Merge pull request #96 from ryan4yin/darwin-eval-tests

feat(tests): add eval tests for darwin systems

.github/workflows/flake_check.yml

@@ -1,24 +0,0 @@
-name: Nix Flake Check
-
-on: [push, pull_request, workflow_dispatch]
-
-jobs:
-  checks:
-    name: Check expressions
-    runs-on: ubuntu-latest
-
-    steps:
-      # - name: Checkout repository
-      #   uses: actions/checkout@v4
-      # - name: Install nix
-      #   uses: cachix/install-nix-action@v24
-      #   with:
-      #     install_url: https://nixos.org/nix/install
-      #     extra_nix_config: |
-      #       access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
-      #       experimental-features = nix-command flakes
-
-      - name: Run Nix Flake Check
-        run: |
-          echo 'TODO: nix flake check'
-          # nix flake check

.github/workflows/flake_evaltests.yml

@@ -0,0 +1,40 @@
+name: Nix Flake Eval Tests
+
+on:
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - "scripts/**"
+      - "**.md"
+      - "**.nu"
+      - 'Justfile'
+  pull_request:
+    branches:
+      - main
+    paths-ignore:
+      - "scripts/**"
+      - "**.md"
+      - "**.nu"
+      - 'Justfile'
+
+jobs:
+  checks:
+    name: Check expressions
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Install nix
+        uses: cachix/install-nix-action@v24
+        with:
+          install_url: https://nixos.org/nix/install
+          extra_nix_config: |
+            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
+            experimental-features = nix-command flakes
+
+      - name: Run Nix Flake Eval Tests
+        run: |
+          echo 'Flake Eval Tests'
+          nix eval .#evalTests --show-trace --print-build-logs --verbose

.github/workflows/mirror_to_gitee.yml

@@ -1,7 +1,11 @@
 name: Mirror this repo to Gitee
 on:
-  workflow_dispatch: {}
-  push: {}
+  push:
+    branches:
+      - main
+    tags:
+      - '*'
+
 jobs:
   mirror:
     runs-on: ubuntu-latest
@@ -26,4 +30,3 @@ jobs:
           export GIT_SSH_COMMAND="ssh -v -i ~/.ssh/id_rsa -o StrictHostKeyChecking=no"
           git remote add mirror "$INPUT_TARGET_REPO_URL"
           git push --tags --force --prune mirror "refs/remotes/origin/*:refs/heads/*"
-

Justfile

@@ -11,21 +11,21 @@ set shell := ["nu", "-c"]
 
 i3 mode="default":
   use utils.nu *; \
-  nixos-switch ai_i3 {{mode}}
+  nixos-switch ai-i3 {{mode}}
 
 hypr mode="default":
   use utils.nu *; \
-  nixos-switch ai_hyprland {{mode}}
+  nixos-switch ai-hyprland {{mode}}
 
 
 s-i3 mode="default":
   use utils.nu *; \
-  nixos-switch shoukei_i3 {{mode}}
+  nixos-switch shoukei-i3 {{mode}}
 
 
 s-hypr mode="default":
   use utils.nu *; \
-  nixos-switch shoukei_hyprland {{mode}}
+  nixos-switch shoukei-hyprland {{mode}}
 
 
 up:
@@ -85,44 +85,101 @@ yabai-reload:
 
 ############################################################################
 #
-#  Colmena - Remote NixOS deployment
+#  Homelab - NixOS servers running on bare metal
 #
 ############################################################################
 
-colmena-ssh-key:
-  ssh-add /etc/agenix/ssh-key-romantic
+virt:
+  colmena apply --on '@virt-*' --verbose --show-trace
 
-dist:
-  colmena apply --on '@dist-build'
+shoryu:
+  colmena apply --on '@shoryu' --verbose --show-trace
 
-dist-debug:
-  colmena apply --on '@dist-build' --verbose --show-trace
+shushou:
+  colmena apply --on '@shushou' --verbose --show-trace
+
+youko:
+  colmena apply --on '@youko' --verbose --show-trace
+
+
+############################################################################
+#
+#  Homelab - Virtual Machines running on Kubevirt
+#
+############################################################################
+
+lab:
+  colmena apply --on '@homelab-*' --verbose --show-trace
 
 aqua:
-  colmena apply --on '@aqua'
+  colmena apply --on '@aqua' --verbose --show-trace
+  # some config changes require a restart of the dae service
+  ssh root@aquamarine "sudo systemctl stop dae; sleep 1; sudo systemctl start dae"
 
 ruby:
-  colmena apply --on '@ruby'
+  colmena apply --on '@ruby' --verbose --show-trace
+
+ruby-local mode="default":
+  use utils.nu *; \
+  nixos-switch ruby {{mode}}
 
 kana:
-  colmena apply --on '@kana'
+  colmena apply --on '@kana' --verbose --show-trace
 
-tailscale_gw:
-  colmena apply --on '@tailscale_gw'
+tailscale:
+  colmena apply --on '@tailscale-gw' --verbose --show-trace
 
-pve-image:
-  nom build .#tailscale_gw
-  rsync -avz --progress --copy-links result root@s500plus:/var/lib/vz/dump/vzdump-qemu-tailscale_gw.vma.zst
+# pve-aqua:
+#   nom build .#aquamarine
+#   rsync -avz --progress --copy-links result root@um560:/var/lib/vz/dump/vzdump-qemu-aquamarine.vma.zst
+#
+# pve-ruby:
+#   nom build .#ruby
+#   rsync -avz --progress --copy-links result root@um560:/var/lib/vz/dump/vzdump-qemu-ruby.vma.zst
+#
+# pve-kana:
+#   nom build .#kana
+#   rsync -avz --progress --copy-links result root@gtr5:/var/lib/vz/dump/vzdump-qemu-kana.vma.zst
+#
+# pve-tsgw:
+#   nom build .#tailscale-gw
+#   rsync -avz --progress --copy-links result root@um560:/var/lib/vz/dump/vzdump-qemu-tailscale-gw.vma.zst
+#
 
-  nom build .#aquamarine
-  rsync -avz --progress --copy-links result root@s500plus:/var/lib/vz/dump/vzdump-qemu-aquamarine.vma.zst
+############################################################################
+#
+# Kubernetes related commands
+#
+############################################################################
 
-  nom build .#ruby
-  rsync -avz --progress --copy-links result root@gtr5:/var/lib/vz/dump/vzdump-qemu-ruby.vma.zst
+k3s:
+  colmena apply --on '@k3s-*' --verbose --show-trace
 
-  nom build .#kana
-  rsync -avz --progress --copy-links result root@um560:/var/lib/vz/dump/vzdump-qemu-kana.vma.zst
+master:
+  colmena apply --on '@k3s-prod-1-master-*' --verbose --show-trace
 
+worker:
+  colmena apply --on '@k3s-prod-1-worker-*' --verbose --show-trace
+
+# pve-k8s:
+#   nom build .#k3s-prod-1-master-1
+#   rsync -avz --progress --copy-links result root@um560:/var/lib/vz/dump/vzdump-qemu-k3s-prod-1-master-1.vma.zst
+#
+#   nom build .#k3s-prod-1-master-2
+#   rsync -avz --progress --copy-links result root@gtr5:/var/lib/vz/dump/vzdump-qemu-k3s-prod-1-master-2.vma.zst
+#
+#   nom build .#k3s-prod-1-master-3
+#   rsync -avz --progress --copy-links result root@s500plus:/var/lib/vz/dump/vzdump-qemu-k3s-prod-1-master-3.vma.zst
+#
+#   nom build .#k3s-prod-1-worker-1
+#   rsync -avz --progress --copy-links result root@gtr5:/var/lib/vz/dump/vzdump-qemu-k3s-prod-1-worker-1.vma.zst
+#
+#   nom build .#k3s-prod-1-worker-2
+#   rsync -avz --progress --copy-links result root@s500plus:/var/lib/vz/dump/vzdump-qemu-k3s-prod-1-worker-2.vma.zst
+#
+#   nom build .#k3s-prod-1-worker-3
+#   rsync -avz --progress --copy-links result root@s500plus:/var/lib/vz/dump/vzdump-qemu-k3s-prod-1-worker-3.vma.zst
+#
 
 ############################################################################
 #
@@ -130,17 +187,14 @@ pve-image:
 #
 ############################################################################
 
-roll:
-  colmena apply --on '@riscv'
-
-roll-debug:
-  colmena apply --on '@dist-build' --verbose --show-trace
+riscv:
+  colmena apply --on '@riscv' --verbose --show-trace
 
 nozomi:
-  colmena apply --on '@nozomi'
+  colmena apply --on '@nozomi' --verbose --show-trace
 
 yukina:
-  colmena apply --on '@yukina'
+  colmena apply --on '@yukina' --verbose --show-trace
 
 ############################################################################
 #
@@ -149,13 +203,21 @@ yukina:
 ############################################################################
 
 aarch:
-  colmena apply --on '@aarch'
+  colmena apply --on '@aarch' --verbose --show-trace
 
 suzu:
-  colmena apply --on '@suzu'
+  colmena apply --on '@suzu' --build-on-target --verbose --show-trace
 
-suzu-debug:
-  colmena apply --on '@suzu' --verbose --show-trace
+suzu-local mode="default":
+  use utils.nu *; \
+  nixos-switch suzu {{mode}}
+
+rakushun:
+  colmena apply --on '@rakushun' --build-on-target --verbose --show-trace
+
+rakushun-local mode="default":
+  use utils.nu *; \
+  nixos-switch rakushun {{mode}}
 
 ############################################################################
 #
@@ -212,3 +274,14 @@ emacs-purge:
 emacs-reload:
   doom sync
   {{reload-emacs-cmd}}
+
+
+# =================================================
+#
+# Kubernetes related commands
+#
+# =================================================
+
+
+del-failed:
+   kubectl delete pod --all-namespaces --field-selector="status.phase==Failed"

README.md

@@ -14,7 +14,16 @@
   </a>
 </p>
 
-This repository is home to the nix code that builds my systems.
+> My configuration is becoming more and more complex, and it may be difficult for beginners to read it.
+> If you are new to NixOS and want to know how I use NixOS, I would recommend you to take a look at the [ryan4yin/nix-config/releases](https://github.com/ryan4yin/nix-config/releases) first, **checkout to some simpler older versions**, which will be much easier to understand.
+
+This repository is home to the nix code that builds my systems:
+
+1. NixOS Desktops: NixOS with home-manager, i3, hyprland, agenix, etc.
+2. macOS Desktops: nix-darwin with home-manager, share the same home-manager configuration with NixOS Desktops.
+3. NixOS Servers: virtual machines running on Proxmox, with various services, such as kubernetes, homepage, prometheus, grafana, etc.
+
+See [./hosts](./hosts) for details of each host.
 
 ## Why NixOS & Flakes?
 
@@ -47,7 +56,7 @@ As for Flakes, refer to [Introduction to Flakes - NixOS & Nix Flakes Book](https
 | **Text Editor**             | [Neovim][Neovim] + [DoomEmacs][DoomEmacs]                                                                         | [Neovim][Neovim] + [DoomEmacs][DoomEmacs]                                                                         |
 | **Fonts**                   | [Nerd fonts][Nerd fonts]                                                                                          | [Nerd fonts][Nerd fonts]                                                                                          |
 | **Image Viewer**            | [imv][imv]                                                                                                        | [imv][imv]                                                                                                        |
-| **Screenshot Software**     | [grim][grim]                                                                                                      | [flameshot](https://github.com/flameshot-org/flameshot)                                                           |
+| **Screenshot Software**     | [flameshot][flameshot] + [grim][grim]                                                                             | [flameshot][flameshot]                                                                                            |
 | **Screen Recording**        | [OBS][OBS]                                                                                                        | [OBS][OBS]                                                                                                        |
 | **Filesystem & Encryption** | tmpfs on `/`, [Btrfs][Btrfs] subvolumes on a [LUKS][LUKS] crypted partition for persistent, unlock via passphrase | tmpfs on `/`, [Btrfs][Btrfs] subvolumes on a [LUKS][LUKS] crypted partition for persistent, unlock via passphrase |
 | **Secure Boot**             | [lanzaboote][lanzaboote]                                                                                          | [lanzaboote][lanzaboote]                                                                                          |
@@ -75,17 +84,16 @@ See [./home/base/desktop/editors/neovim/](./home/base/desktop/editors/neovim/) f
 
 See [./home/base/desktop/editors/emacs/](./home/base/desktop/editors/emacs/) for details.
 
-## Hosts
-
-See [./hosts](./hosts) for details.
-
 ## Secrets Management
 
 See [./secrets](./secrets) for details.
 
 ## How to Deploy this Flake?
 
-> :red_circle: **IMPORTANT**: **You should NOT deploy this flake directly on your machine:exclamation: It will not succeed.** this flake contains my hardware configuration(such as [hardware-configuration.nix](hosts/idols_ai/hardware-configuration.nix), [cifs-mount.nix](https://github.com/ryan4yin/nix-config/blob/v0.1.1/hosts/idols_ai/cifs-mount.nix), [Nvidia Support](https://github.com/ryan4yin/nix-config/blob/v0.1.1/hosts/idols_ai/default.nix#L77-L91), etc.) which is not suitable for your hardware, and my private secrets repository [ryan4yin/nix-secrets](https://github.com/ryan4yin/nix-config/tree/main/secrets) that only I have access to. You may use this repo as a reference to build your own configuration.
+> :red_circle: **IMPORTANT**: **You should NOT deploy this flake directly on your machine :exclamation: It will not succeed.** 
+> This flake contains my hardware configuration(such as [hardware-configuration.nix](hosts/idols-ai/hardware-configuration.nix), [cifs-mount.nix](https://github.com/ryan4yin/nix-config/blob/v0.1.1/hosts/idols_ai/cifs-mount.nix), [Nvidia Support](https://github.com/ryan4yin/nix-config/blob/v0.1.1/hosts/idols-ai/default.nix#L77-L91), etc.) which is not suitable for your hardwares,
+> and requires my private secrets repository [ryan4yin/nix-secrets](https://github.com/ryan4yin/nix-config/tree/main/secrets) to deploy.
+> You may use this repo as a reference to build your own configuration.
 
 For NixOS:
 
@@ -96,7 +104,7 @@ For NixOS:
 ```bash
 # deploy one of the configuration based on the hostname
 sudo nixos-rebuild switch --flake .#ai_i3
-# sudo nixos-rebuild switch --flake .#ai_hyprland
+# sudo nixos-rebuild switch --flake .#ai-hyprland
 
 # deploy via `just`(a command runner with similar syntax to make) & Justfile
 just i3    # deploy my pc with i3 window manager
@@ -110,12 +118,15 @@ just i3 debug
 For macOS:
 
 ```bash
-# deploy harmonica's configuration(macOS Intel)
-just ha
-
 # If you are deploying for the first time,
-# enter a shell with essential packages available
-# nix shell nixpkgs#just nixpkgs#git
+# 1. install nix & homebrew manually.
+# 2. prepare the deployment environment with essential packages available
+nix-shell -p just nushell
+# 3. comment home-manager's code in lib/macosSystem.nix to speed up the first deplyment.
+# 4. comment out the proxy settings in scripts/darwin_set_proxy.py if the proxy is not ready yet.
+
+# 4. deploy harmonica's configuration(macOS Intel)
+just ha
 
 # deploy fern's configuration(Apple Silicon)
 just fe
@@ -137,7 +148,7 @@ nom build .#aquamarine  # `nom`(nix-output-monitor) can be replaced by the stand
 
 # 2. upload the genereated image to proxmox server's backup directory `/var/lib/vz/dump`
 #    please replace the vma file name with the one you generated in step 1.
-rsync -avz --progress --copy-links result root@gtr5:/var/lib/vz/dump/vzdump-qemu-aquamarine.vma.zst
+rsync -avz --progress --copy-links result root@um560:/var/lib/vz/dump/vzdump-qemu-aquamarine.vma.zst
 
 # 3. the image we uploaded will be listed in proxmox web ui's this page: [storage 'local'] -> [backups], we can restore a vm from it via the web ui now.
 ```
@@ -169,6 +180,7 @@ Other dotfiles that inspired me:
   - [gvolpe/nix-config](https://github.com/gvolpe/nix-config)
   - [Ruixi-rebirth/flakes](https://github.com/Ruixi-rebirth/flakes)
   - [fufexan/dotfiles](https://github.com/fufexan/dotfiles): gtk theme, xdg, git, media, anyrun, etc.
+  - [nix-community/srvos](https://github.com/nix-community/srvos): a collection of opinionated and sharable NixOS configurations for servers
 - Modularized NixOS Configuration
   - [hlissner/dotfiles](https://github.com/hlissner/dotfiles)
   - [viperML/dotfiles](https://github.com/viperML/dotfiles)
@@ -203,6 +215,7 @@ Other dotfiles that inspired me:
 [DoomEmacs]: https://github.com/doomemacs/doomemacs
 [flameshot]: https://github.com/flameshot-org/flameshot
 [grim]: https://github.com/emersion/grim
+[flameshot]: https://github.com/flameshot-org/flameshot
 [imv]: https://sr.ht/~exec64/imv/
 [OBS]: https://obsproject.com
 [Mako]: https://github.com/emersion/mako

constants.nix

@@ -1,17 +0,0 @@
-rec {
-  # user information
-  username = "ryan";
-  userfullname = "Ryan Yin";
-  useremail = "xiaoyin_c@qq.com";
-
-  allSystemAttrs = {
-    # linux systems
-    x64_system = "x86_64-linux";
-    riscv64_system = "riscv64-linux";
-    aarch64_system = "aarch64-linux";
-    #darwin systems
-    x64_darwin = "x86_64-darwin";
-    aarch64_darwin = "aarch64-darwin";
-  };
-  allSystems = builtins.attrValues allSystemAttrs;
-}

flake.nix

@@ -1,5 +1,5 @@
 {
-  description = "NixOS & macOS configuration of Ryan Yin";
+  description = "Ryan Yin's nix configuration for both NixOS & macOS";
 
   ##################################################################################################################
   #
@@ -8,68 +8,7 @@
   #
   ##################################################################################################################
 
-  # The `outputs` function will return all the build results of the flake.
-  # A flake can have many use cases and different types of outputs,
-  # parameters in `outputs` are defined in `inputs` and can be referenced by their names.
-  # However, `self` is an exception, this special parameter points to the `outputs` itself (self-reference)
-  # The `@` syntax here is used to alias the attribute set of the inputs's parameter, making it convenient to use inside the function.
-  outputs = inputs @ {
-    self,
-    nixpkgs,
-    pre-commit-hooks,
-    ...
-  }: let
-    constants = import ./constants.nix;
-
-    # `lib.genAttrs [ "foo" "bar" ] (name: "x_" + name)` => `{ foo = "x_foo"; bar = "x_bar"; }`
-    forEachSystem = func: (nixpkgs.lib.genAttrs constants.allSystems func);
-
-    allSystemConfigurations = import ./systems {inherit self inputs constants;};
-  in
-    allSystemConfigurations
-    // {
-      # format the nix code in this flake
-      # alejandra is a nix formatter with a beautiful output
-      formatter = forEachSystem (
-        system: nixpkgs.legacyPackages.${system}.alejandra
-      );
-
-      # pre-commit hooks for nix code
-      checks = forEachSystem (
-        system: {
-          pre-commit-check = pre-commit-hooks.lib.${system}.run {
-            src = ./.;
-            hooks = {
-              alejandra.enable = true; # formatter
-              # deadnix.enable = true; # detect unused variable bindings in `*.nix`
-              # statix.enable = true; # lints and suggestions for Nix code(auto suggestions)
-              # prettier = {
-              #   enable = true;
-              #   excludes = [".js" ".md" ".ts"];
-              # };
-            };
-          };
-        }
-      );
-      devShells = forEachSystem (
-        system: let
-          pkgs = nixpkgs.legacyPackages.${system};
-        in {
-          default = pkgs.mkShell {
-            packages = with pkgs; [
-              # fix https://discourse.nixos.org/t/non-interactive-bash-errors-from-flake-nix-mkshell/33310
-              bashInteractive
-              # fix `cc` replaced by clang, which causes nvim-treesitter compilation error
-              gcc
-            ];
-            name = "dots";
-            shellHook = ''
-              ${self.checks.${system}.pre-commit-check.shellHook}
-            '';
-          };
-        }
-      );
-    };
+  outputs = inputs: import ./outputs inputs;
 
   # the nixConfig here only affects the flake itself, not the system configuration!
   # for more information, see:
@@ -96,7 +35,7 @@
     # There are many ways to reference flake inputs. The most widely used is github:owner/name/reference,
     # which represents the GitHub repository URL + branch/commit-id/tag.
 
-    # Official NixOS package source, using nixos's stable branch by default
+    # Official NixOS package source, using nixos's unstable branch by default
     nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
     nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
     nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-23.11";
@@ -147,8 +86,8 @@
     };
     # secrets management
     agenix = {
-      # lock with git commit at 0.14.0
-      url = "github:ryantm/agenix/54693c91d923fecb4cf04c4535e3d84f8dec7919";
+      # lock with git commit at 0.15.0
+      url = "github:ryantm/agenix/564595d0ad4be7277e07fa63b5a991b3c645655d";
       # replaced with a type-safe reimplementation to get a better error message and less bugs.
       # url = "github:ryan4yin/ragenix";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -156,6 +95,11 @@
 
     nix-gaming.url = "github:fufexan/nix-gaming";
 
+    disko = {
+      url = "github:nix-community/disko";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
     # add git hooks to format nix code before commit
     pre-commit-hooks = {
       url = "github:cachix/pre-commit-hooks.nix";
@@ -164,6 +108,16 @@
 
     nuenv.url = "github:DeterminateSystems/nuenv";
 
+    # daeuniverse.url = "github:daeuniverse/flake.nix/unstable";
+    daeuniverse.url = "github:daeuniverse/flake.nix/exp";
+
+    attic.url = "github:zhaofengli/attic";
+
+    haumea = {
+      url = "github:nix-community/haumea/v0.2.2";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
     ########################  Some non-flake repositories  #########################################
 
     # AstroNvim is an aesthetic and feature-rich neovim config.

home/base/core/container.nix

@@ -12,13 +12,21 @@
 
     kubectl
     istioctl
+    kubevirt # virtctl
     kubernetes-helm
+    fluxcd
+    argocd
   ];
 
   programs = {
     k9s = {
       enable = true;
-      skin = let
+      # https://k9scli.io/topics/aliases/
+      # aliases = {};
+      settings = {
+        skin = "catppuccino-mocha";
+      };
+      skins.catppuccin-mocha = let
         skin_file = "${nur-ryan4yin.packages.${pkgs.system}.catppuccin-k9s}/dist/mocha.yml"; # theme - catppuccin mocha
         skin_attr = builtins.fromJSON (
           builtins.readFile

home/base/core/core.nix

@@ -1,49 +1,17 @@
 {
   pkgs,
+  attic,
   nur-ryan4yin,
   ...
 }: {
   home.packages = with pkgs; [
-    neofetch
-
-    # networking tools
-    mtr # A network diagnostic tool
-    iperf3
-    dnsutils # `dig` + `nslookup`
-    ldns # replacement of `dig`, it provide the command `drill`
-    aria2 # A lightweight multi-protocol & multi-source command-line download utility
-    socat # replacement of openbsd-netcat
-    nmap # A utility for network discovery and security auditing
-    ipcalc # it is a calculator for the IPv4/v6 addresses
-
-    # archives
-    zip
-    xz
-    unzip
-    p7zip
-
-    # misc
+    # Misc
     tldr
     cowsay
-    file
-    findutils
-    which
-    tree
-    gnutar
-    zstd
     gnupg
-    rsync
-
-    # Text Processing
-    # Docs: https://github.com/learnbyexample/Command-line-text-processing
-
-    gnugrep # GNU grep, provides `grep`/`egrep`/`fgrep`
-    gnused # GNU sed, very powerful(mainly for replacing text in files)
     gnumake
-    gawk # GNU awk, a pattern scanning and processing language
-    jq # A lightweight and flexible command-line JSON processor
 
-    # morden cli tools, replacement of grep/sed/...
+    # Morden cli tools, replacement of grep/sed/...
 
     # Interactively filter its input using fuzzy searching, not limit to filenames.
     fzf
@@ -66,7 +34,6 @@
     doggo # DNS client for humans
     duf # Disk Usage/Free Utility - a better 'df' alternative
     du-dust # A more intuitive version of `du` in rust
-    ncdu # analyzer your disk usage Interactively, via TUI(replacement of `du`)
     gdu # disk usage analyzer(replacement of `du`)
 
     # nix related
@@ -74,10 +41,20 @@
     # it provides the command `nom` works just like `nix
     # with more details log output
     nix-output-monitor
+    hydra-check # check hydra(nix's build farm) for the build status of a package
+    nix-index # A small utility to index nix store paths
+    nix-init # generate nix derivation from url
+    # https://github.com/nix-community/nix-melt
+    nix-melt # A TUI flake.lock viewer
+    # https://github.com/utdemir/nix-tree
+    nix-tree # A TUI to visualize the dependency graph of a nix derivation
 
     # productivity
     caddy # A webserver with automatic HTTPS via Let's Encrypt(replacement of nginx)
     croc # File transfer between computers securely and easily
+    # self-hosted nix cache server
+    attic.packages.${pkgs.system}.attic-client
+    ncdu # analyzer your disk usage Interactively, via TUI(replacement of `du`)
   ];
 
   programs = {

home/base/core/git.nix

@@ -2,8 +2,7 @@
   config,
   lib,
   pkgs,
-  userfullname,
-  useremail,
+  myvars,
   ...
 }: {
   # `programs.git` will generate the config file: ~/.config/git/config
@@ -21,8 +20,8 @@
     enable = true;
     lfs.enable = true;
 
-    userName = userfullname;
-    userEmail = useremail;
+    userName = myvars.userfullname;
+    userEmail = myvars.useremail;
 
     includes = [
       {

home/base/core/pip.nix

@@ -0,0 +1,13 @@
+_: {
+  # use mirror for pip install
+  xdg.configFile."pip/pip.conf".text = ''
+    [global]
+    index-url = https://mirrors.ustc.edu.cn/pypi/web/simple
+    format = columns
+  '';
+
+  # xdg.configFile."pip/pip.conf".text = ''
+  #   [global]
+  #   index-url = https://mirrors.bfsu.edu.cn/pypi/web/simple
+  # '';
+}

home/base/desktop/cloud/default.nix

@@ -1,27 +0,0 @@
-{pkgs, ...}: {
-  home.packages = with pkgs;
-    [
-      # general tools
-      pulumi
-      pulumictl
-      packer # machine image builder
-
-      # aws
-      awscli2
-      ssm-session-manager-plugin # Amazon SSM Session Manager Plugin
-      aws-iam-authenticator
-      eksctl
-
-      # aliyun
-      aliyun-cli
-    ]
-    ++ (
-      if pkgs.stdenv.isLinux
-      then [
-        # cloud tools that nix do not have cache for.
-        terraform
-        terraformer # generate terraform configs from existing cloud resources
-      ]
-      else []
-    );
-}

home/base/desktop/dev-tools.nix

@@ -1,71 +0,0 @@
-{
-  pkgs,
-  pkgs-unstable,
-  ...
-}: {
-  #############################################################
-  #
-  #  Basic settings for development environment
-  #
-  #  Please avoid to install language specific packages here(globally),
-  #  instead, install them:
-  #     1. per IDE, such as `programs.neovim.extraPackages`
-  #     2. per-project, using https://github.com/the-nix-way/dev-templates
-  #
-  #############################################################
-
-  home.packages = with pkgs;
-    [
-      # db related
-      dbeaver
-      mycli
-      pgcli
-      mongosh
-      sqlite
-
-      # embedded development
-      minicom
-
-      # ai related
-      python311Packages.huggingface-hub # huggingface-cli
-
-      # misc
-      pkgs-unstable.devbox
-      bfg-repo-cleaner # remove large files from git history
-      k6 # load testing tool
-      protobuf # protocol buffer compiler
-      nix-init # generate nix package from url
-
-      # solve coding extercises - learn by doing
-      exercism
-    ]
-    ++ (
-      if pkgs.stdenv.isLinux
-      then [
-        # Automatically trims your branches whose tracking remote refs are merged or gone
-        # It's really useful when you work on a project for a long time.
-        git-trim
-
-        # need to run `conda-install` before using it
-        # need to run `conda-shell` before using command `conda`
-        # conda is not available for MacOS
-        conda
-
-        mitmproxy # http/https proxy tool
-        insomnia # REST client
-        wireshark # network analyzer
-      ]
-      else []
-    );
-
-  programs = {
-    direnv = {
-      enable = true;
-      nix-direnv.enable = true;
-
-      enableZshIntegration = true;
-      enableBashIntegration = true;
-      enableNushellIntegration = true;
-    };
-  };
-}

home/base/desktop/editors/packages.nix

@@ -1,140 +0,0 @@
-{pkgs, ...}: {
-  nixpkgs.config = {
-    programs.npm.npmrc = ''
-      prefix = ''${HOME}/.npm-global
-    '';
-  };
-
-  home.packages = with pkgs;
-    [
-      #-- c/c++
-      cmake
-      cmake-language-server
-      gnumake
-      checkmake
-      # c/c++ compiler, required by nvim-treesitter!
-      gcc
-      # c/c++ tools with clang-tools, the unwrapped version won't
-      # add alias like `cc` and `c++`, so that it won't conflict with gcc
-      llvmPackages.clang-unwrapped
-      lldb
-
-      #-- python
-      nodePackages.pyright # python language server
-      (python311.withPackages (
-        ps:
-          with ps; [
-            ruff-lsp
-            black # python formatter
-
-            jupyter
-            ipython
-            pandas
-            requests
-            pyquery
-            pyyaml
-
-            ## emacs's lsp-bridge dependenciesge
-            epc
-            orjson
-            sexpdata
-            six
-            setuptools
-            paramiko
-            rapidfuzz
-          ]
-      ))
-
-      #-- rust
-      rust-analyzer
-      cargo # rust package manager
-      rustfmt
-
-      #-- zig
-      zls
-
-      #-- nix
-      nil
-      rnix-lsp
-      # nixd
-      statix # Lints and suggestions for the nix programming language
-      deadnix # Find and remove unused code in .nix source files
-      alejandra # Nix Code Formatter
-
-      #-- golang
-      go
-      gomodifytags
-      iferr # generate error handling code for go
-      impl # generate function implementation for go
-      gotools # contains tools like: godoc, goimports, etc.
-      gopls # go language server
-      delve # go debugger
-
-      # -- java
-      jdk17
-      gradle
-      maven
-      spring-boot-cli
-
-      #-- lua
-      stylua
-      lua-language-server
-
-      #-- bash
-      nodePackages.bash-language-server
-      shellcheck
-      shfmt
-
-      #-- javascript/typescript --#
-      nodePackages.nodejs
-      nodePackages.typescript
-      nodePackages.typescript-language-server
-      # HTML/CSS/JSON/ESLint language servers extracted from vscode
-      nodePackages.vscode-langservers-extracted
-      nodePackages."@tailwindcss/language-server"
-      emmet-ls
-
-      #-- CloudNative
-      nodePackages.dockerfile-language-server-nodejs
-      # terraform  # install via brew on macOS
-      terraform-ls
-      jsonnet
-      jsonnet-language-server
-      hadolint # Dockerfile linter
-
-      # -- Lisp like Languages
-      guile
-      racket-minimal
-      fnlfmt # fennel
-
-      #-- Others
-      taplo # TOML language server / formatter / validator
-      nodePackages.yaml-language-server
-      sqlfluff # SQL linter
-      actionlint # GitHub Actions linter
-      buf # protoc plugin for linting and formatting
-      proselint # English prose linter
-
-      #-- Misc
-      tree-sitter # common language parser/highlighter
-      nodePackages.prettier # common code formatter
-      marksman # language server for markdown
-      glow # markdown previewer
-      fzf
-      pandoc # document converter
-      hugo # static site generator
-
-      #-- Optional Requirements:
-      gdu # disk usage analyzer, required by AstroNvim
-      (ripgrep.override {withPCRE2 = true;}) # recursively searches directories for a regex pattern
-    ]
-    ++ (
-      if pkgs.stdenv.isDarwin
-      then []
-      else [
-        #-- verilog / systemverilog
-        verible
-        gdb
-      ]
-    );
-}

home/base/desktop/terminal/wezterm.nix

@@ -1,110 +0,0 @@
-{pkgs, ...}:
-###########################################################
-#
-# Wezterm Configuration
-#
-# Useful Hot Keys for Linux(replace `ctrl + shift` with `cmd` on macOS)):
-#   1. Increase Font Size: `ctrl + shift + =` | `ctrl + shift + +`
-#   2. Decrease Font Size: `ctrl + shift + -` | `ctrl + shift + _`
-#   3. And Other common shortcuts such as Copy, Paste, Cursor Move, etc.
-#
-# Default Keybindings: https://wezfurlong.org/wezterm/config/default-keys.html
-#
-###########################################################
-{
-  # wezterm has catppuccin theme built-in,
-  # it's not necessary to install it separately.
-
-  # we can add wezterm as a flake input once this PR is merged:
-  #    https://github.com/wez/wezterm/pull/3547
-
-  programs.wezterm =
-    {
-      enable = false; # disable
-
-      # TODO: Fix: https://github.com/wez/wezterm/issues/4483
-      # package = pkgs.wezterm.override { };
-
-      extraConfig = let
-        fontsize =
-          if pkgs.stdenv.isDarwin
-          then "14.0"
-          else "13.0";
-      in ''
-        -- Pull in the wezterm API
-        local wezterm = require 'wezterm'
-
-        -- This table will hold the configuration.
-        local config = {}
-
-        -- In newer versions of wezterm, use the config_builder which will
-        -- help provide clearer error messages
-        if wezterm.config_builder then
-          config = wezterm.config_builder()
-        end
-
-        wezterm.on('toggle-opacity', function(window, pane)
-          local overrides = window:get_config_overrides() or {}
-          if not overrides.window_background_opacity then
-            overrides.window_background_opacity = 0.93
-          else
-            overrides.window_background_opacity = nil
-          end
-          window:set_config_overrides(overrides)
-        end)
-
-        wezterm.on('toggle-maximize', function(window, pane)
-          window:maximize()
-        end)
-
-        -- This is where you actually apply your config choices
-        config.color_scheme = "Catppuccin Mocha"
-        config.font = wezterm.font_with_fallback {
-          "JetBrainsMono Nerd Font",
-          "FiraCode Nerd Font",
-
-          -- To avoid 'Chinese characters displayed as variant (Japanese) glyphs'
-          "Source Han Sans SC",
-          "Source Han Sans TC"
-        }
-
-        config.hide_tab_bar_if_only_one_tab = true
-        config.scrollback_lines = 10000
-        config.enable_scroll_bar = true
-        config.term = 'wezterm'
-
-        config.keys = {
-          -- toggle opacity(CTRL + SHIFT + B)
-          {
-            key = 'B',
-            mods = 'CTRL',
-            action = wezterm.action.EmitEvent 'toggle-opacity',
-          },
-          {
-            key = 'M',
-            mods = 'CTRL',
-            action = wezterm.action.EmitEvent 'toggle-maximize',
-          },
-        }
-        config.font_size = ${fontsize}
-
-        -- To resolve issues:
-        --   1. https://github.com/ryan4yin/nix-config/issues/26
-        --   2. https://github.com/ryan4yin/nix-config/issues/8
-        -- Spawn a nushell in login mode via `bash`
-        config.default_prog = { '${pkgs.bash}/bin/bash', '--login', '-c', 'nu --login --interactive' }
-
-        return config
-      '';
-    }
-    // (
-      if pkgs.stdenv.isDarwin
-      then {
-        # install wezterm via homebrew on macOS to avoid compilation, dummy package here.
-        # package = pkgs.hello;
-        enableBashIntegration = false;
-        enableZshIntegration = false;
-      }
-      else {}
-    );
-}

home/base/gui/dev-tools.nix

@@ -0,0 +1,14 @@
+{
+  pkgs,
+  ...
+}: {
+  home.packages = with pkgs; [
+    # db related
+    dbeaver
+
+    mitmproxy # http/https proxy tool
+    insomnia # REST client
+    wireshark # network analyzer
+    ventoy # create bootable usb
+  ];
+}

home/base/gui/terminal/wezterm.nix

@@ -0,0 +1,105 @@
+{pkgs, ...}:
+###########################################################
+#
+# Wezterm Configuration
+#
+# Useful Hot Keys for Linux(replace `ctrl + shift` with `cmd` on macOS)):
+#   1. Increase Font Size: `ctrl + shift + =` | `ctrl + shift + +`
+#   2. Decrease Font Size: `ctrl + shift + -` | `ctrl + shift + _`
+#   3. And Other common shortcuts such as Copy, Paste, Cursor Move, etc.
+#
+# Default Keybindings: https://wezfurlong.org/wezterm/config/default-keys.html
+#
+###########################################################
+{
+  # wezterm has catppuccin theme built-in,
+  # it's not necessary to install it separately.
+
+  # we can add wezterm as a flake input once this PR is merged:
+  #    https://github.com/wez/wezterm/pull/3547
+
+  programs.wezterm = {
+    enable = true; # disable
+
+    # install wezterm via homebrew on macOS to avoid compilation, dummy package here.
+    package =
+      if pkgs.stdenv.isLinux
+      then pkgs.wezterm
+      else pkgs.hello;
+
+    enableBashIntegration = pkgs.stdenv.isLinux;
+    enableZshIntegration = pkgs.stdenv.isLinux;
+
+    extraConfig = let
+      fontsize =
+        if pkgs.stdenv.isLinux
+        then "13.0"
+        else "14.0";
+    in ''
+      -- Pull in the wezterm API
+      local wezterm = require 'wezterm'
+
+      -- This table will hold the configuration.
+      local config = {}
+
+      -- In newer versions of wezterm, use the config_builder which will
+      -- help provide clearer error messages
+      if wezterm.config_builder then
+        config = wezterm.config_builder()
+      end
+
+      wezterm.on('toggle-opacity', function(window, pane)
+        local overrides = window:get_config_overrides() or {}
+        if not overrides.window_background_opacity then
+          overrides.window_background_opacity = 0.93
+        else
+          overrides.window_background_opacity = nil
+        end
+        window:set_config_overrides(overrides)
+      end)
+
+      wezterm.on('toggle-maximize', function(window, pane)
+        window:maximize()
+      end)
+
+      -- This is where you actually apply your config choices
+      config.color_scheme = "Catppuccin Mocha"
+      config.font = wezterm.font_with_fallback {
+        "JetBrainsMono Nerd Font",
+        "FiraCode Nerd Font",
+
+        -- To avoid 'Chinese characters displayed as variant (Japanese) glyphs'
+        "Source Han Sans SC",
+        "Source Han Sans TC"
+      }
+
+      config.hide_tab_bar_if_only_one_tab = true
+      config.scrollback_lines = 10000
+      config.enable_scroll_bar = true
+      config.term = 'wezterm'
+
+      config.keys = {
+        -- toggle opacity(CTRL + SHIFT + B)
+        {
+          key = 'B',
+          mods = 'CTRL',
+          action = wezterm.action.EmitEvent 'toggle-opacity',
+        },
+        {
+          key = 'M',
+          mods = 'CTRL',
+          action = wezterm.action.EmitEvent 'toggle-maximize',
+        },
+      }
+      config.font_size = ${fontsize}
+
+      -- To resolve issues:
+      --   1. https://github.com/ryan4yin/nix-config/issues/26
+      --   2. https://github.com/ryan4yin/nix-config/issues/8
+      -- Spawn a nushell in login mode via `bash`
+      config.default_prog = { '${pkgs.bash}/bin/bash', '--login', '-c', 'nu --login --interactive' }
+
+      return config
+    '';
+  };
+}

home/base/home.nix

@@ -1,8 +1,8 @@
-{username, ...}: {
+{myvars, ...}: {
   # Home Manager needs a bit of information about you and the
   # paths it should manage.
   home = {
-    inherit username;
+    inherit (myvars) username;
 
     # This value determines the Home Manager release that your
     # configuration is compatible with. This helps avoid breakage

home/base/server/pip.nix

@@ -1,7 +0,0 @@
-_: {
-  # use mirror for pip install
-  xdg.configFile."pip/pip.conf".text = ''
-    [global]
-    index-url = https://mirrors.bfsu.edu.cn/pypi/web/simple
-  '';
-}

home/base/tui/cloud/default.nix

@@ -0,0 +1,32 @@
+{
+  lib,
+  pkgs,
+  ...
+}: {
+  home.packages = with pkgs; [
+    # infrastructure as code
+    # pulumi
+    # pulumictl
+    # tf2pulumi
+    # crd2pulumi
+    # pulumiPackages.pulumi-random
+    # pulumiPackages.pulumi-command
+    # pulumiPackages.pulumi-aws-native
+    # pulumiPackages.pulumi-language-go
+    # pulumiPackages.pulumi-language-python
+    # pulumiPackages.pulumi-language-nodejs
+
+    # aws
+    awscli2
+    ssm-session-manager-plugin # Amazon SSM Session Manager Plugin
+    aws-iam-authenticator
+    eksctl
+
+    # aliyun
+    aliyun-cli
+    # cloud tools that nix do not have cache for.
+    terraform
+    terraformer # generate terraform configs from existing cloud resources
+    packer # machine image builder
+  ];
+}

home/base/tui/dev-tools.nix

@@ -0,0 +1,61 @@
+{
+  pkgs,
+  pkgs-unstable,
+  ...
+}: {
+  #############################################################
+  #
+  #  Basic settings for development environment
+  #
+  #  Please avoid to install language specific packages here(globally),
+  #  instead, install them:
+  #     1. per IDE, such as `programs.neovim.extraPackages`
+  #     2. per-project, using https://github.com/the-nix-way/dev-templates
+  #
+  #############################################################
+
+  home.packages = with pkgs; [
+    colmena # nixos's remote deployment tool
+
+    # db related
+    mycli
+    pgcli
+    mongosh
+    sqlite
+
+    # embedded development
+    minicom
+
+    # ai related
+    python311Packages.huggingface-hub # huggingface-cli
+
+    # misc
+    pkgs-unstable.devbox
+    bfg-repo-cleaner # remove large files from git history
+    k6 # load testing tool
+    protobuf # protocol buffer compiler
+
+    # solve coding extercises - learn by doing
+    exercism
+
+    # Automatically trims your branches whose tracking remote refs are merged or gone
+    # It's really useful when you work on a project for a long time.
+    git-trim
+
+    # need to run `conda-install` before using it
+    # need to run `conda-shell` before using command `conda`
+    # conda is not available for MacOS
+    conda
+  ];
+
+  programs = {
+    direnv = {
+      enable = true;
+      nix-direnv.enable = true;
+
+      enableZshIntegration = true;
+      enableBashIntegration = true;
+      enableNushellIntegration = true;
+    };
+  };
+}

home/base/tui/editors/default.nix

@@ -0,0 +1,3 @@
+{mylib, ...}: {
+  imports = mylib.scanPaths ./.;
+}

home/base/tui/editors/emacs/default.nix

@@ -47,7 +47,7 @@ in {
         zstd # for undo-fu-session/undo-tree compression
 
         # go-mode
-        gocode
+        # gocode # project archived, use gopls instead
 
         ## Module dependencies
         # :checkers spell
@@ -57,7 +57,7 @@ in {
         # :tools lookup & :lang org +roam
         sqlite
         # :lang latex & :lang org (latex previews)
-        texlive.combined.scheme-medium
+        # texlive.combined.scheme-medium
       ];
 
       programs.bash.bashrcExtra = envExtra;

home/base/tui/editors/packages.nix

@@ -0,0 +1,133 @@
+{pkgs, ...}: {
+  nixpkgs.config = {
+    programs.npm.npmrc = ''
+      prefix = ''${HOME}/.npm-global
+    '';
+  };
+
+  home.packages = with pkgs; [
+    #-- c/c++
+    cmake
+    cmake-language-server
+    gnumake
+    checkmake
+    # c/c++ compiler, required by nvim-treesitter!
+    gcc
+    # c/c++ tools with clang-tools, the unwrapped version won't
+    # add alias like `cc` and `c++`, so that it won't conflict with gcc
+    llvmPackages.clang-unwrapped
+    lldb
+
+    #-- python
+    nodePackages.pyright # python language server
+    (python311.withPackages (
+      ps:
+        with ps; [
+          ruff-lsp
+          black # python formatter
+
+          jupyter
+          ipython
+          pandas
+          requests
+          pyquery
+          pyyaml
+
+          ## emacs's lsp-bridge dependenciesge
+          epc
+          orjson
+          sexpdata
+          six
+          setuptools
+          paramiko
+          rapidfuzz
+        ]
+    ))
+
+    #-- rust
+    rust-analyzer
+    cargo # rust package manager
+    rustfmt
+
+    #-- nix
+    nil
+    rnix-lsp
+    # nixd
+    statix # Lints and suggestions for the nix programming language
+    deadnix # Find and remove unused code in .nix source files
+    alejandra # Nix Code Formatter
+
+    #-- golang
+    go
+    gomodifytags
+    iferr # generate error handling code for go
+    impl # generate function implementation for go
+    gotools # contains tools like: godoc, goimports, etc.
+    gopls # go language server
+    delve # go debugger
+
+    # -- java
+    jdk17
+    gradle
+    maven
+    spring-boot-cli
+
+    #-- lua
+    stylua
+    lua-language-server
+
+    #-- bash
+    nodePackages.bash-language-server
+    shellcheck
+    shfmt
+
+    #-- javascript/typescript --#
+    nodePackages.nodejs
+    nodePackages.typescript
+    nodePackages.typescript-language-server
+    # HTML/CSS/JSON/ESLint language servers extracted from vscode
+    nodePackages.vscode-langservers-extracted
+    nodePackages."@tailwindcss/language-server"
+    emmet-ls
+
+    # -- Lisp like Languages
+    guile
+    racket-minimal
+    fnlfmt # fennel
+
+    #-- Others
+    taplo # TOML language server / formatter / validator
+    nodePackages.yaml-language-server
+    sqlfluff # SQL linter
+    actionlint # GitHub Actions linter
+    buf # protoc plugin for linting and formatting
+    proselint # English prose linter
+
+    #-- Misc
+    tree-sitter # common language parser/highlighter
+    nodePackages.prettier # common code formatter
+    marksman # language server for markdown
+    glow # markdown previewer
+    fzf
+    pandoc # document converter
+    hugo # static site generator
+
+    #-- Optional Requirements:
+    gdu # disk usage analyzer, required by AstroNvim
+    (ripgrep.override {withPCRE2 = true;}) # recursively searches directories for a regex pattern
+
+    #-- CloudNative
+    nodePackages.dockerfile-language-server-nodejs
+    # terraform  # install via brew on macOS
+    terraform-ls
+    jsonnet
+    jsonnet-language-server
+    hadolint # Dockerfile linter
+
+    #-- zig
+    zls
+    #-- verilog / systemverilog
+    verible
+    gdb
+  ];
+}

home/base/tui/gpg/default.nix

@@ -19,10 +19,10 @@
     mutableKeys = false;
     publicKeys = [
       # https://www.gnupg.org/gph/en/manual/x334.html
-      # {
-      #   source = "${mysecrets}/public/ryan4yin-gpg-keys.pub";
-      #   trust = 5;
-      # } # ultimate trust, my own keys.
+      {
+        source = "${mysecrets}/public/ryan4yin-gpg-keys-2014-01-27.pub";
+        trust = 5;
+      } # ultimate trust, my own keys.
     ];
 
     # This configuration is based on the tutorial below, it allows for a robust setup

home/base/tui/ssh.nix

@@ -4,12 +4,12 @@
   programs.ssh = {
     enable = true;
 
-    # all my ssh private key are generated by `ssh-keygen -t ed25519 -C "ryan@nickname"`
-    # the config's format:
+    # All my ssh private key are generated by `ssh-keygen -t ed25519 -a 256 -C "xxx@xxx"`
+    # Config format:
     #   Host —  given the pattern used to match against the host name given on the command line.
     #   HostName — specify nickname or abbreviation for host
     #   IdentityFile — the location of your SSH key authentication file for the account.
-    # format in details:
+    # Format in details:
     #   https://www.ssh.com/academy/ssh/config
     extraConfig = ''
       # a private key that is used during authentication will be added to ssh-agent if it is running
@@ -36,18 +36,6 @@
       Host s500plus
         HostName 192.168.5.174
         Port 22
-
-      Host k8s-main
-        HostName 192.168.5.181
-        ForwardAgent yes
-
-      Host k8s-data1
-        HostName 192.168.5.182
-        ForwardAgent yes
-
-      Host k8s-data2
-        HostName 192.168.5.183
-        ForwardAgent yes
     '';
   };
 }

home/base/tui/zellij/default.nix

@@ -10,7 +10,7 @@ in {
   programs.nushell.extraConfig = ''
     # auto start zellij
     # except when in emacs or zellij itself
-    if (not "ZELLIJ" in $env) and (not "INSIDE_EMACS" in $env) {
+    if (not ("ZELLIJ" in $env)) and (not ("INSIDE_EMACS" in $env)) {
       if "ZELLIJ_AUTO_ATTACH" in $env and $env.ZELLIJ_AUTO_ATTACH == "true" {
         ^zellij attach -c
       } else {

home/darwin/core.nix

@@ -1,3 +1,3 @@
-{username, ...}: {
-  home.homeDirectory = "/Users/${username}";
+{myvars, ...}: {
+  home.homeDirectory = "/Users/${myvars.username}";
 }

home/darwin/default.nix

@@ -2,8 +2,9 @@
   imports =
     (mylib.scanPaths ./.)
     ++ [
-      ../base/server
-      ../base/desktop
-      ../base/core.nix
+      ../base/core
+      ../base/tui
+      ../base/gui
+      ../base/home.nix
     ];
 }

home/darwin/shell.nix

@@ -2,6 +2,24 @@ let
   envExtra = ''
     export PATH="$PATH:/opt/homebrew/bin:/usr/local/bin"
   '';
+  # copied from the content generated by `conda init bash`
+  initExtra = ''
+    arch=$(uname -m)
+
+    if [ "aarch64" = "$arch" ] ||  [ "arm64" = "$arch" ]; then
+      # >>> (miniforge)conda initialize >>>
+      # !! Contents within this block are managed by 'conda init' !!
+      if [ -f "/opt/homebrew/Caskroom/miniforge/base/etc/profile.d/conda.sh" ]; then
+          . "/opt/homebrew/Caskroom/miniforge/base/etc/profile.d/conda.sh"
+      else
+          export PATH="/opt/homebrew/Caskroom/miniforge/base/bin:$PATH"
+      fi
+      # <<< conda initialize <<<
+    elif [[ "x86_64" = "$arch" ]]; then
+      # do nothing
+      true
+    fi
+  '';
 in {
   # Homebrew's default install location:
   #   /opt/homebrew for Apple Silicon
@@ -10,10 +28,10 @@ in {
   # in /opt/homebrew for Apple Silicon and /usr/local for Rosetta 2 to coexist and use bottles.
   programs.bash = {
     enable = true;
-    bashrcExtra = envExtra;
+    bashrcExtra = envExtra + initExtra;
   };
   programs.zsh = {
     enable = true;
-    inherit envExtra;
+    inherit envExtra initExtra;
   };
 }

home/darwin/ssh.nix

@@ -0,0 +1,3 @@
+{myvars, ...}: {
+  programs.ssh.extraConfig = myvars.networking.ssh.extraConfig;
+}

home/linux/base/shell.nix

@@ -1,13 +1,13 @@
 {
   config,
-  username,
+  myvars,
   ...
 }: let
   d = config.xdg.dataHome;
   c = config.xdg.configHome;
   cache = config.xdg.cacheHome;
 in rec {
-  home.homeDirectory = "/home/${username}";
+  home.homeDirectory = "/home/${myvars.username}";
 
   # environment variables that always set at login
   home.sessionVariables = {

home/linux/base/system-tools.nix

@@ -1,29 +1,9 @@
 {pkgs, ...}: {
   # Linux Only Packages, not available on Darwin
   home.packages = with pkgs; [
-    nmon
-    iotop
-    iftop
-
     # misc
     libnotify
     wireguard-tools # manage wireguard vpn manually, via wg-quick
-
-    # system call monitoring
-    strace # system call monitoring
-    ltrace # library call monitoring
-    bpftrace # powerful tracing tool
-    tcpdump # network sniffer
-    lsof # list open files
-
-    # system tools
-    sysstat
-    lm_sensors # for `sensors` command
-    ethtool
-    pciutils # lspci
-    usbutils # lsusb
-    hdparm # for disk performance, command
-    dmidecode # a tool that reads information about your system's hardware from the BIOS according to the SMBIOS/DMI standard
   ];
 
   # auto mount usb drives

home/linux/core.nix

@@ -0,0 +1,8 @@
+{
+  imports = [
+    ../base/core
+    ../base/home.nix
+
+    ./base
+  ];
+}

home/linux/desktop.nix

@@ -1,10 +0,0 @@
-{
-  imports = [
-    ../base/server
-    ../base/desktop
-    ../base/core.nix
-
-    ./base
-    ./desktop
-  ];
-}

home/linux/desktop/README.md

@@ -9,8 +9,8 @@
 ## Why install I3/Hyprland in Home Manager instead of a NixOS Module?
 
 1. I3 & Hyprland's configuration file is located in `~/.config`, which can be easily managed by Home Manager.
-2. There're other user-specific systemd servcies, such gammastep, wallpaper-switcher, etc. which can be easily managed by Home Manager, but if we start i3/hyprland in NixOS Module, they may failed to start automatically. With i3/hyprland installed via home-manager, we can control their systemd service's dependent order, to avoid issues like this.
-3. By install as less as possible in NixOS Module, we can:
+2. I have many user-specific systemd servcies, such gammastep, wallpaper-switcher, etc. Which can be easily managed by Home Manager, but if we add i3/hyprland in a NixOS Module, those user-level services may failed to start automatically. With i3/hyprland in a Home Manager Module, we can control their systemd service's dependent order more easily, so we can avoid issues like this.
+3. By install packages as less as possible in NixOS Module, we can:
     1. Make the NixOS system more secure and stable.
     2. Make this flake more portable to other non-NixOS systems, as home-manager can be installed on any Linux system.
 

home/linux/desktop/base/dev-tools.nix

@@ -0,0 +1,5 @@
+{pkgs, ...}: {
+  home.packages = with pkgs; [
+    android-tools
+  ];
+}

home/linux/desktop/base/note-taking.nix

@@ -0,0 +1,7 @@
+{pkgs, ...}: {
+  home.packages = with pkgs; [
+    # https://joplinapp.org/help/
+    joplin # joplin-cli
+    joplin-desktop
+  ];
+}

home/linux/desktop/base/xdg.nix

@@ -30,14 +30,17 @@
     #  ls /etc/profiles/per-user/ryan/share/applications/
     mimeApps = {
       enable = true;
+      # let `xdg-open` to open the url with the correct application.
       defaultApplications = let
         browser = ["firefox.desktop"];
+        editor = ["nvim.desktop" "Helix.desktop" "code.desktop" "code-insiders.desktop"];
       in {
         "application/json" = browser;
         "application/pdf" = browser; # TODO: pdf viewer
 
         "text/html" = browser;
         "text/xml" = browser;
+        "text/plain" = editor;
         "application/xml" = browser;
         "application/xhtml+xml" = browser;
         "application/xhtml_xml" = browser;
@@ -48,12 +51,18 @@
         "application/x-extension-shtml" = browser;
         "application/x-extension-xht" = browser;
         "application/x-extension-xhtml" = browser;
+        "application/x-wine-extension-ini" = editor;
 
-        "x-scheme-handler/about" = browser;
-        "x-scheme-handler/ftp" = browser;
+        # define default applications for some url schemes.
+        "x-scheme-handler/about" = browser; # open `about:` url with `browser`
+        "x-scheme-handler/ftp" = browser; # open `ftp:` url with `browser`
         "x-scheme-handler/http" = browser;
         "x-scheme-handler/https" = browser;
-        "x-scheme-handler/unknown" = browser;
+        # https://github.com/microsoft/vscode/issues/146408
+        "x-scheme-handler/vscode" = ["code-url-handler.desktop"]; # open `vscode://` url with `code-url-handler.desktop`
+        "x-scheme-handler/vscode-insiders" = ["code-insiders-url-handler.desktop"]; # open `vscode-insiders://` url with `code-insiders-url-handler.desktop`
+        # all other unknown schemes will be opened by this default application.
+        # "x-scheme-handler/unknown" = editor;
 
         "x-scheme-handler/discord" = ["discord.desktop"];
         "x-scheme-handler/tg" = ["org.telegram.desktop.desktop "];

home/linux/desktop/hyprland/conf/hyprland.conf

@@ -94,7 +94,6 @@ $term = kitty
 $app_launcher = ~/.config/hypr/scripts/menu
 $volume = ~/.config/hypr/scripts/volume
 $backlight = ~/.config/hypr/scripts/brightness
-$screenshot = ~/.config/hypr/scripts/screenshot
 $lockscreen = ~/.config/hypr/scripts/lockscreen
 $wlogout = ~/.config/hypr/scripts/wlogout
 $colorpicker = ~/.config/hypr/scripts/colorpicker
@@ -137,9 +136,11 @@ bind=,XF86AudioPlay,exec,mpc toggle
 bind=,XF86AudioStop,exec,mpc stop
 
 # -- Screenshots --
-bind=,Print,exec,$screenshot --now
-bind=SUPER,Print,exec,$screenshot --win
-bind=CTRL,Print,exec,$screenshot --area
+bind=,Print,exec,hyprshot -m output -o ~/Pictures/Screenshots -- imv
+bind=SUPER,Print,exec,hyprshot -m window -o ~/Pictures/Screenshots -- imv
+# flameshot do not recognize hyprland as a wayland compositor, so we set it to sway here
+bind=CTRL,Print,exec,XDG_CURRENT_DESKTOP=sway flameshot gui --raw -p ~/Pictures/Screenshots | wl-copy
+# bind=CTRL,Print,exec,hyprshot -m region -o ~/Pictures/Screenshots -- imv
 
 # Focus
 bind=SUPER,left,movefocus,l
@@ -195,8 +196,3 @@ exec-once=cp ~/.config/fcitx5/profile-bak ~/.config/fcitx5/profile    # restore
 exec-once=fcitx5 -d --replace     # start fcitx5 daemon
 bind=ALT,E,exec,pkill fcitx5 -9;sleep 1;fcitx5 -d --replace; sleep 1;fcitx5-remote -r
 
-# fix xwayland apps
-windowrulev2 = rounding 0, xwayland:1, floating:1
-windowrulev2 = center, class:^(.*jetbrains.*)$, title:^(Confirm Exit|Open Project|win424|win201|splash)$
-windowrulev2 = size 640 400, class:^(.*jetbrains.*)$, title:^(splash)$
-

home/linux/desktop/hyprland/conf/scripts/screenshot

@@ -1,55 +0,0 @@
-#!/usr/bin/env bash
-
-## Script to take screenshots with grim, slurp (in Wayland)
-
-iDIR="$HOME/.config/hypr/mako/icons"
-
-time=$(date +%Y-%m-%d-%H-%M-%S)
-dir="$(xdg-user-dir PICTURES)/Screenshots"  # need 
-file="Screenshot_${time}_${RANDOM}.png"
-
-# notify and view screenshot
-notify_cmd_shot="notify-send -h string:x-canonical-private-synchronous:shot-notify -u low -i ${iDIR}/picture.png"
-notify_view () {
-	${notify_cmd_shot} "Copied to clipboard."
-	imv ${dir}/"$file"
-	if [[ -e "$dir/$file" ]]; then
-		${notify_cmd_shot} "Screenshot Saved."
-	else
-		${notify_cmd_shot} "Screenshot Deleted."
-	fi
-}
-
-# take shots
-shotnow () {
-	cd ${dir} && grim - | tee "$file" | wl-copy
-	notify_view
-}
-
-shotwin () {
-	w_pos=$(hyprctl activewindow | grep 'at:' | cut -d':' -f2 | tr -d ' ' | tail -n1)
-	w_size=$(hyprctl activewindow | grep 'size:' | cut -d':' -f2 | tr -d ' ' | tail -n1 | sed s/,/x/g)
-	cd ${dir} && grim -g "$w_pos $w_size" - | tee "$file" | wl-copy
-	notify_view
-}
-
-shotarea () {
-	cd ${dir} && grim -g "$(slurp -b 1B1F28CC -c E06B74ff -s C778DD0D -w 2)" - | tee "$file" | wl-copy
-	notify_view
-}
-
-if [[ ! -d "$dir" ]]; then
-	mkdir -p "$dir"
-fi
-
-if [[ "$1" == "--now" ]]; then
-	shotnow
-elif [[ "$1" == "--area" ]]; then
-	shotarea
-elif [[ "$1" == "--win" ]]; then
-	shotwin
-else
-	echo -e "Available Options : --now --win --area"
-fi
-
-exit 0

home/linux/desktop/hyprland/conf/waybar/config.jsonc

@@ -6,7 +6,7 @@
     "custom/launcher",
     "temperature",
     "backlight",
-    "wlr/workspaces"
+    "hyprland/workspaces"
   ],
   "modules-center": [
     "custom/playerctl"
@@ -23,7 +23,7 @@
     "custom/powermenu",
     "tray"
   ],
-  "wlr/workspaces": {
+  "hyprland/workspaces": {
     "format": "{icon}",
     "on-click": "activate",
     "format-icons": {

home/linux/desktop/hyprland/values/packages.nix

@@ -1,4 +1,8 @@
-{pkgs, ...}: {
+{
+  pkgs,
+  pkgs-unstable,
+  ...
+}: {
   home.packages = with pkgs; [
     waybar # the status bar
     swaybg # the wallpaper
@@ -8,10 +12,10 @@
     wl-clipboard # copying and pasting
     hyprpicker # color picker
 
-    wf-recorder # creen recording
+    pkgs-unstable.hyprshot # screen shot
     grim # taking screenshots
     slurp # selecting a region to screenshot
-    # TODO replace by `flameshot gui --raw | wl-copy`
+    wf-recorder # creen recording
 
     mako # the notification daemon, the same as dunst
 

home/linux/desktop/hyprland/values/wayland-apps.nix

@@ -39,12 +39,13 @@
     google-chrome = {
       enable = true;
 
+      # https://wiki.archlinux.org/title/Chromium#Native_Wayland_support
       commandLineArgs = [
+        "--ozone-platform-hint=auto"
+        "--ozone-platform=wayland"
         # make it use GTK_IM_MODULE if it runs with Gtk4, so fcitx5 can work with it.
         # (only supported by chromium/chrome at this time, not electron)
         "--gtk-version=4"
-        "--enable-features=UseOzonePlatform"
-        "--ozone-platform=wayland"
         # make it use text-input-v1, which works for kwin 5.27 and weston
         "--enable-wayland-ime"
 
@@ -58,5 +59,38 @@
       enableGnomeExtensions = false;
       package = pkgs.firefox-wayland; # firefox with wayland support
     };
+
+    vscode = {
+      enable = true;
+      # let vscode sync and update its configuration & extensions across devices, using github account.
+      userSettings = {};
+      package =
+        (pkgs.vscode.override
+          {
+            isInsiders = true;
+            # https://wiki.archlinux.org/title/Wayland#Electron
+            commandLineArgs = [
+              "--ozone-platform-hint=auto"
+              "--ozone-platform=wayland"
+              # make it use GTK_IM_MODULE if it runs with Gtk4, so fcitx5 can work with it.
+              # (only supported by chromium/chrome at this time, not electron)
+              "--gtk-version=4"
+              # make it use text-input-v1, which works for kwin 5.27 and weston
+              "--enable-wayland-ime"
+
+              # TODO: fix https://github.com/microsoft/vscode/issues/187436
+              # still not works...
+              "--password-store=gnome" # use gnome-keyring as password store
+            ];
+          })
+        .overrideAttrs (oldAttrs: rec {
+          # Use VSCode Insiders to fix crash: https://github.com/NixOS/nixpkgs/issues/246509
+          src = builtins.fetchTarball {
+            url = "https://update.code.visualstudio.com/latest/linux-x64/insider";
+            sha256 = "0k2sh7rb6mrx9d6bkk2744ry4g17d13xpnhcisk4akl4x7dn6a83";
+          };
+          version = "latest";
+        });
+    };
   };
 }

home/linux/desktop/i3/values/x11-apps.nix

@@ -1,9 +1,12 @@
-{pkgs, ...}: {
+{
+  pkgs,
+  pkgs-unstable,
+  ...
+}: {
   home.packages = with pkgs; [
     firefox
   ];
 
-  # TODO vscode & chrome both have wayland support, but they don't work with fcitx5, need to fix it.
   programs = {
     # source code: https://github.com/nix-community/home-manager/blob/master/modules/programs/chromium.nix
     google-chrome = {
@@ -16,5 +19,11 @@
       # commandLineArgs = [
       # ];
     };
+    vscode = {
+      enable = true;
+      package = pkgs-unstable.vscode;
+      # let vscode sync and update its configuration & extensions across devices, using github account.
+      # userSettings = {};
+    };
   };
 }

home/linux/gui.nix

@@ -0,0 +1,11 @@
+{
+  imports = [
+    ../base/core
+    ../base/tui
+    ../base/gui
+    ../base/home.nix
+
+    ./base
+    ./desktop
+  ];
+}

home/linux/server.nix

@@ -1,8 +0,0 @@
-{
-  imports = [
-    ../base/server
-    ../base/core.nix
-
-    ./base
-  ];
-}

home/linux/tui.nix

@@ -0,0 +1,10 @@
+{
+  imports = [
+    ../base/core
+    ../base/tui
+    ../base/home.nix
+
+    ./base
+    ./desktop
+  ];
+}

hosts/12kingdoms-rakushun/README.md

@@ -0,0 +1,149 @@
+# Rakushun - Orange Pi 5 Plus
+
+LUKS encrypted SSD for NixOS, on Orange Pi 5 Plus.
+
+## Showcases
+
+![](../../_img/2024-03-07_orangepi5plus_rakushun.webp)
+
+Disk layout:
+
+```bash
+[ryan@rakushun:~]$ lsblk
+NAME        MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
+sda           8:0    1 58.6G  0 disk
+└─sda1        8:1    1  487M  0 part
+mtdblock0    31:0    0   16M  0 disk
+zram0       254:0    0    0B  0 disk
+nvme0n1     259:0    0  1.8T  0 disk
+├─nvme0n1p1 259:1    0  630M  0 part  /boot
+└─nvme0n1p2 259:2    0  1.8T  0 part
+  └─crypted 253:0    0  1.8T  0 crypt /tmp
+                                      /swap
+                                      /snapshots
+                                      /home/ryan/tmp
+                                      /home/ryan/nix-config
+                                      /home/ryan/go
+                                      /home/ryan/codes
+                                      /home/ryan/.ssh
+                                      /home/ryan/.local/state
+                                      /home/ryan/.npm
+                                      /home/ryan/.local/share
+                                      /home/ryan/.conda
+                                      /etc/ssh
+                                      /etc/nix/inputs
+                                      /etc/secureboot
+                                      /etc/agenix
+                                      /etc/NetworkManager/system-connections
+                                      /etc/machine-id
+                                      /nix/store
+                                      /var/log
+                                      /var/lib
+                                      /nix
+                                      /persistent
+
+[ryan@rakushun:~]$ df -Th
+Filesystem          Type      Size  Used Avail Use% Mounted on
+devtmpfs            devtmpfs  785M     0  785M   0% /dev
+tmpfs               tmpfs     7.7G     0  7.7G   0% /dev/shm
+tmpfs               tmpfs     3.9G  6.8M  3.9G   1% /run
+tmpfs               tmpfs     7.7G  1.9M  7.7G   1% /run/wrappers
+none                tmpfs     4.0G   48K  4.0G   1% /
+/dev/mapper/crypted btrfs     1.9T   19G  1.8T   2% /persistent
+/dev/mapper/crypted btrfs     1.9T   19G  1.8T   2% /nix
+/dev/mapper/crypted btrfs     1.9T   19G  1.8T   2% /snapshots
+/dev/mapper/crypted btrfs     1.9T   19G  1.8T   2% /swap
+/dev/mapper/crypted btrfs     1.9T   19G  1.8T   2% /tmp
+/dev/nvme0n1p1      vfat      629M   96M  534M  16% /boot
+tmpfs               tmpfs     1.6G  4.0K  1.6G   1% /run/user/1000
+```
+
+CPU info:
+
+```bash
+[ryan@rakushun:~]$ lscpu
+Architecture:           aarch64
+  CPU op-mode(s):       32-bit, 64-bit
+  Byte Order:           Little Endian
+CPU(s):                 8
+  On-line CPU(s) list:  0-7
+Vendor ID:              ARM
+  Model name:           Cortex-A55
+    Model:              0
+    Thread(s) per core: 1
+    Core(s) per socket: 4
+    Socket(s):          1
+    Stepping:           r2p0
+    CPU(s) scaling MHz: 67%
+    CPU max MHz:        1800.0000
+    CPU min MHz:        408.0000
+    BogoMIPS:           48.00
+    Flags:              fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp
+  Model name:           Cortex-A76
+    Model:              0
+    Thread(s) per core: 1
+    Core(s) per socket: 2
+    Socket(s):          2
+    Stepping:           r4p0
+    CPU(s) scaling MHz: 18%
+    CPU max MHz:        2256.0000
+    CPU min MHz:        408.0000
+    BogoMIPS:           48.00
+    Flags:              fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp
+Caches (sum of all):
+  L1d:                  384 KiB (8 instances)
+  L1i:                  384 KiB (8 instances)
+  L2:                   2.5 MiB (8 instances)
+  L3:                   3 MiB (1 instance)
+```
+
+## How to install NixOS on Orange Pi 5 Plus
+
+### 1. Prepare a USB LUKS key
+
+Generate LUKS keyfile to encrypt the root partition, it's used by disko.
+
+```bash
+# partition the usb stick
+DEV=/dev/sdX
+parted ${DEV} -- mklabel gpt
+parted ${DEV} -- mkpart OPI5P_DSC fat32 0% 512MB
+mkfs.fat -F 32 -n OPI5P_DSC ${DEV}1
+
+# Generate a keyfile from the true random number generator
+KEYFILE=./orangepi5plus-luks-keyfile
+dd bs=512 count=64 iflag=fullblock if=/dev/random of=$KEYFILE
+
+# copy the keyfile and token to the usb stick
+KEYFILE=./orangepi5plus-luks-keyfile
+DEVICE=/dev/disk/by-label/OPI5P_DSC
+# seek=128 skip N obs-sized output blocks to avoid overwriting the filesystem header
+dd bs=512 count=64 iflag=fullblock seek=128 if=$KEYFILE of=$DEVICE
+```
+
+### 2. Partition the SSD & install NixOS via disko
+
+First, follow [UEFI - ryan4yin/nixos-rk3588](https://github.com/ryan4yin/nixos-rk3588/blob/main/UEFI.md) to install UEFI bootloader and boot into NixOS live environment via a USB stick.
+
+Then, run the following commands:
+
+```bash
+# transfer the nix-config to the target machine
+rsync -avzP ~/nix-config rk@<ip-addr>:/home/rk/
+
+# login via ssh
+ssh rk@<ip-addr>
+
+cd ~/nix-config/hosts/12kingdoms_rakushun
+# 1. change the disk device path in ./disko-fs.nix to the disk you want to use
+# 2. partition & format the disk via disko
+sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko -- --mode disko ./disko-fs.nix
+
+
+cd ~/nix-config
+# install nixos
+# NOTE: the root password you set here will be discarded when reboot
+sudo nixos-install --root /mnt --flake .#rakushun --no-root-password --show-trace --verbose
+```
+
+

hosts/12kingdoms-rakushun/caddy.nix

@@ -0,0 +1,28 @@
+{myvars, ...}: {
+  services.caddy = {
+    enable = true;
+    # Reload Caddy instead of restarting it when configuration file changes.
+    enableReload = true;
+    user = "caddy"; # User account under which caddy runs.
+    dataDir = "/var/lib/caddy";
+    logDir = "/var/log/caddy";
+
+    # Additional lines of configuration appended to the global config section of the Caddyfile.
+    # Refer to https://caddyserver.com/docs/caddyfile/options#global-options for details on supported values.
+    globalConfig = ''
+      http_port    80
+      https_port   443
+      auto_https   off
+    '';
+
+    # ACME related settings.
+    # email = myvars.useremail;
+    # acmeCA = "https://acme-v02.api.letsencrypt.org/directory";
+
+    virtualHosts."http://git.writefor.fun".extraConfig = ''
+      encode zstd gzip
+      reverse_proxy http://localhost:3000
+    '';
+  };
+  networking.firewall.allowedTCPPorts = [80 443];
+}

hosts/12kingdoms-rakushun/default.nix

@@ -0,0 +1,52 @@
+{
+  disko,
+  nixos-rk3588,
+  myvars,
+  ...
+}:
+#############################################################
+#
+#  Suzu - Orange Pi 5 Plus, RK3588 + 16GB RAM
+#
+#############################################################
+let
+  hostName = "rakushun"; # Define your hostname.
+  hostAddress = myvars.networking.hostAddress.${hostName};
+in {
+  imports = [
+    # import the rk3588 module, which contains the configuration for bootloader/kernel/firmware
+    nixos-rk3588.nixosModules.orangepi5plus.core
+    disko.nixosModules.default
+    ./hardware-configuration.nix
+    ./disko-fs.nix
+    ./impermanence.nix
+
+    ./gitea.nix
+    ./caddy.nix
+  ];
+
+  networking = {
+    inherit hostName;
+    inherit (myvars.networking) defaultGateway nameservers;
+
+    networkmanager.enable = false;
+    # RJ45 port 1
+    interfaces.enP4p65s0 = {
+      useDHCP = false;
+      ipv4.addresses = [hostAddress];
+    };
+    # RJ45 port 2
+    # interfaces.enP3p49s0 = {
+    # useDHCP = false;
+    # ipv4.addresses = [hostAddress];
+    # };
+  };
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.11"; # Did you read the comment?
+}

hosts/12kingdoms-rakushun/disko-fs.nix

@@ -0,0 +1,102 @@
+{
+  # required by impermanence
+  fileSystems."/persistent".neededForBoot = true;
+
+  disko.devices = {
+    nodev."/" = {
+      fsType = "tmpfs";
+      mountOptions = [
+        "size=4G"
+        "defaults"
+        # set mode to 755, otherwise systemd will set it to 777, which cause problems.
+        # relatime: Update inode access times relative to modify or change time.
+        "mode=755"
+      ];
+    };
+
+    # TODO: rename to main
+    disk.sda = {
+      type = "disk";
+      # When using disko-install, we will overwrite this value from the commandline
+      device = "/dev/nvme0n1"; # The device to partition
+      content = {
+        type = "gpt";
+        partitions = {
+          # The EFI & Boot partition
+          ESP = {
+            size = "630M";
+            type = "EF00";
+            content = {
+              type = "filesystem";
+              format = "vfat";
+              mountpoint = "/boot";
+              mountOptions = [
+                "defaults"
+              ];
+            };
+          };
+          # The root partition
+          luks = {
+            size = "100%";
+            content = {
+              type = "luks";
+              name = "crypted";
+              settings = {
+                keyFile = "/dev/disk/by-label/OPI5P_DSC"; # The keyfile is stored on a USB stick
+                # The maxium size of the keyfile is 8192 bytes
+                keyFileSize = 512 * 64; # match the `bs * count` of the `dd` command
+                keyFileOffset = 512 * 128; # match the `bs * skip` of the `dd` command
+                fallbackToPassword = true;
+                allowDiscards = true;
+              };
+              # Whether to add a boot.initrd.luks.devices entry for the specified disk.
+              initrdUnlock = true;
+
+              # encrypt the root partition with luks2 and argon2id, will prompt for a passphrase, which will be used to unlock the partition.
+              # cryptsetup luksFormat
+              extraFormatArgs = [
+                "--type luks2"
+                "--cipher aes-xts-plain64"
+                "--hash sha512"
+                "--iter-time 5000"
+                "--key-size 256"
+                "--pbkdf argon2id"
+                # use true random data from /dev/random, will block until enough entropy is available
+                "--use-random"
+              ];
+              extraOpenArgs = [
+                "--timeout 10"
+              ];
+              content = {
+                type = "btrfs";
+                extraArgs = ["-f"];
+                subvolumes = {
+                  "@nix" = {
+                    mountpoint = "/nix";
+                    mountOptions = ["compress-force=zstd:1" "noatime"];
+                  };
+                  "@persistent" = {
+                    mountpoint = "/persistent";
+                    mountOptions = ["compress-force=zstd:1" "noatime"];
+                  };
+                  "@tmp" = {
+                    mountpoint = "/tmp";
+                    mountOptions = ["compress-force=zstd:1" "noatime"];
+                  };
+                  "@snapshots" = {
+                    mountpoint = "/snapshots";
+                    mountOptions = ["compress-force=zstd:1" "noatime"];
+                  };
+                  "@swap" = {
+                    mountpoint = "/swap";
+                    swap.swapfile.size = "16384M";
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

hosts/12kingdoms-rakushun/gitea.nix

@@ -0,0 +1,88 @@
+{pkgs, ...}: let
+in {
+  # https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/services/misc/gitea.nix
+  services.gitea = {
+    enable = true;
+    user = "gitea";
+    group = "gitea";
+    stateDir = "/var/lib/gitea";
+    appName = "Ryan Yin's Gitea Service";
+    lfs.enable = true;
+    # Enable a timer that runs gitea dump to generate backup-files of the current gitea database and repositories.
+    dump = {
+      enable = false;
+      interval = "hourly";
+      file = "gitea-dump";
+      type = "tar.zst";
+    };
+    # Path to a file containing the SMTP password.
+    # mailerPasswordFile = "";
+    settings = {
+      server = {
+        SSH_PORT = 2222;
+        PROTOCOL = "http";
+        HTTP_PORT = 3000;
+        HTTP_ADDR = "127.0.0.1";
+        DOMAIN = "git.writefor.fun";
+      };
+      # one of "Trace", "Debug", "Info", "Warn", "Error", "Critical"
+      log.LEVEL = "Info";
+      session.COOKIE_SECURE = false;
+      service.DISABLE_REGISTRATION = true;
+
+      # "cron.sync_external_users" = {
+      #   RUN_AT_START = true;
+      #   SCHEDULE = "@every 24h";
+      #   UPDATE_EXISTING = true;
+      # };
+      mailer = {
+        ENABLED = true;
+        MAILER_TYPE = "sendmail";
+        FROM = "do-not-reply@writefor.fun";
+        SENDMAIL_PATH = "${pkgs.system-sendmail}/bin/sendmail";
+      };
+      other = {
+        SHOW_FOOTER_VERSION = false;
+      };
+    };
+    database = {
+      type = "sqlite3";
+      # create a local database automatically.
+      createDatabase = true;
+    };
+  };
+
+  # services.gitea-actions-runner.instances."default" = {
+  #   enable = true;
+  #   name = "default";
+  #   labels = [
+  #     # provide a debian base with nodejs for actions
+  #     "debian-latest:docker://node:18-bullseye"
+  #     # fake the ubuntu name, because node provides no ubuntu builds
+  #     "ubuntu-latest:docker://node:18-bullseye"
+  #     # provide native execution on the host
+  #     "native:host"
+  #   ];
+  #   gitea = "http://git.writefor.fun";
+  #   # Path to an environment file,
+  #   # containing the TOKEN environment variable,
+  #   # that holds a token to register at the configured Gitea instance.
+  #   tokenFile = "xxx"; # use agenix for secrets.
+  #   # Configuration for act_runner daemon.
+  #   # For an example configuration, see:
+  #   #  https://gitea.com/gitea/act_runner/src/branch/main/internal/pkg/config/config.example.yaml
+  #   settings = {};
+  #   # List of packages, that are available to actions,
+  #   # when the runner is configured with a host execution label.
+  #   hostPackages = with pkgs; [
+  #     bash
+  #     coreutils
+  #     curl
+  #     gawk
+  #     gitMinimal
+  #     gnused
+  #     nodejs
+  #     wget
+  #   ];
+  # };
+}

hosts/12kingdoms-rakushun/hardware-configuration.nix

@@ -0,0 +1,39 @@
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.loader = {
+    # depending on how you configured your disk mounts, change this to /boot or /boot/efi.
+    efi.efiSysMountPoint = "/boot/";
+    efi.canTouchEfiVariables = true;
+    # do not use systemd-boot here, it has problems when running `nixos-install`
+    grub = {
+      device = "nodev";
+      efiSupport = true;
+    };
+  };
+  # clear /tmp on boot to get a stateless /tmp directory.
+  boot.tmp.cleanOnBoot = true;
+
+  boot.initrd.availableKernelModules = ["nvme" "usbhid" "usb_storage"];
+  boot.initrd.kernelModules = [];
+  boot.kernelModules = [];
+  boot.extraModulePackages = [];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enP3p49s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enP4p65s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+}