feat: my custom libAttrs

feat: migrate nixos-installer from a separate branch into a folder

.envrc

@@ -0,0 +1 @@
+use flake

.github/workflows/flake_check.yml

@@ -0,0 +1,24 @@
+name: Nix Flake Check
+
+on: [push, pull_request, workflow_dispatch]
+
+jobs:
+  checks:
+    name: Check expressions
+    runs-on: ubuntu-latest
+
+    steps:
+      # - name: Checkout repository
+      #   uses: actions/checkout@v4
+      # - name: Install nix
+      #   uses: cachix/install-nix-action@v24
+      #   with:
+      #     install_url: https://nixos.org/nix/install
+      #     extra_nix_config: |
+      #       access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
+      #       experimental-features = nix-command flakes
+
+      - name: Run Nix Flake Check
+        run: |
+          echo 'TODO: nix flake check'
+          # nix flake check

.gitignore

@@ -1,3 +1,5 @@
 result
 result/
+.direnv/
 .DS_Store
+.pre-commit-config.yaml

Makefile

@@ -33,12 +33,18 @@ upp:
 history:
 	nix profile history --profile /nix/var/nix/profiles/system
 
+repl:
+	nix repl -f flake:nixpkgs
+
+eye:
+	systemctl --user start gammastep.service
+
 gc:
 	# remove all generations older than 7 days
 	sudo nix profile wipe-history --profile /nix/var/nix/profiles/system  --older-than 7d
 
 	# garbage collect all unused nix store entries
-	sudo nix store gc --debug
+	# sudo nix store gc --debug
 
 ############################################################################
 #
@@ -47,20 +53,28 @@ gc:
 ############################################################################
 
 darwin-set-proxy:
-	echo "skip setting proxy, use global proxy instead"
-	# sudo python3 scripts/darwin_set_proxy.py
+	sudo python3 scripts/darwin_set_proxy.py
+	sleep 1
+
+darwin-rollback:
+	./result/sw/bin/darwin-rebuild rollback
 
 ha: darwin-set-proxy
 	nix build .#darwinConfigurations.harmonica.system
-	./result/sw/bin/darwin-rebuild switch --flake .
-	sleep 3
-	sudo chmod 644 /etc/agenix/alias-for-work.*
+	./result/sw/bin/darwin-rebuild switch --flake .#harmonica
 
 ha-debug: darwin-set-proxy
-	nix build .#darwinConfigurations.harmonica.system --show-trace --verbose
+	nom build .#darwinConfigurations.harmonica.system --show-trace --verbose
 	./result/sw/bin/darwin-rebuild switch --flake .#harmonica --show-trace --verbose
-	sleep 3
-	sudo chmod 644 /etc/agenix/alias-for-work.*
+
+fe: darwin-set-proxy
+	nix build .#darwinConfigurations.fern.system
+	./result/sw/bin/darwin-rebuild switch --flake .#fern
+
+fe-debug: darwin-set-proxy
+	nom build .#darwinConfigurations.fern.system --show-trace --verbose
+	./result/sw/bin/darwin-rebuild switch --flake .#fern --show-trace --verbose
+
 
 ############################################################################
 #

README.md

@@ -16,13 +16,15 @@
 
 This repository is home to the nix code that builds my systems.
 
-## Why Nix?
+## Why NixOS & Flakes?
 
-Nix allows for easy-to-manage, collaborative, reproducible deployments. This means that once something is setup and configured once, it works forever. If someone else shares their configuration, anyone can make use of it.
+Nix allows for easy-to-manage, collaborative, reproducible deployments. This means that once something is setup and configured once, it works (almost) forever. If someone else shares their configuration, anyone can make use of it(if you really understand what you're copying/refering now).
 
-**Want to know Nix in detail? Looking for a beginner-friendly tutorial or best practices? Check out [NixOS & Nix Flakes Book - 🛠️ ❤️ An unofficial & opinionated :book: for beginners](https://github.com/ryan4yin/nixos-and-flakes-book)!**
+As for Flakes, refer to [Introduction to Flakes - NixOS & Nix Flakes Book](https://nixos-and-flakes.thiscute.world/nixos-with-flakes/introduction-to-flakes)
 
-> If you're using macOS, you can also check out [ryan4yin/nix-darwin-kickstarter](https://github.com/ryan4yin/nix-darwin-kickstarter) for a quick start.
+**Want to know NixOS & Flaks in detail? Looking for a beginner-friendly tutorial or best practices? You don't have to go through the pain I've experienced again! Check out  my [NixOS & Nix Flakes Book - 🛠️ ❤️ An unofficial & opinionated :book: for beginners](https://github.com/ryan4yin/nixos-and-flakes-book)!**
+
+> If you're using macOS, check out [ryan4yin/nix-darwin-kickstarter](https://github.com/ryan4yin/nix-darwin-kickstarter) for a quick start.
 
 ## Components
 
@@ -79,18 +81,10 @@ See [./secrets](./secrets) for details.
 
 > :red_circle: **IMPORTANT**: **You should NOT deploy this flake directly on your machine:exclamation: It will not succeed.** this flake contains my hardware configuration(such as [hardware-configuration.nix](hosts/idols/ai/hardware-configuration.nix), [cifs-mount.nix](https://github.com/ryan4yin/nix-config/blob/v0.1.1/hosts/idols/ai/cifs-mount.nix), [Nvidia Support](https://github.com/ryan4yin/nix-config/blob/v0.1.1/hosts/idols/ai/default.nix#L77-L91), etc.) which is not suitable for your hardware, and my private secrets repository [ryan4yin/nix-secrets](https://github.com/ryan4yin/nix-config/tree/main/secrets) that only I have access to. You may use this repo as a reference to build your own configuration.
 
-For MacOS:
-
-```bash
-# deploy the darwin configuration(harmonicia)
-make ha
-
-# deploy with details
-make ha-debug
-```
-
 For NixOS:
 
+> To deploy this flake from NixOS's official ISO image(purest installation method), please refer to [./hosts/idols/ai/nixos-installer/](./hosts/idols/ai/nixos-installer/)
+
 > Need to restart the machine when switching between `wayland` and `xorg`.
 
 ```bash
@@ -107,7 +101,21 @@ make i3-debug
 # make hypr-debug
 ```
 
-To deploy this flake from NixOS's official ISO image(purest installation method), please refer to [ryan4yin/nix-config/nixos-install](https://github.com/ryan4yin/nix-config/tree/nixos-install)
+For macOS:
+
+```bash
+# deploy harmonicia's configuration(macOS Intel)
+make ha
+
+# deploy fern's configuration(Apple Silicon)
+make fe
+
+# deploy with details
+make ha-debug
+# make fe
+```
+
+> [What y'all will need when Nix drives you to drink.](https://www.youtube.com/watch?v=Eni9PPPPBpg) (copy from hlissner's dotfiles, it really matches my feelings when I first started using NixOS...)
 
 ## How to create & managage VM from this flake?
 
@@ -151,6 +159,8 @@ Other dotfiles that inspired me:
   - [gvolpe/nix-config](https://github.com/gvolpe/nix-config)
   - [Ruixi-rebirth/flakes](https://github.com/Ruixi-rebirth/flakes)
   - [fufexan/dotfiles](https://github.com/fufexan/dotfiles): gtk theme, xdg, git, media, anyrun, etc.
+- Modularized NixOS Configuration
+  - [hlissner/dotfiles](https://github.com/hlissner/dotfiles)
 - Hyprland(wayland)
   - [notwidow/hyprland](https://github.com/notwidow/hyprland): This is where I start my hyprland journey.
   - [HeinzDev/Hyprland-dotfiles](https://github.com/HeinzDev/Hyprland-dotfiles): Refer to the waybar configuration here.

constants.nix

@@ -0,0 +1,17 @@
+rec {
+  # user information
+  username = "ryan";
+  userfullname = "Ryan Yin";
+  useremail = "xiaoyin_c@qq.com";
+
+  allSystemAttrs = {
+    # linux systems
+    x64_system = "x86_64-linux";
+    riscv64_system = "riscv64-linux";
+    aarch64_system = "aarch64-linux";
+    # darwin systems
+    x64_darwin = "x86_64-darwin";
+    aarch64_darwin = "aarch64-darwin";
+  };
+  allSystems = builtins.attrValues allSystemAttrs;
+}

flake.nix

@@ -16,258 +16,72 @@
   outputs = inputs @ {
     self,
     nixpkgs,
-    nixpkgs-unstable,
-    nix-darwin,
-    home-manager,
-    nixos-generators,
-    nixos-licheepi4a,
-    nixos-rk3588,
+    pre-commit-hooks,
     ...
   }: let
-    username = "ryan";
-    userfullname = "Ryan Yin";
-    useremail = "xiaoyin_c@qq.com";
+    constants = import ./constants.nix;
 
-    x64_system = "x86_64-linux";
-    x64_darwin = "x86_64-darwin";
-    riscv64_system = "riscv64-linux";
-    aarch64_system = "aarch64-linux";
-    allSystems = [x64_system x64_darwin riscv64_system aarch64_system];
+    # `lib.genAttrs [ "foo" "bar" ] (name: "x_" + name)` => `{ foo = "x_foo"; bar = "x_bar"; }`
+    forEachSystem = func: (nixpkgs.lib.genAttrs constants.allSystems func);
 
-    nixosSystem = import ./lib/nixosSystem.nix;
-    macosSystem = import ./lib/macosSystem.nix;
-    colmenaSystem = import ./lib/colmenaSystem.nix;
-
-    # 星野 アイ, Hoshino Ai
-    idol_ai_modules_i3 = {
-      nixos-modules = [
-        ./hosts/idols/ai
-        ./modules/nixos/i3.nix
-      ];
-      home-module = import ./home/linux/desktop-i3.nix;
-    };
-    idol_ai_modules_hyprland = {
-      nixos-modules = [
-        ./hosts/idols/ai
-        ./modules/nixos/hyprland.nix
-      ];
-      home-module = import ./home/linux/desktop-hyprland.nix;
-    };
-
-    # 星野 愛久愛海, Hoshino Akuamarin
-    idol_aquamarine_modules = {
-      nixos-modules = [
-        ./hosts/idols/aquamarine
-      ];
-      home-module = import ./home/linux/server.nix;
-    };
-    idol_aquamarine_tags = ["dist-build" "aqua"];
-
-    # 星野 瑠美衣, Hoshino Rubii
-    idol_ruby_modules = {
-      nixos-modules = [
-        ./hosts/idols/ruby
-      ];
-      home-module = import ./home/linux/server.nix;
-    };
-    idol_ruby_tags = ["dist-build" "ruby"];
-
-    # 有馬 かな, Arima Kana
-    idol_kana_modules = {
-      nixos-modules = [
-        ./hosts/idols/kana
-      ];
-      home-module = import ./home/linux/server.nix;
-    };
-    idol_kana_tags = ["dist-build" "kana"];
-
-    # 森友 望未, Moritomo Nozomi
-    rolling_nozomi_modules = {
-      nixos-modules = [
-        ./hosts/rolling_girls/nozomi
-      ];
-      # home-module = import ./home/linux/server-riscv64.nix;
-    };
-    rolling_nozomi_tags = ["riscv" "nozomi"];
-
-    # 小坂 結季奈, Kosaka Yukina
-    rolling_yukina_modules = {
-      nixos-modules = [
-        ./hosts/rolling_girls/yukina
-      ];
-      # home-module = import ./home/linux/server-riscv64.nix;
-    };
-    rolling_yukina_tags = ["riscv" "yukina"];
-
-    # 大木 鈴, Ōki Suzu
-    _12kingdoms_suzu_modules = {
-      nixos-modules = [
-        ./hosts/12kingdoms/suzu
-      ];
-      # home-module = import ./home/linux/server.nix;
-    };
-    _12kingdoms_suzu_tags = ["aarch" "suzu"];
-
-    x64_specialArgs =
-      {
-        inherit username userfullname useremail;
-        # use unstable branch for some packages to get the latest updates
-        pkgs-unstable = import nixpkgs-unstable {
-          system = x64_system; # refer the `system` parameter form outer scope recursively
-          # To use chrome, we need to allow the installation of non-free software
-          config.allowUnfree = true;
-        };
-      }
-      // inputs;
-  in {
-    nixosConfigurations = let
-      base_args = {
-        inherit home-manager nixos-generators;
-        nixpkgs = nixpkgs; # or nixpkgs-unstable
-        system = x64_system;
-        specialArgs = x64_specialArgs;
-      };
-    in {
-      # ai with i3 window manager
-      ai_i3 = nixosSystem (idol_ai_modules_i3 // base_args);
-      # ai with hyprland compositor
-      ai_hyprland = nixosSystem (idol_ai_modules_hyprland // base_args);
-
-      # three virtual machines without desktop environment.
-      aquamarine = nixosSystem (idol_aquamarine_modules // base_args);
-      ruby = nixosSystem (idol_ruby_modules // base_args);
-      kana = nixosSystem (idol_kana_modules // base_args);
-    };
-
-    # colmena - remote deployment via SSH
-    colmena = let
-      # x86_64 related
-      x64_base_args = {
-        inherit home-manager;
-        nixpkgs = nixpkgs; # or nixpkgs-unstable
-        specialArgs = x64_specialArgs;
-      };
-
-      # riscv64 related
-      # using the same nixpkgs as nixos-licheepi4a to utilize the cross-compilation cache.
-      lpi4a_pkgs = import nixos-licheepi4a.inputs.nixpkgs {system = x64_system;};
-      lpi4a_specialArgs =
-        {
-          inherit username userfullname useremail;
-          pkgsKernel = nixos-licheepi4a.packages.${x64_system}.pkgsKernelCross;
-        }
-        // inputs;
-      lpi4a_base_args = {
-        inherit home-manager;
-        nixpkgs = nixos-licheepi4a.inputs.nixpkgs; # or nixpkgs-unstable
-        specialArgs = lpi4a_specialArgs;
-        targetUser = "root";
-      };
-
-      # aarch64 related
-      # using the same nixpkgs as nixos-rk3588 to utilize the cross-compilation cache.
-      rk3588_pkgs = import nixos-rk3588.inputs.nixpkgs {system = x64_system;};
-      rk3588_specialArgs =
-        {
-          inherit username userfullname useremail;
-        }
-        // nixos-rk3588.inputs;
-      rk3588_base_args = {
-        inherit home-manager;
-        nixpkgs = nixos-rk3588.inputs.nixpkgs; # or nixpkgs-unstable
-        specialArgs = rk3588_specialArgs;
-        targetUser = "root";
-      };
-    in {
-      meta = {
-        nixpkgs = import nixpkgs {system = x64_system;};
-        specialArgs = x64_specialArgs;
-
-        nodeSpecialArgs = {
-          # riscv64 SBCs
-          nozomi = lpi4a_specialArgs;
-          yukina = lpi4a_specialArgs;
-
-          # aarch64 SBCs
-          suzu = rk3588_specialArgs;
-        };
-        nodeNixpkgs = {
-          nozomi = lpi4a_pkgs;
-          yukina = lpi4a_pkgs;
-
-          # aarch64 SBCs
-          suzu = rk3588_pkgs;
-        };
-      };
-
-      # proxmox virtual machines(x86_64)
-      aquamarine = colmenaSystem (idol_aquamarine_modules // x64_base_args // {host_tags = idol_aquamarine_tags;});
-      ruby = colmenaSystem (idol_ruby_modules // x64_base_args // {host_tags = idol_ruby_tags;});
-      kana = colmenaSystem (idol_kana_modules // x64_base_args // {host_tags = idol_kana_tags;});
-
-      # riscv64 SBCs
-      nozomi = colmenaSystem (rolling_nozomi_modules // lpi4a_base_args // {host_tags = rolling_nozomi_tags;});
-      yukina = colmenaSystem (rolling_yukina_modules // lpi4a_base_args // {host_tags = rolling_yukina_tags;});
-
-      # aarch64 SBCs
-      suzu = colmenaSystem (_12kingdoms_suzu_modules // rk3588_base_args // {host_tags = _12kingdoms_suzu_tags;});
-    };
-
-    # take system images for idols
-    # https://github.com/nix-community/nixos-generators
-    packages."${x64_system}" =
-      # genAttrs returns an attribute set with the given keys and values(host => image).
-      nixpkgs.lib.genAttrs [
-        "ai_i3"
-        "ai_hyprland"
-      ] (
-        # generate iso image for hosts with desktop environment
-        host:
-          self.nixosConfigurations.${host}.config.formats.iso
-      )
-      // nixpkgs.lib.genAttrs [
-        "aquamarine"
-        "ruby"
-        "kana"
-      ] (
-        # generate proxmox image for virtual machines without desktop environment
-        host:
-          self.nixosConfigurations.${host}.config.formats.proxmox
-      );
-
-    # macOS's configuration, for work.
-    darwinConfigurations = let
-      system = x64_darwin;
-      specialArgs =
-        {
-          inherit username userfullname useremail;
-          # use unstable branch for some packages to get the latest updates
-          pkgs-unstable = import nixpkgs-unstable {
-            inherit system; # refer the `system` parameter form outer scope recursively
-            # To use chrome, we need to allow the installation of non-free software
-            config.allowUnfree = true;
-          };
-        }
-        // inputs;
-      base_args = {
-        inherit nix-darwin home-manager system specialArgs nixpkgs;
-      };
-    in {
-      harmonica = macosSystem (base_args
+    allSystemConfigurations = import ./systems {inherit self inputs constants;};
+  in
+    allSystemConfigurations
     // {
-          darwin-modules = [
-            ./hosts/harmonica
-          ];
-          home-module = import ./home/darwin;
-        });
-    };
-
       # format the nix code in this flake
       # alejandra is a nix formatter with a beautiful output
-    formatter = nixpkgs.lib.genAttrs allSystems (
-      system:
-        nixpkgs.legacyPackages.${system}.alejandra
+      formatter = forEachSystem (
+        system: nixpkgs.legacyPackages.${system}.alejandra
       );
+
+      # pre-commit hooks for nix code
+      checks = forEachSystem (
+        system: {
+          pre-commit-check = pre-commit-hooks.lib.${system}.run {
+            src = ./.;
+            hooks = {
+              alejandra.enable = true; # formatter
+              # deadnix.enable = true; # detect unused variable bindings in `*.nix`
+              statix.enable = true; # lints and suggestions for Nix code(auto suggestions)
+              prettier = {
+                enable = true;
+                excludes = [".js" ".md" ".ts"];
+              };
+            };
+          };
+        }
+      );
+      devShells = forEachSystem (
+        system: {
+          default = nixpkgs.legacyPackages.${system}.mkShell {
+            packages = [
+              # fix https://discourse.nixos.org/t/non-interactive-bash-errors-from-flake-nix-mkshell/33310
+              nixpkgs.legacyPackages.${system}.bashInteractive
+            ];
+            name = "dots";
+            shellHook = ''
+              ${self.checks.${system}.pre-commit-check.shellHook}
+            '';
+          };
+        }
+      );
+    };
+
+  # the nixConfig here only affects the flake itself, not the system configuration!
+  # for more information, see:
+  #     https://nixos-and-flakes.thiscute.world/nixos-with-flakes/add-custom-cache-servers
+  nixConfig = {
+    # substituers will be appended to the default substituters when fetching packages
+    extra-substituters = [
+      "https://anyrun.cachix.org"
+      "https://hyprland.cachix.org"
+      # "https://nixpkgs-wayland.cachix.org"
+    ];
+    extra-trusted-public-keys = [
+      "anyrun.cachix.org-1:pqBobmOjI7nKlsUMV25u9QHa9btJK65/C8vnO3p346s="
+      "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
+      # "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
+    ];
   };
 
   # This is the standard format for flake.nix. `inputs` are the dependencies of the flake,
@@ -281,6 +95,12 @@
     # nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
     nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
 
+    # add git hooks to format nix code before commit
+    pre-commit-hooks = {
+      url = "github:cachix/pre-commit-hooks.nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
     # for macos
     nixpkgs-darwin.url = "github:nixos/nixpkgs/nixpkgs-23.11-darwin";
     nix-darwin = {
@@ -306,10 +126,13 @@
 
     impermanence.url = "github:nix-community/impermanence";
 
-    # modern window compositor
-    hyprland.url = "github:hyprwm/Hyprland/v0.32.3";
+    hyprland = {
+      url = "github:hyprwm/Hyprland/v0.33.1";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
     # community wayland nixpkgs
-    nixpkgs-wayland.url = "github:nix-community/nixpkgs-wayland";
+    # nixpkgs-wayland.url = "github:nix-community/nixpkgs-wayland";
     # anyrun - a wayland launcher
     anyrun = {
       url = "github:Kirottu/anyrun";
@@ -321,15 +144,20 @@
       url = "github:nix-community/nixos-generators";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-
-    # secrets management, lock with git commit at 2023/7/15
-    agenix.url = "github:ryantm/agenix/0d8c5325fc81daf00532e3e26c6752f7bcde1143";
+    # secrets management
+    agenix = {
+      # lock with git commit at 0.14.0
+      url = "github:ryantm/agenix/54693c91d923fecb4cf04c4535e3d84f8dec7919";
+      # replaced with a type-safe reimplementation to get a better error message and less bugs.
+      # url = "github:ryan4yin/ragenix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
 
     ########################  Some non-flake repositories  #########################################
 
     # AstroNvim is an aesthetic and feature-rich neovim config.
     astronvim = {
-      url = "github:AstroNvim/AstroNvim/v3.39.0";
+      url = "github:AstroNvim/AstroNvim/v3.40.3";
       flake = false;
     };
 
@@ -365,65 +193,5 @@
 
     # aarch64 SBCs
     nixos-rk3588.url = "github:ryan4yin/nixos-rk3588";
-
-    ########################  Color Schemes  #########################################
-
-    # color scheme - catppuccin
-    catppuccin-btop = {
-      url = "github:catppuccin/btop";
-      flake = false;
-    };
-    catppuccin-fcitx5 = {
-      url = "github:catppuccin/fcitx5";
-      flake = false;
-    };
-    catppuccin-bat = {
-      url = "github:catppuccin/bat";
-      flake = false;
-    };
-    catppuccin-alacritty = {
-      url = "github:catppuccin/alacritty";
-      flake = false;
-    };
-    catppuccin-helix = {
-      url = "github:catppuccin/helix";
-      flake = false;
-    };
-    catppuccin-starship = {
-      url = "github:catppuccin/starship";
-      flake = false;
-    };
-    catppuccin-hyprland = {
-      url = "github:catppuccin/hyprland";
-      flake = false;
-    };
-    catppuccin-cava = {
-      url = "github:catppuccin/cava";
-      flake = false;
-    };
-    cattppuccin-k9s = {
-      url = "github:catppuccin/k9s";
-      flake = false;
-    };
-  };
-
-  # the nixConfig here only affects the flake itself, not the system configuration!
-  nixConfig = {
-    # substituers will be appended to the default substituters when fetching packages
-    extra-substituters = [
-      # my own cache server
-      "https://ryan4yin.cachix.org"
-      "https://anyrun.cachix.org"
-      "https://hyprland.cachix.org"
-      "https://nix-community.cachix.org"
-      "https://nixpkgs-wayland.cachix.org"
-    ];
-    extra-trusted-public-keys = [
-      "ryan4yin.cachix.org-1:Gbk27ZU5AYpGS9i3ssoLlwdvMIh0NxG0w8it/cv9kbU="
-      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-      "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
-      "anyrun.cachix.org-1:pqBobmOjI7nKlsUMV25u9QHa9btJK65/C8vnO3p346s="
-      "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
-    ];
   };
 }

home/base/desktop/cloud/default.nix

@@ -1,8 +1,6 @@
-{
-  pkgs,
-  ...
-}: {
-  home.packages = with pkgs; [
+{pkgs, ...}: {
+  home.packages = with pkgs;
+    [
       # general tools
       pulumi
       pulumictl
@@ -10,15 +8,21 @@
 
       # aws
       awscli2
+      ssm-session-manager-plugin # Amazon SSM Session Manager Plugin
       aws-iam-authenticator
       eksctl
       istioctl
 
       # aliyun
       aliyun-cli
-   ] ++ (if pkgs.stdenv.isLinux then [
+    ]
+    ++ (
+      if pkgs.stdenv.isLinux
+      then [
         # cloud tools that nix do not have cache for.
         terraform
         terraformer # generate terraform configs from existing cloud resources
-   ] else []);
+      ]
+      else []
+    );
 }

home/base/desktop/container/kubernetes.nix

@@ -1,7 +1,6 @@
 {
   pkgs,
-  pkgs-unstable,
-  cattppuccin-k9s,
+  nur-ryan4yin,
   ...
 }: {
   home.packages = with pkgs; [
@@ -12,10 +11,10 @@
   programs = {
     k9s = {
       enable = true;
-      skin =
-        let
-          skin_file = "${cattppuccin-k9s}/dist/mocha.yml";  # theme - cattppuccin mocha
-          skin_attr = builtins.fromJSON (builtins.readFile
+      skin = let
+        skin_file = "${nur-ryan4yin.packages.${pkgs.system}.catppuccin-k9s}/dist/mocha.yml"; # theme - catppuccin mocha
+        skin_attr = builtins.fromJSON (
+          builtins.readFile
           # replace 'base: &base "#1e1e2e"' with 'base: &base "default"'
           # to make fg/bg color transparent. "default" means transparent in k9s skin.
           (pkgs.runCommandNoCC "get-skin-json" {} ''

home/base/desktop/default.nix

@@ -11,5 +11,6 @@
     ./helix.nix
     ./media.nix
     ./shell.nix
+    ./yazi.nix
   ];
 }

home/base/desktop/development.nix

@@ -14,7 +14,8 @@
   #
   #############################################################
 
-  home.packages = with pkgs; [
+  home.packages = with pkgs;
+    [
       (python3.withPackages (
         ps:
           with ps; [
@@ -41,6 +42,9 @@
       # embedded development
       minicom
 
+      # ai related
+      python311Packages.huggingface-hub # huggingface-cli
+
       # misc
       pkgs-unstable.devbox
       glow # markdown previewer
@@ -50,7 +54,10 @@
       bfg-repo-cleaner # remove large files from git history
       k6 # load testing tool
       protobuf # protocol buffer compiler
-  ] ++ (if pkgs.stdenv.isLinux then [
+    ]
+    ++ (
+      if pkgs.stdenv.isLinux
+      then [
         # Automatically trims your branches whose tracking remote refs are merged or gone
         # It's really useful when you work on a project for a long time.
         git-trim
@@ -63,7 +70,9 @@
         mitmproxy # http/https proxy tool
         insomnia # REST client
         wireshark # network analyzer
-  ] else []);
+      ]
+      else []
+    );
 
   programs = {
     direnv = {

home/base/desktop/helix.nix

@@ -1,8 +1,10 @@
-{ pkgs, catppuccin-helix, ... }:
-
 {
+  pkgs,
+  nur-ryan4yin,
+  ...
+}: {
   # https://github.com/catppuccin/helix
-  xdg.configFile."helix/themes".source = "${catppuccin-helix}/themes/default";
+  xdg.configFile."helix/themes".source = "${nur-ryan4yin.packages.${pkgs.system}.catppuccin-helix}/themes/default";
 
   programs.helix = {
     enable = true;
@@ -22,9 +24,11 @@
         indent-guides.render = true;
       };
       keys.normal = {
-        space.space = "file_picker";
-        space.w = ":w";
-        space.q = ":q";
+        space = {
+          space = "file_picker";
+          w = ":w";
+          q = ":q";
+        };
         esc = ["collapse_selection" "keep_primary_selection"];
       };
     };

home/base/desktop/neovim/default.nix

@@ -47,7 +47,6 @@
           checkmake
           gcc # c/c++ compiler, required by nvim-treesitter!
           llvmPackages.clang-unwrapped # c/c++ tools with clang-tools such as clangd
-          gdb
           lldb
 
           #-- python
@@ -149,6 +148,7 @@
           else [
             #-- verilog / systemverilog
             verible
+            gdb
           ]
         );
     };

home/base/desktop/terminal/alacritty.nix

@@ -1,4 +1,8 @@
-{pkgs, catppuccin-alacritty, ...}:
+{
+  pkgs,
+  nur-ryan4yin,
+  ...
+}:
 ###########################################################
 #
 # Alacritty Configuration
@@ -20,7 +24,7 @@
 #
 ###########################################################
 {
-  xdg.configFile."alacritty/theme_catppuccin.yml".source = "${catppuccin-alacritty}/catppuccin-mocha.yml";
+  xdg.configFile."alacritty/theme_catppuccin.yml".source = "${nur-ryan4yin.packages.${pkgs.system}.catppuccin-alacritty}/catppuccin-mocha.yml";
   programs.alacritty = {
     enable = true;
   };

home/base/desktop/terminal/wezterm.nix

@@ -25,8 +25,7 @@
           if pkgs.stdenv.isDarwin
           then "14.0"
           else "13.0";
-      in
-        ''
+      in ''
         -- Pull in the wezterm API
         local wezterm = require 'wezterm'
 

home/base/desktop/yazi.nix

@@ -0,0 +1,10 @@
+{pkgs-unstable, ...}: {
+  # terminal file manager
+  programs.yazi = {
+    enable = true;
+    package = pkgs-unstable.yazi;
+    enableBashIntegration = true;
+    # TODO: nushellIntegration is broken on release-23.11, wait for master's fix to be released
+    enableNushellIntegration = false;
+  };
+}

home/base/server/bash.nix

@@ -1,16 +0,0 @@
-{...}: {
-  programs.bash = {
-    enable = true;
-    enableCompletion = true;
-    bashrcExtra = ''
-      export PATH="$PATH:$HOME/bin:$HOME/.local/bin:$HOME/go/bin"
-    '';
-
-    shellAliases = {
-      k = "kubectl";
-
-      urldecode = "python3 -c 'import sys, urllib.parse as ul; print(ul.unquote_plus(sys.stdin.read()))'";
-      urlencode = "python3 -c 'import sys, urllib.parse as ul; print(ul.quote_plus(sys.stdin.read()))'";
-    };
-  };
-}

home/base/server/bat.nix

@@ -1,4 +1,8 @@
-{ catppuccin-bat, ...}: {
+{
+  pkgs,
+  nur-ryan4yin,
+  ...
+}: {
   # a cat(1) clone with syntax highlighting and Git integration.
   programs.bat = {
     enable = true;
@@ -9,7 +13,7 @@
     themes = {
       # https://raw.githubusercontent.com/catppuccin/bat/main/Catppuccin-mocha.tmTheme
       catppuccin-mocha = {
-        src = catppuccin-bat;
+        src = nur-ryan4yin.packages.${pkgs.system}.catppuccin-bat;
         file = "Catppuccin-mocha.tmTheme";
       };
     };

home/base/server/btop.nix

@@ -1,8 +1,10 @@
-{ catppuccin-btop, ... }:
-
 {
+  pkgs,
+  nur-ryan4yin,
+  ...
+}: {
   # https://github.com/catppuccin/btop/blob/main/themes/catppuccin_mocha.theme
-  home.file.".config/btop/themes".source = "${catppuccin-btop}/themes";
+  xdg.configFile."btop/themes".source = "${nur-ryan4yin.packages.${pkgs.system}.catppuccin-btop}/themes";
 
   # replacement of htop/nmon
   programs.btop = {

home/base/server/core.nix

@@ -19,7 +19,6 @@
     nmap # A utility for network discovery and security auditing
     ipcalc # it is a calculator for the IPv4/v6 addresses
 
-
     # Text Processing
     # Docs: https://github.com/learnbyexample/Command-line-text-processing
     gnugrep # GNU grep, provides `grep`/`egrep`/`fgrep`
@@ -58,18 +57,11 @@
   ];
 
   programs = {
-    # modern vim
-    neovim = {
-      enable = true;
-      defaultEditor = true;
-      vimAlias = true;
-    };
-
     # A modern replacement for ‘ls’
     # useful in bash/zsh prompt, not in nushell.
     eza = {
       enable = true;
-      enableAliases = true;
+      enableAliases = false; # do not enable aliases in nushell!
       git = true;
       icons = true;
     };

home/base/server/default.nix

@@ -1,10 +1,9 @@
 {...}: {
   imports = [
-    ./nushell
+    ./shells
     ./tmux
     ./zellij
 
-    ./bash.nix
     ./bat.nix
     ./btop.nix
     ./core.nix

home/base/server/git.nix

@@ -2,7 +2,6 @@
   config,
   lib,
   pkgs,
-
   userfullname,
   useremail,
   ...
@@ -12,7 +11,7 @@
   #
   #    https://git-scm.com/docs/git-config#Documentation/git-config.txt---global
   home.activation.removeExistingGitconfig = lib.hm.dag.entryBefore ["checkLinkTargets"] ''
-    rm -f ~/.gitconfig
+    rm -f ${config.home.homeDirectory}/.gitconfig
   '';
 
   home.packages = with pkgs; [

home/base/server/nushell/default.nix

@@ -1,19 +0,0 @@
-{ config, ...}: {
-  programs.nushell = {
-    enable = true;
-    configFile.source = ./config.nu;
-
-    # home-manager will merge the cotent in `environmentVariables` with the `envFile.source`
-    # but basically, I set all environment variables via the shell-independent way, so I don't need to use those two options
-    #
-    # envFile.source = ./env.nu;
-    # environmentVariables = { FOO="bar"; };
-
-    shellAliases = {
-      k = "kubectl";
-
-      urldecode = "python3 -c 'import sys, urllib.parse as ul; print(ul.unquote_plus(sys.stdin.read()))'";
-      urlencode = "python3 -c 'import sys, urllib.parse as ul; print(ul.quote_plus(sys.stdin.read()))'";
-    };
-  };
-}

home/base/server/shells/default.nix

@@ -0,0 +1,25 @@
+let
+  shellAliases = {
+    k = "kubectl";
+
+    urldecode = "python3 -c 'import sys, urllib.parse as ul; print(ul.unquote_plus(sys.stdin.read()))'";
+    urlencode = "python3 -c 'import sys, urllib.parse as ul; print(ul.quote_plus(sys.stdin.read()))'";
+  };
+in {
+  # only works in bash/zsh, not nushell
+  home.shellAliases = shellAliases;
+
+  programs.nushell = {
+    enable = true;
+    configFile.source = ./config.nu;
+    shellAliases = shellAliases;
+  };
+
+  programs.bash = {
+    enable = true;
+    enableCompletion = true;
+    bashrcExtra = ''
+      export PATH="$HOME/.local/bin:$HOME/go/bin:$PATH"
+    '';
+  };
+}

home/base/server/starship.nix

@@ -1,4 +1,8 @@
-{ catppuccin-starship, ...}: {
+{
+  pkgs,
+  nur-ryan4yin,
+  ...
+}: {
   programs.starship = {
     enable = true;
 
@@ -6,7 +10,8 @@
     enableZshIntegration = true;
     enableNushellIntegration = true;
 
-    settings = {
+    settings =
+      {
         character = {
           success_symbol = "[›](bold green)";
           error_symbol = "[›](bold red)";
@@ -22,6 +27,7 @@
         };
 
         palette = "catppuccin_mocha";
-    } // builtins.fromTOML (builtins.readFile "${catppuccin-starship}/palettes/mocha.toml");
+      }
+      // builtins.fromTOML (builtins.readFile "${nur-ryan4yin.packages.${pkgs.system}.catppuccin-starship}/palettes/mocha.toml");
   };
 }

home/base/server/zellij/default.nix

@@ -1,7 +1,7 @@
-{...}: {
+_: {
   programs.zellij = {
     enable = true;
   };
 
-  home.file.".config/zellij/config.kdl".source = ./config.kdl;
+  xdg.configFile."zellij/config.kdl".source = ./config.kdl;
 }

home/darwin/default.nix

@@ -3,15 +3,15 @@
     ../base/desktop
 
     ./proxychains
-
     ./core.nix
     ./rime-squirrel.nix
+    ./shell.nix
   ];
 
   # Home Manager needs a bit of information about you and the
   # paths it should manage.
   home = {
-    username = username;
+    inherit username;
     # set homeDirectory make build fail
     homeDirectory = "/Users/${username}";
 
@@ -23,7 +23,7 @@
     # You can update Home Manager without changing this value. See
     # the Home Manager release notes for a list of state version
     # changes in each release.
-    stateVersion = "22.11";
+    stateVersion = "23.11";
   };
 
   # Let Home Manager install and manage itself.

home/darwin/rime-squirrel.nix

@@ -1,17 +1,11 @@
-{
-  lib,
-  pkgs,
-  ...
-}: {
-  # remove existing rime data (squirrel)
-  home.activation.removeExistingRimeData = lib.hm.dag.entryBefore ["checkLinkTargets"] ''
-    rm -rf "~/Library/Rime/build/flypy.prism.bin"
-  '';
-
+{pkgs, ...}: {
   # Squirrel Input Method
   home.file."Library/Rime" = {
     # my custom squirrel data (flypy input method)
     source = "${pkgs.flypy-squirrel}/share/rime-data";
     recursive = true;
+    # overwrite possible existing data dynamically generated by squirrel
+    # https://github.com/nix-community/home-manager/blob/release-23.05/modules/lib/file-type.nix#L101-L111
+    force = true;
   };
 }

home/darwin/shell.nix

@@ -0,0 +1,13 @@
+_: {
+  # Homebrew's default install location:
+  #   /opt/homebrew for Apple Silicon
+  #   /usr/local for macOS Intel
+  # The prefix /opt/homebrew was chosen to allow installations
+  # in /opt/homebrew for Apple Silicon and /usr/local for Rosetta 2 to coexist and use bottles.
+  programs.bash.bashrcExtra = ''
+    export PATH="/opt/homebrew/bin:/usr/local/bin:$PATH"
+  '';
+  programs.zsh.envExtra = ''
+    export PATH="/opt/homebrew/bin:/usr/local/bin:$PATH"
+  '';
+}

home/linux/base/shell.nix

@@ -1,4 +1,8 @@
-{config, nushell-scripts, ...}: let
+{
+  config,
+  nushell-scripts,
+  ...
+}: let
   d = config.xdg.dataHome;
   c = config.xdg.configHome;
   cache = config.xdg.cacheHome;

home/linux/desktop-hyprland.nix

@@ -12,7 +12,7 @@
   # Home Manager needs a bit of information about you and the
   # paths it should manage.
   home = {
-    username = username;
+    inherit username;
     homeDirectory = "/home/${username}";
 
     # This value determines the Home Manager release that your
@@ -23,7 +23,7 @@
     # You can update Home Manager without changing this value. See
     # the Home Manager release notes for a list of state version
     # changes in each release.
-    stateVersion = "22.11";
+    stateVersion = "23.11";
   };
 
   # Let Home Manager install and manage itself.

home/linux/desktop-i3.nix

@@ -12,7 +12,7 @@
   # Home Manager needs a bit of information about you and the
   # paths it should manage.
   home = {
-    username = username;
+    inherit username;
     homeDirectory = "/home/${username}";
 
     # This value determines the Home Manager release that your
@@ -23,7 +23,7 @@
     # You can update Home Manager without changing this value. See
     # the Home Manager release notes for a list of state version
     # changes in each release.
-    stateVersion = "22.11";
+    stateVersion = "23.11";
   };
 
   # Let Home Manager install and manage itself.

home/linux/desktop/default.nix

@@ -7,6 +7,7 @@
     ./ssh.nix
     ./wallpaper.nix
     ./xdg.nix
+    ./eye-protection.nix
   ];
 
   home.packages = with pkgs; [

home/linux/desktop/eye-protection.nix

@@ -0,0 +1,45 @@
+{
+  pkgs,
+  lib,
+  ...
+}: {
+  # Adjust the color temperature(& brightness) of your screen according to
+  # your surroundings. This may help your eyes hurt less if you are
+  # working in front of the screen at night.
+  #
+  # works fine with both x11 & wayland(hyprland)
+  #
+  # https://gitlab.com/chinstrap/gammastep
+  services.gammastep = {
+    enable = true;
+    # add a gammastep icon in the system tray
+    # has problem with wayland, so disable it
+    tray = false;
+    temperature = {
+      day = 5700;
+      night = 4000;
+    };
+    # https://gitlab.com/chinstrap/gammastep/-/blob/master/gammastep.conf.sample?ref_type=heads
+    settings = {
+      general = {
+        fade = "1"; # gradually apply the new screen temperature/brightness over a couple of seconds.
+        # it is a fake brightness adjustment obtained by manipulating the gamma ramps,
+        # which means that it does not reduce the backlight　of the screen.
+        # Preferably only use it if your normal backlight adjustment is too coarse-grained.
+        brightness-day = "1.0";
+        brightness-night = "0.8";
+        location-provider = "manual";
+
+        # by default, Redshift will use the current elevation of the sun
+        # to determine whether it is daytime, night or in transition (dawn/dusk).
+        # dawn-time = "6:00-8:45";
+        # dusk-time = "18:35-20:15";
+      };
+      manual = {
+        # China, Shenzhen
+        lat = "22.5"; # latitude
+        lon = "114.1"; # longitude
+      };
+    };
+  };
+}

home/linux/desktop/gtk.nix

@@ -3,12 +3,16 @@
   config,
   ...
 }: {
+  # If your themes for mouse cursor, icons or windows don’t load correctly,
+  # try setting them with home.pointerCursor and gtk.theme,
+  # which enable a bunch of compatibility options that should make the themes load in all situations.
+
   home.pointerCursor = {
+    gtk.enable = true;
+    x11.enable = true;
     package = pkgs.bibata-cursors;
     name = "Bibata-Modern-Classic";
     size = 24;
-    gtk.enable = true;
-    x11.enable = true;
   };
 
   # set dpi for 4k monitor
@@ -27,8 +31,9 @@
     enable = true;
 
     font = {
-      name = "Roboto";
-      package = pkgs.roboto;
+      name = "Noto Sans";
+      package = pkgs.noto-fonts;
+      size = 11;
     };
 
     gtk2.configLocation = "${config.xdg.configHome}/gtk-2.0/gtkrc";

home/linux/desktop/immutable-file.nix

@@ -18,7 +18,7 @@
 ##############################################################################################
 with lib; let
   cfg = config.home.immutable-file;
-  immutableFileOpts = {...}: {
+  immutableFileOpts = _: {
     options = {
       src = mkOption {
         type = types.path;

home/linux/desktop/media.nix

@@ -1,7 +1,7 @@
 {
   pkgs,
-  catppuccin-cava,
   pkgs-unstable,
+  nur-ryan4yin,
   ...
 }:
 # media - control and enjoy audio/video
@@ -24,9 +24,11 @@
   ];
 
   # https://github.com/catppuccin/cava
-  home.file.".config/cava/config".text = ''
+  xdg.configFile."cava/config".text =
+    ''
       # custom cava config
-  '' + builtins.readFile "${catppuccin-cava}/mocha.cava";
+    ''
+    + builtins.readFile "${nur-ryan4yin.packages.${pkgs.system}.catppuccin-cava}/mocha.cava";
 
   programs = {
     mpv = {
@@ -34,15 +36,6 @@
       defaultProfiles = ["gpu-hq"];
       scripts = [pkgs.mpvScripts.mpris];
     };
-
-    # terminal file manager
-    yazi = {
-      enable = true;
-      package = pkgs-unstable.yazi;
-      enableBashIntegration = true;
-      # TODO: nushellIntegration is broken on release-23.11, wait for master's fix to be released
-      enableNushellIntegration = false;
-    };
   };
 
   services = {

home/linux/desktop/wallpaper.nix

@@ -1,8 +1,6 @@
-{ wallpapers, ... }:
-
-{
+{wallpapers, ...}: {
   # https://github.com/ryan4yin/wallpapers
-  home.file.".config/wallpapers".source = wallpapers;
+  xdg.configFile."wallpapers".source = wallpapers;
   home.file.".local/bin/wallpaper_random" = {
     source = "${wallpapers}/wallpaper_random.py";
     executable = true;

home/linux/desktop/xdg.nix

@@ -62,8 +62,7 @@
         "image/webp" = ["imv.desktop"];
       };
 
-      associations.removed =
-        {
+      associations.removed = {
         # ......
       };
     };

home/linux/fcitx5/default.nix

@@ -1,22 +1,19 @@
 {
   pkgs,
-  config,
-  lib,
-  catppuccin-fcitx5,
+  nur-ryan4yin,
   ...
 }: {
-  home.file.".config/fcitx5/profile".source = ./profile;
+  home.file.".local/share/fcitx5/themes".source = "${nur-ryan4yin.packages.${pkgs.system}.catppuccin-fcitx5}/src";
 
-  # color schema
-  home.file.".local/share/fcitx5/themes".source = "${catppuccin-fcitx5}/src";
-  home.file.".config/fcitx5/conf/classicui.conf".source = ./classicui.conf;
-
-  # every time fcitx5 switch input method, it will modify ~/.config/fcitx5/profile file,
-  # which will override my config managed by home-manager
-  # so we need to remove it before everytime we rebuild the config
-  home.activation.removeExistingFcitx5Profile = lib.hm.dag.entryBefore ["checkLinkTargets"] ''
-    rm -f "${config.xdg.configHome}/fcitx5/profile"
-  '';
+  xdg.configFile = {
+    "fcitx5/profile" = {
+      source = ./profile;
+      # every time fcitx5 switch input method, it will modify ~/.config/fcitx5/profile,
+      # so we need to force replace it in every rebuild to avoid file conflict.
+      force = true;
+    };
+    "fcitx5/conf/classicui.conf".source = ./classicui.conf;
+  };
 
   i18n.inputMethod = {
     enabled = "fcitx5";

home/linux/hyprland/anyrun.nix

@@ -1,6 +1,8 @@
-{ pkgs, anyrun, ... }:
-
 {
+  pkgs,
+  anyrun,
+  ...
+}: {
   imports = [
     anyrun.homeManagerModules.default
   ];
@@ -83,5 +85,4 @@
       }
     '';
   };
-
 }

home/linux/hyprland/default.nix

@@ -1,26 +1,56 @@
-{pkgs, hyprland, catppuccin-hyprland, ...}: {
+{
+  lib,
+  pkgs,
+  hyprland,
+  nur-ryan4yin,
+  ...
+}: {
   imports = [
-    # hyprland.homeManagerModules.default
-
     ./anyrun.nix
     ./wayland-apps.nix
   ];
 
-  # wayland.windowManager.hyprland.enable = true;
+  # NOTE:
+  #   (Required) NixOS Module: enables critical components needed to run Hyprland properly
+  #   (Optional) Home-manager module: lets you declaratively configure Hyprland
+  wayland.windowManager.hyprland = {
+    enable = true;
+    package = hyprland.packages.${pkgs.system}.hyprland;
+    settings = lib.mkForce {};
+    extraConfig = builtins.readFile ./hypr-conf/hyprland.conf;
+    # programs.grammastep need this to be enabled.
+    systemd.enable = true;
+  };
 
   # hyprland configs, based on https://github.com/notwidow/hyprland
-  home.file.".config/hypr" = {
-    source = ./hypr-conf;
-    # copy the scripts directory recursively
+  xdg.configFile = {
+    "hypr/mako" = {
+      source = ./hypr-conf/mako;
+      recursive = true;
+    };
+    "hypr/scripts" = {
+      source = ./hypr-conf/scripts;
+      recursive = true;
+    };
+    "hypr/waybar" = {
+      source = ./hypr-conf/waybar;
+      recursive = true;
+    };
+    "hypr/wlogout" = {
+      source = ./hypr-conf/wlogout;
+      recursive = true;
+    };
+    "hypr/themes" = {
+      source = "${nur-ryan4yin.packages.${pkgs.system}.catppuccin-hyprland}/themes";
       recursive = true;
     };
-  home.file.".config/hypr/themes".source = "${catppuccin-hyprland}/themes";
 
     # music player - mpd
-  home.file.".config/mpd" = {
+    "mpd" = {
       source = ./mpd;
       recursive = true;
     };
+  };
 
   # allow fontconfig to discover fonts and configurations installed through home.packages
   fonts.fontconfig.enable = true;
@@ -38,5 +68,4 @@
     "WLR_NO_HARDWARE_CURSORS" = "1";
     "WLR_EGL_NO_MODIFIRES" = "1";
   };
-
 }

home/linux/hyprland/hypr-conf/hyprland.conf

@@ -218,7 +218,15 @@ exec-once = hyprctl setcursor "Bibata-Modern-Ice" 24
 # 相比较一开始的方案输入法字体大小也正确了．唯一有点问题的可能是 xwayland 窗口下的鼠标指针大小不对
 exec-once = xprop -root -f _XWAYLAND_GLOBAL_OUTPUT_SCALE 32c -set _XWAYLAND_GLOBAL_OUTPUT_SCALE 2
 
-exec-once = xrdb -merge ~/.Xresources
-# env = GDK_SCALE,2
-env = XCURSOR_SIZE,48
-env = XCURSOR_THEME,"Bibata-Modern-Ice"
+-- Fix HiDPI - xwayland
+# change monitor to high resolution, the last argument is the scale factor
+monitor=,highres,auto,2
+
+# unscale XWayland
+xwayland {
+  force_zero_scaling = true
+}
+
+# toolkit-specific scale
+env = GDK_SCALE,2
+env = XCURSOR_SIZE,32

home/linux/hyprland/hypr-conf/waybar/config.jsonc

@@ -5,6 +5,7 @@
   "modules-left": [
     "custom/launcher",
     "temperature",
+    "backlight",
     "wlr/workspaces"
   ],
   "modules-center": [
@@ -13,11 +14,11 @@
   "modules-right": [
     "mpd",
     "pulseaudio",
-    "backlight",
     "memory",
     "cpu",
     "network",
     "clock",
+    "idle_inhibitor",
     "custom/powermenu",
     "tray"
   ],
@@ -50,7 +51,9 @@
   },
   "cpu": {
     "format": "\udb80\udf5b {usage}%",
-    "interval": 1
+    "interval": 1,
+    "on-click-middle": "kitty btop",
+    "on-click-right": "kitty btop"
   },
   "custom/launcher": {
     "format": "\uf313 ",
@@ -122,8 +125,10 @@
       "format-linked": " {ifname} (No IP)",
       "format-disconnected": "睊 Disconnected",
       "format-disabled": "睊 Disabled",
-      "format-alt": " {bandwidthUpBits} |  {bandwidthDownBits}",
+      "format-alt": " {bandwidthUpBytes} |  {bandwidthDownBytes}",
       "tooltip-format": " {ifname} via {gwaddr}",
+      "on-click-middle": "nm-connection-editor",
+      "on-click-right": "kitty nmtui"
   },
   "pulseaudio": {
       //"format": "{volume}% {icon} {format_source}",
@@ -156,6 +161,20 @@
     "format": "\uf2c9 {temperatureC}\u00b0C",
     "tooltip": false
   },
+  "backlight": {
+    "format": "{icon} {percent}%",
+    "format-icons": [
+      "",
+      "",
+      "",
+      "",
+      "",
+      "",
+      "",
+      "",
+      ""
+    ]
+  },
   "tray": {
     "icon-size": 15,
     "spacing": 5

home/linux/hyprland/wayland-apps.nix

@@ -8,9 +8,11 @@
       commandLineArgs = [
         # make it use GTK_IM_MODULE if it runs with Gtk4, so fcitx5 can work with it.
         # (only supported by chromium/chrome at this time, not electron)
-        "--gtk-version=4"
+        "--gtk-version=5"
+        "--enable-features=UseOzonePlatform"
+        "--ozone-platform=wayland"
         # make it use text-input-v1, which works for kwin 5.27 and weston
-        # "--enable-wayland-ime"
+        "--enable-wayland-ime"
 
         # enable hardware acceleration - vulkan api
         # "--enable-features=Vulkan"

home/linux/i3/default.nix

@@ -43,5 +43,4 @@
     "GBM_BACKEND" = "nvidia-drm";
     "__GLX_VENDOR_LIBRARY_NAME" = "nvidia";
   };
-
 }

home/linux/server-riscv64.nix

@@ -5,7 +5,7 @@
   # Home Manager needs a bit of information about you and the
   # paths it should manage.
   home = {
-    username = username;
+    inherit username;
     homeDirectory = "/home/${username}";
 
     # This value determines the Home Manager release that your
@@ -16,7 +16,7 @@
     # You can update Home Manager without changing this value. See
     # the Home Manager release notes for a list of state version
     # changes in each release.
-    stateVersion = "23.05";
+    stateVersion = "23.11";
   };
 
   # Let Home Manager install and manage itself.

home/linux/server.nix

@@ -8,7 +8,7 @@
   # Home Manager needs a bit of information about you and the
   # paths it should manage.
   home = {
-    username = username;
+    inherit username;
     homeDirectory = "/home/${username}";
 
     # This value determines the Home Manager release that your
@@ -19,7 +19,7 @@
     # You can update Home Manager without changing this value. See
     # the Home Manager release notes for a list of state version
     # changes in each release.
-    stateVersion = "22.11";
+    stateVersion = "23.11";
   };
 
   # Let Home Manager install and manage itself.

hosts/12kingdoms/suzu/default.nix

@@ -3,7 +3,7 @@
   username,
   nixos-rk3588,
   ...
-} @ args:
+}:
 #############################################################
 #
 #  Aquamarine - A NixOS VM running on Proxmox
@@ -11,18 +11,8 @@
 #############################################################
 {
   imports = [
-    {
-      nixpkgs.crossSystem = {
-        config = "aarch64-unknown-linux-gnu";
-      };
-    }
-
     # import the rk3588 module, which contains the configuration for bootloader/kernel/firmware
-    (nixos-rk3588 + "/modules/boards/orangepi5.nix")
-
-    # core-riscv64 only the core packages, it's suitable for aarch64 too.
-    ../../../modules/nixos/core-riscv64.nix
-    ../../../modules/nixos/user-group.nix
+    nixos-rk3588.nixosModules.orangepi5
   ];
 
   users.users.root.openssh.authorizedKeys.keys = config.users.users."${username}".openssh.authorizedKeys.keys;
@@ -58,5 +48,5 @@
   # this value at the release version of the first install of this system.
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "23.05"; # Did you read the comment?
+  system.stateVersion = "23.11"; # Did you read the comment?
 }

hosts/README.md

@@ -1,6 +1,8 @@
 # Hosts
 
-1. `harmonica`: My MacBook Pro 2020 13-inch, for work.
+1. macOS
+   1. `fern`: MacBook Pro 2022 13-inch M2 16G, mainly for business.
+   1. `harmonica`: MacBook Pro 2020 13-inch i5 16G, for personal use.
 2. `idols`
    1. `ai`: My main computer, with NixOS + I5-13600KF + RTX 4090 GPU, for gaming & daily use.
    2. `aquamarine`: My NixOS virtual machine with R9-5900HX(8C16T), for distributed building & testing.

hosts/fern/default.nix

@@ -0,0 +1,24 @@
+{username, ...} @ args:
+#############################################################
+#
+#  Fern - MacBook Pro 2022 13-inch M2 16G, mainly for business.
+#
+#############################################################
+let
+  hostname = "fern";
+in {
+  networking.hostName = hostname;
+  networking.computerName = hostname;
+  system.defaults.smb.NetBIOSName = hostname;
+
+  # Define a user account. Don't forget to set a password with ‘passwd’.
+  users.users."${username}" = {
+    home = "/Users/${username}";
+    description = username;
+
+    # set user's default shell back to zsh
+    #    `chsh -s /bin/zsh`
+    # DO NOT change the system's default shell to nushell! it will break some apps!
+    # It's better to change only starship/alacritty/vscode's shell to nushell!
+  };
+}

hosts/harmonica/default.nix

@@ -1,20 +1,12 @@
 {username, ...} @ args:
 #############################################################
 #
-#  Harmonica - my MacBook Pro 2020 13-inch, mainly for business.
+#  Harmonica - MacBook Pro 2020 13-inch i5 16G, mainly for personal use
 #
 #############################################################
 let
   hostname = "harmonica";
 in {
-  imports = [
-    ../../modules/darwin
-
-    ../../secrets/darwin.nix
-  ];
-
-  nixpkgs.overlays = import ../../overlays args;
-
   networking.hostName = hostname;
   networking.computerName = hostname;
   system.defaults.smb.NetBIOSName = hostname;

hosts/idols/ai/README.md

@@ -0,0 +1,75 @@
+# Host - AI
+
+disk status & mountpoints:
+
+```bash
+› df -Th
+Filesystem                Type      Size  Used Avail Use% Mounted on
+devtmpfs                  devtmpfs  1.6G     0  1.6G   0% /dev
+tmpfs                     tmpfs      16G  8.0K   16G   1% /dev/shm
+tmpfs                     tmpfs     7.8G  7.9M  7.8G   1% /run
+tmpfs                     tmpfs      16G  1.1M   16G   1% /run/wrappers
+tmpfs                     tmpfs      16G   87M   16G   1% /
+/dev/mapper/crypted-nixos btrfs     1.9T  630G  1.3T  34% /persistent
+/dev/mapper/crypted-nixos btrfs     1.9T  630G  1.3T  34% /nix
+tmpfs                     tmpfs     4.0M     0  4.0M   0% /sys/fs/cgroup
+efivarfs                  efivarfs  256K  108K  144K  43% /sys/firmware/efi/efivars
+/dev/mapper/crypted-nixos btrfs     1.9T  630G  1.3T  34% /snapshots
+/dev/mapper/crypted-nixos btrfs     1.9T  630G  1.3T  34% /swap
+/dev/nvme0n1p1            vfat      597M  108M  490M  19% /boot
+tmpfs                     tmpfs     3.2G   48K  3.2G   1% /run/user/1000
+//192.168.5.194/Downloads cifs      3.7T  3.0T  699G  82% /home/ryan/SMB-Downloads
+tmpfs                     tmpfs     100K     0  100K   0% /var/lib/lxd/shmounts
+tmpfs                     tmpfs     100K     0  100K   0% /var/lib/lxd/devlxd
+/dev/mapper/crypted-nixos btrfs     1.9T  630G  1.3T  34% /tmp
+
+~ 
+› lsblk
+NAME              MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
+zram0             253:0    0 15.6G  0 disk  [SWAP]
+nvme0n1           259:0    0  1.8T  0 disk  
+├─nvme0n1p1       259:2    0  598M  0 part  /boot
+└─nvme0n1p2       259:3    0  1.8T  0 part  
+  └─crypted-nixos 254:0    0  1.8T  0 crypt /tmp
+                                            /swap/swapfile
+                                            /swap
+                                            /snapshots
+                                            /home/ryan/tmp
+                                            /home/ryan/nix-config
+                                            /home/ryan/go
+                                            /home/ryan/codes
+                                            /home/ryan/Videos
+                                            /home/ryan/Pictures
+                                            /home/ryan/Music
+                                            /home/ryan/Downloads
+                                            /home/ryan/Documents
+                                            /home/ryan/.wakatime
+                                            /home/ryan/.ssh
+                                            /home/ryan/.pki
+                                            /home/ryan/.npm
+                                            /home/ryan/.mozilla
+                                            /home/ryan/.local/state
+                                            /home/ryan/.local/share
+                                            /home/ryan/.kube
+                                            /home/ryan/.gnupg
+                                            /home/ryan/.docker
+                                            /home/ryan/.config/remmina
+                                            /home/ryan/.config/pulse
+                                            /home/ryan/.config/google-chrome
+                                            /home/ryan/.config/github-copilot
+                                            /home/ryan/.config/freerdp
+                                            /home/ryan/.aws
+                                            /etc/ssh
+                                            /etc/secureboot
+                                            /etc/nix/inputs
+                                            /etc/agenix
+                                            /etc/NetworkManager/system-connections
+                                            /etc/machine-id
+                                            /home/ryan/.config/nushell/history.txt
+                                            /home/ryan/.wakatime.cfg
+                                            /nix/store
+                                            /var/log
+                                            /var/lib
+                                            /nix
+                                            /persistent
+```

hosts/idols/ai/cifs-mount.nix

@@ -1,7 +1,5 @@
 {
   config,
-  pkgs,
-
   username,
   ...
 }: {

hosts/idols/ai/default.nix

@@ -1,4 +1,3 @@
-{lanzaboote, ...} @ args:
 #############################################################
 #
 #  Ai - my main computer, with NixOS + I5-13600KF + RTX 4090 GPU, for gaming & daily use.
@@ -12,18 +11,8 @@
 
     ./impermanence.nix
     ./secureboot.nix
-
-    # ../../../modules/nixos/fhs-fonts.nix
-    ../../../modules/nixos/libvirt.nix
-    ../../../modules/nixos/core-desktop.nix
-    ../../../modules/nixos/remote-building.nix
-    ../../../modules/nixos/user-group.nix
-
-    ../../../secrets/nixos.nix
   ];
 
-  nixpkgs.overlays = import ../../../overlays args;
-
   networking = {
     hostName = "ai";
     wireless.enable = false; # Enables wireless support via wpa_supplicant.
@@ -51,7 +40,8 @@
     ];
   };
 
-  virtualisation.docker.storageDriver = "btrfs";
+  # conflict with feature: containerd-snapshotter
+  # virtualisation.docker.storageDriver = "btrfs";
 
   # for Nvidia GPU
   services.xserver.videoDrivers = ["nvidia"]; # will install nvidia-vaapi-driver by default
@@ -59,12 +49,8 @@
     # Optionally, you may need to select the appropriate driver version for your specific GPU.
     # package = config.boot.kernelPackages.nvidiaPackages.stable;
 
-    # Modesetting is needed for most Wayland compositors
+    # required by most wayland compositors!
     modesetting.enable = true;
-    # Use the open source version of the kernel module
-    # Only available on driver 515.43.04+
-    open = false;
-
     powerManagement.enable = true;
   };
   virtualisation.docker.enableNvidia = true; # for nvidia-docker

hosts/idols/ai/hardware-configuration.nix

@@ -18,11 +18,16 @@
   boot.loader.efi.efiSysMountPoint = "/boot";
   boot.loader.systemd-boot.enable = true;
 
+  # boot.kernelPackages = pkgs.linuxPackages_latest;
+  boot.kernelPackages = pkgs.linuxPackages_xanmod_latest;
+
   boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod"];
   boot.initrd.kernelModules = [];
   boot.kernelModules = ["kvm-intel"];
   boot.kernelParams = ["nvidia.NVreg_PreserveVideoMemoryAllocations=1"];
   boot.extraModulePackages = [];
+  # clear /tmp on boot to get a stateless /tmp directory.
+  boot.tmp.cleanOnBoot = true;
 
   # Enable binfmt emulation of aarch64-linux, this is required for cross compilation.
   boot.binfmt.emulatedSystems = ["aarch64-linux" "riscv64-linux"];
@@ -37,7 +42,6 @@
     "cifs" # mount windows share
   ];
 
-
   boot.initrd = {
     # unlocked luks devices via a keyfile or prompt a passphrase.
     luks.devices."crypted-nixos" = {
@@ -70,6 +74,7 @@
     device = "/dev/disk/by-uuid/1167076c-dee1-486c-83c1-4b1af37555cd";
     fsType = "btrfs";
     options = ["subvol=@persistent" "compress-force=zstd:1"];
+    # impermanence's data is required for booting.
     neededForBoot = true;
   };
 
@@ -79,6 +84,12 @@
     options = ["subvol=@snapshots" "compress-force=zstd:1"];
   };
 
+  fileSystems."/tmp" = {
+    device = "/dev/disk/by-uuid/1167076c-dee1-486c-83c1-4b1af37555cd";
+    fsType = "btrfs";
+    options = ["subvol=@tmp" "compress-force=zstd:1"];
+  };
+
   # mount swap subvolume in readonly mode.
   fileSystems."/swap" = {
     device = "/dev/disk/by-uuid/1167076c-dee1-486c-83c1-4b1af37555cd";

hosts/idols/ai/impermanence.nix

@@ -24,7 +24,6 @@
   #
   #  See also https://grahamc.com/blog/erase-your-darlings/
 
-
   # NOTE: impermanence only mounts the directory/file list below to /persistent
   # If the directory/file already exists in the root filesystem, you should
   # move those files/directories to /persistent first!
@@ -43,7 +42,7 @@
       "/var/log"
       "/var/lib"
 
-      # created by modules/nixos/fhs-fonts.nix
+      # created by modules/nixos/misc/fhs-fonts.nix
       # for flatpak apps
       # "/usr/share/fonts"
       # "/usr/share/icons"

hosts/idols/ai/nixos-installer/.gitignore

@@ -0,0 +1,3 @@
+result
+result/
+.DS_Store

hosts/idols/ai/nixos-installer/README.md

@@ -0,0 +1,243 @@
+# Nix Environment for Deploying my NixOS Configuration
+
+This flake prepares a Nix environment for setting my desktop [/hosts/idols/ai](/hosts/idols/ai/)(on main flake) up on a new machine.
+
+TODOs:
+
+- [ ] dcalarative disk partitioning with [disko](https://github.com/nix-community/disko)
+
+## Why an extra flake is needed?
+
+The configuration of the main flake, [/flake.nix](/flake.nix), is heavy, and it takes time to debug & deploy.
+This simplified flake is tiny and can be deployed very quickly, it helps me to:
+
+1. Adjust & verify my `hardware-configuration.nix` modification quickly before deploying the `main` flake.
+2. Test some new filesystem related features on a NixOS virtual machine, such as impermanence, Secure Boot, TMP2, Encryption, etc.
+
+## Steps to Deploying the `main` flake
+
+First, create a USB install medium from NixOS's official ISO image and boot from it.
+
+### 1. Encrypting with LUKS(everything except ESP)
+
+> https://nixos.org/manual/nixos/stable/#sec-installation-manual-partitioning
+
+> [dm-crypt/Encrypting an entire system - Arch Wiki](https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system)
+
+> [Encrypted /boot - GRUB2 - Arch Wiki](https://wiki.archlinux.org/title/GRUB#Encrypted_/boot)
+
+> [Frequently asked questions (FAQ) - cryptsetup](https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions)
+
+Securing a root file system is where dm-crypt excels, feature and performance-wise. 
+An encrypted root file system protects everything on the system, it make the system a black box to the attacker.
+
+1. The EFI system partition(ESP) must be left unencrypted, and is mounted at `/boot`
+    1. Since the UEFI firmware can only load boot loaders from unencrypted partitions.
+2. Secure Boot is enabled, everything in ESP is signed.
+3. The BTRFS file system with subvolumes is used for the root partition, and the swap area is a swapfile on a dedicated BTRFS subvolume, thus the swap area is also encrypted.
+
+And the boot flow is:
+
+1. The UEFI firmware loads the boot loader from the ESP(`/boot`).
+2. The boot loader loads the kernel and initrd from the ESP(`/boot`).
+3. **The initrd prompts for the passphrase to unlock the root partition**.
+4. The initrd unlocks the root partition and mounts it at `/`.
+5. The initrd continues the boot process, and hands over the control to the kernel.
+
+Partitioning the disk:
+
+```bash
+# Create a GPT partition table
+parted /dev/nvme0n1 -- mklabel gpt
+
+# NixOS by default uses the ESP (EFI system partition) as its /boot partition
+# Create a 512MB EFI system partition
+parted /dev/nvme0n1 -- mkpart ESP fat32 2MB 629MB
+
+# set the boot flag on the ESP partition
+# Format:
+#    set partition flag state
+parted /dev/nvme0n1 -- set 1 esp on
+
+# Create the root partition using the rest of the disk
+# Format: 
+#   mkpart [part-type name fs-type] start end
+parted /dev/nvme0n1 -- mkpart primary 630MB 100% 
+
+# show disk status
+lsblk
+```
+
+Encrypting the root partition:
+
+```bash
+lsblk
+# show cryptsetup's compiled in defualts
+cryptsetup --help
+
+# encrypt the root partition with luks2 and argon2id, will prompt for a passphrase, which will be used to unlock the partition.
+cryptsetup luksFormat --type luks2 --pbkdf argon2id --cipher aes-xts-plain64 --key-size 512 --hash sha512 /dev/nvme0n1p2
+
+# show status
+cryptsetup luksDump /dev/nvme0n1p2
+
+# open(unlock) the device with the passphrase you just set
+cryptsetup luksOpen /dev/nvme0n1p2 crypted-nixos
+
+# show disk status
+lsblk
+```
+
+Formatting the root partition:
+
+```bash
+mkfs.fat -F 32 -n ESP /dev/nvme0n1p1
+# format the root partition with btrfs and label it
+mkfs.btrfs -L crypted-nixos /dev/mapper/crypted-nixos 
+
+# mount the root partition and create subvolumes
+mount /dev/mapper/crypted-nixos /mnt
+btrfs subvolume create /mnt/@nix
+btrfs subvolume create /mnt/@tmp
+btrfs subvolume create /mnt/@swap
+btrfs subvolume create /mnt/@persistent
+btrfs subvolume create /mnt/@snapshots
+umount /mnt
+
+# Use tmpfs for root - stateless
+mount -t tmpfs tmpfs /mnt
+
+# Remount the root partition with the subvolumes you just created
+# 
+# Enable zstd compression to:
+#   1. Reduce the read/write operations, which helps to:
+#     1. Extend the life of the SSD.
+#     2. improve the performance of disks with low IOPS / RW throughput, such as HDD and SATA SSD.
+#   2. Save the disk space.
+mkdir /mnt/{nix,tmp,swap,persistent,snapshots,boot}
+mount -o compress-force=zstd:1,noatime,subvol=@nix /dev/mapper/crypted-nixos /mnt/nix
+mount -o compress-force=zstd:1,subvol=@tmp /dev/mapper/crypted-nixos /mnt/tmp
+mount -o subvol=@swap /dev/mapper/crypted-nixos /mnt/swap
+mount -o compress-force=zstd:1,noatime,subvol=@persistent /dev/mapper/crypted-nixos /mnt/persistent
+mount -o compress-force=zstd:1,noatime,subvol=@snapshots /dev/mapper/crypted-nixos /mnt/snapshots
+mount /dev/nvme0n1p1 /mnt/boot
+
+# create a swapfile on btrfs file system
+# This command will disable CoW / compression on the swap subvolume and then create a swapfile.
+# because the linux kernel requires that swapfile must not be compressed or have copy-on-write(CoW) enabled.
+btrfs filesystem mkswapfile --size 96g --uuid clear /mnt/swap/swapfile
+
+# check whether the swap subvolume has CoW disabled
+# the output of `lsattr` for the swap subvolume should be:
+#    ---------------C------ /swap/swapfile
+# if not, delete the swapfile, and rerun the commands above.
+lsattr /mnt/swap
+
+# mount the swapfile as swap area
+swapon swapfile
+```
+
+Now, the disk status should be:
+
+```bash
+# show disk status
+$ lsblk
+nvme0n1           259:0    0   1.8T  0 disk  
+├─nvme0n1p1       259:2    0   600M  0 part  /mnt/boot
+└─nvme0n1p2       259:3    0   1.8T  0 part  
+  └─crypted-nixos 254:0    0   1.8T  0 crypt /mnt/swap
+                                             /mnt/persistent
+                                             /mnt/snapshots
+                                             /mnt/nix
+                                             /mnt/tmp
+
+# show swap status
+$ swapon -s
+Filename				Type		Size		Used		Priority
+/swap/swapfile                          file		100663292	0		-2
+```
+
+### 2. Generating the NixOS Configuration and Installing NixOS
+
+Clone this repository:
+
+```bash
+# enter an shell with git/vim/ssh-agent/gnumake available
+nix-shell -p git vim gnumake
+
+# clone this repository
+git clone https://github.com/ryan4yin/nix-config.git
+```
+
+Then, generate the NixOS configuration:
+
+```bash
+# nixos configurations
+nixos-generate-config --root /mnt
+
+# we need to update our filesystem configs in old hardware-configuration.nix according to the generated one.
+cp /etc/nixos/hardware-configuration.nix ./nix-config/hosts/idols/ai/hardware-configuration-new.nix
+vim .
+```
+
+Then, Install NixOS:
+
+```bash
+cd ~/nix-config
+
+# run this command if you're retrying to run nixos-install
+rm -rf /mnt/etc
+
+# install nixos
+# NOTE: the root password you set here will be discarded when reboot
+nixos-install --root /mnt --flake .#ai --no-root-password
+
+# if you want to use a cache mirror, run this command instead
+# replace the mirror url with your own
+nixos-install --root /mnt --flake .#ai --no-root-password --option substituters "https://mirror.sjtu.edu.cn/nix-channels/store"
+
+# enter into the installed system, check password & users
+nixos-enter
+
+# copy the essential files into /persistent
+# otherwise the / will be cleared and data will lost
+## NOTE: impermanence just create links from / to /persistent
+##       We need to copy files into /persistent manually!!!
+mv /etc/machine-id /persistent/etc/
+mv /etc/ssh /persistent/etc/
+
+
+# delte the generated configuration after editing
+rm -f /mnt/etc/nixos
+rm ~/nix-config/hosts/idols/ai/hardware-configuration-new.nix
+
+# commit the changes after installing nixos successfully
+git config --global user.email "ryan4yin@linux.com"
+git config --global user.name "Ryan Yin"
+git commit -am "feat: update hardware-configuration"
+
+# copy our configuration to the installed file system
+cp -r ../nix-config /mnt/etc/nixos
+```
+
+And then reboot.
+
+
+## Deploying the main flake's NixOS configuration
+
+After rebooting, we can deploy the main flake's NixOS configuration by running:
+
+```bash
+# 1. Add the ssh key to the ssh-agent, so that nixos-rebuild can use it to pull my private git repositories.
+ssh-add ~/.ssh/xxx
+
+sudo mv /etc/nixos ~/nix-config
+chown -R ryan:ryan ~/nix-config
+
+cd ~/nix-config
+
+# deploy the configuration
+make hypr
+```
+
+Finally, to enable secure boot, follow the instructions in [lanzaboote - Quick Start](https://github.com/nix-community/lanzaboote/blob/master/docs/QUICK_START.md) and [nix-config/ai/secure-boot.nix](https://github.com/ryan4yin/nix-config/blob/main/hosts/idols/ai/secureboot.nix)

hosts/idols/ai/nixos-installer/configuration.nix

@@ -0,0 +1,8 @@
+_: {
+  networking = {
+    hostName = "ai";
+    defaultGateway = "192.168.5.201";
+    networkmanager.enable = true;
+  };
+  system.stateVersion = "23.11";
+}

hosts/idols/ai/nixos-installer/flake.lock

@@ -0,0 +1,43 @@
+{
+  "nodes": {
+    "impermanence": {
+      "locked": {
+        "lastModified": 1697303681,
+        "narHash": "sha256-caJ0rXeagaih+xTgRduYtYKL1rZ9ylh06CIrt1w5B4g=",
+        "owner": "nix-community",
+        "repo": "impermanence",
+        "rev": "0f317c2e9e56550ce12323eb39302d251618f5b5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "impermanence",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1701389149,
+        "narHash": "sha256-rU1suTIEd5DGCaAXKW6yHoCfR1mnYjOXQFOaH7M23js=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "5de0b32be6e85dc1a9404c75131316e4ffbc634c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-23.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "impermanence": "impermanence",
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

hosts/idols/ai/nixos-installer/flake.nix

@@ -0,0 +1,24 @@
+{
+  description = "NixOS configuration of Ryan Yin";
+
+  inputs = {
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
+    impermanence.url = "github:nix-community/impermanence";
+  };
+
+  outputs = inputs @ {nixpkgs, ...}: {
+    nixosConfigurations = {
+      ai = nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
+        specialArgs = inputs;
+        modules = [
+          ./configuration.nix
+          ./system.nix
+
+          ../hardware-configuration.nix
+          ../impermanence.nix
+        ];
+      };
+    };
+  };
+}

hosts/idols/ai/nixos-installer/system.nix

@@ -0,0 +1,57 @@
+{pkgs, ...}: {
+  # Set your time zone.
+  time.timeZone = "Asia/Shanghai";
+
+  # Select internationalisation properties.
+  i18n.defaultLocale = "en_US.UTF-8";
+
+  i18n.extraLocaleSettings = {
+    LC_ADDRESS = "zh_CN.UTF-8";
+    LC_IDENTIFICATION = "zh_CN.UTF-8";
+    LC_MEASUREMENT = "zh_CN.UTF-8";
+    LC_MONETARY = "zh_CN.UTF-8";
+    LC_NAME = "zh_CN.UTF-8";
+    LC_NUMERIC = "zh_CN.UTF-8";
+    LC_PAPER = "zh_CN.UTF-8";
+    LC_TELEPHONE = "zh_CN.UTF-8";
+    LC_TIME = "zh_CN.UTF-8";
+  };
+
+  # ssh-agent is used to pull my private secrets repo from github when depoloying my nixos config.
+  programs.ssh.startAgent = true;
+
+  # List packages installed in system profile. To search, run:
+  # $ nix search wget
+  environment.systemPackages = with pkgs; [
+    neovim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
+    git
+    gnumake
+    wget
+    curl
+    nix-output-monitor
+  ];
+
+  users.groups = {
+    "ryan" = {};
+  };
+
+  # Don't allow mutation of users outside the config.
+  users = {
+    mutableUsers = false;
+    # Define a user account. Don't forget to set a password with ‘passwd’.
+    users = {
+      ryan = {
+        # generated by `mkpasswd -m scrypt`
+        # we have to use initialHashedPassword here, if your'are using tmpfs for /
+        initialHashedPassword = "$7$CU..../....Sdl/JRH..9eIvZ6mE/52r.$xeR6lyvTcVVKt28Owcoc/vPOOECcYSiq1xjw/QCz2t0";
+        isNormalUser = true;
+        description = "ryan";
+        extraGroups = ["ryan" "networkmanager" "wheel"];
+      };
+      root.initialHashedPassword = "$7$CU..../....X6uvZYnFD.i1CqqFFNl4./$4vgqzIPyw5XBr0aCDFbY/UIRRJr7h5SMGoQ/ZvX3FP2";
+    };
+  };
+
+  # make ryan a trusted user so he can set custom nix substituters url(cache mirror) to speed up nixos-rebuild.
+  nix.settings.trusted-users = ["ryan"];
+}

hosts/idols/aquamarine/default.nix

@@ -1,19 +1,9 @@
-{...} @ args:
 #############################################################
 #
 #  Aquamarine - A NixOS VM running on Proxmox
 #
 #############################################################
 {
-  imports = [
-    ../../../modules/nixos/proxmox-hardware-configuration.nix
-
-    ../../../modules/nixos/core-server.nix
-    ../../../modules/nixos/user-group.nix
-  ];
-
-  nixpkgs.overlays = import ../../../overlays args;
-
   # Enable binfmt emulation of aarch64-linux, this is required for cross compilation.
   boot.binfmt.emulatedSystems = ["aarch64-linux" "riscv64-linux"];
   # supported fil systems, so we can mount any removable disks with these filesystems
@@ -60,5 +50,5 @@
   # this value at the release version of the first install of this system.
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "22.11"; # Did you read the comment?
+  system.stateVersion = "23.11"; # Did you read the comment?
 }

hosts/idols/kana/default.nix

@@ -1,19 +1,9 @@
-{...} @ args:
 #############################################################
 #
 #  Kana - a NixOS VM running on Proxmox
 #
 #############################################################
 {
-  imports = [
-    ../../../modules/nixos/proxmox-hardware-configuration.nix
-
-    ../../../modules/nixos/core-server.nix
-    ../../../modules/nixos/user-group.nix
-  ];
-
-  nixpkgs.overlays = import ../../../overlays args;
-
   # Enable binfmt emulation of aarch64-linux, this is required for cross compilation.
   boot.binfmt.emulatedSystems = ["aarch64-linux" "riscv64-linux"];
   # supported fil systems, so we can mount any removable disks with these filesystems
@@ -60,5 +50,5 @@
   # this value at the release version of the first install of this system.
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "23.05"; # Did you read the comment?
+  system.stateVersion = "23.11"; # Did you read the comment?
 }

hosts/idols/ruby/default.nix

@@ -1,19 +1,9 @@
-{...} @ args:
 #############################################################
 #
 #  Ruby - a NixOS VM running on Proxmox
 #
 #############################################################
 {
-  imports = [
-    ../../../modules/nixos/proxmox-hardware-configuration.nix
-
-    ../../../modules/nixos/core-server.nix
-    ../../../modules/nixos/user-group.nix
-  ];
-
-  nixpkgs.overlays = import ../../../overlays args;
-
   # Enable binfmt emulation of aarch64-linux, this is required for cross compilation.
   boot.binfmt.emulatedSystems = ["aarch64-linux" "riscv64-linux"];
   # supported fil systems, so we can mount any removable disks with these filesystems
@@ -60,5 +50,5 @@
   # this value at the release version of the first install of this system.
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "23.05"; # Did you read the comment?
+  system.stateVersion = "23.11"; # Did you read the comment?
 }

hosts/rolling_girls/chiaya/default.nix

@@ -1,9 +1,7 @@
 {
-  config,
-  username,
   # nixos-jh7110,
   ...
-} @ args:
+}:
 #############################################################
 #
 #  Chiaya - NixOS Configuration for Milk-V Mars
@@ -13,21 +11,8 @@
 #############################################################
 {
   imports = [
-    {
-      # cross-compilation this flake.
-      nixpkgs.crossSystem = {
-        system = "riscv64-linux";
-      };
-    }
-
-    # TODO
-
-    ../../../modules/nixos/core-riscv64.nix
-    ../../../modules/nixos/user-group.nix
   ];
 
-  users.users.root.openssh.authorizedKeys.keys = config.users.users."${username}".openssh.authorizedKeys.keys;
-
   # Set static IP address / gateway / DNS servers.
   networking = {
     hostName = "chiaya"; # Define your hostname.

hosts/rolling_girls/nozomi/default.nix

@@ -1,9 +1,4 @@
-{
-  config,
-  username,
-  nixos-licheepi4a,
-  ...
-} @ args:
+{nixos-licheepi4a, ...}:
 #############################################################
 #
 #  Nozomi - NixOS configuration for Lichee Pi 4A
@@ -11,24 +6,12 @@
 #############################################################
 {
   imports = [
-    {
-      # cross-compilation this flake.
-      nixpkgs.crossSystem = {
-        system = "riscv64-linux";
-      };
-    }
-
     # import the licheepi4a module, which contains the configuration for bootloader/kernel/firmware
     (nixos-licheepi4a + "/modules/licheepi4a.nix")
     # import the sd-image module, which contains the fileSystems & kernel parameters for booting from sd card.
     (nixos-licheepi4a + "/modules/sd-image/sd-image-lp4a.nix")
-
-    ../../../modules/nixos/core-riscv64.nix
-    ../../../modules/nixos/user-group.nix
   ];
 
-  users.users.root.openssh.authorizedKeys.keys = config.users.users."${username}".openssh.authorizedKeys.keys;
-
   # Set static IP address / gateway / DNS servers.
   networking = {
     hostName = "nozomi"; # Define your hostname.

hosts/rolling_girls/yukina/default.nix

@@ -1,9 +1,4 @@
-{
-  config,
-  username,
-  nixos-licheepi4a,
-  ...
-} @ args:
+{nixos-licheepi4a, ...}:
 #############################################################
 #
 #  Yukina - NixOS configuration for Lichee Pi 4A
@@ -11,24 +6,12 @@
 #############################################################
 {
   imports = [
-    {
-      # cross-compilation this flake.
-      nixpkgs.crossSystem = {
-        system = "riscv64-linux";
-      };
-    }
-
     # import the licheepi4a module, which contains the configuration for bootloader/kernel/firmware
     (nixos-licheepi4a + "/modules/licheepi4a.nix")
     # import the sd-image module, which contains the fileSystems & kernel parameters for booting from sd card.
     (nixos-licheepi4a + "/modules/sd-image/sd-image-lp4a.nix")
-
-    ../../../modules/nixos/core-riscv64.nix
-    ../../../modules/nixos/user-group.nix
   ];
 
-  users.users.root.openssh.authorizedKeys.keys = config.users.users."${username}".openssh.authorizedKeys.keys;
-
   # Set static IP address / gateway / DNS servers.
   networking = {
     hostName = "yukina"; # Define your hostname.

lib/attrs.nix

@@ -0,0 +1,46 @@
+{ lib, ... }:
+
+rec {
+  # Generate an attribute set from a list.
+  #
+  #   lib.genAttrs [ "foo" "bar" ] (name: "x_" + name)
+  #     => { foo = "x_foo"; bar = "x_bar"; }
+  listToAttrs = lib.genAttrs;
+
+  # Update only the values of the given attribute set.
+  # 
+  #   mapAttrs
+  #   (name: value: ("bar-" + value))
+  #   { x = "a"; y = "b"; }
+  #     => { foo = "bar-a"; foo = "bar-b"; }
+  mapAttrs = lib.attrsets.mapAttrs;
+
+  # Update both the names and values of the given attribute set.
+  # 
+  #   mapAttrs'
+  #   (name: value: nameValuePair ("foo_" + name) ("bar-" + value))
+  #   { x = "a"; y = "b"; }
+  #     => { foo_x = "bar-a"; foo_y = "bar-b"; }
+  mapAttrs' = lib.attrsets.mapAttrs';
+
+  # Merge a list of attribute sets into one. smilar to the operator `a // b`, but for a list of attribute sets.
+  #
+  #   mergeAttrsList
+  #   [ { x = "a"; y = "b"; } { x = "c"; z = "d"; } { g = "e"; } ]
+  #   => { x = "c"; y = "b"; z = "d"; g = "e"; }
+  mergeAttrsList = lib.attrsets.mergeAttrsList;
+
+  # Generate a string from an attribute set.
+  # 
+  #   attrsets.foldlAttrs
+  #   (acc: name: value: acc + "\nexport ${name}=${value}")
+  #   "# A shell script"
+  #   { x = "a"; y = "b"; }
+  #     =>
+  #     ```
+  #     # A shell script
+  #     export x=a
+  #     export y=b
+  #    ````
+  foldlAttrs = lib.attrsets.foldlAttrs;
+}

lib/colmenaSystem.nix

@@ -8,12 +8,12 @@
   host_tags,
   targetUser ? specialArgs.username,
 }: let
-  username = specialArgs.username;
+  inherit (specialArgs) username;
 in
-  { name, nodes, ... }: {
+  {name, ...}: {
     deployment = {
+      inherit targetUser;
       targetHost = name; # hostName or IP address
-      targetUser = targetUser;
       tags = host_tags;
     };
 
@@ -23,11 +23,14 @@ in
         {
           # make `nix run nixpkgs#nixpkgs` use the same nixpkgs as the one used by this flake.
           nix.registry.nixpkgs.flake = nixpkgs;
-          # make `nix repl '<nixpkgs>'` use the same nixpkgs as the one used by this flake.
-          environment.etc."nix/inputs/nixpkgs".source = "${nixpkgs}";
-          nix.nixPath = ["/etc/nix/inputs"];
+          nix.channel.enable = false; # disable nix-channel, we use flakes instead.
+
+          nixpkgs.overlays = import ../overlays specialArgs;
         }
-      ] ++ (if (home-module != null) then [
+      ]
+      ++ (
+        if (home-module != null)
+        then [
           home-manager.nixosModules.home-manager
           {
             home-manager.useGlobalPkgs = true;
@@ -36,5 +39,7 @@ in
             home-manager.extraSpecialArgs = specialArgs;
             home-manager.users."${username}" = home-module;
           }
-      ] else []);
+        ]
+        else []
+      );
   }

lib/macosSystem.nix

@@ -7,21 +7,25 @@
   darwin-modules,
   home-module,
 }: let
-  username = specialArgs.username;
+  inherit (specialArgs) username;
 in
   nix-darwin.lib.darwinSystem {
     inherit system specialArgs;
     modules =
       darwin-modules
       ++ [
-        {
+        ({lib, ...}: {
+          nixpkgs.pkgs = import nixpkgs {inherit system;};
           # make `nix run nixpkgs#nixpkgs` use the same nixpkgs as the one used by this flake.
           nix.registry.nixpkgs.flake = nixpkgs;
 
-          # make `nix repl '<nixpkgs>'` use the same nixpkgs as the one used by this flake.
           environment.etc."nix/inputs/nixpkgs".source = "${nixpkgs}";
-          nix.nixPath = ["/etc/nix/inputs"];
-        }
+          # make `nix repl '<nixpkgs>'` use the same nixpkgs as the one used by this flake.
+          # discard all the default paths, and only use the one from this flake.
+          nix.nixPath = lib.mkForce ["/etc/nix/inputs"];
+
+          nixpkgs.overlays = import ../overlays specialArgs;
+        })
 
         home-manager.darwinModules.home-manager
         {

lib/nixosSystem.nix

@@ -7,7 +7,7 @@
   nixos-modules,
   home-module,
 }: let
-  username = specialArgs.username;
+  inherit (specialArgs) username;
 in
   nixpkgs.lib.nixosSystem {
     inherit system specialArgs;
@@ -17,10 +17,9 @@ in
         {
           # make `nix run nixpkgs#nixpkgs` use the same nixpkgs as the one used by this flake.
           nix.registry.nixpkgs.flake = nixpkgs;
+          nix.channel.enable = false; # disable nix-channel, we use flakes instead.
 
-          # make `nix repl '<nixpkgs>'` use the same nixpkgs as the one used by this flake.
-          environment.etc."nix/inputs/nixpkgs".source = "${nixpkgs}";
-          nix.nixPath = ["/etc/nix/inputs"];
+          nixpkgs.overlays = import ../overlays specialArgs;
         }
 
         nixos-generators.nixosModules.all-formats

modules/base.nix

@@ -1,4 +1,5 @@
 {
+  config,
   lib,
   username,
   ...
@@ -12,6 +13,7 @@
     #    2. command line args `--options substituers http://xxx`
     trusted-users = [username];
 
+    # substituers that will be considered before the official ones(https://cache.nixos.org)
     substituters = [
       # cache mirror located in China
       # status: https://mirror.sjtu.edu.cn/
@@ -19,22 +21,18 @@
       # status: https://mirrors.ustc.edu.cn/status/
       # "https://mirrors.ustc.edu.cn/nix-channels/store"
 
-      "https://cache.nixos.org"
+      "https://nix-community.cachix.org"
+      # my own cache server
+      "https://ryan4yin.cachix.org"
     ];
 
     trusted-public-keys = [
-      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+      "ryan4yin.cachix.org-1:Gbk27ZU5AYpGS9i3ssoLlwdvMIh0NxG0w8it/cv9kbU="
     ];
     builders-use-substitutes = true;
   };
 
-  # do garbage collection weekly to keep disk usage low
-  nix.gc = {
-    automatic = lib.mkDefault true;
-    dates = lib.mkDefault "weekly";
-    options = lib.mkDefault "--delete-older-than 7d";
-  };
-
   # Allow unfree packages
   nixpkgs.config.allowUnfree = lib.mkDefault false;
 }

modules/darwin/apps.nix

@@ -1,4 +1,9 @@
-{pkgs, config, ...}: {
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 ##########################################################################
 #
 #  Install all apps and packages here.
@@ -9,7 +14,28 @@
 # TODO Fell free to modify this file to fit your needs.
 #
 ##########################################################################
+let
+  # Homebrew Mirror
+  # NOTE: is only useful when you run `brew install` manually! (not via nix-darwin)
+  homebrew_mirror_env = {
+    HOMEBREW_API_DOMAIN = "https://mirrors.tuna.tsinghua.edu.cn/homebrew-bottles/api";
+    HOMEBREW_BOTTLE_DOMAIN = "https://mirrors.tuna.tsinghua.edu.cn/homebrew-bottles";
+    HOMEBREW_BREW_GIT_REMOTE = "https://mirrors.tuna.tsinghua.edu.cn/git/homebrew/brew.git";
+    HOMEBREW_CORE_GIT_REMOTE = "https://mirrors.tuna.tsinghua.edu.cn/git/homebrew/homebrew-core.git";
+    HOMEBREW_PIP_INDEX_URL = "https://pypi.tuna.tsinghua.edu.cn/simple";
+  };
 
+  local_proxy_env = {
+    # HTTP_PROXY = "http://127.0.0.1:7890";
+    # HTTPS_PROXY = "http://127.0.0.1:7890";
+  };
+
+  homebrew_env_script =
+    lib.attrsets.foldlAttrs
+    (acc: name: value: acc + "\nexport ${name}=${value}")
+    ""
+    (homebrew_mirror_env // local_proxy_env);
+in {
   # Install packages from nix's official package repository.
   #
   # The packages installed here are available to all users, and are reproducible across machines, and are rollbackable.
@@ -23,12 +49,21 @@
     gnugrep # replacee macos's grep
     gnutar # replacee macos's tar
   ];
-  environment.variables = {
+  environment.variables =
+    {
       # Fix https://github.com/LnL7/nix-darwin/wiki/Terminfo-issues
       TERMINFO_DIRS = map (path: path + "/share/terminfo") config.environment.profiles ++ ["/usr/share/terminfo"];
 
       EDITOR = "nvim";
-  };
+    }
+    # Set variables for you to manually install homebrew packages.
+    // homebrew_mirror_env;
+
+  # Set environment variables for nix-darwin before run `brew bundle`.
+  system.activationScripts.homebrew.text = lib.mkBefore ''
+    echo >&2 '${homebrew_env_script}'
+    ${homebrew_env_script}
+  '';
 
   # Create /etc/zshrc that loads the nix-darwin environment.
   # this is required if you want to use darwin's default shell - zsh
@@ -38,19 +73,10 @@
     pkgs.nushell # my custom shell
   ];
 
-  # Homebrew Mirror
-  # NOTE: is only useful when you run `brew install` manually! (not via nix-darwin)
-  environment.variables = {
-    HOMEBREW_API_DOMAIN = "https://mirrors.tuna.tsinghua.edu.cn/homebrew-bottles/api";
-    HOMEBREW_BOTTLE_DOMAIN = "https://mirrors.tuna.tsinghua.edu.cn/homebrew-bottles";
-    HOMEBREW_BREW_GIT_REMOTE = "https://mirrors.tuna.tsinghua.edu.cn/git/homebrew/brew.git";
-    HOMEBREW_CORE_GIT_REMOTE = "https://mirrors.tuna.tsinghua.edu.cn/git/homebrew/homebrew-core.git";
-    HOMEBREW_PIP_INDEX_URL = "https://pypi.tuna.tsinghua.edu.cn/simple";
-  };
-
   # homebrew need to be installed manually, see https://brew.sh
+  # https://github.com/LnL7/nix-darwin/blob/master/modules/homebrew.nix
   homebrew = {
-    enable = false;
+    enable = true;
 
     onActivation = {
       autoUpdate = false;
@@ -79,7 +105,6 @@
       "homebrew/cask-versions"
 
       "hashicorp/tap"
-      "pulumi/tap"
     ];
 
     brews = [
@@ -89,7 +114,6 @@
       "aria2" # download tool
       "httpie" # http client
       "wireguard-tools" # wireguard
-      "mitmproxy"
 
       # Usage:
       #  https://github.com/tailscale/tailscale/wiki/Tailscaled-on-macOS#run-the-tailscaled-daemon
@@ -129,17 +153,17 @@
       "microsoft-remote-desktop"
 
       # "anki"
-      "clashx" # proxy tool
+      "shadowsocksx-ng" # proxy tool
       "iina" # video player
-      "openinterminal-lite" # open current folder in terminal
       "syncthing" # file sync
       "raycast" # (HotKey: alt/option + space)search, caculate and run scripts(with many plugins)
-      "iglance" # beautiful system monitor
+      "stats" # beautiful system status monitor in menu bar
       "eudic" # 欧路词典
       # "reaper"  # audio editor
       "sonic-pi" # music programming
 
       # Development
+      "mitmproxy" # HTTP/HTTPS traffic inspector
       "insomnia" # REST client
       "wireshark" # network analyzer
       "jdk-mission-control" # Java Mission Control

modules/darwin/default.nix

@@ -1,6 +1,6 @@
 {
   imports = [
-    ../common.nix
+    ../base.nix
     ./nix-core.nix
 
     ./apps.nix

modules/darwin/nix-core.nix

@@ -1,8 +1,4 @@
-{
-  pkgs,
-  lib,
-  ...
-}: {
+{pkgs, ...}: {
   ###################################################################################
   #
   #  Core configuration for nix-darwin
@@ -12,23 +8,36 @@
   #
   ###################################################################################
 
+  # Fix: https://github.com/LnL7/nix-darwin/issues/149#issuecomment-1741720259
+  # nix is installed via DeterminateSystems's nix-installer.
+  environment.etc."zshrc".knownSha256Hashes = [
+    "b9902f2020c636aeda956a74b5ae11882d53e206d1aa50b3abe591a8144fa710"  # nix-installer on harmonica
+  ];
+  environment.etc."bashrc".knownSha256Hashes = [
+    "53ab77cddb5c9aa2954efe42e9af0b8a2829f94dd31b6c33f8082ed194dcc0cb"    # nix-installer on harmonica
+    "6ffdf5a198ffe73fbcd17def767f52093b42b29149d4a3e911b49ebcb9785101"    # nix-installer on fern
+   ];
+  environment.etc."zshenv".knownSha256Hashes = [
+    "bb96fe80a72ea9cd3291f09e4dc13a64e7db3b401f5889e43edc1fe34ed02d2c"    # nix-installer on harmonica
+    "0c544e42afe7836de9ba933d93f46043b12f58ae484ff8cfb02716353f1dba5f"    # nix-installer on fern
+  ];
+
+
+  environment.etc."shells".knownSha256Hashes = [
+    "9d5aa72f807091b481820d12e693093293ba33c73854909ad7b0fb192c2db193"     # nix-installer on fern
+  ];
+
   # Allow unfree packages
   nixpkgs.config.allowUnfree = true;
 
   # Auto upgrade nix package and the daemon service.
   services.nix-daemon.enable = true;
-  # Use this instead of services.nix-daemon.enable if you
-  # don't wan't the daemon service to be managed for you.
-  # nix.useDaemon = true;
-
   nix.package = pkgs.nix;
 
-  programs.nix-index.enable = true;
-
   # Disable auto-optimise-store because of this issue:
   #   https://github.com/NixOS/nix/issues/7273
   # "error: cannot link '/nix/store/.tmp-link-xxxxx-xxxxx' to '/nix/store/.links/xxxx': File exists"
-  nix.settings = {
-    auto-optimise-store = false;
-  };
+  nix.settings.auto-optimise-store = false;
+
+  nix.gc.automatic = false;
 }

modules/darwin/system.nix

@@ -59,7 +59,10 @@
         # `defaults read NSGlobalDomain "xxx"`
         "com.apple.swipescrolldirection" = true; # enable natural scrolling(default to true)
         "com.apple.sound.beep.feedback" = 0; # disable beep sound when pressing volume up/down key
+
+        # Appearance
         AppleInterfaceStyle = "Dark"; # dark mode
+
         AppleKeyboardUIMode = 3; # Mode 3 enables full keyboard control.
         ApplePressAndHoldEnabled = true; # enable press and hold
 
@@ -129,6 +132,9 @@
     # keyboard settings is not very useful on macOS
     # the most important thing is to remap option key to alt key globally,
     # but it's not supported by macOS yet.
+    #
+    # To avoid conflicts with neovim, disable ctrl + up/down/left/right to switch spaces in:
+    #   [System Preferences] -> [Keyboard] -> [Keyboard Shortcuts] -> [Mission Control]
     keyboard = {
       enableKeyMapping = true; # enable key mapping so that we can use `option` as `control`
 

modules/nixos/base/i18n.nix

@@ -0,0 +1,19 @@
+{
+  # Set your time zone.
+  time.timeZone = "Asia/Shanghai";
+
+  # Select internationalisation properties.
+  i18n.defaultLocale = "en_US.UTF-8";
+
+  i18n.extraLocaleSettings = {
+    LC_ADDRESS = "zh_CN.UTF-8";
+    LC_IDENTIFICATION = "zh_CN.UTF-8";
+    LC_MEASUREMENT = "zh_CN.UTF-8";
+    LC_MONETARY = "zh_CN.UTF-8";
+    LC_NAME = "zh_CN.UTF-8";
+    LC_NUMERIC = "zh_CN.UTF-8";
+    LC_PAPER = "zh_CN.UTF-8";
+    LC_TELEPHONE = "zh_CN.UTF-8";
+    LC_TIME = "zh_CN.UTF-8";
+  };
+}

modules/nixos/base/misc.nix

@@ -2,57 +2,50 @@
   lib,
   pkgs,
   ...
-}: {
+}:
+{
   ###################################################################################
   #
   #  NixOS's core configuration suitable for all my machines
   #
   ###################################################################################
 
-  imports = [
-    ../common.nix
-  ];
+  # to install chrome, you need to enable unfree packages
+  nixpkgs.config.allowUnfree = true;
 
   # for nix server, we do not need to keep too much generations
   boot.loader.systemd-boot.configurationLimit = lib.mkDefault 10;
 
+  # do garbage collection weekly to keep disk usage low
+  nix.gc = {
+    automatic = lib.mkDefault true;
+    dates = lib.mkDefault "weekly";
+    options = lib.mkDefault "--delete-older-than 7d";
+  };
+
   # Manual optimise storage: nix-store --optimise
   # https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-auto-optimise-store
   nix.settings.auto-optimise-store = true;
 
-  # Set your time zone.
-  time.timeZone = "Asia/Shanghai";
-
-  # Select internationalisation properties.
-  i18n.defaultLocale = "en_US.UTF-8";
-
-  i18n.extraLocaleSettings = {
-    LC_ADDRESS = "zh_CN.UTF-8";
-    LC_IDENTIFICATION = "zh_CN.UTF-8";
-    LC_MEASUREMENT = "zh_CN.UTF-8";
-    LC_MONETARY = "zh_CN.UTF-8";
-    LC_NAME = "zh_CN.UTF-8";
-    LC_NUMERIC = "zh_CN.UTF-8";
-    LC_PAPER = "zh_CN.UTF-8";
-    LC_TELEPHONE = "zh_CN.UTF-8";
-    LC_TIME = "zh_CN.UTF-8";
-  };
-
-  # networking.firewall.allowedTCPPorts = [ ... ];
-  # networking.firewall.allowedUDPPorts = [ ... ];
-  # Or disable the firewall altogether.
-  networking.firewall.enable = lib.mkDefault false;
-
-  # Enable the OpenSSH daemon.
-  services.openssh = {
+  # Enable in-memory compressed devices and swap space provided by the zram kernel module.
+  # By enable this, we can store more data in memory instead of fallback to disk-based swap devices directly, 
+  # and thus improve I/O performance when we have a lot of memory.
+  # 
+  #   https://www.kernel.org/doc/Documentation/blockdev/zram.txt
+  zramSwap = {
     enable = true;
-    settings = {
-      X11Forwarding = true;
-      PermitRootLogin = "no"; # disable root login
-      PasswordAuthentication = false; # disable password login
-    };
-    openFirewall = true;
+    # one of "lzo", "lz4", "zstd"
+    algorithm = "zstd";
+    # Priority of the zram swap devices. 
+    # It should be a number higher than the priority of your disk-based swap devices
+    # (so that the system will fill the zram swap devices before falling back to disk swap).
+    priority = 5;
+    # Maximum total amount of memory that can be stored in the zram swap devices (as a percentage of your total memory). 
+    # Defaults to 1/2 of your total RAM. Run zramctl to check how good memory is compressed. 
+    # This doesn’t define how much memory will be used by the zram swap devices.
+    memoryPercent = 50;
   };
+
   # for power management
   services = {
     power-profiles-daemon = {
@@ -64,6 +57,8 @@
   # List packages installed in system profile. To search, run:
   # $ nix search wget
   environment.systemPackages = with pkgs; [
+    parted
+    psmisc # killall/pstree/prtstat/fuser/...
     neovim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
     wget
     curl
@@ -89,11 +84,4 @@
 
   # replace default editor with neovim
   environment.variables.EDITOR = "nvim";
-
-  virtualisation.docker = {
-    enable = true;
-    # start dockerd on boot.
-    # This is required for containers which are created with the `--restart=always` flag to work.
-    enableOnBoot = true;
-  };
 }

modules/nixos/base/networking.nix

@@ -0,0 +1,19 @@
+{lib, ...}: {
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  networking.firewall.enable = lib.mkDefault false;
+
+  # Enable the OpenSSH daemon.
+  services.openssh = {
+    enable = true;
+    settings = {
+      X11Forwarding = true;
+      PermitRootLogin = "no"; # disable root login
+      PasswordAuthentication = false; # disable password login
+    };
+    openFirewall = true;
+  };
+
+
+}

modules/nixos/base/remote-building.nix

@@ -1,5 +1,4 @@
-{ username, ... }:
-{
+{username, ...}: {
   ####################################################################
   #
   #  NixOS's Configuration for Remote Building / Distributed Building

modules/nixos/base/user-group.nix

@@ -1,6 +1,4 @@
-{ username, ... }: 
-
-{
+{username, config, ...}: {
   # Don't allow mutation of users outside the config.
   users.mutableUsers = false;
 
@@ -39,10 +37,10 @@
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII7PTkP3ixXTZlrJNSHnXgkmHNT+QslFi9wNYXOpVwGB ryan@harmonica"
     ];
   };
-  users.users.root.initialHashedPassword = "$7$CU..../....X6uvZYnFD.i1CqqFFNl4./$4vgqzIPyw5XBr0aCDFbY/UIRRJr7h5SMGoQ/ZvX3FP2";
-
-  # fix for `sudo xxx` in kitty/wezterm and other modern terminal emulators
-  security.sudo.keepTerminfo = true;
+  users.users.root = {
+    initialHashedPassword = "$7$CU..../....X6uvZYnFD.i1CqqFFNl4./$4vgqzIPyw5XBr0aCDFbY/UIRRJr7h5SMGoQ/ZvX3FP2";
+    openssh.authorizedKeys.keys = config.users.users."${username}".openssh.authorizedKeys.keys;
+  };
 
   # DO NOT promote the specified user to input password for `nix-store` and `nix-copy-closure`
   security.sudo.extraRules = [

modules/nixos/base/visualisation.nix

@@ -0,0 +1,25 @@
+{pkgs, ...}: {
+  ###################################################################################
+  #
+  #  Visualisation - Libvirt(QEMU/KVM) / Docker / LXD / WayDroid
+  #
+  ###################################################################################
+
+  virtualisation = {
+    docker = {
+      enable = true;
+      daemon.settings = {
+        # enables pulling using containerd, which supports restarting from a partial pull
+        # https://docs.docker.com/storage/containerd/
+        "features" = {"containerd-snapshotter" = true;};
+      };
+
+      # start dockerd on boot.
+      # This is required for containers which are created with the `--restart=always` flag to work.
+      enableOnBoot = true;
+    };
+
+    waydroid.enable = true;
+    lxd.enable = true;
+  };
+}

modules/nixos/core-desktop.nix

@@ -1,216 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  pkgs-unstable,
-  ...
-}: {
-  ###################################################################################
-  #
-  #  NixOS's core configuration suitable for my desktop computer
-  #
-  ###################################################################################
-
-  imports = [
-    ./core-server.nix
-  ];
-
-  # to install chrome, you need to enable unfree packages
-  nixpkgs.config.allowUnfree = lib.mkForce true;
-
-  # add user's shell into /etc/shells
-  environment.shells = with pkgs; [
-    bash
-    nushell
-  ];
-  # set user's default shell system-wide
-  users.defaultUserShell = pkgs.nushell;
-
-  # List packages installed in system profile. To search, run:
-  # $ nix search wget
-  environment.systemPackages = with pkgs; [
-    parted
-    ventoy
-    gnumake
-
-    psmisc  # killall/pstree/prtstat/fuser/...
-    colmena  # nixos's remote deployment tool
-    pulseaudio  # provides `pactl`, which is required by some apps(e.g. sonic-pi)
-  ];
-
-  programs = {
-    # android development tools, this will install adb/fastboot and other android tools and udev rules
-    # see https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/programs/adb.nix
-    adb.enable = true;
-    # The OpenSSH agent remembers private keys for you
-    # so that you don’t have to type in passphrases every time you make an SSH connection.
-    # Use `ssh-add` to add a key to the agent.
-    ssh.startAgent = true;
-    # dconf is a low-level configuration system.
-    dconf.enable = true;
-  };
-
-  # A key remapping daemon for linux.
-  # https://github.com/rvaiya/keyd
-  services.keyd = {
-    enable = true;
-    keyboards = {
-      default = {
-        settings = {
-          main = {
-            # overloads the capslock key to function as both escape (when tapped) and control (when held)
-            capslock = "overload(control, esc)";
-          };
-        };
-      };
-    };
-  };
-
-  # PipeWire is a new low-level multimedia framework.
-  # It aims to offer capture and playback for both audio and video with minimal latency.
-  # It support for PulseAudio-, JACK-, ALSA- and GStreamer-based applications.
-  # PipeWire has a great bluetooth support, it can be a good alternative to PulseAudio.
-  #     https://nixos.wiki/wiki/PipeWire
-  services.pipewire = {
-    enable = true;
-    # package = pkgs-unstable.pipewire;
-    alsa.enable = true;
-    alsa.support32Bit = true;
-    pulse.enable = true;
-    # If you want to use JACK applications, uncomment this
-    jack.enable = true;
-    wireplumber.enable = true;
-  };
-  # rtkit is optional but recommended
-  security.rtkit.enable = true;
-  # Remove sound.enable or turn it off if you had it set previously, it seems to cause conflicts with pipewire
-  sound.enable = false;
-  # Disable pulseaudio, it conflicts with pipewire too.
-  hardware.pulseaudio.enable = false;
-
-  # enable bluetooth & gui paring tools - blueman
-  # or you can use cli:
-  # $ bluetoothctl
-  # [bluetooth] # power on
-  # [bluetooth] # agent on
-  # [bluetooth] # default-agent
-  # [bluetooth] # scan on
-  # ...put device in pairing mode and wait [hex-address] to appear here...
-  # [bluetooth] # pair [hex-address]
-  # [bluetooth] # connect [hex-address]
-  # Bluetooth devices automatically connect with bluetoothctl as well:
-  # [bluetooth] # trust [hex-address]
-  hardware.bluetooth.enable = true;
-  services.blueman.enable = true;
-
-  # security with polkit
-  services.power-profiles-daemon = {
-    enable = true;
-  };
-  security.polkit.enable = true;
-  # security with gnome-kering
-  services.gnome.gnome-keyring.enable = true;
-  security.pam.services.greetd.enableGnomeKeyring = true;
-  
-  services = {
-    # Enable CUPS to print documents.
-    printing.enable = true;
-
-    # https://flatpak.org/setup/NixOS
-    flatpak.enable = false;
-
-    dbus.packages = [pkgs.gcr];
-    geoclue2.enable = true;
-
-    udev.packages = with pkgs; [
-      gnome.gnome-settings-daemon
-      platformio # udev rules for platformio
-      openocd # required by paltformio, see https://github.com/NixOS/nixpkgs/issues/224895
-      android-udev-rules
-      openfpgaloader
-    ];
-  };
-
-
-  xdg.portal = {
-    enable = true;
-
-    config = {
-      common = {
-        # Use xdg-desktop-portal-gtk for every portal interface...
-        default = [
-          "gtk"
-        ];
-        # except for the secret portal, which is handled by gnome-keyring
-        "org.freedesktop.impl.portal.Secret" = [
-          "gnome-keyring"
-        ];
-      };
-    };
-
-    # Sets environment variable NIXOS_XDG_OPEN_USE_PORTAL to 1
-    # This will make xdg-open use the portal to open programs,
-    # which resolves bugs involving programs opening inside FHS envs or with unexpected env vars set from wrappers.
-    # xdg-open is used by almost all programs to open a unknown file/uri
-    # alacritty as an example, it use xdg-open as default, but you can also custom this behavior
-    # and vscode has open like `External Uri Openers`
-    xdgOpenUsePortal = false;
-    extraPortals = with pkgs; [
-      xdg-desktop-portal-gtk # for gtk
-      # xdg-desktop-portal-kde  # for kde
-    ];
-  };
-
-  # all fonts are linked to /nix/var/nix/profiles/system/sw/share/X11/fonts
-  fonts = {
-    # use fonts specified by user rather than default ones
-    enableDefaultPackages = false;
-    fontDir.enable = true;
-
-    packages = with pkgs; [
-      # icon fonts
-      material-design-icons
-      font-awesome
-
-      # Noto 系列字体是 Google 主导的，名字的含义是「没有豆腐」（no tofu），因为缺字时显示的方框或者方框被叫作 tofu
-      # Noto 系列字族名只支持英文，命名规则是 Noto + Sans 或 Serif + 文字名称。
-      # 其中汉字部分叫 Noto Sans/Serif CJK SC/TC/HK/JP/KR，最后一个词是地区变种。
-      noto-fonts # 大部分文字的常见样式，不包含汉字
-      noto-fonts-cjk # 汉字部分
-      noto-fonts-emoji # 彩色的表情符号字体
-      noto-fonts-extra # 提供额外的字重和宽度变种
-
-      # 思源系列字体是 Adobe 主导的。其中汉字部分被称为「思源黑体」和「思源宋体」，是由 Adobe + Google 共同开发的
-      source-sans # 无衬线字体，不含汉字。字族名叫 Source Sans 3 和 Source Sans Pro，以及带字重的变体，加上 Source Sans 3 VF
-      source-serif # 衬线字体，不含汉字。字族名叫 Source Code Pro，以及带字重的变体
-      source-han-sans # 思源黑体
-      source-han-serif # 思源宋体
-
-      # nerdfonts
-      (nerdfonts.override {
-        fonts = [
-          "FiraCode"
-          "JetBrainsMono"
-          "Iosevka"
-        ];
-      })
-
-      (pkgs.callPackage ../../fonts/icomoon-feather-icon-font.nix {})
-    ];
-
-    # user defined fonts
-    # the reason there's Noto Color Emoji everywhere is to override DejaVu's
-    # B&W emojis that would sometimes show instead of some Color emojis
-    fontconfig.defaultFonts = {
-      serif = ["Noto Serif CJK SC" "Noto Serif CJK TC" "Noto Serif CJK JP" "Noto Color Emoji"];
-      sansSerif = ["Noto Sans CJK SC" "Noto Sans CJK TC" "Noto Sans CJK JP" "Noto Color Emoji"];
-      monospace = ["JetBrainsMono Nerd Font" "Noto Color Emoji"];
-      emoji = ["Noto Color Emoji"];
-    };
-  };
-
-  environment.variables = {
-    # fix https://github.com/NixOS/nixpkgs/issues/238025
-    TZ = "${config.time.timeZone}";
-  };
-}

modules/nixos/core-riscv64.nix

@@ -1,74 +0,0 @@
-{config, pkgs, nixpkgs, ...}: {
-
-  # =========================================================================
-  #      Base NixOS Configuration
-  # =========================================================================
-
-  # Set your time zone.
-  time.timeZone = "Asia/Shanghai";
-
-  # Select internationalisation properties.
-  i18n.defaultLocale = "en_US.UTF-8";
-
-  nix.settings = {
-    # Manual optimise storage: nix-store --optimise
-    # https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-auto-optimise-store
-    auto-optimise-store = true;
-    builders-use-substitutes = true;
-    # enable flakes globally
-    experimental-features = ["nix-command" "flakes"];
-  };
-
-  # List packages installed in system profile. To search, run:
-  # $ nix search wget
-  #
-  # TODO feel free to add or remove packages here.
-  environment.systemPackages = with pkgs; [
-    neovim
-
-    # networking
-    mtr      # A network diagnostic tool
-    iperf3   # A tool for measuring TCP and UDP bandwidth performance
-    nmap     # A utility for network discovery and security auditing
-    ldns     # replacement of dig, it provide the command `drill`
-    socat    # replacement of openbsd-netcat
-    tcpdump  # A powerful command-line packet analyzer
-
-    # archives
-    zip
-    xz
-    unzip
-    p7zip
-    zstd
-    gnutar
-
-    # misc
-    file
-    which
-    tree
-    gnused
-    gawk
-    tmux
-    docker-compose
-  ];
-
-  # replace default editor with neovim
-  environment.variables.EDITOR = "nvim";
-
-  virtualisation.docker = {
-    enable = true;
-    # start dockerd on boot.
-    # This is required for containers which are created with the `--restart=always` flag to work.
-    enableOnBoot = true;
-  };
-
-  services.openssh = {
-    enable = true;
-    settings = {
-      X11Forwarding = true;
-      PermitRootLogin = "prohibit-password";  # disable root login with password
-      PasswordAuthentication = false; # disable password login
-    };
-    openFirewall = true;
-  };
-}

modules/nixos/desktop/default.nix

@@ -0,0 +1,10 @@
+{
+  imports = [
+    ./fonts.nix
+    ./graphic.nix
+    ./misc.nix
+    ./peripherals.nix
+    ./security.nix
+    ./visualisation.nix
+  ];
+}

modules/nixos/desktop/fonts.nix

@@ -0,0 +1,69 @@
+{pkgs, ...}: {
+  # all fonts are linked to /nix/var/nix/profiles/system/sw/share/X11/fonts
+  fonts = {
+    # use fonts specified by user rather than default ones
+    enableDefaultPackages = false;
+    fontDir.enable = true;
+
+    packages = with pkgs; [
+      # icon fonts
+      material-design-icons
+      font-awesome
+
+      # Noto 系列字体是 Google 主导的，名字的含义是「没有豆腐」（no tofu），因为缺字时显示的方框或者方框被叫作 tofu
+      # Noto 系列字族名只支持英文，命名规则是 Noto + Sans 或 Serif + 文字名称。
+      # 其中汉字部分叫 Noto Sans/Serif CJK SC/TC/HK/JP/KR，最后一个词是地区变种。
+      noto-fonts # 大部分文字的常见样式，不包含汉字
+      noto-fonts-cjk # 汉字部分
+      noto-fonts-emoji # 彩色的表情符号字体
+      noto-fonts-extra # 提供额外的字重和宽度变种
+
+      # 思源系列字体是 Adobe 主导的。其中汉字部分被称为「思源黑体」和「思源宋体」，是由 Adobe + Google 共同开发的
+      source-sans # 无衬线字体，不含汉字。字族名叫 Source Sans 3 和 Source Sans Pro，以及带字重的变体，加上 Source Sans 3 VF
+      source-serif # 衬线字体，不含汉字。字族名叫 Source Code Pro，以及带字重的变体
+      source-han-sans # 思源黑体
+      source-han-serif # 思源宋体
+
+      # nerdfonts
+      (nerdfonts.override {
+        fonts = [
+          "FiraCode"
+          "JetBrainsMono"
+          "Iosevka"
+        ];
+      })
+
+      # added by my custom overlays, custom icon font for hyprland/i3's tray/bar
+      icomoon-feather-icon-font
+    ];
+
+    # user defined fonts
+    # the reason there's Noto Color Emoji everywhere is to override DejaVu's
+    # B&W emojis that would sometimes show instead of some Color emojis
+    fontconfig.defaultFonts = {
+      serif = ["Noto Serif CJK SC" "Noto Serif CJK TC" "Noto Serif CJK JP" "Noto Color Emoji"];
+      sansSerif = ["Noto Sans CJK SC" "Noto Sans CJK TC" "Noto Sans CJK JP" "Noto Color Emoji"];
+      monospace = ["JetBrainsMono Nerd Font" "Noto Color Emoji"];
+      emoji = ["Noto Color Emoji"];
+    };
+  };
+
+  # https://wiki.archlinux.org/title/KMSCON
+  services.kmscon = {
+    # Use kmscon as the virtual console instead of gettys.
+    # kmscon is a kms/dri-based userspace virtual terminal implementation.
+    # It supports a richer feature set than the standard linux console VT,
+    # including full unicode support, and when the video card supports drm should be much faster.
+    enable = true;
+    fonts = [
+      {
+        name = "Source Code Pro";
+        package = pkgs.source-code-pro;
+      }
+    ];
+    extraOptions = "--term xterm-256color";
+    extraConfig = "font-size=12";
+    # Whether to use 3D hardware acceleration to render the console.
+    hwRender = true;
+  };
+}

modules/nixos/desktop/graphic.nix

@@ -0,0 +1,30 @@
+{pkgs, ...}: {
+  xdg.portal = {
+    enable = true;
+
+    config = {
+      common = {
+        # Use xdg-desktop-portal-gtk for every portal interface...
+        default = [
+          "gtk"
+        ];
+        # except for the secret portal, which is handled by gnome-keyring
+        "org.freedesktop.impl.portal.Secret" = [
+          "gnome-keyring"
+        ];
+      };
+    };
+
+    # Sets environment variable NIXOS_XDG_OPEN_USE_PORTAL to 1
+    # This will make xdg-open use the portal to open programs,
+    # which resolves bugs involving programs opening inside FHS envs or with unexpected env vars set from wrappers.
+    # xdg-open is used by almost all programs to open a unknown file/uri
+    # alacritty as an example, it use xdg-open as default, but you can also custom this behavior
+    # and vscode has open like `External Uri Openers`
+    xdgOpenUsePortal = false;
+    extraPortals = with pkgs; [
+      xdg-desktop-portal-gtk # for gtk
+      # xdg-desktop-portal-kde  # for kde
+    ];
+  };
+}

modules/nixos/desktop/misc.nix

@@ -0,0 +1,54 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  # add user's shell into /etc/shells
+  environment.shells = with pkgs; [
+    bash
+    nushell
+  ];
+  # set user's default shell system-wide
+  users.defaultUserShell = pkgs.nushell;
+
+  # fix for `sudo xxx` in kitty/wezterm and other modern terminal emulators
+  security.sudo.keepTerminfo = true;
+
+  environment.variables = {
+    # fix https://github.com/NixOS/nixpkgs/issues/238025
+    TZ = "${config.time.timeZone}";
+  };
+
+  # List packages installed in system profile. To search, run:
+  # $ nix search wget
+  environment.systemPackages = with pkgs; [
+    ventoy
+    gnumake
+
+    colmena # nixos's remote deployment tool
+  ];
+
+  services = {
+    gvfs.enable = true; # Mount, trash, and other functionalities
+    tumbler.enable = true; # Thumbnail support for images
+  };
+
+  programs = {
+    # The OpenSSH agent remembers private keys for you
+    # so that you don’t have to type in passphrases every time you make an SSH connection.
+    # Use `ssh-add` to add a key to the agent.
+    ssh.startAgent = true;
+    # dconf is a low-level configuration system.
+    dconf.enable = true;
+
+    # thunar file manager(part of xfce) related options
+    thunar = {
+      enable = true;
+      plugins = with pkgs.xfce; [
+        thunar-archive-plugin
+        thunar-volman
+      ];
+    };
+  };
+}

modules/nixos/desktop/peripherals.nix

@@ -0,0 +1,75 @@
+{pkgs, ...}: {
+  #============================= Audio(PipeWire) =======================
+
+  # List packages installed in system profile. To search, run:
+  # $ nix search wget
+  environment.systemPackages = with pkgs; [
+    pulseaudio # provides `pactl`, which is required by some apps(e.g. sonic-pi)
+  ];
+
+  # PipeWire is a new low-level multimedia framework.
+  # It aims to offer capture and playback for both audio and video with minimal latency.
+  # It support for PulseAudio-, JACK-, ALSA- and GStreamer-based applications.
+  # PipeWire has a great bluetooth support, it can be a good alternative to PulseAudio.
+  #     https://nixos.wiki/wiki/PipeWire
+  services.pipewire = {
+    enable = true;
+    # package = pkgs-unstable.pipewire;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
+    # If you want to use JACK applications, uncomment this
+    jack.enable = true;
+    wireplumber.enable = true;
+  };
+  # rtkit is optional but recommended
+  security.rtkit.enable = true;
+  # Remove sound.enable or turn it off if you had it set previously, it seems to cause conflicts with pipewire
+  sound.enable = false;
+  # Disable pulseaudio, it conflicts with pipewire too.
+  hardware.pulseaudio.enable = false;
+
+  #============================= Bluetooth =============================
+
+  # enable bluetooth & gui paring tools - blueman
+  # or you can use cli:
+  # $ bluetoothctl
+  # [bluetooth] # power on
+  # [bluetooth] # agent on
+  # [bluetooth] # default-agent
+  # [bluetooth] # scan on
+  # ...put device in pairing mode and wait [hex-address] to appear here...
+  # [bluetooth] # pair [hex-address]
+  # [bluetooth] # connect [hex-address]
+  # Bluetooth devices automatically connect with bluetoothctl as well:
+  # [bluetooth] # trust [hex-address]
+  hardware.bluetooth.enable = true;
+  services.blueman.enable = true;
+
+  #================================= Misc =================================
+
+  services = {
+    printing.enable = true; # Enable CUPS to print documents.
+    geoclue2.enable = true; # Enable geolocation services.
+
+    udev.packages = with pkgs; [
+      gnome.gnome-settings-daemon
+      platformio # udev rules for platformio
+      openocd # required by paltformio, see https://github.com/NixOS/nixpkgs/issues/224895
+      android-udev-rules # required by adb
+      openfpgaloader
+    ];
+
+    # A key remapping daemon for linux.
+    # https://github.com/rvaiya/keyd
+    keyd = {
+      enable = true;
+      keyboards.default.settings = {
+        main = {
+          # overloads the capslock key to function as both escape (when tapped) and control (when held)
+          capslock = "overload(control, esc)";
+        };
+      };
+    };
+  };
+}

modules/nixos/desktop/security.nix

@@ -0,0 +1,15 @@
+{ config, ...}:
+{
+  nix.extraOptions = ''
+    !include ${config.age.secrets.nix-access-tokens.path}
+  '';
+
+  # security with polkit
+  services.power-profiles-daemon = {
+    enable = true;
+  };
+  security.polkit.enable = true;
+  # security with gnome-kering
+  services.gnome.gnome-keyring.enable = true;
+  security.pam.services.greetd.enableGnomeKeyring = true;
+}

modules/nixos/desktop/visualisation.nix

@@ -1,14 +1,15 @@
-{
-  lib,
-  pkgs,
-  ...
-}: {
+{pkgs, ...}: {
   ###################################################################################
   #
-  #  Enable Libvirt(QEMU/KVM), install qemu-system-riscv64/qemu-system-loongarch64/...)
+  #  Visualisation - Libvirt(QEMU/KVM) / Docker / LXD / WayDroid
   #
   ###################################################################################
 
+  boot.kernelModules = ["kvm-amd" "kvm-intel" "vfio-pci"];
+  # Enable nested virsualization, required by security containers and nested vm.
+  boot.extraModprobeConfig = "options kvm_intel nested=1"; # for intel cpu
+  # boot.extraModprobeConfig = "options kvm_amd nested=1";  # for amd cpu
+
   virtualisation = {
     libvirtd = {
       enable = true;
@@ -16,8 +17,10 @@
       # To fix these, manually change ownership of affected files in /var/lib/libvirt/qemu to qemu-libvirtd.
       qemu.runAsRoot = true;
     };
+    waydroid.enable = true;
+    lxd.enable = true;
   };
-  programs.dconf.enable = true;
+
   environment.systemPackages = with pkgs; [
     # Need to add [File (in the menu bar) -> Add connection] when start for the first time
     virt-manager
@@ -37,14 +40,4 @@
     #   ......
     qemu_full
   ];
-
-  boot.kernelModules = ["kvm-amd" "kvm-intel" "vfio-pci"];
-  # Enable nested virsualization, required by security containers and nested vm.
-  boot.extraModprobeConfig = "options kvm_intel nested=1"; # for intel cpu
-  # boot.extraModprobeConfig = "options kvm_amd nested=1";  # for amd cpu
-
-  virtualisation = {
-    waydroid.enable = true;
-    lxd.enable = true;
-  };
 }

modules/nixos/hyprland.nix

@@ -1,16 +1,22 @@
-{pkgs, hyprland, ...}: {
+{pkgs, ...}: {
   ##########################################################################################################
   #
-  #  NixOS's Configuration for Hyprland Window Manager
+  #  NixOS's Configuration for Wayland based Window Manager
   #
-  #    i3wm: old and stable, only support X11
-  #    sway: compatible with i3wm, support Wayland. do not support Nvidia GPU officially.
   #    hyprland: project starts from 2022, support Wayland, envolving fast, good looking, support Nvidia GPU.
   #
   ##########################################################################################################
 
   imports = [
-     # hyprland.nixosModules.default
+    ./base/i18n.nix
+    ./base/misc.nix
+    ./base/networking.nix
+    ./base/remote-building.nix
+    ./base/user-group.nix
+    ./base/visualisation.nix
+
+    ./desktop
+    ../base.nix
   ];
 
   xdg.portal = {
@@ -21,49 +27,21 @@
     ];
   };
 
-  environment.pathsToLink = ["/libexec"]; # links /libexec from derivations to /run/current-system/sw
   services = {
-    gvfs.enable = true; # Mount, trash, and other functionalities
-    tumbler.enable = true; # Thumbnail support for images
-    xserver = {
+    xserver.enable = false;
+    # https://wiki.archlinux.org/title/Greetd
+    greetd = {
       enable = true;
-
-      desktopManager = {
-        xterm.enable = false;
-      };
-
-      displayManager = {
-        defaultSession = "hyprland";
-        lightdm.enable = false;
-        gdm = {
-          enable = true;
-          wayland = true;
+      settings = {
+        default_session = {
+          user = "ryan"; # Hyprland is installed only for user ryan via home-manager!
+          command = "Hyprland"; # start Hyprland directly without a login manager
+          # command = "${pkgs.greetd.tuigreet}/bin/tuigreet --time --cmd Hyprland";  # start Hyprland with a TUI login manager
         };
       };
     };
   };
 
-  programs = {
-    hyprland = {
-      enable = true;
-    
-      xwayland = {
-        enable = true;
-      };
-    
-      enableNvidiaPatches = true;
-    };
-
-    # monitor backlight control
-    light.enable = true;
-
-    # thunar file manager(part of xfce) related options
-    thunar.plugins = with pkgs.xfce; [
-      thunar-archive-plugin
-      thunar-volman
-    ];
-  };
-
   # List packages installed in system profile. To search, run:
   # $ nix search wget
   environment.systemPackages = with pkgs; [
@@ -90,8 +68,6 @@
     mpc-cli # command-line mpd client
     ncmpcpp # a mpd client with a UI
     networkmanagerapplet # provide GUI app: nm-connection-editor
-
-    xfce.thunar # xfce4's file manager
   ];
 
   # fix https://github.com/ryan4yin/nix-config/issues/10

modules/nixos/i3.nix

@@ -5,23 +5,35 @@
   #
   ####################################################################
 
+  imports = [
+    ./base/i18n.nix
+    ./base/misc.nix
+    ./base/networking.nix
+    ./base/remote-building.nix
+    ./base/user-group.nix
+    ./base/visualisation.nix
+
+    ./desktop
+    ../base.nix
+  ];
+
   # i3 related options
-  environment.pathsToLink = ["/libexec"]; # links /libexec from derivations to /run/current-system/sw
   services = {
     gvfs.enable = true; # Mount, trash, and other functionalities
     tumbler.enable = true; # Thumbnail support for images
+
     xserver = {
       enable = true;
-
-      desktopManager = {
-        xterm.enable = false;
-      };
-
       displayManager = {
-        defaultSession = "none+i3";
-        lightdm.enable = false;
-        gdm.enable = true;
+        lightdm.enable = true;
+        autoLogin = {
+          enable = true;
+          user = "ryan";
         };
+        defaultSession = "none+i3";
+      };
+      # Configure keymap in X11
+      xkb.layout = "us";
 
       windowManager.i3 = {
         enable = true;
@@ -46,20 +58,8 @@
           scrot # minimal screen capture tool, used by i3 blur lock to take a screenshot
           sysstat # get system information
           alsa-utils # provides amixer/alsamixer/...
-
-          xfce.thunar # xfce4's file manager
         ];
       };
-
-      # Configure keymap in X11
-      layout = "us";
-      xkbVariant = "";
     };
   };
-
-  # thunar file manager(part of xfce) related options
-  programs.thunar.plugins = with pkgs.xfce; [
-    thunar-archive-plugin
-    thunar-volman
-  ];
 }

modules/nixos/server-riscv64.nix

@@ -0,0 +1,63 @@
+{pkgs, ...}: {
+  # =========================================================================
+  #      Base NixOS Configuration
+  # =========================================================================
+
+  imports = [
+    ./base/i18n.nix
+    ./base/misc.nix
+    ./base/user-group.nix
+
+    ../base.nix
+  ];
+
+  # List packages installed in system profile. To search, run:
+  # $ nix search wget
+  #
+  # TODO feel free to add or remove packages here.
+  environment.systemPackages = with pkgs; [
+    neovim
+
+    # networking
+    mtr # A network diagnostic tool
+    iperf3 # A tool for measuring TCP and UDP bandwidth performance
+    nmap # A utility for network discovery and security auditing
+    ldns # replacement of dig, it provide the command `drill`
+    socat # replacement of openbsd-netcat
+    tcpdump # A powerful command-line packet analyzer
+
+    # archives
+    zip
+    xz
+    unzip
+    p7zip
+    zstd
+    gnutar
+
+    # misc
+    file
+    which
+    tree
+    gnused
+    gawk
+    tmux
+    docker-compose
+  ];
+
+  virtualisation.docker = {
+    enable = true;
+    # start dockerd on boot.
+    # This is required for containers which are created with the `--restart=always` flag to work.
+    enableOnBoot = true;
+  };
+
+  services.openssh = {
+    enable = true;
+    settings = {
+      X11Forwarding = true;
+      PermitRootLogin = "prohibit-password"; # disable root login with password
+      PasswordAuthentication = false; # disable password login
+    };
+    openFirewall = true;
+  };
+}

modules/nixos/server.nix

@@ -0,0 +1,12 @@
+{
+  imports = [
+    ./base/i18n.nix
+    ./base/misc.nix
+    ./base/networking.nix
+    ./base/remote-building.nix
+    ./base/user-group.nix
+    ./base/visualisation.nix
+
+    ../base.nix
+  ];
+}