refactor: var_networking.ssh

fix: nix-darwin do not have a programs.ssh.extraConfig
Merge pull request #53 from ryan4yin/router
2026-05-28 18:39:31 +02:00 · 2024-01-29 01:31:44 +08:00 · 2024-01-29 01:30:17 +08:00 · 2024-01-29 01:25:01 +08:00 · 2024-01-29 01:23:18 +08:00 · 2024-01-28 23:21:47 +08:00
127 changed files with 3116 additions and 820 deletions
@@ -51,6 +51,10 @@ gc:
  sudo nix store gc --debug
  sudo nix-collect-garbage --delete-old
 gitgc:
  git reflog expire --expire-unreachable=now --all
  git gc --prune=now
 ############################################################################
 #
 #  Darwin related commands, harmonica is my macbook pro's hostname
@@ -75,18 +79,25 @@ fe mode="default": darwin-set-proxy
  darwin-build "fern" {{mode}}; \
  darwin-switch "fern" {{mode}}
 yabai-reload:
  launchctl kickstart -k "gui/502/org.nixos.yabai";
  launchctl kickstart -k "gui/502/org.nixos.skhd"; 
 ############################################################################
 #
-#  Idols, Commands related to my remote distributed building cluster
+#  Colmena - Remote NixOS deployment
 #
 ############################################################################
-idols-ssh-key:
+colmena-ssh-key:
-  ssh-add ~/.ssh/ai-idols
+  ssh-add /etc/agenix/ssh-key-romantic
-idols: idols-ssh-key
+dist:
  colmena apply --on '@dist-build'
 dist-debug:
  colmena apply --on '@dist-build' --verbose --show-trace
 aqua:
  colmena apply --on '@aqua'
@@ -96,20 +107,21 @@ ruby:
 kana:
  colmena apply --on '@kana'
-idols-debug: idols-ssh-key
+tailscale_gw:
-  colmena apply --on '@dist-build' --verbose --show-trace
+  colmena apply --on '@tailscale_gw'
 pve-image:
  nom build .#tailscale_gw
  rsync -avz --progress --copy-links result root@s500plus:/var/lib/vz/dump/vzdump-qemu-tailscale_gw.vma.zst
 # only used once to setup the virtual machines
 idols-image:
  # take image for idols, and upload the image to proxmox nodes.
  nom build .#aquamarine
-  scp result root@gtr5:/var/lib/vz/dump/vzdump-qemu-aquamarine.vma.zst
+  rsync -avz --progress --copy-links result root@s500plus:/var/lib/vz/dump/vzdump-qemu-aquamarine.vma.zst
  nom build .#ruby
-  scp result root@s500plus:/var/lib/vz/dump/vzdump-qemu-ruby.vma.zst
+  rsync -avz --progress --copy-links result root@gtr5:/var/lib/vz/dump/vzdump-qemu-ruby.vma.zst
  nom build .#kana
-  scp result root@um560:/var/lib/vz/dump/vzdump-qemu-kana.vma.zst
+  rsync -avz --progress --copy-links result root@um560:/var/lib/vz/dump/vzdump-qemu-kana.vma.zst
 ############################################################################
@@ -118,10 +130,10 @@ idols-image:
 #
 ############################################################################
-roll: idols-ssh-key
+roll:
  colmena apply --on '@riscv'
-roll-debug: idols-ssh-key
+roll-debug:
  colmena apply --on '@dist-build' --verbose --show-trace
 nozomi:
@@ -155,6 +167,9 @@ fmt:
  # format the nix files in this repo
  nix fmt
 path:
   $env.PATH | split row ":"
 nvim-test:
  rm -rf $"($env.HOME)/.config/astronvim/lua/user"
  rsync -avz --copy-links --chmod=D2755,F744 home/base/desktop/editors/neovim/astronvim_user/ $"($env.HOME)/.config/astronvim/lua/user"
@@ -8,7 +8,7 @@
 	<a href="https://github.com/ryan4yin/nix-config/stargazers">
 		<img alt="Stargazers" src="https://img.shields.io/github/stars/ryan4yin/nix-config?style=for-the-badge&logo=starship&color=C9CBFF&logoColor=D9E0EE&labelColor=302D41"></a>
    <a href="https://nixos.org/">
-        <img src="https://img.shields.io/badge/NixOS-23.05-informational.svg?style=for-the-badge&logo=nixos&color=F2CDCD&logoColor=D9E0EE&labelColor=302D41"></a>
+        <img src="https://img.shields.io/badge/NixOS-23.11-informational.svg?style=for-the-badge&logo=nixos&color=F2CDCD&logoColor=D9E0EE&labelColor=302D41"></a>
    <a href="https://github.com/ryan4yin/nixos-and-flakes-book">
        <img src="https://img.shields.io/static/v1?label=Nix Flakes&message=learning&style=for-the-badge&logo=nixos&color=DDB6F2&logoColor=D9E0EE&labelColor=302D41"></a>
  </a>
@@ -85,7 +85,7 @@ See [./secrets](./secrets) for details.
 ## How to Deploy this Flake?
-> :red_circle: **IMPORTANT**: **You should NOT deploy this flake directly on your machine:exclamation: It will not succeed.** this flake contains my hardware configuration(such as [hardware-configuration.nix](hosts/idols/ai/hardware-configuration.nix), [cifs-mount.nix](https://github.com/ryan4yin/nix-config/blob/v0.1.1/hosts/idols/ai/cifs-mount.nix), [Nvidia Support](https://github.com/ryan4yin/nix-config/blob/v0.1.1/hosts/idols/ai/default.nix#L77-L91), etc.) which is not suitable for your hardware, and my private secrets repository [ryan4yin/nix-secrets](https://github.com/ryan4yin/nix-config/tree/main/secrets) that only I have access to. You may use this repo as a reference to build your own configuration.
+> :red_circle: **IMPORTANT**: **You should NOT deploy this flake directly on your machine:exclamation: It will not succeed.** this flake contains my hardware configuration(such as [hardware-configuration.nix](hosts/idols_ai/hardware-configuration.nix), [cifs-mount.nix](https://github.com/ryan4yin/nix-config/blob/v0.1.1/hosts/idols_ai/cifs-mount.nix), [Nvidia Support](https://github.com/ryan4yin/nix-config/blob/v0.1.1/hosts/idols_ai/default.nix#L77-L91), etc.) which is not suitable for your hardware, and my private secrets repository [ryan4yin/nix-secrets](https://github.com/ryan4yin/nix-config/tree/main/secrets) that only I have access to. You may use this repo as a reference to build your own configuration.
 For NixOS:
@@ -110,9 +110,13 @@ just i3 debug
 For macOS:
 ```bash
-# deploy harmonicia's configuration(macOS Intel)
+# deploy harmonica's configuration(macOS Intel)
 just ha
 # If you are deploying for the first time,
 # enter a shell with essential packages available
 # nix shell nixpkgs#just nixpkgs#git
 # deploy fern's configuration(Apple Silicon)
 just fe
@@ -133,7 +137,7 @@ nom build .#aquamarine  # `nom`(nix-output-monitor) can be replaced by the stand
 # 2. upload the genereated image to proxmox server's backup directory `/var/lib/vz/dump`
 #    please replace the vma file name with the one you generated in step 1.
-scp result/vzdump-qemu-aquamarine-nixos-23.11.20230603.dd49825.vma.zst root@192.168.5.174:/var/lib/vz/dump
+rsync -avz --progress --copy-links result root@gtr5:/var/lib/vz/dump/vzdump-qemu-aquamarine.vma.zst
 # 3. the image we uploaded will be listed in proxmox web ui's this page: [storage 'local'] -> [backups], we can restore a vm from it via the web ui now.
 ```
@@ -142,7 +146,7 @@ Once the virtual machine `aquamarine` is created, we can deploy updates to it wi
 ```shell
 # 1. add the ssh key to ssh-agent
-ssh-add ~/.ssh/ai-idols
+ssh-add /etc/agenix/ssh-key-romantic
 # 2. deploy the configuration to all the remote host with tag `@dist-build`
 # using the ssh key we added in step 1
@@ -47,16 +47,16 @@
    "astronvim": {
      "flake": false,
      "locked": {
-        "lastModified": 1702659104,
+        "lastModified": 1705337239,
-        "narHash": "sha256-h019vKDgaOk0VL+bnAPOUoAL8VAkhY6MGDbqEy+uAKg=",
+        "narHash": "sha256-jF+D2CdnSJ5at9HYrDGHKYodVL4VBdqA94OPBu4ESUo=",
        "owner": "AstroNvim",
        "repo": "AstroNvim",
-        "rev": "271c9c3f71c2e315cb16c31276dec81ddca6a5a6",
+        "rev": "c58489a292fc2ebbc662c54a45213b01f7401f41",
        "type": "github"
      },
      "original": {
        "owner": "AstroNvim",
-        "ref": "v3.40.3",
+        "ref": "v3.41.2",
        "repo": "AstroNvim",
        "type": "github"
      }
@@ -102,11 +102,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1700795494,
+        "lastModified": 1673295039,
-        "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
+        "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
        "owner": "lnl7",
        "repo": "nix-darwin",
-        "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
+        "rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
        "type": "github"
      },
      "original": {
@@ -151,11 +151,11 @@
    "flake-compat_2": {
      "flake": false,
      "locked": {
-        "lastModified": 1673956053,
+        "lastModified": 1696426674,
-        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
        "owner": "edolstra",
        "repo": "flake-compat",
-        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
        "type": "github"
      },
      "original": {
@@ -206,6 +206,24 @@
        "type": "github"
      }
    },
    "flake-parts_3": {
      "inputs": {
        "nixpkgs-lib": "nixpkgs-lib"
      },
      "locked": {
        "lastModified": 1704982712,
        "narHash": "sha256-2Ptt+9h8dczgle2Oo6z5ni5rt/uLMG47UFTR1ry/wgg=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
        "rev": "07f6395285469419cf9d078f59b5b49993198c00",
        "type": "github"
      },
      "original": {
        "owner": "hercules-ci",
        "repo": "flake-parts",
        "type": "github"
      }
    },
    "flake-utils": {
      "inputs": {
        "systems": "systems_2"
@@ -265,11 +283,11 @@
        "systems": "systems_5"
      },
      "locked": {
-        "lastModified": 1685518550,
+        "lastModified": 1701680307,
-        "narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=",
+        "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef",
+        "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
        "type": "github"
      },
      "original": {
@@ -330,11 +348,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1660459072,
+        "lastModified": 1703887061,
-        "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
+        "narHash": "sha256-gGPa9qWNc6eCXT/+Z5/zMkyYOuRZqeFZBDbopNZQkuY=",
        "owner": "hercules-ci",
        "repo": "gitignore.nix",
-        "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
+        "rev": "43e1aa1308018f37118e34d3a9cb4f5e75dc11d5",
        "type": "github"
      },
      "original": {
@@ -351,11 +369,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1703026685,
+        "lastModified": 1682203081,
-        "narHash": "sha256-AkualfMbc40HkDR2AZc6u71pcap50wDQOXFCY1ULDUA=",
+        "narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "efc177c15f2a8bb063aeb250fe3c7c21e1de265e",
+        "rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1",
        "type": "github"
      },
      "original": {
@@ -371,16 +389,16 @@
        ]
      },
      "locked": {
-        "lastModified": 1702814678,
+        "lastModified": 1705823474,
-        "narHash": "sha256-zDtO0jV2QLoddUJinLlTQrQqCUW3dPiIWOSYgg98T7E=",
+        "narHash": "sha256-2C4uRe9/U3QwSPC4dYKM1/njgCQk0Mltezy4VcjAqa4=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "1488651d02c1a7a15e284210f0d380a62d8d8cef",
+        "rev": "928f2528f9ee952ba0a47bbb1ece8d93ed66e784",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
-        "ref": "release-23.11",
+        "ref": "master",
        "repo": "home-manager",
        "type": "github"
      }
@@ -437,11 +455,11 @@
    },
    "impermanence": {
      "locked": {
-        "lastModified": 1702984171,
+        "lastModified": 1703656108,
-        "narHash": "sha256-reIUBrUXibohXmvXRsgpvtlCE0QQSvWSA+qQCKohgR0=",
+        "narHash": "sha256-hCSUqdFJKHHbER8Cenf5JRzjMlBjIdwdftGQsO0xoJs=",
        "owner": "nix-community",
        "repo": "impermanence",
-        "rev": "123e94200f63952639492796b8878e588a4a2851",
+        "rev": "033643a45a4a920660ef91caa391fbffb14da466",
        "type": "github"
      },
      "original": {
@@ -497,10 +515,10 @@
    "mysecrets": {
      "flake": false,
      "locked": {
-        "lastModified": 1703697935,
+        "lastModified": 1706343244,
-        "narHash": "sha256-tRwFFk6ICMlVAv8Ko4MV7FObX/cSeiZis2FcIFlw8uQ=",
+        "narHash": "sha256-olsr5nbejNWQtErhLQyLBo1QPuwu1px1SQrQPp1UAUo=",
        "ref": "refs/heads/main",
-        "rev": "a5143705420a687ad535fdcff4765ee409d6e494",
+        "rev": "bbf5d71fa9c3c03022c77c170dbc8c95f407f916",
        "shallow": true,
        "type": "git",
        "url": "ssh://git@github.com/ryan4yin/nix-secrets.git"
@@ -518,11 +536,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1700795494,
+        "lastModified": 1705796049,
-        "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
+        "narHash": "sha256-zkqbujNu3ixEar79QJTpJeOG5MYse1uJdcjl9f96uBg=",
        "owner": "lnl7",
        "repo": "nix-darwin",
-        "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
+        "rev": "3ac7acd32db4f7111015e8d5349ff6067df01bf6",
        "type": "github"
      },
      "original": {
@@ -531,6 +549,25 @@
        "type": "github"
      }
    },
    "nix-gaming": {
      "inputs": {
        "flake-parts": "flake-parts_3",
        "nixpkgs": "nixpkgs"
      },
      "locked": {
        "lastModified": 1705886383,
        "narHash": "sha256-AXP+WRbsyCYdT0AQNHEBvblMed64oV2siReHwK+BmRk=",
        "owner": "fufexan",
        "repo": "nix-gaming",
        "rev": "620f74d52371e5fbbd8c6d6dae3b3b36de26d1f7",
        "type": "github"
      },
      "original": {
        "owner": "fufexan",
        "repo": "nix-gaming",
        "type": "github"
      }
    },
    "nixlib": {
      "locked": {
        "lastModified": 1693701915,
@@ -554,11 +591,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1701689616,
+        "lastModified": 1705400161,
-        "narHash": "sha256-ewnfgvRy73HoP5KnYmy1Rcr4m4yShvsb6TCCaKoW8pc=",
+        "narHash": "sha256-0MFaNIwwpVWB1N9m7cfHAM2pSVtYESQ7tlHxnDTOhM4=",
        "owner": "nix-community",
        "repo": "nixos-generators",
-        "rev": "246219bc21b943c6f6812bb7744218ba0df08600",
+        "rev": "521fb4cdd8a2e1a00d1adf0fea7135d1faf04234",
        "type": "github"
      },
      "original": {
@@ -569,11 +606,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1702453208,
+        "lastModified": 1705312285,
-        "narHash": "sha256-0wRi9SposfE2wHqjuKt8WO2izKB/ASDOV91URunIqgo=",
+        "narHash": "sha256-rd+dY+v61Y8w3u9bukO/hB55Xl4wXv4/yC8rCGVnK5U=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "7763c6fd1f299cb9361ff2abf755ed9619ef01d6",
+        "rev": "bee2202bec57e521e3bd8acd526884b9767d7fa0",
        "type": "github"
      },
      "original": {
@@ -585,7 +622,7 @@
    },
    "nixos-licheepi4a": {
      "inputs": {
-        "nixpkgs": "nixpkgs",
+        "nixpkgs": "nixpkgs_2",
        "thead-kernel": "thead-kernel"
      },
      "locked": {
@@ -606,7 +643,7 @@
      "inputs": {
        "flake-utils": "flake-utils_2",
        "mesa-panfork": "mesa-panfork",
-        "nixpkgs": "nixpkgs_2",
+        "nixpkgs": "nixpkgs_3",
        "pre-commit-hooks": "pre-commit-hooks"
      },
      "locked": {
@@ -625,27 +662,27 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1691280485,
+        "lastModified": 1705697961,
-        "narHash": "sha256-/8Ct9092OC1TTNzHgbcE9ejQdS2QxZYGqrWXEwUxdtQ=",
+        "narHash": "sha256-XepT3WS516evSFYkme3GrcI3+7uwXHqtHbip+t24J7E=",
-        "owner": "nixos",
+        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "240472b7e47a641e9e7675f58b64d3626ca7824d",
+        "rev": "e5d1c87f5813afde2dda384ac807c57a105721cc",
        "type": "github"
      },
      "original": {
-        "owner": "nixos",
+        "owner": "NixOS",
-        "ref": "nixos-23.05-small",
+        "ref": "nixpkgs-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-darwin": {
      "locked": {
-        "lastModified": 1702982572,
+        "lastModified": 1705641746,
-        "narHash": "sha256-IlpMK/1fNRgGzcMr5KUfyBDqoviyIAqTPA2dsWL/jT4=",
+        "narHash": "sha256-D6c2aH8HQbWc7ZWSV0BUpFpd94ImFyCP8jFIsKQ4Slg=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "ca145534ebd23811ba134772592fedc2f9a17a95",
+        "rev": "d2003f2223cbb8cd95134e4a0541beea215c1073",
        "type": "github"
      },
      "original": {
@@ -655,6 +692,24 @@
        "type": "github"
      }
    },
    "nixpkgs-lib": {
      "locked": {
        "dir": "lib",
        "lastModified": 1703961334,
        "narHash": "sha256-M1mV/Cq+pgjk0rt6VxoyyD+O8cOUiai8t9Q6Yyq4noY=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "b0d36bd0a420ecee3bc916c91886caca87c894e9",
        "type": "github"
      },
      "original": {
        "dir": "lib",
        "owner": "NixOS",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-stable": {
      "locked": {
        "lastModified": 1678872516,
@@ -673,27 +728,43 @@
    },
    "nixpkgs-stable_2": {
      "locked": {
-        "lastModified": 1685801374,
+        "lastModified": 1705641746,
-        "narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=",
+        "narHash": "sha256-D6c2aH8HQbWc7ZWSV0BUpFpd94ImFyCP8jFIsKQ4Slg=",
        "owner": "nixos",
        "repo": "nixpkgs",
        "rev": "d2003f2223cbb8cd95134e4a0541beea215c1073",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
        "ref": "nixos-23.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-stable_3": {
      "locked": {
        "lastModified": 1704874635,
        "narHash": "sha256-YWuCrtsty5vVZvu+7BchAxmcYzTMfolSPP5io8+WYCg=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "c37ca420157f4abc31e26f436c1145f8951ff373",
+        "rev": "3dc440faeee9e889fe2d1b4d25ad0f430d449356",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-23.05",
+        "ref": "nixos-23.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1702830618,
+        "lastModified": 1705677747,
-        "narHash": "sha256-lvhwIvRwhOLgzbRuYkqHy4M5cQHYs4ktL6/hyuBS6II=",
+        "narHash": "sha256-eyM3okYtMgYDgmYukoUzrmuoY4xl4FUujnsv/P6I/zI=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "91a00709aebb3602f172a0bf47ba1ef013e34835",
+        "rev": "bbe7d8f876fbbe7c959c90ba2ae2852220573261",
        "type": "github"
      },
      "original": {
@@ -704,6 +775,22 @@
      }
    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1691280485,
        "narHash": "sha256-/8Ct9092OC1TTNzHgbcE9ejQdS2QxZYGqrWXEwUxdtQ=",
        "owner": "nixos",
        "repo": "nixpkgs",
        "rev": "240472b7e47a641e9e7675f58b64d3626ca7824d",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
        "ref": "nixos-23.05-small",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_3": {
      "locked": {
        "lastModified": 1691486536,
        "narHash": "sha256-W2jYTn6rNiJEpjXkOiZxNltgxxwgeZE5cQ967NgsrHU=",
@@ -719,23 +806,23 @@
        "type": "github"
      }
    },
-    "nixpkgs_3": {
+    "nixpkgs_4": {
      "locked": {
-        "lastModified": 1702921762,
+        "lastModified": 1705677747,
-        "narHash": "sha256-O/rP7gulApQAB47u6szEd8Pn8Biw0d84j5iuP2tcxzY=",
+        "narHash": "sha256-eyM3okYtMgYDgmYukoUzrmuoY4xl4FUujnsv/P6I/zI=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "d02ffbbe834b5599fc5f134e644e49397eb07188",
+        "rev": "bbe7d8f876fbbe7c959c90ba2ae2852220573261",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
-        "ref": "nixos-23.11",
+        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
-    "nixpkgs_4": {
+    "nixpkgs_5": {
      "locked": {
        "lastModified": 1701436327,
        "narHash": "sha256-tRHbnoNI8SIM5O5xuxOmtSLnswEByzmnQcGGyNRjxsE=",
@@ -749,7 +836,7 @@
        "url": "https://flakehub.com/f/NixOS/nixpkgs/0.1.%2A.tar.gz"
      }
    },
-    "nixpkgs_5": {
+    "nixpkgs_6": {
      "locked": {
        "lastModified": 1702921762,
        "narHash": "sha256-O/rP7gulApQAB47u6szEd8Pn8Biw0d84j5iuP2tcxzY=",
@@ -767,7 +854,7 @@
    },
    "nuenv": {
      "inputs": {
-        "nixpkgs": "nixpkgs_4",
+        "nixpkgs": "nixpkgs_5",
        "rust-overlay": "rust-overlay_2"
      },
      "locked": {
@@ -786,14 +873,14 @@
    },
    "nur-ryan4yin": {
      "inputs": {
-        "nixpkgs": "nixpkgs_5"
+        "nixpkgs": "nixpkgs_6"
      },
      "locked": {
-        "lastModified": 1703782686,
+        "lastModified": 1705366605,
-        "narHash": "sha256-nZ8eWb4NYAHn02eUF+PUgdx77vWOmtVxYHKC3eai0FM=",
+        "narHash": "sha256-dtqRDMUIHENtk+phT2ZlMpvjwoL/NSqooYUHGzbTYAI=",
        "owner": "ryan4yin",
        "repo": "nur-packages",
-        "rev": "189eb3df8734c698edc5664f0a3bae68ece2a8dd",
+        "rev": "5d78b74e08398b02344edd462c1cf95febab841e",
        "type": "github"
      },
      "original": {
@@ -890,14 +977,14 @@
        "nixpkgs": [
          "nixpkgs"
        ],
-        "nixpkgs-stable": "nixpkgs-stable_2"
+        "nixpkgs-stable": "nixpkgs-stable_3"
      },
      "locked": {
-        "lastModified": 1702456155,
+        "lastModified": 1705757126,
-        "narHash": "sha256-I2XhXGAecdGlqi6hPWYT83AQtMgL+aa3ulA85RAEgOk=",
+        "narHash": "sha256-Eksr+n4Q8EYZKAN0Scef5JK4H6FcHc+TKNHb95CWm+c=",
        "owner": "cachix",
        "repo": "pre-commit-hooks.nix",
-        "rev": "007a45d064c1c32d04e1b8a0de5ef00984c419bc",
+        "rev": "f56597d53fd174f796b5a7d3ee0b494f9e2285cc",
        "type": "github"
      },
      "original": {
@@ -918,12 +1005,14 @@
        "lanzaboote": "lanzaboote",
        "mysecrets": "mysecrets",
        "nix-darwin": "nix-darwin",
        "nix-gaming": "nix-gaming",
        "nixos-generators": "nixos-generators",
        "nixos-hardware": "nixos-hardware",
        "nixos-licheepi4a": "nixos-licheepi4a",
        "nixos-rk3588": "nixos-rk3588",
-        "nixpkgs": "nixpkgs_3",
+        "nixpkgs": "nixpkgs_4",
        "nixpkgs-darwin": "nixpkgs-darwin",
        "nixpkgs-stable": "nixpkgs-stable_2",
        "nixpkgs-unstable": "nixpkgs-unstable",
        "nuenv": "nuenv",
        "nur-ryan4yin": "nur-ryan4yin",
@@ -42,21 +42,25 @@
            hooks = {
              alejandra.enable = true; # formatter
              # deadnix.enable = true; # detect unused variable bindings in `*.nix`
-              statix.enable = true; # lints and suggestions for Nix code(auto suggestions)
+              # statix.enable = true; # lints and suggestions for Nix code(auto suggestions)
-              prettier = {
+              # prettier = {
-                enable = true;
+              #   enable = true;
-                excludes = [".js" ".md" ".ts"];
+              #   excludes = [".js" ".md" ".ts"];
-              };
+              # };
            };
          };
        }
      );
      devShells = forEachSystem (
-        system: {
+        system: let
-          default = nixpkgs.legacyPackages.${system}.mkShell {
+          pkgs = nixpkgs.legacyPackages.${system};
-            packages = [
+        in {
          default = pkgs.mkShell {
            packages = with pkgs; [
              # fix https://discourse.nixos.org/t/non-interactive-bash-errors-from-flake-nix-mkshell/33310
-              nixpkgs.legacyPackages.${system}.bashInteractive
+              bashInteractive
              # fix `cc` replaced by clang, which causes nvim-treesitter compilation error
              gcc
            ];
            name = "dots";
            shellHook = ''
@@ -75,11 +79,13 @@
    extra-substituters = [
      "https://anyrun.cachix.org"
      "https://hyprland.cachix.org"
      "https://nix-gaming.cachix.org"
      # "https://nixpkgs-wayland.cachix.org"
    ];
    extra-trusted-public-keys = [
      "anyrun.cachix.org-1:pqBobmOjI7nKlsUMV25u9QHa9btJK65/C8vnO3p346s="
      "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
      "nix-gaming.cachix.org-1:nbjlureqMbRAxR1gJ/f3hxemL9svXaZF/Ees8vCUUs4="
      # "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
    ];
  };
@@ -91,9 +97,9 @@
    # which represents the GitHub repository URL + branch/commit-id/tag.
    # Official NixOS package source, using nixos's stable branch by default
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
    # nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
    nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-23.11";
    # for macos
    nixpkgs-darwin.url = "github:nixos/nixpkgs/nixpkgs-23.11-darwin";
@@ -105,8 +111,8 @@
    # home-manager, used for managing user configuration
    home-manager = {
-      url = "github:nix-community/home-manager/release-23.11";
+      # url = "github:nix-community/home-manager/release-23.11";
-      # url = "github:nix-community/home-manager/master";
+      url = "github:nix-community/home-manager/master";
      # The `follows` keyword in inputs is used for inheritance.
      # Here, `inputs.nixpkgs` of home-manager is kept consistent with the `inputs.nixpkgs` of the current flake,
@@ -148,6 +154,8 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nix-gaming.url = "github:fufexan/nix-gaming";
    # add git hooks to format nix code before commit
    pre-commit-hooks = {
      url = "github:cachix/pre-commit-hooks.nix";
@@ -160,7 +168,7 @@
    # AstroNvim is an aesthetic and feature-rich neovim config.
    astronvim = {
-      url = "github:AstroNvim/AstroNvim/v3.40.3";
+      url = "github:AstroNvim/AstroNvim/v3.41.2";
      flake = false;
    };
    # doom-emacs is a configuration framework for GNU Emacs.
@@ -11,7 +11,6 @@
      ssm-session-manager-plugin # Amazon SSM Session Manager Plugin
      aws-iam-authenticator
      eksctl
      istioctl
      # aliyun
      aliyun-cli
@@ -1,14 +0,0 @@
 {
  pkgs,
  pkgs-unstable,
  ...
 }: {
  home.packages = with pkgs; [
    skopeo
    docker-compose
    dive # explore docker layers
  ];
  programs = {
  };
 }
@@ -31,13 +31,13 @@
      # misc
      pkgs-unstable.devbox
      glow # markdown previewer
      fzf
      gdu # disk usage analyzer, required by AstroNvim
      bfg-repo-cleaner # remove large files from git history
      k6 # load testing tool
      protobuf # protocol buffer compiler
      nix-init # generate nix package from url
      # solve coding extercises - learn by doing
      exercism
    ]
    ++ (
      if pkgs.stdenv.isLinux
@@ -8,6 +8,7 @@
 The Language Server Protocol (LSP) is an open, JSON-RPC-based protocol for use between source code editors or integrated development environments (IDEs) and servers that provide programming language-specific features like:
 - motions such as go-to-definition, find-references, hover.
 - **code completion**
 - **marking of warnings and errors**
 - **refactoring routines**
@@ -8,13 +8,26 @@ My editors:
 And `Zellij` for a smooth and stable terminal experience.
 ## Tips
 1. Many useful keys are already provided by vim, check vim/neovim's docs before you install a new plugin / reinvent the wheel.
 1. After using Emacs/Neovim more skillfully, I strongly recommend that you read the official documentation of Neovim/vim:
   1. <https://vimhelp.org/>: The official vim documentation.
   1. <https://neovim.io/doc/user/>: Neovim's official user documentation.
 1. Use Zellij for terminal related operations, and use Neovim/Helix for editing.
 1. As for Emacs, Use its GUI version & terminal emulator `vterm` for terminal related operations.
 1. Two powerful file search & jump tools:
 1. Tree-view plugins are beginner-friendly and intuitive, but they're not very efficient.
 1. **Search by the file path**: Useful when you're familiar with the project structure, especially on a large project.
 1. **Search by the content**: Useful when you're familiar with the code.
 ## Tutorial
 Type `:tutor`(`:Tutor` in Neovim) to learn the basics usage of vim/neovim.
 ## VIM's Cheetsheet
-> Here only record my commonly used keyboard keys, to see **a more comprehensive cheetsheet**: <https://github.com/rtorr/vim-cheat-sheet>
+> Here only record my commonly used keys, to see **a more comprehensive cheetsheet**: <https://vimhelp.org/quickref.txt.html>
 Both Emacs-Evil & Neovim are compatible with vim, sothe key-bindings described here are common in both Emacs-Evil, Neovim & vim.
@@ -27,36 +40,66 @@ I mainly use Zellij for terminal related operations, here is its terminal shortc
 | Floating Terminal         | `Ctrl + p + w`    |
 | Horizontal Split Terminal | `Ctrl + p + d`    |
 | Vertical Split Terminal   | `Ctrl + p + n`    |
 | Execute a command         | `!xxx`            |
 ### File Management
 > <https://neovim.io/doc/user/usr_22.html>
 > <https://vimhelp.org/editing.txt.html>
 | Action                              |                                                  |
-| --------------------------------- | -------------------------------------------- |
+| ----------------------------------- | ------------------------------------------------ |
 | Save selected text to a file        | `:w filename` (Will show `:'<,'>w filename`)     |
 | Save and close the current buffer   | `:wq`                                            |
 | Save all buffers                    | `:wa`                                            |
 | Save and close all buffers          | `:wqa`                                           |
 | Edit a file                         | `:e filename`(or `:e <TAB>` to show a file list) |
 | Browse the file list                | `:Ex` or `:e .`                                  |
 | Discard changes and reread the file | `:e!`                                            |
 ### Motion
 > https://vimhelp.org/motion.txt.html
 | Action                                              | Command                                            |
 | --------------------------------------------------- | -------------------------------------------------- |
 | Move to the start/end of the buffer                 | `gg`/`G`                                           |
 | Move the line number 5                              | `5gg` / `5G`                                       |
 | Move left/down/up/right                             | h/j/k/l or `5h`/`5j`/`5k`/`5l` or `Ctr-n`/`Ctrl-p` |
 | Move to the matchpairs, default to `()`, `{}`, `[]` | `%`                                                |
 | Move to the start/end of the line                   | `0` / `$`                                          |
 | Move a sentence forward/backward                    | `(` / `)`                                          |
 | Move a paragraph forward/backward                   | `{` / `}`                                          |
 | Move a section forward/backward                     | `[[` / `]]`                                        |
 | Jump to various positions                           | `'` + some other keys(neovim has prompt)           |
 Text Objects:
 - **sentence**: text ending at a '.', '!' or '?' followed by either the end of a line, or by a space or tab.
 - **paragraph**: text ending at a blank line.
 - **section**: text starting with a section header and ending at the start of the next section header (or at the end of the file). - The "`]]`" and "`[[`" commands stop at the '`{`' in the first column. This is
  useful to find the start of a function in a C/Go/Java/... program.
 ### Text Manipulation
 Basics:
 | Action                                  |                            |
-| --------------------------------------------------- | ------------------------------ |
+| --------------------------------------- | -------------------------- |
 | Move to the start/end of the buffer                 | `gg`/`G`                       |
 | Move the line number 5                              | `5gg` / `5G`                   |
 | Move left/down/up/right                             | h/j/k/l or `5h`/`5j`/`5k`/`5l` |
 | Move to the matchpairs, default to `()`, `{}`, `[]` | `%`                            |
 | Delete the current character            | `x`                        |
 | Paste the copied text                   | `p`                        |
 | Delete the selection                    | `d`                        |
 | Undo the last word                      | `CTRL-w`(in insert mode)   |
 | Undo the last line                      | `CTRL-u`(in insert mode)   |
 | Undo the last change                    | `u`                        |
 | Redo the last change                    | `Ctrl + r`                 |
-
+| Inserts the text of the previous insert | `Ctrl + a`                 |
-Convert Text Cases:
+| Repeat the last command                 | `.`                        |
 | Toggle text's case                      | `~`                        |
-| Convert to uppercase | `U` |
+| Convert to uppercase                    | `U` (visual mode)          |
-| Convert to lowercase | `u` |
+| Convert to lowercase                    | `u` (visual mode)          |
 | Align the selected conent               | `:center`/`:left`/`:right` |
 Misc:
@@ -73,9 +116,9 @@ Misc:
 | Action                                                                    |                |
 | ------------------------------------------------------------------------- | -------------- |
 | Sort tye selected lines                                                   | `:sort`        |
 | Join Selection of Lines With Space                                        | `:join` or `J` |
 | Join without spaces                                                       | `:join!`       |
 | Move to the start/end of the line                                         | `0` / `$`      |
 | Enter Insert mode at the start/end of the line                            | `I` / `A`      |
 | Delete from the cursor to the end of the line                             | `D`            |
 | Delete from the cursor to the end of the line, and then enter insert mode | `C`            |
@@ -112,11 +155,11 @@ Advance Techs:
 ### Find and Replace
 | Action                           | Command                             |
-| ------------------------ | ----------------------------------- |
+| -------------------------------- | ----------------------------------- |
 | Replace in selected area         | `:s/old/new/g`                      |
 | Replace in current line          | Same as above                       |
-| Replace in whole file    | `:% s/old/new/g`                    |
+| Replace all the lines            | `:% s/old/new/g`                    |
-| Replace with regex       | `:% s@\vhttp://(\w+)@https://\1@gc` |
+| Replace all the lines with regex | `:% s@\vhttp://(\w+)@https://\1@gc` |
 1. `\v` means means that in the regex pattern after it can be used without backslash escaping(similar to python's raw string).
 2. `\1` means the first matched group in the pattern.
@@ -127,6 +170,7 @@ Advance Techs:
 | ----------------------------------------- | -------------------------------------- |
 | From the 10th line to the end of the file | `:10,$ s/old/new/g` or `:10,$ s@^@#@g` |
 | From the 10th line to the 20th line       | `:10,20 s/old/new/g`                   |
 | Remove the trailing spaces                | `:% s/\s\+$//g`                        |
 The postfix(flags) in the above commands:
@@ -136,15 +180,27 @@ The postfix(flags) in the above commands:
 ### Buffers, Windows and Tabs
 > <https://neovim.io/doc/user/usr_08.html>
 > <https://vimhelp.org/windows.txt.html>
 - A buffer is the in-memory text of a file.
 - A window is a viewport on a buffer.
 - A tab page is a collection of windows.
 | Action                              | Command                             |
 | ----------------------------------- | ----------------------------------- |
 | Split the window horizontally       | `:sp[lit]` or `:sp filename`        |
 | Split the window horizontally       | `:vs[plit]` or `:vs filename`       |
 | Switch to the next/previous window  | `Ctrl-w + w` or `Ctrl-w + h/j/k/l`  |
 | Show all buffers                    | `:ls`                               |
 | show next/previous buffer           | `]b`/`[b` or `:bn[ext]` / `bp[rev]` |
 | Split the window horizontally       | `:sp[lit]`                               |
 | Split the window horizontally       | `:vs[plit]`                              |
 | New Tab(New Workspace in DoomEmacs) | `:tabnew`                           |
 | Next/Previews Tab                   | `gt`/`gT`                           |
 ### History
 | Action                   | Command |
 | ------------------------ | ------- |
 | Show the command history | `q:`    |
 | Show the search history  | `q/`    |
@@ -10,7 +10,7 @@
 Some plugins:
 - Emacs
-    - [parinfer-rust-mode](https://github.com/justinbarclay/parinfer-rust-mode)
+    - [parinfer-rusT-mode](https://github.com/justinbarclay/parinfer-rust-mode)
 - Neovim
    - [parinfer-rust](https://github.com/eraserhd/parinfer-rust)
    - <https://github.com/Olical/conjure>
@@ -48,9 +48,22 @@ jsut emacs-purge
 just emacs-reload
 # clear test data
-just emacs-clear
+just emacs-clean
 ```
 ## Limits
 - It's too slow to start up and install(compile/build) packages.
  - I have to use emacs in daemon/client mode to avoid this issue.
 - It's too large in size, not suitable for servers.
  - So vim/neovim is still the best choice for servers.
 - Emacs's markdown-mode works not well with tables, see:
  - https://github.com/jrblevin/markdown-mode/issues/380
 - I use git command frequently, but doomemacs only autoupdates status of git diff / treemacs when using magit.
  - I have to learn magit to avoid this issue...
 - GitHub's orgmode support is not well, Markdown is better for GitHub.
  - Use markdown for repo's README.md, and use orgmode for my personal notes and docs only.
 ## Cheetsheet
 Here is the cheetsheet related to my DoomEmacs configs. Please read vim's common cheetsheet at [../README.md](../README.md) before reading the following.
@@ -64,6 +77,7 @@ Here is the cheetsheet related to my DoomEmacs configs. Please read vim's common
 | Popup Terminal(vterm)  | `SPC + o + t`                                     |
 | Open Terminal          | `SPC + o + T`                                     |
 | Open file tree sidebar | `SPC + o + p`                                     |
 | Frame fullscreen       | `SPC + t + F`                                     |
 | Exit                   | `M-x C-c`                                         |
 | Execute Command        | `M-x`(hold on `Alt`/`option`, and then press `x`) |
 | Eval Lisp Code         | `M-:`(hold on `Alt`/`option`, and then press `:`) |
@@ -153,7 +167,7 @@ SPC s p foo C-; E C-c C-p :%s/foo/bar/g RET Z Z
 > easily switch between projects without exit emacs!
-| Action                     |               |
+| Action                     | Shortcut      |
 | -------------------------- | ------------- |
 | Switch between projects    | `SPC + p + p` |
 | Browse the current project | `SPC + p + .` |
@@ -163,10 +177,47 @@ SPC s p foo C-; E C-c C-p :%s/foo/bar/g RET Z Z
 > Very useful when run emacs in daemon/client modes
-| Action                      |                             |
+| Action                      | Shortcut                    |
 | --------------------------- | --------------------------- |
 | Switch between workspaces   | `M-1/2/3/...`(Alt-1/2/3/..) |
 | New Workspace               | `SPC + TAB + n`             |
 | New Named Workspace         | `SPC + TAB + N`             |
 | Delete Workspace            | `SPC + TAB + d`             |
 | Display Workspaces bar blow | `SPC + TAB + TAB`           |
 ### Magit
 > https://github.com/magit/magit
 Magit is a powerful tool that make git operations easy and intuitive.
 | Action                   | Shortcut                 |
 | ------------------------ | ------------------------ |
 | Open Magit               | `C-x g` or `SPC + g + g` |
 | Switch branch            | `SPC + g + b`            |
 | Show buffer's commit log | `SPC + g + L`            |
 Shortcuts in magit's pane:
 > When run `git commit` / `git add` / `git push` /... via magit, multiple Arguments can be set.
 > Set arguments won't trigger a git command immediately. Magit will try to run a git command only after an Action key is pressed.
 | Action                                             | Shortcut                                      |
 | -------------------------------------------------- | --------------------------------------------- |
 | Quit the current Magit pane                        | `q`                                           |
 | Show log                                           | `l`                                           |
 | Show current branch's log                          | `l + l`                                       |
 | Show current reflog                                | `l + r`                                       |
 | Commit                                             | `c`                                           |
 | Stage                                              | `s`                                           |
 | Unstage                                            | `u`                                           |
 | Push                                               | `p`                                           |
 | Pull                                               | `f`                                           |
 | Rebase                                             | `r`                                           |
 | Rebase Interactively                               | `r + i`, select on a commit, then `C-c + C-c` |
 | Stash                                              | `z`                                           |
 | Merge                                              | `m`                                           |
 | Fold/Unfold                                        | `TAB`                                         |
 | Show details of the current unit(commit/stage/...) | `<ENTER>`                                     |
 KeyBinding full list: <https://github.com/emacs-evil/evil-collection/tree/master/modes/magit#key-bindings>
@@ -43,6 +43,7 @@ in {
        ## Optional dependencies
        fd # faster projectile indexing
        imagemagick # for image-dired
        fd # faster projectile indexing
        zstd # for undo-fu-session/undo-tree compression
        # go-mode
@@ -64,19 +65,11 @@ in {
      home.shellAliases = shellAliases;
      programs.nushell.shellAliases = shellAliases;
      # allow fontconfig to discover fonts and configurations installed through `home.packages`
      fonts.fontconfig.enable = true;
      xdg.configFile."doom" = {
        source = ./doom;
        force = true;
      };
      xdg.configFile."emacs/lsp-bridge-user-langserver" = {
        source = ./lsp-bridge-user-langserver;
        force = true;
      };
      home.activation.installDoomEmacs = lib.hm.dag.entryAfter ["writeBoundary"] ''
        ${pkgs.rsync}/bin/rsync -avz --chmod=D2755,F744 ${doomemacs}/ ${config.xdg.configHome}/emacs/
@@ -96,50 +96,21 @@
 ;; You can also try 'gd' (or 'C-c c d') to jump to their definition and see how
 ;; they are implemented.
 ;; fix vterm's color
 (set-face-attribute 'vterm-color-default nil :foreground fg)                            
 (set-face-attribute 'vterm-color-black nil   :background base0   :foreground base0)     
 (set-face-attribute 'vterm-color-red nil     :background red     :foreground red)       
 (set-face-attribute 'vterm-color-green nil   :background green   :foreground green)     
 (set-face-attribute 'vterm-color-yellow nil  :background yellow  :foreground yellow)    
 (set-face-attribute 'vterm-color-blue nil    :background blue    :foreground blue)      
 (set-face-attribute 'vterm-color-magenta nil :background magenta :foreground magenta)   
 (set-face-attribute 'vterm-color-cyan nil    :background cyan    :foreground cyan)      
 (set-face-attribute 'vterm-color-white nil   :background base8   :foreground base8)     
 (after! vterm
  (setq vterm-shell "nu")) ; use nushell by defualt
 (use-package! lsp-bridge
  :config
  (setq lsp-bridge-enable-log nil)  ;; disabled for performance
  ;; for user's custom langserver file
  (setq lsp-bridge-user-langserver-dir "~/.config/emacs/lsp-bridge-user-langserver")
  (setq lsp-bridge-enable-auto-format-code 1)
  (global-lsp-bridge-mode))
 (use-package! wakatime-mode :ensure t)
 ;; fully enable tree-sitter highlighting
 (after! tree-sitter
  (setq +tree-sitter-hl-enabled-modes t))
 ;; fix: https://github.com/jrblevin/markdown-mode/issues/380
 ;; even add this one, editing a large markdown table is still very slow.
 ;; so avoid editing large markdown file in emacs, use neovim instead...
 (after! markdown-mode
  (global-font-lock-mode 0))
 ;; use alejandra to format nix files
-;; (use-package! lsp-nix
+(use-package! lsp-nix
-;;   :ensure lsp-mode
+  :ensure lsp-mode
-;;   :after
+  :after
-;;   (lsp-mode)
+  (lsp-mode)
-;;   :demand t
+  :demand t
-;;   :custom
+  :custom
-;;   (lsp-nix-nil-formatter
+  (lsp-nix-nil-formatter
-;;    ["alejandra"]))
+   ["alejandra"]))
 (use-package! nushell-mode
  :config
  (setq nushell-enable-auto-indent 1))
 (after! vterm
  (setq vterm-shell "nu")) ; use nushell by defualt
 ;; emacs-rime
 (use-package! rime
@@ -177,3 +148,28 @@
 (add-hook 'fennel-mode-hook         #'turn-off-smartparens-mode)
 (add-hook 'hy-mode-hook             #'turn-off-smartparens-mode)
 ;; auto-save
 (use-package super-save
  :ensure t
  :config
  (super-save-mode +1)
  (setq super-save-auto-save-when-idle t)
  (setq auto-save-default nil))
 ;; save on find-file
 (add-to-list 'super-save-hook-triggers 'find-file-hook)
 (use-package! copilot
  :hook
  (prog-mode . copilot-mode)
  :bind
  (:map copilot-completion-map
        ("<tab>" . 'copilot-accept-completion)
        ("TAB" . 'copilot-accept-completion)
        ("C-TAB" . 'copilot-accept-completion-by-word)
        ("C-<tab>" . 'copilot-accept-completion-by-word))
  :config
  (copilot-mode +1))
 (use-package! wakatime-mode :ensure t)
@@ -61,7 +61,7 @@
       (format +onsave)
                                        ; automated prettiness
       ;; multiple-cursors  ; editing in many places at once
-       ;; objed             ; text object editing for the innocent
+       ;; objed             ; text object editing for the innocent, conflict with parinfer
       parinfer          ; turn lisp into python, sort of, conflict with copilot/objed/smartparens
       ;;rotate-text       ; cycle region at point between text candidates
       snippets   ; my elves. They type so I don't have to
@@ -98,7 +98,7 @@
       (eval +overlay)
                                        ; run code, run (also, repls)
       lookup                   ; navigate your code and its documentation
-       ;; lsp    ; lsp-mode, conflict with lsp-bridge
+       lsp    ; lsp-mode, conflict with lsp-bridge
       magit                    ; a git porcelain for Emacs
       ;;make              ; run make tasks from Emacs
       ;;pass              ; password manager for nerds
@@ -117,7 +117,7 @@
       :lang
       ;;agda              ; types of types of types of types...
       ;;beancount         ; mind the GAAP
-       (cc +tree-sitter)
+       (cc +lsp +tree-sitter)
                                        ; C > C++ == 1
       ;;clojure           ; java with a lisp
       ;;common-lisp       ; if you've seen one lisp, you've seen them all
@@ -138,17 +138,17 @@
       ;;fsharp            ; ML stands for Microsoft's Language
       ;;fstar             ; (dependent) types and (monadic) effects and Z3
       ;;gdscript          ; the language you waited for
-       (go +tree-sitter)  ;; disable go-mode, use lsp-bridge instead
+       (go +lsp +tree-sitter)  ;; disable go-mode, use lsp-bridge instead
                                        ; the hipster dialect
       ;;(graphql)    ; Give queries a REST
       ;;(haskell)    ; a language that's lazier than I am
       ;;hy                ; readability of scheme w/ speed of python
       ;;idris             ; a language you can depend on
-       (json +tree-sitter)
+       (json +lsp +tree-sitter)
                                        ; At least it ain't XML
-       (java +tree-sitter)
+       (java +lsp +tree-sitter)
                                        ; the poster child for carpal tunnel syndrome
-       (javascript +tree-sitter)
+       (javascript +lsp +tree-sitter)
                                        ; all(hope(abandon(ye(who(enter(here))))))
       ;;julia             ; a better, faster MATLAB
       ;;kotlin            ; a better, slicker Java(Script)
@@ -156,19 +156,19 @@
                                        ; writing papers in Emacs has never been so fun
       ;;lean              ; for folks with too much to prove
       ;;ledger            ; be audit you can be
-       (lua +tree-sitter)
+       (lua +lsp +tree-sitter)
                                        ; one-based indices? one-based indices
       (markdown +grip)
                                        ; writing docs for people to ignore
       ;;nim               ; python + lisp at the speed of c
-       (nix +tree-sitter)
+       (nix +lsp +tree-sitter)
                                        ; I hereby declare "nix geht mehr!"
       ;;ocaml             ; an objective camel
-       org              ; organize your plain life in plain text
+       (org +pandoc +hugo +jupyter)  ; organize your plain life in plain text
       ;;php               ; perl's insecure younger brother
       ;;plantuml          ; diagrams for confusing people more
       ;;purescript        ; javascript, but functional
-       (python +tree-sitter +pyright)
+       (python +lsp +tree-sitter +pyright)
                                        ; beautiful is better than ugly
       ;;qt                ; the 'cutest' gui framework ever
       racket           ; a DSL for DSLs
@@ -176,20 +176,20 @@
       ;;rest              ; Emacs as a REST client
       ;;rst               ; ReST in peace
       ;;(ruby +rails)     ; 1.step {|i| p "Ruby is #{i.even? ? 'love' : 'life'}"}
-       (rust +tree-sitter)
+       (rust +lsp +tree-sitter)
                                        ; Fe2O3.unwrap().unwrap().unwrap().unwrap()
       ;;scala             ; java, but good
       (scheme +guile)
                                        ; a fully conniving family of lisps
-       (sh +tree-sitter)
+       (sh +lsp +tree-sitter)
                                        ; she sells {ba,z,fi}sh shells on the C xor
       ;;sml
       ;;solidity          ; do you need a blockchain? No.
       ;;swift             ; who asked for emoji variables?
       ;;terra             ; Earth and Moon in alignment for performance.
-       (web +tree-sitter)
+       (web +lsp +tree-sitter)
                                        ; support for various web languages, including HTML5, CSS, SASS/SCSS, Pug/Jade/Slim, and more
-       (yaml +tree-sitter)
+       (yaml +lsp +tree-sitter)
                                        ; JSON, but readable
       ;;zig               ; C, but simpler
@@ -5,7 +5,7 @@
 ;; on the command line, then restart Emacs for the changes to take effect -- or
 ;; use 'M-x doom/reload'.
-(package! nerd-icons)
+(package! super-save)
 (package! rime)
 (package! wakatime-mode
  :recipe
@@ -15,15 +15,10 @@
 (package! nushell-mode :recipe
  (:host github :repo "mrkkrp/nushell-mode"))
-(when (package! lsp-bridge
+(package! copilot
-        :recipe (:host github
+  :recipe
-                 :repo "manateelazycat/lsp-bridge"
+  (:host github :repo "copilot-emacs/copilot.el" :files
-                 :branch "master"
+         ("*.el" "dist")))
                 :files ("*.el" "*.py" "acm" "core" "langserver" "multiserver" "resources")
                 ;; do not perform byte compilation or native compilation for lsp-bridge
                 :build (:not compile)))
  (package! markdown-mode)
  (package! yasnippet))
 ;; To install SOME-PACKAGE from MELPA, ELPA or emacsmirror:
 ;; (package! some-package)
@@ -1,10 +0,0 @@
 {
  "name": "nil",
  "languageId": "nix",
  "command": ["nil"],
  "settings": {
    "nil": {
      "formatting": { "command": ["alejandra"] }
    }
  }
 }
@@ -7,8 +7,20 @@ But its configuration is a bit complex, and finding the right plugins, writing c
 That's why I'm interested in Helix, Helix is similar to Neovim, but it's more opinionated, and it's batteries included.
 Whether I'll switch my main editor to Helix or not, it gives me a lot of ideas on how to improve my Neovim workflow.
 ## Tutorial
 Use `:tutor` in helix to start the tutorial.
 ## Differences between Neovim and Helixer
 1. Selecting first, then action.
    1. Helix: delete 2 word: `2w` then `x`. You can always see what you're selecting before you apply the action.
    2. Neovim: delete 2 word: `d`. then `2w`. No visual feedback before you apply the action.
 1. Helix - Morden builtin features: LSP, tree-sitter, fuzzy finder, multi cursors, surround and more.
    1. They're all available in Neovim too, but you need to find and use the right plugins manually, which takes time and effort.
 1. Helix is built in Rust from scratch. The result is a much smaller codebase and a modern set of defaults. No VimScript. No Lua.
    1. Neovim contains a lot of VimScript, and lua is too dynamic, it's hard to debug.
    1. Personally I'm glad to take a look at a Rust codebase, but not a VimScript/Lua codebase.
 1. Neovim have a very activate plugin ecosystem, and it's easy to find plugins for almost everything.
    1. Helix is still new, and it even do have a stable plugin system yet. A PR to add a plugin system is still envolving: <https://github.com/helix-editor/helix/pull/8675>
 2. Neovim has intergrated terminal, and it's very powerful. It's quite similar to VSCode's intergrated terminal. I use it a lot.
@@ -19,9 +31,11 @@ Whether I'll switch my main editor to Helix or not, it gives me a lot of ideas o
 1. Helix do not have a tree-view panel, it's recommended to use Yazi/ranger/Broot instead, and open Helix in them.
    1. a tree-view plugin may be added after the plugin system is stable, but no one knows when it will be.
    2. and some Helix users stated that they don't need a tree-view plugin, Helix's file picker is useful and good enough.
-1. It seems Helix lacks a substitution command, you should run it in another window(via wm or Zellij).
+1. It seems Helix lacks a global substitution command, you should run it in another window(via wm or Zellij).
    1. <https://github.com/helix-editor/helix/issues/196>
    1. Neovim's substitution command allow you to preview the changes before you apply it, and it's very useful. if I switch to Helix, I'll need to find some other tools with similar feature(such as https://github.com/ms-jpq/sad).
-    2. The downside of Neovim's substitution command is that it's unable to save the command we just typed. If I made some things wrong, I have to type the whole substitution command again.
+1. Complexity and Maintenance Costs vs Batteries Included: <https://github.com/helix-editor/helix/discussions/6356>
 I think Use Helix/Neovim within a terminal file manager(Yazi/ranger/Broot) and Zellij is a good idea. 
 It's quite different from the workflow I migrated from VSCode/JetBrains before, I'm very interested in it.
@@ -132,7 +132,13 @@ Press `<Space> + D` to view available bindings and options.
 | Description                                                  | Shortcut                                                         |
 | ------------------------------------------------------------ | ---------------------------------------------------------------- |
 | Open spectre.nvim search and replace panel                   | `<Space> + ss`                                                   |
-| Search and replace in command line(need install `sad` first) | `find -name "*.nix" \| sad '<pattern>' '<replacement>' \| delta` |
+
 Search and replace via cli(fd + sad + delta):
 ```bash
 fd "\\.nix$" . | sad '<pattern>' '<replacement>' | delta
 ```
 ### Surrounding Characters
@@ -32,12 +32,6 @@ in {
  home.shellAliases = shellAliases;
  programs.nushell.shellAliases = shellAliases;
  nixpkgs.config = {
    programs.npm.npmrc = ''
      prefix = ''${HOME}/.npm-global
    '';
  };
  programs = {
    neovim = {
      enable = true;
@@ -1,4 +1,10 @@
 {pkgs, ...}: {
  nixpkgs.config = {
    programs.npm.npmrc = ''
      prefix = ''${HOME}/.npm-global
    '';
  };
  home.packages = with pkgs;
    [
      #-- c/c++
@@ -6,20 +12,22 @@
      cmake-language-server
      gnumake
      checkmake
      llvmPackages.clang-unwrapped # c/c++ tools with clang-tools such as clanvimPlugins.nvim-treesitter-parsers.vuegd
      lldb
      # c/c++ compiler, required by nvim-treesitter!
      # to avoid conflicts, you can comment clang-unwrapped first to compile all nvim-treesitter-parsers.
      gcc
      # c/c++ tools with clang-tools, the unwrapped version won't
      # add alias like `cc` and `c++`, so that it won't conflict with gcc
      llvmPackages.clang-unwrapped
      lldb
      #-- python
      nodePackages.pyright # python language server
-      (python310.withPackages (
+      (python311.withPackages (
        ps:
          with ps; [
            ruff-lsp
            black # python formatter
            jupyter
            ipython
            pandas
            requests
@@ -113,6 +121,8 @@
      marksman # language server for markdown
      glow # markdown previewer
      fzf
      pandoc # document converter
      hugo # static site generator
      #-- Optional Requirements:
      gdu # disk usage analyzer, required by AstroNvim
@@ -0,0 +1,30 @@
 # Encryption
 We have GnuPG & password-store installed by default, mainly for password management, authentication & communication encryption.
 We also have LUKS2 for disk encryption on Linux, and [rclone](https://rclone.org/crypt/) for cross-platform data encryption & syncing.
 [age](https://github.com/FiloSottile/age) may be more general for file encryption.
 [Sops](https://github.com/getsops/sops/tree/main) can be used for file encryption too, if you prefer 
 using a Cloud provider for key management.
 ## Asymmetric Encryption
 Both age, Sops & GnuPG provide asymmetric encryption, which is useful for encrypting files for a specific user.
 For morden use, age is recommended, as it use [AEAD encryption function - ChaCha20-Poly1305][age Format v1],
 If you do not want to manage the keys by yourself, Sops is recommended, as it use KMS for key management.
 ## Symmetric Encryption
 Both age & GnuPG provide symmetric encryption, which is useful for encrypting files for a specific user.
 As described in [age Format v1][age Format v1], age use scrypt to encrypt and decrypt the file key with a provided passphrase,
 which is more secure than GnuPG's symmetric encryption.
 [age Format v1]: https://age-encryption.org/v1
@@ -0,0 +1,7 @@
 {pkgs, ...}: {
  home.packages = with pkgs; [
    age
    sops
    rclone
  ];
 }
@@ -0,0 +1,660 @@
 # GNU Privacy Guard(GnuPG)
 > Offical Website: https://www.gnupg.org/
 The GNU Privacy Guard is a complete and free implementation of the OpenPGP standard as defined by RFC4880 (also known as **PGP**). GnuPG allows to encrypt and sign your data and communication, features a versatile key management system as well as access modules for all kind of public key directories. 
 > In the following content, we will use GPG to refer to GnuPG tool, and PGP to refer to various concepts defined in the OepnPGP standard(e.g. PGP key, PGP key server).
 Key functions of GnuPG:
 1. Keypair(keyring) management
 2. Sign and Verify your data
 3. Encrypt and Decrypt your data
 Main usage scenarios of GnuPG:
 1. Sign or encrypt your email
   1. Verify or decrypt the email you received
 2. Sign your git commit
 3. Manage your ssh key
 4. Encrypt your data and store it somewhere.
 GnuPG/OpenPGP is complex, so while using it, I have been looking forward to finding an encryption tool that is simple enough, functional enough, and widely adopted.
 Currently I use both age & GnuPG:
 1. Age for secrets encryption(ssh key & other secret files), it's simple and easy to use.
 2. GnuPG for password-store and email encryption.
 > At present, the safe and efficient use of GPG is probably combined with hardware keys such as yubikey. but I don't have one, so I won't talk about it here.
 ## Practical Cryptography for Developers
 To use GnuGP without seamlessly, Some Practical Cryptography knowledge is required, here is dome tutorials:
 - English version: <https://github.com/nakov/Practical-Cryptography-for-Developers-Book>
 - Chinese version: <https://thiscute.world/tags/cryptography/>
 ## Overview of GnuPG
 > GnuPG's Official User Guides: <https://www.gnupg.org/documentation/guides.html>
 > ArchWiki's GnuPG page: <https://wiki.archlinux.org/title/GnuPG>
 ### 0. How GnuGP generate & protect your keypair?
 Related Docs:
 - [2021年，用更现代的方法使用PGP（上）][2021年，用更现代的方法使用PGP（上）]
 - [Predictable, Passphrase-Derived PGP Keys][Predictable, Passphrase-Derived PGP Keys]
 - [OpenPGP - The almost perfect key pair][OpenPGP - The almost perfect key pair]
 GnuPG generate every secret key separately, and encrypt them with a symmetric key derived from your passphrase.
 OpenPGP standard defines [String-to-Key (S2K)](https://datatracker.ietf.org/doc/html/rfc4880#section-3.7)
 algorithm to derive a symmetric key from your passphrase.
 GnuPG's [OpenPGP protocol specific options](https://gnupg.org/documentation/manuals/gnupg/OpenPGP-Options.html#OpenPGP-Options) shows that:
 ```
 --s2k-cipher-algo name
    Use name as the cipher algorithm for symmetric encryption with a passphrase if --personal-cipher-preferences and --cipher-algo are not given. The default is AES-128.
 --s2k-digest-algo name
    Use name as the digest algorithm used to mangle the passphrases for symmetric encryption. The default is SHA-1.
 --s2k-mode n
    Selects how passphrases for symmetric encryption are mangled. If n is 0 a plain passphrase (which is in general not recommended) will be used, a 1 adds a salt (which should not be used) to the passphrase and a 3 (the default) iterates the whole process a number of times (see --s2k-count).
 --s2k-count n
    Specify how many times the passphrases mangling for symmetric encryption is repeated. This value may range between 1024 and 65011712 inclusive. The default is inquired from gpg-agent. Note that not all values in the 1024-65011712 range are legal and if an illegal value is selected, GnuPG will round up to the nearest legal value. This option is only meaningful if --s2k-mode is set to the default of 3.
 ```
 The strongest options should be:
 ```
 gpg --s2k-mode 3 --s2k-count 65011712 --s2k-digest-algo SHA512 --s2k-cipher-algo AES256 ...
 ```
 To use the strongest options globally, you can specify these options in your `~/.gnupg/gpg.conf`.
 I've added them to my Home Manager's `programs.gpg.settings` option.
 ### 1. PGP Key(Primary Key) generation
 Key management is the core of OpenPGP standard / GnuPG.
 GnuPG uses public-key cryptography so that users may communicate securely. In a public-key system, each user has a pair of keys consisting of a private key and a public key. **A user's private key is kept secret; it need **never be revealed. The public key may be given to anyone with whom the user wants to communicate**. GnuPG uses a somewhat more sophisticated scheme in which a user has a primary keypair and then zero or more additional subordinate keypairs. The primary and subordinate keypairs are bundled to facilitate key management and the bundle can often be considered simply as one keypair, or a keyring/keychain(which contains multiple sub key-pairs).
 Let's generate a keypair interactively:
 > Now in 2024, GnuPG 2.4.1 defaults to ECC algorithm (9) and Curve 25519 for ECC, which is morden and safe, I would recommend to use these defaults directly.
 ```bash
 gpg --full-gen-key
 ```
 This command will ask you for some algorithm related settings(ECC & Curve 25519), your personal info, and a strong passphrase to protect your PGP key. e.g.
 ``` bash
 › gpg --full-gen-key
 gpg (GnuPG) 2.4.1; Copyright (C) 2023 g10 Code GmbH
 This is free software: you are free to change and redistribute it.
 There is NO WARRANTY, to the extent permitted by law.
 gpg: directory '/Users/ryan/.gnupg' created
 Please select what kind of key you want:
   (1) RSA and RSA
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (9) ECC (sign and encrypt) *default*
  (10) ECC (sign only)
  (14) Existing key from card
 Your selection? 9
 Please select which elliptic curve you want:
   (1) Curve 25519 *default*
   (4) NIST P-384
   (6) Brainpool P-256
 Your selection? 1
 Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
 Key is valid for? (0) 10y
 Key expires at 一  1/ 4 13:50:31 2044 CST
 Is this correct? (y/N) y
 GnuPG needs to construct a user ID to identify your key.
 Real name: 
 Email address: 
 Comment: 
 You selected this USER-ID:
    "Ryan Yin (For pass For Work ssh only) <ryan4yin@linux.com>"
 Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
 We need to generate a lot of random bytes. It is a good idea to perform
 some other action (type on the keyboard, move the mouse, utilize the
 disks) during the prime generation; this gives the random number
 generator a better chance to gain enough entropy.
 We need to generate a lot of random bytes. It is a good idea to perform
 some other action (type on the keyboard, move the mouse, utilize the
 disks) during the prime generation; this gives the random number
 generator a better chance to gain enough entropy.
 gpg: /Users/ryan/.gnupg/trustdb.gpg: trustdb created
 gpg: directory '/Users/ryan/.gnupg/openpgp-revocs.d' created
 gpg: revocation certificate stored as '/Users/ryan/.gnupg/openpgp-revocs.d/C8D84EBC5F82494F432ACEF042E49B284C30A0DA.rev'
 public and secret key created and signed.
 pub   ed25519 2024-01-09 [SC] [expires: 2034-01-04]
      C8D84EBC5F82494F432ACEF042E49B284C30A0DA
 uid                      Ryan Yin (For pass For Work ssh only) <ryan4yin@linux.com>
 sub   cv25519 2024-01-09 [E] [expires: 2034-01-04]
 ```
 ### 2. Configuration Files
 > https://www.gnupg.org/documentation/manuals/gnupg/GPG-Configuration.html
 The generated keys are stored in `~/.gnupg` by default, the functions of each file are as follows:
 ``` bash
 › tree ~/.gnupg/
 /Users/ryan/.gnupg/
 |-- S.gpg-agent           # socket file
 |-- S.gpg-agent.browser   # socket file
 |-- S.gpg-agent.extra     # socket file
 |-- S.gpg-agent.ssh       # socket file
 |-- S.keyboxd             # socket file
 |-- common.conf              # config file
 |-- openpgp-revocs.d         # Revocation certificates
 |   `-- F680C6D7215674ADEA421CC5E22EC419FF93EA98.rev
 |-- private-keys-v1.d        # private keys with user info & protect by passphrase
 |   |-- 2083133619AB24DC32DA68F9FE83C58D375284E3.key
 |   `-- 9350704F120643C504491E92CA97255223778C8A.key
 |-- public-keys.d            # public keys
 |   |-- pubring.db
 |   `-- pubring.db.lock
 `-- trustdb.gpg              # a trust database
 4 directories, 12 files
 ```
 The functions of most files are quite clear at a glance, but the `trustdb.gpg` in them is a bit difficult to understand. Here are the details: <https://www.gnupg.org/gph/en/manual/x334.html>
 Home Manager will manage all the things in `~/.gnupg/` EXCEPT `~/.gnupg/openpgp-revocs.d/` and `~/.gnupg/private-keys-v1.d/`, which is expected.
 ### 3. Sub Key Generation & Best Practice
 In PGP, every keys has a **usage flag** to indicate its usage:
 - `C` means this key can be used to **Certify** other keys, which means this key can be used to **create/delete/revoke/modify** other keys.
 - `S` means this key can be used to **Sign** data.
 - `E` means this key can be used to **Encrypt** data. 
 - `A` means this key can be used to **Authenticate** data with various non-GnuPG programs. The key can be used as e.g. an **SSH key**.
 The **best practice** is:
 1. Generate a primary key with strong cryptography arguments(such as ECC + Curve 25519).
 2. Then generate 3 sub keys with `E`, `S` and `A` usage flag respectively.
 3. **The Primary Key is extremely important**, Backup the primary key to somewhere absolutely safe(such as two encryptd USB drivers, keep them in different places), and then **delete it from your computer immediately**.
 4. The sub key is also important, but you can generate a new one and replace it easily. You can backup it to somewhere else, and import it to another machine to use your keypair.
 5. Backup your Primary key's revocation certificate to somewhere safe, it's the last way to rescure your safety if your primary key is compromised!
  1. It's a big problem if your revocation certificate is compromised, but not the bigest one. because it's only used to revoke your keypair, your data is still safe. But you should generate a new keypair and revoke the old one immediately.
  1. It will be a big problem if your primary key is compromised, and you don't have a revocation certificate to revoke it. But since OpenPGP do not have a good way to distribute revocation certificate, even you have a revocation certificate, it's still hard to distribute it to others...
 To keep your keypair safe, you should backup your keypair according to the following steps.
 Now let's add the sub keys to the keypair we generated above:
 > `E` sub key is already generated by default, so we only need to generate `S` and `A` sub keys.
 > GnuPG will ask you to input your passphrase to unlock your primary key.
 ``` bash
 › gpg --expert --edit-key ryan4yin@linux.com
 gpg (GnuPG) 2.4.1; Copyright (C) 2023 g10 Code GmbH
 This is free software: you are free to change and redistribute it.
 There is NO WARRANTY, to the extent permitted by law.
 Secret key is available.
 sec  ed25519/42E49B284C30A0DA
     created: 2024-01-09  expires: 2034-01-04  usage: SC
     trust: ultimate      validity: ultimate
 ssb  cv25519/6CB4A81FFB3C99B6
     created: 2024-01-09  expires: 2034-01-04  usage: E
 [ultimate] (1). Ryan Yin (For pass For Work ssh only) <ryan4yin@linux.com>
 gpg> addkey
 Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
  (14) Existing key from card
 Your selection? 10
 Please select which elliptic curve you want:
   (1) Curve 25519 *default*
   (2) Curve 448
   (3) NIST P-256
   (4) NIST P-384
   (5) NIST P-521
   (6) Brainpool P-256
   (7) Brainpool P-384
   (8) Brainpool P-512
   (9) secp256k1
 Your selection? 1
 Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
 Key is valid for? (0) 10y
 Key expires at Mon Jan  4 17:47:24 2044 CST
 Is this correct? (y/N) y
 Really create? (y/N) y
 We need to generate a lot of random bytes. It is a good idea to perform
 some other action (type on the keyboard, move the mouse, utilize the
 disks) during the prime generation; this gives the random number
 generator a better chance to gain enough entropy.
 sec  ed25519/42E49B284C30A0DA
     created: 2024-01-09  expires: 2034-01-04  usage: SC
     trust: ultimate      validity: ultimate
 ssb  cv25519/6CB4A81FFB3C99B6
     created: 2024-01-09  expires: 2034-01-04  usage: E
 ssb  ed25519/A42813E03A10F504
     created: 2024-01-09  expires: 2034-01-04  usage: S
 [ultimate] (1). Ryan Yin (For pass For Work ssh only) <ryan4yin@linux.com>
 gpg> addkey
 Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
  (14) Existing key from card
 Your selection? 11
 Possible actions for this ECC key: Sign Authenticate
 Current allowed actions: Sign
   (S) Toggle the sign capability
   (A) Toggle the authenticate capability
   (Q) Finished
 Your selection? S
 Possible actions for this ECC key: Sign Authenticate
 Current allowed actions:
   (S) Toggle the sign capability
   (A) Toggle the authenticate capability
   (Q) Finished
 Your selection? A
 Possible actions for this ECC key: Sign Authenticate
 Current allowed actions: Authenticate
   (S) Toggle the sign capability
   (A) Toggle the authenticate capability
   (Q) Finished
 Your selection? Q
 Please select which elliptic curve you want:
   (1) Curve 25519 *default*
   (2) Curve 448
   (3) NIST P-256
   (4) NIST P-384
   (5) NIST P-521
   (6) Brainpool P-256
   (7) Brainpool P-384
   (8) Brainpool P-512
   (9) secp256k1
 Your selection? 1
 Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
 Key is valid for? (0) 10y
 Key expires at Mon Jan  4 17:48:27 2044 CST
 Is this correct? (y/N) y
 Really create? (y/N) y
 We need to generate a lot of random bytes. It is a good idea to perform
 some other action (type on the keyboard, move the mouse, utilize the
 disks) during the prime generation; this gives the random number
 generator a better chance to gain enough entropy.
 sec  ed25519/42E49B284C30A0DA
     created: 2024-01-09  expires: 2034-01-04  usage: SC
     trust: ultimate      validity: ultimate
 ssb  cv25519/6CB4A81FFB3C99B6
     created: 2024-01-09  expires: 2034-01-04  usage: E
 ssb  ed25519/A42813E03A10F504
     created: 2024-01-09  expires: 2034-01-04  usage: S
 ssb  ed25519/5469C4FACC81B60F
     created: 2024-01-09  expires: 2034-01-04  usage: A
 [ultimate] (1). Ryan Yin (For pass For Work ssh only) <ryan4yin@linux.com>
 gpg> save
 ```
 Check the secret keys and public keys we generated:
 ```bash
 › gpg --list-secret-keys --with-subkey-fingerprint
 [keyboxd]
 ---------
 sec   ed25519 2024-01-09 [SC] [expires: 2034-01-04]
      C8D84EBC5F82494F432ACEF042E49B284C30A0DA
 uid           [ultimate] Ryan Yin (For pass For Work ssh only) <ryan4yin@linux.com>
 ssb   cv25519 2024-01-09 [E] [expires: 2034-01-04]
      1146D48B93C2177C92D186026CB4A81FFB3C99B6
 ssb   ed25519 2024-01-09 [S] [expires: 2034-01-04]
      DF64002A822948B17783BBB1A42813E03A10F504
 ssb   ed25519 2024-01-09 [A] [expires: 2034-01-04]
      65E2C6C1C3559362ABB7047C5469C4FACC81B60F
 › gpg --list-public-keys
 ...
 ```
 ### 4. Backup & Restore
 Export Public Keys(Both Primary Key & Sub Keys):
 ```bash
 gpg --armor --export ryan4yin@linux.com > ryan4yin-gpg-keys.pub
 # check what we have exported, we should see 4 public keys
 nix run nixpkgs#pgpdump ryan4yin-gpg-keys.pub
 ```
 Export Primary Key(The exported key is still encrypted by your passphrase):
 > the `!` at the end of the key ID is to force GnuPG to export only the specified key, not the subkeys.
 > GnuPG will ask you to input your passphrase to unlock your keypair,
 > because GnuPG need to convert the secret key's format from its internal protection format to the one specified by the OpenPGP protocol.
 ```bash
 # replace the key ID with your own sec key's ID
 gpg --armor --export-secret-keys C8D84EBC5F82494F432ACEF042E49B284C30A0DA! > ryan4yin-primary-key.priv
 # Check the exported primary key's detail info,
 nix run nixpkgs#pgpdump ryan4yin-primary-key.priv
 ...
 Old: Secret Key Packet(tag 5)(134 bytes)
        Ver 4 - new
        Public key creation time - Sat Jan 27 14:13:13 CST 2024
        Pub alg - EdDSA Edwards-curve Digital Signature Algorithm(pub 22)
        Elliptic Curve - Ed25519 (0x2B 06 01 04 01 DA 47 0F 01)
        EdDSA Q(263 bits) - ...
        Sym alg - AES with 128-bit key(sym 7)
        Iterated and salted string-to-key(s2k 3):
                Hash alg - SHA1(hash 2)
                Salt - 8c 78 58 c0 87 83 8c 2c
                Count - 65011712(coded count 255)
        IV - xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx 
        Encrypted EdDSA x
        Encrypted SHA1 hash
 ...
 ```
 As [Predictable, Passphrase-Derived PGP Keys][Predictable, Passphrase-Derived PGP Keys] says, we'll find that gpg ignored the `--s2k-count` option we specified when generating the keypair, and the `--s2k` related options we specified in `~/.gnupg/gpg.conf`, 
 the exported primary key is protectd by `SHA1` and `AES128`, which is not secure enough!
 So to increase the security of the exported primary key, we need to encrypt it again with a stronger algorithm, I choose `age` here(which use `scrypt` to encrypt the file key with a provided passphrase):
 ```bash
 # for simplicity, use the same passphrase as your gpg keypair here
 age --passphrase -o ryan4yin-primary-key.priv.age ryan4yin-primary-key.priv
 rm ryan4yin-primary-key.priv
 ```
 Export Sub Keys one by one(The exported keys is still encrypted by your passphrase):
 ```bash
 gpg --armor --export-secret-subkeys > ryan4yin-gpg-subkeys.priv
 # Check the exported primary key's detail info,
 nix run nixpkgs#pgpdump ryan4yin-gpg-subkeys.priv
 # encrypt it again with age(scrypt)
 age --passphrase  -o ryan4yin-gpg-subkeys.priv.age ryan4yin-gpg-subkeys.priv
 rm ryan4yin-gpg-subkeys.priv
 ```
 Your can import the exported Private Key via `gpg --import <keyfile>` to restore it, but you need to decrypt it via age first.
 As for Public Keys, please import your publicKeys via Home Manager's `programs.gpg.publicKeys` option, DO NOT import it manually(via `gpg --import <keyfile>`).
 To ensure security, delete the master key and revoke the certificate immediately after the backup is completed:
 ```bash
 # delete the primary key and all its sub keys
 gpg --delete-secret-keys ryan4yin@linux.com
 # delete the revocation certificate
 rm ~/.gnupg/openpgp-revocs.d/C8D84EBC5F82494F432ACEF042E49B284C30A0DA.rev
 # import our subkeys back
 age --decrypt -o ryan4yin-primary-key.priv ryan4yin-primary-key.priv.age
 gpg --import ryan4yin-gpg-subkeys.priv
 ```
 Now check the secret keys and public keys again:
 > A `#` at the end of the key ID means that the key is not available, because we have deleted it.
 ```bash
 › gpg --list-secret-keys --keyid-format=long
 /home/ryan/.gnupg/pubring.kbx
 -----------------------------
 sec#  ed25519/D1C5FFA3118A41FC 2024-01-09 [SC] [expires: 2034-01-04]
      Key fingerprint = E267 943C 33AD C5AF 3D76  4D96 D1C5 FFA3 118A 41FC
 uid                 [ unknown] Ryan Yin (Personal) <ryan4yin@linux.com>
 ssb   cv25519/62526A4A0CF43E33 2024-01-09 [E] [expires: 2034-01-04]
 ssb   ed25519/433A66D63805BD1A 2024-01-09 [S] [expires: 2034-01-04]
 ssb   ed25519/441E3D8FBD313BF2 2024-01-09 [A] [expires: 2034-01-04]
 › gpg --list-public-keys --keyid-format=long
 /home/ryan/.gnupg/pubring.kbx
 -----------------------------
 pub   ed25519/D1C5FFA3118A41FC 2024-01-09 [SC] [expires: 2034-01-04]
      Key fingerprint = E267 943C 33AD C5AF 3D76  4D96 D1C5 FFA3 118A 41FC
 uid                 [ unknown] Ryan Yin (Personal) <ryan4yin@linux.com>
 sub   cv25519/62526A4A0CF43E33 2024-01-09 [E] [expires: 2034-01-04]
 sub   ed25519/433A66D63805BD1A 2024-01-09 [S] [expires: 2034-01-04]
 sub   ed25519/441E3D8FBD313BF2 2024-01-09 [A] [expires: 2034-01-04]
 ```
 ### 5. Signing & Verification
 ```bash
 #  Make a cleartext signature.
 gpg --clearsign <file>
 # Make a detached signature, with text output.
 gpg --armor --detach-sign <file>
 # verify the file contains a valid signature.
 gpg --verify <file>
 # verify the file with a detached signature.
 gpg --verify <file> <signature-file>
 ```
 ### 6. Encryption & Decryption
 ```bash
 # Encrypt a file via recipient's public key, sign it via your private key for signing, and output cleartext.
 # so that the reciiptent can decrypt it via his/her private key.
 gpg --armor --sign --encrypt --recipient ryan4yin@linux.com <file>
 # or use this short version
 gpg -aser ryan4yin@linux.com <file>
 # Descrypt a file via your private key, and verify the signature via the sender's public key.
 gpg --decrypt <file>
 # or
 gpg -d <file>
 ```
 If you just want to encrypt/decrypt a file quickly, you can use `age` with a passphrase, `gpg` can also do this, but it's not recommended(as age(scrypt)'s more secure):
 ```bash
 # Encrypt a file via symmetric encryption(AES256), and output cleartext.
 gpg --armor --symmetric --cipher-algo AES256 <file>
 # or
 gpg -ac <file>
 # Decrypt a file via symmetric encryption.
 gpg --decrypt <file>
 # or
 gpg -d <file>
 ```
 ### 7. Public Key Exchange & Revocation
 In the case of many users, it is very difficult to exchange public keys securely and reliably with each other.
 In the Web world, There is a **Chain of Trust**** to resolve this problem:
 - A Certificate Authority(CA) is responsible to verify & sign all the certificate signing request.
 - Web Server can safely transmit its Web Certificate to the client via TLS protocol.
 - Client can verify the recevied Web Certificate via the CA's root certificate(which is built in Browser/OS). 
 But in OpenPGP:
 - There is key servers to distribute(exchange) public keys, but it **do not verify the identity of the key owner**, and any uploaded data is **not allowed to be deleted**. Which make it **insecure and dangerous**.
  - Why key server is dangerous?
    - Many PGP novices follow various tutorials to upload various key with personal privacy (such as real names) to the public key server, and then find that they can't delete them, which is very embarrassing.
    - Anyone can upload a key to the key server, and claim that it is the key of a certain person(such as Linus), which is very insecure.
  - **key server** is not recommend to use.
 - GnuPG will generate revocation certificate when generating keypair(`~/.gnupg/private-keys-v1.d/<Key-ID.rev>`), anyone can import this certificate to revoke the keypair. But OpenPGP standard **DO NOT provide a way to distribute this certificate to others**.
  - Not to mention some key status query protocol like OCSP in Web PKI.
  - Users has to pulish their revocation certificate to their blog, github profile or somewhere else, and others has to check it and run `gpg --import <revocation-certificate>` to revoke the keypair manually.
 In summary, **there is no good way to distribute public keys and revoke them in OpenPGP**, which is a big problem.
 Currently, You have to distribute your public key or revocation certificate via your blog, github profile, or somewhere else, and others has to check it and run `gpg --import` to import your public key or revocation certificate manually.
 Anyway, let's try to revoke a keypair:
 ```bash
 › gpg --list-keys
 gpg: checking the trustdb
 gpg: marginals needed: 3  completes needed: 1  trust model: pgp
 gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
 /home/ryan/.gnupg/pubring.kbx
 -----------------------------
 pub   ed25519/0x55859965C2742B4B 2024-01-09 [SC]
      Key fingerprint = A2CD 07BD 9631 44CB 2725  5A6B 5585 9965 C274 2B4B
 uid                   [ultimate] test <test@test.t>
 sub   cv25519/0x9E78E897B6490D6B 2024-01-09 [E]
 # encrypt some file before revoke the keypair
 › gpg -aer test@test.t README.md > README.md.asc
 # try to decrypt the file, it should works
 › gpg -d README.md.asc
 gpg: encrypted with cv25519 key, ID 0x9E78E897B6490D6B, created 2024-01-09
      "test <test@test.t>"
 # ......
 # take a look at the revocation certificate
 › cat gpg-test-revoke.rev
 This is a revocation certificate for the OpenPGP key:
 pub   ed25519/0x55859965C2742B4B 2024-01-09 [S]
      Key fingerprint = A2CD 07BD 9631 44CB 2725  5A6B 5585 9965 C274 2B4B
 uid                            test <test@test.t>
 A revocation certificate is a kind of "kill switch" to publicly
 declare that a key shall not anymore be used.  It is not possible
 to retract such a revocation certificate once it has been published.
 Use it to revoke this key in case of a compromise or loss of
 the secret key.  However, if the secret key is still accessible,
 it is better to generate a new revocation certificate and give
 a reason for the revocation.  For details see the description of
 of the gpg command "--generate-revocation" in the GnuPG manual.
 To avoid an accidental use of this file, a colon has been inserted
 before the 5 dashes below.  Remove this colon with a text editor
 before importing and publishing this revocation certificate.
 :-----BEGIN PGP PUBLIC KEY BLOCK-----
 Comment: This is a revocation certificate
 iHgEIBYKACAWIQSizQe9ljFEyyclWmtVhZllwnQrSwUCZZ1T9wIdAAAKCRBVhZll
 wnQrS2LVAQCegRF1qPqY/OCS5QCz8G0ra0XgPYlQYo9pSOjHgfY39AD+Psin2/6t
 STuJCp+gru6OtbTCu8Y2LugQeDh7UicM7Ak=
 =Xfs6
 -----END PGP PUBLIC KEY BLOCK-----
 ```
 As the revocation certificate says, we need to remove the first colon(`:`) before the 5 dashes(`-----BEGIN PGP PUBLIC KEY BLOCK-----`), then import it:
 ```bash
 › gpg --import gpg-test-revoke.rev
 gpg: key 0x55859965C2742B4B: "test <test@test.t>" revocation certificate imported
 gpg: Total number processed: 1
 gpg:    new key revocations: 1
 gpg: no ultimately trusted keys found
 › gpg --list-secret-keys --keyid-format=long
 /home/ryan/.gnupg/pubring.kbx
 -----------------------------
 sec   ed25519/55859965C2742B4B 2024-01-09 [SC] [revoked: 2024-01-09]
      Key fingerprint = A2CD 07BD 9631 44CB 2725  5A6B 5585 9965 C274 2B4B
 uid                 [ revoked] test <test@test.t>
 # try to decrypt the file, it still works, but will indicate that the key is revoked.
 › gpg -d README.md.asc
 gpg: encrypted with cv25519 key, ID 0x9E78E897B6490D6B, created 2024-01-09
      "test <test@test.t>"
 gpg: Note: key has been revoked
 gpg: reason for revocation: No reason specified
 # ......
 # try to encrypt some file via the revoked key, it will fail.
 › gpg -aer 9E78E897B6490D6B README.md
 gpg: 9E78E897B6490D6B: skipped: Unusable public key
 gpg: README.md: encryption failed: Unusable public key
 ```
 But if you delete the `trustdb.gpg` and `pubring.kbx`, then import the revoked public key again, it will be valid and usable again... which is very dangerous.
 ## References
 - [2021年，用更现代的方法使用PGP（上）][2021年，用更现代的方法使用PGP（上）]
 - [Predictable, Passphrase-Derived PGP Keys][Predictable, Passphrase-Derived PGP Keys]
 - [OpenPGP - The almost perfect key pair][OpenPGP - The almost perfect key pair]
 [2021年，用更现代的方法使用PGP（上）]: https://ulyc.github.io/2021/01/13/2021%E5%B9%B4-%E7%94%A8%E6%9B%B4%E7%8E%B0%E4%BB%A3%E7%9A%84%E6%96%B9%E6%B3%95%E4%BD%BF%E7%94%A8PGP-%E4%B8%8A/
 [Predictable, Passphrase-Derived PGP Keys]: https://nullprogram.com/blog/2019/07/10/
 [OpenPGP - The almost perfect key pair]: https://blog.eleven-labs.com/en/openpgp-almost-perfect-key-pair-part-1/
@@ -0,0 +1,83 @@
 {
  config,
  mysecrets,
  ...
 }: {
  programs.gpg = {
    enable = true;
    homedir = "${config.home.homeDirectory}/.gnupg";
    #  $GNUPGHOME/trustdb.gpg stores all the trust level you specified in `programs.gpg.publicKeys` option.
    #
    # If set `mutableTrust` to false, the path $GNUPGHOME/trustdb.gpg will be overwritten on each activation.
    # Thus we can only update trsutedb.gpg via home-manager.
    mutableTrust = false;
    # $GNUPGHOME/pubring.kbx stores all the public keys you specified in `programs.gpg.publicKeys` option.
    #
    # If set `mutableKeys` to false, the path $GNUPGHOME/pubring.kbx will become an immutable link to the Nix store, denying modifications.
    # Thus we can only update pubring.kbx via home-manager
    mutableKeys = false;
    publicKeys = [
      # https://www.gnupg.org/gph/en/manual/x334.html
      # {
      #   source = "${mysecrets}/public/ryan4yin-gpg-keys.pub";
      #   trust = 5;
      # } # ultimate trust, my own keys.
    ];
    # This configuration is based on the tutorial below, it allows for a robust setup
    # https://blog.eleven-labs.com/en/openpgp-almost-perfect-key-pair-part-1
    # ~/.gnupg/gpg.conf
    settings = {
      # Get rid of the copyright notice
      no-greeting = true;
      # Disable inclusion of the version string in ASCII armored output
      no-emit-version = true;
      # Do not write comment packets
      no-comments = false;
      # Export the smallest key possible
      # This removes all signatures except the most recent self-signature on each user ID
      export-options = "export-minimal";
      # Display long key IDs
      keyid-format = "0xlong";
      # List all keys (or the specified ones) along with their fingerprints
      with-fingerprint = true;
      # Display the calculated validity of user IDs during key listings
      list-options = "show-uid-validity";
      verify-options = "show-uid-validity show-keyserver-urls";
      # Select the strongest cipher
      personal-cipher-preferences = "AES256";
      # Select the strongest digest
      personal-digest-preferences = "SHA512";
      # This preference list is used for new keys and becomes the default for "setpref" in the edit menu
      default-preference-list = "SHA512 SHA384 SHA256 RIPEMD160 AES256 TWOFISH BLOWFISH ZLIB BZIP2 ZIP Uncompressed";
      # Use the strongest cipher algorithm
      cipher-algo = "AES256";
      # Use the strongest digest algorithm
      digest-algo = "SHA512";
      # Message digest algorithm used when signing a key
      cert-digest-algo = "SHA512";
      # Use RFC-1950 ZLIB compression
      compress-algo = "ZLIB";
      # Disable weak algorithm
      disable-cipher-algo = "3DES";
      # Treat the specified digest algorithm as weak
      weak-digest = "SHA1";
      # The cipher algorithm for symmetric encryption for symmetric encryption with a passphrase
      s2k-cipher-algo = "AES256";
      # The digest algorithm used to mangle the passphrases for symmetric encryption
      s2k-digest-algo = "SHA512";
      # Selects how passphrases for symmetric encryption are mangled
      s2k-mode = "3";
      # Specify how many times the passphrases mangling for symmetric encryption is repeated
      s2k-count = "65011712";
    };
  };
 }
@@ -0,0 +1,47 @@
 # Password Manager
 - https://www.passwordstore.org/
 - [awesome-password-store](https://github.com/tijn/awesome-password-store)
 - <https://github.com/gopasspw/gopass>: reimplement in go, with more features.
 - Clients
  - Android: <https://github.com/android-password-store/Android-Password-Store>
  - Brosers(Chrome/Firefox): <https://github.com/browserpass/browserpass-extension>
 ## How to change the gpg key of the pass password store?
 To ensure security, we should change the GPG key every two or three years. Here is how to do this.
 1. Create a new GPG key pair and backup it to a safe place.
 2. Ensure you can access both the old and new GPG keys.
 3. Update `./default.nix` to use the new GPG sub keys.
 4. Check which Key `pass` currently uses:
    ```bash
    cd ~/.local/share/password-store/
    # check which key is used by pass
    cat .gpg-id
    # check which key is really used to encrypt the password
    gpg --list-packets path/to/any/password.gpg
    ```
 4. Change the key used by `pass`:
    ```bash
    # change the key used by pass, see `man pass` for more details
    # you will be asked to enter the password of both the new and old keys
    # then pass will re-encrypt all the passwords with the new key
    pass init <new-key-id>
    ```
 5. Check if the key is changed:
    ```bash
    # check which key is used by pass
    cat .gpg-id
    # check which key is really used to encrypt the password
    gpg --list-packets path/to/any/password.gpg
    ```
 6. Delete the old GPG key pair:
    ```bash
    # delete the old key pair
    gpg --delete-secret-keys <old-key-id>
    gpg --delete-keys <old-key-id>
    ```
@@ -0,0 +1,52 @@
 {
  pkgs,
  config,
  lib,
  ...
 }: let
  passwordStoreDir = "${config.xdg.dataHome}/password-store";
 in {
  programs.password-store = {
    enable = true;
    package = pkgs.pass.withExtensions (exts: [
      # support for one-time-password (OTP) tokens
      # NOTE: Saving the password and OTP together runs counter to the purpose of secondary verification!
      # exts.pass-otp
      exts.pass-import # a generic importer tool from other password managers
      exts.pass-update # an easy flow for updating passwords
    ]);
    # See the “Environment variables” section of pass(1) and the extension man pages for more information about the available keys.
    settings = {
      PASSWORD_STORE_DIR = passwordStoreDir;
      # Overrides the default gpg key identification set by init.
      # Hexadecimal key signature is recommended.
      # Multiple keys may be specified separated by spaces.
      PASSWORD_STORE_KEY = lib.strings.concatStringsSep " " [
        "EF824EB73CFD6CC7" # E - Ryan Yin (For pass & ssh only) <ryan4yin@linux.com>
      ];
      # all .gpg-id files and non-system extension files must be signed using a detached signature using the GPG key specified by
      #   the full 40 character upper-case fingerprint in this variable.
      # If multiple fingerprints are specified, each separated by a whitespace character, then signatures must match at least one.
      # The init command will keep signatures of .gpg-id files up to date.
      PASSWORD_STORE_SIGNING_KEY = lib.strings.concatStringsSep " " [
        "C2A313F98166C942" # S - Ryan Yin (For pass & ssh only) <ryan4yin@linux.com>
      ];
      PASSWORD_STORE_CLIP_TIME = "60";
      PASSWORD_STORE_GENERATED_LENGTH = "15";
      PASSWORD_STORE_ENABLE_EXTENSIONS = "true";
    };
  };
  # password-store extensions for browsers
  # you need to install the browser extension for this to work
  # https://github.com/browserpass/browserpass-extension
  programs.browserpass = {
    enable = true;
    browsers = [
      "chrome"
      "chromium"
      "firefox"
    ];
  };
 }
@@ -1,5 +1,5 @@
 {pkgs-unstable, ...}: let
-  nu_scripts = pkgs-unstable.nu_scripts;
+  inherit (pkgs-unstable) nu_scripts;
 in {
  programs.bash = {
    # load the alias file for work
@@ -9,7 +9,8 @@ in {
  # auto start zellij in nushell
  programs.nushell.extraConfig = ''
    # auto start zellij
-    if not "ZELLIJ" in $env {
+    # except when in emacs or zellij itself
    if (not "ZELLIJ" in $env) and (not "INSIDE_EMACS" in $env) {
      if "ZELLIJ_AUTO_ATTACH" in $env and $env.ZELLIJ_AUTO_ATTACH == "true" {
        ^zellij attach -c
      } else {
@@ -1,21 +0,0 @@
 {
  pkgs,
  nur-ryan4yin,
  ...
 }: {
  # a cat(1) clone with syntax highlighting and Git integration.
  programs.bat = {
    enable = true;
    config = {
      pager = "less -FR";
      theme = "catppuccin-mocha";
    };
    themes = {
      # https://raw.githubusercontent.com/catppuccin/bat/main/Catppuccin-mocha.tmTheme
      catppuccin-mocha = {
        src = nur-ryan4yin.packages.${pkgs.system}.catppuccin-bat;
        file = "Catppuccin-mocha.tmTheme";
      };
    };
  };
 }
@@ -1,10 +1,17 @@
 {
  pkgs,
  pkgs-unstable,
  nur-ryan4yin,
  ...
 }: {
  home.packages = with pkgs; [
    skopeo
    docker-compose
    dive # explore docker layers
    lazydocker # Docker terminal UI.
    kubectl
    istioctl
    kubernetes-helm
  ];
@@ -1,13 +1,11 @@
-{pkgs, ...}: {
+{
  pkgs,
  nur-ryan4yin,
  ...
 }: {
  home.packages = with pkgs; [
    neofetch
    # archives
    zip
    xz
    unzip
    p7zip
    # networking tools
    mtr # A network diagnostic tool
    iperf3
@@ -18,43 +16,68 @@
    nmap # A utility for network discovery and security auditing
    ipcalc # it is a calculator for the IPv4/v6 addresses
-    # Text Processing
+    # archives
-    # Docs: https://github.com/learnbyexample/Command-line-text-processing
+    zip
-    gnugrep # GNU grep, provides `grep`/`egrep`/`fgrep`
+    xz
-    gnused # GNU sed, very powerful(mainly for replacing text in files)
+    unzip
-    gnumake
+    p7zip
    just # a command runner like make, but simpler
    gawk # GNU awk, a pattern scanning and processing language
    sad # CLI search and replace, with diff preview, really useful!!!
    delta # A viewer for git and diff output
    # A fast and polyglot tool for code searching, linting, rewriting at large scale
    # supported languages: only some mainstream languages currently(do not support nix/nginx/yaml/toml/...)
    ast-grep
    jq # A lightweight and flexible command-line JSON processor
    yq-go # yaml processer https://github.com/mikefarah/yq
    # misc
    tldr
    cowsay
    file
    findutils
    which
    tree
    gnutar
    zstd
    caddy
    gnupg
    rsync
    # Text Processing
    # Docs: https://github.com/learnbyexample/Command-line-text-processing
    gnugrep # GNU grep, provides `grep`/`egrep`/`fgrep`
    gnused # GNU sed, very powerful(mainly for replacing text in files)
    gnumake
    gawk # GNU awk, a pattern scanning and processing language
    jq # A lightweight and flexible command-line JSON processor
    # morden cli tools, replacement of grep/sed/...
    # Interactively filter its input using fuzzy searching, not limit to filenames.
    fzf
    # search for files by name, faster than find
    fd
    # search for files by its content, replacement of grep
    (ripgrep.override {withPCRE2 = true;})
    # A fast and polyglot tool for code searching, linting, rewriting at large scale
    # supported languages: only some mainstream languages currently(do not support nix/nginx/yaml/toml/...)
    ast-grep
    sad # CLI search and replace, just like sed, but with diff preview.
    yq-go # yaml processer https://github.com/mikefarah/yq
    just # a command runner like make, but simpler
    delta # A viewer for git and diff output
    lazygit # Git terminal UI.
    hyperfine # command-line benchmarking tool
    gping # ping, but with a graph(TUI)
    doggo # DNS client for humans
    duf # Disk Usage/Free Utility - a better 'df' alternative
    du-dust # A more intuitive version of `du` in rust
    ncdu # analyzer your disk usage Interactively, via TUI(replacement of `du`)
    gdu # disk usage analyzer(replacement of `du`)
    # nix related
    #
    # it provides the command `nom` works just like `nix
    # with more details log output
    nix-output-monitor
    nodePackages.node2nix
    # productivity
-    hugo # static site generator
+    caddy # A webserver with automatic HTTPS via Let's Encrypt(replacement of nginx)
-    glow # markdown previewer in terminal
+    croc # File transfer between computers securely and easily
  ];
  programs = {
@@ -67,6 +90,22 @@
      icons = true;
    };
    # a cat(1) clone with syntax highlighting and Git integration.
    bat = {
      enable = true;
      config = {
        pager = "less -FR";
        theme = "catppuccin-mocha";
      };
      themes = {
        # https://raw.githubusercontent.com/catppuccin/bat/main/Catppuccin-mocha.tmTheme
        catppuccin-mocha = {
          src = nur-ryan4yin.packages.${pkgs.system}.catppuccin-bat;
          file = "Catppuccin-mocha.tmTheme";
        };
      };
    };
    # A command-line fuzzy finder
    fzf = {
      enable = true;
@@ -88,11 +127,39 @@
      };
    };
-    # skim provides a single executable: sk.
+    # zoxide is a smarter cd command, inspired by z and autojump.
-    # Basically anywhere you would want to use grep, try sk instead.
+    # It remembers which directories you use most frequently,
-    skim = {
+    # so you can "jump" to them in just a few keystrokes.
    # zoxide works on all major shells.
    #
    #   z foo              # cd into highest ranked directory matching foo
    #   z foo bar          # cd into highest ranked directory matching foo and bar
    #   z foo /            # cd into a subdirectory starting with foo
    #
    #   z ~/foo            # z also works like a regular cd command
    #   z foo/             # cd into relative path
    #   z ..               # cd one level up
    #   z -                # cd into previous directory
    #
    #   zi foo             # cd with interactive selection (using fzf)
    #
    #   z foo<SPACE><TAB>  # show interactive completions (zoxide v0.8.0+, bash 4.4+/fish/zsh only)
    zoxide = {
      enable = true;
      enableBashIntegration = true;
      enableZshIntegration = true;
      enableNushellIntegration = true;
    };
    # Atuin replaces your existing shell history with a SQLite database,
    # and records additional context for your commands.
    # Additionally, it provides optional and fully encrypted
    # synchronisation of your history between machines, via an Atuin server.
    atuin = {
      enable = true;
      enableBashIntegration = true;
      enableZshIntegration = true;
      enableNushellIntegration = true;
    };
  };
 }
@@ -0,0 +1,7 @@
 _: {
  # use mirror for pip install
  xdg.configFile."pip/pip.conf".text = ''
    [global]
    index-url = https://mirrors.bfsu.edu.cn/pypi/web/simple
  '';
 }
@@ -12,7 +12,7 @@ in {
  programs.nushell = {
    enable = true;
    configFile.source = ./config.nu;
-    shellAliases = shellAliases;
+    inherit shellAliases;
  };
  programs.bash = {
@@ -1,6 +1,6 @@
 let
  envExtra = ''
-    export PATH="/opt/homebrew/bin:/usr/local/bin:$PATH"
+    export PATH="$PATH:/opt/homebrew/bin:/usr/local/bin"
  '';
 in {
  # Homebrew's default install location:
@@ -14,6 +14,6 @@ in {
  };
  programs.zsh = {
    enable = true;
-    envExtra = envExtra;
+    inherit envExtra;
  };
 }
@@ -29,9 +29,6 @@
  # auto mount usb drives
  services = {
    udiskie.enable = true;
  };
  services = {
    # syncthing.enable = true;
  };
 }
@@ -1,6 +1,7 @@
 {
  pkgs,
  pkgs-unstable,
  pkgs-stable,
  nur-ryan4yin,
  ...
 }: {
@@ -12,7 +13,7 @@
    krita # digital painting
    musescore # music notation
    # reaper # audio production
-    pkgs-unstable.sonic-pi # music programming
+    # sonic-pi # music programming
    # this app consumes a lot of storage, so do not install it currently
    # kicad     # 3d printing, eletrical engineering
@@ -27,6 +28,34 @@
  programs = {
    # live streaming
-    obs-studio.enable = true;
+    obs-studio = {
      enable = true;
      plugins = with pkgs-stable.obs-studio-plugins; [
        # screen capture
        wlrobs
        # obs-ndi
        obs-vaapi
        obs-nvfbc
        obs-teleport
        # obs-hyperion
        droidcam-obs
        obs-vkcapture
        obs-gstreamer
        obs-3d-effect
        input-overlay
        obs-multi-rtmp
        obs-source-clone
        obs-shaderfilter
        obs-source-record
        obs-livesplit-one
        looking-glass-obs
        obs-vintage-filter
        obs-command-source
        obs-move-transition
        obs-backgroundremoval
        advanced-scene-switcher
        obs-pipewire-audio-capture
      ];
    };
  };
 }
@@ -0,0 +1,12 @@
 {
  pkgs,
  nix-gaming,
  ...
 }: {
  home.packages = with pkgs; [
    # nix-gaming.packages.${pkgs.system}.osu-lazer-bin
    gamescope # SteamOS session compositing window manager
    prismlauncher # A free, open source launcher for Minecraft
    winetricks # A script to install DLLs needed to work around problems in Wine
  ];
 }
@@ -45,12 +45,12 @@
    theme = {
      # https://github.com/catppuccin/gtk
-      name = "Catppuccin-Macchiato-Compact-Pink-dark";
+      name = "Catppuccin-Macchiato-Compact-Pink-Dark";
      package = pkgs.catppuccin-gtk.override {
        # https://github.com/NixOS/nixpkgs/blob/nixos-23.05/pkgs/data/themes/catppuccin-gtk/default.nix
        accents = ["pink"];
        size = "compact";
-        variant = "mocha";
+        variant = "macchiato";
      };
    };
  };
@@ -27,4 +27,8 @@
  programs.gh = {
    enable = true;
  };
  # allow fontconfig to discover fonts and configurations installed through home.packages
  # Install fonts at system-level, not user-level
  fonts.fontconfig.enable = false;
 }
@@ -6,7 +6,11 @@ input {
    kb_model=
    kb_options=
    kb_rules=
    # mouse focus will not switch to the hovered window unless the mouse crosses a window boundary
    follow_mouse=1
    mouse_refocus=false
    natural_scroll=0
    touchpad {
        natural_scroll = 1
@@ -63,7 +63,4 @@
      recursive = true;
    };
  };
  # allow fontconfig to discover fonts and configurations installed through home.packages
  fonts.fontconfig.enable = true;
 }
@@ -48,7 +48,4 @@
    # xrandr - set primary screen
    ".screenlayout/monitor.sh".source = ../conf/dual-monitor-4k-1080p.sh;
  };
  # allow fontconfig to discover fonts and configurations installed through home.packages
  fonts.fontconfig.enable = true;
 }
@@ -1,15 +1,17 @@
 {
  pkgs,
  nixos-hardware,
  vars_networking,
  ...
-} @ args:
+}:
 #############################################################
 #
 #  Shoukei - NixOS running on Macbook Pro 2020 I5 16G
 #   https://github.com/NixOS/nixos-hardware/tree/master/apple/t2
 #
 #############################################################
-{
+let
  hostName = "shoukei"; # Define your hostname.
 in {
  imports = [
    nixos-hardware.nixosModules.apple-t2
    ./apple-set-os-loader.nix
@@ -19,24 +21,15 @@
    ./impermanence.nix
  ];
  boot.kernelModules = ["kvm-amd" "kvm-intel"];
  boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu
  networking = {
-    hostName = "shoukei"; # Define your hostname.
+    inherit hostName;
    inherit (vars_networking) defaultGateway nameservers;
    # configures the network interface(include wireless) via `nmcli` & `nmtui`
    networkmanager.enable = true;
    # Configure network proxy if necessary
    # proxy.default = "http://user:password@proxy:port/";
    # proxy.noProxy = "127.0.0.1,localhost,internal.domain";
    # Configure network proxy if necessary
    # proxy.default = "http://user:password@proxy:port/";
    # proxy.noProxy = "127.0.0.1,localhost,internal.domain";
    defaultGateway = "192.168.5.201";
    nameservers = [
      "119.29.29.29" # DNSPod
      "223.5.5.5" # AliDNS
    ];
  };
  # This value determines the NixOS release from which the default
@@ -29,7 +29,7 @@
  # Enable binfmt emulation of aarch64-linux, this is required for cross compilation.
  boot.binfmt.emulatedSystems = ["aarch64-linux" "riscv64-linux"];
-  # supported fil systems, so we can mount any removable disks with these filesystems
+  # supported file systems, so we can mount any removable disks with these filesystems
  boot.supportedFilesystems = lib.mkForce [
    "ext4"
    "btrfs"
@@ -1,38 +1,31 @@
 {nixos-rk3588, ...}:
 #############################################################
 #
 #  Aquamarine - A NixOS VM running on Proxmox
 #
 #############################################################
 {
  nixos-rk3588,
  vars_networking,
  ...
 }:
 #############################################################
 #
 #  Suzu - Orange Pi 5, RK3588s
 #
 #############################################################
 let
  hostName = "suzu"; # Define your hostname.
  hostAddress = vars_networking.hostAddress.${hostName};
 in {
  imports = [
    # import the rk3588 module, which contains the configuration for bootloader/kernel/firmware
    nixos-rk3588.nixosModules.orangepi5
  ];
  networking = {
-    hostName = "suzu"; # Define your hostname.
+    inherit hostName;
-    wireless.enable = false; # Enables wireless support via wpa_supplicant.
+    inherit (vars_networking) defaultGateway nameservers;
    networkmanager.enable = false;
    # Configure network proxy if necessary
    # proxy.default = "http://user:password@proxy:port/";
    # proxy.noProxy = "127.0.0.1,localhost,internal.domain";
    interfaces.end1 = {
      useDHCP = false;
-      ipv4.addresses = [
+      ipv4.addresses = [hostAddress];
        {
          address = "192.168.5.107";
          prefixLength = 24;
        }
      ];
    };
    defaultGateway = "192.168.5.201";
    nameservers = [
      "119.29.29.29" # DNSPod
      "223.5.5.5" # AliDNS
    ];
  };
  # This value determines the NixOS release from which the default
@@ -1,13 +1,13 @@
 # Hosts
-1. macOS
+1. `darwin`(macOS)
   1. `fern`: MacBook Pro 2022 13-inch M2 16G, mainly for business.
   1. `harmonica`: MacBook Pro 2020 13-inch i5 16G, for personal use.
 2. `idols`
   1. `ai`: My main computer, with NixOS + I5-13600KF + RTX 4090 GPU, for gaming & daily use.
-   2. `aquamarine`: My NixOS virtual machine with R9-5900HX(8C16T), for distributed building & testing.
+   2. `aquamarine`: My NixOS virtual machine as a passby router(IPv4 only) to access the global internet.
-   3. `kana`: Yet another NixOS vm on another physical machine with R5-5625U(6C12T).
+   4. `ruby`: Another NixOS vm with R9-5900HX(8C16T), for distributed building & testing.
-   4. `ruby`: Another NixOS vm on another physical machine with R7-5825U(8C16T).
+   3. `kana`: Yet another NixOS vm with R7-5225U(6C12T), for desktop testing.
 3. `rolling_girls`: My RISCV64 hosts.
   1. `nozomi`: Lichee Pi 4A, TH1520(4xC910@2.0G), 8GB RAM + 32G eMMC + 64G SD Card.
   2. `yukina`: Lichee Pi 4A(Internal Test Version), TH1520(4xC910@2.0G), 8GB RAM + 8G eMMC + 128G SD Card.
@@ -15,7 +15,8 @@
 4. `12kingdoms`: 
   1. `shoukei`: NixOS on Macbook Pro 2022 Intel i5, 13.3-inch, 16G RAM + 512G SSD.
   1. `suzu`: Orange Pi 5, RK3588s(4xA76 + 4xA55), GPU(4Cores, Mail-G610), NPU(6Tops@int8), 8G RAM + 256G SSD.
-
+5. Homelab:
   1. `tailscale_gw`: A tailscale subnet router(gateway) for accessing my homelab remotely. NixOS VM running on Proxmox.
 # idols - Oshi no Ko
@@ -0,0 +1,43 @@
 {vars_networking, ...}:
 #############################################################
 #
 #  Tailscale Gateway(homelab subnet router) - a NixOS VM running on Proxmox
 #
 #############################################################
 let
  hostName = "tailscale_gw"; # Define your hostname.
  hostAddress = vars_networking.hostAddress.${hostName};
 in {
  imports = [
    ./tailscale.nix
  ];
  # supported file systems, so we can mount any removable disks with these filesystems
  boot.supportedFilesystems = [
    "ext4"
    "btrfs"
    "xfs"
    "fat"
    "vfat"
    "exfat"
  ];
  networking = {
    inherit hostName;
    inherit (vars_networking) defaultGateway nameservers;
    networkmanager.enable = false;
    interfaces.ens18 = {
      useDHCP = false;
      ipv4.addresses = [hostAddress];
    };
  };
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "23.11"; # Did you read the comment?
 }
@@ -0,0 +1,46 @@
 {
  config,
  pkgs,
  ...
 }:
 # =============================================================
 #
 # Tailscale - your own private network(VPN) that uses WireGuard
 #
 # It's open souce and free for personal use,
 # and it's really easy to setup and use.
 # Tailscale has great client coverage for Linux, windows, Mac, android, and iOS.
 # Tailscale is more mature and stable compared to other alternatives such as netbird/netmaker.
 # Maybe I'll give netbird/netmaker a try when they are more mature, but for now, I'm sticking with Tailscale.
 #
 # How to use:
 #  1. Create a Tailscale account at https://login.tailscale.com
 #  2. Login via `tailscale login`
 #  3. join into your Tailscale network via `tailscale up --advertise-routes 192.168.5.0/24`
 #  4. If you prefer automatic connection to Tailscale, use the `authKeyFile` option` in the config below.
 #
 # Status Data:
 #   `journalctl -u tailscaled` shows tailscaled's logs
 #   logs indicate that tailscale store its data in /var/lib/tailscale
 #   which is already persistent across reboots(via impermanence.nix)
 #
 # References:
 # https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/services/networking/tailscale.nix
 #
 # =============================================================
 {
  # make the tailscale command usable to users
  environment.systemPackages = [pkgs.tailscale];
  # enable the tailscale service
  services.tailscale = {
    enable = true;
    port = 41641;
    interfaceName = "tailscale0";
    # allow the Tailscale UDP port through the firewall
    openFirewall = true;
    useRoutingFeatures = "server";
    extraUpFlags = "--advertise-routes 192.168.5.0/24";
    # authKeyFile = "/var/lib/tailscale/authkey";
  };
 }
@@ -1,14 +0,0 @@
 {
  config,
  username,
  ...
 }: {
  # mount a smb/cifs share
  fileSystems."/home/${username}/SMB-Downloads" = {
    device = "//192.168.5.194/Downloads";
    fsType = "cifs";
    options = [
      "vers=3.0,uid=1000,gid=100,dir_mode=0755,file_mode=0755,mfsymlinks,credentials=${config.age.secrets.smb-credentials.path},nofail"
    ];
  };
 }
@@ -1,2 +0,0 @@
 {
 }
@@ -1,2 +0,0 @@
 {
 }
@@ -1,2 +0,0 @@
 {
 }
@@ -2,7 +2,7 @@
 Related:
- [/nixos-installer/README.shoukei.md](/nixos-installer/README.ai.md)
+- [/nixos-installer/README.md](/nixos-installer/README.md)
 ## Info
@@ -0,0 +1,17 @@
 {
  config,
  username,
  ...
 }: {
  # mount a smb/cifs share
  fileSystems."/home/${username}/SMB-Downloads" = {
    device = "//192.168.5.194/Downloads";
    fsType = "cifs";
    options = [
      # https://www.freedesktop.org/software/systemd/man/latest/systemd.mount.html
      "nofail,_netdev"
      "uid=1000,gid=100,dir_mode=0755,file_mode=0755"
      "vers=3.0,credentials=${config.age.secrets.smb-credentials.path}"
    ];
  };
 }
@@ -1,9 +1,13 @@
 {vars_networking, ...}:
 #############################################################
 #
 #  Ai - my main computer, with NixOS + I5-13600KF + RTX 4090 GPU, for gaming & daily use.
 #
 #############################################################
-{
+let
  hostName = "ai"; # Define your hostname.
  hostAddress = vars_networking.hostAddress.${hostName};
 in {
  imports = [
    ./cifs-mount.nix
    # Include the results of the hardware scan.
@@ -14,30 +18,16 @@
  ];
  networking = {
-    hostName = "ai";
+    inherit hostName;
    inherit (vars_networking) defaultGateway nameservers;
    wireless.enable = false; # Enables wireless support via wpa_supplicant.
-
+    # configures the network interface(include wireless) via `nmcli` & `nmtui`
-    # Configure network proxy if necessary
+    networkmanager.enable = false;
    # proxy.default = "http://user:password@proxy:port/";
    # proxy.noProxy = "127.0.0.1,localhost,internal.domain";
    networkmanager.enable = true;
    enableIPv6 = false; # disable ipv6
    interfaces.enp5s0 = {
      useDHCP = false;
-      ipv4.addresses = [
+      ipv4.addresses = [hostAddress];
        {
          address = "192.168.5.100";
          prefixLength = 24;
        }
      ];
    };
    defaultGateway = "192.168.5.201";
    nameservers = [
      "119.29.29.29" # DNSPod
      "223.5.5.5" # AliDNS
    ];
  };
  # conflict with feature: containerd-snapshotter
@@ -23,7 +23,8 @@
  boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod"];
  boot.initrd.kernelModules = [];
-  boot.kernelModules = ["kvm-intel"];
+  boot.kernelModules = ["kvm-intel"]; # kvm virtualization support
  boot.extraModprobeConfig = "options kvm_intel nested=1"; # for intel cpu
  boot.kernelParams = ["nvidia.NVreg_PreserveVideoMemoryAllocations=1"];
  boot.extraModulePackages = [];
  # clear /tmp on boot to get a stateless /tmp directory.
@@ -31,7 +32,7 @@
  # Enable binfmt emulation of aarch64-linux, this is required for cross compilation.
  boot.binfmt.emulatedSystems = ["aarch64-linux" "riscv64-linux"];
-  # supported fil systems, so we can mount any removable disks with these filesystems
+  # supported file systems, so we can mount any removable disks with these filesystems
  boot.supportedFilesystems = [
    "ext4"
    "btrfs"
@@ -45,7 +46,9 @@
  boot.initrd = {
    # unlocked luks devices via a keyfile or prompt a passphrase.
    luks.devices."crypted-nixos" = {
-      device = "/dev/nvme0n1p2";
+      # NOTE: DO NOT use device name here(like /dev/sda, /dev/nvme0n1p2, etc), use UUID instead.
      # https://github.com/ryan4yin/nix-config/issues/43
      device = "/dev/disk/by-uuid/a21ca82a-9ee6-4e5c-9d3f-a93e84e4e0f4";
      # the keyfile(or device partition) that should be used as the decryption key for the encrypted device.
      # if not specified, you will be prompted for a passphrase instead.
      #keyFile = "/root-part.key";
@@ -71,6 +74,13 @@
    options = ["subvol=@nix" "noatime" "compress-force=zstd:1"];
  };
  # for guix store, which use `/gnu/store` as its store directory.
  fileSystems."/gnu" = {
    device = "/dev/disk/by-uuid/1167076c-dee1-486c-83c1-4b1af37555cd";
    fsType = "btrfs";
    options = ["subvol=@guix" "noatime" "compress-force=zstd:1"];
  };
  fileSystems."/persistent" = {
    device = "/dev/disk/by-uuid/1167076c-dee1-486c-83c1-4b1af37555cd";
    fsType = "btrfs";
@@ -109,7 +119,7 @@
  };
  fileSystems."/boot" = {
-    device = "/dev/nvme0n1p1";
+    device = "/dev/disk/by-uuid/90FB-9F88";
    fsType = "vfat";
  };
@@ -21,8 +21,7 @@
    enable = true;
    extraConfig = ''
      Host github.com
-          # github is controlled by gluttony~
+          IdentityFile ~/.ssh/idols-ai
          IdentityFile ~/.ssh/gluttony
          # Specifies that ssh should only use the identity file explicitly configured above
          # required to prevent sending default identity files first.
          IdentitiesOnly yes
@@ -88,6 +88,7 @@
        # misc
        ".config/pulse"
        ".pki"
        ".steam" # steam games
        # remote desktop
        ".config/remmina"
@@ -0,0 +1,10 @@
 # Idols - Aquamarine
 TODO: use aqua as a passby router(IPv4 only) to access the global internet.
 ## References
 - <https://github.com/ghostbuster91/blogposts/blob/main/router2023-part2/main.md>
 - <https://github.com/ghostbuster91/nixos-router>
@@ -0,0 +1,233 @@
 global {
    ##### Software options.
    # tproxy port to listen on. It is NOT a HTTP/SOCKS port, and is just used by eBPF program.
    # In normal case, you do not need to use it.
    tproxy_port: 12345
    # Set it true to protect tproxy port from unsolicited traffic. Set it false to allow users to use self-managed
    # iptables tproxy rules.
    tproxy_port_protect: true
    # If not zero, traffic sent from dae will be set SO_MARK. It is useful to avoid traffic loop with iptables tproxy
    # rules.
    so_mark_from_dae: 0
    # Log level: error, warn, info, debug, trace.
    log_level: info
    # Disable waiting for network before pulling subscriptions.
    disable_waiting_network: false
    ##### Interface and kernel options.
    # The LAN interface to bind. Use it if you want to proxy LAN.
    # Multiple interfaces split by ",".
    lan_interface: ens18
    # The WAN interface to bind. Use it if you want to proxy localhost.
    # Multiple interfaces split by ",". Use "auto" to auto detect.
    wan_interface: auto
    # Automatically configure Linux kernel parameters like ip_forward and send_redirects. Check out
    # https://github.com/daeuniverse/dae/blob/main/docs/en/user-guide/kernel-parameters.md to see what will dae do.
    auto_config_kernel_parameter: true
    # Automatically configure firewall rules like firewalld and fw4.
    # firewalld: nft 'insert rule inet firewalld filter_INPUT mark 0x08000000 accept'
    # fw4: nft 'insert rule inet fw4 input mark 0x08000000 accept'
    auto_config_firewall_rule: true
    ##### Node connectivity check.
    # Host of URL should have both IPv4 and IPv6 if you have double stack in local.
    # First is URL, others are IP addresses if given.
    # Considering traffic consumption, it is recommended to choose a site with anycast IP and less response.
    #tcp_check_url: 'http://cp.cloudflare.com'
    tcp_check_url: 'http://cp.cloudflare.com,1.1.1.1,2606:4700:4700::1111'
    # The HTTP request method to `tcp_check_url`. Use 'HEAD' by default because some server implementations bypass
    # accounting for this kind of traffic.
    tcp_check_http_method: HEAD
    # This DNS will be used to check UDP connectivity of nodes. And if dns_upstream below contains tcp, it also be used to check
    # TCP DNS connectivity of nodes.
    # First is URL, others are IP addresses if given.
    # This DNS should have both IPv4 and IPv6 if you have double stack in local.
    #udp_check_dns: 'dns.google.com:53'
    udp_check_dns: 'dns.google.com:53,8.8.8.8,2001:4860:4860::8888'
    check_interval: 30s
    # Group will switch node only when new_latency <= old_latency - tolerance.
    check_tolerance: 50ms
    ##### Connecting options.
    # Optional values of dial_mode are:
    # 1. "ip". Dial proxy using the IP from DNS directly. This allows your ipv4, ipv6 to choose the optimal path
    #       respectively, and makes the IP version requested by the application meet expectations. For example, if you
    #       use curl -4 ip.sb, you will request IPv4 via proxy and get a IPv4 echo. And curl -6 ip.sb will request IPv6.
    #       This may solve some wierd full-cone problem if your are be your node support that. Sniffing will be disabled
    #       in this mode.
    # 2. "domain". Dial proxy using the domain from sniffing. This will relieve DNS pollution problem to a great extent
    #       if have impure DNS environment. Generally, this mode brings faster proxy response time because proxy will
    #       re-resolve the domain in remote, thus get better IP result to connect. This policy does not impact routing.
    #       That is to say, domain rewrite will be after traffic split of routing and dae will not re-route it.
    # 3. "domain+". Based on domain mode but do not check the reality of sniffed domain. It is useful for users whose
    #       DNS requests do not go through dae but want faster proxy response time. Notice that, if DNS requests do not
    #       go through dae, dae cannot split traffic by domain.
    # 4. "domain++". Based on domain+ mode but force to re-route traffic using sniffed domain to partially recover
    #       domain based traffic split ability. It doesn't work for direct traffic and consumes more CPU resources.
    dial_mode: domain
    # Allow insecure TLS certificates. It is not recommended to turn it on unless you have to.
    allow_insecure: false
    # Timeout to waiting for first data sending for sniffing. It is always 0 if dial_mode is ip. Set it higher is useful
    # in high latency LAN network.
    sniffing_timeout: 100ms
    # TLS implementation. tls is to use Go's crypto/tls. utls is to use uTLS, which can imitate browser's Client Hello.
    tls_implementation: tls
    # The Client Hello ID for uTLS to imitate. This takes effect only if tls_implementation is utls.
    # See more: https://github.com/daeuniverse/dae/blob/331fa23c16/component/outbound/transport/tls/utls.go#L17
    utls_imitate: chrome_auto
 }
 # Subscriptions defined here will be resolved as nodes and merged as a part of the global node pool.
 # Support to give the subscription a tag, and filter nodes from a given subscription in the group section.
 subscription {
    # Add your subscription links here.
    'file://mysubscription-1.sub' # the path is related to /etc/dae/
    'file://mysubscription-2.sub'
 }
 # Nodes defined here will be merged as a part of the global node pool.
 node {
    # Add your node links here.
    # Support socks5, http, https, ss, ssr, vmess, vless, trojan, tuic, juicity, etc.
    # Full support list: https://github.com/daeuniverse/dae/blob/main/docs/en/proxy-protocols.md
    # mylink: 'ss://LINK'
    # node1: 'vmess://LINK'
    # node2: 'vless://LINK'
    # chains: 'tuic://LINK -> vmess://LINK'
 }
 # See https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/dns.md for full examples.
 dns {
    # For example, if ipversion_prefer is 4 and the domain name has both type A and type AAAA records, the dae will only
    # respond to type A queries and response empty answer to type AAAA queries.
    #ipversion_prefer: 4
    # Give a fixed ttl for domains. Zero means that dae will request to upstream every time and not cache DNS results
    # for these domains.
    #fixed_domain_ttl {
    #    ddns.example.org: 10
    #    test.example.org: 3600
    #}
    upstream {
        # Value can be scheme://host:port, where the scheme can be tcp/udp/tcp+udp.
        # If host is a domain and has both IPv4 and IPv6 record, dae will automatically choose
        # IPv4 or IPv6 to use according to group policy (such as min latency policy).
        # Please make sure DNS traffic will go through and be forwarded by dae, which is REQUIRED for domain routing.
        # If dial_mode is "ip", the upstream DNS answer SHOULD NOT be polluted, so domestic public DNS is not recommended.
        alidns: 'udp://dns.alidns.com:53'
        googledns: 'tcp+udp://dns.google.com:53'
    }
    routing {
        # According to the request of dns query, decide to use which DNS upstream.
        # Match rules from top to bottom.
        request {
            # Lookup China mainland domains using alidns, otherwise googledns.
            qname(geosite:cn) -> alidns
            # fallback is also called default.
            fallback: googledns
        }
    }
 #    routing {
 #        # According to the request of dns query, decide to use which DNS upstream.
 #        # Match rules from top to bottom.
 #        request {
 #            # fallback is also called default.
 #            fallback: alidns
 #        }
 #        # According to the response of dns query, decide to accept or re-lookup using another DNS upstream.
 #        # Match rules from top to bottom.
 #        response {
 #            # Trusted upstream. Always accept its result.
 #            upstream(googledns) -> accept
 #            # Possibly polluted, re-lookup using googledns.
 #            ip(geoip:private) && !qname(geosite:cn) -> googledns
 #            # fallback is also called default.
 #            fallback: accept
 #        }
 #    }
 }
 # Node group (outbound).
 group {
    my_group {
        # No filter. Use all nodes.
        # Randomly select a node from the group for every connection.
        #policy: random
        # Select the first node from the group for every connection.
        #policy: fixed(0)
        # Select the node with min last latency from the group for every connection.
        #policy: min
        # Select the node with min moving average of latencies from the group for every connection.
        policy: min_moving_avg
    }
    group2 {
        # Filter nodes from the global node pool defined by the subscription and node section above.
        #filter: subtag(regex: '^my_', another_sub) && !name(keyword: 'ExpireAt:')
        # Filter nodes from the global node pool defined by tag.
        #filter: name(node1, node2)
        # Filter nodes and give a fixed latency offset to archive latency-based failover.
        # In this example, there is bigger possibility to choose US node even if original latency of US node is higher.
        filter: name(HK_node)
        filter: name(US_node) [add_latency: -500ms]
        # Select the node with min average of the last 10 latencies from the group for every connection.
        policy: min_avg10
    }
 }
 # See https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/routing.md for full examples.
 routing {
    ### Preset rules.
    # Network managers in localhost should be direct to avoid false negative network connectivity check when binding to
    # WAN.
    pname(NetworkManager) -> direct
    # Put it in the front to prevent broadcast, multicast and other packets that should be sent to the LAN from being
    # forwarded by the proxy.
    # "dip" means destination IP.
    dip(224.0.0.0/3, 'ff00::/8') -> direct
    # This line allows you to access private addresses directly instead of via your proxy. If you really want to access
    # private addresses in your proxy host network, modify the below line.
    dip(geoip:private) -> direct
    ### Write your rules below.
    # Disable h3 because it usually consumes too much cpu/mem resources.
    l4proto(udp) && dport(443) -> block
    dip(geoip:cn) -> direct
    domain(geosite:cn) -> direct
    fallback: my_group
 }
@@ -0,0 +1,11 @@
 # https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/services/networking/dae.nix
 {
  services.dae = {
    enable = true;
    openFirewall = {
      enable = true;
      port = 12345;
    };
    configFile = ./bypass-router.dae;
  };
 }
@@ -1,12 +1,20 @@
 {vars_networking, ...}:
 #############################################################
 #
 #  Aquamarine - A NixOS VM running on Proxmox
 #
 #############################################################
-{
+let
  hostName = "aquamarine"; # Define your hostname.
  hostAddress = vars_networking.hostAddress.${hostName};
 in {
  imports = [
    ./router.nix
  ];
  # Enable binfmt emulation of aarch64-linux, this is required for cross compilation.
  boot.binfmt.emulatedSystems = ["aarch64-linux" "riscv64-linux"];
-  # supported fil systems, so we can mount any removable disks with these filesystems
+  # supported file systems, so we can mount any removable disks with these filesystems
  boot.supportedFilesystems = [
    "ext4"
    "btrfs"
@@ -19,29 +27,18 @@
    "cifs" # mount windows share
  ];
  boot.kernelModules = ["kvm-amd" "kvm-intel"];
  boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu
  networking = {
-    hostName = "aquamarine"; # Define your hostname.
+    inherit hostName;
-    wireless.enable = false; # Enables wireless support via wpa_supplicant.
+    inherit (vars_networking) defaultGateway nameservers;
-    # Configure network proxy if necessary
+    networkmanager.enable = false;
    # proxy.default = "http://user:password@proxy:port/";
    # proxy.noProxy = "127.0.0.1,localhost,internal.domain";
    networkmanager.enable = true;
    interfaces.ens18 = {
      useDHCP = false;
-      ipv4.addresses = [
+      ipv4.addresses = [hostAddress];
        {
          address = "192.168.5.101";
          prefixLength = 24;
        }
      ];
    };
    defaultGateway = "192.168.5.201";
    nameservers = [
      "119.29.29.29" # DNSPod
      "223.5.5.5" # AliDNS
    ];
  };
  # This value determines the NixOS release from which the default
@@ -1,12 +1,16 @@
 {vars_networking, ...}:
 #############################################################
 #
 #  Kana - a NixOS VM running on Proxmox
 #
 #############################################################
-{
+let
  hostName = "kana"; # Define your hostname.
  hostAddress = vars_networking.hostAddress.${hostName};
 in {
  # Enable binfmt emulation of aarch64-linux, this is required for cross compilation.
  boot.binfmt.emulatedSystems = ["aarch64-linux" "riscv64-linux"];
-  # supported fil systems, so we can mount any removable disks with these filesystems
+  # supported file systems, so we can mount any removable disks with these filesystems
  boot.supportedFilesystems = [
    "ext4"
    "btrfs"
@@ -19,29 +23,18 @@
    "cifs" # mount windows share
  ];
  boot.kernelModules = ["kvm-amd" "kvm-intel"];
  boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu
  networking = {
-    hostName = "kana"; # Define your hostname.
+    inherit hostName;
-    wireless.enable = false; # Enables wireless support via wpa_supplicant.
+    inherit (vars_networking) defaultGateway nameservers;
-    # Configure network proxy if necessary
+    networkmanager.enable = false;
    # proxy.default = "http://user:password@proxy:port/";
    # proxy.noProxy = "127.0.0.1,localhost,internal.domain";
    networkmanager.enable = true;
    interfaces.ens18 = {
      useDHCP = false;
-      ipv4.addresses = [
+      ipv4.addresses = [hostAddress];
        {
          address = "192.168.5.103";
          prefixLength = 24;
        }
      ];
    };
    defaultGateway = "192.168.5.201";
    nameservers = [
      "119.29.29.29" # DNSPod
      "223.5.5.5" # AliDNS
    ];
  };
  # This value determines the NixOS release from which the default
@@ -1,12 +1,16 @@
 {vars_networking, ...}:
 #############################################################
 #
 #  Ruby - a NixOS VM running on Proxmox
 #
 #############################################################
-{
+let
  hostName = "ruby"; # Define your hostname.
  hostAddress = vars_networking.hostAddress.${hostName};
 in {
  # Enable binfmt emulation of aarch64-linux, this is required for cross compilation.
  boot.binfmt.emulatedSystems = ["aarch64-linux" "riscv64-linux"];
-  # supported fil systems, so we can mount any removable disks with these filesystems
+  # supported file systems, so we can mount any removable disks with these filesystems
  boot.supportedFilesystems = [
    "ext4"
    "btrfs"
@@ -19,29 +23,18 @@
    "cifs" # mount windows share
  ];
  boot.kernelModules = ["kvm-amd" "kvm-intel"];
  boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu
  networking = {
-    hostName = "ruby"; # Define your hostname.
+    inherit hostName;
-    wireless.enable = false; # Enables wireless support via wpa_supplicant.
+    inherit (vars_networking) defaultGateway nameservers;
-    # Configure network proxy if necessary
+    networkmanager.enable = false;
    # proxy.default = "http://user:password@proxy:port/";
    # proxy.noProxy = "127.0.0.1,localhost,internal.domain";
    networkmanager.enable = true;
    interfaces.ens18 = {
      useDHCP = false;
-      ipv4.addresses = [
+      ipv4.addresses = [hostAddress];
        {
          address = "192.168.5.102";
          prefixLength = 24;
        }
      ];
    };
    defaultGateway = "192.168.5.201";
    nameservers = [
      "119.29.29.29" # DNSPod
      "223.5.5.5" # AliDNS
    ];
  };
  # This value determines the NixOS release from which the default
@@ -1,5 +1,6 @@
 {
  # nixos-jh7110,
  vars_networking,
  ...
 }:
 #############################################################
@@ -9,38 +10,26 @@
 #  WIP, not working yet.
 #
 #############################################################
-{
+let
  hostName = "chiaya"; # Define your hostname.
  hostAddress = vars_networking.hostAddress.${hostName};
 in {
  imports = [
  ];
  # Set static IP address / gateway / DNS servers.
  networking = {
-    hostName = "chiaya"; # Define your hostname.
+    inherit hostName;
-    wireless.enable = false;
+    inherit (vars_networking) defaultGateway nameservers;
    # Failed to enable firewall due to the following error:
    #   firewall-start[2300]: iptables: Failed to initialize nft: Protocol not supported
    firewall.enable = false;
-
+    networkmanager.enable = false;
    defaultGateway = "192.168.5.201";
    nameservers = [
      "119.29.29.29" # DNSPod
      "223.5.5.5" # AliDNS
    ];
    # Configure network proxy if necessary
    # proxy.default = "http://user:password@proxy:port/";
    # proxy.noProxy = "127.0.0.1,localhost,internal.domain";
    # milkv-mars RJ45 port
    interfaces.end0 = {
      useDHCP = false;
-      ipv4.addresses = [
+      ipv4.addresses = [hostAddress];
        {
          address = "192.168.5.106";
          prefixLength = 24;
        }
      ];
    };
  };
@@ -1,10 +1,17 @@
-{nixos-licheepi4a, ...}:
+{
  nixos-licheepi4a,
  vars_networking,
  ...
 }:
 #############################################################
 #
 #  Nozomi - NixOS configuration for Lichee Pi 4A
 #
 #############################################################
-{
+let
  hostName = "nozomi"; # Define your hostname.
  hostAddress = vars_networking.hostAddress.${hostName};
 in {
  imports = [
    # import the licheepi4a module, which contains the configuration for bootloader/kernel/firmware
    (nixos-licheepi4a + "/modules/licheepi4a.nix")
@@ -14,7 +21,9 @@
  # Set static IP address / gateway / DNS servers.
  networking = {
-    hostName = "nozomi"; # Define your hostname.
+    inherit hostName;
    inherit (vars_networking) defaultGateway nameservers;
    wireless = {
      # https://wiki.archlinux.org/title/wpa_supplicant
      enable = true;
@@ -33,12 +42,6 @@
    #   firewall-start[2300]: iptables: Failed to initialize nft: Protocol not supported
    firewall.enable = false;
    defaultGateway = "192.168.5.201";
    nameservers = [
      "119.29.29.29" # DNSPod
      "223.5.5.5" # AliDNS
    ];
    # Configure network proxy if necessary
    # proxy.default = "http://user:password@proxy:port/";
    # proxy.noProxy = "127.0.0.1,localhost,internal.domain";
@@ -46,12 +49,7 @@
    # LPI4A's wireless interface
    interfaces.wlan0 = {
      useDHCP = false;
-      ipv4.addresses = [
+      ipv4.addresses = [hostAddress];
        {
          address = "192.168.5.104";
          prefixLength = 24;
        }
      ];
    };
    # LPI4A's first ethernet interface
    # interfaces.end0 = {
@@ -1,10 +1,17 @@
-{nixos-licheepi4a, ...}:
+{
  nixos-licheepi4a,
  vars_networking,
  ...
 }:
 #############################################################
 #
 #  Yukina - NixOS configuration for Lichee Pi 4A
 #
 #############################################################
-{
+let
  hostName = "yukina"; # Define your hostname.
  hostAddress = vars_networking.hostAddress.${hostName};
 in {
  imports = [
    # import the licheepi4a module, which contains the configuration for bootloader/kernel/firmware
    (nixos-licheepi4a + "/modules/licheepi4a.nix")
@@ -14,7 +21,9 @@
  # Set static IP address / gateway / DNS servers.
  networking = {
-    hostName = "yukina"; # Define your hostname.
+    inherit hostName;
    inherit (vars_networking) defaultGateway nameservers;
    wireless = {
      # https://wiki.archlinux.org/title/wpa_supplicant
      enable = true;
@@ -33,12 +42,6 @@
    #   firewall-start[2300]: iptables: Failed to initialize nft: Protocol not supported
    firewall.enable = false;
    defaultGateway = "192.168.5.201";
    nameservers = [
      "119.29.29.29" # DNSPod
      "223.5.5.5" # AliDNS
    ];
    # Configure network proxy if necessary
    # proxy.default = "http://user:password@proxy:port/";
    # proxy.noProxy = "127.0.0.1,localhost,internal.domain";
@@ -46,19 +49,14 @@
    # LPI4A's wireless interface
    interfaces.wlan0 = {
      useDHCP = false;
-      ipv4.addresses = [
+      ipv4.addresses = [hostAddress];
        {
          address = "192.168.5.105";
          prefixLength = 24;
        }
      ];
    };
    # LPI4A's first ethernet interface
    # interfaces.end0 = {
    #   useDHCP = false;
    #   ipv4.addresses = [
    #     {
-    #       address = "192.168.5.105";
+    #       address = "192.168.5.104";
    #       prefixLength = 24;
    #     }
    #   ];
@@ -11,8 +11,8 @@
  #   mapAttrs
  #   (name: value: ("bar-" + value))
  #   { x = "a"; y = "b"; }
-  #     => { foo = "bar-a"; foo = "bar-b"; }
+  #     => { x = "bar-a"; y = "bar-b"; }
-  mapAttrs = lib.attrsets.mapAttrs;
+  inherit (lib.attrsets) mapAttrs;
  # Update both the names and values of the given attribute set.
  #
@@ -20,7 +20,7 @@
  #   (name: value: nameValuePair ("foo_" + name) ("bar-" + value))
  #   { x = "a"; y = "b"; }
  #     => { foo_x = "bar-a"; foo_y = "bar-b"; }
-  mapAttrs' = lib.attrsets.mapAttrs';
+  inherit (lib.attrsets) mapAttrs';
  # Merge a list of attribute sets into one. smilar to the operator `a // b`, but for a list of attribute sets.
  # NOTE: the later attribute set overrides the former one!
@@ -28,7 +28,7 @@
  #   mergeAttrsList
  #   [ { x = "a"; y = "b"; } { x = "c"; z = "d"; } { g = "e"; } ]
  #   => { x = "c"; y = "b"; z = "d"; g = "e"; }
-  mergeAttrsList = lib.attrsets.mergeAttrsList;
+  inherit (lib.attrsets) mergeAttrsList;
  # Generate a string from an attribute set.
  #
@@ -42,5 +42,5 @@
  #     export x=a
  #     export y=b
  #    ````
-  foldlAttrs = lib.attrsets.foldlAttrs;
+  inherit (lib.attrsets) foldlAttrs;
 }
@@ -5,7 +5,7 @@
  system,
  specialArgs,
  nixos-modules,
-  home-module,
+  home-module ? null,
 }: let
  inherit (specialArgs) username;
 in
@@ -22,7 +22,10 @@ in
            proxmox.qemuConf.name = "${config.networking.hostName}-nixos-${config.system.nixos.label}";
          };
        }
-
+      ]
      ++ (
        if (home-module != null)
        then [
          home-manager.nixosModules.home-manager
          {
            home-manager.useGlobalPkgs = true;
@@ -31,5 +34,7 @@ in
            home-manager.extraSpecialArgs = specialArgs;
            home-manager.users."${username}" = home-module;
          }
-      ];
+        ]
        else []
      );
  }
@@ -1,4 +1,5 @@
 {
  vars_networking,
  username,
  userfullname,
  nuenv,
@@ -12,9 +13,22 @@
  users.users.${username} = {
    description = userfullname;
    # Public Keys that can be used to login to all my PCs, Macbooks, and servers.
    #
    # Since its authority is so large, we must strengthen its security:
    # 1. The corresponding private key must be:
    #    1. Generated locally on every trusted client via:
    #      ```bash
    #      # KDF: bcrypt with 256 rounds, takes 2s on Apple M2):
    #      # Passphrase: digits + letters + symbols, 12+ chars
    #      ssh-keygen -t ed25519 -a 256 -C "ryan@xxx" -f ~/.ssh/xxx`
    #      ```
    #    2. Never leave the device and never sent over the network.
    # 2. Or just use hardware security keys like Yubikey/CanoKey.
    openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDiipi59EnVbi6bK1bGrcbfEM263wgdNfbrt6VBC1rHx ryan@ai-idols"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIKlN+Q/GxvwxDX/OAjJHaNFEznEN4Tw4E4TwqQu/eD6 ryan@idols-ai"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMSfp/hvegbK04HykWvoY1EbDW+vXu1AlCjVivWE2ZeR ryan@shoukei"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPoa9uEI/gR5+klqTQwvCgD6CD5vT5iD9YCNx2xNrH3B ryan@fern"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPwZ9MdotnyhxIJrI4gmVshExHiZOx+FGFhcW7BaYkfR ryan@harmonica"
    ];
  };
@@ -31,9 +45,9 @@
    substituters = [
      # cache mirror located in China
      # status: https://mirror.sjtu.edu.cn/
-      "https://mirror.sjtu.edu.cn/nix-channels/store"
+      # "https://mirror.sjtu.edu.cn/nix-channels/store"
      # status: https://mirrors.ustc.edu.cn/status/
-      # "https://mirrors.ustc.edu.cn/nix-channels/store"
+      "https://mirrors.ustc.edu.cn/nix-channels/store"
      "https://nix-community.cachix.org"
      # my own cache server
@@ -55,6 +55,9 @@ in {
    nushell # my custom shell
    gnugrep # replacee macos's grep
    gnutar # replacee macos's tar
    # darwin only apps
    utm # virtual machine
  ];
  environment.variables =
    {
@@ -83,10 +86,10 @@ in {
  # homebrew need to be installed manually, see https://brew.sh
  # https://github.com/LnL7/nix-darwin/blob/master/modules/homebrew.nix
  homebrew = {
-    enable = false; # disable homebrew for fast deploy
+    enable = true; # disable homebrew for fast deploy
    onActivation = {
-      autoUpdate = false;
+      autoUpdate = true;
      # 'zap': uninstalls all formulae(and related files) not listed in the generated Brewfile
      cleanup = "zap";
    };
@@ -143,7 +146,7 @@ in {
    # `brew install --cask`
    casks = [
-      # "wezterm"  # use this one if nixpkgs's wezterm broken
+      "zed" # zed editor
      "squirrel" # input method for Chinese, rime-squirrel
@@ -155,14 +158,14 @@ in {
      "telegram"
      "discord"
      "microsoft-remote-desktop"
      "moonlight" # remote desktop client
      "rustdesk"
      # "anki"
      "shadowsocksx-ng" # proxy tool
      "iina" # video player
      "syncthing" # file sync
      "raycast" # (HotKey: alt/option + space)search, caculate and run scripts(with many plugins)
      "stats" # beautiful system status monitor in menu bar
      "eudic" # 欧路词典
      # "reaper"  # audio editor
      "sonic-pi" # music programming
@@ -6,21 +6,12 @@
  #  All the configuration options are documented here:
  #    https://daiderd.com/nix-darwin/manual/index.html#sec-options
  #
  # History Issues:
  #  1. Fixed by replace the determinated nix-installer by the official one:
  #     https://github.com/LnL7/nix-darwin/issues/149#issuecomment-1741720259
  #
  ###################################################################################
  # Fix: https://github.com/LnL7/nix-darwin/issues/149#issuecomment-1741720259
  # nix is installed via DeterminateSystems's nix-installer.
  environment.etc."bashrc".knownSha256Hashes = [
    "6ffdf5a198ffe73fbcd17def767f52093b42b29149d4a3e911b49ebcb9785101" # nix-installer on fern
  ];
  environment.etc."zshenv".knownSha256Hashes = [
    "0c544e42afe7836de9ba933d93f46043b12f58ae484ff8cfb02716353f1dba5f" # nix-installer on fern
  ];
  environment.etc."shells".knownSha256Hashes = [
    "9d5aa72f807091b481820d12e693093293ba33c73854909ad7b0fb192c2db193" # nix-installer on fern
  ];
  # Allow unfree packages
  nixpkgs.config.allowUnfree = true;
@@ -0,0 +1,20 @@
 {
  config,
  username,
  ...
 }: let
  homeDir = config.users.users."${username}".home;
 in {
  # https://github.com/LnL7/nix-darwin/blob/master/modules/programs/gnupg.nix
  # try `pkill gpg-agent` if you have issues(such as `no pinentry`)
  programs.gnupg.agent = {
    enable = true;
    enableSSHSupport = false;
  };
  # enable logs for debugging
  launchd.user.agents.gnupg-agent.serviceConfig = {
    StandardErrorPath = "${homeDir}/Library/Logs/gnupg-agent.stderr.log";
    StandardOutPath = "${homeDir}/Library/Logs/gnupg-agent.stdout.log";
  };
 }
@@ -5,6 +5,9 @@
 #
 #  All the configuration options are documented here:
 #    https://daiderd.com/nix-darwin/manual/index.html#sec-options
 #  Incomplete list of macOS `defaults` commands :
 #    https://github.com/yannbertrand/macos-defaults
 #
 #
 # NOTE: Some options are not supported by nix-darwin directly, manually set them:
 #   1. To avoid conflicts with neovim, disable ctrl + up/down/left/right to switch spaces in:
@@ -88,7 +91,8 @@
      };
      # customize settings that not supported by nix-darwin directly
-      # see the source code of https://github.com/rgcr/m-cli to get all the available options
+      # Incomplete list of macOS `defaults` commands :
      #   https://github.com/yannbertrand/macos-defaults
      CustomUserPreferences = {
        ".GlobalPreferences" = {
          # automatically switch to a new space when switching to the application
@@ -113,6 +117,16 @@
          DSDontWriteNetworkStores = true;
          DSDontWriteUSBStores = true;
        };
        "com.apple.spaces" = {
          "spans-displays" = 0; # Display have seperate spaces
        };
        "com.apple.WindowManager" = {
          EnableStandardClickToShowDesktop = 0; # Click wallpaper to reveal desktop
          StandardHideDesktopIcons = 0; # Show items on desktop
          HideDesktop = 0; # Do not hide items on desktop & stage manager
          StageManagerHideWidgets = 0;
          StandardHideWidgets = 0;
        };
        "com.apple.screensaver" = {
          # Require password immediately after sleep or screen saver begins
          askForPassword = 1;
@@ -0,0 +1,18 @@
 {
  config,
  username,
  ...
 }: {
  services.skhd = {
    enable = true;
    skhdConfig = builtins.readFile ./skhdrc;
  };
  # custom log path for debugging
  launchd.user.agents.skhd.serviceConfig = let
    homeDir = config.users.users."${username}".home;
  in {
    StandardErrorPath = "${homeDir}/Library/Logs/skhd.stderr.log";
    StandardOutPath = "${homeDir}/Library/Logs/skhd.stdout.log";
  };
 }
@@ -0,0 +1,70 @@
 # https://github.com/koekeishiya/yabai/blob/master/examples/skhdrc
 #
 # 配置语法 : <modifier> - <key> : <command>
 # modifier 可以是单个键比如 cmd, alt, ctrl, 也可以是组合键比如  ctrl + shift, ctrl + alt
 # ================================ 打开终端 ================================
 # 启动终端
 cmd - return : open -a kitty
 # 关闭当前窗口，这个不需要加，macOS 默认是 cmd + q，我 Linux 也这么设置的
 # ================================ 窗口设置 ================================
 # =============== 为了避免快捷键冲突改用了 ctrl 作为 modifier =================
 # https://github.com/koekeishiya/yabai/wiki/Commands
 # 切换为平铺模式
 alt - e : yabai -m space --layout bsp
 # 切换为堆叠模式
 alt - s : yabai -m space --layout stack
 # 浮动/不浮动窗口 float
 alt - f : yabai -m window --toggle float
 # 全屏
 cmd + alt - f : yabai -m window --toggle zoom-fullscreen
 # focus window : 激活窗口快捷键  h: 左  j: 下  k: 右 l: 上 
 alt - h : yabai -m window --focus west
 alt - j : yabai -m window --focus south
 alt - k : yabai -m window --focus north
 alt - l : yabai -m window --focus east
 # 调整窗口大小
 ctrl + alt + cmd - left : yabai -m window --resize left:-50:0; yabai -m window --resize right:-50:0
 ctrl + alt + cmd - down : yabai -m window --resize bottom:0:50; yabai -m window --resize top:0:50
 ctrl + alt + cmd - up : yabai -m window --resize top:0:-50; yabai -m window --resize bottom:0:-50
 ctrl + alt + cmd - right : yabai -m window --resize right:50:0; yabai -m window --resize left:50:0
 # ================================ 多桌面配置  ================================
 # 创建一个新桌面，并把当前活动的窗口发送到新桌面，并且自动跳转到新桌面. 需要 jq 支持 brew install jq
 shift + cmd - n : yabai -m space --create && index="$(yabai -m query --spaces --display | jq '.| length')" && yabai -m window --space "${index}" && yabai -m space --focus "${index}" && yabai -m space --layout bsp
 # 在 stack 模式下通过方向键切换窗口
 ctrl - down : yabai -m window --focus stack.next || yabai -m window --focus south
 ctrl - up : yabai -m window --focus stack.prev || yabai -m window --focus north
 # 在 bsp 模式下通过方向键切换窗口
 cmd - left : yabai -m window --focus west
 cmd - right : yabai -m window --focus east
 # 切换回最近的一个桌面
 alt - r : yabai -m space --focus recent
 # 在 9 个桌面之间切换
 alt - 1 : yabai -m space --focus 1
 alt - 2 : yabai -m space --focus 2
 alt - 3 : yabai -m space --focus 3
 alt - 4 : yabai -m space --focus 4
 alt - 5 : yabai -m space --focus 5
 alt - 6 : yabai -m space --focus 6
 alt - 7 : yabai -m space --focus 7
 alt - 8 : yabai -m space --focus 8
 alt - 9 : yabai -m space --focus 9
 # 关闭当前桌面
 cmd + alt - w : yabai -m space --destroy
 # 把窗口发送到桌面，并跟随过去 send window to desktop and follow focus
 shift + cmd - z : yabai -m window --space next; yabai -m space --focus next
 shift + cmd - 1 : yabai -m window --space  1; yabai -m space --focus 1
 shift + cmd - 2 : yabai -m window --space  2; yabai -m space --focus 2
 shift + cmd - 3 : yabai -m window --space  3; yabai -m space --focus 3
 shift + cmd - 4 : yabai -m window --space  4; yabai -m space --focus 4
 shift + cmd - 5 : yabai -m window --space  5; yabai -m space --focus 5
 shift + cmd - 6 : yabai -m window --space  6; yabai -m space --focus 6
 shift + cmd - 7 : yabai -m window --space  7; yabai -m space --focus 7
 shift + cmd - 8 : yabai -m window --space  8; yabai -m space --focus 8
 shift + cmd - 9 : yabai -m window --space  9; yabai -m space --focus 9
@@ -0,0 +1,52 @@
 {
  pkgs,
  config,
  lib,
  username,
  pkgs-unstable,
  ...
 }: let
  homeDir = config.users.users."${username}".home;
 in {
  services.yabai = {
    enable = true;
    # temporary workaround for https://github.com/ryan4yin/nix-config/issues/51
    package = pkgs-unstable.yabai.overrideAttrs (oldAttrs: rec {
      version = "6.0.7";
      src =
        if pkgs.stdenv.isAarch64
        then
          (pkgs.fetchzip {
            url = "https://github.com/koekeishiya/yabai/releases/download/v${version}/yabai-v${version}.tar.gz";
            hash = "sha256-hZMBXSCiTlx/37jt2yLquCQ8AZ2LS3heIFPKolLub1c=";
          })
        else
          (pkgs.fetchFromGitHub {
            owner = "koekeishiya";
            repo = "yabai";
            rev = "v${version}";
            hash = "sha256-vWL2KA+Rhj78I2J1kGItJK+OdvhVo1ts0NoOHIK65Hg=";
          });
    });
    # Whether to enable yabai's scripting-addition.
    # SIP must be disabled for this to work.
    # https://github.com/koekeishiya/yabai/wiki/Disabling-System-Integrity-Protection
    enableScriptingAddition = true;
    # config = {};
    extraConfig = builtins.readFile ./yabairc;
  };
  # custom log path for debugging
  launchd.user.agents.yabai.serviceConfig = {
    StandardErrorPath = "${homeDir}/Library/Logs/yabai.stderr.log";
    StandardOutPath = "${homeDir}/Library/Logs/yabai.stdout.log";
  };
  launchd.daemons.yabai-sa = {
    # https://github.com/koekeishiya/yabai/issues/1287
    script = lib.mkForce ''
      echo "skip it"
    '';
  };
 }
@@ -0,0 +1,59 @@
 #!/usr/bin/env sh
 # wiki 要求在配置最前面加这个，看起来是跟 sudo 权限相关的东西
 sudo yabai --load-sa
 yabai -m signal --add event=dock_did_restart action="sudo yabai --load-sa"
 ## 输出 debug 日志，出问题时方便排查
 yabai -m config debug_output on
 # 窗口平铺
 yabai -m space --layout bsp
 # 默认拆分规则 first_child second_child
 yabai -m config window_placement             second_child
 # 窗口间距设置
 yabai -m config top_padding                  10
 yabai -m config bottom_padding               10
 yabai -m config left_padding                 10
 yabai -m config right_padding                10
 yabai -m config window_gap                   10
 # 自动平衡所有窗口始终占据相同的空间
 yabai -m config auto_balance                 off
 # 如果禁用自动平衡，此项属性定义的是新窗口占用的空间量。0.5意为旧窗口占用50%
 yabai -m config split_ratio                 0.50
 # 鼠标修饰键 意思就是按着这个键就可以使用鼠标单独修改窗口大小了
 yabai -m config mouse_modifier ctrl
 # ctrl + 鼠标左键 移动窗口
 yabai -m config mouse_action1 move
 # ctrl + 鼠标右键 调整窗口大小
 yabai -m config mouse_action2 resize
 # 焦点跟随鼠标 默认off: 关闭  autoraise:自动提升 autofocus: 自动对焦
 yabai -m config focus_follows_mouse          autofocus
 # 设置鼠标是否跟随当前活动窗口 默认 off: 关闭 on: 开启
 yabai -m config mouse_follows_focus          on
 # 修改窗口阴影 on: 打开 off: 关闭 float: 只显示浮动窗口的阴影
 yabai -m config window_shadow                float
 # 窗口透明度设置
 yabai -m config window_opacity               on
 # 配置活动窗口不透明度
 yabai -m config active_window_opacity        0.98
 yabai -m config normal_window_opacity        0.9
 yabai -m config window_opacity_duration      0.0
 # 在所有显示器上的每个空间顶部添加 0 填充 底部添加 0 填充
 yabai -m config external_bar all:0:0
 # ================================ 规则 ================================
 # 打开系统偏好设置，不使用平铺模式
 yabai -m rule --add app="^系统偏好设置$" manage=off
 yabai -m rule --add app="^提醒事项$" manage=off
 yabai -m rule --add app="^关于本机$" manage=off
 # float system preferences
 yabai -m rule --add app="^System Preferences$" manage=off
 # show digital colour meter topmost and on all spaces
 yabai -m rule --add app="^Digital Colou?r Meter$" sticky=on
 echo "yabai configuration loaded.."
@@ -1,9 +1,15 @@
-{lib, ...}: {
+{
  lib,
  vars_networking,
  ...
 }: {
  # networking.firewall.allowedTCPPorts = [ ... ];
  # networking.firewall.allowedUDPPorts = [ ... ];
  # Or disable the firewall altogether.
  networking.firewall.enable = lib.mkDefault false;
  programs.ssh = vars_networking.ssh;
  # Enable the OpenSSH daemon.
  services.openssh = {
    enable = true;
@@ -14,4 +20,18 @@
    };
    openFirewall = true;
  };
  # Network discovery, mDNS
  # With this enabled, you can access your machine at <hostname>.local
  # it's more convenient than using the IP address.
  # https://avahi.org/
  services.avahi = {
    enable = true;
    nssmdns4 = true;
    publish = {
      enable = true;
      domain = true;
      userServices = true;
    };
  };
 }
@@ -16,7 +16,7 @@
  nix.buildMachines = let
    sshUser = username;
    # ssh key's path on local machine
-    sshKey = "/home/${username}/.ssh/ai-idols";
+    sshKey = "/etc/agenix/ssh-key-romantic";
    systems = [
      # native arch
      "x86_64-linux"
@@ -68,64 +68,4 @@
  nix.extraOptions = ''
    builders-use-substitutes = true
  '';
  # define the host alias for remote builders
  # this config will be written to /etc/ssh/ssh_config
  programs.ssh.extraConfig = ''
    # idols
    Host ai
      HostName 192.168.5.100
      Port 22
    Host aquamarine
      HostName 192.168.5.101
      Port 22
    Host ruby
      HostName 192.168.5.102
      Port 22
    Host kana
      HostName 192.168.5.103
      Port 22
    # rolling girls
    Host nozomi
      HostName 192.168.5.104
      Port 22
    Host yukina
      HostName 192.168.5.105
      Port 22
    Host chiaya
      HostName 192.168.5.106
      Port 22
    Host suzu
      HostName 192.168.5.107
      Port 22
  '';
  # define the host key for remote builders so that nix can verify all the remote builders
  # this config will be written to /etc/ssh/ssh_known_hosts
  programs.ssh.knownHosts = {
    # 星野 愛久愛海, Hoshino Aquamarine
    aquamarine = {
      hostNames = ["aquamarine" "192.168.5.101"];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO0EzzjnuHBE9xEOZupLmaAj9xbYxkUDeLbMqFZ7YPjU";
    };
    # 星野 瑠美衣, Hoshino Rubii
    ruby = {
      hostNames = ["ruby" "192.168.5.102"];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHrDXNQXELnbevZ1rImfXwmQHkRcd3TDNLsQo33c2tUf";
    };
    # 有馬 かな, Arima Kana
    kana = {
      hostNames = ["kana" "192.168.5.103"];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJMVX05DQD1XJ0AqFZzsRsqgeUOlZ4opAI+8tkVXyjq+";
    };
  };
 }
@@ -22,7 +22,7 @@
  users.users."${username}" = {
    # generated by `mkpasswd -m scrypt`
    # we have to use initialHashedPassword here when using tmpfs for /
-    initialHashedPassword = "$7$CU..../....Sdl/JRH..9eIvZ6mE/52r.$xeR6lyvTcVVKt28Owcoc/vPOOECcYSiq1xjw/QCz2t0";
+    initialHashedPassword = "$7$CU..../....KDvTIXqLTXpmCaoUy2yC9.$145eM358b7Q0sRXgEBvxctd5EAuEEdao57LmZjc05D.";
    home = "/home/${username}";
    isNormalUser = true;
    extraGroups = [
@@ -37,24 +37,13 @@
    ];
  };
  users.users.root = {
-    initialHashedPassword = "$7$CU..../....X6uvZYnFD.i1CqqFFNl4./$4vgqzIPyw5XBr0aCDFbY/UIRRJr7h5SMGoQ/ZvX3FP2";
+    initialHashedPassword = config.users.users."${username}".initialHashedPassword;
    openssh.authorizedKeys.keys = config.users.users."${username}".openssh.authorizedKeys.keys;
  };
-  # DO NOT promote the specified user to input password for `nix-store` and `nix-copy-closure`
+  # The wheel group is a special user group,
-  security.sudo.extraRules = [
+  # which can access to the `su` or `sudo` command to run commands as super user.
-    {
+  #
-      users = [username];
+  # Don't ask for password for wheel group
-      commands = [
+  security.sudo.wheelNeedsPassword = false;
        {
          command = "/run/current-system/sw/bin/nix-store";
          options = ["NOPASSWD"];
        }
        {
          command = "/run/current-system/sw/bin/nix-copy-closure";
          options = ["NOPASSWD"];
        }
      ];
    }
  ];
 }
@@ -1,7 +1,7 @@
 {pkgs, ...}: {
  ###################################################################################
  #
-  #  Visualisation - Libvirt(QEMU/KVM) / Docker / LXD / WayDroid
+  #  Virtualisation - Libvirt(QEMU/KVM) / Docker / LXD / WayDroid
  #
  ###################################################################################
@@ -1,10 +1,3 @@
-{
+{mylib, ...}: {
-  imports = [
+  imports = mylib.scanPaths ./.;
    ./fonts.nix
    ./graphic.nix
    ./misc.nix
    ./peripherals.nix
    ./security.nix
    ./visualisation.nix
  ];
 }
@@ -13,10 +13,10 @@
      # Noto 系列字体是 Google 主导的，名字的含义是「没有豆腐」（no tofu），因为缺字时显示的方框或者方框被叫作 tofu
      # Noto 系列字族名只支持英文，命名规则是 Noto + Sans 或 Serif + 文字名称。
      # 其中汉字部分叫 Noto Sans/Serif CJK SC/TC/HK/JP/KR，最后一个词是地区变种。
-      noto-fonts # 大部分文字的常见样式，不包含汉字
+      # noto-fonts # 大部分文字的常见样式，不包含汉字
-      noto-fonts-cjk # 汉字部分
+      # noto-fonts-cjk # 汉字部分
      noto-fonts-emoji # 彩色的表情符号字体
-      noto-fonts-extra # 提供额外的字重和宽度变种
+      # noto-fonts-extra # 提供额外的字重和宽度变种
      # 思源系列字体是 Adobe 主导的。其中汉字部分被称为「思源黑体」和「思源宋体」，是由 Adobe + Google 共同开发的
      source-sans # 无衬线字体，不含汉字。字族名叫 Source Sans 3 和 Source Sans Pro，以及带字重的变体，加上 Source Sans 3 VF
@@ -44,8 +44,8 @@
    # the reason there's Noto Color Emoji everywhere is to override DejaVu's
    # B&W emojis that would sometimes show instead of some Color emojis
    fontconfig.defaultFonts = {
-      serif = ["Noto Serif CJK SC" "Noto Serif CJK TC" "Noto Serif CJK JP" "Noto Color Emoji"];
+      serif = ["Source Han Serif SC" "Source Han Serif TC" "Noto Color Emoji"];
-      sansSerif = ["Noto Sans CJK SC" "Noto Sans CJK TC" "Noto Sans CJK JP" "Noto Color Emoji"];
+      sansSerif = ["Source Han Sans SC" "Source Han Sans TC" "Noto Color Emoji"];
      monospace = ["JetBrainsMono Nerd Font" "Noto Color Emoji"];
      emoji = ["Noto Color Emoji"];
    };
@@ -0,0 +1,3 @@
 {mylib, ...}: {
  imports = mylib.scanPaths ./.;
 }
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Ryan Yin	9a09854c59	refactor: var_networking.ssh	2024-01-29 01:31:44 +08:00
Ryan Yin	b8f61f2946	fix: nix-darwin do not have a `programs.ssh.extraConfig`	2024-01-29 01:30:17 +08:00
Ryan Yin	b0f259253b	Merge pull request #53 from ryan4yin/router feat: nixos as a passby router	2024-01-29 01:25:01 +08:00
Ryan Yin	22066db41b	feat: passby router - aqua	2024-01-29 01:23:18 +08:00
Ryan Yin	a2814f326c	Merge pull request #52 from ryan4yin/refactor-networking refactor: centrally manage the network configuration of all hosts in …	2024-01-28 23:21:47 +08:00
Ryan Yin	ad861dcc59	refactor: centrally manage the network configuration of all hosts in homelab feat: new host - tailscalw-gw	2024-01-28 23:09:11 +08:00
Ryan Yin	3eec2a1837	fix: yabai - https://github.com/ryan4yin/nix-config/issues/51	2024-01-28 11:53:05 +08:00
Ryan Yin	40ff86d6d7	fix: yabai - https://github.com/koekeishiya/yabai/issues/1887	2024-01-28 11:02:46 +08:00
Ryan Yin	e6aa017562	Merge pull request #50 from ryan4yin/feat-remote_desktop feat: remote desktop	2024-01-28 10:12:41 +08:00
Ryan Yin	266a190b19	fix: problem disappeared after replacing the determinated nix-installer by the official one	2024-01-28 10:04:24 +08:00
Ryan Yin	0504d0503b	fix: failed to boot - replace device name by uuid	2024-01-28 09:56:40 +08:00
Ryan Yin	63d686ad3a	fix: enable kvm-intel/kvm-amd per host	2024-01-28 09:53:09 +08:00
Ryan Yin	3302f44178	feat: remote desktop	2024-01-28 02:20:35 +08:00
Ryan Yin	b231111d93	chore: use ustc's cache mirror for speed	2024-01-28 02:20:04 +08:00
Ryan Yin	dce701146c	fix: _netdev - mount after the network is available	2024-01-28 00:57:45 +08:00
Ryan Yin	62ce9eb8cb	fix: mount SMB-Downloads failed	2024-01-27 18:09:21 +08:00
Ryan Yin	6b183a0220	docs: change LUKS Key	2024-01-27 18:09:04 +08:00
Ryan Yin	90cd503219	feat: use gpg only for pass & ssh, make public keys & trust immutable	2024-01-27 17:14:14 +08:00
Ryan Yin	a0e00c5453	feat: do not import gpg public keys automatically	2024-01-27 17:09:10 +08:00
Ryan Yin	27f1d54a79	fix: typo	2024-01-27 17:00:49 +08:00
Ryan Yin	05682dbac9	feat: security - password-store, gpg, age, etc...	2024-01-27 16:56:57 +08:00
Ryan Yin	b9b9a55ede	fix: revert password-store cloning	2024-01-27 10:33:42 +08:00
Ryan Yin	b75195d339	feat: clone password-store if it not exists yet	2024-01-26 22:37:05 +08:00
Ryan Yin	7f72a0612b	feat: agenix - use the system's host ssh key for cryption	2024-01-26 22:25:42 +08:00
Ryan Yin	d1cdddc9ca	feat: update user's initialHashedPassword	2024-01-26 20:18:33 +08:00
Ryan Yin	c02590c07a	docs: gpg	2024-01-26 18:38:31 +08:00
Ryan Yin	8646c1a4ff	feat: update mysecrets	2024-01-26 18:25:48 +08:00
Ryan Yin	0b8a50b6d9	feat: update mysecrets	2024-01-26 18:15:01 +08:00
Ryan Yin	66276562b9	feat: gitgc	2024-01-26 18:12:39 +08:00
Ryan Yin	b9a206054a	feat: update mysecrets	2024-01-26 15:05:41 +08:00
Ryan Yin	7cc94146b8	feat: remove eudict, enable homebrew	2024-01-26 14:54:21 +08:00
Ryan Yin	0645a593e6	feat: update openssh keys	2024-01-26 14:46:19 +08:00
Ryan Yin	ecc335b07e	feat: security - gnupg & openssh's KDF	2024-01-26 13:47:01 +08:00
Ryan Yin	ec5ef05983	feat: darwin - zed editor	2024-01-25 17:55:53 +08:00
Ryan Yin	fd438f74c6	fix: keybinding conflict - skhd & emacs fix: reload yabai & skhd	2024-01-25 15:28:47 +08:00
Ryan Yin	7e36360550	feat: set mirror for pip	2024-01-25 15:05:01 +08:00
Ryan Yin	86bdd6539c	fix: nix first in PATH	2024-01-25 14:42:35 +08:00
Ryan Yin	9a2fa01711	feat: darwin rebuild	2024-01-25 10:56:05 +08:00
Ryan Yin	3992de319c	fix: failed to mount cifs volume on boot	2024-01-24 23:38:58 +08:00
Ryan Yin	be6e0a9882	Update README.md	2024-01-24 09:20:22 +08:00
Ryan Yin	15eb7f5a0f	feat: yabai - zoom-fullscreen	2024-01-24 00:44:55 +08:00
Ryan Yin	501b2397d8	feat: yabai - fix x86_64 build, upgrade version	2024-01-24 00:24:56 +08:00
Ryan Yin	2c08b2f1fa	docs: darwin	2024-01-23 19:54:11 +08:00
Ryan Yin	d8aeb36b27	fix: darwin - gpg: public key decryption failed: No pinentry	2024-01-23 19:49:11 +08:00
Ryan Yin	aa3c26d907	Merge pull request #46 from ryan4yin/darwin-wm feat: window manager for darwin - yabai	2024-01-23 19:24:40 +08:00
Ryan Yin	f0e0b18c5f	feat: window manager for darwin - yabai	2024-01-23 19:19:21 +08:00
Ryan Yin	55139cd4fe	Merge pull request #49 from DataEraserC/main Fix: gtk.theme not match	2024-01-23 18:59:46 +08:00
DataEraserC	533758d5da	Fix: gtk.theme not match	2024-01-23 18:56:35 +08:00
Ryan Yin	62505e4488	feat: add croc for file transfering, and age/sops for file encryption	2024-01-23 13:36:25 +08:00
Ryan Yin	1d8452f232	chore: remove duplicate code	2024-01-23 12:58:59 +08:00
Ryan Yin	e4eb232d8f	feat: don't ask for password for wheel group	2024-01-23 12:13:58 +08:00
Ryan Yin	360c218344	docs: gamemode	2024-01-23 12:04:28 +08:00
Ryan Yin	e3b0eca505	docs: steam	2024-01-23 11:53:23 +08:00
Ryan Yin	8d69b2907f	docs: helix	2024-01-23 11:41:44 +08:00
Ryan Yin	d869e7d5ce	feat: update mysecrets, disable prettier	2024-01-23 11:09:48 +08:00
Ryan Yin	4345509218	feat: persistent ~/.steam	2024-01-22 23:31:10 +08:00
Ryan Yin	a6587cfd79	feat: obs - add plugins	2024-01-22 23:24:02 +08:00
Ryan Yin	b1fac0dce5	fix: firefox - fonts for Chinese	2024-01-22 23:14:08 +08:00
Ryan Yin	f47f24cf34	fix: steam's font - remove all noto-fonts	2024-01-22 22:52:18 +08:00
Ryan Yin	05caa0c33a	feat: remove all noto-fonts	2024-01-22 22:51:19 +08:00
Ryan Yin	40921d4199	feat: gaming - gamemode + stream	2024-01-22 22:42:51 +08:00
Ryan Yin	9843ea9db5	feat: morden cli tools	2024-01-22 15:36:08 +08:00
Ryan Yin	f51242ae08	feat: morden cli tools	2024-01-22 15:27:09 +08:00
Ryan Yin	4f1c138a01	refactor: container & kubernetes	2024-01-22 14:32:05 +08:00
Ryan Yin	f7dd9cd6e2	feat: disable statix	2024-01-22 10:42:14 +08:00
Ryan Yin	c90317a84b	feat: add lazygit & lazydocker	2024-01-22 10:41:33 +08:00
Ryan Yin	7f1d365f0b	Merge pull request #45 from DataEraserC/main fix: typo	2024-01-22 02:06:22 +08:00
Sacabambaspis	9d67e03f97	fix: typo	2024-01-21 23:17:19 +08:00
Ryan Yin	d559655e26	docs: emacs - magit	2024-01-21 22:24:20 +08:00
Ryan Yin	03d822da3f	fix: typo	2024-01-21 21:48:42 +08:00
Ryan Yin	02e040d294	refactor: hosts - darwin	2024-01-21 17:17:48 +08:00
Ryan Yin	cba3212896	fix: statix fix	2024-01-21 17:07:44 +08:00
Ryan Yin	68e5d860d8	fix: failed to deploy nixos-unstable	2024-01-21 17:06:25 +08:00
Ryan Yin	a76daab3ce	refactor: hosts	2024-01-21 15:21:05 +08:00
Ryan Yin	489f82f24b	feat: add exercism	2024-01-18 18:33:32 +08:00
Ryan Yin	94aec4440e	docs: emacs - emacs keybinding full list	2024-01-18 16:53:58 +08:00
Ryan Yin	9cbffaf841	docs: emacs - magit	2024-01-18 16:28:07 +08:00
Ryan Yin	3f2049ab02	docs: emacs - magit	2024-01-18 15:55:36 +08:00
Ryan Yin	95bdf1d091	docs: emacs - magit	2024-01-18 15:45:23 +08:00
Ryan Yin	fe73f73adb	docs: vim	2024-01-18 15:02:23 +08:00
Ryan Yin	0148834e15	feat: udpate flake.lock	2024-01-18 13:04:17 +08:00
Ryan Yin	4ca27063e2	fix: https://github.com/ryan4yin/nix-config/issues/43 - /dev/xxx is not a valid luks device	2024-01-16 20:51:24 +08:00
Ryan Yin	f3f74cfd70	docs: editors	2024-01-15 15:34:35 +08:00
Ryan Yin	4d53f559b1	docs: editors(vim)	2024-01-15 14:43:22 +08:00
Ryan Yin	cf2c1a4437	docs: editors(vim)	2024-01-15 14:13:36 +08:00
Ryan Yin	29afd7f670	docs: emacs - limits	2024-01-13 22:18:02 +08:00
Ryan Yin	16b75e90b6	docs: emacs - limits	2024-01-13 17:19:08 +08:00
Ryan Yin	11bbedcde7	fix: emacs - code highlighting is buggy, remove lsp-bridge, add lsp-mode & copilot fix: emacs - unicode symbols rendering is buggy, remove +pretty from org-mode feat: emacs - add pandoc & jupyter for orgmode	2024-01-13 15:49:11 +08:00
Ryan Yin	1ec9c22fd0	Merge pull request #42 from ryan4yin/guix feat: add Guix	2024-01-13 12:52:41 +08:00
Ryan Yin	c4a28eb062	feat: add guix as a daemon service	2024-01-13 12:52:01 +08:00
Ryan Yin	8c8a9105e4	feat: use nixos-unstable	2024-01-13 00:19:03 +08:00
Ryan Yin	04a689c5d1	feat: emacs - orgmode	2024-01-11 22:09:17 +08:00
Ryan Yin	36b44128a0	Merge pull request #41 from DataEraserC/main Fix typo	2024-01-11 21:29:59 +08:00
Sacabambaspis	6fe2d2f002	Fix typo	2024-01-11 21:15:05 +08:00
Ryan Yin	9b96ff35d6	fix: typo	2024-01-11 20:12:23 +08:00
Ryan Yin	471661239f	Merge pull request #40 from DataEraserC/main Fix typo	2024-01-11 20:10:41 +08:00
Sacabambaspis	00b4997a74	Fix typo	2024-01-11 20:04:09 +08:00
Ryan Yin	1d2bdc1beb	fix: typo	2024-01-11 17:48:10 +08:00
Ryan Yin	ca5388740f	feat: docs for nixos-installer	2024-01-11 15:51:08 +08:00
Ryan Yin	1812510e0d	feat: docs for systems	2024-01-11 15:48:16 +08:00
Ryan Yin	161fd0db6a	feat: emacs - save buffers when they lose focus	2024-01-10 18:30:49 +08:00
Ryan Yin	f166761af7	fix: programs.gpg-agent do not support darwin, running gnupg agent at system level	2024-01-10 13:45:20 +08:00
Ryan Yin	228a7099d0	fix: style	2024-01-10 10:05:17 +08:00
Ryan Yin	8c9a212e64	feat: add chrome/chromium/firefox extension for password-store	2024-01-10 00:28:10 +08:00
Ryan Yin	343ebacdcf	feat: init password-store	2024-01-09 23:59:06 +08:00
Ryan Yin	b6f46da403	fix: gpg	2024-01-09 23:18:59 +08:00
Ryan Yin	2f58484b4c	docs: misc	2024-01-09 20:51:04 +08:00
Ryan Yin	7da2c3dd93	feat: add gpg & password-store	2024-01-09 19:27:08 +08:00
Ryan Yin	95fc029194	Update README.md	2024-01-09 08:51:27 +08:00
Ryan Yin	40be9f8a55	fix: do not start zellij inside emacs(vterm)	2024-01-08 14:14:12 +08:00
Ryan Yin	e42fda1d43	refactor: misc	2024-01-08 12:17:17 +08:00
Ryan Yin	70f5b26fd2	docs: emacs	2024-01-08 11:40:28 +08:00
Ryan Yin	3b796515d4	fix: emacs on darwin - vterm's color	2024-01-08 11:37:01 +08:00
Ryan Yin	e809caa9fd	feat: show PATH env	2024-01-08 10:06:29 +08:00
Ryan Yin	919527d6fc	fix: nvim-treesitter	2024-01-08 10:05:02 +08:00
Ryan Yin	31ac4f1439	feat: update flake.lock	2024-01-08 01:41:25 +08:00