docs: how to add a new machine

docs: update docs
docs: update docs, remove unused host - chiaya
2026-05-28 18:39:31 +02:00 · 2024-03-10 20:56:54 +08:00 · 2024-03-10 20:46:36 +08:00 · 2024-03-10 20:45:57 +08:00 · 2024-03-10 20:18:02 +08:00 · 2024-03-10 20:13:57 +08:00
225 changed files with 62879 additions and 1952 deletions
@@ -11,21 +11,21 @@ set shell := ["nu", "-c"]

 i3 mode="default":
  use utils.nu *; \
-  nixos-switch ai_i3 {{mode}}
+  nixos-switch ai-i3 {{mode}}

 hypr mode="default":
  use utils.nu *; \
-  nixos-switch ai_hyprland {{mode}}
+  nixos-switch ai-hyprland {{mode}}


 s-i3 mode="default":
  use utils.nu *; \
-  nixos-switch shoukei_i3 {{mode}}
+  nixos-switch shoukei-i3 {{mode}}


 s-hypr mode="default":
  use utils.nu *; \
-  nixos-switch shoukei_hyprland {{mode}}
+  nixos-switch shoukei-hyprland {{mode}}


 up:
@@ -85,44 +85,97 @@ yabai-reload:

 ############################################################################
 #
-#  Colmena - Remote NixOS deployment
+#  Homelab - NixOS servers running on bare metal
 #
 ############################################################################

-colmena-ssh-key:
-  ssh-add /etc/agenix/ssh-key-romantic
+virt:
+  colmena apply --on '@virt-*' --verbose --show-trace

-dist:
-  colmena apply --on '@dist-build'
+shoryu:
+  colmena apply --on '@shoryu' --verbose --show-trace

-dist-debug:
-  colmena apply --on '@dist-build' --verbose --show-trace
+shushou:
+  colmena apply --on '@shushou' --verbose --show-trace
+
+youko:
+  colmena apply --on '@youko' --verbose --show-trace
+
+
+############################################################################
+#
+#  Homelab - Virtual Machines running on Kubevirt
+#
+############################################################################
+
+lab:
+  colmena apply --on '@homelab-*' --verbose --show-trace

 aqua:
-  colmena apply --on '@aqua'
+  colmena apply --on '@aqua' --verbose --show-trace
+  # some config changes require a restart of the dae service
+  ssh root@aquamarine "sudo systemctl stop dae; sleep 1; sudo systemctl start dae"

 ruby:
-  colmena apply --on '@ruby'
+  colmena apply --on '@ruby' --verbose --show-trace

 kana:
-  colmena apply --on '@kana'
+  colmena apply --on '@kana' --verbose --show-trace

-tailscale_gw:
-  colmena apply --on '@tailscale_gw'
+tailscale:
+  colmena apply --on '@tailscale-gw' --verbose --show-trace

-pve-image:
-  nom build .#tailscale_gw
-  rsync -avz --progress --copy-links result root@s500plus:/var/lib/vz/dump/vzdump-qemu-tailscale_gw.vma.zst
+# pve-aqua:
+#   nom build .#aquamarine
+#   rsync -avz --progress --copy-links result root@um560:/var/lib/vz/dump/vzdump-qemu-aquamarine.vma.zst
+#
+# pve-ruby:
+#   nom build .#ruby
+#   rsync -avz --progress --copy-links result root@um560:/var/lib/vz/dump/vzdump-qemu-ruby.vma.zst
+#
+# pve-kana:
+#   nom build .#kana
+#   rsync -avz --progress --copy-links result root@gtr5:/var/lib/vz/dump/vzdump-qemu-kana.vma.zst
+#
+# pve-tsgw:
+#   nom build .#tailscale-gw
+#   rsync -avz --progress --copy-links result root@um560:/var/lib/vz/dump/vzdump-qemu-tailscale-gw.vma.zst
+#

-  nom build .#aquamarine
-  rsync -avz --progress --copy-links result root@s500plus:/var/lib/vz/dump/vzdump-qemu-aquamarine.vma.zst
+############################################################################
+#
+# Kubernetes related commands
+#
+############################################################################

-  nom build .#ruby
-  rsync -avz --progress --copy-links result root@gtr5:/var/lib/vz/dump/vzdump-qemu-ruby.vma.zst
+k3s:
+  colmena apply --on '@k3s-*' --verbose --show-trace

-  nom build .#kana
-  rsync -avz --progress --copy-links result root@um560:/var/lib/vz/dump/vzdump-qemu-kana.vma.zst
+master:
+  colmena apply --on '@k3s-prod-1-master-*' --verbose --show-trace

+worker:
+  colmena apply --on '@k3s-prod-1-worker-*' --verbose --show-trace
+
+# pve-k8s:
+#   nom build .#k3s-prod-1-master-1
+#   rsync -avz --progress --copy-links result root@um560:/var/lib/vz/dump/vzdump-qemu-k3s-prod-1-master-1.vma.zst
+#
+#   nom build .#k3s-prod-1-master-2
+#   rsync -avz --progress --copy-links result root@gtr5:/var/lib/vz/dump/vzdump-qemu-k3s-prod-1-master-2.vma.zst
+#
+#   nom build .#k3s-prod-1-master-3
+#   rsync -avz --progress --copy-links result root@s500plus:/var/lib/vz/dump/vzdump-qemu-k3s-prod-1-master-3.vma.zst
+#
+#   nom build .#k3s-prod-1-worker-1
+#   rsync -avz --progress --copy-links result root@gtr5:/var/lib/vz/dump/vzdump-qemu-k3s-prod-1-worker-1.vma.zst
+#
+#   nom build .#k3s-prod-1-worker-2
+#   rsync -avz --progress --copy-links result root@s500plus:/var/lib/vz/dump/vzdump-qemu-k3s-prod-1-worker-2.vma.zst
+#
+#   nom build .#k3s-prod-1-worker-3
+#   rsync -avz --progress --copy-links result root@s500plus:/var/lib/vz/dump/vzdump-qemu-k3s-prod-1-worker-3.vma.zst
+#

 ############################################################################
 #
@@ -130,17 +183,14 @@ pve-image:
 #
 ############################################################################

-roll:
-  colmena apply --on '@riscv'
-
-roll-debug:
-  colmena apply --on '@dist-build' --verbose --show-trace
+riscv:
+  colmena apply --on '@riscv' --verbose --show-trace

 nozomi:
-  colmena apply --on '@nozomi'
+  colmena apply --on '@nozomi' --verbose --show-trace

 yukina:
-  colmena apply --on '@yukina'
+  colmena apply --on '@yukina' --verbose --show-trace

 ############################################################################
 #
@@ -149,13 +199,21 @@ yukina:
 ############################################################################

 aarch:
-  colmena apply --on '@aarch'
+  colmena apply --on '@aarch' --verbose --show-trace

 suzu:
-  colmena apply --on '@suzu'
+  colmena apply --on '@suzu' --build-on-target --verbose --show-trace

-suzu-debug:
-  colmena apply --on '@suzu' --verbose --show-trace
+suzu-local mode="default":
+  use utils.nu *; \
+  nixos-switch suzu {{mode}}
+
+rakushun:
+  colmena apply --on '@rakushun' --build-on-target --verbose --show-trace
+
+rakushun-local mode="default":
+  use utils.nu *; \
+  nixos-switch rakushun {{mode}}

 ############################################################################
 #
@@ -212,3 +270,14 @@ emacs-purge:
 emacs-reload:
  doom sync
  {{reload-emacs-cmd}}
+
+
+# =================================================
+#
+# Kubernetes related commands
+#
+# =================================================
+
+
+del-failed:
+   kubectl delete pod --all-namespaces --field-selector="status.phase==Failed"
@@ -14,7 +14,16 @@
  </a>
 </p>

-This repository is home to the nix code that builds my systems.
+> My configuration is becoming more and more complex, and it may be difficult for beginners to read it.
+> If you are new to NixOS and want to know how I use NixOS, I would recommend you to take a look at the [ryan4yin/nix-config/releases](https://github.com/ryan4yin/nix-config/releases) first, **checkout to some simpler older versions**, which will be much easier to understand.
+
+This repository is home to the nix code that builds my systems:
+
+1. NixOS Desktops: NixOS with home-manager, i3, hyprland, agenix, etc.
+2. macOS Desktops: nix-darwin with home-manager, share the same home-manager configuration with NixOS Desktops.
+3. NixOS Servers: virtual machines running on Proxmox, with various services, such as kubernetes, homepage, prometheus, grafana, etc.
+
+See [./hosts](./hosts) for details of each host.

 ## Why NixOS & Flakes?

@@ -47,7 +56,7 @@ As for Flakes, refer to [Introduction to Flakes - NixOS & Nix Flakes Book](https
 | **Text Editor**             | [Neovim][Neovim] + [DoomEmacs][DoomEmacs]                                                                         | [Neovim][Neovim] + [DoomEmacs][DoomEmacs]                                                                         |
 | **Fonts**                   | [Nerd fonts][Nerd fonts]                                                                                          | [Nerd fonts][Nerd fonts]                                                                                          |
 | **Image Viewer**            | [imv][imv]                                                                                                        | [imv][imv]                                                                                                        |
-| **Screenshot Software**     | [grim][grim]                                                                                                      | [flameshot](https://github.com/flameshot-org/flameshot)                                                           |
+| **Screenshot Software**     | [flameshot][flameshot] + [grim][grim]                                                                             | [flameshot][flameshot]                                                                                            |
 | **Screen Recording**        | [OBS][OBS]                                                                                                        | [OBS][OBS]                                                                                                        |
 | **Filesystem & Encryption** | tmpfs on `/`, [Btrfs][Btrfs] subvolumes on a [LUKS][LUKS] crypted partition for persistent, unlock via passphrase | tmpfs on `/`, [Btrfs][Btrfs] subvolumes on a [LUKS][LUKS] crypted partition for persistent, unlock via passphrase |
 | **Secure Boot**             | [lanzaboote][lanzaboote]                                                                                          | [lanzaboote][lanzaboote]                                                                                          |
@@ -75,17 +84,16 @@ See [./home/base/desktop/editors/neovim/](./home/base/desktop/editors/neovim/) f

 See [./home/base/desktop/editors/emacs/](./home/base/desktop/editors/emacs/) for details.

-## Hosts
-
-See [./hosts](./hosts) for details.
-
 ## Secrets Management

 See [./secrets](./secrets) for details.

 ## How to Deploy this Flake?

-> :red_circle: **IMPORTANT**: **You should NOT deploy this flake directly on your machine:exclamation: It will not succeed.** this flake contains my hardware configuration(such as [hardware-configuration.nix](hosts/idols_ai/hardware-configuration.nix), [cifs-mount.nix](https://github.com/ryan4yin/nix-config/blob/v0.1.1/hosts/idols_ai/cifs-mount.nix), [Nvidia Support](https://github.com/ryan4yin/nix-config/blob/v0.1.1/hosts/idols_ai/default.nix#L77-L91), etc.) which is not suitable for your hardware, and my private secrets repository [ryan4yin/nix-secrets](https://github.com/ryan4yin/nix-config/tree/main/secrets) that only I have access to. You may use this repo as a reference to build your own configuration.
+> :red_circle: **IMPORTANT**: **You should NOT deploy this flake directly on your machine :exclamation: It will not succeed.** 
+> This flake contains my hardware configuration(such as [hardware-configuration.nix](hosts/idols-ai/hardware-configuration.nix), [cifs-mount.nix](https://github.com/ryan4yin/nix-config/blob/v0.1.1/hosts/idols_ai/cifs-mount.nix), [Nvidia Support](https://github.com/ryan4yin/nix-config/blob/v0.1.1/hosts/idols-ai/default.nix#L77-L91), etc.) which is not suitable for your hardwares,
+> and requires my private secrets repository [ryan4yin/nix-secrets](https://github.com/ryan4yin/nix-config/tree/main/secrets) to deploy.
+> You may use this repo as a reference to build your own configuration.

 For NixOS:

@@ -96,7 +104,7 @@ For NixOS:
 ```bash
 # deploy one of the configuration based on the hostname
 sudo nixos-rebuild switch --flake .#ai_i3
-# sudo nixos-rebuild switch --flake .#ai_hyprland
+# sudo nixos-rebuild switch --flake .#ai-hyprland

 # deploy via `just`(a command runner with similar syntax to make) & Justfile
 just i3    # deploy my pc with i3 window manager
@@ -110,12 +118,15 @@ just i3 debug
 For macOS:

 ```bash
-# deploy harmonica's configuration(macOS Intel)
-just ha
-
 # If you are deploying for the first time,
-# enter a shell with essential packages available
-# nix shell nixpkgs#just nixpkgs#git
+# 1. install nix & homebrew manually.
+# 2. prepare the deployment environment with essential packages available
+nix-shell -p just nushell
+# 3. comment home-manager's code in lib/macosSystem.nix to speed up the first deplyment.
+# 4. comment out the proxy settings in scripts/darwin_set_proxy.py if the proxy is not ready yet.
+
+# 4. deploy harmonica's configuration(macOS Intel)
+just ha

 # deploy fern's configuration(Apple Silicon)
 just fe
@@ -137,7 +148,7 @@ nom build .#aquamarine  # `nom`(nix-output-monitor) can be replaced by the stand

 # 2. upload the genereated image to proxmox server's backup directory `/var/lib/vz/dump`
 #    please replace the vma file name with the one you generated in step 1.
-rsync -avz --progress --copy-links result root@gtr5:/var/lib/vz/dump/vzdump-qemu-aquamarine.vma.zst
+rsync -avz --progress --copy-links result root@um560:/var/lib/vz/dump/vzdump-qemu-aquamarine.vma.zst

 # 3. the image we uploaded will be listed in proxmox web ui's this page: [storage 'local'] -> [backups], we can restore a vm from it via the web ui now.
 ```
@@ -169,6 +180,7 @@ Other dotfiles that inspired me:
  - [gvolpe/nix-config](https://github.com/gvolpe/nix-config)
  - [Ruixi-rebirth/flakes](https://github.com/Ruixi-rebirth/flakes)
  - [fufexan/dotfiles](https://github.com/fufexan/dotfiles): gtk theme, xdg, git, media, anyrun, etc.
+  - [nix-community/srvos](https://github.com/nix-community/srvos): a collection of opinionated and sharable NixOS configurations for servers
 - Modularized NixOS Configuration
  - [hlissner/dotfiles](https://github.com/hlissner/dotfiles)
  - [viperML/dotfiles](https://github.com/viperML/dotfiles)
@@ -203,6 +215,7 @@ Other dotfiles that inspired me:
 [DoomEmacs]: https://github.com/doomemacs/doomemacs
 [flameshot]: https://github.com/flameshot-org/flameshot
 [grim]: https://github.com/emersion/grim
+[flameshot]: https://github.com/flameshot-org/flameshot
 [imv]: https://sr.ht/~exec64/imv/
 [OBS]: https://obsproject.com
 [Mako]: https://github.com/emersion/mako
@@ -1,17 +0,0 @@
-rec {
-  # user information
-  username = "ryan";
-  userfullname = "Ryan Yin";
-  useremail = "xiaoyin_c@qq.com";
-
-  allSystemAttrs = {
-    # linux systems
-    x64_system = "x86_64-linux";
-    riscv64_system = "riscv64-linux";
-    aarch64_system = "aarch64-linux";
-    #darwin systems
-    x64_darwin = "x86_64-darwin";
-    aarch64_darwin = "aarch64-darwin";
-  };
-  allSystems = builtins.attrValues allSystemAttrs;
-}
@@ -1,5 +1,5 @@
 {
-  description = "NixOS & macOS configuration of Ryan Yin";
+  description = "Ryan Yin's nix configuration for both NixOS & macOS";

  ##################################################################################################################
  #
@@ -8,68 +8,7 @@
  #
  ##################################################################################################################

-  # The `outputs` function will return all the build results of the flake.
-  # A flake can have many use cases and different types of outputs,
-  # parameters in `outputs` are defined in `inputs` and can be referenced by their names.
-  # However, `self` is an exception, this special parameter points to the `outputs` itself (self-reference)
-  # The `@` syntax here is used to alias the attribute set of the inputs's parameter, making it convenient to use inside the function.
-  outputs = inputs @ {
-    self,
-    nixpkgs,
-    pre-commit-hooks,
-    ...
-  }: let
-    constants = import ./constants.nix;
-
-    # `lib.genAttrs [ "foo" "bar" ] (name: "x_" + name)` => `{ foo = "x_foo"; bar = "x_bar"; }`
-    forEachSystem = func: (nixpkgs.lib.genAttrs constants.allSystems func);
-
-    allSystemConfigurations = import ./systems {inherit self inputs constants;};
-  in
-    allSystemConfigurations
-    // {
-      # format the nix code in this flake
-      # alejandra is a nix formatter with a beautiful output
-      formatter = forEachSystem (
-        system: nixpkgs.legacyPackages.${system}.alejandra
-      );
-
-      # pre-commit hooks for nix code
-      checks = forEachSystem (
-        system: {
-          pre-commit-check = pre-commit-hooks.lib.${system}.run {
-            src = ./.;
-            hooks = {
-              alejandra.enable = true; # formatter
-              # deadnix.enable = true; # detect unused variable bindings in `*.nix`
-              # statix.enable = true; # lints and suggestions for Nix code(auto suggestions)
-              # prettier = {
-              #   enable = true;
-              #   excludes = [".js" ".md" ".ts"];
-              # };
-            };
-          };
-        }
-      );
-      devShells = forEachSystem (
-        system: let
-          pkgs = nixpkgs.legacyPackages.${system};
-        in {
-          default = pkgs.mkShell {
-            packages = with pkgs; [
-              # fix https://discourse.nixos.org/t/non-interactive-bash-errors-from-flake-nix-mkshell/33310
-              bashInteractive
-              # fix `cc` replaced by clang, which causes nvim-treesitter compilation error
-              gcc
-            ];
-            name = "dots";
-            shellHook = ''
-              ${self.checks.${system}.pre-commit-check.shellHook}
-            '';
-          };
-        }
-      );
-    };
+  outputs = inputs: import ./outputs inputs;

  # the nixConfig here only affects the flake itself, not the system configuration!
  # for more information, see:
@@ -96,7 +35,7 @@
    # There are many ways to reference flake inputs. The most widely used is github:owner/name/reference,
    # which represents the GitHub repository URL + branch/commit-id/tag.

-    # Official NixOS package source, using nixos's stable branch by default
+    # Official NixOS package source, using nixos's unstable branch by default
    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
    nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-23.11";
@@ -147,8 +86,8 @@
    };
    # secrets management
    agenix = {
-      # lock with git commit at 0.14.0
-      url = "github:ryantm/agenix/54693c91d923fecb4cf04c4535e3d84f8dec7919";
+      # lock with git commit at 0.15.0
+      url = "github:ryantm/agenix/564595d0ad4be7277e07fa63b5a991b3c645655d";
      # replaced with a type-safe reimplementation to get a better error message and less bugs.
      # url = "github:ryan4yin/ragenix";
      inputs.nixpkgs.follows = "nixpkgs";
@@ -156,6 +95,11 @@

    nix-gaming.url = "github:fufexan/nix-gaming";

+    disko = {
+      url = "github:nix-community/disko";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
    # add git hooks to format nix code before commit
    pre-commit-hooks = {
      url = "github:cachix/pre-commit-hooks.nix";
@@ -164,6 +108,16 @@

    nuenv.url = "github:DeterminateSystems/nuenv";

+    # daeuniverse.url = "github:daeuniverse/flake.nix/unstable";
+    daeuniverse.url = "github:daeuniverse/flake.nix/exp";
+
+    attic.url = "github:zhaofengli/attic";
+
+    haumea = {
+      url = "github:nix-community/haumea/v0.2.2";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
    ########################  Some non-flake repositories  #########################################

    # AstroNvim is an aesthetic and feature-rich neovim config.
@@ -1,8 +1,8 @@
-{username, ...}: {
+{myvars, ...}: {
  # Home Manager needs a bit of information about you and the
  # paths it should manage.
  home = {
-    inherit username;
+    inherit (myvars) username;

    # This value determines the Home Manager release that your
    # configuration is compatible with. This helps avoid breakage
@@ -1,10 +1,21 @@
-{pkgs, ...}: {
+{
+  lib,
+  pkgs,
+  ...
+}: {
  home.packages = with pkgs;
    [
-      # general tools
-      pulumi
-      pulumictl
-      packer # machine image builder
+      # infrastructure as code
+      # pulumi
+      # pulumictl
+      # tf2pulumi
+      # crd2pulumi
+      # pulumiPackages.pulumi-random
+      # pulumiPackages.pulumi-command
+      # pulumiPackages.pulumi-aws-native
+      # pulumiPackages.pulumi-language-go
+      # pulumiPackages.pulumi-language-python
+      # pulumiPackages.pulumi-language-nodejs

      # aws
      awscli2
@@ -16,12 +27,11 @@
      aliyun-cli
    ]
    ++ (
-      if pkgs.stdenv.isLinux
-      then [
+      lib.optionals pkgs.stdenv.isLinux [
        # cloud tools that nix do not have cache for.
        terraform
        terraformer # generate terraform configs from existing cloud resources
+        packer # machine image builder
      ]
-      else []
    );
 }
@@ -16,6 +16,8 @@

  home.packages = with pkgs;
    [
+      colmena # nixos's remote deployment tool
+
      # db related
      dbeaver
      mycli
@@ -34,14 +36,12 @@
      bfg-repo-cleaner # remove large files from git history
      k6 # load testing tool
      protobuf # protocol buffer compiler
-      nix-init # generate nix package from url

      # solve coding extercises - learn by doing
      exercism
    ]
    ++ (
-      if pkgs.stdenv.isLinux
-      then [
+      lib.optionals pkgs.stdenv.isLinux [
        # Automatically trims your branches whose tracking remote refs are merged or gone
        # It's really useful when you work on a project for a long time.
        git-trim
@@ -54,8 +54,8 @@
        mitmproxy # http/https proxy tool
        insomnia # REST client
        wireshark # network analyzer
+        ventoy # create bootable usb
      ]
-      else []
    );

  programs = {
@@ -47,7 +47,7 @@ in {
        zstd # for undo-fu-session/undo-tree compression

        # go-mode
-        gocode
+        # gocode # project archived, use gopls instead

        ## Module dependencies
        # :checkers spell
@@ -129,9 +129,7 @@
      (ripgrep.override {withPCRE2 = true;}) # recursively searches directories for a regex pattern
    ]
    ++ (
-      if pkgs.stdenv.isDarwin
-      then []
-      else [
+      lib.optionals pkgs.stdenv.isLinux [
        #-- verilog / systemverilog
        verible
        gdb
@@ -19,10 +19,10 @@
    mutableKeys = false;
    publicKeys = [
      # https://www.gnupg.org/gph/en/manual/x334.html
-      # {
-      #   source = "${mysecrets}/public/ryan4yin-gpg-keys.pub";
-      #   trust = 5;
-      # } # ultimate trust, my own keys.
+      {
+        source = "${mysecrets}/public/ryan4yin-gpg-keys-2014-01-27.pub";
+        trust = 5;
+      } # ultimate trust, my own keys.
    ];

    # This configuration is based on the tutorial below, it allows for a robust setup
@@ -4,12 +4,12 @@
  programs.ssh = {
    enable = true;

-    # all my ssh private key are generated by `ssh-keygen -t ed25519 -C "ryan@nickname"`
-    # the config's format:
+    # All my ssh private key are generated by `ssh-keygen -t ed25519 -a 256 -C "xxx@xxx"`
+    # Config format:
    #   Host —  given the pattern used to match against the host name given on the command line.
    #   HostName — specify nickname or abbreviation for host
    #   IdentityFile — the location of your SSH key authentication file for the account.
-    # format in details:
+    # Format in details:
    #   https://www.ssh.com/academy/ssh/config
    extraConfig = ''
      # a private key that is used during authentication will be added to ssh-agent if it is running
@@ -36,18 +36,6 @@
      Host s500plus
        HostName 192.168.5.174
        Port 22
-
-      Host k8s-main
-        HostName 192.168.5.181
-        ForwardAgent yes
-
-      Host k8s-data1
-        HostName 192.168.5.182
-        ForwardAgent yes
-
-      Host k8s-data2
-        HostName 192.168.5.183
-        ForwardAgent yes
    '';
  };
 }
@@ -18,18 +18,23 @@
  # we can add wezterm as a flake input once this PR is merged:
  #    https://github.com/wez/wezterm/pull/3547

-  programs.wezterm =
-    {
-      enable = false; # disable
+  programs.wezterm = {
+    enable = true; # disable

-      # TODO: Fix: https://github.com/wez/wezterm/issues/4483
-      # package = pkgs.wezterm.override { };
+    # install wezterm via homebrew on macOS to avoid compilation, dummy package here.
+    package =
+      if pkgs.stdenv.isLinux
+      then pkgs.wezterm
+      else pkgs.hello;
+
+    enableBashIntegration = pkgs.stdenv.isLinux;
+    enableZshIntegration = pkgs.stdenv.isLinux;

    extraConfig = let
      fontsize =
-          if pkgs.stdenv.isDarwin
-          then "14.0"
-          else "13.0";
+        if pkgs.stdenv.isLinux
+        then "13.0"
+        else "14.0";
    in ''
      -- Pull in the wezterm API
      local wezterm = require 'wezterm'
@@ -96,15 +101,5 @@

      return config
    '';
-    }
-    // (
-      if pkgs.stdenv.isDarwin
-      then {
-        # install wezterm via homebrew on macOS to avoid compilation, dummy package here.
-        # package = pkgs.hello;
-        enableBashIntegration = false;
-        enableZshIntegration = false;
-      }
-      else {}
-    );
+  };
 }
@@ -10,7 +10,7 @@ in {
  programs.nushell.extraConfig = ''
    # auto start zellij
    # except when in emacs or zellij itself
-    if (not "ZELLIJ" in $env) and (not "INSIDE_EMACS" in $env) {
+    if (not ("ZELLIJ" in $env)) and (not ("INSIDE_EMACS" in $env)) {
      if "ZELLIJ_AUTO_ATTACH" in $env and $env.ZELLIJ_AUTO_ATTACH == "true" {
        ^zellij attach -c
      } else {
@@ -12,13 +12,21 @@

    kubectl
    istioctl
+    kubevirt # virtctl
    kubernetes-helm
+    fluxcd
+    argocd
  ];

  programs = {
    k9s = {
      enable = true;
-      skin = let
+      # https://k9scli.io/topics/aliases/
+      # aliases = {};
+      settings = {
+        skin = "catppuccino-mocha";
+      };
+      skins.catppuccin-mocha = let
        skin_file = "${nur-ryan4yin.packages.${pkgs.system}.catppuccin-k9s}/dist/mocha.yml"; # theme - catppuccin mocha
        skin_attr = builtins.fromJSON (
          builtins.readFile
@@ -1,49 +1,18 @@
 {
  pkgs,
+  attic,
  nur-ryan4yin,
  ...
 }: {
-  home.packages = with pkgs; [
-    neofetch
-
-    # networking tools
-    mtr # A network diagnostic tool
-    iperf3
-    dnsutils # `dig` + `nslookup`
-    ldns # replacement of `dig`, it provide the command `drill`
-    aria2 # A lightweight multi-protocol & multi-source command-line download utility
-    socat # replacement of openbsd-netcat
-    nmap # A utility for network discovery and security auditing
-    ipcalc # it is a calculator for the IPv4/v6 addresses
-
-    # archives
-    zip
-    xz
-    unzip
-    p7zip
-
-    # misc
+  home.packages = with pkgs;
+    [
+      # Misc
      tldr
      cowsay
-    file
-    findutils
-    which
-    tree
-    gnutar
-    zstd
      gnupg
-    rsync
-
-    # Text Processing
-    # Docs: https://github.com/learnbyexample/Command-line-text-processing
-
-    gnugrep # GNU grep, provides `grep`/`egrep`/`fgrep`
-    gnused # GNU sed, very powerful(mainly for replacing text in files)
      gnumake
-    gawk # GNU awk, a pattern scanning and processing language
-    jq # A lightweight and flexible command-line JSON processor

-    # morden cli tools, replacement of grep/sed/...
+      # Morden cli tools, replacement of grep/sed/...

      # Interactively filter its input using fuzzy searching, not limit to filenames.
      fzf
@@ -74,11 +43,20 @@
      # it provides the command `nom` works just like `nix
      # with more details log output
      nix-output-monitor
+      hydra-check # check hydra(nix's build farm) for the build status of a package
+      nix-index # A small utility to index nix store paths
+      nix-init # generate nix derivation from url
+      # https://github.com/nix-community/nix-melt
+      nix-melt # A TUI flake.lock viewer
+      # https://github.com/utdemir/nix-tree
+      nix-tree # A TUI to visualize the dependency graph of a nix derivation

      # productivity
      caddy # A webserver with automatic HTTPS via Let's Encrypt(replacement of nginx)
      croc # File transfer between computers securely and easily
-  ];
+    ]
+    # self-hosted nix cache server
+    ++ lib.optionals pkgs.stdenv.isLinux [attic.packages.${pkgs.system}.attic-client];

  programs = {
    # A modern replacement for ‘ls’
@@ -2,8 +2,7 @@
  config,
  lib,
  pkgs,
-  userfullname,
-  useremail,
+  myvars,
  ...
 }: {
  # `programs.git` will generate the config file: ~/.config/git/config
@@ -21,8 +20,8 @@
    enable = true;
    lfs.enable = true;

-    userName = userfullname;
-    userEmail = useremail;
+    userName = myvars.userfullname;
+    userEmail = myvars.useremail;

    includes = [
      {
@@ -2,6 +2,12 @@ _: {
  # use mirror for pip install
  xdg.configFile."pip/pip.conf".text = ''
    [global]
-    index-url = https://mirrors.bfsu.edu.cn/pypi/web/simple
+    index-url = https://mirrors.ustc.edu.cn/pypi/web/simple
+    format = columns
  '';
+
+  # xdg.configFile."pip/pip.conf".text = ''
+  #   [global]
+  #   index-url = https://mirrors.bfsu.edu.cn/pypi/web/simple
+  # '';
 }
@@ -1,3 +1,3 @@
-{username, ...}: {
-  home.homeDirectory = "/Users/${username}";
+{myvars, ...}: {
+  home.homeDirectory = "/Users/${myvars.username}";
 }
@@ -2,6 +2,24 @@ let
  envExtra = ''
    export PATH="$PATH:/opt/homebrew/bin:/usr/local/bin"
  '';
+  # copied from the content generated by `conda init bash`
+  initExtra = ''
+    arch=$(uname -m)
+
+    if [ "aarch64" = "$arch" ] ||  [ "arm64" = "$arch" ]; then
+      # >>> (miniforge)conda initialize >>>
+      # !! Contents within this block are managed by 'conda init' !!
+      if [ -f "/opt/homebrew/Caskroom/miniforge/base/etc/profile.d/conda.sh" ]; then
+          . "/opt/homebrew/Caskroom/miniforge/base/etc/profile.d/conda.sh"
+      else
+          export PATH="/opt/homebrew/Caskroom/miniforge/base/bin:$PATH"
+      fi
+      # <<< conda initialize <<<
+    elif [[ "x86_64" = "$arch" ]]; then
+      # do nothing
+      true
+    fi
+  '';
 in {
  # Homebrew's default install location:
  #   /opt/homebrew for Apple Silicon
@@ -10,10 +28,10 @@ in {
  # in /opt/homebrew for Apple Silicon and /usr/local for Rosetta 2 to coexist and use bottles.
  programs.bash = {
    enable = true;
-    bashrcExtra = envExtra;
+    bashrcExtra = envExtra + initExtra;
  };
  programs.zsh = {
    enable = true;
-    inherit envExtra;
+    inherit envExtra initExtra;
  };
 }
@@ -0,0 +1,3 @@
+{myvars, ...}: {
+  programs.ssh.extraConfig = myvars.networking.ssh.extraConfig;
+}
@@ -1,13 +1,13 @@
 {
  config,
-  username,
+  myvars,
  ...
 }: let
  d = config.xdg.dataHome;
  c = config.xdg.configHome;
  cache = config.xdg.cacheHome;
 in rec {
-  home.homeDirectory = "/home/${username}";
+  home.homeDirectory = "/home/${myvars.username}";

  # environment variables that always set at login
  home.sessionVariables = {
@@ -1,29 +1,9 @@
 {pkgs, ...}: {
  # Linux Only Packages, not available on Darwin
  home.packages = with pkgs; [
-    nmon
-    iotop
-    iftop
-
    # misc
    libnotify
    wireguard-tools # manage wireguard vpn manually, via wg-quick
-
-    # system call monitoring
-    strace # system call monitoring
-    ltrace # library call monitoring
-    bpftrace # powerful tracing tool
-    tcpdump # network sniffer
-    lsof # list open files
-
-    # system tools
-    sysstat
-    lm_sensors # for `sensors` command
-    ethtool
-    pciutils # lspci
-    usbutils # lsusb
-    hdparm # for disk performance, command
-    dmidecode # a tool that reads information about your system's hardware from the BIOS according to the SMBIOS/DMI standard
  ];

  # auto mount usb drives
@@ -9,8 +9,8 @@
 ## Why install I3/Hyprland in Home Manager instead of a NixOS Module?

 1. I3 & Hyprland's configuration file is located in `~/.config`, which can be easily managed by Home Manager.
-2. There're other user-specific systemd servcies, such gammastep, wallpaper-switcher, etc. which can be easily managed by Home Manager, but if we start i3/hyprland in NixOS Module, they may failed to start automatically. With i3/hyprland installed via home-manager, we can control their systemd service's dependent order, to avoid issues like this.
-3. By install as less as possible in NixOS Module, we can:
+2. I have many user-specific systemd servcies, such gammastep, wallpaper-switcher, etc. Which can be easily managed by Home Manager, but if we add i3/hyprland in a NixOS Module, those user-level services may failed to start automatically. With i3/hyprland in a Home Manager Module, we can control their systemd service's dependent order more easily, so we can avoid issues like this.
+3. By install packages as less as possible in NixOS Module, we can:
    1. Make the NixOS system more secure and stable.
    2. Make this flake more portable to other non-NixOS systems, as home-manager can be installed on any Linux system.

@@ -0,0 +1,7 @@
+{pkgs, ...}: {
+  home.packages = with pkgs; [
+    # https://joplinapp.org/help/
+    joplin # joplin-cli
+    joplin-desktop
+  ];
+}
@@ -30,14 +30,17 @@
    #  ls /etc/profiles/per-user/ryan/share/applications/
    mimeApps = {
      enable = true;
+      # let `xdg-open` to open the url with the correct application.
      defaultApplications = let
        browser = ["firefox.desktop"];
+        editor = ["nvim.desktop" "Helix.desktop" "code.desktop" "code-insiders.desktop"];
      in {
        "application/json" = browser;
        "application/pdf" = browser; # TODO: pdf viewer

        "text/html" = browser;
        "text/xml" = browser;
+        "text/plain" = editor;
        "application/xml" = browser;
        "application/xhtml+xml" = browser;
        "application/xhtml_xml" = browser;
@@ -48,12 +51,18 @@
        "application/x-extension-shtml" = browser;
        "application/x-extension-xht" = browser;
        "application/x-extension-xhtml" = browser;
+        "application/x-wine-extension-ini" = editor;

-        "x-scheme-handler/about" = browser;
-        "x-scheme-handler/ftp" = browser;
+        # define default applications for some url schemes.
+        "x-scheme-handler/about" = browser; # open `about:` url with `browser`
+        "x-scheme-handler/ftp" = browser; # open `ftp:` url with `browser`
        "x-scheme-handler/http" = browser;
        "x-scheme-handler/https" = browser;
-        "x-scheme-handler/unknown" = browser;
+        # https://github.com/microsoft/vscode/issues/146408
+        "x-scheme-handler/vscode" = ["code-url-handler.desktop"]; # open `vscode://` url with `code-url-handler.desktop`
+        "x-scheme-handler/vscode-insiders" = ["code-insiders-url-handler.desktop"]; # open `vscode-insiders://` url with `code-insiders-url-handler.desktop`
+        # all other unknown schemes will be opened by this default application.
+        # "x-scheme-handler/unknown" = editor;

        "x-scheme-handler/discord" = ["discord.desktop"];
        "x-scheme-handler/tg" = ["org.telegram.desktop.desktop "];
@@ -94,7 +94,6 @@ $term = kitty
 $app_launcher = ~/.config/hypr/scripts/menu
 $volume = ~/.config/hypr/scripts/volume
 $backlight = ~/.config/hypr/scripts/brightness
-$screenshot = ~/.config/hypr/scripts/screenshot
 $lockscreen = ~/.config/hypr/scripts/lockscreen
 $wlogout = ~/.config/hypr/scripts/wlogout
 $colorpicker = ~/.config/hypr/scripts/colorpicker
@@ -137,9 +136,11 @@ bind=,XF86AudioPlay,exec,mpc toggle
 bind=,XF86AudioStop,exec,mpc stop

 # -- Screenshots --
-bind=,Print,exec,$screenshot --now
-bind=SUPER,Print,exec,$screenshot --win
-bind=CTRL,Print,exec,$screenshot --area
+bind=,Print,exec,hyprshot -m output -o ~/Pictures/Screenshots -- imv
+bind=SUPER,Print,exec,hyprshot -m window -o ~/Pictures/Screenshots -- imv
+# flameshot do not recognize hyprland as a wayland compositor, so we set it to sway here
+bind=CTRL,Print,exec,XDG_CURRENT_DESKTOP=sway flameshot gui --raw -p ~/Pictures/Screenshots | wl-copy
+# bind=CTRL,Print,exec,hyprshot -m region -o ~/Pictures/Screenshots -- imv

 # Focus
 bind=SUPER,left,movefocus,l
@@ -195,8 +196,3 @@ exec-once=cp ~/.config/fcitx5/profile-bak ~/.config/fcitx5/profile    # restore
 exec-once=fcitx5 -d --replace     # start fcitx5 daemon
 bind=ALT,E,exec,pkill fcitx5 -9;sleep 1;fcitx5 -d --replace; sleep 1;fcitx5-remote -r

-# fix xwayland apps
-windowrulev2 = rounding 0, xwayland:1, floating:1
-windowrulev2 = center, class:^(.*jetbrains.*)$, title:^(Confirm Exit|Open Project|win424|win201|splash)$
-windowrulev2 = size 640 400, class:^(.*jetbrains.*)$, title:^(splash)$
-
@@ -1,55 +0,0 @@
-#!/usr/bin/env bash
-
-## Script to take screenshots with grim, slurp (in Wayland)
-
-iDIR="$HOME/.config/hypr/mako/icons"
-
-time=$(date +%Y-%m-%d-%H-%M-%S)
-dir="$(xdg-user-dir PICTURES)/Screenshots"  # need 
-file="Screenshot_${time}_${RANDOM}.png"
-
-# notify and view screenshot
-notify_cmd_shot="notify-send -h string:x-canonical-private-synchronous:shot-notify -u low -i ${iDIR}/picture.png"
-notify_view () {
-	${notify_cmd_shot} "Copied to clipboard."
-	imv ${dir}/"$file"
-	if [[ -e "$dir/$file" ]]; then
-		${notify_cmd_shot} "Screenshot Saved."
-	else
-		${notify_cmd_shot} "Screenshot Deleted."
-	fi
-}
-
-# take shots
-shotnow () {
-	cd ${dir} && grim - | tee "$file" | wl-copy
-	notify_view
-}
-
-shotwin () {
-	w_pos=$(hyprctl activewindow | grep 'at:' | cut -d':' -f2 | tr -d ' ' | tail -n1)
-	w_size=$(hyprctl activewindow | grep 'size:' | cut -d':' -f2 | tr -d ' ' | tail -n1 | sed s/,/x/g)
-	cd ${dir} && grim -g "$w_pos $w_size" - | tee "$file" | wl-copy
-	notify_view
-}
-
-shotarea () {
-	cd ${dir} && grim -g "$(slurp -b 1B1F28CC -c E06B74ff -s C778DD0D -w 2)" - | tee "$file" | wl-copy
-	notify_view
-}
-
-if [[ ! -d "$dir" ]]; then
-	mkdir -p "$dir"
-fi
-
-if [[ "$1" == "--now" ]]; then
-	shotnow
-elif [[ "$1" == "--area" ]]; then
-	shotarea
-elif [[ "$1" == "--win" ]]; then
-	shotwin
-else
-	echo -e "Available Options : --now --win --area"
-fi
-
-exit 0
@@ -6,7 +6,7 @@
    "custom/launcher",
    "temperature",
    "backlight",
-    "wlr/workspaces"
+    "hyprland/workspaces"
  ],
  "modules-center": [
    "custom/playerctl"
@@ -23,7 +23,7 @@
    "custom/powermenu",
    "tray"
  ],
-  "wlr/workspaces": {
+  "hyprland/workspaces": {
    "format": "{icon}",
    "on-click": "activate",
    "format-icons": {
@@ -1,4 +1,8 @@
-{pkgs, ...}: {
+{
+  pkgs,
+  pkgs-unstable,
+  ...
+}: {
  home.packages = with pkgs; [
    waybar # the status bar
    swaybg # the wallpaper
@@ -8,10 +12,10 @@
    wl-clipboard # copying and pasting
    hyprpicker # color picker

-    wf-recorder # creen recording
+    pkgs-unstable.hyprshot # screen shot
    grim # taking screenshots
    slurp # selecting a region to screenshot
-    # TODO replace by `flameshot gui --raw | wl-copy`
+    wf-recorder # creen recording

    mako # the notification daemon, the same as dunst

@@ -39,12 +39,13 @@
    google-chrome = {
      enable = true;

+      # https://wiki.archlinux.org/title/Chromium#Native_Wayland_support
      commandLineArgs = [
+        "--ozone-platform-hint=auto"
+        "--ozone-platform=wayland"
        # make it use GTK_IM_MODULE if it runs with Gtk4, so fcitx5 can work with it.
        # (only supported by chromium/chrome at this time, not electron)
        "--gtk-version=4"
-        "--enable-features=UseOzonePlatform"
-        "--ozone-platform=wayland"
        # make it use text-input-v1, which works for kwin 5.27 and weston
        "--enable-wayland-ime"

@@ -58,5 +59,38 @@
      enableGnomeExtensions = false;
      package = pkgs.firefox-wayland; # firefox with wayland support
    };
+
+    vscode = {
+      enable = true;
+      # let vscode sync and update its configuration & extensions across devices, using github account.
+      userSettings = {};
+      package =
+        (pkgs.vscode.override
+          {
+            isInsiders = true;
+            # https://wiki.archlinux.org/title/Wayland#Electron
+            commandLineArgs = [
+              "--ozone-platform-hint=auto"
+              "--ozone-platform=wayland"
+              # make it use GTK_IM_MODULE if it runs with Gtk4, so fcitx5 can work with it.
+              # (only supported by chromium/chrome at this time, not electron)
+              "--gtk-version=4"
+              # make it use text-input-v1, which works for kwin 5.27 and weston
+              "--enable-wayland-ime"
+
+              # TODO: fix https://github.com/microsoft/vscode/issues/187436
+              # still not works...
+              "--password-store=gnome" # use gnome-keyring as password store
+            ];
+          })
+        .overrideAttrs (oldAttrs: rec {
+          # Use VSCode Insiders to fix crash: https://github.com/NixOS/nixpkgs/issues/246509
+          src = builtins.fetchTarball {
+            url = "https://update.code.visualstudio.com/latest/linux-x64/insider";
+            sha256 = "0k2sh7rb6mrx9d6bkk2744ry4g17d13xpnhcisk4akl4x7dn6a83";
+          };
+          version = "latest";
+        });
+    };
  };
 }
@@ -1,9 +1,12 @@
-{pkgs, ...}: {
+{
+  pkgs,
+  pkgs-unstable,
+  ...
+}: {
  home.packages = with pkgs; [
    firefox
  ];

-  # TODO vscode & chrome both have wayland support, but they don't work with fcitx5, need to fix it.
  programs = {
    # source code: https://github.com/nix-community/home-manager/blob/master/modules/programs/chromium.nix
    google-chrome = {
@@ -16,5 +19,11 @@
      # commandLineArgs = [
      # ];
    };
+    vscode = {
+      enable = true;
+      package = pkgs-unstable.vscode;
+      # let vscode sync and update its configuration & extensions across devices, using github account.
+      # userSettings = {};
+    };
  };
 }
@@ -0,0 +1,149 @@
+# Rakushun - Orange Pi 5 Plus
+
+LUKS encrypted SSD for NixOS, on Orange Pi 5 Plus.
+
+## Showcases
+
+![](../../_img/2024-03-07_orangepi5plus_rakushun.webp)
+
+Disk layout:
+
+```bash
+[ryan@rakushun:~]$ lsblk
+NAME        MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
+sda           8:0    1 58.6G  0 disk
+└─sda1        8:1    1  487M  0 part
+mtdblock0    31:0    0   16M  0 disk
+zram0       254:0    0    0B  0 disk
+nvme0n1     259:0    0  1.8T  0 disk
+├─nvme0n1p1 259:1    0  630M  0 part  /boot
+└─nvme0n1p2 259:2    0  1.8T  0 part
+  └─crypted 253:0    0  1.8T  0 crypt /tmp
+                                      /swap
+                                      /snapshots
+                                      /home/ryan/tmp
+                                      /home/ryan/nix-config
+                                      /home/ryan/go
+                                      /home/ryan/codes
+                                      /home/ryan/.ssh
+                                      /home/ryan/.local/state
+                                      /home/ryan/.npm
+                                      /home/ryan/.local/share
+                                      /home/ryan/.conda
+                                      /etc/ssh
+                                      /etc/nix/inputs
+                                      /etc/secureboot
+                                      /etc/agenix
+                                      /etc/NetworkManager/system-connections
+                                      /etc/machine-id
+                                      /nix/store
+                                      /var/log
+                                      /var/lib
+                                      /nix
+                                      /persistent
+
+[ryan@rakushun:~]$ df -Th
+Filesystem          Type      Size  Used Avail Use% Mounted on
+devtmpfs            devtmpfs  785M     0  785M   0% /dev
+tmpfs               tmpfs     7.7G     0  7.7G   0% /dev/shm
+tmpfs               tmpfs     3.9G  6.8M  3.9G   1% /run
+tmpfs               tmpfs     7.7G  1.9M  7.7G   1% /run/wrappers
+none                tmpfs     4.0G   48K  4.0G   1% /
+/dev/mapper/crypted btrfs     1.9T   19G  1.8T   2% /persistent
+/dev/mapper/crypted btrfs     1.9T   19G  1.8T   2% /nix
+/dev/mapper/crypted btrfs     1.9T   19G  1.8T   2% /snapshots
+/dev/mapper/crypted btrfs     1.9T   19G  1.8T   2% /swap
+/dev/mapper/crypted btrfs     1.9T   19G  1.8T   2% /tmp
+/dev/nvme0n1p1      vfat      629M   96M  534M  16% /boot
+tmpfs               tmpfs     1.6G  4.0K  1.6G   1% /run/user/1000
+```
+
+CPU info:
+
+```bash
+[ryan@rakushun:~]$ lscpu
+Architecture:           aarch64
+  CPU op-mode(s):       32-bit, 64-bit
+  Byte Order:           Little Endian
+CPU(s):                 8
+  On-line CPU(s) list:  0-7
+Vendor ID:              ARM
+  Model name:           Cortex-A55
+    Model:              0
+    Thread(s) per core: 1
+    Core(s) per socket: 4
+    Socket(s):          1
+    Stepping:           r2p0
+    CPU(s) scaling MHz: 67%
+    CPU max MHz:        1800.0000
+    CPU min MHz:        408.0000
+    BogoMIPS:           48.00
+    Flags:              fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp
+  Model name:           Cortex-A76
+    Model:              0
+    Thread(s) per core: 1
+    Core(s) per socket: 2
+    Socket(s):          2
+    Stepping:           r4p0
+    CPU(s) scaling MHz: 18%
+    CPU max MHz:        2256.0000
+    CPU min MHz:        408.0000
+    BogoMIPS:           48.00
+    Flags:              fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp
+Caches (sum of all):
+  L1d:                  384 KiB (8 instances)
+  L1i:                  384 KiB (8 instances)
+  L2:                   2.5 MiB (8 instances)
+  L3:                   3 MiB (1 instance)
+```
+
+## How to install NixOS on Orange Pi 5 Plus
+
+### 1. Prepare a USB LUKS key
+
+Generate LUKS keyfile to encrypt the root partition, it's used by disko.
+
+```bash
+# partition the usb stick
+DEV=/dev/sdX
+parted ${DEV} -- mklabel gpt
+parted ${DEV} -- mkpart OPI5P_DSC fat32 0% 512MB
+mkfs.fat -F 32 -n OPI5P_DSC ${DEV}1
+
+# Generate a keyfile from the true random number generator
+KEYFILE=./orangepi5plus-luks-keyfile
+dd bs=512 count=64 iflag=fullblock if=/dev/random of=$KEYFILE
+
+# copy the keyfile and token to the usb stick
+KEYFILE=./orangepi5plus-luks-keyfile
+DEVICE=/dev/disk/by-label/OPI5P_DSC
+# seek=128 skip N obs-sized output blocks to avoid overwriting the filesystem header
+dd bs=512 count=64 iflag=fullblock seek=128 if=$KEYFILE of=$DEVICE
+```
+
+### 2. Partition the SSD & install NixOS via disko
+
+First, follow [UEFI - ryan4yin/nixos-rk3588](https://github.com/ryan4yin/nixos-rk3588/blob/main/UEFI.md) to install UEFI bootloader and boot into NixOS live environment via a USB stick.
+
+Then, run the following commands:
+
+```bash
+# transfer the nix-config to the target machine
+rsync -avzP ~/nix-config rk@<ip-addr>:/home/rk/
+
+# login via ssh
+ssh rk@<ip-addr>
+
+cd ~/nix-config/hosts/12kingdoms_rakushun
+# 1. change the disk device path in ./disko-fs.nix to the disk you want to use
+# 2. partition & format the disk via disko
+sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko -- --mode disko ./disko-fs.nix
+
+
+cd ~/nix-config
+# install nixos
+# NOTE: the root password you set here will be discarded when reboot
+sudo nixos-install --root /mnt --flake .#rakushun --no-root-password --show-trace --verbose
+```
+
+
@@ -1,36 +1,42 @@
 {
-  # nixos-jh7110,
-  vars_networking,
+  disko,
+  nixos-rk3588,
+  myvars,
  ...
 }:
 #############################################################
 #
-#  Chiaya - NixOS Configuration for Milk-V Mars
-#
-#  WIP, not working yet.
+#  Suzu - Orange Pi 5 Plus, RK3588 + 16GB RAM
 #
 #############################################################
 let
-  hostName = "chiaya"; # Define your hostname.
-  hostAddress = vars_networking.hostAddress.${hostName};
+  hostName = "rakushun"; # Define your hostname.
+  hostAddress = myvars.networking.hostAddress.${hostName};
 in {
  imports = [
+    # import the rk3588 module, which contains the configuration for bootloader/kernel/firmware
+    nixos-rk3588.nixosModules.orangepi5plus.core
+    disko.nixosModules.default
+    ./hardware-configuration.nix
+    ./disko-fs.nix
+    ./impermanence.nix
  ];

-  # Set static IP address / gateway / DNS servers.
  networking = {
    inherit hostName;
-    inherit (vars_networking) defaultGateway nameservers;
+    inherit (myvars.networking) defaultGateway nameservers;

-    # Failed to enable firewall due to the following error:
-    #   firewall-start[2300]: iptables: Failed to initialize nft: Protocol not supported
-    firewall.enable = false;
    networkmanager.enable = false;
-    # milkv-mars RJ45 port
-    interfaces.end0 = {
+    # RJ45 port 1
+    interfaces.enP4p65s0 = {
      useDHCP = false;
      ipv4.addresses = [hostAddress];
    };
+    # RJ45 port 2
+    # interfaces.enP3p49s0 = {
+    # useDHCP = false;
+    # ipv4.addresses = [hostAddress];
+    # };
  };

  # This value determines the NixOS release from which the default
@@ -39,5 +45,5 @@ in {
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "23.05"; # Did you read the comment?
+  system.stateVersion = "23.11"; # Did you read the comment?
 }
@@ -0,0 +1,102 @@
+{
+  # required by impermanence
+  fileSystems."/persistent".neededForBoot = true;
+
+  disko.devices = {
+    nodev."/" = {
+      fsType = "tmpfs";
+      mountOptions = [
+        "size=4G"
+        "defaults"
+        # set mode to 755, otherwise systemd will set it to 777, which cause problems.
+        # relatime: Update inode access times relative to modify or change time.
+        "mode=755"
+      ];
+    };
+
+    # TODO: rename to main
+    disk.sda = {
+      type = "disk";
+      # When using disko-install, we will overwrite this value from the commandline
+      device = "/dev/nvme0n1"; # The device to partition
+      content = {
+        type = "gpt";
+        partitions = {
+          # The EFI & Boot partition
+          ESP = {
+            size = "630M";
+            type = "EF00";
+            content = {
+              type = "filesystem";
+              format = "vfat";
+              mountpoint = "/boot";
+              mountOptions = [
+                "defaults"
+              ];
+            };
+          };
+          # The root partition
+          luks = {
+            size = "100%";
+            content = {
+              type = "luks";
+              name = "crypted";
+              settings = {
+                keyFile = "/dev/disk/by-label/OPI5P_DSC"; # The keyfile is stored on a USB stick
+                # The maxium size of the keyfile is 8192 bytes
+                keyFileSize = 512 * 64; # match the `bs * count` of the `dd` command
+                keyFileOffset = 512 * 128; # match the `bs * skip` of the `dd` command
+                fallbackToPassword = true;
+                allowDiscards = true;
+              };
+              # Whether to add a boot.initrd.luks.devices entry for the specified disk.
+              initrdUnlock = true;
+
+              # encrypt the root partition with luks2 and argon2id, will prompt for a passphrase, which will be used to unlock the partition.
+              # cryptsetup luksFormat
+              extraFormatArgs = [
+                "--type luks2"
+                "--cipher aes-xts-plain64"
+                "--hash sha512"
+                "--iter-time 5000"
+                "--key-size 256"
+                "--pbkdf argon2id"
+                # use true random data from /dev/random, will block until enough entropy is available
+                "--use-random"
+              ];
+              extraOpenArgs = [
+                "--timeout 10"
+              ];
+              content = {
+                type = "btrfs";
+                extraArgs = ["-f"];
+                subvolumes = {
+                  "@nix" = {
+                    mountpoint = "/nix";
+                    mountOptions = ["compress-force=zstd:1" "noatime"];
+                  };
+                  "@persistent" = {
+                    mountpoint = "/persistent";
+                    mountOptions = ["compress-force=zstd:1" "noatime"];
+                  };
+                  "@tmp" = {
+                    mountpoint = "/tmp";
+                    mountOptions = ["compress-force=zstd:1" "noatime"];
+                  };
+                  "@snapshots" = {
+                    mountpoint = "/snapshots";
+                    mountOptions = ["compress-force=zstd:1" "noatime"];
+                  };
+                  "@swap" = {
+                    mountpoint = "/swap";
+                    swap.swapfile.size = "16384M";
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}
@@ -0,0 +1,39 @@
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.loader = {
+    # depending on how you configured your disk mounts, change this to /boot or /boot/efi.
+    efi.efiSysMountPoint = "/boot/";
+    efi.canTouchEfiVariables = true;
+    # do not use systemd-boot here, it has problems when running `nixos-install`
+    grub = {
+      device = "nodev";
+      efiSupport = true;
+    };
+  };
+  # clear /tmp on boot to get a stateless /tmp directory.
+  boot.tmp.cleanOnBoot = true;
+
+  boot.initrd.availableKernelModules = ["nvme" "usbhid" "usb_storage"];
+  boot.initrd.kernelModules = [];
+  boot.kernelModules = [];
+  boot.extraModulePackages = [];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enP3p49s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enP4p65s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+}
@@ -41,11 +41,6 @@

      "/var/log"
      "/var/lib"
-
-      # created by modules/nixos/misc/fhs-fonts.nix
-      # for flatpak apps
-      # "/usr/share/fonts"
-      # "/usr/share/icons"
    ];
    files = [
      "/etc/machine-id"
@@ -58,44 +53,10 @@
        "nix-config"
        "tmp"

-        "Downloads"
-        "Music"
-        "Pictures"
-        "Documents"
-        "Videos"
-
-        {
-          directory = ".gnupg";
-          mode = "0700";
-        }
        {
          directory = ".ssh";
          mode = "0700";
        }
-        {
-          directory = ".aws";
-          mode = "0700";
-        }
-        {
-          directory = ".docker";
-          mode = "0700";
-        }
-        {
-          directory = ".kube";
-          mode = "0700";
-        }
-
-        # misc
-        ".config/pulse"
-        ".pki"
-
-        # remote desktop
-        ".config/remmina"
-        ".config/freerdp"
-
-        # browsers
-        ".mozilla"
-        ".config/google-chrome"

        # neovim / remmina / flatpak / ...
        ".local/share"
@@ -103,14 +64,10 @@

        # language package managers
        ".npm"
+        ".conda" # generated by `conda-shell`
        "go"
-
-        # neovim plugins(wakatime & copilot)
-        ".wakatime"
-        ".config/github-copilot"
      ];
      files = [
-        ".wakatime.cfg"
        ".config/nushell/history.txt"
      ];
    };
@@ -1,6 +1,6 @@
 {
  nixos-hardware,
-  vars_networking,
+  myvars,
  ...
 }:
 #############################################################
@@ -18,15 +18,15 @@ in {
    {hardware.myapple-t2.enableAppleSetOsLoader = true;}

    ./hardware-configuration.nix
-    ./impermanence.nix
+    ../idols-ai/impermanence.nix
  ];

-  boot.kernelModules = ["kvm-amd" "kvm-intel"];
+  boot.kernelModules = ["kvm-amd"];
  boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu

  networking = {
    inherit hostName;
-    inherit (vars_networking) defaultGateway nameservers;
+    inherit (myvars.networking) defaultGateway nameservers;

    # configures the network interface(include wireless) via `nmcli` & `nmtui`
    networkmanager.enable = true;
@@ -53,6 +53,10 @@
      # whether to allow TRIM requests to the underlying device.
      # it's less secure, but faster.
      allowDiscards = true;
+      # Whether to bypass dm-crypt’s internal read and write workqueues.
+      # Enabling this should improve performance on SSDs;
+      # https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Disable_workqueue_for_increased_solid_state_drive_(SSD)_performance
+      bypassWorkqueues = true;
    };
  };

@@ -0,0 +1,149 @@
+# Suzu - Orange Pi 5
+
+LUKS encrypted SSD for NixOS, on Orange Pi 5.
+
+
+## Showcases
+
+![](../../_img/2024-03-07_orangepi5_suzu.webp)
+
+Disk layout:
+
+```bash
+[ryan@suzu:~]$ lsblk
+NAME        MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
+sda           8:0    1  58.6G  0 disk
+└─sda1        8:1    1   486M  0 part
+mtdblock0    31:0    0    16M  0 disk
+zram0       254:0    0     0B  0 disk
+nvme0n1     259:0    0 238.5G  0 disk
+├─nvme0n1p1 259:1    0   630M  0 part  /boot
+└─nvme0n1p2 259:2    0 237.9G  0 part
+  └─crypted 253:0    0 237.8G  0 crypt /tmp
+                                       /snapshots
+                                       /swap
+                                       /home/ryan/tmp
+                                       /home/ryan/nix-config
+                                       /home/ryan/go
+                                       /home/ryan/.local/state
+                                       /home/ryan/codes
+                                       /home/ryan/.npm
+                                       /home/ryan/.ssh
+                                       /home/ryan/.local/share
+                                       /etc/ssh
+                                       /home/ryan/.conda
+                                       /etc/secureboot
+                                       /etc/agenix
+                                       /etc/nix/inputs
+                                       /etc/NetworkManager/system-connections
+                                       /nix/store
+                                       /var/log
+                                       /var/lib
+                                       /nix
+                                       /persistent
+
+[ryan@suzu:~]$ df -Th
+Filesystem          Type      Size  Used Avail Use% Mounted on
+devtmpfs            devtmpfs  383M     0  383M   0% /dev
+tmpfs               tmpfs     3.8G     0  3.8G   0% /dev/shm
+tmpfs               tmpfs     1.9G  6.2M  1.9G   1% /run
+tmpfs               tmpfs     3.8G  1.9M  3.8G   1% /run/wrappers
+none                tmpfs     2.0G   48K  2.0G   1% /
+/dev/mapper/crypted btrfs     238G   11G  226G   5% /persistent
+/dev/mapper/crypted btrfs     238G   11G  226G   5% /nix
+/dev/mapper/crypted btrfs     238G   11G  226G   5% /swap
+/dev/mapper/crypted btrfs     238G   11G  226G   5% /snapshots
+/dev/mapper/crypted btrfs     238G   11G  226G   5% /tmp
+/dev/nvme0n1p1      vfat      629M   86M  543M  14% /boot
+tmpfs               tmpfs     766M  4.0K  766M   1% /run/user/1000
+```
+
+CPU info:
+
+```bash
+[ryan@suzu:~]$ lscpu
+Architecture:           aarch64
+  CPU op-mode(s):       32-bit, 64-bit
+  Byte Order:           Little Endian
+CPU(s):                 8
+  On-line CPU(s) list:  0-7
+Vendor ID:              ARM
+  Model name:           Cortex-A55
+    Model:              0
+    Thread(s) per core: 1
+    Core(s) per socket: 4
+    Socket(s):          1
+    Stepping:           r2p0
+    CPU(s) scaling MHz: 56%
+    CPU max MHz:        1800.0000
+    CPU min MHz:        408.0000
+    BogoMIPS:           48.00
+    Flags:              fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp
+  Model name:           Cortex-A76
+    Model:              0
+    Thread(s) per core: 1
+    Core(s) per socket: 2
+    Socket(s):          2
+    Stepping:           r4p0
+    CPU(s) scaling MHz: 18%
+    CPU max MHz:        2256.0000
+    CPU min MHz:        408.0000
+    BogoMIPS:           48.00
+    Flags:              fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp
+Caches (sum of all):
+  L1d:                  384 KiB (8 instances)
+  L1i:                  384 KiB (8 instances)
+  L2:                   2.5 MiB (8 instances)
+  L3:                   3 MiB (1 instance)
+```
+
+## How to install NixOS on Orange Pi 5 
+
+### 1. Prepare a USB LUKS key
+
+Generate LUKS keyfile to encrypt the root partition, it's used by disko.
+
+```bash
+# partition the usb stick
+DEV=/dev/sdX
+parted ${DEV} -- mklabel gpt
+parted ${DEV} -- mkpart primary 2M 512MB
+mkfs.fat -F 32 -n OPI5_DSC ${DEV}1
+
+
+# Generate a keyfile from the true random number generator
+KEYFILE=./orangepi5-luks-keyfile
+dd bs=512 count=64 iflag=fullblock if=/dev/random of=$KEYFILE
+
+# copy the keyfile and token to the usb stick
+KEYFILE=./orangepi5-luks-keyfile
+DEVICE=/dev/disk/by-label/OPI5_DSC
+# seek=128 skip N obs-sized output blocks to avoid overwriting the filesystem header
+dd bs=512 count=64 iflag=fullblock seek=128 if=$KEYFILE of=$DEVICE
+```
+
+### 2. Partition the SSD & install NixOS via disko
+
+First, follow [UEFI - ryan4yin/nixos-rk3588](https://github.com/ryan4yin/nixos-rk3588/blob/main/UEFI.md) to install UEFI bootloader and boot into NixOS live environment via a USB stick.
+
+Then, run the following commands:
+
+```bash
+# login via ssh
+ssh rk@<ip-addr>
+
+git clone https://github.com/ryan4yin/nix-config.git
+
+cd ~/nix-config/hosts/12kingdoms_suzu
+# 1. change the disk device path in ./disko-fs.nix to the disk you want to use
+# 2. partition & format the disk via disko
+sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko -- --mode disko ./disko-fs.nix
+
+
+cd ~/nix-config
+# install nixos
+# NOTE: the root password you set here will be discarded when reboot
+sudo nixos-install --root /mnt --flake .#suzu --no-root-password --show-trace --verbose
+```
+
+
@@ -1,25 +1,30 @@
 {
+  disko,
  nixos-rk3588,
-  vars_networking,
+  myvars,
  ...
 }:
 #############################################################
 #
-#  Suzu - Orange Pi 5, RK3588s
+#  Suzu - Orange Pi 5 Plus, RK3588 + 16GB RAM
 #
 #############################################################
 let
  hostName = "suzu"; # Define your hostname.
-  hostAddress = vars_networking.hostAddress.${hostName};
+  hostAddress = myvars.networking.hostAddress.${hostName};
 in {
  imports = [
    # import the rk3588 module, which contains the configuration for bootloader/kernel/firmware
-    nixos-rk3588.nixosModules.orangepi5
+    nixos-rk3588.nixosModules.orangepi5plus.core
+    disko.nixosModules.default
+    ./hardware-configuration.nix
+    ./disko-fs.nix
+    ./impermanence.nix
  ];

  networking = {
    inherit hostName;
-    inherit (vars_networking) defaultGateway nameservers;
+    inherit (myvars.networking) defaultGateway nameservers;

    networkmanager.enable = false;
    interfaces.end1 = {
@@ -0,0 +1,102 @@
+{
+  # required by impermanence
+  fileSystems."/persistent".neededForBoot = true;
+
+  disko.devices = {
+    nodev."/" = {
+      fsType = "tmpfs";
+      mountOptions = [
+        "size=2G"
+        "defaults"
+        # set mode to 755, otherwise systemd will set it to 777, which cause problems.
+        # relatime: Update inode access times relative to modify or change time.
+        "mode=755"
+      ];
+    };
+
+    # TODO: rename to main
+    disk.sda = {
+      type = "disk";
+      # When using disko-install, we will overwrite this value from the commandline
+      device = "/dev/nvme0n1"; # The device to partition
+      content = {
+        type = "gpt";
+        partitions = {
+          # The EFI & Boot partition
+          ESP = {
+            size = "630M";
+            type = "EF00";
+            content = {
+              type = "filesystem";
+              format = "vfat";
+              mountpoint = "/boot";
+              mountOptions = [
+                "defaults"
+              ];
+            };
+          };
+          # The root partition
+          luks = {
+            size = "100%";
+            content = {
+              type = "luks";
+              name = "crypted";
+              settings = {
+                keyFile = "/dev/disk/by-label/OPI5_DSC"; # The keyfile is stored on a USB stick
+                # The maxium size of the keyfile is 8192 bytes
+                keyFileSize = 512 * 64; # match the `bs * count` of the `dd` command
+                keyFileOffset = 512 * 128; # match the `bs * skip` of the `dd` command
+                fallbackToPassword = true;
+                allowDiscards = true;
+              };
+              # Whether to add a boot.initrd.luks.devices entry for the specified disk.
+              initrdUnlock = true;
+
+              # encrypt the root partition with luks2 and argon2id, will prompt for a passphrase, which will be used to unlock the partition.
+              # cryptsetup luksFormat
+              extraFormatArgs = [
+                "--type luks2"
+                "--cipher aes-xts-plain64"
+                "--hash sha512"
+                "--iter-time 5000"
+                "--key-size 256"
+                "--pbkdf argon2id"
+                # use true random data from /dev/random, will block until enough entropy is available
+                "--use-random"
+              ];
+              extraOpenArgs = [
+                "--timeout 10"
+              ];
+              content = {
+                type = "btrfs";
+                extraArgs = ["-f"];
+                subvolumes = {
+                  "@nix" = {
+                    mountpoint = "/nix";
+                    mountOptions = ["compress-force=zstd:1" "noatime"];
+                  };
+                  "@persistent" = {
+                    mountpoint = "/persistent";
+                    mountOptions = ["compress-force=zstd:1" "noatime"];
+                  };
+                  "@tmp" = {
+                    mountpoint = "/tmp";
+                    mountOptions = ["compress-force=zstd:1" "noatime"];
+                  };
+                  "@snapshots" = {
+                    mountpoint = "/snapshots";
+                    mountOptions = ["compress-force=zstd:1" "noatime"];
+                  };
+                  "@swap" = {
+                    mountpoint = "/swap";
+                    swap.swapfile.size = "8192M";
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}
@@ -0,0 +1,39 @@
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.loader = {
+    # depending on how you configured your disk mounts, change this to /boot or /boot/efi.
+    efi.efiSysMountPoint = "/boot/";
+    efi.canTouchEfiVariables = true;
+    # do not use systemd-boot here, it has problems when running `nixos-install`
+    grub = {
+      device = "nodev";
+      efiSupport = true;
+    };
+  };
+  # clear /tmp on boot to get a stateless /tmp directory.
+  boot.tmp.cleanOnBoot = true;
+
+  boot.initrd.availableKernelModules = ["nvme" "usbhid" "usb_storage"];
+  boot.initrd.kernelModules = [];
+  boot.kernelModules = [];
+  boot.extraModulePackages = [];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enP3p49s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enP4p65s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+}
@@ -0,0 +1,75 @@
+{
+  impermanence,
+  pkgs,
+  ...
+}: {
+  imports = [
+    impermanence.nixosModules.impermanence
+  ];
+
+  environment.systemPackages = [
+    # `sudo ncdu -x /`
+    pkgs.ncdu
+  ];
+
+  # There are two ways to clear the root filesystem on every boot:
+  ##  1. use tmpfs for /
+  ##  2. (btrfs/zfs only)take a blank snapshot of the root filesystem and revert to it on every boot via:
+  ##     boot.initrd.postDeviceCommands = ''
+  ##       mkdir -p /run/mymount
+  ##       mount -o subvol=/ /dev/disk/by-uuid/UUID /run/mymount
+  ##       btrfs subvolume delete /run/mymount
+  ##       btrfs subvolume snapshot / /run/mymount
+  ##     '';
+  #
+  #  See also https://grahamc.com/blog/erase-your-darlings/
+
+  # NOTE: impermanence only mounts the directory/file list below to /persistent
+  # If the directory/file already exists in the root filesystem, you should
+  # move those files/directories to /persistent first!
+  environment.persistence."/persistent" = {
+    # sets the mount option x-gvfs-hide on all the bind mounts
+    # to hide them from the file manager
+    hideMounts = true;
+    directories = [
+      "/etc/NetworkManager/system-connections"
+      "/etc/ssh"
+      "/etc/nix/inputs"
+      "/etc/secureboot" # lanzaboote - secure boot
+      # my secrets
+      "/etc/agenix/"
+
+      "/var/log"
+      "/var/lib"
+    ];
+    files = [
+      "/etc/machine-id"
+    ];
+
+    # the following directories will be passed to /persistent/home/$USER
+    users.ryan = {
+      directories = [
+        "codes"
+        "nix-config"
+        "tmp"
+
+        {
+          directory = ".ssh";
+          mode = "0700";
+        }
+
+        # neovim / remmina / flatpak / ...
+        ".local/share"
+        ".local/state"
+
+        # language package managers
+        ".npm"
+        ".conda" # generated by `conda-shell`
+        "go"
+      ];
+      files = [
+        ".config/nushell/history.txt"
+      ];
+    };
+  };
+}
@@ -5,29 +5,35 @@
   1. `harmonica`: MacBook Pro 2020 13-inch i5 16G, for personal use.
 2. `idols`
   1. `ai`: My main computer, with NixOS + I5-13600KF + RTX 4090 GPU, for gaming & daily use.
-   2. `aquamarine`: My NixOS virtual machine as a passby router(IPv4 only) to access the global internet.
-   4. `ruby`: Another NixOS vm with R9-5900HX(8C16T), for distributed building & testing.
-   3. `kana`: Yet another NixOS vm with R7-5225U(6C12T), for desktop testing.
-3. `rolling_girls`: My RISCV64 hosts.
-   1. `nozomi`: Lichee Pi 4A, TH1520(4xC910@2.0G), 8GB RAM + 32G eMMC + 64G SD Card.
-   2. `yukina`: Lichee Pi 4A(Internal Test Version), TH1520(4xC910@2.0G), 8GB RAM + 8G eMMC + 128G SD Card.
-   3. `chiaya`: Milk-V Mars, JH7110(4xU74@1.5 GHz), 4G RAM + No eMMC + 64G SD Card.
-4. `12kingdoms`: 
-   1. `shoukei`: NixOS on Macbook Pro 2022 Intel i5, 13.3-inch, 16G RAM + 512G SSD.
+   2. `aquamarine`: My NixOS virtual machine as a router(IPv4 only) with a tranparent proxy to bypass the G|F|W.
+   3. `ruby`: Another NixOS VM running operation and maintenance related services, such as prometheus, grafana, restic, etc.
+   4. `kana`: Yet another NixOS VM running some common applications, such as hompage, file browser, torrent downloader, etc.
+3. Homelab:
+   1. `tailscale-gw`: A tailscale subnet router(gateway) for accessing my homelab remotely. NixOS VM running on Proxmox.
+4. `rolling_girls`: My RISCV64 hosts.
+   1. `nozomi`: Lichee Pi 4A, TH1520(4xC910@2.0G), 16GB RAM + 32G eMMC + 128G SD Card.
+   2. `yukina`: Milk-V Mars, JH7110(4xU74@1.5 GHz), 4G RAM + No eMMC + 64G SD Card.
+5. `12kingdoms`:
+   1. `shoukei`: NixOS on Macbook Pro 2020 Intel i5, 13.3-inch, 16G RAM + 512G SSD.
   1. `suzu`: Orange Pi 5, RK3588s(4xA76 + 4xA55), GPU(4Cores, Mail-G610), NPU(6Tops@int8), 8G RAM + 256G SSD.
-5. Homelab:
-   1. `tailscale_gw`: A tailscale subnet router(gateway) for accessing my homelab remotely. NixOS VM running on Proxmox.
+   1. `rakushun`: Orange Pi 5 Plus, RK3588(4xA76 + 4xA55), GPU(4Cores, Mail-G610), NPU(6Tops@int8), 16G RAM + 2T SSD.
+6. `k8s`: My Kubernetes Clusters

-# idols - Oshi no Ko
+## How to add a new host

-These four servers are named after the four main characters of the mange/anime Oshi no Ko, they form a NixOS distributed building cluster,
-I usually run the build command on `Ai` and nix will distribute the build to other three machines, which is convenient and fast.
+1. Under `hosts/`
+   1. Create a new folder under `hosts/` with the name of the new host.
+   2. Create & add the new host's `hardware-configuration.nix` to the new folder, and add the new host's `configuration.nix` to `hosts/<name>/default.nix`.
+   3. If the new host need to use home-manager, add its custom config into `hosts/<name>/home.nix`.
+1. Under `outputs/`
+   1. Add a new nix file named `outputs/<system-architecture>/src/<name>.nix`.
+   2. Copy the content from one of the existing host's nix file, and modify it to fit the new host.
+   3. [Optional] Add a new unit test file under `outputs/<system-architecture>/tests/<name>.nix` to test the new host's nix file.
+   4. [Optional] Add a new integration test file under `outputs/<system-architecture>/integration-tests/<name>.nix` to test whether the new host's nix config can be built and deployed correctly.

-When building some packages for riscv64 or aarch64, I often have no cache available because of various changes under the hood, so I need to build much more packages than usual, which is one of the reasons why the cluster was originally built, and another reason is distributed building is cool!
+## idols - Oshi no Ko

-![](/_img/nix-distributed-building.webp)
-
-![](/_img/nix-distributed-building-log.webp)
+These four servers are named after the four main characters of the mange/anime Oshi no Ko.

 ## rolling girls

@@ -35,6 +41,16 @@ My All RISCV64 hosts.

 ![](/_img/nixos-riscv-cluster.webp)

+## Distributed Building
+
+I usually run the build command on `Ai` and nix will distribute the build to other NixOS machines, which is convenient and fast.
+
+When building some packages for riscv64 or aarch64, I often have no cache available because of various changes under the hood, so I need to build much more packages than usual, which is one of the reasons why the cluster was originally built, and another reason is distributed building is cool!
+
+![](/_img/nix-distributed-building.webp)
+
+![](/_img/nix-distributed-building-log.webp)
+
 ## References

 [Oshi no Ko 【推しの子】 - Wikipedia](https://en.wikipedia.org/wiki/Oshi_no_Ko):
@@ -50,3 +66,5 @@ My All RISCV64 hosts.

 ![](/_img/12kingdoms-1.webp)
 ![](/_img/12kingdoms-Youko-Rakushun.webp)
+
+[List of Frieren characters](https://en.wikipedia.org/wiki/List_of_Frieren_characters)
@@ -1,16 +1,18 @@
-{vars_networking, ...}:
+{
+  myvars,
+  mylib,
+  ...
+}:
 #############################################################
 #
 #  Tailscale Gateway(homelab subnet router) - a NixOS VM running on Proxmox
 #
 #############################################################
 let
-  hostName = "tailscale_gw"; # Define your hostname.
-  hostAddress = vars_networking.hostAddress.${hostName};
+  hostName = "tailscale-gw"; # Define your hostname.
+  hostAddress = myvars.networking.hostAddress.${hostName};
 in {
-  imports = [
-    ./tailscale.nix
-  ];
+  imports = mylib.scanPaths ./.;

  # supported file systems, so we can mount any removable disks with these filesystems
  boot.supportedFilesystems = [
@@ -24,7 +26,10 @@ in {

  networking = {
    inherit hostName;
-    inherit (vars_networking) defaultGateway nameservers;
+    inherit (myvars.networking) nameservers;
+
+    # Use mainGateway instead of defaultGateway to make NAT Traversal work
+    defaultGateway = myvars.networking.mainGateway;

    networkmanager.enable = false;
    interfaces.ens18 = {
@@ -4,6 +4,10 @@ Related:

 - [/nixos-installer/README.md](/nixos-installer/README.md)

+## TODOs
+
+1. Install DCGM-Exporter on `ai` to monitor the GPU status.
+
 ## Info

 disk status & mountpoints:
@@ -1,10 +1,10 @@
 {
  config,
-  username,
+  myvars,
  ...
 }: {
  # mount a smb/cifs share
-  fileSystems."/home/${username}/SMB-Downloads" = {
+  fileSystems."/home/${myvars.username}/SMB-Downloads" = {
    device = "//192.168.5.194/Downloads";
    fsType = "cifs";
    options = [
@@ -1,4 +1,4 @@
-{vars_networking, ...}:
+{myvars, ...}:
 #############################################################
 #
 #  Ai - my main computer, with NixOS + I5-13600KF + RTX 4090 GPU, for gaming & daily use.
@@ -6,7 +6,7 @@
 #############################################################
 let
  hostName = "ai"; # Define your hostname.
-  hostAddress = vars_networking.hostAddress.${hostName};
+  hostAddress = myvars.networking.hostAddress.${hostName};
 in {
  imports = [
    ./cifs-mount.nix
@@ -19,7 +19,7 @@ in {

  networking = {
    inherit hostName;
-    inherit (vars_networking) defaultGateway nameservers;
+    inherit (myvars.networking) defaultGateway nameservers;

    wireless.enable = false; # Enables wireless support via wpa_supplicant.
    # configures the network interface(include wireless) via `nmcli` & `nmtui`
@@ -56,6 +56,10 @@
      # whether to allow TRIM requests to the underlying device.
      # it's less secure, but faster.
      allowDiscards = true;
+      # Whether to bypass dm-crypt’s internal read and write workqueues.
+      # Enabling this should improve performance on SSDs;
+      # https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Disable_workqueue_for_increased_solid_state_drive_(SSD)_performance
+      bypassWorkqueues = true;
    };
  };

@@ -72,6 +72,19 @@
          directory = ".ssh";
          mode = "0700";
        }
+
+        # misc
+        ".config/pulse"
+        ".config/attic" # attic nix cache server
+        ".pki"
+        ".steam" # steam games
+
+        # cloud native
+        {
+          # pulumi - infrastructure as code
+          directory = ".pulumi";
+          mode = "0700";
+        }
        {
          directory = ".aws";
          mode = "0700";
@@ -85,11 +98,6 @@
          mode = "0700";
        }

-        # misc
-        ".config/pulse"
-        ".pki"
-        ".steam" # steam games
-
        # remote desktop
        ".config/remmina"
        ".config/freerdp"
@@ -98,6 +106,12 @@
        ".config/emacs"
        "org" #  org files

+        # vscode
+        ".vscode"
+        ".vscode-insiders"
+        ".config/Code/User"
+        ".config/Code - Insiders/User"
+
        # browsers
        ".mozilla"
        ".config/google-chrome"
@@ -108,6 +122,7 @@

        # language package managers
        ".npm"
+        ".conda" # generated by `conda-shell`
        "go"

        # neovim plugins(wakatime & copilot)
@@ -0,0 +1,42 @@
+# Idols - Aquamarine
+
+A router(IPv4 only) with a tranparent proxy to bypass the G|F|W.
+
+NOTE: dae(running on aquamarine) do not provides a http/socks5 proxy server, so a v2ray server is running on [idols_kana](../idols_kana/proxy.nix) to provides a http/socks5 proxy service.
+
+## Troubleshooting
+
+### Can not access the global internet
+
+1. Check wether the subscription url is accessible.
+   - If not, then you need to get a new subscription url and update the `dae`'s configuration.
+1. Check the `dae` service's log by `journalctl -u dae -n 1000`.
+
+### DNS cannot be resolved
+
+1. `sudo systemctl stop dae`, then try to resolve the domain name again.
+   - If it works, the problem is caused by `dae` service.
+   - check dae's log by `journalctl -u dae -n 1000`
+1. DNS & DHCP is provided by `dnsmasq` service, check the configuration of `dnsmasq`.
+
+### DHCP cannot be obtained
+
+1. `ss -tunlp`, check if `dnsmasq` is running and listening on udp port 67.
+1. `journalctl -u dnsmasq -n 1000` to check the log of `dnsmasq`.
+1. Request a new IP address by disconnect and reconnect one of your devices' wifi.
+1. `nix shell nixpkgs#dhcpdump` and then `sudo dhcpdump -i br-lan`, check if the DHCP request is received by `dnsmasq`.
+   1. The server listens on UDP port number 67, and the client listens on UDP port number 68.
+   1. DHCP operations fall into four phases:
+      1. Server **discovery**: The DHCP client broadcasts a DHCPDISCOVER message on the network subnet using the destination address 255.255.255.255 (limited broadcast) or the specific subnet broadcast address (directed broadcast).
+      1. IP lease **offer**: When a DHCP server receives a DHCPDISCOVER message from a client, which is an IP address lease request, the DHCP server reserves an IP address for the client and makes a lease offer by sending a DHCPOFFER message to the client.
+      1. IP lease **request**: In response to the DHCP offer, the client replies with a DHCPREQUEST message, broadcast to the server,[a] requesting the offered address.
+      1. IP lease **acknowledgement**: When the DHCP server receives the DHCPREQUEST message from the client, it sends a DHCPACK packet to the client, which includes the lease duration and any other configuration information that the client might have requested.
+   1. So if you see only `DISCOVER` messages, the dhsmasq is not working properly.
+
+
+## References
+
+- <https://github.com/ghostbuster91/blogposts/blob/main/router2023-part2/main.md>
+- <https://github.com/ghostbuster91/nixos-router>
+
+
@@ -1,3 +1,10 @@
+# https://github.com/daeuniverse/dae/discussions/81
+# https://github.com/daeuniverse/dae/blob/main/example.dae
+
+# load all dae files placed in ./config.d/
+include {
+    config.d/*.dae
+}
 global {
    ##### Software options.

@@ -11,7 +18,7 @@ global {

    # If not zero, traffic sent from dae will be set SO_MARK. It is useful to avoid traffic loop with iptables tproxy
    # rules.
-    so_mark_from_dae: 0
+    so_mark_from_dae: 1

    # Log level: error, warn, info, debug, trace.
    log_level: info
@@ -24,20 +31,17 @@ global {

    # The LAN interface to bind. Use it if you want to proxy LAN.
    # Multiple interfaces split by ",".
-    lan_interface: ens18
+    lan_interface: br-lan

    # The WAN interface to bind. Use it if you want to proxy localhost.
    # Multiple interfaces split by ",". Use "auto" to auto detect.
-    wan_interface: auto
+    # 
+    # Disable this to avoid problems with the proxy server that prevent the subscription link from being updated
+    # wan_interface: auto

    # Automatically configure Linux kernel parameters like ip_forward and send_redirects. Check out
    # https://github.com/daeuniverse/dae/blob/main/docs/en/user-guide/kernel-parameters.md to see what will dae do.
-    auto_config_kernel_parameter: true
-
-    # Automatically configure firewall rules like firewalld and fw4.
-    # firewalld: nft 'insert rule inet firewalld filter_INPUT mark 0x08000000 accept'
-    # fw4: nft 'insert rule inet fw4 input mark 0x08000000 accept'
-    auto_config_firewall_rule: true
+    auto_config_kernel_parameter: false

    ##### Node connectivity check.

@@ -98,30 +102,11 @@ global {
    utls_imitate: chrome_auto
 }

-# Subscriptions defined here will be resolved as nodes and merged as a part of the global node pool.
-# Support to give the subscription a tag, and filter nodes from a given subscription in the group section.
-subscription {
-    # Add your subscription links here.
-    'file://mysubscription-1.sub' # the path is related to /etc/dae/
-    'file://mysubscription-2.sub'
-}
-
-# Nodes defined here will be merged as a part of the global node pool.
-node {
-    # Add your node links here.
-    # Support socks5, http, https, ss, ssr, vmess, vless, trojan, tuic, juicity, etc.
-    # Full support list: https://github.com/daeuniverse/dae/blob/main/docs/en/proxy-protocols.md
-    # mylink: 'ss://LINK'
-    # node1: 'vmess://LINK'
-    # node2: 'vless://LINK'
-    # chains: 'tuic://LINK -> vmess://LINK'
-}
-
 # See https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/dns.md for full examples.
 dns {
    # For example, if ipversion_prefer is 4 and the domain name has both type A and type AAAA records, the dae will only
    # respond to type A queries and response empty answer to type AAAA queries.
-    #ipversion_prefer: 4
+    ipversion_prefer: 4

    # Give a fixed ttl for domains. Zero means that dae will request to upstream every time and not cache DNS results
    # for these domains.
@@ -137,8 +122,8 @@ dns {
        # Please make sure DNS traffic will go through and be forwarded by dae, which is REQUIRED for domain routing.
        # If dial_mode is "ip", the upstream DNS answer SHOULD NOT be polluted, so domestic public DNS is not recommended.

-        alidns: 'udp://dns.alidns.com:53'
-        googledns: 'tcp+udp://dns.google.com:53'
+        alidns: 'udp://223.5.5.5:53'
+        googledns: 'tcp+udp://8.8.8.8:53'
    }
    routing {
        # According to the request of dns query, decide to use which DNS upstream.
@@ -148,70 +133,105 @@ dns {
            qname(geosite:cn) -> alidns
            # fallback is also called default.
            fallback: googledns
+
+            # other custom rules
+            qname(full:analytics.google.com) -> googledns # do not block google analytics(console)
+            qname(regex: '.+\.nixos.org$') -> googledns
+            qname(geosite:category-ads) -> reject
+            qname(geosite:category-ads-all) -> reject
+            qtype(aaaa) -> reject
+            qname(regex: '.+\.linkedin$') -> googledns
+        }
+
+        # According to the response of dns query, decide to accept or re-lookup using another DNS upstream.
+        # Match rules from top to bottom.
+        response {
+            # Trusted upstream. Always accept its result.
+            upstream(googledns) -> accept
+
+            # Possibly polluted(domain resolved to a private ip), re-lookup using googledns.
+            ip(geoip:private) && !qname(geosite:cn) -> googledns
+
+            fallback: accept
        }
    }
-#    routing {
-#        # According to the request of dns query, decide to use which DNS upstream.
-#        # Match rules from top to bottom.
-#        request {
-#            # fallback is also called default.
-#            fallback: alidns
-#        }
-#        # According to the response of dns query, decide to accept or re-lookup using another DNS upstream.
-#        # Match rules from top to bottom.
-#        response {
-#            # Trusted upstream. Always accept its result.
-#            upstream(googledns) -> accept
-#            # Possibly polluted, re-lookup using googledns.
-#            ip(geoip:private) && !qname(geosite:cn) -> googledns
-#            # fallback is also called default.
-#            fallback: accept
-#        }
-#    }
 }

 # Node group (outbound).
 group {
-    my_group {
-        # No filter. Use all nodes.
-
-        # Randomly select a node from the group for every connection.
-        #policy: random
-
-        # Select the first node from the group for every connection.
-        #policy: fixed(0)
-
-        # Select the node with min last latency from the group for every connection.
-        #policy: min
-
-        # Select the node with min moving average of latencies from the group for every connection.
-        policy: min_moving_avg
-    }
-
-    group2 {
-        # Filter nodes from the global node pool defined by the subscription and node section above.
-        #filter: subtag(regex: '^my_', another_sub) && !name(keyword: 'ExpireAt:')
-
-        # Filter nodes from the global node pool defined by tag.
-        #filter: name(node1, node2)
-
+    proxy {
+        filter: name(keyword: 'Hong Kong')
+        filter: name(keyword: '香港')
+        filter: name(keyword: 'Singapore')
+        filter: name(keyword: '新加坡')
        # Filter nodes and give a fixed latency offset to archive latency-based failover.
        # In this example, there is bigger possibility to choose US node even if original latency of US node is higher.
-        filter: name(HK_node)
-        filter: name(US_node) [add_latency: -500ms]
+        filter: name(keyword: 'USA') [add_latency: -500ms]
+        filter: name(keyword: '美国') [add_latency: -500ms]
+        filter: name(keyword: 'UK') [add_latency: -300ms]
+        # filter: name(keyword: '英国') [add_latency: -300ms]
+        # filter: name(keyword: 'Japan') [add_latency: 300ms]
+        # filter: name(keyword: '日本') [add_latency: 300ms]
+
+        # Other filters:
+        #   Filter nodes from the global node pool defined by the subscription and node section above.
+        #     filter: subtag(regex: '^my_', another_sub) && !name(keyword: 'ExpireAt:')
+        #   Filter nodes from the global node pool defined by tag.
+        #     filter: name('node_a','node_b')

        # Select the node with min average of the last 10 latencies from the group for every connection.
        policy: min_avg10
+        # Other policies:
+        #   random         - Randomly select a node from the group for every connection.
+        #   fixed(0)       - Select the first node from the group for every connection.
+        #   min            - Select the node with min last latency from the group for every connection.
+        #   min_moving_avg - Select the node with min moving average of latencies from the group for every connection.
+    }
+
+    media {
+        filter: name(keyword: 'Hong Kong')
+        filter: name(keyword: '香港')
+        filter: name(keyword: 'Singapore')
+        filter: name(keyword: '新加坡')
+        filter: name(keyword: 'USA') [add_latency: -500ms]
+        filter: name(keyword: '美国') [add_latency: -500ms]
+        filter: name(keyword: 'UK') [add_latency: -300ms]
+        filter: name(keyword: '英国') [add_latency: -300ms]
+        filter: name(keyword: 'Japan') [add_latency: 300ms]
+        filter: name(keyword: '日本') [add_latency: 300ms]
+
+        policy: min_avg10
+    }
+
+    ssh-proxy {
+        filter: name(keyword: 'UK')
+        filter: name(keyword: '英国')
+        policy: min_avg10
+    }
+
+    sg {
+        filter: name(keyword: 'Singapore')
+        filter: name(keyword: '新加坡')
+        policy: min_avg10
+    }
+
+    usa {
+        filter: name(keyword: 'USA')
+        filter: name(keyword: '美国')
+        policy: min_avg10
    }
 }

 # See https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/routing.md for full examples.
+# Pname has the highest priority, so should be placed in the front.
+# Priority of other rules is the same as the order of the rules defined in this file.
 routing {
    ### Preset rules.

-    # Network managers in localhost should be direct to avoid false negative network connectivity check when binding to
-    # WAN.
+    # Network managers in localhost should be direct to 
+    # avoid false negative network connectivity check when binding to WAN.
    pname(NetworkManager) -> direct
+    pname(systemd-networkd) -> direct

    # Put it in the front to prevent broadcast, multicast and other packets that should be sent to the LAN from being
    # forwarded by the proxy.
@@ -222,12 +242,79 @@ routing {
    # private addresses in your proxy host network, modify the below line.
    dip(geoip:private) -> direct

-    ### Write your rules below.
+    # --- Core rules ---#

-    # Disable h3 because it usually consumes too much cpu/mem resources.
+    # Disable HTTP3(QUIC) because it usually consumes too much cpu/mem resources.
    l4proto(udp) && dport(443) -> block
+
+    # Direct access to all Chinese mainland-related IP addresses
    dip(geoip:cn) -> direct
    domain(geosite:cn) -> direct

-    fallback: my_group
+    # Block ads
+    domain(full:analytics.google.com) -> proxy  # do not block google analytics(console)
+    domain(geosite:category-ads) -> block
+    domain(geosite:category-ads-all) -> block
+
+    # DNS
+    dip(8.8.8.8, 8.8.4.4) -> proxy
+    dip(223.5.5.5, 223.6.6.6) -> direct
+    domain(full:dns.alidns.com) -> direct
+    domain(full:dns.googledns.com) -> proxy
+    domain(full:dns.opendns.com) -> proxy
+
+    # --- Rules for other commonly used sites ---#
+
+    # SSH - tcp port 22 is blocked by many proxy servers.
+    dport(22) && !dip(geoip:cn) && !domain(geosite:cn) -> ssh-proxy
+
+    ### OpenAI
+    domain(geosite:openai) -> sg
+    domain(regex:'.+\.openai$') -> sg
+
+    ### Media
+    domain(geosite:netflix) -> media
+
+    ### Proxy
+    domain(suffix: linkedin.com) -> proxy
+    domain(keyword:'linkedin') -> proxy
+    domain(regex:'.+\.linkedin\.com$') -> proxy
+    domain(regex:'.+\.quay\.io$') -> proxy
+    domain(regex:'.+\.notion\.so$') -> proxy
+    domain(regex:'.+\.amazon\.com$') -> proxy
+    domain(regex:'.+\.oracle\.com$') -> proxy
+    domain(regex:'.+\.docker\.com$') -> proxy
+    domain(regex:'.+\.kubernetes\.io$') -> proxy
+    domain(regex:'.+\.nixos\.org$') -> proxy
+
+    domain(geosite:microsoft) -> proxy
+    domain(geosite:linkedin) -> proxy
+    domain(geosite:twitter) -> proxy
+    domain(geosite:telegram) -> proxy
+    domain(geosite:google) -> proxy
+    domain(geosite:apple) -> proxy
+    domain(geosite:category-container) -> proxy
+    domain(geosite:category-dev) -> proxy
+    domain(geosite:google-scholar) -> proxy
+    domain(geosite:category-scholar-!cn) -> proxy
+
+    ### Direct
+    domain(regex:'.+\.edu\.cn$') -> direct
+    domain(keyword:'baidu') -> direct
+    domain(keyword:'bilibili') -> direct
+    domain(keyword:'taobao') -> direct
+    domain(keyword:'alibabadns') -> direct
+    domain(keyword:'alicdn') -> direct
+    domain(keyword:'tbcache') -> direct
+    domain(keyword:'zhihu') -> direct
+    domain(keyword:'douyu') -> direct
+    domain(geosite:cloudflare-cn) -> direct
+
+    # --- Fallback rules ---#
+
+    # Access all other foreign sites
+    domain(geosite:geolocation-!cn) -> proxy
+    !dip(geoip:cn) -> proxy
+
+    fallback: direct
 }
@@ -0,0 +1,57 @@
+{
+  config,
+  pkgs,
+  daeuniverse,
+  ...
+}:
+# https://github.com/daeuniverse/flake.nix
+let
+  daeConfigPath = "/etc/dae/config.dae";
+  subscriptionConfigPath = "/etc/dae/config.d/subscription.dae";
+in {
+  imports = [
+    daeuniverse.nixosModules.dae
+    daeuniverse.nixosModules.daed
+  ];
+
+  # dae - eBPF-based Linux high-performance transparent proxy.
+  services.dae = {
+    enable = true;
+    package = daeuniverse.packages.${pkgs.system}.dae;
+    disableTxChecksumIpGeneric = false;
+    configFile = daeConfigPath;
+    assets = with pkgs; [v2ray-geoip v2ray-domain-list-community];
+    # alternatively, specify assets dir
+    # assetsPath = "/etc/dae";
+    openFirewall = {
+      enable = true;
+      port = 12345;
+    };
+  };
+
+  # dae supports two types of subscriptions: base64 encoded proxies, and sip008.
+  # subscription can be a url return the subscription, or a file path that contains the subscription.
+  #
+  # Nix decrypt and merge my dae's base config and subscription config here.
+  # the subscription config is something like:
+  #   ```
+  #   subscription {
+  #     'https://www.example.com/subscription/link'
+  #     'https://example.com/no_tag_link'
+  #   }
+  #   node {
+  #     # Support socks5, http, https, ss, ssr, vmess, vless, trojan, trojan-go, tuic, juicity
+  #     node_a: 'trojan://'
+  #     node_b: 'trojan://'
+  #     node_c: 'vless://'
+  #     node_d: 'vless://'
+  #     node_e: 'vmess://'
+  #     node_f: 'tuic://'
+  #     node_h: 'juicity://'
+  #   }
+  #   ```
+  system.activationScripts.installDaeConfig = ''
+    install -Dm 600 ${./config.dae} ${daeConfigPath}
+    install -Dm 600 ${config.age.secrets."dae-subscription.dae".path} ${subscriptionConfigPath}
+  '';
+}
@@ -1,4 +1,4 @@
-{vars_networking, ...}:
+{myvars, ...}:
 #############################################################
 #
 #  Aquamarine - A NixOS VM running on Proxmox
@@ -6,39 +6,28 @@
 #############################################################
 let
  hostName = "aquamarine"; # Define your hostname.
-  hostAddress = vars_networking.hostAddress.${hostName};
 in {
  imports = [
    ./router.nix
+    ./dae.nix
  ];

-  # Enable binfmt emulation of aarch64-linux, this is required for cross compilation.
-  boot.binfmt.emulatedSystems = ["aarch64-linux" "riscv64-linux"];
  # supported file systems, so we can mount any removable disks with these filesystems
  boot.supportedFilesystems = [
    "ext4"
    "btrfs"
    "xfs"
-    #"zfs"
-    "ntfs"
    "fat"
    "vfat"
    "exfat"
-    "cifs" # mount windows share
  ];

-  boot.kernelModules = ["kvm-amd" "kvm-intel"];
+  boot.kernelModules = ["kvm-amd"];
  boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu

  networking = {
    inherit hostName;
-    inherit (vars_networking) defaultGateway nameservers;
-
-    networkmanager.enable = false;
-    interfaces.ens18 = {
-      useDHCP = false;
-      ipv4.addresses = [hostAddress];
-    };
+    inherit (myvars.networking) nameservers;
  };

  # This value determines the NixOS release from which the default
@@ -0,0 +1,182 @@
+{lib, ...}: let
+  hostAddress = "192.168.5.101";
+  hostAddressWithMask = "${hostAddress}/24";
+  mainGatewayAddress = "192.168.5.1";
+  dhcpRange = {
+    start = "192.168.5.50";
+    end = "192.168.5.99";
+  };
+in {
+  # https://github.com/ghostbuster91/blogposts/blob/main/router2023-part2/main.md
+  boot = {
+    kernel = {
+      sysctl = {
+        # forward network packets that are not destined for the interface on which they were received
+        "net.ipv4.conf.all.forwarding" = true;
+        "net.ipv6.conf.all.forwarding" = true;
+        "net.ipv4.conf.br-lan.rp_filter" = 1;
+        "net.ipv4.conf.wan.rp_filter" = 1;
+      };
+    };
+  };
+
+  # Docker uses iptables internally to setup NAT for containers.
+  # This module disables the ip_tables kernel module, which is required for nftables to work.
+  # So make sure to disable docker here.
+  virtualisation.docker.enable = lib.mkForce false;
+  networking = {
+    useNetworkd = true;
+
+    useDHCP = false;
+    networkmanager.enable = false;
+    wireless.enable = false; # Enables wireless support via wpa_supplicant.
+    # No local firewall.
+    nat.enable = false;
+    firewall.enable = false;
+
+    # https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/services/networking/nftables.nix
+    nftables = {
+      enable = true;
+      # Check the applyed rules with `nft -a list ruleset`.
+      # Since this is a internal bypass router, we don't need to do NAT & can forward all traffic.
+      ruleset = ''
+        # Check out https://wiki.nftables.org/ for better documentation.
+        # Table for both IPv4 and IPv6.
+        table inet filter {
+          chain input {
+            type filter hook input priority 0;
+
+            # accept any localhost traffic
+            iifname lo accept
+
+            # accept any lan traffic
+            iifname br-lan accept
+
+            # count and drop any other traffic
+            counter drop
+          }
+
+          # Allow all outgoing connections.
+          chain output {
+            type filter hook output priority 0;
+            accept
+          }
+
+          # Allow all forwarding all traffic.
+          chain forward {
+            type filter hook forward priority 0;
+            accept
+          }
+        }
+      '';
+    };
+  };
+
+  # https://nixos.wiki/wiki/Systemd-networkd
+  systemd.network = {
+    netdevs = {
+      # Create the bridge interface
+      "20-br-lan" = {
+        netdevConfig = {
+          Kind = "bridge";
+          Name = "br-lan";
+        };
+      };
+    };
+    # This is a bypass router, so we do not need a wan interface here.
+    networks = {
+      "30-lan0" = {
+        # match the interface by name
+        matchConfig.Name = "ens18";
+        # Connect to the bridge
+        networkConfig = {
+          Bridge = "br-lan";
+          ConfigureWithoutCarrier = true;
+        };
+        linkConfig.RequiredForOnline = "enslaved";
+      };
+      # Configure the bridge device we just created
+      "40-br-lan" = {
+        matchConfig.Name = "br-lan";
+        address = [
+          # configure addresses including subnet mask
+          hostAddressWithMask # forwards all traffic to the gateway except for the router address itself
+        ];
+        routes = [
+          # forward all traffic to the main gateway
+          {routeConfig.Gateway = mainGatewayAddress;}
+        ];
+        bridgeConfig = {};
+        linkConfig.RequiredForOnline = "routable";
+      };
+    };
+  };
+
+  # resolved is conflict with dnsmasq
+  services.resolved.enable = false;
+  services.dnsmasq = {
+    enable = true;
+    # resolve local queries (add 127.0.0.1 to /etc/resolv.conf)
+    resolveLocalQueries = true; # may be conflict with dae, disable this.
+    alwaysKeepRunning = true;
+    # https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=tree
+    settings = {
+      # upstream DNS servers
+      server = [
+        "119.29.29.29" # DNSPod
+        "223.5.5.5" # AliDNS
+        # "8.8.8.8"
+        # "1.1.1.1"
+      ];
+      # forces dnsmasq to try each query with each server strictly
+      # in the order they appear in the config.
+      strict-order = true;
+
+      # Never forward plain names (without a dot or domain part)
+      domain-needed = true;
+      # Never forward addresses in the non-routed address spaces(e.g. private IP).
+      bogus-priv = true;
+      # don't needlessly read /etc/resolv.conf which only contains the localhost addresses of dnsmasq itself.
+      no-resolv = true;
+
+      # Cache dns queries.
+      cache-size = 1000;
+
+      dhcp-range = ["${dhcpRange.start},${dhcpRange.end},24h"];
+      interface = "br-lan";
+      dhcp-sequential-ip = true;
+      dhcp-option = [
+        # Override the default route supplied by dnsmasq, which assumes the
+        # router is the same machine as the one running dnsmasq.
+        "option:router,${hostAddress}"
+        "option:dns-server,${hostAddress}"
+      ];
+
+      # local domains
+      local = "/lan/";
+      domain = "lan";
+      expand-hosts = true;
+
+      # don't use /etc/hosts
+      no-hosts = true;
+      address = [
+        # "/surfer.lan/192.168.10.1"
+      ];
+    };
+  };
+
+  # monitoring with prometheus
+  # https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/services/monitoring/prometheus/exporters/dnsmasq.nix
+  services.prometheus.exporters.dnsmasq = {
+    enable = true;
+    listenAddress = "0.0.0.0";
+    port = 9153;
+    openFirewall = false;
+    leasesPath = "/var/lib/dnsmasq/dnsmasq.leases";
+  };
+
+  # The service irqbalance is useful as it assigns certain IRQ calls to specific CPUs instead of
+  # letting the first CPU core to handle everything.
+  # This is supposed to increase performance by hitting CPU cache more often.
+  services.irqbalance.enable = false;
+}
@@ -0,0 +1,16 @@
+# Idols - Kana
+
+Host running some common applications, such as hompage, file browser, torrent downloader, etc.
+
+All the services assumes a reverse proxy to be setup in the front, they are all listening on localhost,
+and a caddy service is listening on the local network interface and proxy the requests to the services.
+
+## Services
+
+1. dashy: Homepage
+1. ddns
+1. transmission & AriaNg: Torrent downloader and HTTP downloader
+1. uptime-kuma: uptime monitoring
+1. alist/filebrower: File browser for local/SMB/Cloud
+1. excalidraw/DDTV/owncast/jitsi-meet/...
+
@@ -0,0 +1,48 @@
+{myvars, ...}: {
+  services.caddy = {
+    enable = true;
+    # Reload Caddy instead of restarting it when configuration file changes.
+    enableReload = true;
+    user = "caddy"; # User account under which caddy runs.
+    dataDir = "/var/lib/caddy";
+    logDir = "/var/log/caddy";
+
+    # Additional lines of configuration appended to the global config section of the Caddyfile.
+    # Refer to https://caddyserver.com/docs/caddyfile/options#global-options for details on supported values.
+    globalConfig = ''
+      http_port    80
+      https_port   443
+      auto_https   off
+    '';
+
+    # ACME related settings.
+    # email = myvars.useremail;
+    # acmeCA = "https://acme-v02.api.letsencrypt.org/directory";
+
+    virtualHosts."http://dashy.writefor.fun".extraConfig = ''
+      encode zstd gzip
+      reverse_proxy http://localhost:4000
+    '';
+    virtualHosts."http://transmission.writefor.fun".extraConfig = ''
+      encode zstd gzip
+      reverse_proxy http://localhost:9091
+    '';
+    virtualHosts."http://uptime-kuma.writefor.fun".extraConfig = ''
+      encode zstd gzip
+      reverse_proxy http://localhost:3001
+    '';
+    virtualHosts."http://sftpgo.writefor.fun".extraConfig = ''
+      encode zstd gzip
+      reverse_proxy http://localhost:5010
+    '';
+    virtualHosts."http://webdav.writefor.fun".extraConfig = ''
+      encode zstd gzip
+      reverse_proxy http://localhost:5005
+    '';
+    virtualHosts."http://home.writefor.fun".extraConfig = ''
+      encode zstd gzip
+      reverse_proxy http://localhost:8082
+    '';
+  };
+  networking.firewall.allowedTCPPorts = [80 443];
+}
@@ -1,4 +1,8 @@
-{vars_networking, ...}:
+{
+  myvars,
+  mylib,
+  ...
+}:
 #############################################################
 #
 #  Kana - a NixOS VM running on Proxmox
@@ -6,10 +10,10 @@
 #############################################################
 let
  hostName = "kana"; # Define your hostname.
-  hostAddress = vars_networking.hostAddress.${hostName};
+  hostAddress = myvars.networking.hostAddress.${hostName};
 in {
-  # Enable binfmt emulation of aarch64-linux, this is required for cross compilation.
-  boot.binfmt.emulatedSystems = ["aarch64-linux" "riscv64-linux"];
+  imports = mylib.scanPaths ./.;
+
  # supported file systems, so we can mount any removable disks with these filesystems
  boot.supportedFilesystems = [
    "ext4"
@@ -23,12 +27,12 @@ in {
    "cifs" # mount windows share
  ];

-  boot.kernelModules = ["kvm-amd" "kvm-intel"];
+  boot.kernelModules = ["kvm-amd"];
  boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu

  networking = {
    inherit hostName;
-    inherit (vars_networking) defaultGateway nameservers;
+    inherit (myvars.networking) defaultGateway nameservers;

    networkmanager.enable = false;
    interfaces.ens18 = {
@@ -0,0 +1,4 @@
+# Homepage for my Homelab
+
+> WIP, just a demo for now
+
@@ -0,0 +1,9 @@
+---
+- About Me:
+    - Blog:
+        - abbr: Blog
+          href: https://thiscute.world/
+    - Github:
+        - abbr: GH
+          href: https://github.com/ryan4yin
+
@@ -0,0 +1,3 @@
+# kana-docker:
+#   socket: /var/run/docker.sock
+#
@@ -0,0 +1,8 @@
+# https://gethomepage.dev/latest/configs/kubernetes/
+
+# uses the default kubeconfig to access the cluster
+# read kubbecofig from $KUBECONFIG or $HOME/.kube/config
+# mode: default
+mode: disabled
+
+
@@ -0,0 +1,69 @@
+---
+# For configuration options and examples, please see:
+# https://gethomepage.dev/latest/configs/services
+
+- Proxmox VE 虚拟化集群:
+    - PVE-UM560:
+        icon: si-proxmox
+        href: https://192.168.5.173:8006/
+        description: 'CPU: R5-5625U / MEM: 32G / DISK: 512G+4T*2'
+        siteMonitor: https://192.168.5.173:8006/
+
+    - PVE-S500Plus:
+        icon: si-proxmox
+        href: https://192.168.5.174:8006/
+        description: 'CPU: R7-5825U / MEM: 64G / DISK: 1T'
+        siteMonitor: https://192.168.5.174:8006/
+
+    - PVE-GTR5:
+        icon: si-proxmox
+        href: https://192.168.5.172:8006/
+        description: 'CPU: R9-5900HX / MEM: 64G / DISK: 1T'
+        siteMonitor: https://192.168.5.172:8006/
+
+- Homelab Monitoring:
+    - Grafana:
+        icon: si-grafana
+        href: http://grafana.writefor.fun
+        description: Data visualised on dashboards
+        siteMonitor: http://grafana.writefor.fun 
+    - Prometheus Dashboard:
+        icon: si-prometheus
+        href: http://prometheus.writefor.fun
+        description: Monitoring - Prometheus
+        siteMonitor: http://prometheus.writefor.fun
+    - Uptime Kuma:
+        icon: si-uptimekuma
+        href: http://uptime-kuma.writefor.fun
+        description: Uptime Checking
+        siteMonitor: http://uptime-kuma.writefor.fun
+
+- Homelab Applications:
+    - SFTPGO:
+      icon: sftpgo.png
+      href: "http://sftpgo.writefor.fun/web/admin/folders"
+      description: WebDAV & SFTP server
+      siteMonitor: http://sftpgo.writefor.fun/
+
+# - Kubernetes Monitoring:
+#     # TODO: Update this
+#     - Emby:
+#       icon: emby.png
+#       href: "http://emby.home/"
+#       description: Media server
+#       namespace: media # The kubernetes namespace the app resides in
+#       app: emby # The name of the deployed app
+#
+#     - Element Chat:
+#         icon: matrix-light.png
+#         href: https://chat.example.com
+#         description: Matrix Synapse Powered Chat
+#         app: matrix-element
+#         namespace: comms
+#         pod-selector: >-
+#           app.kubernetes.io/instance in (
+#               matrix-element,
+#               matrix-media-repo,
+#               matrix-media-repo-postgresql,
+#               matrix-synapse
+#           )
@@ -0,0 +1,83 @@
+---
+# For configuration options and examples, please see:
+# https://gethomepage.dev/latest/configs/settings
+
+title: Ryan Yin's Homelab
+base: http://home.writefor.fun/
+favicon: https://thiscute.world/favicon.ico
+
+# https://developer.mozilla.org/en-US/docs/Web/Manifest/start_url
+# Used by some browsers to determine the start page of the web application
+startUrl: http://home.writefor.fun/
+
+language: zh
+
+# Define shared API provider options and secrets here,
+# You can then pass provider instead of apiKey in your widget configuration.
+providers:
+  # read api keys from environment variables
+  openweathermap: {{HOMEPAGE_VAR_WEATHERAPI_APIKEY}}
+  weatherapi: {{HOMEPAGE_VAR_WEATHERAPI_APIKEY}}
+
+
+background:
+  image: /images/rolling-girls.png
+  blur: sm # sm, "", md, xl... see https://tailwindcss.com/docs/backdrop-blur
+  saturate: 50 # 0, 50, 100... see https://tailwindcss.com/docs/backdrop-saturate
+  brightness: 50 # 0, 50, 75... see https://tailwindcss.com/docs/backdrop-brightness
+  opacity: 50 # 0-100
+
+theme: dark # or light
+
+# Supported colors are: 
+# slate, gray, zinc, neutral, stone, amber,
+# yellow, lime, green, emerald, teal, cyan,
+# sky, blue, indigo, violet, purple, fuchsia, pink, rose, red, white
+color: indigo
+
+# make all cards in a row the same height.
+useEqualHeights: true
+
+# Groups and its layout
+# Groups Name should match the name defined in your services.yaml or widgets.yaml
+layout:
+  Proxmox VE 虚拟化集群:
+    icon: si-proxmox
+    tab: First
+
+  Group A:
+    initiallyCollapsed: true  # collasped by default
+    tab: First
+    style: row
+    columns: 4
+
+  Second Service Group:
+    useEqualHeights: true # overrides global setting
+    tab: Second
+    columns: 4
+
+  Third Service Group:
+    tab: Third
+    style: row
+
+  Bookmark Group on Fourth Tab:
+    tab: Fourth
+
+  Service Group on every Tab:
+    style: row
+    columns: 4
+
+# https://gethomepage.dev/latest/configs/services/#icons
+# iconStyle: theme # optional, defaults to gradient
+
+# Typing in homepage to quick search
+quicklaunch:
+  searchDescriptions: true
+  hideInternetSearch: true
+  showSearchSuggestions: true
+  hideVisitURL: true
+
+# Show docker stats
+showStats: true
+
+hideErrors: false
@@ -0,0 +1,21 @@
+# TODO: add access to kubernetes cluster
+# - kubernetes:
+#     cluster:
+#       show: true
+#       cpu: true
+#       memory: true
+#       showLabel: true
+#       label: "cluster"
+#     nodes:
+#       show: true
+#       cpu: true
+#       memory: true
+#       showLabel: true
+# - resources:
+#     backend: resources
+#     expanded: true
+#     cpu: true
+#     memory: true
+- search:
+    provider: google
+    target: _blank
@@ -0,0 +1,25 @@
+{pkgs, ...}: let
+  configDir = "/var/lib/homepage-dashboard";
+in {
+  # https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/services/misc/homepage-dashboard.nix
+  services.homepage-dashboard = {
+    enable = true;
+    listenPort = 8082;
+    openFirewall = false;
+  };
+  systemd.services.homepage-dashboard.environment = {
+    HOMEPAGE_CONFIG_DIR = configDir;
+
+    # 1. The value of env var HOMEPAGE_VAR_XXX will replace {{HOMEPAGE_VAR_XXX}} in any config
+    # HOMEPAGE_VAR_XXX_APIKEY = "myapikey";
+    # 2. The value of env var HOMEPAGE_FILE_XXX must be a file path,
+    # the contents of which will be used to replace {{HOMEPAGE_FILE_XXX}} in any config
+  };
+  # Install the homepage-dashboard configuration files
+  system.activationScripts.installHomepageDashboardConfig = ''
+    mkdir -p configDir
+    ${pkgs.rsync}/bin/rsync -avz --chmod=D2755,F600 ${./config}/ ${configDir}/
+
+    ${pkgs.systemdMinimal}/bin/systemctl restart homepage-dashboard
+  '';
+}
@@ -0,0 +1,26 @@
+{
+  # Replace dashy with gethomepage, because dashy is too slow to start/reload.
+
+  # # Install the dashy configuration file instaed of symlink it
+  # system.activationScripts.installDashyConfig = ''
+  #   install -Dm 600 ${./dashy_conf.yml} /etc/dashy/dashy_conf.yml
+  # '';
+  #
+  # # https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/virtualisation/oci-containers.nix
+  # virtualisation.oci-containers.containers = {
+  #   # check its logs via `journalctl -u podman-dashy`
+  #   dashy = {
+  #     hostname = "dashy";
+  #     image = "lissy93/dashy:latest";
+  #     ports = ["127.0.0.1:4000:80"];
+  #     environment = {
+  #       "NODE_ENV" = "production";
+  #     };
+  #     volumes = [
+  #       "/etc/dashy/dashy_conf.yml:/app/public/conf.yml"
+  #     ];
+  #     autoStart = true;
+  #     # cmd = [];
+  #   };
+  # };
+}
@@ -0,0 +1,28 @@
+{
+  lib,
+  mylib,
+  ...
+}: {
+  imports = mylib.scanPaths ./.;
+
+  virtualisation = {
+    docker.enable = lib.mkForce false;
+    podman = {
+      enable = true;
+      # Create a `docker` alias for podman, to use it as a drop-in replacement
+      dockerCompat = true;
+      # Required for containers under podman-compose to be able to talk to each other.
+      defaultNetwork.settings.dns_enabled = true;
+      # Periodically prune Podman resources
+      autoPrune = {
+        enable = true;
+        dates = "weekly";
+        flags = ["--all"];
+      };
+    };
+
+    oci-containers = {
+      backend = "podman";
+    };
+  };
+}
@@ -0,0 +1,90 @@
+{
+  # dae(running on aquamarine) do not provides http/socks5 proxy server; so we use v2ray here.
+  # https=//github.com/v2fly
+  services.v2ray = {
+    enable = true;
+    config = {
+      # for monitoring
+      "stats" = {};
+      "api" = {
+        "tag" = "api";
+        "services" = [
+          "StatsService"
+        ];
+      };
+      "policy" = {
+        "levels" = {
+          "0" = {
+            "statsUserUplink" = true;
+            "statsUserDownlink" = true;
+          };
+        };
+        "system" = {
+          "statsInboundUplink" = true;
+          "statsInboundDownlink" = true;
+          "statsOutboundUplink" = true;
+          "statsOutboundDownlink" = true;
+        };
+      };
+
+      inbounds = [
+        # core inbound
+        {
+          listen = "0.0.0.0";
+          port = 7890;
+          protocol = "http";
+        }
+        {
+          listen = "0.0.0.0";
+          port = 7891;
+          protocol = "socks";
+          settings = {
+            auth = "noauth";
+            udp = true;
+          };
+        }
+
+        # for monitoring
+        {
+          "tag" = "api";
+          "listen" = "127.0.0.1";
+          "port" = 54321;
+          "protocol" = "dokodemo-door";
+          "settings" = {
+            "address" = "127.0.0.1";
+          };
+        }
+      ];
+      outbounds = [
+        # forward traffic directly via system's default network(to dae proxy running on aquamarine)
+        {
+          protocol = "freedom";
+          tag = "freedom";
+        }
+      ];
+
+      # for monitoring
+      "routing" = {
+        "rules" = [
+          {
+            "inboundTag" = [
+              "api"
+            ];
+            "outboundTag" = "api";
+            "type" = "field";
+          }
+        ];
+      };
+    };
+  };
+
+  # https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/services/monitoring/prometheus/exporters/v2ray.nix
+  # https://github.com/wi1dcard/v2ray-exporter
+  services.prometheus.exporters.v2ray = {
+    enable = true;
+    listenAddress = "0.0.0.0";
+    port = 9153;
+    openFirewall = false;
+    v2rayEndpoint = "127.0.0.1:54321";
+  };
+}
@@ -0,0 +1,97 @@
+{config, ...}: {
+  # Read SFTPGO_DEFAULT_ADMIN_USERNAME and SFTPGO_DEFAULT_ADMIN_PASSWORD from a file
+  systemd.services.sftpgo.serviceConfig.EnvironmentFile = config.age.secrets."sftpgo.env".path;
+
+  services.sftpgo = {
+    enable = true;
+    user = "sftpgo";
+    dataDir = "/var/lib/sftpgo";
+    extraArgs = [
+      "--log-level"
+      "info"
+    ];
+    # https://github.com/drakkan/sftpgo/blob/2.5.x/docs/full-configuration.md
+    settings = {
+      common = {
+        # Auto-blocking policy for SFTPGo and thus helps to prevent DoS (Denial of Service) and brute force password guessing.
+        defender = {
+          enable = true;
+        };
+      };
+      # Where to store stfpgo's data
+      data_provider = {
+        driver = "sqlite";
+        name = "sftpgo.db";
+        password_hashing = {
+          algo = "argon2id";
+          # options for argon2id hashing algorithm.
+          # The memory and iterations parameters control the computational cost of hashing the password.
+          argon2_options = {
+            memory = 65536; # KiB
+            iterations = 2; # The number of iterations over the memory.
+            parallelism = 2; # The number of threads (or lanes) used by the algorithm.
+          };
+        };
+        password_validation = {
+          # What Entropy Value Should I Use?
+          # somewhere in the 50-70 range seems "reasonable".
+          # https://github.com/wagslane/go-password-validator#what-entropy-value-should-i-use
+          admins.min_entropy = 60;
+          users.min_entropy = 60;
+        };
+        # Cache passwords in memory to avoid hashing the same password multiple times(it costs).
+        password_caching = true;
+        # create the default admin user via environment variables
+        # SFTPGO_DEFAULT_ADMIN_USERNAME and SFTPGO_DEFAULT_ADMIN_PASSWORD
+        create_default_admin = true;
+      };
+
+      # WebDAV is a popular protocol for file sharing, better than CIFS/SMB, NFS, etc.
+      # it's save to use WebDAV over HTTPS on public networks.
+      webdavd.bindings = [
+        {
+          address = "127.0.0.1";
+          port = 5005;
+        }
+      ];
+      # HTTP Server provides a simple web interface to manage the server.
+      httpd.bindings = [
+        {
+          address = "127.0.0.1";
+          enable_https = false;
+          port = 5010;
+          client_ip_proxy_header = "X-Forwarded-For";
+          # a basic built-in web interface that allows you to manage users,
+          # virtual folders, admins and connections.
+          # url: http://127.0.0.1:8080/web/admin
+          enable_web_admin = true;
+          # A basic front-end web interface for your users.
+          # It allows end-users to browse and manage their files and change their credentials.
+          enable_web_client = true;
+          enable_rest_api = true;
+        }
+      ];
+      # prometheus metrics
+      telemetry = {
+        bind_port = 10000;
+        bind_address = "0.0.0.0";
+        # auth_user_file = "";
+      };
+      # multi-factor authentication settings
+      mfa.totp = [
+        {
+          # Unique configuration name, not visible to the authentication apps.
+          # Should not to be changed after the first user has been created.
+          name = "SFTPGo";
+          # Name of the issuing Organization/Company
+          issuer = "SFTPGo";
+          # Algorithm to use for HMAC
+          # Currently Google Authenticator app on iPhone seems to only support sha1
+          algo = "sha1";
+        }
+      ];
+      # SMTP configuration enables SFTPGo email sending capabilities
+      # smtp = {};
+    };
+  };
+}
@@ -0,0 +1,117 @@
+{
+  config,
+  myvars,
+  ...
+}: let
+  dataDir = "/var/lib/transmission";
+  name = "transmission";
+in {
+  # the headless Transmission BitTorrent daemon
+  # https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/services/torrent/transmission.nix
+  # https://wiki.archlinux.org/title/transmission
+  services.transmission = {
+    enable = true;
+    user = name;
+    group = name;
+    home = dataDir;
+    downloadDirPermissions = "0770";
+
+    # Whether to enable tweaking of kernel parameters to open many more connections at the same time.
+    # Note that you may also want to increase peer-limit-global.
+    # And be aware that these settings are quite aggressive and might not suite your regular desktop use.
+    # For instance, SSH sessions may time out more easily.
+    performanceNetParameters = true;
+
+    # Path to a JSON file to be merged with the settings.
+    # Useful to merge a file which is better kept out of the Nix store to set secret config parameters like `rpc-password`.
+    credentialsFile = config.age.secrets."transmission-credentials.json".path;
+
+    # Whether to open the RPC port in the firewall.
+    openRPCPort = false;
+    openPeerPorts = true;
+
+    # https://github.com/transmission/transmission/blob/main/docs/Editing-Configuration-Files.md
+    settings = {
+      # 0 = None, 1 = Critical, 2 = Error, 3 = Warn, 4 = Info, 5 = Debug, 6 = Trace;
+      message-level = 3;
+
+      # Encryption may help get around some ISP filtering,
+      # but at the cost of slightly higher CPU use.
+      # 0 = Prefer unencrypted connections,
+      # 1 = Prefer encrypted connections,
+      # 2 = Require encrypted connections; default = 1)
+      encryption = 2;
+
+      # rpc = Web Interface
+      rpc-port = 9091;
+      rpc-bind-address = "127.0.0.1";
+      anti-brute-force-enabled = true;
+      # After this amount of failed authentication attempts is surpassed,
+      # the RPC server will deny any further authentication attempts until it is restarted.
+      # This is not tracked per IP but in total.
+      anti-brute-force-threshold = 20;
+      rpc-authentication-required = true;
+
+      # Comma-delimited list of IP addresses.
+      # Wildcards allowed using '*'. Example: "127.0.0.*,192.168.*.*",
+      rpc-whitelist-enabled = true;
+      rpc-whitelist = "127.0.0.*,192.168.*.*";
+      # Comma-delimited list of domain names.
+      # Wildcards allowed using '*'. Example: "*.foo.org,example.com",
+      rpc-host-whitelist-enabled = true;
+      rpc-host-whitelist = "*.writefor.fun,localhost,192.168.5.*";
+      rpc-user = myvars.username;
+      rpc-username = myvars.username;
+      # rpc-password = "test"; # you'd better use the credentialsFile for this.
+
+      incomplete-dir-enabled = true;
+      incomplete-dir = "${dataDir}/incomplete";
+      download-dir = "${dataDir}/downloads";
+
+      # Watch a directory for torrent files and add them to transmission.
+      watch-dir-enabled = false;
+      watch-dir = "${dataDir}/watch";
+      # Whether to enable Micro Transport Protocol (µTP).
+      utp-enabled = true;
+      # Executable to be run at torrent completion.
+      script-torrent-done-enabled = false;
+      # script-torrent-done-filename = "/path/to/script";
+
+      # Enable Local Peer Discovery (LPD).
+      lpd-enabled = true;
+      # The peer port to listen for incoming connections.
+      peer-port = 51413;
+      # Enable UPnP or NAT-PMP to forward a port through your firewall(NAT).
+      # https://github.com/transmission/transmission/blob/main/docs/Port-Forwarding-Guide.md
+      port-forwarding-enabled = true;
+
+      # "normal" speed limits
+      speed-limit-down-enabled = true;
+      speed-limit-down = 30000; # KB/s
+      speed-limit-up-enabled = true;
+      speed-limit-up = 500; # KB/s
+      upload-slots-per-torrent = 8;
+
+      # Start torrents as soon as they are added
+      start-added-torrents = true;
+
+      # Queuing
+      # When true, Transmission will only download
+      # download-queue-size non-stalled torrents at once.
+      download-queue-enabled = true;
+      download-queue-size = 5;
+
+      # When true, torrents that have not shared data for
+      # queue-stalled-minutes are treated as 'stalled'
+      # and are not counted against the queue-download-size
+      # and seed-queue-size limits.
+      queue-stalled-enabled = true;
+      queue-stalled-minutes = 60;
+
+      # When true. Transmission will only seed seed-queue-size
+      # non-stalled torrents at once.
+      seed-queue-enabled = true;
+      seed-queue-size = 10;
+    };
+  };
+}
@@ -0,0 +1,12 @@
+{
+  # https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/services/monitoring/uptime-kuma.nix
+  services.uptime-kuma = {
+    enable = true;
+    # https://github.com/louislam/uptime-kuma/wiki/Environment-Variables
+    settings = {
+      "UPTIME_KUMA_HOST" = "127.0.0.1";
+      "UPTIME_KUMA_PORT" = "3001";
+      "DATA_DIR" = "/var/lib/uptime-kuma/";
+    };
+  };
+}
@@ -0,0 +1,14 @@
+# Idols - Ruby
+
+Host running operation and maintenance related services:
+
+1. Backup or sync my personal data to cloud or NAS.
+   - For safety, those data should be encrypted before sending to the cloud or my NAS.
+1. Collect and monitor the metrics/logs of my homelab.
+
+## Services
+
+1. prometheus + alertmanager + grafana + loki: Monitor the metrics/logs of my homelab.
+1. restic: Backup my personal data to cloud or NAS.
+1. synthing: Sync file between android/macbook/PC and NAS.
+
@@ -0,0 +1,74 @@
+{
+  config,
+  attic,
+  ...
+}: {
+  #=====================================================
+  #
+  # Attic
+  #
+  # A self-hostable Nix Binary Cache server
+  # backed by an S3-compatible storage provider
+  #
+  # https://docs.attic.rs/tutorial.html
+  #
+  #=====================================================
+
+  imports = [
+    attic.nixosModules.atticd
+  ];
+
+  # Self-Hosted Nix Cache Server
+  # https://github.com/zhaofengli/attic
+  #
+  # The first thing to do after setting up the server is:
+  # 1. Generate a admin token on the server via command:
+  #    `sudo atticd-atticadm make-token --sub "admin-1" --validity "2y" --pull "*" --push "*"  --delete "*" --create-cache "*" --configure-cache "*"  --configure-cache-retention "*"  --destroy-cache "*"`
+  # 2. Login at the desktop via command:
+  #    `attic login central http://attic.writefor.fun <TOKEN>`
+  # 3. Create a new cache via command:
+  #    `attic cache create rk3588`
+  #    `attic use cache rk3588`
+  # 4. Push Caches to the cache server via:
+  #    it's similar to cachix, related docs:
+  #    https://docs.attic.rs/reference/attic-cli.html
+  #    https://docs.cachix.org/pushing#pushing
+  services.atticd = {
+    enable = true;
+
+    # Replace with absolute path to your credentials file
+    # The HS256 JWT secret can be generated with the openssl:
+    #   openssl rand 64 | base64 -w0
+    #
+    # Content:
+    #   ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64="output from openssl"
+    credentialsFile = config.age.secrets."attic-nix-cache-server.env".path;
+
+    settings = {
+      listen = "[::]:8888";
+
+      # Data chunking
+      #
+      # Warning: If you change any of the values here, it will be
+      # difficult to reuse existing chunks for newly-uploaded NARs
+      # since the cutpoints will be different. As a result, the
+      # deduplication ratio will suffer for a while after the change.
+      chunking = {
+        # The minimum NAR size to trigger chunking
+        #
+        # If 0, chunking is disabled entirely for newly-uploaded NARs.
+        # If 1, all NARs are chunked.
+        nar-size-threshold = 64 * 1024; # 64 KiB
+
+        # The preferred minimum size of a chunk, in bytes
+        min-size = 16 * 1024; # 16 KiB
+
+        # The preferred average size of a chunk, in bytes
+        avg-size = 64 * 1024; # 64 KiB
+
+        # The preferred maximum size of a chunk, in bytes
+        max-size = 256 * 1024; # 256 KiB
+      };
+    };
+  };
+}
@@ -0,0 +1,40 @@
+{myvars, ...}: {
+  services.caddy = {
+    enable = true;
+    # Reload Caddy instead of restarting it when configuration file changes.
+    enableReload = true;
+    user = "caddy"; # User account under which caddy runs.
+    dataDir = "/var/lib/caddy";
+    logDir = "/var/log/caddy";
+
+    # Additional lines of configuration appended to the global config section of the Caddyfile.
+    # Refer to https://caddyserver.com/docs/caddyfile/options#global-options for details on supported values.
+    globalConfig = ''
+      http_port    80
+      https_port   443
+      auto_https   off
+    '';
+
+    # ACME related settings.
+    # email = myvars.useremail;
+    # acmeCA = "https://acme-v02.api.letsencrypt.org/directory";
+
+    virtualHosts."http://grafana.writefor.fun".extraConfig = ''
+      encode zstd gzip
+      reverse_proxy http://localhost:3000
+    '';
+    virtualHosts."http://prometheus.writefor.fun".extraConfig = ''
+      encode zstd gzip
+      reverse_proxy http://localhost:9090
+    '';
+    virtualHosts."http://alertmanager.writefor.fun".extraConfig = ''
+      encode zstd gzip
+      reverse_proxy http://localhost:9093
+    '';
+    virtualHosts."http://attic.writefor.fun".extraConfig = ''
+      encode zstd gzip
+      reverse_proxy http://localhost:8888
+    '';
+  };
+  networking.firewall.allowedTCPPorts = [80 443];
+}
@@ -1,4 +1,8 @@
-{vars_networking, ...}:
+{
+  myvars,
+  mylib,
+  ...
+}:
 #############################################################
 #
 #  Ruby - a NixOS VM running on Proxmox
@@ -6,10 +10,10 @@
 #############################################################
 let
  hostName = "ruby"; # Define your hostname.
-  hostAddress = vars_networking.hostAddress.${hostName};
+  hostAddress = myvars.networking.hostAddress.${hostName};
 in {
-  # Enable binfmt emulation of aarch64-linux, this is required for cross compilation.
-  boot.binfmt.emulatedSystems = ["aarch64-linux" "riscv64-linux"];
+  imports = mylib.scanPaths ./.;
+
  # supported file systems, so we can mount any removable disks with these filesystems
  boot.supportedFilesystems = [
    "ext4"
@@ -23,12 +27,12 @@ in {
    "cifs" # mount windows share
  ];

-  boot.kernelModules = ["kvm-amd" "kvm-intel"];
+  boot.kernelModules = ["kvm-amd"];
  boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu

  networking = {
    inherit hostName;
-    inherit (vars_networking) defaultGateway nameservers;
+    inherit (myvars.networking) defaultGateway nameservers;

    networkmanager.enable = false;
    interfaces.ens18 = {
@@ -0,0 +1,3 @@
+{mylib, ...}: {
+  imports = mylib.scanPaths ./.;
+}
@@ -0,0 +1,4 @@
+{
+  # TODO
+  # https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/services/monitoring/prometheus/exporters/pve.nix
+}
@@ -0,0 +1,20 @@
+apiVersion: 1
+
+providers:
+  # <string> an unique provider name. Required
+  - name: 'Dashboards'
+    # <int> Org id. Default to 1
+    orgId: 1
+    # <string> provider type. Default to 'file'
+    type: file
+    # <bool> disable dashboard deletion
+    disableDeletion: false
+    # <int> how often Grafana will scan for changed dashboards
+    updateIntervalSeconds: 20
+    # <bool> allow updating provisioned dashboards from the UI
+    allowUiUpdates: false
+    options:
+      # <string, required> path to dashboard files on disk. Required when using the 'file' type
+      path: /etc/grafana/dashboards
+      # <bool> use folder names from filesystem to create folders in Grafana
+      foldersFromFilesStructure: true
@@ -0,0 +1,11 @@
+# Grafana Dashbaords
+
+## Homelab
+
+1. https://grafana.com/grafana/dashboards/1860-node-exporter-full/
+2. https://grafana.com/grafana/dashboards/9578-alertmanager/
+
+## Kubernetes
+
+1. https://github.com/dotdc/grafana-dashboards-kubernetes/
+
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Ryan Yin	bd2c3d5902	docs: how to add a new machine	2024-03-10 20:56:54 +08:00
Ryan Yin	06f45bb7b9	docs: update docs	2024-03-10 20:46:36 +08:00
Ryan Yin	864d42397e	docs: update docs, remove unused host - chiaya	2024-03-10 20:45:57 +08:00
Ryan Yin	f43f5b14d5	refactor: replace all unserscore(_) with hyphen(-)	2024-03-10 20:18:02 +08:00
Ryan Yin	ebf9a48677	Merge pull request #79 from ryan4yin/filesystem-based-modules refactor: flake outputs & hosts	2024-03-10 20:13:57 +08:00
Ryan Yin	b382999a70	refactor: Use haumea for filesystem-based module system for flake outputs refactor: Use hyphen(`-`) for variable names & folder names(except Python), replace all unserscore(`_`) with hyphen(`-`).	2024-03-10 20:12:02 +08:00
Ryan Yin	d7738efed2	Merge pull request #78 from yqlbu/main fix(secrets/nixos.nix): correct a typo	2024-03-08 23:26:42 +08:00
kev	88358607f2	fix: correct a typo	2024-03-08 23:25:26 +08:00
Ryan Yin	bf3f364f89	Merge pull request #77 from ryan4yin/use-optionals refactor: use lib.optionals instead of if...then...else	2024-03-08 23:18:41 +08:00
Ryan Yin	3247e4a8e6	refactor: use lib.optionals instead of if...then...else...	2024-03-08 23:16:45 +08:00
Ryan Yin	54c2240be6	feat: update dae & its config	2024-03-08 17:44:25 +08:00
Ryan Yin	2b8d059ecc	feat: add gitops tools	2024-03-08 17:06:40 +08:00
Ryan Yin	52d04c1cb1	Merge pull request #75 from ryan4yin/aarch-tmpfs-on-root feat: aarch64 - tmpfs on root + impermanence	2024-03-07 23:11:23 +08:00
Ryan Yin	5ed77b764f	feat: aarch64 - tmpfs on root + impermanence	2024-03-07 23:01:20 +08:00
Ryan Yin	7c91ffb251	Merge pull request #74 from ryan4yin/update-aarch-riscv feat: UEFI NixOS on aarch64(rk3588)	2024-03-07 22:12:48 +08:00
Ryan Yin	f12e5a4293	fix: broken image link	2024-03-07 22:11:56 +08:00
Ryan Yin	fb9f757519	docs: add other info for orangepi5 & orangepi5 plus	2024-03-07 22:10:44 +08:00
Ryan Yin	606b1d3412	docs: add screenshot for orangepi5 & orangepi5 plus	2024-03-07 22:07:28 +08:00
Ryan Yin	4d0741c841	feat: install nixos on orange pi 5 plus with edk2-rk3588(uefi)	2024-03-07 21:59:23 +08:00
Ryan Yin	efcee11839	docs: README	2024-03-07 17:26:40 +08:00
Ryan Yin	310ac5c3e7	docs: README	2024-03-07 17:12:57 +08:00
Ryan Yin	5a56d4808c	fix: enable sudo password - proxmox	2024-03-07 13:00:47 +08:00
Ryan Yin	9385c5dba5	feat: update nixos-licheepi4a	2024-03-07 00:39:28 +08:00
Ryan Yin	ab414236ce	fix: steam - cjk fonts	2024-03-06 11:49:53 +08:00
Ryan Yin	b997697aed	docs: flake description	2024-03-05 15:16:32 +08:00
Ryan Yin	d59061e526	feat: nix related tools	2024-03-05 14:37:59 +08:00
Ryan Yin	2c8d0f629c	fix(security): enable sudo password for ryan, use root for remote deployment	2024-03-04 18:36:59 +08:00
Ryan Yin	2072da67a5	fix(security): enable sudo password for ryan, use root for remote deployment	2024-03-04 18:28:49 +08:00
Ryan Yin	77bd038f32	Merge pull request #73 from ryan4yin/attic feat: add attic - a self-hosted nix cache server	2024-03-04 02:36:50 +08:00
Ryan Yin	b4015c2189	feat: add attic - a self-hosted nix cache server	2024-03-04 02:35:00 +08:00
Ryan Yin	69a64b209a	refactor: packages & fhs	2024-03-04 01:06:13 +08:00
Ryan Yin	c7c771804a	refactor: packages & fhs	2024-03-04 01:05:55 +08:00
Ryan Yin	f933146a42	fix: suzu	2024-03-04 00:48:01 +08:00
Ryan Yin	d20760cd61	feat: migrate k8s related configs to another repo	2024-03-03 20:48:32 +08:00
Ryan Yin	5811a41aca	fix: dae - cache.nixos.org & analytics.google.com	2024-03-03 20:38:42 +08:00
Ryan Yin	b7845ef85e	Merge pull request #71 from ryan4yin/kubevirt feat: kubevirt on k3s	2024-03-03 20:03:43 +08:00
Ryan Yin	996a27965f	feat: kubevirt - add cdi & ovs	2024-03-03 20:01:09 +08:00
Ryan Yin	d3ddf34267	feat: add flake.nix for pulumi	2024-03-03 12:06:29 +08:00
Ryan Yin	f141b49dc3	feat: kubevirt on k3s	2024-03-03 12:06:25 +08:00
Ryan Yin	9914644189	feat: kubevirt on k3s	2024-03-03 12:06:04 +08:00
Ryan Yin	7d56db3e47	fix: pip mirror - sjtu -> ustc	2024-03-03 12:04:10 +08:00
Ryan Yin	dbc5fcbd01	feat: dae - use pr 466	2024-03-03 00:49:06 +08:00
Ryan Yin	b8e580ee5a	Merge pull request #72 from DataEraserC/main Fix boolean expectation error and update conditional checks.	2024-03-03 00:26:50 +08:00
Sacabambaspis	fa5b1b2752	Fix boolean expectation error and update conditional checks.	2024-03-03 00:25:04 +08:00
Ryan Yin	eb75f1fa49	fix: typo	2024-03-02 20:02:44 +08:00
Ryan Yin	8542fef152	docs: README	2024-03-01 10:20:14 +08:00
Ryan Yin	4cf92e7199	fix: dae	2024-03-01 09:43:24 +08:00
Ryan Yin	4d24c74c16	feat: aqua - use dae - pr458	2024-02-29 22:23:55 +08:00
Ryan Yin	1a7e4d52aa	feat: add home-manager for host - ruby	2024-02-29 22:04:23 +08:00
Ryan Yin	fcde4b8e83	feat: update ssh.nix	2024-02-28 09:02:24 +08:00
Ryan Yin	3c5f0751f5	docs: speedFactor	2024-02-27 22:24:48 +08:00
Ryan Yin	f4ee1a0685	fix: 'xterm-kitty': unknown terminal type	2024-02-27 22:18:38 +08:00
Ryan Yin	a6499f3cb9	feat: update dae & it's secrets	2024-02-27 22:12:51 +08:00
Ryan Yin	8deb3f809b	feat: install colmena & ventoy at user-level	2024-02-27 21:36:23 +08:00
Ryan Yin	bff316ab7e	fix: nixpkgs's joplin not work on macOS intel	2024-02-27 21:24:09 +08:00
Ryan Yin	985beb8bd4	feat: increase cache ttl of gnupg-agent	2024-02-23 21:33:39 +08:00
Ryan Yin	629ef6e451	feat: darwin - Disable password authentication for SSH	2024-02-23 20:12:53 +08:00
Ryan Yin	fa492e0b26	feat: add notes for nixos-installer	2024-02-23 19:16:41 +08:00
Ryan Yin	9f0570d367	fix: typo	2024-02-23 12:09:57 +08:00
Ryan Yin	bbe0f29435	feat: adjust wayland related settings for chromium & vscode	2024-02-22 16:14:07 +08:00
Ryan Yin	b047c064d6	chore: polish	2024-02-20 17:54:14 +08:00
Ryan Yin	3b346c4dd9	fix: some packages has been removed from macOS introduced by `ae238d401d`	2024-02-20 16:15:21 +08:00
Ryan Yin	ed1b4775eb	docs: README	2024-02-20 09:54:18 +08:00
Ryan Yin	0286a84f23	fix: homepage	2024-02-20 01:13:27 +08:00
Ryan Yin	c31525e667	feat: dashy is too slow to start/reload, replace it with homepage-dashboard	2024-02-20 00:46:08 +08:00
Ryan Yin	b50c59d60e	Merge pull request #68 from ryan4yin/webdav feat: webdav server - sftpgo	2024-02-19 22:59:26 +08:00
Ryan Yin	7a229f6e79	feat: webdav provided by sftpgo	2024-02-19 22:57:57 +08:00
Ryan Yin	2cbf8df0fa	fix: just homelab	2024-02-19 22:07:31 +08:00
Ryan Yin	533fcb6144	docs: comment	2024-02-19 18:19:52 +08:00
Ryan Yin	f0217c68f5	feat: note-taking - joplin	2024-02-19 15:05:24 +08:00
Ryan Yin	e2f9c59cb6	fix: pulumi - fix go's import paths	2024-02-19 02:30:20 +08:00
Ryan Yin	5a57d97d36	fix: pulumi stack for k3s-prod-1	2024-02-19 01:52:19 +08:00
Ryan Yin	3a470f1b1f	chore: pulumi - upgrade go dependencies	2024-02-19 01:35:45 +08:00
Ryan Yin	37fff317ef	Merge pull request #67 from ryan4yin/dependabot/go_modules/pulumi/k3s-prod-1/github.com/cloudflare/circl-1.3.7 chore(deps): bump github.com/cloudflare/circl from 1.3.3 to 1.3.7 in /pulumi/k3s-prod-1	2024-02-19 01:31:31 +08:00
dependabot[bot]	1ead059695	chore(deps): bump github.com/cloudflare/circl in /pulumi/k3s-prod-1 Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.3.3 to 1.3.7. - [Release notes](https://github.com/cloudflare/circl/releases) - [Commits](https://github.com/cloudflare/circl/compare/v1.3.3...v1.3.7) --- updated-dependencies: - dependency-name: github.com/cloudflare/circl dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>	2024-02-18 17:30:44 +00:00
Ryan Yin	9a61f3c889	docs: pulumi	2024-02-19 01:30:34 +08:00
Ryan Yin	f800d96673	feat: add pulumi stack for k3s-prod-1	2024-02-19 01:28:57 +08:00
Ryan Yin	64205a79fd	feat: add pulumi related tools	2024-02-18 23:05:31 +08:00
Ryan Yin	2ec9eed885	feat: add home-manager - k8s-master	2024-02-18 22:38:02 +08:00
Ryan Yin	9a71920fd4	fix: k9s skin	2024-02-18 22:30:56 +08:00
Ryan Yin	0a9dee2aee	docs: pulumi	2024-02-18 22:24:26 +08:00
Ryan Yin	f6b34b042f	feat: impermanence	2024-02-18 22:02:39 +08:00
Ryan Yin	6d1bdd2b40	feat: k3s disable-helm-controller	2024-02-18 21:13:21 +08:00
Ryan Yin	010f3ece90	feat: prometheus targets	2024-02-18 20:44:24 +08:00
Ryan Yin	5f8f5c79d5	docs: k8s nodes overview - screenshots	2024-02-18 20:24:41 +08:00
Ryan Yin	2390ece70b	fix: colmena tags for my k3s clusters	2024-02-18 20:17:54 +08:00
Ryan Yin	36f5367a5d	feat: k3s - kubeconfig	2024-02-18 20:13:34 +08:00
Ryan Yin	a73ebc7726	Merge pull request #64 from ryan4yin/k8s feat: new k3s cluster	2024-02-18 18:57:36 +08:00
Ryan Yin	c19184a6be	feat: new k3s cluster	2024-02-18 18:55:23 +08:00
Ryan Yin	1a3b02a062	feat: remove emulatedSystem from kana & ruby	2024-02-18 13:41:39 +08:00
Ryan Yin	996b1dd077	docs: README	2024-02-18 13:21:36 +08:00
Ryan Yin	0c60bc495f	docs: k8s	2024-02-18 12:21:10 +08:00
Ryan Yin	96ee6f2c01	docs: monitoring gpu	2024-02-18 12:13:44 +08:00
Ryan Yin	517949b78f	docs: hosts - k8s	2024-02-18 11:52:15 +08:00
Ryan Yin	cb43947e32	docs: hosts	2024-02-18 11:51:38 +08:00
Ryan Yin	f1c79bbb70	Merge pull request #63 from ryan4yin/caddy feat: add caddy as a reverse proxy for applications	2024-02-18 11:33:15 +08:00
Ryan Yin	5fe647c0d3	feat: add caddy as a reverse proxy for applications	2024-02-18 11:27:26 +08:00
Ryan Yin	a321d2c803	fix: ssh hosts aliases not working on darwin	2024-02-18 10:49:09 +08:00
Ryan Yin	e5fa57c660	docs: priority of dae routing rules	2024-02-18 02:05:42 +08:00
Ryan Yin	e5b0545dfd	feat: monitoring - grafana dashboards for kubernetes	2024-02-18 00:45:06 +08:00
Ryan Yin	ef1fb417ad	feat: monitoring - grafana dashboards, alertmanager alerting rules	2024-02-18 00:35:25 +08:00
Ryan Yin	b75e9d6abe	feat: adjust colmena tags	2024-02-17 23:47:06 +08:00
Ryan Yin	05028b84d4	Merge pull request #62 from ryan4yin/monitoring feat: monitoring + containers	2024-02-17 23:36:25 +08:00
Ryan Yin	b6e51e1950	feat: monitoring + containers - grafana + prometheus + node_exporter + other exporters	2024-02-17 23:33:48 +08:00
Ryan Yin	9626986524	fix: typo	2024-02-17 16:46:07 +08:00
Ryan Yin	279b1b69eb	fix: dae - github's ssh access	2024-02-17 15:51:49 +08:00
Ryan Yin	88092aba5b	fix: dae - github	2024-02-17 15:06:34 +08:00
Ryan Yin	4c00a430d6	feat: justfile	2024-02-17 14:53:20 +08:00
Ryan Yin	4d23a5eb19	fix: typo	2024-02-17 14:51:43 +08:00
Ryan Yin	9c07aa1113	feat: monitor dnsmasq + v2ray	2024-02-17 14:51:04 +08:00
Ryan Yin	34ca7615b4	fix: dnsmasq dhcp	2024-02-17 14:22:54 +08:00
Ryan Yin	fd4f1f9086	feat: dnsmasq	2024-02-17 05:46:02 +08:00
Ryan Yin	fe6caebe2e	docs: dae & v2ray	2024-02-17 04:42:41 +08:00
Ryan Yin	0da119a5e8	docs: dae & v2ray	2024-02-17 04:41:02 +08:00
Ryan Yin	a2af4728f3	Merge pull request #60 from ryan4yin/bypass-router feat: bypass router	2024-02-17 04:38:00 +08:00
Ryan Yin	ae238d401d	fix: bypass router	2024-02-17 04:36:41 +08:00
Ryan Yin	7cbff9ef3b	feat: dae	2024-02-16 11:15:16 +08:00
Ryan Yin	fa5aaf4f97	feat: set https proxy for nix daemon	2024-02-16 10:27:06 +08:00
Ryan Yin	45c6d0f604	feat: update flake.lock, fix some api/package changes	2024-02-16 10:09:31 +08:00
Ryan Yin	47225fffbc	feat: pick the highest resolution for systemd-boot's console	2024-02-15 03:07:58 +08:00
Ryan Yin	d022fc3fa9	Merge pull request #57 from we-do-it-lu/patch-3 quote markdown on 'main' not correct	2024-02-11 23:31:52 +08:00
Ryan Yin	f034011f96	Merge pull request #58 from we-do-it-lu/patch-4 Tiny typo	2024-02-11 23:31:28 +08:00
Ryan Yin	a5bb4a471a	Merge pull request #59 from we-do-it-lu/patch-5 Tiny typo	2024-02-11 23:31:04 +08:00
JayDeLux	2b781b030c	Tiny typo	2024-02-11 15:44:08 +01:00
JayDeLux	32e0131620	Tiny typo	2024-02-11 15:36:57 +01:00
JayDeLux	339e1ddb76	quote markdown on 'main' not correct	2024-02-11 15:15:02 +01:00
Ryan Yin	2db93b7b01	feat: sjtu's mirror for pypi	2024-02-09 19:09:46 +08:00
Ryan Yin	7fcafe3d04	feat: dae subsciption	2024-02-09 00:01:37 +08:00
Ryan Yin	28ea82df03	feat: transmission & uptime-kuma	2024-02-08 23:47:01 +08:00
Ryan Yin	18a40b49e3	feat: restic drafts	2024-02-08 21:46:05 +08:00
Ryan Yin	140b84df2b	fix: typo	2024-02-08 19:56:32 +08:00
Ryan Yin	9b3a431942	fix: style	2024-02-08 19:56:19 +08:00
Ryan Yin	e7d5ad707f	Merge pull request #56 from we-do-it-lu/patch-2 Little error in comment	2024-02-07 18:58:33 +08:00
JayDeLux	fb55262f39	Little error in comment	2024-02-07 10:09:56 +01:00
Ryan Yin	6c80d9907b	feat: luks - disable workqueue for increased SSD performance	2024-02-06 23:44:30 +08:00
Ryan Yin	a541754381	docs: proxy	2024-02-05 22:45:39 +08:00
Ryan Yin	e88f42182f	feat: update secrets	2024-02-05 01:43:08 +08:00
Ryan Yin	6dacc92ba3	feat: update secrets	2024-02-05 01:02:09 +08:00
Ryan Yin	36ac1b51da	feat: darwin - proxy & README, update brew apps	2024-02-05 00:52:11 +08:00
Ryan Yin	f4c39598ec	feat: persistent - ~/.conda	2024-02-04 21:58:03 +08:00
Ryan Yin	f765fcd633	fix: `conda init` failed because ~/.zshrc not modifiable	2024-02-04 14:23:47 +08:00
Ryan Yin	54c797396c	feat: darwin - add miniforge - a miniconda replacement	2024-02-04 11:06:00 +08:00
Ryan Yin	036d5c7fba	feat: update nix-darwin & yabai	2024-02-01 15:37:33 +08:00
Ryan Yin	af225f2271	docs: darwin & linux	2024-02-01 00:52:36 +08:00
Ryan Yin	1126e8c6a7	docs: deploy on a new machine	2024-02-01 00:40:45 +08:00
Ryan Yin	3f505194b5	docs: systems	2024-01-31 12:07:46 +08:00
Ryan Yin	819463aa20	docs: luks2	2024-01-31 11:53:08 +08:00
Ryan Yin	7e674669d3	docs: secrets	2024-01-31 11:48:53 +08:00
Ryan Yin	fa6dd68818	docs: secrets	2024-01-31 11:48:34 +08:00
Ryan Yin	6367c91f7a	docs: secrets	2024-01-31 11:45:47 +08:00
Ryan Yin	3f9d23dbad	fix: gpg: [stdin]: encryption failed: Unusable public key	2024-01-31 11:45:47 +08:00
Ryan Yin	aa95ad60b7	chore: remove some useless config	2024-01-30 23:16:42 +08:00
Ryan Yin	f91d4a26fc	feat: persistent vscode's data	2024-01-30 23:07:19 +08:00
Ryan Yin	5c92c0e0ac	feat: add vscode again, to get the best experience of copilot chat	2024-01-30 22:59:48 +08:00
Ryan Yin	0695229e9d	feat: use flameshot for region screenshot	2024-01-30 21:33:13 +08:00
Ryan Yin	d8901e3169	fix: waybar & hyprland	2024-01-30 21:16:41 +08:00
Ryan Yin	544ec79aff	feat: add hyprshot for screenshot	2024-01-30 21:07:12 +08:00
Ryan Yin	c70f9de97c	docs: TODO - homelab & k8s	2024-01-29 15:15:03 +08:00
Ryan Yin	45a149f05a	feat: darwin - add tencent-lemon, a macOS cleaner	2024-01-29 11:06:42 +08:00
Ryan Yin	f3b233330b	feat: update mysecrets	2024-01-29 09:45:58 +08:00