a1",
+        "revCount": 377,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/hercules-ci/flake-parts/0.1.377%2Brev-49f0870db23e8c1ca0b5259734a02cd9e1e371a1/01972f28-554a-73f8-91f4-d488cc502f08/source.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://flakehub.com/f/hercules-ci/flake-parts/0.1"
+      }
+    },
+    "flake-parts_3": {
      "inputs": {
        "nixpkgs-lib": [
          "lanzaboote",
@@ -251,16 +388,16 @@
        "type": "github"
      }
    },
-    "flake-parts_3": {
+    "flake-parts_4": {
      "inputs": {
        "nixpkgs-lib": "nixpkgs-lib"
      },
      "locked": {
-        "lastModified": 1754487366,
-        "narHash": "sha256-pHYj8gUBapuUzKV/kN/tR3Zvqc7o6gdFB9XKXIp1SQ8=",
+        "lastModified": 1756770412,
+        "narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "af66ad14b28a127c5c0f3bbb298218fc63528a18",
+        "rev": "4524271976b625a4a605beefd893f270620fd751",
        "type": "github"
      },
      "original": {
@@ -269,7 +406,7 @@
        "type": "github"
      }
    },
-    "flake-parts_4": {
+    "flake-parts_5": {
      "inputs": {
        "nixpkgs-lib": [
          "nixpak",
@@ -277,11 +414,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1754487366,
-        "narHash": "sha256-pHYj8gUBapuUzKV/kN/tR3Zvqc7o6gdFB9XKXIp1SQ8=",
+        "lastModified": 1756770412,
+        "narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "af66ad14b28a127c5c0f3bbb298218fc63528a18",
+        "rev": "4524271976b625a4a605beefd893f270620fd751",
        "type": "github"
      },
      "original": {
@@ -328,18 +465,18 @@
    },
    "ghostty": {
      "inputs": {
-        "flake-compat": "flake-compat",
+        "flake-compat": "flake-compat_3",
        "flake-utils": "flake-utils",
-        "nixpkgs": "nixpkgs",
+        "nixpkgs": "nixpkgs_4",
        "zig": "zig",
        "zon2nix": "zon2nix"
      },
      "locked": {
-        "lastModified": 1755285323,
-        "narHash": "sha256-o+TmZKnch5D0IjhWD/rhVK9Ahqafz6oZ61NKDDocXMw=",
+        "lastModified": 1758653744,
+        "narHash": "sha256-y0B40QQ//4fpTAUfhZjoDEiUejhb2hXl5LcpNenRpYM=",
        "owner": "ghostty-org",
        "repo": "ghostty",
-        "rev": "11d56235f9e4a227b794a87a503785ef9f3349ed",
+        "rev": "f97518cc100599186846282457be520fda11f467",
        "type": "github"
      },
      "original": {
@@ -348,6 +485,32 @@
        "type": "github"
      }
    },
+    "git-hooks-nix": {
+      "inputs": {
+        "flake-compat": "flake-compat_2",
+        "gitignore": [
+          "determinate",
+          "nix"
+        ],
+        "nixpkgs": [
+          "determinate",
+          "nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1747372754,
+        "narHash": "sha256-2Y53NGIX2vxfie1rOW0Qb86vjRZ7ngizoo+bnXU9D9k=",
+        "rev": "80479b6ec16fefd9c1db3ea13aeb038c60530f46",
+        "revCount": 1026,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/cachix/git-hooks.nix/0.1.1026%2Brev-80479b6ec16fefd9c1db3ea13aeb038c60530f46/0196d79a-1b35-7b8e-a021-c894fb62163d/source.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://flakehub.com/f/cachix/git-hooks.nix/0.1.941"
+      }
+    },
    "gitignore": {
      "inputs": {
        "nixpkgs": [
@@ -424,11 +587,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1752595130,
-        "narHash": "sha256-CNBgr4OZSuklGtNOa9CnTNo9+Xceqn/EDAC1Tc43fH8=",
+        "lastModified": 1758022363,
+        "narHash": "sha256-ENUhCRWgSX4ni751HieNuQoq06dJvApV/Nm89kh+/A0=",
        "owner": "hercules-ci",
        "repo": "hercules-ci-effects",
-        "rev": "5f2e09654b2e70ba643e41609d9f9b6640f22113",
+        "rev": "1a3667d33e247ad35ca250698d63f49a5453d824",
        "type": "github"
      },
      "original": {
@@ -465,11 +628,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1755397986,
-        "narHash": "sha256-qwrF5laj6eE3Zht0wKYTmH6QzL7bdOyE2f6jd3WCO8g=",
+        "lastModified": 1758676806,
+        "narHash": "sha256-XhSTUBFOtuumxAUVxTVD5k7nE/FgK11YUxAgzNQcmLU=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "8b4ac149687e8520187a66f05e9d4eafebf96522",
+        "rev": "676c0159ed51d10489a249ecdc61e115c2a90d03",
        "type": "github"
      },
      "original": {
@@ -482,13 +645,13 @@
    "lanzaboote": {
      "inputs": {
        "crane": "crane",
-        "flake-compat": "flake-compat_2",
-        "flake-parts": "flake-parts_2",
+        "flake-compat": "flake-compat_4",
+        "flake-parts": "flake-parts_3",
        "nixpkgs": [
          "nixpkgs"
        ],
        "pre-commit-hooks-nix": "pre-commit-hooks-nix",
-        "rust-overlay": "rust-overlay"
+        "rust-overlay": "rust-overlay_2"
      },
      "locked": {
        "lastModified": 1737639419,
@@ -525,10 +688,10 @@
    "mysecrets": {
      "flake": false,
      "locked": {
-        "lastModified": 1752678564,
-        "narHash": "sha256-x2sbH7Umncbyc9oca5mqX8kMChHVUTytKk+QXEcB4i4=",
+        "lastModified": 1757651423,
+        "narHash": "sha256-w2hBme0vg3uDoEjP+0WuBT9hAhf1xJa4Np+GS2zQKXU=",
        "ref": "refs/heads/main",
-        "rev": "a231913597362c15c71fd9212cef5092ae85a64c",
+        "rev": "44b2943b7ebed5717bb9855c1b7a95c8a89fb7f7",
        "shallow": true,
        "type": "git",
        "url": "ssh://git@github.com/ryan4yin/nix-secrets.git"
@@ -543,17 +706,17 @@
      "inputs": {
        "niri-stable": "niri-stable",
        "niri-unstable": "niri-unstable",
-        "nixpkgs": "nixpkgs_2",
+        "nixpkgs": "nixpkgs_6",
        "nixpkgs-stable": "nixpkgs-stable_2",
        "xwayland-satellite-stable": "xwayland-satellite-stable",
        "xwayland-satellite-unstable": "xwayland-satellite-unstable"
      },
      "locked": {
-        "lastModified": 1755424351,
-        "narHash": "sha256-xcorYLNdtLpb0wH5CPlUcpmYQUxeK95j1X855xQw+DY=",
+        "lastModified": 1758660031,
+        "narHash": "sha256-/f1k6oL2UqpDxe0MasJyLpXJj80Az/TxBbEf4hinmgI=",
        "owner": "sodiboo",
        "repo": "niri-flake",
-        "rev": "9aa137af01f05386e5bb5050e983750017007a66",
+        "rev": "6e26dd2cece5430571b45ffe3d97213431b3e86f",
        "type": "github"
      },
      "original": {
@@ -565,16 +728,16 @@
    "niri-stable": {
      "flake": false,
      "locked": {
-        "lastModified": 1748151941,
-        "narHash": "sha256-z4viQZLgC2bIJ3VrzQnR+q2F3gAOEQpU1H5xHtX/2fs=",
+        "lastModified": 1756556321,
+        "narHash": "sha256-RLD89dfjN0RVO86C/Mot0T7aduCygPGaYbog566F0Qo=",
        "owner": "YaLTeR",
        "repo": "niri",
-        "rev": "8ba57fcf25d2fc9565131684a839d58703f1dae7",
+        "rev": "01be0e65f4eb91a9cd624ac0b76aaeab765c7294",
        "type": "github"
      },
      "original": {
        "owner": "YaLTeR",
-        "ref": "v25.05.1",
+        "ref": "v25.08",
        "repo": "niri",
        "type": "github"
      }
@@ -582,11 +745,11 @@
    "niri-unstable": {
      "flake": false,
      "locked": {
-        "lastModified": 1755419373,
-        "narHash": "sha256-EFH3zbpyLYjEboNV2Lmkxf9joEuFCmeYX+MMLRPStpg=",
+        "lastModified": 1758631239,
+        "narHash": "sha256-EQecFZ5VZtNjN/yzDA/RV13fK3EdLPblcf9p5wVNACo=",
        "owner": "YaLTeR",
        "repo": "niri",
-        "rev": "a6febb86aa5af0df7bf2792ca027ef95a503d599",
+        "rev": "3850739e445b95a73c2466a718ccaf3a9a406c06",
        "type": "github"
      },
      "original": {
@@ -595,6 +758,27 @@
        "type": "github"
      }
    },
+    "nix": {
+      "inputs": {
+        "flake-parts": "flake-parts_2",
+        "git-hooks-nix": "git-hooks-nix",
+        "nixpkgs": "nixpkgs_2",
+        "nixpkgs-23-11": "nixpkgs-23-11",
+        "nixpkgs-regression": "nixpkgs-regression"
+      },
+      "locked": {
+        "lastModified": 1757694985,
+        "narHash": "sha256-3Ia+y7Hbwnzcuf1hyuVnFtbnSR6ErQeFjemHdVxjCNE=",
+        "rev": "766f43aa6acb1b3578db488c19fbbedf04ed9f24",
+        "revCount": 22340,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nix-src/3.11.2/01993ee9-f8e7-7b80-80df-ec0a20a32514/source.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://flakehub.com/f/DeterminateSystems/nix-src/%2A"
+      }
+    },
    "nix-darwin": {
      "inputs": {
        "nixpkgs": [
@@ -602,11 +786,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1755275010,
-        "narHash": "sha256-lEApCoWUEWh0Ifc3k1JdVjpMtFFXeL2gG1qvBnoRc2I=",
+        "lastModified": 1758447883,
+        "narHash": "sha256-yGA6MV0E4JSEXqLTb4ZZkmdJZcoQ8HUzihRRX12Bvpg=",
        "owner": "lnl7",
        "repo": "nix-darwin",
-        "rev": "7220b01d679e93ede8d7b25d6f392855b81dd475",
+        "rev": "25381509d5c91bbf3c30e23abc6d8476d2143cd1",
        "type": "github"
      },
      "original": {
@@ -617,17 +801,17 @@
    },
    "nix-gaming": {
      "inputs": {
-        "flake-parts": "flake-parts_3",
+        "flake-parts": "flake-parts_4",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1755396822,
-        "narHash": "sha256-gID7ynpJuflQ/+ibrhYUWybiGPduNvvMJSk27oqfK24=",
+        "lastModified": 1758678659,
+        "narHash": "sha256-Ff5IFCEABf3CStKvf8MqJe7jwrHk2J8swdYTrwOj9dk=",
        "owner": "fufexan",
        "repo": "nix-gaming",
-        "rev": "f2bf778502254d8852402a83ae346fd803095ccc",
+        "rev": "6418c314274a8ce27078402ab1fbac7c06da7a36",
        "type": "github"
      },
      "original": {
@@ -653,24 +837,24 @@
    },
    "nixos-apple-silicon": {
      "inputs": {
-        "flake-compat": "flake-compat_3",
+        "flake-compat": "flake-compat_5",
        "nixpkgs": [
          "nixpkgs"
        ],
        "treefmt-nix": "treefmt-nix"
      },
      "locked": {
-        "lastModified": 1755124568,
-        "narHash": "sha256-8fXTYruAwE6OiIz/99P5qknQYag7ZX985pNT+jhIIrU=",
+        "lastModified": 1756110286,
+        "narHash": "sha256-NE0HwcQCQTgM+HuYqmiemPf/5e+3fjwowceAyJj+ikU=",
        "owner": "nix-community",
        "repo": "nixos-apple-silicon",
-        "rev": "2f873fc3ef373e59cd3a7dad4087685fc8ce02ca",
+        "rev": "b99bf9bf7445416fe55da09034fc4a6cd733805c",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
-        "ref": "release-2025-08-10",
        "repo": "nixos-apple-silicon",
+        "rev": "b99bf9bf7445416fe55da09034fc4a6cd733805c",
        "type": "github"
      }
    },
@@ -697,18 +881,18 @@
    },
    "nixpak": {
      "inputs": {
-        "flake-parts": "flake-parts_4",
+        "flake-parts": "flake-parts_5",
        "hercules-ci-effects": "hercules-ci-effects",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1755139484,
-        "narHash": "sha256-gCMJp0indBuBXnog2C86aby5Pz268gUMZD0ORahulO8=",
+        "lastModified": 1758163506,
+        "narHash": "sha256-eGksZmv1ie834yfgJW0z85eZZo10A/JE+6dhHNWQajQ=",
        "owner": "nixpak",
        "repo": "nixpak",
-        "rev": "ae70d05017be7e0aa6c1cf5f267fe6953eb027e6",
+        "rev": "17df00be4383dbf88c42ed1fa519cc6dd71df042",
        "type": "github"
      },
      "original": {
@@ -719,24 +903,43 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1748189127,
-        "narHash": "sha256-zRDR+EbbeObu4V2X5QCd2Bk5eltfDlCr5yvhBwUT6pY=",
-        "rev": "7c43f080a7f28b2774f3b3f43234ca11661bf334",
-        "type": "tarball",
-        "url": "https://releases.nixos.org/nixos/25.05/nixos-25.05.802491.7c43f080a7f2/nixexprs.tar.xz"
+        "lastModified": 1744536153,
+        "narHash": "sha256-awS2zRgF4uTwrOKwwiJcByDzDOdo3Q1rPZbiHQg/N38=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "18dd725c29603f582cf1900e0d25f9f1063dbf11",
+        "type": "github"
      },
      "original": {
-        "type": "tarball",
-        "url": "https://channels.nixos.org/nixos-25.05/nixexprs.tar.xz"
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-23-11": {
+      "locked": {
+        "lastModified": 1717159533,
+        "narHash": "sha256-oamiKNfr2MS6yH64rUn99mIZjc45nGJlj9eGth/3Xuw=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "a62e6edd6d5e1fa0329b8653c801147986f8d446",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "a62e6edd6d5e1fa0329b8653c801147986f8d446",
+        "type": "github"
      }
    },
    "nixpkgs-darwin": {
      "locked": {
-        "lastModified": 1755268003,
-        "narHash": "sha256-nNaeJjo861wFR0tjHDyCnHs1rbRtrMgxAKMoig9Sj/w=",
+        "lastModified": 1758446476,
+        "narHash": "sha256-5rdAi7CTvM/kSs6fHe1bREIva5W3TbImsto+dxG4mBo=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "32f313e49e42f715491e1ea7b306a87c16fe0388",
+        "rev": "a1f79a1770d05af18111fbbe2a3ab2c42c0f6cd0",
        "type": "github"
      },
      "original": {
@@ -748,11 +951,11 @@
    },
    "nixpkgs-lib": {
      "locked": {
-        "lastModified": 1753579242,
-        "narHash": "sha256-zvaMGVn14/Zz8hnp4VWT9xVnhc8vuL3TStRqwk22biA=",
+        "lastModified": 1754788789,
+        "narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=",
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
-        "rev": "0f36c44e01a6129be94e3ade315a5883f0228a6e",
+        "rev": "a73b9c743612e4244d865a2fdee11865283c04e6",
        "type": "github"
      },
      "original": {
@@ -763,11 +966,11 @@
    },
    "nixpkgs-ollama": {
      "locked": {
-        "lastModified": 1755186698,
-        "narHash": "sha256-wNO3+Ks2jZJ4nTHMuks+cxAiVBGNuEBXsT29Bz6HASo=",
+        "lastModified": 1758427187,
+        "narHash": "sha256-pHpxZ/IyCwoTQPtFIAG2QaxuSm8jWzrzBGjwQZIttJc=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "fbcf476f790d8a217c3eab4e12033dc4a0f6d23c",
+        "rev": "554be6495561ff07b6c724047bdd7e0716aa7b46",
        "type": "github"
      },
      "original": {
@@ -777,6 +980,38 @@
        "type": "github"
      }
    },
+    "nixpkgs-patched": {
+      "locked": {
+        "lastModified": 1757347588,
+        "narHash": "sha256-tLdkkC6XnsY9EOZW9TlpesTclELy8W7lL2ClL+nma8o=",
+        "owner": "ryan4yin",
+        "repo": "nixpkgs",
+        "rev": "b599843bad24621dcaa5ab60dac98f9b0eb1cabe",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryan4yin",
+        "ref": "nixos-unstable-patched",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-regression": {
+      "locked": {
+        "lastModified": 1643052045,
+        "narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
+        "type": "github"
+      }
+    },
    "nixpkgs-stable": {
      "locked": {
        "lastModified": 1730741070,
@@ -795,11 +1030,11 @@
    },
    "nixpkgs-stable_2": {
      "locked": {
-        "lastModified": 1755274400,
-        "narHash": "sha256-rTInmnp/xYrfcMZyFMH3kc8oko5zYfxsowaLv1LVobY=",
+        "lastModified": 1758589230,
+        "narHash": "sha256-zMTCFGe8aVGTEr2RqUi/QzC1nOIQ0N1HRsbqB4f646k=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "ad7196ae55c295f53a7d1ec39e4a06d922f3b899",
+        "rev": "d1d883129b193f0b495d75c148c2c3a7d95789a0",
        "type": "github"
      },
      "original": {
@@ -811,11 +1046,11 @@
    },
    "nixpkgs-stable_3": {
      "locked": {
-        "lastModified": 1755274400,
-        "narHash": "sha256-rTInmnp/xYrfcMZyFMH3kc8oko5zYfxsowaLv1LVobY=",
+        "lastModified": 1758589230,
+        "narHash": "sha256-zMTCFGe8aVGTEr2RqUi/QzC1nOIQ0N1HRsbqB4f646k=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "ad7196ae55c295f53a7d1ec39e4a06d922f3b899",
+        "rev": "d1d883129b193f0b495d75c148c2c3a7d95789a0",
        "type": "github"
      },
      "original": {
@@ -827,11 +1062,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1755186698,
-        "narHash": "sha256-wNO3+Ks2jZJ4nTHMuks+cxAiVBGNuEBXsT29Bz6HASo=",
+        "lastModified": 1758427187,
+        "narHash": "sha256-pHpxZ/IyCwoTQPtFIAG2QaxuSm8jWzrzBGjwQZIttJc=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "fbcf476f790d8a217c3eab4e12033dc4a0f6d23c",
+        "rev": "554be6495561ff07b6c724047bdd7e0716aa7b46",
        "type": "github"
      },
      "original": {
@@ -843,11 +1078,65 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1755186698,
-        "narHash": "sha256-wNO3+Ks2jZJ4nTHMuks+cxAiVBGNuEBXsT29Bz6HASo=",
+        "lastModified": 1755922037,
+        "narHash": "sha256-wY1+2JPH0ZZC4BQefoZw/k+3+DowFyfOxv17CN/idKs=",
+        "rev": "b1b3291469652d5a2edb0becc4ef0246fff97a7c",
+        "revCount": 808723,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.2505.808723%2Brev-b1b3291469652d5a2edb0becc4ef0246fff97a7c/0198daf7-011a-7703-95d7-57146e794342/source.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://flakehub.com/f/NixOS/nixpkgs/0.2505"
+      }
+    },
+    "nixpkgs_3": {
+      "locked": {
+        "lastModified": 1757034884,
+        "narHash": "sha256-PgLSZDBEWUHpfTRfFyklmiiLBE1i1aGCtz4eRA3POao=",
+        "rev": "ca77296380960cd497a765102eeb1356eb80fed0",
+        "revCount": 856744,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nixpkgs-weekly/0.1.856744%2Brev-ca77296380960cd497a765102eeb1356eb80fed0/01992cf9-9347-761a-8963-9cbe43abe2fa/source.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://flakehub.com/f/DeterminateSystems/nixpkgs-weekly/0.1"
+      }
+    },
+    "nixpkgs_4": {
+      "locked": {
+        "lastModified": 1748189127,
+        "narHash": "sha256-zRDR+EbbeObu4V2X5QCd2Bk5eltfDlCr5yvhBwUT6pY=",
+        "rev": "7c43f080a7f28b2774f3b3f43234ca11661bf334",
+        "type": "tarball",
+        "url": "https://releases.nixos.org/nixos/25.05/nixos-25.05.802491.7c43f080a7f2/nixexprs.tar.xz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://channels.nixos.org/nixos-25.05/nixexprs.tar.xz"
+      }
+    },
+    "nixpkgs_5": {
+      "locked": {
+        "lastModified": 1758360447,
+        "narHash": "sha256-XDY3A83bclygHDtesRoaRTafUd80Q30D/Daf9KSG6bs=",
+        "rev": "8eaee110344796db060382e15d3af0a9fc396e0e",
+        "type": "tarball",
+        "url": "https://releases.nixos.org/nixos/unstable/nixos-25.11pre864002.8eaee1103447/nixexprs.tar.xz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://channels.nixos.org/nixos-unstable/nixexprs.tar.xz"
+      }
+    },
+    "nixpkgs_6": {
+      "locked": {
+        "lastModified": 1758427187,
+        "narHash": "sha256-pHpxZ/IyCwoTQPtFIAG2QaxuSm8jWzrzBGjwQZIttJc=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "fbcf476f790d8a217c3eab4e12033dc4a0f6d23c",
+        "rev": "554be6495561ff07b6c724047bdd7e0716aa7b46",
        "type": "github"
      },
      "original": {
@@ -857,13 +1146,13 @@
        "type": "github"
      }
    },
-    "nixpkgs_3": {
+    "nixpkgs_7": {
      "locked": {
-        "lastModified": 1755186698,
-        "narHash": "sha256-wNO3+Ks2jZJ4nTHMuks+cxAiVBGNuEBXsT29Bz6HASo=",
+        "lastModified": 1758427187,
+        "narHash": "sha256-pHpxZ/IyCwoTQPtFIAG2QaxuSm8jWzrzBGjwQZIttJc=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "fbcf476f790d8a217c3eab4e12033dc4a0f6d23c",
+        "rev": "554be6495561ff07b6c724047bdd7e0716aa7b46",
        "type": "github"
      },
      "original": {
@@ -878,7 +1167,7 @@
        "nixpkgs": [
          "nixpkgs"
        ],
-        "rust-overlay": "rust-overlay_2"
+        "rust-overlay": "rust-overlay_3"
      },
      "locked": {
        "lastModified": 1731006591,
@@ -932,18 +1221,18 @@
    },
    "pre-commit-hooks": {
      "inputs": {
-        "flake-compat": "flake-compat_4",
+        "flake-compat": "flake-compat_6",
        "gitignore": "gitignore_2",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1754416808,
-        "narHash": "sha256-c6yg0EQ9xVESx6HGDOCMcyRSjaTpNJP10ef+6fRcofA=",
+        "lastModified": 1758108966,
+        "narHash": "sha256-ytw7ROXaWZ7OfwHrQ9xvjpUWeGVm86pwnEd1QhzawIo=",
        "owner": "cachix",
        "repo": "git-hooks.nix",
-        "rev": "9c52372878df6911f9afc1e2a1391f55e4dfc864",
+        "rev": "54df955a695a84cd47d4a43e08e1feaf90b1fd9b",
        "type": "github"
      },
      "original": {
@@ -981,11 +1270,11 @@
    },
    "preservation": {
      "locked": {
-        "lastModified": 1751384068,
-        "narHash": "sha256-xGq+Om1ReXcQy6h57yj9V5nOM84g/GBJ3m6oxe1a3js=",
+        "lastModified": 1757436102,
+        "narHash": "sha256-mMI9IanU+Xw+pVogD2oT0I2kTmvz2Un/Apc5+CwUpEY=",
        "owner": "nix-community",
        "repo": "preservation",
-        "rev": "286737ba485f30c1687c833e66f5901a6c8dc019",
+        "rev": "93416f4614ad2dfed5b0dcf12f27e57d27a5ab11",
        "type": "github"
      },
      "original": {
@@ -996,10 +1285,12 @@
    },
    "root": {
      "inputs": {
+        "aagl": "aagl",
        "agenix": "agenix",
        "anyrun": "anyrun",
        "blender-bin": "blender-bin",
        "catppuccin": "catppuccin",
+        "determinate": "determinate",
        "disko": "disko",
        "ghostty": "ghostty",
        "haumea": "haumea",
@@ -1013,9 +1304,10 @@
        "nixos-apple-silicon": "nixos-apple-silicon",
        "nixos-generators": "nixos-generators",
        "nixpak": "nixpak",
-        "nixpkgs": "nixpkgs_3",
+        "nixpkgs": "nixpkgs_7",
        "nixpkgs-darwin": "nixpkgs-darwin",
        "nixpkgs-ollama": "nixpkgs-ollama",
+        "nixpkgs-patched": "nixpkgs-patched",
        "nixpkgs-stable": "nixpkgs-stable_3",
        "nixpkgs-unstable": "nixpkgs-unstable",
        "nuenv": "nuenv",
@@ -1027,6 +1319,24 @@
      }
    },
    "rust-overlay": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1758508617,
+        "narHash": "sha256-kx2uELmVnAbiekj/YFfWR26OXqXedImkhe2ocnbumTA=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "d2bac276ac7e669a1f09c48614538a37e3eb6d0f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    },
+    "rust-overlay_2": {
      "inputs": {
        "nixpkgs": [
          "lanzaboote",
@@ -1047,7 +1357,7 @@
        "type": "github"
      }
    },
-    "rust-overlay_2": {
+    "rust-overlay_3": {
      "inputs": {
        "flake-utils": "flake-utils_2",
        "nixpkgs": [
@@ -1169,16 +1479,16 @@
    "xwayland-satellite-stable": {
      "flake": false,
      "locked": {
-        "lastModified": 1748488455,
-        "narHash": "sha256-IiLr1alzKFIy5tGGpDlabQbe6LV1c9ABvkH6T5WmyRI=",
+        "lastModified": 1755491097,
+        "narHash": "sha256-m+9tUfsmBeF2Gn4HWa6vSITZ4Gz1eA1F5Kh62B0N4oE=",
        "owner": "Supreeeme",
        "repo": "xwayland-satellite",
-        "rev": "3ba30b149f9eb2bbf42cf4758d2158ca8cceef73",
+        "rev": "388d291e82ffbc73be18169d39470f340707edaa",
        "type": "github"
      },
      "original": {
        "owner": "Supreeeme",
-        "ref": "v0.6",
+        "ref": "v0.7",
        "repo": "xwayland-satellite",
        "type": "github"
      }
@@ -1186,11 +1496,11 @@
    "xwayland-satellite-unstable": {
      "flake": false,
      "locked": {
-        "lastModified": 1755219541,
-        "narHash": "sha256-yKV6xHaPbEbh5RPxAJnb9yTs1wypr7do86hFFGQm1w8=",
+        "lastModified": 1758577423,
+        "narHash": "sha256-sB2GAOjhjoWnjU6A/uHNJiY6O3UeztV5pJAN2g1FkXU=",
        "owner": "Supreeeme",
        "repo": "xwayland-satellite",
-        "rev": "5a184d435927c3423f0ad189ea2b490578450fb7",
+        "rev": "03368548ba745e17a85bd631613a59cb2d8469a4",
        "type": "github"
      },
      "original": {
@@ -1230,27 +1540,20 @@
    },
    "zon2nix": {
      "inputs": {
-        "flake-utils": [
-          "ghostty",
-          "flake-utils"
-        ],
-        "nixpkgs": [
-          "ghostty",
-          "nixpkgs"
-        ]
+        "nixpkgs": "nixpkgs_5"
      },
      "locked": {
-        "lastModified": 1742104771,
-        "narHash": "sha256-LhidlyEA9MP8jGe1rEnyjGFCzLLgCdDpYeWggibayr0=",
+        "lastModified": 1758405547,
+        "narHash": "sha256-WgaDgvIZMPvlZcZrpPMjkaalTBnGF2lTG+62znXctWM=",
        "owner": "jcollie",
        "repo": "zon2nix",
-        "rev": "56c159be489cc6c0e73c3930bd908ddc6fe89613",
+        "rev": "bf983aa90ff169372b9fa8c02e57ea75e0b42245",
        "type": "github"
      },
      "original": {
        "owner": "jcollie",
        "repo": "zon2nix",
-        "rev": "56c159be489cc6c0e73c3930bd908ddc6fe89613",
+        "rev": "bf983aa90ff169372b9fa8c02e57ea75e0b42245",
        "type": "github"
      }
    }
@@ -16,14 +16,14 @@
  nixConfig = {
    # substituers will be appended to the default substituters when fetching packages
    extra-substituters = [
-      "https://anyrun.cachix.org"
      # "https://nix-gaming.cachix.org"
      # "https://nixpkgs-wayland.cachix.org"
+      # "https://install.determinate.systems"
    ];
    extra-trusted-public-keys = [
-      "anyrun.cachix.org-1:pqBobmOjI7nKlsUMV25u9QHa9btJK65/C8vnO3p346s="
      # "nix-gaming.cachix.org-1:nbjlureqMbRAxR1gJ/f3hxemL9svXaZF/Ees8vCUUs4="
      # "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
+      # "cache.flakehub.com-3:hJuILl5sVK4iKm86JzgdXW12Y2Hwd5G07qKtHTOcDCM="
    ];
  };

@@ -41,6 +41,8 @@

    nixpkgs-ollama.url = "github:nixos/nixpkgs/nixos-unstable";

+    nixpkgs-patched.url = "github:ryan4yin/nixpkgs/nixos-unstable-patched";
+
    # for macos
    # nixpkgs-darwin.url = "github:nixos/nixpkgs/nixpkgs-25.05-darwin";
    nixpkgs-darwin.url = "github:nixos/nixpkgs/nixpkgs-unstable";
@@ -60,6 +62,8 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };

+    determinate.url = "https://flakehub.com/f/DeterminateSystems/determinate/*";
+
    # https://github.com/catppuccin/nix
    catppuccin = {
      url = "github:catppuccin/nix";
@@ -77,9 +81,10 @@

    # community wayland nixpkgs
    # nixpkgs-wayland.url = "github:nix-community/nixpkgs-wayland";
+
    # anyrun - a wayland launcher
    anyrun = {
-      url = "github:Kirottu/anyrun";
+      url = "github:/anyrun-org/anyrun/v25.9.0";
      inputs.nixpkgs.follows = "nixpkgs";
    };

@@ -97,11 +102,6 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };

-    nix-gaming = {
-      url = "github:fufexan/nix-gaming";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-
    disko = {
      url = "github:nix-community/disko/v1.11.0";
      inputs.nixpkgs.follows = "nixpkgs";
@@ -138,13 +138,24 @@
    };

    nixos-apple-silicon = {
-      # 2025-07-04
-      url = "github:nix-community/nixos-apple-silicon/release-2025-08-10";
+      # 2025-08-25 asahi-6.15.10-3
+      url = "github:nix-community/nixos-apple-silicon/b99bf9bf7445416fe55da09034fc4a6cd733805c";
      inputs.nixpkgs.follows = "nixpkgs";
    };

    niri.url = "github:sodiboo/niri-flake";

+    # -------------- Gaming ---------------------
+
+    nix-gaming = {
+      url = "github:fufexan/nix-gaming";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    aagl = {
+      url = "github:ezKEa/aagl-gtk-on-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
    ########################  Some non-flake repositories  #########################################

    polybar-themes = {
@@ -12,14 +12,53 @@
  1. Accessing the network when they don't need to.
  1. Accessing hardware devices they don't need.

-## Current Status
+## Current Structure

-1. **System Level**:
-   - [ ] AppArmor
-   - [ ] Kernel & System Hardening
-1. **Per-App Level**:
-   - Nixpak (Bubblewrap, running at user-level)
-   - Firejail (a SUID program, meaning it's running as root)
+### 1. **System Level**
+
+- **AppArmor** (`apparmor/`): AppArmor profiles and configuration
+- **Kernel & System Hardening** (`profiles/`): System-wide hardening profiles
+
+### 2. **Per-App Level**
+
+- **Nixpak** (`nixpaks/`): Bubblewrap-based sandboxing for applications
+  - Firefox configuration
+  - QQ (Chinese messaging app) configuration
+  - Modular system with reusable components
+- **Firejail** (legacy): SUID-based sandboxing (not used)
+- **Bubblewrap** (`bwraps/`): Direct bubblewrap configurations
+  - WeChat sandboxing configuration
+
+## Current Implementation Status
+
+| Component         | Status    | Notes                          |
+| ----------------- | --------- | ------------------------------ |
+| AppArmor Profiles | 🚧 WIP    | Basic structure in place       |
+| Nixpak Firefox    | ✅ Active | Firefox sandboxing via nixpak  |
+| Nixpak QQ         | ✅ Active | QQ application sandboxing      |
+| Bubblewrap WeChat | ✅ Active | WeChat specific sandboxing     |
+| System Profiles   | 🚧 WIP    | Hardened system configurations |
+
+## Directory Structure
+
+```
+hardening/
+├── README.md
+├── apparmor/           # AppArmor security profiles
+│   └── default.nix
+├── bwraps/            # Direct bubblewrap configurations
+│   ├── default.nix
+│   └── wechat.nix
+├── nixpaks/           # Nixpak application sandboxing
+│   ├── default.nix
+│   ├── firefox.nix
+│   ├── qq.nix
+│   └── modules/       # Reusable nixpak modules
+│       ├── gui-base.nix
+│       └── network.nix
+└── profiles/          # System hardening profiles
+    └── default.nix
+```

 ## Kernel Hardening

@@ -69,13 +108,6 @@ provide a much higher level of security.
 - [Paranoid NixOS Setup - xeiaso](https://xeiaso.net/blog/paranoid-nixos-2021-07-18/)
 - [nix-mineral](https://github.com/cynicsketch/nix-mineral): NixOS module for convenient system
  hardening.
- nixpak configs:
-  - https://github.com/pokon548/OysterOS/tree/b97604d89953373d6316286b96f6a964af2c398d/desktop/application
-  - https://github.com/segment-tree/my-nixos/tree/ceb6041f73bd9edcb78a8818b27a28f7c629193b/hm/me/apps/nixpak
-  - https://github.com/Keksgesicht/nixos-config/tree/91cc77d8d6b598da7c4dbed143e0009c2dea6940/packages/nixpak
-  - https://github.com/bluskript/nix-config/blob/7ecb6a7254c1ac4969072f4c4febdc19f8b83b30/pkgs/nixpak/default.nix
- firejail configs:
-  - https://github.com/stelcodes/nixos-config/blob/f8967c82a5e5f3d128eb1aaf7498b5f918f719ec/packages/overlay.nix#L261
 - apparmor configs:
  - https://github.com/zramctl/dotfiles/blob/4fe177f6984154960942bb47d5a375098ec6ed6a/modules/nixos/security/apparmor.nix#L4
  - https://git.grimmauld.de/Grimmauld/grimm-nixos-laptop/src/branch/main/hardening
@@ -1,5 +1,6 @@
 {
  pkgs,
+  pkgs-patched,
  nixpak,
  ...
 }:
@@ -14,21 +15,17 @@ let
      (sloth.concat' sloth.homeDir mapdir)
    ];
  };
-  wrapper = _pkgs: path: (_pkgs.callPackage path callArgs).config.script;
+  wrapper = _pkgs: path: (_pkgs.callPackage path callArgs);
 in
 {
  # Add nixpaked Apps into nixpkgs, and reference them in home-manager or other nixos modules
  nixpkgs.overlays = [
    (_: super: {
      nixpaks = {
-        qq = wrapper super ./qq.nix;
-        qq-desktop-item = super.callPackage ./qq-desktop-item.nix { };
-
+        qq = wrapper pkgs-patched ./qq.nix;
        wechat = wrapper super ./wechat.nix;
-        wechat-desktop-item = super.callPackage ./wechat-desktop-item.nix { };
-
+        telegram-desktop = wrapper super ./telegram-desktop.nix;
        firefox = wrapper super ./firefox.nix;
-        firefox-desktop-item = super.callPackage ./firefox-desktop-item.nix { };
      };
    })
  ];
@@ -1,11 +0,0 @@
-{ makeDesktopItem }:
-makeDesktopItem {
-  name = "firefox";
-  desktopName = "firefox";
-  exec = "firefox %U";
-  terminal = false;
-  icon = "firefox";
-  type = "Application";
-  categories = [ "Network" ];
-  comment = "firefox boxed";
-}
@@ -5,11 +5,16 @@
 # - Firefox's flatpak manifest: https://hg.mozilla.org/mozilla-central/file/tip/taskcluster/docker/firefox-flatpak/runme.sh#l151
 {
  lib,
-  pkgs,
+  firefox-wayland,
  mkNixPak,
+  buildEnv,
+  makeDesktopItem,
  ...
 }:
-mkNixPak {
+
+let
+  appId = "org.mozilla.firefox";
+  wrapped = mkNixPak {
    config =
      {
        config,
@@ -18,14 +23,15 @@ mkNixPak {
      }:
      {
        app = {
-        package = pkgs.firefox-wayland;
+          package = firefox-wayland;
          binPath = "bin/firefox";
        };
-      flatpak.appId = "org.mozilla.firefox";
+        flatpak.appId = appId;

        imports = [
          ./modules/gui-base.nix
          ./modules/network.nix
+          ./modules/common.nix
        ];

        # list all dbus services:
@@ -35,20 +41,15 @@ mkNixPak {
          "org.mozilla.firefox.*" = "own"; # firefox
          "org.mozilla.firefox_beta.*" = "own"; # firefox beta
          "org.mpris.MediaPlayer2.firefox.*" = "own";
-        "org.freedesktop.NetworkManager" = "talk";

          "org.gnome.Shell.Screencast" = "talk";
          # System tray icon
          "org.freedesktop.Notifications" = "talk";
          "org.kde.StatusNotifierWatcher" = "talk";
-        # File Manager
-        "org.freedesktop.FileManager1" = "talk";
-        # Uses legacy StatusNotifier implementation
-        "org.kde.*" = "own";
        };

        bubblewrap = {
-        # To trace all the home files QQ accesses, you can use the following nushell command:
+          # To trace all the home files Firefox accesses, you can use the following nushell command:
          #   just trace-access firefox
          # See the Justfile in the root of this repository for more information.
          bind.rw = [
@@ -85,4 +86,55 @@ mkNixPak {
          };
        };
      };
+  };
+  exePath = lib.getExe wrapped.config.script;
+in
+buildEnv {
+  inherit (wrapped.config.script) name meta passthru;
+  paths = [
+    wrapped.config.script
+    (makeDesktopItem {
+      name = appId;
+      desktopName = "Firefox";
+      genericName = "Firefox Boxed";
+      comment = "Firefox Browser";
+      exec = "${exePath} %U";
+      terminal = false;
+      icon = "firefox";
+      startupNotify = true;
+      startupWMClass = "firefox";
+      type = "Application";
+      categories = [
+        "Network"
+        "WebBrowser"
+      ];
+      mimeTypes = [
+        "text/html"
+        "text/xml"
+        "application/xhtml+xml"
+        "application/vnd.mozilla.xul+xml"
+        "x-scheme-handler/http"
+        "x-scheme-handler/https"
+      ];
+
+      actions = {
+        new-private-window = {
+          name = "New Private Window";
+          exec = "${exePath} --private-window %U";
+        };
+        new-window = {
+          name = "New Window";
+          exec = "${exePath} --new-window %U";
+        };
+        profile-manager-window = {
+          name = "Profile Manager";
+          exec = "${exePath} --ProfileManager";
+        };
+      };
+
+      extraConfig = {
+        X-Flatpak = appId;
+      };
+    })
+  ];
 }
@@ -0,0 +1,236 @@
+{
+  lib,
+  pkgs,
+  sloth,
+  config,
+  ...
+}:
+{
+  config = {
+    dbus =
+      let
+        inherit (config.flatpak) appId;
+      in
+      {
+        policies = {
+          "${appId}" = "own";
+          "${appId}.*" = "own";
+          "org.freedesktop.DBus" = "talk";
+          "org.gtk.vfs.*" = "talk";
+          "org.gtk.vfs" = "talk";
+          "ca.desrt.dconf" = "talk";
+          "org.freedesktop.portal.*" = "talk";
+          "org.a11y.Bus" = "talk";
+          "org.freedesktop.appearance" = "talk";
+          "org.freedesktop.appearance.*" = "talk";
+        }
+        // (builtins.listToAttrs (
+          map (id: lib.nameValuePair "org.kde.StatusNotifierItem-${toString id}-1" "own") (
+            lib.lists.range 2 11
+          )
+        ))
+        // {
+          # --- MPRIS Media Control ---
+          # Allows the app to register as a media player. These are derived from the appID.
+          "org.mpris.MediaPlayer2.${appId}" = "own";
+          "org.mpris.MediaPlayer2.${appId}.*" = "own";
+          "org.mpris.MediaPlayer2.${lib.lists.last (lib.strings.splitString "." appId)}" = "own";
+          "org.mpris.MediaPlayer2.${lib.lists.last (lib.strings.splitString "." appId)}.*" = "own";
+          # Conditionally allows a custom, friendlier MPRIS name if 'mprisName' is set.
+          #       "org.mpris.MediaPlayer2.${mprisName}" = "own";
+          #       "org.mpris.MediaPlayer2.${mprisName}.*" = "own";
+
+          # --- General Desktop Integration ---
+          "com.canonical.AppMenu.Registrar" = "talk"; # For Ubuntu AppMenu
+          "org.freedesktop.FileManager1" = "talk";
+          "org.freedesktop.Notifications" = "talk";
+
+          # --- Accessibility (a11y) ---
+          "org.a11y.Bus" = "see";
+
+          # --- Portal Access ---
+          "org.freedesktop.portal.Documents" = "talk";
+          "org.freedesktop.portal.FileTransfer" = "talk";
+          "org.freedesktop.portal.FileTransfer.*" = "talk";
+          "org.freedesktop.portal.Notification" = "talk";
+          "org.freedesktop.portal.OpenURI" = "talk";
+          "org.freedesktop.portal.OpenURI.OpenFile" = "talk";
+          "org.freedesktop.portal.OpenURI.OpenURI" = "talk";
+          "org.freedesktop.portal.Print" = "talk";
+          "org.freedesktop.portal.Request" = "see";
+
+          # --- Input Method Portals ---
+          "org.freedesktop.portal.Fcitx" = "talk";
+          "org.freedesktop.portal.Fcitx.*" = "talk";
+          "org.freedesktop.portal.IBus" = "talk";
+          "org.freedesktop.portal.IBus.*" = "talk";
+        };
+        rules = {
+          # 'call' rules permit specific method calls on D-Bus interfaces.
+          call = {
+            # --- Accessibility ---
+            "org.a11y.Bus" = [
+              "org.a11y.Bus.GetAddress@/org/a11y/bus"
+              "org.freedesktop.DBus.Properties.Get@/org/a11y/bus"
+            ];
+
+            # --- General Portal Rules ---
+            "org.freedesktop.FileManager1" = [ "*" ];
+            "org.freedesktop.Notifications.*" = [ "*" ];
+            "org.freedesktop.portal.Documents" = [ "*" ];
+            "org.freedesktop.portal.FileTransfer" = [ "*" ];
+            "org.freedesktop.portal.FileTransfer.*" = [ "*" ];
+            "org.freedesktop.portal.Fcitx" = [ "*" ];
+            "org.freedesktop.portal.Fcitx.*" = [ "*" ];
+            "org.freedesktop.portal.IBus" = [ "*" ];
+            "org.freedesktop.portal.IBus.*" = [ "*" ];
+            "org.freedesktop.portal.Notification" = [ "*" ];
+            "org.freedesktop.portal.OpenURI" = [ "*" ];
+            "org.freedesktop.portal.OpenURI.OpenFile" = [ "*" ];
+            "org.freedesktop.portal.OpenURI.OpenURI" = [ "*" ];
+            "org.freedesktop.portal.Print" = [ "*" ];
+            "org.freedesktop.portal.Request" = [ "*" ];
+
+            # --- Main Desktop Portal Interface ---
+            # A comprehensive list of permissions for interacting with the desktop environment.
+            "org.freedesktop.portal.Desktop" = [
+              # Device Access
+              "org.freedesktop.portal.Camera"
+              "org.freedesktop.portal.Camera.*"
+              "org.freedesktop.portal.Usb"
+              "org.freedesktop.portal.Usb.*"
+
+              # File Chooser & Documents
+              "org.freedesktop.portal.Documents"
+              "org.freedesktop.portal.Documents.*"
+              "org.freedesktop.portal.FileChooser"
+              "org.freedesktop.portal.FileChooser.*"
+              "org.freedesktop.portal.FileTransfer"
+              "org.freedesktop.portal.FileTransfer.*"
+
+              # Input Methods
+              "org.freedesktop.portal.Fcitx"
+              "org.freedesktop.portal.Fcitx.*"
+              "org.freedesktop.portal.IBus"
+              "org.freedesktop.portal.IBus.*"
+
+              # Notifications & Printing
+              "org.freedesktop.portal.Notification"
+              "org.freedesktop.portal.Notification.*"
+              "org.freedesktop.portal.Print"
+              "org.freedesktop.portal.Print.*"
+
+              # Open/Launch Handlers
+              "org.freedesktop.portal.Email.ComposeEmail"
+              "org.freedesktop.portal.OpenURI"
+              "org.freedesktop.portal.OpenURI.*"
+
+              # Properties & Session Management
+              "org.freedesktop.DBus.Properties.GetAll"
+              "org.freedesktop.DBus.Properties.Get@/org/freedesktop/portal/desktop"
+              "org.freedesktop.portal.Session.Close"
+
+              # Screen Capture & Sharing
+              "org.freedesktop.portal.RemoteDesktop"
+              "org.freedesktop.portal.RemoteDesktop.*"
+              "org.freedesktop.portal.ScreenCast"
+              "org.freedesktop.portal.ScreenCast.*"
+              "org.freedesktop.portal.Screenshot"
+              "org.freedesktop.portal.Screenshot.Screenshot"
+
+              # Secrets (Keyring)
+              "org.freedesktop.portal.Secret"
+              "org.freedesktop.portal.Secret.RetrieveSecret"
+
+              # Settings
+              "org.freedesktop.portal.Settings.Read"
+              "org.freedesktop.portal.Settings.ReadAll"
+
+              # System Information
+              "org.freedesktop.portal.Account.GetUserInformation"
+              "org.freedesktop.portal.NetworkMonitor"
+              "org.freedesktop.portal.NetworkMonitor.*"
+              "org.freedesktop.portal.ProxyResolver.Lookup"
+              "org.freedesktop.portal.ProxyResolver.Lookup.*"
+
+              # Generic Request Fallback
+              "org.freedesktop.portal.Request"
+
+              # --- Conditional Portal Rules ---
+              # These would be enabled based on config flags in a real implementation.
+
+              # Enabled if 'allowGlobalShortcuts = true'
+              "org.freedesktop.portal.GlobalShortcuts"
+              "org.freedesktop.portal.GlobalShortcuts.*"
+
+              # Enabled if 'allowInhibit = true'
+              "org.freedesktop.portal.Inhibit"
+              "org.freedesktop.portal.Inhibit.*"
+
+              # Enabled if 'XDG_CURRENT_DESKTOP = "GNOME"'
+              "org.freedesktop.portal.Location"
+              "org.freedesktop.portal.Location.*"
+            ];
+          };
+
+          # 'broadcast' rules permit receiving signals from D-Bus names.
+          broadcast = {
+            "org.freedesktop.portal.*" = [ "@/org/freedesktop/portal/*" ];
+          };
+        };
+        args = [
+          "--filter"
+          "--sloppy-names"
+          "--log"
+        ];
+      };
+
+    etc.sslCertificates.enable = true;
+    bubblewrap = {
+      network = lib.mkDefault true;
+      sockets = {
+        wayland = true;
+        pulse = true;
+      };
+
+      bind.rw = with sloth; [
+        [
+          (mkdir appDataDir)
+          xdgDataHome
+        ]
+        [
+          (mkdir appConfigDir)
+          xdgConfigHome
+        ]
+        [
+          (mkdir appCacheDir)
+          xdgCacheHome
+        ]
+
+        (sloth.concat [
+          sloth.runtimeDir
+          "/"
+          (sloth.envOr "WAYLAND_DISPLAY" "no")
+        ])
+        (sloth.concat' sloth.runtimeDir "/at-spi/bus")
+        (sloth.concat' sloth.runtimeDir "/gvfsd")
+        (sloth.concat' sloth.runtimeDir "/dconf")
+
+        (sloth.concat' sloth.xdgCacheHome "/fontconfig")
+        (sloth.concat' sloth.xdgCacheHome "/mesa_shader_cache")
+        (sloth.concat' sloth.xdgCacheHome "/mesa_shader_cache_db")
+        (sloth.concat' sloth.xdgCacheHome "/radv_builtin_shaders")
+      ];
+      bind.ro = [
+        (sloth.concat' sloth.runtimeDir "/doc")
+        (sloth.concat' sloth.xdgConfigHome "/kdeglobals")
+        (sloth.concat' sloth.xdgConfigHome "/gtk-2.0")
+        (sloth.concat' sloth.xdgConfigHome "/gtk-3.0")
+        (sloth.concat' sloth.xdgConfigHome "/gtk-4.0")
+        (sloth.concat' sloth.xdgConfigHome "/fontconfig")
+        (sloth.concat' sloth.xdgConfigHome "/dconf")
+      ];
+      bind.dev = [ "/dev/shm" ] ++ (map (id: "/dev/video${toString id}") (lib.lists.range 0 9));
+    };
+  };
+}
@@ -16,15 +16,7 @@ in
  config = {
    dbus.policies = {
      "${config.flatpak.appId}" = "own";
-      "org.freedesktop.DBus" = "talk";
-      "org.gtk.vfs.*" = "talk";
-      "org.gtk.vfs" = "talk";
-      "ca.desrt.dconf" = "talk";
-      "org.a11y.Bus" = "talk";
-
-      # for default portal & gtk/hyprland's portal
-      "org.freedesktop.portal.*" = "talk";
-      "org.freedesktop.impl.portal.desktop.*" = "talk";
+      # we add other policies in ./common.nix
    };
    # https://github.com/nixpak/nixpak/blob/master/modules/gpu.nix
    # 1. bind readonly - /run/opengl-driver
@@ -69,8 +61,8 @@ in
        (sloth.concat' sloth.xdgConfigHome "/fontconfig")

        "/etc/fonts" # for fontconfig
-        "/etc/machine-id"
-        "/etc/localtime"
+        "/etc/localtime" # this is a symlink to /etc/zoneinfo/xxx
+        "/etc/zoneinfo"

        # Fix: libEGL warning: egl: failed to create dri2 screen
        "/etc/egl"
@@ -1,17 +0,0 @@
-{
-  makeDesktopItem,
-  qq,
-}:
-makeDesktopItem {
-  name = "qq";
-  desktopName = "QQ";
-  exec = "${qq}/bin/qq %U";
-  terminal = false;
-  # To find the icon name(nushell):
-  #   let p = NIXPKGS_ALLOW_UNFREE=1 nix eval --impure nixpkgs#qq.outPath | str trim --char '"'
-  #   tree $"($p)/share/icons"
-  icon = "${qq}/share/icons/hicolor/512x512/apps/qq.png";
-  type = "Application";
-  categories = [ "Network" ];
-  comment = "QQ boxed";
-}
@@ -5,26 +5,30 @@
 # - QQ's flatpak manifest: https://github.com/flathub/com.qq.QQ/blob/master/com.qq.QQ.yaml
 {
  lib,
-  pkgs,
+  qq,
  mkNixPak,
+  buildEnv,
+  makeDesktopItem,
  ...
 }:
-mkNixPak {
+
+let
+  appId = "com.qq.QQ";
+
+  wrapped = mkNixPak {
    config =
      { sloth, ... }:
      {
        app = {
-        package = pkgs.qq.override {
-          # fix fcitx5 input method
-          commandLineArgs = lib.concatStringsSep " " [ "--enable-wayland-ime" ];
-        };
+          package = qq;
          binPath = "bin/qq";
        };
-      flatpak.appId = "com.tencent.qq";
+        flatpak.appId = appId;

        imports = [
          ./modules/gui-base.nix
          ./modules/network.nix
+          ./modules/common.nix
        ];

        # list all dbus services:
@@ -45,15 +49,6 @@ mkNixPak {
          #   just trace-access qq
          # See the Justfile in the root of this repository for more information.
          bind.rw = [
-          # given the read write permission to the following directories.
-          # NOTE: sloth.mkdir is used to create the directory if it does not exist!
-          (sloth.mkdir (
-            sloth.concat [
-              sloth.xdgConfigHome
-              "/QQ"
-            ]
-          ))
-
            sloth.xdgDocumentsDir
            sloth.xdgDownloadDir
            sloth.xdgMusicDir
@@ -66,4 +61,31 @@ mkNixPak {
          };
        };
      };
+  };
+  exePath = lib.getExe wrapped.config.script;
+in
+buildEnv {
+  inherit (wrapped.config.script) name meta passthru;
+  paths = [
+    wrapped.config.script
+    (makeDesktopItem {
+      name = appId;
+      desktopName = "QQ";
+      genericName = "QQ Boxed";
+      comment = "Tencent QQ, also known as QQ, is an instant messaging software service and web portal developed by the Chinese technology company Tencent.";
+      exec = "${exePath} %U";
+      terminal = false;
+      icon = "${qq}/share/icons/hicolor/512x512/apps/qq.png";
+      startupNotify = true;
+      startupWMClass = "QQ";
+      type = "Application";
+      categories = [
+        "InstantMessaging"
+        "Network"
+      ];
+      extraConfig = {
+        X-Flatpak = appId;
+      };
+    })
+  ];
 }
@@ -0,0 +1,104 @@
+{
+  lib,
+  telegram-desktop,
+  buildEnv,
+  mkNixPak,
+  makeDesktopItem,
+  ...
+}:
+let
+  appId = "org.telegram.desktop";
+  wrapped = mkNixPak {
+    config =
+      { sloth, ... }:
+      {
+        imports = [
+          ./modules/gui-base.nix
+          ./modules/network.nix
+          ./modules/common.nix
+        ];
+        app.package = telegram-desktop;
+        flatpak = {
+          appId = appId;
+        };
+        dbus = {
+          enable = true;
+          policies = {
+            "org.gnome.Mutter.IdleMonitor" = "talk";
+            "org.freedesktop.Notifications" = "talk";
+            "org.kde.StatusNotifierWatcher" = "talk";
+            "com.canonical.AppMenu.Registrar" = "talk";
+            "com.canonical.indicator.application" = "talk";
+            "org.ayatana.indicator.application" = "talk";
+            "org.sigxcpu.Feedback" = "talk";
+          };
+        };
+
+        bubblewrap = {
+          bind.rw = [
+            sloth.xdgDocumentsDir
+            sloth.xdgDownloadDir
+            sloth.xdgMusicDir
+            sloth.xdgVideosDir
+          ];
+          sockets = {
+            x11 = false;
+            wayland = true;
+            pipewire = true;
+          };
+        };
+      };
+  };
+  exePath = lib.getExe wrapped.config.script;
+in
+buildEnv {
+  inherit (wrapped.config.script) name meta passthru;
+  paths = [
+    wrapped.config.script
+    (makeDesktopItem {
+      name = appId;
+      desktopName = "Telegram";
+      comment = "New era of messaging";
+      tryExec = "${exePath}";
+      exec = "${exePath} -- %u";
+      icon = appId;
+      startupNotify = true;
+      startupWMClass = appId;
+      terminal = false;
+      type = "Application";
+      categories = [
+        "Chat"
+        "Network"
+        "InstantMessaging"
+        "Qt"
+      ];
+      mimeTypes = [
+        "x-scheme-handler/tg"
+        "x-scheme-handler/tonsite"
+      ];
+      keywords = [
+        "tg"
+        "chat"
+        "im"
+        "messaging"
+        "messenger"
+        "sms"
+        "tdesktop"
+      ];
+      actions = {
+        quit = {
+          name = "Quit Telegram";
+          exec = "${exePath} -quit";
+          icon = "application-exit";
+        };
+      };
+      extraConfig = {
+        X-Flatpak = appId;
+        DBusActivatable = "true";
+        SingleMainWindow = "true";
+        X-GNOME-UsesNotifications = "true";
+        X-GNOME-SingleWindow = "true";
+      };
+    })
+  ];
+}
@@ -1,5 +1,49 @@
 # Home Manager's Submodules

-1. `base`: The base module that is suitable for both Linux and macOS.
-2. `linux`: Linux-specific configuration.
-3. `darwin`: macOS-specific configuration.
+This directory contains all Home Manager configurations organized by platform and functionality.
+
+## Current Structure
+
+```
+home/
+├── base/              # Cross-platform home manager configurations
+│   ├── core/          # Essential applications and settings
+│   │   ├── editors/   # Editor configurations (Neovim, Helix)
+│   │   ├── shells/    # Shell configurations (Nushell, Zellij)
+│   │   └── ...
+│   ├── gui/           # GUI applications and desktop settings
+│   │   ├── terminal/  # Terminal emulators (Kitty, Alacritty, etc.)
+│   │   └── ...
+│   ├── tui/           # Terminal/TUI applications
+│   │   ├── editors/   # TUI editors and related tools
+│   │   ├── encryption/ # GPG, password-store, etc.
+│   │   └── ...
+│   └── home.nix       # Main home manager entry point
+├── linux/             # Linux-specific home manager configurations
+│   ├── base/          # Linux base configurations
+│   ├── gui/           # Linux GUI applications
+│   │   ├── hyprland/  # Hyprland window manager
+│   │   ├── niri/      # Niri window manager
+│   │   └── ...
+│   ├── editors/       # Linux-specific editors
+│   └── ...
+└── darwin/            # macOS-specific home manager configurations
+    ├── aerospace/     # macOS window manager
+    ├── proxy/         # Proxy configurations
+    └── ...
+```
+
+## Module Overview
+
+1. **base**: The base module suitable for both Linux and macOS
+   - Cross-platform applications and settings
+   - Shared configurations for editors, shells, and essential tools
+
+2. **linux**: Linux-specific configuration
+   - Desktop environments (Hyprland, Niri)
+   - Linux-specific GUI applications
+   - System integration tools
+
+3. **darwin**: macOS-specific configuration
+   - macOS applications and services
+   - Platform-specific integrations (Aerospace, Squirrel, etc.)
@@ -1,5 +1,66 @@
 # Home Manager's Base Submodules

-1. `server`: Configuration which is suitable for both servers and desktops.
-1. `desktop`: Configuration for desktop environments, such as Hyprland, I3, etc.
-1. `core.nix`: Minimal home-manager's config
+This directory contains cross-platform base configurations that are shared between Linux and Darwin
+systems.
+
+## Configuration Structure
+
+### Core System
+
+- **core/**: Essential cross-platform configurations
+  - **core.nix**: Minimal home-manager configuration
+  - **shells/**: Shell configurations (bash, zsh, fish, nu)
+  - **editors/**: Text editor configurations
+    - **neovim/**: Neovim with custom plugins and settings
+    - **helix/**: Helix editor configuration
+  - **btop.nix**: System monitoring tools
+  - **git.nix**: Git configuration and aliases
+  - **npm.nix**: Node.js package management
+  - **pip.nix**: Python package management
+  - **starship.nix**: Cross-shell prompt configuration
+  - **theme.nix**: Color schemes and theming
+  - **yazi.nix**: Terminal file manager configuration
+  - **zellij/**: Terminal multiplexer with custom layouts
+
+### Desktop Environment
+
+- **gui/**: Cross-platform GUI applications and configurations
+  - **dev-tools.nix**: Development tools and IDEs
+  - **media.nix**: Media players and utilities
+  - **terminal/**: Terminal emulator configurations
+    - **alacritty/**: Alacritty terminal
+    - **kitty/**: Kitty terminal
+    - **foot/**: Foot terminal (Linux)
+    - **ghostty/**: Ghostty terminal
+
+### Terminal Interface
+
+- **tui/**: Terminal-based interface configurations
+  - **cloud/**: Cloud development tools (Terraform, etc.)
+  - **container.nix**: Container tools (Docker, Podman)
+  - **dev-tools.nix**: Terminal-based development tools
+  - **editors/**: Terminal editor configurations
+  - **encryption/**: Encryption and security tools
+  - **gpg/**: GPG key management
+  - **password-store/**: Password management with pass
+  - **shell.nix**: Shell environment configurations
+  - **ssh/**: SSH configuration and management
+  - **zellij/**: Terminal workspace management
+
+### System Management
+
+- **home.nix**: Main home manager configuration file
+
+## Platform Compatibility
+
+All configurations in this directory are designed to work across:
+
+- **Linux**: All distributions with Nix and Home Manager
+- **macOS**: Darwin systems with Home Manager
+- **WSL**: Windows Subsystem for Linux
+
+## Usage
+
+These base configurations provide the foundation for both Linux and Darwin systems, ensuring
+consistent environments across different platforms while allowing for platform-specific
+customizations.
@@ -1,3 +1,10 @@
 # Editors

-See [desktop/editors/](../../desktop/editors/) for more details.
+This directory contains editor configurations that are shared across different environments.
+
+## Available Editors
+
+- **neovim/**: Neovim configuration with AstroNvim
+- **helix/**: Helix editor configuration
+
+These configurations are designed to work across both terminal and GUI environments.
@@ -6,20 +6,24 @@
    enableZshIntegration = true;
    enableNushellIntegration = true;

+    # https://starship.rs/config/
    settings = {
+      # Get editor completions based on the config schema
+      "$schema" = "https://starship.rs/config-schema.json";
      character = {
-        success_symbol = "[›](bold green)";
-        error_symbol = "[›](bold red)";
+        success_symbol = "[➜](bold green)";
+        error_symbol = "[➜](bold red)";
      };
-      aws = {
-        symbol = "🅰 ";
-      };
-      gcloud = {
-        # do not show the account/project's info
-        # to avoid the leak of sensitive information when sharing the terminal
-        format = "on [$symbol$active(\($region\))]($style) ";
-        symbol = "🅶 ️";
+      # I never rely on the defaults, so this module is useless to me—disabled.
+      # I prefer adding --project, --region to very gcloud/aws command.
+      aws.disabled = true;
+      gcloud.disabled = true;
+
+      kubernetes = {
+        symbol = "⛵";
+        disabled = false;
      };
+      os.disabled = false;
    };
  };
 }
@@ -1,6 +1,6 @@
 {
  pkgs,
-  pkgs-unstable,
+  pkgs-stable,
  nur-ryan4yin,
  ...
 }:
@@ -14,6 +14,7 @@

    kubectl
    kubectx # kubectx & kubens
+    kubie # same as kubectl-ctx, but per-shell (won’t touch kubeconfig).
    kubectl-view-secret # kubectl view-secret
    kubectl-tree # kubectl tree
    kubectl-node-shell # exec into node
@@ -24,7 +25,7 @@
    istioctl
    clusterctl # for kubernetes cluster-api
    kubevirt # virtctl
-    kubernetes-helm
+    pkgs-stable.kubernetes-helm
    fluxcd
    argocd

@@ -18,6 +18,8 @@
  home.packages = with pkgs; [
    colmena # nixos's remote deployment tool

+    tokei # count lines of code, alternative to cloc
+
    # db related
    mycli
    pgcli
@@ -34,7 +36,6 @@
    devbox
    bfg-repo-cleaner # remove large files from git history
    k6 # load testing tool
-    protobuf # protocol buffer compiler

    # solve coding extercises - learn by doing
    exercism
@@ -30,7 +30,7 @@

        #-- dockerfile
        hadolint # Dockerfile linter
-        nodePackages.dockerfile-language-server-nodejs
+        dockerfile-language-server

        #-- markdown
        marksman # language server for markdown
@@ -63,14 +63,15 @@
          vscode-extensions.vadimcn.vscode-lldb.adapter # codelldb - debugger

          #-- python
-          pipx # Install and Run Python Applications in Isolated Environments
-          uv # python project package manager
-          pyright # python language server
          (python313.withPackages (
            ps: with ps; [
+              # python language server
+              pyright
              ruff
+
+              pipx # Install and Run Python Applications in Isolated Environments
              black # python formatter
-              # debugpy
+              uv # python project package manager

              # my commonly used python packages
              jupyter
@@ -80,6 +81,10 @@
              pyquery
              pyyaml
              boto3
+
+              # misc
+              protobuf # protocol buffer compiler
+              numpy
            ]
          ))

@@ -9,8 +9,21 @@
  programs.ssh = {
    enable = true;

+    # default config
+    enableDefaultConfig = false;
+    matchBlocks."*" = {
+      forwardAgent = false;
      # "a private key that is used during authentication will be added to ssh-agent if it is running"
      addKeysToAgent = "yes";
+      compression = true;
+      serverAliveInterval = 0;
+      serverAliveCountMax = 3;
+      hashKnownHosts = false;
+      userKnownHostsFile = "~/.ssh/known_hosts";
+      controlMaster = "no";
+      controlPath = "~/.ssh/master-%r@%n:%p";
+      controlPersist = "no";
+    };

    matchBlocks = {
      "github.com" = {
@@ -1,6 +1,33 @@
 # Home Manager's Darwin Submodules

-1. `core.nix`: some basic configuration.
-2. `shell.nix`: shell related.
-3. `rime-squirrel.nix`: [rime-squirrel](https://github.com/rime/squirrel)'s configuration.
-4. `default.nix`: the entrypoint of darwin's configuration, it import all the submodules above.
+This directory contains macOS-specific Home Manager configurations for Darwin systems.
+
+## Configuration Modules
+
+### Core Configurations
+
+- **default.nix**: Entry point that imports all Darwin configurations
+- **shell.nix**: Shell configurations and environment settings
+- **rime-squirrel.nix**: [Rime Squirrel](https://github.com/rime/squirrel) input method
+  configuration
+
+### Window Management
+
+- **aerospace/**: [Aerospace](https://github.com/nikitabobko/AeroSpace) tiling window manager
+  configuration
+  - Custom keybindings and workspace management
+  - Application-specific window rules
+
+### Network Configuration
+
+- **proxy/**: Network proxy configurations
+  - `proxychains.conf`: Proxy chains configuration for network routing
+  - Proxy settings for development tools and applications
+
+## Features
+
+- macOS-specific package installations and configurations
+- Native macOS applications and utilities
+- Touch ID and system integration
+- Homebrew integration for additional packages
+- macOS-specific shell configurations and aliases
@@ -1,10 +1,34 @@
 # Home Manager's Linux Submodules

-1. `base`: The base module that is suitable for any NixOS environment.
-2. `desktop`: Configuration for desktop environments, such as Hyprland, I3, etc.
-3. `server.nix`: Configuration which is suitable for both servers and desktops. It import only
-   `base` as its submodule.
-   1. used by all my nixos servers.
-4. `desktop.nix`: the entrypoint of desktop's configuration, it import both `base` and `desktop` as
-   its submodules.
-   1. used by all my nixos desktops.
+This directory contains Linux-specific Home Manager configurations organized for different use
+cases.
+
+## Configuration Modules
+
+### Core Configurations
+
+- **core.nix**: Essential Linux-specific configurations and settings
+- **base/**: Base Linux configurations including shell, tools, and utilities
+  - `shell.nix`: Shell configurations and aliases
+  - `tools.nix`: Essential command-line tools and utilities
+
+### Desktop Configurations
+
+- **gui/**: Desktop environment configurations
+  - **hyprland/**: Hyprland window manager with custom keybindings and settings
+  - **niri/**: Niri compositor configuration
+  - **base/**: Common desktop applications and services
+  - **editors/**: Text editor configurations for desktop environments
+
+### Available Entry Points
+
+- **core.nix**: Core Linux configuration, suitable for basic setups
+- **tui.nix**: Terminal-based interface configuration for lightweight environments
+- **gui.nix**: Graphical user interface configuration entry point, imports desktop environments
+
+## Usage
+
+- **Lightweight/Terminal**: Use `core.nix` or `tui.nix` for terminal-focused setups
+- **Desktops**: Use `gui.nix` for full desktop environments with window managers like Hyprland or
+  Niri
+- **Custom**: Mix and match configurations as needed for your specific use case
@@ -1,17 +1,49 @@
-# Desktop Related
+# Desktop Environment Configurations

-3. `base`: all common configurations for all desktops.
-4. `hyprland`: Hyprland's configuration.
-
-## Why install I3/Hyprland in Home Manager instead of a NixOS Module?
-
-1. I3 & Hyprland's configuration file is located in `~/.config`, which can be easily managed by Home
+This directory contains desktop environment and window manager configurations managed by Home
 Manager.
-2. I have many user-specific systemd services, such gammastep, wallpaper-switcher, etc. Which can be
-   easily managed by Home Manager, but if we add i3/hyprland in a NixOS Module, those user-level
-   services may failed to start automatically. With i3/hyprland in a Home Manager Module, we can
-   control their systemd service's dependent order more easily, so we can avoid issues like this.
-3. By install packages as less as possible in NixOS Module, we can:
-   1. Make the NixOS system more secure and stable.
-   2. Make this flake more portable to other non-NixOS systems, as home-manager can be installed on
-      any Linux system.
+
+## Available Configurations
+
+### Window Managers
+
+- **hyprland**: Hyprland compositor configuration with custom keybindings, settings, and window
+  rules
+- **niri**: Niri compositor configuration with custom settings, keybindings, spawn-at-startup rules,
+  and window rules
+
+### Base Desktop Environment
+
+- **base**: Common desktop configurations shared across all environments, including:
+  - Desktop applications (anyrun, mako, waybar, wlogout)
+  - Creative tools and media applications
+  - Development tools
+  - Eye protection utilities (gammastep)
+  - Fcitx5 input method framework
+  - Games and gaming utilities
+  - GTK theme configurations
+  - Immutable file handling
+  - Note-taking applications
+  - Wallpaper management with auto-switcher
+  - Wayland applications
+  - XDG desktop configurations
+
+### Editor Configurations
+
+- **editors**: Text editor configurations and integrations
+
+## Why install Desktop Environments in Home Manager instead of NixOS Module?
+
+1. **Configuration Location**: Desktop environment configuration files are located in `~/.config`,
+   which can be easily managed by Home Manager.
+
+2. **User-specific Services**: Many user-specific systemd services (gammastep, wallpaper-switcher,
+   etc.) can be easily managed by Home Manager. If desktop environments were configured via NixOS
+   Module, these user-level services might fail to start automatically. With Home Manager modules,
+   we can control systemd service dependency order more effectively.
+
+3. **System Benefits**: By minimizing package installation through NixOS Module:
+   - Makes the NixOS system more secure and stable
+   - Increases portability to non-NixOS systems, as Home Manager can be installed on any Linux
+     system
+   - Allows for easier switching between different window managers without system-level changes
@@ -32,10 +32,10 @@
      ldtk # A modern, versatile 2D level editor

      # fpga
-      python313Packages.apycula # gowin fpga
-      yosys # fpga synthesis
-      nextpnr # fpga place and route
-      openfpgaloader # fpga programming
+      # python313Packages.apycula # gowin fpga
+      # yosys # fpga synthesis
+      # nextpnr # fpga place and route
+      # openfpgaloader # fpga programming
      # nur-ryan4yin.packages.${pkgs.system}.gowin-eda-edu-ide # app: `gowin-env` => `gw_ide` / `gw_pack` / ...
    ]);

@@ -3,83 +3,64 @@
  anyrun,
  ...
 }:
+
+let
+  anyrunPackages = anyrun.packages.${pkgs.system};
+in
 {
-  programs.anyrun = {
-    enable = true;
-    config = {
-      plugins = with anyrun.packages.${pkgs.system}; [
-        applications
-        randr
-        rink
-        shell
-        symbols
-        translate
+
+  imports = [
+    (
+      { modulesPath, ... }:
+      {
+        # Important! We disable home-manager's module to avoid option
+        # definition collisions
+        disabledModules = [ "${modulesPath}/programs/anyrun.nix" ];
+      }
+    )
+    anyrun.homeManagerModules.default
  ];

-      width.fraction = 0.3;
-      y.absolute = 15;
-      hidePluginInfo = true;
+  programs.anyrun = {
+    enable = true;
+    # The package should come from the same flake as all the plugins to avoid breakage.
+    package = anyrunPackages.anyrun;
+    config = {
+      # The horizontal position.
+      # when using `fraction`, it sets a fraction of the width or height of the screen
+      x.fraction = 0.5; # at the middle of the screen
+      # The vertical position.
+      y.fraction = 0.05; # at the top of the screen
+      # The width of the runner.
+      width.fraction = 0.3; # 30% of the screen
+
+      hideIcons = false;
+      ignoreExclusiveZones = false;
+      layer = "overlay";
+      hidePluginInfo = false;
      closeOnClick = true;
+      showResultsImmediately = true;
+      maxEntries = null;
+
+      # https://github.com/anyrun-org/anyrun/tree/master/plugins
+      plugins = with anyrunPackages; [
+        applications # Launch applications
+        dictionary # Look up word definitions using the Free Dictionary API.
+        nix-run # search & run graphical apps from nixpkgs via `nix run`, without installing it.
+        # randr         # quickly change monitor configurations on the fly
+        rink # A simple calculator plugin
+        symbols # Look up unicode symbols and custom user defined symbols.
+        translate # ":zh <text to translate>" Quickly translate text using the Google Translate API.
+        niri-focus # Search for & focus the window via title/appid on Niri
+      ];
    };

-    # custom css for anyrun, based on catppuccin-mocha
-    extraCss = ''
-      @define-color bg-col  rgba(30, 30, 46, 0.7);
-      @define-color bg-col-light rgba(150, 220, 235, 0.7);
-      @define-color border-col rgba(30, 30, 46, 0.7);
-      @define-color selected-col rgba(150, 205, 251, 0.7);
-      @define-color fg-col #D9E0EE;
-      @define-color fg-col2 #F28FAD;
-
-      * {
-        transition: 200ms ease;
-        font-family: "Maple Mono NF CN";
-        font-size: 1.3rem;
-      }
-
-      #window {
-        background: transparent;
-      }
-
-      #plugin,
-      #main {
-        border: 3px solid @border-col;
-        color: @fg-col;
-        background-color: @bg-col;
-      }
-      /* anyrun's input window - Text */
-      #entry {
-        color: @fg-col;
-        background-color: @bg-col;
-      }
-
-      /* anyrun's output matches entries - Base */
-      #match {
-        color: @fg-col;
-        background: @bg-col;
-      }
-
-      /* anyrun's selected entry - Red */
-      #match:selected {
-        color: @fg-col2;
-        background: @selected-col;
-      }
-
-      #match {
-        padding: 3px;
-        border-radius: 16px;
-      }
-
-      #entry, #plugin:hover {
-        border-radius: 16px;
-      }
-
-      box#main {
-        background: rgba(30, 30, 46, 0.7);
-        border: 1px solid @border-col;
-        border-radius: 15px;
-        padding: 5px;
-      }
-    '';
+    extraConfigFiles = {
+      "symbols.ron".source = ./conf/anyrun/symbols.ron;
+      "applications.ron".source = ./conf/anyrun/applications.ron;
    };
+  };
+
+  # https://github.com/anyrun-org/anyrun/discussions/179
+  xdg.configFile."anyrun/style.css".source = ./conf/anyrun/style.css;
 }
@@ -0,0 +1,16 @@
+Config(
+  // Also show the Desktop Actions defined in the desktop files, e.g. "New Window" from LibreWolf
+  desktop_actions: true,
+
+  max_entries: 5,
+
+  // The terminal used for running terminal based desktop entries, if left as `None` a static list of terminals is used
+  // to determine what terminal to use.
+  terminal: Some(Terminal(
+    // The main terminal command
+    command: "alacritty",
+    // What arguments should be passed to the terminal process to run the command correctly
+    // {} is replaced with the command in the desktop entry
+    args: "-e {}",
+  )),
+)
@@ -0,0 +1,101 @@
+/* ===== Color variables ===== */
+:root {
+  --bg-color: #313244;
+  --fg-color: #cdd6f4;
+  --primary-color: #89b4fa;
+  --secondary-color: #cba6f7;
+  --border-color: var(--primary-color);
+  --selected-bg-color: var(--primary-color);
+  --selected-fg-color: var(--bg-color);
+}
+
+/* ===== Global reset ===== */
+* {
+  all: unset;
+  font-family: "JetBrainsMono Nerd Font", monospace;
+}
+
+/* ===== Transparent window ===== */
+window {
+  background: transparent;
+}
+
+/* ===== Main container ===== */
+box.main {
+  border-radius: 16px;
+  background-color: color-mix(in srgb, var(--bg-color) 80%, transparent);
+  border: 0.5px solid color-mix(in srgb, var(--fg-color) 25%, transparent);
+  padding: 12px; /* add uniform padding around the whole box */
+}
+
+/* ===== Input field ===== */
+text {
+  font-size: 1.3rem;
+  background: transparent;
+  border: 1px solid var(--border-color);
+  border-radius: 16px;
+  margin-bottom: 12px;
+  padding: 5px 10px;
+  min-height: 44px;
+  caret-color: var(--primary-color);
+}
+
+/* ===== List container ===== */
+.matches {
+  background-color: transparent;
+}
+
+/* ===== Single match row ===== */
+.match {
+  font-size: 1.1rem;
+  padding: 4px 10px; /* tight vertical spacing */
+  border-radius: 6px;
+}
+
+/* Remove default label margins */
+.match * {
+  margin: 0;
+  padding: 0;
+  line-height: 1;
+}
+
+/* Selected / hover state */
+.match:selected,
+.match:hover {
+  background-color: var(--selected-bg-color);
+  color: var(--selected-fg-color);
+}
+
+.match:selected label.plugin.info,
+.match:hover label.plugin.info {
+  color: var(--selected-fg-color);
+}
+
+.match:selected label.match.description,
+.match:hover label.match.description {
+  color: color-mix(in srgb, var(--selected-fg-color) 90%, transparent);
+}
+
+/* ===== Plugin info label ===== */
+label.plugin.info {
+  color: var(--fg-color);
+  font-size: 1rem;
+  min-width: 160px;
+  text-align: left;
+}
+
+/* ===== Description label ===== */
+label.match.description {
+  font-size: 0rem;
+  color: var(--fg-color);
+}
+
+/* ===== Fade-in animation ===== */
+@keyframes fade {
+  0% {
+    opacity: 0;
+  }
+  100% {
+    opacity: 1;
+  }
+}
@@ -0,0 +1,10 @@
+Config(
+  // The prefix that the search needs to begin with to yield symbol results
+  prefix: "",
+  // Custom user defined symbols to be included along the unicode symbols
+  symbols: {
+    // "name": "text to be copied"
+    "shrug": "¯\\_(ツ)_/¯",
+  },
+  max_entries: 3,
+)
@@ -18,7 +18,7 @@
      fcitx5-rime
      # needed enable rime using configtool after installed
      fcitx5-configtool
-      fcitx5-chinese-addons
+      # fcitx5-chinese-addons # we use rime instead
      # fcitx5-mozc    # japanese input method
      fcitx5-gtk # gtk im module
    ];
@@ -1,13 +0,0 @@
-{
-  pkgs,
-  nix-gaming,
-  ...
-}:
-{
-  home.packages = with pkgs; [
-    # nix-gaming.packages.${pkgs.system}.osu-laser-bin
-    gamescope # SteamOS session compositing window manager
-    prismlauncher # A free, open source launcher for Minecraft
-    winetricks # A script to install DLLs needed to work around problems in Wine
-  ];
-}
@@ -0,0 +1,71 @@
+{
+  pkgs,
+  pkgs-x64,
+  osConfig,
+  config,
+  lib,
+  ...
+}:
+with lib;
+let
+  cfg = config.modules.desktop.gaming;
+in
+{
+  options.modules.desktop = {
+    gaming = {
+      enable = mkEnableOption "Install Game Suite(steam, lutris, etc)";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # ==========================================================================
+    # Other Optimizations
+    # Usage:
+    #  Lutris - enable advanced options, go to the System options -> Command prefix, add: `mangohud`
+    #  Steam  - add this as a launch option: `mangohud %command%` / `gamemoderun %command%`
+    # ==========================================================================
+
+    home.packages =
+      (with pkgs; [
+        # https://github.com/flightlessmango/MangoHud
+        # a simple overlay program for monitoring FPS, temperature, CPU and GPU load, and more.
+        mangohud
+
+        # GUI for installing custom Proton versions like GE_Proton
+        # proton - a Wine distribution aimed at gaming
+        protonplus
+        # Script to install various redistributable runtime libraries in Wine.
+        winetricks
+        # https://github.com/Open-Wine-Components/umu-launcher
+        # a unified launcher for Windows games on Linux
+        umu-launcher
+      ])
+      ++ (with pkgs-x64; [
+        # a game launcher - great for epic games and gog games
+        (heroic.override {
+          extraPkgs = _pkgs: [
+            pkgs.gamescope # aarch64
+          ];
+        })
+      ]);
+
+    # a GUI game launcher for Steam/GoG/Epic
+    programs.lutris = {
+      enable = true;
+      defaultWinePackage = pkgs-x64.proton-ge-bin;
+      steamPackage = osConfig.programs.steam.package;
+      protonPackages = [ pkgs-x64.proton-ge-bin ];
+      winePackages = with pkgs-x64; [
+        wineWow64Packages.full
+        wineWowPackages.stagingFull
+      ];
+      extraPackages = with pkgs; [
+        winetricks
+        gamescope
+        gamemode
+        mangohud
+        umu-launcher
+      ];
+    };
+  };
+}
@@ -1,5 +1,6 @@
 {
  pkgs,
+  pkgs-x64,
  pkgs-unstable,
  nur-ryan4yin,
  ...
@@ -21,10 +22,8 @@
      vulkan-tools
      glxinfo
      nvitop
-    ]
-    ++ (lib.optionals pkgs.stdenv.isx86_64 [
-      (zoom-us.override { hyprlandXdgDesktopPortalSupport = true; })
-    ]);
+      (pkgs-x64.zoom-us.override { hyprlandXdgDesktopPortalSupport = true; })
+    ];

  programs.mpv = {
    enable = true;
@@ -10,19 +10,16 @@
    # do not support .pdf
    foliate

-    # instant messaging
-    telegram-desktop
-    # discord # update too frequently, use the web version instead
-
    # remote desktop(rdp connect)
    remmina
    freerdp # required by remmina

    # my custom hardened packages
    pkgs.nixpaks.qq
-    pkgs.nixpaks.qq-desktop-item
+    pkgs.nixpaks.telegram-desktop
    # qqmusic
    pkgs.bwraps.wechat
+    # discord # update too frequently, use the web version instead
  ];

  # allow fontconfig to discover fonts and configurations installed through home.packages
@@ -10,8 +10,7 @@
    Unit = {
      Description = "Wallpaper Switcher daemon";
      After = [
-        "graphical-session-pre.target"
-        "xdg-desktop-autostart.target"
+        "graphical-session.target"
      ];
      Wants = [ "graphical-session-pre.target" ];
    };
@@ -6,7 +6,6 @@
  home.packages = with pkgs; [
    # firefox-wayland
    nixpaks.firefox
-    nixpaks.firefox-desktop-item
  ];

  programs = {
@@ -37,6 +37,13 @@ in
  config = lib.mkIf cfg.enable (
    lib.mkMerge [
      {
+        home.packages = with pkgs; [
+          # Niri v25.08 will create X11 sockets on disk, export $DISPLAY, and spawn `xwayland-satellite` on-demand when an X11 client connects
+          xwayland-satellite
+        ];
+
+        programs.niri.config = cfg.settings;
+
        # NOTE: this executable is used by greetd to start a wayland session when system boot up
        # with such a vendor-no-locking script, we can switch to another wayland compositor without modifying greetd's config in NixOS module
        home.file.".wayland-session" = {
@@ -194,14 +194,14 @@ niri: {
        # (plain "Mod+Space"       [(leaf "switch-layout" "next")])
        # (plain "Mod+Shift+Space" [(leaf "switch-layout" "prev")])

+        # Take an area screenshot. Select the area to screenshot with mouse
        (plain "Print" [ (flag "screenshot") ])
+        # Take a screenshot of the focused monitor
        (plain "Ctrl+Print" [ (flag "screenshot-screen") ])
+        # Take a screenshot of the focused window
        (plain "Alt+Print" [ (flag "screenshot-window") ])

-        # The quit action will show a confirmation dialog to avoid accidental exits.
-        # If you want to skip the confirmation dialog, set the flag like so:
-        # (plain "Mod+Shift+E" [(leaf "quit" { skip-confirmation=true; })])
-        (plain "Mod+Shift+E" [ (flag "quit") ])
+        (plain "Mod+Shift+E" [ (leaf "spawn" [ "wlogout" ]) ])

        (plain "Mod+Shift+P" [ (flag "power-off-monitors") ])

@@ -34,17 +34,17 @@ niri: {
        # Next sections include libinput settings.
        # Omitting settings disables them, or leaves them at their default values.
        (plain "touchpad" [
-          (flag "tap")
-          # (flag "dwt")
-          # (flag "dwtp")
-          (flag "natural-scroll")
+          # (flag "tap")  # tap-to-click
+          (flag "dwt") # disable-when-typing.
+          # (flag "dwtp") # disable-when-trackpointing.
+          (flag "natural-scroll") # inverts the scrolling direction.
          # (leaf "accel-speed" 0.2)
          # (leaf "accel-profile" "flat")
          # (leaf "tap-button-map" "left-middle-right")
        ])

        (plain "mouse" [
-          # (flag "natural-scroll")
+          # (flag "natural-scroll") # inverts the scrolling direction.
          # (leaf "accel-speed" 0.2)
          # (leaf "accel-profile" "flat")
        ])
@@ -13,56 +13,110 @@ niri: {
      # Get all the window's information via:
      #   niri msg windows

-      # --------------- Terminal ---------------
-      # foot → ws 13
+      # --------------- 1Terminal ---------------
      (plain "window-rule" [
        (leaf "match" { app-id = "foot"; })
        (leaf "open-on-workspace" "1terminal")
        (leaf "open-maximized" true)
      ])

-      # Alacritty → ws 10
      (plain "window-rule" [
        (leaf "match" { app-id = "Alacritty"; })
        (leaf "open-on-workspace" "1terminal")
        (leaf "open-maximized" true)
      ])

-      # Ghostty → ws 14
      (plain "window-rule" [
        (leaf "match" { app-id = "com.mitchellh.ghostty"; })
        (leaf "open-on-workspace" "1terminal")
        (leaf "open-maximized" true)
      ])

-      # --------------- Networking ---------------
+      # --------------- 2Browser ---------------

-      # Clash Verge → ws 7
-      (plain "window-rule" [
-        (leaf "match" { app-id = "clash-verge"; })
-        (leaf "open-on-workspace" "0other")
-      ])
-
-      # --------------- Browser ---------------
-
-      # Firefox → ws 11
      (plain "window-rule" [
        (leaf "match" { app-id = "firefox"; })
        (leaf "open-on-workspace" "2browser")
        (leaf "open-maximized" true)
      ])
-      # Google Chrome → ws 12
      (plain "window-rule" [
        (leaf "match" { app-id = "google-chrome"; })
        (leaf "open-on-workspace" "2browser")
        (leaf "open-maximized" true)
      ])
+      (plain "window-rule" [
+        (leaf "match" { app-id = "chromium-browser"; })
+        (leaf "open-on-workspace" "2browser")
+        (leaf "open-maximized" true)
+      ])

-      # --------------- Chatting ---------------
-      # Telegram → ws 6
+      # --------------- 3Chatting ---------------
      (plain "window-rule" [
        (leaf "match" { app-id = "org.telegram.desktop"; })
        (leaf "open-on-workspace" "3chat")
      ])
+      (plain "window-rule" [
+        (leaf "match" { app-id = "wechat"; })
+        (leaf "open-on-workspace" "3chat")
+      ])
+      (plain "window-rule" [
+        (leaf "match" { app-id = "QQ"; })
+        (leaf "open-on-workspace" "3chat")
+      ])
+
+      # --------------- 4Gaming ---------------
+
+      (plain "window-rule" [
+        (leaf "match" { app-id = "steam"; })
+        (leaf "open-on-workspace" "4gaming")
+      ])
+      (plain "window-rule" [
+        (leaf "match" { app-id = "steam_app_default"; })
+        (leaf "open-on-workspace" "4gaming")
+      ])
+      (plain "window-rule" [
+        (leaf "match" { app-id = "heroic"; })
+        (leaf "open-on-workspace" "4gaming")
+      ])
+      (plain "window-rule" [
+        (leaf "match" { app-id = "net.lutris.Lutris"; })
+        (leaf "open-on-workspace" "4gaming")
+      ])
+      (plain "window-rule" [
+        (leaf "match" { app-id = "com.vysp3r.ProtonPlus"; })
+        (leaf "open-on-workspace" "4gaming")
+      ])
+      (plain "window-rule" [
+        # Run anime games on Linux
+        (leaf "match" { app-id = "^moe.launcher"; })
+        (leaf "open-on-workspace" "4gaming")
+      ])
+      (plain "window-rule" [
+        # All *.exe (Windows APPs)
+        (leaf "match" { app-id = "\.exe$"; })
+        (leaf "open-on-workspace" "4gaming")
+      ])
+
+      # --------------- 6File ---------------
+      (plain "window-rule" [
+        (leaf "match" { app-id = "com.github.johnfactotum.Foliate"; })
+        (leaf "open-on-workspace" "6file")
+      ])
+      (plain "window-rule" [
+        (leaf "match" { app-id = "thunar"; })
+        (leaf "open-on-workspace" "6file")
+      ])
+
+      # --------------- 0Other ---------------
+
+      (plain "window-rule" [
+        (leaf "match" { app-id = "clash-verge"; })
+        (leaf "open-on-workspace" "0other")
+      ])
+
+      (plain "window-rule" [
+        (leaf "match" { app-id = "Zoom Workplace"; })
+        (leaf "open-on-workspace" "0other")
+      ])
    ];
 }
@@ -9,6 +9,13 @@
    nixos-apple-silicon.nixosModules.default
  ];

+  environment.systemPackages = with pkgs-unstable; [
+    box64 # Linux Userspace x86 and x86_64 Emulator, run x86_64 apps(such as games, gui apps) on aarch64.
+    # https://asahilinux.org/2024/12/muvm-x11-bridging/
+    # https://github.com/nix-community/nixos-apple-silicon/issues/237
+    muvm # run x86_64 Apps/Games in a microVM, used as a workaround of apple silicon's 16k page size.
+  ];
+
  networking.wireless.iwd = {
    enable = true;
    settings.General.EnableNetworkConfiguration = true;
@@ -30,7 +37,7 @@
  # Hibernate: Store system state & RAM to Disk, and then poweroff the system.
  #
  # NOTE: Hibernate is not supported by Asahi Linux.
-  services.logind = {
+  services.logind.settings.Login = {
    lidSwitch = "suspend";
    lidSwitchExternalPower = "lock";
    # 'Docked' means: more than one display is connected or the system is inserted in a docking station
@@ -10,12 +10,14 @@
 #############################################################
 let
  hostName = "shoukei"; # Define your hostname.
-in {
+in
+{
  imports = [
    ./hardware-configuration.nix
    ../idols-ai/preservation.nix
  ];

+  # disable sunshine for securrity
  services.sunshine.enable = lib.mkForce false;

  networking = {
@@ -28,6 +28,30 @@ in
    "x86_64-linux"
    "riscv64-linux"
  ];
+  # This enables the kernel to preload the emulator binaries when the binfmt registrations are added,
+  # obviating the need to make the emulator binaries available inside chroots and chroot-like sandboxes.
+  boot.binfmt.preferStaticEmulators = true; # required to work with podman
+  nixpkgs.overlays = [
+    (final: previous: {
+      # https://github.com/NixOS/nixpkgs/issues/392673
+      # aarch64-unknown-linux-musl-ld: (.text+0x484): warning: too many GOT entries for -fpic, please recompile with -fPIC
+      nettle = previous.nettle.overrideAttrs (
+        lib.optionalAttrs final.stdenv.hostPlatform.isStatic {
+          CCPIC = "-fPIC";
+        }
+      );
+    })
+    # https://github.com/NixOS/nixpkgs/issues/366902
+    (final: prev: {
+      qemu-user = prev.qemu-user.overrideAttrs (
+        old:
+        lib.optionalAttrs final.stdenv.hostPlatform.isStatic {
+          configureFlags = old.configureFlags ++ [ "--disable-pie" ];
+        }
+      );
+    })
+  ];
+
  # supported file systems, so we can mount any removable disks with these filesystems
  boot.supportedFilesystems = lib.mkForce [
    "ext4"
@@ -1,22 +1,79 @@
 # Hosts

-1. `idols`
-   1. `ai`: My main computer, with NixOS + I5-13600KF + RTX 4090 GPU, for gaming & daily use.
-   2. `aquamarine`: Kubevirt Virtual Machine.
-      - Monitoring(prometheus, grafana, exporters), CI/CD(gitea, runner), homepage, file browser,
-        and other services.
-   3. `ruby`: Not used now.
-   4. `kana`: Not used now.
-1. `k8s`: My Kubevirt & Kubernetes Clusters
-1. `darwin`(macOS)
-   1. `fern`: MacBook Pro 2022 13-inch M2 16G, mainly for personal use.
-   1. `frieren`: MacBook Pro 2024 14-inch M4Pro 48G, mainly for work.
-1. `12kingdoms`:
-   1. `shoukei`: NixOS on MacBook Pro 2022 M2.
-1. Other aarch64/riscv64 SBCs:
+This directory contains all host-specific configurations for my NixOS and macOS systems.
+
+## Current Host Inventory
+
+### Physical Machines
+
+#### `idols` - Main Workstations
+
+Named after characters from "Oshi no Ko":
+
+| Host         | Platform    | Hardware              | Purpose               | Status      |
+| ------------ | ----------- | --------------------- | --------------------- | ----------- |
+| `ai`         | NixOS       | i5-13600KF + RTX 4090 | Gaming & Daily Use    | ✅ Active   |
+| `aquamarine` | KubeVirt VM | Virtual               | Monitoring & Services | ✅ Active   |
+| `kana`       | NixOS       | Virtual               | Reserved              | ⚪ Not Used |
+| `ruby`       | NixOS       | Virtual               | Reserved              | ⚪ Not Used |
+
+#### `darwin` - macOS Systems
+
+Named after characters from "Frieren: Beyond Journey's End":
+
+| Host      | Platform | Hardware                   | Purpose      | Status    |
+| --------- | -------- | -------------------------- | ------------ | --------- |
+| `fern`    | macOS    | MacBook Pro M2 13" 16GB    | Personal Use | ✅ Active |
+| `frieren` | macOS    | MacBook Pro M4Pro 14" 48GB | Work Use     | ✅ Active |
+
+#### `12kingdoms` - Homelab Servers & Apple Silicon Linux
+
+Named after "Twelve Kingdoms":
+
+| Host      | Platform | Hardware                               | Purpose                    | Status    |
+| --------- | -------- | -------------------------------------- | -------------------------- | --------- |
+| `shoukei` | NixOS    | MacBook Pro M2                         | NixOS on Apple Silicon     | ✅ Active |
+| `shoryu`  | NixOS    | MoreFine S500Plus (AMD Ryzen 9 5900HX) | KubeVirt Host & K3s Master | ✅ Active |
+| `shushou` | NixOS    | MinisForum UM560 (AMD Ryzen 5 5625U)   | KubeVirt Host & K3s Master | ✅ Active |
+| `youko`   | NixOS    | MinisForum HX99G (AMD Ryzen 9 6900HX)  | KubeVirt Host & K3s Master | ✅ Active |
+
+### Virtual Machines & Clusters
+
+#### `k8s` - Kubernetes Infrastructure
+
+- **KubeVirt Cluster**: 3 physical mini PCs (shoryu, shushou, youko) running all VMs
+- **K3s Production**: 3 masters + 3 workers for production workloads
+- **K3s Testing**: 3 masters for testing and development
+
+### External Systems
+
+- **SBCs**: aarch64/riscv64 single-board computers managed in
  [ryan4yin/nixos-config-sbc](https://github.com/ryan4yin/nixos-config-sbc)

-## How to add a new host
+All my riscv64 hosts:
+
+![](/_img/nixos-riscv-cluster.webp)
+
+## Naming Conventions
+
+- **idols**: Characters from "Oshi no Ko" anime/manga
+- **12kingdoms**: Characters from "Twelve Kingdoms" anime/novel series
+- **darwin**: Characters from "Frieren: Beyond Journey's End" anime/manga
+- **k8s**: Kubernetes-related systems follow standard naming patterns
+
+## How to Add a New Host
+
+The easiest way to add a new host is to copy and adapt an existing similar configuration. All host
+configurations follow similar patterns but are customized for specific hardware and use cases.
+
+### General Process
+
+1. **Identify a similar existing host** from the directory structure above
+2. **Copy the entire directory** and rename it for your new host
+3. **Adapt the configuration files** for your specific hardware and requirements
+4. **Update references** in the flake outputs and networking configuration
+
+### Essential Steps

 1. Under `hosts/`
   1. Create a new folder under `hosts/` with the name of the new host.
@@ -36,15 +93,20 @@
   1. Add the new host's static IP address.
   1. Skip this step if the new host is not in the local network or is a mobile device.

-## idols - Oshi no Ko
+### File Templates

-These four servers are named after the four main characters of the mange/anime Oshi no Ko.
+Use existing hosts as templates. The key files typically include:

-## rolling girls
+- `default.nix` - Main host configuration
+- `hardware-configuration.nix` - Auto-generated hardware settings
+- Platform-specific files (e.g., `nvidia.nix`, `apple-silicon.nix`, etc.)

-My All RISCV64 hosts.
+### Examples to Reference

-![](/_img/nixos-riscv-cluster.webp)
+- **Desktop systems**: See `idols-ai/` for gaming/workstation setup
+- **Server systems**: See `kubevirt-shoryu/` for K8s/KubeVirt hosts
+- **macOS systems**: See `darwin-fern/` for macOS configurations
+- **Apple Silicon**: See `12kingdoms-shoukei/` for ARM Linux setup

 ## Distributed Building

@@ -1,4 +1,4 @@
-{myvars, ...}:
+{ myvars, lib, ... }:
 #############################################################
 #
 #  Ai - my main computer, with NixOS + I5-13600KF + RTX 4090 GPU, for gaming & daily use.
@@ -11,7 +11,8 @@ let
  inherit (myvars.networking.hostsAddr.${hostName}) iface ipv4 ipv6;
  ipv4WithMask = "${ipv4}/24";
  ipv6WithMask = "${ipv6}/64";
-in {
+in
+{
  imports = [
    ./netdev-mount.nix
    # Include the results of the hardware scan.
@@ -23,6 +24,8 @@ in {
    ./secureboot.nix
  ];

+  services.sunshine.enable = lib.mkForce true;
+
  networking = {
    inherit hostName;

@@ -1,62 +0,0 @@
-# https://github.com/fufexan/dotfiles/blob/483680e121b73db8ed24173ac9adbcc718cbbc6e/system/programs/gamemode.nix
-{
-  config,
-  pkgs,
-  nix-gaming,
-  lib,
-  ...
-}:
-let
-  programs = lib.makeBinPath [
-    config.programs.hyprland.package
-    pkgs.coreutils
-    pkgs.power-profiles-daemon
-  ];
-
-  startscript = pkgs.writeShellScript "gamemode-start" ''
-    export PATH=$PATH:${programs}
-    export HYPRLAND_INSTANCE_SIGNATURE=$(ls -1 /tmp/hypr | tail -1)
-    hyprctl --batch 'keyword decoration:blur 0 ; keyword animations:enabled 0 ; keyword misc:vfr 0'
-    powerprofilesctl set performance
-  '';
-
-  endscript = pkgs.writeShellScript "gamemode-end" ''
-    export PATH=$PATH:${programs}
-    export HYPRLAND_INSTANCE_SIGNATURE=$(ls -1 /tmp/hypr | tail -1)
-    hyprctl --batch 'keyword decoration:blur 1 ; keyword animations:enabled 1 ; keyword misc:vfr 1'
-    powerprofilesctl set power-saver
-  '';
-in
-{
-  # Optimise Linux system performance on demand
-  # https://github.com/FeralInteractive/GameMode
-  # https://wiki.archlinux.org/title/Gamemode
-  #
-  # Usage:
-  #   1. For games/launchers which integrate GameMode support:
-  #      https://github.com/FeralInteractive/GameMode#apps-with-gamemode-integration
-  #      simply running the game will automatically activate GameMode.
-  #   2. For others, launching the game through gamemoderun: `gamemoderun ./game`
-  #   3. For steam: `gamemoderun steam-runtime`
-  programs.gamemode = {
-    enable = pkgs.stdenv.isx86_64;
-    settings = {
-      general = {
-        softrealtime = "auto";
-        renice = 15;
-      };
-      custom = {
-        start = startscript.outPath;
-        end = endscript.outPath;
-      };
-    };
-  };
-
-  # see https://github.com/fufexan/nix-gaming/#pipewire-low-latency
-  services.pipewire.lowLatency.enable = true;
-  programs.steam.platformOptimizations.enable = true;
-  imports = with nix-gaming.nixosModules; [
-    pipewireLowLatency
-    platformOptimizations
-  ];
-}
@@ -1,58 +0,0 @@
-# https://github.com/fufexan/dotfiles/blob/483680e/system/programs/steam.nix
-{ pkgs, ... }:
-{
-  # https://wiki.archlinux.org/title/steam
-  # Games installed by Steam works fine on NixOS, no other configuration needed.
-  programs.steam = {
-    # Some location that should be persistent:
-    #   ~/.local/share/Steam - The default Steam install location
-    #   ~/.local/share/Steam/steamapps/common - The default Game install location
-    #   ~/.steam/root        - A symlink to ~/.local/share/Steam
-    #   ~/.steam             - Some Symlinks & user info
-    enable = pkgs.stdenv.isx86_64;
-    # https://github.com/ValveSoftware/gamescope
-    # enables features such as resolution upscaling and stretched aspect ratios (such as 4:3)
-    gamescopeSession.enable = true;
-
-    # fix gamescope inside steam
-    package = pkgs.steam.override {
-      extraPkgs =
-        pkgs: with pkgs; [
-          xorg.libXcursor
-          xorg.libXi
-          xorg.libXinerama
-          xorg.libXScrnSaver
-          libpng
-          libpulseaudio
-          libvorbis
-          stdenv.cc.cc.lib
-          libkrb5
-          keyutils
-
-          # fix CJK fonts
-          source-sans
-          source-serif
-          source-han-sans
-          source-han-serif
-
-          # audio
-          pipewire
-
-          # other common
-          udev
-          alsa-lib
-          vulkan-loader
-          xorg.libX11
-          xorg.libXcursor
-          xorg.libXi
-          xorg.libXrandr # To use the x11 feature
-          libxkbcommon
-          wayland # To use the wayland feature
-        ];
-    };
-  };
-
-  fonts.packages = with pkgs; [
-    wqy_zenhei # Need by steam for Chinese
-  ];
-}
@@ -43,6 +43,10 @@
    "aarch64-linux"
    "riscv64-linux"
  ];
+  # This enables the kernel to preload the emulator binaries when the binfmt registrations are added,
+  # obviating the need to make the emulator binaries available inside chroots and chroot-like sandboxes.
+  boot.binfmt.preferStaticEmulators = true; # required to work with podman
+
  # supported file systems, so we can mount any removable disks with these filesystems
  boot.supportedFilesystems = [
    "ext4"
@@ -64,11 +64,12 @@
        ])

        # ============= Named Workspaces =============
-        (node "workspace" "1terminal" [ (leaf "open-on-output" "HDMI-A-1") ])
        (node "workspace" "2browser" [ (leaf "open-on-output" "DP-2") ])
+        (node "workspace" "4gaming" [ (leaf "open-on-output" "DP-2") ])
+        (node "workspace" "5music" [ (leaf "open-on-output" "DP-2") ])
+
+        (node "workspace" "1terminal" [ (leaf "open-on-output" "HDMI-A-1") ])
        (node "workspace" "3chat" [ (leaf "open-on-output" "HDMI-A-1") ])
-        (node "workspace" "4music" [ (leaf "open-on-output" "DP-2") ])
-        (node "workspace" "5mail" [ (leaf "open-on-output" "DP-2") ])
        (node "workspace" "6file" [ (leaf "open-on-output" "HDMI-A-1") ])
        (node "workspace" "0other" [ (leaf "open-on-output" "HDMI-A-1") ])
      ];
@@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, lib, ... }:
 {
  # ===============================================================================================
  # for Nvidia GPU
@@ -17,7 +17,7 @@
    open = true;
    # Optionally, you may need to select the appropriate driver version for your specific GPU.
    # https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/os-specific/linux/nvidia-x11/default.nix
-    package = config.boot.kernelPackages.nvidiaPackages.beta;
+    package = config.boot.kernelPackages.nvidiaPackages.production;

    # required by most wayland compositors!
    modesetting.enable = true;
@@ -38,4 +38,11 @@
      # };
    })
  ];
+
+  services.sunshine.settings = {
+    max_bitrate = 20000; # in Kbps
+    # NVIDIA NVENC Encoder
+    nvenc_preset = 3; # 1(fastest + worst quality) - 7(slowest + best quality)
+    nvenc_twopass = "full_res"; # quarter_res / full_res.
+  };
 }
@@ -72,6 +72,7 @@ in

      # network
      "/var/lib/tailscale"
+      "/var/lib/netbird-homelab" # netbird's homelab client
      "/var/lib/bluetooth"
      "/var/lib/NetworkManager"
      "/var/lib/iwd"
@@ -231,32 +232,32 @@ in
        # Games / Media
        # ======================================

+        "Games"
        ".steam"
        ".config/blender"
        ".config/LDtk"
+        ".config/heroic"
+        ".config/lutris"
+        ".local/share/umu"

        ".local/share/Steam"
-        ".local/share/PrismLauncher"
+        ".local/state/Heroic"

+        ".local/share/lutris"
        ".local/share/tiled"
        ".local/share/GOG.com"
        ".local/share/StardewValley"
        ".local/share/feral-interactive"

        # ======================================
-        # Instant Messaging
+        # Meeting / Remote Desktop / Recording
        # ======================================
-        ".config/QQ"
-
-        ".local/share/TelegramDesktop"
-
-        # ======================================
-        # Meeting / Remote Desktop
-        # ======================================
-        ".config/remmina"
-        ".config/freerdp"
        ".zoom"
+        ".config/obs-studio"
+        ".config/sunshine"
+        ".config/freerdp"

+        ".config/remmina"
        ".local/share/remmina"

        # ======================================
@@ -282,7 +283,7 @@ in
        # ======================================
        ".local/share/containers"
        ".local/share/flatpak"
-        # flatpak app's data
+        # flatpak/nixpak app's data
        ".var"

        # ======================================
@@ -88,6 +88,11 @@ in
      encode zstd gzip
      reverse_proxy http://localhost:9093
    '';
+    virtualHosts."vmalert.writefor.fun".extraConfig = ''
+      ${hostCommonConfig}
+      encode zstd gzip
+      reverse_proxy http://localhost:8880
+    '';
    virtualHosts."minio.writefor.fun".extraConfig = ''
      ${hostCommonConfig}
      encode zstd gzip
@@ -0,0 +1,37 @@
+{
+
+  # Declaratively provision Grafana's data sources, dashboards, and alerting rules.
+  # Grafana's alerting rules is not recommended to use, we use Prometheus alertmanager instead.
+  # https://grafana.com/docs/grafana/latest/administration/provisioning/#data-sources
+  services.grafana.provision.dashboards.settings = {
+    apiVersion = 1;
+
+    providers = [
+      {
+        # <string> an unique provider name. Required
+        name = "Homelab";
+        # An organization is an entity that helps you isolate users and resources such as dashboards,
+        # annotations, and data sources from each other.
+        #
+        # <int> Org id. Default to 1
+        #
+        # If you want to customize this id, you need to create the organizations first.
+        orgId = 1;
+        # <string> provider type. Default to 'file'
+        type = "file";
+        # <bool> disable dashboard deletion
+        disableDeletion = true;
+        # <int> how often Grafana will scan for changed dashboards
+        updateIntervalSeconds = 20;
+        # <bool> allow updating provisioned dashboards from the UI
+        allowUiUpdates = false;
+        options = {
+          # <string, required> path to dashboard files on disk. Required when using the 'file' type
+          path = "/etc/grafana/dashboards/";
+          # <bool> use folder names from filesystem to create folders in Grafana
+          foldersFromFilesStructure = true;
+        };
+      }
+    ];
+  };
+}
@@ -1,26 +0,0 @@
-# https://grafana.com/docs/grafana/latest/administration/provisioning/#dashboards
-apiVersion: 1
-
-providers:
-  # <string> an unique provider name. Required
-  - name: "Homelab"
-    # An organization is an entity that helps you isolate users and resources such as dashboards,
-    # annotations, and data sources from each other.
-    #
-    # <int> Org id. Default to 1
-    #
-    # If you want to customize this id, you need to create the organizations first.
-    orgId: 1
-    # <string> provider type. Default to 'file'
-    type: file
-    # <bool> disable dashboard deletion
-    disableDeletion: true
-    # <int> how often Grafana will scan for changed dashboards
-    updateIntervalSeconds: 20
-    # <bool> allow updating provisioned dashboards from the UI
-    allowUiUpdates: false
-    options:
-      # <string, required> path to dashboard files on disk. Required when using the 'file' type
-      path: /etc/grafana/dashboards/
-      # <bool> use folder names from filesystem to create folders in Grafana
-      foldersFromFilesStructure: true
@@ -32,3 +32,7 @@ mixin provides a comprehensive package for monitoring Loki in production.
   - Instance:
     https://github.com/cloudnative-pg/grafana-dashboards/blob/main/charts/cluster/grafana-dashboard.json
   - Pooler(PGBouncer): https://github.com/cloudnative-pg/grafana-dashboards/issues/7
+
+## VictoriaMetrics
+
+- https://grafana.com/orgs/victoriametrics/dashboards
@@ -73,11 +73,7 @@
      "cacheTimeout": null,
      "colorBackground": false,
      "colorValue": true,
-      "colors": [
-        "#299c46",
-        "#7eb26d",
-        "#d44a3a"
-      ],
+      "colors": ["#299c46", "#7eb26d", "#d44a3a"],
      "datasource": "${DS_PROMETHEUS}",
      "format": "none",
      "gauge": {
@@ -156,11 +152,7 @@
      "cacheTimeout": null,
      "colorBackground": false,
      "colorValue": false,
-      "colors": [
-        "#299c46",
-        "rgba(237, 129, 40, 0.89)",
-        "#d44a3a"
-      ],
+      "colors": ["#299c46", "rgba(237, 129, 40, 0.89)", "#d44a3a"],
      "datasource": "${DS_PROMETHEUS}",
      "description": "start time of the process",
      "format": "dateTimeFromNow",
@@ -239,11 +231,7 @@
      "cacheTimeout": null,
      "colorBackground": false,
      "colorValue": false,
-      "colors": [
-        "rgba(245, 54, 54, 0.9)",
-        "rgba(237, 129, 40, 0.89)",
-        "rgba(50, 172, 45, 0.97)"
-      ],
+      "colors": ["rgba(245, 54, 54, 0.9)", "rgba(237, 129, 40, 0.89)", "rgba(50, 172, 45, 0.97)"],
      "datasource": "${DS_PROMETHEUS}",
      "format": "decbytes",
      "gauge": {
@@ -322,11 +310,7 @@
      "cacheTimeout": null,
      "colorBackground": false,
      "colorValue": false,
-      "colors": [
-        "rgba(245, 54, 54, 0.9)",
-        "rgba(237, 129, 40, 0.89)",
-        "rgba(50, 172, 45, 0.97)"
-      ],
+      "colors": ["rgba(245, 54, 54, 0.9)", "rgba(237, 129, 40, 0.89)", "rgba(50, 172, 45, 0.97)"],
      "datasource": "${DS_PROMETHEUS}",
      "format": "decbytes",
      "gauge": {
@@ -405,11 +389,7 @@
      "cacheTimeout": null,
      "colorBackground": false,
      "colorValue": false,
-      "colors": [
-        "rgba(245, 54, 54, 0.9)",
-        "rgba(237, 129, 40, 0.89)",
-        "rgba(50, 172, 45, 0.97)"
-      ],
+      "colors": ["rgba(245, 54, 54, 0.9)", "rgba(237, 129, 40, 0.89)", "rgba(50, 172, 45, 0.97)"],
      "datasource": "${DS_PROMETHEUS}",
      "format": "decbytes",
      "gauge": {
@@ -488,11 +468,7 @@
      "cacheTimeout": null,
      "colorBackground": false,
      "colorValue": false,
-      "colors": [
-        "#299c46",
-        "rgba(237, 129, 40, 0.89)",
-        "#d44a3a"
-      ],
+      "colors": ["#299c46", "rgba(237, 129, 40, 0.89)", "#d44a3a"],
      "datasource": "${DS_PROMETHEUS}",
      "format": "none",
      "gauge": {
@@ -864,11 +840,7 @@
      "cacheTimeout": null,
      "colorBackground": false,
      "colorValue": false,
-      "colors": [
-        "#299c46",
-        "rgba(237, 129, 40, 0.89)",
-        "#d44a3a"
-      ],
+      "colors": ["#299c46", "rgba(237, 129, 40, 0.89)", "#d44a3a"],
      "datasource": "${DS_PROMETHEUS}",
      "format": "bytes",
      "gauge": {
@@ -945,11 +917,7 @@
      "cacheTimeout": null,
      "colorBackground": false,
      "colorValue": false,
-      "colors": [
-        "#299c46",
-        "rgba(237, 129, 40, 0.89)",
-        "#d44a3a"
-      ],
+      "colors": ["#299c46", "rgba(237, 129, 40, 0.89)", "#d44a3a"],
      "datasource": "${DS_PROMETHEUS}",
      "format": "bytes",
      "gauge": {
@@ -1026,11 +994,7 @@
      "cacheTimeout": null,
      "colorBackground": false,
      "colorValue": false,
-      "colors": [
-        "#299c46",
-        "rgba(237, 129, 40, 0.89)",
-        "#d44a3a"
-      ],
+      "colors": ["#299c46", "rgba(237, 129, 40, 0.89)", "#d44a3a"],
      "datasource": "${DS_PROMETHEUS}",
      "format": "bytes",
      "gauge": {
@@ -1107,11 +1071,7 @@
      "cacheTimeout": null,
      "colorBackground": false,
      "colorValue": false,
-      "colors": [
-        "#299c46",
-        "rgba(237, 129, 40, 0.89)",
-        "#d44a3a"
-      ],
+      "colors": ["#299c46", "rgba(237, 129, 40, 0.89)", "#d44a3a"],
      "datasource": "${DS_PROMETHEUS}",
      "format": "bytes",
      "gauge": {
@@ -1189,11 +1149,7 @@
      "cacheTimeout": null,
      "colorBackground": false,
      "colorValue": false,
-      "colors": [
-        "#299c46",
-        "rgba(237, 129, 40, 0.89)",
-        "#d44a3a"
-      ],
+      "colors": ["#299c46", "rgba(237, 129, 40, 0.89)", "#d44a3a"],
      "datasource": "${DS_PROMETHEUS}",
      "decimals": 1,
      "format": "bytes",
@@ -1271,11 +1227,7 @@
      "cacheTimeout": null,
      "colorBackground": false,
      "colorValue": false,
-      "colors": [
-        "#299c46",
-        "rgba(237, 129, 40, 0.89)",
-        "#d44a3a"
-      ],
+      "colors": ["#299c46", "rgba(237, 129, 40, 0.89)", "#d44a3a"],
      "datasource": "${DS_PROMETHEUS}",
      "format": "none",
      "gauge": {
@@ -1352,11 +1304,7 @@
      "cacheTimeout": null,
      "colorBackground": false,
      "colorValue": false,
-      "colors": [
-        "#299c46",
-        "rgba(237, 129, 40, 0.89)",
-        "#d44a3a"
-      ],
+      "colors": ["#299c46", "rgba(237, 129, 40, 0.89)", "#d44a3a"],
      "datasource": "${DS_PROMETHEUS}",
      "format": "none",
      "gauge": {
@@ -1433,11 +1381,7 @@
      "cacheTimeout": null,
      "colorBackground": false,
      "colorValue": false,
-      "colors": [
-        "#299c46",
-        "rgba(237, 129, 40, 0.89)",
-        "#d44a3a"
-      ],
+      "colors": ["#299c46", "rgba(237, 129, 40, 0.89)", "#d44a3a"],
      "datasource": "${DS_PROMETHEUS}",
      "format": "none",
      "gauge": {
@@ -1514,11 +1458,7 @@
      "cacheTimeout": null,
      "colorBackground": false,
      "colorValue": false,
-      "colors": [
-        "#299c46",
-        "rgba(237, 129, 40, 0.89)",
-        "#d44a3a"
-      ],
+      "colors": ["#299c46", "rgba(237, 129, 40, 0.89)", "#d44a3a"],
      "datasource": "${DS_PROMETHEUS}",
      "format": "none",
      "gauge": {
@@ -2944,11 +2884,7 @@
  "refresh": "10s",
  "schemaVersion": 19,
  "style": "dark",
-  "tags": [
-    "postgres",
-    "db",
-    "stats"
-  ],
+  "tags": ["postgres", "db", "stats"],
  "templating": {
    "list": [
      {
@@ -3136,32 +3072,11 @@
    "to": "now"
  },
  "timepicker": {
-    "refresh_intervals": [
-      "5s",
-      "10s",
-      "30s",
-      "1m",
-      "5m",
-      "15m",
-      "30m",
-      "1h",
-      "2h",
-      "1d"
-    ],
-    "time_options": [
-      "5m",
-      "15m",
-      "1h",
-      "6h",
-      "12h",
-      "24h",
-      "2d",
-      "7d",
-      "30d"
-    ]
+    "refresh_intervals": ["5s", "10s", "30s", "1m", "5m", "15m", "30m", "1h", "2h", "1d"],
+    "time_options": ["5m", "15m", "1h", "6h", "12h", "24h", "2d", "7d", "30d"]
  },
  "timezone": "",
  "title": "PostgreSQL Database",
-  "uid": "000000039",
+  "uid": "postgresql-database",
  "version": 1
 }
@@ -11139,6 +11139,6 @@
  },
  "timezone": "",
  "title": "Alertmanager",
-  "uid": "eea-9_sik",
+  "uid": "alertmanager",
  "version": 27
 }
@@ -23262,7 +23262,7 @@
  },
  "timezone": "browser",
  "title": "Node Exporter Full",
-  "uid": "rYdddlPWk",
+  "uid": "node-exporter-full",
  "version": 87,
  "weekStart": ""
 }
@@ -853,19 +853,11 @@
    "to": "now"
  },
  "timepicker": {
-    "refresh_intervals": [
-      "30s",
-      "1m",
-      "5m",
-      "15m",
-      "30m",
-      "1h",
-      "2h",
-      "1d"
-    ]
+    "refresh_intervals": ["30s", "1m", "5m", "15m", "30m", "1h", "2h", "1d"]
  },
  "timezone": "",
  "title": "Istio Wasm Extension Dashboard",
+  "uid": "istio-wasm-extension",
  "version": 1,
  "weekStart": ""
 }
@@ -114,9 +114,7 @@
        "justifyMode": "auto",
        "orientation": "horizontal",
        "reduceOptions": {
-          "calcs": [
-            "mean"
-          ],
+          "calcs": ["mean"],
          "fields": "",
          "values": false
        },
@@ -196,9 +194,7 @@
        "justifyMode": "auto",
        "orientation": "horizontal",
        "reduceOptions": {
-          "calcs": [
-            "mean"
-          ],
+          "calcs": ["mean"],
          "fields": "",
          "values": false
        },
@@ -275,9 +271,7 @@
        "justifyMode": "auto",
        "orientation": "horizontal",
        "reduceOptions": {
-          "calcs": [
-            "mean"
-          ],
+          "calcs": ["mean"],
          "fields": "",
          "values": false
        },
@@ -354,9 +348,7 @@
        "justifyMode": "auto",
        "orientation": "horizontal",
        "reduceOptions": {
-          "calcs": [
-            "mean"
-          ],
+          "calcs": ["mean"],
          "fields": "",
          "values": false
        },
@@ -433,9 +425,7 @@
        "justifyMode": "auto",
        "orientation": "horizontal",
        "reduceOptions": {
-          "calcs": [
-            "lastNotNull"
-          ],
+          "calcs": ["lastNotNull"],
          "fields": "",
          "values": false
        },
@@ -511,9 +501,7 @@
        "justifyMode": "auto",
        "orientation": "horizontal",
        "reduceOptions": {
-          "calcs": [
-            "lastNotNull"
-          ],
+          "calcs": ["lastNotNull"],
          "fields": "",
          "values": false
        },
@@ -589,9 +577,7 @@
        "justifyMode": "auto",
        "orientation": "horizontal",
        "reduceOptions": {
-          "calcs": [
-            "lastNotNull"
-          ],
+          "calcs": ["lastNotNull"],
          "fields": "",
          "values": false
        },
@@ -667,9 +653,7 @@
        "justifyMode": "auto",
        "orientation": "horizontal",
        "reduceOptions": {
-          "calcs": [
-            "lastNotNull"
-          ],
+          "calcs": ["lastNotNull"],
          "fields": "",
          "values": false
        },
@@ -745,9 +729,7 @@
        "justifyMode": "auto",
        "orientation": "horizontal",
        "reduceOptions": {
-          "calcs": [
-            "lastNotNull"
-          ],
+          "calcs": ["lastNotNull"],
          "fields": "",
          "values": false
        },
@@ -823,9 +805,7 @@
        "justifyMode": "auto",
        "orientation": "horizontal",
        "reduceOptions": {
-          "calcs": [
-            "lastNotNull"
-          ],
+          "calcs": ["lastNotNull"],
          "fields": "",
          "values": false
        },
@@ -901,9 +881,7 @@
        "justifyMode": "auto",
        "orientation": "horizontal",
        "reduceOptions": {
-          "calcs": [
-            "lastNotNull"
-          ],
+          "calcs": ["lastNotNull"],
          "fields": "",
          "values": false
        },
@@ -979,9 +957,7 @@
        "justifyMode": "auto",
        "orientation": "horizontal",
        "reduceOptions": {
-          "calcs": [
-            "lastNotNull"
-          ],
+          "calcs": ["lastNotNull"],
          "fields": "",
          "values": false
        },
@@ -1329,9 +1305,7 @@
        "footer": {
          "countRows": false,
          "fields": "",
-          "reducer": [
-            "sum"
-          ],
+          "reducer": ["sum"],
          "show": false
        },
        "showHeader": true
@@ -1466,9 +1440,7 @@
        "cellHeight": "sm",
        "footer": {
          "show": false,
-          "reducer": [
-            "sum"
-          ],
+          "reducer": ["sum"],
          "countRows": false,
          "fields": ""
        }
@@ -1832,30 +1804,12 @@
    "to": "now"
  },
  "timepicker": {
-    "refresh_intervals": [
-      "30s",
-      "1m",
-      "5m",
-      "15m",
-      "30m",
-      "1h",
-      "2h",
-      "1d"
-    ],
-    "time_options": [
-      "5m",
-      "15m",
-      "1h",
-      "6h",
-      "12h",
-      "24h",
-      "2d",
-      "7d",
-      "30d"
-    ]
+    "refresh_intervals": ["30s", "1m", "5m", "15m", "30m", "1h", "2h", "1d"],
+    "time_options": ["5m", "15m", "1h", "6h", "12h", "24h", "2d", "7d", "30d"]
  },
  "timezone": "browser",
  "title": "Istio Mesh Dashboard",
+  "uid": "istio-mesh",
  "version": 1,
  "weekStart": ""
 }
@@ -1574,30 +1574,12 @@
    "to": "now"
  },
  "timepicker": {
-    "refresh_intervals": [
-      "30s",
-      "1m",
-      "5m",
-      "15m",
-      "30m",
-      "1h",
-      "2h",
-      "1d"
-    ],
-    "time_options": [
-      "5m",
-      "15m",
-      "1h",
-      "6h",
-      "12h",
-      "24h",
-      "2d",
-      "7d",
-      "30d"
-    ]
+    "refresh_intervals": ["30s", "1m", "5m", "15m", "30m", "1h", "2h", "1d"],
+    "time_options": ["5m", "15m", "1h", "6h", "12h", "24h", "2d", "7d", "30d"]
  },
  "timezone": "",
  "title": "Istio Performance Dashboard",
+  "uid": "istio-performance",
  "version": 1,
  "weekStart": ""
 }
@@ -123,9 +123,7 @@
        "justifyMode": "auto",
        "orientation": "horizontal",
        "reduceOptions": {
-          "calcs": [
-            "lastNotNull"
-          ],
+          "calcs": ["lastNotNull"],
          "fields": "",
          "values": false
        },
@@ -197,9 +195,7 @@
        "justifyMode": "auto",
        "orientation": "horizontal",
        "reduceOptions": {
-          "calcs": [
-            "lastNotNull"
-          ],
+          "calcs": ["lastNotNull"],
          "fields": "",
          "values": false
        },
@@ -398,9 +394,7 @@
        "justifyMode": "auto",
        "orientation": "horizontal",
        "reduceOptions": {
-          "calcs": [
-            "mean"
-          ],
+          "calcs": ["mean"],
          "fields": "",
          "values": false
        },
@@ -478,9 +472,7 @@
        "justifyMode": "auto",
        "orientation": "horizontal",
        "reduceOptions": {
-          "calcs": [
-            "lastNotNull"
-          ],
+          "calcs": ["lastNotNull"],
          "fields": "",
          "values": false
        },
@@ -552,9 +544,7 @@
        "justifyMode": "auto",
        "orientation": "horizontal",
        "reduceOptions": {
-          "calcs": [
-            "lastNotNull"
-          ],
+          "calcs": ["lastNotNull"],
          "fields": "",
          "values": false
        },
@@ -753,9 +743,7 @@
        "justifyMode": "auto",
        "orientation": "horizontal",
        "reduceOptions": {
-          "calcs": [
-            "mean"
-          ],
+          "calcs": ["mean"],
          "fields": "",
          "values": false
        },
@@ -3368,28 +3356,12 @@
    "to": "now"
  },
  "timepicker": {
-    "refresh_intervals": [
-      "5m",
-      "15m",
-      "30m",
-      "1h",
-      "2h",
-      "1d"
-    ],
-    "time_options": [
-      "5m",
-      "15m",
-      "1h",
-      "6h",
-      "12h",
-      "24h",
-      "2d",
-      "7d",
-      "30d"
-    ]
+    "refresh_intervals": ["5m", "15m", "30m", "1h", "2h", "1d"],
+    "time_options": ["5m", "15m", "1h", "6h", "12h", "24h", "2d", "7d", "30d"]
  },
  "timezone": "",
  "title": "Istio Service Dashboard",
+  "uid": "istio-service",
  "version": 1,
  "weekStart": ""
 }
@@ -123,9 +123,7 @@
        "justifyMode": "auto",
        "orientation": "horizontal",
        "reduceOptions": {
-          "calcs": [
-            "lastNotNull"
-          ],
+          "calcs": ["lastNotNull"],
          "fields": "",
          "values": false
        },
@@ -206,9 +204,7 @@
        "justifyMode": "auto",
        "orientation": "horizontal",
        "reduceOptions": {
-          "calcs": [
-            "mean"
-          ],
+          "calcs": ["mean"],
          "fields": "",
          "values": false
        },
@@ -405,9 +401,7 @@
        "justifyMode": "auto",
        "orientation": "horizontal",
        "reduceOptions": {
-          "calcs": [
-            "mean"
-          ],
+          "calcs": ["mean"],
          "fields": "",
          "values": false
        },
@@ -485,9 +479,7 @@
        "justifyMode": "auto",
        "orientation": "horizontal",
        "reduceOptions": {
-          "calcs": [
-            "mean"
-          ],
+          "calcs": ["mean"],
          "fields": "",
          "values": false
        },
@@ -3040,28 +3032,12 @@
    "to": "now"
  },
  "timepicker": {
-    "refresh_intervals": [
-      "5m",
-      "15m",
-      "30m",
-      "1h",
-      "2h",
-      "1d"
-    ],
-    "time_options": [
-      "5m",
-      "15m",
-      "1h",
-      "6h",
-      "12h",
-      "24h",
-      "2d",
-      "7d",
-      "30d"
-    ]
+    "refresh_intervals": ["5m", "15m", "30m", "1h", "2h", "1d"],
+    "time_options": ["5m", "15m", "1h", "6h", "12h", "24h", "2d", "7d", "30d"]
  },
  "timezone": "",
  "title": "Istio Workload Dashboard",
+  "uid": "istio-workload",
  "version": 1,
  "weekStart": ""
 }
@@ -96,10 +96,7 @@
      "interval": "5s",
      "options": {
        "legend": {
-               "calcs": [
-                  "last",
-                  "max"
-               ],
+          "calcs": ["last", "max"],
          "displayMode": "table"
        }
      },
@@ -185,10 +182,7 @@
      "interval": "5s",
      "options": {
        "legend": {
-               "calcs": [
-                  "last",
-                  "max"
-               ],
+          "calcs": ["last", "max"],
          "displayMode": "table"
        }
      },
@@ -239,10 +233,7 @@
      "interval": "5s",
      "options": {
        "legend": {
-               "calcs": [
-                  "last",
-                  "max"
-               ],
+          "calcs": ["last", "max"],
          "displayMode": "table"
        }
      },
@@ -285,10 +276,7 @@
      "interval": "5s",
      "options": {
        "legend": {
-               "calcs": [
-                  "last",
-                  "max"
-               ],
+          "calcs": ["last", "max"],
          "displayMode": "table"
        }
      },
@@ -477,10 +465,7 @@
      "interval": "5s",
      "options": {
        "legend": {
-               "calcs": [
-                  "last",
-                  "max"
-               ],
+          "calcs": ["last", "max"],
          "displayMode": "table"
        }
      },
@@ -539,10 +524,7 @@
      "interval": "5s",
      "options": {
        "legend": {
-               "calcs": [
-                  "last",
-                  "max"
-               ],
+          "calcs": ["last", "max"],
          "displayMode": "table"
        }
      },
@@ -573,7 +555,7 @@
        "type": "datasource",
        "uid": "-- Mixed --"
      },
-         "description": "Number of push errors. Many of these are at least potentional fatal and should be explored in-depth via Istiod logs.\nNote: metrics here do not use rate() to avoid missing transition from \"No series\"; series are not reported if there are no errors at all.\n",
+      "description": "Number of push errors. Many of these are at least potential fatal and should be explored in-depth via Istiod logs.\nNote: metrics here do not use rate() to avoid missing transition from \"No series\"; series are not reported if there are no errors at all.\n",
      "fieldConfig": {
        "defaults": {
          "custom": {
@@ -593,10 +575,7 @@
      "interval": "5s",
      "options": {
        "legend": {
-               "calcs": [
-                  "last",
-                  "max"
-               ],
+          "calcs": ["last", "max"],
          "displayMode": "table"
        }
      },
@@ -857,5 +836,5 @@
  },
  "timezone": "utc",
  "title": "Istio Control Plane Dashboard",
-   "uid": "1813f692a8e4ac77155348d4c7d2fba8"
+  "uid": "istio-control-plane"
 }
@@ -39,10 +39,7 @@
      "interval": "5s",
      "options": {
        "legend": {
-               "calcs": [
-                  "last",
-                  "max"
-               ],
+          "calcs": ["last", "max"],
          "displayMode": "table"
        }
      },
@@ -86,10 +83,7 @@
      "interval": "5s",
      "options": {
        "legend": {
-               "calcs": [
-                  "last",
-                  "max"
-               ],
+          "calcs": ["last", "max"],
          "displayMode": "table"
        }
      },
@@ -132,10 +126,7 @@
      "interval": "5s",
      "options": {
        "legend": {
-               "calcs": [
-                  "last",
-                  "max"
-               ],
+          "calcs": ["last", "max"],
          "displayMode": "table"
        }
      },
@@ -192,10 +183,7 @@
      "interval": "5s",
      "options": {
        "legend": {
-               "calcs": [
-                  "last",
-                  "max"
-               ],
+          "calcs": ["last", "max"],
          "displayMode": "table"
        }
      },
@@ -247,10 +235,7 @@
      "interval": "5s",
      "options": {
        "legend": {
-               "calcs": [
-                  "last",
-                  "max"
-               ],
+          "calcs": ["last", "max"],
          "displayMode": "table"
        }
      },
@@ -302,10 +287,7 @@
      "interval": "5s",
      "options": {
        "legend": {
-               "calcs": [
-                  "last",
-                  "max"
-               ],
+          "calcs": ["last", "max"],
          "displayMode": "table"
        }
      },
@@ -361,10 +343,7 @@
      "interval": "5s",
      "options": {
        "legend": {
-               "calcs": [
-                  "last",
-                  "max"
-               ],
+          "calcs": ["last", "max"],
          "displayMode": "table"
        }
      },
@@ -407,10 +386,7 @@
      "interval": "5s",
      "options": {
        "legend": {
-               "calcs": [
-                  "last",
-                  "max"
-               ],
+          "calcs": ["last", "max"],
          "displayMode": "table"
        }
      },
@@ -454,5 +430,5 @@
  },
  "timezone": "utc",
  "title": "Istio Ztunnel Dashboard",
-   "uid": "12c58766acc81a1c835dd5059eaf2741"
+  "uid": "istio-ztunnel"
 }
@@ -4572,11 +4572,7 @@
  "refresh": "1m",
  "schemaVersion": 26,
  "style": "dark",
-  "tags": [
-    "kubevirt",
-    "kubevirt-control-plane",
-    "sig-scale"
-  ],
+  "tags": ["kubevirt", "kubevirt-control-plane", "sig-scale"],
  "templating": {
    "list": [
      {
@@ -5165,32 +5161,11 @@
    "to": "now"
  },
  "timepicker": {
-    "refresh_intervals": [
-      "5s",
-      "10s",
-      "30s",
-      "1m",
-      "5m",
-      "15m",
-      "30m",
-      "1h",
-      "2h",
-      "1d"
-    ],
-    "time_options": [
-      "5m",
-      "15m",
-      "1h",
-      "6h",
-      "12h",
-      "24h",
-      "2d",
-      "7d",
-      "30d"
-    ]
+    "refresh_intervals": ["5s", "10s", "30s", "1m", "5m", "15m", "30m", "1h", "2h", "1d"],
+    "time_options": ["5m", "15m", "1h", "6h", "12h", "24h", "2d", "7d", "30d"]
  },
  "timezone": "UTC",
  "title": "KubeVirt / Control Plane",
-  "uid": "V1Qq_IBM_za0",
+  "uid": "kubevirt-control-plane",
  "version": 3
 }
@@ -1157,6 +1157,6 @@
  },
  "timezone": "utc",
  "title": "Loki / Chunks",
-  "uid": "chunks",
+  "uid": "loki-chunks",
  "version": 0
 }
@@ -720,6 +720,6 @@
  },
  "timezone": "utc",
  "title": "Loki / Deletion",
-  "uid": "deletion",
+  "uid": "loki-deletion",
  "version": 0
 }
@@ -1032,6 +1032,6 @@
  },
  "timezone": "utc",
  "title": "Loki / Logs",
-  "uid": "logs",
+  "uid": "loki-logs",
  "version": 0
 }
@@ -6701,6 +6701,6 @@
  },
  "timezone": "utc",
  "title": "Loki / Operational",
-  "uid": "operational",
+  "uid": "loki-operational",
  "version": 0
 }
@@ -1464,6 +1464,6 @@
  },
  "timezone": "utc",
  "title": "Loki / Retention",
-  "uid": "retention",
+  "uid": "loki-retention",
  "version": 0
 }
@@ -0,0 +1,124 @@
+{ config, ... }:
+{
+
+  # Declaratively provision Grafana's data sources, dashboards, and alerting rules.
+  # Grafana's alerting rules is not recommended to use, we use Prometheus alertmanager instead.
+  # https://grafana.com/docs/grafana/latest/administration/provisioning/#data-sources
+  services.grafana.provision.datasources.settings = {
+    apiVersion = 1;
+
+    # List of data sources to delete from the database.
+    deleteDatasources = [
+      {
+        name = "Loki";
+        orgId = 1;
+      }
+    ];
+
+    # Mark provisioned data sources for deletion if they are no longer in a provisioning file.
+    # It takes no effect if data sources are already listed in the deleteDatasources section.
+    prune = true;
+
+    datasources = [
+      {
+        # https://grafana.com/docs/grafana/latest/datasources/prometheus/configure/
+        name = "prometheus-homelab";
+        type = "prometheus";
+        access = "proxy";
+        # Access mode - proxy (server in the UI) or direct (browser in the UI).
+        url = "http://localhost:9090";
+        jsonData = {
+          httpMethod = "POST";
+          manageAlerts = true;
+          timeInterval = "15s";
+          queryTimeout = "90s";
+          prometheusType = "Prometheus";
+          cacheLevel = "High";
+          disableRecordingRules = false;
+          # As of Grafana 10 the Prometheus data source can be configured to query live dashboards
+          # incrementally instead of re-querying the entire duration on each dashboard refresh.
+          # Increasing the duration of the incrementalQueryOverlapWindow will increase the size of every incremental query
+          # but might be helpful for instances that have inconsistent results for recent data.
+          incrementalQueryOverlapWindow = "10m";
+        };
+        editable = false;
+      }
+      {
+        # The VictoriaMetrics plugin includes more native VM functionality.
+        name = "victoriametrics-homelab";
+        type = "victoriametrics-metrics-datasource";
+        access = "proxy";
+        url = "http://localhost:9090";
+        # url: http://vmselect:8481/select/0/prometheus  # cluster version
+        jsonData = {
+          httpMethod = "POST";
+          manageAlerts = true;
+          timeInterval = "15s";
+          queryTimeout = "90s";
+          disableMetricsLookup = false; # enable this for metrics autocomplete
+          vmuiUrl = "https://prometheus.writefor.fun/vmui/";
+        };
+        isDefault = true;
+        editable = false;
+      }
+      {
+        # https://grafana.com/docs/grafana/latest/datasources/loki/configure-loki-data-source/
+        name = "loki-k3s-test-1";
+        type = "loki";
+        access = "proxy";
+        url = "https://loki-gateway.writefor.fun";
+        jsonData = {
+          timeout = 30;
+          maxLines = 1000;
+          httpHeaderName1 = "X-Scope-OrgID";
+        };
+        secureJsonData = {
+          httpHeaderValue1 = "fake";
+        };
+        editable = false;
+      }
+      {
+        name = "alertmanager-homelab";
+        type = "alertmanager";
+        url = "http://localhost:9093";
+        access = "proxy";
+        jsonData = {
+          implementation = "prometheus";
+          handleGrafanaManagedAlerts = false;
+        };
+        editable = false;
+      }
+      {
+        # https://grafana.com/docs/grafana/latest/datasources/postgres/configure/
+        name = "postgres-playground";
+        type = "postgres";
+        url = "postgres.writefor.fun:5432";
+        user = "playground";
+        secureJsonData = {
+          password = "$__file{${config.age.secrets."grafana-admin-password".path}}";
+        };
+        jsonData = {
+          database = "playground";
+          sslmode = "verify-full"; # disable/require/verify-ca/verify-full
+          maxOpenConns = 50;
+          maxIdleConns = 250;
+          maxIdleConnsAuto = true;
+          connMaxLifetime = 14400;
+          timeInterval = "1m";
+          timescaledb = false;
+          postgresVersion = 1500; # 15.xx
+          # tls
+          tlsConfigurationMethod = "file-path";
+          sslRootCertFile = ../../../certs/ecc-ca.crt;
+        };
+        editable = false;
+      }
+      {
+        name = "infinity-dataviewer";
+        type = "yesoreyeram-infinity-datasource";
+        editable = false;
+      }
+    ];
+
+  };
+}
@@ -1,45 +0,0 @@
-# https://grafana.com/docs/grafana/latest/administration/provisioning/#data-sources
-apiVersion: 1
-
-# List of data sources to delete from the database.
-deleteDatasources:
-  - name: Loki
-    orgId: 1
-
-# Mark provisioned data sources for deletion if they are no longer in a provisioning file.
-# It takes no effect if data sources are already listed in the deleteDatasources section.
-prune: true
-
-datasources:
-  # https://grafana.com/docs/grafana/latest/datasources/prometheus/
-  - name: prometheus-homelab
-    type: prometheus
-    access: proxy
-    # Access mode - proxy (server in the UI) or direct (browser in the UI).
-    url: http://localhost:9090
-    jsonData:
-      httpMethod: POST
-      manageAlerts: true
-      prometheusType: Prometheus
-      prometheusVersion: 2.49.0
-      cacheLevel: "High"
-      disableRecordingRules: false
-      # As of Grafana 10, the Prometheus data source can be configured to query live dashboards
-      # incrementally, instead of re-querying the entire duration on each dashboard refresh.
-      # Increasing the duration of the incrementalQueryOverlapWindow will increase the size of every incremental query,
-      # but might be helpful for instances that have inconsistent results for recent data.
-      incrementalQueryOverlapWindow: 10m
-    isDefault: true
-    editable: false
-  # https://grafana.com/docs/grafana/latest/datasources/loki/
-  - name: loki-k3s-test-1
-    type: loki
-    access: proxy
-    url: https://loki-gateway.writefor.fun
-    jsonData:
-      timeout: 30
-      maxLines: 1000
-      httpHeaderName1: "X-Scope-OrgID"
-    secureJsonData:
-      httpHeaderValue1: "fake"
-    editable: false
@@ -1,13 +1,20 @@
 {
+  pkgs,
  config,
  myvars,
  ...
 }:
 {
+
+  imports = [
+    ./dashboards.nix
+    ./datasources.nix
+  ];
+
  services.grafana = {
    enable = true;
    dataDir = "/data/apps/grafana";
-    # DeclarativePlugins = with pkgs.grafanaPlugins; [ grafana-piechart-panel ];
+    provision.enable = true;
    settings = {
      server = {
        http_addr = "127.0.0.1";
@@ -40,13 +47,30 @@
      };
    };

-    # Declaratively provision Grafana's data sources, dashboards, and alerting rules.
-    # Grafana's alerting rules is not recommended to use, we use Prometheus alertmanager instead.
-    # https://grafana.com/docs/grafana/latest/administration/provisioning/#data-sources
-    provision = {
-      datasources.path = ./datasources.yml;
-      dashboards.path = ./dashboards.yml;
-    };
+    # https://github.com/NixOS/nixpkgs/tree/master/pkgs/servers/monitoring/grafana/plugins
+    declarativePlugins = with pkgs.grafanaPlugins; [
+      # https://github.com/VictoriaMetrics/victoriametrics-datasource
+      # supports victoria-metrics's MetricsQL, template, tracing, prettify, etc.
+      victoriametrics-metrics-datasource
+      # https://github.com/VictoriaMetrics/victorialogs-datasource
+      victoriametrics-logs-datasource
+
+      redis-app
+      redis-datasource
+      redis-explorer-app
+
+      grafana-googlesheets-datasource
+      grafana-github-datasource
+      grafana-clickhouse-datasource
+      grafana-mqtt-datasource
+      frser-sqlite-datasource
+
+      # https://github.com/grafana/grafana-infinity-datasource
+      # Visualize data from JSON, CSV, XML, GraphQL and HTML endpoints in Grafana
+      yesoreyeram-infinity-datasource
+
+      # plugins not included in nixpkgs: trino, grafana advisor, llm, kafka
+    ];
  };

  environment.etc."grafana/dashboards".source = ./dashboards;
@@ -1,6 +1,8 @@
 # Monitoring & Alerting

-## Alert Rules
+## Alert Rules & Recoding Rules

- [awesome-prometheus-alerts](https://github.com/samber/awesome-prometheus-alerts): Collection of
-  Prometheus alerting rules
+- [awesome-prometheus-alerts](https://github.com/samber/awesome-prometheus-alerts)
+  - Collection of Prometheus alerting rules.
+- [victoria-metrics-k8s-stack/files/rules](https://github.com/VictoriaMetrics/helm-charts/tree/master/charts/victoria-metrics-k8s-stack/files/rules/generated)
+  - Alert Rules & Recoding Rules used by kube-prometheus-stack.
@@ -0,0 +1,144 @@
+{ config, ... }:
+{
+  # https://docs.victoriametrics.com/victoriametrics/vmalert/
+  services.vmalert.instances."homelab" = {
+    enable = true;
+    settings = {
+      "httpListenAddr" = "127.0.0.1:8880";
+
+      "datasource.url" = "http://localhost:9090";
+      "notifier.url" = [ "http://localhost:9093" ]; # alertmanager's api
+      # Recording rules results are persisted via remote write.
+      "remoteWrite.url" = "http://localhost:9090";
+      "remoteRead.url" = "http://localhost:9090";
+
+      # Whether to disable long-lived connections to the datasource.
+      "datasource.disableKeepAlive" = true;
+      # Whether to avoid stripping sensitive information such as auth headers or passwords
+      # from URLs in log messages or UI and exported metrics.
+      "datasource.showURL" = false;
+      # Path to the files with alerting and/or recording rules.
+      rule = [
+        "${./alert_rules}/*.yml"
+        "${./recoding_rules}/*.yml"
+      ];
+      # https://docs.victoriametrics.com/victoriametrics/vmalert/#link-to-alert-source
+      # Set this two args to generate the correct `.GeneratorURL`
+      "external.url" = "https://grafana.writefor.fun";
+      "external.alert.source" =
+        ''explore?left={"datasource":"{{ if eq .Type \"vlogs\" }}VictoriaLogs{{ else }}VictoriaMetrics{{ end }}","queries":[{"expr":{{ .Expr|jsonEscape|queryEscape }},"refId":"A"}],"range":{"from":"{{ .ActiveAt.UnixMilli }}","to":"now"}}'';
+    };
+  };
+
+  services.prometheus.alertmanager = {
+    enable = true;
+    listenAddress = "127.0.0.1";
+    port = 9093;
+    webExternalUrl = "http://alertmanager.writefor.fun";
+    logLevel = "info";
+    environmentFile = config.age.secrets."alertmanager.env".path;
+    configuration = {
+      global = {
+        # The smarthost and SMTP sender used for mail notifications.
+        smtp_smarthost = "smtp.qq.com:465";
+        smtp_from = "$SMTP_SENDER_EMAIL";
+        smtp_auth_username = "$SMTP_AUTH_USERNAME";
+        smtp_auth_password = "$SMTP_AUTH_PASSWORD";
+        # smtp.qq.com:465 support SSL only, so we need to disable TLS here.
+        # https://service.mail.qq.com/detail/0/310
+        smtp_require_tls = false;
+      };
+      route = {
+        receiver = "telegram";
+        routes = [
+          {
+            receiver = "telegram";
+            # group alerts by labels
+            group_by = [
+              "job"
+              # --- Alert labels ---
+              "alertname"
+              "alertgroup"
+              # --- kubernetes labels ---
+              "namespace"
+              # --- custom labels ---
+              "cluster"
+              "env"
+              "type"
+            ];
+            group_wait = "3m"; # wait for other alerts to "group by" before send notification
+            group_interval = "5m"; # wait for an interval, before send a new alert in the same group
+            repeat_interval = "5h"; # avoiding repeating reminders too frequently
+          }
+          # {
+          #   # Route only prod env's critical alerts to email (most severe alerts)
+          #   match = {
+          #     severity = "critical";
+          #     env = "prd";
+          #   };
+          #   receiver = "email";
+          #   group_by = [
+          #     "host"
+          #     "namespace"
+          #     "pod"
+          #     "job"
+          #   ];
+          #   group_wait = "1m";
+          #   group_interval = "5m";
+          #   repeat_interval = "2h";
+          # }
+        ];
+      };
+      receivers = [
+        # {
+        #   name = "email";
+        #   email_configs = [
+        #     {
+        #       to = "ryan4yin@linux.com";
+        #       # Whether to notify about resolved alerts.
+        #       send_resolved = true;
+        #     }
+        #   ];
+        # }
+        {
+          name = "telegram";
+          telegram_configs = [
+            {
+              bot_token = "$TELEGRAM_BOT_TOKEN";
+              chat_id = 586169186; # My Telegram ID
+              # Whether to notify about resolved alerts.
+              send_resolved = true;
+              # Disable notifications for resolved alerts
+              disable_notifications = false;
+              # Telegram's MarkdownV2 & Markdown are all very painful, we use html instead.
+              # https://core.telegram.org/bots/api#formatting-options
+              parse_mode = "HTML";
+              # Message template
+              message = ''
+                {{- if eq .Status "firing" }}
+                🟡 <b>告警触发</b>  {{ .CommonLabels.alertname }} [{{ index .CommonLabels "severity" | title }}]
+                {{- else }}
+                🟢 <b>告警恢复</b>  {{ .CommonLabels.alertname }} [{{ index .CommonLabels "severity" | title }}]
+                {{- end }}
+
+                {{- range .Alerts }}
+
+                📊 <b>详情:</b>
+                • <b>告警组</b>: {{ .Labels.alertgroup }}
+                • <b>等级</b>: {{ if eq .Labels.severity "critical" }}🔴{{ else }}🟡 {{ end }} {{ .Labels.severity | title }}
+                • <b>查询</b>: <a href="{{ .GeneratorURL }}">Grafana Explore</a>
+                • <b>触发值</b>: {{ with .Annotations.value }}{{ . }}{{ else }}N/A{{ end }}
+                • <b>Env</b>: {{ with .Labels.env }}{{ . }}{{ else }}N/A{{ end }}
+                • <b>Cluster</b>: {{ with .Labels.cluster }}{{ . }}{{ else }}N/A{{ end }}
+                • <b>Namespace</b>: {{ with .Labels.namespace }}{{ . }}{{ else }}N/A{{ end }}
+                • <b>标签</b>: {{ range .Labels.SortedPairs }}{{ .Name }}={{ .Value }},{{ end }}
+                • <b>触发时间</b>: {{ .StartsAt.Format "2006-01-02 15:04:05" }}
+                {{- end }}
+              '';
+            }
+          ];
+        }
+      ];
+    };
+  };
+}
@@ -0,0 +1,8 @@
+# Alert Rules
+
+Alert rules are configurations that define conditions, scope, and actions for generating alerts from
+monitored signals, such as metrics, logs, or activity. When an alert rule's defined conditions are
+met for a specific resource within its scope, the system generates a triggered alert, which is the
+actual instance of the condition being met. These rules specify the data to monitor, the trigger
+threshold, and the resulting actions, like sending notifications to specific receivers or performing
+automated tasks.
@@ -0,0 +1,25 @@
+groups:
+  - name: ArgoCD Exporter
+
+    rules:
+      - alert: ArgocdServiceNotSynced
+        expr: 'argocd_app_info{sync_status!="Synced"} != 0'
+        for: 15m
+        labels:
+          severity: warning
+        annotations:
+          summary: ArgoCD service not synced (instance {{ $labels.instance }})
+          description:
+            "Service {{ $labels.name }} run by argo is currently not in sync.\n  VALUE = {{ $value
+            }}\n  LABELS = {{ $labels }}"
+
+      - alert: ArgocdServiceUnhealthy
+        expr: 'argocd_app_info{health_status!="Healthy"} != 0'
+        for: 15m
+        labels:
+          severity: warning
+        annotations:
+          summary: ArgoCD service unhealthy (instance {{ $labels.instance }})
+          description:
+            "Service {{ $labels.name }} run by argo is currently not healthy.\n  VALUE = {{ $value
+            }}\n  LABELS = {{ $labels }}"
@@ -0,0 +1,13 @@
+groups:
+  - name: CoreDNS Exporter
+
+    rules:
+      - alert: CorednsPanicCount
+        expr: "increase(coredns_panics_total[1m]) > 0"
+        for: 0m
+        labels:
+          severity: critical
+        annotations:
+          summary: CoreDNS Panic Count (instance {{ $labels.instance }})
+          description:
+            "Number of CoreDNS panics encountered\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
@@ -1,5 +1,5 @@
 groups:
-  - name: EmbeddedExporter
+  - name: Etcd Exporter

    rules:
      - alert: EtcdInsufficientMembers
@@ -0,0 +1,53 @@
+groups:
+  - name: FluxCD Exporter
+
+    rules:
+      - alert: FluxKustomizationFailure
+        expr: 'gotk_resource_info{ready="False", customresource_kind="Kustomization"} > 0'
+        for: 15m
+        labels:
+          severity: warning
+        annotations:
+          summary: Flux Kustomization Failure (instance {{ $labels.instance }})
+          description:
+            "The {{ $labels.customresource_kind }} '{{ $labels.name }}' in namespace {{
+            $labels.exported_namespace }} is marked as not ready.\n  VALUE = {{ $value }}\n  LABELS
+            = {{ $labels }}"
+
+      - alert: FluxHelmreleaseFailure
+        expr: 'gotk_resource_info{ready="False", customresource_kind="HelmRelease"} > 0'
+        for: 15m
+        labels:
+          severity: warning
+        annotations:
+          summary: Flux HelmRelease Failure (instance {{ $labels.instance }})
+          description:
+            "The {{ $labels.customresource_kind }} '{{ $labels.name }}' in namespace {{
+            $labels.exported_namespace }} is marked as not ready.\n  VALUE = {{ $value }}\n  LABELS
+            = {{ $labels }}"
+
+      - alert: FluxSourceIssue
+        expr:
+          'gotk_resource_info{ready="False",
+          customresource_kind=~"GitRepository|HelmRepository|Bucket|OCIRepository"} > 0'
+        for: 15m
+        labels:
+          severity: warning
+        annotations:
+          summary: Flux Source Issue (instance {{ $labels.instance }})
+          description:
+            "Flux source {{ $labels.customresource_kind }} '{{ $labels.name }}' has
+            issue(s).\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+
+      - alert: FluxImageIssue
+        expr:
+          'gotk_resource_info{ready="False",
+          customresource_kind=~"ImagePolicy|ImageRepository|ImageUpdateAutomation"} > 0'
+        for: 15m
+        labels:
+          severity: warning
+        annotations:
+          summary: Flux Image Issue (instance {{ $labels.instance }})
+          description:
+            "The {{ $labels.customresource_kind }} '{{ $labels.name }}' is marked as not
+            ready.\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
@@ -0,0 +1,57 @@
+groups:
+  - name: general.rules
+    rules:
+      - alert: TargetDown
+        annotations:
+          description:
+            '{{ printf "%.4g" $value }}% of the {{ $labels.job }}/{{ $labels.service }} targets in
+            {{ $labels.namespace }} namespace are down.'
+          runbook_url: https://runbooks.prometheus-operator.dev/runbooks/general/targetdown
+          summary: One or more targets are unreachable.
+        expr:
+          100 * (count(up == 0) BY (cluster, job, namespace, service) / count(up) BY (cluster, job,
+          namespace, service)) > 10
+        for: 10m
+        labels:
+          severity: warning
+      - alert: Watchdog
+        annotations:
+          description: 'This is an alert meant to ensure that the entire alerting pipeline is
+            functional.
+
+            This alert is always firing, therefore it should always be firing in Alertmanager
+
+            and always fire against a receiver. There are integrations with various notification
+
+            mechanisms that send a notification when this alert is not firing. For example the
+
+            "DeadMansSnitch" integration in PagerDuty.'
+          runbook_url: https://runbooks.prometheus-operator.dev/runbooks/general/watchdog
+          summary:
+            An alert that should always be firing to certify that Alertmanager is working properly.
+        expr: vector(1)
+        labels:
+          severity: none
+      - alert: InfoInhibitor
+        annotations:
+          description: 'This is an alert that is used to inhibit info alerts.
+
+            By themselves, the info-level alerts are sometimes very noisy, but they are relevant
+            when combined with
+
+            other alerts.
+
+            This alert fires whenever there''s a severity="info" alert, and stops firing when
+            another alert with a
+
+            severity of ''warning'' or ''critical'' starts firing on the same namespace.
+
+            This alert should be routed to a null receiver and configured to inhibit alerts with
+            severity="info".'
+          runbook_url: https://runbooks.prometheus-operator.dev/runbooks/general/infoinhibitor
+          summary: Info-level alert inhibition.
+        expr:
+          ALERTS{severity = "info"} == 1 unless on(namespace) ALERTS{alertname != "InfoInhibitor",
+          severity =~ "warning|critical", alertstate="firing"} == 1
+        labels:
+          severity: none
@@ -1,5 +1,5 @@
 groups:
-  - name: EmbeddedExporter
+  - name: Istio Exporter

    rules:
      - alert: IstioKubernetesGatewayAvailabilityDrop
@@ -69,7 +69,7 @@ groups:
        annotations:
          summary: Istio high 4xx error rate (instance {{ $labels.instance }})
          description:
-            "High percentage of HTTP 5xx responses in Istio (> 5%).\n  VALUE = {{ $value
+            "High percentage of HTTP 4xx responses in Istio (> 5%).\n  VALUE = {{ $value
            }}\n  LABELS = {{ $labels }}"

      - alert: IstioHigh5xxErrorRate
@@ -1,5 +1,5 @@
 groups:
-  - name: KubestateExporter
+  - name: kube-state-metrics Exporter

    rules:
      - alert: KubernetesNodeNotReady
@@ -0,0 +1,120 @@
+groups:
+  - name: kubernetes-resources
+    rules:
+      - alert: KubeCPUOvercommit
+        annotations:
+          description:
+            Cluster {{ $labels.cluster }} has overcommitted CPU resource requests for Pods by {{
+            $value }} CPU shares and cannot tolerate node failure.
+          runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubecpuovercommit
+          summary: Cluster has overcommitted CPU resource requests.
+        expr: |-
+          sum(namespace_cpu:kube_pod_container_resource_requests:sum{job="kube-state-metrics",}) by (cluster) - (sum(kube_node_status_allocatable{job="kube-state-metrics",resource="cpu"}) by (cluster) - max(kube_node_status_allocatable{job="kube-state-metrics",resource="cpu"}) by (cluster)) > 0
+          and
+          (sum(kube_node_status_allocatable{job="kube-state-metrics",resource="cpu"}) by (cluster) - max(kube_node_status_allocatable{job="kube-state-metrics",resource="cpu"}) by (cluster)) > 0
+        for: 10m
+        labels:
+          severity: warning
+      - alert: KubeMemoryOvercommit
+        annotations:
+          description:
+            Cluster {{ $labels.cluster }} has overcommitted memory resource requests for Pods by {{
+            $value | humanize }} bytes and cannot tolerate node failure.
+          runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubememoryovercommit
+          summary: Cluster has overcommitted memory resource requests.
+        expr: |-
+          sum(namespace_memory:kube_pod_container_resource_requests:sum{}) by (cluster) - (sum(kube_node_status_allocatable{resource="memory", job="kube-state-metrics"}) by (cluster) - max(kube_node_status_allocatable{resource="memory", job="kube-state-metrics"}) by (cluster)) > 0
+          and
+          (sum(kube_node_status_allocatable{resource="memory", job="kube-state-metrics"}) by (cluster) - max(kube_node_status_allocatable{resource="memory", job="kube-state-metrics"}) by (cluster)) > 0
+        for: 10m
+        labels:
+          severity: warning
+      - alert: KubeCPUQuotaOvercommit
+        annotations:
+          description:
+            Cluster {{ $labels.cluster }}  has overcommitted CPU resource requests for Namespaces.
+          runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubecpuquotaovercommit
+          summary: Cluster has overcommitted CPU resource requests.
+        expr: |-
+          sum(min without(resource) (kube_resourcequota{job="kube-state-metrics", type="hard", resource=~"(cpu|requests.cpu)"})) by (cluster)
+            /
+          sum(kube_node_status_allocatable{resource="cpu", job="kube-state-metrics"}) by (cluster)
+            > 1.5
+        for: 5m
+        labels:
+          severity: warning
+      - alert: KubeMemoryQuotaOvercommit
+        annotations:
+          description:
+            Cluster {{ $labels.cluster }}  has overcommitted memory resource requests for
+            Namespaces.
+          runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubememoryquotaovercommit
+          summary: Cluster has overcommitted memory resource requests.
+        expr: |-
+          sum(min without(resource) (kube_resourcequota{job="kube-state-metrics", type="hard", resource=~"(memory|requests.memory)"})) by (cluster)
+            /
+          sum(kube_node_status_allocatable{resource="memory", job="kube-state-metrics"}) by (cluster)
+            > 1.5
+        for: 5m
+        labels:
+          severity: warning
+      - alert: KubeQuotaAlmostFull
+        annotations:
+          description:
+            Namespace {{ $labels.namespace }} is using {{ $value | humanizePercentage }} of its {{
+            $labels.resource }} quota.
+          runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubequotaalmostfull
+          summary: Namespace quota is going to be full.
+        expr: |-
+          kube_resourcequota{job="kube-state-metrics", type="used"}
+            / ignoring(instance, job, type)
+          (kube_resourcequota{job="kube-state-metrics", type="hard"} > 0)
+            > 0.9 < 1
+        for: 15m
+        labels:
+          severity: info
+      - alert: KubeQuotaFullyUsed
+        annotations:
+          description:
+            Namespace {{ $labels.namespace }} is using {{ $value | humanizePercentage }} of its {{
+            $labels.resource }} quota.
+          runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubequotafullyused
+          summary: Namespace quota is fully used.
+        expr: |-
+          kube_resourcequota{job="kube-state-metrics", type="used"}
+            / ignoring(instance, job, type)
+          (kube_resourcequota{job="kube-state-metrics", type="hard"} > 0)
+            == 1
+        for: 15m
+        labels:
+          severity: info
+      - alert: KubeQuotaExceeded
+        annotations:
+          description:
+            Namespace {{ $labels.namespace }} is using {{ $value | humanizePercentage }} of its {{
+            $labels.resource }} quota.
+          runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubequotaexceeded
+          summary: Namespace quota has exceeded the limits.
+        expr: |-
+          kube_resourcequota{job="kube-state-metrics", type="used"}
+            / ignoring(instance, job, type)
+          (kube_resourcequota{job="kube-state-metrics", type="hard"} > 0)
+            > 1
+        for: 15m
+        labels:
+          severity: warning
+      - alert: CPUThrottlingHigh
+        annotations:
+          description:
+            "{{ $value | humanizePercentage }} throttling of CPU in namespace {{ $labels.namespace
+            }} for container {{ $labels.container }} in pod {{ $labels.pod }}."
+          runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/cputhrottlinghigh
+          summary: Processes experience elevated CPU throttling.
+        expr: |-
+          sum(increase(container_cpu_cfs_throttled_periods_total{container!="", }[5m])) by (cluster, container, pod, namespace)
+            /
+          sum(increase(container_cpu_cfs_periods_total{}[5m])) by (cluster, container, pod, namespace)
+            > ( 25 / 100 )
+        for: 15m
+        labels:
+          severity: info
@@ -0,0 +1,52 @@
+groups:
+  - name: Loki Exporter
+
+    rules:
+      - alert: LokiProcessTooManyRestarts
+        expr: 'changes(process_start_time_seconds{job=~".*loki.*"}[15m]) > 2'
+        for: 0m
+        labels:
+          severity: warning
+        annotations:
+          summary: Loki process too many restarts (instance {{ $labels.instance }})
+          description:
+            "A loki process had too many restarts (target {{ $labels.instance }})\n  VALUE = {{
+            $value }}\n  LABELS = {{ $labels }}"
+
+      - alert: LokiRequestErrors
+        expr:
+          '100 * sum(rate(loki_request_duration_seconds_count{status_code=~"5.."}[1m])) by
+          (namespace, job, route) / sum(rate(loki_request_duration_seconds_count[1m])) by
+          (namespace, job, route) > 10'
+        for: 15m
+        labels:
+          severity: critical
+        annotations:
+          summary: Loki request errors (instance {{ $labels.instance }})
+          description:
+            "The {{ $labels.job }} and {{ $labels.route }} are experiencing errors\n  VALUE = {{
+            $value }}\n  LABELS = {{ $labels }}"
+
+      - alert: LokiRequestPanic
+        expr: "sum(increase(loki_panic_total[10m])) by (namespace, job) > 0"
+        for: 5m
+        labels:
+          severity: critical
+        annotations:
+          summary: Loki request panic (instance {{ $labels.instance }})
+          description:
+            "The {{ $labels.job }} is experiencing {{ printf \"%.2f\" $value }}% increase of
+            panics\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+
+      - alert: LokiRequestLatency
+        expr:
+          '(histogram_quantile(0.99,
+          sum(rate(loki_request_duration_seconds_bucket{route!~"(?i).*tail.*"}[5m])) by (le)))  > 1'
+        for: 5m
+        labels:
+          severity: critical
+        annotations:
+          summary: Loki request latency (instance {{ $labels.instance }})
+          description:
+            "The {{ $labels.job }} {{ $labels.route }} is experiencing {{ printf \"%.2f\" $value }}s
+            99th percentile latency\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
@@ -203,18 +203,18 @@ groups:
          summary: Host high CPU load (instance {{ $labels.instance }})
          description: "CPU load is > 80%\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"

-      - alert: HostCpuIsUnderutilized
-        expr:
-          '(100 - (rate(node_cpu_seconds_total{mode="idle"}[30m]) * 100) < 20) * on(instance)
-          group_left (nodename) node_uname_info{nodename=~".+"}'
-        for: 1w
-        labels:
-          severity: info
-        annotations:
-          summary: Host CPU is underutilized (instance {{ $labels.instance }})
-          description:
-            "CPU load is < 20% for 1 week. Consider reducing the number of CPUs.\n  VALUE = {{
-            $value }}\n  LABELS = {{ $labels }}"
+      # - alert: HostCpuIsUnderutilized
+      #   expr:
+      #     '(100 - (rate(node_cpu_seconds_total{mode="idle"}[30m]) * 100) < 20) * on(instance)
+      #     group_left (nodename) node_uname_info{nodename=~".+"}'
+      #   for: 1w
+      #   labels:
+      #     severity: info
+      #   annotations:
+      #     summary: Host CPU is underutilized (instance {{ $labels.instance }})
+      #     description:
+      #       "CPU load is < 20% for 1 week. Consider reducing the number of CPUs.\n  VALUE = {{
+      #       $value }}\n  LABELS = {{ $labels }}"

      - alert: HostCpuStealNoisyNeighbor
        expr:
@@ -0,0 +1,262 @@
+groups:
+  - name: PostgresExporter
+
+    rules:
+      - alert: PostgresqlDown
+        expr: "pg_up == 0"
+        for: 0m
+        labels:
+          severity: critical
+        annotations:
+          summary: Postgresql down (instance {{ $labels.instance }})
+          description:
+            "Postgresql instance is down\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+
+      - alert: PostgresqlRestarted
+        expr: "time() - pg_postmaster_start_time_seconds < 60"
+        for: 0m
+        labels:
+          severity: critical
+        annotations:
+          summary: Postgresql restarted (instance {{ $labels.instance }})
+          description: "Postgresql restarted\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+
+      - alert: PostgresqlExporterError
+        expr: "pg_exporter_last_scrape_error > 0"
+        for: 0m
+        labels:
+          severity: critical
+        annotations:
+          summary: Postgresql exporter error (instance {{ $labels.instance }})
+          description:
+            "Postgresql exporter is showing errors. A query may be buggy in query.yaml\n  VALUE = {{
+            $value }}\n  LABELS = {{ $labels }}"
+
+      - alert: PostgresqlTableNotAutoVacuumed
+        expr:
+          "((pg_stat_user_tables_n_tup_del + pg_stat_user_tables_n_tup_upd +
+          pg_stat_user_tables_n_tup_hot_upd) > pg_settings_autovacuum_vacuum_threshold) and (time()
+          - pg_stat_user_tables_last_autovacuum) > 60 * 60 * 24 * 10"
+        for: 0m
+        labels:
+          severity: warning
+        annotations:
+          summary: Postgresql table not auto vacuumed (instance {{ $labels.instance }})
+          description:
+            "Table {{ $labels.relname }} has not been auto vacuumed for 10 days\n  VALUE = {{ $value
+            }}\n  LABELS = {{ $labels }}"
+
+      - alert: PostgresqlTableNotAutoAnalyzed
+        expr:
+          "((pg_stat_user_tables_n_tup_del + pg_stat_user_tables_n_tup_upd +
+          pg_stat_user_tables_n_tup_hot_upd) > pg_settings_autovacuum_analyze_threshold) and (time()
+          - pg_stat_user_tables_last_autoanalyze) > 24 * 60 * 60 * 10"
+        for: 0m
+        labels:
+          severity: warning
+        annotations:
+          summary: Postgresql table not auto analyzed (instance {{ $labels.instance }})
+          description:
+            "Table {{ $labels.relname }} has not been auto analyzed for 10 days\n  VALUE = {{ $value
+            }}\n  LABELS = {{ $labels }}"
+
+      - alert: PostgresqlTooManyConnections
+        expr:
+          "sum by (instance, job, server) (pg_stat_activity_count) > min by (instance, job, server)
+          (pg_settings_max_connections * 0.8)"
+        for: 2m
+        labels:
+          severity: warning
+        annotations:
+          summary: Postgresql too many connections (instance {{ $labels.instance }})
+          description:
+            "PostgreSQL instance has too many connections (> 80%).\n  VALUE = {{ $value }}\n  LABELS
+            = {{ $labels }}"
+
+      # - alert: PostgresqlNotEnoughConnections
+      #   expr: 'sum by (datname) (pg_stat_activity_count{datname!~"template.*|postgres"}) < 5'
+      #   for: 2m
+      #   labels:
+      #     severity: critical
+      #   annotations:
+      #     summary: Postgresql not enough connections (instance {{ $labels.instance }})
+      #     description:
+      #       "PostgreSQL instance should have more connections (> 5)\n  VALUE = {{ $value
+      #       }}\n  LABELS = {{ $labels }}"
+
+      - alert: PostgresqlDeadLocks
+        expr: 'increase(pg_stat_database_deadlocks{datname!~"template.*|postgres"}[1m]) > 5'
+        for: 0m
+        labels:
+          severity: warning
+        annotations:
+          summary: Postgresql dead locks (instance {{ $labels.instance }})
+          description: "PostgreSQL has dead-locks\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+
+      - alert: PostgresqlHighRollbackRate
+        expr:
+          'sum by (namespace,datname)
+          ((rate(pg_stat_database_xact_rollback{datname!~"template.*|postgres",datid!="0"}[3m])) /
+          ((rate(pg_stat_database_xact_rollback{datname!~"template.*|postgres",datid!="0"}[3m])) +
+          (rate(pg_stat_database_xact_commit{datname!~"template.*|postgres",datid!="0"}[3m])))) >
+          0.02'
+        for: 0m
+        labels:
+          severity: warning
+        annotations:
+          summary: Postgresql high rollback rate (instance {{ $labels.instance }})
+          description:
+            "Ratio of transactions being aborted compared to committed is > 2 %\n  VALUE = {{ $value
+            }}\n  LABELS = {{ $labels }}"
+
+      # - alert: PostgresqlCommitRateLow
+      #   expr:
+      #     'increase(pg_stat_database_xact_commit{datname!~"template.*|postgres",datid!="0"}[5m]) < 5'
+      #   for: 2m
+      #   labels:
+      #     severity: critical
+      #   annotations:
+      #     summary: Postgresql commit rate low (instance {{ $labels.instance }})
+      #     description:
+      #       "Postgresql seems to be processing very few transactions\n  VALUE = {{ $value
+      #       }}\n  LABELS = {{ $labels }}"
+
+      - alert: PostgresqlLowXidConsumption
+        expr: "rate(pg_txid_current[1m]) < 5"
+        for: 2m
+        labels:
+          severity: warning
+        annotations:
+          summary: Postgresql low XID consumption (instance {{ $labels.instance }})
+          description:
+            "Postgresql seems to be consuming transaction IDs very slowly\n  VALUE = {{ $value
+            }}\n  LABELS = {{ $labels }}"
+
+      - alert: PostgresqlHighRateStatementTimeout
+        expr: 'rate(postgresql_errors_total{type="statement_timeout"}[1m]) > 3'
+        for: 0m
+        labels:
+          severity: critical
+        annotations:
+          summary: Postgresql high rate statement timeout (instance {{ $labels.instance }})
+          description:
+            "Postgres transactions showing high rate of statement timeouts\n  VALUE = {{ $value
+            }}\n  LABELS = {{ $labels }}"
+
+      - alert: PostgresqlHighRateDeadlock
+        expr: 'increase(postgresql_errors_total{type="deadlock_detected"}[1m]) > 1'
+        for: 0m
+        labels:
+          severity: critical
+        annotations:
+          summary: Postgresql high rate deadlock (instance {{ $labels.instance }})
+          description:
+            "Postgres detected deadlocks\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+
+      - alert: PostgresqlUnusedReplicationSlot
+        expr: "pg_replication_slots_active == 0"
+        for: 1m
+        labels:
+          severity: warning
+        annotations:
+          summary: Postgresql unused replication slot (instance {{ $labels.instance }})
+          description: "Unused Replication Slots\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+
+      - alert: PostgresqlTooManyDeadTuples
+        expr:
+          "((pg_stat_user_tables_n_dead_tup > 10000) / (pg_stat_user_tables_n_live_tup +
+          pg_stat_user_tables_n_dead_tup)) >= 0.1"
+        for: 2m
+        labels:
+          severity: warning
+        annotations:
+          summary: Postgresql too many dead tuples (instance {{ $labels.instance }})
+          description:
+            "PostgreSQL dead tuples is too large\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+
+      - alert: PostgresqlConfigurationChanged
+        expr:
+          '{__name__=~"pg_settings_.*"} != ON(__name__, instance)
+          {__name__=~"pg_settings_([^t]|t[^r]|tr[^a]|tra[^n]|tran[^s]|trans[^a]|transa[^c]|transac[^t]|transact[^i]|transacti[^o]|transactio[^n]|transaction[^_]|transaction_[^r]|transaction_r[^e]|transaction_re[^a]|transaction_rea[^d]|transaction_read[^_]|transaction_read_[^o]|transaction_read_o[^n]|transaction_read_on[^l]|transaction_read_only[^y]).*"}
+          OFFSET 5m'
+        for: 0m
+        labels:
+          severity: info
+        annotations:
+          summary: Postgresql configuration changed (instance {{ $labels.instance }})
+          description:
+            "Postgres Database configuration change has occurred\n  VALUE = {{ $value }}\n  LABELS =
+            {{ $labels }}"
+
+      - alert: PostgresqlSslCompressionActive
+        expr: "sum(pg_stat_ssl_compression) > 0"
+        for: 0m
+        labels:
+          severity: critical
+        annotations:
+          summary: Postgresql SSL compression active (instance {{ $labels.instance }})
+          description:
+            "Database allows connections with SSL compression enabled. This may add significant
+            jitter in replication delay. Replicas should turn off SSL compression via
+            `sslcompression=0` in `recovery.conf`.\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+
+      - alert: PostgresqlTooManyLocksAcquired
+        expr:
+          "((sum (pg_locks_count)) / (pg_settings_max_locks_per_transaction *
+          pg_settings_max_connections)) > 0.20"
+        for: 2m
+        labels:
+          severity: critical
+        annotations:
+          summary: Postgresql too many locks acquired (instance {{ $labels.instance }})
+          description:
+            "Too many locks acquired on the database. If this alert happens frequently, we may need
+            to increase the postgres setting max_locks_per_transaction.\n  VALUE = {{ $value
+            }}\n  LABELS = {{ $labels }}"
+
+      - alert: PostgresqlBloatIndexHigh(>80%)
+        expr:
+          "pg_bloat_btree_bloat_pct > 80 and on (idxname) (pg_bloat_btree_real_size > 100000000)"
+        for: 1h
+        labels:
+          severity: warning
+        annotations:
+          summary: Postgresql bloat index high (> 80%) (instance {{ $labels.instance }})
+          description:
+            "The index {{ $labels.idxname }} is bloated. You should execute `REINDEX INDEX
+            CONCURRENTLY {{ $labels.idxname }};`\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+
+      - alert: PostgresqlBloatTableHigh(>80%)
+        expr:
+          "pg_bloat_table_bloat_pct > 80 and on (relname) (pg_bloat_table_real_size > 200000000)"
+        for: 1h
+        labels:
+          severity: warning
+        annotations:
+          summary: Postgresql bloat table high (> 80%) (instance {{ $labels.instance }})
+          description:
+            "The table {{ $labels.relname }} is bloated. You should execute `VACUUM {{
+            $labels.relname }};`\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+
+      - alert: PostgresqlInvalidIndex
+        expr: 'pg_general_index_info_pg_relation_size{indexrelname=~".*ccnew.*"}'
+        for: 6h
+        labels:
+          severity: warning
+        annotations:
+          summary: Postgresql invalid index (instance {{ $labels.instance }})
+          description:
+            "The table {{ $labels.relname }} has an invalid index: {{ $labels.indexrelname }}. You
+            should execute `DROP INDEX {{ $labels.indexrelname }};`\n  VALUE = {{ $value
+            }}\n  LABELS = {{ $labels }}"
+
+      - alert: PostgresqlReplicationLag
+        expr: "pg_replication_lag_seconds > 5"
+        for: 30s
+        labels:
+          severity: warning
+        annotations:
+          summary: Postgresql replication lag (instance {{ $labels.instance }})
+          description:
+            "The PostgreSQL replication lag is high (> 5s)\n  VALUE = {{ $value }}\n  LABELS = {{
+            $labels }}"
@@ -1,48 +0,0 @@
-{ config, ... }:
-{
-  services.prometheus.alertmanager = {
-    enable = true;
-    listenAddress = "127.0.0.1";
-    port = 9093;
-    webExternalUrl = "http://alertmanager.writefor.fun";
-    logLevel = "info";
-
-    environmentFile = config.age.secrets."alertmanager.env".path;
-    configuration = {
-      global = {
-        # The smarthost and SMTP sender used for mail notifications.
-        smtp_smarthost = "smtp.qq.com:465";
-        smtp_from = "$SMTP_SENDER_EMAIL";
-        smtp_auth_username = "$SMTP_AUTH_USERNAME";
-        smtp_auth_password = "$SMTP_AUTH_PASSWORD";
-        # smtp.qq.com:465 support SSL only, so we need to disable TLS here.
-        # https://service.mail.qq.com/detail/0/310
-        smtp_require_tls = false;
-      };
-      route = {
-        receiver = "default";
-        routes = [
-          {
-            group_by = [ "host" ];
-            group_wait = "5m";
-            group_interval = "5m";
-            repeat_interval = "4h";
-            receiver = "default";
-          }
-        ];
-      };
-      receivers = [
-        {
-          name = "default";
-          email_configs = [
-            {
-              to = "ryan4yin@linux.com";
-              # Whether to notify about resolved alerts.
-              send_resolved = true;
-            }
-          ];
-        }
-      ];
-    };
-  };
-}
@@ -2,6 +2,6 @@
 {
  imports = [
    ./victoriametrics.nix
-    ./alertmanager.nix
+    ./alert.nix
  ];
 }
@@ -0,0 +1,7 @@
+# Recording Rules
+
+Recording rules are pre-defined queries, often complex or computationally expensive, that are
+evaluated periodically to create new, pre-computed time series metrics.
+
+These rules store the results in a metric backend, significantly speeding up queries for dashboards
+and other alerts, and reducing system load by avoiding the re-computation of data.
@@ -0,0 +1,149 @@
+groups:
+  - name: k8s.rules
+    rules:
+      - expr: |-
+          sum by (cluster, namespace, pod, container) (
+            irate(container_cpu_usage_seconds_total{job="kubelet", metrics_path="/metrics/cadvisor", image!=""}[5m])
+          ) * on (cluster, namespace, pod) group_left(node) topk by (cluster, namespace, pod) (
+            1, max by(cluster, namespace, pod, node) (kube_pod_info{node!=""})
+          )
+        record: node_namespace_pod_container:container_cpu_usage_seconds_total:sum_irate
+      - expr: |-
+          container_memory_working_set_bytes{job="kubelet", metrics_path="/metrics/cadvisor", image!=""}
+          * on (cluster, namespace, pod) group_left(node) topk by(cluster, namespace, pod) (1,
+            max by(cluster, namespace, pod, node) (kube_pod_info{node!=""})
+          )
+        record: node_namespace_pod_container:container_memory_working_set_bytes
+      - expr: |-
+          container_memory_rss{job="kubelet", metrics_path="/metrics/cadvisor", image!=""}
+          * on (cluster, namespace, pod) group_left(node) topk by(cluster, namespace, pod) (1,
+            max by(cluster, namespace, pod, node) (kube_pod_info{node!=""})
+          )
+        record: node_namespace_pod_container:container_memory_rss
+      - expr: |-
+          container_memory_cache{job="kubelet", metrics_path="/metrics/cadvisor", image!=""}
+          * on (cluster, namespace, pod) group_left(node) topk by(cluster, namespace, pod) (1,
+            max by(cluster, namespace, pod, node) (kube_pod_info{node!=""})
+          )
+        record: node_namespace_pod_container:container_memory_cache
+      - expr: |-
+          container_memory_swap{job="kubelet", metrics_path="/metrics/cadvisor", image!=""}
+          * on (cluster, namespace, pod) group_left(node) topk by(cluster, namespace, pod) (1,
+            max by(cluster, namespace, pod, node) (kube_pod_info{node!=""})
+          )
+        record: node_namespace_pod_container:container_memory_swap
+      - expr: |-
+          kube_pod_container_resource_requests{resource="memory",job="kube-state-metrics"}  * on (namespace, pod, cluster)
+          group_left() max by (namespace, pod, cluster) (
+            (kube_pod_status_phase{phase=~"Pending|Running"} == 1)
+          )
+        record: cluster:namespace:pod_memory:active:kube_pod_container_resource_requests
+      - expr: |-
+          sum by (namespace, cluster) (
+              sum by (namespace, pod, cluster) (
+                  max by (namespace, pod, container, cluster) (
+                    kube_pod_container_resource_requests{resource="memory",job="kube-state-metrics"}
+                  ) * on(namespace, pod, cluster) group_left() max by (namespace, pod, cluster) (
+                    kube_pod_status_phase{phase=~"Pending|Running"} == 1
+                  )
+              )
+          )
+        record: namespace_memory:kube_pod_container_resource_requests:sum
+      - expr: |-
+          kube_pod_container_resource_requests{resource="cpu",job="kube-state-metrics"}  * on (namespace, pod, cluster)
+          group_left() max by (namespace, pod, cluster) (
+            (kube_pod_status_phase{phase=~"Pending|Running"} == 1)
+          )
+        record: cluster:namespace:pod_cpu:active:kube_pod_container_resource_requests
+      - expr: |-
+          sum by (namespace, cluster) (
+              sum by (namespace, pod, cluster) (
+                  max by (namespace, pod, container, cluster) (
+                    kube_pod_container_resource_requests{resource="cpu",job="kube-state-metrics"}
+                  ) * on(namespace, pod, cluster) group_left() max by (namespace, pod, cluster) (
+                    kube_pod_status_phase{phase=~"Pending|Running"} == 1
+                  )
+              )
+          )
+        record: namespace_cpu:kube_pod_container_resource_requests:sum
+      - expr: |-
+          kube_pod_container_resource_limits{resource="memory",job="kube-state-metrics"}  * on (namespace, pod, cluster)
+          group_left() max by (namespace, pod, cluster) (
+            (kube_pod_status_phase{phase=~"Pending|Running"} == 1)
+          )
+        record: cluster:namespace:pod_memory:active:kube_pod_container_resource_limits
+      - expr: |-
+          sum by (namespace, cluster) (
+              sum by (namespace, pod, cluster) (
+                  max by (namespace, pod, container, cluster) (
+                    kube_pod_container_resource_limits{resource="memory",job="kube-state-metrics"}
+                  ) * on(namespace, pod, cluster) group_left() max by (namespace, pod, cluster) (
+                    kube_pod_status_phase{phase=~"Pending|Running"} == 1
+                  )
+              )
+          )
+        record: namespace_memory:kube_pod_container_resource_limits:sum
+      - expr: |-
+          kube_pod_container_resource_limits{resource="cpu",job="kube-state-metrics"}  * on (namespace, pod, cluster)
+          group_left() max by (namespace, pod, cluster) (
+            (kube_pod_status_phase{phase=~"Pending|Running"} == 1)
+            )
+        record: cluster:namespace:pod_cpu:active:kube_pod_container_resource_limits
+      - expr: |-
+          sum by (namespace, cluster) (
+              sum by (namespace, pod, cluster) (
+                  max by (namespace, pod, container, cluster) (
+                    kube_pod_container_resource_limits{resource="cpu",job="kube-state-metrics"}
+                  ) * on(namespace, pod, cluster) group_left() max by (namespace, pod, cluster) (
+                    kube_pod_status_phase{phase=~"Pending|Running"} == 1
+                  )
+              )
+          )
+        record: namespace_cpu:kube_pod_container_resource_limits:sum
+      - expr: |-
+          max by (cluster, namespace, workload, pod) (
+            label_replace(
+              label_replace(
+                kube_pod_owner{job="kube-state-metrics", owner_kind="ReplicaSet"},
+                "replicaset", "$1", "owner_name", "(.*)"
+              ) * on(replicaset, namespace) group_left(owner_name) topk by(replicaset, namespace) (
+                1, max by (replicaset, namespace, owner_name) (
+                  kube_replicaset_owner{job="kube-state-metrics"}
+                )
+              ),
+              "workload", "$1", "owner_name", "(.*)"
+            )
+          )
+        labels:
+          workload_type: deployment
+        record: namespace_workload_pod:kube_pod_owner:relabel
+      - expr: |-
+          max by (cluster, namespace, workload, pod) (
+            label_replace(
+              kube_pod_owner{job="kube-state-metrics", owner_kind="DaemonSet"},
+              "workload", "$1", "owner_name", "(.*)"
+            )
+          )
+        labels:
+          workload_type: daemonset
+        record: namespace_workload_pod:kube_pod_owner:relabel
+      - expr: |-
+          max by (cluster, namespace, workload, pod) (
+            label_replace(
+              kube_pod_owner{job="kube-state-metrics", owner_kind="StatefulSet"},
+              "workload", "$1", "owner_name", "(.*)"
+            )
+          )
+        labels:
+          workload_type: statefulset
+        record: namespace_workload_pod:kube_pod_owner:relabel
+      - expr: |-
+          max by (cluster, namespace, workload, pod) (
+            label_replace(
+              kube_pod_owner{job="kube-state-metrics", owner_kind="Job"},
+              "workload", "$1", "owner_name", "(.*)"
+            )
+          )
+        labels:
+          workload_type: job
+        record: namespace_workload_pod:kube_pod_owner:relabel
@@ -0,0 +1,128 @@
+groups:
+  - name: kube-prometheus-node-recording.rules
+    rules:
+      - expr:
+          sum(rate(node_cpu_seconds_total{mode!="idle",mode!="iowait",mode!="steal"}[3m])) BY
+          (instance)
+        record: instance:node_cpu:rate:sum
+      - expr: sum(rate(node_network_receive_bytes_total[3m])) BY (instance)
+        record: instance:node_network_receive_bytes:rate:sum
+      - expr: sum(rate(node_network_transmit_bytes_total[3m])) BY (instance)
+        record: instance:node_network_transmit_bytes:rate:sum
+      - expr:
+          sum(rate(node_cpu_seconds_total{mode!="idle",mode!="iowait",mode!="steal"}[5m])) WITHOUT
+          (cpu, mode) / ON(instance) GROUP_LEFT() count(sum(node_cpu_seconds_total) BY (instance,
+          cpu)) BY (instance)
+        record: instance:node_cpu:ratio
+      - expr: sum(rate(node_cpu_seconds_total{mode!="idle",mode!="iowait",mode!="steal"}[5m]))
+        record: cluster:node_cpu:sum_rate5m
+      - expr: cluster:node_cpu:sum_rate5m / count(sum(node_cpu_seconds_total) BY (instance, cpu))
+        record: cluster:node_cpu:ratio
+
+  - name: node-exporter.rules
+    rules:
+      - expr: |-
+          count without (cpu, mode) (
+            node_cpu_seconds_total{job="node-exporter",mode="idle"}
+          )
+        record: instance:node_num_cpu:sum
+      - expr: |-
+          1 - avg without (cpu) (
+            sum without (mode) (rate(node_cpu_seconds_total{job="node-exporter", mode=~"idle|iowait|steal"}[5m]))
+          )
+        record: instance:node_cpu_utilisation:rate5m
+      - expr: |-
+          (
+            node_load1{job="node-exporter"}
+          /
+            instance:node_num_cpu:sum{job="node-exporter"}
+          )
+        record: instance:node_load1_per_cpu:ratio
+      - expr: |-
+          1 - (
+            (
+              node_memory_MemAvailable_bytes{job="node-exporter"}
+              or
+              (
+                node_memory_Buffers_bytes{job="node-exporter"}
+                +
+                node_memory_Cached_bytes{job="node-exporter"}
+                +
+                node_memory_MemFree_bytes{job="node-exporter"}
+                +
+                node_memory_Slab_bytes{job="node-exporter"}
+              )
+            )
+          /
+            node_memory_MemTotal_bytes{job="node-exporter"}
+          )
+        record: instance:node_memory_utilisation:ratio
+      - expr: rate(node_vmstat_pgmajfault{job="node-exporter"}[5m])
+        record: instance:node_vmstat_pgmajfault:rate5m
+      - expr:
+          rate(node_disk_io_time_seconds_total{job="node-exporter",
+          device=~"(/dev/)?(mmcblk.p.+|nvme.+|rbd.+|sd.+|vd.+|xvd.+|dm-.+|md.+|dasd.+)"}[5m])
+        record: instance_device:node_disk_io_time_seconds:rate5m
+      - expr:
+          rate(node_disk_io_time_weighted_seconds_total{job="node-exporter",
+          device=~"(/dev/)?(mmcblk.p.+|nvme.+|rbd.+|sd.+|vd.+|xvd.+|dm-.+|md.+|dasd.+)"}[5m])
+        record: instance_device:node_disk_io_time_weighted_seconds:rate5m
+      - expr: |-
+          sum without (device) (
+            rate(node_network_receive_bytes_total{job="node-exporter", device!="lo"}[5m])
+          )
+        record: instance:node_network_receive_bytes_excluding_lo:rate5m
+      - expr: |-
+          sum without (device) (
+            rate(node_network_transmit_bytes_total{job="node-exporter", device!="lo"}[5m])
+          )
+        record: instance:node_network_transmit_bytes_excluding_lo:rate5m
+      - expr: |-
+          sum without (device) (
+            rate(node_network_receive_drop_total{job="node-exporter", device!="lo"}[5m])
+          )
+        record: instance:node_network_receive_drop_excluding_lo:rate5m
+      - expr: |-
+          sum without (device) (
+            rate(node_network_transmit_drop_total{job="node-exporter", device!="lo"}[5m])
+          )
+        record: instance:node_network_transmit_drop_excluding_lo:rate5m
+
+  - name: node.rules
+    rules:
+      - expr: |-
+          topk by(cluster, namespace, pod) (1,
+            max by (cluster, node, namespace, pod) (
+              label_replace(kube_pod_info{job="kube-state-metrics",node!=""}, "pod", "$1", "pod", "(.*)")
+          ))
+        record: "node_namespace_pod:kube_pod_info:"
+      - expr: |-
+          count by (cluster, node) (
+            node_cpu_seconds_total{mode="idle",job="node-exporter"}
+            * on (namespace, pod) group_left(node)
+            topk by(namespace, pod) (1, node_namespace_pod:kube_pod_info:)
+          )
+        record: node:node_num_cpu:sum
+      - expr: |-
+          sum(
+            node_memory_MemAvailable_bytes{job="node-exporter"} or
+            (
+              node_memory_Buffers_bytes{job="node-exporter"} +
+              node_memory_Cached_bytes{job="node-exporter"} +
+              node_memory_MemFree_bytes{job="node-exporter"} +
+              node_memory_Slab_bytes{job="node-exporter"}
+            )
+          ) by (cluster)
+        record: :node_memory_MemAvailable_bytes:sum
+      - expr: |-
+          avg by (cluster, node) (
+            sum without (mode) (
+              rate(node_cpu_seconds_total{mode!="idle",mode!="iowait",mode!="steal",job="node-exporter"}[5m])
+            )
+          )
+        record: node:node_cpu_utilization:ratio_rate5m
+      - expr: |-
+          avg by (cluster) (
+            node:node_cpu_utilization:ratio_rate5m
+          )
+        record: cluster:node_cpu:ratio_rate5m
@@ -50,6 +50,8 @@
              labels.type = "app";
              labels.app = "dnsmasq";
              labels.host = "suzi";
+              labels.env = "homelab";
+              labels.cluster = "homelab";
            }
          ];
        }
@@ -64,6 +66,8 @@
              labels.type = "app";
              labels.app = "v2ray";
              labels.host = "aquamarine";
+              labels.env = "homelab";
+              labels.cluster = "homelab";
            }
          ];
        }
@@ -77,6 +81,8 @@
              labels.type = "app";
              labels.app = "postgresql";
              labels.host = "aquamarine";
+              labels.env = "homelab";
+              labels.cluster = "homelab";
            }
          ];
        }
@@ -90,6 +96,39 @@
              labels.type = "app";
              labels.app = "sftpgo";
              labels.host = "aquamarine";
+              labels.env = "homelab";
+              labels.cluster = "homelab";
+            }
+          ];
+        }
+        {
+          job_name = "alertmanager-embedded-exporter";
+          scrape_interval = "30s";
+          metrics_path = "/metrics";
+          static_configs = [
+            {
+              targets = [ "localhost:9093" ];
+              labels.type = "app";
+              labels.app = "alertmanager";
+              labels.host = "aquamarine";
+              labels.env = "homelab";
+              labels.cluster = "homelab";
+            }
+          ];
+        }
+        {
+          job_name = "victoriametrics-embedded-exporter";
+          scrape_interval = "30s";
+          metrics_path = "/metrics";
+          static_configs = [
+            {
+              # scrape vm itself
+              targets = [ "localhost:9090" ];
+              labels.type = "app";
+              labels.app = "victoriametrics";
+              labels.host = "aquamarine";
+              labels.env = "homelab";
+              labels.cluster = "homelab";
            }
          ];
        }
@@ -109,6 +148,8 @@
                targets = [ "${addr.ipv4}:9100" ];
                labels.type = "node";
                labels.host = hostname;
+                labels.env = "homelab";
+                labels.cluster = "homelab";
              }
            ];
          }
@@ -116,25 +157,4 @@
      ) [ ] myvars.networking.hostsAddr);
    };
  };
-
-  services.vmalert = {
-    enable = true;
-    settings = {
-      "datasource.url" = "http://localhost:9090";
-      "notifier.url" = [ "http://localhost:9093" ]; # alertmanager's api
-
-      # Whether to disable long-lived connections to the datasource.
-      "datasource.disableKeepAlive" = true;
-      # Whether to avoid stripping sensitive information such as auth headers or passwords
-      # from URLs in log messages or UI and exported metrics.
-      "datasource.showURL" = false;
-      rule = [
-        ./alert_rules/node-exporter.yml
-        ./alert_rules/kubestate-exporter.yml
-        ./alert_rules/etcd_embedded-exporter.yml
-        ./alert_rules/istio_embedded-exporter.yml
-        ./alert_rules/coredns_embedded-exporter.yml
-      ];
-    };
-  };
 }
--- a/Show More
+++ b/Show More