feat: add WeChat(UOS) sandboxed

fix: mkdir - persist qq's config
feat: update kernel params for nvidia

.gitignore

@@ -5,3 +5,5 @@ result/
 .pre-commit-config.yaml
 logs/
 core*
+!core/
+!core.nix

.typos.toml

@@ -9,6 +9,26 @@ binary = false
 extend-ignore-re = [
   "iterm2",
   "iHgEIBYKACAWIQSizQe9ljFEyyclWmtVhZllwnQrSwUCZZ1T9wIdAAAKCRBVhZll", # crypto keys
-  "noice", # noice.nvim
+  "noice",                                                            # noice.nvim
   "crypted-nixos",
+  "daed",
+
+  # catppuccin theme colors
+  "11111b",
+  "1e1e2e",
+  "313244",
+  "414356",
+  "45475a",
+  "585b70",
+  "89b4fa",
+  "94e2d5",
+  "a6adc8",
+  "a6e3a1",
+  "bac2de",
+  "cdd6f4",
+  "f38ba8",
+  "f5c2e7",
+  "f5e0dc",
+  "f9e2af",
+  "fab387",
 ]

Justfile

@@ -81,6 +81,19 @@ fmt:
 gcroot:
   ls -al /nix/var/nix/gcroots/auto/
 
+# Verify all the store entries
+# Nix Store can contains corrupted entries if the nix store object has been modified unexpectedly.
+# This command will verify all the store entries,
+# and we need to fix the corrupted entries manually via `sudo nix store delete <store-path-1> <store-path-2> ...`
+[group('nix')]
+verify-store:
+  nix store verify --all
+
+# Repair Nix Store Objects
+[group('nix')]
+repair-store *paths:
+  nix store repair {{paths}}
+
 ############################################################################
 #
 #  NixOS Desktop related commands
@@ -138,12 +151,12 @@ fe mode="default": darwin-set-proxy
   darwin-build "fern" {{mode}};
   darwin-switch "fern" {{mode}}
 
-# Reload yabai and skhd(macOS)
+# Reset launchpad to force it to reindex Applications
 [macos]
 [group('desktop')]
-yabai-reload:
-  launchctl kickstart -k "gui/502/org.nixos.yabai";
-  launchctl kickstart -k "gui/502/org.nixos.skhd"; 
+reset-launchpad:
+  defaults write com.apple.dock ResetLaunchPad -bool true
+  killall Dock
 
 ############################################################################
 #
@@ -368,6 +381,10 @@ emacs-reload:
 path:
    $env.PATH | split row ":"
 
+[group('common')]
+trace-access app *args:
+  strace -f -t -e trace=file {{app}} {{args}} | complete | $in.stderr | lines | find -v -r "(/nix/store|/newroot|/proc)" | parse --regex '"(/.+)"' | sort | uniq
+
 [linux]
 [group('common')]
 penvof pid:

README.md

@@ -55,7 +55,7 @@ You don't have to go through the pain I've experienced again! Check out my
 ## Components
 
 |                             | NixOS(Wayland)                                                                                                      |
-| --------------------------- | :------------------------------------------------------------------------------------------------------------------ |
+| --------------------------- | ------------------------------------------------------------------------------------------------------------------- |
 | **Window Manager**          | [Hyprland][Hyprland]                                                                                                |
 | **Terminal Emulator**       | [Zellij][Zellij] + [Kitty][Kitty]                                                                                   |
 | **Bar**                     | [Waybar][Waybar]                                                                                                    |
@@ -102,8 +102,9 @@ See [./secrets](./secrets) for details.
 
 ## How to Deploy this Flake?
 
-> :red_circle: **IMPORTANT**: **You should NOT deploy this flake directly on your machine
-> :exclamation: It will not succeed.** This flake contains my hardware configuration(such as
+<!-- prettier-ignore -->
+> :red_circle: **IMPORTANT**: **You should NOT deploy this flake directly on your machine :exclamation:
+> It will not succeed.** This flake contains my hardware configuration(such as
 > [hardware-configuration.nix](hosts/idols-ai/hardware-configuration.nix),
 > [Nvidia Support](https://github.com/ryan4yin/nix-config/blob/v0.1.1/hosts/idols-ai/default.nix#L77-L91),
 > etc.) which is not suitable for your hardwares, and requires my private secrets repository

flake.nix

@@ -17,12 +17,12 @@
     # substituers will be appended to the default substituters when fetching packages
     extra-substituters = [
       "https://anyrun.cachix.org"
-      "https://nix-gaming.cachix.org"
+      # "https://nix-gaming.cachix.org"
       # "https://nixpkgs-wayland.cachix.org"
     ];
     extra-trusted-public-keys = [
       "anyrun.cachix.org-1:pqBobmOjI7nKlsUMV25u9QHa9btJK65/C8vnO3p346s="
-      "nix-gaming.cachix.org-1:nbjlureqMbRAxR1gJ/f3hxemL9svXaZF/Ees8vCUUs4="
+      # "nix-gaming.cachix.org-1:nbjlureqMbRAxR1gJ/f3hxemL9svXaZF/Ees8vCUUs4="
       # "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
     ];
   };

hardening/README.md

@@ -1,5 +1,7 @@
 # Linux Hardening
 
+> Work in progress.
+
 ## Goal
 
 - **System Level**: Protect critical files from being accessed by untrusted applications.
@@ -18,7 +20,7 @@
 1. **Per-App Level**:
    - Nixpak (Bubblewrap)
      - [x] QQ
-     - [ ] Firefox (Nvidia GPU support issue)
+     - [x] Firefox
    - [ ] Firejail (risk? not enabled yet)
 
 ## Kernel Hardening
@@ -37,6 +39,7 @@
   - Nix Package:
     [roddhjav-apparmor-rules](https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/by-name/ro/roddhjav-apparmor-rules/package.nix#L33)
   - https://github.com/NixOS/nixpkgs/issues/331645
+  - https://github.com/LordGrimmauld/aa-alias-manager
 - SELinux: too complex, not recommended for personal use.
 
 ## Application Sandboxing
@@ -66,6 +69,9 @@ provide a much higher level of security.
 - [Sandboxing all programs by default - NixOS Discourse](https://discourse.nixos.org/t/sandboxing-all-programs-by-default/7792)
 - [在 Firejail 中运行 Steam](https://imbearchild.cyou/archives/2021/11/steam-in-firejail/)
 - [Firejail - Arch Linux Wiki](https://wiki.archlinux.org/title/Firejail)
+- [Paranoid NixOS Setup - xeiaso](https://xeiaso.net/blog/paranoid-nixos-2021-07-18/)
+- [nix-mineral](https://github.com/cynicsketch/nix-mineral): NixOS module for convenient system
+  hardening.
 - nixpak configs:
   - https://github.com/pokon548/OysterOS/tree/b97604d89953373d6316286b96f6a964af2c398d/desktop/application
   - https://github.com/segment-tree/my-nixos/tree/ceb6041f73bd9edcb78a8818b27a28f7c629193b/hm/me/apps/nixpak

hardening/firejail/default.nix

@@ -41,10 +41,6 @@ in {
           executable = "${super.lib.getBin super.zathura}/bin/zathura";
           profile = "${super.firejail}/etc/firejail/zathura.profile";
         };
-        discord = firejailWrapper {
-          executable = "${super.lib.getBin super.discord}/bin/discord";
-          profile = "${super.firejail}/etc/firejail/discord.profile";
-        };
         slack = firejailWrapper {
           executable = "${super.lib.getBin super.slack}/bin/slack";
           profile = "${super.firejail}/etc/firejail/slack.profile";

hardening/nixpaks/default.nix

@@ -22,6 +22,9 @@ in {
         qq = wrapper super ./qq.nix;
         qq-desktop-item = super.callPackage ./qq-desktop-item.nix {};
 
+        wechat-uos = wrapper super ./wechat-uos.nix;
+        wechat-uos-desktop-item = super.callPackage ./wechat-uos-desktop-item.nix {};
+
         firefox = wrapper super ./firefox.nix;
         firefox-desktop-item = super.callPackage ./firefox-desktop-item.nix {};
       };

hardening/nixpaks/firefox.nix

@@ -37,10 +37,15 @@ mkNixPak {
     };
 
     bubblewrap = {
+      # To trace all the home files QQ accesses, you can use the following nushell command:
+      #   just trace-access firefox
+      # See the Justfile in the root of this repository for more information.
       bind.rw = [
-        (sloth.concat' sloth.homeDir "/.mozilla")
-        (sloth.concat' sloth.homeDir "/Downloads")
+        # given the read write permission to the following directories.
+        # NOTE: sloth.mkdir is used to create the directory if it does not exist!
+        (sloth.mkdir (sloth.concat' sloth.homeDir "/.mozilla"))
 
+        sloth.xdgDownloadDir
         # ================ for externsions ===============================
         # required by https://github.com/browserpass/browserpass-extension
         (sloth.concat' sloth.homeDir "/.local/share/password-store") # pass
@@ -61,11 +66,6 @@ mkNixPak {
       };
       bind.dev = [
         "/dev/shm" # Shared Memory
-
-        # seems required when using nvidia as primary gpu
-        "/dev/nvidia0"
-        "/dev/nvidia-uvm"
-        "/dev/nvidia-modeset"
       ];
       tmpfs = [
         "/tmp"

hardening/nixpaks/modules/gui-base.nix

@@ -31,7 +31,7 @@ in {
     };
     # https://github.com/nixpak/nixpak/blob/master/modules/gui/fonts.nix
     # it works not well, bind system's /etc/fonts directly instead
-    fonts.enable = true;
+    fonts.enable = false;
     # https://github.com/nixpak/nixpak/blob/master/modules/locale.nix
     locale.enable = true;
     bubblewrap = {
@@ -66,7 +66,19 @@ in {
         "/etc/fonts" # for fontconfig
         "/etc/machine-id"
         "/etc/localtime"
+
+        # Fix: libEGL warning: egl: failed to create dri2 screen
+        "/etc/egl"
+        "/etc/static/egl"
       ];
+      bind.dev = [
+        # seems required when using nvidia as primary gpu
+        "/dev/nvidia0"
+        "/dev/nvidiactl"
+        "/dev/nvidia-modeset"
+        "/dev/nvidia-uvm"
+      ];
+
       env = {
         XDG_DATA_DIRS = lib.mkForce (lib.makeSearchPath "share" [
           iconTheme

hardening/nixpaks/qq-desktop-item.nix

@@ -7,7 +7,9 @@ makeDesktopItem {
   desktopName = "QQ";
   exec = "qq %U";
   terminal = false;
-  # icon = "qq";
+  # To find the icon name(nushell):
+  #   let p = NIXPKGS_ALLOW_UNFREE=1 nix eval --impure nixpkgs#qq.outPath | str trim --char '"'
+  #   tree $"($p)/share/icons"
   icon = "${qq}/share/icons/hicolor/512x512/apps/qq.png";
   type = "Application";
   categories = ["Network"];

hardening/nixpaks/qq.nix

@@ -34,8 +34,13 @@ mkNixPak {
       "org.kde.StatusNotifierWatcher" = "talk";
     };
     bubblewrap = {
+      # To trace all the home files QQ accesses, you can use the following nushell command:
+      #   just trace-access qq
+      # See the Justfile in the root of this repository for more information.
       bind.rw = [
-        (sloth.concat [sloth.xdgConfigHome "/QQ"])
+        # given the read write permission to the following directories.
+        # NOTE: sloth.mkdir is used to create the directory if it does not exist!
+        (sloth.mkdir (sloth.concat [sloth.xdgConfigHome "/QQ"]))
         (sloth.mkdir (sloth.concat [sloth.xdgDownloadDir "/QQ"]))
       ];
       sockets = {
@@ -45,11 +50,6 @@ mkNixPak {
       };
       bind.dev = [
         "/dev/shm" # Shared Memory
-
-        # seems required when using nvidia as primary gpu
-        "/dev/nvidia0"
-        "/dev/nvidia-uvm"
-        "/dev/nvidia-modeset"
       ];
       tmpfs = [
         "/tmp"

hardening/nixpaks/wechat-uos-desktop-item.nix

@@ -0,0 +1,17 @@
+{
+  makeDesktopItem,
+  wechat-uos,
+}:
+makeDesktopItem {
+  name = "wechat";
+  desktopName = "WeChat";
+  exec = "wechat-uos %U";
+  terminal = false;
+  # To find the icon name(nushell):
+  #   let p = NIXPKGS_ALLOW_UNFREE=1 nix eval --impure nixpkgs#wechat-uos.outPath | str trim --char '"'
+  #   tree $"($p)/share/icons"
+  icon = "${wechat-uos}/share/icons/hicolor/256x256/apps/com.tencent.wechat.png";
+  type = "Application";
+  categories = ["Network"];
+  comment = "Wechat boxed";
+}

hardening/nixpaks/wechat-uos.nix

@@ -0,0 +1,73 @@
+# TODO: wechat-uos is running in FHS sandbox by default, it's problematic
+#   to wrap it again via flatpak. We need to find a way to fix it.
+#   https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/by-name/we/wechat-uos/package.nix
+# Refer:
+# - Flatpak manifest's docs:
+#   - https://docs.flatpak.org/en/latest/manifests.html
+#   - https://docs.flatpak.org/en/latest/sandbox-permissions.html
+# - wechat-uos's flatpak manifest: https://github.com/flathub/com.tencent.WeChat/blob/master/com.tencent.WeChat.yaml
+{
+  lib,
+  pkgs,
+  mkNixPak,
+  ...
+}:
+mkNixPak {
+  config = {sloth, ...}: {
+    app = {
+      package = pkgs.wechat-uos;
+      binPath = "bin/wechat-uos";
+    };
+    flatpak.appId = "com.tencent.WeChat";
+
+    imports = [
+      ./modules/gui-base.nix
+      ./modules/network.nix
+    ];
+
+    # list all dbus services:
+    #   ls -al /run/current-system/sw/share/dbus-1/services/
+    #   ls -al /etc/profiles/per-user/ryan/share/dbus-1/services/
+    dbus.policies = {
+      "org.gnome.Shell.Screencast" = "talk";
+      # System tray icon
+      "org.freedesktop.Notifications" = "talk";
+      "org.kde.StatusNotifierWatcher" = "talk";
+      # File Manager
+      "org.freedesktop.FileManager1" = "talk";
+      # Uses legacy StatusNotifier implementation
+      "org.kde.*" = "own";
+    };
+    bubblewrap = {
+      # To trace all the home files QQ accesses, you can use the following nushell command:
+      #   just trace-access wechat-uos
+      # See the Justfile in the root of this repository for more information.
+      bind.rw = [
+        # given the read write permission to the following directories.
+        # NOTE: sloth.mkdir is used to create the directory if it does not exist!
+        (sloth.mkdir (sloth.concat [sloth.homeDir "/.xwechat"]))
+        (sloth.mkdir (sloth.concat [sloth.xdgDocumentsDir "/xwechat_files"]))
+        (sloth.mkdir (sloth.concat [sloth.xdgDocumentsDir "/WeChat_Data/"]))
+        (sloth.mkdir (sloth.concat [sloth.xdgDownloadDir "/WeChat"]))
+      ];
+      sockets = {
+        x11 = false;
+        wayland = true;
+        pipewire = true;
+      };
+      bind.dev = [
+        "/dev/shm" # Shared Memory
+      ];
+      tmpfs = [
+        "/tmp"
+      ];
+
+      env = {
+        # Hidpi scale
+        "QT_AUTO_SCREEN_SCALE_FACTOR" = "1";
+        # Only supports xcb
+        "QT_QPA_PLATFORM" = "kcb";
+      };
+    };
+  };
+}

home/base/core/core.nix

@@ -62,7 +62,7 @@
       # do not enable aliases in nushell!
       enableNushellIntegration = false;
       git = true;
-      icons = true;
+      icons = "auto";
     };
 
     # a cat(1) clone with syntax highlighting and Git integration.

home/base/core/shells/config.nu

@@ -109,8 +109,7 @@ $env.config = {
     vi_insert: block # block, underscore, line , blink_block, blink_underscore, blink_line (block is the default)
     vi_normal: underscore # block, underscore, line, blink_block, blink_underscore, blink_line (underscore is the default)
   }
-  use_grid_icons: true
-  footer_mode: "25" # always, never, number_of_rows, auto
+  footer_mode: "auto" # always, never, number_of_rows, auto
   float_precision: 2 # the precision for displaying floats in tables
   # buffer_editor: "emacs" # command that will be used to edit the current line buffer with ctrl+o, if unset fallback to $env.EDITOR and $env.VISUAL
   bracketed_paste: true # enable bracketed paste, currently useless on windows

home/base/core/shells/default.nix

@@ -1,10 +1,18 @@
-{pkgs-unstable, ...}: let
+{
+  config,
+  pkgs-unstable,
+  ...
+}: let
   shellAliases = {
     k = "kubectl";
 
     urldecode = "python3 -c 'import sys, urllib.parse as ul; print(ul.unquote_plus(sys.stdin.read()))'";
     urlencode = "python3 -c 'import sys, urllib.parse as ul; print(ul.quote_plus(sys.stdin.read()))'";
   };
+
+  localBin = "${config.home.homeDirectory}/.local/bin";
+  goBin = "${config.home.homeDirectory}/go/bin";
+  rustBin = "${config.home.homeDirectory}/.cargo/bin";
 in {
   # only works in bash/zsh, not nushell
   home.shellAliases = shellAliases;
@@ -20,7 +28,7 @@ in {
     enable = true;
     enableCompletion = true;
     bashrcExtra = ''
-      export PATH="$HOME/.local/bin:$HOME/go/bin:$PATH"
+      export PATH="$PATH:${localBin}:${goBin}:${rustBin}"
     '';
   };
 }

home/base/gui/terminal/README.md

@@ -13,13 +13,11 @@ My current terminal emulators are:
 1. kitty: My main terminal emulator.
    1. to select/copy a large mount of text, We should do some tricks via kitty's `scrollback_pager`
       with neovim, it's really painful: <https://github.com/kovidgoyal/kitty/issues/719>
-2. wezterm: My secondary terminal emulator.
-   1. its search ability is very basic, and it's not easy to use.
-   1. its scrollback buffer's copy mode is very like vim, which is nice, but zellij's even better,
-      it can use neovim as its default scrollback buffer's editor without any pain!
-3. foot: a fast, lightweight and minimalistic Wayland terminal emulator.
+2. foot: A fast, lightweight and minimalistic Wayland terminal emulator.
    1. foot only do the things a terminal emulator should do, no more, no less.
    1. It's really suitable for tiling window manager or zellij users!
+3. alacritty: A cross-platform, GPU-accelerated terminal emulator.
+   1. alacritty is really fast, I use it as a backup terminal emulator on all my desktops.
 
 ## 'xterm-kitty': unknown terminal type when `ssh` into a remote host or `sudo xxx`
 

home/base/gui/terminal/alacritty/catppuccin-mocha.toml

@@ -0,0 +1,65 @@
+[colors.primary]
+background = "#1e1e2e"
+foreground = "#cdd6f4"
+dim_foreground = "#7f849c"
+bright_foreground = "#cdd6f4"
+
+[colors.cursor]
+text = "#1e1e2e"
+cursor = "#f5e0dc"
+
+[colors.vi_mode_cursor]
+text = "#1e1e2e"
+cursor = "#b4befe"
+
+[colors.search.matches]
+foreground = "#1e1e2e"
+background = "#a6adc8"
+
+[colors.search.focused_match]
+foreground = "#1e1e2e"
+background = "#a6e3a1"
+
+[colors.footer_bar]
+foreground = "#1e1e2e"
+background = "#a6adc8"
+
+[colors.hints.start]
+foreground = "#1e1e2e"
+background = "#f9e2af"
+
+[colors.hints.end]
+foreground = "#1e1e2e"
+background = "#a6adc8"
+
+[colors.selection]
+text = "#1e1e2e"
+background = "#f5e0dc"
+
+[colors.normal]
+black = "#45475a"
+red = "#f38ba8"
+green = "#a6e3a1"
+yellow = "#f9e2af"
+blue = "#89b4fa"
+magenta = "#f5c2e7"
+cyan = "#94e2d5"
+white = "#bac2de"
+
+[colors.bright]
+black = "#585b70"
+red = "#f38ba8"
+green = "#a6e3a1"
+yellow = "#f9e2af"
+blue = "#89b4fa"
+magenta = "#f5c2e7"
+cyan = "#94e2d5"
+white = "#a6adc8"
+
+[[colors.indexed_colors]]
+index = 16
+color = "#fab387"
+
+[[colors.indexed_colors]]
+index = 17
+color = "#f5e0dc"

home/base/gui/terminal/alacritty/default.nix

@@ -0,0 +1,66 @@
+{
+  pkgs,
+  pkgs-unstable,
+  ...
+}:
+###########################################################
+#
+# Alacritty Configuration
+#
+# Useful Hot Keys for macOS:
+#   1. Multi-Window: `command + N`
+#   2. Increase Font Size: `command + =` | `command + +`
+#   3. Decrease Font Size: `command + -` | `command + _`
+#   4. Search Text: `command + F`
+#   5. And Other common shortcuts such as Copy, Paste, Cursor Move, etc.
+#
+# Useful Hot Keys for Linux:
+#   1. Increase Font Size: `ctrl + shift + =` | `ctrl + shift + +`
+#   2. Decrease Font Size: `ctrl + shift + -` | `ctrl + shift + _`
+#   3. Search Text: `ctrl + shift + N`
+#   4. And Other common shortcuts such as Copy, Paste, Cursor Move, etc.
+#
+# Note: Alacritty do not have support for Tabs, and any graphic protocol.
+#
+###########################################################
+{
+  programs.alacritty = {
+    enable = true;
+    package = pkgs-unstable.alacritty;
+    # https://alacritty.org/config-alacritty.html
+    settings = {
+      general.import = [
+        ./catppuccin-mocha.toml
+      ];
+      window = {
+        opacity = 0.93;
+        startup_mode = "Maximized"; # Maximized window
+        dynamic_title = true;
+        option_as_alt = "Both"; # Option key acts as Alt on macOS
+      };
+      scrolling = {
+        history = 10000;
+      };
+      font = {
+        bold = {family = "JetBrainsMono Nerd Font";};
+        italic = {family = "JetBrainsMono Nerd Font";};
+        normal = {family = "JetBrainsMono Nerd Font";};
+        bold_italic = {family = "JetBrainsMono Nerd Font";};
+        size =
+          if pkgs.stdenv.isDarwin
+          then 14
+          else 13;
+      };
+      terminal = {
+        # Spawn a nushell in login mode via `bash`
+        shell = {
+          program = "${pkgs.bash}/bin/bash";
+          args = ["--login" "-c" "nu --login --interactive"];
+        };
+        # Controls the ability to write to the system clipboard with the OSC 52 escape sequence.
+        # It's used by zellij to copy text to the system clipboard.
+        osc52 = "CopyPaste";
+      };
+    };
+  };
+}

home/base/gui/terminal/foot.nix

@@ -0,0 +1,62 @@
+{pkgs, ...}: {
+  programs.foot = {
+    # foot is designed only for Linux
+    enable = pkgs.stdenv.isLinux;
+    # https://man.archlinux.org/man/foot.ini.5
+    settings = {
+      main = {
+        term = "foot"; # or "xterm-256color" for maximum compatibility
+        font = "JetBrainsMono Nerd Font:size=14";
+        dpi-aware = "yes";
+
+        # Spawn a nushell in login mode via `bash`
+        shell = "${pkgs.bash}/bin/bash --login -c 'nu --login --interactive'";
+      };
+
+      mouse = {
+        hide-when-typing = "yes";
+      };
+
+      # https://github.com/catppuccin/foot/blob/main/themes/catppuccin-mocha.ini
+      cursor = {
+        color = "11111b f5e0dc";
+      };
+      colors = {
+        alpha = "0.93"; # background opacity
+
+        foreground = "cdd6f4";
+        background = "1e1e2e";
+
+        regular0 = "45475a";
+        regular1 = "f38ba8";
+        regular2 = "a6e3a1";
+        regular3 = "f9e2af";
+        regular4 = "89b4fa";
+        regular5 = "f5c2e7";
+        regular6 = "94e2d5";
+        regular7 = "bac2de";
+
+        bright0 = "585b70";
+        bright1 = "f38ba8";
+        bright2 = "a6e3a1";
+        bright3 = "f9e2af";
+        bright4 = "89b4fa";
+        bright5 = "f5c2e7";
+        bright6 = "94e2d5";
+        bright7 = "a6adc8";
+
+        "16" = "fab387";
+        "17" = "f5e0dc";
+
+        "selection-foreground" = "cdd6f4";
+        "selection-background" = "414356";
+
+        "search-box-no-match" = "11111b f38ba8";
+        "search-box-match" = "cdd6f4 313244";
+
+        "jump-labels" = "11111b fab387";
+        urls = "89b4fa";
+      };
+    };
+  };
+}

home/base/gui/terminal/kitty.nix

@@ -19,7 +19,7 @@
     # kitty has catppuccin theme built-in,
     # all the built-in themes are packaged into an extra package named `kitty-themes`
     # and it's installed by home-manager if `theme` is specified.
-    theme = "Catppuccin-Mocha";
+    themeFile = "Catppuccin-Mocha";
     font = {
       name = "JetBrainsMono Nerd Font";
       # use different font size on macOS
@@ -29,7 +29,7 @@
         else 13;
     };
 
-    # consistent with wezterm
+    # consistent with other terminal emulators
     keybindings = {
       "ctrl+shift+m" = "toggle_maximized";
       "ctrl+shift+f" = "show_scrollback"; # search in the current window

home/base/gui/terminal/wezterm.nix

@@ -1,105 +0,0 @@
-{pkgs, ...}:
-###########################################################
-#
-# Wezterm Configuration
-#
-# Useful Hot Keys for Linux(replace `ctrl + shift` with `cmd` on macOS)):
-#   1. Increase Font Size: `ctrl + shift + =` | `ctrl + shift + +`
-#   2. Decrease Font Size: `ctrl + shift + -` | `ctrl + shift + _`
-#   3. And Other common shortcuts such as Copy, Paste, Cursor Move, etc.
-#
-# Default Keybindings: https://wezfurlong.org/wezterm/config/default-keys.html
-#
-###########################################################
-{
-  # wezterm has catppuccin theme built-in,
-  # it's not necessary to install it separately.
-
-  # we can add wezterm as a flake input once this PR is merged:
-  #    https://github.com/wez/wezterm/pull/3547
-
-  programs.wezterm = {
-    enable = true; # disable
-
-    # install wezterm via homebrew on macOS to avoid compilation, dummy package here.
-    package =
-      if pkgs.stdenv.isLinux
-      then pkgs.wezterm
-      else pkgs.hello;
-
-    enableBashIntegration = pkgs.stdenv.isLinux;
-    enableZshIntegration = pkgs.stdenv.isLinux;
-
-    extraConfig = let
-      fontsize =
-        if pkgs.stdenv.isLinux
-        then "13.0"
-        else "14.0";
-    in ''
-      -- Pull in the wezterm API
-      local wezterm = require 'wezterm'
-
-      -- This table will hold the configuration.
-      local config = {}
-
-      -- In newer versions of wezterm, use the config_builder which will
-      -- help provide clearer error messages
-      if wezterm.config_builder then
-        config = wezterm.config_builder()
-      end
-
-      wezterm.on('toggle-opacity', function(window, pane)
-        local overrides = window:get_config_overrides() or {}
-        if not overrides.window_background_opacity then
-          overrides.window_background_opacity = 0.93
-        else
-          overrides.window_background_opacity = nil
-        end
-        window:set_config_overrides(overrides)
-      end)
-
-      wezterm.on('toggle-maximize', function(window, pane)
-        window:maximize()
-      end)
-
-      -- This is where you actually apply your config choices
-      config.color_scheme = "Catppuccin Mocha"
-      config.font = wezterm.font_with_fallback {
-        "JetBrainsMono Nerd Font",
-        "FiraCode Nerd Font",
-
-        -- To avoid 'Chinese characters displayed as variant (Japanese) glyphs'
-        "Source Han Sans SC",
-        "Source Han Sans TC"
-      }
-
-      config.hide_tab_bar_if_only_one_tab = true
-      config.scrollback_lines = 10000
-      config.enable_scroll_bar = true
-      config.term = 'wezterm'
-
-      config.keys = {
-        -- toggle opacity(CTRL + SHIFT + B)
-        {
-          key = 'B',
-          mods = 'CTRL',
-          action = wezterm.action.EmitEvent 'toggle-opacity',
-        },
-        {
-          key = 'M',
-          mods = 'CTRL',
-          action = wezterm.action.EmitEvent 'toggle-maximize',
-        },
-      }
-      config.font_size = ${fontsize}
-
-      -- To resolve issues:
-      --   1. https://github.com/ryan4yin/nix-config/issues/26
-      --   2. https://github.com/ryan4yin/nix-config/issues/8
-      -- Spawn a nushell in login mode via `bash`
-      config.default_prog = { '${pkgs.bash}/bin/bash', '--login', '-c', 'nu --login --interactive' }
-
-      return config
-    '';
-  };
-}

home/base/tui/editors/emacs/default.nix

@@ -1,5 +1,5 @@
 # ==============================================
-# Based on doomemacs's auther's config:
+# Based on doomemacs's author's config:
 #   https://github.com/hlissner/dotfiles/blob/master/modules/editors/emacs.nix
 #
 # Emacs Tutorials:
@@ -15,12 +15,12 @@
 }:
 with lib; let
   cfg = config.modules.editors.emacs;
-  envExtra = ''
+  envExtra = lib.mkAfter ''
     export PATH="${config.xdg.configHome}/emacs/bin:$PATH"
   '';
   shellAliases = {
     e = "emacsclient --create-frame"; # gui
-    et = "emacsclient --create-frame --tty"; # termimal
+    et = "emacsclient --create-frame --tty"; # terminal
   };
   librime-dir = "${config.xdg.dataHome}/emacs/librime";
   parinfer-rust-lib-dir = "${config.xdg.dataHome}/emacs/parinfer-rust";

home/base/tui/editors/neovim/nvim/lua/plugins/astrolsp.lua

@@ -12,7 +12,7 @@ return {
     features = {
       autoformat = true, -- enable or disable auto formatting on start
       codelens = true, -- enable/disable codelens refresh on start
-      inlay_hints = false, -- enable/disable inlay hints on start
+      inlay_hints = true, -- enable/disable inlay hints on start
       semantic_tokens = true, -- enable/disable semantic token highlighting
     },
     -- customize lsp formatting options
@@ -72,7 +72,7 @@ return {
       "nushell", -- nushell language server
 
       ---- Web Development
-      "tsserver", -- typescript/javascript language server
+      "ts_ls", -- typescript/javascript language server
       "tailwindcss", -- tailwindcss language server
       "html", -- html language server
       "cssls", -- css language server
@@ -101,6 +101,18 @@ return {
         filetypes = { "scheme", "scm" },
         single_file_support = true,
       },
+      rust_analyzer = {
+        settings = {
+          -- Make the rust-analyzer use its own profile,
+          -- so you can run cargo build without that being blocked while rust-analyzer runs.
+          ["rust-analyzer"] = {
+            cargo = {
+              extraEnv = { CARGO_PROFILE_RUST_ANALYZER_INHERITS = "dev" },
+              extraArgs = { "--profile", "rust-analyzer" },
+            },
+          },
+        },
+      },
     },
     -- customize how language servers are attached
     handlers = {

home/base/tui/editors/neovim/nvim/lua/plugins/copilot.lua

@@ -1,6 +1,10 @@
 -- Custom copilot-lua to enable filetypes: markdown
 return {
-  "zbirenbaum/copilot.lua",
+  -- "zbirenbaum/copilot.lua",
+
+  -- Fix https://github.com/zbirenbaum/copilot.lua/pull/336
+  "ryan4yin/copilot.lua",
+  branch = "fix_issue_330",
   opts = function(_, opts)
     opts.filetypes = {
       yaml = true,

home/base/tui/editors/packages.nix

@@ -40,7 +40,7 @@
       marksman # language server for markdown
       glow # markdown previewer
       pandoc # document converter
-      hugo # static site generator
+      pkgs-unstable.hugo # static site generator
 
       #-- sql
       sqlfluff
@@ -64,6 +64,7 @@
       # llvmPackages.clang-unwrapped
       clang-tools
       lldb
+      vscode-extensions.vadimcn.vscode-lldb.adapter # codelldb - debugger
 
       #-- python
       pyright # python language server
@@ -95,9 +96,12 @@
       ))
 
       #-- rust
-      rust-analyzer
-      cargo # rust package manager
-      rustfmt
+      # we'd better use the rust-overlays for rust development
+      pkgs-unstable.rustc
+      pkgs-unstable.rust-analyzer
+      pkgs-unstable.cargo # rust package manager
+      pkgs-unstable.rustfmt
+      pkgs-unstable.clippy # rust linter
 
       #-- golang
       go

home/base/tui/encryption/default.nix

@@ -1,7 +1,11 @@
-{pkgs, ...}: {
+{
+  pkgs,
+  pkgs-unstable,
+  ...
+}: {
   home.packages = with pkgs; [
     age
-    sops
+    pkgs-unstable.sops
     rclone
   ];
 }

home/base/tui/zellij/default.nix

@@ -1,10 +1,20 @@
-let
+{
+  pkgs,
+  pkgs-stable,
+  ...
+}: let
   shellAliases = {
     "zj" = "zellij";
   };
 in {
   programs.zellij = {
     enable = true;
+    # [Linux] Revert to old v0.40.1 to fix:
+    # https://github.com/zellij-org/zellij/issues/3592
+    package =
+      if pkgs.stdenv.isLinux
+      then pkgs-stable.zellij
+      else pkgs.zellij;
   };
   # auto start zellij in nushell
   programs.nushell.extraConfig = ''

home/darwin/aerospace/aerospace.toml

@@ -121,7 +121,7 @@ alt-shift-equal = 'resize smart +50'
 
 # See: https://nikitabobko.github.io/AeroSpace/commands#workspace
 alt-1 = 'workspace 1Kitty'
-alt-2 = 'workspace 2Wez'
+alt-2 = 'workspace 2Alacritty'
 alt-3 = 'workspace 3Work'
 alt-4 = 'workspace 4Firefox'
 alt-5 = 'workspace 5Chrome'
@@ -134,7 +134,7 @@ alt-0 = 'workspace 10'
 
 # See: https://nikitabobko.github.io/AeroSpace/commands#move-node-to-workspace
 alt-shift-1 = 'move-node-to-workspace 1Kitty'
-alt-shift-2 = 'move-node-to-workspace 2Wez'
+alt-shift-2 = 'move-node-to-workspace 2Alacritty'
 alt-shift-3 = 'move-node-to-workspace 3Work'
 alt-shift-4 = 'move-node-to-workspace 4Firefox'
 alt-shift-5 = 'move-node-to-workspace 5Chrome'
@@ -200,8 +200,8 @@ if.app-id = 'net.kovidgoyal.kitty'
 run = 'move-node-to-workspace 1Kitty'
 
 [[on-window-detected]]
-if.app-id = 'com.github.wez.wezterm'
-run = 'move-node-to-workspace 2Wez'
+if.app-id = 'org.alacritty'
+run = 'move-node-to-workspace 2Alacritty'
 
 [[on-window-detected]]
 if.app-id = 'com.tencent.WeWorkMac'
@@ -246,7 +246,7 @@ run = 'layout floating'
 
 [workspace-to-monitor-force-assignment]
 1Kitty = 'secondary'  # Non-main monitor in case when there are only two monitors'
-2Wez = 'main'         # "Main" monitor ("main" as in System Settings → Displays → Use as)
+2Alacritty = 'main'         # "Main" monitor ("main" as in System Settings → Displays → Use as)
 3Work = 'main'
 4Firefox = 'main'
 5Chrome = 'secondary'

home/darwin/shell.nix

@@ -1,4 +1,4 @@
-let
+{lib, ...}: let
   envExtra = ''
     export PATH="$PATH:/opt/homebrew/bin:/usr/local/bin"
   '';
@@ -28,7 +28,7 @@ in {
   # in /opt/homebrew for Apple Silicon and /usr/local for Rosetta 2 to coexist and use bottles.
   programs.bash = {
     enable = true;
-    bashrcExtra = envExtra + initExtra;
+    bashrcExtra = lib.mkAfter (envExtra + initExtra);
   };
   programs.zsh = {
     enable = true;

home/linux/gui/base/creative.nix

@@ -15,6 +15,10 @@
     # reaper # audio production
     # sonic-pi # music programming
 
+    # 2d game design
+    ldtk # A modern, versatile 2D level editor
+    aseprite # Animated sprite editor & pixel art tool
+
     # this app consumes a lot of storage, so do not install it currently
     # kicad     # 3d printing, eletrical engineering
 
@@ -53,7 +57,7 @@
         obs-command-source
         obs-move-transition
         obs-backgroundremoval
-        advanced-scene-switcher
+        # advanced-scene-switcher
         obs-pipewire-audio-capture
       ];
     };

home/linux/gui/base/misc.nix

@@ -11,7 +11,7 @@
 
     # instant messaging
     telegram-desktop
-    discord
+    # discord # update too frequently, use the web version instead
 
     # remote desktop(rdp connect)
     remmina
@@ -24,6 +24,10 @@
     # my custom hardened packages
     pkgs.nixpaks.qq
     pkgs.nixpaks.qq-desktop-item
+
+    wechat-uos
+    # pkgs.nixpaks.wechat-uos
+    # pkgs.nixpaks.wechat-uos-desktop-item
   ];
 
   # GitHub CLI tool

home/linux/gui/base/xdg.nix

@@ -64,7 +64,6 @@
         # all other unknown schemes will be opened by this default application.
         # "x-scheme-handler/unknown" = editor;
 
-        "x-scheme-handler/discord" = ["discord.desktop"];
         "x-scheme-handler/tg" = ["org.telegram.desktop.desktop "];
 
         "audio/*" = ["mpv.desktop"];

home/linux/gui/hyprland/README.md

@@ -0,0 +1,9 @@
+# Hyprland
+
+## Troubleshooting
+
+show hyprland's log:
+
+```bash
+hyprctl rollinglog
+```

home/linux/gui/hyprland/conf/hyprland.conf

@@ -24,9 +24,6 @@ input {
 #-- General ----------------------------------------------------
 # General settings like MOD key, Gaps, Colors, etc.
 general {
-    sensitivity=2.0
-	apply_sens_to_raw=0
-
     gaps_in=5
     gaps_out=10
 
@@ -90,7 +87,7 @@ windowrule=size 100% 100%,wlogout
 windowrule=animation slide,wlogout
 
 #-- Keybindings ----------------------------------------------------
-$term = kitty
+$term = foot
 $app_launcher = ~/.config/hypr/scripts/menu
 $volume = ~/.config/hypr/scripts/volume
 $backlight = ~/.config/hypr/scripts/brightness

home/linux/gui/hyprland/conf/waybar/config.jsonc

@@ -46,8 +46,8 @@
   "cpu": {
     "format": "\udb80\udf5b {usage}%",
     "interval": 1,
-    "on-click-middle": "kitty btop",
-    "on-click-right": "kitty btop",
+    "on-click-middle": "foot btop",
+    "on-click-right": "foot btop",
   },
   "custom/launcher": {
     "format": "\uf313 ",
@@ -122,7 +122,7 @@
     "format-alt": " {bandwidthUpBytes} |  {bandwidthDownBytes}",
     "tooltip-format": " {ifname} via {gwaddr}",
     "on-click-middle": "nm-connection-editor",
-    "on-click-right": "kitty nmtui",
+    "on-click-right": "foot nmtui",
   },
   "pulseaudio": {
     //"format": "{volume}% {icon} {format_source}",

home/linux/gui/hyprland/options/nvidia.nix

@@ -16,6 +16,7 @@ in {
       "LIBVA_DRIVER_NAME,nvidia"
       "XDG_SESSION_TYPE,wayland"
       "GBM_BACKEND,nvidia-drm"
+      "AQ_DRM_DEVICES,/dev/dri/card1"
       "__GLX_VENDOR_LIBRARY_NAME,nvidia"
       # fix https://github.com/hyprwm/Hyprland/issues/1520
       "WLR_NO_HARDWARE_CURSORS,1"

home/linux/gui/hyprland/values/wayland-apps.nix

@@ -22,9 +22,9 @@
     + (builtins.readFile "${nur-ryan4yin.packages.${pkgs.system}.catppuccin-foot}/catppuccin-mocha.conf");
 
   home.packages = [
-    pkgs.firefox-wayland
-    # pkgs.nixpaks.firefox
-    # pkgs.nixpaks.firefox-desktop-item
+    # pkgs.firefox-wayland
+    pkgs.nixpaks.firefox
+    pkgs.nixpaks.firefox-desktop-item
   ];
 
   programs = {

hosts/idols-ai/default.nix

@@ -11,6 +11,7 @@ in {
     ./netdev-mount.nix
     # Include the results of the hardware scan.
     ./hardware-configuration.nix
+    ./nvidia.nix
 
     ./impermanence.nix
     ./secureboot.nix
@@ -28,24 +29,6 @@ in {
   # conflict with feature: containerd-snapshotter
   # virtualisation.docker.storageDriver = "btrfs";
 
-  # for Nvidia GPU
-  services.xserver.videoDrivers = ["nvidia"]; # will install nvidia-vaapi-driver by default
-  hardware.nvidia = {
-    # Optionally, you may need to select the appropriate driver version for your specific GPU.
-    # https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/os-specific/linux/nvidia-x11/default.nix
-    # package = config.boot.kernelPackages.nvidiaPackages.stable;
-
-    # required by most wayland compositors!
-    modesetting.enable = true;
-    powerManagement.enable = true;
-  };
-  hardware.nvidia-container-toolkit.enable = true;
-  hardware.graphics = {
-    enable = true;
-    # needed by nvidia-docker
-    enable32Bit = true;
-  };
-
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions
   # on your system were taken. It‘s perfectly fine and recommended to leave

hosts/idols-ai/hardware-configuration.nix

@@ -25,7 +25,6 @@
   boot.initrd.kernelModules = [];
   boot.kernelModules = ["kvm-intel"]; # kvm virtualization support
   boot.extraModprobeConfig = "options kvm_intel nested=1"; # for intel cpu
-  boot.kernelParams = ["nvidia.NVreg_PreserveVideoMemoryAllocations=1"];
   boot.extraModulePackages = [];
   # clear /tmp on boot to get a stateless /tmp directory.
   boot.tmp.cleanOnBoot = true;

hosts/idols-ai/impermanence.nix

@@ -123,10 +123,17 @@
         ".npm"
         ".conda" # generated by `conda-shell`
         "go"
+        ".cargo" # rust
+        ".m2" # maven
+        ".gradle" # gradle
 
         # neovim plugins(wakatime & copilot)
         ".wakatime"
         ".config/github-copilot"
+
+        # others
+        ".config/blender"
+        ".config/LDtk"
       ];
       files = [
         ".wakatime.cfg"

hosts/idols-ai/nvidia.nix

@@ -0,0 +1,48 @@
+{pkgs-unstable, ...}: {
+  # ===============================================================================================
+  # for Nvidia GPU
+  # ===============================================================================================
+
+  # https://wiki.hyprland.org/Nvidia/
+  boot.kernelParams = [
+    "nvidia.NVreg_PreserveVideoMemoryAllocations=1"
+    # Since NVIDIA does not load kernel mode setting by default,
+    # enabling it is required to make Wayland compositors function properly.
+    "nvidia-drm.fbdev=1"
+  ];
+  services.xserver.videoDrivers = ["nvidia"]; # will install nvidia-vaapi-driver by default
+  hardware.nvidia = {
+    open = false;
+    # Optionally, you may need to select the appropriate driver version for your specific GPU.
+    # https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/os-specific/linux/nvidia-x11/default.nix
+    # package = config.boot.kernelPackages.nvidiaPackages.stable;
+
+    # required by most wayland compositors!
+    modesetting.enable = true;
+    powerManagement.enable = true;
+  };
+
+  hardware.nvidia-container-toolkit.enable = true;
+  hardware.graphics = {
+    enable = true;
+    # needed by nvidia-docker
+    enable32Bit = true;
+  };
+  # disable cudasupport before this issue get fixed:
+  # https://github.com/NixOS/nixpkgs/issues/338315
+  nixpkgs.config.cudaSupport = false;
+
+  nixpkgs.overlays = [
+    (_: super: {
+      blender = super.blender.override {
+        # https://nixos.org/manual/nixpkgs/unstable/#opt-cudaSupport
+        cudaSupport = true;
+        waylandSupport = true;
+      };
+
+      # ffmpeg-full = super.ffmpeg-full.override {
+      #   withNvcodec = true;
+      # };
+    })
+  ];
+}

hosts/idols-aquamarine/gitea.nix

@@ -1,5 +1,4 @@
-{pkgs, ...}: let
-in {
+{pkgs, ...}: {
   # https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/misc/gitea.nix
   services.gitea = {
     enable = true;
@@ -24,6 +23,7 @@ in {
         HTTP_PORT = 3301;
         HTTP_ADDR = "127.0.0.1";
         DOMAIN = "git.writefor.fun";
+        ROOT_URL = "https://git.writefor.fun/";
       };
       # one of "Trace", "Debug", "Info", "Warn", "Error", "Critical"
       log.LEVEL = "Info";
@@ -32,6 +32,12 @@ in {
       # NOTE: The first registered user will be the administrator,
       # so this parameter should NOT be set before the first user registers!
       service.DISABLE_REGISTRATION = true;
+      # https://docs.gitea.com/administration/config-cheat-sheet#security-security
+      security = {
+        LOGIN_REMEMBER_DAYS = 31;
+        PASSWORD_HASH_ALGO = "scrypt";
+        MIN_PASSWORD_LENGTH = 10;
+      };
 
       # "cron.sync_external_users" = {
       #   RUN_AT_START = true;

hosts/idols-aquamarine/monitoring/README.md

@@ -1,4 +1,4 @@
-# Prometheus & Alertmanager
+# Monitoring & Alerting
 
 ## Alert Rules
 

hosts/idols-aquamarine/monitoring/alertmanager.nix

@@ -0,0 +1,47 @@
+{config, ...}: {
+  services.prometheus.alertmanager = {
+    enable = true;
+    listenAddress = "127.0.0.1";
+    port = 9093;
+    webExternalUrl = "http://alertmanager.writefor.fun";
+    logLevel = "info";
+
+    environmentFile = config.age.secrets."alertmanager.env".path;
+    configuration = {
+      global = {
+        # The smarthost and SMTP sender used for mail notifications.
+        smtp_smarthost = "smtp.qq.com:465";
+        smtp_from = "$SMTP_SENDER_EMAIL";
+        smtp_auth_username = "$SMTP_AUTH_USERNAME";
+        smtp_auth_password = "$SMTP_AUTH_PASSWORD";
+        # smtp.qq.com:465 support SSL only, so we need to disable TLS here.
+        # https://service.mail.qq.com/detail/0/310
+        smtp_require_tls = false;
+      };
+      route = {
+        receiver = "default";
+        routes = [
+          {
+            group_by = ["host"];
+            group_wait = "5m";
+            group_interval = "5m";
+            repeat_interval = "4h";
+            receiver = "default";
+          }
+        ];
+      };
+      receivers = [
+        {
+          name = "default";
+          email_configs = [
+            {
+              to = "ryan4yin@linux.com";
+              # Whether to notify about resolved alerts.
+              send_resolved = true;
+            }
+          ];
+        }
+      ];
+    };
+  };
+}

hosts/idols-aquamarine/monitoring/default.nix

@@ -0,0 +1,6 @@
+{mylib, ...}: {
+  imports = [
+    ./victoriametrics.nix
+    ./alertmanager.nix
+  ];
+}

hosts/idols-aquamarine/monitoring/victoriametrics.nix

@@ -0,0 +1,143 @@
+{
+  lib,
+  myvars,
+  ...
+}: {
+  # Since victoriametrics use DynamicUser, the user & group do not exists before the service starts.
+  # this group is used as a supplementary Unix group for the service to access our data dir(/data/apps/xxx)
+  users.groups.victoriametrics-data = {};
+
+  # Workaround for victoriametrics to store data in another place
+  # https://www.freedesktop.org/software/systemd/man/latest/tmpfiles.d.html#Type
+  systemd.tmpfiles.rules = [
+    "D /data/apps/victoriametrics 0770 root victoriametrics-data - -"
+  ];
+
+  # Symlinks do not work with DynamicUser, so we should use bind mount here.
+  # https://github.com/systemd/systemd/issues/25097#issuecomment-1929074961
+  systemd.services.victoriametrics.serviceConfig = {
+    SupplementaryGroups = ["victoriametrics-data"];
+    BindPaths = ["/data/apps/victoriametrics:/var/lib/victoriametrics:rbind"];
+  };
+
+  # https://victoriametrics.io/docs/victoriametrics/latest/configuration/configuration/
+  services.victoriametrics = {
+    enable = true;
+    listenAddress = "127.0.0.1:9090";
+    retentionPeriod = "30d";
+
+    extraOptions = [
+      # Allowed percent of system memory VictoriaMetrics caches may occupy.
+      "-memory.allowedPercent=50"
+    ];
+    # Directory below /var/lib to store victoriametrics metrics data.
+    stateDir = "victoriametrics";
+
+    # specifies a set of targets and parameters describing how to scrape metrics from them.
+    # https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config
+    prometheusConfig = {
+      scrape_configs =
+        [
+          # --- Homelab Applications --- #
+
+          {
+            job_name = "dnsmasq-exporter";
+            scrape_interval = "30s";
+            metrics_path = "/metrics";
+            static_configs = [
+              {
+                targets = ["${myvars.networking.hostsAddr.suzi.ipv4}:9153"];
+                labels.type = "app";
+                labels.app = "dnsmasq";
+                labels.host = "suzi";
+              }
+            ];
+          }
+
+          {
+            job_name = "v2ray-exporter";
+            scrape_interval = "30s";
+            metrics_path = "/metrics";
+            static_configs = [
+              {
+                targets = ["${myvars.networking.hostsAddr.aquamarine.ipv4}:9153"];
+                labels.type = "app";
+                labels.app = "v2ray";
+                labels.host = "aquamarine";
+              }
+            ];
+          }
+          {
+            job_name = "postgres-exporter";
+            scrape_interval = "30s";
+            metrics_path = "/metrics";
+            static_configs = [
+              {
+                targets = ["${myvars.networking.hostsAddr.aquamarine.ipv4}:9187"];
+                labels.type = "app";
+                labels.app = "postgresql";
+                labels.host = "aquamarine";
+              }
+            ];
+          }
+          {
+            job_name = "sftpgo-embedded-exporter";
+            scrape_interval = "30s";
+            metrics_path = "/metrics";
+            static_configs = [
+              {
+                targets = ["${myvars.networking.hostsAddr.aquamarine.ipv4}:10000"];
+                labels.type = "app";
+                labels.app = "sftpgo";
+                labels.host = "aquamarine";
+              }
+            ];
+          }
+        ]
+        # --- Hosts --- #
+        ++ (
+          lib.attrsets.foldlAttrs
+          (acc: hostname: addr:
+            acc
+            ++ [
+              {
+                job_name = "node-exporter-${hostname}";
+                scrape_interval = "30s";
+                metrics_path = "/metrics";
+                static_configs = [
+                  {
+                    # All my NixOS hosts.
+                    targets = ["${addr.ipv4}:9100"];
+                    labels.type = "node";
+                    labels.host = hostname;
+                  }
+                ];
+              }
+            ])
+          []
+          myvars.networking.hostsAddr
+        );
+    };
+  };
+
+  services.vmalert = {
+    enable = true;
+    settings = {
+      "datasource.url" = "http://localhost:9090";
+      "notifier.url" = ["http://localhost:9093"]; # alertmanager's api
+
+      # Whether to disable long-lived connections to the datasource.
+      "datasource.disableKeepAlive" = true;
+      # Whether to avoid stripping sensitive information such as auth headers or passwords
+      # from URLs in log messages or UI and exported metrics.
+      "datasource.showURL" = false;
+      rule = [
+        ./alert_rules/node-exporter.yml
+        ./alert_rules/kubestate-exporter.yml
+        ./alert_rules/etcd_embedded-exporter.yml
+        ./alert_rules/istio_embedded-exporter.yml
+        ./alert_rules/coredns_embedded-exporter.yml
+      ];
+    };
+  };
+}

hosts/idols-aquamarine/oci-containers/homepage/config/services.yaml

@@ -63,7 +63,16 @@
         href: "https://minio-ui.writefor.fun/"
         description: S3 compatible object storage
         siteMonitor: "https://minio-ui.writefor.fun/"
-
+    - Gitea:
+        icon: gitea.png
+        href: "https://git.writefor.fun/"
+        description: Gitea - Git with a cup of tea
+        siteMonitor: "https://git.writefor.fun/"
+    - Transmission:
+        icon: transmission.png
+        href: "https://transmission.writefor.fun/"
+        description: Transmission BitTorrent client
+        siteMonitor: "https://transmission.writefor.fun/"
 # - Kubernetes Monitoring:
 #     # TODO: Update this
 #     - Emby:

hosts/idols-aquamarine/prometheus/alert_rules/coredns_embedded-exporter.yml

@@ -1,13 +0,0 @@
-groups:
-  - name: EmbeddedExporter
-
-    rules:
-      - alert: CorednsPanicCount
-        expr: "increase(coredns_panics_total[1m]) > 0"
-        for: 0m
-        labels:
-          severity: critical
-        annotations:
-          summary: CoreDNS Panic Count (instance {{ $labels.instance }})
-          description:
-            "Number of CoreDNS panics encountered\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"

hosts/idols-aquamarine/prometheus/default.nix

@@ -1,192 +0,0 @@
-{
-  lib,
-  config,
-  myvars,
-  ...
-}: {
-  # Workaround for prometheus to store data in another place
-  # https://www.freedesktop.org/software/systemd/man/latest/tmpfiles.d.html#Type
-  systemd.tmpfiles.rules = [
-    "D /data/apps/prometheus2 0751 prometheus prometheus - -"
-    "L+ /var/lib/prometheus2 - - - - /data/apps/prometheus2"
-  ];
-
-  # https://prometheus.io/docs/prometheus/latest/configuration/configuration/
-  services.prometheus = {
-    enable = true;
-    checkConfig = true;
-    listenAddress = "127.0.0.1";
-    port = 9090;
-    webExternalUrl = "http://prometheus.writefor.fun";
-
-    extraFlags = [
-      "--storage.tsdb.retention.time=30d"
-      # https://prometheus.io/docs/prometheus/latest/storage/#remote-storage-integrations
-      "--web.enable-remote-write-receiver"
-    ];
-    # Directory below /var/lib to store Prometheus metrics data.
-    stateDir = "prometheus2";
-
-    # Reload prometheus when configuration file changes (instead of restart).
-    enableReload = true;
-    # https://prometheus.io/docs/prometheus/latest/configuration/configuration/#remote_read
-    # remoteRead = [];
-
-    # Rules are read from these files.
-    # https://prometheus.io/docs/prometheus/latest/configuration/recording_rules/
-    #
-    # Prometheus supports two types of rules which may be configured
-    # and then evaluated at regular intervals:
-    #   1. Recording rules
-    #      Recording rules allow you to precompute frequently needed or computationally
-    #      expensive expressions and save their result as a new set of time series.
-    #      Querying the precomputed result will then often be much faster than executing the original expression.
-    #      This is especially useful for dashboards, which need to query the same expression repeatedly every time they refresh.
-    #   2. Alerting rules
-    #      Alerting rules allow you to define alert conditions based on Prometheus expression language expressions
-    #      and to send notifications about firing alerts to an external service.
-    ruleFiles = [
-      ./alert_rules/node-exporter.yml
-      ./alert_rules/kubestate-exporter.yml
-      ./alert_rules/etcd_embedded-exporter.yml
-      ./alert_rules/istio_embedded-exporter.yml
-      ./alert_rules/coredns_embedded-exporter.yml
-
-      # ./recording_rules.yml
-    ];
-
-    # specifies a set of targets and parameters describing how to scrape metrics from them.
-    # https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config
-    scrapeConfigs =
-      [
-        # --- Homelab Applications --- #
-
-        {
-          job_name = "dnsmasq-exporter";
-          scrape_interval = "30s";
-          metrics_path = "/metrics";
-          static_configs = [
-            {
-              targets = ["${myvars.networking.hostsAddr.suzi.ipv4}:9153"];
-              labels.type = "app";
-              labels.app = "dnsmasq";
-              labels.host = "suzi";
-            }
-          ];
-        }
-
-        {
-          job_name = "v2ray-exporter";
-          scrape_interval = "30s";
-          metrics_path = "/metrics";
-          static_configs = [
-            {
-              targets = ["${myvars.networking.hostsAddr.aquamarine.ipv4}:9153"];
-              labels.type = "app";
-              labels.app = "v2ray";
-              labels.host = "aquamarine";
-            }
-          ];
-        }
-        {
-          job_name = "postgres-exporter";
-          scrape_interval = "30s";
-          metrics_path = "/metrics";
-          static_configs = [
-            {
-              targets = ["${myvars.networking.hostsAddr.aquamarine.ipv4}:9187"];
-              labels.type = "app";
-              labels.app = "postgresql";
-              labels.host = "aquamarine";
-            }
-          ];
-        }
-        {
-          job_name = "sftpgo-embedded-exporter";
-          scrape_interval = "30s";
-          metrics_path = "/metrics";
-          static_configs = [
-            {
-              targets = ["${myvars.networking.hostsAddr.aquamarine.ipv4}:10000"];
-              labels.type = "app";
-              labels.app = "sftpgo";
-              labels.host = "aquamarine";
-            }
-          ];
-        }
-      ]
-      # --- Hosts --- #
-      ++ (
-        lib.attrsets.foldlAttrs
-        (acc: hostname: addr:
-          acc
-          ++ [
-            {
-              job_name = "node-exporter-${hostname}";
-              scrape_interval = "30s";
-              metrics_path = "/metrics";
-              static_configs = [
-                {
-                  # All my NixOS hosts.
-                  targets = ["${addr.ipv4}:9100"];
-                  labels.type = "node";
-                  labels.host = hostname;
-                }
-              ];
-            }
-          ])
-        []
-        myvars.networking.hostsAddr
-      );
-
-    # specifies Alertmanager instances the Prometheus server sends alerts to
-    # https://prometheus.io/docs/prometheus/latest/configuration/configuration/#alertmanager_config
-    alertmanagers = [{static_configs = [{targets = ["localhost:9093"];}];}];
-  };
-
-  services.prometheus.alertmanager = {
-    enable = true;
-    listenAddress = "127.0.0.1";
-    port = 9093;
-    webExternalUrl = "http://alertmanager.writefor.fun";
-    logLevel = "info";
-
-    environmentFile = config.age.secrets."alertmanager.env".path;
-    configuration = {
-      global = {
-        # The smarthost and SMTP sender used for mail notifications.
-        smtp_smarthost = "smtp.qq.com:465";
-        smtp_from = "$SMTP_SENDER_EMAIL";
-        smtp_auth_username = "$SMTP_AUTH_USERNAME";
-        smtp_auth_password = "$SMTP_AUTH_PASSWORD";
-        # smtp.qq.com:465 support SSL only, so we need to disable TLS here.
-        # https://service.mail.qq.com/detail/0/310
-        smtp_require_tls = false;
-      };
-      route = {
-        receiver = "default";
-        routes = [
-          {
-            group_by = ["host"];
-            group_wait = "5m";
-            group_interval = "5m";
-            repeat_interval = "4h";
-            receiver = "default";
-          }
-        ];
-      };
-      receivers = [
-        {
-          name = "default";
-          email_configs = [
-            {
-              to = "ryan4yin@linux.com";
-              # Whether to notify about resolved alerts.
-              send_resolved = true;
-            }
-          ];
-        }
-      ];
-    };
-  };
-}

hosts/idols-aquamarine/proxy.nix

@@ -1,6 +1,6 @@
 {
   # dae(running on aquamarine) do not provides http/socks5 proxy server; so we use v2ray here.
-  # https=//github.com/v2fly
+  # https://github.com/v2fly
   services.v2ray = {
     enable = true;
     config = {

hosts/idols-aquamarine/sftpgo.nix

@@ -8,7 +8,7 @@ in {
   # Create Directories
   # https://www.freedesktop.org/software/systemd/man/latest/tmpfiles.d.html#Type
   systemd.tmpfiles.rules = [
-    "d ${dataDir} 0755 ${user} ${user}"
+    "D ${dataDir} 0755 ${user} ${user}"
   ];
 
   services.sftpgo = {

hosts/k8s/README.md

@@ -28,7 +28,10 @@ Clusters running as virtual machines on the KubeVirt cluster, for testing and pr
    1. `k3s-prod-1-worker-1`
    1. `k3s-prod-1-worker-2`
    1. `k3s-prod-1-worker-3`
-1. For testing:. 2. `k3s-test-1-master-1` 3. `k3s-test-1-master-2` 4. `k3s-test-1-master-3`
+1. For testing:
+   1. `k3s-test-1-master-1`
+   2. `k3s-test-1-master-2`
+   3. `k3s-test-1-master-3`
 
 ## Kubernetes Resources
 

lib/colmenaSystem.nix

@@ -30,6 +30,7 @@ in
           {
             home-manager.useGlobalPkgs = true;
             home-manager.useUserPackages = true;
+            home-manager.backupFileExtension = "home-manager.backup";
 
             home-manager.extraSpecialArgs = specialArgs;
             home-manager.users."${myvars.username}".imports = home-modules;

lib/macosSystem.nix

@@ -27,6 +27,7 @@ in
           {
             home-manager.useGlobalPkgs = true;
             home-manager.useUserPackages = true;
+            home-manager.backupFileExtension = "home-manager.backup";
 
             home-manager.extraSpecialArgs = specialArgs;
             home-manager.users."${myvars.username}".imports = home-modules;

lib/nixosSystem.nix

@@ -25,6 +25,7 @@ in
           {
             home-manager.useGlobalPkgs = true;
             home-manager.useUserPackages = true;
+            home-manager.backupFileExtension = "home-manager.backup";
 
             home-manager.extraSpecialArgs = specialArgs;
             home-manager.users."${myvars.username}".imports = home-modules;

modules/base.nix

@@ -2,8 +2,6 @@
   pkgs,
   myvars,
   nuenv,
-  nixpkgs,
-  lib,
   ...
 } @ args: {
   nixpkgs.overlays =
@@ -89,34 +87,21 @@
     # substituers that will be considered before the official ones(https://cache.nixos.org)
     substituters = [
       # cache mirror located in China
-      # status: https://mirror.sjtu.edu.cn/
-      "https://mirror.sjtu.edu.cn/nix-channels/store"
       # status: https://mirrors.ustc.edu.cn/status/
       "https://mirrors.ustc.edu.cn/nix-channels/store"
       "https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store"
+      # status: https://mirror.sjtu.edu.cn/
+      "https://mirror.sjtu.edu.cn/nix-channels/store"
 
       "https://nix-community.cachix.org"
-      # my own cache server
-      "https://ryan4yin.cachix.org"
-      # cuda-maintainer's cache server
-      "https://cuda-maintainers.cachix.org"
+      # my own cache server, currently not used.
+      # "https://ryan4yin.cachix.org"
     ];
 
     trusted-public-keys = [
       "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
       "ryan4yin.cachix.org-1:Gbk27ZU5AYpGS9i3ssoLlwdvMIh0NxG0w8it/cv9kbU="
-      "cuda-maintainers.cachix.org-1:0dq3bujKpuEPMCX6U4WylrUDZ9JyUG0VpVZa7CNfq5E="
     ];
     builders-use-substitutes = true;
   };
-
-  # make `nix run nixpkgs#nixpkgs` use the same nixpkgs as the one used by this flake.
-  nix.registry.nixpkgs.flake = nixpkgs;
-
-  environment.etc."nix/inputs/nixpkgs".source = "${nixpkgs}";
-  # make `nix repl '<nixpkgs>'` use the same nixpkgs as the one used by this flake.
-  # discard all the default paths, and only use the one from this flake.
-  nix.nixPath = lib.mkForce ["/etc/nix/inputs"];
-  # https://github.com/NixOS/nix/issues/9574
-  nix.settings.nix-path = lib.mkForce "nixpkgs=/etc/nix/inputs/nixpkgs";
 }

modules/darwin/apps.nix

@@ -87,7 +87,7 @@ in {
   # homebrew need to be installed manually, see https://brew.sh
   # https://github.com/LnL7/nix-darwin/blob/master/modules/homebrew.nix
   homebrew = {
-    enable = true; # disable homebrew for fast deploy
+    enable = false; # disable homebrew for fast deploy
 
     onActivation = {
       autoUpdate = true; # Fetch the newest stable branch of Homebrew's git repo
@@ -104,7 +104,7 @@ in {
       # Xcode = 497799835;
       Wechat = 836500024;
       QQ = 451108668;
-      WeCom = 1189898970; # Wechat for Work
+      # WeCom = 1189898970; # Wechat for Work
       TecentMeeting = 1484048379;
       QQMusic = 595615424;
     };
@@ -155,20 +155,19 @@ in {
       "visual-studio-code"
       "zed" # zed editor
       "aerospace" # an i3-like tiling window manager for macOS
-      "wezterm"
 
       # https://joplinapp.org/help/
-      "joplin" # note taking app
+      # "joplin" # note taking app
 
       # IM & audio & remote desktop & meeting
       "telegram"
-      "discord"
+      # "discord" # update too frequently, use the web version instead
       "microsoft-remote-desktop"
       "moonlight" # remote desktop client
       "rustdesk"
 
       # Misc
-      "shadowsocksx-ng" # proxy tool
+      # "shadowsocksx-ng" # proxy tool
       "iina" # video player
       "raycast" # (HotKey: alt/option + space)search, calculate and run scripts(with many plugins)
       "stats" # beautiful system status monitor in menu bar
@@ -176,6 +175,7 @@ in {
       "sonic-pi" # music programming
       "tencent-lemon" # macOS cleaner
       "neteasemusic" # music
+      "blender@lts" # 3D creation suite
 
       # Development
       "mitmproxy" # HTTP/HTTPS traffic inspector

modules/darwin/nix-core.nix

@@ -24,4 +24,6 @@
   nix.settings.auto-optimise-store = false;
 
   nix.gc.automatic = false;
+
+  system.stateVersion = 5;
 }

modules/darwin/users.nix

@@ -6,6 +6,6 @@
     # set user's default shell back to zsh
     #    `chsh -s /bin/zsh`
     # DO NOT change the system's default shell to nushell! it will break some apps!
-    # It's better to change only kitty/wezterm's shell to nushell!
+    # It's better to change only kitty/wezterm & other terminal emulator's shell to nushell!
   };
 }

modules/nixos/base/btrbk.nix

@@ -18,11 +18,11 @@
 
   services.btrbk.instances.btrbk = {
     # How often this btrbk instance is started. See systemd.time(7) for more information about the format.
-    onCalendar = "Tue,Thu,Sat *-*-* 3:45:20";
+    onCalendar = "Tue,Sat *-*-* 3:45:20";
     settings = {
       # how to prune local snapshots:
       # 1. keep daily snapshots for xx days
-      snapshot_preserve = "9d";
+      snapshot_preserve = "7d";
       # 2. keep all snapshots for 2 days, no matter how frequently you (or your cron job) run btrbk
       snapshot_preserve_min = "2d";
 

modules/nixos/desktop/game/gamemode.nix

@@ -52,7 +52,9 @@ in {
 
   # see https://github.com/fufexan/nix-gaming/#pipewire-low-latency
   services.pipewire.lowLatency.enable = true;
-  imports = [
-    nix-gaming.nixosModules.pipewireLowLatency
+  programs.steam.platformOptimizations.enable = true;
+  imports = with nix-gaming.nixosModules; [
+    pipewireLowLatency
+    platformOptimizations
   ];
 }

modules/nixos/desktop/game/steam.nix

@@ -9,27 +9,44 @@
     #   ~/.steam/root        - A symlink to ~/.local/share/Steam
     #   ~/.steam             - Some Symlinks & user info
     enable = true;
+    # https://github.com/ValveSoftware/gamescope
+    # enables features such as resolution upscaling and stretched aspect ratios (such as 4:3)
+    gamescopeSession.enable = true;
 
     # fix gamescope inside steam
     package = pkgs.steam.override {
       extraPkgs = pkgs:
         with pkgs; [
-          keyutils
-          libkrb5
-          libpng
-          libpulseaudio
-          libvorbis
-          stdenv.cc.cc.lib
           xorg.libXcursor
           xorg.libXi
           xorg.libXinerama
           xorg.libXScrnSaver
+          libpng
+          libpulseaudio
+          libvorbis
+          stdenv.cc.cc.lib
+          libkrb5
+          keyutils
 
           # fix CJK fonts
           source-sans
           source-serif
           source-han-sans
           source-han-serif
+
+          # audio
+          pipewire
+
+          # other common
+          udev
+          alsa-lib
+          vulkan-loader
+          xorg.libX11
+          xorg.libXcursor
+          xorg.libXi
+          xorg.libXrandr # To use the x11 feature
+          libxkbcommon
+          wayland # To use the wayland feature
         ];
     };
   };

modules/nixos/desktop/misc.nix

@@ -13,7 +13,7 @@
   # set user's default shell system-wide
   users.defaultUserShell = pkgs.bashInteractive;
 
-  # fix for `sudo xxx` in kitty/wezterm and other modern terminal emulators
+  # fix for `sudo xxx` in kitty/wezterm/foot and other modern terminal emulators
   security.sudo.keepTerminfo = true;
 
   environment.variables = {

modules/nixos/desktop/peripherals.nix

@@ -51,7 +51,7 @@
     geoclue2.enable = true; # Enable geolocation services.
 
     udev.packages = with pkgs; [
-      gnome.gnome-settings-daemon
+      gnome-settings-daemon
       platformio # udev rules for platformio
       openocd # required by paltformio, see https://github.com/NixOS/nixpkgs/issues/224895
       android-udev-rules # required by adb

modules/nixos/desktop/virtualisation.nix

@@ -9,7 +9,7 @@
   #
   ###################################################################################
 
-  # Enable nested virsualization, required by security containers and nested vm.
+  # Enable nested virtualization, required by security containers and nested vm.
   # This should be set per host in /hosts, not here.
   #
   ## For AMD CPU, add "kvm-amd" to kernelModules.

nixos-installer/README.md

@@ -1,8 +1,8 @@
 # Nix Environment Setup for Host: Idols - Ai
 
 > :red_circle: **IMPORTANT**: **Once again, you should NOT deploy this flake directly on your
-> machine! Please write your own configuration from scratch, and use my configuration and
-> documentation for reference only.**
+> machine :exclamation: Please write your own configuration from scratch, and use my configuration
+> and documentation for reference only.**
 
 This flake prepares a Nix environment for setting my desktop [/hosts/idols_ai](/hosts/idols_ai/)(in
 main flake) up on a new machine.

nixos-installer/README.shoukei.md

@@ -1,8 +1,8 @@
 # Nix Environment Setup for Host: 12Kingdoms - Shoukei
 
 > :red_circle: **IMPORTANT**: **Once again, you should NOT deploy this flake directly on your
-> machine! Please write your own configuration from scratch, and use my configuration and
-> documentation for reference only.**
+> machine :exclamation: Please write your own configuration from scratch, and use my configuration
+> and documentation for reference only.**
 
 > https://wiki.t2linux.org/distributions/nixos/installation/
 

outputs/x86_64-linux/src/kubevirt-shoryu.nix

@@ -26,9 +26,9 @@
       ++ [
         # {modules.secrets.server.kubernetes.enable = true;}
       ];
-    home-modules = map mylib.relativeToRoot [
-      "home/linux/tui.nix"
-    ];
+    # home-modules = map mylib.relativeToRoot [
+    #   "home/linux/tui.nix"
+    # ];
   };
 
   systemArgs = modules // args;

scripts/darwin_set_proxy.py

@@ -55,5 +55,5 @@ def unset_proxy():
 
 
 if __name__ == "__main__":
-    set_proxy()
-    # unset_proxy()
+    # set_proxy()
+    unset_proxy()

secrets/README.md

@@ -176,6 +176,25 @@ the `age.secrets.<name>.path` argument, which defaults to `/etc/secrets`.
    1. Clone this repo and run `nixos-rebuild switch` to deploy it, all the secrets will be decrypted
       automatically via the host private key.
 
+## Troubleshooting
+
+### 1. Nix-Darwin Module
+
+Check logs:
+
+```bash
+tail -n 100 /Library/Logs/org.nixos.activate-agenix.stderr.log
+tail -n 100 /Library/Logs/org.nixos.activate-agenix.stdout.log
+```
+
+### 2. NixOS Module
+
+Check logs:
+
+```
+journalctl | grep -5 agenix
+```
+
 ## Other Replacements
 
 - [ragenix](https://github.com/yaxitech/ragenix): A Rust reimplementation of agenix.

secrets/darwin.nix

@@ -10,6 +10,12 @@
     agenix.darwinModules.default
   ];
 
+  # enable logs for debugging
+  launchd.daemons."activate-agenix".serviceConfig = {
+    StandardErrorPath = "/Library/Logs/org.nixos.activate-agenix.stderr.log";
+    StandardOutPath = "/Library/Logs/org.nixos.activate-agenix.stdout.log";
+  };
+
   environment.systemPackages = [
     agenix.packages."${pkgs.system}".default
   ];

templates/bevy/Justfile

@@ -0,0 +1,17 @@
+default:
+  @just --list
+
+# Auto-format the source tree
+fmt:
+  treefmt
+
+# Run 'cargo run' on the project
+drun *ARGS:
+  nix develop --command cargo run {{ARGS}}
+
+dbuild:
+  nix develop --command cargo build
+
+# Run 'cargo watch' to run the project (auto-recompiles)
+watch *ARGS:
+  cargo watch -x "run -- {{ARGS}}"

templates/bevy/flake.nix

@@ -0,0 +1,75 @@
+# https://github.com/bevyengine/bevy/blob/v0.14.2/docs/linux_dependencies.md#nix
+{
+  description = "Bevy Game Engine - Rust Lang";
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
+    fenix = {
+      url = "github:nix-community/fenix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+  };
+
+  outputs = {
+    nixpkgs,
+    fenix,
+    ...
+  }: let
+    systems = [
+      "x86_64-linux"
+      "aarch64-linux"
+      "x86_64-darwin"
+      "aarch64-darwin"
+    ];
+    # Helper function to generate a set of attributes for each system
+    forAllSystems = func: (nixpkgs.lib.genAttrs systems func);
+  in {
+    devShells = forAllSystems (system: let
+      pkgs = import nixpkgs {
+        inherit system;
+        overlays = [fenix.overlays.default];
+      };
+      lib = pkgs.lib;
+    in {
+      default = pkgs.mkShell rec {
+        nativeBuildInputs = with pkgs; [
+          pkg-config
+          clang
+          # lld is much faster at linking than the default Rust linker
+          lld
+        ];
+        buildInputs = with pkgs;
+          [
+            # rust toolchain
+            (pkgs.fenix.complete.withComponents [
+              "cargo"
+              "clippy"
+              "rust-src"
+              "rustc"
+              "rustfmt"
+            ])
+            # use rust-analyzer-nightly for better type inference
+            rust-analyzer-nightly
+            cargo-watch
+          ]
+          # https://github.com/bevyengine/bevy/blob/v0.14.2/docs/linux_dependencies.md#nix
+          ++ (lib.optionals pkgs.stdenv.isLinux [
+            udev
+            alsa-lib
+            vulkan-loader
+            xorg.libX11
+            xorg.libXcursor
+            xorg.libXi
+            xorg.libXrandr # To use the x11 feature
+            libxkbcommon
+            wayland # To use the wayland feature
+          ])
+          ++ (pkgs.lib.optionals pkgs.stdenv.isDarwin [
+            # https://discourse.nixos.org/t/the-darwin-sdks-have-been-updated/55295/1
+            apple-sdk_15
+          ]);
+        LD_LIBRARY_PATH = lib.makeLibraryPath buildInputs;
+      };
+    });
+  };
+}

vars/networking.nix

@@ -193,7 +193,7 @@
         publicKey = value.publicKey;
       })
       {
-        aquamarine.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIbIecyrmrBpjD497lA2adJeTpsubZ3dozEraLGCcgVi root@aquamarine";
+        aquamarine.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEOXFhFu9Duzp6ZBE288gDZ6VLrNaeWL4kDrFUh9Neic root@aquamarine";
         # ruby.publicKey = "";
         # kana.publicKey = "";
       };