feat: list systemd services

fix: hdd storage - auto unlock after booted (#158 )
fix: hdd storage - do not unlock on boot, increase boot.loader.timeout
2026-05-28 18:39:31 +02:00 · 2024-08-17 20:40:27 +08:00 · 2024-08-17 04:05:22 +08:00 · 2024-08-17 03:06:37 +08:00 · 2024-08-17 02:28:12 +08:00 · 2024-08-17 02:26:39 +08:00
180 changed files with 1491 additions and 4214 deletions
@@ -1,2 +1,3 @@
 github: ryan4yin
 patreon: ryan4yin
-custom: ["https://buymeacoffee.com/ryan4yin", "https://afdian.net/a/ryan4yin"]
+custom: ["https://buymeacoffee.com/ryan4yin"]
@@ -3,3 +3,4 @@ result/
 .direnv/
 .DS_Store
 .pre-commit-config.yaml
 logs/
@@ -10,4 +10,5 @@ extend-ignore-re = [
  "iterm2",
  "iHgEIBYKACAWIQSizQe9ljFEyyclWmtVhZllwnQrSwUCZZ1T9wIdAAAKCRBVhZll", # crypto keys
  "noice", # noice.nvim
  "crypted-nixos",
 ]
@@ -1,57 +1,85 @@
 # just is a command runner, Justfile is very similar to Makefile, but simpler.
-# use nushell for shell commands
+# Use nushell for shell commands
 # To usage this justfile, you need to enter a shell with just & nushell installed:
 # 
 #   nix shell nixpkgs#just nixpkgs#nushell
 set shell := ["nu", "-c"]
 utils_nu := absolute_path("utils.nu")
 ############################################################################
 #
 #  Common commands(suitable for all machines)
 #
 ############################################################################
-# Remote deployment via colmena
+# List all the just commands
-col tag:
+default:
-  colmena apply --on '@{{tag}}' --verbose --show-trace
+    @just --list
 local name mode="default":
  use utils.nu *; \
  nixos-switch {{name}} {{mode}}
 # Run eval tests
 [group('nix')]
 test:
  nix eval .#evalTests --show-trace --print-build-logs --verbose
-# update all the flake inputs
+# Update all the flake inputs
 [group('nix')]
 up:
  nix flake update
 # Update specific input
 # Usage: just upp nixpkgs
 [group('nix')]
 upp input:
-  nix flake lock --update-input {{input}}
+  nix flake update {{input}}
 # List all generations of the system profile
 [group('nix')]
 history:
  nix profile history --profile /nix/var/nix/profiles/system
 # Open a nix shell with the flake
 [group('nix')]
 repl:
  nix repl -f flake:nixpkgs
 # remove all generations older than 7 days
 # on darwin, you may need to switch to root user to run this command
 [group('nix')]
 clean:
  sudo nix profile wipe-history --profile /nix/var/nix/profiles/system  --older-than 7d
 # Garbage collect all unused nix store entries
 [group('nix')]
 gc:
-  # garbage collect all unused nix store entries
+  # garbage collect all unused nix store entries(system-wide)
-  sudo nix store gc --debug
+  sudo nix-collect-garbage --delete-older-than 7d
-  sudo nix-collect-garbage --delete-old
+  # garbage collect all unused nix store entries(for the user - home-manager)
  # https://github.com/LnL7/nix-darwin/issues/237
  nix-collect-garbage --delete-older-than 7d
-# Remove all reflog entries and prune unreachable objects
+# Enter a shell session which has all the necessary tools for this flake
-gitgc:
+[linux]
-  git reflog expire --expire-unreachable=now --all
+[group('nix')]
-  git gc --prune=now
+shell:
  nix shell nixpkgs#git nixpkgs#neovim nixpkgs#colmena
 # Enter a shell session which has all the necessary tools for this flake
 [macos]
 [group('nix')]
 shell:
  nix shell nixpkgs#git nixpkgs#neovim
 [group('nix')]
 fmt:
  # format the nix files in this repo
  nix fmt
 # Show all the auto gc roots in the nix store
 [group('nix')]
 gcroot:
  ls -al /nix/var/nix/gcroots/auto/
 ############################################################################
 #
@@ -59,21 +87,33 @@ gitgc:
 #
 ############################################################################
 [linux]
 [group('desktop')]
 i3 mode="default":
-  use utils.nu *; \
+  #!/usr/bin/env nu
  use {{utils_nu}} *;
  nixos-switch ai-i3 {{mode}}
 [linux]
 [group('desktop')]
 hypr mode="default":
-  use utils.nu *; \
+  #!/usr/bin/env nu
  use {{utils_nu}} *;
  nixos-switch ai-hyprland {{mode}}
 [linux]
 [group('desktop')]
 s-i3 mode="default":
-  use utils.nu *; \
+  #!/usr/bin/env nu
  use {{utils_nu}} *;
  nixos-switch shoukei-i3 {{mode}}
 [linux]
 [group('desktop')]
 s-hypr mode="default":
-  use utils.nu *; \
+  #!/usr/bin/env nu
  use {{utils_nu}} *;
  nixos-switch shoukei-hyprland {{mode}}
 ############################################################################
@@ -82,27 +122,40 @@ s-hypr mode="default":
 #
 ############################################################################
 [macos]
 [group('desktop')]
 darwin-set-proxy:
  sudo python3 scripts/darwin_set_proxy.py
  sleep 1sec
 [macos]
 [group('desktop')]
 darwin-rollback:
-  use utils.nu *; \
+  #!/usr/bin/env nu
  use {{utils_nu}} *;
  darwin-rollback
 # Deploy to harmonica(macOS host)
 [macos]
 [group('desktop')]
 ha mode="default":
-  use utils.nu *; \
+  #!/usr/bin/env nu
-  darwin-build "harmonica" {{mode}}; \
+  use {{utils_nu}} *;
  darwin-build "harmonica" {{mode}};
  darwin-switch "harmonica" {{mode}}
 # Depoly to fern(macOS host)
 [macos]
 [group('desktop')]
 fe mode="default": darwin-set-proxy
-  use utils.nu *; \
+  #!/usr/bin/env nu
-  darwin-build "fern" {{mode}}; \
+  use {{utils_nu}} *;
  darwin-build "fern" {{mode}};
  darwin-switch "fern" {{mode}}
 # Reload yabai and skhd(macOS)
 [macos]
 [group('desktop')]
 yabai-reload:
  launchctl kickstart -k "gui/502/org.nixos.yabai";
  launchctl kickstart -k "gui/502/org.nixos.skhd"; 
@@ -113,34 +166,67 @@ yabai-reload:
 #
 ############################################################################
 # Remote deployment via colmena
 [linux]
 [group('homelab')]
 col tag:
  colmena apply --on '@{{tag}}' --verbose --show-trace
 [linux]
 [group('homelab')]
 local name mode="default":
  #!/usr/bin/env nu
  use {{utils_nu}} *;
  nixos-switch {{name}} {{mode}}
 # Build and upload a vm image
 [linux]
 [group('homelab')]
 upload-vm name mode="default":
-  use utils.nu *; \
+  #!/usr/bin/env nu
  use {{utils_nu}} *;
  upload-vm {{name}} {{mode}}
 # Deploy all the KubeVirt nodes(Physical machines running KubeVirt)
 [linux]
 [group('homelab')]
 lab:
  colmena apply --on '@virt-*' --verbose --show-trace
 [linux]
 [group('homelab')]
 shoryu:
  colmena apply --on '@kubevirt-shoryu' --verbose --show-trace
 [linux]
 [group('homelab')]
 shoryu-local mode="default":
-  use utils.nu *; \
+  #!/usr/bin/env nu
  use {{utils_nu}} *; 
  nixos-switch kubevirt-shoryu {{mode}}
 [linux]
 [group('homelab')]
 shushou:
  colmena apply --on '@kubevirt-shushou' --verbose --show-trace
 [linux]
 [group('homelab')]
 shushou-local mode="default":
-  use utils.nu *; \
+  #!/usr/bin/env nu
  use {{utils_nu}} *; 
  nixos-switch kubevirt-shushou {{mode}}
 [linux]
 [group('homelab')]
 youko:
  colmena apply --on '@kubevirt-youko' --verbose --show-trace
 [linux]
 [group('homelab')]
 youko-local mode="default":
-  use utils.nu *; \
+  #!/usr/bin/env nu
  use {{utils_nu}} *; 
  nixos-switch kubevirt-youko {{mode}}
 ############################################################################
@@ -150,31 +236,49 @@ youko-local mode="default":
 ############################################################################
 # Build and upload a vm image
 [linux]
 [group('homelab')]
 upload-idols mode="default":
-  use utils.nu *; \
+  #!/usr/bin/env nu
  use {{utils_nu}} *; 
  upload-vm aquamarine {{mode}}
  upload-vm ruby {{mode}}
  upload-vm kana {{mode}}
 [linux]
 [group('homelab')]
 aqua:
  colmena apply --on '@aqua' --verbose --show-trace
 [linux]
 [group('homelab')]
 aqua-local mode="default":
-  use utils.nu *; \
+  #!/usr/bin/env nu
  use {{utils_nu}} *; 
  nixos-switch aquamarine {{mode}}
 [linux]
 [group('homelab')]
 ruby:
  colmena apply --on '@ruby' --verbose --show-trace
 [linux]
 [group('homelab')]
 ruby-local mode="default":
-  use utils.nu *; \
+  #!/usr/bin/env nu
  use {{utils_nu}} *; 
  nixos-switch ruby {{mode}}
 [linux]
 [group('homelab')]
 kana:
  colmena apply --on '@kana' --verbose --show-trace
 [linux]
 [group('homelab')]
 kana-local mode="default":
-  use utils.nu *; \
+  #!/usr/bin/env nu
  use {{utils_nu}} *; 
  nixos-switch kana {{mode}}
 ############################################################################
@@ -184,88 +288,49 @@ kana-local mode="default":
 ############################################################################
 # Build and upload a vm image
-upload-k3s mode="default":
+[linux]
-  use utils.nu *; \
+[group('homelab')]
-  upload-vm k3s-prod-1-master-1 {{mode}}; \
+upload-k3s-prod mode="default":
-  upload-vm k3s-prod-1-master-2 {{mode}}; \
+  #!/usr/bin/env nu
-  upload-vm k3s-prod-1-master-3 {{mode}}; \
+  use {{utils_nu}} *; 
-  upload-vm k3s-prod-1-worker-1 {{mode}}; \
+  upload-vm k3s-prod-1-master-1 {{mode}}; 
-  upload-vm k3s-prod-1-worker-2 {{mode}}; \
+  upload-vm k3s-prod-1-master-2 {{mode}}; 
  upload-vm k3s-prod-1-master-3 {{mode}}; 
  upload-vm k3s-prod-1-worker-1 {{mode}}; 
  upload-vm k3s-prod-1-worker-2 {{mode}}; 
  upload-vm k3s-prod-1-worker-3 {{mode}};
 [linux]
 [group('homelab')]
 upload-k3s-test mode="default":
-  use utils.nu *; \
+  #!/usr/bin/env nu
-  upload-vm k3s-test-1-master-1 {{mode}}; \
+  use {{utils_nu}} *; 
-  upload-vm k3s-test-1-master-2 {{mode}}; \
+  upload-vm k3s-test-1-master-1 {{mode}}; 
  upload-vm k3s-test-1-master-2 {{mode}}; 
  upload-vm k3s-test-1-master-3 {{mode}};
-k3s:
+[linux]
-  colmena apply --on '@k3s-*' --verbose --show-trace
+[group('homelab')]
-
+k3s-prod:
-master:
+  colmena apply --on '@k3s-prod-*' --verbose --show-trace
  colmena apply --on '@k3s-prod-1-master-*' --verbose --show-trace
 worker:
  colmena apply --on '@k3s-prod-1-worker-*' --verbose --show-trace
 [linux]
 [group('homelab')]
 k3s-test:
  colmena apply --on '@k3s-test-*' --verbose --show-trace
 ############################################################################
 #
-#  RISC-V related commands
+#  Neovim related commands
 #
 ############################################################################
-riscv:
+[group('neovim')]
  colmena apply --on '@riscv' --verbose --show-trace
 nozomi:
  colmena apply --on '@nozomi' --verbose --show-trace
 yukina:
  colmena apply --on '@yukina' --verbose --show-trace
 ############################################################################
 #
 # Aarch64 related commands
 #
 ############################################################################
 aarch:
  colmena apply --on '@aarch' --build-on-target --verbose --show-trace
 suzu:
  colmena apply --on '@suzu' --build-on-target --verbose --show-trace
 suzu-local mode="default":
  use utils.nu *; \
  nixos-switch suzu {{mode}}
 rakushun:
  colmena apply --on '@rakushun' --build-on-target --verbose --show-trace
 rakushun-local mode="default":
  use utils.nu *; \
  nixos-switch rakushun {{mode}}
 ############################################################################
 #
 #  Misc, other useful commands
 #
 ############################################################################
 fmt:
  # format the nix files in this repo
  nix fmt
 path:
   $env.PATH | split row ":"
 nvim-test:
  rm -rf $"($env.HOME)/.config/nvim"
  rsync -avz --copy-links --chmod=D2755,F744 home/base/tui/editors/neovim/nvim/ $"($env.HOME)/.config/nvim/"
 [group('neovim')]
 nvim-clean:
  rm -rf $"($env.HOME)/.config/nvim"
@@ -273,45 +338,78 @@ nvim-clean:
 # Emacs related commands
 # =================================================
-emacs-plist-path := "~/Library/LaunchAgents/org.nix-community.home.emacs.plist"
+[group('emacs')]
 reload-emacs-cmd := if os() == "macos" {
    "launchctl unload " + emacs-plist-path
    + "\n"
    + "launchctl load " + emacs-plist-path
    + "\n"
    + "tail -f ~/Library/Logs/emacs-daemon.stderr.log"
  } else {
    "systemctl --user restart emacs.service"
    + "\n"
    + "systemctl --user status emacs.service"
  }
 emacs-test:
  rm -rf $"($env.HOME)/.config/doom"
  rsync -avz --copy-links --chmod=D2755,F744 home/base/tui/editors/emacs/doom/ $"($env.HOME)/.config/doom/"
  doom clean
  doom sync
 [group('emacs')]
 emacs-clean:
  rm -rf $"($env.HOME)/.config/doom/"
 [group('emacs')]
 emacs-purge:
  doom purge
  doom clean
  doom sync
 [linux]
 [group('emacs')]
 emacs-reload:
  doom sync
-  {{reload-emacs-cmd}}
+  systemctl --user restart emacs.service
  systemctl --user status emacs.service
 emacs-plist-path := "~/Library/LaunchAgents/org.nix-community.home.emacs.plist"
 [macos]
 [group('emacs')]
 emacs-reload:
  doom sync
  launchctl unload {{emacs-plist-path}}
  launchctl load {{emacs-plist-path}}
  tail -f ~/Library/Logs/emacs-daemon.stderr.log
 # =================================================
 #
-# Kubernetes related commands
+# Other useful commands
 #
 # =================================================
 [group('common')]
 path:
   $env.PATH | split row ":"
 [linux]
 [group('common')]
 penvof pid:
  sudo cat $"/proc/($pid)/environ" | tr '\0' '\n'
 # Remove all reflog entries and prune unreachable objects
 [group('git')]
 ggc:
  git reflog expire --expire-unreachable=now --all
  git gc --prune=now
 # Amend the last commit without changing the commit message
 [group('git')]
 game:
  git commit --amend -a --no-edit
 # Delete all failed pods
 [group('k8s')]
 del-failed:
  kubectl delete pod --all-namespaces --field-selector="status.phase==Failed"
 [linux]
 [group('services')]
 list-inactive:
  systemctl list-units -all --state=inactive
 [linux]
 [group('services')]
 list-failed:
  systemctl list-units -all --state=failed
@@ -8,16 +8,18 @@
 	<a href="https://github.com/ryan4yin/nix-config/stargazers">
 		<img alt="Stargazers" src="https://img.shields.io/github/stars/ryan4yin/nix-config?style=for-the-badge&logo=starship&color=C9CBFF&logoColor=D9E0EE&labelColor=302D41"></a>
    <a href="https://nixos.org/">
-        <img src="https://img.shields.io/badge/NixOS-23.11-informational.svg?style=for-the-badge&logo=nixos&color=F2CDCD&logoColor=D9E0EE&labelColor=302D41"></a>
+        <img src="https://img.shields.io/badge/NixOS-24.05-informational.svg?style=for-the-badge&logo=nixos&color=F2CDCD&logoColor=D9E0EE&labelColor=302D41"></a>
    <a href="https://github.com/ryan4yin/nixos-and-flakes-book">
        <img src="https://img.shields.io/static/v1?label=Nix Flakes&message=learning&style=for-the-badge&logo=nixos&color=DDB6F2&logoColor=D9E0EE&labelColor=302D41"></a>
  </a>
 </p>
-> My configuration is becoming more and more complex, and it may be difficult for beginners to read
+> My configuration is becoming more and more complex, and **it will be difficult for beginners to
-> it. If you are new to NixOS and want to know how I use NixOS, I would recommend you to take a look
+> read**. If you are new to NixOS and want to know how I use NixOS, I would recommend you to take a
-> at the [ryan4yin/nix-config/releases](https://github.com/ryan4yin/nix-config/releases) first,
+> look at the [ryan4yin/nix-config/releases](https://github.com/ryan4yin/nix-config/releases) first,
-> **checkout to some simpler older versions**, which will be much easier to understand.
+> **checkout to some simpler older versions, such as
 > [i3-kickstarter](https://github.com/ryan4yin/nix-config/tree/i3-kickstarter), which will be much
 > easier to understand**.
 This repository is home to the nix code that builds my systems:
@@ -29,6 +31,9 @@ This repository is home to the nix code that builds my systems:
 See [./hosts](./hosts) for details of each host.
 See [./Virtual-Machine.md](./Virtual-Machine.md) for details of how to create & manage KubeVirt's
 Virtual Machine from this flake.
 ## Why NixOS & Flakes?
 Nix allows for easy-to-manage, collaborative, reproducible deployments. This means that once
@@ -89,11 +94,11 @@ Wallpapers: https://github.com/ryan4yin/wallpapers
 ## Neovim
-See [./home/base/desktop/editors/neovim/](./home/base/desktop/editors/neovim/) for details.
+See [./home/base/tui/editors/neovim/](./home/base/tui/editors/neovim/) for details.
 ## Emacs
-See [./home/base/desktop/editors/emacs/](./home/base/desktop/editors/emacs/) for details.
+See [./home/base/tui/editors/emacs/](./home/base/tui/editors/emacs/) for details.
 ## Secrets Management
@@ -1,13 +1,17 @@
 ## How to create & managage KubeVirt's Virtual Machine from this flake?
-Use `aquamarine` as an example, we can create a virtual machine with the following command:
+Use `aquamarine` as an example, first build and upload the virtual machine's qcow2 image to the file
 server:
 ```shell
 just upload-vm aquamarine
 ```
 Then create the virtual machine by creating a yaml file at
-[ryan4yin/k8s-gitops](https://github.com/ryan4yin/k8s-gitops/tree/main/vms)
+[ryan4yin/k8s-gitops](https://github.com/ryan4yin/k8s-gitops/tree/main/vms), set the
 `spec.dataVolumeTemplates[0].source.http.url` to the uploaded file's URL, and fluxcd will
 automatically apply the changes, then a virtual machine named `aquamarine` will be created in the
 KubeVirt cluster.
 Once the virtual machine `aquamarine` is created, we can deploy updates to it with the following
 commands:
@@ -12,18 +12,16 @@
  # the nixConfig here only affects the flake itself, not the system configuration!
  # for more information, see:
-  #     https://nixos-and-flakes.thiscute.world/nixos-with-flakes/add-custom-cache-servers
+  #     https://nixos-and-flakes.thiscute.world/nix-store/add-binary-cache-servers
  nixConfig = {
    # substituers will be appended to the default substituters when fetching packages
    extra-substituters = [
      "https://anyrun.cachix.org"
      "https://hyprland.cachix.org"
      "https://nix-gaming.cachix.org"
      # "https://nixpkgs-wayland.cachix.org"
    ];
    extra-trusted-public-keys = [
      "anyrun.cachix.org-1:pqBobmOjI7nKlsUMV25u9QHa9btJK65/C8vnO3p346s="
      "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
      "nix-gaming.cachix.org-1:nbjlureqMbRAxR1gJ/f3hxemL9svXaZF/Ees8vCUUs4="
      # "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
    ];
@@ -37,11 +35,11 @@
    # Official NixOS package source, using nixos's unstable branch by default
    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
-    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small";
-    nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-23.11";
+    nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.05";
    # for macos
-    nixpkgs-darwin.url = "github:nixos/nixpkgs/nixpkgs-23.11-darwin";
+    nixpkgs-darwin.url = "github:nixos/nixpkgs/nixpkgs-24.05-darwin";
    nix-darwin = {
      url = "github:lnl7/nix-darwin";
      inputs.nixpkgs.follows = "nixpkgs-darwin";
@@ -50,8 +48,8 @@
    # home-manager, used for managing user configuration
    home-manager = {
      # url = "github:nix-community/home-manager/release-23.11";
      url = "github:nix-community/home-manager/master";
      # url = "github:nix-community/home-manager/release-24.05";
      # The `follows` keyword in inputs is used for inheritance.
      # Here, `inputs.nixpkgs` of home-manager is kept consistent with the `inputs.nixpkgs` of the current flake,
@@ -60,17 +58,12 @@
    };
    lanzaboote = {
-      url = "github:nix-community/lanzaboote/v0.3.0";
+      url = "github:nix-community/lanzaboote/v0.4.1";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    impermanence.url = "github:nix-community/impermanence";
    hyprland = {
      url = "github:hyprwm/Hyprland/v0.38.1";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    # community wayland nixpkgs
    # nixpkgs-wayland.url = "github:nix-community/nixpkgs-wayland";
    # anyrun - a wayland launcher
@@ -96,7 +89,7 @@
    nix-gaming.url = "github:fufexan/nix-gaming";
    disko = {
-      url = "github:nix-community/disko";
+      url = "github:nix-community/disko/v1.6.1";
      inputs.nixpkgs.follows = "nixpkgs";
    };
@@ -108,19 +101,11 @@
    nuenv.url = "github:DeterminateSystems/nuenv";
    daeuniverse.url = "github:daeuniverse/flake.nix";
    # daeuniverse.url = "github:daeuniverse/flake.nix/exp";
    haumea = {
      url = "github:nix-community/haumea/v0.2.2";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    microvm = {
      url = "github:astro/microvm.nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    ########################  Some non-flake repositories  #########################################
    # doom-emacs is a configuration framework for GNU Emacs.
@@ -153,12 +138,5 @@
      url = "github:ryan4yin/nur-packages";
      # inputs.nixpkgs.follows = "nixpkgs";
    };
    # riscv64 SBCs
    nixos-licheepi4a.url = "github:ryan4yin/nixos-licheepi4a";
    # nixos-jh7110.url = "github:ryan4yin/nixos-jh7110";
    # aarch64 SBCs
    nixos-rk3588.url = "github:ryan4yin/nixos-rk3588";
  };
 }
@@ -5,17 +5,23 @@
  ...
 }: {
  home.packages = with pkgs; [
    skopeo
    docker-compose
    dive # explore docker layers
    lazydocker # Docker terminal UI.
    skopeo # copy/sync images between registries and local storage
    go-containerregistry # provides `crane` & `gcrane`, it's similar to skopeo
    kubectl
    kubectx
    kubebuilder
    istioctl
    clusterctl # for kubernetes cluster-api
    kubevirt # virtctl
    kubernetes-helm
    fluxcd
    argocd
    ko # build go project to container image
  ];
  programs = {
@@ -10,7 +10,7 @@
    gnupg
    gnumake
-    # Morden cli tools, replacement of grep/sed/...
+    # Modern cli tools, replacement of grep/sed/...
    # Interactively filter its input using fuzzy searching, not limit to filenames.
    fzf
@@ -134,7 +134,7 @@
      enable = true;
      enableBashIntegration = true;
      enableZshIntegration = true;
-      enableNushellIntegration = false;
+      enableNushellIntegration = true;
    };
  };
 }
@@ -25,7 +25,7 @@
    includes = [
      {
-        # use diffrent email & name for work
+        # use different email & name for work
        path = "~/work/.gitconfig";
        condition = "gitdir:~/work/";
      }
@@ -33,6 +33,7 @@
    extraConfig = {
      init.defaultBranch = "main";
      trim.bases = "develop,master,main"; # for git-trim
      push.autoSetupRemote = true;
      pull.rebase = true;
@@ -115,6 +115,33 @@ $env.config = {
  # buffer_editor: "emacs" # command that will be used to edit the current line buffer with ctrl+o, if unset fallback to $env.EDITOR and $env.VISUAL
  bracketed_paste: true # enable bracketed paste, currently useless on windows
  edit_mode: emacs # emacs, vi
-  shell_integration: true # enables terminal markers and a workaround to arrow keys stop working issue
+  shell_integration: {
        # osc2 abbreviates the path if in the home_dir, sets the tab/window title, shows the running command in the tab/window title
        osc2: true
        # osc7 is a way to communicate the path to the terminal, this is helpful for spawning new tabs in the same directory
        osc7: true
        # osc8 is also implemented as the deprecated setting ls.show_clickable_links, it shows clickable links in ls output if your terminal supports it. show_clickable_links is deprecated in favor of osc8
        osc8: true
        # osc9_9 is from ConEmu and is starting to get wider support. It's similar to osc7 in that it communicates the path to the terminal
        osc9_9: false
        # osc133 is several escapes invented by Final Term which include the supported ones below.
        # 133;A - Mark prompt start
        # 133;B - Mark prompt end
        # 133;C - Mark pre-execution
        # 133;D;exit - Mark execution finished with exit code
        # This is used to enable terminals to know where the prompt is, the command is, where the command finishes, and where the output of the command is
        osc133: true
        # osc633 is closely related to osc133 but only exists in visual studio code (vscode) and supports their shell integration features
        # 633;A - Mark prompt start
        # 633;B - Mark prompt end
        # 633;C - Mark pre-execution
        # 633;D;exit - Mark execution finished with exit code
        # 633;E - NOT IMPLEMENTED - Explicitly set the command line with an optional nonce
        # 633;P;Cwd=<path> - Mark the current working directory and communicate it to the terminal
        # and also helps with the run recent menu in vscode
        osc633: true
        # reset_application_mode is escape \x1b[?1l and was added to help ssh work better
        reset_application_mode: true
    }
  render_right_prompt_on_last_line: false # true or false to enable or disable right prompt to be rendered on last line of the prompt.
 }
@@ -1,4 +1,4 @@
-let
+{pkgs-unstable, ...}: let
  shellAliases = {
    k = "kubectl";
@@ -11,6 +11,7 @@ in {
  programs.nushell = {
    enable = true;
    package = pkgs-unstable.nushell;
    configFile.source = ./config.nu;
    inherit shellAliases;
  };
@@ -10,8 +10,13 @@
    package = pkgs-unstable.yazi;
    # Changing working directory when exiting Yazi
    enableBashIntegration = true;
-    # TODO: nushellIntegration is broken on release-23.11, wait for master's fix to be released
+    enableNushellIntegration = true;
-    enableNushellIntegration = false;
+    settings = {
      manager = {
        show_hidden = true;
        sort_dir_first = true;
      };
    };
  };
  xdg.configFile."yazi/theme.toml".source = "${nur-ryan4yin.packages.${pkgs.system}.catppuccin-yazi}/mocha.toml";
@@ -1,10 +1,10 @@
 {pkgs, ...}: {
  home.packages = with pkgs; [
    # db related
    dbeaver
    mitmproxy # http/https proxy tool
    insomnia # REST client
    wireshark # network analyzer
    # IDEs
    jetbrains.idea-community
  ];
 }
@@ -54,7 +54,7 @@ Error opening terminal: xterm-kitty.
 NixOS preserve the `TERMINFO` and `TERMINFO_DIRS` environment variables, for `root` and the `wheel`
 group:
-[nixpkgs/nixos/modules/config/terminfo.nix](https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/config/terminfo.nix#L18)
+[nixpkgs/nixos/modules/config/terminfo.nix](https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/config/terminfo.nix#L18)
 For nix-darwin, take a look at <https://github.com/LnL7/nix-darwin/wiki/Terminfo-issues>
@@ -12,7 +12,7 @@
    # You can update Home Manager without changing this value. See
    # the Home Manager release notes for a list of state version
    # changes in each release.
-    stateVersion = "23.11";
+    stateVersion = "24.05";
  };
  # Let Home Manager install and manage itself.
@@ -24,6 +24,11 @@
    # aliyun
    aliyun-cli
    # digitalocean
    doctl
    # google cloud
    google-cloud-sdk
    # cloud tools that nix do not have cache for.
    terraform
    terraformer # generate terraform configs from existing cloud resources
@@ -18,8 +18,8 @@
    colmena # nixos's remote deployment tool
    # db related
-    mycli
+    pkgs-unstable.mycli
-    pgcli
+    pkgs-unstable.pgcli
    mongosh
    sqlite
@@ -27,7 +27,7 @@
    minicom
    # ai related
-    python311Packages.huggingface-hub # huggingface-cli
+    pkgs-unstable.python312Packages.huggingface-hub # huggingface-cli
    # misc
    pkgs-unstable.devbox
@@ -41,6 +41,7 @@
    # Automatically trims your branches whose tracking remote refs are merged or gone
    # It's really useful when you work on a project for a long time.
    git-trim
    gitleaks
    # need to run `conda-install` before using it
    # need to run `conda-shell` before using command `conda`
@@ -5,7 +5,7 @@
 - paredit/[lispy](https://github.com/doomemacs/doomemacs/tree/master/modules/editor/lispy): too
  complex.
 - [evil-cleverparens](https://github.com/emacs-evil/evil-cleverparens): simple and useful.
- [parinfer(par-in-fer)](https://shaunlebron.github.io/parinfer/): morden, simple, elegant and
+- [parinfer(par-in-fer)](https://shaunlebron.github.io/parinfer/): modern, simple, elegant and
  useful, but works not well with some other completion plugins...
  - to make parinfer works, you should disable sexp & smartparens in any lisp mode.
@@ -20,7 +20,7 @@ Use `:tutor` in helix to start the tutorial.
   1. Helix: delete 2 word: `2w` then `x`. You can always see what you're selecting before you apply
      the action.
   2. Neovim: delete 2 word: `d`. then `2w`. No visual feedback before you apply the action.
-1. Helix - Morden builtin features: LSP, tree-sitter, fuzzy finder, multi cursors, surround and
+1. Helix - Modern builtin features: LSP, tree-sitter, fuzzy finder, multi cursors, surround and
   more.
   1. They're all available in Neovim too, but you need to find and use the right plugins manually,
      which takes time and effort.
@@ -30,7 +30,7 @@ Use `:tutor` in helix to start the tutorial.
   1. Personally I'm glad to take a look at a Rust codebase, but not a VimScript/Lua codebase.
 1. Neovim have a very activate plugin ecosystem, and it's easy to find plugins for almost
   everything.
-   1. Helix is still new, and it even do have a stable plugin system yet. A PR to add a plugin
+   1. Helix is still new, and it even don't have a stable plugin system yet. A PR to add a plugin
      system is still envolving: <https://github.com/helix-editor/helix/pull/8675>
 1. Neovim has integrated terminal, and it's very powerful. It's quite similar to VSCode's integrated
   terminal. I use it a lot.
@@ -88,14 +88,17 @@ plugin.
 ### Window Navigation
 - Switch between windows: `<Ctrl> + h/j/k/l`
- Resize windows: `<Ctrl> + Up/Down/Left/Right`
+- Resize windows: `<Ctrl> + Up/Down/Left/Right` (`<Ctrl-w> + -/+/</>`)
  - Note: On macOS, conflicts with system shortcuts
  - Disable in System Preferences -> Keyboard -> Shortcuts -> Mission Control
 ### Splitting and Buffers
-| | Action | Shortcut | | --------------------- | ------------- | | Horizontal Split | `\` | |
+| Action           | Shortcut      |
-Vertical Split | `\|` | | Close Buffer | `<Space> + c` |
+| ---------------- | ------------- |
 | Horizontal Split | `\`           |
 | Vertical Split   | `\|`          |
 | Close Buffer     | `<Space> + c` |
 ### Editing and Formatting
@@ -109,7 +112,18 @@ Vertical Split | `\|` | | Close Buffer | `<Space> + c` |
 | Comment Line(support multiple lines)                  | `<Space> + /`  |
 | Open filepath/URL at cursor(neovim's builtin command) | `gx`           |
 | Find files by name (fzf)                              | `<Space> + ff` |
 | Find files by name (include hidden files)             | `<Space> + fF` |
 | Grep string in files (ripgrep)                        | `<Space> + fw` |
 | Grep string in files (include hidden files)           | `<Space> + fW` |
 ### Git
 | Action                     | Shortcut        |
 | -------------------------- | --------------- |
 | Git Commits (repository)   | `:<Space> + gc` |
 | Git Commits (current file) | `:<Space> + gC` |
 | Git Branches               | `:<Space> + gb` |
 | Git Status                 | `:<Space> + gt` |
 ### Sessions
@@ -160,9 +174,10 @@ Provided by mini.surround plugin.
 ### Miscellaneous
 | Action                            |                 |
-| --------------------- | --------------- |
+| --------------------------------- | --------------- |
 | Show all Yank History             | `:<Space> + yh` |
 | Show undo history                 | `:<Space> + uh` |
 | Show the path of the current file | `:!echo $%`     |
 ## Additional Resources
@@ -2,6 +2,7 @@
  config,
  lib,
  pkgs,
  pkgs-unstable,
  ...
 }:
 ###############################################################################
@@ -25,13 +26,37 @@ in {
  programs = {
    neovim = {
      enable = true;
      package = pkgs-unstable.neovim-unwrapped;
      defaultEditor = true;
      viAlias = true;
      vimAlias = true;
-      # currently we use lazy.nvim as neovim's package manager, so comment this one.
+      # These environment variables are needed to build and run binaries
-      # Install packages that will compile locally or download FHS binaries via Nix!
+      # with external package managers like mason.nvim.
      #
      # LD_LIBRARY_PATH is also needed to run the non-FHS binaries downloaded by mason.nvim.
      # it will be set by nix-ld, so we do not need to set it here again.
      extraWrapperArgs = with pkgs; [
        # LIBRARY_PATH is used by gcc before compilation to search directories
        # containing static and shared libraries that need to be linked to your program.
        "--suffix"
        "LIBRARY_PATH"
        ":"
        "${lib.makeLibraryPath [stdenv.cc.cc zlib]}"
        # PKG_CONFIG_PATH is used by pkg-config before compilation to search directories
        # containing .pc files that describe the libraries that need to be linked to your program.
        "--suffix"
        "PKG_CONFIG_PATH"
        ":"
        "${lib.makeSearchPathOutput "dev" "lib/pkgconfig" [stdenv.cc.cc zlib]}"
      ];
      # Currently we use lazy.nvim as neovim's package manager, so comment this one.
      #
      # NOTE: These plugins will not be used by astronvim by default!
      # We should install packages that will compile locally or download FHS binaries via Nix!
      # and use lazy.nvim's `dir` option to specify the package directory in nix store.
      # so that these plugins can work on NixOS.
      #
@@ -40,6 +65,8 @@ in {
      plugins = with pkgs.vimPlugins; [
        # search all the plugins using https://search.nixos.org/packages
        telescope-fzf-native-nvim
        nvim-treesitter.withAllGrammars
      ];
    };
  };
@@ -3,7 +3,6 @@
 -- NOTE: We highly recommend setting up the Lua Language Server (`:LspInstall lua_ls`)
 --       as this provides autocomplete and documentation while editing
 ---@type LazySpec
 return {
  "AstroNvim/astrolsp",
@@ -42,40 +41,51 @@ return {
      -- end
    },
    -- enable servers that you already have installed without mason
    -- https://github.com/neovim/nvim-lspconfig/blob/master/doc/server_configurations.md
    servers = {
-      ---- Frontend & NodeJS
+      ---- Data & Configuration Languages
      "jsonls", -- json language server
      "jsonnet_ls", -- jsonnet language server
      "yamlls", -- yaml language server
      "taplo", -- toml language server
      "dagger", -- cuelsp - cue language server
      "terraformls", -- terraform hcl
      "marksman", -- markdown ls
      "nickel_ls", -- nickel language server
      "nil_ls", -- nix language server
      "bufls", -- protocol buffer language server
      "dockerls", -- dockerfile
      "cmake", -- cmake language server
      "sqls", -- sql language server
      ---- General Purpose Languages
      "clangd", -- c/c++
      "gopls", -- go
      "jdtls", -- java language server, provides only basic features
      "rust_analyzer", -- rust
      "pyright", -- python
      "ruff_lsp", -- extremely fast Python linter and code transformation
      -- "julials", -- julia language server
      -- "zls", -- zig language server
      "lua_ls", -- lua
      "bashls", -- bash
      "nushell", -- nushell language server
      ---- Web Development
      "tsserver", -- typescript/javascript language server
      "tailwindcss", -- tailwindcss language server
      "html", -- html language server
      "cssls", -- css language server
      "prismals", -- prisma language server
      "volar", -- vue language server
-      ---- Configuration Language
+
-      "marksman", -- markdown ls
+      ---- Lisp Like
      "jsonls", -- json language server
      "yamlls", -- yaml language server
      "taplo", -- toml language server
      ---- Backend
      "lua_ls", -- lua
      "gopls", -- go
      "rust_analyzer", -- rust
      "pyright", -- python
      "ruff_lsp", -- extremely fast Python linter and code transformation
      "jdtls", -- java
      "nil_ls", -- nix language server
      "bufls", -- protocol buffer language server
      "zls", -- zig language server
      ---- HDL
      "verible", -- verilog language server
      ---- Operation & Cloud Nativautoindente
      "bashls", -- bash
      "cmake", -- cmake language server
      "clangd", -- c/c++
      "dockerls", -- dockerfile
      "jsonnet_ls", -- jsonnet language server
      "terraformls", -- terraform hcl
      "nushell", -- nushell language server
      "scheme_langserver", -- scheme language server
      "elixirls", -- elixir language server
      -- "clojure_lsp", -- clojure language server"
      ---- Circuit Design
      "verible", -- verilog language server
    },
    -- customize language server configuration options passed to `lspconfig`
    ---@diagnostic disable: missing-fields
@@ -1,4 +1,7 @@
 -- Customize Mason plugins
 --
 -- NOTE: Issue - mason.nvim does not support NixOS:
 -- https://github.com/williamboman/mason.nvim/issues/428
 ---@type LazySpec
 return {
@@ -42,13 +45,14 @@ return {
    -- end,
  },
  {
    -- https://docs.astronvim.com/recipes/dap/
    "jay-babu/mason-nvim-dap.nvim",
    -- mason is unusable on NixOS, disable it.
    -- ensure_installed nothing
-    opts = function(_, opts)
+    -- opts = function(_, opts)
-      opts.ensure_installed = nil
+    --   opts.ensure_installed = nil
-      opts.automatic_installation = false
+    --   opts.automatic_installation = false
-    end,
+    -- end,
    -- overrides `require("mason-nvim-dap").setup(...)`
    -- opts = function(_, opts)
@@ -1,26 +1,19 @@
 return {
-  "nvim-orgmode/orgmode",
+  'nvim-orgmode/orgmode',
-  dependencies = {
+  event = 'VeryLazy',
-    { "nvim-treesitter/nvim-treesitter", lazy = true },
+  ft = { 'org' },
  },
  event = "VeryLazy",
  config = function()
    -- Load treesitter grammar for org
    require("orgmode").setup_ts_grammar()
    -- Setup treesitter
    require("nvim-treesitter.configs").setup {
      highlight = {
        enable = true,
        additional_vim_regex_highlighting = { "org" },
      },
      ensure_installed = { "org" },
    }
    -- Setup orgmode
-    require("orgmode").setup {
+    require('orgmode').setup({
      org_agenda_files = "~/org/**/*",
      org_default_notes_file = "~/org/refile.org",
-    }
+    })
    -- NOTE: If you are using nvim-treesitter with ~ensure_installed = "all"~ option
    -- add ~org~ to ignore_install
    require('nvim-treesitter.configs').setup({
      ensure_installed = 'all',
      ignore_install = { 'org' },
    })
  end,
 }
@@ -3,6 +3,10 @@
 ---@type LazySpec
 return {
  "nvim-treesitter/nvim-treesitter",
  dependencies = {
    -- NOTE: additional parser
    { "nushell/tree-sitter-nu" }, -- nushell scripts
  },
  opts = function(_, opts)
    opts.incremental_selection = {
      enable = true,
@@ -13,48 +17,26 @@ return {
        node_decremental = "<bs>", -- Backspace
      },
    }
-    opts.ignore_install = { "gotmpl" }
+    opts.ignore_install = { "gotmpl", "wing" }
    -- add more things to the ensure_installed table protecting against community packs modifying it
    -- https://github.com/nvim-treesitter/nvim-treesitter/tree/master
    opts.ensure_installed = require("astrocore").list_insert_unique(opts.ensure_installed, {
-      -- neovim
+      -- please add only the tree-sitters that are not available in nixpkgs here
-      "vim",
+
-      "lua",
+      "just",
-      -- operation & cloud native
+      "kdl",
      "dockerfile",
      "hcl",
      "jsonnet",
      "regex",
      "terraform",
      "nix",
      "csv",
-      -- other programming language
+      "xml",
      ---- Misc
      "diff",
      "git_config",
      "git_rebase",
      "gitignore",
      "gitcommit",
-      "latex",
+      "gitattributes",
-      "sql",
+      "ssh_config",
      -- Lisp like
      "fennel",
      "clojure",
      "commonlisp",
      -- customized languages:
      "scheme",
    })
    -- add support for scheme
    local parser_config = require("nvim-treesitter.parsers").get_parser_configs()
    parser_config.scheme = {
      install_info = {
        url = "https://github.com/6cdh/tree-sitter-scheme", -- local path or git repo
        files = { "src/parser.c" },
        -- optional entries:
        branch = "main", -- default branch in case of git repo if different from master
        generate_requires_npm = false, -- if stand-alone parser without npm dependencies
        requires_generate_from_grammar = false, -- if folder contains pre-generated src/parser.c
      },
    }
    -- use scheme parser for filetypes: scm
    vim.treesitter.language.register("scheme", "scm")
  end,
 }
@@ -5,50 +5,9 @@
    '';
  };
-  home.packages = with pkgs; [
+  home.packages = with pkgs; (
-    #-- c/c++
+    # -*- Data & Configuration Languages -*-#
-    cmake
+    [
    cmake-language-server
    gnumake
    checkmake
    # c/c++ compiler, required by nvim-treesitter!
    gcc
    # c/c++ tools with clang-tools, the unwrapped version won't
    # add alias like `cc` and `c++`, so that it won't conflict with gcc
    llvmPackages.clang-unwrapped
    lldb
    #-- python
    nodePackages.pyright # python language server
    (python311.withPackages (
      ps:
        with ps; [
          ruff-lsp
          black # python formatter
          jupyter
          ipython
          pandas
          requests
          pyquery
          pyyaml
          ## emacs's lsp-bridge dependenciesge
          epc
          orjson
          sexpdata
          six
          setuptools
          paramiko
          rapidfuzz
        ]
    ))
    #-- rust
    rust-analyzer
    cargo # rust package manager
    rustfmt
      #-- nix
      nil
      # rnix-lsp
@@ -57,6 +16,85 @@
      deadnix # Find and remove unused code in .nix source files
      alejandra # Nix Code Formatter
      #-- nickel lang
      nickel
      #-- json like
      # terraform  # install via brew on macOS
      terraform-ls
      jsonnet
      jsonnet-language-server
      taplo # TOML language server / formatter / validator
      nodePackages.yaml-language-server
      actionlint # GitHub Actions linter
      #-- dockerfile
      hadolint # Dockerfile linter
      nodePackages.dockerfile-language-server-nodejs
      #-- markdown
      marksman # language server for markdown
      glow # markdown previewer
      pandoc # document converter
      hugo # static site generator
      #-- sql
      sqlfluff
      #-- protocol buffer
      buf # linting and formatting
    ]
    ++
    #-*- General Purpose Languages -*-#
    [
      #-- c/c++
      cmake
      cmake-language-server
      gnumake
      checkmake
      # c/c++ compiler, required by nvim-treesitter!
      gcc
      gdb
      # c/c++ tools with clang-tools, the unwrapped version won't
      # add alias like `cc` and `c++`, so that it won't conflict with gcc
      # llvmPackages.clang-unwrapped
      clang-tools
      lldb
      #-- python
      pyright # python language server
      (python311.withPackages (
        ps:
          with ps; [
            ruff-lsp
            black # python formatter
            # debugpy
            # my commonly used python packages
            jupyter
            ipython
            pandas
            requests
            pyquery
            pyyaml
            boto3
            ## emacs's lsp-bridge dependenciesge
            # epc
            # orjson
            # sexpdata
            # six
            # setuptools
            # paramiko
            # rapidfuzz
          ]
      ))
      #-- rust
      rust-analyzer
      cargo # rust package manager
      rustfmt
      #-- golang
      go
      gomodifytags
@@ -71,6 +109,10 @@
      gradle
      maven
      spring-boot-cli
      jdt-language-server
      #-- zig
      zls
      #-- lua
      stylua
@@ -80,8 +122,9 @@
      nodePackages.bash-language-server
      shellcheck
      shfmt
-
+    ]
-    #-- javascript/typescript --#
+    #-*- Web Development -*-#
    ++ [
      nodePackages.nodejs
      nodePackages.typescript
      nodePackages.typescript-language-server
@@ -89,45 +132,24 @@
      nodePackages.vscode-langservers-extracted
      nodePackages."@tailwindcss/language-server"
      emmet-ls
-
+    ]
-    # -- Lisp like Languages
+    # -*- Lisp like Languages -*-#
    ++ [
      guile
      racket-minimal
      fnlfmt # fennel
-
+    ]
-    #-- Others
+    ++ [
    taplo # TOML language server / formatter / validator
    nodePackages.yaml-language-server
    sqlfluff # SQL linter
    actionlint # GitHub Actions linter
    buf # protoc plugin for linting and formatting
      proselint # English prose linter
    #-- Misc
    tree-sitter # common language parser/highlighter
    nodePackages.prettier # common code formatter
    marksman # language server for markdown
    glow # markdown previewer
    fzf
    pandoc # document converter
    hugo # static site generator
    #-- Optional Requirements:
    gdu # disk usage analyzer, required by AstroNvim
    (ripgrep.override {withPCRE2 = true;}) # recursively searches directories for a regex pattern
    #-- CloudNative
    nodePackages.dockerfile-language-server-nodejs
    # terraform  # install via brew on macOS
    terraform-ls
    jsonnet
    jsonnet-language-server
    hadolint # Dockerfile linter
    #-- zig
    zls
      #-- verilog / systemverilog
      verible
-    gdb
+
-  ];
+      #-- Optional Requirements:
      nodePackages.prettier # common code formatter
      fzf
      gdu # disk usage analyzer, required by AstroNvim
      (ripgrep.override {withPCRE2 = true;}) # recursively searches directories for a regex pattern
    ]
  );
 }
@@ -16,7 +16,7 @@ using a Cloud provider for key management.
 Both age, Sops & GnuPG provide asymmetric encryption, which is useful for encrypting files for a
 specific user.
-For morden use, age is recommended, as it use [AEAD encryption function -
+For modern use, age is recommended, as it use [AEAD encryption function -
 ChaCha20-Poly1305][age Format v1], If you do not want to manage the keys by yourself, Sops is
 recommended, as it use KMS for key management.
@@ -104,7 +104,7 @@ one keypair, or a keyring/keychain(which contains multiple sub key-pairs).
 Let's generate a keypair interactively:
-> Now in 2024, GnuPG 2.4.1 defaults to ECC algorithm (9) and Curve 25519 for ECC, which is morden
+> Now in 2024, GnuPG 2.4.1 defaults to ECC algorithm (9) and Curve 25519 for ECC, which is modern
 > and safe, I would recommend to use these defaults directly.
 ```bash
@@ -31,9 +31,9 @@ in {
      use ${nu_scripts}/share/nu_scripts/custom-completions/cargo/cargo-completions.nu *
      use ${nu_scripts}/share/nu_scripts/custom-completions/zellij/zellij-completions.nu *
      # alias
-      use ${nu_scripts}/share/nu_scripts/aliases/git/git-aliases.nu *
+      # use ${nu_scripts}/share/nu_scripts/aliases/git/git-aliases.nu *
      use ${nu_scripts}/share/nu_scripts/aliases/eza/eza-aliases.nu *
-      # use ${nu_scripts}/share/nu_scripts/aliases/bat/bat-aliases.nu *
+      use ${nu_scripts}/share/nu_scripts/aliases/bat/bat-aliases.nu *
    '';
  };
 }
@@ -1,3 +0,0 @@
 {myvars, ...}: {
  home.homeDirectory = "/Users/${myvars.username}";
 }
@@ -1,4 +1,9 @@
-{mylib, ...}: {
+{
  mylib,
  myvars,
  ...
 }: {
  home.homeDirectory = "/Users/${myvars.username}";
  imports =
    (mylib.scanPaths ./.)
    ++ [
@@ -1,7 +1,7 @@
 {
  pkgs,
  pkgs-unstable,
-  pkgs-stable,
+  # pkgs-stable,
  nur-ryan4yin,
  ...
 }: {
@@ -19,7 +19,7 @@
    # kicad     # 3d printing, eletrical engineering
    # fpga
-    pkgs-unstable.python311Packages.apycula # gowin fpga
+    pkgs-unstable.python312Packages.apycula # gowin fpga
    pkgs-unstable.yosys # fpga synthesis
    pkgs-unstable.nextpnr # fpga place and route
    pkgs-unstable.openfpgaloader # fpga programming
@@ -30,7 +30,7 @@
    # live streaming
    obs-studio = {
      enable = true;
-      plugins = with pkgs-stable.obs-studio-plugins; [
+      plugins = with pkgs.obs-studio-plugins; [
        # screen capture
        wlrobs
        # obs-ndi
@@ -45,7 +45,7 @@
    theme = {
      # https://github.com/catppuccin/gtk
-      name = "Catppuccin-Macchiato-Compact-Pink-Dark";
+      name = "catppuccin-macchiato-pink-compact";
      package = pkgs.catppuccin-gtk.override {
        # https://github.com/NixOS/nixpkgs/blob/nixos-23.05/pkgs/data/themes/catppuccin-gtk/default.nix
        accents = ["pink"];
@@ -1,5 +1,5 @@
-{pkgs, ...}: {
+{pkgs-stable, ...}: {
-  home.packages = with pkgs; [
+  home.packages = with pkgs-stable; [
    # https://joplinapp.org/help/
    joplin # joplin-cli
    joplin-desktop
@@ -68,7 +68,7 @@
        "x-scheme-handler/tg" = ["org.telegram.desktop.desktop "];
        "audio/*" = ["mpv.desktop"];
-        "video/*" = ["mpv.dekstop"];
+        "video/*" = ["mpv.desktop"];
        "image/*" = ["imv-dir.desktop"];
        "image/gif" = ["imv-dir.desktop"];
        "image/jpeg" = ["imv-dir.desktop"];
@@ -1,5 +1,9 @@
 #!/usr/bin/env bash
 ## Fix anyrun
 ## https://github.com/anyrun-org/anyrun/issues/153
 ln -s $XDG_RUNTIME_DIR/hypr /tmp/hypr
 ## Autostart Programs
 # Kill already running process
@@ -1,11 +1,10 @@
 {
  pkgs,
  lib,
  hyprland,
  nur-ryan4yin,
  ...
 }: let
-  package = hyprland.packages.${pkgs.system}.hyprland;
+  package = pkgs.hyprland;
 in {
  # NOTE:
  # We have to enable hyprland/i3's systemd user service in home-manager,
@@ -30,7 +29,10 @@ in {
    };
    extraConfig = builtins.readFile ../conf/hyprland.conf;
    # gammastep/wallpaper-switcher need this to be enabled.
-    systemd.enable = true;
+    systemd = {
      enable = true;
      variables = ["--all"];
    };
  };
  # NOTE: this executable is used by greetd to start a wayland session when system boot up
@@ -1,143 +0,0 @@
 # Rakushun - Disk and Installation
 Disk layout:
 ```bash
 [ryan@rakushun:~]$ lsblk
 NAME        MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
 sda           8:0    1 58.6G  0 disk
 └─sda1        8:1    1  487M  0 part
 mtdblock0    31:0    0   16M  0 disk
 zram0       254:0    0    0B  0 disk
 nvme0n1     259:0    0  1.8T  0 disk
 ├─nvme0n1p1 259:1    0  630M  0 part  /boot
 └─nvme0n1p2 259:2    0  1.8T  0 part
  └─encrypted 253:0    0  1.8T  0 crypt /tmp
                                      /swap
                                      /snapshots
                                      /home/ryan/tmp
                                      /home/ryan/nix-config
                                      /home/ryan/go
                                      /home/ryan/codes
                                      /home/ryan/.ssh
                                      /home/ryan/.local/state
                                      /home/ryan/.npm
                                      /home/ryan/.local/share
                                      /home/ryan/.conda
                                      /etc/ssh
                                      /etc/nix/inputs
                                      /etc/secureboot
                                      /etc/agenix
                                      /etc/NetworkManager/system-connections
                                      /etc/machine-id
                                      /nix/store
                                      /var/log
                                      /var/lib
                                      /nix
                                      /persistent
 [ryan@rakushun:~]$ df -Th
 Filesystem          Type      Size  Used Avail Use% Mounted on
 devtmpfs            devtmpfs  785M     0  785M   0% /dev
 tmpfs               tmpfs     7.7G     0  7.7G   0% /dev/shm
 tmpfs               tmpfs     3.9G  6.8M  3.9G   1% /run
 tmpfs               tmpfs     7.7G  1.9M  7.7G   1% /run/wrappers
 none                tmpfs     4.0G   48K  4.0G   1% /
 /dev/mapper/crypted btrfs     1.9T   19G  1.8T   2% /persistent
 /dev/mapper/crypted btrfs     1.9T   19G  1.8T   2% /nix
 /dev/mapper/crypted btrfs     1.9T   19G  1.8T   2% /snapshots
 /dev/mapper/crypted btrfs     1.9T   19G  1.8T   2% /swap
 /dev/mapper/crypted btrfs     1.9T   19G  1.8T   2% /tmp
 /dev/nvme0n1p1      vfat      629M   96M  534M  16% /boot
 tmpfs               tmpfs     1.6G  4.0K  1.6G   1% /run/user/1000
 ```
 CPU info:
 ```bash
 [ryan@rakushun:~]$ lscpu
 Architecture:           aarch64
  CPU op-mode(s):       32-bit, 64-bit
  Byte Order:           Little Endian
 CPU(s):                 8
  On-line CPU(s) list:  0-7
 Vendor ID:              ARM
  Model name:           Cortex-A55
    Model:              0
    Thread(s) per core: 1
    Core(s) per socket: 4
    Socket(s):          1
    Stepping:           r2p0
    CPU(s) scaling MHz: 67%
    CPU max MHz:        1800.0000
    CPU min MHz:        408.0000
    BogoMIPS:           48.00
    Flags:              fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp
  Model name:           Cortex-A76
    Model:              0
    Thread(s) per core: 1
    Core(s) per socket: 2
    Socket(s):          2
    Stepping:           r4p0
    CPU(s) scaling MHz: 18%
    CPU max MHz:        2256.0000
    CPU min MHz:        408.0000
    BogoMIPS:           48.00
    Flags:              fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp
 Caches (sum of all):
  L1d:                  384 KiB (8 instances)
  L1i:                  384 KiB (8 instances)
  L2:                   2.5 MiB (8 instances)
  L3:                   3 MiB (1 instance)
 ```
 ## How to install NixOS on Orange Pi 5 Plus
 ### 1. Prepare a USB LUKS key
 Generate LUKS keyfile to encrypt the root partition, it's used by disko.
 ```bash
 # partition the usb stick
 DEV=/dev/sdX
 parted ${DEV} -- mklabel gpt
 parted ${DEV} -- mkpart OPI5P_DSC fat32 0% 512MB
 mkfs.fat -F 32 -n OPI5P_DSC ${DEV}1
 # Generate a keyfile from the true random number generator
 KEYFILE=./orangepi5plus-luks-keyfile
 dd bs=512 count=64 iflag=fullblock if=/dev/random of=$KEYFILE
 # copy the keyfile and token to the usb stick
 KEYFILE=./orangepi5plus-luks-keyfile
 DEVICE=/dev/disk/by-label/OPI5P_DSC
 # seek=128 skip N obs-sized output blocks to avoid overwriting the filesystem header
 dd bs=512 count=64 iflag=fullblock seek=128 if=$KEYFILE of=$DEVICE
 ```
 ### 2. Partition the SSD & install NixOS via disko
 First, follow
 [UEFI - ryan4yin/nixos-rk3588](https://github.com/ryan4yin/nixos-rk3588/blob/main/UEFI.md) to
 install UEFI bootloader and boot into NixOS live environment via a USB stick.
 Then, run the following commands:
 ```bash
 # transfer the nix-config to the target machine
 rsync -avzP ~/nix-config rk@<ip-addr>:/home/rk/
 # login via ssh
 ssh rk@<ip-addr>
 cd ~/nix-config/hosts/12kingdoms_rakushun
 # 1. change the disk device path in ./disko-fs.nix to the disk you want to use
 # 2. partition & format the disk via disko
 sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko -- --mode disko ./disko-fs.nix
 cd ~/nix-config
 # install nixos
 # NOTE: the root password you set here will be discarded when reboot
 sudo nixos-install --root /mnt --flake .#rakushun --no-root-password --show-trace --verbose
 ```
@@ -1,33 +0,0 @@
 # Rakushun - Orange Pi 5 Plus
 LUKS encrypted SSD for NixOS, on Orange Pi 5 Plus.
 Host running storage, operation and maintenance related services:
 1. Storage such as git server, file server/browser, torrent downloader,, etc.
 1. Backup or sync my personal data to cloud or NAS.
   - For safety, those data should be encrypted before sending to the cloud or my NAS.
 1. Collect and monitor the metrics/logs of my homelab.
 ## Showcases
 ![](../../_img/2024-03-07_orangepi5plus_rakushun.webp)
 ## Features
 Services:
 1. prometheus + alertmanager + grafana + loki: Monitor the metrics/logs of my homelab.
 1. restic: Backup my personal data to cloud or NAS.
 1. synthing: Sync file between android/macbook/PC and NAS.
 1. gitea: Self-hosted git service.
 1. sftpgo: SFTP server.
 1. transmission & AriaNg: Torrent downloader and HTTP downloader
 1. alist/filebrower: File browser for local/SMB/Cloud
 All the services assumes a reverse proxy to be setup in the front, they are all listening on
 localhost, and a caddy service is listening on the local network interface and proxy the requests to
 the services.
 TODO: create a private PKI for caddy, to achieve end-to-end encryption between caddy and the
 services.
@@ -1,38 +0,0 @@
 {
  mylib,
  disko,
  nixos-rk3588,
  myvars,
  ...
 }:
 #############################################################
 #
 #  Suzu - Orange Pi 5 Plus, RK3588 + 16GB RAM
 #
 #############################################################
 let
  hostName = "rakushun"; # Define your hostname.
 in {
  imports =
    (mylib.scanPaths ./.)
    ++ [
      # import the rk3588 module, which contains the configuration for bootloader/kernel/firmware
      nixos-rk3588.nixosModules.orangepi5plus.core
      disko.nixosModules.default
    ];
  networking = {
    inherit hostName;
    inherit (myvars.networking) defaultGateway nameservers;
    inherit (myvars.networking.hostsInterface.${hostName}) interfaces;
    networkmanager.enable = false;
  };
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "23.11"; # Did you read the comment?
 }
@@ -1,110 +0,0 @@
 {
  # required by impermanence
  fileSystems."/persistent".neededForBoot = true;
  disko.devices = {
    nodev."/" = {
      fsType = "tmpfs";
      mountOptions = [
        "size=4G"
        "defaults"
        # set mode to 755, otherwise systemd will set it to 777, which cause problems.
        # relatime: Update inode access times relative to modify or change time.
        "mode=755"
      ];
    };
    # TODO: rename to main
    disk.sda = {
      type = "disk";
      # When using disko-install, we will overwrite this value from the commandline
      device = "/dev/nvme0n1"; # The device to partition
      content = {
        type = "gpt";
        partitions = {
          # The EFI & Boot partition
          ESP = {
            size = "630M";
            type = "EF00";
            content = {
              type = "filesystem";
              format = "vfat";
              mountpoint = "/boot";
              mountOptions = [
                "defaults"
              ];
            };
          };
          # The root partition
          luks = {
            size = "100%";
            content = {
              type = "luks";
              name = "encrypted";
              settings = {
                keyFile = "/dev/disk/by-label/OPI5P_DSC"; # The keyfile is stored on a USB stick
                # The maximum size of the keyfile is 8192 bytes
                keyFileSize = 512 * 64; # match the `bs * count` of the `dd` command
                keyFileOffset = 512 * 128; # match the `bs * skip` of the `dd` command
                fallbackToPassword = true;
                allowDiscards = true;
              };
              # Whether to add a boot.initrd.luks.devices entry for the specified disk.
              initrdUnlock = true;
              # encrypt the root partition with luks2 and argon2id, will prompt for a passphrase, which will be used to unlock the partition.
              # cryptsetup luksFormat
              extraFormatArgs = [
                "--type luks2"
                "--cipher aes-xts-plain64"
                "--hash sha512"
                "--iter-time 5000"
                "--key-size 256"
                "--pbkdf argon2id"
                # use true random data from /dev/random, will block until enough entropy is available
                "--use-random"
              ];
              extraOpenArgs = [
                "--timeout 10"
              ];
              content = {
                type = "btrfs";
                extraArgs = ["-f"]; # Force override existing partition
                subvolumes = {
                  # mount the top-level subvolume at /btr_pool
                  # it will be used by btrbk to create snapshots
                  "/" = {
                    mountpoint = "/btr_pool";
                    # btrfs's top-level subvolume, internally has an id 5
                    # we can access all other subvolumes from this subvolume.
                    mountOptions = ["subvolid=5"];
                  };
                  "@nix" = {
                    mountpoint = "/nix";
                    mountOptions = ["compress-force=zstd:1" "noatime"];
                  };
                  "@persistent" = {
                    mountpoint = "/persistent";
                    mountOptions = ["compress-force=zstd:1" "noatime"];
                  };
                  "@tmp" = {
                    mountpoint = "/tmp";
                    mountOptions = ["compress-force=zstd:1" "noatime"];
                  };
                  "@snapshots" = {
                    mountpoint = "/snapshots";
                    mountOptions = ["compress-force=zstd:1" "noatime"];
                  };
                  "@swap" = {
                    mountpoint = "/swap";
                    swap.swapfile.size = "16384M";
                  };
                };
              };
            };
          };
        };
      };
    };
  };
 }
@@ -1,39 +0,0 @@
 {
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }: {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];
  boot.loader = {
    # depending on how you configured your disk mounts, change this to /boot or /boot/efi.
    efi.efiSysMountPoint = "/boot/";
    efi.canTouchEfiVariables = true;
    # do not use systemd-boot here, it has problems when running `nixos-install`
    grub = {
      device = "nodev";
      efiSupport = true;
    };
  };
  # clear /tmp on boot to get a stateless /tmp directory.
  boot.tmp.cleanOnBoot = true;
  boot.initrd.availableKernelModules = ["nvme" "usbhid" "usb_storage"];
  boot.initrd.kernelModules = [];
  boot.kernelModules = [];
  boot.extraModulePackages = [];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enP3p49s0.useDHCP = lib.mkDefault true;
  # networking.interfaces.enP4p65s0.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
 }
@@ -1,3 +0,0 @@
 # Homepage for my Homelab
 > WIP, just a demo for now
@@ -1,25 +0,0 @@
 {pkgs, ...}: let
  configDir = "/var/lib/homepage-dashboard";
 in {
  # https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/services/misc/homepage-dashboard.nix
  services.homepage-dashboard = {
    enable = true;
    listenPort = 4401;
    openFirewall = false;
  };
  systemd.services.homepage-dashboard.environment = {
    HOMEPAGE_CONFIG_DIR = configDir;
    # 1. The value of env var HOMEPAGE_VAR_XXX will replace {{HOMEPAGE_VAR_XXX}} in any config
    # HOMEPAGE_VAR_XXX_APIKEY = "myapikey";
    # 2. The value of env var HOMEPAGE_FILE_XXX must be a file path,
    # the contents of which will be used to replace {{HOMEPAGE_FILE_XXX}} in any config
  };
  # Install the homepage-dashboard configuration files
  system.activationScripts.installHomepageDashboardConfig = ''
    mkdir -p ${configDir}
    ${pkgs.rsync}/bin/rsync -avz --chmod=D2755,F600 ${./config}/ ${configDir}/
    ${pkgs.systemdMinimal}/bin/systemctl restart homepage-dashboard
  '';
 }
@@ -1,75 +0,0 @@
 {
  impermanence,
  pkgs,
  ...
 }: {
  imports = [
    impermanence.nixosModules.impermanence
  ];
  environment.systemPackages = [
    # `sudo ncdu -x /`
    pkgs.ncdu
  ];
  # There are two ways to clear the root filesystem on every boot:
  ##  1. use tmpfs for /
  ##  2. (btrfs/zfs only)take a blank snapshot of the root filesystem and revert to it on every boot via:
  ##     boot.initrd.postDeviceCommands = ''
  ##       mkdir -p /run/mymount
  ##       mount -o subvol=/ /dev/disk/by-uuid/UUID /run/mymount
  ##       btrfs subvolume delete /run/mymount
  ##       btrfs subvolume snapshot / /run/mymount
  ##     '';
  #
  #  See also https://grahamc.com/blog/erase-your-darlings/
  # NOTE: impermanence only mounts the directory/file list below to /persistent
  # If the directory/file already exists in the root filesystem, you should
  # move those files/directories to /persistent first!
  environment.persistence."/persistent" = {
    # sets the mount option x-gvfs-hide on all the bind mounts
    # to hide them from the file manager
    hideMounts = true;
    directories = [
      "/etc/NetworkManager/system-connections"
      "/etc/ssh"
      "/etc/nix/inputs"
      "/etc/secureboot" # lanzaboote - secure boot
      # my secrets
      "/etc/agenix/"
      "/var/log"
      "/var/lib"
    ];
    files = [
      "/etc/machine-id"
    ];
    # the following directories will be passed to /persistent/home/$USER
    users.ryan = {
      directories = [
        "codes"
        "nix-config"
        "tmp"
        {
          directory = ".ssh";
          mode = "0700";
        }
        # neovim / remmina / flatpak / ...
        ".local/share"
        ".local/state"
        # language package managers
        ".npm"
        ".conda" # generated by `conda-shell`
        "go"
      ];
      files = [
        ".config/nushell/history.txt"
      ];
    };
  };
 }
@@ -1,26 +0,0 @@
 {
  # Replace dashy with gethomepage, because dashy is too slow to start/reload.
  # # Install the dashy configuration file instead of symlink it
  # system.activationScripts.installDashyConfig = ''
  #   install -Dm 600 ${./dashy_conf.yml} /etc/dashy/dashy_conf.yml
  # '';
  #
  # # https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/virtualisation/oci-containers.nix
  # virtualisation.oci-containers.containers = {
  #   # check its logs via `journalctl -u podman-dashy`
  #   dashy = {
  #     hostname = "dashy";
  #     image = "lissy93/dashy:latest";
  #     ports = ["127.0.0.1:4000:80"];
  #     environment = {
  #       "NODE_ENV" = "production";
  #     };
  #     volumes = [
  #       "/etc/dashy/dashy_conf.yml:/app/public/conf.yml"
  #     ];
  #     autoStart = true;
  #     # cmd = [];
  #   };
  # };
 }
@@ -1,12 +0,0 @@
 {
  # https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/services/monitoring/uptime-kuma.nix
  services.uptime-kuma = {
    enable = true;
    # https://github.com/louislam/uptime-kuma/wiki/Environment-Variables
    settings = {
      "UPTIME_KUMA_HOST" = "127.0.0.1";
      "UPTIME_KUMA_PORT" = "3350";
      "DATA_DIR" = "/var/lib/uptime-kuma/";
    };
  };
 }
@@ -11,7 +11,7 @@
      },
      "original": {
        "owner": "nixos",
-        "ref": "nixos-23.11",
+        "ref": "nixos-24.05",
        "repo": "nixpkgs",
        "type": "github"
      }
@@ -1,6 +1,6 @@
 {
  # a flake for testing
-  inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
+  inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
  outputs = {nixpkgs, ...}: let
    system = "x86_64-linux";
    pkgs = import nixpkgs {inherit system;};
@@ -38,5 +38,5 @@ in {
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "23.11"; # Did you read the comment?
+  system.stateVersion = "24.05"; # Did you read the comment?
 }
@@ -37,13 +37,14 @@
    "ntfs"
    "fat"
    "vfat"
    "exfat"
  ];
  # clear /tmp on boot to get a stateless /tmp directory.
  boot.tmp.cleanOnBoot = true;
  boot.initrd = {
    # unlocked luks devices via a keyfile or prompt a passphrase.
-    luks.devices."encrypted-nixos" = {
+    luks.devices."crypted-nixos" = {
      device = "/dev/nvme0n1p4";
      # the keyfile(or device partition) that should be used as the decryption key for the encrypted device.
      # if not specified, you will be prompted for a passphrase instead.
@@ -1,142 +0,0 @@
 # Suzu - Disk and Installation
 Disk layout:
 ```bash
 [ryan@suzu:~]$ lsblk
 NAME        MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
 sda           8:0    1  58.6G  0 disk
 └─sda1        8:1    1   486M  0 part
 mtdblock0    31:0    0    16M  0 disk
 zram0       254:0    0     0B  0 disk
 nvme0n1     259:0    0 238.5G  0 disk
 ├─nvme0n1p1 259:1    0   630M  0 part  /boot
 └─nvme0n1p2 259:2    0 237.9G  0 part
  └─encrypted 253:0    0 237.8G  0 crypt /tmp
                                       /snapshots
                                       /swap
                                       /home/ryan/tmp
                                       /home/ryan/nix-config
                                       /home/ryan/go
                                       /home/ryan/.local/state
                                       /home/ryan/codes
                                       /home/ryan/.npm
                                       /home/ryan/.ssh
                                       /home/ryan/.local/share
                                       /etc/ssh
                                       /home/ryan/.conda
                                       /etc/secureboot
                                       /etc/agenix
                                       /etc/nix/inputs
                                       /etc/NetworkManager/system-connections
                                       /nix/store
                                       /var/log
                                       /var/lib
                                       /nix
                                       /persistent
 [ryan@suzu:~]$ df -Th
 Filesystem          Type      Size  Used Avail Use% Mounted on
 devtmpfs            devtmpfs  383M     0  383M   0% /dev
 tmpfs               tmpfs     3.8G     0  3.8G   0% /dev/shm
 tmpfs               tmpfs     1.9G  6.2M  1.9G   1% /run
 tmpfs               tmpfs     3.8G  1.9M  3.8G   1% /run/wrappers
 none                tmpfs     2.0G   48K  2.0G   1% /
 /dev/mapper/crypted btrfs     238G   11G  226G   5% /persistent
 /dev/mapper/crypted btrfs     238G   11G  226G   5% /nix
 /dev/mapper/crypted btrfs     238G   11G  226G   5% /swap
 /dev/mapper/crypted btrfs     238G   11G  226G   5% /snapshots
 /dev/mapper/crypted btrfs     238G   11G  226G   5% /tmp
 /dev/nvme0n1p1      vfat      629M   86M  543M  14% /boot
 tmpfs               tmpfs     766M  4.0K  766M   1% /run/user/1000
 ```
 CPU info:
 ```bash
 [ryan@suzu:~]$ lscpu
 Architecture:           aarch64
  CPU op-mode(s):       32-bit, 64-bit
  Byte Order:           Little Endian
 CPU(s):                 8
  On-line CPU(s) list:  0-7
 Vendor ID:              ARM
  Model name:           Cortex-A55
    Model:              0
    Thread(s) per core: 1
    Core(s) per socket: 4
    Socket(s):          1
    Stepping:           r2p0
    CPU(s) scaling MHz: 56%
    CPU max MHz:        1800.0000
    CPU min MHz:        408.0000
    BogoMIPS:           48.00
    Flags:              fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp
  Model name:           Cortex-A76
    Model:              0
    Thread(s) per core: 1
    Core(s) per socket: 2
    Socket(s):          2
    Stepping:           r4p0
    CPU(s) scaling MHz: 18%
    CPU max MHz:        2256.0000
    CPU min MHz:        408.0000
    BogoMIPS:           48.00
    Flags:              fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp
 Caches (sum of all):
  L1d:                  384 KiB (8 instances)
  L1i:                  384 KiB (8 instances)
  L2:                   2.5 MiB (8 instances)
  L3:                   3 MiB (1 instance)
 ```
 ## How to install NixOS on Orange Pi 5
 ### 1. Prepare a USB LUKS key
 Generate LUKS keyfile to encrypt the root partition, it's used by disko.
 ```bash
 # partition the usb stick
 DEV=/dev/sdX
 parted ${DEV} -- mklabel gpt
 parted ${DEV} -- mkpart primary 2M 512MB
 mkfs.fat -F 32 -n OPI5_DSC ${DEV}1
 # Generate a keyfile from the true random number generator
 KEYFILE=./orangepi5-luks-keyfile
 dd bs=512 count=64 iflag=fullblock if=/dev/random of=$KEYFILE
 # copy the keyfile and token to the usb stick
 KEYFILE=./orangepi5-luks-keyfile
 DEVICE=/dev/disk/by-label/OPI5_DSC
 # seek=128 skip N obs-sized output blocks to avoid overwriting the filesystem header
 dd bs=512 count=64 iflag=fullblock seek=128 if=$KEYFILE of=$DEVICE
 ```
 ### 2. Partition the SSD & install NixOS via disko
 First, follow
 [UEFI - ryan4yin/nixos-rk3588](https://github.com/ryan4yin/nixos-rk3588/blob/main/UEFI.md) to
 install UEFI bootloader and boot into NixOS live environment via a USB stick.
 Then, run the following commands:
 ```bash
 # login via ssh
 ssh rk@<ip-addr>
 git clone https://github.com/ryan4yin/nix-config.git
 cd ~/nix-config/hosts/12kingdoms_suzu
 # 1. change the disk device path in ./disko-fs.nix to the disk you want to use
 # 2. partition & format the disk via disko
 sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko -- --mode disko ./disko-fs.nix
 cd ~/nix-config
 # install nixos
 # NOTE: the root password you set here will be discarded when reboot
 sudo nixos-install --root /mnt --flake .#suzu --no-root-password --show-trace --verbose
 ```
@@ -1,34 +0,0 @@
 # Suzu - Orange Pi 5
 LUKS encrypted SSD for NixOS, on Orange Pi 5.
 ## TODOs
 - [ ] Add support for BGP routing.
  - [Comparing Open Source BGP Stacks](https://elegantnetwork.github.io/posts/comparing-open-source-bgp-stacks/)
  - [`services.frr.*` - search.nixos.org](https://search.nixos.org/options?channel=unstable&query=services.frr)
 ## Showcases
 ![](../../_img/2024-03-07_orangepi5_suzu.webp)
 ## Features
 Micro VMs:
 1. suzi: dae router(transparent proxy, dhcp)
 1. mitsuha: tailscale gateway(sub router)
 Services:
 1. OCI Containers: to run some servides that's not available in NixOS.
 1. ddns
 1. uptime-kuma: uptime monitoring
 1. excalidraw/DDTV/owncast/jitsi-meet/...
 All the services assumes a reverse proxy to be setup in the front, they are all listening on
 localhost, and a caddy service is listening on the local network interface and proxy the requests to
 the services.
 TODO: create a private PKI for caddy, to achieve end-to-end encryption between caddy and the
 services.
@@ -1,34 +0,0 @@
 {
  disko,
  nixos-rk3588,
  mylib,
  ...
 }:
 #############################################################
 #
 #  Suzu - Orange Pi 5 Plus, RK3588 + 16GB RAM
 #
 #  https://github.com/astro/microvm.nix
 #
 #############################################################
 let
  hostName = "suzu"; # Define your hostname.
 in {
  imports =
    (mylib.scanPaths ./.)
    ++ [
      # import the rk3588 module, which contains the configuration for bootloader/kernel/firmware
      nixos-rk3588.nixosModules.orangepi5plus.core
      disko.nixosModules.default
    ];
  networking = {inherit hostName;};
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "23.11"; # Did you read the comment?
 }
@@ -1,110 +0,0 @@
 {
  # required by impermanence
  fileSystems."/persistent".neededForBoot = true;
  disko.devices = {
    nodev."/" = {
      fsType = "tmpfs";
      mountOptions = [
        "size=2G"
        "defaults"
        # set mode to 755, otherwise systemd will set it to 777, which cause problems.
        # relatime: Update inode access times relative to modify or change time.
        "mode=755"
      ];
    };
    # TODO: rename to main
    disk.sda = {
      type = "disk";
      # When using disko-install, we will overwrite this value from the commandline
      device = "/dev/nvme0n1"; # The device to partition
      content = {
        type = "gpt";
        partitions = {
          # The EFI & Boot partition
          ESP = {
            size = "630M";
            type = "EF00";
            content = {
              type = "filesystem";
              format = "vfat";
              mountpoint = "/boot";
              mountOptions = [
                "defaults"
              ];
            };
          };
          # The root partition
          luks = {
            size = "100%";
            content = {
              type = "luks";
              name = "encrypted";
              settings = {
                keyFile = "/dev/disk/by-label/OPI5_DSC"; # The keyfile is stored on a USB stick
                # The maximum size of the keyfile is 8192 bytes
                keyFileSize = 512 * 64; # match the `bs * count` of the `dd` command
                keyFileOffset = 512 * 128; # match the `bs * skip` of the `dd` command
                fallbackToPassword = true;
                allowDiscards = true;
              };
              # Whether to add a boot.initrd.luks.devices entry for the specified disk.
              initrdUnlock = true;
              # encrypt the root partition with luks2 and argon2id, will prompt for a passphrase, which will be used to unlock the partition.
              # cryptsetup luksFormat
              extraFormatArgs = [
                "--type luks2"
                "--cipher aes-xts-plain64"
                "--hash sha512"
                "--iter-time 5000"
                "--key-size 256"
                "--pbkdf argon2id"
                # use true random data from /dev/random, will block until enough entropy is available
                "--use-random"
              ];
              extraOpenArgs = [
                "--timeout 10"
              ];
              content = {
                type = "btrfs";
                extraArgs = ["-f"]; # Force override existing partition
                subvolumes = {
                  # mount the top-level subvolume at /btr_pool
                  # it will be used by btrbk to create snapshots
                  "/" = {
                    mountpoint = "/btr_pool";
                    # btrfs's top-level subvolume, internally has an id 5
                    # we can access all other subvolumes from this subvolume.
                    mountOptions = ["subvolid=5"];
                  };
                  "@nix" = {
                    mountpoint = "/nix";
                    mountOptions = ["compress-force=zstd:1" "noatime"];
                  };
                  "@persistent" = {
                    mountpoint = "/persistent";
                    mountOptions = ["compress-force=zstd:1" "noatime"];
                  };
                  "@tmp" = {
                    mountpoint = "/tmp";
                    mountOptions = ["compress-force=zstd:1" "noatime"];
                  };
                  "@snapshots" = {
                    mountpoint = "/snapshots";
                    mountOptions = ["compress-force=zstd:1" "noatime"];
                  };
                  "@swap" = {
                    mountpoint = "/swap";
                    swap.swapfile.size = "8192M";
                  };
                };
              };
            };
          };
        };
      };
    };
  };
 }
@@ -1,39 +0,0 @@
 {
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }: {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];
  boot.loader = {
    # depending on how you configured your disk mounts, change this to /boot or /boot/efi.
    efi.efiSysMountPoint = "/boot/";
    efi.canTouchEfiVariables = true;
    # do not use systemd-boot here, it has problems when running `nixos-install`
    grub = {
      device = "nodev";
      efiSupport = true;
    };
  };
  # clear /tmp on boot to get a stateless /tmp directory.
  boot.tmp.cleanOnBoot = true;
  boot.initrd.availableKernelModules = ["nvme" "usbhid" "usb_storage"];
  boot.initrd.kernelModules = [];
  boot.kernelModules = [];
  boot.extraModulePackages = [];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enP3p49s0.useDHCP = lib.mkDefault true;
  # networking.interfaces.enP4p65s0.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
 }
@@ -1,75 +0,0 @@
 {
  impermanence,
  pkgs,
  ...
 }: {
  imports = [
    impermanence.nixosModules.impermanence
  ];
  environment.systemPackages = [
    # `sudo ncdu -x /`
    pkgs.ncdu
  ];
  # There are two ways to clear the root filesystem on every boot:
  ##  1. use tmpfs for /
  ##  2. (btrfs/zfs only)take a blank snapshot of the root filesystem and revert to it on every boot via:
  ##     boot.initrd.postDeviceCommands = ''
  ##       mkdir -p /run/mymount
  ##       mount -o subvol=/ /dev/disk/by-uuid/UUID /run/mymount
  ##       btrfs subvolume delete /run/mymount
  ##       btrfs subvolume snapshot / /run/mymount
  ##     '';
  #
  #  See also https://grahamc.com/blog/erase-your-darlings/
  # NOTE: impermanence only mounts the directory/file list below to /persistent
  # If the directory/file already exists in the root filesystem, you should
  # move those files/directories to /persistent first!
  environment.persistence."/persistent" = {
    # sets the mount option x-gvfs-hide on all the bind mounts
    # to hide them from the file manager
    hideMounts = true;
    directories = [
      "/etc/NetworkManager/system-connections"
      "/etc/ssh"
      "/etc/nix/inputs"
      "/etc/secureboot" # lanzaboote - secure boot
      # my secrets
      "/etc/agenix/"
      "/var/log"
      "/var/lib"
    ];
    files = [
      "/etc/machine-id"
    ];
    # the following directories will be passed to /persistent/home/$USER
    users.ryan = {
      directories = [
        "codes"
        "nix-config"
        "tmp"
        {
          directory = ".ssh";
          mode = "0700";
        }
        # neovim / remmina / flatpak / ...
        ".local/share"
        ".local/state"
        # language package managers
        ".npm"
        ".conda" # generated by `conda-shell`
        "go"
      ];
      files = [
        ".config/nushell/history.txt"
      ];
    };
  };
 }
@@ -1,45 +0,0 @@
 # microvm.nix
 ## Commands
 > https://github.com/astro/microvm.nix/blob/main/doc/src/microvm-command.md
 ```bash
 # list vm
 microvm -l
 # update vm
 microvm -u my-microvm
 # show logs of a vm
 journalctl -u microvm@my-microvm -n 50
 # stop vm
 systemctl stop microvm@$NAME
 # remove vm
 rm -rf /var/lib/microvms/$NAME
 # Run a MicroVM in foreground(for testing)
 # You have to stop the vm before running this command!
 microvm -r my-microvm
 # Stop a MicroVM that is running in foreground
 ## 1. run `sudo shutdown -h now` in the vm
 ## 2. run `systemctl stop microvm@my-microvm` in the host
 ```
 ## VM's pros compared to container
 1. VM has its own kernel, so it can use a fullfeatured kernel or customise the kernel's
   configuration, without affecting the host.
 1. VM use a fullfeatured init system, so it can run services like a real machine.
 1. VM can use a fullfeatured network stack, so it can run network services like a real machine. it's
   very useful for hosting some network services(such as tailscale, dae, etc).
 ## FAQ
 ### 1. enter the vm without ssh
 [Enter running machine as systemd service](https://github.com/astro/microvm.nix/issues/123)
@@ -1,35 +0,0 @@
 {
  myvars,
  mylib,
  daeuniverse,
  agenix,
  microvm,
  mysecrets,
  nuenv,
  ...
 }: {
  imports = [
    # Include the microvm host module
    microvm.nixosModules.host
  ];
  microvm.vms = {
    suzi = {
      autostart = true;
      restartIfChanged = true;
      specialArgs = {inherit myvars mylib daeuniverse agenix mysecrets nuenv;};
      config.imports = [./suzi];
    };
    mitsuha = {
      autostart = true;
      restartIfChanged = true;
      specialArgs = {inherit myvars mylib nuenv;};
      config.imports = [./mitsuha];
    };
  };
 }
@@ -1,67 +0,0 @@
 {mylib, ...}: {
  imports =
    (mylib.scanPaths ./.)
    ++ [
      ../../../../modules/nixos/base/ssh.nix
      ../../../../modules/nixos/base/user-group.nix
      ../../../../modules/base.nix
    ];
  microvm = {
    mem = 1024; # RAM allocation in MB
    vcpu = 1; # Number of Virtual CPU cores
    interfaces = [
      {
        type = "tap";
        id = "vm-mitsuha"; # should be prefixed with "vm-"
        mac = "02:00:00:00:00:02"; # Unique MAC address
      }
    ];
    # Block device images for persistent storage
    # microvm use tmpfs for root(/), so everything else
    # is ephemeral and will be lost on reboot.
    #
    # you can check this by running `df -Th` & `lsblk` in the VM.
    volumes = [
      {
        mountPoint = "/var";
        image = "var.img";
        size = 512;
      }
      {
        mountPoint = "/etc";
        image = "etc.img";
        size = 50;
      }
    ];
    # shares can not be set to `neededForBoot = true;`
    # so if you try to use a share in boot script(such as system.activationScripts), it will fail!
    shares = [
      {
        # It is highly recommended to share the host's nix-store
        # with the VMs to prevent building huge images.
        # a host's /nix/store will be picked up so that no
        # squashfs/erofs will be built for it.
        #
        # by this way, /nix/store is readonly in the VM,
        # and thus the VM can't run any command that modifies
        # the store. such as nix build, nix shell, etc...
        # if you want to run nix commands in the VM, see
        # https://github.com/astro/microvm.nix/blob/main/doc/src/shares.md#writable-nixstore-overlay
        tag = "ro-store"; # Unique virtiofs daemon tag
        proto = "virtiofs"; # virtiofs is faster than 9p
        source = "/nix/store";
        mountPoint = "/nix/.ro-store";
      }
    ];
    hypervisor = "qemu";
    # Control socket for the Hypervisor so that a MicroVM can be shutdown cleanly
    socket = "control.socket";
  };
  system.stateVersion = "23.11";
 }
@@ -1,19 +0,0 @@
 {myvars, ...}: let
  hostName = "mitsuha";
  inherit (myvars.networking) mainGateway nameservers;
  inherit (myvars.networking.hostsAddr.${hostName}) ipv4;
  ipv4WithMask = "${ipv4}/24";
 in {
  systemd.network.enable = true;
  systemd.network.networks."20-lan" = {
    matchConfig.Type = "ether";
    networkConfig = {
      Address = [ipv4WithMask];
      Gateway = mainGateway;
      DNS = nameservers;
      DHCP = "no";
    };
  };
 }
@@ -1,42 +0,0 @@
 {pkgs, ...}:
 # =============================================================
 #
 # Tailscale - your own private network(VPN) that uses WireGuard
 #
 # It's open source and free for personal use,
 # and it's really easy to setup and use.
 # Tailscale has great client coverage for Linux, windows, Mac, android, and iOS.
 # Tailscale is more mature and stable compared to other alternatives such as netbird/netmaker.
 # Maybe I'll give netbird/netmaker a try when they are more mature, but for now, I'm sticking with Tailscale.
 #
 # How to use:
 #  1. Create a Tailscale account at https://login.tailscale.com
 #  2. Login via `tailscale login`
 #  3. join into your Tailscale network via `tailscale up --advertise-routes 192.168.5.0/24`
 #  4. If you prefer automatic connection to Tailscale, use the `authKeyFile` option` in the config below.
 #
 # Status Data:
 #   `journalctl -u tailscaled` shows tailscaled's logs
 #   logs indicate that tailscale store its data in /var/lib/tailscale
 #   which is already persistent across reboots(via impermanence.nix)
 #
 # References:
 # https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/services/networking/tailscale.nix
 #
 # =============================================================
 {
  # make the tailscale command usable to users
  environment.systemPackages = [pkgs.tailscale];
  # enable the tailscale service
  services.tailscale = {
    enable = true;
    port = 41641;
    interfaceName = "tailscale0";
    # allow the Tailscale UDP port through the firewall
    openFirewall = true;
    useRoutingFeatures = "server";
    extraUpFlags = "--advertise-routes 192.168.5.0/24";
    # authKeyFile = "/var/lib/tailscale/authkey";
  };
 }
@@ -1,48 +0,0 @@
 # Dae - NixOS Router
 A router(IPv4 only) with a transparent proxy to bypass the G|F|W.
 NOTE: dae do not provides a http/socks5 proxy server, so a v2ray server is running on
 [idols_kana](../idols_kana/proxy.nix) to provides a http/socks5 proxy service.
 ## Troubleshooting
 ### Can not access the global internet
 1. Check whether the subscription url is accessible.
   - If not, then you need to get a new subscription url and update the `dae`'s configuration.
 1. Check the `dae` service's log by `journalctl -u dae -n 1000`.
 ### DNS cannot be resolved
 1. `sudo systemctl stop dae`, then try to resolve the domain name again.
   - If it works, the problem is caused by `dae` service.
   - check dae's log by `journalctl -u dae -n 1000`
 1. DNS & DHCP is provided by `dnsmasq` service, check the configuration of `dnsmasq`.
 ### DHCP cannot be obtained
 1. `ss -tunlp`, check if `dnsmasq` is running and listening on udp port 67.
 1. `journalctl -u dnsmasq -n 1000` to check the log of `dnsmasq`.
 1. Request a new IP address by disconnect and reconnect one of your devices' wifi.
 1. `nix shell nixpkgs#dhcpdump` and then `sudo dhcpdump -i br-lan`, check if the DHCP request is
   received by `dnsmasq`.
   1. The server listens on UDP port number 67, and the client listens on UDP port number 68.
   1. DHCP operations fall into four phases:
      1. Server **discovery**: The DHCP client broadcasts a DHCPDISCOVER message on the network
         subnet using the destination address 255.255.255.255 (limited broadcast) or the specific
         subnet broadcast address (directed broadcast).
      1. IP lease **offer**: When a DHCP server receives a DHCPDISCOVER message from a client, which
         is an IP address lease request, the DHCP server reserves an IP address for the client and
         makes a lease offer by sending a DHCPOFFER message to the client.
      1. IP lease **request**: In response to the DHCP offer, the client replies with a DHCPREQUEST
         message, broadcast to the server,[a] requesting the offered address.
      1. IP lease **acknowledgement**: When the DHCP server receives the DHCPREQUEST message from
         the client, it sends a DHCPACK packet to the client, which includes the lease duration and
         any other configuration information that the client might have requested.
   1. So if you see only `DISCOVER` messages, the dhsmasq is not working properly.
 ## References
 - <https://github.com/ghostbuster91/blogposts/blob/main/router2023-part2/main.md>
 - <https://github.com/ghostbuster91/nixos-router>
@@ -1,320 +0,0 @@
 # https://github.com/daeuniverse/dae/discussions/81
 # https://github.com/daeuniverse/dae/blob/main/example.dae
 # load all dae files placed in ./config.d/
 include {
    config.d/*.dae
 }
 global {
    ##### Software options.
    # tproxy port to listen on. It is NOT a HTTP/SOCKS port, and is just used by eBPF program.
    # In normal case, you do not need to use it.
    tproxy_port: 12345
    # Set it true to protect tproxy port from unsolicited traffic. Set it false to allow users to use self-managed
    # iptables tproxy rules.
    tproxy_port_protect: true
    # If not zero, traffic sent from dae will be set SO_MARK. It is useful to avoid traffic loop with iptables tproxy
    # rules.
    so_mark_from_dae: 1
    # Log level: error, warn, info, debug, trace.
    log_level: info
    # Disable waiting for network before pulling subscriptions.
    disable_waiting_network: false
    ##### Interface and kernel options.
    # The LAN interface to bind. Use it if you want to proxy LAN.
    # Multiple interfaces split by ",".
    lan_interface: br-lan
    # The WAN interface to bind. Use it if you want to proxy localhost.
    # Multiple interfaces split by ",". Use "auto" to auto detect.
    # 
    # Disable this to avoid problems with the proxy server that prevent the subscription link from being updated
    # wan_interface: auto
    # Automatically configure Linux kernel parameters like ip_forward and send_redirects. Check out
    # https://github.com/daeuniverse/dae/blob/main/docs/en/user-guide/kernel-parameters.md to see what will dae do.
    auto_config_kernel_parameter: false
    ##### Node connectivity check.
    # Host of URL should have both IPv4 and IPv6 if you have double stack in local.
    # First is URL, others are IP addresses if given.
    # Considering traffic consumption, it is recommended to choose a site with anycast IP and less response.
    #tcp_check_url: 'http://cp.cloudflare.com'
    tcp_check_url: 'http://cp.cloudflare.com,1.1.1.1,2606:4700:4700::1111'
    # The HTTP request method to `tcp_check_url`. Use 'HEAD' by default because some server implementations bypass
    # accounting for this kind of traffic.
    tcp_check_http_method: HEAD
    # This DNS will be used to check UDP connectivity of nodes. And if dns_upstream below contains tcp, it also be used to check
    # TCP DNS connectivity of nodes.
    # First is URL, others are IP addresses if given.
    # This DNS should have both IPv4 and IPv6 if you have double stack in local.
    #udp_check_dns: 'dns.google.com:53'
    udp_check_dns: 'dns.google.com:53,8.8.8.8,2001:4860:4860::8888'
    check_interval: 30s
    # Group will switch node only when new_latency <= old_latency - tolerance.
    check_tolerance: 50ms
    ##### Connecting options.
    # Optional values of dial_mode are:
    # 1. "ip". Dial proxy using the IP from DNS directly. This allows your ipv4, ipv6 to choose the optimal path
    #       respectively, and makes the IP version requested by the application meet expectations. For example, if you
    #       use curl -4 ip.sb, you will request IPv4 via proxy and get a IPv4 echo. And curl -6 ip.sb will request IPv6.
    #       This may solve some weird full-cone problem if your are be your node support that. Sniffing will be disabled
    #       in this mode.
    # 2. "domain". Dial proxy using the domain from sniffing. This will relieve DNS pollution problem to a great extent
    #       if have impure DNS environment. Generally, this mode brings faster proxy response time because proxy will
    #       re-resolve the domain in remote, thus get better IP result to connect. This policy does not impact routing.
    #       That is to say, domain rewrite will be after traffic split of routing and dae will not re-route it.
    # 3. "domain+". Based on domain mode but do not check the reality of sniffed domain. It is useful for users whose
    #       DNS requests do not go through dae but want faster proxy response time. Notice that, if DNS requests do not
    #       go through dae, dae cannot split traffic by domain.
    # 4. "domain++". Based on domain+ mode but force to re-route traffic using sniffed domain to partially recover
    #       domain based traffic split ability. It doesn't work for direct traffic and consumes more CPU resources.
    dial_mode: domain
    # Allow insecure TLS certificates. It is not recommended to turn it on unless you have to.
    allow_insecure: false
    # Timeout to waiting for first data sending for sniffing. It is always 0 if dial_mode is ip. Set it higher is useful
    # in high latency LAN network.
    sniffing_timeout: 100ms
    # TLS implementation. tls is to use Go's crypto/tls. utls is to use uTLS, which can imitate browser's Client Hello.
    tls_implementation: tls
    # The Client Hello ID for uTLS to imitate. This takes effect only if tls_implementation is utls.
    # See more: https://github.com/daeuniverse/dae/blob/331fa23c16/component/outbound/transport/tls/utls.go#L17
    utls_imitate: chrome_auto
 }
 # See https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/dns.md for full examples.
 dns {
    # For example, if ipversion_prefer is 4 and the domain name has both type A and type AAAA records, the dae will only
    # respond to type A queries and response empty answer to type AAAA queries.
    ipversion_prefer: 4
    # Give a fixed ttl for domains. Zero means that dae will request to upstream every time and not cache DNS results
    # for these domains.
    #fixed_domain_ttl {
    #    ddns.example.org: 10
    #    test.example.org: 3600
    #}
    upstream {
        # Value can be scheme://host:port, where the scheme can be tcp/udp/tcp+udp.
        # If host is a domain and has both IPv4 and IPv6 record, dae will automatically choose
        # IPv4 or IPv6 to use according to group policy (such as min latency policy).
        # Please make sure DNS traffic will go through and be forwarded by dae, which is REQUIRED for domain routing.
        # If dial_mode is "ip", the upstream DNS answer SHOULD NOT be polluted, so domestic public DNS is not recommended.
        alidns: 'udp://223.5.5.5:53'
        googledns: 'tcp+udp://8.8.8.8:53'
    }
    routing {
        # According to the request of dns query, decide to use which DNS upstream.
        # Match rules from top to bottom.
        request {
            # Lookup China mainland domains using alidns, otherwise googledns.
            qname(geosite:cn) -> alidns
            # fallback is also called default.
            fallback: googledns
            # other custom rules
            qname(full:analytics.google.com) -> googledns # do not block google analytics(console)
            qname(regex: '.+\.nixos.org$') -> googledns
            qname(geosite:category-ads) -> reject
            qname(geosite:category-ads-all) -> reject
            qtype(aaaa) -> reject
            qname(regex: '.+\.linkedin$') -> googledns
        }
        # According to the response of dns query, decide to accept or re-lookup using another DNS upstream.
        # Match rules from top to bottom.
        response {
            # Trusted upstream. Always accept its result.
            upstream(googledns) -> accept
            # Possibly polluted(domain resolved to a private ip), re-lookup using googledns.
            ip(geoip:private) && !qname(geosite:cn) -> googledns
            fallback: accept
        }
    }
 }
 # Node group (outbound).
 group {
    proxy {
        filter: name(keyword: 'Hong Kong')
        filter: name(keyword: '香港')
        filter: name(keyword: 'Singapore')
        filter: name(keyword: '新加坡')
        # Filter nodes and give a fixed latency offset to archive latency-based failover.
        # In this example, there is bigger possibility to choose US node even if original latency of US node is higher.
        filter: name(keyword: 'USA') [add_latency: -500ms]
        filter: name(keyword: '美国') [add_latency: -500ms]
        filter: name(keyword: 'UK') [add_latency: -300ms]
        # filter: name(keyword: '英国') [add_latency: -300ms]
        # filter: name(keyword: 'Japan') [add_latency: 300ms]
        # filter: name(keyword: '日本') [add_latency: 300ms]
        # Other filters:
        #   Filter nodes from the global node pool defined by the subscription and node section above.
        #     filter: subtag(regex: '^my_', another_sub) && !name(keyword: 'ExpireAt:')
        #   Filter nodes from the global node pool defined by tag.
        #     filter: name('node_a','node_b')
        # Select the node with min average of the last 10 latencies from the group for every connection.
        policy: min_avg10
        # Other policies:
        #   random         - Randomly select a node from the group for every connection.
        #   fixed(0)       - Select the first node from the group for every connection.
        #   min            - Select the node with min last latency from the group for every connection.
        #   min_moving_avg - Select the node with min moving average of latencies from the group for every connection.
    }
    media {
        filter: name(keyword: 'Hong Kong')
        filter: name(keyword: '香港')
        filter: name(keyword: 'Singapore')
        filter: name(keyword: '新加坡')
        filter: name(keyword: 'USA') [add_latency: -500ms]
        filter: name(keyword: '美国') [add_latency: -500ms]
        filter: name(keyword: 'UK') [add_latency: -300ms]
        filter: name(keyword: '英国') [add_latency: -300ms]
        filter: name(keyword: 'Japan') [add_latency: 300ms]
        filter: name(keyword: '日本') [add_latency: 300ms]
        policy: min_avg10
    }
    ssh-proxy {
        filter: name(keyword: 'UK')
        filter: name(keyword: '英国')
        policy: min_avg10
    }
    sg {
        filter: name(keyword: 'Singapore')
        filter: name(keyword: '新加坡')
        policy: min_avg10
    }
    usa {
        filter: name(keyword: 'USA')
        filter: name(keyword: '美国')
        policy: min_avg10
    }
 }
 # See https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/routing.md for full examples.
 # Pname has the highest priority, so should be placed in the front.
 # Priority of other rules is the same as the order of the rules defined in this file.
 routing {
    ### Preset rules.
    # Network managers in localhost should be direct to 
    # avoid false negative network connectivity check when binding to WAN.
    pname(NetworkManager) -> direct
    pname(systemd-networkd) -> direct
    # Put it in the front to prevent broadcast, multicast and other packets that should be sent to the LAN from being
    # forwarded by the proxy.
    # "dip" means destination IP.
    dip(224.0.0.0/3, 'ff00::/8') -> direct
    # This line allows you to access private addresses directly instead of via your proxy. If you really want to access
    # private addresses in your proxy host network, modify the below line.
    dip(geoip:private) -> direct
    # --- Core rules ---#
    # Disable HTTP3(QUIC) because it usually consumes too much cpu/mem resources.
    l4proto(udp) && dport(443) -> block
    # Direct access to all Chinese mainland-related IP addresses
    dip(geoip:cn) -> direct
    domain(geosite:cn) -> direct
    # Block ads
    domain(full:analytics.google.com) -> proxy  # do not block google analytics(console)
    domain(geosite:category-ads) -> block
    domain(geosite:category-ads-all) -> block
    # DNS
    dip(8.8.8.8, 8.8.4.4) -> proxy
    dip(223.5.5.5, 223.6.6.6) -> direct
    domain(full:dns.alidns.com) -> direct
    domain(full:dns.googledns.com) -> proxy
    domain(full:dns.opendns.com) -> proxy
    # --- Rules for other commonly used sites ---#
    # SSH - tcp port 22 is blocked by many proxy servers.
    dport(22) && !dip(geoip:cn) && !domain(geosite:cn) -> ssh-proxy
    ### OpenAI
    domain(geosite:openai) -> sg
    domain(regex:'.+\.openai$') -> sg
    ### Media
    domain(geosite:netflix) -> media
    ### Proxy
    domain(suffix: linkedin.com) -> proxy
    domain(keyword:'linkedin') -> proxy
    domain(regex:'.+\.linkedin\.com$') -> proxy
    domain(regex:'.+\.quay\.io$') -> proxy
    domain(regex:'.+\.notion\.so$') -> proxy
    domain(regex:'.+\.amazon\.com$') -> proxy
    domain(regex:'.+\.oracle\.com$') -> proxy
    domain(regex:'.+\.docker\.com$') -> proxy
    domain(regex:'.+\.kubernetes\.io$') -> proxy
    domain(regex:'.+\.nixos\.org$') -> proxy
    domain(geosite:microsoft) -> proxy
    domain(geosite:linkedin) -> proxy
    domain(geosite:twitter) -> proxy
    domain(geosite:telegram) -> proxy
    domain(geosite:google) -> proxy
    domain(geosite:apple) -> proxy
    domain(geosite:category-container) -> proxy
    domain(geosite:category-dev) -> proxy
    domain(geosite:google-scholar) -> proxy
    domain(geosite:category-scholar-!cn) -> proxy
    ### Direct
    domain(regex:'.+\.edu\.cn$') -> direct
    domain(keyword:'baidu') -> direct
    domain(keyword:'bilibili') -> direct
    domain(keyword:'taobao') -> direct
    domain(keyword:'alibabadns') -> direct
    domain(keyword:'alicdn') -> direct
    domain(keyword:'tbcache') -> direct
    domain(keyword:'zhihu') -> direct
    domain(keyword:'douyu') -> direct
    domain(geosite:cloudflare-cn) -> direct
    # --- Fallback rules ---#
    # Access all other foreign sites
    domain(geosite:geolocation-!cn) -> proxy
    !dip(geoip:cn) -> proxy
    fallback: direct
 }
@@ -1,61 +0,0 @@
 {
  config,
  pkgs,
  daeuniverse,
  ...
 }:
 # https://github.com/daeuniverse/flake.nix
 let
  daeConfigPath = "/etc/dae/config.dae";
  subscriptionConfigPath = "/etc/dae/config.d/subscription.dae";
 in {
  imports = [
    daeuniverse.nixosModules.dae
  ];
  # dae - eBPF-based Linux high-performance transparent proxy.
  services.dae = {
    enable = true;
    package = daeuniverse.packages.${pkgs.system}.dae;
    disableTxChecksumIpGeneric = false;
    configFile = daeConfigPath;
    assets = with pkgs; [v2ray-geoip v2ray-domain-list-community];
    # alternatively, specify assets dir
    # assetsPath = "/etc/dae";
    openFirewall = {
      enable = true;
      port = 12345;
    };
  };
  systemd.services.dae.serviceConfig = {
    Restart = "on-failure";
    RestartSec = 10;
  };
  # dae supports two types of subscriptions: base64 encoded proxies, and sip008.
  # subscription can be a url return the subscription, or a file path that contains the subscription.
  #
  # Nix decrypt and merge my dae's base config and subscription config here.
  # the subscription config is something like:
  #   ```
  #   subscription {
  #     'https://www.example.com/subscription/link'
  #     'https://example.com/no_tag_link'
  #   }
  #   node {
  #     # Support socks5, http, https, ss, ssr, vmess, vless, trojan, trojan-go, tuic, juicity
  #     node_a: 'trojan://'
  #     node_b: 'trojan://'
  #     node_c: 'vless://'
  #     node_d: 'vless://'
  #     node_e: 'vmess://'
  #     node_f: 'tuic://'
  #     node_h: 'juicity://'
  #   }
  #   ```
  system.activationScripts.installDaeConfig = ''
    install -Dm 600 ${./config.dae} ${daeConfigPath}
    install -Dm 600 ${config.age.secrets."dae-subscription.dae".path} ${subscriptionConfigPath}
  '';
 }
@@ -1,70 +0,0 @@
 {mylib, ...}: {
  imports =
    (mylib.scanPaths ./.)
    ++ [
      ../../../../secrets/nixos.nix
      ../../../../modules/nixos/base/ssh.nix
      ../../../../modules/nixos/base/user-group.nix
      ../../../../modules/base.nix
    ];
  modules.secrets.server.network.enable = true;
  microvm = {
    mem = 1024; # RAM allocation in MB
    vcpu = 1; # Number of Virtual CPU cores
    interfaces = [
      {
        type = "tap";
        id = "vm-suzi"; # should be prefixed with "vm-"
        mac = "02:00:00:00:00:01"; # unique MAC address
      }
    ];
    # Block device images for persistent storage
    # microvm use tmpfs for root(/), so everything else
    # is ephemeral and will be lost on reboot.
    #
    # you can check this by running `df -Th` & `lsblk` in the VM.
    volumes = [
      {
        mountPoint = "/var";
        image = "var.img";
        size = 512;
      }
      {
        mountPoint = "/etc";
        image = "etc.img";
        size = 50;
      }
    ];
    # shares can not be set to `neededForBoot = true;`
    # so if you try to use a share in boot script(such as system.activationScripts), it will fail!
    shares = [
      {
        # It is highly recommended to share the host's nix-store
        # with the VMs to prevent building huge images.
        # a host's /nix/store will be picked up so that no
        # squashfs/erofs will be built for it.
        #
        # by this way, /nix/store is readonly in the VM,
        # and thus the VM can't run any command that modifies
        # the store. such as nix build, nix shell, etc...
        # if you want to run nix commands in the VM, see
        # https://github.com/astro/microvm.nix/blob/main/doc/src/shares.md#writable-nixstore-overlay
        tag = "ro-store"; # Unique virtiofs daemon tag
        proto = "virtiofs"; # virtiofs is faster than 9p
        source = "/nix/store";
        mountPoint = "/nix/.ro-store";
      }
    ];
    hypervisor = "qemu";
    # Control socket for the Hypervisor so that a MicroVM can be shutdown cleanly
    socket = "control.socket";
  };
  system.stateVersion = "23.11";
 }
@@ -1,180 +0,0 @@
 {
  lib,
  myvars,
  ...
 }: let
  hostName = "suzi";
  inherit (myvars.networking) mainGateway nameservers;
  inherit (myvars.networking.hostsAddr.${hostName}) ipv4;
  ipv4WithMask = "${ipv4}/24";
  dhcpRange = {
    start = "192.168.5.5";
    end = "192.168.5.99";
  };
 in {
  boot.kernel.sysctl = {
    # https://github.com/ghostbuster91/blogposts/blob/main/router2023-part2/main.md
    # https://github.com/daeuniverse/dae/blob/main/docs/en/user-guide/kernel-parameters.md
    # forward network packets that are not destined for the interface on which they were received
    "net.ipv4.conf.all.forwarding" = true;
    "net.ipv6.conf.all.forwarding" = true;
    "net.ipv4.conf.br-lan.rp_filter" = 1;
    "net.ipv4.conf.br-lan.send_redirects" = 0;
  };
  # Docker uses iptables internally to setup NAT for containers.
  # This module disables the ip_tables kernel module, which is required for nftables to work.
  # So make sure to disable docker here.
  virtualisation.docker.enable = lib.mkForce false;
  networking = {
    useNetworkd = true;
    useDHCP = false;
    networkmanager.enable = false;
    wireless.enable = false; # Enables wireless support via wpa_supplicant.
    # No local firewall.
    nat.enable = false;
    firewall.enable = false;
    # https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/services/networking/nftables.nix
    nftables = {
      enable = true;
      # Check the applied rules with `nft -a list ruleset`.
      # Since this is a internal bypass router, we don't need to do NAT & can forward all traffic.
      ruleset = ''
        # Check out https://wiki.nftables.org/ for better documentation.
        # Table for both IPv4 and IPv6.
        table inet filter {
          chain input {
            type filter hook input priority 0;
            # accept any localhost traffic
            iifname lo accept
            # accept any lan traffic
            iifname br-lan accept
            # count and drop any other traffic
            counter drop
          }
          # Allow all outgoing connections.
          chain output {
            type filter hook output priority 0;
            accept
          }
          # Allow all forwarding all traffic.
          chain forward {
            type filter hook forward priority 0;
            accept
          }
        }
      '';
    };
  };
  # https://nixos.wiki/wiki/Systemd-networkd
  systemd.network = {
    netdevs = {
      # Create the bridge interface
      "20-br-lan" = {
        netdevConfig = {
          Kind = "bridge";
          Name = "br-lan";
        };
      };
    };
    # This is a bypass router, so we do not need a wan interface here.
    networks = {
      "30-lan0" = {
        # match the interface by type
        matchConfig.Type = "ether";
        # Connect to the bridge
        networkConfig = {
          Bridge = "br-lan";
          ConfigureWithoutCarrier = true;
        };
        linkConfig.RequiredForOnline = "enslaved";
      };
      # Configure the bridge device we just created
      "40-br-lan" = {
        matchConfig.Name = "br-lan";
        address = [
          # configure addresses including subnet mask
          ipv4WithMask # forwards all traffic to the gateway except for the router address itself
        ];
        routes = [
          # forward all traffic to the main gateway
          {routeConfig.Gateway = mainGateway;}
        ];
        bridgeConfig = {};
        linkConfig.RequiredForOnline = "routable";
      };
    };
  };
  # resolved is conflict with dnsmasq
  services.resolved.enable = false;
  services.dnsmasq = {
    enable = true;
    # resolve local queries (add 127.0.0.1 to /etc/resolv.conf)
    resolveLocalQueries = true; # may be conflict with dae, disable this.
    alwaysKeepRunning = true;
    # https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=tree
    settings = {
      # upstream DNS servers
      server = nameservers;
      # forces dnsmasq to try each query with each server strictly
      # in the order they appear in the config.
      strict-order = true;
      # Never forward plain names (without a dot or domain part)
      domain-needed = true;
      # Never forward addresses in the non-routed address spaces(e.g. private IP).
      bogus-priv = true;
      # don't needlessly read /etc/resolv.conf which only contains the localhost addresses of dnsmasq itself.
      no-resolv = true;
      # Cache dns queries.
      cache-size = 1000;
      dhcp-range = ["${dhcpRange.start},${dhcpRange.end},24h"];
      interface = "br-lan";
      dhcp-sequential-ip = true;
      dhcp-option = [
        # Override the default route supplied by dnsmasq, which assumes the
        # router is the same machine as the one running dnsmasq.
        "option:router,${ipv4}"
        "option:dns-server,${ipv4}"
      ];
      # local domains
      local = "/lan/";
      domain = "lan";
      expand-hosts = true;
      # don't use /etc/hosts
      no-hosts = true;
      address = [
        # "/surfer.lan/192.168.10.1"
      ];
    };
  };
  # monitoring with prometheus
  # https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/services/monitoring/prometheus/exporters/dnsmasq.nix
  services.prometheus.exporters.dnsmasq = {
    enable = true;
    listenAddress = "0.0.0.0";
    port = 9153;
    openFirewall = false;
    leasesPath = "/var/lib/dnsmasq/dnsmasq.leases";
  };
  # The service irqbalance is useful as it assigns certain IRQ calls to specific CPUs instead of
  # letting the first CPU core to handle everything.
  # This is supposed to increase performance by hitting CPU cache more often.
  services.irqbalance.enable = false;
 }
@@ -1,45 +0,0 @@
 {myvars, ...}: let
  hostName = "suzu";
  inherit (myvars.networking) mainGateway nameservers;
  inherit (myvars.networking.hostsAddr.${hostName}) iface ipv4;
  ipv4WithMask = "${ipv4}/24";
 in {
  boot.kernel.sysctl = {
    # forward network packets that are not destined for the interface on which they were received
    "net.ipv4.conf.all.forwarding" = true;
    "net.ipv6.conf.all.forwarding" = true;
  };
  networking.useNetworkd = true;
  systemd.network.enable = true;
  # A bridge to link all VM's TAP interfaces into local network.
  # https://github.com/astro/microvm.nix/blob/main/doc/src/simple-network.md
  systemd.network.networks."10-lan" = {
    # match on the main interface and all VM interfaces
    matchConfig.Name = [iface "vm-*"];
    networkConfig = {
      Bridge = "br0";
    };
  };
  systemd.network.netdevs."br0" = {
    netdevConfig = {
      Name = "br0";
      Kind = "bridge";
    };
  };
  # Add ipv4 address to the bridge.
  systemd.network.networks."10-lan-bridge" = {
    matchConfig.Name = "br0";
    networkConfig = {
      Address = [ipv4WithMask];
      Gateway = mainGateway;
      DNS = nameservers;
      IPv6AcceptRA = true;
    };
    linkConfig.RequiredForOnline = "routable";
  };
 }
@@ -2,26 +2,19 @@
 1. `12kingdoms`:
   1. `shoukei`: NixOS on Macbook Pro 2020 Intel i5, 13.3-inch, 16G RAM + 512G SSD.
   1. `suzu`: Orange Pi 5, RK3588s(4xA76 + 4xA55), GPU(4Cores, Mail-G610), NPU(6Tops@int8), 8G RAM +
      256G SSD.
      1. Network related services running via microvm.nix, such as router(transparent proxy - dae),
         tailscale subrouter, etc.
   1. `rakushun`: Orange Pi 5 Plus, RK3588(4xA76 + 4xA55), GPU(4Cores, Mail-G610), NPU(6Tops@int8),
      16G RAM + 2T SSD.
      1. Monitoring(prometheus, grafana, exporters), CI/CD(gitea, runner), homepage, file browser,
         and other services.
 1. `darwin`(macOS)
   1. `fern`: MacBook Pro 2022 13-inch M2 16G, mainly for business.
   1. `harmonica`: MacBook Pro 2020 13-inch i5 16G, for personal use.
-1. `k8s`: My Kubernetes Clusters
+1. `k8s`: My Kubevirt & Kubernetes Clusters
 1. `idols`
   1. `ai`: My main computer, with NixOS + I5-13600KF + RTX 4090 GPU, for gaming & daily use.
-   2. `aquamarine`: Not used now.
+   2. `aquamarine`: Kubevirt Virtual Machine.
      - Monitoring(prometheus, grafana, exporters), CI/CD(gitea, runner), homepage, file browser,
        and other services.
   3. `ruby`: Not used now.
   4. `kana`: Not used now.
-1. `rolling_girls`: My RISCV64 hosts.
+1. Other aarch64/riscv64 SBCs:
-   1. `nozomi`: Lichee Pi 4A, TH1520(4xC910@2.0G), 16GB RAM + 32G eMMC + 128G SD Card.
+   [ryan4yin/nixos-config-sbc](https://github.com/ryan4yin/nixos-config-sbc)
   2. `yukina`: Milk-V Mars, JH7110(4xU74@1.5 GHz), 4G RAM + No eMMC + 64G SD Card.
 ## How to add a new host
@@ -40,7 +40,7 @@ zram0             253:0    0 15.6G  0 disk  [SWAP]
 nvme0n1           259:0    0  1.8T  0 disk
 ├─nvme0n1p1       259:2    0  598M  0 part  /boot
 └─nvme0n1p2       259:3    0  1.8T  0 part
-  └─encrypted-nixos 254:0    0  1.8T  0 crypt /tmp
+  └─crypted-nixos 254:0    0  1.8T  0 crypt /tmp
                                            /swap/swapfile
                                            /swap
                                            /snapshots
@@ -20,7 +20,9 @@ in {
    inherit hostName;
    inherit (myvars.networking) defaultGateway nameservers;
    inherit (myvars.networking.hostsInterface.${hostName}) interfaces;
-    networkmanager.enable = false;
+
    # desktop need its cli for status bar
    networkmanager.enable = true;
  };
  # conflict with feature: containerd-snapshotter
@@ -30,6 +32,7 @@ in {
  services.xserver.videoDrivers = ["nvidia"]; # will install nvidia-vaapi-driver by default
  hardware.nvidia = {
    # Optionally, you may need to select the appropriate driver version for your specific GPU.
    # https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/os-specific/linux/nvidia-x11/default.nix
    # package = config.boot.kernelPackages.nvidiaPackages.stable;
    # required by most wayland compositors!
@@ -38,12 +41,10 @@ in {
  };
  virtualisation.docker.enableNvidia = true; # for nvidia-docker
-  hardware.opengl = {
+  hardware.graphics = {
    enable = true;
    # if hardware.opengl.driSupport is enabled, mesa is installed and provides Vulkan for supported hardware.
    driSupport = true;
    # needed by nvidia-docker
-    driSupport32Bit = true;
+    enable32Bit = true;
  };
  # This value determines the NixOS release from which the default
@@ -52,5 +53,5 @@ in {
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "23.11"; # Did you read the comment?
+  system.stateVersion = "24.05"; # Did you read the comment?
 }
@@ -40,11 +40,12 @@
    "ntfs"
    "fat"
    "vfat"
    "exfat"
  ];
  boot.initrd = {
    # unlocked luks devices via a keyfile or prompt a passphrase.
-    luks.devices."encrypted-nixos" = {
+    luks.devices."crypted-nixos" = {
      # NOTE: DO NOT use device name here(like /dev/sda, /dev/nvme0n1p2, etc), use UUID instead.
      # https://github.com/ryan4yin/nix-config/issues/43
      device = "/dev/disk/by-uuid/a21ca82a-9ee6-4e5c-9d3f-a93e84e4e0f4";
@@ -1,3 +1,24 @@
 # Idols - Aquamarine
-TODO
+Storage, operation and maintenance related services are running on this host:
 1. Storage such as git server, file server/browser, torrent downloader,, etc.
 1. Backup or sync my personal data to cloud or NAS.
   - For safety, those data should be encrypted before sending to the cloud or my NAS.
 1. Collect and monitor the metrics/logs of my homelab.
 ## Features
 Services:
 1. prometheus + alertmanager + grafana + loki: Monitor the metrics/logs of my homelab.
 1. restic: Backup my personal data to cloud or NAS.
 1. synthing: Sync file between android/macbook/PC and NAS.
 1. gitea: Self-hosted git service.
 1. sftpgo: SFTP server.
 1. transmission & AriaNg: Torrent downloader and HTTP downloader
 1. alist/filebrower: File browser for local/SMB/Cloud
 All the services assumes a reverse proxy to be setup in the front, they are all listening on
 localhost, and a caddy service is listening on the local network interface and proxy the requests to
 the services.
@@ -1,4 +1,9 @@
-{config, ...}: let
+{
  pkgs,
  config,
  wallpapers,
  ...
 }: let
  hostCommonConfig = ''
    encode zstd gzip
    tls ${../../certs/ecc-server.crt} ${config.age.secrets."certs/ecc-server.key".path} {
@@ -12,7 +17,7 @@ in {
    # Reload Caddy instead of restarting it when configuration file changes.
    enableReload = true;
    user = "caddy"; # User account under which caddy runs.
-    dataDir = "/var/lib/caddy";
+    dataDir = "/data/apps/caddy";
    logDir = "/var/log/caddy";
    # Additional lines of configuration appended to the global config section of the Caddyfile.
@@ -26,12 +31,12 @@ in {
    # Dashboard
    virtualHosts."home.writefor.fun".extraConfig = ''
      ${hostCommonConfig}
-      reverse_proxy http://localhost:4401
+      reverse_proxy http://localhost:54401
    '';
    # https://caddyserver.com/docs/caddyfile/directives/file_server
    virtualHosts."file.writefor.fun".extraConfig = ''
-      root * /var/lib/caddy/fileserver/
+      root * /data/apps/caddy/fileserver/
      ${hostCommonConfig}
      file_server browse {
        hide .git
@@ -59,7 +64,7 @@ in {
    # Monitoring
    virtualHosts."uptime-kuma.writefor.fun".extraConfig = ''
      encode zstd gzip
-      reverse_proxy http://localhost:3350
+      reverse_proxy http://localhost:53350
    '';
    virtualHosts."grafana.writefor.fun".extraConfig = ''
      encode zstd gzip
@@ -78,8 +83,15 @@ in {
  # Create Directories
  systemd.tmpfiles.rules = [
-    "d /var/lib/caddy/fileserver/ 0755 caddy caddy"
+    "d /data/apps/caddy/fileserver/ 0755 caddy caddy"
    # directory for virtual machine's images
-    "d /var/lib/caddy/fileserver/vms 0755 caddy caddy"
+    "d /data/apps/caddy/fileserver/vms 0755 caddy caddy"
  ];
  # Add all my wallpapers into /data/apps/caddy/fileserver/wallpapers
  # Install the homepage-dashboard configuration files
  system.activationScripts.installCaddyWallpapers = ''
    mkdir -p /data/apps/caddy/fileserver/wallpapers
    ${pkgs.rsync}/bin/rsync -avz --chmod=D2755,F644 ${wallpapers}/ /data/apps/caddy/fileserver/wallpapers/
  '';
 }
@@ -1,4 +1,10 @@
-{myvars, ...}:
+{
  mylib,
  myvars,
  pkgs,
  disko,
  ...
 }:
 #############################################################
 #
 #  Aquamarine - A NixOS VM running on Proxmox/KubeVirt
@@ -7,7 +13,10 @@
 let
  hostName = "aquamarine"; # Define your hostname.
 in {
-  imports = [
+  imports =
    (mylib.scanPaths ./.)
    ++ [
      disko.nixosModules.default
    ];
  # supported file systems, so we can mount any removable disks with these filesystems
@@ -15,17 +24,22 @@ in {
    "ext4"
    "btrfs"
    "xfs"
    #"zfs"
    "ntfs"
    "fat"
    "vfat"
    "exfat"
  ];
-  # boot.kernelModules = ["kvm-amd"];
+  boot.kernelPackages = pkgs.linuxPackages_latest;
-  # boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu
+  boot.kernelModules = ["kvm-amd"];
  boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu
  networking = {
    inherit hostName;
-    inherit (myvars.networking) nameservers;
+    inherit (myvars.networking) defaultGateway nameservers;
    inherit (myvars.networking.hostsInterface.${hostName}) interfaces;
    networkmanager.enable = false;
  };
  # This value determines the NixOS release from which the default
@@ -34,5 +48,5 @@ in {
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "23.11"; # Did you read the comment?
+  system.stateVersion = "24.05"; # Did you read the comment?
 }
@@ -0,0 +1,112 @@
 # auto disk partitioning:
 #   nix run github:nix-community/disko -- --mode disko ./disko-fs.nix
 let
  cryptKeyFile = "/etc/agenix/hdd-luks-crypt-key";
  unlockDisk = "data-encrypted";
 in {
  fileSystems."/data/fileshare/public".depends = ["/data/fileshare"];
  # By adding this crypttab entry, the disk will be unlocked by systemd-cryptsetup@xxx.service at boot time.
  # This systemd service is running after agenix, so that the keyfile is already available.
  environment.etc = {
    "crypttab".text = ''
      ${unlockDisk} /dev/disk/by-partlabel/disk-${unlockDisk}-luks ${cryptKeyFile} luks,discard,keyfile-size=32768,keyfile-offset=65536
    '';
  };
  disko.devices = {
    disk.data-encrypted = {
      type = "disk";
      device = "/dev/disk/by-id/ata-WDC_WD40EZRZ-22GXCB0_WD-WCC7K7VV9613";
      content = {
        type = "gpt";
        partitions = {
          luks = {
            size = "100%";
            content = {
              type = "luks";
              name = "data-encrypted";
              settings = {
                keyFile = cryptKeyFile;
                # The maximum size of the keyfile is 8192 KiB
                # type `cryptsetup --help` to see the compiled-in key and passphrase maximum sizes
                # to generate a key file:
                #    dd bs=512 count=1024 iflag=fullblock if=/dev/random of=./hdd-luks-crypt-key
                keyFileSize = 512 * 64; # match the `bs * count` of the `dd` command
                keyFileOffset = 512 * 128; # match the `bs * skip` of the `dd` command
                fallbackToPassword = true;
                allowDiscards = true;
              };
              # Whether to add a boot.initrd.luks.devices entry for the specified disk.
              # The keyfile do not exist before agenix decrypts its data, do we have to disable this option.
              # Otherwise, the initrd will fail to unlock the disk, which causes the boot process to fail.
              initrdUnlock = false;
              # encrypt the root partition with luks2 and argon2id, will prompt for a passphrase, which will be used to unlock the partition.
              # cryptsetup luksFormat
              extraFormatArgs = [
                "--type luks2"
                "--cipher aes-xts-plain64"
                "--hash sha512"
                "--iter-time 5000"
                "--key-size 256"
                "--pbkdf argon2id"
                # use true random data from /dev/random, will block until enough entropy is available
                "--use-random"
              ];
              extraOpenArgs = [
                "--timeout 10"
              ];
              content = {
                type = "btrfs";
                extraArgs = ["-f"]; # Force override existing partition
                subvolumes = {
                  "@apps" = {
                    mountpoint = "/data/apps";
                    mountOptions = [
                      "compress-force=zstd:1"
                      # https://www.freedesktop.org/software/systemd/man/latest/systemd.mount.html
                      "nofail"
                    ];
                  };
                  "@fileshare" = {
                    mountpoint = "/data/fileshare";
                    mountOptions = ["compress-force=zstd:1" "noatime" "nofail"];
                  };
                  "@backups" = {
                    mountpoint = "/data/backups";
                    mountOptions = ["compress-force=zstd:1" "noatime" "nofail"];
                  };
                  "@snapshots" = {
                    mountpoint = "/data/apps-snapshots";
                    mountOptions = ["compress-force=zstd:1" "noatime" "nofail"];
                  };
                };
              };
            };
          };
        };
      };
    };
    disk.data-public = {
      type = "disk";
      device = "/dev/disk/by-id/ata-WDC_WD40EJRX-89T1XY0_WD-WCC7K0XDCZE6";
      content = {
        type = "gpt";
        partitions.data-fileshare = {
          size = "100%";
          content = {
            type = "btrfs";
            # extraArgs = ["-f"]; # Override existing partition
            subvolumes = {
              "@persistent" = {
                mountpoint = "/data/fileshare/public";
                mountOptions = ["compress-force=zstd:1" "nofail"];
              };
            };
          };
        };
      };
    };
  };
 }
@@ -1,11 +1,11 @@
 {pkgs, ...}: let
 in {
-  # https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/services/misc/gitea.nix
+  # https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/misc/gitea.nix
  services.gitea = {
    enable = true;
    user = "gitea";
    group = "gitea";
-    stateDir = "/var/lib/gitea";
+    stateDir = "/data/apps/gitea";
    appName = "Ryan Yin's Gitea Service";
    lfs.enable = true;
    # Enable a timer that runs gitea dump to generate backup-files of the current gitea database and repositories.
@@ -27,7 +27,10 @@ in {
      };
      # one of "Trace", "Debug", "Info", "Warn", "Error", "Critical"
      log.LEVEL = "Info";
-      session.COOKIE_SECURE = false;
+      # Marks session cookies as "secure" as a hint for browsers to only send them via HTTPS.
      session.COOKIE_SECURE = true;
      # NOTE: The first registered user will be the administrator,
      # so this parameter should NOT be set before the first user registers!
      service.DISABLE_REGISTRATION = true;
      # "cron.sync_external_users" = {
@@ -5,7 +5,7 @@
 }: {
  services.grafana = {
    enable = true;
-    dataDir = "/var/lib/grafana";
+    dataDir = "/data/apps/grafana";
    # DeclarativePlugins = with pkgs.grafanaPlugins; [ grafana-piechart-panel ];
    settings = {
      server = {
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Ryan Yin	0693713e94	feat: list systemd services	2024-08-17 20:40:27 +08:00
Ryan Yin	1bf67acde9	fix: hdd storage - auto unlock after booted (#158 )	2024-08-17 04:05:22 +08:00
Ryan Yin	f1a5d419fb	fix: hdd storage - do not unlock on boot, increase boot.loader.timeout	2024-08-17 03:06:37 +08:00
Ryan Yin	e8be41f8e1	Merge pull request #156 from ryan4yin/data-crypted feat: data-crypted	2024-08-17 02:28:12 +08:00
Ryan Yin	d853036fb1	feat: data-crypted	2024-08-17 02:26:39 +08:00
Ryan Yin	df1f9b0070	chore: remove sbc's just commands	2024-08-16 15:13:21 +08:00
Ryan Yin	4def213b08	Merge pull request #155 from ryan4yin/remove-sbcs refactor: migrate sbcs to https://github.com/ryan4yin/nixos-config-sbc	2024-08-16 15:08:12 +08:00
Ryan Yin	35eb6ed5c9	refactor: migrate sbcs to https://github.com/ryan4yin/nixos-config-sbc	2024-08-16 15:06:24 +08:00
Ryan Yin	07178984b1	Merge pull request #154 from ryan4yin/refactor-vars refactor: migrate ssh auth keys & hashed password into vars	2024-08-16 14:40:54 +08:00
Ryan Yin	eb83e88267	refactor: migrate ssh auth keys & hashed password into vars	2024-08-16 14:40:06 +08:00
Ryan Yin	6c8e8111c6	docs: dae - comment	2024-08-16 11:46:37 +08:00
Ryan Yin	62e96cde7e	feat: dae - avoid rate limit of GitHub API & Docker Hub API	2024-08-16 11:44:30 +08:00
Ryan Yin	4bb53d0190	feat: justfile - gc	2024-08-15 22:50:20 +08:00
Ryan Yin	41af2c1444	Merge pull request #152 from ryan4yin/kubevirt-hugepages feat: kubevirt - use 75% of the memory for hugepages	2024-08-15 22:50:05 +08:00
Ryan Yin	43db6bcf63	feat: kubevirt - use 75% of the memory for hugepages	2024-08-15 17:19:26 +08:00
Ryan Yin	e17bc1ec23	feat: neovim - tree-sitter - just	2024-08-12 18:30:26 +08:00
Ryan Yin	c9954c009a	chore: justfile - gc - delete old than 7 days	2024-08-12 17:56:46 +08:00
Ryan Yin	e68a43edce	docs: justfile - nix gc	2024-08-12 17:51:02 +08:00
Ryan Yin	08a6885873	feat: justfile - nix gc	2024-08-12 17:44:37 +08:00
Ryan Yin	930d8322d1	feat: use the latest version of neovim	2024-08-12 17:18:59 +08:00
Ryan Yin	2363ab59c4	chore: add default to just	2024-08-12 17:18:18 +08:00
Ryan Yin	1394e26a59	chore: update flake.lock	2024-08-12 17:18:02 +08:00
Ryan Yin	940367c790	chore: update scripts	2024-08-12 15:17:38 +08:00
Ryan Yin	cae48ede1b	fix: update ntp time servers	2024-08-11 20:18:20 +08:00
Ryan Yin	9535c09a33	feat: add kubectx	2024-08-06 15:13:54 +08:00
Ryan Yin	194c3d9895	chore: remove some unused just commands	2024-08-01 10:14:54 +08:00
Ryan Yin	a8f613ead1	docs: justfile	2024-08-01 10:11:56 +08:00
Ryan Yin	5d69019f60	docs: virtual machine	2024-08-01 10:03:12 +08:00
Ryan Yin	648021b0ca	docs: virtual machine	2024-08-01 10:02:49 +08:00
Ryan Yin	c30730bedd	docs: virtual machine	2024-08-01 09:58:42 +08:00
Ryan Yin	e9b502fa5f	feat: yazi & neovim - show shidden files	2024-08-01 09:44:02 +08:00
Ryan Yin	3e2340aee7	feat: adjust configs for gitea	2024-07-31 23:18:52 +08:00
Ryan Yin	94c8eef2cb	Merge pull request #151 from ryan4yin/homepage feat: adjust homepage config	2024-07-31 23:04:01 +08:00
Ryan Yin	2581c9d562	feat: adjust homepage config	2024-07-31 23:03:07 +08:00
Ryan Yin	3aaa4c0372	Merge pull request #150 from ryan4yin/p8s-scrape-configs refactor: p8s scrape configs	2024-07-31 21:41:19 +08:00
Ryan Yin	c446a693ea	refactor: p8s scrape configs	2024-07-31 19:22:01 +08:00
Ryan Yin	9b0c5d7d50	Merge pull request #149 from ryan4yin/fix-nodejs-based-apps fix: fix nodejs-based apps	2024-07-31 17:19:49 +08:00
Ryan Yin	86ee8132b7	fix: homelab - use https	2024-07-31 17:19:35 +08:00
Ryan Yin	2f3d644234	fix: fix nodejs-based apps	2024-07-31 17:09:20 +08:00
Ryan Yin	87dfa7669f	Merge pull request #145 from ryan4yin/migrate-services-to-aqua feat: migrate grafana & prometheus to aqua	2024-07-31 16:22:27 +08:00
Ryan Yin	64dd1fc2f3	fix: typo	2024-07-31 16:20:32 +08:00
Ryan Yin	fc81143c10	chore: update mysecrets	2024-07-31 16:01:02 +08:00
Ryan Yin	5178a3e638	fix: sftpgo - directory	2024-07-31 15:52:41 +08:00
Ryan Yin	b3127a18c9	fix: uptime kuma	2024-07-31 15:42:40 +08:00
Ryan Yin	15e0b150e9	fix: home page	2024-07-31 15:38:48 +08:00
Ryan Yin	41dc24e350	feat: aqua - no fail if usb storage is not available	2024-07-31 15:07:53 +08:00
Ryan Yin	8c795c7d0d	feat: change data directories, add disko for usb storage	2024-07-31 14:29:21 +08:00
Ryan Yin	b671c05db9	feat: migrate services to aqua	2024-07-31 14:29:21 +08:00
Ryan Yin	80e0bcf031	fix: nix path	2024-07-31 14:28:40 +08:00
Ryan Yin	64ab375d1f	feat: update shell sessin	2024-07-31 14:09:53 +08:00
Ryan Yin	325f82b9cc	fix: nix path (#147 )	2024-07-31 13:39:49 +08:00
Ryan Yin	59a46844a7	fix: justfile & nushell - should use absolute path	2024-07-31 11:22:17 +08:00
Ryan Yin	5e21effb15	refactor: just - emacs reload for linux & macos	2024-07-31 11:08:07 +08:00
Ryan Yin	1e7b9697e1	feat: check process environment variables	2024-07-31 10:56:29 +08:00
Ryan Yin	422ec75ec0	refactor: justfile	2024-07-31 10:56:29 +08:00
Ryan Yin	c059d90b17	feat: aqua - mount usb storage	2024-07-31 09:43:30 +08:00
Ryan Yin	880e0ac65e	chore: update public keys	2024-07-30 14:21:07 +08:00
Ryan Yin	ed4a2f00fe	chore: nix flake update mysecrets	2024-07-30 14:01:26 +08:00
Ryan Yin	7a1788520b	fix: typo	2024-07-30 13:50:32 +08:00
Ryan Yin	e86d7a1020	fix: aqua - networking	2024-07-30 13:48:44 +08:00
Ryan Yin	6670c5bd7d	fix: btrbk - kubevirt	2024-07-30 12:41:08 +08:00
Ryan Yin	0620f199b2	feat: update btrbk configs	2024-07-30 11:41:38 +08:00
Ryan Yin	e2457e80aa	docs: kubevirt-youko - pci passthrough	2024-07-30 10:22:42 +08:00
Ryan Yin	8ffaf4e3ae	feat: decrease pre-allocated hugepages	2024-07-30 01:21:04 +08:00
Ryan Yin	f9d07d92de	fix: virt guest - use default gateway for better network	2024-07-30 00:31:37 +08:00
Ryan Yin	2b91c6f99d	chore: nix flake update mysecrets	2024-07-30 00:02:55 +08:00
Ryan Yin	fed3bc981b	fix: k3s test cluster - token path	2024-07-29 23:42:14 +08:00
Ryan Yin	d02331c1e0	Merge pull request #143 from ryan4yin/kubevirt-hugepages feat: pre-allocate hugepages for kubevirt	2024-07-29 22:43:28 +08:00
Ryan Yin	5ec72c848f	fix: allocate only hugepages with size 1Gi	2024-07-29 22:31:17 +08:00
Ryan Yin	5a6ccd8794	chore: update caddy's vm image path, checksum when uploading	2024-07-29 17:41:51 +08:00
Ryan Yin	3dc7ec1fe8	Merge pull request #141 from DataEraserC/fix-gtk-theme fix(home/linux/gui/base/gtk.nix): gtk theme name mismatch after upgrade	2024-07-26 16:35:14 +08:00
DataEraserC	414a222d19	fix(home/linux/gui/base/gtk.nix): gtk theme name mismatch after upgrade	2024-07-26 04:28:16 +08:00
Ryan Yin	783d61999c	docs: neovim - mason issue about nixos	2024-07-26 00:06:19 +08:00
Ryan Yin	86ec08aecb	Merge pull request #140 from ryan4yin/nix-ld feat: add nix-ld and LIBRARY_PATH for mason.nvim and other downloaded…	2024-07-25 23:27:46 +08:00
Ryan Yin	b7b913b444	feat: add nix-ld and LIBRARY_PATH for mason.nvim and other downloaded binaries	2024-07-25 23:25:33 +08:00
Ryan Yin	aa0e1d84e0	Merge pull request #139 from DataEraserC/patch-11 fix(docs typo):`Morden` -> `Modern`	2024-07-24 08:51:56 +08:00
DataEraserC	94e2e17c60	fix(typo):morden -> modern	2024-07-24 01:45:32 +08:00
Ryan Yin	41f4dc6237	docs: typo	2024-07-23 18:29:01 +08:00
Ryan Yin	d7c0e7caa6	feat(modules/base.nix): add more cache mirrors	2024-07-23 10:00:11 +08:00
Ryan Yin	d8759cc845	feat: darwin - font.packages	2024-07-23 09:49:04 +08:00
Ryan Yin	6c6ada4243	fix: nixos installer	2024-07-23 09:43:46 +08:00
Ryan Yin	95cdd40c77	feat: adjust btrbk's backups preserve policy, and disable backups...	2024-07-21 04:50:09 +08:00
Ryan Yin	a04d6dfdf6	feat: adjust btrbk's snapshot timer	2024-07-21 02:13:24 +08:00
Ryan Yin	adf1415868	docs: minior update	2024-07-20 17:54:25 +08:00
Ryan Yin	b1c6f1b90f	Merge pull request #137 from ryan4yin/update Update dependencies	2024-07-20 12:14:05 +08:00
Ryan Yin	5e9f98e56d	fix: anyrun - https://github.com/anyrun-org/anyrun/issues/153	2024-07-20 12:12:57 +08:00
Ryan Yin	885205d9e3	fix: remove non-existent tree sitter	2024-07-20 11:52:56 +08:00
Ryan Yin	385bcd2d87	chore: update graphics config	2024-07-20 11:49:14 +08:00
Ryan Yin	b3b55c36d8	fix: hyprland - crash	2024-07-20 11:43:16 +08:00
Ryan Yin	7d6fa4028d	chore: debug hyprland	2024-07-20 11:42:01 +08:00
Ryan Yin	0ea8548f37	fix: remove hyprlnad's flake	2024-07-20 11:42:01 +08:00
Ryan Yin	c29148fc77	fix: update flake again to fix lanzaboote's error	2024-07-20 11:42:01 +08:00
Ryan Yin	1eecf89793	feat: update dependencies	2024-07-20 11:42:01 +08:00
Ryan Yin	5fcf0d0995	refactor(home/base/tui/edistors): neovim - adjust the classification of lsp/treesitter	2024-07-19 18:28:06 +08:00
Ryan Yin	66949f6b8f	feat: neovim - add support for nickel	2024-07-19 15:43:50 +08:00
Ryan Yin	36ba5a4efc	feat: remove afdian	2024-07-16 14:44:21 +08:00
Ryan Yin	68285a70d0	feat: add idea for java development	2024-07-12 12:20:54 +08:00
Ryan Yin	f97ad2fd1e	feat: java language server	2024-07-12 12:09:07 +08:00
Ryan Yin	1d66cf655d	feat: add k8s related tools	2024-07-10 15:22:49 +08:00
Ryan Yin	04fa05151a	Merge pull request #136 from DataEraserC/patch-11 fix: ignore typo `crypted-nixos`	2024-07-08 09:36:09 +08:00
Sacabambaspis	62d986d1c8	fix: ignore typo `crypted-nixos`	2024-07-06 18:50:55 +08:00
Ryan Yin	730906ebf2	feat: neovim - add syntax highlight for justfiles	2024-06-28 17:36:40 +08:00
Ryan Yin	bcf5b8b1cb	feat: add gitleaks	2024-06-24 09:11:43 +08:00
Ryan Yin	1f14f5899c	Merge pull request #135 from DataEraserC/patch-9 fix(docs): update url in docs	2024-06-19 09:29:30 +08:00
Sacabambaspis	9732c87d1f	fix(docs): update url in docs	2024-06-18 23:02:27 +08:00
Ryan Yin	032f478d2a	docs: neovim	2024-06-18 11:08:23 +08:00
Ryan Yin	71cb1cf295	Merge pull request #134 from ryan4yin/rename-luks-device chore: rename luks device to crypted-nixos	2024-06-18 09:41:09 +08:00
Ryan Yin	09a9e086d8	chore: rename luks device to crypted-nixos	2024-06-18 09:40:00 +08:00
Ryan Yin	e903f95a46	Merge pull request #133 from yocoldle/patch-1 docs: fix description about the helix plugin system	2024-06-18 09:37:41 +08:00
Coldle	1239f4549a	docs: fix description about the helix plugin system	2024-06-17 22:23:47 +08:00
Ryan Yin	4433e018d9	feat: disable treesitter-wing	2024-06-16 21:38:14 +08:00
Ryan Yin	e9ac7d8ddc	feat: darwin - timezone	2024-06-16 20:13:53 +08:00
Ryan Yin	cf51e77d75	Merge pull request #132 from ryan4yin/update-flake-lock Update flake lock, adjust nushell	2024-06-15 11:54:09 +08:00
Ryan Yin	095b092e08	feat: adjust nushell	2024-06-15 11:39:20 +08:00
Ryan Yin	4e4eb9a003	feat: update flake.lock	2024-06-14 17:15:42 +08:00
Ryan Yin	1efe489846	feat: add gcloud & doctl	2024-06-14 15:29:58 +08:00
Ryan Yin	ea13da3031	feat: add ko for go project	2024-06-14 15:26:30 +08:00
Ryan Yin	47a735d235	feat: add dae rules for steam	2024-06-10 20:53:05 +08:00
Ryan Yin	84c4708b98	feat: add kubebuilder	2024-06-04 11:09:37 +08:00
Ryan Yin	12494d66af	Merge pull request #130 from DataEraserC/main fix(docs): fix partition unmatched	2024-06-03 18:40:51 +08:00
Sacabambaspis	97ff571431	fix(docs): fix docs typo	2024-06-03 18:27:41 +08:00
Ryan Yin	c0e3af3fad	docs: README	2024-06-03 15:20:19 +08:00
Ryan Yin	bbe2e80650	docs: README	2024-06-03 15:07:17 +08:00
Ryan Yin	5bc941d9e2	docs: README	2024-06-03 15:00:37 +08:00
Ryan Yin	7f6c061041	docs: README	2024-06-03 14:59:56 +08:00
Ryan Yin	b8e45b28e1	docs: README	2024-06-03 14:58:49 +08:00
Ryan Yin	21555a4148	feat(neovim): update plugins - orgmode	2024-06-03 14:33:39 +08:00
Ryan Yin	0f4387800f	fix: #122 - cgo-builtin-prolog:1:10: fatal error: 'stddef.h' file not found	2024-06-03 10:11:17 +08:00
Ryan Yin	1095d8fa53	fix: missing pkgs-stable	2024-06-02 14:22:44 +08:00
Ryan Yin	98e2e7196d	Merge pull request #129 from ryan4yin/upgrade-to-24.05 feat: upgrade to 24.05	2024-06-02 13:58:13 +08:00
Ryan Yin	0a764cfdf3	fix: python3.11-k5test-0.10.4 is marked as broken	2024-06-02 13:56:51 +08:00
Ryan Yin	54e4dfcec0	chore: update yabai	2024-06-02 13:35:40 +08:00
Ryan Yin	f37588df64	fix: nixpkgs for darwin	2024-06-02 12:59:13 +08:00
Ryan Yin	9adf87aaf5	feat: upgrade to 24.05 fix: remove or update some packages	2024-06-02 11:17:32 +08:00
Ryan Yin	82dccbdeca	fix: add exfat support for idols-ai	2024-05-15 20:49:51 +08:00
Ryan Yin	af88851772	feat(modules/base.nix): add cuda-maintainer's cache server	2024-05-14 15:21:01 +08:00
Ryan Yin	b3d7d0d2a3	Merge pull request #128 from shelken/main chore(Justfile): Use recipe attributes to scope commands on specific platform	2024-05-13 10:49:23 +08:00
shelken	b0fcf9d9e7	chore(Justfile): Use recipe attributes to scope commands on specific platforms 使用 [配方属性](https://github.com/casey/just/tree/master?tab=readme-ov-file#recipe-attributes) 以限定命令使用的平台	2024-05-13 10:01:25 +08:00
Ryan Yin	7bd264fee9	chore: update darwin's home configs	2024-05-11 17:05:28 +08:00
Ryan Yin	2a841a5a32	feat: yazi intergration - nushell	2024-05-11 11:26:09 +08:00
Ryan Yin	e97e61c8d2	feat(home/base/core/git.nix): trim.bases	2024-05-10 15:01:47 +08:00
Ryan Yin	c65018f450	Update FUNDING.yml	2024-05-10 12:14:26 +08:00
Ryan Yin	218ff4c1da	Merge pull request #127 from DataEraserC/patch-8 fix(Justfile): fix `'--update-input' is a deprecated alias for 'flake update'`	2024-05-10 09:41:10 +08:00
Sacabambaspis	e26c20a29b	fix(Justfile): fix `'--update-input' is a deprecated alias for 'flake update'`	2024-05-09 22:49:16 +08:00
Ryan Yin	13751a4b66	fix: mason-nvim-dap - debugger not found	2024-05-06 15:06:32 +08:00
Ryan Yin	f4d91b6827	feat: enableNushellIntegration for atuin	2024-05-06 11:59:45 +08:00
Ryan Yin	4f780f3f61	refactor: scripts	2024-05-06 11:59:45 +08:00
Ryan Yin	a626458b8e	Merge pull request #126 from DataEraserC/patch-7 fix(secrets/README.md): fix nixpkgs does not contain agenix	2024-05-06 09:33:47 +08:00
Sacabambaspis	87c041f8b4	fix(secrets/README.md): fix nixpkgs does not contain agenix Closes #125	2024-05-05 18:05:43 +08:00
Ryan Yin	ace653e9d6	Merge pull request #124 from DataEraserC/patch-6 feat: Replace unzip with unzipNLS for proper extraction of non-English content	2024-04-30 13:59:21 +08:00
Sacabambaspis	bb913b181d	feat: replace unzip with unzipNLS for proper extraction of non-English content	2024-04-30 00:53:18 +08:00
Ryan Yin	bec52f9d60	feat: update flake.lock, disable all configs related to remote desktop	2024-04-25 21:14:56 +08:00
Ryan Yin	de891782cb	fix(home/base/tui/editors/packages.nix): python debugger	2024-04-24 18:34:21 +08:00
Ryan Yin	5abbd63284	docs: fix the maxium keyfile size of luks	2024-04-24 11:22:15 +08:00
Ryan Yin	14dabdcee5	Merge pull request #123 from ryan4yin/fix-nixpkgs-flakes fix: option `nix.registry.nixpkgs.to.path' has conflicting definition	2024-04-20 14:59:41 +08:00
Ryan Yin	5583f1ffe9	fix: option `nix.registry.nixpkgs.to.path' has conflicting definition	2024-04-20 14:58:49 +08:00
Ryan Yin	6b016a2432	refactor: macos's nixpkgs registry	2024-04-20 14:02:56 +08:00
Ryan Yin	cad8cf325d	fix: suzu - deployment - networking	2024-04-20 13:51:11 +08:00
Ryan Yin	9a0e41429a	docs: nixos-install + persistent	2024-04-20 13:29:03 +08:00
Ryan Yin	44ce90bf68	docs: nvidia	2024-04-20 13:20:49 +08:00
Ryan Yin	9fe6ef9165	fix: enable networkmanager for idols-ai	2024-04-20 12:51:58 +08:00
Ryan Yin	4b2035a0dc	chore: update all flake inputs	2024-04-20 12:48:07 +08:00
Ryan Yin	21d85d41ef	feat: use the latest version of the nix package manager	2024-04-18 11:03:49 +08:00
Ryan Yin	7fd3baca0f	docs: copy closure	2024-04-17 23:28:59 +08:00
Ryan Yin	ce645e7935	fix: homepage - backgroud image	2024-04-17 23:22:13 +08:00
Ryan Yin	9631334088	Merge pull request #121 from kluen/patch-1 docs(README): Fix links to neovim and emacs	2024-04-16 09:42:41 +08:00
Kristof Lünenschloß	a9bb04c37d	docs(README): Fix links to neovim and emacs	2024-04-15 21:48:02 +02:00
Ryan Yin	ddad742023	Merge pull request #120 from DataEraserC/patch-5 fix several typos	2024-04-15 09:47:24 +08:00
Sacabambaspis	21c9e572af	fix(home/linux/gui/base/xdg.nix): fix code typo (dekstop -> desktop)	2024-04-14 02:09:28 +08:00
Sacabambaspis	6b2168b925	fix(utils.nu): fix comment typo (Virutal -> Virtual)	2024-04-14 02:09:05 +08:00
		`@@ -1,3 +0,0 @@`
			`# Homepage for my Homelab`

			`> WIP, just a demo for now`